Emerging Threats

CISO Monthly Roundup, December 2022: The State of Encrypted Attacks 2022, evaluating the Okta breach, joining the JCDC, Indian banking SMS scam, plus Danabot, BlackBasta, and Nokoyama analysis

Dec 22, 2022
CISO Monthly Roundup December 2022 CISO Monthly Roundup December 2022

The CISO Monthly Roundup provides the latest threat research from Deepen Desai and the ThreatLabz team, along with insights on other cyber-related subjects. In December, ThreatLabz released the State of Encrypted Attacks 2022 annual report, partnered with the Joint Cyber Defense Collaborative, revealed an Indian banking SMS scam, published analysis of two new ransomware variants belonging to the BlackBasta and Nokoyama family, and analyzed Danabot.

Revelations from the ThreatLabz State of Encrypted Attacks 2022 report

The recently released ThreatLabz State of Encrypted Attacks 2022 Report is packed full of fresh insights on encrypted threats. The report leverages information from the over 300 trillion daily signals and 270 billion daily transactions happening in the Zscaler Zero Trust Exchange™. Specifically, ThreatLabz researchers looked at roughly 24 billion threats from October 2021 to September 2022.

Figure 1: A map of the five nations most targeted by encrypted attacks in 2022

Our research discovered over 85% of attacks in 2022 were found in encrypted traffic. This represents a 28%+ increase over the same number of encrypted attacks seen in 2020. We also discovered the overall attack volume for all threats has increased 20% since 2021. Encrypted traffic can be used to hide many types of threats including malware, adware, phishing, cryptomining, cross-site scripting (XSS), botnets, and others. The encrypted attacks we observed focused on several industries, with manufacturing, technology/communication, and services being the top three targets.

Figure 2: TLS inspection provides full visibility to block advanced threats

When SSL/TLS traffic is not inspected, it creates a blind spot that threat actors actively exploit by delivering threats over encrypted channels. It is critical for organizations to adopt a cloud native proxy-based architecture that scales to meet the demands of an organization's ever-growing encrypted traffic footprint and provide effective security.

Read the full ThreatLabz State of Encrypted Attacks 2022 Report  

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Data Loss Prevention.

Okta source code breach: evaluating the impact & protecting your organization

Identity access manager (IAM) Okta confirmed its private GitHub repositories have been hacked and its source code stolen. The exfiltrated source code is related to Okta’s Workforce Identity Cloud repository, not its Auth0 (Customer Identity Cloud) products. Upon learning of the attack, ThreatLabz performed a thorough investigation and determined the Okta breach does not impact Zscaler. While Zscaler uses Okta internally as an identity provider (IDP), our production environments require multiple other authentication steps. 

Figure 3: Okta’s GitHub repositories were hacked and their source code stolen

The Zscaler security team has developed a SOC playbook for identity providers and code repositories. The playbook guides security analysts and researchers on fast, effective ways to identify and remediate threats at the user level. The key is leveraging suspicious behaviors to immediately trigger a security action workflow. Further details, including security guidance and best practices, are available here.

SOC playbooks and guidance on security best practices to protect your organization

Zscaler joins JCDC to strengthen U.S. cybersecurity collaborative

Zscaler has joined the Joint Cyber Defense Collaborative (JCDC) in their mission to understand and respond to threats facing the nation. The JCDC was created by the Cybersecurity and Infrastructure Security Agency (CISA) to coordinate cyber responses between the private sector and government agencies. Zscaler will contribute security insights gleaned from managing over 270 billion daily transactions through its zero trust cloud platform. The ThreatLabz team analyzes this data to identify threats, their countries of origin, target destinations, and other pertinent information on global threat actors.

Figure 4: ThreatLabz’s collaboration with the JCDC will improve security for the private and public sector

Zscaler also shares research and cloud data with the broader industry in an ongoing effort to promote internet security. This information is contained in ThreatLabz research reports, real-time dashboards, and specialized reports such as the State of Encrypted Attacks 2022.   

Read more on Zscaler/JCDC cybersecurity collaboration efforts

SMS scams target Indian banking customers

ThreatLabz has observed a sophisticated phishing campaign targeting users of Indian banks including HDFC, AXIS, and SBI. A previous campaign targeting Indian bank users sent malicious complaint forms via SMS that spread text stealing malware. This new campaign uses fake bank card update sites to infect users with Android-based phishing malware.

