More stories

  • Linux version of RansomEXX ransomware discovered

    Security firm Kaspersky said today that it discovered a Linux version of the RansomEXX ransomware, marking the first time a major Windows ransomware strain has been ported to Linux to aid in targeted intrusions.

    RansomEXX is a relatively new ransomware strain that was first spotted earlier this year in June.
    The ransomware has been used in attacks against the Texas Department of Transportation, Konica Minolta, US government contractor Tyler Technologies, Montreal’s public transportation system, and, most recently, against Brazil’s court system (STJ).
    RansomEXX is what security researchers call a “big-game hunter” or “human-operated ransomware.” These two terms are used to describe ransomware groups that hunt large targets in search of big paydays, knowing that some companies or government agencies can’t afford to stay down while they recover their systems.
    These groups buy access or breach networks themselves, expand access to as many systems as possible, and then manually deploy their ransomware binary as a final payload to cripple as much of the target’s infrastructure as possible.
    But over the past year, there has been a paradigm shift in how these groups operate.
    Many ransomware gangs have realized that attacking workstations first isn’t a lucrative deal, as companies tend to re-image affected systems and move on without paying ransoms.

    In recent months, in many incidents, some ransomware gangs haven’t bothered encrypting workstations and have first and foremost targeted crucial servers inside a company’s network, knowing that by taking down these systems first, companies wouldn’t be able to access their centralized data troves, even if workstations were unaffected.
    The RansomEXX gang creating a Linux version of their Windows ransomware is in tune with how many companies operate today, with many firms running internal systems on Linux, and not always on Windows Server.
    A Linux version makes perfect sense from an attacker’s perspective: these groups are always looking to expand and touch as much core infrastructure as possible in their quest to cripple companies and demand higher ransoms.
    What we see from RansomEXX may soon turn out to be an industry-defining trend, with other big ransomware groups rolling out their Linux versions in the future as well.
    And, this trend appears to have already begun. According to cyber-security firm Emsisoft, besides RansomEXX, the Mespinoza (Pysa) ransomware gang has also recently developed a Linux variant from their initial Windows version.
    But Linux ransomware is also not unique. In the past years, other ransomware gangs have created Linux ransomware strains as well, such as the Snatch group. However, those groups were small-time operations that relied on spam campaigns to infect victims, were rarely successful, and did not engage in targeted intrusions like the current generation of ransomware groups we see today.
    Emsisoft says the RansomEXX Linux variants they’ve detected were seen as far back as July. Configuring systems to detect RansomEXX Linux variants isn’t a solid strategy because of the way big-game hunter ransomware crews operate. By the time attackers deploy the ransomware, they already own most of a company’s network. The best strategy companies can take against these types of intrusions is to secure network perimeters by applying security patches to gateway devices and by making sure they are not misconfigured with weak or default credentials.
    Technical details about the RansomEXX Linux variant are available in the Kaspersky report.

  • This hacking group is using previously unknown tools to target defence contractors

    Hackers used previously unknown tools in a cyber-espionage campaign targeting defence and aerospace companies, in a social engineering and phishing campaign that is more widely targeted than first thought.
    Researchers at McAfee first detailed Operation North Star earlier this year, but further analysis reveals additional tactics and techniques of the campaign, which has almost identical elements to Hidden Cobra – AKA the Lazarus Group – a hacking operation that the US government and others say is working out of North Korea on behalf of the government in Pyongyang.
    The campaign is still based around spear-phishing emails and LinkedIn messages which pose as job recruitment messages in an effort to lure victims into opening malicious attachments. Hackers even used legitimate recruitment adverts and documents taken from popular US defence contractor websites to make the emails look more authentic.
    But now additional analysis by McAfee has revealed how the attackers use two stages of malware implants. All targets are compromised with the first stage of malware, which allows attackers to gather data including disk information, free disk space, computer name and logged in username and process information.
    The hackers analyse this information to determine if the victim is high-value enough to continue with an attack – if the victim isn’t deemed important enough, the machine is sidelined while the attackers focus on distributing a second-stage malware to victims deemed more worthy of attention.
    The second stage uses a previously known implant called Torisma, a custom-developed tool focused on specialised monitoring of high value victims’ systems, looking to gain access to login credentials and remote desktop sessions – all while remaining undetected.

