
    Date: 6/27/2022

    New LockBit Ransomware Phishing Campaign 

    Overview

    Security analysts at the South Korean security vendor AhnLab have identified a new LockBit ransomware campaign. The campaign uses phishing emails posing as copyright infringement claims, each carrying a compressed file attachment. The archive contains executables that display a PDF file icon so that they pass as documents; most are NSIS installers whose embedded .nsi scripts carry out the initial compromise.

    Once the installer runs, LockBit ransomware is dropped and executed, encrypting the data on the compromised system.

    Potential Impact

    LockBit is one of the most prolific ransomware families currently active. NCC Group attributes more than 40% of the 236 ransomware attacks it recorded in May 2022 to LockBit, more than Conti, Black Basta, Hive, and BlackCat combined. LockBit is compromising organizations across the globe, including North and South America and Europe, and most victims are subsequently listed on LockBit's name-and-shame Tor leak site.

    Recommended Actions

    Because phishing is currently the most commonly observed initial access vector for LockBit, organizations should conduct routine, role-appropriate security awareness training for all personnel; this lure in particular should be called out, since a copyright claim that arrives as a compressed attachment rather than a document is itself the warning sign. Mail gateways should block or quarantine archives that contain executables, and Endpoint Detection and Response (EDR) should be deployed to detect and contain ransomware on endpoint devices before encryption spreads.
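As an added illustration of the attachment chain described above (this is example code written for this briefing, not AhnLab's analysis and not a sample from the campaign), the following Python triage routine walks a compressed attachment and flags the lure characteristics named in the overview: a document extension placed in front of an executable extension, a file whose content is a Windows executable ("MZ") despite a document name, and the "NullsoftInst" and "Nullsoft Install System" marker strings that NSIS writes into every installer it builds. The archive members are constructed stand-ins rather than real malware, and the function and finding names are our own.

```python
import io
import zipfile

# Extensions a phishing lure pretends to be; the LockBit campaign used PDF icons.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Extensions Windows will run when the file is double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}
# Marker strings NSIS writes into every installer it builds: the installer
# header signature and the version string in the installer stub.
NSIS_MARKERS = (b"NullsoftInst", b"Nullsoft Install System")


def triage_attachment(name: str, data: bytes) -> list:
    """Return the findings for one extracted attachment (empty list if clean).

    The checks are content-based where possible: a file that claims to be a
    document but starts with the PE magic 'MZ' is flagged no matter what icon
    it shows, and NSIS-built executables are flagged on the marker strings
    NSIS embeds in the installer.
    """
    findings = []
    base = name.lower().rsplit("/", 1)[-1]          # strip any folder inside the archive
    exts = ["." + p for p in base.split(".")[1:]]   # every extension, e.g. ['.pdf', '.exe']
    final_ext = exts[-1] if exts else ""
    is_pe = data[:2] == b"MZ"

    # 1. Double extension such as 'claim.pdf.exe': a document extension in front of an executable one.
    if final_ext in EXECUTABLE_EXTENSIONS and any(e in DOCUMENT_EXTENSIONS for e in exts[:-1]):
        findings.append("double_extension")
    # 2. Name says document, content says Windows executable.
    if final_ext in DOCUMENT_EXTENSIONS and is_pe:
        findings.append("pe_disguised_as_document")
    # 3. Any executable inside a "copyright claim" archive is suspicious on its own.
    if final_ext in EXECUTABLE_EXTENSIONS and is_pe:
        findings.append("executable_attachment")
    # 4. NSIS installer, the payload type seen in this campaign.
    if is_pe and any(marker in data for marker in NSIS_MARKERS):
        findings.append("nsis_installer")
    return findings


def triage_archive(archive: bytes) -> dict:
    """Triage every member of a zip attachment; returns {member name: findings}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                # The first 4 MiB is enough for the PE header and the NSIS stub.
                data = member.read(4 * 1024 * 1024)
            results[info.filename] = triage_attachment(info.filename, data)
    return results


def build_sample_archive() -> bytes:
    """Constructed sample archive: stand-ins for the lure, not real malware."""
    fake_nsis = b"MZ" + b"\x00" * 64 + b"NullsoftInst" + b"\x00" * 16  # PE magic + NSIS marker
    real_pdf = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    renamed_pe = b"MZ" + b"\x00" * 80                                   # executable renamed to .pdf
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Copyright_Claim.pdf.exe", fake_nsis)
        zf.writestr("Licence_notice.pdf", real_pdf)
        zf.writestr("Image_list.pdf", renamed_pe)
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in triage_archive(build_sample_archive()).items():
        print(f"{member}: {findings or 'clean'}")
```

A production pipeline would go further (parse the PE, extract the embedded .nsi script with 7-Zip, detonate the file in a sandbox); the point here is that the icon the user sees is not a signal, and the content checks work whatever the icon shows.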


      Codesys Patches Critical Vulnerabilities for ICS Controllers

      Overview

      Codesys has published patches for more than a dozen vulnerabilities disclosed within the last month, most of them discovered by researchers at Cisco Talos and at the Chinese cybersecurity firm NSFocus. The Codesys automation software runs on programmable logic controllers (PLCs) from many vendors and is widely used in Industrial Control System (ICS) environments, so unpatched installations could have a major impact.

      Potential Impact

      One vulnerability, tracked as CVE-2021-33485, is a critical heap-based buffer overflow that can be exploited remotely with specially crafted requests. Several others are unsafe deserialization bugs that can lead to remote code execution. No active exploitation has been reported yet, but all of the vulnerabilities addressed by Codesys should be patched, since a remotely exploitable PLC is reachable by anyone who can route to it.

      Recommended Actions

      Keeping PLCs and the software that runs on them patched and properly secured is critical to any ICS environment and should be a priority for the security team. Where a controller cannot be patched promptly, restrict network access to it so that only the engineering workstations that need it can reach it. The advisories and their individual patches are published on Codesys' official security reports page: https://www.codesys.com/security/security-reports.html

      Sources

      https://www.securityweek.com/codesys-patches-dozen-vulnerabilities-industrial-automation-products
      https://blog.talosintelligence.com/2021/07/vuln-spotlight-codesys-.html
      https://www.codesys.com/security/security-reports.html

      Increase in RIG Exploit Kit Usage

      Overview

      Researchers at Bitdefender have noted an increase in RIG exploit kit activity since January 2022. RIG is an actively maintained exploit kit that distributes a variety of malware. It is typically planted on compromised websites and exploits vulnerabilities in visitors' browsers to infect them with trojans. In the past RIG delivered Raccoon Stealer, a credential-stealing trojan sold on dark web forums as a malware-as-a-service offering for about USD 200 a month. In recent months, however, RIG has switched to delivering Dridex and its variants.

      Potential Impact

      Dridex is a banking trojan that threatens both the confidentiality of customer data and the availability of the systems behind business processes. It has been observed capturing screenshots, injecting into other processes, and enrolling compromised systems in its botnet, and it is used to stage post-compromise activity such as privilege escalation and exfiltration of sensitive data; Dridex infections have also preceded ransomware deployments.

      Recommended Actions

      RIG reaches victims through the browser, and the kit is hosted on compromised websites, so there are two sets of defenders. Organizations that run public websites must make sure they are properly tested, sanitize input on all forms, and keep their web servers patched and up to date so they are not turned into a delivery point. Organizations protecting their users must keep browsers and browser plugins patched, since an exploit kit only succeeds against unpatched client software.

      To combat Dridex, deploy Endpoint Detection and Response (EDR) and maintain adequate patching schedules and vulnerability scans. Dridex is also distributed heavily through phishing campaigns which, while not attributed to the RIG exploit kit, should be addressed as well, through security awareness training for all personnel that stresses email security.

      Sources
      https://cyware.com/news/new-activities-of-rig-exploit-kit-observed-4e18e312
      https://www.bitdefender.com/blog/labs/rig-exploit-kit-swaps-dead-raccoon-with-dridex/
      https://www.cisa.gov/uscert/ncas/alerts/aa19-339a

      Suspect Convicted in Capital One Attack of 2019

      Overview

      Paige Thompson, a former AWS employee, was convicted of wire fraud and unauthorized access to a protected computer for stealing data from Capital One's AWS environment in 2019. The intrusion abused a misconfigured web application firewall to obtain credentials that gave her access to the bank's S3 storage buckets. During her tenure with AWS, Thompson worked in the division that handled Capital One's data.

      Potential Impact

      Thompson's intrusion exposed the personal information of more than 100 million people. Cloud misconfigurations remain a common root cause of attacks on cloud environments.

      Commentary

      Combining misconfigured cloud assets with the knowledge of a former insider, this case underscores the importance of vulnerability scanning of all assets, whether hosted in the cloud or on premises.

      Recommended Actions

      Hardware and software asset inventories must include every asset, whether on premises or in the cloud, and every one of them must be included in regular vulnerability scanning and remediation. That scanning should cover configuration as well as missing patches: publicly readable storage, overly permissive roles, and exposed management interfaces are findings a patch-only scan will never report. Tune in on July 14, 2022, for the GreyCastle Security webcast “Managing Cloud Computing’s Cybersecurity and Information Risk”.
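The following Python checker, added to this briefing as an example (it is not GreyCastle's, AWS's, or any code from the Capital One case), evaluates the bucket-level exposure class this item refers to. It takes a bucket policy, an ACL, and a Public Access Block configuration in the shape returned by aws s3api get-bucket-policy, get-bucket-acl, and get-public-access-block, and reports grants to everyone and blocks that are not enabled. The sample inputs are constructed (the bucket name, the 123456789012 account ID, and the VPC ID are fictitious) and the function names are ours. It does not model the web application firewall and credential path of the Capital One intrusion itself.

```python
import json

# S3 predefined groups that make an ACL grant public.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# The four Public Access Block settings; all four should be true on every bucket.
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def principal_is_everyone(principal) -> bool:
    """True for the wildcard principal in any of the forms a bucket policy allows."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy: dict) -> list:
    """Return (Sid, severity) for every Allow statement granted to everyone.

    A wildcard principal with no Condition is public outright. With a Condition
    the statement still needs review: only some condition keys (aws:SourceVpc,
    aws:PrincipalOrgID, ...) actually narrow who can use the grant.
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a policy may carry a single statement object
        statements = [statements]
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not principal_is_everyone(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        findings.append((sid, "public" if "Condition" not in stmt else "public_with_condition"))
    return findings


def public_acl_grants(acl: dict) -> list:
    """Return (group, permission) for ACL grants to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            findings.append((PUBLIC_ACL_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings


def missing_public_access_blocks(pab: dict) -> list:
    """Return the Public Access Block settings that are not enabled on the bucket."""
    config = pab.get("PublicAccessBlockConfiguration", {})
    return [setting for setting in PAB_SETTINGS if not config.get(setting, False)]


def assess_bucket(policy: dict, acl: dict, pab: dict) -> list:
    """Combine the three checks into one list of findings for a bucket."""
    findings = [f"policy:{sid}:{severity}" for sid, severity in public_policy_statements(policy)]
    findings += [f"acl:{group}:{permission}" for group, permission in public_acl_grants(acl)]
    findings += [f"pab_missing:{setting}" for setting in missing_public_access_blocks(pab)]
    return findings


# Constructed sample inputs in the shape of the s3api responses; the bucket,
# account ID and VPC ID are fictitious.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-data/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-data",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}}}
  ]
}""")
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "bucket-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": False,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": True,
}}

if __name__ == "__main__":
    for finding in assess_bucket(SAMPLE_POLICY, SAMPLE_ACL, SAMPLE_PAB):
        print(finding)
```

Run the three checks against every bucket in the inventory, not only the ones known to hold sensitive data; a bucket that is missing from the inventory is exactly the one this kind of scan never sees.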

      Sources
      https://www.securityweek.com/jury-convicts-seattle-woman-massive-capital-one-hack
      https://www.theregister.com/2022/06/20/captial_one_wire_fraud/

      CISA Publishes Advice on Securing PowerShell in Windows Environments

      Overview

      Last week, CISA released a document providing guidance on securing Windows PowerShell, titled Keeping PowerShell: Security Measures to Use and Embrace. It is a joint effort by CISA, the NSA, the New Zealand National Cyber Security Centre (NZ NCSC), and the UK National Cyber Security Centre (NCSC-UK). The document offers several recommendations for securing and restricting PowerShell usage without removing the tool.

      Recommended Actions

      PowerShell is a potent tool for system administration, incident response, and forensics, and an equally attractive tool for threat actors attacking Windows environments. The guidance therefore advises against disabling PowerShell outright. Instead: keep it on a current version (the legacy PowerShell 2.0 engine lacks the security features below and should be disabled); use PowerShell remoting over WinRM or SSH rather than leaving credentials on each host; enforce Constrained Language Mode through AppLocker or Windows Defender Application Control; rely on the Antimalware Scan Interface (AMSI) integration; and turn on script block logging, module logging, and transcription, forwarding the resulting event logs to a central collector where detection rules can run over them. When configured this way and combined with staff training, PowerShell can be one of an organization's strongest security assets.

      Sources
      https://www.cisa.gov/uscert/ncas/current-activity/2022/06/22/keeping-powershell-measures-use-and-embrace

      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.

      For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.

