The IT Nerd

Symantec has spotted a new Russia-linked threat actor Dubbed Graphiron deploying a new information-stealing malware against targeting Ukraine. The malware is attributed to a group known as Nodaria, which is tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0056. 

The Symantec paper is worth your time to read, but here’s the TL:DR:

• The malware is written in Go and is designed to harvest a wide range of information from the infected computer, including system information, credentials, screenshots, and files.
• Graphiron is a two-stage threat consisting of a downloader (Downloader.Graphiron) and a payload (Infostealer.Graphiron).
• The downloader contains hardcoded command-and-control (C&C) server addresses. When executed, it will check against a blacklist of malware analysis tools by checking for running processes.
• The group’s usual infection vector is spear-phishing emails, which are then used to deliver a range of payloads to targets.

David Maynor, Senior Director of Threat Intelligence at Cybrary:

   “Ukraine has the dubious honor of serving as a canary in a coal mine for tools, techniques, and procedures of Russian attacks. That’s why I pay close attention to CERT-UA for new attacks.”

You should pay attention to this threat actor as well because it is only a matter of time before this group starts going after targets in the west.

Symantec has released a blog post detailing a new threat actor named “Billbug” which appears to be a nation state actor that is going compromised a certificate authority as well as government agencies:

Symantec, by Broadcom Software, was able to link this activity to a group we track as Billbug due to the use in this campaign of tools previously attributed to this group. Billbug (aka Lotus Blossom, Thrip) is a long-established advanced persistent threat (APT) group that is believed to have been active since at least 2009. Symantec has previously published on this group’s activity in 2018 and 2019 under the Thrip name, but following our 2019 investigation, we determined that Thrip and Billbug were most likely the same group so now track all activity under the Billbug name.

In activity documented by Symantec in 2019, we detailed how the group was using a backdoor known as Hannotog (Backdoor.Hannotog) and another backdoor known as Sagerunex (Backdoor.Sagerunex). Both these tools were also seen in this more recent activity.

The victims in this campaign included a certificate authority, as well as government and defense agencies. All the victims were based in various countries in Asia. Billbug is known to focus on targets in Asian countries. In at least one of the government victims, a large number of machines on the network were compromised by the attackers.

The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines. It could also potentially use compromised certificates to intercept HTTPS traffic. However, although this is a possible motivation for targeting a certificate authority, Symantec has seen no evidence to suggest they were successful in compromising digital certificates. Symantec has notified the cert authority in question to inform them of this activity.

This activity has been ongoing since at least March 2022.

Kevin Bocek, VP of Security Strategy and Threat Intelligence, Venafi had this to say

“The compromise of a digital certificate authority (CA) is bad news. CAs are a vital centerpiece in the system of identity that keeps our online world running securely. A CA issues companies with TLS certificates – a type of machine identity that enables secure machine-to-machine communication. This identity tells other machines that it can be trusted. It is this system that enables the green padlock we are all so familiar with now. If a CA is compromised, all the identities associated with it come into question. 

In this particular case, the attack on the CAs has all the tell-tale signs of a sophisticated nation state attack. However, this doesn’t just impact the CAs – every business, consumer and government that relies on these CAs to know whether a digital service is real or fake, and whether communications are private or tapped, is impacted. An attacker could use this position of power to conduct man-in-the-middle attacks, to intercept encrypted traffic, or to issue identities for malicious or fraudulent services to enable them to be trusted by major browsers and operating systems. We’ve seen this play out with attacks such as DigiNotar in the Netherlands.  

To remediate the problem, just as you change your passwords if they are breached, CISOs, CIOs and CEOs must do the same for machine identities. In today’s age of businesses running in the cloud, organizations must quickly identify and remove all certificates associated with unknown and untrusted CAs, and replace them with new certificates from trusted sources. Yet an organization could have hundreds, if not thousands of identities to replace. This is why organizations need to invest in a control plane that can automate the management of machine identities.” 

Sitaram Iyer, Senior Director of Cloud Native Solutions, Venafi had this to add:

“This compromise of a certificate authority (CA) highlights the importance of managing all machine identities in an enterprise. If the compromised were to be the root CA, then the attacker can potentially gain full control over the entire PKI infrastructure and compromise the trust in the system. Revocation of all the certificates issued by this CA must be revoked and replaced. This certainly comes at a high-cost effort – and in most cases, credibility of the organization.  

This can be even more catastrophic as organizations create subordinate CAs that are used for signing workloads in cloud native environments for managing pod or mesh identities. The sheer volume of these identities and the need to revoke all subordinates, recreate them and issue identities for workloads is a huge effort.  

Protecting and managing all the machine identities, irrespective of where and how it’s used, is critical for creating an enterprise security posture. Manual processes need to be eliminated, and all machine identity management should be 100% automated with security teams having the right kind of observability.” 

Clearly this is a threat actor that needs monitoring as they aren’t going away. In fact it seems that the longer they are around, the more sophisticated that they get.

