Feb 24, 2024NewsroomActive Directory / Data Protection

Microsoft has expanded free logging capabilities to all U.S. federal agencies using Microsoft Purview Audit irrespective of the license tier, more than six months after a China-linked cyber espionage campaign targeting two dozen organizations came to light.

“Microsoft will automatically enable the logs in customer accounts and increase the default log retention period from 90 days to 180 days,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said.

“Also, this data will provide new telemetry to help more federal agencies meet logging requirements mandated by [Office of Management and Budget] Memorandum M-21-31.”

Microsoft, in July 2023, disclosed that a China-based nation-state activity group known as Storm-0558 gained unauthorized access to approximately 25 entities in the U.S. and Europe as well as a small number of related individual consumer accounts.

“Storm-0558 operates with a high degree of technical tradecraft and operational security,” the company noted. “The actors are keenly aware of the target’s environment, logging policies, authentication requirements, policies, and procedures.”

The campaign is believed to have commenced in May 2023, but detected only a month later after a U.S. federal agency, later revealed to be the State Department, uncovered suspicious activity in unclassified Microsoft 365 audit logs and reported it to Microsoft.

The breach was detected by leveraging enhanced logging in Microsoft Purview Audit, specifically using the MailItemsAccessed mailbox-auditing action that’s typically available for Premium subscribers.

The Windows maker subsequently acknowledged that a validation error in its source code allowed for Azure Active Directory (Azure AD) tokens to be forged by Storm-0558 using a Microsoft account (MSA) consumer signing key, and then use them to penetrate the mailboxes.

The attackers are estimated to have stolen at least 60,000 unclassified emails from Outlook accounts belonging to State Department officials stationed in East Asia, the Pacific, and Europe, Reuters reported in September 2023. Beijing has denied the allegations.

It also faced intense scrutiny for withholding basic-yet-crucial logging capabilities to entities that are on the more expensive E5 or G5 plan, prompting the company to make changes.

“We recognize the vital importance that advanced logging plays in enabling federal agencies to detect, respond to, and prevent even the most sophisticated cyberattacks from well-resourced, state-sponsored actors,” Microsoft’s Candice Ling said. “For this reason, we have been collaborating across the federal government to provide access to advanced audit logs.”

Feb 12, 2024NewsroomVulnerability / Data Recovery

Cybersecurity researchers have uncovered an “implementation vulnerability” that has made it possible to reconstruct encryption keys and decrypt data locked by Rhysida ransomware.

The findings were published last week by a group of researchers from Kookmin University and the Korea Internet and Security Agency (KISA).

“Through a comprehensive analysis of Rhysida Ransomware, we identified an implementation vulnerability, enabling us to regenerate the encryption key used by the malware,” the researchers said.

The development marks the first successful decryption of the ransomware strain, which first made its appearance in May 2023. A recovery tool is being distributed through KISA.

The study is also the latest to achieve data decryption by exploiting implementation vulnerabilities in ransomware, after Magniber v2, Ragnar Locker, Avaddon, and Hive.

Rhysida, which is known to share overlaps with another ransomware crew called Vice Society, leverages a tactic known as double extortion to apply pressure on victims into paying up by threatening to release their stolen data.

An advisory published by the U.S. government in November 2023 called out the threat actors for staging opportunistic attacks targeting education, manufacturing, information technology, and government sectors.

A thorough examination of the ransomware’s inner workings has revealed its use of LibTomCrypt for encryption as well as parallel processing to speed up the process. It has also been found to implement intermittent encryption (aka partial encryption) to evade detection by security solutions.

“Rhysida ransomware uses a cryptographically secure pseudo-random number generator (CSPRNG) to generate the encryption key,” the researchers said. “This generator uses a cryptographically secure algorithm to generate random numbers.”

Specifically, the CSPRNG is based on the ChaCha20 algorithm provided by the LibTomCrypt library, with the random number generated also correlated to the time at which Rhysida ransomware is running.

That’s not all. The main process of Rhysida ransomware compiles a list of files to be encrypted. This list is subsequently referenced by various threads created to simultaneously encrypt the files in a specific order.

“In the encryption process of the Rhysida ransomware, the encryption thread generates 80 bytes of random numbers when encrypting a single file,” the researchers noted. “Of these, the first 48 bytes are used as the encryption key and the [initialization vector].”

Using these observations as reference points, the researchers said they were able to retrieve the initial seed for decrypting the ransomware, determine the “randomized” order in which the files were encrypted, and ultimately recover the data without having to pay a ransom.

“Although these studies have a limited scope, it is important to acknowledge that certain ransomwares […] can be successfully decrypted,” the researchers concluded.

Wing Security announced today that it now offers free discovery and a paid tier for automated control over thousands of AI and AI-powered SaaS applications. This will allow companies to better protect their intellectual property (IP) and data against the growing and evolving risks of AI usage.

