SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Kaseya supply chain attack affecting hundreds of companies
Description: Attackers are actively exploiting the Kaseya VSA endpoint monitoring software to conduct a widespread supply chain attack targeting a number of Managed Service Providers (MSPs), according to multiple reports. Organizations usually use Kaseya VSA to perform centralized orchestration of systems in customer environments. Attackers first infected victims via a malicious automatic update to the software, eventually delivering the REvil/Sodinokibi ransomware. Once active in victim environments, the ransomware encrypts the contents of systems on the network, causing widespread operational disruptions to a variety of organizations that use this software. REvil operates using a ransomware-as-a-service (RaaS) model, with affiliates leveraging a variety of tactics, techniques and procedures (TTPs) to infect victims and coerce them into paying to regain access to systems and data that are affected by the ransomware. In many cases, backup servers are also targeted during network-based ransomware attacks highlighting the importance of a regularly tested offline backup and recovery strategy. A text-based README is written into various directories on the system and functions as a ransom note.
Cisco Secure Endpoint signatures: Gen:Variant.Graftor.952042, W32.D55F983C99-100.SBX.TG, W32.File.MalParent, W32.RetroDetected
ClamAV signatures: Win.Dropper.REvil-9875493-0, Win.Ransomware.REvil-9875494-0
Cloud IOCs: W32.PingPredicatedDel.ioc, W32.DisableRealtimeMonitoring.ioc, W32.CertutilDecodedExecutableFile.ioc, W32.CertUtilCopy.ioc
Snort SID: 57879
Title: Babuk ransomware code leaks into the wild
Description: A threat actor is using leaked code from the Babuk ransomware to carry out its own attacks. Security researchers discovered last week that Babuk’s ransomware builder tool was uploaded to VirusTotal. Any threat actor could take the code and modify the enclosed ransom note to include their own contact information, and then run the build executable to create customized ransomware encryptors and decryptors that target Windows, VMware ESXi, Network Attached Storage (NAS) x86, and NAS ARM devices. This new actor intentionally misspells Babuk in its ransom note, and only requests $210 for its ransom payment, versus Babuk’s usual millions. Babuk was most recently known for targeting the Washington, D.C. police department.