Cyber threats of the past 30 days as seen by Gatewatcher's CTI analysts
Identified Indicators of Compromise (IOCs)
Identified compromise reports
Highlight of the month
This month we focus on LockBit, one of the most dangerous ransomware families.
Known worldwide for the speed of its attacks, LockBit has a unique ability to self-propagate inside a compromised network. This self-propagation is coupled with the ability to run different stages of the attack at the same time.
LockBit is a Ransomware-as-a-Service (RaaS), which means that it can be bought or rented on the dark web. Profits from a successful attack are shared between the developers and their affiliates. Ransomware is usually the final phase of a cyberattack, deployed once the attacker has compromised the system and gained a foothold in the company. LockBit entered the scene in September 2019 under the initial name ABCD, as it encrypted files and renamed their extension to “.abcd”. It then changed the extension to “.lockbit”, which is now generated at runtime.
It is also an example of “dual threat” ransomware: not only does it threaten to delete confidential files if the victim does not pay the ransom, it also threatens to publish them on the dark web. LockBit is now demanding a ransom of about $40,000 per organization on average. It has targeted leading companies around the world, in the US, Europe, India and China but, interestingly, never in Russia.
In March 2022, less than a year after LockBit 2.0 emerged, researchers and threat hunters observed waves of a new variant they called LockBit 3.0, aka “LockBit Black”. Researchers noted that parts of LockBit 3.0’s code appear to be borrowed from the BlackMatter ransomware, hence the LockBit Black nickname. The ransomware was back in the news at the end of June this year, as its authors launched a “bug bounty” program with rewards ranging from $1,000 to $1 million (USD) for finding flaws and weaknesses in its portfolio. This new iteration puts LockBit at the forefront of the ransomware landscape and also speaks to the growing use and increasing sophistication of the ransomware-as-a-service (RaaS) model.
Common Vulnerabilities & Exposures
Definition of the month
Command & Control, also abbreviated “C2” or “C&C”, is the process cybercriminals use to maintain communications with infected systems inside a target network.
Once the malware has been introduced into the network, the compromised machine sends a signal to the attacker’s server asking for its next instruction. The infected computer executes the commands received from the C2 server and can install additional software. Establishing a command and control link is often the primary goal of malware: the attacker, who then has full control over the victim’s computer, can execute arbitrary code, which usually includes spreading to other computers and building a network of infected machines (a botnet) that will themselves communicate with the Command & Control server.
Attackers typically attempt to mimic normal, expected traffic in order to blend in and avoid detection. There are many ways for a cybercriminal to establish a command and control channel; 16 techniques are listed under the Command and Control tactic of the MITRE ATT&CK framework (which we covered in May). Among the most common C2 tools we can mention Cobalt Strike. Intended for pentesting teams, it provides the ability to emulate post-exploitation actions, such as deploying beacons (implants) that call back to C2 servers.
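Because implants call back to their C2 server on a schedule, one defensive check is to look for near-periodic connections from a host to a single destination. The following script is an added illustration, not code from Gatewatcher or LastInfoSec; the proxy log format, the sample lines and the thresholds are constructed assumptions.

```python
# Added example (not from the Gatewatcher page): flag C2-style beaconing in
# constructed proxy log lines by looking for near-periodic connections from
# one host to one destination. Thresholds are assumptions for illustration.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<ISO timestamp> <src_ip> <dst_host> <bytes>"
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 cdn.example.net 1200
2024-05-01T09:00:02 10.0.0.5 updates.example.org 300
2024-05-01T09:01:00 10.0.0.5 cdn.example.net 1180
2024-05-01T09:02:01 10.0.0.5 cdn.example.net 1210
2024-05-01T09:02:40 10.0.0.5 updates.example.org 9000
2024-05-01T09:03:00 10.0.0.5 cdn.example.net 1195
2024-05-01T09:04:00 10.0.0.5 cdn.example.net 1205
2024-05-01T09:05:01 10.0.0.5 cdn.example.net 1190
2024-05-01T09:17:12 10.0.0.5 updates.example.org 450
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    conns = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _size = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns

def find_beacons(conns, min_hits=5, max_jitter=0.15):
    """Return (pair, mean period, jitter) for pairs whose gaps are nearly constant.
    Jitter is the standard deviation of the gaps divided by their mean; real
    implants often add a small random sleep, so the threshold is tolerant.
    min_hits and max_jitter are assumed values, tune them per environment."""
    beacons = []
    for pair, times in conns.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            beacons.append((pair, round(avg, 1), round(jitter, 3)))
    return beacons

if __name__ == "__main__":
    for (src, dst), period, jitter in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every ~{period}s (jitter {jitter})")
```

On the constructed sample the regular one-minute calls to cdn.example.net are flagged while the irregular traffic to updates.example.org is not; on real data the flagged pair still needs an analyst to confirm it is not a legitimate scheduled check-in.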
About the cyber threats barometer
Malware, zero-day vulnerabilities, advanced persistent threats, industries and sectors particularly targeted, weak signals of emerging attacks… It’s no secret that knowledge of one’s adversary is a key factor in the security of an enterprise. The Cyber Threats Barometer gives you a monthly overview of the cyber threats detected in the previous month by LastInfoSec, Gatewatcher’s Cyber Threat Intelligence (CTI) platform.
LastInfoSec’s automated collection, analysis and correlation engines are continuously fed by more than three thousand data sources from multiple channels: social networks, specialized sites, and the dark and deep web. They make threat information available an average of 24 hours ahead of the competition and help operational response teams make better decisions by dramatically reducing their analysis and incident handling times.