Tag Archives: Labs

Ransomware Groups Demystified: CyberVolk Ransomware

Post Syndicated from Rapid7 Labs original https://blog.rapid7.com/2024/10/03/ransomware-groups-demystified-cybervolk-ransomware/

Ransomware Groups Demystified: CyberVolk Ransomware

As part of our ongoing efforts to monitor emerging cyber threats, we have analyzed the activities of CyberVolk, a politically motivated hacktivist group that transitioned into using ransomware and has been active since June 2024. Unlike traditional ransomware groups, CyberVolk initially positioned itself as a hacktivist organization, and then started to use ransomware as a tool for retaliation. The group openly declares allegiance to Russia and operates within a broader hacktivist movement, launching attacks in response to geopolitical events. This report offers an in-depth analysis of CyberVolk’s ransomware tactics, underlying motivations, and technical behaviors.

Rapid7 Labs has an ongoing commitment to help organizations understand and mitigate risk from the complex world of ransomware, and this includes highlighting these newer groups. In this post we’re going to focus on CyberVolk’s shift from a hacktivist group to one that now uses ransomware as a key tool in its operations.

Intro to the CyberVolk group

CyberVolk emerged in June 2024 as a hacktivist group associated with pro-Russian activities. Before settling on its current identity it went through several name changes. Initially known as GLORIAMIST India on March 28, 2024, the group rebranded itself as Solntsevskaya Bratva on June 10, 2024. However, this name was short-lived, and on June 23, 2024, the group adopted the name CyberVolk. Their operations escalated after the arrest of members from the hacktivist group NoName57(16), known for targeting NATO-aligned countries. In response, CyberVolk, alongside more than 70 affiliated hacktivist groups, launched coordinated Distributed Denial of Service (DDoS) and ransomware attacks against Spain, which had arrested the NoName57(16) members. These attacks are part of a broader strategy to retaliate against governments opposing Russian interests.

Ransomware Groups Demystified: CyberVolk Ransomware
Figure 1: CyberVolk’s name rebranding form March-June 2024

CyberVolk uses a combination of ransomware and DDoS attacks to undermine their targets. Spanish institutions have been a primary focus, with 27 entities reportedly affected since the campaign began.

This isn’t the first time a hacktivist group has taken a stroll down the dark side. Just last year, we covered the GhostLocker group, which made an attempt to transition from the hacktivist realm to ransomware-as-a-service (RaaS). Side bar: their debut into the ransomware world didn’t exactly go as planned. After realizing that success in the RaaS game wasn’t in their best interest, they swiftly pivoted back to their old hacktivist ways, likely with a sigh of relief. But let’s go back to the CyberVolk (with “Volk” meaning “wolf” in Russian).

Technical analysis of CyberVolk ransomware

We analyzed a sample of the CyberVolk ransomware.

| SHA256 | 102276ae1f518745695fe8f291bf6e69856b91723244881561bb1a2338d54b12 |

CyberVolk follows a standard execution flow typical to ransomware strains. One of the first actions it takes is saving an image file tmp.bmp to C:\Users\USER\AppData\Local\Temp\tmp.bmp and changing the victim’s desktop wallpaper — interestingly, this occurs before any files on the system are encrypted.

The ransomware then creates multiple threads to handle various tasks, including:

