Archive for IBM

IBM and Palo Alto Networks Find Platformization is Key to Reduce Cybersecurity Complexity

Posted in Commentary with tags on January 29, 2025 by itnerd

New global research from the IBM Institute for Business Value (IBV) and Palo Alto Networks, found that surveyed organizations are facing security complexity challenges as they juggle an average of 83 different security solutions from 29 vendors. It also shows 7 out of 10 surveyed companies with a high degree of security platformization report their cybersecurity investments have helped business outcomes such as operational efficiencies and revenue generation.

In the study, “Capturing the cybersecurity dividend: How security platforms generate business value,” more than half (52%) of surveyed executives note fragmentation of security solutions is limiting their ability to deal with cyber threats, but 75% of organizations that have embraced security platformization agree that better integration across security, hybrid cloud, AI, and other technology platforms is crucial. The analysis suggests the trend of adding more solutions to combat evolving security threats is contributing to inefficiency – impacting both performance and the bottom line – while moving to a platformized security approach can help businesses achieve reduced response times and costs without sacrificing security efficacy.

Cybersecurity Complexity is a Daunting Reality
Increased digital interconnectedness expands attack surfaces and can create new cybersecurity vulnerabilities. Cyberattacks are becoming more sophisticated and harder to defend against, while AI is being used by both defenders and attackers, creating a race in cybersecurity capabilities.

In an evolving threat landscape, surveyed executives estimate security fragmentation and complexity costs their organizations an average of 5% of their annual revenue. For a $20 billion annual revenue company, that’s a $1 billion cost to the business in aggregate. Tally the costs of security incidents, lost productivity, failed digital transformations, stalled AI initiatives, loss of customer trust and reputational damage and the numbers add up.

Key insights from surveyed business leaders:

  • 52% of executives say complexity is the biggest impediment to their cybersecurity operations;
  • 80% agree they face pressure to reduce the cost of security, and 41% say security fragmentation has driven up procurement costs;
  • 4 out of 5 non-platform organizations say their security operations cannot effectively deal with the sheer quantity of threats and attacks;
  • 80% of platformization adopters say they have full visibility into potential vulnerabilities and threats; and,
  • For platformized organizations, mean time to identify (MTTI) and mean time to contain (MTTC) security incidents are shorter by an average of 72 and 84 days, respectively.

Enhancing Businesses with Platformization: Unleashing the Power of Digital Transformation
In today’s world, the research finds effective security requires platformization. Consolidating multiple tools into a unified platform not only bolsters security posture but enables organizations to experience nearly 4 times better return on investment (ROI) from their cybersecurity investments, leading to revenue generation and increased operational efficiencies.

When it comes to AI, a platform approach can also enable an organization to better ingest and analyze data to deliver actionable insights. With 90% of surveyed executives expecting to scale, optimize, or innovate with AI within the next two years, integrating AI into their platforms can play a critical role in advancing their security preparedness. For example, accelerating adoption of agentic AI for security and tapping platformization for fewer investment cycles; or, using platformization to create the common governance needed to deliver the AI capabilities shaping the future.

By adopting a platformization approach, businesses can align technologies, drive innovation, and prioritize security as a core business requirement. Through IBM and Palo Alto Networks’ strategic partnership, the companies are bringing together leading security platforms, AI, and transformation capabilities to help organizations confidently navigate their digital transformation journey, achieve their desired outcomes and drive substantial business value.

Tips for Platformization Success

  • Choose partners that streamline your security mission and trim those that don’t. Critically evaluate current and potential technology, services, and support partners, and make hard decisions about where to double down and when to part ways.
  • Run your playbook. Stage incident response drills to assess where a unified platform can deliver the greatest impact. Take action to improve your incident response capabilities.
  • Help your business get prepared to respond to threats by putting it to the test. Visit a cyber range to prepare business and technical teams to address the latest cyber threats through an immersive, organization-wide business-focused engagement. IBM and Palo Alto Networks now provide a joint Cyber Range experience in Cambridge, Massachusetts, where clients can leverage the facility to support continuous improvement, training, and change management as they transform their security operating models with platformization.

Study Methodology
This IBM Institute for Business Value (IBV) research, conducted in collaboration with Oxford Economics and published in partnership with Palo Alto Networks, surveyed 1,000 executives across 21 industries and 18 countries from July through September 2024. The IBM IBV team then analyzed insights and data from respondents to create a “platformization index,” which measures the extent to which an organization has moved toward security platformization, and used that index to ascertain the relationship between security platformization and security and business outcomes.

The IBM IBV, IBM’s thought leadership think tank, combines global research and performance data with expertise from industry thinkers and leading academics to deliver insights that make business leaders smarter. For more world-class thought leadership, visit: www.ibm.com/ibv.

Global Banking Trojan Resurfaces With A Vengeance 

Posted in Commentary with tags on May 21, 2024 by itnerd

According to a new report from IBM’s X-Force, a widespread banking malware Grandoreiro has resurfaced in numerous new campaigns with improved functionality designed to make it a more meaningful threat.

The cybersecurity unit has been tracking several large-scale phishing campaigns since March including attacks impersonating Mexico’s Tax Administration Service, Federal Electricity Commission and Secretary of Administration and Finance, as well as the Revenue Service of Argentina and the South African Revenue Service.

“In each campaign, the recipients are instructed to click on a link to view an invoice or fee, account statement, make a payment, etc. depending on the impersonated entity.

“If the user who clicks on the links is within a specific country (depending on the campaign, Mexico, Chile, Spain, Costa Rica, Peru, or Argentina), they are redirected to an image of a PDF icon, and a ZIP file is downloaded in the background. The ZIP files contain a large executable disguised with a PDF icon, found to have been created the day prior to, or the day of the email being sent,” IBM X-Force said.

The malware has been observed since at least 2017 previously only targeting Spanish-speaking countries. The new Grandoreiro is a modular operation with the ability to target over 1500 global banking applications and websites in over 60 countries.

The latest version features updates that allow the malware to contact at least 12 different C2 domains per day. There are also new capabilities allowing it to spread more efficiently by harvesting victim data from targeted email clients.

“The updates made to the malware, in addition to the significant increase in banking applications across several nations, indicate that the Grandoreiro distributors are seeking to conduct campaigns and deliver malware on a global scale,” IBM X-Force concluded.

Emily Phelps, Director, Cyware:

   “This incident underscores the need for organizations to adopt more proactive cybersecurity strategies. A collective defense approach and the implementation of cyber fusion strategies can help organizations get ahead of threats, operationalizing relevant threat insights and breaking down silos so that security teams can rapidly take action. As adversaries evolve their tactics, our collective defense must be equally dynamic and resilient.”

This highlights the fact that threat actors are taking attack code that is already out there and making it a lot more dangerous. This is why having the sort of defence that Ms. Phelps describes is the best way to stop your organization from getting pwned.

71% Surge In Identity Exploitation As Top Access Method: IBM

Posted in Commentary with tags on February 21, 2024 by itnerd

According to IBM’s 2024 X-Force Threat Intelligence Index, data shows a 71% increase in cybercriminals exploiting legitimate credentials to access and compromise corporate networks, representing 30% of the total initial access vectors used in 2023.
 
Methods the cybercriminals use to access valid accounts include obtaining or buying credentials from the dark web and/or through infostealing malware. In 2023, X-Force observed a 266% increase in infostealing malware.
 
While 70% of attacks globally targeted critical infrastructure, 84% of observed incidents on critical infrastructure “could have been mitigated with best practices and security fundamentals, such as asset and patch management, credential hardening and the principle of least privilege.”
 
IBM assessed that AI hasn’t been a serious threat so far but could become one in the future. Charles Henderson, head of IBM X-Force, commented:

“While ‘security fundamentals’ doesn’t get as many head turns as ‘AI-engineered attacks,’ it remains that enterprises’ biggest security problem boils down to the basic and known – not the novel and unknown. Identity is being used against enterprises time and time again, a problem that will worsen as adversaries invest in AI to optimize the tactic.”

The 2024 X-Force Threat Intelligence Index is based on insights and observations from monitoring over 150 billion daily security events in more than 130 countries.

Dave Ratner, CEO, HYAS had this to say:

   “With so many attacks exploiting legitimate credentials for access and exploitation, the need for cyber resiliency solutions has never been greater, especially for critical infrastructure providers and MSSP/MSPs that may protect their smaller cousins.  The use of legitimate credentials means that much of the existing security stack is bypassed and ineffective — cyber resiliency solutions that see the anomalous behavior inside the environment, and track and shut down the command-and-control communication, provide security and safety regardless of the credentials being used for initial access.”


Troy Batterberry, CEO and Founder, EchoMark follows with this:

   “Employees continue to contribute to cybersecurity risks faced by organizations, either through their poor credential practices or worse, deliberate acts of theft or leakage. Organizations must holistically raise their cybersecurity bar, including through much better identity requirements for their employees and also broader insider risk programs.”

Hopefully organizations are paying attention to this IBM report because it proves where the weak points in your defences are, and where you need to invest to address them.

New JavaScript Malware Aims To Steal Your Banking Data Says IBM

Posted in Commentary with tags on December 21, 2023 by itnerd

A new malware campaign that emerged in March 2023 used JavaScript web injections to try to steal the banking data of over 50,000 users of 40 banks in North America, South America, Europe, and Japan.

IBM’s security team discovered the threat and reports the campaign had been under preparation since at least December 2022, when the malicious domains were purchased. Though not specified, the initial infection is likely through malvertising, phishing, etc.

The FBI discovered that the JS script targets a specific page structure common across multiple banks. When the page contains a certain keyword and a login button with a specific ID, new malicious content is injected to intercept user credentials and one-time passwords (OTPs).

“The retrieved script is intentionally obfuscated and returned as a single line of code, which includes both the encoded script string and a small decoding script.

“In the past, we observed malware that directly injected the code into the compromised web page. However, in this campaign, the malicious script is an external resource hosted on the attacker’s server. It is retrieved by injecting a script tag into the head element of the page’s HTML document, with the src attribute set to the malicious domain.”

The malicious script masquerades as legitimate JavaScript CDNs (cdnjs[.]com and unpkg[.]com) to avoid detection and includes checks for specific security tools before executing.
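As an added example (not code from IBM’s report or from this post), the following Node.js snippet shows the defensive side of the injection pattern described above: it scans a page’s head element for external script tags whose host is not on an allowlist of expected script origins, flags hosts that merely borrow a trusted CDN’s name, and builds a matching Content-Security-Policy script-src value. The allowlist, the site host bank.example, and the sample HTML are constructed assumptions.

```javascript
// Hosts from which this (hypothetical) bank site expects to load scripts.
const ALLOWED_SCRIPT_HOSTS = new Set([
  'cdnjs.cloudflare.com', // real cdnjs delivery host
  'unpkg.com',            // real unpkg host
  'bank.example',         // the site's own host (assumed)
]);

// Return the <head>...</head> section, or the whole document if none is found.
function headSection(html) {
  const m = /<head[^>]*>([\s\S]*?)<\/head>/i.exec(html);
  return m ? m[1] : html;
}

// Extract every external script in the head as { src, host }.
function externalScripts(html) {
  const out = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(headSection(html))) !== null) {
    let host = null;
    try {
      // Protocol-relative URLs ("//host/path") are resolved against https.
      host = new URL(m[1], 'https://bank.example/').hostname.toLowerCase();
    } catch (e) {
      // Unparsable src: leave host null so the tag is still reported.
    }
    out.push({ src: m[1], host });
  }
  return out;
}

// A host that contains a trusted CDN's name but is not that CDN is the
// lookalike case the report describes (cdnjs[.]com / unpkg[.]com imitation).
function looksLikeCdnImpersonation(host) {
  if (!host || ALLOWED_SCRIPT_HOSTS.has(host)) return false;
  return /cdnjs|unpkg/.test(host);
}

// Scan a page and report each unexpected external script with a reason.
function findUnexpectedScripts(html, allowed = ALLOWED_SCRIPT_HOSTS) {
  return externalScripts(html)
    .filter((s) => !s.host || !allowed.has(s.host))
    .map((s) => ({
      src: s.src,
      host: s.host,
      reason: looksLikeCdnImpersonation(s.host)
        ? 'cdn-lookalike'
        : 'host-not-allowlisted',
    }));
}

// A Content-Security-Policy value built from the same allowlist; a browser
// enforcing it refuses to load a script from any other origin, so an injected
// <script src="https://lookalike/..."> never executes. 'self' covers the site.
function cspForAllowlist(allowed = ALLOWED_SCRIPT_HOSTS) {
  const thirdParty = [...allowed].filter((h) => h !== 'bank.example');
  return "script-src 'self' " + thirdParty.join(' ') + ';';
}

// Constructed sample page: two legitimate CDN scripts plus one injected tag
// whose host imitates cdnjs. The attacker host is a placeholder, not a real IoC.
const SAMPLE_HTML = `<!doctype html>
<html><head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script src="https://unpkg.com/vue@3/dist/vue.global.prod.js"></script>
<script src="//cdnjs-static.example-attacker.test/loader.js"></script>
</head><body><button id="login">Login</button></body></html>`;

// Convenience entry point: scan the constructed sample.
function scanSample() {
  return findUnexpectedScripts(SAMPLE_HTML);
}

console.log(scanSample());
console.log(cspForAllowlist());
```

The same check can be run against saved copies of a login page on a schedule, so that a script tag appearing in the head outside a deployment window becomes an alert rather than a surprise.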

Emily Phelps, Director, Cyware has this comment:

Cyber threats are continuously evolving to bypass detection mechanisms. This evolution accentuates the critical importance of proactive threat intelligence and trusted intelligence sharing, especially in sectors like finance which are frequently targeted due to their access to valuable data. Relying on tactics that exploit human behavior – such as phishing and malvertising – along with the development of technologies that circumvent traditional safeguards, security teams need real-time, context-rich threat intelligence to outpace threat actors.

Ted Miracco, CEO, Approov Mobile Security follows with this:

   “This attack highlights that the financial services sector is extremely vulnerable to fraud, especially when it is simply relying on user authentication and one time passwords (OTPs). Credential theft is the focus of attackers, and this JS attack demonstrates how vulnerable consumers are even with multi-factor authentication (MFA). 

   “Banks need additional security layers especially with mobile banking apps and can implement measures like app tampering detection, mobile app attestation, and runtime application self-protection (RASP) techniques to prevent attacks on APIs. These measures help prevent unauthorized modifications to the app that could introduce malicious code and may also prevent fraud from credentials that were stolen using web-based techniques like this.”

David Ratner, CEO, HYAS Infosec adds this comment:

   “Criminals will continue to find new and innovative ways to steal data and money. However, the infrastructure needed to conduct and carry out their attacks must be procured and set up in advance. Focusing on the adversary infrastructure layer is one of the best ways to drive resiliency and protection when the attack vector and technique will constantly change.”

Hopefully the fact that this malware is now getting attention will mean that it will be less effective for whomever is behind this. But as always, there will be a new threat that will emerge that will threaten users out there. Thus it would make sense to be on guard for anything and everything that could possibly be a threat.

IBM Says That Generative AI vs Human Phishing Techniques Save Hackers 16 Hours

Posted in Commentary with tags on October 25, 2023 by itnerd

According to new IBM research, “AI vs. human deceit: Unravelling the new age of phishing tactics,” generative AI tools can save phishing attackers 16 hours of work designing a scam email, but they still lack the human touch that makes emails convincing.

Researchers used five prompts, such as top areas of concern for employees and social engineering techniques, which churned out convincing phishing emails in just 5 minutes.

Meanwhile, the IBM X-Force Red social engineering team created their own phishing emails which tapped “creativity and a dash of psychology” to resonate more authentically with their targets which social engineering expert for IBM X-Force Red, Stephanie Carruthers, claimed is hard for AI to replicate. This process generally takes the IBM X-Force Red team about 16 hours and that’s not factoring in the infrastructure set-up.

A round of A/B testing revealed a 14% click rate for the human-generated phishing email which was slightly higher than the 11% rate of the AI-generated email. Also, the human-generated email was reported less frequently (52%) than the AI version (59%).

“Humans may have narrowly won this match, but AI is constantly improving. As technology advances, we can only expect AI to become more sophisticated and potentially even outperform humans one day,” Carruthers concluded.

Emily Phelps, Director, Cyware had this to say:
 
   “Generative AI is a huge tool for adversaries to expedite common threat tactics such as phishing. Although humans may have the edge for now, AI technologies are improving with each passing day. The time to prepare for these evolving tactics is now. We can no longer rely on poor grammar and typos to clue us in to phishing emails so we must bolster regular security awareness training. Organizations must strengthen security controls to better validate who can access data. As adversaries continuously adapt their tactics, organizations must as well, updating threat detection, improving threat intelligence orchestration, and maintaining vigilance across all levels to defend against today’s threats.”

AI could seriously tip the scales in favour of the bad guys on a number of fronts. Hopefully we heed the warnings that IBM have presented and come up with countermeasures that tip the scales back in our favour.

Cloud Vulnerabilities Surge 200% Due To Poor Security: IBM

Posted in Commentary with tags on September 14, 2023 by itnerd

The IBM X-Force Cloud Threat Landscape Report 2023 tracked 632 new cloud-related vulnerabilities between June 2022 and June 2023 and saw a 194% increase over the previous year bringing the total number tracked by the vendor to 3900, a number that has doubled since 2019. 

In 36% of the real-world cloud incidents, the top initial access point for cloud compromises was the use of valid credentials either attained during an attack or stolen prior to targeting a specific victim. That is a significant jump from the 9% observed the previous year.  

“[It] highlights the need for organizations to move beyond human-reliant authentications and prioritize technological guardrails capable of securing user identity and access management,” IBM analyst Chris Caridi said. 

The X-Force team found examples of poor security practices such as plaintext credentials located on user endpoints in 33% of incidents involving cloud environments. 

The next two most common access strategies, each 14% of engagements, were exploitation of public-facing applications and phishing and spear phishing.

Dave Ratner, CEO, HYAS had this to say:

   “Chris Caridi is correct that organizations need to do a better job of securing and authenticating user identity.  At the same time, bad actors will always break in, so the report also highlights the need for improved visibility and observability of anomalous communication patterns via Protective DNS — the telltale sign of an initial breach beaconing out to its command-and-control for instructions.  Only through a defense-in-depth strategy will organizations truly be able to implement business and operational resiliency.”

With the cloud being as pervasive as it is within most organizations, there really needs to be a focus on cloud security to ensure that this isn’t a threat to an organization’s security.

Healthcare Breach Costs Reach $11M With The Sector Having Trouble Attracting Talent Says IBM

Posted in Commentary with tags on July 24, 2023 by itnerd

According to IBM’s Cost of a Data Breach Report released today, the average healthcare data breach has reached $10.93 million which is an 8% jump from a year ago, when the average cost topped $10 million for the first time.  

For the 13th year in a row, the healthcare industry has suffered more expensive data breaches than any other sector. By comparison, the average cost of a data breach across all industries is less than half at $4.45 million.  

“We’re seeing a very big increase for healthcare organizations, probably because they’re really in the crosshairs of attackers. And there is no relenting so far,” said Limor Kessem, a senior cybersecurity consultant for IBM Security.  

Meanwhile, healthcare organizations have trailed other industries in their cybersecurity defenses as health systems have had trouble attracting top cybersecurity talent, because other industries pay better.  

“Security folks are going to work for places where they could get the bigger paycheck, and it’s not always going to be a healthcare organization,” Kessem says. “It’s a tough industry to get very skilled staff.” 

I have three comments on this. The first is from Carol Volk, EVP, BullWall:

   “Work smarter, not harder. There is good affordable automation available (and coming) in the cybersecurity field. Even the best cybersecurity teams get overwhelmed by too many alerts, so there is a serious effort to automate the filtering of those “alerts” to just those requiring immediate human interaction, effectively slowing down the alert pace to a manageable, human speed.  This is why the automation of detection and containment of attacks is more and more the focus. The attack is slowed or stopped before data can be affected, allowing defenders time to respond. The application of AI is expected to greatly accelerate this effort of determining what must be reviewed by humans for response.”

The second is from Emily Phelps, Director, Cyware

   “Healthcare will always be an attractive target for threat actors because of the valuable data they collect and store. Adversaries don’t only outnumber available cybersecurity pros; they collaborate effectively too. To mitigate the risks, healthcare organizations should leverage automation tools that enable lean security teams to efficiently address threats; they should ensure they invest in regular security awareness training so employees are armed to recognize and avoid common threat tactics such as phishing attacks; and they should consider partnering with security providers that can act as an extension of their teams, gaining expertise that is more difficult to resource and retain internally.”

And the last is from Stephen Gates, Principal Security SME, Horizon3.ai:

   “The healthcare industry is being impacted by an enormous threat landscape with vast numbers of threat actors who are looking to breach organizations’ networks, steal their data, hold them for ransom, and potentially destroy their businesses. The defensive technologies they have in place are proving to be insufficient in blocking today’s attacks. Continuously assessing your network attack surface, finding your weaknesses, remediating them immediately, and verifying that your remediations worked is the best way organizations can stay ahead of attackers. Consider attacking yourself daily, then fixing what matters most.”

The challenges with securing the healthcare space need to be fixed, and that needs to happen now. Whether that’s through automation, people, or both, the status quo cannot be allowed to continue.

Rapid7 Says That An IBM Aspera Vulnerability Has Been Used To Install Ransomware

Posted in Commentary with tags on March 29, 2023 by itnerd

Security researchers with Rapid7 have disclosed threat actors are exploiting a critical vulnerability in an IBM file-exchange application to install ransomware on servers. The IBM Aspera Faspex critical vulnerability, tracked at CVE-2022-47986, was patched by IBM in January.

Sylvain Cortes, VP of Strategy at Hackuity had this comment:

     “It is unsettling to note that for the same vulnerability (CVE-2022-47986) many cyber security companies have their own information that remains fragmented. It is important to be able to unify this information from several vendors in order to maximize its defense operations and trigger the right response. Solutions that aggregate vulnerability-related data from vulnerability scanners, EDRs or even service practices provide organizations with the critical visibility they depend on.”

This reminds me of the GoAnywhere file transfer solution vulnerability that has led to multiple organizations being pwned by the Cl0p ransomware group. Except that we haven’t seen threat actors exploit this one to the same degree that Cl0p has. If you use IBM Aspera, you should be applying these patches ASAP, assuming you haven’t already, so this doesn’t turn into another GoAnywhere situation.

Time To Deploy Ransomware Down… Successful Ransomware Prevention Up: IBM

Posted in Commentary with tags on February 22, 2023 by itnerd

According to IBM, ransomware prevention saw massive improvements in 2022, while ransomware time to deploy (TTD) dropped by 94%, just two findings derived from billions of datapoints collected in 2022 from network and endpoint devices by IBM and reported on in their “X-Force Threat Intelligence Index 2023.” This is a wide-ranging report with excellent stats:

  • 27% – Percentage of attacks included extortion – 30% aimed at manufacturing
  • 21% – Share of incidents that saw backdoors deployed – the top action on objective
  • 17% – Ransomware’s share of attacks (down from 21% in 2021)
  • 41% – Percentage of incidents involving phishing for initial access
  • 26% – Exploited public-facing applications
  • 100% – Increase in the number of thread hijacking attempts per month

Top impacts 2022

  • 21% – Extortion
  • 19% – Data theft
  • 11% – Credential harvesting
  • 11% – Data leak
  • 9% – Brand reputation

This is a bit of a mixed bag. But at least the fact that ransomware is being stopped is good news.

Morten Gammelgaard, EMEA, co-founder of BullWall had this to say:

   “It is excellent news that ransomware prevention is improving, if for no other reason than it diverts cybercriminals away from executing attacks to developing new tactics, which they will. With extortion, data theft, data leaks and brand reputation being the top 4 out of 5 ways ransomware impacted organizations in 2022, organizations cannot rely solely on prevention and need to also consider active defense/containment strategies to catch the attacks that bypass prevention-based tools. When an active attack is unable to encrypt or exfiltrate data, organizations are given time to respond, eliminating 80% of the potential impact to their business.”
David Maynor, Senior Director of Threat Intelligence at Cybrary followed up with this:

“There are three kinds of lies: lies, damn lies, and ransomware stats. For the last couple of months, depending on who you ask, ransomware attacks are becoming less of a problem or they are increasing. If your risk model is based on arbitrary thresholds like ‘at 20% we don’t address it but we take it seriously at 21% of attacks seen’… you have already lost, and a ransomware actor is probably watching you read this.”

Hopefully when this report comes out in 2024, we see more ransomware being stopped which means by extension that ransomware is less profitable for the people behind ransomware.

IBM Axes Nearly 4000 Jobs

Posted in Commentary with tags on January 26, 2023 by itnerd

The tech layoffs continue with IBM being the latest company to lay staff off. They announced yesterday that nearly 4000 had gotten the axe:

Chief Financial Officer James Kavanaugh told Reuters that the company was still “committed to hiring for client-facing research and development”.

The layoffs — related to the spinoff of its Kyndryl business and a part of AI unit Watson Health — will cause a $300 million charge in the January-March period, IBM said.

But here’s the really bad part about this. Investors don’t think the cuts went far enough:

Shares of the company fell 2% in extended trading, erasing earlier gains on the largely upbeat results. Analysts said news of the job cuts and free cash flow miss was behind the drop.

“It seems as if the market is disappointed by the size of its announced job cuts, which only amounted to 1.5% of its workforce,” said Jesse Cohen, senior analyst at Investing.com.

“Investors were hoping for deeper cost-cutting measures.”

If that is true it really is a sad commentary on the times that we live in. Having people lose their jobs shouldn’t be seen as a sport where the biggest job cuts announced by a company wins. But clearly that’s how Wall Street sees things. And that’s sad.