Voice-Scamming Site “iSpoof” Seized, 100s Arrested in Massive Crackdown

(published: November 25, 2022)

Background:

iSpoof was a criminal service, run by a threat group, that offered spoofing of the caller phone number shown to the recipient (Caller ID, also known as Calling Line Identification). Its core group operated out of the UK with a presence in other countries. In the 12 months to August 2022, around 10 million fraudulent calls were made globally via iSpoof. On November 24, 2022, Europol announced a joint operation involving Australia, Canada, France, Germany, Ireland, Lithuania, the Netherlands, Ukraine, the UK, and the USA that led to the arrest of 142 suspects and the seizure of the iSpoof websites.

Takeaway:

Threat actors can spoof Caller ID (Calling Line Identification) just as they can spoof the "From:" header of an email: the displayed number is supplied by the originating party and is generally not verified by the network, so it proves nothing about who is calling. If an organization contacts you, do not confirm any details about yourself; take the caller's details, disconnect, and call the organization back yourself on a number you already trust (for example, the one printed on your card or published on its official website). Legitimate organizations understand fraud and will not object to being verified this way.

New Ransomware Attacks in Ukraine Linked to Russian Sandworm Hackers

(published: November 25, 2022)

Background:

On November 21, 2022, multiple organizations in Ukraine were targeted with a new ransomware family written in .NET. ESET researchers dubbed it RansomBoggs and attributed it to the Russian state-sponsored Sandworm Team (aka Iridium, BlackEnergy). Sandworm distributed RansomBoggs from the domain controller using the same PowerShell script (PowerGap) seen in its previous attacks. RansomBoggs encrypts files with AES-256 in CBC mode using a randomly generated key; the key is RSA-encrypted before being stored, and encrypted files receive a .chsch extension.
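As an added illustration (this is not code from the ESET write-up), the following Python triage script uses the two indicators given above, the .chsch extension and AES-CBC encryption, to confirm which files on a host were actually encrypted. CBC ciphertext is statistically indistinguishable from random bytes, so Shannon entropy close to 8 bits per byte separates genuinely encrypted files from files that were merely renamed, which matters when deciding what must be restored from backup. The entropy threshold, the 64 KiB sample size and the file tree that demo() constructs in a temporary directory are assumptions made for the example.

```python
import math
import os
import tempfile
from collections import Counter

TARGET_EXT = ".chsch"        # extension RansomBoggs appends to encrypted files
ENTROPY_THRESHOLD = 7.5      # bits/byte; AES-CBC output sits near 8.0, text well below (assumed cut-off)
SAMPLE_BYTES = 64 * 1024     # enough of the file head to estimate entropy reliably (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for an empty buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str) -> tuple[str, float]:
    """Read the head of one file and decide whether its contents look like ciphertext."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    h = shannon_entropy(head)
    return ("encrypted" if h >= ENTROPY_THRESHOLD else "not-encrypted", h)


def triage(root: str, ext: str = TARGET_EXT) -> dict[str, tuple[str, float]]:
    """Walk `root`; for every file carrying `ext`, report (verdict, entropy) keyed by relative path."""
    results = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(ext):
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                results[rel] = classify_file(path)
    return results


def demo() -> dict[str, str]:
    """Build a constructed sample tree in a temp dir, triage it, and return the verdict per file."""
    samples = {
        "docs/report.docx.chsch": os.urandom(SAMPLE_BYTES),     # stands in for AES-CBC ciphertext
        "docs/notes.txt.chsch": b"quarterly numbers\n" * 2000,  # plaintext that was merely renamed
        "docs/untouched.txt": b"nothing to see\n" * 100,        # wrong extension: not reported
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        return {rel: verdict for rel, (verdict, _h) in triage(root).items()}


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:14} {rel}")
```

Run triage() against a mounted forensic image or a live host's data volume; a .chsch file that scores low is worth a second look, because it either was not encrypted or the encryptor was interrupted before finishing.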

Takeaway:

Ransomware remains one of the most dangerous types of malware, and even some government-sponsored groups now use it. Sandworm is a highly capable actor that specializes in disruptive attacks of this kind. Organizations with exposure to the military conflict in Ukraine, or that the Russian state may regard as supporting Ukraine in that conflict, should maintain offline backups to limit the impact of a potential attack on data availability.

Learn about our Penetration Testing Services

Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies

(published: November 23, 2022)

Background:

Cybereason researchers detected a new Qakbot campaign that ends in Black Basta ransomware deployment. The attackers targeted companies in the US at speed, obtaining domain administrator privileges in under two hours and moving to ransomware deployment in under 12 hours. The infection starts with a phishing email delivering an IMG or ISO disk image containing a VBS script that downloads Qakbot. The attackers then steal credentials, including domain administrator accounts, deploy Cobalt Strike, move laterally, and finally deploy Black Basta across the domain.

Takeaway:

Organizations should invest in comprehensive anti-phishing training. Network defenders are advised to disable auto-mounting of disk image files (.IMG, .ISO, .VHD, and .VHDX) on user workstations, so that double-clicking an attachment does not expose its contents as a drive letter, and to block or inspect such attachments at the mail gateway, since the script inside the image is what actually starts the infection.
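Added example, not code from Cybereason's report: a mail-gateway style check in Python that parses an ISO 9660 image (the container behind .iso attachments and, in campaigns like this one, often behind .img as well) and lists any script or executable inside before a user ever mounts it. The parser reads the primary volume descriptor and directory records as laid out in ECMA-119 and descends into subdirectories; build_sample_iso() writes a constructed minimal image just sufficient for this parser (no path tables, Joliet or Rock Ridge extensions), and SCRIPT_EXTS is an assumed list. .VHD and .VHDX are a different container format and are not handled here.

```python
import struct

SECTOR = 2048
# Extensions Explorer would run on double-click from a mounted image (assumed list).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk",
               ".bat", ".cmd", ".ps1", ".exe", ".dll"}


def _dir_record(ident: bytes, extent: int, size: int, flags: int) -> bytes:
    """Build an ECMA-119 directory record; numeric fields are stored little- then big-endian."""
    body = bytearray(b"\x00\x00")                                   # [0] record length (patched), [1] ext-attr length
    body += struct.pack("<I", extent) + struct.pack(">I", extent)   # extent LBA
    body += struct.pack("<I", size) + struct.pack(">I", size)       # data length in bytes
    body += bytes(7)                                                # recording date/time (unused here)
    body += bytes([flags, 0, 0])                                    # file flags (0x02 = directory), unit size, gap
    body += struct.pack("<H", 1) + struct.pack(">H", 1)             # volume sequence number
    body += bytes([len(ident)]) + ident                             # identifier length + identifier
    if len(body) % 2:
        body += b"\x00"                                             # records are padded to even length
    body[0] = len(body)
    return bytes(body)


def build_sample_iso(files: dict[str, bytes]) -> bytes:
    """Constructed minimal image: PVD in sector 16, terminator in 17, root dir in 18, file data from 19."""
    root_lba, data_lba = 18, 19
    records = bytearray(_dir_record(b"\x00", root_lba, SECTOR, 0x02))   # "."
    records += _dir_record(b"\x01", root_lba, SECTOR, 0x02)             # ".."
    data = bytearray()
    for name, content in files.items():
        lba = data_lba + len(data) // SECTOR
        records += _dir_record((name + ";1").encode("ascii"), lba, len(content), 0)
        data += content.ljust(-(-len(content) // SECTOR) * SECTOR, b"\x00")   # pad to whole sectors
    pvd = bytearray(SECTOR)
    pvd[0:7] = b"\x01CD001\x01"                                     # type 1 = primary volume descriptor
    pvd[156:190] = _dir_record(b"\x00", root_lba, SECTOR, 0x02)     # root directory record
    terminator = bytearray(SECTOR)
    terminator[0:7] = b"\xffCD001\x01"                              # type 255 = descriptor set terminator
    return (bytes(16 * SECTOR) + bytes(pvd) + bytes(terminator)
            + bytes(records.ljust(SECTOR, b"\x00")) + bytes(data))


def _records(image: bytes, lba: int, size: int):
    """Yield (identifier, extent_lba, data_length, flags) for each record in a directory extent."""
    data = image[lba * SECTOR:lba * SECTOR + size]
    pos = 0
    while pos < len(data):
        rec_len = data[pos]
        if rec_len == 0:                                            # zero byte: padding up to the next sector
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec = data[pos:pos + rec_len]
        if len(rec) < 33 or len(rec) < 33 + rec[32]:
            raise ValueError("truncated directory record")
        yield (rec[33:33 + rec[32]],
               struct.unpack_from("<I", rec, 2)[0],
               struct.unpack_from("<I", rec, 10)[0],
               rec[25])
        pos += rec_len


def list_files(image: bytes) -> list[str]:
    """Walk the directory tree from the primary volume descriptor and return every file path."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if pvd[0:6] != b"\x01CD001":
        raise ValueError("not an ISO 9660 image: no primary volume descriptor at sector 16")
    root_lba = struct.unpack_from("<I", pvd, 156 + 2)[0]
    root_len = struct.unpack_from("<I", pvd, 156 + 10)[0]
    found = []

    def walk(lba: int, length: int, prefix: str) -> None:
        for ident, extent, size, flags in _records(image, lba, length):
            if ident in (b"\x00", b"\x01"):                         # "." and ".." entries
                continue
            name = ident.decode("ascii", "replace").split(";")[0]   # drop the ";1" version suffix
            if flags & 0x02:
                walk(extent, size, prefix + name + "/")
            else:
                found.append(prefix + name)

    walk(root_lba, root_len, "")
    return found


def suspicious_entries(image: bytes) -> list[str]:
    """Paths inside the image whose extension would run a script or binary if double-clicked."""
    hits = []
    for path in list_files(image):
        name = path.rsplit("/", 1)[-1]
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in SCRIPT_EXTS:
            hits.append(path)
    return hits


if __name__ == "__main__":
    # Constructed lure: a VBS dropper next to a decoy text file (not a real sample).
    img = build_sample_iso({"INVOICE.VBS": b'Set sh = CreateObject("WScript.Shell")\r\n',
                            "README.TXT": b"see attached\r\n"})
    print("files:", list_files(img), "flag:", suspicious_entries(img))
```

At a gateway, quarantining any image whose suspicious_entries() is non-empty catches this initial stage without relying on a signature for the specific Qakbot loader; note that attackers sometimes hide the payload in a subdirectory or behind a .lnk, both of which the walk above still surfaces.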

RansomExx Upgrades to Rust

(published: November 22, 2022)

Background:

The double-extortion DefrayX ransomware group (aka Hive0091) has rewritten its C++ RansomExx malware in the Rust programming language. This allowed the studied RansomExx sample to stay undetected on the VirusTotal platform for at least two weeks after its initial submission. The sample analyzed by IBM researchers targets Linux, but DefrayX typically releases both Linux and Windows versions of its malware.

Takeaway:

Ransomware is an evolving threat, and the most fundamental defense is a proper backup process. Follow the 3-2-1 rule: three copies of the data, on two different media, with one copy kept off-site (and ideally offline or immutable, so that it cannot be encrypted along with production systems). The impact of the data-theft half of double extortion is limited through segmentation, offline storage, encrypting data at rest, and limiting the storage of personal and sensitive data.

Yanluowang Ransomware Leaks Analysis: Organization, Collaboration with HelloKitty, Babuk and Conti

(published: November 22, 2022)

Background:

Trellix researchers analyzed over 3,000 messages leaked from the Yanluowang ransomware group's internal Matrix chat. The group communicates in Russian and appears to be Russian, despite portraying itself as Chinese and privately discussing the option of planting a Ukrainian false flag. Its members include the leader and payroll manager Saint, the lead developer Killanas (aka coder0), and the pen-testers Felix and Shoker. The group appears to be connected to the Conti and HelloKitty ransomware groups, uses Babuk ransomware code as the basis of its own Linux encryptor, and cooperates with LockBit on Bitcoin laundering.

Takeaway:

Researchers should be extremely mindful of false flags and other attribution pitfalls. Hidden cooperation between multiple ransomware groups lets threat actors evolve and adapt quickly.

Google Seeks to Make Cobalt Strike Useless to Attackers

Background:

Various threat actors rely on abusing the Cobalt Strike attack framework, mostly using leaked and cracked versions that are powerful but cannot easily be upgraded. Google researchers analyzed the framework's components: the stagers (small shellcode downloaders that run in memory without touching disk), the templates, and the beacons (final-stage implants), including the XOR encodings Cobalt Strike uses. This allowed them to build a collection of 165 Cobalt Strike-specific YARA rules covering versions up to and including 4.7.
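Added example, not Google's rule set and not code from the original article: a Python locator and decoder for the single-byte-XOR-encoded Beacon configuration that such rules key on. The config layout (packed index/type/length entries, big-endian, beginning with 00 01 00 01 00 02 for the BeaconType entry) and the keys 0x69 for 3.x and 0x2E for 4.x follow public Beacon config parsers; FIELD_NAMES is a small assumed subset of the field indices, and build_sample_beacon() is a constructed stand-in that uses a documentation IP address, not a real indicator.

```python
import struct

# Beacon stores its settings as packed entries (index:u16, type:u16, length:u16, value),
# big-endian, XOR'd with one byte. Entry 1 is BeaconType, a 2-byte short, so the decoded
# config starts 00 01 00 01 00 02. Layout and keys per public Beacon config parsers (assumed).
CONFIG_MARKER = bytes([0x00, 0x01, 0x00, 0x01, 0x00, 0x02])
KNOWN_KEYS = {0x69: "Cobalt Strike 3.x", 0x2E: "Cobalt Strike 4.x"}
MAX_CONFIG = 4096                                   # the config blob is fixed-size and zero padded
FIELD_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 8: "C2Server"}  # subset


def _xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xor_config(blob: bytes):
    """Try the documented keys first, then every other byte value; return (key, offset) or None."""
    keys = list(KNOWN_KEYS) + [k for k in range(256) if k not in KNOWN_KEYS]
    for key in keys:
        off = blob.find(_xor(CONFIG_MARKER, key))
        if off != -1:
            return key, off
    return None


def parse_config(blob: bytes, key: int, offset: int) -> dict:
    """Decode entries from `offset` until an index of 0, which is the zero padding that ends the list."""
    data = _xor(blob[offset:offset + MAX_CONFIG], key)
    entries, pos = {}, 0
    while pos + 6 <= len(data):
        idx, typ, length = struct.unpack_from(">HHH", data, pos)
        if idx == 0:
            break
        pos += 6
        raw = data[pos:pos + length]
        if len(raw) < length:
            raise ValueError("config entry runs past the end of the buffer")
        pos += length
        if typ == 1 and length == 2:
            value = struct.unpack(">H", raw)[0]             # short
        elif typ == 2 and length == 4:
            value = struct.unpack(">I", raw)[0]             # int
        else:
            value = raw.rstrip(b"\x00")                     # type 3: fixed-size, NUL-padded data
        entries[FIELD_NAMES.get(idx, idx)] = value
    return entries


def scan(blob: bytes):
    """Full pass over a memory dump or file: locate the config, decode it, name the version by key."""
    hit = find_xor_config(blob)
    if hit is None:
        return None
    key, off = hit
    return {"key": key, "offset": off, "version": KNOWN_KEYS.get(key, "unknown key"),
            "config": parse_config(blob, key, off)}


def _entry(idx: int, typ: int, raw: bytes) -> bytes:
    return struct.pack(">HHH", idx, typ, len(raw)) + raw


def build_sample_beacon() -> bytes:
    """Constructed stand-in for a Beacon image: junk bytes, a 4.x-style config, junk bytes."""
    plain = b"".join([
        _entry(1, 1, struct.pack(">H", 0)),                         # BeaconType 0 = HTTP
        _entry(2, 1, struct.pack(">H", 443)),                       # Port
        _entry(3, 2, struct.pack(">I", 60000)),                     # SleepTime in ms
        _entry(8, 3, b"203.0.113.10,/api/v1".ljust(256, b"\x00")),  # C2Server (documentation range)
    ]) + bytes(16)                                                  # zero padding terminates the list
    return b"\x90" * 64 + _xor(plain, 0x2E) + b"\x90" * 64


if __name__ == "__main__":
    print(scan(build_sample_beacon()))
```

The marker XOR'd with the 4.x key is the byte string 2e 2f 2e 2f 2e 2c (69 68 69 68 69 6b for 3.x), which is the kind of hex string a YARA rule for the beacon stage matches. A rebuilt Beacon that changes the key or the config packing is exactly the case version-specific rules miss, which is why the fallback over all 256 keys is kept; it costs little on a single dump and catches re-keyed builds.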

Takeaway:

Despite the growing number of alternatives, Cobalt Strike remains one of the most frequently abused tools. Network defenders are advised to deploy the YARA rules shared by Google to improve Cobalt Strike detection, bearing in mind that rules keyed to specific leaked versions will not match newer or heavily modified builds and should be supplemented with behavioral detections.
