SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: FBI warns of BlackByte ransomware resurgence
Description: The FBI and U.S. Secret Service released a warning early this week that the BlackByte ransomware gang had compromised multiple American and foreign businesses, including three attacks targeting U.S. critical infrastructure. The targets span several industries, including U.S. government facilities, financial services and food and agriculture. BlackByte is a ransomware-as-a-serivce group that sells its ransomware infrastructure to other threat actors. This malware emerged in July 2021, targeting the manufacturing, health care and construction sectors. The group went quiet several months ago when security researchers released a decryptor key for the ransomware, but this recent activity indicates the group is back.
References:
- https://techcrunch.com/2022/02/14/blackbyte-critical-infrastructure-ransomware/
- https://www.ic3.gov/Media/News/2022/220211.pdf
SNORT® SIDs: 58791 - 58794
Title: South Asian APTs sharing VBA code in wave of RAT infections
Description: Cisco Talos recently identified shared VBA code between multiple threat actors in South Asia that are deploying RATs to victims across the globe. The code reuse, which is easily visible to anyone inspecting the code, is confirmed by objective code similarity detection methods. This is also commonly seen with cyber threat actors, with known examples, such as the Olympic Destroyer campaign and it is likely to continue in the future. Code sharing between threat actors is to be expected. Open-source tools are a useful source of functionality and adopting techniques from successful attacks conducted by other groups are likely to be sources of misleading evidence leading to false attribution. We can expect sophisticated threat actors to continue to take advantage of code reuse and false flags, to integrate evidence designed to fool analysts and lead to attribution of their attacks to other groups.
References: https://blog.talosintelligence.com/2022/02/whats-with-shared-vba-code.html
SNORT® SIDs: 57551, 57562, 57842 – 57849