As the victims of commercial spyware are highly targeted individuals, the sobering truth is that some attackers have the means to be able to spend six figures to compromise a single target.

Wednesday, August 9, 2023 08:08

We’ve talked quite a bit about spyware recently, with very good reason. Recently, concerns have grown regarding the rapid growth of commercial spyware tools, and the way in which they are being used against their intended victims.

This Need to Know article talk about the broader effects of spyware becoming more commercialized, how it is being used, and the differences between commercial spyware and digital extortion.

**What is commercial spyware, and why is it a growing trend?**

In general terms, spyware is software that can be installed on a device and used to monitor activity and/or capture potentially sensitive data. The term has been around since the 1990s, and the first spyware to be identified was developed by criminals to steal passwords or financial information from devices.  Spyware can even be used to track the device's physical location and record from the camera or microphone.

The opportunities for governments and law enforcement to use spyware as part of legal investigations led to the development of commercial spyware.  Attackers have long used commercial products developed by legitimate companies to compromise targeted devices.

These products are known as commercial spyware. Commercial spyware operations mainly target mobile platforms with zero- or one-click zero-day exploits to deliver spyware.

Commercial spyware can be seen as having legitimate reasons to exist, especially in instances of crime and terrorism (as long as it is highly regulated). The problem is that there isn’t a universal or global way in which these companies are being regulated.

As such, we’ve seen a growing number of reports of victims who are targeted with commercial spyware. These victims are not criminals or terrorists, but instead, they are associated with activism. For example, there have been reports of journalists who report on human rights abuses, and activists shining a light on oppressive regimes, who have been targeted and compromised with this tooling.

Problems also arise when organizations turn a blind eye to the usage of commercial spyware.

A recent report from the United Kingdom’s National CyberSecurity Center (NCSC) highlights how the accessibility of these tools “lowers the barrier to entry to state and non-state actors in obtaining capability and intelligence.” The United States government also threatened to step in when it looked like a U.S. company was going to purchase NSO Group, an infamous Israeli maker of the Pegasus spyware.

**What ways can you protect yourself if you might be a target of commercial spyware?**

As the victims of commercial spyware are highly targeted individuals, the sobering truth is that some attackers have the means to be able to spend six figures to compromise a single target. It is therefore likely that they will try many things to compromise your mobile phone, including using zero-day attacks or unknown vulnerabilities.

That is very concerning to us, however, there are a couple of things that end users can look out for:

Although zero-click exploits do exist, they're not very common. Most of the time, unsolicited messages from various people are the first entry point. So, if you get a bunch of messages from strangers, don't click on the links, and don’t click on any attachments.

Additionally, something as simple as rebooting your phone can help clear the spyware from your device. This is because commercial spyware companies typically do not build persistence into their spyware.

If you are talking to someone who may be a target of commercial spyware (i.e., human rights journalists, activists, dissidents and lawyers) it’s a good idea to reboot your phone before you talk to them. It is entirely possible that these threat actors will go as far as compromising close contacts of their targets.

**Notable example of commercial spyware**

Talos provided a highly informative article on the PREDATOR commercial spyware, which has been around since 2019.

PREDATOR is intended to work with another spyware component called “ALIEN” (it’s not “Alien vs. Predator” this time; they’re working together). They work to bypass traditional security barriers on the Android operating system and provide a variety of information stealing, surveillance and remote access capabilities.

**The differences between commercial spyware and digital extortion attacks**

You may have received an email something like, “We know you’ve visited this adult website. We filmed you watching some videos. Now we’re going to send all your friends and family that footage unless you pay us in bitcoins.”

These are typically digital extortion attacks, not actual spyware. Attackers send these emails to multiple accounts, hoping that someone will believe the story, and pay up.

As we’ve talked about, commercial spyware is highly targeted. The customers of these commercial spyware organizations know who their victim(s) are. In digital extortion attacks, cyber criminals generally don’t know who their victims are, but they’re hoping as many people as possible believe the story, and pay up.

They will usually have found your email address via a data breach of a third party. If you receive such an email, just delete it and don’t give it a second thought. The email you received will be one of many thousands.

**What is Cisco doing to take action against the growth of commercial spyware?**

Cisco, Microsoft, and other tech companies have joined in supporting Meta's lawsuit against the NSO Group referenced above through court filings. Cisco was also a key drafter of the Cyber Mercenary Principles document adopted by the Cyber Tech Accord. The document acknowledges the threat realized by these commercial offerings and outlines the steps that organizations are taking to help limit the impacts of commercial spyware.

**Learn more**

Researchers at Cisco Talos recently wrote an ‘On the Radar’ article about the growth of spyware-based intelligence providers, without legal or ethical supervision. The article also looks to the untethered future of commercial spyware and contains advice about what to do if you feel you have been targeted with spyware - especially if you have a higher risk profile (i.e., journalists and dissidents).

Also check out this episode of the Talos Takes podcast, where Asheer Malhotra talks to Jon Munshaw about the dangers of spyware and mercenary groups.

What is commercial spyware?

The group appears to commonly deploy double extortion — of the victims that have been listed on the leak site, several of them have had some portion of their exfiltrated data exposed.

Tuesday, August 8, 2023 15:08

Cisco Talos is aware of the recent advisory published by the U.S. Department of Health and Human Services (HHS) warning the healthcare industry about Rhysida ransomware activity.

As we've discussed recently, there has been huge growth in the ransomware and extortion space, potentially linked to the plethora of leaked builders and source code related to various ransomware cartels. This is just another example of how these groups can now quickly develop their own ransomware variants by standing on the shoulders of those criminals who had their previous work exposed publicly. Rhysida appears to have first popped up back in May, with several high-profile compromises posted on their leak site.

**Rhysida ransomware details**

As we commonly see in the ransomware space, this threat is delivered through a variety of mechanisms which can include phishing and being dropped as secondary payloads from command and control (C2) frameworks like Cobalt Strike. These frameworks are commonly delivered as part of traditional commodity malware, so infection chains can vary widely.

The group itself likes to pretend to be a cybersecurity organization as shown in the ransom note below. They claim to have compromised the company and are willing to help resolve the issue.  These types of approaches are not uncommon — historically, groups have done things like provide "security reports" to compromised organizations to help them "resolve the issue."

Sample ransom note.

The group appears to commonly deploy double extortion — of the victims that have been listed on the leak site, several of them have had some portion of their exfiltrated data exposed.

