Introducing UltraAPI: Bash bots and secure APIs.

Vercara’s Open-Source Intelligence (OSINT) Report – May 17 – May 24, 2024

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Hacktivist group leverages ransomware for attention & not profit. 

(TLP: CLEAR) Researchers have observed a potential shift in the tactics, techniques, and procedures (TTPs) of various hacktivist groups over time. Recent reporting indicates that politically motivated hacktivist groups are increasingly using ransomware to disrupt targets and draw attention to their causes. The Ikaruz Red Team, along with groups like the Turk Hack Team and Anka Underground, have leveraged leaked ransomware builders in their attacks. These groups have targeted entities in the Philippines, conducting website defacements, small-scale distributed denial of service (DDoS) attacks, ransomware attacks, and hijacking government branding from the Computer Emergency Response Program (CERT-PH). According to researchers, the Ikaruz Red Team, once recognized for their website defacements, has shifted to small-scale ransomware attacks using modified LockBit 3 ransomware payloads. The group distributed these payloads and advertised data leaks from various organizations in the Philippines. Their ransom notes closely resemble the original LockBit templates. The group also employs other ransomware families, such as JellyFish, Vice Society, ALPHV, BianLian, 8base, and Cl0p. Investigators stress that this trend is part of increased hacktivist activities targeting the Philippines amid regional tensions with China. Over the past year, groups like Robin Cyber Hood, Philippine Exodus, Cyber Operations Alliance, and Philippine Hacking University have engaged in ransomware attacks, misinformation campaigns, and espionage.

(TLP: CLEAR) Comments: The Ikaruz Red Team is closely associated with the Anka Red Team and the Turk Hack Team, a pro-Hamas group known for website defacements and DDoS attacks. The Turk Hack Team has gained increased notoriety since the onset of the Israel-Hamas conflict. The Ikaruz Red Team has also appropriated imagery and branding from the Philippine Department of Information and Communications Technology’s Hack4Gov challenge in their defacements and social media profiles. This likely aims to mock the government’s cybersecurity efforts or disguise their activities behind official-looking icons. 

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.” 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.

Source: https://www.sentinelone.com/blog/ikaruz-red-team-hacktivist-group-leverages-ransomware-for-attention-not-profit/  

Threat actor claiming access to AWS, Azure, MongoDB & Github API keys. 

(TLP: CLEAR) According to a post on X (formerly known as Twitter), a threat actor, alias “carlos_hank,” claims to have accessed API keys for major cloud providers like Amazon Web Services (AWS), Microsoft Azure, and GitHub. These keys, described as “fresh and all working,” possess high permissions capable of compromising entire cloud infrastructures. Affected companies have acknowledged the claims and are investigating. Reporting suggests that users rotate their API keys and implement additional security measures such as multi-factor authentication (MFA). This development follows the takedown of Breach Forums, a prominent marketplace for cybercriminals to buy and sell various services and access to organizations. Despite this, threat actors are turning to other platforms to continue their activities. The actor “carlos_hank” has not provided proof of the stolen API keys, leaving the legitimacy of the claim uncertain. Historically, cybercriminals have made false claims to gain attention and popularity within the cybercriminal community.

(TLP: CLEAR) Comments: With access to API keys, threat actors could gain unauthorized entry to sensitive data stored in cloud databases, potentially causing a large-scale data breach affecting millions of users. To mitigate this risk, organizations should implement several key practices: regularly rotate API keys, restrict access based on the principle of least privilege, use encryption and secure storage management services to protect keys from unauthorized access, and closely monitor API key usage to detect any unusual activity. 
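The rotation and monitoring practices listed above can be checked mechanically. The following is an added example, not code from the report or from any cloud provider: it works over a constructed key inventory and a constructed usage audit trail (the field names, key ids, IP addresses and action names are assumptions for illustration), lists keys older than a 90-day rotation window, and flags any key used from a source IP it had never used during the baseline period or used for a privilege-management action that a least-privilege data-access key should not need.

```python
from datetime import datetime, timedelta, timezone

# Constructed key inventory and usage audit trail. Field names and values are
# illustrative assumptions, not any cloud provider's real schema.
KEY_INVENTORY = {
    "EXAMPLEKEY001": {"created": "2024-01-02T00:00:00Z", "owner": "ci-deploy"},
    "EXAMPLEKEY002": {"created": "2024-05-10T00:00:00Z", "owner": "analytics"},
}

USAGE_EVENTS = [
    {"ts": "2024-05-20T09:00:00Z", "key": "EXAMPLEKEY001", "src_ip": "203.0.113.10", "action": "storage:GetObject"},
    {"ts": "2024-05-20T09:05:00Z", "key": "EXAMPLEKEY001", "src_ip": "203.0.113.10", "action": "storage:GetObject"},
    {"ts": "2024-05-21T03:12:00Z", "key": "EXAMPLEKEY001", "src_ip": "198.51.100.77", "action": "iam:CreateUser"},
    {"ts": "2024-05-21T10:00:00Z", "key": "EXAMPLEKEY002", "src_ip": "192.0.2.5", "action": "storage:ListBucket"},
]

MAX_KEY_AGE = timedelta(days=90)
# Privilege-management actions a data-access key should never need (least privilege).
PRIVILEGED_ACTIONS = {"iam:CreateUser", "iam:AttachUserPolicy", "iam:CreateAccessKey"}


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def keys_due_for_rotation(inventory, now, max_age=MAX_KEY_AGE):
    """Return key ids older than the rotation window, oldest first."""
    due = [(parse_ts(meta["created"]), key) for key, meta in inventory.items()
           if now - parse_ts(meta["created"]) > max_age]
    return [key for _, key in sorted(due)]


def detect_anomalous_usage(events, baseline_until, privileged=PRIVILEGED_ACTIONS):
    """Flag usage after the baseline window from a source IP the key has never
    used before, and any use of a privilege-management action."""
    cutoff = parse_ts(baseline_until)
    known_ips = {}
    # Build the per-key baseline of source IPs seen up to the cutoff.
    for ev in events:
        if parse_ts(ev["ts"]) <= cutoff:
            known_ips.setdefault(ev["key"], set()).add(ev["src_ip"])
    alerts = []
    for ev in events:
        if parse_ts(ev["ts"]) > cutoff and ev["src_ip"] not in known_ips.get(ev["key"], set()):
            alerts.append((ev["ts"], ev["key"], "new_source_ip"))
        if ev["action"] in privileged:
            alerts.append((ev["ts"], ev["key"], "privileged_action"))
    return alerts


if __name__ == "__main__":
    now = datetime(2024, 5, 24, tzinfo=timezone.utc)
    print("due for rotation:", keys_due_for_rotation(KEY_INVENTORY, now))
    for alert in detect_anomalous_usage(USAGE_EVENTS, "2024-05-20T23:59:59Z"):
        print("alert:", *alert)
```

The baseline cutoff is a deliberate simplification; in production the set of known source addresses per key would be maintained continuously and an alert on a new address would be joined with the key's owner so that an expected change (a new CI runner, say) can be acknowledged rather than re-alerted.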

(TLP: CLEAR) Recommended best practices/regulations: OWASP API Top 10, API6:2023, “Unrestricted Access to Sensitive Business Flows”:  

“The mitigation planning should be done in two layers:  

“Business – identify the business flows that might harm the business if they are excessively used.  

“Engineering – choose the right protection mechanisms to mitigate the business risk.  

“Some of the protection mechanisms are more simple while others are more difficult to implement. The following methods are used to slow down automated threats:  

“Device fingerprinting: denying service to unexpected client devices (e.g headless browsers) tends to make threat actors use more sophisticated solutions, thus more costly for them  

“Human detection: using either captcha or more advanced biometric solutions (e.g. typing patterns)  

“Non-human patterns: analyze the user flow to detect non-human patterns (e.g. the user accessed the ‘add to cart’ and ‘complete purchase’ functions in less than one second)  

“Consider blocking IP addresses of Tor exit nodes and well-known proxies  

“Secure and limit access to APIs that are consumed directly by machines (such as developer and B2B APIs). They tend to be an easy target for attackers because they often don’t implement all the required protection mechanisms.” 
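The “non-human patterns” mitigation quoted above is straightforward to implement as a detection over access logs. The following is an added example, not code from OWASP, from the report, or from any Vercara product: it groups constructed API access events by session and reports every pair of business-flow steps completed faster than a human plausibly could. OWASP’s “add to cart, then complete purchase in under one second” is the first entry in the dwell-time table; the table itself, the session ids and the endpoint paths are assumptions, and the code generalizes OWASP’s single example to any configured step pair.

```python
from collections import defaultdict
from datetime import datetime

# Constructed API access events: (session id, ISO timestamp, endpoint).
SAMPLE_EVENTS = [
    ("sess-a1", "2024-05-20T10:00:00.000", "/cart/add"),
    ("sess-a1", "2024-05-20T10:00:47.200", "/checkout/complete"),
    ("sess-b7", "2024-05-20T10:01:00.000", "/cart/add"),
    ("sess-b7", "2024-05-20T10:01:00.310", "/checkout/complete"),
    ("sess-c3", "2024-05-20T10:02:00.000", "/checkout/complete"),  # no preceding add-to-cart
]

# Minimum plausible human dwell time between two business-flow steps, in
# seconds. The first pair is OWASP's own example; the thresholds are assumptions.
MIN_DWELL_SECONDS = {
    ("/cart/add", "/checkout/complete"): 1.0,
}


def find_non_human_flows(events, min_dwell=MIN_DWELL_SECONDS):
    """Return (session, from_step, to_step, elapsed_seconds) for every step pair
    completed faster than the configured minimum dwell time."""
    by_session = defaultdict(list)
    for session, ts, endpoint in events:
        by_session[session].append((datetime.fromisoformat(ts), endpoint))
    findings = []
    for session, rows in by_session.items():
        last_seen = {}  # endpoint -> most recent time it was hit in this session
        for ts, endpoint in sorted(rows):
            for (src, dst), threshold in min_dwell.items():
                if endpoint == dst and src in last_seen:
                    elapsed = (ts - last_seen[src]).total_seconds()
                    if elapsed < threshold:
                        findings.append((session, src, dst, round(elapsed, 3)))
            last_seen[endpoint] = ts
    return findings


if __name__ == "__main__":
    for finding in find_non_human_flows(SAMPLE_EVENTS):
        print("non-human flow:", *finding)
```

Only the session that completed the purchase 310 ms after adding to the cart is reported; a session that reaches the final step without the earlier one (sess-c3) is a different signal, worth its own rule, and is deliberately not conflated with the timing check here.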

(TLP: CLEAR) Vercara: Vercara UltraAPI, API Security/UltraAPI, offers a comprehensive solution to the complex challenges security teams face in safeguarding API applications against cyber threats. It provides thorough discovery of the entire API landscape, including external and internal APIs, assesses API risk posture to highlight critical vulnerabilities needing remediation, and delivers real-time protection to prevent API attacks, ensuring data safety, preventing fraud, and avoiding business disruptions. This solution stands out by addressing every phase of the API security lifecycle, promoting best practices in security and governance to eliminate risks effectively. 

Source: https://cybersecuritynews.com/threat-actor-claiming-access/  

Critical Fluent Bit flaw impacts all major cloud providers. 

(TLP: CLEAR) Recent reporting has highlighted a critical vulnerability in Fluent Bit that has impacted major cloud providers and tech giants, exposing them to denial-of-service (DoS) and remote code execution-style attacks. Fluent Bit, a widely used logging and metrics solution for Windows, Linux, and macOS, is integral to major Kubernetes distributions. Its rapid adoption saw downloads rise to over 13 billion by March 2024, up from three billion in October 2022. The vulnerability in question, CVE-2024-4323, named “Linguistic Lumberjack” by security researchers, arises from a heap buffer overflow in Fluent Bit’s embedded HTTP server during trace request parsing. According to reporting, this vulnerability, discovered in version 2.0.7, allows unauthenticated attackers to trigger DoS attacks and capture sensitive information. Furthermore, it involves sending maliciously crafted requests to the monitoring API through endpoints such as /api/v1/traces and /api/v1/trace. By default, data types are assumed to be strings (MSGPACK_OBJECT_STR), which can be exploited by passing non-string values, leading to memory corruption.  
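The class of defect described above, an element of untrusted structured input assumed to be a string and used as one without a type check, is avoidable at the parsing boundary. The following is an added example, not Fluent Bit’s code and not from the report: it validates a simplified, assumed request shape (`{"inputs": ["<plugin name>", ...]}`, in JSON rather than the msgpack encoding the page mentions) and rejects any element that is not a bounded, well-formed string before it is used. The size limits and allowed character set are assumptions for illustration.

```python
from __future__ import annotations

import json

# Assumed, simplified request shape: {"inputs": ["<plugin name>", ...]}. This
# illustrates the class of defect the page describes (every element assumed to
# be a string); it is not Fluent Bit's code, and the real API is msgpack-backed.
MAX_INPUTS = 32
MAX_NAME_LEN = 64
ALLOWED_NAME_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789._-")  # assumption


class InvalidRequest(ValueError):
    """Raised for any request that does not match the expected shape."""


def validate_trace_inputs(body: bytes) -> list[str]:
    """Parse a trace request and return its input names, or raise InvalidRequest.

    Every element is type-checked before it is used as a string; a non-string
    element is rejected instead of being reinterpreted.
    """
    try:
        doc = json.loads(body)
    except ValueError as exc:  # includes JSONDecodeError and UnicodeDecodeError
        raise InvalidRequest(f"malformed JSON: {exc}") from None
    if not isinstance(doc, dict):
        raise InvalidRequest("body must be an object")
    inputs = doc.get("inputs")
    if not isinstance(inputs, list):
        raise InvalidRequest("'inputs' must be an array")
    if len(inputs) > MAX_INPUTS:
        raise InvalidRequest("too many inputs")
    names: list[str] = []
    for idx, item in enumerate(inputs):
        if not isinstance(item, str):  # the type check that must precede any string use
            raise InvalidRequest(f"inputs[{idx}] is {type(item).__name__}, expected string")
        if not 0 < len(item) <= MAX_NAME_LEN:
            raise InvalidRequest(f"inputs[{idx}] has invalid length")
        if not set(item) <= ALLOWED_NAME_CHARS:
            raise InvalidRequest(f"inputs[{idx}] contains disallowed characters")
        names.append(item)
    return names


def is_valid_trace_request(body: bytes) -> bool:
    """Convenience wrapper: True when the request passes validation."""
    try:
        validate_trace_inputs(body)
        return True
    except InvalidRequest:
        return False


if __name__ == "__main__":
    for sample in (b'{"inputs": ["dummy.0", "tail.1"]}', b'{"inputs": ["dummy.0", 42]}'):
        print(sample, "->", "accepted" if is_valid_trace_request(sample) else "rejected")
```

In a memory-safe language the missing check would surface as an exception; in C it is the difference between reading a string’s length and pointer fields and reading whatever bytes happen to sit in a differently typed object, which is why the same validation belongs at the boundary regardless of language.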

(TLP: CLEAR) Comments: Under certain conditions, the aforementioned vulnerability can enable remote code execution. However, developing a reliable exploit for this is notably challenging and time-consuming, making it a less immediate but still significant threat. Additionally, security researchers reported the vulnerability in Fluent Bit to the vendor on April 30, with a patch released on May 15. The official patch release is expected in Fluent Bit 3.0.4, and users are advised to upgrade to this version once available.

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-41 Revision 1, “Guidelines on Firewalls and Firewall Policy”: “The HTTP protocol used in web servers has been exploited by attackers in many ways, such as to place malicious software on the computer of someone browsing the web, or to fool a person into revealing private information that they might not have otherwise. Many of these exploits can be detected by specialized application firewalls called web application firewalls that reside in front of the web server.”

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, helps prevent common exploits of vulnerabilities in web applications that could lead to the insertion of malware. Signatures for new vulnerabilities are constantly updated, along with granular input validation controls and traffic filtering measures for flexibility.  UltraWAF includes a number of tools for managing both benign and malicious bots, including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks.  

Vercara UltraAPI Bot Manager, API Security/UltraAPI, detects and prevents sophisticated automated API attacks and business logic abuse using hundreds of ML rules that leverage an API threat database with billions of malicious behaviors, IP addresses, and organizations. Native, policy-based response options ensure that detected attacks are blocked in real-time without reliance on a third-party WAF or other security components.  

Source: https://www.bleepingcomputer.com/news/security/critical-fluent-bit-flaw-impacts-all-major-cloud-providers/  

Ransomware gang claims Atlas hack, one of the largest US oil distributors. 

(TLP: CLEAR) Recent reporting has revealed that the Blackbasta ransomware gang has added Atlas, a major national fuel distributor in the US, to its data leak list. The group claims to have stolen 730GB of data from the company, including corporate, departmental, user, and employee information. As evidence, they have posted sample screenshots of the stolen data, which appear to include ID cards, data sheets, payroll requests, and a folder exfiltrated from a targeted system. Atlas distributes over 1 billion gallons of fuel annually across 49 continental US states. Additionally, Blackbasta has set a timer on the Atlas listing, indicating how long the company has to contact them and pay the demanded ransom. Atlas has yet to release an official statement, leaving the validity of the claims uncertain. If no contact is made, the full extent of the alleged 730GB of stolen data is expected to be released in approximately five days. 

(TLP: CLEAR) Comments: Blackbasta was mentioned in previous Vercara reporting, highlighting the group’s alleged responsibility for targeting Ascension hospitals. Based on recent reporting, this development follows a Cybersecurity and Infrastructure Security Agency (CISA) advisory on Blackbasta, which has impacted over 500 organizations globally as of May 2024, spanning businesses and critical infrastructure in North America, Europe, and Australia. The attack on Atlas highlights Blackbasta’s focus on critical infrastructure and underscores the importance of robust cybersecurity measures. CISA’s advisory provides key TTPs, IOCs, and best practices to defend against such threats. Recommendations include promptly installing updates for systems and software, implementing multi-factor authentication, and training users to recognize attack vectors like phishing.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations. 

Source: https://securityaffairs.com/163489/cyber-crime/blackbasta-claims-atlas-hack.html 

Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a  

Ransomware and AI-powered hacks drive cyber investment. 

(TLP: CLEAR) Recent reporting has highlighted a surge in sophisticated cyber-attacks, underscoring the substantial financial repercussions for businesses. Ransomware attacks, in particular, have become increasingly prevalent and costly. These attacks not only involve ransom payments, often demanded in cryptocurrency, but also incur significant expenses related to incident investigation, system and data restoration, and revenue losses due to operational downtime. This trend emphasizes the critical need for robust cybersecurity measures to protect against such pervasive threats. Furthermore, reporting suggests that the average cost for businesses ranges from hundreds of thousands to millions of dollars, depending on the organization’s size and industry. Additionally, indirect costs, such as reputational damage and legal fees, can significantly exacerbate the financial burden. These costs highlight the critical importance of robust cybersecurity measures to protect against ransomware threats and mitigate their financial impact. 

(TLP: CLEAR) Comments: The advent of AI-powered cyber-attacks introduces new challenges and potential costs for businesses. These attacks use machine learning algorithms to automate and enhance their effectiveness, making them significantly harder to detect and counteract. By leveraging AI, cybercriminals can craft more sophisticated and targeted attacks, increasing the complexity of defense strategies and potentially leading to greater financial and operational damage. As a result, businesses must adapt by implementing advanced security measures to combat this evolving threat landscape. 

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS Request For Comment 9424 “Indicators of Compromise (IoCs) and Their Role in Attack Defence” Section 3.4.2: “Deployment: IoCs can be particularly effective at mitigating malicious activity when deployed in security controls with the broadest impact. This could be achieved by developers of security products or firewalls adding support for the distribution and consumption of IoCs directly to their products, without each user having to do it, thus addressing the threat for the whole user base at once in a machine-scalable and automated manner. This could also be achieved within an enterprise by ensuring those control points with the widest aperture (for example, enterprise-wide DNS resolvers) are able to act automatically based on IoC feeds.” Protective DNS solutions incorporate a wide variety of IoC feeds to detect and block malware and other abuse at the network level for many users.  

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations. 

Source: https://securityaffairs.com/163489/cyber-crime/blackbasta-claims-atlas-hack.html  

Chinese “orb” networks conceal APTs, render static IOCs irrelevant. 

(TLP: CLEAR) According to recent reporting, Chinese-backed threat actors, including groups like Volt Typhoon, are increasingly using proxy networks known as operational relay boxes (ORBs) for cyber espionage. ORBs are mesh networks similar to botnets, composed of compromised devices such as virtual private servers (VPS), Internet of Things (IoT) devices, smart devices, and routers. These devices serve as global proxies, forming nodes in the ORB network. This effectively transforms them into covert outposts for intelligence services or cyber espionage groups, enhancing their ability to conduct sophisticated cyber operations. Researchers have classified ORB networks into two categories: provisioned and non-provisioned. Provisioned networks use commercially leased VPS space managed by ORB administrators, such as ORB3 or SPACEHOP, controlled by Chinese intelligence. Non-provisioned networks consist of compromised end-of-life routers and IoT devices, like ORB1 or ORBWEAVER and ORB3 or FLORAHOX. Hybrid networks combine both leased VPS devices and compromised devices. Administrators use various autonomous system number (ASN) providers across regions to minimize exposure and dependence on any single nation’s internet infrastructure. An ASN uniquely identifies a network or group of networks on the internet managed by a single administrative entity. 

(TLP: CLEAR) Comments: ORBs facilitate cyber espionage by obfuscating traffic between command-and-control (C2) infrastructure and target environments, often exploiting zero-day vulnerabilities in edge devices. The extensive use of ORBs by Chinese threat actors confounds network defenses, making traditional indicators of compromise (IoC) futile due to frequent changes in network infrastructure. This tactic obfuscates the traffic’s origin, complicating attribution. Reporting suggests that the rise in ORB usage signifies a significant investment in advanced tactics and tools for enterprise exploitation, increasing defense costs and giving an advantage to espionage operators.  

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events.”

One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
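Both the RFC 9424 passage quoted earlier (IoC feeds acting automatically at the enterprise resolver, the control point with the widest aperture) and the network-level detection described above come down to a classification step on each DNS query. The following is an added example, not code from the report, from Vercara UltraDDR, or from any resolver: it consumes a constructed IoC domain feed and constructed resolver log lines (all names, addresses and thresholds are assumptions for illustration), blocks queries whose name or any parent domain is in the feed, and marks as suspect two of the C2 patterns named in the text, long high-entropy labels typical of domain generation algorithms and long encoded subdomain payloads typical of DNS tunnelling. The heuristics are intentionally simple and are meant as triage signals, not verdicts.

```python
import math
from collections import Counter

# Constructed IoC feed of known-bad domains, standing in for the CTI feeds a
# protective DNS resolver would consume (RFC 9424's "widest aperture" control).
IOC_DOMAINS = {"malware-c2.example", "phish-login.example.net"}

# Constructed resolver log lines: timestamp, client IP, query name, record type.
SAMPLE_LOG = """\
2024-05-20T10:00:00Z 10.0.0.5 www.example.com A
2024-05-20T10:00:01Z 10.0.0.5 cdn.malware-c2.example. A
2024-05-20T10:00:02Z 10.0.0.9 xk3jq9pl2mz7wvb4tr8n.example.org A
2024-05-20T10:00:03Z 10.0.0.9 4a6f686e2e446f65.5061737377307264.313233343536373839.data.exfil.example TXT
"""

# Heuristic thresholds; assumptions for illustration, to be tuned per environment.
DGA_MIN_LABEL_LEN = 16
DGA_MIN_ENTROPY = 3.5
TUNNEL_MIN_PAYLOAD_LEN = 48


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot of a fully qualified name."""
    return qname.lower().rstrip(".")


def parent_domains(qname: str):
    """Yield the name itself and every parent down to (but excluding) the bare TLD."""
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the given string."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def classify_query(qname: str, ioc_domains=IOC_DOMAINS):
    """Return (verdict, reason) where verdict is 'block', 'suspect' or 'allow'."""
    name = normalize(qname)
    # 1. Exact or parent-domain match against the IoC feed: block.
    for candidate in parent_domains(name):
        if candidate in ioc_domains:
            return "block", f"ioc:{candidate}"
    labels = name.split(".")
    # 2. Long encoded payload in the subdomain labels: possible DNS tunnelling.
    payload = ".".join(labels[:-2])
    if len(payload) >= TUNNEL_MIN_PAYLOAD_LEN:
        return "suspect", "possible-tunnel"
    # 3. A long, high-entropy label: possible DGA-generated name.
    for label in labels[:-1]:
        if len(label) >= DGA_MIN_LABEL_LEN and shannon_entropy(label) >= DGA_MIN_ENTROPY:
            return "suspect", "possible-dga"
    return "allow", "no-match"


def process_log(log_text: str, ioc_domains=IOC_DOMAINS):
    """Classify every query in the log; returns (client, qname, verdict, reason) rows."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype = line.split()
        verdict, reason = classify_query(qname, ioc_domains)
        results.append((client, normalize(qname), verdict, reason))
    return results


if __name__ == "__main__":
    for row in process_log(SAMPLE_LOG):
        print(*row)
```

Walking the parent domains is what makes a feed entry for `malware-c2.example` also catch `cdn.malware-c2.example`; the entropy and payload-length checks produce a “suspect” verdict rather than a block precisely because CDN hostnames and legitimate TXT-based protocols can trip them, so in practice they feed an alert queue while the IoC match enforces.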

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections. 

Source: https://www.darkreading.com/cybersecurity-operations/chinese-orb-networks-conceal-apts-make-tracking-iocs-irrelevant 

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please visit our solutions overview page or contact us.
