Category Archives: Reports

Research and Reports

2022 Zero-Day exploitation continues at a worrisome pace

Experts warn that 55 zero-day vulnerabilities were exploited in attacks carried out by ransomware and cyberespionage groups in 2022.

Cybersecurity firm Mandiant reported that ransomware and cyberespionage groups exploited 55 zero-day flaws in attacks in the wild.

Most of the zero-day vulnerabilities were in software from Microsoft, Google, and Apple.

The figures show a decrease from 2021, but experts pointed out that they represent almost triple the number from 2020.

The majority of the zero-day vulnerabilities were exploited by China-linked threat actors as part of their cyberespionage campaigns.

The researchers reported that only four zero-day vulnerabilities were exploited by financially motivated threat actors, with 75% of these instances linked to ransomware attacks.

“Products from Microsoft, Google, and Apple made up the majority of zero-day vulnerabilities in 2022, consistent with previous years. The most exploited product types were operating systems (OS) (19), followed by browsers (11), security, IT, and network management products (10), and mobile OS (6).” reads the report published by Mandiant.

According to the report, 13 zero-days in 2022 were exploited by cyberespionage groups, a figure that is consistent with 2021. Seven zero-days (CVE-2022-24682, CVE-2022-1040, CVE-2022-30190, CVE-2022-26134, CVE-2022-42475, CVE-2022-27518, and CVE-2022-41328) were exploited in attacks in the wild by China-linked cyberespionage groups, while two zero-day vulnerabilities were exploited by suspected North Korea-linked APT groups.

“We identified four zero-day vulnerabilities for which we could attribute exploitation by financially motivated threat actors, a quarter of the total 16 zero-days for which we could determine a motivation for exploitation. 75% of these instances appear to be linked to ransomware operations, consistent with 2021 and 2019 data in which ransomware groups exploited the highest volume of zero-day vulnerabilities compared to other financially motivated actors.” continues the report. “However, the overall count and proportion of the total of financially motivated zero-day exploitation declined in 2022 compared to recent years.”

Multiple China-linked APT groups exploited the vulnerability CVE-2022-30190, aka Follina, while the exploitation of FortiOS vulnerabilities CVE-2022-42475 and CVE-2022-41328 was observed in particularly notable campaigns in 2022.

Mandiant believes that a shared development and logistics infrastructure sits behind these attacks.

Mandiant also observed two instances of Russian state zero-day exploitation. The first was a campaign carried out by the Russia-linked APT28 group, which exploited the CVE-2022-30190 flaw (aka Follina) in early June 2022. The second was a months-long campaign exploiting the Microsoft Exchange vulnerability CVE-2023-23397, conducted by a threat actor tracked as UNC4697 (likely linked to the APT28 group).

The experts explained that increased focus on disrupting Russian cyber operations since Russia’s invasion of Ukraine may have discouraged Russia-linked groups from widely using zero-day exploits for access they expected to lose quickly. This implies that the exploitation of the CVE-2022-30190 flaw was likely opportunistic.

“Almost all 2022 zero-day vulnerabilities (53) were exploited for the purpose of achieving either (primarily remote) code execution or gaining elevated privileges, both of which are consistent with most threat actor objectives. While information disclosure vulnerabilities can often gain attention due to customer and user data being at risk of disclosure and misuse, the extent of attacker actions from these vulnerabilities is often limited.” concludes the report. “Alternatively, elevated privileges and code execution can lead to lateral movement across networks, causing effects beyond the initial access vector.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

US govt agencies released a joint alert on the Lockbit 3.0 ransomware

The US government released a joint advisory that provides technical details about the operation of the Lockbit 3.0 ransomware gang.

The U.S. Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released a joint advisory that provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the notorious LockBit 3.0 ransomware.

“The Federal Bureau of Investigation (FBI), CISA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint cybersecurity advisory (CSA), #StopRansomware: LockBit 3.0. This joint advisory details known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) that FBI investigations correlated with LockBit 3.0 ransomware as recently as March 2023.” reads the advisory published by US agencies. “LockBit 3.0 functions as an affiliate-based ransomware variant and is a continuation of LockBit 2.0 and LockBit.”

The Lockbit gang has been active since at least 2019 and today it is one of the most active ransomware groups offering a Ransomware-as-a-Service (RaaS) model.

