Threat Source newsletter (March 2, 2023) — Little victories in the fight against ransomware

Welcome to this week’s edition of the Threat Source newsletter.

For years, we as a cybersecurity community have been discussing ways we can fight the global ransomware problem. This included things like pushing for more sanctions against international ransomware groups, new laws from federal governments and decreased access to virtual currency often used by actors to stay undetected.

Now, here’s the crazy thing: It might be working.

As Talos discussed in our Year in Review report, ransomware engagements made up a smaller portion of Cisco Talos Incident Response’s engagements in 2022 compared to the previous year, and there’s been a greater democratization of ransomware families, meaning they’re less siloed and more focused into a few larger groups.

A study from blockchain analysis group Chainanalysis also found that ransomware groups extorted about $456.8 million from victims in 2022, a roughly 40 percent decrease from 2021 and 2020. The Wall Street Journal also recently reported that the U.S. government finally feels it’s on the offensive when it comes to ransomware.

U.S. Deputy Attorney General Lisa Monaco told the paper that recent ransomware trends reflect "the pivot that we have made to a posture where we’re on our front foot. We’re focusing on making sure we’re doing everything to prevent the attacks in the first place.”

Yes, there are still major ransomware attacks happening (take the recent Dole cyber attack that halted production briefly for the food giant). But I feel like it’s not being talked about enough that defenders may be actually making some headway here thanks to private companies (like Talos) and global governments working together.

It seems to be a confluence of several things and not just one magic solution. Governments are taking more frequent and serious action to sanction ransomware actors and the individuals behind them, such as the recent penalties against Trickbot members. And some actors are even being arrested and being served criminal charges and jail time.

With improved backups, many ransomware targets are also bouncing back better than ever before and can hopefully avoid paying the requested ransom to their attackers. And asset seizures and freezes have even forced some ransomware groups to lay off people.

2022 could be an aberration. As we also pointed out in our Year in Review, there was a brief pause in ransomware activity at the onset of Russia’s invasion of Ukraine. It could also just be that the defenders got lucky.

This isn’t the time to take our foot off the gas and start turning our attention toward things like AI chatbots — ransomware continues to be a major threat to everyone, including some of society’s most important institutions like hospitals and schools. But I do think it’s important to step back every once in a while to enjoy the victories.

The one big thing

The U.S. Cybersecurity and Infrastructure Security Agency is warning that attackers are actively exploiting CVE-2022-36537, an unspecified vulnerability in ZK Framework AuUploader. This poses a significant threat to the software supply chain if any instances are still unpatched, and CISA warned the vulnerability “poses a significant risk to the federal enterprise.” Attackers are reportedly using the vulnerability to install backdoors on servers, specifically through ConnectWise’s R1Soft Server Backup Manager, which utilizes the ZK Framework.

Why do I care?

ZK is an open-source Ajax Web app framework written in Java, allowing users to create GUIs for web applications without a deep knowledge of programming. Many open-source projects and software utilize the framework, so the impact of this vulnerability could be wide-reaching. Open-source reporting indicates that attackers could exploit the vulnerability in ConnectWise R1Soft to bypass authentication, upload a backdoor and gain the ability to execute remote code.

So now what?

Researchers first disclosed this vulnerability in October, so projects and products that utilize the framework have had plenty of time to patch. ConnectWise released its own patch on Oct. 28.

Top security headlines of the week

The Pentagon is investigating a potential yearslong email leak from the U.S. military’s Special Operations Command. A security researcher discovered that anyone who knew the IP address of the server could access the data without a password. However, the server was secured once the researcher disclosed their findings. The emails leaked included information about U.S. military contracts and messages from Department of Defense employees asking to have various pieces of paperwork processed. SOCOM said there was no evidence that anyone hacked the organization’s network and this was merely an error. (CNN, Bloomberg)

A journalist accessed his own bank account using an AI-generated voice, bypassing the bank’s automated phone system. The reporter used a fake version of his voice using a readily available AI tool online and was able to read off a list of recent transactions and account balances. Real-world abuse of this system is likely rare at this point, but it showcases why banks and other services should drop voice identification as a login method. Users have already started using AI voice tools to make memes and fake videos of noted individuals saying outlandish things. (Vice)

Satellite TV provider Dish confirmed a ransomware attack was responsible for a multi-day outage and that attackers may have exfiltrated data from its systems. The company said in a filing to the U.S. Securities and Exchange Commission that the attackers obtained “certain data” from its IT systems, potentially including personal information, though it was unclear if that information belonged to Dish employees, customers or both. As of Wednesday morning, the attack was still affecting the company’s main website, its mobile apps and customer support systems, and Dish’s Sling TV streaming service. (TechCrunch, Bleeping Computer)

Can’t get enough Talos?

• Threat Roundup for Feb. 17 - 24
• Vulnerability Spotlight: EIP Stack Group OpENer open to two remote code execution vulnerabilities
• Evaluating the Cyberwar Set Off by Russian Invasion of Ukraine
• SBOM is a ‘massive galaxy of mess’ for supply chain security

Upcoming events where you can find Talos

WiCyS (March 16 - 18)

Denver, CO

RSA (April 24 - 27)

San Francisco, CA

Most prevalent malware files from Talos telemetry over the past week

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
MD5: 2915b3f8b703eb744fc54c81f4a9c67f
Typical Filename: VID001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725
MD5: d47fa115154927113b05bd3c8a308201
Typical Filename: mssqlsrv.exe
Claimed Product: N/A
Detection Name: Trojan.GenericKD.65065311

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423
MD5: 954a5fc664c23a7a97e09850accdfe8e
Typical Filename: teams15.exe
Claimed Product: teams15
Detection Name: Gen:Variant.MSILHeracles.59885

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201

Article Link: Threat Source newsletter (March 2, 2023) — Little victories in the fight against ransomware