The Good, the Bad and the Ugly in Cybersecurity – Week 43

The Good

Officials have busted two SIM hijackers for a six-month cybercrime spree which stripped a total of $550,000 from prominent cryptocurrency figures across the U.S. This week, Eric Meiggs (24) and Declan Harrington (22) were charged with wire fraud, conspiracy, computer fraud and abuse, and aggravated identity theft, earning them each two-year sentences.

The DoJ reports that Meiggs and Harrington used SIM swapping and hacking tactics to take over their targets’ email addresses, social media handles, and cell phone numbers linked to cryptocoin accounts. The scheme included sending hostile messages to the targets, sometimes threatening their family members if they did not comply with the demands. The pair focused their sights on cryptocurrency executives and blockchain-based business owners.

SIM Swapping

SIM swapping exploits the process in which cell phone providers assign numbers to new devices. Threat actors pose as the victim to convince the provider to reassign the number from the victim’s original SIM card to one controlled by the actor. This method allows threat actors to divert password reset links and authentication codes to their own device so they can later break into crypto exchanges, online banking accounts, and email and social media accounts.

Threat actors are escalating their use of SIM swapping to target early adopters of cryptocurrency and heavy investors. The FBI has implored users to be on high alert and to avoid posting any personal data or information about their financial assets online. It also recommends that users remove sensitive documents from email accounts and add PINs to mobile phone accounts. As the cryptocurrency space is still a relatively young one, the need for digital identity protection continues to be significant in guarding against developing crypto-related threats.

The Bad

URSNIF (aka ISFB) malware has had a makeover, and it’s still not pretty. The one-time banking trojan has shed its origins and has been revamped into a generic backdoor built to enable ransomware or data theft extortion operations. Researchers this week published an analysis on the malware’s milestone shift, hypothesizing that the change was to stay consistent with the broader changes in the crimeware landscape.

The new variant, dubbed LDR4, was first seen in a recent attack chain where fake invoices and job postings were emailed to unsuspecting users to lure them to visit a legitimate domain. Then, interaction with the CAPTCHA would prompt a download of a Microsoft Excel spreadsheet hiding the malware payload.

LDR4 leaves behind many features characteristic of previous URSNIF forms, such as the FJ.exe steganography tool used to hide payloads in files. All banking features have been removed, and its new set of commands is capable of loading DLL modules, starting and stopping cmd.exe reverse shells, running arbitrary commands, and terminating processes.

URSNIF has seen a fragmented timeline of changes prior to its latest transformation. The latest change trails the footsteps of other malware families that also had roots in banking fraud like Trickbot, Emotet, and Qakbot. More widely, threat actors are continuing to evolve their approach in extorting money from organizations, with many now shifting to pure data extortion without ransomware or adopting techniques such as partial encryption.

The Ugly

Private Ukrainian and Polish transportation and logistics companies are finding themselves the target of a novel ransomware strain dubbed Prestige. Although it was only first seen in the wild last Tuesday, researchers have already found that Prestige shares victimology with recent Russian state-aligned activity. Perhaps not surprisingly, Prestige ransomware victims overlap with those of another malware, HermeticWiper, which had been detected in hundreds of computers in Ukraine just hours before Russia launched a full-scale military invasion on the country.

The researchers state that the initial access vector in the recent string of attacks is still unknown, but in all instances the attack timeline began with the theft of highly privileged credentials such as Active Directory admin accounts. Tracked by Microsoft as DEV-0960, the threat actors behind Prestige ransomware have been observed using tools such as winPEAS, comsvcs.dll, and ntdsutil.exe to access the credentials needed to facilitate the deployment. Remote execution utilities were also noted in the campaign including RemoteExec, a tool often used for agentless software execution, and impacket WMIexec, an open-source and script-based solution used to manipulate network protocols.
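The tooling named above (ntdsutil.exe, comsvcs.dll, winPEAS, impacket wmiexec) leaves recognisable traces in process-creation telemetry, and that is where a defender would start hunting for this pre-ransomware credential theft and lateral movement. The following detection sketch is an added example, not code from the article or from any of the researchers it cites: it runs four rules over a handful of constructed Sysmon-style events. The field names, the rule thresholds and the sample command lines are all assumptions modelled on publicly documented detection practice, not on the Prestige campaign's actual telemetry.

```python
"""Detection sketch (added example): flag process-creation events that resemble the
credential-theft and remote-execution tooling named in the Prestige write-up.
All sample events below are constructed, not real telemetry."""

import re
from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple


@dataclass
class ProcEvent:
    """Minimal process-creation record; fields loosely modelled on Sysmon Event ID 1."""
    parent_image: str
    image: str
    command_line: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path, so rules ignore directories and casing."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# (rule name, predicate) pairs. Each predicate keys on the tool names the article lists
# plus the widely documented command-line marker for its credential-theft use.
RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    # ntdsutil "install from media" export copies the Active Directory database.
    ("ntdsutil_ifm_export",
     lambda e: _base(e.image) == "ntdsutil.exe"
     and re.search(r"\bifm\b|\bntds\b", e.command_line, re.I) is not None),
    # rundll32 driving comsvcs.dll's MiniDump export writes a process memory dump.
    ("comsvcs_minidump",
     lambda e: _base(e.image) == "rundll32.exe"
     and "comsvcs.dll" in e.command_line.lower()
     and "minidump" in e.command_line.lower()),
    # winPEAS is a privilege-escalation enumeration tool; its name is the signal.
    ("winpeas_enum",
     lambda e: "winpeas" in _base(e.image) or "winpeas" in e.command_line.lower()),
    # impacket wmiexec: WmiPrvSE spawns cmd.exe and redirects output into \\127.0.0.1\ADMIN$.
    ("wmiexec_pattern",
     lambda e: _base(e.parent_image) == "wmiprvse.exe"
     and _base(e.image) == "cmd.exe"
     and "admin$" in e.command_line.lower()
     and "127.0.0.1" in e.command_line),
]


def evaluate(event: ProcEvent) -> List[str]:
    """Return the names of every rule the event matches (empty list when nothing fires)."""
    return [name for name, pred in RULES if pred(event)]


def scan(events: Sequence[ProcEvent]) -> List[Tuple[int, str, List[str]]]:
    """Run all rules over a batch of events; yield (index, image name, matched rules) per hit."""
    hits = []
    for i, ev in enumerate(events):
        matched = evaluate(ev)
        if matched:
            hits.append((i, _base(ev.image), matched))
    return hits


# Constructed sample telemetry (assumed values, not log lines from the original article).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe report.txt"),                                   # benign
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\ntdsutil.exe",
              'ntdsutil.exe ifm "create full C:\\temp\\x" q q'),           # AD database export
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 628 C:\temp\out.dmp full"),
    ProcEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1666000000.12 2>&1"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\winPEASx64.exe",
              "winPEASx64.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),                  # benign rundll32 use
]

if __name__ == "__main__":
    for idx, image, rules in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {image} -> {', '.join(rules)}")
```

Each rule is deliberately narrow (tool name plus its documented marker) so that ordinary rundll32 or cmd.exe activity does not fire; in production these would be tuned against a baseline of legitimate administrative use, since ntdsutil and WMI-spawned shells both have benign operators.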

While the new ransomware seems to be operating independently of known threat actor groups, concerns of the strain spreading to other countries are rising. Just earlier this year, President Biden released a statement warning firms to be on guard for potential malicious cyber activity backed by the Russian government as a response to the economic sanctions the U.S. has imposed upon Russia. As the cyber threat landscape further develops, the emergence of new malware strains and TTPs will remain a regular theme. SentinelOne’s full response to the situation in Ukraine can be found here.