The attack may have been "a major wake-up call" about the need for greater resilience in IT environments, but have security teams hit the snooze bar one too many times?

Cybersecurity experts have warned about vulnerabilities within the critical infrastructure for years. It came to fruition in May 2021, when Colonial Pipeline was hit with a ransomware attack. The response, of course, was the company temporarily shut down oil and gasoline delivery, which resulted in major panic and shortages all over the East Coast.

"The Colonial Pipeline attack was a major wake-up call to improve cyber defenses for critical infrastructure," says Tom Badders, senior product manager at Telos. "The attack vector for ransomware has typically been targeted to information technology networks. This was the first major attack on an operational technology network."

The attack brought much-needed attention to risks to the critical infrastructure and how something as simple as a stolen password can create a national nightmare. The immediate response was to come up with ways to prevent a similar attack (and there has not been one as of yet), but over the past year, have we really learned any lessons from Colonial Pipeline? Has anything changed in the way we think about protecting our systems, particularly critical infrastructure?

**Wake-Up Call  
**The Colonial Pipeline attack offered everyone, from government officials to ordinary citizens, a glimpse into what could happen and why it is vital to have a good security team with a solid mitigation plan in place, says Willy Leichter, CMO at LogicHub.  

"In terms of wake-up calls, the Colonial Pipeline cyberattack was a good jolt of caffeine to the country," he says. "The Colonial security teams acted quickly, cautiously, and probably correctly to shut down the pipeline, although it took six days to get it back online."

But then the country hit the snooze button.

"Unfortunately, I think very little has changed," says Den Jones, CSO at Banyan Security.

Many companies still operate under the "it won't happen to me" assumption, Jones points out, and smaller organizations don't have the resources in place — or don't think they need them — to address a major cyber incident. When organizations do have security teams in place, they are spread thin.

"And perhaps worst of all," Jones adds, "organizations of all shapes and sizes haven't dramatically improved their basic security hygiene. This includes having sound, repeatable, audible processes for keeping systems patched and up to date, directory systems current, and making use of important tools like MFA. Remember, having a process doesn't mean it has to be complicated."

**Some Progress Made  
**Little change isn't the same as no change, however. There have been signs of progress in the wake of the Colonial Pipeline attack.

"Government agencies have been more active in issuing security recommendations and creating much stricter rules about breach notification," says Leichter. Days after the ransomware attack was revealed, for example, the White House released an executive order requiring improvements to federal cybersecurity efforts. At the state level, more than 250 bills were introduced that deal directly with improving cybersecurity both overall and to directly protect government entities.

In addition, operational technology security services demand has doubled since Colonial Pipeline, according to Darren Van Booven, cyber advisory practice lead at Trustwave. The increase, he says, "has mostly been driven from the board and C-level as a direct response to Colonial Pipeline. Organization leaders are calling for security system audits and assessments, ransomware protection strategies, and detection and response capabilities for advanced threats, such as cybergangs."

Another positive to come from the Colonial Pipeline attack was the public/private partnership to get the pipeline back into operational mode quickly. That effort has continued to see positive steps forward with the Biden administration's prioritization of such cooperation, codified by the Cybersecurity and Infrastructure Security Agency (CISA) when it launched the Joint Cyber Defense Collective to coordinate government and industry response to cyberattacks.

"Eighty-five percent of the nation's critical infrastructure is managed by the private sector," says Telos' Badders. "These organizations need the support of the US government to defend the country's vital infrastructure."

**The Bad Guys Are Learning, Too  
**One of the greatest challenges facing cybersecurity teams is the knowledge that threat actors have access to the same technologies and intelligence that they do.

"The Colonial Pipeline ransomware attack exposed weaknesses in the US's critical infrastructure," says Jason Rebholz, CISO at Corvus Insurance. "For nation-states such as Russia, it served as a case study on how a single cyberattack can cause devastating impacts and incite chaos. The significance of that knowledge, given the current geopolitical environment, is cause for concern."

The bad guys may also be learning another lesson: targeting US critical infrastructure was too risky. 

"Following the Colonial Pipeline attack, the DarkSide ransomware infrastructure was shut down and a portion of the ransom payment paid in Bitcoin was actually recovered," Rebholz explains. "Ransomware actors saw that they could not operate without repercussions — a clear line in the sand had been drawn."

**Where Do We Go From Here?  
**Colonial Pipeline's ransomware attack highlights the need for greater resilience in IT environments. "Security is no longer about only keeping the bad actors out but must include building a malleable environment that can withstand attacks," says Rebholz.

