
Cyber Threat Intelligence Briefing: 6 November 2020

Billy Gouveia, Mona Damian 6 November 2020

CYBER INCIDENT RESPONSE: PERSPECTIVES FROM INSIDE THE RISK ECOSYSTEM

In our latest report, we examine a cyber incident from the perspective of several key stakeholders

Download Report

The S-RM Cyber Threat Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.

OVERVIEW

  • Ransomware continues to make the news this week. Prolific ransomware strain Maze appears at a dead-end, as its operators announce they will no longer deploy the malware, while new ransomware strain, RegretLocker, targets Windows virtual machines.
  • In other news this week, social media giants attempt to stop the spread of misinformation in the midst of the US presidential election, and the US Department of Justice jails a Russian hacker for participating in a botnet scheme.


Security Round-up

Finally, an end to the Maze?
  • On Monday, the ransomware group known as Maze announced the end of its operations and that no further data leaks will be posted to its site. In a ransomware case involving Maze, the threat actor would both encrypt and steal data, demanding ransoms both to unlock the infected systems and to prevent the release of the stolen data on a dedicated dark web portal.[1]
  • This form of extortion conducted by Maze on the group’s leak blog has been replicated by almost all major ransomware operations, each with their own data leak site.

So what for security teams? While Maze may claim to be retiring, during recent cases we have noted similarities with Egregor, both in the associated malware used in the attacks and in the source code of the ransomware executable itself. In the most recent case, the Egregor ransomware payload piggy-backed on the banking trojans Ursnif and IcedID, a common combination in Maze infections. As phishing remains a key point of entry for these attacks, remain vigilant for malicious emails and for signs of data exfiltration, which is usually detectable prior to the encryption of the data.
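The point above that exfiltration is usually visible before encryption can be turned into a simple detection. The following is an added example, not code from S-RM or from any of the campaigns described: it runs an egress-spike heuristic over constructed proxy-style log lines, flagging a host whose outbound volume jumps far above its own recent baseline. The log format, hostnames, IP addresses and thresholds are all assumptions for illustration.

```python
"""Egress-spike heuristic over constructed proxy-style log lines.

Added example, not part of the S-RM briefing: flags a host whose outbound
byte volume jumps far above that host's own recent baseline, the kind of
signal that tends to precede encryption in a Maze/Egregor-style intrusion.
Log format, hostnames, IPs and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample log: "<ISO timestamp> <host> <destination IP> <bytes out>".
# ws-017 behaves normally for four hours, then pushes ~9.8 GB to a new
# destination at 02:00; ws-042 stays within its baseline throughout.
SAMPLE_LOG = """\
2020-11-02T09:00:00 ws-017 203.0.113.10 120000
2020-11-02T10:00:00 ws-017 203.0.113.10 150000
2020-11-02T11:00:00 ws-017 203.0.113.10 130000
2020-11-02T12:00:00 ws-017 203.0.113.10 140000
2020-11-03T02:00:00 ws-017 198.51.100.7 9800000000
2020-11-02T09:00:00 ws-042 203.0.113.10 90000
2020-11-02T10:00:00 ws-042 203.0.113.10 110000
2020-11-02T11:00:00 ws-042 203.0.113.10 95000
2020-11-02T12:00:00 ws-042 203.0.113.10 105000
"""


def parse_log(text):
    """Parse the constructed format into (host, timestamp, dest, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, nbytes = line.split()
        events.append((host, datetime.fromisoformat(ts), dest, int(nbytes)))
    return events


def find_egress_spikes(events, factor=10, min_history=3, floor_bytes=50_000_000):
    """Return alerts for records exceeding factor x the host's median so far.

    floor_bytes stops a quiet host with a tiny baseline from alerting on noise;
    min_history avoids judging a host before it has any baseline at all.
    """
    by_host = defaultdict(list)
    for host, ts, dest, nbytes in sorted(events, key=lambda e: e[1]):
        by_host[host].append((ts, dest, nbytes))

    alerts = []
    for host, records in by_host.items():
        history = []
        for ts, dest, nbytes in records:
            if len(history) >= min_history:
                baseline = statistics.median(history)
                if nbytes >= floor_bytes and nbytes > factor * baseline:
                    alerts.append({
                        "host": host,
                        "when": ts.isoformat(),
                        "dest": dest,
                        "bytes": nbytes,
                        "baseline": baseline,
                        # Transfers outside working hours deserve a closer look.
                        "off_hours": ts.hour < 7 or ts.hour >= 20,
                    })
            history.append(nbytes)
    return alerts


if __name__ == "__main__":
    for alert in find_egress_spikes(parse_log(SAMPLE_LOG)):
        print(alert)
```

The per-host median is deliberately robust to a single earlier spike, and the absolute floor keeps low-volume hosts from paging anyone over a few megabytes; in production the same logic would run over proxy, firewall or flow records with tuning per environment.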

RegretLocker targets Windows virtual machines
  • A new ransomware variant called RegretLocker uses several advanced features to target Windows virtual machines.
  • According to Advanced Intel’s Vitali Kremez, RegretLocker does not encrypt virtual disk images because the size of the file would slow down the encryption process. Instead, RegretLocker mounts a virtual disk file so each of its files can be individually encrypted at a much faster rate.[2]

So what for security teams? Ransomware variants continue to proliferate with many adopting advanced features or modules to improve their ability to impact the infected networks as much as possible. It is therefore important to remain up to date with the latest attack strategies and exploits. Virtual machines are particularly prevalent when users are forced to work from home, and so as many countries impose stricter measures to combat COVID-19, it is crucial to consider how threat actors will continue to adopt new strategies to target changes in how we work.

Election day misinformation
  • Facebook, Twitter, and YouTube have implemented policies with the aim of stopping the spread of false information that may influence this week’s US election.[3]
  • Facebook stated that its Election Operations Centre was monitoring issues ranging from voter suppression content to real-time incidents.
  • Social media analysts have said that hashtags used on social media, such as ‘#stopthesteal’, were being used to generate uncertainty around the voting process. Throughout Tuesday’s election night and the following days, researchers specialising in mis- and disinformation kept watch and called out false and misleading information online.

So what? This story highlights the power of social media and how it has been leveraged for influence operations. While the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) reported Tuesday night that Election Day passed “without any significant or disruptive cyberattacks”,[4] misinformation on social media remains a story to watch; at the time of writing, votes (especially mail-in ballots and overseas votes) are still being counted, and the risk of misinformation spreading online, causing confusion or provoking unrest, remains palpable.

Russian hacker jailed for botnet scheme
  • Russian national Aleksandr Brovko has been jailed for eight years for running a botnet scheme available for purchase on elite dark web forums that has caused over USD 100 million in financial damages.[5]
  • Brovko developed tools that were able to parse log data from botnet sources and query the data for Personally Identifiable Information (PII) and account credentials. The information was used to commit financial fraud.
  • This comes after the news last month that researchers discovered a sophisticated botnet targeting websites’ Content Management System (CMS) platforms.[6]

So what for leadership? This story underscores the importance of monitoring dark web forums for credential leaks. Establishing a threat intelligence feed that can be queried for employee credentials allows passwords to be changed proactively, before a threat actor can exploit them.
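One practical shape for the credential-monitoring feed recommended above is shown below. This is an added example, not code from S-RM or from any feed provider: it models (a) a password check using the k-anonymity range-query scheme popularised by Have I Been Pwned's Pwned Passwords API, where only the first five hex characters of SHA-1(password) ever leave the organisation, and (b) an account-level check that lists employees whose address appears in a dump newer than their last forced reset. The feed contents, employee addresses and reset dates are constructed for illustration.

```python
"""Credential-exposure checks that never send the secret to the feed.

Added example, not part of the S-RM briefing. The feed side is simulated
in-process so the script runs offline; in practice range_query() would be
an HTTPS call to the provider. All data below is constructed.
"""
import hashlib
from collections import defaultdict


def sha1_hex(value: str) -> str:
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


# --- Constructed feed side (normally a remote service) ----------------------
_LEAKED_PASSWORDS = ["Password1", "Welcome2020", "letmein"]   # constructed dump
_RANGE_INDEX = defaultdict(list)                              # prefix -> suffixes
for _pw in _LEAKED_PASSWORDS:
    _digest = sha1_hex(_pw)
    _RANGE_INDEX[_digest[:5]].append(_digest[5:])

# Constructed leaked-account feed: address -> date first seen in a dump.
_LEAKED_ACCOUNTS = {
    "alice@example.com": "2020-10-29",
    "carol@example.com": "2020-11-02",
}


def range_query(prefix: str) -> list:
    """Simulates the feed: given a 5-char SHA-1 prefix, return all matching suffixes.

    The feed learns only the prefix, which maps to many unrelated hashes, so
    it cannot tell which password (if any) the caller actually holds.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly five hex characters")
    return list(_RANGE_INDEX.get(prefix.upper(), []))


# --- Organisation side -------------------------------------------------------
def password_is_leaked(password: str) -> bool:
    """True if the password appears in the feed; only its hash prefix is sent."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5])


def accounts_to_reset(employee_emails, last_reset):
    """Employees whose address is in a dump newer than their last password reset.

    last_reset maps email -> ISO date of the most recent forced reset, so the
    same leak is not actioned twice. ISO dates compare correctly as strings.
    """
    due = []
    for email in employee_emails:
        key = email.lower()
        seen = _LEAKED_ACCOUNTS.get(key)
        if seen and seen > last_reset.get(key, "0000-00-00"):
            due.append((email, seen))
    return due


if __name__ == "__main__":
    print(password_is_leaked("Password1"))                     # True
    print(password_is_leaked("correct horse battery staple"))  # False
    print(accounts_to_reset(
        ["alice@example.com", "bob@example.com", "carol@example.com"],
        {"alice@example.com": "2020-10-30"}))
```

The password check is run at the moment a user sets or changes a password, and the account check is run on a schedule against the feed; both produce a reset action rather than a report, which is the "proactive" part of the recommendation.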

Major vulnerabilities identified this week
  • Security firm FireEye announced that it had discovered that a threat actor called UNC1945 has been exploiting a zero-day vulnerability in the Oracle Solaris operating system in its attacks against corporate networks.[7] The zero-day, CVE-2020-14871, is a vulnerability that allows threat actors to bypass authentication procedures and install a backdoor on Solaris servers that are exposed to the internet. Oracle released a patch for the vulnerability in October after being notified by FireEye.
  • Almost two weeks after its previous critical security update for its web browser, Google has released patches for two newly discovered, actively exploited zero-day vulnerabilities in Chrome (CVE-2020-16009 and CVE-2020-16010), although the latter only impacts the Chrome for Android browser.[8] The update also addresses 10 further security vulnerabilities.
  • Adobe has also released updates to its Reader and Acrobat PDF products that patch several critical security vulnerabilities. The update removes all components of the well-known Adobe Flash Player, which is due to be officially discontinued by Adobe in December 2020.[9]

So what for security teams? These announcements and updates act as a reminder to ensure that systems are running the latest versions of software, with all available patches installed. Patching remains arguably the most important thing an organisation can do to remain secure and should be a priority for any security team.

Indicators of compromise

The Indicators of Compromise (IOCs) below offer a snapshot of the forensic artefacts currently known to be associated with some of the campaigns discussed in this week's set of stories. We have also added several IOCs from recent Egregor ransomware cases.

Egregor phishing campaign – malicious document titles:
  • Report.[date].doc
  • Statistics.[date].doc
  • Facts.[date].doc
  • Legal paper.[date].doc
  • Instruct.[date].doc

Egregor phishing emails – the payload (SHA-256):
  • 9824f9a2cf13a4cac7912986e04fb7ff28b70479c538b5c3cbb2d2a4a3f42f00

Ursnif trojan (SHA-256):
  • 9824f9a2cf13a4cac7912986e04fb7ff28b70479c538b5c3cbb2d2a4a3f42f00
  • 949485ba939953642714ae6831d7dcb261691cac7cbb8c1a9220333801f60820
  • a101d3605f8d1ca5cfb10c48dbdb24c45f2627c48f44a2bd2604b88c7b90d5f0
  • b2a702312061389b9fb2b3130ef735e168c259fa153708a98717179c945ca547
  • fed7203295d03ca711baea74f3088c5a9a84d7150f6c2a1def438147c6b09adb
  • df1b78848c12927d06528ec988fc2cfbabcdc8b113c1a61e3417fe900a510e2e
  • 66ac2ff2a0c49f78f5c3823681ecef6c60da5eca1bdf003cc1536c4ba4f209ff
  • 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1

IcedID trojan (SHA-256):
  • 05e4b98300a5680b9138675fe2e85df051ddac0b243087010a7d84d95a6d61f8
  • 9e76ba80e0319634f16998cfc953a5e88b1e11cbe6ba18ffb58a48053b68b564
  • d869e953f2f08fb99cec6fab9d7d7f46a5171e3ae6aaaad67285172a16e35392
  • 4a972445c2e4efb46da028abe143821026a37b1560c95a34c0947c587e74b2b6
  • 2c1d4e6cf06ac0c3e3fd8259adf262d49494c8b451bad5bf6581375bc4b9df9d
  • 98446aa72a7afd31e577a2c0ebdeb8ef63734b0696b05bf4db1cb13816b207a6
  • a22eafe1f7572ab44cf0de9f1388e45f0ad881f266b83c9824a8345231c00286
  • 63efe02cbe692608362ba9f15f4a8f8f270c8e44e77671c3238993c95412c15f
  • 3ab248cff837377224a7fb54b0c8dc58a7d278e97ba1a839d3d84e68a864b6d8

Egregor ransomware payload (SHA-256):
  • 2d01c32d51e4bbb986255e402da4624a61b8ae960532fbb7bb0d3b0080cb9946
  • 3fc382ae51ceca3ad6ef5880cdd2d89ef508f368911d3cd41c71a54453004c55
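To put the list above to use, the following is an added example, not code from S-RM or from any of the campaigns described: it checks mail attachments against the SHA-256 values listed above and against the Egregor lure titles. The "[date]" segment of the lure titles is treated as any non-empty text (an assumption, since the briefing does not give the date format), and the sample attachments are constructed, so none of them is real malware; a hash match is demonstrated by passing in a custom indicator set.

```python
"""Matching mail attachments against the briefing's IOCs.

Added example, not part of the S-RM briefing. Hash values are copied from
the IOC list; lure-title date format and the sample attachments are
assumptions/constructed data for illustration.
"""
import hashlib
import re

# SHA-256 values from the briefing's IOC list, mapped to the family they belong to.
IOC_SHA256 = {
    "9824f9a2cf13a4cac7912986e04fb7ff28b70479c538b5c3cbb2d2a4a3f42f00": "Egregor phishing payload / Ursnif",
    "949485ba939953642714ae6831d7dcb261691cac7cbb8c1a9220333801f60820": "Ursnif",
    "a101d3605f8d1ca5cfb10c48dbdb24c45f2627c48f44a2bd2604b88c7b90d5f0": "Ursnif",
    "b2a702312061389b9fb2b3130ef735e168c259fa153708a98717179c945ca547": "Ursnif",
    "fed7203295d03ca711baea74f3088c5a9a84d7150f6c2a1def438147c6b09adb": "Ursnif",
    "df1b78848c12927d06528ec988fc2cfbabcdc8b113c1a61e3417fe900a510e2e": "Ursnif",
    "66ac2ff2a0c49f78f5c3823681ecef6c60da5eca1bdf003cc1536c4ba4f209ff": "Ursnif",
    "4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1": "Ursnif",
    "05e4b98300a5680b9138675fe2e85df051ddac0b243087010a7d84d95a6d61f8": "IcedID",
    "9e76ba80e0319634f16998cfc953a5e88b1e11cbe6ba18ffb58a48053b68b564": "IcedID",
    "d869e953f2f08fb99cec6fab9d7d7f46a5171e3ae6aaaad67285172a16e35392": "IcedID",
    "4a972445c2e4efb46da028abe143821026a37b1560c95a34c0947c587e74b2b6": "IcedID",
    "2c1d4e6cf06ac0c3e3fd8259adf262d49494c8b451bad5bf6581375bc4b9df9d": "IcedID",
    "98446aa72a7afd31e577a2c0ebdeb8ef63734b0696b05bf4db1cb13816b207a6": "IcedID",
    "a22eafe1f7572ab44cf0de9f1388e45f0ad881f266b83c9824a8345231c00286": "IcedID",
    "63efe02cbe692608362ba9f15f4a8f8f270c8e44e77671c3238993c95412c15f": "IcedID",
    "3ab248cff837377224a7fb54b0c8dc58a7d278e97ba1a839d3d84e68a864b6d8": "IcedID",
    "2d01c32d51e4bbb986255e402da4624a61b8ae960532fbb7bb0d3b0080cb9946": "Egregor ransomware payload",
    "3fc382ae51ceca3ad6ef5880cdd2d89ef508f368911d3cd41c71a54453004c55": "Egregor ransomware payload",
}

# Lure titles "Report.[date].doc" etc.; the date segment is assumed to be any
# non-empty text, so a bare "Report.doc" does not match.
LURE_NAME = re.compile(
    r"^(Report|Statistics|Facts|Legal paper|Instruct)\..+\.doc$", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_attachment(filename, data, hash_iocs=IOC_SHA256):
    """Return a list of IOC hits for one attachment (empty means no match)."""
    hits = []
    if LURE_NAME.match(filename):
        hits.append(f"filename '{filename}' matches an Egregor lure title")
    family = hash_iocs.get(sha256_hex(data))
    if family:
        hits.append(f"SHA-256 matches a known {family} sample")
    return hits


# Constructed sample mailbox: (filename, content). None of the content is real
# malware; the second entry is a lure-style name with benign bytes.
SAMPLE_ATTACHMENTS = [
    ("quarterly_figures.xlsx", b"PK\x03\x04 constructed benign spreadsheet"),
    ("Report.04.11.2020.doc", b"constructed benign document"),
    ("holiday.jpg", b"\xff\xd8\xff constructed jpeg"),
]


def scan_mailbox(attachments, hash_iocs=IOC_SHA256):
    """Map each flagged filename to its list of hits; clean files are omitted."""
    flagged = {}
    for name, data in attachments:
        hits = check_attachment(name, data, hash_iocs)
        if hits:
            flagged[name] = hits
    return flagged


if __name__ == "__main__":
    for name, hits in scan_mailbox(SAMPLE_ATTACHMENTS).items():
        print(name)
        for hit in hits:
            print("  -", hit)
```

A filename match on its own is a weak signal (the titles are generic), so in practice it would raise the attachment's priority for sandboxing rather than block it outright, while a hash match against a listed sample is a strong one.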


References:

[1] ‘Maze ransomware shuts down operations, denies creating cartel’, Bleeping Computer, 2 November 2020.

[2] ‘New RegretLocker ransomware targets Windows virtual machines’, Bleeping Computer, 3 November 2020.

[3] ‘Social media firms on alert for election day misinformation’, Security Week, 3 November 2020.

[4] ‘Election Day was largely free from disruptive cyberattacks, as efforts shift to combating misinformation’, TechCrunch, 3 November 2020.

[5] ‘Russian hacker jailed over botnet data scraping scheme that drained victim bank accounts’, ZDNet, 3 November 2020.

[6] ‘CMS platforms succumb to KashmirBlack botnet as businesses rush online’, ITPro, 22 October 2020.

[7] ‘Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945’, FireEye, 2 November 2020; ‘Hacker group uses Solaris zero-day to breach corporate networks’, ZDNet, 2 November 2020.

[8] ‘Google patches second Chrome zero-day in two weeks’, ZDNet, 2 November 2020.

[9] ‘Update your Adobe software now to fix these ‘critical’ threats’, TechRadar, 4 November 2020.

To discuss this article or other industry developments, please reach out to one of our experts.

Billy Gouveia, Senior Managing Director
Mona Damian, Senior Analyst