    “What is clear is that the campaign’s objective was to establish a long-term, persistent espionage campaign focused on specific individuals in possession of strategically valuable technology from key countries around the world,” McAfee researchers said in a blog post.
    For Operation North Star, this meant researching specific target victims and creating custom content to lure them in, then infecting them with malware in an effort to commit espionage.
    Initial reporting of the campaign detailed attacks against targets in the US, but those weren’t the only ones hackers were looking to compromise – analysis of the attacks has revealed that defence and technology contractors in Israel, Russia, India and Australia have also been targeted by this campaign.
    “The actors behind the campaign were more sophisticated than they initially appeared. They are focused and deliberate in what they meant to achieve and more disciplined and patient in executing to achieve their objective,” said researchers.
    Cyber espionage isn’t the only form of cyber attack that North Korea is involved in; hackers working on behalf of Pyongyang regularly steal cryptocurrency to get around international sanctions. North Korea was also blamed for the WannaCry ransomware outbreak.

  • Israeli companies targeted with new Pay2Key ransomware

    Several companies and large corporations from Israel have been breached and had their systems encrypted using a new strain of ransomware named Pay2Key, in what appears to be a targeted attack against Israeli networks.

    The first attacks were seen in late October but have now grown in numbers while also remaining contained to Israel.
    “As days go by, more of the reported ransomware attacks turn out to be related to the new Pay2Key ransomware,” Israeli cyber-security firm Check Point said in a security alert published today.
    According to the company, attacks usually happened after midnight, when companies have fewer IT employees at work.
    The initial entry point for all intrusions is currently believed to be weakly secured RDP (Remote Desktop Protocol) services.
    Access to company networks appears to have been obtained “some time before the attack,” but once the ransomware crew begins its intrusion, it usually takes them an hour to spread to the entire network and encrypt files.
    To avoid having their activities detected, the Pay2Key operators usually set up a pivot point on the local network, through which they proxy all their communications to reduce their detectable network footprint.

    Once the encryption ends, ransom notes are left on the hacked systems, with the Pay2Key gang usually asking for payments of 7 to 9 bitcoins (~$110K-$140K).
    Based on current analysis, Check Point said the encryption scheme appears to be solid (using the AES and RSA algorithms), which unfortunately has prevented the company from creating a free decrypter for victims.
    Researchers say the ransomware has been created from scratch, with no overlaps with other known ransomware strains, and appears to have been named “Cobalt” during an earlier development phase.
    Some sleuthing from the Check Point team has also linked the ransomware to a Keybase account using the same Pay2Key name, registered earlier this year in June, but it is currently unclear who developed the ransomware and why they are targeting only Israeli companies.

  • Vulcan frees up its huge database of IT vulnerability fixes

    Vulcan Cyber has opened its extensive database of vulnerabilities in enterprise IT in a bid to speed up large remediation backlogs and improve team effectiveness.
    The Remedy Cloud is a free website with one of the largest databases of common vulnerabilities and exposures (CVEs) along with the best way to fix each one, patches, and relevant notes.

    “Due to process breakdowns there’s never an end — just a growing backlog of vulnerabilities that require remediation,” says Yaniv Bar-Dayan, CEO of Vulcan. 
    The complexity of enterprise IT operations carries with it a growing number of vulnerabilities that need to be patched. But organizations struggle to identify every vulnerability and then assess which ones are the most important and need to be tackled first.
    Some CVEs have been “weaponized” by criminals and are used to expose sensitive corporate data, which can result in massive fines and lost business trust.
    The backlog in CVE remediation is partly due to a bottleneck that Vulcan says occurs when security teams hand off the fix to DevOps or other IT teams.
    “Vulcan Remedy Cloud streamlines this workflow by providing both teams with remediation playbooks. This one function is extraordinarily effective at creating cross-team alignment and cooperation,” says Bar-Dayan.

    The Vulcan remedies database provides the patches, configuration scripts, and workarounds that have been proven to work with the most challenging vulnerabilities.
    Vulcan also announced a remediation analytics feature added to its paid-for Vulcan remediation orchestration platform, which automates much of the remediation process.

  • US: We've just seized $1bn in bitcoin stolen from Silk Road by 'Individual X' hacker

    The US Justice Department says it’s seized $1bn in bitcoin allegedly stolen by a hacker from Silk Road creator Ross Ulbricht before his arrest for running the dark-web market.
    Announcing the bitcoin seizure from the unnamed hacker, the Department of Justice revealed it is now seeking forfeiture of the illicit funds, which represent its largest haul of cryptocurrency to date.

    Ulbricht operated Silk Road between 2011 and October 2013, when the FBI seized the dark-web site and arrested him. He was convicted in 2015 for money laundering and distributing narcotics, and sentenced to life in prison. He lost an appeal for a new trial in 2017.
    Over that period, the site generated revenues of 9.5 million bitcoins and earned commissions totaling over 600,000 bitcoins.
    According to the complaint, earlier this year law enforcement used a bitcoin attribution company to analyze bitcoin transactions carried out by Silk Road and noticed 54 transactions around 2013 that were sent to two addresses totaling 70,411.46 bitcoins.
    Since the transactions weren’t recorded in Silk Road’s database, it was assumed the funds were stolen.

