
Warning About Phobos Ransomware

Phobos ransomware may not be the most prolific ransomware group, but the group poses a significant threat, especially to municipal and county governments, emergency services, education, and healthcare organizations. The group issues ransom demands for millions of dollars and the group’s attacks have caused hundreds of millions of dollars in losses. Phobos is a ransomware-as-a-service operation where the infrastructure to conduct attacks and encrypt files is provided to affiliates – individuals who specialize in breaching company networks – in exchange for a percentage of any ransom payments they can generate. The affiliates benefit from being able to concentrate on what they do best, and the ransomware group makes up for the loss of a percentage of the ransom by conducting many more attacks than would be possible on their own.

The group engages in double extortion tactics involving data theft and file encryption. Threats are issued to publicly leak stolen data on the group’s data leak site, and payment is required both for the keys to decrypt data and to prevent data exposure. Several ransomware variants are connected to Phobos based on the tactics, techniques, and procedures (TTPs) used in attacks, including Eking, Eight, Devos, Faust, and Backmydata ransomware. The latter variant was recently used in an attack in Romania that affected around 100 hospitals.

Affiliates use several methods to gain initial access to victims’ networks, with phishing being one of the most common. The phishing attacks conducted by the group usually involve spoofed email attachments with hidden payloads, with one of the favored payloads being the Smokeloader backdoor trojan. Smokeloader gives the group initial access to victims’ networks, from where they use a variety of methods and legitimate networking tools for lateral movement, credential theft, privilege escalation, and data exfiltration. These include 1saas.exe or cmd.exe for privilege escalation, Windows shell functions for control of systems, and built-in Windows API functions to bypass access control and steal authentication tokens. Open source tools such as Bloodhound and Sharphound are used to enumerate Active Directory, Mimikatz to obtain credentials, and WinSCP and Mega.io for file exfiltration. Other methods used for initial access include the use of legitimate scanning tools such as Angry IP Scanner to search for exposed RDP ports, after which open source brute-forcing tools are used to guess weak passwords.

To improve defenses against Phobos ransomware attacks, businesses should follow the guidance in the recently published security alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC), which includes latest Indicators of Compromise (IoCs) and TTPs observed in recent attacks. The guidance can be found in the #StopRansomware section of the CISA website.

Mitigations are concerned with improving defenses against the initial access vectors – phishing and remote access software. An email security solution with both signature-based and behavioral threat detection capabilities should be used to block phishing emails and identify malicious files; consider disabling hyperlinks in emails and adding banners to emails from external sources. End user training should be provided to improve resilience to phishing attempts, along with web filtering to block malicious file downloads, phishing-resistant multi-factor authentication to prevent compromised credentials from granting access, strong password policies to improve resilience to brute force attacks, and strict controls on RDP and other remote desktop services. Robust backup processes are required, including maintaining offline backups of data, and an incident response plan for ransomware attacks should be developed and tested to ensure the fastest possible recovery in the event of an attack.

LockBit Ransomware Rebounds After Law Enforcement Takedown

A coordinated law enforcement operation – Operation Cronos – headed by the UK National Crime Agency (NCA) and coordinated by Europol seized the infrastructure of the notorious LockBit ransomware group earlier this month. In total, 34 servers were seized in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom, along with 200 cryptocurrency wallets and the keys to decrypt the data of some of the group’s victims. Two LockBit actors were also arrested in Poland and Ukraine, and three arrest warrants and five indictments were issued by judicial authorities in France and the United States. The decryption keys allowed an automated decryptor to be developed, which was added to the No More Ransom website.

The group’s affiliate portal was seized along with its data leak sites and messages were uploaded for affiliates warning them that names and locations were known and they could receive a visit from law enforcement very soon. The NCA threatened to release the name of the group’s figurehead, LockBitSupp, and even added a countdown timer to the data leak site, as LockBit would do when adding victims to the leak site. However, the NCA did not disclose the details and instead added a statement confirming LockBitSupp’s real name, location, and financial worth were known. The NCA also added that LockBitSupp has engaged with law enforcement.

LockBit is a ransomware-as-a-service (RaaS) operation where affiliates are recruited to conduct attacks using LockBit ransomware. As payment for those attacks, affiliates receive a percentage of any ransoms they generate. LockBit engaged in double extortion tactics, where sensitive data was stolen in addition to file encryption. Payments are required to prevent the release of the stolen data on the group’s data leak site and to obtain the keys to decrypt data. LockBit then moved to triple extortion, where in addition to data theft and file encryption, Distributed Denial-of-Service (DDoS) attacks are conducted on victims to pile on the pressure and get them to pay the ransom.

LockBit has been in operation since September 2019 and rapidly became a major player in the RaaS market. At the time of the takedown, LockBit was behind 25% of all ransomware attacks and had around 180 affiliates conducting attacks. The next biggest player is Blackcat with an 8.5% market share. The LockBit group has extorted more than $120 million from organizations around the world and its attacks have caused billions of dollars of damage.

The law enforcement operation was significant and a major embarrassment for the group, potentially causing significant damage to the group’s reputation. However, it did not take long for LockBit to respond. A few days after the announcement about the law enforcement action, LockBit created a new data leak site and populated it with the names of 12 recent victims. A note was also added explaining that the FBI most likely exploited an unpatched PHP bug, which hadn’t been addressed out of laziness, which allowed access to be gained to its servers. LockBit claimed the takedown was conducted when it was because data was going to be released from an attack on Fulton County in Georgia, where one of Donald Trump’s lawsuits is being heard, and the release of that data could affect the upcoming Presidential Election.

Typically after a successful law enforcement operation, ransomware gangs rebrand but LockBit appears to be defiant and looks set to continue under the same name. LockBitSupp claimed that the attacks could not stop as long as he was alive, and the group would be updating its infrastructure to make it harder for any future law enforcement operations to succeed. A little more than a week after the law enforcement announcement, the LockBit group appears to be conducting attacks again using new infrastructure, a new data leak site, a new negotiation site, and a new encryptor. It is unclear how many affiliates have been retained but the group has announced that it is recruiting again and is looking for new pen testers, indicating some have decided to leave the operation. What is clear is the group is back and remains a significant threat.

State Sponsored Hackers and Cybercriminal Groups Are Using AI to Improve Their Campaigns

There is growing evidence that cybercriminal groups are leveraging artificial intelligence in their cyberattacks, specifically large language models (LLMs) such as ChatGPT, despite the restrictions OpenAI has put in place. There are also LLMs that are being marketed directly to cybercriminals such as WormGPT. WormGPT is a blackhat AI tool that has been specifically developed for malicious uses and can perform similar tasks to ChatGPT but without any ethical restrictions on uses. The tool can be used for generating convincing phishing and business email compromise emails in perfect English, free from the spelling mistakes and grammatical errors that are often found in these emails.

It is not only cybercriminal groups that are using these AI tools. Nation state hacking groups are exploring how these tools can help them gain initial access to targeted networks. Recently published research from Microsoft and OpenAI confirmed that threat actors from Russia, China, Iran, and North Korea are using AI tools to support their malicious activities. Microsoft and OpenAI found the most common uses of LLMs by nation state actors were translation, finding coding errors, running basic coding tasks, and querying open-source information. While it does not appear that they are using LLMs to generate new methods of attack or write new malware variants, these tools are being used to improve and accelerate many aspects of their campaigns.

The threat actor tracked by Microsoft as Crimson Sandstorm, which is affiliated with the Islamic Revolutionary Guard Corps (IRGC), a multi-service primary branch of the Iranian Armed Forces, has been using LLMs to improve its phishing campaigns to gain initial access to victims’ networks. Microsoft and OpenAI also report that the hacking group has been using LLMs to enhance its scripting techniques to help them evade detection. The North Korean APT group, Emerald Sleet, is well known for conducting spear phishing and social engineering campaigns and is using LLMs to assist with researching think tanks and key individuals that can be impersonated in its spear phishing campaigns. Threat groups linked to the People’s Republic of China such as Charcoal Typhoon and Salmon Typhoon have been using LLMs to obtain information on high-profile individuals, regional geopolitics, US influence, and internal affairs and for generating content to socially engineer targets. OpenAI says it has terminated the accounts of five malicious state actors and has worked with Microsoft to disrupt their activities, and OpenAI and Microsoft have been sharing data with other AI service providers to allow them to take action to prevent malicious uses of their tools.

It should come as no surprise that cybercriminals and nation state actors are using AI to improve productivity and the effectiveness of their campaigns and are probing the capabilities of AI-based tools. While this is a cause for concern, there are steps that businesses can take to avoid falling victim to AI-assisted attacks. The best way to combat AI-assisted attacks is to leverage AI for defensive purposes. SpamTitan has AI and machine learning capabilities that can detect zero day and AI-assisted phishing, spear phishing, and business email compromise attacks, and so better defend against AI-assisted email campaigns.

With fewer spelling mistakes and grammatical errors in phishing emails, businesses need to ensure they provide their workforce with comprehensive training to help employees recognize email and web-based attacks. The SafeTitan security awareness training and phishing simulation platform is an ideal choice for conducting training and phishing simulations and improves resilience to a range of security threats. TitanHQ’s data shows susceptibility to phishing attacks can be reduced by up to 80% through SafeTitan training and phishing simulations. Businesses should also ensure that all accounts are protected with multi-factor authentication, given the quality of the phishing content that can be generated by AI tools, and ensure that cybersecurity best practices are followed, and cybersecurity frameworks are adopted. The most important advice that we can give is to take action now and proactively improve your defenses, as malicious uses of AI are only likely to increase.

Phishing-as-a-Service Poses a Serious Threat to Businesses

Cybercriminals are increasingly offering services that make it easy for anyone to conduct an attack. Skilled malware developers can concentrate on writing their malware and making it available for others to use for a fee. Ransomware-as-a-service allows hackers who are skilled at breaching networks to conduct lucrative ransomware attacks without having to develop encryptors or pay for the infrastructure to support their attacks. Phishing-as-a-service provides a platform for conducting attacks to steal credentials and access accounts. These services benefit all parties and allow even more attacks to be conducted.

Phishing campaigns may appear simple, but they require a lot of time and skill to set up. Stephanie Carruthers, who leads an IBM X-Force phishing research project, said it takes her team about 16 hours to craft a phishing email, not including the time it takes to set up all the necessary infrastructure to send the email and steal credentials. Setting up the infrastructure is time-consuming and costly, and many businesses now have multi-factor authentication (MFA) to thwart attacks.

With phishing-as-a-service (PhaaS), anyone who wants to run a phishing campaign can simply pay a subscription and will be provided with all the tools they need to conduct attacks. They do not need to craft the phishing emails, they just need to set a few parameters and provide the email addresses for the campaign. PhaaS makes conducting sophisticated attacks simple and significantly lowers the bar for conducting campaigns.

Take LabHost, for example, a PhaaS platform that recently introduced functionality for targeting financial institutions and banks in North America and Canada. Since this new functionality was included in the first half of 2023, attacks have increased considerably. A monthly subscription is paid, and customers are provided with a turnkey phishing kit, which includes the infrastructure for hosting phishing pages, a content generator for creating phishing emails, and a portal for monitoring the progress of campaigns. Customers can choose to pay $179 per month to target Canadian banks, $249 per month to expand the targets to North America, and $300 a month to also target 70 financial institutions worldwide. Customers are also provided with phishing pages for collecting credentials for a variety of other companies, including music streaming sites, delivery services, and telecommunications companies.

Important to the success of any campaign is the ability to defeat multi-factor authentication. The LabHost phishing kit incorporates LabRat, a phishing tool that allows real-time management of phishing campaigns and allows adversary-in-the-middle attacks where two-factor authentication codes and cookies are obtained in addition to usernames and passwords. That means the additional security processes on the online portals of banks can be circumvented. The platform also allows SMS-based attacks to be conducted.

PhaaS allows unskilled hackers to conduct effective campaigns that they otherwise would not be able to conduct. Further, with the use of AI to craft convincing phishing emails, phishing emails are becoming much harder for humans and security solutions to detect, and even MFA and other security measures can be bypassed.

Defending against attacks is therefore challenging, and there is no single cybersecurity solution that will block all attacks. What is needed is a defense-in-depth approach, with multiple, overlapping layers of protection. Cybersecurity solutions are required to block the phishing emails. SpamTitan is an advanced email security solution with AI and machine learning capabilities for identifying novel phishing threats. SpamTitan blocks known malware through AV controls and unknown malware through sandboxing. The message sandboxing feature uses pattern filtering to identify malware from its behavior, which allows zero-day malware threats to be identified and blocked. Malware sandboxing is vital for email security since so many novel malware threats are now being released. SpamTitan is also capable of identifying even machine-crafted phishing content.

End user training is also vital, as no email security solution will block all email threats without also blocking an unacceptable number of genuine emails. End users should be trained on how to identify, avoid, and report phishing emails. The SafeTitan security awareness training platform makes security awareness training simple, and the constantly updated content allows businesses to respond to changing phishing tactics and conduct phishing simulations on the workforce to reinforce training and identify knowledge gaps.

Given the number of phishing kits that are capable of bypassing multi-factor authentication, simply enabling MFA on accounts is no longer sufficient to protect against unauthorized access. Phishing-resistant multi-factor authentication is required – FIDO/WebAuthn authentication or public key infrastructure (PKI)-based MFA – to block the adversary-in-the-middle attacks that can be conducted through PhaaS.

If you want to improve your defenses against phishing and other cybercriminal services, give the TitanHQ team a call to discuss your options.

Massive Spamming Campaign Uses Thousands of Hijacked Subdomains

A massive email spamming campaign has been detected that is generating up to 5 million emails per day that direct recipients of the emails to a variety of scam sites. The emails are sent through hijacked subdomains and domains of trusted companies, which help these emails evade email security solutions and be delivered to inboxes. Companies that have had domains and subdomains hijacked include eBay, CBS, McAfee, MSN, and Symantec.

Email security solutions perform a range of checks on inbound emails, including reputation checks on the senders of emails. If a domain is trusted and has not previously been associated with spamming, these checks – using SPF, DKIM, and DMARC – are likely to be passed, resulting in the emails being delivered to end users. The use of these legitimate domains also makes it harder for end users to determine whether the messages are genuine. Security awareness training programs often teach end users to check the sender of the email and make sure that it matches the company being spoofed. If the domain is eBay, and the email uses eBay branding, end users are likely to think that the communication is genuine. These emails include links to websites that generate fraudulent ad revenue, and often several redirects occur before the user lands on the destination scam or phishing site.

The ‘SubdoMailing’ campaign was identified by researchers at Guardio Labs, with the legitimate domains typically hijacked through SPF record exploitation or CNAME hijacking. The former involves searching for domains that use the ‘include’ configuration option that points to external domains that are no longer registered. Those domains are then registered by the threat actor and the SPF records are changed to authorize the use of their own email servers. When those servers are used to send emails, they appear to have been sent by the targeted brand, such as eBay.

With CNAME hijacking, scans are conducted to identify subdomains of reputable brands with CNAME records that point to external domains that are no longer registered. The threat actor then registers those domains, SPF records are injected, and emails can be sent from their email servers that appear to have been sent by a legitimate company. By hijacking huge numbers of domains and subdomains, the threat actor is able to conduct massive spamming campaigns. The researchers identified more than 13,000 subdomains and more than 8,000 domains that were used in the campaign, with more than 1,000 residential lines used and almost 22,000 unique IPs. The researchers developed a tool to allow domain owners to check whether their own domains have been hijacked and take action to stop that abuse. An advanced spam filter is required to block the messages that are sent from these hijacked domains and subdomains – one that does not rely solely on SPF, DKIM, and DMARC for identifying spam emails.
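Both hijacking patterns described above (an SPF `include:` that points to an unregistered domain, and a subdomain CNAME that points to an unregistered domain) can be checked from the domain owner’s side. The script below is an added example and is not the Guardio Labs tool or anything from the original post: the DNS records are constructed sample data, and `sample_txt` / `sample_exists` are stand-in resolver functions that a real check would replace with live DNS lookups.

```python
"""Dangling SPF include / dangling CNAME checker (added example, constructed data)."""
import re
from typing import Callable, Dict, List, Set

# Constructed sample DNS data, not real records. Any name absent from
# DOMAIN_EXISTS (and with no listed parent) is treated as NXDOMAIN, i.e.
# a domain that anyone could register and then point at their own mail servers.
TXT_RECORDS: Dict[str, List[str]] = {
    "brand.example": ["v=spf1 include:_spf.mailvendor.example include:old-vendor.example -all"],
    "_spf.mailvendor.example": ["v=spf1 ip4:198.51.100.0/24 include:spf-x.example ~all"],
    "spf-x.example": ["v=spf1 ip4:203.0.113.7 -all"],
}
CNAME_RECORDS: Dict[str, str] = {
    "promo.brand.example": "campaign.defunct-agency.example",  # target no longer exists
    "www.brand.example": "cdn.mailvendor.example",             # target still exists
}
DOMAIN_EXISTS: Set[str] = {
    "brand.example", "_spf.mailvendor.example", "spf-x.example",
    "cdn.mailvendor.example", "promo.brand.example", "www.brand.example",
}

def sample_txt(name: str) -> List[str]:
    """Stand-in for a TXT lookup; returns [] where a live resolver would NXDOMAIN."""
    return TXT_RECORDS.get(name, [])

def sample_exists(name: str) -> bool:
    """Stand-in for 'does this name or a parent zone resolve'. The two-label
    cut-off is a simplification of a real registrable-domain (PSL) check."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in DOMAIN_EXISTS for i in range(len(parts) - 1))

# include:<domain> and redirect=<domain> are the SPF terms that delegate trust
# to another domain; an optional qualifier (+ - ~ ?) may precede include.
SPF_REF = re.compile(r"^[+\-~?]?(?:include:|redirect=)(\S+)$", re.IGNORECASE)

def spf_referenced_domains(txt: List[str]) -> List[str]:
    """Return the domains an SPF record delegates to, in order of appearance."""
    for rec in txt:
        if rec.lower().startswith("v=spf1"):
            refs = []
            for term in rec.split()[1:]:
                m = SPF_REF.match(term)
                if m:
                    refs.append(m.group(1))
            return refs
    return []

def find_dangling_spf(domain: str, lookup_txt: Callable[[str], List[str]],
                      exists: Callable[[str], bool], _seen: Set[str] = None) -> List[str]:
    """Walk the include:/redirect= chain and return every delegated name that
    no longer resolves. Such a name can be registered by a third party, whose
    own SPF record would then be trusted on behalf of `domain`."""
    seen = _seen if _seen is not None else set()
    dangling: List[str] = []
    for ref in spf_referenced_domains(lookup_txt(domain)):
        if ref in seen:          # guard against include loops
            continue
        seen.add(ref)
        if not exists(ref):
            dangling.append(ref)
        else:
            dangling.extend(find_dangling_spf(ref, lookup_txt, exists, seen))
    return dangling

def find_dangling_cnames(cnames: Dict[str, str], exists: Callable[[str], bool]) -> Dict[str, str]:
    """Return subdomain -> CNAME target for every target that no longer resolves."""
    return {sub: tgt for sub, tgt in cnames.items() if not exists(tgt)}
```

To run this against your own domain, replace `sample_txt` with a TXT lookup (for example dnspython’s `dns.resolver.resolve(name, "TXT")`) and `sample_exists` with a check that the name, or its registrable parent, still resolves; any name the functions report should be removed from the SPF record or the CNAME deleted.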