  • User interaction: A thread manages the interaction with the victim, displaying dialog boxes for the ransom message, decryption key entry, and cryptocurrency payment options for BTC (Bitcoin) and USDT ERC20. The addresses used are:
  • BTC: bc1q3c9pt084cafxfvyhn8wvh7mq04rq6naew0mk87
  • USDT: TXarMAbSLLmStn4RZj63cTH7tpbodGNGbZ At the time of writing, the BTC wallet had a balance of 0, and the USDT wallet held 34.79 USDT.
  • Task manager monitoring: Another thread checks repeatedly if Task Manager is running by searching for a window with the class name “TaskManagerWindow.” If found, it attempts to kill the process by sending a WM_CLOSE message. This action requires the ransomware to run with escalated privileges.
  • File scanning and encryption: CyberVolk performs a systematic scan of all available drive letters (from a to z) to identify valid drives for encryption. Once the encryption routine is triggered:
  • Files on the infected system are encrypted and given the .cvenc extension.
  • The ransomware methodically scans directories and subdirectories, encrypting files as it proceeds.
  • Decryption key management: After encrypting the files, CyberVolk presents the victim with an interface to input a decryption key following ransom payment. Here’s how the decryption process works:
  • Key validation: The ransomware checks if the entered decryption key is exactly 36 characters long. However, despite the full key being 36 characters, only the first 16 characters are passed to a substitution function that transforms part of the key using a predefined substitution table.
  • Substitution function: The function processes multiple encrypted string arrays and performs character substitution based on a preset character set. It compares each character from the first 16 characters of the entered key with encrypted string arrays and replaces them using the substitution table.
  • Writing the key: The transformed output is written to a file named dec_key.dat, which is then used to complete the decryption process. If the decryption key passes all checks, the ransomware decrypts the files.
  • Cleanup: After successful decryption, it removes files like dec_key.dat and time.dat from C:\Users\USER\AppData\Roaming\ to cover its tracks.
Ransomware Groups Demystified: CyberVolk Ransomware
Figure 2: CyberVolk dialog window

Experiment: Decryption key testing with CyberVolk ransomware

As part of a small experiment, we attempted to execute the CyberVolk ransomware with a pre-created dec_key.dat file placed in C:\Users\USER\AppData\Roaming\. This file contained hardcoded strings we found in the code, such as fc99bb1c28a5ae006e567faf4cfc0d707c1528e and ce12f0967bd216d248cafda3d46ad1368d9f3dee.

Upon running the malware, the presence of the file successfully triggered the decryption routine. However, despite the original file names being restored, the files themselves were empty.

In another experiment, we manually entered 36 random characters into the decryption key dialog box. Again, this triggered the decryption process, and although the file names were restored, the files remained empty.

Additionally, the ransomware claims that it will delete files if an incorrect decryption key is entered. We tested this by entering an invalid key (aaaa). The malware displayed a warning, but when we proceeded, all files remained encrypted, and none were deleted.

Ransomware Groups Demystified: CyberVolk Ransomware
Figure 3: Correct key warning

CyberVolk’s decryption routine seems to have a weakness in its validation process, allowing it to proceed with decryption even with incorrect or random keys. However, without the correct key, the files are rendered unusable, suggesting that the key validation might only partially function or that the ransomware is designed to deceive victims into thinking decryption is occurring, when in reality, the files remain damaged. This could be a design flaw or a deliberate tactic to further frustrate victims.

The fact that files are not deleted as promised when an incorrect key is entered also indicates a discrepancy between the ransomware’s claims and its actual behavior. This could either be a design flaw or a deliberate tactic to further confuse and frustrate victims. Ultimately, even if the ransomware initiates decryption, without the correct key, files remain damaged and unusable.

Ransom note

After encryption, a file named CyberVolk_ReadMe.txt is placed in every affected folder. The ransom note contains the following message:

All your files have been encrypted by CyberVolk ransomware.
Do not attempt to recover your files without the decryption key, which I will provide after you make the payment.
Failure to do so may result in your files being permanently lost.
Follow my instructions carefully.

Payment Details:
Transfer $1000 in Bitcoin to the following address.
You can contact me via Telegram: @hacker7
Our team is available at https:[//]t.me/cubervolk. We look forward to receiving your payment.

The ransom note directs victims to a non-existing channel https:[//]t.me/cubervolk. Looks like the ransomware creators were in such a rush to demand the ransom that they forgot to double-check their own link.

Code reuse from Babuk ransomware

Our comparison of CyberVolk and Babuk ransomware using BinDiff revealed some similarities, particularly in cryptographic routines and system-level interactions. For example, the function CryptAcquireContextW and other cryptographic setups show significant overlap between the two, indicating that CyberVolk’s developers likely reused Babuk’s encryption framework.

