Cyber Intel Brief: March-24-30, 2022
By Eric Ford,
Conti Ransomware Attacks Persist With an Updated Version Despite Leaks
- Zscaler’s ThreatLabz discovered an updated version of the Conti ransomware that was released prior to, and was not part of, the leak of the source code for two versions of Conti’s ransomware and their chat logs.
- The most recent updates enable the ransomware to reboot systems in Windows Safe Mode and to search for users that have admin privileges.
The Deepwatch Threat Intel Team assesses with high confidence that Conti will continue to conduct cyber attacks and update their tools, tactics, techniques, and procedures. Due to the recent leaks, it is very likely that Conti will harden their infrastructure rather than replace it completely. Therefore, organizations should patch systems with a focus on known exploited vulnerabilities, implement multi-factor authentication, develop a phishing awareness and simulation exercise program, monitor for the use of non-business approved file transfer software like Rclone and MegaSync, and finally, monitor for suspicious authentication attempts from users with administrative privileges.
SunCrypt Ransomware Gains New Capabilities in 2022
- Minerva discovered a new ransomware variant from SunCrypt. The new variant is not very sophisticated, but its encryption routine is unique as it does not use the system API.
- This new variant, which seems to still be in development, allows the ransomware to terminate processes, stop services, and clean logs of any evidence of the ransomware execution.
The Deepwatch Threat Intel Team assesses with moderate confidence that the ransomware actor SunCrypt will continue to refine their ransomware variant. Therefore, to reduce the risk of a ransomware event, organizations should patch systems with a focus on known exploited vulnerabilities, ensure system backups are conducted on a regular basis and kept on a resource not easily accessible by domain-affiliated credentials, implement multi-factor authentication, develop a phishing awareness and simulation exercise program, monitor for the use of non-business approved file transfer software, and finally, monitor for suspicious authentication attempts from users with administrative privileges.
Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability
- Google released a security update for a Chrome vulnerability, tracked as CVE-2022-1096, after their Threat Analysis Group disclosed details of the North Korean-supported Lazarus Group exploiting the flaw.
- According to Google, the threat actors are “targeting U.S. based organizations spanning news media, IT, cryptocurrency and fintech industries. However, other organizations and countries may have been targeted.” The actors used an exploit kit that included various stages and components. The actors included links to the exploit kit within hidden iframes on both their own and compromised websites.
Deepwatch Threat Intel Team assesses with high confidence that nation state-sponsored threat actors, like the Lazarus Group, will continue to conduct vulnerability research against widely used client-side applications, such as Chrome, to identify Zero-Day vulnerabilities with stable exploit code to gain access to networks of interest and carry out their mission. To mitigate this threat, it is recommended that organizations using Google Chrome update to the current version 100.0.4896.60 (as of March 30, 2022) for Windows, Mac, and Linux. Users of Chromium-based browsers such as Microsoft Edge and Opera should update as soon as updates for those browsers are released.
CISA Adds 98 Vulnerabilities to Known Exploited Vulnerabilities Catalog
- CISA has added 98 new vulnerabilities to its Known Exploited Vulnerabilities Catalog. Notable software affected includes Google Chrome, SonicWall Secure Remote Access (SRA), and Confluence.
- Threat actors have been observed actively exploiting these vulnerabilities.
The Deepwatch Threat Intel Team strongly urges all organizations to prioritize timely remediation of vulnerabilities featured in CISA’s Known Exploited Vulnerabilities Catalog as part of their vulnerability management practice.
Vidar Malware Launcher Concealed in Help File
- Trustwave investigated a phishing campaign where a threat actor appended a malicious file to an unsuspicious file format to deliver the information-stealing malware Vidar.
- The attachment is actually an ISO file that holds two files: a Microsoft Compiled HTML Help file (a proprietary Microsoft online help file format normally used for software documentation) and an executable. Executing either one will compromise the machine.
Deepwatch Threat Intel Team assesses with moderate confidence that threat actors will continue to incorporate and improve on this technique, as it is highly effective in deceiving the unsuspecting user. To reduce the risk of executing this type of malware, organizations are encouraged to block any file extensions that pose a risk. In this case that would be “.iso” files, as most organizations do not utilize this type of attachment for business purposes. Educating users on this type of malicious example can also increase awareness and keep them from falling victim to malicious files.
New Conversation Hijacking Campaign Delivering IcedID
- Intezer discovered that threat actors are compromising Microsoft Exchange servers to send phishing emails masquerading as replies to existing email conversations. Additionally, the emails are originating from the account the email was stolen from.
- The emails contain a zip archive that contains a single ISO file, which in turn contains two files: a LNK file named “document” and a DLL file named “main.” The icon for the LNK file is a typical one for documents. Clicking on the LNK file will execute the DLL, which is a loader for the IcedID payload.
The Deepwatch Threat Intel Team assesses with moderate confidence that threat actors will continue to exploit unpatched Microsoft Exchange servers to send out phishing emails. Therefore, it is recommended that organizations patch Exchange servers, implement an end-user phishing email awareness program, and incorporate known threat actor TTPs in phishing simulation exercises.
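A check for the attachment pattern in this item and in the Vidar item above (an ISO sent directly or wrapped in a zip), added here as an example and not taken from Deepwatch, Trustwave or Intezer. It flags ISO images by extension and by ISO 9660 signature, so a renamed image or one nested inside archives is still caught; the function names, size and depth limits, and sample attachments are assumptions constructed for the example.

```python
import io
import zipfile

ISO_MAGIC = b"CD001"                  # ISO 9660 volume descriptor identifier
ISO_MAGIC_OFFSET = 16 * 2048 + 1      # descriptors start at sector 16, id at byte 1
MAX_DEPTH = 3                         # assumed nested-archive limit
MAX_MEMBER_BYTES = 64 * 1024 * 1024   # assumed cap: do not inflate larger members


def looks_like_iso(name, data=b""):
    """Match on extension or on ISO 9660 magic, so a renamed image is caught."""
    if name.lower().endswith(".iso"):
        return True
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] == ISO_MAGIC


def find_iso(name, data, depth=0):
    """Return the path of every ISO image in an attachment, looking inside zips."""
    if looks_like_iso(name, data):
        return [name]
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)
            if encrypted or info.file_size > MAX_MEMBER_BYTES:
                # Content cannot (or should not) be read: judge by name only.
                inner = [info.filename] if looks_like_iso(info.filename) else []
            else:
                inner = find_iso(info.filename, zf.read(info), depth + 1)
            hits += [f"{name}/{path}" for path in inner]
    return hits


def make_zip(members):
    """Build an in-memory zip from {filename: bytes} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


# Constructed samples: a zero-filled buffer carrying only the ISO 9660 identifier.
FAKE_ISO = bytes(ISO_MAGIC_OFFSET) + ISO_MAGIC + bytes(2042)
SAMPLE_ZIP = make_zip({"document.iso": FAKE_ISO})
RENAMED_ZIP = make_zip({"inner.zip": make_zip({"scan.pdf": FAKE_ISO})})
```

A mail gateway hook would call `find_iso()` on each attachment and quarantine the message when the returned list is non-empty.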
Lapsus$ and SolarWinds Hackers Both Use the Same Old Trick to Bypass MFA
- Ars Technica reported on how threat actors, both sophisticated and unskilled, have used MFA prompt bombing to defeat the protections that MFA allows.
- Threat actors may send multiple MFA requests, send one or two requests per day, or even call the user, in the hope that the user accepts one of the requests, thereby allowing the threat actor access to the account.
Deepwatch Threat Intel Team assesses with moderate confidence that threat actors will incorporate MFA prompt bombing in their tactics, techniques, and procedures. To mitigate the risk of MFA prompt bombing, organizations are encouraged to add this technique to cybersecurity and phishing awareness training. Additionally, organizations should monitor for multiple MFA requests in a short time span, which could indicate that credentials have been compromised and need to be reset. Resetting them reduces the risk of a threat actor gaining initial access to your organization’s digital resources.
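One way to implement the monitoring recommended above, as an added example that is not Deepwatch's detection logic: a per-user sliding window over MFA push events that alerts on a burst of unapproved prompts and again if a prompt is approved during that burst. The log format, result values, window, threshold and sample lines are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; "timestamp user result" is an assumed format.
SAMPLE_LOG = """\
2022-03-26T23:10:00 bwong denied
2022-03-27T23:40:00 bwong denied
2022-03-28T02:14:05 jdoe denied
2022-03-28T02:14:40 jdoe timeout
2022-03-28T02:15:10 jdoe denied
2022-03-28T02:16:02 jdoe timeout
2022-03-28T02:16:45 jdoe denied
2022-03-28T02:17:30 jdoe denied
2022-03-28T02:18:01 jdoe approved
2022-03-28T08:59:12 asmith timeout
2022-03-28T08:59:50 asmith approved
2022-03-28T23:05:00 bwong timeout
""".splitlines()


def parse(line):
    ts, user, result = line.split()
    return datetime.fromisoformat(ts), user, result


def detect_prompt_bombing(lines, window=timedelta(minutes=10), threshold=5):
    """Return (user, time, kind) alerts: "burst" when `threshold` unapproved
    pushes hit one user inside `window`; "approved_after_burst" when a push
    is then approved, i.e. the user may have given in."""
    recent = defaultdict(deque)   # user -> times of unapproved pushes in window
    in_burst = set()              # users already alerted for the current burst
    alerts = []
    for ts, user, result in sorted(parse(l) for l in lines if l.strip()):
        pushes = recent[user]
        while pushes and ts - pushes[0] > window:
            pushes.popleft()      # expire pushes older than the window
        if not pushes:
            in_burst.discard(user)
        if result == "approved":
            if user in in_burst:
                alerts.append((user, ts, "approved_after_burst"))
            pushes.clear()
            in_burst.discard(user)
        else:
            pushes.append(ts)
            if len(pushes) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append((user, ts, "burst"))
    return alerts
```

The default ten-minute window does not catch the one-or-two-requests-per-day pattern described above (user `bwong` in the sample); a second pass with a multi-day window and a lower threshold, for example `window=timedelta(days=3), threshold=3`, does.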
Mitigating Attacks Against Uninterruptible Power Supply Devices
- According to a CISA Insights whitepaper, threat actors have gained access to internet-exposed uninterruptible power supply (UPS) devices. The whitepaper also provides guidance that organizations can use to mitigate the risk.
- It is believed that threat actors are able to access these devices through unchanged default usernames and passwords.
Deepwatch Threat Intel Team assesses with moderate confidence that threat actors will continue to target UPS devices to cause disruption to targeted organizations or conduct further attacks. To mitigate the risk posed by internet-exposed UPS devices, the Threat Intel Team recommends organizations follow CISA’s guidance under the “Recommended Actions” section of their CISA Insights whitepaper. This includes, but is not limited to, changing the default usernames and passwords, enabling timeout features for logging in and logging out, and, if possible, making sure your UPS devices are not accessible from the internet.
What We Mean When We Say
Estimates of Likelihood
We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like “might” and “may” reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.
Confidence in Assessments
Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:
- High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
- Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
- Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.