United States: Malware/Ransomware Updates and New Perimeter Device Vulnerability
By: Brendan Rooney (CEO of Tracepoint) and Sean B. Hoar
FinCEN Alert: The first week of March was marked by a number of cybersecurity developments tied to the Russian invasion of Ukraine. On March 7 the Financial Crimes Enforcement Network (FinCEN) issued an alert advising all financial institutions to be vigilant against attempts to evade the sanctions imposed in response to the invasion. The alert imposes no new requirements; it lists "red flags" and reminds financial institutions of their reporting obligations under the Bank Secrecy Act (BSA), including those involving convertible virtual currency (CVC). Its main purpose appears to be to enlist financial institutions in identifying concealed Russian and Belarusian assets.
Wiper Malware Explained: Modular malware with anti-forensic and/or data-wiping capabilities has been used for malicious purposes for years, most famously in the 2012 attack on Saudi Aramco, in which the Shamoon malware erased files and overwrote the Master Boot Record (MBR). Last week, new wipers with similar capabilities were identified, including WhisperGate, HermeticWiper (also detected as Trojan.Killdisk), Windshield, and IsaacWiper.
Although individual wipers differ in capability, the destructive outcome is similar: files are corrupted or overwritten with random data so that they become unusable, and overwriting the MBR leaves the operating system unbootable and the partition layout, and with it the file systems, unreachable, so the drive is effectively lost even where not every data block was erased. Wipers are often bundled with self-spreading components, making it easy to deploy them across an entire environment. This severely complicates restoration and destroys evidence.
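The MBR overwrite described above is one of the few wiper effects a responder can check quickly and offline. The following triage script is an added example written for this article; it is not code from the authors, from Tracepoint, or from any of the wipers named above. It reads the first 512 bytes of a disk image, checks the 0x55AA boot signature, looks for a uniform fill where boot code should be, and parses the four-slot partition table for malformed entries. The sample sectors it builds are constructed here for illustration (a single NTFS-type partition at LBA 2048), and the check names are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

# Standard MBR layout constants (not specific to any one wiper family)
MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"


@dataclass
class PartitionEntry:
    status: int        # 0x80 = bootable, 0x00 = inactive; anything else is malformed
    type_code: int     # e.g. 0x07 NTFS/exFAT, 0x83 Linux, 0xEE protective MBR on GPT disks
    lba_start: int
    sector_count: int


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    """Return the non-empty entries of the four-slot MBR partition table."""
    entries: List[PartitionEntry] = []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + slot * PARTITION_ENTRY_SIZE
        raw = mbr[off:off + PARTITION_ENTRY_SIZE]
        if len(raw) < PARTITION_ENTRY_SIZE:
            break
        status, type_code = raw[0], raw[4]
        lba_start, sector_count = struct.unpack_from("<II", raw, 8)
        if type_code == 0:  # empty slot
            continue
        entries.append(PartitionEntry(status, type_code, lba_start, sector_count))
    return entries


def assess_mbr(mbr: bytes) -> Dict[str, object]:
    """Triage the first sector of a disk image and report signs of an MBR wipe."""
    findings: List[str] = []
    if len(mbr) < MBR_SIZE:
        findings.append("sector is shorter than 512 bytes")
        return {"intact": False, "findings": findings, "partitions": []}

    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")

    # Real boot code is varied; a single repeated byte is the fingerprint of a crude overwrite
    boot_code = mbr[:PARTITION_TABLE_OFFSET]
    if len(set(boot_code)) == 1:
        findings.append(f"boot code area is a uniform fill of 0x{boot_code[0]:02x}")

    partitions = parse_partition_table(mbr)
    if not partitions:
        findings.append("partition table has no entries")
    for i, p in enumerate(partitions):
        if p.status not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{p.status:02x}")
        if p.sector_count == 0:
            findings.append(f"entry {i}: zero-length partition")
    return {"intact": not findings, "findings": findings, "partitions": partitions}


def build_intact_mbr() -> bytes:
    """Constructed sample: varied bytes stand in for boot code, one bootable NTFS-type partition."""
    boot_code = (bytes(range(256)) * 2)[:PARTITION_TABLE_OFFSET]
    # status, CHS start (unused here), type, CHS end (unused here), LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    table = entry + b"\0" * (PARTITION_ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


def build_wiped_mbr(fill: int = 0x00) -> bytes:
    """Constructed sample: the whole sector overwritten with a single byte value."""
    return bytes([fill]) * MBR_SIZE


def build_table_wiped_mbr() -> bytes:
    """Constructed sample: boot code and signature left alone, partition table zeroed."""
    intact = build_intact_mbr()
    return intact[:PARTITION_TABLE_OFFSET] + b"\0" * (4 * PARTITION_ENTRY_SIZE) + BOOT_SIGNATURE


if __name__ == "__main__":
    samples = [
        ("intact", build_intact_mbr()),
        ("zero-filled", build_wiped_mbr()),
        ("0xFF-filled", build_wiped_mbr(0xFF)),
        ("table zeroed", build_table_wiped_mbr()),
    ]
    for label, sector in samples:
        result = assess_mbr(sector)
        print(f"{label:12s} {'intact' if result['intact'] else 'SUSPECT'} {result['findings']}")
```

To run it against evidence, pass `open(image_path, "rb").read(512)` to `assess_mbr`. Two caveats: a GPT disk carries a protective MBR with a single type 0xEE entry and will (correctly) report as intact, and a wiper that writes plausible-looking bytes rather than a crude fill can pass these checks, so an intact first sector is not proof that the volumes behind it survived.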
Conti ransomware update: Conti made international headlines over its alleged alliance with the Russian government. Although the group walked this back in a later post, the declaration prompted other parties to target its infrastructure and, on February 27, leak its internal discussions. Conti then appears to have begun destroying its previous infrastructure and rebuilding on a new platform. Conti also appears to be targeting the defense industrial base while continuing to exploit widely deployed vulnerabilities in VPN appliances, Microsoft Exchange, and Log4j. Although Conti does not itself appear on the Office of Foreign Assets Control (OFAC) sanctions lists, a number of money services businesses (MSBs) and digital forensics firms have internally restricted communications and ransom payments linked to Conti ransomware attacks.
TrickBot Leaks: On Tuesday, March 1, the source code, indicators of compromise (IOCs), and internal discussions of TrickBot, a banking-credential-harvesting Trojan widely used by Conti, were leaked. Over the past two years TrickBot has gradually been replaced by BazarLoader, a related loader and backdoor that shares similarities with TrickBot. The TrickBot leaks include username and password combinations for accessing Conti's previous infrastructure.
RaidForums Takedown: Established in 2015, RaidForums was a marketplace for stolen credentials and data obtained in various breaches. Its infrastructure has been taken down and seized by the FBI. Because the forum has gone down and been rebuilt before, it may reappear, though perhaps not as quickly as it once did.
Upcoming potential SonicWall CVE: A recent crime-forum post claimed that an undisclosed SonicWall remote code execution (RCE) vulnerability was being auctioned for $100,000. Beyond describing it as a SonicWall RCE, the post gave no further details. Other SonicWall vulnerabilities have been exploited by ransomware groups, including HelloKitty: in July 2021 these groups exploited Common Vulnerabilities and Exposures (CVEs) in end-of-life firmware for SonicWall's Secure Mobile Access (SMA) and Secure Remote Access (SRA) products. These actors have developed expertise in exploiting these and other perimeter device vulnerabilities.
Takeaways: The Russia/Ukraine conflict will continue to draw attention to the CVC market, and ransomware associated with Russia will continue to be deliberately restricted by MSBs and digital forensics firms. In the meantime, information security must be at the forefront of every business decision relating to asset allocation; the cost of leaving vulnerabilities unaddressed is likely to far exceed the cost of implementing scalable information security solutions.
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.