More stories

    Want to boost your cybersecurity? Here are ten steps you can take to improve your defenses now

    Ukraine was being hit by cyber-attacks well before Russia launched its invasion. DDoS attacks and wiper malware were among the cyber threats which targeted Ukrainian government ministries, banks, media and other services, but there are also other examples from recent history.

    Russia has been accused of being behind attacks that took down Ukrainian power grids in December 2015, and it’s thought that the Russian military was also behind the widespread and disruptive NotPetya malware attack of June 2017. NotPetya was designed to target organisations in the Ukrainian financial, energy and government sectors, but the impact quickly spread to organisations around the world.

    As the conflict continues, firms far from that geography have been urged to check their security posture. As NCSC CEO Lindy Cameron commented just a few days ago, “Cyber attacks do not respect geographic boundaries”, warning that cyber attacks can have international consequences, intentional or not. The NCSC has urged organisations to take action to secure their networks. There are steps which can be taken, some of them relatively simple, which increase resilience against most cyber attacks.

    1. Apply patches and security updates

    Applying patches and security updates to operating systems and software is the best way to close vulnerabilities in networks. Many cyber attacks actively look to exploit unpatched software as an easy backdoor into networks. Devices and software with known security vulnerabilities should be patched immediately.

    2. Use strong passwords

    A common way for cyber attackers to breach networks is to simply guess usernames and passwords, particularly if the organisation uses cloud services like Microsoft Office 365 or Google Workspace. Users should be urged not to use common, easy-to-guess passwords and instead to manage passwords with a password manager. Any devices on the network with default passwords should have them changed.

    3. Use multi-factor authentication

    Multi-factor authentication (MFA) provides an additional barrier to cyber attacks and should be applied to all users. The benefit of MFA is that even if a username and password has been stolen or correctly guessed, it’s still very difficult for attackers to access the account. If MFA is correctly configured, the user will be alerted to any attempt to log in to their account; if they are alerted to an access attempt that wasn’t them, they should be encouraged to report it to the information security team.

    4. Teach phishing awareness

    Many cyber attacks start with phishing emails, and staff should be trained in how to identify some of the most common techniques cyber attackers use, as well as how to report phishing emails for further investigation. Some phishing attacks are more sophisticated and harder to identify, but even in those cases, if a user thinks they’ve fallen victim to a phishing attack, they should be encouraged to come forward, without repercussions, so that the attack can be identified and detected, the intruders removed and the accounts secured.

    5. Use antivirus software and ensure that it works

    Antivirus software and firewalls can help to detect suspicious links, malware and other threats distributed by cyber attacks, and they should be installed on every device. Like other software, it’s important to confirm that antivirus software is up to date with the latest updates and that it’s active and working correctly.

    6. Know your network

    You can’t defend your network if you don’t know what’s on it, so information security teams should be able to identify all devices and users on the network, as well as being able to detect potentially suspicious activity. If a device or user account is acting unusually, by accessing files they don’t need for their job or moving to parts of the network that are irrelevant to them, it could be an indication that the account has been compromised by cyber criminals attempting to plant malware. Keep logging activity for at least a month, so older activity can be traced to identify how a breach happened.

    7. Back up your network, and regularly test backups

    Backups are a vital component of cyber resilience and can play a big role in minimising disruption in the event of a cyber attack, particularly ransomware or wiper malware. Backups should be made at regular intervals, a copy of the backups should be stored offline, and they should be regularly tested to make sure they work.

    8. Be mindful of third-party access to your network and supply chains

    Managing IT networks can be complex, and that sometimes requires organisations to bring in outside help, giving non-regular users high-level access. Organisations should have a comprehensive grasp of what access outside users have and be mindful of removing security controls. Any access that’s no longer required should be removed. Organisations should also attempt to understand the security practices of businesses in their supply chain: if one of those is breached, its network could be used as a gateway to the larger target.

    9. Have an incident response plan

    Even if organisations have followed all of the relevant advice, they should still draw up a plan for how to react in the event of a cyber attack. For example, if the network is down, how will they communicate a response? Thinking about different scenarios, planning ahead and running training exercises can reduce the impact of a successful cyber attack. “Organisations should recognise the risk that cyber presents to their operations and ensure that they have strong cyber resilience and an ability to detect, respond and remediate threats, and make sure plans are in place to counter any disruptive attacks,” says Stuart McKenzie, SVP of consulting at Mandiant.

