EclecticIQ
nav-solutions

Learn how EclecticIQ can help you address your specific challenges – by team and by need – and improve your overall security posture.

Solutions overview

Our Ecosystem

An ecosystem supporting our customers' intelligence-led proactive cybersecurity needs with collaborative partner programs delivering world-class joint solutions. 

Partner Program

Partner with EclecticIQ to bring valuable and innovative security solutions and services to end users. Open to all partner types, including technology developers, service providers, resellers, and community.

Our Partnerships

We partner with the world's premier technology and solution providers to support all phases of your cybersecurity needs. Explore all our partners' solutions and offerings to build and extend your cyber defense ecosystem.

EclecticIQ Resources

We are committed to increasing the knowledge and capabilities of the cybersecurity community through our research & analysis efforts and open source projects.

Browse Resources

Learn more about our technology, solutions and services, and stay updated on the cyber threat landscape with our research reports, webinars and other information.

Open Source Projects

We are proud to be an active member in the open source community and to help develop and advance progress of security technology. Learn more about contributions or go directly to our GitHub page.

nav-solutions

Learn how EclecticIQ can help you address your specific challenges – by team and by need – and improve your overall security posture.

Solutions overview

Our Ecosystem

An ecosystem supporting our customers' intelligence-led proactive cybersecurity needs with collaborative partner programs delivering world-class joint solutions. 

Partner Program

Partner with EclecticIQ to bring valuable and innovative security solutions and services to end users. Open to all partner types, including technology developers, service providers, resellers, and community.

Our Partnerships

We partner with the world's premier technology and solution providers to support all phases of your cybersecurity needs. Explore all our partners' solutions and offerings to build and extend your cyber defense ecosystem.

EclecticIQ Resources

We are committed to increasing the knowledge and capabilities of the cybersecurity community through our research & analysis efforts and open source projects.

Browse Resources

Learn more about our technology, solutions and services, and stay updated on the cyber threat landscape with our research reports, webinars and other information.

Open Source Projects

We are proud to be an active member in the open source community and to help develop and advance progress of security technology. Learn more about contributions or go directly to our GitHub page.

nav-solutions

Learn how EclecticIQ can help you address your specific challenges – by team and by need – and improve your overall security posture.

Solutions overview

Our Ecosystem

An ecosystem supporting our customers' intelligence-led proactive cybersecurity needs with collaborative partner programs delivering world-class joint solutions. 

Partner Program

Partner with EclecticIQ to bring valuable and innovative security solutions and services to end users. Open to all partner types, including technology developers, service providers, resellers, and community.

Our Partnerships

We partner with the world's premier technology and solution providers to support all phases of your cybersecurity needs. Explore all our partners' solutions and offerings to build and extend your cyber defense ecosystem.

EclecticIQ Resources

We are committed to increasing the knowledge and capabilities of the cybersecurity community through our research & analysis efforts and open source projects.

Browse Resources

Learn more about our technology, solutions and services, and stay updated on the cyber threat landscape with our research reports, webinars and other information.

Open Source Projects

We are proud to be an active member in the open source community and to help develop and advance progress of security technology. Learn more about contributions or go directly to our GitHub page.

nav-solutions

Learn how EclecticIQ can help you address your specific challenges – by team and by need – and improve your overall security posture.

Solutions overview

Our Ecosystem

An ecosystem supporting our customers' intelligence-led proactive cybersecurity needs with collaborative partner programs delivering world-class joint solutions. 

Partner Program

Partner with EclecticIQ to bring valuable and innovative security solutions and services to end users. Open to all partner types, including technology developers, service providers, resellers, and community.

Our Partnerships

We partner with the world's premier technology and solution providers to support all phases of your cybersecurity needs. Explore all our partners' solutions and offerings to build and extend your cyber defense ecosystem.

EclecticIQ Resources

We are committed to increasing the knowledge and capabilities of the cybersecurity community through our research & analysis efforts and open source projects.

Browse Resources

Learn more about our technology, solutions and services, and stay updated on the cyber threat landscape with our research reports, webinars and other information.

Open Source Projects

We are proud to be an active member in the open source community and to help develop and advance progress of security technology. Learn more about contributions or go directly to our GitHub page.

Ransom Demands Hit a New Monetary Milestone

EclecticIQ Threat Research Team July 14, 2021

week-28-banner-biweekly

Summary of Findings

    • Marking the largest ransom demand to date, REvil asks for $70 million in Bitcoin from Kaseya to provide a decryptor tool following its widespread supply-chain attack.
    • Pacific Market Research, a contractor for Washington State’s Department of Labor & Industries, is hit by a ransomware attack, potentially compromising data of more than 16,000 employees.
    • The criminal group TA551 is using maldocs to deliver Trickbot as an initial stager for DarkVNC and Cobalt Strike.
    • The new ransomware variant Diavol shares similarities with Conti ransomware, suggesting possible links to the criminal group Wizard Spider.
    • Microsoft releases a patch for the so-called “PrintNightmare” vulnerability in Windows Print Spooler, but it does not fix local privilege escalation functionality.

