By Waqas
Cybercriminals are leveraging two exploit chains (ProxyNotShell/OWASSRF) to target Microsoft Exchange servers, as warned by Bitdefender Labs.
This is a post from HackRead.com Read the original post: New Wave of Cyberattacks Targeting MS Exchange Servers

Most of the attacks occurred in the U.S. in November 2022, but some organizations in Austria, Poland, and Turkey were also targeted.

Bitdefender Labs has shared its findings on a new wave of untargeted cyberattacks in which attackers are abusing two exploit chains to target on-premises **MS Exchange servers**.

**Findings Review**

Bitdefender noted that, at the end of November 2022, there was an increase in attacks leveraging two exploit chains identified as **ProxyNotShell** and OWASSRF to target MS Exchange servers. The researchers found that cybercriminals prefer to exploit on-premises Exchange servers 2013, 2016, and 2019.

**Vulnerabilities explained**

Attackers use two tactics in their new attacks against the MS Exchange servers. The first is the ProxyNotShell vulnerability, a combination of two already-disclosed vulnerabilities tracked as **CVE-2022-41082** and **CVE-2022-41080**. It requires threat actors to authenticate to the vulnerable server; this vulnerability was patched in November 2022.

OWASSRF is the other vulnerability exploited in this attack chain. This exploit uses the same two vulnerabilities but in a different way. It is capable of bypassing the ProxyNotShell mitigation solutions; it was used in the Rackspace attack in December 2022.

**Attack Details**

Technically, the attack is called **server-side request forgeries/SSRF**. It allows threat actors to send a specially crafted request from a vulnerable server to another server to access resources and fulfil their malicious objectives on the vulnerable server.

Using the two vulnerabilities will allow the attacker to carry out **remote code execution** if they have the login credentials. They don’t necessarily have to be an administrator to perform desired actions, as any account can be used.

Microsoft **patched** these vulnerabilities on September 30th and November 8th, 2022. This means only those companies that haven’t yet fixed their systems are at risk. Most of the attacks, according to Bitdefender’s **blog post**, occurred in the U.S. in November 2022, but some organizations in Austria, Poland, and Turkey were also targeted.

The attackers target companies from various sectors, including law and brokerage firms, real estate, consultancy firms, and wholesalers. So far, over 100,000 organizations worldwide have been targeted by SSRF attacks.

**What is SSRF Attack?**

SSRF attacks are increasingly popular among cybercriminals because, if a web app is vulnerable to SSRF, the attacker can send a request from the vulnerable server to any local network resource which isn’t otherwise accessible to the attacker. Otherwise, the attacker would send a request to an external server, e.g., a cloud platform, to carry out specific actions on behalf of the vulnerable server.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

New Wave of Cyberattacks Targeting MS Exchange Servers

The security vulnerability allows attackers to spoof a target certificate and masquerade as any website, among other things.

Researchers have developed a proof-of-concept (PoC) exploit for a public x.509 certificate-spoofing vulnerability in the Windows CryptoAPI that the NSA and the National Cyber Security Center (NCSC) reported to Microsoft last year.

Microsoft quietly patched the bug, tracked as CVE-2022-34689, in its August 2022 monthly Patch Tuesday security update, but only publicly disclosed it in October. At the time, it assessed the vulnerability as one that attackers were more likely to exploit. But it offered scant details on the bug or how an attacker might exploit it.

"When the patch was released, this bug was missing from \[Microsoft's\] release notes," says Yoni Rozenshein, security researcher at Akamai. "It was announced retroactively two months later, in October, and there seems to be no information available that describes the vulnerability and how it's exploited."

**Proof-of-Concept Attack for CVE-2022-34689**

Researchers at Akamai who have been analyzing the vulnerability for the past several months this week released details of an attack they developed for it, which they said would allow attackers to spoof the target certificate and masquerade as any website, with the ability to take a variety of malicious actions.  
"The vulnerable browser would show the green lock icon indicating a secure connection even though the connection is completely controlled by the attacker," Rozenshein says. He described Akamai's PoC for it as the first for the bug.

CryptoAPI is a Windows application programming interface that developers use to enable support for cryptography for their applications. One of CryptoAPI's roles is to verify the authenticity of digital certificates. And it is in this function where the vulnerability exists, Rozenshein says.

To verify the authenticity of a certificate, CryptoAPI first checks to see if it already exists in the receiving application's certificate cache. If it does, CryptoAPI treats the received certificate as verified. Prior to Microsoft's patch for it, CryptoAPI determined whether a received certificate was already in the certificate cache or not merely by comparing MD5 hash thumbprints. If the received certificate's MD5 thumbprint matched the MD5 thumbprint of a certificate in cache, CryptoAPI treated the received certificate as verified, even if the actual contents of the two certificates did not match exactly.

