A very well known electronics firm was in the news this month as an alleged and unfortunate victim of a Maze ransomware attack¹. This attack involved various services, including their corporate email, USA website, and other internal applications. It seems very apparent that this attack was delivered using the Maze ransomware toolset. A few weeks earlier, two other prominent electronics and technology companies were also allegedly the victim of Maze ransomware².
The Maze threat group and their Maze ransomware have been out there since their discovery in May 2019. On 10.29.2019, the Infoblox Cyber Intelligence Unit (CIU) detected a campaign distributing Maze ransomware to Italian-speaking Users. Maze ransomware in this scenario was delivered using emails or exploits kits such as Fallout and Spelevo.
Early on, there was no publicly available decryption tool for Maze ransomware. The private key needed to decrypt the encrypted files is solely available from the Maze threat actors. You can see some of our threat intelligence on this and our notes on vulnerabilities and mitigations related to Maze here:
What can you do with Threat Intelligence?
Infoblox Threat Intelligence research has been able to highlight likely threats sometimes early in their life cycles. This data works best when you have the organizational processes and tools to assess it and act upon it promptly. The rapid resolution of open questions is essential. Is this attack likely for our industry, geography, business size, and other factors that may apply? Can our team handle this new type of attack? What are the tactics and techniques the threat actors are using? What are the incidents of compromise (IOC) of which our team needs to be aware? What threat group uses this IOC? Can our team successfully detect, mitigate, and rapidly recover from this attack?
The need for speed in all facets of defense and mitigation is real. You need to get inside your attacker’s decision cycle and gain the advantage. The goal is to bring your defenses to the highest state of capability, which must be ideally continually ahead of the offenses of your prospective attackers. Improving your defenses requires a deep understanding of threat actor technology and the techniques they use, or might use to protect better, detect, and mitigate cyberattacks. Threat intelligence is an essential part of the defensive toolset.
If Maze is a likely threat to your environment, you need to take rapid advantage of information like this. You need to know if your defenses can stand up to Maze. You need to minimize the probability of becoming the next victim. Maze is coming – will you be ready? Do you have the intelligence, data, personnel, and processes to prevail? Do you understand the tactics and techniques of the Maze threat actors?
What else is out there?
Another recent example has been that of the threat group Evil Corp. which has been very prominent in the news in past months. Evil Corp has been active in releasing new malware called WastedLocker and continuing the assault on banking and finance with its existing Dridex malware toolset. Dridex continues to be a highly successful threat, particularly in banking and finance, and Evil Corp continually evolves the capabilities of Dridex.
Over several years, we have provided threat intelligence on the Dridex Banking Trojan since the initial discovery in 2011. In one of the first Dridex campaigns, we were involved with the Dridex-related phishing emails masqueraded as messages from eFax – a global leader in online fax services. During the week of 12.2.2019, our CIU observed a malicious email campaign distributing the Dridex banking trojan. Like our first Dridex report, the emails had password-protected Microsoft Office document attachments that used macros with hardcoded URLs to download and execute Dridex payloads. Then, on 5.4.2020, our CIU observed a malicious spam (malspam) campaign using Microsoft Excel (XLS) documents to deliver the Dridex banking trojan via embedded PowerShell commands.
The malspam distributed in this campaign impersonated messages from another leading company, Intuit, the software company behind TurboTax and QuickBooks. Aspects of this campaign differ slightly from those we previously reported on, but the goal of stealing credentials has remained the same. You can find out more about these Dridex campaigns by reviewing some of our threat intelligence here:
Lets put the Dridex threat in a serious context. Evil Corp. was indicted³ by the U.S. in December 2019. The indictment names the two partners as leading figures in a criminal enterprise, which has used their malware against targets in “dozens of countries” to embezzle more than $100 million from corporations and local governments. The forces behind Dridex represent a serious and dangerous threat to banking and financial institutions, credit card companies, investment firms, and more. The Treasury Department intimated that these founders worked for the Russian Federal Security Service of the Russian Federation (FSB RF). Evil Corp. and Dridex are about as bad as it can get for a threat. Evil Corp. is yet another case where nation-states align with organized crime to target your enterprise.
The takeaway is that threat intelligence is a critical weapon with which to defend your enterprise. Much of the information about threat actors and their tools your organization is likely to face may be available now if you own the right threat intelligence tools. Threat intelligence can help you make the best decisions to reduce your exposure to any potential attack and to rapidly detect, mitigate, and recover from an ongoing attack.
There are powerful tools and resources you can bring to solve these problems – Infoblox can help.
- Check out our Threat Intelligence service here: https://www.infoblox.com/products/threat-intelligence/.
- Check out our Dossier Threat Research Tool to accelerate threat investigation and response here: https://www.infoblox.com/resources/videos/dossier-for-faster-threat-investigation/ and here https://www.infoblox.com/wp-content/uploads/infoblox-solution-note-infoblox-dossier.pdf.
If you want to know more, please reach out to us directly via firstname.lastname@example.org.