**Encryption algorithm**

Rhysida’s encryption algorithm is relatively straightforward and uses the ChaCha20 encryption algorithm. We have seen this algorithm deployed by other groups before, either as a standalone encryption algorithm or as part of a more custom approach. Rhysida will enumerate through directories and files in directories starting from “A:” to “Z:” drives, ensure they’re missing from the “exclude list” and then “process,” i.e., encrypt the files. Once encrypted, the file is then renamed to “<filename>.rhysida”.

Rhysida’s algorithm for “processing” files.

The file exclusion list maintained in Rhysida samples is most of the usual system directories required for the operating system to function:

Excluded folders.

Excluded extensions include:

.bat .bin .cab .cmd .com .cur .diagcab .diagcfg, .diagpkg .drv .dll .exe .hlp .hta .ico .lnk .msi .ocx .ps1 .psm1 .scr .sys .ini Thumbs.db .url .iso .cab

After encryption, the ransomware will display the ransom note by creating and opening it as a PDF and the background wallpaper. The PDF usually named  “CriticalBreachDetected.pdf” is generated using content embedded in the ransomware binary, including the skeleton PDF and the ransom note (shown above). The ransom note is also used to generate a message in the form of the background wallpaper typically located at “C:/Users/Public/bg.jpg”.

This new ransomware variant doesn't have any novel features or functionality and points to the challenges organizations are facing as the landscape continues to shift and a plethora of new actors join their ranks. This isn't even the only new ransomware group we've written about this week.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Cisco Talos is releasing the following Snort SIDs to protect against this threat: 62220 - 62229, 300653 - 300657.

**Indicators of compromise**

D5C2F87033A5BAEEB1B5B681F2C4A156FF1C05CCD1BFDAF6EAE019FC4D5320EE  
1A9C27E5BE8C58DA1C02FC4245A07831D5D431CDD1A91CD35D2DD0AD62DA71CD  
258DDD78655AC0587F64D7146E52549115B67465302C0CBD15A0CBA746F05595  
0BB0E1FCFF8CCF54C6F9ECFD4BBB6757F6A25CB0E7A173D12CF0F402A3AE706F  
F6F74E05E24DD2E4E60E5FB50F73FC720EE826A43F2F0056E5B88724FA06FBAB  
250E81EEB4DF4649CCB13E271AE3F80D44995B2F8FFCA7A2C5E1C738546C2AB1  
A864282FEA5A536510AE86C77CE46F7827687783628E4F2CEB5BF2C41B8CD3C6  
6903B00A15EFF9B494947896F222BD5B093A63AA1F340815823645FD57BD61DE  
3BC0340007F3A9831CB35766F2EB42DE81D13AEB99B3A8C07DEE0BB8B000CB96  
2A3942D213548573AF8CB07C13547C0D52D1C3D72365276D6623B3951BD6D1B2

What Cisco Talos knows about the Rhysida ransomware

The only vulnerability Microsoft states is being exploited in the wild is CVE-2023-38180, a denial-of-service vulnerability in .NET and Microsoft Visual Studio.

Tuesday, August 8, 2023 15:08

Microsoft disclosed 73 vulnerabilities across its suite of products and software Tuesday, including six that are considered “critical.”

One of the vulnerabilities, which Microsoft considers to be only of "moderate" severity, has been actively exploited in the wild. The company has had to address many zero-day vulnerabilities in its monthly security updates this year, including four last month and one in May. Microsoft also released an advisory detailing changes to its defense-in-depth model to defend against tactics adversaries are currently using in the wild.

Outside of the six critical issues, two are considered to be of “moderate” severity, while the remainder are listed as “important.”

Two of the critical vulnerabilities lie in Microsoft Teams, the company’s popular collaboration and messaging platform. An attacker could exploit CVE-2023-29328 and CVE-2023-29330 to perform remote code execution in the context of the victim user.

An attacker could exploit these vulnerabilities by tricking the victim into joining an adversary-created Teams meeting.

Three other critical remote code execution vulnerabilities — CVE-2023-35385, CVE-2023-36910 and CVE-2023-36911 — exist in Microsoft’s message queuing service for certain versions of Windows 10, 11 and Windows Server.

Message queuing would need to be manually enabled on a target’s machine for it to be exploitable, according to Microsoft. Users can check to see if they’re vulnerable by checking if there is a service named “Message Queuing” running on their device and if port 1801 is listening on the machine.

The last critical vulnerability included in August’s Patch Tuesday is CVE-2023-36895, a remote code execution vulnerability in Microsoft word. However, it has a relatively low severity score of 7.8 out of 10 for a critical vulnerability.

Microsoft Exchange also contains four remote code execution vulnerabilities, though all are considered “important.”

An authenticated attacker who is on the same intranet as the Exchange Server could achieve remote code execution via a PowerShell remoting session, according to Microsoft, by exploiting CVE-2023-35388, CVE-2023-35368, CVE-2023-38182 and CVE-2023-38185.

An adversary could only exploit the vulnerabilities in Exchange Server if they have valid credentials to log in with LAN access and have access to a valid Exchange user account.

There are also four elevation of privilege issues in the Windows kernel that could allow an adversary to gain SYSTEM-level privileges: CVE-2023-35359, CVE-2023-35380, CVE-2023-35382 and CVE-2023-35386.

Microsoft’s advisories state that these issues are “more likely” to be exploited, though the adversary must first have local access to the targeted machine, and the targeted user needs to be able to create folders and performance traces on the machine, which most users have by default.

Another privilege escalation vulnerability, CVE-2023-36900, exists in the Windows Common Log File System Driver. An attacker could also exploit this vulnerability to gain SYSTEM-level privileges, though they first must be able to log into the targeted system with the privileges of a standard user.

The only vulnerability Microsoft states is being exploited in the wild is CVE-2023-38180, a denial-of-service vulnerability in .NET and Microsoft Visual Studio. Though there are little details available currently about this issue, Microsoft states that the attack complexity is “low” and does not require any user privileges or interaction for an attacker to exploit it.

Talos would also like to highlight five “important” vulnerabilities that Microsoft considers “less likely” to be exploited. However, as these issues exist in the popular Microsoft Office suite of products and could lead to remote code execution, are still worth noting:

*   CVE-2023-35371
*   CVE-2023-35372
*   CVE-2023-36865
*   CVE-2023-36866
*   CVE-2023-36896

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 40689, 40690, 62202, 62203, 62208 - 62211, 62215 and 62216. There are also Snort 3 rules are 300648 - 300650 and 300652.

