CyberWire Daily - Developments in the ransomware underworld: ALPHV, Akira, Cactus, and Royal. Some organizations remain vulnerable to problems with unpatched Go-Anywhere instances.
Episode Date: May 8, 2023
ALPHV claims responsibility for a cyberattack on Constellation Software. A new Akira ransomware campaign spreads. CACTUS is a new ransomware leveraging VPNs to infiltrate its target. Many organizations are still vulnerable to the GoAnywhere MFT vulnerability. Russian hacktivists interfere with the French Senate's website. Keith Mularski from EY details their "State of the Hack" report. Emily Austin from Censys discusses the State of the Internet. And ransomware gangs target local governments in Texas and California. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/88
Selected reading.
ALPHV gang claims ransomware attack on Constellation Software (BleepingComputer)
Constellation Software hit by cyber attack, some personal information stolen (IT World Canada)
Press Release of Constellation Software Inc. (GlobeNewswire News Room)
Meet Akira — A new ransomware operation targeting the enterprise (BleepingComputer)
New Cactus ransomware encrypts itself to evade antivirus (BleepingComputer)
Pro-Russian Hackers Claim Downing of French Senate Website (SecurityWeek)
Dallas cyberattack highlights ransomware's risks to public safety, health (Washington Post)
Hacked: Dallas Ransomware Attack Disrupts City Services (Dallas Observer)
City of Dallas Continues Battling Ransomware Attack for Third Day (NBC 5 Dallas-Fort Worth)
San Bernardino County pays hackers $1.1 million ransom after cyber attack (Victorville Daily Press)
San Bernardino County pays $1.1M ransom after cyberattack disrupts Sheriff's Department systems (ABC7 Los Angeles)
Atomic Data devastated by the unexpected death of CEO and co-owner Jim Wolford (Atomic Data)
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
ALPHV claims responsibility for a cyber attack on Constellation Software.
A new Akira ransomware campaign spreads.
Cactus is a new ransomware leveraging VPNs to infiltrate its target.
Many organizations are still vulnerable to the GoAnywhere MFT vulnerability.
Russian hacktivists interfere with the French Senate's website.
Keith Mularski from EY details their "State of the Hack" report.
Emily Austin from Censys discusses the State of the Internet.
And ransomware gangs target local governments in Texas and California.
I'm Dave Bittner with your CyberWire Intel briefing for Monday, May 8th, 2023.
Canadian software provider Constellation Software
disclosed last week what they're calling a cybersecurity incident
impacting the company's IT infrastructure.
IT World Canada writes that a disclosure from Constellation
shared that some IT systems within the company were breached
and that there were also leaks of some personal data.
The company said, the incident was limited to a small number of systems related to internal
financial reporting and related data storage by the operating groups and businesses of Constellation.
A limited amount of personal information of individuals was impacted by the incident.
A limited amount of data of the business partners of Constellation Businesses was also impacted.
Bleeping Computer explains that the ALPHV ransomware gang
claimed the attack.
They've added a new entry for the company
to their data leak site.
The gang threatens to leak more than a terabyte of data
if the ransom demand is ignored.
The gang wrote,
We have been on your network for a long time and have
had time to analyze your business. We have stolen more than one terabyte of your confidential data.
If you ignore or refuse the deal, we will be forced to release all of your data to the public.
The ALPHV gang, also known as BlackCat, is currently one of the most active ransomware operations.
Bleeping Computer reports that Akira ransomware has been observed slowly spreading worldwide and its demands have reached six figures. Akira claims to have conducted attacks against at least
16 companies, but doesn't seem to be targeting a particular sector. Akira has leaked the
information of four of its victims,
presumably for not paying the ransom.
Bleeping Computer writes,
The ransomware gang demands ransoms
ranging from $200,000 to millions of dollars.
They are also willing to lower ransom demands
for companies who do not need a decryptor
and just want to prevent the leaking of stolen data.
The ransomware is currently being analyzed for weaknesses,
and Bleeping Computer does not advise victims to pay the ransom
until it's determined if a free decryptor can recover the files.
The Record reports that dozens of organizations are still exposed to cyberattacks
through a widely abused vulnerability in GoAnywhere MFT,
a web-based tool that helps organizations transfer files, according to new research.
