Following the publication of a report regarding the Cuba ransomware group’s recent activities, the SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team leveraged SecurityScorecard’s unique data to enrich the indicators of compromise (IoCs) linked to this activity. 

STRIKE Team researchers identified additional IoCs not explicitly linked to the Cuba threat actor group in prior public reporting.

The SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team conducted further research into indicators of compromise (IoCs) connected to the China-backed Flax Typhoon threat actor group. This has revealed additional IP addresses the group may use.

The threat actor group, Money Message ransomware, first appeared in March 2023, demanding million-dollar ransoms from its targets. Its configuration, which contains the services and processes to stop a ransomware attack, can be found at the end of the executable. The ransomware creates a mutex and deletes the Volume Shadow Copies using vssadmin.exe.

The files are encrypted using the ChaCha20 algorithm, with the key being encrypted using ECDH (Elliptic-curve Diffie-Hellman). The extension of the encrypted files isn’t changed, however the structure of the files indicates they were encrypted.

On August 24, Microsoft published its analysis of espionage activity it attributes to a new threat actor group tracked as Flax Typhoon assesses to act on behalf of the People’s Republic of China.

The SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team consulted SecurityScorecard’s Attack Surface Intelligence tool and a strategic partner’s network flow (NetFlow) data to develop further insight into the group’s activity and identify a population of servers the group appears to use in addition to those Microsoft identified in its report.

On July 11th, 2023, Microsoft disclosed that a threat actor had obtained a Microsoft private encryption key that allowed attackers to generate tokens enabling access to customers’ Exchange Online and Outlook.com accounts. Microsoft attributed the attack to a threat actor group it tracks as Storm-0558, which it assesses conducts espionage on behalf of the People’s Republic of China.

The Underground ransomware is the successor of the Industrial Spy ransomware and was deployed by a threat actor called Storm-0978. The malware stops a target service, deletes the Volume Shadow Copies, and clears all Windows event logs.

The files are encrypted using the 3DES algorithm, with the key and IV being encrypted using an RSA public key. The ransomware deletes itself after the file encryption is complete. The extension of the encrypted files isn’t changed, but four specific bytes are added at the end of them.

On June 28, a LockBit-associated threat actor known as “Bassterlord” claimed to have mounted a ransomware attack against a major semiconductor manufacturer and posted screenshots suggesting access to its systems in a series of since-deleted tweets. Despite the possibility that LockBit has again exaggerated its claims, the STRIKE Team consulted internal SecurityScorecard data, a strategic partner’s traffic data, and public reporting on the incident to offer further insight into the group’s recent claims.

VoidRAT is based on the open-source RAT called Quasar. The malware steals information from web browsers and applications such as FileZilla and WinSCP. It also implements a keylogger functionality that saves and exfiltrates the pressed keys. Read our whitepaper for more insights.

The malicious application is based on the open-source Android RAT called AhMyth. It has the following capabilities: taking pictures, exfiltrating phone call logs and phone contacts, stealing files and SMS messages from the phone, tracking the device’s location, recording audio, and sending SMS messages.

On May 1, local media reported that a city government had suffered a disruption resulting from an attack claimed by the Royal ransomware group. Researchers leveraged SecurityScorecard’s exclusive access to network flow (NetFlow) data to collect a sample of traffic involving IP addresses attributed to the affected government.

On May 1, the Avoslocker ransomware group claimed responsibility for an attack against a small U.S. university. Shortly after news of the incident surfaced, the SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team consulted internal and external sources to collect and analyze intelligence about the attack. These sources yielded findings that enabled STRIKE Team researchers to develop a hypothesis regarding attackers’ initial access to university systems.

In mid-March, two Australian financial and professional services firms reported data breaches. These were followed by a series of cyber incidents affecting large Australian firms throughout 2022 and early 2023. As a result, some reporting on the incidents presented them as indications of systematic shortcomings in the country’s cyber defenses. 

Using access to network flow (NetFlow) data furnished by a strategic partner, SecurityScorecard’s STRIKE Team researchers sampled the traffic that occurred over roughly one month leading up to the breach disclosures and involved a group of IP addresses that SecurityScorecard’s ratings platform attributes to the affected organizations.