However, CyberVolk has added unique functionality, such as:

  • Anti-analysis techniques: Efforts to evade detection through Task Manager termination.
  • AES encryption: Unlike Babuk, CyberVolk incorporates the AES encryption algorithm, enhancing its cryptographic capabilities and further differentiating the two strains.

Conclusion

CyberVolk ransomware shows off the usual ransomware tricks complete with a few bugs for good measure. By reusing some of Babuk’s code — particularly in its cryptographic routines — it’s clear that ransomware authors are getting creative with their remix skills, building on old frameworks to make their threats just a little more polished.CyberVolk also introduces some original features, such as attempting to terminate system processes like Task Manager. It succeeds in this task when run with elevated privileges.

Our decryption tests revealed that ransomware has some flaws. CyberVolk’s key validation is weak enough that even random keys trigger the decryption routine, though files remain unusable without the correct key. Despite its warnings about deleting files if an incorrect key is entered, we found that files remained encrypted but were not deleted, highlighting a gap between what the ransomware claims and what it actually does.

Still, CyberVolk has caused significant disruption, particularly in Spain. With its mix of DDoS and ransomware attacks, it’s becoming a more serious threat. As the group refines its tactics, cybersecurity professionals should keep a close eye on its continued evolution.

Cybersecurity professionals should keep this ransomware on their radar. Despite its bugs, CyberVolk is evolving and has already proven effective, causing significant damage to entities in Spain. It adds enough new tricks to the traditional ransomware formula to evade detection and create serious headaches for its victims.

Read up on additional ransomware groups and get other insights from Rapid7 Labs here.

Ransomware Groups Demystified: Lynx Ransomware

Post Syndicated from Rapid7 Labs original https://blog.rapid7.com/2024/09/12/ransomware-groups-demystified-lynx-ransomware/

Ransomware Groups Demystified: Lynx Ransomware

As part of our research and tracking of threats, Rapid7 Labs is actively monitoring new and upcoming threat groups and the ransomware domain is known for having a large number of them. In the Ransomware Radar Report, Rapid7 Labs shared the observation that in the first half of 2024, 21 new or rebranded ransomware groups surfaced. Many of those are not immediately coming into the spotlight as abusing some fancy new or recently discovered vulnerability, or — as we measure activity — posting a large number of data leaks.

Rapid7 Labs has an ongoing commitment to help organizations understand and mitigate the complex world of ransomware, and this includes highlighting these newer groups. In this post we’re going to focus on the recently-emerged Lynx ransomware group.

Intro to the Lynx group

The Lynx ransomware group was identified in July 2024, and has claimed more than 20 victims in various industry sectors to date. The group is using both single and double extortion techniques against their victims; however, they claim to be “ethical” with regards to choosing victims, according to their press release on July 24th:

“Lynx Ransomware core motivation is grounded in financial incentives, with a clear intention to avoid undue harm to organizations. We recognize the importance of ethical considerations in the pursuit of financial gain and maintain a strict policy against targeting governmental institutions, hospitals, or non-profit organizations, as these sectors play vital roles in society.”

When a victim has been hit, the infamous readme.txt surfaces on desktops and contains the link to the Tor site of Lynx and the ID needed to enter the portal:

Ransomware Groups Demystified: Lynx Ransomware

Along with the portal for victims to log in, the group is hosting a public blog and also a leaks page where victims are showcased in an attempt to enforce payment.

Analyzing Lynx ransomware

In order to conduct our analysis, we took a sample that had been observed being used in August 2024.

Ransomware Groups Demystified: Lynx Ransomware

Underground rumors claim that the Lynx group has purchased the source code from another group Rapid7 tracks: INC ransomware. When conducting a binary diff on the samples of Lynx and INC ransomware, the overall results show a 48 percent similarity score, where the functions have a score of 70.8 percent:

Ransomware Groups Demystified: Lynx Ransomware

Based on the diff and some other comparisons we conducted, there are overlaps in functions and arguments, but in our opinion not enough to prove fully that Lynx was derived from INC ransomware’s source code.

