Blog entry by Les Bell

by Les Bell - Monday, January 30, 2023, 7:12 PM

We're back! Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories
IAPP Report Highlights Challenges for Responsible Use of AI

The latest Privacy and AI Governance Report from the International Association of Privacy Professionals (IAPP) explores the state of artificial intelligence (AI) governance through interviews with stakeholders in the tech, life sciences, telecommunications, banking, staffing and retail industries in North America, Europe and Asia. The interviews focused on where the stakeholders' organizations stood on five areas: governance, risk, processes, tools and skills.

The results show that formulating and deploying clear governance guidelines for the responsible use of AI is a challenging and complex task; the most mature organizations have rolled out responsible practices, but constitute only 20% of organizations surveyed. 10% of responding organizations have not yet formulated responsible AI guidelines, with the remainder either in the process of including responsible AI in their governance or 'about to start' doing so.

The use of AI exposes enterprises to a whole new risk landscape. Perhaps the most obvious risk is bias in AI which results in harm to individuals, with consequent fines and judgements. This is further complicated by the changing regulatory environment, which has led to a lack of legal clarity surrounding the use of AI systems.

However, in 80% of organizations, guidelines for ethical use of AI consist only of high-level policy statements and strategic objectives, with no clear plan for how these can be achieved. While some tools do exist for addressing privacy and ethical risks of AI, the selection of these is difficult, as the field is rapidly evolving and lacks robust concepts and definitions.

Koerner, Katharina, and Jake Frazier, Privacy and AI Governance Report, International Association of Privacy Professionals, January 2023. Available online at https://iapp.org/media/pdf/resource_center/privacy_ai_governance_report.pdf.

DOJ Disrupts Hive Ransomware Variant

The US Department of Justice has revealed that, since July 2022, the FBI has penetrated the networks of the Hive ransomware group, captured its decryption keys and offered them to over 1,300 victims worldwide, so that they were spared paying up to $US130 million in ransoms. It also announced that, in coordination with German law enforcement (the German Federal Criminal Police and Reutlingen Police Headquarters-CID Esslingen) and the Netherlands National High Tech Crime Unit, it has seized control of the servers and websites that Hive uses to communicate with its members, disrupting Hive's ability to attack and extort victims.

Like many other ransomware developers, the Hive group offered ransomware-as-a-service (RaaS). The core group maintained the ransomware itself as well as the web infrastructure for C2 and payment processing, while recruiting affiliates who would perform initial compromise and deployment in exchange for 80% of the proceeds. The Hive developers also operated the Hive Leak Site, which would publish data exfiltrated from victims who refused to pay the extortion demand.

Uncredited, U.S. Department of Justice Disrupts Hive Ransomware Variant, press release, 26 January 2023. Available online at https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant.

Mimic Ransomware Uses Old Conti Code, Everything DLL API

Researchers from Trend Micro have discovered and analysed a new piece of ransomware which is partly based on old code from the Conti ransomware, and which abuses the APIs of a Windows local search tool called Everything. The new ransomware, christened Mimic, targets Russian- and English-speaking users.

Analysis shows that Mimic is deployed as a dropper which unpacks several files, including a 7zip executable which is used to extract the malware payload from a password-protected archive called Everything64.dll - the genuine Everything search functionality is in Everything32.dll. After extracting its files, it copies them to a randomly named directory under %LocalAppData% and renames the ransomware binary to bestplacetolive.exe.

Mimic seems to be highly capable; it can bypass UAC, disable Windows Defender, prevent system shutdown, prevent itself from being killed, disable Windows telemetry, disable sleep mode, terminate multiple applications and services, and delete shadow copies. As it runs, it calls the Everything_SetSearchW() function to select which files to encrypt and which to skip, and it adds a .QUIETPLACE extension to the files that it encrypts.

Trend Micro's report includes suggested mitigations, as well as IoCs.
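As an added illustration (not code from Trend Micro's report or from this post), the Python below shows how a defender might turn the behaviours described above into simple detection rules and run them over a handful of constructed endpoint events. Only the indicators come from the write-up (a binary named bestplacetolive.exe under %LocalAppData%, extraction of an archive named Everything64.dll, and files renamed with a .QUIETPLACE extension); the key=value event format, the user and directory names, and the rule names are assumptions made for the example.

```python
"""Toy detection pass for the Mimic behaviours described above, run over constructed events."""
import re
from typing import Dict, List, Tuple

# Indicators drawn from the Trend Micro description summarised in the post.
ENCRYPTED_EXT = ".quietplace"          # extension appended to encrypted files
DROPPED_BINARY = "bestplacetolive.exe" # renamed ransomware binary
ARCHIVE_NAME = "everything64.dll"      # password-protected archive holding the payload

# Constructed sample events in a simplified key=value form. These are NOT real
# Sysmon/EDR records; paths, user names and the random directory are invented.
SAMPLE_EVENTS = [
    "type=ProcessCreate image=C:\\Users\\alice\\AppData\\Local\\k3j9x\\bestplacetolive.exe parent=C:\\Users\\alice\\Downloads\\setup.exe",
    "type=ProcessCreate image=C:\\Users\\alice\\AppData\\Local\\k3j9x\\7za.exe cmdline=\"7za.exe x -pHIDDEN Everything64.dll\"",
    "type=FileRename target=C:\\Users\\alice\\Documents\\budget.xlsx.QUIETPLACE",
    "type=ProcessCreate image=C:\\Program Files\\Everything\\Everything.exe parent=C:\\Windows\\explorer.exe",
    "type=FileRename target=C:\\Users\\alice\\Documents\\notes.txt.bak",
]

# key=value pairs; a quoted value may contain spaces (e.g. a command line).
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Split one event line into a dict of its key=value fields."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _KV.finditer(line)}


def _basename(path: str) -> str:
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _under_local_appdata(path: str) -> bool:
    """True when the path sits below a user's AppData\\Local tree (%LocalAppData%)."""
    return "\\appdata\\local\\" in path.lower()


def evaluate(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return the (severity, rule) pairs that fire for a single event."""
    hits: List[Tuple[str, str]] = []
    etype = event.get("type", "")
    image = event.get("image", "")
    cmdline = event.get("cmdline", "").lower()
    target = event.get("target", "")

    if etype == "ProcessCreate":
        # Rule 1: the renamed binary itself; higher severity in its expected drop location.
        if _basename(image) == DROPPED_BINARY:
            severity = "high" if _under_local_appdata(image) else "medium"
            hits.append((severity, "mimic_dropped_binary"))
        # Rule 2: a 7zip tool extracting an archive that borrows the Everything DLL name.
        if ARCHIVE_NAME in cmdline and ("7z" in _basename(image) or "7z" in cmdline):
            hits.append(("medium", "everything64_archive_extraction"))
    elif etype == "FileRename":
        # Rule 3: a file acquiring the extension Mimic appends after encryption.
        if target.lower().endswith(ENCRYPTED_EXT):
            hits.append(("high", "quietplace_extension"))
    return hits


def scan_events(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run every rule over every event; returns (severity, rule, original line) triples."""
    alerts: List[Tuple[str, str, str]] = []
    for line in lines:
        for severity, rule in evaluate(parse_event(line)):
            alerts.append((severity, rule, line))
    return alerts


def encryption_in_progress(lines: List[str], threshold: int = 1) -> bool:
    """True once at least `threshold` files have been renamed with the Mimic extension."""
    renamed = 0
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") == "FileRename" and ev.get("target", "").lower().endswith(ENCRYPTED_EXT):
            renamed += 1
    return renamed >= threshold


if __name__ == "__main__":
    for severity, rule, line in scan_events(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {line}")
    print("encryption in progress:", encryption_in_progress(SAMPLE_EVENTS))
```

The legitimate Everything.exe event deliberately produces no alert: the rules key on the renamed binary, the archive name and the encrypted-file extension rather than on any use of the Everything tool, which is a normal utility on many workstations. In a real deployment the rename threshold would be tuned well above one, and the rules would be expressed in the SIEM or EDR's own query language rather than Python.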

Morales, Nathaniel, Earle Maui Earnshaw, Don Ovid Ladores, Nick Dai and Nathaniel Gregory Ragasa, New Mimic Ransomware Abuses Everything APIs for its Encryption Process, blog post, 26 January 2023. Available online at https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
