Threat Briefing: May 24, 2023

The rapid development of new malware variants and ransomware-as-a-service is increasing the ability of cyber actors to launch cyber attacks, making detection and attribution a challenge for organizations. Additionally, cyber actors are increasing their focus on cloud environments, presenting additional attack vectors for cyber actors to exploit. The release of a new #STOP Ransomware guide by the U.S. government is a good reminder of the importance of both developing plans to detect, mitigate, and respond to a cyber incident and highlights the importance of continuing to build a strong cyber defensive posture to prevent all types of cybersecurity attacks.

LockBit Ransomware Leaks 1.5 TB of Data from Indonesian Bank, the data leaked includes personal information on bank employees as well as financial account information for approximately 15 million customers at Bank Syariah Indonesia, the largest Islamic Bank in Indonesia. Once the ransomware attack was discovered several of the banks services were unavailable starting May 8th as the bank took steps to remediate the activity and was able to reopen ATM and bank branch services several days later. The LockBit ransomware actors also released details of the conversations between the bank employees and the LockBit group, which demanded a $20 million ransom, however the bank only offered to pay a $10 million ransom. Bank Info Security

Cybercriminal Group FIN7 Deploys CL0P Ransomware, First Ransomware Attack by FIN7 Since 2021, the group has utilized a variety of other ransomware variants in previous attacks such as LockBit, Black Basta and REvil. To deploy CL0P, FIN7 has utilized a PowerShell script to a post-exploitation tool to gain access to a victim network. FIN7 has been increasing the use of ransomware to make money as the group has shifted from attacks focused on payment card data theft. The Hacker News

Newly Identified Ransomware Group Uses Leaked Ransomware Code to Conduct Attacks, Resulting in Theft of 2.5TB of Data Since April 2023, the ransomware group known as RA Group, has used the leaked source code for the Babuk ransomware variant to conduct ransomware attacks against entities in the U.S. and South Korea. As a result of the attacks, it has stolen approximately 2.5 TB of data from four victims since the group was first identified in April of 2023, with victims in the industry and financial services sector, as well as an electronics supplier. RA Group gives victims three days to pay the ransom before a sample of data is leaked online and will publish the data after seven days if no ransom is paid. CyberScoop

Cyber Actors Utilizing Qilin’s Ransomware-as-a-Service Receive Approximately 80% of Ransomware Payment, Qilin was first identified in August 2022 and has been utilized to attack education, healthcare, and other critical infrastructure sectors since its launch and victims have been identified in the U.S., Australia, U.K., Brazil, and Canada. Qilin provides cyber actors utilizing its service an administrative panel to coordinate and support ransomware attacks. Since its launch in 2022, Qilin has leaked data for 12 victims on its data leak site. The Hacker News

Tennessee and George Colleges Victims of Ransomware Attacks During Final Weeks of Semester, Chattanooga State Community College was the victim of a ransomware attack resulting in the cancelation of classes and impacted student services such as financial aid, bill payment, and transcript requests. Mercer University in Georgia also suffered an attack, with the Akira ransomware group claiming responsibility for the attack and, which resulted in the loss of data from the university. Akira had previously other schools, with an attack on a community college in West Virginia the weak before. The Record

Founder of Skynet Market, a Darknet “Carding” Site Pleads Guilty to Selling Stolen Financial Information, Michael Mihalo, was the creator of Skynet Market, and also sold financial information on other Darknet sites such as AlphaBay Market, Hansa Market, and Wall Street Market. Between February 2016 and October 2019, Mihalo sent or received information on over 49,000 stolen cards and earned approximately $1 million in cryptocurrency as proceeds of his activity. U.S. Department of Justice

Indonesian-Based Cybercriminal Group Compromising AWS Cloud Servers to Mine for Cryptocurrency, the group being tracked as GUI-vil, leverages known vulnerabilities to engage in remote code execution on GitLab instances or exploits AWS keys in publicly exposed code repositories. Once GUI-vil actors gain access to a victims AWS account, they create new user profiles and establish an EC2 instance to mine for cryptocurrency. The Hacker News

BEC Actors Purchasing Locally Generated IP Addresses to Bypass Security Detection Alerts, by doing so the BEC actors are able to mitigate security detection rules that flag activity if a user engages in activity at two different locations in a short time in which travel between the two locations would be difficult. BEC actors based in Asia or Eastern Europe were identified as being frequent users of this technique to engage in BEC attacks. Locally Generated IP services such as BulletProftLink, offer industrial-scale capabilities to generate residential IPs, allowing cyber actors to launch BEC attacks. Microsoft Security

