May 9, 2022
The Critical Start CTI team observed a pattern of breaches over the last five weeks related to higher education being targeted by ransomware. Two out of the four southern schools, Florida International University and North Carolina A&T University, have been linked to BlackCat (a.k.a., ALPHV). No threat actors have claimed responsibility for the latest, Austin Peay State University, reported on by Critical Start CTI earlier this month, but the school is still investigating. Around the country there have been at least 13 reported attacks against U.S. universities and colleges in 2022 so far. These include Kellogg Community College, targeted last week, Ohlone College, Savannah State University, University of Detroit Mercy, Centralia College, Phillips Community College of the University of Arkansas and National University College, to name a few.
BlackCat (a.k.a. ALPHVM, ALPHV, and Noberus) is a newly emerged ransomware-as-a-service (RaaS) group assessed to be a rebranding of the BlackMatter and DarkSide groups. BlackCat ransomware emerged in November 2021 and is developed in Rust, a language that cross-compiles easily and so allows rapid development of malware for both Windows and Linux. The ransomware executable is highly customizable, with a choice of encryption methods (AES, ChaCha20) and options that allow attacks on a wide range of corporate environments. Common TTPs include signed binary proxy execution to download the ransomware, access token manipulation and UAC bypass for privilege escalation, deletion of files and logs on the host for defense evasion, and the use of SMB and PsExec for lateral movement.
We recommend that you:
March 29, 2022
BazarCall was used by Ryuk and Conti in 2020/2021 and reappeared in March 2022, targeting several companies across multiple industries. Using the BazarCall tactic, Conti operates a fake call center from which calls are placed to potential victims to convince them to open malicious email attachments. These malicious attachments leverage Atera remote monitoring software, Cobalt Strike, and the Sliver C2 framework, then deliver BazarLoader.
It is important to note that the phone calls follow extensive social engineering and reconnaissance activity. Previous breaches involving these tactics have shown that call center personnel are equipped with convincing details about the target company's operations.
We recommend that you:
March 28, 2022
CTO Randy Watkins provides more information about the group behind the breach in this informal breakdown of what we know now.
March 23, 2022
Critical Start is monitoring the recent breach against Okta and the associated third-party service providers that support Okta's operations.
Okta says 366 corporate customers, or about 2.5% of its customer base, were impacted by a security breach that allowed hackers to access the company's internal network. The company acknowledged the compromise only after the Lapsus$ hacking and extortion group posted screenshots on Monday, nearly two months after the hackers first gained access to its network.
Key points to know:
Critical Start always recommends that customers enable MFA for all user accounts. Passwords alone do not offer the necessary level of protection against attacks. We strongly recommend the use of hardware security keys, as other MFA methods can be vulnerable to phishing attacks.
Russian Cyber Attacks: Threat Actors and New Developments
Russia’s attack on Ukraine has heightened concerns around cyber threats. We dive into likely threat actors and emerging attacks like Hermetic Malware and WhisperGate in more detail.
Russian Focus Hides Iranian APT Activity 12:30pm CT
CTI is also monitoring the situation unfolding in Iran and the possibility that the Russia/Ukraine situation is functioning as a distraction from other APT activity.
What we know now:
The following MITRE TTPs apply:
Additional reading and resources:
Hermetic Malware 10:45am CT
We are analyzing Hermetic malware samples. We know that the initial indicators of this sample began circulating on 2/23/22 by way of a signed driver that wipes Windows devices after deleting their shadow copies.
We have several known IOCs which are being passed to our Detection Engineering team.
This appears to be a clear effort at destabilization via an MDM strategy. Russia has a huge arsenal of cyber capabilities, and there is a very consistent record of it targeting Ukraine in this way, so Russia's ability to take down critical infrastructure and control the Ukrainian narrative is not surprising.
Often these attacks and campaigns are attributed to non-state actors or individual cybercriminals, but the tacit approval of the Russian Federation and the contractual interactions between it and the organized hackers provide a smokescreen between the APT and Russian leadership.
Log4Shell is a remote code execution vulnerability in the open-source Apache Log4j framework, which is part of the Apache Logging Project. This is the most widely used logging framework, present on millions of systems worldwide, and many governments have rated the risk 10 out of 10, a "red" level risk of the highest severity.
To put this event into layman's terms: if 95% of all garage doors installed from 2016-2021 could be opened from any Internet web browser, from anywhere around the world, that is the significance of Log4Shell.
CRITICALSTART takes a closer look at the SolarWinds breach through two January information sessions.
With the breach linked back to the use of SolarWinds' updater as the distribution mechanism for the backdoor, finding out who had been affected was easy, and the results were devastating.