Venus ransomware has been launching data encryption attacks across the globe since at least August 2022. Last week, the Health Sector Cybersecurity Coordination Center issued an advisory stating that at least one healthcare entity in the United States had fallen victim to Venus ransomware, prompting wider warnings for healthcare and other organizations to be on their guard.

In this blog post, we provide further analysis, indicators of compromise, and TTPs associated with Venus ransomware to help organizations and security teams better understand and defend against this threat.

Overview

Venus ransomware, also known as Goodgame, has been attracting attention since August 2022 and related samples have been known since at least mid-2021. There are sufficient markers and other metadata present in Venus samples to suggest a genealogy with Zeoticus ransomware, which dates back to early 2020.

Venus ransomware is in the tradition of what now might be termed the “legacy ransomware” model: a file locker sold on underground markets as a standalone package rather than on a subscription or “ransomware-as-a-service” model. The package includes a compiled binary and access to decryptors. Unlike more modern data extortion schemes, there is no public data leak site or double extortion methods known to be associated with operators of Venus ransomware at this time.

Underground adverts offering Venus ransomware for sale began appearing in May 2022.

Translated, the message shown in the image above states “We are looking for pentesters”,  a common euphemism for ransomware in the wake of a crackdown on overt ransomware discussion in many forums after certain high profile attacks brought unwanted attention.

Aside from HC3’s warning last week of a healthcare organization being compromised by Venus ransomware operators, there is little indication that targets are industry or sector-specific. Initial access is reportedly publicly-exposed and vulnerable RDP (Remote Desktop Protocol) services, a common weakness found across many different types of organizations, regardless of industry or sector. Cybercriminals discover such vulnerable RDP services through tools like Shodan, direct scanning, COTS/Open-source tools, or by purchasing access from an Initial Access Broker.

Venus Ransomware | Technical Analysis

On launch, Venus ransomware samples will spawn a UAC (User Access Control) prompt in an attempt to elevate privileges before continuing execution.

Subsequently, the malware launches a child process with the following syntax:

file.exe g g g o n e123

In common with Zeoticus, the ransomware then uses the ping to achieve a delay before deleting its own first-stage binary and hiding the console window from victims.

/c ping localhost -n 3 > nul & del C:Users[user]Desktopfile.exe

Following this stage, a hardcoded list of processes is compared against what is running on the target and any applicable processes are shutdown via taskkill.exe.  A full list of processes targeted mirrors the hardcoded list found in Zeoticus samples.

agntsvc.exe
agntsvc.exe
agntsvc.exe
agntsvc.exe
dbeng50.exe
dbsnmp.exe
encsvc.exe
excel.exe
firefoxconfig.exe
infopath.exe
isqlplussvc.exe
msaccess.exe
mspub.exe
mydesktopqos.exe
mydesktopservice.exe
mysqld-nt.exe
mysqld-opt.exe
mysqld.exe
ocautoupds.exe
ocomm.exe
ocssd.exe
onenote.exe
oracle.exe
outlook.exe
powerpnt.exe
sqbcoreservice.exe
sqlagent.exe
sqlbrowser.exe
sqlservr.exe
sqlservr.exe
sqlwriter.exe
synctime.exe
tbirdconfig.exe
thebat64.exe
thunderbird.exe
winword.exe
wordpad.exe
xfssvccon.exe

Persistence is achieved by adding an entry for the ransomware payload in the registry (Windows run key).  For example:

Write Value HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun352.exe

Once encrypted, affected files will be appended with the .venus extension. Note that .TXT files are not always encrypted by Venus ransomware.

The malware also changes the icons of encrypted files with an image written to %Windir% in the early stages of execution. The user’s Desktop wallpaper is likewise replaced by a .jpg image written to %temp%. Both are given file names with a random 20-character string that conform to the regex d{20}, for example:

• 16773516481972502376.jpg
• 34004731821972527219.jpg
• 28604229151972527219.jpg

Once all files have been processed, the malware uses registry modification to change the wallpaper.

REGISTRYUSER[USERIDENTIFIER]Control PanelDesktopWallpaper = "C:Users[user]AppDataLocalTemp\[20char string)].jpg"

After the Desktop wallpaper is updated, the ransom note is displayed to the user.  The ransom note is an .HTA file similarly written to  %temp% with a 20-character string of digits for the file name.

