Episode 55: April 30 2023
Links
https://cyware.com/news/rtm-group-launches-its-linux-ransomware-eea307ae
https://techcrunch.com/2023/04/26/hackers-are-breaking-into-att-email-accounts-to-steal-cryptocurrency/
https://cyware.com/news/atomic-new-macos-info-stealer-in-town-34496257
New Tactics for Extorting Payments
- Story
- GuidePoint Security published its GRIT Ransomware Report for Q1 2023, which provides insight into the ransomware threat landscape. Here are some shocking ransomware statistics for the quarter.
- Serving numbers
- GRIT monitored 849 ransomware victims that were publicly disclosed and claimed by 29 distinct threat groups.
- According to the report, there has been a 27% rise in publicly disclosed ransomware victims as compared to Q1 2022 and a 25% rise as compared to Q2 2022.
- The manufacturing and technology sectors continue to be the most impacted by ransomware. However, the legal industry observed a 65% surge in publicly posted victims from Q4 2022 to Q1 2023, with 70% of these attacks being attributed to the most active “double-extortion” ransomware groups such as LockBit, AlphV, Royal, and BlackBasta.
- In the education sector, there was a 17% rise in publicly disclosed victims during the same period, with Vice Society being responsible for 27% of all attacks in the education industry.
- U.S.-based organizations constituted the majority of ransomware victims, accounting for 46% (395 out of 851) of all observed victims, followed by the U.K. (7.7%) and Germany (4.4%).
- Coercion tactics
- The researchers noticed a rise in the adoption of innovative coercive strategies by several prominent ransomware groups that employ the double extortion modus operandi. Medusa and AlphV were observed leaking sensitive information to pressure victims into paying up.
- At the beginning of 2023, the LockBit ransomware group released chat logs of a negotiation with one of its victims, Royal Mail, which the group claimed had failed.
- Although this method is not entirely new, it is probably intended to deter aggressive negotiation tactics and bolster the effectiveness of shaming strategies employed by the ransomware operators.
- Other coercive measures adopted by ransomware groups include launching DDoS attacks and selectively leaking data to the public to garner media attention and harm the reputation of targeted organizations.
- The bottom line
- The uptick in reported ransomware victims during Q1 2023 is indicative of the persistent and industry-agnostic nature of ransomware as a global threat. The researchers anticipate that ransomware activity is not likely to go down in the long term.
RTM Group Launches its Linux Ransomware
- Story
- RTM group (aka Read The Manual gang), the provider of RTM Locker RaaS, has developed a new ransomware binary designed to target Linux-based machines. The ransomware is capable of infecting Linux, ESXi, and NAS hosts. It seems to be inspired by the leaked source code of Babuk ransomware.
- The RTM Locker
- According to Uptycs, this Linux variant of RTM Locker is specifically aimed at ESXi hosts, as it includes two related commands.
- It uses asymmetric and symmetric encryption, which makes it impossible to decrypt files without a private key.
- The initial infection vector is at present not known. However, after successful encryption, victims are told to contact the support team within 48 hours via Tox or risk getting their data published.
- The ransomware group relies on its affiliates for that initial access, which is why the vector varies from victim to victim.
- Babuk connection?
- Several similarities have been observed between the Babuk ransomware and RTM Locker. Both malware use the same random number generation method and the same asymmetric encryption. What sets them apart is the symmetric cipher: Babuk uses Sosemanuk, while RTM Locker uses ChaCha20.
- Additional technical details
- RTM Locker targets ESXi hosts by aborting all virtual machines running on a compromised host before the encryption process starts.
- It is statically compiled and stripped, which lets the binary run on more systems while making reverse engineering more challenging. The encryption routine uses pthreads to speed up execution.
- For encryption, it uses Elliptic-curve Diffie–Hellman (ECDH) over Curve25519 for the asymmetric key exchange and ChaCha20 for the symmetric encryption of file contents.
- The gang intentionally avoids high-profile targets such as law enforcement, critical infrastructure, and hospitals.
- Conclusion
- RTM Locker is already a challenge to reverse engineer and shares similarities with the leaked code of Babuk ransomware. Further, this Linux ransomware strain targets NAS/ESXi hosts. The experts suggest using the YARA tool or a third-party tool to scan dubious processes to stay protected. Additionally, deploy a security solution that comes with advanced detection capabilities.
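The ESXi behaviour described above (every running VM is killed right before encryption starts) is something a defender can watch for. The detector below is an added example, not RTM Locker code and not the Uptycs report's detection: it scans ESXi shell-history style lines for a burst of `esxcli vm process kill` commands inside a short window. The log lines are constructed for the demo, the line format is an approximation of ESXi's shell.log, and the 5-kills-in-60-seconds threshold is an assumption to tune per environment.

```python
import re
from datetime import datetime, timedelta

# Added example, not RTM Locker code or the Uptycs report's detection.
# Line format below is a constructed approximation of ESXi shell.log.
KILL_RE = re.compile(r"esxcli\s+vm\s+process\s+kill\b")
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")

# Constructed sample: one routine kill, then the mass-kill burst.
SAMPLE_LOG = """\
2023-04-27T09:58:10Z shell[2101]: [root]: esxcli vm process list
2023-04-27T09:59:40Z shell[2101]: [root]: esxcli vm process kill --type=soft --world-id=2100110
2023-04-27T10:20:01Z shell[3310]: [root]: esxcli vm process list
2023-04-27T10:20:02Z shell[3310]: [root]: esxcli vm process kill --type=force --world-id=2100110
2023-04-27T10:20:02Z shell[3310]: [root]: esxcli vm process kill --type=force --world-id=2100254
2023-04-27T10:20:03Z shell[3310]: [root]: esxcli vm process kill --type=force --world-id=2100377
2023-04-27T10:20:03Z shell[3310]: [root]: esxcli vm process kill --type=force --world-id=2100412
2023-04-27T10:20:04Z shell[3310]: [root]: esxcli vm process kill --type=force --world-id=2100503
2023-04-27T10:20:05Z shell[3310]: [root]: esxcli vm process kill --type=force --world-id=2100611
"""

def parse_kills(log_text):
    """Timestamps of every line that runs `esxcli vm process kill`."""
    kills = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if m and KILL_RE.search(line):
            kills.append(datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"))
    return kills

def find_kill_bursts(kills, threshold=5, window=timedelta(seconds=60)):
    """Sliding window over sorted kill times; returns (window_start, count)
    for each run of >= threshold kills inside `window`. Thresholds are
    assumptions: tune them to how often admins really kill VMs."""
    kills = sorted(kills)
    bursts, start = [], 0
    for end, ts in enumerate(kills):
        while ts - kills[start] > window:  # drop kills older than the window
            start += 1
        count = end - start + 1
        if count >= threshold:
            if bursts and bursts[-1][0] == kills[start]:
                bursts[-1] = (kills[start], count)  # grow the open burst
            else:
                bursts.append((kills[start], count))
    return bursts
```

The single routine kill at 09:59 never reaches the threshold, while the six force-kills between 10:20:02 and 10:20:05 produce one alert.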
Hackers are breaking into AT&T email accounts to steal cryptocurrency
- Unknown hackers are breaking into the accounts of people who have AT&T email addresses, and using that access to then hack into the victims' cryptocurrency exchange accounts and steal their crypto, TechCrunch has learned.
- At the beginning of the month, an anonymous source told TechCrunch that a gang of cybercriminals has found a way to hack into the email accounts of anyone with an att.net, sbcglobal.net, bellsouth.net, or other AT&T email address.
- According to the tipster, the hackers are able to do that because they have access to a part of AT&T’s internal network, which allows them to create mail keys for any user. Mail keys are unique credentials that AT&T email users can use to log into their accounts using email apps such as Thunderbird or Outlook, but without having to use their passwords.
- With a target’s mail key, the hackers can use an email app to log into the target’s account and start resetting passwords for more lucrative services, such as cryptocurrency exchanges. At that point it’s game over for the victim, as the hackers can then reset the victim’s Coinbase or Gemini account password via email.
- The tipster provided a list of alleged victims. Two of the victims replied, confirming they have been hacked.
- AT&T spokesperson Jim Kimberly said that the company “identified the unauthorized creation of secure mail keys, which can be used in some cases to access an email account without needing a password.”
- “We have updated our security controls to prevent this activity. As a precaution, we also proactively required a password reset on some email accounts,” the spokesperson said, forcing the account owners to reset their passwords.
- AT&T declined to say how many people have been hit in this wave of hacks. “This process wiped out any secure mail keys that had been created,” the spokesperson added.
- One victim told TechCrunch that hackers stole $134,000 from his Coinbase account. The second victim said that “it has been happening repeatedly since November 2022 — probably 10 times at this point. I notice it has been done when my Outlook client fails to ‘connect’ and I quickly login to my [AT&T] site and delete their key and create a new one.”
- “Very frustrating because it is obvious that the ‘hackers’ have direct access to the database or files containing these customer Outlook keys, and the hackers don’t need to know the user’s AT&T website login to access and change these outlook login keys,” the victim added.
- Also, several people with AT&T and other related email addresses said on Reddit that they have been hacked.
- “Hello, my email was compromised back in March of this year and I have done everything I can to reset password, security questions, etc but occasionally I’m still getting emails that a secure mail key has been created on my account without my knowledge,” one user wrote. “They would even delete the email notification so I don’t see it but I recently changed to another email for profile updates so they don’t have access. This sounds like someone still has access to my account but how?”
- Another person wrote: “I’ve had the same issue for months and just started again, password wasn’t changed but account locked out and a Mail Key keeps being created somehow.”
- The tipster claims that the hackers can “reset any” AT&T email account, and that they have made between $15 and $20 million in stolen crypto. (TechCrunch could not independently verify the tipster’s claim.)
- TechCrunch has seen a screenshot apparently coming from a Telegram group chat, where one of the hackers claims that the gang “have the entire AT&T employee database,” which allows them to access an internal AT&T portal for employees called OPUS.
- “Only thing we are missing is a certificate, which is the last key to accessing the [AT&T] VPN servers,” the hacker wrote in the Telegram channel, according to the screenshot.
- The tipster said that the gang now has access to AT&T’s internal VPN.
- Kimberly, the AT&T spokesperson, denied that the hackers had any access to internal company systems. “There was no intrusion into any system for this exploit. The bad actors used an API access.”
New macOS Info-stealer called Atomic
- Story
- A new info-stealer malware has been discovered, designed to steal a plethora of sensitive information, including local files, cookies, financial details, and passwords stored in macOS browsers. Named Atomic macOS Stealer (aka AMOS, or simply Atomic), it is being actively enhanced with new features by its developer, and the latest update was released on April 25.
- Atomic – expensive yet efficient
- According to the Cyble research team, Atomic is available on a private Telegram channel for a subscription of $1,000 per month.
- The buyer receives a DMG installer file, a cryptocurrency checker, a MetaMask brute-forcing tool, and a web panel to manage attack campaigns.
- The malicious DMG file is designed to evade detection and is flagged as malware on just one (out of 59) AV engines on VirusTotal.
- When this DMG file is executed by the victim, it displays a password prompt masquerading as a macOS system notification, urging the user to enter the system password.
- After obtaining the system password, it attempts to steal the passwords stored in the default password manager utility Keychain. This includes passwords for WiFi, credit card details, web logins, and other sensitive information.
- Key capabilities
- Atomic is designed with several data-theft capabilities, allowing its operators to target multiple browsers and crypto wallets, among others.
- It scans the system for the installed software to steal details from them. Targeted applications include cryptocurrency wallets (Binance, Electrum, Atomic, and Exodus) and web browsers (Google Chrome, Microsoft Edge, Firefox, Opera, Yandex, and Vivaldi).
- It further targets more than 50 cryptocurrency wallet extensions, including Coinbase, Yoroi, BinanceChain, Jaxx Liberty, and Guarda.
- In addition, it attempts to steal system information, including model name, RAM size, core count, serial number, UUID, and more.
- Ending notes
- Atomic is another example of the fact that an increasing number of cyber threats are looming over macOS. In the past week, researchers have already revealed two more threats, the RustBucket Malware and a new LockBit variant, showing interest in Apple’s primary OS powering Mac devices. Thus, it is high time for Mac users to realize the ever-increasing threat and tighten up their security posture.