TRIAGE - Threat Reporting and Intelligence on Attacks and General Exploits #27

Howdy everyone, welcome to volume number 27 of TRIAGE Tuesday! First we look at a new pentesting tool that has now also been co-opted by attackers trying to stay a couple of steps under the radar now that Cobalt Strike has become such a well-known property. Our second story of the week is tied to Microsoft making a good security change and then “temporarily” rolling it back. We move to ransomware gangs setting up a searchable database of stolen data in what can be seen as triple extortion. Microsoft has been producing some very good security reports, and a new one looks at further BEC/phishing techniques everyone needs to be familiar with if we are going to attempt to stop this activity. We finish off the week with a big twist on job applications and how they can be abused by criminals! Enjoy a closer look at all 5 stories below!

Technical issues led to a gap last week and a delay this week; please enjoy both versions of the newsletter, covering the last two weeks of activity!

If you are not already, get this awesome weekly update delivered directly to your inbox! The newsletter!


1. Attackers Picking Up Brute Ratel as an Alternative to Cobalt Strike

Cyware - Brute Ratel replacing Cobalt Strike

Palo Unit 42 report on Brute Ratel

Overview: A report from Palo Alto Unit 42 claims that some cybercriminals are now moving away from Cobalt Strike to Brute Ratel. The tool was released in 2020 by an ex-red teamer who had worked at Mandiant and CrowdStrike. The shift is a significant change in tactics, as BRc4 is designed to evade EDR and anti-malware solutions; at first, almost all security software failed to flag it as malicious, which let the tool stay out of the limelight. Separately, the researchers observed a piece of malware, created using Brute Ratel (BRc4) by Russia's Cozy Bear (APT29), that 56 anti-malware products failed to detect.

TRIAGE: Cobalt Strike is a commercial software tool that has been stolen and used by attacker groups for years now; multiple iterations have leaked online, turning it from a professional pentesting tool into one of the most common components of attacker toolsets outside the ransomware packages themselves. Here we have new research showing attackers adopting another pentesting tool in an attempt to stay under the detection radar. Everyone involved in security needs to stay aware of tooling changes like this and have a general idea of how these software packages function within attacks, for both incident response and defensive actions.


2. Microsoft rolls back blocking Office VBA macros by default - follow up news shows it may be temporary

MSN - Microsoft rolling back blocking Office VBA macros

BC - MS rollback is potentially temporary

Overview: Microsoft is rolling back a planned change to block Visual Basic for Applications (VBA) macros by default in a variety of Office apps. Announced earlier this year, Microsoft had been planning to prevent Office users from easily enabling certain content in files downloaded from the internet that include macros, in a move to improve security against malicious files. Microsoft had been testing this change ahead of a planned rollout to all Microsoft 365 users in June, but suddenly reverted the block on June 30th.

Update: Microsoft says last week's decision to roll back VBA macro auto-blocking in downloaded Office documents is only a temporary change. Redmond announced in February that Microsoft Office would automatically block VBA macros in all documents downloaded from the Internet after a rollout stage between April and June.

TRIAGE: I celebrated the news a couple of months ago when Microsoft announced it would block macros by default, so when the rollback was initially announced I was very disheartened and shared my opinion. My concern now sits with the phrase “temporary rollback” and what the actual time frame will be. They have implemented the rollback, but as of now I have still not seen anything close to a definitive answer on what temporary means, which could leave the world with a great feature being rolled out and then disabled, and then months or years before it is permanently fixed by changing it back to blocked by default.


3. Ransomware gang now lets you search their stolen data

BC - Searching stolen ransomware data

Overview: Two ransomware gangs and a data extortion group have adopted a new strategy to force victim companies to pay threat actors to not leak stolen data. The new tactic consists of adding a search function on the leak site to make it easier to find victims or even specific details. At least two ransomware operations and a data extortion gang have adopted the strategy recently, and more threat actors are likely to do the same.

TRIAGE: Here we have more examples of crime and criminals evolving in response to actions taken against them. We started out with ransomware extortion being tied to encrypting data and demanding money to release the key(s) to unlock it. Then double extortion became a tactic: encrypt data and demand payment for a decryption key while also demanding another payment to not release the data to the public. Now we are looking at triple extortion, which keeps the first two and adds releasing publicly accessible portions of the data, not only to prove they have real data but to “name and shame” the company to the world and to its own employees, who will put further pressure on it to pay. This has also created a market with exponentially rising ransomware payment costs, as the attacker groups use all of these methods in tandem to get higher payouts for each attack. We’ve seen multiple examples of ransomware groups being run like legitimate businesses, and here is another business move to gather more money per attack to cover the attacker groups’ growing internal infrastructure costs.


4. From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud

Microsoft - Cookie theft to BEC full report

Microsoft - 2021 Microsoft Digital Defense Report (MDDR)

Overview: A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA). The attackers then used the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets. Based on our threat data, the AiTM phishing campaign attempted to target more than 10,000 organizations since September 2021.

TRIAGE: The original 2021 MDDR report is an excellent read and everyone should take a look, but here we now have a follow-up report showing further BEC activity that needs to be on everyone’s radar as well. These reports have great overview-level descriptions along with a good amount of technical depth for those of us in the trenches dealing with this activity daily who need to know how to prepare for these attacks.
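The cookie-replay step described in this story, as an added detection example that is not from the Microsoft report or this newsletter: a session minted by an MFA-satisfied interactive sign-in is later presented from a different client, or from a client with no sign-in on record. The event schema, field names and sample sign-in events are constructed for illustration and do not correspond to any specific product's log format.

```python
# Added example: flag likely replay of a stolen session cookie, i.e. a session
# minted by an MFA-satisfied interactive sign-in that is later used by a different
# client (IP and/or user agent). Event schema and sample values are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class SignInEvent:
    ts: datetime
    user: str
    session_id: str    # identifier bound to the session cookie
    ip: str
    user_agent: str
    interactive: bool  # True only for the browser sign-in that satisfied MFA

def detect_session_replay(events: list[SignInEvent]) -> list[dict]:
    origin: dict[str, SignInEvent] = {}  # session_id -> sign-in that minted it
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.interactive:
            origin[ev.session_id] = ev
            continue
        first = origin.get(ev.session_id)
        if first is None:
            # Cookie in use but no sign-in minted it in our logs: fits a session captured elsewhere.
            sev, why = "high", "no_origin_signin"
        else:
            ip_changed, ua_changed = ev.ip != first.ip, ev.user_agent != first.user_agent
            if not (ip_changed or ua_changed):
                continue  # same client that signed in: normal token use
            # Both changing points at a different machine; one alone can be roaming or a browser update.
            sev = "high" if ip_changed and ua_changed else "medium"
            why = ("ip_and_ua_mismatch" if sev == "high"
                   else "ip_mismatch" if ip_changed else "ua_mismatch")
        alerts.append({"user": ev.user, "session_id": ev.session_id, "severity": sev, "reason": why})
    return alerts

# Constructed sample events (RFC 5737 documentation addresses, made-up user agents).
T0 = datetime(2022, 7, 19, 9, 0)
CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/103.0"
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0"
SAMPLE_EVENTS = [
    SignInEvent(T0, "alice", "S1", "203.0.113.10", CHROME, True),
    SignInEvent(T0 + timedelta(minutes=5), "alice", "S1", "203.0.113.10", CHROME, False),
    SignInEvent(T0 + timedelta(minutes=12), "alice", "S1", "198.51.100.77", FIREFOX, False),
    SignInEvent(T0 + timedelta(minutes=20), "bob", "S2", "198.51.100.80", FIREFOX, False),
    SignInEvent(T0 + timedelta(minutes=30), "carol", "S3", "203.0.113.44", CHROME, True),
    SignInEvent(T0 + timedelta(minutes=45), "carol", "S3", "203.0.113.45", CHROME, False),
]
```

Running `detect_session_replay(SAMPLE_EVENTS)` yields three alerts: alice's session reused from a new IP and browser (high), bob's session with no sign-in on record (high), and carol's IP-only change (medium).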


5. How a fake job offer took down the world’s most popular crypto game

Block.co - How fake job offers took down Axie Infinity

Overview: Rarely has a job application backfired more spectacularly than in the case of one senior engineer at Axie Infinity, whose interest in joining what turned out to be a fictitious company led to one of the crypto sector’s biggest hacks. Ronin, the Ethereum-linked sidechain that underpins play-to-earn game Axie Infinity, lost $540 million in crypto to an exploit in March. While the US government later tied the incident to North Korean hacking group Lazarus, full details of how the exploit was carried out have not been disclosed.

TRIAGE: As we have seen above, ransomware and BEC still get a huge amount of press, and rightly so, as they are the major attack vectors. Other attack methods continue to happen, though, and everyone needs to be aware of how they function as well to keep everyone safe. This case is also a massive financial impact, not only on the people and company involved; it is one more reason cryptocurrency is going to be a hot topic for years to come and may end up seeing far more regulation than many people would prefer as it moves to become a major financial space worldwide.
