
Conti gang says it’s ready to hit critical infrastructure in support of Russian government


The infamous cybercriminal group behind the Conti ransomware has publicly announced its full support for the Russian government while the country’s army is invading Ukraine and threatened to strike the critical infrastructure of anyone launching cyberattacks or war actions against Russia.

The move comes after Twitter accounts claiming association with the Anonymous hacktivist collective declared “cyberwar” against the Russian government and took credit for distributed denial-of-service (DDoS) attacks against the websites of Russia Today, the Kremlin and the Russian Ministry of Defense.

The involvement of hacktivists and cybercrime groups in the conflict, supporting one side or another, could spiral into a wave of escalating attacks and provide cover for destructive cyber actions directed by government agencies.


Russia Sanctions May Spark Escalating Cyber Conflict


President Biden joined European leaders this week in enacting economic sanctions against Russia in response to its invasion of Ukraine. The West has promised tougher sanctions are coming, but experts warn these will almost certainly trigger a Russian retaliation against America and its allies, which could escalate into cyber attacks on Western financial institutions and energy infrastructure.

Michael Daniel is a former cybersecurity advisor to the White House during the Obama administration who now heads the Cyber Threat Alliance, an industry group focused on sharing threat intelligence among members. Daniel said there are two primary types of cyber threats the group is concerned about potentially coming in response to sanctions on Russia.

The first involves what Daniel called “spillover and collateral damage” — a global malware contagion akin to a NotPetya event — basically some type of cyber weapon that has self-propagating capabilities and may even leverage a previously unknown security flaw in a widely used piece of hardware or software.

Russia has been suspected of releasing NotPetya, a large-scale cyberattack in 2017 initially aimed at Ukrainian businesses that mushroomed into an extremely disruptive and expensive global malware outbreak.

“The second level [is that] in retaliation for sanctions or perceived interference, Russia steps up more direct attacks on Western organizations,” Daniel said. “The Russians have shown themselves to be incredibly ingenious and creative in terms of how they come up with targets that seem to catch us by surprise. If the situation escalates in cyberspace, there could be some unanticipated organizations that end up in the crosshairs.”

What kinds of attacks are experts most concerned about? In part because the Russian economy is so dependent on energy exports, Russia has invested heavily in probing for weaknesses in the cyber systems that support bulk power production and distribution.

Ukraine has long been used as the testing grounds for Russian offensive hacking capabilities targeting power infrastructure. State-backed Russian hackers have been blamed for the Dec. 23, 2015 cyberattack on Ukraine’s power grid that left 230,000 customers shivering in the dark.

Experts warn that Russia could just as easily use its arsenal of sneaky cyber exploits against energy systems that support U.S. and European nations. In 2014, then National Security Agency Director Mike Rogers told lawmakers that hackers had been breaking into U.S. power utilities to probe for weaknesses, and that Russia had been caught planting malware in the same kind of industrial computers used by power utilities.

“All of that leads me to believe it is only a matter of when, not if, we are going to see something dramatic,” Rogers said at the time.

That haunting prophecy is ringing anew as European leaders work on hammering out additional sanctions, which the European Commission president says will restrict the Russian economy’s ability to function by starving it of important technology and access to finance.

A draft of the new penalties obtained by The New York Times would see the European Union ban the export of aircraft and spare parts that are necessary for the maintenance of Russian fleets.

“The bloc will also ban the export of specialized oil-refining technology as well as semiconductors, and it will penalize more banks — although it will stop short of targeting VTB, Russia’s second-largest bank, which is already crippled by American and British sanctions,” The Times wrote.

Dmitri Alperovitch is co-founder and former chief technology officer at the security firm CrowdStrike. Writing for The Economist, Alperovitch said America must tailor its response carefully to avoid initiating a pattern of escalation that could result in a potentially devastating hot war with Russia.

“The proposed combination of sanctions on top Russian banks and implementation of export controls on semiconductors would be likely to severely debilitate the Russian economy,” Alperovitch wrote. “And although many in the West may initially cheer this outcome as righteous punishment for Russia’s blatant violation of Ukrainian sovereignty, these measures will probably trigger significant Russian retaliation against America. That prospect all but guarantees that the conflict will not come to an end with an invasion of Ukraine.”

Faced with a potentially existential threat to its economic well-being — and seeing itself as having nothing more to lose — Russia will have several tools at its disposal with which to respond, he said: One of those will be carrying out cyber-attacks against American and European financial institutions and energy infrastructure.

“Having already exhausted the power of economic sanctions, America and its European allies would have few choices other than to respond to these attacks with offensive cyber-strikes of their own,” Alperovitch wrote. “This pattern of tit-for-tat cyber retaliation could place Russia and the West on a worrying path. It could end with the conflict spilling out of cyberspace and into the realm of a hot conflict. This outcome—a hot conflict between two nuclear powers with extensive cyber capabilities—is one that everyone in the world should be anxious to avoid.”

In May 2021, Russian cybercriminals unleashed a ransomware attack against Colonial Pipeline, a major fuel distributor in the United States. The resulting outage caused fuel shortages and price spikes across the nation. Alperovitch says a retaliation from Russia in response to sanctions could make the Colonial Pipeline attack seem paltry by comparison.

“The colonial pipeline is going to be like child’s play if the Russians truly unleash all their capability,” Alperovitch told CNBC this week.

For example, having your organization’s computers and servers locked by ransomware may seem like a day at the park compared to getting hit with “wiper” malware that simply overwrites or corrupts data on infected systems.

Kim Zetter, a veteran Wired reporter who now runs her own cybersecurity-focused Substack newsletter, has painstakingly documented two separate wiper attacks launched in the lead-up to the Russian invasion that targeted Ukrainian government and contractor networks, as well as systems in Latvia and Lithuania.

One contractor interviewed by Zetter said the wiper attacks appeared to be extremely targeted, going after organizations that support the Ukrainian government — regardless of where those organizations are physically located.

“The wiper, dubbed HermeticaWiper, appears to have been in the works for months but was only released on computers today,” Zetter wrote. “It follows on a previous wiper attack that struck Ukrainian systems in January called WhisperGate. Like that previous infection, HermeticaWiper is designed to overwrite files on systems to render them inoperable.”

A joint advisory last week by the FBI, National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) warned that Russian cyber actors have been targeting cleared defense contractors, and that since January 2020 and continuing through this month, the cyber actors had maintained a persistent presence on those contractor networks. The advisory said the attackers exfiltrated email and data, and were able to “acquire sensitive, unclassified information, as well as proprietary and export-controlled technology.”

A report Thursday by NBC News suggested President Biden had been presented with options for massive cyberattacks against Russia, including the disruption of Internet access across Russia, shutting off the power, and stopping trains in their tracks.

But White House National Security Council spokesperson Emily Horne told Reuters the NBC News report was “wildly off base and does not reflect what is actually being discussed in any shape or form.”

That’s good news, according to Jim Lewis, director of the public policy program at the Center for Strategic and International Studies. Lewis said the United States and its allies have far more to lose if the West gets embroiled in an escalation of cyber attacks with Russia over sanctions.

“The asymmetry in pressure points makes the idea of us doing something probably not a good idea,” Lewis told KrebsOnSecurity. “If Putin hasn’t gone completely nuts, he’ll be cautious of doing anything that might be construed under international law as the use of force through cyber means.”

Lewis said a more likely response from Russia would include enlisting cybercriminals throughout Russia and the Commonwealth of Independent States to step up ransomware and other disruptive attacks against high-impact targets in specific industries.

“The pressure points for Putin are his political support — the oligarchs and security services,” Lewis said. “If we want to squeeze him, that’s where we have to squeeze, things like seizing all their real estate in Miami Beach, or putting them on no-fly lists. If you want to hurt Putin, a cyberattack probably wouldn’t do it. Unless it was against his bank account.”

In a call to action issued earlier this week dubbed “Shields Up,” CISA warned that Russia could escalate its destabilizing actions in ways that may impact others outside of Ukraine. CISA also published a new catalog of free public and private sector cybersecurity services.


BlackCat ransomware


This blog was jointly written with Santiago Cortes. 

Executive summary

This AT&T Alien Labs™ report covers BlackCat, a recently created ransomware family that was used in a January 2022 campaign against two international oil companies headquartered in Germany, Oiltanking and Mabanaft. The attack had little impact on end customers, but it serves to remind the cybersecurity community that threat actors will continue to attack critical infrastructure globally.

Key takeaways:

The BlackCat ransomware is written in Rust and was created in November 2021.
Following trends Alien Labs observed last year, the ransomware targets multiple platforms (Windows and Linux) and contains additional code for VMware ESXi hypervisors.
BlackCat runs a “wall of shame” leak site on which it names victims who do not pay, proves its breaches and publicizes its latest campaigns.
Campaigns remain active, with 16 known incidents in February 2022 as of the publication of this report.

Background

The 2021 ransomware attack on US-based Colonial Pipeline, which disrupted the fuel supply on the East Coast of America for several days, raised awareness that adversaries are well prepared to launch cyberattacks that could severely impact a country's infrastructure. Now, with the confrontation in Ukraine taking on new urgency, there is a heightened expectation of threat actor campaigns against the critical infrastructure of Western countries. Such campaigns could take the form of ransomware or data wiper attacks, both of which have been highly successful in recent years, especially when combined with supply chain attacks.

Analysis

The German newspaper Handelsblatt reported that the oil companies Oiltanking and Mabanaft, among the key fuel suppliers in the region, were hit by a ransomware attack on January 29, 2022. Shell reportedly had to re-route supplies to avoid severe impact on the German fuel supply. Even so, 233 gas stations across Germany were reported affected, having to run some processes manually and accept only cash payments.

The malware behind these attacks is the BlackCat ransomware, aka ALPHV, as reported by the same newspaper. The group operates a ransomware-as-a-service (RaaS) business model in which the ransomware authors take 10-20% of each ransom payment and the affiliates who deploy the payload keep the rest. After a successful attack, victims who refuse to pay have their details posted on the group's dark web leak site, which publicizes the attack, builds the group's notoriety and shames the affected organization. According to that leak site, at least 10 companies may have been impacted by BlackCat campaigns in the first two weeks of February.

Because the family operates as a RaaS, the initial access vector depends on the affiliate deploying the payload and varies from one attacker to another. However, all of them appear to exfiltrate the victim's data before starting encryption, giving them additional leverage for extortion.

The BlackCat gang first appeared in mid-November 2021. Its payload is written in Rust, which offers performance comparable to C/C++ while the compiler's ownership model rules out whole classes of memory-safety and data-race bugs. Rust is also a cross-platform language, so one code base can target several operating systems. For these reasons it has been voted the “most loved programming language” in the Stack Overflow developer survey every year since 2016.

Beyond the development advantages Rust offers, the attackers also benefit from a lower detection rate by static analysis tools, which are often tuned to the languages malware has traditionally been written in. For the same reason, Go became more popular among malware authors last year, as covered in other Alien Labs blogs, including:

Blog TeamTNT Delivers Cryptomining Malware Using New Memory Loader
Blog BotenaGo

Rust has appeared in malware samples for years, but BlackCat is the first commercially distributed (RaaS) malware family written in it, and the most successful so far.

When executed, the malware accepts several command-line options that customize its behavior. These options have evolved since the first version: figure 1 shows one of the first available samples (reported by MalwareHunterTeam in December 2021) and figure 2 the latest samples.

Figure 1. @malwrhunterteam screenshot of execution.

Most arguments are optional, but access-token is required, which defeats the dynamic analysis performed by automated sandboxes: without the token the payload does not run. Any token value satisfies the check, however, and enables execution. The token, together with the host's universally unique identifier (UUID), is later used to identify the victim on a Tor website hosted by the attackers, which displays the price of the file decryptor.

Among these options, Alien Labs has observed several that are specific to VMware ESXi. This follows a trend seen in 2021 among other popular RaaS groups, such as DarkSide and REvil, which added Linux builds to bring VMware ESXi into scope. ESXi lets multiple virtual machines (VMs) share the same datastore, so encrypting that centralized storage hits the virtual disks of every VM at once, with correspondingly large disruption for the victim.

The BlackCat ESXi code is very similar to its predecessors'. It first stops any running VMs, so that no VM still holds open the files about to be encrypted (which would corrupt the encrypted output). It then removes all ESXi snapshots to hinder recovery.

On Windows, BlackCat performs additional preparation steps. Several of these are noisy and can be detected with the Alien Labs correlation rules listed in Appendix A:

Deletes Volume Shadow Copies to hinder recovery: 'vssadmin.exe Delete Shadows /all /quiet'.
Disables Windows recovery mode via bcdedit: 'bcdedit.exe /set {default} recoveryenabled No'.
Raises the maximum number of concurrent network requests the Server service (LanmanServer) will accept to 65535, so that opening many files over SMB at once during encryption does not fail: 'reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f'.
If enabled, propagates to other systems with PsExec. The command is run from the %TEMP% folder, using the credentials in the config file and the parent's own execution flags: 'psexec.exe -accepteula \\{Target} -u {user} -p {password} -s -d -f -c {payload}.exe {inherited execution flags}'.
Clears all event logs with wevtutil: 'cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"'.
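The pre-encryption steps above (shadow copy deletion, bcdedit, the MaxMpxCt registry change, PsExec propagation, wevtutil log clearing) and the ESXi force-kill are all visible in process-creation telemetry. As an added example, not code from the Alien Labs report or from the USM product, the following Python applies equivalent matching logic to a handful of constructed command lines and then correlates the hits the way a ransomware-staging rule would. The sample events are invented for this example; the rule names are taken from Appendix A, except the ESXi entry, which is this example's own label.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (image, command line); not real telemetry.
# The first six reproduce the pre-encryption commands described above; the last two are
# benign administrative commands that must not fire.
SAMPLE_EVENTS = [
    ("vssadmin.exe", "vssadmin.exe Delete Shadows /all /quiet"),
    ("bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled No"),
    ("reg.exe", r"reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
                r"\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"),
    ("psexec.exe", r"C:\Users\alice\AppData\Local\Temp\psexec.exe -accepteula \\FILESRV01 "
                   r"-u corp\svc_backup -p Winter2022 -s -d -f -c payload.exe --access-token 1234"),
    ("cmd.exe", "cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\""),
    ("sh", "esxcli vm process kill --type=force --world-id=2101234"),
    ("vssadmin.exe", "vssadmin.exe list shadows"),
    ("reg.exe", r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"),
]

# One regex per behaviour. Names follow the Appendix A correlation rules; the ESXi entry is
# this example's own label (the USM rule for ESXi keys on vim-cmd snapshot removal instead).
RULES = {
    "Windows Shadow Copies Deletion":
        re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\s+/all\b", re.I),
    "Suspicious Bcdedit Usage":
        re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "Windows SMB Server Maximum Concurrent Requests Set To Maximum Value":
        re.compile(r"LanmanServer\\Parameters\s+/v\s+MaxMpxCt\s+/d\s+65535\b", re.I),
    "Windows PSExec Usage":
        re.compile(r"\bpsexec(\.exe)?\s+.*-accepteula\s+\\\\", re.I),
    "Windows Event Log Removed with wevtutil":
        re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "ESXi VM Force Kill (esxcli)":
        re.compile(r"\besxcli\s+vm\s+process\s+kill\s+--type=force\b", re.I),
}


def detect(events):
    """Return {rule_name: [matching command lines]} for (image, cmdline) events."""
    hits = defaultdict(list)
    for _image, cmdline in events:
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                hits[name].append(cmdline)
    return dict(hits)


def is_ransomware_staging(hits, min_rules=3):
    """Correlate: several distinct pre-encryption behaviours on one host are a far
    stronger signal than any single command, which admins also run legitimately."""
    return len(hits) >= min_rules


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for name, lines in found.items():
        print(f"[{name}]")
        for line in lines:
            print("   ", line)
    print("ransomware staging detected:", is_ransomware_staging(found))
```

In production the same patterns would run over Sysmon event 1 or Security event 4688 command lines, scoped per host and per short time window; the `min_rules` threshold is where you trade false positives from routine `vssadmin` or `bcdedit` use against missing a partially observed intrusion.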

In addition to the options shown in figure 1, the latest samples have added three additional functions that increase the ransomware capabilities. These changes maintain the line of work already seen, without including any major changes to the way the malware operates.

Figure 2. Latest sample executed.

The default configuration file appended to the latest observed executable includes, among other things:

The public key
The extension appended to encrypted files, seven alphanumeric characters (0hzoagy in one of the latest samples)
A ransom note (see figure 3) that names the victim multiple times and lists the types of files BlackCat has exfiltrated
A list of credentials previously obtained from the victim, to be used during execution
A list of services to stop before encryption begins, typically services that modify files (and would corrupt the encrypted output) or backup services that would work against the attacker. The list includes: mepocs, memtas, veeam, svc$, backup, sql, vss, msexchange, sql$, mysql, mysql$, sophos, MSExchange, MSExchange$, WSBExchange, PDVFSService, BackupExecVSSProvider, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDiveciMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService, GxBlr, GxVss, GxClMgrS, GxCVD, GxCIMgr, GXMMM, GxVssHWProv, GxFWD, SAPService, SAP, SAP$, SAPD$, SAPHostControl, SAPHostExec, QBCFMonitorService, QBDBMgrN, QBIDPService, AcronisAgent, VeeamNFSSvc, VeeamDeploymentService, VeeamTransportSvc, MVArmor, MVarmor64, VSNAPVSS, AcrSch2Svc.

Figure 3. Example of ransom note.

A list of processes to kill before encryption begins, with the same aim as the services list: agntsvc, dbeng50, dbsnmp, encsvc, excel, firefox, infopath, isqlplussvc, msaccess, mspub, mydesktopqos, mydesktopservice, notepad, ocautoupds, ocomm, ocssd, onenote, oracle, outlook, powerpnt, sqbcoreservice, sql, steam, synctime, tbirdconfig, thebat, thunderbird, visio, winword, wordpad, xfssvccon, *sql*, bedbh, vxmon, benetns, bengien, pvlsvr, beserver, raw_agent_svc, vsnapvss, CagService, QBIDPService, QBDBMgrN, QBCFMonitorService, SAP, TeamViewer_Service, TeamViewer, tv_w32, tv_x64, CVMountd, cvd, cvfwd, CVODS, saphostexec, saposcol, sapstartsrv, avagent, avscc, DellSystemDetect, EnterpriseClient, VeeamNFSSvc, VeeamTransportSvc, VeeamDeploymentSvc.
Lists of excluded directories, filenames and file extensions, so that the machine still boots and the ransom note can be read after encryption.

Directories: system volume information, intel, $windows.~ws, application data, $recycle.bin, mozilla, $windows.~bt, public, msocache, windows, default, all users, tor browser, programdata, boot, config.msi, google, perflogs, appdata, windows.old.
Filenames: desktop.ini, autorun.inf, ntldr, bootsect.bak, thumbs.db, boot.ini, ntuser.dat, iconcache.db, bootfont.bin, ntuser.ini, ntuser.dat.log.
File extensions: themepack, nls, diagpkg, msi, lnk, exe, cab, scr, bat, drv, rtp, msp, prf, msc, ico, key, ocx, diagcab, diagcfg, pdb, wpx, hlp, icns, rom, dll, msstyles, mod, ps1, ics, hta, bin, cmd, ani, 386, lock, cur, idx, sys, com, deskthemepack, shs, ldf, theme, mpa, nomedia, spl, cpl, adv, icl, msu.
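The three exclusion lists determine the blast radius of an infection, which is useful to know during incident scoping (which shares and file types on a hit host are likely to be intact). The following Python, added here as an example and not code from the Alien Labs report or from the malware, encodes the lists above and applies them to constructed sample paths. The matching semantics are this example's assumptions, not something verified against the binary: a file is skipped if any directory component of its path matches an excluded directory name, if its full filename matches an excluded filename, or if its last extension matches an excluded extension, all compared case-insensitively.

```python
from pathlib import PureWindowsPath

# Exclusion lists as given in the report, lower-cased for comparison.
EXCLUDED_DIRS = {
    "system volume information", "intel", "$windows.~ws", "application data",
    "$recycle.bin", "mozilla", "$windows.~bt", "public", "msocache", "windows",
    "default", "all users", "tor browser", "programdata", "boot", "config.msi",
    "google", "perflogs", "appdata", "windows.old",
}
EXCLUDED_FILES = {
    "desktop.ini", "autorun.inf", "ntldr", "bootsect.bak", "thumbs.db", "boot.ini",
    "ntuser.dat", "iconcache.db", "bootfont.bin", "ntuser.ini", "ntuser.dat.log",
}
EXCLUDED_EXTS = {
    "themepack", "nls", "diagpkg", "msi", "lnk", "exe", "cab", "scr", "bat", "drv",
    "rtp", "msp", "prf", "msc", "ico", "key", "ocx", "diagcab", "diagcfg", "pdb",
    "wpx", "hlp", "icns", "rom", "dll", "msstyles", "mod", "ps1", "ics", "hta",
    "bin", "cmd", "ani", "386", "lock", "cur", "idx", "sys", "com", "deskthemepack",
    "shs", "ldf", "theme", "mpa", "nomedia", "spl", "cpl", "adv", "icl", "msu",
}

# Constructed sample paths for the example (local drives and one UNC share).
SAMPLE_PATHS = [
    r"C:\Users\bob\Documents\q4.xlsx",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Users\bob\AppData\Roaming\Mozilla\profiles.ini",
    r"D:\Shares\finance\backup.exe",
    r"C:\Users\bob\NTUSER.DAT",
    r"D:\Shares\finance\ledger.db",
    r"\\FILESRV01\Share\contracts\msa.pdf",
    r"D:\Shares\it\deploy.ps1",
]


def would_encrypt(path):
    """True if the file at this path falls outside every exclusion list.

    Assumed semantics (this example's): any excluded directory name anywhere in the
    path skips the file; filenames and the last extension match case-insensitively.
    """
    p = PureWindowsPath(path)
    components = [c.lower() for c in p.parts[:-1]]
    if any(c in EXCLUDED_DIRS for c in components):
        return False
    if p.name.lower() in EXCLUDED_FILES:
        return False
    if p.suffix.lower().lstrip(".") in EXCLUDED_EXTS:
        return False
    return True


def triage(paths):
    """Split paths into (likely encrypted, likely left intact)."""
    encrypted, skipped = [], []
    for path in paths:
        (encrypted if would_encrypt(path) else skipped).append(path)
    return encrypted, skipped


if __name__ == "__main__":
    hit, intact = triage(SAMPLE_PATHS)
    print("would be encrypted:")
    for path in hit:
        print("   ", path)
    print("left intact:")
    for path in intact:
        print("   ", path)
```

Note what survives: system binaries, drivers, scripts and anything under Windows or AppData, so the host keeps booting and the attacker's PsExec-propagated payload keeps running, while user documents and database files on shares are hit. Executables are spared, which also means an incident responder cannot rely on "was it encrypted" as a sign of whether a file was touched by the intruder.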

The ransom note then points to a Tor onion site with an ‘access-key=’ parameter that identifies the victim and shows the price to recover their files with the Decrypt App. Prices are quoted in Bitcoin and Monero, with Monero offered at a discount relative to the Bitcoin price.

Recommended actions

Keep software current with the latest security updates.
Monitor for suspicious emails and regularly remind employees not to open them and to report them.
Back up server files, and keep the backups offline or otherwise out of reach of domain credentials; BlackCat explicitly stops backup services and deletes shadow copies and ESXi snapshots before encrypting.
Install antivirus and/or endpoint detection and response on all endpoints.
Make sure two-factor authentication is enabled on all services.

Conclusion

The recent ransomware attacks on German oil suppliers succeeded, but they did not significantly impact the country's infrastructure. Given the geopolitical events in Eastern Europe, however, they should serve as a strong reminder that organizations must remain on high alert. They should study recent campaigns such as those run with BlackCat to educate their teams and keep detections current for the latest threat actor tactics, techniques, and procedures (TTPs). As with most campaigns, BlackCat can achieve Initial Access in many different ways depending on the affiliate running the attack, but the payload itself is very similar across infections. Blue teams can use the technical details in this report to improve their readiness against the latest RaaS attacks.

Alien Labs will continue to monitor variations of BlackCat malware and will update any activities on the Alien Labs Open Threat Exchange™, which is a free, global open threat intelligence community with more than 200,000 users publishing updated threat intelligence daily. We deliver this information in the form of “pulses” that can be shared publicly and privately. In addition, members of OTX can download millions of indicators of compromise (IOCs), including those associated with BlackCat through integration with the platform.

Alien Labs is tracking IOCs associated with the geopolitical conflict in Eastern Europe through tagged pulses that cover incidents and related threat intelligence. For the most up-to-date information, join OTX and visit this URL to see the full list of pulses associated with campaigns that may be related to the Ukrainian/Russian conflict and with threat actors targeting other countries.

Appendix A. Detection methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.

USM Anywhere Correlation Rules

Removed all snapshots using vimcmd

Windows Shadow Copies Deletion

Windows PSExec Usage

Windows PSExec Service Usage

Windows SMB Server Maximum Concurrent Requests Set To Maximum Value

Windows Event Log Removed with wevtutil

Suspicious Bcdedit Usage

YARA RULES

The $a0 and $a1 strings below look mangled but are intentional: Rust stores string literals without NUL terminators, so adjacent literals run together in the binary, and the rule matches them as they appear there rather than as the commands are typed.

rule BlackCat : WindowsMalware {
    meta:
        author = "AlienLabs"
        description = "Detects BlackCat payloads."
        SHA256 = "6660d0e87a142ab1bde4521d9c6f5e148490b05a57c71122e28280b35452e896"
    strings:
        $rust = "/rust/" ascii wide
        $a0 = "vssadmin.exe Delete Shadows /all /quietshadow" ascii
        $a1 = "bcdedit /set {default}bcdedit /set {default} recoveryenabled No" ascii wide
        $a2 = "Services\\LanmanServer\\Parameters /v MaxMpxCt /d 65535" ascii wide
        $a3 = ".onion/?access-key=${ACCESS_KEY}" ascii wide
        $b0 = "config_id" ascii
        $b1 = "public_key" ascii
        $b2 = "extension" ascii
        $b3 = "note_file_name" ascii
        $b4 = "enable_esxi_vm_kill" ascii
        $b5 = "enable_esxi_vm_snapshot_kill" ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and $rust and 2 of ($a*) and 3 of ($b*)
}

rule LinuxBlackCat : LinuxMalware {
    meta:
        author = "AlienLabs"
        description = "Detects BlackCat payloads."
        SHA256 = "5121f08cf8614a65d7a86c2f462c0694c132e2877a7f54ab7fcefd7ee5235a42"
    strings:
        $rust = "/rust/" ascii wide
        $a0 = "esxcli vm process kill --type=force --world-id=" ascii wide
        $a1 = ".onion/?access-key=${ACCESS_KEY}" ascii wide
        $b0 = "config_id" ascii
        $b1 = "public_key" ascii
        $b2 = "extension" ascii
        $b3 = "note_file_name" ascii
        $b4 = "enable_esxi_vm_kill" ascii
        $b5 = "enable_esxi_vm_snapshot_kill" ascii
    condition:
        uint32(0) == 0x464c457f and filesize < 5MB and $rust and all of ($a*) and 3 of ($b*)
}

Appendix B. Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.

TYPE | INDICATOR | DESCRIPTION
SHA256 | f2b3f1ed693021b20f456a058b86b08abfc4876c7a3ae18aea6e95567fd55b2e | Windows BlackCat Payload
SHA256 | cefea76dfdbb48cfe1a3db2c8df34e898e29bec9b2c13e79ef40655c637833ae | Windows BlackCat Payload
SHA256 | 7e363b5f1ba373782261713fa99e8bbc35ddda97e48799c4eb28f17989da8d8e | Windows BlackCat Payload
SHA256 | f837f1cd60e9941aa60f7be50a8f2aaaac380f560db8ee001408f35c1b7a97cb | Windows BlackCat Payload
SHA256 | 731adcf2d7fb61a8335e23dbee2436249e5d5753977ec465754c6b699e9bf161 | Windows BlackCat Payload
SHA256 | 7b2449bb8be1b37a9d580c2592a67a759a3116fe640041d0f36dc93ca3db4487 | Windows BlackCat Payload
SHA256 | 38834b796ed025563774167716a477e9217d45e47def20facb027325f2a790d1 | Windows BlackCat Payload
SHA256 | 40f57275721bd74cc59c0c59c9f98c8e0d1742b7ae86a46e83e985cc4039c3a5 | Windows BlackCat Payload
SHA256 | b588823eb5c65f36d067d496881d9c704d3ba57100c273656a56a43215f35442 | Windows BlackCat Payload
SHA256 | f815f5d6c85bcbc1ec071dd39532a20f5ce910989552d980d1d4346f57b75f89 | Windows BlackCat Payload
SHA256 | 0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479 | Windows BlackCat Payload
SHA256 | c5ad3534e1c939661b71f56144d19ff36e9ea365fdb47e4f8e2d267c39376486 | Windows BlackCat Payload
SHA256 | 7154fdb1ef9044da59fcfdbdd1ed9abc1a594cacb41a0aeddb5cd9fdaeea5ea8 | Windows BlackCat Payload
SHA256 | 658e07739ad0137bceb910a351ce3fe4913f6fcc3f63e6ff2eb726e45f29e582 | Windows BlackCat Payload
SHA256 | 5bdc0fb5cfbd42de726aacc40eddca034b5fa4afcc88ddfb40a3d9ae18672898 | Windows BlackCat Payload
SHA256 | c8b3b67ea4d7625f8b37ba59eed5c9406b3ef04b7a19b97e5dd5dab1bd59f283 | Windows BlackCat Payload
SHA256 | bd337d4e83ab1c2cacb43e4569f977d188f1bb7c7a077026304bf186d49d4117 | Windows BlackCat Payload
SHA256 | 28d7e6fe31dc00f82cb032ba29aad6429837ba5efb83c2ce4d31d565896e1169 | Windows BlackCat Payload
SHA256 | 15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed | Windows BlackCat Payload
SHA256 | 4e18f9293a6a72d5d42dad179b532407f45663098f959ea552ae43dbb9725cbf | Windows BlackCat Payload
SHA256 | 13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31 | Windows BlackCat Payload
SHA256 | c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40 | Windows BlackCat Payload
SHA256 | 1af1ca666e48afc933e2eda0ae1d6e88ebd23d27c54fd1d882161fd8c70b678e | Windows BlackCat Payload
SHA256 | 3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83 | Windows BlackCat Payload
SHA256 | 722f1c1527b2c788746fec4dd1af70b0c703644336909735f8f23f6ef265784b | Windows BlackCat Payload
SHA256 | d767524e1bbb8d50129485ffa667eb1d379c745c30d4588672636998c20f857f | Windows BlackCat Payload
SHA256 | aae77d41eba652683f3ae114fadec279d5759052d2d774f149f3055bf40c4c14 | Windows BlackCat Payload
SHA256 | be8c5d07ab6e39db28c40db20a32f47a97b7ec9f26c9003f9101a154a5a98486 | Windows BlackCat Payload
SHA256 | 9f6876762614e407d0ee6005f165dd4bbd12cb21986abc4a3a5c7dc6271fcdc3 | Windows BlackCat Payload
SHA256 | 79802d6a6be8433720857d2b53b46f8011ec734a237aae1c3c1fea50ff683c13 | Windows BlackCat Payload
SHA256 | 2cf54942e8cf0ef6296deaa7975618dadff0c32535295d3f0d5f577552229ffc | Windows BlackCat Payload
SHA256 | bacedbb23254934b736a9daf6de52620c9250a49686d519ceaf0a8d25da0a97f | Windows BlackCat Payload
SHA256 | 3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc | Windows BlackCat Payload
SHA256 | 67d1f4077e929385cfd869bf279892bf10a2c8f0af4119e4bc15a2add9461fec | Windows BlackCat Payload
SHA256 | 5a604a8f0e72f3bf7901b7b67f881031a402ab8072269c00233a554df548f54d | Windows BlackCat Payload
SHA256 | 6660d0e87a142ab1bde4521d9c6f5e148490b05a57c71122e28280b35452e896 | Windows BlackCat Payload
SHA256 | f8c08d00ff6e8c6adb1a93cd133b19302d0b651afd73ccb54e3b6ac6c60d99c6 | Linux BlackCat Payload
SHA256 | 5121f08cf8614a65d7a86c2f462c0694c132e2877a7f54ab7fcefd7ee5235a42 | Linux BlackCat Payload
SHA256 | 3a08e3bfec2db5dbece359ac9662e65361a8625a0122e68b56cd5ef3aedf8ce1 | Linux BlackCat Payload
SHA256 | f7a038f9b91c40e9d67f4168997d7d8c12c2d27cd9e36c413dd021796a24e083 | Linux BlackCat Payload
SHA256 | 9802a1e8fb425ac3a7c0a7fca5a17cfcb7f3f5f0962deb29e3982f0bece95e26 | Linux BlackCat Payload

Appendix C. Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

TA0005: Defense Evasion

T1070: Indicator Removal on Host

T1070.001: Clear Windows Event Logs

T1078: Valid Accounts

T1078.003: Local Accounts

T1562: Impair Defenses

T1562.001: Disable or Modify Tools

TA0010: Exfiltration

T1048: Exfiltration Over Alternative Protocol

T1048.002: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

TA0040: Impact

T1486: Data Encrypted for Impact

Appendix D. Reporting context

The following list of sources was used by the report author(s) during the collection and analysis process associated with this intelligence report.

https://www.varonis.com/blog/alphv-blackcat-ransomware
https://unit42.paloaltonetworks.com/blackcat-ransomware

Alien Labs rates sources using the intelligence source and information reliability rating system, which assesses both the reliability of the source and the level of confidence placed in the information distributed. The following tables show the range of possible ratings and the selection applied to this report.

Source reliability A1

RATING | DESCRIPTION
A – Reliable | No doubt about the source's authenticity, trustworthiness, or competency. History of complete reliability.
B – Usually Reliable | Minor doubts. History of mostly valid information.
C – Fairly Reliable | Doubts. Provided valid information in the past.
D – Not Usually Reliable | Significant doubts. Provided valid information in the past.
E – Unreliable | Lacks authenticity, trustworthiness, and competency. History of invalid information.
F – Reliability Unknown | Insufficient information to evaluate reliability. May or may not be reliable.

Information reliability A2

RATING | DESCRIPTION
1 – Confirmed | Logical, consistent with other relevant information, confirmed by independent sources.
2 – Probably True | Logical, consistent with other relevant information, not confirmed.
3 – Possibly True | Reasonably logical, agrees with some relevant information, not confirmed.
4 – Doubtfully True | Not logical but possible, no other information on the subject, not confirmed.
5 – Improbable | Not logical, contradicted by other relevant information.
6 – Cannot be judged | The validity of the information cannot be determined.

Feedback

AT&T Alien Labs welcomes feedback about the reported intelligence and delivery process. Please contact the Alien Labs report author or contact labs@alienvault.com.


Mandiant adds ransomware defense validation to XDR security platform

Read Time:27 Second

Cyberdefense and response company Mandiant is offering a new Ransomware Defense Validation service for its SaaS-based XDR (extended detection and response) platform, Mandiant Advantage, to help organizations measure the ability of their security systems to prevent ransomware attacks. 

The subscription service, now generally available, is designed to combine threat intelligence, ransomware reconfiguration capabilities, and an automated validation infrastructure to help security leaders understand how effectively their existing security controls can prevent specific ransomware attacks and multifaceted extortion campaigns. 

To read this article in full, please click here


The Wearable Future Is Hackable. Here’s What You Need To Know

Read Time:3 Minute, 44 Second

Quick mental math challenge: How many Apple Watches can you buy with $118 billion? If you guessed around 296 million watches, congrats, you’re smarter than the writer of this blog! We had to use a calculator. The point is that’s the predicted size of the US wearable market by 2028 according to a recent report. That means for as much wearable tech as we have in our lives already, even more is on the way.

If you own a piece of wearable tech, it’s easy to understand why it’s so popular. After all, it can track our fitness, provide contextual help in daily life, and, in the case of hearing aids, even do cool things like sync with Bluetooth. As VR and AR gain a foothold, who knows what other incredible tech might be headed our way by 2028? However, wearable tech also comes with certain risks. The most prominent: cybercriminals potentially gaining access to your data.

How can criminals gain access to your wearable data? 

The weakest link in the wearables space is your mobile phone, not the wearable device itself. That’s because wearables tend to link to your mobile device over a short-range wireless technology known as Bluetooth, which is used to send and receive data between your wearable device and your mobile. That makes your mobile a prime target for hackers.

Most commonly, hackers gain access to the data on your mobile through malware-laden apps. These apps are oftentimes designed to look like popular apps, but with enough differences that they don’t flag copyright suspicion. 

What are they doing with my wearable data?

Hackers can use these malicious apps to do a variety of things, from making phone calls without your permission to sending and receiving texts and extracting personal information, all potentially without your knowledge. They can also, with the help of your wearable, track your location through GPS and record any health issues you’ve entered into your wearable. The point is: once they have permissions on your mobile device, they have a lot of control and a lot of resources.

The hacker can then use this data to conduct varying forms of fraud. Need a special prescription from your doctor that happens to sell well on the black market? Well, so does the hacker. Going out for a jog in the morning? Good information for a burglar to know. These personal details just scratch the surface of information available for the taking on your mobile devices.

Beyond wearables and into the internet of things

These types of threats aren’t limited to wearables, however. The Internet of Things—the phenomenon of devices connected to the Internet for analysis and optimization—encompasses all sorts of other electronic devices, such as washing machines and refrigerators, that can put your data at risk as well. But these life-changing devices can be secured through education and industry standards, two things we’re working on day and night.

Defend your wearables and your personal information

Use a PIN. All of your mobile devices ought to have a personal identification number (PIN). This basic security method is a great way of dissuading casual hackers or thieves from stealing your data. 
Limit what you share. Most wearables don’t need access to every piece of information about you. You can lessen the likelihood of your wearable sharing sensitive information by only entering the information your wearable device requires. On the flip side, always double-check the permissions that the wearables app is requesting on your mobile device. Does it really need access to your location, camera roll, and address book? If not, be sure to alter these settings appropriately. 
Use identity protection. Identity protection can monitor your accounts online – accounts tied to your wearable – so you can receive alerts if that information has been compromised or found online. If it has, a service like McAfee’s Identity Protection Service may also provide insurance and loss remediation as well.

Of course, securing the weakest link in your wearables environment, your phone, will go a long way towards keeping your data safe. But what happens when your computer, where you store backups of your smartphone, is compromised too? We’ve got you covered with the McAfee LiveSafe service, our comprehensive security solution that provides protection for your entire online life.

The post The Wearable Future Is Hackable. Here’s What You Need To Know appeared first on McAfee Blog.


Why Am I Getting All These Notifications on my Phone?

Read Time:3 Minute, 18 Second

Authored by Oliver Devane and Vallabh Chole  

Notifications on Chrome and Edge, both desktop browsers, are commonplace, and malicious actors are increasingly abusing this feature. McAfee previously blogged about how to change desktop browser settings to stop malicious notifications. This blog focuses on Chrome notifications on Android mobile devices such as phones and tablets, and how McAfee Mobile Security protects users from malicious sites leveraging these notifications.  

Where do these notifications come from? 

Most users are unaware of the source of these notifications. Permission is granted when a user clicks ‘Allow’ on a prompt within Android Chrome. 

Many malicious websites use language and images like the one above that entice the user to click ‘Allow’, such as ‘Just one more step! Click “Allow” to continue.’ Once ‘Allow’ is clicked, the website is added to a site permissions list, which enables it to send notifications.

What do they look like? 

The notifications look like the usual Android notifications you are used to seeing, such as a new WhatsApp message or email. To identify the source of a notification, look for the application name, like the one highlighted in the red box below.

The image above shows the notification came from Chrome and it is from the website premiumbros[.]com. This is something you should pay attention to as it will be needed when you want to stop annoying notifications.  

How are some of them malicious?

Some notifications like the ones in this blog are malicious as they attempt to trick users into believing that their mobile device is infected with a virus and some action is required. When the users click the notification, Chrome will load a website which will present them with a fake warning like the example below: 

Clicking either Cancel or Update Now on the above website results in the same behavior: the browser redirects the user to a Google Play Store app so that they can download and install it.

The malicious websites will flood your phone with several notifications. The screenshot below shows an example of this: 

Why do malicious actors do this? 

You may ask yourself, why do malicious actors try to get me to install a Google Play application? The people behind these scams receive a commission when these applications are installed on devices. They rely on deceptive tactics to trick users into installing them to maximize profits.

How can I remove notifications? 

To remove a website’s notification permission, you need to change a Chrome setting. 

1- Find out the name of the website which is sending these notifications. This can be done by looking at the notification and noting down the name of the website. If we use this blog as an example, it would be premiumbros[.]com

2- Open the Chrome browser app which can be found by performing the following search: 

3- Click the three dots (…) in the top right-hand corner of the application

4- Scroll down and click on settings 

5- Click on Notifications 

6- Scroll down until you find the website which you identified in step 1 

7- Press the blue radio button so it turns grey

8- Notifications will now be disabled for that website. If you want to block multiple websites, click the radio button for them as well.  
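The site permissions list mentioned above is what the steps just described edit by hand. As an added example (not code from the McAfee post), the script below audits that list directly: Chrome keeps per-site grants in its profile's Preferences JSON under profile.content_settings.exceptions.notifications, keyed by an origin pattern, with setting 1 meaning allow and 2 meaning block. The Preferences content is a constructed sample with example domains; on Android the file sits inside the Chrome app's private data and is only readable on a rooted device, so the practical use is on desktop profiles or forensic images.

```python
"""Audit Chrome's notification permission list (added example).

Assumption: Chrome stores site permission exceptions in the profile's
Preferences JSON under profile.content_settings.exceptions.notifications,
keyed "<origin>,*" with "setting" 1 = allow, 2 = block.
"""
import json
from typing import Dict, List

ALLOW, BLOCK = 1, 2

# Constructed sample mirroring the layout of a Chrome Preferences file.
SAMPLE_PREFS = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://pushspam.example:443,*": {"setting": 1},
        "https://mail.example.org:443,*": {"setting": 1},
        "https://news.example.net:443,*": {"setting": 2},
    }}}}
})


def notification_grants(prefs_json: str) -> Dict[str, int]:
    """Return {origin: setting} for every site with a notification exception."""
    prefs = json.loads(prefs_json)
    exceptions = (prefs.get("profile", {})
                  .get("content_settings", {})
                  .get("exceptions", {})
                  .get("notifications", {}))
    grants = {}
    for pattern, entry in exceptions.items():
        origin = pattern.split(",", 1)[0]  # drop the ",*" secondary pattern
        grants[origin] = entry.get("setting", 0)
    return grants


def allowed_origins(prefs_json: str) -> List[str]:
    """Origins currently permitted to push notifications (setting == ALLOW)."""
    return sorted(o for o, s in notification_grants(prefs_json).items()
                  if s == ALLOW)


def unexpected_origins(prefs_json: str, allowlist: List[str]) -> List[str]:
    """Allowed origins the user did not knowingly approve; these are the
    entries to revoke via Settings > Notifications as described above."""
    return [o for o in allowed_origins(prefs_json) if o not in allowlist]


if __name__ == "__main__":
    known = ["https://mail.example.org:443"]
    for origin in unexpected_origins(SAMPLE_PREFS, known):
        print("review notification grant for:", origin)
```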

How does McAfee Protect me? 

McAfee customers who have McAfee Mobile Security are protected against these malicious websites as long as they enable the ‘Safe Browsing’ feature within the application.  

Upon trying to access a malicious website such as the one in the blog it will be blocked as shown in the image below: 


Please read this guide on enabling the Safe Browsing feature within the Mobile Security Application. 

https://service.mcafee.com/?locale=en-US&articleId=TS103142&fromSearch=true&page=shell&shell=article-view  

The post Why Am I Getting All These Notifications on my Phone? appeared first on McAfee Blog.
