More stories

    Agent Tesla ramps up its game in bypassing security walls, attacks endpoint protection

    Agent Tesla malware variants are now using new techniques to try to disable endpoint antivirus protection. 

    On Tuesday, Sophos researchers said that two new variants of the Remote Access Trojan (RAT) are targeting the Microsoft Antimalware Scan Interface (AMSI), the interface that scanning and analysis software uses to inspect content before it runs and so prevent malware infections from taking hold. 
    Agent Tesla operators will now attempt to tamper with AMSI to degrade its defenses and remove endpoint protection at the point of execution. If successful, this allows the malware to deploy its full payload. 
    First discovered in 2014, Agent Tesla is a commercial RAT written in .NET and is a well-known information stealer. The malware is often spread through phishing campaigns and malicious email attachments and is used to harvest account credentials, steal system data, and give attackers remote access to a compromised PC. 
    Phishing email samples include package delivery notices, attachments claiming to be catalogs, PPE offerings related to COVID-19, and when used against organizations they may also relate to business-critical issues such as invoicing. 
    Sophos says that the malware, which is under constant development, includes a .NET downloader that fetches malicious code hosted on legitimate websites, including Pastebin, where it is published in base64-encoded and obfuscated form. 
    These chunks of code are merged, decoded, and decrypted to form the main loader. 

    If AMSI has been successfully disarmed, this loader is then installed and can run without any interference, deploying Agent Tesla in full in order to take screenshots, log keyboard input, steal data saved on clipboards, and grab credentials from browsers, email clients, apps, and more. 
    Other updates to the malware, labeled Tesla 2 and 3, include a longer list of applications targeted for credential theft and enhanced obfuscation, as well as options for operators to use the Tor client and Telegram’s messaging API when connecting to command-and-control (C2) servers.
    Target applications include Opera, Chromium, Chrome, Firefox, OpenVPN, and Outlook.
    “The differences we see between v2 and v3 of Agent Tesla appear to be focused on improving the success rate of the malware against sandbox defenses and malware scanners, and on providing more C2 options to their attacker customers,” the researchers say.
    Criminal clients can also choose to maintain persistence by executing the malware on system starts and can remotely uninstall Agent Tesla if they wish. If another, past version of the malware is detected on the target system and the option to maintain persistence is selected, both versions 2 and 3 will remove it. 
    Sophos says that in December 2020, Agent Tesla payloads accounted for approximately 20% of all malicious email attachments. 

    Ransomware payments are going down as more victims decide not to pay up

    The average ransom paid to cyber criminals following a ransomware attack is falling as more companies become reluctant to give into extortion demands.
    Analysis by cybersecurity company Coveware has found that the average ransom payment paid following a ransomware attack decreased by a third in the final quarter of 2020, dropping to $154,108 from $233,817 during the previous three months.

    The company attributes the drop in the average ransom payment to victims choosing not to give into demands to pay bitcoin in exchange for the decryption key, which the criminals claim will restore the network to working order.
    While it’s positive that a higher percentage of these victims are choosing not to pay cyber criminals, there’s still a large number of organisations that do give in, allowing ransomware to remain profitable, even if those behind the attacks have been making slightly less money. However, it might be enough for some ransomware operators to reconsider whether the effort is worth it.
    “When fewer companies pay, regardless of the reason, it causes a long-term impact, that compounded over time can make a material difference in the volume of attacks,” said a blog post by Coveware.
    The rise in organisations choosing not to give into extortion tactics around ransomware has also led the gangs to change their tactics, as shown by the increase in ransomware attacks where criminals threaten to leak stolen data if the victim doesn’t pay. According to Coveware, these accounted for 70% of ransomware attacks in the final three months of 2020 – up from 50% during the previous three months.

    However, while almost three-quarters of organisations threatened with data being published between July and September paid ransoms, that dropped to 60% for organisations who fell victim between October and December.
    Researchers note that even if the ransom is paid, there’s no guarantee that criminals will delete the data, and instead they may use it for some other malicious purposes, something which organisations might be considering when making a decision over payment.
    And, as cybersecurity companies and law enforcement agencies warn, any payment made following a ransomware attack just motivates the criminals to continue attacks.
    Ransomware also continues to be a success because cyber criminals are able to successfully breach insecure networks in order to lay down the foundations of attacks.
    Phishing emails and exploitation of Remote Desktop Protocol (RDP) are the most common methods for ransomware attacks to enter networks. While a phishing email relies on victims opening malicious documents or links to set the attack in motion, RDP doesn’t need an individual in the victim organisation to be involved at all, because attackers are able to abuse leaked credentials.
    In both of these cases, the ransomware is finding a way into networks because cyber criminals are exploiting security vulnerabilities. Applying security patches to prevent malicious hackers using known vulnerabilities can go a long way to stopping malware being executed on the network.
    Using tools like two-factor authentication can help prevent attackers gaining a foothold on the network, because even if they have the right login credentials, it’s much harder to exploit them.
    Meanwhile, regularly updating offline backups also provides organisations that do fall victim to ransomware attacks with a means of restoring the network without rewarding criminals.
    Ransomware gangs now have industrial targets in their sights. That raises the stakes for everyone

    Ransomware attacks are a potential danger for any organisation, with ransomware variants including Conti, Egregor, Maze and many others still successfully compromising victims across all industries – but there are some industries that criminal gangs are targeting more than others.
    The ransomware attacks are successful because many organisations can’t afford for their network to be out of service for a sustained period of time, so many businesses still take what they perceive to be the quickest and easiest route to restoring the network by giving in to the criminals’ ransom demands.

    A recent report by cybersecurity company Digital Shadows examined which industries were most targeted by ransomware during 2020. While almost every industry found itself dealing with ransomware gangs over the course of the past 12 months, industrial goods and services was the most targeted, accounting for 29% – or almost one in three – ransomware attacks.
    That number of attacks is more than those on the next three most targeted sectors – construction, technology and retail – combined.
    Manufacturers and infrastructure operators can make a tempting target for ransomware attacks because organisations in these sectors need to be in operation around the clock, whether that’s running a factory production line or operating a utilities plant. If they can’t provide these services, there can be wide-ranging impacts further down the supply chain.
    “Industrial organisations will feel more pressure to pay the ransom as periods of inoperability have significant impacts to their customers. This may result in a perception that organizations in this area are more likely to pay a ransom demand compared to organizations in other sectors,” says Jamie Hart, cyber-threat intelligence analyst at Digital Shadows.

    These systems also tend to be in constant use, which creates another problem: operators may be reluctant to take them offline to apply the steady flow of routine software patches needed to close the security vulnerabilities that give ransomware gangs access in the first place. That’s if the machines can receive security updates at all, because obsolete, unsupported technology is still common in many industrial environments.
    “Organisations in this vertical are heavily reliant on systems that are outdated and thus require significant efforts to maintain vulnerability management. Additionally, these systems are so vital to the day-to-day operations of these organizations taking them offline for patching is a significant undertaking,” says Hart.
    This reliance on older systems and the need for constant uptime, therefore, makes industrial plants tempting victims for ransomware attacks. For the cyber criminals, it’s all about the money and they’re targeting factories because they know there’s money to be made, potentially against a soft target that will be willing to pay up.
    “Ransoming an enterprise, that’s one thing. Ransoming an industrial plant that has a 15-million-a-day production line that would be affected by downtime, that’s another,” says Rob Lee, CEO and co-founder of Dragos, a company specialising in industrial cybersecurity. “It will be extremely enticing for ransomware operators.”
    Most ransomware targets the PCs and servers on the business network (which is often enough to shut down operations), but some goes further and targets the industrial systems too. A few specialist ransomware operations are looking to take attacks even further in their quest to make money, with variants like EKANS specifically designed to target industrial control systems (ICS).
    The prospect of ransomware encrypting ICS in factories is worrying enough, but there’s also the potential that these gangs could target critical infrastructure and attempt to hold energy, water and other utilities hostage.
    These aren’t products that organisations and individuals could go without for a few days – if a cyber criminal has the ability to shut down the power of a city, the impact is going to be felt far and wide.
    There have been some examples of likely state-sponsored hackers compromising critical infrastructure suppliers and tampering with the systems, such as Stuxnet – a malware attack that caused substantial damage to Iran’s nuclear program by spinning up centrifuges to the extent it tore them apart.
    There’s also Industroyer – also known as CrashOverride – which caused a power grid blackout across a large area of Ukraine in December 2016.
    Inevitably, where state-backed cyber attackers lead, cyber criminals will follow – as demonstrated by the uptake of leaked NSA hacking tool EternalBlue, which not only helped power destructive attacks like North Korea’s WannaCry campaign and Russia’s NotPetya attack, but was taken up by cyber criminals to distribute ransomware, malware, cryptocurrency miners and other malicious payloads.
    And now cyber criminals are increasingly turning towards targeting industrial control systems as they learn how previous attacks work and attempt to mimic techniques and procedures in ransomware campaigns.
    “We have rising instances of ransomware actors who are more interested in getting into these spaces to the extent of designing very crude, but very concerning techniques such as terminating processes to extend encryption activity,” says Joe Slowik, senior security researcher at DomainTools.
    Ekans ransomware was first documented in early 2020 and is designed to target Windows machines in industrial environments – complete with commands and processes associated with a number of industrial control system-specific functionalities, with the intention of stopping them as part of a ransomware attack.
    It’s a cyber-criminal operation designed purely for financial gain – especially as a utilities provider can’t wait for weeks to restore the network, so could be pushed into paying the ransom in the hope that applying the decryption key solves the immediate problems.
    But encrypting industrial control systems is different to encrypting the network of enterprise business – these systems can control machines that have a physical presence in the world and disruption of these machines could potentially lead to unforeseen consequences. Shutting down a factory is not quite the same as shutting down a PC.
    “A combination of the deliberate intention of trying to hold industrial operations to ransom, as well as the unintentional impact of if you terminate these things in the wrong way, can lead to not just classic ransomware problems but potentially serious implications,” says Slowik.
    Currently, ransomware that targets industrial control systems is still a rare occurrence – even if wider industrial environments still regularly find themselves on the receiving end of ransomware attacks. But in both cases, there are things the organisations can do to minimise the chances of falling victim to a ransomware attack in the first place.
    Unpatched security vulnerabilities can allow ransomware and other malware to enter and propagate around the network, so it’s highly recommended that critical security updates are applied soon after they’re released as they’re there to protect against known vulnerabilities. While it might be painful to briefly disrupt parts of the network to make sure the patches are applied, it’s going to be less painful than falling victim to a cyberattack.
    In addition to this, anything that can’t receive security updates for one reason or another should be segmented from the rest of the network – if it even needs to be outwardly facing the internet at all – to help prevent cyber criminals from using more vulnerable systems as a gateway to the rest of the network.
    Crucially, industrial organisations should be bolstering their cybersecurity now – not when it’s already too late to protect against potentially damaging attacks.
    “I don’t think we should be freaking out now, I don’t think the sky is falling, but I think we’re in that five-year event window where this gets really bad. If you want to get ahead of that, you better be starting now,” says Lee.
    Microsoft tracked a system sending a million malware emails a month. Here's what it discovered

    Microsoft has posted an extensive account of its investigation of the systems used to fire out millions of emails distributing at least seven different types of malware.
    Microsoft identifies two elements of the new email infrastructure, which it discovered in March and April and then tracked for the rest of the year. It calls the first segment StrangeU because it often uses the word “strange” in new domains. The second segment used a domain generation algorithm (DGA), a technique for creating domain names randomly, and was thus dubbed RandomU.
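The two naming patterns described above suggest a simple mail-log triage heuristic. The following is an added example, not Microsoft’s detection logic and not code from the original article: it flags sender domains that contain “strange” (StrangeU-like) or whose registrable label looks machine-generated (RandomU-like), using character entropy, vowel ratio and digit count as the assumed DGA indicators. The log lines and domains are constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed SMTP receive-log lines (not real data). The sender domains are
# invented to imitate the two naming patterns the article describes.
SAMPLE_LOG = """\
2021-03-02T08:14:05Z accept from=billing@strangeupdate-mail.com to=ap@corp.example
2021-03-02T08:14:09Z accept from=noreply@xq7vkl2pmzr9ht.net to=hr@corp.example
2021-03-02T08:15:31Z accept from=newsletter@microsoft.com to=it@corp.example
2021-03-02T08:16:02Z accept from=alerts@strange-notify.info to=ops@corp.example
2021-03-02T08:17:44Z accept from=team@zdnet.com to=it@corp.example
2021-03-02T08:18:10Z accept from=info@kj9dwqp3lsu.com to=ops@corp.example
"""

FROM_RE = re.compile(r"from=[^@\s]+@([A-Za-z0-9.-]+)")

# Assumed thresholds for the DGA heuristic; tune against your own mail flow.
MIN_LABEL_LEN = 10
MIN_ENTROPY = 3.0
MAX_VOWEL_RATIO = 0.25
MIN_DIGITS = 2


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain):
    """Crude second-level label (no public-suffix list; assumption for the example)."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_random(label):
    """DGA-style heuristic: long, high-entropy label with few vowels or several digits."""
    if len(label) < MIN_LABEL_LEN:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    digits = sum(ch.isdigit() for ch in label)
    return shannon_entropy(label) >= MIN_ENTROPY and (
        vowel_ratio < MAX_VOWEL_RATIO or digits >= MIN_DIGITS
    )


def classify_domain(domain):
    """Return 'strangeu-like', 'dga-like' or 'ok' for a sender domain."""
    label = registrable_label(domain)
    if "strange" in label:
        return "strangeu-like"
    if looks_random(label):
        return "dga-like"
    return "ok"


def scan_log(text):
    """Yield (domain, verdict) for every flagged sender domain in the log text."""
    findings = []
    for line in text.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue
        domain = m.group(1)
        verdict = classify_domain(domain)
        if verdict != "ok":
            findings.append((domain, verdict))
    return findings


if __name__ == "__main__":
    for domain, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:14s} {domain}")
```

A hit is a triage signal, not proof: newly registered domains and sender reputation should be checked before blocking.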

    “The emergence of this infrastructure in March dovetailed with the disruption of the Necurs botnet that resulted in the reduction of service,” security researchers from the Microsoft 365 Defender Threat Intelligence Team said. 
    Necurs was a large and long-running botnet with a history in delivering the Dridex banking trojan, but it’s also been used to distribute ransomware, remote access trojans, and information-stealing trojans. 
    Necurs is an example of a for-hire operation that leases delivery capacity as a service, while allowing attackers to focus on malware production. 
    “The StrangeU and RandomU infrastructure appear to fill in the service gap that the Necurs disruption created, proving that attackers are highly motivated to quickly adapt to temporary interruptions to their operations,” Microsoft notes. 

    The new email infrastructure has predominantly targeted machines in the US, Australia, and the UK in the wholesale distribution, financial services, and healthcare industries.
    Initially, it was used to distribute commodity malware, but in September the Dridex and Trickbot operators started using the infrastructure too. Trickbot was taken down last October, but reappeared in January and has gained a new component that scans local networks for valuable open ports that can be attacked later.  
    Some of the notable campaigns using StrangeU and RandomU since March include: 
      • Korean spear-phishing campaigns that delivered Makop ransomware in April and June
      • Emergency alert notifications that distributed Mondfoxia in April
      • A Black Lives Matter lure that delivered Trickbot in June
      • A Dridex campaign delivered through StrangeU and other infrastructure from June to July
      • A Dofoil (SmokeLoader) campaign in August
      • Emotet and Dridex activity in September, October, and November
    On June 10, security firm Fortinet reported a mass email campaign with malicious Word attachments and subject headers that appeared to target people sympathetic to the BLM movement. The emails purported to seek feedback on the movement. As Microsoft notes, multiple campaigns that month carried Trickbot. 
    Microsoft notes these campaigns mostly targeted corporate email accounts in the US and Canada and avoided consumer accounts. The campaigns were also small, designed to evade detection. 
    The Dridex campaigns from late June and through July used StrangeU and compromised corporate email accounts to deliver Excel documents with malicious macros.    

    Despite all this complexity, Microsoft notes that many of the fundamentals remain the same.
    “As attacks continue to grow in modularity, the tactics that attackers use to deliver phishing email, gain initial access on systems, and move laterally will continuously become more varied. This research shows that despite these disparities and the increased resiliency attackers have built, the core tactics and tools that they use are still limited in scope, relying repeatedly on familiar malicious macros, lures, and sending tactics,” it said.

    This Linux malware is hijacking supercomputers across the globe

    A small but complex malware variant is targeting supercomputers worldwide.

    Reverse engineered by ESET and described in a blog post on Tuesday, the malware has been traced back to attacks against supercomputers used by a large Asian Internet Service Provider (ISP), a US endpoint security vendor, and a number of privately-held servers, among other targets. 
    The cybersecurity team has named the malware Kobalos after the kobalos, a small creature in Greek mythology believed to cause mischief. 
    Kobalos is unusual for a number of reasons. The malware’s codebase is tiny but is sophisticated enough to run against at least Linux, BSD, and Solaris. ESET suspects it may also be compatible with attacks against AIX and Microsoft Windows machines. 
    “It has to be said that this level of sophistication is only rarely seen in Linux malware,” commented cybersecurity researcher Marc-Etienne Léveillé.
    While working with the CERN Computer Security Team, ESET realized the “unique, multiplatform” malware was targeting high-performance computing (HPC) clusters. In some infections, a ‘sidekick’ malware hijacks SSH server connections to steal credentials, which are then used to gain access to HPC clusters and deploy Kobalos. 
    “The presence of this credential stealer may partially answer how Kobalos propagates,” the team says. 

    Kobalos is, in essence, a backdoor. Once the malware has landed on a supercomputer, the code buries itself in an OpenSSH server executable and will trigger the backdoor if a call is made through a specific TCP source port.
    Other variants act as middlemen for traditional command-and-control (C2) server connections.
    Kobalos grants its operators remote access to file systems, allows them to spawn terminal sessions, and acts as a connection point to other servers infected with the malware. 
    ESET says that a unique facet of Kobalos is its ability to turn any compromised server into a C2 through a single command. 
    “As the C2 server IP addresses and ports are hardcoded into the executable, the operators can then generate new Kobalos samples that use this new C2 server,” the researchers noted. 
    The malware was a challenge to analyze because all of its code is held in a “single function that recursively calls itself to perform subtasks,” ESET says, adding that all strings are encrypted as a further barrier to reverse engineering. For now, more research needs to be conducted into the malware — and into who may be responsible for its development.
    “We were unable to determine the intentions of the operators of Kobalos,” ESET commented. “No other malware, except for the SSH credential stealer, was found by the system administrators of the compromised machines. Hopefully, the details we reveal today in our new publication will help raise awareness around this threat and put its activity under the microscope.”

    Ransomware: A company paid millions to get their data back, but forgot to do one thing. So the hackers came back again

    A company that fell victim to a ransomware attack and paid cyber criminals millions for the decryption key to restore their network fell victim to the exact same ransomware gang under two weeks later after failing to examine why the attack was able to happen in the first place.
    The cautionary tale is detailed by the UK’s National Cyber Security Centre (NCSC) in a blog post about the rise of ransomware.

    The unnamed company fell victim to a ransomware attack and paid millions in bitcoin in order to restore the network and retrieve the files.
    However, the company left it at that, failing to analyse how the cyber criminals had got into the network – an omission that came back to haunt them when the same gang infected the network with the same ransomware less than two weeks later. The company ended up paying a ransom a second time.
    “We’ve heard of one organisation that paid a ransom (a little under £6.5million with today’s exchange rates) and recovered their files (using the supplied decryptor), without any effort to identify the root cause and secure their network. Less than two weeks later, the same attacker attacked the victim’s network again, using the same mechanism as before, and re-deployed their ransomware. The victim felt they had no other option but to pay the ransom again,” the NCSC blog said.
    The NCSC has detailed the incident as a lesson for other organisations – and the lesson is that if you fall victim to a ransomware attack, find out how it was possible for cyber criminals to embed themselves on the network undetected before the ransomware payload was unleashed.

    “For most victims that reach out to the NCSC, their first priority is – understandably – getting their data back and ensuring their business can operate again. However, the real problem is that ransomware is often just a visible symptom of a more serious network intrusion that may have persisted for days, and possibly longer,” said the blog post by an NCSC technical lead for incident management.
    In order to install ransomware, cyber criminals may have been able to gain backdoor access to the network – potentially via a previous malware intrusion – as well as having administrator privileges or other login credentials.
    If the attackers have that, they could easily deploy another attack if they wanted to – and did, in the example detailed above, as the victim hadn’t examined how their network was compromised.
    Examining the network after a ransomware incident to determine how the malware got in and how it stayed undetected for so long is therefore something every organisation that falls victim should do alongside restoring the network – or preferably before it even thinks about restoring the network.
    Some might believe that paying the ransom is the quickest and most cost-effective way to restore the network, but that is rarely the case: not only is the ransom paid, potentially at a cost of millions, but the post-event analysis and rebuilding of a damaged network also cost large amounts.
    And as the NCSC notes, falling victim to a ransomware attack will often lead to an extended period of disruption before operations resemble anything normal.
    “Recovering from a ransomware incident is rarely a speedy process. The investigation, system rebuild and data recovery often involves weeks of work,” said the post.
    The best way to avoid any of this is to ensure your network is secure against cyberattacks in the first place by doing things like making sure operating systems and security patches are up to date and applying multi-factor authentication across the network.
    It’s also recommended that organisations regularly back up their networks – and store those backups offline – so that in the event of a successful ransomware attack the network can be restored with the least possible disruption.

    Ransomware gangs are abusing VMware ESXi exploits to encrypt virtual hard disks

    At least one major ransomware gang is abusing vulnerabilities in the VMware ESXi product to take over virtual machines deployed in enterprise environments and encrypt their virtual hard drives.

    The attacks, first seen last October, have been linked to intrusions carried out by a criminal group that deployed the RansomExx ransomware.
    According to multiple security researchers who spoke with ZDNet, evidence suggests the attackers used CVE-2019-5544 and CVE-2020-3992, two vulnerabilities in VMware ESXi, a hypervisor solution that allows multiple virtual machines to share the same hard drive storage.
    Both bugs affect the Service Location Protocol (SLP), a protocol that devices on the same network use to discover each other and which ships with ESXi.
    The vulnerabilities allow an attacker on the same network to send malicious SLP requests to an ESXi device and take control of it, even if the attacker has not managed to compromise the VMware vCenter server to which the ESXi instances usually report.
    In attacks that took place last year, the RansomExx gang was seen gaining access to a device on a corporate network and using that initial foothold to attack local ESXi instances and encrypt their virtual hard disks. Because ESXi virtual disks typically centralize data from many virtual machines, this caused massive disruption to the affected companies.
    Reports of these attacks have been documented on Reddit, shared on Twitter, presented at a security conference last month, and confirmed in interviews with ZDNet over the past two months.

    “Free threat intel – identify and patch VMware ESX vulnerabilities CVE-2019-5544 and CVE-2020-3992. Ransomware group using them to bypass all Windows OS security, by shutting down VMs and encrypting the VMDK’s directly on hypervisor.”
    — Kevin Beaumont (@GossiTheDog), November 7, 2020

    For now, only the RansomExx (also known as Defray777) gang has been seen abusing this trick, but in a mysterious update last month the operator of the Babuk Locker ransomware also announced an eerily similar feature, although successful attacks have not yet been confirmed.

    System administrators at companies that rely on VMware ESXi to manage the storage used by their virtual machines are advised either to apply the necessary ESXi patches or, if the protocol isn’t needed, to disable SLP support to prevent these attacks.

    Rapid7 acquires Kubernetes security provider Alcide for $50 million

    Cybersecurity firm Rapid7 said it has signed a deal to acquire Alcide, a developer of Kubernetes security technology, for roughly $50 million. The security analytics provider revealed the deal on Monday, saying the acquisition will help its customers manage the security of their cloud and container environments.

    Based in Tel Aviv, Alcide’s technology aims to bridge security and DevOps with code-to-production security for Kubernetes deployments. 
    According to Rapid7, Alcide’s cloud workload protection platform (CWPP) can be combined with the company’s existing cloud security posture management service to offer customers a more unified platform for application security management. 
    “We are thrilled to welcome Alcide to Rapid7,” said Corey Thomas, CEO of Rapid7. “The technical talent within Israel’s cybersecurity ecosystem is unparalleled and we look forward to working together with the Alcide team to provide organizations with comprehensive cloud security that drives business growth and innovation.”
    Rapid7’s purchase of Alcide comes on the heels of its acquisition of DivvyCloud in April 2020. The company said both acquisitions are meant to bolster its ability to provide customers with a cloud native security platform for managing risk and compliance.