Vulnerable Internet-Exposed Applications Compromised in 24 Hours, Report Shows

A study conducted by researchers from Palo Alto Networks' Unit 42 found that vulnerable internet-exposed applications are compromised in just 24 hours.

Vulnerable internet-exposed applications once compromised pose a security risk to cloud environments within the same infrastructure. 

Honeypots

Between July 2021 and August 2021, Unit 42 researchers set up 320 honeypots to verify how fast threat actors compromise four vulnerable internet-exposed applications, namely, secure shell protocol (SSH), remote desktop protocol (RDP), Samba, and Postgres.

Honeypots are network-attached computers that are purposely set up to lure threat actors to access these network-attached computers. Honeypots are set up to study the attackers’ methodologies.

SSH is a protocol that allows users to open remote shells on other computers. Samba is a free software re-implementation of the Server Message Block (SMB) networking protocol. SMB is a communication protocol used for sharing access to files, printers, serial ports for Windows computers on the same network or domain.

RDP, meanwhile, is a network communications protocol developed by Microsoft, allowing users to remotely connect to another computer. Postgres, also known as PostgreSQL, is an enterprise-class open source database management system.

Access to any of these four standard applications allows attackers to remotely connect to the victim’s network and perform malicious activities such as further compromising cloud environments within the same network.

The honeypots deployed by the Unit 42 researchers had vulnerable SSH, Samba, RDP, and Postgres. For instance, they intentionally use weak usernames and weak passwords.

Weaknesses in SSH, Samba, RDP, and Postgres are often exploited by cyberattackers. Ransomware groups, including REvil and Mespinoza, are known to exploit internet-exposed applications to gain initial access to victims' environments.

In Q3 2021, Digital Shadows reported that RDP and SSH are among the top access of choice of Initial Access Brokers – individuals or groups that act as intermediaries in identifying vulnerable organizations and selling access to the networks of these vulnerable organizations to the highest bidder.

Unit 42 researchers found that 80% of the 320 honeypots were compromised within 24 hours and all of the honeypots were compromised within a week. Out of the four vulnerable internet-exposed applications, SSH was the most attacked application and on average, each SSH honeypot was compromised 26 times daily.

The researchers also found that one threat actor compromised 96% of 80 Postgres honeypots globally within 30 seconds. The researchers’ honeypots applied firewall policies to block IPs from known network scanners. They found that blocking known scanner IPs is ineffective in mitigating attacks as 85% of the attacker IPs were observed only on a single day.

"This number indicates that Layer 3 IP-based firewalls are ineffective as attackers rarely reuse the same IPs to launch attacks,” Unit 42 researchers said. “A list of malicious IPs created today will likely become outdated tomorrow.”

The researchers also found that vulnerable internet-exposed applications were compromised multiple times by multiple different attackers. As attackers competed for the victim’s resources, tools such as Rocke or TeamTNT were used to remove the malicious software (malware) left by other cyberattackers. 

Scanning Activities

"The speed of vulnerability management is usually measured in days or months,” Unit 42 researchers said. “The fact that attackers could find and compromise our honeypots in minutes was shocking. When a misconfigured or vulnerable service [application] is exposed to the internet, it takes attackers just a few minutes to discover and compromise the service.”

The speed at which threat actors find vulnerable internet-facing applications is achieved through the process called scanning. Threat actors aren’t alone in finding vulnerable internet-facing applications through scanning.

Legitimate scanning service providers, such as Shodan, Censys, and Shadowserver, allow users to find vulnerable internet-facing applications. These legitimate scanning service providers have fixed IP addresses. Threat actors, on the other hand, as shown in the findings of the Unit 42 researchers, don’t use fixed IP addresses, but rather change their IP addresses every day.

Unit 42 researchers identified an average of 75,000 unique scanner IP addresses globally that enumerated more than 9,500 different ports every day. The researchers found that Samba, Telnet (a protocol that allows users to connect to remote computers over a TCP/IP network, such as the internet), and SSH were the three most scanned services, accounting for 36% of scanning traffic globally.

Scanning, per se, doesn’t compromise vulnerable internet-facing applications. This method, however, is used by cybercriminals to identify potential victims.

Cybersecurity Best Practices

Here are some of the cybersecurity best practices to protect your organization’s vulnerable internet-exposed applications:

Keep to a bare minimum the exposure of applications to the internet. If internet-exposed applications aren’t used, disable them.

If there’s a need to expose these applications to the internet, secure them by applying in a timely manner the security updates, by using strong passwords, multi-factor authentication (MFA), and other security measures such as virtual private network (VPN).

In using a Firewall, use the whitelisting approach, rather than the blacklisting approach. In whitelisting, only the approved or whitelisted entities are given access to your organization’s network, blocking all others. Blacklisting, on the other hand, blocks known malicious IP addresses. As shown in the study conducted by Unit 42 researchers, cyberattackers regularly change their IP addresses defeating the purpose of blacklisting.

The Rise of Internet Access Brokers

Researchers from BlackBerry Research & Intelligence Team recently discovered three separate threat groups using the same IT infrastructure maintained by a threat actor dubbed as Zebra2104, which the researchers believe to be an Initial Access Broker.

What Is an Initial Access Broker?

As the name denotes, an Initial Access Broker either buys or sells goods or assets for others. In this case, what is being bought or sold for others is the initial access to the victim’s network.

Once an Initial Access Broker has access to an organization’s network, the broker then advertises this initial access to prospective buyers in the underground forums on the dark web. Initial Access Brokers typically sell access to the victim’s network to the highest bidder on underground forums. The winning bidder then deploys ransomware or other malicious software (malware) to steal or snoop the victim’s critical data.

Initial Access Broker is the first kill chain of many cyberattacks, including ransomware attacks. Initial access to victims’ networks comes in different forms. These include access to vulnerable and internet exposed remote desktop protocol (RDP) and virtual private network (VPN).

