Ransomware
New Ransomware Group: Money Message
Impacted Industries: Financial and Insurance Services, Healthcare, Manufacturing, Transportation and Logistics, and Professional, Technical, and Scientific Services
What You Need To Know:
On 6 April 2023, Cyble discovered a new ransomware group named Money Message that targets Windows and Linux operating systems with nine known victims. The ransomware enumerates and stops various services and processes, including Veeam, Volume Shadow Copy Service (VSS), and Sophos, and deletes all VSS snapshots. The ransomware also attempts to laterally move to administrative network shares using credentials hardcoded in its configuration file. The threat is operating now, targeting various organizations based in the US in which customers in the financial and insurance services, healthcare, manufacturing, transportation and logistics, and professional services industries fit the adversary’s interest, and make the likelihood of compromise higher than normal. ATI recommends mitigative action occur within the normal business cycle, which includes establishing an incident response plan with frequent tests.
Ransomware
New Ransomware Discovered: Cylance
Impacted Industries: All
What You Need To Know:
On 7 April 2023, Cyble analyzed a new ransomware family dubbed Cylance, Palo Alto first reported in a tweet. It is unclear how the operators gain access and deliver the ransomware and the number of victims, as there is no known data leak site. The ransom note instructs victims to communicate with operators via email, and it is unknown if the operators exfiltrate or leak data. The ransomware offers four different encryption processing modes, full, fast, split, or custom. It allows the operator to debug other processes, modify system security settings, and create scheduled tasks for automatic execution on the victim’s computer. As there is no information regarding the total number of victims and the industries they operate in or if the cybercriminals are operating now. Out of an abundance of caution, we assess that all customers may fit the adversary’s interest which makes the likelihood of compromise consistent with normal expectations. ATI recommends mitigative action occur within the normal business cycle, which includes establishing an incident response plan with frequent tests.
Ransomware
Windows Zero-Day Used to Deploy Ransomware
Impacted Industries: Retail & Wholesale trade, Manufacturing, Healthcare, and Information
What You Need To Know:
On 11 April 2023, Kaspersky reported that the Nokoyawa ransomware group exploited a zero day elevation of privilege vulnerability, tracked as CVE-2023-28252, which affects the Windows Common Log File System Driver. To exploit the vulnerability, the adversary must be authenticated with user access and have the ability to run code on the target system. The cybercriminals exploited the vulnerability to dump the contents of the HKEY_LOCAL_MACHINE\SAM registry hive and deploy a Cobalt Strike Beacon. The advanced threat is highly likely operating now, targeting organizations who run vulnerable Windows versions in the retail & wholesale trade, manufacturing, healthcare, and information industries in which customers operating in these industries likely fit the adversary’s interest and make the likelihood of compromise higher than normal. ATI recommends mitigative action occur within the normal business cycle, which includes updating vulnerable devices.
Phishing
QuickBooks Being Used for BEC 3.0
Impacted Industries: All
What You Need To Know:
On 11, April 2023, Avanan reported that Quickbooks is now being used within BEC 3.0 type scams. The danger with this threat is that emails will come from a legitimate Quickbooks domain which means this mail traffic will pass security system checks and likely be delivered to the user. The threat is likely operating now. There is no information regarding the total number of victims and the industries this threat targets. Due to the publication of this technique, we assume that cybercriminals, like the operators of BazarCall campaigns, will employ this technique. Therefore, all customers will likely fit the adversary’s interest which makes the likelihood of compromise consistent with or higher than normal. ATI recommends mitigative action occur within the normal business cycle which includes educating users on this new variant of BEC.
Malware
New Malware Campaign Involves XWorm & AgentTesla
Impacted Industries: Accommodation
What You Need To Know:
On 7 April 2023, a new malware campaign involving XWorm and AgentTesla was discovered by Elastic Security Labs. Threat actors are using custom .NET loaders to distribute malware. The final payload of this attack chain can steal sensitive data and execute commands on the compromised system. There is no information regarding the total number of victims and the industries this threat targets. Therefore, all customers will likely fit the adversary’s interest which makes the likelihood of compromise consistent with or higher than normal. ATI recommends mitigative action occur within the normal business cycle, which includes keeping routers and IoT devices up-to-date with the latest security patches, changing default passwords and disabling unnecessary services. Additionally, it is important to keep users educated with up to date phishing techniques that are used by malicious actors.
Threat Actors
DEV-1084 Partners to Deploy Ransomware, Destroy Data, & Systems
Impacted Industries: Telecommunications, public administration, utilities, and educational services
What You Need To Know:
On 7 April 2023, Microsoft observed Mercury (MuddyWater) passing access off to a threat actor they track as DEV-1084, who deployed ransomware and performed destructive attacks within on-premise and cloud environments. Mercury likely exploited known vulnerabilities in unpatched applications to gain initial access and then handed off access to DEV-1084, who conducted extensive reconnaissance, established persistence, and moved laterally throughout the network. DEV-1084 deployed the Darkbit ransomware and used highly privileged compromised credentials to laterally move to the cloud environment, where they destroyed server farms, virtual machines, storage accounts, and virtual networks, as well as sent emails to internal and external recipients. The advanced threat is likely operating now and limited. It is unknown who the targets are, but previous reporting has attributed attacks against telecommunications, public administration, utilities, and educational services to the two groups. ATI recommends mitigative actions occur in the normal business cycle, which includes creating offline backups of sensitive data that occur within the normal business cycle.
Threat Actors
Latest Additions to Data Leak Sites
Impacted Industries: Manufacturing, Professional Services, Healthcare and Social Assistance, Educational Services, and Construction
What You Need To Know:
In the past week, monitored ransomware threat groups added 53 victims to their leak sites. Of those listed, 35 are based in the US. The most popular industry listed was manufacturing with 20 victims. They were followed by five in professional services, four each in health care and social assistance, educational services, and construction.This information represents victims whom cybercriminals may have successfully attacked but opted not to negotiate or pay a ransom. However, we can not confirm the validity of the cybercriminals’ claims.
Exploited Vulnerabilities
CISA Adds 8 CVEs to its Known Exploited Vulnerabilities Catalog
Impacted Industries: All
What You Need To Know:
On 10 and 11 April, CISA added eight CVEs to its Known Exploited Vulnerabilities Catalog. The CVEs added this week are CVE-2021-27876, CVE-2021-27877, CVE-2021-27878, CVE-2019-1388, CVE-2023-26083, CVE-2023-28205, CVE-2023-28206, CVE-2023-28252. The vulnerabilities affect products from Veritas, Microsoft, Arm, and Apple. CVE-2023-28252 was exploited to elevate privileges to dump the contents of the HKEY_LOCAL_MACHINE\SAM registry hive and deploy a Cobalt Strike Beacon in a Nokoyama ransomware incident. ATI recommends the following mitigative action occur according to the mitigation “Due Date” recommended by CISA.
What We Mean When We Say
Estimates of Likelihood
We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like “might” reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information, which is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.
Confidence in Assessments
Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:
- High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
- Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
- Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
Share