A new backgrounder on the BlackCat ransomware gang, movement from REvil and millions stolen from another DeFi system.
Welcome to Cyber Security Today. It’s Friday April 22nd, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
The FBI has issued another in a series of background reports on ransomware gangs. This one is on the BlackCat or ALPHV gang. The purpose of these reports is to give IT defenders information on the tactics used by malware operators and indicators of compromise. The FBI estimates that as of last month the BlackCat operators had compromised at least 60 organizations around the world. Usually this gang or its affiliates use stolen user credentials to access the IT systems of victims, then they try to get into Active Directory to get hold of administrator accounts. After disabling security features Windows Task Scheduler is used to deploy the ransomware.
More on ransomware: After laying low for some months the REvil ransomware gang may have stirred. According to the Bleeping Computer news site the gang’s servers on the Tor network are redirecting to a new data leak site that lists two new victims. This new site is also being promoted on a criminal forum. A few months ago Russia announced some members of the REvil gang were arrested. It isn’t clear if that led to the disruption of the gang or the leaders have been sitting quiet — until now.
Cisco Systems has released a patch for a vulnerability in its Umbrella Virtual Appliance. Umbrella is a cloud-based cybersecurity service that combines a secure web gateway, firewall, and cloud access security broker for logins. Rated as high, the vulnerability could allow an unauthenticated remote attacker to impersonate a virtual appliance. As a result the patch needs to be installed promptly.
There’s more evidence that the digital coin industry still doesn’t understand cybersecurity, controlling business processes and human nature. According to researchers at Omniscia, the Beanstalk stablecoin project suffered a US$182 million loss of cryptocurrency last Sunday at the hands of a crook. How? First a definition of this project. It’s a decentralized finance, or DeFi, operation. Participants earn rewards by contributing funds to a central funding pool. Like many DeFi projects, it has a majority vote governance system. What happened was someone exploited a flaw in the voting code and initiated what’s called a flash loan. Flash loans are allowed by voters. But in this case someone gamed a newly-introduced system. In May Beanstalk will hold a fundraiser to try to restore funds.
Attention Facebook users: There’s a new scam going on trying to steal your login credentials. According to researchers at Abnormal Security, targets get an email claiming their account is about to be disabled because of repeated postings that violate Facebook’s policies. To avoid having the account killed the victim has to click on a link in the email to file an appeal. That leads to a form where the target has to enter their name, email address and Facebook password. Think carefully before entering a password after clicking on a link. If you’re worried after getting a message like this from any service you use don’t click on a link. Instead go to the site directly and log in to your account.
That’s it for now. But remember later today the Week in Review podcast will be available. Guest commentator David Shipley of Beauceron Security will join me to discuss ransomware, zero-day vulnerabilities and a new criminal marketplace hoping to sell stolen corporate data to other companies.
Remember links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.