Newsletter compiled by Jon Munshaw.
Good afternoon, Talos readers.
We are excited to finally share this LockBit research paper with you all after months of work. Some of our researchers spoke to a ransomware operator, which provided us insight into a threat actor’s day-to-day goals and tactics.
The paper includes information on how the attacker chooses its targets and why it’s easier for the attacker to operate in some countries than others.
Upcoming public engagements with Talos
Date: Feb. 6 - 7
Speakers: Edmund Brumaghin and Nick Biasini
Overview: As the volume of malware samples in the wild has continued to explode in recent years, a lot of effort has been put into the development of automated analysis platforms. These platforms typically execute files in controlled environments to observe their behavior and determine if the file is benign or malicious. As the use of these technologies has increased, adversaries have invested significant resources in developing techniques to circumvent automated analysis and evade detection. Malware developers are also implementing various techniques to make analysis more difficult. Modern botnets have begun leveraging new technologies to make their infrastructure more resilient to disruption by security organizations and law enforcement. This presentation will describe the latest techniques employed by adversaries to evade analysis and detection. It will also cover the new technologies being leveraged to establish C2 communications channels that are resilient against intervention by the security industry and law enforcement. We will discuss specific examples and walk through detailed case studies where these techniques are being employed, as well as how to defend against them more effectively.
Title: Cisco Live 2021
Date: March 30 – April 1
Speakers: Nick Biasini, more TBA
Overview: Join us for the annual Cisco Live conference, this year taking place across the globe at the same time virtually for the first time. Cisco Live is your destination for year-round technical education and training. There will be many on-demand sessions to choose from throughout the conference. Nick Biasini of Talos Outreach will provide a broad overview of the past year’s threats and trends we’ve been seeing, with a specific focus on dual-use tools and supply chain attacks. Additional sessions will be announced in the coming weeks.
Cybersecurity week in review
- A joint effort by American and European law enforcement agencies led to the takedown of the Emotet botnet. The joint effort dismantled the infamous threat by taking over C2 domains and redirecting that traffic.
- Facebook is working on a notification that will prompt users to opt into personalized ads as Apple works on a change to its privacy settings. A future version of iOS will allow users to restrict what types of information apps collect on them.
- A separate state-sponsored actor may have exploited a different SolarWinds vulnerability than the one already disclosed. The attackers may have breached the U.S. Department of Agriculture.
- Fewer ransomware victims are opting to pay the requested extortion payments in return for access to their locked files. But this has driven up the price of the ransom requests actors are making.
- The popular WallStreetBets forum on Reddit was flooded with bots this week looking to capitalize on its recent rise of fame. The subreddit is at the center of the recent rise in GameStop stock, and bots were hoping to capitalize by convincing users to invest in other stocks.
- Last month’s riot on the U.S. Capitol showed how accessible facial recognition technology has become. Average internet users have been able to identify several participants and report them to law enforcement.
- A county in South Carolina is still reeling weeks after a cyber attack. Officials from the local government say it could be days before the court system and treasurer’s office are back to normal operations.
- Cryptocurrency scams are on the rise on Discord. The popular chatting platform has seen private servers targeted by promises of free virtual currency, pointing users to malicious links.
- A new version of the Agent Tesla trojan adds new delivery and evasion techniques. Security researchers say the malware is targeting Microsoft Anti-Malware Software Interface to bypass detection.
Notable recent security issues
Description: U.S. officials say a suspected state-sponsored attack on U.S. government agencies and companies may have further-reaching consequences than just SolarWinds products. A new report states that the attackers linked to the SolarWinds breach may have exploited other vulnerabilities to gain an initial foothold on victims’ networks other than the ones already disclosed in SolarWinds products. The effects of this campaign are potentially staggering, and officials and security researchers are still unpacking the attack. Victims reportedly include government agencies and consulting, technology, telecom, and oil and gas companies in North America, Europe, Asia and the Middle East, according to FireEye. Several reports also indicate that the U.S. Treasury and Commerce departments were also targeted in what is likely related to the same activity.
Snort SIDs: 56660 - 56668
AMP: Trojan.Sunburst.[A-Z], Trojan.Teardrop.[A-Z]
ClamAV: Win.Countermeasure.Sunburst-9816012-0, Win.Countermeasure.Sunburst-9809153-0, Win.Countermeasure.Sunburst-9816013-0, Win.Countermeasure.Sunburst-9809152-0, Win.Dropper.Teardrop-9808996-3, PUA.Tool.Countermeasure.DropperRaw64TEARDROP-9808998-0
Description: Cisco Talos recently spent several weeks speaking to an operator associated with the LockBit ransomware. The actor’s TTPs they disclose are yet another reminder for all organizations to remain vigilant about these seemingly unsophisticated, common cybercriminals who, despite their straightforward approach to targeting and operations, continue to be highly successful in compromising companies and wreaking havoc on unsuspecting victims. Other findings include that many cybercriminals rely almost exclusively on common open-source tools that are readily available on the internet and easy to use and they rely solely on victims who have unpatched environments.
Snort SIDs: 54910-54917
Most prevalent malware files this week
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
Typical Filename: FlashHelperService.exe
Claimed Product: Flash Helper Service
Detection Name: W32.Variant.24cl.1201
Typical Filename: pmropn.exe
Claimed Product: PremierOpinion
Detection Name: PUA.Win.Adware.Relevantknowledge::231753.in02
Typical Filename: svchost.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
Typical Filename: santivirusservice.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.