REvil faces the heat
The prolific ransomware gang goes dark after one of the biggest mass ransomware events ever.
As a spate of ransomware attacks continue to strike critical infrastructure, the infamous REvil cybercrime gang upped the ante significantly with a wide-ranging ransomware spree that affected nearly 1,500 small-to-midsize businesses through the compromise of a leading IT services provider.
Florida-based software vendor Kaseya became a conduit for deploying the ransomware after the intruders turned zero-day flaws in its VSA IT management and remote monitoring solution into a way to infiltrate the systems of managed service providers, which in turn hit downstream businesses in what amounts to a “trickle-down” supply chain ransomware attack.
“It is not a great sign that a ransomware gang has a zero-day in a product used widely by Managed Service Providers, and shows the continued escalation of ransomware gangs,” security expert and independent researcher Kevin Beaumont said.
Cybersecurity firm Trustwave said the ransomware “avoids systems that have default languages from what was the USSR region,” including Russian, Ukrainian, Belarusian, Tajik, Armenian, Azerbaijani, Georgian, Kazakh, Kyrgyz, Turkmen, Uzbek, Tatar, Romanian, Russian Moldova, Syriac, and Syriac Arabic.
The mass chain reaction, needless to say, has had cascading effects around the world. What’s more, the attacks have once again highlighted the growing concern about striking the software supply chain wherein hundreds or thousands of potential victims are infected by abusing the trust associated with a widely used application from a single supplier, thus shaking faith in the software-as-a-service (SaaS) model.
“Hackers are increasingly scrutinizing the entire class of tools that administrators use to remotely manage IT systems, seeing in them potential skeleton keys that can give them the run of a victim’s network,” WIRED’s Andy Greenberg noted.
REvil, which first emerged in the ransomware circles in 2019, scored big last month with meatpacking giant JBS, shutting down a huge swath of its international operations after the ransomware hamstrung its automated processes. JBS ultimately paid REvil affiliates $11 million. The ease of payments, unsurprisingly, has helped drive ransomware revenue up in recent years.
It’s also worth pointing out REvil’s business model, which works by licensing its ransomware to a network of affiliates, who, in turn, run their own operations and then simply give REvil a cut of the profits. Viewed in that light, the escalating tactics are as much the handiwork of an affiliate as of the core REvil operators.
While Kaseya has since issued patches to address the vulnerabilities, in a surprise turn of events (or, perhaps not), dark web sites operated by REvil mysteriously slipped offline earlier this week, fuelling speculation about the cybercrime syndicate’s exit.
Vanishing acts are not uncommon in the ransomware landscape, and gangs tend to disappear and rebrand when they begin attracting too much heat. But it remains to be seen if REvil’s sudden disappearance is a case of planned retirement, or a temporary setback, or a consequence of increased international scrutiny in the wake of the global ransomware crisis.
What’s trending in security?
🇮🇱 A relatively unknown Israeli company called Candiru (aka Sourgum) created spyware tools by exploiting previously unknown zero-day flaws in Windows and Google Chrome, reportedly to help governments spy on academics, journalists, and dissidents.
“Sourgum generally sells cyberweapons that enable its customers, often government agencies around the world, to hack into their targets’ computers, phones, network infrastructure and internet-connected devices,” said Microsoft, which defanged the malware by addressing the flaws. “These agencies then choose who to target and run the actual operations themselves.” [The Hacker News]
🇷🇺 The Russian hack of SolarWinds shoved the company into the limelight in December 2020, but that may be just the start. Microsoft disclosed that SolarWinds software was attacked with a zero-day exploit by a Chinese threat actor it calls “DEV-0322.” [The Hacker News]
⚠️ Researchers at Proofpoint spotted a new phishing campaign aimed at individuals focused on Middle East affairs in the US and UK. It’s being tracked as “Operation SpoofedScholars” because the phishing emails sent to intended victims purport to be from scholars at the University of London’s School of Oriental and African Studies (SOAS).