VPN, in principle, establishes a protected network connection when using public networks. In the past few years, a number of vulnerabilities have been discovered in many VPN products. RDP, short for remote desktop protocol, is a network communications protocol developed by Microsoft, allowing a computer user to remotely connect to another computer.

In the blog post "Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks", Microsoft Defender Security Research Team said that computers with RDP exposed to the internet are an attractive target for attackers as they offer attackers a simple and effective way to gain access to a network. According to Microsoft Defender Security Research Team, brute-forcing RDP doesn’t need a high level of expertise or the use of exploits.

“RDP connections almost always take place at port 3389, and attackers can assume that this is the port in use and target it to carry out man-in-the-middle attempts, amongst other attacks,” Digital Shadows researchers said in the blog post “Initial Access Brokers In Q3 2021”.

Digital Shadows researchers reported that during the third quarter of 2021, RDP and VPN continued to be the access of choice for Initial Access Brokers. During the third quarter of 2021, the average price for VPN was $1869, while the average price for RDP was $1902. According to Digital Shadows researchers, RDP and VPN were also the most popular access of choice for Initial Access Brokers Q1 and Q2 2021.

“This [popularity of RDP and VPN] is likely due to a combination of the increased use of both technologies as a result of the COVID-19 pandemic and the opportunities afforded to an actor purchasing a VPN or RDP access,” Digital Shadows researchers said.

Digital Shadows researchers added that the VPN-RDP combination – referring to access type that uses VPN access to a victim’s RDP dedicated server – was significantly more expensive in Q3 than the last quarter. “It’s realistically possible that this access type [VPN-RDP] may represent a more secure method of gaining access to targeted networks, and as a result, become more desirable for interested actors,” Digital Shadows researchers said.

Digital Shadows researchers reported that Initial Access Brokers are advertising various accesses to RAMP (Ransom Anon Mark Place), a recently relaunched Russian-language cybercriminal forum.

Zebra2104

In the blog post "Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware", BlackBerry researchers said they uncovered a connection between the criminal activities of three distinct threat groups, MountLocker, Phobos, and StrongPity. “While it might seem implausible for criminal groups to be sharing resources, we found these groups [MountLocker, Phobos, and StrongPity] had a connection that is enabled by a fourth; a threat actor we have dubbed Zebra2104, which we believe to be an Initial Access Broker (IAB),” BlackBerry researchers said.

MountLocker is a ransomware group that has been active since July of 2020. Phobos is another ransomware group that was first seen in early 2019. Phobos has been victimizing small-to-medium-sized organizations across a variety of industries. StrongPity, also known as Promethium, is an espionage group that has been active since at least 2012.

According to BlackBerry researchers, a single domain led them down a path where they uncovered multiple ransomware attacks by MountLocker, Phobos, and a command-and-control (C2) of StrongPity. “The path also revealed what we believe to be the infrastructure of an IAB: Zebra2104,” BlackBerry researchers said.

Cybersecurity Best Practices

Cybercrime groups nowadays mimic multinational organizations’ business models. Similar to multinational organizations, cybercrime groups establish partnerships and alliances with other organizations, in this case, with Initial Access Brokers.

Considering that RDP and VPN are the popular initial accesses, it’s important to guard these two gateways. Here are some of the best practices to guard RDP and VPN:

• Keep operating systems and VPN up to date. For instance, in the past, Microsoft included in its updates patches to known vulnerabilities of RDP. VPN vendors, meanwhile, have released patches to known vulnerabilities to their VPN products.
• Use strong passwords for RDP and VPN.
• Use multi-factor authentication (MFA) for RDP and VPN to add an extra layer of protection in addition to a mere password.
• Practice network segmentation. In network segmentation, your organization’s network is subdivided into subnetworks. Organizations that use VPN access to RDP dedicated server benefit by separating this subnetwork from the other critical subnetworks. In a segmented network, criminals who have already compromised an internet-exposed VPN-RDP will be prevented from escalating their malicious activities to other critical subnetworks.

Some of the most widespread and devastating cyberattacks, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), have included multiple vulnerabilities – a cyberattack methodology known as “chaining”.

What Is Chaining?

Chaining is a type of cyberattack that uses a combination of multiple cybersecurity vulnerabilities rated “critical”, “high”, “medium”, or even “low”.

Today’s publicly disclosed cybersecurity vulnerabilities are listed or cataloged under CVE, which stands for Common Vulnerabilities and Exposures. Each cybersecurity vulnerability in the list is given an identification number.

For example, CVE-2021-26855 is the identification number given to a part of an attack chain against Microsoft Exchange Server. This security vulnerability has a “critical” rating under CVSS, which stands for Common Vulnerability Scoring System. 

Although sponsored by the U.S. Department of Homeland Security (DHS) and CISA, CVE is run by the non-profit organization MITRE. The Forum of Incident Response and Security Teams (FIRST) provides a standard for CVSS numerical score and qualitative representation (critical, high, medium, and low) for CVE entries. The National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), meanwhile, provides a free CVSS calculator for CVE entries. 

Real-World Examples of Chaining Attacks

CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 are four security vulnerabilities that are part of an attack chain against Microsoft Exchange Server.

Microsoft describes the four security vulnerabilities this way:

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM [named given by Microsoft to the group behind this chain attack] the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

In the blog post "HAFNIUM targeting Exchange Servers with 0-day exploits", Microsoft said CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 vulnerabilities were used by the threat actor HAFNIUM to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. 

According to CISA, attackers don’t rely only on “critical” vulnerabilities to achieve their goals. For instance, some attackers use lower score vulnerabilities to first gain a foothold, then exploit additional vulnerabilities to escalate privilege on an incremental basis.

In the above-mentioned real-world example of chaining attacks, CVE-2021-26855 has a critical CVSS rating, while CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 have a high CVSS rating.

In a chaining attack, threat actors don’t necessarily exploit multiple security vulnerabilities in one application. There are cases in which threat actors exploit vulnerabilities in multiple applications during a single attack.

