Weekly Intelligence Report – 11 Nov 2022

Weekly Intelligence Trends/Advisory

Key Intelligence Signals:

  • Attack Type: Ransomware, Vulnerabilities & Exploits, Ransomware-as-a-Service (RaaS), Malware Implants, Data Exfiltration, Data Leak, Distributed Denial-of-Service (DDoS), Authentication Bypass
  • Objective: Unauthorized Access, Data Theft, Financial Gains, Payload Delivery
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Operational Disruption
  • Ransomware – Hive | Malware – Limepad
    • Hive – One of the ransomware groups.
    • Please refer to the trending malware advisory for details on the following:
    • Malware – Limepad
  • Behavior – Most of this malware uses phishing and social engineering techniques as its initial attack vector. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

FIN7 Linked to Black Basta Ransomware Group

Suspected Threat Actors: FIN7

  • Attack Type: Ransomware, Privilege Escalation, Vulnerabilities & Exploits
  • Objective: Unauthorized Access, Data Theft
  • Target Technology: Windows, Windows Server
  • Business Impact: Data Loss, Financial Loss

Summary:
In a recent report detailing the Black Basta ransomware group’s operational TTPs and revealing previously unknown tools and techniques, researchers have also tied it to the FIN7 threat actor group. Researchers found that in multiple Black Basta incidents, the threat actors made use of a custom cyber defence impairment tool that was developed by FIN7. According to the researchers, “the exact nature of the involvement is open to speculation, but it is based on signing certificates used by FIN7 to sign ransomware or the presence of FIN7 backdoors and toolkits in ransomware incidents”. The report’s findings have been confirmed by several ransomware experts, who noted that the two had previously been tied based on the tools used.

Researchers assert that it may not be surprising if Black Basta is a FIN7-owned operation and note that the “level of collaboration likely goes beyond selling/buying some tool advertised in some cybercrime forum somewhere.” The report also details the way Black Basta operators leverage popular vulnerabilities, which include ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42287, CVE-2021-42278), and PrintNightmare (CVE-2021-34527).

Insights:
The FIN7 threat actor group initially used POS (Point of Sale) malware to conduct financial fraud. However, since 2020 they have switched to ransomware operations, affiliating with REvil and Conti, and conducting their own operations: first as Darkside and later rebranded as BlackMatter.

FIN7 has also been tied to multiple threat actor clusters by other researchers with varying levels of confidence. One important detail the report highlights is that researchers assess with high confidence that Black Basta is a private operation and not a Ransomware-as-a-Service (RaaS). A private operation, as seen in the case of Conti, TA505 and Evilcorp, allows a high level of control over the operation and special trust in the different possible affiliations.

Major Geopolitical Developments in Cybersecurity

Microsoft: China Uses Mandated Disclosure to Develop Zero-Days

According to Microsoft, China seems to be using its law on vulnerability disclosure to gain access to vulnerabilities before they are revealed publicly. This enables APTs sponsored or run by the Beijing government to develop and deploy zero-day exploits during their brief window of opportunity before the security patches are released after the disclosure. The focus of Chinese intelligence services remains on espionage and intellectual property theft with the suspected mounting of an IP theft campaign following the US CHIPS Act, denying China access to cutting-edge semiconductor technologies.

The US Hosted Global Ransomware Summit

The White House hosted 36 countries and EU officials at the International Counter Ransomware Initiative Summit with the goal of exchanging information and developing attack prevention practices. This year’s summit focused on preventing ransomware attacks from disrupting nations’ critical infrastructure. Participants included nations such as Israel, Ukraine and India. Russia, North Korea and Iran, major havens for ransomware gangs, were not invited. The summit also dealt with the partnership between the private sector and government needed to secure infrastructure, counter the use of cryptocurrency by cyber criminals and hold threat actors accountable for ransomware attacks. Ransomware gangs were able to extract over a billion dollars in the past year in the US alone and represent a major threat in all developed economies. The same holds for developing countries, where the lower potential for extraction is offset by an easier operating environment for the criminals, as low-income countries often depend on outdated software, hardware and security processes.

EU Body Warns against Spyware in Europe

Spyware is being deployed by state-run organizations across the European Union to snoop on politicians and journalists with virtually no EU-level oversight, according to a recent EU parliament report. According to the document, virtually all EU member states have purchased some commercial spyware, such as Pegasus, developed by Israel-based NSO Group, to conduct operations in the cyber environment.
The report was presented after the EU parliament sent a fact-finding mission to Greece earlier this month; the Greek government plans to introduce a bill banning the use of spyware by private companies in the country. The report also states that Cyprus and Bulgaria serve as export centers for the illicit software while Ireland offers favorable fiscal arrangements to large companies in the business, which then use Luxembourg as a hub for banking services.

Cybersecurity on US Election Day

With the US midterm elections underway, US officials and CISA went into the final day of voting confident that the elections would not be disrupted by cyberattacks aimed directly at voting or election infrastructure, for example by manipulating vote counts or interfering with reporting.

Foreign influence operations, however, did emerge as expected. The high-profile Russian oligarch Yevgeny Prigozhin, who runs the Kremlin's most famous troll farm (known as the Internet Research Agency) and who also finances the Russian mercenary group known as the Wagner Group, was quoted in the middle of the vote count in an unusually frank avowal of what Washington has long accused Moscow of, stating that Russians “have interfered, are interfering and will interfere. Carefully, precisely, surgically and in our way, as we know how to do” in the current election process.

The New York Times has reported a recent surge in Russian disinformation deployed against US voters and cited strong activity from the networks of bots and paid users run by Prigozhin's Internet Research Agency. How successful the influence campaign will be is unclear, although widespread awareness that it is in progress will blunt such effect as it may have. CISA, the Washington Post says, is taking a hands-off approach to specific disinformation. The agency will not, for example, flag specific false claims on social media.

Rise in Malware/Ransomware and Phishing

Cornwell Tools (Cornwell Quality Tools) Impacted by Hive Ransomware

  • Attack Type: RaaS, Data Exfiltration, Data Leak
  • Target Industry: Manufacturing
  • Target Geography: US
  • Ransomware: Hive
  • Objective: Financial Gains, Data Theft
  • Business Impact: Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed Cornwell Tools (cornwelltools.com) – manufacturer of tools for the automotive and aviation industries – being impacted by the Hive ransomware group. The ransomware group claimed Cornwell Tools as one of their victims by disclosing the update on their dedicated leak site on 11th November. It is suspected that a large amount of business-critical and sensitive data has been exfiltrated. According to the information published on Hive’s dedicated leak site, the data was encrypted on 23rd September.

Insights:
The Hive ransomware was first observed in June 2021 and is suspected of running as affiliate-based ransomware, like most current ransomware groups. The ransomware group employs a wide array of tactics, techniques, and procedures (TTPs) in their attacks. They leverage multiple methods to compromise an organization’s networks, which include phishing emails with malicious attachments to gain a foothold in the network and exploiting Remote Desktop Protocol (RDP) for lateral movement.

It uses a double-extortion strategy for attacks. The attackers threaten to publish the exfiltrated data (victim data) if the victims are not ready to pay the ransom.

The ransomware operators implemented a new IPfuscation (obfuscation) technique to conceal the Cobalt Strike beacon payload. The payload was disguised as an array of ASCII IPv4 addresses in the malware executable binary. Code obfuscation is a technique that helps threat actors hide malicious code from security analysts or security software to evade detection.
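A triage heuristic for the array-of-IPv4-strings pattern described above, added here as an illustration and not taken from the report or any vendor tool. The function name, the `min_run` and `max_gap` thresholds and the sample bytes are assumptions constructed for this example.

```python
import re

# ASCII dotted-quad candidates; the 0-255 octet range is checked separately.
IPV4_RE = re.compile(
    rb"(?<![\d.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?![\d.])")

def find_ipv4_arrays(blob: bytes, min_run: int = 8, max_gap: int = 4):
    """Flag dense runs of IPv4 strings that look like an encoded byte array.

    min_run / max_gap are assumed triage thresholds, not values from the report.
    A handful of scattered addresses (DNS, NTP config) will not reach min_run.
    """
    findings, run, prev_end = [], [], None

    def flush():
        if len(run) >= min_run:
            # Each address carries four payload bytes; recover them for
            # hashing or signature scanning by the analyst.
            decoded = bytes(o for _, octets in run for o in octets)
            findings.append({"offset": run[0][0], "addresses": len(run),
                             "decoded_len": len(decoded), "decoded": decoded})

    for m in IPV4_RE.finditer(blob):
        octets = [int(g) for g in m.groups()]
        if any(o > 255 for o in octets):
            continue  # version strings and similar look-alikes
        if prev_end is not None and m.start() - prev_end > max_gap:
            flush()   # gap too large: the previous run has ended
            run = []
        run.append((m.start(), octets))
        prev_end = m.end()
    flush()
    return findings

# Constructed sample: two config-style addresses, then a NUL-separated array
# of arbitrary addresses standing in for an encoded blob.
ARRAY = [b"17.203.94.6", b"221.48.152.77", b"64.9.180.231", b"133.250.12.99",
         b"5.178.66.240", b"199.21.87.143", b"38.112.245.19", b"172.60.3.208",
         b"91.234.157.44", b"251.7.129.70"]
SAMPLE = (b"MZ\x90\x00dns=8.8.8.8\x00ntp=192.168.1.1\x00" + b"\x00" * 16 +
          b"\x00".join(ARRAY) + b"\x00")

if __name__ == "__main__":
    for f in find_ipv4_arrays(SAMPLE):
        print(f["offset"], f["addresses"], f["decoded_len"])
```

Legitimate binaries can embed address tables too, so a hit is a reason to inspect the decoded bytes, not a verdict.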

The Hive ransomware operators ported their VMware ESXi Linux encryptor to the Rust programming language to make it more difficult for security researchers to eavesdrop on victims’ ransom conversations. This feature was adopted from the BlackCat ransomware operation.