During the course of execution, the malware attempts basic local discovery such as finding the machine name and OS. Venus ransomware traverses available network shares via NetShareEnum and wNetOpenEnum.

Some variants of Venus will utilize WMI to query or redirect additional system services and details. The following command is one launched by Venus ransomware:

wmi - start iwbemservices::execquery - rootcimv2 : select __path, processid, csname, caption, sessionid, threadcount, workingsetsize, kernelmodetime, usermodetime, parentprocessid from win32_process where ( caption = "msftesql.exe" or caption = "sqlagent.exe" or caption = "sqlbrowser.exe" or caption = "sqlservr.exe" or caption = "sqlwriter.exe" or caption = "oracle.exe" or caption = "ocssd.exe" or caption = "dbsnmp.exe" or caption = "synctime.exe" or caption = "mydesktopqos.exe" or caption = "agntsvc.exe" or caption = "isqlplussvc.exe" or caption = "xfssvccon.exe" or caption = "mydesktopservice.exe" or caption = "ocautoupds.exe" or caption = "agntsvc.exe" or caption = "agntsvc.exe" or caption = "agntsvc.exe" or caption = "encsvc.exe" or caption = "firefoxconfig.exe" or caption = "tbirdconfig.exe" or caption = "ocomm.exe" or caption = "mysqld.exe" or caption = "mysqld-nt.exe" or caption = "mysqld-opt.exe" or caption = "dbeng50.exe" or caption = "sqbcoreservice.exe" or caption = "excel.exe" or caption = "infopath.exe" or caption = "msaccess.exe" or caption = "mspub.exe" or caption = "onenote.exe" or caption = "outlook.exe" or caption = "powerpnt.exe" or caption = "sqlservr.exe" or caption = "thebat64.exe" or caption = "thunderbird.exe" or caption = "winword.exe" or caption = "wordpad.exe")

In addition, the following commands are commonly used across Venus variants in order to inhibit or disable system recovery and backup systems.

vdsldr.exe -Embedding
cmd.exe (wbadmin.exe) delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE
wbadmin.exe delete catalog -quiet
vssadmin.exe delete shadows /all /quiet
mshta.exe [name].hta) - "C:Users[user]AppDataLocalTemp16773516481972502376.hta" {xxxxxxxxx-F1C3-4B2E-88BF-xxxxxxxxxx}{1E460BD7-F1C3-4B2E-88BF-xxxxxxxxxx}
WMIC.exe  SHADOWCOPY DELETE
bcdedit.exe /set {current} nx AlwaysOff

Venus Ransomware’s Connection to Zeoticus

Like Zeoticus, Venus instructs users to reach out via email and TOX in order to engage with the ransomware operators and does not use C2 servers for data exfiltration or backdoors.

As noted above, there are certain code similarities between the way Zeoticus and Venus use the ping command.

Also note how the p r i v e t2 marker in Zeoticus is paralleled by the g g g o n e123 marker in Venus.

Command line syntax for persistence, task termination and various ‘housekeeping’ tasks between the two families is almost identical, and both malware families hardcode the same list of processes to target for termination.

Like Venus, Zeoticus is also offered as a complete standalone package rather than a RaaS and is not associated with a leaks site.

The ransom notes and Desktop backgrounds have similar stylistic overtones, and both malware variants write copies to mounted Recovery volumes.

Neither family is particularly sophisticated, and both use hardcoded strings within the malware with no attempt at obfuscation or anti-analysis.

SentinelOne Protects Against Venus Ransomware

SentinelOne Singularity fully detects and prevents payloads, behaviors, and artifacts associated with Venus and Zeoticus ransomware families.

Conclusion

Organizations are right to be concerned about the uptick in activity of this ransomware variant. Insofar as organizations leave vulnerable RDP services exposed to the public internet or fail to protect endpoints with a reliable Next-Gen security solution, attackers need not invest resources in sophisticated malware. Venus ransomware may not be specifically targeting healthcare organizations, but public service and critical infrastructure organizations may be symptomatic of those that most need to up their game to combat threats such as these.