An initial look at the Lynx ransomware sample finds that in the code, three URLs stand out as already pointing to suspicious sites:

hxxp://lynxblog[.]net/

hxxp://lynxch2k5xi35j7hlbmwl7d6u2oz4vp2wqp6qkwol624cod3d6iqiyqd[.]onion/login

hxxp://lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd[.]onion/disclosures

In addition, the ransomware has several command line options to run:

Ransomware Groups Demystified: Lynx Ransomware

Inside the ransomware, the readme.txt — aka the ransomware notification — is hidden using Base64 to decode the message. The ID to log into the portal will be generated, but overall the note is similar to other ransomware notes:

Your data is stolen and encrypted.

Download TOR Browser to contact with us.

ID

~ %id%

Chat site:

~ TOR Network: http://lynxchatly4zludmhmi75jrwhycnoqvkxb4prohxmyzf4euf5gjxroad.onion/login

~ TOR Mirror #1: http://lynxchatfw4rgsclp4567i4llkqjr2kltaumwwobxdik3qa2oorrknad.onion/login

~ TOR Mirror #2: http://lynxchatohmppv6au67lloc2vs6chy7nya7dsu2hhs55mcjxp2joglad.onion/login ~ TOR Mirror #3: http://lynxchatbykq2vycvyrtjqb3yuj4ze2wvdubzr2u6b632trwvdbsgmyd.onion/login

Key ransomware functionalities:

1.Process and Service Management:

  • The ransomware attempts to kill various system processes and services using methods like the RestartManager. It specifically targets services that might hinder the encryption process, such as backup-related services.
  • It enumerates and stops dependent services and processes, utilizing system APIs such as EnumDependentServicesW and ControlService.

2.Shadow Copy Deletion:

  • A major target of this ransomware is deleting volume shadow copies, which are often used to restore data. The string “Successfully delete shadow copies from %c:” suggests the use of vssadmin or other similar commands to ensure backup files are removed.

3.File Encryption:

  • It encrypts files across the system, including network shares and drives (Encrypt network shares, Load hidden drives). The use of terms like “Encrypting file: %s” and “Encrypt only specified directory” indicates the ransomware can focus on specific folders or file types, increasing its precision.
  • There is also the ability to encrypt only selected files, directories, or network shares based on configuration (–file, –dir <dirPath>, –encrypt-network).

Lynx: Ones to watch

While the Lynx ransomware group says it takes an “ethical” stance, there is no scenario where attacking and extorting victims can be viewed in that way. Lynx’s aggressive targeting and dual extortion tactics make them a threat to watch. With overlaps in functionality between Lynx and INC ransomware, the potential for source code sharing and evolution among ransomware groups remains a critical concern for defenders.

As organizations navigate these threats, it’s crucial to stay vigilant, invest in robust security measures, and be prepared to respond quickly to ransomware incidents. Rapid7 Labs will continue to monitor and analyze the activities of groups like Lynx to provide timely insights and actionable intelligence for the community.

Rapid7’s Ransomware Radar Report Shows Threat Actors are Evolving …Fast.

Post Syndicated from Tom Caiazza original https://blog.rapid7.com/2024/08/06/rapid7s-ransomware-radar-report-shows-threat-actors-are-evolving-fast/

Rapid7’s Ransomware Radar Report Shows Threat Actors are Evolving …Fast.

Few issues keep cybersecurity professionals up at night more than the threat of ransomware. The ubiquity of targets, the relative organization of threat actors, and their multiple paths of entry make combating ransomware particularly formidable.

But there is one more facet to this threat that makes ransomware a vexing problem across all organizations: it’s evolving, constantly.

In a new report released today by Rapid7 Labs, researchers, threat intelligence experts, and detection & response teams have put together the latest state-of-play in the ransomware space. The Ransomware Radar Report offers some startling insights into who ransomware threat actors are and how they’ve been operating in the first half of 2024.

