CyberSecurity News Byte

Hosted by Jim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Episode 65: July 24 2023

Links

https://decoded.avast.io/martinchlumecky/hotrat-the-risks-of-illegal-software-downloads-and-hidden-autohotkey-script-within/
https://www.coveware.com/blog/2023/7/21/ransom-monetization-rates-fall-to-record-low-despite-jump-in-average-ransom-payments
https://www.bleepingcomputer.com/news/security/cybersecurity-firm-sophos-impersonated-by-new-sophosencrypt-ransomware/
https://news.sophos.com/en-us/2023/07/18/sophos-discovers-ransomware-abusing-sophos-name/
https://www.hackread.com/fortiguard-labs-zip-domains-phishing-attacks/

Risks of Illegal Software Downloads

  • HotRat
    • Automatic Script
      • Utilizes the icon for cracked software.
      • This runs the HotRat RAT
        • Remote Access Trojan
        • Variant of AsyncRAT
          • Available on GitHub
  • Victims
    • Download software from
      • Torrent
      • Cracked site.
    • Popular Software
      • Adobe
        • Illustrator, Master Collection, Photoshop
      • Microsoft
        • Office, Windows
      • Video games
        • Battlefield 3
        • Age of Empires IV
        • Red Alert 2
        • The Sims 4
      • Premium software
        • IObit Driver Booster
        • VMware Workstation
        • Revo Uninstaller Pro
  • Attack Path
    • AutoHotkey script (needs admin)
      • Disables User Account Control (UAC)
        • So privileged operations run without a permission prompt.
      • Uninstalls Avira AV
      • Modifies Windows Defender
    • Creates Scheduled task.
      • Using PowerShell
        • Runs the new task as a misspelled administrator.
      • Every 2 hours
      • Runs a VBS loader.
        • Visual Basic Scripting language
      • Adds RegAsm.exe to Windows Defender exclusion list.
    • .NET extractor
      • Unpacks malicious files.
        • Such as the HotRat payload
      • Detects the most frequently used antivirus software.
        • Attempts to deactivate them using IObit Unlocker
    • Once the coast is clear
      • Deploy HotRat
      • Using PowerShell and 2 png files
        • Image files
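
Added example (not from the Avast write-up or the podcast): Python detection logic that scans constructed PowerShell/command-line log lines for the three staging behaviours the notes describe (UAC disabled, a 2-hourly scheduled task running a VBS loader, RegAsm.exe excluded from Defender) and escalates when more than one stage appears together. The sample lines, task name, paths and account name are constructed here, not indicators from the report.

```python
import re

# Constructed sample log lines (PowerShell script-block / process command-line style).
# They are not taken from the Avast write-up; they only mirror the behaviours the
# notes describe: UAC disabled, a 2-hourly task that runs a VBS loader, and
# RegAsm.exe excluded from Defender. The task name, paths and the misspelled
# account are all made up here.
SAMPLE_LOGS = [
    r'Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLUA -Value 0',
    r'schtasks /create /tn "DriverUpdate" /tr "wscript.exe C:\ProgramData\ld.vbs" /sc hourly /mo 2 /ru Adminstrator',
    r'Add-MpPreference -ExclusionProcess "RegAsm.exe"',
    r'Get-ChildItem -Path C:\Users -Recurse',  # benign admin activity, should not fire
]

# Each rule: name, pattern, and the capture group holding the value worth triaging.
RULES = [
    ("uac_disabled",
     re.compile(r'\bEnableLUA\b.*?-Value\s+(0)\b', re.I), 1),
    ("two_hourly_vbs_task",
     re.compile(r'schtasks\s+/create.*?/tr\s+"?([^"]*?\.vbs)"?.*?/sc\s+hourly\s+/mo\s+2\b', re.I), 1),
    ("defender_exclusion",
     re.compile(r'Add-MpPreference\s+-Exclusion(?:Process|Path|Extension)\s+"?([^"\s]+)', re.I), 1),
]


def scan(lines):
    """Return (rule_name, matched_value, line) for every line that trips a rule."""
    hits = []
    for line in lines:
        for name, pattern, group in RULES:
            match = pattern.search(line)
            if match:
                hits.append((name, match.group(group), line))
    return hits


def verdict(hits):
    """One hit is a lead; two or more distinct stages together look like the chain."""
    stages = {name for name, _, _ in hits}
    if len(stages) >= 2:
        return "likely HotRat-style staging"
    return "single indicator" if stages else "clean"


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for name, value, _ in found:
        print(f"{name:22} {value}")
    print(verdict(found))
```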

Hacking as a business

  • Coveware
    • 2023 Second Quarter
      • Ransomware payments fell.
        • Down to 34%
    • Chart shows
      • 85% in Q1 2019
  • cyber extortion opportunity cost curve
    • takes five different examples of extortion strategies.
      • characteristics
      • economics
    • Chart
      • monetary impact felt by the victim of the attack.
        • Business disruption is the largest driver.
      • Effort threat actor must exert to conduct the attack.
        • total expected profit
          • The probability that an attack results in a ransom being paid,
          • multiplied by the amount of the ransom that may be paid.
    • Examples
      • Example 1
        • Malicious actor uses leaked data.
        • Steal files from user.
        • Sole proprietor
        • Low Impact Target, Low cost to malicious actor
          • Only need a little money to be cost effective.
      • Example 2
        • $500,000 to acquire a 0-day vulnerability.
        • 4 weeks of manual reconnaissance work and lateral movement
        • Unknown target impact, but high cost
          • Need a big payout to make it profitable.
    • Types of Attacks on Chart
      • Phantom
        • mass orchestrated social engineering attempts
        • easy to automate.
        • Low Effort, Low Payout
          • $1k-$5k
        • Formula
          • No Business Impact
          • No or low chance of payout.
          • Payout amounts are low.
          • Low/medium cost to actor
      • ‘spray’ attacks
        • same tactics of phantom incidents
        • data is deleted.
          • no exfiltration of data
        • Formula
          • Zero/Low Business Impact
          • low chance of payout
          • The payout amount is low.
          • Zero/low cost to actor
      • NAS (Network Attached Storage) encryption attack.
        • Formula
          • Low/Medium Business Impact
          • medium chance of payout
          • Payout amounts are low.
          • Low/Medium cost to actor
        • scanning and deployment of payloads tend to be automated.
          • Which keeps the cost of impacting many NAS devices low.
      • Data exfiltration attacks
        • Formula
          • Low/Medium/High Business Impact
          • Low/medium chance of payout
          • The payout amounts are medium/high.
          • Medium cost to actor
        • No encryption only exfiltration
        • extorts the victim over its public release.
        • probability of a ransom being paid is less than 50%
        • ransom demand on attacks is relatively high.
      • Encryption ransomware
        • Formula
          • High Business Impact
          • higher chance of payout
          • Payout amounts are high.
          • High cost to actor
        • Most threat actor work/cost
          • skillfully navigate the victim’s network
        • acquire access to a victim company’s network.
          • Initial Access Broker

Sophos impersonated by new SophosEncrypt ransomware

  • MalwareHunterTeam
    • Found a ransomware encryptor.
      • Initially thought to be a Sophos red team exercise.
      • It was not.
        • Sophos X-Ops team tweeted that they did not create the encryptor and that they are investigating its launch.
    • One person submitted a sample to the ID Ransomware service.
      • Live and active threat
  • SophosEncrypt
    • Written in Rust
    • Contains the path C:\Users\Dubinin\.
    • When run it prompts for an affiliate token.
      • Available to the owner via the panel
      • Verifies whether the token is valid.
        • connect to 179.43.154.137:21119.
          • Cobalt Strike C2 servers
    • Asks for more information.
      • Contact email, jabber address, and a 32-character password, which Gillespie says is used as part of the encryption algorithm.
      • Choice of encrypting one file or all files.
    • AES-256 encryption
    • Encrypted file names include:
      • The entered token
      • The entered email
      • The .sophos extension
    • Creates information.hta
      • Which opens when encryption completes
      • Contact info from setup is loaded into it.
    • Changes the Windows desktop wallpaper.
      • Boldly displaying the ‘Sophos’ brand

FortiGuard Labs Discovers .ZIP Domains Fueling Phishing Attacks

  • FortiGuard Labs Global Threat Landscape Report 2022
    • July 17, 2023
    • Phishing is the primary attack method for acquiring initial access in a network breach.
  • TLD
    • Top Level Domains
      • .COM
      • .ORG
      • .NET
      • .GOV
      • Etc.
  • gTLD
    • generic TLD
    • .CAT
    • .TRAVEL
    • .MOBI
    • .BIZ
  • .ZIP domains are the latest tactic.
    • Creating confusion
      • Particularly among non-tech-savvy users
    • Users may take it for a file extension and download it without hesitation.
  • Defense
    • FortiGuard Labs
      • block .ZIP domains at the firewall level
      • use web filters and browser extensions to assess the authenticity of a website.
      • double-check URLs before clicking.
      • update antivirus programs, operating systems, and web browsers to patch the latest security flaws.