The Good, the Bad and the Ugly in Cybersecurity – Week 28

The Good

According to a recent announcement, AstraLocker ransomware is ceasing development and shutting down its operations. As part of the shutdown, the ransomware’s developer has released its decryption keys to VirusTotal (via an uploaded ZIP archive). After testing a key against a recently encrypted file, researchers believe the keys are legitimate, and security experts are working on a universal decrypter for AstraLocker victims.

While it was based on leaked Babuk ransomware code, AstraLocker did not initially compromise the device by leveraging other malware or vulnerabilities to gain a foothold into a targeted device like other notable ransomware. Instead, the threat actor behind AstraLocker directly deployed malicious payloads through phishing emails. The malicious Microsoft Word documents attached to the phishing emails would conceal the payload within an OLE object. When opening the attachment, a target only has to click “Run” in the warning notification to deploy the payload.

Recent attacks following the release of AstraLocker 2.0 had brought the lesser-known ransomware into the spotlight, and experts speculate that the actors behind the ransomware decided to shut down operations to avoid being arrested by law enforcement.

Although those behind the distribution of AstraLocker have yet to be caught or identified, law enforcement continue to pursue cyber criminals. We hope that the fear of arrest will deter more threat actors, and that this shutdown will provide some degree of closure to AstraLocker victims.

The Bad

In a startling turn of events, a former cybersecurity employee was caught using security reports and company property for personal gain. In an incident report addressed to its customers, the vulnerability management and bug bounty firm HackerOne disclosed that an employee had anonymously disclosed vulnerability-related information outside of the HackerOne platform to claim additional bug bounties.

According to HackerOne’s timeline, one of their customers requested an investigation based on an off-platform communication with someone with the username “rzlr” disclosing a vulnerability. Due to the “intimidating language” in the disclosure, and the fact that it contained several similarities to an existing HackerOne disclosure, the security team quickly launched an incident investigation.

Upon expanding the scope of the investigation to look into other off-platform disclosures to HackerOne customers from “rzlr”, the firm’s security team first investigated the prospect of a group of insiders being responsible before focusing on a HackerOne employee account as a potential point of entry for a threat actor. The investigation found that the threat actor had leveraged a HackerOne sockpuppet account to collect bounties for a “handful of disclosures”. Information from payment providers confirmed that an employee with access to HackerOne systems between April 4th and June 23rd, 2022 was the threat actor in question. The employee identified was promptly dismissed.

It’s incredibly disheartening to see a cybersecurity employee break the trust of their coworkers and the customers that put their trust in them. Moreover, it acts as a stark reminder that organizations need to take insider threats seriously and ensure they have measures in place to protect themselves and their clients.

The Ugly

After announcing it would block VBA macros on downloaded documents by default in February, Microsoft has suddenly changed course without explanation or warning.

Microsoft customers initially noticed that Office was no longer blocking VBA macros this Wednesday, and began asking the company for clarification. Eventually, a Microsoft manager confirmed the unannounced rollback had taken place.

Microsoft rolls back decision to block Office macros by default – @sergheihttps://t.co/9BK0slNuEw

— BleepingComputer (@BleepinComputer) July 7, 2022

Customers and security professionals had been highly anticipating the change because VBA macros are a widely abused means of pushing ransomware like AstraLocker (see above), committing fraud through business email compromise and delivering various forms of malware, including Emotet, TrickBot, Qbot, and Dridex via phishing attacks with malicious Office document attachments.

In a notification on the Microsoft 365 message center on Thursday, Microsoft said it was rolling back the feature “based on feedback”, and that it was “working to make improvements in this experience”.

In response, customers accused Microsoft of sacrificing the safety of individual customers and smaller businesses and criticized the company for rolling back the blocking of macros without first notifying them.

Microsoft’s reversal is a major loss for security-conscious Windows users, and it is unfortunate that customers were not told about the decision ahead of time. We can only hope that Microsoft takes feedback from across its customer base onboard to produce a better, more secure experience for everyone.