Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
New Qilin.B ransomware variant emerges with improved encryption and evasion tactics.
(TLP: CLEAR) Qilin.B is a newly observed variant of the Qilin (also known as Agenda) ransomware. It strengthens the encryption used to lock victims' files and adds defense-evasion behaviour that interferes with detection and response by security teams. The variant has been observed in active campaigns, with attackers demanding large ransoms to restore access to encrypted data, and it poses a substantial risk across sectors, underscoring the need for heightened defensive measures.
(TLP: CLEAR) Comments: Security professionals advise organizations to adopt a multi-layered security strategy, which includes:
- Implementing robust endpoint protection solutions.
- Conducting regular security awareness training for employees to help recognize phishing attempts and other common attack vectors.
- Maintaining regular backups that are kept offline or immutable, protected from the credentials the ransomware operator would hold, and tested for restoration, so that encrypted data can be recovered without paying.
(TLP: CLEAR) Recommended best practices/regulations:
PCI-DSS V4.0 Section 5.2: “Malicious software (malware) is prevented or detected and addressed.
“An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.
“The deployed anti-malware solution(s):
- Detects all known types of malware.
- Removes, blocks, or contains all known types of malware.
“Any system components that are not at risk for malware are evaluated periodically to include the following:
- A documented list of all system components not at risk for malware.
- Identification and evaluation of evolving malware threats for those system components.
- Confirmation whether such system components continue to not require anti-malware protection.
“The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.”
Section 5.2 lays out requirements for malware detection and blocking across all system components in the Cardholder Data Environment (CDE). Every device in the CDE should have malware protection that is kept updated and monitored, with action taken when an infection is detected.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories, including botnet Command and Control (C2) as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.
Source: https://thehackernews.com/2024/10/new-qilinb-ransomware-variant-emerges.html
Gophish framework used in phishing campaigns to deploy remote access trojans.
(TLP: CLEAR) Gophish is an open-source phishing toolkit built for security teams to run phishing-awareness simulations: it provides email templates, landing pages, click and submission tracking, and reporting on how a campaign performed. In the campaign reported here, threat actors repurposed it to run real phishing operations. The attackers craft convincing emails that link to Gophish-hosted landing pages; credentials entered there are captured for further exploitation, and the lures in this campaign also led to the installation of remote access trojans, giving the attackers persistent control of the victim's machine.
(TLP: CLEAR) Comments: The use of Gophish in phishing schemes highlights the dual-use nature of security tools, where legitimate frameworks can be repurposed for malicious intent. Implementing robust email filtering and authentication protocols (like SPF, DKIM, and DMARC) can help mitigate phishing risks. Regular training and awareness programs for employees are critical to recognize and report phishing attempts.
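The SPF and DMARC recommendation above is only as good as the records actually published, so here is a checker that flags the weak settings most often seen in practice (a permissive `+all`, a monitor-only `p=none`, partial `pct=`, no reporting address, unprotected subdomains, too many lookups). This is an added example, not code from the original report or from any vendor; the four record strings are constructed samples in the shape a DNS TXT lookup would return, and nothing is resolved over the network.

```python
"""Checks for weak SPF and DMARC records.

Added example for this report, not code from the original page or from any
vendor. The record strings below are constructed samples in the shape a DNS
TXT lookup would return; nothing is resolved over the network.
"""
import re

# Constructed sample records: a weak pair and a corrected pair.
WEAK_SPF = "v=spf1 include:_spf.mail.example.net +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

# Mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps them at 10).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mechanism_name(term: str) -> str:
    """'+include:foo' -> 'include', 'ip4:192.0.2.0/24' -> 'ip4', '-all' -> 'all'."""
    return re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def check_spf(txt: str) -> list:
    """Return findings for an SPF record; an empty list means nothing weak was found."""
    findings = []
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    all_terms = [t for t in terms[1:] if _mechanism_name(t) == "all"]
    if not all_terms:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"  # bare 'all' means '+all'
        if qualifier in "+?":
            findings.append(f"'{last}': any sender passes SPF")
        elif qualifier == "~":
            findings.append("'~all': softfail only; prefer '-all' once DMARC is enforcing")
    lookups = sum(1 for t in terms[1:] if _mechanism_name(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10")
    return findings


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a tag -> value dict (tags lowercased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt: str) -> list:
    """Return findings for a DMARC record; an empty list means the policy is enforcing."""
    findings = []
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: failing mail is still delivered; policy is monitor-only")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once aggregate reports are clean")
    elif policy != "reject":
        findings.append("missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= tag: aggregate reports will not be received")
    # sp= defaults to p=; an explicit sp=none under an enforcing p= leaves subdomains open.
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains are left unprotected")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, "SPF:", check_spf(spf) or "ok")
        print(label, "DMARC:", check_dmarc(dmarc) or "ok")
```

Run it against the TXT records returned by `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com` for your own domains; a clean DMARC result with `p=reject` is what stops a Gophish-style lookalike of your domain from reaching inboxes that honour DMARC.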
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website categories feeds.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.
Source: https://thehackernews.com/2024/10/gophish-framework-used-in-phishing.html
UnitedHealth says data of 100 million stolen in Change Healthcare breach.
(TLP: CLEAR) The data was stolen in the February 2024 ransomware attack on Change Healthcare, a UnitedHealth Group subsidiary that processes claims and payments for a large share of the U.S. healthcare system. UnitedHealth now says the attack exposed the personal and health data of roughly 100 million people, making it the largest healthcare data breach reported to date. Affected information varies by individual and includes names, contact details, dates of birth, Social Security and other government ID numbers, health insurance details, medical records, and billing and claims information. Change Healthcare reported the incident to law enforcement, is working with cybersecurity firms on the investigation, and is notifying affected individuals.
(TLP: CLEAR) Comments: UnitedHealth Group has stated that the attackers gained initial access with compromised credentials on a Citrix remote-access portal that did not have multi-factor authentication enabled, and then moved laterally before deploying ransomware. The incident shows how a single unprotected remote-access path into a healthcare clearinghouse can expose sensitive data on a very large population, and it underscores the need for MFA on every remote entry point, prompt revocation of exposed credentials, and monitoring for unusual access and data movement.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware, phishing, and other abuses:
- The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
- The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
- The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
- The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.
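Protective DNS, as described in the NIST PR.PS-05 comment on content filtering above and in the list of engines just given, comes down to a policy decision made per query before the answer is returned. The following is an added, vendor-neutral illustration of how such a decision layers customer lists, a category feed and custom rules; it is not UltraDDR code or any vendor's implementation. All list entries, the category feed, the CIDR block and the query names are constructed for the demonstration and are not real indicators, and the machine-learning decision engine is left out because it cannot be shown in a few lines.

```python
"""Toy protective-DNS policy evaluation layering list, category and rule engines.

Added example, not UltraDDR or any vendor's code. Every name, category and
address below is constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Verdict:
    action: str   # "allow", "block" or "resolve"
    engine: str   # which engine made the decision
    reason: str


@dataclass
class Policy:
    allow_fqdn: set = field(default_factory=set)       # exact names that always resolve
    block_fqdn: set = field(default_factory=set)       # exact names that never resolve
    block_domain: set = field(default_factory=set)     # a domain and every name under it
    block_cidr: list = field(default_factory=list)     # ip_network objects matched on answers
    category_feed: dict = field(default_factory=dict)  # domain -> category (a CTI feed)
    blocked_categories: set = field(default_factory=set)
    rules: list = field(default_factory=list)          # callables (qname, answers) -> reason or None


def _under(qname: str, domain: str) -> bool:
    return qname == domain or qname.endswith("." + domain)


def long_label_rule(qname, answers):
    """Ruleset-engine example: a very long leftmost label is a DNS-tunnelling heuristic."""
    first = qname.split(".")[0]
    return f"leftmost label is {len(first)} chars" if len(first) > 50 else None


def evaluate(policy: Policy, qname: str, answers=()) -> Verdict:
    """Decide what the resolver should do with a query and, optionally, its answer IPs."""
    qname = qname.rstrip(".").lower()
    # Lists engine: the customer's allow list wins, then the customer's block lists.
    if qname in policy.allow_fqdn:
        return Verdict("allow", "lists", "allow-listed FQDN")
    if qname in policy.block_fqdn:
        return Verdict("block", "lists", "block-listed FQDN")
    for domain in policy.block_domain:
        if _under(qname, domain):
            return Verdict("block", "lists", f"under block-listed domain {domain}")
    for ip in answers:
        for net in policy.block_cidr:
            if ipaddress.ip_address(ip) in net:
                return Verdict("block", "lists", f"answer {ip} in blocked CIDR {net}")
    # Categories engine: block when the feed places the name in a category that is switched on.
    for domain, category in policy.category_feed.items():
        if _under(qname, domain) and category in policy.blocked_categories:
            return Verdict("block", "categories", f"category {category}")
    # Ruleset engine: custom rules extend the other engines.
    for rule in policy.rules:
        reason = rule(qname, answers)
        if reason:
            return Verdict("block", "ruleset", reason)
    return Verdict("resolve", "none", "no policy matched")


# Constructed policy for the demonstration; none of these names are real indicators.
DEMO_POLICY = Policy(
    allow_fqdn={"updates.example.com"},
    block_fqdn={"bad.example.net"},
    block_domain={"evil-c2.example"},
    block_cidr=[ipaddress.ip_network("198.51.100.0/24")],
    category_feed={"casino.example": "gambling", "c2.example": "botnet-c2"},
    blocked_categories={"botnet-c2"},
    rules=[long_label_rule],
)

if __name__ == "__main__":
    queries = [("updates.example.com", ()), ("beacon.evil-c2.example.", ()),
               ("www.c2.example", ()), ("casino.example", ()),
               ("cdn.example.org", ("198.51.100.7",)),
               ("a" * 60 + ".tunnel.example", ()), ("www.example.org", ())]
    for name, answers in queries:
        v = evaluate(DEMO_POLICY, name, answers)
        print(f"{name[:40]:40} {v.action:8} {v.engine:10} {v.reason}")
```

Two design points worth noting: the allow list is evaluated first so that a business-critical name is never knocked out by an over-broad feed entry, and the CIDR check runs on the resolved answers rather than the query name, which is what catches a freshly registered domain that points at already-known hostile infrastructure.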
Cisco fixes VPN DoS flaw discovered in password spray attacks.
(TLP: CLEAR) The flaw, tracked as CVE-2024-20481, affects the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. It is a resource-exhaustion weakness: an unauthenticated remote attacker can send a large volume of VPN authentication requests, exhaust resources on the device, and cause a denial of service of the RAVPN service, which may require a reload of the device to recover. Cisco discovered the flaw while investigating large-scale brute-force and password-spraying attacks against VPN services, in which attackers try a small set of common passwords across many accounts; the same flood of failed authentication attempts that hunts for valid credentials also triggers the DoS condition.
(TLP: CLEAR) Comments: Administrators should apply Cisco's fixed software releases and, in addition, implement measures such as rate limiting of authentication attempts and monitoring for unusual authentication patterns (many accounts failing from one source in a short window is the signature of a spray). Organizations are advised to require multi-factor authentication (MFA) on the VPN, which removes most of the value of a correctly guessed password. Regularly reviewing and updating security controls is essential to keep pace with emerging threats.
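The "monitoring for unusual authentication attempts" advice above is straightforward to turn into detection logic: a password spray looks like one source failing against many accounts a few times each, whereas a brute-force attack looks like one source hammering a single account. The following is an added example, not Cisco or Vercara code. The log lines are constructed in the shape of Cisco ASA syslog message 113005 (AAA user authentication Rejected); the hostnames, users, addresses and thresholds are invented and should be tuned to your own environment.

```python
"""Password-spray vs brute-force detection over VPN authentication failures.

Added example, not Cisco or Vercara code. SAMPLE_LOG is constructed in the
shape of Cisco ASA syslog message 113005; hosts, users and addresses are invented.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one spraying source, one brute-forcing source, one user who mistyped twice,
# plus an unrelated 113004 (success) line that the parser must ignore.
SAMPLE_LOG = """\
Oct 24 2024 09:58:02 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 203.0.113.10
Oct 24 2024 09:58:41 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 203.0.113.10
Oct 24 2024 09:59:15 fw1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = grace
Oct 24 2024 09:59:20 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 203.0.113.10
Oct 24 2024 09:59:58 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dave : user IP = 203.0.113.10
Oct 24 2024 10:00:03 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.9
Oct 24 2024 10:00:04 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.9
Oct 24 2024 10:00:05 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.9
Oct 24 2024 10:00:06 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.9
Oct 24 2024 10:00:07 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.9
Oct 24 2024 10:00:08 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.9
Oct 24 2024 10:00:30 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = erin : user IP = 203.0.113.10
Oct 24 2024 10:01:12 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = frank : user IP = 203.0.113.10
Oct 24 2024 10:05:40 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = grace : user IP = 192.0.2.4
Oct 24 2024 10:05:55 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = grace : user IP = 192.0.2.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-113005: "
    r"AAA user authentication Rejected : reason = (?P<reason>[^:]+?) : server = \S+ "
    r": user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)


def parse_rejections(log_text):
    """Return (timestamp, source_ip, user) for every 113005 line; other messages are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            events.append((ts, m["ip"], m["user"].lower()))
    return events


def classify_sources(events, window=timedelta(minutes=10), spray_users=5,
                     spray_max_per_user=2, brute_attempts=5):
    """Label each source IP 'spray', 'brute-force' or None from failures inside a sliding window.

    Spray: at least spray_users distinct accounts, none tried more than spray_max_per_user times.
    Brute force: any single account failing brute_attempts or more times. Thresholds are tunable.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    result = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        result[ip] = {"label": None, "distinct_users": 0, "attempts": 0}
        for i, (start, _) in enumerate(attempts):
            users = Counter(u for t, u in attempts[i:] if t - start <= window)
            label = None
            if len(users) >= spray_users and max(users.values()) <= spray_max_per_user:
                label = "spray"
            elif max(users.values()) >= brute_attempts:
                label = "brute-force"
            if label:
                result[ip] = {"label": label, "distinct_users": len(users),
                              "attempts": sum(users.values())}
                break
    return result


if __name__ == "__main__":
    for ip, info in classify_sources(parse_rejections(SAMPLE_LOG)).items():
        print(f"{ip:15} {info['label'] or '-':12} users={info['distinct_users']} attempts={info['attempts']}")
```

In a SIEM the same logic is a group-by on source IP over a time bucket with a distinct-count on the user field; the spray threshold is what separates it from the usual failed-login rule, which fires on attempts per account and therefore never sees a spray. A source that trips the spray rule is also a candidate for the rate limiting recommended above, which mitigates the CVE-2024-20481 resource-exhaustion path at the same time.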
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Multi-State ISAC publication "Understanding and Responding to Distributed Denial-of-Service Attacks": "Enroll in a DDoS protection service. Many internet service providers (ISPs) have DDoS protections, but a dedicated DDoS protection service may have more robust protections against larger or more advanced DDoS attacks. Protect systems and services by enrolling in a DDoS protection service that can monitor network traffic, confirm the presence of an attack, identify the source, and mitigate the situation by rerouting malicious traffic away from your network."
(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.
Source: https://www.bleepingcomputer.com/news/security/cisco-fixes-vpn-dos-flaw-discovered-in-password-spray-attacks/
About Vercara.
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.