Mitigating the Risks of Chaining Attacks

The best cybersecurity best practice against chaining attacks is by keeping all software up to date.

Keeping all software up to date, however, is easier said than done. As of November 11, 2021, there are a total of over 160,000 CVE records. Organizations need to properly assess and prioritize which security vulnerabilities should be patched first.

In the study "Historical Analysis of Exploit Availability Timelines", researchers at Carnegie Mellon University found that only 4% of the total number of CVEs have been publicly exploited in the wild. The researchers further found that out of the 4% publicly exploited CVEs, 42% are being used on day 0 of disclosure; 50% within 2 days of disclosure; and 75% within 28 days of disclosure. The CVSS ratings of some of these publicly exploited CVEs have “medium” or even “low” severity ratings.

CISA recently established a “living” catalog of CVEs that are exploited in the wild. The agency calls these publicly exploited CVEs as “Known Exploited Vulnerabilities (KEVs)”. CISA initially listed 182 vulnerabilities from 2017-2020 and 108 from 2021.

CISA said that the CVSS scores or ratings don’t always accurately depict the danger or actual hazard that a CVE presents.

Instead of only focusing on vulnerabilities that carry a specific CVSS rating, KEVs target vulnerabilities for remediation that have known exploits and are being actively exploited by malicious cyber actors. CISA recommends that these KEVs have to be remediated within a more aggressive timeline.

CISA said these are two of the reasons for a more aggressive remediation timeline for KEVs:

1. Cyber criminals and malicious actors were able to scan the internet for known vulnerabilities and exploit them within much smaller time frames; and
2. The adaptability, sophistication, and speed at which cyber adversaries were targeting and exploiting known vulnerabilities outpaced agencies improved remediation time.

Ransomware Attack Shuts Down Several Toronto Transit Commission (TTC) Services

Toronto Transit Commission (TTC), the public transport agency that provides public transportation services to commuters in Toronto and from surrounding municipalities, is still reeling days after a ransomware attack hit the agency’s computer network.

In a statement released last October 29th, TTC said that last October 28th, it learned it was the victim of a ransomware attack. The agency said TTC IT staff detected "unusual network activity" and attackers "broadened their strike on network servers."

TTC said the impacted services and systems include:

• Loss of the TTC's Vision system, used to communicate with vehicle operators
• Next vehicle information on platforms screens, through trip planning apps and on the TTC website is unavailable
• Online Wheel Trans bookings are unavailable
• Internal TTC email service is offline

In the absence of the TTC's Vision system, operators have been forced to communicate with Transit Control with radios. Customers of Wheel Trans van service who couldn’t book online were asked to phone to reserve pickup. And without email service, customers are asked to call.

Shabnum Durrani, TTC head of corporate communications, told IT World Canada that she couldn’t say what ransomware strain attacked TTC. She couldn’t say also if the attackers were able to copy emails of employees, nor could she say if any corporate data was copied. When asked whether TTC has been in contact with the ransomware attackers, Durrani said, “I cannot comment on that at this time.”

As of November 3, TTC spokesperson Stuart Green said that Wheel Trans online booking system is now up and running.

Ransomware Attacks on Public Transport Systems

In December 2020, Metro Vancouver's transportation network TransLink confirmed that it was a victim of a ransomware attack.

“We are now in a position to confirm that TransLink was the target of a ransomware attack on some of our IT infrastructure,” TransLink CEO Kevin Desmond said in a statement. “This attack included communications to TransLink through a printed message.” 

The ransomware attack on TransLink led to multi-day transit payment problems.

Back in 2016, the San Francisco Municipal Transportation Agency (SFMTA) confirmed that it was a victim of a ransomware attack. SFMTA said the ransomware attack affected approximately 900 office computers, and SFMTA's payroll system was temporarily affected. The transportation agency said no data was accessed from any of its servers.

What Is Ransomware?

Ransomware is a type of malicious software (malware) that encrypts victims’ files, preventing victims from accessing their files. Ransomware attackers demand ransom payment from victims in exchange for the decryption tool that promises to unlock the encrypted files.

A few years back, there was no transparency on whether ransomware attackers also steal data from victims. Today, ransomware attackers are open that aside from encrypting files, they also steal data from victims. The acknowledgment that ransomware attackers steal data from victims gives rise to double extortion, and lately triple extortion.

In triple extortion, ransomware attackers demand ransom payment for each of these attack tactics:

1. File Encryption

Ransomware attackers first demand ransom payment for the decryption tool that promises to unlock the encrypted files.

2. Data Theft

Ransomware attackers now acknowledge that before encrypting files, they exfiltrate or steal data. Many ransomware attackers now maintain a website that names ransomware victims. These victims are threatened that stolen data from their computer networks will be published online if payment for the non-publication of the stolen date won’t be paid.

3. Distributed Denial-of-Service (DDoS) Attacks

What used to be a stand-alone attack, Distributed Denial-of-Service (DDoS) has been made part of the whole attack process of some ransomware attackers. Darkside, the group behind the Colonial Pipeline ransomware attack has been known to add DDoS attack to their attack tactics.

In a DDoS attack, attackers overwhelm the target or its surrounding infrastructure with a flood of Internet traffic. One example of a DDoS attack is flooding a corporate website with malicious Internet traffic, preventing legitimate users from accessing the corporate website.

Adding DDoS on top of encryption and stealing data, adds pressure to IT staff who are already overwhelmed with the encryption and stolen data issues.

Security researchers also refer to ransomware triple extortion as an expansion of demand payments to victims’ customers, partners, and other third parties. Vastaamo, a Psychotherapy Center in Finland with nearly 40,000 patients, declared bankruptcy after attackers breached for nearly a year the Center’s computer network.

Attackers demand from Vastaamo to pay nearly half a million US dollars in Bitcoin. Patients’ personally identifiable information, including the actual written notes that therapists had taken, was stolen by the attackers. A few years after the breached period, attackers started sending extortion messages to the patients, asking them to pay a certain amount of money to prevent their data from being published. The attackers already leaked online the private data of hundreds of patients.