That opens the door for cyberattackers to introduce an imposter certificate.

**MD5 Thumbprints: An Incorrect Assumption**

Prior to the patch, "Microsoft inherently trusts the validity of cached certificates and doesn’t perform any additional validity checks after an end certificate is found in the cache," Akamai said in its report. While this by itself is a reasonable assumption, CryptoAPI's trust that two end certificates are identical if their MD5 thumbprints match "is an incorrect assumption that can be exploited, and was the genesis of the patch," Akamai noted.

To prove how an attacker could exploit the issue, Akamai researchers first generated two certificates — one legitimately signed and the other malicious — and rigged them so they would both end up having the same MD5 thumbprints. They then devised a way to serve the first, legitimate certificate to an application with a vulnerable version of CryptoAPI (in this case, an old version of Chrome — v48). Once the application had verified the certificate and stored it in its end certificate cache, Akamai showed how an attacker could then use a man-in-the-middle attack to serve the second malicious certificate to the same application and have it be verified as authentic.

Two conditions need to exist for the attack to work, Rozenshein says. One is that the application needs to be missing the Windows patch that Microsoft released last August. The other is that the application must use CryptoAPI for certificate verification and enable a CryptoAPI feature called "end certificate caching." The feature is disabled by default on CryptoAPI, but some applications enable it to boost performance. It is these applications that attackers can target, if an organization has not patched them.

"We are still actively researching and looking to find more vulnerable applications," Rozenshein says.

**Easy to Exploit**

Rozenshein says an attacker with control over a network can exploit the flaw without much difficulty. "They will need to compute an MD5 collision, but this can be done in advance, cheaply and in only a few hours," he says pointing to previous research that has shown how it is possible for an attacker to generate two certificates with the same MD5 thumbprint.

Once the MD5 thumbprint is calculated, the attack can be carried out easily, Rozenshein says. How an attacker carries out the next two phases of the attack (serving the two certificates) depends on the type of application being targeted, he adds: "In the case of Web browsers, we have found that simply resetting the connection after the first phase has been completed causes the browser to immediately try to reconnect. This is when the attack switches to the second phase."

Microsoft did not immediately respond to a request for comment on Akamai's research or PoC attack.

CVE-2022-34689 is the second flaw in CryptoAPI that the NSA has disclosed to Microsoft in recent years. In 2020, they reported a similar issue, tracked as CVE-2020-061, or the Curveball vulnerability. Akamai assessed the more recently disclosed flaw as presenting less of a threat than CurveBall because there are more prerequisites attached to it and therefore has a more limited scope of vulnerable targets.

Researchers Pioneer PoC Exploit for NSA-Reported Bug in Windows CryptoAPI

A massive campaign has infected over 4,500 WordPress websites as part of a long-running operation that's been believed to be active since at least 2017.
According to GoDaddy-owned Sucuri, the infections involve the injection of obfuscated JavaScript hosted on a malicious domain named "track[.]violetlovelines[.]com" that's designed to redirect visitors to unwanted sites.
The latest operation is

Website Security / WordPress

A massive campaign has infected over 4,500 WordPress websites as part of a long-running operation that's been believed to be active since at least 2017.

According to GoDaddy-owned Sucuri, the infections involve the injection of obfuscated JavaScript hosted on a malicious domain named "track\[.\]violetlovelines\[.\]com" that's designed to redirect visitors to unwanted sites.

The latest operation is said to have been active since December 26, 2022, according to data from urlscan.io. A prior wave seen in early December 2022 impacted more than 3,600 sites, while another set of attacks recorded in September 2022 ensnared more than 7,000 sites.

The rogue code is inserted in the WordPress index.php file, with Sucuri noting that it has removed such changes from more than 33,000 files on the compromised sites in the past 60 days.

"In recent months, this malware campaign has gradually switched from the notorious fake CAPTCHA push notification scam pages to black hat 'ad networks' that alternate between redirects to legitimate, sketchy, and purely malicious websites," Sucuri researcher Denis Sinegubko said.

Thus when unsuspecting users land on one of the hacked WordPress sites, a redirect chain is triggered by means of a traffic direction system, landing the victims on pages serving sketchy ads about products that ironically block unwanted ads.

Even more troublingly, the website for one such ad blocker named Crystal Blocker is engineered to display misleading browser update alerts to trick the users into installing its extension depending on the web browser used.

The browser extension is used by nearly 110,000 users spanning Google Chrome (60,000+), Microsoft Edge (40,000+), and Mozilla Firefox (8,635).