The campaign compromised a university-affiliated website in an effort to deliver personalised credential harvesting pages to targets, under the guise of inviting them to speak at a fictitious webinar on Middle Eastern issues. The goal is to siphon intelligence from persons of likely interest to the Iranian government. [The Hacker News]
❌ A string of security flaws impacting Western Digital MyBook Live network storage drives have been exploited to carry out remote mass wiping attacks. What’s more, the company’s MyCloud internet-connected hard drives have been found to suffer from a separate zero-day flaw identified in MyCloud OS 3 that’s expected to remain unfixed for customers who cannot upgrade to the latest operating system. Western Digital advises users to disconnect their device(s) from the internet. [Ars Technica / Krebs on Security]
💲 Jack Cable of Krebs Stamos Group launches Ransomwhere, a crowdsourced ransomware payment tracker that's tracking over $45 million in ransom payments in 2021 alone. [Ransomwhere]
💵 Microsoft engineer Volodymyr Kvashuk swindled his way to $10 million by exploiting a bug in Microsoft’s e-commerce infrastructure that allowed him to generate virtually unlimited codes for Xbox gift cards, which he sold at a discount on Paxful.com, a leading marketplace for trading gift cards in return for cryptocurrency. [Bloomberg]
🍪 Here’s a fascinating look at the Genesis Market, an underground marketplace that lets people buy stolen cookies — the tiny bits of data that keep users logged in to a service without having to re-enter their passwords. Stealing a cookie effectively amounts to stealing someone’s login. It’s how EA got hacked — someone bought a stolen cookie for EA’s Slack, and then the hackers socially engineered an MFA token from IT support. [Vice]
🇰🇵 The notorious Lazarus advanced persistent threat (APT) group has been identified as the cybergang behind a campaign spreading malicious documents to job-seeking engineering candidates via emails posing as defense contractors Airbus, General Motors (GM) and Rheinmetall. [AT&T Alien Labs]
🔑 New research found that passwords associated with Amazon Echo Dot devices remain stored in memory even after a factory reset. “An adversary with physical access to such devices (e.g., purchasing a used one) can retrieve sensitive information such as Wi-Fi credentials, the physical location of (previous) owners, and cyber-physical devices (e.g., cameras, door locks),” the researchers wrote in a research paper. [Ars Technica]
🚨 Over 170 mobile apps in the Android ecosystem, including 25 on Google Play, have been identified as fraudulent services designed to scam people interested in cryptocurrencies. “The apps’ entire raison d'être is to steal money from users through legitimate payment processes, but never deliver the promised service,” the researchers said. “Based on our analysis, they scammed more than 93,000 people and stole at least $350,000 between users paying for apps and buying additional fake upgrades and services.” [Lookout]
🛡️ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a new self-assessment tool to help organizations understand how well they are equipped to defend against and recover from ransomware attacks. In a related development, the U.S. government launched a new website called “StopRansomware.gov” to help public and private entities defend against the rise in ransomware cases, adding it intends to offer rewards of up to $10 million for information about foreign state-sanctioned hackers targeting critical infrastructure. [CISA]
ℹ️ By piecing together 60 disparate cases, a new research database released by Amnesty International, Citizen Lab and Forensic Architecture has mapped global misuse of Pegasus spyware, which is offered by Israeli company NSO Group to governments across the world and has been used to snoop on dozens of journalists, activists, and lawyers in connection with human rights violations. [Digital Violence]
🏧 Security flaws in the NFC readers used in many modern ATMs and point-of-sale systems leave them exposed to a range of attacks, including being crashed by a nearby NFC device, locked down as part of a ransomware attack, or even manipulated to extract certain credit card data. [WIRED]
🤖 Despite attempts by law enforcement to put a dent in TrickBot and blunt the gang’s operations last year, there seems to be no stopping the botnet from staging a rebound. The million-plus botnet has been leveraged for an assortment of criminal activities, including helping to launch ransomware attacks throughout the world.
The latest research found that its operators are actively developing an updated version of its “vncDll” module, used for monitoring and intelligence gathering. The development is the latest sign that the hacking gang is working behind the scenes, quietly updating its malware to spy on its victims. [The Hacker News]
🚫 Joker “fleeceware” — malware known for carrying out billing fraud and subscribing victims to unwanted, paid premium services controlled by the attackers — is back on Google Play in a fresh onslaught, with an updated bag of tricks to skirt security protections. “The persistence highlights how mobile malware, just like traditional endpoint malware, does not disappear but continues to be modified and advanced in a constant cat-and-mouse game,” Zimperium said. [Threatpost]
🎛 A critical flaw in Schneider Electric Modicon programmable logic controllers, popular in manufacturing, building automation, healthcare and enterprise environments, can let attackers hijack the devices to gain control, launch ransomware, and alter commands. The authentication bypass vulnerability, dubbed “Modipwn,” has been assigned CVE-2021-22779 and is not expected to be fully patched until Q4 2021. [Armis / Schneider Electric]
Tips, Comments, Ideas?
Send them my way by replying to this email.
Thanks again for reading. See you in the next edition!