Weekly Cyber Reports

This Week in Cyber 08th March 2024

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

8th March, 2024


This Week in Cyber News: Ransomware Landscape Shifts and Proactive Measures - Analyst Insight

Recent developments in the cyber threat landscape have underscored the unpredictable nature of ransomware groups. Some key highlights: BlackCat, a notorious ransomware group, appears to be at a crossroads. They have either begun a transition away from their current ransomware product or are rebranding altogether. Their recent actions include a fake take-down notice, posted to disguise the fact that they stole from their own affiliates. BlackCat have also publicly announced their intention to sell their source code. These moves signal a precarious future for the group.

Ciaran Martin, former head of the UK’s National Cyber Security Centre (NCSC), has taken a strong position against ransom payments. He believes it should be illegal for UK firms to pay off ransomware attackers, a stance aimed at disrupting the financial incentives that fuel ransomware operations. GhostSec and Stormous, two prolific cyber gangs, have joined forces to create a new strain of ransomware, which has already begun spreading rapidly across South Asia and South America. The collaboration between these groups suggests that we may witness yet another evolution in ransomware tactics.

Azets, a cybersecurity research firm, emphasises the need for vigilance. While many companies claim to be free from security issues, small and medium-sized businesses remain vulnerable: their limited resources often result in inadequate cyber-security response measures. It is crucial for such organisations to prioritise security practices and seek professional guidance. JetBrains have released a security patch for their TeamCity product addressing critical vulnerabilities; using that release as a reference point, our analysts have also identified some frightening trends regarding the speed of vulnerability exploitation.


BlackCat Ransomware Group Targets Their Own Affiliates

It should come as no surprise that cyber criminals are not a nice bunch, even to those within their own ranks. There is no camaraderie amongst cyber criminals; instead there is stiff competition. The infamous BlackCat ransomware group have staged an exit scam against their affiliates. BlackCat use a ransomware-as-a-service (RaaS) model for their operations. This method of malware distribution aims to distance the group that created the ransomware from the attacks carried out with it. By letting affiliates handle the intrusions and the deployment of the ransomware, the group can take a percentage of the paid ransoms with limited involvement.

BlackCat have been a target of law enforcement agencies for some time. Their infrastructure was seized by agencies in December 2023; however, they managed to restart their operation shortly afterwards. Using the target on their back to justify their disappearance, the group have seemingly run away, but not before collecting a £17 million ransom payment from a recent victim and withholding the participating affiliate's share of the funds. Leaving a message on a forum, they stated that “the feds screwed us over” and that “the source code will be sold”, referring to the source code of their ransomware. Their own site had far less information, containing only a bogus takedown notice from law enforcement. The National Crime Agency told Reuters that they had no connection with the notice.

Rumours circulating on related forums suggest that the group may be rebranding; others disagree. By destroying their reputation, the group may genuinely be looking to exit the world of cyber-crime, taking advantage of the current high cryptocurrency prices to rest on their ill-gotten laurels. This also begs the question: what of the affiliate who has been left high and dry? We are sure that law enforcement would be happy to help the "victim" track them down!


GTPDOOR Targets Linux Systems at Telecom Carrier Networks

New Linux binaries have been unearthed exposing a novel C2 method. The threat actors operating GTPDOOR have focused on systems closely related to GPRS roaming exchanges. These exchanges are the backbone of connectivity for roaming users in mobile networks. The security researcher HaxRob, who identified the new threat, has attributed the actors behind it to LightBasin, a prolific group in telecommunications espionage.

This new threat uses the GPRS Tunnelling Protocol (GTP) to communicate with its C2. By taking advantage of the connectionless nature of UDP, GTPDOOR has a “wakeup packet” that does not require an active service or listening socket to accept it: a GTP-C heartbeat request will always find its way into user space through a raw socket. GTPDOOR is particularly covert in its activities, masquerading as the syslog process, and if GTP-C is already authorised to pass through the firewall, minimal changes need to be made for GTPDOOR to operate.
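Because the wake-up mechanism rides on the ordinary GTP-C heartbeat (the GTPv1 Echo Request), one defensive check a telecom SOC can run is to parse every Echo Request arriving on UDP/2123 and flag the ones that do not look like a plain heartbeat. The script below is an added example, not code from this report or from HaxRob's analysis. It assumes traffic has already been captured as (source IP, UDP payload) pairs; the peer allowlist, the sample packets and the heuristics (unknown source, length field disagreeing with the packet size, trailing bytes after the header) are constructed for illustration, since the report does not state how GTPDOOR's wake-up packet differs from a normal one.

```python
"""Flag GTPv1-C Echo Requests that do not look like plain heartbeats.

Added example; not code from the original report or from HaxRob's analysis.
Assumes GTP-C traffic has been captured as (source IP, UDP payload) pairs and
that the legitimate roaming peers are known (ALLOWED_PEERS is a constructed
placeholder, as are all sample packets below).
"""
import struct
from typing import Dict, List, Optional, Tuple

GTPC_PORT = 2123          # standard GTP-C UDP port (informational only here)
MSG_ECHO_REQUEST = 1      # GTPv1 message type 1 = Echo Request (the heartbeat)

# Constructed placeholder: GRX/IPX peers we expect heartbeats from.
ALLOWED_PEERS = {"10.0.0.5", "10.0.0.6"}


def parse_gtpv1_header(payload: bytes) -> Optional[Dict]:
    """Parse the mandatory 8-byte GTPv1 header plus the optional 4-byte field.

    Byte 0: version(3) | PT | reserved | E | S | PN. Byte 1: message type.
    Bytes 2-3: length of everything after byte 7. Bytes 4-7: TEID.
    If E, S or PN is set, 4 optional bytes (seq, N-PDU, next ext) follow.
    Returns None for anything that is not GTPv1.
    """
    if len(payload) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    if (flags >> 5) != 1:
        return None
    header_len = 12 if flags & 0x07 else 8
    return {
        "msg_type": msg_type,
        "teid": teid,
        "declared_total": 8 + length,   # size the packet claims to have
        "body": payload[header_len:],   # information elements, if any
    }


def check_echo_request(src_ip: str, payload: bytes) -> List[str]:
    """Return reasons an Echo Request deserves review; empty list = looks normal.

    A legitimate Echo Request carries no information elements (a Private
    Extension is the only optional one), so trailing body bytes, a length
    mismatch or an unknown source are each worth an analyst's look.
    """
    hdr = parse_gtpv1_header(payload)
    if hdr is None or hdr["msg_type"] != MSG_ECHO_REQUEST:
        return []
    reasons = []
    if src_ip not in ALLOWED_PEERS:
        reasons.append(f"echo request from non-peer {src_ip}")
    if len(payload) != hdr["declared_total"]:
        reasons.append(f"declared size {hdr['declared_total']} != actual {len(payload)}")
    if hdr["body"]:
        reasons.append(f"{len(hdr['body'])} unexpected body byte(s) after the header")
    return reasons


def scan_packets(packets: List[Tuple[str, bytes]]) -> List[Tuple[str, List[str]]]:
    """Run check_echo_request over a capture and return only the hits."""
    hits = []
    for src, payload in packets:
        reasons = check_echo_request(src, payload)
        if reasons:
            hits.append((src, reasons))
    return hits


def build_echo_request(seq: int, extra: bytes = b"", fix_length: bool = True) -> bytes:
    """Build a GTPv1 Echo Request (flags 0x32: version 1, PT=1, S=1) for the
    constructed samples. `extra` appends body bytes; fix_length=False leaves
    the length field stale so the size-mismatch check fires."""
    optional = struct.pack("!HBB", seq, 0, 0)   # sequence, N-PDU, next ext type
    length = len(optional) + (len(extra) if fix_length else 0)
    return struct.pack("!BBHI", 0x32, MSG_ECHO_REQUEST, length, 0) + optional + extra


# Constructed sample capture: one clean heartbeat and two that merit review.
SAMPLE_PACKETS = [
    ("10.0.0.5", build_echo_request(1)),
    ("10.0.0.6", build_echo_request(2, extra=b"\x00\x00")),
    ("192.0.2.10", build_echo_request(3, extra=b"ABCDE", fix_length=False)),
]

if __name__ == "__main__":
    for src, reasons in scan_packets(SAMPLE_PACKETS):
        print(src, "->", "; ".join(reasons))
```

The checks are deliberately protocol-level rather than signature-based: they do not depend on any particular implant's bytes, so they also surface misconfigured peers and malformed heartbeats, which is the kind of noise a telecom SOC should expect to triage alongside genuine alerts.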


The Azets Barometer Indicates UK Businesses' Cybersecurity Blind Spot

The Azets Barometer January 2024 survey reveals a troubling oversight in the cyber security readiness of UK businesses. Despite the growing threat of cyber-attacks globally, only 1 in 5 businesses reported experiencing a cyber security incident in the past year. This low reporting rate suggests that many UK businesses may not fully grasp the cyber risks they face.

Among UK respondents, 74% reported no cyber security incidents, while 2% chose not to disclose and 5% were unsure. This lack of incident reporting underscores potential gaps in awareness or transparency regarding cyber security issues. Of the 20% of businesses that did report incidents, most suffered only one incident (16%), while a smaller percentage experienced multiple incidents.

Interestingly, there is a disparity in incident reporting between business sizes: larger companies, especially upper medium-sized ones, report no incidents at a higher rate than the overall average. This discrepancy could stem from stronger cyber security measures in larger companies, but it may also indicate a false sense of security.

Paul Kelly, UK Head of Cyber Services at Azets, highlights the discrepancy between reported incidents and the estimated frequency of cyber-attacks, emphasising the importance of cyber security education and investment. Despite the cost, strategic investment in cyber security is a top priority for businesses, viewed as a long-term investment to safeguard against evolving threats. The Azets Barometer provides valuable insights into the business climate, particularly for mid-market, owner-managed, and family-owned businesses across multiple countries.


Former NCSC Head Of Staff Weighs in on Ransomware Payments

Ciaran Martin, the founding CEO of the UK’s National Cyber Security Centre (NCSC), has renewed calls for a ban on ransom payments to hackers. In an opinion piece for The Times, Martin implied the need to criminalise the act of paying a ransom demanded by cybercriminals. He likens the practice to financing terrorist activities. Research from security vendor Proofpoint reveals that 82% of UK ransomware victims pay the money demanded by attackers, compared to a global figure of 58%. This near 30% difference suggests that UK companies are more likely to pay the ransom due to the lack of compensating controls and backups.


There are reasons why the payments have yet to be made criminal. Martin acknowledges that several factors have so far hindered outlawing them, including reluctance from US legislators, which discourages other countries from taking a different approach. He challenges the notion that prohibiting payments could push victims to deal with attackers via unregulated channels, labelling it one of the “terrible arguments” against a ban. While the UK government has not yet implemented a full ban, it recently announced that no Whitehall agency has ever paid a ransom demand and that this policy will remain in place. The global Counter Ransomware Initiative also calls for public bodies to adopt a similarly staunch stance against paying ransoms.


JetBrains TeamCity: The Worrying Speed of Exploitation

JetBrains TeamCity, a popular enterprise CI/CD service, recently received a security patch for two critical vulnerabilities, CVE-2024-27198 and CVE-2024-27199. The vulnerabilities could allow attackers, via HTTP(S), to bypass security controls and gain administrative control of a TeamCity server. The severity of the vulnerabilities makes this development important: any organisation using TeamCity should patch its systems immediately to account for the potential for exploitation.


Our analysts conducted an investigation shortly after the security patch was released, in order to see how quickly exploitation would be seen in the wild. Using threat indicators related to the vulnerability, some interesting findings came to light. Within hours of the patch and vulnerability being publicised, several dozen scanners were seen probing our network. While it is hard to ascertain the intentions of these scanners, the lesson is plain: whoever is behind them can start exploring for vulnerable systems before most organisations have even had time to patch these critical vendor vulnerabilities. Even if some of these scanners were for research purposes, the arms race had begun at a frighteningly quick pace. Proper patch management is essential as always, but clearly it is sometimes not enough, as rolling out updates across many sites and services can take time for some organisations. Active network monitoring from a SOC or MDR service may be the only acceptable protection against these threats.
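The observation above, that a wave of distinct scanners arrives within hours of a vendor advisory, is something a SOC can measure from its own web access logs without knowing any exploit details: count the distinct client addresses hitting an exposed application endpoint per hour and compare against the endpoint's normal baseline. The script below is an added example, not code from this report, and it is not tied to TeamCity's real endpoints or to the indicators our analysts used. It assumes combined-format access logs; the watched path /login.html, the threshold and every log line are constructed for illustration.

```python
"""Spot a scanning wave against an exposed endpoint by counting distinct sources per hour.

Added example; not code from the original report and not tied to TeamCity's real
endpoints or to any indicator the analysts used. Assumes Apache/nginx combined
access logs; the watched path and all SAMPLE_LOG lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# ip - - [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample: a quiet morning, then six new sources in one afternoon hour.
SAMPLE_LOG = """\
10.1.1.20 - - [04/Mar/2024:09:14:02 +0000] "GET /login.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.1.1.21 - - [04/Mar/2024:09:20:45 +0000] "POST /login.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Mar/2024:14:01:09 +0000] "GET /login.html HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.8 - - [04/Mar/2024:14:01:10 +0000] "GET /login.html HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [04/Mar/2024:14:02:33 +0000] "GET /login.html HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.4 - - [04/Mar/2024:14:03:07 +0000] "GET /login.html HTTP/1.1" 200 512 "-" "Go-http-client/1.1"
203.0.113.5 - - [04/Mar/2024:14:05:51 +0000] "GET /login.html?x=1 HTTP/1.1" 200 512 "-" "Go-http-client/1.1"
203.0.113.6 - - [04/Mar/2024:14:07:19 +0000] "GET /login.html HTTP/1.1" 200 512 "-" "curl/8.4.0"
10.1.1.20 - - [04/Mar/2024:14:10:00 +0000] "GET /favicon.ico HTTP/1.1" 200 318 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped, not crash the job
"""


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, int]]:
    """Return (ip, hour_bucket, method, path, status), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when.strftime("%Y-%m-%d %H:00"), method, path, int(status)


def distinct_sources_per_hour(log_text: str, watched_path: str) -> Dict[str, Set[str]]:
    """Group requests for watched_path (query string ignored) by hour, keeping client IPs."""
    buckets: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                    # skip junk rather than abort the whole run
        ip, hour, _method, path, _status = parsed
        if path.split("?", 1)[0] == watched_path:
            buckets[hour].add(ip)
    return dict(buckets)


def flag_scan_waves(per_hour: Dict[str, Set[str]], threshold: int) -> List[Tuple[str, int]]:
    """Return (hour, distinct_sources) for hours above threshold, oldest first.

    threshold should come from the endpoint's own history; on the constructed
    data a normal hour sees 2 distinct sources, so 3 is used below.
    """
    return sorted((h, len(ips)) for h, ips in per_hour.items() if len(ips) > threshold)


if __name__ == "__main__":
    per_hour = distinct_sources_per_hour(SAMPLE_LOG, "/login.html")
    for hour, n in flag_scan_waves(per_hour, threshold=3):
        print(f"{hour}: {n} distinct sources hit /login.html")
```

Distinct-source counting is a useful first cut precisely because it needs no knowledge of the vulnerability: the spike is the signal. In production the threshold would be derived from the endpoint's own history rather than hard-coded, and an hour that trips it is the prompt to prioritise that patch rollout and pull the matching sources into a closer look.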

