Mirai Security | Cyber Security Blog

Security Impurities: News of the Week (August 17th - 23rd)

Written by Alex Morgan | Aug 22, 2022

Hack-a-Mine: Meet the Hacktivist Group Targeting Latin American Mines:

While hacking is often about monetary gain, sometimes hackers operate in the belief that they are working towards a collective good. Examples of this phenomenon could be seen this week in actions of Guacamaya, a "hacktivist" group operating in Latin America that has claimed to commit multiple attacks against oil and mining companies to protest resource exploitation.

What Type of Hacker is a Hacktivist?

Hacktivists (a combination of the term 'hacker' and 'activist') are actors who commit cyber-attacks in the name of a specific cause, such as environmentalism or political upheaval. Hacktivists generally view their hacking as a form of active protest against injustices perpetrated by the entities they choose to target, whether they be government agencies or private companies.

Who are Guacamaya Targeting and Why?

Guacamaya (Mayan for "macaw") are targeting resource extraction companies and government entities that they believe are profiting off of the natural resources of Latin America, including the Guatemalan Ministry of Environment and Natural Resources and the Venezuelan oil company Oryx Resources. Guacamaya sees these entities as complicit in the destruction of natural resources and the exploitation of indigenous peoples who occupy the lands in which they operate. Beyond the leaking of thousands of private emails, Guacamaya has published a manifesto in which they have decried western corporations and their local enablers for being party to "five centuries (529 years) of genocide, terricide (sic), pillage, and violations of our territory of Abya Yala."

While it does not seem that Guacamaya has gone past the leaking of internal messages, their message and fervor illustrate the socially conscious spirit that imbues hacktivist groups worldwide and why their zeal may make them more tenacious than your average hackers.

RUN-PLC: Thinking Like a Hacker to Pre-Empt the Next Generation of PLC Attacks

Part of the inventiveness of threat actors is their ability to put a new spin on old attacks, which is why some cybersecurity experts have attempted to stay ahead of the curve by theorizing new avenues for attacks and how to prevent them before they are even undertaken. Team82 (the research arm of the Claroty cybersecurity platform) is one of the groups at the forefront of this research, as they have recently found a way to turn programmable logic controllers (PLCs) from a target into a weapon.

How Team82 is Rethinking PLC Attacks

In a recently published research paper, Team82 details how PLCs - which have long been a target for advanced cyber-attacks - can be turned into "predator rather than prey," through the Evil PLC Attack. Such an attack involves a PLC being weaponized so that it can then attack other PLCs on an OT network, altering their logic and turning one compromised engineer's workstation into a network-wide calamity.

While such an outcome is undoubtedly worrisome, Team82 also conceptualized how such a weaponization could be used as a defensive cybersecurity measure. If a company pre-weaponizes a decoy PLC to work as a 'honey-pot,' it can conceivably lure attackers into trying to compromise it, resulting in a weaponized code being enacted that would attack the attacker. This ingenuity highlights the importance of groups like Team82, and why it can sometimes be fortuitous for a cybersecurity entity to think like a hacker.

Back in BlackByte: The Hacker Group is Back with a Brand-New Website

As detailed in July's article on Raccoon Stealer 2.0, sometimes malicious operations can appear dormant for extended periods of time before re-emerging to pose new and challenging threats to the cybersecurity landscape. This week's return of Black Byte is just such an example, as the group has returned to launch its new data leak site.

What is Black Byte?

BlackByte is a malware operation that gained notoriety in the summer of 2021 with its ransomware attacks on high-profile corporate networks, including the NFL's San Francisco 49ers and members of the American critical infrastructure sectors.

What Have They Done Now?

This week, Black Byte has been promoting its new data leak site, which includes options to download the stolen data, ensure this data's destruction, or extend the ransom window for 24 hours, all in exchange for sizeable fees. This approach (borrowed from LockBit 3.0's similar extortion model) is targeted both at the victims of the Black Byte ransomware and at other malicious actors who wish to purchase this stolen data. While cybersecurity firm KELA has uncovered the fact that the Black Byte website is broken, as the options for buying or destroying the data feature incorrect embedding and cannot be completed, this kind of blatant, showy extortion is proof that not all ransomware prioritizes covert dealings. Groups like Black Byte are banking on the public attention increasing the likelihood that ransoms are paid, as targets are faced with the distressing proof that their data is on sale to whoever wants it.