ransomware

Lockbit resurfaces after takeover & Lazarus are hitting, Feb 25th – March 2nd - This Week in Security
Introduction

This week's security editor is Lior Rotkovitch. The latest news highlight was all about the return of Lockbit after the takedown of the Lockbit "ransomware-as-a-service". The hacking group responded to the takedown and said they were lazy: they were swimming in money and forgot to update the PHP servers. This is the nature of security: one goes down, one comes up, or the same one does. Reading the news is just one way to know what's up. Driving a car in endless traffic jams is a great time for listening to podcasts of your favorite kind. The security podcasts that I listened to last week are:

- Episode 19 - February 2024 - AI App Security For IoT Edge Devices. It is always a pleasure hearing my EMEA partner Aaron B talking. (YouTube episode page)
- Risky Business #738 -- LockBit is down but not out. Yet. One of my favorite podcasts. (Episode page)
- Malicious Life - Kevin Mitnick, Part 1. And finally, Malicious Life is back with an episode on Kevin Mitnick. (Episode page)

Until next time, keep it safe.

LockBit ransomware returns, restores servers after police disruption

On February 19, authorities took down LockBit's infrastructure, which included 34 servers hosting the data leak website and its mirrors, data stolen from the victims, cryptocurrency addresses, decryption keys, and the affiliate panel. Immediately after the takedown, the gang confirmed the breach, saying that they lost only the servers running PHP and that backup systems without PHP were untouched. LockBit says that law enforcement, to which they refer collectively as the FBI, breached two main servers "because for 5 years of swimming in money, I became very lazy." "Due to my personal negligence and irresponsibility, I relaxed and did not update PHP in time." The threat actor says that the victim's admin and chat panels server and the blog server were running PHP 8.1.2 and were likely hacked using a critical vulnerability tracked as CVE-2023-3824.
https://www.bleepingcomputer.com/news/security/lockbit-ransomware-returns-restores-servers-after-police-disruption/#google_vignette
https://www.securityweek.com/lockbit-ransomware-gang-resurfaces-with-new-site/

Critical Flaw in Popular ‘Ultimate Member’ WordPress Plugin

The flaw, tracked as CVE-2024-1071 (CVSS score of 9.8), affects websites running the Ultimate Member WordPress membership plugin and could be exploited by unauthenticated attackers to append SQL queries to existing ones and extract information from databases. According to Defiant, the bug exists because of an insecure implementation of the users' query functionality, which results in the text sanitization function failing to protect against SQL injection attacks. The company's researchers also found that the structure of the query only allows attackers to take a time-based blind approach, using SQL CASE statements and the sleep command while observing the response time of the requests to steal information.
https://www.securityweek.com/critical-flaw-in-popular-ultimate-member-wordpress-plugin/

The Week in Ransomware - March 1st 2024 - Healthcare Under Siege

The most impactful attack of 2024 so far is the attack on UnitedHealth Group's subsidiary Change Healthcare, which has had significant consequences for the US healthcare system. This attack was later linked to the BlackCat ransomware operation, with UnitedHealth also confirming the group was behind the attack. In some cases, patients are forced to pay full price for their medications until the issue is resolved. However, some medicines can cost thousands of dollars, making it difficult for many to afford the payments. To make matters worse, the BlackCat ransomware operation, aka ALPHV, claims to have stolen 6TB of data from Change Healthcare during the attack, containing the personal information of millions of people. The attack has led the FBI, CISA, and the HHS to issue a joint advisory warning of BlackCat attacks on hospitals.
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-1st-2024-healthcare-under-siege/