    10. Brief the wider organisation about cyber threats

    It’s the job of information security to know about cyber attacks and how to deal with them, but outside the cybersecurity team, this is unlikely to be common knowledge. Staff ranging from the boardroom to juniors should be aware of the importance of cybersecurity and be made aware of how to report suspected security events. For a business to be secure, it’s crucial for everyone to play a part.

    SockDetour backdoor used in attacks on defense contractors, says Unit 42

    Researchers at Palo Alto Networks’ Unit 42 said they discovered a tool — named SockDetour — that serves as a backup backdoor in case the primary one is removed. They believe it’s possible that it has “been in the wild since at least July 2019.” The researchers said the backdoor, which is compiled in 64-bit PE file format, stood out and is hard to detect because it operates filelessly and socketlessly on compromised Windows servers.

    “One of the command and control (C2) infrastructures that the threat actor used for malware distribution for the TiltedTemple campaign hosted SockDetour along with other miscellaneous tools such as a memory dumping tool and several webshells. We are tracking SockDetour as one campaign within TiltedTemple, but cannot yet say definitively whether the activities stem from a single or multiple threat actors,” the researchers explained. “Based on Unit 42’s telemetry data and the analysis of the collected samples, we believe the threat actor behind SockDetour has been focused on targeting US-based defense contractors using the tools. Unit 42 has evidence of at least four defense contractors being targeted by this campaign, with a compromise of at least one contractor.”

    SockDetour allows attackers to remain stealthy on compromised Windows servers by loading filelessly in legitimate service processes and using legitimate processes’ network sockets to establish its own encrypted C2 channel.

    The researchers did not find any additional SockDetour samples on public repositories, and the plugin DLL remains unknown. They added that it is delivered through SockDetour’s encrypted channel, communicating via hijacked sockets.

    Unit 42 noted that the type of NAS server found hosting SockDetour is typically used by small businesses. The company tied the backdoor to a larger APT campaign it named TiltedTemple. It first identified TiltedTemple while investigating its use of the Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 and the ServiceDesk Plus vulnerability CVE-2021-44077.

    “Our initial publications on TiltedTemple focused on attacks that occurred through compromised ManageEngine ADSelfService Plus servers and through ManageEngine ServiceDesk Plus,” the researchers said. “The TiltedTemple campaign has compromised organizations across the technology, energy, healthcare, education, finance, and defense industries and conducted reconnaissance activities against these industries and others, including infrastructure associated with five US states. We found SockDetour hosted on infrastructure associated with TiltedTemple, though we have not yet determined whether this is the work of a single threat actor or several.”

    Unit 42 began its investigation of the TiltedTemple campaign in August 2021 and found evidence that SockDetour “was delivered from an external FTP server to a U.S.-based defense contractor’s internet-facing Windows server on July 27, 2021.” The FTP server also hosted other tools used by the threat actor, such as a memory dumping tool and ASP webshells, according to Unit 42. After analysing the attack, the company found that at least three other U.S.-based defense contractors were targeted by the same actor.

    “The FTP server that hosted SockDetour was a compromised Quality Network Appliance Provider (QNAP) small office and home office (SOHO) network-attached storage (NAS) server. The NAS server is known to have multiple vulnerabilities, including a remote code execution vulnerability, CVE-2021-28799,” the researchers said. “This vulnerability was leveraged by various ransomware families in massive infection campaigns in April 2021. We believe the threat actor behind SockDetour likely also leveraged these vulnerabilities to compromise the NAS server. In fact, the NAS server was already infected with QLocker from the previous ransomware campaigns.”

    Unit 42 noted that the threat actor converted SockDetour into shellcode using the Donut framework, an open source shellcode generator. When injected into manually chosen target processes, the backdoor “leverages the Microsoft Detours library package, which is designed for the monitoring and instrumentation of API calls on Windows to hijack a network socket.”

