With contributions from Shingo Matsugaya
We delve into three of the most active ransomware families that dominated the first half of 2023: LockBit, Clop, and BlackCat.
Since 2022, our telemetry …
NOTE: I started this story before Operation Cronos. Hence you can see tiny details unfolding before the FBI/Europol Compromise and afterwards. This article mainly focuses on the mighty comeback …
In late 2023, BlackBerry analysts identified a spear-phishing campaign by threat group FIN7 that targeted a large automotive manufacturer based in the United States. FIN7 identified employees at the …
This blog discusses the Darktrace Threat Research team’s investigation into Raspberry Robin, an evasive worm that is primarily distributed through infected USB drives. Once it has gained access to a …
Published in S2W BLOG, Feb 19, 2024
Author: Minyeop Choi, Sojun Ryu, Sebin Lee, HuiSeong Yang | BLKSMTH
Executive Summary: The ransomware landscape experienced significant transformations and challenges in 2023. The year saw a 49% increase in victims reported by …
Around 2016, the dominant form of ransomware threat shifted from ransomware gangs spreading or broadly distributing ransomware to collect ransoms toward an operating model of RaaS plus targeted attacks that extract large ransoms. RaaS is short for Ransomware as a Service: the ransomware attack infrastructure developed and operated by ransomware gangs, including customizable destructive ransomware, data-theft components, ransom negotiation scripts and payment channels. Various attack groups and individuals rent RaaS attack infrastructure and, after obtaining a ransom, split the proceeds with the RaaS operator. Among the many ransomware groups, LockBit is the most active; its own published data shows that LockBit's RaaS has supported more than a thousand attacks, and it drew wide attention at home and abroad because of a case involving the overseas branch of a Chinese-funded enterprise.
To respond effectively to the risk of RaaS plus targeted extortion, defenders need a deeper understanding of how targeted ransomware attacks operate, so that they can build an effective adversary scenario and improve defense and response capabilities in a targeted way. It is therefore very important to select typical cases and conduct in-depth reviews of such attacks. However, because the analytical elements supporting the cases involving China are not yet mature, Antiy CERT screened other recent major attack cases and selected the targeted ransomware attack on Boeing (hereinafter "this incident"), which is likewise associated with the LockBit group and for which relatively rich reference information is available, for a complete review and analysis. Antiy CERT has long followed and analyzed ransomware attacks, and its continued attention to LockBit and other groups has produced a fairly systematic body of analysis; this work relied on intelligence data from the Antiy Cyber Superbrain platform and on the public information about this incident released by CISA and other agencies. The analysis covered reconstruction of the attack process, an inventory of the attack tools, the mechanics of the ransomware sample, the reactions of the parties after the attack took effect, loss assessment and a visual replay of the process; it also examined the defensive problems exposed by the incident and the RaaS plus targeted extortion model, and put forward recommendations on defense and governance.
2. Incident Background and How This Report Was Produced. In late October 2023, Boeing became a victim of a RaaS plus targeted ransomware attack [1]. Because LockBit operates under the RaaS model, the actual attacker in this incident cannot yet be confirmed. On October 27, 2023, LockBit's victim-disclosure site claimed to have stolen a large amount of sensitive Boeing data and used it to pressure Boeing, stating that the stolen data would be published unless Boeing contacted the LockBit group before November 2, 2023. Boeing then disappeared from the victim list for a time, until November 7, when the LockBit group listed Boeing again, claiming that Boeing had ignored its warning and threatening to release about 4 GiB of data. Possibly because negotiations between the two sides failed, on November 10 the LockBit group publicly released 21.6 GiB of data stolen from Boeing (reported in the media as 43 GiB, which double-counted the archives and their extracted contents).
Antiy has long tracked and responded to the evolution from ransomware propagation to targeted ransomware attacks. In its past analysis it issued risk warnings about "the convergence of ransomware and worms" and "targeted extortion approaching the level of APT attacks" (see Appendix 4). In response to this wave of LockBit attacks, Antiy published version 1.0 of this report on November 17 under the title "Analysis of LockBit Ransomware Samples and Thoughts on Defending Against Targeted Extortion" [2]. Because relatively rich information was lacking at the time, only sample analysis was carried out at the technical level and the attack process was not reconstructed. After the ransomware attack on Boeing, the US Cybersecurity and Infrastructure Security Agency (CISA) conducted a forensic investigation of the incident and released a report on November 21, 2023 [3]; that report provides high-quality formalized intelligence and an extremely important reference for reconstructing the attack, and we have combined our accumulated past work with other open-source intelligence to improve this report.
