Tag Archive for: pivots

BianLian Ransomware Pivots From Encryption to Pure Data-Theft Extortion

/in


The BianLian ransomware group is ramping up its operations and maturing as a business, moving more swiftly than ever to compromise systems. It’s also moving away from encryption to pure data-theft extortion tactics, in cyberattacks that have so far bagged at least 116 victims, researchers have found.

BianLian, first discovered last July, hasn’t deviated much from its initial tactic: deploying a custom go-based backdoor once it infiltrates a network. The functionality of the malware essentially remains the same except for a few tweaks, researchers from Redacted said in a blog post published today.

However, the swiftness with which the group’s command-and-control server (C2) deploys the backdoor has increased, and the group notably has moved away from ransoming encrypted files to focusing more on pure data-leak extortion as a means to extract payments from victims, the researchers said.

“BianLian has discovered that they don’t need to actually encrypt victim networks to get paid,” Adam Flatley, vice president of intelligence at Redacted, says.

This shift to focus on data-leak extortion is “extremely dangerous,” because it allows the group to take the time and effort to tailor the threats to specific victims and exert more pressure to pay ransoms, he adds.

“BianLian will have an even stronger pressure position on trying to force their victims to not work with the FBI, to not report the incident, and just pay the ransom and move on,” Flatley says.

BianLian’s motivation for changing its encryption strategy is likely a response to Avast’s release of an encryption tool for organizations that have been targets of the group to unlock their files, the researchers noted.

Given that BianLian has used double-extortion methods from the outset — threatening to release a victim organization’s stolen data online if a ransom wasn’t paid by a certain deadline — the group decided to skip the encryption step and go right to extortion, according to Redacted.

Maturing As a Cyberattack Business

This shift is part of BianLian’s overall evolution and maturation as a business, the researchers said. While from its inception the group has had “a high level of operational security and skill in network…

Source…

Ransomware Business Models: Future Pivots and Trends

/in


RDP port 3389 remains a popular service abused by ransomware actors to gain initial access to systems located and connected to on-premise infrastructure. However, as more organizations shift to the cloud services for file storage and active directory systems, ransomware groups will look for more opportunities to develop and/or exploit vulnerabilities not yet leveraged at scale.

Evolutions

Gradual evolutions in the current modern ransomware models as we know them are expected to be tweaked in order to adapt to the triggers that prompt them. From a business perspective, these are “naturally occurring” movements that prompt movement from their current state.  In this section, we list two gradual evolutions that ransomware actors will likely be undergoing to adapt to the upcoming triggers in the short term. For the full list of evolutions and their respective discussions, you can download our paper here.

Evolution 1: Change of targeted endpoints – The internet of things (IoT)/Linux

The Mirai botnet, which emerged in 2016, was a decisive point that realized the possibility of expanding its reach to Linux devices and the cloud. While it’s not ransomware, the availability of the botnet’s source code allowed parties with the interest and skillset to simply download and recompile the code to infect Linux-based routers to create their own botnet. These address two points for this specific evolution:

  • They have the code ready to target Linux-based devices and can simply recode for other similar devices.
  • They are ready to use this capability as soon as there are visible targets with internet-facing security gaps.

From these two points, ransomware groups can find new Linux-based targets or tweak the threat they currently have at hand to target new platforms such as cloud infrastructures, prompting possible developments:

  • Ransomware groups focus their sights on regular Linux servers
  • Ransomware groups start targeting backup servers
  • Ransomware groups start targeting other IoT Linux-based devices

With the increased use of Linux-based servers, the cloud, and — as another entry point — the internet of things (IoT), ransomware groups have realized an opportunity in attacks against…

Source…

Network Pivots, Patch Bypasses: Exploits Hit Hard …

/in


An analysis of 50 vulnerabilities finds a spectrum of risk, from widespread vulnerabilities exploited by a variety of attackers to serious issues that will likely be exploited in 2021.

In 2020, security teams had to endure a great deal of chaos — not just from the events caused by the pandemic, but by a significant series of changes in the vulnerability landscape, according to Rapid7.

In its “2020 Vulnerability Intelligence Report,” released today, the security firm documented 50 vulnerabilities representing shifts that defenders had to contend with. Fourteen vulnerabilities were exploited by nation-state actors and cybercriminals in indiscriminate campaigns that impacted a wide variety of organizations, 16 vulnerabilities were used in targeted attacks by sophisticated actors, and 20 flaws have not yet been seen in the wild but are expected to be used by attackers in their campaigns.

The company delves into the threats to offer defenders a better understanding of what constituted dangerous vulnerabilities in 2020, says Caitlin Condon, manager of software engineering at Rapid7.

“There was a pervasive feeling in the information-security community, especially among defenders, that the sky was falling nearly all the time,” she says. “It is often very difficult for the people in charge of security to look at all the research materials and all the artifacts — at all the information about a vulnerability — and determine why a vulnerability may matter or not matter for their risk model.”

In the report, Rapid7 breaks down the threats into flaws exploited indiscriminately in widespread attacks (28%), security issues — often, zero-day vulnerabilities — used in targeted attacks (32%), and vulnerabilities the company considers to be impending threats (40%).

Among the most serious threats were attacks on network and security appliances that allowed the attacker to pivot from outside the network to the internal network. So-called network pivots were discovered in Citrix NetScaler, SonicWall SonicOS, Palo Alto Networks PAN-OS, and the Sophos XG Firewall.

“For many network defenders, June 29 through July 29, 2020 was a particularly nightmarish stretch of an already challenging year: No…

Source…