    This new ransomware has been spotted in two very different attacks, say researchers

    A new form of ransomware has been spotted by security company researchers after they saw it being used against two different organisations. Dubbed Entropy, the new ransomware has been detailed by cybersecurity researchers at Sophos, who uncovered it on the networks of two organisations, a media company and a regional government, after being called in to investigate the two separate incidents within the space of a week.

    The attackers compromised the media company by exploiting ProxyShell vulnerabilities to install remote shells on unpatched Microsoft Exchange servers, before using Cobalt Strike, a legitimate penetration testing tool often exploited by cyber criminals, to investigate the network over a four-month period. Analysis of infected machines also revealed that Dridex trojan malware had been installed.

    Dridex was also detected on the network of the regional government organisation. In this case, Dridex was delivered directly via a phishing email, and the malware was then itself used to deliver additional malware and remote access. In this attack, only 75 hours passed between the initial compromise and the cyber criminals stealing data.

    “They were both using Dridex, and that obviously set off a few alarm bells,” Peter Mackenzie, director of incident response at Sophos, told ZDNet.

    Dridex has been active since at least 2011 and became a popular tool for cyber criminals to distribute malware, ransomware and other malicious payloads. In 2019, the US Department of Justice announced charges against two Russian nationals suspected of being behind Dridex. In fact, when analysing Entropy, detection tools initially identified it as Dridex itself because of similarities in the code. Not only that, but analysis of the malware showed that additional work had been done to optimise it. The updated code also contains text that mentions the targeted organisation’s name, followed by “…falls apart. Entropy Increases”, a line from John Green’s 2005 novel, Looking For Alaska.

    Dridex is linked to Evil Corp, a cyber-criminal gang behind a string of ransomware attacks, deploying variants including BitPaymer, DoppelPaymer, WastedLocker, Hades and Macaw ransomware. However, it’s also possible that the code has been borrowed or stolen and that this is a misdirection attempt by other cyber criminals. The nature of the malware ecosystem means it’s extremely difficult to be 100% confident of attribution.

    As the researchers note, both targets had vulnerable Windows systems that lacked current patches and updates, which allowed them to be compromised. As is the case with many common cyberattacks, including ransomware, patching networks with the appropriate security updates can go a long way to preventing intruders from getting onto the network in the first place, as can applying multi-factor authentication.

    “In both cases, the attackers relied upon a lack of diligence – both targets had vulnerable Windows systems that lacked current patches and updates,” Sophos said. It noted that properly patched machines, like the Exchange server, would have forced the attackers to work harder to gain initial access to the organisations they penetrated. “A requirement to use multi-factor authentication, had it been in place, would have created further challenges for unauthorized users to log in to those or other machines,” it noted.

    Organisations can also help prevent attacks by actively monitoring their networks for suspicious activity by potential intruders, which might indicate that something should be investigated and removed. “They will keep trying unless someone kicks them off the network. They’re just going to keep trying, so you have to have a security team either internally or externally that is monitoring your environment and is looking out for these signs that someone is in,” said Mackenzie. “If you don’t support those warning signs, it is just a matter of time before they will eventually win,” he said.

    Salesforce paid more than $2.8 million in 2021 bug bounties, $12.2 million since 2015

    Salesforce announced this week that it rewarded ethical hackers with more than $2.8 million in bounties for finding vulnerabilities throughout 2021. More than 4,700 reports on suspected vulnerabilities were submitted to Salesforce last year, and the highest bounty paid was $30,000. Since launching its bug bounty program in 2015, Salesforce has paid out about $12.2 million in total and accepted about 22,200 reports. More than $9.5 million of that has come since 2019, according to Salesforce data.

    Salesforce software engineer Anup Ghatage said engineering teams use data from the bug bounty program “to better understand the tendencies and methodologies of malicious hackers.” “Being able to understand the methods the hackers use to find vulnerabilities allows me to employ the same methods to better secure our software,” Ghatage said.

    Salesforce explained that once products and features are tested internally, ethical hackers are asked to take a crack at testing security features in sandboxes. As an example, it said the Trailhead Slack App was used as a bounty promotion in August before it was released in September.

