Saturday, November 21, 2020

Man in the Middle of Your Email

Cybercriminals stole $15 million from a U.S. company by inserting themselves into email correspondence about legitimate business fund transfers. The tactic is called Business Email Compromise (BEC) and, according to the FBI, is one of the most financially damaging online crimes. BEC is a lucrative scam because businesses rely on email to conduct financial transactions such as wire transfers. The traditional BEC scam has four steps: identifying a target, grooming that target, exchanging information with the victim, and completing the wire transfer of funds. This scenario requires the attackers to convince the victim that they are conducting a legitimate business transaction when they are in fact dealing with a fraudster.

Although the traditional BEC scam can succeed, most businesses have implemented training to spot these efforts, and a diligent target can thwart them easily. That is why this BEC campaign let the senior executives negotiate the business transactions themselves. Mitiga, the incident response company investigating the incident, said the threat actors spent weeks trying to compromise the chosen email accounts. They collected information from the victim’s inbox before setting up email forwarding rules to ensure that, if they lost access to the account, they would still receive messages from the compromised account. The attackers also created Microsoft Office 365 email domains with slight alterations to the legitimate domain names, so that they could impersonate either party of the transaction when needed, and registered these domains with GoDaddy as businesses. They monitored the inboxes for a month, gathering information from senior executives about planned financial transactions, then took over the conversation at the opportune moment to supply altered wire transfer details from the fake domains.

The attackers still needed to make sure that the executives and financial officers at the company did not see the transaction as suspicious and flag it for investigation, since the bank could still block a transfer going to the wrong account. To hide the transaction emails from the concerned parties, the attackers set up inbox filtering rules that moved emails from specific addresses to a hidden folder. This filtering of money-transfer communications away from the legitimate inbox owner lasted for two weeks, which was enough time for the attackers to move the funds to a foreign bank account.

Microsoft and law enforcement agencies are investigating the incidents. Still, there is little hope of reclaiming the lost funds once they have been transferred outside US jurisdiction. Mitiga said it has seen a dramatic increase in BEC attacks this year. Its CEO, Tal Mozes, said that BEC attacks are up 63%, mostly originating from African countries and targeting U.S. businesses.
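The inbox-rule tradecraft described above (forwarding rules, look-alike domains, and rules that hide finance mail from specific senders in a folder the owner never opens) is something a defender can hunt for in a mailbox-rule export. The block below is an added example, not code from the article or from Mitiga; its record fields, the org domain and the sample rules are constructed assumptions, not a real Exchange or Graph schema.

```python
"""Hunt mailbox-rule records for BEC tradecraft. Constructed field names:
mailbox, name, forward_to, move_to_folder, from_contains, subject_contains, delete."""

ORG_DOMAIN = "example-corp.com"        # assumption: the defended organisation's domain

# Folders users rarely open; a rule that parks finance mail here hides it in plain sight
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email",
                  "deleted items", "conversation history"}
FINANCE_KEYWORDS = ("invoice", "wire", "payment", "transfer", "bank", "swift", "iban")
# Visually confusable substrings used when registering near-miss domains (heuristic)
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"))


def normalize(domain):
    """Fold confusable substrings so 'exarnple' and 'example' compare equal."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def edit_distance(a, b):
    """Levenshtein distance (Wagner-Fischer with a single rolling row)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, legit):
    """True when `domain` is a near miss of `legit` but not `legit` itself."""
    domain, legit = domain.lower(), legit.lower()
    if domain == legit:
        return False
    if normalize(domain) == normalize(legit):
        return True
    # Compare without the TLD so example-corp.co also matches example-corp.com
    return edit_distance(domain.rsplit(".", 1)[0], legit.rsplit(".", 1)[0]) <= 1


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def assess_rule(rule, org_domain=ORG_DOMAIN, partner_domains=()):
    """Return [(severity, reason)] findings for one mailbox-rule record."""
    findings = []
    watched = (org_domain,) + tuple(partner_domains)
    for addr in rule.get("forward_to", []):
        dom = domain_of(addr)
        if any(is_lookalike(dom, w) for w in watched):
            findings.append(("high", f"forwards to look-alike domain {dom}"))
        elif dom != org_domain:
            findings.append(("medium", f"forwards mail outside {org_domain} to {dom}"))
    folder = (rule.get("move_to_folder") or "").lower()
    diverts = folder in HIDDEN_FOLDERS or bool(rule.get("delete"))
    where = "deletion" if rule.get("delete") else f"folder '{folder}'"
    senders = [s.lower() for s in rule.get("from_contains", [])]
    subjects = [s.lower() for s in rule.get("subject_contains", [])]
    targeted = bool(senders) or any(k in s for s in subjects for k in FINANCE_KEYWORDS)
    if diverts and targeted:   # the exact pattern from the case: specific senders, hidden folder
        findings.append(("high", f"hides mail matching {senders or subjects} via {where}"))
    elif diverts:
        findings.append(("medium", f"diverts mail via {where}"))
    if len(rule.get("name", "").strip()) <= 1:   # '.', ',' or blank rule names are a known tell
        findings.append(("low", "rule name is blank or a single character"))
    return findings


def hunt(rules, **kw):
    """Return [(mailbox, rule name, severity, reason)] for every suspicious rule."""
    report = []
    for rule in rules:
        for severity, reason in assess_rule(rule, **kw):
            report.append((rule["mailbox"], rule["name"], severity, reason))
    return report


# Constructed sample export: one benign rule and two modelled on the campaign above
RULES = [
    {"mailbox": "cfo@example-corp.com", "name": "Backup",
     "forward_to": ["cfo.archive@exarnple-corp.com"],   # 'rn' masquerading as 'm'
     "move_to_folder": None, "from_contains": [], "subject_contains": [], "delete": False},
    {"mailbox": "cfo@example-corp.com", "name": ".",
     "forward_to": [], "move_to_folder": "RSS Subscriptions",
     "from_contains": ["treasury@partner-bank.com"], "subject_contains": ["wire"], "delete": False},
    {"mailbox": "ap@example-corp.com", "name": "Vendor triage",
     "forward_to": [], "move_to_folder": "Vendors",
     "from_contains": ["@supplier.com"], "subject_contains": [], "delete": False},
]

if __name__ == "__main__":
    for row in hunt(RULES):
        print(row)
```

Feed it the rule export for every mailbox that touches payments, not just the one that reported the fraud; the article's attackers planted rules in several accounts.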

Sources:

https://www.zdnet.com/article/15-million-business-email-scam-exposed-in-the-us/

https://www.bleepingcomputer.com/news/security/the-anatomy-of-a-15-million-cyber-heist-on-a-us-company/

https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/business-email-compromise


Windows Zero-day Issue

If you Google “Win10 zero-day”, you’ll likely find a number of results. Today’s zero-day involves both Google Chrome and Microsoft Windows and is actively exploited. It has been disclosed with a proof of concept but is still not patched by Microsoft!

The Windows security issue, tracked as CVE-2020-17087, is reported to impact every version of the Windows OS from Windows 7 to the current Windows 10. Google’s Project Zero security team discovered the flaw, notified Microsoft, and gave it seven days to patch before Google would disclose the details. Some argue this is a short window before disclosure, but Project Zero researchers Ben Hawkes and Tavis Ormandy defended their timeline, saying: “We think there's defensive utility to sharing these details, and that opportunistic attacks using these details between now and the patch being released is reasonable [sic] unlikely”. That’s probably true, as the researchers knew the chained exploit required another vulnerability: CVE-2020-15999, a Chrome browser bug that was patched on 20 October 2020. This is likely also why Microsoft can be so calm about the vulnerability, deferring the fix to the next Patch Tuesday on 10 November 2020.

The previously patched Chrome bug, CVE-2020-15999, is a heap buffer overflow in the “Load_SBit_Png” function of the FreeType 2 library, which is used for font rendering in multiple applications, one of which is Google Chrome. Google’s own security researcher on the Project Zero team, Sergei Glazunov, is credited with the discovery. The attack would use social engineering to lure a user to a website hosting a specially crafted malicious font file. Glazunov has published a proof-of-concept font file. The unpatched Microsoft Windows bug, CVE-2020-17087, is a buffer overflow in the Windows Kernel Cryptography Driver, cng.sys, in the way it processes input/output control (IOCTL) requests. Mateusz Jurczyk, the Project Zero security researcher who discovered the issue, says the bug results from a 16-bit integer truncation. A proof of concept was attached to the Google Project Zero issue tracker entry and has been tested on Windows 10 1903 (64-bit).

As for observations in the wild, this chained attack is being used in targeted attacks, according to Shane Huntley, Director of Google’s Threat Analysis Group. Microsoft also acknowledged that its bug has only been spotted in conjunction with the Chrome vulnerability, which has been patched in Chrome and other Chromium-based browsers.

Sources

https://bugs.chromium.org/p/project-zero/issues/detail?id=2104

https://threatpost.com/unpatched-windows-zero-day-exploited-sandbox-escape/160828/


Cisco Devices Vulnerable

Cisco is warning of attacks actively exploiting CVE-2020-3118, a vulnerability affecting carrier-grade routers running Cisco IOS XR Software. The issue resides in the Cisco Discovery Protocol implementation of Cisco IOS XR Software and could allow an unauthenticated attacker to execute arbitrary code on the device. Although Cisco released a patch for this vulnerability back in February 2020, new research shows that nation-state actors commonly use it to gain access to an organization.

The vulnerability is due to improper validation of string input from certain fields in Cisco Discovery Protocol messages. The Cisco Discovery Protocol is a Layer 2 protocol used to share information about Cisco equipment, including the operating system and IP address. An attacker could exploit the vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device; because CDP is not routed, the attacker must be on the same Layer 2 segment as the device. A successful exploit could cause a stack overflow, which could allow the attacker to execute arbitrary code with administrative privileges on the device. The affected Cisco routing platforms include the Network Convergence System (NCS) 540, NCS 560, NCS 5500, 8000, and ASR 9000 series routers. The vulnerability also affects third-party white box routers and Cisco products that have the Cisco Discovery Protocol enabled both globally and on at least one interface. Those devices include the ASR 9000 Series Aggregation Services Routers, the Carrier Routing System (CRS), the IOS XRv 9000 Router, and the NCS 1000, 5000, and 6000 Series routers.

In October 2020, the Cisco Product Security Incident Response Team (PSIRT) released an updated advisory detailing reports of attempted exploitation of this vulnerability in the wild. In addition, the U.S. National Security Agency (NSA) included CVE-2020-3118 among 25 security vulnerabilities currently targeted or exploited by Chinese state-sponsored threat actors. "The findings of this research are significant as Layer 2 protocols are the underpinning for all networks, and as an attack surface are an under-researched area and yet are the foundation for the practice of network segmentation," said Ben Seri, VP of Research at Armis.

As stated, Cisco fixed CVE-2020-3118 back in February 2020. System administrators should check whether any of their devices are susceptible and update them immediately. Cisco also provides workarounds for administrators who cannot patch affected devices right away.
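The exposure condition above (CDP enabled globally and on at least one interface) can be checked from a saved running configuration before an outage window is even scheduled. This is an added example, not Cisco's tooling or code from the article; it assumes the IOS XR convention that a top-level `cdp` line enables CDP globally and an indented `cdp` under `interface` enables it on that interface, and the configuration text is constructed.

```python
"""Flag IOS XR configs that meet the CVE-2020-3118 exposure condition:
CDP on globally AND on at least one interface. Syntax assumptions in the lead-in."""


def cdp_exposure(config_text):
    """Return (exposed, global_enabled, [(interface, admin_up), ...]).

    `exposed` is True only when CDP is on globally and on at least one interface.
    `admin_up` lets a responder prioritise interfaces that can actually receive frames.
    """
    global_enabled = False
    current = None            # interface block we are inside, if any
    ifaces = {}               # interface name -> {"cdp": bool, "up": bool}

    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):     # blank line or block terminator
            continue
        if not line.startswith(" "):             # top-level (global) command
            current = None
            if line.startswith("interface "):
                current = line.split(None, 1)[1]
                ifaces[current] = {"cdp": False, "up": True}
            elif line == "cdp":
                global_enabled = True
            elif line == "no cdp":
                global_enabled = False
            continue
        if current is None:                      # indented line outside an interface block
            continue
        cmd = line.strip()
        if cmd == "cdp":
            ifaces[current]["cdp"] = True
        elif cmd == "no cdp":
            ifaces[current]["cdp"] = False
        elif cmd == "shutdown":
            ifaces[current]["up"] = False

    cdp_ifaces = [(name, st["up"]) for name, st in ifaces.items() if st["cdp"]]
    return global_enabled and bool(cdp_ifaces), global_enabled, cdp_ifaces


# Constructed sample: CDP on globally and on two interfaces, one of them shut down
SAMPLE_CONFIG = """\
hostname ncs540-edge1
cdp
interface GigabitEthernet0/0/0/0
 description uplink to core
 cdp
!
interface GigabitEthernet0/0/0/1
 description customer handoff
!
interface TenGigE0/0/0/2
 description spare
 shutdown
 cdp
!
end
"""

if __name__ == "__main__":
    exposed, glob, ifaces = cdp_exposure(SAMPLE_CONFIG)
    print("exposed:", exposed, "| global cdp:", glob)
    for name, up in ifaces:
        print(f"  {name}: cdp enabled ({'up' if up else 'admin down'})")
```

The checker only tells you whether the vulnerable code path is reachable; pair it with a software-version check against Cisco's advisory, since patching, not disabling CDP, is the fix.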

Sources

https://www.bleepingcomputer.com/news/security/cisco-warns-of-attacks-targeting-high-severity-router-vulnerability/

https://securityaffairs.co/wordpress/109816/hacking/cisco-cve-2020-3118-flaw-attacks.html

Virtual Appliances Vulnerable

When deploying new software in an enterprise, there are a number of things to consider: cost, hardware, and the value it provides. One consideration that is often lacking is how to ensure the software stays up to date and doesn’t become a security liability. Containerized applications usually excel here because they can be deployed and upgraded with ease; in many cases you just restart the application and it is automatically updated to the latest version. Virtual appliances follow a similar idea, keeping the application isolated in its own virtual environment so that it can be managed easily. But containers and virtual appliances aren’t magic - they require long-term maintenance from whoever publishes them to stay secure. What happens when vendors forget about their own virtual appliances? Orca Security, a security company focusing on cloud applications, recently set out to answer this question.

To quantify the state of virtual appliance security, Orca scanned over 2,200 virtual appliances from 540 vendors. Before running the scans, they devised a scoring system ranging from 0 to 100 that takes into account factors such as operating system version and application version. They also looked for known vulnerabilities such as Heartbleed, Dirty COW, and many high-CVSS vulnerabilities, both in the system as a whole and in the specific applications running on the appliance. The numerical score was then used to grade appliances from A+ to F.

The results were concerning. Only 8% of the appliances scanned received an A+ rating. 12% received a B rating, 25% received a C rating, 16% received a D rating, with the remaining 15% of the appliances receiving an F rating. Over 400,000 vulnerabilities were found across all the scanned appliances. Unsurprisingly, appliances that received more frequent updates fared better in the vulnerability scans. Almost half of the appliances had received no updates in the year before the scans started, and only 16.8% had been updated in the 3 months leading up to the scanning.

Orca believes that poor internal security processes are responsible for most of the vulnerable appliances. When appliances or software reach end of life, they remain available for download for an unknown amount of time, so people keep using them. In some cases the publisher may not even be aware that it is still offering severely outdated software for download. Whether your infrastructure is virtual or not, it is important to verify that it remains patched and up to date.

Sources

https://www.csoonline.com/article/3584767/half-of-all-virtual-appliances-have-outdated-software-and-serious-vulnerabilities.html

https://orca.security/virtual-appliance-security-report/


More Microsoft Blog posts on Security

 

Title: Secure your GitHub deployment using Microsoft Cloud App Security
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/secure-your-github-deployment-using-microsoft-cloud-app-security/ba-p/1882423
Overview: Welcome to newest post in our series on how to protect your API Connected Apps using Microsoft Cloud App Security (Microsoft CAS).

 

Title: Hunt across cloud applications activities with Microsoft 365 Defender advanced hunting
URL: https://techcommunity.microsoft.com/t5/microsoft-365-defender/hunt-across-cloud-applications-activities-with-microsoft-365/ba-p/1893857
Overview: We’re thrilled to share that the new CloudAppEvents table is now available as a public preview in advanced hunting for Microsoft 365 Defender.

 

Title: How to export data from Splunk to Azure Sentinel
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-export-data-from-splunk-to-azure-sentinel/ba-p/1891237
Overview: We have published several Blog posts on how Azure Sentinel can be used Side-by-Side with 3rd Party SIEM tools, leveraging cloud-native SIEM and SOAR capabilities to forward enriched alerts.

 

Title: Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs
URL: https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/
Overview: In collaboration with leading silicon partners AMD, Intel, and Qualcomm Technologies, Inc., we are announcing the Microsoft Pluton security processor. This chip-to-cloud security technology, pioneered in Xbox and Azure Sphere, will bring even more security advancements to future Windows PCs and signals the beginning of a journey with ecosystem and OEM partners.

 

Title: MCAS Ninja: What’s a CASB and Why Do I Need One?
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/mcas-ninja-what-s-a-casb-and-why-do-i-need-one/ba-p/1896575
Overview: As an IT professional of 20 years, I can recall the days of supporting line of business applications hosted in a corporate datacenter, behind a firewall, where IT had complete control. As Software as a Service (SaaS) started becoming the new modern line of business apps, a new challenge presented itself – the infrastructure behind that app is outside IT’s control. Not having controls to govern access (nor the data) in the app posed significant risks to the organization, not to mention a lack of visibility into the compliance and security posture of the app.

 

Title: Key layers for developing a smarter SOC with CyberProof-managed Microsoft Azure security services
URL: https://www.microsoft.com/security/blog/2020/11/17/key-layers-for-developing-a-smarter-soc-with-cyberproof-managed-microsoft-azure-security-services/
Overview: This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog series. Learn more about MISA here. Security teams are struggling to reduce the time to detect and respond to threats due to the complexity and volume of alerts being generated from multiple security technologies. With more workloads being migrated to the…

 

Title: Forrester TEI study: Azure Sentinel delivers 201 percent ROI over 3 years and a payback of less than 6 months
URL: https://www.microsoft.com/security/blog/2020/11/16/forrester-tei-study-azure-sentinel-delivers-201-percent-roi-over-3-years-and-a-payback-of-less-than-6-months/
Overview: 2020 has been a transitional year, ushering in broad changes in how, and where, we work. Security operations (SecOps) teams face more significant challenges than ever as they protect the organization in this rapidly changing environment. These teams need a flexible, cost-effective, and efficient solution to empower their employees, improve security, and optimize costs against…

 

Title: Gartner names Microsoft a Leader in the 2020 Magic Quadrant for Cloud Access Security Brokers
URL: https://www.microsoft.com/security/blog/2020/11/18/gartner-names-microsoft-a-leader-in-the-2020-magic-quadrant-for-cloud-access-security-brokers/
Overview: The past few months have changed the way we work in many ways, working from home, social distancing, and remote operations have all had impacts on our previously known ways of life. At Microsoft, we have been working hard to assist our customers adjust to this rapidly changing and evolving work environment. As has been…

New Book I Co-Authored "On Thin Ice"


PROTECT YOUR BUSINESS AND ASSETS FROM HACKERS!

  • How your business RIGHT NOW is at risk for losing considerable productivity, sales, customers, lawsuits and money from malware attacks
  • Why YOUR BUSINESS is the #1 target for cyberattacks, and why YOU are your business’s weakest link
  • How a MOUNTAIN of COSTS and WEEKS of WASTED TIME could result from a single data breach and what you should do to prevent an attack
  • What are the TOP NINE ways cybercriminals HACK your network and what you can do now to stop them
  • What exactly is CLOUD COMPUTING and how it can enhance your network security while increasing productivity and lowering costs
  • How it takes the average IDENTITY THEFT victim 600 HOURS to clear their name and the four ways to protect your business today
  • The major risks of allowing your employees to work from home and the FOUR SIMPLE STEPS to ensure this business model never compromises your network
  • And so much more!


All of the authors of this book have donated all royalties to St. Jude Children's Hospital. 


New Microsoft Security Blogs

Title: Monitoring your Logic Apps Playbooks in Azure Sentinel

URL: https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-your-logic-apps-playbooks-in-azure-sentinel/ba-p/1873211
Overview: In the world of cybersecurity and Security Information and Event Management (SIEM) systems, security orchestration, automation, and response (SOAR) plays a crucial role.

 

Title: Using Sensitivity Labels in M365 – How to Protect NDA Data from Leaking
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/using-sensitivity-labels-in-m365-how-to-protect-nda-data-from/ba-p/1873986
Overview: Follow along with this video covering a scenario of sales sharing active project development for new products and understand how both admins and end user can apply labels to prevent these actions before data leaves the company.

 

Title: Attack simulation training public preview now open to all E3 customers
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/attack-simulation-training-public-preview-now-open-to-all-e3/ba-p/1873169
Overview: At Ignite 2020, we announced the public preview of Attack simulation training in Microsoft Defender for Office 365. Delivered in partnership with Terranova Security, Attack simulation training is a premium feature available to Microsoft Defender for Office 365 P2, Microsoft 365 E5 and Microsoft Security E5 license holders.

 

Title: Empowering employees to securely work from anywhere with an internet-first model and Zero Trust
URL: https://www.microsoft.com/security/blog/2020/11/11/empowering-employees-to-securely-work-from-anywhere-with-an-internet-first-model-and-zero-trust/
Overview: Like many this year, our Microsoft workforce had to quickly transition to a work from the home model in response to COVID-19. While nobody could have predicted the world’s current state, it has provided a very real-world test of the investments we have made implementing a Zero Trust security model internally.

 

Title: The Microsoft Cloud App Security (MCAS) Ninja Training is Here!
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/the-microsoft-cloud-app-security-mcas-ninja-training-is-here/ba-p/1877343
Overview: The Microsoft Cloud App Security (MCAS) Ninja Training is Here!

 

Title: Microsoft Insider Risk Management & Communication Compliance - New Announcements & Updates
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/microsoft-insider-risk-management-amp-communication-compliance/ba-p/1877730
Overview: The Microsoft 365 community is excited to announce new capabilities in Microsoft Insider Risk Management & Communication Compliance to help minimize internal risks by enabling you to detect, investigate, capture, and act on malicious and inadvertent activities in your organization.

 

Title: Microsoft On-Premises DLP Webinar
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/microsoft-on-premises-dlp-webinar/ba-p/1878047
Overview: The On-Premises DLP webinar provided an overview of an MIP solution for on-premises data at rest, understanding on-prem specific challenges, implementing methodology, and concluded with a demonstration of the most useful scenarios that can be addressed by the on-premises scanner.

 

Title: Hunting for Barium using Azure Sentinel
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-barium-using-azure-sentinel/ba-p/1875913
Overview: Leveraging Indicators of Compromise (IOC) and searching historical data for attack patterns is one of the primary responsibilities of a security monitoring team.

 

Title: Security Unlocked—a new Podcast on the Technology and People Powering Microsoft Security
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/security-unlocked-a-new-podcast-on-the-technology-and-people/ba-p/1878709
Overview: How are we using machine learning (ML) and artificial intelligence (AI) to improve cybersecurity today? What are the different types of ML algorithms, and how do they differ? Taking it a step further, how do we protect our ML systems? According to the 2020 Microsoft Digital Defense Report, we know adversarial machine learning and attacks on ML systems are part of the future of cybersecurity. Yet, 89% percent of surveyed organizations felt they don’t have the right tools in place to secure their ML systems. 

 

Title: Secure your Calls- Monitoring Microsoft TEAMS CallRecords Activity Logs using Azure Sentinel
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/secure-your-calls-monitoring-microsoft-teams-callrecords/ba-p/1574600
Overview: Collecting TEAMS CallRecords Activity Data 

 

Title: Best practices for deploying and using the AIP UL scanner
URL: https://techcommunity.microsoft.com/t5/microsoft-security-and/best-practices-for-deploying-and-using-the-aip-ul-scanner/ba-p/1878168
Overview: In this article we would like to summarize what we know about the AIP scanner and share lessons learned while helping our enterprise customers deploy the AIP scanner to production, so that you can avoid possible pitfalls and make your implementation of the AIP scanner easier, faster, more efficient, and get the most out of your investments.

 

Title: System Management Mode deep dive: How SMM isolation hardens the platform
URL: https://www.microsoft.com/security/blog/2020/11/12/system-management-mode-deep-dive-how-smm-isolation-hardens-the-platform/
Overview: Key to defending the hypervisor, and by extension the rest of the OS, from low-level threats is protecting System Management Mode (SMM), an execution mode in x86-based processors that runs at a higher effective privilege than the hypervisor.

 

Title: Using Azure Data Explorer for long term retention of Azure Sentinel logs
URL: https://techcommunity.microsoft.com/t5/azure-sentinel/using-azure-data-explorer-for-long-term-retention-of-azure/ba-p/1883947
Overview: In this blog post, we will explain how you can use Azure Data Explorer (will be referred to in this blog post as ADX from now on) as a secondary log store and when this might be appropriate for your .


Warning about false updates

Riding on the edge of current events is one of the best ways to catch someone unaware. Having, or hinting at, something that is still unknown can give a malicious entity enough cover to confuse a victim into falling for a trap. A common technique is offering false updates for a program that is new enough that the victim has little expertise with it, thus taking advantage of their naiveté. There was a glut of issues and vulnerabilities when Zoom had just started out as a popular videoconferencing tool. Microsoft Teams is now getting its fair share of trouble.

Microsoft is warning customers in a non-public security advisory, reported by BleepingComputer, that a malicious ad campaign is evolving and infecting users with ransomware, infostealers, and even Cobalt Strike, used in conjunction with the ZeroLogon vulnerability. They call it the FakeUpdate attack. The attack begins with the victim visiting a malicious server and downloading the malware themselves, convinced that they need an update to Microsoft Teams. Microsoft Teams is a widely used business communication platform that provides instant messaging, videoconferencing, file storage, and application integration. The file in the supposed update delivers a PowerShell script that carries a host of malware and has visibly evolved: it initially carried only DoppelPaymer ransomware but then moved on to WastedLocker and the Cobalt Strike threat emulation software. It also installs a genuine copy of Microsoft Teams, so the victim’s Teams software may actually be updated. Previous FakeUpdate campaigns carried the Predator the Thief infostealer, the Bladabindi (NJRat) backdoor, and the Zloader stealer.

The attackers used Google Ads as a force multiplier by purchasing a search engine ad, so that searches for Microsoft Teams showed a malicious link among the top results. Links in ads are already a constant source of suspicion, but it is understandable that less savvy users take the convenient route without recognizing the risk.

Microsoft itself advises users to use web browsers that provide a degree of protection by filtering malicious websites, and to maintain strong passwords for local administrator accounts. Organizations can also reduce their attack surface by blocking executable files, or by blocking JavaScript and VBScript from downloading potentially malicious content.

Sources

https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/

https://threatpost.com/microsoft-teams-fakeupdates-malware/161071/

https://securityaffairs.co/wordpress/110693/malware/fake-microsoft-teams-cobalt-strike.html



Performance Measurement Guide for Information Security

 

EXTENSION: Call for Comments Extended to December 10th for “Performance Measurement Guide for Information Security”

NIST is extending the public comment period on Special Publication (SP) 800-55 Revision 1, “Performance Measurement Guide for Information Security,” to December 10, 2020.  See the Publication Details link for a link to the document and instructions for submitting comments.

Publication Details:
https://csrc.nist.gov/publications/detail/sp/800-55/rev-2/draft


National Online Informative References (OLIR) Program: NISTIRs 8278 and 8278A Published

NISTIR 8278, National Cybersecurity Online Informative References (OLIR) Program: Program Overview and OLIR Uses, describes the OLIR Program, what OLIRs are, what benefits they provide, how anyone can search and access OLIRs, and how subject matter experts can contribute OLIRs. This report includes:

  • Additional Focal Document Templates
  • Functional enhancements to the OLIR Catalog and Derived Relationships Mapping (DRM) display tool

NISTIR 8278A, National Cybersecurity Online Informative References (OLIR) Program: Submission Guidance for OLIR Developers, replaces NISTIR 8204. The primary focus of NISTIR 8278A is to instruct Developers on how to complete the OLIR Focal Document spreadsheet when submitting an Informative Reference to NIST for inclusion in the OLIR Catalog. This report includes:

  • Requirement guidance to include additional focal document templates introduced in NISTIR 8278.
  • A “Strength of Relationships” section (3.2.11) that includes guidance for populating the magnitude field when evaluating focal and reference document elements. Interested commenters should read the ‘Note to Reviewers’ (page iii) as we seek feedback on this requested feature describing additional detail about the relationship.

Both publications are based on feedback received from early adopters as well as discussions at the December 2019 OLIR workshop.

 

NISTIR 8278 details:
https://csrc.nist.gov/publications/detail/nistir/8278/final

NISTIR 8278A details:
https://csrc.nist.gov/publications/detail/nistir/8278a/final

OLIR Workshop (December 2019):
https://www.nccoe.nist.gov/events/workshop-cybersecurity-online-informative-references

Classes of Ransomware

Intel 471 recently released a report outlining the most popular, the up-and-coming, and some of the more obscure groups in the ransomware world. They separate the groups into three tiers based on how prevalent and successful they have been, but all of these groups work by specializing and delegating tasks.

The lowest tier includes the likes of CVartek.u45, Exorcist, Gothmog, Lolkek, Muchlove, Nemty, Rush, Wally, XINOF, and Zeoticus. These groups have had little publicity regarding their attacks, but their marketing exists and persists, so it stands to reason that they are functional and operating. The main difference from the other groups is that they don’t publish the data of victims who refuse to pay the ransom, and that little information exists about their supposed victims.

The next tier includes the rising stars of the Ransomware as a Service (RaaS) world: Avaddon, Conti, Clop, DarkSide, Pysa/Mespinoza, Ragnar, Ranzy, SunCrypt, and Thanos. These are the names to keep an eye on. They have confirmed successful attacks and run their own blogs for the “expose and shame” tactic, which embarrasses victims who don’t pay the ransom and lends credibility to their threats against future victims.

Their final group includes the heaviest hitters, with whom all our readers should be familiar. This rogues’ gallery includes DoppelPaymer, Egregor/Maze, Netwalker, REvil, and Ryuk. DoppelPaymer runs the Dopple Leaks blog and was behind the first death attributed to malware. Egregor/Maze had announced their retirement from the cybercrime scene, but have an impressive record with their attacks on Barnes & Noble, Crytek, and Ubisoft. Netwalker began in September 2019 and follows an efficient pattern of spear phishing targets to establish a foothold, then following up with a fileless attack against Windows 7 and later. They also have an “individual mode” which locks a single device and offers only the key to that device, as opposed to their “network mode” which encrypts an entire network and offers either individual keys or a master key for use with their decryption tool. REvil has been seen leveraging the popular BlueGate vulnerability and working with other groups to gain access to networks for infection. By separating the tasks, they have seen profits per target rise from the tens of thousands to the millions. Lastly, the Ryuk ransomware has been seen in conjunction with TrickBot, Emotet, and, most recently, BazarLoader. Ryuk has been seen working with up to three teams: one to direct spam campaigns to infect victims, a team to spread the attack through corporate networks, and a last team to deploy the ransomware and conduct negotiations.

Criminals working together is always a concern; as the age-old adage says, “Teamwork makes the dream work”. Keeping up to date on the various groups is critical to maintaining vigilance against their tactics.

Sources:

https://www.bleepingcomputer.com/news/security/dozens-of-ransomware-gangs-partner-with-hackers-to-extort-victims/

https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer