Cyber Intel Brief: Mar 02 – 08, 2023

Ransomware

Uncovering the TTPs of Royal Ransomware

Impacted Industries: All

What You Need To Know:

The FBI and CISA have released a Cybersecurity Advisory (CSA) that disseminates known Royal ransomware observables, Indicators of Compromise (IoCs), and cybercriminals’ tactics, techniques, and procedures (TTPs). Royal ransomware has been targeting multiple industries since September 2022, and it is unknown if it operates as a closed organization or a Ransomware-as-a-Service (RaaS). The cybercriminals have used various initial access vectors, including phishing, RDP compromise, and purchasing access from initial access brokers. Once they gain access, they use multiple tools and techniques to move laterally across the network, maintain persistence, and exfiltrate stolen data using US-based hop points. The cybercriminals will likely continue using these high-level tactics but employ differing techniques. Therefore, organizations must ensure their defense-in-depth strategy addresses the various methods cybercriminals can use to carry out these tactics.


Policy

National Cybersecurity Strategy: What You Need to Know

Impacted Industries: All

What You Need To Know:

The Biden Administration has released the National Cybersecurity Strategy to enhance collaboration around five pillars to bolster the nation’s cybersecurity. These pillars are defending critical infrastructure, disrupting and dismantling threat actors, shaping market forces to drive security and resilience, investing in a resilient future, and forging international partnerships to pursue shared goals. The strategy involves establishing cybersecurity requirements for critical sectors, collaborating with the private sector to enhance data-sharing mechanisms, and updating federal response plans and processes. Additionally, the government aims to disrupt and dismantle threat actors by expanding the capacity to coordinate takedown and disruption campaigns and by increasing the scale and speed of cyber threat intelligence sharing between the federal government and the private sector. Furthermore, the strategy declares cybercrime operations and ransomware to be national security threats. It aims to improve security and resilience by shifting the liability for, and consequences of, poor cybersecurity onto those best positioned to reduce risk, while establishing a “safe harbor framework” for organizations that can demonstrate they make cybersecurity a central concern.


Threat Landscape

The DFIR Report’s 2022 Year-in-Review

Impacted Industries: All

What You Need To Know:

The DFIR Report’s year-in-review, based on their publicly available reports from 2022, highlights that phishing remains the primary initial access tactic for cybercriminals; the most common execution techniques were user execution of malicious files, PowerShell, and the Windows Command Shell. Cybercriminals maintain persistence using techniques such as Registry Run Keys, Scheduled Tasks, or remote access software. The report shows that cybercriminals will often dump LSASS memory for credentials and run discovery tools such as ADFIND.exe and Invoke-ShareFinder with the same command-line parameters from one intrusion to the next, which makes those command lines useful detection content. Remote Desktop Protocol and Server Message Block access are the two most common methods used for lateral movement, with AnyDesk being the most popular remote access tool. The report acknowledges that visibility gaps are likely and that not all incidents are publicly reported. Nonetheless, the TTPs used to deploy prominent threats, such as Qakbot, are expected to be used again in future attacks.


Malware

AresLoader: A New Loader Masquerading as Legitimate Software

Impacted Industries: All

What You Need To Know:

Flashpoint recently analyzed a new loader advertised on a Russian-language cybercrime forum and found that it is designed to masquerade as legitimate software and load any payload the operator chooses. After registering with the command and control (C2) server, the loader downloads and executes the legitimate file the victim expected and creates a Registry AutoRun key for persistence. The loader is currently being sold with a limited number of seats. As of 7 March 2023, only eight cybercriminals had purchased access, suggesting that the loader has not yet been used in many attacks. The loader’s C2 IP address belongs to the bulletproof hosting provider Partner LLC, which also hosts other malicious infrastructure. It is unclear why the developer is limiting access to the loader. Deepwatch will continue to monitor this threat for developments.
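The persistence, credential-access and discovery behaviours above (the Run keys, Scheduled Tasks, LSASS dumping and AdFind / Invoke-ShareFinder command lines from the DFIR Report review, and the Registry AutoRun key Flashpoint attributes to AresLoader) all leave ordinary Windows telemetry. The following is an added example written for this brief, not code from the DFIR Report, Flashpoint or Deepwatch: detection logic run over a handful of constructed Sysmon and Security events in JSON-lines form. The field names assume Sysmon’s EventData naming (TargetObject, GrantedAccess, SourceImage, etc.), and the sample events are fabricated for illustration, not taken from a real incident.

```python
"""Detection rules for Run-key persistence, scheduled-task persistence, LSASS
access and AD/share discovery, run over constructed Windows telemetry."""
import json
import re
from typing import Iterable, List, Optional, Tuple

# Sysmon 13 TargetObject paths that land in an AutoRun location.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Scheduled-task actions that launch an interpreter or LOLBin.
TASK_LOLBIN_RE = re.compile(r"powershell|cmd\.exe|rundll32|regsvr32|mshta|wscript",
                            re.IGNORECASE)
LSASS_RE = re.compile(r"\\lsass\.exe$", re.IGNORECASE)
ADFIND_RE = re.compile(r"\badfind(\.exe)?\b", re.IGNORECASE)
SHAREFINDER_RE = re.compile(r"invoke-sharefinder", re.IGNORECASE)
PROCESS_VM_READ = 0x0010  # access right needed to read LSASS memory


def detect(event: dict) -> Optional[Tuple[str, str]]:
    """Return (ATT&CK technique id, description) or None for one event."""
    eid = event.get("EventID")
    if eid == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        return ("T1547.001", "Run key set by %s -> %s"
                % (event.get("Image"), event.get("Details")))
    if eid == 4698 and TASK_LOLBIN_RE.search(event.get("TaskContent", "")):
        return ("T1053.005", "scheduled task %s created by %s runs an interpreter"
                % (event.get("TaskName"), event.get("SubjectUserName")))
    if eid == 10 and LSASS_RE.search(event.get("TargetImage", "")):
        # Only alert when the mask includes PROCESS_VM_READ; query-only opens
        # (e.g. 0x1000) are routine for monitoring agents.
        if int(event.get("GrantedAccess", "0x0"), 16) & PROCESS_VM_READ:
            return ("T1003.001", "%s opened lsass.exe with %s"
                    % (event.get("SourceImage"), event.get("GrantedAccess")))
    if eid == 1:
        cmd = event.get("CommandLine", "")
        if ADFIND_RE.search(cmd):
            return ("T1087.002", "AdFind domain enumeration: " + cmd)
        if SHAREFINDER_RE.search(cmd):
            return ("T1135", "Invoke-ShareFinder share enumeration: " + cmd)
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse JSON-lines telemetry and collect findings in event order."""
    findings = []
    for line in lines:
        hit = detect(json.loads(line))
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\setup.exe"},
    {"EventID": 4698, "SubjectUserName": "alice", "TaskName": r"\OneDriveSync",
     "TaskContent": "<Exec><Command>powershell.exe</Command><Arguments>-enc SQBFAFgA</Arguments></Exec>"},
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\pd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\EDR\sensor.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\AdFind.exe",
     "CommandLine": "AdFind.exe -f (objectcategory=person) > ad_users.txt"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ep bypass Invoke-ShareFinder -CheckShareAccess"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]
SAMPLE_LOG_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for technique, description in scan(SAMPLE_LOG_LINES):
        print(technique, description)
```

In production the Run-key rule needs a baseline of legitimate installers that write AutoRun values, and the LSASS rule is usually paired with an allow-list of signed security products; the access-mask check shown here is the minimum that keeps a monitoring agent’s query-only handle from paging an analyst.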


Malware

Emotet Returns After 3-Month Hiatus

Impacted Industries: All

What You Need To Know:

Spam email campaigns delivering Emotet have resumed. The emails carry a .zip attachment containing a macro-enabled Word document. The document uses the “Red Dawn” template and prompts the user to enable editing and enable content in order to preview it, which downloads and executes the Emotet .dll file. The emails appear to be replies to existing email chains, with themes including finances and insurance, and the .zip attachment is not password protected. While it is unclear how long this campaign will last, historical trends suggest it could last a few weeks, as Emotet activity usually occurs in three phases each year.
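Because the .zip is not password protected, a mail gateway or triage script can open it and flag macro-bearing Word documents before a user is ever prompted to “enable content”. The following is an added example written for this brief, not Deepwatch tooling or anything from the Emotet reporting: it inspects an attachment archive for legacy OLE documents (which may embed VBA) and for OOXML documents that carry a `word/vbaProject.bin` part, and it reports encrypted entries it cannot look inside. The archive and the documents in it are constructed in memory for the example; they are minimal stand-ins, not real Word files, and the file names are invented.

```python
"""Static triage of a .zip mail attachment for macro-enabled Office documents."""
import io
import zipfile
from typing import List, Optional, Tuple

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate huge members


def _build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container; real documents have many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real vbaProject.bin is itself an OLE stream holding the VBA modules.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed outer .zip standing in for the spam attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Invoice.doc", OLE_MAGIC + b"\x00" * 504)   # legacy OLE file
        z.writestr("Report.docm", _build_ooxml(with_macro=True))
        z.writestr("Policy.docx", _build_ooxml(with_macro=False))
        z.writestr("readme.txt", "no macros here")
    return buf.getvalue()


def classify_member(data: bytes) -> Optional[str]:
    """Decide from content, not extension, whether a member can carry VBA."""
    if data.startswith(OLE_MAGIC):
        return "legacy OLE document (may contain VBA; inspect with olevba)"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                names = inner.namelist()
        except zipfile.BadZipFile:
            return None
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "OOXML document with VBA project (macro-enabled)"
    return None


def find_macro_documents(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member name, verdict) for every member worth a human's attention."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            if info.flag_bits & 0x1:  # encrypted entry: cannot inspect statically
                findings.append((info.filename, "encrypted entry; cannot inspect"))
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((info.filename, "oversized member; not inflated"))
                continue
            verdict = classify_member(outer.read(info.filename))
            if verdict:
                findings.append((info.filename, verdict))
    return findings


if __name__ == "__main__":
    for name, verdict in find_macro_documents(build_sample_attachment()):
        print(f"{name}: {verdict}")
```

The check is deliberately content-based: a .doc extension on an OOXML file, or a .docx extension on an OLE file, should not change the verdict. A legacy OLE hit only tells you VBA is possible; handing that member to a VBA extractor (olevba from oletools) is the next step, and any encrypted or oversized member is a reason to quarantine rather than pass.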


Threat Actors

Latest Additions to Data Leak Sites

Impacted Industries: All

What You Need To Know:

In the past week, monitored threat groups added 31 victims to their leak sites. Twelve of those listed are US-based, followed by three in Germany and two each in the UK, Spain, and Brazil. The most frequently listed industry was manufacturing, with nine victims, followed by three each in professional services, information, and construction, and two in transportation. These listings represent organizations that cybercriminals may have successfully attacked and that opted not to negotiate or pay a ransom. However, we cannot confirm the validity of the cybercriminals’ claims.


Exploited Vulnerabilities

CISA Adds 3 CVEs to its Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

CISA added three vulnerabilities affecting Zoho ManageEngine ADSelfService Plus, Apache Spark, and Teclib GLPI to its Known Exploited Vulnerabilities Catalog. These vulnerabilities could allow remote code execution or command injection, which cybercriminals could exploit to gain access to sensitive information. In addition, based on first.org’s Exploit Prediction Scoring System (EPSS), several other CVEs will likely be exploited in the next thirty days, including vulnerabilities in the ZyXEL P660HN-T1A v1 router, Joomla 3.7.x, DNS servers, and Zoho ManageEngine Netflow Analyzer.


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
