#MOVEit Transfer
New MOVEit transfer vulnerabilities that require patching (2024) - CyberTalk
New Post has been published on https://thedigitalinsider.com/new-moveit-transfer-vulnerabilities-that-require-patching-2024-cybertalk/
EXECUTIVE SUMMARY:
Remember last year’s MOVEit meltdown? Get ready for a reprise…
For anyone who missed last year’s madness, MOVEit Transfer is a popular managed file transfer product sold by Progress Software, which provides business applications and services to more than 100,000 organizations globally.
In 2023, the software code for the MOVEit Transfer product was found to contain multiple vulnerabilities, leading to a rash of ransomware attacks, and data exposure for thousands of organizations.
The level of business exploitation was so severe that it impacted the results of this year’s “Data Breach Investigations Report” (DBIR) from Verizon.
Earlier this month, Progress Software contacted users about two high-severity vulnerabilities, CVE-2024-5805 and CVE-2024-5806. Both are categorized as authentication bypass-style vulnerabilities. Each one has been assigned a 9.1 severity score.
To allow adequate time for patching, the information was under embargo until June 25th. This appears to have been a wise move, as just hours after being made public, at least one vulnerability is seeing active exploit attempts in the wild.
The Shadowserver Foundation has detected exploitation attempts that home in on honeypot systems, in particular.
The new bugs
“To be clear, these vulnerabilities are not related to the zero-day MOVEit Transfer vulnerability we reported in May 2023,” said a Progress Software spokesperson.
CVE-2024-5806 is an improper authentication vulnerability in MOVEit’s SFTP module, which can potentially lead to authentication bypass in some instances.
Cyber security researchers have noted that this CVE could be weaponized to “impersonate any user on the server.”
CVE-2024-5805 is another SFTP-associated authentication bypass vulnerability, which affects MOVEit Gateway version 2024.0.0.
Action items
As a cyber security leader, have your team check on whether or not your MOVEit Transfer software is up-to-date. Patches are available for all vulnerabilities.
Communicate to your team that these vulnerabilities are a priority, as they have serious business implications. If patching hasn’t yet been completed, emphasize the importance of patching quickly. After patching, confirm successful implementation.
Additional considerations
Reassess your organization’s vulnerability to ransomware attacks. Take a layered approach to cyber security and consider additional cyber security measures. You might want to invest in proactive processes like vulnerability assessments and red teaming. In addition, review and update your incident response plan so as to address potential MOVEit Transfer exploitation attempts.
Further information
As compared to the MOVEit Transfer exposure numbers from last year, experts say that the numbers appear similar – the geographies and networks where MOVEit Transfer is observed also mirror those of the 2023 incident.
See CyberTalk.org’s past MOVEit Transfer coverage here. Get more insights into software supply chain vulnerabilities here.
Lastly, to receive cyber security thought leadership articles, groundbreaking research and emerging threat analyses each week, subscribe to the CyberTalk.org newsletter.
On the eve of the anniversary of a massive, world-wide cybersecurity breach, the Nova Scotia government says the response to the MOVEit hack cost the province $3.8 million. The breach occurred May 30 and May 31, 2023, and affected multiple organizations and millions of people around the globe. The online hack involved a file transfer service called MOVEit, which is used by the private sector and governments, including Nova Scotia. The software is made by Burlington, Massachusetts-based company Ipswitch and allows organizations to transfer files and data between employees, departments and customers. In a news release Wednesday promoting the final report into the online hack, Nova Scotia’s minister in charge of Cyber Security and Digital Solutions said the province has learned a number of lessons from the MOVEit breach. [...]
Tagging: @newsfromstolenland
Exploit Attempts Recorded Against New MOVEit Transfer Vulnerability - Patch ASAP!
Source: https://thehackernews.com/2024/06/new-moveit-transfer-vulnerability-under.html
More info: https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806
In 2023, the world has felt like it was balanced on a precipice. A United States presidential election looms, with a resurgent candidate that threatens to bring with him all the chaos of 2016 and 2020. Artificial intelligence developed so quickly that it seemed to have suddenly sprung into being, heralding vast societal promise and disruption just around the bend of its exponential curve. And the world's richest man continued to use his power to push for a more reckless tech world, from free-for-all social media and oversold assisted-driving features to AI with a “rebellious streak.”