    One hacker who participated in the program, Inhibitor181, said he started out in ethical hacking after becoming a developer. “Not only is it more stimulating and less monotonous to use my programming skills to legally hack into global companies’ products, but it also allows me to do my part in preventing cybercrime. Not all hackers are bad,” he said.

    In October, Google and Salesforce announced the creation of a vendor-neutral cybersecurity baseline called the Minimum Viable Security Product (MVSP), which they said was an effort to “raise the bar for security while simplifying the vetting process” for third-party vendors.

    Ukraine invasion: How a digital cold war with Russia threatens the IT industry

    In the five years since I first explored the potential impact of a Digital Cold War on the IT industry, tensions with Russia have gotten worse, especially following a series of cyberattacks on systems in the United States. These include Russia’s involvement in the SolarWinds breach, as well as its interference with the 2016 US presidential elections via attacks on the Democratic National Committee infrastructure and the purchasing of tens of millions of ads on Facebook in an attempt to sow discontent among US voters. Under Vladimir Putin’s leadership, the nation has focused on international cybersecurity concerns for many years.

    Ukraine invasion

    Under the pretext of “Peacekeeping operations,” Russia has now initiated a full-scale invasion of Ukraine. Presumably, Russia also has been responsible for recent cyberattacks on Ukrainian banks. In response, the United States, NATO nations, and allied countries have imposed numerous economic sanctions on Russia, including blocking its two state-owned banks from debt trading on US and European markets and freezing their assets under US jurisdictions, as well as freezing the assets of the country’s wealthiest citizens. Germany has halted its plans on Russia’s Nord Stream 2 Gas Pipeline. Further wide-ranging sanctions are expected as Russia continues its assault on Ukraine.

    On February 23rd, President Biden condemned the military action and said, “President Putin has chosen a premeditated war that will bring a catastrophic loss of life and human suffering. Russia alone is responsible for the death and destruction this attack will bring, and the United States and its Allies and partners will respond in a united and decisive way. The world will hold Russia accountable.”

    The economic impacts of this conflict will likely be significant, including a halt on Russian oil and natural gas exports to Western Europe and, presumably, the denial of civil and commercial air transit to Asia through Russian airspace. Although the United States, unlike Europe, is not a major consumer of Russian energy exports, it would be simplistic to say that Russia has no impact on US business at all. An extended conflict with Russia — coupled with the imposition of wide-ranging sanctions — will have a tangible impact on the global technology industry.

    Russian tech firms are now ‘technologia non grata’ within enterprises in Western nations

    Let’s start with Russian software companies themselves.

    Many of these have significant market share and widespread use within US corporations. Some of these were founded in Russia, while others are headquartered elsewhere but maintain a significant amount of their development presence within Russia and other parts of Eastern Europe.

    UK-incorporated Kaspersky Lab, for example, is a major and well-established player in the antivirus/antimalware space. It maintains its international headquarters, and has substantial research and development capabilities, in Russia, even though its primary R&D center was moved to Israel in 2017. It’s also thought that Eugene Kaspersky, the company’s founder, has strong personal ties to the Putin-controlled government. Kaspersky has repeatedly denied these allegations, but questions about the man and his company remain and will be further scrutinized, particularly as the conflict develops. In the past, evidence emerged that Kaspersky’s software was involved in compromising the security of a contract employee of the United States National Security Agency in 2015. Kaspersky Lab insists that, to the contrary, the evidence supporting this has not been properly established and has produced an internal audit of the findings.

    NGINX Inc is the support and consulting arm of an open source reverse proxy web server project that is very popular with some of the most high-volume internet services on the planet. The company is of Russian origin but was sold to F5 Networks in 2019. The founder of the company, Igor Sysoev, announced his departure in January of this year.

    Parallels, Inc., which Corel acquired in 2018, focuses extensively on virtualization technology. Their Parallels Desktop is one of the most popular solutions for Windows virtualization on the Mac. Historically, their primary development labs were in Moscow and Novosibirsk, Russia. The company was founded by a Russian, Serguei Beloussov (who became a Singaporean citizen in 2001), and has many persons of Russian origin as key developers and executives. Two of their products, Virtuozzo and Plesk, were spun off as their own companies in 2017. Parallels’ Odin, a complex management stack for billing and provisioning automation used by service providers and private clouds running on VMware’s virtual infrastructure stack and Microsoft’s Azure, was sold to Ingram Micro in 2015. It is unknown how much Russian code is in these systems.

