Connect with us

Cyber Security

Tenable Research Reveals “Do-It-Yourself” Ransomware Kits Have Created Thriving Cottage Industry of Cybercrime

Published

on

The shift to the subscription economy has created a new norm in the as-a-service world. And it’s not just Netflix and Spotify that have adopted this business model. New research from Tenable, the Cyber Exposure company, found that one of the main reasons ransomware has prospered is due to the advent of ransomware-as-a-service (RaaS) which has catapulted ransomware from a fledgling threat into a force to be reckoned with. The service model has significantly lowered the barrier of entry, allowing cybercriminals who lack the technical skills to commoditize ransomware.

In 2020 alone, ransomware groups reportedly earned $692 million from their collective attacks, a 380% increase over the previous six years combined ($144 million from 2013-2019). The success of RaaS has also attracted other players such as affiliates and initial access brokers (IABs) who play prominent roles within the ransomware ecosystem – oftentimes more than ransomware groups themselves.

Affiliates who earn between 70%-90% of the ransom payment, are charged with the task of doing the dirty work to gain access to networks through tried-and-true methods such as spearphishing, deploying brute force attacks on remote desktop protocol (RDP) systems, exploiting unpatched or zero-day vulnerabilities and purchasing stolen credentials from the dark web. Affiliates may also work with IABs, which are individuals or groups that have already gained access to networks and are selling access to the highest bidder. Their fees range on average from $303 for control panel access to as much as $9,874 for RDP access.

The research found that ransomware’s current dominance is directly linked to the emergence of a technique known as double extortion. The tactic, pioneered by the Maze ransomware group, involves stealing sensitive data from victims and threatening to publish these files on leak websites, while also encrypting the data so that the victim cannot access it. Ransomware groups have recently added a variety of other extortion techniques to their repertoire, including launching DDoS attacks to contacting customers of their victims, making it even more challenging for defenders. These tactics are part of the ransomware gangs’ arsenal for placing additional pressure on victim organizations.

“Ransomware continues to impact businesses around the world, both in terms of ransom paid and cost of remediation, and the Middle East is not exempt. With sophisticated RaaS techniques being used, including double extortion, it is imperative that enterprises prepare themselves in advance, gaining insights and understanding that help them mitigate and remediate these attacks,” explains Satnam Narang, senior staff research engineer at Tenable.

A recent global survey, by Vanson Bourne, found that the total cost of remediation following a ransomware attack has increased in the United Arab Emirates (UAE) and Saudi Arabia. In UAE the total cost increased from $0.52M in 2020 to $1.26M in 2021, and for Saudi Arabia it increased from $0.21M to $0.65M. Remediation costs typically include downtime, people’s hours, device and network costs, lost productivity and opportunities, and the ransom paid.

“Enterprises cannot throw people and money into the situation and expect it to be a permanent fix. They need to align with the right partners, select the right technologies and build the right internal skills. These are wise investments with longer term returns,” Satnam concludes.

Cyber Security

ESET Research Uncovers Iran-Aligned BladedFeline Spying on Iraqi, Kurdish Officials

Published

on

The Iran-aligned threat group BladedFeline has targeted Kurdish and Iraqi government officials in a recent cyber-espionage campaign, according to ESET researchers. The group deployed a range of malicious tools discovered within the compromised systems, indicating a continued effort to maintain and expand access to high-ranking officials and government organizations in Iraq and the Kurdish region. The latest campaign highlights BladedFeline’s evolving capabilities, featuring two tunneling tools (Laret and Pinar), various supplementary tools, and, most notably, a custom backdoor Whisper and a malicious Internet Information Services (IIS) module PrimeCache, both identified and named by ESET.

Whisper logs into a compromised webmail account on a Microsoft Exchange server and uses it to communicate with the attackers via email attachments. PrimeCache also serves as a backdoor: it is a malicious IIS module. PrimeCache also bears similarities to the RDAT backdoor used by OilRig Advanced Persistent Threat (APT) group.

