
Threat Source newsletter (May 11, 2023) — So much for that ransomware decline

2023-05-11 18:00:38
Jonathan Munshaw
blog.talosintelligence.com

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

EPSS: 0.969 High (Percentile: 99.5%)


Welcome to this week's edition of the Threat Source newsletter.

I wrote a few weeks ago about how, between the public and private sectors, the security community was making some strides in fighting back against ransomware.

Reports indicate that revenue for ransomware actors was down in 2022, and recent disruptions to larger ransomware networks like Hive have at least forced some actors offline for now.

It seems that if you were to survey various cybersecurity researchers, thought leaders and policymakers, there would be a mixed consensus on whether ransomware is still the biggest problem defenders face today.

The White House and U.S. Department of Justice seem bullish on their efforts to shut down ransomware gangs and dark web sites.

But recently, I've noticed that ransomware is still making headlines. This is completely anecdotal, but recent major examples come to mind:

These are just a handful of examples of recent ransomware attacks, but these stories have made me rethink my stance on where we stand with ransomware in 2023. I am trying to look for the space where both things can be true – ransomware may not be as profitable for actors as it once was, but the volume of attacks may not be changing all that much.

As education around ransomware, cyber insurance and whether to pay a requested ransom improves, a company hit with ransomware may be better prepared to rebound and recover faster than they were in, say, 2020.

Many companies are now keeping incident response teams (like Talos IR) on retainer to help in real-time with attacks, and with everyone shouting from the rooftops about the importance of backups, ransomware victims may be less likely to pay the ransom than they once were and simply rely on backups and Golden Images to recover quickly and resume normal business operations.

It's too soon to make definitive statements about ransomware in 2023, but I'll definitely be interested to see the next round of "Year in Review" reports come February 2024 to find out if ransomware is still the one thing we should all be talking about.

The one big thing

Talos researchers have discovered a new phishing-as-a-service tool called "Greatness" that's being used in the wild to target businesses across multiple continents. Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots.

Why do I care?

Greatness creates convincing phishing pages to steal Microsoft Office login credentials from large organizations. Since it's an "as a service" tool, anyone could conceivably purchase access to this tool. We've already seen it be used in attacks dating back to mid-2022 so there's no reason to believe this threat won't be around for a while.

So now what?

Although Greatness is a new and advanced phishing threat, detection and prevention essentially remain the same as with all phishing and spam threats. All organizations should have education in place to teach users about the dangers of phishing and how to spot illegitimate emails, attachments and links.

Top security headlines of the week

Newer exploit code for the critical PaperCut vulnerability is now available that bypasses existing detection. The vulnerability, tracked as CVE-2023-27350, is an unauthenticated remote code execution vulnerability in PaperCut MF or NG versions 8.0 or later that attackers have actively used in ransomware attacks. Exploit code first became available several weeks ago, and the new POC can bypass Sysmon-based detections that are already in place. Microsoft security researchers also say that two Iranian state-sponsored actors are now exploiting the vulnerability in the PaperCut MF/NG print management software: MuddyWater and Charming Kitten. The vulnerability originally received a 9.8 CVSS severity score. (Bleeping Computer, SecurityWeek)

The FBI says it disrupted the infamous Russian Snake malware network this week, using a tool that forced the program to self-destruct on infected computers. A release from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) stated that Snake infrastructure was found in more than 50 different countries. Russia's Federal Security Service (FSB) was known for using Snake to target high-profile targets and collect sensitive information, with the FBI calling it Russia's "premiere espionage tool." Cybersecurity agencies from several other countries have released details on how potentially infected machines can recover and additional steps taken to ensure Snake's functionality is continually impaired. (CBS News, CISA)

Two vulnerabilities being actively exploited in the wild headlined a relatively light Microsoft Patch Tuesday this week. In all, Microsoft disclosed 40 vulnerabilities, the fewest in a month since December 2019. One of the zero-day vulnerabilities, CVE-2023-29336, is an elevation of privilege vulnerability in the Win32k kernel-mode driver that could allow an adversary to gain SYSTEM privileges. Another, CVE-2023-24932, is a Secure Boot Security Feature Bypass issue that the BlackLotus malware group is already exploiting. In all, this Patch Tuesday includes seven critical vulnerabilities and 33 that are considered "important." (Talos blog, Krebs on Security)

Can't get enough Talos?

Upcoming events where you can find Talos

**BSidesFortWayne** (May 20)
Fort Wayne, IN

**Cisco Live U.S.** (June 4 - 8)
Las Vegas, NV

Most prevalent malware files from Talos telemetry over the past week

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 **MD5:** 2915b3f8b703eb744fc54c81f4a9c67f **Typical Filename:** VID001.exe **Claimed Product:** N/A **Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1 **MD5:** 3e10a74a7613d1cae4b9749d7ec93515 **Typical Filename:** IMG001.exe **Claimed Product:** N/A **Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934 **MD5:** 93fefc3e88ffb78abb36365fa5cf857c **Typical Filename:** Wextract **Claimed Product:** Internet Explorer **Detection Name:** PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa **MD5:** df11b3105df8d7c70e7b501e210e3cc3 **Typical Filename:** DOC001.exe **Claimed Product:** N/A **Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c **MD5:** a087b2e6ec57b08c0d0750c60f96a74c **Typical Filename:** AAct.exe **Claimed Product:** N/A **Detection Name:** PUA.Win.Tool.Kmsauto::1201
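The hash list above is only useful if it ends up in a lookup that runs against your own file telemetry. The following is an added example, not code from Talos or from this newsletter: it parses the five entries exactly as they are printed here (tolerating the stray bold markers the page carries), indexes them by SHA-256 and MD5, and runs a constructed set of file-creation events (hypothetical hostnames and paths, not real telemetry) through that index. Two of the sample events reuse hashes from the list so the match path is exercised; the third carries a freshly computed hash of constructed bytes and must not match.

```python
import hashlib
import re
from dataclasses import dataclass

# The five entries from this newsletter's "Most prevalent malware files" list,
# copied in the page's own label format (bold markers stripped before parsing).
IOC_TEXT = """
SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 **MD5:** 2915b3f8b703eb744fc54c81f4a9c67f Typical Filename: VID001.exe Claimed Product: N/A Detection Name: Win.Worm.Coinminer::1201
SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1 MD5: 3e10a74a7613d1cae4b9749d7ec93515 Typical Filename: IMG001.exe Claimed Product: N/A Detection Name: Win.Dropper.Coinminer::1201
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934 MD5: 93fefc3e88ffb78abb36365fa5cf857c Typical Filename: Wextract Claimed Product: Internet Explorer Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa MD5: df11b3105df8d7c70e7b501e210e3cc3 Typical Filename: DOC001.exe Claimed Product: N/A Detection Name: Win.Worm.Coinminer::1201
SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c MD5: a087b2e6ec57b08c0d0750c60f96a74c Typical Filename: AAct.exe Claimed Product: N/A Detection Name: PUA.Win.Tool.Kmsauto::1201
"""

# One entry per line; non-greedy fields stop at the next label so
# multi-word values such as "Internet Explorer" are captured whole.
IOC_RE = re.compile(
    r"SHA 256:\s*(?P<sha256>[0-9a-f]{64})\s+"
    r"MD5:\s*(?P<md5>[0-9a-f]{32})\s+"
    r"Typical Filename:\s*(?P<filename>.+?)\s+"
    r"Claimed Product:\s*(?P<product>.+?)\s+"
    r"Detection Name:\s*(?P<detection>\S+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Ioc:
    sha256: str
    md5: str
    filename: str
    product: str
    detection: str


def parse_iocs(text):
    """Parse newsletter-style IoC lines into Ioc records (hashes lowercased)."""
    cleaned = text.replace("*", "")  # drop markdown bold remnants
    records = []
    for m in IOC_RE.finditer(cleaned):
        f = {k: v.strip() for k, v in m.groupdict().items()}
        f["sha256"] = f["sha256"].lower()
        f["md5"] = f["md5"].lower()
        records.append(Ioc(**f))
    return records


def build_index(iocs):
    """Map (algorithm, digest) -> Ioc so either hash type can be looked up."""
    index = {}
    for ioc in iocs:
        index[("sha256", ioc.sha256)] = ioc
        index[("md5", ioc.md5)] = ioc
    return index


def digests_for_bytes(data):
    """SHA-256 and MD5 of an in-memory blob, in the index's key format."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


# Constructed file-creation events (hypothetical hosts/paths, not real data).
# Digest case varies on purpose: real exports are inconsistent about it.
SAMPLE_EVENTS = [
    {"host": "ws-0412", "path": r"C:\Users\alice\Downloads\VID001.exe",
     "sha256": "9F1F11A708D393E0A4109AE189BC64F1F3E312653DCF317A2BD406F18FFCC507"},
    {"host": "ws-0417", "path": r"C:\Windows\Temp\AAct.exe",
     "sha256": "e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c"},
    {"host": "ws-0420", "path": r"C:\Program Files\Vendor\setup.exe",
     **digests_for_bytes(b"benign installer bytes (constructed)")},
    {"host": "ws-0421", "path": r"C:\Users\bob\Downloads\DOC001.exe",
     "md5": "DF11B3105DF8D7C70E7B501E210E3CC3"},  # MD5-only source
]


def match_events(events, index):
    """Return one hit per event whose SHA-256 or MD5 is in the IoC index."""
    hits = []
    for ev in events:
        for algo in ("sha256", "md5"):
            digest = ev.get(algo)
            if digest and (algo, digest.lower()) in index:
                ioc = index[(algo, digest.lower())]
                hits.append({"host": ev["host"], "path": ev["path"],
                             "matched_on": algo, "detection": ioc.detection,
                             "typical_filename": ioc.filename})
                break  # one hit per event is enough
    return hits


if __name__ == "__main__":
    index = build_index(parse_iocs(IOC_TEXT))
    for hit in match_events(SAMPLE_EVENTS, index):
        print(f"{hit['host']}: {hit['path']} -> {hit['detection']} "
              f"(matched on {hit['matched_on']})")
```

SHA-256 is preferred as the primary key; the MD5 branch exists only because some log sources still export nothing else, and a match on it should be treated as a lead to confirm rather than a verdict. Note also that a hash match tells you a known file landed on disk, not whether it ran; pair the hit with process-creation telemetry before calling it an incident.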