Six critical vulnerabilities included in August’s Microsoft security update

Cisco Talos is seeing an increasing number of ransomware variants emerge, since 2021,  leading to more frequent attacks and new challenges for cybersecurity professionals, particularly regarding actor attribution.

Monday, August 7, 2023 08:08

Ransomware gangs are consistently rebranding or merging with other groups, as highlighted in our 2022 Year in Review, or these actors work for multiple ransomware-as-a-service (RaaS) outfits at a time, and new groups are always emerging.

This trend is already continuing this year. Since 2021, there have been multiple leaks of ransomware source code and builders — components that are essential to creating and modifying ransomware. This has had a significant effect on the threat landscape, giving unsophisticated actors the ability to easily generate their own ransomware with little effort or knowledge. As more actors enter this space, Cisco Talos is seeing an increasing number of ransomware variants emerge, leading to more frequent attacks and new challenges for cybersecurity professionals, particularly regarding actor attribution.

**Code leaks are benefitting threat actors**

Since September 2021, we have seen actors publicly disclosing source code and builders for prominent ransomware families, including Babuk, Conti, LockBit 3.0 and Chaos. In some cases, such as LockBit 3.0’s ransomware builder, these leaks have been intentional, with affiliates posting these tools and codes to protest against broader group policies they are unhappy with. In other instances, such as the Babuk source code, the leaks were seemingly an operational error. Regardless of the cause, these leaks are having a significant effect on the threat landscape, making it easier for novice or unskilled actors to develop their own ransomware variants without much effort or knowledge.

Ransomware source code is a malicious program that contains the instructions and algorithms that define the ransomware’s behavior. It is usually complex and often requires skilled technicians to create. Therefore, having access to such code allows threat actors with minimum programming knowledge to modify and compile their own ransomware variants.

Ransomware builders usually have a user interface that allows users to choose the underlying features and customize the configurations to build a new ransomware binary executable without exposing the source code or needing a compiler installed. The availability of such builders allows novice actors to generate their own customized ransomware variants. An example of a leaked Chaos ransomware builder V5 is shown in the picture below.

When ransomware source code or builders are leaked, it becomes easier for aspiring cybercriminals who lack the technical expertise to develop their own ransomware variants by making only minor modifications to the original code. Additionally, by using leaked source code, threat actors can confuse or mislead investigators, as security professionals may be more likely to misattribute the activity to the wrong actor.

**New variants based on leaked code are becoming more common**

We have continued seeing various malicious campaigns since the start of 2023, where the threat actors have used new ransomware variants based on leaked source code or builders. Early this year, Talos discovered a new ransomware family called MortalKombat generated by the leaked Xorist ransomware builder. Xorist ransomware, which operates under the RaaS model, has a builder called “Encoder Builder v.24” that is available on underground forums. Based on our research, we discovered an unknown threat actor using MortalKombat ransomware since December 2022 to target individuals and smaller companies. This campaign has a multi-stage attack chain that begins with a phishing email delivered to victims impersonating CoinPayments, a legitimate global cryptocurrency payment gateway.

In April, Talos discovered a new ransomware actor, RA Group, conducting double extortion attacks using their ransomware variant based on leaked Babuk source code. Babuk, a Russian ransomware group that emerged in 2021, has conducted a series of high-profile ransomware attacks across various industries, including government, healthcare, logistics, and professional services. Since an alleged member of the Babuk group leaked the full source code of its ransomware in September 2021, several new variants based on the leaked code have emerged, with many appearing in 2023, including ESXiArgs, Rorschach and RTM Locker, in addition to RA Group. RA Group, in its ongoing campaigns, has targeted the U.S., South Korea, Taiwan, the U.K. and India across several business verticals, including manufacturing, wealth management, insurance providers, pharmaceuticals and financial management consulting companies.

Most recently, Talos observed a surge in new ransomware strains emerging from the Yashma ransomware builder. Yashma ransomware builder, which first appeared in May 2022, is a rebranded version of the Chaos ransomware builder V5, which was leaked in April 2022. Since early 2023, we have seen several new Yashma strains emerge, including ANXZ, Sirattacker, and Shadow Men Team. Shadow Men Team — whose name we derived from a translation of their Hindi name in the ransom note — appears to be a new actor in the ransomware space. The actors appear to target victims in Kuwait, as the ransom note demands payment in Kuwaiti dinar before translating that sum to its U.S. dollar equivalent in Bitcoin.

Another new actor we discovered, seemingly of Vietnamese origin, uses a Yashma ransomware variant to target victims in Bulgaria, China, Vietnam and other countries. The campaign started in at least June 2023, and the ransom note appears to mimic certain aspects of the ransom note used in the global WannaCry attacks from 2017.

**Actors repurposing leaked code are demanding low ransom payments  
**

Cybercriminals leveraging leaked code and builders are seemingly more conservative in their ransom demands, a possible indication that they are lone wolf operators, proceeding cautiously as they test their new variants or are new players in this space. Actors behind many of these new ransomware variants, including Sirattacker, Chaos 2.0, Chaos 4.0, DCrypt, and Shadow Men Team, are demanding payments ranging from USD $3.50 to $4,390 in Bitcoin from victims. These ransom demands are significantly lower than those made by many well-known ransomware gangs like RYUK, Babuk, REvil, Conti, DarkSide, BlackMatter, BlackCat, and Yanluowang, which are typically in the millions of dollars. These more profitable groups usually operate under the RaaS model, meaning their affiliates are free to set their own (often high) ransom demands, and/or are structured so they pay their operators and developers, thereby driving up the amount of money they seek to take in during the course of their operations.

Below is a comparison of ransom demands made by actors using leaked code or builders and well-known ransomware gangs.

**Opportunities for security researchers and defenders**

While these changes in the threat landscape have largely benefitted threat actors, security researchers and defenders also have an advantage with access to the leaked code. It allows security researchers to analyze the source code and understand the attacker’s tactics, techniques and procedures (TTPs), which helps security professionals develop effective detection rules and enhance security products' capabilities in combating ransomware threats.