Moving forward in a post-Colonial Pipeline cyber environment, organizations are making adjustments. Cyber insurance carriers, for example, have implemented mandatory controls including, but not limited to, network segmentation and robust backup solutions, resulting in the number of ransomware claims requiring a ransom payment decreasing. And the concept of zero trust, with the US government's endorsement, is getting more attention as a security approach.

"This attack showed that perimeter security can be defeated with a single password," says LogicHub's Leichter. "We must have defense-in-depth that understands context \[and\] assumes that threats can come from anywhere, and security systems \[that\] have the ability to detect and respond to new attacks at any stage."

What We've Learned in the 12 Months Since the Colonial Pipeline Attack

An operational slip-up led security researchers to an attacker associated with Nigerian letter scams and malware distribution, after he infected himself with Agent Tesla.

In what can only be described as a case of karmic irony, a Nigerian scammer responsible for stealing more than 800,000 credentials from some 28,000 victims over the past several years recently infected his own machine with info-stealing malware that resulted in his identity being exposed.

Researchers from Malwarebytes got on his trail when they identified a group they track as "Nigerian Tesla" among numerous threat actors targeting Ukrainian entities. Malwarebytes had tracked the group for years initially while it was engaged in a string of so-called 419 advance fee fraud (aka Nigerian letter scams), where victims receive emails promising them a generous commission for facilitating a money transfer involving a large sum.

Over the past two years, Malwarebytes researchers had observed the threat actor switching from 419 scams to distributing Agent Tesla, a widely used remote-access Trojan (RAT) for stealing personal data from infected systems.

Malwarebytes recently identified Nigerian Tesla attempting to distribute the malware via an email with a subject header titled "Final Payment" in Ukrainian. Recipients who clicked on the link in the email were directed to a file-sharing site, which then downloaded the Agent Tesla binary to the user's system.

The attack chain involved the command-and-control server (C2) sending a message to Agent Tesla on infected systems, designed to confirm that the malware had been properly configured for remote communication. In examining the campaign, researchers detected an oddity — multiple messages containing the text "Test successful" coming from the attacker's own machine. There's only one logical conclusion: The attacker had somehow managed to self-inflict Agent Tesla malware.

A member of Malwarebytes' threat intelligence team tells Dark Reading that the threat actor made several mistakes: "The biggest one was to infect his own computer with the Agent Tesla stealer," he says. "By doing so, all the credentials from their machine, stored in common applications such as browsers, were collected and exfiltrated. In a sense, they became just another victim, but in this case of their own malware."

An examination of the test emails exposed the attacker's IP address, which then led the researchers down a path that ultimately revealed to them the attacker's real identity, address, photos, and a copy of his Nigerian driver's license.

**A Trail of Bread Crumbs**  
One of the first things Malwarebytes discovered when investigating the threat actor's IP address was that he had sent more than two dozen additional emails from the same IP address. The researchers were unable to figure how the attacker had managed to infect his own system. But the emails revealed several other services that the threat actor used as part of his attack infrastructure.

These included a service that could be used as a source for victim emails, another for extracting emails from compromised systems, file hosting and storage services, virtual private servers, and VPN and DNS services. The researchers also discovered several assumed names that the Nigerian Tesla group used in past email scams, along with numerous email accounts that were used in phishing scams and data theft campaigns.

An investigation of the emails and the personae associated with them showed that the Nigerian Tesla group had been engaged in criminal cyber activities going back to at least 2014. At that time the group was primarily engaged in 419 scams involving emails from fictitious people going by names such as Rita Bent, Lee Chen, and John Cooper. Malwarebytes found the threat making a switch to malware distribution in 2020, and identified the tools the attacker used to obfuscate their binaries and to test whether they could be detected.

During their investigation Malwarebytes researchers found a couple of photos of the individual that appeared to have started the operation, as well as the Agent Tesla-infected person's driver's license. Malwarebytes identified the individual only as "E.K" and as someone born in 1985.

Scammer Infects His Own Machine With Spyware, Reveals True Identity

By Deeba Ahmed
The malware Raspberry Robin is distributed via external drives and uses Microsoft Standard installer to execute malicious commands.…
This is a post from HackRead.com Read the original post: USB-based Wormable Raspberry Robin Malware Targeting Windows Installer

The malware Raspberry Robin is distributed via external drives and uses Microsoft Standard installer to execute malicious commands.

