One Article Review

Home - The article:
Source: Mandiant
Identifier 8546627
Publication date 2024-07-29 14:00:00 (viewed: 2024-07-29 14:18:26)
Title UNC4393 Goes Gently into the SILENTNIGHT
Text Written by: Josh Murchie, Ashley Pearson, Joseph Pisano, Jake Nicastro, Joshua Shilko, Raymond Leong
Overview

In mid-2022, Mandiant's Managed Defense detected multiple intrusions involving QAKBOT, leading to the deployment of BEACON coupled with other pre-ransomware indicators. This marked Mandiant's initial identification of UNC4393, the primary user of BASTA ransomware. Mandiant has responded to over 40 separate UNC4393 intrusions across 20 different industry verticals. While healthcare organizations have not traditionally been a focus for UNC4393, several breaches in the industry this year indicate a possible expansion of its interests. However, this represents only a fraction of the cluster's victims, with the Black Basta data leak site claiming over 500 victims since inception.

Over the course of this blog post, Mandiant will detail the evolution of UNC4393's operational tactics and malware usage throughout its active lifespan, with a focus on the period following the QAKBOT botnet takedown. We will highlight the cluster's transition from readily available tools to custom malware development, as well as its evolving reliance on access brokers and diversification of initial access techniques.

Figure 1: UNC4393 intrusion lifecycle

Attribution and Targeting

UNC4393 is a financially motivated threat cluster and the primary user of BASTA ransomware, tracked since mid-2022 but likely active since early 2022 based on activity on the BASTA DLS. The group has overwhelmingly leveraged initial access gained via UNC2633 and UNC2500 QAKBOT botnet infections to deploy BASTA ransomware. QAKBOT is typically distributed via phishing emails containing malicious links or attachments. In some cases, HTML smuggling has also been used to distribute ZIP files containing IMG files that house LNK files and QAKBOT payloads. Mandiant suspects BASTA operators maintain a private or small, closed-invitation affiliate model whereby only trusted third-party actors are provided with use of the BASTA encryptor.

Unlike traditional ransomware-as-a-service (RaaS), BASTA is not publicly marketed and its operators do not appear to actively recruit affiliates to deploy the ransomware. Instead, they focus on acquiring initial access via partnerships or purchases in underground communities. This deviates from traditional RaaS models, which focus on ransomware development and related services, such as the data leak site (DLS), that are provided to affiliates in exchange for directly distributing the ransomware. While UNC4393 is the only currently active threat cluster deploying BASTA that Mandiant tracks, we cannot rule out the possibility that other, vetted threat actors may also be given access to the encryptor. The hundreds of BASTA ransomware victims claimed on the DLS appear credible given UNC4393's rapid operational tempo. With a median time to ransom of approximately 42 hours, UNC4393 has demonstrated p
Notes ★★
Sent Yes
Tags Ransomware Malware Tool Threat Prediction Medical Cloud
The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.