The Good, the Bad and the Ugly in Cybersecurity – Week 27

The Good

An alleged ransomware affiliate has reached a plea deal in the United States for collaborating with a ransomware-as-a-service (RaaS) gang.

The U.S. Department of Justice has identified the threat actor as a former employee of Public Services and Procurement Canada, the Canadian government’s department for the federal government’s real estate activity. According to a recent report, the defendant pleaded guilty to hacking-related charges as a member of the NetWalker threat group. This particular threat group offers ransomware-as-a-service to target law enforcement, schools, higher education institutions, and hospitals based in the United States.

New: A former Canadian government employee just agreed to plead guilty to working for ransomware gang that hacked hospitals through the pandemic.

US cops ~$28 million when they took him into custody.

court docs: https://t.co/v9lta8fCtn pic.twitter.com/pX7hIajWab

— Jeff Stone (@jeffstone500) June 28, 2022

Since its first sighting in 2020, security experts believe that the threat actors behind NetWalker have collected over $46 million in ransoms. But in March 2022, the Department of Justice announced that the U.S. government had extradited the defendant from Canada to Florida, seizing approximately $28 million USD of Bitcoin in the process.

This is a major victory for both victims of the NetWalker ransomware gang and international law enforcement. Many threat actors operate in areas that are difficult for U.S. law enforcement to reach, and as a result, often escape the trial process and accountability for their actions. Moreover, the defendant’s plea deal also contains an agreement to cooperate with prosecutors on related investigations, potentially giving international law enforcement the leads they need to eliminate other major threats in the cybersecurity landscape.

The Bad

The Black Basta ransomware group has struck again. Recently, New Peoples Bank, a community bank serving Virginia, West Virginia, Tennessee, and North Carolina, notified their customers of an “interruption” to their services that they discovered on June 15th, 2022.

Since its first sighting in April 2022, Black Basta has gained notoriety for launching double extortion attacks by leveraging older malware to establish a foothold in infected systems.

In their statement, New Peoples Bank detailed their investigation and response efforts, which includes involving law enforcement, regulators and a third-party cybersecurity firm in the investigation. According to the latest findings, a threat actor gained access to the bank’s systems on June 9th and managed to evade existing security controls to access personally identifiable information, including customers’ Social Security numbers, driver’s license numbers, financial account information, and electronic signatures.

Despite their system outages, New Peoples Bank has confirmed that at the time of publication, all of the bank’s systems have been restored, and all transactions from June 15th onwards have been processed. However, the bank has cautioned people to keep an eye on their account statements and credit reports for suspicious activity, and are offering a one-year membership to an identity protection and monitoring program to provide extra visibility.

Incidents like these show how emerging threats can impact organizations and enterprises, even when they have a security framework in place, and how vital it is to ensure that your cybersecurity program can stay ahead of new vulnerabilities and sophisticated threats.

The Ugly

This week, the FBI and the Western District of Oklahoma uncovered a group running a piracy scheme involving millions of dollars worth of stolen software licenses.

According to a press release from the U.S. Department of Justice, authorities have indicted three individuals for violating wire fraud and money laundering statutes while running an operation to sell over $88 million USD worth of licenses stolen from Avaya Holdings Corporation. These licenses were affiliated with Avaya’s IP Office phone system, and allowed customers to unlock premium features, including an expansion of a small or medium-sized business’ phone network or the addition of voicemail.

While these software licenses can only be generated by Avaya and sold by authorized distributors and resellers, one defendant used his system administrator privileges to not only generate software license keys to sell but also hijack accounts that belong to former Avaya employees to generate even more keys, and conceal his activity from the corporation for years.

While detailing the evidence surrounding the defendants’ money laundering, the indictment also discussed the unseen consequences of this piracy scheme. According to the press release, the $88 million in revenue these actors brought in allowed them to “undercut the global market” for Avaya’s software by selling software licenses for significantly below the company’s wholesale price. One defendant was even quoted as saying their collaboration could “corner” Avaya’s market.

This scheme offers a sobering reminder of how internal actors can pose a serious threat by leveraging lateral movement and privilege escalation. Although many design their cybersecurity programs to keep pace with outside threats, it’s important to have measures in place to detect and prevent suspicious activity from the inside. Without this preparation, companies stand to lose much more in the long run.