Ransomware Roundup: 09.18.23
Akira Ransomware Gang Exploiting Cisco ASA Zero-Day
The Akira ransomware gang has been exploiting a zero-day in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software (CVE-2023-20269) to brute-force remote access VPN logins since at least August, Cisco said.
“This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features,” Security Weekly reports.
“In August 2023, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild. Cisco strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability once available and apply one of the suggested workarounds in the meantime.”
Cisco is said to be working on security updates to remedy the vulnerability in both Cisco ASA and FTD software.
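Because the activity Cisco describes is credential brute forcing through the remote access VPN, the first place defenders can look while waiting for a fix is ASA AAA syslog. The script below is an added example written for this roundup, not Cisco's or Akira's code: it parses the authentication rejection messages (113005 for an external AAA server, 113015 for the local database) and AnyConnect session-start messages (113039), then flags any source IP that accumulates more than a threshold of rejections inside a short window, reporting whether the attempts spread across many usernames (a spray) or hammered one account, and whether a session was later opened from the same IP. The log lines are constructed for the example; the message layouts follow Cisco's documented syslog formats, and the threshold, window and year are arbitrary assumptions. One caveat a practitioner will hit: ASA can mask usernames in these messages (the logging hide username setting), in which case the distinct-username count is meaningless, and the script says so rather than guessing.

```python
"""Flag remote access VPN credential brute forcing in Cisco ASA syslog (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Authentication rejections: 113005 (external AAA server) and 113015 (local database).
REJECT_RE = re.compile(
    r"%ASA-\d-1130(?:05|15): AAA user authentication Rejected : reason = (?P<reason>.+?) : "
    r"(?:server = \S+|local database) : user = (?P<user>\S+) : user IP = (?P<src>\S+)"
)
# 113039 is logged when an AnyConnect session is established.
SESSION_RE = re.compile(
    r"%ASA-\d-113039: Group (?P<group>\S+) User (?P<user>\S+) IP (?P<src>\S+) "
    r"AnyConnect parent session started"
)
TS_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})")


def parse_ts(line, year=2023):
    """Syslog timestamps carry no year; the caller supplies it (assumption)."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")


def analyze(lines, window=timedelta(minutes=5), threshold=10):
    """Return one finding per source IP whose rejection count reaches `threshold`
    inside any `window`, noting spray vs single-account pattern and any later session."""
    rejects = defaultdict(list)   # src -> [(ts, user, reason)]
    sessions = defaultdict(list)  # src -> [(ts, user, group)]
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        if (m := REJECT_RE.search(line)):
            rejects[m["src"]].append((ts, m["user"], m["reason"]))
        elif (m := SESSION_RE.search(line)):
            sessions[m["src"]].append((ts, m["user"], m["group"]))

    findings = []
    for src, events in rejects.items():
        events.sort()
        # Sliding window: peak number of rejections from this source inside `window`.
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        users = {u for _, u, _ in events}
        if users == {"*****"}:
            # ASA masks usernames in AAA syslog unless `no logging hide username` is set.
            pattern = "unknown (usernames masked in syslog)"
        elif len(users) > 1:
            pattern = "password spray"
        else:
            pattern = "single-account brute force"
        first = events[0][0]
        later = [s for s in sessions.get(src, []) if s[0] >= first]
        findings.append({
            "src": src,
            "rejections": len(events),
            "peak_in_window": peak,
            "distinct_users": len(users),
            "pattern": pattern,
            "session_after_failures": later[0][1] if later else None,
        })
    return findings


# Constructed sample, not a real capture: a two-minute burst of rejected logins
# against the local database from one source, one benign typo from another, then an
# AnyConnect session opened from the burst source.
_BURST_USERS = ["admin", "cisco", "vpnadmin", "backup", "svc_vpn", "jsmith",
                "mlee", "administrator", "guest", "test", "vpnuser", "vpnuser"]
SAMPLE_LOG = [
    f"Sep 12 03:1{i // 6}:{(i * 10) % 60:02d} asa-edge %ASA-6-113015: AAA user authentication "
    f"Rejected : reason = Invalid password : local database : user = {u} : user IP = 198.51.100.23"
    for i, u in enumerate(_BURST_USERS)
] + [
    "Sep 12 03:15:30 asa-edge %ASA-6-113005: AAA user authentication Rejected : "
    "reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 192.0.2.5",
    "Sep 12 03:16:45 asa-edge %ASA-6-113039: Group DefaultWEBVPNGroup User vpnuser "
    "IP 198.51.100.23 AnyConnect parent session started.",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the script reports one source (198.51.100.23) with 12 rejections across 11 usernames, labels it a password spray, and notes that a session for "vpnuser" was opened from that address after the failures; the single failed login from 192.0.2.5 stays below threshold. A session opened from an address that just sprayed credentials is the event to pivot on, because it is the point at which the brute force actually paid off.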
Takeaway: Today’s ransomware attacks employ techniques that are far advanced from the ransomware campaigns of even just a year or two ago.
Attackers are reinvesting ransom proceeds into hiring really talented developers who are constantly finding new ways to infect victims, evade detection, exfiltrate more sensitive data, and encrypt more files faster.
Ransomware attacks used to be clumsier and more random - basically a numbers game in which massive email spam campaigns or drive-by watering hole attacks were designed to infect as many individual devices as possible, each with a ransom demand of a fraction of a bitcoin - but those days have largely passed.
Ransomware gangs using zero-days in their attacks has historically been unusual, as these exploits are valuable and have typically been reserved for nation-state operations rather than cybercriminal attacks.
Overall, attackers are automating scans looking for vulnerable applications to exploit, as we have seen in the massive Cl0p campaigns targeting the MOVEit Transfer and GoAnywhere MFT bugs.
They are also creating bespoke tools for more efficient collection and exfiltration of victim data and building out their RaaS platform services to smooth the negotiation and ransom payment process.
But the marked increase in the exploitation of zero-day vulnerabilities by ransomware gangs is concerning, and further evidence that criminal actors are employing increasingly complex techniques that we used to only see in nation-state operations.
Save the Children Hit by BianLian Data Extortion Gang
Data extortion gang BianLian announced they attacked a global non-profit organization and exfiltrated sensitive information including financial, health, and medical data.
That organization is likely the Save the Children Fund, more commonly known as Save the Children, an international NGO that helps improve the lives of impoverished children worldwide.
“BianLian bragged on its website it had hit an organization that, based on the gang's description of its unnamed victim, looks to be Save The Children International. The NGO, which employs about 25,000 people, says it has helped more than a billion kids since it was founded in 1919,” The Register reported.
“BianLian added that its victim, "the world's leading nonprofit," operates in 116 countries with $2.8 billion in revenues. The extortionists claim to have stolen 6.8TB of data, which they say includes international HR files, personal data, and more than 800GB of financial records. They claim to also have email messages as well as medical and health data.”
Takeaway: Whether it’s exposing clinical photographs of breast cancer patients or disrupting a multi-state regional healthcare provider, data extortion and ransomware groups have shown time and time again that there is no line they will not cross for profit, even if it hurts the most vulnerable in society.
The BianLian ransomware gang first emerged in the summer of 2022, and successfully attacked several high-profile organizations. They engaged in double extortion, where they exfiltrated victim data prior to delivering the encryption payload, with the intent to use the data as additional leverage to compel the victim to pay the ransom demand.
The tactic was so successful that when a free decryption tool for the BianLian ransomware was released, BianLian simply abandoned the encryption payload stage of its attacks and now focuses on data exfiltration and extortion alone.
The fact that they don’t hit victims with ransomware anymore does not make BianLian any less of a threat to organizations and given they may have just attacked one of the world’s biggest and most impactful charities, it is safe to say no organization is safe from this threat.
Ransomware is a financially motivated crime. The operators want the money at any cost, and if they can reduce the resources required to be successful, they will. Attackers always consider ROI in their operations, so if a ransomware group can simplify the attack and still achieve the same result, it will.
While the absence of a ransomware payload means the charity’s networks are likely up and running, the attack still has the potential to be extremely damaging to operations, will result in an expensive remediation process, and will likely be damaging to the organization’s reputation and ability to raise funds.
Again, ransomware and data extortion attacks are financially motivated, and these threat actors simply don’t care who they hurt in the process, even if it’s the most vulnerable among us – children living in abject poverty.
Rust-Based Ransomware Variants Increase Speed and Stealth
Researchers documented a new ransomware strain dubbed “3AM” that was used as a secondary payload in an attack after an attempt to deploy LockBit ransomware on a targeted network failed.
3AM is assessed to be written in the Rust programming language and does not appear to be related to any other known ransomware family.
“Before starting to encrypt files, 3AM tries to stop multiple services running on the infected system for various security and backup products from vendors like Veeam, Acronis, Ivanti, McAfee, or Symantec,” Bleeping Computer reports.
“Once the encryption process completes, files have the .THREEAMTIME extension and the malware also attempts to delete Volume Shadow copies that could be used to recover the data.”
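The pre-encryption behavior described above (stopping backup and security services, then deleting Volume Shadow copies) is a high-signal detection opportunity, because that sequence is rare in legitimate administration and happens minutes before the damage. The script below is an added example written for this roundup, not 3AM's code or any vendor's detection content: it scans process-creation records (constructed here as dicts of the kind an EDR or Sysmon event ID 1 feed would supply) for net stop / sc stop / Stop-Service commands aimed at the vendors named in the report and for shadow copy removal via vssadmin, wmic, wbadmin or the Win32_ShadowCopy WMI class, and raises an alert when both occur on one host inside a window. The hostnames, users, timestamps and service names in the sample are constructed; the vendor keyword list, window and minimum stop count are assumptions to tune per environment.

```python
"""Correlate backup/security service stops with shadow copy deletion (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Vendors named in the 3AM report plus the generic VSS/backup service names
# ransomware commonly targets (assumed list; tune per environment).
VENDOR_RE = re.compile(r"veeam|acronis|ivanti|mcafee|symantec|vss|backup", re.I)

# Shadow copy removal via the usual living-off-the-land tools.
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(?:\.exe)?\s+(?:delete\s+shadows|resize\s+shadowstorage)"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|win32_shadowcopy.*\bdelete\b"
    r"|wbadmin(?:\.exe)?\s+delete\s+catalog",
    re.I,
)


def service_stop_target(cmdline):
    """Return the service named in a net/sc stop or Stop-Service command, else None."""
    m = re.search(
        r'\b(?:net1?|sc)(?:\.exe)?\s+stop\s+(?:/y\s+)?"?([^"/]+?)"?\s*(?:/y)?\s*$',
        cmdline, re.I)
    if not m:
        m = re.search(r'\bStop-Service\b(?:\s+-Name)?\s+"?([^"\s]+)"?', cmdline, re.I)
    return m.group(1).strip() if m else None


def correlate(events, window=timedelta(minutes=10), min_service_stops=2):
    """Alert when a host deletes shadow copies within `window` after stopping at
    least `min_service_stops` distinct backup/security services."""
    hits = defaultdict(list)  # host -> [(ts, kind, detail)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        cmd = ev["cmdline"]
        svc = service_stop_target(cmd)
        if svc and VENDOR_RE.search(svc):
            hits[ev["host"]].append((ev["ts"], "service_stop", svc))
        elif SHADOW_DELETE_RE.search(cmd):
            hits[ev["host"]].append((ev["ts"], "shadow_delete", cmd))

    alerts = []
    for host, seq in hits.items():
        for ts, kind, detail in seq:
            if kind != "shadow_delete":
                continue
            stops = {d for t, k, d in seq if k == "service_stop" and ts - window <= t <= ts}
            if len(stops) >= min_service_stops:
                alerts.append({"host": host, "at": ts,
                               "services_stopped": sorted(stops),
                               "shadow_command": detail})
                break  # one alert per host; later deletions add nothing new
    return alerts


# Constructed process-creation records (hosts, users, times invented), not real telemetry.
T0 = datetime(2023, 9, 8, 2, 57, 0)
SAMPLE_EVENTS = [
    {"host": "FS01", "ts": T0, "user": "CORP\\svc_deploy", "cmdline": "net stop /y VeeamBackupSvc"},
    {"host": "FS01", "ts": T0 + timedelta(seconds=2), "user": "CORP\\svc_deploy", "cmdline": "sc.exe stop AcronisAgent"},
    {"host": "FS01", "ts": T0 + timedelta(seconds=4), "user": "CORP\\svc_deploy", "cmdline": 'net stop "Symantec Endpoint Protection" /y'},
    {"host": "FS01", "ts": T0 + timedelta(seconds=6), "user": "CORP\\svc_deploy", "cmdline": "net stop /y McAfeeFramework"},
    {"host": "FS01", "ts": T0 + timedelta(seconds=40), "user": "CORP\\svc_deploy", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "ts": T0 + timedelta(seconds=41), "user": "CORP\\svc_deploy", "cmdline": "wmic shadowcopy delete"},
    # Routine admin activity on another host: stopping the spooler, listing shadows.
    {"host": "WS07", "ts": T0 + timedelta(minutes=5), "user": "CORP\\helpdesk", "cmdline": "net stop spooler"},
    {"host": "WS07", "ts": T0 + timedelta(minutes=6), "user": "CORP\\helpdesk", "cmdline": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the script raises a single alert for FS01, listing the four stopped services and the vssadmin command that followed them, while the spooler restart and read-only vssadmin list on WS07 produce nothing. Requiring both behaviors on the same host is what keeps the rule quiet during legitimate backup maintenance, where either event alone is routine.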
Takeaway: More ransomware variants written in Rust continue to emerge in the wild, which should concern security teams: Rust-compiled binaries are less familiar to analysts and to analysis tooling built around C/C++ malware, which complicates reverse engineering and signature-based detection. The evasion behavior itself - disabling security tools and killing backup services, as 3AM does - is not a property of the language; it is something the operators build in.
Rust is a memory-safe language that offers performance comparable to C/C++, strong support for concurrency and cross-platform builds, and statically linked binaries with no runtime dependency, all of which suit malware authors. It does not compile faster than C++ or Go (Rust builds are notoriously slow), but the resulting binaries are harder to reverse engineer, which in turn makes recovering the encryption scheme or keys from a sample more difficult.
BlackCat/ALPHV was the first ransomware group using Rust back in 2021 followed by the Hive ransomware gang, and other Rust-based variants have been observed from groups like RansomExx, Nokoyawa, and Qilin.
The emergence of the Rust-based 3AM ransomware family is strong evidence that ransomware operators continue to put a considerable amount of resources into development and the advancement of their capabilities.
The cross-platform capabilities Rust provides also mean we are likely to see more variants designed to target Linux systems. With groups like IceFire, LockBit, Black Basta and Cl0p already targeting Linux environments, we can expect some attacks to cause widespread disruptions across several key sectors, impacting a larger population of collateral victims.
Attacks on Linux systems are potentially devastating and have a broad impact, and the greater the pain these threat actors can bring to targets, the more they anticipate they can demand in ransom payments.
Linux is favored for large network applications and data centers, and it underpins most U.S. government and military networks, our financial systems, and much of the backbone of the internet.
The continued development of ransomware variants written in Rust - particularly those targeting Linux systems - is something we should definitely keep an eye on.
MGM Gets Popped: Ridiculous News Coverage and Some Takeaways
MGM got popped and customer data was exposed. Per usual, there are way too many unanswered questions at this point in the investigation, but that does not stop the media from trying to report, and there is no shortage of “experts” to call on, so we end up with articles like this one from Bloomberg that say things like:
“Charles Carmakal, chief technical officer for Mandiant Inc., part of Google Cloud, described the hackers as ‘one of the most prevalent and aggressive threat actors impacting organizations in the United States today.’ Mandiant first came across the group in May 2022.”
Really? Some skiddie affiliates are one of the most prevalent threat actors? Ooof... And we get assessments like this:
“In the MGM hack, Scattered Spider may have worked with ALPHV, according to two people familiar with the group’s operations.”
Congratulations Bloomberg, you just discovered the business model driving the ransomware economy. Great reporting (facepalm).
The Bloomberg article was not very well researched and basically misses the mark as far as accurately explaining anything. Scattered Spider sounds like an affiliate group made up of young threat actors.
Whether they are as prolific as Mandiant asserts is debatable - there are a lot of independent threat actor groups made up of a mix of members who most likely identify as members of multiple groups - nothing new here.
They likely leased use of the BlackCat/ALPHV RaaS platform - nothing new here either, as that is the RaaS model - so describing the groups as possibly "working together" is just a tragically uninformed way of describing what we have known for a long time: affiliate actors rent RaaS platforms from the developers.
Basically, the Bloomberg writer has zero idea how any of this works, so presents it all with fresh eyes and amazement – it would be cute if it were not so damaging to have a high-profile outlet like Bloomberg generating such ill-informed coverage.
Takeaway: But it gets better... now the SEC will get involved because MGM is publicly traded and the SEC has new rules about reporting breaches, so expect this will probably be another clown show.
More visibility and accountability in regard to security-related events at publicly traded companies is a good thing – that's a no-brainer, but we do have to be careful to not confuse disclosing information about a cyberattack with actually informing investors as to why an attack should be considered in their investment decisions.
The fact is that publicly traded companies are attacked every day, and if the company is really big, they may be attacked hundreds of times in a day. As we in the security trade already know, you can’t stop cyberattacks, but you can stop an attack from being successful and attaining its intended objective.
That said, the real challenge with this new SEC ruleset is going to be twofold: first, the onus is on corporate officers to decide if and when a security event reaches the threshold of being “material” to investors.
This leaves quite a bit of room for subjectivity, plausible deniability, and – if not structured correctly – could produce a culture where there is pressure on security teams to conceal security events from the executive suite, so the event goes unreported.
The second challenge is whether or not investors are educated enough about all things cyber to know what to do with information about an incident – and this is the real rub here. There can be a very significant amount of time that passes between “we are under attack” and “we understand the full nature of and potential impact of the attack.”
Forensic investigations are difficult, and they take time. The disclosure rule set by the SEC, if not supported by investor education efforts, has the potential to create a situation where an attack is disclosed but the details are murky because it could be weeks or months before the organization can adequately assess the information the SEC is requiring be reported.
But investors, once informed of an attack, will want the details, and want them now. This could create situations where company leadership appears incompetent because they can’t answer tough questions about an event, undermining investor confidence.
Also, the company's leadership would then be in a position where it trickles out incomplete information over time as the investigation progresses, and simply ends up dying by a thousand cuts. The inability to provide concrete answers immediately will likely create confusion and anxiety for investors, causing them to overreact to an event that - while reportable per SEC rules – may in fact not be that serious from a security standpoint.
Any requirements on victim organizations to report material security events to investors needs to come with a concerted effort to educate investors on the nuances of attacks, security operations, and risk, or the SEC will just be creating more problems than they are actually solving.
There is so much to go on in this Bloomberg article that adds to confusion amongst the non-cyber audience, it would be exhausting to try to sort it all out here, as more than a few key takeaways from the attack were missed.
First of all, it's obvious the casino did not practice adequate network segmentation, which made the attack far worse than it needed to be. MGM (and everyone) also needs to reconsider whether they need to store all that PII on their customers - it's a bad idea to collect and store PII unless it is really, really necessary, and loyalty programs don't rise to that level.
And as far as third-party vendors – we need more details on this, like what kind of vendor etc. to understand if they needed to have access to the casino's network and how that access was structured - but for the most part it sounds like the vendor had too much access and the casino had poor security protocols for managing that access.
There is a lot organizations can do to ensure their vendors are not putting them at risk, but in the end all risk is owned by the organization, and it needs to make sure that its practices do not exceed its risk tolerance - with a casino you would expect risk tolerance to be very, very low.
But given the relative ease with which the attackers appear to have carried out the operation, it seems likely that MGM’s security did not adequately reflect their risk tolerance - not by a long shot.
Alleged Message from BlackCat/ALPHV on MGM Attack Released
A message purported to be from the BlackCat/ALPHV ransomware gang was posted to GitHub. The note allegedly contains details about the attack against hotel and casino giant MGM Resorts, which reported outages due to a ransomware attack earlier this week.
The message claims to offer details about the attack that are, at the very least, unflattering in regard to MGM’s incident response playbook, and it casts doubt on attribution claims made in the media.
The full message can be found here: https://gist.githubusercontent.com/BushidoUK/20b81335c6729dc8e0b5997ca83fa35f/raw/a0697117e905f5094e7a5feae928806b2ba65b20/gistfile1.txt
CybersecurityHub posted a nice timeline summary of what we (think we) know about the attack thus far:
- September 7: A social engineering attack is launched against the IT support vendor employed by Caesar’s Entertainment by hacking gang Scattered Spider. The hotelier pays around half of the $30 million ransom to the hackers. This gang is later linked to the MGM Resorts cyber attack.
- September 11: MGM Resorts puts out a statement saying a “cyber security incident” has affected some of the company’s systems. An investigation into the cyber attack is launched and the relevant authorities contacted.
- September 12: MGM Resorts makes a second statement reporting that all “resorts including dining, entertainment and gaming are still operational” and that its guests “continue to be able to access their hotel room and [its] Front Desk is ready to assist our guests as needed”.
- September 12: Guests report a number of issues with MGM Resorts’ online booking system and casino. The company's main website is reported as being down.
- September 13: VX Underground, host of “one of the largest collection of malware source code, samples, and papers on the internet”, makes a post on X saying the MGM cyber attack was the result of vishing. VX Underground also reports that ransomware gang, ALPHV, were responsible for the attack.
- September 13: Sources close to the cyber attack say that the hacking group, Scattered Spider, are responsible for the hack.
- September 13: Financial services company Moody’s says the cyber attack may negatively impact MGM’S credit. The company also notes that the cyber security incident highlights “key risks” in MGM’s reliance on technology.
Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile (PDF), and check out the Recent Ransomware Attacks resource site.