shift change 01-24-2024

1. LockBit continues to evolve—who or what is LockBit and how are they evolving?

LockBit is a ransomware-as-a-service (RaaS) provider—the group builds ransomware tools and sells those tools (along with the support needed to use them successfully) to threat actors. LockBit’s tools are prolific, but being prolific in the RaaS industry comes with uncomfortable attention, whether from governments or from non-state actors and groups:

"There is no question that, whether it is law enforcement pressure or the defenders getting better, that we are seeing that these groups are forced to evolve — they have to get better at what they are doing," says Jon Clay, vice president of threat intelligence for Trend Micro.
They also have to keep up with the Dark-Web Joneses. To that end, the latest version now requires a key to obfuscate its main routines and hinders reverse engineering and analysis, for example — a technique used by other ransomware families, such as Egregor, cybersecurity firm Trend Micro stated in an advisory published on Tuesday. The new version of the ransomware program also enumerates available application programming interfaces (APIs), a feature identical to the BlackMatter ransomware program, the company stated.

They have also started going after bigger targets, such as Subway:

"LockBit's recent claim of breaching Subway has raised eyebrows, but what’s most interesting is that it's not their typical gig," says Ferhat Dikbiyik, head of research at the Black Kite cybersecurity firm. "Their average prey consists of companies with about $100 million in revenue, signaling that while they've taken a bite out of a billion-dollar brand [now], the majority of their targets are midsize or small."

2. The SEC lost control of its exTwitter account because it didn’t bother to protect itself from SIM-swapping, and then proceeded to get SIM-swapped.

pro hacker move

SIM swapping is not new, is easily prevented (use non-SMS multi-factor authentication), and even a vaguely responsible government agency that supervises industry standards owes the public better.

ExTwitter took a lot of flak from the security community for turning off SMS-based MFA (because it is susceptible to SIM-swapping and SS7 attacks), but it was turning off a security feature that was both expensive (given the volume of text messages the company needed to send) and vulnerable. Maybe the community should’ve focused on the actual security implications instead of stamping its feet in indignation. Maybe the SEC should do some of the basics. Have they checked out the Markup’s Gentle January series? Some real pointers there.

Mike Masnick at TechDirt did a great write-up of the end of SMS 2FA for Twitter—I guess the SEC missed it.

3. The Markup’s “Gentle January” continues with a neat (but now out-of-date) way to protect information on your iPhone from exposure if someone gets access to your device, followed by never-out-of-date advice: stop feeding your children’s pictures and information to the internet; and then: get what you’ve given to the internet off the internet (with the help of an automated service, absolutely!). 

ERASE!

## The shift change is a collection of timely stories of interest in the security, privacy, and intelligence worlds. Thanks for reading, and feel free to reach out to will@signaltonoise.fyi for any questions, comments, or thoughts on items you’d like to see highlighted.