Interview: Criminal software targeting banks and other financial services companies now ships with sophisticated features and evasion tools, according to Sergey Lozhkin, Kaspersky's lead security researcher.
“The darkest hour is now for the financial industry, especially for large and medium-sized companies,” Lozhkin said during a panel discussion on threats to financial services companies.
BlackLotus, a Unified Extensible Firmware Interface (UEFI) firmware rootkit used to backdoor Windows machines, is one such newly discovered tool. Kaspersky has yet to release full research on the malicious implant, but Lozhkin said it was put up for sale on the cybercrime scene earlier this month with a $5,000 price tag.
The malicious code allows criminals to bypass the computer's Secure Boot feature, which is designed to stop unauthorized software from running during startup. By targeting UEFI, BlackLotus loads before anything else in the boot process, including the operating system and any security tools that might otherwise stop it.
“So if an attacker gains access to a network or a computer, they can install this tool and it will be completely undetected and completely persistent at the UEFI level,” Lozhkin said.
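The Secure Boot bypass described above means the first things a defender should verify are what the firmware says its boot state is and what each boot entry actually loads. What follows is an added example, not code from the article or from Kaspersky, and not a BlackLotus detector: it parses UEFI variables in the layout Linux exposes under efivarfs (SecureBoot, SetupMode, BootOrder and the Boot#### load options) and flags Secure Boot being off, the firmware sitting in Setup Mode, or a boot entry whose loader path is not on an allowlist. The sample variables and the KNOWN_LOADERS set are constructed for the example; a team would fill the allowlist from its own golden image.

```python
"""Parse UEFI variables (efivarfs layout) and flag a weak boot configuration.

Added example; not Kaspersky's code and not a BlackLotus detector. Assumes the
Linux efivarfs layout: a 4-byte little-endian attribute word, then the data.
"""
import struct

EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Assumed allowlist of loader paths an image is expected to boot.
KNOWN_LOADERS = {r"\EFI\Microsoft\Boot\bootmgfw.efi", r"\EFI\Boot\bootx64.efi"}


def var(name: str) -> str:
    """efivarfs file name for a variable in the EFI global namespace."""
    return f"{name}-{EFI_GLOBAL_GUID}"


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """Split an efivarfs file into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivar shorter than its attribute header")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def device_path_files(dp: bytes) -> list[str]:
    """Walk EFI_DEVICE_PATH nodes (type, subtype, length) and return the
    strings from Media/File Path nodes (type 0x04, subtype 0x04)."""
    paths, off = [], 0
    while off + 4 <= len(dp):
        ntype, subtype, length = struct.unpack_from("<BBH", dp, off)
        if length < 4:
            raise ValueError("malformed device path node")
        if ntype == 0x7F and subtype == 0xFF:  # End Entire Device Path
            break
        if ntype == 0x04 and subtype == 0x04:
            paths.append(dp[off + 4 : off + length].decode("utf-16-le").rstrip("\x00"))
        off += length
    return paths


def parse_load_option(data: bytes) -> dict:
    """Decode an EFI_LOAD_OPTION: UINT32 Attributes, UINT16 FilePathListLength,
    NUL-terminated CHAR16 Description, then FilePathList."""
    attrs, fpl_len = struct.unpack_from("<IH", data, 0)
    off = end = 6
    while data[end : end + 2] != b"\x00\x00":  # CHAR16 terminator, 2-byte aligned
        end += 2
        if end + 2 > len(data):
            raise ValueError("unterminated Description")
    return {
        "active": bool(attrs & 1),  # LOAD_OPTION_ACTIVE
        "description": data[off:end].decode("utf-16-le"),
        "file_paths": device_path_files(data[end + 2 : end + 2 + fpl_len]),
    }


def assess(efivars: dict[str, bytes], known=KNOWN_LOADERS) -> list[str]:
    """Return human-readable findings for a weak or unexpected boot state."""
    findings = []
    sb = efivars.get(var("SecureBoot"))
    if sb is None or parse_efivar(sb)[1][:1] != b"\x01":
        findings.append("Secure Boot not enforcing")
    sm = efivars.get(var("SetupMode"))
    if sm is not None and parse_efivar(sm)[1][:1] == b"\x01":
        findings.append("firmware in Setup Mode: key databases writable without signing")
    order = []
    if (bo := efivars.get(var("BootOrder"))) is not None:
        data = parse_efivar(bo)[1]
        order = [struct.unpack_from("<H", data, i)[0] for i in range(0, len(data) - 1, 2)]
    allow = {p.lower() for p in known}
    for num in order:
        raw = efivars.get(var(f"Boot{num:04X}"))
        if raw is None:
            findings.append(f"BootOrder references missing Boot{num:04X}")
            continue
        opt = parse_load_option(parse_efivar(raw)[1])
        for p in opt["file_paths"]:
            if p.lower() not in allow:
                findings.append(f"Boot{num:04X} '{opt['description']}' loads non-allowlisted {p}")
    return findings


def build_load_option(description: str, path: str, active: bool = True) -> bytes:
    """Construct a load option for the sample data (test fixture, not firmware)."""
    body = path.encode("utf-16-le") + b"\x00\x00"
    fpl = struct.pack("<BBH", 0x04, 0x04, 4 + len(body)) + body + struct.pack("<BBH", 0x7F, 0xFF, 4)
    return struct.pack("<IH", 1 if active else 0, len(fpl)) + description.encode("utf-16-le") + b"\x00\x00" + fpl


# Constructed sample: Secure Boot on, Setup Mode off, and a second boot entry
# pointing at a made-up path that is deliberately not in the allowlist.
SAMPLE_EFIVARS = {
    var("SecureBoot"): struct.pack("<I", 0x6) + b"\x01",
    var("SetupMode"): struct.pack("<I", 0x6) + b"\x00",
    var("BootOrder"): struct.pack("<I", 0x7) + struct.pack("<HH", 1, 0),
    var("Boot0000"): struct.pack("<I", 0x7) + build_load_option("Windows Boot Manager", r"\EFI\Microsoft\Boot\bootmgfw.efi"),
    var("Boot0001"): struct.pack("<I", 0x7) + build_load_option("Recovery Tools", r"\EFI\update\loader.efi"),
}
```

On a live Linux host, replace SAMPLE_EFIVARS with the files read from /sys/firmware/efi/efivars (root is normally required); on Windows the equivalent first check is the Confirm-SecureBootUEFI cmdlet. Treat the output as a hygiene check rather than proof of absence: an implant that already controls the boot chain can misreport the SecureBoot variable, which is why the boot entries and the loader binaries they point at are worth comparing against a known-good image as well.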
BlackLotus and other sophisticated malware are typically, but not exclusively, deployed by government-level teams with deep pockets and highly skilled developers on the payroll. Criminals can also get hold of the tools.
“These threats and technologies were previously only accessible to people developing advanced persistent threats, mostly governments,” Lozhkin claimed. “Now these types of tools are in the hands of criminals on all forums.”
As soon as he saw BlackLotus on a forum like this, “I wanted it right away because I need to reverse engineer it and warn our customers right away,” Lozhkin added.
How to catch a crook
Lozhkin spends his days monitoring criminal underground forums and reverse engineering malware shared through these nefarious channels, and he was previously vice president of cybersecurity operations at JP Morgan Chase.
While he won’t name the cybercrime gangs he sees lurking in the shadows, for the sake of ongoing investigations, these financially motivated cybercriminals have gotten very good at reusing government-created cyberespionage tools to pull off massive bank heists, like the $1 billion robbery that infiltrated more than 100 financial institutions in 40 countries.
Lozhkin was one of the private-sector security researchers involved in the takedown, led by the Spanish National Police with the support of Europol, the US FBI and the Romanian, Moldovan, Belarusian and Taiwanese authorities.
“Modern crimeware is really sophisticated, and the people who code these tools are really, really smart,” Lozhkin said. “And sometimes they don’t have to program anything at all. Why write your own code when you can just as easily buy it online?”
Red Team tools have gone bad
Case in point: ransomware gangs and Cobalt Strike. This is a legitimate penetration testing tool that has become a preferred way for cybercriminals to move laterally through victims’ networks, establish persistence, and download and execute malicious payloads.
“And then we have Brute Ratel,” Lozhkin said.
This, of course, is the post-exploitation toolkit developed by a former Mandiant red teamer. The hard-to-detect software, which can bypass antivirus and endpoint detection and response products, was sold for $3,000 before a cracked version was leaked for free on underground forums.
“I’ve seen a huge increase in the use of legal tools to attack financial institutions over the last year,” Lozhkin said. “Cobalt Strike is everywhere. Brute Ratel is everywhere.”
This highlights the “biggest problem” with this type of software tool, which emulates adversaries in an IT environment and is designed to remain undetected, he added.
“If you create a weapon – and I consider this a cyber weapon, a really dangerous tool that could be used to infiltrate any organization, any company – cybercriminals immediately get that tool and use it against organizations,” Lozhkin said.
Meanwhile, the ransomware economy is booming
All these malicious tools for sale also feed the booming economy of initial access brokers. These are the criminals who sell or provide a path into an organization for a fee or a cut of the profits. That access is then used by extortionists to harvest sensitive data, encrypt files with ransomware, and demand payment to keep the intrusion quiet and clean up the mess.
“These guys are everywhere: They hack into an organization and sell access,” Lozhkin said, adding that the price for initial access to high-revenue companies that criminals believe will pay ransom demands runs to $50,000 and more.
“The end users of this data are ransomware groups,” he noted. Ransomware gangs have their own forums, and they too are getting better at their trade, using modern programming languages to write code, non-standard cryptography to lock organizations’ files, and even professional business models.
Ransomware developers are also becoming more professional, and the recent market downturn and layoffs at major tech companies aren’t helping, according to Lozhkin. “A lot of people come to the dark side because the dark side is ending.”
Somehow he remains optimistic. “The darkest hour is just before dawn. There is a light. There is always a light,” Lozhkin said.
After weeks of ransomware attacks on schools and hospitals and publicity stunts targeting US airports, it’s hard to share that optimism. But here’s hoping he’s right. ®
https://www.theregister.com/2022/10/13/blacklotus_malware_kaspersky/ Banks face their ‘darkest hour’ as crimeware ramps up • The Register