Lazarus Exploits Typos to Sneak PyPI Malware into Dev Systems

Hacking group Lazarus uploaded four packages to the Python Package Index (PyPI) repository to infect developer systems with malware. The disclosure comes days after Phylum uncovered several rogue packages on the npm registry that have been used to single out software developers as part of a campaign codenamed Contagious Interview. An interesting commonality between the two sets of attacks is that the malicious code is concealed within a test script ("test.py"). In this case, however, the test file is merely a smokescreen for what's an XOR-encoded DLL file, which, in turn, creates two DLL files named IconCache.db and NTUSER.DAT. The attack sequence then uses NTUSER.DAT to load and execute IconCache.db, a malware called Comebacker that's responsible for establishing connections with a command-and-control (C2) server to fetch and run a Windows executable file.
https://thehackernews.com/2024/02/lazarus-exploits-typos-to-sneak-pypi.html

Kyle Fox's Security News 2023 in Review - F5 SIRT
Intro

I thought we would do a little end-of-the-year roundup of a few subjects I feel are notable from 2023. I will be publishing an article with some things I am looking out for in 2024 and a list of all my YouTube recommendations from 2023 later in January.

Software Bill of Materials

Back in 2021 the White House put out an executive order aiming to improve cybersecurity in the United States. One of the bullet points of that executive order was to improve the software supply chain security of software sold to the Federal Government. This had been largely spurred by a series of breaches in the Federal Government, most prominently the SolarWinds software supply chain attack. Previously there had been breaches because of vulnerabilities in software used by companies and government organizations; one such famous breach was the Equifax breach in 2017 that resulted in a 700 million US dollar settlement. This breach was facilitated by the Apache Struts vulnerability CVE-2017-5638: Equifax neither patched the vulnerability in Apache Struts, nor did it have Web Application Firewall protections in place or configured properly. After the White House Executive Order, software bill of materials work started to pick up steam. There had been calls leading up to the order to establish SBOMs for software as a standard, and those were discussed in places like Y Combinator News. CISA established efforts to collect and facilitate work on SBOM resources; Anchore released an SBOM tool called Syft to create lists of packages from containers, and also a tool called Grype to create lists of vulnerabilities from that list by using the NVD database. So by the time 2023 was underway, regulators were putting pressure on the software industry to produce SBOMs and the White House had incorporated this into its ongoing cybersecurity strategy. We expect SBOMs to be a major part of 2024 as well.
What it Means for an Attack to go Mainstream

Many of us consider an exploit to be mainstream when a Metasploit module is written for it, and that serves well and good for things that Metasploit does well, such as attacks over a network. But what about attacks over wireless? Well, we now have the Flipper. I have previously written about Flipper exploits, but at that time I did not really dive into what it is, exactly. The Flipper Zero is a small Tamagotchi-like device that incorporates a number of wireless and wired technologies and scripts to do things with those technologies. Its wireless capabilities consist of a TI CC1101-driven Sub-1GHz transceiver that can do things like talk to IoT devices and various access control systems. Also, for even more access control system shenanigans, it incorporates both a 125kHz proximity card reader/writer/emulator and a 13.56MHz NFC module (ST25R3916). Proximity cards are often used for electronic locks on buildings and provide no security, having been developed using technology that predates microcontrollers small enough to fit on an access badge. 13.56MHz technology presents a more formidable foe to the Flipper, since most modern access control systems use secure contactless smart cards with technology stacks like MIFARE, but the Flipper is able to conduct brute force and dictionary attacks against some of the simpler cards using this technology. One big feature the Flipper has is Bluetooth, which, as I had written in the This Week In Security linked above, allows a Flipper, in that case loaded with special software, to conduct a discovery spam attack that, at the time it came out, would crash many Apple iOS devices. The Bluetooth is implemented using the onboard Bluetooth support in the Flipper's processor, an STM32WB55RG from ST's new wireless microcontroller lineup.
Other connectivity available on the Flipper is infrared transmit and receive, allowing it to emulate remote controls, and iButton / 1-Wire support, allowing it to read iButtons, which are sometimes used for access control or security guard tour verification systems. All of this information and the supported protocols are expanded upon in the Flipper documentation.