    In April 2013, the bulk of the funds, totaling 69,471.082201 bitcoins, were sent to an account referred to as ‘1HQ3’, the first characters in the address.
    “Between April 2015 and November 2020, the remainder of the funds, 69,370.082201 bitcoins, remained in 1HQ3. As of November 3, 2020, 1HQ3 had a balance of 69,370.22491543 bitcoin (valued at approximately $1bn as of November 4, 2020),” the document states.
    Investigators determined that the unnamed hacker, referred to as ‘Individual X’ in court documents, was involved in a transaction that related to the account.
    The US Internal Revenue Service and the Justice Department reckon Individual X stole the cryptocurrency from Silk Road.
    “According to the investigation, Ulbricht became aware of Individual X’s online identity and threatened Individual X for return of the cryptocurrency to Ulbricht. Individual X did not return the cryptocurrency but kept it and did not spend it,” the complaint reads.
    Earlier this week, the unnamed hacker agreed to forfeit the cryptocurrency to the US Attorney’s Office, Northern District of California, and on November 3, the US government took possession of the cryptocurrency.
    Now the Justice Department needs to prove that the seized cryptocurrency is subject to forfeiture.
    In 2014 the US government auctioned off about 30,000 of the bitcoins found in the wallet files on Silk Road’s servers.

  • Ransomware gangs that steal your data don't always delete it

    Ransomware gangs that steal a company’s data and then get paid a ransom fee to delete it don’t always follow through on their promise.

    The number of cases where something like this has happened has increased, according to a report published by Coveware this week and according to several incidents shared with ZDNet by security researchers over the past few months.
    These incidents take place only for a certain category of ransomware attacks — namely those carried out by “big-game hunters” or “human-operated” ransomware gangs.
    These two terms refer to incidents where a ransomware gang specifically targets enterprise or government networks, knowing that once infected, these victims can’t afford prolonged downtimes and will likely agree to huge payouts.
    But since the fall of 2019, more and more ransomware gangs began stealing large troves of files from the hacked organizations before encrypting the victims’ files.
    The idea was to threaten the victim to release its sensitive files online if the company wanted to restore its network from backups instead of paying for a decryption key to recover its files.
    Some ransomware gangs even created dedicated portals called “leak sites,” where they’d publish data from companies that didn’t want to pay.


    If hacked companies agreed to pay for a decryption key, ransomware gangs also promised to delete the data they had stolen.
    In a report published this week, Coveware, a company that provides incident response services to hacked companies, said that half of the ransomware incidents it investigated in Q3 2020 had involved the theft of company data before files were encrypted, doubling the number of ransomware incidents preceded by data theft it saw in the previous quarter.
    But Coveware says that these types of attacks have reached a “tipping point” and that more and more incidents are being reported where ransomware gangs aren’t keeping their promises.
    For example, Coveware said it had seen groups using the REvil (Sodinokibi) ransomware approach victims weeks after the victim paid a ransom demand and ask for a second payment using renewed threats to make public the same data that victims thought was deleted weeks before.
    Coveware said it also saw the Netwalker (Mailto) and Mespinoza (Pysa) gangs publish stolen data on their leak sites even if the victim companies had paid the ransom demand. Security researchers have told ZDNet that these incidents were most likely caused by technical errors in the ransomware gang’s platforms, but this still meant that the ransomware gangs hadn’t deleted the data as they promised.
    Further, Coveware also said it observed the Conti ransomware gang send victims falsified evidence as proof of having deleted the data. Such evidence is usually requested by the victim’s legal team, but sending over falsified proof means the ransomware gang never intended to delete the data and was most likely intent on reusing it at a later point.
    On top of this, Coveware said it also saw the Maze ransomware gang post stolen data on their leak sites accidentally, even before they notified victims that they had stolen their files.
    This has also happened with the Sekhmet and Egregor gangs; both considered to have spun off from the original Maze operation, Coveware said.
    In addition to these, ZDNet also learned of additional incidents from other companies providing incident response services for ransomware attacks.
    Most of these incidents involve the Maze gang, the pioneer of the ransomware leak site, and the double-extortion scheme. More exactly, they involve “affiliates,” a term that describes cybercriminals who bought access to the Maze ransomware-as-a-service (RaaS) platform and were using the Maze ransomware to encrypt files.
    But while some affiliates play by the rules, some haven’t. There have been cases where a former Maze affiliate who was kicked out of the Maze RaaS program had approached and tried to extort former victims with the same stolen data for the second time, data which they promised to delete.
    There have also been cases where Maze affiliates accidentally posted stolen data on the Maze leak site, even after a successful ransom payment. The data was eventually taken down, but not before the posts on the Maze site got hundreds or thousands of reads (and potential downloads).
    Things got worse throughout the year for Maze affiliates as antivirus companies started detecting Maze payloads and blocking the encryption and stopping attacks.
    In many of these cases, the Maze affiliates had to settle for using only the data they managed to steal before the encryption was blocked and often had to settle for smaller ransom payments.
    Seeking new avenues of profits, in at least two cases, a Maze group attempted to sell employee credentials and personal data to security researchers posing as underground data brokers.

