What's new around the internet


Source | Date (GMT) | Title | Description | Tags | Notes
SecurityWeek | 2021-12-31 12:38:28 | A New Year Will Bring New Targets: What to Look for in 2022 | There's no way to put it nicely: cybercrime just continues to get worse as we become increasingly connected. 2020 was a banner year for ransomware – and by all accounts, it's almost certain that 2021 will top it. And as we move into 2022, not only do defenders need to put more scrutiny on the attack vectors they're already focused on, but now they will need to expand that view to new targets. | Ransomware
SecurityAffairs | 2021-12-30 11:28:19 | (Déjà vu) AvosLocker ransomware gang releases a free decryptor after an affiliate hit US gov agency | The AvosLocker ransomware operators released a free decryptor after they accidentally encrypted the systems of a US government entity. The AvosLocker ransomware operation provided a free decryptor after they encrypted the systems of a US government agency. According to BleepingComputer, the gang hit a police department but, fearing the reaction of US law enforcement, opted to […] | Ransomware
knowbe4 | 2021-12-29 16:01:00 | Conti Ransomware Affiliate Attacks Australian Utilities Giant's Corporate Network | While news reports indicate no impact to the utilities company's ability to deliver electricity to its customers, this could be the start of attacks on critical infrastructure in Australia. | Ransomware
Anomali | 2021-12-29 16:00:00 | Anomali Cyber Watch: Equation Group's Post-Exploitation Framework, Decentralized Finance (DeFi) Protocol Exploited, Third Log4j Vulnerability, and More | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Apache Log4j 2, APT, Malspam, Ngrok relay, Phishing, Sandbox evasion, Scam, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1: IOC Summary Charts, summarizing the IOCs attached to this issue and providing a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence. A Deep Dive into DoubleFeature, Equation Group's Post-Exploitation Dashboard (published: December 27, 2021): Check Point researchers have published their findings on the Equation Group's post-exploitation framework DanderSpritz, a major part of the "Lost in Translation" leak, with a focus on its DoubleFeature logging tool. DoubleFeature (like other Equation Group tools) employs several techniques to make forensic analysis difficult: function names are not passed explicitly but as a checksum of the name, and strings used in DoubleFeature are decrypted on demand per function and re-encrypted once the function completes. DoubleFeature also supports additional obfuscation methods, such as a simple substitution cipher and a stream cipher. In its information gathering, DoubleFeature can monitor multiple additional plugins, including the KillSuit (also known as KiSu and GrayFish) plugin that runs other plugins and provides a framework for persistence and evasion, the MistyVeal (MV) implant that verifies that the targeted system is indeed an authentic victim, the StraitBizarre (SBZ) cross-platform implant, and the UnitedRake remote access tool (UR, EquationDrug). Analyst Comment: It is important to study the Equation Group's frameworks because some of the leaked exploits were later seen being used by other threat actors. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. MITRE ATT&CK: [MITRE ATT&CK] Modify Registry - T1112; [MITRE ATT&CK] Rootkit - T1014; [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497; [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140. Story tags: Equation Group, DanderSpritz, DoubleFeature, Shadow Brokers, EquationDrug, UnitedRake, DiveBar, KillSuit, GrayFish, StraitBizarre, MistyVeal, PeddleCheap, DiceDealer, FlewAvenue, DuneMessiah, CritterFrenzy, Elby loader, BroughtHotShot, USA, Russia, APT. Dridex Affiliate Dresses Up as Scrooge (published: December 23, 2021): Days before Christmas, an unidentified Dridex affiliate is using malspam emails with extremely emotion-provoking lures. One malicious email purports that 80% of the company's employees have tested positive for Omicron, a variant of COVID-19; another claims that the recipient has just been terminated from his or her job. The attached malicious Microsoft Excel documents have two anti-sandbox features: they are password protected, and the macro doesn't run until a user interacts with a pop-up dialog. If the user makes the macro run, it will drop an .rtf f | Ransomware, Malware, Tool, Vulnerability, Threat, Conference, APT 35