The fact of the matter is, ransomware as a business is booming. Over the first half of 2024, Rapid7 researchers found an increase of 23% in the number of posts ransomware groups were making to their leak sites. This correlates with the amount of extortion attempts these groups are attempting as they are rarely quiet about who they infiltrate. Surprisingly, one of the newest groups, RansomHub, made the second-most number of posts among the groups studied, with 181 over that six-month period. But, to put that into perspective, the leader, well-established LockBit, made 474 posts over the same time period.

This leads us to another intriguing finding: the number of new (or revamped) ransomware groups. We found that among a total of 68 unique groups posting extortion attempts, some 21 were either net new or rebranded from previous groups. The rebranded groups may indicate a bit of a silver lining as they are potentially due to the success of some recent law enforcement actions against ransomware threat actors.

However, threat actors are only half of the equation. The report also notes that the ransomware ecosystem may be moving away from the attacks on “big fish” we had seen in the past and toward smaller organizations as juicier targets. For instance, organizations with $5 million in annual revenue were five times more likely to be targeted than their larger counterparts. This could be for a lot of reasons, not the least of which is that these smaller organizations contain many of the same data threat actors are after, but they often have less mature security precautions in place.

Ransomware actors are also getting more sophisticated as businesses. They have their own marketplaces, sell their own products, and in some cases have 24/7 support. They also seem to be creating an ecosystem of collaboration and consolidation in the kinds of ransomware they deploy. Rapid7 researchers looked at different ransomware variants and found three distinct clusters of similarities. Essentially, many of these ransomware strains resemble one another. This could indicate collaboration among groups, reuse of source code, or the use of common builders. Other research avenues indicated that the number of ransomware families is going down — potentially showing that threat actors are focusing their efforts on more effective or specialized approaches.

The takeaways in this blog post are only the tip of the iceberg. The Ransomware Radar Report goes deep into the kinds of encryption algorithms that are trending at the moment and why, details on prevailing coding languages, and the varied tactics threat actors use to infiltrate organizations. To get the latest on ransomware and ensure your organization is well-informed and prepared for the fight against these threat actors, download the report here.

Defending Against APTs: A Learning Exercise with Kimsuky

Post Syndicated from Raj Samani original https://blog.rapid7.com/2024/07/16/defending-against-apts-a-learning-exercise-with-kimsuky/

Defending Against APTs: A Learning Exercise with Kimsuky

The “evolving threat landscape” is a term we often hear within webinars and presentations taking place across the cybersecurity industry. Such a catch-all term is intended to capture the litany of threat groups and their evolving tactics, but in many ways it fails to truly acknowledge the growth in their capabilities. This is particularly true of APT groups who have for years demonstrated a remarkable increase in their capabilities to remain undetected and carry out instructions from those orchestrating the broader campaigns under which they operate.

The latest research paper coming out of Rapid7 Labs examines the tactics of North Korea’s Kimsuky threat group. It is published to serve as a learning on the evolving capabilities of a highly adept and industrious threat group, and, more importantly, to provide the necessary insights for supporting security teams in the implementation of defensive strategies.

In this post I will cover some of the key insights to be found in this new research.

Targeting capabilities

The paper details Kimsuky’s delivery method as largely focused on email, but of course, a key component of this is determining who to target and what the most effective lure is likely to be. Historically, this threat group has been particularly successful at the latter with considerable time and expense taken to identify “individuals” on whom their attention should be focused.

It is all too easy to shrug and comment on the need for security awareness as the panacea control to prevent all such initial entry vectors. The reality is that we all remain susceptible, given the right hook. And the ability of this threat group to target and compromise individuals around the globe reveals an alarming level of capability to elicit a response from victims.

Evolving technical capabilities

As detailed earlier this year, we are seeing technical innovation borne from the need to evade security controls within the victim environment. In this instance we detail the use of .LNK file payloads derived from an LNK builder proof of concept. This, however, is just the tip of the iceberg, with many other payloads delivered using alternate methods.

