Morphisec Breach Prevention Blog

Biden Administration Aims to Disrupt Ransomware Gangs

Written by Matthew Delman | May 15, 2021 at 2:00 PM

This week in Security News in Review, you’ll find plans from the U.S. government on disrupting threat actor networks, more action from the DarkSide gang, and FIN7 masquerading as a security analysis firm. 

US government plans to disrupt hackers behind Colonial Pipeline ransomware, Biden says -- In the wake of the Colonial Pipeline being hamstrung by ransomware this past week, President Biden said the U.S. government aims to disrupt the operations of ransomware networks within Russia. This does not extend to a retaliatory attack against DarkSide’s owners; so far it has involved reaching out to Moscow to urge the Russian government to take action against the cybercriminals residing within its borders. It remains to be seen whether the U.S. government will target DarkSide directly or the affiliate that used the group’s ransomware against Colonial Pipeline. 

Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom -- According to reporting from Bloomberg, Colonial Pipeline paid a ransom of nearly $5 million to the DarkSide affiliate who used the ransomware to lock down the company’s IT operations. This runs contrary to statements from the company that it had no intention of paying the ransom. The payment was made within hours of the attack, and the company was soon provided with a decryption tool. According to Bloomberg, the decryption tool was so slow that Colonial continued restoring its systems from backups as well. The FBI generally recommends against paying ransoms, as there is no guarantee that affected companies will actually get their files back. 

Toshiba subsidiary confirms ransomware attack, as reports suggest possible DarkSide involvement -- European subsidiaries of Japanese manufacturer Toshiba confirmed yesterday that they were impacted by a ransomware attack. Toshiba Tec Group released a statement that a cyberattack caused it to sever the network connection between Europe and Japan. An unnamed spokesperson told CNBC that it appeared the DarkSide group was responsible for the attack, but there has been no additional confirmation of that. “[T]he extent of impact has been limited to some regions in Europe and we have not yet confirmed a fact that customer related information was leaked externally,” Toshiba Tec Group said in a statement. According to CyberScoop, the company also acknowledged the possibility “that some information and data may have been leaked by the criminal gang.”

Russian cybercrime forum XSS claims to ban ransomware following Colonial Pipeline hack -- In the wake of the Colonial Pipeline attack, reports are emerging that the XSS forum -- a popular destination for groups seeking to purchase attacks -- is banning the sale of ransomware, ransomware affiliate programs, and ransomware rentals. The forum claimed it was because ransomware had started to attract “too much attention” from outsiders, but it’s not uncommon for ransomware operators to conduct PR stunts. According to CyberScoop reporting, researchers and others who follow the cybercrime underground were unwilling to draw any conclusions. 


CISA to pilot secure cloud instance in response to SolarWinds attack -- The Cybersecurity and Infrastructure Security Agency is looking at new ways to secure its cloud instances in the wake of the SolarWinds attack. There is no indication of how much money it will spend on the project, but CISA recognizes the need to think differently about securing the cloud. The resulting, more secure cloud architecture is intended to be propagated across the federal government. 

FIN7 Backdoor Masquerades as Ethical Hacking Tool -- FIN7 is spreading the Lizar malware under the guise of being a Windows pen-testing tool for ethical hackers. Their tactics include pretending to be a legitimate organization providing a security analysis tool. According to researchers, the group’s tactics include hiring people who have no idea they’re working for a criminal gang to propagate these kinds of attacks. 

France’s Largest Insurer Will No Longer Cover Ransomware Payments -- AXA France has announced that it will no longer cover ransomware payments made by customers within the country. The change applies to new policies going forward, as average payouts have spiked over the past year and governments around the world grapple with banning payments as a possible way to stem the rising tide of attacks. 

Latest Microsoft Windows Updates Patch Dozens of Security Flaws -- Microsoft rolled out its regular Patch Tuesday updates this week, fixing 55 security flaws affecting Windows, Exchange Server, Internet Explorer, Office, Hyper-V, Visual Studio, and Skype for Business. Four are rated as Critical and 50 are rated as Important; unlike last month, none of the patched flaws were under active exploitation at the time of patching. The most serious of the patched vulnerabilities is a wormable RCE vulnerability in the HTTP protocol stack, tracked as CVE-2021-31166.