In the midst of that uncertainty, a new war between Israel and Hamas added more atrocities alongside the slow-burning horrors of Russia's invasion of Ukraine. These wars have echoed across the internet in propaganda, hate speech, and cyberattacks that triggered widespread real-world effects. Chinese state-sponsored hackers, meanwhile, sowed the seeds for a future cyberwar, and ransomware gangs resurged. It was a banner year for chaos, present and impending, and all reflected in the digital mirror.
Each year, WIRED assembles a list of the most dangerous people, groups, and organizations on the internet—both those who intentionally endanger innocent people and those whose actions, regardless of their intent, destabilize the world as we know it in myriad ways. Here, in no particular order, are our picks for 2023.
Elon Musk
A year ago, it might have still been fair to regard Elon Musk as a brilliant technologist with occasional destructive, trollish tendencies. In 2023, those tendencies seemed to take over his public identity. Twitter, now renamed X thanks to Musk's branding whims, this year invited back conspiracy theorists like Alex Jones and even amplified one account's antisemitic statements. When advertisers complained, Musk managed in a single conversation to both apologize for that blunder and tell them, “Go fuck yourself.”
Before that, in July, Musk had said that his social media platform's ad revenue had fallen by half—all of which calls into question whether this once-central platform for online conversation will survive Musk's reign, and in what form.
In the midst of that meltdown, Musk's new startup xAI released Grok, an AI chatbot Musk celebrated for having fewer guardrails than OpenAI's ChatGPT. Musk faces calls for an SEC investigation for his comments about how monkeys died in experiments carried out by his brain implant startup Neuralink. And in mid-December, Tesla recalled nearly every model of its vehicles sold in the US to fix an Autopilot feature. The National Highway Traffic Safety Administration found that Tesla's safety measures for assuring that drivers were paying attention—which many no doubt were not, perhaps thanks in part to Musk's own descriptions of the assisted-driving feature—were inadequate.
Five years ago, WIRED put Musk's face on the cover with a story that described his Dr. Jekyll and Mr. Hyde personality. These days, it's becoming clearer which side of that split personality dominates.
Cl0p
In 2023, ransomware resurged. According to cryptocurrency firm Chainalysis, it appears to be on track to be the second-worst year on record in terms of total extortion payments collected by the ransomware industry's coercive gangs of hackers. But perhaps no group did more damage this year than the people behind the Cl0p malware.
In May, the Cl0p gang began exploiting a zero-day vulnerability in the MOVEit file transfer software and used it to carry out a shocking spree of intrusions across more than 2,000 organizations, according to ransomware-focused security firm Emsisoft. A single victim, medical firm Maximus, lost control of the data of at least 8 million people in the breach. The hackers stole data from the state government of Maine on another 1.3 million. In total, at least 62 million people were affected, and Cl0p's hackers remain at large.
Alphv
If Cl0p were the most ruthless ransomware hackers of the year, Alphv, also known as Black Cat, were certainly in close contention. The group, which has ties to the hackers who carried out the 2021 cyberattack on the Colonial Pipeline, gained a new level of notoriety in September when it targeted MGM Resorts International, shutting down computer systems across the hotel and casino chain and ultimately doing $100 million in damage, by MGM's estimate. More broadly, the FBI says that Alphv has compromised over a thousand organizations and extracted more than $300 million in ransoms.
In mid-December, the FBI announced that it had seized the dark-web site where Alphv publishes its victims’ stolen data. Hours later, the site reappeared, and Alphv defiantly announced it had “unseized” it and would no longer abide by a rule not to target critical infrastructure systems. The site was soon taken down again. But given that no members of the group have been arrested or even indicted in absentia, its chaos will likely continue.
Hamas
No event of 2023 has shaken geopolitics as suddenly and shockingly as Hamas' atrocities against civilians in Southern Israel on October 7. The attacks, in which Hamas militants killed 1,200 people and took hundreds of hostages, immediately triggered a war that threatens to destabilize the region. It has also shaken the tech world, where it has raised questions about the digital technologies that have enabled Hamas, from the millions of dollars the group raised via cryptocurrency to its channels on Telegram, where it distributes propaganda and videos of its violence. When ISIS came to prominence in 2014, it forced every technology platform in the world to question whether and how it enabled extremist violence. Now, a decade later, a new round of horrific bloodletting shows how that reckoning continues.
