Archive for Mandiant

Ransomware Resurged In 2023 With 50 New Variants: Mandiant

Posted in Commentary with tags on June 4, 2024 by itnerd

In a report published by Mandiant on Monday, despite law enforcement operations against prolific ransomware groups such as ALPHV/BlackCat, ransomware activity increased in 2023 compared to 2022 with researchers observing 50 new ransomware variants and a third branching off of existing malware.

Researchers also saw a 75% increase in posts on ransomware groups’ data leak sites. This is consistent with a Chainalysis report stating that a record breaking $1bn was paid to ransomware attackers in 2023.

Code reuse, actor overlaps and rebrands have become common in the modern ransomware threat landscape. According to Mandiant, the increase in extortion activities is likely driven by factors including:

  • New entrants
  • New partnerships between groups
  • Ransomware services by actors previously associated with disrupted, prolific groups

Finally, Mandiant found that threat actors increased their reliance on remote management tools in ransomware operations, 41% in 2023 compared to 23% of intrusions in 2022.

Emily Phelps, Director, Cyware had this to say:

   “The proliferation of new ransomware variants and the surge in extortion activities reinforce the urgent need for a collective defense strategy. To get ahead of these threats, organizations must be enabled to share threat intelligence and defensive strategies. By adopting integrated solutions that facilitate seamless information sharing and collaboration, organizations can better defend against these sophisticated attacks and minimize the impact of ransomware on their operations.”

Given that I reported on an apparent ransomware attack as recently as this morning, this is something that requires a lot of focus. Because we’re on the edge of having ransomware get out of control. If it hasn’t already.

UPDATE: BullWall Executive, Carol Volk had this to say:

   “In promptly shutting down affected systems and reporting the incident to the SEC, Frontier demonstrated a solid response strategy. This approach, focused on containment and transparency, likely minimized the impact of the attack despite the sensitive data involved.

   “If the “containment they had in place was in fact a ransomware containment system, it would account for their quick turnaround in dealing with the breach.

   “This incident underscores the need for all organizations to have well-defined ransomware containment strategies. Frontier’s handling of the situation serves as a reminder of the critical importance of preparation and quick action in the face of cyber threats.”

Dave Ratner, CEO, HYAS adds this:

   “Preparation for this rise in ransomware requires more than confirming backups and checking configurations — without the implementation of cyber resiliency solutions, as suggested by everyone from CISA to the White House — organizations will remain vulnerable and susceptible.  The deployment of solutions like PDNS and others can be accomplished in short order, rapidly shift the tide, and should be done immediately.”

Leave a comment »

Google/Mandiant To The World: There are Lots Of Cyber Threats That Can Influence Elections

Posted in Commentary with tags , on April 27, 2024 by itnerd

From the “we better be paying attention to this” department comes Google’s recent Mandiant report that lists a dozen different ways cyber threat actors can influence elections. From the executive summary:

  • The election cybersecurity landscape globally is characterized by a diversity of targets, tactics, and threats. Elections attract threat activity from a variety of threat actors including: state-sponsored actors, cyber criminals, hacktivists, insiders, and information operations as-a-service entities. Mandiant assesses with high confidence that state-sponsored actors pose the most serious cybersecurity risk to elections.
  • Operations targeting election-related infrastructure can combine cyber intrusion activity, disruptive and destructive capabilities, and information operations, which include elements of public-facing advertisement and amplification of threat activity claims. Successful targeting does not automatically translate to high impact. Many threat actors have struggled to influence or achieve significant effects, despite their best efforts. 
  • When we look across the globe we find that the attack surface of an election involves a wide variety of entities beyond voting machines and voter registries. In fact, our observations of past cycles indicate that cyber operations target the major players involved in campaigning, political parties, news and social media more frequently than actual election infrastructure.  
  • Securing elections requires a comprehensive understanding of many types of threats and tactics, from distributed denial of service (DDoS) to data theft to deepfakes, that are likely to impact elections in 2024. It is vital to understand the variety of relevant threat vectors and how they relate, and to ensure mitigation strategies are in place to address the full scope of potential activity. 
  • Election organizations should consider steps to harden infrastructure against common attacks, and utilize account security tools such as Google’s Advanced Protection Program to protect high-risk accounts.

 Madison Horn (OK-5) Congressional Candidate had this comment:

In the recent Mandiant report by Google, a range of cyber threats to elections is detailed, but the proliferation of mis- and disinformation campaigns stands out as particularly alarming. These campaigns, which meticulously erode trust in governmental institutions and corrupt democratic processes, pose a severe threat that transcends political lines and demands immediate action.