SaaS applications seem to be multiplying by the day, and so does their integration of AI capabilities. According to Wing Security, a SaaS security company that researched over 320 companies, a staggering 83.2% use GenAI applications. While this statistic might not come as a surprise, the research showed that 99.7% of organizations use SaaS applications that leverage AI capabilities to deliver their services. This usage of GenAI in SaaS applications that are not ‘pure’ AI often goes unnoticed by security teams and users alike.

70% of the most popular GenAI applications may use your data to train their models, and in many cases it’s completely up to you to configure it differently.

When examining hundreds of AI-using SaaS applications, Wing Security was able to categorize the different ways in which these applications use organizational data, as well as offer a solution to this new threat:

Data storing: In some cases, data is stored by the AI for very long periods of time; in others, it can be stored for short periods only. Storing data allows AI learning models, and future models, to continually train on it. That said, the main concern is when considering the many different types of attacks seen on SaaS applications. When an application is compromised, the data it stores might be compromised too.

Model training: By processing vast amounts of information, AI systems can identify patterns, trends, and insights that may elude human analysis. Through machine learning algorithms, AI models learn from data and adapt over time, refining their performance and accuracy, resulting in better service to their end users. On the downside, allowing these models to learn your code, patents, sales, and marketing know-how provides AI-using applications with the potential means to commoditize your organization’s competitive edge. To some, these knowledge leaks are considered more significant than data leaks

The human element: Certain AI applications leverage human validation to ensure the accuracy and reliability of the data they gather. This collaborative approach, often referred to as human-in-the-loop or human-assisted AI, involves integrating human expertise into the algorithmic decision-making process. This results in higher accuracy for the AI model, but also means a human, working for the GenAI application, is exposed to potentially sensitive data and know-how.

Leveraging automation to combat AI-SaaS risks

Wing’s recently released AI solution guarantees security teams will better adapt to, and control, the ever-growing and practically unstoppable AI usage in their organizations. Their solution follows three basic steps – Know, Assess, Control.

Know: As with many security risks, the first step is to discover them all. In the case of AI, it is not enough to simply flag the “usual suspects” or the pure GenAI applications such as ChatGPT or Bard. With thousands of SaaS applications now using AI to improve their service, discovery must include any application leveraging customer data to improve their models. As with their previous solutions, Wing is offering this first and fundamental step as a free, self-service solution for users to self-onboard and start discovering the magnitude of AI-powered applications used by their employees.

Assess: Once AI-using SaaS has been uncovered, Wing automatically provides a security score and details the ways in which company data is used by the AI: How long is it stored for? Is there a human factor? And perhaps most importantly, is it configurable? Providing a detailed view of the application’s users, permissions, and security information. This automatic analysis allows security teams to make better-informed decisions.

Control: Wing’s discovery and analysis pin-points the most critical issues to address, allowing security teams to easily understand the level of risk and types of actions needed. For example, deciding whether or not they should permit a certain application’s usage or simply configure the AI elements to better match their security policy.

The Secret: Automating All Of The Above

By automating Discovery, Assessment and Control, security teams save time on figuring out where to focus their efforts instead of spreading themselves thin trying to solve a huge and evolving attack surface. Subsequently, this significantly reduces risk.

Wing’s automated workflows also allow for a unique cross-organizational solution: By allowing users to directly communicate with the application’s admin or users, Wing prompts better-informed security solutions alongside a stronger security culture of inclusion rather than simple black or white listing.

In an era where SaaS applications are omnipresent, their integration with artificial intelligence raises a new type of challenge. On the one hand, AI usage has become a great tool for boosting productivity, and employees should be able to use it for its many benefits. On the other hand, as the reliance on AI in SaaS applications continues to surge, the potential risks associated with data usage become more pronounced.

Wing Security has responded to this challenge by introducing a new approach, aimed at empowering organizations to navigate and control the escalating use of AI within their operations, while involving the end users in the loop and ensuring they may use the AI-SaaS they need, safely. Their automated control platform provides a comprehensive understanding of how AI applications utilize organizational data and know-how, addressing issues such as data storing, model training, and the human element in the AI loop. Security teams can save precious time thanks to clear risk-prioritization and user involvement.

Jan 10, 2024NewsroomRansomware / Data Security

A decryptor for the Tortilla variant of the Babuk ransomware has been released by Cisco Talos, allowing victims targeted by the malware to regain access to their files.

The cybersecurity firm said the threat intelligence it shared with Dutch law enforcement authorities made it possible to arrest the threat actor behind the operations.

The encryption key has also been shared with Avast, which had previously released a decryptor for Babuk ransomware after its source code was leaked in September 2021. The updated decryptor can be accessed here [EXE file].

“A single private key is used for all victims of the Tortilla threat actor,” Avast noted. “This makes the update to the decryptor especially useful, as all victims of the campaign can use it to decrypt their files.”

The Tortilla campaign was first disclosed by Talos in November 2021, with the attacks leveraging ProxyShell flaws in Microsoft Exchange servers to drop the ransomware within victim environments.

Tortilla is one among the many ransomware variants that have based their file-encrypting malware on the leaked Babuk source code. This includes Rook, Night Sky, Pandora, Nokoyawa, Cheerscrypt, AstraLocker 2.0, ESXiArgs, Rorschach, RTM Locker, and RA Group.

