DOJ Fund Recovery, the Dark Web Bargain Bin, VBA Macros Update

Updates from Microsoft, new research on attack vectors, and good news from the Department of Justice. 

Latest Threat Intel News:

No Money Back Guarantee: DOJ Recovered Funds Paid to North Korean Ransomware Group

After being encrypted by Maui ransomware last year, two healthcare organizations found themselves with little choice but to pay up. It was either pay the ransom or lose the ability to provide critical care to their patients. The ransom payments were made in cryptocurrency and passed through money laundering services often employed by ransomware gangs. The FBI, however, was able to trace, seize, and ultimately return around $500,000 of the ransom funds.

Why This Matters

A positive headline in information security news is a welcome change, but victims of ransomware should never count on getting their money back. Especially as ransomware gangs employ alternate forms of privacy currency such as Monero and Zcash that are harder to trace. The goal is to prevent the need for paying a ransom altogether by having proper backups.

Additional Information:

• "DOJ seized ransoms paid by health centers in Kansas, Colorado after 2021 attacks" (The Record)

Dark Web Bargain Bin: The ROI for Attackers Couldn’t be Better

HP’s threat research team noted that despite nearly $7 billion in cyber losses last year, most malware and exploits to carry out these attacks are advertised for sale on the dark web for less than $10. In fact, many of these exploits were sold as “plug and play” malware kits or malware-as-a-service, reducing the need for serious technical skills to deploy the exploits on unwitting victims. Even more sophisticated or niche exploits ranged from $1,000–$4,000 or tens of thousands of dollars for zero days (exploits not yet publicly known).

Why This Matters

This research makes clear that criminals are focusing on low-hanging fruit like RDP, Microsoft Office, and web and email servers in order to get initial access to systems. While infosec moves quickly from one zero-day to the next, many serious attacks could be stopped by focusing on basic security controls (patching, MFA, etc).

Additional Information:

• "The Evolution of Cybercrime: Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back" (HP Threat Research Blog)

Microsoft Reinstates Blocking VBA Macros by Default

After years of its VBA macros being a top vector for cyber criminals to gain initial access to a network, Microsoft announced earlier in 2022 that it would block the Office tool by default. After abruptly reversing course and pausing the change due to user feedback, Microsoft has announced it will resume blocking macros by default. See links below for more guidance aimed at users and IT professionals.

Why This Matters

Microsoft VBA macros are a widely-used legitimate tool. They have also become a favored way for cybercriminals to gain remote access to the networks of victims. Microsoft’s move to implicitly deny macros is a good first line of defense, but it isn’t the total solution.

Additional Information:

• "Macros from the internet will be blocked by default in Office" (Microsoft)

• "A potentially dangerous macro has been blocked" (Microsoft Support)

This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.