More stories

Microsoft: The ransomware world is changing, here's what you need to know

Microsoft has shone a spotlight on ransomware-as-a-service (RaaS), a style of criminal enterprise that relies on gig workers and is structured around profit-sharing to reduce the risk borne by any single actor. Microsoft security teams are tracking more than 35 unique ransomware families and 250 threat actors across nation-state, ransomware and criminal activities. RaaS, it says, is a gig economy involving multiple actors around three key pillars.

"In the same way our traditional economy has shifted toward gig workers for efficiency, criminals are learning that there's less work and less risk involved by renting or selling their tools for a portion of the profits than performing the attacks themselves," Microsoft Security says in a blog post. "This industrialization of the cybercrime economy has made it easier for attackers to use ready-made penetration testing and other tools to perform their attacks," it said.

RaaS has forced Microsoft to look at attacks differently. It's not one actor but many, meaning that identifying the ransomware family itself doesn't give defenders the full picture of threats on the network. Stealing data from a target, for example, may be carried out by one group for double extortion, while another group is responsible for developing ransomware payloads, and still other RaaS affiliates may deploy a given payload. In other words, knowing that you've fallen victim to one type of ransomware tells only half the story and can waste defenders' time chasing the wrong signals.

"Payload-based attribution meant that much of the activity that led to Conti ransomware deployment was attributed to the 'Conti Group', even though many affiliates had wildly different tradecraft, skills, and reporting structures," Microsoft notes. "Some Conti affiliates performed small-scale intrusions using the tools offered by the RaaS, while others performed weeks-long operations involving data exfiltration and extortion using their own techniques and tools."

Researchers at security firm Intel471 recently detailed the Conti group's cooperation with members of the LockBit 2.0, Maze and Ryuk gangs to refine encryption algorithms and ransom notes, and its contracting of developers from other groups to build new ransomware.

At a high level, the key actors in RaaS are: the operator, who develops and maintains ransomware payloads and the payment portals used to communicate with victims; access brokers, who compromise networks and sell RaaS affiliates access to them; and the RaaS affiliates, who run the ransomware attack, steal data, move laterally on compromised networks and persist on systems.

Ransomware really becomes dangerous at the "hands-on-keyboard" phase. "When the attack reaches the active attack stage of deleting backups or shadow copies, the attack would be minutes away from ransomware deployment," Microsoft notes. By this stage the attackers have likely already exfiltrated data, so defenders need to prioritize investigating alerts or detections of tools like Cobalt Strike and quickly launch incident response (IR) procedures to contain a human adversary before they can deploy ransomware.

Other actors in this economy may handle the leak site used to share snippets of data stolen from victims. Further extortion services include leak-site hosting, decryption negotiation, payment processing, and cryptocurrency transaction services. Microsoft estimates that where an access broker has compromised 2,500 potential victims, about 60 encounter activity associated with known ransomware attackers, around 20 of those are successfully compromised, and one of those organizations sees an actual ransomware payload deployed on its network.

Microsoft rates the Trickbot group, which it has tracked as DEV-0193 since October 2020, as "the most prolific" ransomware group today. It is responsible for developing, distributing and maintaining the Trickbot, Bazaloader and AnchorDNS payloads. The group also managed the Ryuk RaaS program before its shutdown in June 2021, as well as Ryuk's believed successor, Conti. DEV-0193 has also hired developers from Emotet, Qakbot and IcedID, according to Microsoft.

Microsoft's report also covers ELBRUS, also known as FIN7, which uses point-of-sale (PoS) and ATM malware to harvest payment card information. In 2020 it deployed MAZE and REvil RaaS, but then developed DarkSide as its own RaaS ecosystem, which it retired in May 2021 and replaced with BlackMatter in July, only to retire that in November. "The tendency to report on ransomware incidents based on payload and attribute it to a monolithic gang often obfuscates the true relationship between the attackers, which is very accurate of the DarkSide RaaS," Microsoft notes.

While Microsoft hasn't seen ELBRUS running a RaaS program today, it says the group is still "very active in compromising organizations via phishing campaigns" that lead to its JSSLoader and Griffon malware. Microsoft also saw the group exploiting CVE-2021-31207 in Exchange, a low-privilege ProxyShell bug, to elevate to SYSTEM-level privileges in victim organizations in April 2022.

