SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Campaign involving SolarWinds could extend to other software
Description: U.S. officials say a suspected state-sponsored attack on U.S. government agencies and companies may have further-reaching consequences than just SolarWinds products. A new report states that the attackers linked to the SolarWinds breach may have exploited other vulnerabilities to gain an initial foothold on victims' networks other than the ones already disclosed in SolarWinds products. The effects of this campaign are potentially staggering, and officials and security researchers are still unpacking the attack. Victims reportedly include government agencies and consulting, technology, telecom, and oil and gas companies in North America, Europe, Asia and the Middle East, according to FireEye. Several reports also indicate that the U.S. Treasury and Commerce departments were also targeted in what is likely related to the same activity.
References: https://www.wsj.com/articles/suspected-russian-hack-extends-far-beyond-solarwinds-software-investigators-say-11611921601 (paywall)
Snort SIDs: 56660 - 56668
AMP: Trojan.Sunburst.[A-Z], Trojan.Teardrop.[A-Z]
ClamAV: Win.Countermeasure.Sunburst-9816012-0, Win.Countermeasure.Sunburst-9809153-0, Win.Countermeasure.Sunburst-9816013-0, Win.Countermeasure.Sunburst-9809152-0, Win.Dropper.Teardrop-9808996-3, PUA.Tool.Countermeasure.DropperRaw64TEARDROP-9808998-0
Title: LockBit ransomware operator provides insight into targets, vulnerabilities exploited
Description: Cisco Talos recently spent several weeks speaking to an operator associated with the LockBit ransomware. The actor's TTPs they disclose are yet another reminder for all organizations to remain vigilant about these seemingly unsophisticated, common cybercriminals who, despite their straightforward approach to targeting and operations, continue to be highly successful in compromising companies and wreaking havoc on unsuspecting victims. Other findings include that many cybercriminals rely almost exclusively on common open-source tools that are readily available on the internet and easy to use and they rely solely on victims who have unpatched environments.
Reference: https://blog.talosintelligence.com/2021/02/interview-with-lockbit-ransomware.html
Snort SIDs: 54910-54917