Tuesday, March 19, 2024

LogRhythm and SOC Prime Announce Partnership to Accelerate Threat Detection and Hunting

New partnership combines LogRhythm Axon’s analytics and threat management with SOC Prime’s cutting-edge capabilities 

LogRhythm, the company helping security teams stop breaches by turning disconnected data and signals into trustworthy insights, today announced its partnership with SOC Prime, the world’s largest and most advanced platform for collective cyber defense. This collaboration combines LogRhythm Axon’s advanced analytics and threat management capabilities with SOC Prime’s innovative technology to empower security teams with enhanced threat hunting and detection capabilities. 

“In today’s diverse organizational environments, one-size-fits-all approaches to threat detection are no longer sufficient. The threat landscape is relentless and security teams need every advantage to safeguard their critical assets,” said Andrew Hollister, Chief Information Security Officer at LogRhythm. “Our partnership with SOC Prime arms customers with a powerful combination of threat hunting, analytics and automation, empowering them to detect and respond to threats faster and more effectively.” 

A proactive approach to cybersecurity is necessary in today’s evolving threat landscape, and this partnership equips security teams with the tools they need to stay ahead of malicious actors. Through the integration of LogRhythm Axon and SOC Prime’s Uncoder IO, security teams can develop high-quality detection code more efficiently and streamline IOC-based query generation. SOC Prime’s Uncoder AI further enhances this capability by providing sub-second performance on detection engineering tasks, including code validation, autocompletion, and automated cross-platform query translation.

Recognizing the diverse needs of different organizations, LogRhythm Axon empowers security teams to create and test custom threat detection rules tailored to their unique environments. Integration with SOC Prime expands LogRhythm Axon’s capabilities by increasing the availability of detection rules optimized for any organization’s requirements, enabling teams to detect and respond to threats more effectively. 

The joint solution also addresses the challenge of alert fatigue by enabling security teams to fine-tune detection rules and prioritize responses based on accurate threat intelligence. By enhancing the precision of alerts, organizations can focus their efforts on mitigating real threats, rather than sifting through overwhelming volumes of false positives. 

Additional benefits from this collaboration include: 

  • Utilize Collective Cyber Defense: By leveraging the combined power of LogRhythm Axon and SOC Prime, security teams can enhance their detection engineering methodologies, ensuring a robust defense against evolving cyber threats. 
  • Enhance Visibility: Gain deeper insights into organization-specific cyber threats, enabling proactive threat mitigation and response strategies. 
  • Increase Security Coverage: Expand coverage of security use cases, effectively reducing blind spots and enhancing overall security posture. 
  • Reduce Response Time: Streamline threat detection and response processes, significantly reducing the time to detect and respond to cyber incidents. 

“This partnership is a game-changer for security teams struggling to keep pace with the increasing volume and sophistication of cyber attacks,” said Alex Bredikhin, Chief Technical Officer and Co-founder at SOC Prime. “By combining our collective expertise, we are providing security professionals with the tools and intelligence they need to proactively identify and neutralize threats, ultimately improving their overall security posture.” 

Register here to attend the joint webinar from LogRhythm and SOC Prime on Thursday, April 18 at 12 p.m. EDT to learn more about the collaboration and best practices for elevating your cyber defenses at scale. 

To learn more about LogRhythm’s partnerships, please visit: https://logrhythm.com/partners/partner-program/

About LogRhythm

LogRhythm helps security teams stop breaches by turning disconnected data and signals into trustworthy insights. From connecting the dots across diverse log and threat intelligence sources to using sophisticated machine learning that spots suspicious anomalies in network traffic and user behavior, LogRhythm accurately pinpoints cyberthreats and empowers professionals to respond with speed and efficiency.

With cloud-native and self-hosted deployment flexibility, out-of-the-box integrations, and advisory services, LogRhythm makes it easy to realize value quickly and adapt to an ever-evolving threat landscape. Together, LogRhythm and our customers confidently monitor, detect, investigate, and respond to cyberattacks. Learn more at logrhythm.com.

About SOC Prime  

Headquartered in Boston, SOC Prime operates the world’s largest and most advanced platform for collective cyber defense based on global threat intelligence, crowdsourcing, zero-trust, and AI. SOC Prime’s innovation, backed by cutting-edge technology leveraging Roota, Sigma, MITRE ATT&CK® as benchmarks for collective cyber defense, is recognized by independent research companies, credited by the leading SIEM, EDR, Data Lake vendors & MDR providers, and trusted by 9,000+ organizations, including 42% of Fortune 100 and 21% of Forbes Global 2000, 14 CERTs, and 90 public sector and defense organizations in key NATO countries. SOC Prime is backed by DNX Ventures, Streamlined Ventures, and Rembrandt Venture Partners, having received $11.5M in funding in October 2021. For more information, visit https://socprime.com or follow us on LinkedIn & Twitter. 

The post LogRhythm and SOC Prime Announce Partnership to Accelerate Threat Detection and Hunting appeared first on LogRhythm.



from LogRhythm https://ift.tt/Fm3vfX6
via IFTTT

Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke Loader Backdoor


Executive Summary

This article announces the publication of our first collaborative effort with the State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine (SCPC SSSCIP). This collaborative research focuses on recent Smoke Loader malware activity observed throughout Ukraine from May to November 2023 from a group the CERT-UA designates as UAC-0006.

Unit 42 has been collaborating with Ukraine for many years to share actionable intelligence and expertise. As the war in Ukraine enters its third year, Ukraine faces an all-time high in both volume and severity of cyberattacks. Global threat actors, including nation-states, cybercriminals and hacktivist groups, are seizing the opportunity presented by the Ukraine conflict for their malicious purposes. The SCPC SSSCIP has identified Smoke Loader as a prominent type of malware used in recent attacks.

A pictorial representation of Smoke Loader: a world map with location markers, surrounded by icons representing types of attacks (bugs, hacking) and tools such as graphs.

Also known as Dofoil or Sharik, Smoke Loader is a backdoor targeting systems running Microsoft Windows. Threat actors have advertised this threat on underground forums since 2011. Primarily a loader with added information-stealing capabilities, Smoke Loader has been linked to Russian cybercrime operations and is readily available on Russian cybercrime forums.

Ukrainian officials have highlighted a surge in Smoke Loader attacks targeting the country’s financial institutions and government organizations. While Ukraine has seen a rise in Smoke Loader attacks, this malware remains a global threat and continues to be seen in multiple campaigns targeting other countries. However, this surge of attacks suggests a coordinated effort to disrupt Ukrainian systems and extract valuable data.

While Smoke Loader can be distributed through web-based vectors, attacks using this malware against Ukraine have been detected in malicious emails from phishing campaigns. The SCPC SSSCIP report provides detailed analysis on 23 waves of email-based attacks from May 10-Nov. 23, 2023. This report is most beneficial to security professionals who study trends in attack chains, analyze malware or are interested in deep technical analysis and detailed indicators of compromise.

To review the technical aspects of these Smoke Loader campaigns in Ukraine, refer to the SCPC SSSCIP report.

Readers can prevent Smoke Loader and similar malware attacks by prioritizing security measures and cultivating smart online habits. Be extremely cautious when opening email attachments or clicking links, especially from unknown senders. Stick to trusted websites for downloads. Create strong, unique passwords for online accounts, and stay informed of current cybersecurity threats. These measures can significantly reduce the risk of falling victim to malware like Smoke Loader.

Palo Alto Networks customers are better protected from the Smoke Loader samples in the SCPC SSSCIP report through Cortex XDR and XSIAM, as well as through our Next-Generation Firewall with Cloud-Delivered Security Services, including Advanced WildFire, DNS Security, Advanced Threat Prevention and Advanced URL Filtering.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Table of Contents

Background on Smoke Loader
The UAC-0006 Group
Scale of the Attacks
Conclusion

Background on Smoke Loader

Also called Dofoil or Sharik, Smoke Loader is a malicious program that loads other malware, although it has a range of other capabilities. A 2016 article on Smoke Loader noted that an early version was first advertised in the criminal underground as early as 2011. Various sources have documented Smoke Loader activity since then, and numerous reports have been published, including an analysis on Smoke Loader we released in 2018.

Smoke Loader has been distributed through email, and it has appeared as a payload from web-based vectors like Rig Exploit Kit. We have even seen Smoke Loader distributed as a payload from other malware like Glupteba.

Since it first appeared, reporting on Smoke Loader indicates that various groups have used it against different industries and organizations across the globe. These activities range from recent targeted cyberattacks in Ukraine to criminal activity resulting in Phobos ransomware infections.

As a well-known and currently active malware-as-a-service offering, Smoke Loader is one of many ideal candidates (from the threat actor perspective) for any attack, including those reported by Ukraine’s SCPC SSSCIP.

The UAC-0006 Group

On May 5, 2023, CERT-UA issued alert CERT-UA#6613, its first notification of Smoke Loader activity under the UAC-0006 identifier. Throughout the remainder of 2023, the CERT-UA published five additional notices on the UAC-0006 group.

According to CERT-UA, the UAC-0006 group ranked first in the category of financial crimes as of December 2023. UAC-0006 uses Smoke Loader to download other malware, and the group uses this additional malware in attempts to steal funds from Ukrainian enterprises. These attempts represent a significant potential for financial loss.

While CERT-UA has not confirmed a specific threat actor behind these Smoke Loader attacks, various sources suspect UAC-0006 might be associated with Russian cybercrime.

Scale of the Attacks

As previously noted, UAC-0006 ranks first in the category of financial crimes in Ukraine as of December 2023. By October 2023, CERT-UA reported a surge in UAC-0006 activity, noting this group attempted to steal tens of millions of hryvnias (Ukrainian dollars) from August-September 2023.

The SCPC SSSCIP report documents 23 waves of Smoke Loader attacks from May through December 2023 based on our joint research. These campaigns have notably increased the threat level for accountants in Ukraine and represent the potential loss of 1 million hryvnias per week on average.

Conclusion

Palo Alto Networks collaborated with the SCPC SSSCIP to provide actionable threat intelligence to mitigate Smoke Loader attacks targeting Ukrainian organizations. Our joint research provides valuable insight into how attackers leverage Smoke Loader in real-world campaigns. This includes understanding initial attack vectors, types of secondary payloads and the overall objective of the attackers. Our research was used to help develop our mutual defenses and to disrupt the entire attack chain.

For a deeper understanding of the technical aspects of UAC-0006 Smoke Loader campaigns in Ukraine, read the SCPC SSSCIP report.

A crucial element of defense against Smoke Loader is prioritizing security measures and cultivating smart online habits. Be extremely cautious when opening email attachments or clicking links, especially from unknown senders. Stick to trusted websites for downloads, and create strong, unique passwords for all online accounts. Stay informed on current cybersecurity threats. Such vigilance should significantly reduce the risk of falling victim to malware like Smoke Loader.

Palo Alto Networks customers are better protected from Smoke Loader through Cortex XDR and XSIAM, as well as through our Next-Generation Firewall with Cloud-Delivered Security Services, including Advanced WildFire, DNS Security, Advanced Threat Prevention and Advanced URL Filtering.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team or call:

  • North America Toll-Free: 866.486.4842 (866.4.UNIT42)
  • EMEA: +31.20.299.3130
  • APAC: +65.6983.8730
  • Japan: +81.50.1790.0200

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.




from Unit 42 https://ift.tt/0Wk8b9Y
via IFTTT

Suspected Russian Data-Wiping 'AcidPour' Malware Targeting Linux x86 Devices

Mar 19, 2024 | Newsroom | Linux / Cyber Espionage

A new variant of a data wiping malware called AcidRain has been detected in the wild that's specifically designed for targeting Linux x86 devices.

The malware, dubbed AcidPour, is compiled for Linux x86 devices, SentinelOne's Juan Andres Guerrero-Saade said in a series of posts on X.

"The new variant [...] is an ELF binary compiled for x86 (not MIPS) and while it refers to similar devices/strings, it's a largely different codebase," Guerrero-Saade noted.

AcidRain first came to light in the early days of the Russo-Ukrainian war, with the malware deployed against KA-SAT modems from U.S. satellite company Viasat.

An ELF binary compiled for MIPS architectures is capable of wiping the filesystem and different known storage device files by recursively iterating over common directories for most Linux distributions.

The cyber attack was subsequently attributed to Russia by the Five Eyes nations, along with Ukraine and the European Union.

AcidPour, as the new variant is called, is designed to erase content from RAID arrays and Unsorted Block Image (UBI) file systems through the addition of file paths like "/dev/dm-XX" and "/dev/ubiXX," respectively.

It's currently not clear who the intended victims are, although SentinelOne said it notified Ukrainian agencies. The exact scale of the attacks is presently unknown.

The discovery once again underscores the use of wiper malware to cripple targets, even as threat actors are diversifying their attack methods for maximum impact.




from The Hacker News https://ift.tt/ChXWkj1
via IFTTT

Monday, March 18, 2024

Streamlining your workday with new customizable Citrix Cloud landing pages!

Administrators are busy people. Whether it’s solving troubleshooting issues, updating software, or playing around with new features there never seems to be enough time in the day to get it all done. You need a streamlined experience to help you achieve everything even faster.

Most Citrix administrators access the same parts of our Cloud Console every day. Other admins only have access to specific parts of the Citrix Cloud tenant, like Citrix Monitor. To help get you exactly where you need to go in the console, directly from login, we have developed our new Citrix Cloud landing page setting! Reduce the number of clicks it takes you to get to your preferred console, and hit the ground running straight from logon. 

In-console announcement of customized landing page

Use case

Currently when you login to Citrix Cloud, you are automatically brought to our Citrix Cloud dashboard which shows you all the cloud features you have access to:

Default landing page when logging into cloud.citrix.com

This provides a good starting point within your Cloud account, however a lot of admins use the same pages everyday (such as the DaaS page to make changes) or only have access to parts of the tenant (like Monitor). With our new landing page feature, you are able to customize your landing page. 

The following pages are currently available, with more on the way:

  • DaaS
  • DaaS Monitor
  • NetScaler Console (formerly ADM Service)
  • General (platform functions)
  • WEM
  • Citrix Analytics
  • Citrix Analytics for Security
  • Citrix Analytics for Performance

This setting is optional and is set on a per account basis so each administrator can customize their own experience within Citrix Cloud. All admins (whether custom or full) have access to this feature. If you change your mind after configuring a landing page, you can always reset your account to the default home page. 

How to get started

Setting up your custom landing is quick and simple. Just go to Account Settings > Customization > My landing page to configure. The options you have are determined by the permissions your admin account has within the Citrix Cloud tenant.

Setting location in the console

To experience your newly configured landing page, log out of your account, open a new tab, and go to citrix.cloud.com or use your bookmark and sign in again. Note: if you sign in again on the same page where you just signed out, it will take you back to your last viewed page (Account Settings) instead of your new landing page.

What’s next

We are working internally to onboard all the Cloud services into the landing page options. Comment below to tell us if there’s any specific pages you’d like to see added to this feature!

To try this feature out yourself, head over to citrix.cloud.com and follow the instructions above.


Disclaimer: This publication may include references to the planned testing, release and/or availability of Cloud Software Group, Inc. products and services. The information provided in this publication is for informational purposes only, its contents are subject to change without notice, and it should not be relied on in making a purchasing decision. The information is not a commitment, promise or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for products remains at the sole discretion of Cloud Software Group, Inc.



from Citrix Blogs https://ift.tt/UF5PL2y
via IFTTT

Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool

Mar 18, 2024 | Newsroom | Vulnerability / Threat Mitigation

Fortra has released details of a now-patched critical security flaw impacting its FileCatalyst file transfer solution that could allow unauthenticated attackers to gain remote code execution on susceptible servers.

Tracked as CVE-2024-25153, the shortcoming carries a CVSS score of 9.8 out of a maximum of 10.

"A directory traversal within the 'ftpservlet' of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended 'uploadtemp' directory with a specially crafted POST request," the company said in an advisory last week.

"In situations where a file is successfully uploaded to web portal's DocumentRoot, specially crafted JSP files could be used to execute code, including web shells."

The vulnerability, the company said, was first reported on August 9, 2023, and addressed two days later in FileCatalyst Workflow version 5.1.6 Build 114 without a CVE identifier. Fortra was authorized as a CVE Numbering Authority (CNA) in early December 2023.

Security researcher Tom Wedgbury of LRQA Nettitude has been credited with discovering and reporting the flaw. The company has since released a full proof-of-concept (PoC) exploit, describing how the flaw could be weaponized to upload a web shell and execute arbitrary system commands.

Also resolved by Fortra in January 2024 are two other security vulnerabilities in FileCatalyst Direct (CVE-2024-25154 and CVE-2024-25155) that could lead to information leakage and code execution.

With previously disclosed flaws in Fortra GoAnywhere managed file transfer (MFT) having come under heavy exploitation last year by threat actors like Cl0p, users are advised to apply the necessary updates to mitigate potential threats.
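The advisory above describes the bug class (a client-controlled filename joined onto the upload directory without normalisation, so a crafted POST lands a JSP under DocumentRoot). As an added illustration that is not Fortra's or FileCatalyst's code, the block below shows the traversal-prone join beside a hardened mapping, and uses the naive join to triage constructed upload log lines for requests that would have escaped. The deployment path, the log format and all function names are assumptions; only "ftpservlet" and "uploadtemp" come from the advisory.

```python
"""
Added example (not Fortra's code): upload-path containment for the bug class behind
CVE-2024-25153. "ftpservlet" and "uploadtemp" are from the advisory; the deployment
layout, log format and sample requests below are constructed for illustration.
"""
import re
from pathlib import Path, PurePosixPath
from urllib.parse import unquote

# Constructed deployment layout (an assumption, not FileCatalyst's real paths).
UPLOAD_ROOT = Path("/srv/filecatalyst/uploadtemp")
# Extensions a servlet container would execute if they landed under DocumentRoot.
BLOCKED_SUFFIXES = {".jsp", ".jspx", ".jsw", ".jsv", ".jspf"}


class UploadRejected(ValueError):
    """Raised when a client-supplied filename must not be written anywhere."""


def naive_target(upload_root: Path, client_filename: str) -> Path:
    """The traversal-prone pattern: decode the client value and join it as-is.

    Kept here only to *predict* where a logged filename would have been written,
    which is what an incident responder needs when reviewing upload logs.
    """
    return (upload_root / unquote(client_filename)).resolve()


def would_escape(upload_root: Path, client_filename: str) -> bool:
    """True if the naive join resolves outside upload_root (e.g. into DocumentRoot)."""
    root = upload_root.resolve()
    return not naive_target(upload_root, client_filename).is_relative_to(root)


def safe_target(upload_root: Path, client_filename: str) -> Path:
    """Hardened mapping: percent-decode, keep only the basename, refuse
    server-executable extensions, then re-check containment as defence in depth."""
    decoded = unquote(client_filename)
    # Treat both separators as separators; any directory part the client sent is dropped.
    basename = PurePosixPath(decoded.replace("\\", "/")).name
    if basename in ("", ".", ".."):
        raise UploadRejected(f"empty or traversal filename: {client_filename!r}")
    if PurePosixPath(basename).suffix.lower() in BLOCKED_SUFFIXES:
        raise UploadRejected(f"server-executable extension: {client_filename!r}")
    root = upload_root.resolve()
    target = (root / basename).resolve()
    if not target.is_relative_to(root):
        raise UploadRejected(f"path escapes upload directory: {client_filename!r}")
    return target


# Constructed log format: the filename is captured from a quoted field.
LOG_RE = re.compile(r'POST /ftpservlet .*?filename="([^"]*)"')


def triage_upload_log(lines, upload_root: Path = UPLOAD_ROOT):
    """Return (line_no, filename, predicted_path) for logged uploads that would have
    escaped upload_root under the naive join; other lines are ignored."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        name = m.group(1)
        if would_escape(upload_root, name):
            findings.append((n, name, str(naive_target(upload_root, name))))
    return findings


# Constructed sample log lines (not real FileCatalyst output).
SAMPLE_LOG = [
    '2024-03-12T10:01:02Z 203.0.113.7 POST /ftpservlet filename="quarterly.pdf" status=200',
    '2024-03-12T10:01:09Z 203.0.113.7 POST /ftpservlet filename="../../webapps/ROOT/upload1.jsp" status=200',
    '2024-03-12T10:01:15Z 198.51.100.3 POST /ftpservlet filename="..%2F..%2Fwebapps%2FROOT%2Fupload2.jsp" status=200',
    '2024-03-12T10:02:00Z 198.51.100.3 GET /workflow/ status=200',
]

if __name__ == "__main__":
    for hit in triage_upload_log(SAMPLE_LOG):
        print("upload would have escaped uploadtemp:", hit)
```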




from The Hacker News https://ift.tt/6r5hycA
via IFTTT

Key Components of a Robust Cloud Security Maturity Strategy

A cloud security maturity strategy is dynamic and evolves over time to address new threats, technologies, and business requirements. It involves a holistic and proactive approach to security, emphasizing continuous improvement and adaptability in the ever-changing landscape of cloud computing. The goal is to progress through different stages of maturity, from basic to advanced, ensuring that security practices align with an organization’s evolving needs and the dynamic nature of cloud technology.

If you’re not sure where you are now and where you should be headed, Forrester offers the insights and tools you need to gain this visibility. Forrester’s cloud security readiness assessment evaluates cloud security maturity and provides actionable guidance to improve and expand cloud security coverage to more effectively protect cloud workloads and data. You can find it, and additional information on the topic, here.

Understanding Cloud Security Maturity

Cloud security maturity refers to an organization’s evolving ability to effectively manage and protect its data, applications, and infrastructure in cloud environments. It involves the systematic development and implementation of security measures, policies, and practices to adapt to the dynamic nature of cloud technology and emerging cyberthreats.

As businesses in all industries increasingly rely on cloud services, a mature cloud security strategy becomes crucial for safeguarding sensitive information, maintaining compliance, and ensuring resilience against cyberthreats. It enables your organization to align its security practices with its business goals, mitigate risks, and foster a proactive and adaptive security culture.

Maturity Levels and the Journey

Within the realm of cloud security, organizations progress through various maturity levels. These are typically categorized as the following:

Basic Security: At the initial stage, organizations focus on foundational security measures such as user authentication and basic access controls. The team often has a limited awareness of cloud-specific threats at this stage.

Intermediate Security: Organizations can improve their cloud security by implementing more comprehensive measures, including encryption, regular security assessments, and incident response planning. Awareness of cloud-related risks increases at this stage.

Advanced Security: In this stage, organizations adopt advanced technologies like automation, AI-driven threat detection, and robust identity and access management. Continuous monitoring, proactive threat hunting, and agile incident response characterize advanced security maturity.

The journey involves a continuous cycle of assessment, improvement, and adaptation to evolving threats and technologies. By moving from reactive, compliance-driven approaches to proactive, risk-informed strategies, organizations achieve a higher level of maturity in securing their cloud environments.

Assessment and Baseline Establishment

Before you move forward in any way, you must establish where you are now. Conducting a thorough assessment of your current security posture is essential for a robust cloud security maturity strategy. It provides your organization with a clear understanding of your existing strengths, weaknesses, and potential vulnerabilities in the cloud environment.

Establishing a baseline not only serves as a benchmark for measuring progress but also helps you identify specific areas for improvement. This proactive approach empowers your organization to tailor your security measures to address current challenges, adapt to emerging threats, and systematically advance to higher maturity levels. All of this ensures a resilient and effective cloud security framework.

Defining Security Objectives and Policies

The next critical step on your journey is to define your security objectives and policies. Clear security objectives aligned with business goals provide a strategic framework for implementing effective security measures tailored to your organization’s specific needs. These objectives serve as a roadmap, ensuring that your team’s security efforts are not only robust but also contributing directly to overall business success.

Equally important is the development and communication of robust security policies governing cloud environments. These policies establish the rules and guidelines for securing data, applications, and infrastructure in the cloud. They help standardize security practices, ensure compliance with regulations, and create a shared understanding of expectations among employees and stakeholders.

Communication is key. It promotes awareness and adherence to security policies throughout your organization. By fostering a culture of security, your organization empowers its employees to become active participants in safeguarding sensitive information, reducing the risk of human error, and contributing to the overall effectiveness of your cloud security strategy.

Develop a Comprehensive Risk Management Framework

Developing a comprehensive risk management framework is crucial for a robust cloud security maturity strategy as it enables your organization to systematically identify, assess, and prioritize potential risks in its cloud environment.

Regularly updating risk assessments is equally vital, because it allows you to adapt to the dynamic landscape of evolving cyberthreats and business requirements. This ensures that your security measures remain effective and aligned with your organization’s overall risk tolerance and objectives. You need to be proactive, as this will empower your organization to make informed decisions, allocate resources efficiently, and maintain a resilient security posture in the face of emerging challenges.

Incident Response and Recovery

Developing and testing an incident response plan for cloud environments is essential to a robust cloud security maturity strategy. Doing so ensures that your organization is well-prepared to effectively manage and mitigate security incidents.

Implementing mechanisms for quick detection, response, and recovery further strengthens your organization’s resilience by minimizing potential damage, reducing downtime, and swiftly restoring normal operations — ultimately safeguarding against the potential impact of security breaches in cloud environments.

If you’re developing a process for this, check out this free incident response template that can help guide your planning.

The Importance of Continuous Monitoring and Improvement

Continuous monitoring of your cloud infrastructure and applications is vital for maintaining a proactive cloud security maturity strategy. It enables your organization to detect and respond promptly to any irregularities, potential threats, or vulnerabilities in real time, ensuring a resilient security posture.

Create a feedback loop, based on monitoring insights, to facilitate regular reviews and updates to your organization’s security policies and controls. This will ensure that your security strategy remains adaptive and effective. Establishing an iterative process of monitoring, reviewing, and updating enhances your organization’s overall security resilience and readiness.

Make Use of Automation

Integrating automation into your organization’s cloud security maturity strategy is instrumental for efficiency and effectiveness. By leveraging automation and orchestration tools, it’s much easier to streamline security processes — reducing manual effort and response times.

Automation enhances the consistency and speed of security tasks, allowing for swift and standardized responses to potential threats in cloud environments. It’s also worth noting that automated security measures contribute to faster threat detection and remediation, ensuring that your organization can proactively identify and address security incidents in real time. This not only strengthens your security posture but also allows for a more agile and adaptive approach to handling emerging threats.

The Adoption of Emerging Technologies

Making use of automation is simple when you stay abreast of emerging technologies, such as artificial intelligence (AI) and machine learning (ML), for advanced threat detection. By incorporating AI and ML into your cloud security strategy, your organization can enhance its capabilities to automatically analyze vast amounts of data, identify patterns, and detect anomalies that might signify potential security threats.

This proactive use of cutting-edge technologies not only simplifies the integration of automation but also empowers organizations to stay ahead of evolving cyberthreats, making their cloud security posture more adaptive, intelligent, and resilient. We highly encourage you to incorporate these innovative solutions into your security strategy.

Regular Audits and Assessments

Conducting regular internal and external audits is crucial for evaluating the effectiveness of your cloud security maturity program. These audits provide a systematic review of security measures, identifying strengths and weaknesses in your organization’s defense against potential threats.

The process helps pinpoint areas for improvement, enabling a proactive approach to strengthening security controls and strategies. Additionally, regular audits play a pivotal role in ensuring ongoing compliance with industry regulations and standards. By regularly assessing and validating its security program through audits, your organization not only enhances your resilience against emerging threats but also maintains a robust and compliant posture in the ever-evolving landscape of cloud security.

Here are useful tips from the LogRhythm Labs research and compliance team on conducting security risk assessments successfully.

Assess Your Cloud Security Readiness

A cloud security maturity strategy is a systematic and phased approach adopted in order to enhance your level of security readiness and resilience in the context of cloud computing. It involves the development and implementation of measures, processes, and technologies to effectively address security challenges associated with cloud environments. The importance of continuous improvement and adaptability in cloud security cannot be overstated.

In Forrester’s report, you’ll learn more about the fact that although the cloud creates numerous benefits, it also creates numerous security headaches when it comes to planning migrations from on-premises to the cloud and protecting data and resources in the new cloud workloads. One thing the report makes clear is that technology tools deliver automation to free you up for strategy decisions. Cloud security is easier and less expensive to automate using tools.

Wondering about your organization’s cloud security readiness? Looking to improve a low security maturity model score? We encourage you to read Forrester’s report on how to assess your cloud security maturity across six major technology competencies.

How SIEM Can Improve Your Cloud Security Maturity

If you're ready to learn more about security tools that help your team reduce risk to the business, a security information and event management (SIEM) system lets you monitor data and protect your environment from a central console.

LogRhythm Axon is a cloud-native SIEM platform that enables small security teams who are early in their cloud security maturity to manage, enforce, and audit:

  • Administrative access to cloud service provider consoles
  • Data encryption and decryption in cloud workloads
  • All network egress and ingress points
  • Sensitive cloud data governance
  • Analytics to detect threats and misconfiguration
  • The integration of third-party threat analytics to provide a 360-degree view of their threat model
  • Cloud workload security solutions that continually track and manage security posture of cloud workloads
  • Cloud security gateways to intercept and block sensitive or malicious data moving between workloads

For more tips on protecting cloud environments, read this third-party analyst report to “Learn Why Insights Matter for Cloud Application Security.”

The post Key Components of a Robust Cloud Security Maturity Strategy appeared first on LogRhythm.



from LogRhythm https://ift.tt/nGVf7Mg
via IFTTT

Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites

Cybersecurity researchers have discovered a new malware campaign that leverages bogus Google Sites pages and HTML smuggling to distribute a commercial malware called AZORult in order to facilitate information theft.

"It uses an unorthodox HTML smuggling technique where the malicious payload is embedded in a separate JSON file hosted on an external website," Netskope Threat Labs researcher Jan Michael Alcantara said in a report published last week.

The phishing campaign has not been attributed to a specific threat actor or group. The cybersecurity company described it as widespread in nature, carried out with the intent of collecting sensitive data for sale in underground forums.

AZORult, also called PuffStealer and Ruzalto, is an information stealer first detected around 2016. It's typically distributed via phishing and malspam campaigns, trojanized installers for pirated software or media, and malvertising.

Once installed, it's capable of gathering credentials, cookies, and history from web browsers, screenshots, documents matching a list of specific extensions (.TXT, .DOC, .XLS, .DOCX, .XLSX, .AXX, and .KDBX), and data from 137 cryptocurrency wallets. AXX files are encrypted files created by AxCrypt, while KDBX refers to a password database created by the KeePass password manager.

The latest attack activity involves the threat actor creating counterfeit Google Docs pages on Google Sites that subsequently utilize HTML smuggling to deliver the payload.

HTML smuggling is the name given to a stealthy technique in which legitimate HTML5 and JavaScript features are abused to assemble and launch the malware by "smuggling" an encoded malicious script.

Thus, when a visitor is tricked into opening the rogue page from a phishing email, the browser decodes the script and extracts the payload on the host device, effectively bypassing typical security controls such as email gateways that are known to only inspect for suspicious attachments.

The AZORult campaign takes this approach a notch higher by adding a CAPTCHA barrier, an approach that not only gives a veneer of legitimacy but also serves as an additional layer of protection against URL scanners.

The downloaded file is a shortcut file (.LNK) that masquerades as a PDF bank statement. Launching it kicks off a chain of intermediate batch and PowerShell scripts fetched from an already compromised domain.

One of the PowerShell scripts ("agent3.ps1") is designed to fetch the AZORult loader ("service.exe"), which, in turn, downloads and executes another PowerShell script ("sd2.ps1") containing the stealer malware.

"It executes the fileless AZORult infostealer stealthily by using reflective code loading, bypassing disk-based detection and minimizing artifacts," Michael Alcantara said. "It uses an AMSI bypass technique to evade being detected by a variety of host-based anti-malware products, including Windows Defender."

"Unlike common smuggling files where the blob is already inside the HTML code, this campaign copies an encoded payload from a separate compromised site. Using legitimate domains like Google Sites can help trick the victim into believing the link is legitimate."

The findings come as Cofense revealed the use of malicious SVG files by threat actors in recent campaigns to disseminate Agent Tesla and XWorm using an open-source program called AutoSmuggle that simplifies the process of crafting HTML or SVG smuggled files.

AutoSmuggle "takes a file such as an exe or an archive and 'smuggles' it into the SVG or HTML file so that when the SVG or HTML file is opened, the 'smuggled' file is delivered," the company explained.

Phishing campaigns have also been observed employing shortcut files packed within archive files to propagate LokiBot, an information stealer analogous to AZORult with features to harvest data from web browsers and cryptocurrency wallets.

"The LNK file executes a PowerShell script to download and execute the LokiBot loader executable from a URL. LokiBot malware has been observed using image steganography, multi-layered packing and living-off-the-land (LotL) techniques in past campaigns," SonicWall disclosed last week.

In another instance highlighted by Docguard, malicious shortcut files have been found to initiate a series of payload downloads and ultimately deploy AutoIt-based malware.

That's not all. Users in the Latin American region are being targeted as part of an ongoing campaign in which the attackers impersonate Colombian government agencies to send booby-trapped emails with PDF documents that accuse the recipients of flouting traffic rules.

Present within the PDF file is a link that, when clicked, results in the download of a ZIP archive containing a VBScript. When executed, the VBScript drops a PowerShell script responsible for fetching one of several remote access trojans, such as AsyncRAT, njRAT, and Remcos.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



from The Hacker News https://ift.tt/lpknzO3
via IFTTT

WordPress Admins Urged to Remove miniOrange Plugins Due to Critical Flaw

Mar 18, 2024 | Newsroom | Website Security / Vulnerability

WordPress users of miniOrange's Malware Scanner and Web Application Firewall plugins are being urged to delete them from their websites following the discovery of a critical security flaw.

The flaw, tracked as CVE-2024-2172, is rated 9.8 out of a maximum of 10 on the CVSS scoring system. It impacts the following versions of the two plugins -

It's worth noting that the plugins have been permanently closed by the maintainers as of March 7, 2024. While Malware Scanner has over 10,000 active installs, Web Application Firewall has more than 300 active installations.

"This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password," Wordfence reported last week.

The issue is the result of a missing capability check in the function mo_wpns_init() that enables an unauthenticated attacker to arbitrarily update any user's password and escalate their privileges to that of an administrator, potentially leading to a complete compromise of the site.

"Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would," Wordfence said.

"This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content."

The development comes as the WordPress security company warned of a similar high-severity privilege escalation flaw in the RegistrationMagic plugin (CVE-2024-1991, CVSS score: 8.8) affecting all versions, including and prior to 5.3.0.0.

The issue, addressed on March 11, 2024, with the release of version 5.3.1.0, permits an authenticated attacker to grant themselves administrative privileges by updating the user role. The plugin has more than 10,000 active installations.

"This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to elevate their privileges to that of a site administrator which could ultimately lead to complete site compromise," István Márton said.




from The Hacker News https://ift.tt/HraWes2
via IFTTT

APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme

Mar 18, 2024 | Newsroom | Cyber Warfare / Malware

The Russia-linked threat actor known as APT28 has been linked to multiple ongoing phishing campaigns that employ lure documents imitating government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America.

"The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production," IBM X-Force said in a report published last week.

The tech company is tracking the activity under the moniker ITG05, which is also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, TA422, and UAC-028.

The disclosure comes more than three months after the adversary was spotted using decoys related to the ongoing Israel-Hamas war to deliver a custom backdoor dubbed HeadLace.

APT28 has since also targeted Ukrainian government entities and Polish organizations with phishing messages designed to deploy bespoke implants and information stealers like MASEPIE, OCEANMAP, and STEELHOOK.

Other campaigns have entailed the exploitation of security flaws in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) to plunder NT LAN Manager (NTLM) v2 hashes, raising the possibility that the threat actor may leverage other weaknesses to exfiltrate NTLMv2 hashes for use in relay attacks.

The latest campaigns observed by IBM X-Force between late November 2023 and February 2024 leverage the "search-ms:" URI protocol handler in Microsoft Windows to trick victims into downloading malware hosted on actor-controlled WebDAV servers.

There is evidence to suggest that both the WebDAV servers and the MASEPIE C2 servers may be hosted on compromised Ubiquiti routers; a botnet made up of such routers was taken down by the U.S. government last month.

The phishing attacks impersonate entities from several countries such as Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S., putting to use a mix of authentic publicly available government and non-government lure documents to activate the infection chains.

"In an update to their methodologies, ITG05 is utilizing the freely available hosting provider, firstcloudit[.]com to stage payloads to enable ongoing operations," security researchers Joe Fasulo, Claire Zaboeva, and Golo Mühr said.

APT28's elaborate scheme culminates in the execution of MASEPIE, OCEANMAP, and STEELHOOK, which are designed to exfiltrate files, run arbitrary commands, and steal browser data. OCEANMAP has been characterized as a more capable version of CredoMap, another backdoor previously identified as used by the group.

"ITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially available infrastructure, while consistently evolving malware capabilities," the researchers concluded.




from The Hacker News https://ift.tt/qLEdG6x
via IFTTT

Sunday, March 17, 2024

What if the CNCF was private equity?

For years, the CNCF has been the central governance body for cloud-native projects. But are there too many projects now? What if the CNCF was less governance and more like private equity?

SHOW: 804

CLOUD NEWS OF THE WEEK - http://bit.ly/cloudcast-cnotw

SHOW NOTES:

WHY DOESN’T THE CNCF RECOMMEND A CLOUD-NATIVE STACK? 

  • Originally the CNCF was just trying to get projects to use them for governance. 
  • Many people wanted them to “define” a cloud-native stack. 
  • Defining a stack would have held back their business model - accepting projects and adding sponsors

HOW MANY PROJECTS WOULD GET “CNCF APPROVED” IF THEY TOOK A PRIVATE EQUITY APPROACH?

  • CNCF currently has 184 projects, up 4x over the last 4 years. 
  • 14% graduated, 20% incubating, 62% sandbox 
  • Does the CNCF suffer from the “Big Tent” problem that caused so many issues with OpenStack? 
  • KubeCon keynotes are just a list of projects giving status updates - they could be an email. 
  • How many projects should the CNCF sponsor? How many categories should remain?
  • How would a private equity group apply metrics to CNCF projects? 



from The Cloudcast (.NET) https://ift.tt/Wzpx3Me
via IFTTT

Saturday, March 16, 2024

Hackers Using Cracked Software on GitHub to Spread RisePro Info Stealer

Mar 16, 2024 | Newsroom | Malware / Cybercrime

Cybersecurity researchers have found a number of GitHub repositories offering cracked software that are used to deliver an information stealer called RisePro.

The campaign, codenamed gitgub, includes 17 repositories associated with 11 different accounts, according to G DATA. The repositories in question have since been taken down by the Microsoft-owned subsidiary.

"The repositories look similar, featuring a README.md file with the promise of free cracked software," the German cybersecurity company said.

"Green and red circles are commonly used on Github to display the status of automatic builds. Gitgub threat actors added four green Unicode circles to their README.md that pretend to display a status alongside a current date and provide a sense of legitimacy and recency."

The list of repositories is as follows, with each of them pointing to a download link ("digitalxnetwork[.]com") containing a RAR archive file -

  • andreastanaj/AVAST
  • andreastanaj/Sound-Booster
  • aymenkort1990/fabfilter
  • BenWebsite/-IObit-Smart-Defrag-Crack
  • Faharnaqvi/VueScan-Crack
  • javisolis123/Voicemod
  • lolusuary/AOMEI-Backupper
  • lolusuary/Daemon-Tools
  • lolusuary/EaseUS-Partition-Master
  • lolusuary/SOOTHE-2
  • mostofakamaljoy/ccleaner
  • rik0v/ManyCam
  • Roccinhu/Tenorshare-Reiboot
  • Roccinhu/Tenorshare-iCareFone
  • True-Oblivion/AOMEI-Partition-Assistant
  • vaibhavshiledar/droidkit
  • vaibhavshiledar/TOON-BOOM-HARMONY

The RAR archive, which requires the victims to supply a password mentioned in the repository's README.md file, contains an installer file, which unpacks the next-stage payload, an executable file that's inflated to 699 MB in an effort to crash analysis tools like IDA Pro.

The actual contents of the file – amounting to a mere 3.43 MB – act as a loader to inject RisePro (version 1.6) into either AppLaunch.exe or RegAsm.exe.

RisePro burst into the spotlight in late 2022 when it was distributed using a pay-per-install (PPI) malware downloader service known as PrivateLoader.

Written in C++, it's designed to gather sensitive information from infected hosts and exfiltrate it to two Telegram channels, which are often used by threat actors to extract victims' data. Interestingly, recent research from Checkmarx showed that it's possible to infiltrate and forward messages from an attacker's bot to another Telegram account.

The development comes as Splunk detailed the tactics and techniques adopted by Snake Keylogger, describing it as a stealer malware that "employs a multifaceted approach to data exfiltration."

"The use of FTP facilitates the secure transfer of files, while SMTP enables the sending of emails containing sensitive information," Splunk said. "Additionally, integration with Telegram offers a real-time communication platform, allowing for immediate transmission of stolen data."

Stealer malware has become increasingly popular, often serving as the primary vector for ransomware and other high-impact data breaches. According to a report from Specops published this week, RedLine, Vidar, and Raccoon have emerged as the most widely used stealers, with RedLine alone accounting for the theft of more than 170.3 million passwords in the last six months.

"The current rise of information-stealing malware is a stark reminder of constantly evolving digital threats," Flashpoint noted in January 2024. "While the motivations behind its use is almost always rooted in financial gain, stealers are continually adapting while being more accessible and easier to use."




from The Hacker News https://ift.tt/g1vibLx
via IFTTT

Friday, March 15, 2024

Talos launching new machine learning-based exploit detection engine

By Brandon Stultz.

Every day, new vulnerabilities are discovered in the software critical to the function of the modern world. Security analysts take apart these new vulnerabilities, isolate what is necessary to trigger them and write signatures to block any exploits targeting them. For Snort, these signatures are called Snort rules — and they’re extremely versatile. They can access specific network service fields, locate a vulnerable parameter and scan that parameter for the presence of an exploit. They can also leverage numerous rule options to traverse protocols and file formats. Written well, these rules can have high efficacy and performance with few or no false positives. This approach to defense is very good at protecting networks from known threats, but what if the threat is unknown? What if a vulnerability is discovered, an exploit for it is written, and the security community has no knowledge of it? We need another approach to defense that doesn’t require prior knowledge of the attack to function.

Over the past year at Cisco, we have been prototyping and building this new approach into a new detection engine for Snort. Today, I am proud to announce we are open-sourcing this engine to the community in the latest Snort 3 release (version 3.1.82.0). This new detection engine is called “SnortML.”

SnortML is a machine learning-based detection engine for the Snort intrusion prevention system. At a high level, there are two components to this new detection engine. The first component is the snort_ml_engine itself, which loads pre-trained machine learning models, instantiates classifiers based on these models and then makes the classifiers available for detection. The second is the snort_ml inspector, which subscribes to data provided by Snort service inspectors, passes the data to classifiers, and then acts on the output of the classifiers.
Currently, the snort_ml_engine module only has one model type, namely the http_param_model, but we plan on building other models in the future. This http_param_model is used for classifying HTTP parameters as malicious or normal. Once the snort_ml_engine loads the http_param_model, it can be used in the snort_ml inspector to detect exploits. The inspector subscribes to the HTTP request data provided by the HTTP inspector through the publish/subscribe interface. It then passes this data (HTTP URI query and optionally HTTP POST body) to a binary classifier based on the http_param_model. This classifier then returns the probability that it saw an exploit. Based on this probability, SnortML can generate an alert, similar to a Snort rule alert, which can be configured to block malicious traffic.

Now that you know how the machine learning engine works, let’s get into how the models work. SnortML models are designed to be extremely flexible, much like their Snort rule counterparts. To that end, we based our models and our inference engine on TensorFlow. The TensorFlow project is a free and open-source library for machine learning and artificial intelligence. Any TensorFlow model can be a SnortML binary classifier model so long as it satisfies three conditions: the model must have a single input tensor and a single output tensor, the input and output tensor types must be 32-bit floating point, and the output tensor must have only a single element. We plan on adding other model types in the future (including multiclass classifiers), but right now this is the only supported model type. The SnortML engine uses TensorFlow through a support library we call LibML. The LibML library handles loading, configuring and running machine learning models for Snort. It also includes the XNNPACK accelerator needed to run CPU-bound models at line rate. The easiest way to build a SnortML model is to use the TensorFlow Keras API.

If you are new to machine learning, don’t worry: Keras is a simple but powerful deep-learning framework that allows you to build neural networks and train them in a few lines of Python. To get started, import the following:

import os
import numpy as np
import tensorflow as tf
from tensorflow.keras import layers
from urllib.parse import unquote_to_bytes

We are going to train our example model on just two samples, but a real production model would use far more:

# Example data
data = [
    { 'str':'foo=1', 'attack':0 },
    { 'str':'foo=1%27%20OR%201=1%2D%2D', 'attack':1 }
]

The next thing we need to do is prepare our data. SnortML models expect input data to be zero-padded which is what we are going to do here:

# Prepare Data
maxlen = 1024
X = []
Y = []

def decode_query(query):
    # '+' is a space in form encoding; then percent-decode to raw bytes
    return unquote_to_bytes(query.replace('+', ' '))

for item in data:
    arr = decode_query(item['str'])[:maxlen]   # truncate to maxlen bytes
    arrlen = len(arr)
    seq = [0] * maxlen                         # zero padding on the left
    for i in range(arrlen):
        seq[maxlen - arrlen + i] = arr[i]
    X.append(seq)
    Y.append(item['attack'])

Now, we need to construct a neural network that can classify our data. This example uses a simple LSTM (Long Short-Term Memory) network, but other combinations of layers available in Keras work here as well. LSTM is a type of neural network that is keenly suited to identifying patterns in sequences of data, such as the sequences of bytes in HTTP parameters. To translate the bytes on the wire to tensors that the LSTM can accept, we can place an embedding layer in front of it. Embedding layers are a kind of association layer: they can learn relationships between input data (bytes in our case) and output those relationships as tensors that the LSTM neurons can accept. Finally, we will converge the output of our LSTM neurons to a single output neuron with a Dense layer. This will serve as the output of the neural network.

#
# Build Model (Simple LSTM)
#
model = tf.keras.Sequential([
    layers.Embedding(256, 32, input_length=maxlen, batch_size=1),
    layers.LSTM(16),
    layers.Dense(1, activation='sigmoid')])
model.compile(loss='binary_crossentropy', optimizer='adam', metrics=['accuracy'])
model.summary()

Now for the fun part — let’s train this neural network:

#
# Train Model
#
model.fit(np.asarray(X).astype(np.float32), np.asarray(Y).astype(np.float32), epochs=100, batch_size=1)

Training output:

Model: "sequential"
-----------------------------------------------------------------
Layer (type)                 Output Shape              Param #
=================================================================
embedding (Embedding)        (1, 1024, 32)             8192
lstm (LSTM)                  (1, 16)                   3136
dense (Dense)                (1, 1)                    17
=================================================================
Total params: 11,345
Trainable params: 11,345
Non-trainable params: 0
-----------------------------------------------------------------
Epoch 1/100
2/2 [==============================] - 1s 129ms/step - loss: 0.6910 - accuracy: 0.5000
...
Epoch 100/100
2/2 [==============================] - 0s 134ms/step - loss: 0.0208 - accuracy: 1.0000

As you can see above, the accuracy of our network increased, and the loss dropped. These metrics show that the neural network learned to differentiate attack from normal in our example dataset. Now, let’s save this model to a file so we can load it in Snort:

#
# Save Model
#
converter = tf.lite.TFLiteConverter.from_keras_model(model)
snort_model = converter.convert()
with open('snort.model', 'wb') as f:
    f.write(snort_model)

Now that we have a model file, we can run it against PCAPs with Snort 3:

$ snort -q --talos \
    --lua 'snort_ml_engine = { http_param_model = "snort.model" };' \
    --lua 'snort_ml = {};' \
    -r test.pcap

##### test.pcap #####
[411:1:0] (snort_ml) potential threat found in HTTP parameters via Neural Network Based Exploit Detection (alerts: 1)
#####

If you have Snort 3 built with debug messages enabled, you can even trace the ML engine input and output.

$ snort -q --talos \
    --lua 'trace = { modules = { snort_ml = { all = 1 } } };' \
    --lua 'snort_ml_engine = { http_param_model = "snort.model" };' \
    --lua 'snort_ml = {};' \
    -r test.pcap

P0:snort_ml:classifier:1: input (query): foo=1' OR 2=2--
P0:snort_ml:classifier:1: output: 0.971977
P0:snort_ml:classifier:1: <ALERT>

##### test.pcap #####
[411:1:0] (snort_ml) potential threat found in HTTP parameters via Neural Network Based Exploit Detection (alerts: 1)
#####

Notice that even with variations in the SQL injection attack above, we still detected it. For years, we had dreamed about tackling the zero-day problem, providing coverage for attacks that were like those we had seen before, but targeting different applications or parameters. Now, with SnortML, this dream is becoming a reality. You can find the SnortML and LibML code here. Feel free to join the conversation on our Discord or on the Snort users mailing list if you have any questions or feedback. 
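As an added example (not Talos' or the Snort project's code), the script below checks a converted model against the three SnortML conditions stated above, reproduces the left-zero-padded encoding used in the training script, and runs the classifier the way the snort_ml inspector would. It assumes the model file is the snort.model written above; the 0.5 alert threshold is an assumption for illustration, not Snort's configured cutoff.

```python
"""Validate a SnortML http_param_model and run it the way the snort_ml
inspector does (added example; not part of the Snort/Talos code)."""
import math
from urllib.parse import unquote_to_bytes

# SnortML accepts a TensorFlow model only if it has one input tensor, one
# output tensor, both 32-bit float, and the output holds a single element.
REQUIRED_DTYPE = "float32"


def _dtype_name(dtype):
    """Normalise the dtype object TFLite reports (numpy class, np.dtype or str)."""
    return getattr(dtype, "__name__", None) or str(dtype)


def check_tensor_details(input_details, output_details):
    """Return a list of violations of the SnortML model conditions.

    The arguments have the shape returned by tf.lite.Interpreter's
    get_input_details()/get_output_details(): lists of dicts with at least
    'shape' and 'dtype'.  An empty list means snort_ml_engine can use it.
    """
    problems = []
    if len(input_details) != 1:
        problems.append(f"expected 1 input tensor, found {len(input_details)}")
    if len(output_details) != 1:
        problems.append(f"expected 1 output tensor, found {len(output_details)}")
    for kind, details in (("input", input_details), ("output", output_details)):
        for d in details:
            name = _dtype_name(d["dtype"])
            if name != REQUIRED_DTYPE:
                problems.append(f"{kind} tensor dtype is {name}, expected {REQUIRED_DTYPE}")
    if len(output_details) == 1:
        n = math.prod(int(x) for x in output_details[0]["shape"])
        if n != 1:
            problems.append(f"output tensor has {n} elements, expected 1")
    return problems


def encode_query(query, maxlen):
    """Encode an HTTP parameter string as the training script does: '+' -> space,
    percent-decode to bytes, truncate to maxlen, then left-pad with zeros."""
    raw = unquote_to_bytes(query.replace("+", " "))[:maxlen]
    return [0] * (maxlen - len(raw)) + list(raw)


def load_classifier(model_path):
    """Load a TFLite model (e.g. snort.model), verify the SnortML conditions
    and return an interpreter ready for inference."""
    import tensorflow as tf  # heavy dependency, imported only when a model is loaded
    interp = tf.lite.Interpreter(model_path=model_path)
    problems = check_tensor_details(interp.get_input_details(),
                                    interp.get_output_details())
    if problems:
        raise ValueError("not a valid SnortML classifier: " + "; ".join(problems))
    interp.allocate_tensors()
    return interp


def classify(interp, query, threshold=0.5):
    """Return (probability, alert) for one HTTP query string.
    The threshold is an assumption for this example, not Snort's setting."""
    import numpy as np
    inp = interp.get_input_details()[0]
    out = interp.get_output_details()[0]
    maxlen = int(inp["shape"][-1])          # 1024 for the model built above
    x = np.asarray([encode_query(query, maxlen)], dtype=np.float32)
    interp.set_tensor(inp["index"], x)
    interp.invoke()
    prob = float(interp.get_tensor(out["index"]).reshape(-1)[0])
    return prob, prob >= threshold


if __name__ == "__main__":
    import sys
    interp = load_classifier(sys.argv[1] if len(sys.argv) > 1 else "snort.model")
    # Constructed sample queries: the benign training sample and a variant of
    # the injection string seen in the trace output above.
    for q in ("foo=1", "foo=1%27%20OR%202%3D2%2D%2D"):
        print(q, classify(interp, q))
```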



from Snort Blog https://ift.tt/gW60LlU
via IFTTT

The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions

In ancient Greek mythos, the mighty Hercules faced a seemingly insurmountable challenge when he encountered the Lernaean Hydra. This fearsome serpent had a terrifying ability: For every head that Hercules severed, two more would spring forth, creating a never-ending cycle of regrowth and renewal. 

Much like the Hydra, modern ransomware gangs present society with a daunting task. When law enforcement manages to take one adversary or low-level member off the streets, the victory is often short-lived. In the hidden depths of these criminal organizations, the heads — or leaders — remain shrouded in shadow, orchestrating their operations often with impunity. 

And so, as one member falls, two more may rise to take their place, perpetuating an enduring saga of illicit activity that is one of the challenges of our time: the ransomware ecosystem. It is a landscape where affiliates tend to move from ransomware group to ransomware group, following the money and bringing their skills and tools with them to conduct new attacks.

In this blog, we’ll explore the recent law enforcement takedown of LockBit, a group that previously held the title of the number one most deployed ransomware variant for two years running. Just seven days after the takedown, LockBit claimed to have resumed operations.

The History of LockBit

LockBit emerged around 2019. Since then, it has continually evolved and innovated to update its ransomware and build its RaaS program.

For the past two years, LockBit ransomware operations accounted for over 25 percent of the total number of posts made to data leak sites. CISA’s assessment is also that LockBit has been the most deployed ransomware variant in recent years.

As we wrote in the 2023 Talos Year in Review report, posts made to the group’s data leak site ebbed and flowed from September 2022 to August 2023. Detections of LockBit activity appear to spike in March, partially coinciding with LockBit’s deployment against vulnerable instances of the printer management software PaperCut, after which it has remained consistently high.

💡
In 2020, Talos researchers made contact with a self-described LockBit operator. Over several weeks, we conducted multiple interviews that gave us a rare, first-hand account of a ransomware operator’s cybercriminal activities. Confirmed theories included LockBit having a profit-sharing requirement that the affiliate has to meet for the first four or five ransoms. This also used to be the case for Maze. Also, keeping your word to the victim is an important part of LockBit’s business model. Read the interview in full here.

The Collaboration Trend

For the past two years, Talos researchers have written about a growing ransomware trend, wherein actors are increasingly collaborating with each other and sharing tools and infrastructure (aka the affiliate model).

For example, Talos recently reported on how the GhostSec and Stormous ransomware groups are jointly conducting double extortion ransomware attacks on various business verticals in multiple countries. The two groups have started a new ransomware-as-a-service (RaaS) program STMX_GhostLocker, providing various options for their affiliates.

We are seeing more diversified groups employing multiple encryption programs, as well as less sophisticated actors “standing on the shoulders” of giants by using leaked ransomware code. Some players are exiting the game altogether, but not before selling their source code to the highest bidder. This is posing significant challenges to the security community, especially when it comes to attributing attacks.

LockBit, too, operated under a RaaS model. It recruited affiliates by offering them a share of the profits and encouraging them to conduct ransomware attacks using LockBit’s tools and infrastructure. These affiliates were often unconnected, and as a result there were many variations in the attacks that used LockBit ransomware.

Notably, the LockBit ransomware group posted on a Russian-speaking dark web forum in December 2023 offering to recruit ALPHV (BlackCat) and NoEscape ransomware affiliates and any of the ALPHV developers, after the Federal Bureau of Investigation (FBI)’s announcement of a disruption campaign against the ALPHV ransomware operation.

Operation Cronos

The NCA, working closely with the FBI and supported by international partners from nine other countries, covertly investigated LockBit as part of a dedicated taskforce called Operation Cronos.

On Feb. 20, 2024, after infiltrating the group’s network, the NCA took control of LockBit’s primary administration environment. This environment enabled affiliates to build and carry out ransomware attacks, as well as host the group’s public-facing leak site on the dark web, which was used to threaten the publication of data stolen from victims. 


The technical infiltration and disruption were only the beginning of a series of actions against LockBit and their affiliates. In wider actions coordinated by Europol, at least three LockBit affiliates were arrested in Poland and Ukraine, and more than 200 cryptocurrency accounts linked to the group have been frozen.

The Return

Seven days after the operation, messages and leak information were published on a new LockBit page. Here are screenshots of their leak site taken daily from Feb. 27 – March 4, showing a sharp increase in the number of victim cards on March 3.


The site lists both pre- and post-takedown victims, suggesting LockBit may not have lost access to their entire dataset or infrastructure. 

Of particular interest is the fbi.gov card in the lower right corner, which links to a lengthy writeup (in English and Russian) stating what LockBit thinks happened during the operation. The writeup covers lessons learned and speculation, and attempts to discredit the law enforcement agencies involved. Talos believes the operation was carried out by the NCA, not by the FBI as LockBit claims.

A recurring theme

While LockBit is currently dominating the headlines, we’ve seen similar stories before following takedown attempts. For example, the commodity trojan Trickbot had its infrastructure dismantled in February 2022.

However, Talos telemetry picked up Trickbot activity throughout 2023, as covered in our Year in Review.


Still open for business

Talos has intelligence that LockBit is still accepting affiliates into their program.

Does this mean that law enforcement operations are pointless? Far from it. Takedown attempts such as Operation Cronos severely disrupt ransomware operations and force operators to change their attacks. The operation against LockBit doesn’t appear to have inflicted the final blow against the ransomware group, but it has wounded them.

We also know that law enforcement was able to obtain troves of intelligence through their operation. That intelligence will be useful in further disruptions, undermining LockBit's growth. Therefore, if you put LockBit into a market perspective, they appear to be quite exposed.

Crucially, as with the case of LockBit, decryption tools can be released so that victims of ransomware can gain access to their systems again. In January Talos obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor.

Therefore, it’s important not to view this operation as a “one and done” effort. Sustained, targeted approaches from law enforcement and the defender community can and do have a significant impact. For example, following the FBI’s actions against BlackCat/ALPHV, the group reportedly denied an affiliate a $22 million ransomware payment before subsequently going out of business in early March, as Brian Krebs wrote about on his website a few days ago.

Azim Khodjibaev from Talos’ threat interdiction and intelligence organization team discusses the ebbs and flows of ransomware groups after a takedown in the episode of Talos Takes below. This episode was recorded in 2022 after a separate law enforcement operation to disrupt LockBit.

The lucrative affiliate model

One of the major issues when tackling ransomware crime is the nature of the affiliate program, with actors often working for multiple RaaS outfits at a time. In underground forums, we are seeing increased advertisements by RaaS groups showcasing their affiliate programs and offering profit shares. They can offer large profits, as threat actors can conduct multiple campaigns using the encryption programs that are offered or distributed. 

In the case of the GhostSec group, their business model offers affiliates three different options: a paid version, a free version, and a version for actors who don’t want to become a member of the ransomware gang but would like to publish victim data on its leak site.

We are also seeing multiple groups working together, sharing their malicious tooling with each other, then falling out, and then building trust back up with each other, adding to the difficulty in attributing attacks. Here are Talos’ Nick Biasini and Matt Olney talking about the impact of leaked ransomware code, where Matt describes the situation as “The Real Housewives of Eastern Europe:”

Fundamentally, ransomware continues to be hugely profitable and widespread. In the last quarter, the Talos Incident Response team responded to ransomware incidents involving Play, Cactus, BlackSuit and NoEscape ransomware for the first time, and there was a 17% rise in ransomware incidents in this quarter.

In the end, Operation Cronos may have disrupted LockBit’s operations temporarily, with valuable assets gained, a weaker market position for the group, and a few affiliates now sitting in jail. However, the Hydra’s roots run deeper, and this is why we may continue to see LockBit activity throughout the course of the year.

Where to go from here

Like Hercules, who outwitted the Hydra with a blend of strength and strategy, our law enforcement’s relentless efforts are essential and commendable. It’s going to take persistent, strategic efforts to significantly damage RaaS operations and weaken the regenerative power of these gangs. Arrests at the top will be a key part of this. In the case of LockBit, it appears as though the leaders of the group have evaded arrest on this occasion.

At the same time, the people of Lerna (or us, the private defenders) need to pay attention to the entire threat landscape. We can’t rely on Hercules alone to take them down, just as we can’t be sure there is only a single Hydra.

Read more about the recent ransomware operations Talos Incident Responders engaged in.
from Cisco Talos Blog https://ift.tt/dG7MeIK
via IFTTT