Threat Updates

Stay up-to-date on current vulnerabilities, malware and breaches being tracked by CRITICALSTART‘s Cyber Research Unit (CRU).

Conti Ransomware Group Rebrand and Reorganization

May 19, 2022

The ransomware group formerly known as Conti is currently shut down.

The admin panel of the gang’s official website, Conti News, is shut down as is the negotiations service site. Meanwhile the rest of the infrastructure, to include chatrooms, messengers, servers, and proxy hosts are going through a massive reset. This was an intentional decision, months in the making, to attempt to shed some of the group’s toxic branding.

For over two months, the Conti collective silently created subdivisions that began operations before the start of the shutdown process. These subgroups either utilize existing Conti alter egos and locker malware or took the opportunity to create new ones. The group is adopting a network organizational structure, more horizontal and decentralized than the previously rigid Conti hierarchy.

The new network will include the following types of groups:

  • Fully autonomous (Karakurt, BlackBasta, BlackByte)
  • Semi-autonomous (AlphV/BlackCat, HIVE, HelloKitty/FiveHands, AvosLocker)
  • Independent affiliates
  • Mergers & acquisitions

This model is more flexible and adaptive than the previous Conti hierarchy but is more secure and resilient than Ransomware-as-a-Service (RaaS).

The other major development for this new ransomware model is the transition from data encryption to data exfiltration. Relying on pure data exfiltration maintains most major benefits of a data encryption operation, while avoiding the issues of a locker altogether. Most likely, this will become the most important outcome of Conti’s re-brand.


Ransomware Targets US Higher Education

May 9, 2022

The Critical Start CTI team observed a pattern of breaches over the last five weeks related to higher education being targeted by ransomware. Two out of the four southern schools, Florida International University and North Carolina A&T University, have been linked to BlackCat (a.k.a., ALPHV). No threat actors have claimed responsibility for the latest, Austin Peay State University, reported on by Critical Start CTI earlier this month, but the school is still investigating. Around the country there have been at least 13 reported attacks against U.S. universities and colleges in 2022 so far. These include Kellogg Community College, targeted last week, Ohlone College, Savannah State University, University of Detroit Mercy, Centralia College, Phillips Community College of the University of Arkansas and National University College, to name a few.  

About BlackCat 

BlackCat, (aka ALPHVM, ALPHV, and Noberus) is a newly emerged ransomware-as-a-Service (RaaS) group assessed to be a re-branding of BlackMatter and DarkSide groups. BlackCat ransomware emerged in November 2021 and is developed in Rust, a cross-compilation language allowing for rapid development of malware for Windows and Linux. The ransomware executable is highly customizable, with different encryption methods (AES, ChaCha20) and options allowing for attacks on a wide range of corporate environments. Common TTPs include the use of a signed binary proxy to download the ransomware, access token manipulation and UAC bypass for privilege escalation, deleting files and logs on host for defense evasion purposes, and the use of SMB and PsExec for lateral movement.  

We Recommended That You 

  • Implement a user training program to raise awareness surrounding email phishing and social engineering techniques 
  • Limit and monitor usage of RDP and SMB, to include disabling SMB version 1
  • Implement a timely patch management schedule 
  • Ensure Multi-Factor Authentication is in use for all VPN connections, webmail, and access to critical systems, and enforce strong password usage 
  • Continuously review third-party security postures

Conti BazarCall Vishing Resurgence

March 29, 2022

BazarCall was used by Ryuk and Conti in 2020/2021 and has made a reappearance in March 2022 targeting several companies across multiple industries. Using the BazarCall Tactic, Conti creates a fake call center from which calls are made to potential victims convincing them to open malicious email attachments. These malicious attachments exploit Atera remote monitoring software, Cobalt Strike, and Sliver C2 Framework, then delivers BazarLoader.


It’s important to note that phone calls are made following extensive social engineering and reconnaissance activities. Previous breaches involving these tactics have provided evidence that call center personnel have convincing information regarding target company operations.

We recommend that you:

  • Train users to identify social engineering techniques (vishing) and spearphishing emails
  • Disable macro scripts from Microsoft Office files transmitted via email
  • Enable strong Spam filters to prevent phishing emails from reaching end users
  • Monitor for beaconing activity. BazarLoader requires consistent communication with C2 servers via Cobalt Strike, Sliver, or Atera

Okta Breach – Lapsus$ hacker group

March 28, 2022

CTO Randy Watkins provides more information about the group behind the breach in this informal breakdown of what we know now. 

Listen to the Podcast >

March 23, 2022

Critical Start is monitoring the recent breach against Okta and the associated third-party
service providers that support Okta’s operations.

Okta says 366 corporate customers, or about 2.5% of its customer base, were impacted by a security breach that allowed hackers to access the company’s internal network. The company only acknowledged the compromise after the Lapsus$ hacking and extortion group posted screenshots on Monday, nearly two months after the hackers first gained access to its network.

Key points to know:

  • The Okta service has not been breached and remains fully operational.
  • There are no corrective actions that need to be taken by customers.
  • Any Okta customer that could have potentially been impacted has already been identified and contacted directly by email.
  • There is no impact to Auth0 customers, and there is no impact to HIPAA and FedRAMP customers.
  • The security breach did not impact legacy Sitel Group systems or networks; only legacy Sykes’ network was affected.
  • Lapsus$ has targeted several big-name companies in recent weeks, including Nvidia and Samsung. Microsoft also reported a possible associated security breach.

Critical Start always recommends customers enable MFA for all user accounts. Passwords alone do not
offer the necessary level of protection against attacks. We strongly recommend the usage of hard keys,
as other methods of MFA can be vulnerable to phishing attacks.


Russia-Ukraine Cybersecurity Updates

Log4Shell Updates

Log4Shell is a Remote Code Execution vulnerability with the Open Source Apache Log4j framework that is part of the Apache Logging Project. This is the most widely used logging framework on millions of systems worldwide and many governments have rated the risk a 10 out of 10, or “red” level risk of the highest severity.
 

To put this event into laymen’s terms:  If 95% of all garage doors installed from 2016-2021 could be opened from any Internet Web Browser…from anywhere around the world… This is the significance of Log4shell.

 

Navigate Aftermath of SolarWinds Attack

CRITICALSTART takes a closer look at the SolarWinds breach through two January information sessions.

With the breach linked back to the use of Solarwinds’ updater as the distribution mechanism for the backdoor, finding out who had been affected was easy, and the results were devastating.

©2020 CRITICALSTART. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

CRITICALSTART® and MOBILESOC® are federally registered trademarks owned by Critical Start. Critical Start also claims trademark rights in the following: ZTAP™, Zero Trust Analytics Platform™, and Trusted Behavior Registry™. Any unauthorized use is expressly prohibited.