The BlackCat ransomware gang is another notable RaaS affiliate actor. It appeared in November 2021 and was created by access brokers that previously sold access to multiple RaaS groups, including BlackMatter, according to Cisco's Talos researchers. The group Microsoft tracks as DEV-0504 currently deploys BlackCat, but previously deployed Ryuk, REvil, LockBit 2.0, BlackMatter and Conti. When one RaaS program shuts down, it moves to another, Microsoft notes.

While most of these RaaS groups are believed to operate from Russia, Microsoft highlights DEV-0401 as a unique "China-based lone wolf turned LockBit 2.0 affiliate" that recently started targeting the CVE-2021-44228 vulnerability in Log4j 2 in VMware Horizon. "Because DEV-0401 maintains and frequently rebrands their own ransomware payloads, they can appear as different groups in payload-driven reporting and evade detections and actions against them," Microsoft notes.

Microsoft's top advice for organizations is to protect credentials. "More than malware, attackers need credentials to succeed in their attacks. In almost all attacks where ransomware deployment was successful, the attackers had access to a domain admin-level account or local administrator passwords that were consistent throughout the environment," Microsoft says. Attackers can deploy ransomware through Group Policy or tools like PsExec (or clones like PAExec, CSExec and WinExeSvc), but spreading ransomware to multiple systems is much harder without credentials that provide administrative access across the network. "Compromised credentials are so important to these attacks that when cybercriminals sell ill-gotten access to a network, in many instances, the price includes a guaranteed administrator account to start with," says Microsoft.

Government hackers made hundreds of thousands of stolen credit cards 'worthless' to crooks

A joint operation involving intelligence agency GCHQ and the Ministry of Defence (MoD) took direct action against computer networks used by cyber criminals, helping to protect people against cyberattacks and making hundreds of thousands of stolen credit cards worthless to the crooks who stole them.

The action by the National Cyber Force (NCF), using the combined resources of the MoD and GCHQ, was revealed by Jeremy Fleming, director of GCHQ. "Through the National Cyber Force, we are actively undermining the cyber criminals' assumption that they can act with impunity on the internet. We have disrupted criminals, making it clear that they are being observed, and going after their ability to profit from their illegal work," he said, speaking at the National Cyber Security Centre's (NCSC) Cyber UK event in Newport, Wales.

Fleming described how the NCF, first announced in 2020 and given an official home in 2021, is working alongside international partners to mount operations to "undermine" the networks of cyber criminals: denying them access to malware and other offensive cyber tools and preventing malicious hackers from profiting from cybercrime, all to help protect citizens from falling victim to cyberattacks and fraud.

"In real life this means: tens of millions of pounds in potential fraud against the UK economy avoided. Hundreds of thousands of stolen credit cards made worthless to the criminals, and countless potential victims of crime around the world with their data and accounts safeguarded," said Fleming. He did not detail how this was done.

"The NCF is already making a big impact. From countering disinformation, to supporting the activities of our military overseas, and to helping law enforcement to go after criminal gangs, it is improving the UK's defences and it's imposing a cost on our adversaries," he added.

The active operations of the NCF form just one part of a national cybersecurity strategy designed to protect people, organisations and infrastructure from cyberattacks. Another key aspect of that approach detailed by the intelligence agency chief is the importance of cybersecurity skills, along with finding and training people from a diverse range of backgrounds who can draw on their own experiences to help keep the UK safe from cyber criminals and other hostile cyber threats.

"The talent in the community today is huge. But if the UK wants to continue to be successful, we need to widen the appeal of careers in cyber," said Fleming. "Together, we must work to attract the next generation of talent from as diverse a pool as possible, from right across the country. The range of lived experiences this will bring into the workforce will make us collectively better," he added.

Concluding his speech, Fleming emphasised the importance of cybersecurity and of protecting against all manner of threats that the UK and much of the wider world look set to face in the coming years. "The global shifts we are seeing will take decades to resolve. And while I can't predict how things will turn out, I can confidently say that cyber and cybersecurity will continue to be pivotal," he said.

Ransomware attack and COVID woes force this 150-year-old college to shut down

Lincoln College in Illinois will shut down permanently this week after financial woes caused by the pandemic were magnified by a ransomware attack last December. In a note posted on its website, the 157-year-old liberal arts college in rural Illinois said it had survived multiple recessions, a major campus fire in 1912, the Spanish flu of 1918, the Great Depression, World War II, and the 2008 global financial crisis.

But then came the COVID-19 pandemic, which harmed its already strained finances through a drop in enrollments and the large technology investments required to support remote learning. The final blow came on December 19, when the college was hit by ransomware that affected its IT systems for recruitment, retention and fundraising. Per NBC, it is the first US higher education institution to shut in part due to ransomware.