bleepingcomputer | 2021-12-29 14:01:07 | (Déjà vu) Ransomware gang coughs up decryptor after realizing they hit the police | The AvosLocker ransomware operation provided a free decryptor after learning they encrypted a US government agency. [...] | Ransomware
bleepingcomputer | 2021-12-29 14:01:07 | AvosLocker ransomware gives free decryptor to US police dept | The AvosLocker ransomware operation provided a free decryptor after learning they encrypted a US government agency. [...] | Ransomware
SecurityAffairs | 2021-12-28 15:13:46 | Shutterfly hit by a Conti ransomware attack | Shutterfly, an online platform for photography and personalized products, has been affected by a ransomware attack. Shutterfly is an American photography, photography products, and image sharing company that owns multiple brands such as BorrowLenses, GrooveBook, Lifetouch, Shutterfly, Snapfish, Spoonflower, and Tiny Prints. The service allows users to create personalized photo gifts such as smartphone cases, photo books, wall art, and […] | Ransomware
cyberark | 2021-12-28 13:30:27 | 12 Cybersecurity Conversations Spanning Identity, Privilege and the Evolving Landscape | When this year comes to a close (which is just about a blink away now), cyber crime damages will have cost the world $6 trillion, and ransomware attacks rose 148% during the rush to adapt... | Ransomware
SecurityWeek | 2021-12-28 13:26:44 | State Workers to Be Paid on Time Despite Ransomware Attack | State workers in West Virginia will be paid on time this week despite a ransomware attack that affected a software provider that helps manage the state's payroll system. | Ransomware
SecurityWeek | 2021-12-28 11:51:50 | Shutterfly Says Ransomware Attack Impacted Manufacturing | Shutterfly, an online platform for photography and personalized products, has confirmed that some of its services have been affected by a ransomware attack. | Ransomware
SecurityAffairs | 2021-12-27 19:08:50 | A new wave of ech0raix ransomware attacks targets QNAP NAS devices | A new wave of ech0raix ransomware attacks is targeting QNAP network-attached storage (NAS) devices. The threat actors behind the ech0raix ransomware are targeting QNAP network-attached storage (NAS) devices. Users reported numerous compromises of their devices a few days before Christmas. According to BleepingComputer, forum users reported an intensification of the attacks since December 20, the […] | Ransomware, Threat
Fortinet | 2021-12-27 17:29:05 | Meet Rook Ransomware | FortiGuard Labs is aware of a recently reported ransomware, "Rook". According to a publicly available report, Rook appears to be based on the leaked Babuk ransomware source code. One of Rook's victims is a financial institution in Kazakhstan from which the ransomware gang stole more than 1,000 GB of data. Why is this significant? Rook is one of the recent ransomware gangs that joined the already crowded ransomware landscape. The ransomware reportedly infected a financial institution in Kazakhstan and stole more than 1,000 GB of data. What is Rook ransomware? Rook ransomware is reported to be based on the leaked Babuk source code and was first discovered in the wild at the end of November 2021. Files encrypted by Rook ransomware typically have the ".rook" file extension; the earlier version of Rook is said to have used the ".tower" extension instead. The ransomware leaves a ransom note in HowToRestoreYourFiles.txt, which instructs the victim to contact the Rook gang either through the gang's Tor website or by email. The ransom note warns the victim that the private key needed to decrypt the files will be destroyed if a security vendor or law enforcement agency joins the negotiation. How is Rook ransomware delivered? Rook ransomware is reported to have been delivered via Cobalt Strike or untrustworthy torrent downloads. What is the status of coverage? FortiGuard Labs provides the following AV coverage against Rook ransomware: W32/Filecoder_Sodinokibi.A!tr.ransom | Ransomware, Threat
SecurityWeek | 2021-12-27 14:37:09 | IT Services Firm Inetum Discloses Ransomware Attack | French IT services company Inetum Group revealed just before Christmas that it had fallen victim to a ransomware attack, but claimed that the impact on its operations was limited. | Ransomware
