Tuesday, January 23, 2024

🤫 Ransomware's secret weapon

Axios Codebook
By Sam Sabin · Jan 23, 2024

Happy Tuesday! Welcome back to Codebook.

  • ☕️ Sorry if you're still recovering from Friday's news dump, but grab some coffee — we've got more to go through.
  • 📬 Have thoughts, feedback or scoops to share? codebook@axios.com.

🚨 Situational awareness: The U.S. Securities and Exchange Commission said yesterday afternoon that a recent hack of its account on X, formerly known as Twitter, was the result of a SIM swap attack.

Today's newsletter is 1,537 words, a 6-minute read.

 
 
1 big thing: How the cops are boxing in ransomware hackers
Illustration of binary code under a box trap

Illustration: Sarah Grillo/Axios

 

The end of ransomware gangs' reliance on critical security flaws could be near, according to a new report shared exclusively with Axios.

Why it matters: Ransomware hackers have had to turn to so-called zero-day vulnerabilities to help launch their attacks, in part because of the success of law enforcement in the last year.

Driving the news: Symantec, the threat intelligence team at semiconductor manufacturer Broadcom, released a report today detailing how ransomware gangs became reliant on zero-day flaws after law enforcement botnet takedowns.

  • But the report also says this vulnerability-heavy attack cycle could peter out in 2024 as hackers rebuild their own tools.

What they're saying: "As time goes on in 2024, more and more organizations [will] have patched their Citrix environment, their Exchange environments and whatever else is being used right now," Vikram Thakur, technical director at Symantec, told Axios.

  • "Barring the disclosure of yet another vulnerability in one of these major publicly available services, we'll see the needle slide back into the reliance of ransomware on botnets."

The big picture: Ransomware gangs have historically relied on a network of malware-infected computers, known as a botnet, to carry out attacks.

  • International law enforcement has taken note, launching several operations in the last year to make some of the most prolific botnets unusable.

The intrigue: Hackers are adaptable and usually have a backup plan.

  • Last year, hackers relied heavily on the darknet market, which only nation-state hackers typically bothered with.
  • It's the engine behind widespread exploitation of critical flaws in tools like Citrix, MOVEit and Ivanti.
  • "The motivation for them to go and find more vulnerabilities in public-facing infrastructure used by organizations is huge, it's massive," Thakur said. "Successful ransomware attacks will lead to more zero-days being disclosed in software like Ivanti or Citrix or Microsoft Exchange."

Between the lines: If a computer is infected with malware as part of a botnet, it's likely that an organization's virus-scanning tools will detect that malicious code within 24 hours and remove it, Thakur said.

  • But zero-days get their name because of their stealth. Usually, by the time a company notices these bugs, a hacker is already in or affected customers have zero days to patch before being vulnerable to a cyberattack.

Yes, but: Hunting and exploiting software vulnerabilities is a lot more work than relying on an already established set of malware-infected computers, Thakur said.

  • Ransomware gangs can be opportunistic and turn to tactics that require the smallest amount of work to get the biggest impact, he added.
  • "They already have a foot through the door in an org; all they need to do is pick it up from that standpoint," Thakur said about botnets.

Be smart: Broadcom recommends that organizations start aligning their defenses against hacking groups' tools, tactics and procedures rather than the specific ransomware strain they're using.

  • To do this, IT teams can audit each of the administrative tools their network administrators, and the rest of their employees, are running to make sure they're still needed and secured properly, Thakur said.

The bottom line: Ransomware has become endemic for companies.

  • "The hackers will adapt to the tools that are available in your network," Thakur said. "It doesn't matter what solution you might be using in your network, they're all susceptible to ransomware attacks."
 
 
2. Cyber basics keep haunting major companies
Illustration of a robber's hand taking away a block of the Microsoft logo.

Illustration: Aïda Amer/Axios

 

A recent Russian cyberattack against Microsoft is raising serious alarm bells about the cyber hygiene at some of the country's top companies.

Driving the news: Microsoft said Friday evening that the same Russian hacking group that targeted SolarWinds in 2020 had breached its networks and gained access to several executives' email inboxes.

  • The hackers had gone undetected on the company's networks since November, and they used a simple technique called password spraying to access an internal testing environment.
  • From there, the hacking group, which Microsoft calls Midnight Blizzard, was able to access and exfiltrate emails from senior leaders and members of the cybersecurity and legal teams.

Why it matters: Based on Microsoft's initial statement, the hackers used a fairly basic technique to break into one of the most valuable companies in the world.

Between the lines: The latest Microsoft hack is likely the result of poor password and software production management, Drew Rose, co-founder and chief security officer at Living Security, told Axios.

