Weekly Cyber Reports

This Week in Cyber 01st March 2024

Latest news and views from our Cyber Analysts

Written by Team Nucleus

Written on 1st March, 2024


Analyst Insight

This week in cyber news, LockBit has seen a resurgence, a new version of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) has been released, and threat actors continue to use novel attack methods. Last week's post discussed the impact of law enforcement on the LockBit ransomware group, but its operators have swiftly resumed operations on the dark web. The US has offered rewards of up to $15 million for information leading to the arrest of the group's leaders, a move given added urgency by LockBit's rapid return. The CSF, previously adopted mainly by large organisations, has been revised to suit businesses of all sizes, with updated components and new tools to assist end users. In geopolitical cyber news, the US has signed an executive order preventing the transfer of its citizens' personal data to countries deemed to be of concern.


All That is New in NIST CSF 2.0

The National Institute of Standards and Technology (NIST)'s Cybersecurity Framework (CSF) is back with a new version. The 2.0 standard changes many important aspects of the framework.

To start off, perhaps the most important change in 2.0 is the target audience. The CSF was originally aimed at critical infrastructure organisations, which by virtue of their size can commit large amounts of capital to security. In this version, however, NIST have opened the doors to everyone. The new framework aims to cater to businesses and organisations of every size, from the smallest non-profit to the largest multinational. NIST have stated that they anticipate "organizations will come to the CSF with varying needs and degrees of experience implementing cybersecurity tools". This will hopefully encourage better security postures for all.

Those already familiar with the NIST Cybersecurity Framework will know the five core functions: Identify, Protect, Detect, Respond and Recover. Version 2.0 adds a sixth, Govern. This new function covers how an organisation's risk management strategy, expectations and policy are established, communicated and monitored. It is a sweeping change that will shape how, when and where the other five functions fit an organisation's needs and abilities.

Alongside a vast number of individual changes and additions that reflect the current state of cyber security, NIST have included several features to help users navigate and apply the framework. These include Quick-Start guides tailored to specific use cases, ranging from Small Business to Enterprise Risk Management. NIST have also published a reference tool that simplifies implementation: it lets users browse, search and export the core guidance in both human-readable and machine-readable formats, and cross-reference other NIST guidelines to see how they map onto the CSF.


SubdoMailing: Hijacking of Major Brand Subdomains

A massive spam operation has been uncovered, involving over 8,000 domains and 13,000 subdomains belonging to well-known brands and institutions. The activity, dubbed "SubdoMailing", exploits the trust associated with these domains to send spam and malicious phishing emails by the millions each day, using the hijacked domains' reputation and infrastructure to slip past security measures.

The operation relies on manipulating the DNS records of these domains so that vast quantities of spam and outright malicious email appear to be legitimately authorised by internationally recognised brands, passing sender-authentication checks that would otherwise block them. The emails are crafted as images to dodge text-based spam filters. Clicking any part of them triggers a series of redirects through different domains that check the victim's device type and geographic location before serving content tailored to maximise profit: anything from an annoying advert or affiliate link to quiz scams, phishing sites or a malware download aimed at stealing money more directly.
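The practical defence against this kind of subdomain abuse is DNS hygiene: a subdomain whose CNAME points at a domain nobody owns any more can be taken over by whoever registers that domain, and an SPF record that includes such a domain lets whoever registers it publish an SPF policy under which their mail passes as the brand's. The checker below is an added example written for this post, not code from the original research or from any product. It resolves names against a constructed in-memory zone table so it runs offline; the zone contents, the two-label rule for registrable domains and the "registered if it appears in the table" stand-in are all assumptions for the demo, to be replaced with real DNS and RDAP/registrar lookups (and the Public Suffix List) in a live tool.

```python
"""
Offline checker for the two DNS-hygiene failures that let a third party send
mail as a brand's subdomain: a dangling CNAME to an unregistered domain, and an
SPF include:/redirect= reference to an unregistered domain.
Added example; zone data and registration check are constructed for the demo.
"""
import re

# Constructed sample zone: name -> list of (record type, value). Names that do
# not appear anywhere in the table are treated as unregistered.
ZONE = {
    "brand.example": [
        ("TXT", "v=spf1 include:_spf.mailer.example include:oldvendor-2016.example -all"),
    ],
    "promo.brand.example": [("CNAME", "campaign.abandoned-saas.example")],
    "www.brand.example": [("CNAME", "edge.cdn.example")],
    "edge.cdn.example": [("A", "198.51.100.10")],
    "_spf.mailer.example": [
        ("TXT", "v=spf1 ip4:203.0.113.0/24 include:relay.mailer.example -all"),
    ],
    "relay.mailer.example": [("TXT", "v=spf1 ip4:203.0.113.128/25 -all")],
}

SPF_REF = re.compile(r"(?:include:|redirect=)(\S+)")


def lookup(name, rtype):
    """Return the values of all records of `rtype` at `name` (empty list if none)."""
    return [value for t, value in ZONE.get(name, []) if t == rtype]


def registrable_domain(name):
    """Demo assumption: the last two labels form the registrable domain.
    A real tool must consult the Public Suffix List (co.uk, github.io, ...)."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def is_registered(name):
    """Constructed stand-in for an RDAP/registrar check: a domain counts as
    registered if any name under it has records in the zone table."""
    target = registrable_domain(name)
    return any(registrable_domain(n) == target for n in ZONE)


def dangling_cnames(host):
    """Follow host's CNAME chain; return (alias, target) pairs whose target domain
    is unregistered, i.e. subdomains an attacker could take over by registering it."""
    findings, seen = [], set()
    while host not in seen:  # `seen` guards against CNAME loops
        seen.add(host)
        targets = lookup(host, "CNAME")
        if not targets:
            break
        target = targets[0]
        if not is_registered(target):
            findings.append((host, target))
        host = target
    return findings


def spf_unregistered_includes(domain, _depth=0, _seen=None):
    """Walk include:/redirect= references in domain's SPF record; return
    (record owner, referenced domain) pairs whose referenced domain is
    unregistered. Depth is capped at 10, the RFC 7208 DNS-lookup limit."""
    seen = _seen if _seen is not None else set()
    findings = []
    if domain in seen or _depth > 10:
        return findings
    seen.add(domain)
    for txt in lookup(domain, "TXT"):
        if not txt.startswith("v=spf1"):
            continue
        for ref in SPF_REF.findall(txt):
            if is_registered(ref):
                findings.extend(spf_unregistered_includes(ref, _depth + 1, seen))
            else:
                findings.append((domain, ref))
    return findings


if __name__ == "__main__":
    for host in ("promo.brand.example", "www.brand.example"):
        print(host, "dangling CNAME:", dangling_cnames(host) or "none")
    print("brand.example SPF references to unregistered domains:",
          spf_unregistered_includes("brand.example") or "none")
```

Run against the sample zone, `promo.brand.example` is flagged because its CNAME target lives under `abandoned-saas.example`, which nothing in the table owns, while `www.brand.example` is clean; the SPF walk follows the healthy `mailer.example` chain and flags only the `oldvendor-2016.example` include. Either finding is enough for a third party to send SPF-passing mail under the brand's name, which is exactly the leverage the campaign above depends on.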


Executive Order Addresses Personal Data Protection Concerns

U.S. President Joe Biden has signed an Executive Order preventing the bulk transfer of Americans' personal data to countries deemed to be of concern. The order aims to stop sensitive information such as genomic data, health records and financial details from being exploited by threat actors, foreign intelligence services and commercial data brokers. It also directs federal agencies to establish regulations protecting personal and government data and mandates oversight to ensure federal grants and contracts do not facilitate access to sensitive data. Critics argue that restricting data flows only to certain countries is a flawed approach, emphasising concerns about authoritarian regimes misusing personal data. Separately, recent actions against companies such as Chengdu Beizhan Electronics and Sandvine highlight ongoing concerns about surveillance and censorship enabled by certain technologies.


IDAT and Remcos, a Competent Duo

The IDAT loader is a sophisticated piece of malware that employs several evasion techniques, including Process Doppelganging, DLL search order hijacking and Heaven's Gate. It is named after where it hides its payload: the IDAT chunk of the PNG file format, the chunk that normally carries the compressed image data. The loader is distinguished by its modular architecture, with separate code injection and execution modules. It also uses dynamic resolution of Windows API functions, HTTP connectivity tests, process blocklists and direct syscalls to evade detection.
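A PNG that carries a payload in or after its image data usually still renders, so the triage question is whether the file is structurally consistent with IHDR rather than whether it opens. The script below is an added example for this post, not code from the original report or from any published analysis of the loader: it walks the chunk list, verifies every CRC, inflates the concatenated IDAT data and compares it with the scanline size IHDR implies, and reports bytes left over inside IDAT after the deflate stream or appended after IEND. The sample images and the marker bytes in them are constructed for the demonstration; the checks are generic PNG structure checks, not signatures for this particular loader.

```python
"""
Structural triage of a PNG for data smuggled into or after the image data.
Added example; sample images are built inline and the hidden bytes are made up.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Samples per pixel for each PNG colour type (grey, RGB, palette, grey+alpha, RGBA)
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def chunk(ctype, payload):
    """Encode one PNG chunk: length, type, payload, CRC over type + payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def png_chunks(data):
    """Walk the chunk list. Returns (chunks, end) where chunks is a list of
    (type, payload, crc_ok) and end is the offset just past the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    chunks, pos = [], len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        stored = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == stored
        chunks.append((ctype.decode("ascii", "replace"), payload, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos


def analyse_png(data):
    """Return a list of findings; an empty list means the file is structurally clean."""
    findings = []
    chunks, end = png_chunks(data)
    if end < len(data):
        findings.append(f"{len(data) - end} bytes appended after IEND")
    for ctype, _, crc_ok in chunks:
        if not crc_ok:
            findings.append(f"CRC mismatch on {ctype} chunk")
    ihdr = next((p for t, p, _ in chunks if t == "IHDR"), None)
    if ihdr is None or len(ihdr) < 13:
        return findings + ["missing or truncated IHDR"]
    width, height, bit_depth, colour = struct.unpack(">IIBB", ihdr[:10])
    row_bytes = (width * CHANNELS.get(colour, 1) * bit_depth + 7) // 8
    expected = height * (1 + row_bytes)  # one filter-type byte precedes each scanline
    idat = b"".join(p for t, p, _ in chunks if t == "IDAT")
    inflater = zlib.decompressobj()
    try:
        raw = inflater.decompress(idat) + inflater.flush()
    except zlib.error:
        return findings + ["IDAT is not a valid deflate stream"]
    if inflater.unused_data:  # bytes after the stream's end marker, still inside IDAT
        findings.append(f"{len(inflater.unused_data)} bytes inside IDAT after the deflate stream ends")
    if len(raw) != expected:
        findings.append(f"inflated IDAT is {len(raw)} bytes, IHDR implies {expected}")
    return findings


def make_png(width, height, extra_idat=b"", trailer=b""):
    """Build a minimal 8-bit greyscale PNG; extra_idat/trailer inject bytes for testing."""
    rows = b"".join(b"\x00" + bytes((x * 7 + y * 13) & 0xFF for x in range(width))
                    for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(rows) + extra_idat)
            + chunk(b"IEND", b"") + trailer)


# Constructed samples: a clean image, one with bytes hidden inside IDAT after the
# real deflate stream (marker "MARK" is invented), and one with bytes after IEND.
CLEAN = make_png(4, 4)
HIDDEN_IN_IDAT = make_png(4, 4, extra_idat=b"MARK" + bytes(range(64)))
HIDDEN_AFTER_IEND = make_png(4, 4, trailer=b"\x4d\x5a" + bytes(64))

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("idat", HIDDEN_IN_IDAT), ("trailer", HIDDEN_AFTER_IEND)):
        print(name, analyse_png(img) or "no findings")
```

The IDAT check works because a chunk's CRC covers whatever the writer put in it, so a loader that appends its payload inside IDAT and recomputes the CRC produces a file that viewers accept; only the mismatch between the deflate stream's own end and the chunk boundary gives it away. The same idea extends to other concealment spots a practitioner should check on a suspect image: oversized ancillary chunks (tEXt, zTXt, iTXt) and any chunk ordering that violates the specification.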

Remcos is a fully featured commercial RAT providing keylogging, screen capture and even audio/video surveillance. Because it is sold as a product, attackers can control an infected computer, steal personal information and monitor a victim's activity without investing time in developing their own remote administration tool. It can also harvest information from browsers, email clients, cryptocurrency wallets and other applications.


LockBit Ransomware Returns

Despite a brief interruption caused by the international law enforcement action Operation Cronos, LockBit ransomware has quickly re-emerged in the threat landscape. Its operators promptly resumed activity on the dark web, moving their data leak portal to a new .onion address after their servers were taken down.

In a follow-up message, a LockBit administrator acknowledged the seizure of the group's websites, attributing the compromise to the likely exploitation of a critical PHP flaw (CVE-2023-3824). The administrator also claimed that the FBI had accessed their infrastructure without permission, which they saw as a reaction to the January ransomware attack on Fulton County.

The message also tried to cast doubt on law enforcement's claims by stating that the true identity of "Bassterlord" remains unknown. This development highlights the adaptability and resilience of cybercriminal operations and their ability to recover even from coordinated law enforcement action.