Figure 5: Two fake Indian bank sites targeting banking customers

Links to the fake banking sites usually arrive via SMS. Users clicking on the links are prompted to install software that is actually Android-based phishing malware. Users visiting the fake sites are encouraged to fill out an application to redeem points on their card for cash or a voucher.  Information stolen by the malware or entered by the user on a fake site is sent to the attacker’s C2 server.

Read details on the latest Indian banking phishing campaign

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Data Loss Prevention.

Breaking down the latest BlackBasta ransomware 

Zscaler ThreatLabz identified new samples of BlackBasta ransomware on November 16th, 2022. These samples have significantly lower antivirus detection rates than previous versions. The BlackBasta ransomware group first received widespread public attention in April 2022, after launching a rapid series of double-extortion attacks. The original BlackBasta ransomware was developed in February 2022. 

Figure 6: BlackBasta 2.0 ransom note (November 2022)

Early BlackBasta ransomware shared many similarities with defunct samples used by Conti, although there was no code duplication. The updated BlackBasta ransomware includes new file encryption algorithms, stack-based string obfuscation, and per-victim file extensions. Many of these modifications appear to be aimed at better evading EDR and AV detection. The current ransomware codebase is significantly different from the original, leading us to label the November 2022 variant “BlackBasta 2.0.”  

See the changes in BlackBasta 2.0

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Advanced Cloud Sandbox.

Nokoyawa Ransomware: Rust or Bust

Nokoyawa ransomware first came to public attention in February 2022. The original version of the malware was written in C and used Elliptic Curve Cryptography (ECC) with SECT233R1 and Salsa20 for file encryption. It notably shared code with the Karma ransomware family, and is ultimately a descendant of Nemty ransomware. In September 2022 a new variant, Nokoyawa 2.0 appeared. This version was written in Rust and uses ECC with the Curve25519 and Salsa20 for file encryption.

Figure 7: Post-encryption ransom note dropped by Nokoyama 2.0

Nokoyama 2.0 gives attackers run-time flexibility by offering a configuration parameter that is passed via the command line. It is likely the threat actors behind Nokoyama 2.0 used Rust to improve file encryption speeds and evade EDRs that do not recognize the language. Victims of Nokoyama 2.0 attacks may be subjected to double extortion as the group also hosts a data leak site. Zscaler can detect indicators related to this ransomware and will flag it in the Cloud Sandbox.

Read the full technical analysis of Nokoyama 2.0

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Data Loss Prevention, Advanced Cloud Sandbox

Revealing DanaBot obfuscation techniques

The DanaBot malware-as-a-service platform has been active since 2018. It is widely used for wire fraud, stealing cryptocurrency, or performing espionage. Threat actors have previously used DanaBot to steal usernames, passwords, session cookies, account numbers, and other personally identifiable information (PII). Recently, threat researchers have seen a newer version (2646) of DanaBot circulating in the wild.

Figure 8: DanaTools, the DanaBot website 

The Danabot malware is heavily obfuscated and has earned a reputation for being difficult to analyze. Threatlabz has developed specialized tools to reverse engineer this threat and developed IDA python scripts to aid binary analysis. These tools make analyzing DanaBot considerably easier, and assisted with our technical analysis of new DanaBot obfuscation techniques. 

Discover effective ways to analyze DanaBot

Zscaler Zero Trust Exchange Coverage: Advanced Threat Protection, SSL Inspection, Data Loss Prevention, Advanced Cloud Sandbox.

Notable vulnerabilities organizations should prioritize for patching:

  1. FreeBSD Ping Stack-Based Overflow CVE-2022-23093

A stack overflow vulnerability in the ping utility affecting all supported versions of the FreeBSD operating systems was disclosed on December 1st, 2022. This flaw affects the pr_pack() function and can be used to cause a stack overflow, leading to a crash or possibly remote code execution. ThreatLabz published a security advisory providing further details here.

About ThreatLabz

ThreatLabz is the embedded research team at Zscaler. This global team includes security experts, researchers, and network engineers responsible for analyzing and eliminating threats across the Zscaler security cloud and investigating the global threat landscape. The team shares its research and cloud data with the industry at large to help promote a safer internet.


The Zscaler Zero Trust Exchange

Zscaler manages the world’s largest security cloud. Each day, Zscaler blocks over 150 million threats to its 6000+ customers, securing over 240 billion web transactions daily. The Zscaler ThreatLabz security research team uses state-of-the-art AI and machine-learning technology to analyze Zscaler Zero Trust Exchange traffic and share its findings.


What to read next: 

State of Encrypted Attacks 2022 Report

Surge of Fake FIFA World Cup Streaming Sites Targets Virtual Fans

2022 ThreatLabz State of Data Loss Report