Ransomware/Malware Activity
Emerging Threat Group Black Basta Claims Responsibility for American Dental Association Cyberattack
The American Dental Association (ADA), a dentist and oral hygiene advocacy association headquartered in Illinois, confirmed on April 27, 2022, that it suffered a cyberattack on April 21, 2022. The attack caused ADA to shut down the affected systems, taking various services offline and leaving them inaccessible. These services include the ADA Store, the ADA Catalog, MyADA, Meeting Registration, Dues pages, ADA CE Online, the ADA Credentialing Service, and ADA Practice Transitions, as well as their email systems. On April 25, 2022, the ADA began notifying members of the "cybersecurity incident" and stated that an active investigation is being conducted. BleepingComputer emphasized that this shutdown "is not only affecting [ADA's] website, but also state dental associations, such as those in New York, Virginia, and Florida, who rely on ADA's online services to register an account or pay dues." An emerging threat group called "Black Basta" has taken responsibility for the attack, publishing a post on its leak site that names ADA as a victim and includes screenshots of the data allegedly exfiltrated. The data in the screenshots includes financial information such as W2 forms, NDAs, accounting spreadsheets, and information on ADA members. As of April 26, 2022, Black Basta has leaked about 2.8 gigabytes (GB) of data, which it claims to be approximately thirty (30) percent of the stolen data. Because ADA members' information may have been published, it is recommended that all ADA members remain vigilant for targeted spear-phishing campaigns attempting to obtain additional sensitive data, such as login credentials. CTIX analysts are monitoring this incident and will provide further updates as they become available.
Onyx Ransomware Destroys Accessed Files, Leaving No Data to be Recovered by Decryptor
"Onyx," an emerging ransomware operation, has been observed destroying accessed files that are larger than two (2) megabytes (MB) rather than encrypting them. Onyx, which currently lists six (6) victims on its leak site, has been observed exfiltrating data from compromised systems, encrypting devices, and using the stolen data in double-extortion schemes, which is typical for ransomware operations. This destruction technique, however, is not common. The technique was identified by MalwareHunterTeam, who obtained a sample of the ransomware's encryptor and documented their observations on Twitter. MalwareHunterTeam stated "the ransomware [Onyx] are using is a trash skidware, it's destroying a part of the victims' files," meaning that files are being overwritten with "ransom junk data" rather than encrypted. This prevents the victim from decrypting those files even if a ransom is paid to the operation. Jiří Vinopal, a forensic and malware analyst, also added that the Onyx decryptor does not account for larger files. While MalwareHunterTeam also noted that the ransom note is "mostly a copy-paste of Conti's note," there is speculation that the reviewed code is based on the Chaos ransomware, whose encryption routine contains the same destructive behavior. CTIX analysts will continue to monitor Onyx's tactics, techniques, and procedures (TTPs) as the operation evolves.
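For incident responders scoping an Onyx case, the practical consequence of the 2 MB behavior described above is that a decryptor, paid for or not, cannot restore the larger files. The following added example (not code from the original report or from any of the researchers cited) triages a file inventory against that threshold so a team can see up front which files must come from backups; the 2 MB cutoff is taken from the reporting, while the binary megabyte interpretation and the helper names are assumptions.

```python
import os
from dataclasses import dataclass

# Per the reporting, Onyx overwrites files above this size with junk instead of
# encrypting them. 2 MB is interpreted here as 2 * 1024 * 1024 bytes (assumption).
ONYX_DESTROY_THRESHOLD = 2 * 1024 * 1024


@dataclass
class TriageResult:
    recoverable: list    # (path, size): encrypted files a decryptor could restore
    destroyed: list      # (path, size): files overwritten with junk, backups only
    destroyed_bytes: int


def triage_sizes(entries, threshold=ONYX_DESTROY_THRESHOLD):
    """Classify (path, size) pairs: strictly larger than threshold means destroyed."""
    recoverable, destroyed = [], []
    for path, size in entries:
        (destroyed if size > threshold else recoverable).append((path, size))
    return TriageResult(recoverable, destroyed, sum(s for _, s in destroyed))


def triage_tree(root, threshold=ONYX_DESTROY_THRESHOLD):
    """Walk a directory tree (e.g. a mounted forensic image) and triage every file."""
    entries = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                entries.append((full, os.path.getsize(full)))
            except OSError:
                continue  # unreadable entries are skipped rather than guessed
    return triage_sizes(entries, threshold)


def summarize(result):
    return (f"{len(result.recoverable)} file(s) may be recoverable with a decryptor; "
            f"{len(result.destroyed)} file(s) ({result.destroyed_bytes} bytes) were "
            f"overwritten and must be restored from backups")


if __name__ == "__main__":
    # Constructed sample inventory standing in for a walk of an affected share.
    sample = [("docs/contract.pdf", 512 * 1024),
              ("db/backup.bak", 40 * 1024 * 1024),
              ("finance/ledger.xlsx", 2 * 1024 * 1024 + 1)]
    print(summarize(triage_sizes(sample)))
```

Whether an overwritten file keeps its original length is not stated in the reporting, so where possible run this against a pre-incident inventory (backup catalog or prior file listing) rather than the post-incident sizes.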
Threat Actor Activity
Black Basta Ransomware Gang Amasses Twelve Victims in One Month
A new ransomware gang dubbed "Black Basta" has sprung into action, infecting twelve (12) companies in April 2022 alone. Amassing such a high victim count in a matter of weeks without recruiting affiliates on underground forums has led researchers to believe this is likely a rebrand of an existing ransomware organization. Security researcher MalwareHunterTeam has speculated that Black Basta may be an offshoot of Conti, due to the similar appearance of the leak and payment sites as well as the personalities of the support representatives. A Conti rebrand would also make sense, as the group has been under scrutiny for its announcements favoring Russia in the current conflict and for the Conti Leak incident. Black Basta uses traditional "double-extortion" techniques, in which sensitive data is stolen before encryption so it can later be used to extort the victim. The ransomware used by Black Basta requires administrator privileges to run. With those privileges, it deletes Volume Shadow Copies, hijacks Windows services, and then restarts the machine into Safe Mode with Networking. Once it has rebooted, the ransomware begins encrypting files with the ChaCha20 encryption algorithm and appends the ".basta" extension. Finally, the malware changes the wallpaper and the ".basta" ICO file and drops a ransom note pointing to the group's chat website on TOR. The Black Basta chat gives an organization seven (7) days to initiate a negotiation on the ransom price. While final ransom payments vary, one (1) organization stated that it received a $2 million initial demand from the threat actor. CTIX analysts are monitoring the Black Basta ransomware gang and will provide updates as new information about the group is released.
Vulnerabilities
Maintainers Patch Critical "Nimbuspwn" Linux Vulnerabilities
A chain of critical vulnerabilities affecting Linux desktop endpoints, collectively known as "Nimbuspwn," has been identified and detailed in a blog post published by Microsoft's 365 Defender Research Team. The flaws were identified while researchers were performing code analysis on root services listening to System Bus messages, in a Desktop-Bus (D-Bus) unit identified as "networkd-dispatcher." Microsoft researchers stated that multiple vulnerabilities were found, "including directory traversal, symlink race, and time-of-check-time-of-use race condition issues." If exploited, these vulnerabilities could offer threat actors a multitude of attack options and payloads, including rootkits, backdoors, and the opportunity to deploy malware stemming from the ability to perform arbitrary remote code execution (RCE). These flaws have been patched by networkd-dispatcher maintainer Clayton Craft, who recommends that users update their Linux instances immediately. The quick identification, reporting, collaboration, and patching of these flaws (now tracked as CVE-2022-29799 and CVE-2022-29800) indicate how important it is for organizations to work towards more cross-platform security. Endpoint detection tools and services are among the best proactive and reactive solutions for organizations to identify and mitigate threats in real time. Implementing effective endpoint detection and response (EDR) requires knowledge and experience of cyber threat actors' tactics, techniques, and procedures (TTPs), and Ankura offers top of the line Managed Detection and Response (MDR) services provided by an expert-led team of analysts that offer 24/7 support to optimize our clients' perimeter and network defense.
Critical Netatalk Vulnerabilities Affect Synology and QNAP Products
Network Attached Storage (NAS) product giants Synology and QNAP have issued warnings to their users stating that some of their appliances are currently exposed to compromise due to three (3) critical Netatalk vulnerabilities. Netatalk is an open-source implementation of the Apple Filing Protocol (AFP) that allows *NIX/*BSD systems to operate as AppleShare file servers for macOS. Specifically, these flaws affect Synology DiskStation Manager (DSM) and Synology Router Manager (SRM) and allow unauthenticated remote attackers to pilfer sensitive data and execute arbitrary code. The vulnerabilities were first exploited during the Pwn2Own 2021 hacking competition, with a proof-of-concept (PoC) exploit provided by NCC Group's EDG team. The flaws were partially patched by Netatalk in March of 2022. Currently, these flaws have been completely mitigated for appliances running DiskStation Manager (DSM) 7.1 or later, but some other products are still being patched and therefore remain susceptible to attack. QNAP is in a similar state: appliances running QTS 4.5.4.2012 build 20220419 and later have been patched, but fixes for older products are still in progress. QNAP has recommended that administrators of NAS devices running AFP disable the protocol for the time being, while the vulnerabilities are being patched. The CTIX team will follow this matter and release an update when more security patches have been implemented.
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days; it typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (flash@ankura.com) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.