Insight into a ransomware gang, email used in cyberattacks on Ukraine, and more
Welcome to Cyber Security Today. It’s Monday February 7th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
The origin of the ALPHV ransomware gang, which emerged late last year, may have been revealed. This comes after the publication on Friday of an interview in The Record, a news service of the cyber intelligence firm Recorded Future. A Recorded Future analyst spoke in Russian with a representative of ALPHV about its ransomware, which some researchers call BlackCat. The ALPHV rep said the gang was an affiliate of the DarkSide/BlackMatter ransomware-as-a-service operation, but that operation was disrupted when security firm Emsisoft found a weakness in its encryption and issued a free decryptor for victims. That apparently led to the creation of ALPHV. In the same story, Emsisoft threat researcher Brett Callow was quoted suggesting that those behind BlackMatter might have replaced their entire development team as a result of his company's success. Going further, the Bleeping Computer news service notes that Callow also tweeted his belief that the ALPHV team wasn't merely an affiliate of BlackMatter but most likely is BlackMatter itself. The group wants to distance itself from the BlackMatter name, he explained, because the ransomware's distributors saw their revenue drop after Emsisoft released its decryptor.
By the way, according to a news report, German authorities believe the ALPHV/BlackCat ransomware strain was used in last week's huge cyberattack on two German oil companies.
More on ransomware. Last year law enforcement agencies went after ransomware gangs more aggressively. There's good news and bad news in that, according to an analysis of fourth-quarter attacks by security researchers at Coveware. On the one hand, the number of ransomware attacks may drop as attackers become more selective about their targets. On the other hand, the amount of ransom being demanded is going up. The average ransom paid in the fourth quarter of last year was just over $320,000. By comparison, the average payment in the third quarter was about $117,000.
There have been many hacking attacks on government websites in Ukraine as a result of the crisis with Russia, and most of them are blamed on Russia-based groups. On Friday Microsoft published details of the tactics used by a group called Gamaredon. What should interest cybersecurity teams around the world is that one of this group's most common tactics is tricking employees into opening spear-phishing emails that carry malicious macro-enabled attachments. The gang uses a range of lures, including messages that pretend to come from the World Health Organization. The lesson is that email is still a prime way for attackers to get their first foothold in an organization.
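One practical response to that lesson is to look inside Office attachments instead of trusting their file extension. The Python below is an added example written for this page; it is not code from Microsoft's report, from Gamaredon samples, or from the podcast. It opens an OOXML document (.docx, .docm, .xlsm and so on) as the zip package it is and reports whether it carries a vbaProject.bin part or a macro-enabled content type. It also checks for an external attachedTemplate relationship, a related remote-template-injection technique that the story itself does not mention. The three sample documents and the URL in them are constructed in memory purely for illustration.

```python
"""Triage Office attachments for macro indicators (added example, not from the podcast)."""
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML parts whose presence means the document carries VBA code.
VBA_PARTS = {"word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin"}
# Suffix of the relationship type Word uses for a document's attached template.
ATTACHED_TEMPLATE = "/relationships/attachedTemplate"


def inspect_office_attachment(data: bytes) -> dict:
    """Return macro-related indicators for an OOXML blob.

    Decisions are based on package content, never on the file name, because the
    attacker chooses the extension. Legacy OLE2 files (.doc/.xls) are not zips
    and come back with is_ooxml=False so the caller can route them elsewhere.
    """
    result = {"is_ooxml": False, "has_vba": False, "macro_enabled_type": False,
              "remote_templates": [], "suspicious": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result
        result["is_ooxml"] = True
        lowered = {n.lower() for n in names}
        result["has_vba"] = bool(VBA_PARTS & lowered)
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["macro_enabled_type"] = "macroEnabled" in ctypes
        # Remote template injection: settings.xml.rels points the attached
        # template at an external URL; the macros then live in what Word fetches.
        rels = "word/_rels/settings.xml.rels"
        if rels in names:
            root = ET.fromstring(zf.read(rels))
            for rel in root.iter():
                if (rel.attrib.get("Type", "").endswith(ATTACHED_TEMPLATE)
                        and rel.attrib.get("TargetMode") == "External"):
                    result["remote_templates"].append(rel.attrib.get("Target", ""))
    result["suspicious"] = result["has_vba"] or bool(result["remote_templates"])
    return result


def build_sample(with_vba: bool = False, remote_template: str = "") -> bytes:
    """Construct a minimal OOXML package in memory (constructed test data, not a real lure)."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_vba
                 else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
                    '</Types>')
        zf.writestr("word/document.xml", "<document/>")
        if with_vba:
            # A real vbaProject.bin is an OLE2 container; its magic bytes stand in here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")
        if remote_template:
            zf.writestr("word/_rels/settings.xml.rels",
                        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                        'officeDocument/2006/relationships/attachedTemplate" '
                        f'Target="{remote_template}" TargetMode="External"/>'
                        '</Relationships>')
    return buf.getvalue()


# Constructed samples: a benign .docx, a macro-enabled .docm, and a .docx that
# pulls a remote template (hypothetical URL; .invalid is a reserved TLD).
SAMPLES = {
    "clean": build_sample(),
    "macro": build_sample(with_vba=True),
    "template": build_sample(remote_template="http://lure.example.invalid/who.dotm"),
}


def triage(samples: dict) -> dict:
    """Run the inspector over a name->bytes mapping and return the verdicts."""
    return {name: inspect_office_attachment(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:9s} suspicious={verdict['suspicious']} vba={verdict['has_vba']} "
              f"remote_templates={verdict['remote_templates']}")
```

At a mail gateway this kind of check is a first filter, not a verdict: a document with no VBA part can still carry a remote template, a malicious OLE object, or a link, so a "clean" result here only means the two indicators above are absent.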
Last week's revelation that someone got away with about $320 million in digital currency from the Wormhole cryptocurrency bridge still has industry analysts buzzing. Jake Williams of the SANS Institute wrote in a commentary that it looks like the hacker saw a security fix being uploaded to GitHub that had not yet been deployed to Wormhole's open-source network. Most decentralized architectures will suffer from this issue, he said: publishing a security fix can lead to exploitation before the fix can be rolled out across the network. One solution is to publish closed-source patches, though that flies in the face of the open-source movement and probably violates licensing. Organizations built on so-called decentralized networks will need to figure out how to deliver security updates safely before this technology can be more widely adopted, Williams said.
Finally, here's another reason why Apple iPhone users need to install patches as soon as possible. The Reuters news agency reports that a flaw in the iOS operating system was exploited not only by the Israeli cyber company NSO Group with its Pegasus spyware, but also by another Israeli company called QuaDream. Both companies sell smartphone hacking tools to governments. Their tools are worrisome because they are zero-click: victims don't have to click on a link to be compromised. Apple fixed the vulnerability last September. Last November the U.S. imposed sanctions on NSO Group over its spyware.
Remember links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
You can follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.