    These examples confirm what many security researchers had already suspected — namely, that ransomware gangs can’t be trusted or taken on their word.
    “Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end,” Coveware wrote in its report. “Once a victim receives a decryption key, it can’t be taken away and does not degrade with time. With stolen data, a threat actor can return for a second payment at any point in the future.”
    The security firm is now recommending that companies never assume that any of their stolen data has been deleted, and plan accordingly, which usually involves notifying all impacted users and employees.
    This advice is needed because some companies have used the fact that they paid the ransom demand, and that the ransomware gang made a pinky-promise to delete the data, as an excuse not to notify their users and employees.
    Since many of the documents stolen in ransomware attacks contain sensitive personal and financial details, if resold, these documents can be very useful for a slew of fraudulent operations that a victim company’s customers or employees need to be aware of and prepare for.

  • Apple fixes three iOS zero-days exploited in the wild

    Apple has released security updates today for iOS to patch three zero-day vulnerabilities that were discovered being abused in attacks against its users.
    According to Shane Huntley, Director of Google’s Threat Analysis Group, the three iOS zero-days are related to the recent spate of three Chrome zero-days and a Windows zero-day that Google had previously disclosed over the past two weeks.
    Just like in the four previous cases, Google has not shared details about the attacker(s) or their target(s).

    “Targeted exploitation in the wild similar to the other recently reported 0days. Not related to any election targeting.”
    — Shane Huntley (@ShaneHuntley) November 5, 2020

    While it’s unknown if the zero-days have been used against selected targets or en masse, iOS users are advised to update to iOS 14.2, just to be on the safe side.
    The same security bugs have also been fixed in iPadOS 14.2 and watchOS 5.3.8, 6.2.9, and 7.1, and have also been backported for older generation iPhones via iOS 12.4.9, also released today.
    According to Google Project Zero team lead Ben Hawkes, whose team discovered and reported the attacks to Apple, the three iOS zero-days are:
    • CVE-2020-27930 — a remote code execution issue in the iOS FontParser component that lets attackers run code remotely on iOS devices.
    • CVE-2020-27932 — a privilege escalation vulnerability in the iOS kernel that lets attackers run malicious code with kernel-level privileges.
    • CVE-2020-27950 — a memory leak in the iOS kernel that allows attackers to retrieve content from an iOS device’s kernel memory.
    All three bugs are believed to have been used together, as part of an exploit chain, allowing attackers to compromise iPhone devices remotely.

  • Italian beverage vendor Campari knocked offline after ransomware attack

    Campari Group, the famed Italian beverage vendor behind brands like Campari, Cinzano, and Appleton, has been hit by a ransomware attack and has taken down a large part of its IT network.
    The attack took place last Sunday, on November 1, and has been linked to the RagnarLocker ransomware gang, according to a copy of the ransom note shared with ZDNet by a malware researcher who goes online by the name of Pancak3.

    The RagnarLocker gang is now trying to extort the company into paying a ransom demand to decrypt its files.
    But the ransomware group is also threatening to release files it stole from Campari’s network if the company doesn’t pay its ransom demand in a week after the initial intrusion.
    Screenshots of Campari’s internal network and corporate documents have been posted on a dark web portal where the RagnarLocker gang runs a “leak site”, as proof of the intrusion. Included in these proofs is even a copy of the contract signed by Campari with US actor Matthew McConaughey for the Wild Turkey bourbon brand.

    In a text chat window available to RagnarLocker victims, a Campari representative has not replied to the ransomware gang.
    Instead, the Italian company appears to have chosen to restore its encrypted systems rather than pay the ransom demand, according to a short press release published on Tuesday, where Campari said it’s working on a “progressive restart in safety conditions.”

    In the same press release, Campari also said it detected the intrusion as soon as it took place and immediately moved in to isolate impacted systems, and that the incident is not expected to have any significant impact on its financial results.
    However, at the time of writing, Campari websites, email servers, and phone lines are still down, five days after the attack.
    A Campari representative also couldn’t be reached because of the company’s current state of affairs.
    Campari is the second major beverage vendor, after Arizona Beverages, to be knocked offline by a ransomware attack in the past two years.