A ransomware gang innovates, putting pressure on victims but also exposing itself

Welcome to The Cybersecurity 202! It’s funny what playing one video game a lot does to your brain. “Baldur’s Gate 3” has me constantly hearing a bunch of random voice lines in my head by people on the streets of the city when I’m not playing, with “Bigger, bigger, bigger” and “I know how to use this bow” currently annoying me the most.


Below: A government board’s decision splits civil rights groups and intelligence officials, and an agency investigates whether its physical security was compromised in a cyberattack.

A change in how Cl0p publishes victim data is a trade-off for the group

The gang behind arguably the biggest ransomware attack ever recently adopted an innovative way of pressuring its victims to pay — one that a researcher says is faster and therefore potentially more effective, but that also exposes more information about how the gang operates.

The crime outfit, known as Cl0p or Clop, exploited a vulnerability in the MOVEit file transfer service to conduct a sweeping ransomware attack this summer, one that by some estimates has affected more than 2,000 organizations and touched more than 60 million people.

Usually ransomware gangs list their victims on the dark web — which can be accessed through software known as Tor — to embarrass them into paying. But Cl0p announced last month it would begin publishing victim data via torrents, a quicker method of distributing files than the dark web.

The MOVEit attacks forced the change, said Jeff White, threat research manager at Palo Alto Networks’ Unit 42.

“The traditional way they were doing it wasn’t really working for the amount of data they have, so they tried to evolve and change their tactics that they were using,” he told me. “Through this mechanism of changing their tactics, they had basically exposed or provided us visibility into infrastructure that we wouldn’t normally have visibility into.”

  • “It gives us better insight into how they’re operating, their mind-set for what activities they’re doing and why they’re doing it,” he continued. “And then ideally, by exposing this kind of information, it provides companies or governments or law enforcement agencies that have visibility that we don’t have a way to go in and understand more about what is going on behind the scenes with the threat actor in question.”

Palo Alto Networks shared its research with The Cybersecurity 202 first.

The development coincides with ransomware having a bigger 2023 than 2022, when attacks plateaued.

The history and the trade-off

Two other ransomware groups, CryptBB and Akira, have used torrents before, White said; the difference is that they were smaller groups that could not do it at the massive scale Cl0p is operating at now.

The sheer amount of data makes Tor, which stands for The Onion Router, hard to use for distribution because of how slow it is.

“Threat actors have stolen and leaked terabytes upon terabytes of data already, and a dizzying amount of data is expected to continue to drop. It’s an amount of data that hasn’t been seen before with this type of activity,” White wrote. “Unexpectedly, this almost benefits the victims because it can be impractical to acquire some of the leaks over the Onion network. Why pay a ransom when no one will even be able to download the stolen data?”

  • “Instead of trying to download a 128 GB ZIP file over the Onion network that could take days or even weeks to obtain, people can now download them at much more reasonable speeds,” he wrote. “Thus the pressure is back on the victims to pay.”

But using torrents is a trade-off, White told me. By looking at the torrents from a high level, White could learn things about Cl0p itself.

“They are telling us basically which servers are owned or operated by them,” he said. “While we might have limited visibility into those servers, and who is connecting to those servers, who is sending data to the server, what logs may exist on our servers — other companies and organizations might not have that limitation.

“And so as an example, a government agency might have the visibility into traffic that was going to the server and they might be able to then start piecing together the puzzle, to say, ‘These people were connecting to this server at this time frame,’” White said.

Cl0p’s innovation isn’t the only one ransomware gangs have embraced lately. The FBI warned industry this week to be on the lookout for multiple ransomware attacks on the same victim, a trend it took note of in July.

“This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments,” it said. “Second ransomware attacks against an already compromised system could significantly harm victim entities.”

Ransomware gangs have diversified their initial access points, using a mix of methods like phishing and social engineering campaigns, said Allan Liska, senior security architect at cybersecurity firm Recorded Future.

Tracking the number of ransomware attacks is a tricky enterprise, given that some metrics — like the names of victims posted on leak sites — rely on ransomware gangs telling the truth about their deeds.

Palo Alto Networks counted 2,679 impacted organizations in 2022, but as of this week, the company already counted 2,833 impacted organizations in 2023.

There are a few possible reasons to explain this year’s ransomware bounceback.

  • Liska told me there’s been an explosion in the number of groups, and in their geographic distribution, whereas ransomware had largely been a Russian phenomenon.
  • They’ve also gotten better at sharing information and learning how to use their technological tools thanks to improved instructions, Liska said.
  • White told me that a shift toward extortion and away from data destruction means there are lower technical and other barriers to manage.

Civil rights groups, intel community split over oversight board’s Section 702 views

Civil rights organizations and intelligence community representatives have lined up on opposite sides of a split report released by a key government oversight body on a contested surveillance tool, according to comments and reactions sent to The Cybersecurity 202.

The government privacy panel known as the Privacy and Civil Liberties Oversight Board yesterday unveiled opposing guidance on the Foreign Intelligence Surveillance Act’s Section 702 authority, which grants warrantless surveillance of foreign targets but occasionally sweeps up communications with Americans.

The 3-2 split hinged on three Democrats who recommended U.S. intelligence authorities get court approval before viewing Americans’ communications. The panel’s two Republicans opposed that recommendation, though both sides agreed the tool is vital for U.S. national security purposes. Debates over the surveillance power have reignited in recent months because it expires at the end of the year unless it’s reauthorized by Congress.

