This major criminal hacking group just switched to ransomware attacks

mood · Oct 14, 2020

This major criminal hacking group just switched to ransomware attacks
...they've switched to ransomware because it's the biggest and easiest pay day
October 14, 2020
https://www.zdnet.com/article/this-major-criminal-hacking-group-just-switched-to-ransomware-attacks/

A widespread hacking operation that has been targeting organisations around the world in a phishing and malware campaign which has been active since 2016 has now switched to ransomware attacks, reflecting how successful ransomware has become a money-making tool for cyber criminals.

Dubbed FIN11, the campaign has been detailed by cybersecurity researchers at FireEye Mandiant, who describe the hackers as a 'well-established financial crime group' which has conducted some of the longest running hacking campaigns.
Click to expand...

The group started by focusing attacks on banks, retailers and restaurants but has grown to indiscriminately target a wide range of sectors in different locations around the world, sending thousands of phishing emails out and simultaneously conducting attacks against several organisations at any one time.

But now FIN11 is using its extensive network as means of delivering ransomware to compromised networks, with the attackers favouring Clop ransomware and demanding bitcoin to restore the network.
Put simply, this shift in tactics is all about making as much money as possible – and ransomware has become a quick and easy way for cyber criminals to make money from a wider variety of targets.

"FIN11 has likely shifted their primary monetization method to ransomware deployment because it is more profitable than traditional methods such as deploying POS malware," Genevieve Stark, analyst at Mandiant Threat Intelligence told ZDNet.
Click to expand...

FireEye: FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft

Mandiant Threat Intelligence recently promoted a threat cluster to a named FIN (or financially motivated) threat group for the first time since 2017. We have detailed FIN11's various tactics, techniques and procedures in a report that is available now by signing up for Mandiant Advantage Free.

In some ways, FIN11 is reminiscent of APT1; they are notable not for their sophistication, but for their sheer volume of activity. There are significant gaps in FIN11’s phishing operations, but when active, the group conducts up to five high-volume campaigns a week.
Click to expand...

mood · Oct 15, 2020

FIN11 Spun Out From TA505 Umbrella as Distinct Attack Group
October 14, 2020
https://www.securityweek.com/fin11-spun-out-ta505-umbrella-distinct-attack-group

FIN11 is a new designation for a financially motivated threat actor that may previously have been obscured within the activity set and group usually referred to as TA505. Although there are similarities and overlaps in the TTPs of both groups, researchers have discovered enough differences to separate the groups.

TA505 is largely defined by its large-scale phishing campaigns. It has distributed Dridex and dropped multiple types of ransomware, including GlobeImposter and Philadelphia.
The group now defined by Mandiant (FireEye) Threat Intelligence researchers as FIN11 similarly uses large-scale phishing campaigns, but is primarily defined by its unique use of the CLOP ransomware. The researchers also believe that the code families known as FlawedAmmyy, FRIENDSPEAK and MIXLABEL are unique to FIN11.
Click to expand...

It isn't known how many organizations have fallen victim to FIN11 because of the apparently growing tendency for victims to simply pay for a decryption key. This can be assumed because of the rapidly increasing ransomware demands.
The CLOP group engages in what is sometimes referred to as 'double extortion'.

The CL0P^_- LEAKS website suggests that there have been FIN11 victims in North America, India and Europe. The majority are located in Europe, and about half of those in Germany. "FIN11," say the researchers, has used German-language lures in many of their 2020 campaigns, suggesting that they have actively targeted German organizations."
Click to expand...

mood · Jan 15, 2021

FIN11 e-crime group shifted to CL0P ransomware and big game hunting
January 15, 2021
https://www.scmagazine.com/home/sec...fted-to-cl0p-ransomware-and-big-game-hunting/

The financially motivated FIN11, which increasingly incorporated CL0P ransomware into their operations in 2020, appeared to rely on low-effort volume techniques like spamming malware for initial entry, but put a substantial amount of effort into each follow-up compromise.

“Several of their recent ransom notes explicitly name data stolen from workstations that belong to top executives (including founders/CEOs) of the respective enterprises,” Senior Cybersecurity Analyst Thomas Barabosch wrote in a blog post detailing new research from Deutsche Telekom. “This is likely based on the hope that using data stolen from top executives in the extortion process raises their chances that the victim pays.”
The research sheds new light on how cybercriminals from the threat group, described as a relentless, big game ransomware hunter that rarely goes more than a day or two between attacks, used the popular CL0P ransomware in their exploitations.
Click to expand...

Telekom’s research contains indicators of compromise for FIN11’s most recent spam-phishing activities through December 2020.
Click to expand...

mood · Oct 21, 2021

TA551 Shifts Tactics to Install Sliver Red-Teaming Tool
A new email campaign from the threat group uses the attack-simulation framework in a likely leadup to ransomware deployment
October 21, 2021
https://threatpost.com/ta551-tactics-sliver-red-teaming/175651/

The criminal threat group known as TA551 has added the Sliver red-teaming tool to its bag of tracks – a move that may signal ramped up ransomware attacks ahead, researchers said.

According to Proofpoint researchers, TA551 (aka Shathak) has been mounting cyberattacks that start with email thread hijacking – an increasingly popular tactic in which adversaries insert themselves into existing email conversations. In one offensive seen just this week, the messages contained password-protected zipped Word documents. If opened and macros enabled, the attachments ultimately lead to the download of Sliver, an open-source, cross-platform adversary simulation and red-team platform.
Click to expand...

