UNC2596 & Cuba Ransomware

March 01, 2022

Industry: Construction Engineering, Education, Energy, Financial, Government, Healthcare, Legal, Manufacturing, Media, Oil, Technology and Transportation | Level: Tactical | Source: Mandiant

Mandiant reports activity from the threat group UNC2596, which deploys Cuba (COLDDRAW) ransomware after exploiting the Microsoft Exchange vulnerabilities ProxyShell and ProxyLogon. The threat group has targeted organizations in over 10 countries, with 80% of them based in North America. Targeted industries span many verticals, including construction engineering, education, energy, financial, government, health care, legal, manufacturing, media, oil, technology and transportation. Since 2021 the group’s extortion model has included a shaming website on which victims are listed. UNC2596 tactics have included Mimikatz and the creation of user accounts for privilege escalation. Reconnaissance has involved a ping sweeping tool and a PowerShell script that uses “Get-ADComputer”. Lateral movement is carried out with RDP, SMB, and PsExec. UNC2596 completes its operation by collecting, encrypting and exfiltrating data using batch scripts.

  • Anvilogic Use Cases:
    • Potential ProxyShell
    • Potential PHP Webshell
    • Mimikatz
    • Create/Add Local/Domain User
    • Potential Ping Sweep
    • Common Active Directory Commands
    • Remote Admin Tools
    • RDP Hijacking

CISA Advisory – BlackByte Ransomware

February 22, 2022

Industry: Financial, Food and Government | Level: Tactical | Source: IC3

The Cybersecurity & Infrastructure Security Agency (CISA) has published an advisory on the BlackByte Ransomware-as-a-Service (RaaS) group. The group’s activity since November 2021 has been disruptive and highly impactful: “BlackByte ransomware has compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture).” The group uses a variety of techniques, including web shells, scheduled tasks, registry key modification, and tampering with services, Windows Defender, and shadow copies.

  • Anvilogic Scenario: BlackByte Behaviors
  • Anvilogic Use Cases:
    • Potential Web Shell
    • Create/Modify Schtasks
    • Encoded Powershell Command
    • Registry key added with reg.exe
    • Service Stop Commands

Blackbyte Ransomware Hits NFL 49ers

February 15, 2022

Industry: Entertainment | Level: Strategic | Sources: BleepingComputer & TheRecord

A spokesperson for the NFL team the San Francisco 49ers disclosed a ransomware attack by operators of BlackByte ransomware to the news outlets The Record and BleepingComputer. Information is currently limited, with the team working to recover impacted systems. A statement from the 49ers reads, “While the investigation is ongoing, we believe the incident is limited to our corporate IT network; to date, we have no indication that this incident involves systems outside of our corporate network, such as those connected to Levi’s Stadium operations or ticket holders.” The 49ers are engaging with law enforcement and third-party cybersecurity firms to assist with the investigation.

Conti Ransomware Hits KP Snacks

February 08, 2022

Industry: Food | Level: Strategic | Source: BleepingComputer

On January 28th, 2022, the British snack producer KP Snacks was compromised by the Conti ransomware gang. Data compromised in the attack includes various sensitive documents, employee records and financial documents, and Conti has leaked data stolen from the company. A shortage of KP Snacks products is expected because of the disruption to its supply chain, with deliveries being delayed or canceled. The company has notified markets that the shortages may last until the end of March.

Swissport International Ransomware Attack

February 08, 2022

Industry: Aviation | Level: Strategic | Source: BleepingComputer

Swissport International, an aviation services company, disclosed a ransomware attack via the company’s official Twitter account on February 4th, 2022. The main impact of the attack on the company’s IT infrastructure has been flight delays, as the company provides services for “cargo handling, security, maintenance, cleaning, and lounge hospitality for 310 airports in 50 countries. It handles 282 million passengers and 4.8 million tons of cargo every year, making it a vital link in the global aviation travel industry chain.” Throughout the day of February 4th the company’s website was inoperable, returning HTTP 403 error codes to visitors. Despite the IT infrastructure issues, ground services remain available with some potential delays. No details have been shared regarding the ransomware gang responsible for the incident or what data was compromised during the attack.

Sugar Ransomware

February 08, 2022

Industry: N/A | Level: Strategic | Source: Medium

A new Ransomware-as-a-Service (RaaS) offering, Sugar, was identified in November 2021 by the Walmart Security Team. The new RaaS gang is not targeting large corporations, but rather individual devices or small businesses. The ransom demanded is reported to be only a few hundred dollars. No relevant tactical details have yet been identified for the ransomware, but analysis has found that it uses the SCOP encryption algorithm. A similarity in website design was found between the Cl0p ransomware ransom page and that of Sugar RaaS.

Koxic Ransomware

February 08, 2022

Industry: N/A | Level: Tactical | Source: Cyble

Research from Cyble Research Labs provides a deep-dive analysis of Koxic ransomware. During execution, the sample collects system information and modifies registry keys to assist with lateral movement and to tamper with system defenses such as Windows Defender and anti-virus products. Any running security applications are terminated and shadow copies are deleted. Prior to encryption, sensitive information is collected and written to a file in the TEMP directory. Once the desired data is collected, it is exfiltrated to the attacker, and the ransom note is distributed to victim hosts in the environment. Encrypted files are given the extension “KOXIC_KLIBD.”

  • Anvilogic Scenario: Koxic Ransomware
  • Anvilogic Use Cases:
    • Executable Process from Suspicious Folder
    • Modify Registry Key
    • Inhibit System Recovery commands
    • Output to File
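The behaviours named in the UNC2596, BlackByte and Koxic entries above (ping sweeps, Get-ADComputer reconnaissance, shadow copy deletion, stopping defensive services, registry changes with reg.exe, PsExec) all surface in process-creation telemetry. The Python below is an added example of what detection logic for those use cases can look like; it is not Anvilogic’s detection content and not code from any of the cited reports. The event schema, the rule patterns, the “five distinct targets within sixty seconds” ping-sweep threshold and the sample events are all constructed assumptions for the demonstration.

```python
"""Toy detection pass over constructed Sysmon-style process-creation events.
Added example; not Anvilogic detection content. Field names, rule regexes,
thresholds and sample events are assumptions made for this illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Single-event rules: (use-case name, regex applied to the lowercased command line).
SINGLE_EVENT_RULES = [
    ("Inhibit System Recovery commands",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("Service Stop Commands",
     re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+")),
    ("Registry key added with reg.exe",
     re.compile(r"\breg(\.exe)?\s+add\b")),
    ("Common Active Directory Commands",
     re.compile(r"get-adcomputer")),
    ("Remote Admin Tools",
     re.compile(r"\bpsexec\d*(\.exe)?\b")),
]

# Ping sweep: many distinct IPv4 targets from one (host, parent process) in a short window.
PING_RE = re.compile(r"\bping(\.exe)?\b.*?(\d{1,3}(?:\.\d{1,3}){3})")
PING_SWEEP_THRESHOLD = 5            # distinct targets (assumed threshold)
PING_SWEEP_WINDOW = timedelta(seconds=60)


def detect_single_event(event):
    """Return the names of all single-event rules the command line matches."""
    cmd = event["CommandLine"].lower()
    return [name for name, rx in SINGLE_EVENT_RULES if rx.search(cmd)]


def detect_ping_sweeps(events):
    """Return the set of (host, parent image) pairs that pinged at least
    PING_SWEEP_THRESHOLD distinct addresses inside one PING_SWEEP_WINDOW."""
    pings = defaultdict(list)                    # (host, parent) -> [(time, ip)]
    for e in events:
        m = PING_RE.search(e["CommandLine"].lower())
        if m:
            pings[(e["Host"], e["ParentImage"])].append((e["Time"], m.group(2)))
    hits = set()
    for key, seq in pings.items():
        seq.sort()                               # sliding window over time-ordered pings
        for i, (t0, _) in enumerate(seq):
            targets = {ip for t, ip in seq[i:] if t - t0 <= PING_SWEEP_WINDOW}
            if len(targets) >= PING_SWEEP_THRESHOLD:
                hits.add(key)
                break
    return hits


def run_detections(events):
    """Return a sorted list of (use case, host, detail) findings."""
    findings = []
    for e in events:
        for name in detect_single_event(e):
            findings.append((name, e["Host"], e["CommandLine"]))
    for host, parent in detect_ping_sweeps(events):
        findings.append(("Potential Ping Sweep", host, parent))
    return sorted(findings)


# Constructed sample telemetry (not real logs). T0 is an arbitrary base time.
T0 = datetime(2022, 2, 1, 9, 0, 0)


def _ev(host, secs, parent, cmd):
    return {"Host": host, "Time": T0 + timedelta(seconds=secs),
            "ParentImage": parent, "CommandLine": cmd}


SAMPLE_EVENTS = [
    # WS01: six pings to consecutive addresses in 25 seconds, then AD enumeration.
    *[_ev("WS01", 5 * i, "cmd.exe", f"ping -n 1 10.0.0.{i + 1}") for i in range(6)],
    _ev("WS01", 40, "powershell.exe", 'powershell -c "Get-ADComputer -Filter * | Select Name"'),
    # WS02: recovery inhibition, defence tampering and remote admin tooling.
    _ev("WS02", 100, "cmd.exe", "vssadmin.exe delete shadows /all /quiet"),
    _ev("WS02", 101, "cmd.exe", "sc stop WinDefend"),
    _ev("WS02", 102, "cmd.exe", r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'),
    _ev("WS02", 150, "cmd.exe", r"PsExec.exe \\WS03 -s cmd.exe"),
    # WS03: a single ping from a user session, which should not fire the sweep rule.
    _ev("WS03", 200, "explorer.exe", "ping -n 1 8.8.8.8"),
]

if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints six findings: the AD reconnaissance on WS01, the four single-event hits on WS02, and one Potential Ping Sweep attributed to cmd.exe on WS01; the lone ping from WS03 stays below the sweep threshold. Single-event rules are cheap and keyword-driven, so in production they belong beside allow-listing for known administrative scripts; the ping-sweep rule shows the aggregation a SIEM needs for behaviours that are only suspicious in volume.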

RRD Victim of Conti Ransomware Attack

January 25, 2022

Industry: Communications & Marketing | Level: Strategic | Source: BleepingComputer

The communications company R.R. Donnelley & Sons (RRD) was the victim of a Conti ransomware attack in December 2021, filing a disclosure with the SEC on December 27th, 2021. The compromise led to the shutdown of the company’s network to contain the attack, resulting in an interruption to business operations. Initially, RRD did not identify any compromise of client data; however, the Conti gang claimed on January 15th that 2.5 GB of data were stolen. It appears both sides are cooperating, given that Conti has removed the leaked data from public view. The issue and its impact are still developing, with RRD stating in its SEC filing, “At this time, however, the Company has become aware that certain of its corporate data was accessed and exfiltrated, the nature of which is being actively examined. Based on information known to date, the Company believes the access and exfiltration was in connection with the previously disclosed systems intrusion and not a new incident.”

Mandiant – AVADDON Ransomware

January 25, 2022

Industry: N/A | Level: Operational | Source: Mandiant

Mandiant has published research on AVADDON ransomware, which operated between June 2020 and June 2021, when the group shut down and its private encryption keys were released. The ransomware was initially advertised on Russian-speaking forums and targeted a variety of industry verticals. Nearly all sectors were impacted; however, the highest victim counts were in education, finance, government, healthcare, and technology. Based on the RaaS TTPs, Mandiant speculates a potential link between AVADDON, BLACKMATTER and SABBATH. Observed TTPs included the use of initial access brokers for compromised credentials, the custom web shells BLACKCROW and DARKRAVEN, RDP for lateral movement, EMPIRE and POWERSPLOIT for post-exploitation, scheduled tasks for persistence, 7zip for data archival, and MEGAsync for data staging and exfiltration.

  • Anvilogic Scenario: Avaddon Ransomware – Behaviors
  • Anvilogic Use Cases:
    • Potential Web Shell
    • Mimikatz
    • RDP Hijacking
    • Create/Modify Schtasks
    • PowerSploit Get-system.ps1