The college told NPR in March that it would be forced to close at the end of the spring term, on May 13, unless it received a major donation or merger. The system outage lasted one and a half months, but the college didn't have a clear picture of its outlook until systems were fully restored in March. It said the ransomware attack "thwarted admissions activities and hindered access to all institutional data, creating an unclear picture of Fall 2022 enrollment projections".

The college continued: "All systems required for recruitment, retention, and fundraising efforts were inoperable. Fortunately, no personal identifying information was exposed. Once fully restored in March 2022, the projections displayed significant enrollment shortfalls, requiring a transformational donation or partnership to sustain Lincoln College beyond the current semester."

The historically Black college was established in 1865 and named after president Abraham Lincoln. Per EdScoop, Lincoln College president David Gerlach appealed to Elon Musk via Twitter on April 5 for a "miracle gift" to save the college. The college was seeking a $50 million pledge to stay open, according to an April 15 report by The Chicago Tribune. A GoFundMe campaign to save the college raised just $2,252 of a $20 million target.

Gerlach told the Chicago Tribune that the college was the victim of an Iran-based ransomware gang. He said the school paid a sum of less than $100,000 to regain access to affected systems. However, even after paying, it still took months to fully restore systems.

According to security firm Emsisoft, 26 US colleges and 62 school districts were hit by ransomware attackers in 2021. Data was stolen in at least half of the 88 total incidents. Ransomware gangs often steal data before encrypting systems, using the threat of a data leak to pressure victims into paying multi-million dollar ransoms.

Cloud computing security: New guidance aims to keep your data safe from cyberattacks and breaches

An increasing number of businesses are adopting cloud applications and services, and that means cyber criminals are targeting these services. Now, new advice has been issued to help firms secure their data and services as they move towards the cloud. The updated guidance from the National Cyber Security Centre (NCSC), the cybersecurity arm of GCHQ, aims to supply everyone from small businesses to large enterprises with tools to ensure that, whether they are current or prospective cloud-computing users, they have appropriate cybersecurity measures in place.

The guidance also emphasises the importance of proper due diligence when handling sensitive data, to reduce the risk posed by breaches, leaks or the loss of devices that have access to sensitive data. While many organisations have shifted towards using a wider range of cloud-computing applications as part of the rise in remote working, this move has also left many businesses vulnerable to cyberattacks and data breaches.

Much of the new cloud security guidance is based upon the NCSC's newly published principles-based technology assurance approach. Some of the key advice highlights how cloud applications can be secure by default, which includes enforcing the use of multi-factor authentication to help secure accounts even if usernames and passwords are leaked or stolen. The advice also recommends that cloud vendors make it as easy as possible for customers to fulfil their security responsibilities, while encouraging customers to delegate as much responsibility for security as is practical to their cloud providers. Outsourcing cloud cybersecurity could be particularly useful for small and medium-sized businesses that might lack the resources or staff required to fully secure their network, at a time when cyber criminals are known to be targeting smaller businesses as part of supply chain attacks.

"The cloud plays an increasingly vital role in the functioning of online services across the UK, and this trend will continue into the future. Our refreshed Cloud Security Guidance has the philosophy of security-by-design at its heart, meaning that organisations can have confidence when choosing a provider," said Paul Maddinson, director of national resilience and strategy at the NCSC. "I'd strongly encourage network defenders at organisations of all sizes to make use of the actionable advice set out in our refreshed cloud security guidance," he added.

The updated guidance from the NCSC comes after the cybersecurity agency announced that it had taken down almost three million scam websites used to conduct cyberattacks during the past year.

Scammer posed as cybersecurity chief in phishing email

A record number of scams have been removed from the internet as part of a scheme to help protect people from fraud and cybercrime. The National Cyber Security Centre (NCSC) says it removed a total of 2.7 million scams, illicit domains and phishing services during 2021, nearly four times more than during 2020.

The rise in takedowns comes after the NCSC, the cyber arm of intelligence agency GCHQ, expanded operations designed to remove malicious online content. These include fake celebrity endorsement scams, bogus extortion emails, missed-delivery scam text messages, and a wide range of fraudulent and malicious websites.

One scam email even involved cyber criminals claiming to be NCSC CEO Lindy Cameron, telling the potential victim that the NCSC had recently stopped £5 million being stolen from them and asking them to reply with personal information in order to get the funds back. The scam was taken down by the NCSC. "We know that scammers will go to great lengths and indeed my name has been used to try and trick people, but as we continue to expand our defences we can see the tangible impact this is having," Cameron said.