Cyber Actors Engage in VIP Invoice Authorization Fraud to Defraud Businesses, cyber actors craft a fraudulent email to an employee of the victim organization for an invoice to be paid, and then the cyber actors reply to the email pretending to be the employee’s boss, increasing the legitimacy of the fraudulent email. Impersonating both a trusted vendor and the boss of an employee can increase the urgency to pay the fraudulent invoice. Armorblox

Cybercriminal Group 8220 Gang Exploits 2017 Vulnerability to Gain Access to Victim Systems and Distribute Cryptocurrency Mining Malware, 8220 Gang is known for utilizing port 8220 for C2 network communications. The group has exploited CVE-2017-3506 to engage in the execution of arbitrary commands remotely and then deploy various PowerShell payloads to disable a Windows security feature and download a crypto mining payload. The Hacker News

Former Employee of New York-based Technology Company Sentenced for Scheme to Extort Employer and Cover Up Details of Security Breach, in December 2020 the employee stole gigabytes of his employer’s data and then posed as an anonymous hacker to cover up the breach. The employee extorted the company for $2 million in order to return the files and engaged in actions resulting in misleading news articles being published about the company. The individual also posed as a whistleblower to report the security incident, claiming the company had been attacked by a cyber actor, resulting in the company’s stock price to sharply decline. U.S. Attorney’s Office, Southern District of New York

Congress Passes Legislation Expanding CISA’s Portfolio of Responsibilities, under the legislation CISA would be required to create voluntary cybersecurity recommendations for space and develop a commercial public satellite system clearinghouse. Additionally, CISA would be required to engage with the open source community and create a framework to asses the risk of open source software components used by federal agencies, and was developed in response to the Log4Shell vulnerability. Congress also passed legislation to develop a pilot civilian cyber reserve program for incident response and to identify potential DHS employees to be converted into cybersecurity positions. CyberScoop

U.S. Government Charges Russian National for Ransomware Attacks Victims in Multiple Critical Infrastructure Sectors in the U.S., as of 2020 Mikhail Matveev allegedly participated in multiple conspiracies to deploy three different ransomware variants, LockBit, Babuk, and Hive. The victims were in the education, healthcare, government, and law enforcement sector and paid approximately $200 million in ransoms since 2020. Several of the victims also had data stolen and were extorted to pay the ransom amount or risk having their stolen data published. The U.S. Treasury Department also sanctioned Matveev for his role in engaging in ransomware attacks against critical infrastructure sector entities in the U.S. U.S. Department of Justice

Meta Fined $1.3 Billion Over Data Transfers to the U.S. in Violation of the General Data Protection Regulation, the Irish Data Protection Commission led the investigation into Meta and discovered Meta had illegally transferred data to the U.S. on citizens of the European Union. The initial investigation into Meta’s violation of the GDPR began almost a decade ago, and has involved multiple legal proceedings. Meta has been instructed to delete or repatriate the data back to Europe by November 2023. However, the U.S. and European Union are currently working on a new law regarding a data sharing agreement which could address similar data transmission concerns in the future. The Record

U.K. Citizen Pleads Guilty to Multiple Cyber Crimes After Extradition to the U.S., the individual was extradited from Spain in April 2023, and was engaged in several schemes to engage in SIM swapping to gain access to social media accounts and gain access to a New York-based cryptocurrency company. After engaging in a SIM swap attack, the individual and his co-conspirators were able to gain access to the accounts of a cryptocurrency company’s computer systems and steal approximately $794,000 in cryptocurrency and then laundered it through multiple cryptocurrency exchanges.. Additionally, the individual compromised multiple social media accounts and his the access to engage in fraud schemes and also threatened to release sensitive data obtained as a result of the compromise of the social media accounts. U.S. Department of Justice

U.S. Government Releases Updated #StopRansomware Guide, the guide was prepared by the Joint Ransomware Task Force, a joint effort by members of the U.S. government, and is an update to a ransomware guide previously released by the U.S. government in September 2020. The updated version includes new recommendations to address initial infection vectors, address zero trust architecture, and also addresses CISA’s Cross-Sector Cybersecurity Performance Goals. The guide is split into two parts: one focused on best practices for prevented and mitigated ransomware threats and the second part focused on responding to a ransomware attack. CISA

