1. FBI Cautions Congress Against Banning Ransomware Payments
- Senior FBI officials advised the U.S. Congress not to mitigate ransomware threats by making ransom payments illegal. While the FBI cautions organizations against paying ransoms to cybercriminals, the assistant director of the FBI's cyber division argued that a congressional ban on ransom payments could create new opportunities for attackers to extort victims.
- Many organizations currently fail to report ransomware payments to the public for fear of reputational damage. The FBI leadership therefore believes that if Congress bans ransomware payments, such a move would most likely kickstart a massive blackmailing campaign, whereby cybercriminals threaten to report ransom transactions to the authorities unless further ransom payments are made.
- While the government moves towards compulsory reporting requirements for ransom payment demands, most organizations still believe that deciding whether to pay or not to pay a ransom demand should remain a business decision.
Expert Commentary: The FBI estimates that between 25% and 35% of cybersecurity incidents go unreported by victimized organizations, which makes it challenging for law enforcement to determine the full scope of cybercriminal activity associated with ransomware attacks. As a result, a legislative approach to ransomware payments could push organizations into a self-protective stance of refusing to disclose ransomware attacks altogether. Security experts instead believe that Congress should use legislative measures to increase the reporting of security incidents rather than penalizing companies for being victims. Victim blaming is always wrong.
2. A New Ransomware Player, BlackMatter, Is in Town
- Security researchers discovered a new ransomware gang, BlackMatter, that debuted its operation this week. The BlackMatter gang appears to combine the most lethal features of the now-defunct ransomware gangs REvil and DarkSide. In a recent ad on dark-web forums, the new gang appears to be recruiting affiliates with initial access broker (IAB) experience.
- Per BlackMatter's ad, the gang seeks to form partnerships with IABs who can break into corporate networks belonging to organizations with revenues of $100 million/year or larger. Most significantly, the BlackMatter gang targets corporate networks with between 500 and 15,000 local systems, located in the U.S., U.K., Canada, and Australia.
- While bragging about its capabilities, the ransomware gang disclosed that it possesses the ability to encrypt multiple cloud infrastructures and operating systems, including Windows, Linux, VMware virtual endpoints, and network-attached storage architectures.
Expert Commentary: Initial access brokers (IABs) are becoming one of the most critical players in the ransomware ecosystem. To shorten their attack cycle, ransomware actors leverage the expertise of lone-wolf IABs, who are willing and able to compromise an organization's network and sell the resulting access credentials. Based on forensic investigations into some of the widespread ransomware attacks that occurred this year, IT forensic experts found that poor access management practices are usually the first errors that threat actors exploit on a corporate network.
3. Threat Actors Target Kubernetes Using Misconfigured Argo Workflows
- An attack campaign was discovered in the wild, targeting Kubernetes clusters through misconfigured Argo Workflows instances to facilitate malicious crypto-mining activity. In most organizations, Argo Workflows is used to define task sequences, automate deployments, and scale task management in Kubernetes environments.
- Cyberattackers are abusing a misconfiguration in Argo Workflows deployments that allows them to run unauthorized code in a target's environment. Whenever access permissions are misconfigured, attackers can reach an exposed Argo dashboard and submit their own workflows; the campaign uses this to mine Monero cryptocurrency.
- While Argo Workflows is an open-source application, security researchers discovered several unprotected instances currently operated by major organizations across critical industries, including technology, finance, logistics, and manufacturing. A typical instance contains a trove of sensitive information, including access credentials, source code, and system permission configurations.
Expert Commentary: Since the cryptocurrency boom, security researchers have observed that Kubernetes is extensively targeted as a piece in the cryptojacking cycle. Although cryptojacking is a basic attack tactic that threat actors of any skill level can implement, ransomware attackers tend to leverage it to launder their spoils. Because of the contents of Argo Workflows hosts, a successful compromise could have a significant impact on Kubernetes users, as it can lead to the leakage of sensitive data.
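The misconfiguration described above comes down to who is allowed to talk to the Argo Workflows dashboard and whose Kubernetes identity submitted workflows run under. The following Python audit is an added example, not code from the article or from the Argo project. It assumes that the argo-server container is started with `argo server --auth-mode=<mode>`, that `server` mode lets every dashboard visitor act as the server's own service account while `client` and `sso` require the visitor's own credentials, and (conservatively) that a missing `--auth-mode` should be treated as `server` mode. The two manifests are constructed for the example.

```python
"""Audit an Argo Workflows Server Deployment (and its Service) for an
unauthenticated, externally reachable dashboard.

Assumptions (not from the article): argo-server takes `--auth-mode=<mode>`;
`server` mode maps every dashboard visitor to the server's service account,
`client`/`sso` do not. A missing flag is treated as `server` for the audit.
"""
from typing import Any, Dict, List, Optional, Set

SAFE_AUTH_MODES: Set[str] = {"client", "sso"}


def _container_args(deployment: Dict[str, Any]) -> List[str]:
    """Flatten the args of every container in the Deployment's pod template."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    args: List[str] = []
    for container in containers:
        args.extend(container.get("args", []))
    return args


def auth_modes(deployment: Dict[str, Any]) -> Set[str]:
    """Collect every --auth-mode value, in both `--auth-mode=x` and `--auth-mode x` forms."""
    modes: Set[str] = set()
    args = _container_args(deployment)
    for i, arg in enumerate(args):
        if arg.startswith("--auth-mode="):
            modes.add(arg.split("=", 1)[1])
        elif arg == "--auth-mode" and i + 1 < len(args):
            modes.add(args[i + 1])
    return modes


def audit_argo_server(deployment: Dict[str, Any],
                      service: Optional[Dict[str, Any]] = None) -> List[str]:
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings: List[str] = []
    modes = auth_modes(deployment)
    if not modes:
        findings.append("no --auth-mode set; assumed to fall back to 'server' "
                        "mode (dashboard usable without per-user credentials)")
    unsafe = modes - SAFE_AUTH_MODES
    if unsafe:
        findings.append(f"auth-mode {sorted(unsafe)} lets any dashboard visitor "
                        "submit workflows as the argo-server service account")
    if service is not None:
        svc_type = service["spec"].get("type", "ClusterIP")
        if svc_type in ("LoadBalancer", "NodePort"):
            findings.append(f"Service type {svc_type} exposes the dashboard "
                            "outside the cluster")
    return findings


def _deployment(args: List[str]) -> Dict[str, Any]:
    # Constructed minimal Deployment resembling the argo-server install manifest.
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "argo-server", "namespace": "argo"},
            "spec": {"template": {"spec": {"containers": [
                {"name": "argo-server", "image": "argoproj/argocli",
                 "args": args}]}}}}


def _service(svc_type: str) -> Dict[str, Any]:
    # Constructed Service in front of argo-server.
    return {"apiVersion": "v1", "kind": "Service",
            "metadata": {"name": "argo-server", "namespace": "argo"},
            "spec": {"type": svc_type, "ports": [{"port": 2746}]}}


# Weak: dashboard visitors inherit the server's identity and it is Internet-facing.
WEAK_DEPLOYMENT = _deployment(["server", "--auth-mode=server"])
WEAK_SERVICE = _service("LoadBalancer")

# Hardened: SSO-authenticated users, reachable only inside the cluster.
HARDENED_DEPLOYMENT = _deployment(["server", "--auth-mode=sso"])
HARDENED_SERVICE = _service("ClusterIP")

if __name__ == "__main__":
    for label, dep, svc in (("weak", WEAK_DEPLOYMENT, WEAK_SERVICE),
                            ("hardened", HARDENED_DEPLOYMENT, HARDENED_SERVICE)):
        print(label, audit_argo_server(dep, svc) or "no findings")
```

Run against a real cluster, the same functions can consume the output of `kubectl get deployment argo-server -n argo -o json` and the matching Service; the point of the check is that an exposed dashboard and a permissive auth mode together are what let a stranger schedule pods.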
4. President Biden Warned That Continuous Cyberattacks Could Lead to Kinetic Warfare
- While speaking at the National Counterterrorism Center of the Office of the Director of National Intelligence this week, President Biden warned that if cyberattacks continue to be strategically targeted at critical national infrastructures, it could lead to kinetic warfare between major world powers.
- During his speech in front of U.S. intelligence officials, the President discussed actions by Russian intelligence agencies to destabilize U.S. elections and by Chinese-sponsored threat actors causing real-world destruction through malicious cyber operations against critical national infrastructure.
- While NATO has officially placed cyberattacks on the same level as kinetic attacks (a position the United Nations has continued to shy away from), it is unclear whether the U.S. government plans to respond to future cyberattacks with kinetic weapons. However, President Biden appears to be considering all necessary actions to defend U.S. national infrastructure against state-sponsored cyber attackers.
Expert Commentary: Responding to cyberattacks with kinetic weapons is a slippery slope because attribution is still challenging in cyberspace. This means there is a chance that taking action against the wrong IP address could result in the deaths of innocent civilians. As such, the United Nations has refused to officially approve the use of kinetic weapons in response to cyberattacks; the margin of error in cyberspace attribution is very dynamic. Nevertheless, to date, the U.S. and Israel happen to be the only nations that have responded to cyberattacks with airstrikes.
5. Threat Actors Leverage Windows 11 To Spread Malware
- Using the launch of a new product or device to lure victims is nothing new. Although Microsoft's Windows 11 operating system will not be generally available until later in the fall, threat actors are exploiting the excitement and eagerness of end users by spreading malware via fake Windows 11 installer packages.
- Many fake Windows 11 installer packages are distributed as a downloadable file that mimics the legitimate Microsoft installer in structure, size, and installation prompts.
- When the fake installer eventually runs, it drops a second malicious .exe file onto the target's system, which contains code used to carry out spyware operations.
Expert Commentary: Cyber attackers enjoy taking advantage of highly anticipated events to lure as many people as possible. While Microsoft promises to fix many security challenges in the Windows 11 operating system, threat actors have decided to use a classic 'low-hanging fruit' tactic to begin exploitation. As more people become excited about Windows 11, it is strongly advisable to avoid third-party platforms when downloading the new operating system, to prevent drive-by downloads and other unnecessary cybercriminal garbage.