"And while the extensions indeed have ad blocking functionality, there is no guarantee that they are safe to use — and may contain undisclosed functions in the current version or in future updates," Sinegubko explained.

Some of the redirects also fall into the outright nefarious category, with the infected websites acting as a conduit for initiating drive-by downloads.

This also includes retrieving from Discord CDN an information-stealing malware known as Raccoon Stealer, which is capable of plundering sensitive data such as passwords, cookies, autofill data from browsers, and crypto wallets.

The findings come as threat actors are setting up lookalike websites for a variety of legitimate software to distribute stealers and trojans through malicious ads in Google search results.

Google has since stepped in to block one of the rogue domains involved in the redirect scheme, classifying it as an unsafe site that installs "unwanted or malicious software on visitors' computers."

To mitigate such threats, WordPress site owners are advised to change passwords and update installed themes and plugins as well as remove those that are unused or abandoned by their developers.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Over 4,500 WordPress Sites Hacked to Redirect Visitors to Sketchy Ad Pages

By Waqas
The service outage began on Wednesday, January 25th, 2023, at around 8:30 AM, Greenwich Mean Time (GMT).
This is a post from HackRead.com Read the original post: Micorosft Down – Xbox, Azure, MS365 and MS Teams  Down

Is Microsoft down at your end? You are not alone; many of the Microsoft services are down in many parts of the world.

Microsoft is experiencing a service outage. Its services, including Xbox Live, Minecraft, Microsoft Teams, Outlook, Azure, LinkedIn, and Microsoft 365, are down and unavailable for users around the world.

A look at Downdetector, a platform that tracks online service disruptions, shows users have been complaining about connectivity issues. On the other hand, Microsoft has acknowledged the issue and tweeted that “We’re investigating issues impacting multiple Microsoft 365 services.”

It is yet unclear whether these services are down due to a cyberattack or a result of a technical glitch. However, in a tweet update, Microsoft claimed to have identified “a potential networking issue” that the company believes is “causing impact.”

> We’ve isolated the problem to networking configuration issues, and we're analyzing the best mitigation strategy to address these without causing additional impact. Refer to the admin center MO502273 or https://t.co/lZs9s6KLnh for more information.
> 
> — Microsoft 365 Status (@MSFT365Status) January 25, 2023

Microsoft is working to mitigate the issue

It is worth noting that Microsoft Azure has over 700 million active users, with 85% of the Fortune 500 companies using Microsoft Cloud. Linkedin, which **Microsoft bought in 2016**, has over 900 million users across the globe. Microsoft Teams, a business communication platform, is home to over 270 million active users, while Xbox has almost 100 million users.

Here are some tweets from Microsoft users reacting to the issue:

Hackread.com is keeping an eye on the issue, and this article will be updated accordingly, so stay tuned!

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Micorosft Down – Xbox, Azure, MS365 and MS Teams  Down

By Waqas
It’s a decision tree that’s all about you (and your company). That’s a bit of an oversimplification, but…
This is a post from HackRead.com Read the original post: What is Stakeholder-Specific Vulnerability Categorization?

It’s a decision tree that’s all about you (and your company). That’s a bit of an oversimplification, but the idea behind a Stakeholder-Specific Vulnerability Categorization (**SSVC**) is that you should prioritize addressing your vulnerabilities in a way that benefits you and your organization. 

Once you’ve prioritized, there are things you can do to mitigate the risk from your most critical vulnerabilities. A **WAF solution** is one option, or you might consider other types of virtual patching to reduce your risk.

**Why Categorize Vulnerabilities**

If your company is like most, it faces overwhelming numbers of vulnerabilities from many different aspects. From human error **to backdoors** in open-source code embedded in your web apps, there’s no telling when you’ll be attacked or where the attack will come from. Unless you categorize.

Categorizing enables you to differentiate between low-risk vulnerabilities and critical threats. If you want to know which threat to neutralize first, categorization can help you sort that out. **Many vulnerabilities** don’t pose a threat or perhaps pose no immediate threat.

On the other hand, some of your weaknesses are highly susceptible to exploitation, and you need to remedy that as soon as possible.

It’s best to focus your limited resources on addressing threats that are likely to create a problem. Among other things, this might mean it’s easy or practical for an attacker to exploit them, it’s financially rewarding for an attacker (and thus **devastating to your company**), or your company can be used as a vector for a supply chain attack. 

However, if you have vulnerabilities that are highly impractical to exploit, for example, this might be a lower risk to you, and so it can wait to be patched until you’ve addressed more critical issues.

**What is SSVC?**

Aside from being a way to categorize that is tailored to your company, SSVC originated as a way for government agencies and critical infrastructure organizations to assess their cybersecurity weaknesses, and it is now an effective way for private companies to do the same.