What this reveals — with a very high degree of confidence — is that there is an element to continual tooling improvements. Much like a component of this group dedicated to strong OSINT (as above), there is likely a subset of the group dedicated to technical innovation as a means to evade detection.

This allows the group to develop an arsenal of malware, for example, that can be used at will; but more importantly, it can be built upon and developed as defensive techniques improve.

Always on the move

The historic dependency upon reputations as a vehicle to identify malicious infrastructure is fast becoming less than effective. Politely put — and as demonstrated within the paper — we see Kimsuky establish infrastructure across the globe but quickly leverage new domains as needed. This is just another example of how this group understands and develops the ability to quickly move as it identifies new targets.

Subsequently, the publication provides tactical, actionable insights into the defensive measures that can be taken. For example, full details of coverage are included within the paper, as well as persistence measures undertaken by the threat actor, which are a critical indicator of compromise during retroactive threat hunts. All TTPs detailed within the paper are also incorporated into detection coverage across the Rapid7 portfolio, as detailed within the final section.

Click here to read the research paper now.

What’s New in Rapid7 Products & Services: Q2 2024 in Review

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2024/07/11/whats-new-in-rapid7-products-services-q2-2024-in-review/

What’s New in Rapid7 Products & Services: Q2 2024 in Review

This quarter we continued to make investments that provide security professionals with a holistic, actionable view of their entire attack surface. In Q2, we focused on enhancing visualization, prioritization, and integration capabilities across our key products and services. Below we’ve highlighted key releases and updates from the quarter across Rapid7 products and services—including InsightCloudSec, InsightVM, InsightIDR, Managed Detection and Response, and Rapid7 Labs.

Rapid7 acquires Noble to deliver comprehensive visibility and command of your attack surface

Rapid7 has acquired Noble, a leading provider of continuous cyber asset inventory, visibility, and management. This acquisition further enhances our ability to provide customers with the necessary control to monitor and manage exposures across their entire attack surface – from endpoint to cloud – with confidence. Visit our announcement overview page to learn more and stay tuned for additional details coming this summer.

Anticipate imminent threats from endpoint to cloud

Uncover multiple paths to risky compromised resources across cloud environments

We continue to enhance Attack Path Analysis in InsightCloudSec, most recently adding a new visualization that shows all of the various paths to a potentially compromised resource, providing a better understanding of the potential blast radius of an attack. We’ve also added the ability to export Attack Path graphs as a PDF, JPG, PNG, or SVG for easy sharing with additional stakeholders.

Automatically prioritize the most at-risk resources based on Layered Context

Layered Context provides insight into the riskiest resources running across cloud environments by taking into account a variety of risk signals from vulnerabilities to identity-related risk and public accessibility. This context makes it easier for security teams to effectively and efficiently prioritize cloud risk remediation efforts.

We recently released the following updates to Layered context:

  • Automatic prioritization of riskiest resources by taking into account the presence of toxic combinations to assign a relative risk score to all cloud resources.
  • A new risk tab, located on the Resource Details panel, that details all the risks impacting a resource in one view, transparently and efficiently diagnosing what is risky and why.

Access agent-based policy assessment results with InsightVM’s Bulk Export API.

Agent-based policy assessment is used to conduct configuration assessments of IT assets against widely used industry benchmarks or custom internal policies. Now customers can use the new Bulk Export API to export the policy assessment results data to their business intelligence tools and build custom visualizations and workflows that meet their reporting needs. Additionally, this API allows for efficient request and download of large data sets directly from the Insight Platform, avoiding unnecessary load on the Security Console and giving greater flexibility in handling the high volume of data that policy assessments produce.

Insight Agent support for ARM-based Windows 11 devices in InsightVM

Take advantage of the ARM processor chip’s great performance and low power requirements while maintaining agent-based visibility and assessment of remote assets within InsightVM. We also released enhanced vulnerability coverage for Windows 11 to provide customers with even higher quality, accurate vulnerability content.

