{"objects": [{"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": {"tlp": "white"}, "type": "marking-definition", "spec_version": "2.1"}, {"description": "Analyst Prompt 2021 issue #41
Analysis

Policy and Governance: The Cyber Insurance Market is Changing Course Due to Continued High Rates of Ransomware.

High volumes of ransomware attacks against U.S.-based organizations are rapidly driving insurers to reorient their cyber insurance policies. Since 2020, ransomware-related cyber insurance payouts have roughly halved, while premiums have roughly doubled. Demand for cyber insurance nonetheless remains strong, as evidenced by the many clients still willing to pay the higher rates. Rates in the UK have diverged even more sharply. The industry-wide trend has continued upward since the start of 2020, when the same source reported cyber insurance rates 5%-25% higher than in 2019 (1).

Ransomware threat actors are now highly attuned to the cyber insurance market and, as part of a newer pattern of TTPs, try to match extortion demands to what a victim\u2019s policy will pay out (https://research.nccgroup.com/2021/11/12/we-wait-because-we-know-you-inside-the-ransomware-negotiation-economics/). They now perform more reconnaissance and discovery inside the victim environment to locate the victim\u2019s specific insurance policies and so ensure the ransom can be met. A practical consequence for defenders is that policy documents, coverage limits and broker correspondence are themselves a collection target and should be stored and shared with the same care as other sensitive financial data.

Last year, increasingly expensive ransomware payouts contributed to a sharp deterioration in insurers\u2019 profitability measures (2). Broker Aon calculated that ransomware accounted for more than one fifth of its total risk last year. The insurance market is repositioning itself against ransomware by shifting more of the risk back to clients. That shift will, in turn, put pressure on governments to launch more law enforcement operations against ransomware criminals and to adopt firmer policies of intervention, such as coordinated operations to seize infrastructure or arrest individuals. EclecticIQ analysts note that 2021 has been a significant year for coordinated law enforcement operations against prominent cybercriminal organizations (3). The number of similar cooperative investigations and operations is likely to grow through 2022.

New and Noteworthy: Strict Removable Media Policy Will Best Protect Air Gapped Systems

As ransomware and APT attacks against critical systems escalated throughout 2021, an air gapped network or system is, for some organizations, the last line of defense for their most critical information. Air gapped systems are considered highly secure because no physical connection to the internet is maintained (4). Nonetheless, they remain vulnerable to intrusion, especially by APT groups. A recent, comprehensive ESET analysis of APT attacks on air gapped networks found that initial access in every attack studied over the past 15 years relied on introducing a compromised USB drive into the target environment: Replication Through Removable Media (MITRE ATT&CK technique T1091) initiated every air gap attack kill chain (5).

EclecticIQ analysts highly recommend that administrators of air gapped systems prioritize resources for enforcing a strict removable media policy to mitigate these very high-risk attacks on physically isolated data. In practice that means technical enforcement (device control that blocks unapproved mass-storage devices) rather than procedure alone, a short allow-list of dedicated, sanctioned transfer media, and logging of every device attachment so that a policy violation is detected rather than discovered after the fact.
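As an added example, not code from EclecticIQ or from the ESET paper, the Python script below shows the detection side of such a policy: it correlates Linux kernel log lines from USB device enumeration with the usb-storage driver claiming the device, and flags any mass-storage device whose serial number is not on an allow-list of sanctioned transfer media. The log lines are constructed samples in the wording the kernel normally uses; the allow-list contents, and the assumption that your hosts log these same messages, are illustrative.

```python
'''Added example (not EclecticIQ's or ESET's code): surface USB mass-storage attachments,
the host-side trace of ATT&CK T1091 (Replication Through Removable Media), from Linux
kernel log lines and check them against an allow-list of sanctioned transfer media.'''
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample in the kernel's usual wording (usb core + usb-storage driver).
# Assumption: your hosts emit the same messages; timestamps and driver names may differ.
SAMPLE_KERNEL_LOG = '''\
[  120.101] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[  120.250] usb 1-1: New USB device found, idVendor=0781, idProduct=5581, bcdDevice= 1.00
[  120.251] usb 1-1: Product: Ultra
[  120.251] usb 1-1: Manufacturer: SanDisk
[  120.252] usb 1-1: SerialNumber: 4C530001234567890123
[  120.300] usb-storage 1-1:1.0: USB Mass Storage device detected
[  121.400] sd 4:0:0:0: [sdb] Attached SCSI removable disk
[  300.000] usb 1-2: new full-speed USB device number 4 using xhci_hcd
[  300.100] usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.01
[  300.101] usb 1-2: Product: USB Receiver
[  300.102] usb 1-2: Manufacturer: Logitech
[  450.000] usb 1-1: USB disconnect, device number 3
'''

NEW_DEVICE = re.compile(
    r'usb (?P<port>\d+-[\d.]+): New USB device found, '
    r'idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})')
ATTRIBUTE = re.compile(
    r'usb (?P<port>\d+-[\d.]+): (?P<key>Product|Manufacturer|SerialNumber): (?P<value>.+)$')
MASS_STORAGE = re.compile(
    r'usb-storage (?P<port>\d+-[\d.]+):[\d.]+: USB Mass Storage device detected')


@dataclass(frozen=True)
class UsbStorageEvent:
    port: str
    vendor_id: str
    product_id: str
    manufacturer: Optional[str]
    product: Optional[str]
    serial: Optional[str]


def parse_usb_storage_events(log_text: str) -> List[UsbStorageEvent]:
    '''Correlate each port's enumeration lines with the usb-storage driver claiming that
    port. Only a mass-storage interface yields an event; the mouse receiver on 1-2 does not.'''
    pending: Dict[str, Dict[str, str]] = {}
    events: List[UsbStorageEvent] = []
    for line in log_text.splitlines():
        m = NEW_DEVICE.search(line)
        if m:
            pending[m['port']] = {'vid': m['vid'], 'pid': m['pid']}
            continue
        m = ATTRIBUTE.search(line)
        if m and m['port'] in pending:
            pending[m['port']][m['key']] = m['value'].strip()
            continue
        m = MASS_STORAGE.search(line)
        if m:
            d = pending.get(m['port'], {})
            events.append(UsbStorageEvent(
                port=m['port'],
                vendor_id=d.get('vid', '????'),
                product_id=d.get('pid', '????'),
                manufacturer=d.get('Manufacturer'),
                product=d.get('Product'),
                serial=d.get('SerialNumber'),
            ))
    return events


def policy_violations(events: List[UsbStorageEvent],
                      allowed_serials: Set[str]) -> List[UsbStorageEvent]:
    '''On an air-gapped host every attachment not on the allow-list is a T1091 candidate.
    A device that reports no serial is flagged too: it cannot be on the list.'''
    return [e for e in events if e.serial is None or e.serial not in allowed_serials]


if __name__ == '__main__':
    # Illustrative allow-list: the one sanctioned transfer stick for this enclave.
    allowed = {'4C530001234567890123'}
    found = parse_usb_storage_events(SAMPLE_KERNEL_LOG)
    for event in found:
        status = 'violation' if event in policy_violations(found, allowed) else 'sanctioned'
        print(f'{status}: port {event.port} {event.manufacturer} {event.product} '
              f'{event.vendor_id}:{event.product_id} serial={event.serial}')
```

On a real host the input is dmesg or kernel journal output, and the log should be shipped off the host before an intruder has the chance to clear it; matching on the serial number rather than vendor and product IDs is what stops an attacker simply buying the same model of stick.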

Policy and Governance: Cyberthreats to Satellites Escalate Outside Established Norms.
Satellites remain an often overlooked but critical piece of infrastructure supporting many cyber capabilities on earth. China, Russia, and the U.S. are conducting cyberattacks in space \u201cevery single day\u201d that qualify as \u201creversible attacks\u201d, attacks that interfere with a satellite\u2019s ability to communicate, according to a U.S. Space Force general (6). Operations almost always recover or return to normal after a reversible attack. Several countries, including China and Russia, are developing their own satellite networks, such as independent GPS-equivalent constellations, to support ground operations; the goal is technological independence in space-based communications.

Cyberthreats to space have, thus far, stopped short of \u201ckinetic attacks\u201d, attacks that physically destroy satellites. There is still no common framework or set of bilateral agreements on how threats to space-based assets should be mitigated or handled between nations in conflict. Kinetic attacks are prevented in part through a deterrent effect: if a satellite is physically destroyed, the debris created poses an immediate threat to every other satellite in that orbit. An escalation to kinetic attacks would therefore guarantee further fallout in the form of damage and disruption to other nations\u2019 satellites, which are not easily replaceable. Many nations are testing new TTPs against satellites (7). The current U.S. administration reportedly reached out to China, in a global first, to open a dialogue specifically on cyberattacks in space, but so far those efforts have not been successful.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.

", "object_refs": ["report--8631b0cb-5620-5451-bbb3-5fc504e5b634"], "type": "report", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-c4d05165-49e1-4970-b9d4-920a9981ed18", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "modified": "2021-12-06T14:40:10.099407Z", "name": "Analyst Prompt 2021 issue #41", "created": "2021-12-06T14:40:10.099407Z", "id": "report--8631b0cb-5620-5451-bbb3-5fc504e5b634", "published": "2021-12-06T00:00:00Z", "spec_version": "2.1"}, {"description": "The Analyst Prompt: 2021 Issue #37
Analysis

Policy and Governance: China and the U.S. Take Big (But Very Different) Steps to Regulate Cryptocurrency

On 24 September, the People\u2019s Bank of China issued a statement declaring all cryptocurrency transactions illegal in China. (4) Less than a week after the announcement, crypto-related firms had begun shutting down business in mainland China. (5) China\u2019s stated reason for the ban was to address \u201cillegal financial activities\u201d which \u201c\u2026seriously endangers the safety of people\u2019s assets\u201d (4), but some experts assess that the very idea of a cryptocurrency runs contrary to Beijing\u2019s vision of a state-controlled economy. (6)

In a more targeted move, the U.S. Treasury\u2019s Office of Foreign Assets Control (OFAC) on 21 September announced sanctions against the cryptocurrency exchange SUEX \u201cfor its part in facilitating financial transactions for ransomware actors.\u201d (7) The announcement explains that the sanctions prohibit U.S. persons from doing business with SUEX and \u201cblock\u201d any SUEX assets or property under U.S. jurisdiction. The Treasury also issued updated guidance on \u2018potential sanctions risks for facilitating ransomware payments\u2019: such payments are not illegal in themselves, but remain strongly discouraged and can expose the payer to sanctions liability if the recipient is a designated party. (8)

These vastly different Chinese and U.S. actions illustrate the range of issues arising from the increasing use of cryptocurrency, and the challenges governments face as they decide whether and how to regulate crypto. The coming months will almost certainly bring more news of nations taking steps to regulate crypto in the way they view as most beneficial, but these steps may be increasingly at odds with the actions or interests of other nation-states. They may also put governments at odds with threat actors who use cryptocurrency, including many successful ransomware gangs. EclecticIQ will watch for indicators that threat actors alter their modus operandi in reaction to sanctions and similar regulation.

Exploit Tools and Targets: Details Emerge About Backdoor FoggyWeb

Microsoft recently divulged more detail about a relatively new piece of malware targeting Microsoft systems, called FoggyWeb. According to Microsoft, FoggyWeb is a persistent backdoor through which attackers can exfiltrate data from a compromised Active Directory Federation Services (AD FS) server, including its token-signing and token-decryption certificates. FoggyWeb was first observed in April 2021 and has been used by the sophisticated Russian threat group NOBELIUM, which was behind the Sunburst backdoor used in the SolarWinds supply-chain compromise. Microsoft\u2019s primary advice to counter this threat is to harden AD FS servers. A list of known IOCs for FoggyWeb is included in Microsoft\u2019s post. (9, 10) The certificates matter because whoever holds the token-signing certificate can mint SAML tokens that every application federated with that AD FS instance will accept as genuine, so a confirmed FoggyWeb compromise requires rotating both certificates and treating the AD FS server itself as fully compromised, not merely removing the backdoor.

More research on FoggyWeb is sure to be forthcoming in the coming weeks, along with more information about who has been targeted through it. For now, the SolarWinds intrusion may give limited insight into the possible scope of the damage. Given the value of FoggyWeb and the skill of the group behind it, it is likely that many FoggyWeb victims have yet to be identified, or even to realize they may be compromised. Those compromised by this backdoor are likely to be government targets or government partners and service providers, as well as companies in critical infrastructure or holding unique intellectual property. Nonetheless, EclecticIQ recommends that all cyber defenders review Microsoft\u2019s blog post on identifying and responding to a FoggyWeb breach.

New and Noteworthy: The Netherlands Announces an Industry-Led Cyber Threat Information Sharing Community

The Dutch business community is moving forward with plans to set up a cyber defense warning and information sharing network that can share threat data more quickly than established government-led procedures, according to a 29 September article by The Hague Security Delta (HSD). (1) The new network will enable anybody who identifies a vulnerability to report it in the system, which will trigger an alert to the affected individual or that person\u2019s internet provider. Before this initiative, threat information could be shared only via the Dutch National Cyber Security Centre (NCSC). According to the director of Fox-IT, the new network is intended to complement the NCSC\u2019s efforts and to pass information quickly when the government cannot.

As cyber threats grow, non-governmental sharing networks will be increasingly useful for identifying solutions to time-sensitive problems and for addressing issues outside the government\u2019s purview. The success of this group and others like it will be determined largely by strong leadership with a clear vision, proper resourcing, and acceptance by the wider community as the venue for information sharing and problem solving. The success of non-governmental networks can also be amplified by effective partnership with government. The NCSC is pressing ahead with its own efforts to improve cyber threat sharing, including establishing its own information sharing network, Secure Net, and building its own network of partnerships. (2, 3) EclecticIQ sees both industry- and government-led efforts as necessary and will continue supporting both government and industry partners to counter cyber threats.

", "object_refs": ["campaign--13a0362d-c013-5b15-877c-8d4820fd01cc"], "type": "report", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-6ea6c7ec-9d9d-4053-985d-db8e103b34f8", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "modified": "2021-10-06T18:46:02.61699Z", "name": "The Analyst Prompt: 2021 Issue #37", "created": "2021-10-06T18:46:02.61699Z", "id": "report--bf04d287-605f-560d-993d-18179bc83dde", "published": "2021-10-06T18:46:01.37946Z", "spec_version": "2.1"}, {"description": "Analyst Prompt: 2021 Issue #39
Analysis

Policy and Governance: Tensions Rise between Ransomware Gangs and Western Governments

After the second government takedown of ransomware group REvil\u2019s online infrastructure on 22 October 2021 [1], ransomware gangs Arvin, Groove, and Conti all posted comments sympathetic to REvil and inflammatory toward the U.S. on their respective data leak sites.

Groove operators called for partner programs to stop competing with one another and to coordinate attacks on the U.S. public sector. They urged partners not to attack Chinese interests, in case they needed to flee their \u201chomeland\u201d. Shortly after making this announcement, the Groove operator announced that the Groove project was a hoax to troll Western media. The next day both posts had been removed from the site and replaced with a new victim [2]. A few days earlier, a Groove associate had posted on the RAMP cybercrime forum that they would target U.S. hospitals and government agencies and would also consider targets in some EU countries, specifically \u201cItalian Hospitals\u201d [3]. While the credibility of such threats is questionable, these actions do speak to the general sentiment of some ransomware operators toward Western media and interests.

The Conti gang stopped short of asking partners to coordinate an attack on the U.S. private sector, but its post shows a disdain for the United States similar to Groove\u2019s. The Arvin Club posted a Simpsons meme suggesting the takedown of REvil was unwarranted and wishing REvil success [4].

As of 1 November 2021, the Arvin and Groove leak sites and the RAMP forum were no longer accessible to EclecticIQ researchers. It is not yet known whether a coordinated government effort took the sites down or the site administrators shut them down themselves.

While some ransomware gangs are looking to counter recent Western law enforcement efforts by ramping up targeting of the U.S. private sector, others, such as BlackMatter, appear content to lie low and shut down operations. On 1 November 2021, BlackMatter announced, in an apparent message to affiliates, that it would shut down its \u201centire infrastructure\u201d within 48 hours. The group cited \u201cpressure from authorities\u201d and that \u201cpart of the team is no longer available, after the latest news\u201d as the reasons for the shutdown [5]. It is not clear what the group means by the \u201clatest news,\u201d but the timing suggests the coordinated Europol effort that targeted 12 individuals involved in ransomware attacks against critical infrastructure [6]. The BlackMatter leak and support pages were no longer accessible to the EclecticIQ Research Team as of 4 November 2021.

Despite the efforts of law enforcement, the EclecticIQ Threat Research Team has not identified a significant reduction in reports of ransomware nor a reduction in the infrastructure used in attacks. For this reason, organizations should continue to prioritize defenses against the ransomware threat.

New and Noteworthy: Falsified Digital COVID Certificates Under Investigation

As countries continue to recover from the coronavirus pandemic, a number of them are issuing COVID certificates that allow the vaccinated, and those who have recently tested negative or recovered, to travel and to access hospitality, cultural and events venues. The implementation of such a system has sparked privacy concerns and protests throughout Europe. It has also created a marketplace for falsified COVID certificates.

In the past week, falsified certificates for Adolf Hitler, Mickey Mouse, and SpongeBob were posted online that return valid results from the official COVID-19 validator apps of certain countries. The European Commission immediately launched an investigation into how these valid certificates were generated [7]. The Italian wire service ANSA reported on 27 October that some of the private keys used to sign the health certificates had been stolen [8]. Just a day later, however, the French and Polish authorities announced that there was \u201cno cryptographic compromise\u201d [7]. Security researchers tracking fake certificates via a GitHub repository consider it more plausible that the chain of trust between the government and those authorized to generate certificates was compromised, or that someone managed to install malware on a system with access to generate certificates [10]. To a validator app, a certificate produced through a misused issuing system is indistinguishable from a legitimate one: the signature check proves only that the certificate was signed by an authorized key, not that the data it covers was entered by an honest issuer, so such certificates validate perfectly even though no key ever left the issuer\u2019s control.

EclecticIQ researchers also believe it is very unlikely that the private keys were stolen. Stealing the keys would require significant technical capability, as protecting them is a high priority. Theft of such keys would allow threat actors to produce any number of COVID-19 certificates that validate as genuine, and every certificate signed with the compromised key would have to be reissued. It is more likely either that authorized individuals are generating false certificates for sale, or that unauthorized individuals have gained access to a system that can generate certificates. European governments will likely implement new measures to protect the chain of trust and to improve the security of systems with access to generate certificates.

Policy and Governance: NSO Group Added to US Trade Blacklist

On 5 November 2021, the U.S. Commerce Department\u2019s Bureau of Industry and Security (BIS) announced that the Israeli military-grade spyware manufacturer NSO Group would be added to the Entity List for developing and supplying spyware used against \u201cforeign government officials, journalists, businesspeople, activists, academics and embassy workers\u201d [11]. The Entity List is a tool the BIS uses to restrict exports to a listed individual, organization, or company.

NSO Group\u2019s spyware, Pegasus, has been linked to the killing and dismemberment of Washington Post columnist Jamal Khashoggi by Saudi operatives and to the targeting of human rights activists, and was reportedly found on French President Emmanuel Macron\u2019s phone [12] [13].

Three other offensive security companies were added to the Entity List in the same announcement: Candiru (Israel), Positive Technologies (Russia) and Computer Security Initiative Consultancy PTE. LTD (Singapore) [11].

Being placed on the Entity List essentially cuts these organizations off from the U.S. technology industry. EclecticIQ researchers expect this to cause significant disruption to the business operations of these companies, and it could lead to them shutting down unless they are able to retool without U.S. software and hardware.

", "object_refs": ["report--31a0efe3-9906-51ab-bf61-ba234815bf17"], "type": "report", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-163bbe05-cadc-4878-827a-4915d243a5ab", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "modified": "2021-11-05T14:17:04.423067Z", "name": "Analyst Prompt: 2021 Issue #39", "created": "2021-11-05T14:17:04.423067Z", "id": "report--31a0efe3-9906-51ab-bf61-ba234815bf17", "published": "2021-11-05T13:39:52.971369Z", "spec_version": "2.1"}, {"description": "The Analyst Prompt - 2022 Issue #03 - SPECIAL EDITION
Analysis

Threat Actors: Conti Ransomware Group Announces it will Use \u2018Retaliatory Measures\u2019 Against \u2018Western Warmongers\u2019

On Friday, February 25th, security researcher Brett Callow shared on Twitter a statement from the ransomware group Conti stating "The Conti Team is officially announcing a full support of Russian government. If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy." (1) By Sunday evening the Conti Team had modified its statement to be more nuanced, beginning with \u201cAs a response to Western warmongering and American threats to use cyber warfare against the citizens of Russian Federation, the Conti Team is officially announcing that we will use our full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world\u2026..\u201d (2) While still politically charged, the updated statement attempts to distance the group from the Russian government while still threatening cyberattacks against the U.S. and the West.

By Sunday, February 27th, an unidentified actor had leaked alleged Conti Group internal communications, concluding the accompanying message with \u2018Glory to Ukraine!\u2019 (3) The leaked material included information about Conti\u2019s relationships with other cybercrime organizations, details of ransom negotiations, Bitcoin addresses, and more. (4)

In the year and a half since Conti was first observed, it seemed to enjoy a permissive environment in which its Russian benefactors allowed it significant autonomy. Conti has been known for targeting critical infrastructure; in May 2021 the FBI released an advisory describing sixteen Conti ransomware attacks on U.S. healthcare and first responder networks. (5) The long-term impact of the Russia-Ukraine conflict on cybercriminal organizations like Conti is yet to be seen. With the conflict bringing more scrutiny to cyber as a tool of war, EclecticIQ analysts speculate that Conti and groups like it may be forced to change their modus operandi. Increased public awareness of cybercrime, an increasingly isolated host government, and even a group\u2019s own internal divisions over issues like Russia\u2019s invasion of Ukraine may force cybercriminal groups to adapt in unexpected ways. One of the more likely near-term scenarios is escalation on both sides of the cyber conflict: increasingly aggressive and government-directed attacks on one side, with growing defenses and countermeasures on the other.

Policy and Governance: Governments Across the World Warn of (or Brace For) Conflict-Related Cyberattacks

Last week, EclecticIQ noted that cyberattacks against Ukrainian websites were likely to continue as tensions between Russia and Ukraine increased. We also noted warnings from authorities in Germany, Australia, and the U.S. that Russia may launch cyberattacks targeting assets of Ukraine and its allies, and that organizations should take measures to secure and defend their networks. (6, 7, 8) This week, our analysts note a spate of cyberattacks on organizations around the world, including McDonald\u2019s, a supplier to Toyota plants in Japan, satellite operator Viasat (whose service is used for remote control of wind turbines in Germany), and a Bridgestone tire plant in Iowa (U.S.). (9, 10, 11, 12)

More aggressive cyberattacks are increasingly likely once economic sanctions targeting Russian actors and assets are in place. So far, only one of the four recent attacks mentioned above (McDonald\u2019s) has been claimed by Russia-linked threat actors. The other three could have been in the works for weeks or months. The timing coincides with news that each of these nations will impose sanctions on Russia, but so far there is no definitive evidence that Russia initiated attacks because of sanctions. (13, 14) EclecticIQ analysts will watch for indicators that forthcoming attacks specifically target the nations most vocal in their opposition to Russian military action, as a form of retribution, which would indicate that Russian criminal actors have shifted from financial motivation to ideologically driven attacks.

New and Noteworthy: Many Industries, Including Big Tech, Find Themselves with a Role to Play as the War of Words Intensifies

This conflict is one of the clearest examples to date of private corporations using their business reach to help shape the narrative surrounding a conflict. The EU announced that part of its sanctions package against the Kremlin would include banning the Russian state TV channels RT and Sputnik and their subsidiaries from sowing \u2018division in our union.\u2019 (15) U.S. tech giants Meta and Google announced they are barring Russian state-owned media from monetizing their platforms or spreading disinformation, and energy companies from the UK and Norway reduced or ended their cooperation with Russian partners. (16) Even more symbolic moves are gaining media attention: the international soccer governing bodies FIFA and UEFA banned Russian teams from competing, although the Polish and Swedish teams had already declined to play Russia in this spring\u2019s World Cup qualifying matches. (17) Many U.S. state governors and business owners in the U.S. and Canada took a different tack, banning or refusing to sell Russian vodka in liquor stores and bars. (18) Russia is being equally aggressive in its aim to influence the narrative. Internally, where commerce and governance are more tightly controlled, the government asserted control over the narrative by shutting down some independent press outlets and banning the press from describing Russia\u2019s actions as an attack, an invasion, or a war. (19)

Most interesting to EclecticIQ is how the information warfare angle of the conflict is playing out when large TV stations, social media companies, and internet providers decide to amend information or access to it. Both sides are playing the media game with specific intent: Ukraine to garner quick international support of any kind (especially military support), and Russia to convince a domestic audience of the legitimacy of the conflict. Unlike normal CTI analysis of indicators and artefacts, the measure of success in a war of words comes down to popular opinion\u2014or, as the phrase goes \u2018winning hearts and minds.\u2019

One measure of the effectiveness of the war of words is the number of players who have recently and willingly entered the hacktivism space. In addition to Conti declaring support for the Russian government (discussed above), reporting indicates that several hacking groups, including Anonymous, will use their skills to support Ukrainian cyber objectives. (20, 21) Ukraine\u2019s Vice Prime Minister Fedorov called on supporters to form an \u2018IT army\u2019 to fight Russian cyber intrusions. (22) EclecticIQ analysts will continue reporting on the successes and challenges of this phenomenon as the conflict continues.

", "object_refs": ["report--e906884d-1a9d-5e09-8d30-f2a8e0567b2d"], "type": "report", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-a32ca501-a18a-4f95-bba9-ecccf7cb588a", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "modified": "2022-03-01T15:40:35.396859Z", "name": "The Analyst Prompt - 2022 Issue #03 - SPECIAL EDITION", "created": "2022-03-01T15:40:35.396859Z", "id": "report--e906884d-1a9d-5e09-8d30-f2a8e0567b2d", "published": "2022-03-01T15:40:33.478025Z", "spec_version": "2.1"}, {"description": "The Analyst Prompt: 2021 Issue #42
Analysis

Malware: Ransomware Attacks Do Not Let Up at the End of 2021

In what seems an appropriate end to a year defined by an increased focus on ransomware, December proved a busy month for cyber defenders. Organizations of all kinds around the world fell victim to, or became aware of, ransomware attacks. Among them were the Brazilian ministry of health, which lost access to a system used to issue vaccination certificates, and a medical group in the U.S. which learned that 750K patient records had been compromised earlier this year. Two organizations associated with HR software and functions were hit, as were parts of the Virginia state legislature. In an unrelated but more bizarre incident, the Twitter account of Indian Prime Minister Modi was hijacked, with the hackers falsely tweeting that New Delhi would distribute cryptocurrency to the public.

EclecticIQ\u2019s Threat Research team sees no indication that the rate of cyberattacks will drop off toward the end of the year; in fact, criminal actors may seek to exploit minimal staffing during the holiday season to execute attacks. This recent spate of attacks is in line with 2021\u2019s steady rate of ransomware attacks and other intrusions coming to light. Furthermore, these recent attacks show that no industry or geography is safe from attack; the era in which cyber security personnel could confidently assume their network was safe is long gone. Defenders\u2019 best choice is to remain proactive in addressing vulnerabilities as quickly as possible, both in their own network and across their supply chain.

Policy and Governance: Scrutiny of Tech Companies Tied to Social Justice Issues

In mid-December, the U.S. government added eight Chinese firms, several of them technology firms, to an investment blacklist, meaning U.S. investors are barred from investing in them; this is a Treasury measure distinct from the Commerce Department\u2019s Entity List, which restricts exports. Among the firms added were facial and image recognition, AI, cyber security, and cloud computing companies. Part of the justification was the Chinese government\u2019s alleged treatment of its Muslim Uyghur population. (7) Separately, California-based Meta announced it will ban certain Facebook activity by Myanmar\u2019s military. (8) This followed two lawsuits, filed earlier this month in the U.S. and UK, each alleging that Facebook materially contributed to genocide against the Rohingya. (9)

Another often overlooked theme of 2021 was the growing call for a closer look at the role and impact of technology on individuals and societies. This issue was pushed further to the forefront in early fall, when a former Facebook employee leaked company communications detailing internal foreknowledge of the potentially deleterious effects of social media on society. (10) The European Commission in May proposed guidelines to make misinformation online easier to combat, but these guidelines are not yet final. (11) This fall, Australia went a step further, announcing legislation that would force social media platforms to identify users posting defamatory comments. (12) EclecticIQ\u2019s Threat Research team expects initiatives to regulate social media content and increase the accountability of platforms to gain more momentum in 2022. Further study of the long-term effects of social media will provide a more nuanced understanding of it; with that understanding, societies could choose to enact sensible safeguards that harness social media\u2019s potential while minimizing its risks.

Infrastructure and Vulnerabilities: NIST Data Show Slight Drop in High Severity CVEs in 2021, but Log4j Illustrates the Potential Impact of an Individual CVE

The U.S. National Institute for Standards and Technology (NIST) recently released data about the number of low, medium and high severity CVEs identified in 2021. The data show the overall number of CVEs identified in 2021 grew from 2020 numbers, but only slightly. The number of low and medium severity CVEs each grew, but the number of high severity CVEs fell from 2020 to 2021. (13)


Figure 1: Low, Medium, and High Severity CVEs: 2001 \u2013 2021 (NIST)

In the shadow of Log4j, it is encouraging that fewer high-severity CVEs were found in 2021 than the year prior, and that the overall number of CVEs identified demonstrated only a modest increase. What this graph cannot capture is the potential damage that could arise from even one single high severity CVE such as Log4j, and the tremendous effort devoted to mitigating it. It is possible that with each year, the potential impact of a single CVE could grow over the year prior, not because the CVE is any more severe, but rather because a single vulnerability may affect so many more networks. EclecticIQ is cautiously optimistic that 2021\u2019s media coverage and government attention to cyber issues will bring attention and resources needed to make 2022 more secure by both preventing and detecting the emergence of highly disruptive vulnerabilities.

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.

\n\n \n \n", "object_refs": ["report--bfd16d0a-c0e7-5910-9d23-d500276152c6"], "type": "report", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-03e1c083-3e11-487f-9a17-fe40aaf011ab", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "modified": "2021-12-17T19:45:33.202986Z", "name": "The Analyst Prompt: 2021 Issue #42", "created": "2021-12-17T19:45:33.202986Z", "id": "report--bfd16d0a-c0e7-5910-9d23-d500276152c6", "published": "2021-12-17T19:45:33.31364Z", "spec_version": "2.1"}, {"description": "\n \n \n \n \n \n The Analyst Prompt: 2022 Issue #2\n \n \n \n

The Analyst Prompt: 2022 Issue #2


Analysis


Policy and Governance: Making a Case for Cryptocurrency Threat Intelligence

In late January, Blockchain Bridge, a Fintech organization in the Decentralized Finance (DeFi) space that provides 3rd party services to support six blockchains, suffered the second-highest loss of cryptocurrency assets so far, after Poly Network (1). Threat actors exploited a Boolean logic flaw in code used in a proprietary approval protocol for cross-chain transactions, enabling theft of around $320M in assets. The code-based vulnerability becomes apparent only after reverse engineering and triaging the transaction protocol. Threat actors are flocking to Fintech. The amount of stolen crypto assets in 2021 reached between $2.3 and $4.5 billion (2). This represents a 1330% increase from 2020, and the 2020 total represents a 335% increase over the total stolen from DeFi platforms in 2019. Risks and solutions are better discerned by analyzing attack patterns and the types of threat actors that have begun to establish themselves over the past two years.

EclecticIQ analysts and other threat intelligence organizations are taking notice of important and rapidly growing niches for threat intelligence applications in the DeFi space (3). Existing standards, including the Diamond Model and the Kill Chain, can be leveraged with open-source data and tooling from existing Cyber Threat Intelligence to produce a strong foundation for analysis, and to develop and illuminate new DeFi security use cases. There are already some highly relevant and consistent intelligence feeds that provide valuable data on cryptocurrency transactions (bitcoinabuse.com, whale-alert.io). Government and financial policy makers, as well as developers and executives in Fintech, will find it increasingly useful to highlight common attack patterns, describe threat actors and associate their activity to aid attribution, and understand how risk in the DeFi space changes.

Threat Actor Update: NSO Group May Rebrand, But Copycats Will Persist, Morph, and Proliferate

The NSO Group, the Israeli tech company behind the Pegasus spyware, is likely to sell and rebrand under new ownership (4). Even with a rebranding, EclecticIQ analysts assess the group is very likely to persist in developing further zero-day exploits for mobile platforms. Ubiquitous cell phone use can provide a wealth of detailed, on-demand, targeted intelligence, which is highly valuable and thus potentially highly lucrative. Other organizations in the same grey space of high-end 3rd party exploit retail already exist and have developed further leading mobile exploits (5). The details of NSO Group\u2019s tooling reported by Citizen Lab, and the recent publicity, are not likely to stop the wider private espionage industry from persisting and succeeding unless wider action is taken against the sector.

The best defense against overly invasive and possibly illegal mobile surveillance is to hold companies accountable, at a minimum by bringing formal charges against the individuals central to the direction and development of the company, as the US does with ransomware cybercriminals (6). This can at the very least restrict the assets and movements of key individuals. Barring that, individuals\u2019 next best option is to seek out mobile communication applications that hold high standards of encryption and the lowest possible data retention. This will provide better, but not complete, protection from new zero-days and can potentially narrow their impact.

New and Noteworthy: PwnKit Requires Initial Access to the Network

PwnKit, first disclosed on 18 November 2021 by Qualys\u2019 researchers and exploitable since May 2009, affects Unix and is tracked as CVE-2021-4034 with a severity score of 7.8. PwnKit is a local privilege escalation vulnerability leading to arbitrary code execution. The vulnerability resides in the pkexec command of Polkit, which contains a memory corruption flaw triggered when null data is passed to it (7). The vulnerability allows escalation to full root privileges on default installations of most popular Linux distributions.

Proofs of concept have been released publicly. Potential threats can be hunted by looking in logs for unexpected environment variables passed to pkexec under Polkit, or for a null value in the SHELL variable within the program. Looking for new, unexpected processes spawned as root after suspicious connections to the internal network may also provide incident-response leads. Disabling the command is a temporary workaround, but processes that depend on it are likely to break. Overall threat risk is moderate because the vulnerability is not remotely exploitable.


We would love to hear from you. Please give us your feedback by filling in this quick survey. It takes less than a minute.

\n\n \n \n", "object_refs": ["report--5da0e6a8-2cc1-5d48-86aa-a80439597aae"], "type": "report", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-2610ece5-bb56-4701-9ba0-75b514aefdd2", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "modified": "2022-02-07T14:18:35.862179Z", "name": "The Analyst Prompt: 2022 Issue #2", "created": "2022-02-07T14:18:35.862179Z", "id": "report--5da0e6a8-2cc1-5d48-86aa-a80439597aae", "published": "2022-02-04T00:00:00Z", "spec_version": "2.1"}, {"description": "\n \n \n \n \n \n Analyst Prompt: 2021 issue #38\n \n \n \n

Analyst Prompt: 2021 issue #38


Analysis


New and Noteworthy: Fake Media Will Likely Become a Mainstream Tactic in 2022
Cybercriminals used technology to recreate or clone the voice of the director of a bank in the U.A.E. so that a bank manager would authorize a transfer of $35 million to cybercriminals, under the pretext of a new acquisition (1). Reporting indicates they spoofed both voice and email, which could count as successfully subverting multi-factor authentication. Investigators believe the threat actor group comprised at least 17 people.

The attack represents an evolved form of a classic BEC (Business Email Compromise) scam; only this time voice is the primary medium for the attack. Voice cloning is well suited to this type of attack because it is more convincing and immediate. There is low risk of being caught once the criminals receive the transferred money, so BEC and social engineering scammers are very likely to be early adopters of unproven new attack vectors such as this. EclecticIQ analysts expect cybercriminals will rapidly adopt voice and visual cloning technologies in new attacks, first for financially motivated cyber-crimes and next in highly strategic APT attacks. There are many social engineering opportunities to which this can be applied. Most people have no prudent training or protocols for recognizing spoofed audio and video.

Policy and Governance: Escalating Threat of Ransomware Will Drive Regional Cooperation to Address Attacks in Lieu of a Global Framework

Data from Check Point indicates a current surge in both ransomware infections and botnets able to deliver ransomware since the Covid-19 pandemic began in early 2020, with companies in North America experiencing the highest growth in attack volume (2). EclecticIQ analysts note an annual relative increase in ransomware occurred last year at this time, but it was largely aimed at the US education sector (3). The attack increase this year is occurring across a broader set of industries. Another significant sign of ransomware escalation comes from US disclosure of four ransomware attacks against water facilities in the past two years (4). The public disclosure contains the largest number of ransomware attacks against US critical infrastructure announced at one time.

Pressures from ransomware led the US and 30 other countries to meet virtually for an introductory forum on how to better address ransomware (5). The absence of an invitation to China and Russia is a strong signal that regional coalitions to combat ransomware syndicates are likely to form instead of global efforts. New policies resulting from regional coalitions will very likely involve cross-border law enforcement cooperation, reporting of ransomware attacks, and accountability policies aimed at tracking and disincentivizing ransom payment. Cooperation among smaller groups of states in dealing with ransomware is likely to be effective at restricting ransomware attacks because cooperative policy will likely aid law enforcement operations against ransomware threat actors across borders.

Separately, the Netherlands announced it is escalating its response to ransomware against critical infrastructure and national security (6). The government plans to prioritize prevention, attribution, and response to critical ransomware incidents. The announcement is likely aimed at deterrence, in an effort to protect the Netherlands\u2019 tech startups and vulnerable businesses. Ransomware attacks on critical industry could possibly have a greater impact in the Netherlands than they would have on a larger nation with more distributed infrastructure and resources. EclecticIQ analysts note it remains extremely difficult to establish firm attribution for state-linked ransomware attacks, making formal military and diplomatic channels nearly impossible to work through. Given this fact, it is unclear how the escalated efforts will be directed. The Dutch government stated it is prepared to share further specific intelligence on ransomware with private businesses.

It has been widely observed that many ransomware families specifically avoid targeting Commonwealth of Independent States (CIS) countries via language-based whitelists that prevent malware installation (7). It has been strongly speculated that the Russian government turns a blind eye to attacks that operate outside of the CIS region (8). This intolerance of local ransomware attacks has led ransomware syndicates to avoid targeting countries in the CIS region. If other countries express similar intolerance via frameworks that allow easier regional prosecution of operators, then overall ransomware operations may become scarcer because law enforcement will be able to more readily disrupt operations.

Regional cooperation against ransomware may force ransomware syndicates to expand similar blanket-style whitelists in their ransomware operations to avoid being targeted and shut down by law enforcement (as the REvil group has now experienced twice (9)). Ransomware gangs shut down operations if law enforcement pressure resulting from specific ransomware attacks reaches certain thresholds. The shutdowns greatly affect operations and profit. If ransomware whitelisting of certain regions expands, it could restrict the growth potential of currently operating ransomware families and establish reverse incentives for the development of new ransomware families.

\n\n \n \n", "object_refs": ["report--5279d43f-fa7b-5900-971a-38915696ebd1"], "type": "report", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-d86a3140-4beb-4b7c-b98d-eddfa533c455", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "modified": "2021-10-25T14:03:51.980849Z", "name": "Analyst Prompt: 2021 issue #38", "created": "2021-10-25T14:03:51.980849Z", "id": "report--5279d43f-fa7b-5900-971a-38915696ebd1", "published": "2021-10-25T00:00:00Z", "spec_version": "2.1"}, {"description": "\n \n \n \n \n \n The Analyst Prompt: Issue 1 #2022\n \n \n \n

The Analyst Prompt: Issue 1 #2022


Analysis


Exploit Tools and Targets: Threat Actors Continue to Leverage the Log4j Exploit

According to a recent research article by CrowdStrike, AQUATIC PANDA, a China-based group known for intelligence collection and industrial espionage, has been observed exploiting CVE-2021-44228 to target a large academic institution (1). The threat actor likely used a modified version of the Log4j exploit with the goal of installing a reverse shell and harvesting credentials (1). The actor used a Base64-encoded PowerShell command to retrieve three files from a C2 server, which were decoded and are believed to constitute the reverse shell (1). They made multiple attempts at credential harvesting using living-off-the-land binaries and dumping the LSASS process (1). AQUATIC PANDA used WinRAR to compress the memory dump for exfiltration and deleted all executables from the ProgramData and Windows\\temp\\ directories to cover their activity (1).

Similarly, Check Point noted that APT35, a suspected Iranian nation-state actor known for espionage operations, exploited CVE-2021-44228 to install a modular PowerShell backdoor named CharmPower, which is used to gain persistence, collect information and execute commands (2). The exploit retrieves a malicious Java class which executes a PowerShell command with a base64-encoded payload to download the main module. The main module is responsible for validating the network connection, performing basic system enumeration, decoding the command and control (C2) domain, and receiving, decrypting and executing the following modules:

  • Applications module
  • Screenshot module
  • Processes Module
  • System Information Module
  • Command Execution module
  • Cleanup Module

AQUATIC PANDA\u2019s and APT35\u2019s recent use of the Log4j exploit highlights the continued risk CVE-2021-44228 poses to organizations. Nation-state and criminal groups added CVE-2021-44228 to their toolsets from the moment of its release (3), and the recent activity by AQUATIC PANDA and APT35 shows that advanced groups are still exploiting the vulnerability. This trend is almost certainly going to continue due to the ease of exploitation and the wide threat surface, with more than 2,800 distinct products containing Log4j and an estimated hundreds of millions of individual devices affected (4).

Malware: New Web Skimmer Targets Real Estate Websites

Researchers from Palo Alto Networks identified a new web skimmer which infected over 100 real estate websites through a supply chain attack (5). The unknown threat actor injected malicious JavaScript code into the player of a cloud video platform used by real estate websites (5). When the real estate sites imported the video, they became infected with the web skimmer (5). The web skimmer is designed to steal sensitive information users input into the real estate website, such as credit card details, name, and email address (5).

Supply chain attacks are an increasing risk to organizations moving forward. The nature of a supply chain attack allows an actor to have an outsized impact by successfully executing a single attack which affects multiple downstream stakeholders. Criminal and nation-state groups have recognized this and are using supply chain attacks such as SolarWinds (6) and the Kaseya attack (7) to achieve their objectives. Organizations are likely to push for more visibility into their vendors\u2019 security practices to reduce the risk posed by supply chain attacks.


We would love to hear from you. Please give us your feedback by filling in this quick survey. It takes less than a minute. https://forms.office.com/r/VzfuC78Lk6

\n\n \n \n", "object_refs": ["report--da6841c0-8970-5a43-b44d-47e5a8b8708d"], "type": "report", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-ac089666-3a3d-490a-9127-82fcc15da848", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "modified": "2022-01-16T17:12:23.086169Z", "name": "The Analyst Prompt: Issue 1 #2022", "created": "2022-01-16T17:12:23.086169Z", "id": "report--da6841c0-8970-5a43-b44d-47e5a8b8708d", "published": "2022-01-16T16:57:44.941445Z", "spec_version": "2.1"}, {"description": "\n \n \n \n \n \n The Analyst Prompt: 2022 Issue #5\n \n \n \n

The Analyst Prompt: 2022 Issue #5


Analysis


RUSSO-UKRAINIAN WAR 2022: Cyberattacks Reported At High Frequency

As anticipated in the last Analyst Prompt, the spate of cyberattacks targeting Ukraine and Western organizations continued in week three of the war. It is almost certain that the frequency of cyberattacks, as well as mis- and disinformation operations, will remain high in the coming weeks. EclecticIQ analysts note that reported damage from cyberattacks to date appears rather confined. Large-scale cyberattacks with major impact on Ukrainian infrastructure or services have not been observed. Analysts acknowledge that in the fog of war, government entities or private institutions likely have not identified nor reported all cyber incidents.

On March 15th, research firm ESET reported a new data-wiping malware targeting Ukraine named CaddyWiper. [1] The malware \u201cdestroys user data and partitions information from attached drives\u201d. According to ESET, CaddyWiper shares \u201cno major code similarities to either HermeticWiper or IsaacWiper\u201d - two other data wiper malware observed since the beginning of the invasion.

On March 15th, the FBI and CISA released a report about Russian state sponsored actors targeting an unnamed NGO. [2] The threat actor leveraged a set of misconfigured Multi-Factor Authentication (MFA) accounts that enabled it to enroll a new device for MFA and to access the victim network. The actors then exploited the Windows Print Spooler vulnerability \u201cPrintNightmare\u201d (CVE-2021-34527) to run arbitrary code and to move laterally in the target environment.

On March 12th, Ukraine's Computer Emergency Response Team (UA-Cert) warned about phishing emails impersonating Ukrainian government entities. [3] The emails redirected victims to a website delivering fake antivirus updates that eventually downloaded Cobalt Strike beacons, or two custom Go malware variants named GraphSteel and GrimPlant. The UA-Cert attributes the activity to UAC-0056.

Viasat Inc., a provider of high-speed satellite broadband, is investigating a possible attack against the KA-SAT satellite system. KA-SAT, run in cooperation with French satellite operator EUTELSAT, supplies Europe and the Mediterranean with satellite internet connection and, due to its independence from terrestrial infrastructure, connects endpoints in remote areas. KA-SAT operates 82 "spot beams", i.e., antennas that create a grid of ellipses on the earth's surface. One such beam is located over Kyiv. On the earth's surface the beams are connected to eight gateway stations in Europe. Experts believe that Russian forces, in an attempt to cut internet connectivity in Ukraine, attacked a regional gateway, but knock-on effects also took down other gateways in Europe. [4]

Policy and Governance: German BSI Issues Warning For Kaspersky Products

The German Federal Office for Information Security (BSI) issued a warning about the use of Kaspersky products. [5] EclecticIQ researchers note the BSI does not ban Kaspersky products, unlike the US or the Netherlands, which prohibited buying and installing Kaspersky software on government computers and other devices well prior to the Russian invasion. Instead, the BSI encourages German companies and private users to replace Kaspersky's virus protection software with alternative products.

The BSI wrote that \u201cactions of military and/or intelligence forces in Russia and the threats made by Russia against the EU, NATO and the Federal Republic of Germany in the course of the current armed conflict are associated with a considerable risk of a successful IT attack. A Russian IT manufacturer can conduct offensive operations itself, be forced to attack target systems against its will, or be spied on without its knowledge as a victim of a cyber operation or be used as a tool for attacks against its own customers.\u201d

In its response to the warning, Kaspersky argued that the decision by the BSI was made on political grounds, and should not be interpreted as a technical assessment of Kaspersky products. [6]

Similarly, since the start of the war, the National Agency for the Security of Information Systems (ANSSI) in France has questioned the use of Kaspersky software, and the Italian Undersecretary to the Prime Minister warned of threats from Russian anti-virus products. [7] [8]

New and Noteworthy: Lapsus$ Claims Responsibility for Cyber-Attacks on Nvidia, Samsung, Ubisoft and Vodafone

A previously unknown cybercriminal actor named Lapsus$ claimed responsibility for recently reported security incidents targeting Nvidia [9], Samsung [10], Ubisoft [11] and Vodafone [12]. EclecticIQ analysts note the modus operandi differs from other ransomware operations. Current OSINT reporting indicates that the actor does not deploy any file-encrypting ransomware in the target environment, but solely focuses on data theft and extortion.

It is unknown how Lapsus$ obtains initial access. It is plausible that the adversary buys access to target environments. In a post made in a Telegram group - allegedly run by the actor - the adversary recruits employees working at telecommunication, technology, or software companies. The same post also asks for credentials for virtual private network or virtual desktop infrastructure.

Lapsus$ was first seen in December 2021 attacking several websites of Brazil\u2019s Ministry of Health, allegedly extracting data, and demanding a ransom for returning the stolen data. [13] In the beginning of 2022, the group claimed responsibility for hacking and extorting Impresa - the largest media company in Portugal. [14]

Nvidia confirmed a cybersecurity incident on February 23rd and reported that a threat actor successfully \u201ctook employee passwords and some NVIDIA proprietary information from [its] systems and has begun leaking it online.\u201d [9] The leak contained two expired code-signing certificates. OSINT reporting shows [15] that the expired certificates were used to sign hacking tools and malware, including Cobalt Strike Beacon and remote access trojans.

In a statement on March 7th, Samsung confirmed a security breach involving \u201csome source code relating to the operation of [its] Galaxy devices\u201d. EclecticIQ analysts note that access to the source code (or parts of it) could allow adversaries to identify new vulnerabilities for later exploitation. On March 10th, Ubisoft reported a cyber security incident. A post in the Telegram channel implied that Lapsus$ took responsibility for the breach. Another post in the channel claimed to have released hundreds of gigabytes of stolen source code from Vodafone. On March 13th, Vodafone confirmed an investigation into the claims made.

Threat Actor Update: Conti Ransomware Group Restored Operations

EclecticIQ analysts assess that the ransomware group Conti replaced its infrastructure after it was exposed [16] in late February so it can continue attacking new targets with its ransomware malware. Like other cyber-criminal operations (e.g., Trickbot, Emotet), the members behind Conti are almost certainly highly skilled network engineers, system architects, and developers who have accounted for resilience in their infrastructure and operational setup, and were thus able to quickly recover from the intermediate setback.

EclecticIQ analysts noted a minor dip in the frequency of drops added to the Conti News Tor blog following the first batch of leaks on February 27th, but new drops appeared as of March 1st.

It is unknown if Conti had been completely inactive, since:

  • Organizations may not disclose ransomware attacks.
  • Conti does not publish details of victims that have paid the ransom.
  • Conti did not post daily drops on the extortion site under normal operation.

Critical Vulnerabilities: Dirty Pipe - A Privilege Escalation Vulnerability in Linux Kernel

On March 7th, security researcher Max Kellermann disclosed [17] a critical vulnerability (CVE-2022-0847) in Linux kernel 5.8 and later. The vulnerability, named \u201cDirty Pipe\u201d, could allow an attacker with local access to gain root privileges, for example by altering sensitive files such as \u201c/etc/passwd\u201d or by modifying any setuid-root binary, overwriting the ELF with malicious code. Kellermann and other experts released proof-of-concept exploits. Patches have been released for the Linux kernel, and EclecticIQ analysts strongly recommend upgrading to one of the following versions: 5.16.11, 5.15.25, 5.10.102.

\n\n \n \n", "object_refs": ["report--812c8b8c-517b-5484-ad8d-5fa2626f77c9"], "type": "report", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-1945cce4-27a5-40df-83fc-73ada90ff0ae", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "modified": "2022-03-22T15:35:18.6474Z", "name": "The Analyst Prompt: 2022 Issue #5", "created": "2022-03-22T15:35:18.6474Z", "id": "report--812c8b8c-517b-5484-ad8d-5fa2626f77c9", "published": "2022-03-22T00:00:00Z", "spec_version": "2.1"}, {"description": "\n \n \n \n \n \n The Analyst Prompt: 2022 Issue #4\n \n \n \n

The Analyst Prompt: 2022 Issue #4


Analysis


Threat Actor Update: Iranian State-Sponsored APT Conducts Cyber Espionage and Ransomware Activities

EclecticIQ researchers assess MuddyWater is a well-funded, state-supported, and skilled adversary group, based on the variety of tactics, tools, and targets used by the group, which can cause significant damage to both governments and enterprises through data theft and ransomware.

MuddyWater is the first APT group attributed as a subordinate element to the Iranian Ministry of Intelligence and Security (MOIS) by The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom\u2019s National Cyber Security Centre (NCSC-UK). MuddyWater has been observed conducting cyber espionage and other cyber activities targeting telecommunication, defense, government, oil and natural gas in Asia, Europe, and North America since approximately 2018 [1].

The attribution of MuddyWater to MOIS likely signals the growth of Iranian cyber capabilities. According to a report by the US Federal Research Division, MOIS is the most powerful and well supported ministry of all Iranian ministries and ranks as \u201cone of the largest and most dynamic intelligence agencies in the Middle East.\u201d [2]

EclecticIQ Researchers assess it is likely MuddyWater will target strategic government agencies, organizations and individuals that have contrasting interests or have dissented with the leadership of Iran. In 2017, MOIS\u2019s powers and responsibilities were formally expanded [3]. The increase of activities abroad has included extensive monitoring and targeting of dissidents and defectors according to the Washington Institute for Near East Policy.

The actor is known to utilize spearphishing, exploit publicly known vulnerabilities and use open-source tools to gain access to sensitive data and deploy ransomware. Spearphishing campaigns have lured victims into downloading ZIP files containing a macro-enabled Excel document or a PDF file that drops a malicious file to initiate command and control (C2) communications [1].

Once initial access is established, MuddyWater utilizes a variety of malware to accomplish its objectives. The malware suite includes: [1]

  • PowGoop
  • Small Sieve
  • Canopy
  • Mori
  • POWERSTATS
  • Survey Scripts
  • Custom PowerShell Backdoor

MuddyWater may also be known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros by various vendors.

Policy and Governance: Joint Advisory Shows Increased Globalized Threat of Ransomware

A joint advisory released by the United States, UK and Australian cyber security authorities reports an increase in 2021 of \u201csophisticated, high-impact ransomware incidents against critical infrastructure organizations globally.\u201d [4] According to the report, ransomware tactics continued to evolve in 2021 which demonstrated the continued technical growth of threat actors and an increased threat to organizations globally.

EclecticIQ Researchers also assess the ransomware threat will continue to grow in 2022. The increasing professionalism of threat groups, including improved victim assistance and negotiation services, as well as evolving tactics such as targeting cloud infrastructure and supply chains and the use of triple extortion (threatening to publicly release sensitive information, disrupt the victim\u2019s internet access, and inform the victim\u2019s partners, shareholders, and suppliers of the incident), all show that the RaaS ecosystem is growing. This growth is likely to mean targeting more organizations across the globe to increase profits.

We would love to hear from you. Please give us your feedback by filling in this quick survey. It takes less than a minute.

\n\n \n \n", "object_refs": ["report--67b9c305-d114-5799-b4ce-8879979c8abd"], "type": "report", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-b3d040f1-25f0-40ee-b437-f39741ea7124", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "modified": "2022-03-04T14:40:21.228834Z", "name": "The Analyst Prompt: 2022 Issue #4", "created": "2022-03-04T14:40:21.228834Z", "id": "report--67b9c305-d114-5799-b4ce-8879979c8abd", "published": "2022-02-18T09:38:16.274339Z", "spec_version": "2.1"}, {"description": "\n \n \n \n \n \n The Analyst Prompt: 2021 Issue #40\n \n \n \n

The Analyst Prompt: 2021 Issue #40


Analysis


Threat Actor Update: TA505 Shifts Towards Exploitation of Publicly Exposed Applications for Initial Access

The cybercriminal group known as TA505 exploits publicly available SolarWinds Serv-U servers vulnerable to CVE-2021-35211 (1) for initial access (2). Exploitation executes Base64-encoded PowerShell that deploys Cobalt Strike Beacon. TA505 occasionally hijacks the RegIdleBackup scheduled task and abuses its COM handler to gain persistence and to execute the FlawedGrace remote access trojan. The intrusions are likely preparation for the deployment of ransomware (3).

TA505\u2019s exploitation of CVE-2021-35211 represents a shift in initial access techniques. Historically, TA505 relied on socially engineered phishing campaigns with a malicious attachment or link (4). That technique requires users to manually click on the attached file or link for execution, whereas exploitation of public-facing vulnerable servers requires no user execution for initial access. EclecticIQ recommends that SolarWinds Serv-U users visit the official SolarWinds security advisory for affected products and patches (1).

Threat Actor Update: Iranian Nation-State Groups\u2019 Use of Ransomware Highlights Continued Dominance of the Ransomware Threat

Six Iranian threat groups are deploying ransomware with the goal of disrupting their targets or collecting funds from them (5). PHOSPHORUS gained initial access by exploiting vulnerabilities affecting Fortinet FortiOS SSL VPN (CVE-2018-13379) and, in the latter half of 2021, by targeting unpatched on-premises Exchange Servers vulnerable to ProxyShell (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065). After compromise, the actor moved laterally and deployed BitLocker to encrypt the victim\u2019s data and demand a ransom. Multiple Iranian groups are also moving away from unsolicited phishing emails towards targeted social engineering for user execution and credential theft.

Ransomware is and will remain the most significant cyber threat for public and private organizations. Iranian-based threat groups\u2019 use of ransomware represents a growing emphasis by threat groups (6) on ransomware, for both financial and non-financial motivations. This shift will continue because encrypting an organization\u2019s or individual\u2019s data is effective for both monetary and disruptive purposes.

New & Noteworthy: U.S. Justice Department Charges Ukrainian and Russian Nationals in Continued Escalation Against Ransomware Threat

The U.S. Justice Department charged one Ukrainian and one Russian national for their involvement in deploying Sodinokibi/REvil ransomware against U.S. businesses and government entities (7). Yaroslav Vasinskyi, a Ukrainian national, and Yevgeniy Polyanin, a Russian national, have been charged with conducting ransomware attacks, including the Kaseya attack in July 2021 (8). The Department also seized $6.1 million USD traceable to ransom payments obtained by Yevgeniy Polyanin. Vasinskyi was taken into custody in Poland and is awaiting extradition at the request of the U.S. Polyanin remains at large.

The charges against Vasinskyi and Polyanin represent a continued escalation by the U.S. government in response to the ransomware threat. The charges are part of a larger effort by the U.S. government and the newly set up Ransomware Task Force to directly disrupt and counter ransomware groups using four lines of effort (9). The U.S. Department of the Treasury sanctioned the cryptocurrency exchange SUEX in September for its role in facilitating financial transactions related to ransomware (10), showing the willingness of the U.S. to disrupt financial infrastructure used by ransomware groups. International partnerships are also key: the arrest of Vasinskyi involved multiple international partners, including Poland (7).

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please give us your feedback by filling in this quick survey. It takes less than a minute.

https://forms.office.com/Pages/ShareFormPage.aspx?id=tXq37P9XA0CfybqRjWdI5i68gaYvaDJGupd4xaVnUMVUMEFPWlpUUTZHN05EUEROSEdGQ1VDRTM2QiQlQCN0PWcu&sharetoken=uA0GFoqSR8pi3AOkJbPT

\n\n \n \n", "object_refs": ["report--0f5ef542-7b3c-5a12-93f5-aeba8d169314"], "type": "report", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}report-7cafd28e-c9ae-4996-93b8-d2509cab3943", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "modified": "2021-11-23T18:55:20.246519Z", "name": "The Analyst Prompt: 2021 Issue #40", "created": "2021-11-23T18:55:20.246519Z", "id": "report--0f5ef542-7b3c-5a12-93f5-aeba8d169314", "published": "2021-11-23T18:55:03.373227Z", "spec_version": "2.1"}, {"description": "

Microsoft reports it was attacked again by the Russia-linked Nobelium group. The attackers compromised a Microsoft customer support agent. Nobelium used the information obtained to launch further targeted spearphishing attacks that are known to have compromised at least three clients.

", "created": "2021-10-25T12:43:59.358233Z", "type": "campaign", "x_eiq_json_id": "{https://www.eclecticiq.com/ns}campaign-3f2b0eaa-b886-47eb-95c4-687879016791", "confidence": 100, "first_seen": "2021-05-01T00:00:00Z", "last_seen": "2021-05-31T00:00:00Z", "aliases": ["Nobelium Activity May 2021", "new breach discovered in probe of suspected SolarWinds hackers"], "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "modified": "2021-10-25T12:43:59.358233Z", "name": "Nobelium Activity May 2021", "labels": ["Admiralty Code - Confirmed by other sources", "Malware - Information Stealer Harvester", "Admiralty Code - Completely reliable", "Threat Actors - APT", "Industry Sector - Software"], "objective": "Advantage", "id": "campaign--13a0362d-c013-5b15-877c-8d4820fd01cc", "spec_version": "2.1"}, {"description": "A local privilege escalation vulnerability was found in polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according to predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends up trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way that it will induce pkexec to execute arbitrary code. 
When successfully executed, the attack can cause a local privilege escalation, giving unprivileged users administrative rights on the target machine.\n\nReferences:\n- https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt\n- https://access.redhat.com/security/vulnerabilities/RHSB-2022-001\n- https://bugzilla.redhat.com/show_bug.cgi?id=2025869\n- https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683\n- http://packetstormsecurity.com/files/166196/Polkit-pkexec-Local-Privilege-Escalation.html\n- http://packetstormsecurity.com/files/166200/Polkit-pkexec-Privilege-Escalation.html\n\nCVSS Version 3.x:\nVector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\nAttack Vector: LOCAL\nAttack Complexty: LOW\nPrivileges Required: LOW\nUser Interaction: NONE\nScope: UNCHANGED\nConfidentiality Impact: HIGH\nIntegrity Impact: HIGH\nAvailability Impact: HIGH\nBase Severity: HIGH\nBase Score: 7.8\n\nCVSS Version 2.0\nVector String: AV:L/AC:L/Au:N/C:C/I:C/A:C\nAuthentication: NONE\nConfidentiality Impact: COMPLETE\nIntegrity Impact: COMPLETE\nAvailability Impact: COMPLETE\nBase Score: 7.2\n\nSeverity: HIGH\nExploitability Score: 3.9\nImpact Score: 10.0\n", "type": "vulnerability", "x_eiq_json_id": "{https://cloud.nvd.com/}exploit-target-9946da0c-8fec-5bc8-bab3-42c60c163bcd", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "external_references": [{"source_name": "cve", "external_id": "CVE-2021-4034", "url": "https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt"}, {"source_name": "cve", "external_id": "CVE-2021-4034", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2022-001"}, {"source_name": "cve", "external_id": "CVE-2021-4034", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025869"}, {"source_name": "cve", "external_id": "CVE-2021-4034", "url": "https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683"}, {"source_name": "cve", 
"external_id": "CVE-2021-4034", "url": "http://packetstormsecurity.com/files/166196/Polkit-pkexec-Local-Privilege-Escalation.html"}, {"source_name": "cve", "external_id": "CVE-2021-4034", "url": "http://packetstormsecurity.com/files/166200/Polkit-pkexec-Privilege-Escalation.html"}], "modified": "2022-03-05T10:01:15.879612Z", "name": "CVE-2021-4034", "labels": ["CVSS v2 - Attack Complexty - HIGH", "CVSS v2 - Authentication - NONE", "CVSS v2 - Availability Impact - COMPLETE", "CVSS v2 - Confidentiality Impact - COMPLETE", "CVSS v2 - Integrity Impact - COMPLETE", "CVSS v3 - Attack Complexty - LOW", "CVSS v3 - Attack Vector - LOCAL", "CVSS v3 - Availability Impact - HIGH", "CVSS v3 - Base Severity - HIGH", "CVSS v3 - Confidentiality Impact - HIGH", "CVSS v3 - Integrity Impact - HIGH", "CVSS v3 - Privileges Required - LOW", "CVSS v3 - Scope - UNCHANGED", "CVSS v3 - User Interaction - NONE"], "created": "2022-03-05T10:01:15.879612Z", "id": "vulnerability--79789200-b403-5b6d-8de7-1481bc8e47b9", "spec_version": "2.1"}, {"description": "Windows Print Spooler Remote Code Execution Vulnerability\n\nReferences:\n- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34527\n\nCVSS Version 3.x:\nVector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\nAttack Vector: NETWORK\nAttack Complexty: LOW\nPrivileges Required: LOW\nUser Interaction: NONE\nScope: UNCHANGED\nConfidentiality Impact: HIGH\nIntegrity Impact: HIGH\nAvailability Impact: HIGH\nBase Severity: HIGH\nBase Score: 8.8\n\nCVSS Version 2.0\nVector String: AV:N/AC:L/Au:S/C:C/I:C/A:C\nAuthentication: SINGLE\nConfidentiality Impact: COMPLETE\nIntegrity Impact: COMPLETE\nAvailability Impact: COMPLETE\nBase Score: 9.0\n\nSeverity: HIGH\nExploitability Score: 8.0\nImpact Score: 10.0\n", "type": "vulnerability", "x_eiq_json_id": "{https://cloud.nvd.com/}exploit-target-d92e706e-ea55-5c69-9b54-bf7956919e45", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], 
"external_references": [{"source_name": "cve", "external_id": "CVE-2021-34527", "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34527"}], "modified": "2022-03-22T08:20:30.33577Z", "name": "CVE-2021-34527", "labels": ["CVSS v2 - Attack Complexty - HIGH", "CVSS v2 - Authentication - SINGLE", "CVSS v2 - Availability Impact - COMPLETE", "CVSS v2 - Confidentiality Impact - COMPLETE", "CVSS v2 - Integrity Impact - COMPLETE", "CVSS v3 - Attack Complexty - LOW", "CVSS v3 - Attack Vector - NETWORK", "CVSS v3 - Availability Impact - HIGH", "CVSS v3 - Base Severity - HIGH", "CVSS v3 - Confidentiality Impact - HIGH", "CVSS v3 - Integrity Impact - HIGH", "CVSS v3 - Privileges Required - LOW", "CVSS v3 - Scope - UNCHANGED", "CVSS v3 - User Interaction - NONE", "PrintNightmare"], "created": "2022-03-22T08:20:30.33577Z", "id": "vulnerability--10a2236f-aefd-574b-911c-ebd65ef8c8b0", "spec_version": "2.1"}, {"description": "A flaw was found in the way the \"flags\" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. 
An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.\n\nReferences:\n- https://bugzilla.redhat.com/show_bug.cgi?id=2060795\n- https://dirtypipe.cm4all.com/\n- http://packetstormsecurity.com/files/166229/Dirty-Pipe-Linux-Privilege-Escalation.html\n- http://packetstormsecurity.com/files/166230/Dirty-Pipe-SUID-Binary-Hijack-Privilege-Escalation.html\n- http://packetstormsecurity.com/files/166258/Dirty-Pipe-Local-Privilege-Escalation.html\n\nCVSS Version 3.x:\nVector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\nAttack Vector: LOCAL\nAttack Complexty: LOW\nPrivileges Required: LOW\nUser Interaction: NONE\nScope: UNCHANGED\nConfidentiality Impact: HIGH\nIntegrity Impact: HIGH\nAvailability Impact: HIGH\nBase Severity: HIGH\nBase Score: 7.8\n\nCVSS Version 2.0\nVector String: AV:L/AC:L/Au:N/C:C/I:C/A:C\nAuthentication: NONE\nConfidentiality Impact: COMPLETE\nIntegrity Impact: COMPLETE\nAvailability Impact: COMPLETE\nBase Score: 7.2\n\nSeverity: HIGH\nExploitability Score: 3.9\nImpact Score: 10.0\n", "type": "vulnerability", "x_eiq_json_id": "{https://cloud.nvd.com/}exploit-target-6bfabeba-1e78-54e8-8a98-c5df1cf7d35d", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "external_references": [{"source_name": "cve", "external_id": "CVE-2022-0847", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060795"}, {"source_name": "cve", "external_id": "CVE-2022-0847", "url": "https://dirtypipe.cm4all.com/"}, {"source_name": "cve", "external_id": "CVE-2022-0847", "url": "http://packetstormsecurity.com/files/166229/Dirty-Pipe-Linux-Privilege-Escalation.html"}, {"source_name": "cve", "external_id": "CVE-2022-0847", "url": "http://packetstormsecurity.com/files/166230/Dirty-Pipe-SUID-Binary-Hijack-Privilege-Escalation.html"}, {"source_name": "cve", "external_id": "CVE-2022-0847", "url": 
"http://packetstormsecurity.com/files/166258/Dirty-Pipe-Local-Privilege-Escalation.html"}], "modified": "2022-03-22T08:21:36.794168Z", "name": "CVE-2022-0847", "labels": ["CVSS v2 - Attack Complexty - HIGH", "CVSS v2 - Authentication - NONE", "CVSS v2 - Availability Impact - COMPLETE", "CVSS v2 - Confidentiality Impact - COMPLETE", "CVSS v2 - Integrity Impact - COMPLETE", "CVSS v3 - Attack Complexty - LOW", "CVSS v3 - Attack Vector - LOCAL", "CVSS v3 - Availability Impact - HIGH", "CVSS v3 - Base Severity - HIGH", "CVSS v3 - Confidentiality Impact - HIGH", "CVSS v3 - Integrity Impact - HIGH", "CVSS v3 - Privileges Required - LOW", "CVSS v3 - Scope - UNCHANGED", "CVSS v3 - User Interaction - NONE", "Dirty Pipe"], "created": "2022-03-22T08:21:36.794168Z", "id": "vulnerability--b4849558-8c70-5712-9899-e648f953989c", "spec_version": "2.1"}, {"description": "Florian Roth", "type": "identity", "roles": ["Initial Author"], "identity_class": "unknown", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "external_references": [{"source_name": "", "url": "https://twitter.com/ESETresearch/status/1503436420886712321?s=20&t=xh8JK6fEmRIrnqO7Ih_PNg"}], "modified": "2014-08-27T14:00:00.000Z", "name": "", "created": "2014-08-27T14:00:00.000Z", "id": "identity--093059e6-4c11-57e1-858f-ae8feabe6bbf", "spec_version": "2.1"}, {"type": "identity", "identity_class": "unknown", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "external_references": [{"source_name": "Florian Roth", "url": "https://twitter.com/ESETresearch/status/1503436420886712321?s=20&t=xh8JK6fEmRIrnqO7Ih_PNg"}], "modified": "2014-08-27T14:00:00.000Z", "name": "Florian Roth", "created": "2014-08-27T14:00:00.000Z", "id": "identity--762bf90f-1efb-5189-b54f-1f74cce7b27b", "spec_version": "2.1"}, {"description": "Detects CaddyWiper malware", "type": "indicator", "pattern": "rule MAL_WIPER_CaddyWiper_Mar22_1\n{\n\tmeta:\n\t\tdescription = \"Detects 
CaddyWiper malware\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"https://twitter.com/ESETresearch/status/1503436420886712321?s=20&t=xh8JK6fEmRIrnqO7Ih_PNg\"\n\t\tdate = \"2022-03-15\"\n\t\tscore = 85\n\t\thash1 = \"1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176\"\n\t\thash2 = \"a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea\"\n\t\thash3 = \"ea6a416b320f32261da8dafcf2faf088924f99a3a84f7b43b964637ea87aef72\"\n\t\thash4 = \"f1e8844dbfc812d39f369e7670545a29efef6764d673038b1c3edd11561d6902\"\n\n\tstrings:\n\t\t$op1 = { ff 55 94 8b 45 fc 50 ff 55 f8 8a 4d ba 88 4d ba 8a 55 ba 80 ea 01 }\n\t\t$op2 = { 89 45 f4 83 7d f4 00 74 04 eb 47 eb 45 6a 00 8d 95 1c ff ff ff 52 }\n\t\t$op3 = { 6a 20 6a 02 8d 4d b0 51 ff 95 68 ff ff ff 85 c0 75 0a e9 4e 02 00 00 }\n\t\t$op4 = { e9 67 01 00 00 83 7d f4 05 74 0a e9 5c 01 00 00 e9 57 01 00 00 8d 45 98 50 6a 20 }\n\n\tcondition:\n\t\tuint16(0)==0x5a4d and filesize <50KB and 3 of them or all of them\n}\n", "confidence": 67, "x_eiq_json_id": "{https://www.eclecticiq.com/ns}indicator-fb5665d7-4c60-4160-b784-3244f6118a82", "created_by_ref": "identity--093059e6-4c11-57e1-858f-ae8feabe6bbf", "object_marking_refs": ["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "pattern_type": "yara", "valid_from": "2022-03-15T00:00:00Z", "external_references": [{"description": "Florian Roth", "source_name": "", "url": "https://twitter.com/ESETresearch/status/1503436420886712321?s=20&t=xh8JK6fEmRIrnqO7Ih_PNg"}, {"source_name": "Florian Roth", "url": "https://twitter.com/ESETresearch/status/1503436420886712321?s=20&t=xh8JK6fEmRIrnqO7Ih_PNg"}], "modified": "2022-03-17T11:05:22.773261Z", "name": "YARA rule for MAL_WIPER_CaddyWiper_Mar22_1", "labels": ["yara", "MAL_WIPER_CaddyWiper_Mar22_1"], "created": "2022-03-17T11:05:22.773261Z", "id": "indicator--68789ffe-ff3a-5256-b210-64600fa288cd", "spec_version": "2.1"}, {"type": "relationship", "object_marking_refs": 
["marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"], "modified": "2022-03-17T11:05:22.773261Z", "created": "2022-03-17T11:05:22.773261Z", "id": "relationship--36a7aadb-81f7-51c4-9602-ab583da27f78", "x_eiq_test_mechanism_identity": true, "spec_version": "2.1", "source_ref": "indicator--68789ffe-ff3a-5256-b210-64600fa288cd", "relationship_type": "related-to", "target_ref": "identity--762bf90f-1efb-5189-b54f-1f74cce7b27b"}], "type": "bundle", "id": "bundle--4f16a4c2-06f0-491c-944b-51d242696f47"}