Threat Intel Roundup

Published: 30 June 2022

Content

01. Summary
02. Threat Spotlight
  • The curious case of a ransomware gang lying about breaching Mandiant

03. Quick News Bites
  • BlackCat/ALPHV group introduces surface web “check yourself” button for stolen personal information in the latest extortion technique

  • Black Basta ransomware adds support for encrypting ESXI systems to its toolkit

  • Microsoft patch MSDT remote code execution zero-day vulnerability named Follina

  • Conti ransomware group ceases operating by shutting down public infrastructure

  • Cisco patch ADM vulnerability that lets attackers reset admin credentials

04. Conclusion

A Note From The Cyber Threat Response Team

When will phishing ever become less effective? The answer is simple: you take the human aspect out of the equation.

Phishing via social engineering continues to be one of the most successful methods of initial compromise. Multi-factor authentication (MFA) - allegedly invented in 2013 by Kim Dotcom - was a great start to preventing unauthorised logins and heading off a large percentage of breaches. This is good, you might think, but over the past few months the CTR team has seen a huge uptick in compromises in which MFA completely failed.

“How did it fail?” you might ask, and the answer is the same as above: human nature. We are lazy creatures that opt for the easy way in life. Therefore, when you approve an MFA prompt every time you log in, you are probably going to be inclined to accept each prompt without much thought.

That is what happened during a recent incident that Integrity360 dealt with. The victim received an MFA prompt at two in the morning, opened their phone and accepted the prompt whilst half-asleep. It goes without saying that this defeats the goal of MFA. The company ended up with the user's entire mailbox compromised, along with mass reputational damage when the attackers spammed every customer in the address book.
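The pattern in that incident (a burst of push prompts to one user ending in an approval) is detectable from authentication telemetry. The following is an added example, not code from Integrity360 or the bulletin; the log format and the user names are constructed for illustration, and the window and threshold are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real telemetry): one MFA push event per line,
# in the shape "ISO-timestamp user=<id> event=mfa_push result=<outcome>".
SAMPLE_LOG = """\
2022-06-12T01:58:03Z user=alice event=mfa_push result=denied
2022-06-12T01:59:10Z user=alice event=mfa_push result=denied
2022-06-12T02:00:41Z user=alice event=mfa_push result=timeout
2022-06-12T02:02:15Z user=alice event=mfa_push result=approved
2022-06-12T09:14:00Z user=bob event=mfa_push result=approved
2022-06-12T13:30:22Z user=bob event=mfa_push result=approved
"""

def parse_events(text):
    """Parse key=value records into dicts; 'ts' becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events

def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Flag an approval that follows >= threshold push prompts (itself
    included) to the same user inside `window`. Returns a list of
    (user, approval time, prompt count)."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("event") == "mfa_push":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["result"] != "approved":
                continue
            # Prompts to this user in the window ending at this approval.
            recent = [x for x in evs[: i + 1] if e["ts"] - x["ts"] <= window]
            if len(recent) >= threshold:
                alerts.append((user, e["ts"], len(recent)))
    return alerts
```

On the sample, only alice is flagged: four prompts in just over four minutes ending in an approval, whereas bob's two approvals are hours apart and each stands alone.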

I will refrain from talking too much about the recent “Follina” vulnerability, given that it was covered in the news at the end of May and beginning of June, but it was certainly an interesting example of a case where even Microsoft’s dedicated security protection (macros disabled by default) did not help.

It is only a matter of time before more vulnerabilities like this are discovered.

Threat Spotlight

The curious case of a ransomware gang lying about breaching Mandiant

On June 6th, 2022, the LockBit ransomware group announced via their dark web leak site that they breached the cyber security firm Mandiant. As the leak timer ended and no credible data appeared, the next obvious question became identifying the motive behind such an incendiary claim that turned out to be false.

The consensus among the security community points to a blog post released by Mandiant on June 2nd, 2022, which attributes many LockBit attacks to “UNC2165”, the Russian cybercriminal group more widely known as “Evil Corp”. The attribution focused on infrastructure overlap and tooling similarities.

Although this might appear to be semantics, Evil Corp has an infamous reputation going back to at least 2007, having been attributed the “Dridex” banking trojan, which subsequently led to the group being added to a U.S. Office of Foreign Assets Control (OFAC) sanctions list.

Being on this list makes it illegal in some countries for victims to pay ransoms following attacks. Therefore, LockBit viewed any comparison to a currently sanctioned group as potentially devastating to their lucrative ransomware activities. To reiterate, an official association by OFAC or similar bodies linking LockBit and Evil Corp would mean authorities could criminally prosecute victims who choose to pay ransoms. With Conti now defunct, LockBit is the largest ransomware operator in existence.

Quick News Bites

BlackCat/ALPHV group introduces surface web “check yourself” button for stolen personal information in the latest extortion technique

The BlackCat/ALPHV ransomware group has debuted a new extortion scheme to pressure organisations into ransom payment. The feature - first discussed on the Russian cybercriminal forum XSS but later confirmed via the group’s dark web leak site - allows the victim organisation's customers and employees to search for their own personal data following a ransomware attack.
What also makes this development interesting is the use of a surface web leak site to complement the “check yourself” button. Previously, those affected would have needed to navigate to an obscure dark web site using tools such as Tor, which are not ubiquitous among the general populace. This further shames the victim company into ransom payment and is yet another example of the lengths ransomware operators will go to.


Black Basta ransomware adds support for encrypting ESXi systems to its toolkit

While certainly not the first to use this devastating technique, Black Basta joins prolific names such as BlackMatter, LockBit and AvosLocker, who attempt to encrypt victims' VMware ESXi hosts. For many threat actors, targeting ESXi is the sole reason they developed a Linux version at all. Most ESXi encryptors target the /vmfs/volumes directory, which, from the attackers’ point of view, speeds things up by encrypting multiple virtual machines' disk files at once.
Naturally, as type-1 hypervisors run on powerful hardware, the ransomware uses multi-threading to speed up the encryption process. The algorithm employed is ChaCha20, which in software is considerably faster than alternatives such as AES.


Microsoft patch MSDT remote code execution zero-day vulnerability named Follina

Although originally believed to be a flaw in Microsoft Office, the vulnerability (CVE-2022-30190) relates to the Microsoft Support Diagnostic Tool (MSDT), which collects troubleshooting information to report back to Microsoft. MSDT is present on all currently supported versions of Windows.
Traditionally, malicious documents required users to enable macros before code could run and infect the user’s machine. Follina circumvents this by abusing the MSDT protocol scheme. Below is a typical example of exploitation:

  1. The user opens a malicious file (typically a document delivered to their inbox).
  2. The file contains an HTTPS URL that is fetched when the document is opened.
  3. This URL points to an HTML file that contains suspicious JavaScript code.
  4. The JavaScript references a URL using the ms-msdt protocol identifier instead of https.
  5. This opens the MSDT tool and runs the previously supplied malicious code, since ms-msdt link execution allows command line arguments to be passed through.
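Steps 2 to 4 leave two indicators a defender can look for without running the document: an OLE relationship in the .docx package that points to an external URL, and an HTML page that references the ms-msdt: scheme. The following is an added example, not code from the bulletin or from Microsoft; the sample relationship file and HTML snippet are constructed, and the relationship type URIs are the standard OOXML ones.

```python
import re
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
           "relationships/oleObject")

# Constructed sample (not from a real document): a document.xml.rels
# with one OLE relationship that points outside the package.
SAMPLE_RELS = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_REL}"
    Target="https://example.invalid/template.html" TargetMode="External"/>
  <Relationship Id="rId2" Target="styles.xml"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"/>
</Relationships>"""

# Constructed sample: a fetched HTML page whose script hands control to
# the ms-msdt: protocol handler (scheme only, no diagnostic arguments).
SAMPLE_HTML = '<script>window.location.href = "ms-msdt:placeholder";</script>'

def external_ole_targets(rels_xml):
    """Return targets of OLE-object relationships marked TargetMode="External"."""
    root = ET.fromstring(rels_xml)
    return [
        rel.get("Target")
        for rel in root.iter(f"{{{REL_NS}}}Relationship")
        if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External"
    ]

def references_msdt_scheme(text):
    """True if the text references the ms-msdt: protocol identifier anywhere."""
    return re.search(r"ms-msdt:", text, re.IGNORECASE) is not None

def scan_docx(path):
    """Open a .docx (a zip) and return every external OLE target in its .rels parts."""
    hits = []
    with zipfile.ZipFile(path) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                hits += external_ole_targets(z.read(name))
    return hits
```

A legitimate document can contain external relationships, so treat a hit from scan_docx as a triage signal and fetch-and-inspect the target (or block it) rather than as proof of exploitation.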


Conti ransomware group ceases operating by shutting down public infrastructure

Conti were behind the catastrophic ransomware attack on the Irish health service (HSE) in 2021, which resulted in approximately 80% of the organisation's systems being encrypted. In May 2022, after crippling ransomware attacks on Costa Rica, the country’s president declared a state of emergency and proclaimed that the country was “at war” with the Conti group.

Also in May 2022, the U.S. Department of State offered a $10 million bounty for information leading to the identification of members who hold leadership positions within the group. This cumulative pressure likely drove the group underground, with members splitting into smaller cells or joining other ransomware operators.


Cisco patch ADM vulnerability that lets attackers reset admin credentials

The vulnerability, tracked as CVE-2022-27511 with a CVSS score of 8.1, affects all currently supported versions of Citrix’s Application Delivery Management (ADM) solution. Once exploited, an unauthenticated attacker with SSH access can, after the next reboot, log on to the ADM using the default administrator password. In addition to applying the necessary patches, Cisco recommends employing IP address segmentation to reduce the risk.

Closing Summary

It is worth mentioning that the specific MFA incident mentioned in the opening note could easily have been avoided if the MFA had required a code, since this would have required another layer of social engineering in which the attacker persuades the victim to forward the code. Therefore, it is strongly recommended that all organisations enable code-based MFA, rather than a simple approval prompt, across all their authentication methods.

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively email us at TBD@integrity360.com for a complimentary, no-commitment consultation. Also feel free to explore the many cyber security resources available on our website.

If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services, such as Managed SIEM and Managed Detection and Response (MDR).

We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.


Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