Based on these code similarities, as well as on further evidence presented in this blogpost, ESET assesses that BladedFeline is a very likely subgroup of OilRig, an Iran-aligned APT group going after governments and businesses in the Middle East. The initial implants in the latest campaign can be traced back to OilRig. These tools reflect the group’s strategic focus on persistence and stealth within targeted networks.

BladedFeline has consistently worked to maintain illicit access to Kurdish diplomatic officials, while simultaneously exploiting a regional telecommunications provider in Uzbekistan, and developing and maintaining access to officials in the government of Iraq.

ESET Research assesses that BladedFeline is targeting the Kurdish and Iraqi governments for cyberespionage purposes, with an eye toward maintaining strategic access to the computers of high-ranking officials in both governmental entities. The Kurdish diplomatic relationship with Western nations, coupled with the oil reserves in the Kurdistan region, makes it an enticing target for Iran-aligned threat actors to spy on and potentially manipulate. In Iraq, these threat actors are most probably trying to counter the influence of Western governments following the US invasion and occupation of the country.

In 2023, ESET Research discovered that BladedFeline targeted Kurdish diplomatic officials with the Shahmaran backdoor, and previously reported on its activities in ESET APT Activity reports. The group has been active since at least 2017, when it compromised officials within the Kurdistan Regional Government, but is not the only subgroup of OilRig that ESET Research is monitoring. ESET has been tracking Lyceum, also known as HEXANE or Storm-0133, as another OilRig subgroup. Lyceum focuses on targeting various Israeli organizations, including governmental and local governmental entities and organizations in healthcare.

ESET expects that BladedFeline will persist with implant development in order to maintain and expand access within its compromised victim set for cyberespionage.

Continue Reading

Cloud

SentinelOne Simplifies Secure Cloud Migrations on AWS

Published

on

SentinelOne today announced its participation in the Amazon Web Services (AWS) Independent Software Vendor (ISV) Workload Migration Program. This initiative supports AWS Partner Network (APN) members with SaaS offerings on AWS to accelerate and streamline workload migrations.

Through the program, SentinelOne will provide AWS customers with accelerated, secure cloud migration support, leveraging modern AI-powered CNAPP capabilities to ensure rapid and protected transitions. With access to AWS funding, technical resources, and go-to-market support, SentinelOne will help organizations reduce migration timelines and costs while maintaining robust security.

SentinelOne’s Singularity Cloud Security delivers real-time visibility and protection throughout the migration journey—whether from on-premises or another cloud—enabling a secure, seamless transition to AWS.

“Through our participation in the AWS ISV Workload Migration Program, SentinelOne is helping customers accelerate secure cloud migrations with end-to-end protection and visibility,” said Ric Smith, President of Product, Technology, and Operations at SentinelOne. “Whether moving from on-prem or another cloud to AWS, organizations can count on us to deliver the security they need throughout their journey—realizing the performance, speed, agility, and cost benefits of the cloud.”

Singularity Cloud Security combines agentless and agent-based protection for deep visibility, continuous posture management, and real-time threat detection across hybrid and multi-cloud environments. By collaborating with AWS and ecosystem partners, SentinelOne ensures seamless integration into migration projects, helping customers move faster, reduce risk, and scale confidently in the cloud.

Availability: SentinelOne’s solutions are available globally.

Continue Reading

Cyber Security

Beyond Blocklists: How Behavioural Intent Analysis Can Safeguard Middle East Businesses from Rising AI-Driven Bot Threats

Published

on

The Middle East is facing an unprecedented surge in AI-driven bot attacks, with malicious automation now outpacing traditional defenses. Mohammad Ismail, Vice President for EMEA at Cequence Security, warns that legacy tools like IP blocklists and rate limiting are no match for today’s sophisticated threats (more…)

Continue Reading
Advertisement

Follow Us

Trending

Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.