FlagThis - #qilin

A recent cyberattack has exploited vulnerabilities in Managed Service Providers (MSPs) through a sophisticated phishing campaign, leading to the deployment of Qilin ransomware across multiple customer environments. The attackers, identified as affiliates of the STAC4365 threat cluster, targeted MSPs by mimicking the login page of ScreenConnect, a widely used Remote Monitoring and Management (RMM) tool. The attackers used spear-phishing emails directed at MSP administrators, disguising them as authentication alerts from ScreenConnect.

These emails directed recipients to counterfeit domains closely resembling the legitimate ScreenConnect login page, cloud.screenconnect[.]com.ms for example. Using an adversary-in-the-middle (AITM) attack framework, credentials and time-based one-time passwords (TOTP) required for multi-factor authentication (MFA) were intercepted. With these credentials, the attackers gained super administrator access to the legitimate ScreenConnect portal, enabling them to deploy malicious ScreenConnect instances across customer environments and ultimately launch Qilin ransomware. The attack highlights the risks for MSP and their customer base.


References :

• Sophos News: Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream
• securityonline.info: Qilin Ransomware Attack Exploits MSP Vulnerability to Target Downstream Customers
• Cyber Security News: Qilin Operators Use Mimic ScreenConnect Login Page to Deliver Ransomware and Gain Admin Access
• Cyber Security News: Qilin Operators Mimic ScreenConnect Login Page to Deliver Ransomware & Gain Admin Access
• gbhackers.com: Qilin Operators Imitate ScreenConnect Login Page to Deploy Ransomware and Gain Admin Access

Classification:

• HashTags: #Ransomware #MSP #ScreenConnect
• Company: MSP
• Target: MSP customers
• Attacker: Qilin affiliates
• Product: ScreenConnect
• Feature: ScreenConnect
• Malware: Qilin
• Type: Ransomware
• Severity: Major

Microsoft has identified a North Korean hacking group known as Moonstone Sleet, previously tracked as Storm-1789, deploying Qilin ransomware in limited attacks. This represents a shift for the group, as they have historically used custom-built ransomware. The adoption of Qilin ransomware signifies a move towards Ransomware-as-a-Service (RaaS), where they utilize ransomware developed by external operators rather than relying solely on their own tools.

Moonstone Sleet's move to RaaS marks a new era in cyber threats, primarily driven by financial motivations, a departure from previous espionage-focused operations. They have been observed demanding ransoms as high as $6.6 million in Bitcoin. The group has also been known to use creative tactics, including fake companies, trojanized software, and even a malicious game to infiltrate targets, showcasing their adaptability and resourcefulness.


References :

• gbhackers.com: North Korean Moonstone Sleet Uses Creative Tactics to Deploy Custom Ransomware
• The DefendOps Diaries: Moonstone Sleet's Shift to Ransomware-as-a-Service: A New Era in Cyber Threats
• BleepingComputer: Microsoft: North Korean hackers join Qilin ransomware gang
• Cyber Security News: North Korean Moonstone Sleet Deploys Custom Ransomware with Creative Tactics
• securityaffairs.com: Microsoft researchers reported that North Korea-linked APT tracked as Moonstone Sleet has employed the Qilin ransomware in limited attacks.
• www.scworld.com: Moonstone Sleet was previously reported to have been behind a FakePenny ransomware attack.

Classification:

• HashTags: #Ransomware #NorthKorea #Qilin
• Company: Microsoft
• Attacker: Moonstone Sleet
• Product: Qilin
• Feature: Ransomware Deployment
• Malware: Qilin
• Type: Ransomware
• Severity: Major

Lee Enterprises, a major American media company with over 75 publications, has confirmed a ransomware attack that has disrupted operations across its network. The notorious Qilin ransomware gang has claimed responsibility for the February 3rd attack, alleging the theft of 350GB of sensitive data. This stolen data purportedly includes investor records, financial arrangements, payments to journalists and publishers, funding for tailored news stories, and even approaches to obtaining insider information. The cyberattack has resulted in widespread outages, significantly impacting the distribution of printed newspapers, subscription services, and internal business operations.

The attack has caused delays in the distribution of print publications and has partially limited online operations. Lee Enterprises anticipates a phased recovery over the next several weeks and has implemented temporary measures, including manual processing of transactions. The company has also launched a forensic investigation to determine the full extent of the breach. The Qilin ransomware group's actions have brought attention to the increasing threat facing media organizations and the importance of robust cybersecurity measures to protect sensitive information and maintain operational integrity.


References :

• securityaffairs.com: SecurityAffairs: Qilin ransomware gang claimed responsibility for the Lee Enterprises attack
• www.cysecurity.news: CySecurity News: Lee Enterprises Faces Prolonged Ransomware Attack Disrupting Newspaper Operations
• The420.in: The420.in: American Media Group Hit by Cyber Attack, 75 Newspapers Disrupted & Informers’ Data Leaked
• bsky.app: The Qilin ransomware gang has claimed responsibility for the attack at Lee Enterprises that disrupted operations on February 3, leaking samples of data they claim was stolen from the company.
• bsky.app: The Qilin ransomware gang has claimed responsibility for the attack at Lee Enterprises that disrupted operations on February 3, leaking samples of data they claim was stolen from the company.
• Information Security Buzz: Qilin Claims Lee Enterprises Ransomware Attack
• securityaffairs.com: The Qilin ransomware group claimed responsibility for the recent cyberattack on Lee Enterprises, which impacted dozens of local newspapers. Lee Enterprises, Inc. is a publicly traded American media company. It publishes 79 newspapers in 25 states, and more than
• CyberInsider: Reports that Qilin ransomware gang claimed responsibility for Lee Enterprises attack, threatens to leak stolen data
• www.cysecurity.news: reports on Ransomware
• Zack Whittaker: Lee Enterprises is still experiencing disruption and outages after a ransomware attack.
• Metacurity: UK ICO launches children's social media privacy probe, Qilin claims attack on Lee Enterprises, Polish Space Agency breached, Cellebrite zero days used to hack Serbian student's phone, Man sentenced to 24 years for putting CSAM on dark web, Canceled CFPB contracts threaten data security, much more
• Konstantin :C_H:: Qilin claims attack on Lee Enterprises,
• The420.in: Qilin ransomware group claimed responsibility for the Lee Enterprises attack.
• Kim Zetter: Reports Qilin claims attack on Lee Enterprises
• BleepingComputer: Qilin claiming responsibility for the cyberattack on Lee Enterprises.
• BleepingComputer: Qilin Ransomware Gang Claims Lee Enterprises Attack
• DataBreaches.Net: Japanese cancer hospital confirms breach; Qilin gang claims responsibility
• The Register - Security: Qilin ransomware gang claims attacks on cancer clinic, OB-GYN facility
• www.cysecurity.news: Qilin Ransomware Outfit Claims Credit for Lee Enterprises Breach
• securityaffairs.com: Qilin Ransomware group claims to have breached the Ministry of Foreign Affairs of Ukraine, marking a significant cybersecurity attack.
• www.scworld.com: The ransomware group Qilin has taken credit for the cyberattack on Lee Enterprises.

Classification:

• HashTags: #ransomware #cyberattack #media
• Company: Lee Enterprises
• Target: Lee Enterprises
• Attacker: Qilin
• Product: web servers
• Feature: ransomware attack
• Malware: Qilin
• Type: Ransomware
• Severity: Major