You might remember that a few weeks ago, a very dangerous router malware named VPNFilter was discovered, and it caused massive levels of concern as it installed itself on routers and was hard to get rid of. Today Symantec is offering up a tool to check to see if you’re infected. Simply go to this site, and follow the simple instructions to see if you are infected. If you are, the site provides instructions on how to get rid of the infection. I’d strongly recommend using this tool to ensure that you’re not infected as you can’t be too careful these days.

Canadians are confident they’re safe online, but hackers have proven otherwise, stealing $1.8 billion from 10 million Canadians in the past year according to the 2017 Norton Cyber Security Insights Report, released today by Norton by Symantec.

Globally, cybercrime victims share a similar profile: they are everyday consumers who use multiple devices whether at home or on the go, but have a blind spot when it comes to cyber security basics. This group tends to use the same password across multiple accounts or share it with others. Equally concerning, 39 per cent of global cybercrime victims, despite their experience, gained trust in their ability to protect their data and personal information from future attacks and 33 per cent believed they had a low riskof becoming a cybercrime victim.

Canadians Slow to Embrace Cyber Security Safety Measures and Leave Their Virtual Door Unlocked

Canadians are adopting device protection technologies such as fingerprint ID, pattern matching and facial recognition, but appear to be doing so at a slower pace than American consumers. Thirty-three per cent of Canadian cybercrime victims used fingerprint ID (45 per cent in the U.S.), 13 per cent used a personal VPN (19 per cent in the U.S.), 9 per cent used pattern matching (21 per cent in the U.S.) and 6 per cent used facial recognition (16 per cent in the U.S.). However, consumers who adopted these technologies often still practice poor password hygiene and fell victim to cybercrime.

• Consumers express confidence, but are more prone to attacks as they protect newer and more devices. Thirty-four per cent of Canadian cybercrime victims owned a smart device for streaming content, compared to 25 per cent of non-victims.
• Despite experiencing a cybercrime within the past year, 52 per cent of cybercrime victims in Canada shared their passwords for at least one device or account with others. By comparison, only 31 per cent of non-cybercrime victims share their passwords with others. Cybercrime victims in Canada were also more likely to share their passwords for potentially sensitive online accounts such as banking (17 per cent cybercrime victims vs. 12 per cent non-cybercrime victims), social media (20 per cent cybercrime victims vs. 12 per cent non-cybercrime victims) and email accounts (22 per cent cybercrime victims vs. 14 per cent non-cybercrime victims).

Consumer Boundaries Skewed Between Cybercrime and “Real Life”

Eighty-four per cent of Canadian consumers believe cybercrime should be treated as a criminal act. However, when pressed, contradictions emerged. Eighteen per cent believe stealing information online was not as bad as stealing property in ‘real life.’ Additionally, when presented with examples of morally questionable online behavior, 38 per cent of Canadians believed the activities were sometimes acceptable. Those activities included reading someone’s emails without their consent (23 per cent), using a false photo or someone else’s photo to identify themselves online (18 per cent), and even accessing someone’s financial accounts without their permission (12 per cent).

The State of Consumers’ Trust

Despite this year’s cyberattacks, Canadians generally continue to trust the institutions that manage their data and personal information. However, they are not as trusting of some institutions and organizations.

• Canadians gained or maintained trust in organizations such as banks and financial institutions (86 per cent), and identity theft protection service providers (79 per cent) despite the attacks that made headlines this year.
• Alternatively, 38 per cent of Canadians lost trust in their government to manage their data and personal information within the past year. Thirty-five per cent lost trust in social media platforms.
• Twenty-nine per cent of Canadian cybercrime victims trust in themselves to manage their data and personal information.

To learn more about the real impact of cybercrime and how consumers can protect their digital information, go here for more information.

About the Norton Cyber Security Insights Report

The Norton Cyber Security Insights Report is an online survey of 21,549 individuals ages 18+ across 20 markets, commissioned by Norton by Symantec and produced by research firm Reputation Leaders. The margin of error for the total sample is +/-.7%. The Canadian sample reflects input from 1,120 Canadian adults ages 18+. The margin of error is +/- 2.9% for the total Canada sample. Data was collected Oct. 5 – Oct. 24, 2017 by Reputation Leaders.

How Norton Defines Cybercrime

The definition of cybercrime continues to evolve, as avenues open up that allow cybercriminals to target consumers in new ways. Each year, Norton will evaluate current cybercrime trends and update the report’s methodology as needed to ensure the Norton Cyber Security Insights Report provides an accurate snapshot of the impact of cybercrime as it stands today. In the 2017 Norton Cyber Security Insights Report, a cybercrime is defined as, but not limited to, a number of specific actions, including identity theft, credit card fraud or having your account password compromised. For the purposes of this report, a cybercrime victim is a survey respondent who confirmed one or more of these incidents took place.

