Threat Source newsletter (May 11, 2023) — So much for that ransomware decline


TALOS

Thursday, May 11, 2023 14:05

Welcome to this week’s edition of the Threat Source newsletter.

I wrote a few weeks ago about how, between the public and private sectors, the security community was making some strides in fighting back against ransomware.

Reports indicate that revenue for ransomware actors was down in 2022, and recent disruptions to larger ransomware networks like Hive have at least forced some actors offline for now.

It seems like if you were to survey various cybersecurity researchers, thought leaders and policymakers, there is a mixed consensus on whether ransomware is still the biggest problem defenders face today.

The White House and U.S. Department of Justice seem bullish on their efforts to shut down ransomware gangs and dark web sites.

But recently, I’ve noticed that ransomware is still making headlines. This is completely anecdotal, but recent major examples come to mind:

  • A ransomware attack on the city of Dallas, Texas is still disrupting many social services as of Wednesday, including hampering police communications and operations, and potentially putting personal information at risk.

  • Ransomware group BlackCat claims it was responsible for an attack on Western Digital, a computer drive manufacturer, including stealing partial credit card numbers from customers.

  • San Bernardino County in California paid $1.1 million to resolve a ransomware incident.

  • Capita, a U.K.-based outsourcing and professional services company, says a recent ransomware attack on its systems could cost the company up to $25 million, without saying whether that includes a ransom payment.

These are just a handful of examples of recent ransomware attacks, but these stories have made me rethink my stance on where we stand with ransomware in 2023. I am trying to look for the space where both things can be true — ransomware may not be as profitable for actors as it once was, but the volume of attacks may not be changing all that much.

As education around ransomware, cyber insurance and whether to pay a requested ransom improves, a company hit with ransomware may be better prepared to rebound and recover faster than they were in, say, 2020.

Many companies are now keeping incident response teams (like Talos IR) on retainer to help in real-time with attacks, and with everyone shouting from the rooftops about the importance of backups, ransomware victims may be less likely to pay the ransom than they once were and simply rely on backups and Golden Images to recover quickly and resume normal business operations.

It’s too soon to make definitive statements about ransomware in 2023, but I’ll definitely be interested to see the next round of “Year in Review” reports come February 2024 to find out if ransomware is still the one thing we should all be talking about.

The one big thing

Talos researchers have discovered a new phishing-as-a-service tool called “Greatness” that’s being used in the wild to target businesses across multiple continents. Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots.

Why do I care?

Greatness creates convincing phishing pages to steal Microsoft Office login credentials from large organizations. Since it’s an “as a service” tool, anyone could conceivably purchase access to this tool. We’ve already seen it used in attacks dating back to mid-2022, so there’s no reason to believe this threat won’t be around for a while.

So now what?

Although Greatness is a new and advanced phishing threat, detection and prevention essentially remain the same as with all phishing and spam threats. All organizations should have education in place to teach users about the dangers of phishing and how to spot illegitimate emails, attachments and links.

Top security headlines of the week

Newer exploit code that bypasses existing detection is now available for the critical PaperCut vulnerability. The vulnerability, tracked as CVE-2023-27350, is an unauthenticated remote code execution vulnerability in PaperCut MF or NG versions 8.0 or later that attackers have actively used in ransomware attacks. Exploit code first became available several weeks ago, and the new PoC can bypass Sysmon-based detections that are already in place. Microsoft security researchers also say that two Iranian state-sponsored actors, MuddyWater and Charming Kitten, are now exploiting the vulnerability in the PaperCut MF/NG print management software. The vulnerability originally received a 9.8 CVSS severity score. (Bleeping Computer, SecurityWeek)

The FBI says it disrupted the infamous Russian Snake malware network this week, using a tool that forced the program to self-destruct on infected computers. A release from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) stated that Snake infrastructure was found in more than 50 different countries. Russia’s Federal Security Service (FSB) was known for using Snake to target high-profile targets and collect sensitive information, with the FBI calling it Russia’s “premier espionage tool.” Cybersecurity agencies from several other countries have released details on how potentially infected machines can recover and additional steps taken to ensure Snake’s functionality is continually impaired. (CBS News, CISA)

Two vulnerabilities being actively exploited in the wild headlined a relatively light Microsoft Patch Tuesday this week. In all, Microsoft disclosed 40 vulnerabilities, the fewest in a month since December 2019. One of the zero-day vulnerabilities, CVE-2023-29336, is an elevation of privilege vulnerability in the Win32k kernel-mode driver that could allow an adversary to gain SYSTEM privileges. Another, CVE-2023-24932, is a Secure Boot Security Feature Bypass issue that the BlackLotus malware group is already exploiting. In all, this Patch Tuesday includes seven critical vulnerabilities and 33 that are considered “important.” (Talos blog, Krebs on Security)

Can’t get enough Talos?

  • Talos Takes Ep. #137: Talos Incident Response livestream on top trends from the past quarter
  • Researcher Spotlight: Jacob Finn creates his own public-private partnership at Talos
  • Threat Roundup for April 28 - May 5
  • FBI disrupts Turla espionage malware network
  • New ‘Greatness’ service simplifies Microsoft 365 phishing attacks

Upcoming events where you can find Talos

BSidesFortWayne (May 20)

Fort Wayne, IN

Cisco Live U.S. (June 4 - 8)

Las Vegas, NV

Most prevalent malware files from Talos telemetry over the past week