Sandworm
Despite sanctions, indictments, and even a $10 million bounty, Russia's team of hyper-aggressive military intelligence hackers known as Sandworm are still out there—and still active. As Russia's invasion of Ukraine grinds toward its third brutal year, in fact, they appear to have turned their focus to that conflict.
This year, Sandworm was revealed to have carried out a third blackout cyberattack against a Ukrainian electric utility, this time in the midst of a Russian air strike hitting the same city. It later penetrated Ukrainian military communications in a more traditional espionage-focused effort to gain an advantage during Ukraine's counteroffensive. And evidence points to Sandworm's responsibility for a cyberattack just this month that hit the telecom Kyivstar, taking out internet and mobile communications for millions amid another series of strikes. The group, in other words, continues to earn its reputation as the Kremlin's most dangerous hackers.
Volt Typhoon
For years, the cybersecurity community has asked itself who might be the “Sandworm of China.” This year provided perhaps the closest thing yet to an answer. The hacker group dubbed Volt Typhoon by Microsoft was revealed in May to have planted malware in power grid networks across the continental US and Guam, in some cases with an apparent eye toward controlling the flow of electricity to US military bases. More recently, The Washington Post revealed that Volt Typhoon's targets have extended to other kinds of critical infrastructure too, from an oil and gas pipeline to a major West Coast port and a Hawaiian water utility.
While the intentions of the group and its overseers are still far from clear, cybersecurity and geopolitical analysts increasingly see it as laying the groundwork to disrupt key US systems in the event of a crisis—such as China invading Taiwan.
Donald Trump
Last year, for the first time since 2015, Donald Trump was not included on this list. Hope you enjoyed the break!
Less than 11 months out from the 2024 US presidential election, Trump leads Republican primary polls by a wide margin. He has used his rekindled relevance to launch disturbing attacks on his perceived enemies, largely from his own right-wing-dominated Truth Social platform.
In posts there, he has vowed, if elected, to launch federal investigations into media companies and journalists that criticize him and to prosecute President Biden. He has ranted about the wife of one of the judges overseeing a civil trial against him for fraud charges and blamed his political opponents for the criminal charges he faces for allegations of election interference and improper handling of classified information. And he has continued to tout his discredited claims of winning the 2020 election, which the US Department of Justice says fueled the January 6, 2021, storming of the US Capitol.
More to the point, all of this may be finding a receptive audience among Trump's base. That means it could help usher in another presidency of the kind that pulled the US out of the Paris Agreement on climate change, instituted a “Muslim ban” and family separation border policy, dismantled pandemic protections, and denied the seriousness of Covid-19 as hundreds of thousands of Americans died. Here we go again.
Israel Defense Forces
Since October 7, Israel's military has responded to Hamas' invasion of Israel with attacks that have killed at least 20,000 Palestinians—largely women and children—displaced nearly 2 million of Gaza's inhabitants, and cut off the flow of food, water, and medicine to the region. It has also at times taken out Gaza's telecommunications and internet to leave it in a near-total information blackout, even as it claims it's using those communication tools to warn civilians about its impending attacks on their homes.
In the midst of all of this, Israel's propaganda machine has been working to shape the public narrative about its military operations, from promoted tweets by the IDF in support of its campaign in Gaza appearing on X to Israeli accounts going so far as to claim that Palestinian deaths have been staged with dolls made to look like dead infants. All of that has played a role in silencing global criticism of the IDF's actions even as the death toll from its war against Hamas stretches an order of magnitude beyond that of Hamas' October 7 atrocities.
Sam Altman
Running the company that's arguably leading the race to develop the most disruptive technology ever imagined is enough to qualify anyone as one of the most dangerous people to exist—not just this year but in human history. Setting that small point aside, Altman might seem at a glance like the most benign personality imaginable to serve as OpenAI's CEO. He has chosen, surprisingly, to take no equity stake in the company. He argues for more government regulation of AI in interviews and congressional hearings. He genuinely seems to believe in a flourishing future for humanity in a post-singularity world.