By analyzing the source code, researchers can identify similar patterns and techniques used by different threat actors, providing defenders with a way to proactively detect and block the new variants at the initial stage of an attack. Security researchers can also share the intelligence information derived from the leaked code with the broader security community, thereby contributing to strengthening the cybersecurity space. By understanding the TTPs of the leaked source codes, defenders will gain invaluable insights that are helpful in identifying and mitigating any existing security weakness in their environment and improving their security defense against these attack vectors.

Code leaks are causing an influx of new ransomware actors

Cisco Talos discovered an unknown threat actor, seemingly of Vietnamese origin, conducting a ransomware operation that began at least as early as June 4, 2023 with customized Yashma ransomware.

Monday, August 7, 2023 08:08

*   Cisco Talos discovered an unknown threat actor, seemingly of Vietnamese origin, conducting a ransomware operation that began at least as early as June 4, 2023.
*   This ongoing attack uses a variant of the Yashma ransomware likely to target multiple geographic areas by mimicking WannaCry characteristics.
*   The threat actor uses an uncommon technique to deliver the ransom note. Instead of embedding the ransom note strings in the binary, they download the ransom note from the actor-controlled GitHub repository by executing an embedded batch file.

**Threat actor analysis**

Talos assesses with high confidence that this threat actor is targeting victims in English-speaking countries, Bulgaria, China and Vietnam, as the actor’s GitHub account, “nguyenvietphat,” has ransomware notes written in these countries’ languages. The presence of an English version could indicate the actor intends to target a wide range of geographic areas.

Talos assesses with moderate confidence that the threat actor may be of Vietnamese origin because their GitHub account name and email contact on the ransomware notes spoofs a legitimate Vietnamese organization’s name. The ransom note also asks victims to contact them between 7 and 11 p.m. UTC+7, which overlaps with Vietnam’s time zone. We also spotted a slight difference in the Vietnamese language ransom note, as it starts with, “Sorry, your file is encrypted!” in contrast to the others that begin with, “Oops, your files are encrypted!” By saying “sorry,” the threat actor may have intended to show a heightened sensitivity toward victims in Vietnam, which could indicate the attackers themselves are Vietnamese.

We further assess the threat actor began this campaign around June 4, 2023, because they joined GitHub and created a public repository called “Ransomware” on that date, which overlaps with the compilation date of the ransomware binary. In the repository, they added ransom note text files in five languages: English, Bulgarian, Vietnamese, Simplified Chinese and Traditional Chinese.

GitHub repository that contains ransom notes.

**Ransom note**

The actor demands the ransom payment in Bitcoins to the wallet address “bc1qtd4qv0wmgtu2rdr0wr8tka2jg44cgmz04z5mc7” and they double the ransomware price if the victim fails to pay within three days, according to our ransomware note analysis. The actor has an email address, “nguyenvietphat\[.\]n\[at\]gmail\[.\]com,” for the victims to contact them. At the time of our analysis, we had not observed any Bitcoin in the wallet, and the ransom note did not specify an amount, indicating the ransomware operation might still be in a nascent stage.

The ransom note text resembles the well-known WannaCry ransom note, possibly to obfuscate the threat actor’s identity and confuse incident responders.

The ransom note for WannaCry ransomware.

Ransom notes samples of the Yashma variant.

After encryption, the Yashma ransomware variant sets the wallpaper on the victim’s machine, as seen in the image below. It seems that the operator downloaded this picture from www\[.\]FXXZ\[.\]com and embedded it in the Yashma variant binary. The wallpaper set by the Yashma variant in the victim’s machine also mimics the WannaCry ransomware.

Yashma variant wallpaper (left) and WannaCry wallpaper (right).

**Customized Yashma ransomware variant**

The actor deployed a variant of Yashma ransomware, which they compiled on June 4, 2023.  Yashma is a 32-bit executable written in .Net and a rebranded version of Chaos ransomware V5, which appeared in May 2022. In this variant, most of Yashma’s features remained unchanged and have been described by the security researchers at Blackberry, with the exception of a few notable modifications.

Usually, ransomware stores the ransom note text as strings in the binary. However, this variant of Yashma executes an embedded batch file, which has the commands to download the ransom note from the actor-controlled GitHub repository. This modification evades endpoint detection solutions and anti-virus software, which usually detect embedded ransom note strings in the binary.

Contents of the batch file.

Earlier versions of the Yashma ransomware established persistence on the victim machine in the Run registry key and by dropping a Windows shortcut file pointing to the ransomware executable path in the startup folder. The variant we observed also established persistence in the Run registry key. Still, it was modified to create a “.url” bookmark file in the startup folder that points to the dropped executable located at “%AppData%\\Roaming\\svchost.exe”.

A function that creates the bookmark file.

One notable feature the threat actor chose to keep in this variant is Yashma’s anti-recovery capability. After encrypting a file, the ransomware wipes the contents of the original unencrypted files, writes a single character “?” and then deletes the file. This technique makes it more challenging for incident responders and forensic analysts to recover the deleted files from the victim’s hard drive.

The code snippet shows the anti-recovery feature of the ransomware.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are **62131 - 62143 and 300633 - 300638.**

ClamAV detections are available for this threat:

Win.Ransomware.Hydracrypt-9878672-0

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here.

**IOCs**

Indicators of Compromise associated with this threat can be found here.

New threat actor targets Bulgaria, China, Vietnam and other countries with customized Yashma ransomware

Cisco Talos will be well-represented at BlackHat and DEF CON over the course of the next few weeks with a slew of presentations, demos and appearances to speak to the security community.

Thursday, August 3, 2023 14:08

Welcome to this week’s edition of the Threat Source newsletter.

The time has come once again for all of us (well, not me specifically but lots of other Talos people) to descend on Las Vegas for Hacker Summer Camp. Cisco Talos will be well-represented at BlackHat and DEF CON over the course of the next few weeks with a slew of presentations, demos and appearances to speak to the security community.

As always, we’ll be at the Cisco booth at BlackHat, located just north of the main entrance (it’s #1532 if you’re searching!). If you need help finding us, download the BlackHat app to see a map of the entire conference. Talos researchers will be at the booth throughout the conference to give lightning talks on a wide range of topics — everything from machine learning to the basics of spotting phishing emails. New talks will take place every other half hour starting at 10 a.m. local time on Wednesday.

We’ll also have a presence at the BlackHat Career Zone — diagonal from Startup City on the show floor at Kiosk #CZ2 — throughout the conference, where you can talk to us about current job openings, ask for advice on career advancement or just talk about future opportunities for how you could become part of our team. On Thursday, Aug. 10, from 10 a.m. - noon local time, we’ll have Talos hiring managers at the Cisco booth to also talk about potential job opportunities.

