One Article Review

Home - The article:
Source RiskIQ
Identifier 8616252
Publication date 2024-11-22 21:45:45 (viewed: 2024-11-22 22:08:21)
Title Helldown Ransomware: An Overview of this Emerging Threat
Text

## Snapshot

Researchers at Sekoia have reported with medium confidence that the 'Helldown' ransomware operation is exploiting vulnerabilities in Zyxel firewalls to infiltrate corporate networks.

## Description

Helldown, first documented in August 2024, has been growing rapidly and lists numerous victims on its data extortion portal. The ransomware has a Linux variant that targets VMware files; it can list and kill running VMs so that their disk images can be encrypted, though this variant still appears to be under development. Helldown for Windows is believed to be based on the leaked LockBit 3 builder and shows operational similarities to Darkrace and Donex, but no definitive connection has been established. Helldown is not particularly selective about the data it steals and publishes large data packs on its website; one leak reached 431 GB. The ransomware uses a random per-victim string as the extension for encrypted files and embeds the same string in the ransom note's filename. Sekoia's investigation suggests that Helldown may be using CVE-2024-42057, a command injection vulnerability in the IPSec VPN component of Zyxel firewalls, to execute OS commands and establish a foothold in victim networks. The attackers reportedly use a malicious account to access domain controllers, move laterally, and disable endpoint defenses. Payloads connected to the Zyxel compromise were uploaded to VirusTotal from Russia, which points to the possible use of a private n-day exploit. As of the latest reports, 31 victims have been listed on Helldown's extortion portal, primarily small and medium-sized firms in the United States and Europe.

## Recommendations

Microsoft recommends the following mitigations to defend against this threat:

- Keep software up to date. Apply new security patches as soon as possible.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enable [network protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide?ocid=magicti_ta_learndoc) to help prevent access to malicious domains.
- Run endpoint detection and response [(EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Configure [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Read our [ransomware threat overview](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/analystreport) for advice on developing a holistic security posture to prevent ransomware, including credential hygiene and hardening.

Microsoft Defender customers can turn on [attack surface reduction rules](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction?ocid=magicti_ta_learndoc) to help prevent common attack techniques used by this threat:

- [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference?ocid=magicti_ta_learndoc#block-executable-files-from-running-unless-they-meet-a-prevalence-a
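The file-naming behaviour in the Description above (a random per-victim string used as the extension of every encrypted file and embedded in the ransom note's filename) can be turned into a simple triage heuristic over a file listing from a share or a backup catalogue. The following is an added example, not code from the RiskIQ/Sekoia report or from Microsoft: it clusters files by extension, keeps clusters whose extension looks machine-generated, and pairs each cluster with files whose name contains the same string without ending in it (ransom-note candidates). The listing, the string "k7x2pq9m" and the note name "RESTORE-FILES-<string>.txt" are constructed for illustration and are not Helldown indicators; the entropy, length and count thresholds are assumptions to tune per environment.

```python
"""Triage heuristic for the encrypted-file naming pattern described above.

Added example, not code from the report. Every path below, the extension
string "k7x2pq9m" and the note name "RESTORE-FILES-<string>.txt" are
constructed for illustration; they are not Helldown indicators.
"""
from __future__ import annotations

import math
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Extensions that legitimately appear in bulk on file shares. Assumption: tune
# this allow-list to the environment being triaged.
COMMON_EXTENSIONS = {
    "txt", "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "jpg", "png",
    "log", "csv", "zip", "exe", "dll", "vmdk", "vmx", "vmsd", "vmsn", "bak",
}


def basename(path: str) -> str:
    """Last path component for either UNC/Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for the empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(ext: str, min_len: int = 6, min_entropy: float = 2.5) -> bool:
    """Heuristic for a machine-generated victim string used as an extension.
    The length and entropy thresholds are assumptions, not values from the report."""
    return ext.isalnum() and len(ext) >= min_len and shannon_entropy(ext.lower()) >= min_entropy


@dataclass
class Finding:
    extension: str               # the suspected per-victim string
    encrypted_count: int         # number of files carrying that extension
    ransom_notes: list[str] = field(default_factory=list)  # files embedding the string


def find_ransomware_pattern(paths: list[str], min_files: int = 5) -> list[Finding]:
    """Group files by final extension, keep random-looking extensions shared by at
    least `min_files` files, and pair each with files whose name contains the same
    string but does not end in it (ransom-note candidates)."""
    by_ext: dict[str, list[str]] = defaultdict(list)
    for p in paths:
        stem, dot, ext = basename(p).rpartition(".")
        if dot and stem:           # skip dotfiles and names without an extension
            by_ext[ext].append(p)

    findings: list[Finding] = []
    for ext, files in by_ext.items():
        if ext.lower() in COMMON_EXTENSIONS or not looks_random(ext) or len(files) < min_files:
            continue
        notes = sorted(p for p in paths if not p.endswith("." + ext) and ext in basename(p))
        findings.append(Finding(ext, len(files), notes))
    return sorted(findings, key=lambda f: -f.encrypted_count)


# Constructed file-share listing (not real data): five encrypted files, two
# ransom-note candidates and three untouched files.
SAMPLE_LISTING = [
    "/srv/fs01/finance/Q3-report.xlsx.k7x2pq9m",
    "/srv/fs01/finance/budget.docx.k7x2pq9m",
    "/srv/fs01/finance/invoices.pdf.k7x2pq9m",
    "/srv/fs01/hr/payroll.csv.k7x2pq9m",
    "/srv/fs01/hr/contracts.zip.k7x2pq9m",
    "/srv/fs01/finance/RESTORE-FILES-k7x2pq9m.txt",
    "/srv/fs01/hr/RESTORE-FILES-k7x2pq9m.txt",
    "/srv/fs01/it/server.log",
    "/srv/fs01/it/backup.vmdk",
    "/srv/fs01/it/notes.txt",
]

if __name__ == "__main__":
    for f in find_ransomware_pattern(SAMPLE_LISTING):
        print(f"suspect extension .{f.extension}: {f.encrypted_count} files; "
              f"ransom-note candidates: {f.ransom_notes}")
```

Run it against a real listing (for example the output of `find /srv -type f` or a backup catalogue) and treat any finding with a non-empty ransom-note list as high priority; the allow-list and the entropy threshold are the two knobs that control false positives on shares that hold many files with unusual but legitimate extensions.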
Notes ★★
Sent Yes
Tags Ransomware Malware Tool Vulnerability Threat
Stories APT 45


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.