The LockBit 3.0 ransomware (aka LockBit Black) was launched in June 2022 and is a continuation of previous versions of the ransomware, LockBit 2.0 (released in mid-2021), and LockBit.

The LockBit 3.0 ransomware is modular malware that is more evasive than its previous versions, and it shares similarities with the BlackMatter and BlackCat ransomware families.

“LockBit 3.0 is configured upon compilation with many different options that determine the behavior of the ransomware. Upon the actual execution of the ransomware within a victim environment, various arguments can be supplied to further modify the behavior of the ransomware. For example, LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode (see LockBit Command Line parameters under Indicators of Compromise).” reads the joint alert.

“If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware.”

By protecting the code with encryption, the latest LockBit version can avoid the detection of signature-based anti-malware solutions.

The ransomware doesn’t infect machines whose language settings are included in an exclusion list, which includes Romanian (Moldova), Arabic (Syria), and Tatar (Russia).

Initial attack vectors used by affiliates deploying LockBit 3.0 ransomware include remote desktop protocol (RDP) exploitation, drive-by compromise, phishing campaigns, abuse of valid accounts, and exploitation of public-facing applications.

Upon execution in the target network, the ransomware attempts to escalate privileges if they are not sufficient, terminate processes and services, delete logs, files in the recycle bin folder, and shadow copies residing on disk.

LockBit 3.0 attempts to perform lateral movement by using a preconfigured list of credentials hardcoded at compilation time or a compromised local account with elevated privileges.

Operators can also compile LockBit 3.0 for spreading via Group Policy Objects and PsExec using the Server Message Block (SMB) protocol.

The RaaS’s affiliates use the following tools to exfiltrate data before encrypting it:

  • Stealbit, a custom exfiltration tool used previously with LockBit 2.0;
  • publicly available file-sharing services, such as MEGA.

The affiliates have been observed using various freeware and open-source tools during their attacks.

“These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration. Use of PowerShell and Batch scripts are observed across most intrusions, which focus on system discovery, reconnaissance, password/credential hunting, and privilege escalation. Artifacts of professional penetration-testing tools such as Metasploit and Cobalt Strike have also been observed.” continues the report.

The alert states that LockBit 3.0 is capable of bypassing User Account Control (UAC) to execute code with elevated privileges via an elevated Component Object Model (COM) interface. It also supports a Safe Mode feature to bypass endpoint antivirus and detection.

The alert also provides mitigations and security controls to prevent and reduce the impact of the threat.


Pierluigi Paganini

(SecurityAffairs – hacking, RaaS)

Ransomware attacks hit 105 US local governments in 2022

In 2022, ransomware attacks targeted 105 state or municipal governments or agencies in the US, reads a report published by Emsisoft.

According to the “The State of Ransomware in the US: Report and Statistics 2022” report published by Emsisoft, the number of ransomware attacks against government, education and healthcare sector organizations is quite similar to the number of attacks in previous years.

The report aggregates data from disclosure statements, press reports, Tor leak sites, and third-party information feeds. Experts pointed out that some incidents will have escaped their attention and so the figures reported in the study could be just the tip of the iceberg.

It is important to note that the figures reported in the study were dramatically affected by a single incident in Miller County, AR, where an infection of a mainframe caused the compromise of endpoints in 55 different counties.

Below are the attacks reported by Emsisoft:

  • 105 local governments
  • 44 universities and colleges
  • 45 school districts operating 1,981 schools
  • 25 healthcare providers operating 290 hospitals

“When it comes to cybersecurity incidents, it has always been hard to get accurate statistical information.” reads the report published by Emsisoft. “What data is available is based largely on publicly available reports, but not all incidents are made public, even in the public sector and, consequently, the true number of incidents in all sectors of the economy is and has always been higher than reported.”

Ransomware attacks against local governments resulted in data theft in at least 27 of the 105 incidents (26 percent). The only local government known to have paid a ransom in 2022 was Quincy, MA, which paid a $500,000 ransom.

In 2022, 89 education sector organizations were impacted by ransomware, compared with 88 in 2021.

In at least 58 of those incidents (65 percent), the experts reported data breaches.

The most severe incident in 2022 was suffered by the Los Angeles Unified School District, which is the second-largest district in the U.S.

The report also states that 25 ransomware attacks involved hospitals and multi-hospital health systems, potentially impacting patient care at up to 290 hospitals.

The most significant incident of 2022 was the attack suffered by CommonSpirit Health, which resulted in the exposure of the personal data of 623,774 patients.

