Company research indicates ransomware gangs may be working in concert to orchestrate multiple attacks, explains Sophos’ John Shier.

Company research indicates ransomware gangs may be working in concert to orchestrate multiple attacks, explains Sophos’ John Shier.

Dark Reading

Company research indicates ransomware gangs may be working in concert to orchestrate multiple attacks, explains Sophos’ John Shier. And in at least one curious instance, a gang covered up tracks of a gang that was that there before them. Is the Hive-LockBit-BlackCat joint venture a harbinger of threats to come? Shier weighs in and explains how organizations can better defend against this emerging threat.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Editors' Choice

Robert Lemos, Contributing Writer, Dark Reading

Jai Vijayan, Contributing Writer, Dark Reading

Ericka Chickowski, Contributing Writer, Dark Reading

Joshua Goldfarb, Fraud Solutions Architect - EMEA and APCJ, F5

Sophos Identifies Potential Tag-Team Ransomware Activity

InQuest’s Pedram Amini takes a deep dive into file detection and response as a way to prevent file-borne attacks.

InQuest’s Pedram Amini takes a deep dive into file detection and response as a way to prevent file-borne attacks.

Dark Reading

File-borne attacks are a mainstay of the threat landscape and InQuest’s Pedram Amini takes a deep dive into file detection and response as a way to prevent such attacks. He describes what automated threat hunting is and how it can make a difference; Amini also says automated thrteat hunting can help with the hiring and retention issues most organizations are facing. He also talks about how Inquest’s own automation capabilities are enabled.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Editors' Choice

Robert Lemos, Contributing Writer, Dark Reading

Jai Vijayan, Contributing Writer, Dark Reading

Ericka Chickowski, Contributing Writer, Dark Reading

Joshua Goldfarb, Fraud Solutions Architect - EMEA and APCJ, F5

InQuest: Adding File Detection and Response to the Security Arsenal

Secureworks’ Nash Borges describes how his team has applied AI and ML to threat detection.

The marketing hyperbole is plenty loud when it comes to artificial intelligence and its subset, machine learning, in the SOC and data center, and Secureworks’ Nash Borges offers a reality check on the emerging technologies. Borges takes a deeper cut at what it takes to add AI into the technology mix in a SOC. In a practical example, he describes how his team has applied AI and ML to threat detection. Borges also addresses whether AI is the panacea it’s built up to be for security management.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Secureworks: How To Distinguish Hype From Reality With AI in SecOps

Novel ransomware was created with the Go open source programming language, demonstrating how malware authors increasingly are opting to employ the flexible coding language.

Cybercriminals are swarming to deploy an emerging ransomware variant called BianLian that was written in Go, the Google-created open source programming language.

BianLian has been rising popularity since it was first outed in mid-July, according to researchers at Cyble Research Labs, which published details on their study of the ransomware in a blog post last week. Threat actors so far have cast a wide net with the novel BianLian malware, which counts organizations in media and entertainment; manufacturing; education; healthcare; and banking, financial services, and insurance (BFSI) among its victims so far.

Specifically, the media and entertainment sector has taken the brunt of BianLian attacks, with 25% of victims in this industry so far, and 12.5% each in the professional services, manufacturing, healthcare, energy and utilities, and education sectors, according to Cyble.

Attackers using BianLian typically demand unusually high ransoms, and they utilize a unique encryption style that divides the file content into chunks of 10 bytes to evade detection by antivirus products, the researchers said. "First, it reads 10 bytes from the original file, then encrypts the bytes and writes the encrypted data into the target file," the Cybel researchers wrote in the post.

BianLian's operators also use double-extortion methods, threatening to leak key stolen data — such as financial, client, business, technical, and personal files — online if ransom demands aren't met within 10 days. They maintain an onion leak site for this purpose.

**How the Ransomware Variant Works**

BianLian functions similarly to other ransomware types in that it encrypts files once it infects a targeted system and sends a ransomware note to its victims letting them know how to contact the operators.

Upon execution of the ransomware, BianLian attempts to identify if the file is running in a WINE environment by checking the _wine\_get\_version()_ function via the _GetProcAddress()_ API, the researchers said. Then, the ransomware creates multiple threads using the _CreateThread()_ API function to perform faster file encryption, which also makes reverse engineering the malware more difficult, they said.

