What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
bleepingcomputer.webp 2021-11-22 13:45:00 US govt warns of increased ransomware risks during holidays (direct link) The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warned critical infrastructure partners and public/private sector organizations not to let down their defenses against ransomware attacks during the holiday season. [...] Ransomware
ComputerWeekly.webp 2021-11-22 11:36:00 Upcoming holidays prompt ransomware warning from authorities (direct link) No more details Ransomware
SecurityAffairs.webp 2021-11-22 10:04:00 New Memento ransomware uses password-protected WinRAR archives to block access to the files (direct link) The Memento ransomware group locks files inside WinRAR password-protected archives after having observed that its encryption process is blocked by security firms. In October, Sophos researchers spotted the Memento ransomware, which adopts a curious approach to block access to victims' files. The ransomware copies files into password-protected WinRAR archives; it uses a renamed freeware version […] Ransomware
SecurityAffairs.webp 2021-11-21 15:01:49 Researchers were able to access the payment portal of the Conti gang (direct link) The Conti ransomware group has suffered a data breach that exposed its attack infrastructure and allowed researchers to access it. Researchers at security firm Prodaft were able to identify the real IP address of one of the servers used by the Conti ransomware group and access the console for more than a month. The exposed […] Ransomware Data Breach ★★★★
SecurityAffairs.webp 2021-11-20 12:23:20 The newer cybercrime triad: TrickBot-Emotet-Conti (direct link) Advanced Intelligence researchers argue that the restarting of the Emotet botnet was driven by the Conti ransomware gang. Early this year, law enforcement and judicial authorities worldwide conducted a joint operation, named Operation Ladybird, which disrupted the EMOTET botnet. At the time, the investigators took control of its infrastructure in an internationally coordinated action. This operation was […] Ransomware
bleepingcomputer.webp 2021-11-19 19:19:16 The Week in Ransomware - November 19th 2021 - Targeting Conti (direct link) While last week was full of arrests and law enforcement actions, this week has been much quieter, with mostly new research released. [...] Ransomware
bleepingcomputer.webp 2021-11-19 14:05:11 (Déjà vu) Emotet botnet comeback orchestrated by Conti ransomware gang (direct link) The Emotet botnet is back by popular demand, resurrected by its former operator, who was convinced by members of the Conti ransomware gang. [...] Ransomware
bleepingcomputer.webp 2021-11-19 14:05:11 Emotet botnet comeback hatched by ex-Ryuk member now part of Conti gang (direct link) The Emotet botnet is back by popular demand, resurrected by its former operator, convinced by ex-members of the Ryuk ransomware gang. [...] Ransomware
SecurityAffairs.webp 2021-11-19 11:01:30 Conti ransomware operations made at least $25.5 million since July 2021 (direct link) Researchers revealed that Conti ransomware operators earned at least $25.5 million from ransom payments since July 2021. A study conducted by Swiss security firm Prodaft with the support of blockchain analysis firm Elliptic revealed that the operators of the Conti ransomware have earned at least $25.5 million from attacks and subsequent ransoms carried out since […] Ransomware
Fortinet.webp 2021-11-19 10:21:31 Memento Group Exploited CVE-2021-21972, Hid Five Months to Deploy Ransomware (direct link) FortiGuard Labs is aware of a report that a new adversary carried out an attack using a Python-based ransomware called "Memento." The Memento attackers are reported to have taken advantage of a remote code execution vulnerability in a VMware vCenter Server plugin (CVE-2021-21972) as an initial attack vector. The group started to exploit the vulnerability in April, then stayed in the network until they deployed ransomware to the victim's network upon completion of their data exfiltration. Why is this Significant? This is significant because the attacker was able to stay in the victim's network for more than 5 months after they gained initial access to the network by exploiting CVE-2021-21972. Because of the severity of the vulnerability, CISA released an alert on February 24th, 2021 to urge admins to apply the patch as soon as possible. What is CVE-2021-21972? CVE-2021-21972 is a remote code execution vulnerability in a VMware vCenter Server plugin. This vulnerability is due to improper handling of the request parameters in the vulnerable application. A remote attacker could exploit this vulnerability by uploading a specially crafted file to the targeted server. Successful exploitation of this vulnerability could lead to arbitrary code execution on the affected system. CVE-2021-21972 has a CVSS (Common Vulnerability Scoring System) score of 9.8 and affects the following products: vCenter Server 7.0 prior to 7.0 U1c; vCenter Server 6.7 prior to 6.7 U3l; vCenter Server 6.5 prior to 6.5 U3n. For more details, see the Appendix for a link to the VMware advisory "VMSA-2021-0002". Has the Vendor Released a Patch for CVE-2021-21972? Yes, VMware released a patch for CVE-2021-21972 in February 2021.
