Biomedical firms and their partners are being targeted by an Advanced Persistent Threat (APT) actor in a campaign that delivers Tardigrade malware. Initial analyses of Tardigrade malware suggest it is a sophisticated threat from the SmokeLoader malware family. SmokeLoader is a generic backdoor that provides threat actors with persistent access to victims’ networks and gives them the ability to download additional modules or other stealthier malware variants onto systems.
Tardigrade malware is a much stealthier and more dangerous malware variant than SmokeLoader. It is far more sophisticated and has greater autonomy. The malware can make decisions about the files to modify and can move laterally within victims’ networks without requiring communication with a command-and-control server. The malware is also capable of immediate privilege escalation to the highest level.
Tardigrade malware is thought to be used for espionage purposes but has far greater capabilities. In addition to exfiltrating sensitive data from pharmaceutical and biomedical firms and vaccine chain companies, the malware is capable of causing major damage to IT systems to disrupt critical processes, including preparing systems for ransomware attacks after sensitive data have been exfiltrated. The analysis of the malware is ongoing, and no specific threat actor has been identified as conducting the attacks, but the attacks are believed to be conducted by a nation-state threat actor.
BIO-ISAC warns of Targeted Attacks on the Biomanufacturing Sector
The Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) has recently issued a warning about Tardigrade malware due to the threat it poses to vaccine manufacturing infrastructure, even though relatively little is currently known about the malware. The early disclosure is believed to be in the public interest.
All firms in the biomanufacturing sector and their partners have been warned that they are likely targets and should assume that attacks will occur. Steps should therefore be taken to ensure that appropriate cybersecurity measures have been implemented to block attacks and to limit the damage that can be caused should an attack be successful.
It is too early to tell how many methods are being used to distribute Tardigrade malware, but from the infections detected so far, the APT group behind the attacks is known to be using phishing emails to deliver Tardigrade, with infected file attachments the most likely method of delivery. Hyperlinks in emails that direct individuals to malicious websites where infected files or malware installers are downloaded could also be used.
An analysis of the attacks also indicates the malware could infect USB drives and transfer the malware automatically when those storage devices are used on uninfected computers. That means that if USB drives are used on devices isolated from the network, they too could be infected.
Defending Against Tardigrade Malware
Defending against attacks requires an advanced antispam solution that is not reliant on antivirus engines to detect malicious files. Antivirus engines are effective at blocking known malware variants, but not previously undetected variants. Since Tardigrade malware is metamorphic, machine learning technology and sandboxing are required to block samples that AV engines do not detect as malicious. Antivirus software capable of behavioral analysis should be installed on all devices, as the malware itself may not be detected as malicious by signature-based scanning.
A web filter should be installed and should be configured to block downloads of executable files from the Internet, such as .js, .com, .exe, and .bat files. It is also important to raise awareness of the threat of malicious messages with the workforce and teach all employees how to identify phishing emails. Training should cover cybersecurity best practices and inform employees about the procedures to follow if a suspicious email is received. Spear phishing attacks will likely be conducted on key targets. It is therefore recommended to review LinkedIn and other social media posts to identify individuals who may be targeted.
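As an added defender-side illustration of the web-filter policy described above (not code from the original article or from any vendor's product), the Python below decides whether a download should be blocked by checking the URL path, the Content-Disposition filename and the Content-Type, so that executables disguised with a query string, a double extension or no extension at all are caught as well. All hostnames and log entries are constructed.

```python
import posixpath
import re
from urllib.parse import unquote, urlparse

# File types the article says the web filter should refuse to download.
BLOCKED_EXTENSIONS = {".js", ".com", ".exe", ".bat"}
# Content-Types that mark a Windows executable even when the URL has no
# extension (constructed list, not from the article).
BLOCKED_MIME_TYPES = {"application/x-msdownload", "application/x-dosexec",
                      "application/vnd.microsoft.portable-executable"}
# Pulls the filename out of e.g.  attachment; filename="invoice.exe"
_FILENAME_RE = re.compile(r'filename\*?\s*=\s*"?([^";]+)"?', re.IGNORECASE)

def _extension(filename):
    # Normalise the way Windows does: case-insensitive, trailing dots and
    # spaces ignored, and only the last suffix counts (notes.pdf.exe -> .exe).
    return posixpath.splitext(unquote(filename).lower().rstrip(". "))[1]

def download_verdict(url, content_type="", content_disposition=""):
    """Return 'block' or 'allow' for one HTTP download. A Content-Disposition
    filename wins over the URL path, so /get?id=7 serving invoice.exe is still
    caught; the Content-Type check catches executables served with no name."""
    match = _FILENAME_RE.search(content_disposition)
    name = match.group(1) if match else posixpath.basename(urlparse(url).path)
    if _extension(name) in BLOCKED_EXTENSIONS:
        return "block"
    if content_type.split(";")[0].strip().lower() in BLOCKED_MIME_TYPES:
        return "block"
    return "allow"

def audit_downloads(records):
    """records: (url, content_type, content_disposition) triples, e.g. from a
    proxy log. Returns the URLs the policy would have blocked."""
    return [u for u, ct, cd in records if download_verdict(u, ct, cd) == "block"]

# Constructed sample of proxy-observed downloads (not real indicators).
SAMPLE_DOWNLOADS = [
    ("https://files.example.test/quarterly-report.pdf", "application/pdf", ""),
    ("https://cdn.example.test/setup.EXE?campaign=1", "application/octet-stream", ""),
    ("https://share.example.test/get?id=7", "application/octet-stream",
     'attachment; filename="invoice.pdf.exe."'),
    ("https://dl.example.test/agent", "application/x-msdownload; charset=binary", ""),
    ("https://www.example.test/static/app.js", "text/javascript", ""),
]

if __name__ == "__main__":
    for blocked_url in audit_downloads(SAMPLE_DOWNLOADS):
        print("blocked:", blocked_url)
```

Running the block prints the four sample URLs the policy would block; the PDF passes.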
Network segmentation is vital for preventing the spread of Tardigrade malware. In the event of a device being compromised, network segmentation will limit the harm that can be caused. Tests should be run to ensure that corporate, guest, and operational networks are properly segmented. All firms in the biomanufacturing sector should identify their most sensitive data and ensure that it is appropriately protected, and all key infrastructure should be regularly backed up, with backups stored offline. BIO-ISAC also recommends inquiring about lead times for key bio-infrastructure components that would need to be replaced after an attack.
A new Android banking Trojan named SharkBot has been identified that has capabilities that go beyond most mobile banking Trojans.
This new Android malware stands out due to its use of an Automatic Transfer System (ATS) technique that allows it to bypass multi-factor authentication controls and automate the process of stealing funds from victims’ accounts. In order to steal funds from accounts, most Trojans require human input. SharkBot keeps human interaction to a minimum by auto-filling fields, such as those that need to be completed to make money transfers.
SharkBot can intercept SMS messages, such as those containing multi-factor authentication codes sent by financial institutions, and can hide those SMS messages so that they appear never to have been received. SharkBot can also perform overlay attacks, where a benign-looking pop-up is displayed over an application to trick a user into performing tasks, such as granting permissions. SharkBot is also a keylogger and can record and exfiltrate sensitive information such as credentials to the attacker's command and control server, and it bypasses the Android Doze power-management component to ensure it stays connected to its C2 servers.
The malware has been configured to steal money from bank accounts and cryptocurrency services in the United States, United Kingdom, and Italy, and targets 27 financial institutions – 22 banks and 5 cryptocurrency apps.
During installation, the user is bombarded with popups asking them to give the malicious app the permissions it needs; the popups only stop appearing once the user grants the required permissions, which include enabling Accessibility Services. When the malicious app is installed, the app's icon is not displayed on the home screen. The malware also abuses Accessibility Services to prevent users from uninstalling it via Settings.
The ATS technique used by the malware allows it to redirect payments. When a user attempts to make a bank transfer, information is auto-filled to direct the payment to an attacker-controlled account, unbeknownst to the victim.
The malware was analyzed by researchers at Cleafy, who found no similarities with any other malware variants. Since the malware has been written from scratch, it currently has a low detection rate. The researchers believe the malware is still in the early stages of development, and new capabilities could well be added to make it an even bigger threat.
One of the main problems for developers of malware targeting Android devices is how to get the malware installed on a device. Google performs checks of all apps available before adding them to the Google Play Store, so getting a malicious app on the Play Store is difficult. Even if that is achieved, Google is quick to identify and remove malicious apps.
SharkBot has been identified masquerading as a variety of apps, such as an HD media player, a data recovery app, and a live TV streaming app. The fake apps are delivered via sideloading on rooted devices and by using social engineering techniques on compromised or attacker-owned websites to convince victims to download them.
SharkBot uses a wide range of techniques to prevent detection and analysis, including obfuscation to hide malicious commands, an anti-emulator check to confirm it is running on a real device rather than an analysis environment, downloading its malicious modules only once it has been installed, and encrypting all communications between the malware and the C2 servers.
Users of mobile phones tend not to be as cautious as they are with laptops and computers, but the same cybersecurity best practices should be followed. It is important to avoid clicking hyperlinks in emails and to only download apps from official app stores. The malware also serves as a reminder that while multi-factor authentication is an effective security measure, it is not infallible.
2021 has been a particularly bad year for cyberattacks. There are still 6 weeks of 2021 left, but there have already been more publicly reported data breaches than in all of 2020, according to the Identity Theft Resource Center (ITRC). 2020 was a record-breaking year for cyberattacks, and that record looks set to be beaten once again.
ITRC said supply chain attacks increased by 42% in the first quarter of 2021, ransomware attacks have been occurring at record levels, and phishing attacks remain a constant threat. It is not just the number of data breaches being reported that is a cause for concern, but also the severity of those breaches.
This year has seen several high-profile attacks, including the ransomware attack on Colonial Pipeline in the United States that disrupted fuel supplies to the East Coast for a week, and a ransomware attack on the Irish Department of Health and the Health Service Executive in May 2021, which resulted in data theft and major disruption to healthcare services.
Attacks on critical infrastructure have a devastating impact on people, and businesses can suffer catastrophic losses. Given the current threat level and the frequency at which data breaches are being reported, it has never been more important to invest in cybersecurity.
Cybersecurity is now a priority for Irish businesses following a series of devastating cyberattacks in the country. Those attacks have hammered home the message that all Irish companies need to take steps to improve their defenses and keep hackers at bay.
Think Business, Ireland has recently raised awareness of the risk of cyberattacks and is helping businesses in the country find the solutions they need, by highlighting the excellent work being conducted by Irish cybersecurity firms. Many cybersecurity firms have a base in Ireland, with the country producing some incredible homegrown cybersecurity talent in the form of consultants, security experts, and companies that offer cutting-edge cybersecurity solutions that are protecting companies and data all around the world.
To help Irish businesses find companies that can meet their cybersecurity needs, Think Business, Ireland recently compiled a list of the top 26 Irish cybersecurity companies to watch out for in 2021 and beyond, with the report highlighting the wide range of cybersecurity solutions that have been developed by innovative Irish companies that are making their mark on the global stage.
The list includes TitanHQ, a Galway-based cybersecurity firm that has been developing innovative security solutions for 25 years. TitanHQ’s award-winning email security, web security, and email archiving solutions are now used by more than 12,000 businesses in over 150 countries, with more than 2,500 managed service providers using the solutions to protect their own and their clients’ networks from cyber threats such as malware, ransomware, viruses, botnets, and phishing.
While many businesses have been struggling through the pandemic, TitanHQ has gone from strength to strength and has continued to enjoy impressive growth. Investment from Livingbridge investor group has helped the company invest even more in product development and people and over the past 18 months, the company has doubled its workforce to more than 90 employees.
TitanHQ solutions have been developed to be easy for all businesses to implement and use and, importantly, the solutions were built from the ground up by managed service providers to help MSPs better protect their clients. The solutions save MSPs' support and engineering time by stopping problems at the source and are easy to fit into existing service stacks. That is part of the reason why TitanHQ is now the leading provider of cloud-based cybersecurity solutions to MSPs serving the SMB market.
“We are delighted to be listed next to some of the biggest names in the Irish cybersecurity space,” said Ronan Kavanagh, CEO, TitanHQ. “As the threat landscape continues to be a significant risk to organizations across the globe, we are dedicated to continuous innovation to provide consistent, secure, and reliable protection to our customers.”
Left to Right: Ronan Kavanagh, CEO, Diane Wright, people operations manager, Sean Morris, chief technical officer, Gina Mc Grath, digital marketing executive, and Dryden Geary, marketing director.