This week was another successful week with regards to law enforcement operations against ransomware actors. Early in the week, news broke regarding the arrest of an Egregor ransomware operation running out of the Ukraine. The individuals were affiliate operators as opposed to the actual ‘authors’ or ‘source’ of the ransomware.
The arrests were part of a joint operation between French and Ukrainian law enforcement agencies. It is said that the apprehended individuals were responsible for affiliate-based deployment of Egregor ransomware, along with the relevant breaching of the targeted environment.
Egregor has been utilized in numerous high-profile attacks over the last 6 months. It has also been associated with other malware families and is often observed being used in tandem with these threats (e.g., Qbot). It is not confirmed to be related, but the Egregor payment portal and victim blogs (both TOR-based and clearnet) have been down for weeks. The momentum of Egregor has definitely slowed and taken a hit, at least partially due to these law enforcement operations. It remains to be seen what the future holds for Egregor, but at the moment, it appears to be left-for-dead. It may be that the threat actors are also moving away to newer platforms, as they did from Maze. We will be watching these groups closely in the coming weeks.
This week, CISA (Cybersecurity and Infrastructure Security Agency) released Alert AA21-048A. This is the latest joint alert covering malicious activity out of North Korea. Specifically, the alert covers AppleJeus, a well-known tool in the DPRK (aka Lazarus) arsenal used for cryptocurrency theft. This latest advisory comes to us from the FBI, CISA, and the Department of Treasury.
According to the alert, Lazarus has been launching targeted cryptocurrency-stealing operations in over 30 countries in the past year alone but has a much longer history going back to at least 2018. The malware is delivered via specially-crafted cryptocurrency trading applications (JMT Trading, Celas Trade Pro, UnionCrypto, Kupay Wallet, CoinGoTrade, Dorusio, Ants2Whale).
For extra credibility, the threat actors built custom websites with SSL certified domains to fool unwary crypto users into using the malicious apps, which were fully functional and based on copies of open-source cryptocurrency exchange programs like Q.T. Bitcoin Trader and Blackbird Bitcoin Arbitrage.
While much of the alert focuses on the macOS platform, it should be noted that there are Windows variants of the malware as well. The alert covers, in detail, seven versions of the cryptocurrency-thieving malware and includes a number of IOCs and other actionable intelligence data. We recommend that all review the latest alert, and stay on top of all malicious behavior coming from the Lazarus APT group.
This past Saturday, Kia noted a widespread outage of many critical systems. The effects were felt internally and externally as the attack also affected the use of many of the company’s mobile applications. In addition, all U.S. dealer-specific platforms, IT Servers, phone-based support systems, and self-payment phone systems were affected by the attack. While availability of Kia systems and services across the United States has been severely impacted, international systems appear to be less affected.
As these attacks become more prevalent, we are increasingly seeing ‘household names’ on the victim list. Once again, this highlights the critical need for quality preventative controls. Attackers knowingly target vulnerable systems, even when certain security tools are installed, because threat actors know it is trivial to bypass them.
In this ongoing cat and mouse game, it is vital to have full visibility across your environment, along with a trusted XDR platform. Mix that with regular and continually updated user education (how to spot phishing attacks and similar) and we are all in a much better position to prevent these attacks all together.