A task force composed of our SophosLabs, SecOps, and SophosAI teams working together towards one goal: protecting our customers.
Mar 13 10 tweets 3 min read
Every year, Sophos X-Ops releases its annual threat report. This year, however, we took a slightly different approach. Rather than looking at the landscape as a whole, we zoned in on the biggest cybercrime threats to SMBs. A look at SophosLabs telemetry showed that the number one challenge for SMBs is data protection—which isn’t too surprising. Data and credential theft have become increasingly common, with attackers using the data for ransomware or unauthorized remote access.
Mar 4 18 tweets 4 min read
Threat actors often use Bring Your Own Vulnerable Driver (BYOVD) attacks – where they abuse vulnerable drivers to gain privileges on a compromised machine – to terminate EDR solutions. Lots of drivers exist that can be abused in this way, and several threat actor groups (we've previously reported on Robbinhood, BlackByte, and other ransomware actors) routinely use this technique.
Mar 1 8 tweets 2 min read
We’ve seen three more incidents of attackers attempting to move deeper into customer networks after exploiting a vulnerability in ConnectWise's ScreenConnect server. Two appeared to be from the same threat actor. /1 In one, the attacker attempted to execute some commands for reconnaissance on the ScreenConnect server, using PowerShell to try to run getlocaluser (to obtain a list of local user accounts on the server) and ipconfig (to get the local network interface information). /2
Feb 21 11 tweets 5 min read
While the world digests what, precisely, the LockBit takedown this week entails and how much it’s likely to kneecap the ransomware gang, we’d just like to point out how prevalent the family is – literally, what Conti was to 2021, LockBit was to 2023. 1/11 Here’s a graphic from our upcoming Active Adversary Report, showing precisely how, as seen by the Sophos X-Ops Incident Response team, Conti in 2021 and LockBit in 2023 represented literally double the volume of infections of the nearest “competitors.” 2/11
Oct 30, 2023 6 tweets 2 min read
A few weeks ago, we saw a challenge posted online where a technical user was looking for the most elaborate, complex Regular Expression (e.g., regex) that someone uses on a regular basis for a practical reason.
We asked around our team of researchers, and we found what might be the largest, most complex regex anyone has ever seen: 272,816 UTF-8 characters in length, created for our Data Loss Prevention product.
Sep 18, 2023 9 tweets 3 min read
Last year, Sophos X-Ops uncovered a growing number of "liquidity mining" scams—a type of cryptofraud that takes advantage of mobile crypto wallets and decentralized finance (DeFi) apps. While we saw dozens of these last year, we're now seeing 100s of more sophisticated scams. /1 While the scams we first encountered were fairly simple in their attempts to convince targets to join their fraudulent “mining pools”, we have seen liquidity mining scams adopt Sha Zhu Pan (pig butchering) tactics to siphon funds from their victims. /2
Aug 25, 2023 13 tweets 3 min read
Sophos X-Ops is currently tracking a campaign by threat actors targeting unpatched Citrix NetScaler systems exposed to the internet. Our data indicates strong similarity between attacks using CVE-2023-3519 and previous attacks using a number of the same TTPs. In the mid-August attack, once the target system was infected, the attackers used the Critical-class NetScaler vulnerability as a code-injection tool to conduct a domain-wide attack.
Jul 28, 2023 10 tweets 3 min read
Under investigation: During a hunt for DLL sideloading abuse of vmnat.exe, Sophos X-Ops uncovered a campaign targeting an organization in Southeast Asia. Aligning with TTPs previously attributed to the Mustang Panda threat group, we unraveled a complex, sustained intrusion. 1/10 The threat actor began by deploying PlugX (mscorsvc.dll) by using native WMIC to multiple systems, including a hypervisor. 2/10
Nov 21, 2022 10 tweets 3 min read
NEW: On a recent threat hunt, our MDR team uncovered multiple Raspberry Robin infections using a DLL spreader.

The USB worm was first spotted in Sept 2021 by Red Canary. Back then, its purpose wasn’t clear. Since then, it’s spread – a lot.

1/10 It’s been linked to various ransomware and malware groups (including LockBit and Dridex) and has been used as a loader for other malware, including IcedID and Bumblebee. 2/10
Oct 12, 2022 14 tweets 5 min read
NEW: Are threat actors turning to archives and disk images as macro usage dwindles?

Following Microsoft’s announcement that macros from the internet will be disabled by default, threat actors are using alternative file types for malware delivery.

