Is the LockBit ransomware gang slipping, or is IT allowing them to look good?
Welcome to Cyber Security Today. It’s Friday, April 21st, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
Some of the people behind the LockBit ransomware gang may not be as skilled as the IT industry thinks. That’s the conclusion in a report this week by researchers at Avertium. LockBit is a ransomware-as-a-service operation. That means affiliates do the initial compromises of targets. But there have been a few recent slips. Last week LockBit mistakenly listed security provider Darktrace as a victim on its data leak site when it meant a similarly named company. And there’s evidence that gang members have been clumsy in their attempts to exfiltrate data and in properly deploying the ransomware. Still, LockBit is prolific in the volume of its attacks.
But something else was interesting in the report. Avertium was called in to investigate a LockBit victim. It found signs the intruders were, again, clumsy: For example, they only encrypted about 10 per cent of the victim firm’s files despite their access. However, the IT department of the organization was inept. How did the attackers get in? By brute-forcing a vulnerable password, helped by a poorly-configured firewall. This attack could have been stopped if IT had followed basic cybersecurity hygiene.
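The brute-force entry described above is the kind of thing basic hygiene catches early: a burst of failed logins from one source, followed by a success, is visible in ordinary authentication logs. The following is an added example, not code from the report or from Avertium, that parses constructed sshd-style log lines and flags a source address that produces a burst of failures inside a sliding window, and whether a login later succeeded from that address. The log lines, the threshold, the window and the year (syslog lines carry none) are all assumptions.

```python
"""Flag password brute-force bursts in auth log lines (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log; the addresses are documentation ranges, not a real incident.
SAMPLE_LOG = """\
Apr 19 02:14:01 vpn-gw sshd[1201]: Failed password for admin from 203.0.113.45 port 50122 ssh2
Apr 19 02:14:03 vpn-gw sshd[1202]: Failed password for admin from 203.0.113.45 port 50123 ssh2
Apr 19 02:14:05 vpn-gw sshd[1203]: Failed password for administrator from 203.0.113.45 port 50124 ssh2
Apr 19 02:14:09 vpn-gw sshd[1204]: Failed password for invalid user backup from 203.0.113.45 port 50125 ssh2
Apr 19 02:14:12 vpn-gw sshd[1205]: Failed password for admin from 203.0.113.45 port 50126 ssh2
Apr 19 02:14:20 vpn-gw sshd[1206]: Failed password for admin from 203.0.113.45 port 50127 ssh2
Apr 19 02:14:31 vpn-gw sshd[1207]: Accepted password for admin from 203.0.113.45 port 50128 ssh2
Apr 19 02:40:10 vpn-gw sshd[1300]: Failed password for alice from 198.51.100.7 port 41002 ssh2
Apr 19 02:40:25 vpn-gw sshd[1301]: Accepted password for alice from 198.51.100.7 port 41003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2023):
    """Return (timestamp, result, user, ip) tuples. Syslog has no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that are not password-auth events are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag source IPs with >= threshold failures inside any sliding window of `window` length.

    For each flagged IP the result records the total failures, the usernames tried,
    and whether an Accepted login from that IP follows the last burst (the signal that
    a guessed password worked and needs incident response, not just a block).
    """
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, _user, ip in events:
        (failures if result == "Failed" else successes)[ip].append(ts)

    findings = {}
    for ip, times in failures.items():
        times.sort()
        start, burst_end = 0, None
        for i, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if i - start + 1 >= threshold:
                burst_end = t  # times[start..i] are >= threshold failures within the window
        if burst_end is None:
            continue
        findings[ip] = {
            "failures": len(times),
            "usernames": sorted({u for _, r, u, a in events if a == ip and r == "Failed"}),
            "success_after_burst": any(s >= burst_end for s in successes.get(ip, [])),
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, info)
```

On the constructed data only 203.0.113.45 is flagged: six failures across three usernames inside twenty seconds, then an accepted login, which is the pattern that should page someone. The single failure from 198.51.100.7 is ordinary user behaviour and stays quiet. The same window logic applies to VPN or RDP logs once the regex is swapped for their format.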
In my Week in Review podcast later today, guest commentator Terry Cutler and I will discuss more cyber attacks that could have been stopped: They include ransomware attacks that exploited a vulnerability in the GoAnywhere MFT file transfer utility. In some cases the attackers were able to create fake user accounts after breaking in. That shouldn’t be possible. Another attack we’ll talk about is the compromise of the 3CX telephony app that started with an employee downloading a compromised trading app on his personal computer.
More on ransomware: The Black Basta ransomware gang briefly listed the U.K. IT services firm Capita as one of its victims this week. Capita hasn’t confirmed it was hit by ransomware, but it did say some limited data including customer names and supplier information might have been copied. It said the attack primarily impacted the company’s internal Microsoft Office 365 applications.
And an American healthcare insurer and services provider called Point32Health says it had to take some IT systems offline this week after a ransomware attack. Systems affected include websites and phone lines.
Everyone is interested in ChatGPT — even crooks. According to researchers at Palo Alto Networks, there are now lots of fake websites trying to lure unsuspecting victims into downloading what they think are ChatGPT apps or APIs. What they really get is malware. So be careful where you go to get ChatGPT. It’s available at OpenAI.com. And it’s free. You’ve gone to the wrong site if it asks for money or personal information.
Finally, website administrators have to make sure their sites are locked down and can’t be compromised by the addition of malicious code. The reason I’m reminding you of this now is that researchers at Sucuri say threat actors are compromising WordPress sites by installing a very old plugin called Eval PHP to add a backdoor to the site’s database. How old is this plugin? It hasn’t been updated in over a decade. In fact it has very few real active installations today. But, says the report, since the beginning of April downloads of Eval PHP have jumped as crooks find ways of installing it. So WordPress admins should do a couple of things: Look for signs that Eval PHP might have been recently added to their sites. And lock down access to the site so unapproved plugins and code can’t be added.
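Both of those admin tasks can be scripted. The following is an added example, not code from Sucuri or from the WordPress project, that audits a WordPress install three ways: it lists plugin directories that are not on an approved list or were changed recently, it checks whether wp-config.php sets WordPress’s documented DISALLOW_FILE_MODS constant (which disables plugin and theme installation and editing from the dashboard), and it scans post rows for the [evalphp] shortcode the plugin executes. The approved-plugin list, the sample site tree and the post rows are constructed for the demo; the shortcode content is a placeholder, not real injected code.

```python
"""Audit a WordPress install for Eval PHP and missing install lockdown (added example)."""
import os
import re
import tempfile
import time
from pathlib import Path

# Constructed allowlist: the plugins this site is supposed to run.
APPROVED_PLUGINS = {"akismet"}

# Matches define('DISALLOW_FILE_MODS', true) with any quoting or spacing.
DISALLOW_RE = re.compile(r"define\(\s*['\"]DISALLOW_FILE_MODS['\"]\s*,\s*true\s*\)", re.I)
# The plugin runs PHP placed inside [evalphp] ... [/evalphp] in post content.
EVALPHP_RE = re.compile(r"\[evalphp\b", re.I)


def installed_plugins(root):
    """Map plugin directory name -> age in days since last modification."""
    plugins_dir = Path(root) / "wp-content" / "plugins"
    now = time.time()
    return {p.name: (now - p.stat().st_mtime) / 86400 for p in plugins_dir.iterdir() if p.is_dir()}


def file_mods_locked(wp_config_text):
    """True if wp-config.php blocks dashboard plugin/theme installs and edits."""
    return bool(DISALLOW_RE.search(wp_config_text))


def posts_with_evalphp(rows):
    """IDs of (id, status, content) rows whose content carries an [evalphp] shortcode."""
    return [pid for pid, _status, content in rows if EVALPHP_RE.search(content or "")]


def audit_site(root, post_rows, recent_days=30):
    """Combine the three checks into one report for the site at `root`."""
    root = Path(root)
    plugins = installed_plugins(root)
    return {
        "unexpected_plugins": sorted(n for n in plugins if n not in APPROVED_PLUGINS),
        "recently_changed_plugins": sorted(n for n, age in plugins.items() if age <= recent_days),
        "file_mods_locked": file_mods_locked((root / "wp-config.php").read_text()),
        "posts_with_evalphp": posts_with_evalphp(post_rows),
    }


# Constructed rows standing in for SELECT ID, post_status, post_content FROM wp_posts.
SAMPLE_POSTS = [
    (12, "publish", "<p>Welcome to our site.</p>"),
    (3190, "draft", "[evalphp] /* constructed placeholder for injected PHP */ [/evalphp]"),
]


def build_sample_site(root):
    """Create a minimal constructed WordPress tree: one old approved plugin, one fresh Eval PHP."""
    plugins = root / "wp-content" / "plugins"
    (plugins / "akismet").mkdir(parents=True)
    old = time.time() - 400 * 86400
    os.utime(plugins / "akismet", (old, old))  # installed long ago
    (plugins / "evalphp").mkdir()
    (plugins / "evalphp" / "evalphp.php").write_text("<?php // plugin stub\n")
    (root / "wp-config.php").write_text("<?php\ndefine('DB_NAME', 'wp');\n")  # no lockdown
    return root


def run_demo():
    """Build the constructed site in a temp dir and return its audit report."""
    with tempfile.TemporaryDirectory() as d:
        return audit_site(build_sample_site(Path(d)), SAMPLE_POSTS)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Against the constructed site the report names evalphp as both unexpected and recently changed, shows the install lockdown missing, and points at post 3190 for review. One caveat on the lockdown check: DISALLOW_FILE_MODS stops installs through the dashboard, which is the path this campaign uses, but it does nothing against an attacker who already has file-system or database write access, so the plugin and post scans still need to run on a schedule.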
As I mentioned earlier, later today the Week in Review edition will be available. I hope you have time to listen either today or over the weekend for a thoughtful discussion on the news.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.