Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

More Ransomware Attacks Target Ukraine, Poland

Microsoft Threat Intelligence Center (MSTIC) has been tracking a ransomware campaign rageting logistics and transportation firms in Ukraine and Poland. This follows earlier attacks on the same industry, presumably to weaken Ukraine's defences against Russia, but is quite distinct from the previous attacks, which used AprilAxe (ArguePatch) / CaddyWiper or Foxblade (HermeticWiper) to target Ukrainian critical infrastructure over the last two weeks.

The new malware identifies itself, in its ransom note, as "Prestige ranusomeware", and was deployed over a one-hour period on 11 October. In all cases, the attacker had already gained highly-privileged access, such as domain admin privileges - perhaps from a previous compromise. Three distinct methods were used to deploy the ransomware; two copy the malware to the ADMIN$share on a remote system and  make use of the Impacket WMIexec tool to either create a scheduled task or run a PowerShell command to run it. The second technique copies the payload to an AD domain controller and then distributes it via Group Policy.

The MSTIC report provides a complete analysis, IoC's and recommended customer actions.

Microsoft Threat Intelligence Center, New "Prestige" randomware impacts organizations in Ukraine and Poland, blog post, 14 October 2022. Available online at https://www.microsoft.com/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/.

Yet Another Australian Privacy Breach

Australia continues a long streak of privacy breaches - or perhaps it's just that the media, with heightened awareness following last month's Optus breach, is keener to report them. The latest victim is online wine dealer Vinomofo, which reports that "an unauthorised third party unlawfully accessed our database on a testing platform that is not linked to our live Vinomofo website".

Vinomofo is believed to have approximately half a million customers, but it is not clear how much, or what kinds of, information was accessed, but likely at risk are names, addresses, email addresses, phone numbers and - required for alcohol sales - dates of birth. The company has reported the breach and warned customers to be alert for scam activity.

Shepherd, Tory, Vinomofo data breach: 500,000 customers at risk after wine dealer hit by cyber-attack, The Guardian, 18 October 2022. Available online at https://www.theguardian.com/australia-news/2022/oct/18/vinomofo-data-breach-cyber-attack-hack-australian-wine-seller.

QAKBOT Adds Brute Ratel as Second Stage

QAKBOT, which first emerged as an infostealer in 2007, gradually morphed into a 'malware-installation-as-a-service' model that was often a precursor to ransomware infections. Now, Trend Micro researchers report on a new phase of QAKBOT operations, shifting to the distribution of the recently-cracked Brute Ratel post-exploitation framework.

The new campaign starts with a spam email containing a malicious link to a password-protected .ZIP file which, in turn, contains a .ISO file- likely a way to escape the Windows "Mark of the Web" which flags files downloaded from the Internet as untrusted. The .ISO image contains a shortcut named "Contract" along with two hidden subdirectories, which in turn contain the actual malware. A JavaScript fragment runs a batch file which then invokes the QAKBOT DLL.

Ten minutes later, the malware makes contact with the QAKBOT C2 servers, and then waits a further 6 minutes before performing some automated reconnaisance using LOLbin commands. Five minutes later, it drops the Brute Ratel DLL, and a few minutes after that, manual reconnaisance activities begin.

Curiously, Cobalt Strike is used for lateral movement which, if not stopped, will likely end with domain-wide ransomware deployment.

Kenefick, Ian, Lucas Silva and Nicole Hernandez, Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike, blog post, 12 October 2022. Available online at https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.