In June of 2022, we observed a threat actor gaining access to an environment via Emotet and operating over a eight day period. During this time period, multiple rounds of enumeration and lateral movement occurred using Cobalt Strike. Remote access tools were used for command and control, such as Tactical RMM and Anydesk.…
Tag: IMPACT
On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.…
There’s a common saying in cyber security, “you can’t protect what you don’t know,” and this applies perfectly to the attack surface of any given organization.
Many organizations have hidden risks throughout their extended IT and security infrastructure. Whether the risk is introduced by organic cloud growth, adoption of IoT devices, or through mergers and acquisitions, the hidden risk lies dormant.…
The Cybereason Global SOC (GSOC) team is investigating Qakbot infections observed in customer environments related to a potentially widespread ransomware campaign run by Black Basta. The campaign is primarily targeting U.S.-based companies. …
December 8, 2022 update – Reflected additional research on Boa-related CVEs and updated supply chain diagram.
Vulnerabilities in network components, architecture files, and developer tools have become increasingly popular attack vectors to gain access into secure networks and devices. External tools and products that are managed by vendors and developers can pose a security risk, especially to targets in sensitive industries.…
AXLocker Ransomware Stealing Victim’s Discord Tokens
Read More Ransomware is one of the most critical cybersecurity problems on the internet and possibly the most powerful form of cybercrime plaguing organizations today. It has rapidly become one of the most important and profitable malware families among Threat Actors (TAs). In a typical scenario, the ransomware infection starts with the TA gaining access to the target system.…
LodaRAT samples were deployed alongside other malware families, including RedLine and Neshta.
Cisco Talos identified several variants and altered versions of LodaRAT with updated functionality have been seen in the wild.
Changes in these LodaRAT variants include new functionality allowing proliferation to attached removable storage, a new string encoding algorithm and the removal of “dead” functions
A relatively unknown VenomRAT variant named S500 has been observed deploying LodaRAT.…
Read More Editor’s Note: This is an excerpt of a full report. To read the entire analysis with endnotes, click here to download the report as a PDF.
This report analyzes the threat landscape ahead of the 2022 FIFA World Cup hosted in Qatar that begins on November 20, 2022.…
Summary
Actions to Take Today to Mitigate Cyber Threats from Ransomware:
• Prioritize remediating known exploited vulnerabilities.• Enable and enforce multifactor authentication with strong passwords• Close unused ports and remove any application not deemed necessary for day-to-day operations.
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.…
Summary
On August 25, 2022, Chile’s government computer systems were attacked by a previously unseen ransomware variant. CSIRT of Chile’s government published a report which contained some Indicators of Compromise (IoCs) and recommendations for prevention measures.
On October 3, 2022, Invima — The Colombia National Food and Drug Surveillance Institute — reported a cyberattack that led to a temporary shutdown of the organization’s web services.…
By Max Kersten · November 15, 2022
In early 2022, Ukrainian companies were struck by multiple destructive wipers, attacking various organizations across sectors. This raised questions about the usage and impact of “digital weapons” within the security community, even though wipers themselves weren’t new. The infamous Shamoon wiper dates back more than a decade ago.…
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, 2), and this report is a continuation of a series of reports uncovering multiple TTPs seen by BumbleBee post exploitation operators.…
Published On : 2022-11-10
Prestige Ransomware Analysis Executive SummaryCYFIRMA Research team has seen an uptick in threat actor-orchestrated ransomware campaigns. We have reasons to believe that Prestige Ransomware has been used with notable features that differentiate it from other ransomware campaigns targeting transportation and other logistics industries in Ukraine and Poland.…
Latest Strain Spreading Bumblebee and IcedID Malware
Read More Emotet malware strain was first discovered by cyber security researchers in 2014. Initially designed as banking malware to steal sensitive and private information from the victim’s system without their knowledge.
Later versions of Emotet can spam and deliver malware services that download other malware families, including banking trojans and ransomware.…
Share this blog
Web browsers contain the most lucrative pieces of information about a user and thus are becoming an interesting target for malware developers. Every keystroke or session cookie can contain very private information about a user, and access to such information can create critical security and privacy issues.…
Rebranded Chaos Ransomware Using Telegram Group to Finance its activities
Read More During a routine threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) encountered data-destructive ransomware linked to the pro-Russian Threat Actors (TA) group named “Killnet”. The ransomware is a modified version of notorious Chaos Ransomware. Upon execution, the Killnet Ransomware drops a note which contains a link to a pro-Russian Telegram channel containing propaganda posts related to the conflict in Ukraine.…
Executive SummarySince mid-2022, SocGholish operators have been significantly diversifying and expanding their infrastructure for staging malware with new servers. This helps the operators to counter defensive operations against known servers and scale up their operation.SocGholish operators have been introducing on average 18 new malware-staging servers per month, with varying server uptimes.…
Read More 11/07: Updated article to provide clarity around hunting techniques
Key points from our research:
Following our reporting on Robin Banks in July, Cloudflare disassociated Robin Banks phishing infrastructure from its services, causing a multi-day disruption to operations. In response, Robin Banks administrators made several changes, including relocating its infrastructure to a notorious Russian provider and changing features of its kits to be more evasive.…By Antonio Cocomazzi and Antonio Pirozzi
Executive SummarySentinelLabs researchers describe Black Basta operational TTPs in full detail, revealing previously unknown tools and techniques. SentinelLabs assesses it is highly likely the Black Basta ransomware operation has ties with FIN7. Black Basta maintains and deploys custom tools, including EDR evasion tools.…By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
IntroductionA recently released critical vulnerability for Apache Commons Text library is currently being exploited in the wild. The Apache Commons project provides a large number of Java-based utilities and packages for a wide range of applications.…