CISA’s executive assistant director Eric Goldstein **explains** that this methodology was designed to assess vulnerabilities, and it prioritizes remediation according to the status of exploitation, as well as the safety impacts and pervasiveness of the product within a singular system.

A singular system refers to the individual company (stakeholder), and the goal is to prioritize finding the vulnerabilities for that system rather than following a more general risk assessment’s recommendations. The newest guidelines focus on managing the number and complexity of vulnerabilities. 

Here’s a **summary** of how the SSVC decision tree works, but to sum up – here are 4 possible decisions for each vulnerability:

*   **Track**: Keep an eye on the vulnerability, but it doesn’t require immediate action. 
*   **Track**\*: Monitor the vulnerability. Immediate action is not required, but you should find a fix by the time the next update rolls out.
*   **Attend**: Supervisors need to pay attention to this vulnerability. They may need to seek help or information regarding the vulnerability. Depending on the severity, they may need to notify employees or consumers. This should be fixed before the next standard update.
*   **Act**: Leadership must get help and information. They should notify employees and consumers regarding the vulnerability and create a response plan. This level of vulnerability must be fixed as quickly as possible.

To decide how to label each vulnerability, consider 5 factors:

*   **Exploitation status:** Is the vulnerability currently being exploited?
*   **Technical impact:** Would malicious actors be able to acquire credentials by exploiting this vulnerability? How much access would they have to the rest of the system? 
*   **Automatability:** How easy is it for an attacker to repeatedly exploit this vulnerability? Could the exploit be automated?
*   **Mission prevalence:** Would an exploit of this vulnerability have an adverse and significant effect on your business operations? How much downtime would it cause you? How much money would you lose if consumers can’t access your products or services through your web app?
*   **Public well-being impact:** Will an exploit cause physical, mental, emotional, or environmental harm? How will the public be affected adversely if an attack occurs? Will there be a financial loss for your consumers, or will you break compliance regulations?

If these factors are significant in a **particular vulnerability**, you should prioritize that vulnerability.

CISA’s SSVC Tree

**Prioritized Risk and Vulnerability Management**

Once you’ve gone through the SSVC, you should have a pretty good idea of where to start patching. The remaining question, then, is how you should patch efficiently and effectively. If there is a major code issue, that should be updated as soon as possible. For less urgent, more difficult fixes, there are ways to help protect your system from external threats.

Virtual patching is often a good way to reduce the risk of lower-level threats or to get protection quickly while you take some time to address the code problems. A web app firewall (**WAF**) or a Web Application and API Protection (**WAAP**) protocol protect web apps from attack by securing data and filtering traffic.

You could use a cloud-based or a **SaaS solution**, depending on your company’s needs. Although this approach will not fix the vulnerabilities in your system, it can help keep attackers at bay.

Whatever method you choose, virtual patching can go a long way toward keeping your data safe while you sort out your vulnerabilities. Once you’ve prioritized those vulnerabilities with SSVC, you can begin to implement fixes first for the Act category, then for Attend, then for Track\*, and finally for Track.

Organizing your resources this way will give you the best chance of fixing the most important issues while still protecting the less critical vulnerabilities.

1.  Cloud Hacking – Why API Remains the Biggest Threat?
2.  Vulnerability exposes 5G core network slicing to DoS attacks
3.  Microsoft Office Most Exploited Software in Malware Attacks

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

What is Stakeholder-Specific Vulnerability Categorization?

The company will block the configuration files, which interact with Web applications — since threat actors increasingly use the capability to install malicious code.

Microsoft plans to add a feature to Office Excel that will make it harder for cyberattackers to exploit the spreadsheet application's "add-ins" function to run malicious code on a victim's computer.

And while it's a welcome development, Microsoft's countermeasure is just the latest go-around in the cat-and-mouse game going on between major software makers and cyberattackers, researchers say.

**Microsoft Takes Aim at XLLs **

In an update to its Microsoft 365 road map last week, the company stated that it is currently "implementing measures to block XLL \[add-in files\] coming from the internet," with a goal to have the feature in general availability sometime in March. 

Excel add-in files are designated with the XLL file extension. They provide a way to use third-party tools and functions in Microsoft Excel that aren't natively part of the software; they're similar to dynamic link libraries (DLLs) but with specific features for Excel spreadsheets. For cyberattackers, they offer a way to read and write data within spreadsheets, add custom functions, and interact with Excel objects across platforms, Vanja Svajcer, a researcher with Cisco's Talos group, said in a December analysis.

And indeed, attackers started experimenting with XLLs in 2017, with more widespread usage coming after the technique became part of common malware frameworks, such as Dridex. The add-in functionality has become increasingly popular with attackers since then; in fact, according to an Arctic Wolf report from early 2022, the use of XLL files increased nearly 600% in 2021.

