FinCEN Alert: Malware/Ransomware Updates & New Perimeter Device Vulnerability
By: Lewis Brisbois' Data Privacy & Cybersecurity Team
FinCEN Alert: The first week of March involved a number of developments in cybersecurity due to the Russia/Ukraine conflict. The Financial Crimes Enforcement Network (FinCEN) released an alert on March 7 advising all financial institutions to be vigilant against efforts to evade sanctions imposed in connection with the Russian invasion of Ukraine. It does not impose new requirements, but outlines “red flags” to remind financial institutions of their Bank Secrecy Act (BSA) reporting obligations, including those pertaining to convertible virtual currency (CVC). The primary focus of the FinCEN alert appears to be eliciting cooperation of financial institutions in identifying hidden Russian and Belarusian assets.
Wiper Malware Explained: Modular forms of malware with either anti-forensic and/or wiping capabilities have been used maliciously for years, including in the infamous attack on Saudi Aramco in 2012. In that incident, Shamoon malware was used to wipe files and overwrite the Master Boot Record (MBR). This past week, new forms of malware with similar wiping capabilities have been identified, such as WhisperGate, HermeticWiper/Trojan.Killdisk, Windshield, and IsaacWiper.
While capabilities of certain wiper malware may vary, their destructive result is similar – the manipulation of files, by inserting random lines of code, render the files inaccessible. By overwriting the MBR, the operating systems and file systems are rendered inaccessible, and the hard drive is wiped entirely. Attacks with this type of malware are often accompanied by self-propagating properties, facilitating deployment across an entire environment. This creates substantial difficulties with restoration and results in the loss of evidence.
Conti Ransomware Update: Conti made international media headlines in their professed alliance with the Russian government. While this was walked back in a subsequent posting, it caused other groups to target their infrastructure and leak their internal chats on February 27. It appears that Conti then began destroying its previous infrastructure and rebuilding a new platform. It also appears that Conti is targeting the defense industrial base, but is also leveraging wide-scale vulnerabilities resident within VPN solutions, MS Exchange, and Log4j. While Conti is not specifically listed on any Office of Foreign Asset Control (OFAC) sanctions lists, a number of money services businesses (MSBs) and digital forensics firms have internally restricted communication and ransom payments related to Conti ransomware attacks.
TrickBot Leaks: On Tuesday, March 1, the source code, IOCs, and internal chats of TrickBot, a credential harvesting banking trojan used heavily by Conti, was leaked. Over the past two years, TrickBot has been slowly replaced by BazarLoader, another credential harvesting banking trojan that shares similarities to TrickBot. Contained within the TrickBot leaks are usernames and password combinations for accessing the previous Conti infrastructure.
Raid Forums Takedown: Created in 2015, RaidForums was a marketplace for stolen credentials and information obtained in various data breaches. RaidForums was taken down and seized by the FBI, but it had been taken down and rebuilt before, so it is possible that it will reappear, but perhaps not as quickly as in the past.
Potential Forthcoming SonicWall CVE: A recent posting on a crime forum claimed that an unidentified SonicWall RCE vulnerability was being offered at auction for a price of $100,000. Beyond stating that it was a SonicWall RCE vulnerability, the posting did not provide any additional information. There have been other SonicWall vulnerabilities exploited by ransomware groups, including HelloKitty. These groups leveraged common vulnerabilities and exposures (CVEs) in end-of-life firmware supporting SonicWall’s Secure Mobile Access and Secure Remote Access products in July 2021. These actors have developed expertise in exploiting these and other perimeter device vulnerabilities.
Takeaways: The Russia/Ukraine conflict will continue to drive scrutiny in the CVC market, and ransomware associated with Russia will continue to be voluntarily restricted by MSBs and digital forensics firms. In the meantime, information security must be at the forefront of every business decision pertaining to asset allocation. The cost of not securing vulnerabilities is likely to be much more expensive than implementing scalable information security solutions.
For more information on these developments, contact the authors of this post. You can also subscribe to this blog to receive email alerts when new posts go up.