    Acronis, like Parallels, is another company founded by Serguei Beloussov. After founding Parallels in 1999, and being involved with both companies for some time, he became CEO of Acronis in May of 2013. The company specializes in cybersecurity products for end-to-end device protection, and in the past has had bare-metal systems imaging, systems deployment, and storage management products for Microsoft Windows and Linux. The company maintains its global headquarters in Singapore. However, it has substantial R&D operations in Eastern Europe in addition to operations in Israel, Singapore, and the US.

    Veeam Software, founded by Russian-born Ratmir Timashev, concentrates on enterprise backup solutions for VMware and Microsoft public and private cloud stacks. Like Parallels and Acronis, it is also multinational. For many years, it had much of its R&D based out of St. Petersburg, Russia. It was purchased by Insight Partners in 2020, which installed a new management team. However, it has yet to be determined how much Russian legacy code is in its products or continues to be contributed to them.

    These are only just a few examples. Numerous Russian software firms generating billions of dollars of revenue have products and services with significant enterprise penetration in the United States, EMEA, and Asia. There are also many smaller ones that perform niche or specialized services, such as subcontracting. It should also be noted that many mobile apps — including entertainment software for iOS, Android, and Windows — also originate in Russia.

    Russian services firms will also be impacted

    Many global technology giants in the software and services industries have used Russian and Eastern European developers in the past because of their high-quality and value-priced work compared to their US and Western Europe-based counterparts. And many have invested hundreds of millions of dollars in having a developer as well as reseller channel presence in Russia. World governments do not need to levy Iran-style isolationist sanctions against Russia for a snowball effect to start within US corporations that use Russian software or services.

    The escalation into full-blown conflict in Ukraine will make C-seats within global enterprises extremely concerned about using software that originates from Russia or has been produced by Russian nationals. The most conservative companies will probably “rip and replace” most off-the-shelf stuff and go with other solutions, preferably American ones.

    The Russian mobile apps? BYOD mobile device management (MDM) policies will wall them off from being installed on any device that can access a corporate network. And if sanctions are put in place by world governments, we can expect them to disappear entirely from the mobile device stores. Countless games and apps originating from Russia could be no more when actual sanctions on that industry are implemented.

    But C-seats aren’t going to wait for governments to ban Russian software. If there is any lack of confidence in a vendor’s trustworthiness, or if there is any concern that their customer loyalty can be swapped out or influenced by the Putin regime and used to compromise their own systems, be assured that software of Russian origin will disappear very quickly from enterprise IT infrastructure. Contractor visas will certainly be canceled en masse or will not be renewed for Russian nationals performing work for large corporations. You can count on it.

    Any vendor that is being considered for a large software contract with a US company is going to undergo significant scrutiny and will be asked if any of their product involved Russian developers. If it doesn’t pass the most basic audits and sniff tests, they can just forget about doing business in this country. So if a vendor does have a prominent Russian developer headcount, they will have to pack up shop and move those labs back to the US or a country that is better aligned with US interests — as we have seen with the companies listed above. This goes especially for anybody wanting to do federal contract work.

    Then there is the issue of custom code produced by outsourced firms. That gets a lot trickier. Obviously, there’s the question of how recent the code is and whether or not there are suitable methods in place to audit it. We can expect that there will be services products offered shortly by US and Western European IT firms to pore through vast amounts of custom code so that they can be sure Russian nationals leave behind no backdoor compromises under the influence of the Putin regime.

    If you thought your Y2K mitigation was expensive, wait until your enterprise experiences the Russian Purge. I don’t have to tell any of you just how expensive a proposition this is. The wealthiest corporations, sensing a huge risk to security and customer confidence, will address this as quickly as possible and swallow the bitter pill of costly audits. But many companies may not have the immediate funds to do it. They will try their best to mitigate the risk on their own, and compromised code may sit around for years until major system migrations occur and the old code gets (hopefully) flushed out.

