Cyber Intel Brief: March-17-23, 2022
By Eric Ford
Conti Puts the ‘Organized’ in Organized Crime
- Intel 471 was able to piece together the inner workings of the Conti ransomware group due to the recent leaks of information tied to the group.
- Intel 471 identiﬁed communications linked to a Conti division with its own speciﬁc purpose. This division was in charge of gathering information on targets for current and future attacks, writing phishing scripts for use over the phone and email, and exerting numerous forms of pressure during ransomware negotiations using the previously compiled information.
The Deepwatch Threat Intel Team assesses with high conﬁdence that Conti will continue operations as normal, as team members and practices are not easily disbanded or replaced, and the amount of time and effort that went into building and resourcing the individual teams would be hard to let go. Therefore, it is recommended that customers conduct their own reconnaissance, using the methods employed by Conti, to identify and remediate any deﬁciencies.
FBI and FinCEN Release Advisory on AvosLocker Ransomware
- The FBI and the Department of Treasury’s Financial Crimes Enforcement Network released a joint Cybersecurity Advisory that identiﬁes some of the Indicators of Compromise associated with AvosLocker ransomware.
- AvosLocker is a Ransomware-as-a-Service (RaaS) threat group based in the United States that has targeted victims in a variety of critical infrastructure sectors, including, but not limited to, ﬁnancial services and manufacturing.
The Deepwatch Threat Intel Team assesses with moderate conﬁdence that AvosLocker threat actors will continue to use Microsoft Exchange Server vulnerabilities to gain initial access into organizations and conduct data exﬁltration activities using the ﬁle transfer tool, PuTTY Secure Copy Client (pscp.exe), Rclone, and Cobalt Strike during their attacks. To mitigate the risk of AvosLocker, the Deepwatch Threat Intel Team encourages customers to review the technical details and Indicators of Compromise published in the joint Cybersecurity Advisory.
DEV-0537 (LAPSUS$) Criminal Actor Targeting Organizations for Data Exﬁltration and Destruction
- Microsoft recently published a report on the recent claim that LAPSUS$, who Microsoft tracks as DEV-0537, breached their network and publicly disclosed source code. Additionally, Microsoft details the tactics, techniques, and procedures used by DEV-0537 in their data extortion and destruction attacks.
- Microsoft states, “No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”
Deepwatch Threat Intel Team assesses with high conﬁdence that DEV-0537 (LAPSUS$) will continue to target high-proﬁle organizations to increase their proﬁle and draw more publicity to their actions, thereby increasing their chances of successfully extorting the target organization. The Deepwatch Threat Intel Team recommends customers follow Microsoft’s mitigation guidance.
Exposing Initial Access Broker With Ties to Conti
- Google’s Threat Analysis Group recently investigated the threat actor Exotic Lily, which they believe operates as an initial access broker, exploiting a vulnerability in Microsoft MSHTML (CVE-2021-40444).
- TAG observed Exotic Lily exhibiting TTPs that are traditionally associated with more targeted attacks, such as masquerading as companies and employees through email campaigns as a means of gaining the trust of a targeted organization. It is believed that these email campaigns are run by real human operators using little-to-no automation. Additionally, they leverage legitimate ﬁle-sharing services such as: WeTransfer, TransferNow, and OneDrive, to deliver the payload, hoping to evade detection mechanisms.
The Deepwatch Threat Intel Team assesses with moderate conﬁdence that Exotic Lily will continue to use the techniques described by Google’s TAG to gain initial access to targeted organizations. To mitigate this risk, it is recommended that customers implement an end-user phishing email awareness program and incorporate known threat actor TTPs in phishing simulation exercises. In addition, it’s recommended that customers establish an organizational standard of how and what ﬁle types should be transferred both internally and externally and restricting or quarantining non-business-related ﬁle attachment types, such as .iso ﬁles.
Mēris and TrickBot Standing On the Shoulders of Giants
- Avast’s researchers believe that cryptomining malware campaigns they previously covered were all distributed by the same C2 server. Additionally, it is believed that this C2 serves as a botnet-as-a-service that controls nearly 230,000 MikroTik routers.
- According to Avast research, there are indicators that lead the researchers to believe that this botnet may be the Meris botnet. It is speculated that default credentials and unpatched routers allowed the threat actors to control these devices.
Deepwatch Threat Intel Team assesses with moderate conﬁdence that threat actors will continue to target unpatched routers and IoT devices in general to incorporate them into a botnet-as-a-service. To mitigate the risk to your routers and IoT devices, it is recommended that customers update routers, set up a strong password, and ﬁnally, disable the administration interface from being able to be accessed from the internet.
From BlackMatter to BlackCat: Analyzing Two Attacks From One Affiliate
- Researchers from Cisco Talos investigated a BlackCat (ALPHV) ransomware incident from December 2021 and discovered that there are similarities between this attack and a BlackMatter ransomware incident from September 2021.
- The investigation revealed similarities in the tools, infrastructure, and the tactics, techniques, and procedures used between the two incidents. Cisco Talos assesses with moderate conﬁdence that the two attacks were carried out by the same threat actor.
The Deepwatch Threat Intel Team assesses with low to moderate conﬁdence that BlackCat (ALPHV) is a rebrand of the BlackMatter ransomware. To mitigate this risk, it is recommended that customers implement a phishing awareness program that includes simulated exercises, employ multi-factor authentication, and patch vulnerabilities as soon as possible, with a focus on known exploited vulnerabilities. Additionally, it is also recommended that customers monitor for log disablement, dumping of the LSASS process memory, and the exﬁltration of large amounts of data.
New Browser-in-the-Browser Attack Spoofs Chrome’s Single Sign-on Login Windows
- The Hacker News and Bleeping Computer published articles covering a new Browser-in-the-Browser (BitB) phishing technique that masquerades as a single sign-on phishing login form using a fake Chrome browser window.
- The templates are freely available on GitHub and allows threat actors to customize the pop-ups title, logo of the website being spoofed, and gives the threat actor the ability to customize the domain name and path to make it appear legitimate.
Deepwatch Threat Intel Team assesses with moderate conﬁdence that threat actors will begin to incorporate the BitB technique into phishing domains they create. To mitigate this risk, customers are encouraged to incorporate this technique in their phishing awareness training and simulation exercises.
What We Mean When We Say
Estimates of Likelihood
We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms unlikely and remote imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like might and might reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information, which is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.
Confidence in Assessments
Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:
- High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
- Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
- Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.