This Week in Cyber 26th April 2024

Analyst Insight

This week, the troubling trend of ransomware has shown no signs of stopping, persisting in its exponential growth despite determined efforts by cyber security professionals and legislators alike. What's particularly concerning is the tactic of doubling down on attacks, effectively re-victimising already targeted organisations. With reported crypto-payments to the FBI surpassing $1 billion, ransomware operations continue to flourish unabated. Meanwhile, both the UK and EU have expressed apprehension regarding the use of end-to-end encryption (E2EE) by private firms, raising significant questions about privacy and security in the digital realm. Additionally, ToddyCat has been particularly prominent this week, demonstrating their capability for large-scale data theft from a diverse array of public and private entities.

MITRE Corporation Targeted in Cyber Attack Exploiting Ivanti Flaws

The MITRE Corporation recently disclosed that it was the victim of a sophisticated cyber attack by a nation-state actor, leveraging two zero-day vulnerabilities in Ivanti Connect Secure appliances, beginning in January 2024. The intrusion compromised MITRE's Networked Experimentation, Research, and Virtualisation Environment (NERVE), an unclassified research and prototyping network.

Exploiting CVE-2023-46805 and CVE-2024-21887, threat actors bypassed authentication and executed arbitrary commands, subsequently breaching MITRE's VMware infrastructure to deploy backdoors and web shells for persistence and credential harvesting. Although MITRE contained the incident and conducted forensic analysis, the initial exploitation was attributed to a nation-state actor. MITRE's disclosure underscores the imperative for all organisations, irrespective of cyber security measures, to remain vigilant against sophisticated cyber threats.

ToddyCat: Industrial scale Data-Theft

ToddyCat, a rising hacker group, is causing alarm in the cyber security world with their large-scale data theft from governmental and private organisations. They use a variety of sophisticated tools for data harvesting and maintaining access to compromised systems. Their toolkit includes Samurai, a passive backdoor for remote access, and data exfiltration tools like LoFiSe and Pcexter. They also use a suite of tunnelling and data gathering software, such as OpenSSH, SoftEther VPN, Ngrok, Krong, FRP client, Cuthead, WAExp, and TomBerBil.

These tools allow ToddyCat to maintain multiple connections from infected endpoints, ensuring persistent access even if a tunnel is discovered and closed. To guard against such threats, it’s advised to block resources and IP addresses of traffic tunnelling services and avoid storing passwords in browsers.

National Crime Agency and European Police Chiefs raise concerns over E2EE

The UK’s National Crime Agency Director General, Graeme Biggar, along with other European Police Chiefs, has raised concerns about the broad implementation of end-to-end encryption (E2EE) by technology companies. They believe that this could potentially hinder the investigation of serious crimes within the UK and across Europe.

The chiefs have called for a balanced approach where tech companies ensure their systems are safe by design, effectively balancing user privacy with public safety. This call to action underscores the UK’s commitment to public safety while navigating the complexities of digital privacy.

Ransomware Double-Dip: Re-Victimisation in Cyber Extortion

In the ever-evolving landscape of cyber threats, a new trend has emerged that is causing concern among security experts - the phenomenon of re-victimisation in ransomware attacks. This trend was observed in a dataset of over 11,000 victim organisations that have experienced a Cyber Extortion/Ransomware attack. The re-occurrence of victims raises questions about whether this is a second attack, an affiliate crossover (an affiliate moving to another Cyber Extortion operation with the same victim), or stolen data being misused. Regardless of the cause, the implications for the victims are severe.

The Cyber Extortion (Cy-X) or Ransomware threat has seen a significant increase of 46% between 2022 and 2023. The actual increase is even higher, with just under a 51% increase. This surge in attacks underscores the dynamic nature of the threat landscape and the continuous evolution of the ecosystem. While it’s difficult to predict whether this level of increase will be maintained, the current data suggests that the Cy-X victim count levels will remain steady.

Ransomware Task Force Report: Urgent Action Needed as Ransom Payments Surpass $1 Billion

The Ransomware Task Force (RTF) released a report titled "Doubling Down" in April 2024, highlighting the alarming rise of ransomware attacks. Despite collaborative efforts from various sectors, ransomware continues to pose a significant threat. The Institute for Security and Technology (IST), the think tank behind RTF, calls for intensified efforts, particularly legislative action from the US government.

The report also reveals alarming statistics, including a 37% increase in ransomware attacks on critical infrastructure reported to the FBI from 2022 to 2023, costing victims over $1 billion in crypto payments. Key areas needing action include harmonising incident reporting mechanisms, expanding international collaboration, and increasing deterrence efforts. The RTF emphasises the importance of disrupting ransomware profits and fostering partnerships with law enforcement and government cyber agencies. Overall, the report underscores the urgent need for intensified efforts from all stakeholders to combat ransomware, emphasising transparency and the severity of the issue due to its national security implications and economic losses.