Indicators of Compromise

SHA1
026ce3bceb3a82452f0fc38c0b9abfa90f2c9d87
06757be6174bdc9ef8fe899bcbe5e6e5547dc059
0d0bbcecc80ea3b1712678b24ba925ac2903531f
102b8625e5662c89efe4547dc2cb173be8b08851
10f2ed474a9e0065fed2afebbfe81dc596f46542
13315ee0ba756ac3e7edf2b9a4028b7649ece754
1482e7fdbab29c3e8a2f3ccd1c6ddd48a54c06b0
14d031138fb0aad2432cadf2e0d241ca75b2dfbb
1970f6c17567d56c3e7840fe33a6959dd887fca2
1992336a5d752187c979e24a95a871d8932ade6d
1cb7e2ab7012990bd5051120c3ef8a438035aa88
1fb9b8115d74cf38d6a90b9049c73ea6eb743643
326dc3ca63d10968054153305a9564fac2a37ba3
5166d17d8e9a91a3a36b5edaf168699b03bb13de
5d1229ece791a55823f60298cb7dcf9c0494f3ee
62383813a6ca85fc9c70051c361e0273e135593d
6bf35f44a2267755c2646c89c836bd618c4e964c
6e530c9a3eddabc29c2f8f6aca6c6f786ae052d6
7f4bcc7d13bf3ebab836a770718cc8273470d660
7f8cd9947f9c2bddd9586868c181b4c6a86f10a5
88433f6f33d7b81178815412111d146185b9a857
895eb3047e7a28ce219fdd7e7ad5ce2a61312d93
969a91d0038c10599f0f1f647cf0da869b5ded34
ac1c4cb8a6920bb7276dbf1435040f4003f8580c
ac348c2673f9c66d695bc75b65cbe32adc7887a6
ba145483608a4ea567ed3c3c2b7e396098f5386a
c40909226c102ceb3cf97e9037c590f1623af013
c7a16493be181dbe5ec8d993883bbc1759d22131
c91f54077b8ad8dd8e3f5807181b941124a4e971
da452698643d21a0212d62bd293e0c250f684b14
e044edce8646124ddc39906e6fb6f02eaff16161
e47eefdacf2b1190d2c95cb2800628429bfa115b
ec11f6abf13044a438a7f363bda2c9d5709d2475
fd30e7fcce4c1c372981cde822ba36ded96b7614
ff8747471c9641b17543038433137d7c0ffbcbb7

SHA256
04d75593f6acdfe0c959345b8d6702166537d7533abfeb4b568339dee1986b5e
0a4e5832841ffff9f8d27ce8216d655c8743b682fff0f90dee6bd3ea83dec028
0dc0da0739b227a9dae83be93d1b232c645dbffc7499709ae05c4ffa1bf44000
223f6c995c3de7613fd6e317ff88683999f43225d4ece6640cc752fd1f60ddbc
260ddec8adb08c4f1a3fa3cf75f8faf8b70f40cf49d4965ac15b60929350294c
261286c526153f77f317b0ecb015836aed4ab3a69f0bdfbd189836f209f896e7
2e2cef71bf99594b54e00d459480e1932e0230fb1cbee24700fbc2f5f631bf12
380791c0b797096fee3013ef5666e9c965b93d6cd203d0445132bac3cab5f7c4
49fd52a3f3d1d46dc065217e588d1d29fba4d978cd8fdb2887fd603320540f71
52f7ace0de098c3c820416b601d62c4f56c9b20b569fa625bf242b625521f147
59b05789e5ac3d47c0a3d0f3e4ccacb2667cb7367e42adb9a3cbb108a538fc77
65524db4cc14954481961341c72aa8cf00f78144915cd9eb357c99c3ab669b52
6a52b9cd66ae94e8d27eb0bc3a63e6bd2c3ba6903637533a554d786e00af2404
6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05
79f3aca3bd4e35948db577c9c0b0949c93c9869df6151889aa95b2ef9b8fae17
7b42fa7abdb7e2cfdbb3001e18cf09f62aefd0607684b956aa02c866c12539ac
7d703d0266823347ead7b3333e5e7ac5dd9d36231da62edfe407159aec0afbc9
7e2201b3fd0cf8a6e550ad4af3419e8955bb4ebbca15e11f8ba7a9f4d48cc88c
8045ad5cda6c42e5669cf52e492c004d842c7ae6f8a09522134834d0f57347eb
91845c398b06ddad405f15c1ff73c0ba6c2d27aca46bb04449f1b0855a5fd243
969bfe42819e30e35ca601df443471d677e04c988928b63fccb25bf0531ea2cc
9aa3826da16367166ac01379dd79eab4f0925a6f9b23eab87df6c498bce987c4
a3fa331e4a1e6171cfbda8739513b9477596400b283f32479f4342a1a4d21469
a558d293b26621888f71149c977cc9b68383f0e4cf039d09910f0a97892d7b33
aa0cfdc539cb2db1109606802d6b09a0652c9d60396faa7829ee692df580561f
c54f9afbcf5ed31373855154e8d2f8c2511c76cbbcbed325b30b98ddf3049f98
d6098f0d579273528b28b0b49c8b72b6f9908aef9e1ba0ec5da0874fa8c92266
d9aa454dc2c5d430ac2585f170fcd1ba7a3d31ba80dcc6f22676673c50919865
de6547c284800a6153f79e8518db48a41cc7841550bfdb699f084e988355c952
e844cf44b04c924730626cf2a0342890606d55386f757e99871092bbfc585044
ee036f333a0c4a24d9aa09848e635639e481695a9209474900eb71c9e453256b
f7fe602573c1c9df594ae7d29ddcad56332001005ae5d7786ce3cb452d381d54
fa7ba459236c7b27a0429f1961b992ab87fc8b3427469fd98bfc272ae6852063
faee1c99d47e9dc02bce9a89363817b94200d8a825e3bce0bc4e98f4e0feb2c0

