Search This Blog

Showing posts with label Security Researchers. Show all posts

Growing Cyber-Underground Market for Initial-Access Brokers

 

Ransomware groups are increasingly purchasing access to corporate networks from "vendors" who have previously placed backdoors on targets. 

Email is a well-known entry point for fraudsters attempting to breach a corporate network. According to researchers instead of doing the heavy lifting themselves, ransomware groups are teaming with other criminal groups who have already opened the path for access using first-stage software. 

As per the report released Wednesday by Proofpoint, researchers discovered a "lucrative criminal ecosystem" that works together to launch effective ransomware attacks, such as the ones that have lately made headlines (Colonial Pipeline) and caused substantial damage around the world. 

According to the analysis, recognized ransomware gangs such as Ryuk, Egregor, and REvil first link up with threat actors who specialize in initial infection utilizing various forms of malware, such as TrickBot, BazaLoader, and IcedID, before unleashing the ultimate ransomware payload on the network. 

“Cybercriminal threat groups already distributing banking malware or other trojans may also become part of a ransomware affiliate network.” states report. 

Proofpoint has identified at least ten threat actors who utilize malicious email campaigns to spread first-stage loaders, which are then exploited by ransomware groups to deliver the final payload. Researchers discovered that the relationship between such threat actors and ransomware groups is not one-to-one, as multiple threat actors employ the same ransomware payloads. 

“Ransomware is rarely distributed directly via email. Just one ransomware strain accounts for 95 percent of ransomware as a first-stage email payload between 2020 and 2021,” according to the report. 

Proofpoint has also seen ransomware spread via the SocGholish malware, which infects users with fake updates and website redirects, as well as the Keitaro traffic distribution system (TDS) and follow-on exploit kits that operators employ to avoid detection, according to researchers. 

About Attackers and Malware of Choice: 

Proofpoint identifies 10 threat actors that researchers have been watching as initial access enablers to their malware and techniques of choice for getting network access, which they subsequently sell to various ransomware groups for more sinister objectives, according to the study. 

Researchers discovered that TA800, a prominent cybercrime actor that Proofpoint has been tracking since mid-2019, provides banking malware or malware loaders to the Ryuk ransomware gang, including TrickBot, BazaLoader, Buer Loader, and Ostap. 

Since mid-2020, Proofpoint has been tracking TA577, a cybercrime threat actor that "conducts broad targeting across numerous businesses and regions" to distribute payloads such as Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike via emails with malicious Microsoft Office files. 

According to the research, the Sodinokibi or REvil ransomware organization is linked to TA577, which has had a 225 percent increase in activity in the last six months. 

Many other cybercrime groups were tracked like TA569, TA551, TA570, TA547, TA544, TA571, and TA575, which is a Dridex affiliate that has been tracked by Proofpoint since late 2020 and distributes malware via malicious URLs, Office attachments, and password-protected files, with each campaign transmitting an average of 4,000 emails to hundreds of businesses.

FIN7 is Spreading a Backdoor Called Lizar

 

Under the pretext of being a Windows pen-testing platform for ethical hackers, the infamous FIN7 cybercrime gang, a financially motivated organization, is spreading a backdoor called Lizar. 

Since mid-2015, the Russian criminal advanced persistent threat group FIN7 has targeted the retail, restaurant, and hospitality sectors in the United States. Combi Security, the front company for FIN7, manages a portion of the operation. It has been dubbed one of the world's most prolific criminal hacking organizations. FIN7 is also known as the Carbanak Group, but these two groups appear to be using the same Carbanak malware and are therefore monitored separately. 

FIN7 is posing as a legitimate company selling a security-analysis platform, according to the BI.ZONE Cyber Threats Research Team. According to the researchers, they go to great lengths to ensure authenticity: “These groups recruit workers who are unaware that they are dealing with actual malware or that their employer is a real criminal group.” 

The group usually targets victims with malware-laced phishing attacks in the hopes of infiltrating networks and selling bank-card data. It has also introduced ransomware/data exfiltration attacks to its arsenal since 2020, carefully choosing targets based on revenue using the ZoomInfo service, according to researchers. 

Its malware selection is often changing, with researchers sometimes being surprised by never-before-seen samples. However, the Carbanak remote-access trojan (RAT), which is highly complex and sophisticated in comparison to its peers, has been its go-to toolkit. Carbanak is commonly used for network reconnaissance and gaining a foothold. 

However, BI.ZONE researchers have recently discovered that the community is employing a new form of backdoor known as Lizar. According to an article published on Thursday, the new edition has been in use since February and provides a strong range of data extraction and lateral movement capabilities. 

 “Lizar is a diverse and complex toolkit,” according to the firm. “It is currently still under active development and testing, yet it is already being widely used to control infected computers, mostly throughout the United States.” 

Attacks on a gambling establishment, several educational institutions, and pharmaceutical firms in the United States, as well as an IT corporation headquartered in Germany and a financial institution in Panama, have been recorded so far.

Security Researchers Received More Than $6.7 MIllion by Google as Bug Bounty Rewards

 

Security experts from 62 nations were paid more than $6.7 million (nearly Rs. 49 crore) by Google for identifying susceptibilities in Google products last year. Google has successfully managed to run the Vulnerability Reward Programs (VRPs) for ten years and the company has paid nearly $28 million to the security experts for spotting the vulnerabilities in Google products.

Google stated this week that “the incredibly hard work, dedication, and expertise of our researchers in 2020 resulted in a record-breaking payout of over $6.7 million in rewards, with an additional $280,000 given to charity. Following our increase in exploit payouts in November 2019, we received a record 13 working exploit submissions in 2020, representing over $1 million in exploit reward payouts”.

According to the company, Guang Gong (@oldfresher) and the team of experts at the 360 Alpha Lab at Chinese cybersecurity firm Qihoo 360 discovered 30% of the total number of Android vulnerabilities as a part of the bug bounty program. The latest vulnerability spotted by this group is a 1-click remote root exploit in Android, Google said this team still hold the record for receiving the highest Android payout ($161,337) for spotting the vulnerability in 2019.

Last year, the tech giant paid $50,000 to the security experts for spotting the flaws in Android developer preview and introduced bounty programs for Android Auto OS, Android chipsets, and for writing fuzzers for Android code. In Google Play, Google expanded the standard for certified Android apps to incorporate apps utilizing the Exposure Notification API and executing contact tracing to fight Covid-19. 

Apart from bounty rewards, over 180 security researchers have received more than $400,000 from Google in the form of grants for submitting 200 bug reports that resulted in 100 confirmed susceptibilities in Google products and the open-source ecosystem. The other notable tech firms that have a similar bug bounty reward program are Facebook, OnePlus, Qualcomm, Mozilla, Microsoft, and Reddit.