By Jon Munshaw.
The one big thing
Our researchers recently studied a trove of leaked chat logs between the Conti and Hive ransomware operators and their victims. From them, we learned more about how the groups choose their victims, how a triple-extortion attempt usually goes down and more about the inner workings of these actors. In our latest research paper, we run through these findings and provide a look into these chats so other security researchers and potential targets can be more prepared to fight these groups and spot their weaknesses.
Why do I care?
The chats we studied are entirely separate from the Conti leaks from earlier this year, so we continue to learn more about this group as time goes on. For starters, victims should take away from this research that if the plan is to pay the ransom, never take the actor’s first offer: they almost always reduce their asking price over time. We now know more about these groups’ negotiating tactics, which can be helpful for anyone who may be a future target or victim of these groups.
So now what?
Pretty much the same as always if the goal is to never be hit with one of these ransomware attacks. This is a reminder to all organizations to implement a strong patch management system and keep all systems up to date. Organizations should also perform general system hardening that includes removing services or protocols running on endpoints where they are unnecessary.
Other newsy nuggets
For many years, Russia was viewed as off-limits for cyber attacks over the risk of potential retaliation. But after the country’s invasion of Ukraine, the floodgates have opened to hacktivists and volunteers who are hitting the country’s networks at an unprecedented rate. Even some ransomware groups have gotten in on the action. Early in the invasion, Russia suffered a major setback when actors in Belarus disrupted the country’s railway system, which was still relying on Windows XP, slowing down Russia’s supply lines and potentially staving off an invasion of Kyiv, the country’s capital. (Washington Post, Wired, ComputerWorld)
Users can now opt-out of having their personal information appear in Google search results. The search engine recently loosened its policies on this opt-out. Previously, users had to show a threat of doxxing or other harm that could come to them should something like their phone number, address or email show up when you searched their name. Now, the company says people can ask for their information to be removed even if there is no clear risk. This is not a catch-all step to protecting your identity online, but it’s a solid start for anyone looking to be more privacy-conscious. (NPR, CNET)
A Chinese state-sponsored actor has been snooping on more than 30 major companies’ networks for more than two years to steal intellectual property. Security researchers say the APT41 threat actor used what they dubbed “Operation Cuckoo Bees” to steal trillions of dollars’ worth of everything from engineering blueprints to experimental diabetes treatments and solar panel designs. As of this week, the campaign is still ongoing. (SC Magazine, CBS News)
Can’t get enough Talos?
Upcoming events where you can find Talos
RSA 2022 (June 6 – 9, 2022)
San Francisco, California
Cisco Live U.S. (June 12 – 16, 2022)
Las Vegas, Nevada
Most prevalent malware files from Talos telemetry over the past week
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3
Typical Filename: DOC001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
MD5: 3e10a74a7613d1cae4b9749d7ec93515
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::1201
SHA 256: 1b94aaa71618d4ecba665130ae54ef38b17794157123675b24641dc85a379426
MD5: a841c3d335907ba5ec4c2e070be1df53
Typical Filename: chip 1-click installer.exe
Claimed Product: chip 1-click installer
Detection Name: Win.Trojan.Generic::ptp.cam
SHA 256: 7cfdf65b1f93bd600a4e7cadbcfeccc634d0c34b5b098740af1cf2afa7c64b97
MD5: 258e7698054fc8eaf934c7e03fc96e9e
Typical Filename: samsungfrp2021.exe
Claimed Product: N/A
Detection Name: W32.7CFDF65B1F-85.TPD2.RET.SBX.TG34
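The hash list above is only useful once it is matched against files on a host. The script below is an added example, not Talos code or tooling: it embeds the SHA256 and MD5 values published in the list above, hashes every file under a directory and reports any match by its detection name. A SHA256 match is the one to act on; the MD5 values are kept only because the list publishes them, and an MD5-only match is flagged as weaker evidence. The directory to scan is a command-line argument (defaults to the current directory) and is the caller's choice, not something the newsletter specifies.

```python
"""Match local files against the indicators listed in the newsletter above.

Added example, not Talos code: the SHA256 and MD5 values are copied from the
"Most prevalent malware files" list; nothing else here comes from the page.
"""
import hashlib
import os
import sys

# SHA256 -> detection name, copied from the list above.
SHA256_INDICATORS = {
    "e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934": "PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg",
    "59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa": "Win.Worm.Coinminer::1201",
    "5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1": "Win.Dropper.Coinminer::1201",
    "1b94aaa71618d4ecba665130ae54ef38b17794157123675b24641dc85a379426": "Win.Trojan.Generic::ptp.cam",
    "7cfdf65b1f93bd600a4e7cadbcfeccc634d0c34b5b098740af1cf2afa7c64b97": "W32.7CFDF65B1F-85.TPD2.RET.SBX.TG34",
}

# MD5 -> detection name, copied from the same list. MD5 is collision-prone,
# so a hit here is reported with a "weak" marker rather than treated as proof.
MD5_INDICATORS = {
    "93fefc3e88ffb78abb36365fa5cf857c": "PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg",
    "df11b3105df8d7c70e7b501e210e3cc3": "Win.Worm.Coinminer::1201",
    "3e10a74a7613d1cae4b9749d7ec93515": "Win.Dropper.Coinminer::1201",
    "a841c3d335907ba5ec4c2e070be1df53": "Win.Trojan.Generic::ptp.cam",
    "258e7698054fc8eaf934c7e03fc96e9e": "W32.7CFDF65B1F-85.TPD2.RET.SBX.TG34",
}


def file_digests(path, chunk_size=1 << 16):
    """Return (sha256_hex, md5_hex) of a file, hashing in chunks so large files fit in memory."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def match_file(path, sha256_ioc=SHA256_INDICATORS, md5_ioc=MD5_INDICATORS):
    """Return the detection name if the file's digest is a known indicator, else None.

    SHA256 is checked first; an MD5-only match is returned with a "(weak: MD5 only)"
    suffix so the caller can triage it differently.
    """
    sha, md5 = file_digests(path)
    if sha in sha256_ioc:
        return sha256_ioc[sha]
    if md5 in md5_ioc:
        return md5_ioc[md5] + " (weak: MD5 only)"
    return None


def scan_directory(root, sha256_ioc=SHA256_INDICATORS, md5_ioc=MD5_INDICATORS):
    """Walk `root` and return {path: detection_name} for every file that matches."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                detection = match_file(path, sha256_ioc, md5_ioc)
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the scan
            if detection:
                hits[path] = detection
    return hits


if __name__ == "__main__":
    # Directory to scan is the caller's choice (assumed argument); defaults to ".".
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, detection in scan_directory(target).items():
        print(f"{detection}\t{path}")
```

Run it as `python scan.py /path/to/inbox` on a quarantine or download directory. Hash matching only catches the exact files in the list, so treat it as a quick triage step beside endpoint detection, not a replacement for it.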