    Date: 6/7/2022

    Conti Ransomware Gang Rebranding in the Midst of Attacks on Costa Rica

    Overview

    A particularly well-branded, brazen and prolific ransomware group, the Russia-based “Conti” gang attacked several Costa Rican government institutions in early May 2022. On May 31, 2022, the Costa Rican Social Security agency was attacked by the “Hive” ransomware group, an attack that crippled the country’s healthcare system last week. Ransomware researchers suspect collaboration between the Hive and Conti groups, and further suggest that this collaboration is part of a rebranding effort by Conti to evade law enforcement, a bounty offered by the US government, and other such actions.

    Potential Impact

    As governments and international law enforcement pursue criminal gangs, rebranding efforts will likely become more common. This makes it harder to associate tools, techniques, and procedures with particular threat actor groups, which adds to the complexity of defending corporate networks. Furthermore, this news story emphasizes that ransomware continues to be a massive global problem.

    Recommended Actions

    Implement an effective vulnerability management program: regular assessment and remediation of vulnerabilities is a key foundation of any information security program.

    Acquire an incident response retainer with a reputable cybersecurity company and contact them early in the incident response process.


      Advanced Phishing Combines Reverse Tunnels and URL Shortening

      Overview

      Traditional phishing links lead to domains registered with hosting providers. This poses a challenge to threat actors because hosting providers normally respond to complaints and actively take down phishing sites. To get around this, some threat actors are now combining reverse tunnel services with URL shorteners to bypass detection and response capabilities.

      Reverse tunnels allow threat actors to host phishing pages on their own local computers and route incoming connections through an external tunnel service. URL shortening services additionally allow rapid generation of new links, which obscures the activity and bypasses detection; some phishing links are being refreshed in less than 24 hours. CloudSEK, a digital risk protection company, has identified the most widely abused reverse tunnel services as Ngrok, LocalhostRun, and Cloudflare’s Argo, and the primary URL shortening services as Bit.ly, is.gd, and cut.ly.

      (image source: CloudSEK)
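      The pattern described above (a shortened link that resolves to a phishing page served through a reverse tunnel) is something a defender can look for in web proxy logs. The following is an added example and is not code from the briefing or from CloudSEK. The service names come from the briefing; the hostname suffixes mapped to each service, the log format, and the sample log lines are this example's own assumptions and constructed data, so adjust the tables to the tunnel and shortener domains you actually observe.

```python
import re
from urllib.parse import urlsplit

# Assumed hostname suffixes for the services named in the briefing.
# These suffixes are assumptions of this example, not taken from the page.
TUNNEL_DOMAINS = {
    "ngrok.io": "Ngrok",
    "ngrok.app": "Ngrok",
    "localhost.run": "LocalhostRun",
    "lhr.life": "LocalhostRun",
    "trycloudflare.com": "Cloudflare Argo",
}
SHORTENER_DOMAINS = {
    "bit.ly": "Bit.ly",
    "is.gd": "is.gd",
    "cut.ly": "cut.ly",
    "cutt.ly": "cut.ly",  # assumed alternate spelling of the same service
}

# Constructed proxy log lines: "<timestamp> <client_ip> <url>".
SAMPLE_LOG = """\
2022-06-06T09:12:01Z 10.0.0.12 https://bit.ly/3abcXYZ
2022-06-06T09:12:02Z 10.0.0.12 https://a1b2c3d4.ngrok.io/login
2022-06-06T09:15:44Z 10.0.0.31 https://www.example.com/index.html
2022-06-06T09:16:10Z 10.0.0.31 https://secure-bank.trycloudflare.com/verify
2022-06-06T09:20:00Z 10.0.0.55 https://is.gd/Ab12Cd
2022-06-06T09:20:01Z 10.0.0.55 https://notngrok.io/page
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<url>\S+)$")


def match_suffix(host, table):
    """Return the service name if host equals, or is a subdomain of, a listed domain.

    The "." + domain check prevents lookalikes such as notngrok.io from matching.
    """
    host = host.lower().rstrip(".")
    for domain, name in table.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def classify_url(url):
    """Return ('tunnel', service), ('shortener', service) or None for a URL."""
    host = urlsplit(url).hostname or ""
    svc = match_suffix(host, TUNNEL_DOMAINS)
    if svc:
        return ("tunnel", svc)
    svc = match_suffix(host, SHORTENER_DOMAINS)
    if svc:
        return ("shortener", svc)
    return None


def scan_log(text):
    """Return one finding per log line whose URL points at a watched service."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        hit = classify_url(m["url"])
        if hit:
            findings.append({"ts": m["ts"], "client": m["client"],
                             "url": m["url"], "kind": hit[0], "service": hit[1]})
    return findings


def shortener_to_tunnel_chains(findings):
    """Flag clients that visit a shortener and then a tunnel host.

    A lone shortener or tunnel hit is noisy; the shortener-then-tunnel sequence
    from one client is the higher-confidence signal for the technique above.
    """
    by_client = {}
    for f in sorted(findings, key=lambda f: f["ts"]):  # ISO timestamps sort lexically
        by_client.setdefault(f["client"], []).append(f)
    chains = []
    for client, events in by_client.items():
        pending = None
        for ev in events:
            if ev["kind"] == "shortener":
                pending = ev
            elif ev["kind"] == "tunnel" and pending is not None:
                chains.append((client, pending["url"], ev["url"]))
                pending = None
    return chains


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["client"]} {h["kind"]:9} {h["service"]:15} {h["url"]}')
    for client, short_url, tunnel_url in shortener_to_tunnel_chains(hits):
        print(f"CHAIN {client}: {short_url} -> {tunnel_url}")
```

      Single hits on a shortener or a tunnel domain are worth a low-severity alert at most, since both kinds of service have legitimate uses; the shortener-then-tunnel sequence from the same client is the part worth escalating and pairing with a look at what the user submitted.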

      Potential Impact

      Because these malicious sites are hosted directly on threat actor-owned computers, submitted victim data lands on the attacker’s machine immediately and no longer needs to be exfiltrated from a hosted domain. Most of these sites impersonate banking organizations and attempt to steal credentials, PAN card numbers, unique identification numbers, and mobile phone numbers. This information can then be sold on the dark web for other threat actors to initiate further attacks.

      Recommended Actions

      Conduct Regular Social Engineering Testing
      When it comes to security, employees are not unlike servers: they require constant ‘patching’ (security awareness training) and ‘updates’ (security reminders) in conjunction with regular testing in order to reduce vulnerabilities and susceptibility to exploitation. Therefore, all personnel should continue to undergo regular awareness training and testing. Seek to pair testing services chronologically with training services in order to have the greatest effect on increasing awareness and reducing susceptibility to social engineering attacks.

      Conduct Security Awareness Training
      Without proper cybersecurity awareness training, you can’t trust that employees are up to date on the latest cyber risks and how to stay protected. Awareness is as much about psychology as security. It is important to provide a complete suite of education, training, testing and measurement services, all designed to change behaviors and reduce risk.

      Sources
      https://www.bleepingcomputer.com/news/security/evasive-phishing-mixes-reverse-tunnels-and-url-shortening-services/?&web_view=true

      GitLab Releases Patch for Account Takeover Vulnerability

      Overview

      On June 1, 2022, GitLab disclosed an account takeover vulnerability, tracked as CVE-2022-1680, affecting GitLab Enterprise Edition (EE) versions 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, and all versions starting from 15.0 before 15.0.1. The vulnerability was discovered by the internal GitLab team and no exploitation has been observed.

      Potential Impact

      Any owner of a Premium group can invite users through their username and email and then change those users’ email addresses via SCIM to take over the accounts. This can occur when group SAML SSO is configured and multifactor authentication is not in use.

      Recommended Actions

      Short Term:
      GitLab has fixed CVE-2022-1680 in the latest versions (14.9.5, 14.10.4, and 15.0.1), and all installations running an affected version should be updated as soon as possible.
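      The affected ranges above translate directly into a version check that an administrator can run against the version string their instance reports. This is an added example and not GitLab's own code; the ranges are the ones stated in the overview, the version parsing assumes GitLab's usual "major.minor.patch" numbering with an optional suffix such as "-ee", and the JSON payload shape is an assumption modelled on what the GitLab instance version endpoint returns.

```python
import re

# Affected ranges from the advisory summary: (lower bound inclusive, fixed release exclusive).
# A version is affected when lower <= version < fixed.
AFFECTED_RANGES = [
    ((11, 10, 0), (14, 9, 5)),
    ((14, 10, 0), (14, 10, 4)),
    ((15, 0, 0), (15, 0, 1)),
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn strings like '14.9.4-ee', '15.0' or '14.10.3' into a (major, minor, patch) tuple.

    A missing patch component is treated as 0, so '15.0' compares as 15.0.0.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected_by_cve_2022_1680(version_text):
    """True if the given version falls inside any affected range."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def minimum_fixed_version(version_text):
    """Return the fixed release an affected version should move to, or None if not affected."""
    v = parse_version(version_text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def assess_instance(payload):
    """Assess a decoded JSON payload of the form {"version": "..."} (assumed shape).

    Returns a small report dict; the "mitigations" hint reflects the conditions
    the advisory summary names (group SAML SSO configured, MFA not in use).
    """
    version = payload["version"]
    affected = is_affected_by_cve_2022_1680(version)
    return {
        "version": version,
        "affected": affected,
        "upgrade_to": minimum_fixed_version(version),
        "mitigations": (
            ["upgrade", "enforce MFA for group members", "review SCIM-sourced email changes"]
            if affected else []
        ),
    }


if __name__ == "__main__":
    # Constructed sample payload, not a real instance response.
    sample = {"version": "14.10.2-ee"}
    print(assess_instance(sample))
```

      Because the briefing notes that the flaw requires group SAML SSO and the absence of multifactor authentication, the report pairs the upgrade recommendation with those two compensating checks; the upgrade is still the actual fix.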

      Long Term:
      Consider a Cloud Security Assessment
      As organizations continue to move infrastructure, services, applications and other critical data stores from on-premises networks to public or private cloud environments, there’s an immediate need for more robust security solutions. It’s crucial not to assume the transition to cloud platforms is secure by default. Organizations should also consider that not all legacy cybersecurity tools can transition seamlessly into virtualized Cloud environments. 

      Be sure to examine cloud and related elements to ensure that organizations don’t rely on default or typical security settings to protect critical data. Rely on quality assessments to help you align with best practices and strike the ideal balance between operation and security.

      Sources
      https://securityonline.info/cve-2022-1680-gitlab-account-take-over-vulnerability/
      https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/
      https://thehackernews.com/2022/06/gitlab-issues-security-patch-for.html

      Krebs: Despite New Policy, Current Laws Discourage ‘Good Samaritan’ Security Work

      Overview

      Brian Krebs recently published a review of the US Department of Justice’s recent policy revision on charging violations of the Computer Fraud and Abuse Act of 1986 (!), which stands as the primary statute used in cybercrime cases. The recent changes aim to define which violations are cybercrime, as distinct from efforts performed in “good faith” such as security research or investigation to detect and report vulnerabilities.

      Potential Impact

      It is important to note that this is just a change in interpretation and enforcement by the current DOJ, and it underlines the need for modern laws concerning cybersecurity practitioners and the industry at large to be created, changed and updated. There have been several notable cases of corporations and municipal entities regarding “friendly” cybersecurity experts as hostile and/or malicious, even when those experts had been contractually engaged to test the security posture of the organization.

      Notices or submissions of issues are ignored until they are exploited by malicious actors, at which point the organization seeks a scapegoat in the form of the researcher who tried to responsibly disclose the issue and who, likely, had no part in the later compromise, even from an informational standpoint.

      There is also some uncertainty in the new policy about provisions concerning preventing harm to third parties. Also keep in mind that a policy does nothing to protect a cybersecurity practitioner from civil suits. While the new policy is a step in the right direction, new laws must be formulated to protect and encourage well-meaning cybersecurity researchers and white hat activists, while shifting the advantage away from cybercriminals.

      Sources
      https://krebsonsecurity.com/2022/06/what-counts-as-good-faith-security-research/

      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.