Cybersecurity Best Practices

Here are some cybersecurity best practices against ransomware attacks:

• Implement the 3-2-1 backup rule which means that 3 copies of important data must be kept, 2 copies in different media formats, and one copy off-site for disaster recovery.
• Keep all software up to date.
• Practice network segmentation, that is, subdividing your computer network into sub-networks so that in case one network encounters a problem, the other sub-networks won’t be affected.
• Use an automated DDoS solution.
• Raise your organization’s security precautions during weekends and holidays – data shows that ransomware attackers are likely to attack during these times.

How to Prevent Supply-Chain Attacks

Kaspersky researchers recently reported that they continue to observe in the 3rd quarter of 2021 supply-chain attacks.

“We continue to see supply-chain attacks, including those of SmudgeX, DarkHalo and Lazarus,” Kaspersky researchers said in their “APT trends report Q3 2021.”

What Is Supply-Chain Attack?

Supply-chain attack is a type of cyberattack in which an attacker inserts malicious code into a legitimate software.

In a supply-chain attack, an attacker turns the compromised software into a Trojan horse. A Trojan horse is a type of malicious software (malware) that’s introduced onto a victim’s computer as it’s disguised as legitimate software.

In a supply-chain attack, by compromising a single software, attackers gain access to hundreds or hundreds of thousands of customers of a legitimate software.

The three common supply-chain attack techniques include hijacking updates, undermining code signing, and compromising open-source code. Attackers may use these three common supply-chain attack techniques simultaneously.

Supply-Chain Attacks Examples

DarkHalo

DarkHalo is the name given by researchers to the group that launched the SolarWinds supply-chain attack. Other researchers call the group behind the SolarWinds supply-chain attack Nobelium.

SolarWinds supply-chain attack is one of the high-profile supply-chain attacks that was exposed in December 2020. According to SolarWinds, the "vulnerability" was inserted within the company's Orion products and existed in updates released between March and June 2020.

In a report to the U.S. Securities and Exchange Commission (SEC), SolarWinds said that nearly 33,000 of its more than 300,000 customers were Orion customers, and that fewer than 18,000 customers may have had installed the Orion product that contained the malicious code. One of the notable victims of the Solarwinds supply chain attack is Microsoft.

According to Kaspersky researchers, evidence suggests that DarkHalo had spent six months inside OrionIT’s networks to perfect their attack.

“In June, more than six months after DarkHalo had gone dark, we observed the DNS hijacking of multiple government zones of a CIS member state that allowed the attacker to redirect traffic from government mail servers to computers under their control – probably achieved by obtaining credentials to the control panel of the victims’ registrar,” Kaspersky researchers said. “When victims tried to access their corporate mail, they were redirected to a fake copy of the web interface. Following this, they were tricked into downloading previously unknown malware. The backdoor, dubbed Tomiris, bears a number of similarities to the second-stage malware, Sunshuttle (aka GoldMax), used by DarkHalo last year. ”

SmudgeX

Kaspersky researchers called the supply-chain incident in which a threat actor modified a fingerprint scanner software installer package as SmudgeX. The fingerprint scanner software is used by government employees of a country in South Asia for attendance recording.

Kaspersky researchers said the threat actor changed a configuration file and added a DLL with a .NET version of a PlugX injector to the installer package. “On installation, even without network connectivity, the .NET injector decrypts and injects a PlugX backdoor payload into a new svchost system process and attempts to beacon to a C2 [command and control infrastructure],” Kaspersky researchers said.

The Trojanized installer version of the fingerprint scanner software appeared to have been staged on the distribution server from March to June, Kaspersky researchers said.

Lazarus

According to Kaspersky researchers, evidence showed that the threat group known as Lazarus is building supply-chain attack capabilities. The researchers said that one supply-chain attack from this threat group originated from a compromised legitimate South Korean security software.

Another supply-chain attack launched by this group, Kaspersky researchers said, stemmed from a hijacked asset monitoring solution software in Latvia.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), meanwhile, reported that in 2017, Kaspersky Antivirus was being used by a foreign intelligence service for spying. The U.S. government directed government offices to remove the vendor’s products from networks.

Cybersecurity Best Practices Against Supply-Chain Attacks

Supply-chain attacks aren’t easy to protect against. Your organization’s software vendors, even the top big IT software vendors, are as vulnerable to supply-chain attacks.

Here are some of the cybersecurity best practices against supply-chain attacks:

• Maintain an inventory of all software licenses
• Find out how each software license is supported by its vendor. For example, are regular or out-of-schedule patches provided?
• Configure software to automatically check for patches or security updates.
• Follow the software vendor’s instructions on how to harden the security of the software.
• If software vendor specifies URLs or IP ranges and ports to and from which software should communicate, establish firewall rules to make sure that such communications don’t happen outside these parameters.
• Implement basic network segmentation, that is, sub-dividing your organization’s network into sub-networks to ensure that in case one sub-network is compromised, the other sub-networks won’t be compromised.
• Identify and remove unauthorized software that isn’t part of your organization’s software inventory.
• Have a contingency and continuity plan to switch to a new software vendor when critical software becomes unavailable or compromised.

Supply-chain attackers target not just software. They also target hardware. Attackers compromised hardware components with the end view of compromising hardware users. In 2016, attackers hijacked the design of a mobile phone. The phones sold to customers encrypted users’ text and call details and transmitted the data to a server every 72-hours.

Most of the cybersecurity best practices against software supply-chain attacks also apply to hardware supply-chain attacks.

How to Implement Best Cyber Defense Against BlackMatter Ransomware Attacks

Three U.S. government agencies, the Cybersecurity, and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA), recently issued a cyber security alert and defense tips against BlackMatter ransomware attacks.

What Is BlackMatter Ransomware?

BlackMatter is a relatively new ransomware. It was first observed in the wild in July 2021. This new ransomware exhibits the typical features of a modern-day ransomware, including the double extortion modus operandi.