In the SDR field we had been creeping up on this sort of mainstreaming of RF hacking for a long time, starting long ago with an ambitious SDR project called the DSP-10, which used the then-contemporary Analog Devices ADSP-2181 Digital Signal Processor. Later on Matt Ettus developed the Universal Software Radio Peripheral, originally sold as kits by Ettus Research, which was later bought out by test equipment manufacturer National Instruments. The USRP is often used alongside an SDR suite called GNU Radio, which provides a processing-block-oriented environment allowing quick construction of SDR dataflows between processing blocks, and from that, fast concept-to-implementation of SDR solutions. The USRP devices continue to be developed to this day, with devices capable of large RF bandwidths and multiple inputs and outputs topping out the lineup. This all eventually resulted in a device called the HackRF, developed by Great Scott Gadgets, which was expanded using the PortaPack to allow portable operation, with expanded software for that called Havoc and Mayhem creating a very capable device. While that was the high end, the low end had its own small revolution when people discovered that you could use a simple DVB-T adapter with the RTL2832 chipset to receive radio signals and feed them into SDR software such as GNU Radio, SDR++, HDSDR, and Gqrx. It's also important to mention that there are a ton of SDR platforms out there these days; in addition to all those above there is also LimeSDR, BladeRF, and KiwiSDR, to name just a few more.
Ransom Attacks Continue

As Aaron reported in January of 2023, the year started off with the Royal Mail (UK) being ransomwared. Probably the most widespread issue with ransomware was the MOVEit critical vulnerability CVE-2023-34362 and its exploitation by the CL0P ransomware gang. This was such a massive and widespread issue that it affected multiple agencies of the US Federal Government, the UK Government, multitudes of private companies, DMVs in two states, and the list keeps going. A cyber attack also hit MGM Resorts, costing the company an estimated $100 million US dollars. I share the sentiment of Megazone when he wrote in May that he is tired of ransomware. We can talk endlessly about solutions, either novel things like zero trust or old standbys like quickly patching vulnerabilities, but as long as IT is considered a cost center and something that is not a priority, the entire industry will teeter on the brink of disaster. Fortunately we are seeing more agencies announce rules requiring breaches to be disclosed, including the HHS for HIPAA-covered information, and the SEC for anything "material" to stockholders.

AI Gathers Mindshare and Criticism

2023 started out with ChatGPT as one of the fastest growing online applications, with millions of users using it to do things like write letters and research topics, but as people quickly found out, it could hallucinate facts, drawing any facts it provides into question. This quickly became a problem in the legal sphere when a law firm filed a ChatGPT-generated legal brief and was found out. Many lawyers commented on this, some on YouTube as well. Another major conundrum for AI is copyright law: since many of these AI models are trained on copyrighted works, most often without the permission of those works' authors, the resulting work could be said to incorporate all those previous works.
The United States Library of Congress Copyright Office is working on examining this question and President Biden issued an Executive Order on the matter. Not to be left behind, the New York Times has sued OpenAI over its use of NYT articles in training ChatGPT. Although, it's not like human authors are free of this piecemeal copyright infringement. There's also the elephant in the room, the wild ride that was Sam Altman of OpenAI: making a deal with Microsoft, being fired by the OpenAI board, negotiating a position at Microsoft, then being rehired by OpenAI. That was quite a weekend. Outside that, Fullpath is putting out a ChatGPT product to allow chat customer support using AI rather than humans; it's had some odd results. And the New York Times explored some of the other oddities.