Driven by motives ranging from shifting electoral outcomes to undermining public confidence and generating profit, these disinformation efforts are often orchestrated by state-backed entities from nations such as China, Russia, and Iran. Their impact is undeniable, as seen in instances like Russia’s involvement in the 2016 U.S. election and China’s ongoing global influence operations, which starkly demonstrate their capacity to sway public opinion and disrupt electoral integrity.

The avenues for these campaigns are primarily popular social media platforms—X, Telegram, Facebook—and YouTube, making the digital battlefield as accessible as it is dangerous. The consequences are profound, resulting in increased voter disengagement, the rise of unqualified leaders, and the destabilization of nations.

This is an urgent security issue that cannot be politicized. The integrity of our democracy is in jeopardy, making it imperative that we elect officials who grasp the complexity of these modern challenges. We need leaders who are committed to implementing robust cybersecurity measures, enhancing digital literacy, and fostering international cooperation to counteract the pervasive influence of state-sponsored disinformation. Our response must be swift and resolute to safeguard our democratic processes.

My opinion is that we all need to be paying attention to this and acting on this report to make sure that elections regardless of where they are are conducted in a free and fair manner without interference. The thing that concerns me is that we live in such a partisan environment at the moment that this could become a partisan issue. And it shouldn’t be regardless wherever on the political spectrum you happen to be on.

Leave a comment »

Mandiant Discovers Pro Chinese Information Operations Campaign

Posted in Commentary with tags on August 4, 2022 by itnerd

Mandiant today has released their findings on an ongoing Pro-PRC IO campaign leveraging infrastructure from a Chinese PR firm to spread content to inauthentic news sites. Mandiant identified at least 72 suspected sites and a number of suspected social media assets which disseminate content strategically aligned with the political interests of the People’s Republic of China (PRC). The sites present themselves primarily as independent news outlets from different regions across the world, publishing content in 11 languages. The sites are believed to be linked to Shanghai Haixun Technology Co., Ltd, a Chine PR firm.

Chris Olson, CEO of The Media Trust had this comment:

     “By now it’s widely recognized that the Web is a dangerous tool for spreading propaganda, manipulating elections and changing public opinion – but we rarely recognize how deep the problem goes. Aside from creating fake websites to spread their message, foreign adversaries regularly leverage otherwise legitimate news platforms to spread their stories in the U.S and around the world.

With the help of third-party code – which includes promoted content features and programmatic advertising – nation-state actors can reach consumers across social media and entertainment sites, mobile apps, news platforms and more. Until publishers, developers and legislators commit to defending our digital borders – not just our physical ones – misinformation and propaganda will continue to spread unchecked.”

This really underscores the line “don’t believe everything that you read”. But you can buy into the Mandiant report and it is very much worth reading as the detail level of this campaign is excellent and will give you a great view into how this campaign works.

Leave a comment »

2021 Accounted For 40% Of Zero-Days In The Last Decade

Posted in Commentary with tags , on April 23, 2022 by itnerd

Researchers with Mandiant have released findings on 80 zero-days exploited “in the wild”, a surge in verified zero-day exploits over the course of the last year. Additionally, Google’s Project Zero said Tuesday that they tracked 58 cases of zero-day exploits in the wild last year. 2021 accounted for 40% of zero-day attacks undertaken in the last decade. That’s massive explosion of zero-days which means that users are less safe as a result.

I have two comments from industry experts. The first is from Saumitra Das, CTO and Cofounder, Blue Hexagon:

“Zero-day exploits and variants of malware that go after them have been on consistent rise as attackers invest in automation and research. Many of the zero-days discovered in old software like print spooler (print nightmare) are being discovered by overseas research teams. These can then be weaponized at scale and quickly by attackers using mutated malware to get in. In many cases, attacker use an existing foothold and simply try out a new POC at a victim.”

The second comment is from Chris Olson, CEO, The Media Trust:

“Not only is the number of zero-day attacks rising, but malicious actors are exploiting them faster than ever before. In December, Chinese actors were targeting the Log4Shell vulnerability only hours after its initial disclosure. With the cybersecurity landscape dominated by increasingly sophisticated threat actors, we can expect the incidence of zero days to rise in 2022, especially with heightened political tensions around the world.”

“In response, organizations should be particularly vigilant against underemphasized attack surfaces such as websites and mobile apps if they want to protect their customers. Based on our observations, we expect a rise in attacks based on polymorphic and obfuscated code, rapid URL shifting and other advanced techniques to deliver ransomware and other malicious executables.”

Zero-days are now the new normal, which means that organizations need to hunt down these threats make sure your ensure their defences are on point. Because the bad guys are out there hunting for zero-days that they can exploit. Which means that you are under threat as a result.

