Threatpost spoke with Check Point Research Director of Threat Intelligence Research Maya Horowitz, who highlighted a rising trend of cybercriminal groups joining forces and bolstering the underground cybercriminal economy through their coordinated activities. “In some cases, it’s just an as-a-service model, so the groups don’t necessarily have to know each other. But in many cases, the cooperation is so tight, that we have to assume that there’s something there behind the scenes, that these groups actually communicate and complete each other’s gaps in the attack chain,” Horowitz said. Actors would likely split the profit after a successful attack or provide payment for services. Their reasons could range from capitalizing on some groups’ expertise in certain parts of the attack chain to using the collaboration as a smokescreen to confound researchers looking into their methods and tools, Horowitz said. Horowitz also touched on the top malware families expected to emerge after the dismantling of Emotet, naming Phorpiex, Dridex and QBot as potential top malware families for 2021.
Jill Aitoro leads editorial for SC Media, and content strategy for parent company CyberRisk Alliance. She has 20 years of experience editing and reporting on technology, business and policy.
Initial access to the targeted SharePoint server through the flaw was leveraged to breach a Microsoft Exchange service account with elevated privileges, deploy the Huorong Antivirus, and install Impacket, resulting in the deactivation of legitimate antivirus systems and lateral movement.
Other Linux-based network devices may also have been targeted by Pygmy Goat, as suggested by its use of a fake Fortinet certificate, a pair of remote shells, and several communication wake-up techniques.
Attacks by Interlock involved infiltration of targeted corporate networks and data exfiltration before proceeding with lateral movement, file encryption, and double-extortion activities.