What are the Details of the Attack Carried Out by the Memento Group? According to security vendor Sophos, the attacker gained access to the victim's network in April 2021 by exploiting the vulnerability CVE-2021-21972. In May, the attacker deployed the wmiexec remote shell tool and the secretsdump hash dumping tool to a Windows server. Wmiexec is a tool that allows the attacker to remotely execute commands through WMI (Windows Management Instrumentation). Secretsdump is a tool that allows the attacker to extract credential material from the Security Account Manager (SAM) database. The attacker then downloaded a command-line version of WinRAR and two RAR archives containing various hacking tools used for reconnaissance and credential theft to the compromised server. After that, the adversary used RDP (Remote Desktop Protocol) over SSH to further spread within the network. In late October, after successfully staying low for 5 months, the attacker collected files from the compromised machines and put them in an archive file using WinRAR for data exfiltration. Then the attacker deployed the initial variant of the Memento ransomware to the victim's network, but the file encryption process was blocked by the anti-ransomware protection. The attacker then switched ransom tactics, putting the victim's files into password-protected archive files instead of encrypting them. What is Memento Ransomware? Memento is a Python-based ransomware used by the Memento group. The first Memento variant simply encrypts files on the compromised machine. The second variant does not involve file encryption. It collects files from the compromised machine and puts them into password-protected files.
What is the Status of Coverage? FortiGuard Labs provides the following AV coverage for the available samples used in the attack: W32/KeyLogger.EH!tr.spy, PossibleThreat.PALLASNET.H, Riskware/Miner, Riskware/Impacket, Riskware/Mimikatz, Riskware/Secretdmp. FortiGuard Labs provides the following IPS coverage for CVE-2021-21972: VMware.vCenter.vROps.Directory.Traversal. Other Workarounds? VMware provided a workaround for CVE-2021-21972. See the Appendix for a link to "Workaround Instructions for CVE-2021-21972 and CVE-2021-21973 on VMware vCenter Server (82374)". Ransomware Tool Vulnerability Guideline
The_Hackers_News.webp 2021-11-18 22:50:24 Experts Expose Secrets of Conti Ransomware Group That Made 25 Million from Victims (direct link) The clearnet and dark web payment portals operated by the Conti ransomware group have gone down in what appears to be an attempt to shift to new infrastructure after details about the gang's inner workings and its members were made public. According to MalwareHunterTeam, "while both the clearweb and Tor domains of the leak site of the Conti ransomware gang is online and working, both their Ransomware
Kaspersky.webp 2021-11-18 21:45:54 Ransomware Phishing Emails Sneak Through SEGs (direct link) The MICROP ransomware spreads via Google Drive and locally stored passwords. Ransomware
SecurityWeek.webp 2021-11-18 15:42:53 Cyber Defenders Should Prepare for Holiday Ransomware Attacks (direct link) High days and holidays are prime time for ransomware. This should come as no surprise to anyone – but many companies remain surprisingly unaware or at least unprepared. Ransomware
securityintelligence.webp 2021-11-18 14:00:00 Rising Cyber Insurance Premiums Highlight Importance of Ransomware Prevention (direct link) No insurance premiums saw greater growth in the second quarter of 2021 than those related to cybersecurity. According to the Council of Insurance Agents & Brokers, cyber insurance premiums grew more than a quarter (25.5%) during that period. That's well above the 17.4% increase witnessed by umbrella insurance and an average of 8.3% growth across […] Ransomware
bleepingcomputer.webp 2021-11-18 11:42:58 New Memento ransomware switches to WinRar after failing at encryption (direct link) A new ransomware group called Memento takes the unusual approach of locking files inside password-protected archives after their encryption method kept being detected by security software. [...] Ransomware