Red Canary’s Detection Engineering team has discovered a new worm-like Windows malware being distributed via removable USB drives. The malware was detected in several customer networks, mainly in the manufacturing and technology sectors.

**About Raspberry Robin**

Red Canary intelligence analysts attributed the malware to the Raspberry Robin cluster, noting that the worm leverages “Windows Installer” to access QNAP-linked domains and download a malicious DLL.

Raspberry Robin’s activity was first documented in September 2021. The operator’s objective is unclear, and researchers are also clueless about when and how the external drives get infected. They suspect that this infection occurs offline.

**Attack Chain Details**

> Raspberry Robin’s attack chain starts with connecting an infected external/USB drive to a Windows device. Researchers noted that adversaries use msiexec.exe to deliver malware while “Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes.
> 
> Lauren Podber and Stef Rand  
> Red Canary

The external drive is equipped with the worm payload that appears as a .LNK shortcut file in a legit folder. The worm creates a new process using cmd.exe to read/execute the malicious file on the USB drive.

According to Red Canary’s blog post, once this is done, the worm launches explorer.exe and msiexec.exe. The latter is used to establish network communication with a rogue domain and for downloading/installing the DLL library file.

Raspberry Robin event outline (Red Canary)

This DLL file is loaded and executed using legitimate Windows utilities like rundll32.exe, fodhelper.exe, and odbcconf.exe to bypass the UAC (User Account Control). Researchers also detected an outbound C2 contact involving regsvr32.exe, dllhost.exe, and rundll32.exe processes to IP addresses linked with Tor nodes.

Regarding why the worm installs a malicious DLL, the researchers were unclear. They hypothesized that it could be done to maintain persistence on the infected machine.

**More Windows Malware News**

1.  Beware of Fake Windows 11 Update Delivering Malware
2.  LodaRAT Windows malware now hunting Android devices
3.  New malware tool can steal files from air-gapped PCs using USBs
4.  PyMICROPSIA Windows malware steals browsing data, records audio
5.  Fake Windows website dropped Redline malware as Windows 11 upgrade

USB-based Wormable Raspberry Robin Malware Targeting Windows Installer

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 29 and May 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics,...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

Threat Roundup for April 29 to May 6

Activity dubbed ‘Raspberry Robin’ uses Microsoft Standard Installer and other legitimate processes to communicate with threat actors and execute nefarious commands.

Activity dubbed ‘Raspberry Robin’ uses Microsoft Standard Installer and other legitimate processes to communicate with threat actors and execute nefarious commands.

Credit: Red Canary

Wormable malware dubbed Raspberry Robin has been active since last September and  is wriggling its way through USB drives onto Windows machines to use Microsoft Standard Installer and other legitimate processes to install malicious files, researchers have found.

Researchers at Red Canary Intelligence first began tracking the malicious activity in the fall when it began as a handful of detections with similar characteristics first observed in multiple customers’ environments by Jason Killam from Red Canary’s Detection Engineering team.

Once the worm spreads via a USB drive to someone’s machine, the activity relies on msiexec.exe to call out to its infrastructure–which is often comprised of QNAP devices–using HTTP requests that contain a victim’s user and device names, Red Canary’s Lauren Podber and Stef Rand wrote in a blog post published Thursday.

Researchers also observed Raspberry Robin use TOR exit nodes as additional command and control (C&C) infrastructure, they wrote. Eventually the worm installs malicious dynamic link library (DLL) files found on the infected USB.

While researchers first noticed Raspberry Robin as early as September 2021, most of the activity observed by Red Canary occurred during January of this year, researchers said.

****Unanswered Questions****

Though researchers observed various processes and executions by the malicious activity, they acknowledged that these observations have left a number of unanswered questions.

The team has not yet figured out how or where Raspberry Robin infects external drives to perpetuate its activity, though it’s likely this infection occurs offline or “otherwise outside of our visibility,” researchers said.

They also don’t know why Raspberry Robin installs a malicious DLL, although they believe it may be to  attempt to establish persistence on an infected system–though there is not enough evidence to make this conclusive, researchers acknowledged.

However, the biggest question mark surrounding the worm is the objective of the threat actors behind it, researchers said.

“Absent additional information on later-stage activity, it’s difficult to make inferences on the goal or goals of these campaigns,” they acknowledged.

****Initial Access and Execution****

Infected removable drives—typically USB devices—introduce the Raspberry Robin worm as a shortcut LNK file masquerading as a legitimate folder on the infected USB device, researchers said. LNK files are Windows shortcuts that point to and are used to open another file, folder, or application.

