The S-RM Cyber Threat Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.
- Ransomware continues to make the news this week. Prolific ransomware strain Maze appears at a dead-end, as its operators announce they will no longer deploy the malware, while new ransomware strain, RegretLocker, targets Windows virtual machines.
- In other news this week, social media giants attempt to stop the spread of misinformation in the midst of the US presidential election, and the US Department of Justice jails a Russian hacker for participating in a botnet scheme.
Finally, an end to the Maze?
- On Monday, the ransomware group known as Maze announced the end of their operations and that there will be no further data leaks posted to their site. In a ransomware case involving Maze, the threat actor would both encrypt and steal data, demanding ransoms both to unlock the infected systems and to prevent the release of the stolen data on a dedicated dark web portal.
- This form of extortion conducted by Maze on the group’s leak blog has been replicated by almost all major ransomware operations, each with their own data leak site.
So what for security teams? While Maze may claim to be retiring, during recent cases we have noted similarities with Egregor, in both the associated malware used in the attacks and the source code of the ransomware executable itself. In the most recent case, the Egregor ransomware payload piggybacked on the banking trojans Ursnif and IcedID, a common combination in Maze infections. As phishing remains a key point of entry for these attacks, remain vigilant for malicious emails and for signs of data exfiltration, which is usually detectable prior to the encryption of the data.
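The exfiltration-before-encryption window mentioned above is where detection usually pays off. The script below is an added example (not S-RM's tooling) that aggregates outbound bytes per internal host and destination from proxy logs and flags pairs over a size threshold. The log format, the allowlist of expected upload destinations and the 1 GiB threshold are assumptions, and the log lines are constructed for illustration.

```python
"""Flag hosts with unusually large outbound transfers in proxy logs.

Added example, not S-RM's tooling. The log format (timestamp src_ip
dest_host bytes_out), the allowlist and the threshold are assumptions;
the sample log lines are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample proxy log: timestamp src_ip dest_host bytes_out
SAMPLE_PROXY_LOG = """\
2020-11-02T09:12:01 10.0.1.15 sharepoint.example.com 48210
2020-11-02T09:14:33 10.0.1.15 cdn.example.com 1200
2020-11-02T21:02:10 10.0.1.22 storage.unknown-host.example 734003200
2020-11-02T21:05:41 10.0.1.22 storage.unknown-host.example 812000000
2020-11-02T21:09:03 10.0.1.22 storage.unknown-host.example 650000000
2020-11-02T10:00:00 10.0.1.30 backup.example.com 2000000000
"""

# Assumed destinations where large uploads are expected (your own backup/cloud).
ALLOWLIST = {"backup.example.com", "sharepoint.example.com"}

# Assumed threshold: more than 1 GiB to a single non-allowlisted destination.
THRESHOLD_BYTES = 1 * 1024 ** 3


def parse_proxy_log(text):
    """Yield (src_ip, dest_host, bytes_out) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _timestamp, src, dest, size = parts
        try:
            yield src, dest, int(size)
        except ValueError:
            continue


def find_exfil_candidates(text, threshold=THRESHOLD_BYTES, allowlist=ALLOWLIST):
    """Return {(src_ip, dest_host): total_bytes} for pairs over the threshold.

    Totals are summed per (source, destination) so that an upload split
    into several sessions, as in the sample, is still caught.
    """
    totals = defaultdict(int)
    for src, dest, size in parse_proxy_log(text):
        if dest in allowlist:
            continue
        totals[(src, dest)] += size
    return {pair: total for pair, total in totals.items() if total > threshold}


if __name__ == "__main__":
    for (src, dest), total in find_exfil_candidates(SAMPLE_PROXY_LOG).items():
        print(f"{src} -> {dest}: {total / 1024 ** 3:.2f} GiB outbound")
```

In the constructed sample, 10.0.1.22 sends roughly 2 GiB across three sessions to an unknown host late in the evening and is flagged, while the 2 GB backup from 10.0.1.30 is allowlisted. In practice, the allowlist and threshold should be tuned to your own baseline, and a time-of-day dimension is a useful addition.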
RegretLocker targets Windows virtual machines
- A new ransomware variant called RegretLocker uses several advanced features to target Windows virtual machines.
- According to Advanced Intel’s Vitali Kremez, RegretLocker does not encrypt virtual disk images because the size of the file would slow down the encryption process. Instead, RegretLocker mounts a virtual disk file so each of its files can be individually encrypted at a much faster rate.
So what for security teams? Ransomware variants continue to proliferate with many adopting advanced features or modules to improve their ability to impact the infected networks as much as possible. It is therefore important to remain up to date with the latest attack strategies and exploits. Virtual machines are particularly prevalent when users are forced to work from home, and so as many countries impose stricter measures to combat COVID-19, it is crucial to consider how threat actors will continue to adopt new strategies to target changes in how we work.
Election day misinformation
- Facebook, Twitter, and YouTube have implemented policies with the aim of stopping the spread of false information that may influence this week’s US election.
- Facebook stated that its Election Operations Centre was monitoring issues ranging from voter suppression content to real-time incidents.
- Social media analysts have said that hashtags used on social media, such as ‘#stopthesteal’, were being used to generate uncertainty around the voting process. Throughout Tuesday’s election night and the following days, researchers specialising in mis- and disinformation kept watch and called out false and misleading information online.
So what? This story highlights the power of social media and how it has been leveraged for influence operations. While the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) reported Tuesday night that Election Day passed “without any significant or disruptive cyberattacks”, misinformation on social media remains a story to watch; at the time of writing, votes (especially mail-in ballots and overseas votes) are still being counted, and the risk of misinformation spreading online, causing confusion or provoking unrest, remains palpable.
Russian hacker jailed for botnet scheme
- Russian national Aleksandr Brovko has been jailed for eight years for running a botnet scheme available for purchase on elite dark web forums that has caused over USD 100 million in financial damages.
- Brovko developed tools that were able to parse log data from botnet sources and query the data for Personally Identifiable Information (PII) and account credentials. The information was used to commit financial fraud.
- This comes after the news last month that researchers discovered a sophisticated botnet targeting websites’ Content Management System (CMS) platforms.
So what for leadership? This story underscores the importance of monitoring dark web forums for credential leaks. Establishing a threat intelligence feed to query employee credentials allows passwords to be proactively changed, prior to exploitation by a threat actor.
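One way to act on the credential-monitoring advice above is to run each new leak dump your intelligence feed delivers against your own domains and hand the affected account list to the team that forces resets. The script below is an added example, not S-RM's feed or tooling; the dump format (one email:password pair per line), the monitored domains and the sample dump are assumptions constructed for illustration.

```python
"""Check a credential dump for accounts belonging to monitored domains.

Added example, not S-RM's feed or tooling. The dump format (email:password
per line) and the monitored domains are assumptions; the sample dump is
constructed for illustration.
"""
import hashlib
import re

# Assumed: the organisation's own email domains.
MONITORED_DOMAINS = {"example.com", "corp.example.com"}

# Constructed sample dump, in the shape a leak feed might deliver it.
SAMPLE_DUMP = """\
alice@example.com:Winter2020!
bob@other.org:hunter2
carol@corp.example.com:Passw0rd
dave@EXAMPLE.COM:letmein
garbage line without separator
"""

# local-part@domain:password, with the password allowed to contain ':'.
EMAIL_RE = re.compile(r"^([^@:\s]+)@([^@:\s]+):(.*)$")


def parse_dump(text):
    """Yield (local_part, domain, password) with local part and domain lowercased."""
    for line in text.splitlines():
        match = EMAIL_RE.match(line.strip())
        if not match:
            continue
        local, domain, secret = match.groups()
        yield local.lower(), domain.lower(), secret


def exposed_accounts(text, domains=MONITORED_DOMAINS):
    """Return {email: fingerprint} for accounts in monitored domains.

    Only a truncated SHA-256 of the leaked password is kept: enough to tell
    whether the same credential reappears in a later dump, without storing
    the clear-text password alongside the account list.
    """
    hits = {}
    for local, domain, secret in parse_dump(text):
        if domain in domains:
            fingerprint = hashlib.sha256(secret.encode()).hexdigest()[:12]
            hits[f"{local}@{domain}"] = fingerprint
    return hits


if __name__ == "__main__":
    for email, fingerprint in sorted(exposed_accounts(SAMPLE_DUMP).items()):
        print(f"reset required: {email} (credential fingerprint {fingerprint})")
```

Domain matching is case-insensitive, so the upper-cased dave@EXAMPLE.COM entry is caught. The output is deliberately the account list plus a fingerprint, not the passwords themselves, since the list will typically be shared with a service desk.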
Major vulnerabilities identified this week
- Security firm FireEye announced that it had discovered that a threat actor called UNC1945 has been exploiting a zero-day vulnerability in the Oracle Solaris operating system in its attacks against corporate networks. The zero-day, CVE-2020-14871, is a vulnerability that allows threat actors to bypass authentication procedures and install a backdoor on Solaris servers that are exposed to the internet. Oracle released a patch for the vulnerability in October after being notified by FireEye.
- Almost two weeks after its recent critical security update for its web browser, Google has released patches for two newly discovered actively exploited zero-day vulnerabilities in Chrome (CVE-2020-16009 & CVE-2020-16010), although the latter only impacts the Chrome for Android browser. The update also addresses 10 further security vulnerabilities.
- Adobe has also released updates to its Reader and Acrobat PDF products that patch several critical security vulnerabilities. The update removes all components of the well-known Adobe Flash Player, which is due to be officially discontinued by Adobe in December 2020.
So what for security teams? These announcements and updates act as a reminder to ensure that systems are running the latest versions of software, with all available patches installed. Patching remains arguably the most important thing an organisation can do to remain secure and should be a priority for any security team.
Indicators of compromise
The Indicators of Compromise (IOCs) below offer a snapshot of the forensic artefacts currently known to be associated with some of the campaigns discussed in this week's set of stories. We have also added several IOCs from recent Egregor ransomware cases.
Egregor phishing campaign – malicious document titles:
Egregor phishing emails – the payload (SHA-256):
Egregor ransomware payload:
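The two kinds of indicator listed in this section, malicious document titles and SHA-256 hashes of payloads, can be checked against files on a mail gateway or a suspect host with a short script. The one below is an added example, not S-RM's tooling; the IOC values in it are placeholders constructed for the example and must be replaced with the briefing's own lists, and the sample files are likewise constructed.

```python
"""Match files against document-title and SHA-256 indicators of compromise.

Added example, not S-RM's tooling. The IOC values below are placeholders
constructed for this example, not the briefing's real indicators, and
the sample files are constructed too.
"""
import hashlib
from pathlib import Path

# PLACEHOLDER document titles (constructed); substitute the briefing's list.
MALICIOUS_DOC_TITLES = {"invoice_october.doc", "payment_details.xls"}

# PLACEHOLDER payload: a constructed byte string, not real malware, whose
# hash stands in for the briefing's SHA-256 indicators.
CONSTRUCTED_PAYLOAD = b"constructed-sample-payload-not-real-malware"
PAYLOAD_SHA256 = {hashlib.sha256(CONSTRUCTED_PAYLOAD).hexdigest()}


def sha256_hex(data):
    """Return the lowercase hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def match_iocs(files, titles=MALICIOUS_DOC_TITLES, hashes=PAYLOAD_SHA256):
    """Return [(name, reasons)] for every file that matches an indicator.

    files is an iterable of (name, bytes). Titles are compared
    case-insensitively; hashes are compared exactly. A file can match on
    both and is reported once with both reasons.
    """
    hits = []
    for name, data in files:
        reasons = []
        if name.lower() in titles:
            reasons.append("title")
        if sha256_hex(data) in hashes:
            reasons.append("sha256")
        if reasons:
            hits.append((name, reasons))
    return hits


def iter_directory(root):
    """Yield (name, bytes) for every regular file under root, for live use."""
    for path in Path(root).rglob("*"):
        if path.is_file():
            yield path.name, path.read_bytes()


# Constructed sample file set: one title match, one hash match, one benign.
SAMPLE_FILES = [
    ("Invoice_October.doc", b"benign document body"),
    ("notes.txt", b"nothing to see here"),
    ("update.exe", CONSTRUCTED_PAYLOAD),
]


if __name__ == "__main__":
    for name, reasons in match_iocs(SAMPLE_FILES):
        print(f"IOC match: {name} ({', '.join(reasons)})")
```

Hash matching is exact, so a repacked payload will not be caught; treat a hash hit as confirmation and a title hit as a lead for triage. For a live sweep, pass iter_directory("/path/to/quarantine") to match_iocs in place of the constructed sample.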
Sources: ‘Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945’, FireEye, 2 November 2020; ‘Hacker group uses Solaris zero-day to breach corporate networks’, ZDNet, 2 November 2020.