  • "In this case, as in many others, it was poor password management," Rose said. "When you have these types of development and staging environments — the nonproduction, legacy-type systems — there's usually some sort of known, shared password."
  • These passwords are rarely updated, in Rose's experience, and when they are, the new one is a variant of the original that's easy to guess.
  • "Everyone has this operating assumption that these systems are completely segregated, but not everybody is following those kinds of rules of segregation" between testing environments and live sites, Rose said.

The big picture: Microsoft is one of a handful of companies that have become go-to targets for hackers because of its prized client list and prominence in the tech sector.

Yes, but: This is Microsoft's second major breach in less than a year — and the other breach in July is still the subject of a major federal investigation.

  • "We use, around the world, Microsoft's operating systems and applications, and if they're not open and transparent, we have a serious conversation that needs to be had," Michael Sentonas, president at CrowdStrike, told Axios.

What we're watching: Microsoft will likely share more details in the coming weeks about how many email accounts hackers accessed and whether the Russian group broke into other parts of the company's networks.

 
 
3. ICYMI: Feds investigate possible agency hacks
Illustration of a US flag, but the stars are replaced with binary numbers.

Illustration: Maura Losch/Axios

 

The Cybersecurity and Infrastructure Security Agency confirmed Friday that it's investigating potential hacks of some government agencies through recently discovered, high-severity flaws in some Ivanti products.

Why it matters: Nation-state hackers, including a group tied to the Chinese government, are believed to be targeting the flaws discovered this month in some of Ivanti's popular remote access tools.

  • Ivanti has yet to release a fix for the flaws, but it has released guidance that can keep hackers from exploiting them.

Driving the news: CISA issued an emergency directive Friday calling on all civilian agencies to mitigate the flaws in Ivanti's Connect Secure VPN devices (formerly known as Pulse Secure) and its Policy Secure tools by end-of-day yesterday.

  • After running any mitigation guidance, agencies using Ivanti's products are also required to run their tools through Ivanti's external integrity checker tool to ensure hackers aren't still lingering in their networks.
  • Eric Goldstein, executive assistant director for cybersecurity at CISA, told reporters that the federal government is investigating "some initial targeting of federal agencies as part of the broader opportunistic campaign."
  • He added that it's too soon to say if any agency was successfully compromised.

Catch up quick: Ivanti confirmed this month that hackers are actively exploiting critical vulnerabilities in two of its products — confirming earlier reports from third-party security researchers.

  • If they successfully exploit these flaws, hackers could bypass user authentication protocols and remotely navigate around a victim's network — allowing them to steal configuration data, login credentials and more.
  • Ivanti has more than 40,000 total customers, and hackers are believed to have been targeting these flaws for at least a month before Ivanti discovered them.

Details: Roughly 15 government agencies were using affected Ivanti products, Goldstein told reporters Friday, but each of those offices has already applied Ivanti's mitigation guidance.

  • CISA declined to say which agencies were affected and where the potential intrusions were uncovered.
  • "At this point, we are assessing that the potential exposure on the federal civilian government is limited," Goldstein said. "We are not assessing a significant threat to the federal enterprise, but we know that that risk is not zero."


👀 Have details on which federal agencies are still using Ivanti VPNs? I'm all ears.


 
 
4. Catch up quick

@ D.C.

🚔 Someone swatted CISA Director Jen Easterly's home late last month, the agency confirmed. (The Record)

☎️ The New Hampshire attorney general's office is investigating a robocall that's impersonating President Joe Biden using an AI-generated voice. (Axios)

💰 The Australian government used its cyber sanction laws for the first time on a Russian hacker for his role in the Medibank breach of 2022. (ABC News Australia)

@ Industry

📉 Venture funding flowing to cybersecurity startups dipped to its lowest levels since 2018, totaling $8.2 billion across 692 deals last year. (Crunchbase News)

💰 Palantir Technologies' revenue from U.S. government contracts has shrunk in recent quarters as agencies, including the Pentagon, are looking at less-expensive competitors. (Wall Street Journal)

@ Hackers and hacks

🏡 Mortgage lender LoanDepot says ransomware hackers stole personal data belonging to approximately 16.6 million people. (BleepingComputer)

🏦 Hackers launched a series of distributed denial-of-service attacks against Monobank, Ukraine's largest mobile-only bank, over the weekend. (Kyiv Independent)

✈️ AerCap, the world's largest aircraft leasing company, said in a filing yesterday that it's responding to a ransomware attack that hit its networks last week. (Reuters)

 
 
5. 1 fun thing
Photos of a vinyl record player and an orange cat

Photos: Sam Sabin/Axios

 

I've been having fun learning about and playing around with the vinyl record player that I got for Christmas.

  • The downside: My cat Barry is starting to have fun with it, too....

 

☀️ See y'all Friday!

Thanks to Scott Rosenberg and Megan Morrone for editing and Khalid Adad for copy editing this newsletter.
