Welcome to Cyber Security Today. From Toronto this is the Week in Review edition of the podcast for the week ending Friday, Feb. 23rd, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes Terry Cutler of Cyology Labs will be here to discuss recent news. But first a review of headlines from the past seven days:
Law enforcement agencies from 10 countries hit the LockBit ransomware gang where it hurts: They seized control of its website, 28 servers and more. This will be Topic 1 in the discussion, which will also include reports of organizations still seeing no alternative but to pay ransomware gangs.
We’ll also look at a report that the department of a U.S. state was compromised through a former employee’s credentials, the ending of a Canadian program to help small companies modernize their IT and why companies hit by data breaches don’t notify victims faster.
Also in the news this week, researchers at Cisco Systems said threat actors are increasingly taking advantage of the Google Cloud Run service in phishing attacks. Google Cloud Run enables developers to build and deploy web services on Google Cloud. But it’s also an inexpensive way to deploy malware distribution infrastructure that probably isn’t blacklisted by many security applications. The Cisco report includes URLs, IPs and domains to be blocked.
Hackers are increasingly getting hold of and exploiting valid account credentials as an initial way of breaking into IT networks. That’s according to a new IBM report that — again — emphasizes the need for IT departments to implement identity and access management controls.
Developers of the Anatsa trojan that hides in malicious Android apps are more active. This malware steals the bank login credentials of victims foolish enough to download the bad apps. Researchers at ThreatFabric say the latest version has added more financial institutions to its target list. Researchers also say the latest version targets Samsung smartphones. Banks need to watch for suspicious withdrawals from mobile devices.
And two more malicious packages have been found on the open-source PyPI library for Python. Researchers at ReversingLabs say the pair of packages use DLL sideloading to launch malware. As with many phony packages, their names were close approximations of legitimate packages. The discovery is another reminder to developers to be cautious when taking code from open-source libraries.
(The following is an edited transcript of the first of five topics discussed)
Howard: Joining me now from Montreal is Terry Cutler of Cyology Labs. The LockBit ransomware gang suffered a major blow this week when law enforcement agencies led by the U.K. and the U.S. seized at least one of the gang’s websites, 28 servers, source code and possibly more. Question: How big a blow was it?
Terry Cutler: I think it was significant because law enforcement has disrupted a significant financial stream for the gang. It also highlights the capability of international collaboration. As you mentioned, the FBI worked with the U.K. and other countries to collect and share information to bring this gang down. For those of you who don’t know, this ransomware gang has earned about US$120 million from over 2,000 victims worldwide.
When they [police] got access to the server they also got access to sensitive internal workings of the gang — how the servers are configured — and they were also able to pull out over a thousand decryption keys. This way they’re able to go out and help victims decrypt their data without having them pay.
But the challenge that we’re seeing is that as a ransomware-as-a-service gang there’s potential for rebranding of the gang. We suspect that a lot of the members will just regroup.
Howard: Ransomware gangs have been known to rise from the dead in one way or another, either by resuscitating their infrastructure or by forming a new gang. How long do you think it’ll take LockBit to recover — or will it?
Terry: It’s going to come down to how fast they can innovate. We’ll call this a hiccup. It gives the gang a chance to evaluate what went wrong, how did law enforcement get access to their information, what can they do better. Once they’ve had that little pause they’re going to regroup and rebuild, but during that time there’s probably going to be a little less ransomware attacks.
Howard: We recorded this podcast on Thursday, which is also when researchers at Trend Micro released a fascinating analysis of the LockBit gang and its recent technical and operational troubles. The researchers also came across what looks like a new variant of the LockBit ransomware code the gang was probably working on. This would be the fourth generation of its code. Exposure of this code is going to hurt the gang and any plans that it had to make use of it in the future.
Terry: What’s interesting is that in an October 2021 report [a researcher] interviewed LockBit, and they always felt there was a risk of them being hacked … Law enforcement is getting very savvy on collecting evidence properly and going after these groups.
Howard: In late 2022 a Canadian member of the gang was arrested here. He pleaded guilty earlier this month to multiple charges and will be sentenced soon — and then he’s also wanted for extradition to the U.S. This is speculation, but could he have said anything that helped the LockBit takedown this week, or did the things that led to his arrest and that police seized from his house then set in motion the events that we’ve seen this week?
Terry: When they arrested him they got access to his computer’s hard drives. I think it revealed a ton of juicy information to law enforcement. Not only that, because of his arrest the gang halted for a step, so they had to reevaluate their capabilities and during that time there was a bit of a slowdown with the ransomware.
Howard: Will other ransomware gangs be intimidated by the action taken this week against LockBit?
Terry: Yes and no. I think it’s going to hurt others in the short term because when high profile takedowns occur they want to know how did law enforcement infiltrate them [LockBit]? … What will happen is other ransomware gangs are going to share information with other ransomware groups.
(To hear the rest of the discussion play the podcast)