What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
InfoSecurityMag.webp 2022-12-22 09:30:00 Ransomware Attack Hits The Guardian Newspaper (direct link) Staff told to work from home after compromise Ransomware ★★★★
SecureList.webp 2022-12-22 08:00:32 Ransomware and wiper signed with stolen certificates (direct link) In this report, we compare the ROADSWEEP ransomware and ZEROCLEARE wiper versions used in two waves of attacks against Albanian government organizations. Ransomware ★★★
bleepingcomputer.webp 2022-12-22 08:00:00 FIN7 hackers create auto-attack platform to breach Exchange servers (direct link) The notorious FIN7 hacking group uses an auto-attack system that exploits Microsoft Exchange and SQL injection vulnerabilities to breach corporate networks, steal data, and select targets for ransomware attacks based on financial size. [...] Ransomware ★★★
Watchguard.webp 2022-12-22 00:00:00 WatchGuard's Threat Lab report reveals that the top threat travels exclusively over encrypted connections (direct link) Paris, 4 January 2023 – WatchGuard® Technologies, a global leader in unified cybersecurity, publishes its latest quarterly Internet Security Report, which presents the major trends in malware and in network and endpoint security threats analysed by WatchGuard Threat Lab researchers in Q3 2022. Its key findings reveal in particular that the quarter's top malware threat was detected exclusively over encrypted connections, that ICS attacks remain popular, that the LemonDuck malware is evolving beyond cryptomining, and that a Minecraft cheat engine delivers a malicious payload. "We cannot stress enough the importance of enabling HTTPS inspection, even though it requires some tuning and exceptions to work properly. The majority of malware uses the encrypted HTTPS protocol, and these threats go undetected without inspection," said Corey Nachreiner, Chief Security Officer at WatchGuard Technologies. "Rightly, the assets cybercriminals covet most, such as Exchange servers or SCADA management systems, also deserve maximum attention. When a patch is available, it is important to update immediately, because cybercriminals will eventually take advantage of any organization that has not yet applied the latest patch."
The Q3 Internet Security Report contains other key findings, including: The vast majority of malware travels over encrypted connections – Although it came third in the classic top-10 malware list for Q3, Agent.IIQ topped the encrypted malware list for the same period. In fact, looking at detections of this malware on both lists, it appears that all Agent.IIQ detections came from encrypted connections. In Q3, if a Firebox appliance was inspecting encrypted traffic, 82% of the malware detected was travelling over an encrypted connection, leaving only 18% of detections in the clear. If encrypted traffic is not inspected on the Firebox, it is very likely that this average ratio applies and that the company is missing a huge share of malware. ICS and SCADA systems remain the most common attack targets – This quarter, a SQL injection attack affecting several vendors appeared in the top-10 network attacks list. Advantech is one of the companies concerned; its WebAccess portal is used for SCADA systems across a variety of critical infrastructure. Another serious exploit in Q3, also ranked among the top five network attacks by volume, targeted versions 1.2.1 and earlier of Schneider Electric's U.motion Builder software. A stark reminder that cybercriminals are not simply waiting quietly for the next opportunity, but are actively seeking to compromise systems whenever possible. Exchange server vulnerabilities continue to pose risks – The C Ransomware Malware Tool Threat APT 3 ★★★
DarkReading.webp 2022-12-21 20:45:00 Ransomware Attackers Bypass Microsoft's ProxyNotShell Mitigations With Fresh Exploit (direct link) The Play ransomware group was spotted exploiting another little-known SSRF bug to trigger RCE on affected Exchange servers. Ransomware ★★★★
SC_Mag.webp 2022-12-21 18:21:25 (Déjà vu) Ransomware groups use new exploit to bypass ProxyNotShell mitigations for Microsoft Exchange (direct link) Threat actors affiliated with the Play ransomware strain are leveraging a never-before-seen exploit method that bypasses Microsoft's ProxyNotShell URL rewrite mitigation to gain remote code execution through Outlook Web Access (OWA). Ransomware
globalsecuritymag.webp 2022-12-21 18:09:17 Dr Niklas Hellemann, CEO of SoSafe: cybersecurity predictions for 2023 (direct link) Cybersecurity predictions for 2023 from Dr Niklas Hellemann, CEO of SoSafe. In his view, vishing (voice phishing), emotional manipulation, and burnout among remote employees and security teams will lead to new security breaches, ransomware should decline, and executive committee decisions will be among the main cybersecurity trends of 2023. - Viewpoints Ransomware ★★★
globalsecuritymag.webp 2022-12-21 16:52:39 3x Expert Comments - The Guardian Attack (direct link) Following today's news that The Guardian has been hit by a cyberattack, potentially of the ransomware kind, leading to staff members having to work from home, Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea, Dr Darren Williams, CEO of Blackfog, and Stephen Gates, Security Evangelist at Checkmarx, comment: - Malware Update Ransomware Guideline
BBC.webp 2022-12-21 16:52:37 Guardian newspaper hit by suspected ransomware attack (direct link) The paper says its IT network is being affected by a "serious incident" and staff are working from home. Ransomware ★★
News.webp 2022-12-21 15:40:06 UK's Guardian newspaper breaks news of ransomware attack on itself (direct link) Reporters work from home as publication promises Thursday's print edition will hit newsstands on time. UK broadsheet media outlet The Guardian has become the victim of a ransomware attack which seems to have taken out a large chunk of office-based systems.… Ransomware ★★
The_Hackers_News.webp 2022-12-21 13:11:00 (Déjà vu) Ransomware Hackers Using New Way to Bypass MS Exchange ProxyNotShell Mitigations (direct link) Threat actors affiliated with a ransomware strain known as Play are leveraging a never-before-seen exploit chain that bypasses blocking rules for ProxyNotShell flaws in Microsoft Exchange Server to achieve remote code execution (RCE) through Outlook Web Access (OWA). "The new exploit method bypasses URL rewrite mitigations for the Autodiscover endpoint," CrowdStrike researchers Brian Pitchford, Ransomware Threat ★★★★
SC_Mag.webp 2022-12-21 11:35:31 Royal overtakes LockBit as top ransomware in November as attacks increase 41% (direct link) November's sharp increase in reported incidents is backed by uncommon contributions, according to a new report by NCC Group. Ransomware ★★
Trend.webp 2022-12-21 00:00:00 Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks (direct link) From September to December, we detected multiple attacks from the Royal ransomware group. In this blog entry, we discuss findings from our investigation of this ransomware and the tools that Royal ransomware actors used to carry out their attacks. Ransomware ★★★
SC_Mag.webp 2022-12-20 20:24:13 Clop ransomware group targeting provider-patient trust by infecting medical images (direct link) Hold Security has observed the Clop ransomware group interacting with providers as if they were patients in order to send them medical images infected with malware. Ransomware Medical ★★★
SC_Mag.webp 2022-12-20 17:53:48 Stolen Events DC files exposed by BlackCat ransomware gang (direct link) District of Columbia convention and sports authority Events D.C. had files stolen in a cyberattack first reported two months ago leaked by the BlackCat ransomware gang, also known as ALPHV, last week, reports StateScoop. Ransomware ★★★
SC_Mag.webp 2022-12-20 17:50:57 Novel Rust-based Agenda ransomware variant discovered (direct link) Ransomware-as-a-service operation Qilin has developed a novel Rust-based variant of the Agenda ransomware strain, which was originally written in the Go programming language and was used to compromise the healthcare and education sectors in Indonesia, Thailand, Saudi Arabia, and South Africa, The Hacker News reports. Ransomware ★★★
bleepingcomputer.webp 2022-12-20 17:33:13 Ransomware gang uses new Microsoft Exchange exploit to breach servers (direct link) Play ransomware threat actors are using a new exploit chain that bypasses ProxyNotShell URL rewrite mitigations to gain remote code execution (RCE) on vulnerable servers through Outlook Web Access (OWA). [...] Ransomware Threat ★★
CSO.webp 2022-12-20 13:06:00 BrandPost: Today's workforce wants flexibility. Companies need Zero Trust. (direct link) By Microsoft Security & Zscaler. Competitive businesses are aggressively accelerating their cloud transformation through the use of SaaS apps. These apps can help an organization to optimize investments, acquire and retain talent, and maintain continuity – even during turbulent events. To realize the full benefits of cloud investments, workplaces must be modernized to satisfy the demands of today's “anywhere, any time, any device” workforces. Unfortunately, the unfettered access modern workforces require comes with the added risk of a dramatically expanded attack surface. IT staff must protect users, devices, and apps from ransomware attacks, data leaks, and other threats that can hinder a truly modern workplace. The best line of defense is a reliable Zero Trust security framework, natively built on a highly distributed, global architecture. Ransomware
no_ico.webp 2022-12-20 13:00:35 Play Ransomware Gang Claims Responsibility for Cyber Attack on H-Hotels (direct link) H-Hotels (h-hotels.com) have recently been the target of a cyber-attack, which has led to disruptions in the company’s communication systems. The Play ransomware gang has claimed responsibility for the attack. At this point, it is unclear whether the claims made by the Play criminal gang are genuine; however, H-Hotels is looking into the matter as […] Ransomware
bleepingcomputer.webp 2022-12-19 16:40:52 Play ransomware claims attack on German hotel chain H-Hotels (direct link) The Play ransomware gang has claimed responsibility for a cyber attack on H-Hotels (h-hotels.com) that has resulted in communication outages for the company. [...] Ransomware ★★★
InfoSecurityMag.webp 2022-12-19 16:10:00 Ransomware Groups to Increase Zero-Day Exploit-Based Access Methods in the Future (direct link) Trend Micro's latest research paper analyzed ways in which ransomware groups could evolve to stay on top of strengthened cyber-protection measures Ransomware Prediction ★★★
The_Hackers_News.webp 2022-12-19 15:35:00 New Agenda Ransomware Variant, Written in Rust, Aiming at Critical Infrastructure (direct link) A Rust variant of a ransomware strain known as Agenda has been observed in the wild, making it the latest malware to adopt the cross-platform programming language after BlackCat, Hive, Luna, and RansomExx. Agenda, attributed to an operator named Qilin, is a ransomware-as-a-service (RaaS) group that has been linked to a spate of attacks primarily targeting manufacturing and IT industries across Ransomware Malware ★★
securityintelligence.webp 2022-12-19 14:00:00 How Reveton Ransomware-as-a-Service Changed Cybersecurity (direct link) In 2012, Reveton ransomware emerged. It’s considered to be the first Ransomware-as-a-Service (RaaS) operation ever. Since then, RaaS has enabled gangs with basic technical skills to launch attacks indiscriminately. Now, nearly anyone can create highly effective malware campaigns. We now see RaaS outfits with organizational capabilities that rival the most professional Software-as-a-Service (SaaS) brands. But […] Ransomware Malware ★★★
globalsecuritymag.webp 2022-12-19 09:11:19 Trend Micro analyses cybercriminals' new modus operandi, particularly for ransomware (direct link) Trend Micro Incorporated publishes the findings of an alert report on the evolution of the ransomware market. Titled 'The Near and Far Future of Today's Ransomware Groups', it projects how the activity of cyber-extortion groups may expand into other areas of cybercrime or into alliances with hostile governments or other organised crime groups. - Malware Ransomware Prediction
InfoSecurityMag.webp 2022-12-16 18:00:00 Agenda Ransomware Switches to Rust to Attack Critical Infrastructure (direct link) Victim companies have a combined revenue of around $550m Ransomware ★★
bleepingcomputer.webp 2022-12-16 13:47:12 Colombian energy supplier EPM hit by BlackCat ransomware attack (direct link) Colombian energy company Empresas Públicas de Medellín (EPM) suffered a BlackCat/ALPHV ransomware attack on Monday, disrupting the company's operations and taking down online services. [...] Ransomware ★★★
knowbe4.webp 2022-12-16 13:15:38 Hospitals Warned of Royal Ransomware Attacks by U.S. Department of Health (direct link) Hospitals Warned of Royal Ransomware Attacks by U.S. Department of Health Ransomware ★★
Trend.webp 2022-12-16 00:00:00 Agenda Ransomware Uses Rust to Target More Vital Industries (direct link) This year, various ransomware-as-a-service groups have developed versions of their ransomware in Rust, including Agenda. Agenda's Rust variant has targeted vital industries like its Go counterpart. In this blog, we will discuss how the Rust variant works. Ransomware ★★★
globalsecuritymag.webp 2022-12-15 16:05:52 Comment: WithSecure - Microsoft suspended several accounts on its hardware developer program that signed malicious drivers used by a ransomware group called Cuba to disable endpoint security tools (direct link) Following the news that Microsoft suspended several accounts on its hardware developer program that signed malicious drivers used by a ransomware group called Cuba to disable endpoint security tools, Paul Brucciani, a Cyber Security Advisor at WithSecure Solutions, discusses the importance of placing trust in developers. - Opinion Ransomware
Blog.webp 2022-12-15 06:10:39 (Déjà vu) ASEC Weekly Malware Statistics (December 5th, 2022 – December 11th, 2022) (direct link) The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from December 5th, 2022 (Monday) to December 11th, 2022 (Sunday). For the main category, downloader ranked top with 44.3%, followed by Infostealer with 28.2%, backdoor with 18.3%, ransomware with 8.5%, and CoinMiner with 0.7%. Top 1 – Amadey This week, Amadey Bot ranked first place with 15.9%. Amadey is a downloader that can receive commands... Ransomware Malware ★★
Blog.webp 2022-12-15 06:04:55 Caution! Magniber Ransomware Restarts Its Propagation on December 9th With COVID-19 Related Filenames (direct link) On December 9th, 2022, the ASEC analysis team discovered that Magniber Ransomware is being distributed again. During the peak of the COVID-19 outbreak, Magniber was found being distributed with COVID-19 related filenames alongside the previous security-update related filenames. C:\Users\$USERS\Downloads\COVID.Warning.Readme.2f4a204180a70de60e674426ee79673f.msi; C:\Users\$USERS\Downloads\COVID.Warning.Readme.502ef18830aa097b6dd414d3c3edd5fb.msi; C:\Users\$USERS\Downloads\COVID.Warning.Readme.a179a9245f8e13f41d799e775b71fdff.msi (Table 1. COVID-19 related filenames in circulation) In the past, Magniber exploited an Internet Explorer vulnerability to infect user PCs via drive-by download, which only required users to visit a web page. However, after Microsoft stopped supporting Internet Explorer, Magniber’s... Ransomware Vulnerability ★★★
Blog.webp 2022-12-15 06:02:24 STOP Ransomware Being Distributed in Korea (direct link) The ASEC analysis team discovered that the STOP ransomware is being distributed in Korea. This ransomware is being distributed at such a high volume that it is ranked among the Top 3 in the ASEC Weekly Malware Statistics (November 28th, 2022 – December 4th, 2022). The files that are currently being distributed are in the form of MalPe, just like SmokeLoader and Vidar, and the filenames include a random 4-byte string as shown below. When the ransomware is executed, it first... Ransomware Malware
The_State_of_Security.webp 2022-12-15 03:21:53 How to deal with cyberattacks this holiday season (direct link) The holiday season has arrived, and cyberattacks are expected to increase with the upcoming celebratory events. According to The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) 2022 Holiday Season Threat Trends and summary report, ransomware and phishing attacks are expected to increase in retail. With the FIFA World Cup 2022, many cybersecurity experts have advised heightened caution about online impersonation scams and phishing campaigns. Looking back at 2021, studies show a 30% increase in ransomware attacks, and a 70% increase in attempted ransomware attacks during... Ransomware Threat Studies ★★
Trend.webp 2022-12-15 00:00:00 Ransomware Business Models: Future Pivots and Trends (direct link) Ransomware groups and their business models are expected to change from what and how we know them to date. In this blog entry, we summarize from some of our insights the triggers that spark the small changes in the short term (“evolutions”) and the bigger deviations (“revolutions”) they can redirect their criminal enterprises to in the long run. Ransomware ★★★
DarkReading.webp 2022-12-14 21:20:00 Cybereason Warns Global Organizations Against Destructive Ransomware Attacks From Black Basta Gang (direct link) The Royal Ransomware Group has emerged as a threat to companies in 2022 and has carried out dozens of successful attacks on global companies. Cybereason suggests that companies raise their awareness of this potential pending threat. Ransomware Threat ★★
DarkReading.webp 2022-12-14 18:50:59 Microsoft-Signed Malicious Drivers Usher In EDR-Killers, Ransomware (direct link) Malicious Windows drivers signed as legit by Microsoft have been spotted as part of a toolkit used to kill off security processes in post-exploitation cyber activity. Ransomware ★★★
The_Hackers_News.webp 2022-12-14 18:38:00 Ransomware Attackers Use Microsoft-Signed Drivers to Gain Access to Systems (direct link) Microsoft on Tuesday disclosed it took steps to suspend accounts that were used to publish malicious drivers certified by its Windows Hardware Developer Program. The tech giant said its investigation revealed the activity was restricted to a number of developer program accounts and that no further compromise was detected. Cryptographically signing malware is Ransomware Malware
CSO.webp 2022-12-14 14:07:00 Cuba ransomware group used Microsoft developer accounts to sign malicious drivers (direct link) Microsoft suspended several accounts on its hardware developer program that signed malicious drivers used by a ransomware group called Cuba to disable endpoint security tools. The driver certificates have been revoked and the drivers will be added to a blocklist that Windows users can optionally deploy. "In most ransomware incidents, attackers kill the target's security software in an essential precursor step before deploying the ransomware itself," researchers from security firm Sophos said in a new report about the incident. "In recent attacks, some threat actors have turned to the use of Windows drivers to disable security products." Ransomware Threat ★★
Cybereason.webp 2022-12-14 13:40:44 (Déjà vu) Royal Rumble: Analysis of Royal Ransomware (direct link) The Royal ransomware group emerged in early 2022 and has gained momentum since the middle of the year. Its ransomware, which the group deploys through different TTPs, has impacted multiple organizations across the globe. The group itself is suspected of consisting of former members of other ransomware groups, based on similarities researchers have observed between Royal ransomware and other ransomware operators. Ransomware ★★★
bleepingcomputer.webp 2022-12-14 13:24:00 Microsoft patches Windows zero-day used to drop ransomware (direct link) Microsoft has fixed a security vulnerability used by threat actors to circumvent the Windows SmartScreen security feature and deliver Magniber ransomware and Qbot malware payloads. [...] Ransomware Malware Vulnerability Threat ★★
Dragos.webp 2022-12-14 12:00:00 (Déjà vu) OT Cybersecurity Best Practices for Small & Medium Organizations: How to Respond to a Ransomware Attack (direct link) This is our monthly blog detailing best practices for OT cybersecurity for under-resourced organizations by Dragos OT-CERT (Operational Technology –... Ransomware ★★★
securityintelligence.webp 2022-12-14 11:00:00 5 Holiday Cybersecurity Tips That Make A Real Impact (direct link) Tired of cybersecurity tips that don’t really make an impact? This post is for you. The year is winding down to an end. Everyone, including security teams, is busy and preoccupied. Cyber actors know this and are gearing up to launch attacks. Over the holiday season, the global number of attempted ransomware attacks has increased […] Ransomware
zataz.webp 2022-12-14 09:42:46 Ransomware: snitch on your buddy (direct link) A new leak in the small world of ransomware. A former member of the URSNIF group is leaking personal information about the instigators of this malicious operation.... Ransomware ★★★
CSO.webp 2022-12-14 04:31:00 New Royal ransomware group evades detection with partial encryption (direct link) A new ransomware group dubbed Royal that formed earlier this year has significantly ramped up its operations over the past few months and developed its own custom ransomware program that allows attackers to perform flexible and fast file encryption. "The Royal ransomware group emerged in early 2022 and has gained momentum since the middle of the year," researchers from security firm Cybereason said in a new report. "Its ransomware, which the group deploys through different TTPs, has impacted multiple organizations across the globe. The group itself is suspected of consisting of former members of other ransomware groups, based on similarities researchers have observed between Royal ransomware and other ransomware operators." Ransomware
WiredThreatLevel.webp 2022-12-13 21:28:57 Cuba Ransomware Gang Abused Microsoft Certificates to Sign Malware (direct link) The company has taken measures to mitigate the risks, but security researchers warn of a broader threat. Ransomware Malware ★★★
no_ico.webp 2022-12-13 20:02:12 LockBit Breached The California Department of Finance (direct link) Authorities in California are looking into a cybersecurity breach at the Department of Finance after a large ransomware organization claimed to have stolen private information and financial records from the organization. In a statement released on Monday, the California Office of Emergency Services (Cal OES) called the danger an “intrusion” that had been “discovered via […] Ransomware ★★
globalsecuritymag.webp 2022-12-13 17:11:25 Comment from WithSecure spokesperson on: LockBit ransomware crew claiming an attack on California Department of Finance (direct link) Following the news of the LockBit ransomware crew claiming another attack on the California Department of Finance, Neeraj Singh, a Research & Development Manager from WithSecure, highlights the numerous attacks by LockBit in the past few months and the ever-growing importance of government agencies strengthening their cybersecurity strategies. Neeraj Singh, Research & Development Manager, WithSecure Intelligence. - Malware Update Ransomware ★★
bleepingcomputer.webp 2022-12-13 16:24:20 LockBit claims attack on California's Department of Finance (direct link) The Department of Finance in California has been the target of a cyberattack now claimed by the LockBit ransomware gang. [...] Ransomware ★★★
Anomali.webp 2022-12-13 16:00:00 Anomali Cyber Watch: MuddyWater Hides Behind Legitimate Remote Administration Tools, Vice Society Tops Ransomware Threats to Education, Abandoned JavaScript Library Domain Pushes Web-Skimmers (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Compromised websites, Education, Healthcare, Iran, Phishing, Ransomware, and Supply chain. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence New MuddyWater Threat: Old Kitten; New Tricks (published: December 8, 2022) In 2020-2022, the Iran-sponsored MuddyWater (Static Kitten, Mercury) group went through abusing several legitimate remote administration tools: RemoteUtilities, followed by ScreenConnect and then Atera Agent. Since September 2022, a new campaign attributed to MuddyWater uses spearphishing to deliver links to archived MSI files with yet another remote administration tool: Syncro. Deep Instinct researchers observed the targeting of Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates. Analyst Comment: Network defenders are advised to establish a baseline for typical running processes and monitor for remote desktop solutions that are not common in the organization. 
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Remote Access Tools - T1219 Tags: mitre-group:MuddyWater, actor:Static Kitten, actor:Mercury, Iran, source-country:IR, APT, Cyberespionage, Ministry of Intelligence and Security, detection:Syncro, malware-type:RAT, file-type:MSI, file-type:ZIP, OneHub, Windows Babuk Ransomware Variant in Major New Attack (published: December 7, 2022) In November 2022, Morphisec researchers identified a new ransomware variant based on the Babuk source code that was leaked in 2021. One modification is lowering detection by abusing the legitimate Microsoft signed process: DLL side-loading into NTSD.exe — a Symbolic Debugger tool for Windows. The mechanism to remove the available Shadow Copies was changed to using Component Object Model objects that execute Windows Management Instrumentation queries. This sample was detected in a large, unnamed manufacturing company where attackers had network access and were gathering information for two weeks. They have compromised the company’s domain controller and used it to distribute ransomware to all devices within the organization through Group Policy Object. The delivered BAT script bypasses User Account Control and executes a malicious MSI file that contains files for DLL side-loading and an open-source-based reflective loader (OCS files). Analyst Comment: The attackers strive to improve their evasion techniques, their malware on certain steps hides behind Microsoft-signed processes and exists primarily in device memory. It increases the need for the defense-in-depth approach and robust monitoring of your organization domain. MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Abuse Elevation Control Mechanism - T1548 | [MITRE ATT&CK] Hijack Execution Flow - T1574 | Ransomware Malware Tool Threat Medical APT 38 ★★★
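The analyst comment on the MuddyWater item above (baseline the processes that normally run, then hunt for remote administration tools that fall outside that baseline) is easy to state and rarely shown as working logic. The block below is an added example, not code from Anomali, Deep Instinct or Morphisec: it builds a per-host process baseline from constructed process-creation events, then flags the remote administration tools the item names (RemoteUtilities, ScreenConnect, Atera Agent, Syncro) when they appear outside that baseline, plus an MSI installed from a user's Downloads folder, which is one way the "archived MSI files" delivery in the item could surface in logs. The key=value log format, the host names, and the process image names mapped to each RMM product are assumptions made for illustration, not facts taken from the page.

```python
"""Baseline-based hunt for uncommon remote administration (RMM) tools.

Added example, not code from Anomali, Deep Instinct or Morphisec. Every
log line below is constructed, and the field names and RMM image names are
assumptions for illustration.
"""
import math
import re
from collections import defaultdict

# Process image basenames for the RMM tools named in the MuddyWater item.
# ASSUMPTION: these basenames are illustrative, not taken from the page.
RMM_IMAGES = {
    "rutserv.exe": "RemoteUtilities",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "ateraagent.exe": "Atera Agent",
    "syncro.service.runner.exe": "Syncro",
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed process-creation events (key=value, quoted values may contain
# spaces). Four hosts; ws04 installs an RMM agent from an MSI in Downloads.
SAMPLE_LOG = r"""
ts=2022-12-08T09:00:01Z host=ws01 image=C:\Windows\explorer.exe parent=userinit.exe
ts=2022-12-08T09:00:05Z host=ws01 image=C:\Apps\outlook.exe parent=explorer.exe
ts=2022-12-08T09:00:09Z host=ws01 image=C:\Apps\chrome.exe parent=explorer.exe
ts=2022-12-08T09:01:01Z host=ws02 image=C:\Windows\explorer.exe parent=userinit.exe
ts=2022-12-08T09:01:05Z host=ws02 image=C:\Apps\outlook.exe parent=explorer.exe
ts=2022-12-08T09:01:09Z host=ws02 image=C:\Apps\chrome.exe parent=explorer.exe
ts=2022-12-08T09:02:01Z host=ws03 image=C:\Windows\explorer.exe parent=userinit.exe
ts=2022-12-08T09:02:05Z host=ws03 image=C:\Apps\outlook.exe parent=explorer.exe
ts=2022-12-08T09:02:09Z host=ws03 image=C:\Apps\7zFM.exe parent=explorer.exe
ts=2022-12-08T09:03:01Z host=ws04 image=C:\Windows\explorer.exe parent=userinit.exe
ts=2022-12-08T09:03:05Z host=ws04 image=C:\Apps\outlook.exe parent=explorer.exe
ts=2022-12-08T09:03:09Z host=ws04 image=C:\Apps\chrome.exe parent=explorer.exe
ts=2022-12-08T09:03:40Z host=ws04 image=C:\Windows\System32\msiexec.exe parent=explorer.exe cmdline="msiexec.exe /i C:\Users\jdoe\Downloads\invoice\Syncro-Agent.msi /qn"
ts=2022-12-08T09:03:55Z host=ws04 image=C:\Apps\Syncro\Syncro.Service.Runner.exe parent=services.exe
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
DOWNLOADS_MSI_RE = re.compile(r"\\downloads\\.*\.msi\b", re.IGNORECASE)


def parse_events(text):
    """Parse key=value lines into dicts; keep only lines with host and image."""
    events = []
    for line in text.strip().splitlines():
        fields = {k: (q if q else u) for k, q, u in FIELD_RE.findall(line)}
        if "host" in fields and "image" in fields:
            events.append(fields)
    return events


def basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_baseline(events, min_host_fraction=0.5):
    """Images seen on at least min_host_fraction of all hosts are 'normal'."""
    hosts_by_image = defaultdict(set)
    hosts = set()
    for ev in events:
        hosts.add(ev["host"])
        hosts_by_image[basename(ev["image"])].add(ev["host"])
    needed = max(1, math.ceil(len(hosts) * min_host_fraction))
    return {img for img, hs in hosts_by_image.items() if len(hs) >= needed}


def hunt(events, baseline):
    """Findings (host, image, severity, reason) for processes outside the baseline."""
    findings = []
    for ev in events:
        img = basename(ev["image"])
        if img in baseline:
            continue
        if img in RMM_IMAGES:
            findings.append((ev["host"], img, "high",
                             "RMM tool not in baseline: " + RMM_IMAGES[img]))
        elif img == "msiexec.exe" and DOWNLOADS_MSI_RE.search(ev.get("cmdline", "")):
            findings.append((ev["host"], img, "medium",
                             "MSI installed from a Downloads path"))
        else:
            findings.append((ev["host"], img, "low",
                             "process not seen on enough hosts"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[2]])
    return findings


def run():
    """Build the baseline from the sample and hunt over the same events."""
    events = parse_events(SAMPLE_LOG)
    return hunt(events, build_baseline(events))


if __name__ == "__main__":
    for host, img, sev, reason in run():
        print(f"{sev:6} {host} {img}: {reason}")
```

The baseline is deliberately computed from the same population it is applied to, which is how a first hunt usually starts; in practice you would build it from a clean period and persist it, and an RMM product your organization really uses would sit in the baseline and not fire. The point the analyst comment makes is that "legitimate" is a property of your environment, not of the binary's signature.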
The_Hackers_News.webp 2022-12-13 14:38:00 Cybersecurity Experts Uncover Inner Workings of Destructive Azov Ransomware (direct link) Cybersecurity researchers have published the inner workings of a new wiper called Azov Ransomware that's deliberately designed to corrupt data and "inflict impeccable damage" to compromised systems. Distributed through another malware loader known as SmokeLoader, the malware has been described as an "effective, fast, and unfortunately unrecoverable data wiper," by Israeli cybersecurity company Ransomware Malware ★★★
Last update at: 2024-07-05 18:07:27