JetBrains Breach, US Formally Blames Russia for SolarWinds Hack; Babuk Ransomware – Cybersecurity News and Trends

1. A Widely Used Software Company, An Entry Point For Huge U.S. Government Compromise

• State intelligence agencies disclosed that a popular software company (JetBrains), based in the Czech Republic and founded by three Russian engineers, is likely the entry point that Russian-sponsored threat actors used to insert back doors into numerous large technology companies and major U.S. government systems.
• SolarWinds, one of JetBrains 300,000 clients, was the pivot company that played a substantial role in permitting sophisticated threat actors into secured government and private networks.
• According to U.S. Intelligence reports, JetBrain’s product (TeamCity) is responsible for the testing and exchange of software codes prior to being released to the 79 of the Fortune 100 companies it counts as customers. It is most likely that threat actors corrupted software codes in TeamCity, which kickstarted the SolarWinds incident.

SME Comment: The exact scope of the compromise has yet to be determined, but initial cyber investigation suggests that the number of confirmed compromised U.S. government agencies is less than 10, with the U.S Treasury, State, Homeland Security, Energy, Commerce, and Justice departments being the most prominent targets.

Link to article

2. State Intelligence Agencies Formally Blame Russia For Massive SolarWinds Attack

• A joint investigation by the FBI, ODNI, CISA, and the NSA have officially attributed the SolarWinds compromise to Russia. The joint investigation into the sophisticated APT threat actors’ activities at FireEye, SolarWinds, and top U.S. government agencies have yet to be widely accepted by the cybersecurity industry.
• Although U.S. Intelligence has officially attributed the SolarWinds hack to Russia, the mainstream cybersecurity industry is still searching for concrete evidence to substantiate the allegation. One thing is clear: the incoming Administration is expected to take a firm stance to combat the effects of large scale cyberespionage activities against U.S. government infrastructures.
• Fewer than 10 U.S. government agencies and departments have fallen victim to this security incident thus far. More impact reports are likely to follow later this year.

SME Comment: The SolarWinds security incident affected ~18,000 users of SolarWinds Orion platform in the United States alone. Security researchers discovered the presence of at least three unique malwares (‘Sunspot,’ ‘StellarParticle,’ and ‘Sunburst.’) Extensive investigations are ongoing, and expected to continue well into the rest of the year.

Link to article

3. Babuk Locker: The First Enterprise Ransomware of 2021

• A newly discovered ransomware operation, known as Babuk Locker, has made its way into the cyber world. This brand new ransomware uses a per-victim customized 32-Bit executable generating ransom note, Tor URL, and hardcoded extensions of the encrypted data to facilitate its operation.
• The Babuk Locker threat actors are using a hacker forum to leak the stolen data of victims who refuse to pay the ransom. Among five victims of the ransomware, at least one victim has agreed to pay the ransom amount of $85K.
• Security researchers suggest that the Babuk Locker ransomware is designed by amateurs, but uses strong encryption techniques whose decrypting keys are not available in the wild.

SME Comment: The Babuk ransom executable lacks any obfuscation measures and its method of propagation has yet to be confirmed. Each folder holding the encrypted data will have a ransom note titled “How To Restore Your Files.txt,” which contains relevant information about the attack and how to contact the ransomware operatives for negotiation.

Link to article

4. State-sponsored Threat Actors Move To Ransomware Attacks

• A set of ransomware incidents targeting several companies is believed to have links to Chinese-sponsored threat groups. Investigations suggest that the malware lacks the usual technical sophistication, however evidence shows similarities with other malicious codes that have been linked to APT 27, a Chinese-sponsored cyberespionage group.
• The threat actor relied on BitLocker, the native drive encryption tool in Windows, to facilitate its ransomware operation. Although not very sophisticated, their attacks targeted five global companies and successfully encrypted several core servers.
• This particular ransomware attack was successful because the attackers reached their targets via third-party service providers, which had been infected through another third-party provider.

SME Comment: Most Chinese-sponsored threat actors are managed by China’s Ministry of State Security (MSS). State-sponsored threat actors have also been known to freelance as standard cybercriminals, but their attack signatures are never too far behind.

Link to article

5. In 2021, Ransomware Gets Personal: Ransomware Gangs Are Targeting Top Execs To Pressure Companies Into Paying

• Ransomware groups are pushing a new trend focused on stealing sensitive data from systems that are used by top level executives and managers. The goal is to successfully extract valuable (personal) information that can be used to motivate organizations into paying ransoms.
• Threat actors leverage a mixture of extortion, blackmail, and general ransomware tactics to increase their ransomware profits by personalizing the attack chain.
• The Clop ransomware gang are well known to implement this type of personalized and extremely lucrative attack tactic against top C-suite executives.

SME Comment: The technique of targeting top-level management can threaten a business’s reputation in addition to the financial demands most common in ransom negotiations.

Link to article