Source |
RiskIQ |
Identifier |
8624261 |
Publication date |
2024-12-12 21:33:09 (viewed: 2024-12-12 22:13:58) |
Title |
Lynx Ransomware Pouncing on Utilities |
Text |
#### Targeted Geolocations
- United States
#### Targeted Industries
- Energy
## Snapshot
A recent report from the Center for Internet Security (CIS) highlights the growing threat of ransomware attacks targeting utility organizations, with a particular focus on the activities of the Lynx ransomware group (tracked by Microsoft as [Storm-2113](https://security.microsoft.com/intel-profiles/7d8b27d096bfce159d3602d5221a20a8c2fddc95db7401efe10f486f57c1e5d2)).
## Description
Between 2022 and 2024, attacks on utilities surged due to their reliance on outdated hardware and software, making them attractive targets for groups like Lynx. The group claimed over 20 victims in the energy, oil, and gas sectors in the United States between July and November 2024.
Despite its claims to be an "ethical hacking group" that avoids impacting organizations in healthcare and government, Lynx employs double extortion tactics, encrypting victims' data and threatening to leak sensitive information unless additional ransoms are paid. The stolen data often includes trade secrets, financial records, and internal documents, causing severe reputational and operational damage.
The group's initial compromise methods include phishing attacks to harvest credentials, followed by disabling antivirus software, deleting shadow copies, and encrypting both local files and network shares. Victims are pressured through ransom notes directing them to a Lynx-operated .onion site and public blogs where the group leaks or threatens to leak stolen data.
## Microsoft Analysis and Additional OSINT Context
The threat actor that Microsoft tracks as [Storm-2113](https://security.microsoft.com/intel-profiles/7d8b27d096bfce159d3602d5221a20a8c2fddc95db7401efe10f486f57c1e5d2) is a financially motivated group known for deploying Lynx ransomware. The actor has targeted entities in multiple sectors, including manufacturing, energy, and commercial facilities, among others. Microsoft has observed Storm-2113 obtaining initial access through exploitation of publicly disclosed vulnerabilities. Post-compromise activity by the group includes the use of several remote monitoring and management (RMM) tools for lateral movement and persistence. Storm-2113 also leverages tools like [Mimikatz](https://security.microsoft.com/intel-profiles/2dffdfcf7478886ee7de79237e5aeb52b0ab0cd350f1003a12064c7da2a4f1cb) and [Impacket](https://security.microsoft.com/intel-profiles/19a4861eb55c4c074ab0a8c6f58738d8f50dda8badf96695758399e3d826dda6) to steal credentials.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Harden internet-facing assets and identify and secure perimeter systems that attackers might use to access the network. Public scanning interfaces, such as [Microsoft Defender External Attack Surface Management](https://www.microsoft.com/security/business/cloud-security/microsoft-defender-external-attack-surface-management), can be used to augment this data. The Attack Surface Summary dashboard surfaces assets such as Exchange servers that require security updates and provides recommended remediation steps.
- Organizations can use [Microsoft Defender Vulnerability Management](https://security.microsoft.com/vulnerabilities?ocid=magicti_ta_ta2) to assess the current status of disclosed vulnerabilities and deploy any updates that might have been missed.
- As more organizations move to the cloud, it is important to continue to protect Active Directory resources through credential hardening during this transition. Threat actors are motivated by easy access and continue to look for easy paths to acquire domain administrator privileges. Microsoft provides some steps organizations can take to build credential hygiene in our [on-premises credential theft threat overview](https://security.microsoft.com/threatanalytics3/9382203e-5155-4b5e-af74-21562b1004d5/analystreport).
- Enforce multifactor authentication (MFA) on all accounts, remo |
Notes |
★★★
|
Sent |
Yes |
Condensate |
|
Tags |
Ransomware
Malware
Tool
Vulnerability
Threat
Medical
Cloud
Commercial
|
Stories |
|
Move |
|