
Ankura CTIX FLASH Update - November 11, 2022

Ransomware/Malware Activity


Global Credit Reporting Agency TransUnion Confirms Data Breach Involving SSNs

TransUnion LLC, a global consumer credit reporting agency headquartered in Chicago, Illinois, confirmed with the Massachusetts Attorney General on November 7, 2022, that it has suffered a data breach. According to the law firm Console & Associates, an unauthorized third party had access to sensitive consumer data including consumer names, Social Security numbers, financial account numbers, and driver's license numbers. The total number of impacted individuals is currently unknown, but it should be noted that the company overall possesses information on one billion consumers in over thirty (30) countries, including 200 million United States individuals. TransUnion began sending out data breach notification letters on November 7, 2022, but has yet to publish a statement regarding the situation. CTIX analysts will continue to monitor activity surrounding TransUnion and provide necessary updates once additional details are released.


Threat Actor Activity


Man Accused of Participating in a LockBit Ransomware Campaign is Extradited from Canada to the US

Mikhail Vasiliev, an alleged member of the LockBit ransomware group, is being extradited to the United States from Bradford, Ontario. The thirty-three (33) year-old dual Russian-Canadian citizen was arrested in Canada on multiple charges related to involvement with LockBit. The announcement coincided with the unsealing of a criminal complaint, filed in the District of New Jersey, charging Vasiliev. Vasiliev is charged with conspiracy to intentionally damage protected computers and to transmit ransom demands. Deputy Attorney General Lisa O. Monaco released a statement regarding the arrest stating, “This arrest is the result of over two-and-a-half years of investigation into the LockBit ransomware group, which has harmed victims in the United States and around the world.” The arrest is the culmination of an FBI-led investigation against the LockBit group, which has over 1,000 victims worldwide and has recently seen an increase in activity with the release of “LockBit 3.0,” the newest version of the destructive ransomware.


Vulnerabilities


November 2022 Microsoft Patch Tuesday Fixes "ProxyNotShell" While Four Other Critical Vulnerabilities Are Added to CISA's KEV

The November 2022 Microsoft “Patch Tuesday” update fixed sixty-eight (68) vulnerabilities, with eleven (11) of them classified as critical. Of the eleven (11), two (2) are the zero-day attack-chain vulnerabilities known as “ProxyNotShell,” which directly affect Exchange. Six (6) of the eleven (11) critical vulnerabilities have reportedly been exploited in the wild. Following the patch, the Cybersecurity and Infrastructure Security Agency (CISA) added four (4) zero-day flaws (not including ProxyNotShell) to its catalog of Known Exploited Vulnerabilities (KEV), mandating that federal civilian executive branch (FCEB) agencies patch all four (4) of the flaws before November 29, 2022. The first vulnerability added to the KEV, tracked as CVE-2022-41073, is an elevation of privilege flaw affecting the Windows Print Spooler service. If exploited, an attacker could elevate their privileges to SYSTEM, giving them full control of the target machine. This is a low-complexity attack, similar to the devastating 2021 remote code execution (RCE) attacks facilitated by exploiting the notorious “PrintNightmare” bugs, which took almost four (4) months to successfully patch. The second flaw, tracked as CVE-2022-41125, is a Windows Cryptography API: Next Generation (CNG) Key Isolation service elevation of privilege vulnerability. CNG runs as the LocalSystem account (a predefined local account used by the service control manager), sharing the executable “lsass[.]exe” with other services. The CNG service stores keys used to authenticate users in the Winlogon service. If exploited, LSASS could be compromised, allowing the threat actor to escalate their privileges and exfiltrate secret keys. The third vulnerability, tracked as CVE-2022-41091, is a Windows Mark of the Web (MotW) bypass vulnerability. MotW is a security feature that labels files and webpages that originate from untrusted sources. MotW labels tell the operating system, web browsers, and other applications that the file could be malicious, triggering a warning to the user that opening the file or webpage could be dangerous. If exploited, this vulnerability could allow a threat actor to deliver maliciously crafted files inside a ZIP archive; when extracted, the files (and any embedded malicious macros) would not carry the MotW flag, allowing malware to run on the vulnerable device without the usual warning. The final flaw added to the KEV, tracked as CVE-2022-41128, is a Windows scripting language vulnerability affecting the JScript9 engine that leads to RCE. If exploited, an attacker could trick a user into visiting a maliciously crafted server or website, most likely via a phishing link or attachment, allowing the threat actor to execute arbitrary code remotely with the user’s privileges. CTIX analysts urge all Microsoft customers to ensure that they are running the most up-to-date versions of their services.
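On Windows, the MotW described above is stored as an NTFS alternate data stream named Zone.Identifier (ZoneId=3 means the Internet zone). The following PowerShell script is an added defensive example, not part of the Ankura bulletin: it extracts a downloaded archive, audits whether each extracted file still carries the mark, and restamps any file that lost it. The archive and destination paths are constructed placeholders.

```powershell
# Added example (not from the Ankura bulletin): verify that files extracted from a
# downloaded ZIP kept their Mark of the Web, and restamp any that did not.
# Paths are constructed placeholders; adjust for your environment.
param(
    [string]$ZipPath     = "$env:USERPROFILE\Downloads\invoice.zip",  # assumed path
    [string]$Destination = "$env:TEMP\motw-audit"                     # assumed path
)

function Get-ZoneId {
    param([string]$Path)
    # Returns the ZoneId from the Zone.Identifier stream, or $null if the stream is absent.
    try {
        $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
        foreach ($line in $ads) {
            if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
        }
    } catch { }
    return $null
}

function Set-InternetZone {
    param([string]$Path)
    # Writes a Zone.Identifier stream that marks the file as downloaded from the Internet,
    # so SmartScreen, Office Protected View and other MotW consumers treat it as untrusted.
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

# Only propagate the mark if the archive itself carries it; a locally created ZIP would not.
$archiveZone = Get-ZoneId -Path $ZipPath
if ($archiveZone -ne 3) {
    Write-Host "Archive $ZipPath is not marked as Internet zone (ZoneId=$archiveZone); nothing to propagate."
    return
}

Expand-Archive -LiteralPath $ZipPath -DestinationPath $Destination -Force

Get-ChildItem -LiteralPath $Destination -Recurse -File | ForEach-Object {
    $zone = Get-ZoneId -Path $_.FullName
    if ($zone -ne 3) {
        # The mark was dropped during extraction: this is the condition the bypass relies on.
        Write-Warning "MotW missing on $($_.FullName) (ZoneId=$zone); restamping as Internet zone."
        Set-InternetZone -Path $_.FullName
    } else {
        Write-Host "OK: $($_.FullName) carries ZoneId=3"
    }
}
```

Running the audit against an archive extracted before and after the November 2022 update is a quick way to confirm that the patched extraction path now propagates the mark.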


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
