REvil Ransomware infects network of diagnostics corporation Grupo Fleury

REvil Ransomware has struck the healthcare industry once again, infecting the network of healthcare giant Grupo Fleury, an attack that disrupted business operations and forced company systems offline. Grupo Fleury is a Brazilian healthcare company founded in 1926, whose main activity is the provision of medical services and diagnostic medicine. With around 60 million exams performed in 2016, it is the second-largest company in the area in Brazil. The company has 200 service centers and more than 10,000 employees in the region.

Since the attack, the Fleury website has displayed an alert stating that the company suffered an attack and that its systems are not accessible.

“Please be advised that our systems are currently unavailable and that we are prioritizing the restoration of services. The causes of this unavailability originated from the attempted external attack on our systems, which are having operations reestablished with all the resources and technical efforts for the rapid standardization of our services.” read the alert translated into English.

Announcement of the attack on the Grupo Fleury website

Due to the REvil Ransomware infection, patients are unable to schedule tests, be they lab or clinical.

While local media has received confirmation that the company has suffered a cyberattack, Grupo Fleury has not officially confirmed a ransomware attack. However, many independent cybersecurity researchers have been analyzing the incident, and researchers at BleepingComputer have confirmed it is a REvil Ransomware infection.

This ransomware operation is responsible for numerous high-profile attacks, including Brazil’s Rio Grande do Sul court system, nuclear weapons contractor Sol Oriens, and JBS, the world’s largest meat producer.

Based on the sample BleepingComputer is working with, the ransom demanded by the gang in this case is believed to be $5 Million.

Ransom demand found in the REvil Ransomware sample

REvil is known for stealing files before encrypting devices and then using the stolen data as leverage to get a company to pay the ransom.

From the ransomware sample, no proof of stolen data or mention of the victim’s name has been shared by the attackers at this time.

If data has been stolen, Grupo Fleury’s data is of significant concern as it could contain enormous amounts of personal and medical data of patients.

REvil Ransomware Analysis

REvil Ransomware is a Ransomware-as-a-Service (RaaS), meaning it can be sold on a subscription basis and is usable by just about anybody. In 2020, it extorted large amounts of money from corporations and individuals. According to researchers, it is the most widespread ransomware strain. Groups using it have a knack for shaking down businesses that don’t meet their demands, often through threats or by leaking data.

REvil Ransomware, also known as Sodinokibi, first appeared in April 2019 and rose to prominence after another RaaS gang called GandCrab shut down its service. REvil was first advertised on Russian-language cybercrime forums. The main actor associated with advertising and promoting REvil ransomware is called Unknown aka UNKN. In the early days of REvil, researchers and security firms identified it as a strain of GandCrab, or at least established multiple links between the two. An alleged member of the group, using the handle Unknown, confirmed in an interview that the ransomware was not a new creation and that it was built on top of an older codebase that the group acquired.

The group behind REvil Ransomware and other groups selling RaaS often do so on a commission basis. Usually, this means a cut of between 20% and 30% of the money earned through infecting victims with ransomware.

In 2020, the IBM Security X-Force Incident Response reported that 1 in 3 Ransomware infections were caused by REvil Ransomware.

In February 2021, the REvil ransomware operation posted a job notice where they were looking to recruit people to perform DDoS attacks and use VOIP calls to contact victims and their partners.

In March, a security researcher known as 3xp0rt discovered that REvil has announced that they were introducing new tactics that affiliates can use to exert even more pressure on victims.

These new tactics include a free service where the threat actors, or affiliated partners, will perform voice-scrambled VOIP calls to the media and the victim’s business partners with information about the attack. The ransomware gang is likely assuming that warning businesses that their data may have been exposed in an attack on one of their partners will create further pressure for the victim to pay.

REvil Ransomware is also providing a paid service that allows affiliates to perform Layer 3 and Layer 7 DDoS attacks against a company for maximum pressure. A Layer 3 attack is commonly used to take down the company’s Internet connection. In contrast, threat actors would use a Layer 7 attack to take down a publicly accessible application, such as a web server.

REvil is highly configurable and can be customized to behave differently depending on the host, which makes it a highly attractive RaaS client. Some of its features include:

  • Exploits a kernel privilege escalation vulnerability to gain SYSTEM privileges using CVE-2018-8453.
  • Whitelists files, folders and extensions from encryption.
  • Kills specific processes and services prior to encryption.
  • Encrypts files on local and network storage.
  • Customizes the name and body of the ransom note, and the contents of the background image.
  • Exfiltrates encrypted information on the infected host to remote controllers.
  • Uses Hypertext Transfer Protocol Secure (HTTPS) for communication with its controllers.

REvil ransomware exploits a kernel privilege escalation vulnerability in win32k.sys tracked as CVE-2018-8453 to gain SYSTEM privileges on the infected host. If the configuration instructs a sample to execute this exploit, it will allocate executable memory, decrypt the exploit code in the newly allocated region and invoke it.

Protection Against Ransomware

REvil Ransomware and other Ransomware clients are some of the most common and deadly cybersecurity threats out there today. Families and businesses should be aware of these threats, and equip the right tools to tackle them. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members’ devices, including activity, time spent online, and threats blocked.

Intuit TurboTax Warns Customers of Identity Theft Following Data Breach

Identity Theft is on the cards again for users of Intuit TurboTax, as the company has suffered a significant data breach, one of many in the last few years. The company notified customers of the breach, in which hackers stole personal and financial information following a series of account takeovers. In a breach notification letter sent to affected customers earlier this month, the company said that this was not a “systemic data breach of Intuit.” In account takeover attacks, cybercriminals gain access to their victims’ accounts using credentials stolen from other online services following past data breaches.

This type of attack works incredibly well against targets who use the same login credentials for multiple sites or services. “We have more than 100 million customers and see billions of transactions per year with ATO notifications going to less than .0003% of customers and some of those confirmed by the customer after the fact as their activity (not an ATO),” Rick Heineman, Intuit Corporate Communications Vice President, said in a statement to BleepingComputer.

TurboTax is a software package for the preparation of American income tax returns, produced by Intuit. TurboTax is a market leader in its product segment, competing with H&R Block Tax Software and TaxAct. TurboTax was developed by Michael A. Chipman of Chipsoft in 1984 and was sold to Intuit in 1993.

Intuit discovered the breach during a security review, in which it found that an undisclosed number of TurboTax accounts had been breached and customer information exposed. This has led to fears of identity theft.

“By accessing your account, the unauthorized party may have obtained information contained in a prior year’s tax return or your current tax return in progress, such as your name, Social Security number, address(es), date of birth, driver’s license number and financial information (e.g., salary and deductions), and information of other individuals contained in the tax return,” Intuit explained.

“We deeply regret that this incident may affect you. Intuit has taken various measures to help ensure that the accounts of affected customers are protected. We are notifying you so you can take steps to help protect your information,” the company added.

After discovering the attacks, Intuit temporarily disabled the breached TurboTax accounts. Users who had their accounts deactivated must contact Intuit’s Customer Care department at 1-800-944-8596 and say “Security” when prompted.

This is not the first time a TurboTax breach has sparked identity theft concerns.

TurboTax customers were previously targeted in at least three other series of account takeover attacks in 2014/2015 and again in 2019.

Just as after the previous three incidents, Intuit provides one year of free identity protection, credit monitoring, and Experian IdentityWorks identity restoration services to impacted customers.

The Dangers of Identity Theft

Identity Theft can be absolutely devastating for an individual. Usually, in the world of malware, we know which things can be harmed. Our devices may need to be replaced, we may lose access to accounts for a few days or even forever, we may even need to pay a ransom for access to our data. The point is, with most types of Malware, we can eventually rebuild, though it may take longer than we anticipate. The fallout from identity theft lasts much longer.

Once your stolen information has been used, it can take anywhere from a few days to six months to resolve that one incident. But your information is out there for a very, very long time. This means you could end up dealing with identity theft for many years, even decades.

Identity Theft has been around for a very long time and predates our modern technology by thousands of years. There have always been individuals that try to impersonate others for their own gain, financial or otherwise. However, the internet’s birth and wide adoption have led to new attack vectors, dwarfing any possible past attempts.

Now more than ever, we have data tied to our personal identity. Email addresses, banking numbers, phone numbers, social security numbers, home addresses – all of these and more form a picture of us as lines in a database.

And when this information falls into the wrong hands, it can do a lot of damage. Bank accounts can be drained, and your credit rating can get rattled; you can end up with medical bills or even a criminal record. The list of potential mishaps that can arise from identity theft is endless.

To hackers, identity theft represents a lucrative stream of income, and they can very easily cover their tracks. After they have seized personal information, they sell it on the dark web. This information can be sold over time, repeatedly, meaning that even after you notice your identity has been stolen and used, it can be used again in several instances over a period of many years.

There are some guidelines from the US government for discovering whether you are a victim of identity theft if it is not immediately obvious:

  • You stop receiving your regular bills and credit card statements.
  • You receive statements for accounts you never opened.
  • Debt collectors start calling you day and night about debts you’ve never heard of.
  • The IRS alleges you failed to report income for a company you never worked for.
  • You see withdrawals/charges on your bank or credit card statement that you didn’t make.
  • You try to file your taxes only to discover that someone else beat you to it.
  • You try to file your taxes and find someone claimed your child as a dependent already.
  • Your credit report includes lines of credit you never opened.
  • Your credit score fluctuates wildly and for no apparent reason.
  • The most obvious sign—you receive a notification that you’ve been the victim of a data breach.
  • If you are unsure, it is always best to check with the authorities on the US government’s identity theft website.

Protection

In some cases, a victim cannot be faulted for identity theft. For example, in the story above, those affected by the data breach handed their information over to companies in good faith. Unfortunately, these companies, or more specifically the vendor, failed to protect this information. However, many other times, business owners and families are singled out and targeted in their offices and homes.

For times like these, it is critical that you have the right tools to protect yourself. One of these tools is SaferNet.

Ransomware Hits Catering Service Supplier Edward Don

Ransomware has hit one of the nation’s largest catering service suppliers, Edward Don. Edward Don and Company is one of the largest distributors of foodservice equipment and supplies, such as kitchen supplies, bar supplies, flatware, and dinnerware. The ransomware attack has forced the company to take down parts of its network, affecting customer relations and communications. The infection has disrupted their business operations, including their phone systems, network, and email.

The email outage forced company employees to use personal Gmail accounts to communicate with customers and vendors regarding urgent orders or fulfillment issues.

Reporters at BleepingComputer have pressed the company for information regarding the ransomware attack, but Edward Don has yet to release a statement. However, employees have stated that they cannot accept new orders until the systems are brought back online.

As Edward Don is one of the leading distributors of foodservice supplies, this attack will cause a significant disruption in the supply chain for hospitals, restaurants, hotels, and bars.

There has yet to be confirmation of which strain of ransomware is responsible for the attack. However, given the current ransomware climate, it could be one of many. Advanced Intel CEO Vitali Kremez stated, based on the firm’s adversarial visibility, that the company might have been infected by the Qbot malware.

Following Kremez’s suggestion, other researchers have confirmed that the Qbot trojan was on Edward Don’s network, and as such it likely became the foothold through which ransomware entered their systems. In the past, the ProLock and Egregor ransomware gangs partnered with Qbot. Since their shutdown, the REvil ransomware gang has been utilizing the botnet.

The Qbot Trojan has been plaguing computer users and businesses for over a decade and the cybercriminals behind it are still coming up with new tricks that keep it one of the most prevalent and successful malware threats.

Qbot, also known as Qakbot or Pinkslipbot, started out as a banking Trojan focused on stealing online banking credentials, but has since evolved into a “Swiss Army knife” that’s used for a variety of purposes including distributing ransomware.

Last year, a new Qbot variant started being distributed by another Trojan called Emotet as part of a new spam campaign that affected many organizations worldwide. That new variant exhibited new features and a new command-and-control infrastructure. This continued with a renewed Qbot distribution campaign late last year.

“One of Qbot’s new tricks is particularly nasty, as once a machine is infected, it activates a special ‘email collector module’ which extracts all email threads from the victim’s Outlook client, and uploads it to a hardcoded remote server,” Check Point researchers said in a report. “These stolen emails are then utilized for future malspam campaigns, making it easier for users to be tricked into clicking on infected attachments because the spam email appears to continue an existing legitimate email conversation.”

Qbot Trojan Analysis: A Foothold For Ransomware

Note: This analysis of Qbot was carried out by independent cybersecurity researcher Abdallah Elshinbary.

QBot can be delivered in various ways, including Malspam (Malicious Spam), or dropped by other malware families like Emotet.

The infection flow for this campaign is as follows:

First, the victim receives a phishing email with a link to a malicious zip file. The zip file contains a heavily obfuscated VBS file which downloads and launches the Qbot executable. The VBS file tries to download Qbot from several addresses.

Most of QBot’s strings are encrypted and stored in one contiguous blob; they are decrypted on demand. The decryption routine accepts one argument, the index of the string within the blob, and XORs the bytes at that offset with a hardcoded byte array until it encounters a null byte.
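As an added example (not from the article or from Elshinbary’s analysis), here is a small Python re-implementation of that on-demand string decryption, the kind of helper an analyst writes to dump a sample’s string table. The key, the sample blob and the rule that the key byte is chosen by absolute blob offset are constructed assumptions; the real routine differs between versions.

```python
# Added illustration of XOR-until-null string decryption. Nothing here is taken
# from a real sample: KEY, SAMPLE_STRINGS and the key-indexing rule are constructed.
from typing import Dict, List, Tuple

KEY = bytes([0x5A, 0xC3, 0x17, 0x8E, 0x42])  # constructed XOR key (assumption)

# Constructed plaintexts; the names come from the analysis above, not from a blob.
SAMPLE_STRINGS: List[str] = ["%APPDATA%\\Microsoft\\", "WNetOpenEnumW", "GenuineIntel"]


def build_blob(strings: List[str], key: bytes) -> bytes:
    """Pack strings into one contiguous blob, each followed by an (encrypted)
    null terminator. Key byte = key[absolute_offset % len(key)] (assumption)."""
    out = bytearray()
    for s in strings:
        for ch in s.encode() + b"\x00":
            out.append(ch ^ key[len(out) % len(key)])
    return bytes(out)


SAMPLE_BLOB = build_blob(SAMPLE_STRINGS, KEY)  # constructed encrypted blob


def _decrypt_at(blob: bytes, key: bytes, index: int) -> Tuple[bytes, int]:
    """XOR from `index` until the decrypted byte is null; return the plaintext
    bytes and the offset just past the terminator."""
    out = bytearray()
    pos = index
    while pos < len(blob):
        b = blob[pos] ^ key[pos % len(key)]
        pos += 1
        if b == 0:
            return bytes(out), pos
        out.append(b)
    # A wrong key or a bad index usually runs off the end: report it instead of
    # returning garbage, which is the failure mode an analyst hits most often.
    raise ValueError("unterminated string at index %d" % index)


def decrypt_string(blob: bytes, key: bytes, index: int) -> str:
    """The routine as described: one argument (the index), XOR until null."""
    raw, _ = _decrypt_at(blob, key, index)
    return raw.decode(errors="replace")


def decrypt_all(blob: bytes, key: bytes) -> Dict[int, str]:
    """Walk the whole blob and return {index: plaintext} for every string, i.e.
    the lookup table needed to resolve decrypt_string(i) calls seen in code."""
    table: Dict[int, str] = {}
    pos = 0
    while pos < len(blob):
        raw, nxt = _decrypt_at(blob, key, pos)
        table[pos] = raw.decode(errors="replace")
        pos = nxt
    return table


if __name__ == "__main__":
    for idx, text in decrypt_all(SAMPLE_BLOB, KEY).items():
        print("%4d  %s" % (idx, text))
```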

QBot spawns a new process of itself with the “/C” parameter; this child process is responsible for the anti-analysis checks, which the trojan performs to try to stop researchers from examining it.

In VMware, communication with the host is done through a specific I/O port (0x5658), so QBot uses the IN assembly instruction to detect VMware by reading from this port and checking whether the value returned in EBX equals the magic value VMXh. Another anti-VM trick is to check the names of hardware devices against known device names used by VMs and sandboxes.

The last check uses the CPUID instruction. It is first executed with EAX=0 to get the CPU vendor string, which is compared with GenuineIntel (an Intel processor). It is then executed with EAX=1 to get the processor feature flags; on a physical machine the last bit is 0, while on a guest VM it is 1.

After the Anti-Analysis checks, QBot drops a copy of itself along with a configuration file at “%APPDATA%\Microsoft\”. Finally, QBot starts the dropped copy in a new process and overwrites itself with a legitimate executable.

Qbot accesses the dropped configuration file frequently; this file is RC4 encrypted.

QBot obfuscates its communication with the C2 (Command-and-Control) server by encrypting the payloads using RC4 and encoding the result using Base64. The communication is also done over SSL.
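An added example (not the article’s or the analysis author’s code) of the RC4-plus-Base64 layering described for the C2 traffic, which also covers the RC4-encrypted configuration file mentioned above: a pure-Python RC4 checked against published RC4 test vectors, with the C2 key and message below being constructed values rather than anything from a real sample.

```python
# Added illustration of decoding an RC4 + Base64 payload. The key and the
# message are constructed; the RC4 implementation is the standard KSA/PRGA.
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher. Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_payload(key: bytes, plaintext: bytes) -> str:
    """RC4-encrypt, then Base64-encode: the layering the analysis describes
    for messages sent to the C2 server."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_payload(key: bytes, encoded: str) -> bytes:
    """Reverse the layering for a captured message: strict Base64 decode
    (rejecting non-alphabet characters), then RC4-decrypt."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError as exc:                 # binascii.Error is a ValueError
        raise ValueError("payload is not valid Base64") from exc
    return rc4(key, raw)


# Constructed key and bot message for the demonstration (assumptions).
CONSTRUCTED_KEY = b"example-rc4-key-not-from-a-sample"
SAMPLE_MESSAGE = b'{"bot_id":"constructed-0001","cmd_index":0}'
SAMPLE_ENCODED = encode_payload(CONSTRUCTED_KEY, SAMPLE_MESSAGE)


if __name__ == "__main__":
    print("encoded :", SAMPLE_ENCODED)
    print("decoded :", decode_payload(CONSTRUCTED_KEY, SAMPLE_ENCODED))
```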

After establishing communication, the C2 server sends the indexes of the commands to be executed.

QBot can spread through the network by enumerating network shares using WNetOpenEnumW() and WNetEnumResourceW() and then dropping a copy of itself into the shared folders.

When Qbot ensures it is not in analysis, and communication to the C2 server has been established, it can begin delivering other malware such as ransomware onto the system.

Protection

Ransomware is a serious online threat, one that is faced by businesses and families globally. It is critical that you use the right tools to keep your digital life protected. One of these tools is SaferNet.

REvil Ransomware Strikes US Nuclear Weapons Contractor

REvil Ransomware has struck again, this time at Sol Oriens, a subcontractor for the Department of Energy (DOE). Sol Oriens works on nuclear weapons with the National Nuclear Security Administration (NNSA). The REvil Ransomware attack occurred last month. The company’s website has been unreachable since June 3rd, but Sol Oriens spokespeople confirmed to Fox News and CNBC that they became aware of the REvil Ransomware infection a month ago. The REvil Ransomware operators said of the attack, “We hereby keep a right to forward all of the relevant documentation and data to military agencies of our choice.”

The company said in a statement, “In May 2021, Sol Oriens became aware of a cybersecurity incident that impacted our network environment. The investigation is ongoing, but we recently determined that an unauthorized individual acquired certain documents from our systems. Those documents are currently under review, and we are working with a third-party technological forensic firm to determine the scope of potential data that may have been involved. We have no current indication that this incident involves client classified or critical security-related information. Once the investigation concludes, we are committed to notifying individuals and entities whose information is involved.”

Eamon Javers of CNBC noted, “we don’t know everything this small company does,” but he posted a sample job posting that indicates that it handles nuclear weapons issues: “Senior Nuclear Weapon System Subject Matter. Expert with more than 20 years of experience with nuclear weapons like the W80-4.” The W80 is a type of nuclear warhead carried on air-launched cruise missiles.

According to an archived version of the company’s LinkedIn profile, Sol Oriens is a “small, veteran-owned consulting firm focused on managing advanced technologies and concepts with strong potential for military and space applications” that works with the “Department of Defense and Department of Energy Organizations, Aerospace Contractors, and Technology Firms (sic) carry out complex programs. We focus on ensuring that there are well-developed technologies available to maintain a strong National Defense.”

Brett Callow, a threat analyst and ransomware expert at the security firm Emsisoft, told Mother Jones that he had spotted Sol Oriens’s internal information posted to the REvil Ransomware’s dark web blog.

According to Callow, the leaked information so far seems relatively benign. Callow described the data as, “a company payroll form from September 2020, outing a handful of employees’ names, social security numbers, and quarterly pay. There’s also a company contracts ledger, and a portion of a memo outlining worker training plans.”

It remains to be seen if the REvil Ransomware gang has got its hands on more sensitive information. Regardless, the attack is concerning for many, given that a company working with nuclear armaments was able to be breached from the outside. As Mother Jones pointed out, the NNSA is responsible for maintaining and securing the nation’s nuclear weapons stockpile and works on nuclear applications for the military, along with other highly sensitive missions.

The REvil Ransomware gang blamed the victim in the attack, stating Sol Oriens “did not take all necessary action to protect personal data of their employees and software development for partner companies.”

Prometheus Ransomware Emerges and Targets Businesses Globally

Prometheus Ransomware is an emerging threat in the malware scene, and it has breached 30 business organizations in just four months since it went operational. The strain is somewhat riding on the coattails of another notorious ransomware syndicate, REvil. Prometheus Ransomware was first spotted in the wild in February 2021, and researchers quickly deduced it was a rebuild of another infamous strain named Thanos. Thanos had previously seen action when deployed against government organizations in Africa and the Middle East last year.

The targets of Prometheus Ransomware are varied, and they include government, financial services, manufacturing, logistics, consulting, agriculture, healthcare services, insurance agencies, energy and law firms in the U.S., U.K., and a dozen more countries in Asia, Europe, the Middle East, and South America. These attacks have been tracked and reported by Palo Alto Networks’ Unit 42 threat intelligence team.

Like many ransomware operations, Prometheus Ransomware carries out double-extortion tactics on its victims, where it names new victims and leaks data from a Dark Web site. This is often done to put pressure on the target to pay the ransom.

“Prometheus runs like a professional enterprise,” Doel Santos, Unit 42 threat intelligence analyst, said. “It refers to its victims as ‘customers,’ communicates with them using a customer service ticketing system that warns them when payment deadlines are approaching and even uses a clock to count down the hours, minutes and seconds to a payment deadline.”

Unit 42 discovered just 4 of the 30 affected organizations opted to pay the ransom to date. These include a Peruvian agricultural company, a Brazilian healthcare services provider, and two transportation and logistics organizations in Austria and Singapore.

Manufacturing was the most impacted industry among the victim organizations observed by researchers, closely followed by the transportation and logistics industry.

Prometheus Ransomware has strong links to Thanos, yet the gang claims to be a “group of REvil.” The REvil gang is one of the most infamous ransomware-as-a-service (RaaS) cartels in recent years. Researchers are speculating that this could be an attempt to deflect attention from Thanos or a deliberate ploy to trick victims into paying up by piggybacking on an established operation.

The Prometheus Ransomware attack vector is currently unclear, though the gang is believed to target networks using spear-phishing attacks. Following a successful compromise, the Prometheus modus operandi is to terminate backup and security software-related processes on the system before locking the files behind encryption.

“The Prometheus ransomware operators generate a unique payload per victim, which is used for their negotiation site to recover files,” Santos said, adding the ransom demand ranges anywhere between $6,000 and $100,000 depending on the victim organization, a price that gets doubled if the victim fails to pay up within the designated time period.

Prometheus Ransomware Analysis

Note: This analysis was carried out by Doel Santos of Unit 42.

When Prometheus ransomware is executed, it tries to kill several backups and security software-related processes, such as Raccine, a ransomware prevention tool that tries to stop ransomware from deleting shadow copies in Windows.

Prometheus ransomware appends an extension in the format .[XXX-XXX-XXXX]. Unit 42 found that the extension is hardcoded into each sample, and believes that the Prometheus ransomware operators generate a unique payload per victim, which is then used on their negotiation site to recover files. The researchers obfuscated the extensions because they could be used to identify the victims on the leak site. Prometheus also appends a hexadecimal string of GotAllDone to the end of every encrypted file.

After the backup and security processes are terminated and encryption is complete, Prometheus ransomware drops two ransom notes, a RESTORE_FILES_INFO.TXT file and a RESTORE_FILES_INFO.TXT.hta file, both containing the same information.

The ransom note also includes instructions for contacting Prometheus ransomware operators to recover files, as well as informing the victim that, if the demands are not met, the threat actors will release the data to the public or sell it to a third party.

Since the extensions are used as a victim identifier, by following the instructions on the ransom note, we were able to take a look at the negotiation part of their site using the extension ID to gain access. Interestingly, this group uses a ticketing system for tracking victims. The tickets include a tracking ID, created date, resolution status and priority. A victim can even open a ticket with the threat actors to request data recovery – though this will cost you extra, according to the site.

The Prometheus ransomware operators include a status per victim. Unit 42 found that some of the information posted on the leak site has already been sold to an unknown third party. There are also posts showing that victims within impacted industries paid the ransom and their data was removed from the site.

Protection

Malware is an ever-present threat for governments, businesses, and homes. It is important to also have the tools necessary for protection against threats at any level. One of these tools is SaferNet.


Canada Post Suffers Data Breach As Supplier Ensnared By Lorenz Ransomware

Lorenz Ransomware has claimed its latest victim – a third-party supplier to Canada Post, which resulted in a sizeable data breach for the postal service. Last week, Canada Post informed 44 of its largest customers that the Lorenz Ransomware attack on a third-party service supplier took place, which exposed shipping information belonging to their customers. Canada Post is the primary postal operator in Canada, and serves 16.5 Million residential and business addresses.

The data exposed in the attack includes manifest information for large parcel business customers, which is made up of sender and receiver contact information, names, and mailing addresses.

In total, the breach affected 44 Canada Post commercial customers and 950,000 receiving customers.

“After a detailed forensic investigation, there is no evidence that any financial information was breached. In all, the impacted shipping manifests for the 44 commercial customers contained information relating to just over 950 thousand receiving customers. After a thorough review of the shipping manifest files, we’ve determined the following:

  • The information is from July 2016 to March 2019
  • The vast majority (97%) contained the name and address of the receiving customer
  • The remainder (3%) contained an email address and/or phone number”

In December 2020, Lorenz Ransomware posted on their Dark Web leak site that they had successfully breached Commport Communications. Since that date, the Lorenz Ransomware gang has leaked over 35GB of data stolen in the attack.

Screen Capture from Lorenz Ransomware Data Leak Site

While Canada Post states that at the time of the attack, Commport did not believe that any of their data was accessed, based on the leaked data, it appears that this was not the case. Canada Post states that they have hired external cybersecurity experts to assist in the investigation and have notified the Office of the Privacy Commissioner of Canada.

Lorenz Ransomware first appeared in December. It targets organizations around the world with customized attacks, showing that the operators behind the malware are skilled individuals.

According to cybersecurity researcher Michael Gillespie, Lorenz Ransomware shares much of the same code as the ThunderCrypt Ransomware operation. It is believed that Lorenz Ransomware is perhaps a reworking of ThunderCrypt.

Like other ransomware attacks, Lorenz Ransomware breaches a network and spreads laterally to other devices until it gains access to Windows domain administrator credentials.

Lorenz Ransomware Analysis

Note: The following is an analysis of ThunderCrypt, carried out by TrendMicro. Though there are some differences between ThunderCrypt and Lorenz, the core of the malware as shown below is the same.

Generally, Lorenz Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It adds the following processes:

It adds the following mutexes to ensure that only one of its copies runs at any one time:

  • {Organization Name}

Lorenz Ransomware registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

Lorenz Ransomware Additional Registry Keys


Lorenz Ransomware then carries out the following:

  • It only proceeds to its encryption routine if its filename is that of the MoUsoCoreWorker program.
  • It encrypts FIXED, REMOVABLE, and NETWORK Drives.
  • It appends the extension .sz40 to the file that it is currently encrypting and will rename the file back to its original filename without the appended extension after the encryption has finished.
  • It uses SpVoice Interface functionality to play the following message:
    • You’ve been hacked! Your files are stolen and encrypted. Follow our instructions!
  • It creates a one-time remote scheduled task to execute its copy.
  • It sends the information it gathers to the following URL:
    • {BLOCKED}.{BLOCKED}.251.27:55
  • Task Name: voise
    Trigger: Daily
    Task Action: %Windows%\tWjdf.js
  • Task Name: sz40
    Trigger: ONLOGON
    Task Action: \{Domain}.net\NETLOGON\sinhost.e x e

Lorenz Ransomware avoids encrypting files found in the following folders:

  • $Recycle.Bin
  • All Users
  • Local
  • Microsoft
  • Packages
  • Program Files
  • Program Files (x86)
  • ProgramData
  • Temp
  • WINDOWS
  • Windows

It drops the following file(s) as ransom note:

  • %Desktop%\HELP_SECURITY_EVENT.html
  • %Desktop%\{Encrypted Directory}\HELP_SECURITY_EVENT.html

Lorenz Ransomware Note

Protection

Ransomware is a crowded scene, with new threats rising and falling almost every day. It is important that business owners and families have the best tools for the job when it comes to protecting their devices. One of these tools is SaferNet.


Solarwinds Cybercrime Gang Used 4 New Malware Strains in USAID Phishing Campaign

Malware research teams at Microsoft are on high alert this month, as it was revealed that a Russian hacking gang used four new malware strains in a recent phishing campaign in which they impersonated the United States Agency for International Development (USAID). Last week the Microsoft Threat Intelligence Center (MSTIC) reported that the group APT29, also known as Nobelium, had breached USAID’s Constant Contact account. With a legitimate account under their control, Nobelium could impersonate USAID convincingly and run a phishing campaign aimed at delivering malware to targets.

The phishing campaign involved sending emails to over 3,000 email accounts at more than 150 different organizations, including government agencies and organizations devoted to international development, humanitarian, and human rights work.

“This week we observed cyberattacks by the threat actor Nobelium targeting government agencies, think tanks, consultants, and non-governmental organizations. This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations. While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries. At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work.” the report said.

Microsoft also identified Nobelium in the report, the group behind last year’s SolarWinds attack.

“Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020. These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts.”

Phishing Email From the USAID Constant Contact Account

Following the initial report, the MSTIC issued an additional report concerning the types of malware payloads involved in the campaign.

The four new malware strains are an HTML attachment named ‘EnvyScout’, a downloader known as ‘BoomBox’, a loader known as ‘NativeZone’, and a shellcode downloader and launcher named ‘VaporRage’.

“The actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone.” the report stated.

Analysis of the 4 Malware Strains

Note: The Malware strains were analysed by the Microsoft Threat Intelligence Center (MSTIC) and BleepingComputer.

EnvyScout

NV.html, tracked by Microsoft as EnvyScout, can be best described as a malicious dropper capable of de-obfuscating and writing a malicious ISO file to disk. EnvyScout is chiefly delivered to targets of NOBELIUM by way of an attachment to spear-phishing emails.

Distributed as a file named NV.html, when opened, the HTML file will attempt to load an image from a file:// URL. When doing this, Windows may send the logged-in user’s Windows NTLM credentials to the remote site, which attackers can capture and brute-force to reveal the plain text password.

Microsoft states that the attachment is also used to convert an embedded text blob into a malicious ISO saved as NV.img to the local file system.
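The two behaviours just described, a resource reference to a remote file:// location that makes Windows attempt an outbound NTLM authentication, and a large embedded blob that the attachment's script writes out as a disk image, are what an analyst would triage an HTML attachment for. The scanner below is an added example written for this page, not Microsoft's or BleepingComputer's code; the sample attachment, the 203.0.113.5 address, the saveAs() name and the 2048-character blob threshold are constructed assumptions.

```python
"""Triage an HTML e-mail attachment for the two EnvyScout behaviours described
above.  Added example for this page, not Microsoft's or BleepingComputer's code."""
from html.parser import HTMLParser
import re

# Attribute names whose value is fetched when the document renders.
FETCH_ATTRS = {"src", "href", "data", "background", "poster"}
# file:// or \\host references with a host part: rendering these makes Windows
# try to authenticate (NTLM) to that host.  file:///C:/... has no host and is
# deliberately not matched.
REMOTE_FILE_RE = re.compile(r"^(file://|\\\\)[^\\/]+", re.IGNORECASE)
# A long run of base64-alphabet characters: an embedded payload blob.
# 2048 is an assumed threshold, not a figure from the page.
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{2048,}")
# Script text that names a disk image is the hint that the blob gets written out.
IMAGE_HINT_RE = re.compile(r"\.(img|iso)\b", re.IGNORECASE)


class _AttachmentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self.script_text = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in FETCH_ATTRS and value and REMOTE_FILE_RE.match(value.strip()):
                self.findings.append(("remote_file_ref", tag, value.strip()))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)


def scan_html_attachment(html: str) -> list:
    """Return a list of (finding, where, detail) tuples; empty means nothing found."""
    scanner = _AttachmentScanner()
    scanner.feed(html)
    scanner.close()
    blob = BLOB_RE.search(html)
    if blob and IMAGE_HINT_RE.search("\n".join(scanner.script_text)):
        scanner.findings.append(("embedded_image_blob", "script", len(blob.group(0))))
    return scanner.findings


# Constructed sample in the EnvyScout style: a remote tracking image plus a
# script that writes an embedded blob out as NV.img.  203.0.113.5 is a
# documentation address and saveAs() a stand-in name, both constructed.
SAMPLE_HTML = """<html><body>
<img src="file://203.0.113.5/share/pixel.png" width="1" height="1">
<script>
var blob = "%s";
function dropImage() { saveAs(blob, "NV.img"); }
</script>
</body></html>""" % ("A" * 3000)

BENIGN_HTML = '<html><body><img src="https://example.org/logo.png"></body></html>'

if __name__ == "__main__":
    for finding in scan_html_attachment(SAMPLE_HTML):
        print(finding)
```

The remote-file check deliberately ignores file:/// paths without a host, since those never leave the machine; the blob check only fires when the script also names an .img or .iso, which keeps ordinary inline images from triggering it.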

NV.html attachment saving the ISO image

BoomBox

BOOM, tracked by Microsoft as “BoomBox”, can be best described as a malicious downloader. The downloader is responsible for downloading and executing the next-stage components of the infection. These components are downloaded from Dropbox (using a hardcoded Dropbox Bearer/Access token).

When executed, BoomBox ensures that a directory named NV is present in its current working directory; otherwise it terminates. If the directory is present, BoomBox displays the contents of the NV directory in a new Windows Explorer window (leaving it up to the user to open the PDF file).

After decrypting the downloaded files, BoomBox saves them as %AppData%\Microsoft\NativeCache\NativeCacheSvc.dll and %AppData%\SystemCertificates\CertPKIProvider.dll, and executes them using rundll32.exe.

NativeCacheSvc.dll is configured to launch automatically when a user logs into Windows and is used to launch CertPKIProvider.dll.

As a final stage, the BoomBox malware gathers information about the Windows domain, encrypts the collected data, and then sends it to a remote server under the attacker’s control.

“As the final reconnaissance step, if the system is domain-joined, BoomBox executes an LDAP query to gather data such as distinguished name, SAM account name, email, and display name of all domain users via the filter (&(objectClass=user)(objectCategory=person)),” Microsoft explains.

NativeZone

NativeCacheSvc.dll, tracked by Microsoft as “NativeZone”, can best be described as a malicious loader responsible for utilizing rundll32.exe to load the malicious downloader component CertPKIProvider.dll.

The malicious functionality of NativeCacheSvc.dll is located inside a DLL export named configNativeCache.

As shown above, the export function executes rundll32.exe to load %AppData%\SystemCertificates\Lib\CertPKIProvider.dll by calling its export function named eglGetConfigs.

VaporRage

CertPKIProvider.dll, tracked by Microsoft as “VaporRage”, can best be described as a shellcode downloader. This version of VaporRage contains 11 export functions, including eglGetConfigs, which houses the malicious functionality of the DLL.

When launched, the malware connects back to a remote command and control server, where it registers itself with the attackers, and then repeatedly connects back to the remote site for shellcode to download.

When shellcodes are downloaded, the malware will execute them to perform various malicious activities, including the deployment of Cobalt Strike beacons.

Protection

With regards to protection against phishing attacks, here at SaferNet we often recommend that businesses and families educate their members on how to spot fraudulent emails. These four new malware strains highlight a different scenario, however: the email comes from a trusted account, which makes it much more difficult to discern. In times like these, it is important to have a tool that can tell the difference for you, like SaferNet.


BazaLoader Malware Hides in Bogus Movie-Streaming Site

BazaLoader Malware continues to find novel attack vectors in 2021, following on from the call-center attacks covered earlier this year by SaferNet. BazaLoader’s most recent offering comes in the form of a fake movie-streaming service called BravoMovies, with some questionable movies available. The site makes use of flashy graphics and interesting movie titles, but all that is actually available to download is BazaLoader.

BazaLoader is a loader used to deploy ransomware or other malware types and steal sensitive data from victimized systems. Proofpoint has conducted the majority of research on BazaLoader, including with regards to the latest attack.

Multiple threat actors use the downloader, which is written in C++, to load malware such as Ryuk and Conti ransomware. Proofpoint researchers said they’re confident that there’s a “strong overlap” between the distribution and post-exploitation activity of BazaLoader and the threat actors behind The Trick malware, also known as Trickbot.

The BravoMovies campaign uses an elaborate infection chain that’s in keeping with BazaLoader affiliates, who coax their victims into jumping through several hoops to trigger the malware payloads. It starts with an email telling recipients that their credit cards will be charged unless they cancel their subscription to the service – a subscription that they never signed up for, of course.

BravoMovies infection chain – Similar to the call center attacks

Some of the subject headers used to bait the trap:

  • Your trial period M0012064753012345 is going to be expired soon. Thankfully you made a decision to stick with us!
  • Demo stage is expired! Your account #M0272028060812345 will be automatically transferred to premium plan!

The email includes a phone number for the customer service line. This directs to a call center with live humans standing by, ready to participate in the scheme. The apparent purpose of the call is to cancel the victim’s subscription to the bogus movie site. The site instead directs those who fall for the con to download a boobytrapped Excel spreadsheet whose macros download BazaLoader.

Proofpoint researchers wrote that BravoMovies has the charade down pat. The fake movie-streaming service looks just like a legitimate movie and TV streaming service, complete with fake movie titles as a landing page. In fact, the threat actors jerry-rigged fake posters. “The threat actors used fake movie posters obtained from various open-source resources including an advertising agency, the creative social network Behance, and the book ‘How to Steal a Dog’”, researchers said.

The call-center operators tell their targets to visit the BravoMovies site, to pull up the Frequently Asked Questions page and to follow the directions to unsubscribe via the “Subscribtion” page. Next, they’ll be instructed to download an Excel Sheet.

The Excel sheet contains the macros that will download BazaLoader if enabled. Proofpoint researchers haven’t yet observed the second-stage payload in this campaign, they said.

Sherrod DeGrippo, senior director of threat research and detection for Proofpoint, stated that for now, the BazaLoader threat actors are the most active when it comes to using call centers as part of an attack chain. “We have also observed The Trick [also known as Trickbot] delivered by similar campaigns,” she said via email. “Phone-based threats like “tech support scams” have existed for a few years, but these threats are separate from what we’re seeing in our data. It’s a novel way of inserting a different threat vector into the attack chain.”

It’s relatively new activity for the BazaLoader threat actors, DeGrippo continued: she described the method as an emerging threat that has become more prevalent since January 2021.

Proofpoint researchers first observed the BravoMovies campaign earlier this month. They noted that its complicated nature is successful in a counterintuitive way. Namely, this campaign “demonstrates an inversely proportional relationship between successful infection rates and asking people to complete complicated steps – the more steps required by the user, the less likely they are to complete the attack chain,” they explained. “However, despite being counterintuitive, the techniques used by the threat actors in this, and similar, campaigns help bypass fully automated threat detection systems.”

Proofpoint is forecasting that the threat actors behind BazaLoader and Trickbot will keep using these carefully crafted techniques in the future.


BazarLoader Malware Analysis

BazarLoader has been analysed in depth by cybersecurity researchers at AT&T Cybersecurity.

The BazarLoader authors have produced an advanced module, with a significant amount of obfuscation. The BazarLoader uses multiple routines to hide API calls and embedded strings, which are then decrypted and resolved at runtime.

Once executed, the loader will allocate memory to store and decrypt its shellcode, which will be allocated to a NUMA node for faster execution. After allocation and decryption, the next instructions will jump to the shellcode that will be executed on the heap.

Next, BazaLoader will try to communicate with .bazar domain C2 servers. Once the C2 has been established, the loader will try to inject its payload into a system process using the process hollowing technique (T1093), which will create a suspended thread, unmap the destination image from memory, allocate new memory in the target process, copy the shellcode into the target process, set the thread context, and resume the process.

The malware uses the Windows API function “VirtualAllocExNuma” to allocate the memory in which its shellcode is executed. “VirtualAllocExNuma” allocates memory on a specific NUMA node, which allows for faster execution. The implementation can be seen in Figure 1 below. It is interesting to note that “VirtualAllocExNuma” is not commonly used in process injection.

API Resolution and Shellcode Decryption Routines

The BazarLoader authors have created dozens of decryption routines: almost every string, including API names, DLL names and C2 addresses, has its own single-use decryption routine. The loader uses the same decryption technique described above to resolve the API calls it uses during execution.

For injection, the malware resolves APIs from ntdll.dll after loading it from disk, and checks that there are no inline hooks in those functions, such as the hooks that AV software places to track those API calls.

The load order of APIs called in the injection procedure is:

  • CreateProcessA (CREATE_SUSPENDED | CREATE_NEW_CONSOLE)
  • NtGetContextThread
  • NtReadVirtualMemory
  • NtUnmapViewOfSection
  • VirtualAllocExA
  • NtWriteVirtualMemory
  • NtSetContextThread
  • NtResumeThread
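The load order above, a suspended process creation followed by unmap, allocate, write, set-context and resume, is the signature a defender can look for in API telemetry, and the VirtualAllocExNuma allocation noted earlier is a second, independent indicator. The following detector is an added example written for this page, not code from the AT&T analysis; the (pid, api, flags) trace format and the sample trace are constructed assumptions about how sandbox or EDR hook telemetry would be exported.

```python
"""Flag the process-hollowing API sequence (and the unusual VirtualAllocExNuma
call) in an API-call trace.  Added example for this page, not AT&T's code.
The trace format, (pid, api_name, flags) tuples in call order, is an assumption
about how sandbox or EDR hook telemetry would be exported."""

# Order of calls that hollow a process, as listed above.  Calls between the
# steps (NtGetContextThread, NtReadVirtualMemory, ...) are allowed: the match
# is an ordered subsequence, not an exact run.
HOLLOWING_SEQUENCE = (
    "CreateProcessA",        # must carry CREATE_SUSPENDED
    "NtUnmapViewOfSection",
    "VirtualAllocEx",        # prefix: matches VirtualAllocExA and VirtualAllocExNuma
    "NtWriteVirtualMemory",
    "NtSetContextThread",
    "NtResumeThread",
)
# Allocators rarely seen in legitimate code that also creates suspended children.
UNUSUAL_ALLOCATORS = {"VirtualAllocExNuma"}


def detect_hollowing(trace):
    """Return {pid: [alert, ...]} for every process whose calls match."""
    progress = {}   # pid -> index of the next expected step
    alerts = {}
    for pid, api, flags in trace:
        if api in UNUSUAL_ALLOCATORS:
            alerts.setdefault(pid, []).append("numa_allocation")
        step = progress.get(pid, 0)
        if step == 0:
            # The chain only starts with a suspended child process.
            if api == "CreateProcessA" and "CREATE_SUSPENDED" in flags:
                progress[pid] = 1
            continue
        if api.startswith(HOLLOWING_SEQUENCE[step]):
            step += 1
            if step == len(HOLLOWING_SEQUENCE):
                alerts.setdefault(pid, []).append("process_hollowing")
                step = 0
            progress[pid] = step
    return alerts


# Constructed trace: pid 1337 follows the BazaLoader order above, including the
# two get-context/read calls in between; pid 4242 is an ordinary process that
# writes into a child it created without suspending it.
SAMPLE_TRACE = [
    (1337, "VirtualAllocExNuma", ""),
    (1337, "CreateProcessA", "CREATE_SUSPENDED|CREATE_NEW_CONSOLE"),
    (1337, "NtGetContextThread", ""),
    (1337, "NtReadVirtualMemory", ""),
    (1337, "NtUnmapViewOfSection", ""),
    (1337, "VirtualAllocExA", ""),
    (1337, "NtWriteVirtualMemory", ""),
    (1337, "NtSetContextThread", ""),
    (1337, "NtResumeThread", ""),
    (4242, "CreateProcessA", "CREATE_NEW_CONSOLE"),
    (4242, "VirtualAllocExA", ""),
    (4242, "NtWriteVirtualMemory", ""),
]

if __name__ == "__main__":
    print(detect_hollowing(SAMPLE_TRACE))
```

Matching an ordered subsequence rather than an exact run is what keeps the rule robust to the extra NtGetContextThread and NtReadVirtualMemory calls the page lists between the steps, and requiring CREATE_SUSPENDED on the first step is what keeps a normal parent writing into a running child from being flagged.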

The obfuscated C2 servers are decrypted in the function shown below:

C2 Domains forgame[.]bazar and bestgame[.]bazar

Protection

Education is also the key to defense against attacks like these. Outwitting social engineering attempts is the only guaranteed way not to fall victim to campaigns like BazarLoader. For times when a dupe may be unclear, it’s important to have the tools necessary to back you up. One of these tools is SaferNet.


StrRAT Fake Ransomware RAT Proliferates Via Email

StrRAT has been discovered by Microsoft Security, embedded within malicious PDFs which download the Java-based malware. StrRAT can steal credentials and change file names, though in reality, it doesn’t encrypt these files. Because StrRAT is a Remote Access Trojan (RAT), it has the capability to take control of a system. What makes the strain unusual is its habit of presenting itself as ransomware, when it has no such ability. The Microsoft Security Intelligence (MSI) team has outlined details of a “massive email campaign” delivering the StrRAT malware that they observed last week and reported in a series of tweets earlier this week.

“StrRAT is a Java-based remote access tool which steals browser credentials, logs keystrokes and takes remote control of infected systems—all typical behaviors of RATs” MSI researchers described in documentation posted on GitHub about the malware. The RAT also has a module to download an additional payload onto the infected machine based on command-and-control (C2) server command, they said.

StrRAT’s unique feature is that it boasts a “ransomware encryption/decryption module” that changes filenames in a way that would suggest that encryption is the next step. StrRAT appends the file name extension .crimson, but it does not actually encrypt the files.

To launch the campaign, attackers used compromised email accounts to send several different emails. Some of the messages use the subject line “Outgoing Payments.” Others refer to a specific payment supposedly made by the “Accounts Payable Department,” which is how the emails are signed.

The campaign includes several different emails that all use social engineering around payment receipts to encourage people to click on an attached file that appears to be a PDF but that actually has malicious intent.

One email informs the recipient that it includes an “Outgoing Payment” with a specific number – presumably, the attached PDF. Another addresses the message to a “Supplier” and appears to let the receiver know that “your payment has been released as per attached payment advice,” asking the recipient to verify adjustments made in the attached PDF.

In all of these cases, the attached file is not a PDF but instead connects to a malicious domain to download StrRAT. It then connects to the C2 server.

The version of the RAT that researchers observed was 1.5, which is “notably more obfuscated and modular than previous versions,” according to one of the tweets. However, it maintains the same backdoor functions as previous versions of StrRAT that researchers have observed. These include collecting browser passwords, running remote commands and PowerShell, and logging keystrokes, among others.

StrRAT Analysis

Note: The analysis of StrRAT was carried out by G DATA Software.

The infection starts with a rather ordinary spam email that has a malicious attachment named NEW ORDER.jar.

The email shows a relationship to the JAR file. It is not clear if the uploader of the email redacted the email body or if the threat actors didn’t want to take the time to add any content. It should be noted that Outlook prevents access to email attachments with a .jar extension. In this case, researchers applied a registry change to display it.

StrRAT Email

The NEW ORDER.jar is a simple dropper. It retrieves a VBScript from its resources, saves the script as bqhoonmpho.vbs in the user’s home directory, and executes it using wscript.exe.

The VBScript has a large string in it and uses PowerShell to replace characters in this string. The resulting base64 string is subsequently decoded and executed by PowerShell.

The unpacked layer is again a VBScript. This script copies the packed version of itself to %APPDATA%\edeKbMYRtr.vbs. It also downloads a Java Runtime Environment and registers it in the registry, so it may be prepared to infect systems that do not have Java installed. It even has a built-in check that runs javaw.exe with the -version parameter to verify that the JRE is version 1.6, 1.7 or 1.8.

The email attachment already requires a Java Runtime Environment (JRE) on the system, which means the current infection chain misses the opportunity to work regardless of whether a JRE is installed. If this VBScript is ever shipped with a different initial infection step, it may enable the RAT to run on more systems.

The RAT focuses on stealing credentials from browsers and email clients, and on capturing passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook and Thunderbird.

StrRAT also allows installation of RDPWrap. The file is downloaded from hxxp://wshsoft.company/multrdp(.)jpg. RDPWrap is an open-source tool that enables Remote Desktop Host support on Windows.

There is also a ransomware module.

The commands used for the ransomware component are rw-encrypt for “encrypting” files, rw-decrypt for “decrypting” files and show-msg for displaying the ransom note.

The ransomware “encryption” and “decryption” methods are in the class strpayload.l.

However, the so-called “encryption” only renames files by appending the .crimson extension. This may still work for extortion because such files can no longer be opened by double-clicking: Windows chooses the program that opens a file by its extension. Once the extension is removed, the files open as usual.
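Because this variant never touches file contents, recovery is a rename. The Python script below is an added example (not part of the G DATA analysis and not the RAT's own code) that walks a directory, strips the .crimson suffix and refuses to overwrite a file that already carries the original name, which matters when a user has already restored some files by hand. The directory it builds is constructed for the demonstration; the helper names are hypothetical.

```python
"""Recover files that StrRAT's ransomware module 'encrypted' by renaming.

Added example, not part of the G DATA analysis. The rw-encrypt command of
the analysed sample only appends the .crimson extension, so the contents
are intact and removing the suffix restores the file. This helper never
clobbers an existing file and reports every outcome for review.
"""
import tempfile
from pathlib import Path

CRIMSON_SUFFIX = ".crimson"


def restore_crimson_files(root: Path) -> dict:
    """Walk `root`, strip the .crimson suffix, return paths grouped by outcome."""
    result = {"restored": [], "skipped_exists": [], "skipped_empty_name": []}
    for path in sorted(root.rglob(f"*{CRIMSON_SUFFIX}")):
        if not path.is_file():
            continue
        original_name = path.name[: -len(CRIMSON_SUFFIX)]
        if not original_name:
            # A file literally named ".crimson" has no name to restore.
            result["skipped_empty_name"].append(str(path))
            continue
        target = path.with_name(original_name)
        if target.exists():
            # Never overwrite: the original name is already in use
            # (e.g. the user restored this file manually). Leave it for review.
            result["skipped_exists"].append(str(path))
            continue
        path.rename(target)
        result["restored"].append(str(target))
    return result


def build_demo_tree() -> Path:
    """Constructed sample directory imitating a post-infection layout."""
    root = Path(tempfile.mkdtemp(prefix="strrat_demo_"))
    (root / "docs").mkdir()
    # Renamed files keep their real headers because nothing was encrypted.
    (root / "docs" / "report.docx.crimson").write_bytes(b"PK\x03\x04 fake docx")
    (root / "photo.jpg.crimson").write_bytes(b"\xff\xd8\xff fake jpeg")
    # Collision case: both the original and the renamed copy exist.
    (root / "notes.txt").write_text("kept")
    (root / "notes.txt.crimson").write_text("renamed copy")
    # A file the malware never touched.
    (root / "untouched.pdf").write_bytes(b"%PDF-1.4")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    summary = restore_crimson_files(demo)
    for outcome, paths in summary.items():
        print(f"{outcome}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

The script is only correct for a variant that, like the one analysed here, renames without encrypting; before running it on a real share, confirm on a handful of files that the headers (the PK bytes of an Office document, the JPEG marker) are still present.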

There is no ransom note template in the client of the RAT. The attacker can display anything they like with the show-msg command. It is possible that the server provides ransom note templates.


Protection

StrRAT is yet another attack that relies on phishing and social engineering to succeed. The first line of defense against these attacks is education: learning how to spot fakes. These attacks are becoming more and more common, and it is important that business leaders and homeowners use the right tools to protect themselves from evolving threats. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.

Insurance Firm AXA Crippled By Avaddon Ransomware Days After Ceasing Ransomware Insurance

Avaddon Ransomware has taken down several branches of insurance giant AXA. Branches in Thailand, Malaysia, Hong Kong, and the Philippines have fallen victim to the ransomware strain, which has been stealing headlines in May. The Avaddon Ransomware group has claimed on their Dark Web leak site that they have stolen 3TB worth of sensitive data from AXA’s operations in Asia. Furthermore, the Avaddon Ransomware hackers are conducting an ongoing DDoS campaign against AXA’s global websites, making them inaccessible. Presumably, this will continue until the ransom is paid or the hackers otherwise stop their attacks.


Axa.com.hk still inaccessible days after the initial attack

There is a sense of irony in AXA getting hit: less than a week before the attack, AXA stated that it would drop reimbursement of ransomware extortion payments when underwriting cyber-insurance policies in France.

The Avaddon ransomware gang first announced in January 2021 that they would launch DDoS attacks to take down victims’ sites or networks until the victims reach out and begin negotiating to pay the ransom.

The Avaddon gang also threatened AXA that the insurance company had about ten days to communicate and cooperate with them, after which they would leak AXA’s valuable documents.

The company has hired a forensic team to investigate the incident and said it notified business partners as well as regulators while it prepares to support all of the clients who may have been impacted.

The group claims to have obtained 3 TB of data belonging to AXA including:

  • customer medical reports (including those containing sexual health diagnosis)
  • customer claims
  • payments to customers
  • customers’ bank account scanned documents
  • material restricted to hospitals and doctors (private fraud investigations, agreements, denied reimbursements, contracts)
  • Identification documents such as National ID cards, passports, etc.

Message on Avaddon’s leak site

Avaddon is a Ransomware as a Service (RaaS) operation that asks affiliates to follow certain rules and pays each one of them with 65% of the ransom payments they bring in, with the operators getting a 35% share.

Avaddon is actively leaking documents until the ransom is paid, as seen by passport leaks on its website.

The Avaddon ransomware gang follows the same MO as other ransomware groups: breaching the security of its target, exfiltrating data, locking the files on the victim’s systems, and demanding a ransom payment for a decryption key.

Avaddon ransomware samples were first found and identified in February 2019, with Avaddon starting the recruitment of affiliates in June 2020 after the launch of a massive spam campaign that was targeting users worldwide.

The attack comes days after SaferNet reported on a warning from the Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) about a global attack campaign being carried out by the gang.

Ransomware attacks on organizations continue to grow and cause disruptions for many with attackers demanding exorbitant ransom payments.

AXA has not yet commented on the ransom amount demanded by the Avaddon Ransomware gang.

Avaddon Ransomware Analysis

The analysis of Avaddon Ransomware was provided by TrendMicro.

Avaddon Ransomware was initially detected as Ransom.Win32.AVADDON.YJAF-A. A trojan (detected as Trojan.JS.AVADDON.YJAF-A) downloads the ransomware from malicious sites and runs it on the system. This has been reported in a series of Twitter posts by TMMalAnalyst.

The ransomware is propagated through emails with an attachment named IMG{6 random number}.jpg.js.zip that contains a JavaScript file named IMG{6 random number}.jpg.js.

Avaddon Sample Email

As seen in the preceding figure, the email body contains a single smiley. The emails for the Avaddon campaign also follow the footsteps of past malware campaigns that use particular subjects to spark the curiosity of the users, thus prompting them to open the message and download the attachment. Most of these emails have photo-related subjects, which might be particularly enticing for users at a time when gadgets with built-in cameras have now become widely available. These subjects include “Look at this photo!”, “You look good here”, “Is this you?” and similar enticing lines.
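Both lures on this page hide a script behind a document-looking name: StrRAT's NEW ORDER.jar and Avaddon's IMG{6 random numbers}.jpg.js inside a .zip. The Python below is an added example (not code from Trend Micro, G DATA, SaferNet or either malware family) of the attachment-name check a mail gateway or SOC enrichment step can apply: it flags script extensions, decoy double extensions such as .jpg.js and the Avaddon naming pattern, opens ZIP archives to inspect member names, and treats a file that claims to be a ZIP but is not one as suspicious. The sample archive and filenames are constructed, and the extension lists are an assumption about what a given environment wants to block.

```python
"""Score mail attachment names for the lures described in this article.

Added example; not code from Trend Micro, G DATA or either malware family.
Checks a filename (and, for a ZIP, every member name) for script-type
extensions, decoy double extensions such as .jpg.js, and the specific
IMG{6 digits}.jpg.js naming used by the Avaddon campaign.
"""
import io
import re
import zipfile

# Extensions Windows executes directly or hands to a script host / Java.
# Assumed block list; tune per environment.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                     ".jar", ".exe", ".scr", ".ps1", ".bat", ".cmd"}
# Extensions a lure uses to look like a harmless image or document.
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf",
                    ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Naming pattern reported for the Avaddon campaign: IMG + 6 digits + .jpg.js
AVADDON_LURE = re.compile(r"^IMG\d{6}\.jpg\.js$", re.I)


def extensions_of(name):
    """All dotted suffixes of a filename, lower-cased, in order."""
    base = name.rsplit("/", 1)[-1]  # ZIP members may carry a path
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def assess_name(name):
    """Classify one filename; returns {'name', 'block', 'reasons'}."""
    exts = extensions_of(name)
    reasons = []
    if exts:
        last = exts[-1]
        if last in SCRIPT_EXTENSIONS:
            reasons.append(f"script/executable extension {last}")
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS and last in SCRIPT_EXTENSIONS:
            reasons.append(f"decoy double extension {exts[-2]}{last}")
    if AVADDON_LURE.match(name.rsplit("/", 1)[-1]):
        reasons.append("matches Avaddon IMG{6 digits}.jpg.js naming")
    return {"name": name, "block": bool(reasons), "reasons": reasons}


def assess_attachment(filename, data):
    """Assess an attachment; ZIPs are opened and every member is assessed.

    Returns a list of assessments: one for the outer file, one per member.
    A file named .zip that is not a valid archive is flagged on its own.
    """
    results = [assess_name(filename)]
    if extensions_of(filename)[-1:] == [".zip"]:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    results.append(assess_name(member))
        except zipfile.BadZipFile:
            results[0]["block"] = True
            results[0]["reasons"].append("claims to be a ZIP but is not a valid archive")
    return results


def build_sample_zip():
    """Constructed archive mimicking IMG{6 digits}.jpg.js.zip from the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder content only; the member name is what matters here.
        zf.writestr("IMG482913.jpg.js", "// placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("IMG482913.jpg.js.zip", build_sample_zip()),
        ("NEW ORDER.jar", b""),
        ("payment_advice.pdf", b"%PDF-1.4"),
        ("photos.zip", b"not really a zip"),
    ]
    for fname, payload in samples:
        for a in assess_attachment(fname, payload):
            verdict = "BLOCK" if a["block"] else "allow"
            print(f"{verdict:5} {a['name']}: {'; '.join(a['reasons']) or 'no findings'}")
```

Note that the outer name IMG482913.jpg.js.zip is not flagged by itself, since .zip is a legitimate container; the verdict comes from the member name, which is why opening the archive rather than trusting the outer filename is the point of the check.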

After the attachment is downloaded and run, it uses a PowerShell command and the BITSAdmin command-line tool to download and run the ransomware payload. After this, the affected users will see that the ransomware has encrypted the files and appended the .avdn file extension. Users will see that their desktop wallpaper has been automatically changed to an image that states that “all your files have been encrypted” and refers to the ransom note: “Instruction 270015-readme.html” (following the {Encrypted Directory}{random numbers}-readme.html format).

Victim’s wallpaper after infection

The ransom note gives instructions on how the affected user can recover the encrypted files.

Note left by Avaddon Ransomware

This ransomware encrypts files found in the following folders:

  • Program Files\Microsoft\Exchange Server
  • Program Files (x86)\Microsoft\Exchange Server
  • Program Files\Microsoft SQL Server
  • Program Files (x86)\Microsoft SQL Server

It executes the following processes, which delete backup copies of the system and make it difficult to restore:

  • wmic.exe SHADOWCOPY /nointeractive
  • wbadmin DELETE SYSTEMSTATEBACKUP
  • wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  • bcdedit.exe /set {default} recoveryenabled No
  • bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  • vssadmin.exe Delete Shadows /All /Quiet
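The command list above is the most reliable detection opportunity in the chain, because it runs before the ransom note appears. The Python below is an added example (not from the Trend Micro analysis) that matches process-creation records against those commands and escalates when several distinct techniques share one parent process, since a lone vssadmin or wbadmin call is routine administration. The key=value log format and the sample lines are constructed for the example; real telemetry (Sysmon Event ID 1, Windows Security event 4688) carries the same fields under other names, and the rule names are hypothetical.

```python
"""Detect backup/recovery-inhibition commands in process-creation logs.

Added example, not part of the Trend Micro Avaddon analysis. The rule set
covers the commands listed above; the log layout below is a constructed
key=value format standing in for Sysmon Event ID 1 or Security 4688 records.
"""
import re
from collections import defaultdict

# One regex per technique; the names are hypothetical rule identifiers.
INHIBIT_RECOVERY_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b", re.I)),
    ("wbadmin_delete_backup",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(systemstatebackup|catalog)\b", re.I)),
    ("bcdedit_recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b", re.I)),
]

LOG_LINE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) '
    r'image="(?P<image>[^"]*)" cmd="(?P<cmd>[^"]*)"$'
)

# Constructed sample: the five commands from the list above, all spawned by
# one parent on WS01, plus benign activity on WS02 (a read-only vssadmin
# query and notepad) that must not alert.
SAMPLE_LOG = r"""
2021-05-17T09:12:03Z host=WS01 pid=4120 ppid=3988 image="C:\Windows\System32\vssadmin.exe" cmd="vssadmin.exe Delete Shadows /All /Quiet"
2021-05-17T09:12:03Z host=WS01 pid=4128 ppid=3988 image="C:\Windows\System32\wbem\WMIC.exe" cmd="wmic.exe SHADOWCOPY /nointeractive"
2021-05-17T09:12:04Z host=WS01 pid=4136 ppid=3988 image="C:\Windows\System32\wbadmin.exe" cmd="wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"
2021-05-17T09:12:04Z host=WS01 pid=4140 ppid=3988 image="C:\Windows\System32\bcdedit.exe" cmd="bcdedit.exe /set {default} recoveryenabled No"
2021-05-17T09:12:05Z host=WS01 pid=4144 ppid=3988 image="C:\Windows\System32\bcdedit.exe" cmd="bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
2021-05-17T08:00:00Z host=WS02 pid=2200 ppid=900 image="C:\Windows\System32\vssadmin.exe" cmd="vssadmin.exe list shadows"
2021-05-17T08:00:07Z host=WS02 pid=2208 ppid=900 image="C:\Windows\System32\notepad.exe" cmd="notepad.exe C:\Users\alice\todo.txt"
"""


def parse_line(line):
    """Return the fields of one log record as a dict, or None if malformed."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def classify(cmd):
    """Names of every rule the command line matches, in rule order."""
    return [name for name, rx in INHIBIT_RECOVERY_RULES if rx.search(cmd)]


def scan(lines):
    """Group rule hits by (host, parent pid) and assign a severity.

    One matching command under a parent is 'medium' (could be an admin);
    two or more distinct techniques under the same parent is 'high',
    which is the burst pattern the command list above describes.
    """
    rules_by_parent = defaultdict(set)
    commands_by_parent = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        rules = classify(event["cmd"])
        if not rules:
            continue
        key = (event["host"], event["ppid"])
        rules_by_parent[key].update(rules)
        commands_by_parent[key].append(event["cmd"])
    alerts = []
    for (host, ppid), rules in sorted(rules_by_parent.items()):
        alerts.append({
            "host": host,
            "ppid": ppid,
            "rules": sorted(rules),
            "commands": commands_by_parent[(host, ppid)],
            "severity": "high" if len(rules) >= 2 else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(f"[{alert['severity'].upper()}] {alert['host']} parent pid {alert['ppid']}: "
              f"{', '.join(alert['rules'])}")
        for cmd in alert["commands"]:
            print("    ", cmd)
```

Correlating on the parent process rather than on each command is what keeps the rule usable: backup software and administrators legitimately run single vssadmin or wbadmin commands, but several different recovery-inhibition commands fired within seconds from one parent is the ransomware pattern.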

It terminates services and processes, many of which are related to scanning, storing and retrieving files, and scheduling tasks.

Protection

The attack vector for Avaddon Ransomware is extremely common: a phishing email intended to trick the user into opening a file. It is important that business owners and families exercise caution when it comes to opening emails from unknown senders, and that employees and family members are educated to understand the risks.

Sometimes phishing emails will be successful, no matter how well the human is trained to spot them. To avoid falling into this trap, use SaferNet.
