Welcome to this week’s edition of the Threat Source newsletter.

The war in Ukraine has involved misinformation since before Russia’s ground forces invaded the country. So, it’s not really a shock that we’ve reached the stage of information warfare where deepfake videos are involved.

Last week, a video made its rounds on social media appearing to show Ukrainian President Volodymr Zelensky telling Ukrainian soldiers to lay down their arms against Russian forces. It was, thankfully, quickly debunked as being fake and manipulated. On its face, that’s good news, but the bad news is pretty much anyone would have noticed the video was fake.

On first watch, I could clearly see that the video was overly pixelated, his voice sounded deeper than what I was used to hearing in other news coverage, and his head just seemed...off. It didn’t take long for the internet at large to catch on and for Zelensky himself to debunk the video. The problem is, this was the best-case scenario for a deepfake video because it was so obvious.

The next time there’s a deepfake video used in the information warfare portion of this invasion, it may not be as clearly fake. Even just days after that Zelensky video hit Twitter, another one appeared of Russian leader Vladimir Putin appearing to declare peace. This one was immediately much harder for me to notice as fake, but thankfully, Twitter sleuths and the media had already done some digging for me to flag it before I saw it.

That Putin video, and other infamous deepfakes like this one of Jordan Peele pretending to be Barack Obama, show that bad actors have gotten incredibly good at creating deepfake videos and photos, as we’ve outlined in previous posts.

The Zelensky video made for a great opportunity for social media companies to take a victory lap that they quickly blocked and banned the video. But what happens when more talented actors spread the next, inevitable deepfake? Will it take social media companies more than a few hours to see it? Will even the most seasoned internet users be fooled? The next time you see a video, I encourage you to check it against this list of steps MIT created to spot a deepfake. Things are too high-risk in Ukraine right now to risk sharing any misinformation, even if it’s just to a few of your friends or followers.

The one big thing

Ransomware actor names are so confusing — we’ve got BlackCat, BlackMatter, DarkSide (which is the same thing as BlackMatter, apparently) and Babuk, which sounds like the name of the monster I used to be afraid was living under my bed when I was little. Many of these threat actors will have affiliates and individuals jump between them — but is there a deeper connection?

Our researchers recently looked at BlackCat and BlackMatter to see if the two groups do more than just share code. The actors have publicly said there’s no formal relationship between the two, but even if that’s the case, we found several connections between their tactics, techniques and procedures (TTPs) that show how larger ransomware groups fit into the broader ransomware community.

Why do I care? 

Ransomware-as-a-service has been on the rise over the past few years. These groups offer their tools to threat actors (for a fee, of course) and then a cut of whatever profits those actors make off attacks using those tools.  

The fact that many individuals have jumped ship from BlackMatter to BlackCat shows that the RaaS trend isn’t going anywhere any time soon. Plus, it’s further proof that BlackCat is the next big ransomware group to watch, considering BlackMatter was part one of the largest cyber attacks in 2021 by targeting the Colonial Pipeline and disrupting gas services to the Eastern U.S. 

Groups around the world are already being targeted by BlackCat, though of particular note is that U.S.-based companies have so far made up 30 percent of their targets. 

So now what? 

While we don't know how related BlackCat is to BlackMatter, we assess with moderate confidence that based on the tools and techniques of these attacks and overlapping infrastructure, BlackMatter affiliates were likely among the early adopters of BlackCat. 

As we have seen several times before, RaaS services come and go. Their affiliates, however, are likely to simply move on to a new service. And with them, many of the TTPs are likely to persist. It’s not really a matter of if, but when, your organization will be the target of a ransomware attack. The important thing is catching the attack early and having a plan in place to remeidate the situation as quickly as possible. 

Other newsy nuggets

The White House doubled down on warnings that Russian state-sponsored actors could soon launch cyber attacks against U.S. companies and critical infrastructure. The U.S. government has warned for months that attacks are eminent as Russia looks to respond to Western sanctions over the invasion of Ukraine. So far, the invasion has not involved wide-scale attacks as many security experts expected. But it’s unclear why that’s the case, or whether the pattern will hold as the conflict drags on and economic penalties mount for Russia. (The New Yorker, CBS News)

The Lapsus$ threat actor made waves this week, reportedly targeting Microsoft and authentication company Okta in successful cyber attacks. Okta officials said attackers obtained remote access to a company machine and took several screenshots, which could affect more than 360 customers. Several major companies use Okta’s software to authenticate internal users, including FedEx and Moody’s Inc. Meanwhile, Microsoft confirmed the same group also broke into their network, though “no customer data or code” was affected, despite Lapsus$ bragging that it stole Microsoft source code. (Reuters, TechMonitor, Bleeping Computer)

The losses keep piling up for the Conti ransomware group. After a trove of data and chat logs were leaked earlier this year, a leaker posted the source code of the Conti ransomware version 3 to VirusTotal. There’s a password to access the archive, but it’s very easy for any user to guess. On top of that, Google also disclosed the existence of an initial access broker who was working with Conti and a Russian state-sponsored actor. It’s not all bad for Conti, though. As reporters continue to dive into the leaked documents from the group, they found that the average Conti member earns roughly $1,800 a month. (Google, ThreatPost, ZDNet)

Can’t get enough Talos?

Upcoming events where you can find Talos

RSA 2022 (June 6 – 9, 2022)
San Francisco, California

Cisco Live U.S. (June 12 – 16, 2022)
Las Vegas, Nevada

Most prevalent malware files from Talos telemetry over the past week

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3
Typical Filename: DOC001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
MD5: 3e10a74a7613d1cae4b9749d7ec93515
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::1201

SHA 256: 94e50729a9ccf722ecc62bf766404e1520d5a5a9b44507c7d74dc4ff5cad991c
MD5: 376ead6e862e2957628576a77c08d1e1
Typical Filename: LyricsTube.exe
Claimed Product: LyricsTube
Detection Name: PUA.Win.Adware.Addlyrics::dk

SHA 256: 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6
MD5: 4c9a8e82a41a41323d941391767f63f7
Typical Filename: !!mreader.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Generic::sheath