Cyber Security Today, May 24, 2024 – A threat actor leverages Windows BitLocker in ransomware attacks, beware of ORB networks, and more


Welcome to Cyber Security Today. It’s Friday May 24th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for TechNewsday.com.


A threat actor is using Windows’ built-in BitLocker encryption as a ransomware tool. According to researchers at Kaspersky, that saves crooks the trouble of creating or renting a ransomware package and finding a way to download it onto victims’ computers. It’s another version of a “living off the land” attack, which uses tools already present on PCs and servers. Kaspersky spotted the BitLocker trick being used recently against organizations in Mexico, Indonesia and Jordan. It may be coming to other countries as well. Abusing BitLocker is not a new tactic, but in these cases the threat actor took steps to maximize the damage and erase evidence of its presence. Kaspersky doesn’t say how the threat actors initially got into corporate IT networks. But it does say IT departments must use a robust endpoint detection solution to spot attacks on BitLocker, limit the number of employees allowed to use BitLocker, ensure access to BitLocker is only through strong passwords, and store BitLocker recovery keys in a secure location.
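Two of Kaspersky’s recommendations above, spotting BitLocker activity with endpoint telemetry and limiting who is allowed to use BitLocker, can be combined into one simple detection rule. The following is an added example written for this story, not code from Kaspersky or the podcast. It reads constructed, Windows Security event 4688-style process-creation records (host, user, image, command line) flattened into key=value lines, and raises an alert whenever manage-bde.exe or the BitLocker PowerShell cmdlets are invoked by an account that is not on an allow-list. The allow-list accounts, host names and log format are assumptions made for the example.

```python
"""Toy detector: unexpected BitLocker management activity.

Added example (not Kaspersky's or the podcast's code). Input is constructed
4688-style process-creation data in a flat key=value line format; the
allow-list, host names and account names are assumptions.
"""
import re
from dataclasses import dataclass

# Accounts expected to drive BitLocker on this estate (assumed for the
# example: a deployment service account plus one named admin account).
ALLOWED_BITLOCKER_OPERATORS = {r"CORP\svc-bitlocker", r"CORP\helpdesk-admin"}

# manage-bde.exe and the BitLocker PowerShell cmdlets that change encryption
# state or key protectors, matched in either the image path or command line.
BITLOCKER_TOOLING = re.compile(
    r"manage-bde(\.exe)?\b|(Enable|Disable|Remove|Add)-BitLocker(KeyProtector)?\b",
    re.IGNORECASE,
)

# Sub-commands that change who can unlock a volume get a higher severity,
# because losing the recovery protector is what turns encryption into loss.
PROTECTOR_CHANGE = re.compile(
    r"-protectors\s+-(delete|disable)\b|Remove-BitLockerKeyProtector|Disable-BitLocker|-off\b",
    re.IGNORECASE,
)

# Constructed log format: host=... user=... image=... cmd="..."
LOG_LINE = re.compile(r'host=(\S+)\s+user=(\S+)\s+image=(\S+)\s+cmd="([^"]*)"')


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    severity: str
    command_line: str


def parse_line(line):
    """Return (host, user, image, cmd) for a well-formed line, else None."""
    m = LOG_LINE.match(line.strip())
    return m.groups() if m else None


def scan(log_text):
    """Return one Alert per BitLocker invocation by a non-allow-listed account."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # blank or malformed line; a real pipeline would count these
        host, user, image, cmd = parsed
        if not (BITLOCKER_TOOLING.search(image) or BITLOCKER_TOOLING.search(cmd)):
            continue  # not BitLocker tooling at all
        if user in ALLOWED_BITLOCKER_OPERATORS:
            continue  # expected operator; still worth auditing, but no alert
        severity = "high" if PROTECTOR_CHANGE.search(cmd) else "medium"
        alerts.append(Alert(host, user, severity, cmd))
    return alerts


# Constructed sample telemetry: one sanctioned enablement, one unrelated
# process, one protector removal by a regular user, one enablement by a
# web service account that has no business touching BitLocker.
SAMPLE_LOG = r"""
host=WS-014 user=CORP\svc-bitlocker image=C:\Windows\System32\manage-bde.exe cmd="manage-bde -on C: -RecoveryPassword"
host=WS-014 user=CORP\jdoe image=C:\Windows\System32\notepad.exe cmd="notepad.exe notes.txt"
host=FS-02 user=CORP\jdoe image=C:\Windows\System32\manage-bde.exe cmd="manage-bde -protectors -delete D: -type RecoveryPassword"
host=FS-02 user=CORP\web-svc image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -Command Enable-BitLocker -MountPoint D: -UsedSpaceOnly"
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.severity.upper()}] {alert.host} {alert.user}: {alert.command_line}")
```

Run as-is it reports two alerts from the sample data: a high-severity one for the protector removal on FS-02 and a medium one for the service account enabling BitLocker. The allow-list is the important design choice; it is what turns “someone ran manage-bde” into “someone who should not be encrypting volumes ran manage-bde”, and it only works if the list of permitted operators is kept short, as Kaspersky advises.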

The LockBit ransomware gang yesterday released what it says is some of the data it stole last month from Canadian retail chain London Drugs. According to Brett Callow, a Canada-based threat researcher for Emsisoft, three files were posted: one is 309 GB in size, a second is 57 MB and the third is 24 MB. CTV News says the gang demanded $25 million, threatening otherwise to release the stolen employee data.

Chinese espionage groups are using proxy networks of rented virtual private servers, as well as compromised smart devices and routers, to help conceal their attacks. That’s according to researchers at Mandiant. These are called operational relay box networks, or ORB networks for short. An advantage of an ORB mesh network is that its size can be easily grown. Mandiant notes that these networks aren’t controlled by a single threat actor. Instead they are administered by contractors who sell access to multiple threat groups. ORB networks are also created and torn down quickly, after lasting as little as 31 days. So blocking an ORB network’s IP infrastructure isn’t as effective as blocking the command and control network of a botnet. ORB network addresses shouldn’t be treated as an indicator of compromise, Mandiant says. Instead an ORB network should be tracked as an evolving entity, like an advanced persistent threat group.

A Morocco-based threat actor Microsoft calls Storm-0539, which specializes in tricking employees into falling for gift card scams, is increasing its activity. Tactics include sending phishing and smishing messages to employees. Sometimes the gang impersonates help desk staff in messages to employees. It also creates websites that impersonate charities and then asks service providers for the technical services they give to non-profits. And the gang will create free trials or student accounts on cloud service platforms, which are then used to launch operations. Organizations need to include this information in their regular employee security awareness training, adopt phishing-resistant multifactor authentication, and, if they have a gift card program, implement fraud protection solutions.

Your Wi-Fi router may be giving away location information. That may not be important if your access point is at home or in an office, but it may be a worry to those who use mobile access points. That’s the implication of a blog by security reporter Brian Krebs on work done by University of Maryland researchers. Briefly, tracking is possible because of the way Apple collects and publicly shares data about the precise location of every Wi-Fi access point its iPhones, iPads and other devices see. If you want to do something about it, the solution is to change the SSID, which is the name you give to your router that gets publicly broadcast, by adding the suffix “_nomap”. So your router name changes from “Howard” to “Howard_nomap”. That stops Apple from collecting certain data. Of course it also means updating the network name stored on every wireless device you have that connects to the access point. To get a more detailed explanation see the link to the article in the text version of this podcast at TechNewsday.com.

Finally, backup administrators using Veeam products should act on a patch the manufacturer has issued to plug a critical vulnerability. The hole in Veeam Backup Enterprise Manager’s web console could allow an unauthenticated attacker to log in and do nasty things. Veeam also released patches for two other vulnerabilities rated high, and one rated low.

That’s it for now. But later today my Week in Review podcast will be out. My guest is Anita Anand, head of Canada’s Treasury Board, which just announced the first cyber strategy for Canadian government IT systems. There’s also a video version of the show.

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.

Howard Solomon, https://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
