Thought leadership. Threat analysis. Cybersecurity news and alerts.
The Rise of Internet Access Brokers
Researchers from BlackBerry Research & Intelligence Team recently discovered three separate threat groups using the same IT infrastructure maintained by a threat actor dubbed as Zebra2104, which the researchers believe to be an Initial Access Broker.
What Is an Initial Access Broker?
As the name denotes, an Initial Access Broker either buys or sells goods or assets for others. In this case, what is being bought or sold for others is the initial access to the victim’s network.
Once an Initial Access Broker has access to an organization’s network, the broker then advertises this initial access to prospective buyers in the underground forums on the dark web. Initial Access Brokers typically sell access to the victim’s network to the highest bidder on underground forums. The winning bidder then deploys ransomware or other malicious software (malware) to steal or snoop the victim’s critical data.
Initial Access Broker is the first kill chain of many cyberattacks, including ransomware attacks. Initial access to victims’ networks comes in different forms. These include access to vulnerable and internet exposed remote desktop protocol (RDP) and virtual private network (VPN).
VPN, in principle, establishes a protected network connection when using public networks. In the past few years, a number of vulnerabilities have been discovered in many VPN products. RDP, short for remote desktop protocol, is a network communications protocol developed by Microsoft, allowing a computer user to remotely connect to another computer.
In the blog post "Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks", Microsoft Defender Security Research Team said that computers with RDP exposed to the internet are an attractive target for attackers as they offer attackers a simple and effective way to gain access to a network. According to Microsoft Defender Security Research Team, brute-forcing RDP doesn’t need a high level of expertise or the use of exploits.
“RDP connections almost always take place at port 3389, and attackers can assume that this is the port in use and target it to carry out man-in-the-middle attempts, amongst other attacks,” Digital Shadows researchers said in the blog post “Initial Access Brokers In Q3 2021”.
Digital Shadows researchers reported that during the third quarter of 2021, RDP and VPN continued to be the access of choice for Initial Access Brokers. During the third quarter of 2021, the average price for VPN was $1869, while the average price for RDP was $1902. According to Digital Shadows researchers, RDP and VPN were also the most popular access of choice for Initial Access Brokers Q1 and Q2 2021.
“This [popularity of RDP and VPN] is likely due to a combination of the increased use of both technologies as a result of the COVID-19 pandemic and the opportunities afforded to an actor purchasing a VPN or RDP access,” Digital Shadows researchers said.
Digital Shadows researchers added that the VPN-RDP combination – referring to access type that uses VPN access to a victim’s RDP dedicated server – was significantly more expensive in Q3 than the last quarter. “It’s realistically possible that this access type [VPN-RDP] may represent a more secure method of gaining access to targeted networks, and as a result, become more desirable for interested actors,” Digital Shadows researchers said.
Digital Shadows researchers reported that Initial Access Brokers are advertising various accesses to RAMP (Ransom Anon Mark Place), a recently relaunched Russian-language cybercriminal forum.
In the blog post "Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware", BlackBerry researchers said they uncovered a connection between the criminal activities of three distinct threat groups, MountLocker, Phobos, and StrongPity. “While it might seem implausible for criminal groups to be sharing resources, we found these groups [MountLocker, Phobos, and StrongPity] had a connection that is enabled by a fourth; a threat actor we have dubbed Zebra2104, which we believe to be an Initial Access Broker (IAB),” BlackBerry researchers said.
MountLocker is a ransomware group that has been active since July of 2020. Phobos is another ransomware group that was first seen in early 2019. Phobos has been victimizing small-to-medium-sized organizations across a variety of industries. StrongPity, also known as Promethium, is an espionage group that has been active since at least 2012.
According to BlackBerry researchers, a single domain led them down a path where they uncovered multiple ransomware attacks by MountLocker, Phobos, and a command-and-control (C2) of StrongPity. “The path also revealed what we believe to be the infrastructure of an IAB: Zebra2104,” BlackBerry researchers said.
Cybersecurity Best Practices
Cybercrime groups nowadays mimic multinational organizations’ business models. Similar to multinational organizations, cybercrime groups establish partnerships and alliances with other organizations, in this case, with Initial Access Brokers.
Considering that RDP and VPN are the popular initial accesses, it’s important to guard these two gateways. Here are some of the best practices to guard RDP and VPN:
What Is Kubernetes and How to Protect This Attack Surface
Kubernetes is fast becoming the target of attackers to steal data, steal computing power, or cause a denial of service.
