Edition 1
Keypoints
Availability vs. security is a constant conflict in IT that needs to be solved
In IT, the security and operations teams are always at odds with each other, even though both ultimately want secure systems that are hard to break into. Security controls can get in the way of accessibility, and accessibility can get in the way of security. The "five nines" uptime goal sets a very high standard: a system needs to be up and running 99.999 percent of the time, while the main goal of security teams is to lock systems down as far as possible.
Stability and, by extension, availability will always be at the top of the list for operations teams. When vulnerabilities such as Log4j or CVE-2022-31626, a PHP vulnerability, are made public, they are often exploited right away, and maintenance windows do not deliver fixes quickly enough to protect against new threats. The choice appears to be either patching faster, which improves security at the cost of availability or performance, or patching more slowly and taking unacceptable security risks.
Full top-to-bottom patching cycles can leave systems unpatched for too long, which creates operational problems and weakens security. Your security team should look for tools that make patching as painless as possible, such as live patching. With live patching, updates can be applied much faster than during regular maintenance windows, and services never have to be restarted. Even if your business runs applications that are no longer supported, a flaw in the programming language runtime does not have to become a way in for attackers, and the application code itself does not have to be updated.
Dark Utilities' "C2-as-a-Service" is being used in more and more malware attacks
Dark Utilities is a new service, but its command-and-control (C2) offering has already attracted 3,000 users. Users get a dashboard for generating new payloads that target a chosen operating system and can then be delivered to victim hosts and run there. The goal is to let threat actors target multiple architectures without doing much development work of their own. Dark Utilities is believed to have been created by a threat actor in the cybercrime underground who goes by the name Inplex-sys. The malware artifacts are hosted on the InterPlanetary File System (IPFS), which makes them resistant to content moderation or law enforcement takedown in much the same way as "bulletproof hosting".
Slack changes passwords after invitation links leaked hashes
After fixing a bug that exposed salted password hashes in shared invitation links, Slack reset the passwords of about 0.5% of its users. Everyone who created or deleted a shared invitation link between April 17, 2017, and July 17, 2022 was affected. The hashed passwords were not visible to Slack clients; to obtain them, someone would have had to actively monitor encrypted network traffic from Slack's servers. The company says there is no reason to believe that plaintext passwords were accessed before the bug was fixed. Slack also recommends that users turn on two-factor authentication and choose passwords that they do not reuse for any other online service.
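The Slack item above is a reminder that an invitation link must never carry anything derived from a credential, because URLs end up in logs, proxies and captured traffic. The following is an added example, not Slack's code: it contrasts a leaky link built from the salted password hash with a hardened scheme that uses an opaque random token, server-side lookup, expiry and immediate revocation on deletion. The domain invite.example.test, the InviteStore class and the sample password and salt are all constructed for the example.

```python
# Added example, not Slack's code: a shared-invitation-link scheme that leaks
# password-derived material next to one that uses an opaque random token.
import hashlib
import os
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

INVITE_BASE = "https://invite.example.test/join"  # hypothetical endpoint

# Constructed user record; the password and salt are sample values, not real data.
SALT = os.urandom(16)
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", SALT, 100_000)


def leaky_invite_link(user_id: str, pw_hash: bytes) -> str:
    """Anti-pattern: the link embeds the salted password hash, so anyone who can
    observe the URL (logs, proxies, captured traffic) gets material that can be
    attacked offline."""
    return f"{INVITE_BASE}?u={user_id}&t={pw_hash.hex()}"


def link_leaks_hash(link: str, pw_hash: bytes) -> bool:
    """Regression check: does the link carry the password hash anywhere?"""
    return pw_hash.hex() in link


class InviteStore:
    """Hardened scheme: the token is random, unrelated to any credential, expires,
    and maps to the user only through server-side state."""

    def __init__(self, ttl_seconds: int = 7 * 24 * 3600) -> None:
        self.ttl_seconds = ttl_seconds
        self._tokens: Dict[str, Tuple[str, float]] = {}  # token -> (user_id, expiry)

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[token] = (user_id, now + self.ttl_seconds)
        return f"{INVITE_BASE}?t={token}"

    def revoke(self, link: str) -> bool:
        """Deleting a shared link must invalidate it immediately, not just hide it."""
        return self._tokens.pop(self._token_from(link), None) is not None

    def redeem(self, link: str, now: Optional[float] = None) -> Optional[str]:
        """Return the inviting user's id for a valid, unexpired link, else None."""
        now = time.time() if now is None else now
        entry = self._tokens.get(self._token_from(link))
        if entry is None:
            return None
        user_id, expiry = entry
        if now > expiry:
            self.revoke(link)  # purge expired state so it cannot be replayed
            return None
        return user_id

    @staticmethod
    def _token_from(link: str) -> str:
        return parse_qs(urlparse(link).query).get("t", [""])[0]
```

The `link_leaks_hash` check is the kind of assertion worth keeping in a test suite: it fails the moment anyone reintroduces credential material into a URL. Note that the hardened scheme still needs the token table to be protected like any other session state.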
Ransom payments are going down because fewer people are paying hackers
Ransomware statistics for the second quarter of 2022 show that the ransoms paid to extortionists are worth less than they used to be. The median ransom payment was $36,360, a drop of 51% from the previous quarter. This continues a downward trend that began in Q4 2021, when the average ransomware payment was $332,168 and the median payment was $117,116. This quarter the actors went after smaller but still financially healthy companies, so the median size of the targeted companies fell further. BlackCat tops the list with 16.9% of the published attacks, and LockBit is in second place with 13.1%. Data exfiltration was the main lever many attackers used to extract payment, which means file encryption was not used in many of the incidents.
What Zero Trust has to do with fighting ransomware
SecOps teams are pushing the "trust no one" strategy to help counter the rising risk of cybercrime. According to research by Gigamon, 70% of IT leaders agree that Zero Trust would improve their IT strategy. Under this approach, internal network traffic no longer receives the implicit trust it has traditionally been granted. With bring-your-own-device policies and remote work, trust has to be earned rather than handed out. Zero Trust assesses how trustworthy a user or device is by examining how it behaves and deciding whether the organization has a good reason to trust it.
Micro-segmentation lets companies stop one compromised device from bringing down the whole network; in one well-known case, attackers got in through an IoT thermometer in an aquarium in a Las Vegas casino's lobby. A Zero Trust Architecture (ZTA) stops cybercriminals from moving laterally within a network, so adversaries can no longer lurk on a network undetected. Today's attacks are usually carefully planned and aimed at organizations known to be weak and to hold valuable data. With Zero Trust and better visibility into all data, the average dwell time of an intruder can be cut from 285 days to 120 days, which is a big change.
CISA and ACSC reveal the types of malware used to spread ransomware and steal information
The top malware strains of 2021 were Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND, NanoCore, Qakbot, Remcos, TrickBot, and GootLoader, according to an advisory released on Thursday by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC). The advisory covers remote access trojans (RATs), banking trojans, information stealers, and ransomware. Most of the most dangerous malware families have been around for more than five years, and their code bases have evolved into many variants. In 2021, cybercriminals used COVID-19 pandemic themes in mass phishing campaigns delivering Formbook, Agent Tesla, and Remcos to steal personal information and credentials from businesses and individuals.
Organizations therefore need to keep their antivirus software and its signature files up to date. The advisory notes that the developers of these top 2021 strains continue to fix, improve, and distribute them over a period of years. The CISA-ACSC advisory lists the top malware strains used in attacks for financial gain (banking trojans) and to enable ransomware attacks across many industries. Malicious emails, with attachments or links to external websites, are the most common way for malware to spread, and there is no single control that stops these attacks.
An investigation of the dark web finds a market for ransomware
A Venafi investigation found 475 web pages offering advanced ransomware products and services. 87 percent of the ransomware found on the dark web is delivered through malicious macros that infect the targeted systems. Marketplace listings and forum discussions featured 30 different "brands" of ransomware; the most expensive item was a customized version of Darkside ransomware priced at $1,262. In Microsoft Office, macros are embedded code used to automate common, repetitive tasks.
Attackers deliver malware, including ransomware, through exactly that mechanism. In February, Microsoft announced a major change intended to curb the rapid growth of ransomware attacks that use malicious macros to spread. Researchers also found a wide range of services and tools that make it easier for people with few technical skills to launch ransomware attacks.
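Since the Venafi findings above put macros at the centre of ransomware delivery, a defender's first question is whether an inbound Office attachment carries a VBA project at all. The following is an added example, not Venafi's or Microsoft's code: it inspects an Office Open XML package for the vbaProject.bin part (and for the VBA content type declared in the manifest, which survives even when the part is renamed), and wraps that check in a mail-gateway style verdict. The sample packages are constructed in memory so the code runs offline; the function names and the verdict labels are the example's own.

```python
# Added example, not Venafi's or Microsoft's code: flag Office Open XML documents
# that carry a VBA project (the container macros live in) and apply a simple
# attachment policy built on that check.
import io
import zipfile
from typing import Optional

VBA_PART_NAMES = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}


def ooxml_has_vba(data: bytes) -> Optional[bool]:
    """True if the package contains a VBA project, False if it is macro-free,
    None if the bytes are not an OOXML package at all."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" not in names:
                return None
            if names & VBA_PART_NAMES:
                return True
            # A renamed part is still declared in the content-types manifest.
            manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            return VBA_CONTENT_TYPE in manifest
    except zipfile.BadZipFile:
        return None


def attachment_verdict(filename: str, data: bytes) -> str:
    """Mail-gateway style decision: quarantine anything that declares or contains
    macros, allow macro-free OOXML, and send everything else for deeper inspection."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    has_vba = ooxml_has_vba(data)
    if has_vba or ext in MACRO_EXTENSIONS:
        return "quarantine"
    if has_vba is False:
        return "allow"
    return "inspect"


def build_sample_package(with_macro: bool, part_name: str = "word/vbaProject.bin") -> bytes:
    """Construct a minimal Word package in memory; real files have more parts,
    but the macro-relevant ones look the same."""
    overrides = [
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    ]
    if with_macro:
        overrides.append(f'<Override PartName="/{part_name}" ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder: OLE compound-file magic plus filler,
            # not a real VBA project.
            zf.writestr(part_name, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()
```

The check is deliberately structural rather than content-based: it does not try to judge whether a macro is benign, it only answers whether one is present, which is the question an attachment policy can act on quickly. Legacy binary formats (.doc, .xls) are not zip packages and fall through to "inspect" here, so a real gateway needs a separate OLE parser for those.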
Twitter confirms that a zero-day bug was used to get into the accounts of 5.4 million people
Information on 5.4 million Twitter accounts was leaked by a threat actor who exploited a since-fixed flaw in the popular social media site. The threat actor put the stolen data up for sale on the hacking forum Breached Forums, and the seller told RestorePrivacy that he wants at least $30,000 for the whole database. Twitter's code was changed in June 2021, and in January 2022 a bug was found that let someone discover the email address or phone number tied to an account. Two different threat actors bought the data for less than the original asking price. The company is notifying affected users about the breach and said it is aware of the risks that come with it.
The Italian Tax Agency may have lost about 100 GB of data in a LockBit ransomware attack
LockBit claims to have stolen 98 GB of data from the Italian tax agency, L'Agenzia delle Entrate, and threatened to release the information if its ransom demands were not met. The gang says the stolen documents are ones the agency wants to keep secret. IT company Sogei SpA denied that the ransomware attack had taken place and said its investigation found no signs of a data breach. The FBI issued a flash alert about the increased activity of the Ransomware-as-a-Service (RaaS) group and its indicators of compromise (IoCs).
In May 2022, LockBit was behind 40% of ransomware attacks, widening the gap between it and other top APTs such as Conti. According to Digital Shadows, the LockBit ransomware gang was one of the most active in 2022. LockBit has sworn allegiance to Russia, and its main method of attack is to steal data and then demand money. Dr. Darren Williams, CEO and Founder of BlackFog, said that LockBit has been very busy in recent days, claiming 12 of the 18 attacks that have occurred. He urged organizations to get good visibility into their networks so they can detect attacks early and reduce attacker dwell time.
Genesis IAB Market gives the dark web a polish
Genesis lists more than 400,000 bots (compromised systems) in more than 200 countries, with Italy, France, and Spain at the top of the list. The invitation-only marketplace is one of the first full-fledged markets for initial access brokers (IABs), and over time it has become more polished and sophisticated. Users are charged a fee based on how much information the listed bot holds. Ransomware groups and their affiliates are thought to be the heaviest users of the service. The Genesis market stands out because it is very well organized, which gives those intent on doing harm more context about the stolen data.
This could lead to even more clever attacks. In November 2021, Digital Shadows reported that the number of cybercriminals using IABs had risen.
If you enjoyed reading this post or found it valuable, please consider subscribing and sharing this newsletter. I hope this small step can help many to keep well-updated on cybersecurity related issues.
Head IT Architecture, Governance & Planning at Bank Maybank Indonesia Tbk
2y Thanks Pak Faisal
Ph.D. Student at Kyushu Institute of Technology. We research the application of computer science to support various daily human activities focused on implementing various needs in smart agriculture.
2y Thank you pak Faisal Yahya 🙏
Cloud Computing, Cybersecurity, SaaS & Virtualization
2y Thanks for sharing Sir Faisal Yahya, it is not an issue what is the useful of appreciation for what deeds of people can bring on the top to given an effort is not leverage how will you consider a people who helped you, the humanity of your heart spoke to your soul it a mirror of yourself can define what you to do on your people, that is very true to take person who thanks giving.
Aspiring Systems Administrator / Cyber Security
2y Just subscribed! Thank you!
Pentester at Kamsib
2y Thank you for sharing, pak 🙏 🙏