The exploit, CVE-2023-0669, was patched in February, but as Censys reports, over two months after this zero day was disclosed,
Censys continues to observe almost 180 hosts running exposed GoAnywhere MFT admin panels,
with 30% of these showing indications of remaining unpatched and potentially vulnerable to this
exploit. A single vulnerable instance has the potential to serve as a gateway to a data breach
that could potentially impact millions of individuals. The number of vulnerable instances is trending slowly downward,
but ransomware in general is on the rise, with all of its attendant threat.
Experts recommend implementing patches and security updates,
as well as staying apprised of CISA's known exploited vulnerabilities catalog
for situational awareness with respect to exploitation of known vulnerabilities.
Researchers at Kroll have discovered a new ransomware family called Cactus. In a report
emailed to the CyberWire, Kroll wrote, Cactus has been observed leveraging documented vulnerabilities
in VPN appliances in order to gain initial access. The ransomware uses a novel encryptor requiring a key to decrypt it for implementation,
which likely allows it to remain undetected until the threat actors implement the ransomware attack.
Cactus is a new ransomware and as of yet hasn't been used enough to gather metrics regarding ransom prices
or the consequences of not paying the ransom. Kroll said,
As of the writing of this bulletin, Kroll had not yet identified a shaming site or victim identification-related blog authored by Cactus for purposes of sharing victim data if a ransom
was not paid. In terms of ransom, there is not currently enough data to provide an average
starting price. It is also yet to be seen what
would happen if a ransom were not paid and how successful any threat actor provided decryptor
may be. Researchers recommend updating all VPN services and implementing password managers to
minimize threat exposure. Kroll also recommends using multi-factor authentication to prevent lateral movement in the infected networks.
The NoName group, which has been heard from intermittently during Russia's war,
took to Telegram to claim credit for a distributed denial-of-service attack on Friday, SecurityWeek reports.
Cyber News quotes NoName's explanation,
We read in the media that France is working with Ukraine on a new aid package,
which may include weapons,
and, without thinking twice, we crashed the website of the French Senate.
The Senate tweeted that it was remediating the attack
and working to restore full service.
The consequences of the ransomware attack against the city of Dallas escalated over the weekend.
The disruption the incident caused to emergency systems interfered with the response to the mass shooting that occurred there over the weekend.
Although police officers were able to respond to the incident, system outages kept relevant information from the officers.
WFAA reports that Dallas Police Department computers are still down after the
city's system was attacked by ransomware on Wednesday, so it's hard for them to get information
on prior calls to the home. Separately, ABC7 reported Saturday that San Bernardino County,
California paid a $1.1 million ransom to cyber extortionists, stating,
After negotiating with the hackers, the insurance company and county agreed to pay
to restore the system to its full functionality and secure data.
It remains unclear which gang was behind the attack on San Bernardino's networks.
Finally, we end on a sad note. Jim Wolford, the CEO and co-owner of Atomic Data,
a company he co-founded 22 years ago, passed away suddenly at his home on Friday.
Our sincerest condolences to his colleagues, co-workers, and especially his family.
May they all receive comfort in their time of mourning.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and help you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And I am pleased to be joined here with Keith Mularski.
He is America's Cyber Threat Resilience Leader at EY.
Keith, it is great to speak with you again.
Thank you for taking the time with us here at RSA Conference.
My pleasure, Dave. It's always good to chat with you and great to be back at RSA this year.
So I understand you are all on the verge
of releasing a new report here with some interesting information in it. What do we got?
Yeah, so we're about ready to publish a report called The State of the Hack. And this would be
a perspective of hacking the world's biggest companies over the last year. So everybody
publishes a report based off of their cyber threat intelligence on the state of the hack
or what they're getting from incident response.
We're going to take it from a good guy's perspective
on what we're seeing
that maybe not the bad guys are exploiting,
but maybe things that are still weak
that we're seeing out there
so that companies could respond to that
and be able to mitigate any kind of problems
or have increasing better resilience.
Well, let's walk through it together here. What are some of the key elements that caught your
attention? Yeah. So what we did, so this is after, you know, over the last 12 months,
one of the things that we did see was phishing still was effective, but lower. So out of that, we saw it was 38% effective out of all of our attacks out there.
So we really see that probably the increased effort of training for anti-phishing, the email gateways that are being used out there, like Microsoft and Proofpoint that's out there,
is making a difference at that.