MITRE ATT&CK

S0106 – cmd.exe
T1005 – Data from Local System
T1012 – Query Registry
T1018 – Remote System Discovery
T1070.004 – Indicator Removal: File Deletion
T1082 – System Information Discovery
T1112 – Modify Registry
T1120 – Peripheral Device Discovery
T1202 – Indirect Command Execution
T1486 – Data Encrypted for Impact
T1490 – Inhibit System Recovery
T1491.001 – Defacement: Internal Defacement
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1555.003 – Credentials from Password Stores: Credentials from Web Browsers
T1564.003 – Hide Artifacts: Hidden Window

The Good

A two-year FBI investigation into LockBit ransomware has led to charges this week against a dual Russian-Canadian citizen for allegedly conducting ransomware attacks on U.S. and other organizations around the world.

Mikhail Vasiliev, 33, was arrested in Ontario, Canada on Wednesday on charges of conspiring to damage protected computers and transmitting ransom demands in connection with doing so. He is now awaiting extradition to the U.S.

Documents filed in the case state that since the LockBit RaaS (ransomware-as-a-service) first appeared in 2020, it has been used in over 1000 attacks and garnered its operators tens of millions of dollars in confirmed ransom payments. However, Deputy AG Lisa Monaco had a message for those involved: “Let this be yet another warning to ransomware actors…we will use every available tool to disrupt, deter and punish cyber criminals.”

It’s also not the first time Canadian police and the FBI have cooperated to arrest individuals believed to be involved in ransomware: Back in 2021, Canadian national Sébastien Vachon-Desjardins was arrested in Canada and subsequently sentenced to 20 years in a U.S. prison for his role in Netwalker ransomware attacks.

The Bad

Despite wins like those above, it’s clear that the profits from ransomware and data extortion as well as the ease of conducting such attacks continue to incentivise threat actors. This week, the Health Sector Cybersecurity Coordination Center (HC3) warned that Venus ransomware is targeting U.S. healthcare entities via publicly exposed Remote Desktop Services.

HC3 says that Venus ransomware is targeting Windows devices that companies have failed to protect with a firewall or other defenses, allowing attackers to gain initial access via the Remote Desktop Service. Typically, threat actors discover vulnerable services through internet search services such as Shodan or purchase access from Initial Access Brokers.

Reports suggest that Venus ransomware is likely being operated by several independent cybercrime groups. HC3 says that the malware has been observed reaching out to IP addresses in a wide variety of countries, including Denmark, France, Great Britain, Ireland, Japan, the Netherlands, Russia and the United States.

At present, there are no data leak sites associated with Venus intrusions, and the operators appear to be relying solely on file locking to extort money from victims. Ransom demands are said to start at around $20,000. Victims are reminded that paying a ransom by no means ensures either that encrypted data will be unlocked or that the organization will not suffer further harm.

The Ugly

In cybersecurity, trust is always a weak point that attackers will seek to abuse, and this week’s Most Odious award goes to the threat actors behind the latest attempts to infect users of open source projects hosted on PyPI and GitHub.

