Attackers Team Up with US Government Agency
Plus more reasons to hate online ads
Hey there,
In this week’s newsletter, we’re covering:
Attackers befriending the SEC
One more reason to hate online ads
What’s a living-off-the-land (LOTL) attack?
-Jason
ALPHV/BlackCat Goes to Washington
One attack group is not above tattling…
In an apparent first, an affiliate of the ALPHV/BlackCat ransomware group filed an SEC complaint against MeridianLink, a company that builds loan software for financial institutions.
Instead of encrypting files and shutting MeridianLink down, the attacker took a different route: they stole data and threatened to release it unless paid. This is a growing trend in extortion attacks.
To increase pressure on their victim, the attacker filed an SEC complaint, accusing MeridianLink of failing to notify the SEC of a cyber security incident.
They cite a four-day rule to disclose a cyber attack…the cyber attack that the group executed…we’ll forgive the attackers for not knowing that the rule doesn’t go into effect until December 15, 2023.
From DataBreaches.net
This activity follows the SEC’s actions against SolarWinds and its CISO. If you missed the breakdown of that complaint, check out my previous newsletter here.
This is yet another example of attackers seeking unique ways to apply more pressure to their victims. We’ll need to wait and see if the tactic is effective.
I personally don’t see these aggressive tactics being effective. There’s a tipping point where the tactics get so public or so ridiculous that their victims are likely to dig in their heels. When attackers go public, much of the damage can be done instantly. Paying a ransom won’t put Pandora back in the box.
Additional Reading
DataBreaches.net Article
One More Reason Not to Click Ads!
Marketers and attackers love ads. Both use similar tactics and seek the same outcome: deliver a good hook to gain someone’s attention and drive them to a website. Where the two diverge is in the sites they direct users to.
In an attack known as malvertising, attackers lure users into clicking on their links with the promise of free software. The users are then directed to a website instructing them to download the software. Unsuspecting users download files laced with malware, often an infostealer capable of stealing passwords.
I made a YouTube short a while ago that explains this type of attack.
A recent report from eSentire shows that an affiliate of the ALPHV/BlackCat ransomware group picked this technique as an initial access method into their victims’ environments. This ultimately leads to ransomware being deployed throughout the environment.
Their initial lures are files corporate users want to download, like Slack or the Cisco AnyConnect VPN client. Of course, the payload is malicious and only benefits the attacker.
This affiliate is taking out Google ads promoting popular software, such as Advanced IP Scanner, Slack, WinSCP and Cisco AnyConnect, to lure business professionals to attacker-controlled websites.
In this case, the payload users download is the Nitrogen initial access malware. The Nitrogen malware provides the ability to download and execute additional malicious files on the system. The attacker uses that capability to run post-exploitation tools to escalate their privileges and move laterally through an environment. This sets the attacker up to deploy the ALPHV/BlackCat ransomware to the organization.
While malvertising is not a new tactic, this shows how creative attackers can be in gaining access into environments. The fact of the matter is that the barrier to entry for ransomware attacks is extremely low. Relatively unsophisticated attackers can start a lucrative career extorting companies.
The pressure on organizations to defend on multiple fronts has never been greater. This is why a defense-in-depth strategy is so important. Anticipate the fact that someone will gain access into your organization. Focus on building a resilient environment that can slow the attacker down and a tight detection and response capability that quickly alerts you of malicious activity.
Additional reading
eSentire blog post
Living off the Land (LOTL) Attacks
On Friday, I published a LinkedIn post that discussed how attackers are installing and using Remote Monitoring and Management (RMM) tools in their attacks. As a quick rehash, RMM tools are legitimate software that IT teams use to manage systems remotely. They provide full control over a system, which is why attackers love them just as much as IT teams do.
Several comments called this out as a Living-Off-The-Land (LOTL) attack.
I couldn’t disagree more. So I’m going to settle it here.
If you do a broad search for what a LOTL attack is, you’ll find general consensus that it involves using existing tools in an organization’s environment to carry out a cyber attack. Hence the term “living off the land”. You’re just using what is already available to you.
In the RMM tool scenario, the attackers install an RMM tool they brought. It is foreign to the environment. Call me a purist, but to me, that is the opposite of living off the land. You’re introducing something that hasn’t existed before into the environment.
Interestingly, some sources cite Mimikatz as a LOTL attack because it accesses Windows standard features to extract passwords. I think this is a stretch. Mimikatz is so widely used that any AV will flag it as malicious. If the intent of a LOTL attack is to stay stealthy by using what’s already on the system, this again makes no sense. Just because you build a tool that accesses legitimate Windows files/services for malicious purposes does not give you a LOTL badge.
Some sources say that if it is a fileless attack (e.g. it only lives in memory and doesn’t live on disk), it would be a LOTL attack. A common reference here is Cobalt Strike, which primarily operates in memory. Cobalt Strike is a post-exploitation framework that uses LOTL techniques like PowerShell to move around the environment.
If an attacker uses a vulnerability to get Cobalt Strike to run in memory and no files touch the disk, this enters a gray area. Technically, foreign code has been introduced, but it was never placed on disk, so the stealth level is there, at least more so than with Mimikatz. I think we’ll just say that the tie goes to the runner here.
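One way to operationalise the distinction this section draws (an existing tool used abnormally versus a binary that was brought in), as an added example that is not from the newsletter: a small Python triage over process-creation events. The event fields, the sample events and the inventory/allowlist sets are assumptions standing in for a real EDR feed and software inventory.

```python
"""Triage constructed process-creation events: used "off the land" vs. brought in.
Added example, not from the newsletter; field names, sample events and the
inventory sets are constructed stand-ins for a real EDR feed and software inventory."""
from dataclasses import dataclass

# Built-in Windows binaries routinely abused in place (abbreviated LOLBAS-style list).
LOLBAS = {"powershell.exe", "certutil.exe", "rundll32.exe", "mshta.exe", "wmic.exe"}
# Hypothetical inventory of software the organisation deployed on purpose.
SANCTIONED = {"slack.exe", "winscp.exe", "outlook.exe", "winword.exe", "explorer.exe"}
# Parents from which a scripting host should rarely, if ever, be spawned.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "mshta.exe"}
# PowerShell switches that hand it an encoded command instead of readable script.
ENCODED_SWITCHES = {"-e", "-ec", "-enc", "-encodedcommand"}

@dataclass
class Event:
    image: str    # basename of the executable that started
    parent: str   # basename of the parent process
    cmdline: str  # full command line as logged

def classify(ev: Event) -> str:
    """Return 'lotl', 'introduced' or 'benign' for one event."""
    image, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    if image in LOLBAS:
        # The binary already lives on the host: it is LOTL only when used abnormally.
        risky = parent in SUSPICIOUS_PARENTS or set(cmd.split()) & ENCODED_SWITCHES
        return "lotl" if risky or "downloadstring" in cmd else "benign"
    if image not in SANCTIONED:
        # Neither built in nor inventoried: something was brought into the environment,
        # the RMM-agent case the text argues is the opposite of living off the land.
        return "introduced"
    return "benign"

def triage(events):
    """Group non-benign events by class so each can get its own response path."""
    out = {"lotl": [], "introduced": []}
    for ev in events:
        label = classify(ev)
        if label != "benign":
            out[label].append(ev)
    return out

def sample_events():
    """Constructed events; 'examplermm-agent.exe' is a placeholder, not a real product."""
    return [
        Event("powershell.exe", "explorer.exe", "powershell.exe -NoProfile Get-Process"),
        Event("powershell.exe", "winword.exe", "powershell.exe -enc QUJDRA=="),  # 'ABCD'
        Event("examplermm-agent.exe", "msiexec.exe", "examplermm-agent.exe /silent"),
        Event("slack.exe", "explorer.exe", "slack.exe"),
    ]
```

The "introduced" bucket is the one an inventory-based control (application allowlisting, software inventory diffs) catches, while the "lotl" bucket needs behavioural context such as parent process and command line, which is why the two deserve separate detection paths.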
The moral of the story is that we nerds always get hung up on little nuances like this, and it really doesn’t matter all that much. Many things in security end in a gray area because there are so many variables. The most common phrase in security is “it depends.”
Arguments like this don’t drastically change anything in your approach to defending your network, but they do make for a fun nerd dinner party debate.
Additional reading
CrowdStrike LOTL blog post
LOLBAS Listing of Windows LOTL Tools
Until next week…
Send me feedback, questions, or topics for future newsletters! Just reply to this email directly.