Decipher (https://decipher.sc)

Decipher is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world. Contact: info@decipher.sc (Amy Vazquez). Copyright 2024.

DoJ Charges Iranian After Hacks of U.S. Defense Contractors
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://duo.com/decipher/iranian-charged-after-hacks-of-defense-contractors-u-s-gov-entities

The Department of Justice has charged an Iranian national for his alleged involvement in a cyberattack that attempted to compromise both private sector companies and U.S. government entities, including the Treasury Department and State Department.

The individual, Alireza Shafie Nasab, 39, of Iran, remains at large, and in addition to the charges the U.S. government is offering a reward of up to $10 million for information leading to his identification or location. Nasab was allegedly a member of a hacking organization between 2016 and 2021 that targeted more than a dozen U.S. companies, including several cleared defense contractors that supported U.S. Department of Defense programs. The group also targeted a New York-based accounting firm and a hospitality company.

“While purporting to work as a cybersecurity specialist for Iran-based clients, Mr. Nasab allegedly participated in a persistent campaign to compromise U.S. private sector and government computer systems,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division in a Thursday statement. “Today’s charges highlight Iran’s corrupt cyber ecosystem, in which criminals are given free rein to target computer systems abroad and threaten U.S. sensitive information and critical infrastructure.”

The group worked under the guise of an Iran-based cybersecurity services company called Mahak Rayan Afraz, and operated on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC). As part of the group, Nasab procured infrastructure by using a stolen identity to register a server and email accounts that were used for campaigns.

As part of these hacking campaigns, the group used spear-phishing tactics to infect victims with malware. They would first compromise an administrator email account for a defense contractor, allowing them to then create unauthorized accounts and send subsequent spear-phishing emails from those accounts to employees from a different defense contractor or private company. Social engineering was a large part of these campaigns, and the group impersonated others, usually women, to gain their trust.

In one incident, the group was able to compromise more than 200,000 victim employee accounts, and in another they targeted 2,000 employee accounts.

“In order to manage their spear-phishing campaigns, the group created and used a particular computer application, which enabled the conspirators to organize and deploy their spear-phishing attacks,” according to the Justice Department.

According to the Justice Department, Nasab is charged with counts of conspiracy to commit computer fraud, conspiracy to commit wire fraud, wire fraud and aggravated identity theft.

Decipher Podcast: Source Code 3/1
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://duo.com/decipher/decipher-podcast-source-code-3-1

New Malware Sets Stage For Persistence in Ivanti Exploits
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://duo.com/decipher/new-malware-used-for-persistence-in-ivanti-exploits

As part of the continual mass exploitation activity against previously disclosed and patched Ivanti flaws, China-linked threat actors are using a new malware variant in an attempt to maintain a foothold on infected appliances across system upgrades, patches and factory resets.

While investigating exploitation efforts against one of several recent flaws in Ivanti Connect Secure and Policy Secure - a server-side request forgery bug (CVE-2024-21893) - Mandiant researchers found Chinese cyber espionage operator UNC5325 using a combination of living-off-the-land tactics and various strains of malware to evade detection and set up persistence mechanisms on impacted devices.

“UNC5325’s TTPs and malware deployment showcase the capabilities that suspected China-nexus espionage actors have continued to leverage against edge infrastructure in conjunction with zero days,” according to researchers in an analysis this week. “Mandiant expects UNC5325 as well as other China-nexus espionage actors to continue to leverage zero day vulnerabilities on network edge devices as well as appliance-specific malware to gain and maintain access to target environments.”

In “limited” incidents, researchers observed attackers using SparkGateway plugins in their attacks. SparkGateway is a legitimate Ivanti Connect Secure component that facilitates the use of remote access protocols like RDP over a browser, but attackers have been abusing the component to inject a shared object through the Java Native Interface.

This shared object - which consisted of malware that researchers classify as LITTLELAMB.WOOLTEA - then deployed backdoors and attempted to set up a deep level of persistence. The malware called a function to append its malicious components to an archive (/data/pkg/data-backup.tgz) in an attempt to survive system upgrades and patches, for instance. The malware also contains a function that continually monitors the filesystem for system upgrade events, and if such an event exists it appends its components into an archive that is decompressed during system upgrade processes.


“During a system upgrade or when applying a patch, data-backup.tgz contains a backup of the data directory that is restored after the upgrade event,” said Mandiant researchers. “In addition, the function timestomps data-backup.tgz by calling utimensat. This modification would ensure its malicious components (plugin.jar, libchilkat.so, and gateway.conf) persist across system upgrades and patches.”

The incidents - while they were unsuccessful in ensuring persistence for factory resets - reflect how Chinese threat actors are going the extra mile to maintain a foothold on infected systems. For end users of products impacted by vulnerabilities, such a deep level of persistence causes pain points for remediation efforts. Last year, an “aggressive” China-linked actor (UNC4841) targeted the well-known Barracuda Email Security Gateway (ESG) appliance flaw, and deployed additional tooling in the attacks allowing them to maintain their presence on infected appliances. Barracuda at the time urged certain impacted customers to replace their ESG appliances.

“Similar to UNC4841’s familiarity with Barracuda ESGs, UNC5325 demonstrates significant knowledge of the Ivanti Connect Secure appliance as seen in both the malware they used and the attempts to persist across factory resets,” said researchers. “While the limited attempts observed to maintain persistence have not been successful to date due to a lack of logic in the malware's code to account for an encryption key mismatch, it further demonstrates the lengths UNC5325 will go to maintain access to priority targets and highlights the importance of ensuring network appliances have the latest updates and patches.”

Ivanti, for its part, has rolled out patches for this vulnerability and other related ones in Connect Secure and Policy Secure. Customers are being urged to immediately apply the patches, and Mandiant researchers said a new version for the external Integrity Checking Tool (ICT) is available to help customers detect persistence attempts like these.

“The exploitation of the Ivanti zero-days has likely impacted numerous appliances,” said researchers. “While much of the activity has been automated, there has been a smaller subset of follow-on activity providing further insights on attacker tactics, techniques, and procedures (TTPs). Mandiant assesses additional actors will likely begin to leverage these vulnerabilities to enable their operations.”

CISA, FBI Warn of Continued BlackCat Ransomware Activity
By Dennis Fisher (dennis@decipher.sc)
https://duo.com/decipher/cisa-fbi-warn-of-continued-blackcat-ransomware-activity

It has been two months since the FBI and international law enforcement agencies disrupted some of the operations of the BlackCat ransomware group, but elements of the group have continued their intrusions and are mainly targeting health care organizations.

In a new advisory on the group’s activities, the FBI, the Department of Health and Human Services, and the Cybersecurity and Infrastructure Security Agency warned that BlackCat, also known as ALPHV, is still operating despite the law enforcement disruption and the release of a decryption tool to help victims recover their data. That disruption involved the use of a confidential informant inside the BlackCat operation and allowed law enforcement to gain access to the control panel used by the group’s affiliates and gather nearly 1,000 public/private Tor key pairs that BlackCat affiliates used for leak sites, victim sites, and other sites.

But the disruption didn’t completely stop BlackCat’s operations. Shortly after the law enforcement action, the administrator of the BlackCat ransomware asked affiliates to specifically go after health care organizations.

“Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized. This is likely in response to the ALPHV Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023,” the advisory says.

About a year ago, BlackCat released a new version of the ransomware called Sphynx, which included some new defense-evasion features and the ability to encrypt Windows, Linux, and VMware instances. The group has hit more than 1,000 victims in total, and many of them have been hospitals or other health care organizations. Most recently, BlackCat has claimed responsibility for the intrusion at Change Healthcare this week. That incident is affecting not just Change Healthcare, but also pharmacies that rely on the company’s IT systems to process prescriptions.


BlackCat affiliates use a range of social engineering tactics to gain access to target networks, often posing as IT or help desk staff in order to establish trust with individual victims. The affiliates then typically install a legitimate remote access tool such as AnyDesk and use it for eventual data exfiltration.

“ALPHV Blackcat affiliates claim to use Brute Ratel C4 and Cobalt Strike as beacons to command and control servers. ALPHV Blackcat affiliates use the open source adversary-in-the-middle attack framework Evilginx2, which allows them to obtain multifactor authentication (MFA) credentials, login credentials, and session cookies. The actors also obtain passwords from the domain controller, local network, and deleted backup servers to move laterally throughout the network,” the advisory says.

The continued operation of some BlackCat affiliates after the law enforcement action highlights the difficulty of completely taking a ransomware-as-a-service operation off the board. There have been many actions by law enforcement against ransomware groups over the years, including Hive, Ragnar Locker, and most recently, LockBit. A conglomeration of international law enforcement agencies targeted the LockBit operation last week, taking down the group’s infrastructure, indicting two alleged LockBit operators, and freezing hundreds of cryptocurrency wallets. But within days, some LockBit affiliates were boasting of new intrusions, although some of those claimed victims may have been compromised before the disruption and only leaked publicly afterward.

White House Aims to Curb Data Broker Sales to Foreign Countries
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://duo.com/decipher/white-house-aims-to-curb-data-broker-sales-to-foreign-countries

A new executive order issued by the Biden administration aims to stop "countries of concern" - like China, Russia, Iran, North Korea, Cuba and Venezuela - from accessing sensitive American data.

Personal, financial, geolocation and biometric data is frequently accessed via breaches, but the executive order instead focuses on the collection of this type of data through the legal commercial market. While privacy experts have cited various concerns over the years with how data brokers broadly access, utilize and share information, the executive order specifically looks at data being sold to specific foreign countries. The concern, said the White House, is that sensitive American data would land in the hands of intelligence services, militaries or companies owned by governments, which could open the door for various privacy and counterintelligence risks - and potentially enable countries to collect information about activists or dissidents.

“The President’s Executive Order focuses on Americans’ most personal and sensitive information, including genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personally identifiable information,” according to the executive order, issued on Wednesday. “Bad actors can use this data to track Americans (including military service members), pry into their personal lives, and pass that data on to other data brokers and foreign intelligence services. This data can enable intrusive surveillance, scams, blackmail, and other violations of privacy.”

Currently, limited legal restrictions exist to prevent the trade of Americans’ personal data to companies and governments overseas, and lawmakers like Sen. Ron Wyden (D-Ore.) have pointed out how China in particular obtains vast amounts of personal data - like cell phone locations, credit card purchases and web browsing history - through the open market. Various governmental efforts have targeted different aspects of foreign data acquisition over the years, including a 2018 order by the Committee on Foreign Investment in the U.S. that prevented U.S.-based companies with large amounts of sensitive Americans’ data from being sold to foreign firms. The Protecting Americans’ Data From Foreign Surveillance Act, proposed three years ago by Wyden, focused less on the companies holding the data and more on the data itself by introducing the concept of a license requirement for foreign companies to trade U.S. citizens’ personal information.

The executive order, on the other hand, looks to leverage the authorities of various governmental agencies to help set up “clear protections” for sensitive data, though detail on the scope and scale of these protections is yet to be seen. Under the executive order, the Attorney General is ordered to block the large-scale transfer of Americans’ personal data to certain countries, and the Justice Department is required to issue regulations that prohibit the transaction of certain types of data “that pose an unacceptable risk to national security.” This includes sensitive government-related data, like geolocation data on sensitive sites or information about military members.

The Justice Department and DHS are also mandated to set “high security standards” to prevent certain countries from accessing Americans’ data through commercial means, with the executive order citing commercial means like data available through investment, vendor and employment relationships. Finally, the Department of Health and Human Services, DoD, and Department of Veterans Affairs are ordered to "help ensure that Federal grants, contracts, and awards are not used to facilitate access to Americans’ sensitive health data by countries of concern, including via companies located in the United States."

Moving forward, as part of its role in the executive order, the Justice Department said it will issue a notice of proposed rulemaking that will publicly describe the categories of transactions that involve bulk sensitive personal data, and will seek public comment before its rule goes into effect.

In a statement, Wyden praised the White House's executive order as a necessary crackdown on "shady data brokers" - but said that the measures should extend beyond the listed "countries of concern."

"I appreciate that the executive order in some ways mirrors my bipartisan Protecting Americans’ Data from Foreign Surveillance Act," said Wyden. "However, the Administration’s decision to limit personal data flows only to a handful of countries of concern, like China, is a mistake. Authoritarian dictatorships like Saudi Arabia and UAE cannot be trusted with Americans' personal data, both because they will likely use it to undermine U.S. national security and target U.S. based dissidents, but also because these countries lack effective privacy laws necessary to stop the data from being sold onwards to China."

Caitlin Fennessy, with the International Association of Privacy Professionals (IAPP), said the big question is whether the executive order should be considered “a stark deviation from decades of U.S. support for data flows or a targeted set of privacy protections for sensitive personal data in response to concrete national security threats.”

“Given longstanding difficulties advancing broad-based federal privacy legislation, the Administration may have viewed this executive order as the only viable alternative to address what it perceived as an imminent risk,” said Fennessy. “Privacy professionals will now turn their attention to the practical implications - which organizations, data and transfers are implicated now, which might be down the line and what is needed to comply.”

FBI Warns of APT28 Attacks on Ubiquiti Routers
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://duo.com/decipher/fbi-details-apt28-attacks-on-ubiquiti-edgerouters

In a new joint advisory, law enforcement authorities from the U.S. and other countries are urging users of Ubiquiti EdgeRouters to take a number of measures to protect their devices against attacks by Russian threat actors, such as performing a hardware factory reset, upgrading to the latest firmware version and changing default credentials.

The advisory comes two weeks after the U.S. government announced that in January it had disrupted a botnet that was being used by Russia's GRU Military Unit 26165, also known as APT28. Law enforcement was able to neutralize the malware network made up of hundreds of Ubiquiti routers - but despite this disruption, the FBI this week said that device owners should still take remediation steps to prevent similar compromises. The agency on Tuesday released IoCs and highlighted TTPs for APT28 and for the malware associated with the botnet, in its advisory in coordination with the NSA, US Cyber Command, and international partners from Belgium, Brazil, France, Germany, Latvia, Lithuania, Norway, Poland, South Korea, and the United Kingdom.

“This advisory provides observed tactics, techniques, and procedures, indicators of compromise, and recommendations to mitigate the threat posed by APT28 threat actors related to compromised EdgeRouters,” according to the FBI in a Tuesday update. “Given the global popularity of EdgeRouters, the FBI and its international partners urge EdgeRouter network defenders and users to apply immediately the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of cybersecurity incidents associated with APT28 activity.”

According to the FBI, threat actors used compromised EdgeRouters as early as 2022 in order to target critical infrastructure sectors, including aerospace and defense, governments, hospitality and manufacturing, in countries including the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, United Arab Emirates, and the U.S. Threat actors used default credentials and trojanized OpenSSH server processes in order to access the routers, which they then leveraged to collect credentials, proxy network traffic, and host malicious landing pages. They also leveraged various custom post-exploitation tools, including a Python backdoor called MASEPIE that was capable of executing arbitrary commands on victim machines.


“For example, in early 2023, APT28 actors authored custom Python scripts to collect account credentials for specifically targeted webmail users," according to the FBI. "APT28 actors uploaded these custom Python scripts to a subset of compromised Ubiquiti routers to validate stolen webmail account credentials collected via cross-site scripting and browser-in-the-browser spear-phishing campaigns."

In their attacks, threat actors targeted zero-day vulnerabilities, including a critical elevation-of-privilege vulnerability in Microsoft Outlook on Windows (CVE-2023-23397), which they leveraged to collect NTLMv2 digests from targeted Outlook accounts. As part of these attacks the actors also installed publicly available tools - such as Impacket ntlmrelayx.py - to assist with NTLM relay attacks and for hosting malicious NTLMv2 authentication servers.

“In summary, with root access to compromised Ubiquiti EdgeRouters, APT28 actors have unfettered access to Linux-based operating systems to install tooling and to obfuscate their identity while conducting malicious campaigns,” according to the FBI.

As the U.S. government initially outlined in its disruption announcement, one unique aspect to this botnet is that it leveraged the Mirai-based Moobot malware, which is associated with a cybercriminal group. Previous Russian-operated malware networks that U.S. law enforcement has disrupted have been instead created from scratch by the GRU, said the Justice Department.

The FBI is urging potentially targeted organizations to change their Ubiquiti passwords, as many EdgeRouters are shipped with default credentials and limited to no firewall protections, and attackers have leveraged those default credentials to access the routers.

Additionally, “all network owners should keep their operating systems, software, and firmware up to date,” according to the FBI. “Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. For CVE-2023-23397, updating Microsoft Outlook mitigates the vulnerability. To mitigate other forms of NTLM relay, all network owners should consider disabling NTLM when feasible, or enabling server signing and Extended Protection for Authentication configurations.”

Decipher Podcast: Alex Delamotte
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://duo.com/decipher/decipher-podcast-alex-delamotte

CISA Details Cloud-Focused Attack Techniques Used by APT29
By Dennis Fisher (dennis@decipher.sc)
https://duo.com/decipher/cisa-details-cloud-focused-attack-techniques-used-by-apt29

The United States government and several of its allies are warning organizations about new and evolving tactics being used by APT29, one of the more mature and active threat groups, to target cloud services and gain access to sensitive data.

APT29, also known widely as Cozy Bear, is a group associated with the Russian SVR intelligence service and is responsible for the SolarWinds supply chain attack in 2020, among other high-profile intrusions. The group is well-resourced and mature in its capabilities and tactics, and in the new advisory, the Cybersecurity and Infrastructure Security Agency and some of its foreign partner agencies said APT29 is adapting its techniques to target cloud providers and using a variety of methods to gain initial access. APT29 has targeted government agencies, energy companies, health care organizations, and policy groups in the past, but is now also going after military, aviation, and education targets.

“As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment. They have to move beyond their traditional means of initial access, such as exploiting software vulnerabilities in an on-premises network, and instead target the cloud services themselves,” the advisory says.

“To access the majority of the victims’ cloud hosted network, actors must first successfully authenticate to the cloud provider. Denying initial access to the cloud environment can prohibit SVR from successfully compromising their target. In contrast, in an on-premises system, more of the network is typically exposed to threat actors.”

Historically, APT29 has targeted exposed network devices for initial access, compromising servers, VPN devices, and endpoints through various means. Now, as more and more organizations have moved much of their infrastructure and data to the cloud, attackers have had to adapt their techniques and targeting. APT29 in particular has begun using common techniques such as password spraying and brute forcing to gain access to service accounts and unused accounts on cloud platforms. Service accounts are particularly attractive targets: they are used to manage apps and services on cloud platforms, and they typically are not protected by MFA because there is no specific human behind them.

“Service accounts are often also highly privileged depending on which applications and services they’re responsible for managing. Gaining access to these accounts provides threat actors with privileged initial access to a network, to launch further operations,” the advisory says.

“SVR campaigns have also targeted dormant accounts belonging to users who no longer work at a victim organization but whose accounts remain on the system.”

In addition, SVR attackers have combined password spraying with MFA fatigue attacks in order to gain access to individual accounts on cloud platforms. Cybercrime groups commonly use this technique to target high-value people inside an organization.

“Once an actor has bypassed these systems to gain access to the cloud environment, SVR actors have been observed registering their own device as a new device on the cloud tenant. If device validation rules are not set up, SVR actors can successfully register their own device and gain access to the network,” the advisory says.

Common best practices such as implementing MFA wherever possible and using the principle of least privilege on service accounts can help organizations defend against these tactics.

Nation-State Threat Actors Hit Change Healthcare
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://duo.com/decipher/nation-state-threat-actors-hit-change-healthcare

Health insurance company UnitedHealth Group said it is responding to a cyberattack by a nation-state threat actor impacting the IT systems of its Change Healthcare subsidiary.

According to a filing with the SEC last week, UnitedHealth said it found out on Feb. 21 that the actors gained access to some of Change Healthcare’s systems. After this discovery the company immediately disconnected Change’s systems to prevent further impact. Change Healthcare, which merged with Optum healthcare in 2022 and is owned by UnitedHealth, offers an array of healthcare solutions and applications for hospitals and pharmacies, including ones related to payments and revenue cycle, clinical and imaging and patient engagement.

“We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online,” according to a Monday update on Change Healthcare’s website. “We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect. The disruption is expected to last at least through the day.”

In its SEC Form 8-K filing, UnitedHealth said the disruption is specific to Change Healthcare systems and other systems across the company don’t appear to be impacted. However, it did not detail the nature of the incident or how it occurred. UnitedHealth said it can’t estimate the duration of time that systems will be disconnected, or the extent of the disruption, but currently it “has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.” Optum’s website says that it serves 101 million unique consumers.

Pharmacies like CVS that rely on Change Healthcare IT systems are feeling an impact due to the cyberattack, but in a statement, a CVS spokesperson said "there is no indication that CVS Health’s systems have been compromised."

"We have business continuity plans in place to minimize disruption of service and apologize for any inconvenience our customers and members may experience," said the CVS spokesperson. "We’re continuing to fill prescriptions but in certain cases we are not able to process insurance claims, which our business continuity plan is addressing to ensure patients continue to have access to their medications."

The American Hospital Association (AHA) on Saturday recommended that all healthcare organizations that have been “disrupted or potentially exposed” by the incident disconnect from Change Healthcare applications. At the same time, each healthcare organization should continue to monitor and evaluate the updates from Change Healthcare “to inform its own risk-based decisions regarding non-impacted systems.”

“Due to its sector-wide presence and the concentration of mission critical services it provides, the reported interruption could have significant cascading and disruptive effects on the health care field within revenue cycle, pharmacy, certain health care technologies, clinical authorizations and other services,” according to the AHA.

Activity by ransomware and nation-state groups against the healthcare and public health sector has continued over the past few years, with threat actors like Daixin Team and the LockBit ransomware group targeting healthcare organizations and hospitals.

Challenges Remain in Evaluating Ransomware Crackdowns
By Lindsey O’Donnell-Welch (lindsey@decipher.sc)
https://duo.com/decipher/challenges-remain-in-evaluating-ransomware-crackdowns

UPDATE - An international takedown operation targeting the LockBit ransomware group’s technical infrastructure, and hitting associated individuals with arrests, indictments and sanctions, was celebrated as a major win earlier this week.

However, questions remain about what types of long-term effects this law enforcement action will have, both on LockBit and on the ransomware threat landscape as a whole. Ransomware-as-a-service operations are distributed by nature, so even an operation as comprehensive as the one executed against the LockBit group isn't likely to completely eliminate the threat. The continued activity of some affiliates after this kind of disruption also illustrates the challenge of measuring the impact of these operations.

Over the last year, law enforcement agencies have carried out varying types of disruptive measures against ransomware groups, including efforts to target infrastructure, seize backend servers and take down darknet sites, as seen in the Hive and BlackCat disruptions. Other operations - including ones against Ragnar Locker - have gone a step further by taking action against the individuals behind these groups themselves, including arrests, sanctions and indictments. Many of the operations, including the one against LockBit, have also led to the release of decryptors for these ransomware families, allowing targeted businesses to recover their files.

While these takedown operations certainly have a positive impact, there are deep-rooted difficulties in measuring substantial long-term changes. Different factors make this assessment more difficult, including the varying scale of disruptions - whether they include a hit to infrastructure or if cybercriminals are being locked up, for instance - and the complexity of the ransomware ecosystem, which includes both operators and affiliates.

“It is actually really hard to track the impact of ransomware takedown operations for many of the same reasons that it is hard to track ransomware attacks overall,” said Allan Liska, intelligence analyst with Recorded Future. “A lot of the challenges stem from the fact that we are often reliant on cybercriminal reporting for tracking ransomware attacks. When a large operation, such as LockBit or Hive, is taken offline we often don't know if there is a real dip or if it is just taking a while for the regrouped ransomware actor to get a new data leak site online.”

Looking at the Ransom Data

Part of the problem stems from difficulties in measuring the scale of ransomware attacks themselves. The data available here is highly fragmented, but examining trends in the ransom payments that are made during these attacks can help provide valuable insight, said Jackie Burns Koven, head of Cyber Threat Intelligence at Chainalysis.

“Ultimately, we want to see total ransom payments decline over time, or at least make it harder for threat actors to cash out,” said Koven. “Measuring total ransom payments and their difference year-over-year is a good benchmark to track to understand the overall ransomware ecosystem.”

Chainalysis looked closely at the Hive takedown operation announced by law enforcement in 2023; as part of this operation, the FBI targeted infrastructure and released decryption keys to help victims. The FBI estimated that the release of the decryptor prevented $130 million in payments to Hive. However, that figure accounts only for the impact of the decryptor, not for how the operation affected the broader activities of ransomware affiliates, and Chainalysis estimated that the operation “significantly altered the ransomware landscape as a whole last year.”

“During the six months the FBI infiltrated Hive, total ransomware payments across all strains hit $290.35 million,” according to Chainalysis. “But our statistical models estimate an expected total of $500.7 million during that time period, based on attacker behavior in the months before and after the infiltration — and that’s a conservative estimate. Based on that figure, we believe the Hive infiltration may have averted at least $210.4 million in ransomware payments.”

While this is one source of information, looking solely at the ransom payments has its limitations. For one, this data doesn’t take into account organizations that have been hit but opted not to pay a ransom, such as MGM Resorts International, which was hit by a ransomware attack last year in which it did not pay (though the incident still cost the company approximately $100 million). Tracking ransom payments also excludes external factors that may influence the ransomware ecosystem, including the infighting or dysfunctional operations that occasionally play out within ransomware groups.

The FBI, for its part, said that for every cybercriminal case it has looked at the impact the operation had on the victims.

“Going back as far as Sodinokibi, then Hive, Blackcat, and now Lockbit the FBI and our partners have provided decryption capabilities to victims of ransomware attacks,” according to the FBI. “We also look at the impact to the cyber criminal ecosystem and what we call the key services, malware, infrastructure, communications, and finances. Taking out one of the key services disrupts the threat actors’ abilities to attack victims. In Lockbit, the NCA and FBI seized and destroyed all Lockbit's infrastructure. While a subject can stand up new infrastructure, we made it more difficult for them to operate and prevented countless new victims.”

When following up on the impact of the LockBit takedown operation, “we could conduct an analysis similar to the one we conducted around Hive,” said Koven.

“But overall we will be looking to see how Lockbit affiliates adapt after the takedown and how other ransomware actors potentially change their operating procedures in light of the actions taken against LockBit. Will they lose trust and leave the illicit business? Will LockBit affiliates migrate to work more with other groups? Will new ransomware strains emerge?”

More Public Data

Another way to measure ransomware operations - and thus the impact of law enforcement crackdowns - is by tracking the attacks via public incident reporting, through the number of victims posted to extortion sites or in privately collected data from incident response.

This data paints a somewhat different perspective of the Hive takedown. Recorded Future’s Liska said researchers tracked a “fairly significant” dip in reported ransomware attacks the month after that disruption, but Hive’s affiliates soon migrated to use ransomware like LockBit or BlackCat (also known as ALPHV), and attacks soon picked back up. Again, when law enforcement disrupted BlackCat infrastructure in December 2023, researchers with Recorded Future saw a “big drop” in January 2024.

“What will be interesting to see is what impact the stacking of these takedowns, ALPHV followed so quickly by LockBit, has on the numbers - in other words, how disruptive back-to-back major government actions against ransomware groups really are,” said Liska.

Still, there are challenges here in capturing the full picture and making direct correlations. The current availability of public data is limited, and even with that data available there are several unknowns about who the victims are, if a ransom was paid, and whether any specific aspects of a law enforcement operation - whether an arrest or a sanction - had a more meaningful impact.

“It’s a work in progress,” said Megan Stifel, the chief strategy officer at the Institute for Security and Technology and co-chair of the Ransomware Task Force. “There are facts and figures that have been cited in this [LockBit] press release, but unfortunately any efforts to measure at this stage are still not where we want them to be because we don’t have reporting requirements in place yet. Once we do, I think that it will go a long way toward helping us better measure the impact of arrests and takedowns.”

From a long-term perspective, more consistent cyber incident data reporting could translate to a fuller picture about the scope, scale and impact of ransomware attacks, which in turn could help interpret whether certain steps are effective in hindering cybercriminals, such as sanctions by governments or disruption efforts.

Currently, however, a number of challenges are preventing that full picture from coming together. The government relies on regulatory policies for cyber incident reporting, but the current regulatory landscape is made up of a patchwork of different guidelines across several agencies, adding layers of complexity to the process of reporting incidents. There are also concerns about the government’s realistic ability to process and analyze data once it has been reported - and on the other side, the right incentives are needed for organizations that have historically feared reputational backlash from reporting.

In the meantime, Stifel hopes that a better relationship between the government and private sector will maximize the information sharing needed to track takedown efforts like the one against LockBit.

“The ongoing monitoring of the impact of this takedown is important,” said Stifel. “It’s important here that law enforcement engage with the industry to look for reflections of this takedown. Once you throw the rock there will be impacts - it will create ripples, and it’s important to watch where those ripples reach other targets.”

This article was updated on Feb. 26 to include comments from the FBI.

<![CDATA[Decipher Podcast: Source Code 2/23]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/decipher-podcast-source-code-2-23 https://duo.com/decipher/decipher-podcast-source-code-2-23

<![CDATA[Critical ScreenConnect Flaw Under Active Exploitation]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/critical-screenconnect-flaw-under-active-exploitation https://duo.com/decipher/critical-screenconnect-flaw-under-active-exploitation

UPDATE--Attackers are actively exploiting the critical authentication bypass in the ConnectWise ScreenConnect software disclosed on Monday and there is now proof-of-concept exploit code available for the flaw, as well.

The flaw (CVE-2024-1709) affects all versions of ScreenConnect below 23.9.8. Researchers who’ve analyzed it found that the bug is quite easy to exploit, and several research and incident response teams have reported confirmed exploitation of vulnerable instances. The Shadowserver Foundation has identified about 3,800 vulnerable instances of ScreenConnect online, but that number doesn't approximate the real potential for damage, since each of those servers could control hundreds or thousands of endpoints.

"I feel like people are sleeping on the blast radius of this. One server could have eighty or a hundred organizations managed for remote support. It’s not just about the splash, it’s the ripple that’s gonna catch people," said Kyle Hanslovan, CEO of Huntress, which has done extensive research on the vulnerability and its effects.

ConnectWise issued an advisory for the authentication bypass vulnerability, along with a path traversal bug, on Monday, but there was very little technical information in it, and for good reason as it turns out.

“There was not much information available as to what these vulnerabilities really consisted of, how they might be taken advantage of, or any other threat intelligence or indicators of compromise to hunt for. Once we recreated the exploit and attack chain, we came to the same conclusion: there should not be public details about the vulnerability until there had been adequate time for the industry to patch. It would be too dangerous for this information to be readily available to threat actors,” researchers from Huntress wrote in an analysis.

“The ‘exploit’ is trivial and embarrassingly easy.”

ScreenConnect is a remote desktop support and administration application used in a variety of scenarios in enterprises, often for remote technical support.

"Some people don't even know they have it in their environments. They can't patch it and the best they can do is remove it," Hanslovan said.

The Huntress analysis found that the issue is related to the way the setup wizard for ScreenConnect works. A quirk in the code allows users–or attackers–to gain access to the setup wizard under circumstances that shouldn’t be allowed.

“If the request path does not match “/SetupWizard.aspx,” then the setup wizard will be allowed regardless of the setup state of the instance. This would normally not be exploitable, but .Net has weird functionality that allows URL path components after a mapped legitimate URL to be passed along to the application,” the Huntress analysis says.

“Putting this together, it means we can simply request “/SetupWizard.aspx/literallyanything” and we should be allowed to access the setup wizard on already-configured ScreenConnect instances.”

The setup wizard creates the administrative user for the software and installs the license key. Once the initial admin user is created, which happens before the license is installed, the attacker has the ability to execute arbitrary code.

“Once you have administrative access to a compromised instance, it is trivial to create and upload a malicious ScreenConnect extension to gain Remote Code Execution (RCE). This is not a vulnerability, but a feature of ScreenConnect, which allows an administrator to create extensions that execute .Net code as SYSTEM on the ScreenConnect server,” the analysis says.
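To make the path-matching flaw concrete, here is an added Python model (not ConnectWise or Huntress code) of the exact-match gate Huntress described, beside a hardened check that decides on the resolved handler rather than the raw string, plus a scan of constructed IIS-style log lines for the wizard-with-trailing-path request shape a defender would hunt for. The `Instance` class, the gate functions and the log field layout are assumptions made for the example.

```python
"""Added example modelling the ScreenConnect setup-wizard gate described by
Huntress (CVE-2024-1709). Not ConnectWise or Huntress code: the Instance
class, the gate functions and the log format are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import unquote

SETUP_WIZARD = "/SetupWizard.aspx"


@dataclass
class Instance:
    setup_complete: bool  # hypothetical flag: True once the initial admin user exists


def split_handler(request_path: str) -> tuple[str, str]:
    """Approximate ASP.NET path mapping: the handler is everything up to and
    including the first '.aspx'; anything after it is PathInfo. Percent-decoding
    and case-folding happen here so the comparison sees what the framework sees."""
    decoded = unquote(request_path)
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    idx = decoded.lower().find(".aspx")
    if idx == -1:
        return decoded, ""
    end = idx + len(".aspx")
    return decoded[:end], decoded[end:]


def vulnerable_gate_passes(inst: Instance, request_path: str) -> bool:
    """The flawed check as Huntress described it: an exact comparison against the
    bare path. '/SetupWizard.aspx/literallyanything' is not equal to it, so the
    request is waved through even though the framework still routes it to the wizard."""
    if request_path != SETUP_WIZARD:
        return True
    return not inst.setup_complete


def hardened_gate_passes(inst: Instance, request_path: str) -> bool:
    """Deny by default: decide on the resolved handler, not the raw string, so
    trailing PathInfo, encoding and case differences cannot dodge the state check."""
    handler, _path_info = split_handler(request_path)
    if handler.lower() != SETUP_WIZARD.lower():
        return True  # some other page; the wizard gate does not apply
    return not inst.setup_complete


# Constructed IIS W3C-style log lines, not real traffic. Fields:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2024-02-21 03:12:44 10.0.0.5 GET /SetupWizard.aspx/literallyanything - 443 203.0.113.7 200
2024-02-21 03:12:45 10.0.0.5 POST /SetupWizard.aspx/literallyanything - 443 203.0.113.7 200
2024-02-21 03:13:02 10.0.0.5 GET /Host - 443 198.51.100.2 200
2024-02-21 03:14:10 10.0.0.5 GET /setupwizard.aspx/ - 443 203.0.113.9 200
2024-02-21 03:15:00 10.0.0.5 GET /SetupWizard.aspx - 443 198.51.100.3 403
"""


def find_wizard_pathinfo_requests(log_text: str) -> list[dict]:
    """Flag requests whose URI stem resolves to the setup wizard with extra path
    components. On a configured instance that shape has no legitimate use."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 9:
            continue
        date, time, _s_ip, method, stem, _query, _port, client, status = parts[:9]
        handler, path_info = split_handler(stem)
        if handler.lower() == SETUP_WIZARD.lower() and path_info:
            hits.append({"time": f"{date} {time}", "client": client,
                         "method": method, "stem": stem, "status": int(status)})
    return hits


if __name__ == "__main__":
    configured = Instance(setup_complete=True)
    probe = "/SetupWizard.aspx/literallyanything"
    print("vulnerable gate passes:", vulnerable_gate_passes(configured, probe))
    print("hardened gate passes:  ", hardened_gate_passes(configured, probe))
    for hit in find_wizard_pathinfo_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

A bare `/SetupWizard.aspx` request answered with a 200 on an already-configured instance would also deserve a look; the detector above concentrates on the trailing-path shape the analysis describes.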

Hanslovan said the initial exploitation attempts began late Tuesday night and he worries that it could ramp up quickly, given the ease of exploitation. Also, there is a Metasploit module available that implements the exploit, which adds more urgency to the patching process.

"We know it's being exploited by initial access brokers. It's a lot of the playbook that reminds me of SolarWinds. The attackers didn't just go after government agencies, but they hit telcos and service providers. It's that one-to-many scenario that could be the same here," Hanslovan said.

ConnectWise updated its advisory on Tuesday to include confirmation of active exploitation, as well as three IP addresses known to have attempted to exploit vulnerable instances. Organizations running vulnerable on-premises instances should upgrade to the fixed version immediately.

This story was updated on Feb. 21 to add comments from Kyle Hanslovan.

<![CDATA[Decipher Podcast: Jennifer Leggio Returns]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/decipher-podcast-jennifer-leggio-returns https://duo.com/decipher/decipher-podcast-jennifer-leggio-returns

<![CDATA[Europol, FBI Announce LockBit Ransomware Crackdown]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/lockbit-ransomware-takedown-includes-arrests-decryptor-release https://duo.com/decipher/lockbit-ransomware-takedown-includes-arrests-decryptor-release

An international takedown operation has hit the infamous LockBit ransomware group on multiple levels, with law enforcement agencies targeting its technical infrastructure, making arrests and releasing a decryption tool for victims to recover encrypted files without paying a ransom.

The sweeping operation, announced Tuesday, was coordinated by Europol and Eurojust, and involved law enforcement from 10 countries, including France, Germany, the Netherlands, Sweden, Australia, Canada, Japan, the UK, the U.S. and Switzerland. It signifies a massive crackdown on both the operators and affiliates behind LockBit, which was labeled last year as the most active ransomware group and has targeted over 2,000 victims.

The breadth of the takedown itself is multifaceted and impacts everything from LockBit’s infrastructure backbone to members’ ability to access cryptocurrency accounts linked to the ransomware group. On the technical infrastructure side, the operation took down 34 servers in various countries, froze 200 cryptocurrency accounts and closed several thousand “rogue accounts” responsible for exfiltration. Two LockBit actors were also arrested in Poland and Ukraine at the request of the French judicial authorities, and three international arrest warrants and five indictments have also been issued by French and U.S. judicial authorities.

“For years, LockBit associates have deployed these kinds of attacks again and again across the United States and around the world,” said Attorney General Merrick B. Garland in a statement. “Today, U.S. and U.K. law enforcement are taking away the keys to their criminal operation. And we are going a step further — we have also obtained keys from the seized LockBit infrastructure to help victims decrypt their captured systems and regain access to their data.”

While the infrastructure takedown poses major hurdles for LockBit, the arrests, indictments and identifications of individuals linked to the group are truly significant. Europol gave no further details on the two LockBit actors that were arrested, but the Justice Department on Tuesday indicted two Russian nationals who have both allegedly engaged in LockBit ransomware attacks: Ivan Gennadievich Kondratiev, a LockBit affiliate and leader of an affiliate sub-group called the National Hazard Society, and Artur Sungatov, a LockBit ransomware group affiliate.

“A common point of dissatisfaction for using law enforcement mechanisms to reduce this risk is that we’ll never get these guys,” said Megan Stifel, the chief strategy officer for the Institute for Security and Technology and executive director of the Ransomware Task Force. “Well, guess what? Several of them are now in custody. I think that’s indicative of where we’re seeing progress.”

The operation has also attempted to aim at the financial epicenter of LockBit, which over the years has received more than $120 million in ransom payments and has made ransom demands totaling hundreds of millions of dollars. In addition to authorities freezing the 200 cryptocurrency accounts linked to the organization, the U.S. Treasury Department on Tuesday also issued sanctions against Kondratiev and Sungatov. The sanctions ban all transactions between these individuals and people in the U.S.

The announcement also reveals two short-term wins for businesses hit by the LockBit ransomware. First, a decryption tool was developed by the FBI, UK’s National Crime Agency and Japanese police. This tool is now available on the No More Ransom portal, and LockBit victims can use it for free in order to recover their encrypted files. Second, LockBit’s data stolen from victims appears to now be in the hands of law enforcement - though there’s no guarantee that there aren’t other copies of this stolen data floating around, said Stifel. Still, “at the very least additional investigative work can help victims understand what was taken and help them to better assess their risk from further damage from the release of that data,” said Stifel.

Europol acknowledged that this “vast amount of data gathered throughout the investigation is now in the possession of law enforcement” and stressed that it could support future operations.

“This data will be used to support ongoing international operational activities focused on targeting the leaders of this group, as well as developers, affiliates, infrastructure and criminal assets linked to these criminal activities,” according to Europol.

While it’s often difficult to coordinate international takedown efforts like these - especially with the safe harbor challenges that shape the ransomware landscape - law enforcement agencies in the U.S. and elsewhere have touted increased international cooperation when it comes to identifying and disrupting cybercriminals.

This level of coordination has been key to several other big ransomware crackdowns, including disruptions against BlackCat in December and Ragnar Locker in October, as well as a series of arrests of high-ranking ransomware group members in November.

Europol painted a detailed picture of the coordination efforts needed in the takedown, starting with the case being opened at Eurojust in April 2022 at the request of the French authorities. Over the course of the operation, Europol’s European Cybercrime Centre organized 27 operational meetings and four technical one-week sprints, all the while trading analytical, forensic and crypto-tracing information and preparing for the final takedown phase of the investigation.

Stifel said that the number of countries participating in this operation is “reflective of the way this threat needs to be managed.”

“The more organizations are working together, the more isolated these individuals will become and the greater the net that can be leveraged to bring them into custody,” said Stifel.

<![CDATA[Decipher Podcast: LockBit Takedown]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/decipher-podcast-lockbit-takedown https://duo.com/decipher/decipher-podcast-lockbit-takedown

<![CDATA[Decipher Podcast: Source Code 2/16]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/decipher-podcast-source-code-2-16 https://duo.com/decipher/decipher-podcast-source-code-2-16

<![CDATA[U.S. Government Disrupts Botnet Used by Russian GRU Hackers]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/u-s-government-disrupts-botnet-used-by-russian-gru-hackers https://duo.com/decipher/u-s-government-disrupts-botnet-used-by-russian-gru-hackers

The Justice Department on Thursday announced that it has disrupted a botnet operated by Russia's GRU Military Unit 26165, also known as APT28.

The DoJ said that during a January operation it was able to neutralize the malware network made up of hundreds of Ubiquiti Edge OS routers. These small office/home office (SOHO) routers were being leveraged by APT28 in order to enable and hide various spearphishing and credential harvesting attacks launched against U.S. government officials and military, security and enterprise organizations. APT28, also known as Fancy Bear, is associated with Russia’s GRU military intelligence unit and is known for previous destructive malware attacks.

“Russia’s GRU continues to maliciously target the United States through their botnet campaigns,” said FBI Director Christopher Wray in a Thursday statement. “The FBI utilized its technical capabilities to disrupt Russia’s access to hundreds of routers belonging to individuals in addition to small and home offices. This type of criminal behavior is simply unacceptable, and the FBI, in coordination with our federal and international partners, will not allow for any of Russia’s services to negatively impact the American people and our allies.”

While previous Russian-operated malware networks that U.S. law enforcement has disrupted were created from scratch by the GRU, this botnet was unique in that it instead leveraged malware called Moobot, which is associated with a cybercriminal group. The Mirai-based Moobot botnet, first discovered in 2019, is known to target IoT devices and routers typically using vulnerability exploits or brute force attacks via weak default passwords.

“Non-GRU cybercriminals installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords,” according to the DoJ. “GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform.”

The DoJ obtained court authorization to use the Moobot malware to copy and delete stolen data and malicious files from compromised routers, and then neutralize the devices by modifying the routers’ firewall rules in order to block remote management access to the devices. The DoJ said law enforcement also temporarily collected non-content routing data in order to expose the GRU's attempts to thwart the operation.

“As described in court documents, the government extensively tested the operation on the relevant Ubiquiti Edge OS routers,” according to the DoJ. “Other than stymieing the GRU’s ability to access the routers, the operation did not impact the routers’ normal functionality or collect legitimate user content information.”

The DoJ said that impacted users have the ability to roll back the firewall rule changes by performing factory resets on their routers or through accessing their routers through their local network. However, in addition to the factory reset users should be sure to change the default administrator passwords on the devices, which would block the routers from reinfection.

The operation marks the latest disruption by U.S. law enforcement of malicious cyber operations. Recent targets include the BlackCat ransomware group in December, a botnet used by a PRC state-sponsored group called Volt Typhoon in January and Turla’s Snake espionage malware in May 2023.

“With these operations, and many more like them, we’ve set our sights on all the elements that we know from experience make criminal organizations tick: their people—a term we define broadly to include not just ransomware administrators and affiliates, but their facilitators, like bulletproof hosters and money launderers; their infrastructure; their servers, botnets, etc.; and their money, the cryptocurrency wallets they use to stash their ill-gotten gains, hire associates, and lease infrastructure,” said Wray while speaking Thursday at the Munich Security Conference.

<![CDATA[APT Exploits Microsoft Zero-Day in Malware Attacks]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/apt-exploits-microsoft-zero-day-in-malware-attacks https://duo.com/decipher/apt-exploits-microsoft-zero-day-in-malware-attacks

An APT group has been exploiting a Microsoft zero-day vulnerability in attacks in order to bypass Microsoft Defender SmartScreen and infect financial market trader companies with the DarkMe malware.

Researchers with Trend Micro’s Zero Day Initiative said that the known APT group, called Water Hydra, was leveraging the flaw (CVE-2024-21412) in order to bypass Defender SmartScreen, Microsoft’s feature in Windows 10 and 11 that is aimed at preventing phishing and malware attacks. The attack was first found by the researchers in late December, and Microsoft on Tuesday disclosed the important-severity flaw and issued a fix as part of its regularly scheduled Patch Tuesday updates.

“Threat actors are constantly finding new ways of identifying and exploiting gaps to bypass security measures,” said Trend Micro researchers on Tuesday. “We found that the bypass of CVE-2023-36025 (a previously patched SmartScreen vulnerability) led to the discovery and exploitation of CVE-2024-21412. This highlights how threat actors can circumvent patches by identifying new vectors of attack around a patched software component.”

Water Hydra was first discovered in 2021 and has previously launched attacks against banks, cryptocurrency platforms, gambling sites and casinos, and stock trading platforms. The group has previously used undisclosed vulnerabilities - including the WinRAR code execution flaw (CVE-2023-38831) - as part of its attack chain to target the financial industry.

The Attack

Researchers observed the group leveraging the Microsoft flaw as part of what they called a streamlined infection process since late January. The attack started with the group launching spear-phishing attacks in forex trading forums and stock trading Telegram channels in order to target potential traders with the DarkMe malware. The group would post messages with links, which pretended to ask for trading advice or share financial tools.

These posts instead linked back to a landing page hosted on a compromised Russian language forex, stock, and cryptocurrency news site, which served a second link to a JPEG file.

“In Water Hydra’s case, the group used internet shortcuts disguised as a JPEG image that, when selected by the user, allows the threat actor to exploit CVE-2024-21412,” said researchers. “The group can then bypass Microsoft Defender SmartScreen and fully compromise the Windows host as part of its attack chain.”

The DarkMe malware allowed the APT to gather information on the victim companies and establish a command-and-control (C2) connection for further malicious activity.

Microsoft Flaws

Microsoft in its regularly scheduled updates on Tuesday released over 70 fixes for other vulnerabilities, including a second actively exploited bypass bug in Windows SmartScreen Security (CVE-2024-21351). Microsoft said an attacker that successfully exploited this flaw could bypass the SmartScreen user experience, but that an authorized attacker would need to first send targets a malicious file and convince them to open it.

Overall, researchers said CISOs can strategically position themselves to prepare for zero-day vulnerabilities like this one by implementing vulnerability management procedures into their security programs - as well as threat intelligence and incident response processes - to better identify and prioritize flaws.

“Given the potential impact of a successful zero-day vulnerability exploitation, it is important that chief information security officers (CISOs) and other decision-makers are able to adopt a multilayered approach to prepare for and address the risks of zero-day vulnerabilities,” said researchers.

<![CDATA[The Creeping Threat of Security Debt]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/the-creeping-threat-of-security-debt https://duo.com/decipher/the-creeping-threat-of-security-debt

Nearly half of all organizations have critical security debt–high-risk flaws in their applications that go unremediated for more than a year–and more than 70 percent of organizations have security debt overall, according to a new study on enterprise software security trends.

There are a number of factors that contribute to the existence of known security flaws in applications over the long term, not the least of which are the high volume of bugs published every year and the need to allocate scarce developer resources to other tasks.

“Security debt is endemic. It’s everywhere,” said Chris Eng, chief research officer at Veracode, which published the latest version of its State of Software Security report on Wednesday, much of which focused on the issue of security debt.

Interestingly, though security debt exists in the vast majority of organizations, it is not evenly distributed among organizations or across applications. Larger applications are more likely to have security debt and critical security debt than small and medium-sized apps. And in general, the older the app, the more security debt it carries, according to Veracode’s data. Also, development teams tend not to prioritize fixing the more-serious flaws over less-serious ones.

“It is a choice they have to make and when it comes to working down the debt, are they doing it in the most efficient way? They’re not. They’re fixing critical and normal flaws at basically the same rate,” Eng said.

“I don’t think it’s being dictated by the people who are thinking about risk management. It could be something the developer thinks is easier to fix or actually is easier to fix, or maybe there’s just so much in front of them that they’re making the decisions as best they can.”

Most modern applications are a complex mix of first- and third-party code, often including open source libraries and other components that in-house development teams don’t have any control over. That can make addressing known security flaws even more challenging. Veracode’s data shows that 63 percent of apps have vulnerabilities in first-party code, while 70 percent have vulnerabilities in third-party code. The bugs in third-party code are more likely to end up becoming security debt, too. According to Veracode’s data, flaws in third-party code have a 48 percent likelihood of turning into security debt, while flaws in first-party code have a 41 percent chance.

“They have to draw the line somewhere and most of the security debt is in first-party code, but most critical security debt is in third-party code, and honestly I was initially surprised by that. But then I thought about the fact that developers never update libraries and CVEs are coming out all the time,” Eng said.

In terms of improving an organization’s skill at fixing flaws, Eng said it generally comes down to improving the organization’s capacity, its prioritization, or its efficiency. None of those is a simple change to make. Increasing capacity generally means spending more money on developers, tools, or both. And shifting priorities means taking resources away from other tasks.

“This all comes down to better habits,” Eng said.

U.S. Organizations Targeted in Bumblebee Malware Campaign
lindsey@decipher.sc (Lindsey O’Donnell-Welch)
https://duo.com/decipher/u-s-organizations-targeted-in-bumblebee-malware-campaign

A number of U.S.-based organizations were targeted with emails last week that attempted to spread the well-known Bumblebee malware. The campaign uses a slightly modified attack chain for Bumblebee and marks the return of the malware after a four-month absence from the threat landscape.

Bumblebee is a sophisticated downloader first spotted in March 2022, which was used by several threat groups to download and execute shellcode and the Cobalt Strike and Sliver tools. The malware was in active development when it was first discovered and included several complex detection evasion tactics, but it abruptly disappeared from Proofpoint researchers’ threat data starting in October 2023.

Now, with this latest campaign that included over 2,000 emails, researchers said the malware’s sudden return to the threat landscape is indicative of a more widespread surge of cybercriminal threat activity from several threat actors.

“2024 has started off with a bang for cybercriminal threat actors, with activity returning to very high levels after a temporary winter lull,” said researchers with the Proofpoint threat research team on Tuesday. “Proofpoint researchers continue to observe new, creative attack chains, attempts to bypass detections, and updated malware from many threat actors and unattributed threat clusters.”

Organizations in the U.S. received emails purporting to tell them that they had missed a voice call and asking them to click on a link to listen to the voice message. The messages carried the subject "Voicemail February" and came from the sender "info@quarlesaa[.]com". The OneDrive URL led to a malicious Word document that pretended to be a message from a consumer electronics company called Humane. Once opened, the document used macros to execute a file with a PowerShell command, which eventually led to the download of the Bumblebee DLL.
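As an added example (not code from the article or from Proofpoint), the following Python triage rule scores constructed mail-gateway log lines against the lure described above. The log format, the OneDrive hostnames and the placeholder URL paths are assumptions; the subject line and sender domain are the ones reported in the article.

```python
"""Triage of constructed mail-gateway log lines against the Bumblebee lure above.
Added example; log format, OneDrive hosts and sample URLs are assumptions."""
import shlex
from urllib.parse import urlparse

LURE_SUBJECT = "voicemail february"               # subject reported for the campaign
LURE_SENDER_DOMAIN = "quarlesaa[.]com"             # reported sender domain, kept defanged
ONEDRIVE_HOSTS = {"1drv.ms", "onedrive.live.com"}  # assumed OneDrive link hosts
MACRO_DOC_EXT = (".doc", ".docm", ".dotm")         # macro-capable Word formats

def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")

def parse_line(line: str) -> dict:
    """Parse one constructed key=value gateway line; quoted values are allowed."""
    fields = {}
    for tok in shlex.split(line):
        key, sep, value = tok.partition("=")
        if sep:
            fields[key] = value
    return fields

def score(ev: dict) -> tuple:
    """Return (points, reasons); each matched indicator of the chain counts one point."""
    reasons = []
    if ev.get("from", "").rpartition("@")[2].lower() == refang(LURE_SENDER_DOMAIN):
        reasons.append("sender domain reported in campaign")
    if LURE_SUBJECT in ev.get("subject", "").lower():
        reasons.append("missed-voicemail lure subject")
    parsed = urlparse(ev.get("url", ""))
    if (parsed.hostname or "").lower() in ONEDRIVE_HOSTS:
        reasons.append("link to OneDrive-hosted file")
    if parsed.path.lower().endswith(MACRO_DOC_EXT):
        reasons.append("macro-capable Word document behind the link")
    return len(reasons), reasons

def triage(lines):
    """Map each line to a verdict: 3+ indicators quarantine, 2 review, else deliver."""
    out = []
    for line in lines:
        ev = parse_line(line)
        points, reasons = score(ev)
        verdict = "quarantine" if points >= 3 else "review" if points == 2 else "deliver"
        out.append({"to": ev.get("to"), "verdict": verdict, "reasons": reasons})
    return out

SAMPLE_LOG = [  # constructed sample lines; URL paths are placeholders
    'from=info@quarlesaa.com to=alice@example.com subject="Voicemail February" url=https://1drv.ms/w/placeholder.doc',
    'from=hr@example.com to=bob@example.com subject="Voicemail February" url=https://onedrive.live.com/placeholder.pdf',
    'from=news@vendor.example to=carol@example.com subject="Weekly update" url=https://vendor.example/news',
]
```

A single matching indicator (for instance a legitimate voicemail notification) stays at "deliver", so the rule surfaces only the combination that characterises this chain.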

The attack chain’s use of VBA macro-enabled documents is notable and a bit peculiar, as many threat actors have stopped using macros, said researchers. After Microsoft began blocking macros by default in 2022, threat actors, including those leveraging Bumblebee, started to diversify their own methods to spread malware without relying on macros, including using XLL files, ISO images, Microsoft shortcut files and MSI files.

“Out of the nearly 230 Bumblebee campaigns identified since March 2022, only five used any macro-laden content; four campaigns used XL4 macros, and one used VBA macros,” said researchers.

Researchers said that the Bumblebee loader can be used as an initial access facilitator to deliver follow-on payloads, like ransomware. Because email served as the initial access vector here, researchers said that organizations should continue to focus their efforts on preventing email-based attacks, including training end users to recognize potentially suspicious activity.

"In this case, the actor also used macro-enabled documents, and users should never enable macros, or unblock them, from untrusted or unknown sources," said Selena Larson, senior threat intelligence analyst with Proofpoint.