Researchers this week spotted a malicious package on PyPI called “ApiColor” that reached out to a remote URL to download and execute code hidden in a .png file. The ApiColor package installed a steganography module and retrieved and executed a further second-stage malware payload.

The threat actors had set up multiple accounts on GitHub with code repositories that included the malicious PyPI package in their dependencies, hoping to infect developers or organizations that used the open source GitHub repositories. The PyPI package has since been taken down, but malware linked to some of the fake users accounts remains on GitHub at the time of writing.

Supply chain attacks on PyPI and Rust’s crate.io are not unknown, and seeding malicious code via GitHub repositories to infect developers and ultimately downstream users has also been seen before (e.g., in XCSSET malware). Steganography is also a common tactic for hiding malware.

However, what makes this attack of particular concern is precisely that the vectors and TTPs are neither novel nor sophisticated, and yet the attackers invested a considerable amount of time and effort setting up an elaborate infrastructure in the knowledge that trust in external code dependencies is still a blind spot for many organizations. The warning shots have been fired, and security teams need to be sure that they are on top of the supply chain risk across their software stack.

As the cyber threat landscape grows increasingly treacherous and sophisticated, more teams are looking to augment their often-limited internal cybersecurity resources with the expertise and hands-on assistance offered by managed detection and response (MDR) services and managed security service providers (MSSPs). Gartner estimates that by 2025, 50% of organizations using endpoint detection and response (EDR) technology will enlist the help of a managed security service partner.

About the MITRE Engenuity ATT&CK® Evaluation of Managed Security Services

In response to the growing needs of today’s cybersecurity teams and buyers, MITRE Engenuity has just published its debut ATT&CK Evaluation of Managed Security Services. MITRE Engenuity has quickly evolved to become the industry standard for third party evaluation of cybersecurity solutions. The independent evaluations provide rigorous analysis based on the ATT&CK® framework and knowledge base with the intent to help organizations combat today’s sophisticated cyber threats and improve their threat detection capabilities.

SentinelOne has participated in more comprehensive MITRE evaluations than any other cybersecurity leader, being the only XDR vendor to have participated in three years of ATT&CK Enterprise Evaluations, the inaugural Deception evaluation, and the inaugural Managed Services evaluation. Learn more about SentinelOne’s leading performance in MITRE Engenuity’s Enterprise ATT&CK and Deception evaluations here.

MITRE summarizes its newest Managed Services evaluation below:

As part of the evaluation process, participants like SentinelOne were tasked with understanding adversary activity without prior knowledge of the emulated adversary, and provide their analysis as if MITRE Engenuity was a standard MDR customer.

In this blog post, we’ll outline the key takeaways from our Vigilance MDR team’s participation in the inaugural MITRE Engenuity ATT&CK Evaluation for Managed Services. These takeaways are especially relevant for those considering or actively evaluating MDR and digital forensics & incident response (DFIR) services.

Takeaway 1: The Right Data Leads to the Right Decisions

While identifying the emulated adversary in this scenario seems like table stakes, proper adversary attribution unlocks actionability.

Based on the activity detected on this user endpoint, forensic artifacts collected, and the tactics, techniques, and procedures (TTPs) observed throughout the campaign, the SentinelOne Vigilance team was able to correctly attribute the attack to Iranian threat actor group APT 34, also known as OilRig.

Beyond just identifying the emulated adversary, the Vigilance team leveraged first party and open threat intelligence to provide additional insight into OilRig. The team’s reporting included a summary of the adversary and the group’s evolution over time, commonly exploited tools by the adversary, and all of their known associated TTPs.

As an MDR & DFIR buyer, it is important to consider whether the information you receive from your service partner is meaningful and actionable. While comprehensive reporting is a must, time and resource-constrained analysts benefit from analysis that is pertinent, timely, and distinguishes between insight and overwhelming detail.

In addition to the remediation guidance offered in-platform, Vigilance reporting focuses on what customers need to know to evaluate risk, assess incident impact, and mitigate threats for the immediate and long term.

Takeaway 2: Detection Is Half the Battle, Protection Is the Endgame

For the purposes of the evaluation, participants were tasked with detecting and understanding adversary activity through the entire attack, without intervening to prevent or remediate the threat. Over a 10-step campaign, our Vigilance team was able to track the adversary from end to end as they infiltrated the simulated environment through a phishing attack with a malicious attachment, performed reconnaissance on the host and environment, moved laterally to a critical server, and exfiltrated corporate data.

