Surefire Cyber Inc.

In the second quarter of 2024, financially motivated threat actor Octo Tempest, our most closely tracked ransomware threat actor, added RansomHub and Qilin to its ransomware payloads in campaigns. Octo Tempest is known for sophisticated social engineering techniques, identity compromise and persistence, focus on targeting VMWare ESXi servers, and deployment of BlackCat ransomware. RansomHub is a ransomware as a service (RaaS) payload used by more and more threat actors, including ones that have historically used other (sometimes defunct) ransomware (like BlackCat), making it one of the most widespread ransomware families today. Notably, RansomHub was observed in post-compromise activity by Manatee Tempest following initial access by Mustard Tempest via FakeUpdates/Socgholish infections. In addition to RansomHub and Qilin, other notable ransomware families in this period include BlackSuit, LockBit, Medusa, Black Basta, and Play. Several new ransomware families emerged this quarter. Fog, which uses the .flocked extension, was first observed in May in campaigns by Storm-0844, a threat actor known for distributing Akira. To deploy Fog, Storm-0844 uses VPN clients to gain initial access, likely via valid accounts. They use open-source tools like ADFind, Rubeus, and Advanced IP Scanner for network discovery and lateral movement. They also use rclone for staging files to be exfiltrated. By June, Storm-0844 was deploying Fog in more campaigns than Akira. FakePenny is another new ransomware family we uncovered during this period. In April, we observed North Korean threat actor Moonstone Sleet (formerly Storm-1789) deploying FakePenny, part of a wide-ranging tradecraft that also includes a malicious tank game: https://msft.it/6046lOdRi Threat actors like Octo Tempest focus on identity compromise in their intrusions to access and persist in on-premises and cloud environments for data exfiltration and ransomware deployment. This quarter, Storm-0501 was observed adopting similar tactics, utilizing open-source toolkits like AADInternals for domain federations and other techniques to facilitate latter stages of attacks, which culminate in the deployment of Embargo ransomware. Threat actors also continue to leverage remote management and monitoring tools in ransomware campaigns. In May, we published research on Storm-1811 misusing Quick Assist in social engineering attacks, which were followed by delivery of various malicious tools, leading to Black Basta deployment: https://msft.it/6047lOdRc Users and organizations are advised to follow security best practices, especially credential hygiene, principle of least privilege, and Zero Trust. We publish reports on ransomware threat actors and associated activity in Microsoft Defender Threat Intelligence and Microsoft Defender XDR threat analytics. For more information and guidance, visit https://msft.it/6048lOdRY

Let's go again! if you're not there you are square! The lineup is live! The Cyber Security Leadership Virtual Summit is THIS FRIDAY at 2p EST!! Patrick Beggs from ConnectWise will be there to talk through the Cyber Leadership from the Top. What is it that the big guys are seeing and helping to protect us as MSPs? Dr. Jerry Craig of Ntiva, Inc. and Tim Weber of Cyber74 will be chatting through the Cybersecurity reality checks. What the vendors and zeitgeist say that really isn't reality. I am really excited about this session as some of us try so hard to be 'best in class', but it's merely impossible to achieve. and to wrap it all up, Amanda Berlin of Blumira will be joined by Karla Reffold of Surefire Cyber Inc. to chat through the Human Side of Incident response. Yes, there is a human side we all miss. In a major event, is your team fed? Have your clients employees been catered to? Is there enough cashflow to make payday? All things we sometimes miss. Make sure to add this to your calendar, repost, and send this to your team to insure they get the most up to date information. It's free and fun, so click the link: https://lnkd.in/enqXtWrj Oh, and btw, after hours, our friends from the IRGame Bob Miller, Ethan Tancredi, and Matt Lee, CISSP, CCSP, CFR, PNPT will be having a live IRGame session to walk through the worse possible day of your MSP. It was really eye opening when I play with Roddy Bergeron, CISSP, CCSP, CSAP and Shawn Torres and think EVERY MSP employee should have to run through this tabletop game. Anywho, it's this Friday, 2p EST. See you then!