The malware then identifies the system drives (from A:\\ to Z:\\) using the _GetDriveTypeW()_ API function and encrypts any files available in the connected drives before dropping its ransomware note, the researchers said.

BianLian also is notable in that uses Go as its foundational language, giving threat actors more flexibility in both developing and deploying the malware, the researchers said. "We have seen many threats developed using the Go language, such as Ransomware, RAT, Stealer, etc.," they wrote.

Go's cross-platform capability enables a single codebase to be compiled into all major operating systems. This makes it easy for threat actors — such as the ones behind BianLian — to make constant changes and add new capabilities to a malware to avoid detection, the researchers said.

Other cyber threats written in the so-called GoLang that have been active in the past year include a botnet called Kraken that recently resurfaced, as well as Blackrota, a heavily obfuscated backdoor.

While increased efforts by international law enforcement to crack down on the actors behind major cybercriminal groups has had some impact on ransomware, new threat operators and ransomware variants have perennially risen to replace now-defunct ones.

Cyble reiterated in its blog post some best practices for ransomware defense: running regular, offline backups; keeping device software updated, ideally using automatic software updates; running anti-malware software on devices; and avoiding opening any suspicious or unknown links and attachments.

New 'BianLian' Ransomware Variant on the Rise

Tanium’s Chris Hallenbeck explains how converged endpoint management helps overcome obstacles to endpoint visibility.

Tanium’s Chris Hallenbeck explains how converged endpoint management helps overcome obstacles to endpoint visibility.

Dark Reading

Thanks to the pandemic and working from home, endpoint visibility remains one of the biggest challenges for infosec professionals. Tanium’s Chris Hallenbeck explains how converged endpoint management helps overcome those obstacles. He also addresses the reality of siloed systems and how security professionals can overcome the challenges with integrating them. And Hallenbeck discusses what organizations can do to maximize endpoint visibility in order to keep their users and their data secure.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Editors' Choice

Robert Lemos, Contributing Writer, Dark Reading

Jai Vijayan, Contributing Writer, Dark Reading

Ericka Chickowski, Contributing Writer, Dark Reading

Joshua Goldfarb, Fraud Solutions Architect - EMEA and APCJ, F5

Tanium: Taking A Deeper Cut At Converged Endpoint Management

Pentera’s Omer Zucker outlines exposure management’s biggest challenges in closing security gaps.

Exposure management is a combination of attack surface mapping, vulnerability assessment, and validation, and seeks to keep networks more secure. Pentera’s Omer Zucker outlines exposure management’s biggest challenges in closing security gaps. He also describes how security pros can combine attack surface mapping, vulnerability assessment, and validation to enhance their security posture. And Zucker offers some tips for getting started with exposure management.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Pentera Helps Enterprises Reduce Their Security Exposure

Threat intel has changed over the years and that’s changed how customers use it, says Matt Olney, director of Talos threat intelligence and interdiction at Cisco.

Threat intel has changed over the years and that’s changed how customers use it, says Matt Olney, director of Talos threat intelligence and interdiction at Cisco.

Dark Reading

Threat intel has changed over the years and that’s changed how customers use it, says Matt Olney, director of Talos threat intelligence and interdiction at Cisco. He discusses new ransomware dangers and what users can do to protect themselves. And he describes in detail how Cisco intelligence was used to respond to a recent large-scale security event. He closes with some tips about how to better protect your organization against ransomware.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Cisco: All Intelligence is Not Created Equal

Replacing passwords is not as easy as people think, but there is hope.

Although analysts have predicted the death of passwords for many years, passwords are still the predominant authentication credential used for many applications and IT systems. The reason for this is simple — everyone knows how passwords work, which makes them more convenient to use.

As a result, 80% of all company data breaches and hacking incidents result from stolen or compromised passwords. It's not hard to see why. The average user has more than 90 online accounts — almost all requiring a password that more than half of those same users reuse. And with a record 1,862 data breaches in 2021 at an average cost of $4.24 million per breach, it's no wonder that more than 555 million passwords are available on the Dark Web.

Passwords are proliferating across our digital world and getting stolen in record numbers every year, but it doesn't have to be this way.

