Displaying items by tag: Ransomware

Although the news of the infamous ConnectWise flaw which allowed for the creation of admin accounts is a bit cold, it still is one that bears discussion and plays heavily into a broader conversation around proper security controls at the edge of the network. For those that might have been living under a rock for the last few months, let’s recap what the ConnectWise ScreenConnect flaw was.

In what could be called a fantastic move, global law enforcement agencies attacked and took down LockBit’s infrastructure. The day of the event was filled with much celebration on X (Twitter) LinkedIn, Facebook and elsewhere. The memes flowed freely and even the usual naysayers could not dampen the enthusiasm over this significant event. Especially since it all appears to have been due to an unpatched vulnerability in PHP 8.x.

Black Hat 2023 – Las Vegas, NV – One of my personal focuses is understanding the “Why” behind changes in the threat landscape. In simple terms understanding the Why of something gives you a good understanding of potential pivots and changes. After all a personal Why is what motivates and moves you, it stands to reason that identifying the Why behind threat groups gives you an insight into their motivations and drivers (besides money). With this in mind I sat down with Don Smith, VP of Threat Intelligence, Counter Threat Unit. The same team that identified the abandoned reply URL flaw in Power Platform.

A 20-year-old Russian National Magomedovich Astamirov was arrested in Arizona and had his initial appearance in court yesterday. The arrest and charges come after a lengthy investigation into the Ransomware as a Service Group, LockBit. This is the second arrest in six months related to the group’s activities with a third warrant/indictment issued for another individual, Mikhail Pavlovich Matveev, who is still at large. According to the DOJ press release Astamirov is suspected of conspiring with other LockBit members to attack multiple organizations in the US and around the globe. Astamirov is believed to have managed various IP and Email addresses used for ransomware deployment and communication with the victims of attacks.

Here we are with another story about MOVEit and just how bad things have gotten for the Managed File Transfer application and their parent company Progress Software. The group behind the attack, Cl0p ransomware gang, has started to extort the companies that they stole data from. They have listed the names of companies on their data leak site, in the same manner they would for ransomware victims after failing to pay. We know that someone (Cl0p has taken credit) was able to finally exploit a zero-day in the software after about a year of tinkering with the flaw and months of access.

In today’s episode of why we need to change how we do things; it has come to light that the critical MOVEit zero-day that allowed complete control over targeted file transfer platforms may have been identified by the Cl0p ransomware group as far back as 2021. According to researchers at Kroll, the group appears to have been looking for the right way to properly exploit is as part of a data theft campaign against the Managed File Transfer Utility.

The fine folks at the Royal ransomware group have begun testing a new flavor of encryptor that is being called BlackSuit (The hat was already taken). First identified in January of this year (2023), Royal is believed to be Conti returned to life. Royal is also a private group, meaning they are not selling their services to anyone else but looking to keep things internal and hoard all their revenue. Royal is who went after the City of Dallas recently and might have poked the bear on that one.

Anyone that does not think that cybercrime is now a bug business has been living under a rock. The news related to different cybercrime-as-a-service groups, especially ransomware, has never been more frequent. We have seen groups offer larger profit sharing, special tools, access to customization tools and now we hear that the Cyclops group is even offering an information stealer as something of a value add if you use their services.

The group behind BlackCat ransomware seem to be following some good business practices as they have launched a new variant with improved performance (faster encryption) and detection evasion. First identified in February of 2023 the new variant has been given some extra attention after an update to this flavor was seen in April. BlackCat is notable as being the first ransomware written in Rust identified in the wild.

The leak of tools used by threat groups, and spying agencies are events of inestimable importance in both the threat group and security worlds. To threat groups this is like free money. They now have access to someone else’s development efforts meaning they can spend less money developing the next payload for their own interests. On the security side it means that there is a high potential to see new variants of these tools hitting the wild which they now must defend against. It also increases the attack pool which they must defend against since now even unsophisticated groups have access to all the fun tools.