The development comes as German cybersecurity firm Security Research Labs (SRLabs) released a decryptor for Black Basta ransomware called Black Basta Buster by taking advantage of a cryptographic weakness to recover a file either partially or fully.

“Files can be recovered if the plaintext of 64 encrypted bytes is known,” SRLabs said. “Whether a file is fully or partially recoverable depends on the size of the file.”

“Files below the size of 5000 bytes cannot be recovered. For files between 5000 bytes and 1GB in size, full recovery is possible. For files larger than 1GB, the first 5000 bytes will be lost but the remainder can be recovered.”

Bleeping Computer reported late last month that the Black Basta developers have since fixed the issue, preventing the tool from working with newer infections.

The U.S. Justice Department (DoJ) has officially announced the disruption of the BlackCat ransomware operation and released a decryption tool that more than 500 affected victims can use to regain access to files locked by the malware.

Court documents show that the U.S. Federal Bureau of Investigation (FBI) enlisted the help of a confidential human source (CHS) to act as an affiliate for the BlackCat group and gain access to a web panel used for managing the gang’s victims, in what’s a case of hacking the hackers.

The confiscation effort involved collaboration and assistance from multiple law enforcement agencies from the U.S., Germany, Denmark, Australia, the U.K., Spain, Switzerland, and Austria.

BlackCat, also called ALPHV, GOLD BLAZER, and Noberus, first emerged in December 2021 and has since gone on to be the second most prolific ransomware-as-a-service variant in the world after LockBit. It’s also the first Rust-language-based ransomware strain spotted in the wild.

The development puts an end to speculations of a rumored law enforcement action after its dark web leak portal went offline on December 7, only to resurface five days later with just a single victim.

The FBI said it worked with dozens of victims in the U.S. to implement the decryptor, saving them from ransom demands totaling about $68 million, and that it also gained insight into the ransomware’s computer network, allowing it to collect 946 public/private key pairs used to host the TOR sites operated by the group and dismantle them.

One important thing to note here is that creating a hidden service with the .onion URL on the TOR anonymization network generates a unique key pair comprising a private and public key (aka the identifier) that can be used to access and control the URL.

An actor who is in possession of the key pair can, therefore, broadcast a new route redirecting traffic for the .onion site to a different server under their control.

BlackCat, like several other ransomware gangs, uses a ransomware-as-a-service model involving a mix of core developers and affiliates, who rent out the payload and are responsible for identifying and attacking high-value victim institutions.

It also employs the double extortion scheme to put pressure on victims to pay up by exfiltrating sensitive data prior to encryption.

“BlackCat affiliates have gained initial access to victim networks through a number of methods, including leveraging compromised user credentials to gain initial access to the victim system,” the DoJ said.

In all, the financially motivated actor is estimated to have compromised the networks of more than 1,000 victims across the world to earn nearly $300 million in illegal revenues as of September 2023.

Image Source: Resecurity

If anything, the takedown has proven to be a blessing in disguise for rival groups like LockBit, which is already capitalizing on the situation by actively recruiting displaced affiliates, offering its data leak site to resume victim negotiations.

Speaking to malware research group vx-underground, a BlackCat spokesperson said “they have moved their servers and blogs,” claiming that the law enforcement agencies only had access to a “stupid old key” for the old blog site which was deleted by the group a long time ago and has since not been used.

The threat actor’s newest leak website remains operational as of writing. “On December 13, the group published the first victim to its new leak site,” Secureworks said. “As of December 19, five victims were posted to the new site, demonstrating the group retained some operational capacity.”

However, hours after the takedown, the BlackCat group took steps to “unseize” the main leak site using the same set of cryptographic keys necessary to host the hidden service on the TOR network and post its own seizure notice.

It has also given affiliates the green light to infiltrate critical infrastructure entities such as hospitals and nuclear power plants as well as other targets with the exception of those inside the Commonwealth of Independent States (CIS) as a retaliatory measure. The FBI has since re-seized the website.

“The threats seem like ‘now you’ve done it’ posturing but, this group has a documented history of attacking healthcare and energy infrastructure targets already, so it feels like bluster,” Secureworks Counter Threat Unit (CTU) told The Hacker News.

“Given that such activity appears more likely to bring law enforcement attention – which is why many groups explicitly avoid it – it seems unlikely that affiliates will choose to specifically target such organizations, especially as ransomware is a crime of opportunity for the most part and based on available access to victim networks.”

“That said, some less risk averse affiliates may be more willing to target energy and healthcare organizations. The flip side is that it is just as likely that the uncertainty caused by the law enforcement disruption will drive affiliates away from BlackCat into the arms of other ransomware operators, such as LockBit. Such interventions breed distrust and paranoia among ransomware group members and affiliates.”

In a conversation with vx-underground, a LockBit administrator described the situation as “unfortunate” and that security loopholes in their infrastructure are a primary threat to “my business.”

(The story was updated after publication to include additional information about the infrastructure seizure.)