Good afternoon, Talos readers.
We're writing this on Wednesday for PTO reasons, so apologies if we miss any major news that happens after Wednesday afternoon.
Above, you can watch our awesome live stream from Monday with Brad Garnett from Cisco Talos Incident Response. Brad sat down for a long discussion about the basics of engaging with an incident response team, provided some tips for hybrid work and answered questions live from the audience.
On the written front, we just published new research on the recent wave of cyber attacks against users on the Indian Subcontinent. We recently spotted another set of threat actors trying to spread RATs to India and Afghanistan. Our blog has the latest information on why that matters, and what defenders can do to stay protected.
Upcoming Talos public engagements
Resilient Incident Response: Effective strategies for blocking ransomware attacks at SANS Cyber Solutions Fest
Speaker: Brad Garnett
Date: Oct. 22 at 8:30 a.m. ET
Description: In this session, Brad Garnett, the general manager of Cisco Talos Incident Response, will discuss the practical incident response strategies every CISO and business leader needs for a hybrid workforce. Brad will share his insights from the front lines of the fight against ransomware, explain why organizations need to re-evaluate their existing incident response plans, and describe how Talos is fighting the good fight against evolving adversaries.
Cybersecurity week in review
- The REvil ransomware group is going dark once again after their payment portal and data leak websites were breached. This threat actor already went quiet for a few months earlier this year after the U.S. government blamed it for the Kaseya supply chain attack.
- Many local TV stations across the U.S. experienced disruptions this week after Sinclair Broadcast Group was hit with a ransomware attack. As of Monday afternoon, the company told employees the full extent of the attack was still unknown.
- Twitter suspended two accounts believed to be connected with North Korean state-sponsored actors. The accounts allegedly tried to lure security researchers into clicking on malicious links.
- The U.S. government released a warning last week that attackers are increasingly targeting the country’s water and wastewater systems sector. The report highlights three major campaigns targeting these critical infrastructure organizations since 2020.
- The Biden Administration took several steps over the past week to crack down on illegal cryptocurrency transactions, especially those linked to cyber attacks. This included a warning to private companies that they could face the consequences of sanctions if they deal with virtual currencies that facilitate ransomware payments.
- Rural communities in the U.S. are particularly susceptible to ransomware attacks. As a new profile shows, an attack can sometimes shut down key resident services for weeks because these communities' IT departments are so under-prepared.
- The number of ransomware victims who have paid extortion payments has already risen 30 percent this year compared with 2020. A new report from the U.S. Department of the Treasury found ransomware attacks cost victims $590 million in the first six months of 2021.
- Electronics company Acer announced it was hit with a second cyber attack in less than a week. The attackers behind both campaigns said they wanted to prove a point that the company is behind on its data security practices.
- Hackers reportedly hailing from Turkey compromised a portion of former President Donald Trump's website. A portion of the site briefly displayed positive messages regarding Turkish President Recep Tayyip Erdoğan.
Notable recent security issues
Predecessor to DarkSide ransomware gang could make waves in coming weeks
Major U.S. government agencies released a warning this week that the BlackMatter ransomware could strike major organizations or public sector targets. An advisory from the U.S. Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency stated that BlackMatter is likely a predecessor to DarkSide, the ransomware group known for attacking the Colonial Pipeline earlier this year. The advisory warns businesses that they should implement multi-factor authentication and enact stronger credential rules to prepare for potential BlackMatter attacks. According to the report, the ransomware has already targeted two large food cooperatives in the U.S.
Snort SIDs: 58237, 58238
Multiple vulnerabilities in ZTE MF971R LTE router
Snort SIDs: 57749-57752, 57798, 57799, 57802, 57803, 57829
Most prevalent malware files this week
SHA 256: f0a5b257f16c4ccff520365ebc143f09ccf233e642bf540b5b90a2bbdb43d5b4
Typical Filename: sqhost.exe
Claimed Product: sqhost.exe
Detection Name: W32.Auto:f0a5b257f1.in03.Talos
SHA 256: 8639fd3ef8d55c45808f2fa8a5b398b0de18e5dd57af00265e42c822fb6938e2
Typical Filename: SqlBase.exe
Claimed Product: SqlServerWorks.Runner
Detection Name: W32.8639FD3EF8-95.SBX.TG
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: 0e043149a1970990d0098bf986585bf2f224e4be7407348ff91efe89f8c5999c
Typical Filename: S A Service.exe
Claimed Product: S_A_Service
Detection Name: W32.Auto:0e043149a1.in03.Talos
SHA 256: 33677846134841aa2541b5707102646aeedb1fc32a717a58e89a6ff69f0ef7bb
Typical Filename: 461502.exe
Claimed Product: N/A
Detection Name: W32.3367784613-100.SBX.TG
Keep up with all things Talos by following us on Twitter. Snort and ClamAV also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you're not already, you can also subscribe to the weekly Threat Source newsletter here.