How helpful are estimates about how much cyber attacks cost?

The piece argues that headline cyberattack cost estimates tend to produce fear and public shaming rather than productive action, and advocates concentrating on practical, easy cybersecurity wins. It also highlights Talos findings on YoroTrooper, plus related incidents and industry observations, including AI-assisted threats and high-profile breaches. Hashtags: #YoroTrooper #RagnarLocker #Okta #MGMResorts #CaesarsEntertainment #alfachange #ShadowBrokers

Keypoints

  • The Lloyd’s of London estimate claiming a global cyberattack on payments systems could cost $3.5 trillion is critiqued as potentially unhelpful fear-based framing rather than a practical planning metric.
  • Public shaming over losses from huge cyber incidents can contribute to stigma around disclosure, hindering transparent cybersecurity improvements.
  • New Talos research identifies YoroTrooper as likely operating from Kazakhstan, expanding spam operations, and using Azerbaijan-related false flags to mislead researchers.
  • YoroTrooper targets CIS countries, compromising state-owned websites and government accounts between May and August 2023, with phishing and credential harvesting as core methods.
  • Talos provides indicators of compromise, Snort rules, and ClamAV signatures to detect YoroTrooper activity, highlighting its use of information-stealing malware.
  • Research on generative AI tools is cited as increasing the potential for AI-written malicious code and spam emails, underscoring evolving attacker capabilities.
  • Notable incidents mentioned include the Ragnar Locker arrest and takedown, Okta-related breaches in which stolen session tokens let attackers bypass MFA, and the related impacts on MGM Resorts and Caesars Entertainment.

MITRE Techniques

  • [T1566.002] Phishing – Spearphishing Link – YoroTrooper emails direct victims to credential harvesting sites. [‘phishing emails that direct victims to credential harvesting sites.’]
  • [T1036] Masquerading – Use of Azerbaijan-related false flags to mislead researchers. [‘using Azerbaijan-related false flags to throw researchers off their scent.’]
  • [T1556.006] Modify Authentication Process – Multi-Factor Authentication – Okta administrators were social-engineered into resetting MFA requirements. [‘adversaries tricked Okta multi-factor authentication administrators into resetting requirements, which provided them easier access to the targeted networks.’]
  • [T1550.004] Use Alternate Authentication Material – Web Session Cookie – Stolen session tokens were replayed to access Okta environments without satisfying MFA (T1134, Access Token Manipulation, covers Windows process tokens and does not apply here).
  • [T1486] Data Encrypted for Impact – Ragnar Locker employed double extortion, threatening to leak stolen data. [‘double extortion tactics, threatening to leak any stolen data if the ransom isn’t paid.’]

Indicators of Compromise

  • [SHA256] example1: b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59, example2: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5, and 3 more hashes
  • [MD5] example1: 3b100bdcd61bb1da816cd7eaf9ef13ba, example2: 8c80dd97c37525927c1e549cb59bcbf3, and 3 more hashes
  • [Typical Filename] example1: vt-upload-C6In1, example2: Eternalblue-2.2.0.exe, and 3 more filenames
  • [Detection Name] example1: Backdoor:KillAV-tpd, example2: Win.Exploit.Shadowbrokers::5A5226262.auto.talos, and 3 more names
  • Caveat: at least part of this list is unrelated to YoroTrooper (Eternalblue-2.2.0.exe / Win.Exploit.Shadowbrokers is the leaked Shadow Brokers exploit tooling); the YoroTrooper-specific indicators, Snort rules and ClamAV signatures are in the linked Talos research.
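The hashes above are only useful once they are matched against files on a host. The following is an added example, not code from the Talos newsletter or from Talos: it streams each file through MD5 and SHA256, reports a hash hit as a match, and treats a filename hit alone as a low-confidence hint (filenames are trivially changed). Only the hashes and filenames printed on this page are used; the directory walk, verdict names and the constructed demo files are assumptions about how a responder would use them.

```python
"""Match files on disk against the MD5/SHA256 indicators listed on this page.

Added example (not Talos code). The indicator values are the ones the page
prints; everything else (verdicts, walk, demo inputs) is an assumption.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional, Set, Tuple

# Indicators copied from the page (only the values it actually lists).
IOC_SHA256: Set[str] = {
    "b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59",
    "85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5",
}
IOC_MD5: Set[str] = {
    "3b100bdcd61bb1da816cd7eaf9ef13ba",
    "8c80dd97c37525927c1e549cb59bcbf3",
}
# Filenames are weak indicators: reported as hints, never as a match on their own.
IOC_FILENAMES: Set[str] = {"vt-upload-C6In1", "Eternalblue-2.2.0.exe"}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Tuple[str, str]:
    """Return (md5, sha256) hex digests, streaming so large files need no RAM."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def classify(path: str,
             sha256_set: Optional[Set[str]] = None,
             md5_set: Optional[Set[str]] = None,
             name_set: Optional[Set[str]] = None) -> Dict[str, str]:
    """Verdict for one file: 'match' on any hash hit, 'hint' on filename only, else 'clean'."""
    sha256_set = IOC_SHA256 if sha256_set is None else sha256_set
    md5_set = IOC_MD5 if md5_set is None else md5_set
    name_set = IOC_FILENAMES if name_set is None else name_set
    md5, sha256 = hash_file(path)
    reasons = []
    if sha256 in sha256_set:
        reasons.append("sha256")
    if md5 in md5_set:
        reasons.append("md5")
    name_hit = os.path.basename(path) in name_set
    verdict = "match" if reasons else ("hint" if name_hit else "clean")
    reason = ",".join(reasons) if reasons else ("filename" if name_hit else "")
    return {"path": path, "md5": md5, "sha256": sha256, "verdict": verdict, "reason": reason}


def scan(root: str, **indicator_sets) -> List[Dict[str, str]]:
    """Classify every regular file under root; symlinks are skipped, read errors recorded."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            try:
                findings.append(classify(full, **indicator_sets))
            except OSError as exc:
                findings.append({"path": full, "verdict": "error", "reason": str(exc)})
    return findings


# Known test vectors for b"abc", used by the constructed demo below.
ABC_MD5 = "900150983cd24fb0d6963f7d28e17f72"
ABC_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def demo() -> Dict[str, List[str]]:
    """Constructed sample directory (an assumption, not page data): two files holding
    b"abc", one named like a listed sample. Returns verdicts for a run against the
    page's indicators and for a run where the sample's SHA256 is added as an IOC."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    for name in ("notes.txt", "Eternalblue-2.2.0.exe"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"abc")
    page_run = [f["verdict"] for f in scan(root)]
    seeded_run = [f["verdict"] for f in scan(root, sha256_set=IOC_SHA256 | {ABC_SHA256})]
    return {"page_iocs": page_run, "seeded_iocs": seeded_run}


if __name__ == "__main__":
    print(demo())
```

Run it against a mounted image or a suspect directory by calling scan(path) and filtering out "clean" verdicts; extend the indicator sets with the remaining hashes from the linked research before relying on it, since the page prints only two of each.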

Read more: https://blog.talosintelligence.com/threat-source-newsletter-oct-26-2023/