**The Twin Dilemma of Security vs. Convenience**

Enterprises can address this problem today. In fact, many are already enhancing existing passwords with a second factor — for example, sending an out-of-band code via SMS or email. The technology exists for even stronger login credentials, but these often significantly impact the user experience, which hurts adoption with internal users (employees) or retention with external users (consumers).

Organizations are faced with a complex balancing act: They need to improve their authentication process so that login credentials provide the needed security while being easy to use. But those credentials also have to be difficult for hackers to steal or compromise. Oh, and let's not forget that this enhanced authentication mechanism must be cost effective, too.

Over the years, many types of login credentials emerged that were effective in one or two areas but fell short in the others. But, there is hope.

**Size and Scope**

The size and scope of the problem must also be taken into consideration. For large enterprises, these challenges are multiplied because of the sheer number of applications running across their hybrid environments, from the cloud to the mainframe. You hear a lot about the cloud, but how often do you hear someone mention the mainframe? Did you know that mainframes handle 90% of all credit card transactions, or that mainframes handle 68% of world's production IT workloads? For many of our strategic customers, the mainframe is more mission critical than anything running in the cloud.

A truly effective identity security solution needs to cover all aspects of an organization's infrastructure — everything from the mainframe to distributed servers, from virtualized to multicloud environments, managing access across business applications, privileged accounts, and everything in between.

**The Convergence of Technology and Standards**

The missing link in efforts to improve this identity security challenge is a failure to recognize that replacing the password is not as easy as people think. But there are several trends that may help accelerate the death of the password once and for all.

The first is the smartphone. According to Ericsson, the number of smartphone users in the world today is about 6.6 billion, which translates to almost 84% of the world's population. These devices are not only ubiquitous but are also responsible for teaching users how to use their fingerprint to unlock their devices and take a selfie. Biometrics is not an abstract concept anymore — it is becoming familiar even to people who struggle to use a computer.

The second trend is one of standardization, specifically the growing support for FIDO or Open ID Connect. These new security standards help facilitate the exchange of identity and authentication information between an identity provider and an application. These standards eliminate the need for passwords and replace them with passwordless techniques, such as biometrics (a single finger swipe on your phone). However, there are many mainframe and web applications that were never designed with support for these standards and therefore cannot leverage passwordless authentication — that is, not without major redesign or a little help.

For newer or smaller enterprises, it may be relatively easy to modify applications to be compatible with FIDO or OpenID Connect. However, for larger enterprises this problem is significant because the bulk of their mission-critical apps may need to be modified, and this may not be financially feasible. As a result, while newer applications are built with passwordless authentication mechanisms, they are addressing only a subset of enterprise applications, networks, and environments.

An effective security system needs to cover all an organization's digital assets. If not, the bad guys will always find the weakest link. Only through a holistic approach can enterprises solve the biggest pain points in identity security by replacing the need for passwords with a single passwordless sign-on procedure for everything in our digital world.

Identity Security Pain Points and What Can Be Done

Sumedh Thakar, CEO of Qualys, explains how moving to a cloud-based asset management platform can simplify their strategies and improve overall security.

Siloed security solutions often don’t improve security or reduce risk. Sumedh Thakar, CEO of Qualys, explains how moving to a cloud-based asset management platform can simplify their strategies and improve overall security. With cybersecurity spending topping $150 billion annually, customers are looking for more improvement and better results, Thakar adds. He also addresses how to deal with network complexity in an era of cloud computing, the Internet of Things, and a personnel shortage.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

How Qualys Reduces Risk and Enables Tool Consolidation

What happens when businesses' smart devices break? CSOs have things to fix beyond security holes.

So many everyday items in the developed world are now connected to the Internet, often inexplicably. It adds another layer of potential technology failure that for personal appliances can be something of an amusing annoyance: blinds that won't open, microwaves that don't adjust for time changes, refrigerators that need firmware updates.

But in the enterprise, when Internet of Things devices fail, it's no Twitter-thread joke. Factory assembly lines grind to a halt. Heart-rate monitors in hospitals switch offline. Elementary school smart boards go dark.

Smart device failures are an increasing risk in the enterprise world, and not just because of the oft-discussed security worries. It's because some of these devices' root certificates — necessary for them to connect to the Internet securely — are expiring.

