U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Uncategorized

FBI and CISA published a new advisory on AvosLocker ransomware

FBI and CISA published a joint Cybersecurity Advisory (CSA) to disseminate IOCs, TTPs, and detection methods associated with AvosLocker ransomware. The joint Cybersecurity Advisory (CSA) published by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) provides known IOCs, TTPs, and detection methods associated with the AvosLocker ransomware variant employed […]

AvosLocker ransomware operators

FBI and CISA published a joint Cybersecurity Advisory (CSA) to disseminate IOCs, TTPs, and detection methods associated with AvosLocker ransomware.

The joint Cybersecurity Advisory (CSA) published by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) provides known IOCs, TTPs, and detection methods associated with the AvosLocker ransomware variant employed in recent attacks.

The joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort aimed at sharing technical details associated with various ransomware operations.

The AvosLocker ransomware-as-a-service emerged in the threat landscape in September 2021, since January the group expanded its targets by implementing support for encrypting Linux systems, specifically VMware ESXi servers.

AvosLocker operators already advertised in the past a Linux variant, dubbed AvosLinux, of their malware claiming it was able to support Linux and ESXi servers.

This joint CSA updates the advisory published by the US Government on March 17, 2022.

AvosLocker affiliates use legitimate software and open-source remote system administration tools to compromise the victims’ networks.

Some of the open-source tools used by the affiliates include:

  • Remote system administration tools—Splashtop Streamer, Tactical RMM, PuTTy, AnyDesk, PDQ Deploy, and Atera Agent—as backdoor access vectors [T1133].
  • Scripts to execute legitimate native Windows tools [T1047], such as PsExec and Nltest.
  • Open-source networking tunneling tools [T1572] Ligolo and Chisel.
  • Cobalt Strike and Sliver for command and control (C2).
  • Lazagne and Mimikatz for harvesting credentials [T1555].
  • FileZilla and Rclone for data exfiltration.
  • Notepad++, RDP Scanner, and 7zip.

AvosLocker affiliates were observed using custom PowerShell [T1059.001] and batch (.bat) scripts [T1059.003] for lateral movement, privilege escalation, and disabling antivirus software. Threat actors were also observed uploading and use custom webshells to enable network access [T1505.003].

The joint cybersecurity advisory also includes YARA rule for network defenders to detect the activity of the malware.

CISA and the FBI recommend to secure remote access tools by:

  • Implementing application controls;
  • Strictly limit the use of RDP and other remote desktop services;
  • Disable command-line and scripting activities and permissions;
  • Restrict the use of PowerShell;
  • Update Windows PowerShell or PowerShell Core;
  • Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations.

The advisory also recommends organizations exercise, test, and validate their security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory.

FBI and CISA recommend testing existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, AvosLocker ransomware)