Ransom Gangs with Network Sellers collaboration. Deadly combođź‘ą

Accenture Cyber Threat Intelligence team outlined a trend of collaboration between network access sellers and ransomware gangs. Several cybercriminals are increasingly offering initial network access to already-compromised companies used by Ransomware gangs

Deadly deals

Researchers have warned that hackers are seen selling credentials for RDP connections, Citrix, and Pulse Secure VPN clients to ransomware groups such as Avaddon, Exorcist, Lockbit, Maze, NetWalker, and Sodinokibi.

  • Ransomware operators get direct access to corporate and government networks. Thus, they can concentrate on establishing persistence and moving laterally.
  • The network-access sellers have been observed using attack vectors such as remote working tools, zero-day exploits, or malware such as Cerberus Trojan to attempt corporate network access in the future.
  • The network access credentials are usually offered between $300 and $10,000, depending on the size and revenue of the victim.

The destructive relationship

Accenture has tracked more than 25 persistent network access sellers, as well as the occasional one-off seller, with more entering every week.

  • In August, four actors were seen utilizing the source code of Cerberus Trojan to gain corporate and government network access credentials, which they sold to other cybercrime groups for a handsome profit.
  • In July, the threat actor Frankknox aborted a sale of a self-developed Zero-day targeting a well-known brand of a mail server and began exploiting the vulnerability to gain corporate network access to multiple victims. Until September, Frankknox has advertised access to 36 corporations for between $2,000 and $20,000, of which at least 11 they claim to have sold.

CHERI Architecture đź’­Microsoft think to reduce Patches count

Microsoft has just completed a study of an experimental architecture that it now thinks would have mitigated about two-thirds of the memory-safety vulnerabilities fixed in 2019. 70% of the bugs are of memory safety bugs happened when software access the memory

The abundance of memory-safety bugs is one reason Microsoft is exploring the Rust programming language as a potential replacement for some Windows components written in C++.

Rewriting old code in another language like Rust is one option. Another option in Microsoft’s “quest to mitigate memory-corruption vulnerabilities” is CHERI or Capability Hardware Enhanced RISC (reduced instruction set computer) Instructions.

CHERI provides memory-protection features against many exploited vulnerabilities, or in other words, an architectural solution that breaks exploits.

The group assessed the “theoretical impact” of CHERI on all the memory-safety vulnerabilities that Microsoft received in 2019 and concluded that it would have “deterministically mitigated” at least two-thirds of all those issues.

Its memory-protection features allow historically memory-unsafe programming languages such as C and C++ to be adapted for protection against widely exploited vulnerabilities.

CHERI ISA has the potential to save Microsoft a lot of money in delivering security patches in each month’s Patch Tuesday update, which regularly exceed 100 patches a month.

With additional mitigations recommended in its research paper, Microsoft also estimates the CHERI protections could have deterministically mitigated nearly half the vulnerabilities the MSRC addressed through a security update in 2019.

IPStorm Bots are Anonymous

While botnets have been used for anything from performing DDoS attacks to stealing data and even sending spam, Researchers have found signs that the Interplanetary Storm botnet could be used for different purposes

This Golang-written botnet could be used as an anonymization proxy-network-as-a-service and potentially rented using a subscription-based model.

While the botnet has come under previous scrutiny, constant monitoring of the development lifecycle of Interplanetary Storm has revealed that threat actors are both proficient in using Golang and development best practices, and well-versed at concealment of management nodes.

Interplanetary Storm also has a complex and modular infrastructure designed to seek and compromise new targets, push and synchronize new versions of the malware, run arbitrary commands on the infected machine and communicate with a C2 server that exposes a web API.

IPStorm propagates by attacking Unix-based systems (Linux, Android and Darwin) that run Internet-facing SSH servers with weak credentials or unsecured ADB servers.

Key findings:

  • Botnet potentially rented as an anonymous proxy network
  • Built to use compromised devices as proxies
  • Botnet mapping reveals global presence
  • Rented using multi-tier subscription-based pricing model
  • More than 100 code revisions to date
  • Detailed analysis of the infrastructure behind the Interplanetary Storm botnet

Mac ,Linux Malwares are like Sweet Pancakes

Threat actors continuously updating their code with new threat vectors and obfuscation techniques is nothing new. A surge in malware targeting particular device groups reveals much about the shifting paradigm.

TeamTNT reinforces Black-T

TeamTNT is known to exfiltrate AWS credential files on compromised cloud systems and mine for Monero (XMR). 

  • Unit 42 researchers came with a new variant of cryptojacking malware named Black-T, the brainchild of the TeamTNT cybercrime group, boosting its capabilities against Linux systems.
  • The added potential includes memory password scraping via mimipy (works on Windows/Linux/OSX) and mimipenguin (Linux desktop)—two open-source Mimikatz equivalents targeting *NIX desktops.

IPStorm prepares for thunders

The IPStorm botnet has been targeting Windows systems until now. Its size has quadrupled from around 3,000 systems in May 2019 to more than 13,500 devices by September end.

  • IPStorm now boasts of newer versions targeting Android, Linux, and Mac devices.
  • Linux and Mac devices are infected after the gang performs a brute-force technique against SSH services.
  • However, the Android systems are infected when the malware scans the internet for devices that had left their ADB (Android Debug Bridge) port exposed online.

FinSpy’s malware spin

A new surveillance campaign was reported targeting Egyptian civil society organizations.

  • FinSpy, also known as FinFisher, used new variants that target macOS and Linux users. The spyware already had tools for Windows, iOS, and Android users.
  • Besides keylogging, call interception, and screen recording, the malware’s additional capabilities included stealing emails by installing a malicious add-on to Apple Main and Thunderbird and collecting Wi-Fi network information.

Concluding phrase

Cybercriminals unfurling tools targeting Linux and Mac devices put a dent in the broadly held opinion that those operating systems are more secure and not susceptible to malicious code, unlike others. Experts recommend checking network settings and avoiding using unnecessary online applications to ensure safety. Other useful tips include configuring the firewall, filtering traffic, and protecting locally stored SSH keys used for network services.