Friday Five: Ransomware Gangs Taken Down, a Rise in Zero-Day Exploitation, & More
While two ransomware gangs were taken down this past week, an increase in zero-day exploitations and shifting tactics by Gootloader and Jupyter are keeping enterprises on their toes. Catch up on these stories and more in this week's Friday Five!
FEEL-GOOD STORY OF THE WEEK: TWO RANSOMWARE GANGS MEET THEIR DEMISE BY DAN GOODIN
This week saw the takedown of two ransomware groups: Trigona and Ragnar Locker. Trigona was allegedly hacked by a group claiming allegiance to Ukraine, the Ukrainian Cyber Alliance, which replaced the content of Trigona's dark-web leak site, used to name and shame victims, with a banner reading, "Trigona is gone!" The second group, Ragnar Locker, was hit by a coordinated action led by Europol with police operations in Czechia, Spain, and Latvia. The "key target" was arrested in Paris, the ransomware's infrastructure was seized in the Netherlands, Germany, and Sweden, and the associated data leak website on Tor was taken down in Sweden. The arrests and takedowns follow years of investigation by Europol, the FBI, and Ukrainian authorities.
DEFENSE FIRMS CAN TAKE STEPS NOW TO COMPLY WITH ENHANCED CYBER STANDARDS, INDUSTRY OFFICIALS SAY BY EDWARD GRAHAM
As the U.S. Department of Defense prepares to release the proposed final rule for Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0), industry officials emphasize the importance of enhanced cybersecurity standards for the defense industrial base. The CMMC program, implemented in 2020, establishes baseline security requirements for over 70,000 firms conducting business with the Pentagon. CMMC 2.0 is expected to be more rigorous, addressing the diverse nature of large and small defense-related companies. Industry representatives suggest that companies, especially smaller ones, take proactive steps to strengthen their relationships with federal agencies, ensure compliance with best-practice cyber standards, and leverage government initiatives designed to enhance cybersecurity in the defense industrial base.
CISA SEES INCREASE IN ZERO-DAY EXPLOITATION, OFFICIAL SAYS BY MATT BRACKEN
The exploitation of zero-day vulnerabilities is surging globally and is significantly impacting federal agencies, according to Michael Duffy, Associate Director at the Cybersecurity and Infrastructure Security Agency (CISA). In the past month there has been a notable increase in zero-day activity affecting federal government networks. Although zero-day exploitation declined overall last year, the sophistication of state-backed hacking campaigns that use zero-days is said to be growing. Darren Turner, Chief of Critical Networks Defense at the National Security Agency, emphasized the need for alignment across government agencies and industry. CISA also reported an uptick in ransomware and DDoS activity within federal agencies in fiscal year 2023. Coordination among the Biden administration, Congress, and federal agencies on cybersecurity has also improved, according to the officials.
GOOTLOADER AIMS MALICIOUS, CUSTOM BOT ARMY AT ENTERPRISE NETWORKS BY BECKY BRACKEN
The Gootloader group, long known as an initial access broker and malware operator, has introduced a new post-compromise tool named GootBot. Active since 2014, Gootloader relies on SEO poisoning to lure victims into downloading infected business document templates for the initial compromise. Previously, Gootloader would broker that access to other threat groups; GootBot instead deploys a hard-to-detect bot army in which each bot is controlled by its own command-and-control server hosted on a compromised WordPress site. The bots search for a domain controller, raising the risk of lateral movement and follow-on activity by ransomware affiliates. As of November 6, GootBot had no detections on VirusTotal, which makes it all the more dangerous.
EVASIVE JUPYTER INFOSTEALER CAMPAIGN SHOWCASES DANGEROUS VARIANT BY JAI VIJAYAN
A sophisticated variant of the Jupyter information stealer, also known as Yellow Cockatoo, Solarmarker, and Polazert, has been targeting users of the Chrome, Edge, and Firefox browsers. The new version of Jupyter uses modified PowerShell commands and legitimate-looking, digitally signed payloads. Beyond harvesting credentials, the malware functions as a full-fledged backdoor, with command-and-control communication, a dropper and loader for other malware, process hollowing to run shellcode, and execution of PowerShell scripts. The operators sign their payloads with valid certificates, which makes detection harder. The malware has been distributed through several techniques, including search engine redirects and phishing.
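The point about "legitimate-looking, digitally signed payloads" deserves a concrete check. A "Valid" Authenticode status proves only that the signer held a certificate chaining to a trusted root; it says nothing about whether that publisher is one you trust. The PowerShell triage below is an added example, not code from the original article or from the Jupyter research it summarizes. It assumes a directory to scan and a constructed allowlist of signer subjects, and it lists files whose signature is valid but whose signer is unknown to you, alongside unsigned or tampered files.

```powershell
# Added example (not from the original article): Authenticode triage that treats
# "signed" and "trusted" as two different questions.
# Assumptions: $Path is the directory to scan; $TrustedSubjects is a constructed
# allowlist of certificate subject prefixes and must be adapted to your environment.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",
    [string[]]$TrustedSubjects = @(
        'CN=Microsoft Corporation',   # constructed allowlist entries
        'CN=Microsoft Windows'
    )
)

Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.ps1 -ErrorAction SilentlyContinue |
  ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # Signer is "trusted" only if its subject starts with an allowlisted prefix.
    $trusted = $false
    if ($subject) {
        foreach ($t in $TrustedSubjects) {
            if ($subject -like "$t*") { $trusted = $true; break }
        }
    }

    # Status values include Valid, NotSigned, HashMismatch, UnknownError.
    $flag = if ($sig.Status -eq 'Valid' -and -not $trusted) { 'VALID-BUT-UNKNOWN-SIGNER' }
            elseif ($sig.Status -ne 'Valid')                  { 'UNSIGNED-OR-INVALID' }
            else                                              { 'OK' }

    [pscustomobject]@{
        File       = $_.FullName
        Status     = $sig.Status
        Signer     = $subject
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        Flag       = $flag
    }
  } |
  Where-Object { $_.Flag -ne 'OK' } |
  Sort-Object Flag, Signer |
  Format-Table -AutoSize
```

Run it from an elevated PowerShell session against a download or temp directory after a suspected Jupyter delivery; the interesting rows are the VALID-BUT-UNKNOWN-SIGNER ones, since those are exactly the files an "is it signed?" check would wave through. Pivot on the Thumbprint column to find every other file on the host signed by the same certificate, and feed confirmed-bad thumbprints into your EDR or AppLocker/WDAC policy rather than relying on the signature status alone.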