Over the past week we observed three different attacks on our honeypots. The scripts and malware that were used bear a striking resemblance to none other than the threat actor TeamTNT. Eleven months ago they posted a farewell note on Twitter. Since then, we have only seen legacy attacks which automatically run on past infrastructure.…
Tag: PERSISTENCE
The barrier to entry for enterprising cybercriminals has been dropping considerably over recent years, in part due to the availability of RaaS (Ransomware as a Service) offerings on the darknet but also due to publicly-accessible code being shared for free. One such offering is the Slam Ransomware Builder, which had been hosted until recently on Github.…
Summary
Actions to take today to protect against ransom operations:
• Keep systems and software updated and prioritize remediating known exploited vulnerabilities.• Enforce MFA.• Make offline backups of your data.
This joint Cybersecurity Advisory (CSA) is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), U.S.…
THIS POST IS ALSO AVAILABLE IN:
Read More
Українська (Ukrainian)
Cisco Talos recently identified a new, ongoing campaign attributed to the Russia-linked Gamaredon APT that infects Ukrainian users with information-stealing malware. The adversary is using phishing documents containing lures related to the Russian invasion of Ukraine. LNK files, PowerShell and VBScript enable initial access, while malicious binaries are deployed in the post-infection phase.…
Table of contents
Background
Read More
Pay-Per-Install (PPI) is a malware service widely used in the cybercrime ecosystem that monetises the installation of malicious software. As generally observed, a malware operator provides a Pay-per-Install service operator with a payload, a requested number of installations, and a target geographical location.…
Cybereason GSOC team analysts have analyzed a specific technique that leverages Notepad++ plugins to persist and evade security mechanisms on a machine. Following this introduction, we describe in detail how to reproduce this attack and implement detection and prevention mechanisms.…
This post is also available in: 日本語 (Japanese)
Executive SummaryOn March 4, 2019, one of the most well-known keyloggers used by criminals, called Agent Tesla, closed up shop due to legal troubles. In the announcement message posted on the Agent Tesla Discord server, the keylogger’s developers suggested people switch over to a new keylogger: “If you want to see a powerful software like Agent Tesla, we would like to suggest you OriginLogger.…
Key Takeaways
Arctic Wolf Labs assesses with medium confidence that the Lorenz ransomware group exploited CVE-2022-29499 to compromise Mitel MiVoice Connect to gain initial access
Lorenz waited nearly a month after obtaining initial access to conduct additional activity
Lorenz exfiltrated data via FileZilla
Encryption was done via BitLocker and Lorenz ransomware on ESXi
Lorenz employed a high degree of Operational Security (OPSEC)
Ransomware groups continue to use Living Off the Land Binaries (LOLBins) and gaining access to 0day exploits
Process and PowerShell Logging can significantly aid incident responders and potentially help decrypt encrypted files
Background
Read More
The Arctic Wolf Labs team recently investigated a Lorenz ransomware intrusion, which leveraged a Mitel MiVoice VoIP appliance vulnerability (CVE-2022-29499) for initial access and Microsoft’s BitLocker Drive Encryption for data encryption.…
In this intrusion from May 2022, we observed a domain-wide compromise that started from a malware ridden Excel document containing the never-dying malware, Emotet.
The post-exploitation started very soon after the initial compromise. The threat actors began enumerating the network once Emotet deployed a Cobalt Strike beacon on the beachhead host.…
Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government.
This campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold into targeted organizations.
Targeted organizations include energy providers from around the world, including those headquartered in the United States, Canada and Japan.…
Read More
A ransomware victim called in the BlackBerry Incident Response (IR) team during this year’s 4th of July holiday weekend. We quickly realized we were investigating an attack by a previously unknown group, calling themselves “MONTI.” They encrypted nearly 20 user hosts along with a multi-host VMware ESXi cluster that brought down over 20 servers.…
Cisco Talos has discovered a new remote access trojan (RAT) we’re calling “MagicRAT,” developed and operated by the Lazarus APT group, which the U.S. government believes is a North Korean state-sponsored actor.
Lazarus deployed MagicRAT after the successful exploitation of vulnerabilities in VMWare Horizon platforms.
We’ve also found links between MagicRAT and another RAT known as “TigerRAT,” disclosed and attributed to Lazarus by the Korean Internet & Security Agency (KISA) recently.…
Read More
Beginning with macOS 10.12 (Sierra), Apple introduced a key change to how logging was done on their systems. This new logging system replaced common Unix logs with macOS Unified Logs. These logs can provide forensic investigators a valuable artifact to aid in investigating macOS systems or other Apple devices.…
Summary
Actions to take today to mitigate cyber threats from ransomware:
• Prioritize and remediate known exploited vulnerabilities.• Train users to recognize and report phishing attempts.• Enable and enforce multifactor authentication.
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.…
Recent studies show that more than 85% of financial institutions in Central and Western Africa have repeatedly been victimized in multiple, damaging cyberattacks. In a quarter of these cases, intrusions into network systems resulted in the worst possible outcomes for the financial and banking sector: information leaks, identity theft, money transfer fraud, and bank withdrawals on false checks.…
It has now been six months since the war in Ukraine began. Since then, pro-Russian and pro-Ukrainian hacker groups, like KillNet, Anonymous, IT Army of Ukraine, Legion Spetsnaz RF, have carried out cyberattacks. A lesser-known group called NoName057(16) is among the pro-Russian groups attacking Ukraine and the countries surrounding it and siding with Ukraine.…
Play is a new ransomware that takes a page out of Hive and Nokoyawa’s playbook. The many similarities among them indicate that Play, like Nokoyawa, are operated by the same people.
In July, we investigated a spate of ransomware cases in the Latin American region that targeted government entitles, which was initially attributed to a new player known as Play ransomware.…
In March 2021, we investigated a backdoor with a unique modular architecture and called it BumbleBee due to a string embedded in the malware. However, in our recent investigations, we have discovered a controller application that expands its capabilities.
Updated on Sept. 6, 2022, at 11:55 p.m.…
Corporate espionage, also known as industrial espionage, is espionage conducted for commercial or financial purposes. One of the common misconceptions is that espionage is affecting only large corporations or government entities, but it is more common than expected. In this article, we provide an analysis of one such exfiltration and explain why these attacks are on the rise. …
By Securonix Threat Labs, Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov
IntroductionThe Securonix Threat research team has recently identified a unique sample of a persistent Golang-based attack campaign tracked by Securonix as GO#WEBBFUSCATOR. The new campaign incorporates an equally interesting strategy by leveraging the infamous deep field image taken from the James Webb telescope and obfuscated Golang programming language payloads to infect the target system with the malware.…