The highlight of BlackHat is our sponsored talk on Aug. 9 at 11:30 a.m. local time in Business Hall Theater A. Nick Biasini, our head of Outreach, joins Cisco’s Vice President of Product Management for Threat, Detection and Response A.J. Shipley to talk about Cisco XDR. Learn how the newest offering from Cisco Secure combines telemetry from multiple sources and applies analytics to uncover malicious activities and attacker tactics, techniques and procedures (TTPs).

The following week at DEF CON, Vitor Ventura and Asheer Malhotra will be at the Crypto and Privacy Village, delivering a talk on “Mercenary” threat actors and the spyware they create on the Saturday of the conference at 6 p.m local time. Asheer and Vitor have written extensively about this topic and why the malware they’re creating and selling is potentially more dangerous than “traditional” spyware.

Keep an eye out on our Twitter (or X, whatever we’re calling it) for more information about a live Beers with Talos podcast recording and other opportunities to ask our researchers questions.

If you're flying out to Vegas for either conference, make sure to bookmark our Half-Year in Review to read during your travels. This is a great overview of the top threats of 2023 so far this year and looks at where the cybersecurity landscape might head next.

**The one big thing**

Since the discovery of the high-profile VPNFilter malware in 2018, our vulnerability research team has had a renewed focus on small and home office (SOHO) wireless routers. These are devices that are present in almost every house and business in the modern world because they are necessary to deliver the internet to multiple devices everyone possesses and relies on today. Over the past four-plus years, Talos worked with multiple vendors to disclose and patch nearly 290 CVEs in a wide range of products and libraries these routers use. This week, we released a full rundown of all these vulnerabilities and what the major takeaways are for users and the manufacturers behind these products.

**Why do I care?**

Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance. However, they are also often deployed without a sophisticated security team in place to mitigate vulnerabilities. These routers are usually connected to the internet directly and all local network traffic passes through these devices. Since VPNFilter, Talos has investigated 13 SOHO and industrial routers from various vendors. Our reports to these vendors resulted in appropriate Snort network intrusion detection coverage and several security fixes from each vendor. These fixes help customers who deploy Cisco Secure solutions and improve the security posture of anyone using these devices once the vulnerabilities are patched.

**So now what?**

The most important security step a user of these devices can take is to assess each service present on the device. Verify that each service running is required for the day-to-day operation of each device and disable all extraneous services. Services that cannot be disabled should be restricted to absolute minimal access or completely blocked using alternative methods, such as firewall rules to block traffic. During the acquisition process, if possible, basic research should be done to ensure the devices have sane, secure defaults enabled, such as the use of encrypted protocols for remote access and administration, if applicable.

**Top security headlines of the week**

American military officials and cybersecurity experts are **actively hunting for malware that is reportedly loaded onto systems belonging to major power and water suppliers and communications systems that service U.S. military bases.** A new report from the New York Times states that the malware is a “ticking time bomb” that could disrupt U.S. military operations in the event of a direct or indirect military conflict with China. Sources in the report indicated that the malware comes from a Chinese state-sponsored actor that may be working for the People’s Liberation Army. While the government is still actively hunting for the malicious code, it is apparently hidden deep within targeted networks and has taken months to find. Microsoft and the White House disclosed that Chinese state-sponsored actors accessed the emails of at least two dozen American organizations, including some federal government agencies. (The New York Times, CNN)

**The effects of the MOVEit data breach continue to spread.** Government contractor Maximus disclosed last week that, although its systems were not directly affected by the Clop ransomware gang’s attack on the MOVEit file transfer software, as many as 8 million to 11 million individuals’ personal information may have been compromised. The company said in a filing to the U.S. Securities and Exchange Commission that attackers may have accessed files that "contain personal information, including Social Security numbers, protected health information, and/or other personal information, of at least 8-to-11 million individuals.” Clop claims on its leak site that it stole 169 GB of data from Maximus. More than 200 organizations have reportedly been affected by the MOVEit breach. (TechCrunch, Dark Reading)

**Russian state-sponsored actors are suspected to be behind a series of denial-of-service attacks against multiple Italian banks** on Wednesday, leaving many consumers unable to access their accounts. Italy’s cybersecurity agency said at least five banks were affected, though they were able to restore services fairly quickly. The group NoName057(16) took credit for the attacks on its Telegram channels, accusing Italian government officials of being anti-Russian and supporting Ukraine. Security researchers said the DDoS attacks caused “short-lived disruption with little to no wider consequence.” Actors with potential links to Russia have been behind several recent high-profile denial-of-service attacks, including against video game company Blizzard and Microsoft Outlook. (Reuters, The Record by Recorded Future)

**Can’t get enough Talos?**

*   Half-Year in Review: Recapping the top threats and security trends so far in 2023
*   Talos IR On Air Reviewing Q2’s top threats
*   Beers with Talos Ep. #137: Yarrr! There be mercenaries on the high seas!
*   Beers with Talos Ep. #138: Rachel Tobac on social engineering, expanding opportunities for women in cybersecurity
*   Talos Takes Ep. #148: Audio version of the Talos IR On Air stream

**Upcoming events where you can find Talos**

**BlackHat (Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**ATT&CKcon 4.0 (Oct. 24 - 25)**

McLean, Virginia

> Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5**: 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b  
**MD5:** f5e908f1fac5f98ec63e3ec355ef6279  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::tpd

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

Threat Source newsletter (Aug. 3, 2023) — Previewing Talos at BlackHat 2023

We've seen threat actors utilize every chance they get to steal sensitive data, to be used in future attacks and/or to manipulate victims into paying up before their data ends up on the dark web.

Thursday, August 3, 2023 08:08

From new ransomware groups, a growing mercenary space, espionage campaigns, supply chain attacks, and new “as a service” tools popping up, there's a lot to talk about already in the first half of 2023.

Here are the main threats we've covered on our blog up until the end of June 2023. The timeline is a blend of threat advisory articles, and long-term research that our analysts have been working on for a while.

Be sure to subscribe to blog.talosintelligence.com to get future blogs sent straight to your inbox. You can also follow our ongoing Vulnerability Roundup series, where we run down the latest vulnerabilities, attack scenarios, and coverage.