End of year summary and new year predictions, Dec 25th – 31st – F5SIRT This Week in Security
This Week in Security, December 25th – 31st, 2023: "End of year summary and new year predictions"

Editor's introduction

This week's editor is Lior Rotkovitch. Another year went by, and it is a good time to start summarizing the major security incidents of 2023. In the past year we saw an increase in CVE hunting, where threat actors are in a race to take over an unpatched system within a few hours of publication. CVE hunting has become a low-hanging-fruit attack: hackers just scan the web for vulnerabilities, with the assumption that it takes at least 1-2 days to patch a system from publication time, and use this gap to randomly exploit the vulnerable targets and get value. One popular class of CVE hunting vulnerabilities occurs in control planes that face the public internet. Once the entry point has been exploited, they leverage the hack into a full takeover by embedding malware or ransomware with persistence, and even install common hacking tools to achieve more granular control over the compromised system. F5 SIRT has been promoting control plane protection for many years, by reducing public access (DMZing) or placing a WAF in front of it; this is an important part of the security plan. Every end is also a beginning, and as such there are security predictions for 2024. I guess the easiest prediction is just "more of everything", as the hackers' playground is expanding all the time. Any hardware and software can and will be hacked at some point. While this is not encouraging, not all hope is lost: the security industry has made huge progress and created many products and services that provide the tooling needed to detect and mitigate those attacks. Building the right security plan, training personnel and a well-defined security plan can get you to a place where the mitigation time will be improved significantly. Until next time, happy and safe new year.
Apache OFBiz RCE flaw exploited to find vulnerable Confluence servers

In this case an open-source vulnerability affects commercial products. The interesting part is that the root cause of the CVE still existed when it was published, due to an incomplete fix. Notable article quotes:

“A critical Apache OFBiz pre-authentication remote code execution vulnerability is being actively exploited using public proof of concept (PoC) exploits. Apache OFBiz (Open For Business) is an open-source enterprise resource planning system many businesses use for e-commerce inventory and order management, human resources operations, and accounting. OFBiz is part of Atlassian JIRA, a commercial project management and issue-tracking software used by over 120,000 companies worldwide. Therefore, any flaws in the open-source project are inherited by Atlassian's product. …. While investigating Apache's fix, which was to remove the XML-RPC code from OFBiz, SonicWall researchers discovered that the root cause for CVE-2023-49070 was still present. This incomplete fix still allowed attackers to exploit the bug in a fully patched version of the software.”
https://www.bleepingcomputer.com/news/security/apache-ofbiz-rce-flaw-exploited-to-find-vulnerable-confluence-servers/

With car privacy concerns rising, automakers may be on road to regulation

Car security was a big issue a few years ago, but it never took off for some reason. With the fast growth of electric vehicles, the security aspect is back, mostly because of privacy issues with the data that the vehicle computer stores. Synchronizing contacts and apps from your mobile phone or tablet to the car makes it unclear what happens to this data.
Notable article quotes:

“….sent a letter to 14 major auto manufacturers, condemning their privacy practices and declaring that consumers should not be trapped in a “massive data collection apparatus, with any disclosures hidden in pages-long privacy policies filled with legalese.” Markey pointed out that Bluetooth's emergence has broadened car surveillance by letting companies extract data that “has nothing to do with a vehicle's operation, such as data from smartphones that are wirelessly connected to the vehicle."
https://therecord.media/car-privacy-concerns-road-to-regulation?&web_view=true

Hackers see wealth of information to steal in children's school records

Protecting data at large scale is always a challenge. Children at schools are not aware of security aspects, which provides a great playground for hackers, while the mitigation solutions are not always easy to accomplish. Notable article quotes:

“Our school's digital doors are rattled, pinged, probed and prodded thousands of times each day by well-resourced adversaries from all over the globe,” Cybercriminals seeking ransom payouts or identity thieves going after a student's spotless credit can gain access to identifying information, assessments, assignments, grades, homework, health records, attendance history, discipline records, special education records, home communications and more. He advises moving away from methods like SMS confirmation, which can be intercepted through Bluetooth, and says that physical hardware security tokens would be safer. Of course, as Young said, “Some of the time we're talking about kids as young as five and six years old with technology in their hands.” In these cases, lost technology is a real threat, and the most secure solution is not necessarily the one that makes the most sense.
This paradox is yet another mountain that school information security teams must climb.”
https://www.cnbc.com/2023/12/27/hackers-see-wealth-of-information-to-steal-in-kids-school-records.html

