Corvus Threat Intel
New York Post Hack, Vice Society Diversifies, & Raspberry Robin Malware
New York Post hack, Vice Society diversifies attacks, and Raspberry Robin malware.
New York Post Confirms It Was Hacked, Says It Was an Insider Threat
The New York Post confirmed it was hacked last week after offensive headlines were published on its website and Twitter page. The offensive headlines and tweets referenced politicians such as U.S. President Joe Biden, New York City Mayor Eric Adams, New York Representative Alexandria Ocasio-Cortez, New York Governor Kathy Hochul, Texas Governor Greg Abbott, and Illinois Representative Adam Kinzinger. The New York Post later confirmed this unauthorized content was published by an insider. The “rogue employee” was promptly fired, and the Post declined to provide further evidence or confirm how the unauthorized access occurred. This comes just weeks after Fast Company, another media outlet, was breached through its content management system and had offensive headlines sent to its readers via Apple News push notifications.
Why This Matters
The reputational damage of such incidents can be harmful for any company, but especially media outlets. Insider threats can be just as devastating as external attacks. While we don’t know exactly how this occurred, good access management practices can help with both internal and external threats. Ensure only those with a crucial business need are authorized to access important services on your network such as sensitive data or public-facing content management accounts. Strong passwords and MFA throughout your organization can help prevent account takeovers. Accountability through logging and permissions auditing can likewise help protect you against internal and external threats.
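The access-management points above (privileged access only where there is a business need, MFA everywhere, and auditable permissions) can be turned into a routine check. The script below is an added example, not code from Corvus or from the New York Post; it runs over a constructed CMS user export, and the role names, the 90-day staleness threshold, and the record layout are assumptions.

```python
"""Audit a CMS user export for least-privilege and MFA gaps.

Added example, not part of the original newsletter. The user records,
role names ("publish", "admin", "draft") and the 90-day staleness
window are all constructed assumptions; a real run would read the
export from the CMS or identity provider instead.
"""
from datetime import date

# Constructed sample export: who holds which roles, whether MFA is on,
# and when the account last used a publish right (None = never).
USERS = [
    {"user": "editor1",  "roles": ["publish"],          "mfa": True,  "last_publish": date(2022, 10, 25)},
    {"user": "intern",   "roles": ["publish"],          "mfa": False, "last_publish": None},
    {"user": "ops_bot",  "roles": ["admin", "publish"], "mfa": False, "last_publish": date(2022, 3, 1)},
    {"user": "reporter", "roles": ["draft"],            "mfa": True,  "last_publish": None},
]

# Roles that can change public-facing content or other accounts.
PRIVILEGED = {"publish", "admin"}


def audit(users, today, stale_days=90):
    """Return (user, finding) pairs for privileged accounts that lack MFA
    or have not exercised their privileged right within stale_days."""
    findings = []
    for u in users:
        if not PRIVILEGED & set(u["roles"]):
            continue  # unprivileged accounts are out of scope here
        if not u["mfa"]:
            findings.append((u["user"], "privileged role without MFA"))
        last = u["last_publish"]
        if last is None or (today - last).days > stale_days:
            findings.append((u["user"], f"privileged right unused for >{stale_days} days"))
    return findings


def audit_report(users, today):
    """Render findings as log lines so the audit itself leaves a record."""
    return [f"{today.isoformat()} AUDIT {user}: {finding}"
            for user, finding in audit(users, today)]


if __name__ == "__main__":
    for line in audit_report(USERS, date(2022, 11, 1)):
        print(line)
```

Each finding is a candidate for removal of the role or enforcement of MFA; reviewing the list on a schedule is what makes the permissions auditable rather than a one-off cleanup.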
- New York Post Says Rogue Employee Was Behind Vulgar and Racist Posts (The New York Times)
- New York Post hacked with offensive headlines targeting politicians (BleepingComputer)
Vice Society Ransomware Using Other Payloads in Attacks
In any ransomware attack it can be difficult to know exactly who you are dealing with. Often the ransom note will provide the name of a ransomware group, but these organizations aren’t exactly like the legitimate companies we work for. So who exactly are you dealing with? This week Microsoft released a report detailing findings that the Vice Society ransomware gang has been using alternate malware in its attacks, including some developed by other ransomware groups. Normally Vice Society employs double extortion, where they both steal data and encrypt systems. However, Microsoft reported that in some instances Vice Society has opted to skip encryption altogether and perform data theft only. The group goes to great lengths to make recovery difficult when it does employ encryption, and has been observed changing passwords to lock out legitimate users prior to encryption. In September 2022, CISA reported that Vice Society has disproportionately attacked educational institutions, including school districts.
Why This Matters
Beyond our innate desire to understand who the adversary is when undergoing a cyberattack, it’s also important to be well informed for tactical reasons. Knowing that Vice Society deploys other ransomware binaries is helpful for a number of reasons. If you are an organization such as a school district that may be targeted by Vice, factor in the known malware you should be looking to detect, which now includes some typically used by other ransomware groups. Despite Vice’s attempts to throw you off, EDR solutions can be helpful here since many are designed to detect the behavior of many different ransomware strains.
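One behaviour the section above attributes to Vice Society, resetting many users' passwords to lock them out shortly before encryption, is visible in ordinary Windows Security logs regardless of which ransomware binary is dropped afterwards. The detection below is an added example, not code from Corvus or Microsoft: it looks for one principal resetting an unusual number of distinct accounts in a short window using event 4724 ("An attempt was made to reset an account's password"). The sample log lines are constructed, and the five-account threshold and ten-minute window are assumptions to tune against your own help-desk baseline.

```python
"""Flag a burst of password resets by a single account.

Added example, not from the newsletter. Input lines are a constructed,
pipe-separated reduction of Windows Security event 4724 fields:
timestamp | EventID | SubjectUserName (who reset) | TargetUserName (whose).
Threshold and window are assumptions; calibrate them to normal help-desk volume.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one service account resets five users in 22 seconds,
# followed by routine help-desk resets hours apart.
SAMPLE_LOG = """\
2022-10-30T02:00:05|4724|svc_backup|jsmith
2022-10-30T02:00:09|4724|svc_backup|mlee
2022-10-30T02:00:14|4724|svc_backup|rkhan
2022-10-30T02:00:20|4724|svc_backup|apatel
2022-10-30T02:00:27|4724|svc_backup|dwong
2022-10-30T02:00:31|4724|svc_backup|jsmith
2022-10-30T09:15:00|4724|helpdesk1|bgarcia
2022-10-30T14:40:00|4724|helpdesk1|tnguyen
"""


def parse_resets(log):
    """Return (timestamp, actor, target) tuples for 4724 events only."""
    events = []
    for line in log.splitlines():
        ts, event_id, actor, target = line.split("|")
        if event_id == "4724":
            events.append((datetime.fromisoformat(ts), actor, target))
    return events


def find_reset_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding window per actor: alert when one actor resets at least
    `threshold` distinct accounts within `window`. Returns
    (actor, first_ts, last_ts, distinct_targets), one alert per actor."""
    by_actor = defaultdict(list)
    for ts, actor, target in events:
        by_actor[actor].append((ts, target))

    alerts = []
    for actor, items in by_actor.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Shrink the window from the left until it spans <= `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {t for _, t in items[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append((actor, items[start][0], items[end][0], len(distinct)))
                break  # first qualifying window per actor is enough to alert
    return alerts


if __name__ == "__main__":
    for actor, first, last, n in find_reset_bursts(parse_resets(SAMPLE_LOG)):
        print(f"ALERT {actor} reset {n} accounts between {first} and {last}")
```

Counting distinct targets rather than raw events keeps a user who retries their own reset from tripping the rule; an alert here is worth treating as a possible pre-encryption step, since it precedes the ransomware binary that EDR would otherwise be the first to see.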
- DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector (Microsoft Security Blog)
Raspberry Robin Operators Selling Access to Thousands of Devices
A new type of malware nicknamed Raspberry Robin is becoming a successful underground business enterprise. Just a few months after its discovery in May 2022, it is now one of the largest malware distribution platforms currently active. Its operators are using it to infiltrate organizations and then sell access to other cybercriminals including ransomware operators. This development is another indicator of the division of labor among cybercriminals. Malware developers often sell or license access to other hackers for a fixed fee or profit sharing. Here, the Raspberry Robin operators are using their malware as initial-access-as-a-service, selling access to compromised victims for Clop, Lockbit, or other ransomware gangs to then exploit.
Why This Matters
As Raspberry Robin is quickly becoming more popular with threat groups, organizations of all types should make themselves aware of this new threat. Deploying EDR throughout the organization is the best detection and mitigation strategy for malware like this. If proactive threat hunting is possible, security teams should look for the latest IOCs and stay up to date on how this malware is transforming.
- Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity (Microsoft Security Blog)
This article and its contents are intended for general guidance and informational purposes only. This article is under no circumstances intended to be used or considered as specific insurance or information security advice