Soon after the infected drive is connected to the system, the worm updates the UserAssist registry entry and records execution of a ROT13-ciphered value referencing a LNK file when deciphered. For example, researchers observed the value q:\\erpbirel.yax being deciphered to d:\\recovery.lnk, they wrote.

Execution commences when Raspberry Robin uses cmd.exe to read and execute a file stored on the infected external drive, researchers said.

“The command is consistent across Raspberry Robin detections we have seen so far, making it reliable early evidence of potential \[worm\] activity,” they noted.

In the next phase of execution, cmd.exe typically launches explorer.exe and msiexec.exe. The former’s command line can be a mixed-case reference to an external device–a person’s name, like LAUREN V; or the name of the LNK file, researchers said.

The worm “also extensively uses mixed-case letters in its commands,” most likely to avoid detection, researchers added.

****Secondary Execution****

Raspberry Robin uses the second executable launched, msiexec.exe , to attempt external network communication to a malicious domain for command and control purposes, researchers revealed.

In several examples of the activity that researchers have observed, the worm has used msiexec.exe to install a malicious DLL file although, as mentioned before, they still aren’t certain what the purpose of the DLL is.

The worm also uses msiexec.exe to launch a legitimate Windows utility, fodhelper.exe, which in turn spawns rundll32.exe to execute a malicious command, they observed.

“Processes launched by fodhelper.exe run with elevated administrative privileges without requiring a User Account Control prompt,” researchers noted. As this is unusual behavior for the utility, this activity can be used to detect the presence of Raspberry Robin on an infected machine, they said.

The rundll32.exe command then starts another legitimate Windows utility– odbcconf.exe–and passes in additional commands to execute and configure the recently-installed malicious DLL file, researchers said.

USB-based Wormable Malware Targets Windows Installer

From surveillance to search-and-rescue, consumer drones are having an unprecedented impact on Ukraine’s defense against Russia.

In the snowy streets of the north Ukrainian town of Trostyanets, the Russian missile system fires rockets every second. Tanks and military vehicles are parked on either side of the blasting artillery system, positioned among houses and near the town’s railway system. The weapon is not working alone, though. Hovering tens of meters above it and recording the assault is a Ukrainian drone. The drone isn’t a sophisticated military system, but a small, commercial machine that anyone can buy.

Since Vladimir Putin invaded Ukraine at the end of February, drones of all shapes and sizes have been used by both sides in the conflict. At one end of the scale are large military drones that can be used for aerial surveillance and to attack targets on the ground. In contrast, small commercial drones can be flown by people without any specific training and carried around in a suitcase-sized box. While both types of drones have been used in previous conflicts, the current scale of small, commercial drone use in Ukraine is unprecedented.

Drone videos shared and posted to social media depict the brutality of the war and reveal what has happened during battles. Drones have captured fighting in the destroyed Ukrainian city of Bucha, with lines of tanks moving around streets and troops moving alongside them. Commercial drones have helped journalists document the sheer scale of destruction in Kyiv and Mariupol, flying over burnt-out buildings that have been reduced to rubble.

Russian troops have been caught on camera allegedly shooting at citizens holding their hands in the air. Drone videos show Ukrainian troops shelling Russian positions, monitoring their movements in real time, and ambushing Russian troops. In one video, a drone spots Russian military vehicles leaving troops behind—they run after the transport and fall in the snow. In another, the drone hovers in the air and records a helicopter being shot down as it flies past.

“Drones changed the way the war was supposed to be,” says Valerii Iakovenko, the founder of Ukrainian drone company DroneUA. “It is all about intelligence, collecting and transferring data about enemy troops' movements or positionings, correcting artillery fire. It is about counter-saboteurs' actions, and it is of course search-and-rescue operations.” Iakovenko estimates that Ukrainian forces are operating more than 6,000 drones for reconnaissance and says these can link up with Elon Musk’s Starlink satellite systems to upload footage. “In 2014, drones became the center of attention of intelligence units, but their scale cannot be compared to what we see today,” he says. (Russia first began its invasion of Ukraine in 2014 with its annexation of Crimea.)

Both Ukraine and Russia have used military drones during the war—and Ukraine received donations of drones from the US. These military drones can often fly at high altitudes for long periods of time and fire upon targets, including ships. However, the use of smaller commercial drones in such high numbers stands out, researchers say. These drones, which can sometimes be flimsy and can’t fly far from their operators or stay in the air for long periods, have provided tactical advantages in some cases. (Commercial drones have been used in previous conflicts, for instance in Syria, but not as extensively as in Ukraine.)

