News

As part of our ongoing (really never ending) series on modern ransomware, we are taking a look at a recent study of one Ransomware as a Service operation. In this case the look is at the Qilin scheme which was brought to light by Group-IB. They were able to infiltrate the group through a conversation with a recruiter (nothing like being invited in). The cybersecurity firm started their inside look in March of 2023 and what they found was eye opening. It shows that RaaS clearly pays well and that services like this make things easy and profitable for people looking to get in on the “fun” but might not have the skill set or infrastructure to do it on their own.

Google owned Mandiant has released findings on a group known as Roasted 0ktapus, Scattered Spider and UNC3944 (sort of rolls off the tongue there). This group has been seen to abuse the Microsoft Azure Serial Console to push out their own remote management tools in previously compromised environments. The fact that this new technique is not available from outside of an existing environment is a good thing, but it does mean organizations should monitor access and improve controls to avoid account compromise.

Attackers are always looking to get targets coming and going. As such you have a very rich ecosystem of attack types to cover as much ground as possible. A concerning one has always been direct supply chain attacks. These attacks seek to compromise software during the development stage, so the malicious pieces get bundled into the released code and signed with a trusted certificate. The highly publicized attack on SolarWinds is one of those types of attacks and shows just how effective and dangerous they can be. Supply chain attacks some in multiple flavors including (but certainly not limited to) compromising code repositories, poisoned plugins or open-source packages, and targeting of developer systems.

The same Ransomware gang that hit MSI recently also appears to have hit Pharmacy services provider PharMerica and stole information on 5.8 million patents. The data that was exfiltrated as part of the attack includes social security numbers, full name and address, health insurance, medications, and date of birth. PharMerica disclosed the breach to the Maine Attorney General on March 12th, 2023.