Healthcare has long been a primary target for ransomware attacks. This is not changing and is not likely to change. Claroty/Team82’s State of CPS Security – Healthcare 2023 discusses the …
Tag: ACTIVE DIRECTORY
Microsoft issued patches for 60 unique CVEs in its Patch Tuesday security update for March, only two of which are rated as “critical” and needing priority attention. Both affect the …
Security researchers have created a knowledge base repository for attack and defense techniques based on improperly setting up Microsoft’s Configuration Manager, which could allow an attacker to execute payloads or …
This post is also available in: 日本語 (Japanese)
Executive Summary
Muddled Libra stands at the intersection of devious social engineering and nimble technology adaptation. With an intimate knowledge of enterprise …
The NSA and the Cybersecurity and Infrastructure Security Agency (CISA) have released five joint cybersecurity bulletins containing best practices for securing a cloud environment.
Cloud services have become immensely …
On February 19, 2024, ConnectWise published a security advisory detailing the discovery of two significant vulnerabilities, CVE-2024-1708 (Path Traversal) and CVE-2024-1709 (Authentication Bypass), affecting ScreenConnect versions prior to 23.9.8, the release that fixes them.
Successful exploitation of …
Analysis by the Japanese government of a recent data breach at the widely popular Asian messaging application Line has resulted in a directive for the organization to break up its …
Sandworm is a highly sophisticated Russian adversary, active since at least 2009, that has been attributed to the Main Center for Special Technologies (GTsST) of Russia's Main Intelligence Directorate (GRU), military Unit 74455.
Sandworm …
Courageous action by defenders can prevent maximum damage from attackers.
Incident response firm Sygnia was contacted by a company to investigate suspicious activity on its network. Sygnia rapidly concluded the …
PRESS RELEASE
SAN FRANCISCO, March 5, 2024 /PRNewswire/ — Delinea, a leading provider of solutions that seamlessly extend Privileged Access Management (PAM), today announced the introduction of Privilege Control for Servers on the Delinea Platform, …
U.S. cybersecurity and intelligence agencies have warned of Phobos ransomware attacks targeting government and critical infrastructure entities, outlining the various tactics and techniques the threat actors have adopted to deploy …
Executive Summary
When reviewing a packet capture (pcap) of suspicious activity, security professionals may need to export objects from the pcap for …
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories …
The Cybersecurity and Infrastructure Security Agency (CISA) and the following partners (hereafter referred to as the authoring organizations) are releasing this joint Cybersecurity Advisory to warn that cyber threat …
Bitdefender Labs recently helped with an investigation that unfortunately aligns with two key predictions we made for 2024: the rapid rise of opportunistic ransomware and the growing risk of coordinated …
This blog entry gives a detailed analysis of these recent ScreenConnect vulnerabilities. We also discuss our discovery of threat actor groups, including Black Basta and Bl00dy Ransomware gangs, that are …
Published on: 2024-02-23
EXECUTIVE SUMMARY
At CYFIRMA, we are dedicated to providing current insights into prevalent threats and strategies utilized by malicious entities, targeting both organizations and individuals. This …
Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.
The team found Tycoon Group during a regular investigation …
VMware is urging users to uninstall the deprecated Enhanced Authentication Plugin (EAP) following the discovery of a critical security flaw. Tracked as CVE-2024-22245 (CVSS score: 9.6), the vulnerability has been …
Today’s attackers are taking advantage of changing business dynamics to target people everywhere they work. Staying current on the latest cybersecurity attack vectors and threats is an essential part of …
The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) conducted an incident response assessment of a state government organization’s network environment after …
Identifier: TRR240201.
Summary
Following an X post by IntezerLab about an attack campaign that they dubbed “SameCoin”, we analyzed the samples they discovered and found a few identical variants. The …
Last updated at Tue, 27 Feb 2024 17:16:10 GMT
*Rapid7 Incident Response consultants Noah Hemker, Tyler Starks, and malware analyst Tom Elkins contributed analysis and insight to this blog.*
Rapid7 …
On February 7, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA) assessing …
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China (PRC) state-sponsored cyber actors are seeking …
On January 10, 2024, the software company Ivanti disclosed two vulnerabilities impacting Ivanti Connect Secure VPN, formerly Pulse Secure, and Ivanti Policy Secure appliances. Successful exploitation of these vulnerabilities could …
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. …
On Jan. 12, 2024, Mandiant published a blog post detailing two high-impact zero-day vulnerabilities, CVE-2023-46805 and CVE-2024-21887, affecting Ivanti Connect Secure VPN (CS, formerly Pulse Secure) and Ivanti Policy Secure (PS) appliances. On …
Executive Summary
Unit 42 researchers have been tracking the BianLian ransomware group, which has been in the top 10 of the most …
Summary: TOTP (Time-Based One-Time Password) is a common two-factor authentication method that generates time-sensitive passcodes. However, it has become outdated and vulnerable to brute-force attacks. In this article, the …
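The summary above names a mechanism (time-stepped codes) and a failure mode (brute force), so a worked example follows. This is illustrative code written for this page, not code from the article summarized above: it implements RFC 6238 TOTP over RFC 4226 HOTP in Python, checks itself against the RFC 6238 Appendix B test vectors, and then shows the brute-force point from both sides: how the acceptance window multiplies an attacker's odds when the verifier never throttles, and how a simple per-account lockout (the `ThrottledVerifier` class, a name chosen here for the example) bounds online guessing. The parameters (HMAC-SHA1, 6 digits, 30-second step, one step of skew on either side, 5 failures followed by a 10-step lockout) are assumptions for the example, matching common authenticator defaults rather than anything stated on the page.

```python
"""Added example for this page (not from the summarized article): RFC 6238
TOTP generation, window-based verification, the unthrottled brute-force
odds, and a rate-limited verifier. HMAC-SHA1 / 6 digits / 30 s step are
assumed defaults; the secret and times are RFC 6238 Appendix B vectors,
embedded so the code runs offline.
"""
import hashlib
import hmac
import struct

TEST_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B SHA1 test key


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the number of completed time steps as counter."""
    return hotp(secret, unix_time // step, digits)


def totp_is_valid(secret: bytes, code: str, unix_time: int,
                  window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept the current step and +/- `window` neighbours to absorb clock
    skew. Constant-time comparison avoids leaking matching prefixes."""
    current = unix_time // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter < 0:          # struct.pack(">Q") rejects negatives
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True
    return False


def brute_force_success_probability(guesses: int, window: int = 1,
                                    digits: int = 6) -> float:
    """Chance that `guesses` distinct codes hit one of the 2*window+1 codes
    an unthrottled verifier accepts. With a +/-1 window and 6 digits,
    1000 guesses already give 0.3%; the space is only 10**6 wide."""
    accepted = 2 * window + 1
    return min(1.0, guesses * accepted / 10 ** digits)


class ThrottledVerifier:
    """Hypothetical per-account lockout (name chosen for this example):
    after `max_failures` consecutive wrong codes the account is locked for
    `lockout_steps` time steps, so an online attacker gets only a handful
    of guesses per lockout period instead of the whole code space."""

    def __init__(self, secret: bytes, max_failures: int = 5,
                 lockout_steps: int = 10, step: int = 30):
        self.secret = secret
        self.max_failures = max_failures
        self.lockout_steps = lockout_steps
        self.step = step
        self.failures = 0
        self.locked_until = 0

    def verify(self, code: str, unix_time: int) -> bool:
        if unix_time < self.locked_until:
            return False         # locked: reject before checking the code
        if totp_is_valid(self.secret, code, unix_time, step=self.step):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = unix_time + self.lockout_steps * self.step
        return False


if __name__ == "__main__":
    # Self-check against RFC 6238 Appendix B (8-digit vectors truncated to 6).
    for t, expected in [(59, "287082"), (1111111109, "081804"),
                        (1234567890, "005924"), (20000000000, "353130")]:
        assert totp(TEST_SECRET, t) == expected, (t, totp(TEST_SECRET, t))
    print("1000 unthrottled guesses succeed with p =",
          brute_force_success_probability(1000))
    v = ThrottledVerifier(TEST_SECRET)
    for _ in range(5):
        v.verify("999999", 59)   # constructed wrong guesses
    print("correct code while locked accepted?", v.verify("287082", 59))
```

The test vectors make the self-check deterministic. The practical lesson is that the weakness the summary describes is a verifier-side property: a 6-digit code with a one-step window on either side gives an attacker three valid answers out of a million per attempt, so an endpoint that accepts unlimited attempts turns TOTP into an online guessing problem, while lockout or throttling keeps the second factor meaningful.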
One hacker collective continues to confound federal law enforcement and cybersecurity experts — the Scattered Spider. Known by a multitude of aliases such as Muddled Libra, UNC3944, Starfraud, and Octo Tempest, …
Volexity has uncovered active in-the-wild exploitation of two vulnerabilities allowing unauthenticated remote code execution in Ivanti Connect Secure VPN devices. An official security advisory and knowledge base article have been …
Ransomware-as-a-Service (RaaS) is a cybercrime business model where operators maintain software, websites, infrastructure, and other features needed to conduct ransomware attacks. Affiliates of the RaaS …
On December 19, 2023, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) that disseminates Indicators of Compromise (IOCs) …
Around 2016, the dominant form of ransomware threat shifted from ransomware gangs spreading or broadly distributing ransomware and collecting ransoms toward an operating model of RaaS plus targeted attacks that extract large ransoms. RaaS, short for Ransomware as a Service, is the attack infrastructure that ransomware gangs develop and operate, including customizable destructive ransomware, data-theft components, extortion scripts and payment channels. Various attack groups and individuals rent RaaS infrastructure and, once a ransom is obtained, split the proceeds with the RaaS operator. Among the many extortion groups, LockBit is the most active: according to the data it has published, LockBit's RaaS has supported more than a thousand attacks, and it drew wide attention in China and abroad because of a case involving the overseas branch of a Chinese-funded enterprise.
To counter the risk of RaaS plus targeted extortion effectively, defenders need a deeper understanding of how targeted ransomware operations work, so that they can build realistic adversary scenarios and improve defensive and response capabilities in a targeted way. Selecting typical cases and conducting in-depth post-mortems of such attacks is therefore extremely important. Because the analytical supporting material for the relevant cases involving Chinese entities is not yet mature, Antiy CERT screened other recent major attack cases and chose the targeted ransomware attack against Boeing (hereinafter "this incident"), which is likewise linked to the LockBit group and for which relatively rich reference information is available, for a complete post-mortem analysis. Antiy CERT has long followed and analyzed ransomware attacks, and its sustained attention to LockBit and other groups has produced a fairly systematic body of analysis. Drawing on intelligence data from the Antiy Cyber Superbrain platform and the public information released about this incident by CISA and other organizations, we analyzed the incident from several angles: reconstruction of the attack process, an inventory of the attack tools, the mechanism of the ransomware sample, the reactions of the parties after the attack took effect, loss assessment, and a visual replay of the process. We also dissected the defensive problems exposed by the incident and the RaaS plus targeted extortion model, and put forward recommendations on defense and governance.
2. Incident Background and How This Report Was Produced
In late October 2023, Boeing became a victim of a RaaS plus targeted ransomware attack [1]. Because LockBit operates under the RaaS model, the actual attacker in this incident cannot yet be confirmed. On October 27, 2023, LockBit's victim-disclosure site posted a message claiming to have stolen a large amount of Boeing's sensitive data and used it to coerce the company, threatening to publish the stolen data if Boeing did not contact the LockBit group before November 2, 2023. Boeing then disappeared from the victim list for a time, until November 7, when LockBit re-listed Boeing as a victim, claimed that Boeing had ignored its warnings, and threatened to release roughly 4 GiB of data. Possibly because negotiations between the two sides failed, on November 10 LockBit publicly released 21.6 GiB of data stolen from Boeing (media reports put the figure at 43 GiB, which double-counted the compressed archives and their extracted contents).
Antiy has continuously tracked and responded to the evolution from ransomware propagation to targeted ransomware attacks. In its earlier analyses it issued risk warnings about the "convergence of ransomware and worms" and that "targeted extortion will approach APT-level capability" (see Appendix 4). In response to this LockBit attack wave, Antiy published version 1.0 of this report on November 17 under the title "LockBit Ransomware Sample Analysis and Reflections on Defending Against Targeted Extortion" [2]. Because relatively rich information was lacking at that time, the technical work was limited to sample analysis and the attack process was not reconstructed. After the ransomware attack on Boeing, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) conducted a forensic investigation of the incident and published a report on November 21, 2023 [3]. That report provided high-quality, formalized intelligence and an extremely important reference for reconstructing the attack; we combined it with our accumulated prior work and other open-source intelligence to improve this report.
3. History of the LockBit Attack Group and Selected Past Incidents
3.1 Basic Profile of the Group
The LockBit group was first observed in September 2019; because the extension it appended to encrypted files was .abcd, it was called the ABCD ransomware. In June 2021 the group released version 2.0 of its ransomware, which added the ability to delete disk volume shadow copies and log files, and at the same time released its dedicated data-theft tool StealBit, adopting a double-extortion strategy of threatening to expose (or sell) corporate data in addition to encrypting it. In August 2021 the group's attack infrastructure added support for DDoS attacks. In June 2022 the ransomware was updated to version 3.0; because part of the 3.0 code overlaps with BlackMatter ransomware code, LockBit 3.0 is also called LockBit Black, which points to the personnel movement and capability exchange that may take place between ransomware groups. Groups using LockBit's RaaS have carried out a large number of operations, breaking into victim systems through access credentials obtained from third parties, weaponized vulnerabilities and piggybacking on other malware before deploying the ransomware, and many victims have suffered extortion and data leaks. The many extortion campaigns LockBit conducted in 2022 and their impact made it the most active ransomware group in the world that year, and it even engaged in deliberate promotion and PR activity. The group develops ransomware for Windows, Linux, macOS and the VMware virtualization platform, among other host systems and target platforms, and its builder produces a customized ransomware payload after a few simple interactions. LockBit ransomware encrypts only the first 4 KB at the head of each targeted file, so it encrypts markedly faster than ransomware that encrypts whole files; because it overwrites the sectors of the original file in place, victims cannot recover the unencrypted plaintext through data-recovery techniques.
Table 3-1 Basic profile of the LockBit attack group
Group name: LockBit
Former name: ABCD
First seen: September 2019
Typical initial-access methods: phishing, access credentials obtained from third parties, weaponized vulnerabilities, piggybacking on other malware
Typical encrypted-file extension: …
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These …
The Sophos MDR Threat Intelligence team previously published the blog Akira Ransomware is “bringin’ 1988 back” in May 2023, roughly two months after the group is reported to have begun …
In early September 2023, ReliaQuest detected suspicious process executions within a customer’s environment, originating from the Windows debug directory. Our subsequent investigation revealed these executions as part of a more …
Executive Summary
Unit 42 researchers observed a series of apparently related attacks against organizations in the Middle East, Africa and the U.S. …
Cybereason issues Threat Alerts to inform customers of emerging, high-impact threats. The Cybereason Incident Response (IR) team documented such critical attack scenarios, which started from a GootLoader infection to ultimately …
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing a Cybersecurity Advisory (CSA) in response to confirmed exploitation of CVE-2023-26360 by unidentified threat actors at a Federal Civilian Executive …
In early September, an automated retroactive indicator-of-compromise (IoC) threat hunt identified an IoC in the environment of one of our customers. The detected IP address, …
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. …
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. These #StopRansomware …
Resecurity has identified an alarming rise in ransomware operators targeting the energy sector, including nuclear facilities and related research entities. Over the last year, ransomware attackers have targeted energy installations …
In early 2023, Secureworks® Counter Threat Unit™ (CTU) researchers discovered how to manipulate the consenting process of a legitimate verified publisher application to implant malicious unverified applications within a Microsoft Entra ID (formerly known as Azure …
Update November 13, 2023
This CSA is being re-released to add new TTPs, IOCs, and information related to Royal Ransomware activity.
End of Update
Note: This joint Cybersecurity Advisory …
Executive Summary
Unit 42 researchers have investigated a series of destructive cyberattacks beginning in January 2023 and continuing as recently as October …
Over the Kazuar’s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla)
Executive Summary
While tracking the evolution of Pensive Ursa (aka Turla, Uroburos), Unit 42 researchers came across a new, upgraded variant of …