Threat Source newsletter (Sept. 22, 2022) — Attackers are already using student loan relief for scams

Ukraine is again the target of a state-sponsored actor, with the Gamaredon APT launching information-stealing malware against organizations and users there. Gamaredon is a well-known actor that’s been around for several years and usually aligns with Russian state interests. The adversary is using phishing documents containing lures related to the Russian invasion of Ukraine. Talos researchers discovered the use of a custom-made information stealer implant that can exfiltrate victim files of interest and deploy additional payloads as directed by the attackers. 

Why do I care? 

Gamaredon is actively targeting Ukrainian entities, specifically government organizations and critical infrastructure. These are all crucial industries to protect during Russia’s invasion of Ukraine, as they’ll likely be targeted regularly by state-sponsored actors. And as we outlined in last week’s Talos Takes, Gamaredon’s activities are not likely to remain isolated to Ukraine. 

So now what?

There are new Cisco Secure product protections in place to protect against this actor’s activities. Additionally, if you fear you could be targeted by this campaign, there are two artifcats to scan for on the system that can indicate a compromise: 

• A registry key is created under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the name "Windows Task" for persistence. 
• A mutex is created with the name Global\flashupdate_r. 

 

Top security headlines from the week

Rideshare app Uber blamed the Lapsus$ ransomware group for a recent data breach. The company said the actor gained access to multiple internal Uber systems after stealing a third-party contractor's credentials and then tricking that user into approving a multi-factor authentication request. Uber engaged the U.S. Department of Justice and the FBI shortly after learning about the breach and is still investigating it. However, it does not appear that attackers accessed any customer or user data stored by its cloud providers, though they did download some internal messages and information from an internal finance team. (ZDNet, Washington Post) 

New York’s Suffolk County is still recovering from a cyber attack that’s affected multiple areas of the local government. The county’s 911 system was still offline as of Tuesday, with responders forced to switch to pen and paper for tracking emergency calls. They’ve also had to enlist the help of the New York City Police Department to assist with background checks. The attackers may have also stolen and leaked some residents’ personal information and have allegedly posted images of stolen documents on the dark web. The adversaries say they’ve demanded an unspecified “small amount” of money for the return of access to its computers. (NBC 4 New York, Newsday) 

The ChromeLoader malware is more dangerous than ever, according to new research from VMWare and Microsoft. Security researchers at the companies say the malware — which started as a browser-hijacking credential stealer — is now being used as a tool to deliver ransomware and steal sensitive information. The updated version of ChromeLoader has been used in hundreds of attacks over the past few weeks targeting enterprise networks in the education, government, health care and business services industries. Attackers are disguising ChromeLoader as legitimate Chrome browser services and plugins, such as OpenSubtitles, a site designed to help users to find subtitles for popular TV shows and movies. (Dark Reading, The Register) 

Can’t get enough Talos? 

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week