A new report from Cisco Talos reveals that commodity malware outpaced ransomware in Cisco Talos Incident Response (CTIR) engagements for the first time in over a year. The report also exposes the latest tactics, techniques, and procedures (TTPs) being deployed by cybercriminals. Next, we highlight a new UEFI firmware rootkit dubbed ‘CosmicStrand’ being actively used by Chinese-speaking threat actors to target individuals in different regions. Finally, intelligence from Censys reveals the existence of Russia-linked ransomware command-and-control (C2) infrastructure, which appears to have gained a foothold in at least one US-based network.
1. Cisco Talos’ Quarterly Report: Incident Response Trends in Q2 2022
The latest Incident Response Trends in Q2 2022 report from Cisco Talos contains a wealth of important cybersecurity insights.
Here are some of the top takeaways:
Commodity malware takes first place
The top observed threat this quarter is commodity malware, or malware that is readily available for purchase. This is significant when considering the overall decline in attacks leveraging commodity trojans in CTIR engagements stretching back to 2020.
According to Talos, these developments coincide with the resurgence of various email-based trojans in recent months after suffering disruptions at the hands of both law enforcement and technology companies.
This quarter also saw an increase in activity involving info stealers like Redline and QBot. These malware families have all initiated precursor infections for different payloads — chiefly for ransomware — at various points in time.
— Decipher (@DecipherSec) July 26, 2022
Compared to previous quarters, ransomware was involved in a significantly smaller percentage of engagements, comprising 15 percent of all threats observed this quarter, as compared to 25 percent last quarter.
Top ransomware/malware families:
- Remcos RAT
- Vidar InfoStealer
- Redline InfoStealer
- QBot trojan
- BlackCat (ALPHV) ransomware
- Conti ransomware
Top targeted verticals
- Telecommunications: This vertical was also among the most targeted sectors in Q4 2021 and Q1 2022.
- Healthcare/medical: Healthcare is always a favorite target for extortionists, due to healthcare organizations’ overriding need to provide continuation of care and avoid outages at all costs.
- Education: Schools are another popular target for cybercriminals due to the perception that educational institutions have valuable resources and the ability to pay significant ransom demands.
- Other at-risk verticals listed in the report include financial services, local government, food services, retail/trade, automotive, IT, production equipment, and manufacturing.
Top overall threats
- Commodity malware
- Advanced persistent threat (APT)
- Exposed/Misconfigured applications
Honorable mentions: Insider threats, Log4j, pre-ransomware, and Wave browser (PUP).
Top initial infection vectors
- Exploit public-facing applications
- Valid accounts
Honorable mentions: External remote services and drive-by compromise.
According to Talos, a lack of multifactor authentication (MFA) remains one of the biggest impediments to enterprise security — suggesting organizations need to take advanced measures to protect user accounts.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“There are a few lingering questions related to the data presented above. First and foremost, we are curious about other potential contributing factors to commodity malware outpacing ransomware for the first time in ages.
- Did the rise of extortion-without-encryption threat actors (such as LAPSUS$) have an impact on the lower ransomware numbers?
- Will the several newly emerged pieces of malware discovered amidst the background of the Russia/Ukraine conflict affect the numbers in Talos’ next quarterly report?
- What about destructive malware? Will any of that make an appearance?
- What has precipitated the rise in the popularity of info-stealing malware?
- Have initial-access brokers played a role in the success currently being enjoyed by these info-stealing malware families?
Questions aside, we think the insights provided by some of the data in this report will prove to be useful to the cyber threat intelligence community.”
2. Experts uncover new ‘CosmicStrand’ UEFI firmware rootkit used by China-linked hackers
SecureList by Kaspersky recently uncovered a sophisticated new UEFI firmware rootkit dubbed CosmicStrand that is now being used by an unknown Chinese-speaking threat actor.
Victims reportedly consist of private individuals located in China, Vietnam, Iran, and Russia. As of right now, there is no evidence linking these victims to any specific organizations or industry verticals.
Despite being recently discovered, the #CosmicStrand UEFI firmware rootkit seems to have been deployed for quite a long time.
— Kaspersky (@kaspersky) July 28, 2022
What is CosmicStrand UEFI rootkit?
As SecureList explains, rootkits are malware implants designed to burrow themselves into the “deepest corners of the operating system.” Rootkits are often associated with top-tier cyber threat actors like state-sponsored APT groups, due to the complex technical challenges they pose.
Unfortunately, cybercriminals and APTs alike have become increasingly attracted to rootkits, mainly because this type of malware nests in levels so low within the operating system that it makes detection extremely difficult. Firmware rootkits also keep devices in a compromised state even after operating system reinstallation or hard drive replacement.
CosmicStrand is a UEFI firmware rootkit that utilizes a small, 96.84KB file. While CosmicStrand’s initial access vector has yet to be determined, post-compromise activity includes modifications to the CSMCORE DXE driver, the entry point of which has been patched to redirect to code added in the .reloc section. This code, executed during system startup, triggers a long execution chain which results in the download and deployment of a malicious component inside Windows. Ultimately, CosmicStrand’s goal is to deploy a kernel-level implant into a Windows system every time it boots, originating from the infected UEFI component.
SecureList believes that these modifications may have been the work of an automated patcher. If this turns out to be accurate, it may indicate that the attackers gained prior access to the victim’s computer to extract, modify and overwrite the motherboard’s firmware. This could be achieved via a precursor malware implant already deployed on the computer – or by obtaining physical access to the device.
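As an added illustration (not Kaspersky's code and not taken from the CosmicStrand report), the following check looks for the pattern described above on a PE/COFF DXE driver: an entry point that has been patched to jump into the .reloc section. It parses the PE headers, follows a near jmp at the entry point one hop, and flags control flow that lands in .reloc or in any section not marked executable. The sample image is constructed inline; its section layout and offsets are assumptions for the demonstration, not values from the real driver.

```python
import struct

EXEC = 0x20000000  # IMAGE_SCN_MEM_EXECUTE

def parse(pe):
    """Return (AddressOfEntryPoint, [(name, va, size, rawptr, characteristics), ...])."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew -> "PE\0\0"
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]        # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]   # FileHeader.SizeOfOptionalHeader
    entry = struct.unpack_from("<I", pe, nt + 24 + 16)[0] # OptionalHeader.AddressOfEntryPoint
    secs = []
    for i in range(nsec):
        o = nt + 24 + opt_size + 40 * i                   # IMAGE_SECTION_HEADER is 40 bytes
        vs, va, rs, rp = struct.unpack_from("<IIII", pe, o + 8)
        chars = struct.unpack_from("<I", pe, o + 36)[0]
        secs.append((pe[o:o + 8].rstrip(b"\0").decode(), va, max(vs, rs), rp, chars))
    return entry, secs

def find(secs, rva):
    return next((s for s in secs if s[1] <= rva < s[1] + s[2]), None)

def check_entry_redirect(pe):
    """Flag an entry point that lives in, or immediately jumps into, a non-code section."""
    entry, secs = parse(pe)
    s = find(secs, entry)
    if s is None:
        return "entry point outside all sections"
    hops = [(entry, s)]
    off = s[3] + entry - s[1]                   # file offset of the first instruction
    if pe[off] == 0xE9:                         # near jmp rel32: follow it one hop
        tgt = (entry + 5 + struct.unpack_from("<i", pe, off + 1)[0]) & 0xFFFFFFFF
        hops.append((tgt, find(secs, tgt)))
    for rva, t in hops:
        if t is None or t[0] == ".reloc" or not t[4] & EXEC:
            return f"entry control flow reaches {t[0] if t else 'no section'} at RVA {rva:#x}"
    return None

def build_sample(patched):
    """Constructed toy PE32+ image (not a real driver): .text at RVA 0x1000, .reloc at 0x2000."""
    text_va, reloc_va, raw = 0x1000, 0x2000, 0x200
    code = bytearray(b"\x90" * 16)              # benign entry: NOPs
    if patched:                                 # entry patched to jmp into .reloc
        code[:5] = b"\xE9" + struct.pack("<i", reloc_va - (text_va + 5))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    fh = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 24, 0x2022)
    opt = struct.pack("<HBBIIIII", 0x20B, 0, 0, 0, 0, 0, text_va, 0)
    def sec(name, va, rp, chars):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 16, va, 16, rp, 0, 0, 0, 0, chars)
    hdr = dos + b"PE\0\0" + fh + opt + sec(b".text", text_va, raw, 0x60000020) + sec(b".reloc", reloc_va, raw + 16, 0x42000040)
    return hdr.ljust(raw, b"\0") + bytes(code) + b"\x90" * 16
```

Run it over DXE drivers extracted from a firmware dump; a hit on a vendor driver such as CSMCORE is worth a closer look, while a clean result only rules out this one patching pattern.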
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“While the emergence of a new firmware rootkit is notable on its own, its suspected development by, use by – and potential links to – Chinese-speaking threat actors is also of interest.
While there is certainly still a lot to be learned about CosmicStrand’s attack chain and the operators behind its deployment, the technological challenge presented to developers seeking to create such a piece of malware suggests that CosmicStrand’s authors are fairly sophisticated, and that they may have access to considerable resources. This would align with historic China-linked cyber activity. The inability to definitively link this activity to a known threat actor/APT may also suggest that CosmicStrand’s operators place a premium on operational security (OPSEC), an attribute common to many of China’s top-tier state-linked hackers.
Another piece of potential evidence linking CosmicStrand activity to a state-aligned entity is the fact that so far, all known attacks have targeted individuals. While there does not yet appear to be a common link between these individuals with regard to organizations or industries, the Chinese government is known to target individuals of national interest for surveillance and intelligence gathering – sometimes even going so far as to disguise such efforts as non-targeted activity – such as supply-chain attacks that at first glance appear designed to impact thousands, but upon further inspection, turn out to be intended only to infect a few hundred individuals of interest to the Chinese government.
Again, at time of reporting, this is all speculative. Time will tell what the true motive is.”
3. Research firm Censys finds Russia-based ransomware network with foothold in U.S.
Researchers at attack surface management firm Censys claim to have discovered a Russia-based ransomware command and control (C2) network with a foothold in at least one U.S. network.
The activity was first observed by Censys researchers around June 24, 2022, when, during a scan of over 4.7 million Russia-based hosts, they discovered two Russian hosts containing the Metasploit exploitation tool along with the Deimos C2 tool.
It should be explained that Censys was running the scans to reveal the top 1,000 software products currently observable amongst over 4.7 million hosts discovered in Russia by the company’s researchers. Further historical analysis revealed that one of these hosts had previously used the PoshC2 tool. These tools all contain features that enable penetration testers and hackers to gain remote access to – and manage – target hosts.
Researchers at Censys leveraged details from the PoshC2 certificate to locate additional Russian hosts in various global locations, including two additional hosts using the PoshC2 certificate, located within the U.S. Censys identifies these systems as Russian hosts, and states that they also contained malware packages — including a ransomware kit — as well as a file with a link to two Russian Bitcoin hosts.
According to Censys, researchers located a host in Ohio which also contained the Deimos C2 tool, which is the same tool discovered on the initial Russian host. Further historical analysis reveals that the Ohio host also possessed a malware package consistent with the ransomware discovered on the Russian hosts containing the PoshC2 tool mentioned above.
Editor’s note: To avoid confusion, we’ll refer to the initially discovered Russian hosts possessing Metasploit and Deimos C2 as Hosts A & B, and the subsequently discovered hosts possessing malware and ransomware kits as Hosts F & G (the naming convention will make more sense if you take a look at Censys’ extremely thorough technical report).
After more digging, Matt Lembright, who is director of federal applications at Censys and the man responsible for the initial scanning activity, discovered along with his team that the hosts described above exhibited connections with MedusaLocker ransomware, as well as Karma ransomware.
As stated by Lembright and co., the discovery of these hosts’ ransomware connections was particularly novel because most ransomware incidents are discovered after an attack, and this was a rare instance of researchers finding evidence of groups setting the stage for an attack.
Censys assesses that the initially discovered Russian Hosts A & B with Metasploit and Deimos C2 are possibly initial attack vectors to take over victim hosts, while Russian Hosts F & G possess malware capable of disabling anti-virus and performing a ransomware attack, with beacons to two Bitcoin nodes that likely receive ransomware payment from victims.
Censys was able to link the hosts to the MedusaLocker ransomware operation thanks to the contents of a Cybersecurity and Infrastructure Security Agency (CISA) report released nearly a month ago, which highlighted the group’s methodology and provided indicators of compromise (IOCs) associated with the infrastructure leveraged by the group, such as email addresses, IP addresses, and TOR node addresses.
Analyst comments from Tanium’s Cyber Threat Intelligence Team
“Censys has shared its findings with the FBI and is currently working with the law enforcement agency to confirm whether the hosts were leveraged in attacks on a hospital and a library last year. The sharing of this type of information is especially commendable, as other organizations may be able to recognize these hosts or the patterns involved in Censys’ reporting and potentially thwart a larger attack if this discovery turns out to be part of precursor activity supporting a larger, future attack.”