A Ukranian serviceman stands next to a downed Russian drone in the area of a research institute, part of Ukraine's National Academy of Science, after a strike, in northwestern Kyiv, on March 22, 2022.

Photograph: ARIS MESSINIS/Getty Images

Civilian drone researcher Faine Greenwood has tracked and logged almost 350 incidents in which consumer drones have been used in Ukraine, with the video footage shared on Twitter, Telegram, YouTube, and other social media. Many of the clips, which Greenwood has also mapped, are recorded by military forces, but others have been captured by civilians and journalists. The documented incidents are likely to be only a small fraction of the drone usage in Ukraine. Iakovenko says that in addition to collecting footage for possible war crimes, drones are being used to inspect buildings that have been hit and to help restore power supplies that have been damaged or knocked out.

“You get cheap airborne surveillance, or even strike capabilities, by using these,” says Ulrike Franke, a senior policy fellow at the European Council on Foreign Relations who has studied the use of drones in war. The drones allow troops on the ground to immediately surveil forces around them, retarget weapons, and take action that could stop enemy advances or save lives. “You have individuals or small militia groups that all of a sudden have their own airborne surveillance capability—that’s something you wouldn’t have had 10 years ago. There certainly have been tactical advances and tactical victories because of that.”

Beyond providing direct surveillance that can contribute to intelligence, the videos being captured by consumer drones could contribute to accountability after the war ends. “This is one of the first cases we have had where drones have collected so much really applicable information for war crimes investigations against civilians,” Greenwood says. Although there are questions about what kinds of footage will be admissible in trials, Greenwood and others are backing up and saving video from drones in Ukraine.

Chief among the commercial drones being used in Ukraine are those from Chinese firm DJI, particularly its Mavic line of devices. Its consumer drones are considered to be some of the easiest to purchase and fly. Both Ukrainian and Russian forces have been seen using the drones, Greenwood says. Early in the war, Ukrainian authorities accused DJI of allowing Russian forces to use its drone detection system to target troops, although the company strongly denies this and no strong evidence has been presented.

At the end of April, DJI announced it was temporarily suspending sales in both Russia and Ukraine. The company has consistently said it doesn’t market its products for military use, and it has refused to enable modifications that would allow such use. “DJI has taken this action not to make a statement about any country, but to make a statement about our principles,” DJI spokesperson Adam Lisberg says. “DJI abhors any use of our drones to cause harm, and we are temporarily suspending sales in these countries in order to help ensure no one uses our drones in combat.”

Despite DJI’s opposition to military uses of its products, the drones have been weaponized during the war. “I don't think people have expected commercial DJI drones to be used at such scale,” says Samuel Bendett, an advisor with nonprofit research organization CNA who focuses on Russia and unmanned and autonomous military systems. “This raises the question of whether drone proliferation can be stopped altogether in any conflict.” Charities, companies, and individuals have donated consumer drones from around the world to Ukrainian forces. (Greenwood says they have seen claims that the Russian military is being supplied with donated drones, too. They also point out Telegram messages that claim to show pro-Russian fighters discussing the use of commercial drones).

While the use of consumer drones in conflicts is not new, the machines are not designed for a hostile environment. “The downside of these drones is that they're not military-grade,” Bendett says, adding they can be targeted by anti-drone technology designed to take them out of the sky. All the drone specialists we spoke to for this article say they haven’t seen as many incidents of drones being shot out of the sky as they would have expected—particularly by Russian forces.

“Flying a simple commercial drone in conflict puts the operators in danger as well,” Bendett says. Civilians, journalists, and humanitarian workers using drones in Ukraine are being put at greater risk when they fly consumer drones, Greenwood adds. “The big problem with consumer drones and conflict zones, which humanitarian aid workers are very conscious of, is that you can't tell them apart; they look exactly the same.” A consumer drone being flown by a civilian appears no different from the same drone being flown by a soldier.

This means there are questions about what will happen under humanitarian laws if people flying drones are targeted, Greenwood says. “What happens if an aid worker is flying a drone and people assume it's a drone, it must be being flown by a combatant, and therefore this is a valid target and I'm going to kill it?”

Small Drones Are Giving Ukraine an Unprecedented Edge

A pay-per-install (PPI) malware service known as PrivateLoader has been spotted distributing a "fairly sophisticated" framework called NetDooka, granting attackers complete control over the infected devices.
"The framework is distributed via a pay-per-install (PPI) service and contains multiple parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (

A pay-per-install (PPI) malware service known as PrivateLoader has been spotted distributing a "fairly sophisticated" framework called NetDooka, granting attackers complete control over the infected devices.