REvil Hits Kaseya and its Customers in Major Supply-chain Attack

On July 2, 2021, REvil (Sodinokibi) carried out a supply-chain ransomware attack against Kaseya, a supplier of cloud-based remote monitoring and management (RMM) software to managed service providers (MSPs) [1]. The attack on the highly connected company encrypted data from MSPs that use Kaseya VSA and their end customers. The $70 million USD ransom demanded by REvil is the largest to date [2]. The previous milestone was $40 million paid by CNA Financial. If successful in getting such a large ransom amount, REvil may become even bolder in its future demands – and other criminal actors may follow suit.

Contractor Serving Washington State Suffers Ransomware Attack

On May 22, Pacific Market Research (PMR), a contractor for Washington State’s Department of Labor & Industries (L&I), was the victim of a ransomware attack [3]. An unauthorized third party accessed PMR’s system and encrypted its data, affecting at least one L&I file that listed contact information, claims numbers, and birthdates for 16,466 workers. The document did not contain medical information, Social Security numbers, bank details, or other personal information. PMR does not believe the L&I document was accessed or taken in the incident but cannot confirm this. PMR restored the affected file server through backups and reported the incident to law enforcement [4].

TA551 Shifts Payloads to Trickbot, DarkVNC, and Cobalt Strike

The financially motivated criminal group TA551 is distributing TrickBot through maldocs to install DarkVNC and Cobalt Strike [5]. DarkVNC is a remote access tool that gives a threat actor persistence on the target system [6]. Cobalt Strike is a commercially available post-exploitation tool often used by malicious actors for attacks [7]. TA551 historically pushed IcedID, Ursnif, and Valak through maldocs [8]. The group’s use of TrickBot, DarkVNC, and Cobalt Strike represents an aggressive shift in second- and third-stage payloads, with the likely aim of increasing post-exploitation activity on the system.

New Ransomware Diavol Shares Similarities with Conti

A sample of the new ransomware variant Diavol was discovered during a targeted attack that also deployed Conti (v3). Diavol shares nearly identical command-line parameters with Conti, and they are used for the same functions. They operate similarly with asynchronous input/output operations when queuing file paths for encryption. Diavol’s functionality overlap with Conti could suggest links to the cybercriminal group Wizard Spider [9]. Wizard Spider is an established Russia-based group that operates TrickBot banking malware and has evolved its toolset to include Ryuk, Conti, and BazarLoader [10]. The Diavol ransom note also shows a potential link to Egregor ransomware, but this could be a plant.

PrintNightmare Vulnerability Receives Critical Security Update

A security update for Microsoft’s PrintNightmare vulnerability CVE-2021-34527 was released on July 6, 2021 [11]. CVE-2021-34527 is a remote code execution vulnerability within the Windows Print Spooler service that allows unauthorized actors to perform privileged file operations. All versions of Windows are affected. The security update fixes the remote vector, but researchers found that local privilege escalation still functions, even with the update [12]. Defenders can refer to CERT/CCVulnerability Note VU#383432 [13] for a workaround for the local privilege escalation vulnerability.

References

1. https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021

2. https://www.bloomberg.com/news/articles/2021-05-20/cna-financial-paid-40-million-in-ransom-after-march-cyberattack

3. https://content.govdelivery.com/accounts/WADLI/bulletins/2e66ced

4. https://www.theolympian.com/news/state/washington/article252532918.html

5. https://www.malware-traffic-analysis.net/2021/06/30/index.html

6. https://reaqta.com/2017/11/short-journey-darkvnc/

7. https://redcanary.com/threat-detection-report/threats/cobalt-strike/

8. https://attack.mitre.org/groups/G0127/

9. https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider

10.https://www.crowdstrike.com/blog/wizard-spider-adversary-update/

11.https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

12. https://twitter.com/hackerfantastic/status/1412529895788486657?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1412529895788486657%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fmicrosoft%2Fmicrosofts-incomplete-printnightmare-patch-fails-to-fix-vulnerability%2F

13. https://www.kb.cert.org/vuls/id/383432

 

Receive all our latest updates

Subscribe to receive the latest EclecticIQ news, event invites, and Threat Intelligence blog posts.

3 more posts you might like

All Blog Posts (121)

Explore all topics

© 2014 – 2021 EclecticIQ B.V.
EclecticIQ. Intelligence, Hunting, Response.
Get demo