But November's brief and dramatic power struggle within OpenAI exposed a less reassuring side to the company's leader and the newly consolidated circle of power that surrounds him. Altman had argued in the past that the strange structure of OpenAI, with a nonprofit overseeing a for-profit company, offered a form of self-restraint that would keep the company's technological ambitions on a safety-conscious leash. But when Altman was fired by OpenAI's board and almost immediately wrested back control of the company while ousting several board members—including two ethics-focused effective altruists—the leash snapped. OpenAI, in this new era, is now firmly under the control of one man and his executive team, as well as Microsoft, his $2.8 trillion corporate ally and investor.
So let's hope his plan for the future of this world-flipping technology is a good one. Either way, it will be very hard to stop him.
Predatory Sparrow
The group that calls itself Predatory Sparrow, a translation from the Persian Gonjeshke Darande, is hardly a household name in the cybersecurity world. But it raised alarms in 2022 when it carried out a cyberattack on several Iranian companies, including a steel mill where it claimed—and posted video to show—that it had somehow started a fire in the facility. The group, which styles itself as hacktivists but which the Iranian government has claimed is linked to the Israeli state, also leaked a collection of documents stolen in those breaches that the hackers said revealed the companies’ connections to the Iran Revolutionary Guard Corps.
Now, in the wake of the Israel-Hamas war, and as Houthi rebels fire Iranian missiles at Israel, Predatory Sparrow has carried out a second major cyberattack against Iran, this time reportedly disabling as many as 70 percent of gas stations across the country. This will be one to watch.
BSI warns: another critical vulnerability in MOVEit's FTP module
Back in 2023, MOVEit made headlines because of severe security flaws, particularly in its FTP module. The Cl0p group exploited the flaw and immediately attacked many companies. Now there is once again a critical flaw with a CVSS score of 9.1 out of 10, and once again active attacks are already under way. For many companies that use MOVEit it feels like déjà vu: just last year, several vulnerabilities led to attacks by the Cl0p group. Large amounts of data were stolen and offered for sale online. Now the BSI is warning again about a new vulnerability in the SFTP module and is calling for immediate patching. CVE-2024-5806 describes the flaw in the MOVEit Transfer product and has been rated "critical" with a CVSS base score of 9.1. Remote attackers can bypass authentication and thereby gain access to confidential data (read, modify, delete).
Active attacks on MOVEit are already under way
According to current knowledge, attackers need to know a user name that is permitted to authenticate from outside, and the SFTP service must be exposed. However, shortly after publication, attempts to exploit CVE-2024-5806 were detected by the Shadowserver group. The BSI is calling on companies that use MOVEit to apply the available patch immediately:
- For MOVEit Transfer, versions 2023.0.11, 2023.1.6 and 2024.0.2 protect against CVE-2024-5806.
- For MOVEit Gateway, version 2024.0.1 is available to close CVE-2024-5805.
Comment from Trend Micro
Almost exactly a year ago, in May and June 2023, Move-IT was at the top of the IT security headlines. Back then it was also about vulnerabilities. Back then, too, attacks followed quickly. Back then, too, the BSI issued a warning. The more attention a cyber attack attracts in those circles, the greater the urge to imitate it.
And the 2023 Move-IT attack was a big one. The perpetrators, an underground organization called "Clop", stole data from around 1,000 companies, including many in the financial and energy sectors. For weeks there was news about it, as companies kept announcing that they too were affected. And money flowed: according to investigations by the firm Chainalysis, it amounted to millions.
Vulnerabilities as a business model
In 2023, more than 28,000 vulnerabilities were assigned a CVE number. The most attractive vulnerabilities are those in widely used products that are easy to use. When something like that appears, attackers pounce on it. But of course everyone else does too. And since market laws such as supply and demand also apply among criminals, the number of vulnerable "customers" shrinks depending on the number of criminal attackers. A large proportion of the 28,000 vulnerabilities mentioned are therefore not necessarily "new" in the sense of "unforeseeable". When flaws are closed because they are considered extremely dangerous or are already being exploited by attackers, speed counts. One first closes what is most necessary and patches the rest as soon as there is room to breathe, or when new attackers force the issue. The cat-and-mouse game goes on, and the real victims, the companies that have to install these patches, can no longer keep up. The so-called "Mean Time to Patch" (MTTP), the average time to roll out a patch, is around 33 days for flaws classified as dangerous. The speed of attacks, even for "normal" patches, meaning those the affected vendor finds and publishes itself, is in the range of hours. So says Richard Werner, Security Advisor at Trend Micro.
