Good afternoon, Talos readers.
Just like everyone else in the security world, our week's been dominated by the Kaseya supply chain attack. We went live on pretty much every social media platform we could think of yesterday to update everyone on the current situation and provide some recommendations for how users can stay protected.
You can also stay up to date on all of our coverage around this attack, and associated ransomware campaigns, by reading our blog post, which we will update as more information becomes available.
Upcoming Talos public engagements
Speaker: Edmund Brumaghin
Date: July 10, 2021
Location: Miami Valley Research Park in Dayton, Ohio or virtual
Description: As telework has become the norm throughout the COVID-19 pandemic, attackers are modifying their tactics to take advantage of the changes to employee workflows. Attackers are leveraging collaboration platforms, such as Discord and Slack, to stay under the radar and evade organizational defenses. In this talk, Edmund will go over the recent campaigns we've seen in the wild targeting these types of collaboration apps.
Workshop: Analysing Android malware at VirusBulletin localhost 2021
Speaker: Vitor Ventura
Date: Oct. 7 - 8
Location: Virtual
Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.
Cybersecurity week in review
- The Kaseya attack is the latest sign that ransomware groups' ambitions are growing. While most threat actors will use known vulnerabilities, it's telling that the attackers behind Kaseya exploited a zero-day exploit in Kaseya's software and are looking for a $70 million ransom.
- A small town in Maryland had to completely shut down its computer network after the Kaseya attack. Officials there say all but two of their machines were completely compromised, and now have to manually restore all of them.
- Security researchers reportedly discovered the vulnerability used in the Kaseya attack in April. Unfortunately, the company was not able to get out a patch in time before attackers went on the offense.
- Google Play removed nine malicious Android apps from its storefront. However, the apps were still downloaded 5.8 million times before they were banned.
- A vulnerability in Microsoft's print spooler service is still exploitable even after an emergency patch this week. Microsoft released an update Tuesday, but researchers on Wednesday discovered that the exploit could still bypass the patch.
- FancyBear, a well-known state-sponsored APT, is conducting password-spraying, brute-force attacks across the internet. It was most recently accused to carrying out the SolarWinds supply chain attack.
- A fast-growing, right-leaning social media app called "GETTR" was hacked just a few weeks after it launched. Many users' emails were exposed in the large data scrape, including former Secretary of State Mike Pompeo and Rep. Marjorie Taylor-Greene.
- U.S. President Joe Biden is preparing to formally respond to the recent wave of ransomware attacks against American organizations, including Kaseya. Biden met with his top cybersecurity experts this week to weigh various options, weeks after he met with Russian President Vladimir Putin to discuss disrupting ransomware operators.
- The attackers behind the WildPressure remote access trojan have developed a new Mac version of the malware to target Middle Eastern users. If installed, the RAT can download and execute commands from its operators, collect sensitive information on the victim machine and upgrade itself.
- Security researchers discovered 170 malicious Android apps that are secretly cryptocurrency miners. The apps have reportedly stolen an estimated $350,000 from users who paid to download the apps or phony subscriptions.
Notable recent security issues
Title: Kaseya supply chain attack affecting hundreds of companies
Description: Attackers are actively exploiting the Kaseya VSA endpoint monitoring software to conduct a widespread supply chain attack targeting a number of Managed Service Providers (MSPs), according to multiple reports. Organizations usually use Kaseya VSA to perform centralized orchestration of systems in customer environments. Attackers first infected victims via a malicious automatic update to the software, eventually delivering the REvil/Sodinokibi ransomware. Once active in victim environments, the ransomware encrypts the contents of systems on the network, causing widespread operational disruptions to a variety of organizations that use this software. REvil operates using a ransomware-as-a-service (RaaS) model, with affiliates leveraging a variety of tactics, techniques and procedures (TTPs) to infect victims and coerce them into paying to regain access to systems and data that are affected by the ransomware. In many cases, backup servers are also targeted during network-based ransomware attacks highlighting the importance of a regularly tested offline backup and recovery strategy. A text-based README is written into various directories on the system and functions as a ransom note.
References: /revil-ransomware-actors-attack-kaseya
Cisco Secure Endpoint signatures: Gen:Variant.Graftor.952042, W32.D55F983C99-100.SBX.TG, W32.File.MalParent, W32.RetroDetected
ClamAV signatures: Win.Dropper.REvil-9875493-0, Win.Ransomware.REvil-9875494-0
Cloud IOCs: W32.PingPredicatedDel.ioc, W32.DisableRealtimeMonitoring.ioc, W32.CertutilDecodedExecutableFile.ioc, W32.CertUtilCopy.ioc
Snort SID: 57879
Title: Babuk ransomware code leaks into the wild
Description: A threat actor is using leaked code from the Babuk ransomware to carry out its own attacks. Security researchers discovered last week that Babuk’s ransomware builder tool was uploaded to VirusTotal. Any threat actor could take the code and modify the enclosed ransom note to include their own contact information, and then run the build executable to create customized ransomware encryptors and decryptors that target Windows, VMware ESXi, Network Attached Storage (NAS) x86, and NAS ARM devices. This new actor intentionally misspells Babuk in its ransom note, and only requests $210 for its ransom payment, versus Babuk’s usual millions. Babuk was most recently known for targeting the Washington, D.C. police department.
Snort SIDs: 57873, 57874
Most prevalent malware files this week
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 9a74640ca638b274bc8e81f4561b4c48b0c5fbcb78f6350801746003ded565eb
MD5: 6be10a13c17391218704dc24b34cf736
Typical Filename: smbscanlocal0906.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in03.talos
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: 5807b6aed9040d1a605be638604177226d9eaed0cb260c45cef23abe6ed03fdf
MD5: 1c573e6d61b111dedd8ad2e936710cef
Typical Filename: flashhelperservice.exe
Claimed Product: Flash Helper Service
Detection Name: W32.Auto:5807b6aed9.in03.Talos
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.