Lockbit ransomware disrupts emergency care at German hospitals

Hospitals are a target over and over. Notable article quotes:

“recent service disruptions at three hospitals were caused by a Lockbit ransomware attack. "Unknown actors have gained access to the systems of the IT infrastructure of the hospitals and have encrypted data," At the time of writing, the Lockbit ransomware gang hasn't added KHO to its extortion portal on the dark web, so whether or not the cybercriminals stole patient data or other sensitive information hasn't been determined yet.”
https://www.bleepingcomputer.com/news/security/lockbit-ransomware-disrupts-emergency-care-at-german-hospitals/

2023 summary

A few of the attacks mentioned are the T-Mobile API attack, the MOVEit attack and the MGM Resorts breach.
https://www.infosecurity-magazine.com/news-features/top-cyber-attacks-2023/
https://www.scmagazine.com/news/data-leaks-ai-and-ransomware-topped-the-headlines-in-2023-for-sc-media
https://www.welivesecurity.com/en/cybersecurity/year-review-10-biggest-security-incidents-2023/

2024 Predictions

- Social engineering backed by AI – fake images and deepfake phishing are just a matter of time.
- Cloud – multi-cloud hybrid environment incidents and CI/CD attacks are expected to increase.
More: https://www.securitymagazine.com/articles/100271-top-cybersecurity-predictions-of-2024

NISC, NoMoreRansom, AsterX, BTC ETF, March 3rd – March 9th - This Week in Security
Editor's Introduction

This week's This Week in Security editor is Koichi. For today's TWIS I chose Japan-related topics: NISC, No More Ransom, AsterX, and Bitcoin ETF. We in F5 SIRT invest a lot of time understanding the frequently changing behavior of bad actors. Bad actors are a threat to your business, your reputation, and your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are in a security emergency, please contact F5 SIRT.

NISC and cyber attack on a port

The National Center of Incident Readiness and Strategy for Cybersecurity (NISC) is an organization established in the Cabinet Secretariat to develop the information security policies of the Japanese government, monitor and analyze malicious activities against information systems of administrative departments, provide necessary advice, information and other assistance in ensuring cyber security, conduct audits, etc. It also serves as a general coordinator for cyber security, not only with administrative agencies but also with certain critical infrastructure operating companies. NISC regularly holds meetings to decide its action plans. On March 8, the 39th meeting of the Cybersecurity Strategy Headquarters was held, and according to the publication, ports were added to the critical infrastructure monitoring items for Japan's cybersecurity. As the background of this decision, last year's ransomware incident is listed. On July 4, 2023, the Nagoya United Terminal System (NUTS) at a container terminal at the Port of Nagoya was attacked by the ransomware group "LockBit", resulting in halted container loading and unloading operations for approximately three days. This incident was a ransomware cyber attack conducted by "LockBit," an attacker group believed to be of Russian origin.
The incident revealed that there wasn't a person in charge of cyber security for the port operation systems, which needs to be improved. Let us discuss LockBit in the next item.
Source: https://www.nisc.go.jp/pdf/about/nisc_gaiyou.pdf (Japanese), https://www.nisc.go.jp/pdf/council/cs/dai39/39cs_press.pdf (Japanese)

"No More Ransom"

LockBit is a ransomware group that provides ransomware as an attack infrastructure, the so-called "RaaS (Ransomware as a Service)", explained in the previous TWIS. The news source reports that nearly a quarter of all ransomware submissions are by LockBit. In February, law enforcement agencies of 14 countries joined forces to launch "Operation Cronos" to defend against LockBit and other criminal groups. In addition to arresting some of the individuals involved, they have taken countermeasures such as seizing related assets such as leak websites, crypto asset (virtual currency) accounts, and decryption keys. The joint team and some security companies also launched the "No More Ransom" website to educate people and give prevention advice. Through Operation Cronos, the European Criminal Police Organization announced that the Japanese National Police Agency developed a tool, the "Decryption Checker", which allows users to investigate how much of the victim files they can decrypt, but just to know how much, not to decrypt them. It is uploaded on the "No More Ransom" website. For LockBit, the LockBit 3.0 Decrypter is also available on the "No More Ransom" website.
Source: https://www.security-next.com/154009 (Japanese)