One of the reasons for that is because Microsoft Office does not block the feature but raises a dialogue box instead, a common approach that Microsoft has taken in the past, Svajcer wrote: "Before an XLL file is loaded, Excel displays a warning about the possibility of malicious code being included. Unfortunately, this protection technique is often ineffective as a protection against the malicious code, as many users tend to disregard the warning."

That could be an issue even after blocking is in place, Mike Parkin, senior technical engineer at Vulcan Cyber, tells Dark Reading.

"Unfortunately, it's unclear at this point whether it's just going to be a warning that users can easily click through, a more proactive 'off by default' setting, or whether they are going to disable it entirely for XLL files downloaded from the Internet," he notes.

**Staying Ahead of the Cyberattackers?**

For more than two decades, cybersecurity firms have sought to strip out potential avenues for malicious scripts in common files types — such as Office formats or PDF files — but attackers have always adapted. 

For instance, Visual Basic for Applications (VBA) and Excel 4.0 macros both became so popular over the past five years for malware delivery that Microsoft blocked Office macros by default in the summer of 2022, disallowing macros from running when they have been assigned a Mark of the Web (MotW) tag, which indicates that the document came from the Internet.

Following that decision, threat actors began incorporating Shell Link (LNK) files as payloads for a number of malware families, with their use peaking in October with a spike in usage by the operators behind Qakbot, according to an analysis this week by researchers in Cisco's Talos intelligence group.

And LNK files aren't the only file type that's becoming a more popular way to hide malicious code in the wake of blocking macros. In the third quarter of 2022, for example, zip archives and HTML files became the most common file types for malware delivery, with 44% of malware files hidden in archives, according to the third quarter "HP Wolf Security Threat Insights Report." 

Even if these alternative approaches are not as efficient or powerful, attackers will have to adopt them to continue to successfully compromise victim's systems, because companies are hardening their products against more common attack techniques, Dave Storie, an adversarial collaboration engineer at cybersecurity-services firm Lares Consulting, said in a statement sent to Dark Reading.

"When organizations like Microsoft reduce the attack surface or otherwise increase the effort required to execute an attack on their product offerings, it forces threat actors to explore alternate avenues," he said. "This often leads to exploring previously known, perhaps less ideal, options for threat actors to achieve their objectives."

Microsoft to Block Excel Add-ins to Stop Office Exploits

Manufacturer complacency ‘translates into an unacceptable risk for consumers’, warns security expert

Manufacturer complacency ‘translates into an unacceptable risk for consumers’, warns security expert

IoT vendors are making slow progress in making it easy for security researchers to report security bugs, with only 27.1% of suppliers offering a vulnerability disclosure policy.

The figure, based on the latest annual report from the IoT Security Foundation (IoTSF), compares to the 9.7% of IoT (Internet of Things) vendors that were reported to have a disclosure policy in the 2018 edition of the same study.

BACKGROUND IoT Security Foundation launches vulnerability disclosure platform for smart device vendors

Vulnerability management ought to be a cornerstone of connected product security, widely recommended in 30 cybersecurity guidance initiatives including the IoTSF’s IoT Security Assurance Framework.

Straightforward reporting of security issues is essential for security lifecycle maintenance, and vendors risk falling foul of newly enacted UK regulations if they ignore best practice mandates.

The UK’s Product Security and Telecoms Infrastructure – which became law in early December 2022 – requires that IoT manufacturers, importers, and distributors offer a vulnerability disclosure policy, with suppliers who breach this risking potential sanctions including penalties of up to £20,000 per day in the most severe cases.

Catch up on the latest vulnerability disclosure policy news

The IoTSF’s latest study was based on a review of practice of 332 companies who sell consumer-focused IoT products. The review, carried out by mobile and IoT security consultancy Copper Horse, covered security practices tied to a range of products ranging from tablets and routers to smart home lighting controls and smart speakers.

Vendors from Asia tended to be better at establishing vulnerability disclosure programs, with European suppliers trailing significantly behind (34.7% versus 14.5%, respectively).

Laurie Mercer, senior manager of security engineering at HackerOne, said: “Knowing about security vulnerabilities within products and services through a Vulnerability Disclosure Policy (VDP) is an important way to identify and rectify them as part of the product security lifecycle.

“It’s a best practice that customers are increasingly looking for their supplier to adopt, but this research suggests it is not yet common practice.”

**Increased regulation**

Lawmakers across the world are looking to introduce regulations in order to push IoT vendors into making their products more secure. For example in the US lawmakers have established the IoT Cybersecurity Improvement Act (2020).

