Sectrio

Author name: Prayukth K V

Prayukth K V has been actively involved in productizing and promoting cross-ecosystem collaboration in the emerging tech and cybersecurity domains for over a decade. A marketer by profession and a published author, he has also proposed and promoted critical infrastructure protection strategies that rely on in-depth threat research and deflection strategies to deceive hackers and malware. Having been at the frontlines of securing infrastructure, Prayukth has seen cyberattacks and defense tactics at close quarters.


Why the BlackCat ransomware is a bigger threat than we can imagine

The recent exploits of the BlackCat ransomware group have underscored several factors that are worrying cybersecurity teams across verticals, as well as law enforcement agencies. The sudden spike in the number of victims points to new operational models that the operators are using to spread the ransomware and target more entities. Let us examine how this group scaled its operations so quickly and turned into a significant threat in such a short period.

How does the BlackCat ransomware group operate?

The BlackCat group has been operating in one form or another since September 2021, when we first lifted digital prints of the group as a distinct entity from an attack on a power plant in the Middle East. This was one of the earliest attacks attributed to the group. The breach was not successful, yet the plant operator received multiple ransom demand notes and calls from around the world.

The group began by modifying code it inherited from another ransomware group. Since then it has revised its playbook to recruit 'affiliates' to spread the malware, turning itself into a ransomware-as-a-service (RaaS) operation that lends its tooling to other groups for a fee. The group has refined this model into a variant in which the hackers borrowing the ransomware pay a small amount upfront and later pay a percentage (30 to 50 percent) of the ransom collected from a victim as a commission. In effect, the group collaborates with its affiliates to spread its ransomware while earning proportionately from the ransom received. Affiliates are recruited aggressively, with groups that have previously worked with other ransomware operations being preferred; such affiliates are paid a bigger slice of the ransom collected.

It is also possible that the group is training some of its affiliates. There are indications that it uses a vetting process to weed out non-serious affiliates and law enforcement teams trying to infiltrate it, its affiliates, and its activities. It has also developed its own payment and effort validation methods to ensure that affiliates on the revenue-share model report the right earning numbers to it.

Why is the BlackCat group growing into a bigger threat than imagined?

To incentivize early payment, the group now offers discounts to victims who pay up early. It also threatens to release sample data in batches to key stakeholders of the victim's business to add pressure. If that threat does not work, a massive DDoS attack is threatened.

On the technical side, the ransomware is written in Rust, a memory-safe language, which reduces the chance of memory-safety bugs that security researchers could exploit against the malware itself. It is designed for fast deployment and encryption, and it targets multiple OS ecosystems with builds for both Windows and Linux. The malware also has a low detection signature and is hard to detect with static analysis tools in particular. From the FBI report on the ransomware, the group's activities, and its Indicators of Compromise, it also appears that the ransomware is designed to steal data, including user credentials, before it targets key systems. This is a gain of features, capabilities, and function over the parent variant of this ransomware, which was primarily developed to exfiltrate data.

Overall, the malware appears to be architected to hit as many victims as possible in the shortest possible time before the operators appear on the law enforcement radar. It is also built to appeal to a wide set of players, including affiliates, rookies, and revenge hackers. The level of focus on monetization shows how hacker groups have evolved to create malware that meets the diverse requirements not just of developers and users but also of other groups that may use the source code to develop more potent variants in the future.

Explore our malware reports here: Malware Reports
Participate in the CISO Peer Survey 2022 and make your opinion count: CISO Peer Survey 2022
Book a demo to see our IT, OT and IoT security solution in action: Request a Demo
Try our threat intelligence feeds for free for the next two weeks and get access to enriched IoT-focused cyber threat intelligence for 15 days.


Why are Chinese APT groups increasing their global footprint and cyber attacks?

For the last couple of weeks, we have been seeing increased Chinese APT activity in APAC. One of the APT groups involved is Deep Panda (a.k.a. Purple Ghost, KungFu Kittens), and the countries affected are India, Australia, and Vietnam.

Deep Panda is among the older APT groups and has been around in one form or another since 2011. It was among the first groups trained to go after high-value targets and complex installations such as those connected with governments, telecom, defense, and parts of critical infrastructure. Its primary mission is to snoop on official channels and exfiltrate data of importance to its sponsors. Deep Panda maintains a very high level of interest in intercepting communication between government departments, including state secrets and data such as Covid-19 numbers; at times it harvests and transmits terabytes of data to C&C servers around the world, where a team sorts the information manually. It has known links with other Chinese APT groups and has collaborated on at least one project with the North Korean Lazarus group.

Deep Panda uses a wide array of tools, including multi-phase RATs, and uses zero-day exploits to push malware into target networks. Recently we came across many instances of the group trying to infect servers with the Fire Chili rootkit. Its expertise lies in running complex social engineering campaigns that lure multiple victims inside the target organization, opening more lines of data interception. In the last two weeks alone, Sectrio's research team has found Deep Panda's footprints in our honeypots across Europe, Asia-Pacific, and North America. Cicada (a.k.a. APT10, Stone Panda) and Mustang Panda (a.k.a. Temp.Hex, HoneyMyte, TA416, or RedDelta) are the other Chinese APT groups that have become very active in the last few weeks. Mustang Panda is currently running an espionage campaign targeting diplomatic missions, think tanks, and NGOs in several countries.

Why are Chinese APT groups becoming more active of late?

Chinese APT group activity was recorded in 28 of the 77 active honeypots run by Sectrio. Some groups are also probing control systems linked to OT deployments and firmware on IoT devices. The increased wave of activity indicates rising sponsor interest in espionage and long-term reconnaissance on targets, in addition to disruption.

In India, Deep Panda's activity was logged against utility infrastructure. We first detected the group's reconnaissance in November 2019, when it attempted to penetrate a power grid, and later (June 2020) a New Delhi-based think tank. The group also ran a phishing campaign against Indian missions in several countries, using emails engineered to appear to come from India's Ministry of External Affairs. It has maintained a high level of interest in India, Vietnam, and Australia since at least 2014.

The increase in Chinese APT activity is connected to the ongoing retreat of Russian APT groups from cyberspace. Russian groups are now focusing on only a few sectors, unlike earlier, when they went after all critical infrastructure projects in target countries; their current focus is energy infrastructure, water and wastewater treatment plants, and the maritime sector. They are also bogged down by a huge spike in inbound cyberattacks on Russian targets, and their sponsors appear to have moved some APT groups to defending infrastructure or to going after groups that are attacking Russia in cyberspace. This has opened the door for Chinese APT groups to step in, and they are exploiting the opportunity and taking the place of Russian groups. Going by the scale of operations, one can infer that their sponsors are providing more funds and manpower to ramp up. It is only a matter of time before these groups diversify their operations and log more successes. Enterprises and governments have to act with caution and diligence to keep such groups at bay.

Amplifying the voice of the CISO

Haven't filled in the CISO Peer Survey yet? Over 270 CISOs already have. Fill it in today and you will get a pre-release copy of the survey report, with information, analysis, and commentary on:
- Cybersecurity budgets
- The latest strategies to keep threats at bay
- The tools CISOs are leveraging to secure their businesses
- What has changed since February 24
- How organizations are responding to emerging cybersecurity challenges

To make your opinion count, fill in the form here: CISO Peer Survey 2022. Book a demo to see our IT, OT and IoT security solution in action: Request a Demo.


We have entered the era of crafted malware

In the last two weeks, several U.S. government agencies issued joint alerts warning businesses and critical infrastructure operators about the discovery of malicious cyber tools that could be used to gain access to industrial control systems. While the alert from the Energy Department, the Homeland Security Department, the FBI, and the National Security Agency (NSA) did not identify the actor behind the malware, what has caught the agencies' attention is the sheer sophistication of the tooling. The APT group behind it built it specifically to target liquefied natural gas and electric power facilities in the USA.

Operating in the background

In the last decade, APT groups have harvested gigabytes of data on critical infrastructure operators across the globe through reconnaissance attacks. Such attacks have either gone unnoticed or have not been taken up for analysis or action by the affected cybersecurity teams. As a result, bad actors have accumulated data that can feed an actual cyberattack or the development of crafted malware, including data on:
- Security frameworks and the depth of incident response capabilities at critical facilities
- Supply chain entry points for loading malware onto target entities downstream
- Ways to keep malware dormant for prolonged periods, including facility shutdowns, renovation, and component replacement
- Methods to infiltrate malware through non-conventional means, including designating specific critical infrastructure employees as targets for multi-stage phishing campaigns
- Disgruntled employees who could be targeted more easily

Further, through contaminated firmware in relatively simple IoT systems such as smart surveillance, data and credentials have been exfiltrated directly or copied onto other systems for exfiltration.

The data gleaned is then used to create modified malware variants that are often more effective at breaching the target network than unmodified variants. Such malware is then deployed through the same route used during the reconnaissance attack (if the malware loader is still in place or the exploited weakness is still unaddressed).

What does this translate into for cybersecurity teams?
- More targeted attacks and breaches that could lead to greater loss of information or huge ransom demands
- Malware evolution cycles have shrunk from years to months and weeks
- Malware can be repeatedly tweaked to evade defenses and improve its effectiveness
- This increases the success rate of malware developers and bad actors, who can then build on that success
- IoT deployments and OT-based critical infrastructure face an immediate threat

Want to learn how to deflect targeted attacks? Learn more about our adaptive cybersecurity solutions, or talk to our cybersecurity experts about our IT-IoT-OT cybersecurity solutions and threat intelligence: Book here.


Rising attacks on maritime assets, use of infostealers trigger alarm

While many critical infrastructure segments such as oil pipelines, offshore refineries, utility companies, and water treatment plants were registering a spike in cyberattacks, the number of background attacks on shipping companies and assets quietly rose to an all-time high yesterday. Analyzed in the context of growing attacks on global supply chains, this gives cybersecurity planners reason not just to worry about securing their own assets but to act to improve cybersecurity across the maritime industry.

After almost two quarters of decline, cyberattacks on maritime assets started rising in February this year. The rise was not steep, but the volume kept climbing until it touched an all-time high of 109,333 as of noon yesterday.

One of the attacks isolated by Sectrio's researchers involves the use of infostealers. The sequence is triggered by a phishing mail inviting the user to download 'clearance certificates' from various multilateral agencies for port operations. The document, hosted on shady websites, does contain a fake certificate: on preview it shows the viewer a portion that looks authentic. Once downloaded, the document asks the user to enable content, which activates the malicious macros. The macros then assemble multiple payloads from various sources on the web. Once the final payload is assembled on the victim system, it executes, mopping up all kinds of information from the infected machine and enlisting the machine in a wider botnet.

Top 5 reasons why the maritime sector is being attacked
- With global sea commerce rising, hackers feel shipping companies may be easy targets when it comes to paying a ransom
- Many systems across OT and IoT have not been patched since 2020 or earlier, giving bad actors a chance to access networks and resources through security gaps that have emerged since
- Bad actors may be trying to disrupt global supply chains to push commodity prices even higher
- Some attacks could be motivated by geopolitical factors
- Some major ports are also key target cities for APT groups and other sophisticated hackers

Top 5 impacts
- Hackers are targeting navigation systems, which could cause a major accident on the high seas or as ships return to port
- Delayed economic recovery if some of these attacks succeed
- Loss of commodities could lead to a rise in prices
- Supply chain attacks create challenges downstream, as delayed arrival of input components may escalate costs or temporarily shut down production lines
- An ecological disaster could result from a successful cyberattack on a vessel

So how can maritime companies defend themselves against such attacks? Sectrio's cybersecurity solutions and threat intelligence can help maritime companies operate with adequate security by detecting threats and risks early and mitigating them. We are among the few companies with a solution deployed on ships and on onshore maritime infrastructure. Talk to our cybersecurity experts about our IT-IoT-OT cybersecurity solutions and threat intelligence: Book here.
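The infostealer chain above turns on one step: the victim downloading a macro-bearing Office document and clicking "enable content". The check a mail gateway or EDR applies at that point is shown below as an added example; it is not Sectrio's code and not the sample the researchers analysed. It assumes the attachment is an OOXML (.docx/.docm) package, which is a ZIP container in which a VBA project is stored as word/vbaProject.bin and the macro-enabled content type is declared in [Content_Types].xml. The sample package and the placeholder vbaProject bytes are constructed inline; function and verdict names are illustrative.

```python
"""
Mail-gateway triage for a macro-bearing Office attachment (added example).

Flags attachments that carry a VBA project at all, and in particular those
whose filename (.docx) promises a macro-free document while the container
says otherwise. The vbaProject bytes are a placeholder: a real
vbaProject.bin is an OLE compound file with compressed VBA source, so
extracting the macro code itself needs a dedicated parser (oletools' olevba).
"""
import io
import zipfile

VBA_PART = "word/vbaProject.bin"
MACRO_ENABLED_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
MACRO_FREE_CT = (
    "application/vnd.openxmlformats-officedocument"
    ".wordprocessingml.document.main+xml"
)
# Extensions that promise a macro-free document to the recipient
MACRO_FREE_EXTENSIONS = (".docx", ".dotx")


def build_sample_package(with_vba: bool) -> bytes:
    """Constructed sample input: a minimal OOXML package, not a real document."""
    main_ct = MACRO_ENABLED_CT if with_vba else MACRO_FREE_CT
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Placeholder bytes (OLE magic + filler); see module docstring
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1placeholder")
    return buf.getvalue()


def inspect_attachment(data: bytes, filename: str) -> dict:
    """Return macro indicators and a verdict for one attachment."""
    result = {
        "is_ooxml": False,
        "has_vba_project": False,
        "declares_macro_enabled": False,
        "extension_hides_macro": False,
        "verdict": "not-ooxml",
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "[Content_Types].xml" not in names:
            return result
        result["is_ooxml"] = True
        result["has_vba_project"] = VBA_PART in names
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["declares_macro_enabled"] = MACRO_ENABLED_CT in content_types

    macro_present = result["has_vba_project"] or result["declares_macro_enabled"]
    looks_macro_free = filename.lower().endswith(MACRO_FREE_EXTENSIONS)
    result["extension_hides_macro"] = macro_present and looks_macro_free

    if result["extension_hides_macro"]:
        result["verdict"] = "quarantine"          # container and filename disagree
    elif macro_present:
        result["verdict"] = "detonate-or-block"   # honest .docm: a policy decision
    else:
        result["verdict"] = "no-vba-project"      # not a macro lure; other checks still apply
    return result


if __name__ == "__main__":
    lure = build_sample_package(with_vba=True)
    for name in ("clearance_certificate.docm", "clearance_certificate.docx"):
        print(name, inspect_attachment(lure, name)["verdict"])
    print("benign.docx", inspect_attachment(build_sample_package(False), "benign.docx")["verdict"])
```

The container check is deliberately cheap and runs before any sandboxing: a document that carries a VBA project under a name chosen to look macro-free is quarantined outright, while an honestly named .docm goes to detonation or is blocked by policy. A "no-vba-project" result only says the document is not a macro lure; the same phishing mail could still carry a link-based or exploit-based payload.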


What’s keeping CISOs awake at night this year? 

As the pandemic eases its grip on the global economy and business imperatives, new organizational priorities are emerging. The last two years have forced businesses to pay more attention to cybersecurity and risk management practices across managed and unmanaged environments, while revisiting resource allocation, staffing, and board attention. Business and cybersecurity leaders are also taking a closer look at their operational threat envelope and risk exposure, with regulatory cybersecurity advisories arriving almost weekly.

Some of the new cybersecurity challenges that have emerged in the last two years:
- More regulatory attention on critical infrastructure operators and businesses connected with supply chains. Regulators are streamlining reporting requirements to remove ambiguity and ensure that all events are reported within a stipulated period, and regulators and governments are also incentivizing better cybersecurity measures
- Reduced visibility into networks because of the sudden increase in the number of connected assets
- Over 700 percent increase in sophisticated cyberattacks and complex phishing and data theft activity (per Sectrio's 2022 IoT and OT Threat Landscape Assessment and Analysis Report)
- Targeted attacks on OT and IoT devices, networks, and facility-level infrastructure
- Security Operations Center fatigue triggered by a huge spike in false positives in threat detection
- Institutional threat hunting capabilities that have not kept pace with the growth in threats
- A significant rise in undetected and unaddressed vulnerabilities
- Patching discipline lost in the early days of the pandemic, which has allowed trojans to become embedded in parts of the digital infrastructure
- Rise of supply chain attacks originating from entities loosely connected with downstream businesses
- Rise of APT-trained independent actors who are widening the threat spectrum and exposing businesses to new threats
- Access and privilege management challenges caused by employees using multiple devices

With these changes, CISOs are juggling multiple priorities, securing board approval, and keeping investors and shareholders assured while having to do more with less. With such a roster of responsibilities, it is no wonder that CISOs in many organizations are driving innovation, efficiency, and optimization of the assets and solutions used to get things done faster.

What's really keeping CISOs up at night?

We are sure you can relate to these challenges. But what about your peers in the industry? What new challenges are they dealing with? How are they managing new regulatory mandates, the shortage of skilled staff, and the expansion of threat surfaces tied to digital transformation? Has the new level of scrutiny, from within and outside the organization, opened doors for improvement, or is it bogging them down? Sectrio's CISO Peer Survey 2022 will offer answers to these questions and insight into the strategies and tactics cybersecurity leaders are using to address them.

A chance to win

We invite all cybersecurity leaders across verticals and countries to participate in this survey; your participation will make it a more participative and comprehensive effort. Participate in this quick survey for a chance to win a $100 voucher along with lifetime access to Curated Regulatory Compliance Kits from Sectrio. Every respondent will also get a complimentary copy of the survey report once it is published in May 2022. The report will analyze the findings by vertical and geography and include suggestions from prominent cybersecurity leaders on dealing with these challenges. Begin the survey now!

Learn more about our IoT, IT, and OT cybersecurity solution through an interactive demo.


FAQs on Singapore’s new cybersecurity best practices recognition scheme

What is it all about?

Singapore's Cyber Security Agency (CSA) recently launched a new cybersecurity certification program that certifies firms that have implemented good cybersecurity practices. This is a good way of incentivizing cybersecurity among businesses. The program is divided into two marks based on the size and digital maturity of the organization. The first, Cyber Essentials, is targeted at small and medium-sized businesses that often have limited resources and manpower, encouraging them to implement good cybersecurity practices including access management and control, incident response, and disaster recovery. The second, Cyber Trust, is aimed at larger and more digitalized enterprises, including MNCs. It takes a risk management approach that helps them understand their risk exposure, raise contextual awareness, and focus on the areas of cyber resilience needed to address and mitigate security risks. The overall security posture of the enterprise is also assessed.

CSA has defined 5 cybersecurity preparedness tiers that align with an enterprise's risk profile. Each tier covers between 10 and 22 domains, including cyber governance, awareness and education, asset protection, and cyber resilience. These preparedness tiers will be part of a Technical Reference (TR) for cybersecurity standards to be rolled out in the second quarter of this year.

What will the TR contain?

The TR will offer a tiered approach to deploying cybersecurity measures, including:
- Establishing a comprehensive process to secure sensitive data
- Installing anti-malware solutions
- Securing backups from any form of unauthorized access
- Understanding the different risk profiles of enterprises

The tiered measures take into account the operational imperatives of organizations operating in Singapore. The TR, when available, together with CSA's certification scheme, will help businesses secure their digital assets and personal data and enhance cybersecurity preparedness in a phased manner.

What kind of support is CSA offering for companies that wish to obtain these marks?

CSA has developed a toolkit for IT teams and curated an early ecosystem of partners with product and service offerings to help businesses meet the requirements. The toolkit for IT teams is part of a suite of cybersecurity toolkits put together by CSA for key enterprise stakeholders. It includes resources that enterprises can use to prepare for certification, including templates for tracking the state of information assets.

Do these cybersecurity marks cover specific products or offerings?
No. They relate only to the cybersecurity practices adopted by an organization at an institutional level.

Is it mandatory?
Not as of now.

Who will be the certifying authority?
CSA has appointed 8 certification bodies that act independently. These firms will certify the companies that apply to the program.

How will businesses benefit?
In addition to improving trust and credibility, certification in cybersecurity best practices helps the brand at various levels. Businesses can cite the certification in their outbound communication to convey the level of cybersecurity maturity attained and the priority that management and employees give to cybersecurity. Sectrio recommends that all businesses go for this certification at the earliest; it is one way of adding momentum to your cybersecurity journey and putting cybersecurity on your organization's priority agenda.

How can Sectrio help with this certification?

If we split the requirements of this certification into components, there are 3 major outcome areas:
- Best-practice cybersecurity measures
- Raising the cybersecurity awareness of all stakeholders
- Putting together a roadmap for improving security on an ongoing basis

Sectrio can help secure digital assets across IT, OT, IoT, and converged environments, and can offer its threat intelligence feeds to improve threat hunting so that threats are detected and remediated early. Sectrio's offerings also address requirements around:
- Network security
- Asset security
- Visibility into networks and assets
- Information on the state of vulnerabilities and patches
- Micro-segmentation to contain threats and apply policies at a micro level
- IoT- and OT-focused threat intelligence

In addition, Sectrio offers compliance kits to align your internal cybersecurity practices with standards such as IEC 62443 and those recommended by NIST. We can also help your business adopt a Zero Trust approach and defend against sophisticated attacks at all levels, including those that emerge at points in your extended supply chain. Book a free, no-obligation slot with our IT, IoT, and OT cybersecurity analysts and consultants to learn more about complying with the new recognition scheme: Book here.


A significant spike in cyberattacks from Russia could be expected in April

Last week, during a webinar session, I was asked why the cyberattacks from Russia did not materialize at the levels we were warned about. To answer this, we need to understand how Russian APT groups operate and work on targets.

Russian APT actors have never shown a linear progression in the intensity and volume of attacks, except in specific circumstances; this is mostly true after they choose a target, as they do not go after targets in cyberspace at random. Mostly they choose targets, attack with ferocity until they succeed, and then move on. Such attacks are continuing, as seen in the case of the German wind turbine manufacturer Nordex SE, which was attacked last week. Russian APT groups are specifically on the lookout for renewable energy companies, power firms, and oil pipeline companies.

So what exactly are Russian APT groups up to, and what is this 'delay' all about?

Given the above, a multi-sectoral attack across geographies is not on the horizon in the near term. From the chatter we are picking up on the dark web and from the APT groups we monitor, it appears that specific targets and countries are being chosen and attacked selectively with specific malware and tactics.

Here are some facts on the activities of Russian APT groups in the last 8 weeks:
- Our honeypots across Western Europe have recorded a rise in cyberattacks since the onset of the war
- The spike has been limited to the sectors mentioned above plus manufacturing companies, along with defense forces, firms, and groups
- Russian APT groups are running sophisticated campaigns against NATO and defense forces in the region
- These groups could also start targeting countries that are supplying lethal weapons to Ukraine
- On the day the war started, over 10,000 modems of Viasat, a satellite broadband provider, were knocked offline
- Ukrtelecom, Ukraine's biggest fixed-line internet provider, confirmed a week ago that it had been hit by a severe cyberattack that disrupted services, disconnected several cities, and reduced connectivity to as low as 13 percent of pre-war levels. The attack is said to have targeted home routers among other devices, which were shut down
- In the days leading up to the war, several Ukrainian agencies were attacked by Russian APT groups
- It is possible that Russia does not want more attention coming its way while it focuses on the war of attrition in Ukraine
- Russian groups have also taken note of the advisories issued by governments and are aware that the chances of attacks being detected, contained, or repelled are high
- Russia is already facing a huge spike in inbound cyberattacks and does not want more actors joining the attacks on its critical infrastructure and enterprises
- The volume of reconnaissance attacks from Russian APT groups has been growing steadily since January 2022, targeting OT- and IoT-based infrastructure projects in Western Europe and North America
- The chances of false-flag attacks on critical infrastructure by Russian hackers remain high
- Many of these hackers are using Ransomware-as-a-Service and Malware-as-a-Service in association with an APT group of a Southeast Asian country to monetize cyberattacks
- Intelligence indicates some degree of attrition among two Russian APT groups, including the Primitive Bear group that has been targeting Ukraine
- Some APT groups have been drafted to target hackers that are attacking Russia

On analyzing these facts, we can conclude that Russian hackers have not given up and are not going slow. They are sticking to their existing playbooks, which focus on specific attacks tied to a timeline rather than attacking every piece of digital infrastructure out there.

Some of the reconnaissance attacks may be upgraded to full-fledged attacks in April. Russia could also activate new botnets in its eastern region to compensate for the loss of a few botnets in March. Lastly, Russian APT groups could release some of their tools to enable other hackers to target enterprises, individuals, and governments across the globe. In summation, we are not out of the woods yet. Sectrio advises all businesses to maintain a high state of alert and be prepared to ward off cyberattacks in the next few weeks.

Interested in the 7-step approach to improving IoT security in 7 days? Talk to our IoT cybersecurity experts: Book your slot now. Download and use our compliance kits to improve your institutional security posture: Compliance Kits.

A significant spike in cyberattacks from Russia could be expected in April


The volume of DDoS attacks from compromised IoT devices rose significantly in March

Vulnerable routers (from 2 global brands) and compromised monitor screens and fleet tracking systems were used extensively by hackers as part of large botnets to share and deploy rootkits across the globe in March. This resulted in a significant spike in botnet traffic recorded by our global honeypots in March. Though the spike has subsided a bit, the rise in infections caused by this sudden surge will only become apparent in the next few weeks. This trend presents a new reason for concern among IoT cybersecurity teams.

Most of the attacks were logged at 2.5 MBPS and above, and the requests ranged from 1.5-3 million requests per second on certain target websites. Based on the traffic patterns, over 150 command and control servers located across 15 countries were identified by Sectrio’s threat research team. These servers were coordinating not just the spread of the attacks but also the propagation of a variety of rootkits and other payloads, including REvil ransomware.

The sudden botnet expansion could also be attributed to the use of older versions of certain operating systems on phones and on desktop and laptop machines. With such an expansion, hackers now have more bots at their disposal as well as a means to upgrade their botnet infrastructure by promoting more bots to command and control servers. The scope for many of these botnets to grow exponentially in the coming weeks has increased with the rising number of bots being added each week.

Traffic from these botnets was not confined to any geography, and each bot was sending traffic to multiple IP addresses across regions. Analysis of this traffic reveals a well-orchestrated strategy being deployed by hackers to target IoT projects at various levels and phases as well as to expand botnets by targeting consumer devices.
The level of stealth and obfuscation is growing as hackers devise new means to bring down multiple target entities through the same botnet. Many of the old botnets are also being resurrected for this purpose as hackers plan to increase their operations across geographies. For IoT projects, this is bad news, as the lessons from 2020 and 2021 articulated in our IoT and OT Threat Landscape reports seem to have been forgotten or ignored. While a portion of these new IoT-linked botnets may be connected to projects that are in the PoC phase, a larger volume of the traffic seems to be emerging from established projects, as per the traffic patterns analyzed by Sectrio’s threat research team. This is a worrying development, as it indicates the possibility of existing IoT devices being compromised, or of new and untested devices being added to existing projects without adequate security testing.

How will this impact IoT security?

Coming in the wake of the crisis in Ukraine and a period of excess activity within institutional and government-run SOCs, there is a possibility that many such attacks will turn into targeted attacks on specific projects and infrastructure (which could be the ultimate objective for these hackers). The reactivation of Sandworm hackers and the appearance of new and more stealthy rootkits in the wild are two separate trends that will converge over the next few weeks as these botnets expand their range and targets. Overall, this underscores the need to enhance IoT security and invest in the right set of cyber threat intelligence feeds. With vulnerability management, patching, and device testing receiving little or no attention, the time is ripe to diversify IoT cybersecurity measures to cover more ground and deepen the digital moat surrounding your infrastructure.
While systems based on older OS hosts can be upgraded to minimize the number of botnets, what is also needed is action from IoT project operators, who need to do some serious rethinking of their cybersecurity priorities. With the average ransom demand jumping by leaps and bounds each year, hackers are raking in profits and expanding their operations and targets.

How can you improve IoT security?

- Always go by the ‘security-by-design’ principle. Remember, the earlier you think of IoT security, the better your chances of deterring hackers and bad actors.
- Approval of IoT projects should also have a security component. That means that unless every stakeholder, including IoT cybersecurity analysts, is convinced by the security measures, the project simply does not get off the design board.
- Cyber discipline and hygiene should be treated as aspects that are beyond compromise and placed above deadlines as a project imperative.
- Go for IoT threat intelligence feeds.
- Know exactly what is happening in your network at all times, and do periodic security audits and checks.
- From a security perspective, there should not be any difference between a PoC project and a fully operational one. This step alone could improve IoT security by a big margin.



Cyberattacks on critical infrastructure could trigger a wider conflict

With the ongoing crisis in Eastern Europe, many questions have been raised about countries using cyberattacks to neutralize opponents or severely reduce the effectiveness of their supply chains. So far we have seen APT groups infiltrate nuclear plants, financial institutions, power transmission infrastructure, smart cities, and data centers. With each attack, hackers are drawing ever closer to targeting complex critical infrastructure facilities such as the command and control mechanisms of military hardware related to warhead delivery, ballistic missile defense, space-based communication, disaster management, ship-to-shore communications, and other parts of an integrated command and control infrastructure for offensive and defensive military operations. Such cyberattacks could turn into a potential final frontier for sophisticated threat actors, and they represent the ultimate stage in the evolution of their malware and breach tactics.

Diversification of supply chains presents many opportunities and a risk

With global supply chains running through multiple countries and vendor groups, the standardization of cybersecurity requirements is still a mirage. It is little wonder that hackers have in the past launched extensive reconnaissance missions against companies involved in manufacturing complex military and civilian hardware and systems. They want to infiltrate the supply chains early to get embedded in core and peripheral systems at the firmware level, so that the chances of detection are minimized during integration and the malware can travel to the target infrastructure or command and control systems with ease. Diversified supply chains often lead to better cost and production efficiencies and improved time to market. However, with the emergence of supply chain poisoning risks, defense and critical infrastructure vendors are looking at revisiting their supply chain relationships from a cybersecurity perspective.
Poisoned industrial control systems could, for instance, induce flaws in products that cause a safety hazard or cause the product to malfunction when needed. When you are talking about the hardware associated with inertial guidance for a missile system, the costs could be enormous. Latent malware could provide hackers with a bargaining chip, or the same malware could be triggered at will by the developer or hackers to cause a geopolitical incident in a tense environment. When embedded in a power plant or a water treatment facility, such malware could hypothetically alter key functions to cause kinetic damage.

Target: Industrial Control Systems within critical infrastructure

It is often assumed that ICS systems will be air-gapped and therefore do not need dedicated security measures or extensive implementation oversight. Thus, when implementation errors occur, or when the air gaps are bridged and the OT protocols move away from a serial existence, they become vulnerable to direct attacks. Sometimes, because of the need to deploy large-scale systems in a hurry, systems with known ICS protocol vulnerabilities are adopted without a second thought. Over a period of time, such vulnerabilities are forgotten until they are used by hackers to launch complex attacks. In addition to ICS-specific protocols, legacy networking equipment such as switches and routers, and HMI units, also require protection. Random placement of firewalls or the use of VPNs induces lag and is not preferred. Intrusion detection and threat mitigation systems that can prevent the exploitation and weaponization of vulnerabilities (which can render multiple parts of the ICS architecture vulnerable to a complex attack) can be preferred over traditional systems.
In terms of an attack on ICS devices that operate at the lower levels of the Purdue model, hackers can use means such as reverse engineering, modification of control logic, exfiltration of data through commandeered side channels, and bypassing of authentication mechanisms, among others, to carry out an attack. While this requires extraordinary levels of diligence and patience, some hackers do invest both to exploit vulnerabilities and take over such systems.

Injecting new control logic into a PLC can degrade the integrity and availability of the system. The attacker can also remove all traces that point to an infection. In another form of attack, an actor could install malicious control logic that causes an engineering application to crash if it attempts to retrieve control logic from the PLC.

Target: IoT

With the increasing adoption of IoT-based monitoring in critical infrastructure facilities, multiple entry points for malware emerge. These include devices, gateways, networks, platforms, and even cloud ingress points. Newer IoT devices that have not been tested across a range of scenarios have been deployed across critical infrastructure. These include security cameras, movement monitoring systems, weather monitoring systems, vehicle tracking systems, and many more. IoT devices with significant compute power could be commandeered to serve as conduits for transferring malware into core systems. Devices with malware-injected firmware could deliver multi-loader malware into networks, opening the door for the assembly and distribution of multiple malware in small digital packets. Industrial IoT (IIoT) systems, including automated assembly control and health and safety systems, could likewise be taken over by actors to carry out various malicious tasks.
The potential impact of cyberattacks on critical infrastructure

- Utility agencies could be taken down, leading to loss of power, safe drinking water, and sanitation facilities in cities
- Bad actors could trigger a larger conflict by creating false attribution
- Loss of confidential data
- Loss of significant capital investments
- Bad actors could also leave stealthy malware behind that could be triggered at will later
- Danger to ecology and the environment

How can critical infrastructure be protected?

- CI operators should join hands to share information on best practices and to collaborate on cyber defense
- Attempts should be made to standardize security across supply chains by aligning these standards with frameworks such as Zero Trust and IEC 62443
- Focus on getting the right threat intelligence to detect stealthy attacks
- Table-top exercises should be conducted periodically to test response measures
- A clear structure and workflow should be published around roles and responsibilities and reporting requirements
- Track advisories from CERT teams and other sources of credible threat information
- Maintain visibility into networks at



What could be next for the Escobar malware?

The dangerous Escobar malware’s key capabilities are being modified dynamically. It was originally an old banking trojan called Aberebot that has now been modified into the deadly Escobar malware, which has been reported from over 119 countries so far. Its most deadly feature is its ability to strike at the heart of user authentication by diverting multi-factor authentication codes and stealing login credentials and personal data.

The new variant has been peddled under the guise of an anti-virus application (it even has the same icon). However, unlike the original anti-virus app, the fake version is not available on the Play Store. It has to be downloaded from third-party sites, to which unsuspecting users are lured by hackers. Once installed, the Escobar malware asks for as many as 26 permissions and captures your personal information through fake login screens, and by capturing and rerouting two-factor authentication tokens or one-time passwords from banks or the Google Authenticator 2FA app. It does not stop there. It can also take pictures, copy and transmit your media files, install and uninstall apps, monitor your online activity, track phone calls and messages, copy contact information, modify app information, steal keys, and even copy chat information. Since it masquerades as a genuine anti-virus application, users may be tricked into ignoring red flags or any signs of infection that they come across.

Escobar represents a new breed of malware that strikes at the means by which multi-factor authentication is enabled. While the mode of deploying it is quite simple, what it does post-installation is not. The malware takes over the victim’s phone completely, and if the victim is using the same phone for official work as well, the chance of an enterprise-level breach also arises.
Why should we worry about this new variant of Aberebot (Escobar)?

- Two-factor authentication is being touted as a strong measure to keep users safe from breaches and cyberattacks, but with the emergence of such malware, even this frontier could be breached.
- Sectrio’s researchers have identified at least one variant which is now masquerading as a popular gaming app. This means that the hackers are already working on making more fake apps to trick users.
- The activity footprint of this malware is significant, yet on popular versions of Android phones it does not create a lag or delay of any kind that might alert users to a suspicious app running in the background. Escobar sequences its activities to avoid becoming a bandwidth- and memory-guzzling application.
- The malware is based on multi-level deception. Level 1 is that of an anti-virus application, level 2 involves routing victims to fake sites, level 3 involves preventing screen lock and other mechanisms, and level 4 involves exfiltration of data to enable hackers to target non-banking sites connected with the victim.
- Sectrio’s researchers have come across sites that are offering this malware for rent for anywhere between USD 500 (low grade with simple functions) and USD 4500 (all functions and a guarantee on performance) per month.
- Escobar could potentially be used to target enterprises and government agencies from here on. Considering the breadth of its functions, it could potentially turn into a tool for corporate espionage, blackmail, or even theft and sale of financial data.

The only way to stay safe from this malware is by downloading apps only from the Google Play Store.
