Posted: 4 Min ReadFeature Stories
Translation: 日本語

Symantec Security Summary - October 2021

BlackMatter, Conti and the Harvester group

Ransomware continues to be a persistent corporate scourge. A new research paper from Symantec’s Threat Hunter Team found that targeted ransomware activity is on the rise these last 18 months, fueled by a proliferation of new actors and the growing sophistication of the ransomware-as-a-service (RaaS) market. According to the research, the number of confirmed attacks reported by organizations increased by 83% in that timeframe, from 81 in January 2020 to 148 in June 2021. Symantec researchers believe the real number of attacks is likely much higher because many targeted attacks are stopped before payload deployment, so they’re not identified as actual ransomware.

The problem is getting so serious, it’s caught the attention of the White House. President Biden announced that the United States would meet with representatives from 30 countries, including NATO allies and G7 partners, to cooperate on combating cyber crime, with a particular focus on ransomware. As described in a press release, the partners will work together to improve law enforcement collaboration, stem the illicit use of cryptocurrency, and engage on these issues diplomatically. “We are building a coalition of nations to advocate for and invest in trusted 5G technology and to better secure our supply chains,” the press release said. “We are bringing the full strength of our capabilities to disrupt malicious cyber activity, including both the risks and opportunities of emerging technologies like quantum computing and artificial intelligence.”

President Biden announced that the United States would meet with representatives from 30 countries, including NATO allies and G7 partners, to cooperate on combating cyber crime, with a particular focus on ransomware.

Continuing on the theme of ransomware: CISA, FBI, and the NSA released a joint Cyber Security Advisory on BlackMatter Ransomware.  Since July 2021, malicious cyber actors have used BlackMatter ransomware to target multiple U.S. critical infrastructure entities, including a U.S. Food and Agriculture Sector organization. Broadcom Software was named as contributing to the analysis by CISA.

Conti malware was front and center in other ransomware-related news. Attackers using this type of ransomware are leveraging a new tactic and are taking aim squarely at users of Veeam’s backup solutions to delete backups on victim’s networks. Research from Advanced Intel found that the attackers are hunting for privileged Veeam users and stealing their credentials so they can impersonate them to exfiltrate backups using rclone before deleting them from the victim’s networks. In a statement, Veeam officials advises users to maintain a separate domain to run backup software in the event a primary domain is compromised.

The operators of the Conti ransomware (also known as Miner or Wizard Spider) are also threatening to leak victim data if transcripts or screen shots of ransom negotiations are publicly shared. The reason: The growing number of media reports memorializing the details of ransom negotiations are making their exploits a bit tricker to pull off.

Cryptocurrency also took a cyber security hit. A bug in Coinbase’s SMS-based two-factor authentication systems let attackers steal funds from more than 6,000 customers of the cryptocurrency exchange. The breaches, which occurred between March and May 2021, were the result of attackers getting access to a customer's email address, password, and phone number associated with the account, which enabled them to get in through a 2FA failure. Coinbase said it would reimburse users who lost funds in these transactions, and it updated its SMS Account Recovery protocols to prevent further incidents.

The operators of the Conti ransomware (also known as Miner or Wizard Spider) are also threatening to leak victim data if transcripts or screen shots of ransom negotiations are publicly shared

In the meantime, the Justice Department took steps to shore up security surrounding cryptocurrencies. U.S. Deputy Attorney General Lisa Monaco announced the launch of the National Cryptocurrency Enforcement team, which will include a mix of anti-money laundering and cyber security experts who will be tasked with “strengthening” the Justice Department’s ability to disable financial markets allowing cyber criminals to “flourish.” The effort is also aimed at mitigating the uptick in ransomware, which demands payment typically paid in cryptocurrency.

“Cryptocurrency exchanges want to be the banks of the future,” said Monaco in a virtual speech at the recent Aspen Cyber Summit. “We need to make sure that folks can have the confidence when they’re using these systems and we need to be poised to root out abuse.” 

The Harvester group is new to the ransomware scene. A previously unseen actor, likely nation-state-backed, is targeting organizations in South Asia, with a focus on Afghanistan, in what appears to be an information-stealing campaign using a new toolset.

According to Broadcom Software’s Threat Intelligence team, The Harvester group uses both custom malware and publicly available tools in its attacks, which began in June 2021, with the most recent activity seen in October 2021. Sectors targeted include telecommunications, government, and information technology (IT). The capabilities of the tools, their custom development, and the victims targeted, all suggest that Harvester is a nation-state-backed actor.

Symantec Enterprise Blogs
You might also enjoy
Threat Intelligence4 Min Read

Harvester: Nation-State-Backed Group Uses New Toolset to Target Victims in South Asia

Previously unseen attack group targets victims in the IT, telecoms, and government sectors in espionage campaign.

Symantec Enterprise Blogs
You might also enjoy
Feature Stories4 Min Read

Symantec Security Summary - September 2021

Ransomware, Crypto and Blockchain updates

About the Author

Beth Stackpole

Journalist

Beth is a veteran journalist covering the intersection of business & technology for more than 20 years. She's written for most of the leading IT industry publications and web sites as well as produced custom content for a range of leading technology providers.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.