The_Hackers_News.webp 2021-11-17 23:59:00 Microsoft Warns about 6 Iranian Hacking Groups Turning to Ransomware (direct link) Nation-state operators with a nexus to Iran are increasingly turning to ransomware as a means of generating revenue and intentionally sabotaging their targets, while also engaging in patient and persistent social engineering campaigns and aggressive brute force attacks. No less than six threat actors affiliated with the West Asian country have been discovered deploying ransomware to achieve their Ransomware Threat
Kaspersky.webp 2021-11-17 22:06:26 Fake Ransomware Infection Hits WordPress Sites (direct link) WordPress sites have been splashed with ransomware warnings that are as real as dime-store cobwebs made out of spun polyester. Ransomware
TechRepublic.webp 2021-11-17 14:56:39 How to protect your organization from ransomware attacks during the holiday season (direct link) A quarter of security pros polled by Cybereason said they lack a plan to deal with a ransomware attack during a weekend or holiday. Ransomware
bleepingcomputer.webp 2021-11-17 13:31:23 Russian ransomware gangs start collaborating with Chinese hackers (direct link) There's some unusual activity brewing on Russian-speaking cybercrime forums, where hackers appear to be reaching out to Chinese counterparts for collaboration. [...] Ransomware
InfoSecurityMag.webp 2021-11-17 11:30:00 Organizations More Susceptible to Ransomware Attacks During Weekends and Holidays (direct link) 37% of organizations do not have contingency plans in place to respond to a ransomware attack during weekend and holiday periods. Ransomware ★★
Cybereason.webp 2021-11-17 05:03:00 Cybereason Research Finds Organizations Unprepared for Ransomware Attacks on Weekends and Holidays (direct link) In June of 2021, Cybereason published a global research report, titled Ransomware: The True Cost to Business, which revealed that the vast majority of organizations that have suffered a ransomware attack experienced significant impact to the business as a result. The consequences included loss of revenue, damage to the organization's brand, unplanned workforce reductions, and disruption of business operations. Ransomware
Cybereason.webp 2021-11-17 05:02:00 Predictive Ransomware Protection: The Key to Ending a Global Crisis (direct link) Successful ransomware attacks take time. They involve gaining a foothold in the enterprise, conducting reconnaissance, escalating privileges, and then locating and exfiltrating your organization's most sensitive data. The entire process, up until the point that the attackers encrypt your data, could take weeks or months. Ransomware
TechRepublic.webp 2021-11-16 20:21:00 14 tactics to use during a ransomware negotiation (direct link) Security researchers analyzed 700 incidents to understand the economics of these threats as well as what bargaining tactics work. Ransomware
Anomali.webp 2021-11-16 17:34:00 Anomali Cyber Watch: REvil Affiliates Arrested, Electronics Retail Giant Hit By Ransomware, Robinhood Breach, Zero Day In Palo Alto Security Appliance and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data breach, Data leak, Malspam, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer (published: November 8, 2021) The US Cybersecurity and Infrastructure Security Agency (CISA) has released an alert about advanced persistent threat (APT) actors exploiting a vulnerability in the self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus. Palo Alto, Microsoft & Lumen Technologies made a joint effort to track, analyse and mitigate this threat. The attack deployed a webshell and created a registry key for persistence. The actor leveraged leased infrastructure in the US to scan hundreds of organizations and compromised at least nine global organizations across the technology, defense, healthcare and education industries. Analyst Comment: This actor has used some unique techniques in these attacks, including a blockchain-based legitimate remote control application and a credential stealing tool which hooks specific functions from the LSASS process. It's important to make sure your EDR solution is configured to and supports detecting such advanced techniques in order to detect such attacks.