In at least 17 incidents (68 percent), threat actors exfiltrated data including Protected Health Information (PHI).

“Early ransomware attacks were simple and mostly automated. However, today’s attacks are often complex, human-directed events in which data is exfiltrated and encryption, if it happens at all, is the very last step in the attack chain.” concludes the report. “A better way of thinking about incidents is simply “data extortion events.” “Encryption-based data extortion” and “exfiltration-based data extortion,” which are not mutually exclusive, are subcategories to that.”


Pierluigi Paganini

(SecurityAffairs – hacking, malware)


Personal health information of 42M Americans leaked between 2016 and 2021

Crooks have had access to the medical records of 42 million Americans since 2016 as the number of hacks on healthcare organizations doubled.

Medical records of 42 million Americans have been sold on the dark web since 2016; the data comes from cyberattacks on healthcare providers.

Researchers from JAMA Network analyzed trends in ransomware attacks on US hospitals, clinics, and health care delivery organizations between 2016 and 2021.

Common operational disruptions included canceled appointments/surgeries, electronic system downtime, and ambulance diversion. The researchers calculated the operational disruption duration and other data related to the attacks.

From 2016 to 2021, the annual number of ransomware attacks rose from 43 to 91.

“In this cohort study of 374 ransomware attacks, the annual number of ransomware attacks on health care delivery organizations more than doubled from 2016 to 2021, exposing the personal health information of nearly 42 million patients.” reads the report published by JAMA Network. “During the study period, ransomware attacks exposed larger quantities of personal health information and grew more likely to affect large organizations with multiple facilities.”

During the study period, the researchers documented 374 ransomware attacks on healthcare systems that exposed the personal health information (PHI) of 41,987,751 individuals.

The exposure of personal health information increased more than 11-fold, from roughly 1.3 million in 2016 to close to 16.5 million in 2021.

Approximately one in five (20.6%) healthcare organizations that suffered a ransomware attack were able to restore data from backups. For 15.8% of ransomware attacks, threat actors leaked stolen PHI by posting it on dark web forums.

Ransomware attacks mainly targeted clinics, followed by hospitals, other delivery organization types, ambulatory surgical centers, mental/behavioral health organizations, dental practices, and post-acute care organizations.

Experts also reported that 52.9% of all ransomware attacks affected multiple facilities within the attacked organization.

“The results of this cohort study suggest that from 2016 to 2021, ransomware attacks on health care delivery organizations increased in frequency and sophistication. These attacks exposed PHI and frequently disrupted health care delivery, but further research is needed to more precisely understand the operational and clinical care consequences of these disruptions.” concludes the report. “As policy makers craft legislation aimed at countering the threat of ransomware attacks across multiple industries, we urge them to focus on the specific needs of health care delivery organizations, for which operational disruptions may carry substantial implications for the quality and safety of patient care.”


Pierluigi Paganini

(SecurityAffairs – hacking, healthcare)


US HHS warns healthcare orgs of Royal Ransomware attacks

The US Department of Health and Human Services (HHS) warns healthcare organizations of Royal ransomware attacks.

The human-operated Royal ransomware first appeared on the threat landscape in September 2022 and has demanded ransoms of up to millions of dollars.

HHS is aware of attacks against the Healthcare and Public Health (HPH) sector.

Unlike other ransomware operations, Royal doesn’t offer Ransomware-as-a-Service; it appears to be a private group without a network of affiliates.

“Royal is a human-operated ransomware that was first observed in 2022 and has increased in appearance. It has demanded ransoms up to millions of dollars. Since its appearance, HC3 is aware of attacks against the Healthcare and Public Healthcare (HPH) sector. Due to the historical nature of ransomware victimizing the healthcare community, Royal should be considered a threat to the HPH sector.” reads the report published by HHS.

Once they have compromised a victim’s network, the threat actors deploy the post-exploitation tool Cobalt Strike to maintain persistence and perform lateral movement.

Originally, the ransomware operation used BlackCat’s encryptor, but later it started using Zeon. The ransom notes (README.TXT) include a link to the victim’s private negotiation page. Starting from September 2022, the note was changed to Royal.

The Royal ransomware is written in C++, infects Windows systems, and deletes all Volume Shadow Copies to prevent data recovery. It encrypts the network shares found on the local network, as well as the local drives, with the AES algorithm.

