Symantec Security Summary - October 2021

Ransomware continues to be a persistent corporate scourge. A new research paper from Symantec’s Threat Hunter Team found that targeted ransomware activity is on the rise these last 18 months, fueled by a proliferation of new actors and the growing sophistication of the ransomware-as-a-service (RaaS) market. According to the research, the number of confirmed attacks reported by organizations increased by 83% in that timeframe, from 81 in January 2020 to 148 in June 2021. Symantec researchers believe the real number of attacks is likely much higher because many targeted attacks are stopped before payload deployment, so they’re not identified as actual ransomware.

The problem is getting so serious, it’s caught the attention of the White House. President Biden announced that the United States would meet with representatives from 30 countries, including NATO allies and G7 partners, to cooperate on combating cyber crime, with a particular focus on ransomware. As described in a press release, the partners will work together to improve law enforcement collaboration, stem the illicit use of cryptocurrency, and engage on these issues diplomatically. “We are building a coalition of nations to advocate for and invest in trusted 5G technology and to better secure our supply chains,” the press release said. “We are bringing the full strength of our capabilities to disrupt malicious cyber activity, including both the risks and opportunities of emerging technologies like quantum computing and artificial intelligence.”

Continuing on the theme of ransomware: CISA, FBI, and the NSA released a joint Cyber Security Advisory on BlackMatter Ransomware.  Since July 2021, malicious cyber actors have used BlackMatter ransomware to target multiple U.S. critical infrastructure entities, including a U.S. Food and Agriculture Sector organization. Broadcom Software was named as contributing to the analysis by CISA.

Conti malware was front and center in other ransomware-related news. Attackers using this type of ransomware are leveraging a new tactic and are taking aim squarely at users of Veeam’s backup solutions to delete backups on victim’s networks. Research from Advanced Intel found that the attackers are hunting for privileged Veeam users and stealing their credentials so they can impersonate them to exfiltrate backups using rclone before deleting them from the victim’s networks. In a statement, Veeam officials advises users to maintain a separate domain to run backup software in the event a primary domain is compromised.

The operators of the Conti ransomware (also known as Miner or Wizard Spider) are also threatening to leak victim data if transcripts or screen shots of ransom negotiations are publicly shared. The reason: The growing number of media reports memorializing the details of ransom negotiations are making their exploits a bit tricker to pull off.

Cryptocurrency also took a cyber security hit. A bug in Coinbase’s SMS-based two-factor authentication systems let attackers steal funds from more than 6,000 customers of the cryptocurrency exchange. The breaches, which occurred between March and May 2021, were the result of attackers getting access to a customer's email address, password, and phone number associated with the account, which enabled them to get in through a 2FA failure. Coinbase said it would reimburse users who lost funds in these transactions, and it updated its SMS Account Recovery protocols to prevent further incidents.

In the meantime, the Justice Department took steps to shore up security surrounding cryptocurrencies. U.S. Deputy Attorney General Lisa Monaco announced the launch of the National Cryptocurrency Enforcement team, which will include a mix of anti-money laundering and cyber security experts who will be tasked with “strengthening” the Justice Department’s ability to disable financial markets allowing cyber criminals to “flourish.” The effort is also aimed at mitigating the uptick in ransomware, which demands payment typically paid in cryptocurrency.

“Cryptocurrency exchanges want to be the banks of the future,” said Monaco in a virtual speech at the recent Aspen Cyber Summit. “We need to make sure that folks can have the confidence when they’re using these systems and we need to be poised to root out abuse.” 

The Harvester group is new to the ransomware scene. A previously unseen actor, likely nation-state-backed, is targeting organizations in South Asia, with a focus on Afghanistan, in what appears to be an information-stealing campaign using a new toolset.

According to Broadcom Software’s Threat Intelligence team, The Harvester group uses both custom malware and publicly available tools in its attacks, which began in June 2021, with the most recent activity seen in October 2021. Sectors targeted include telecommunications, government, and information technology (IT). The capabilities of the tools, their custom development, and the victims targeted, all suggest that Harvester is a nation-state-backed actor.