CyberSecurity News Byte

Hosted ByJim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Website Subscribe

Episode 65: July 24 2023

July 24, 2023 Jim Guckin CyberSecurity News Byte Weekly 34:3248.36M Comments Off on Episode 65: July 24 2023

Links

https://decoded.avast.io/martinchlumecky/hotrat-the-risks-of-illegal-software-downloads-and-hidden-autohotkey-script-within/
https://www.coveware.com/blog/2023/7/21/ransom-monetization-rates-fall-to-record-low-despite-jump-in-average-ransom-payments
https://www.bleepingcomputer.com/news/security/cybersecurity-firm-sophos-impersonated-by-new-sophosencrypt-ransomware/
https://news.sophos.com/en-us/2023/07/18/sophos-discovers-ransomware-abusing-sophos-name/
https://www.hackread.com/fortiguard-labs-zip-domains-phishing-attacks/

Risks of Illegal Software Downloads

  • HotRat
    • Automatic Script
      • Utilizes the icon for cracked software.
      • This runs the HotRat RAT
        • Remote Access Trojan
        • Variant of AsyncRaT
          • Available on GitHub
  • Victims
    • Download software from
      • Torrent
      • Cracked site.
    • Popular Software
      • Adobe
        • Illustrator, Master Collection, Photoshop
      • Microsoft
        • Office, Windows
      • Video games
        • Battlefield 3
        • Age of Empires IV
        • Red Alert 2
        • The Sims 4
      • Premium software
        • IObit Driver Booster
        • VMware Workstation
        • Revo Uninstaller Pro
  • Attack Path
    • AutoHot Key (needs Admin)
      • Removes User Access Control
        • Requiring operations to run without permission.
      • Uninstalls Avira AV
      • Modify’ s Windows Defender
    • Creates Scheduled task.
      • Using PowerShell
        • Runs the new task as a misspelled administrator.
      • Every 2 hours
      • Runs a VBS loader.
        • Visual Basic Scripting language
      • Adds RegAsm.exe to Windows Defender exclusion list.
    • .NET extractor
      • unpack malicious files.
        • like the HotRAT payload
      • detect the most frequently used antivirus software.
        • attempt to deactivate them using IObit Unlocker
    • Once the coast is safe
      • Deploy HotRAT
      • Using PowerShell and 2 png files
        • Image files

Hacking and a business

  • Coveware
    • 2032 Second Quarter
      • Ransomware payments fell.
        • Down to 34%
    • Chart shows
      • 85% in Q1 2019
  • cyber extortion opportunity cost curve
    • takes five different examples of extortion strategies.
      • characteristics
      • economics
    • Chart
      • monetary impact felt by the victim of the attack.
        • Business disruption is the largest driver.
      • Effort threat actor must exert to conduct the attack.
        • total expected profit
          • multiplying the probability that an attack will result in a ransom being paid.
          • multiplied by the actual amount of the ransom that may be paid.
    • Examples
      • Example 1
        • Malicious actor uses leaked data.
        • Steal files from user.
        • Sole proprietor
        • Low Impact Target, Low cost to malicious actor
          • Only need a little money to be cost effective.
      • Example 2
        • $500,000 to acquire a 0-day vulnerability.
        • 4 weeks of manual reconnaissance work and lateral movement
        • Unknown target impact, but high cost
          • Need a big payout to make it profitable.
    • Types of Attacks on Chart
      • Phantom
        • mass orchestrated social engineering attempts
        • easy to automate.
        • Low Effort, Low Payout
          • $1k-$5k
        • Formula
          • No Business Impact
          • No or low chance of payout.
          • The payout amounts low.
          • Low medium cost to actor
      • ‘spray’ attacks
        • same tactics of phantom incidents
        • data is deleted.
          • no exfiltration of data
        • Formula
          • Zero/Low Business Impact
          • low chance of payout
          • The payout amount is low.
          • Low Zero cost to actor
      • NAS (Network Attached Storage) encryption attack.
        • Formula
          • Low/Medium Business Impact
          • medium chance of payout
          • Payout amounts is low.
          • Low/Medium cost to actor
        • scanning and deployment of payloads tend to be automated.
          • scale the costs of impacting lots of NAS devices.
      • Data exfiltration attacks
        • Formula
          • Low/Medium/High Business Impact
          • Low/medium chance of payout
          • The payout amounts are medium/high.
          • Medium cost to actor
        • No encryption only exfiltration
        • extorts the victim over its public release.
        • probability of a ransom being paid is less than 50%
        • ransom demand on attacks is relatively high.
      • Encryption ransomware
        • Formula
          • High Business Impact
          • higher chance of payout
          • The payout amounts high.
          • High cost to actor
        • MOST amount of threat actor work/costs
          • skillfully navigate the victim’s network
        • acquire access to a victim company’s network.
          • Initial Access Broker

Sophos impersonated by new SophosEncrypt ransomware

  • Malware Hunter Team
    • Found ransomware encryptor.
      • Thought was a Sophos red team exercise.
      • It was not.
        • Sophos X-Ops team tweeted that they did not create the encryptor and that they are investigating its launch.
    • One person submitted to ID Ransomware service.
      • Live and active threat
  • SophosEncrypt
    • Written in Rust
    • Uses C:\Users\Dubinin\ path.
    • When run it prompts for an affiliate token.
      • Available to owner via the panel
      • verify if the token is valid.
        • connect to 179.43.154.137:21119.
          • Cobalt Strike C2 servers
    • asks for more information.
      • contact email, jabber address, and a 32-character password, which Gillespie says is used as part of the encryption algorithm.
      • Encrypt on or all files.
    • AES-256 encryption
    • File encrypted with info as file name.
      • entered token.
      • the entered email
      • .sophos extension
    • Creates the information.hta
      • Which will open when completed
      • Contact info from set up loaded in here.
    • change the Windows desktop wallpaper.
      • boldly displaying the ‘Sophos’ brand

FortiGuard Labs Discovers .ZIP Domains Fueling Phishing Attacks

  • FortiGuard Labs Global Threat Landscape Report 2022
    • July 17, 2023
    • phishing the primary attack method to acquire initial access in a network breach.
  • TLD
    • Top Level Domains
      • .COM
      • .ORG
      • .NET
      • .GOV
      • Etc.
  • gTLD
    • generic TLD
    • .CAT
    • .TRAVEL
    • .MOBI
    • .BIZ
  • .ZIP domain is the latest tactic.
    • creating confusion
      • particularly among non-techno-savvy users
    • user would consider it a file extension and download it without hesitation.
  • Defense
    • FortiGuard Labs
      • block .ZIP domains at the firewall level
      • use web filters and browser extensions to assess the authenticity of a website.
      • double-check URLs before clicking.
      • update antivirus programs, operating systems, and web browsers to patch the latest security flaws.

CyberSecurity News Byte is a weekly podcast, condensing the latest cybersecurity news, in an easily digestible format. News that you need to know to keep yourself and your organization safe from today’s threats.

Facebook Twitter Instagram

© 2021-2022 All Rights Reserved. Developed By Podcrease