Cybersecurity experts have shed light on a new cybercrime group known as ShadowSyndicate (formerly Infra Storm) that may have leveraged as many as seven different ransomware families over the past year.
"ShadowSyndicate is a threat actor that works with various ransomware groups and affiliates of ransomware programs," Group-IB and Bridewell said in a new joint report.
The actor, active since July 16, 2022, has been linked to ransomware activity involving the Quantum, Nokoyawa, BlackCat, Royal, Cl0p, Cactus, and Play strains, while also deploying off-the-shelf post-exploitation tools like Cobalt Strike and Sliver as well as loaders such as IcedID and Matanbuchus.
The findings are based on a distinct SSH fingerprint (1ca4cbac895fc3bd12417b77fc6ed31d) discovered on 85 servers, 52 of which have been used as command-and-control (C2) for Cobalt Strike. Among those servers are eight different Cobalt Strike license keys (or watermarks).
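The pivot described above, clustering servers by a shared SSH host-key fingerprint, can be reproduced defensively against your own ssh-keyscan output. The following is an added example and not code from the Group-IB/Bridewell report; the host keys and IP addresses in it are constructed for the demo, and only the watchlist value is the fingerprint quoted in the article.

```python
import base64
import hashlib

# IoC quoted in the article: MD5 host-key fingerprint tied to ShadowSyndicate servers.
WATCHLIST = {"1ca4cbac895fc3bd12417b77fc6ed31d"}


def _fake_ed25519(seed: bytes) -> str:
    """Build a constructed ssh-ed25519 public key blob (length-prefixed type,
    length-prefixed 32-byte key). Demo data only; belongs to no real server."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + seed.ljust(32, b"\x00")[:32]
    return base64.b64encode(blob).decode()


KEY_A = _fake_ed25519(b"shared-c2-key")     # reused on two hosts below
KEY_B = _fake_ed25519(b"unrelated-host")

# Constructed ssh-keyscan output: "host keytype base64key" per line.
SAMPLE_KEYSCAN = f"""# constructed sample, documentation IP ranges
198.51.100.10 ssh-ed25519 {KEY_A}
203.0.113.7 ssh-ed25519 {KEY_A}
192.0.2.44 ssh-ed25519 {KEY_B}
"""


def md5_fingerprint(b64_key: str) -> str:
    """MD5 over the raw wire-format key, as 32 hex chars with no colons,
    the same shape as the fingerprint reported in the article."""
    return hashlib.md5(base64.b64decode(b64_key)).hexdigest()


def parse_keyscan(text: str):
    """Yield (host, keytype, b64key) from ssh-keyscan output, skipping comments."""
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        yield parts[0], parts[1], parts[2]


def hunt(keyscan_text: str, watchlist=WATCHLIST):
    """Return (hits, clusters): hits maps host -> fingerprint for watchlisted keys;
    clusters maps fingerprint -> [hosts], so a key shared across hosts stands out."""
    hits, clusters = {}, {}
    for host, _ktype, key in parse_keyscan(keyscan_text):
        fp = md5_fingerprint(key)
        clusters.setdefault(fp, []).append(host)
        if fp in watchlist:
            hits[host] = fp
    return hits, clusters
```

A host key that appears on many unrelated IPs is itself worth investigating even when it matches no published indicator, since a legitimate fleet rarely shares one SSH host key across hosting providers and countries.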
A majority of the servers (23) are located in Panama, followed by Cyprus (11), Russia (9), Seychelles (8), Costa Rica (7), Czechia (7), Belize (6), Bulgaria (3), Honduras (3), and the Netherlands (3).
Group-IB said it also found additional infrastructure overlaps that connect ShadowSyndicate to TrickBot, Ryuk/Conti, FIN7, and TrueBot malware operations.
"Out of the 149 IP addresses that we linked to Cl0p ransomware affiliates, we have seen, since August 2022, 12 IP addresses from 4 different clusters changed ownership to ShadowSyndicate, which suggests that there is some potential sharing of infrastructure between these groups," the companies said.
The disclosure comes as the German law enforcement authorities announced a second targeted strike against actors associated with the DoppelPaymer ransomware group, some of whom were targeted earlier this March, executing search warrants against two suspects in Germany and Ukraine.
The individuals, a 44-year-old Ukrainian and a 45-year-old German national, are alleged to have held key responsibilities within the network and received illicit proceeds from the ransomware attacks. Their names were not disclosed.
The development also follows a joint advisory issued by the U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) about a double extortion actor called Snatch (formerly Team Truniger) that has targeted a wide range of critical infrastructure sectors since mid-2021.
"Snatch threat actors employ several different methods to gain access to and maintain persistence on a victim's network," the agencies said, calling out their consistent evolution of tactics and the ability of the malware to evade detection by rebooting Windows systems into Safe Mode.
"Snatch affiliates primarily rely on exploiting weaknesses in Remote Desktop Protocol (RDP) for brute-forcing and gaining administrator credentials to victims' networks. In some instances, Snatch affiliates have sought out compromised credentials from criminal forums/marketplaces."
The U.S. Department of Homeland Security (DHS), in its latest Homeland Threat Assessment report, noted that ransomware groups are continuously developing new methods to improve their ability to financially extort victims, making 2023 the second most profitable year after 2021.
"These groups have increased their use of multilevel extortion, in which they encrypt and exfiltrate their targets' data and typically threaten to publicly release stolen data, use DDoS attacks, or harass the victim's customers to coerce the victim to pay," the DHS report said.
Akira is a case in point. Since emerging as a Windows-based threat in March 2023, the ransomware has expanded its reach to Linux servers and VMware ESXi virtual machines, underscoring its ability to quickly adapt to trends. As of mid-September, the group has successfully hit 110 victims in the U.S. and the U.K.
The resurgence of ransomware attacks has also been accompanied by a spike in cyber insurance claims, with overall claims frequency increasing 12% in the first half of the year in the U.S. and victims reporting an average loss amount of more than $365,000, a 61% jump from the second half of 2022.
"Businesses with more than $100 million in revenue saw the largest increase in frequency, and while other revenue bands were more stable, they also faced surges in claims," cyber insurance firm Coalition said.
The constant flux in the threat landscape is best exemplified by BlackCat, Cl0p, and LockBit, which have remained some of the most prolific and evolutionary ransomware families in recent months, primarily targeting small and large enterprises spanning banking, retail, and transportation sectors. The number of active RaaS and RaaS-related groups has grown in 2023 by 11.3%, rising from 39 to 45.
A report from eSentire last week detailed two LockBit attacks in which the e-crime group was observed leveraging the victim companies' internet-exposed remote monitoring and management (RMM) tools (or their own) to spread the ransomware across the IT environment or push it to their downstream customers.
The reliance on such living-off-the-land (LotL) techniques is an attempt to avoid detection and confuse attribution efforts by blending malicious and legitimate use of IT management tools, the Canadian company said.
In another instance of a BlackCat attack highlighted by Sophos this month, the attackers were seen encrypting Microsoft Azure Storage accounts after gaining access to an unnamed customer's Azure portal.
"During the intrusion, the threat actors were observed leveraging various RMM tools (AnyDesk, Splashtop, and Atera), and using Chrome to access the target's installed LastPass vault via the browser extension, where they obtained the OTP for accessing the target's Sophos Central account, which is used by customers to manage their Sophos products," the company said.
"The adversary then modified security policies and disabled Tamper Protection within Central before encrypting the customer's systems and remote Azure Storage accounts via ransomware executable with the extension .zk09cvt."