This report was originally published for our customers on 2 May 2024.

As part of our critical vulnerabilities monitoring routine, Sekoia’s Threat & Detection Research (TDR) team deploys and supervises honeypots in different locations around the world to identify potential exploitations.


Recently, our team observed an incident involving our MS-SQL (Microsoft SQL) honeypot.…

SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.…


Summary: Law enforcement has seized the Tor website of the Lockbit ransomware group and plans to reveal the identities of its members, but the group claims that they are still active and will continue their operations.

Threat Actor: Lockbit ransomware group
Victim: N/A

Key Point:

Law enforcement has seized the Tor website of the Lockbit ransomware group and plans to reveal the identities of its members on May 7, 2024.…

Summary: A member of the REvil ransomware-as-a-service (RaaS) group, Yaroslav Vasinskyi, has been sentenced to over 13 years in prison and ordered to pay restitution for conducting numerous ransomware attacks and demanding millions in ransom payments.

Threat Actor: REvil ransomware-as-a-service (RaaS) group
Victim: Multiple victims (REvil ransomware attacks)

Key Point:

Affiliate of the REvil ransomware group, Yaroslav Vasinskyi, has been sentenced to 13 years and seven months in prison for conducting over 2500 ransomware attacks.…

Victim: Drogaria Preco Bom
Country: BR
Actor: apos
Source: https://apos.blog/apos-raas/Drogaria-Preco-Bom-314d05883c88439791995e7f9a288a53
Discovered: 2024-04-29 15:38:12.897021
Published: 2024-04-26 00:00:00.000000
Description: 5.6GB; 5M; Brazil; Private data; Published; bomprecodrogaria.com.br


Victim: Sunlux Group
Country: FR
Actor: apos
Source: https://apos.blog/apos-raas/Sunlux-Group-50eda5d7962a4b2fabf3ea9bb30cfbe6
Discovered: 2024-04-29 15:38:11.611229
Published: 2024-04-29 15:38:11.611229
Description: 160GB; 5.1M; France; Private data; Financial data; Not published; sunlux-group.com


Victim: Algen Healthcare
Country: IN
Actor: apos
Source: https://apos.blog//apos-raas/Algen-Healthcare-d1a417add85448d1959683ac15099417
Discovered: 2024-04-29 15:38:10.479687
Published: 2024-04-29 15:38:10.479687
Description: 90GB; 5M; India; Financial data; Private data; Not published; algenhealthcare.co


Victim: Bitz Softwares
Country: BR
Actor: apos
Source: https://apos.blog/apos-raas/Bitz-Softwares-bc9e829383bb4f0086ed1598c052cefe
Discovered: 2024-04-29 15:38:09.214545
Published: 2024-04-29 15:38:09.214545
Description: 18.1MB; 11.3M; Brazil; Source code; Not published; bitzsoftwares.com.br


Threat actors consistently alter and develop their schemes in order to increase their payoffs. In a new trend, ransomware affiliates are actively re-monetizing stolen data outside of their original RaaS agreements, especially as financial disputes between threat actors emerge in the ransomware economy. In such cases the affiliates are starting to work with third parties or external data-leak services in order to re-extort victims who have already paid the ransom to the original attackers.…


In the 1960s and ’70s, the US firearms market saw an influx of cheaply-made, imported handguns. Legislators targeted the proliferation of these inexpensive and frequently unreliable weapons, ostensibly because they were believed to pose a risk to their owners and facilitate criminality. This was not an issue unique to the US or to that time period, of course; in the UK, where handguns are now strictly regulated, criminals often resort to reactivated, or even home-made or antique, firearms.…


Summary: Attackers are increasingly exploiting vulnerabilities in computer systems to gain initial network access, with a 6% increase in intrusions through vulnerability exploitation in 2023, according to Mandiant’s M-Trends 2024 Report. Additionally, researchers observed a rise in the exploitation of zero-day vulnerabilities, with Chinese cyber espionage groups being the most prolific attackers in this regard.…


Summary: The GRIT Q1 2024 Ransomware Report highlights shifts in activity from Ransomware-as-a-Service (RaaS) groups, an increase in the number of ransomware victims, and changes in the behavior of ransomware groups following law enforcement activity.

Threat Actor: Ransomware-as-a-Service (RaaS) groups
Victim: Various organizations and industries

Key Point:

Q1 2024 saw a significant increase in the number of active ransomware groups, with a 55% rise from 29 distinct groups in Q1 2023 to 45 distinct groups in Q1 2024.…

On April 18, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Netherlands’ National Cyber Security Centre (NCSC-NL) released a joint Cybersecurity Advisory (CSA) that disseminates known Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) associated with Akira ransomware, identified through FBI investigations and trusted third party reporting as recently as February 2024.…


As the digital landscape continues to evolve, the United States finds itself at the forefront of emerging cybersecurity challenges. With its critical infrastructure, extensive government networks, and vibrant economy, the nation remains a prime target for a myriad of cyber threats. From state-sponsored actors seeking to undermine national security to sophisticated cybercriminal organizations aiming to exploit vulnerabilities for financial gain, the USA’s threat landscape is diverse and complex.…

Summary

In late 2023, BlackBerry analysts identified a spear-phishing campaign by the threat group FIN7 that targeted a large automotive manufacturer based in the United States. FIN7 identified employees at the company who worked in the IT department and held elevated administrative rights. They used the lure of a free IP scanning tool to run their well-known Anunak backdoor and gain an initial foothold, utilizing living-off-the-land binaries, scripts, and libraries (LOLBAS).…


The Trellix Advanced Research Center has recently observed an uptick in LockBit-related cyber activity surrounding vulnerabilities in ScreenConnect. This surge suggests that despite law enforcement's (LE) "Operation Cronos", aimed at dismantling LockBit's infrastructure, the ransomware operators managed to survive and stay afloat. It appears that the cybercriminal group behind LockBit ransomware partially restored its infrastructure and created the impression that the LE actions did not affect its normal operations.…
