In addition to our Water Hydra APT zero day analysis, the Zero Day Initiative (ZDI) observed a DarkGate campaign which we discovered in mid-January 2024 where DarkGate operators exploited CVE-2024-21412.…
Tag: XDR
This post is also available in: 日本語 (Japanese)
Executive SummaryMuddled Libra stands at the intersection of devious social engineering and nimble technology adaptation. With an intimate knowledge of enterprise …
Cybersecurity giant CrowdStrike (NASDAQ: CRWD) on Tuesday announced plans to acquire of Flow Security, a cloud data runtime security solution, to enhance its cloud security capabilities and offer protection for …
Cybereason Security Services issues Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.…
This post is also available in: 日本語 (Japanese)
Executive SummaryWhen reviewing a packet capture (pcap) of suspicious activity, security professionals may need to export objects from the pcap for …
This post is also available in: 日本語 (Japanese)
Executive SummaryWe recently found a new Linux variant of Bifrost (aka Bifrose), showcasing an innovative technique to evade detection. It uses …
When evaluating XDR, consider its value based on its ability to reduce complexity and improve threat detection and response times. The post Is XDR Enough? The Hidden Gaps in Your …
Bitdefender Labs recently helped with an investigation that unfortunately aligns with two key predictions we made for 2024: the rapid rise of opportunistic ransomware and the growing risk of coordinated …
On February 19, 2024, ConnectWise released a security patch addressing two vulnerabilities in the ScreenConnect software, potentially leading to Remote Code Execution (RCE). These vulnerabilities, identified as CVE-2024-1709 and CVE-2024-1708, …
Sophos X-Ops is tracking a developing wave of vulnerability exploitation targeting unpatched ConnectWise ScreenConnect installations. This page provides advice and guidance for customers, researchers, investigators and incident responders. This information …
This post is also available in: 日本語 (Japanese)
Executive SummaryDynamic-link library (DLL) hijacking is one of the oldest techniques that both threat actors and offensive security professionals continue to …
This post is also available in: 日本語 (Japanese)
Executive SummaryFeb. 13, 2024, ConnectWise was notified of two vulnerabilities impacting their remote desktop software application ScreenConnect. These vulnerabilities were first …
Crowdstrike.com estimated website worth is $ 101,498
CrowdStrike is a global cybersecurity leader with an advanced cloud-native platform for protecting endpoints, cloud workloads, identities and data.
Website Information Domain Age…This post is also available in: 日本語 (Japanese)
Executive SummaryInsidious Taurus (aka Volt Typhoon) is identified by U.S. government agencies and international government partners as People’s Republic of China …
The APT group Water Hydra has been exploiting the Microsoft Defender SmartScreen vulnerability (CVE-2024-21412) in its campaigns targeting financial market traders. This vulnerability, which has now been patched by Microsoft, …
This Threat Analysis Report will delve into compromised YouTube accounts being used as a vector for the spread of malware. It will outline how this attack vector is exploited for …
This post is also available in: 日本語 (Japanese)
Executive SummaryGlupteba is advanced, modular and multipurpose malware that, for over a decade, has mostly been seen in financially driven cybercrime …
If you have anything to do with cyber security, you know it employs its own unique and ever-evolving language. Jargon and acronyms are the enemies of clear writing—and are beloved …
Throughout 2023, Sekoia.io’s Threat Detection & Research (TDR) team actively tracked and monitored adversary C2 infrastructures set up and used by lucrative and state-sponsored intrusion sets to carry out …
This post is also available in: 日本語 (Japanese)
Executive SummaryThe ransomware landscape experienced significant transformations and challenges in 2023. The year saw a 49% increase in victims reported by …
Companies are engaged in a seemingly endless cat-and-mouse game when it comes to cybersecurity and cyber threats. As organizations put up one defensive block after another, malicious actors kick their …
Cybereason issues Threat Alerts to inform customers of emerging impacting threats, including critical vulnerabilities such as the Ivanti Connect Secure VPN Zero-Day exploitation. Cybereason Threat Alerts summarize these threats and …
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers recently discovered activity attributed to Mispadu Stealer, a stealthy infostealer first reported in 2019. We found this …
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers discovered a large-scale campaign we call ApateWeb that uses a network of over 130,000 domains to deliver …
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers have been tracking the BianLian ransomware group, which has been in the top 10 of the most …
Since November 2023, Microsoft has observed a distinct subset of Mint Sandstorm (PHOSPHORUS) targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, …
Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of …
This blog delves into the Phemedrone Stealer campaign’s exploitation of CVE-2023-36025, the Windows Defender SmartScreen Bypass vulnerability, for its defense evasion and investigates the malware’s payload.