The draft European Cyber Resilience Act covers similar ground.

David Rogers, CEO of Copper Horse, told The Daily Swig: “The trend is towards mandating it – which makes you wonder again, why aren’t companies realising this? The writing is on the wall!”

Rogers added: “Even with the threat of incoming legislation, there is complacency in manufacturers that translates into an unacceptable risk for consumers when it comes to the security of IoT devices.”

During the study, researchers identified increases in the use of the ‘/security’ contact page, the use of machine-readable ‘secuity.txt’ files and a small decline in PGP key usage for secure submissions.

Other trends uncovered were an increase in the number of vendors that updated their policies and a rise in the number of companies using a third-party ‘proxy service’ to host and maintain their policies.

**Best practice**

It’s not all doom and gloom, however, as the report did highlight examples of good practice by some vendors.

Rogers explained: “Some companies and industries are starting to act in a much better way – there are some examples in the car industry such as Volkswagen Group where they have completely transformed their approach, in a positive way.

“I think these companies can set a good example to their peers in showing that you can work with the security research community without all the brinksmanship.”

Vendors would do well to have a safe harbor policy, a legal framework that allows ethical hackers to look for flaws in systems with risking legal threats or potential prosecution. LG, for example, operates a safe harbor policy for its IoT products.

Looking more broadly, the IoTSF report commends 34 vendors that “meet or exceed what will be required by legislation” based on a review of their policies by security researchers from Copper Horse. Firms listed include Bosch, BT, Canon, Huawei, LG, Logitech, Microsoft, Peloton, Samsung, and Wink.

YOU MAY ALSO LIKE WAGO fixes config export flaw threatening data leak from industrial devices

IoT vendors faulted for slow progress in setting up vulnerability disclosure programs

The notorious Russian-speaking cybercriminals grew successful by keeping a low profile. But now they have a target on their backs.

High-profile ransomware attacks have become a fact of life in recent years, and it’s not unusual to hear about major monthly attacks perpetrated by Russia-based gangs and their affiliates. But since late 2019, one group has been steadily making a name for itself on a multi-year rampage that has impacted hundreds of organizations around the world. The LockBit ransomware gang may not be the most wildly unhinged of these criminal groups, but its callous persistence, effectiveness, and professionalism make it sinister in its own way.

One of the most prolific ransomware groups ever, the LockBit collective has attempted to maintain a low profile in spite of its volume of attacks. But as it has grown, the group has gotten more aggressive and perhaps careless. Earlier this month, the LockBit malware was notably used in an attack on the United Kingdom’s Royal Mail that hobbled operations. After other recent visible attacks, like one on a Canadian children’s hospital, all eyes are now on LockBit.   

“They are the most notorious ransomware group, because of sheer volume. And the reason for their success is that the leader is a good businessman,” says Jon DiMaggio, chief security strategist at Analyst1 who has studied LockBit’s operations extensively. “It’s not that he’s got this great leadership capability. They made a point-and-click ransomware that anyone could use, they update their software, they’re constantly looking for user feedback, they care about their user experience, they poach people from rival gangs. He runs it like a business, and because of that, it is very, very attractive to criminals.”

Keep It Professional

For the Royal Mail, LockBit was a chaos agent. On January 11, the UK postal service’s international shipping ground to a halt after being hit with a cyberattack. For more than a week, the company has told customers not to send new international parcels—adding further disorganization after workers went on strike over pay and conditions. The attack was later linked to LockBit.

Just before Christmas, a LockBit member attacked the SickKids hospital in Canada, impacting its internal systems and phone lines, causing delays to medical images and lab tests. The group quickly backtracked after the attack, providing a free decryptor and saying it had blocked the member responsible. In October, LockBit also demanded an unusually high $60 million payment from a UK car dealership chain. 

Adding to its infamy, LockBit is also one of the most prolific and aggressive ransomware groups when it comes to targeting manufacturing and industrial control systems. Security firm Dragos estimated in October that in the second and third quarters of 2022, the LockBit malware was used in 33 percent of ransomware attacks on industrial organizations and 35 percent of those against infrastructure.

In November, the US Department of Justice reported that LockBit’s ransomware has been used against at least 1,000 victims worldwide, including in the United States. “LockBit members have made at least $100 million in ransom demands and have extracted tens of millions of dollars in actual ransom payments from their victims,” the Justice Department wrote. The FBI first began investigating the group in early 2020. In February 2022, the agency released an alert warning that LockBit “employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense.”

LockBit emerged at the end of 2019, first calling itself “ABCD ransomware.” Since then, it has grown rapidly. The group is a “ransomware-as-a-service” operation, meaning that a core team creates its malware and runs its website while licensing out its code to “affiliates” who launch attacks.