"The framework is distributed via a pay-per-install (PPI) service and contains multiple parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (RAT) that implements its own network communication protocol," Trend Micro said in a report published Thursday.

PrivateLoader, as documented by Intel 471 in February 2022, functions as a downloader responsible for downloading and installing additional malware onto the infected system, including SmokeLoader, RedLine Stealer, Vidar, Raccoon, GCleaner, and Anubis.

Featuring anti-analysis techniques, PrivateLoader is written in the C++ programming language and is said to be in active development, with the downloader malware family gaining traction among multiple threat actors.

PrivateLoader infections are typically propagated through pirated software downloaded from rogue websites that are pushed to the top of search results via search engine optimization (SEO) poisoning techniques.

"PrivateLoader is currently used to distribute ransomware, stealer, banker, and other commodity malware," Zscaler noted last week. "The loader will likely continue to be updated with new features and functionality to evade detection and effectively deliver second-stage malware payloads."

The framework, still in its development phase, contains different modules: a dropper, a loader, a kernel-mode process and file protection driver, and a remote access trojan that uses a custom protocol to communicate with the command-and-control (C2) server.

The newly observed set of infections involving the NetDooka framework commences with PrivateLoader acting as a conduit to deploy a dropper component, which then decrypts and executes a loader that, in turn, retrieves another dropper from a remote server to install a full-featured trojan as well as a kernel driver.

"The driver component acts as a kernel-level protection for the RAT component," researchers Aliakbar Zahravi and Leandro Froes said. "It does this by attempting to prevent the file deletion and process termination of the RAT component."

The backdoor, dubbed NetDookaRAT, is notable for its breadth of functionality, enabling it to run commands on the target's device, carry out distributed denial-of-service (DDoS) attacks, access and send files, log keystrokes, and download and execute additional payloads.

This indicates that NetDooka's capabilities not only allow it to act as an entry point for other malware, but can also be weaponized to steal sensitive information and form remote-controlled botnets.

"PPI malware services allow malware creators to easily deploy their payloads," Zahravi and Froes concluded.

"The use of a malicious driver creates a large attack surface for attackers to exploit, while also allowing them to take advantage of approaches such as protecting processes and files, bypassing antivirus programs, and hiding the malware or its network communications from the system."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Using PrivateLoader PPI Service to Distribute New NetDooka Malware

April 2022 saw the arrival of three new ransomware gangs and the unwelcome return of an old enemy.
The post Ransomware: April 2022 review appeared first on Malwarebytes Labs.

The Malwarebytes Threat Intelligence team monitors the threat landscape continuously and produces monthly ransomware reports based on a mixture of proprietary and open-source intelligence.

April 2022 was most notable for the emergence of three new ransomware-as-a-service (RaaS) groups—**Onyx**, **Mindware**, and **Black Basta**—as well as the unwelcome return of **REvil**, one of the world’s most notorious and dangerous ransomware operations.

**An old enemy returns**

**REvil** (aka Sodinokibi) first appeared in May 2020 and has been responsible for numerous high-profile ransomware attacks, including arguably the biggest ransomware attack of all time—a supply-chain attack on Kaseya VSA in July 2021 that is thought to have affected over 1,000 businesses.

REvil disappeared shortly after the Kaseya attack, only to emerge again a few months later, before being forced offline on October 21, 2021, by a multi-country operation. A string of arrests followed, and then in January—in an act of unprecedented co-operation—Russia’s Federal Security Service (FSB) announced that it had dismantled the REvil group and charged its members, thanks to information provided by the USA.

REvil now seems to have returned to the fray with new payloads, and a new leak blog displaying a mixture of new victims and old victims known to have been attacked by REvil.

**New gangs emerge**

**Black Basta** made a name for itself very quickly by coming out of nowhere and carrying out at least eleven successful breaches in April 2022. That ability to perform so many attacks so quickly has led some to speculate that Black Basta is a re-brand of an existing group that already has affiliates.

**Onyx** is a new ransomware gang based on the old Chaos builder. At first, some suspected that Onyx may be a wiper rather than ransomware because it destroyed files larger than 2MB instead of encrypting them. It seems likely that this behavior is the result of a bug in the notoriously poorly-written ransomware builder though.

