Australia Considers Ban on Ransomware Payments: Cyber Threat Intelligence Roundup
A new APT41 subgroup, Australia’s plan to ban ransomware payments, and Twitter’s mounting security woes
In this week’s report, CTI investigates a tactical intel report relating to the discovery of a previously undocumented subgroup of APT41, called Earth Longzhi. Next is an overview of the Australian government’s proposal to potentially implement a ban on ransomware and extortion payments — taking into account what that could mean for cybercriminals, security professionals, law enforcement, cyber insurers, and more. Also included is a summary of some recent developments at Twitter, and how security professionals believe the company’s leadership changes may be impacting the social media platform’s security posture.
1. Earth Longzhi: a new APT41 subgroup using custom Symatic Cobalt Strike loader
Trend Micro recently revealed the existence of a previously undocumented subgroup of the Chinese state-backed hacking group, APT41, called Earth Longzhi. The subgroup has been active since 2020 and uses custom versions of Cobalt Strike loaders to plant persistent backdoors on target systems.
Trend Micro investigated an incident in early 2022 in which a company in Taiwan was compromised. The malware leveraged in the incident was a custom Cobalt Strike loader that led researchers to additional incidents, dating back to 2020, in which a similar loader was deployed. Trend Micro dubbed this group Earth Longzhi, and has observed two large campaigns carried out by the operation.
The first Earth Longzhi malware campaign
The first Earth Longzhi campaign took place between May 2020 and February 2021 and targeted government, infrastructure, academic, and health industries in Taiwan, along with the banking sector in China.
This campaign used spear-phishing emails as its primary entry vector and deployed a custom Cobalt Strike loader, Symatic loader, alongside other custom hacking tools.
Earth Longzhi prepares and uses an all-in-one hacking tool for its post-exploitation activities. This tool bundles all the necessary utilities into one package, many of them either publicly available or previously seen in earlier attacks, and lets the threat actor complete multiple operations from a single executable. Its functions include launching a process with higher privileges, gathering information about local or remote drives, modifying a file’s timestamp, disabling Windows File Protection, and so on.
The second campaign
The second campaign took place from August 2021 to June 2022 and targeted high-profile victims in the defense, aviation, insurance, and urban development industries in Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine.
As was the case with the first campaign, this campaign primarily leveraged spear-phishing emails as its initial entry. Earth Longzhi deployed various types of customized Cobalt Strike loaders in this campaign, which Trend Micro dubbed CroxLoader, BigpipeLoader, OutLoader, and MultipipeLoader.
Trend Micro also collected multiple hacking tools while investigating the second campaign. The tools collected were intended for privilege escalation (PrintNightmare and PrintSpoofer), credential dumping (Mimikatz), and defense evasion (disabling security products). Rather than using public tools as-is, Earth Longzhi either reimplements them or develops its own tools based on open-source projects.
Earth Longzhi attribution
Trend Micro attributed this activity to APT41’s subgroup Earth Longzhi based on the following factors:
- Victimology: The impacted regions and targeted sectors are countries of interest in East and Southeast Asia, which closely matches the victimology of another APT41 subgroup, Earth Baku.
- Shared Cobalt Strike metadata: Researchers found that most of the Cobalt Strike payloads shared the same watermark and public key. This watermark/public key combination is also used by other APT41 subgroups and indicates that Earth Longzhi shares the same Cobalt Strike team server with other APT41 subgroups.
- Code similarities: Researchers discovered that the decryption algorithms in Symatic Loader and CroxLoader are very similar to the one identified with GroupCC, another APT41 subgroup.
- Overlapping TTPs: Earth Longzhi has adopted the Python Fastly CDN leveraged by GroupCC to hide the actual command and control (C2) server address. Researchers believe this is evidence of a relationship between the two subgroups.
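The shared-metadata factor above is something an analyst can reproduce mechanically: extract the watermark and public key from each beacon configuration and look for team-server identities that span more than one tracked cluster. The following is an added example written for this roundup, not Trend Micro's tooling; the sample records, watermarks, key fingerprints and hostnames are constructed placeholders, and the overlap they show between clusters is illustrative only.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed beacon config extracts, shaped like what a Cobalt Strike config
# parser emits. Watermarks, key fingerprints and hostnames are placeholders.
SAMPLES: List[Dict[str, object]] = [
    {"sha256": "sample-01", "cluster": "Earth Longzhi", "loader": "Symatic",
     "watermark": 100001, "pubkey_fp": "KEYFP-A", "c2": "front-a.example"},
    {"sha256": "sample-02", "cluster": "Earth Longzhi", "loader": "CroxLoader",
     "watermark": 100001, "pubkey_fp": "KEYFP-A", "c2": "front-b.example"},
    {"sha256": "sample-03", "cluster": "GroupCC", "loader": "unknown",
     "watermark": 100001, "pubkey_fp": "KEYFP-A", "c2": "front-c.example"},
    {"sha256": "sample-04", "cluster": "Earth Baku", "loader": "unknown",
     "watermark": 200002, "pubkey_fp": "KEYFP-B", "c2": "other.example"},
    {"sha256": "sample-05", "cluster": "Unattributed", "loader": "unknown",
     "watermark": 100001, "pubkey_fp": "KEYFP-C", "c2": "front-d.example"},
]

TeamServerKey = Tuple[int, str]

def team_server_key(sample: Dict[str, object]) -> TeamServerKey:
    """Watermark plus public-key fingerprint identifies one team server.
    A watermark alone is weak evidence (leaked builds reuse it), so both
    values must match before two samples are treated as the same server."""
    return (int(sample["watermark"]), str(sample["pubkey_fp"]))

def clusters_per_team_server(samples) -> Dict[TeamServerKey, Set[str]]:
    """Map each team-server identity to the activity clusters seen using it."""
    seen: Dict[TeamServerKey, Set[str]] = defaultdict(set)
    for s in samples:
        seen[team_server_key(s)].add(str(s["cluster"]))
    return dict(seen)

def shared_team_servers(samples) -> Dict[TeamServerKey, Set[str]]:
    """Team servers used by more than one tracked cluster: the overlap that
    supports grouping those clusters under one umbrella operator."""
    return {k: v for k, v in clusters_per_team_server(samples).items() if len(v) > 1}

def pivot_candidates(samples, cluster: str) -> List[str]:
    """Hashes of samples that share a team server with `cluster` but are not
    yet attributed to it: the leads an analyst would review next."""
    keys = {team_server_key(s) for s in samples if s["cluster"] == cluster}
    return sorted(str(s["sha256"]) for s in samples
                  if team_server_key(s) in keys and s["cluster"] != cluster)

if __name__ == "__main__":
    for key, groups in shared_team_servers(SAMPLES).items():
        print(f"team server {key}: shared by {sorted(groups)}")
    print("pivot leads for Earth Longzhi:", pivot_candidates(SAMPLES, "Earth Longzhi"))
```

Note that sample-05 reuses the watermark but not the key, so it is correctly kept out of the shared cluster.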
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“APT41 is incredibly sophisticated, and any potential subgroups (such as Earth Longzhi) should be treated with the same degree of caution typically afforded their umbrella group. The two Earth Longzhi campaigns observed by Trend Micro lasted for several months — further evidence of the group’s sophistication and commitment to operational security (OPSEC), as the activity remained unattributed for more than two years.”
2. Australia considers banning ransomware payments
Australia is currently considering banning ransomware payments in an effort to undermine the extortion-based aspect of the cybercriminal business model.
Clare O’Neil, minister for home affairs and cybersecurity, has confirmed that the government is looking at not only banning ransomware payments but at also criminalizing extortion payments as part of the government’s overall cyber strategy.
Why Australia may ban ransomware payments
Australia has experienced numerous high-profile cybersecurity incidents recently. One of the most notable breaches is the Medibank incident, which occurred earlier this month. Medibank, one of Australia’s largest private health insurers, recently disclosed that hackers managed to gain access to its customers’ personal data. The organization stated that it would not be making a ransom payment to the threat actors, a decision reportedly based on advice received from cybercrime experts.
The Medibank incident occurred just weeks after Australia’s second-largest telecommunications company, Optus, experienced a cyberattack. These attacks ultimately prompted the Australian government’s current deliberations regarding a possible ban on ransomware payments.
What else is Australia doing?
Australia’s contemplation of completely banning ransom payments began just one day after the minister announced a new permanent joint standing operation between the Australian Federal Police (AFP) and the Australian Signals Directorate (ASD) — the country’s top law enforcement and cyber and signals intelligence agencies, respectively — to combat cybercrime.
This new initiative aims to “disrupt cybercriminal syndicates with a priority on ransomware threat groups” and will “collect intelligence and identify ringleaders, networks and infrastructure in order to disrupt and stop their operations – regardless of where they are.”
Will Australia’s ransomware plan work?
The banning of ransomware payments is a loaded proposition and one that’s likely to elicit varying responses depending on who you ask.
Much of the logic behind the potential banning of ransomware payments comes down to the oft-repeated fact that those on the receiving end of a ransomware attack are forced into dealing with criminals. This raises the obvious question: How is one supposed to trust a criminal, particularly during a negotiation? While a threat actor may claim that paying the ransom ensures the exfiltrated data will not be published and any encrypted files will be restored, there’s just no guarantee at the end of the day.
The only sure thing is that paying the ransom only rewards the threat actor, providing positive reinforcement by proving their efforts to be effective and fruitful. Furthermore, the paying of ransoms could make victim organizations and their respective industries a bigger target. Once threat actors realize a certain company/sector/country is willing to pay a ransom, that target becomes even more attractive.
On the flip side, criminalizing ransomware payments could have the opposite of its intended impact. As The Record calls out, this could “push visibility of attacks further underground by forcing companies to keep quiet about incidents to avoid regulatory scrutiny.”
Forcing the payment of ransoms underground hides these crimes and makes the response from law enforcement even more difficult than it already is.
What does this mean for cybercriminals?
Cybercriminals could respond in a few ways if Australia does decide to move forward with banning ransomware payments.
On one hand, the threat actors may no longer see Australia as a lucrative target for ransomware operations. Why go through the trouble and effort of conducting ransomware operations if it’s illegal for the victim to pay the ransom? What is there to gain? Of course, this outcome relies entirely on the premise that every Australian organization is committed to following the letter of the law, regardless of what it may cost them in terms of downtime, outages, and reputational damage.
Threat actors could also take this on as a challenge. After all, companies hit with ransomware may try to hide the fact that they’ve paid a ransom if it becomes criminalized. If this were to happen, a threat actor could come back demanding an additional ransom payment to keep the first one quiet — yet another form of blackmail for ransomware actors to add to their extortion arsenal.
Threat actors may also pivot from ransomware to other methods of generating revenue. Whether or not threat actors decide to refocus efforts away from Australia and to other countries or take advantage of the potential for additional ransom payments is unclear.
How this impacts cyber insurance
Cyber insurance varies for each company depending on the type of policy, but many policies may cover ransom payments along with other financial losses associated with cyberattacks. Cyber insurers and those with cyber insurance would likely need to revisit and make changes to existing policies if ransom payments became criminalized.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“Australia’s consideration to ban ransom payments could make some serious waves in the ransomware marketplace. After all, banning ransom payments will not end cybercrime and will likely encourage threat actors to change their tactics.”
“The possibility of an outright ban brings to mind America’s prohibition era, when the Volstead Act banned alcohol. Rather than keeping people from consuming alcohol, the action simply increased gang violence and generated new underground markets. The latter circumstance would likely occur following the outright banning of ransom payments.”
“Other questions now abound. Will threat actors pivot from ransomware to other means of revenue generation in countries that ban ransom payments? And will threat actors pivot away from these countries altogether? CTI will continue to track evolutions regarding Australia’s decision to ban ransom payments and will make note of any impacts resulting from such a choice.”
3. Twitter’s growing security problem
Twitter is currently facing a variety of security risks as the company continues to undergo leadership and personnel changes.
For example, the company’s top security brass recently resigned following the acquisition by Elon Musk.
From Politico: “Twitter’s top security officials — including its chief information security officer, chief privacy officer, chief compliance officer and head of trust and safety — all resigned Thursday, citing the risk of implementing some of Musk’s new revenue grabs (like the new check-mark policy) amid an ongoing Federal Trade Commission probe.”
A mass exodus of officers responsible for implementing Twitter’s security policies does not bode well for the company’s ability to defend itself against hackers. Twitter’s cybersecurity posture was already a matter of concern for many and prompted a whistleblower complaint filed by former head of security Peiter Zatko earlier this year. Now, the situation appears to be deteriorating further.
Dramatic staff reduction
Exacerbating the already tense situation are numerous reports claiming that Twitter laid off over 4,000 of the company’s 5,500 contract employees.
Affected roles are said to include those that comprise Twitter’s “core infrastructure services,” along with positions in content moderation and marketing. Various first-hand tweets from those affected by the cuts would seem to suggest that plenty of employees involved in Twitter’s trust and safety teams were also impacted.
The platform has caught plenty of flak for its handling of the firings, which former Twitter employees have largely described as being carried out in a highly impersonal manner. Many employees learned of their fate via email, while others were simply left to figure things out on their own when their system access was suddenly revoked.
Top security concerns
One of the top security concerns at Twitter has to do with the vast amount of data that the company stores, beyond merely email addresses and passwords. The company also stores data inside direct message inboxes but does not use end-to-end encryption.
Twitter is also struggling with the fallout of widespread hoax accounts following the attempted overhaul of its blue checkmark system, which was initially designed to increase confidence in the reliability of information on the platform.
In early November, Twitter launched the $7.99 Blue subscription service in its iPhone app. The service allowed users to buy the coveted blue checkmark, a designator that had previously been a symbol of an account’s veracity and authenticity. More recently, the ability for users to sign up for Twitter Blue disappeared from the app.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“The most immediate and visible outcomes of these recent events are the dips in stock prices, as well as the growing number of advertisers which have paused spending with Twitter.”
“There is also reason to be concerned about the human cost of Twitter’s security exodus. By all appearances, Twitter’s entire security apparatus (which was, by some accounts, a fledgling enterprise) may have been given walking papers.”
“Of course, Twitter was already rife with misinformation, hoaxes, and scams. The developments described above will likely exponentially increase the frequency with which your average Twitter user encounters such things.”
“CTI urges caution when engaging in any interactions on a social media platform. Question everything.”