securityintelligence | 2021-12-27 14:00:00 | 2021 Manufacturing and Supply Chain Security Roundup | In 2020, ransomware actors demanded $17 million from a laptop maker and $34 million from a Taiwanese electronics contract company. The past two years have also delivered major disruptions for supply chains. The pandemic pushed supply chain attack issues front and center, with disruptions up 67% in 2020 and problems expected to persist as global markets adjust to the 'new […] | Ransomware
SecurityWeek | 2021-12-27 12:34:05 | Organizations Targeted With Babuk-Based Rook Ransomware | A piece of ransomware that emerged in late November has already claimed three victims, with the first of them hit less than a week after the malware was initially spotted. | Ransomware, Malware
bleepingcomputer | 2021-12-27 11:19:45 | QNAP NAS devices hit in surge of ech0raix ransomware attacks | Users of QNAP network-attached storage (NAS) devices are reporting attacks on their systems with the eCh0raix ransomware, also known as QNAPCrypt. [...] | Ransomware
bleepingcomputer | 2021-12-27 02:56:34 | Shutterfly services disrupted by Conti ransomware attack | Photography and personalized photo giant Shutterfly has suffered a Conti ransomware attack that allegedly encrypted thousands of devices and stole corporate data. [...] | Ransomware
SecurityAffairs | 2021-12-26 20:36:19 | French IT services provider Inetum hit by BlackCat ransomware attack | The IT services company Inetum Group was hit by a ransomware attack a few days before the Christmas holiday. French IT services company Inetum Group was hit by a ransomware attack a few days before the Christmas holiday, but according to the company the security breach had a limited impact on its operations. Inetum is […] | Ransomware
SecurityAffairs | 2021-12-26 14:17:13 | Security Affairs newsletter Round 346 | A new round of the weekly Security Affairs newsletter has arrived! Every week, the best security articles from Security Affairs, free in your inbox. If you also want to receive the free newsletter with the international press, subscribe here. New Rook Ransomware borrows code from Babuk; Omicron-themed phishing attacks spread Dridex and taunt […] | Ransomware
SecurityAffairs | 2021-12-25 19:11:34 | New Rook Ransomware borrows code from Babuk | The recently launched ransomware operation named Rook made headlines for its announcement claiming a desperate need for a lot of money. A new ransomware operation named Rook appeared in the threat landscape; it was first reported by researcher Zach Allen and caught the attention of experts for its blatant announcement claiming a desperate need to […] | Ransomware, Threat | ★★★★★
bleepingcomputer | 2021-12-24 16:34:18 | The Week in Ransomware - December 24th 2021 - No rest for the weary | The holiday season is here, but there is no rest for our weary admins as ransomware gangs are still conducting attacks over the Christmas and New Year breaks. [...] | Ransomware
itsecurityguru | 2021-12-24 11:32:34 | (Déjà vu) Unique cyber-attacks declined for the first time in 3 years | New data has found that unique cyber-attacks have declined for the first time since 2018. The research shows that in Q3 2021 there was a 4.8% decline in unique attacks, the first decline recorded since 2018. The researchers said that this reduction was mainly due to a decline in ransomware […] | Ransomware
bleepingcomputer | 2021-12-24 11:26:18 | Rook ransomware is yet another spawn of the leaked Babuk code | A new ransomware operation named Rook has appeared recently on the cyber-crime scene, declaring a desperate need to make "a lot of money" by breaching corporate networks and encrypting devices. [...] | Ransomware
bleepingcomputer | 2021-12-24 11:00:32 | Global IT services provider Inetum hit by ransomware attack | Less than a week before the Christmas holiday, French IT services company Inetum Group was hit by a ransomware attack that had a limited impact on the business and its customers. [...] | Ransomware
InfoSecurityMag | 2021-12-24 11:00:00 | Hellmann Warns Customers They Could Face Malicious Communications Following Attack | Hellmann confirmed that data was extracted from its systems during the ransomware attack earlier this month. | Ransomware
The_Hackers_News | 2021-12-24 03:32:57 | New Ransomware Variants Flourish Amid Law Enforcement Actions | Ransomware groups continue to evolve their tactics and techniques to deploy file-encrypting malware on compromised systems, notwithstanding law enforcement's disruptive actions against the cybercrime gangs to prevent them from victimizing additional companies. "Be it due to law enforcement, infighting amongst groups or people abandoning variants altogether, the RaaS [ransomware-as-a-service] | Ransomware, Malware