Typically, when ransomware-as-a-service groups successfully attack a business and get paid, they’ll share a cut of the profits with the affiliates. In the case of LockBit, Jérôme Segura, senior director of threat intelligence at Malwarebytes, says the affiliate model is flipped on its head. Affiliates collect payment from their victims directly and then pay a fee to the core LockBit team. The structure seemingly works well and is reliable for LockBit. “The affiliate model was really well ironed out,” Segura says.

Though researchers have repeatedly seen cybercriminals of all sorts professionalizing and streamlining their operations over the past decade, many prominent and prolific ransomware groups adopt flamboyant and unpredictable public personas to garner notoriety and intimidate victims. In contrast, LockBit is known for being relatively consistent, focused, and organized. 

“Of all the groups, I think they have probably been the most businesslike, and that is part of the reason for their longevity,” says Brett Callow, a threat analyst at the antivirus company Emsisoft. “But the fact that they post a lot of victims on their site doesn’t necessarily equate to them being the most prolific ransomware group of all, as some would claim. They are probably quite happy with being described that way, though. That’s just good for recruitment of new affiliates.”

The group certainly isn’t all hype, though. LockBit seems to invest in both technical and logistical innovations in an attempt to maximize profits. Peter Mackenzie, director of incident response at security firm Sophos, says, for example, that the group has experimented with new methods for pressuring its victims into paying ransoms. 

“They've got different ways of paying,” Mackenzie says. “You could pay to have your data deleted, pay to have it released early, pay to extend your deadline,” Mackenzie says, adding that LockBit opened its payment options to anyone. This could, theoretically at least, result in a rival company buying a ransomware victim’s data. “From the victim's perspective, it's extra pressure on them, which is what helps make people pay,” Mackenzie says.

Since LockBit debuted, its creators have spent significant time and effort developing its malware. The group has issued two big updates to the code—LockBit 2.0, released in mid-2021, and LockBit 3.0, released in June 2022. The two versions are also known as LockBit Red and LockBit Black, respectively. Researchers say the technical evolution has paralleled changes in how LockBit works with affiliates. Prior to the release of LockBit Black, the group worked with an exclusive group of 25 to 50 affiliates at most. Since the 3.0 release, though, the gang has opened up significantly, making it harder to keep tabs on the number of affiliates involved and also making it more difficult for LockBit to exercise control over the collective.

LockBit frequently expands its malware with new features, but above all, the malware’s characteristic trait is that it's simple and easy to use. At its core, the ransomware has always offered anti-detection capabilities, tools for circumventing Microsoft Windows defenses, and features for privilege escalation within a compromised device. LockBit uses publicly available hacking tools when it can, but it also develops custom capabilities. The 2022 FBI report noted that the group sometimes uses previously unknown or zero day vulnerabilities in its attacks. And the group has the capability to target many different types of systems.

“It's not just Windows. They'll attack Linux, they'll go after your virtual host machines,” Mackenzie says. “They offer a solid payment system. There's a lot of backend infrastructure that comes with this. It's just a well-made product, unfortunately.” In October, it was reported that LockBit’s malware was deployed after a zero day was used to hack Microsoft Exchange servers—a relatively rare occurrence when it comes to ransomware gangs.

“Theer are additional features that make the ransomware more dangerous—for example, having worm components to it,” Segura adds. “They've also discussed things like doing denial-of-service attacks against victims, in addition to the extortion.”  

With the release of LockBit 3.0, the group also signaled its intention to evolve. It introduced the first ransomware bug bounty scheme, promising to pay legitimate security researchers or criminals who could identify flaws in its website or encryption software. LockBit said it would pay anyone $1 million if they could name who is behind LockBitSupp, the public persona of the group.

The core members at the top of LockBit seem to include its leader and one or two other trusted partners. Analyst1’s DiMaggio, who has tracked the actors for years, notes that the group claims to be based in the Netherlands. Its leader has said at various times that he personally operates out of China or even the United States, where he has said he is a part owner of two restaurants in New York City. LockBit members all seem to be Russian-speaking, though, and DiMaggio says that while he cannot be certain, he believes the group is based in Russia.

“The leader doesn’t seem to have any concern about being arrested. He thinks he’s a supervillain, and he plays the part well,” DiMaggio says. “But I do believe he has a healthy concern that if the Russian government were to get their hooks in him, he would have to make the decision to turn over most of his money to them or do work for them like helping them with the Ukraine war.”