The NCSC also removed more than 1,400 NHS-themed phishing campaigns during the last year, as cyber criminals attempted to trick people with fake messages about the COVID-19 vaccine rollout and vaccine passports. Many of the scam websites and emails are designed to steal key personal data from victims, such as usernames, passwords, contact details and bank information. Not only can cyber criminals exploit this information to steal money directly from victims' personal accounts, they can also use it to commit additional fraud, such as taking out loans in someone's name, creating further problems for the victim.

The takedowns are part of the NCSC's Active Cyber Defence (ACD) programme, an initiative designed to prevent millions of cyberattacks from reaching citizens, organisations and critical infrastructure. The NCSC says the rise in the number of takedowns reflects the expansion of the defence programme, rather than a big rise in scams. "The latest ACD figures shine a light on how the NCSC has responded to emerging cyber-threat trends and security issues to keep the UK safe at scale," said Cameron.

In addition to scams being taken down, the NCSC blocked more than 1.2 million domains linked with the Android Flubot malware, which commonly spreads via text messages claiming the recipient has missed a delivery and telling them to follow a link and enter their details to organise a redelivery. Any information entered on the fake postal service or delivery firm page is stolen by the attackers.

"The highlights shared today evidence some of the crucial interventions we made last year to take down online threats, deter attackers and improve our collective cyber resilience," said Ian Levy, technical director at the NCSC. "As ACD continues to grow and innovate, we strongly encourage the private sector to work even more closely with us to enhance the effectiveness of our services to take down and block malicious websites," he added.

Clearview AI agrees to restrict sales of facial recognition technology

In a landmark settlement, facial recognition company Clearview AI, known for downloading billions of user photos from social media and other websites to build a face-search database for use by law enforcement, has agreed to cease sales to private companies and individuals in the United States.

Filed in Illinois' federal court on Monday, the settlement marks the most significant action against the New York-based company to date, and reins in a technology that has reportedly been used by Ukraine to track "people of interest" during the ongoing Russian invasion. The lawsuit was brought in 2020 by the non-profit American Civil Liberties Union (ACLU) and Mujeres Latinas en Acción, among others, over alleged violations of an Illinois digital privacy law, with the settlement pending approval by a federal judge. Adopted in 2008, the Illinois law, known as the Biometric Information Privacy Act (BIPA), has so far led to several key tech-privacy settlements, including a $550 million settlement from Facebook related to its facial recognition use.

Although Clearview AI has agreed to stop selling its services to the Illinois government and local police services for five years, the company will continue to offer its services to other law enforcement and federal agencies, and to government contractors outside of Illinois. Despite this, Linda Xóchitl Tortolero, president and CEO of Mujeres Latinas en Acción, a Chicago-based non-profit, said in a statement that the settlement was a "big win for the most vulnerable people in Illinois". "Before this agreement, Clearview ignored the fact that biometric information can be misused to create dangerous situations and threats to their lives. Today that's no longer the case."

Additionally, the settlement requires the company to maintain an "opt-out request form" on its website, so that Illinois residents can upload a photo of themselves to ensure their faceprints are blocked from appearing in Clearview's search results. The company will also be required to pay $50,000 toward internet advertising to promote the opt-out request function.

The settlement follows a push in February by members of Congress for the federal government to end its use of Clearview AI's facial recognition technology. "Facial recognition tools pose a serious threat to the public's civil liberties and privacy rights, and Clearview AI's product is particularly dangerous. We urge you to immediately stop the Department's use of facial recognition technology, including Clearview AI's tools. Clearview AI's technology could eliminate public anonymity in the United States," the members of Congress wrote in a letter to Homeland Security.

Prior to the settlement, Clearview had announced its 10 billion publicly available facial image database to be the "largest known of its kind in the world," and that the company was on track to have approximately 100 billion faceprints within a year, enough to ensure "almost everyone in the world will be identifiable."

Microsoft's new cybersecurity service combines tech and human experts

Microsoft has unveiled a set of new managed cybersecurity services to help customers combat malware and other threats amid an ongoing cybersecurity skills crunch. Microsoft has created a new umbrella managed service category called Microsoft Security Experts, consisting of "human-led" services and machine learning to help customers address security, compliance, identity, privacy and productivity goals. "Security Experts combines expert-trained technology with human-led services to help organizations achieve more secure, compliant, and productive outcomes," it said in a post explaining the new offering.