It is crucial to note, however, that a real-life application of detection and response technology and MDR services should be aimed at preventing and mitigating such attacks as quickly as possible—before the adversary can perform recon, move laterally, or steal data.

In a live scenario of this incident, the SentinelOne Singularity platform and Vigilance services would have stopped the attack from the very first detection. If set to “Protect” mode rather than “Detect-Only”, the Sentinel Agent would be equipped to autonomously kill the entire chain in an instant, without analyst intervention, rather than allowing the attack to execute over the course of several days. This would have prevented any further movement or downstream business impacts associated with this campaign.

Takeaway 3: Real-Time Response Maximizes Cyber Resilience

Time is of the essence in a real-world attack scenario. By a similar principle as our last takeaway, organizations should aim to eradicate malicious actors from their environment as soon as they’re detected, and have the confidence in their MDR partner to do just that.

Though the ATT&CK evaluation did not include a service level agreement (SLA) as part of its criteria, this should be a significant consideration for those evaluating MDR and DFIR services. The true efficacy of an MDR team often comes down to their ability to detect, contain, and mitigate a threat as quickly and effectively as possible, all with the goal of minimizing the impact of a cyber incident.

At SentinelOne, our Vigilance analysts are able to respond to events at often unmatched speeds. This is due in part to the robust autonomous capabilities of the Sentinel Agent, which can kill and quarantine threats at the endpoint level before a human ever intervenes. Additionally, Vigilance analysts take action on alerts that come with real-time, machine-generated context produced by SentinelOne’s patented Storyline technology. This allows an analyst to view and understand the entire progression of an attack in one pane of glass, instantly. On average, Vigilance minimizes attacker dwell time to just 20 minutes.

For many other MDR and MSSP-delivered services, the process of connecting the dots, building context, validating true vs. false positives, and containing threats is often a heavily manual effort, which may lead to longer overall response times.

Takeaway 4: There is More to MDR — DFIR Is the Difference

Although the 24×7 security monitoring offered by MDR services provides organizations with a reliable safety blanket, the reality of today’s digital world is that no organization is 100% impenetrable to a cyber incident. This is why more and more teams look to augment their security programs with digital forensics and incident response, or DFIR, capabilities.

The evaluation factored in security teams’ growing desire for deeper analysis and forensic investigation, and how this level of insight could enhance an end client’s overall understanding of attacks targeting their organization. In this spirit, the Vigilance team not only reported on “what” the adversary was doing in the simulated environment, but also the “how” and “why” — this included malware and data exfiltration technique analysis, as well as reverse engineering of malware samples.

These capabilities are at the crux of SentinelOne’s Vigilance Respond Pro offering. Through Vigilance Respond Pro, we are able to deliver our customers a more frictionless MDR and DFIR experience, drawing from the expertise of a unified, designated team with intimate knowledge of the customer environment.

When a DFIR team already has a pulse on what’s happening in the customer environment, is able to leverage their existing tools, and directly interfaces with their day-to-day MDR team, it significantly accelerates overall investigation and response. MDR and DFIR buyers should consider this approach in contrast to enlisting the help of two disparate, siloed teams under one vendor, or two separate firms for MDR and DFIR altogether.

Looking Ahead: Next Steps for MDR and DFIR Buyers

From the MITRE Engenuity ATT&CK Evaluation for Managed Services emerged some key considerations for those evaluating MDR and DFIR services. However, it is important for teams to consider their cybersecurity partners holistically, from the breadth, depth, and reliability of their technology to the expertise and level of service delivered by their people.

We encourage buyers to continue to lean on third party evaluations such as MITRE Engenuity to assess the best fit for their organizations, including their track record of performance across various domains such as Enterprise EDR & XDR, Identity & Deception, and Managed Services.

Dive deeper into SentinelOne’s leading performance over three years of MITRE Engenuity ATT&CK evaluations here. To join the ranks of other customers who have gained peace of mind and made security progress with SentinelOne Vigilance MDR and DFIR, learn more about our Vigilance Respond Pro.

The Good

Software supply chain attacks aren’t just creeping into the threat landscape anymore – they have been fully on the rise over recent years. After multiple high-profile attacks, including those on SolarWinds and Kaseya, nation states and organizations alike have all worked to share lessons learned and raise their awareness on supply chain attacks.