Another newly-emerged gang is **Mindware**, which appears to have started operations in mid-March using a well-known ransomware strain called SFile2 (aka Escal)—but it was not until April that it began to practice “double extortion”, where data is stolen before it’s encrypted so that victims are faced with the twin threats of data they can’t decrypt, and leaks of sensitive information.

****Ransomware attacks in April 2022****

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

****Attacks by ransomware type****

Despite its rapid start, the activities of Black Basta and the other newly-emerged types of ransomware were dwarfed in April by three established threats: LockBit, Conti, and AlphV, which made up 60 percent of all the known breaches in our analysis.

Known ransomware attacks in April 2022 by type of ransomware

Known ransomware attacks in April 2022 by country

Known ransomware attacks in April 2022 by industry

****Ransomware mitigations****

Source: IC3.gov

*   Implement regular backups of all data to be stored as air-gapped, password-protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
*   Implement network segmentation, such that all machines on your network are not accessible from every other machine.
*   Install and regularly update antivirus software on all hosts, and enable real-time detection.
*   Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
*   Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
*   Audit user accounts with administrative privileges and configures access controls with the least privilege in mind. Do not give all users administrative privileges.
*   Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
*   Consider adding an email banner to emails received from outside your organization.
*   Disable hyperlinks in received emails.
*   Use double authentication when logging into accounts or services.
*   Ensure routine auditing is conducted for all accounts.
*   Ensure all the identified IOCs are input into the network SIEM for continuous monitoring and alerts.

****How Malwarebytes protects against ransomware****

Malwarebytes can protect systems against all ransomware variants in several ways.

The Malwarebytes Anti-Malware technology detects malicious files, browser modifications, and system modifications on Windows PCs using a combination of signature-based and signatureless technologies. This layer of protection detects the Ransomware binary itself. Detections can happen in real-time as the binary is run or the infection can be rooted out from an already-compromised machine by conducting a full system scan.

Anti-Ransomware is a signatureless technology in charge of monitoring system activity of processes against a certain subset of data in specific locations on the endpoint. Using patented technology, Anti-Ransomware assesses changes in those data files. If an internal scoring threshold is crossed by a monitored process, it triggers a detection from the Anti-Ransomware component.

For those already infected, Ransomware Rollback can help recover encrypted files within 72 hours of the attack. Rollback creates a local cache on the endpoint to store changes to files on the system. It can use this cache to help revert changes caused by a threat. The rollback feature is dependent on activity monitoring available in Malwarebytes Endpoint Detection and Response.

Ransomware: April 2022 review

The same attack that allowed a threat actor to steal data from private Heroku GitHub repositories also resulted in the compromise of customer credentials, the company now says.

Salesforce subsidiary Heroku on Thursday said that the threat actor that stole Heroku GitHub integration OAuth tokens in April also accessed an internal database containing hashed and salted passwords belonging to the company's customers.

The discovery prompted Heroku to force a reset of all compromised user passwords and rotate internal Heroku credentials as well. In a security notification, which the company has been constantly updating since April 15, Heroku said it had also put additional detection mechanisms in place to mitigate future issues, without elaborating on what they were.

"We continue to work diligently in response to this Heroku incident first announced on April 15, 2022," the platform-as-a-service vendor said. "We worked with GitHub, our threat intelligence vendors, other industry partners, and have been in touch with law enforcement to assist in our investigation."

**Refresher: The Original GitHub Repo Breach**  
GitHub on April 13 disclosed to Heroku that it had detected a threat actor downloading a subset of Heroku's GitHub private repositories, including source code, on April 9. Heroku said GitHub had notified it about the threat actor gaining access to OAuth tokens issued to the company and using them to enumerate customer accounts. Heroku described the tokens as giving the threat actor read and write access to private customer GitHub repos connected to Heroku.

In an April 15 blog, GitHub CSO Mike Hanley said the threat actor used OAuth user tokens issued to Heroku and another third-party integrator, Travis-CI, to download data from repositories belonging to dozens of organizations, including npm, the node package manager used by millions of developers worldwide.

Hanley said GitHub's investigation showed the attackers also mined the contents of the downloaded GitHub private repositories for data that could be used to attack other infrastructure. He added that the attacks appeared highly targeted because of the way the attackers used the stolen OAuth tokens: First, they listed all the impacted organizations, then selected private repositories of interest and cloned them.

Heroku's investigation of the incident showed that the threat actor had used a stolen OAuth token associated with an internal "machine account" to access a Heroku database containing OAuth tokens that are used for customer GitHub integration.