In double extortion, the ransomware group steals data from victims. After stealing data, the attackers then encrypt victims’ data, preventing victims from accessing their data. After data encryption, attackers demand from victims ransom payment in exchange for a decryption tool that purportedly would unlock the encrypted data.

In double extortion, failure on the part of the victims to pay the ransom payment for the decryption tool leads to the activation of the second ransom demand, that is, victims are named on a leak site as victims of ransomware attacks. These victims are then threatened that their data will be published in case they won’t pay ransom.

Some ransomware actors still demand the second ransom payment – for the non-publication of the stolen data – despite the payment of the first ransom payment, that is, payment for the decryption tool.

Like other modern-day ransomware, BlackMatter ransomware is operated under the scheme called ransomware-as-service (RaaS). In RaaS, the ransomware developer (the one who creates the ransomware custom exploit code) works with affiliates – a different kind of cyberattackers who have existing access to corporate networks.

In a public advertisement posted on the underground forum Exploit, BlackMatter said it wants to buy access to corporate networks in the U.S., Canada, Australia, and Great Britain.

The group further said that it’s willing to pay $3,000 to $100,000 per network, provided the network passed the following criteria:

• Corporate revenue is $100 million or more
• Corporate network contains 500-15,000 devices
• Network hasn’t been previously targeted by other threat actors.

To signify that it's serious about its offer, BlackMatter has deposited 4 bitcoins ($256,000) on the forum Exploit.

“The [BlackMatter] ransomware is provided for several different operating systems versions and architectures and is deliverable in a variety of formats, including a Windows variant with SafeMode support (EXE / Reflective DLL / PowerShell) and a Linux variant with NAS support: Synology, OpenMediaVault, FreeNAS (TrueNAS). According to BlackMatter, the Windows ransomware variant was successfully tested on Windows Server 2003+ x86/x64 and Windows 7+ x64 / x86,” Recorded Future reported. “The Linux ransomware variant was successfully tested on ESXI 5+, Ubuntu, Debian, and CentOs. Supported file systems for Linux include VMFS, VFFS, NFS, VSAN.”

On BlackMatter website, the group said it doesn't attack hospitals, critical infrastructure, oil and gas industry, defense industry, non-profit companies, and government sector.

According to the joint cybersecurity advisory by CISA, FBI, and NSA, since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two food and agriculture sector organizations in the U.S., and have demanded ransom payments ranging from $80,000 to $15,000,000 in cryptocurrencies Bitcoin and Monero.

In September 2021, BlackMatter attacked the U.S. farmers cooperative NEW Cooperative and demanded from the victim $5.9 million for the decryptor and for the non-publication of the stolen data. 

"Your website says you do not attack critical infrastructure,” a NEW Cooperative representative told BlackMatter during a negotiation chat (screenshots of the said negotiation chat were shared online). “We are critical infrastructure... intertwined with the food supply chain in the US. If we are not able to recover very shortly, there is going to be very very public disruption to the grain, pork, and chicken supply chain."

BlackMatter Ransomware Tactics, Techniques, and Procedures

The CISA, FBI, and NSA advisory said that sample of BlackMatter ransomware analyzed in a sandbox environment as well from trusted third-party reporting showed that BlackMatter ransomware uses the following tactics, techniques, and procedures:

• BlackMatter harvests credentials from Local Security Authority Subsystem Service (LSASS) memory using procmon.
• BlackMatter uses Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to discover all hosts in the Active Directory (AD).
• BlackMatter uses NtQuerySystemInformation to enumerate running processes.
• BlackMatter uses EnumServicesStatusExW to enumerate running services on the network.
• BlackMatter uses srvsvc.NetShareEnumAll MSRPC function to enumerate and SMB to connect to all discovered shares, including ADMIN$, C$, SYSVOL, and NETLOGON.
• BlackMatter uses legitimate remote monitoring and management software and remote desktop software, often by setting up trial accounts, to maintain persistence on victim networks.
• BlackMatter exfiltrates data.
• BlackMatter remotely encrypts shares via SMB protocol and drops a ransomware note in each directory.
• Rather than encrypting backup systems, BlackMatter wipes or reformats backup data stores and appliances.

Cybersecurity Best Practices

The CISA, FBI, and NSA advisory recommends the following cybersecurity defense tips against BlackMatter ransomware attacks:

• Use strong passwords for service account, admin accounts, and domain admin accounts.
• Use multi-factor authentication (MFA) for vital services, including webmail, virtual private networks (VPNs), and accounts that access critical systems.
• Keep all software up to date.
• Eliminate unnecessary access to administrative shares.
• Use a host-based firewall – a firewall installed on a server to monitor and control incoming and outgoing network traffic.
• Implement network segmentation to prevent the spread of ransomware.
• Disable command-line and scripting activities and permissions.
• Keep all backup data offline, encrypted, and immutable.
• Disable the storage of clear text passwords in LSASS memory.
• Disable or limit New Technology Local Area Network Manager (NTLM) and WDigest Authentication.

Microsoft recently revealed that one of its Azure customers was hit by a 2.4 Tbps distributed denial-of-service (DDoS) attack last August.

In the blog post “Business as usual for Azure customers despite 2.4 Tbps DDoS attack,” Amir Dahan Senior Program Manager at Microsoft’s Azure Networking said the 2.4 Tbps DDoS attack is 140 percent higher than 2020’s 1 Tbps attack and higher than any network volumetric event previously detected on Azure.

Dahan said the 2.4 Tbps DDoS attack on Azure infrastructure originated from approximately 70,000 sources and from multiple countries in the Asia-Pacific region, including Malaysia, Vietnam, Taiwan, Japan, and China, as well as from the United States.

“The attack vector was a UDP reflection spanning more than 10 minutes with very short-lived bursts, each ramping up in seconds to terabit volumes,” Dahan said. “In total, we monitored three main peaks, the first at 2.4 Tbps, the second at 0.55 Tbps, and the third at 1.7 Tbps.”