Pinpoint critical signals of an attack and act confidently against threats

Rapid7 AI Engine extended to include Generative AI, driving improved MDR efficiency

Enhancements to the Rapid7 AI Engine have brought new Generative AI capabilities to the Rapid7 SOC, improving the efficacy and efficiency of our MDR services. These new additions include:

  • The new SOC Assistant that guides our internal SOC and MDR analysts through complex investigations and streamlines response workflows by querying sources like the Rapid7 MDR Handbook, keeping our analysts a step ahead.
  • The ability to automatically generate incident reports once investigations are closed out, streamlining a typically manual and time-intensive process. Every report that is generated by the Rapid7 AI Engine is reviewed and enhanced as needed by our SOC teams, making certain every data point is accurate and actionable.

Stop attacks before they begin with Rapid7’s patented Ransomware Prevention

Rapid7’s patented, preemptive Ransomware Prevention technology focuses on disrupting the evasive behaviors that ransomware and other forms of malware leverage, preventing both known and unknown (zero-day) attacks before they start. Coexisting alongside NGAV, EDR, and EPP solutions, Ransomware Prevention:

  • Provides an additional layer of protection on the endpoint focused on mitigating the risk associated with ransomware by using proprietary Data Encryption detection and response technology.
  • Focuses on the inner techniques that malicious and evasive attacks employ and embed in processes (instead of passively looking for patterns and analyzing processes and behaviors on runtime or post-execution), manipulating their logic so that they refrain from execution.

Monitor Crowdstrike Falcon EDR alerts within InsightIDR for streamlined alert triage

Simplify operations and optimize resource allocation by further integrating third party endpoint detection and response solutions with Rapid7. Managed Detection and Response customers can integrate CrowdStrike Falcon Endpoint with InsightIDR and leverage Rapid7’s highly skilled and experienced MDR SOC to help triage incoming alerts.

A growing library of actionable detections in InsightIDR

In Q2 2024 we added over 750 new detection rules. See them in-product or visit the Detection Library for descriptions and recommendations.

New research from Rapid7 Labs: The 2024 Attack Intelligence Report

Since 2020, Rapid7 has tracked huge increases in zero-day exploits, ransomware attacks, mass compromise incidents, and evolutions in attacker behavior. In our 2024 Attack Intelligence Report, Rapid7 Labs analyzed 14 months of attacker behavior and marquee vulnerabilities and provides expert analysis and practical guidance for security professionals.

Dive into key findings—like how 36% of the widely exploited vulnerabilities Rapid7 tracked involved network edge technology—in the report here.

In May we partnered with AWS for our Take Command 2024 Cybersecurity Summit, where we took a deep dive into new attack intelligence technologies like AI that are disrupting the threat landscape, macro influences on SOC teams, MDR services to build cyber resilience, and more. The sessions deliver clear guidance to zero in on threats and proactively prevent breaches—check them out on demand here.

Stay tuned for more!

As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in product and service investments at Rapid7.

State-Sponsored Threat Actors Target Security Researchers

Post Syndicated from boB Rudis original https://blog.rapid7.com/2021/01/26/state-sponsored-threat-actors-target-security-researchers/

State-Sponsored Threat Actors Target Security Researchers

This blog was co-authored by Caitlin Condon, VRM Security Research Manager, and Bob Rudis, Senior Director and Chief Security Data Scientist.

On Monday, Jan. 25, 2021, Google’s Threat Analysis Group (TAG) published a blog on a widespread social engineering campaign that targeted security researchers working on vulnerability research and development. The campaign, which Google attributed to North Korean (DPRK) state-sponsored actors, has been active for several months and sought to compromise researchers using several methods.

Rapid7 is aware that many security researchers were targeted in this campaign, and information is still developing. While we currently have no evidence that we were compromised, we are continuing to investigate logs and examine our systems for any of the IOCs listed in Google’s analysis. We will update this post with further information as it becomes available.