New to this group is Microsoft Defender Experts for Hunting, a service to help customers hunt for threats by combing over data from Microsoft Defender, Office 365, cloud applications, and identity. Microsoft says its experts will investigate findings and pass contextual alert information and instructions to customers.

Also new is Microsoft Defender Experts for XDR, referring to the managed extended detection and response (XDR) service category offered by multiple cybersecurity firms. An XDR service collects data from endpoints, cloud infrastructure and networks to accelerate investigations, threat hunting, and response times. Microsoft's Defender Experts for XDR promises to provide detection and response for endpoints, email, data, cloud applications and identity. The managed part of the service offers customers the capability to rapidly detect, analyze, investigate and respond to threats across email, services, identity and cloud apps. Defender Experts for XDR will go into preview in fall 2022, according to Microsoft.

Microsoft is also launching Microsoft Security Services for Enterprise, a "high-touch", dedicated managed service offering for enterprise customers that combines threat hunting and managed XDR, using Microsoft's security information and event management (SIEM) and XDR to protect all cloud environments and all platforms.

The three new managed security service products join existing services such as Microsoft's Security Services for Incident Response and its Security Services for Modernization. The company hopes its managed security services will be taken up by enterprises facing difficulties filling cybersecurity roles. Microsoft last year estimated there were over 460,000 open cybersecurity roles in the US, accounting for 6% of all unfilled jobs in the nation.

Highlighting its scale, Microsoft says it employs over 8,500 security professionals and is investing $20 billion in security over the next five years. It is actively tracking more than 35 ransomware groups and 250 unique threat actors.

Beware: This cheap and 'homemade' malware is surprisingly effective

A powerful form of trojan malware that offers complete backdoor access to Windows systems is being sold on underground forums for the price of a cup of coffee, and it's being developed and maintained by one person. Known as DCRat, the backdoor malware has existed since 2018 but has since been redesigned and relaunched.

When malware is cheap, it's often associated with only limited capabilities. But DCRat, offered online for as little as $5, unfortunately comes equipped with a variety of functions, including the ability to steal usernames, passwords, credit card details, browser history, Telegram login credentials, Steam accounts, Discord tokens, and more.

DCRat can also take screenshots, steal clipboard contents and contains a keylogger that can record anything the victim types on their computer. It ultimately provides cyber criminals with full access to almost everything the victim does after downloading the malware.

Malware this powerful tends to be the work of sophisticated and well-resourced cyber-criminal groups, but according to analysis by cybersecurity researchers at BlackBerry, DCRat is developed and maintained by a single user who actively markets their product on several Russian-speaking underground forums, as well as a Telegram channel. "This remote access Trojan (RAT) appears to be the work of a lone actor, offering a surprisingly effective homemade tool for opening backdoors on a budget," BlackBerry warned.

The anonymous nature of the accounts doesn't reveal much about DCRat's creator, but researchers suggest that, despite the powerful nature of the malware, maintaining it isn't their full-time job. The financial status of the person behind the malware could also be the reason why DCRat is available at such a low price compared to other tools with similar capabilities. "A lone-wolf operator would have low operating costs and, given the associated complexity of DCRat, low costs for backend infrastructure hosting," Simpson said.

The backdoor tool is written in the JPHP programming language, an obscure implementation of PHP that runs on a Java virtual machine. The language is often used by cross-platform game developers because it's both easy to use and flexible. In the case of DCRat, those features make it well suited to developing and updating the malware; researchers note that minor updates and fixes are announced almost every day. And because JPHP isn't as widely used as other programming languages, it's potentially more difficult to write detection signatures and protect systems.

There's also evidence that the author of DCRat isn't entirely honest with their customers. Anyone running an instance of the malware can see statistics showing "servers working" and "users online", but analysis of these tabs appears to suggest the numbers are completely made up.

For now, DCRat remains a potent cybersecurity threat, providing cyber criminals with the ability to steal vast amounts of information from individuals and organisations, particularly as the malware remains under active development with new capabilities being added. "We would anticipate that organisations with weak endpoint defences and poor internal security posture would be likely targets or at greater risk," said BlackBerry.

It's still unclear how DCRat is actually delivered to victims, but researchers note that deployment of the malware often coincides with the use of Cobalt Strike, a legitimate penetration-testing tool that is often abused by cyber criminals.

While DCRat is a potent cybersecurity threat, there are steps that individuals and organisations can take to help protect against falling victim. For example, researchers suggest that applying multi-factor authentication can help prevent accounts being taken over even if passwords have been stolen, while IT departments should monitor the network to detect, and prevent, potentially suspicious activity.