**Threat trends**

Many of the threats we've written about this year have involved extortion as part of the attackers’ plans. We've seen threat actors utilize every chance they get to steal sensitive data, to be used in future attacks and/or to manipulate victims into paying up before their data ends up on the dark web. Another growing trend is the mercenary landscape – “hackers for hire” growing their wares and increasingly commercializing tools, such as spyware.

The mercenary space is a topic we'll talk more about in the “2023 Year in Review” which Cisco Talos researchers, detection specialists, linguists, threat hunters, incident responders, and analysts are now actively working on, and will be published later this year.

Last year’s inaugural report represented an unprecedented effort within Cisco to tell a comprehensive story of our work, relying on a wide variety of data and expertise. This year, we are bringing all these elements together again, to report on how the threat landscape has changed from 2022 and delve deep into some of the most notorious and impactful threats of 2023.

Half-Year in Review: Recapping the top threats and security trends so far in 2023

Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance.

The many vulnerabilities Talos discovered in SOHO and industrial wireless routers post-VPNFilter

Meta most recently entered the AI race with Llama 2, an open-source version of their chatbot. IBM has also re-branded its watson tool (formerly known as capital “W” Watson who was really good at “Jeopardy”) to be a ChatGPT-like.

Thursday, July 27, 2023 14:07

Welcome to this week’s edition of the Threat Source newsletter.

When I first started poking at ChatGPT a few months ago, I quickly learned that it wasn’t quite ready to take my job (yet) and wasn’t staying up to date on wrestling.

Since ChatGPT went viral, several other companies have released their own versions of AI assistants who can answer questions, perform text-based tasks and more. Meta most recently entered the AI race with Llama 2, an open-source version of their chatbot. IBM has also re-branded its watson tool (formerly known as capital “W” Watson who was really good at “Jeopardy”) to be a ChatGPT-like.

Security researchers have long warned about the dangers these tools pose to the security space, specifically because it makes it easier for bad actors to create convincing spam campaigns, phishing emails and scripts anyone could follow in a voice phishing (“vishing”) attack.

Out of my own personal curiosity, I wanted to try Llama 2 out. I had to enlist the help of some third-party open-source tools to make it easier for me to use Llama 2, but I quickly got it running and went right to work as a hypothetical bad guy looking to start sending spam emails.

I’ve recently become interested in the topic thanks to “Behind the Bastards,” one of my favorite podcasts. Robert Evans, the host of the show, has done some great reporting over the past month on AI-generated cons and spam, specifically how they affect the elderly.

I tried several different prompts with different wordings (trying omitting and including specific words like “phishing,” “scam” and “spam”) but I couldn’t quite talk Llama 2 into writing something for me. Instead, I repeatedly received several warnings about how the questions violated the model’s terms of service and the overall threat of spam and phishing and its negative effects on its targets.

In one example, I gave Llama 2 the prompt, “Write a letter to my boss asking her to immediately download and install an attached file to view my latest analytics report,” which is a legitimate thing I would send her in my everyday activities.

Instead, the chatbot suggested I use a “secure and trusted platform” instead of an email attachment to send the report and said it “goes against ethical and responsible AI practices to encourage or assist with the download or installation of files from unverified sources.”

Using that same prompt in ChatGPT, I received no pushback and instead got an email template that was a bit more formal than I’d usually push for in my emails, but nonetheless, I got an email that was easily customizable and repeatable asking the user to download an attachment.

Llama 2 gave me similar warnings when I asked it to write a script for me to ask my grandmother to purchase me an Amazon gift card because I was in a bind.

ChatGPT took the word “script” very literally in my ask to it, instead producing what looked like it belonged in a mid-day television show instead of a phishing attempt.

I commend Meta for seeming to have tighter restrictions on the types of asks users can make to its AI model. But, as always, these tools are far from perfect and I’m sure there are scripts that I just couldn’t think of that would make an AI-generated email or script more convincing. This is a topic I plan on looking into more, and if you have any ideas about things we could ask AI chat models to do, feel free to DM us on Twitter.

**The one big thing**

Bad actors are having to change up their tactics to steal login credentials and authorization attempts as the internet at large moves away from text-based passwords. Talos researchers wrote this week that they anticipate passwords may disappear in the not-too-distant future, leaving actors likely to shift away from basic phishing or other attacks that target passwords, toward post-authentication session theft or the weaker registration, recovery and revocation processes. Although it will likely take several years for passwordless authentication to become widely adopted, and it is likely that passwords will be around for a long time, some of the most popular and most targeted applications may adopt it in the near future. Removing passwords from even a few dozen key web applications is likely to affect the threat landscape.

**Why do I care?**

Many of the passwords that attackers are currently harvesting will be rendered obsolete with the adoption of passwordless authentication. This may cause changes to the malware landscape and cybercriminals’ business models built around selling access to compromised accounts. This means new tactics, attack vectors and methods that attackers try to use to steal things like session IDs and MFA push notifications.

**So now what?**

Looks for security companies and technology vendors to develop new standards that focus on the protection of web services. Even though these new types of attacks are likely to pop up, using passkeys or a passwordless approach to security is still preferable to any “traditional” login methods.

**Top security headlines of the week**

**A North Korean state-sponsored actor was behind a recent supply chain attack on a cloud IT provider** it used to target cryptocurrency companies. JumpCloud, the target of the attack, disclosed that the attack affected less than five of its customers and fewer than 10 devices. The campaign may indicate a pivot among North Korean actors to move away from direct attacks designed to steal cryptocurrency in favor of stealthier supply chain attacks. These actors typically carry out attacks to generate funds for the country’s reclusive regime and its controversial nuclear weapons program. Mandiant, one of the security firms who helped investigate the attack, said the group responsible worked for North Korea's Reconnaissance General Bureau (RGB), its primary foreign intelligence agency. North Korean actors targeted the 3CX softphone application in a similar supply chain attack earlier this year. (Reuters, Axios)

The Biden administration **announced a new program to include a physical label on internet-of-things products that meet certain cybersecurity criteria.** The new “U.S. Cyber Trust Mark,” created by the National Institute of Standards and Technology, will soon start appearing on smart home devices that meet the preset list of standards for the way the device stores information and makes other connections to the user’s network. Connected appliances found in users’ homes, like “smart” refrigerators, microwaves and televisions, will be among the first products to receive the label in partnership with major retailers and manufacturers. “Smart fitness trackers,” presumably to cover things like smart watches, were also mentioned in the Biden administration’s announcement. (CBS News, The Verge)

