Welcome to this week’s edition of the Threat Source newsletter.
Between the Talos Takes episode last week and helping my colleague Hazel with the Half-Year in Review, I realized how much I had already forgotten about 2023 already.
It’s been a whirlwind, personally and professionally, and I think it’s important for the security community to take a step back occasionally, to look back on what’s already happened in a year and what that tells us about the coming months.
For me, in reading the Year in Review so far and reflecting on it on the podcast, I had completely forgotten about supply chain attacks. I personally think the MOVEit file transfer breach, and follow-on breaches and compromises, has been placed on the back burner because it’s almost too big for us to even conceive of. At this point, nearly every Fortune 500 company has been affected by this in some way.
The dangers of the MOVEit breach continue to grow, with Clop now using torrents to leak targets’ information, potentially making the leaks more dangerous and faster for bad actors to download.
The list of affected organizations grows every day, with the Clop ransomware group adding more names to its leak site, and public companies having to make disclosures about potential data leaks or theft. Yet the news around this seems to have been relegated to regular news posts about, “Company X just got added to the Clop leak site” rather than reflecting on the dangers of supply chain attacks.
I’ve written before about how we aren’t talking about supply chain attacks enough already, and this year alone we’ve seen MOVEit (which, in my opinion, kind of straddles the line as a “traditional” supply chain attack because it’s more of a data breach with more follow-on data breaches), 3CX, and another attack against CircleCI, a continuous integration platform vendor.
3CX was a big deal in the moment, but looking at the Half-Year in Review, I feel like we moved past it so quickly. Instead, headlines are still dominated by ransomware attacks and big-game hunting, which are certainly no less important on the security landscape — but it is so easy to get swept up in the day’s goings-on by looking for the latest, fastest updates on security social media.
With BlackHat and “Hacker Summer Camp” going on over the next few weeks, this seems like the right time to step back and reflect on what’s happened so far this year. This could include just taking time to look back on personal successes, team wins, or just one or two things that happened in February that you may have already forgotten about.
The one big thing
Our researchers recently discovered an unknown threat actor, seemingly of Vietnamese origin, conducting a ransomware operation that’s been going on since at least June 4. This ongoing attack uses a variant of the Yashma ransomware likely to target multiple geographic areas by mimicking WannaCry characteristics. The threat actor uses an uncommon technique to deliver the ransom note. Instead of embedding the ransom note strings in the binary, they download the ransom note from the actor-controlled GitHub repository by executing an embedded batch file.
Why do I care?
This new actor appears to target users and companies all over the world, including a variety of English-speaking nations, Bulgaria, China and Vietnam. Victims hit with this malware are asked to pay a requested ransom in the form of Bitcoin, an amount that doubles if it’s not made within three days post-infection. This Yashma variant also appears to be harder to recover from than the average ransomware — after encrypting files, the ransomware wipes the contents of the original, unencrypted file and then replaces the file name with a “?”.
So now what?
Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here. There are also numerous protections in place to detect and defend against this malware, as outlined in our blog post.
Top security headlines of the week
Dozens of hospitals and healthcare facilities across the U.S. are still recovering after a large healthcare system was forced to take its computer systems offline as the result of a ransomware attack. Prospect Medical Holdings, a chain that operates hospitals and outpatient facilities, in California, Connecticut, Pennsylvania and Rhode Island, first disclosed the incident last week, announcing it was having to shut down some emergency rooms and reroute ambulances to other facilities. The FBI announced it was launching an investigation into the cause, and actors behind, the attack. Some outpatient facilities, like radiology and heart health clinics, had to close altogether temporarily because they could not function without the use of the company’s computer systems. (CBS News, NBC News)
Cult of the Dead Cow, an infamous hacking group once known for shaming companies into improving their security, is planning to launch a new app framework that puts privacy first. The system will allow individuals and companies to create social media and messaging apps that do not hold onto users’ personal data. Traditional social media companies make a large chunk of their profits off selling that information to advertisers and other companies looking to reach certain demographics. Representatives from the hacking collective are expected to discuss the framework more at the upcoming DEF CON conference. Creators say the framework uses the in-house “Veilid” protocol for end-to-end encryption that could make it difficult for even governments to view information on the apps without proper authorization. However, they still face the challenge of convincing developers and companies to design apps that are compatible with Veilid. (Washington Post, DarkReading)
The U.K.’s Electoral Commission revealed this week it was the target of a “complex cyber attack” that potentially exposed the personal details of millions of British voters. The Commission said adversaries stole copies of the electoral registers from August 2021, but the breach was not discovered until October 2022. However, they’ve yet to “conclusively” determine what files, exactly, were accessed. An early report on the attack from the Electoral Commission found that the personal data found on the registers did not present a “high risk” to the individuals listed on it. However, that information could be paired with other public information or stolen data from other attacks to “identify and profile individuals.” The adversaries were removed from the network as soon as the breach was discovered in October. (Infosecurity Magazine, BBC)
Can’t get enough Talos?
- What Cisco Talos knows about the Rhysida ransomware
- Code leaks are causing an influx of new ransomware actors
- The Need to Know: What is commercial spyware?
- Six critical vulnerabilities included in August’s Microsoft security update
- Cisco Talos Discusses Flaws in SOHO Routers Post-VPNFilter
- Suspected Vietnamese hacker targets Chinese, Bulgarian organizations with new ransomware
- Sloppy security from cybercriminals is creating a new generation of ransomware gangs
Upcoming events where you can find Talos
Upcoming events where you can find Talos
BlackHat (Aug. 5 - 10)
Las Vegas, Nevada
Grace Hopper Celebration (Sept. 26 - 29)
Orlando, Florida
Caitlin Huey, Susan Paskey and Alexis Merritt present a “Level Up Lab” titled “Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence.” Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.
ATT&CKcon 4.0 (Oct. 24 - 25)
McLean, Virginia
Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.
Most prevalent malware files from Talos telemetry over the past week
SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991
SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6
MD5: 4c9a8e82a41a41323d941391767f63f7
Typical Filename: !!Mreader.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Generic::sheath
SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991
SHA 256: 7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b
MD5: f5e908f1fac5f98ec63e3ec355ef6279
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::tpd
Article Link: Reflecting on supply chain attacks halfway through 2023