cybersecurityventures | 2021-12-23 21:43:15 | Hackable Infusion Pump, Ransomware Risks To Patients | Hospitals are sitting ducks for cyberattacks. David Braue, Melbourne, Australia, Dec. 23, 2021. Security researchers have long warned of the largely theoretical risks of security vulnerabilities in increasingly connected medical equipment, but McAfee's Advanced Threat Research (ATR) recently demonstrated that the risk has | Ransomware, Threat
SecurityAffairs | 2021-12-23 19:31:01 | AvosLocker ransomware reboots in Safe Mode and installs tools for remote access | In a recent wave of attacks, AvosLocker ransomware is rebooting systems into Windows Safe Mode to disable endpoint security solutions. Sophos experts monitoring AvosLocker ransomware attacks noticed that the malware is rebooting compromised systems into Windows Safe Mode to disable endpoint security solutions. Running the systems in Safe Mode allows the malware to encrypt […] | Ransomware, Malware
knowbe4 | 2021-12-23 16:38:50 | Canadian Government Urges Organizations to Take Additional Steps to Protect Against Ransomware Attacks | Citing upticks in attacks, Canada's Centre for Cyber Security asks organizations to step up protective measures, offering guidance and a playbook to improve security. | Ransomware
securityintelligence | 2021-12-23 14:00:00 | Ransomware Attackers' New Tactic: Double Extortion | Need another reason to defend against ransomware instead of ending up having to find a solution other than paying it? Double extortion may be it. So, what is double extortion? When did it start? With this tactic, ransomware actors steal a victim's data before their malware strain activates its encryption routine. They then have the […] | Ransomware, Malware
bleepingcomputer | 2021-12-23 12:47:14 | AvosLocker ransomware reboots in Safe Mode to bypass security tools | Recent AvosLocker ransomware attacks are characterized by a focus on disabling endpoint security solutions that stand in the way of threat actors. [...] | Ransomware, Threat
Kaspersky | 2021-12-22 18:39:08 | PYSA Emerges as Top Ransomware Actor in November | Overtaking the Conti ransomware gang, PYSA finds success with government-sector attacks. | Ransomware
SecurityAffairs | 2021-12-22 15:50:25 | PYSA ransomware gang is the most active group in November | PYSA and Lockbit were the most active ransomware gangs in the threat landscape in November 2021, researchers from NCC Group report. Security researchers from NCC Group reported an increase in ransomware attacks in November 2021 over the previous month, and PYSA (aka Mespinoza) and Lockbit were the most active ransomware gangs. Experts observed a 400% […] | Ransomware, Threat
TechRepublic | 2021-12-22 15:48:00 | Conti ransomware is exploiting the Log4Shell vulnerability to the tune of millions | Log4Shell is a dangerous security concern, and now Conti, a prominent ransomware group, is exploiting it to attack vulnerable servers and extort millions of dollars. | Ransomware, Vulnerability
SecurityWeek | 2021-12-22 15:27:14 | Virginia Still Working to Fix Issues After Ransomware Attack | The information technology agency that serves Virginia's legislature is still working to fix problems caused by a ransomware attack earlier this month, a state official said Tuesday. | Ransomware
itsecurityguru | 2021-12-22 15:23:05 | What's in store for cybersecurity in 2022? | As 2021 draws to an end, it's safe to say it was an eventful year from a cybersecurity perspective. Ransomware became the go-to for cybercriminal gangs and insecure databases still plagued organisations. So, what's on the horizon for 2022? More of the same, or will hackers turn their attention elsewhere? We asked some security experts […] | Ransomware
SecurityWeek | 2021-12-22 11:02:49 | PYSA Dominated the Ransomware Landscape in November: Report | PYSA and Lockbit were the dominant threats in the ransomware landscape in November 2021, UK-based risk mitigation company NCC Group reports. | Ransomware
bleepingcomputer | 2021-12-21 17:37:20 | PYSA ransomware behind most double extortion attacks in November | Security analysts from NCC Group report that ransomware attacks in November 2021 increased over the previous month, with double extortion continuing to be a powerful tool in threat actors' arsenal. [...] | Ransomware, Tool, Threat