What Is Kubernetes?
Kubernetes is an open-source system that’s often hosted in the cloud. It’s used to automate the deployment, scaling, and management of applications. Companies that use Kubernetes include Google and Tesla.
Google originally developed and released Kubernetes as open-source in 2014. Google Cloud is the known birthplace of Kubernetes. Kubernetes development drew inspiration from Google’s Borg.
“Google's Borg system is a cluster manager that runs hundreds of thousands of jobs, from many thousands of different applications, across a number of clusters each with up to tens of thousands of machines,” Google said. “It achieves high utilization by combining admission control, efficient task-packing, over-commitment, and machine sharing with process-level performance isolation. It supports high-availability applications with runtime features that minimize fault-recovery time, and scheduling policies that reduce the probability of correlated failures. Borg simplifies life for its users by offering a declarative job specification language, name service integration, real-time job monitoring, and tools to analyze and simulate system behavior.”
While Kubernetes offers users a way to automate the deployment, scaling, and management of applications, it presents complexities. "Kubernetes clusters can be complex to secure and are often abused in compromises that exploit their misconfigurations,” the U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency said in the advisory “Kubernetes Hardening Guidance.”
In February 2018, researchers at RedLock discovered that attackers had infiltrated Tesla’s Kubernetes console which wasn’t password protected. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry,” RedLock researchers said.
According to RedLock researchers, attackers in the Tesla case stole the computing power for crypto mining from within one of Tesla’s Kubernetes pods. The researchers added that the attackers used the following evasion techniques to hide the illicit crypto mining:
. The attackers didn’t use a well-known public “mining pool” in this attack, making it difficult for standard IP/domain-based threat intelligence feeds to detect the malicious activity.
. The attackers hid the true IP address of the mining pool server behind a free content delivery network (CDN) service, making IP address-based detection of crypto mining activity difficult.
. The mining software was configured to listen on a non-standard port, making it difficult to detect malicious activity based on port traffic.
. The attackers configured the mining software to keep the usage low to evade detection.
Common Sources of Compromise in Kubernetes
According to the U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency, the three common sources of compromise in Kubernetes are malicious threat actors, supply chain risks, and insider threats.
Malicious Threat Actors
According to the U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency, malicious threat actors often target the following Kubernetes architecture for remote exploitation: control plane, worker nodes, and containerized applications.
The Kubernetes control plane is used to track and manage the cluster. The agencies said the Kubernetes control plane lacking appropriate access controls is often taken advantage by attackers.
The Kubernetes worker nodes host the kubelet and kube-proxy service. According to the said agencies, worker nodes are potentially exploitable by attackers.
The agencies added that the containerized applications running inside the Kubernetes cluster are common targets. "An actor can then pivot from an already compromised Pod or escalate privileges within the cluster using an exposed application’s internally accessible resources,” the agencies said.
Supply Chain Risks
In supply chain risks, attackers may compromise a third-party software and vendors used to create and manage the Kubernetes cluster.
A malicious third-party application running in Kubernetes could provide attackers with a foothold. The compromise of the underlying systems (software and hardware) hosting Kubernetes could provide attackers with a foothold as well.
Insiders threats refer to individuals from within the organization who use their special knowledge and privileges against Kubernetes clusters. These individuals can be administrators, users, and cloud service or infrastructure provider.
According to the U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency, Kubernetes administrators have control over the Kubernetes environment, giving them the ability to compromise the Kubernetes environment.
Users who have knowledge and credentials to access containerized services in the Kubernetes cluster could compromise the Kubernetes environment as well. Cloud service or infrastructure provider, meanwhile, has access to physical systems or hypervisors managing Kubernetes nodes. This access could be used to compromise a Kubernetes environment.
Cybersecurity Best Practices
The U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency recommend the following best practices in order to protect your organization’s Kubernetes environment:
Cyberattack Surface Widens As World Sees Increase in Remote Work
With much of the world now working remotely and likely to remain this way after the COVID-19 pandemic, the attack surface that could be exploited by cyberattackers has widened, a new study showed.
A new study by RiskIQ showed that with much of the global economy being run from homes, attackers now have far more access points to probe and exploit. Attack surface, as defined in the study, refers to everything that needs defending, starting from inside the corporate network and extending all the way to the internet and into the homes of workers working from home. RiskIQ identified the following attack areas:
Web-Based Attack Surface
Across the internet in just over two weeks, RiskIQ observed 2,959,498 new domains (equivalent to 211,392 per day) and 772,786,941 new unique hosts to the web (equivalent to 55,199,067 per day). New domains, also known as new websites, and new unique hosts to the web, according to RiskIQ, represent as possible targets for threat actors.
