Intelligence Hub

Get information on recent vulnerabilities, malware and breaches being tracked by Critical Start’s Cyber Threat Intelligence (CTI), part of our Cyber Research Unit (CRU).

Third-Party Vendor Risks and What You Should Know

March 22, 2023

In 2022, attacks targeting third-party vendors almost doubled from 2021, with 63 attacks on vendors reported and 298 victims. This trend has only continued in Q1 of 2023, as several third-party vendors have reported being hit by malicious campaigns. There are several dangers when third-party vendors are attacked.

Two-Step Phishing Attacks

March 21, 2023

Two-step phishing attacks are on the rise as threat actors become more sophisticated in targeting potential victims and evading detection. These phishing attacks use legitimate vendors that the threat actor has previously compromised.

Microsoft Outlook Zero-Day Exploited in the Wild

March 21, 2023

Microsoft disclosed a new zero-day vulnerability in Outlook, identified as CVE-2023-23397. This flaw is an elevation-of-privilege (EoP) vulnerability that enables remote code execution, as threat actors can steal the NTLM credentials of Microsoft Outlook users.

Emotet Returns After Three Months of Silence

March 17, 2023

After a brief hiatus, Emotet threat actors recommenced operations in early March 2023. Originally tracked as a banking trojan, Emotet has evolved into a multi-purpose dropper/downloader malware.

Sharp Panda Utilizes New Version of the Soul Framework

March 8, 2023

Sharp Panda (also known as APT19, Emissary Panda, or Iron Tiger) is a sophisticated Chinese Advanced Persistent Threat (APT) group. The group has been active since at least 2012 and is known for sharing tools and infrastructure with other Chinese APT groups.

Threat Actors Using Microsoft OneNote

February 13, 2023

Recently, several malware operators have been spotted using OneNote attachments in their spam campaigns. OneNote is a digital notebook tool offered by Microsoft that gives users a centralized place to store their thoughts, ideas, and notes in an organized manner. Cybercriminals have started new phishing campaigns with malicious OneNote attachments that deliver Formbook, Redline Stealer, AsyncRAT, or Qbot malware to unsuspecting victims.

LockBit Announces New Variant

February 3, 2023

Russia-based ransomware group LockBit continues to expand its arsenal with the addition of a new variant, LockBit Green. The acquisition of Green comes less than a year after the deployment of LockBit Black. Threat researchers at SentinelOne indicated that a large portion of this variant overlaps with the Conti ransomware version whose source code was leaked last year. LockBit is expected to continue to dominate the ransomware arena as its operators make strides to increase its capabilities and versatility.

AiTM Phishing

January 10, 2023

Adversary-in-the-middle (AiTM) phishing campaigns are a growing threat because they are highly effective and can bypass even the most advanced security measures. They are particularly dangerous when they target large organizations, where a successful attack can significantly affect the organization’s operations and reputation. Phishing remains one of the most common techniques attackers use in their attempts to gain initial access to organizations. It remains important for organizations to be vigilant and aware of this type of attack and to take steps to protect themselves.

OpenSSL Critical Vulnerability

November 1, 2022

OpenSSL published an advisory detailing two new vulnerabilities, CVE-2022-3786 (“X.509 Email Address Variable Length Buffer Overflow”) and CVE-2022-3602 (“X.509 Email Address 4-byte Buffer Overflow”), both classified as high. Although initially assessed as critical, CVE-2022-3602 was downgraded to high because remote code execution is unlikely in common configurations. These vulnerabilities impact OpenSSL 3.0.0-3.0.6 ONLY. Users should upgrade to 3.0.7 as soon as possible. Those unable to update immediately should disable TLS client authentication. Currently there are no known exploits in the wild.

Our CTI team will continue to monitor these known vulnerabilities and work closely with the Threat Detection Engineering (TDE) team and the SOC to implement any relevant detections. For future updates, the CTI team will continue to post on the Intelligence Hub and give updates via ZTAP bulletins.

October 31, 2022

The Critical Start CTI team is aware of a new OpenSSL vulnerability that will be disclosed tomorrow, November 1st. Details and characteristics of the flaw have not been released; however, because of the critical classification of the vulnerability, we recommend updating to the new version of OpenSSL (version 3.0.7) being released on Tuesday, November 1st. The CTI team will be working closely with the Threat Detection Engineering (TDE) team and the SOC to implement any relevant detections. The Critical Start CTI team will continue to monitor the situation.

Joint Cybersecurity Advisory from CISA for Telecom Companies

July 7, 2022

In early June 2022, CISA published a Joint Cybersecurity Advisory (CSA) highlighting espionage activity by Chinese state-sponsored advanced persistent threat (APT) groups targeting telecommunications companies. Furthermore, there has been an increase in open- and closed-source identification and reporting of Chinese threat actor activity over the last month. Critical Start Cyber Threat Intelligence analysts will be monitoring this situation closely as it evolves.

Critical Start supports the CISA-backed recommended actions listed below:

  • Apply patches as soon as possible
  • Disable unnecessary ports and protocols
  • Replace end-of-life infrastructure
  • Implement a centralized patch management system

Conti Ransomware Group Rebrand and Reorganization

May 19, 2022

The ransomware group formerly known as Conti is currently shut down.

The admin panel of the gang’s official website, Conti News, is shut down, as is the negotiation service site. Meanwhile, the rest of the infrastructure, including chatrooms, messengers, servers, and proxy hosts, is going through a massive reset. This was an intentional decision, months in the making, to attempt to shed some of the group’s toxic branding.