MITRE ATT&CK: [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Credentials in Files - T1081 | [MITRE ATT&CK] Brute Force - T1110 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Hooking - T1179 | [MITRE ATT&CK] Registry Run Keys / Startup Folder - T1060 | [MITRE ATT&CK] Pass the Hash - T1075 Tags: Threat Group 3390, APT27, TG-3390, Emissary Panda, WildFire, NGLite backdoor, Cobalt Strike, Godzilla, PwDump, beacon, ChinaChopper, CVE-2021-40539, Healthcare, Military, North America, China REvil Affiliates Arrested; DOJ Seizes $6.1M in Ransom (published: November 9, 2021) A 22-year-old Ukrainian national named Yaroslav Vasinskyi has been charged with conducting ransomware attacks by the U.S. Department of Justice (DOJ). These attacks include t Ransomware Data Breach Malware Tool Vulnerability Threat Medical APT 38 APT 27 APT 1
Cybereason.webp 2021-11-16 14:28:03 RansomOps: Detecting Complex Ransomware Operations (direct link) In a recent blog post we discussed how today's more complex RansomOps attacks are more akin to stealthy APT-like operations than the “spray and pray” mass email spam campaigns of old, and how there are multiple players from the larger Ransomware Economy at work, each with their own specializations. Ransomware Spam
Fortinet.webp 2021-11-16 13:16:47 BlackMatter Uses New Custom Data Exfiltration Tool (direct link) FortiGuard Labs is aware that a BlackMatter ransomware affiliate started to use a new custom data exfiltration tool called "Exmatter". The tool is used to steal specific file types from predetermined directories and upload them to an attacker's server. This process happens before the ransomware is deployed to the victim's network. Why is this Significant? This is significant because Exmatter appears to target specific file types which the attacker thinks are valuable so it can steal them as quickly as possible. That allows the attacker to spend less time on the network before deploying the BlackMatter ransomware. What File Types is Exmatter Designed to Steal? According to security vendor Symantec, files with the following file extensions on the compromised machine are targeted by Exmatter: .doc, .docx, .xls, .xlsx, .pdf, .msg, .png, .ppt, .pptx, .sda, .sdm, .sdw, .csv, .xlsm, .zip, .json, .config, .ts, .cs, .js, .asp, .pst. Are There Multiple Versions of Exmatter? According to the security vendor, there are at least four versions of Exmatter that were used by a BlackMatter affiliate. Newer versions include additional file extensions to steal, as well as specific strings in file names that Exmatter excludes from the exfiltration targets. One directory target was shortened so that Exmatter can search for more files for exfiltration. Also, the SFTP server details used for uploading the stolen data were updated with WebDAV to serve as a backup in case the SFTP transmission did not work. What is the Significance of the Updates Made to Exmatter? It is significant because the attacker used lessons learned from the networks of previous victims to update Exmatter to make data exfiltration more efficient and effective against future victims. What does FortiGuard Labs Know About BlackMatter Ransomware? BlackMatter ransomware is a fairly new Ransomware-as-a-Service (RaaS) and was discovered in late July 2021.
