Cybersecurity News – March 3, 2022

Conti and Trickbot code leaks

We previously covered the pro-Ukrainian member of the Conti ransomware gang who leaked the group’s chat logs as a result of Conti’s pro-Russian stance. Now a data dump from March 1st, shared by vx-underground, provides older chat logs from 2020 and training materials, as well as source code for Conti Locker v2 and a ransomware decryptor. This decryptor does not appear to be the latest version, however, and will likely not work on Conti’s latest victims. The dump also contains chat logs with the operators of the TrickBot trojan, as well as some server-side TrickBot source code.

(ThreatPost)

API attacks surge in 2021

A new report from Salt Security found that API attack traffic increased 681% last year. While part of this increase was fueled by the overall growth in API traffic, attack traffic outpaced it: the report found that the number of APIs per customer increased over 200% to 135 in 2021, while overall API traffic increased 321%. Salt found that part of the rise in attacks comes down to how APIs are developed, with most security considerations handled pre-production, while most of the logic flaws exploited in attacks are only found once an API has entered production. This is exacerbated by the 34% of companies without any overall API security strategy.

(Bleeping Computer)

Log4Shell still being used in the wild

Researchers at Barracuda found that while there have been minor changes in attempts to exploit Log4Shell over the past few months, the overall volume has remained relatively constant. The vast majority of these attacks originate from US-based IP addresses, while the remaining 14% come from Japan, central Europe and Russia. Most of the exploit attempts come from the Mirai botnet. The report said ransomware gangs aren’t significantly exploiting Log4Shell on things like exposed VMware installations, but rather use it as an insider threat once a network is already compromised.

(Bleeping Computer)

Updates on the tech response to the war in Ukraine

Meta President of Global Affairs Nick Clegg said Instagram will let users in Ukraine and Russia switch to encrypted messaging, something already available in WhatsApp and Messenger. Clegg also said Meta will demote posts with links to Russian state media on Facebook and Instagram.

Meanwhile, Google began removing user-submitted locations in Google Maps within the borders of Russia, Ukraine, and Belarus and will pause new edits. The company said this was done out of an abundance of caution. Google also blocked apps connected with the Russian media outlets RT and Sputnik from the Google Play Store. Apple likewise made these apps unavailable in the App Store outside of Russia.

(Protocol, BuzzFeed News, Reuters)

There are many misconceptions about security automation, so Torq is debunking a security automation myth each day this week.

Myth 4: Automation Will Replace Skilled Security Professionals
Not true. Any business that attempts to automate security will quickly find that most high-stakes security issues are far too complex to be detected and remediated by automation tools alone. Human security professionals need to take the lead in delivering nuanced insight about the business impact of a large-scale breach. To learn more about the realities of automation, head to torq.io.

Healthcare org hit by two ransomware organizations

We’ve covered the increasing prevalence of ransomware attacks since day one here on Cyber Security Headlines. It’s now reached a point where multiple ransomware organizations are vying for the same victims. An unnamed Canadian healthcare organization was hit by both the Conti and Karma ransomware gangs, and both were operating in the organization’s network simultaneously. Karma actors struck first, exfiltrating data and asking for a ransom in exchange for not publishing it. Conti struck afterwards, actually encrypting the organization’s machines, including the ransom notes Karma had left behind. Both gained access to an Exchange server using the same ProxyShell exploit.

(InfoSecurity Magazine)

TeaBot trojan brews up new features

Security researchers at Cleafy note that the Android remote access trojan TeaBot was recently upgraded with new features. As of March 1st, TeaBot can target over 400 applications, signaling a move to more advanced tactics. TeaBot initially focused on “smishing” attacks, attempting to trick people into clicking on malicious links in SMS messages. Researchers also found that TeaBot managed to infiltrate the Google Play Store through the use of malicious dropper apps. Once installed, TeaBot operates like other banking trojans, abusing accessibility services to overlay login pages, log passwords, and intercept 2FA codes.

(ZDNet)

Security vendors respond to Ukraine crisis

CSO put together a list of security vendor responses to the cyber security crisis in light of Russia’s invasion of Ukraine. Vectra AI offers a slate of free tools and services to those in the conflict region, including scanning of Azure Active Directory, Microsoft 365 and AWS environments for signs of attack and surveillance. SentinelOne is offering its XDR platform free for 90 days. Bitdefender will offer tech consulting and threat intelligence as part of its collaboration with Romania’s National Cyber Security Directorate. CrowdStrike is offering a free tool to decrypt “PartyTicket” ransomware. And Cloudflare removed all customer cryptographic data from its servers in Ukraine.

(CSO Online)

Microsoft Defender looks to the mid-market

This week, Microsoft announced general availability for Defender for Business, which provides anti-malware, EDR, and threat management across desktop and mobile. It is specifically designed for organizations with up to 300 employees and comes as part of a bigger push for mid-market security offerings from Microsoft. The company also announced the integration of Microsoft 365 Lighthouse with Defender for Business to give managed service providers a unified admin portal for viewing devices, users, and data.

(Security Week)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.