Knowledge is our best weapon in the fight against cybercrime. An understanding of how various gangs operate and what tools they use helps build competent defenses and investigate incidents. …
Search Results for: cuba
Note: The following is a redacted version of a larger report. For full and comprehensive details of this attack, please enquire about our CTI-on-demand service.
Summary: BlackBerry has discovered and documented …
On December 1, 2022, CISA and FBI released a joint Cybersecurity Advisory (CSA) on Cuba ransomware [1]. Security researchers have tracked down a new variant of the Cuba ransomware as …
Executive Summary: Beginning in early May 2022, Unit 42 observed a threat actor deploying Cuba Ransomware using novel tools and techniques. Using …
Trend Micro Research observed the resurgence of the Cuba ransomware group that launched a new malware variant using different infection techniques compared to past iterations. We discuss our initial findings …
Cuba ransomware is an older ransomware family that has recently undergone some development. The actors have incorporated the leaking of victim data to increase its impact and revenue, much like we have seen recently with other major …
Over the past year, we have seen ransomware attackers change the way they have responded to organizations that have either chosen to not pay the ransom or …
On May 29, 2024, the US Department of Justice announced that its law enforcement operation had dismantled the "largest botnet in history", 911 S5, seized the associated domains, and arrested its administrator YunHe Wang. Wang and his accomplices infected users by creating and distributing free VPN programs containing malicious code, and sold access to the proxy network made up of the infected devices through a residential proxy service called 911 S5.
According to analysis by the 360 Threat Intelligence Center, 911S5 began operating in 2014, shut down in July 2022, reappeared in October 2023 under the name CloudRouter to continue its dirty business, and was finally dismantled by a multinational law enforcement action in May 2024. The 911S5 botnet ran for a long time, involved 19M IP addresses across multiple countries, and operated in a high-profile manner. Although the law enforcement action has largely brought it down, its digital legacy still poses a real and significant threat to cyberspace. Below are the results of our threat analysis.
Behind the proxy service sold by 911S5 are tens of millions of infected devices. Victims actively or passively downloaded software bundled with malicious code, such as free VPN programs. After the program launched, the malicious code would create a persistent service as a backdoor, providing proxy services to 911S5 customers.
Before 2023, the free VPNs used by 911S5 included ProxyGate, MaskVPN, DewVPN and ShineVPN. The earliest VPN program we observed was ProxyGate, active between 2016 and 2020.
The strong link between 911S5 and the VPN programs
Shared infrastructure
The key evidence linking 911S5 to a group of free VPNs is that they shared part of their infrastructure. We noticed that the email services of 911.re, searchsafe.com, maskvpn.org, proxygate, 911.gg and dewvpn.com were all at some point resolved to the same server, 173.244.211.96, which proves that 911S5 and these particular free VPN programs have a common operator.
For more data, see the final section, "Shared IPs".
Similar sample behavior
MaskVPN, DewVPN and ShineVPN share a similar coding style and process-chain structure:
[Figure: MaskVPN process chain] [Figure: DewVPN process chain]
In July 2022, the operators of 911S5 stopped the 911S5 service, but they did not stay dormant for long. In February 2023, researchers discovered 911S5's successor, CloudRouter; in October, CloudRouter officially launched, offering residential proxy services similar to 911S5. It uses PaladinVPN and Shield VPN to infect devices and continue building the proxy network. We confirmed that this is 911S5 under a new name.
CloudRouter: the same thing under a new name
Shared infrastructure
As with 911S5, the email services of cloudrouter.pro, paladinvpn.com and shieldvpn.org resolved to the same server: 209.126.108.53.
For more data, see the final section, "Shared IPs".
Strong links between samples
The coding style and process chains of PaladinVPN and ShineVPN, used by CloudRouter, are highly similar to those of MaskVPN and DewVPN.
[Figure: PaladinVPN process chain]
According to the US court seizure documents, in August 2023 analysts observed an upgrade from MaskVPN to ShieldVPN; the documents state that ShieldVPN and PaladinVPN communicate with reachfresh.com and receive update instructions from updatepanel.cc & upgradeportal.org.
PaladinVPN's promotion domains
We noticed that 150+ promotion domains all resolve to the same address, 148.72.152.203, for example:
soccerstreamingvpn.com
freevpnlebanon.com
…
Threat actors consistently alter and develop their schemes in order to further escalate their payoffs. In a new trend, ransomware affiliates are actively re-monetizing stolen data outside of their original …
On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims …
In December 2023, Sophos X-Ops received a report of a false positive detection on an executable signed by a valid Microsoft Hardware Publisher Certificate. However, the version info for the …
GhostSec, a significant member of The Five Families, has garnered substantial attention with the latest research, following their recent twin ransomware attack with Stormous, another Five Families-affiliated threat group. Researchers and the …
It’s that time of the year when not only do you have to be worried about filing your federal taxes in the U.S., you must also be on the lookout …
As of today, a large majority of intrusion sets and threat actors leverage crypters prior to delivering and executing malicious payloads on a target system. They use it to build …
Intel-Ops
Mar 5, 2024
On February 29th 2024, CISA released an advisory on Phobos ransomware.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a
Intel-Ops is actively tracking infrastructure assessed to …
This advisory details recent tactics, techniques, and procedures (TTPs) of the group commonly known …
The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) conducted an incident response assessment of a state government organization’s network environment after …
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China (PRC) state-sponsored cyber actors are seeking …
Throughout Q2 and Q3 2023, Kroll has observed an increased use of the malicious “SYSTEMBC” tool to maintain access in a compromised network. SYSTEMBC was first observed in the wild …
Resecurity has identified an alarming rise in ransomware operators targeting the energy sector, including nuclear facilities and related research entities. Over the last year, ransomware attackers have targeted energy installations …
SystemBC, also known as Coroxy or DroxiDat, is a malware categorized as Proxy malware, a Bot, a backdoor, and even a RAT, as its uses can be diverse depending on …
In October 2022, during an investigation into an incident at a Russian industrial enterprise, samples of previously unseen malware were discovered running on compromised computers of this organization. The names of this malware’s executable files were similar to the …
Late last year, Sophos X-Ops responded to exploitation of what appeared to be the ProxyNotShell attack flow, which targets Microsoft Exchange servers, and which Microsoft attempted to address in an …
In September of last year, our Incident Response team was called to an incident that was identified as an attempt of social engineering an online customer service platform. Due to …
At the end of November 2022, experts from Bitdefender Labs started to notice an increase in attacks using ProxyNotShell/OWASSRF exploits chains to target on-premises Microsoft Exchange deployments. SSRF attacks on …
Bluebottle, a cyber-crime group that specializes in targeted attacks against the financial sector, is continuing to mount attacks on banks in Francophone countries. The group makes extensive use of living …
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, …
Update 12.01.22: The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on Cuba ransomware, listing this BlackBerry blog as a resource. See Advisory.
Summary: The threat actor …
Industrial Spy is a relatively new ransomware group that emerged in April 2022. In some instances, the threat group appears to only exfiltrate and ransom data, while in other cases …
By Sriram P & Lakshya Mathur
Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer, Pony, CobaltStrike, Cuba Ransomware, and many more. Recently at …