  • Section 702 allows the FBI and National Security Agency to gather electronic data without a traditional warrant based on probable cause when the target is a foreigner overseas and the data gathering is for foreign intelligence purposes. But those intercepted exchanges sometimes include conversations with Americans, raising skeptics’ fears that American communications are warrantlessly swept up in the process.
  • Meanwhile, intelligence and national security officials argue the tool is vital to U.S. operations and that information sourced from Section 702 makes up a large chunk of President Biden’s daily briefings.

Civil liberties advocates applauded the majority’s recommendations. “The message of the Board’s report is clear: individualized judicial review of U.S. person queries is critical to protect Americans’ rights and prevent further abuses. The report flatly rejects the government’s self-serving claim that individualized judicial review is unworkable,” said a statement from a coalition of groups including the Brennan Center for Justice at NYU School of Law, American Civil Liberties Union and the Center for Democracy and Technology.

Meanwhile, the National Security Council said that obtaining a warrant to view already collected American communications would be cumbersome and a possible security risk. “[Seeking additional court approval] is operationally unworkable and would blind us to information already in our holdings that, often, must be acted upon in time-sensitive ways in order to prevent lethal plotting on U.S. soil, the recruitment of spies by hostile actors, the hacking of U.S. companies, and more,” an NSC spokesperson told The Cybersecurity 202.

Citing risks from China, Mayorkas urges Latin America to make U.S. its cybersecurity friend

Homeland Security Secretary Alejandro Mayorkas on Thursday told Latin American cybersecurity officials that the United States is eager to work with them on building out their cyber operations and capabilities, in an effort to sway allied nations south of the United States to consider possible security implications of low-cost technology partnerships they have with China.

Mayorkas was speaking to an audience of cyber delegates from various Latin American countries at a first-of-its-kind Western Hemisphere cybersecurity conference in D.C., where he stressed that, while the United States isn’t aiming to force anyone’s hand, a threat to any U.S. ally’s communications networks in the region is a threat to everyone in the region.

“Each of your governments must decide which choice best delivers what your countries need, which choice affords you with the most trust in your critical cyber infrastructure and which choice comes with strings attached,” he said.

  • The secretary used an example from 2017 in which Malaysia faced cyberattacks from Chinese-backed hackers that were likely triggered after the nation said it would renegotiate whether to rescind billions of dollars’ worth of aid from China to bolster its national infrastructure, including a railway.
  • “Dozens of countries have been offered new, physical, digital, and security upgrades at too good to be true prices. These countries have paid for their new infrastructure with their data, their privacy, and their long-term security,” he said.

A major talking point of the conference has been China’s “Digital Silk Road” and “Belt and Road Initiative,” which seek to create new economic and technological links with other nations. Beijing has been steadily working to export its technologies into Latin America, a dynamic that Mayorkas deems as risky to the Western Hemisphere’s communications security.

  • The remarks come amid recent reports showing that the United States has been aware of a Chinese spy base in Cuba since at least 2019. Some national security analysts have warned that the base may expand beyond its use as an intelligence-gathering tool.

DHS investigating whether contractor hack exposed agency floor plans, security info

Senior Department of Homeland Security officials are working to determine if a ransomware attack on a government contractor compromised physical security information of the agency’s facilities, CNN’s Priscilla Alvarez and Sean Lyngaas report, citing internal department correspondence reviewed by the outlet.

They write: “Johnson Controls, a major manufacturer of alarm and building automation systems, ‘holds classified/sensitive contracts for DHS that depict the physical security of many DHS facilities,’ according to the internal memo.”

  • “Until further notice, we should assume that [the contractor] stores DHS floor plans and security information tied to contracts on their servers,” the memo said. “We do not currently know the full extent of the impact on DHS systems or facilities.” It is not known if any cybercriminals exfiltrated data, CNN notes.
  • A possible government shutdown, which could happen this weekend, has made the matter especially time sensitive, the memo adds.
  • A Homeland Security Department spokesperson did not immediately return a request for comment from CNN. Johnson Controls International spokesperson Trent Perrotto declined to comment on details of the incident and referred Alvarez and Lyngaas to the company’s Securities and Exchange Commission filing that detailed the cyberattack.

“The incident is a stark reminder for US officials of the cybersecurity risks they take on by working with private contractors for key government services,” the CNN report says. “The Biden administration has tried to tighten cybersecurity for government contractors by compelling them to meet a minimum set of security standards.”

The report echoes a recent breach of Microsoft’s cloud services that allowed China-linked hackers to access email accounts and exchanges of top U.S. officials.

White House to issue ‘broad’ executive order addressing AI risks and standards (Nextgov/FCW)

Musk ousts X team curbing election disinformation (Politico Europe)

China’s chip equipment firms see revenue surge as Beijing seeks semiconductor self-reliance (CNBC)

Progress Software says business impact ‘minimal’ from MOVEit attack spree (Cybersecurity Dive)

China is investing billions in global disinformation campaign, U.S. says (Wall Street Journal)

Security researcher stopped at US border for investigating crypto scam (Bleeping Computer)

Dallas: Royal ransomware gang infiltrated networks weeks before striking (The Record)

Bing Chat responses infiltrated by ads pushing malware (Bleeping Computer)

Norway asks EU regulator to fine Facebook owner Meta over privacy breach (Reuters)

Food delivery robots are feeding camera footage to the LAPD, internal emails show (404 Media)

Google patches zero-day exploited by commercial spyware vendor (TechCrunch)

Thanks for reading. See you next week.