AsterX Space CyberDefense exercise

The French Air and Space Force (Armée de l'Air et de l'Espace Française) conducts AsterX, the space cyber attack/defense exercise, annually. However, participants had been limited to European countries and the United States until recently. This year, AsterX (AsterX 24) will be held in France from April 4 to April 15.
16 countries and European-based aerospace companies like MBDA and Ariane Group will participate, and from this year, Japan's Self-Defense Forces will participate as well. AsterX will be held in the style of a real-time war game. In the scenario, a fictional adversary threatens the space assets of neighboring countries (fictional as well), and a joint task force of participants will try to defend the allied country. Some sources of this news see the fictional adversary as a simulation of Russian cyberattacks. One of the good effects of participating in international exercises is increased partnership with other countries and companies, which will matter when a real cyber-attack happens.
Source: https://asia.nikkei.com/Politics/Defense/Japan-to-take-part-in-AsterX-space-defense-drill-with-NATO-members https://air.defense.gouv.fr/asterx/dossier/presentation-asterx-2024

Bitcoin ETF

Bitcoin has reached its ATH (all-time high). The Bitcoin ETF is believed to be the reason for the surge, due to the large inflow of funds. You can check the amount of inflows into that ETF and a heatmap at Bitcoin ETF Overview. So Bitcoin becomes a more valuable asset. How about security? For over 10 years the Bitcoin system, with its robust design, has not been brought down or stopped by attacks. The only successful thefts to date have occurred outside of the Bitcoin protocol. The Bitcoin network's security is multi-layered. Transaction hashing, mining, block confirmations, and game theory all work together to make Bitcoin's blockchain impenetrable. The most well-known threat to Bitcoin might be quantum computing (its ability to derive the private key from the public key). According to researchers at the University of Sussex, a quantum computer with 1.9 billion qubits of processing power would be needed to break into the Bitcoin network within 10 minutes.
(1 block = 10 minutes, so the attacker needs to finish within 10 minutes.) As far as I know, it is unlikely to happen with the current quantum computers' ability. And if it is going to happen, and the threat comes to the minds of Bitcoin developers, a new Bitcoin Improvement Proposal (BIP) will be filed to adopt post-quantum cryptography.

Supplement To The 2021 App Protect Report
We frequently get requests to break down threats in a specific vertical. So, as a follow-up to the F5 Labs 2021 Application Protection Report (APR), we analyzed and visualized the attack chains of more than 700 data breaches, looking for relationships between sectors or industries and the tactics and techniques attackers use against them. This effort produced the F5 Labs 2021 APR Supplement: Sectors and Vectors, where we found that while there are some attack patterns that correspond with sectors, the relationships appear indirect and partial, and counterexamples abound. The overall conclusion is that sectors can be useful for predicting an attack vector, but only in the absence of more precise information such as vulnerabilities or published exploits. This is because the types of data and vulnerabilities in the target environment, which determine an attacker's approach, are no longer tightly correlated with the nature of the business. Look for more details about your sector (Finance, Education, Health Care, Scientific, Retail, etc.) in the F5 Labs 2021 APR Supplement: Of Sectors and Vectors.

VulnCon, Big Brother, School Daze, and More - Jan 22nd-28th, 2024 - F5 SIRT - This Week in Security
This time around the F5 SIRT This Week In Security covers the upcoming VulnCon, nasty tricks on US citizens by the NSA using data brokers, the failure of university computer science programs to teach security, how we should learn to stop living in fear and love CVE, and what drastic measures it might take to curtail the ransomware epidemic.