Weekly Intelligence Trends and Advisory – 5 Sep 2021

Key Intelligence Signals

  • Attack Type: Phishing, Malware Implants, Ransomware, Vulnerabilities & Exploits, Social Engineering, Data Exfiltration, Defence Evasion, Data Breach, Business Email Compromise (BEC)
  • Objective: Data Theft, Payload Delivery, Data Encryption, Financial Gains, Operational Disruption
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Operational Disruption
  • Ransomware – LockBit 2.0 | Malware – LokiBot, Flubot, DirtyMoe
  • LockBit 2.0 (LockBit) Ransomware – One of the more prominent ransomware groups.
  • Behavior – Most of this malware uses phishing and social engineering techniques as its initial attack vector. Beyond these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are also being observed.

Threat Actor in Focus

Deciphering ShinyHunters’ Data Breach Tactics

Suspected Threat Actors: ShinyHunters

  • Attack Type: Data Leak
  • Objective: Financial Gain
  • Target Geography: Global
  • Target Industry: Multiple
  • Business Impact: Data Loss, Financial Loss

Summary:

Surfacing in April 2020, the infamous ShinyHunters threat actor group has been behind several high-profile data breaches. The group has claimed responsibility for a string of data breaches including Bonobos, Pixlr, ChqBook, Tokopedia, BigBasket, Microsoft’s GitHub account, and MeetMindful, among others. Researchers have recently revealed that the group uses multiple tactics to compromise corporate networks and steal troves of enterprise data. The cybercriminal group primarily operates through underground marketplaces, seeking the following types of data:

  • Legitimate credentials that are later used to target database infrastructure and exfiltrate PII to be resold on the underground marketplace.
  • DevOps personnel and GitHub repositories, to steal valid OAuth credentials that give them access to cloud infrastructure.

In addition, the threat actor group has been observed hunting for vulnerabilities in the source code held in organizations’ GitHub repositories. These vulnerabilities can be further leveraged to carry out third-party or supply chain attacks.

Insights:

In comparison to ransomware gangs, the ShinyHunters threat actors may not be equally notorious; however, both sets of cybercriminal groups are driven by financial gain and are continuously on a mission to extort their victims.

The data leaked by ShinyHunters often ends up in the hands of ransomware gangs or other threat actor groups who use it to orchestrate their own attacks, leaving the affected organization vulnerable to more sophisticated intrusions. It is therefore paramount for organizations to proactively monitor their external threat landscape, which enables them to track threat actors like ShinyHunters and avoid potentially adverse follow-on events such as ransomware attacks.

Major Geopolitical Developments in Cybersecurity

Parliamentary Committee to Government: Ban VPN Services in India

The Indian parliamentary standing committee on Home Affairs has urged the central government to block VPNs in India, alleging that such services allow criminals to remain anonymous online. The committee has emphasized that the Ministry of Home Affairs must coordinate with the Ministry of Electronics and Information Technology to identify and permanently block such VPNs with the help of ISPs (Internet Service Providers). The recommendations also suggest that India must develop a coordination mechanism with international agencies to block VPNs in India permanently.

The proposal by the parliamentary committee comes months after the central government liberalized the Other Service Providers (OSPs) sector by permitting the official use of VPNs, to facilitate remote working for India’s colossal outsourced IT industry. The move was considered a welcome one, as it kept one of India’s largest industry sectors functioning in the wake of the Covid-19 pandemic, and it essentially relaxed the former norms set by the Department of Telecommunications (DoT) for call centers and IT services in India.

The Committee notes with concern that the technological challenge posed by VPN services and the Dark Web can bypass cyber security controls and allow criminals to remain anonymous online. Until now, VPNs could easily be downloaded, as many websites provide and advertise such services. The committee recommends that the Ministry take initiatives to strengthen its tracking and surveillance mechanisms by further improving and developing state-of-the-art technology, to put a check on the use of VPNs and the dark web.

The FBI and CISA Issued a Joint Cybersecurity Advisory on Ransomware Attacks During Weekends or Holidays

The government agencies have detected an increase in ransomware attacks occurring on holidays and weekends. Cybercriminals choose these periods because defenses are weaker, with only a minimal presence of security personnel in the organization.

While the FBI and CISA currently have no threat reporting indicating that a cyberattack will occur over the upcoming Labour Day holiday, threat actors have launched serious ransomware attacks during other holidays and weekends in 2021.

The FBI and CISA focus on cyberattacks against organizations in the United States, and they cite the attacks against Colonial Pipeline, JBS, and Kaseya as case studies. The agencies found that the ransomware families most active over the last month were Conti, PYSA, LockBit, RansomEXX/Defray777, Zeppelin, and Crysis/Dharma/Phobos.

Most of the attacks leverage phishing and brute-forcing of unsecured Remote Desktop Protocol (RDP) endpoints as initial attack vectors to gain a foothold in the organization’s network and deploy the ransomware.

The FBI and CISA recommend that organizations conduct threat hunting on their networks, searching for any signs of threat actor activity, to prevent attacks before they occur or to minimize the impact of successful ones.
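As an added illustration of the kind of hunting check the advisory calls for (this is example code written for this page, not from the FBI/CISA advisory), the script below runs over a few constructed Windows Security log lines in a simplified one-line-per-event format, flags source addresses with a burst of failed RDP logons (Event ID 4625, Logon Type 10), notes whether the burst landed on a weekend, and whether a successful RDP logon from the same source followed it. The log format, addresses and user names are constructed for the example.

```python
# Added example (not from the advisory): a hunting check over constructed
# Windows Security log lines. It flags sources with a burst of failed RDP
# logons (Event ID 4625, Logon Type 10) and notes whether the burst fell
# on a weekend, when the advisory says staffing is thinnest.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> EventID=<id> LogonType=<n> Src=<ip> User=<name>"
SAMPLE_LOG = """\
2021-09-04T02:00:01 EventID=4625 LogonType=10 Src=198.51.100.7 User=administrator
2021-09-04T02:00:03 EventID=4625 LogonType=10 Src=198.51.100.7 User=admin
2021-09-04T02:00:04 EventID=4625 LogonType=10 Src=198.51.100.7 User=backup
2021-09-04T02:00:06 EventID=4625 LogonType=10 Src=198.51.100.7 User=svc_sql
2021-09-04T02:00:09 EventID=4625 LogonType=10 Src=198.51.100.7 User=jsmith
2021-09-04T02:00:12 EventID=4624 LogonType=10 Src=198.51.100.7 User=jsmith
2021-09-01T09:15:00 EventID=4625 LogonType=10 Src=203.0.113.5 User=jdoe
2021-09-01T09:15:20 EventID=4625 LogonType=2 Src=- User=jdoe
"""

def parse_line(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Map source address -> finding for sources with >= threshold failed
    RDP logons inside any `window`-long span of time."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["LogonType"] != "10":
            continue  # only RemoteInteractive (RDP) logons are of interest
        if rec["EventID"] == "4625":
            failures[rec["Src"]].append(rec["ts"])
        elif rec["EventID"] == "4624":
            successes[rec["Src"]].append(rec["ts"])
    hits = {}
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            end = times[i + threshold - 1]
            if end - times[i] <= window:
                hits[src] = {"failures": len(times),
                             "weekend": end.weekday() >= 5,  # Sat=5, Sun=6
                             "followed_by_success": any(t > end for t in successes[src])}
                break
    return hits
```

Running `find_rdp_bruteforce(SAMPLE_LOG)` reports the 198.51.100.7 burst as a Saturday-night brute force followed by a successful RDP logon, which is exactly the sequence worth escalating before a holiday weekend.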

Latest Cyber-Attacks, Incidents, and Breaches

English Speakers Being Recruited by Adversaries for BEC

  • Attack Type: BEC
  • Objective: Data Theft, Financial Gain
  • Target Industry: Multiple
  • Target Geography: North America, Europe
  • Target Technology: Email
  • Business Impact: Data Loss, Financial Loss

Summary:

Researchers have observed cybercriminals recruiting native English speakers on underground forums to make BEC campaigns more effective. In particular, the attackers seek to assemble teams capable of managing both the technical aspects and the social engineering elements of a BEC scam. The attackers have posted adverts on Russian-speaking cybercriminal forums looking for native English speakers who will later be tasked with managing the email communication and negotiation aspects of a BEC campaign. In addition, the attackers were also looking to outsource the laundering of money stolen via BEC campaigns. In one such ad, the Russian-speaking attacker was looking to launder approximately USD 250,000 through a cryptocurrency tumbler, also known as a cryptocurrency mixing service, which aims to obscure the trail back to the funds’ source.

Insights:

• As per researchers, North American and European markets are the primary targets of these scams since major English-speaking populations reside in these regions. Last month, 23 suspects were charged across Europe in connection with a sophisticated BEC campaign that defrauded organizations in at least 20 countries of approximately USD 1.17 million. According to the investigation, the international group of online fraudsters had been operating for years, updating their tactics to exploit current events.

• BEC attacks were listed as one of the most lucrative forms of cybercrime for 2019, topping ransomware, and cost approximately USD 1.8 billion in 2020 as per the FBI. However, BEC’s footprint and popularity on underground forums are not as significant as those of other forms of cybercrime such as credential theft or ransomware. This is likely because most operational elements of a BEC attack involve heavy use of targeted social engineering and impersonated domains – which do not require the level of technical services and products a cybercriminal underground forum has to offer.

• In addition, to carry out a successful BEC attack, the attackers are not required to secure unauthorized access to the victim’s network or deploy a malicious payload.

• While BEC may not be as trendy in current times, it remains a potent weapon in the arsenal of cybercriminals who are constantly looking for ways to make money.