
Basta Ransomware Culprits Revealed by Mandiant Investigation



An extortion campaign that began early this year, run by a previously unknown hacking group, has been found to use the Basta ransomware to lock victims out of their files. The campaign was discovered by Google Mandiant, which tracks the group as UNC4393. Since the beginning of the year, UNC4393 has been notorious for infecting targets with the Basta ransomware, but over the past 12 months it has significantly changed how it gains access to its victims.

Previously, the threat group relied almost exclusively on existing Qakbot infections, usually delivered through phishing emails, to gain initial network access. In the wake of U.S. law enforcement's takedown of the Qakbot infrastructure last year, the group briefly switched to the DarkGate malware as an initial access loader to set up its backdoor, before finally turning to SilentNight as its backdoor in this year's attacks.

Mandiant noted, "There are hundreds of victims of the Basta ransomware that are listed on the data leak sites, and this appears to be credible, given UNC4393's rapid operational speed." Another fact to note is that the group takes about 42 hours to ransom a victim. UNC4393 has demonstrated its ability to conduct reconnaissance quickly, exfiltrate data, and promptly complete its objectives.

Besides SilentNight, the group has employed other initial access tactics. In recent campaigns in February, UNC4393 used stolen credentials as well as brute-force tactics in attacks that attempted to deploy ransomware, extort victims, and steal personal data. SilentNight itself features a plug-in framework that gives attacks flexible functionality, such as screenshot capture, keylogging, access to cryptocurrency wallets, and manipulation of web browsers, which attackers might use to target credentials.

The backdoor was first discovered in 2019, resurfaced briefly for a few months in 2021, and then disappeared again and was not detected until later in the decade. Ransomware groups rely on initial access brokers to gain access to networks worldwide. Two such affiliates, which Mandiant tracks as UNC2633 and UNC2500, compromise networks mainly through phishing emails delivering QakBot.

Based on their analysis of the affiliates' operations, the researchers have determined that the actor is most likely linked to the now-defunct Trickbot and Conti organizations. For initial access to networks, the group started to rely on another malware family, DarkGate, which was found to be more sophisticated than the malware the FBI and other international law enforcement agencies had previously dismantled.

The changes to UNC4393's initial entry points reveal the long-term effects of the August 2023 takedown of the Qakbot botnet, which disrupted UNC4393's access vectors. The Qakbot takedown has had wide-ranging effects across the threat landscape, affecting not only Basta (also known as Black Basta) but also groups not directly related to it, such as REvil and Conti.

Chainalysis conducted a research study earlier this year exploring the impact of several law enforcement disruptions on threat groups. Chainalysis found that the Qakbot takedown caused "substantial operational friction" for ransomware groups, but that they eventually adapted by switching to new malware families.

The report identified a significant decline in Black Basta ransomware payments coinciding with the Qakbot takedown. Nevertheless, activity resumed after several months, suggesting that the threat groups behind Black Basta adapted to using new malware. Mandiant researchers observed a steady decline in the number of Basta victims between March and July this year, positing that this decrease may reflect challenges in securing a consistent stream of initial access. 

Genevieve Stark, Mandiant's Manager of Cybercrime Analysis for Google Cloud, remarked that the overall professionalization and commoditization of cybercrime within underground communities have fostered resilience, enabling threat actors to seamlessly transition from one service or partner to another. Stark further explained, "Since the August 2023 law enforcement takedown, threat actors previously distributing Qakbot have largely shifted to alternative malware families or ceased operations. 

For instance, while limited UNC2500 Qakbot activity was observed in early 2024, this threat actor has predominantly deployed Pikabot. It is also possible that UNC2500 is diversifying its operations, as evidenced by May campaigns leading to credential phishing sites and February activities designed to harvest NTLMv2 hashes. Although UNC2500 remains active, its overall activity volume has decreased. Additionally, UNC2633, a Qakbot distribution cluster closely affiliated with UNC2500, has seemingly been inactive since the takedown." 

After achieving initial access, UNC4393 employs several open-source network mapping tools, including BloodHound, AdFind, and PSnmap, to analyze the victim's network. The attackers use stolen credentials and brute-forcing methods to authenticate to externally facing network appliances or servers. Initially, the group deployed Basta manually, but it later adopted Knotrock, a custom .NET-based utility, to deliver Basta.

Knotrock provides capabilities such as rapid encryption during large-scale attacks. In one instance, researchers observed the group using SilentNight, a malware variant inactive since 2023, to gain persistence and bypass security detection. The recent surge in SilentNight activity, starting earlier this year, has primarily been delivered via malvertising, marking a notable shift away from phishing as UNC4393's sole method of initial access. 

Beyond shifts in initial access, UNC4393's changes to its tactics, techniques, and procedures (TTPs) this year demonstrate the group's adaptability to the cybercrime landscape. The group has increasingly turned towards custom malware development rather than relying on publicly available tools. Mandiant researchers reported responding to over 40 separate UNC4393 intrusions across 20 industry verticals since 2022. However, this number is relatively small compared to the overall victim count of 500 that the ransomware group claims on its leak site. 

The researchers noted, "While UNC4393's TTPs and monetization methods remain relatively consistent with previous operations, the group appears to be diversifying its initial access sources. Its evolution from opportunistic Qakbot infections to strategic partnerships with initial access brokers underscores a willingness to diversify and optimize its operations."