During routine threat hunting, …
Authors: Karthickkumar Kathiresan, Shilpesh Trivedi
Known for its history of relentless cyber-attacks against Ukrainian targets, the UAC-0050 threat group is at it again. But this time, Uptycs researchers have discovered …
2016年前后,勒索攻击的主流威胁形态已经从勒索团伙传播扩散或广泛投放勒索软件收取赎金,逐渐转化为RaaS+定向攻击收取高额赎金的运行模式。RaaS为Ransomware as a Service(勒索即服务)的缩写,是勒索团伙研发运营的勒索攻击基础设施,包括可定制的破坏性勒索软件、窃密组件、勒索话术和收费通道等。各种攻击团伙和个人租用RaaS攻击基础设施,在获得赎金后,与RaaS攻击组织分账结算。在众多勒索攻击组织中,LockBit组织最为活跃,从其公布的数据显示,LockBit的RaaS支撑了上千起的攻击活动,并因一例涉及中资企业海外机构案例被国内外广泛关注。
为有效应对RaaS+定向勒索风险,防御者需要更深入地了解定向勒索攻击的运行机理,才能构建有效的敌情想定,针对性的改善防御和响应能力。因此,择取典型案例,对此类攻击进行深度复盘极为重要。但由于相关涉我案例的分析支撑要素并不成熟,安天CERT在其他近期重大攻击案例中进行了筛选,选择了同样与LockBit组织相关,且可参考信息相对丰富的波音公司遭遇定向勒索攻击事件(以下简称本事件)展开了完整复盘分析。安天CERT长期关注和分析勒索攻击,对LockBit等攻击组织的持续关注,形成了较为系统的分析积累,依托安天赛博超脑平台的情报数据,CISA等机构对本事件公布的相关公开信息展开工作。从攻击过程还原、攻击工具清单梳理、勒索样本机理、攻击致效后的多方反应、损失评估、过程可视化复盘等方面开展了分析工作,并针对事件中暴露的防御侧问题、RaaS+定向勒索的模式进行了解析,并提出了防御和治理方面的建议。
2.事件背景和报告形成过程2023年10月下旬,波音公司成为了RaaS+定向勒索攻击的受害者[1]。由于LockBit是通过RaaS模式运营的攻击组织,本次攻击事件的实际攻击者暂时无法确认。2023年10月27日,LockBit所属的受害者信息发布平台发消息声称窃取了波音的大量敏感数据,并以此胁迫波音公司,如果不在2023年11月2日前与LockBit组织取得联系,将会公开窃取到的敏感数据。此后,波音一度从受害者名单中消失,直至11月7日,LockBit组织再次将波音公司列入受害者名单中,并声称波音公司无视其发出的警告,威胁要发布大约4GiB的数据。可能因双方谈判失败,LockBit组织于11月10日公开发布了从波音公司窃取到的21.6 GiB数据(媒体报道为43 GiB,系重复计算了压缩包和展开后的数据)。
安天长期持续跟踪和响应了从勒索软件传播到定向勒索攻击的活动演进。在历史分析成果中,对“勒索软件和蠕虫的合流”、“定向勒索将接近APT攻击水准”等,都发出了风险预警(参见附录四)。针对LockBit的本次攻击波,安天于11月17日以《LockBit 勒索软件样本分析及针对定向勒索的防御思考》[2]为题,发布了本报告的V1.0版。由于当时缺少相对丰富的信息,在技术层面仅展开了样本分析工作,并未进行攻击过程复盘。波音公司被勒索攻击之后,美国网络安全和基础设施安全局(CISA)对事件进行了取证调查,并于2023年11月21日发布了相关报告[3],相关报告给出了高质量的形式化情报,为分析复盘攻击事件提供了极为重要的参考,我们结合历史工作积累其他开源情报和对本报告进行完善。
3.LockBit攻击组织的历史情况和部分历史攻击事件 3.1 组织基本情况LockBit组织最早于2019年9月被发现,因其加密后的文件名后缀为.abcd,而被称为ABCD勒索软件;该组织在2021年6月发布了勒索软件2.0版本,增加了删除磁盘卷影和日志文件的功能,同时发布专属数据窃取工具StealBit,采用“威胁曝光(出售)企业数据+加密数据”双重勒索策略;2021年8月,该组织的攻击基础设施频谱增加了对DDoS攻击的支持;2022年6月勒索软件更新至3.0版本,由于3.0版本的部分代码与BlackMatter勒索软件代码重叠,因此LockBit 3.0又被称为LockBit Black,这反映出不同勒索攻击组织间可能存在的人员流动、能力交换等情况。使用LockBit RaaS实施攻击的相关组织进行了大量攻击作业,通过第三方获取访问凭证、漏洞武器化和搭载其他恶意软件等方式入侵至受害者系统后投放勒索软件,大量受害者遭受勒索和数据泄露。LockBit攻击组织在2022年实施的多次勒索攻击活动及影响突显了其为该年度全球最活跃的勒索攻击组织,甚至主动采取了传播和PR活动。该组织面向Windows、Linux、macOS、以及VMware虚拟化平台等多种主机系统和目标平台研发勒索软件,其生成器通过简单交互即可完成勒索软件定制。LockBit勒索软件仅对被加密文件头部的前4K数据进行加密,因此加密速度明显快于全文件加密的其他勒索软件,由于在原文件对应扇区覆盖写入,受害者无法通过数据恢复的方式来还原未加密前的明文数据。
表3-1 LockBit攻击组织基本情况
组织名称
LockBit
组织曾用名
ABCD
出现时间
2019年9月
典型突防方式
钓鱼攻击、第三方获取访问凭证、漏洞武器化和搭载其他恶意软件
典型加密后缀…
Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme (App Installer) to distribute …
The Sophos MDR Threat Intelligence team previously published the blog Akira Ransomware is “bringin’ 1988 back” in May 2023, roughly two months after the group is reported to have begun …
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers have observed threat actors using malicious JavaScript samples to steal sensitive information by abusing popular survey sites, …
In early September 2023, ReliaQuest detected suspicious process executions within a customer’s environment, originating from the Windows debug directory. Our subsequent investigation revealed these executions as part of a more …