MOVEit Transfer Seeing Exploit Attempts Via New Critical Vulnerability: Researchers http://dlvr.it/T8pBFn
New MOVEit Transfer Vulnerability Under Active Exploitation - Patch ASAP!
http://i.securitythinkingcap.com/T8p6M7
Ransomware Victims Pay Out a Record-Breaking $1.1 Billion in 2023
The Escalation of Ransomware Attacks in 2023
Throughout 2023, malicious actors specializing in ransomware significantly amplified their assault on prominent entities and essential infrastructure. These included healthcare facilities, educational institutions, and government bodies. Noteworthy supply chain attacks, exploiting widely used file transfer software such as MOVEit, affected a broad spectrum of organizations – from broadcasting giant BBC to the renowned British Airways. The culminating effect of these and other similar intrusions led ransomware syndicates to an unprecedented feat – amassing over $1 billion in extorted digital currency payments from their victims. The developments of the past year underscore the progressive nature of this cyber menace and its mounting impact on international institutions and overall security.
A Turning Point for Ransomware
The year 2023 marked a significant resurgence for ransomware, characterized by a record-breaking surge in payments and a substantial escalation in the scale and sophistication of attacks. This was a marked contrast to the downturn observed in 2022, a trend we had cautioned about in our Mid-Year Crime Update. Ransomware payments in 2023 exceeded the $1 billion threshold, the highest figure ever recorded. Despite a reduction in the volume of ransomware payments in 2022, the overall trajectory from 2019 to 2023 suggests an escalating issue with ransomware. It’s important to remember that this figure doesn’t account for the economic repercussions of lost productivity and recovery expenses linked to these attacks. Cases like the audacious targeting of MGM resorts by ALPHV-BlackCat and Scattered Spider exemplify this, with MGM estimating damages costing the company upwards of $100 million, despite not paying the demanded ransom.
The Continually Expanding Ransomware Landscape
The ransomware landscape is not just prolific but continuously expanding, posing a challenge to keep track of every incident or trace all ransom payments made in digital currencies. Our figures represent conservative estimates, with the potential to rise as new ransomware addresses are uncovered over time. For example, our initial reporting for 2022 in last year’s crime report indicated $457 million in ransoms, a figure that has since been adjusted upward by 24.1%.
2022 – A Deviation, Not a Pattern
A combination of factors likely led to the reduction in ransomware activities in 2022, including geopolitical events such as the Russian-Ukrainian conflict. This conflict not only disrupted the operations of some cyber actors but also shifted their focus from financial gain to politically motivated cyberattacks intended for espionage and destruction. As we highlighted in our 2023 Crypto Crime Report, other contributing factors to this downturn included hesitance among some Western entities to pay ransoms to specific strains due to potential sanctions risks. The ransomware strain Conti, in particular, faced complications due to its reported ties to sanctioned Russian intelligence agencies, the exposure of the organization’s internal communications, and overall internal turmoil. This led to a decrease in their activities and contributed to the overall reduction in ransomware incidents in 2022. However, researchers have observed that many ransomware actors associated with Conti have continued to migrate or launch new strains, making victims more inclined to pay.
Law Enforcement’s Response to Ransomware: The Hive Intervention
A significant factor in the reduction of ransomware in 2022 was the successful penetration of the Hive ransomware strain by the Federal Bureau of Investigation (FBI), as announced by the Department of Justice early in 2023. Our analysis emphasizes the considerable impact of this single enforcement action. During the Hive infiltration, the FBI managed to supply decryption keys to over 1,300 victims, effectively eliminating the need for ransom payments. The FBI estimates that this intervention prevented approximately $130 million in ransom payments to Hive. But the influence of this intervention extends beyond that. The total tracked ransomware payments for 2022 currently stand at just $567 million, indicating that the ransom payments averted by the Hive infiltration significantly reshaped the ransomware landscape last year.
The Full Impact of the FBI’s Hive Operation: A Comprehensive Analysis
The $130 million that the FBI saved by infiltrating Hive doesn’t provide a complete picture of the operation’s success. This figure only considers the ransoms that were avoided by supplying the decryptor keys and doesn’t take into account the ripple effects. The Hive operation likely had a wider impact on Hive affiliates’ operations, potentially reducing the number of additional attacks they could launch.