Beware the Spotlight

Despite LockBit’s relative professionalism, the group has, at times, slipped into showboating and bizarre behavior. During desperate efforts to get attention—and attract affiliates—in its early months, the criminal group held an essay-writing competition and paid prizes to the winners. And in September 2022, the group memorably posted a message on a cybercrime forum claiming it would pay anyone $1,000 if they got the LockBit logo tattooed on themselves. Around 20 people shared photos and videos with their feet, wrists, arms, and chests all branded with the cybercrime gang’s logo.

LockBit’s meteoric rise and recent attacks against high-profile targets could ultimately be its downfall, though. Notorious ransomware groups have been infiltrated, exposed, and disrupted in recent years. Before Russia’s full-scale invasion of Ukraine in February 2022, the Russian Federal Security Service (FSB) arrested high-profile REvil hackers, although the group has since returned. Meanwhile, the US military hacking unit Cyber Command has admitted to disrupting some ransomware groups. And a Ukrainian cybersecurity researcher contributed to the downfall of the Conti ransomware brand last year after infiltrating the group and publishing more than 60,000 of the group’s internal chat messages.

These deterrent actions appear to be having some impact on the overall ransomware ecosystem. While it is difficult to determine real totals of how much money ransomware actors take in, researchers who track cybercriminal groups and those who specialize in cryptocurrency tracing have noticed that ransomware gangs seem to be taking in less money as government enforcement actions impede their operations and more victims refuse to pay. 

The screws are already turning on LockBit. An apparently disgruntled LockBit developer leaked its 3.0 code in September, and Japanese law enforcement has claimed it can decrypt the ransomware. US law enforcement is closely watching the group as well, and its recent attacks can only have raised its profile. In November 2022, the FBI revealed that an alleged LockBit affiliate, Mikhail Vasiliev, 33, had been arrested in Canada and would be extradited to the US. At the time, deputy attorney general Lisa O. Monaco said officials had been investigating LockBit for more than two and a half years.

“I think LockBit is going to have a rough year this year and potentially see their numbers go down,” Analyst1’s DiMaggio says. “They are under a lot of scrutiny now, and they also may have lost their main developer, so they could have development issues that bite them in the ass. It’ll be interesting to see. These guys don’t care about anyone or anything.”

LockBit has seemingly been so dangerous and prolific because it maintained standards for the types of targets its affiliates could hit and avoided attracting too much attention while casting a wide net. But times have changed, and shutting down the UK’s international mail exports for more than a week isn’t exactly keeping a low profile.

“They do have a bit of a PR problem when it comes to their affiliates at this point, because they obviously can't seem to handle them very well,” Malwarebytes’ Segura says. “The bragging, hitting some pretty critical infrastructure, and high-visibility targets is a very dangerous game they're playing. LockBit has a big target on its back right now.”

The Unrelenting Menace of the LockBit Ransomware Gang

The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID.
Emotet, which officially reemerged in late 2021 following a coordinated takedown of its infrastructure by authorities earlier that year, has continued to be a persistent threat that's distributed via

Cyber Threat / Cyber Crime

The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID.

Emotet, which officially reemerged in late 2021 following a coordinated takedown of its infrastructure by authorities earlier that year, has continued to be a persistent threat that's distributed via phishing emails.

Attributed to a cybercrime group tracked as TA542 (aka Gold Crestwood or Mummy Spider), the virus has evolved from a banking trojan to a malware distributor since its first appearance in 2014.

The malware-as-a-service (MaaS) is also modular, capable of deploying an array of proprietary and freeware components that can exfiltrate sensitive information from compromised machines and carry out other post-exploitation activities.

Two latest additions to Emotet's module arsenal comprise an SMB spreader that's designed to facilitate lateral movement using a list of hard-coded usernames and passwords, and a credit card stealer that targets the Chrome web browser.

Recent campaigns involving the botnet have leveraged generic lures with weaponized attachments to initiate the attack chain. But with macros becoming an obsolete method of payload distribution and initial infection, the attacks have latched on to other methods to sneak Emotet past malware detection tools.

"With the newest wave of Emotet spam emails, the attached .XLS files have a new method for tricking users into allowing macros to download the dropper," BlackBerry disclosed in a report published last week. "In addition to this, new Emotet variants have now moved from 32bit to 64bit, as another method for evading detection."

The method involves instructing victims to move the decoy Microsoft Excel files to the default Office Templates folder in Windows, a location trusted by the operating system to execute malicious macros embedded within the documents to deliver Emotet.

The development points to Emotet's steady attempts to retool itself and propagate other malware, such as Bumblebee and IcedID.

"With its steady evolution over the last eight-plus years, Emotet has continued to become more sophisticated in terms of evasion tactics; has added additional modules in an effort to further propagate itself, and is now spreading malware via phishing campaigns," the company said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Emotet Malware Makes a Comeback with New Evasion Techniques

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

Tag

#microsoft