ransomware & Vulnerability

---

TI10 Summary: Government agencies & state leaders partner to thwart cyberattacks on water systems

Article Title: White House and EPA warn of hackers breaching water systems

Threat Type: Ransomware, Vulnerability 

Industry: Utilities (Water)

Impact to Business: Disruption, Financial, Physical Damage

Additional Info: In recent months, Iranian & Chinese state-backed hackers have targeted & breached U.S. water systems

Mitigation: 

• Reduce Exposure to the Public-Facing Internet
• Conduct Regular Cybersecurity Assessments
• Change Default Passwords Immediately
• Conduct an Inventory of Operational Technology/Information Technology Assets
• Develop and Exercise Cybersecurity Incident Response and Recovery Plans
• Backup OT/IT Systems
• Reduce Exposure to Vulnerabilities
• Conduct Cybersecurity Awareness Training

Source: https://www.bleepingcomputer.com/news/security/white-house-and-epa-warn-of-hackers-breaching-water-systems/

TI10 Summary: Content provider lures victims into downloading malware with wallpaper, games or software ads

Article Title: The rise of Charcoal Stork

Threat Type: Social Engineering, Malware

Industry: Not specific

Impact to Business: Information Disclosure

Additional Info: Named Charcoal Stork; “A suspected pay-per-install (PPI) content provider that’s responsible for the malvertising or the search engine optimization (SEO) that gets the user (otherwise known as the victim) to download its affiliate’s malware.” - Laura Brosnan & Christina Johns

Mitigation:

• Conduct cybersecurity & social engineering awareness training
• Implement ad blocking (for malvertising protection)

Source: https://redcanary.com/blog/charcoal-stork/

TI10 Summary: Phishing campaign lures victims into downloading malicious software leading to unauthorized access 

Article Title: VCURMS: A Simple and Functional Weapon

Threat Type: Malware

Industry: Not specific

Impact to Business: Information Disclosure, Unauthorized Access

Additional Info: The hackers operation deploys multiple malicious programs including remote access trojans, infostealers & keyloggers to collect sensitive data from the victim. The hacker uses obfuscation techniques to avoid detection & email for communicating with the command & control server.

Mitigation: 

• Phishing awareness training
• Implement File Integrity Monitoring tools to detect unauthorized changes on file systems
• Implement Endpoint Detection & Response solutions to detect & respond to advanced threats
• Block malicious traffic to known command & control servers
• Additional guidance from Cybersecurity and Infrastructure Security Agency (CISA): Avoiding Social Engineering and Phishing Attacks

Source: https://www.fortinet.com/blog/threat-research/vcurms-a-simple-and-functional-weapon

TI10 Summary: Russian hackers accessed Microsoft’s source code & likely stole credentials

Article Title: Microsoft says Russian hackers breached its systems, accessed source code

Threat Type: Cyber Espionage, Password Spray

Industry: Information Technology (& others including Government)

Impact to Business: Information Disclosure

Additional Info: Hacker group named 'Midnight Blizzard’ used a password spray attack to gain access to Microsoft’s corporate email servers and likely steal authentication tokens, API keys, or credentials.

“A password spray is a type of brute force attack where threat actors collect a list of potential login names and then attempt to log in to all of them using a long list of possible passwords. If one password fails, they repeat this process with other passwords until they run out or successfully breach the account. For this reason, companies must configure MFA on all accounts to prevent access, even if credentials are correctly guessed.” - Bleeping Computer

Mitigation: 

• Block IP address of attacker
• Changed user's password of suspected compromise
• Enable Active Directory Federation Services (ADFS) Extranet Lockout
• Disabled Legacy authentication
• Enabled Azure Identity Protection
• Enabled Multi-Factor Authentication
• Enabled Password Protection
• Deploy Microsoft Entra Connect Health for ADFS

Additional mitigation from Microsoft

Source: https://www.bleepingcomputer.com/news/microsoft/microsoft-says-russian-hackers-breached-its-systems-accessed-source-code/

TI10 Summary: Hackers employ stealth leveraging legitimate software to exfiltrate data & establish persistence in victim networks

Article Title: Data Exfiltration: Increasing Number of Tools Leveraged by Ransomware Attackers

Threat Type: Ransomware

Industry: Not specific 

Impact to Business: Disruption, Financial 

Additional Info: “Data exfiltration is now a key step in the attack chain for most ransomware actors and many see stolen data as their most effective way of extorting organizations.  While some malware is still being authored for this purpose, many attackers are turning to legitimate software packages in the belief that they are less likely to trigger alerts when deployed on their victims’ networks.” - Symantec

Mitigation:

• Monitor outbound traffic for unusual patterns & communications
• Monitor the use of dual-use tools inside your network
• Monitor registry & system changes made on your network
• Lock down PowerShell
• Ensure you are using the latest version of PowerShell to leverage enhanced logging & auditing capabilities
• Restrict access to RDP Services
• Use multi-factor authentication (MFA)
• Implement proper audit & control of administrative account usage
• Implement application whitelisting

Source: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-data-exfiltration

TI10 Summary: Ransomware attacks target government & critical infrastructure via phishing or exposed services

Article Title: Phobos Ransomware Aggressively Targeting U.S. Critical Infrastructure