RiskIQ found that 2,480 of the Alexa top 10,000 domains were running at least one potentially vulnerable web component, and 8,121 potentially vulnerable web components in total were found in the Alexa top 10,000.
To highlight the attack surface faced by organizations, RiskIQ conducted a study on the companies that comprise the FTSE-30 – a group of 30 large-cap organizations in the UK. RiskIQ found that on average, each FTSE-30 organization has 324 expired certs, 25 SHA-1 certs, 743, potential test sites, 28 insecure login forms, 385 total insecure forms, 46 web frameworks with known vulnerabilities, 80 PHP 5.x instances with end of life (EOL) end of the year, and 664 web servers at release levels with known vulnerabilities.
In addition, last March, with the spike of online shopping due to COVID-1, RiskIQ reported that it detected a 30% increase in Magecart skimmers – a type of cyberattack that involves digital credit card theft by skimming online payment forms.
Modern websites are made up of common features such as underlying operating systems, frameworks, third-party applications, plugins, and trackers. "This commonality of approach is attractive to malicious actors, as a successful exploit written for a vulnerability or exposure on one site can be reused across many sites," RiskIQ said.
A recent report from Verizon Data Breach Report, showed that external-facing web applications, in which network security tools have no visibility, were exploited the most by cyberattackers.
Remote Access Attack Surface
According to RiskIQ, the rush to stand up new systems outside the firewall to enable a remote workforce has expanded attack surfaces quicker, with virtual private network (VPN) usage surged 112% over just six weeks, and a 26.11% increase in Microsoft Remote Access Gateway instances, peaking around March 20 when stay-at-home orders took full effect.
RiskIQ found that on average, each FTSE-30 organization has 45 mail servers, 7,790 cloud-hosted apps (Amazon and Azure), 26 potentially vulnerable Citrix Netscaler instances, 8 potentially vulnerable Palo Alto GlobalProtect instances, 9 potentially vulnerable Pulse Connect instances, 25 potentially vulnerable Fortinet instances, and 1,464 remote access service instances.
Mobile Attack Surface
There's more to mobile apps than Apple and Google Play Mobile App Stores as there are hundreds of online stores in which threat actors sell their mobile apps. RiskIQ said malicious actors compromise legitimate apps and launch fake apps in other app store ecosystem and the open internet.
In 2019, RiskIQ found 170,796 blacklisted mobile apps across 120 mobile app stores and the open internet. Eighty-six percent of the blacklisted apps, RiskIQ said, claimed the READ_SMS permission, which allows the app to read messages and can be used for nefarious activities such as circumventing two-factor authentication.
Social Engineering Attack Surface
Social engineering refers to the impersonation of domains, subdomains, landing pages, websites, mobile apps, and social media profiles to trick employees and consumers in installing malicious software (malware) or into giving up login credentials and other personal information.
In the first quarter of 2020, RiskIQ identified 21,496 phishing domains impersonating 478 unique brands. For the same period, it also identified 720,188 instances of domain infringement across 170 unique brands. RiskIQ noted that 317,000 new websites related to “COVID-19” or “coronavirus” in the two weeks between March 9 and 23.
Cybersecurity Best Practices in Securing Your Organization's Attack Surface
Traditional cybersecurity measure uses a firewall that acts as a barrier between a trusted internal network and untrusted external network such as the internet. The COVID-19 pandemic and the resulting government-mandated stay-at-home measure leaving organizations no option but to allow workers to work from home, has widened the attack surface as the boundaries of what are inside the firewall and what are outside the firewall are no longer clear.
Here are some cybersecurity best practices in securing your organization's attack surface:
Whether it's for the web, mobile or operating systems, all software used for these platforms should be kept up to date. Failure to apply the latest software update leaves this attack surface vulnerable for attack.
Malicious actors can simply probe into your organization's vulnerable internet-connected assets by conducting a simple internet scan. It's important to conduct a regular full inventory of these internet-connected assets, determining, for instance, what assets need software update.
Early detection of social engineering attempts that impersonate your organization's domains, subdomains, landing pages, websites, mobile apps, and social media profiles that target your employees and customers and letting them know about these social engineering attempts is one of the effective measures in disrupting
Steve E. Driz, I.S.P., ITCP