
FBI and CISA Reveal: ‘Royal’ Ransomware Group Targeted 350 Victims for $275 Million


In a joint advisory, the FBI and CISA have revealed that the ‘Royal’ ransomware gang has breached the networks of nearly 350 organizations globally since 2022.

Updating the original advisory published in March with information acquired during the FBI's investigation, the agencies noted that the ransomware campaign is connected to ransom demands totalling more than $275 million.

"Since September 2022, Royal has targeted over 350 known victims worldwide and ransomware demands have exceeded 275 million USD," the advisory reads.

"Royal conducts data exfiltration and extortion prior to encryption and then publishes victim data to a leak site if a ransom is not paid. Phishing emails are among the most successful vectors for initial access by Royal threat actors."

In March, the two agencies shared their initial indicators of compromise (IoCs), along with a list of tactics, techniques, and procedures (TTPs), to assist defenders in identifying and thwarting attempts to deploy Royal ransomware payloads onto their networks.

The Department of Health and Human Services (HHS) security team discovered in December 2022 that the ransomware operation was responsible for several attacks against U.S. healthcare organizations. This led to the release of the joint advisory.

Royal to BlackSuit

The advisory update also states that BlackSuit ransomware shares several coding traits with Royal, suggesting that Royal may be planning a rebranding campaign and/or a spinoff variation.

Although the Royal ransomware operation was expected to rebrand as BlackSuit in May, the rebranding did not happen at that time.

According to a report published by BleepingComputer in June, the Royal ransomware gang was apparently testing a new BlackSuit encryptor that closely resembled the operation’s conventional encryptor.

At the time, Yelisey Bohuslavskiy, Partner and Head of Research and Development at RedSense, believed that this experiment had not gone well.

However, since then, Royal has rebranded as BlackSuit and restructured into a more centralized business, following the same blueprint as Team 2 (Conti2) when it was a member of the Conti syndicate.

"In September 2023, Royal accomplished a full rebrand into BlackSuit, most likely entirely dismantling their Royal infrastructure. Moreover, according to the primary source intel, Royal has also accomplished a broader reorganization during the rebrand, making the group structure more corporate and more similar to their Conti2 origins," said Yelisey Bohuslavskiy.  

CISA Alerts on Serious Flaws in Industrial Equipment & Infrastructure

 

According to the US government's CISA and private security researchers, 56 vulnerabilities have been discovered in industrial operational technology (OT) systems from ten global manufacturers, including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk. 

Some of these flaws obtained CVSS severity ratings as high as 9.8 out of 10. This is especially unfortunate given that these devices are employed in vital infrastructure throughout the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and construction and automation industries. 

Remote code execution (RCE) and firmware vulnerabilities are the most serious security problems. If exploited, these flaws might allow criminals to shut down electricity and water infrastructure and damage the food supply. This is not to claim that all or any of these situations are practically achievable; rather, these are the kind of devices and processes involved. 

Forescout's Vedere Labs uncovered the flaws in devices produced by 10 vendors and used by the security firm's customers and termed them OT:ICEFALL. As per the researchers, the vulnerabilities affect at least 324 enterprises worldwide – a figure that is likely to be far higher in reality because Forescout only has access to its own clients' OT devices. In addition to the previously mentioned firms, the researchers discovered weaknesses in Bently Nevada, Emerson, JTEKT, Omron, Phoenix Contact, and Yokogawa devices.

OT Devices are insecure by design

The majority of issues are found in level 1 and level 2 OT devices. Physical processes are controlled by level 1 devices such as programmable logic controllers (PLCs) and remote terminal units (RTUs), whereas level 2 devices include supervisory control and data acquisition (SCADA) and human-machine interface systems.

In addition to the 56 highlighted in a Vedere report today, the threat-hunting team uncovered four more that are still being kept under wraps owing to responsible disclosure. One of the four allows an attacker to compromise credentials, two let an attacker change the firmware of OT systems, and the fourth is an RCE via a memory-write flaw.

Many of these flaws are the consequence of OT products' "insecure-by-design" build, according to Forescout's head of security research Daniel dos Santos. Several OT devices lack fundamental security protections, making them simpler for criminals to exploit, he said. 

Since that earlier analysis, "there have been real-world incidents, real malware that has abused insecure-by-design functionality of devices to cause disruption and physical damage, like Industroyer in Ukraine in 2016, or Triton in the Middle East in 2017. One instance of insecure-by-design is unauthenticated protocols. So basically, whenever you interact with the device you can call sensitive functions on the device, invoke this function directly without it asking for a password," dos Santos stated.

The security researchers found nine vulnerabilities related to protocols that have no authentication on them: CVE-2022-29953, CVE-2022-29957, CVE-2022-29966, CVE-2022-30264, CVE-2022-30313, CVE-2022-30317, CVE-2022-29952 and CVE-2022-30276.

The majority of these may be used to download and run firmware and logic on other people's devices, resulting in RCEs, or to trigger shutdowns and reboots that create denial-of-service conditions. In an ideal world, equipment employing these protocols would not be connected to computers and other systems in a way that lets a network intruder abuse them.

Credential compromise: Most common issue

Five of the flaws were noted more than once by Vedere Labs because they had various possible consequences. More than a third of the 56 vulnerabilities (38%) can be exploited to compromise user login credentials, while 21% might allow a criminal to change the firmware if exploited, and 14% are RCEs. 

Other vulnerability categories include denial of service and configuration manipulation (eight percent), authentication bypass (six percent), file manipulation (three percent), and logic manipulation (two percent). 

Fixing these security flaws will be difficult, according to the researchers, since they are the consequence of OT products being vulnerable by design, or because they need modifications in device firmware and supported protocols. 

As a result, they did not reveal all of the technical details for the affected OT devices, which explains the lack of depth. They did, however, advise users to read each vendor's security advisory, which is expected to be released today or soon. Furthermore, where possible, Forescout suggests disconnecting OT and industrial control system networks from corporate networks and the internet.
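The segmentation advice above ("OT equipment should not be reachable from corporate networks or the internet") is something a defender can audit continuously from flow logs. The following is an added example, not code from Forescout or the advisory: it maps addresses to zones using a hypothetical, constructed zone inventory and flags any connection into the OT zone whose source zone is not on an allow list. The subnets, timestamps and ports in the sample records are all constructed.

```python
"""Flag flows that reach level 1/2 OT devices from zones that should not
be able to reach them. Added example; zone ranges and flow records are
constructed, not taken from any real plant or from the advisory."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport")

# Hypothetical zone inventory (constructed). A real site needs its own
# asset inventory; here the OT zone is 10.20.0.0/16.
ZONES = {
    "ot":        [ipaddress.ip_network("10.20.0.0/16")],
    "corporate": [ipaddress.ip_network("10.10.0.0/16")],
    "dmz":       [ipaddress.ip_network("10.30.0.0/24")],
}

# Only these zones may open connections into the OT zone (OT-to-OT is fine,
# and a jump host in the DMZ is the sanctioned path from the corporate side).
ALLOWED_INTO_OT = {"dmz", "ot"}


def zone_of(addr):
    """Map an address to a zone name; anything not in the inventory is
    treated as 'internet', i.e. untrusted."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "internet"


def parse_flows(text):
    """Parse constructed 'timestamp src dst dport' lines, skipping comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(ts, src, dst, int(dport)))
    return flows


def find_violations(flows):
    """Return flows whose destination is in the OT zone and whose source
    zone is not allowed to initiate connections into it."""
    return [f for f in flows
            if zone_of(f.dst) == "ot" and zone_of(f.src) not in ALLOWED_INTO_OT]


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = """
# ts                    src          dst         dport
2022-06-21T08:00:01Z 10.10.5.23  10.20.1.10 5000
2022-06-21T08:00:02Z 10.30.0.5   10.20.1.10 5000
2022-06-21T08:00:03Z 10.20.1.10  10.20.1.11 5001
2022-06-21T08:00:04Z 203.0.113.7 10.20.1.12 5000
2022-06-21T08:00:05Z 10.10.5.23  10.10.9.1  443
"""

if __name__ == "__main__":
    for v in find_violations(parse_flows(SAMPLE_FLOWS)):
        print(f"{v.ts} {zone_of(v.src)}->ot {v.src} -> {v.dst}:{v.dport}")
```

On the sample data the corporate workstation and the internet address that both reach OT hosts are reported; the DMZ host and the OT-to-OT flow are not. Because unknown addresses default to the untrusted zone, an incomplete inventory produces extra alerts rather than silent gaps, which is the safer failure mode for this kind of check.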

CISA Updates Conti Ransomware Alert with Around 100 Domain Names

 

The US Cybersecurity and Infrastructure Security Agency (CISA) has updated the Conti ransomware advisory to include indicators of compromise (IoCs) comprising almost 100 domain names used in criminal operations.

The advisory, which was first issued on September 22, 2021, contains facts about Conti ransomware attacks on organizations in the United States, as observed by CISA and the Federal Bureau of Investigation (FBI). It's worth noting that the US Secret Service's data is included in the latest cybersecurity advisory. Internal data from the Conti ransomware operation began to surface at the end of February after the group publicly declared its support for Russia in the Ukraine invasion.

The leak came from a Ukrainian researcher, who originally issued private messages exchanged by the members of the group and then released the source code for the ransomware, administrative panels, and other tools. Domains used in compromises with BazarBackdoor, the malware used to gain initial access to networks of high-value targets, were also found in the cache of data. Conti, according to CISA, has infiltrated over 1,000 businesses around the world, with TrickBot malware and Cobalt Strike beacons being the most common attack vectors. 

The agency has published a list of 98 domain names that have "registration and naming characteristics identical" to those used in Conti ransomware attacks. While some of the domains were used in malicious operations, the agency warns that others may be abandoned or may share similar features coincidentally. The list of domains linked to Conti ransomware attacks does not appear to be the same as the hundreds of domains released from BazarBackdoor infections by the Ukrainian researcher.

Conti did not halt its activities despite the negative attention it earned recently as a result of the exposure of its internal discussions and tools. Conti has listed more than two dozen victims on its website since the beginning of March in the United States, Canada, Germany, Switzerland, the United Kingdom, Italy, Serbia, and Saudi Arabia.
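A domain IoC list like the one in the updated advisory is only useful once it is matched against what the network actually resolved. The following is an added example, not code from CISA or the advisory: it loads an IoC list, normalizes names (case, trailing root dot) and matches DNS query logs by exact name or parent domain, so that subdomains of a listed domain hit while look-alike names that merely contain a listed domain as a substring do not. The IoC domains and the log lines are constructed placeholders; the advisory's real domain list is not reproduced here.

```python
"""Match DNS query logs against a domain IoC list. Added example; the
IoC domains and log lines are constructed placeholders, not the real
domains from the CISA advisory."""

# Constructed placeholder IoC list (stand-in for the advisory's 98 domains).
IOC_DOMAINS_RAW = """
# one domain per line, comments allowed
Badname-Example.invalid
other-bad-name.example
"""


def normalize(domain):
    """Lowercase, strip whitespace and a trailing root dot ('evil.example.')."""
    return domain.strip().lower().rstrip(".")


def load_iocs(text):
    """Return the set of normalized IoC domains from a list like the advisory's."""
    return {normalize(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def matches(qname, iocs):
    """Return the IoC domain that qname equals or sits under, else None.
    Walks from the full name up through each parent: a.b.c -> b.c -> c.
    Substring hits such as 'notother-bad-name.example' are deliberately
    not matched, which avoids a common false-positive class."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_log(log_text, iocs):
    """Scan constructed 'ts client query <type> <qname>' lines; return hits as
    (timestamp, client, queried name, matched IoC) tuples."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue                      # skip blank or malformed lines
        ts, client, _, _, qname = parts[:5]
        hit = matches(qname, iocs)
        if hit:
            hits.append((ts, client, normalize(qname), hit))
    return hits


# Constructed sample resolver log (not real traffic).
SAMPLE_DNS_LOG = """\
2022-03-10T09:12:01Z 10.10.5.23 query A cdn.badname-example.invalid.
2022-03-10T09:12:05Z 10.10.5.24 query A www.example.org
2022-03-10T09:13:00Z 10.10.5.25 query A other-bad-name.example
2022-03-10T09:13:09Z 10.10.5.26 query A notother-bad-name.example
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_DNS_LOG, load_iocs(IOC_DOMAINS_RAW)):
        print("IoC hit:", *hit)
```

Two of the four sample queries hit: the subdomain of the first placeholder and the exact second one. The fourth line is not reported even though it contains a listed domain as a substring, which matters in practice because the advisory itself warns that some listed domains may share naming features with benign ones; a hit should be verified against the specific listed name, not a loose pattern.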

Intuit Alerted About Phishing Emails Threatening to Delete Accounts

 

Customers of accounting and tax software supplier Intuit have been warned of an ongoing phishing attack that impersonates the company and attempts to mislead victims with fraudulent account suspension notifications.

The advisory was prompted by customers receiving messages claiming that their Intuit accounts had been disabled as a result of a recent server security upgrade.

The phishing messages, which masquerade as coming from the Intuit Maintenance Team, state: "We have temporarily disabled your account due to inactivity. It is compulsory that you restore your access within next 24 hours. This is a result of recent security upgrade on our server and database, to fight against vulnerability and account theft as we begin the new tax season."

To regain access to their accounts, recipients are told to visit https://proconnect.intuit.com/Pro/Update right away. Clicking the link will most likely redirect them to a phishing site controlled by the attacker, which will seek to infect them with malware or steal their financial or personal information.

Those who hesitate before clicking the embedded link are warned that they risk losing access to their accounts permanently. The financial software company stated the sender "is not associated with Intuit, is not an approved agent of Intuit, nor is their use of Intuit's brands authorised by Intuit," and that it isn't behind the emails. 
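The lure above relies on a link whose visible text looks like a legitimate Intuit URL while the underlying href leads somewhere else. The following is an added example, not code from Intuit: it parses the anchors in an HTML email body and flags any link whose visible text or hostname invokes the trusted domain but whose href host is not actually under that domain. The email body is constructed for the example, reusing the lure wording quoted above; the attacker host in it is a placeholder under the reserved `.invalid` TLD, not a domain from the real campaign.

```python
"""Flag anchors in an HTML email whose visible text or hostname claims a
trusted domain while the href goes elsewhere. Added example; the email
body below is constructed and the attacker host is a placeholder."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None      # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, lowercased; '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def is_under(host, domain):
    """True if host is domain itself or a subdomain of it. A host such as
    'intuit.com.attacker.invalid' is NOT under 'intuit.com'."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, trusted_domain):
    """Return links that invoke trusted_domain (in the visible text or in the
    href host) but whose href host is not genuinely under trusted_domain."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        href_host = host_of(href)
        claims_trusted = trusted_domain in text.lower() or trusted_domain in href_host
        if claims_trusted and not is_under(href_host, trusted_domain):
            flagged.append({"text": text, "href": href, "href_host": href_host})
    return flagged


# Constructed email body: the lure wording from the post with a placeholder
# attacker host; the second and third links are benign controls.
SAMPLE_EMAIL = """
<p>We have temporarily disabled your account due to inactivity. It is
compulsory that you restore your access within next 24 hours.</p>
<p>Restore access at
<a href="https://proconnect.intuit.com.account-update.invalid/Pro/Update">https://proconnect.intuit.com/Pro/Update</a></p>
<p>Help: <a href="https://support.intuit.com/">Intuit support</a></p>
<p><a href="https://www.example.org/">Unrelated link</a></p>
"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_EMAIL, "intuit.com"):
        print(f"visible: {link['text']!r} -> actual host: {link['href_host']}")
```

Only the first anchor is flagged: its text is a convincing Intuit URL, but the href host merely begins with `proconnect.intuit.com` and ends in a different registrable domain. The `support.intuit.com` link passes because the check is a proper parent-domain test rather than a substring match, which is the distinction that makes this kind of filter usable without flooding users with false positives.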

Customers who have received phishing emails are advised not to click any embedded links or open attachments, according to the maker of TurboTax and QuickBooks. 

To avoid being infected with malware or redirected to a phishing landing page that would try to steal their credentials, it's best to delete the emails. Customers who have already opened attachments or clicked links in phishing emails should take the following steps:
  • Delete any downloaded files immediately.
  • Scan their systems using an up-to-date anti-malware solution.
  • Change their passwords.

On its support page, Intuit also provides information on how users can safeguard themselves from phishing attacks.

QuickBooks clients were also cautioned in October about phishing attacks that used bogus renewal charges as bait. Fraudsters contacted QuickBooks users via websites in the same month, telling them to upgrade to prevent their databases from being destroyed or corporate backup files automatically erased, with the intent of taking over their accounts.