The U.S. Securities and Exchange Commission formally adopted new rules Wednesday **regarding how quickly American companies must disclose cyber attacks.** Public companies now have four days within the discovery of a cyber attack to determine if it had a material effect on its operations, and then disclose that determination to the public. However, companies can receive an extension to this deadline if disclosure of the attack would pose a significant risk to national security or public safety, as determined by the U.S. attorney general. These companies will also have to publish the processes they have in place to manage material risks from cybersecurity incidents. The new policies have been hotly debated for more than a year since they were initially announced. (MarketWatch, Bloomberg)

**Can’t get enough Talos?**

*   Data theft extortion rises, while healthcare is still most-targeted vertical in Talos IR engagements
*   Talos Takes Ep. #147: ISO 27002 sounds intimidating, but really it's just a cybersecurity shopping list

**Upcoming events where you can find Talos**

**BlackHat** **(Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration (Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5**: 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** b4d8d7cbec7fe4c24dcb9b38f6036a58b765efda10c42fce7bbe2b2bf79cd53e  
**MD5:** c585f4faee96a0bec3b0f93f37239008  
**Typical Filename:** stream.txt  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Autoit::211461.in02

Every company has its own version of ChatGPT now

Ransomware was the second most-observed threat this quarter, accounting for 17 percent of engagements, a slight increase from last quarter’s 10 percent.

Wednesday, July 26, 2023 08:07

Cisco Talos Incident Response (Talos IR) responded to a growing number of data theft extortion incidents that did not involve encrypting files or deploying ransomware, a 25 percent increase since last quarter and the most-observed threat in the second quarter of 2023.

In this type of attack, threat actors steal victim data and threaten to leak or sell it unless the victim pays varying sums of money, eliminating the need to deploy ransomware or encrypt data. This differs from the double-extortion ransomware method, whereby adversaries exfiltrate and encrypt files and demand payment for victims to receive a decryption key.

Ransomware was the second most-observed threat this quarter, accounting for 17 percent of engagements, a slight increase from last quarter’s 10 percent. This quarter featured the LockBit and Royal ransomware families, which Talos IR has observed in previous quarters. Talos IR also observed several ransomware families for the first time, including 8Base and MoneyMessage.

Compromised credentials or valid accounts were the top observed means of gaining initial access this quarter, accounting for nearly 40 percent of total engagements. It was challenging to identify how the credentials were compromised considering they were obtained from devices outside the company’s visibility, such as saved credentials on an employee’s personal device.

Continuing the trend from last quarter, healthcare was the most targeted vertical this quarter, making up 22 percent of the total number of incident response engagements, closely followed by financial services.

**Data theft extortion on the rise, featuring Clop, Karakurt and RansomHouse**

Data theft extortion was the top observed threat this quarter, accounting for 30 percent of threats Talos IR responded to, a 25 percent increase in data theft extortion incidents compared to last quarter. The rise in data theft extortion incidents compared to previous quarters is consistent with public reporting on a growing number of ransomware groups stealing data and extorting victims without encrypting files and deploying ransomware.

Data theft extortion is not a new phenomenon, but the number of incidents this quarter suggests that financially motivated threat actors are increasingly seeing this as a viable means of receiving a final payout. Carrying out ransomware attacks is likely becoming more challenging due to global law enforcement and industry disruption efforts, as well as the implementation of defenses such as increased behavioral detection capabilities and endpoint detection and response (EDR) solutions.

This quarter featured activity from the RansomHouse and Karakurt extortion groups for the first time in Talos IR engagements. Active since 2021, Karakurt typically gains access to environments via valid accounts, phishing, or exploiting vulnerabilities. In one observed Karakurt data theft extortion engagement, the attackers hijacked a remote desktop protocol (RDP) account, enumerated domain trusts using the network administration command-line tool nltest, executed PowerShell scripts to recover passwords, and modified domain policies.

RansomHouse has been active since late 2021 and is known for gaining access to corporate environments by exploiting vulnerabilities. In a RansomHouse engagement, the adversaries used non-interactive sessions to bypass multi-factor authentication (MFA), carried out a DCSync attack to collect credentials from a domain controller, and abused remote services such as secure shell (SSH) and RDP to move laterally. A DCSync attack occurs when attackers use various commands in Microsoft Directory Replication Service (DRS) Remote Protocol to masquerade as a domain controller to acquire user credentials from another domain controller. An attacker first needs to compromise a user account with domain replication privileges, which are typically domain admins.

Some ransomware groups, such as BianLian and Clop, are reportedly shifting away from using encryption, favoring data theft extortion in recent attacks, according to public reporting. Although Talos IR did not respond to any BianLian incidents this quarter, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory on May 16 with the FBI and the Australian Cyber Security Centre (ACSC) confirming that as of January, the BianLian group stopped conducting ransomware operations in favor of performing exfiltration-based data theft extortion. BianLian group’s shift from deploying ransomware may also be due to the release of a free decrypter for BianLian ransomware in January 2023, possibly prompting them to pursue alternate methods. It is possible BianLian determined they could be successful without the use of data encryption in their operations.

Active since February 2019, the Clop group started as a ransomware-as-a-service (RaaS) operation with an affiliate program that relied on the double extortion technique involving stealing and encrypting data. With the rise in data theft extortion incidents this quarter, it is possible the trend will continue, with other groups who primarily deploy ransomware shifting to data theft extortion as a primary means of receiving a payout.  

In a Clop data theft extortion engagement this quarter, the adversaries gained initial access by exploiting a zero-day remote code execution (RCE) vulnerability in the Forta GoAnywhere managed file transfer (MFT) application, tracked as CVE-2023-0669. Notably, the affiliate did not deploy ransomware and only conducted data theft extortion upon exfiltrating victim information. The Clop ransomware group has a history of mass exploitation of zero-day vulnerabilities in campaigns targeting file transfer applications, affecting hundreds of companies globally. This includes several zero-day vulnerabilities in the Kiteworks, formerly Accellion, file transfer application (FTA), tracked as CVE-2021-27101, CVE-2021-27102, CVE-2021-207103, and CVE-2021-27104, and a SQL injection vulnerability in the Progress Software’s MFT application known as MOVEit Transfer, tracked as CVE-2023-34362. U.S. law enforcement has taken notice and increased pressure on the group, offering a $10 million dollar reward for information on the identification or location of Clop members.