Analyzing AsyncRAT’s Code Injection into Aspnet_Compiler.exe Across Multiple Incident Response Cases
This blog entry delves into MxDR’s unraveling of the AsyncRAT infection chain across multiple cases, shedding light on the misuse of aspnet_compiler.exe, a legitimate Microsoft process originally designed for precompiling …
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers observed a series of apparently related attacks against organizations in the Middle East, Africa and the U.S. …
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers recently discovered two separate campaigns targeting job-seeking activities linked to state-sponsored threat actors associated with the Democratic …
The Trend Micro Managed XDR team encountered malicious operations that used techniques similar to the ones used by Genesis Market, a website for facilitating fraud that was taken down in …
Microsoft Threat Intelligence has uncovered a supply chain attack by the North Korea-based threat actor Diamond Sleet (ZINC) involving a malicious variant of an application developed by CyberLink Corp., a …
Authors: Shilpesh Trivedi and Nisarga C M
In April 2023, the cybersecurity community faced a significant challenge with the discovery of CVE-2023-38831, a vulnerability affecting versions of WinRAR prior to …
This post is also available in: 日本語 (Japanese)
Executive SummaryTensions between China and the Philippines have risen sharply over the past several months. In early August, a Chinese Coast …
In this blog post, we delve into the notable trends shaping the cyber threat landscape over the past month. Hot topics this month revolve around the expanding use of generative …
This post is also available in: 日本語 (Japanese)
Executive SummarySince the end of August 2023, we have observed a significant rise in compromised servers specializing in clickbait and ad …
We encountered the Cerber ransomware exploiting the Atlassian Confluence vulnerability CVE-2023-22518 in its operations.
On October 31, 2023, Atlassian published an advisory on CVE-2023-22518, an Improper authorization vulnerability involving the …
This post is also available in: 日本語 (Japanese)
Executive SummaryDuring our analysis of a July 2023 campaign targeting groups supporting Ukraine’s admission into NATO, we discovered a new vulnerability …
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers have identified an active campaign we are calling EleKtra-Leak, which performs automated targeting of exposed identity and …
The hacker collective called GhostSec has unveiled an innovative Ransomware-as-a-Service (RaaS) framework called GhostLocker. They provide comprehensive assistance to customers interested in acquiring this service through a dedicated Telegram channel. …
This post is also available in: 日本語 (Japanese)
Executive SummaryUnit 42 researchers have investigated a series of destructive cyberattacks beginning in January 2023 and continuing as recently as October …
Earlier this year, a software vendor was compromised by the Lazarus malware delivered through unpatched legitimate software. What’s remarkable is that these software vulnerabilities were not new, and despite warnings …