Never assume the end of an attack infrastructure

In February 2024, Operation Cronos, a coalition of international law enforcement agencies led by the UK’s National Crime Agency and the US FBI, took control of the attack infrastructure of the infamous LockBit ransomware gang, considered the “most malicious cyber group” in the world. There was a sigh of relief throughout the infosec community, with many believing this marked the end of an ongoing nightmare. However, the reality turned out to be different: less than a week later, the ransomware-as-a-service operator was back online with a new leak site, listing five victims with countdown timers for the publication of the stolen information.

This revival is not atypical. These threat groups are increasingly deploying advanced attack infrastructure and extensive backups that allow them to become operational again. I will outline three recent examples that demonstrate the resilience of these groups in the face of law enforcement interventions.

Paolo Passeri

Cyber Intelligence Director, Netskope.

The resilience of LockBit

Ironically, in order to take over the LockBit website, law enforcement agencies exploited CVE-2023-3824, a vulnerability affecting PHP – mirroring one of the main attack vectors used by the LockBit group itself, namely the exploitation of vulnerabilities. According to the threat actor, “personal negligence and irresponsibility” delayed the application of the patch and enabled the takeover. And yet LockBit’s immediate comeback was made possible by the availability of backups – an essential best practice for any organization. After the takedown, LockBit confirmed the breach, but also claimed that it had only lost servers running PHP, while its backup systems without PHP remained intact.

Before the brief shutdown, LockBit was one of the biggest threats to the financial industry. It is no surprise that attacks via the LockBit ransomware and its variants continued into 2024 even after the takeover. This persistence was partly due to another complication common across the threat landscape: the malware builder’s source code had already been leaked online by an angry developer, creating multiple variants that continue to plague companies around the world, fueled by the continued exploitation of vulnerabilities.

The existence of backups indicates that the attackers built a resilient infrastructure with a contingency plan, anticipating the possibility of being taken over. At its core, cybercrime is a business, so threat actors employ the best practices that every enterprise should follow, building robust infrastructures to ensure protection against outages or disruptive events, such as a law enforcement takedown. This serves as an important wake-up call, reminding us that even if law enforcement agencies dismantle a criminal infrastructure, the operation may not be over for good.

A BlackCat exit

A second demonstration of the resilience of a malicious infrastructure is a similar event involving another ransomware operation. In December 2023, law enforcement agencies led by the US FBI – and involving agencies from the United Kingdom, Denmark, Germany, Spain and Australia – seized the BlackCat/ALPHV infrastructure. However, two months later, the ransomware group unexpectedly resurfaced and claimed responsibility for several high-profile attacks in the financial and healthcare sectors.

An interesting twist in this comeback was the attack on Change Healthcare, which ended with the victim organization paying a ransom of $22 million in Bitcoin. Two days after the payment was made, allegations surfaced that the ransomware operation had defrauded its affiliates of their share of the bounty, and four days after the payment (two days after the allegations) the FBI and other law enforcement agencies appeared to have struck again: the leak site was taken over a second time.

However, law enforcement agencies denied any involvement in this second shutdown. This, coupled with the fact that the page displayed on the leak site after the second apparent shutdown resembled a copy of the page from the December 2023 takeover, led experts to speculate that the threat actors may have executed an exit strategy: happily leaving the stage with $22 million in their pockets, cutting ties with their affiliates, and possibly selling the ransomware-as-a-service source code for $5 million – a common practice recently adopted by the Knight 3.0 ransomware. This suggests that the emergence of variants will extend the life cycle of this malware well beyond the shutdown of the original operation.

The way this story appears to have ended suggests that not only are organized criminal operations resilient and often able to survive the efforts of law enforcement agencies, but also that threat actors may decide to leave the scene voluntarily. They may do this because they believe they have achieved their lucrative goals, or because they feel that market conditions are no longer favorable. In the case of BlackCat/ALPHV, it is believed that the fluctuation in the price of Bitcoin, or even a possible shift in focus to other targets such as Ukraine (as the threat actors are of Russian origin), may have influenced their decision to stop the operation.

Evading law enforcement

The comebacks of malicious operations following shutdown attempts by law enforcement are not limited to ransomware operations. A third notable example is the short-lived takedown of the infamous Qakbot botnet in Operation Duck Hunt, conducted by the FBI and its partners in 2023. Qakbot is one of the most flexible weapons available to threat actors because of its modular nature, which allows it to deliver multiple malicious payloads, including various types of ransomware, and has resulted in hundreds of millions of dollars in damages. Predictably, this apparent victory was short-lived. Just two months after the law enforcement operation, the threat actors had adapted their malicious infrastructure to distribute additional payloads.

More Qakbot campaigns were detected, with new variants featuring malware improvements. These campaigns included the distribution of Cyclops and Remcos remote access tools via malicious PDF documents to the hospitality industry in October 2023 under the guise of fake IRS communications, as well as a fake Windows installer in January 2024. According to Netskope Threat Labs, Qakbot was one of the top threats targeting the retail sector between March 2023 and February 2024, demonstrating the resilience and flexibility of an attack infrastructure.

Stay vigilant

Cybercrime is now big business, with attackers having enormous resources to build increasingly pervasive and resilient threats. To combat these advanced attacks, organizations must adopt a comprehensive security strategy that is continuous, ubiquitous and resilient. This includes the implementation of multi-layered defense mechanisms, continuous monitoring, real-time threat detection and regular security assessments.

Additionally, it would be wise to follow the example and lessons of these resilient threat actors, foster a culture of cybersecurity awareness, maintain up-to-date systems, and have robust incident response and disaster recovery plans. Eliminating all cybersecurity blind spots is critical, as even minor vulnerabilities can lead to significant breaches. Organizations must be prepared to defend against all types of threats and attack groups.


This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of Ny BreakingPro or Future plc. If you are interested in contributing, you can read more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
