CyberWire Daily - CISA Alert AA22-249A – #StopRansomware: Vice Society. [CISA Cybersecurity Alerts]
Episode Date: September 6, 2022

CISA, the FBI, and the Multi-State Information Sharing and Analysis Center, or MS-ISAC, are releasing this advisory to disseminate indicators of compromise and TTPs associated with Vice Society actors and their ransomware campaigns. The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks.

AA22-249A Alert, Technical Details, and Mitigations

Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.

Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.

No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Transcript
You're listening to the CyberWire Network, powered by N2K. Original release date, September 6, 2022.
CISA, the FBI, and the Multi-State Information Sharing and Analysis Center, or MS-ISAC,
are releasing this advisory to disseminate indicators of compromise and TTPs associated with Vice Society actors and their ransomware campaigns.
The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors
disproportionately targeting the education sector with ransomware attacks. Vice Society is an
intrusion, exfiltration, and extortion hacking group that first appeared in summer 2021.
Vice Society actors do not use a ransomware variant of unique origin. Instead, the actors
have deployed versions of Hello Kitty, Five Hands,
and Zeppelin ransomware and may deploy other variants. Vice Society actors obtain initial network access through compromised credentials by exploiting internet-facing applications.
Vice Society actors have been observed exploiting the PrintNightmare vulnerability to escalate
privileges. Prior to deploying ransomware, the actors spend time exploring the network,
identifying opportunities to increase access, and exfiltrating data for double extortion.
Vice Society actors have been observed using a variety of tools, including SystemBC, PowerShell Empire, and Cobalt Strike for lateral movement.
They have also used living-off-the-land techniques targeting the legitimate Windows Management Instrumentation Service and tainting shared content.
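As an added defender-side example (not part of the CISA advisory or the CyberWire transcript), the Python script below shows one way to surface the WMI living-off-the-land pattern mentioned above. Remote WMI process creation runs the new process under the WMI Provider Host, WmiPrvSE.exe, so a shell or script host whose parent is WmiPrvSE.exe is worth flagging, and the same account producing that pattern on several hosts is a stronger lateral-movement signal. The event records, host names and account names are constructed sample data shaped like Windows Security Event ID 4688 (process creation) fields; the field names assume that event's schema, and the shell list and host threshold are tuning choices, not values from the advisory.

```python
"""Flag shells spawned by the WMI Provider Host across process-creation events.

Added example, not code from CISA or the CyberWire. The records below are
constructed to look like Windows Security Event ID 4688 fields.
"""
import ntpath
from collections import defaultdict

# Constructed sample events (not real telemetry). EventID 4688 is process
# creation; the 4624 logon record is included only to show it is skipped.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "LIB-WS01", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},            # normal user shell
    {"EventID": 4688, "Computer": "LIB-WS01", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"EventID": 4688, "Computer": "ADMIN-WS02", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"EventID": 4688, "Computer": "GRADES-SRV", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"EventID": 4688, "Computer": "LIB-WS01", "SubjectUserName": "SYSTEM",
     "NewProcessName": r"C:\Program Files\Vendor\inventory_agent.exe",  # hypothetical non-shell child
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"EventID": 4624, "Computer": "LIB-WS01", "SubjectUserName": "jdoe"},  # not a process event
]

# Script hosts and shells that rarely have a legitimate reason to be
# launched through WMI; extend or trim to match your environment.
SHELL_NAMES = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe",
}
WMI_HOST = "wmiprvse.exe"


def _basename(path):
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def wmi_spawned_shells(events):
    """Return one finding per process-creation event whose parent is WmiPrvSE.exe
    and whose child is a shell or script host."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        if _basename(ev["ParentProcessName"]) != WMI_HOST:
            continue
        child = _basename(ev["NewProcessName"])
        if child in SHELL_NAMES:
            hits.append({"host": ev["Computer"],
                         "user": ev["SubjectUserName"],
                         "child": child})
    return hits


def accounts_spanning_hosts(hits, min_hosts=2):
    """Group findings by account and keep those seen on at least min_hosts
    distinct hosts, the shape a WMI-driven lateral-movement sweep leaves."""
    by_user = defaultdict(set)
    for h in hits:
        by_user[h["user"]].add(h["host"])
    return {u: sorted(hs) for u, hs in by_user.items() if len(hs) >= min_hosts}


if __name__ == "__main__":
    findings = wmi_spawned_shells(SAMPLE_EVENTS)
    for f in findings:
        print(f"WMI-spawned shell: {f['child']} as {f['user']} on {f['host']}")
    for user, hosts in accounts_spanning_hosts(findings).items():
        print(f"Account {user} launched shells via WMI on {len(hosts)} hosts: {', '.join(hosts)}")
```

The per-event rule on its own will also catch legitimate administration tooling that launches processes through WMI, so baseline and allow-list those parent/child pairs before alerting; the account-across-hosts aggregation is the higher-fidelity signal, since one service account opening shells via WMI on a library workstation, an admin workstation and a grades server within a short window is the kind of activity the advisory's lateral-movement description refers to.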
Over the past several years, the education sector, especially K-12 institutions,
has been a frequent target of ransomware attacks.
Impacts from these attacks have included restricted access to networks and data, delayed exams, cancelled school days,
and unauthorized access to and theft of personal information regarding students and staff.
Attacks may increase as the 2022-2023 school year begins and criminal
ransomware groups perceive opportunities for successful attacks. K-12 institutions may be
seen as particularly lucrative targets due to the amount of sensitive student data accessible
through school systems or their managed service providers. The FBI, CISA, and the MS-ISAC encourage
organizations to implement the recommendations in the Mitigations section of the alert documentation linked in the show notes to reduce the likelihood and impact of ransomware events.
The alert documentation also includes indicators of compromise and a full MITRE attack mapping for this activity.
This alert was produced by the Cybersecurity and Infrastructure Security Agency and edited and adapted for audio by the CyberWire as a public service. Please visit www.cisa.gov to read the full report, which may include additional details, links, and illustrations. A link to this report can be found in the show notes.
This has been a CISA Cybersecurity Alert.