FBI says BlackCat Rust-based ransomware wiped out over 60 organizations

In short: According to the FBI, the BlackCat ransomware gang, believed to be the first known ransomware group to successfully break into networks with malware written in Rust, attacked at least 60 organizations worldwide in March.

BlackCat, also known as ALPHV, is a relatively new cybercrime group that operates Windows ransomware as a service. While it only appeared on the ransomware scene in November 2021, security researchers and federal law enforcement have linked its developers and money launderers to the notorious Darkside/BlackMatter groups, “stating that they have extensive networks and experience in ransomware operations,” the FBI said in a security alert [PDF] this week.

In an earlier analysis, security researchers from Cisco Talos and Palo Alto Networks Unit 42 also noted BlackCat’s preference for Rust, with Unit 42 saying the gang was “one of the first, if not the first” of its kind to use this programming language.

The fact that the gang writes its ransomware in Rust, as opposed to C/C++, is interesting. Rust arguably has crucial safety measures built in, which means the malware could be more stable and reliable. Like C/C++ toolchains, the Rust environment can be used to create programs for embedded devices and to integrate with other programming languages, said Carolyn Crandall, chief security officer at Attivo Networks.

The aforementioned FBI alert also includes BlackCat indicators of compromise and warns that the ransomware typically leverages previously compromised user credentials to gain access to a victim’s system. “The initial malware deployment leverages PowerShell scripts, in conjunction with Cobalt Strike, and disables security features within the victim’s network,” the FBI said.

Once inside, the malware compromises Active Directory user and administrator accounts and uses Windows Task Scheduler to configure malicious GPOs that deploy the ransomware. Before executing the ransomware, BlackCat steals the victim’s data, including information held with cloud providers.
</gra_replace_placeholder>

Cisco Umbrella Flaw Allows Remote Administrator Credential Theft

Cisco has fixed a high-severity vulnerability in its Umbrella virtual appliance that, if exploited, could allow an unauthenticated remote attacker to steal administrator credentials, modify configurations, or even reload the virtual appliance.

Tracked as CVE-2022-20773, Cisco classified it as a serious vulnerability with a CVSS score of 7.5 out of 10. It affects the Cisco Umbrella Virtual Appliance (VA) for VMware ESXi and Hyper-V running a software version older than 3.3.2.

Umbrella is Cisco’s DNS-layer security service that the vendor claims protects more than 24,000 organizations.

According to the security advisory, a static SSH host key is to blame. “An attacker could exploit this vulnerability by performing a man-in-the-middle attack on an SSH connection to Umbrella VA,” Cisco explained.
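One check a defender can run across a fleet of appliances, as an added example that is not taken from Cisco’s advisory: collect `ssh-keyscan` output for each VA and flag any host key that appears on more than one host, which is exactly the condition a static, image-baked host key produces. The host names and key blobs below are constructed sample data.

```python
"""Flag SSH host keys shared by more than one host (constructed sample data)."""
import base64
import hashlib
from collections import defaultdict


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    blob = base64.b64decode(blob_b64, validate=True)  # raises ValueError on bad input
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text):
    """Parse ssh-keyscan lines of the form "host keytype base64blob".
    Comment lines (#), short lines and undecodable blobs are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, keytype, blob = parts[0], parts[1], parts[2]
        try:
            records.append((host, keytype, fingerprint(blob)))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return records


def shared_host_keys(text):
    """Return {fingerprint: sorted hosts} for every key seen on more than one host."""
    by_fp = defaultdict(set)
    for host, _keytype, fp in parse_keyscan(text):
        by_fp[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


def _fake_blob(label):
    """Constructed stand-in for a real key blob; only the bytes need to differ."""
    return base64.b64encode(label).decode()


# Constructed sample: va-1 and va-2 share one key (the static-key failure mode),
# va-3 has its own key, and the va-4 line is malformed and must be ignored.
SAMPLE_SCAN = "\n".join([
    "# va-1.example.internal SSH-2.0-OpenSSH",
    "va-1.example.internal ssh-ed25519 " + _fake_blob(b"shared-image-key"),
    "va-2.example.internal ssh-ed25519 " + _fake_blob(b"shared-image-key"),
    "va-3.example.internal ssh-ed25519 " + _fake_blob(b"unique-key-va-3"),
    "va-4.example.internal ssh-ed25519 not*valid*base64",
])

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(f"{fp} is shared by {', '.join(hosts)}")
```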

The Cisco security team says it is not aware of any malicious exploitation of the flaw in the wild.

Still, the vulnerability points to a bigger threat around SSH keys, according to Kevin Bocek, vice president of security strategy and threat intelligence at identity management firm Venafi.

Fortunately, a researcher and not an attacker discovered this vulnerability, he noted. “This type of access really gives an actor the keys to the realm, able to escalate privileges, create backdoors into systems, exfiltrate large undetected datasets, and move back and forth over any device and system, no questions asked,” Bocek said.

However, Cisco is not alone. “SSH keys are incredibly powerful machine identities and are used everywhere, but they’re also misunderstood and mismanaged, making them a prime target for attackers,” Bocek added.

The longevity of SSH keys adds to the security risk, he said. “Unlike other machine identities like TLS, they do not expire. This means that a compromised identity could be abused for months or even years without an organization knowing. Given the high level of privileges granted to them, this is a very serious flaw in organizational security.”

TeamTNT malware’s cover blown

In an effort to stay ahead of defenders, cybercrime group TeamTNT modified its malicious shell scripts after security researchers made the code public.

TeamTNT, which has been around since 2019, primarily targets cloud and containerized environments. Last year, Trend Micro found a TeamTNT binary containing a shell script designed to steal Amazon Web Services credentials and published a detailed analysis of the gang’s methods, including the abandoned script.

The malefactors modified their scripts, and in response Cisco Talos researchers have published a “field guide” describing the latest TeamTNT code, its features, indicators of compromise and other attributes.

While the criminal gang still primarily targets AWS environments, these latest scripts can also run on on-premises systems, in containers and on other Linux instances, Talos wrote.

In addition to stealing credentials, which remains the primary goal of the crooks’ scripts, other payloads that can be deployed include cryptocurrency miners and malware that maintains persistence and enables lateral movement across a network by discovering and deploying to all Kubernetes pods.

Additionally, some of the new scripts contain evasion functions that can disable Alibaba’s cloud security tools, Talos warned. “The focus on compromising modern cloud environments sets TeamTNT apart,” the researchers noted.

Better late than never?

Industrial control systems (ICS) experts and security vendors have finally been invited to join the US government’s Joint Cyber Defense Collaborative (JCDC), a public-private collaboration for sharing threat data and security expertise.

Initial ICS partners include Bechtel, Claroty, Dragos, GE, Honeywell, Nozomi Networks, Schneider Electric, Schweitzer Engineering Laboratories, Siemens and Xylem.

“Cyber threats to the systems that control and operate the critical infrastructure we rely on every day are among our greatest challenges,” CISA Director Jen Easterly said at the S4x22 conference, where she announced the new JCDC-ICS effort.

According to federal authorities, the JCDC-ICS will build on existing JCDC work to develop plans for protecting and defending control systems, inform government guidance on the cybersecurity of ICS and operational technology, and “contribute to real-time operational fusion” with ICS public- and private-sector partners.

As The Reg readers may recall, Easterly announced the JCDC at the Black Hat security conference last summer. At the time, the collective’s industry partners included Amazon Web Services, AT&T, CrowdStrike, FireEye Mandiant, Google Cloud, Lumen, Microsoft, Palo Alto Networks, and Verizon.

Since then, nation states and cybercriminal gangs have stepped up their efforts to attack critical infrastructure. Last week, CISA, along with the US Department of Energy, NSA and FBI, warned that cybercriminals had created custom tools to hijack a range of industrial control system and supervisory control and data acquisition devices (ICS and SCADA equipment).

And this month, all Five Eyes nation cybersecurity agencies urged critical infrastructure to prepare for attacks from Kremlin-supported or sympathetic crews amid strong Western opposition to the Russian invasion of Ukraine.

These are just two of the most recent alerts among the barrage of security warnings from federal agencies and private threat researchers that operators are routinely called upon to act on.

So it would seem that including companies that develop and secure critical infrastructure technologies in a national cybersecurity effort would be a no-brainer. Maybe their previous invitations got lost in the mail?

LAPSUS$ ‘stole’ source code from T-Mobile US

The LAPSUS$ extortion gang stole source code from T-Mobile US in the weeks before some of its alleged members were arrested in March, according to infosec blogger Brian Krebs.

Krebs said he obtained a week’s worth of private messages exchanged between seven core LAPSUS$ members as they plotted the intrusion. “Logs show that LAPSUS$ repeatedly breached T-Mobile in March, stealing source code for a series of company projects,” he claimed.

The notorious criminal group apparently breached the telecommunications giant using compromised employee accounts. The gang typically gains initial access to organizations by purchasing credentials stolen and sold on dark web marketplaces, such as Russian Market, which sells access to compromised systems.

The gang also reportedly uses social engineering scams to trick employees into adding one of their devices to the list of those allowed to authenticate with a victim organization’s virtual private network.

Targeting T-Mob employees and gaining access to internal company tools allowed LAPSUS$ to easily perform SIM swaps, which reassign someone’s cell phone number to a handset controlled by the attackers, letting the crooks intercept text messages and calls, including anything from password-reset links to multi-factor authentication codes.

T-Mobile US told The Register that its monitoring tools had detected malicious activity using stolen credentials to access internal systems hosting operational tools software.

“The systems accessed did not contain any customer or government information or other similar sensitive information, and we have no evidence that the intruder was able to obtain anything of value,” it said. “Our systems and processes functioned as intended, the intrusion was quickly stopped and closed, and the compromised credentials used became obsolete.” ®
