Top five Cyber Threat Intel stories of the week: 08/28 to 09/01/2023

James Beal
Published in Hunter Strategy
6 min read · Sep 1, 2023

Top 5 general threat intelligence stories of the week. This is from TLP white/open-source websites, so please feel free to share and enjoy reading about these events. Please reach out if you have any questions! Thank you!

General Worldwide activity:

1st: How the FBI nuked Qakbot malware from infected Windows PCs

Overview: The FBI announced today the disruption of the Qakbot botnet in an international law enforcement operation that not only seized infrastructure but also uninstalled the malware from infected devices. During this past weekend’s law enforcement operation, Operation Duck Hunt, the FBI redirected the botnet’s network communications to servers under its control, allowing agents to identify approximately 700,000 infected devices (200,000 located in the U.S.). After they took control of the botnet, the FBI devised a method to uninstall the malware from the victims’ computers, effectively dismantling the botnet’s infrastructure, from the victims’ PCs to the malware operators’ own computers.

Breakdown: This was a huge operation and takedown of a major cybercrime botnet. A worldwide takeover of hundreds of thousands of systems is great news on any day as a win for general internet safety. Seizing the botnet itself is the typical way this is done, and congratulations are in order to the involved agencies for getting this done. An interesting aspect of this takedown is the move to create a removal tool that reached out through the botnet itself and uninstalled the malware from infected systems. Outside of a law enforcement action, this would violate laws worldwide, as that action would be “accessing a machine without the owner’s permission”. That activity would lead to a felony charge in the U.S. and similar charges in many other countries. I see this as a bold move due to the potential impacts of the software removal tool on affected systems and how much testing may or may not have been done ahead of time. We hope and assume it was thoroughly tested against sample machines, but any kind of data deletion or even access on certain core systems can have dire consequences. If an interaction of this removal code with a medical device caused it to shut down during a procedure or while it was functioning in a life-saving capacity, or caused any other impact to network availability, it could have massive consequences and lead to dangerous situations. There has been a debate for many years around the idea of law enforcement or “vigilante” actions to write code to clean up systems from infections, and it will continue to be a hot topic of consideration around any activity of this kind.

2nd: Phishing-as-a-Service Gets Smarter: Microsoft Sounds Alarm on AiTM Attacks

Overview: Microsoft is warning of an increase in adversary-in-the-middle (AiTM) phishing techniques, which are being propagated as part of the phishing-as-a-service (PhaaS) cybercrime model. In addition to an uptick in AiTM-capable PhaaS platforms, the tech giant noted that existing phishing services like PerSwaysion are incorporating AiTM capabilities. “This development in the PhaaS ecosystem enables attackers to conduct high-volume phishing campaigns that attempt to circumvent MFA protections at scale,” the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter). Phishing kits with AiTM capabilities work in two ways, one of which concerns the use of reverse proxy servers (i.e., the phishing page) to relay traffic to and from the client and legitimate website and stealthily capture user credentials, two-factor authentication codes, and session cookies. A second method involves synchronous relay servers.

Breakdown: Microsoft has been doing a great job lately publishing more of their security research and detailed technical breakdowns on attacker activity. The referenced article is a good overview of the info released by Microsoft; I would recommend reading over the source info and their links as well to get the full picture.
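The AiTM mechanism above (a reverse proxy relaying the real sign-in and capturing the resulting session cookie) leaves a trace in identity-provider logs: a session established with MFA that is then presented from a different IP address or browser minutes later. The Python below, as an added example that is not code from the original post or from Microsoft's research, screens sign-in records for exactly that pattern. The field names (ts, user, session_id, src_ip, user_agent, mfa) and the log lines are assumed and constructed; map the fields to your own provider's export.

```python
# Added example, not code from the original post or from Microsoft's research.
# It screens sign-in records for the footprint an AiTM phish leaves behind:
# the same session cookie being used from a second source IP or browser
# shortly after the victim completed MFA through the attacker's proxy.
# Field names (ts, user, session_id, src_ip, user_agent, mfa) are assumed;
# all log lines below are constructed.
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SignIn:
    ts: datetime
    user: str
    session_id: str
    src_ip: str
    user_agent: str
    mfa: bool


def parse_events(lines):
    """Parse one JSON object per line into SignIn records, oldest first."""
    events = []
    for line in lines:
        rec = json.loads(line)
        events.append(SignIn(
            ts=datetime.fromisoformat(rec["ts"]),
            user=rec["user"],
            session_id=rec["session_id"],
            src_ip=rec["src_ip"],
            user_agent=rec["user_agent"],
            mfa=bool(rec["mfa"]),
        ))
    return sorted(events, key=lambda e: e.ts)


def find_session_replays(events, window=timedelta(minutes=30)):
    """Return one alert per session whose cookie is presented from a different
    IP or user agent than the sign-in that established it, within `window`.
    A legitimate session normally stays on one device; a stolen cookie does not."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e.session_id].append(e)

    alerts = []
    for session_id, evs in by_session.items():
        origin = evs[0]  # the sign-in that minted the session (MFA satisfied here)
        for later in evs[1:]:
            if later.ts - origin.ts > window:
                break  # events are time-sorted; nothing later is inside the window
            if later.src_ip != origin.src_ip or later.user_agent != origin.user_agent:
                alerts.append({
                    "user": origin.user,
                    "session_id": session_id,
                    "origin_ip": origin.src_ip,
                    "replay_ip": later.src_ip,
                    "origin_mfa": origin.mfa,
                    "minutes_after_origin": (later.ts - origin.ts).total_seconds() / 60,
                })
                break  # one alert per session is enough for triage
    return alerts


# Constructed sample: alice signs in (MFA satisfied, from what is really the
# proxy's IP), and four minutes later her session cookie is presented from a
# different IP and browser. bob's session stays on one device throughout.
CONSTRUCTED_LOG = [
    '{"ts": "2023-08-30T09:00:00", "user": "alice@example.com", "session_id": "sess-a1", "src_ip": "203.0.113.10", "user_agent": "Edge/116", "mfa": true}',
    '{"ts": "2023-08-30T09:04:00", "user": "alice@example.com", "session_id": "sess-a1", "src_ip": "198.51.100.7", "user_agent": "Chrome/115", "mfa": false}',
    '{"ts": "2023-08-30T09:10:00", "user": "bob@example.com", "session_id": "sess-b1", "src_ip": "192.0.2.5", "user_agent": "Firefox/117", "mfa": true}',
    '{"ts": "2023-08-30T09:25:00", "user": "bob@example.com", "session_id": "sess-b1", "src_ip": "192.0.2.5", "user_agent": "Firefox/117", "mfa": false}',
]


def triage_sample():
    """Run the detector over the constructed log and return its alerts."""
    return find_session_replays(parse_events(CONSTRUCTED_LOG))


if __name__ == "__main__":
    for alert in triage_sample():
        print(json.dumps(alert))
```

Treat the output as a triage lead, not a verdict: VPN toggling or a phone moving between Wi-Fi and mobile data produces the same IP change, so pair the alert with a check on whether the new address is a known corporate egress. The structural mitigation is phishing-resistant MFA (FIDO2/WebAuthn), whose assertions are bound to the site origin so a proxy on a look-alike domain cannot relay them, combined with short session lifetimes so a captured cookie expires quickly.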

3rd: BlackBerry Global Threat Intelligence Report

Overview: In this new issue, our global BlackBerry Threat Research and Intelligence team examines the challenges to governments and public entities, vulnerabilities in the healthcare sector, risks to financial institutions, and the criticality of safeguarding vital infrastructure. We also include a new geopolitical analysis and comments section that provides additional context and gives a strategic perspective to the data presented. The report covers March 2023 to May 2023. From March 2023 to May 2023, BlackBerry Cybersecurity solutions stopped over 1.5 million attacks. On average, threat actors deployed approximately 11.5 attacks per minute. These threats included roughly 1.7 novel malware samples per minute. This represents a 13 percent increase from the previous reporting period’s average of 1.5 new samples per minute, demonstrating that attackers are diversifying their tooling in an attempt to bypass defensive controls, especially those legacy solutions based on signatures and hashes.

Breakdown: BlackBerry’s threat research team has dropped their second quarter report for 2023 and it’s a very worthwhile read to catch up on general events and see their data, based on the access they have into organizations working with their systems. The callout on an increase of “attacks per minute” is an interesting fact compared to the first quarter of 2023.

4th: Malvertisers up their game against researchers

Overview: Threat actors constantly take notice of the work and takedown efforts initiated by security researchers. In this constant game of cat and mouse chasing, tactics and techniques keep evolving from simple to more complex, and more covert. This is a trend we have observed time and time again, no matter the playing field, from exploit kits to credit card skimmers. As defenders, we may have mixed reactions: on the one hand, as technical people we naturally appreciate a well-written exploit or piece of code and the challenge it creates. There is something about it that sparks our interest and curiosity. On the other hand, we know that the people behind it have bad intentions and intend on doing harm.

Breakdown: Security research, and the publication of that research to benefit the security community, is of course publicly available to bad actors as well. Looking at the flip side of our second story above, we have research into the response that malware-serving criminal groups take when presented with mature challenges. This is a great technical breakdown of current threat actor behavior and the tech used by those threat actor groups.

5th: Triple Extortion Ransomware and the Cybercrime Supply Chain

Overview: Ransomware is traditionally associated with threat actors utilizing encryption to lock companies out of their data, systems, and IT infrastructure. However, in recent years, ransomware groups have evolved their tactics to not only encrypt data but also exfiltrate it, making it a double-edged weapon for extortion. This new approach allows them to not only hold organizations hostage by denying access to their own data, but also threaten to leak or sell the stolen information if the ransom demands are not met. This shift in strategy has proven to be highly profitable for ransomware groups, as organizations are often willing to pay large sums to prevent the public exposure of their sensitive data, which allows groups to profit off of victims even if the victim has an effective backup and recovery system. The rise of data extortion ransomware has coincided with a dramatic increase in both the number of groups active and the number of attacks against organizations. Data extortion was originally added to the arsenal of ransomware groups as a double extortion technique, to be used in addition to encryption. However, recently many groups have begun resorting to triple extortion, in some cases blackmailing individual employees, harassing third-party organizations of the victim, and even DDoSing websites in addition to data encryption and exfiltration.

Breakdown: We have discussed and covered maturity in the ransomware space many times in the past and will continue to do so as methods change. Ransomware remains the largest threat to most organizations today as techniques advance and groups continue to be successful with payouts from attacks. Maturity in this space, from the attacker point of view, unfortunately leads to more ways in which they can try to guarantee getting paid for their time invested. This has led to double extortion and triple extortion attacks, and here we have a great overview of the current state of those attacks and how criminal groups are handling themselves.

Contact Us

contact@hunterstrategy.net

Our Website


James Beal, Hunter Strategy: Cyber Threat Intelligence Engineer, focused on simplifying the evolving threat landscape and creating tangible alerts to help TRIAGE events.