Organizations should take note that this was a highly sophisticated attack that was important enough to those who orchestrated it for them to burn an as-yet unknown exploit path on. This event is the latest in a chain of attacks—e.g., those targeting SonicWall, VMware, Mimecast, Malwarebytes, Microsoft, Crowdstrike, and SolarWinds—that demonstrates a significant increase in threat activity targeting cybersecurity firms with legitimately sophisticated campaigns. Scenarios like these should become standard components of tabletop exercises and active defense plans.

North Korean-attributed social engineering campaign

Google discovered that the DPRK threat actors had built credibility by establishing a vulnerability research blog and several Twitter profiles to interact with potential targets. They published videos of their alleged exploits, including a YouTube video of a fake proof-of-concept (PoC) exploit for CVE-2021-1647—a high-profile Windows Defender zero-day vulnerability that garnered attention from both security researchers and the media. The DPRK actors also published “guest” research (likely plagiarized from other researchers) on their blog to further build their reputation.

The malicious actors then used two methods to social engineer targets into accepting malware or visiting a malicious website. According to Google:

  • After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project. Within the Visual Studio Project would be source code for exploiting the vulnerability, as well as an additional pre-compiled library (DLL) that would be executed through Visual Studio Build Events. The DLL is custom malware that would immediately begin communicating with actor-controlled command and control (C2) domains.

State-Sponsored Threat Actors Target Security Researchers
Visual Studio Build Events command executed when building the provided VS Project files. Image provided by Google.

  • In addition to targeting users via social engineering, Google also observed several cases where researchers have been compromised after visiting the actors’ blog. In each of these cases, the researchers followed a link on Twitter to a write-up hosted on blog[.]br0vvnn[.]io, and shortly thereafter, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server. At the time of these visits, the victim systems were running fully patched and up-to-date Windows 10 and Chrome browser versions. As of Jan. 26, 2021, Google was unable to confirm the mechanism of compromise.

The blog the DPRK threat actors used to execute this zero-day drive-by attack was posted on Reddit as long as three months ago. The actors also used a range of social media and communications platforms to interact with targets—including Telegram, Keybase, Twitter, LinkedIn, and Discord. As of Jan. 26, 2021, many of these profiles have been suspended or deactivated.

Rapid7 customers

Google’s threat intelligence includes information on IOCs, command-and-control domains, actor-controlled social media accounts, and compromised domains used as part of the campaign. Rapid7’s MDR team is deploying IOCs and behavior-based detections. These detections will also be available to InsightIDR customers later today. We will update this blog post with further information as it becomes available.

Defender guidance

TAG noted in their blog post that they have so far only seen actors targeting Windows systems. As of the evening of Jan. 25, 2021, researchers across many companies confirmed on Twitter that they had interacted with the DPRK actors and/or visited the malicious blog. Organizations that believe their researchers or other employees may have been targeted should conduct internal investigations to determine whether indicators of compromise are present on their networks.

At a minimum, responders should:

  • Ensure members of all security teams are aware of this campaign and encourage individuals to report if they believe they were targeted by these actors.
  • Search web traffic, firewall, and DNS logs for evidence of contacts to the domains and URLs provided by Google in their post.
  • According to Rapid7 Labs’ forward DNS archive, the br0vvnn[.]io apex domain has had two discovered fully qualified domain names (FQDNs)—api[.]br0vvnn[.]io and blog[.]br0vvnn[.]io—over the past four months with IP addresses 192[.]169[.]6[.]31 and 192[.]52[.]167[.]169, respectively. Contacts to those IPs should also be investigated in historical access records.
  • Check for evidence of the provided hashes on all systems, starting with those operated and accessed by members of security teams.

Moving forward, organizations and individuals should heed Google’s advice that “if you are concerned that you are being targeted, we recommend that you compartmentalize your research activities using separate physical or virtual machines for general web browsing, interacting with others in the research community, accepting files from third parties and your own security research.”

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.