The Royal ransomware can either fully or partially encrypt a file depending on its size and the ‘-ep’ parameter. The malware changes the extension of the encrypted files to ‘.royal’.

In November, researchers from the Microsoft Security Threat Intelligence team warned that a threat actor, tracked as DEV-0569, is using Google Ads to distribute various payloads, including the recently discovered Royal ransomware. The DEV-0569 group carries out malvertising campaigns to spread links to a signed malware downloader posing as software installers or fake updates embedded in spam messages, fake forum pages, and blog comments.

HC3 added that threat actors continue to use multiple attack vectors associated with this ransomware, including phishing, Remote Desktop Protocol (RDP) compromises and credential abuse, compromises via exploited vulnerabilities in systems such as VPN servers, and compromises via other known vulnerabilities.

“Royal is a newer ransomware, and less is known about the malware and operators than others. Additionally, on previous Royal compromises that have impacted the HPH sector, they have primarily appeared to be focused on organizations in the United States. In each of these events, the threat actor has claimed to have published 100% of the data that was allegedly extracted from the victim.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)


Google to Pay a record $391M fine for misleading users about the collection of location data

Google is going to pay $391.5 million to settle with 40 states in the U.S. for secretly collecting personal location data.

Google has agreed to pay $391.5 million to settle with 40 US states for misleading users about the collection of personal location data. The settlement is the largest attorney general-led consumer privacy settlement ever, states the announcement published by DoJ.

“Google misled its users into thinking they had turned off location tracking in their account settings, when, in fact, Google continued to collect their location information. In addition to the multimillion-dollar settlement, as part of the negotiations with the AGs, Google has agreed to significantly improve its location tracking disclosures and user controls starting in 2023.” reads the DoJ’s press release.

Oregon Attorney General Ellen Rosenblum, who led the settlement along with Nebraska AG Doug Peterson, pointed out that for years Google has prioritized profit over their users’ privacy.

The authorities started the investigation into Google collection practice following a 2018 Associated Press article that revealed Google “records your movements even when you explicitly tell it not to.”

According to the article, there are two settings responsible for the location data collection, the “Location History” and “Web & App Activity”. The former is “off” by default while the latter is automatically enabled when users set up a Google account, including all Android users.

Location data represents the core of the IT giant’s digital advertising business. However, location data can be used to expose a person’s identity and routines, and even to infer personal details.

Google violated state consumer protection laws by misleading consumers about its location tracking practices since at least 2014. Google also confused its users about how account and device settings could be used to limit Google’s location tracking.

The settlement requires Google to be more transparent about its practices. In particular, Google must:

  1. Show additional information to users whenever they turn a location-related account setting “on” or “off”;
  2. Make key information about location tracking unavoidable for users (i.e., not hidden); and
  3. Give users detailed information about the types of location data Google collects and how it’s used at an enhanced “Location Technologies” webpage.

Following the settlement, Google announced it has introduced more transparency and tools to help users manage their data and minimize the data it collects. Below are the measures announced by the company:

  • Launched auto-delete controls, a first in the industry, and turned them on by default for all new users, giving you the ability to automatically delete data on a rolling basis and only keep 3, 18 or 36 months worth of data at a time.
  • Developed easy-to-understand settings like Incognito mode on Google Maps, preventing searches or places you navigate to from being saved to your account.
  • Introduced more transparency tools, including Your Data in Maps and Search, which lets you quickly access your key location settings right from our core products.


Pierluigi Paganini

(SecurityAffairs – hacking, privacy)


Zero-days are exploited on a massive scale in increasingly shorter timeframes

Microsoft warns of an uptick among threat actors increasingly using publicly-disclosed zero-day exploits in their attacks.

According to the Digital Defense Report published by Microsoft, threat actors are increasingly leveraging publicly-disclosed zero-day vulnerabilities to target organizations worldwide.

The researchers noticed a reduction in the time between the announcement of a vulnerability and the commoditization of that vulnerability and remarked on the importance of the patch management process.

“As cyber threat actors—both nation state and criminal—become more adept at leveraging these vulnerabilities, we have observed a reduction in the time between the announcement of a vulnerability and the commoditization of that vulnerability. This makes it essential that organizations patch exploits immediately.” reads the report.

Microsoft noted that, on average, it takes only 14 days for a flaw to be exploited in the wild after its public disclosure, and 60 days for exploit code to be released on GitHub.

