At a glance.
- Play ransomware's new tools.
- Fancy Bear, out and about.
- Other GRU activity: more on Sandworm (a.k.a. FROZENBARENTS).
- Ransomware in Russia's war against Ukraine.
- US Air Force opens investigation into alleged leaker's ANG wing.
- Passwordless MFA solutions are coming.
Play ransomware's new tools.
Symantec, part of Broadcom, reported this morning two new tools in use by the Play ransomware gang: an infostealer, “Grixba,” and a Volume Shadow Copy Service (VSS) copying tool. Grixba is “a network scanning tool used to enumerate all users and computers in the domain.” It was built with Costura, “a popular .NET development tool for embedding application dependencies into a single executable file.”
The second executable, also built with Costura, is a VSS copying tool that the researchers say “embeds the library AlphaVSS into executables. The AlphaVSS library is a .NET framework that provides a high-level interface for interacting with VSS. The library makes it easier for .NET programs to interface with VSS by offering a set of controlled APIs.” Because it reads from a shadow-copy snapshot rather than the live volume, the tool lets the threat actors copy files the OS would otherwise keep locked because they are in use. For more on new developments in Play, see CyberWire Pro.
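For analysts triaging samples against this report, the following is an added example (not code from Symantec's write-up or from the Play tooling) that checks whether a Windows executable is a .NET assembly and, if so, lists the assemblies Costura has embedded in it. It relies on two facts: the PE optional header's data-directory slot 14 points at the CLR runtime header only for .NET binaries, and Costura stores each bundled assembly as a managed resource named costura.<assembly>.dll, appending .compressed when it deflates it. The byte scan for those resource names is a triage heuristic rather than a full CLI-metadata parse, and the sample bytes are constructed in-line to exercise the checks; they are not a real or loadable executable.

```python
import re
import struct

# Data-directory slot that holds the CLR (COM descriptor) header in a PE file.
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14

# Costura.Fody names each embedded assembly "costura.<name>.dll" (lower-cased),
# with ".compressed" appended when the assembly is deflated. The names sit as
# NUL-terminated UTF-8 in the metadata string heap, so a raw byte scan finds
# them. Heuristic: good enough for triage, not proof of packing.
COSTURA_RESOURCE_RE = re.compile(rb"costura\.([a-z0-9_.\-]+?\.dll)(\.compressed)?\x00")


def clr_header_present(data: bytes) -> bool:
    """True if the PE optional header has a non-empty CLR runtime header entry,
    i.e. the file is a .NET assembly rather than a native executable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        return False
    opt_off = pe_off + 4 + 20                                  # skip COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                                         # PE32
        count_off, dirs_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:                                       # PE32+
        count_off, dirs_off = opt_off + 108, opt_off + 112
    else:
        return False
    n_dirs = struct.unpack_from("<I", data, count_off)[0]      # NumberOfRvaAndSizes
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return False
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    rva, size = struct.unpack_from("<II", data, entry)
    return rva != 0 and size != 0


def embedded_assemblies(data: bytes) -> list[str]:
    """Assembly names Costura embedded, in file order, without duplicates."""
    names: list[str] = []
    for m in COSTURA_RESOURCE_RE.finditer(data):
        name = m.group(1).decode() + (" (compressed)" if m.group(2) else "")
        if name not in names:
            names.append(name)
    return names


def triage(data: bytes) -> dict:
    """Summarise what a responder wants to know about one sample."""
    dotnet = clr_header_present(data)
    embedded = embedded_assemblies(data) if dotnet else []
    return {
        "dotnet": dotnet,
        "costura_packed": bool(embedded),
        "embedded": embedded,
        # AlphaVSS ships as AlphaVSS.Common / AlphaVSS.Platform; either one
        # bundled into a stand-alone exe is worth a closer look.
        "bundles_alphavss": any(n.startswith("alphavss.") for n in embedded),
    }


def build_sample(embedded: list[bytes], pe32plus: bool = True, dotnet: bool = True) -> bytes:
    """Constructed stand-in for a Costura-packed .NET PE (not a loadable file):
    DOS header, PE signature, COFF header, optional header with the CLR
    data-directory entry set, then resource names as they appear in #Strings."""
    opt_size, magic, dirs_off = (240, 0x20B, 112) if pe32plus else (224, 0x10B, 96)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dirs_off - 4, 16)              # NumberOfRvaAndSizes
    if dotnet:                                                 # CLR header RVA/size
        struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x22)
    heap = b"".join(b"costura." + n + b"\x00" for n in embedded)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + b"#Strings\x00" + heap


if __name__ == "__main__":
    sample = build_sample([b"alphavss.common.dll.compressed", b"alphavss.platform.dll.compressed"])
    print(triage(sample))
```

On a real file, replace the constructed buffer with the bytes of the sample being examined; a positive result says only that the binary is a .NET executable with Costura-embedded assemblies, which is common in legitimate software too, so treat "bundles_alphavss" as a lead to confirm in a sandbox, not as a verdict.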