For over two months, the Conti collective silently created subdivisions that began operations before the start of the shutdown process. These subgroups either use existing Conti alter egos and locker malware or have taken the opportunity to create new ones. The group is adopting a network organizational structure, more horizontal and decentralized than the previously rigid Conti hierarchy.

The new network will include the following types of groups:

  • Fully autonomous (Karakurt, BlackBasta, BlackByte)
  • Semi-autonomous (AlphV/BlackCat, HIVE, HelloKitty/FiveHands, AvosLocker)
  • Independent affiliates
  • Mergers & acquisitions

This model is more flexible and adaptive than the previous Conti hierarchy, while also being more secure and resilient than Ransomware-as-a-Service (RaaS).

The other major development in this new ransomware model is the transition from data encryption to data exfiltration. Relying on pure data exfiltration retains most of the major benefits of a data encryption operation while avoiding the problems of a locker altogether. Most likely, this will become the most important outcome of Conti’s rebrand.

Ransomware Targets US Higher Education

May 9, 2022

The Critical Start CTI team observed a pattern of breaches over the last five weeks in which higher education institutions were targeted by ransomware. Two of the four southern schools, Florida International University and North Carolina A&T University, have been linked to BlackCat (a.k.a. ALPHV). No threat actor has claimed responsibility for the latest, Austin Peay State University, reported on by Critical Start CTI earlier this month, and the school is still investigating. Around the country there have been at least 13 reported attacks against U.S. universities and colleges in 2022 so far. These include Kellogg Community College, targeted last week, Ohlone College, Savannah State University, University of Detroit Mercy, Centralia College, Phillips Community College of the University of Arkansas, and National University College, to name a few.

About BlackCat

BlackCat (aka ALPHVM, ALPHV, and Noberus) is a newly emerged Ransomware-as-a-Service (RaaS) group assessed to be a rebranding of the BlackMatter and DarkSide groups. BlackCat ransomware emerged in November 2021 and is developed in Rust, a language that cross-compiles easily and so allows rapid development of malware for both Windows and Linux. The ransomware executable is highly customizable, with different encryption methods (AES, ChaCha20) and options allowing for attacks on a wide range of corporate environments. Common TTPs include the use of a signed binary proxy to download the ransomware, access token manipulation and UAC bypass for privilege escalation, deletion of files and logs on the host for defense evasion, and the use of SMB and PsExec for lateral movement.

We Recommend That You

  • Implement a user training program to raise awareness of email phishing and social engineering techniques
  • Limit and monitor usage of RDP and SMB, including disabling SMB version 1
  • Implement a timely patch management schedule
  • Ensure Multi-Factor Authentication is in use for all VPN connections, webmail, and access to critical systems, and enforce strong password usage
  • Continuously review third-party security postures

Conti BazarCall Vishing Resurgence

March 29, 2022

BazarCall was used by Ryuk and Conti in 2020/2021 and reappeared in March 2022, targeting several companies across multiple industries. Using the BazarCall tactic, Conti creates a fake call center from which calls are made to potential victims, convincing them to open malicious email attachments. These malicious attachments exploit Atera remote monitoring software, Cobalt Strike, and the Sliver C2 framework, then deliver BazarLoader.

It is important to note that the phone calls follow extensive social engineering and reconnaissance activity. Previous breaches involving these tactics have shown that call center personnel have convincing information about the target company’s operations.

We recommend that you:

  • Train users to identify social engineering techniques (vishing) and spearphishing emails
  • Disable macro scripts in Microsoft Office files transmitted via email
  • Enable strong spam filters to prevent phishing emails from reaching end users
  • Monitor for beaconing activity; BazarLoader requires consistent communication with C2 servers via Cobalt Strike, Sliver, or Atera

Okta Breach – Lapsus$ hacker group

March 28, 2022

CTO Randy Watkins provides more information about the group behind the breach in this informal breakdown of what we know now.

Listen to the Podcast >

March 23, 2022

Critical Start is monitoring the recent breach against Okta and the associated third-party service providers that support Okta’s operations.

Okta says 366 corporate customers, or about 2.5% of its customer base, were impacted by a security breach that allowed hackers to access the company’s internal network. The company only acknowledged the compromise after the Lapsus$ hacking and extortion group posted screenshots on Monday, nearly two months after the hackers first gained access to the network.

Key points to know:

  • The Okta service has not been breached and remains fully operational.
  • There are no corrective actions that need to be taken by customers.
  • Any Okta customer that could have potentially been impacted has already been identified and contacted directly by email.
  • There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers.
  • The security breach did not impact legacy Sitel Group systems or networks; only legacy Sykes’ network was affected.
  • Lapsus$ has targeted several big-name companies in recent weeks, including Nvidia and Samsung. Microsoft also reported a possible associated security breach.

Critical Start always recommends that customers enable MFA for all user accounts. Passwords alone do not offer the necessary level of protection against attacks. We strongly recommend the use of hardware keys, as other methods of MFA can be vulnerable to phishing attacks.

Russia-Ukraine Cybersecurity Updates

Log4Shell Updates

Log4Shell is a remote code execution vulnerability in the open-source Apache Log4j framework, part of the Apache Logging Project. This is the most widely used logging framework, present on millions of systems worldwide, and many governments have rated the risk 10 out of 10, a “red” level risk of the highest severity.

To put this event into layman’s terms: imagine that 95% of all garage doors installed from 2016 to 2021 could be opened from any web browser, anywhere in the world. That is the significance of Log4Shell.

Navigate Aftermath of SolarWinds Attack

Critical Start takes a closer look at the SolarWinds breach through two January information sessions.

With the breach traced back to the use of SolarWinds’ updater as the distribution mechanism for the backdoor, finding out who had been affected was easy, and the results were devastating.

©2023 CRITICALSTART.