During the six months the FBI was within Hive, the total ransomware payments across all strains amounted to $290.35 million. However, our statistical models predict a total of $500.7 million for that period, based on the behavior of attackers in the months before and after the operation. This is a cautious estimate. Given this figure, we estimate that the Hive operation may have prevented at least $210.4 million in ransomware payments.
David Walker, the Special Agent in Charge of the FBI’s Tampa Division, provided further insights into the significance of the operation. He stated, “The Hive investigation exemplifies the gold standard for implementing the key services model. The FBI continues to witness the significant positive impact of actions like the Hive takedown on cyber threat actors through its investigations and victim engagements. We will persist in implementing proactive disruptive measures against adversaries.”
The Resurgence of Ransomware: A Look at the 2023 Threat Landscape
In 2023, there was a significant increase in the frequency, scale, and volume of ransomware attacks. These attacks were conducted by a diverse range of actors, from large syndicates to smaller groups and individuals, and their numbers are on the rise, according to experts. Allan Liska, a Threat Intelligence Analyst at cybersecurity firm Recorded Future, stated, “We are witnessing a significant increase in the number of threat actors carrying out ransomware attacks.” In 2023, Recorded Future reported 538 new ransomware variants, indicating the emergence of new, independent groups.
The graph below shows the most active ransomware strains by quarter from the start of 2022 through 2023. There are also significant variations in the victimization strategies of the top ransomware strains, as shown in the chart below, which plots each strain’s median ransom size against its attack frequency. The chart also shows a number of new entrants and offshoots in 2023, who are known to reuse existing strains’ code. This suggests a rising number of new actors, drawn by the potential for high profits and lower entry barriers.
The Changing Tactics of Ransomware Strains
Some strains, such as Cl0p, embody the “big game hunting” strategy, conducting fewer attacks than many other strains, but collecting large payments with each attack. Cl0p exploited zero-day vulnerabilities that allowed it to extort many large, deep-pocketed victims simultaneously, prompting the strain’s operators to adopt a strategy of data exfiltration instead of encryption.
Over the past few years, big game hunting has emerged as the dominant strategy, with an increasing share of all ransomware payment volume consisting of payments of $1 million or more.
Other strains, like Phobos, have adopted the Ransomware as a Service (RaaS) model, where outsiders, known as affiliates, can access the malware to conduct attacks, and in return, pay the strain’s core operators a portion of the ransom proceeds. Phobos simplifies the process for less technically advanced hackers to launch ransomware attacks, using the typical encryption process that is the hallmark of ransomware. Despite targeting smaller entities and demanding lower ransoms, the RaaS model increases the strain’s capacity to conduct a large number of these smaller attacks.
ALPHV-BlackCat is another RaaS strain like Phobos, but it is more selective about the affiliates it allows to use its malware, actively seeking and interviewing potential candidates for their hacking abilities.
The Evolution of Ransomware Attacks: A Closer Look at the Tactics and Tools
The landscape of ransomware attacks is ever-evolving, with groups constantly adapting their strategies to target larger entities for more substantial ransoms. One common tactic is the rebranding of ransomware strains or the simultaneous use of several strains by affiliates. This strategy allows attackers to disassociate themselves from strains that have been publicly sanctioned or have attracted too much attention. Furthermore, it enables them to strike the same victims under different strain names, thus increasing their chances of success.
The Rise of Ransomware-as-a-Service (RaaS) and Initial Access Brokers (IABs)
The proliferation of Ransomware-as-a-Service (RaaS) and hacking tools has simplified the process of launching a successful ransomware attack. This development has been further facilitated by the emergence of Initial Access Brokers (IABs), who infiltrate potential victims’ networks and sell the access to ransomware attackers for a nominal fee.
Our research has identified a correlation between the flow of funds into IAB wallets and a surge in ransomware payments. This suggests that monitoring IAB activities could offer early warning signs and open up opportunities for intervention and mitigation of attacks. The combination of IABs and RaaS has significantly reduced the technical skills required to execute a successful ransomware attack. Andrew Davis, General Counsel at Kivu Consulting, a cybersecurity incident response firm, sheds more light on this phenomenon.
“The surge in attack volume can be attributed to the ease of access provided by the affiliate model and the adoption of ransomware-as-a-service, an alarmingly effective business model for cybercriminals,” Davis explains.