The group posted ads on hacking forums recruiting affiliates and asking to buy access to compromised corporate networks to deploy ransomware. FortiGuard Labs has previously released two Threat Signals on BlackMatter ransomware. See the Appendix for a link to the Threat Signal, "Meet BlackMatter: Yet Another RaaS in the Wild" and to the Threat Signal, "Joint CyberSecurity Advisory on BlackMatter Ransomware (AA21-291A)." What is the Status of Coverage? FortiGuard Labs provides the following AV coverage against Exmatter: MSIL/Agent.7AAD!tr, W32/Crypt!tr, PossibleThreat. All network IOCs related to this threat are blocked by the FortiGuard WebFiltering Client. Ransomware Tool Threat
TechRepublic.webp 2021-11-16 13:00:00 Fear and shame are making it harder to fight ransomware and accidental data loss, report finds (direct link) A third of employees admit lying to hide the fact that they accidentally deleted data, most doing so out of embarrassment or fear of punishment. Even more would lie about a ransomware infection. Ransomware
bleepingcomputer.webp 2021-11-16 12:35:50 WordPress sites are being hacked in fake ransomware attacks (direct link) A new wave of attacks starting late last week has hacked close to 300 WordPress sites to display fake encryption notices, trying to trick the site owners into paying 0.1 bitcoin for restoration. [...] Ransomware
bleepingcomputer.webp 2021-11-16 10:31:03 Microsoft adds AI-driven ransomware protection to Defender (direct link) Microsoft has introduced an AI-driven ransomware attack detection system for Microsoft Defender for Endpoint customers that complements existing cloud protection by evaluating risks and blocking actors at the perimeter. [...] Ransomware
Trend.webp 2021-11-16 00:00:00 Global Operations Lead to Arrests of Alleged Members of GandCrab/REvil and Cl0p Cartels (direct link) A total of 13 suspects believed to be members of two prolific cybercrime rings were arrested as a global coalition across five continents involving law enforcement and private partners, including Trend Micro, sought to crack down on big ransomware operators. Ransomware
Kaspersky.webp 2021-11-15 21:53:21 The Best Ransomware Response, According to the Data (direct link) An analysis of ransomware attack negotiation data offers best practices. Ransomware
TechRepublic.webp 2021-11-15 18:10:02 How organizations are beefing up their cybersecurity to combat ransomware (direct link) Most organizations surveyed by Hitachi ID are moving partly to software-as-a-service. Less than half have adopted a Zero Trust strategy. Ransomware
grahamcluley.webp 2021-11-15 13:32:16 As ransomware attacks rise, US government advice to protect K-12 schools is “vastly outdated” (direct link) With so many in the educational sector under attack, it's never been more important to ensure schools are properly defended against ransomware - and not relying on advice that is 11 years old. Read more in my article on the Tripwire State of Security blog. Ransomware
SecurityAffairs.webp 2021-11-14 17:44:17 FTC shares guidance for small businesses to prevent ransomware attacks (direct link) The US Federal Trade Commission (FTC) has shared guidance for small businesses on how to increase resilience to ransomware attacks. The US Federal Trade Commission (FTC) published guidance for small businesses on how to protect their networks from ransomware attacks. The FTC suggests two steps small businesses can take to bolster their resilience against ransomware […] Ransomware
bleepingcomputer.webp 2021-11-14 10:00:00 US Education Dept urged to boost K-12 schools' ransomware defenses (direct link) The US Department of Education and Department of Homeland Security (DHS) were urged this week to more aggressively strengthen cybersecurity protections at K-12 schools across the nation to keep up with a massive wave of attacks. [...] Ransomware
MitnickSecurity.webp 2021-11-12 22:18:35 Who is REvil? The Notorious Ransomware Hacking Group, Explained (direct link) Over the last two years, the internet has been riddled with ransomware attacks wherein cybercriminals compromise technology or data, make it inaccessible via encryption, and demand their victim pay a ransom to recover it. Ransomware ★★★★
Kaspersky.webp 2021-11-12 20:24:24 Top 10 Cybersecurity Best Practices to Combat Ransomware (direct link) Immutable storage and more: Sonya Duffin, data protection expert at Veritas Technologies, offers the Top 10 steps for building a multi-layer resilience profile. Ransomware