"Devices need to know what to trust, so the root certificate is built into the device as an authentication tool," explains Scott Helme, a security researcher who has written extensively about the root certificate expiration issue. "Once the device is in the wild it tries to call 'home' — an API or manufacturer's server — and it checks against this root certificate to say, 'Yes, I'm connecting to this correct secure thing.' Essentially \[a root certificate is\] a trust anchor, a frame of reference for the device to know what it's speaking to."

In practice this authentication is like a web or a chain. Certificate authorities (CAs) issue all kinds of digital certificates, and the entities "talk" to each other, sometimes with multiple levels. But the first and most core link of this chain is always the root certificate. Without it, none of the levels above could make the connections possible. So if a root certificate stops working, the device can't authenticate the connection and won't link to the Internet.

Here's the problem: The concept of the encrypted Web developed around 2000 — and root certificates tend to be valid for about 20 to 25 years. In 2022, then, we're smack in the middle of that expiration period.

The CAs have issued plenty of new root certificates in the last two-plus decades, of course, well ahead of expirations. That works well in the personal device world, where most people frequently upgrade to new phones and click to update their laptops, so they would have these newer certs. But in the enterprise, it can be far more challenging or even impossible to update a device — and in sectors like manufacturing, machines may indeed still be on the factory floor 20 to 25 years later.

Without an Internet connection, "these devices aren't worth a thing," says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, provider of machine identity management services. "They essentially become bricks \[when their root certs expire\]: They can't trust the cloud anymore, can't take commands, can't send data, can't take software updates. That's a real risk, particularly if you're a manufacturer or an operator of some kind."

**A Warning Shot**

The risk isn't theoretical. On September 30, a root certificate issued by the massive CA Let's Encrypt expired — and several services across the Internet broke. The expiration wasn't a surprise, as Let's Encrypt had long been warning its customers to update to a new cert.

Still, Helme wrote in a blog post 10 days before the expiration, "I'm betting a few things will probably break on that day." He was right. Some services from Cisco, Google, Palo Alto, QuickBooks, Fortinet, Auth0, and many more companies failed.

"And the weird thing about that," Helme tells Dark Reading, "is that the places using Let's Encrypt are by definition very modern — you can't just go to their website and pay your $10 and download your certificate by hand. It has to be done by a machine or via their API. These users were advanced, and it was still a really big problem. So what happens when we see \[expirations\] from the more legacy CAs that have these big enterprise customers? Surely the knock-on effect will be larger."

**The Path Forward**

But with some changes, that knock-on effect doesn't have to happen, says Venafi's Bocek, who views the challenge as one of knowledge and chain of command — so he sees solutions in both awareness and early collaboration.

"I'm really excited when I see chief security officers and their teams getting involved on the manufacturer and developer level," Bocek says. "The question is not just, 'Can we develop something that is safe?' but 'Can we continue to operate it?' There's often a shared responsibility of operation on these high-value connected devices, so we need to be clear on how we're going to handle that as a business."

Similar conversations are happening in the infrastructure sector, says Marty Edwards, deputy CTO for operational technology and IoT at Tenable. He's an industrial engineer by trade who has worked with utility companies and the US Department of Homeland Security.

"Quite frankly, in the industrial space with utilities and factories, any event that leads to a production outage or loss is concerning," Edwards says. "So in these specialty circles the engineers and developers are certainly looking at the impacts \[of expiring root certificates\] and how we can fix them."

Though Edwards stresses he's "optimistic" about those conversations and the push for cybersecurity considerations during the procurement process, he believes more regulatory oversight is also needed.

"Something like a baseline standard of care that perhaps includes language on how to maintain the integrity of a certificate system," Edwards says. "There's been discussions between various standards groups and governments about traceability for mission-critical devices, for example."

As for Helme, he'd love to see enterprise machines set for updates in a way that's realistic and not arduous for the user or the manufacturer — a new certificate issued and update downloaded every five years, perhaps. But manufacturers won't be incentivized to do that unless enterprise customers push for it, he notes.

"In general, I do think that this is something the industry needs to fix," Edwards agrees. "The good news is most of these challenges aren't necessarily technological. It's more about knowing how it all works, and getting the right people and procedures in place."

Source

DARKReading