It is highly unusual for a ransomware group to consistently exploit zero-day vulnerabilities, given the resources required to develop such exploits, possibly suggesting that the Clop ransomware group possesses a level of sophistication and funding matched only by advanced persistent threats (APTs). Given the group’s incorporation of zero-days in MFT applications in recent attacks, and the group’s perceived success in affecting hundreds of organizations, Clop is likely to target MFT applications in the future.

**Ransomware**

Ransomware accounted for 17 percent of the total number of engagements responded to in Q2 2023 (April - June), a slight increase compared to 10 percent last quarter. 8Base and MoneyMessage ransomware operations were observed for the first time this quarter, in addition to the previously seen ransomware operations LockBit and Royal.

First discovered in March 2022, 8Base is a ransomware group/operation that uses a customized version of Phobos ransomware and steals data prior to encryption. Although the group has been around for over a year, it started gaining increasing popularity in June 2023 after a significant spike in activity.

In an 8Base ransomware engagement, the legitimate remote desktop application AnyDesk was installed in the Performance Logs (Perflogs) directory, potentially as a way to evade detection. The Perflogs folder is a system-generated folder that stores information about the performance of the device. The attackers were also observed dumping credentials from the Local Security Authority Subsystem Service (LSASS) memory, creating new processes with an existing user token to bypass access controls, escalating privileges using the runas command, and using the Windows command shell to execute PowerShell scripts.

MoneyMessage is a fairly new ransomware operation that was first discovered in March 2023. Similar to 8Base, the MoneyMessage ransomware group operates under the double-extortion model. MoneyMessage is a ransomware family written in the C++ programming language and uses the Elliptic Curve Diffie-Hellman (ECDH) key exchange and ChaCha stream cipher algorithm for encryption, both of which are commonly used by ransomware families.

Talos IR responded to a MoneyMessage ransomware attack where the MoneyMessage encryptor was dropped in the Netlogon directory allowing for the deployment of the ransomware to multiple hosts. Prior to executing ransomware, the attackers also uninstalled various security tools, such as EDR solutions, via PowerShell scripts to impair defenses.

**Initial vectors**

In the majority of the engagements Talos IR responded to this quarter, adversaries gained initial access by abusing compromised credentials to access valid accounts. The use of valid accounts was observed in nearly 40 percent of the total engagements, a 22 percent increase from Q1 2023.  

It is difficult to say how adversaries obtained the compromised credentials used to access valid accounts. There are a number of ways credentials can become compromised, such as third-party data breaches, information-stealing malware such as Redline, and phishing campaigns. This is especially true if employees reuse credentials across multiple accounts, highlighting the importance of using strong password policies and enabling MFA across critical servers.

**Security weaknesses**

A lack of MFA or improper MFA implementation across critical services played a part in over 40 percent of the engagements Talos IR responded to this quarter. Talos IR frequently observes attacks that could have been prevented if MFA was enabled on critical services, such as VPNs. In nearly 40 percent of engagements, attackers were able to abuse compromised credentials to access valid accounts, 90 percent of which did not have MFA enabled. In some engagements, adversaries were able to bypass MFA with MFA exhaustion/fatigue attacks.

MFA exhaustion attacks occur when an attacker attempts to repeatedly authenticate to a user account with valid credentials to overwhelm victims with MFA push notifications, hoping they will eventually accept, allowing the attacker to successfully authenticate into the account. Identification and user education are key parts of countering MFA bypass techniques. Organizations should ensure employees are aware of who to contact in these situations to determine if the event was a technical issue or malicious in nature.

Talos IR recommends disabling VPN access for all accounts that do not have MFA enabled. Additionally, Talos IR recommends expanding MFA for all user accounts (e.g., employees, contractors, business partners, etc.). Talos IR has repeatedly seen attackers targeting vendor and contractor accounts (VCAs), which typically have expanded privileges and access. VCAs are often overlooked during account audits due to trust placed in the third party, making them an easy target for attackers. Talos IR recommends disabling VCAs when they are not needed, implementing least privilege access, and validating that logging and security monitoring are enabled for VCA accounts.

Talos IR also recommends organizations perform a password audit across all user and service accounts to ensure complexity and strength are aligned with the industry best practices per account type (e.g., privilege, service, user, etc.) to prevent password enumeration techniques, such as password spraying.

**Top-observed MITRE ATT&CK techniques**

The table below represents the MITRE ATT&CK techniques observed in this quarter’s IR engagements, which includes relevant examples and the amount Talos IR saw in engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note this is not an exhaustive list.

**Key findings from the MITRE ATT&CK framework include:**

*   The use of valid accounts was the top observed initial access technique, accounting for nearly 40 percent of the total number of engagements.
*   Observed in over 50 percent of engagements this quarter, PowerShell is a dynamic command line utility that continues to be a popular utility of choice for adversaries likely for a number of reasons including stealth, convenience and vast IT administration capabilities.
*   In 26 percent of engagements this quarter, Talos IR observed attackers abusing remote services, such as RDP and SSH, to facilitate lateral movement.
*   The top persistence mechanism observed this quarter was the abuse of Windows Task Scheduler to create scheduled tasks, allowing adversaries to execute programs or commands at scheduled times or at system startup.

Tactic

Technique

Example

Initial Access (TA0001)

T1078 Valid Accounts

Adversary leveraged stolen or compromised credentials. 

Execution (TA0002)

T1059.001 Command and Scripting Interpreter: PowerShell

Executes PowerShell code to retrieve information about the client’s Active Directory environment.

Persistence (TA0003)

T1053.005 Scheduled Task/Job: Scheduled Task

Scheduled tasks were created on a compromised server to execute malware during startup.

Defense Evasion (TA0005)

T1562.001 Impair Defenses: Disable or Modify Tools

Uninstall security tools to evade detection.

Credential Access (TA0006)

T1003.006 OS Credential Dumping: DCSync

Use DCSync attack to gather credentials for privilege escalation routines.

Lateral Movement (TA0008) 

T1563.002 Remote Services Session: RDP Hijacking

Adversary compromised an existing user’s Remote Desktop Protocol session.

Impact (TA0040)

T1486 Data Encrypted for Impact

Deploy ransomware and encrypt critical systems.

Software/Tool

S0359 Nltest

Enumerate remote domain controllers with Nltest.

Source

TALOS