    We will almost certainly be dealing with Russian cyberattacks from within the walls of our own companies for years to come, from software initially developed under the auspices of having access to relatively cheap and highly-skilled strategically outsourced programmer talent.

    Will Russian software and services become the first victim in a Digital War? Talk Back and Let Me Know.

    Darktrace acquires attack surface analytics firm Cybersprint

    Darktrace has acquired Cybersprint in a deal worth €47.5 million. 

    The acquisition was announced on Wednesday. Under the terms of the agreement, Darktrace will pay €47.5 million ($53.7m), 75% of which will be handed over in cash, and 25% will be transferred through equity. According to the British cybersecurity firm, the agreed purchase price is roughly 12.5 times Cybersprint’s annual recurring revenue (ARR).

    Located in the Netherlands, Cybersprint aims to “improve digital security around the globe” through the development of the Attack Surface Management platform, which leverages artificial intelligence (AI) and machine learning (ML) algorithms to automatically scan, map, and correlate business assets, as well as identify any weaknesses, vulnerabilities, and blind spots that external threats could take advantage of. Cybersprint says the platform provides an “outside-in perspective, similarly to how hackers see your brand.”

    Darktrace considers Cybersprint’s technologies to be potentially “enriching” resources able to augment the capabilities of the Darktrace Detect and Respond product line. Darktrace solutions are based on ML algorithms designed to make calculations from real-world data feeds. Cybersprint’s platform will be integrated as a new module in Prevent and will be used to generate data for the Darktrace cross-domain Attack Path Modeling security suite.

    According to Darktrace, the acquisition will “accelerate the company’s market entry into new areas like proactive AI cybersecurity.” In addition, the cybersecurity firm will secure Cybersprint’s research & development center in The Hague. Darktrace already operates a separate R&D team in Cambridge, England.

    Darktrace aims to complete the deal in March 2022. The purchase is not expected to materially impact Darktrace’s 2022 financial results.

    “I’m very excited about this fantastic step in the journey of Cybersprint,” commented Pieter Jansen, CEO of Cybersprint. “When we began conversations with Darktrace, we felt an instant connection on vision, culture, and technology. That’s why we are looking forward to joining Darktrace and working together to accelerate state-of-the-art innovations to make organizations more cyber secure.”

    Asia most targeted region in 2021, taking on one in four cybersecurity attacks

    Asia was the most targeted region last year, accounting for one in four cybersecurity attacks launched worldwide. Japan, Australia, and India experienced the most incidents in the region, where server access and ransomware were amongst the most popular forms of attacks.

    Financial services and manufacturing organisations also bore the brunt of attacks in Asia, taking on almost 60% of such incidents, according to IBM’s annual X-Force Threat Intelligence Index. IBM Security monitors 150 billion security events daily across more than 130 countries, pulling from data sources such as network and endpoint detection devices, incident response engagements, and phishing kit tracking. Finance and insurance companies, in particular, took on 30% of attacks IBM was able to remediate. Manufacturing organisations bore 29% of attacks in the region, followed by professional and business services at 13% and the transport sector at 10%.

    Asia took on 26% of cybersecurity attacks IBM observed globally. Japan, in particular, saw significant activities that the tech vendor attributed to the Summer Olympic Games, which were held in Tokyo last July. Europe and North America received 24% and 23%, respectively, of attacks launched last year, while the Middle East and Africa took on 14% and Latin America received 13%.  In Asia, server access attacks and ransomware were the top two forms of attacks last year, accounting for 20% and 11%, respectively, of all incidents. Data theft came in third at 10%, while remote access trojans and adware each accounted for 9% of attacks. The high portion of server access attacks might point to Asian organisations’ ability to identify such attacks quickly before they escalated to more critical forms of attacks, IBM noted. It added that REvil accounted for 33% of ransomware attacks in Asia, with others such as Bitlocker, Nefilim, MedusaLocker, and Ragnar Locker also surfacing last year.Hackers also looked to exploit vulnerabilities and tapped phishing as a way to breach businesses in Asia, with both tied as the top infection vectors contributing to 43% of attacks. Brute force was used in 7% of attacks while another 7% of hackers used stolen credentials to gain initial access to networks.  Worldwide, IBM said there was a 33% climb in attacks brought about by vulnerability exploitation of unpatched software. This led to 44% of ransomware attacks carried out last year. Unpatched vulnerabilities in manufacturing companies, specifically, resulted in 47% of attacks. This vertical experienced the most attacks last year, taking on 23% of the overall global count. Financial services and insurance previously had been the most targeted industry, according to IBM. 
“Experiencing more ransomware attacks than any other industry, attackers wagered on the ripple effect that disruption on manufacturing organisations would cause their downstream supply chains to pressure them into paying the ransom,” the report noted. It stressed the need for enterprises to prioritise vulnerability management to mitigate security risks. Unpatched vulnerabilities led to half of attacks in Asia, Europe, and MEA last year.