And actually, there was a report last year that actually, not ours, but from another
vendor that said initial access through exploitation of CVEs had exceeded phishing for the first
time.
So we kind of confirmed that.
Okay.
So 38% effective.
The other thing that we saw that really jumped out at us,
because everybody talks about MFA and that you need to have MFA, we found that 70% of MFA was
misconfigured in one way or another. Really? Yeah. Or that we were able to bypass that by either
getting in and being able to set up another account to then initiate an MFA request to then get in there and escalate privileges.
But that was one of the other big things that really stood out for us from the last year.
Before we move on to some of the other things that you gathered here, help me understand.
Are these numbers coming from you and your colleagues doing pen testing?
Is that primarily what we're talking about?
Yeah, so this would be pen testing.
So this is the white hats going in to try to find vulnerabilities
and be able to then talk to our clients to then say,
hey, you may have a problem here.
Let's fix this before it's really exploited.
Right, right.
Well, let's dig into some of the other elements here that you've gathered. Yeah. So the technique that we used to gain initial access the most that was most affected
was via password spraying. So we hear about password spraying a lot. And again, so that was
used the most to gain that initial access. Some of the other things that number two on the list
were man-in-the-middle attacks, SMB relays, unsecured credentials.
So those were some of those other things that we did
to get that initial access there.
The median time to get domain administrator access
once we got that initial access was one day.
So when you think about all of that,
that's pretty quick when you're thinking about that.
And the average number of steps,
so techniques that we took in order to get that domain administrator access
was five.
So five different steps to get there.
So being able to move pretty quickly.
So I think from that, one of the biggest takeaways in that that we recommend is with the speed is automation.
So being able to have SOAR in place, to be able to detect quickly.
Because sometimes we were detected and there were alerts that were getting fired off, but the blue team didn't react fast enough
to quarantine us.
So automation and speed is really of the essence.
Wow.
Some of the other things that we found here
where this kind of goes with that password spraying
was domain and password lockout policies
were really susceptible to password guessing.
So ensuring that you do have that in place because then the password spraying would be ineffective.
Right.
Outdated Windows, so that's, you know, or versions of software.
So that exploitation as well.
Yeah.
So those were some of the biggest takeaways, you know, that we saw that I wanted to share with you.
We're going to get in
much more detail when this gets published here in the next couple of weeks, you know, with all the
particular techniques and all that utilized. I'm curious from an internal point of view, you know,
you and your team there, do you come up with your own playbook over time that, you know, just to
save yourselves amount of work, you probably say,
well, here are the things that work 90% of the time. So we're going to start there.
Is that, does that happen in behind the scenes? Yeah, absolutely. You know, hey, you know,
we were able to bypass this, you know, in this situation, let's try that in other places. And
then our goal is to then, if we find that vulnerability, you know,
we want to get the word out there that, hey, this is vulnerable and this is what you need to do to
fix that. So based on the information you gathered here, what are your recommendations? How should
people best use their time and resources to defend themselves? Yeah. So again, you know,
vulnerability management is really key, you know, on that with, you know, going away from phishing to exploiting unpatched CVEs.
So that's key number one.
Again, the automation, so SOAR, key number two.
And just having, you know, good hygiene, you know, from your password policies and things like that.
Those would be my three big takeaways to share with you today.
It's remarkable that year after year,
we keep beating that drum about the basics,
and yet year after year,
we keep beating the drum about the basics, right?
Well, to use a sports analogy,
you always see the teams that do the basics right,
a block and tackle or, you know, just situational hitting if you're a baseball,
those are the teams that are successful.
So again, if you're just doing the basics
and you're doing that effectively,
you're going to be one step ahead of everybody else.
Yeah.
Keith Mularski from EY.
Thank you so much for joining us.
My pleasure, Dave. Emily Austin is senior security researcher at Censys. I caught up with her at
the RSA conference for details from their 2023 State of the Internet report.
At Censys, we have the most comprehensive internet-wide scan data set available.
And the creation of this report, this is the second year we've done it,
and the goal really is to sort of illustrate some of the power of that data
and kind of show off what you can do with the data, what we're able to see.
And in this year's report, we actually focused on the web.
We decided to drill deep into that.
I mean, the web is such a,
it's a huge presence in our lives.
