Plaintext: Ransomware Gangs Are Changing Tactics
Source: FlyD via Unsplash.com

Welcome to Dark Reading in Plaintext, brought to your inbox this week by HeroDevs. In this issue of Plaintext, we look at ways ransomware gangs are changing their tactics. We are also aware of recent firings at the National Security Agency. What's going on over there? If you enjoy Plaintext, please share with friends and colleagues!

Ransomware Gangs Adopt New Tactics, Names. Ransomware gangs have to adapt to changes in defender activity by adopting new attack techniques and changing their infrastructure. One way is the 'fast flux' technique, which refers to rapidly changing the Domain Name System (DNS) records associated with a domain name. Fast flux is on the radar now because an advisory from the US, Australia, Canada, and New Zealand noted that ransomware gangs are adopting the practice to hide the location of the infrastructure they use in their attacks.

Compromised devices and endpoints have to "call home" to the server under the attackers' control to receive instructions, download malware, or transfer stolen information. Rapidly changing the DNS records makes it harder to identify the malicious servers and to detect the malicious traffic between the compromised system and the server. Fast flux also makes IP blocking ineffective and irrelevant.

Fast flux is not new, as hacker forums and marketplaces have used the technique in the past to limit the impact of law enforcement takedowns. The advisory noted that ransomware gangs such as Hive and Nefilim are using this tactic.

"Service providers, especially Protective DNS providers, should track, share information about, and block fast flux as part of their provided cybersecurity services." —CISA advisory.
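As an added illustration (not from the advisory or the newsletter) of what "tracking fast flux" can look like for a resolver operator or Protective DNS provider, the following Python heuristic scores names in constructed resolver log lines by how many distinct IPs and /24 networks their A answers rotate through and how short the TTLs are. The log format, the thresholds, and the domain names are assumptions for this example.

```python
"""Flag fast-flux-style DNS behaviour in resolver or passive DNS logs.
Heuristic (an assumption for this example, not a rule from the advisory):
a name whose A answers rotate through many IPs spread over many /24
networks, all with short TTLs, is a candidate worth analyst review."""
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network

# Constructed resolver log lines: <epoch> <qname> <rtype> <rdata> <ttl>
SAMPLE_LOG = """\
1700000000 c2-update.example A 203.0.113.10 60
1700000060 c2-update.example A 198.51.100.77 60
1700000120 c2-update.example A 192.0.2.45 30
1700000180 c2-update.example A 203.0.113.200 60
1700000240 c2-update.example A 198.51.100.9 30
1700000300 c2-update.example A 192.0.2.130 60
1700000000 www.example A 203.0.113.5 3600
1700000600 www.example A 203.0.113.5 3600
1700001200 www.example AAAA 2001:db8::1 3600
malformed line that should be skipped
"""

def parse_log(text):
    """Yield (qname, IPv4Address, ttl) for well-formed A answers only."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "A":
            continue
        try:
            yield parts[1].lower(), IPv4Address(parts[3]), int(parts[4])
        except ValueError:  # bad address or TTL: skip, do not crash
            continue

def fast_flux_candidates(records, min_ips=5, min_prefixes=3, max_ttl=300):
    """Return {qname: stats} for names meeting all three thresholds."""
    ips, prefixes, ttl_max = defaultdict(set), defaultdict(set), {}
    for qname, ip, ttl in records:
        ips[qname].add(ip)
        prefixes[qname].add(IPv4Network((ip, 24), strict=False))
        ttl_max[qname] = max(ttl, ttl_max.get(qname, 0))  # longest TTL seen
    flagged = {}
    for qname in ips:
        stats = {"ips": len(ips[qname]), "prefixes": len(prefixes[qname]),
                 "max_ttl": ttl_max[qname]}
        if (stats["ips"] >= min_ips and stats["prefixes"] >= min_prefixes
                and stats["max_ttl"] <= max_ttl):
            flagged[qname] = stats
    return flagged
```

In production the /24 grouping would normally be replaced by ASN lookups, and flagged names would be shared and blocked as the advisory recommends rather than acted on from this heuristic alone.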

Another example of how ransomware groups are evolving their tactics comes from the ransomware-as-a-service group Hunters International. The group recently claimed an attack on Indian engineering firm Tata Technologies. Group-IB suggests that Hunters is actually a rebrand of Hive, the ransomware group whose operations were disrupted by law enforcement back in January 2023. Group-IB also believes that Hunters is looking to move away from file-encrypting ransomware and focus on data theft and extortion.


Dark Reading in Plaintext is brought to you by HeroDevs

Best Practices for Managing EOL Open Source Software

Software end-of-life events create security vulnerabilities, putting organizations at risk. Learn about actionable strategies for managing EOL open source software in this comprehensive guide.


What's Happening in the US Government? The Trump Administration has reportedly fired General Tim Haugh, the director of the National Security Agency and the head of US Cyber Command, per the Washington Post. "At a time when the United States is facing unprecedented cyber threats, as the Salt Typhoon cyberattack from China has so clearly underscored, how does firing him make Americans any safer?" Senator Mark Warner (D-Va), vice-chair of the Senate Intelligence Committee, said in a statement. The Administration has also fired several other members of the National Security Council and reassigned the NSA's civilian deputy, Wendy Noble, to a different Pentagon role.

And if the fact that national security adviser Mike Waltz had a Signal chat group to discuss an active military operation wasn't disturbing enough, Politico reports that Waltz's team has set up at least 20 Signal chats for official discussions on Ukraine, China, Gaza, Middle East policy, Africa, and Europe. A chorus of veteran security officials has warned that publicly available messaging apps and email services do not have the same level of safety features as secure government communications tools, and that it is easier for adversaries to intercept messages sent over public platforms than it is to compromise official channels.

“Communication systems approved for government officials meet security requirements and government records management requirements,” Lorrie Cranor, a professor on security and privacy technology at Carnegie Mellon University’s CyLab, told Politico.

“Attackers frequently target government officials and attempt to gain access to their messages as well as break into their accounts so that they can impersonate them. So, appropriate security is important.” —Lorrie Cranor, CMU CyLab

What We Are Reading

What We Heard On-Air

Tune in to our on-demand webinar Tips on Managing Cloud Security in a Hybrid Environment.

"I thought we were past this, but please stop storing credentials in code." —Jake Williams, Hunter Strategy

From Our Library

Check out some of the latest reports from our Dark Reading Library!

[HeroDevs] Securing Legacy Vue.js Apps: The Statista Success Story

Dark Reading Reports: The State of Enterprise Application Security: Growing Risks, Maturing Responses

Tech Insight: EDR, SIEM, SOAR, and More: What's The Right Endpoint Strategy

Dark Reading Reports: Understanding Social Engineering Attacks, What to Do About Them

Dark Reading Reports: What Issues and Challenges Cybersecurity Pros Care About

On That Note

This is such a perplexing story: Indiana University has scrubbed all mention of XiaoFeng Wang, a top privacy and data security expert and a cybersecurity professor at the university for over 20 years, from its site. Wired reported that the university fired the professor the same day the FBI searched his home. Wang and his wife have disappeared, but their attorney told Wired they are safe. No one knows what is happening and no one is talking. Stay tuned.



There is little doubt that ransomware groups are becoming more sophisticated in their strategies, and the move toward extortion and data theft is concerning. This trend emphasizes the significance of strong cybersecurity procedures, such as proactive threat detection and risk identification training for staff members. The fact that attackers are using genuine system administration tools again emphasizes the necessity of using advanced threat intelligence solutions and maintaining constant monitoring. How, in your opinion, can businesses better adjust to these changing tactics?

Radim Kolar

Local Security Officer AXA-Partners CEE (Local CISO) / Partner at GDPR-pro.cz

8mo

Using Signal instead of security-tested and vetted official applications does not seem to be based on lower security. What is very different is the compliance aspect. Official gov't tools enforce non-repudiation and retention policies. In short, users of such gov't tools can't hide what they did and can't refuse responsibility. In commercial apps, everything can disappear based on user settings, leaving nothing that would allow prosecution of possible wrongdoing. So technically speaking (i.e., leaving aside user-mistake-based issues such as inviting the wrong people to conversations, which is unbelievable stuff, or using private devices for such communications), it would be almost impossible to break into that end-to-end encrypted chat. The cipher is so strong it would take ages, and it is likely even quantum resistant. But the real problem is not technical: ignoring laws and policies on the use of private devices, mismanaged access control (who is invited), intentionally avoiding retention policies, preventing accountability for actions. This is the problem: performing government activities outside of the legal system, security policies and judicial oversight.