According to IBM, ransomware remained the top attack method in 2021. In addition, the average lifespan of a ransomware group before it shuttered or rebranded was estimated to be 17 months. The report pointed to REvil, which was responsible for 37% of all ransomware attacks in 2021 and had operated for four years through various rebrands. This suggested the likelihood it had resurfaced despite its takedown in an operation involving multiple governments in mid-2021.

Hackers also had their eyes on cloud environments. The amount of new Linux ransomware code climbed 146% last year, alongside a shift in target focus towards Docker containers. These activities could make it easier for more threat actors to tap cloud platforms for malicious purposes, IBM warned.

    Fortinet: Log4j had nearly 50x activity volume of ProxyLogon

Cybersecurity giant Fortinet found that Log4j had nearly 50 times the activity volume compared to ProxyLogon, based on peak 10-day average volume in the second half of 2021. The finding was part of the company’s FortiGuard Labs Global Threat Landscape Report released this week. The Fortinet report also spotlighted attacks on Linux systems, many of which come in the form of executable and linkable format (ELF) binaries. “The rate of new Linux malware signatures in Q4 quadrupled that of Q1 2021 with ELF variant Muhstik, RedXOR malware, and even Log4j being examples of threats targeting Linux. The prevalence of ELF and other Linux malware detections doubled during 2021,” the report explained. “This growth in variants and volume suggests that Linux malware is increasingly part of adversaries’ arsenal.”
Threat actors are also evolving their use of botnets beyond DDoS attacks. Instead of being “primarily monolithic,” Fortinet said botnets “are now multipurpose attack vehicles leveraging a variety of more sophisticated attack techniques, including ransomware.” “For example, threat actors, including operators of botnets like Mirai, integrated exploits for the Log4j vulnerability into their attack kits. Also, botnet activity was tracked associated with a new variant of the RedXOR malware, which targets Linux systems for data exfiltration. Detections of botnets delivering a variant of RedLine Stealer malware also surged in early October morphing to find new targets using a COVID-themed file,” the report said.

The report went into detail about how cyberattackers are maximizing attack vectors associated with remote work and learning. Fortinet saw an explosion in various forms of browser-based malware that appeared in the form of phishing lures as well as scripts that inject code or redirect users to malicious sites.

The researchers split the distribution mechanisms into three broad categories: Microsoft Office executables (MSExcel/, MSOffice/), PDF files, and browser scripts (HTML/, JS/). “Such techniques continue to be a popular way for cybercriminals to exploit people’s desire for the latest news about the pandemic, politics, sports, or other headlines, and to then find entryways back to corporate networks. With hybrid work and learning remaining a reality, there are fewer layers of protection between malware and would-be victims,” Fortinet said.

When it comes to ransomware, Fortinet said it continues to see a mix of new and old ransomware strains used in attacks. FortiGuard Labs said it “observed a consistent level of malicious activity involving multiple ransomware strains, including new versions of Phobos, Yanluowang and BlackMatter.” Researchers with Fortinet noted that the Log4j vulnerabilities and others were one example of how quickly cybercriminals and nation states move in exploiting widespread flaws. Derek Manky, chief of security insights and global threat alliances at FortiGuard Labs, said new and evolving attack techniques span the entire kill chain, but especially the weaponization phase, showing an evolution to a more advanced persistent cybercrime strategy that is more destructive and unpredictable.