Tag Archive for: Focus

Financially Motivated UNC3944 Threat Actor Shifts Focus to Ransomware Attacks


Sep 18, 2023 | THN | Threat Intelligence / Ransomware


The financially motivated threat actor known as UNC3944 is pivoting to ransomware deployment as part of an expansion to its monetization strategies, Mandiant has revealed.

“UNC3944 has demonstrated a stronger focus on stealing large amounts of sensitive data for extortion purposes and they appear to understand Western business practices, possibly due to the geographical composition of the group,” the threat intelligence firm said.

“UNC3944 has also consistently relied on publicly available tools and legitimate software in combination with malware available for purchase on underground forums.”

The group, also known by the names 0ktapus, Scatter Swine, and Scattered Spider, has been active since early 2022, adopting phone-based social engineering and SMS-based phishing to obtain employees’ valid credentials using bogus sign-in pages and infiltrate victim organizations, mirroring tactics adopted by another group called LAPSUS$.


While the group originally focused on telecom and business process outsourcing (BPO) companies, it has since expanded its targeting to include hospitality, retail, media and entertainment, and financial services, illustrative of the growing threat.

A key hallmark of the threat actors is that they are known to leverage a victim’s credentials to impersonate the employee on calls to the organization’s service desk in an attempt to obtain multi-factor authentication (MFA) codes and/or password resets.

It’s worth noting that Okta, earlier this month, warned customers of the same attacks, with the e-crime gang calling the victims’ IT help desks to trick support personnel into resetting the MFA codes for employees with high privileges, allowing them to gain access to those valuable accounts.

In one instance, an employee is said to have installed the RECORDSTEALER malware via a fake software download, which subsequently facilitated credential theft. The rogue sign-in pages, designed using phishing kits such as EIGHTBAIT and others, are capable of sending the captured credentials to an actor-controlled Telegram channel and deploying AnyDesk.

The adversary has also been observed using a variety of information…


3 Reasons to Focus More on Cyber Resilience than Compliance


To say our country is at war with cyber criminals is an understatement.

The onslaught of attacks is relentless, and the numbers are staggering. Last year, 800,944 cybercrime-related complaints – or nearly 2,200 per day – were reported to the FBI’s Internet Crime Complaint Center. While the number of complaints dipped by five percent, the dollar value of potential losses skyrocketed 48 percent to $10.2 billion. 

It seems that each day we hear or read about a new breach at some of our country’s most venerable private and public sector institutions. In mid-June, for example, Russia-linked criminals breached several federal agencies. Among those agencies was the Department of Energy, which oversees our country’s nuclear weapons – and whose cyber defenses were breached two years earlier. 

Recognizing that our country is in an unending war, lawmakers have proposed more funding for cybersecurity for fiscal year 2024, earmarking $13.5 billion for the Pentagon and another $12.7 billion for other agencies. The recommended funding package includes $3.1 billion for the Cybersecurity and Infrastructure Security Agency, which would represent a modest $145 million bump in the agency’s current budget. 

That is a positive step forward, but here is the problem: Our federal government has a long history of being obsessed with compliance-related rules and regulations. That mindset thwarts progress for a couple of reasons.

  • First, our adversaries do not have compliance standards to meet. They only care about winning each battle and causing maximum harm.
  • Second, a compliance mindset is reactive rather than proactive. With each successful breach, policymakers seek to “fix” the problem through improved compliance. It is a slow and ineffective approach because by the time new standards are approved and implemented, threat actors have found other ways to bypass the new safeguards. There is a long and growing list of organizations that met compliance standards, yet fell prey to criminals.
  • Compliance is the lowest rung on the cybersecurity ladder that also includes maturity and, at the top, effectiveness. The obsession with compliance has another negative consequence….


Go-based HinataBot latest botnet to focus on DDoS attacks


A new Go-based malware is the latest botnet focused on distributed-denial-of-service (DDoS) attacks.

The malware apparently is named “Hinata” by the malware author after a character from the popular anime series Naruto.

In a blog post Thursday, Akamai researchers dubbed the new botnet “HinataBot.” The researchers said the threat actors behind HinataBot have been active since at least December 2022, but only began developing their own malware in mid-January 2023.

A sample of the malware was discovered in HTTP and SSH honeypots abusing weak credentials and old remote code execution vulnerabilities — one dating back almost a decade. The Akamai researchers said the infection attempts they observed include the exploitation of the minigd SOAP service on Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215), and exposed Hadoop YARN servers (CVE N/A).

When asked where the attacks were targeted, Allen West, a security researcher at Akamai, said they haven’t been able to observe attacks outside of launching them at themselves so far.

“Once the C2 is back up we will get a clearer picture of this,” said West. “As far as machines targeted for infection, we can only point to the technologies containing the vulnerabilities we saw them exploiting.”

Once again we see that so much is on the internet, mainly because people deploy services and forget about managing the infrastructure, said John Bambenek, principal threat hunter at Netenrich. In this case, we saw the exploitation of a vulnerability that was nearly 10 years old, said Bambenek.

“Attackers continue to find these resources and then use them to further attacks on other organizations,” said Bambenek. “A new DDoS botnet simply means more resources used by criminals to attempt to knock services offline. So, using DDoS protection services remains important because it’s only a growing attack particularly in a period of geopolitical and economic turmoil.”

Mike Parkin, senior technical engineer at Vulcan Cyber, added that malware authors doing more work in the Go language is a case of them “picking the right tool for the job.” 

“Go has become best known for its ability to cross-compile for different architectures…


It’s time to focus on information warfare’s hard questions


Written by Gavin Wilde

In 2016, Russia sparked our current era’s obsession with online information operations. By meddling in that year’s U.S. presidential election via a plethora of online tools, Moscow’s operatives illustrated what seemed like the boundless potential of digital manipulation.

Since then, social media companies and governments have made massive investments in catching these efforts. As a report published by Facebook parent company Meta at the tail end of 2022 illustrates, these efforts appear to have reached something of an equilibrium with Russian information operators. Russia, along with several other states, still run malign online information operations, but these campaigns to influence public opinion are detected and taken down with such speed that they rarely reach significant audiences.

This state of equilibrium means that it’s high time to ask more fundamental questions about online information operations and the resources being mustered in countering them. Such efforts — and the coverage of them — means that our collective attention is far more focused on content and mechanics, rather than real-world impact and our information ecosystem more broadly.

Six years into our collective preoccupation with information operations and how platforms wrestle with them, the question of whether they even work in the first place — and if so, how — has gotten lost. The incentives for all parties — platforms, governments and illicit actors alike — are stacked in favor of operating on the assumption that they do, while the science looks inconclusive at best.

Meta capped off 2022 by detailing how it has performed more than 200 takedowns of covert influence operations on its platforms, the culmination of a strategy first used against Russian actors in 2017. In a short five years, Facebook’s threat analysts have arguably served as the vanguard of a new industry — monitoring and countering malign activity online.

Five years on, this industry and those responsible for carrying out information operations — in particular, Russia — have become co-dependents….
