
Think You're Safe? Cyberattackers Are Exploiting Flaws in Record Time



Attackers are exploiting software vulnerabilities at an unprecedented pace, Mandiant reports. According to the cybersecurity firm's newly released report, which analysed 138 vulnerabilities exploited in 2023, attackers began exploiting a vulnerability on average just five days after it became known. Because of this speed, it has become paramount for organisations to apply system updates quickly. The study, published on the Google Cloud blog, shows that this trend has sharply reduced the time attackers need to exploit both previously unknown vulnerabilities, known as zero-days, and already known ones, called N-days.

Speed in the Exploitation Going Up

According to Mandiant's research, the time-to-exploit, a statistic giving the average number of days attackers take to exploit a disclosed vulnerability, has been falling rapidly. In 2018 it took attackers nearly 63 days to exploit a vulnerability; in 2023 it took merely five. Attackers are becoming far more efficient at exploiting security flaws before developers and administrators can patch them.

Zero-Day and N-Day Vulnerabilities

The report distinguishes zero-day vulnerabilities, undisclosed and unpatched flaws that attackers exploit immediately, from N-day vulnerabilities, already known flaws that attackers target after patches have been released. In 2023 the mix of vulnerabilities attackers targeted shifted, with the split between N-day and zero-day exploitation moving to 30:70 in favour of zero-days. This trend shows that attackers now prefer zero-day exploits, presumably because they grant access to systems and sensitive data before the vulnerability is known to anyone else.

Timing and Frequency of Exploitation

The report also shows that N-day vulnerabilities are most at risk during the first few weeks after a patch is released. Of the observed N-day exploitations, 56% began within the first month after the patch was released; 5% began within one day of the patch release and 29% within the first week. This pace is why organisations need to apply patches as soon as they become available.
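To make the time-to-exploit metric concrete, here is an added example (not from Mandiant's report or the original post) that computes it over a small set of constructed disclosure and first-exploitation dates, classifies zero-days versus N-days, buckets N-day exploitation by the one-day, one-week and one-month windows the report uses, and checks which flaws would have been hit before a given patch SLA elapsed. The convention that a negative time-to-exploit marks a zero-day is an assumption made here.

```python
from datetime import date
from statistics import mean

# Constructed sample records, not data from the Mandiant report:
# (label, date the patch/disclosure became public, date exploitation was first observed).
SAMPLE_VULNS = [
    ("VULN-A", date(2023, 3, 1), date(2023, 2, 20)),   # exploited before disclosure
    ("VULN-B", date(2023, 4, 10), date(2023, 4, 10)),  # exploited the day the patch shipped
    ("VULN-C", date(2023, 5, 2), date(2023, 5, 5)),    # three days after the patch
    ("VULN-D", date(2023, 6, 12), date(2023, 6, 30)),  # eighteen days after the patch
    ("VULN-E", date(2023, 7, 1), date(2023, 9, 15)),   # seventy-six days after the patch
]


def time_to_exploit(disclosed, first_exploited):
    """Days from public disclosure/patch to first observed exploitation.

    Negative values mean the flaw was exploited while still undisclosed,
    i.e. a zero-day under the convention assumed in this example.
    """
    return (first_exploited - disclosed).days


def classify(tte_days):
    """Zero-day if exploited before disclosure, otherwise N-day."""
    return "zero-day" if tte_days < 0 else "n-day"


def summarize(records):
    """Average TTE, zero-day share, and how soon N-days are exploited after a patch."""
    ttes = [time_to_exploit(d, e) for _, d, e in records]
    n_days = [t for t in ttes if t >= 0]

    def share(limit_days):
        # Fraction of N-day exploitation that began within `limit_days` of the patch.
        return sum(1 for t in n_days if t <= limit_days) / len(n_days)

    return {
        "avg_tte_days": mean(ttes),
        "zero_day_share": (len(ttes) - len(n_days)) / len(ttes),
        "n_day_within_1_day": share(1),
        "n_day_within_7_days": share(7),
        "n_day_within_30_days": share(30),
    }


def exploited_before_sla(records, sla_days):
    """Labels of flaws whose exploitation began before a patch SLA of `sla_days` elapsed.

    Zero-days always qualify: no SLA measured from disclosure can beat them.
    """
    return [label for label, d, e in records if time_to_exploit(d, e) < sla_days]
```

With the constructed data, a seven-day patch SLA still leaves three of the five flaws exploited before patching completes, illustrating why the report stresses the first days after release.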

Widening Scope for Attack Targets

Over the past ten years, attackers have greatly widened the scope of their attacks by targeting a growing list of vendors. According to the report, the number of vendors targeted rose from 25 in 2018 to 56 in 2023. This widening adds to the burden on security teams, who now face a significantly expanded attack surface and a growing likelihood of attacks across many systems and software applications.


Case Studies Exposing Different Exploits

Mandiant published case studies showing how attackers exploit vulnerabilities. One example is CVE-2023-28121, a vulnerability in the WooCommerce Payments plugin for WordPress disclosed in March 2023. Although it had not been exploited before, it was heavily exploited once technical details of how to exploit the flaw were published online. Attacks started a day after a weaponized tool was released, peaking at 1.3 million attacks in a single day. This rapid growth shows how quickly certain vulnerabilities become popular with attackers once exploitation tools are widely available.


CVE-2023-27997, a vulnerability in the SSL VPN component of Fortinet's FortiOS, followed a different timeline. Even though media coverage was extensive when the vulnerability first came to light, attackers took about two to three months before exploiting it. This is probably because the exploit is difficult to carry out and requires intricate techniques. By contrast, exploiting the WooCommerce plugin was far easier, requiring only the presence of a particular HTTP header.

Complexity of Patching Systems

While timely patching is essential, it is not easy, especially when rolling patches out across large estates. Fred Raynal, CEO of Quarkslab, said that patching two or three devices is feasible, but patching thousands of them requires a great deal of coordination and resources. Patching is also immensely complex on devices such as mobile phones, where an update has to pass through multiple layers before it finally reaches the user.

Some critical systems, such as energy platforms or healthcare devices, are even harder to patch than others. In such systems, reliability and uninterrupted operation may take priority over security updates. According to Raynal, companies in some instances even ban patching because of the risk of operational disruption, leaving some devices with known vulnerabilities unpatched.

The Urgency of Timely Patching

Mandiant says this attack timeline means organisations face attackers exploiting vulnerabilities faster than ever before. The report concludes that staying ahead of attackers requires more than timely patching alone if the increasingly complex, multi-layered systems that make up more and more of the world's digital infrastructure are to be secured.


Basta Ransomware Culprits Revealed by Mandiant Investigation



An extortion campaign launched early this year by a previously unidentified hacking group uses the Basta ransomware to lock victims out of their files. The campaign was discovered by Google Mandiant, which tracks the group as UNC4393. Since the beginning of the year, UNC4393 has been notorious for infecting targets with the Basta ransomware, but over the past 12 months it has significantly changed how it gains access to its victims.

Previously, the group relied almost exclusively on existing Qakbot infections, typically delivered through phishing emails, to gain initial network access. After U.S. law enforcement took down the Qakbot infrastructure last year, the group briefly switched to the DarkGate malware as an initial access loader to set up its backdoor, before turning to SilentNight as the backdoor in this year's attacks.

Mandiant noted, "There are hundreds of victims of the Basta ransomware that are listed on the data leak sites, and this appears to be credible, given UNC4393's rapid operational speed." The group also takes only about 42 hours to ransom a victim. UNC4393 has demonstrated its ability to conduct reconnaissance quickly, exfiltrate data, and promptly complete its objectives.

Besides SilentNight, the group has employed other initial access tactics. In campaigns in February, UNC4393 used stolen credentials as well as brute-force attacks in attempts to deploy ransomware, extort victims, and steal data. SilentNight also features a plug-in framework that provides flexible attack functionality, such as screenshot capture, keylogging, access to cryptocurrency wallets, and manipulation of web browsers, which attackers can use to target credentials.

The backdoor was first observed in 2019, briefly reappeared for a few months in 2021, and then went undetected again until recently. Hacking groups rely on initial access brokers to gain access to networks worldwide. Two such affiliates, which Mandiant tracks as UNC2500 and UNC2633, compromise networks primarily through phishing emails that deliver QakBot.

Based on their analysis of the affiliates' operations, the researchers have determined that the actor is most likely linked to the now-defunct Trickbot and Conti organizations. For initial access, the group began relying on another malware variant called DarkGate, which was found to be more sophisticated than the malware the FBI and other international law enforcement agencies had previously disrupted.

The changes to UNC4393's initial entry points reveal the long-term effects of the August 2023 takedown of the Qakbot botnet, which damaged the group's access vectors. The Qakbot takedown has had wide-ranging effects across the threat landscape, reaching beyond Basta (also known as Black Basta) to other operations not directly related to it, such as those associated with REvil and Conti.

A Chainalysis study earlier this year examined the impact of several law enforcement disruptions on threat groups. Chainalysis found that the Qakbot takedown caused "substantial operational friction" for ransomware groups, but that they eventually adapted by switching to new malware families.

The report identified a significant decline in Black Basta ransomware payments coinciding with the Qakbot takedown. Nevertheless, activity resumed after several months, suggesting that the threat groups behind Black Basta adapted to using new malware. Mandiant researchers observed a steady decline in the number of Basta victims between March and July this year, positing that this decrease may reflect challenges in securing a consistent stream of initial access. 

Genevieve Stark, Mandiant's Manager of Cybercrime Analysis for Google Cloud, remarked that the overall professionalization and commoditization of cybercrime within underground communities have fostered resilience, enabling threat actors to seamlessly transition from one service or partner to another. Stark further explained, "Since the August 2023 law enforcement takedown, threat actors previously distributing Qakbot have largely shifted to alternative malware families or ceased operations. 

For instance, while limited UNC2500 Qakbot activity was observed in early 2024, this threat actor has predominantly deployed Pikabot. It is also possible that UNC2500 is diversifying its operations, as evidenced by May campaigns leading to credential phishing sites and February activities designed to harvest NTLMv2 hashes. Although UNC2500 remains active, its overall activity volume has decreased. Additionally, UNC2633, a Qakbot distribution cluster closely affiliated with UNC2500, has seemingly been inactive since the takedown." 

After gaining initial access, UNC4393 uses several open-source network mapping tools, including BloodHound, AdFind, and PSnmap, to analyse the victim's network. The attackers use stolen credentials and brute-forcing to authenticate to externally facing network appliances or servers. Initially the group deployed Basta manually, but it later adopted Knotrock, a custom .NET-based utility, to deliver it.

Knotrock provides capabilities such as rapid encryption during large-scale attacks. In one instance, researchers observed the group using SilentNight, a malware variant inactive since 2023, to gain persistence and evade security detection. The recent surge in SilentNight activity, which began earlier this year, has primarily been delivered via malvertising, marking a notable shift away from phishing as UNC4393's sole method of initial access.

Beyond the shifts in initial access, UNC4393's changes to its tactics, techniques, and procedures (TTPs) this year demonstrate the group's adaptability to the cybercrime landscape. The group has increasingly turned to custom malware development rather than relying on publicly available tools. Mandiant researchers report responding to over 40 separate UNC4393 intrusions across 20 industry verticals since 2022, a relatively small number compared with the roughly 500 victims the ransomware group claims on its leak site.

The researchers noted, "While UNC4393's TTPs and monetization methods remain relatively consistent with previous operations, the group appears to be diversifying its initial access sources. Its evolution from opportunistic Qakbot infections to strategic partnerships with initial access brokers underscores a willingness to diversify and optimize its operations."