With the adoption of cloud services, Dahan said, “Bad actors, now more than ever, continuously look for ways to take applications offline.’

In the blog post "Azure DDoS Protection—2021 Q1 and Q2 DDoS attack trends," Alethea Toh Program Manager at Microsoft’s Azure Networking reported that the first half of 2021 saw a sharp increase in DDoS attacks on Azure resources per day. Toh said Microsoft’s Azure mitigated an average of 1,392 DDoS attacks per day in the first half of 2021, the maximum reaching 2,043 attacks on May 24, 2021.

“In total, we mitigated upwards of 251,944 unique [DDoS] attacks against our global infrastructure during the first half of 2021,” Toh said.

Toh added that in the first half of 2021, the average DDoS attack size was 325 Gbps, with 74 percent of the attacks being 30 minutes or less and 87 percent being one hour or less.

In 2020 Google, meanwhile, revealed a 2.5 Tbps DDoS attack on its infrastructure. In the blog post “Exponential growth in DDoS attack volumes,” Damian Menscher, Security Reliability Engineer at Google, said that Google’s infrastructure was hit by a 2.5 Tbps DDoS attack in September 2017. This 2.5 Tbps DDoS attack on Google infrastructure, Menscher said, was a culmination of a six-month campaign that utilized multiple methods of attack, simultaneously targeting Google’s thousands of IPs.

“The attacker used several networks to spoof 167 Mpps (millions of packets per second) to 180,000 exposed CLDAP, DNS, and SNMP servers, which would then send large responses to us,” Menscher said.

Top Attack Vectors

DDoS is a type of cyberattack that floods targets with gigantic traffic volumes with the aim of choking network capacity.

“While UDP attacks comprised the majority of attack vectors in Q1 of 2021, TCP overtook UDP as the top vector in Q2,” Toh of Microsoft's Azure said. “From Q1 to Q2, the proportion of UDP dropped from 44 percent to 33 percent, while the proportion of TCP increased from 48 percent to 60 percent.”

According to Toh, in Q1 of 2021, a total of 33% attack vectors came from UDP flood, 24% from TCP other flood, 21% from TCP ACK flood, 11% from UDP amplification, 7% from IP protocol flood, 3% from TCP SYN flood.

For Q2 of 2021, Toh said, a total of 23% attack vectors came from UDP flood, 29% from TCP other flood, 28% from TCP ACK flood, 10% from UDP amplification, 6% from IP protocol flood, and 3% from TCP SYN flood.

In January, Toh said, Microsoft Windows servers with Remote Desktop Protocol (RDP) enabled on UDP/3389 were being abused to launch UDP amplification attacks, with an amplification ratio of 85.9:1 and a peak at approximately 750 Gbps.

In February, Toh said, video streaming and gaming customers were getting hit by Datagram Transport Layer Security (D/TLS) attack vector which exploited UDP source port 443.

In June, Toh said, reflection attack iteration for the Simple Service Delivery Protocol (SSDP) emerged. SSDP normally uses source port 1900. The new mutation, Toh said, was either on source port 32414 or 32410, also known as Plex Media Simple Service Delivery Protocol (PMSSDP).

Cybersecurity Best Practices

Organizations with internet-exposed workloads are vulnerable to DDoS attacks. Some DDoS attacks focus on a specific target from application layer (web, DNS, and mail servers) to network layer (routers/switches and link capacity). Some DDoS attackers may not focus on a specific target, but rather, attack every IP in your organization’s network.

Microsoft and Google have their own DDoS mitigating measures that can absorb multi-terabit DDoS attacks. On the part of Google, the company said it reported thousands of vulnerable servers to their network providers, and also worked with network providers to trace the source of the spoofed packets so they could be filtered.

Small and medium-sized organizations can now avail of a DDoS protection solution that can absorb multi-terabit DDoS attacks. Today’s DDoS protection solution operates autonomously, without human intervention. Failure to protect your organization’s resources from DDoS attacks can lead to outages and loss of customer trust.

We can also help in preventing DDoS attacks from happening by ensuring that our computers and IoT devices are patched and secured.

2 ‘Prolific’ Ransomware Operators Arrested in Ukraine

Europol has announced the arrest of two “prolific” ransomware operators known for extorting ransom demands between $6 million to $81 million.

In a statement, Europol said that the arrest of the two ransomware operators last September 28th in Ukraine was a coordinated strike by the French National Gendarmerie, the Ukrainian National Police, and the United States Federal Bureau of Investigation (FBI), with the coordination of Europol and INTERPOL.

The arrest of the two ransomware operators, Europol said, led to the seizure of $375,000 in cash, seizure of two luxury vehicles worth $251,000, and asset freezing of $1.3 million in cryptocurrencies.

The arrested individuals, Europol said, are part of an organized ransomware group suspected of having committed a string of ransomware attacks targeting large organizations in Europe and North America from April 2020 onwards.

The group’s modus operandi, Europol said, includes deployment of malicious software (malware), stealing sensitive data from target companies before encrypting these sensitive files.

After data encryption and stealing of data, Europol further said, the group then offers a decryption tool in exchange for a ransom payment. When ransom demand isn’t met, Europol added, the group threatens to leak the stolen data on the dark web.

Authorities refused to give the names of the two arrested individuals. The name of the ransomware group wasn’t disclosed as well.

Disrupting Ransomware Operations

In June 2021, the Cyber Police Department of the National Police of Ukraine arrested six members of the Clop ransomware group. Computer equipment, cars, and about $185,000 in cash were confiscated by the authorities.

“Together, law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrencies,” the Cyber Police Department of the National Police of Ukraine said in a statement.

According to the Cyber Police Department of the National Police of Ukraine, the Clop ransomware group is responsible for $500 million worth of damages worldwide. The arrest of the six members of the Clop ransomware group was a joint operation from law enforcement agencies in Ukraine, South Korea, and the United States.