Threat Type: Ransomware

Industry: Critical Infrastructure, Government 

Impact to Business: Disruption, Financial 

Additional Info: “Attack chains involving the ransomware strain have typically leveraged phishing as an initial access vector to drop stealthy payloads like SmokeLoader. Alternatively, vulnerable networks are breached by hunting for exposed RDP services and exploiting them by means of a brute-force attack.” - Bleeping Computer

Mitigation: 

1. Secure RDP ports to prevent threat actors from abusing and leveraging RDP tools.

2. Prioritize remediating known exploited vulnerabilities.

3. Implement EDR solutions to disrupt threat actor memory allocation techniques.

Additional mitigation provided by Cybersecurity and Infrastructure Security Agency (CISA) 

Source: https://thehackernews.com/2024/03/phobos-ransomware-aggressively.html

TI10 Summary: Ransomware shuts down production at German steel company’s automotive unit

Article Title: Steel giant ThyssenKrupp confirms cyberattack on automotive division

Threat Type: Ransomware

Industry: Automotive

Impact to Business: Disruption

Additional Info: ThyssenKrupp is continuing to investigate the incident. “At this point, the spokeswoman said, there is no indication data has been stolen or altered, and other parts of its Automotive Technology division haven’t been affected.” - WSJ

Mitigation: 

• Vulnerability management
• Implement endpoint protection
• Implement email security
• Enable multi-factor authentication
• Basic cybersecurity training
• Use strong encryption
• Implement strong passwords & password policy
• Revoke credentials for departing workforce
• Basic incident planning & preparedness
• Separate user and privileged accounts
• Vendor/Supplier cybersecurity requirements

Source: https://www.bleepingcomputer.com/news/security/steel-giant-thyssenkrupp-confirms-cyberattack-on-automotive-division/

https://www.wsj.com/articles/thyssenkrupp-auto-unit-hit-by-cyberattack-34b41469

https://cybersocialhub.com/csh/german-steelmaker-thyssenkrupp-confirms-ransomware-attack/

TI10 Summary: Malware takes steps to evade analysis & hide its network traffic

Article Title: Xeno RAT Abuses Windows DLL Search To Avoid Detection

Threat Type: Malware

Industry: Not specific 

Impact to Business: Information Disclosure

Additional Info: Named, Xeno RAT.  This malware uses defense evasion, obfuscation, anti-debugging, & other techniques to avoid detection. 

“It is delivered via a shortcut file and multi-stage payload downloader. Xeno RAT abuses the Windows DLL search order to load a malicious DLL into legitimate processes. It has capabilities like monitoring, hidden VNC, SOCKS5 proxy, process injection, and C2 communication.” - AlienVault

Mitigation: Scan endpoints for indicators of compromise (IOCs)

Source: https://cybersecuritynews.com/xeno-rat-windows-dll-evasion/

https://otx.alienvault.com/pulse/65ddf674e5b73a7b24306fde 

TI10 Summary: Healthcare organizations advised to implement mitigation to defend against BlackCat ransomware attacks 

Article Title: FBI, CISA warn US hospitals of targeted BlackCat ransomware attacks

Threat Type: Ransomware

Industry: Healthcare

Impact to Business: Information Disclosure, Business Disruption 

Additional Info: ALPHV/Blackcat gang has raked in at least $300 million in ransoms from over 1,000 victims until September 2023.

Mitigation: Healthcare and Public Health (HPH) Cybersecurity Performance Goals https://hphcyber.hhs.gov/performance-goals.html

• Vulnerability management
• Implement endpoint protection
• Implement email security
• Enable multi-factor authentication
• Basic cybersecurity training
• Use strong encryption
• Implement strong passwords & password policy
• Revoke credentials for departing workforce
• Basic incident planning & preparedness
• Separate user and privileged accounts
• Vendor/Supplier cybersecurity requirements

Source: https://www.bleepingcomputer.com/news/security/fbi-cisa-warn-us-hospitals-of-targeted-blackcat-ransomware-attacks/

TI10 Summary: Russian hackers target cloud infrastructure using compromised credentials, dormant accounts, & stolen access tokens

Article Title: Russian hackers shift to cloud attacks, US and allies warn

Threat Type: Initial Access (brute force & password spraying)

Industry: Government, Healthcare, Energy & Utilities, Aviation, Education, Law Enforcement, Financial, Military

Impact to Business: Information Disclosure

Additional Info: Tracked as APT29 (also tracked as Cozy Bear, Midnight Blizzard, The Dukes) breached multiple U.S. federal agencies following the SolarWinds supply-chain attack they orchestrated more than three years ago.

"As organizations continue to modernize their systems and move to cloud-based infrastructure, the SVR has adapted to these changes in the operating environment.”

"They have to move beyond their traditional means of initial access, such as exploiting software vulnerabilities in an on-premises network, and instead target the cloud services themselves." - CISA joint advisory

Mitigation: 

• Enable Multi-Factor Authentication
• Implement strong passwords & password policy
• Revoke credentials for departing workforce
• Use the principle of least privilege system & service accounts
• Reduce session lifetimes to block the use of stolen session tokens
• Only allow device enrollment for authorized devices 
• Monitor for indicators of compromise & TTP’s for initial access, associated with APT29 Russian Foreign Intelligence Service (SVR)

Source: https://www.bleepingcomputer.com/news/security/russian-hackers-shift-to-cloud-attacks-us-and-allies-warn/