Typically, the end goal for TA551 has been to drop an initial-access/banking trojan such as IcedID, Qbot or Ursnif (and Emotet in the past), which eventually led to ransomware attacks.
For instance, IcedID implants were associated with Maze and Egregor ransomware events in 2020, the firm determined.

“Typically, TA551 use more commodity malware like banking trojans,” Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, told Threatpost.
Now with Sliver, they don’t need to rely on other groups for access. The threat actor is able to break in on their own with much more flexibility to pushing ransomware, stealing data or doing any lateral movements through the target organization.”
Click to expand...

Proofpoint: TA551 Uses ‘SLIVER’ Red Team Tool in New Activity

mood · Nov 9, 2021

Clop gang exploiting SolarWinds Serv-U flaw in ransomware attacks
November 9, 2021
https://www.bleepingcomputer.com/ne...solarwinds-serv-u-flaw-in-ransomware-attacks/

The Clop ransomware gang, also tracked as TA505 and FIN11, is exploiting a SolarWinds Serv-U vulnerability to breach corporate networks and ultimately encrypt its devices.

The Serv-U Managed File Transfer and Serv-U Secure FTP remote code execution vulnerability, tracked as CVE-2021-35211, allows a remote threat actor to execute commands on a vulnerable server with elevated privileges.
SolarWinds released an emergency security update in July 2021 after discovering a "a single threat actor" exploiting it in attacks.
Click to expand...

Vulnerability used in ransomware attacks
According to a new report by the NCC Group, there's been an uptick in Clop ransomware infections in the past couple of weeks, with most of them starting with the exploitation of CVE-2021-35211.

In the new attacks spotted by NCC, the threat actors exploit Serv-U to spawn a sub-process controlled by the attackers, thus enabling them to run commands on the target system.
This opens up the way for malware deployment, network reconnaissance, and lateral movement, essentially laying the ground for a ransomware attack.
Click to expand...

For persistence, the actors hijack a legitimate scheduled task that is used for regularly backing up registry hives and abuse the associated COM handler to load 'FlawedGrace RAT.'
FlawedGrace is a tool that TA505 has been using since at least November 2017, and it remains a reliable part of the group's arsenal.
Click to expand...

NCC Group: TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access

NCC Group’s global Cyber Incident Response Team has observed an increase in Clop ransomware victims in the past weeks. The surge can be traced back to a vulnerability in SolarWinds Serv-U that is being abused by the TA505 threat actor. TA505 is a known cybercrime threat actor, who is known for extortion attacks using the Clop ransomware. We believe exploiting such vulnerabilities is a recent initial access technique for TA505, deviating from the actor’s usual phishing-based approach.

We are sharing this information as a call to action for organisations using SolarWinds Serv-U software and incident responders currently dealing with Clop ransomware.
Click to expand...

mood · Nov 10, 2021

TrickBot teams up with Shatak phishers for Conti ransomware attacks
November 10, 2021
https://www.bleepingcomputer.com/ne...shatak-phishers-for-conti-ransomware-attacks/

A threat actor tracked as Shatak (TA551) recently partnered with the ITG23 gang (aka TrickBot and Wizard Spider) to deploy Conti ransomware on targeted systems.

The Shatak operation partners with other malware developers to create phishing campaigns that download and infect victims with malware.
Researchers from IBM X-Force discovered that Shatak and TrickBot began working together in July 2021, with what appears to be good results, as the campaigns have continued until today.
Click to expand...

Attack starts with a phishing email
A recent technical analysis from Cybereason provides more details on how the two distinct actors partnered to deliver ransomware attacks.
According to an October report by IBM X-Force, Shatak commonly uses reply-chain emails stolen from previous victims and adds password-protected archive attachments.

The next step is data exfiltration, which is the final stage before the file encryption, with Conti using the 'Rclone' tool to send everything to a remote endpoint under their control.
After harvesting all valuable data from the network, the threat actors deploy the ransomware to encrypt devices.
Click to expand...

Cybereason: THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware

KEY FINDINGS

Beware of Shatak Emails: In partnership with the ITG23 threat group, the Shatak threat group distributes ITG23’s TrickBot and BazarBackdoor malware as password-protected archive files attached to phishing emails. The archive files contain malicious documents whose macros download and execute the TrickBot or BazarBackdoor malware. Malicious actors actively use this malware to deploy ITG23’s Conti ransomware on compromised systems.

Average Two Days Time-to-Ransom (TTR): Conti actors do not deploy ransomware immediately after initial infection using the TrickBot or BazarBackdoor malware—the actors first conduct other activities, such as reconnaissance, credential theft, and data exfiltration. We observed an average TTR of approximately two days after initial infection.

Click to expand...

Detected and Prevented: The Cybereason Defense Platform detects and prevents infections that use the TrickBot and BazarBackdoor malware that the Shatak threat group distributes, as well as malicious activities that Conti actors conduct.

Cybereason Managed Detection and Response (MDR): The Cybereason GSOC has zero tolerance towards attacks that involve ransomware, such as the Conti ransomware, and categorizes such attacks as critical, high-severity incidents. The Cybereason GSOC MDR team issues a comprehensive report to customers when such an incident occurs. The report provides an in-depth overview of the incident, which helps to scope the extent of compromise and the impact on the customer’s environment. In addition, the report provides attribution information when possible, as well as recommendations for mitigating and isolating the threat.

Click to expand...

IBM X-Force: Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds

Log in or Sign up

This major criminal hacking group just switched to ransomware attacks

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team

mood Updates Team