Protecting Your Business from Snowflake Platform Exploitation by UNC5537


A recent report from Mandiant, a subsidiary of Google Cloud, has uncovered a significant cyber threat involving the exploitation of the Snowflake platform. A financially motivated threat actor, identified as UNC5537, targeted around 165 organizations' Snowflake customer instances, aiming to steal and exfiltrate data for extortion and sale. Snowflake, a widely-used cloud data platform, enables the storage and analysis of vast amounts of data. The threat actor gained access to this data by using compromised credentials, which were obtained either through infostealer malware or purchased from other cybercriminals. 

UNC5537 is known for advertising stolen data on cybercrime forums and attempting to extort victims. The sold data can be used for various malicious purposes, including cyber espionage, competitive intelligence, and financial fraud. The joint statement from Snowflake, Mandiant, and cybersecurity firm CrowdStrike clarifies that there is no evidence of a vulnerability, misconfiguration, or breach within Snowflake’s platform itself. 

Additionally, there is no indication that current or former Snowflake employees' credentials were compromised. Instead, the attackers acquired credentials from infostealer malware campaigns that infected systems not owned by Snowflake. This allowed them to access and exfiltrate data from the affected Snowflake customer accounts. Mandiant's research revealed that UNC5537 primarily used credentials stolen by various infostealer malware families, such as Vidar, RisePro, Redline, Raccoon Stealer, Lumma, and Metastealer. Many of these credentials dated back to November 2020 but remained usable. The majority of credentials exploited by UNC5537 were exposed through previous infostealer malware incidents.

The initial compromise often occurred on contractor systems used for personal activities like gaming and downloading pirated software, which are common vectors for spreading infostealers. Once obtained, the threat actor used these credentials to access Snowflake accounts and extract valuable customer data. UNC5537 also purchased credentials from cybercriminal marketplaces, often through Initial Access Brokers who specialize in selling stolen corporate access. The underground market for infostealer-obtained credentials is robust, with large lists of stolen credentials available for free or for purchase on the dark web and other platforms. 

According to Mandiant, 10% of overall intrusions in 2023 began with stolen credentials, making it the fourth most common initial intrusion vector. To protect your business from similar threats, it is crucial to implement robust cybersecurity measures. This includes regular monitoring and updating of all systems to protect against infostealer malware, enforcing strong password policies, and ensuring that all software is kept up to date with the latest security patches. Employee training on cybersecurity best practices, especially regarding the dangers of downloading pirated software and engaging in risky online behavior, is also essential. 

Moreover, consider using multi-factor authentication (MFA) to add an extra layer of security to your accounts. Regularly audit your systems for any unusual activity or unauthorized access attempts. Engage with reputable cybersecurity firms to conduct thorough security assessments and implement advanced threat detection solutions. By staying vigilant and proactive, businesses can better protect themselves from the threats posed by cybercriminals like UNC5537 and ensure the security and integrity of their data.

Supply Chain Attack Conducted by Darkside Operator


Mandiant researchers have identified a supply chain attack against a CCTV provider by a Darkside ransomware affiliate tracked as UNC2465. UNC2465, along with the linked groups FireEye/Mandiant tracks as UNC2628 and UNC2659, is regarded as one of the key affiliates of the DARKSIDE group.

The intrusion began on 18 May 2021, a day after the public suspension of the DARKSIDE affiliate program (Mandiant Advantage background). Mandiant believes that, although no ransomware was discovered in this intrusion, affiliates that have conducted DARKSIDE attacks may work with several ransomware affiliate programs and switch between them at any time.

At the start of June, Mandiant found that the installers were malicious and informed the CCTV firm of a possible compromise of its website, which had allowed UNC2465 to replace legitimate files with Trojanised ones.

Although Mandiant does not believe many individuals were affected, it reported the technique to raise awareness.

Software supply chain attacks vary widely in complexity, from the recent attacks discovered by FireEye to attacks targeting smaller suppliers. A single compromise of the software supply chain gives access to every business running the victim company's software; in this case, UNC2465 modified the installer rather than the software itself.

Mandiant noted that in mid-May 2021 numerous threat actors quoted a notice that the service's operators appeared to have shared with DARKSIDE RaaS members. The notice stated that the operators had lost access to their infrastructure, including blog, payment, and CDN servers, and would be closing the service.

Since then, other underground members have claimed to be unpaid DARKSIDE affiliates, and in certain cases have privately provided forum admins with proof supporting their claims.

Mandiant Consulting responded to an intrusion in June 2021. The initial vector Mandiant found was a trojanized security camera PVR installer downloaded from a legitimate website. Based on overlaps in infrastructure and tooling in use since October 2020, Mandiant has attributed the overall intrusion to DARKSIDE affiliate UNC2465.

On 18 May 2021, a user at the affected organization accessed the Trojanized link and installed the ZIP. When the software was installed, a chain of downloads and scripts ran, which led to SMOKEDHAM and afterwards NGROK being installed on the victim's computer.

Further malware, such as BEACON, is also reported to have been used. Mandiant believes the trojanized installer was active between 18 May 2021 and 08 June 2021.

Mandiant indicates that the number of victims publicly named on ransomware shaming websites has grown steadily over the last month. Despite the recent ban on ransomware-related posts in underground forums, threat actors may still use private chats and links to find ransomware services.