One Article Review

Home - The article:
Source Fortinet ThreatSignal
Identifier 6780007
Publication date 2022-09-07 23:23:10 (viewed: 2022-09-08 07:05:42)
Title Joint CyberSecurity Advisory on Vice Society (AA22-249A)
Text On September 6th, a joint cybersecurity advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) on the Vice Society ransomware group, which has been active since the middle of 2021 and targets multiple industry sectors including education, healthcare, and government. The threat actor uses double extortion tactics, in which victims are threatened with permanent loss of their encrypted files and with the leaking of stolen data to the public should the ransom not be paid.

Why is this Significant?
This is significant because the alleged Vice Society victims listed on the group's data leak site include organizations in the education, healthcare, and government sectors, which other major ransomware groups often exempt. Of the last ten victims (as of September 7, 2022), more than half are in the education and healthcare sectors.
Once the threat actor sets foot in the victim's network, it moves laterally through the network, exfiltrates valuable information, and deploys ransomware that encrypts files on the compromised machines. The stolen data is then made available to the public, which may damage the reputation of the affected organizations.

What is Vice Society Ransomware Group?
Vice Society is a ransomware group that has been active since at least the middle of 2021 and targets both Windows and Linux systems. What is unique about this group is that it deploys third-party ransomware to its victims instead of developing its own; such ransomware reportedly includes HelloKitty, FiveHands, and Zeppelin.
Below is a typical ransom note left behind by the Vice Society threat actor:

As the ransom note states, the deployed ransomware encrypts files on the compromised machines. Before the ransomware is pushed, the threat actor propagates through the victim's network using tools such as SystemBC, PowerShell Empire, and Cobalt Strike, and exfiltrates confidential information. The ransom note also provides a few contact email addresses. The threat actor puts additional pressure on the victim by stating that the stolen information will be released to the public if the victim does not email the attacker within seven days. The threat actor operates its own leak site, where it lists victims and releases stolen data. The alleged victims are in many countries around the globe, including but not restricted to Argentina, Australia, Beirut, Brazil, Canada, Colombia, France, French Guiana, Germany, Greece, Indonesia, India, Italy, Kuwait, Malaysia, the Netherlands, New Zealand, Poland, Saudi Arabia, Singapore, Spain, Sweden, Switzerland, Thailand, the United Kingdom, and the United States.
[Image: Top page of Vice Society leak site]
A reported infection vector used by the Vice Society ransomware group is exploitation of vulnerabilities (CVE-2021-1675 and CVE-2021-34527) that affect the Microsoft Windows Print Spooler. CVE-2021-34527 is also known as PrintNightmare, on which FortiGuard Labs previously released an Outbreak Alert and a Threat Signal. For more information on PrintNightmare, see the Appendix for links to "Microsoft PrintNightmare" and "#PrintNightmare Zero Day Remote Code Execution Vulnerability". Microsoft released patches for CVE-2021-1675 and CVE-2021-34527 in June and July 2021 respectively.

What is the Status of Coverage?
FortiGuard Labs provides the following AV signatures against known ransomware samples used by the Vice Society threat actor:
W32/Buran.H!tr.ransom
W32/Filecoder.OJI!tr
ELF/Filecoder.8BB5!tr.ransom
W32/Generic.AC.171!tr
FortiGuard Labs has the following IPS coverage in place for the "PrintNightmare" vulnerability (CVE-2021-34527) as well as CVE-2021-1675:
MS.Windows.Print.Spooler.AddPrinterDriver.Privilege.Escalation
All network IOCs are blocked by the WebFiltering client.
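The advisory names Print Spooler exploitation (CVE-2021-1675 / CVE-2021-34527) as a reported Vice Society infection vector and notes that Microsoft patched both in mid-2021. The script below is an added example, not part of the Fortinet or CISA material: it audits a single Windows host for the two spooler conditions a defender would check first, whether the Spooler service is running (and whether the host is a domain controller, where Microsoft recommends disabling it) and whether the Point and Print hardening values Microsoft documented for CVE-2021-34527 are set to their restrictive values. The registry path and value names are the ones from Microsoft's published guidance; the expected values are this example's assumption about the secure baseline. It assumes an elevated PowerShell session on the host being checked.

```powershell
# Added example (not from the advisory): audit one Windows host for Print
# Spooler exposure related to CVE-2021-1675 / CVE-2021-34527 (PrintNightmare).
# Assumes an elevated session on the host being audited.

function Get-PrintSpoolerExposure {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Spooler service state. Hosts that never print (domain controllers,
    #    most servers) can have it disabled outright, removing the attack surface.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $findings.Add('Spooler service not present')
    } elseif ($svc.Status -eq 'Running') {
        $findings.Add("Spooler running (StartType=$($svc.StartType))")
    } else {
        $findings.Add("Spooler stopped (StartType=$($svc.StartType)) - ok")
    }

    # 2. Domain controller check. DomainRole 4 = backup DC, 5 = primary DC.
    #    A running spooler on a DC is the highest-value exposure.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    if ($role -ge 4 -and $svc -and $svc.Status -eq 'Running') {
        $findings.Add('Domain controller with Spooler running - disable the service')
    }

    # 3. Point and Print hardening values from Microsoft's CVE-2021-34527 guidance.
    #    Expected (assumed baseline for this example):
    #      RestrictDriverInstallationToAdministrators = 1
    #      NoWarningNoElevationOnInstall              = 0
    #      UpdatePromptSettings                       = 0
    #    A value of 1 for either of the last two re-enables the vulnerable behaviour.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $expected = [ordered]@{
        RestrictDriverInstallationToAdministrators = 1
        NoWarningNoElevationOnInstall              = 0
        UpdatePromptSettings                       = 0
    }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $actual = if ($props) { $props.$name } else { $null }
        if ($null -eq $actual) {
            # Unset means the OS default applies; record it so it can be
            # compared against the organisation's own baseline.
            $findings.Add("$name not set (OS default applies)")
        } elseif ($actual -ne $expected[$name]) {
            $findings.Add("$name=$actual - WEAK (expected $($expected[$name]))")
        } else {
            $findings.Add("$name=$actual - ok")
        }
    }

    return $findings
}

# Usage: print one finding per line; feed into inventory tooling as needed.
Get-PrintSpoolerExposure | ForEach-Object { Write-Output $_ }
```

The script reports rather than remediates, so it can be run across a fleet first to find hosts where the spooler is still running or where the Point and Print keys were relaxed (a common side effect of fixing printing problems after the July 2021 update). Patch status itself is not checked here because the advisory does not list the specific update identifiers; confirm those against your patch-management records.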
Sent Yes
Tags: Ransomware, Vulnerability, Threat


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.