Cybersecurity researchers have detailed the various measures ransomware actors have taken to obscure their true identity online as well as the hosting location of their web server infrastructure. Most ransomware operators use hosting providers outside their country of origin (such as Sweden, Germany, and Singapore) to host their ransomware operations sites. The actors use VPS hop-points as a proxy to hide their true location when they connect to their ransomware web infrastructure for remote administration tasks. These groups also use the TOR network and DNS proxy registration services to provide an added layer of anonymity for their illegal operations.[1]
But by taking advantage of the threat actors' operational security missteps and other techniques, investigators recently disclosed that they could identify TOR hidden services hosted on public IP addresses, some of which are previously unknown infrastructure associated with DarkAngels, Snatch, Quantum, and Nokoyawa ransomware groups.
While ransomware groups are known to rely on the dark web to conceal their illicit activities ranging from leaking stolen data to negotiating payments with victims, investigators disclosed that they were able to identify "public IP addresses hosting the same threat actor infrastructure as those on the dark web. The methods used to identify the public internet IPs involved matching threat actors' [self-signed] TLS certificate serial numbers and page elements with those indexed on the public internet.
In addition, TLS certificate matching, a second method employed to uncover the adversaries' clear web infrastructures, entailed checking the favicons associated with the darknet websites against the public internet using web crawlers like Shodan. In the case of Nokoyawa, a new Windows ransomware strain that appeared earlier this year and shares substantial code similarities with Karma, the site hosted on the TOR hidden service was found to harbor a directory traversal flaw that enabled the researchers to access the "/var/log/auth.log" file used to capture user logins.
The findings demonstrate that not only are the criminal actors' leak sites accessible for any user on the internet, other infrastructure components, including identifying server data, were left exposed, effectively making it possible to obtain the login locations used to administer the ransomware servers. Further analysis of the successful root user logins showed that they originated from two IP addresses, 5.230.29[.]12 and 176.119.0[.]195, the former of which belongs to GHOSTnet GmbH, a hosting provider that offers Virtual Private Server (VPS) services.
176.119.0[.]195 belongs to AS58271, listed under the name Tyatkova Oksana Valerievna. The operator possibly forgot to use the German-based VPS for obfuscation and logged into a session with this web server directly from their true location at 176.119.0[.]195.
The development comes as the emerging Black Basta ransomware operators expanded their attack arsenal by using QakBot for initial access and lateral movement and taking advantage of the PrintNightmare vulnerability (CVE-2021-34527) to conduct privileged file operations.
See: https://redskyalliance.org/xindustry/black-basta
The LockBit ransomware gang recently announced the release of LockBit 3.0 with the message "Make Ransomware Great Again!," in addition to launching their own Bug Bounty program, offering rewards ranging between $1,000 and $1 million for identifying security flaws and "brilliant ideas" to improve its software. The release of LockBit 3.0 with the introduction of a bug bounty program is a formal invitation to cybercriminals to help assist the group in its quest to remain at the top," Satnam Narang, senior staff research engineer at Tenable, said in a statement. "A key focus of the bug bounty program is defensive measures: Preventing security researchers and law enforcement from finding bugs in its leak sites or ransomware, identifying ways that members, including the affiliate program boss, could be doxed, as well as finding bugs within the messaging software used by the group for internal communications and the Tor network itself."
See: https://redskyalliance.org/xindustry/emerging-ransomware-groups-replace-old-favorites
The threat of being doxed or identified signals that law enforcement efforts are clearly a great concern for groups like LockBit. Finally, the group is planning to offer Zcash as a payment option, which is significant as Zcash is harder to trace than Bitcoin, making it harder for researchers to keep tabs on the group's activity.
It is up to all organizations to take steps and adopt procedures to protect themselves from ransomware attacks. No government can stop these attacks except for the counties sponsoring or benefitting from the ransom payments.
The following is what Red Sky Alliance recommends:
- All data in transmission and at rest should be encrypted.
- Proper data backup and off-site storage policies should be adopted and followed.
- Implement 2-Factor authentication-company-wide.
- For USA readers, join and become active in your local Infragard chapter; there is no charge for membership. infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services, and devices to be used by all at-home working employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications directed at your domains. RedXray service is $500 a month and provides threat intelligence on ten (10) cyber threat categories, including Keyloggers, without having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@wapacklabs. com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://thehackernews.com/2022/07/researchers-share-techniques-to-uncover.html
Comments