Ransomware continues to dominate cyber security headlines as new variants appear amidst signs that hackers are maturing their strategies and becoming ever-more intentional about selecting their targets.
For the first time, the FBI published an alert warning of a ransomware affiliate operator known as OnePercent, which has been targeting U.S. organizations since November 2020 using a consistent set of tools, tactics, and procedures (TTPs). The group uses malicious phishing email attachments to deliver the IcedID banking Trojan as its initial infection vector, then employs Cobalt Strike on compromised endpoints to move laterally through the victim’s network and exfiltrate sensitive data. The final step is deploying a ransomware payload with a note linking to the gang’s Onion website. The FBI alert links the OnePercent Group to the notorious REvil (Sodinokibi) ransomware gang, which was behind many of the recent high-profile attacks. REvil went dark earlier this summer after its attacks drew worldwide condemnation, including tough talk from President Biden to Russia’s Putin, but appears to have recently resurfaced, according to reports.
As part of its stepped-up policing of ransomware, the FBI also warned of new attacks targeting the agri-food industry. The alert said the sector’s increased dependence on smart technologies, industrial control systems (ICS), and Internet-based automation systems makes it a more attractive target. Possible fallout could include financial losses, soaring food prices, and disruption to the food supply chain, the warning said. The alert encouraged companies in the sector to take steps to secure their IT networks, including shoring up weakly secured RDP endpoints and patching Internet-facing devices to close known vulnerabilities.
Ransomware infections are also spreading to universities and towns. Nearly 400 cities and towns have fallen victim to ransomware attacks in recent years, impeding emergency responders, bringing down core systems, and stalling tax payments, among a litany of disruptions, according to a Washington Post report. Howard University suffered a ransomware attack just as students headed back to school earlier this month. The HBCU was forced to cancel all online and hybrid undergraduate classes after an attack compromised its networks.
Ransomware wish list. Threat intelligence firm KELA has analyzed the underground forum posts of ransomware actors on the hunt for collaborators and has come up with a wish list, of sorts, for the preferred victim. Ransomware gangs are primarily targeting organizations with revenues greater than $100 million in the United States, Canada, Europe, and Australia. The healthcare and education sectors are somewhat off limits for many attackers, while others are avoiding government and non-profits. Researchers concluded that avoidance of those sectors is less about altruism and more likely about dodging controversy and avoiding the attention of law enforcement.
The red-hot field of cryptocurrency is looking like the next frontier for cyber security attacks. Poly Network, a Chinese company that processes cryptocurrency transactions across blockchain platforms, revealed that over $611 million in cryptocurrency was stolen from its platform. Poly Network attributed the breach to the hacker exploiting a vulnerability between contract calls and advised its customers, including cryptocurrency exchanges like Binance and Coinbase Pro, to refuse transactions from specific wallet addresses to stave off the thieves. Days later, the threat actor returned almost $260 million worth of the stolen cryptocurrency. The supposed thief claimed the heist was less about stealing the money and more about teaching Poly Network a lesson by exposing its vulnerability. More likely, the turnaround was due to SlowMist claiming to have the goods on the attacker’s identity.
Cyber criminals have developed a blockchain analytics tool to assist in laundering cryptocurrency. According to Elliptic, the Antinalysis blockchain analytics tool has been launched on the dark web; its purpose is to check bitcoin addresses for links to criminal activity. What this means, according to Elliptic’s co-founder and CEO, is that criminals can “test whether their funds will be identified as proceeds of crime by regulated exchanges,” which helps them hide their activity.
Cyber security legal eagles. In its continuing effort to combat cyber crime and escalating threats, the Department of Justice (DOJ) announced a new fellowship program tasked with training a new generation of prosecutors and attorneys on cyber security issues. Selected attorneys will participate in a three-year rotation through multiple departments and work on cases that “prosecute state-sponsored cyber threats, transnational criminal groups, ransomware attacks, and the use of cryptocurrency and money laundering to finance and profit from cyber-based crimes,” according to a DOJ news release.
If this month’s activity is any indication, they’re going to have a lot of work ahead of them.