Tracking Ransomware Funds: The Journey and Destination
Understanding how ransomware funds move is crucial in identifying the methods and services used by threat actors. This knowledge enables law enforcement agencies to target and disrupt the financial networks and infrastructure of these actors.
It’s worth noting that threat actors may take a considerable amount of time to launder their ransomware proceeds. The laundering observed in 2023, for instance, includes proceeds from attacks carried out in earlier years.
Historically, centralized exchanges and mixers have been the go-to methods for laundering ransomware payments. However, 2023 witnessed the adoption of new laundering services such as bridges, instant exchangers, and gambling services. This shift is likely due to the disruption of preferred laundering methods, the implementation of stricter Anti-Money Laundering (AML) and Know Your Customer (KYC) policies by some services, and the unique laundering preferences of new ransomware actors.
Concentration of Laundering Services and Lessons from 2023
There is a significant concentration of specific services within each category that ransomware actors use for laundering. Exchanges exhibit the lowest level of concentration, while gambling services, cross-chain bridges, and sanctioned entities show the highest levels. Mixers, no-KYC exchanges, and underground exchanges fall in between, with about half of all funds from ransomware wallets going to one service.
The concentration of mixers may have increased due to the takedown of Chipmixer, a popular choice for ransomware attackers. This concentration might expose ransomware actors to bottlenecks, making them vulnerable as law enforcement could disrupt operations by targeting a relatively small number of services.
The ransomware landscape underwent significant changes in 2023, characterized by shifts in tactics and affiliations among threat actors, as well as the continued spread of RaaS strains.
Enhanced Speed and Efficacy in Cyber Attacks
The year 2023 witnessed a significant shift in the strategies employed by cybercriminals. The speed of attack execution was notably improved, indicating a more aggressive and efficient modus operandi. The constant shuffling of affiliates underlines the fluid dynamics of the ransomware underworld, as well as the relentless pursuit of more profitable extortion strategies.
Adapting to Changing Landscapes
Threat actors consistently demonstrate their ability to adapt to changes in regulations and law enforcement actions, in addition to their ever-evolving tactics. However, 2023 was not without its triumphs in the battle against ransomware. These victories were largely due to the collaborative efforts of international law enforcement, impacted organizations, cybersecurity companies, and blockchain intelligence.
Law Enforcement’s Proactive Stance
Lizzie Cookson from Coveware highlighted the importance of these collaborative efforts, citing the successful takedown of Hive and the disruption of BlackCat as prime examples. She noted, “These operations underscore the FBI’s commitment to assisting victims, providing aid, and imposing penalties on malicious actors.” Andrew Davis of Kivu Consulting echoed these sentiments, observing an increase in proactive involvement from law enforcement. This indicates a more resolute and determined approach to providing support to victims and tracking down cybercriminals.
https://www.infradapt.com/news/ransomware-victims-pay-out-a-record-breaking-1-1-billion-in-2023/
MOVEit, Capita, CitrixBleed and more: The biggest data breaches of 2023
This year, 2023, was a hell of a year for data breaches, much like the year before it (and the year before that, etc.). Over the past 12 months, we’ve seen hackers ramp up their exploitation of bugs in popular file-transfer tools to compromise thousands of organizations; ransomware gangs adopt aggressive new tactics aimed at […]
Delta Dental of California Data Breach Exposed Info of Seven Million People
Delta Dental of California and its affiliates have suffered a data breach, affecting almost seven million patients. The breach occurred through a vulnerability in the MOVEit Transfer software, allowing unauthorized access by threat actors.
CMS Notifies Additional Individuals Potentially Impacted by MOVEit Data Breach
As part of an ongoing investigation into the May 2023 data breach of Progress Software’s MOVEit Transfer software on the corporate network of Maximus Federal Services, Inc. (Maximus Federal Services), a contractor to the Medicare program, the Centers for Medicare & Medicaid Services (CMS) has learned of additional individuals whose personally identifiable information (PII) may have been compromised among files maintained by Maximus Federal Services. As a result, this week, CMS and Maximus Federal Services are sending letters to 330,000 current people with Medicare who may have been impacted, notifying them of the breach and explaining actions being taken in response.
The Nova Scotia government says it is investigating the theft of personal information stolen through a global privacy breach to a third-party file transfer system the province was using.
The province has yet to determine what information may have been taken or how many Nova Scotians could be affected by the breach to software company MoveIt's products, Cyber Security and Digital Solutions Minister Colton LeBlanc said in a Sunday news conference.