3. History of the LockBit Group and Selected Past Attacks. 3.1 Basic Information About the Group. The LockBit group was first discovered in September 2019; because its encrypted files carried the extension .abcd, it was called ABCD ransomware. In June 2021 the group released ransomware version 2.0, adding the ability to delete disk volume shadow copies and log files, and at the same time released its dedicated data-theft tool StealBit, adopting a double-extortion strategy of "threatening to expose (sell) corporate data + encrypting data". In August 2021 the group's attack infrastructure added support for DDoS attacks. In June 2022 the ransomware was updated to version 3.0; because part of the 3.0 code overlaps with the BlackMatter ransomware code, LockBit 3.0 is also known as LockBit Black, which reflects the possible movement of personnel and exchange of capabilities between ransomware groups. Groups using LockBit RaaS have carried out a large number of attacks, breaking into victim systems by obtaining access credentials from third parties, weaponizing vulnerabilities and piggybacking on other malware before deploying the ransomware, and many victims have suffered extortion and data leaks. The many ransomware campaigns LockBit carried out in 2022 and their impact made it the most active ransomware group in the world that year, and it even took the initiative in promotional and PR activities. The group develops ransomware for multiple host systems and target platforms, including Windows, Linux, macOS and VMware virtualization platforms, and its builder can produce customized ransomware through simple interaction. LockBit ransomware encrypts only the first 4K of data at the head of each file, so it is noticeably faster than other ransomware that encrypts whole files; because it overwrites the original file's sectors in place, victims cannot recover the unencrypted plaintext through data recovery.
Table 3-1 Basic information about the LockBit group
Group name
LockBit
Former name
ABCD
First seen
September 2019
Typical initial access methods
Phishing attacks, access credentials obtained from third parties, weaponized vulnerabilities and piggybacking on other malware
Typical encrypted file extension…
Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme (App Installer) to distribute …
Research by: Marc Salinas Fernandez
Key Points: Check Point Research (CPR) provides a case study of some of the most recent ransomware attacks targeting Linux systems and ESXi systems which…
On November 8 2023, SysAid published an advisory for CVE-2023-47246 regarding a critical zero-day vulnerability on their SysAid On-Premise software. SysAid describes the vulnerability as a path traversal vulnerability …
Written by Sasha Shapirov CTO @ SysAid & Profero Incident Response Team
On Nov 2nd, a potential vulnerability in our on-premise software came to our security team’s attention. We immediately …
On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims …
We found that malicious actors used malvertising to distribute malware via cloned webpages of legitimate organizations. The distribution involved a webpage of the well-known application WinSCP, an open-source Windows application …
In this intrusion, dated May 2023, we observed Truebot being used to deploy Cobalt Strike and FlawedGrace (aka GraceWire & BARBWIRE) resulting in the exfiltration of data and the deployment …
On 19th April 2023, PaperCut released a Security alert stating, “We have evidence to suggest that unpatched servers are being exploited …
Our team is tracking in-the-wild exploitation of zero-day vulnerabilities against PaperCut MF/NG which allow for unauthenticated remote code execution due to an authentication bypass.
UPDATE #1 – 4/25/23 @ 11am …
On 02 February 2023, an alert triggered in a Huntress-protected environment. At first glance, the alert itself was fairly generic – a combination of certutil using the urlcache flag …
In this blog entry, we’d like to highlight our findings on Vice Society, which includes an end-to-end infection diagram that we were able to create using Trend Micro internal telemetry.…
Published On : 2022-12-15
Executive Summary: CYFIRMA Research Team has been tracking three campaigns – Evian, UNC064, and Siberian bear – that are potentially operated by Russian-speaking threat groups on …
Since August 2022, we have seen an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot was first identified in 2017 and researchers have linked it to a threat actor …
The ASEC analysis team has confirmed that attackers are using Amadey Bot to install LockBit. Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information …
April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather.
DEV-0206 is now tracked as Mustard Tempest DEV-0243…
Overview
Ordinarily, attackers install malware through various methods such as spear phishing emails with a malicious attachment, malvertising, vulnerabilities, and disguising the malware as normal software and uploading them to …
Typically, attackers install malware through a variety of methods, such as attachments to spear-phishing emails, malvertising, vulnerabilities, or disguising malware as legitimate software and uploading it to websites. The malware installed includes infostealers that steal information from the infected system, or files that …
Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker. Like other malware strains, it …
It started with a seemingly benign email, dealing with the purchase of a vehicle, and ended in a reveal of a months’ long campaign targeting German organizations. Most of …