Global action spurs Hive disruption
The attack infrastructure is taken down, but the group is still around.
A coordinated law enforcement operation dismantled the prolific Hive ransomware gang’s infrastructure, saving victims from a collective $130 million in ransom demands. The operation permitted the FBI to gain clandestine access to Hive’s servers in July 2022, enabling them to gather the decryption keys and pass them on to victims. No arrests were made as part of the takedown.
Hive employs a ransomware-as-a-service (RaaS) model, engaging in data theft and double extortion to pressure victims into paying up. While the action is likely to have a short-term effect on the proliferation of ransomware, it remains to be seen whether Hive will stage a revival or regroup under a different identity.
The development also comes at a time ransomware is becoming less lucrative, with operators facing declining profit margins (partly spurred by tanking crypto prices) and intense law enforcement scrutiny. Whether this phenomenon forces ransomware actors to pivot to other types of cyberattacks, such as business email compromise (BEC), is unclear at this stage.
What’s trending in security?
📲 Threat actors on the dark web are providing customers with Android mobile apps for purchasing drugs, conducting secure communications, as well as sending instructions to couriers. “The mobile apps provide the ability to transfer details about successful drug orders, and they can also send geographical coordinates of the ‘package’ left by the courier for further pick-up,” researchers said. [Resecurity]
🌏 Attacks targeting government agencies and military bodies in multiple countries in the Asia Pacific region have been attributed to what appears to be a new advanced threat actor dubbed Dark Pink (aka Saaiwc Group) that leverages custom malware that’s tasked with stealing confidential information and spreading malware via USB drives. “The sophistication of Dark Pink attacks is also underlined by the custom malware and stealers in the threat actors’ arsenal,” researchers said. [The Hacker News]
⛔ Microsoft-owned code hosting platform GitHub has announced a new ‘default setup’ option that allows developers to have their Python, JavaScript, and Ruby repositories automatically scanned for vulnerabilities. [GitHub]
⏯️ The operators of the Gootkit loader malware are running a new SEO poisoning campaign that abuses VLC Media Player to infect Australian healthcare entities with Cobalt Strike beacons. The malware is known to use SEO poisoning to surface malicious websites in Google search results. [The Hacker News]
⚙️ New research has determined the presence of multiple architectural vulnerabilities in the Siemens SIMATIC and SIPLUS S7-1500 series PLCs (Programmable Logic Controllers) that could allow attackers to bypass all protected boot features, resulting in persistent arbitrary modification of operating code and data. The flaw, which enables offline attackers to decrypt encrypted firmware as well as to generate arbitrary encrypted firmware that can be flashed onto the PLCs, requires physical tampering with the product. [Ars Technica / The Hacker News]
📁 Twitter claimed that a trove of leaked user data, containing email addresses linked to about 235 million Twitter accounts, did not come from its systems. The development comes after multiple reports that the compilation of user information had been available for sale on a criminal forum. “The data is likely a collection of data already publicly available online through different sources,” the company said, although it did not explain how the threat actors behind the data leak managed to link those emails to the relevant user accounts. [The Hacker News]
💣 Pro-Russia hacktivist group NoName057(16), known for orchestrating DDoS attacks targeting Ukrainian websites and NATO member countries, has been found operating public Telegram channels to communicate with its followers and using GitHub Pages to host its illicit activity. It also leverages tools like DDOSIA and Bobik to ensnare machines into a botnet and carry out its volunteer-fueled disruptive attacks. There is an added financial incentive, as the initiative compensates top DDoS contributors with cryptocurrency for launching the attacks. GitHub has since disabled the accounts in question. The development is the latest in the tit-for-tat attacks transpiring between hacktivist groups taking sides in the Russo-Ukrainian war. [SentinelOne / Avast / Team Cymru / The Record]
📺 A cheap Android TV box bought for $39.99 from Amazon came ‘festooned’ with malware, according to Canadian system administrator Daniel Milisic, who made the discovery. The device in question is the T95 Android TV Box. “The box was reaching out to many known, active malware addresses,” Milisic said. The findings once again illustrate the supply chain risks of buying products from little-known or unknown brands. [Daniel Milisic / Bleeping Computer]
💰 Threat actors associated with the Lorenz ransomware have been spotted planting backdoors on compromised systems by exploiting publicly disclosed flaws in unpatched software, then leveraging the dormant implant to drop the ransomware five months after the targets had applied the necessary security updates. The development illustrates the importance of patching in time, before adversaries get a window of opportunity. [S-RM]
🚫 Microsoft’s decision last year to block macros downloaded from the Internet by default in Office has had a number of interesting effects, most notably spurring malware authors to move to alternative file formats such as LNK and XLL to deliver their warez. [The Hacker News]
💊 The Russian-language drug marketplace Kraken, which emerged at the end of December 2022, is believed to have hacked and seized control of its rival Solaris. In the wake of Hydra’s collapse last year, at least 10 darknet markets (DNMs) have risen to fill the regional void for drugs and other illicit goods, according to Resecurity. [Elliptic / The Record]
✳️ A new piece of malware has been found targeting FreePBX’s Asterisk Management portal, allowing attackers to arbitrarily add and delete users. FreePBX is a web-based open source GUI that manages Asterisk, a VoIP server. [Sucuri]
🕸️ The cybercrime group known as Scattered Spider (aka Roasted 0ktapus and UNC3944) has been attempting to deploy a malicious version of the Intel Ethernet diagnostics driver that’s vulnerable to CVE-2015-2291 in recent attacks on telecom and BPO firms. The technique, called Bring Your Own Vulnerable Driver (BYOVD), enables threat actors to gain higher privileges and execute arbitrary code. As is often the case, the intent is to disable endpoint security products, allowing the threat actors to further their actions without getting flagged. [CrowdStrike / Dark Reading]
🚩 Researchers demonstrate that it’s possible for threat actors to abuse GitHub Codespaces’ port forwarding feature to host and distribute malware and malicious scripts. GitHub said it intends to “add a prompt to users to validate that they trust the owner when connecting to a codespace.” [The Hacker News]
🛡️ More than 4,000 internet-connected Sophos Firewall devices continue to have the critical remote code execution flaw, tracked as CVE-2022-3236, unpatched despite the release of hotfixes last September and the issuance of official patches in December. [VulnCheck]
➡️ The Secure Boot process on almost 300 different PC motherboard models manufactured by Micro-Star International (MSI) isn’t secure, effectively allowing arbitrary OS images to be booted despite Secure Boot policy violations. The shortcoming is said to have been introduced sometime in Q3 2021. MSI, in a Reddit post, confirmed the findings, stating it did so to “offer a user-friendly environment that allows multiple end-users flexibility to build their PC systems.” Users are being urged to set ‘Image Execution Policy’ to ‘Deny Execute’ to improve security. MSI also said it plans to release new firmware versions that will change the default setting to ‘Deny Execute.’ [Dawid Potocki / Ars Technica]
🚨 As many as six security issues have been identified in the open source secure messaging app Threema that could be exploited to break authentication protections and even recover users’ private keys. Threema, however, downplayed the findings, stating “none of them ever had any considerable real-world impact.” [The Hacker News]
📶 A group of researchers has demonstrated ReVoLTE, an attack that exploits an LTE implementation flaw to recover the contents of an encrypted VoLTE call. “The ReVoLTE attacks exploit the reuse of the same keystream for two subsequent calls within one radio connection,” the researchers said. “This enables an adversary to eavesdrop on VoLTE phone calls.” [revolte-attack.net]
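To make the keystream-reuse flaw concrete, here is an added Python example (not code from the researchers or from this digest) built on a constructed toy stream cipher: it shows that two calls encrypted under one keystream leak each other once one plaintext is known, and that deriving a fresh per-call key (an assumed mitigation, not the carriers' actual fix) removes the problem.

```python
import hashlib


def keystream(call_key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode (a constructed stand-in for the
    LTE stream cipher; the flaw is about XOR with a repeated keystream, not
    about which cipher generates it)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(call_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_call(call_key: bytes, audio: bytes) -> bytes:
    """Stream-cipher encryption of one call's audio frames."""
    return xor(audio, keystream(call_key, len(audio)))


def recover_from_reuse(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If both calls used the same keystream, c1 ^ c2 == p1 ^ p2, so a known
    plaintext for call 1 yields the plaintext of call 2. With distinct
    keystreams the same computation returns only noise."""
    n = min(len(c1), len(c2), len(known_p1))
    return xor(xor(c1[:n], c2[:n]), known_p1[:n])


def derive_call_key(bearer_key: bytes, call_counter: int) -> bytes:
    """Mitigation (assumed design): derive a fresh key per call from the
    radio-bearer key and a counter so no two calls share a keystream."""
    return hashlib.sha256(bearer_key + b"call" + call_counter.to_bytes(4, "big")).digest()


def demo(bearer_key: bytes, call1: bytes, call2: bytes):
    """Returns (what leaks when the keystream is reused, what leaks with per-call keys)."""
    # Flawed: both calls within one radio connection reuse the same keystream.
    c1, c2 = encrypt_call(bearer_key, call1), encrypt_call(bearer_key, call2)
    leaked = recover_from_reuse(c1, c2, call1)
    # Fixed: every call gets its own derived key, so c1 ^ c2 no longer cancels.
    c1 = encrypt_call(derive_call_key(bearer_key, 1), call1)
    c2 = encrypt_call(derive_call_key(bearer_key, 2), call2)
    not_leaked = recover_from_reuse(c1, c2, call1)
    return leaked, not_leaked
```

Calling `demo(b"constructed-bearer-key", b"call one audio frames", b"call two audio frames")` returns the second call's plaintext in the first slot and unrelated bytes in the second.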
🧩 A new attack method called Trojan Puzzle can be leveraged to poison AI-based code suggestion models, inducing them to suggest insecure code payloads. The underlying idea is to inject the malicious code into the training dataset without raising red flags by evading signature-based dataset-cleansing methods that identify and filter out suspicious sequences from the training data. It uses special markers (called tokens) hidden in ‘bad’ samples to teach the model to reconstruct malicious payloads through substitution. [arXiv]
⬆️ In a sign that the tide may finally be turning against ransomware actors, extortion payoffs dropped by roughly 40%, declining from $765 million in 2020 and 2021 to $457 million in 2022. While there is always the possibility that there are cryptocurrency addresses controlled by threat actors that have yet to be identified on the blockchain, the findings highlight the downward trend of ransomware payments as victim organizations increasingly opt not to pay, having realized that paying the ransom guarantees neither access to encrypted files nor deletion of the stolen files. In a similar report, Coveware found that only 41% of ransomware victims in 2022 paid a ransom, compared with 50% in 2021, 70% in 2020, and 76% in 2019. That said, the average ransom payment in the last quarter of 2022 surged 58% over the previous quarter to $408,644, while the median payment skyrocketed 342% to $185,972 over the same period. [Chainalysis / Coveware]
🐉 A previously unknown threat actor known as DragonSpark has targeted East Asian organizations as part of a new campaign. The attacks puppeteered servers located in China, Hong Kong, Singapore, and Taiwan, seeking out internet-exposed web servers and MySQL database servers to deploy open source malware such as SparkRAT after obtaining a foothold. All signs point to the backdoor being used more frequently in the future, owing to its multi-platform and feature-rich nature. [The Hacker News]
💵 The U.S. Federal Bureau of Investigation (FBI) accused two North Korean state-backed hacking syndicates, Lazarus and APT38, of carrying out the theft of $100 million in crypto from Harmony Horizon Bridge in June 2022. Cybercrime has long been an essential cog for threat actors connected to the Hermit Kingdom, enabling them to mount high-profile hacks on web3 companies and financial entities. The goal has been to use the money stolen in heists to evade international sanctions and raise funds for the regime’s initiatives. Around $1.4 billion is estimated to have been stolen from blockchain bridges last year, per Chainalysis.
In a related development, the BlueNoroff actors are expanding their targets to include education, government and healthcare as part of a ‘sprawling’ credential harvesting activity. This campaign is unusual as it deviates from the group’s historical operations by stealing credentials rather than directly deploying malware. While North Korean hackers have homed in on the crypto industry in recent years, the attacks come on the heels of a noticeable pivot in delivery tactics. [The Hacker News]
⚠️ Akamai has developed a proof-of-concept (PoC) exploit for a public X.509 certificate-spoofing vulnerability in the Windows CryptoAPI that could be exploited by a threat actor to impersonate a legitimate entity online. [The Hacker News / Dark Reading]
💥 Russia’s largest internet service provider, Rostelecom, disclosed that the country’s IT infrastructure came under a deluge of DDoS attacks, the most powerful of which was 760GB/s, while the longest lasted 2,000 hours (almost three months). In all, 21.5 million DDoS attacks were recorded in 2022. [Rostelecom]
⬇️ A 25-year-old Dutch hacker arrested in November 2022 had obtained and offered for sale the “full name, gender, complete address and date of birth of presumably every citizen” in Austria. The data trove, advertised in May 2020, contained close to 9 million records. Austria’s population is roughly 9.1 million. [AFP]
🪓 A group called Abraham’s Ax that claims to be affiliated to Hezbollah is likely operated by the same entity behind Moses Staff, a hacktivist group that has gone after Israeli targets with hack-and-leak operations. [The Hacker News / CyberScoop]
🤖 Since its beta release in November 2022, ChatGPT has attracted widespread interest and been enlisted for a variety of tasks, prompting reactions both optimistic and fearful that underscore the potential implications of artificial intelligence and machine learning (AI/ML) models. Needless to say, the introduction of such accessible AI tech represents one of the most significant technological advances in recent years.
As much as it has captured the imagination of users worldwide, the explosion of interest in ChatGPT comes with a couple of limitations in its present form: not only does the chatbot’s output not include sources or references, but its knowledge base also covers data only up until 2021. Nor does this discount the possibility of threat actors and script kiddies toying with tools like ChatGPT for malicious ends, including creating polymorphic malware that can evade detection, producing convincing phishing emails, facilitating fraud, and even orchestrating propaganda campaigns on a massive scale, effectively lowering the bar for criminal activity and allowing people with zero knowledge of software development to become a ‘developer’ with very little effort or investment.
It’s further worth noting that generative adversarial networks (GANs) have previously been employed to create photos of synthetic humans for use on social media platforms to lure targets. That said, AI-enhanced attacks are likely to take off only if they offer threat actors a faster path to monetization and to creating end-to-end infection chains that can bypass detection.
“The whole ChatGPT writing malware thing is so overhyped,” Marcus Hutchins said. “The bar for writing malware has never been high. There are loads of free ready-to-go examples online, you can buy ready-made malware, and basically anyone with two brain cells to rub together can make ransomware.” [Check Point / CyberArk / Sophos / Trustwave / WithSecure]