Oh No Arigato, Mr. Roboto: The Rise of Robo-Texting
Robocalls have long been a nuisance to people and organizations alike, but recent data shows that new legislation to combat these scams may have inadvertently paved the way for robotexts to fill the gap. Following a 2021 FCC mandate that required telecommunications carriers to implement voice authentication protocols, robocalls in the US have halved over the past year. While this has helped to combat the annoyance of robocalls, some threat actors have opted to pivot to robotexts, utilizing techniques such as “smishing” (SMS phishing) to separate targets from their personal data.
Though smishing and robotexts have had a place in the phishing landscape for years (to read more about phishing and its variants, check out our phishing primer), they have reached record highs in 2022, with spam-blocker RoboKiller reporting that 12 billion robotexts were sent in June alone. This rise has coincided with the increased use of sophisticated malware kits that use robotexts as their entry point. Flubot, a MaaS banking trojan, has done considerable damage in Europe through its spread via robotexts, which claimed to targets that they were to be expecting a package delivery, leading them to a page where they would unsuspectingly download the credential-stealing malware. Flubot can be seen as just one example of the way hackers are upping their robotext game, and why cyber vigilance must be practiced on all devices.
Ransomware Premonitions: Securing Critical Infrastructure and “Closing the Gap”
Good, preventative cybersecurity is often unglamorous, a job that, if done correctly, can appear like nothing has been done at all. Because it lacks the heroics of reactive cybersecurity, it can sometimes be easy for organizations to remain lax on preventative measures, particularly if they interpret the calls for tighter security from experts as fearmongering used to justify their expenses. Though commonplace, this way of thinking is incredibly dangerous, as evidenced by a talk given by Kim Zetter (a titan of cybersecurity journalism) on the May 2021 Colonial Pipeline hack.
Speaking at this past week’s Black Hat Briefings cybersecurity conference, Zetter argued that the hack - which caused the pipeline to be temporarily shut down, leading to transportation disruptions across the eastern United States - was “foreseeable” due to the numerous warnings given by cybersecurity experts regarding the vulnerability of American critical infrastructure, and the high probability that an attack like this would occur. Using two-plus decades of research to show how ill-equipped critical infrastructure is to deal with a serious cyber attack, Zetter states that there is a clear, dangerous gap between what cybersecurity professionals advocate as best practices for critical infrastructure and what is actually paid for and implemented by the companies that oversee it. She points to Colonial not even having a CISO on their payroll as a key indicator that these organizations do not value cybersecurity nearly as much as they should, and steps need to be taken to ensure that experts and organizations work together to close the gap between what is recommended and what is put into practice.
This requires CISOs and other experts to cut through the apathy of non-technical executives when it comes to evaluating hypothetical threats and instilling in them a straightforward understanding of the benefits of preventative cybersecurity. The Colonial Pipeline hack remains a cautionary tale for all organizations that oversee critical infrastructure, and there is hope that more attacks of greater or equal magnitude need not occur for the message of cybersecurity’s importance to be received loud and clear.
LockBit 3.0: When Antivirus Gets Exploited
Antivirus software is a key part of any cybersecurity framework, but what happens when hackers can exploit these protections? LockBit 3.0, the latest version of the LockBit Ransomware as a Service (RaaS), has gained notoriety by utilizing a popular antivirus software to launch its attacks. Windows Defender, an anti-malware software featured on Windows platforms and devices, has been shown to be exploitable by LockBit 3.0, as the ransomware deploys Cobalt Strike, a penetration testing tool that bypasses Defender’s detections and drops several malicious payloads, which can lead to data theft and other ransom opportunities. This is done through the exploitation of Microsoft Defender’s command line tool “MpCmdRun.exe,” which Defender uses to scan for malware. LockBit (utilizing Cobalt Strike) exploits this to trick Defender into side-loading Dynamic Link Libraries (DLLs) that decrypt and deploy the Cobalt Strike payloads. While Microsoft taking steps to improve Defender would make its customers feel more secure in the future, RaaS like LockBit 3.0 can exploit the very software that consumers use to protect themselves.