Crowd Strikes with Claroty for ICS

A partnership has been announced between Claroty and CrowdStrike, resulting in an integration between the Claroty Platform and the CrowdStrike Falcon platform.

The integration will deliver visibility into industrial control system (ICS) networks and endpoints. ICS threats can be detected across the IT/OT boundary without the need for added connectivity, signature reconfiguration, or manual updates — resulting in more efficient IT/OT security governance, according to the two partnering companies.

IT and OT have converged even further, and digital transformation has caused once-isolated OT networks to become interconnected with the rest of the enterprise through the IT network. Resulting in attack surface widen

The integration delivers IT/OT visibility and threat detection for ICS networks through Claroty’s OT expertise and monitoring technology, as well as CrowdStrike’s IT endpoint telemetry.

“This integration with Claroty allows our customers to leverage the CrowdStrike Falcon platform to improve the security posture of their OT environments, bridging the gap between IT and OT.”

Key capabilities include:

Threat detection

Asset discovery and enrichment

Stantinko Bots Targets Russia

An adware and coin-miner botnet targeting Russia, Ukraine, Belarus, and Kazakhstan. the trojan masquerades as HTTPd, a commonly used program on Linux servers, and is a new version of the malware belonging to a threat actor tracked as Stantinko.

Stantinko has been traditionally a Windows malware, the expansion in their toolset to target Linux didn’t go unnoticed, but observed to be a Linux proxy version .

Upon execution, “httpd” validates a configuration file located in “etc/pd.d/proxy.conf” that’s delivered along with the malware, following it up by creating a socket and a listener to accept connections from what the researchers believe are other infected systems.

An HTTP Post request from an infected client paves the way for the proxy to pass on the request to an attacker-controlled server, which then responds with an appropriate payload that’s forwarded by the proxy back to the client.

In the event a non-infected client sends an HTTP Get request to the compromised server, an HTTP 301 redirect to a preconfigured URL specified in the configuration file is sent back.

Stating that the new version of the malware only functions as a proxy, Stantinko is the latest malware targeting Linux servers to fly under the radar, alongside threats such as Doki, IPStorm and RansomEXX.

Manchester United FC Attacked

disclosed a cyber attack, but according to the football club it is not “currently aware of any breach of personal data associated with our fans and customers”.

The club confirmed the security breach on Friday evening, it shut down its systems to prevent the malware from spreading within.

“Manchester United confirm that the club has experienced a cyber attack on our systems. The club has taken swift action to contain the attack and is currently working with expert advisers to investigate the incident and minimise the ongoing IT disruption.” reads a statement issued by the Manchester United and reported by The Guardian.

Although this is a sophisticated operation by organised cyber criminals, the club has extensive protocols and procedures in place for such an event and had rehearsed for this eventuality. Our cyber defences identified the attack and shut down affected systems to contain the damage and protect data.”

“Club media channels, including our website and app, are unaffected and we are not currently aware of any breach of personal data associated with our fans and customers.”

“We are confident that all critical systems required for matches to take place at Old Trafford remain secure and operational and that tomorrow’s game against West Bromwich Albion will go ahead.”

“These type of attacks are becoming more and more common and are something you have to rehearse for.” said a spokesman for the club.

RaaS landscape widens

Ransomware-as-a-Service is a cyber-security term referring to criminal gangs that rent ransomware to other groups, either via a dedicated portal or via threads on hacking forums.

RaaS portals work by providing a ready-made ransomware code to other gangs. These gangs, often called RaaS clients or affiliates, rent the ransomware code, customize it using options provided by the RaaS, and then deploy in real-world attacks via a method of their choosing.

These methods vary between RaaS affiliate and can include email spear-phishing attacks, en-masse indisciriminate email spam campaigns, the use of compromised RDP credentials to gain access to corporate networks, or the use of vulnerabilities in networking devices to gain access to internal enterprise networks.https://9decc16ac028a02c144f7ab21dc2da2a.safeframe.googlesyndication.com/safeframe/1-0-37/html/container.html

Payments from these incidents, regardless of how the affiliates managed to infect a victim, go to the RaaS gang, who keeps a small percentage and then forwards the rest to the affiliate.

RaaS offerings have been around since 2017, and they have been widely adopted as they allow non-technical criminal gangs to spread ransomware without needing to know how to code and deal with advanced cryptography concepts.

The RaaS tiers

According to a report published today by Intel 471, there are currently around 25 RaaS offerings being advertised on the underground hacking

While there are ransomware gangs who operate without renting their “product” to other groups, the number of RaaS portals available today far exceeds what many security experts thought could be available and shows the plethora of options that criminal gangs have at their disposal if they ever choose to dip their toes in the ransomware game.

But not all RaaS offerings provide the same features. Intel 471 says it’s been tracking these services across three different tiers, depending on the RaaS’ sophistication, features, and proven history.

Tier 1 is for the most well-known ransomware operations today. To be classified as a Tier 1 RaaS, these operations had to be around for months, proven the viability of their code through a large number of attacks, and continued to operate despite public

This tier includes the likes of REvil, Netwalker, DopplePaymer, Egregor (Maze), and Ryuk.

With the exception of Ryuk, all Tier 1 operators also run dedicated “leak sites” where they name-and-shame victims as part of their well-oiled extortion cartel.

These gangs also use a wide variety of intrusion vectors, each depending on the type of affiliates they recruit. They can breach networks by exploiting bugs in networking devices (by recruiting networking experts), they can drop their ransomware payload on systems already infected by other malware (by working with other malware cartels), or they can gain access to company networks via RDP connections (by working with brute-force botnet operators or sellers or compromised RDP credentials).null

Tier 2 is for RaaS portals that have gained a reputation on the hacking underground, provide access to advanced ransomware strains, but have yet to reach the same number of affiliates and attacks as Tier 1 operators.

This list includes the likes of Avaddon, Conti, Clop, DarkSide, Mespinoza (Pysa), RagnarLocker, Ranzy (Ako), SunCrypt, and Thanos — and these are effectively the up-and-comers of the ransomware world.

raas-tier-2.png

Tier 3 is for newly launched RaaS portals or for RaaS offerings about which there’s limited to no information available. In some cases, it is unclear if any of these are still up and running or if their authors gave up after trying and failing to get their portals off the ground.null

This list currently includes the likes of CVartek.u45, Exorcist, Gothmog, Lolkek, Muchlove, Nemty, Rush, Wally, Xinof, Zeoticus, and (late arrival) ZagreuS.

raas-tier-3.png

All in all, while the underground cybercrime ecosystem is generating profits through criminal activity, it is still a market, and, just like all markets, it is governed by the same principles that guide any other market today.

A large number of service providers is the tell-tale sign of a booming economy that is far from being saturated. Saturating the RaaS market will only happen when criminals create more RaaS portals than affiliate groups are willing to sign up for or when companies bolster their security measures, making intrusion harder to carry out, drying up profits for crooks.

Source : zdnet