The experts observed that zero-day vulnerabilities are initially exploited in highly targeted attacks and are then quickly adopted in broader attacks in the wild.

Many nation-state actors have developed the capability to create exploits from unknown vulnerabilities; China-linked APT groups are particularly proficient in this activity.

“China’s vulnerability reporting regulation went into effect September 2021, marking a first in the world for a government to require the reporting of vulnerabilities into a government authority for review prior to the vulnerability being shared with the product or service owner.” continues the report. “This new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them.”

Below is a list of vulnerabilities first developed and deployed by China-linked threat actors in attacks, before being publicly disclosed and spread among other actors in attacks in the wild:

Microsoft urges organizations to prioritize patching of zero-day vulnerabilities as soon as patches are released, and it also recommends documenting and inventorying all enterprise hardware and software assets to determine their exposure to attacks.

“Vulnerabilities are being picked up and exploited on a massive scale, and in increasingly shorter timeframes.” the company concludes.


Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)


The 10th edition of the ENISA Threat Landscape (ETL) report is out!

I’m proud to announce the release of the 10th edition of the ENISA Threat Landscape (ETL) on the state of the cybersecurity threat landscape.

The European Union Agency for Cybersecurity (ENISA) has released its ENISA Threat Landscape 2022 (ETL) report, its annual analysis of the state of the cybersecurity threat landscape.

This is the 10th edition of the annual report and analyzes events that took place between July 2021 and July 2022.

The report highlights the impact of the geopolitical context on the threat landscape: during the above period, ENISA experts observed a rise in malicious activities associated with cyberwarfare and hacktivism.

The geopolitical situation, particularly the ongoing Russian invasion of Ukraine, caused a significant increase in the number of state-sponsored attacks with cyberespionage, sabotage, and misinformation purposes. Another alarming trend that emerged from the report is the increase in the number of threats: the experts observed a proliferation of zero-day exploits and of AI-enabled disinformation and deepfakes.

Ransomware continues to be one of the most dangerous threats for organizations worldwide, with more than 10 terabytes of data stolen monthly. According to the report, phishing campaigns are now identified as the most common initial vector of such ransomware attacks.

Below is the list of the top threats during the reporting period of the ETL 2022:

  • Ransomware:
    • 60% of affected organisations may have paid ransom demands
  • Malware:
    • 66 disclosures of zero-day vulnerabilities observed in 2021
  • Social engineering:
    • Phishing remains a popular technique but we see new forms of phishing arising such as spear-phishing, whaling, smishing and vishing
  • Threats against data:
    • Increasing proportionally to the total amount of data produced
  • Threats against availability:
    • Largest distributed denial-of-service (DDoS) attack ever was launched in Europe in July 2022;
    • Internet: destruction of infrastructure, outages and rerouting of internet traffic.
  • Disinformation – misinformation:
    • Escalating AI-enabled disinformation, deepfakes and disinformation-as-a-service
  • Supply chain targeting:
    • Third-party incidents account for 17% of the intrusions in 2021 compared to less than 1% in 2020

“Today’s global context is inevitably driving major changes in the cybersecurity threat landscape. The new paradigm is shaped by the growing range of threat actors. We enter a phase which will need appropriate mitigation strategies to protect all our critical sectors, our industry partners and therefore all EU citizens.” said EU Agency for Cybersecurity Executive Director, Juhan Lepassaar.

For each identified threat, the report describes attack techniques, notable incidents and trends; the document also includes mitigation measures.

Below are the categories of threat actors analyzed in the report:

  • State-sponsored actors
  • Cybercrime actors
  • Hacker-for-hire actors
  • Hacktivists.

The ENISA Threat Landscape 2022 includes an impact assessment of cyber threats that reveals 5 types of impact:

  • reputational damage
  • digital damage
  • economic damage
  • physical damage
  • social damage

“The ETL report maps the cyber threat landscape to help decision-makers, policy-makers and security specialists define strategies to defend citizens, organisations and cyberspace. This work is part of the EU Agency for Cybersecurity’s annual work programme to provide strategic intelligence to its stakeholders.” states the announcement. “The report’s content is gathered from open sources such as media articles, expert opinions, intelligence reports, incident analysis and security research reports; as well as through interviews with members of the ENISA Cyber Threat Landscapes Working Group (CTL working group).”

