Ron McFarland PhD
8 min read, Dec 1, 2022


Cybersecurity Update: December 2, 2022

Today’s update includes the following 3 topics:

• Topic 1: Trigona ransomware spotted in increasing attacks worldwide

• Topic 2: Crafty threat actor uses ‘aged’ domains to evade security platforms

• Topic 3: Defense Department Releases Zero Trust Strategy

YouTube Splash Screen for the December 2 2022 Cybersecurity Update

For a YouTube Presentation of this article, please click here: https://youtu.be/aWwa4SdTGPc

Topic 1: Trigona ransomware spotted in increasing attacks worldwide

Trigona is a previously “unnamed” ransomware that has rebranded and renamed itself ‘Trigona’. Trigona has also launched a Tor negotiation site where Monero is accepted as ransom payment. Trigona is becoming progressively more active.

Trigona is the name of a family of large stingless bees, which is somewhat of a misnomer, since Trigona is becoming quite the pain! The ransomware operation has adopted a logo showing a person in a cyber bee-like costume, shown below. Trigona supports various command line arguments that determine whether local or network files are encrypted. We discuss this in my Certified Ethical Hacking course to quite an extent. When encrypting files, Trigona encrypts all files on a device except those in specific folders (such as the Windows and Program Files folders). The Trigona ransomware renames encrypted files to use the ._locked extension. As an example, the file 1.doc would be encrypted and renamed to 1.doc._locked, as shown below.

Files encrypted by Trigona
Source: BleepingComputer

When a locked file is examined with a hex (hexadecimal) editor, it can be seen that the Trigona ransomware (a) embeds an encrypted decryption key within the file, (b) embeds the campaign ID, and (c) embeds the victim ID (company name) within the encrypted files. We talk about the use of hexadecimal and binary in my Certified Ethical Hacking course. If you’re not familiar with this, just drop me a note.

Review of Encrypted file with file markers using a hex editor
Source: BleepingComputer

The Trigona ransomware has a decent user interface; hackers are getting more sophisticated. A ransom note named how_to_decrypt.hta is created in each scanned folder. This note displays: (a) information about the attack, (b) a link to the Tor negotiation site, and (c) a link that copies an authorization key into the Windows clipboard, which the victim needs in order to log in to the Tor negotiation site.
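As an added example (not code from the article or from BleepingComputer), the following Python script walks a directory tree and reports the two filename indicators the article describes: the ._locked extension on encrypted files and the how_to_decrypt.hta ransom note dropped in each scanned folder. The sample tree is constructed inline so the script runs offline; the layout of the markers embedded inside the encrypted files is not given here, so the script deliberately does not try to parse file contents.

```python
import os
import tempfile
from pathlib import Path

# Filename indicators described in the article.
LOCKED_EXTENSION = "._locked"
RANSOM_NOTE_NAME = "how_to_decrypt.hta"


def scan_for_trigona_indicators(root):
    """Walk `root` and collect Trigona-style filename indicators.

    Returns a dict with sorted relative paths of locked files and ransom
    notes, plus a boolean summary a triage script can act on.
    """
    root = Path(root)
    locked_files = []
    ransom_notes = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            if name.endswith(LOCKED_EXTENSION):
                locked_files.append(rel)
            elif name.lower() == RANSOM_NOTE_NAME:
                ransom_notes.append(rel)
    return {
        "locked_files": sorted(locked_files),
        "ransom_notes": sorted(ransom_notes),
        "suspected_infection": bool(locked_files) or bool(ransom_notes),
    }


def original_name(locked_name):
    """Recover the pre-encryption filename from a Trigona-style name
    ('1.doc._locked' -> '1.doc'); returns None when the suffix is absent."""
    if not locked_name.endswith(LOCKED_EXTENSION):
        return None
    return locked_name[: -len(LOCKED_EXTENSION)]


def build_sample_tree(base):
    """Create a constructed directory tree that mimics a hit file share.
    File contents are placeholders, not real encrypted data."""
    base = Path(base)
    (base / "Finance").mkdir()
    (base / "Finance" / "1.doc._locked").write_bytes(b"\x00" * 16)
    (base / "Finance" / "budget.xlsx._locked").write_bytes(b"\x00" * 16)
    (base / "Finance" / RANSOM_NOTE_NAME).write_text("constructed ransom note")
    (base / "HR").mkdir()
    (base / "HR" / "policy.pdf").write_bytes(b"%PDF-1.4 constructed")
    (base / "HR" / RANSOM_NOTE_NAME).write_text("constructed ransom note")
    return base


def demo():
    """Build the sample tree in a temp dir, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_trigona_indicators(tmp)


if __name__ == "__main__":
    report = demo()
    for path in report["locked_files"]:
        print("locked:", path, "(was", original_name(Path(path).name) + ")")
    for path in report["ransom_notes"]:
        print("ransom note:", path)
    print("suspected infection:", report["suspected_infection"])
```

Pointing `scan_for_trigona_indicators` at a mounted share or a forensic image copy gives a quick first-pass scope of which folders were touched; a real response would follow up with file timestamps and process telemetry, which this script does not attempt.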

Trigona ransom note
Source: BleepingComputer

After the victim logs into the Tor site, the victim is shown information on how to buy Monero in order to pay the Trigona ransom. Monero is used because it is impossible to track down the source of the payment, as is the case with other cryptocurrencies. There is also a support chat that the victim can use to negotiate with the Trigona threat actors.

Trigona Tor negotiation site
Source: BleepingComputer

When the ransom is paid, the victim receives a link to a decryptor tool that is used to decrypt their files, along with a keys.dat file that contains the private decryption key the decryptor needs to unlock the files. The decryptor allows the victim to decrypt individual files or folders on the local device and on network shares.

Scan and decrypt screens of Trigona decryptor
Source: BleepingComputer

In summary, Bleeping Computer has indicated that it is not clear how Trigona breaches networks or deploys its ransomware. While the Trigona ransom notes claim that data is stolen during attacks, Bleeping Computer does not have proof of any data theft. Trigona attacks have been increasing worldwide, and since Trigona has made a significant investment in its Tor platform, it is anticipated that the group will expand its efforts. Ransomware operators are becoming more sophisticated in their attacks and even in their ‘more friendly’ user interfaces. It’s time to take much more caution.

Topic 2: Crafty threat actor uses ‘aged’ domains to evade security platforms

While hackers have used older technology to evade detection for many years, this is another ‘twist’ on an old theme that we should be aware of. A sophisticated threat actor named ‘CashRewindo’ has been using ‘aged’ domains in global “malvertising” campaigns that lead to investment scam sites. Malvertising is the practice of incorporating malware in online advertisements. One of the most well-known methods of malvertising is clickjacking. Further, malvertising, especially in this case, involves the injection of malicious JavaScript code into digital ads promoted by legitimate advertising networks, taking website visitors to pages that host phishing forms, drop malware, or operate scams.

The CashRewindo malvertising campaigns are spread across Europe, North and South America, Asia, and Africa, using customized language and currency to appear legitimate to the local audience. This is another aspect where hackers are looking to craft messages for the community, expanding their opportunity to social engineer their victims. A cybersecurity analysis organization has been tracking ‘CashRewindo’ since 2018 and noted that the threat actor stands out for an unusually crafty approach in setting up malicious advertising operations with great attention to detail.

Domain aging is when threat actors register domains and wait years to use them, hoping to bypass security platforms. Domain aging works because old domains that have not been involved in malicious activity for a long time earn trust on the Internet, making them unlikely to be flagged by security tools as suspicious. CashRewindo uses domains that have aged for at least two years before they are activated (have their certificates updated and a virtual server assigned).
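The detection angle on domain aging is that trust based on age alone misses the pattern: a domain registered long ago, never active, and then suddenly given a certificate and a server. As an added example (not from the article or from the security firm it cites), the Python below scores domain records against that pattern using the article’s two-year threshold. The record fields, the 30-day “recently activated” window, and the sample domains are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Threshold from the article: CashRewindo domains age at least two years.
MIN_DORMANT_YEARS = 2.0
# Assumed window for "recently activated"; the article gives no figure.
RECENT_ACTIVATION_WINDOW = timedelta(days=30)
# Reference date for the sample run (the article's publication week).
REPORT_DATE = date(2022, 12, 2)


@dataclass(frozen=True)
class DomainRecord:
    name: str
    registered: date          # WHOIS creation date
    first_seen_active: date   # first certificate issuance / hosting record seen
    prior_activity: bool      # any hosting or resolution history before that date


def dormant_years(rec: DomainRecord) -> float:
    """Years between registration and the first observed activation."""
    return (rec.first_seen_active - rec.registered).days / 365.25


def is_suspicious_aged_domain(rec: DomainRecord, today: date) -> bool:
    """True when a domain sat unused for >= MIN_DORMANT_YEARS and then
    woke up within RECENT_ACTIVATION_WINDOW of `today`.

    Age by itself is not the signal; long dormancy followed by sudden
    activation is, which is why prior activity clears the flag."""
    recently_activated = (today - rec.first_seen_active) <= RECENT_ACTIVATION_WINDOW
    return (
        dormant_years(rec) >= MIN_DORMANT_YEARS
        and not rec.prior_activity
        and recently_activated
    )


def triage(records, today: date):
    """Return the sorted names of records matching the aged-domain pattern."""
    return sorted(r.name for r in records if is_suspicious_aged_domain(r, today))


# Constructed sample records with placeholder names (not real indicators).
SAMPLE_RECORDS = [
    DomainRecord("aged-parked-2008.example", date(2008, 3, 14), date(2022, 11, 20), False),
    DomainRecord("aged-parked-2019.example", date(2019, 9, 1), date(2022, 11, 25), False),
    DomainRecord("long-running-shop.example", date(2015, 6, 2), date(2015, 6, 10), True),
    DomainRecord("brand-new.example", date(2022, 10, 28), date(2022, 11, 29), False),
    DomainRecord("aged-but-old-news.example", date(2010, 1, 1), date(2020, 1, 1), False),
]

if __name__ == "__main__":
    for name in triage(SAMPLE_RECORDS, REPORT_DATE):
        print("suspicious aged domain:", name)
```

Note that `brand-new.example` is not flagged by this rule; a newly registered domain is a separate, well-known signal that most security platforms already score, and the point of this check is to cover the case those platforms miss.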

A CashRewindo SPAM Image (note the red circle)

A single security firm was able to identify at least 487 domains used by this threat actor, some registered as far back as 2008 and used for the first time in 2022. Note that this is only one security firm, so the ‘dataset’ of 487 domains is limited to one threat actor. Victims end up on these landing sites by clicking on infected ads found on legitimate sites.

As with the previous topic, threat actors are crafting their message to a given audience. Each CashRewindo campaign targets a particular audience, so the landing pages are configured to either show the scam or an innocuous or blank page for invalid targets. This is done by checking the time zone, device platform, and language used on the visitor’s system. Users and devices outside the target audience clicking the embedded “Click Here” button will be redirected to an innocuous site. Valid targets, on the other hand, will execute JavaScript code with the malicious code hiding inside a common library to evade request inspection.

Malicious JavaScript example used by threat actor

Data analysis has listed the top 20 countries that have been a victim to this sort of attack. Note the high numbers in Hungary and Poland, possibly due to careful message crafting by the threat actors.

Top 20 countries impacted

In conclusion, investment scams are widespread, but usually threat actors prefer quantity over quality, pushing their hastily crafted fake sites to large pools of users and hosting the scam platforms on recently registered domains doomed to go offline quickly. CashRewindo follows a different approach that requires more work but significantly improves the chances of success for the threat actor. Any investment opportunity that guarantees returns is most likely a scam, so treat this as a big red flag and run an extensive background check before depositing any funds. The bottom line is to always do your ‘due diligence’ and take ‘due care’ on the Internet.

Topic 3: Defense Department Releases Zero Trust Strategy

Zero Trust Initiative by the Department of Defense

It’s coming and we each have to get prepared for the Department of Defense Zero Trust Strategy. On Nov. 22, the U.S. Department of Defense released its Zero Trust Strategy. Zero Trust is a new approach to countering cyber attacks. ZT employs a ‘never trust, always verify’ mindset, deviating from the DoD’s previously used perimeter defense model. The strategy is prompted by the “rapid growth” of offensive cyber threats. DoD aims to fully implement the Zero Trust model by fiscal year 2027.

Zero Trust Defined: Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional network edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as well as workers in any location. Zero Trust is a framework for securing infrastructure and data for today’s modern digital transformation. It uniquely addresses the modern challenges of today’s business, including securing remote workers, hybrid cloud environments, and ransomware threats. Zero Trust will impact how you learn about and how you manage networks/organizational systems.
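To make the definition concrete, here is an added example (my illustration, not code from the DoD strategy or any product) of a minimal Zero Trust policy decision in Python. Every request is evaluated on its own, with no reliance on network location: identity must be recently re-verified, device posture must pass, and the role must carry an explicit grant for the resource and action. The resource policy, the eight-hour MFA window and the sample requests are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional, Tuple

# Least-privilege policy: resource -> action -> roles explicitly permitted
# (constructed for the example).
RESOURCE_POLICY = {
    "hr-records": {"read": {"hr-staff", "hr-admin"}, "write": {"hr-admin"}},
    "finance-ledger": {"read": {"finance", "auditor"}, "write": {"finance"}},
}
# Assumed re-verification window; the strategy sets no specific number.
MFA_MAX_AGE = timedelta(hours=8)
# Fixed "now" so the sample run is reproducible.
NOW = datetime(2022, 12, 2, 9, 0)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: FrozenSet[str]
    mfa_verified_at: Optional[datetime]  # None means no MFA in this session
    device_managed: bool                 # enrolled in device management
    device_patched: bool                 # meets the current patch baseline
    resource: str
    action: str


def evaluate(req: AccessRequest, now: datetime) -> Tuple[bool, List[str]]:
    """Policy decision point: allow only when identity, device posture and
    authorization all pass. Returns (allowed, list_of_denial_reasons).
    Nothing here asks where the request came from on the network."""
    denials: List[str] = []
    # Identity: authenticated and re-verified recently enough.
    if req.mfa_verified_at is None:
        denials.append("no MFA in session")
    elif now - req.mfa_verified_at > MFA_MAX_AGE:
        denials.append("MFA older than allowed window")
    # Device posture: managed and patched, checked on every request.
    if not req.device_managed:
        denials.append("unmanaged device")
    if not req.device_patched:
        denials.append("device fails patch baseline")
    # Authorization: an explicit role grant for this resource and action.
    permitted = RESOURCE_POLICY.get(req.resource, {}).get(req.action, set())
    if not (req.roles & permitted):
        denials.append(f"no role grants {req.action} on {req.resource}")
    return (not denials, denials)


# Constructed sample requests covering the main outcomes.
SAMPLE_REQUESTS = {
    "ok_hr_read": AccessRequest("alice", frozenset({"hr-staff"}),
                                NOW - timedelta(hours=1), True, True,
                                "hr-records", "read"),
    "stale_mfa": AccessRequest("alice", frozenset({"hr-staff"}),
                               NOW - timedelta(hours=12), True, True,
                               "hr-records", "read"),
    "unmanaged": AccessRequest("bob", frozenset({"finance"}),
                               NOW - timedelta(minutes=5), False, True,
                               "finance-ledger", "write"),
    "wrong_role": AccessRequest("carol", frozenset({"auditor"}),
                                NOW - timedelta(minutes=5), True, True,
                                "finance-ledger", "write"),
}


def decide_all(now: datetime = NOW):
    """Evaluate every sample request and return the decisions by name."""
    return {name: evaluate(req, now) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in decide_all().items():
        print(name, "->", "ALLOW" if allowed else "DENY", reasons)
```

The same `evaluate` call would run again on the next request from the same user and device, which is what “continuously validated” means in practice: a session that passed an hour ago is not trusted now simply because it passed then.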

Following the strategy’s release, all Defense Department components are required to “adopt and integrate Zero Trust capabilities, technologies, solutions, and processes across their architectures, systems, and within their budget and execution plans” and to integrate this mindset into their training processes. Note: This impacts all Defense suppliers/contractors! So the implication is quite broad.

The Zero Trust document released by DoD urges every member of the department, “regardless of whether they work in technology or cybersecurity or the Human Resource department,” to develop a “Zero Trust Solution Architecture” using the guidelines in the strategy. The four major strategic goals of Zero Trust include:

1. Zero trust cultural adoption

2. Defense Department information systems secured

3. Defended, technology acceleration

4. Zero trust enablement.

Zero trust is coming down the pike. We each need to be prepared for this, whether or not we’re working directly with DoD, as the ‘long arm of the government’ reaches into many venues.

References

· Topic 1: Trigona ransomware spotted in increasing attacks worldwide: https://www.bleepingcomputer.com/news/security/trigona-ransomware-spotted-in-increasing-attacks-worldwide/

· Topic 2: Crafty threat actor uses ‘aged’ domains to evade security platforms: https://www.bleepingcomputer.com/news/security/crafty-threat-actor-uses-aged-domains-to-evade-security-platforms/

· Topic 3: Defense Department Releases Zero Trust Strategy: https://www.lawfareblog.com/defense-department-releases-zero-trust-strategy

Supplemental: https://www.defense.gov/News/News-Stories/Article/Article/3229211/dod-releases-path-to-cyber-security-through-zero-trust-architecture/#:~:text=%22Zero%20trust%20is%20a%20framework,acting%20chief%20information%20officer%2C%20said.

About the Author

Ron McFarland, PhD, CISSP is a Senior Cybersecurity Consultant at CMTC (California Manufacturing Technology Consulting) in Torrance, CA. He received his doctorate from NSU’s School of Engineering and Computer Science, MSc in Computer Science from Arizona State University, and a Post-Doc graduate research program in Cyber Security Technologies from the University of Maryland. He taught Cisco CCNA (Cisco Certified Network Associate), CCNP (Cisco Certified Network Professional), CCDA (Design), CCNA-Security and other Cisco courses and was honored with the Cisco Academy Instructor (CAI) Excellence Award in 2010, 2011, and 2012 for excellence in teaching. He also holds multiple security certifications including the prestigious Certified Information Systems Security Professional (CISSP) certification and several Cisco certifications.

CONTACT Dr. Ron McFarland, PhD, MSc, CDNA, CISSP

· CMTC Email: rmcfarland@cmtc.com

· Email: highervista@gmail.com

· LinkedIn: https://www.linkedin.com/in/highervista/

· Website: https://www.highervista.com

· YouTube Channel: https://www.youtube.com/@RonMcFarland/featured

Written by Ron McFarland PhD

Cybersecurity Consultant, Educator, State-Certified Digital Forensics and Expert Witness (California, Arizona, New Mexico)