Lillian Tweten, Daily Caller News Foundation: At least 1.3 million residents in Maine were impacted by a government data breach earlier this year, The Hill reported. A massive cyberattack in May affected the MOVEit file transfer system, a software program used by many government...
Zero-Day Alert: Lace Tempest Exploits SysAid IT Support Software Vulnerability
The Hacker News: The threat actor known as Lace Tempest has been linked to the exploitation of a zero-day flaw in SysAid IT support software in limited attacks, according to new findings from Microsoft. Lace Tempest, which is known for distributing the Cl0p ransomware, has in the past leveraged zero-day flaws in MOVEit Transfer and PaperCut servers. The issue, tracked as CVE-2023-47246, concerns a path traversal
Posted by: Mohit Kumar
Ransomware: the main threat trend of 2023
In 2023, the threat landscape was shaped by big-game ransomware and zero-day ransomware. Mac systems are also increasingly coming into attackers’ sights, according to the State of Malware Report 2024. The threat intelligence analysts at Malwarebytes summarize the central developments in cyber threats and cyber security in their annual malware situation report. Overall, the threat landscape, and with it the measures required to defend against threats, are becoming more complex. At the same time, security leaders are increasingly confronted with budget cuts and thus with limited resources. The year 2023 was shaped by six major threat trends, not all of which fall under the traditional definition of malware: big-game ransomware, malvertising, zero-day ransomware, living-off-the-land attacks, Android banking trojans, and new malware tactics aimed specifically at Mac devices. The trends big-game ransomware, zero-day ransomware and Mac-specific malware deserve particular attention:
1. Big-game ransomware
Big-game ransomware is one of the most dangerous current cyber threats. It targets financially strong companies (“big game”), because they can pay the often very high ransoms the attackers demand. Worldwide, the number of known big-game ransomware attacks rose by 68 percent in 2023; in Germany it rose by 36 percent. This trend goes hand in hand with Ransomware-as-a-Service (RaaS): although attacks on large companies can be a potentially lucrative “business” for attackers, they require a great deal of preparation, planning and technical expertise to get around the often solid cyber security measures these companies have in place. Attackers therefore face the problem of scaling their attacks.
With RaaS approaches, attackers get around this problem through specialization: certain criminal groups prepare the attacks by programming the ransomware and obtaining access to corporate networks, while other groups carry out the attacks and conduct the ransom negotiations. The ransom obtained is then split among all the attackers involved. In Germany, the services of the RaaS providers LockBit, PLAY and CL0P were used most frequently in 2023.
2. Zero-day ransomware
Another approach attackers use to solve the scalability problem of their criminal activities is automated attacks based on zero-day exploits. These are security vulnerabilities in systems and applications that have only just been discovered, which is why developers and vendors have not yet had an opportunity to fix them. Accordingly, it is difficult for companies to prepare adequately for this type of attack. In 2023, CL0P used this approach and within a few weeks became one of the most active ransomware groups. In many cases it was not even necessary for CL0P to deploy ransomware and encrypt data. Through the as yet undiscovered vulnerabilities, the attackers could simply penetrate their victims’ systems and networks and directly steal information to use in ransom demands. In this way CL0P was able to obtain significant financial resources (an estimated 92 million euros from its MOVEit Transfer zero-day campaign alone, for example). It can be assumed that other groups will try to replicate CL0P’s approach in the future.
3. New Mac malware tactics focused on macOS
Malware accounted for eleven percent of all threats detected on Mac operating systems in 2023. This figure contradicts the widespread belief that malware does not exist on Mac systems.
In fact, compared with Windows operating systems, it simply takes other, often specialized forms. Instead of ransomware, attacks on Macs much more often consist of aggressive, unwanted adware, for example. In addition, the growing use of macOS devices makes it ever more lucrative for attackers to target these devices specifically or to develop malware that also works on Mac operating systems. For example, in November 2023 ClearFake was in circulation, a fake browser update chain that posed as a browser security update and lured users into downloading malware, including the infostealer Atomic Stealer (AMOS). Not only is AMOS an infostealer that specifically forwards passwords, browser data and other sensitive information from Mac systems to attackers, the campaign is also built so that it automatically determines which browser the victim is using in order to display the matching fake update.