A few days after the arrest of the six members of the Clop ransomware group, the group claimed other victims, showing that the arrest of the members didn’t disrupt the operation of the Clop ransomware group. 

In February 2021, French and Ukrainian law enforcement agencies arrested in Ukrain several members of the Egregor ransomware group. Trend Micro, in a statement, said that the arrest of several members of the Egregor ransomware group was made possible, in part, of its assistance.

“Since its first appearance in September 2020, Egregor ransomware has been involved in high-profile attacks against retailers, human resource service companies, and other organizations,” Trend Micro said. “It operated under the ransomware-as-a-service (RaaS) model where groups sell or lease ransomware variants to affiliates, making it relatively easier even for inexperienced cybercriminals to launch attacks. Like some prominent ransomware variants, Egregor employs a ‘double extortion’ technique where the operators threaten affected users with both the loss and public exposure of the encrypted data.”

Ransomware

Ransomware is a persistent and rapidly evolving cybersecurity problem. Ransomware, in general, is a malware that’s traditionally meant to encrypt victim files – preventing victims from accessing their files. After data encryption, attackers then demand from victims ransom payment in exchange for the decryption tool that purportedly could unlock the encrypted files.

Early ransomware attackers demand from their victims to pay only one ransom payment, that is, for the decryption tool. Today’s ransomware attackers demand from their victims two ransom payments, also known as double extortion, one for the decryption tool and the second for the non-publication of the stolen data exfiltrated prior to data encryption.

Clop ransomware enters the victims’ networks through any of the following methods:

. Phishing emails sent to employees of the target organization

. Remote Desktop Protocol (RDP) compromise via brute-force attacks

. Exploitation of known software security vulnerabilities

Similar to Clop ransomware, Egregor ransomware enters the victims’ networks through phishing emails sent to employees of the target organization and RDP compromise. Egregor ransomware has also been known to access victims’ networks through VPN exploits.

Many of today’s notorious ransomware programs are operated under the ransomware-as-a-service (RaaS) model. In a RaaS model, the ransomware developer sells or leases the ransomware program to affiliates who are responsible for spreading the ransomware and generating infections. The developer takes a percentage of the ransom payment and provides the affiliates share of the ransom payment. 

Cybersecurity Best Practices

Here are some of the cybersecurity best practices in preventing or mitigating the effects of ransomware attacks:

. Avoid clicking on links and downloading attachments in emails from questionable sources

. Keep all software up to date

. Protect RDP servers with strong passwords, multi-factor authentication (MFA), virtual private networks (VPNs), and other security protections

. Implement the 3-2-1 backup rule: Make three copies of sensitive data, two copies should be in different formats, and keep one duplicate should be kept offsite.

DDoS Attackers Target VoIP Providers

Over the past few weeks, Voice over Internet Protocol (VoIP) providers have been targeted by distributed denial-of-service (DDoS) attackers.

DDoS is a form of cyberattack that often uses a botnet to attack one target. A botnet is a group of infected computers, including Internet of Things (IoT), and controlled by attackers for malicious activities such as DDoS attacks.

VoIP, meanwhile, refers to a technology that allows voice calls over an Internet connection instead of the traditional analog phone line. As VoIP uses the Internet and requires servers, portals, and gateways to be publicly accessible, this technology is a prime target of DDoS attackers.

In DDoS attacks against VoIP providers, attackers will flood VoIP servers, portals, and gateways with requests, making VoIP services unavailable to legitimate users.

Recent Attacks Against VoIP Providers

On August 31, 2021, London-based Voipfone disclosed that it was under DDoS attack.

"We have identified a further DDoS attack, we will post updates as the situation develops,” Voipfone said in a statement. “Our team is working extremely hard to address the ongoing issues that are currently affecting our network. We sincerely apologize for the disruption this must be causing you, and fully understand how frustrating this must be.”

A week after the intermittent DDoS attacks, Voipfone said it has fully resolved the DDoS attacks.

On September 16, 2021, Montreal-based VoIP.ms became the victim of a DDoS attack. On its website, VoIP.ms said it serves 80,000 customers in 125 countries.

“We have identified a large-scale Distributed Denial of Service (DDoS) attack which has been directed at our DNS and POPs,” VoIP.ms said in a statement posted on its website. “Our team is deploying continuous efforts to profile incoming attacks and mitigate them as best they can. We apologize for the inconvenience caused and thank you for your patience while we work on resolving the issue.”

The DDoS attack against VoIP.ms targeted the company’s DNS name servers. In the absence of DNS, VoIP.ms advised customers to configure their HOSTS file to point the domain at their IP address to bypass DNS resolution. In response, the attackers launched DDoS attacks directly at that IP address. To mitigate the DDoS attacks, VoIP.ms moved their website and DNS servers to Cloudflare.

As of September 28th, VoIP.ms said on its Twitter account that it’s advancing towards a more stable and secure network. The company, however, said that its main US carrier is still experiencing issues in their network which is impacting their clients all across North America.

On September 28, 2021, another VOIP provider admitted that it’s under DDoS attack. “Bandwidth and a number of critical communications service providers have been targeted by a rolling DDoS attack,” Bandwidth CEO David Morken, in a statement, said. “While we have mitigated much intended harm, we know some of you have been significantly impacted by this event. For that I am truly sorry.”

North Carolina-based Bandwidth said on its website that it provides local VoIP phone numbers together with outbound and inbound calling, powering popular platforms including Microsoft Teams/Skype for Business, Zoom Phone, and Google Voice. Bandwidth also serves as an upstream provider for VoIP vendors such as Accent.

“The upstream provider continues to acknowledge the DDoS attack is impacting their network and they are actively working to mitigate its effects,” Accent said in a statement. “Accent is seeing a limited impact to inbound calling for our services for certain phone numbers. We will continue to monitor the situation and update the status as appropriate.”

