Threat Briefing: February 9, 2024

This week has seen the emergence of two significant news stories: First, the revelation that ransomware payments surged beyond $1 billion in 2023, marking a record high. Second, reports indicate that Chinese cyber actors are actively targeting the computer systems of critical infrastructure entities, particularly in anticipation of potential conflict with the U.S.

These narratives shed light on different facets of cyber activity: On one hand, cyber threat actors are driven by financial motives, consistently escalating their gains each year. On the other hand, these actors demonstrate patience, aiming to maintain persistent access to systems to leverage it for future purposes.

Consequently, cybersecurity teams face the dual challenge of addressing immediate threats while also safeguarding against potential long-term vulnerabilities that could grant adversaries prolonged access. Regardless of their specific objectives, cyber threat actors perpetually seek out weaknesses within victim networks. It is imperative for cybersecurity teams to collaborate effectively in order to fortify their collective defenses against such threats.

Ransomware Payments Received by Cyber Actors Exceed $1 Billion in 2023 – This marks the highest sum ever garnered by ransomware actors. Throughout 2023, a staggering 538 ransomware variants were detected, including several iterations derived from existing strains. There was a notable uptick in payments exceeding $1 million. Subsequently, a significant portion of these ransom proceeds finds its way to sanctioned entities, cross-chain bridges, and gambling services. Chainalysis

Chinese Cyber Actors Likely Pre-Positioning to Engage in Cyber Attacks According to U.S. and Allied Governments – The Chinese cyber group known as Volt Typhoon has been discovered targeting organizations within the communication, water, energy, and transportation sectors across both mainland and non-mainland United States territories. Volt Typhoon is implicated in the theft of data from operational technology systems and has managed to infiltrate the information technology networks of certain entities for up to five years. Their method of operation often involves exploiting vulnerabilities present in public-facing network devices, with a primary objective of acquiring administrator credentials to sustain access to victim networks. The Record

Iranian Sponsored Cyber Actors Increasing Scale and Scope of Cyber Operations Since Start of Israel-Hamas Conflict – Microsoft has observed a rise in the count of Iranian cyber groups under surveillance, growing from nine to 14. Iran has intensified its efforts in conducting influence operations against Israel, leveraging artificial intelligence to bolster these activities. Iran has extended its cyber attacks to include targets in additional countries. Microsoft

Operator of Unlicensed Money Service Business Used to Launder Proceeds from Cybercrime Indicted by U.S. – Aliaksandr Klimenka allegedly operated BTC-e, a digital currency exchange and two other companies, which operated in the U.S. BEC-e was allegedly utilized to launder proceeds from ransomware scams, identity theft schemes, tax refund fraud schemes and other illicit activity. Klimenka was previously arrested in Latvia in 2023 and extradited to the United States. U.S. Department of Justice

New Banking Trojan Affects Customers of 61 Financial Institutions in Brazil – The trojan called Coyote, uses the Nim programming language. Once launched, Coyote will take screenshots, display fake overlays, and capture keystrokes. Coyote also utilizes an open-source tool called Squirrel to help mask its functionality. Dark Reading

Credential Stealing Malware Distributed Through Malicious Facebook Advertisements – The Ov3r_Stealer is used to steal account credentials and cryptocurrency wallet apps, as well as data from browser extensions. The malware is distributed through fake job advertisements about a digital advertising role on Facebook. Once the data has been collected, it is exfiltrated to a Telegram bot. Bleeping Computer

Office of National Cyber Director (ONCD) Reviewing Options to Increase Accountability on Software Manufacturers – The ONCD is researching how to develop different “liability regimes” and pinpointed issues with memory safety bugs and memory safe coding languages. Additionally, the ONCD is working to encourage code developers in the private and public sectors to ensure software design secure by design approaches. The Record

U.S. Will Implement New Policy to Restrict Visas for People Linked to Abusing Spyware – The policy will be focused on individuals engaged in “developing, directing, or operationally controlling companies that furnish technologies such as commercial spyware to governments, or those acting on behalf of governments, that engage in activities.” However, the U.S. government is still working to finalize details of the policy and has previously sanctioned several companies providing commercial spyware that has been utilized globally. The Record

Representatives from Foreign Countries and Technology Companies Meet to Discuss Commercial Cyber Tools Used for Surveillance – The conference resulted in a joint statement agreeing to boost action against the misuse of spyware. The market for commercial surveillance tools has doubled every 10 years according to the U.K.’s National Cyber Security Centre. These tools can be utilized to monitor calls, remotely operate a camera in a phone, and access photos. Security Week