Increase in Malware Development Resulting in Identification of a New Malware Variant Every Minute, based on data collected and analyzed by BlackBerry from December 2022 through February 2023, identified over 200,000 unique malware samples during the time frame, which breaks down to 1.5 new malware variants being identified each minute. Cyber actors launch an average of 12 attacks a minute, which translated to over 17,000 samples a day during the three-month period BlackBerry analyzed. Over 50 percent of malware attacks were identified in the U.S., with Japan, Canada, Brazil and Mexico rounding out the top 5 destinations for new malware variants. BlackBerry

Capabilities in Microsoft Teams Could Be Exploited to Deliver Malware or Phish Users, throughout the second half of 2022, Teams was one of the top targeted sign-in applications, with approximately 40% of organizations having one unauthorized login attempt. If a cyber actor gains access to an organization’s Teams platform, they can utilize the website tab feature to direct users to a credential phishing page or deliver malware, as the tab does not show users the website URL, obfuscating where users are being directed. Teams meeting invites can also be changed to redirect users to malicious websites. ProofPoint

Apple Removes Approximately A Half-Million Developer Accounts Due to Fraud, and blocked over 100,000 Apple Developer Program enrollments, while also preventing approximately $2 billion in fraudulent transactions during 2022. Apple also prevented approximately 1.7 million apps with privacy violations, undocumented capabilities, or misleading features from being released. Furthermore, 282 million customer accounts were disrupted for engaging in fraud and 147 million fraudulent reviews or ratings were blocked. Dark Reading

Golang Variant of Cobalt Strike Used to Compromise Apple’s macOS System, the variant called Geacon was originally released in 2020. Two newer versions were released in October by two Chinese developers. One of the versions, geacon_pro, was identified in March 2023 as being able to bypass Microsoft Defender. Recently, an increase in Geacon payloads has been identified in VirusTotal. The Hacker News

Four Nations Join NATO’s Cooperative Cyber Defense Center of Excellence, the new members include Iceland, Ireland, Japan and Ukraine, bringing the total to over 30 countries now a part of the Cooperative Cyber Defense Center for Excellence (CCDCOE). Japan joins other non-NATO countries, such as Australia and South Korea, who have joined the CCDCOE, which unites countries to share cyber knowledge and address cyber-attacks. The CCDCOE was founded in 2008, following a cyber attack on Estonia by Russia. The Record

Increased Malicious Cyber Activity Against Taiwan Likely A Result of Tensions between China and Taiwan, the increased activity has included an uptick in the delivery of malware and also the theft of sensitive information, and has focused heavily on the networking, logistics, and manufacturing industries. There has also been a significant increase in detections of PlugX, a remote access trojan used by multiple Chinese threat actors as a backdoor to Windows systems in order to control victims’ machines. The spike in activity occurred over a roughly week-long period in early April 2023. The Hacker News

Russian Individual Sentenced to Three Years Imprisonment for Engaging in Pro-Ukraine DDos Attacks Against Russian Government, the attacks occurred in February 2022 and were directed against the websites for the Russian President and the Russian Ministry of Defense. The sentence by the Russian government may represent a warning sign for other pro-Ukraine hackers living in Russia. The Record

Employment Scam Resulting in Labor Trafficking in Southeast Asia, Victims Forced to Participate in Cryptocurrency Fraud Schemes, individuals, primarily in Asia have responded to fraudulent job advertisements for call center customer service representatives, tech support personnel, or beauty salon technicians. Once victims accept a job, they are sent to a foreign country where their travel documents are confiscated and threats of violence are used to coerce victims to work at compounds engaging in cryptocurrency investment fraud schemes. Victims are forced to work to pay back debts to their traffickers, with travel fees and room and board of the victims being considered debts. Labor traffickers will sometimes sell victims or transfer victims to other compounds. FBI

China to Ban U.S.- Manufactured Micron Computer Chips on Key Infrastructure Projects Due to “National Security Risks”, the decision follows an investigation by the Chinese government to assess network security risks to China’s national critical information infrastructure. China has indicated the results of their investigation identified cybersecurity concerns that violate Chinese laws and regulations, but did not indicated specific cybersecurity vulnerabilities with Micron’s products. The Hacker News

U.S. Government Sanctions 22 Individuals and 104 Entities in 20 Countries for Supporting Sanction Evasion by Russian Individuals, the sanctions include the use of cryptocurrency to evade U.S. sanctions on Russian individuals. One of the newly-sanctioned individuals has helped Russian nationals obtain fraudulent passports as well as move money out of Russia and into the U.A.E, and worked for a company specializing in citizenship by investment services. Chainalysis

Content from this threat briefing was provided by Nelnet’s CyberSecurity Threat Intel.