Threat Source newsletter (May 11, 2023) — So much for that ransomware decline

Welcome to this week’s edition of the Threat Source newsletter.

I wrote a few weeks ago about how, between the public and private sectors, the security community was making some strides in fighting back against ransomware.

Reports indicate that revenue for ransomware actors was down in 2022, and recent disruptions to larger ransomware networks like Hive have at least forced some actors offline for now.

It seems like if you were to survey various cybersecurity researchers, thought leaders and policymakers, there is a mixed consensus on whether ransomware is still the biggest problem defenders still face today.

The White House and U.S. Department of Justice seem bullish on their efforts to shut down ransomware gangs and dark web sites.

But recently, I’ve noticed that ransomware is still making headlines. This is completely anecdotal, but recent major examples come to mind:

A ransomware attack on the city of Dallas, Texas is still disrupting many social services as of Wednesday, including hampering police communications and operations, and potentially putting personal information at risk.
Ransomware group BlackCat claims it was responsible for an attack on Western Digital, a computer drive manufacturer, including stealing partial credit card numbers from customers.

San Bernadino County in California paid $1.1 million to resolve a ransomware incident.
Capita, a U.K.-based outsourcing and professional services company, says a recent ransomware attack on its systems could cost the company up to $25 million, without saying whether that includes a ransom payment.

These are just a handful of examples of recent ransomware attacks, but these stories have made me rethink my stance on where we stand with ransomware in 2023. I am trying to look for the space where both things can be true — ransomware may not be as profitable for actors as it once was, but the volume of attacks may not be changing all that much.

As education around ransomware, cyber insurance and whether to pay a requested ransom improves, a company hit with ransomware may be better prepared to rebound and recover faster than they were in, say, 2020.

Many companies are now keeping incident response teams (like Talos IR) on retainer to help in real-time with attacks, and with everyone shouting from the rooftops about the importance of backups, ransomware victims may be less likely to pay the ransom than they once were and simply rely on backups and Golden Images to recover quickly and resume normal business operations.

It’s too soon to make definitive statements about ransomware in 2023, but I’ll definitely be interested to see the next round of “Year in Review” reports come February 2024 to find out if ransomware is still the one thing we should all be talking about.

The one big thing

Talos researchers have discovered a new phishing-as-a-service tool called “Greatness” that’s being used in the wild to target businesses across multiple continents. Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots.

Why do I care?

Greatness creates convincing phishing pages to steal Microsoft Office login credentials from large organizations. Since it’s an “as a service” tool, anyone could conceivably purchase access to this tool. We’ve already seen it be used in attacks dating back to mid-2022 so there’s no reason to believe this threat won’t be around for a while.

So now what?

Although Greatness is a new and advanced phishing threat, detection and prevention essentially remain the same as with all phishing and spam threats. All organizations should have education in place to teach users about the dangers of phishing and how to spot illegitimate emails, attachments and links.

Top security headlines of the week

Newer exploit code for the critical PaperCut vulnerability is now available that bypasses existing detection. The vulnerability, tracked as CVE-2023-27350, is an unauthenticated remote code execution vulnerability in PaperCut MF or NG versions 8.0 or later that attackers have actively used in ransomware attacks. Exploit code first became available several weeks ago, and the new POC can bypass Sysmon-based detections that are already in place. Microsoft security researchers also say that two Iranian state-sponsored actors are now exploiting the vulnerability in the PaperCut MF/NG print management software: MuddyWater and Charming Kitten. The vulnerability originally received a 9.8 CVSS severity score. (Bleeping Computer, SecurityWeek)

The FBI says it disrupted the infamous Russian Snake malware network this week, using a tool that forced the program to self-destruct on infected computers. A release from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) stated that Snake infrastructure was found in more than 50 different countries. Russia’s Federal Security Service (FSA) was known for using Snake to target high-profile targets and collecting sensitive information, with the FBI calling it Russia’s “premiere espionage tool.” Cybersecurity agencies from several other countries have released details on how potentially infected machines can recover and additional steps taken to ensure Snake’s functionality is continually impaired. (CBS News, CISA)

Two vulnerabilities being actively exploited in the wild headlined a relatively light Microsoft Patch Tuesday this week. In all, Microsoft disclosed 40 vulnerabilities, the fewest in a month since December 2019. One of the zero-day vulnerabilities, CVE-2023-29336, is an elevation of privilege vulnerability in the Win23k kernel mode drive that could allow an adversary to gain SYSTEM privileges. Another, CVE-2023-24932, is a Secure Boot Security Feature Bypass issue that the BlackLotus malware group is already exploiting. In all, this Patch Tuesday includes seven critical vulnerabilities and 33 that are considered “important.” (Talos blog, Krebs on Security)

Can’t get enough Talos?

Upcoming events where you can find Talos

BSidesFortWayne (May 20)

Fort Wayne, IN

Cisco Live U.S. (June 4 - 8)

Las Vegas, NV

Most prevalent malware files from Talos telemetry over the past week

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
MD5: 3e10a74a7613d1cae4b9749d7ec93515
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::1201

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3
Typical Filename: DOC001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201

Intelligence Center

Vulnerability Information

Security Resources

Media

Company

Could the Brazilian Supreme Court finally hold people accountable for sharing disinformation?

The internet is already scary enough without April Fool’s jokes

There are plenty of ways to improve cybersecurity that don’t involve making workers return to a physical office