Ransomware negotiations are usually shrouded in secrecy, but some security experts think that we should make them public and analyze them to glean insights. So that's exactly what we did.
But despite their increasing complexity, a great many initial intrusions that lead to data theft could be nipped in the bud if more organizations started looking for the telltale signs of newly-arrived cybercriminals behaving like network tourists, Cisco says.
“One of the most important things to talk about here is that in each of the cases we’ve seen, the threat actors are taking the type of ‘first steps’ that someone who wants to understand (and control) your environment would take,” Cisco’s Hazel Burton wrote. “Examples we have observed include threat actors performing a ‘show config,’ ‘show interface,’ ‘show route,’ ‘show arp table’ and a ‘show CDP neighbor.’ All these actions give the attackers a picture of a router’s perspective of the network, and an understanding of what foothold they have.”
When those stolen resources first get used by would-be data thieves, almost invariably the attackers will run a series of basic commands asking the local system to confirm exactly who and where they are on the victim’s network.
This fundamental reality about modern cyberattacks — that cybercriminals almost always orient themselves by “looking up” who and where they are upon entering a foreign network for the first time — forms the business model of an innovative security company called Thinkst, which gives away easy-to-use tripwires or “canaries” that can fire off an alert whenever all sorts of suspicious activity is witnessed.
“Many people have pointed out that there are a handful of commands that are overwhelmingly run by attackers on compromised hosts (and seldom ever by regular users/usage),” the Thinkst website explains. “Reliably alerting when a user on your code-sign server runs whoami.exe can mean the difference between catching a compromise in week-1 (before the attackers dig in) and learning about the attack on CNN.”
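The Cisco and Thinkst observations above reduce to a tripwire rule: a discovery command on a host where nobody should be orienting themselves, or a burst of them from one session, is worth an alert on its own. As an added example (not code from the article, Cisco or Thinkst), the Python below runs that rule over constructed process-creation records shaped like Sysmon Event ID 1 / Security 4688 fields; the host names, user names, the "high-value host" set and the discovery-binary list are assumptions to be tuned per environment.

```python
"""Tripwire-style detection of attacker orientation ("who/where am I") commands.

Added example, not from the original article or from Thinkst/Cisco. The records
below are constructed and mimic the fields a SIEM export of Sysmon Event ID 1 or
Security Event 4688 would carry: timestamp, host, user, image path, command line.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery binaries that regular users seldom run by hand (assumed starting list).
RECON_IMAGES = {
    "whoami.exe", "ipconfig.exe", "systeminfo.exe", "arp.exe",
    "route.exe", "nltest.exe", "quser.exe", "tasklist.exe",
}
# net.exe only counts when used for enumeration, not for e.g. "net use" drive mapping.
NET_RECON_ARGS = ("user", "group", "localgroup", "view")

# Hosts where a single discovery command is already an incident
# (the "code-sign server" case from the Thinkst quote). Names are constructed.
HIGH_VALUE_HOSTS = {"codesign01", "dc01"}

BURST_THRESHOLD = 3                  # distinct discovery commands ...
BURST_WINDOW = timedelta(minutes=5)  # ... within this window, per (host, user)


def is_recon(image: str, cmdline: str) -> bool:
    """Return True when a process-creation record looks like orientation/discovery."""
    name = image.rsplit("\\", 1)[-1].lower()
    if name in RECON_IMAGES:
        return True
    if name in ("net.exe", "net1.exe"):
        args = cmdline.lower().split()
        return len(args) > 1 and args[1] in NET_RECON_ARGS
    return False


def detect(records):
    """Return alert strings: immediate on high-value hosts, burst-based elsewhere."""
    alerts = []
    seen = defaultdict(list)   # (host, user) -> [(timestamp, binary name)]
    fired = set()              # one burst alert per (host, user)
    for r in sorted(records, key=lambda r: r["ts"]):
        if not is_recon(r["image"], r["cmdline"]):
            continue
        ts = datetime.fromisoformat(r["ts"])
        host, user = r["host"].lower(), r["user"].lower()
        name = r["image"].rsplit("\\", 1)[-1].lower()
        if host in HIGH_VALUE_HOSTS:
            alerts.append(f"HIGH: {name} run by {r['user']} on {r['host']} ({r['cmdline']})")
            continue
        hist = seen[(host, user)]
        hist.append((ts, name))
        recent = sorted({n for t, n in hist if ts - t <= BURST_WINDOW})
        if len(recent) >= BURST_THRESHOLD and (host, user) not in fired:
            fired.add((host, user))
            alerts.append(f"BURST: {len(recent)} discovery commands by {r['user']} "
                          f"on {r['host']} within {BURST_WINDOW}: {recent}")
    return alerts


S32 = "C:\\Windows\\System32\\"
# Constructed sample: two benign users, one session that orients itself, one
# lone whoami on a code-signing host, and one slow pair outside the window.
SAMPLE_RECORDS = [
    {"ts": "2021-05-14T09:00:00", "host": "ws09", "user": "bob", "image": S32 + "whoami.exe", "cmdline": "whoami"},
    {"ts": "2021-05-14T09:30:00", "host": "ws09", "user": "bob", "image": S32 + "arp.exe", "cmdline": "arp -a"},
    {"ts": "2021-05-14T09:45:00", "host": "ws17", "user": "alice", "image": S32 + "cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"ts": "2021-05-14T09:50:00", "host": "ws17", "user": "alice", "image": S32 + "net.exe", "cmdline": "net use Z: \\\\fileserver\\share"},
    {"ts": "2021-05-14T10:00:00", "host": "ws42", "user": "jsmith", "image": S32 + "whoami.exe", "cmdline": "whoami /all"},
    {"ts": "2021-05-14T10:01:00", "host": "ws42", "user": "jsmith", "image": S32 + "ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": "2021-05-14T10:02:00", "host": "ws42", "user": "jsmith", "image": S32 + "net.exe", "cmdline": 'net group "Domain Admins" /domain'},
    {"ts": "2021-05-14T10:03:00", "host": "ws42", "user": "jsmith", "image": S32 + "systeminfo.exe", "cmdline": "systeminfo"},
    {"ts": "2021-05-14T10:10:00", "host": "codesign01", "user": "svc_build", "image": S32 + "whoami.exe", "cmdline": "whoami"},
]

ALERTS = detect(SAMPLE_RECORDS)

if __name__ == "__main__":
    for a in ALERTS:
        print(a)
```

The burst rule deliberately counts distinct binaries rather than raw event volume, so a login script that runs `ipconfig` three times does not trip it, while `whoami` followed by `ipconfig` and `net group` from one session does. On administrator jump hosts raise `BURST_THRESHOLD` or exclude the admin accounts; on servers with a single, known workload the `HIGH_VALUE_HOSTS` treatment is usually the right one.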
These canaries — or “canary tokens” — are meant to be embedded inside regular files, acting much like a web beacon or web bug that tracks when someone opens an email.
Thinkst operates alongside a burgeoning industry offering so-called “deception” or “honeypot” services — those designed to confuse, disrupt and entangle network intruders. But in an interview with KrebsOnSecurity, Thinkst founder and CEO Haroon Meer said most deception techniques involve some degree of hubris.
One nice thing about canary tokens is that Thinkst gives them away for free. Head over to canarytokens.org, and choose from a drop-down menu of available tokens
Behind the stalkerware network spilling the private phone data of hundreds of thousands | TechCrunch
TechCrunch first discovered the vulnerability as part of a wider exploration of consumer-grade spyware. The vulnerability is simple, which is what makes it so damaging, allowing near-unfettered remote access to a device’s data. But efforts to privately disclose the security flaw to prevent it from being misused by nefarious actors have been met with silence both from those behind the operation and from Codero, the web company that hosts the spyware operation’s back-end server infrastructure.
The nature of spyware means those targeted likely have no idea that their phone is compromised. With no expectation that the vulnerability will be fixed any time soon, TechCrunch is now revealing more about the spyware apps and the operation so that owners of compromised devices can uninstall the spyware themselves, if it’s safe to do so.
Given the complexities in notifying victims, CERT/CC, the vulnerability disclosure center at Carnegie Mellon University’s Software Engineering Institute, has also published a note about the spyware.
What follows are the findings of a months-long investigation into a massive stalkerware operation that is harvesting the data from some 400,000 phones around the world, with the number of victims growing daily, including in the United States, Brazil, Indonesia, India, Jamaica, the Philippines, South Africa and Russia.
On the front line of the operation is a collection of white-label Android spyware apps that continuously collect the contents of a person’s phone, each with custom branding, and fronted by identical websites with U.S. corporate personas that offer cover by obfuscating links to its true operator. Behind the apps is a server infrastructure controlled by the operator, which is known to TechCrunch as a Vietnam-based company called 1Byte.
For user convenience, web browsers store the account and password entered into the login form when the user visits a website and provide the feature to enter them automatically upon revisiting. The password management feature is enabled by default on Chromium-based web browsers (Edge, Chrome).
Figure. Chrome pop-up suggesting to save password
The information entered when logging in is saved to the Login Data file via the password management feature.
Chrome: C:\Users\<User name>\AppData\Local\Google\Chrome\User Data\Default\Login Data
Edge: C:\Users\<User name>\AppData\Local\MicrosoftEdge\User\Default\Login Data
Login Data is an SQLite database file, and the account and password information is saved to the logins table. In addition to the account and password, the logins table stores the time the entry was saved, the URL of the login site, and the number of times it has been used.
If the user refuses to save account and password information of a site, in order to remember this, the blacklisted_by_user field will be set as 1, the username_value and password_value fields will not have accounts or passwords, and only the origin_url information is saved to the logins table. //
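To show how the fields just described look in practice, here is an added example (not from the original article or from Chromium): it builds a constructed in-memory stand-in for the logins table with the columns the text names, then inventories saved accounts and “never save” sites without touching the encrypted password_value. The purpose is the defender's one, working out which accounts must be rotated after a browser-credential theft. The URLs, usernames and dates are constructed; the 1601-01-01 microsecond epoch is Chromium's actual timestamp convention.

```python
"""Audit a copy of a Chromium 'Login Data' file: saved accounts and blocked sites.

Added example, not from the original article. The table below is a constructed
subset of Chromium's logins schema limited to the columns the text names
(origin_url, username_value, password_value, blacklisted_by_user, date_created,
times_used). Work on a copy of the file; the browser keeps the live one locked.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium stores timestamps as microseconds since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chrome_time(us: int) -> datetime:
    """Convert a Chromium microsecond timestamp to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=us)


def to_chrome_time(dt: datetime) -> int:
    """Inverse of chrome_time, exact (integer division avoids float rounding)."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1)


def open_copy(path: str) -> sqlite3.Connection:
    """Open an evidence copy read-only so the audit can never alter it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def audit_logins(conn: sqlite3.Connection):
    """Return (saved, blocked).

    saved: metadata for each stored credential; blocked: origins the user told the
    browser never to save (blacklisted_by_user = 1, empty username/password).
    password_value is never decrypted here: an exposure inventory only needs to
    know *which* accounts exist, and the blob stays under its OS-bound protection.
    """
    saved, blocked = [], []
    rows = conn.execute(
        "SELECT origin_url, username_value, password_value, blacklisted_by_user, "
        "date_created, times_used FROM logins ORDER BY date_created"
    )
    for origin, user, pw, blocked_flag, created, used in rows:
        if blocked_flag:
            blocked.append(origin)
            continue
        saved.append({
            "origin": origin,
            "username": user,
            "has_secret": bool(pw),
            "created": chrome_time(created).date().isoformat(),
            "times_used": used,
        })
    return saved, blocked


def exposure_report(saved):
    """Group saved usernames by origin: the rotation list after a credential theft."""
    by_origin = {}
    for entry in saved:
        by_origin.setdefault(entry["origin"], []).append(entry["username"])
    return by_origin


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a Login Data file (not a real profile)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE logins (
        origin_url TEXT, username_value TEXT, password_value BLOB,
        blacklisted_by_user INTEGER, date_created INTEGER, times_used INTEGER)""")
    day = lambda y, m, d: to_chrome_time(datetime(y, m, d, tzinfo=timezone.utc))
    fake_blob = b"v10" + b"\x00" * 16   # constructed placeholder, not a real ciphertext
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?, ?, ?, ?)", [
        ("https://mail.example.com/", "alice@example.com", fake_blob, 0, day(2021, 5, 1), 14),
        ("https://vpn.example.com/login", "alice", fake_blob, 0, day(2021, 5, 3), 3),
        ("https://bank.example.com/", "", b"", 1, day(2021, 5, 5), 0),          # "never save"
        ("https://mail.example.com/", "alice.admin@example.com", fake_blob, 0, day(2021, 5, 9), 1),
    ])
    return conn


if __name__ == "__main__":
    saved, blocked = audit_logins(build_sample_db())
    for origin, users in exposure_report(saved).items():
        print(f"{origin}: rotate {', '.join(users)}")
    print("never-save sites:", blocked)
```

On a real system point `open_copy` at a copy of the path given above for the browser in question; the blocked list is useful too, because a site the user refused to save for is one an infostealer cannot have harvested from this file.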
– Collecting and stealing information saved to browsers
  – Login account and password
  – Cookies
  – Autofill
  – Credit card information
– Browsers targeted for attack
  – All Chromium-based browsers
  – All Gecko-based browsers
– Cryptocurrency wallet information
  – Seed file saved to the system
Microsoft Defender Application Guard protects your networks and data from malicious applications running in your web browser, but you must install and activate it first.
Activation for TPM 2.0 and HVCI was explained before, but now we will look at the activation procedure for Microsoft Defender Application Guard in Windows 10. MDAG uses virtualization-based technology to help safeguard your systems from malicious and criminal websites that you visit with your enabled web browsers like Edge, Chrome and Firefox.
MDAG is included with Windows 10 Professional, Enterprise and Educational versions by default. MDAG is part of Windows Features for those versions, so we will have to call up the Control Panel.
The easiest way to get to the screen we need is to type "windows features" into the search box on your Windows 10 desktop. Be sure to select the Turn Windows Features On or Off item from the search results.
Scroll down the list of features until you see Microsoft Defender Application Guard. Place a check in the checkbox for that item and click the OK button. The MDAG application will install and then ask you to reboot to activate.
Now that MDAG is installed and activated, it is time to check its settings. Click or tap the Start Menu button and select Settings (gear icon). On the Settings page, select Update & Security and then select the Windows Security item from the left-hand navigation bar.
From the right windowpane, click App & Browser Control.
The security settings under MDAG are stricter than many of us are used to, so you may find yourself wanting to make some tweaks. Click the Change Application Guard settings link on this page to see a list of security features that you may want to turn on or off depending on your activity.
Tip #1: Have a Plan
Let us start easy: Have a plan. If you have not suffered a ransomware attack, congrats! You now have time on your side – hopefully. Use that to get a plan in place, even if you do not have a security team. Start with this simple question: If you got hit by an attack right now, how would you respond?
Tip #2: Work Together: Ransomware is More than Security.
Ransomware is no longer just a “security problem.” A ransomware attack impacts users, legal, HR, finance and many others, including of course the security team. You cannot successfully defend against an attack if the organization is siloed within itself.
Tip #3: Audit, and Limit, Highly-Privileged Accounts in Active Directory
One of the first objectives for attackers in a victim environment is to find and gain elevated credentials. These credentials are often necessary to achieve their objectives – they need privileges to find additional systems, move laterally around the environment, execute certain commands, establish persistence, etc. Far too often in our investigations we uncover environments with simply too many highly privileged accounts – and attackers are betting on this.
Tip #5: Implement and Simulate. Wash, Rinse and Repeat.
Once you have account protections in place, utilize open-source tooling or a security vendor to test your environment. No need to ransom yourself – instead, focus on earlier stages of an attack such as credential theft or lateral movement. What did you detect, what were you able to achieve? Frequent testing will not only give you more insight into your environment, but it will also show you where you have detection gaps and coverage.
We cannot simply plug in tools and expect to be defended with the “push of a button.” Proper information security requires knowledge of the environment and frequent testing and tuning. If you have not suffered an attack, good. Do not wait for the “if” – instead, minimize the “when.”
As ransomware evolved, cybercriminals realized that the same network access levels they needed to plant ransomware files also lent well to exfiltrating data -- and allowed them to get around the pesky backup files that stood in between them and an immediate payday. Enter double extortion, also known as “encrypt and exfiltrate,” which extended ransomware attacks to include data breaches. In addition to encrypting victims’ files, cybercriminals also steal them, then threaten to sell or publicly release the data if the victim doesn’t pay the ransom.
Five months before DarkSide attacked the Colonial pipeline, two researchers discovered a way to rescue its ransomware victims. Then an antivirus company’s announcement alerted the hackers.
On January 11, antivirus company Bitdefender said it was “happy to announce” a startling breakthrough. It had found a flaw in the ransomware that a gang known as DarkSide was using to freeze computer networks of dozens of businesses in the US and Europe. Companies facing demands from DarkSide could download a free tool from Bitdefender and avoid paying millions of dollars in ransom to the hackers.
But Bitdefender wasn’t the first to identify this flaw. Two other researchers, Fabian Wosar and Michael Gillespie, had noticed it the month before and had begun discreetly looking for victims to help. By publicizing its tool, Bitdefender alerted DarkSide to the lapse, which involved reusing the same digital keys to lock and unlock multiple victims. The next day, DarkSide declared that it had repaired the problem, and that “new companies have nothing to hope for.”
“Special thanks to BitDefender for helping fix our issues,” DarkSide said. “This will make us even better.”
It wasn’t the first time Bitdefender trumpeted a solution that Wosar or Gillespie had beaten it to. Gillespie had broken the code of a ransomware strain called GoGoogle, and was helping victims without any fanfare, when Bitdefender released a decryption tool in May 2020. Other companies have also announced breakthroughs publicly, Wosar and Gillespie said.
“People are desperate for a news mention, and big security companies don’t care about victims,” Wosar said.
Even when you pay for a decryption key, your files may still be locked up by another strain of malware.
Windows 10 comes with its own baked-in antivirus solution called Windows Defender, and it is enabled by default when setting up a new PC. At the very least, that affords you some basic protection against the many malware threats out in the wild. But did you know there is an added optional layer that can keep your pictures, videos, work documents, and other files safe in the event of a ransomware infection? The caveat is that you have to manually enable ransomware protection in Windows 10.
Or more specifically, a feature called 'Controlled folder access.'
To enable it, type 'Ransomware protection' in the Windows search bar, or take the long way by navigating to Settings > Update & Security, click on Open Windows Security, click on Virus & threat protection, then scroll down and click on Manage ransomware protection.
The Controlled folder access toggle is set to 'off' by default (or at least it was on my PCs). Turning it on designates specific folders that only trusted apps have permission to access, and you can add folders beyond the ones that are selected by default. There's also a section to grant specific apps permission to access your protected folders, if need be.
DarkSide, like a great many other malware strains, has a hard-coded do-not-install list of countries which are the principal members of the Commonwealth of Independent States (CIS) — former Soviet satellites that all currently have favorable relations with the Kremlin, including Azerbaijan, Belarus, Georgia, Romania, Turkmenistan, Ukraine and Uzbekistan. The full exclusion list in DarkSide (published by Cybereason) is below:
Simply put, countless malware strains will check for the presence of one of these languages on the system, and if they’re detected the malware will exit and fail to install.
Will installing one of these languages keep your Windows computer safe from all malware? Absolutely not. There is plenty of malware that doesn’t care where in the world you are. And there is no substitute for adopting a defense-in-depth posture, and avoiding risky behaviors online.
But is there really a downside to taking this simple, free, prophylactic approach? None that I can see, other than perhaps a sinking feeling of capitulation. The worst that could happen is that you accidentally toggle the language settings and all your menu options are in Russian.
If this happens (and the first time it does the experience may be a bit jarring) hit the Windows key and the space bar at the same time; if you have more than one language installed you will see the ability to quickly toggle from one to the other.
But James says he loves the idea of everyone adding a language from the CIS country list so much he’s produced his own clickable two-line Windows batch script that adds a Russian language reference in the specific Windows registry keys that are checked by malware. The script effectively allows one’s Windows PC to look like it has a Russian keyboard installed without actually downloading the added script libraries from Microsoft. https://github.com/Unit221B/Russian
Play stupid games...
May 14, 2021
Sounds like DarkSide learned what dictators and cybercriminals alike have known for decades:
Want to shut down international logistics and shipping? Ok. Kill people by shutting down hospitals? The FBI will get around to investigating it. Commit some war crimes here and there? Maybe a condemnation and some sanctions.
F*** with America’s oil? Get ready to learn about American liberty. And by liberty, I mean you’re going to be liberated from everything you hold dear.
Let’s listen to Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger explain that whether or not Colonial Pipeline pays ransom to these attackers is a “private sector decision” when a reporter asks what they are going to do about it and what’s the timeline for this problem being addressed.
Now, there are a lot of things to consider in such an attack, but when it’s a pipeline that is so critical to our infrastructure you don’t just fluff it off as if it really doesn’t matter, as though we don’t really give a darn or the impact isn’t significant to the country. They didn’t give the company any input or express an opinion? This is a national security issue and a serious federal crime. If you encourage the payment of ransom, you encourage similar attacks.