Cyber criminals revealed new levels of ambition in 2016 – a year marked by extraordinary attacks, including multi-million dollar virtual bank heists and overt attempts to disrupt the U.S. electoral process by state-sponsored groups, according to Symantec’s Internet Security Threat Report (ISTR), Volume 22, released yesterday.

Symantec’s ISTR provides a comprehensive view of the threat landscape, including insights into global threat activity, cyber criminal trends and motivations for attackers. Key highlights include:

Subversion and Sabotage Attacks Emerge at the Forefront

Cyber criminals are executing politically devastating attacks in a move to undermine a new class of targets. Cyber attacks against the U.S. Democratic Party and the subsequent leak of stolen information reflect a trend toward criminals employing highly-publicized, overt campaigns designed to destabilize and disrupt targeted organizations and countries. While cyber attacks involving sabotage have traditionally been quite rare, the perceived success of several campaigns – including the U.S. election and Shamoon – point to a growing trend to criminals attempting to influence politics and sow discord in other countries.

Nation States Chase the Big Scores

A new breed of attackers revealed major financial ambitions, which may be an exercise to help fund other covert and subversive activities. Today, the largest heists are carried out virtually, with billions of dollars stolen by cyber criminals. While some of these attacks are the work of organized criminal gangs, for the first time nation states appear to be involved as well. Symantec uncovered evidence linking North Korea to attacks on banks in Bangladesh, Vietnam, Ecuador and Poland. 

Attackers Weaponize Commonly Used Software; Email Becomes the Weapon of Choice

In 2016, Symantec saw cyber criminals use PowerShell, a common scripting language installed on PCs, and Microsoft Office files as weapons. While system administrators may use these common IT tools for daily management tasks, cyber criminals increasingly used this combination for their campaigns as it leaves a lighter footprint and offers the ability to hide in plain sight. Due to the widespread use of PowerShell by attackers, 95 percent of PowerShell files seen by Symantec in the wild were malicious.

The use of email as an infection point also rose, becoming a weapon of choice for cyber criminals and a dangerous threat to users. Symantec found one in 131 emails contained a malicious link or attachment – the highest rate in five years. Further, Business Email Compromise (BEC) scams, which rely on little more than carefully composed spear-phishing emails – scammed more than three billion dollars from businesses over the last three years, targeting over 400 businesses every day.

Caving in to Digital Extortion: Americans Most Likely to Pay Ransom Demands

Ransomware continued to escalate as a global problem and a lucrative business for criminals. Symantec identified over 100 new malware families released into the wild, more than triple the amount seen previously, and a 36 percent increase in ransomware attacks worldwide.

However, the United States is firmly in the crosshairs of attackers as the number-one targeted country. Symantec found 64 percent of American ransomware victims are willing to pay a ransom, compared to 34 percent globally. Unfortunately, this has consequences. In 2016, the average ransom spiked 266 percent with criminals demanding an average of$1,077 per victim up from $294 as reported for the previous year.

Cracks in the Cloud: The Next Frontier for Cyber Crime is Upon Us

A growing reliance on cloud services has left organizations open to attacks. Tens of thousands of cloud databases from a single provider were hijacked and held for ransom in 2016 after users left outdated databases open on the internet without authentication turned on.

Cloud security continues to challenge CIOs. According to Symantec data, CIOs have lost track of how many cloud apps are used inside their organizations. When asked, most assume their organizations use up to 40 cloud apps when in reality the number nears 1,000. This disparity can lead to a lack of policies and procedures for how employees access cloud services, which in turn makes cloud apps riskier. These cracks found in the cloud are taking shape. Symantec predicts that unless CIOs get a firmer grip on the cloud apps used inside their organizations, they will see a shift in how threats enter their environment.

About the Internet Security Threat Report

The Internet Security Threat Report provides an overview and analysis of the year in global threat activity. The report is based on data from Symantec’s Global Intelligence Network, which Symantec analysts use to identify, analyze and provide commentary on emerging trends in attacks, malicious code activity, phishing and spam.

Symantec will host a webinar on this year’s ISTR results on May 16 at 10 a.m. Pacific / 1 p.m. Eastern. For more information or to register, please go here . Please visit Symantec’s website to download the full report plus supplemental assets.

If you’re a fan of Poker, you’ll recognize the name of Masaaki Kagawa. For those who who aren’t into poker, he’s an avid and successful poker tournament player who won more than $1 million in worldwide tournaments. He also had a side hobby. He ran operation that dealt in Android Marware. Mr. Kagawa’s operation began around September, 2012 and ceased in April, 2013 when authorities in Tokyo raided the company office. Symantec confirmed around 150 domains were registered to host malicious Android apps during this span. The group was able to collect approximately 37 million email addresses from around 810,000 Android devices. As a result, the company earned approximately $3.9 million US dollars by running a fake online dating service called Sakura site. Spam used to lure victims to the dating site was sent to the addresses collected by the malware.

If you want more detail about Kagawa and how Symantec helped to take him down and stop this threat to Android users click here. It shows how security companies like Symantec is making the digital world safe for all.