More stories


    SolarWinds attackers breached email of US prosecutors, says Department of Justice

    The US Justice Department (DoJ) has revealed the extent to which hackers had access to officials’ emails through the SolarWinds breach it disclosed in January. The FBI, CISA, ODNI, and the NSA said that month that Kremlin-backed hackers most likely tainted a software update from enterprise IT vendor SolarWinds. Since then, the US and UK have officially blamed Russian intelligence services for the attack, and US president Joe Biden has announced sanctions against Russia over it.


    The DoJ said in an updated statement that it was treating the source of the attack as an Advanced Persistent Threat (APT) that gained much broader access to the department’s Microsoft Office 365 (O365) email systems than the 3% of non-classified email it initially thought was accessed. “While other districts were impacted to a lesser degree, the APT group gained access to the O365 email accounts of at least 80% of employees working in the U.S. Attorneys’ offices located in the Eastern, Northern, Southern, and Western Districts of New York,” the DoJ said in a new statement. The department has published a list of the 27 districts that had one or more employees’ O365 email accounts compromised in the SolarWinds attack. The compromised accounts affected both the US government and the private sector, it added. The DoJ also disclosed that the hackers had access to the compromised email accounts for at least six months, from around May 7 to December 27, 2020.

    “The Department is responding to this incident as if the Advanced Persistent Threat (APT) group responsible for the SolarWinds breach had access to all email communications and attachments found within the compromised O365 accounts,” the DoJ said. Compromised data included all sent, received, and stored emails and attachments found within those accounts during that time, it said. The SolarWinds breach resulted in the compromise of major US tech and cybersecurity companies and key federal agencies, including the US Treasury Department, the Cybersecurity and Infrastructure Agency (CISA), the Department of Homeland Security (DHS), the US Department of State, and the US Department of Energy (DOE).


    Ransomware operators love them: Key trends in the Initial Access Broker space

    The Initial Access Broker market continues to expand, with fees a drop in the ocean in comparison to the potential rewards of a successful ransomware attack. 

    Initial Access Brokers (IABs) are individuals or groups who have quietly obtained access to a corporate network or system through means including, but not limited to, stolen credentials, brute-force attacks, or the exploitation of vulnerabilities. In recent years, ransomware-as-a-service (RaaS) groups have taken an interest in these brokers: by employing them directly or paying them a fee in return for access to a target system, they can skip the first step of an intrusion, the time-consuming process of finding a vulnerable endpoint.

    On Monday, cybersecurity firm KELA published a report exploring the Initial Access Broker market and found that the average cost of network access was $5,400, while the median price was $1,000. When you consider that today’s ransomware demands reach millions of dollars, this is a small price to pay from a criminal’s perspective.

    The team examined over a thousand listings on dark web underground forums from July 1, 2020, to June 30, 2021, and found that initial access ads included a range of network and compromised-account offerings, such as remote access to a computer in an organization, as well as domain-level privileged account access and both RDP- and VPN-based remote access. In total, 25% of the listings were posted by brokers.

    Unsurprisingly, the most valuable offers, and therefore those earning the top prices, were initial access services offering domain-level privileges in companies boasting hundreds of millions of dollars in revenue. The most expensive initial access services were for an Australian company generating an annual revenue of $500 million, at 12 Bitcoin (BTC) or roughly $478,000, and access to an IT company in the United States, through ConnectWise, for 5 BTC ($200,000). Access to small companies may cost as little as $200. “While some actors are ready to work for a percentage (a share from the amount gained in a successful ransomware attack), the majority of IAB prefer to stick to fixed prices,” KELA says.

    It should also be noted that as a string of high-profile ransomware attacks, including Kaseya and Colonial Pipeline, has put law enforcement and governments on notice, some brokers are moving from public adverts to private conversations with RaaS groups. As the bottom line is at the heart of this business model, some Initial Access Brokers were linked to data theft even when their services were not purchased, potentially in order to sell stolen records in bulk as an alternative revenue stream. The top impacted countries included the United States, UK, Australia, France, and Canada. The report does note that there seems to be some form of honor among thieves, with few ads found relating to healthcare systems such as those operated by hospitals. “IABs have become professional participants of the RaaS economy,” KELA says. “They constantly find new initial access vectors, expanding the attack surface, and follow their customers’ demands.”


    Toll unsure if it lawyered up to avoid ASD assistance following ransomware attack

    Australian logistics giant Toll is not sure whether it was the company that avoided assistance from the government when it was struck by ransomware. Last year, Toll fell victim to ransomware on two occasions. Appearing before the Parliamentary Joint Committee on Intelligence and Security (PJCIS) last month as part of its review of the Security Legislation Amendment (Critical Infrastructure) Bill 2020, Toll global head of information security Berin Lautenbach said his organisation had received help from the Australian Signals Directorate (ASD), which included having software installed on its systems. During the hearing, Lautenbach, like the other organisations testifying before the PJCIS, was asked whether it was his company that ASD Director-General Rachel Noble was referring to when she revealed that a company had declined to talk to the agency about an incident it had experienced. At the time, Lautenbach said “certainly not”. In a submission [PDF] made available on Monday, Toll has revised that testimony.

    “We are very grateful for the Australian Signals Directorate’s (ASD) support during the two cyber attacks Toll experienced in 2020. Toll is not in a position to know which company Ms Noble is referring to, and while indeed it may be Toll, we note that the ASD has never raised any formal concerns with our response to date,” the company wrote. “Following further internal discussions, we continue to be of the opinion that Toll acted transparently and cooperatively with the ASD. However, we recognise that we may not have responded at the pace the ASD may have expected due to the crisis we were experiencing.”

    Noble had told the PJCIS in June that the ASD found out about the attack on a well-known company after reading about it in the media. “Then we tried to reach out to the company to clarify if the media reports were true, and they didn’t want to talk to us. We kept pushing … at times, we have spent nearly a week negotiating with lawyers about us even being able to obtain just the basic information,” she said. “Asking, ‘Can we please just have some data from your network; we might be able to help by telling you quickly who it is, what they’re doing and what they might do next?’” Noble said that five days later, the ASD was still getting “very sluggish engagement”. “On day 14, we were only able to provide them with generic protection advice, and their network was still down. Three months later they got reinfected and we started again,” she said.

    Toll’s first attack happened in January, with the company reporting the second incident in late May. In March last year, Noble told the Foreign Affairs, Defence and Trade Legislation Committee as part of Senate Estimates that the ASD and its Australian Cyber Security Centre (ACSC) had been working with Toll. “Throughout February this year, the ACSC has worked closely with Toll Group, at their behest, in relation to their recent ransomware incident,” she said in a statement entered straight into Hansard. “Our assistance has included providing technical experts to identify the nature and extent of the compromise, and provide Toll with tailored mitigation advice.”


    Zoom to pay $85m to set aside privacy violation and zoombombing allegations

    Zoom has agreed to an $85 million settlement of a class action lawsuit that accused the company of improperly sharing user data through third-party software integrations with various digital platforms. The preliminary settlement [PDF] was filed over the weekend and is currently awaiting court approval. From March to May last year, 14 lawsuits were filed against Zoom, which were then consolidated into a single class action. In the lawsuit, the class members claimed Zoom misled users about its encryption capabilities, shared user data with digital platforms without consent, and had inadequate security and privacy controls, which resulted in zoombombings. Zoombombings are unwanted and unauthorised interruptions of Zoom meetings by outside participants. The US Department of Justice last year made zoombombing a crime, with people who conduct zoombombing liable to fines or arrest on a variety of state or federal charges.

    The $85 million amount, if approved, would be allocated so that users who paid for an account are eligible to receive the greater of 15% of the money they paid to Zoom for their core Zoom Meetings subscription from April to October 2020 or $25. Other users who did not have a paying account may be eligible to receive up to $15. While Zoom earned $1.3 billion in subscriptions from class members, the plaintiffs’ lawyers said the $85 million settlement was reasonable in light of the significant risks of litigation. “Although plaintiffs firmly believe their liability case is strong and that class certification is warranted, it is uncertain whether the court ultimately would grant certification, deny a motion for summary judgment filed by Zoom, or ever find that plaintiffs are entitled to damages,” the plaintiffs’ lawyers added.

    Along with the $85 million payment, Zoom has also agreed to implement various changes focused on improving security, bolstering privacy, and safeguarding consumer data. The company has agreed to provide in-meeting notifications that make it easier for users to understand who can see, save, and share Zoom users’ information and content, by alerting users when a meeting host or another participant uses a third-party application during a meeting. Zoom will also not reintegrate the Facebook software development kit (SDK) for iOS into Zoom meetings for a year, and will request that Facebook delete any US user data obtained from the SDK. In the settlement motion, the plaintiffs have also applied to have Zoom pay their legal fees, which would amount to an additional $21.25 million. If the settlement is approved, Zoom will have denied any wrongdoing alleged in the lawsuit.


    Ransomware attempt volume sets record, reaches more than 300 million for first half of 2021: SonicWall

    A new report from SonicWall found that attempted ransomware attacks skyrocketed in the first half of 2021, with 304.7 million attempted attacks seen by the company. SonicWall researchers saw a record number of attempted attacks in both April and May, but both months were beaten by June, which had a record 78.4 million attempted ransomware attacks. The total figure of ransomware attacks seen by SonicWall in the first half of 2021 smashed the 2020 total of 304.6 million. The fact that the first six months of 2021 have already surpassed all of 2020 alarmed SonicWall researchers, who added that it represented a 151% year-on-year increase. “Even if we don’t record a single ransomware attempt in the entire second half (which is irrationally optimistic), 2021 will already go down as the worst year for ransomware SonicWall has ever recorded,” the report said.

    According to the 2021 SonicWall Cyber Threat Report, ransomware volume seen by the company hit massive year-to-date spikes in the US, at 185%, and the UK, at 144%. The US, UK, Germany, South Africa and Brazil topped the list of countries most impacted by ransomware in the first half of 2021. Within the US, the hardest-hit state from a ransomware perspective was Florida, which saw 111.1 million ransomware attempts. New York had 26.4 million, Idaho saw 20.5 million, and Rhode Island and Louisiana each dealt with nearly 9 million.

    The report was compiled from information gathered by the SonicWall Capture Threat Network, which “monitors and collects information from global devices” including more than 1.1 million security sensors in 215 countries and territories. The report also features cross-vector, threat-related information shared among SonicWall security systems, including firewalls, email security devices, endpoint security solutions, honeypots, content filtering systems and the SonicWall Capture Advanced Threat Protection multi-engine sandbox. The network collects malware and IP reputation data from tens of thousands of firewalls and email security devices around the globe, and the report also draws on shared threat intelligence from more than 50 industry collaboration groups and research organizations.

    The report notes that the ransomware problem continues to worsen, and the data showed that Q2 2021 was far worse than Q1. Q2 was the worst quarter ever recorded by the company, with a ransomware volume of 188.9 million, far surpassing the Q1 figure of 115.8 million. Ransomware attacks are also increasingly spreading worldwide: Europe suffered a 234% increase in ransomware volume while North America saw an increase of 180%, and Asia saw its high point in March. But the US still leads the way globally, nearly matching the combined ransomware volume of the next nine countries on the top-10 list of most attacked countries.

    For 2021, the most commonly attacked industry is government, which saw three times as many attacks as last year. Government targets face more attacks than almost every other industry each month. By June, government customers saw 10 times as many ransomware attempts, an overall spike of 917%. Customers in the education field also saw a significant number of ransomware attempts, with an increase of 615%. SonicWall Capture Labs threat researchers found alarming ransomware spikes across healthcare (594%) and retail (264%) organizations as well. The Ryuk, Cerber and SamSam ransomware families accounted for 64% of all attempted ransomware attacks, according to data from SonicWall’s Capture Labs. Ryuk alone accounted for 93.9 million attempts, tripling the number of Ryuk attempts seen in the first six months of 2020. Cerber ended 2020 as the second most seen ransomware family, according to SonicWall, and continued this trend with 52.5 million attempted attacks in the first six months of 2021, ramping up in April and May. SamSam doubled its 2020 volume in the first half of 2021 with 49.7 million attempted attacks; in June alone, it launched 15.7 million attacks. SonicWall CEO Bill Conner said the latest data shows that sophisticated threat actors are adapting their tactics and embracing ransomware to reap financial gain and sow discord. “With remote working still widespread, businesses continue to be highly exposed to risk, and criminals are acutely aware of uncertainty across the cyber landscape,” Conner said.

    The report also tracks malware, finding that the instances seen by SonicWall have been decreasing since their peak of 10.5 billion in 2018. Malware reached a six-year low in 2020 with 5.6 billion attempts, and the first six months of 2021 saw 2.5 billion attempts. “But as it will become apparent by reading the rest of this report, less malware isn’t the same as less cybercrime. Instead, it’s a sign that the traditional malware associated with spray-and-pray attacks of yesterday is being abandoned…usually in favor of more specialized, more sophisticated and more targeted attacks, capable of making criminals much more money and leaving much more devastation in their path,” the report said. Both North America and Europe saw dips in malware volume, but Asian countries saw a 23% increase. Malware skyrocketed in India and Germany in the first part of the year, with India seeing 147.2 million malware attempts, an increase of 83% year over year, and Germany seeing 150.4 million malware attempts, a staggering 465% increase. SonicWall researchers note that some countries outside the top-10 list were still suffering from malware: SonicWall said an organization in Vietnam had a 36.4% chance of seeing a malware attempt, higher than in any other country. The company’s Real-Time Deep Memory Inspection™ also discovered 185,945 “never-before-seen” malware variants, up 54% from the first half of 2020. The report did include some good news: the volume of malicious PDF files and Office files dropped for the first time since 2018. Malware targeting IoT, however, skyrocketed in 2021 with more than 32 million attacks, and in the US attempts on IoT increased by 15%. “While the nine vulnerabilities, collectively known as ‘Name:Wreck,’ all have patches available as of the time of this writing, many IoT devices lack the ability to be easily patched (or patched at all), meaning we may see attacks arising from these vulnerabilities for years into the future,” the report noted.

    Cryptojacking attempts also grew a staggering amount in the first half of 2021. Of the 51.1 million cryptojacking attempts in 2021, the number of attacks rose 118% in Asia and 248% in Europe. “The continued rise of ransomware, cryptojacking and other unique forms of malware targeted at monetization, along with their evolution of tactics, are evidence that cybercriminal activity always follows the money and rapidly adapts to new opportunities and changing environments,” said SonicWall Vice President of Platform Architecture Dmitriy Ayrapetov.


    Microsoft: This Windows and Linux malware does everything it can to stay on your network

    Microsoft has continued its analysis of the LemonDuck malware, known for installing crypto-miners in enterprise environments, and it makes a strong case for why it is worth removing it from your network. This group, according to Microsoft, has a well-stocked arsenal of hacking tools, tricks and exploits aimed at one thing: keeping exclusive access to a compromised network for as long as possible. While crypto-mining malware could be dismissed as a nuisance, LemonDuck’s behaviour suggests the attacker group really does try to own compromised networks, by disabling anti-malware, removing rival malware, and even automatically patching vulnerabilities in a competitive effort to keep rival attackers from feeding off its turf. “This allows them to limit the visibility of the attack to [security operations center] analysts within an organization who might be prioritizing unpatched devices for investigation, or who would overlook devices that do not have a high volume of malware present,” Microsoft explained in a follow-up to its earlier LemonDuck analysis. The critical so-called ProxyLogon Microsoft Exchange Server exploits from March and April were treated this way by LemonDuck attackers: they used the bugs to install web shells on Exchange servers for remote access to unpatched systems and to install additional LemonDuck malware. In some cases, LemonDuck attackers used renamed copies of the Microsoft Exchange On-Premises Mitigation Tool (released by Microsoft on March 15) to fix the very bug they had used to gain access, according to Microsoft. “They did so while maintaining full access to compromised devices and limiting other actors from abusing the same Exchange vulnerabilities,” it adds. They also use file-less malware that executes in memory, together with process injection, making it harder to remove from an environment.

    Microsoft’s description of LemonDuck’s techniques and tools suggests the group has put a lot of effort into being difficult to kick off a network, while using multiple methods to gain a foothold, including password-guessing attacks and exploits against SSH, MSSQL, SMB, Exchange, RDP, Redis and Hadoop YARN on Linux and Windows systems. LemonDuck’s automated entry relies on a small JavaScript file that launches a PowerShell command process, which in turn launches Notepad and the PowerShell script embedded in the JavaScript. Manual entry involves RDP brute-force password attacks or the Exchange bugs. Human operators then create scheduled tasks and scripts that provide file-less persistence by re-running the PowerShell download script to pull from command-and-control (C2) infrastructure; the aim is to re-enable any malware components that have been disabled or removed. Web shells, too, persist on a system even after the vulnerability used to plant them has been patched. To make persistence more resilient, the attackers host scripts on multiple sites (making takedown harder) and, as a backup, also use WMI event consumers or a toolkit that includes RDP access, Exchange web shells, ScreenConnect, and remote access tools (RATs). LemonDuck attempts to disable the cloud-based Microsoft Defender for Endpoint real-time monitoring by adding the entire C: drive to the Microsoft Defender exclusion list; Windows 10 Tamper Protection should prevent these actions. Other vendors’ products targeted by LemonDuck’s anti-malware removal routines include ESET, Kaspersky, Avast, Norton Security, and Malwarebytes. Once inside a network, one of LemonDuck’s tools checks whether a compromised device is running Outlook; if so, it scans the mailbox for contacts and starts spreading the malware in emails with .zip, .js, or .doc/.rtf attachments.

    “The attackers were also observed manually re-entering an environment, especially in instances where edge vulnerabilities were used as an initial entry vector,” Microsoft explains. “The attackers also patch the vulnerability they used to enter the network to prevent other attackers from gaining entry. As mentioned, the attackers were seen using a copy of a Microsoft-provided mitigation tool for Exchange ProxyLogon vulnerability, which they hosted on their infrastructure, to ensure other attackers don’t gain web shell access the way they had.” In other words, LemonDuck might only be deploying crypto-miners that drain CPU resources, but the lengths it goes to in order to stay on a network put it in a different light than a mere nuisance. It could be well worth security teams’ time to review Microsoft’s tips, towards the end of its analysis, for hunting down LemonDuck threats and tools on a network, because once LemonDuck is aboard it really doesn’t want to leave.
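    The evasion and persistence behaviours described above (adding the whole C: drive to the Defender exclusion list, relying on Tamper Protection being off, and falling back to WMI event consumers) are things a defender can check on a Windows host in a few lines. The following PowerShell triage script is an added example, not Microsoft’s code nor anything from its LemonDuck analysis: it lists Defender path exclusions that cover a whole drive or system tree, reports whether Tamper Protection is enabled, and enumerates permanent WMI event-subscription bindings so they can be reviewed. The cmdlets it uses (Get-MpPreference, Get-MpComputerStatus, Get-CimInstance) ship with Windows; the "broad exclusion" pattern and the function names are assumptions made for illustration.

```powershell
# Added example (not Microsoft's or ZDNet's code): host triage for the three
# LemonDuck-style evasion/persistence points described in the article.
# Assumes Windows 10 / Windows Server with Microsoft Defender present and an
# elevated PowerShell session (the root\subscription namespace needs admin).

function Get-BroadDefenderExclusion {
    # Returns Defender path exclusions that cover an entire drive (e.g. "C:" or
    # "C:\") or a whole system tree. The pattern is an assumption: tune it to
    # your environment's legitimate exclusions.
    $pref = Get-MpPreference
    $broad = @()
    foreach ($p in @($pref.ExclusionPath)) {
        if ([string]::IsNullOrWhiteSpace($p)) { continue }
        if ($p -match '^[A-Za-z]:\\?$' -or
            $p -match '^[A-Za-z]:\\(Users|Windows|ProgramData)\\?$') {
            $broad += $p
        }
    }
    return $broad
}

function Test-TamperProtection {
    # Tamper Protection is what should have blocked LemonDuck's exclusion edits.
    $status = Get-MpComputerStatus
    return [bool]$status.IsTamperProtected
}

function Get-WmiEventBinding {
    # Permanent WMI subscriptions live in root\subscription. A filter bound to a
    # CommandLineEventConsumer or ActiveScriptEventConsumer is the classic
    # file-less persistence shape; list every binding for human review.
    $ns = 'root\subscription'
    $bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding `
        -ErrorAction SilentlyContinue
    foreach ($b in @($bindings)) {
        [pscustomobject]@{
            Filter   = [string]$b.Filter
            Consumer = [string]$b.Consumer
        }
    }
}

# Collect findings into a simple report.
$findings = @()
$broad = @(Get-BroadDefenderExclusion)
if ($broad.Count -gt 0) {
    $findings += "Broad Defender exclusions: $($broad -join ', ')"
}
if (-not (Test-TamperProtection)) {
    $findings += 'Tamper Protection is OFF (exclusion edits by malware would succeed)'
}
$wmi = @(Get-WmiEventBinding)
if ($wmi.Count -gt 0) {
    $findings += "WMI filter-to-consumer bindings present: $($wmi.Count) (review each)"
    $wmi | Format-Table -AutoSize | Out-String | Write-Output
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

    The script only reads state and prints it; it does not remove exclusions or subscriptions, because a legitimate product may own some of them and the right fix is to turn Tamper Protection back on and investigate the host rather than silently undo one change.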


    VPN deal: Save 30% on the highest-rated VPN services

    The world is opening up again to travel, but while you’re researching all the best travel tech you’ll need to take with you, don’t forget to grab a VPN subscription before you go. Not only will you want to stay safe on public WiFi in all those neat cafes, but you may want to pass the time in airports watching some of your favorite content from back home, which could be restricted in your location. A good VPN is key to your security and a big help with entertainment, so take a look at some of the bargains on offer at the moment.

    FastestVPN: Lifetime subscription (10 devices)
    Get the utmost privacy and protection on up to 10 devices with military-grade encryption, NAT firewall, strict no-logging policy, and a kill switch. With 200 high-speed servers and unlimited bandwidth, you can access unrestricted content, and USA Netflix is supported. For a limited time only, get FastestVPN: Lifetime Subscription (10 Devices) for $17.49 (reg. $1200) with code ANNUAL30.

    Ivacy VPN: Lifetime subscription
    Enjoy powerful 256-bit encryption, completely anonymous P2P file-sharing and unrestricted access to bufferless HD video, all at blazing fast speeds with over 1,000 servers in more than 100 worldwide locations. Also defeat port blocking and ISP speed throttling, and log in on up to five devices simultaneously. For a limited time only, get Ivacy VPN: Lifetime Subscription for $27.99 (reg. $1194) with code ANNUAL30.

    SurfShark VPN: Two-year subscription
    This is the only VPN that allows you to connect an unlimited number of devices simultaneously, as well as use unlimited data and unlimited bandwidth. You also get ultimate protection and privacy with military-grade encryption, IPv6 leak protection, zero-knowledge DNS and a kill switch. Over 1,200 torrent-friendly servers let you bypass geo-restrictions to enjoy unrestricted content. For a limited time only, get SurfShark VPN: 2-Yr Subscription for $39.89 (reg. $290) with code ANNUAL30.

    BulletVPN: Lifetime subscription

    Enjoy an enhanced browsing, content viewing, and gaming experience thanks to the premium grade carrier lines that provide the fastest possible speed on hundreds of highly encrypted servers. Unblock the top video sites such as Netflix, Amazon Prime Video, Hulu, BBC iPlayer and more. For a limited time only, get BulletVPN: Lifetime Subscription for $27.29 (reg. $540) with code ANNUAL30.

    Disconnect VPN Premium: Lifetime subscription
    Keep your data safe while increasing the speed of your internet connection. Block tracking and mask your location to access geo-restricted content. This is the New York Times anti-tracking tool of choice. Get Disconnect VPN Premium: Lifetime Subscription for $13.99 (reg. $300) with code ANNUAL30.

    SlickVPN: Lifetime subscription
    With more than 125 gateways located in over 45 countries, SlickVPN uses connections with bank-grade 256-bit encryption to mask your traffic from everyone and provides HYDRA protection to keep you safe no matter where you are. Yet you will still enjoy unthrottled speed while accessing your favorite content without geo-restrictions. For a limited time only, get SlickVPN: Lifetime Subscription for $13.99 (reg. $1200) with code ANNUAL30.

    KeepSolid VPN Unlimited: Lifetime subscription
    Get ultimate privacy and protection with military-grade AES 256-bit encryption and a zero-log policy, with 24/7 customer support and no limits on speed or bandwidth. Enjoy the convenience of over 400 servers in more than 80 locations across the globe, as well as features such as Favorite Servers, Trusted Networks and more. For a limited time only, get KeepSolid VPN Unlimited: Lifetime Subscription for $27.99 (reg. $199) with code ANNUAL30.

    VPN.asia: 10-year subscription
    Using high-strength 256-bit encryption, VPN.asia protects your data and hides your location while running in the background so it won’t slow down your internet connection. Best of all, it can easily be used on a wide variety of devices, including Amazon Firestick, Android TV and much more. For a limited time only, get VPN.asia: 10-Year Subscription for $55.99 (reg. $290) with code ANNUAL30.

    NordVPN: Two-year subscription + $10 store credit
    This is the service that was rated a perfect 5 out of 5 stars by PCMag, CNET and TrustPilot. It offers bulletproof security with double encryption (double data SSL-based 2048-bit encryption), a strict zero-logs policy and an automatic kill switch. And you can still enjoy unrestricted instant high-speed access to your favorite content. For a limited time only, get NordVPN 2-Yr Subscription + $10 Store Credit for $62.30 (reg. $286) with code ANNUAL30.

    Private Internet Access VPN: Two-year subscription + $15 store credit
    Get access to more than 10,000 servers in over 70 countries and enjoy unlimited bandwidth at lightning-fast speeds on up to 10 devices simultaneously. Your privacy is secured by the no-logging policy, and powerful encryption provided by the Blowfish CBC algorithm protects your data. For a limited time only, get Private Internet Access VPN 2-Yr Subscription + $15 Store Credit for $48.97 (reg. $268) with code ANNUAL30.



    Microsoft warns: These attackers can go from first contact to launching ransomware in just 48 hours

    Microsoft is warning that the BazarCall (or BazaCall) call center malware operation is more dangerous than first thought, with initial attacks potentially leading to ransomware within 48 hours. The group has been targeting Office 365/Microsoft 365 customers with phishing emails about bogus ‘expiring’ trial subscriptions that dupe the target into calling a call center and chatting with an operator, who then tries to trick the victim into installing the BazaCall backdoor. The Microsoft 365 Defender Threat Intelligence Team spotlighted the group in June, as ZDNet reported at the time, and in a new post it outlines how the threat is more dangerous than previously reported, allowing the attackers to distribute ransomware or steal data within 48 hours of infection. “Apart from having backdoor capabilities, the BazaLoader payload from these campaigns also gives a remote attacker hands-on-keyboard control on an affected user’s device, which allows for a fast network compromise,” the Microsoft team says. “In our observation, attacks emanating from the BazaCall threat could move quickly within a network, conduct extensive data exfiltration and credential theft, and distribute ransomware within 48 hours of the initial compromise.” The BazaCall group has apparently teamed up with the group behind the Ryuk ransomware, which has made about $150 million in Bitcoin from its attacks. A notable difference in the BazaCall group’s tactics is that it doesn’t use phishing links or send malicious attachments, which helps it avoid classic detection systems. The technique is closer to call center fraud, and victims are connected to a human operator.

    “Hands-on-keyboard control further makes this threat more dangerous and more evasive than traditional, automated malware attacks,” Microsoft warns. The call center and email outreach parts of the operation seem reasonably well organized. While subject lines in the emails are repeated, each email is tagged with a unique alphanumeric string, presented as a user ID or transaction code, in order to identify the victim across multiple calls. The initial call center operator discusses the expiring subscription and then recommends the victim visit a faked website where they can supposedly cancel the subscription to avoid future monthly fees. The agent instructs the victim to navigate to the account page and cancel the subscription by downloading a file, which turns out to be a macro-enabled Excel document, and then to click ‘enable content’ on Microsoft’s default Excel warning that macros have been disabled. Microsoft has provided additional details on the group’s use of malicious macros in these Excel files to download the Cobalt Strike penetration testing kit, gain ‘hands-on-keyboard’ control of a victim’s machine, and search the network for admin and domain administrator account information in order to exfiltrate data or deploy Ryuk or the related Conti ransomware. The group is, according to Microsoft’s description, relying on relatively sophisticated ‘living-off-the-land’ techniques (misusing legitimate software tools) for its network activity. If the attackers find a high-value target, they use 7-Zip to archive intellectual property, such as information about security operations, finance and budgeting, for exfiltration. In cases where ransomware was deployed after compromise, the attackers used compromised high-privilege accounts with Cobalt Strike’s PsExec functionality to distribute Ryuk or Conti ransomware to devices across the network, according to Microsoft.