
The Professionalization of Cybercrime: Exploits and Experts


Your adversaries are doing exactly what you do to defend your organization against them: keeping up with the latest news, tools, and thought leadership. Their efforts focus on networking on forums, evaluating the latest software tools, interacting with potential buyers, and searching for ways to outsmart your security systems.

Their capabilities let them outmaneuver well-funded security teams and corporate security tools, especially legacy solutions such as signature-based antivirus. As a result, many security operations centers (SOCs) fail to prioritize the real threats and instead spend their time and energy on problems that, realistically, they will never be able to address at scale.

To defend effectively against cyberattacks, security experts need to move beyond the mental image of the lone hooded figure in a dimly lit basement with a filthy ashtray. Cybercrime today is strategic, commoditized, and collaborative, especially where there is money to be made.

Every attack is backed by strategic intent

Every piece of malware is released for a purpose, and there is always a plan for what it will do. First, cybercriminals reconnoiter your environment to gain access to it, looking for something they can steal and potentially resell to another person or organization. Once inside, an attacker quickly recognizes the value of whatever they can reach, even if they do not yet know what they will do with it.

During reconnaissance, attackers exploit misconfigurations or open ports, a task made easier by public CVE databases and free network scanners. A breach may also begin with stolen user credentials, which can be far simpler than identifying assets later.

Cyber weapons' black market is maturing at a rapid pace

An underground marketplace run by cybercriminals has developed over the years. Its tools have evolved from relatively inexpensive, low-tech products to advanced capabilities delivered through business models familiar from the legitimate market, such as software as a service (SaaS), which has made them far more accessible to buyers. This commoditization of hacking tools is what threat hunters have been observing recently.

Phishing kits, pre-packaged exploits, and website-cloning tools have long been common and widely used. These tools imitate the login pages that services such as Microsoft Office 365 or Netflix use for authentication, and they have been effective at harvesting passwords for many years. Over the past 20 years defenders have responded with pattern recognition, URL crawling, and threat intelligence sharing; through services such as VirusTotal, data on malicious files now reaches the security community almost immediately, within days of discovery. Adversaries are well aware of these defenses and have adapted to them.

Phishing: A New Methodology 

With the rise of multi-factor authentication (MFA), today's adversaries have found ways to subvert the verification step itself.

EvilProxy is a new type of phishing kit. Like earlier kits, it mimics the login page of the targeted website to trick users into entering their credentials. Unlike the one-off purchases of the past, however, it is sold by groups specializing in access compromise under a rental model: the operator rents out space on its own servers for fraud campaigns.

The operator hosts a proxy server and runs it much like a SaaS business. Access to the service costs about $250 for ten days. Beyond the rental income, the operator can analyze the information its customers collect and publish it on hacker forums, both to market the product and to compete with sellers of similar kits.

The redesigned model also includes several built-in protections against uninvited visitors to the phishing environment: bot protection to stop web crawlers from indexing the sites, virtualization detection to ward off analysts working from virtual machines (VMs), and automation detection to keep security researchers from crawling the kit's websites.

A scenario known as "Adversary in the Middle"

Because the kit acts as a reverse proxy that relays the genuine login page, the victim completes the MFA step normally, which makes the phishing attack hard to detect. Through the reverse proxy the adversary captures the username, the password, and the session cookie that the target website issues once MFA has succeeded. By replaying that session, the attacker can access the website as the user.

To the user, everything appears normal at first. Slight variations in the domain name make the URL look authentic, and because the proxy relays the real site, everything works as it should. Meanwhile the attacker has gained unauthorized access through that user's session, which they can exploit themselves or sell to the highest bidder.

What is the business model of the adversary? 

Malware and new phishing techniques alike are sold over the Internet. Some of it sits in a gray area near the line between legal and illegal: companies such as BreakingSecurity.net market their products as security software that gives enterprises remote surveillance tools.

Each tool is priced according to the result it is meant to achieve, and those results have a clear business intent: stealing credentials, mining cryptocurrency, demanding a ransom, or gaining the ability to snoop around a network's infrastructure and steal information.

Today, tool developers partner with buyers through affiliate programs. The scheme functions much like multi-level marketing: an affiliate who has a product to sell is directed to the affiliate company, which offers product guarantees and 24/7 customer support in exchange for a share of the profits. In this way the developers build a hierarchy and scale their business.

Chrome Extensions with 1M+ Installs Hijack Targets’ Browsers

Guardio Labs researchers have discovered Dormant Colors, a new malvertising campaign that delivers malicious Google Chrome extensions.

The extensions hijack searches and insert affiliate links into web pages. The campaign was dubbed Dormant Colors because the extensions offer color customization.

“It starts with the trickery malvertising campaign, continues with a crafty novel way to side-load the real malicious code without anyone noticing (until now!), and finally with stealing not only your searches and browsing data, but also affiliation to 10,000 targeted sites — a capability that is easily leveraged for targeted spear phishing, account takeover and credential extraction — all using this powerful network of millions of infected computers worldwide!” reads the post published by Guardio Labs.

By mid-October 2022 the researchers had found at least 30 variants of these extensions in both the Chrome and Edge web stores, with over a million installs in total. The extensions contain no malicious components in their initial state; the malicious snippets are added to the code later. The attack chain starts with malvertising messages that trick victims into clicking an install button, as shown in the researchers' video: after clicking 'OK' or 'Continue', victims are prompted to install a color-changing extension.

Once installed, the extensions redirect users to pages that side-load malicious scripts which alter browser behavior. The extensions hijack searches and return affiliate links in the results, letting the threat actors profit from traffic to those websites while also stealing data.

According to experts, these malicious extensions are more than just other search hijackers because they include "stealth modules for code updating and telemetry collection, as well as a backbone of servers harvesting data from millions of users." The collected data is used to categorize potential targets and select the best social engineering attack vectors to target and steal from them.

Dormant Colors' operations rely on affiliation with 10,000 targeted sites and a global network of millions of infected computers. The attackers add affiliate tags to the URL, and any purchases made on the site result in a commission for the operators. The researchers released a video that depicts affiliate hijacking for the shopping site 365games.co.uk. The video depicts the address bar being filled with data from affiliation sources. The same method can clearly be used to redirect victims to phishing pages in order to steal credentials for popular services such as Microsoft 365, online banking, and social media platforms.

“This campaign is still up and running, shifting domains, generating new extensions, and re-inventing more color and style-changing functions you can for sure manage without. Adding to that, the code injection technique analyzed here is a vast infrastructure for mitigation and evasion and allows leveraging the campaign to even more malicious activities in the future.” concludes the report that also includes Indicators of Compromise (IoCs) for this campaign. 

“At the end of the day, it’s not only affiliation fees being collected on your back, this is your privacy as well as your internet experience being compromised here, in ways that can target organizations by harvesting credentials and hijacking accounts and financial data. No extension that makes a fine-looking website look dark and ugly is worth it…”

Conti Group Exploited Vulnerable Microsoft Exchange Servers

According to cybersecurity consultancy Pondurance, the Conti ransomware gang is now using backdoors that remain active on on-premises Microsoft Exchange email servers that have since been patched.

Pondurance researchers stated, "Despite patching, thousands of devices might still be compromised". Conti appears to be targeting firms that patched the Exchange issues initially attacked by Chinese attackers but failed to detect and remove the backdoor access that had already been installed.

On March 4th, Microsoft released emergency fixes for four vulnerabilities in its on-premises Exchange email servers. The Biden administration officially accused a group working for China's Ministry of State Security in July of running a string of attacks against vulnerable Microsoft Exchange email servers this year that disrupted thousands of firms in the United States and around the globe. 

The US has not sanctioned China for its aggressive cyber operations; Anne Neuberger, the US deputy national security advisor for cyber and emerging technologies, stated last week that the US is first aiming to establish an international consensus on how to respond.

Meanwhile, Chinese advanced persistent threat organizations have been discovered abusing vulnerabilities in Microsoft Exchange servers to breach telecommunications provider networks in Southeast Asia in an attempt to capture confidential communications from customers. 

The Pondurance researchers discovered one instance in which an unlicensed and exploited remote monitoring and management agent was deployed on an on-premises Exchange server. 

"The unauthorized RMM tool remained present on the victim machine for approximately four months and granted the ability for remote interaction with the victim machine," Pondurance says. "In July, the RMM tool was used by outside actors to install additional malicious frameworks, including Cobalt Strike. The resulting actions concluded with the installation of Conti ransomware." 

According to the researchers, the company patched Exchange without first ensuring that any previously established backdoor access had been deleted. 

"Pondurance recommends searching for unauthorized ScreenConnect services installed on on-premises Exchange servers that were vulnerable to [the flaw exploit] at some point," Pondurance stated.

"These services should be present within the registry and would have generated 'Service Created' event logs (event ID 7045) at the time of install in March 2021. You may also find ScreenConnect-related folders created in the filesystem under 'C:\ProgramData,' 'C:\Program Files (x86),' and 'C:\Windows\Temp.'"
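A hunt for the three artefact classes named in the quote above, written here as an added example and not Pondurance's or the article's own tooling. It assumes that leftover services, 7045 event messages and dropped folders carry the string "ScreenConnect" and that the drop locations are the three the quote lists.

```powershell
# Added example: look for ScreenConnect remnants on an on-premises Exchange host.
# Assumes an elevated PowerShell session on the server being checked.
$pattern  = 'ScreenConnect'
$findings = @()

# 1. Services registered under HKLM\SYSTEM\CurrentControlSet\Services
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($_.PSChildName -match $pattern -or
            $svc.DisplayName -match $pattern -or
            $svc.ImagePath   -match $pattern) {
            $findings += [pscustomobject]@{
                Source = 'Registry'
                Detail = "$($_.PSChildName) -> $($svc.ImagePath)"
            }
        }
    }

# 2. 'Service Created' events (System log, ID 7045) from the March 2021 patch window onward
$since = Get-Date '2021-03-01'
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    ForEach-Object {
        # Keep only the message lines that name the service or its binary
        $lines = $_.Message -split "`r?`n" | Where-Object { $_ -match $pattern }
        $findings += [pscustomobject]@{
            Source = 'EventLog'
            Detail = "$($_.TimeCreated): " + ($lines -join '; ')
        }
    }

# 3. Folders under the drop locations named in the Pondurance quote
$roots = @($env:ProgramData, ${env:ProgramFiles(x86)}, "$env:SystemRoot\Temp")
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Source = 'FileSystem'
                Detail = "$($_.FullName) (created $($_.CreationTime))"
            }
        }
}

if ($findings.Count -eq 0) {
    Write-Output "No $pattern artefacts found on $env:COMPUTERNAME."
} else {
    $findings | Format-Table -AutoSize
}
```

A hit is not proof of compromise on its own: a legitimately licensed ScreenConnect agent matches the same patterns, so compare every finding against change records before treating it as the backdoor the article describes.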

Fat Face, a British clothing and accessory retailer, paid Conti a $2 million ransom in March to unlock its computers after Conti accessed numerous files containing sensitive data. The group has also been linked to healthcare-related attacks: after a Conti ransomware assault on Ireland's Health Service Executive in May, the FBI warned healthcare institutions and first responder networks to take precautions against becoming victims.

Furthermore, after complaining about the profit share, a dissatisfied Conti affiliate reportedly released important training material from the ransomware group. Conti, a ransomware-as-a-service group, recruits affiliates to hack networks and encrypt devices in exchange for a cut of the ransom money.

According to Bleeping Computer, a security researcher published a post written by an outraged Conti affiliate who publicly exposed information about the ransomware campaign. 

According to the study, this information contains IP addresses for Cobalt Strike C2 servers as well as a 113 MB package including many tools and training materials for conducting ransomware operations. As per the Bleeping Computer report, the affiliate also wrote on a prominent Russian-speaking hacking site claiming he had been paid $1,500 as part of an attack, while the gang members made millions.

Operations of the LockBit Ransomware Group: A Quick Look

Researchers have investigated how LockBit, one of the newer ransomware groups, operates.

Incidents this year have shown ransomware to be one of the most disruptive forms of cybercrime. So far, the world has witnessed the Colonial Pipeline ransomware crisis, which caused fuel shortages across sections of the United States; continuing disruption of Ireland's national health care; and systematic interruption at the meat-processing giant JBS.

By 2031, ransomware assaults are expected to cost $265 billion globally, and settlements are now routinely in the millions of dollars, as in the case of JBS. However, there is no guarantee that decryption keys are suitable for their intended use, or that paying once guarantees that a business will not be targeted again. 

According to a Cybereason report issued this week, up to 80% of organisations that were victimised by ransomware and paid the ransom have experienced a second attack, possibly by the same threat actors. 

The danger of ransomware to businesses and essential infrastructure has grown to the point where it was brought up during a meeting between US President Joe Biden and Russian President Vladimir Putin at the Geneva summit. 

Prodaft Threat Intelligence (PTI) published a study (.PDF) on LockBit and its affiliates on Friday. 

According to the study, LockBit, which was previously known as ABCD, uses a RaaS model to give affiliate groups a central control panel where they can produce new LockBit samples, monitor their victims, make blog articles, and view statistics on the success — or failure — of their attacks. 

LockBit affiliates frequently purchase Remote Desktop Protocol (RDP) access to servers as an initial attack vector, but they may also use traditional phishing and credential-stuffing approaches.

"Those kinds of tailored access services can be purchased in as low as $5," Prodaft says, "making this approach very lucrative for affiliates." 

Exploits are also used against vulnerable systems, including unpatched Fortinet VPN vulnerabilities on victim machines. Forensic studies of machines attacked by LockBit affiliates show that the threat groups typically try to find "mission-critical" systems first, such as NAS devices, backup servers, and domain controllers. Data is then exfiltrated, with packages typically uploaded to services such as MEGA's cloud storage platform.

After that, a LockBit sample is installed manually and files are encrypted with a generated AES key. Backups are erased, and the system wallpaper is replaced with a ransom note linking to a .onion address where decryption software can be purchased. The site also offers a free decryption 'trial' in which one file (under 256KB in size) can be decrypted.

If victims contact attackers, a chat window in the LockBit panel is used to communicate with them. The ransom demand, payment date, method (typically in Bitcoin (BTC)), and directions on how to obtain bitcoin are frequently discussed. Prodaft gained access to the LockBit panel, which revealed affiliate usernames, victim counts, registration dates, and contact information. 

The study team stated that evidence in the affiliate names and addresses indicates that some may also be linked with Babuk and REvil, two other RaaS groups; the inquiry is still ongoing.

LockBit affiliates look for an average of $85,000 from each victim, with 10 to 30% of that going to the RaaS operators, and the ransomware has attacked thousands of machines around the world. The software and services industry accounted for more than 20% of the victims on the dashboard. 

"Commercial and professional services as well as the transportation sector are also highly targeted by the LockBit group," Prodaft says. "However, it should be noted that the value of the ransom is determined by the affiliate after various checks using online services. This value does not solely depend on the sector of the victim."

LockBit's leak site was unavailable at the time of publication. After breaking into LockBit's systems, the researchers decrypted the files of all victims accessible through the platform.