Enjoy the report:

ENISA Threat Landscape 2022 – Infographic

ENISA Threat Landscape Report 2022


Pierluigi Paganini

(SecurityAffairs – hacking, ENISA Threat Landscape 2022)


Ransomware activity and network access sales in Q3 2022

Ransomware activity report: Threat actors are selling access to hundreds of organizations, with a cumulative requested price of around $4M.

Research published by threat intelligence firm KELA on ransomware activity in Q3 reveals stable activity in the initial access sales market, but the experts observed a rise in the value of the offerings.

“In Q3 actors offered more expensive listings since the total number of listings remained almost the same. On average, there were around 190 access listings in each month of Q3, slightly higher than in Q2.” reads the report published by the experts.

KELA identified around 600 victims by analyzing ransomware actors’ blogs and negotiation portals, data leak sites and public reports. Compared to the second quarter of 2022, the activity decreased by 8%, falling from July to August but increasing from August to September. On average, the experts observed 200 attacks each month of Q3 compared to 216 victims in Q2.

In Q3 2022, the most prolific ransomware and data leak actors were LockBit, Black Basta, Hive, Alphv (aka BlackCat) and the new entry BianLian group.

Looking at the geographical distribution of the attacks, the most targeted country is the US (40%), followed by France, Germany, and Spain.

The most targeted sector was professional services.

The average price for access was around $2800, while the median price was $1350.

One of the most worrisome findings of the report is the number of network access listings for sale in Q3: KELA experts traced over 570 offers, with a cumulative requested price of around $4 million.

“In Q3 2022, KELA traced over 570 network access listings for sale, with a cumulative requested price of around USD 4 million; one access was offered for USD 3 million. This constitutes a significant increase compared to the total amount of about USD 660,000 demanded in Q2.” continues the report. “However, excluding this one USD 3 million access, the difference wouldn’t be so serious.”

Ransomware is a profitable business, and for this reason new ransomware gangs keep entering the cyber arena; in some cases the groups are composed of members of now-defunct prominent extortion groups. In Q3, new data leak sites emerged in the cybercrime ecosystem, including BianLian, 0mega, Daixin Team, and Donut Leaks.

“Ransomware and data-leak actors continue to operate vigorously while new gangs emerged in Q3 2022. IABs offers continued to be in demand and to increase in quantity and price.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)


North Korea-linked APT spreads tainted versions of PuTTY via WhatsApp

North Korea-linked threat actor UNC4034 is spreading tainted versions of the PuTTY SSH and Telnet client.

In July 2022, Mandiant identified a novel spear-phishing methodology employed by the North Korea-linked threat actor UNC4034. The attackers are spreading tainted versions of the PuTTY SSH and Telnet client. The attack chain starts with a fake job opportunity at Amazon sent to the victims via email. UNC4034 then moved the conversation to WhatsApp and, once communication with the victim was established there, tricked the victims into downloading a malicious ISO image masquerading as job-related material.

The archive holds a text file containing an IP address and login credentials, and a backdoored version of PuTTY that was used to load a dropper called DAVESHELL, which deploys a newer variant of a backdoor dubbed AIRDRY. AIRDRY, also known as BLINDINGCAN, is one of the backdoors used by North Korea-linked APT groups in previous attacks.

The attackers evidently convinced the victim to launch a PuTTY session with the credentials contained in the TXT file in order to connect to the remote host.

“The initial lead was a file downloaded to the host named amazon_assessment.iso. ISO and IMG archives have become attractive to threat actors because, from Windows 10 onwards, double-clicking these files automatically mounts them as a virtual disk drive and makes their content easily accessible.” reads the post published by Mandiant. “Detecting malicious IMG and ISO archives served via phishing attachments is routine for Mandiant Managed Defense. The payloads contained within such archives range from commodity malware to advanced backdoors like the sample analyzed in this blog post.”

Experts pointed out that earlier versions of AIRDRY supported numerous backdoor commands, including file transfer, file management, and command execution. The most recent version replaces the traditional backdoor commands with a plugin-based approach that supports multiple communication modes.

Experts published Indicators of Compromise (IoCs) and MITRE ATT&CK Mapping for this campaign.

The development is yet another sign that the use of ISO files for initial access is gaining traction among threat actors to deliver both commodity and targeted malware.

The shift is also attributable to Microsoft’s decision to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros for Office apps downloaded from the internet by default.


Pierluigi Paganini

(SecurityAffairs – hacking, North Korea)