Leave a comment »

Mandiant Uncovers Threat Actors Known As FIN7

Posted in Commentary with tags on April 6, 2022 by itnerd

Mandiant research has disclosed a threat actor group known as FIN7 which has leveraged multiple methods of initial and secondary access into victim networks including phishing, compromising third-party systems, RDP and more to target software, consulting, cloud services and medical equipment organizations. The activity following FIN7 as well as the technical overlaps suggest FIN7 actors have been associated with various ransomware operations over time.

Yaron Kassner, CTO and Cofounder, Silverfort had this comment on the Mandiant research:

“According to Mandiant’s report Fin7 were using Kerberoasting, a method to break service account passwords. They were also stealing credentials to move laterally with RDP and SSH. These are common methods used in cyber-attacks because they are simple ways to gain access to additional systems and these interfaces aren’t always protected with MFA. Organizations should monitor authentication traffic to detect these techniques. They should also use MFA for human accounts, and virtual fencing for service accounts, to make sure the attacker doesn’t get beyond the initial point of access.”

Besides using MFA, passwordless authentication options should be considered as well. Many vendors either have these solutions already in the marketplace, or they are coming to market to respond to threat actors like FIN7.

Leave a comment »

1 in 7 Ransomware Attacks Leak Critical OT Info: Mandiant

Posted in Commentary with tags , on February 1, 2022 by itnerd

Mandiant Threat Reporting research has recently disclosed 1 in 7 Ransomware Extortion Attacks Leak Critical Operational Technology Information. In 2021, Mandiant Threat Intelligence observed ransomware operators extorting thousands of victims by disclosing terabytes of stolen info on shaming sites. This trend, called “Multifaceted Extortion” impacted over 1,300 organizations from critical infrastructure and industrial production sectors in just one year:

Based on our analysis, one out of every seven leaks from industrial organizations posted in ransomware extortion sites is likely to expose sensitive OT documentation. Access to this type of data can enable threat actors to learn about an industrial environment, identify paths of least resistance, and engineer cyber physical attacks. On top of this, other data also included in the leaks about employees, processes, projects, etc. can provide an actor with a very accurate picture of the target’s culture, plans, and operations.

That in effect implies that the attack surface that an enterprise would have to protect is huge. And I’m not the only one who thinks so. Sam Jones, VP of Product Management, Stellar Cyber:

“The reality of today’s enterprises is that data is everywhere. It is on the computer, it is in SaaS apps, it is in homegrown apps, and it is likely now on employee personal computing assets. Unless a holistic data protection plan is in place, and an enterprise is detecting across all forms of the attack surface, this will likely be a worsening problem for most enterprises.”

I’d encourage enterprises of all sizes to read this report. Then they should consider how best to defend themselves. Be it using software, hardware, policies, or whatever is needed to get the job done.

UPDATE: Sanjay Raja, VP of Products and Solutions for Gurucul added this comment:

“The Mandiant report highlights how ransomware isn’t a ‘one-and-done’ attack campaign. While ransomware is seemingly focused on getting paid to unlock your sensitive data, threat actors often return multiple times once they are successful at an attack, knowing the victim has paid once. We also knew they often replicate the data for themselves for sale even as they lock organizations out of their own data. However, this additional extortion through threats of posting the already stolen data is another example of how threat actors find ways to extract more out of their victims. It feels like a never-ending cycle for targeted organizations. This reinforces the need to evaluate newer and more advanced technologies beyond current XDR and SIEM platforms as part of ongoing threat detection and response initiatives within security operations to prevent a successful detonation of ransomware. Prioritizing solutions that automate detection, prioritize seemingly random indicators of compromise for further investigation and even automating responses with a high-level of confidence and low impact are critical in deciding where to invest.”

UPDATE #2: Saumitra Das, CTO and Cofounder, Blue Hexagon added this commentary:

“The IT/OT barrier is more a logical separation than an actual one. Attacks typically start on the IT side and propagate into OT because of improper network segmentation and privilege limitations. In light of this report, focusing on the IT/OT boundary and protecting access to the OT networks is critical because defending against a threat once inside the OT network is much harder. Attackers can not only use IT network compromise to laterally move to OT but can now obtain detailed information and diagrams so they can plan their attack into the OT side.”

Leave a comment »

Mandiant Shows How Chinese Hackers Did Their Dirty Work

Posted in Commentary with tags , , on February 21, 2013 by itnerd

Never heard of Mandiant? You’ll be paying attention to them after you read their report [Warning: PDF] on a group of Chinese hackers called APT1. Mandiant also has a video on this topic for your viewing pleasure:

Now, if you want to protect yourself, they can help with that too. The linked zip file contains everything you need to stop your organization from being attacked by APT1. At least they’re simply not scaring people.

Given how dangerous Chinese hackers are, I believe it’s prudent for companies to heed these warnings. Even if your not a corporation, the report is worth a read just to see how much hacking has evolved.

Leave a comment »