Kasseika Ransomware: BYOVD Tactic Unleashed!

Jan 25 2024


Welcome to Gone Phishing, your daily cybersecurity newsletter that’s going to war against cybercrime like the British army with Yemen #topical 😂😂😂 Sometimes I ask myself: do you really despise scammers? And I quickly respond: #Yemen 😏

Today’s hottest cybersecurity news stories:

  • 🍬 Sweet Sensation when you don’t get ransomwared, right? 💰

  • 🚨 You’ve got Gmail: Gmail takeover on Google Kubernetes! 🌍🔐

  • 💧 Emergency Alert: Ransomware strikes Veolia North America! 💻🔒

Who’s the Marky Mark? 👀🙈💀

🚨 Kasseika Ransomware: BYOVD Tactic Unleashed! 🦠

Ransomware group Kasseika has adopted the Bring Your Own Vulnerable Driver (BYOVD) attack, following groups like Akira, AvosLocker, BlackByte, and RobbinHood. 💻

🛡️ Disarming Security Measures

BYOVD allows threat actors to disable antivirus processes, aiding in ransomware deployment, as observed in Kasseika's attack on Windows hosts.

🤔 BlackMatter Connection

Kasseika shows ties to the now-defunct BlackMatter, indicating a potential handover or acquisition of BlackMatter's access by experienced threat actors.

🔗 Attack Chain

Phishing emails grant initial access, leading to RATs for privileged access. The use of Sysinternals PsExec facilitates lateral movement within the target network.

πŸ•΅οΈ Martini.sys Driver

Kasseika employs the "Martini.sys" driver to disable 991 security tools, enhancing defence evasion capabilities.

🌐 Global Targets

The ransomware encrypts data using ChaCha20 and RSA algorithms, demanding a 50 bitcoin payment within 72 hours, with victims required to share payment proof in a Telegram group.

🤫 Covering Tracks

Kasseika wipes event logs using wevtutil.exe, operating discreetly to evade security tools.

🌐 BianLian Group Shift

In a parallel development, the BianLian ransomware group is shifting from double extortion to encryption-less extortion attacks, impacting various sectors globally.

🔗 BianLian and Makop Ties

BianLian shares a custom .NET-based tool with Makop, hinting at potential connections or shared developer services.

🚦 Cybersecurity Alert

Stay vigilant with robust security measures, regular updates, and awareness against phishing attempts to mitigate ransomware risks. 🛡️👀💻

Epic Gmail, as the kids say 💀💀💀

🚨 Critical Vulnerability in Google Kubernetes Engine (GKE): Sys:All Exploit Alert! 🛑

Cybersecurity researchers at Orca have unearthed a critical loophole, codenamed Sys:All, affecting Google Kubernetes Engine (GKE), potentially giving threat actors control over Kubernetes clusters.

🌐 Scope: Approximately 250,000 active GKE clusters globally are estimated to be vulnerable to this attack vector.

👥 Vulnerability Origin

Stemming from a widespread misconception, the flaw arises from an incorrect understanding that the system:authenticated group includes only verified identities. In reality, it encompasses any Google-authenticated account, even those outside the organisation.

🌐 Attack Implications

An external threat actor with a Google account could exploit this misconfiguration, utilising their Google OAuth 2.0 bearer token to hijack the cluster. This could lead to subsequent exploitation, including lateral movement, cryptomining, denial-of-service, and sensitive data theft.

🚨 Stealthy Exploitation

The approach used in this attack does not leave a trace linked back to the Gmail or Google Workspace account that acquired the OAuth bearer token.

πŸ›‘οΈ Mitigation Measures

Following responsible disclosure, Google has taken corrective actions, blocking the binding of the system:authenticated group to the cluster-admin role in GKE versions 1.28 and later. Users are advised not to bind the system:authenticated group to any RBAC roles and to assess and remove unsafe bindings from ClusterRoleBindings and RoleBindings.
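As an added example (not code from Orca's research or Google's guidance), this Python script applies the advice above to the JSON that kubectl returns for bindings: it flags every ClusterRoleBinding or RoleBinding whose subjects include the system:authenticated group, marks cluster-admin bindings as critical, and separates the bindings Kubernetes itself creates for that group; it also covers system:unauthenticated as a broader check. The sample input is constructed, not data from a real cluster.

```python
"""Added example: audit RBAC bindings for the Sys:All pattern described above."""
import json

# Groups that hand access to everyone who can reach the API server, not just
# your organisation's users (on GKE, system:authenticated = any Google account).
OVERLY_BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

def find_broad_bindings(items):
    """One finding per (binding, broad group) pair found in kubectl's item list."""
    findings = []
    for item in items:
        name = item.get("metadata", {}).get("name", "")
        role = item.get("roleRef", {}).get("name", "")
        for subj in item.get("subjects") or []:
            if subj.get("kind") != "Group" or subj.get("name") not in OVERLY_BROAD_GROUPS:
                continue
            findings.append({
                "kind": item.get("kind", ""),
                "namespace": item.get("metadata", {}).get("namespace", ""),  # "" = cluster-scoped
                "name": name,
                "role": role,
                "group": subj["name"],
                # cluster-admin for every authenticated account is the Sys:All case.
                "critical": role == "cluster-admin",
                # Kubernetes creates system:basic-user, system:discovery and
                # system:public-info-viewer bindings for these groups by design.
                "kubernetes_default": name.startswith("system:"),
            })
    return findings

def audit(kubectl_json):
    """Takes the raw text of `kubectl get clusterrolebindings,rolebindings -A -o json`."""
    return find_broad_bindings(json.loads(kubectl_json).get("items", []))

# Constructed sample shaped like kubectl's List output; not data from a real cluster.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "oops-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:discovery"},
     "roleRef": {"kind": "ClusterRole", "name": "system:discovery"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-edit", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "User", "name": "alice@example.com"}]}]})

if __name__ == "__main__":
    for f in audit(SAMPLE):
        tag = "CRITICAL" if f["critical"] else ("default" if f["kubernetes_default"] else "review")
        print(f"[{tag}] {f['kind']} {f['namespace'] or '-'}/{f['name']}: {f['group']} -> {f['role']}")
```

Pipe real kubectl output into `audit()` and treat any CRITICAL finding as the misconfiguration the advisory describes; "default" findings are the built-in discovery bindings and need no action.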

πŸ” Secure Your Clusters

While no large-scale attacks have been recorded, the potential threat emphasises the need for users to secure their cluster access controls promptly.

🚦 Stay Vigilant

Regularly update GKE clusters, adhere to security best practices, and remain vigilant against potential exploitation of misconfigurations. 🌍🔒🚨

🎣 Catch of the Day!! 🌊🐟🦞

πŸƒΒ The Motley Fool: β€œFool me once, shame on β€” shame on you. Fool me β€” you can't get fooled again.” Good ol’ George Dubya πŸ˜‚ Let us tell who’s not fooling around though; that’s the CrΓΌe πŸ‘€ at Motley Fool. You’d be a fool (alright, enough already! πŸ™ˆ) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! πŸ› Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets πŸ€‘Β (LINK)


🚡 Wander: Find your happy place. Cue Happy Gilmore flashback πŸŒοΈβ›³πŸŒˆπŸ•ŠοΈ Mmmm Happy Place… πŸ˜‡ So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels sets Wander apart from your run of the mill American getaway 🏞️😍 (LINK)


🌊 Digital Ocean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts βšΎπŸ‘»πŸΏ (Great movie, to be fair πŸ™ˆ). This is the Digital Ocean who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty πŸ˜‘). But if you can and you’re looking for somewhere to test things out or launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho πŸ˜‰ And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! 🌿 (LINK)

Hackers: Water you waiting for? Pay up! 💰💰💰

🚨 Ransomware Alert: Veolia North America Hit! 🌍🛑

Veolia North America, a subsidiary of the global conglomerate Veolia, has reported a ransomware attack impacting systems within its Municipal Water division. The breach prompted defensive measures, including temporarily taking affected systems offline.

βš”οΈ Response Measures

Veolia is actively collaborating with law enforcement and third-party forensics experts to assess the full impact of the attack. Defensive actions, including taking back-end systems offline, have been implemented to contain the breach.

💼 Operational Impact

Although some online bill payment systems experienced delays due to the defensive measures, Veolia assures customers that payments made during the event have been applied, and accounts reflect updated information. No penalties or interest charges will be incurred due to the service interruption.

💧 Water Services Unaffected

Importantly, the incident appears confined to Veolia North America's internal back-end systems, with no evidence suggesting an impact on water or wastewater treatment operations.

πŸ” Data Impact

A limited number of individuals may have been affected, and Veolia is diligently working with a third-party forensics firm to assess the breach's extent on operations and systems.

πŸ›‘οΈ Security Measures

Veolia encourages vigilance but affirms the incident hasn't disrupted its critical water infrastructure operations. The company continues to prioritise security to safeguard its extensive water and wastewater services.

🌐 Industry-Wide Threats: Recent ransomware attacks on water facilities globally, including Southern Water in the UK, highlight the escalating threats to critical infrastructure. Authorities like CISA and the FBI are actively issuing guidance to enhance the cybersecurity posture of water utilities.

🚦 Stay Secure

Organisations in critical sectors are urged to bolster cybersecurity defences, regularly update systems, and leverage incident response guides to mitigate the impact of potential ransomware attacks. Vigilance is key! 🔒🌊🚨

🗞️ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • The GeekAI: A daily 3 min newsletter on what matters in AI; with all the new AI things coming to market, it's good to stay ahead of the curve.

  • Wealthy Primate: Want to earn over $100k a year in IT or cybersecurity? 20 year veteran 'Wealthy Primate' might be able to help you climb that tree 🐒🌴 with his stick and banana approach 🍌😏

  • Techspresso: Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, TechCrunch etc.)

Let us know what you think!

So long and thanks for reading all the phish!