This week, the NSA, CISA, and the Office of the Director of National Intelligence (ODNI) released a new set of guidelines for securing software supply chain operations. The guidelines were created in coordination with public-private cross-sector, Enduring Security Framework (ESF), to provide suppliers with best practices for planning, prevention, and response processes.

While the document lays out comprehensive instructions to help suppliers define criteria for security checks and respond to vulnerabilities, it more importantly articulates the notion of establishing shared responsibility.

“Prevention is often seen as the responsibility of the software developer, as they are required to securely develop and deliver code, verify third party components, and harden the build environment. But the supplier also holds a critical responsibility in ensuring the security and integrity of our software,” the NSA noted in their press release.

Software supply chain attacks have remained at the forefront of discussion by U.S. officials with a new federal strategy to adopt a zero-trust model announced in January of this year followed in May by NIST Special Publication 800-191 addressing supply chain risk management. The ESF is set to release another set of guidelines, focusing next on customers in the software supply chain lifecycle. This week’s release is preceded by the first in the series, a guideline created to support developers specifically.

The Bad

Popular file-hosting service, Dropbox, disclosed this week that they suffered a breach after a phishing campaign targeted employees. In their blog post, the California-based company explained that attackers accessed 130 of their code repositories in GitHub, but the breach did not include unauthorized access to user accounts, content, passwords, or payment information. Code for its core apps and infrastructure were also not contained in the compromised repositories.

This phishing campaign on Dropbox shares its roots with a campaign that targeted GitHub just a few months ago. In both cases, the threat actor impersonated CircleCI, a continuous integration software, to harvest user credentials and MFA codes. Attackers were able to breach Dropbox’s defenses by using legitimate-looking phishing emails that directed employees to enter their credentials and hardware authentication key to pass a one-time password (OTP) to a fake CircleCI site.

Dropbox revealed that the code accessed by the threat actor contained some credentials, mainly API keys used by the company’s developers, and also “a few thousand names and email addresses” belonging to employees, sales leads, third-party vendors, as well as current and past customers.

Though the company has underscored that no customer data was stolen, the need for large companies to harden their authentication protocols is clear. In this case, over 700 million registered users rely on Dropbox for folder sharing, cloud storage, file backup, task management, and document signing services.

Identity-based protection has long needed more attention with even the U.S. government mandating this year that all federal agencies are to implement both zero-trust architecture and phishing-resistant MFA. Dropbox’s blog confirmed that the company has accelerated an upgrade to their authentication tools and will soon use biometric factors or hardware tokens across its environment.

The Ugly

The RomCom RAT has come out to play again, and this time it’s using rogue versions of SolarWinds Network Performance Monitor (NPM), KeePass password manager, and PDF Reader Pro. RomCom also has been known to use trojanized variants of Advanced IP Scanner and pdfFiller.

Researchers found RomCom actors leveraging customer trust in well-known software brands to create typo-squat lookalike download sites, effectively disguising their malware as legitimate products. This is done by scraping the HTML code from the company’s legitimate site, registering a new, similar domain, and deploying targeted phishing emails or social media posts to lure in specific users.

The spoofed websites host and deploy the RomCom RAT (remote access trojan), which is capable of taking screenshots and collecting sensitive information, before exporting them back to the threat actor’s server.

RomCom seems to be expanding on this tactic now that fake Veeam Backup Recovery installers have been identified, too.

We’re observing that ROMCOM RAT is now being packaged as an installer for Veeam Backup and Recovery software. This is in addition to the KeePass Password Manager and SolarWinds Orion installers identified by BlackBerry yesterday. pic.twitter.com/CHF1B9gB2M

— Unit 42 (@Unit42_Intel) November 3, 2022

Ukrainian military institutions have been the primary targets of this recent campaign though secondary targets included some English-speaking countries. Researchers commented that “given the geography of the targets and the current geopolitical situation, it’s unlikely that the RomCom RAT threat actor is cybercrime-motivated.”

Campaigns like these are part of the reason why the lines separating cybercriminals and targeted attack threat actors are blurring. The more targeted attack actors use traditional means of tooling, the harder attribution is.

For now, there are speculations that RomCom actors are potentially linked to Cuba Ransomware and Industrial Spy, but concrete evidence has yet to be found. The FBI continues to encourage organizations to bolster their defenses against spoofing, social engineering scams, and business email compromise and to report any suspected attempts to the Internet Crime Complaint Center.