Tips on how to protect yourself, explanations, studies, etc.

Billy Corgan Paid Off Hacker Who Threatened to Leak New Smashing Pumpkins Songs

Corgan got FBI involved to track down the cybercriminal, who had stolen from other artists as well, he said.

Smashing Pumpkins front man Billy Corgan was on a recent podcast to promote the band’s new album, and he told the hosts that a hacker stole several of the songs before the release and threatened to leak them without a payoff.

“A fan contacted me and said nine of the songs have leaked,” Corgan told the Klein/Ally Show, according to CBS News. “This is like six months ago. And they were all probably the most catchy, singley type songs.”

Corgan added he paid off the cybercriminal out of his own pocket. After Corgan contacted the FBI, the hacker was tracked down, he explained.

“What we were able to do was stop the leak from happening,” Corgan added, “because it was a mercenary person who had hacked somebody — I don’t want to say who, excuse me — and they had other stuff from other artists.”

 

(c) Dark Reading

Multiple Ransomware Groups Adapt Babuk Code to Target ESXi VMs

Two years ago, a popular ransomware-as-a-service group’s source code got leaked. Now other ransomware groups are using it for their own purposes.

Over the past year, 10 different ransomware families have utilized leaked Babuk source code to develop lockers for VMware ESXi hypervisors.

Hypervisors are programs used to run multiple virtual machines (VMs) on a single server. By targeting ESXi, hackers may be able to infect multiple VMs in an enterprise environment more directly than they could through conventional means.

A few of the Babuk-based ESXi ransomwares are associated with major threat actors like Conti and REvil. And according to Alex Delamotte, senior threat researcher at SentinelOne, a majority of them have been utilized in real-world attacks in recent months.

“It looks like it’s an effective model,” says Delamotte, who published the new research this week. “As long as they stay profitable, hackers are going to keep using these lockers. And it does seem like they work.”

How We Got Here

Babuk was a popular though imperfect ransomware-as-a-service (RaaS) offering, first circulated in early 2021.

In September 2021, its business model was interrupted when one of the original creators had a moment of reckoning. “One of the developers for Babuk ransomware group, a 17-year-old person from Russia, has been diagnosed with Stage-4 Lung Cancer,” vx-underground, a repository for malware source code, wrote in a tweet. “He has decided to leak the ENTIRE Babuk source code for Windows, ESXI, NAS.”

Babuk As a Baseline

Since then, threat actors have been using Babuk’s various leaked tools as a baseline for crafting new malicious payloads.

For instance, in their report published May 4, researchers from Sentinel Labs identified significant overlaps between the Babuk ESXi ransomware builder and ten other ransomware families: Cylance, Dataf Locker, Lock4, Mario, Play, Rorschach, RTM Locker, XVGV, RHKRC — closely associated with the REvil group’s Revix locker — and “Conti POC” — a proof of concept from the notorious and now largely defunct ransomware group.

Delamotte says Mario, Rorschach, XVGV, and Conti POC have all been utilized in attacks already, and users on Bleeping Computer forums have reported being victim to Dataf Locker and Lock4.

Why Hackers Target ESXi

VMware ESXi is a “bare metal” hypervisor: it runs without a host operating system as a buffer, interfacing directly with the hardware. It is installed directly onto a physical server with unfettered access to, and control over, the machine’s underlying resources.

All of this is what makes ESXi a powerful platform for IT administrators and, by the same token, for hackers. Bad actors can aim to hit all of the VMs running on a single server at once, utilizing “built-in tools for the ESXi hypervisor to kill guest machines, then encrypt crucial hypervisor files,” Delamotte explained in the report.

Enterprises running VMware’s ESXi need to be cautious, though the fix is straightforward.

“The most important thing is to ensure that any access — especially management access, to something like an ESXi hypervisor — is very limited,” Delamotte advises. “You want to have good role-based access controls and definitely MFA wherever possible on any service account.”

Strict, effective access controls should be enough to insulate the vulnerable. “I don’t really see any situation,” she says, “where somebody can move on to this kind of server without having admin privileges.”

 

(c) Dark Reading

‘Very Noisy:’ For the Black Hat NOC, It’s All Malicious Traffic All the Time

Black Hat Asia’s NOC team gives a look inside what’s really happening on the cyberfront during these events.

BLACK HAT ASIA – Singapore – When you’re in an environment where the overwhelming majority of network traffic is classified as posing a severe cybersecurity threat, deciding what to be concerned about becomes not a needle in a haystack situation, but a needle in a needlestack problem.

That’s the word this week at Black Hat Asia, where Neil Wyler, global lead of active threat assessments at IBM X-Force, and Bart Stump, senior systems engineer for NetWitness, took to the stage to give attendees a look inside the event’s enterprise-grade network operations center (NOC). The duo oversaw the NOC’s design and led the security team for the show, which ran from May 9-12. The multi-vendor network supported attendee Wi-Fi access; internal operations such as registration; the needs of business hall stands; and the communications requirements of technical trainings, briefings, keynotes, and vendor demonstrations.

“When we discuss the traffic, we try to explain to others that at Black Hat it’s bad all the time — all or most of the traffic is malicious,” Wyler explained. “That sounds scary, but for this crowd that traffic is normal. There are people demoing attacks, there are red team trainings going on, etc., and that means that we don’t really block anything. We let that traffic fly because we don’t want to take down a demo on stage or on the expo floor. Unless we see a direct attack on our infrastructure, say the registration system, we let it go.”

So, in order to ferret out the actual bad, bad traffic, the NOC relies on a number of dashboards that allow a real-time view of everything flowing through the network, with the ability to capture stats on everything from device profiles to which cloud apps attendees are connecting to. It also captures raw packet data so NOC analysts can go back and rebuild sessions in the event something seems abnormally suspicious, to look at “every single thing someone is doing with every packet, in a way we can’t using just logs,” Wyler noted.

One of the more unusual dashboards put in place for the event offered a heat map of where Wi-Fi, Bluetooth, and even peer-to-peer wireless connections were being used, offering a quick look at where people were congregating and where there might be cyber issues afoot.

“It’s an interesting perspective,” explained Stump. “The bottom left corner of the map is actually the show floor, and after the business hall opened up, that got more red. You can see when breaks are happening and when they put the beverages out because people migrate. And overall, it’s a quick visualization for us to see where potential issues might be coming from, where we should focus our attention.”

Figure: A heat map of where devices connected to the network.

In all, the NOC tracked 1,500 unique devices connecting to the network across mobile phones, Internet of Things (IoT) gear, and other endpoints, with DNS queries at their highest for the event since 2018. About three-quarters (72%) of that traffic was encrypted — a refreshingly high amount, the researchers noted. And interestingly, a domain called Hacking Clouds hosted the most user sessions — more even than the show’s general Wi-Fi network for attendees.

In terms of the apps being used, TikTok made an appearance in the Top 10 for the first time, the team observed. Other top apps included Office 365 (no surprise there), Teams, Gmail, Facebook, and WhatsApp.

Interesting NOC Happenings

A few interesting incidents emerged from the data during the event, the duo noted. In one case, an individual was generating so much malicious activity that all of the NOC systems alerted at once.

“One particular person was so noisy that every NOC vendor partner saw their activity at the same time,” Wyler said. “We’re talking SQL injection on public-facing websites, WordPress compromises, lots and lots of scanning for vulnerabilities and open ports. It was like they learned something this week and went, ‘Let me see if it works. I’ve heard about Log4j, let me see what’s out there.’ They took a training class and now they’re spreading their wings and flying.”

After the person moved from attacking restaurant chain websites to probing payment sites, it was clear the activity wasn’t demo-related, so the team pinpointed the person and sent the individual a cease-and-desist email.

“We figured out they were sitting in the hallway looking out at the Bay, just attacking company after company after company,” Wyler said. “We explained that it’s still illegal to do what they’re doing, so please discontinue attempting to execute vulnerabilities on public-facing websites. This is a violation of the Black Hat Code of Conduct and we will come find you if it doesn’t stop — love, the NOC. They got that and everything stopped.”

Other incidents involved VPN issues, including one that was transmitting the user’s location information in clear text. The team captured the data, plugged it into Google Maps and generated a view of exactly where the person had been during the day.

Figure: A VPN leak allowed the team to create a map of the user’s location.

Yet another issue involved an endpoint detection and response (EDR) vendor that was sending all of the usage data it collected from its users’ endpoints back to its servers in clear text. One antivirus vendor was found sending unencrypted SMTP emails containing pricing quotes and other internal information, along with login credentials — allowing easy harvesting.

“An attacker could have pulled down quotes, changed quotes, gathered internal work information and customer information, definitely not good,” said Stump. “It could be used to craft phishes or to manipulate pricing.”

In all cases, the team worked with the problematic entities to resolve the issues. The NOC, quite simply, is on the case, according to Stump.

“People often say that at Black Hat, you shouldn’t even get on the network because it’s dangerous,” said Stump. “But our goal is actually to leave attendees more secure than when they arrived. And that’s why we do things like letting people know they’re sending passwords in clear text, or when we see cryptomining activity, we’ll alert them. We’re committed to that.”
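The clear-text SMTP credential problem above is the kind of thing the NOC finds by rebuilding sessions from captured packets. The following is an added example (not the NOC’s or any vendor’s code): it walks a reconstructed SMTP transcript, flags an AUTH exchange that happens before STARTTLS has completed, and recovers only the username so the owner can be notified. The transcript, hostnames and the helper names are constructed for this example.

```python
import base64
from dataclasses import dataclass


@dataclass
class Finding:
    kind: str        # category of the problem
    username: str    # account that was exposed (never the password)
    detail: str      # where in the session it happened


def safe_b64(text: str) -> str:
    """Decode a base64 token, returning a placeholder if it is malformed."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def plain_username(token: str) -> str:
    """AUTH PLAIN initial response is base64(authzid \\0 authcid \\0 password)."""
    parts = safe_b64(token).split("\0")
    return parts[1] if len(parts) == 3 else "<unknown>"


def analyze_smtp_session(transcript: str):
    """Return findings for credentials sent while the session was still in clear text.

    Lines are 'C: ...' (client) or 'S: ...' (server), as an analyst would label
    them after reassembling a TCP stream from a packet capture.
    """
    lines = transcript.splitlines()
    starttls_requested = False
    tls_active = False
    findings = []
    for i, line in enumerate(lines):
        side, _, msg = line.partition(": ")
        if side == "C" and msg.strip().upper() == "STARTTLS":
            starttls_requested = True
        elif side == "S" and starttls_requested and msg.startswith("220"):
            # 220 reply to STARTTLS: from here on the wire is encrypted
            tls_active = True
        elif side == "C" and msg.upper().startswith("AUTH ") and not tls_active:
            parts = msg.split()
            mech = parts[1].upper() if len(parts) > 1 else "?"
            username = "<unknown>"
            if mech == "PLAIN" and len(parts) > 2:
                username = plain_username(parts[2])
            elif mech == "LOGIN" and i + 2 < len(lines):
                # AUTH LOGIN: server sends a 334 prompt, client answers with base64 username
                username = safe_b64(lines[i + 2].partition(": ")[2].strip())
            findings.append(Finding("cleartext-smtp-auth", username,
                                    f"AUTH {mech} at line {i + 1} before TLS"))
    return findings


# Constructed sample sessions (hostnames use the reserved .invalid TLD).
_PLAIN_TOKEN = base64.b64encode(b"\0sales@example.invalid\0hunter2").decode()
CLEARTEXT_SESSION = f"""\
S: 220 mail.example.invalid ESMTP
C: EHLO laptop.example.invalid
S: 250-mail.example.invalid
S: 250-AUTH PLAIN LOGIN
S: 250 OK
C: AUTH PLAIN {_PLAIN_TOKEN}
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<sales@example.invalid>
S: 250 OK
"""

TLS_SESSION = """\
S: 220 mail.example.invalid ESMTP
C: EHLO laptop.example.invalid
S: 250-mail.example.invalid
S: 250-STARTTLS
S: 250 OK
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
"""


if __name__ == "__main__":
    for f in analyze_smtp_session(CLEARTEXT_SESSION):
        print(f"{f.kind}: user {f.username} ({f.detail})")
    print("TLS session findings:", analyze_smtp_session(TLS_SESSION))
```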

 

(c) Dark Reading

Microsoft Authenticator to Enforce Number Matching

As a way to enhance MFA security, Microsoft will require users to authorize login attempts by entering a numeric code into the Microsoft Authenticator app.

Multifactor authentication (MFA) is an essential element of identity and access management, but it is not fail-proof, especially as attackers increasingly employ social-engineering tactics to bypass MFA controls. To enhance the security of MFA, Microsoft is enforcing “number matching” for all users of its Microsoft Authenticator app.

Previously, the process flow for Microsoft Authenticator displayed a prompt in the app when the user tried to log in. The user tapped the prompt on the secondary device to authorize the transaction. Number matching adds another step by forcing users to have the secondary device and see the login screen on the primary device. Instead of just tapping the prompt, users will now have to enter a number that is displayed on the application’s login screen. A person logging into Office 365, for example, would see a message on the original login screen with a numeric code. The person would enter that code into the Authenticator app on their secondary device to approve the transaction. There is no way to opt out of entering the code.

“Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator,” Microsoft said in a supporting article. “We will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting May 8, 2023.”

Attacks Are More Prevalent

Number matching was originally introduced in Microsoft Authenticator as an optional feature in October, after attackers started spamming users with MFA push notification requests. Users were granting access to the attackers just to get the spam notifications to stop, or by mistake. Number matching is designed to help users avoid accidentally approving false authentication attempts. MFA fatigue – overwhelming users with MFA push notification requests – has “become more prevalent,” according to Microsoft, which observed almost 41,000 Azure Active Directory Protection sessions with multiple failed MFA attempts last August, compared with 32,442 in 2021. Last year 382,000 attacks employed this tactic, Microsoft said.

It was also recently used in attacks against Uber, Microsoft, and Okta.

Number matching with Authenticator will be used for actions such as password resets, registration, and access to Active Directory. Users will also see additional context, such as the name of the application and the location of the login attempt, to prevent accidental approvals. The idea is that users cannot accept a login attempt if they are not in front of the login screen at that time.

How to Enable Number Matching

While number matching was enabled by default for Microsoft Azure in February, users will see some services start using this feature before others. Microsoft recommends enabling number matching in advance to “ensure consistent behavior.” Administrators can enable the setting by navigating to Security – Authentication methods – Microsoft Authenticator in the Azure portal.

  1. On the Enable and Target tab, click Yes and All users to enable the policy for everyone or add selected users and groups. The Authentication mode for these users and groups should be either Any or Push.
  2. On the Configure tab for Require number matching for push notifications, change Status to Enabled, choose who to include or exclude from number matching, and click Save.

Administrators can also limit the number of MFA authentication requests allowed per user and lock the accounts or alert the security team when the number is exceeded.

Users should upgrade to the latest version of Microsoft Authenticator on their mobile devices. Number matching does not work for wearables, such as Apple Watch, or other Android devices. Rather, users will have to key in the number via the mobile device.
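To make the difference between tap-to-approve and number matching concrete, and to show the per-user push limit mentioned above, here is an added example (not Microsoft’s code or API). It models a login server that issues push challenges: a plain push can be approved by a tap regardless of who started the login, a number-matching push is approved only when the user types the number shown on the login screen, and a user who receives more than a threshold of pushes inside a window is locked pending review. Window size, limit and the single-try rule are assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field

PUSH_WINDOW_SECONDS = 300   # assumption: look-back window for MFA fatigue detection
PUSH_LIMIT = 5              # assumption: pushes per window before the account is locked


@dataclass
class PushChallenge:
    user: str
    app: str              # extra context shown to the user, e.g. "Office 365"
    location: str         # extra context shown to the user, e.g. sign-in city
    number: int           # two-digit number displayed on the primary login screen
    approved: bool = False
    attempts: int = 0


@dataclass
class PushAuthenticator:
    """Issues push challenges and enforces both number matching and a push rate limit."""
    pushes: dict = field(default_factory=dict)   # user -> timestamps of recent pushes
    locked: set = field(default_factory=set)     # users locked out for MFA fatigue

    def send_push(self, user, app, location, now=None):
        """Return a challenge, or None if the user is locked (too many pushes)."""
        now = time.time() if now is None else now
        if user in self.locked:
            return None
        recent = [t for t in self.pushes.get(user, []) if now - t < PUSH_WINDOW_SECONDS]
        recent.append(now)
        self.pushes[user] = recent
        if len(recent) > PUSH_LIMIT:
            # Burst of pushes: lock and let the security team review instead of
            # letting the user wear down and tap "Approve".
            self.locked.add(user)
            return None
        return PushChallenge(user, app, location, number=secrets.randbelow(100))

    @staticmethod
    def approve_by_tap(challenge):
        """Legacy flow: one tap approves, even a push the user never initiated."""
        challenge.approved = True
        return True

    @staticmethod
    def approve_with_number(challenge, entered):
        """Number-matching flow: only someone looking at the login screen knows the number."""
        challenge.attempts += 1
        if challenge.approved or challenge.attempts > 1:
            return False   # assumption: one try per challenge, then a new push is needed
        if entered == challenge.number:
            challenge.approved = True
            return True
        return False


if __name__ == "__main__":
    auth = PushAuthenticator()
    c = auth.send_push("alice", "Office 365", "Singapore")
    print("Login screen shows:", c.number)
    print("Wrong guess accepted?", PushAuthenticator.approve_with_number(c, (c.number + 1) % 100))
```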

 

(c) Dark Reading

New Ransomware Gang RA Group Hits U.S. and South Korean Organizations

A new ransomware group known as RA Group has become the latest threat actor to leverage the leaked Babuk ransomware source code to spawn its own locker variant.

The cybercriminal gang, which is said to have been operating since at least April 22, 2023, is rapidly expanding its operations, according to cybersecurity firm Cisco Talos.

“To date, the group has compromised three organizations in the U.S. and one in South Korea across several business verticals, including manufacturing, wealth management, insurance providers and pharmaceuticals,” security researcher Chetan Raghuprasad said in a report shared with The Hacker News.

RA Group is no different from other ransomware gangs in that it launches double extortion attacks and runs a data leak site to apply additional pressure on victims to pay ransoms.


The Windows-based binary employs intermittent encryption to speed up the process and evade detection; it also deletes volume shadow copies and the contents of the machine’s Recycle Bin.

“RA Group uses customized ransom notes, including the victim’s name and a unique link to download the exfiltration proofs,” Raghuprasad explained. “If the victim fails to contact the actors within three days, the group leaks the victim’s files.”

It also avoids encrypting system files and folders, based on a hard-coded list, so that the victim can still download the qTox chat application and reach out to the operators using the qTox ID provided in the ransom note.

What sets RA Group apart from other ransomware operations is that the threat actor has also been observed selling the victim’s exfiltrated data on its leak portal by hosting the information on a secured TOR site.


The development comes less than a week after SentinelOne disclosed that threat actors of varying sophistication and expertise are increasingly adopting the Babuk ransomware code to develop a dozen variants that are capable of targeting Linux systems.

“There is a noticeable trend that actors increasingly use the Babuk builder to develop ESXi and Linux ransomware,” the cybersecurity firm said. “This is particularly evident when used by actors with fewer resources, as these actors are less likely to significantly modify the Babuk source code.”

Other ransomware actors that have adopted the Babuk source code over the past year include AstraLocker and Nokoyawa. Cheerscrypt, another ransomware strain based on Babuk, has been linked to a Chinese espionage actor called Emperor Dragonfly that’s known for operating short-lived ransomware schemes such as Rook, Night Sky, and Pandora.

The findings also follow the discovery of two other new ransomware strains codenamed Rancoz and BlackSuit, the latter of which is designed to target both Windows and VMware ESXi servers.

“The constant evolution and release of new ransomware variants highlight the advanced skills and agility of [threat actors], indicating that they are responding to cybersecurity measures and checks being implemented and customizing their ransomware accordingly,” Cyble said.

 

(c) Ravie Lakshmanan

Researchers Uncover Powerful Backdoor and Custom Implant in Year-Long Cyber Campaign

Government, aviation, education, and telecom sectors located in South and Southeast Asia have come under the radar of a new hacking group as part of a highly-targeted campaign that commenced in mid-2022 and continued into the first quarter of 2023.

Symantec, by Broadcom Software, is tracking the activity under its insect-themed moniker Lancefly, with the attacks making use of a “powerful” backdoor called Merdoor.

Evidence gathered so far points to the custom implant being utilized as far back as 2018. The ultimate goal of the campaign, based on the tools and the victimology pattern, is assessed to be intelligence gathering.

“The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted,” Symantec said in an analysis shared with The Hacker News.

“The attackers in this campaign also have access to an updated version of the ZXShell rootkit.”


While the exact initial intrusion vector used is currently not clear, it’s suspected to have involved the use of phishing lures, SSH brute-forcing, or the exploitation of internet-exposed servers.

The attack chains ultimately lead to the deployment of ZXShell and Merdoor, a fully-featured malware that can communicate with an actor-controlled server for further commands and log keystrokes.

ZXShell, first documented by Cisco in October 2014, is a rootkit that comes with various features to harvest sensitive data from infected hosts. The use of ZXShell has been linked to various Chinese actors like APT17 (Aurora Panda) and APT27 (aka Budworm or Emissary Panda) in the past.

“The source code of this rootkit is publicly available so it may be used by multiple different groups,” Symantec said. “The new version of the rootkit used by Lancefly appears to be smaller in size, while it also has additional functions and targets additional antivirus software to disable.”

Another Chinese link comes from the fact that the ZXShell rootkit is signed by the certificate “Wemade Entertainment Co. Ltd,” which was previously reported by Mandiant in August 2019 to be associated with APT41 (aka Winnti).

Lancefly’s intrusions have also been identified as employing PlugX and its successor ShadowPad, the latter of which is a modular malware platform privately shared among multiple Chinese state-sponsored actors since 2015.

That said, it’s also known that certificate and tool sharing is prevalent among Chinese state-sponsored groups, making attribution to a specific known attack crew difficult.

“While the Merdoor backdoor appears to have been in existence for several years, it appears to only have been used in a small number of attacks in that time period,” Symantec noted. “This prudent use of the tool may indicate a desire by Lancefly to keep its activity under the radar.”

 

(c) Ravie Lakshmanan

New ‘MichaelKors’ Ransomware-as-a-Service Targeting Linux and VMware ESXi Systems

A new ransomware-as-service (RaaS) operation called MichaelKors has become the latest file-encrypting malware to target Linux and VMware ESXi systems as of April 2023.

The development points to cybercriminal actors increasingly setting their eyes on the ESXi, cybersecurity firm CrowdStrike said in a report shared with The Hacker News.

“This trend is especially noteworthy given the fact that ESXi, by design, does not support third-party agents or AV software,” the company said.

“In fact, VMware goes as far as to claim it’s not required. This, combined with the popularity of ESXi as a widespread and popular virtualization and management system, makes the hypervisor a highly attractive target for modern adversaries.”


The targeting of VMware ESXi hypervisors with ransomware to scale such campaigns is a technique known as hypervisor jackpotting. Over the years, the approach has been adopted by several ransomware groups, including Royal.

What’s more, an analysis from SentinelOne last week revealed that 10 different ransomware families, including Conti and REvil, have utilized the Babuk source code leaked in September 2021 to develop lockers for VMware ESXi hypervisors.

Other notable e-crime outfits that have updated their arsenal to target ESXi consist of ALPHV (BlackCat), Black Basta, Defray, ESXiArgs, LockBit, Nevada, Play, Rook, and Rorschach.

Part of the reason why VMware ESXi hypervisors are becoming an attractive target is that the software runs directly on a physical server, granting a potential attacker the ability to run malicious ELF binaries and gain unfettered access over the machine’s underlying resources.

Attackers looking to breach ESXi hypervisors can do so by using compromised credentials, followed by gaining elevated privileges and either laterally moving through the network or escaping the confines of the environment via known flaws to advance their motives.

VMware, in a knowledge base article last updated in September 2020, notes that “antivirus software is not required with the vSphere Hypervisor and the use of such software is not supported.”

“More and more threat actors are recognizing that the lack of security tools, lack of adequate network segmentation of ESXi interfaces, and [in-the-wild] vulnerabilities for ESXi creates a target rich environment,” CrowdStrike said.

Ransomware actors are far from the only outfits to strike virtual infrastructure. In March 2023, Google-owned Mandiant attributed the use of novel backdoors dubbed VIRTUALPITA and VIRTUALPIE in attacks aimed at VMware ESXi servers to a Chinese nation-state group.

To mitigate the impact of hypervisor jackpotting, organizations are recommended to avoid direct access to ESXi hosts, enable two-factor authentication, take periodic backups of ESXi datastore volumes, apply security updates, and conduct security posture reviews.

“Adversaries will likely continue to target VMware-based virtualization infrastructure,” CrowdStrike said. “This poses a major concern as more organizations continue transferring workloads and infrastructure into cloud environments – all through VMWare Hypervisor environments.”

 

(c) Ravie Lakshmanan

Microsoft Follina Bug Is Back in Meme-Themed Cyberattacks Against Travel Orgs

A two-bit comedian is using a patched Microsoft vulnerability to attack the hospitality industry, and really laying it on thick along the way.

A threat actor is exploiting last year’s Follina remote code execution (RCE) vulnerability to deploy the XWORM remote access trojan (RAT) and data-stealer against targets in the hospitality industry.

On May 12, researchers from Securonix broke down the campaign, which uses Follina to drop PowerShell code rife with 4chan and meme references onto target machines. The researchers refer to the campaign as “MEME#4CHAN” because of the blurry line it draws between stealth and internet humor.

The MEME#4CHAN Attack Flow

MEME#4CHAN attacks begin with a phishing email, with a hospitality hook in the subject line — something like “Reservation for Room.” Attached will be a Microsoft Word document furthering the theme, such as “Details for booking.docx.”

Once a victim clicks on the document, they’re presented with a dialog box: “This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?” But regardless of whether they click “Yes” or “No,” a Word document opens, containing stolen images of a French driver’s license and debit card.

The choice of a .docx file is notable. Hackers long relied on malicious macros in Office files to gain a foothold on a target machine, a tactic that is far less effective now that Microsoft blocks macros in files downloaded from the Internet by default.

Without that option, MEME#4CHAN instead turns to Follina. Follina (CVE-2022-30190) is an RCE vulnerability that carries a “high” CVSS score of 7.8. It allows attackers to create specially-crafted Microsoft Word files that trick Microsoft’s Diagnostic Support Tool into downloading and executing malicious code from an attacker-controlled server. The bug was disclosed and patched a year ago.
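The Follina mechanism described above leaves a footprint a defender can look for without opening the file: a .docx is a ZIP archive, and the Diagnostic Tool abuse relies on an external relationship (typically an OLE object pointing at an attacker server, or an ms-msdt: URI). The following is an added example, not Securonix’s or Microsoft’s code: a scanner that inspects the relationship parts of a .docx, plus a constructed minimal document used to exercise it. The scanner and sample-builder names, and the example.invalid URL, are this example’s own.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace and relationship-type URIs are fixed by the OOXML packaging spec.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def scan_docx(data: bytes):
    """Return (part, target, reason) tuples for relationships worth a closer look.

    Flags: any target using the ms-msdt: protocol handler (the Follina trigger),
    and any OLE object relationship whose TargetMode is External, i.e. content
    fetched from a remote server when the document is opened.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    target = rel.get("Target", "")
                    external = rel.get("TargetMode", "").lower() == "external"
                    if "ms-msdt:" in target.lower():
                        findings.append((name, target, "ms-msdt URI"))
                    elif external and rel.get("Type") == OLE_REL_TYPE:
                        findings.append((name, target, "external OLE object"))
            elif name.endswith(".xml") and b"ms-msdt:" in z.read(name).lower():
                # Handler URI embedded directly in a document part
                findings.append((name, "", "ms-msdt in XML part"))
    return findings


def build_sample_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx: only the parts the scanner reads are populated."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml",
                   "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed relationship parts: an ordinary styles link, and an external OLE link.
BENIGN_RELS = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
</Relationships>"""

SUSPICIOUS_RELS = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="http://example.invalid/booking.html" TargetMode="External"/>
</Relationships>"""


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        print(label, scan_docx(build_sample_docx(rels)))
```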

Through Follina, MEME#4CHAN downloads an obfuscated PowerShell script once the Word document is opened. The script is notable for its labored references, memes, and uninspiring jokes. The author laments at multiple points “why my ex left me,” for example, and gives directories, variables, and functions names such as “mememan,” “shakalakaboomboom,” and “stepsishelpme.”

The jokes are a unique stealth tactic, designed to instantly repel any researcher of good taste, Securonix researchers noted, but added that the attack uses other more traditional obfuscation as well.

In fact, the researchers found variables in the PowerShell code ranging from “semi-” to “heavily” obfuscated, they said, including a “heavily obfuscated” .NET binary which, once decoded, revealed itself as the XWORM RAT.

“The relative amount of effort invested into obfuscation and covertness is higher than for the similar attacks we observed,” says Oleg Kolesnikov, vice president of threat research and detection at Securonix, “and it is not yet clear why.”

What Is XWORM?

XWORM is a bit of a Swiss Army knife of a RAT.

On one hand, it does RAT things — checking for antivirus, communicating with a command-and-control (C2) server, opening a backdoor to a machine, and creating an autorun entry to ensure persistence across restarts.

At the same time, it comes replete with espionage features, including capabilities for accessing a device’s microphone and camera, and keylogging; and it can instigate follow-on attacks like distributed denial of service (DDoS) or even ransomware.

That said, the malware is of dubious quality, some note.

Multiple iterations of XWORM have been leaked online in recent months, including a 3.1 version just last month. The individual who published the 3.1 code to GitHub didn’t appear to hold it in high regard.

“There are so many sh*tty Rat [sic], XWorm is one of them. I’m sharing it so that you don’t pay for such things for nothing,” the person wrote in a README file.

“Compared to some of the other similar underground attack tools for which source code was leaked recently,” Kolesnikov judges, “XWORM does appear to have arguably somewhat less advanced capabilities, though [it’s usefulness] often depends on the specific capability [required]. It depends on how the malicious threat actors use the tool as part of an attack.”

Which Cybercriminals Are Behind MEME#4CHAN?

According to the researchers, it’s likely the author behind MEME#4CHAN is English-speaking, due to all the 4Chan references in their code.

Dark Reading also independently observed several variables in the code referencing Indian cultural touchpoints, indicating either that the hacker is of Indian origin, or familiar enough with Indian culture to fake it.

Taking further evidence into account adds color and cloudiness to the attribution picture. “The attack methodology is similar to that of TA558, a cybercriminal gang, where phishing emails were delivered targeting the hospitality industry,” the Securonix researchers explained.

The researchers added, however, that “TA558 also typically uses a wide range of C2 campaign artifacts and payloads similar, but not positively in line with what we witnessed through the MEME#4CHAN campaign.”

Whoever’s behind it, it doesn’t appear that this campaign is over with, as several of its associated C2 domains are still active.

The researchers recommended that to avoid becoming potential victims, organizations should avoid opening any unexpected attachments, watch out for malicious file hosting websites, and implement log anomaly detection and application whitelisting.

 

(c) Dark Reading

TSA Official: Feds Improved Cybersecurity Response Post-Colonial Pipeline

US Transportation Security Agency (TSA) administrator reflects on how the Colonial Pipeline incident has moved the needle in public-private cooperation.

In the wake of the ransomware attack on the Colonial Pipeline, the US Transportation Security Agency — the agency that regulates pipelines as well as air travel, railways, highways, and mass transit systems — brought together the CEOs of more than two dozen critical pipeline operators for a top-secret briefing in the White House.

The TSA planned to hand down security directives to drive pipeline operators to enhance security, and they knew those companies’ CISOs would have to ask their CEOs for more resources and higher priority, David Pekoske, administrator of the Transportation Security Administration, told attendees at the Hack the Capitol conference in McLean, Va. on May 11.

During that meeting, the TSA and other administration officials outlined the threat to critical infrastructure and why the pipeline operators needed to work with the government to make pipeline operations more resilient, he said.

“We knew we were going to be asking a lot of the industry — we want the CEOs themselves to see what the threat was, or see why we were so concerned about this,” Pekoske said. “I would label that as an absolute best practice, because that really paved the way for rapid implementation and really paved the way for continued top-level communications between myself and those CEOs.”

The TSA took the same approach with each of its other critical infrastructure sectors as well, which resulted in a better way of implementing a concept the government has repeatedly referenced for more than a decade: the public-private partnership. Along with cybersecurity experts at the Joint Cyber Defense Collaborative (JCDC) and government officials with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the TSA worked with critical-infrastructure operators and industrial control systems partners to adapt its approach to cybersecurity, Pekoske told attendees.

“We have pivoted over the course of these two years to become, in our view, even more effective in cybersecurity with our partners in the transportation sector,” he said. The goal is to “build resiliency within that infrastructure sector, so that if attacked, the services that the critical infrastructure sector provides could come back online quickly.”

Performance, Not Prescription

Following the Colonial Pipeline attack, the TSA initially focused on prescribing specific cybersecurity measures, but quickly realized — after listening to industry feedback — that if the agency kept that approach, the technology would change within the next 12 to 18 months, leaving its requirements outdated.
</gre_replace>
<gr_replace lines="332" cat="clarify" orig="The performance-based">
The performance-based model requires that specific outcomes be achieved, including a focus on resiliency, a cybersecurity implementation plan, regular cyber assessments, and an incident response plan, Pekoske said.

“We can’t turn the crank on the regulatory process within that time frame,” he said. “So instead, we’ve gone into this performance-based model, which is something that the national cyber strategy calls for and is really, I think, the way to go.”

The performance-based model requires that specific outcomes be achieved, including focusing on resiliency, creating a cybersecurity implementation plan, establishing regular cyber assessments, and creating a plan for response, Pekoske said.

Cyber Resiliency Requires Collaboration

Working with industry, meeting with cybersecurity teams and executives, and understanding their business concerns are all critical to creating a resilient cyber infrastructure, he told Hack the Capitol attendees.

“To me, success as the administrator is when something’s really bothering a CEO, that person feels like they can call me and just say, ‘Hey, I’m hearing this, I’m really concerned about it. Can you help me out here?’” he said. “As a taxpayer, that’s kind of really what I think ought to happen in government … you can always make 10 or 15 minutes, particularly for somebody who’s running a critical piece of our national infrastructure.”
(c) Dark Reading

The new info-stealing malware operations to watch out for

The information-stealing malware market is constantly evolving, with multiple malware operations competing for cybercriminal customers by promoting better evasion and increased ability to steal data from victims.

Information stealers are specialized malware used to steal account passwords, cookies, credit card details, and crypto wallet data from infected systems; the stolen data is packed into archives called ‘logs’ and uploaded back to the threat actors.

These logs of stolen data are used to fuel further attacks or sold on marketplaces for prices ranging from $1 to $150, depending on the victim.

Cybersecurity intelligence firm KELA has compiled a report documenting the rise of new variants and malware-as-a-service (MaaS) operations that grew substantially in the first quarter of 2023, raising the associated risk for organizations and individuals.

“In this report, KELA focuses on new infostealers like Titan, LummaC2, WhiteSnake, and others who have recently emerged from the cybercrime underground and have already gained popularity among threat actors,” Cyber Threat Intelligence Analyst Yael Kishon said in a report shared with BleepingComputer.

The emerging info-stealers

Although older strains like RedLine, Raccoon, and Vidar continue to have a significant presence, and newer families like Aurora, Mars, and Meta are still growing, new malware families are also trying to make a name for themselves this year.

[Figure: Raccoon remains the most prolific MaaS operation (KELA)]

KELA highlights the following four information-stealing operations that launched over the past year:

Titan: Titan first appeared on Russian-speaking hacker forums in November 2022, promoted as a Go-based info-stealer that targets data stored in 20 web browsers.

Its Telegram channel counts over 600 subscribers. On March 1, 2023, its authors released version 1.5, and on April 14 they teased an upcoming new version, indicating that this is a very active project.

[Figure: New versions of Titan announced on Telegram]

Titan is sold for $120/month (beginners), $140/month (advanced), or $999/month (teams).

LummaC2: LummaC2 targets over 70 browsers, cryptocurrency wallets, and two-factor authentication extensions.

In January 2023, the project was relaunched on Telegram, where its channel now has over a thousand subscribers, and since February 2023 it has also been offered for purchase through ‘RussianMarket.’

[Figure: LummaC2’s subscription tiers]

LummaC2 sells for $250 to $1000 per month, depending on the selected features, and KELA says the malware enjoys a very good reputation in the cybercrime underground.

LummaC2 also runs a reseller program, giving agents a 20% cut of each new subscription they bring to the platform.

Stealc: First analyzed by SEKOIA in February 2023, Stealc is a lightweight stealer with automated exfiltration that targets over 22 web browsers, 75 plugins, and 25 desktop wallets.

It is sold for $200/month, and its popularity is constantly increasing.

[Figure: Stealc author promoting the malware on a Russian forum]

It has previously been seen distributed via YouTube videos promoting cracked software laced with the malware.

WhiteSnake: This strain was first promoted on hacker forums in February 2023 as an email, Telegram, Steam, and cryptocurrency wallet stealer.

It can target both Windows and Linux systems, which is rare in this field.

[Figure: WhiteSnake promo page]

WhiteSnake has over 750 subscribers on Telegram, selling for $140/month or $1,950 for lifetime access.

Cloud of Logs

KELA’s report also highlights a new product type that has emerged lately, named “Clouds of Logs”: subscriptions that grant access to private, cloud-hosted log collections built by threat actors who distribute info-stealer malware.

Clouds of logs are a more private and, presumably, safer alternative to automated log markets, created to give data sellers a simpler way to monetize their activity without middlemen.

[Figure: Seller promoting their private logs repository on Telegram]

The emergence of competitively priced new info-stealers lowers the entry barrier for cybercriminals, especially in the case of Titan, which sells for just $120/month.

KELA believes that the malware-as-a-service market will remain popular this year, so the use of info-stealers will continue to be substantial.
(c) Bill Toulas