The threat actor gained access to the Heroku database on April 7 and downloaded the stored tokens — then used them to download customer data two days later, Heroku said. Following that discovery, Heroku revoked all its GitHub integration OAuth tokens to prevent customers from deploying apps via GitHub using Heroku's dashboard or automation.

**Broader Impact Than Initially Assumed**  
Heroku on Thursday said that its ongoing investigation of the breach showed the attacker had used the same machine-account OAuth token to access the internal database containing the hashed usernames and passwords belonging to the company's customers.

The incident has highlighted why organizations need to pay close attention to the security of their OAuth authentication mechanisms, security experts say.

Casey Bisson, head of product and developer relations at BluBracket, says an attack using OAuth tokens can interact with the service that issued the tokens using all the permissions that were granted to the original client. "People and companies depend on OAuth integrations to securely allow another service to access code in private repos, as is needed to support CI tests and run code coverage reports," he says, pointing to two examples.

**OAuth: Better Account Protection, As Long as Tokens Are Safe**  
Compared to the alternative of sharing passwords between services, OAuth tokens enable more secure data sharing. For example, if it had been passwords that were stolen, the level of access the attackers might have gained would likely be even greater. And the initial mitigation and long-term fix would become more complex, Bisson says.

However, OAuth tokens are commonly used to automate cloud services such as code repositories and DevOps pipelines, notes Ray Kelly, fellow at NTT Application Security. So, a malicious actor with a stolen token can steal corporate IP or modify source code in repositories such as GitHub. Or they could use it to spread malware or steal sensitive data from organizations, he says. "Special care should always be taken when it comes to protecting tokens. They should never be publicly available or shared outside of the organization," Kelly says.

GitHub itself has said that starting the end of 2023, it would require all developers who contribute code to the repository to use multifactor authentication to access their accounts. The company described it as a move designed to bolster the security of code and IP stored in GitHub repositories amid a surge in attacks targeting the software supply chain.

Heroku: Cyberattacker Used Stolen OAuth Tokens to Steal Customer Account Credentials

By Waqas
CIA’s darknet website will be accessible to Russians through the Tor internet browser. The Central Intelligence Agency (CIA)…
This is a post from HackRead.com Read the original post: CIA Wants Russians to Share Secret Info with the Agency via its Darknet Site

**CIA’s darknet website will be accessible to Russians through the Tor internet browser.**

The Central Intelligence Agency (CIA) of the United States has issued instructions for Russians unhappy with their president Vladimir Putin’s invasion of Ukraine and trying to get in touch with the agency.

The CIA has published a comprehensive guide in English and Russian languages on how Russian citizens can share secrets with the agency. The guidelines appeared on the agency’s Instagram page on Monday. 

> “Our global mission demands that individuals can contact us securely from anywhere.”
> 
> CIA

**About CIA’s Darknet Site**

The step-by-step guide explains how “concerned Russians” can access the CIA’s darknet site, which is exactly like its regular homepage but can be accessed only via the encryption-based Tor anonymity browser.

It is worth noting that the CIA’s darknet site was launched in 2019 and is accessible through The Onion Router, aka Tor browser. The browser routes internet traffic across multiple third parties to hide the user’s location and identity.

Once downloaded, the browser requires users to enter a long string of characters followed by .onion to strip away any tracking of users’ digital activities, such as through cookies.

**More Darknet aka Dark Web News**

1.  Latest Top 6 Dark Web Search Engines for 2022
2.  Tor Anonymity: Things NOT To Do While Using Tor
3.  Records with data on 129M Russian car owners sold on dark web
4.  Russian Dark Web Market Hydra Taken Down; $25M in BTC Seized
5.  Twitter Goes on Tor with New Dark Web Domain to Evade Censorship

**CIA Urges Russian Tipsters to be Careful**

The CIA claims that it isn’t safe to directly engage America in the Russian domestic issues “physically or virtually,” hence, it has requested Russians to contact them securely via Tor since it will protect them from Russian snooping.

“There are concerned Russians who are desperately trying to reach the CIA,” a CIA official quoted by AP, declining to mention how many Russians have tried to contact the agency so far.

CIA has requested “tipsters” to provide their full name and country from where they are contacting the agency, their official position, and the information they intend to deliver. The agency asked the tipsters not to use their office or home computer to connect with the agency.

Moreover, the CIA urged Russians to use a VPN based out of Russia, China, or any country that’s not a US ally and avoid using free VPN services to evade online monitoring.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Tag

#intel