Ransom DDoS Attacks

A threat actor using the name “REvil” claimed responsibility in the VoIP.ms DDoS attack. The ransom note to VoIP.ms was posted on Pastebin. This ransom note has since been removed from Pastebin. REvil also posted updates about VoIP.ms DDoS attack on Twitter. These updates have since been removed from Twitter.

REvil demanded one bitcoin from VoIP.ms. After a failed negotiation, REvil raised the ransom demand to 100 bitcoins.

REvil originally refers to a threat group behind a number of high-profile ransomware attacks. On July 13, 2021, this group stopped its operation. In September 2021, the group resumed its ransomware operations. The original REvil group, however, hasn’t been known to launch DDoS attacks and publicly demanding ransom out of DDoS attacks.

To date, there’s no report of whether Voipfone and Bandwidth received a ransom demand similar to the one received by VoIP.ms.

Ransom DDoS (DDoS) attacks have been around for years. RDDoS attack occurs when a malicious actor extorts money from a target by threatening the target with a DDoS attack.

Threat actors may carry out a DDoS attack first and then followed by a ransom note. Another approach by threat actors is giving the ransom note first and then followed by a DDoS attack. In the last approach, the ransom note may be an empty threat with the threat actor not really capable of launching an actual DDoS attack. However, there’s a possibility that the DDoS threat is a real thing.

Paying the ransom gives ransom DDoS victims false hope that the attack will stop. Paying the ransom can only make your organization the subject of future DDoS attacks as the attackers know that your organization is willing to pay ransom. 

What Is Phishing-As-A-Service and How to Protect Your Organization

Microsoft 365 Defender Threat Intelligence Team recently published their findings on a large-scale phishing-as-a-service operation called “BulletProofLink.”

What Is Phishing-as-a-Service?

Phishing-as-a-service follows the software-as-a-service model in which cybercriminals pay an operator to launch an email-based phishing campaign. 

In an email-based phishing campaign, the target receives an email from a seemingly legitimate origin. The email, however, is a malicious one, masquerading as coming from a legitimate source. Clicking a link on this malicious email will lead to a compromised or fake website. The login details entered by the target who believes he or she is logging into a legitimate website will then be harvested for criminal activities.

BulletProofLink

BulletProofLink, also known as BulletProftLink and Anthrax, is an example of a phishing-as-a-service. This phishing-as-a-service was first reported by OSINT Fans in October 2020. According to OSINT Fans, the phishing campaign launched by BulletProofLink started with a phishing email impersonating a Sydney-based accounting firm. The email looked legitimate, with no sign of broken English or a spoofed email sender.

Inside this email is the Remittance Advice receipts.pdf link. Clinking this link, OSINT Fans said, leads to a pixel-perfect clone of the Microsoft 365 login page. “If a victim enters their password on this page, the login credentials are sent straight to the criminals rather than Microsoft,” OSINT Fans said.

In the blog post “Catching the big fish: Analyzing a large-scale phishing-as-a-service operation,” Microsoft 365 Defender Threat Intelligence Team said BulletProofLink offers phishing-as-a-service at a relatively low cost, offering a wide range of services, including email templates, site templates, email delivery, site hosting, credential theft, credential redistribution, and "fully undetected" links/logs.

Microsoft 365 Defender Threat Intelligence Team said BulletProofLink has over 100 available phishing templates that mimic known brands and services. The BulletProofLink operation, the Team said, is responsible for many of the phishing campaigns that impact enterprises today.

The Team also reported that BulletProofLink used a rather high volume of newly created and unique subdomains – over 300,000 in a single run. The Team added that BulletProofLink is used by multiple attacker groups in either one-off or monthly subscription-based business models, creating a steady revenue stream for BulletProofLink’s operators.

BulletProofLink’s monthly service costs as much as $800, while the one-time hosting link costs about $50 dollars. The common mode of payment is Bitcoin.

Infinite Subdomain Abuse

According to Microsoft 365 Defender Threat Intelligence Team, the operators behind BulletProofLink use the technique, which the Team calls “infinite subdomain abuse.” The Team said infinite subdomain abuse happens when attackers compromise a website’s DNS or when a compromised site is configured with a DNS that allows wildcard subdomains.

Microsoft 365 Defender Threat Intelligence Team said infinite subdomain abuse is gaining popularity among attackers for the following reasons:

“It serves as a departure from previous techniques that involved hackers obtaining large sets of single-use domains. To leverage infinite subdomains for use in email links that serve to redirect to a smaller set of final landing pages, the attackers then only need to compromise the DNS of the site, and not the site itself.

“It allows phishing operators to maximize the unique domains they are able to use by configuring dynamically generated subdomains as prefix to the base domain for each individual email.

“The creation of unique URLs poses a challenge to mitigation and detection methods that rely solely on exact matching for domains and URLs.”

Double Theft

Microsoft 365 Defender Threat Intelligence Team said that BulletProofLink's phishing-as-a-service is reminiscent of the ransomware-as-a-service model. Today’s ransomware attacks involve, not just data encryption, but exfiltrating or stealing data as well. In a ransomware-as-a-service scenario, the ransomware operator doesn’t necessarily delete the stolen data even if the ransom has already been paid.

In both ransomware and phishing, Microsoft 365 Defender Threat Intelligence Team said that operators supplying resources to facilitate attacks maximize monetization by assuring stolen data are put to use in as many ways as possible. Victims’ credentials, the Team said, are likely to end up in the underground economy. “For a relatively simple service, the return of investment offers a considerable motivation as far as the email threat landscape goes,” Microsoft 365 Defender Threat Intelligence Team said.

Cybersecurity Best Practices

To protect Microsoft 365 users from phishing-as-a-service operations, Microsoft 365 Defender Threat Intelligence Team recommends the following cybersecurity best practices:

• Use anti-phishing policiesto enable mailbox intelligence settings
• Configure impersonation protection settings for specific messages and sender domains
• Enable SafeLinksto ensure real-time protection by scanning at time of delivery and at time of click
• Secure the Azure AD identity infrastructure
• Enable multifactor authentication
• Block sign-in attempts from legacy authentication