1/13 Malicious macros in Office documents have long been a favorite tactic of threat actors. So Microsoft’s announcement in February 2022 that macros in documents originating from the internet would be blocked by default came as welcome news. 2/13
Oct 11, 2022 8 tweets 2 min read
You can’t always get what you want on Patch Tuesday, especially if you’re a Microsoft Exchange Server administrator. 1/8 Microsoft today released 83 patches for five product families – Windows, Office, SharePoint, Azure, and Visual Studio / .NET. It may feel as if something is missing in that list. 2/8
Aug 11, 2022 14 tweets 3 min read
NEW: Excel 4.0 macros, also known as XLM 4.0 macros, have been around for a long time – 30 years! They’ve become very popular with threat actors as an alternative to VBA macros. 1/14 These macros are specific to Excel and are commonly used by organizations, but can easily be weaponized. Add in a wide variety of obfuscation techniques, and it’s no wonder that threat actors love them. 2/14
Aug 10, 2022 6 tweets 2 min read
The real excitement in this month’s 121-CVE #PatchTuesday collection wasn’t the size of the haul; it was the part where Microsoft took us all the way back to 2019 for a moment.

1/6 Remember Follina, the MSDT issue that rolled onstage in late May? Turns out that vulnerability (CVE-2022-30190) has a cousin. An *older* cousin. 2/6
Aug 10, 2022 17 tweets 4 min read
3 attackers, 2 weeks – 1 entry point...

LockBit, Hive, and BlackCat attack an automotive supplier in this triple #ransomware attack.

After gaining access via RDP, all three threat actors encrypted files, in an investigation complicated by event log clearing and backups.

1/17 In May 2022, an automotive supplier was hit with three separate ransomware attacks. All three threat actors abused the same misconfiguration – a firewall rule exposing Remote Desktop Protocol (RDP) on a management server – but used different ransomware strains and tactics. 2/17
Aug 9, 2022 17 tweets 4 min read
NEW: Multiple attackers increase pressure on victims, complicate incident response

Sophos’ latest Active Adversary report explores the issue of organizations being hit multiple times by attackers...

1/17 There’s a well-worn industry phrase about the probability of a cyberattack: “It’s not a matter of if, but when.”

Some of the incidents @Sophos recently investigated may force the industry to consider changing this: The question is not if, or when – but how many times? 2/17
May 18, 2022 17 tweets 7 min read
Hey, @threatresearch here.

I’ve previously reported on how various threat actors have adopted the CVE-2021-40444 exploit in malicious documents. Because there’s a patch, nobody is vulnerable anymore, right? 😉 Just look at the document title in this alert. 1/16 Researchers can set alerts in VirusTotal to flag when a file of interest gets submitted. I get periodic bursts of these -40444 #maldocs, but there was something notable about the document titles in this batch last week: They all parrot specific Russian disinformation topics. 2/16
Mar 30, 2022 19 tweets 5 min read
NEW: Reconstructing PowerShell scripts from multiple Windows event logs

On the trail of malicious #PowerShell artifacts too large to be contained in a single log? Help is on the way.

1/19 Adversaries continue to abuse PowerShell to execute malicious commands and scripts. It's easy to understand its popularity among attackers: Not only is it present on all versions of Windows by default (and crucial to so many Windows applications that few disable it)... 2/19
Mar 29, 2022 14 tweets 4 min read
NEW on #Log4Shell...

Horde of miner bots and backdoors leveraged #Log4J to attack VMware Horizon servers

1/14 In the wake of December 2021 exposure of a remote code execution vulnerability (dubbed “Log4Shell”) in the ubiquitous Log4J Java logging library, we tracked widespread attempts to scan for and exploit the weakness—particularly among cryptocurrency mining bots. 2/14
Mar 3, 2022 23 tweets 9 min read
NEW 🧵on Conti...

We published some news this week about Conti. In brief, a #Conti affiliate infiltrated the network of a healthcare provider that a different #ransomware threat actor had already penetrated.

The technical debt in healthcare is dangerous.

1/23 But Conti, in particular, attracts a particularly aggressive group of affiliates. And we have another, previously untold, Conti-adjacent story about one of their ransomware affiliates.

It serves as a cautionary tale that not all attackers are necessarily after a ransom. 2/23
Dec 22, 2021 16 tweets 4 min read
NEW: Avos Locker remotely accesses boxes, even running in Safe Mode

Infections involving this relatively new ransomware-as-a-service spiked in November and December...

1/16 Over the past few weeks, an up-and-coming ransomware family that calls itself Avos Locker has been ramping up attacks while making significant effort to disable endpoint security products on the systems they target. 2/16
Dec 21, 2021 11 tweets 2 min read
NEW: Attackers test “CAB-less 40444” exploit in a dry run

An updated exploit takes a circuitous route to trigger a Word document into delivering an infection without using macros...

1/11 In September, Microsoft published mitigation steps and released a patch to a serious bug (CVE-2021-40444) in the Office suite of products. Criminals began exploiting the Microsoft MSHTML Remote Code Execution Vulnerability at least a week before September’s Patch Tuesday... 2/11