bleepingcomputer.webp 2021-11-12 16:07:06 The Week in Ransomware - November 12th 2021 - Targeting REvil (direct link) This week, law enforcement struck a massive blow against the REvil ransomware operation, with multiple arrests announced and the seizure of cryptocurrency. [...] Ransomware
InfoSecurityMag.webp 2021-11-12 14:49:00 Europol: Ransomware Gangs Focusing on High Profile Targets (direct link) Europol also highlighted an alarming rise in self-produced explicit material of children online in the past year. Ransomware
Cybereason.webp 2021-11-12 12:52:05 Ransomware Whack-a-Mole (direct link) Pretty much everyone is familiar with the carnival game Whack-a-Mole. No matter how many moles you bash with the mallet, it seems like two more pop up in its place. It's commonly used to describe cybersecurity, and the ransomware news this week illustrates why Whack-a-Mole is an appropriate metaphor. Ransomware
bleepingcomputer.webp 2021-11-12 12:14:17 FTC shares ransomware defense tips for small US businesses (direct link) The US Federal Trade Commission (FTC) has shared guidance for small businesses on how to secure their networks from ransomware attacks by blocking threat actors' attempts to exploit vulnerabilities using social engineering or exploits targeting technology. [...] Ransomware Threat
The_Hackers_News.webp 2021-11-12 07:32:30 Hackers Increasingly Using HTML Smuggling in Malware and Phishing Attacks (direct link) Threat actors are increasingly banking on the technique of HTML smuggling in phishing campaigns as a means to gain initial access and deploy an array of threats, including banking malware, remote administration trojans (RATs), and ransomware payloads. Microsoft 365 Defender Threat Intelligence Team, in a new report published Thursday, disclosed that it identified infiltrations distributing the Ransomware Malware Threat ★★★
Kaspersky.webp 2021-11-11 20:32:39 Invest in These 3 Key Security Technologies to Fight Ransomware (direct link) Ransomware volumes are up 1000%. Aamir Lakhani, cybersecurity researcher and practitioner at FortiGuard Labs, discusses secure email, network segmentation and sandboxing for defense. Ransomware
Kaspersky.webp 2021-11-11 17:54:28 Congress Mulls Ban on Big Ransom Payouts (direct link) A bill introduced this week would regulate ransomware response by the country's critical financial sector. Ransomware
InfoSecurityMag.webp 2021-11-11 16:45:00 #BHEU: 5 Ways to Approach Ransomware Negotiations (direct link) How should organizations react when forced into a ransomware negotiation? Ransomware
bleepingcomputer.webp 2021-11-11 11:04:00 Magniber ransomware gang now exploits Internet Explorer flaws in attacks (direct link) The Magniber ransomware gang is now using two Internet Explorer vulnerabilities and malicious advertisements to infect users and encrypt their devices. [...] Ransomware
itsecurityguru.webp 2021-11-11 10:33:43 Don't get held to ransom – cause, prevention, recovery (direct link) Ransomware is one of the top earners of the dark economy, lining the coffers of cybercriminals. Expected to generate over $265bn USD in revenue for bad actors within the next decade, ransomware continues to pose an acute threat to businesses. It's no wonder then that cybercriminals have commoditised their skills in ransomware as a service to maximise their return on investment. They understand how to build a successful business from […] Ransomware Threat
Darktrace.webp 2021-11-11 09:00:00 Hacking season: Why Cyber Monday presents a cyber security nightmare (direct link) As ‘Bring Your Own Device’ (BYOD) drives digital convergence of our personal and professional lives, Black Friday scams targeting personal inboxes can easily spill over into corporate environments. This, coupled with an increased incidence of ransomware attacks over public holidays, is giving defenders plenty to think about this holiday season. Ransomware
bleepingcomputer.webp 2021-11-11 08:54:03 New bill sets ransomware attack response rules for US financial orgs (direct link) New legislation introduced this week by US lawmakers aims to set ransomware attack response "rules of the road" for US financial institutions. [...] Ransomware
The_Hackers_News.webp 2021-11-11 03:50:08 TrickBot Operators Partner with Shatak Attackers for Conti Ransomware (direct link) The operators of the TrickBot trojan are collaborating with the Shathak threat group to distribute their wares, ultimately leading to the deployment of Conti ransomware on infected machines. "The implementation of TrickBot has evolved over the years, with recent versions of TrickBot implementing malware-loading capabilities," Cybereason security analysts Aleksandar Milenkoski and Eli Salem said in a Ransomware Threat Guideline
Last update at: 2024-07-21 03:07:27