We urge all our readers to sign up to a ransomware breach monitoring service. These services track the breach notifications published by well-known ransomware operators in real time. Just take one quick glance at the last month and you will see why. Lockbit (Bitwise Spider) and the Conti group, to name a few, have had a very successful March. The drastic increase in activity from both groups may be a result of the war in Ukraine, as both are allegedly Russia-based.
One example is Lockbit, of which the Incident Response team at Integrity360 investigated multiple instances in March. The Lockbit tactics, techniques and procedures observed by the team were extremely effective at achieving the operators' goals (exfiltration, disruption and mass encryption). In one particular case the damage was so severe that the client had no business functions for a full week.
These top-tier ransomware groups are very professional, providing support phone lines, chat lines and ticketing systems that make it easier to pay the ransom. Crypto-currencies becoming increasingly mainstream over the past few months and years does not help either, as it is no longer just black-market traders who use them. For example, you can now buy certain car brands with Bitcoin!
A relatively new threat actor we have come across this month is the BlackCat ransomware group. Their malware is notorious for being written in Rust, which makes it highly portable across both Windows and Unix-based operating systems. They uniquely target VMware ESXi appliances, gaining access via SSH and destroying or encrypting the virtual machines the appliance is hosting. This causes mass disruption because it renders each entire virtual machine unusable, not just the files on it. We at Integrity360 cannot stress enough that a robust and secure backup system needs to be in place.
The Lapsus$ cyber-extortion group is not your typical hacking organisation. Typical groups try to stay out of the limelight and cover their tracks, whereas Lapsus$ are extremely bold and frequently boast about the access and data they have obtained from their victims. Historically, the group has mostly targeted prominent US and South Korean technology companies, leading to allegations that Lapsus$ are based in North Korea. This has not been confirmed, and because Lapsus$ members are known to communicate in Portuguese and English, some think they are connected to Brazil. Major victims of the group include Nvidia, Microsoft, Okta, LGE and Samsung, from which digital signatures and source code have been stolen.
Since the Ukraine/Russia war started, the cyber-hacktivist group Anonymous have been calling for a global collective effort against the Russian government. So far there has been government data leaked, Russian TV stations hacked and state websites DDoS’ed. Anonymous recently announced that multinational companies still operating in Russia must suspend their Russian activities within 48 hours of the announcement, or else become targets for DDoS and/or website defacement.
Security researchers have reported that new malware, dubbed B1txor20, has been attacking Linux devices on ARM and x64 CPU architectures to form a botnet. B1txor20 exploits the Log4j vulnerability to compromise devices before adding them to its botnet, which is used to steal sensitive data, install rootkits, create reverse shells and act as web traffic proxies. Researchers noted that B1txor20 uses Domain Name System (DNS) tunnelling to communicate with its command-and-control (C2) server: the malware uses DNS requests to send and receive commands, and to send stolen data back to the C2 server. DNS tunnelling is not a novel technique, but it remains a reliable way to evade detection while conducting C2 communications.
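DNS tunnelling of the kind described above leaves a recognisable footprint in resolver logs: many distinct, long, high-entropy subdomains under one base domain, often using record types such as TXT that carry free-form payloads. The following detector is an added example written for this roundup, not code from Integrity360 or from the B1txor20 research; the log lines are constructed in a BIND-style query-log format, the "c2-tunnel.example" domain is a placeholder, and the thresholds are assumptions to be tuned against your own baseline.

```python
"""Heuristic DNS tunnelling detector over resolver query logs (added example)."""
import math
import re
from collections import defaultdict

# Constructed sample log lines (BIND-style query log). Not real traffic;
# "c2-tunnel.example" is a made-up placeholder under the reserved .example TLD.
SAMPLE_LOG = """\
client 10.0.0.21#51234: query: www.example.com IN A
client 10.0.0.21#51235: query: mail.example.com IN MX
client 10.0.0.37#40001: query: 4a6f686e20446f65203132333435.c2-tunnel.example IN TXT
client 10.0.0.37#40002: query: 7365637265742d6461746120626c6f62.c2-tunnel.example IN TXT
client 10.0.0.37#40003: query: 6d6f72652d6461746120686572652d6f6b.c2-tunnel.example IN TXT
client 10.0.0.37#40004: query: 616e642d7965742d6d6f72652d62797465732e.c2-tunnel.example IN TXT
client 10.0.0.21#51236: query: cdn.example.com IN A
"""

QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<rtype>\S+)")

# Record types whose answers carry free-form payloads and are commonly abused for tunnelling.
PAYLOAD_RTYPES = {"TXT", "NULL"}


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; a hex-only string tops out at 4.0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name: str):
    """Split a query name into (base_domain, subdomain).

    Assumption: the base domain is the last two labels. Production code should use
    the public suffix list so that names such as 'example.co.uk' are handled correctly.
    """
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_domains(log_text: str) -> dict:
    """Aggregate per-base-domain features from query-log lines."""
    raw = defaultdict(lambda: {"queries": 0, "subs": set(), "lens": [], "ents": [], "payload": 0})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # skip lines that are not query records
        base, sub = split_name(m.group("name"))
        s = raw[base]
        s["queries"] += 1
        s["subs"].add(sub)
        s["lens"].append(len(sub))
        s["ents"].append(shannon_entropy(sub.replace(".", "")))
        if m.group("rtype").upper() in PAYLOAD_RTYPES:
            s["payload"] += 1
    features = {}
    for base, s in raw.items():
        n = s["queries"]
        features[base] = {
            "queries": n,
            "unique_ratio": len(s["subs"]) / n,      # near 1.0 when every query carries new data
            "mean_sub_len": sum(s["lens"]) / n,      # encoded payloads make long labels
            "mean_entropy": sum(s["ents"]) / n,      # encoded payloads look random
            "payload_ratio": s["payload"] / n,       # share of TXT/NULL queries
        }
    return features


def flag_tunnelling(features: dict, min_queries=3, min_unique=0.75,
                    min_len=20.0, min_entropy=3.0) -> list:
    """Return base domains whose subdomain pattern looks like data carried in DNS queries.

    Thresholds are assumptions chosen for the sample; tune them against your own baseline.
    """
    suspicious = []
    for base, f in features.items():
        if f["queries"] < min_queries or f["unique_ratio"] < min_unique:
            continue
        if f["mean_sub_len"] >= min_len or f["mean_entropy"] >= min_entropy:
            suspicious.append(base)
    return sorted(suspicious)


if __name__ == "__main__":
    feats = profile_domains(SAMPLE_LOG)
    for base in flag_tunnelling(feats):
        f = feats[base]
        print(f"{base}: {f['queries']} queries, mean subdomain length {f['mean_sub_len']:.1f}, "
              f"mean entropy {f['mean_entropy']:.2f} bits/char, payload-type ratio {f['payload_ratio']:.2f}")
```

Run over the sample, only the placeholder tunnelling domain is flagged; the ordinary "example.com" lookups have short, low-entropy labels and fall below every threshold. In practice the per-domain features would be computed over a time window and compared against a baseline of each domain's normal behaviour, since some legitimate services (CDNs, anti-spam lookups) also generate many unique subdomains.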
On 17 March 2022, researchers reported that the credit bureau TransUnion South Africa had been compromised. The group taking responsibility, “N4aughtysecTU”, claims to have accessed 54 million personal records and is demanding USD 15 million in Bitcoin for the return of over 4TB of stolen data. TransUnion confirmed that a criminal third party had accessed its South African server by exploiting the legitimate credentials of a TransUnion client. The credit bureau stated that the breach was limited to South Africa, and that it will not pay the ransom. TransUnion has offered free identity protection products to anyone affected by the breach. In communication with researchers, N4aughtysecTU claimed the information stolen contains credit scores, banking details, identity numbers, and information on more than 200 corporate clients.
On 7 March 2022, it was reported that a cyber-security researcher had disclosed a Linux vulnerability together with details of a proof-of-concept (PoC) exploit. The vulnerability, tracked as CVE-2022-0847 and dubbed Dirty Pipe, affects Linux kernel versions 5.8 and later. If exploited, it allows local users to gain root privileges, and exploits are publicly available. The researcher released the PoC alongside the disclosure, demonstrating that the vulnerability can be successfully exploited.
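For a vulnerability scoped by kernel version, the first defensive step is to find which hosts fall inside the disclosed range. The triage script below is an added example, not code from the researcher or from Integrity360; it parses `uname -r` style release strings and flags hosts at 5.8 or newer, the range stated above. The hostnames and release strings in the inventory are constructed. Because distributions backport fixes without changing the version number, a hit means "verify this host's patch status", not "confirmed vulnerable".

```python
"""Triage kernel release strings against the affected range stated for CVE-2022-0847 (added example)."""
import platform
import re

# Affected range as given in the disclosure summarised above: Linux 5.8 and later.
# Patched kernels exist (not listed on this page) and distributions often backport the
# fix without bumping the version, so treat a hit as a candidate for verification only.
AFFECTED_FROM = (5, 8)

# Matches the leading "major.minor[.patch]" of a `uname -r` string, ignoring distro suffixes.
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release: str) -> tuple:
    """Turn '5.13.0-30-generic' into (5, 13, 0); raise ValueError on junk."""
    m = RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def in_affected_range(release: str) -> bool:
    """True when the kernel's major.minor is 5.8 or newer."""
    return parse_release(release)[:2] >= AFFECTED_FROM


def triage(inventory: dict) -> dict:
    """Map hostname -> 'verify-patch-status', 'outside-range' or 'unparseable'."""
    verdicts = {}
    for host, release in inventory.items():
        try:
            verdicts[host] = "verify-patch-status" if in_affected_range(release) else "outside-range"
        except ValueError:
            verdicts[host] = "unparseable"  # needs a manual look rather than silent skipping
    return verdicts


# Constructed sample inventory: hostnames and release strings are made up for the example.
SAMPLE_INVENTORY = {
    "web-01": "5.13.0-30-generic",
    "db-02": "5.10.0-13-amd64",
    "legacy-03": "4.19.0-18-amd64",
    "build-04": "5.8.0-63-generic",
    "appliance-05": "unknown",
}

if __name__ == "__main__":
    if platform.system() == "Linux":
        local = platform.release()
        verdict = "verify-patch-status" if in_affected_range(local) else "outside-range"
        print(f"this host runs kernel {local}: {verdict}")
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {SAMPLE_INVENTORY[host]:20} {verdict}")
```

Feed the script the output of `uname -r` collected from your fleet; anything marked "verify-patch-status" should then be checked against the distribution's security advisories for the backported fix.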
On 5 March 2022, security researchers reported that a code signing certificate was among the data and documents stolen and leaked online after a cyber-attack against multinational chip and graphics processing unit (GPU) manufacturer Nvidia. The attack, purportedly conducted by the “Lapsus$” threat group, also exposed more than 70,000 employee email addresses and NT LAN Manager (NTLM) password hashes. Code signing certificates are used to digitally sign and verify code; a stolen certificate could be used to deceive victims into thinking that malicious code is legitimate and safe to receive and execute.
On 15 March 2022, Germany’s Federal Office for Information Security (BSI) advised German citizens not to use the products and services of Russia-based Kaspersky, in light of concerns about the company’s reliability. In a press statement, the BSI explained that anti-virus software typically holds high-level privileges on a user’s device and maintains a permanent, encrypted, unverifiable connection to the software provider’s servers. The advisory does not explicitly state that Kaspersky has been aiding the Russian government, but it warned of the realistic possibility that Russia-linked IT companies are involved in Russia-linked cyber-threat operations. Such companies may be used, with or without their permission, to carry out offensive activity; they may also be targeted for espionage or used to pivot to other targets.
With the Lockbit group certainly taking the spotlight in terms of successful attacks in March, who knows which group is going to take April’s trophy. All we can see at Integrity360 is that ransomware 2.0 is not slowing down by any means and still remains extremely profitable for cyber criminals.
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.