Dubbed ChaChi by BlackBerry researchers, the RAT recently shifted its focus from government agencies to schools in the United States.
Remote Access Trojan targets schools and universities with ransomware attacks. Named ChaChi by the BlackBerry Threat Research and Intelligence SPEAR team, the RAT is used by operators of PYSA ransomware, according to a report released by BlackBerry on Wednesday. Specifically, ChaChi has been discovered in data breaches of K-12 schools and higher education institutions in the United States as well as the United Kingdom.
ChaChi is designed to exfiltrate data, steal credentials, and deploy malware to compromise its victims. The RAT takes root in an organization through a series of stages.
PowerShell scripts are used to uninstall or disable antivirus and other security services. Account credentials are captured by dumping the memory of the Windows Local Security Authority Subsystem Service (LSASS). Port scanning is used to find vulnerable or open ports. ChaChi is then installed as a service.
Attackers move laterally across the network using tools such as Remote Desktop Protocol (RDP) and PsExec. The data is probably exfiltrated through a tunnel created by ChaChi, and the RAT communicates with the attackers' command-and-control (C2) server.
Originally spotted in the first half of 2020 without much attention, the first ChaChi variant was used to attack the networks of French government agencies and was listed as an indicator of compromise by CERT France, BlackBerry said. PYSA and ChaChi then shifted their targets to healthcare organizations and private businesses before focusing on educational institutions from early 2021.
ChaChi is written in Go, also known as Golang, a relatively new programming language. Because Go is still relatively new, analysis of its compiled code can be difficult, creating challenges for security researchers.
Cybercriminals often target schools because they know they are easy targets. Schools may not have the budgets for strong security protection. They cannot necessarily enforce the strict security controls adopted by large companies. And they have to deal with students and others connecting to their networks from external devices that may not be secure.
“Cyber security attacks have increased in volume and ferocity since the COVID-19 pandemic began a year ago,” Eric Milam, vice president of research and intelligence at BlackBerry, told TechRepublic. “This includes ChaChi and PYSA changing focus to take advantage of the COVID pandemic to attack educational institutions. Many universities are forced to act as ISPs for their student body, which adds a layer of complexity as they are limited on boundaries and oversight options that can be put in place with respect to other organizations.”
To protect schools and universities from cyber attacks, Milam offers several tips.
- User training. Conduct user awareness training on phishing attacks and suspicious links and attachments in emails to combat the threat on a human level.
- Update your systems. Technologically, be sure to patch your operating systems and applications, and implement endpoint protection technology.
- Monitor and audit. For more sensitive areas of a university environment, configure auditing, logging, and monitoring of endpoint and network activity. Also monitor the use of critical account credentials.
- Check for weaknesses. Performing detailed vulnerability assessments and penetration testing can help locate critical vulnerabilities that need to be mitigated.
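The monitoring tip above maps directly onto the attack stages described earlier (PowerShell tampering with security services, LSASS memory dumping, a malicious service install, PsExec lateral movement). The following is an added example, not code from BlackBerry or the report, that flags those stages in constructed Sysmon/Windows-style events; the event field names and sample values are assumptions for illustration.

```python
import re

# Constructed sample events (field names modelled on Sysmon/Windows log exports).
# id 1 = Sysmon process create, id 10 = Sysmon process access, id 7045 = service installed.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 10, "source": r"C:\Users\Public\update.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1010"},
    {"id": 7045, "service": "PSEXESVC", "path": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 7045, "service": "WinUpdSvc", "path": r"C:\Users\Public\update.exe"},
    {"id": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

# Stage 1: PowerShell used to disable or remove security tooling.
AV_TAMPER = re.compile(
    r"Set-MpPreference\s+-Disable\w+|Stop-Service\b|Uninstall-WindowsFeature\b", re.I)
# Stage 4: services whose binary lives in a user-writable location (constructed list).
USER_WRITABLE = re.compile(
    r"^(C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp\\)", re.I)


def classify(ev):
    """Return the attack stage an event matches, or None if it looks benign."""
    if ev["id"] == 1 and "powershell" in ev["image"].lower() and AV_TAMPER.search(ev["cmdline"]):
        return "defense-evasion: PowerShell tampering with security services"
    # A production rule would allow-list known-good sources (e.g. the AV engine itself).
    if ev["id"] == 10 and ev["target"].lower().endswith(r"\lsass.exe"):
        return "credential-access: process opened a handle to LSASS"
    if ev["id"] == 7045:
        if ev["service"].upper() == "PSEXESVC":
            return "lateral-movement: PsExec service installed"
        if USER_WRITABLE.match(ev["path"]):
            return "persistence: service installed from user-writable path"
    return None


def triage(events):
    """Return (stage, event) pairs for every event that matches a rule."""
    return [(stage, ev) for ev in events if (stage := classify(ev))]


if __name__ == "__main__":
    for stage, ev in triage(EVENTS):
        print(f"[{stage}] event id {ev['id']}: {ev}")
```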
“The main focus here is how vital it is to secure an environment at an appropriate level and put in place the right checks and balances to identify any anomalies,” Milam said.
“If you have built a secure internal infrastructure, access to other critical resources is prevented, although some areas of the network must have relatively free access,” added Milam. “While it can be difficult to fight a breach at the access point, organizations can take steps to make systems much harder to compromise and more defendable against attack, as well as resilient and recoverable when attacks succeed.”