Security experts spent years warning enterprises to expect cyberattacks and to plan their defenses accordingly. Now Sophos researchers are saying organizations shouldn’t be surprised if they get attacked multiple times.
In a 23-page report [PDF] released this week, the researchers unwind the multiple factors that are fueling a rise in the number of entities hit by more than one attack. For instance, in one case, a company was the victim of three ransomware attacks over two weeks.
“In recent months, we’ve noticed an uptick in the number of cases where organizations have been attacked multiple times,” wrote Matt Wixey, principal technical editor and senior threat researcher at Sophos. “Some attacks take place simultaneously; others are separated by a few days, weeks, or months. Some involve different kinds of malware, or double – even triple – infections of the same type.”
Some of this falls at the feet of the organizations themselves, which too often fail to address vulnerabilities and misconfigurations after the first attack, opening the door to ensuing attacks, according to the report.
Other factors are features of a rapidly evolving cybercrime environment, with different threat groups exploiting high-profile vulnerabilities like ProxyShell and Log4Shell, interdependence among groups, the rise of ransomware-as-a-service, and growing “coopetition” among the cybercrime gangs.
“Whatever the root cause, multiple attacks can be devastating for victims,” Wixey wrote. “Not only do they complicate remediation and business continuity plans, but the financial, reputational, and psychological impacts can be overwhelming. Just when you think that the worst has finally happened – and you now know for certain that it’s ‘when,’ and not ‘if’ – you’re hit with another attack.”
In cases that Sophos’s Managed Detection and Response and Rapid Response teams have investigated recently, there is usually a gap of about six weeks between attacks when an enterprise is hit multiple times.
In most instances, the root causes of multiple attacks are the failure to address significant software or hardware vulnerabilities and, after an attack, not dealing with the misconfigurations left in place by earlier attacks.
“But there’s a little more complexity to it than that,” he explains. “There’s often a specific sequence of exploitation – cryptominers (a proverbial canary in the coal mine) arrive first, followed by wormable botnet builders (such as Mirai), then malware delivery systems (webshells and/or [remote access trojans]), who may feed data to initial access brokers (IABs), and finally, ransomware.”
IABs do what their name suggests, gaining initial access into compromised systems. They then sell that access to other threat groups that use it to launch their own attacks.
John Gunn, CEO of authentication technology vendor Token, told The Register: “Victims of simultaneous attacks will be less likely to pay and may not be able to pay multiple attackers a full ransom. As such, you can expect IABs to charge a premium for first rights or exclusive rights for a target organization.”
Some of these attacks are interdependent: IABs, for instance, enable ransomware attacks. Others co-exist, such as cryptominers and ransomware, which have disparate objectives and don’t interfere with each other. At the same time, organizations can be hit with multiple ransomware attacks because such threat groups often don’t care whether others are attacking the same enterprise. In one case, Sophos saw the same attacker use first Conti ransomware and then Hive within days of each other against the same victim.
In another incident, on May 1, after initial access was gained via the Remote Desktop Protocol (RDP) and Mimikatz was used to steal credentials, a company was hit by a LockBit ransomware attack. Less than two hours later, a Hive ransomware affiliate attacked the same company, and two weeks later the organization was attacked a third time, by a BlackCat ransomware group.
All three gangs used the same misconfigured RDP server to gain access. Sophos later found some files that had been encrypted by all three attackers, Wixey says.
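The pattern in that incident, one exposed RDP service reached from several unrelated external addresses over a couple of weeks, is something a defender can look for directly in Windows Security logs. The following is an added example written for this page, not code from Sophos or The Register: it walks constructed event lines (a simplified key=value export; the field names, the sample addresses and the "internal" address ranges are assumptions) and reports hosts whose RDP service has taken successful logons (Event ID 4624, LogonType 10, RemoteInteractive) from more than one external source, together with the span between the first and last such logon.

```python
"""Count distinct internet-sourced RDP logons per host from Windows Security events.

Added example; not from the Sophos report or The Register. The log lines are
constructed, and the key=value export format plus the 'internal' address ranges
are assumptions. Event ID 4624 with LogonType 10 (RemoteInteractive) is how a
successful RDP logon appears in the Windows Security log.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: the organisation's own address space; anything else is 'external'.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed sample: one file server taking RDP logons from three unrelated
# external addresses two weeks apart, plus benign internal activity.
SAMPLE_LOG = """\
2022-05-01T02:14:07Z host=FS01 EventID=4624 LogonType=10 User=administrator SrcIP=203.0.113.40
2022-05-01T02:15:11Z host=FS01 EventID=4624 LogonType=10 User=jsmith SrcIP=10.0.4.22
2022-05-01T03:59:30Z host=FS01 EventID=4624 LogonType=10 User=administrator SrcIP=198.51.100.77
2022-05-01T04:02:01Z host=FS01 EventID=4624 LogonType=3 User=svc_backup SrcIP=10.0.4.9
2022-05-15T22:40:12Z host=FS01 EventID=4624 LogonType=10 User=administrator SrcIP=192.0.2.18
2022-05-15T22:41:00Z host=DC01 EventID=4624 LogonType=10 User=administrator SrcIP=10.0.4.22
"""


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def is_external(ip):
    """True when the address lies outside every assumed internal range."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_rdp_sources(log_text):
    """Per host: distinct external RDP source IPs, users seen, first and last logon time."""
    summary = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        # Only successful RemoteInteractive (RDP) logons are of interest here.
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "10":
            continue
        if not is_external(ev["SrcIP"]):
            continue
        h = summary.setdefault(
            ev["host"],
            {"sources": set(), "users": set(), "first": ev["ts"], "last": ev["ts"]},
        )
        h["sources"].add(ev["SrcIP"])
        h["users"].add(ev["User"])
        h["first"] = min(h["first"], ev["ts"])
        h["last"] = max(h["last"], ev["ts"])
    return summary


def flag_hosts(log_text, min_sources=2):
    """Hosts whose RDP service was reached from at least min_sources distinct external IPs."""
    return sorted(
        host
        for host, h in external_rdp_sources(log_text).items()
        if len(h["sources"]) >= min_sources
    )


if __name__ == "__main__":
    for host, h in external_rdp_sources(SAMPLE_LOG).items():
        span = h["last"] - h["first"]
        print(f"{host}: {len(h['sources'])} external RDP sources over {span.days} days: "
              f"{sorted(h['sources'])} users={sorted(h['users'])}")
    print("flagged:", flag_hosts(SAMPLE_LOG))
```

On the constructed sample only FS01 is flagged: three external addresses, all logging on as the same built-in account, with the first and last logon two weeks apart. A single internet-sourced RDP logon is already worth a look; several distinct external sources against one host is the signature of an access listing being resold, and the first-seen timestamp tells you how long the door has been open.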
The mixture of so many threat groups is a driver of the rise of multiple attacks on organizations, according to Peter Mackenzie, Sophos director of incident response.
“It’s likely due to an increasingly crowded market for threat actors, as well as ransomware-as-a-service (RaaS) becoming more professionalized and lowering the bar to entry,” Mackenzie said in a statement.
Coopetition is something enterprises want to keep in mind. Some operators, such as cryptominers, include code in their malware that removes competing malware from systems they infect. Others, like ransomware groups, aren’t worried about competition and at times intentionally or incidentally help other attackers by leaving open backdoors or misconfigurations for others to use.
While shutting down the initial attack, enterprises need to ensure that no malicious code is left behind, according to Wixey.
“As odd as it may sound, we could easily see scenarios where the ‘first-in’ attacker assumes the role of defending the victim network from follow-on attacks in order to protect their ability to realize the full ransom payout potential,” Gunn adds.
Disclosure of a major vulnerability also creates a land rush of sorts among threat groups looking to exploit it. The ProxyLogon and ProxyShell flaws disclosed last year saw cryptominers, RATs, botnets, “clipper” malware – which swaps crypto wallet addresses on a victim’s clipboard – and eventually ransomware all taking advantage.
The same pattern played out after the Log4Shell flaw was disclosed in December 2021 and the Atlassian vulnerability was detected last month, according to Sophos.
It highlights the need for enterprises to update everything and prioritize the most dangerous bugs first, Wixey wrote. That means focusing on critical bugs impacting an organization’s specific software stack and high-profile vulnerabilities that may affect its technology.
Organizations also need to ensure misconfigurations are fixed, particularly after an attack.
“Cryptominer operators, IABs, and ransomware affiliates always look for exposed RDP and VPN ports, and they’re among the most popular listings on most criminal marketplaces,” he wrote. “If you do need remote access and/or management over the internet, put it behind a VPN or a zero-trust network access solution that uses [multi-factor authentication] as part of its login procedure.”
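The misconfiguration behind the three-ransomware incident above, and the recommendation just quoted, come down to one question about the perimeter: which management ports can be reached from addresses the organisation does not control? The following is an added example for this page, not code from Sophos or The Register. It audits a constructed allow-list (the rule format, the set of management ports, the trusted networks and the VPN client pool are all assumptions) and shows the weak rule set beside a corrected one in which RDP is reachable only from the address pool that the MFA-backed VPN hands out to clients.

```python
"""Audit firewall allow rules for management ports reachable from untrusted networks.

Added example, not from the Sophos report or The Register. The rule set, the
trusted networks and the 'VPN client pool' are constructed for illustration.
"""
from ipaddress import ip_network

# Assumption: services that should only ever be reachable via VPN/ZTNA, never
# directly from the internet. Extend with whatever else the estate exposes.
MGMT_PORTS = {3389: "RDP", 5985: "WinRM", 5986: "WinRM over TLS"}

# Assumption: the corporate LAN plus the address pool the MFA-backed VPN hands
# out to connected clients. Anything outside these is untrusted for management.
TRUSTED_SOURCES = [ip_network("10.0.0.0/8"), ip_network("172.16.200.0/24")]

# Constructed rule set in the shape a simple allow-list export might take.
WEAK_RULES = [
    {"name": "allow-https-any", "proto": "tcp", "port": 443, "src": "0.0.0.0/0"},
    {"name": "allow-rdp-any", "proto": "tcp", "port": 3389, "src": "0.0.0.0/0"},
    {"name": "allow-winrm-partner", "proto": "tcp", "port": 5985, "src": "198.51.100.0/24"},
    {"name": "allow-all-from-office", "proto": "any", "port": "any", "src": "203.0.113.0/24"},
]

# Same business intent, corrected: RDP only from the VPN client pool, WinRM only
# from the LAN, and no blanket 'any port' allow from an address block the
# organisation does not control.
FIXED_RULES = [
    {"name": "allow-https-any", "proto": "tcp", "port": 443, "src": "0.0.0.0/0"},
    {"name": "allow-rdp-vpn", "proto": "tcp", "port": 3389, "src": "172.16.200.0/24"},
    {"name": "allow-winrm-lan", "proto": "tcp", "port": 5985, "src": "10.0.0.0/8"},
]


def source_is_trusted(src):
    """A source range is trusted only if it lies entirely inside one trusted network.

    0.0.0.0/0 overlaps 10.0.0.0/8 but is not a subnet of it, so it is untrusted.
    """
    net = ip_network(src, strict=False)
    return any(net.subnet_of(t) for t in TRUSTED_SOURCES)


def exposed_services(rule):
    """Management services this rule lets through, regardless of source."""
    if rule["port"] == "any":
        # A blanket allow exposes every management port at once.
        return list(MGMT_PORTS.values())
    if rule["proto"] in ("tcp", "any") and rule["port"] in MGMT_PORTS:
        return [MGMT_PORTS[rule["port"]]]
    return []


def audit(rules):
    """Return one finding per rule that exposes a management service to an untrusted source."""
    findings = []
    for rule in rules:
        services = exposed_services(rule)
        if services and not source_is_trusted(rule["src"]):
            findings.append({"rule": rule["name"], "services": services, "src": rule["src"]})
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        print(f"{label}: {len(audit(rules))} finding(s)")
        for f in audit(rules):
            print(f"  {f['rule']}: {', '.join(f['services'])} reachable from {f['src']}")
```

The check deliberately tests subnet containment rather than string-matching `0.0.0.0/0`: a rule that opens 3389 to a partner's /24 or a "temporary" cloud range is just as much an exposed-RDP listing as one open to the whole internet. Note also that HTTPS from anywhere is not flagged; the point is not that nothing may be exposed, but that interactive management protocols should sit behind the VPN or ZTNA gateway that enforces MFA.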
Scammers have scammed their fellow cybercriminals out of more than $2.5 million on three dark web forums alone over the last 12 months, according to Sophos researchers.
In a Black Hat Europe session, Sophos threat hunters detailed their investigation, which examined scams on two well-established Russian-language marketplaces, Exploit and XSS. They also looked at BreachForums, which launched in April 2022 after a Europol-led operation shut down the earlier version of the stolen-data souk, RaidForums.
And it turns out that scammers gonna scam, even in the criminal underground.
“We saw referral cons, fake data leaks and tools, typosquatting, phishing, ‘alt rep’ scams (the use of sockpuppets to artificially inflate reputation scores), fake guarantors, blackmail, impersonated accounts, and backdoored malware,” writes Sophos senior security researcher Matt Wixey, in the research posted today. “We even found instances where threat actors got revenge by scamming the scammers who scammed them.”
Scams on these three cybercrime forums are so prevalent that all of them have dedicated “arbitration rooms.”
Exploit, which has about 2,500 reported scams, has two: one for open claims and another, the Black List, for confirmed scams. Exploit has been around since the mid-2000s, as has the closed Russian attacker forum XSS, which reported around 760 scams on its site, according to Sophos. XSS also keeps a “ripper list” that indexes scam sites.
“Exploit is the worst for scams, both in terms of numbers of reports and money lost to scammers,” Wixey writes. “It does have around twice as many members as XSS, and may also attract more scammers because of its reputation.”
Exploit’s open-claims room lists 211 claims totaling $1,021,998, while its Black List cites 236 confirmed scams that cost other crooks $863,324.
In one case, an Exploit user opened an arbitration claim in an attempt to negotiate with ransomware gang Conti about decrypting a company’s assets. Exploit admins, however, closed that claim because ransomware is banned on the marketplace, so apparently there are some standards.
Meanwhile, XSS, for comparison, reported 120 open claims valued at $509,901. BreachForums’ arbitration room, which has only been around since that market opened in April, lists 21 claims worth $143,722.
While higher-end scams on all three forums reach six figures – the most lucrative, on Exploit and XSS, were $160,000 apiece – some victims on these sites have filed claims for as little as $2, according to Wixey. “Threat actors seem to be as indignant about having their money stolen as anyone else, no matter the amount,” he notes.
Perhaps unsurprisingly, the claims processes sometimes descend into name calling, insults and general chaos, with the accused in turn accusing the accuser of scamming. In some cases the alleged victims end up getting banned from the sites for being dishonest.
While banning is the most common punishment for ripping off fellow criminals on these forums, BreachForums also publishes banned users’ email addresses and their registration and last-seen IP addresses, thus leaving them open to doxxing, the research says.
However, Sophos also cites a few cases “involving serial scammers” who were banned, and simply created new profiles, paid another registration fee, and carried on with their criminal ways.
As Wixey notes: “If there’s a takeaway from all this, it’s that no user is immune; any trade on criminal forums involves an inherent risk of scams.”
Prof Sally Ann Lynch talks about the complexity of DNA tests and the work that led to her winning the HRCI Research Impact Award.
Last Thursday (1 December), consultant geneticist Prof Sally Ann Lynch won the inaugural Health Research Charities Ireland (HRCI) Research Impact Award for her contribution to the field of research.
The award highlights the role of health research charities in funding research as well as principal investigators who have participated in the joint funding scheme from HRCI and the Health Research Board.
Lynch’s work, which was supported by the National Children’s Research Centre and the Children’s Health Foundation, Temple Street, was recognised for its real-world impact and for making a positive difference to patients’ lives.
Specifically, Lynch and her team undertook two projects under the scheme, which between them identified 11 genes responsible for significant health problems.
One of these genes, the LARS gene, and its association with a failure to thrive in babies was a brand-new discovery.
With the remaining 10 genes, Lynch discovered new clinical symptoms that were not previously associated with diseases for these genes, from lung disease to neurological conditions.
Lynch told SiliconRepublic.com more about her research, which started 10 years ago.
“We were using new technology to try and make diagnoses in families where routine testing was negative. It was done in collaboration with a team in UCD [University College Dublin],” she said.
“We successfully identified new diagnoses in a number of families using this. Now, this technology forms part of routine diagnostic testing in the investigation of children and adults with various different clinical problems.”
‘I do feel it is important to try and find diagnoses where one hasn’t been found’ – SALLY ANN LYNCH
Lynch said the LARS gene had not been previously recognised as a gene that caused human disease.
“This gene, if it is not working properly, causes children to fail to thrive. Many had evidence of anaemia and liver problems and when these children got a dose of flu or other viral illnesses, they could get very ill and go into liver failure,” she said.
“A colleague working in the metabolic unit in Temple Street had identified a small number of families who had affected children so we collaborated together and received consent from the families to use this new technology to see if we could identify the cause of the liver failure. We found genetic alterations in this gene, LARS.”
The discovery can help many children around the world be diagnosed as well and, while a new treatment has not been developed yet, a greater understanding of the condition can help with day-to-day management.
The challenges around genetic testing
While discoveries such as these can be amazing for diagnostics, medicine and innovations in health, the work is not without its challenges.
Because there is so much variation in DNA, trying to work out if these variations are causing a disease or if they are completely benign can be extremely difficult.
“It is important that due care and attention is paid to genetic test reports as they are not always black and white. The biggest challenge we face is interpreting DNA changes and trying to work out if we have reached a diagnosis or if it still remains elusive,” said Lynch.
She added that DNA tests are often misconstrued as easy to organise and as able to give a yes or no answer, when the reality is far more complex.
“DNA tests might give you a diagnosis, they might not give you a diagnosis. Sometimes a gene change is found and no one is sure whether a diagnosis has been reached or not because there is not enough evidence to be completely sure. DNA tests need consent. DNA tests need thought.”
Upon winning the Research Impact Award, Lynch spoke about her passion for solving rare diseases and said that an estimated 300,000 people in Ireland are living with a rare disease.
“Rare diseases undoubtedly get less bite of the funding cherry than other conditions, even though they are more in number and are just as, if not more, challenging. This needs to change.”
She added that identifying new genes is the first step in a long road that will hopefully one day lead to a new treatment.
On a rural industrial estate five miles outside Honiton, under the flight path of a nearby aerodrome, sits a rather nondescript warehouse. Only one feature marks it out: in front is a graveyard of stripped arcade cabinets, slowly rotting in the cold and damp.
I am here to visit Play Leisure, a company that restores and sells old arcade games. It has a compelling TikTok account where it shares new discoveries – a recent post showed off a Deadstorm Pirates machine with its enormous sit-in cabinet and giant cinematic display. I’ve dragged my friend and fellow arcade fanatic Joao Sanches along, and now I’m feeling nervous and responsible because, walking up to the unmarked entrance, I’ve no idea if they will have anything interesting in stock after our 90-minute drive.
But peering inside, I spot it immediately, sat there in the cramped reception area amid piles of cardboard boxes: a pristine 1992 Street Fighter II machine, the backboard sporting a wild illustration of Ryu kicking Ken, each special feature on the playfield named after famous Street Fighter attacks. I almost gasp.
Matt Conridge, the owner of Play Leisure, has always been interested in arcade machines. “Like a lot of us in our 30s and 40s, it comes from back when I was a kid,” he explains as he comes to greet us. “I used to visit arcades at seaside resorts – places like Dawlish and Lynmouth.”
Three years ago, Conridge was running a video game bar in Bideford, north Devon, when Covid hit. Facing disaster, he decided to close up and use his contacts in the arcade scene to pivot into a new project: restoration. He rented a warehouse, employed a small team of specialist engineers and started buying up all the old coin-ops he could get his hands on. The plan was to repair them and sell them on to private collectors and retro theme bars, after the pandemic.
“Back then, we were only buying small quantities so it usually came from collectors. Now we take them on an industrial scale,” says Conridge. “At the moment, with what’s happening in the economy, arcades are cutting costs, getting rid of some of the lower performing machines that cost them more to run than they make in revenue. We get clearances from arcades, play centres, trampoline parks … ”
A further complication is that older coin-ops require specialist engineers to maintain them. “A lot of the people who used to build and service these machines have retired,” says Conridge. “That knowledge is dying.”
Matt takes us through to the main warehouse space, where we’re momentarily stunned again. Crammed into a space about the size of a tennis court are 200-odd arcade machines from throughout gaming history. The first thing I spot is the twin cabinet version of Sega’s brilliant 1995 racing game Manx TT Super Bike, which allowed players to sit on reproduction motorcycles and compete against each other along narrow country lanes. Nearby there’s Konami’s thrilling Silent Scope 2: Fatal Judgement, complete with its authentic sniper rifle controller, and further back in this electronic labyrinth is a twin cab of Final Furlong, the crazy Namco horse racing game that you control by sitting on a plastic horse and jumping up and down.
I’m taken back to the first time I visited Japan in 2000 to attend the Tokyo Game Show. I walked into an arcade in Akihabara and saw salarymen on their lunch hour, dozens of them in rows playing this game, grimacing with effort in the darkness.
The machines arrive in huge shipping containers and Conridge is never quite sure what games he’ll find or what condition they will be in. “The problem is, arcade operators don’t generate any more money by keeping machine internals clean,” he says. “If you open it up and start cleaning the inside you may end up causing issues. We’ve opened them and found coins, tools … We found a porno mag in the back of a machine once. We’ve just got one from Blackpool, a crane machine that dispensed sweets – it’s been left for a few years and the sweets have fallen inside and rotted, then the flies got in there … ugh.”
Will they clean that? “No,” laughs Conridge. “We’ll sell it off and let someone else deal with it.”
Conridge is, however, conscientious about whom he sells brittle older machines to. “There are some retro machines that we advise people not to buy unless they’re technically minded,” he says. “There’s a pinball machine, a 1966 electromechanical model we’re just about to put on sale, and we’ll refuse to sell that to nine out of 10 people who contact us because we know it won’t be suitable for them. These machines are like classic cars: they are specialist pieces of equipment and need constant care. If I sell it to someone who just wants a working machine, they’ll be fed up after five minutes – we’ve got to choose the right customer for it. Someone who is able to tinker.”
It’s not just ancient pinball machines that are problematic. The big video arcade games of the 1990s – the technical peak of the industry – often used proprietary hardware that is simply impossible to replace or reproduce. “The Sega Model arcade boards used custom Lockheed Martin chips, which you just can’t source,” explains Chris, the lead engineer. “We have to decide whether to harvest parts from less interesting games and use them to resupply classics like Sega Rally.” Around the outskirts of the warehouse space, there are shelves groaning under the weight of esoteric parts, haphazardly piled or collected in boxes.
Adding to the value of these machines now is the fact that arcades historically dumped old units when they stopped being profitable. “Ten to 15 years ago companies just didn’t foresee that there would be any interest from collectors,” says Conridge. “We just sold an Addams Family pinball machine for £10,000 – that would have been chucked in a skip 15 years ago. People didn’t expect anyone would want them.”
This was especially true of larger speciality machines, such as rhythm action games, with their bulky floor pads and complicated controllers, and driving games with their realistic race car cabinets. Not only did they take up valuable floor space, they were expensive to maintain. Their growing rarity represents an interesting challenge for Play Leisure, because games like Dance Mania and Guitar Hero are exactly the sorts of machines that the new era of retro gaming bars – such as the NQ64 chain, which has just taken on £2m of funding – are looking for: not only are they fun to play in a bar environment, they’re fun to watch, too. “Dance Mania is now a £3k machine,” Conridge says.
When cabinets arrive, their condition is assessed. For Conridge there is a delicate balance between restoration and preservation. He shows me a Point Blank machine that’s just come in: Namco’s entertaining light gun shooter, which was also popular on the PlayStation, is currently a hit with buyers. He will aim to repair these machines whatever state they arrive in – even though the guns themselves, with their delicate recoil mechanic, are often busted beyond repair (“they get really smashed by kids in the arcade”).
On this cabinet, the lavishly illustrated decals on the sides are peeling off: do they change the artwork for a modern reproduction? “If we do, it will look better but it won’t be original,” says Conridge. “It’s a challenge. We don’t tend to sell perfect-looking machines. When we went into arcades as children, the machines would have cigarette burns – that’s how you remember them. There’s a certain charm to that.”
Some arcade cabinets are not economically viable to repair, but that doesn’t mean they’re unsellable. “We sell quite a lot of project machines,” he says. “For a collector working in their garage, that’s fine. We had a Star Wars 1982 Atari machine come in about 14 months ago. We put it on TikTok and Facebook – someone rang and they were desperate for it. It was nice to save this original machine from being scrapped.”
If they can’t be repaired, they’re stripped for parts: circuit boards, cathode ray monitors, joysticks, motors. Almost none of these are manufactured any more, so they’re all saved. Even completely stripped cabinets can have value: people often use them as a shell for their own arcade machines, using a PC and LED monitor. “Our customers can be really creative,” says Conridge. “We have people turning them into cocktail cabinets, stands for DVD players and games consoles. It’s nice because they’re not ending up in a landfill site – they’re getting another life.”
Conridge reckons half his machines go to retro bars and modern arcades. The rest are bought by private collectors. There’s a highly active arcade-collecting community, based around Discord servers and forums such as UKVAC, and Covid brought in a lot of new customers who started building gaming dens in the midst of lockdown.
Besides retro pinball tables and 1990s hits, the big sellers are attached to film or TV licences. Play Leisure has sold three Star Wars Battle Pods, really big immersive machines, for £10,000 each. An Aerosmith-branded arcade game named Revolution X will sell for £1,500, an X-Files pinball table for £3,500. There’s an odd market too for old coin-pushing machines, mostly thanks to the TV quiz show Tipping Point and the growing popularity of TikTok accounts that specialise in coin-pushing live streams.
Joao and I spend the whole day here, snaking between the machines, peering into their exposed innards. We photograph everything. A long time ago we worked together on the video game magazine Edge, often reporting on arcade shows – these machines, which are now antiques, were the newest, hottest tech when we started our careers.
And before that, as a kid, I hung out in arcades in the 1980s. Donkey Kong, Defender, Space Harrier, Out Run; a pocket full of 10 pence coins, a whole day to waste. It is bittersweet to see the machines here, their CRT monitors cracked or missing, light gun holsters worn and split.
It is good that these things are being saved. To many of us, these are more than just disposable commercial products: they are works of art containing within them the experiences of thousands of players, my own included.