And we decided to specifically drill into HTTP,
service that represents a lot of what we see on the internet,
over 80% of the services that we see.
And after that, we get into a little bit of TLS
and encryption on the internet.
So we start digging into the presence of certificates. And finally, we close out the report by looking at
misconfigurations and exposures across the web. Well, let's dig into some of the specifics here.
What are some of the things that surfaced from the report that caught your eye?
Yeah. So there's a little bit of good news and a little bit of bad news. I love the good news
because I think in security, we don't get a lot of good news all the time, right?
Right.
It's a little bit more rare.
Sure.
So for good news, we know from research from Google that about 90% of web traffic these days is encrypted,
which is a far cry from where it was even five to seven years ago, so it's huge.
And from looking at our own data, looking at HTTP services that use TLS, use encryption,
we see that about 95% of them use or negotiate
one of the two latest versions of TLS,
so 1.2 or 1.3.
And further, we've seen steady growth
in TLS 1.3 adoption over the last year.
So this, I think, is kind of a win
for user security and privacy
for just the everyday person
on the internet. Like this is huge, right? So that's positive. But of course with security,
you know, nothing gold can stay, right? Ponyboy. Exactly, right. So on the flip side,
exposures and misconfigurations are still a huge problem internet-wide. As an example, we found over 8,000 servers
hosting open directories that contained
really anything you can think of
that would be something you don't want
on the public internet, right?
So credentials files, SSL and SSH private keys,
database backups, CSVs and Excel files
with sensitive data.
And to be clear, we didn't actually look at these files,
but based on the naming conventions of them, we can surmise what's in them.
This is a little disappointing to me just because this is something that takes
just a few minutes to find if you know how to look for it. And it's essentially just giving
a threat actor a foothold into an organization really easily.
So that's still a huge, huge problem.
Can you give me some insights on how you all went about gathering this data?
What is the view that you all have
that allows you to gather this stuff up?
Yeah, so we scan the entire IPv4 space all the time,
constantly we're scanning.
And so we have that all collected
into our universal internet data set.
It's also available at search.censys.io.
And so we take that, and it is a little bit like boiling the ocean in some ways, right? You kind
of have to figure out, well, what is the perspective we want to take on this? And like I said, this
year we decided really to focus on the web so that that gets into HTTP. So that's a huge chunk
of services right there. And then starting to drill into, well, what's the software and what's the products that we see running over HTTP?
Because it's not just websites.
A lot of it is, but that's not everything.
And then kind of fanning out into adjacent technology,
encryption of those things.
So kind of thinking about the story of,
this is a technology that's pervasive
and it's in our lives every day, so let's dig into it.
And I think that's kind of how we approached it. Any other specifics that you want to shine a light on? Yeah. So I think
one final thing on the misconfiguration exposure side, we found over 200,000 Prometheus monitoring
instances on the internet. Prometheus is unauthenticated by default in the documentation.
It's expected that you as the developer, the maintainer of the tool, will set up authentication in some way or protect
it. And we found that about 48% of the endpoints being monitored in Prometheus tools that we could
see existed in private IP and DNS zones. So this is akin to, so if you think about the public
internet, right? This is akin
to if you're going to rob a building and you can see the public IP addresses, this is kind of
driving by the building, seeing where the windows are, seeing where the doors are. But for the
private IP addresses and DNS space, this is like someone's giving you a blueprint to the inside of
the building. They've labeled all the offices. They've labeled where the network closet is.
So again, very easy to find and very useful for a threat actor performing reconnaissance.
So what are the take-homes here? I mean, based on the information you all have gathered,
what are your recommendations? As unexciting as it may be, security hygiene is really,
really important. We don't talk about it a lot. It's
not a fancy, fun topic in the news. It's not a remote code execution or a zero day. But by and
large, this is still the stuff that's going to get you hacked, particularly if someone happens upon
it in an opportunistic way, because it is easy to find. So patch management, asset management,
vulnerability management, they're not necessarily glamorous or exciting, but they are so critical to securing your
organization. That's Emily Austin from Censys.
Thank you.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs
smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company
safe and compliant.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment called Security, huh? I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed.
Thank you. in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent
intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment,
your people.
We make you smarter about your team
while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by John Petrick.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI
and data products platform comes in. With Domo, you can channel AI and data into innovative uses
that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.