Cyber threats of the past 30 days as seen by Gatewatcher's CTI analysts
Highlight of the month
On September 21, the LockBit 3.0 builder was leaked. Last August, we reported on version 3 of this highly publicized ransomware, released last June. The leak is said to stem from a dispute between a former developer of the ransomware and the “management” of LockBit. While this is a severe blow to the malicious group, it is also a significant one for companies. Malicious operators as well as newcomers to the industry now have access to one of the most dangerous and sophisticated ransomware families of its kind: the generator makes it possible to quickly create an executable with a powerful encryptor from 4 files produced by a batch script (an encryption key generator, the builder, a configuration file, and the batch script itself).
The Bl00Dy group has already started using it, attacking a Ukrainian entity. Given the particularly rich configuration file of LockBit 3.0, which allows, among other things, the ransom note, the command & control server, and the processes and services to be stopped to be modified, it was only a matter of time before a group put it to use.
This is not the first time a ransomware developer has fallen victim to such a malicious disclosure, opportunistically exploited by competing players. In June 2021, this was the case with Babuk, a ransomware targeting Windows and VMware ESXi machines. Last March, the Conti group also had its source code leaked, and it was quickly exploited by the Russian hacker group NB65.
This leak does not appear to have slowed the group’s activity, as seen in the data exfiltration from the Corbeil-Essonnes hospital in France on September 23.
Definition of the month
Open Source INTelligence (OSINT) is the practice of collecting and analyzing publicly available data for intelligence purposes.
Since a good understanding of the actors and threats involved is an essential element in developing an effective attack or defense strategy, OSINT is now a key tool in the field of cyber security.
The sources of OSINT are mainly the media (television, newspapers…), the Internet (social networks, forums, the deep and dark web, blogs…), commercial data, grey literature (technical reports, pre-publications, patents…) and government data.
In this context, OSINT can be used to measure an organization’s exposure to risk, for instance during penetration tests. The aim is to evaluate how harmful the exposed data could be in the hands of an external attacker (who might, for example, resort to social engineering).
About the cyber threats barometer
Malware, zero-day vulnerabilities, advanced persistent threats, particularly targeted industries and sectors, weak signals of emerging attacks… It’s no secret that knowledge of one’s adversary is a key factor in the security of an enterprise. The Cyber Threats Barometer gives you a monthly overview of the cyber threats detected in the previous month by LastInfoSec, Gatewatcher’s Cyber Threat Intelligence (CTI) platform.
LastInfoSec’s automated collection, analysis and correlation engines are continuously fed by more than three thousand data sources from multiple channels: social networks, specialized sites, and the dark and deep web. They make threat information available an average of 24 hours ahead of the competition and help operational response teams make better decisions by dramatically reducing their analysis and incident handling times.