Newly formed cyber gang “DarkSide” has been active for less than two weeks but has already collected over $1 million. DarkSide claims to have created the perfect ransomware delivery method after not finding the ideal cryptolocker attack product.
“We are a new product on the market, but that does not mean that we have no experience and we came from nowhere. We received millions of dollars profit by partnering with other well-known cryptolockers. We created DarkSide because we didn’t find the perfect product for us. Now we have it.” – Press Release 8/10/2020
The new cybercrime group promised to attack only companies that can pay and to refrain from attacking certain industries, including Education, Non-Profit, Medicine, and the Government Sector. Depending on the target, ransom demands range from $200,000 to $2 million. Fear of data loss has apparently led at least one victim to pay the $1 million demanded.
DarkSide is taking a traditional approach by spreading laterally throughout the target network until they reach an administrator account. Instead of immediately posting the stolen encrypted data and disappearing, DarkSide gives the victim a chance to pay the ransom in full. If the victim pays the ransom, DarkSide promises they will remove the data from the leak site.
DarkSide creates a custom ransomware executable that changes depending on the specific target. “Once executed, the ransomware will execute a PowerShell command that deletes Shadow Volume Copies on the system so that they cannot be used to restore the files.” When DarkSide encrypts a computer, it will avoid deleting some processes, including vmcompute.exe, vmms.exe, vmwp.exe, svchost.exe, TeamViewer.exe, and explorer.exe. Each victim will then have a custom extension created using a custom checksum from the target’s MAC address. The newly created extension is where DarkSide will include their personalized “Welcome to Dark” ransom note. Experts have noticed similarities between DarkSide and the REvil ransomware from 2019.
As of 18 hours ago, the hacktivist group Anonymous released a video in response to the shooting of Jacob Blake of Kenosha County, WI. In the video, Anonymous announced they were targeting Kenosha police for the indefinite future until “we get justice for those that died”. Anonymous also stated that the Kenosha police were of no challenge to them. Anonymous remarked within the video that they had taken down kenosha.org and kenoshacounty.org. When reviewed by VerSprite analysts, the websites were online.
The hacktivist group is well known for performing DDoS attacks that take down their targets’ websites. In a DDoS attack, an attacker floods the target’s infrastructure with traffic from various sources until it is overwhelmed and stops responding appropriately.
A DDoS attack can happen to any organization. VerSprite’s Threat Intelligence group can assist organizations in determining what threat actors and attacks are likely to target their organization. VerSprite can also assist companies in providing guidance on what an organization should set up for protection against DDoS attacks.
Concerns regarding disinformation campaigns and data privacy arise from the capabilities threat actors can exploit from Deepfakes. Generators and Discriminators, for example, allow people to create Deepfakes at low cost that resemble persons of interest at impressive quality, while biometric scanning capabilities may allow threat actors, including state governments, to collect information on persons of interest.
Last Wednesday (August 5th, 2020), TikTok joined other social media companies such as Facebook and Twitter and took steps to bar the use of Deepfakes against United States citizens. Specific steps mentioned by Vanessa Pappas, the General Manager of TikTok in the United States, included a policy that “prohibits synthetic or manipulated content … in a way that could cause harm.”
Earlier in the year, VerSprite released Envisions 2020, which predicted Deepfakes would be a central cybersecurity focus this year. As Russia seeks to continue to meddle in the United States election, an issue also covered in Envisions, Deepfakes on TikTok also present China, as well as other threat actors, with new opportunities to collect data on United States citizens and public officials.
To stay in the know about cybersecurity and geopolitical issues that may affect your company, VerSprite recommends you subscribe to our security reel where we cover the latest security issues your company may face.
On August 13, 2020, the FBI and NSA released details on a new strain of Linux malware that Russia’s military group Fancy Bear developed. The malware contains a client, kernel module rootkit, file transfer and port forwarding tool, and a command-and-control server. When deployed, the client provides direct communications with their C2 infrastructure, file download and upload capabilities, execution of arbitrary root commands, and port forwarding of network traffic to hosts. Unless UEFI secure boot is enabled, the malware persists through the reboot of an infected machine.
The agencies recommended that Linux users update to kernel version 3.7 or later to “take full advantage of kernel signing enforcement,” a security feature the agencies say will prevent attackers from installing the rootkit. The agencies further suggest configuring systems to load only modules with valid digital signatures, which makes it harder to plant malicious modules. Lastly, since the rootkit can’t persist with UEFI secure boot enabled, users should consider activating the setting.
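The three recommendations above can be checked on a host with a short script. This is an added example, not code from the FBI/NSA advisory; it assumes the standard Linux sysfs and efivarfs paths and reports a missing file as unknown rather than as a failure.

```python
import platform
import re
from pathlib import Path

# Standard Linux locations; either file can be absent (kernel built without
# module signing support, or a machine booted in legacy BIOS mode).
SIG_ENFORCE = Path("/sys/module/module/parameters/sig_enforce")
SECURE_BOOT = Path("/sys/firmware/efi/efivars/"
                   "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")
LABEL = {True: "OK", False: "FAIL", None: "unknown"}

def kernel_at_least(release, minimum=(3, 7)):
    """Compare a `uname -r` string such as '3.10.0-1127.el7.x86_64' with (major, minor)."""
    match = re.match(r"(\d+)\.(\d+)", release)
    if not match:
        raise ValueError(f"unparseable kernel release: {release!r}")
    return (int(match.group(1)), int(match.group(2))) >= minimum

def sig_enforced(text):
    """'Y' in sig_enforce means unsigned modules are refused; None means unknown."""
    return None if text is None else text.strip().upper() in ("Y", "1")

def secure_boot_enabled(raw):
    """efivarfs prefixes the value with 4 attribute bytes; SecureBoot is one byte, 1 = on."""
    return None if raw is None or len(raw) < 5 else raw[4] == 1

def assess(release, sig_text, sb_raw):
    """Return the state of each recommendation: True, False, or None (could not tell)."""
    return {
        "kernel >= 3.7": kernel_at_least(release),
        "module signature enforcement": sig_enforced(sig_text),
        "UEFI Secure Boot": secure_boot_enabled(sb_raw),
    }

def read_host():
    """Collect the three inputs from the running system."""
    try:
        sig_text = SIG_ENFORCE.read_text()
    except OSError:
        sig_text = None
    try:
        sb_raw = SECURE_BOOT.read_bytes()
    except OSError:
        sb_raw = None
    return platform.release(), sig_text, sb_raw

if __name__ == "__main__":
    for check, state in assess(*read_host()).items():
        print(f"{check:30} {LABEL[state]}")
```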
On August 3, 2020, CISA (Cybersecurity and Infrastructure Security Agency), DOD, and the FBI published an alert (https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a) warning US private companies about new versions of the Remote Access Trojan Taidoor. The malware was first seen 12 years ago in 2008 and again in 2012 and 2013. The three government agencies reported attackers using Taidoor in new attacks against public and private organizations in the industries of research, manufacturing, and government institutions. According to the agencies, the new Taidoor comes in 32- and 64-bit versions and is installed on systems as a DLL (dynamic link library).
Reports conclude that the DLL contains two files. “Attackers load the first file and start it as a service. The loader decrypts the second file and executes it in memory – which is the main Remote Access Trojan.” (ZDNet)
Once the DLL is on the victim system, the RAT is used by Chinese hackers to access the systems and exfiltrate data or deploy malware. The FBI states that attackers deploy Taidoor with proxy servers to hide the malware operator’s point of origin. The FBI has “high confidence” that Chinese actors are using the proxy servers to maintain their presence on the victim’s system and further their network exploitations.
The observed loader file was named “ml.dll” (the name of a legitimate DLL file) or “rasautoex.dll”. When run, the file uses the export function “MyStart” to decrypt and then load “svchost.dll” (another valid DLL name). The DLL loaded was identified as being the Taidoor malware. After loading the malware, it then uses GetProcessHeap, GetProcAddress, and LoadLibrary API calls to load KERNEL32.dll, ADVAPI.dll, and WS2_32.dll, which are used by Taidoor.
After the DLLs are loaded, the loader uses the export function “Start” in its svchost.dll, which starts the process of decrypting import strings from the DLLs mentioned above. Once the decryption process finishes, it tries to connect to its C2 server (cnaweb.mrslove.com, 22.214.171.124), where it begins its handshake process. After connecting with the C2, it creates a Windows INI configuration file, into which it copies cmd.exe.
CISA recommends following security best practices such as keeping Windows and antivirus solutions up to date, maintaining email hygiene, and disabling unnecessary services.
Traffic to watch for includes requests to 126.96.36.199 (cnaweb.mrslove.com) and 188.8.131.52 (infonew.dubya.net), which are the C2 domains used by Taidoor malware. Analysts should also be mindful of ml.dll making requests to svchost.dll and making API calls to KERNEL32.dll, ADVAPI.dll, and WS2_32.dll.
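A hunt for the two C2 domains in DNS query logs can look like the following. This is an added example, not part of the CISA report; the log layout and client addresses are constructed, and only the two domain names come from the text above.

```python
from collections import defaultdict

# C2 domains named in the text above.
TAIDOOR_C2 = {"cnaweb.mrslove.com", "infonew.dubya.net"}


def normalize(qname):
    """Lower-case the name and drop the trailing root dot that resolvers often log."""
    return qname.strip().rstrip(".").lower()


def matches_c2(qname, indicators=TAIDOOR_C2):
    """True for an indicator or any name beneath it, but not for look-alike suffixes."""
    name = normalize(qname)
    return any(name == ioc or name.endswith("." + ioc) for ioc in indicators)


def hunt(log_lines):
    """Map each client IP to the C2 names it queried, so hosts can be triaged.

    Assumed line layout (constructed): '<timestamp> <client-ip> <qname> <qtype>'.
    """
    hits = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # skip comments and malformed lines
        client, qname = fields[1], fields[2]
        if matches_c2(qname):
            hits[client].add(normalize(qname))
    return {client: sorted(names) for client, names in hits.items()}


# Constructed sample log; client addresses are from a documentation range.
SAMPLE_LOG = """\
2020-08-04T09:12:01Z 192.0.2.10 www.example.com. A
2020-08-04T09:12:07Z 192.0.2.23 CNAWEB.mrslove.com. A
2020-08-04T09:13:44Z 192.0.2.23 infonew.dubya.net A
2020-08-04T09:14:02Z 192.0.2.31 notinfonew.dubya.net A
2020-08-04T09:15:30Z 192.0.2.40 a.cnaweb.mrslove.com. A
""".splitlines()

if __name__ == "__main__":
    for client, names in hunt(SAMPLE_LOG).items():
        print(client, ", ".join(names))
```

Matching on whole labels keeps `notinfonew.dubya.net` out of the results while still catching names beneath an indicator.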
On July 28, 2020, cybersecurity researchers at Intezer released a report on new backdoor malware, “Doki”, that is infecting Docker containers in cloud platforms with the Ngrok Mining Botnet. While the Ngrok botnet is not new, the technique employed by Doki, which uses the blockchain wallet Dogecoin to generate command-and-control domain names, is. The new malware, Doki, provides a persistent capability for code execution on the victim host.
The attackers first look for misconfigured Docker API ports. Once they find publicly accessible Docker servers, they create their own Docker image using public images from Docker Hub. They take the image they created and then perform a “create API” request. The body of this request contains configuration parameters for the containers, one of which is “bind”. This parameter lets the user configure which file or directory on the host machine to mount into a container. In this attack, the container is configured to bind the /tmpXXXXXX directory to the root directory of the hosting server, which then allows a Docker escape.
At this point, attackers use Ngrok to “craft unique URLs with a short lifetime and use them to download payloads during the attack by passing them to the curl-based image” (SOURCE). The Doki payload is included in this download and acts as a backdoor that allows the execution of code. It is used in the attack to contact its command and control domain using the Dogecoin blockchain by spinning off its own process and then performing queries to the dogechain.info API. After contacting the API, the malware hashes the blockchain’s response to use as a subdomain. The hash is then appended with “ddns.net”.
To mitigate this threat, Intezer recommends Docker admins check for any exposed ports, verify there are no foreign or unknown containers among the existing ones and monitor resources to ensure no excessive use.
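The container review recommended above can be automated against the output of `docker inspect $(docker ps -aq)`. This is an added example, not Intezer's tooling; the sample data, the image names and the `expected_images` allowlist are constructed for illustration.

```python
import json
import posixpath


def is_host_root(path):
    """True when a bind source resolves to the host's root directory ('/', '//', '/./')."""
    return path.startswith("/") and posixpath.normpath(path).strip("/") == ""


def root_bind_targets(container):
    """Container paths that have the host root mounted, from one `docker inspect` entry."""
    targets = set()
    for bind in (container.get("HostConfig") or {}).get("Binds") or []:
        source, _, rest = bind.partition(":")      # "host:container[:options]"
        if is_host_root(source):
            targets.add(rest.split(":")[0])
    for mount in container.get("Mounts") or []:
        if mount.get("Type") == "bind" and is_host_root(mount.get("Source", "")):
            targets.add(mount.get("Destination", ""))
    return sorted(targets)


def audit(inspect_json, expected_images):
    """Return (container name, finding) pairs for unexpected images and root binds."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/") or container.get("Id", "?")[:12]
        image = (container.get("Config") or {}).get("Image", "")
        if image not in expected_images:
            findings.append((name, f"unexpected image {image}"))
        for target in root_bind_targets(container):
            findings.append((name, f"host / mounted at {target}"))
    return findings


# Constructed `docker inspect` output, trimmed to the fields used above.
SAMPLE = json.dumps([
    {"Id": "a" * 64, "Name": "/web", "Config": {"Image": "nginx:1.19"},
     "HostConfig": {"Binds": ["webdata:/usr/share/nginx/html:ro"]},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/webdata/_data",
                 "Destination": "/usr/share/nginx/html"}]},
    {"Id": "b" * 64, "Name": "/gifted_morse", "Config": {"Image": "example/curl:latest"},
     "HostConfig": {"Binds": ["/:/tmpXXXXXX"]},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/tmpXXXXXX"}]},
])

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, expected_images={"nginx:1.19"}):
        print(f"{name}: {finding}")
```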
On July 30th, 2020 Cisco released a warning of several critical and high-severity flaws in its DCNM (Data Center Network Manager) which is used for managing network platforms and switches that run NX-OS. NX-OS is the network operating system for Cisco’s Nexus-series ethernet switches and MDS-series fibre channel storage area network switches. The flaws that exist in the DCNM are in the REST API. Cisco mentioned the most severe vulnerability (CVE-2020-3382) exists because “different installations share a static encryption key. An attacker could exploit this vulnerability by using the static key to craft a valid session token. A successful exploit could allow the attacker to perform arbitrary actions through the REST API with administrative privileges”.
All installed deployment modes of Cisco DCNM devices using .ova or .iso installers are vulnerable. It affects software versions 11.0, 11.1, 11.2, 11.3. Cisco stated this vulnerability doesn’t impact DCNM instances that were installed on customer-provided OSes using the installer for Windows or Linux, or software releases 7.x-10.x. While Cisco did release software updates that address the vulnerability, there are no workarounds to address it.
Cisco stated they patched five high-severity flaws in the same devices that could allow an authenticated remote attacker to inject arbitrary commands. This discovery is a path traversal issue that allows remote attackers to conduct directory traversal attacks, leading to an improper authorization flaw that allows a low-privileged account to bypass authorization on the API. It also leads to a bypass glitch that allows unauthenticated remote attackers to bypass authentication and execute arbitrary actions.
These vulnerabilities could impact companies using Cisco DCNM devices (ones installed using .ova or .iso installers) or those that utilize Cisco’s SD-WAN vManage Network Management System. Security teams need to install the available patches on the affected devices.
Cosmic Lynx, the BEC gang, has stepped up its game by conducting over 200 campaigns in over 46 countries since being discovered last July. Their target criteria are quite abnormal compared to most BEC: they develop their targets around senior-level executives, with around 75% being a vice president, director, or general manager. In contrast, most BEC impersonates business executives such as CEOs, managers, and directors. Since COVID-19, there have been 47 reported campaigns.
Cosmic Lynx emails their target by impersonating someone from within the company, informing the targeted executive of details about a merger and acquisition of another company. They request that the potential merger be kept confidential. They ask the target to work with an external legal entity to coordinate payments for acquiring the new company. Once they have built a rapport with their victim, they begin to introduce them to the so-called legal counsel that they would be making payments to.
Attached below are two sample emails.