EclecticIQ
Longtime Threat Actor Group REvil May be Returning to the Cyber Fight

This issue of The Analyst Prompt examines a possible REvil comeback, a recently disclosed “critical” vulnerability in F5 software, and a dubious milestone in the history of malware—the permanent closure of a victim organization, in part, due to the impact of ransomware.

EclecticIQ Threat Research Team May 18, 2022


Threat Actor Update: Newly Seen Variant Indicates a Possible REvil Comeback

On April 29, researchers from Avast blocked a ransomware sample in the wild which bears hallmarks of the Russia-based ransomware group REvil. (1) Also in April, REvil’s TOR network infrastructure was brought back online. REvil’s previously used TOR domain redirects users to sites with new domain names. These sites allegedly contained information on previous REvil victims, as well as new victims. (2) According to one article, a sample of the variant is compiled from REvil’s source code. The sample also leaves a ransom note identical to REvil’s previous notes. (3)

Over the past year, members of REvil garnered international press after successes and setbacks. REvil carried out a successful attack against Kaseya (6), then went offline, allegedly to avoid unwanted attention. (7) The group’s members were arrested and its infrastructure was taken offline in late 2021 as a result of an international law enforcement action. (4, 5) Despite this public success against the group, there were no indications that all REvil members were arrested, nor were there any subsequent announcements that the group had ceased operations permanently. It is most likely that REvil members who remained at large throughout the winter and spring 2021 chose this moment to resume operations. The deterioration of Russian relations with the West since February almost certainly guarantees that Moscow will not succumb to international pressure to act against REvil (or other Russia-based cyber threat actors), giving the group more freedom to restart cyberattacks.

Exploit Tools and Targets: F5 Announces Critical Vulnerability; Security Researchers Develop Trivial Exploit

Software company F5 disclosed in a security advisory last week a vulnerability, now tracked as CVE-2022-1388, which has a “critical” severity score of 9.8/10. (8, 9) The vulnerability allows attackers to bypass iControl REST authentication protocols and “execute arbitrary system commands, create or delete files, or disable services.” As of mid-May, social media posts indicated hackers were able to run commands using this exploit without authentication. (15) Versions 11 to 16 of the BIG-IP software are vulnerable to this CVE. (10) Very shortly after disclosure, security researchers were able to create exploits targeting this vulnerability. (11)

EclecticIQ analysts assess that vulnerabilities such as this one (critical severity but easy to exploit) are likely to be exploited almost immediately by threat actors looking to gain remote access to private networks. So far, it is unclear how widespread the vulnerability is, but F5 claims BIG-IP software is used by 48 of the Fortune 50 companies, including banks, telecom providers and government entities. (16) This exploit is judged trivial to execute, so experts urge BIG-IP administrators to install patches immediately, or, for legacy versions of the software not covered by the fix (versions 11 and 12), to upgrade to a supported version. Details can be found on F5’s CVE-2022-1388 webpage. (10)

New and Noteworthy: U.S. College Cites Ransomware Costs for Permanent Closure

Lincoln College (in Illinois, USA) recently announced it would permanently shut its doors due to the college’s financial duress. In an explanation on its website, the college cited low enrollment due to Covid-19 and the costs and business delays associated with a ransomware attack last December. According to the note, the college’s recruitment and fundraising systems were inoperable until March as a direct result of the ransomware attack, which left the university unable to perform key administrative functions needed to assess the college’s overall wellbeing in a timely manner. (12)

This is probably not the first organization to shutter operations entirely after a ransomware attack, and it is unlikely to be the last. It is likely that the ransomware attack was not the sole factor in the decision to close. However, this attack underscores that organizations urgently need to have strong defense and response plans for worst-case cyberattacks. Sophos’ “State of Ransomware 2021” report, published in April 2021, noted that while the number of ransomware attacks declined from the year prior, the amount paid per ransom more than doubled in a 12-month period. In addition, only a small minority (8%) of organizations that paid a ransom received all their data back. (13) In its education-specific report, Sophos reports the total cost of ransomware recovery to an educational institution was $2.73 million, the highest cost borne across all business sectors measured. (14) EclecticIQ analysts assess the best defense is one which mandates backing up data regularly to a secure alternate location, implementing backup plans and testing the plans by running cyberattack drills. The costs of preparing for and operating under the assumption that ‘it will happen to us, we just don’t know when’ are very likely to be less than post-attack recovery, considering ransom payment, network reconstruction and recovery, and lost production time.
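The paragraph above recommends regular backups to a secure alternate location and drills that test them. One concrete piece of such a drill is an integrity and freshness check: a manifest of file hashes taken when the backup was made, kept outside the backup location, against which the backup is verified before anyone relies on it. The following is an added example, not EclecticIQ code or anything from the Lincoln College incident; the file names, contents, the 24-hour freshness window and the manifest format are all constructed for illustration.

```python
"""Backup integrity and freshness drill (added example, not from the original post).

verify_backup() checks a backup directory against a manifest of SHA-256 hashes and
reports missing, altered and unexpected files, plus whether the backup is older than
an assumed recovery-point window. run_drill() builds a constructed backup set in a
temporary directory and exercises the two failure modes a drill should catch:
a file overwritten after the backup was taken, and a backup that has gone stale.
"""
import hashlib
import json
import os
import tempfile
import time


def sha256_file(path):
    """Hash a file in chunks so large backup archives do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(backup_dir, manifest_path):
    """Record a hash for every file in the backup set. The manifest must live
    somewhere the backup host cannot write to (e.g. immutable or offline storage);
    a manifest stored next to the backup can simply be regenerated by an intruder."""
    files = {}
    for name in sorted(os.listdir(backup_dir)):
        path = os.path.join(backup_dir, name)
        if os.path.isfile(path):
            files[name] = sha256_file(path)
    manifest = {"created": time.time(), "files": files}
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh)
    return manifest


def verify_backup(backup_dir, manifest_path, max_age_seconds, now=None):
    """Compare the backup directory with the manifest and return a report dict."""
    now = time.time() if now is None else now
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    expected = manifest["files"]
    present = {n for n in os.listdir(backup_dir)
               if os.path.isfile(os.path.join(backup_dir, n))}
    missing = sorted(set(expected) - present)
    extra = sorted(present - set(expected))          # files nobody backed up on purpose
    modified = sorted(n for n in expected if n in present
                      and sha256_file(os.path.join(backup_dir, n)) != expected[n])
    stale = (now - manifest["created"]) > max_age_seconds
    return {
        "missing": missing,
        "modified": modified,
        "extra": extra,
        "stale": stale,
        "ok": not (missing or modified or stale),
    }


def run_drill(max_age_seconds=24 * 3600):
    """Constructed drill: clean check, then a tampered file, then a stale backup."""
    with tempfile.TemporaryDirectory() as workdir:
        backup = os.path.join(workdir, "backup")
        os.mkdir(backup)
        # Constructed sample files standing in for the systems the article mentions.
        for name, data in {"recruitment.db": b"applicants...", "fundraising.csv": b"donors..."}.items():
            with open(os.path.join(backup, name), "wb") as fh:
                fh.write(data)
        manifest_path = os.path.join(workdir, "manifest.json")  # kept outside the backup dir
        manifest = write_manifest(backup, manifest_path)
        taken = manifest["created"]

        clean = verify_backup(backup, manifest_path, max_age_seconds, now=taken + 3600)

        # Simulate a file in the backup location being overwritten after the backup was taken.
        with open(os.path.join(backup, "fundraising.csv"), "wb") as fh:
            fh.write(b"overwritten")
        tampered = verify_backup(backup, manifest_path, max_age_seconds, now=taken + 3600)

        # Simulate the same backup being checked eight days later.
        stale = verify_backup(backup, manifest_path, max_age_seconds, now=taken + 8 * 86400)
        return clean, tampered, stale


if __name__ == "__main__":
    for label, report in zip(("clean", "tampered", "stale"), run_drill()):
        print(label, json.dumps(report))
```

The check is deliberately independent of the backup software: a restore drill that only confirms "the job ran" misses exactly the case the article describes, where systems stayed inoperable for months. Asserting on content hashes against an out-of-band manifest catches silent corruption or encryption of the backup copies, and the age check turns the recovery-point objective into something the drill actually measures.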

You might also be interested in:

REvil and Darkside Successor Launches Operations as United States Establishes Joint Cyber Defense Collaborative

An Accelerating Ransomware Threat Needs a Strong Cyber Defense

Countering the Ransomware Threat When There Is No Silver Bullet

Appendix

  1. https://twitter.com/JakubKroustek/status/1520135975262957568
  2. https://www.itpro.com/security/ransomware/367455/revil-ransomware-groups-infrastructure-comes-back-online-hinting-at
  3. https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new-malware-sample-confirms-gang-is-back/
  4. https://www.washingtonpost.com/national-security/cyber-command-revil-ransomware/2021/11/03/528e03e6-3517-11ec-9bc4-86107e7b0ab1_story.html
  5. https://www.europol.europa.eu/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged
  6. https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/
  7. https://www.france24.com/en/americas/20210714-ransomware-gang-revil-s-websites-go-offline-sparking-speculation
  8. https://support.f5.com/csp/article/K55879220
  9. https://nvd.nist.gov/vuln/detail/CVE-2022-1388
  10. https://support.f5.com/csp/article/K23605346
  11. https://www.bleepingcomputer.com/news/security/exploits-created-for-critical-f5-big-ip-flaw-install-patch-immediately/
  12. https://lincolncollege.edu/
  13. https://www.sophos.com/en-us/press-office/press-releases/2021/04/ransomware-recovery-cost-reaches-nearly-dollar-2-million-more-than-doubling-in-a-year
  14. https://assets.sophos.com/X24WTUEQ/at/g523b3nmgcfk5r5hc5sns6q/sophos-state-of-ransomware-in-education-2021-wp.pdf
  15. https://arstechnica.com/information-technology/2022/05/hackers-are-actively-exploiting-big-ip-vulnerability-with-a-9-8-severity-rating/
  16. https://www.darkreading.com/dr-tech/how-to-check-if-your-f5-big-ip-device-is-vulnerable
  17. https://www.bleepingcomputer.com/news/security/cisa-tells-federal-agencies-to-fix-actively-exploited-f5-big-ip-bug/ 

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.

TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery

You may also download the content as eiq_json, stix1_2, stix2_1.

Please refer to our support page for guidance on how to access the feeds.
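To consume the collection through the TAXII v1 discovery service listed above, a client sends a TAXII 1.1 Discovery_Request and receives a Discovery_Response listing the other services (collection management, poll) and their addresses. The following is an added example that is not part of the original post and not EclecticIQ's client code: it builds the request, parses a constructed response, and keeps only service instances that are available, served over HTTPS and on the host you expected to talk to. The response XML, its message IDs and the host name taxii.example.com are constructed placeholders; no network call is made.

```python
"""TAXII 1.1 Discovery exchange (added example, not from the original post).

build_discovery_request() produces the XML body a client POSTs to the discovery URL,
together with the TAXII 1.1 HTTP headers in TAXII_11_HEADERS. parse_discovery_response()
reads the server's Discovery_Response, and usable_services() applies the checks a
consumer should make before following any address a discovery response hands back.
"""
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

TAXII_11_NS = "http://taxii.mitre.org/messages/xml/1.1"
ET.register_namespace("taxii_11", TAXII_11_NS)

# Headers defined by the TAXII 1.1 HTTP binding; sent with every request body.
TAXII_11_HEADERS = {
    "Content-Type": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}


def _tag(name):
    return "{%s}%s" % (TAXII_11_NS, name)


def build_discovery_request(message_id=None):
    """Client side of the exchange: an empty Discovery_Request carrying a message_id
    that the server must echo back in in_response_to."""
    message_id = message_id or str(uuid.uuid4())
    root = ET.Element(_tag("Discovery_Request"), {"message_id": message_id})
    return ET.tostring(root, encoding="unicode")


def parse_discovery_response(xml_text):
    """Server side of the exchange, parsed into plain dicts.

    ElementTree does not fetch external entities, but for feeds you do not fully
    trust, defusedxml is the safer parser choice."""
    root = ET.fromstring(xml_text)
    if root.tag != _tag("Discovery_Response"):
        raise ValueError("expected a TAXII 1.1 Discovery_Response, got %s" % root.tag)
    services = []
    for inst in root.findall(_tag("Service_Instance")):
        services.append({
            "type": inst.get("service_type"),
            "available": inst.get("available", "true").lower() == "true",
            "protocol": inst.findtext(_tag("Protocol_Binding")),
            "address": inst.findtext(_tag("Address")),
            "message_bindings": [m.text for m in inst.findall(_tag("Message_Binding"))],
        })
    return {"in_response_to": root.get("in_response_to"), "services": services}


def usable_services(parsed, expected_host, request_message_id=None):
    """Keep only services that answer our request, are available, and point at an
    HTTPS address on the host we set out to talk to. A discovery response is
    server-controlled input: never follow an address in it blindly."""
    if request_message_id is not None and parsed["in_response_to"] != request_message_id:
        raise ValueError("response does not correspond to our request")
    kept = []
    for svc in parsed["services"]:
        url = urlparse(svc["address"] or "")
        if (svc["available"] and url.scheme == "https" and url.hostname == expected_host
                and "urn:taxii.mitre.org:message:xml:1.1" in svc["message_bindings"]):
            kept.append(svc)
    return kept


# Constructed sample response; the host and paths are placeholders, not EclecticIQ's.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<taxii_11:Discovery_Response xmlns:taxii_11="http://taxii.mitre.org/messages/xml/1.1"
    message_id="resp-1" in_response_to="req-1">
  <taxii_11:Service_Instance service_type="COLLECTION_MANAGEMENT"
      service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:https:1.0</taxii_11:Protocol_Binding>
    <taxii_11:Address>https://taxii.example.com/taxii/collection-management</taxii_11:Address>
    <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
  </taxii_11:Service_Instance>
  <taxii_11:Service_Instance service_type="POLL"
      service_version="urn:taxii.mitre.org:services:1.1" available="true">
    <taxii_11:Protocol_Binding>urn:taxii.mitre.org:protocol:http:1.0</taxii_11:Protocol_Binding>
    <taxii_11:Address>http://taxii.example.com/taxii/poll</taxii_11:Address>
    <taxii_11:Message_Binding>urn:taxii.mitre.org:message:xml:1.1</taxii_11:Message_Binding>
  </taxii_11:Service_Instance>
</taxii_11:Discovery_Response>"""


if __name__ == "__main__":
    print(build_discovery_request("req-1"))
    parsed = parse_discovery_response(SAMPLE_RESPONSE)
    for svc in usable_services(parsed, "taxii.example.com", request_message_id="req-1"):
        print(svc["type"], svc["address"])
```

In the constructed response the poll service is advertised over plain HTTP, so usable_services() drops it and only the collection-management service survives; in practice that is the moment to raise a ticket rather than quietly downgrade, since an indicator feed fetched over HTTP can be altered in transit before it reaches your security stack.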

About EclecticIQ Threat Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.

© 2014 – 2022 EclecticIQ B.V.