Anomali | 2021-12-21 16:57:00 | Anomali Cyber Watch: 'PseudoManuscrypt' Mass Spyware Campaign Targets 35K Systems, APT31 Intrusion Set Campaign: Description, Countermeasures and Code, State-sponsored hackers abuse Slack API to steal | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT31, Magecart, Hancitor, Pakdoor, Lazarus, and Vulnerabilities (CVE-2021-21551). The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1: IOC Summary Charts, summarizing the IOCs attached to this issue and providing a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence. NSW Government Casual Recruiter Suffers Ransomware Hit (published: December 17, 2021): Finite Recruitment suffered a ransomware attack during October 2021, resulting in the exfiltration of some data. Their incident responders (IR) identified the ransomware as Conti, a fast-encrypting ransomware commonly attributed to the cybercriminal group Wizard Spider. The exfiltrated data was published on the dark web; however, the firm remains fully operational, and affected customers are being informed. Analyst Comment: Always check to see if there is a decryptor available for the ransomware before considering payment. Enforce a strong backup policy to ensure that data is recoverable in the event of encryption or loss. MITRE ATT&CK: [MITRE ATT&CK] Scheduled Transfer - T1029. Story tags: Conti, Wizard Spider, Ransomware, Banking and Finance. Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions (published: December 16, 2021): Check Point Research has uncovered a new variant of the Phorpiex botnet named Twizt. Historically, Phorpiex utilized sextortion, ransomware delivery, and cryptocurrency clipping. Twizt, however, appears to be primarily focused on stealing cryptocurrency and has stolen half a million dollars since November 2020 in the form of Bitcoin, Ether and ERC20 tokens. The botnet features a departure from its traditional command and control (C2) infrastructure, opting for peer-to-peer (P2P) communications between infected hosts, eliminating the need for C2 communication as each host can fulfill that role. Analyst Comment: Bots within a P2P network need to communicate regularly with other bots to receive and share commands. If the infected bots are on a private network, private IP addresses will be used. Therefore, careful monitoring of network traffic will reveal suspicious activity and a spike in network resource usage, as opposed to the detection of C2 IP addresses. MITRE ATT&CK: [MITRE ATT&CK] Data Encoding - T1132; [MITRE ATT&CK] File and Directory Discovery - T1083; [MITRE ATT&CK] Clipboard Data - T1115. Story tags: Phorpiex, Twizt, Russia, Banking and Finance, Cryptocurrency, Bitcoin. 'PseudoManuscrypt' Mass Spyware Campaign Targets 35K Systems (published: December 16, 2021): Kaspersky researchers have documented spyware that has targeted 195 countries as of December 2021. The spyware, named PseudoManuscrypt, was developed and deployed by Lazarus Group | Ransomware, Malware, Vulnerability, Threat, Guideline, Medical, APT 41, APT 38, APT 28, APT 31
InfoSecurityMag | 2021-12-21 14:45:00 | Ransomware Threat Just as Urgent as Terrorism, Say Two-Thirds of IT Pros | Over two-thirds of organizations experienced a ransomware attack over the past 12 months. | Ransomware, Threat
Cybereason | 2021-12-21 13:12:29 | History's Most Notorious Ransomware Gangs | In a recent study, titled Ransomware: The True Cost to Business, we found that the costs of ransomware have increased for organizations. We learned, for instance, that two-thirds of organizations experienced significant revenue loss following a ransomware attack. | Ransomware
SecurityWeek | 2021-12-21 10:46:37 | 5 Ways to Reduce the Risk of Ransomware to Your OT Network | In the last year and a half, we've seen an unprecedented increase in ransomware attacks on Operational Technology (OT) networks. While this surge is generating a lot of press coverage, it was something that experts within our industry have been anticipating for a while. | Ransomware
InfoSecurityMag | 2021-12-21 09:45:00 | British Council Struck by Two Ransomware Attacks in Five Years | The British Council suffered two successful ransomware attacks in the past five years, leading to 12 days of downtime. | Ransomware, Guideline
bleepingcomputer | 2021-12-21 08:06:10 | Windows 10 21H2 adds ransomware protection to security baseline | Microsoft has released the final version of the security configuration baseline settings for Windows 10, version 21H2, available today from the Microsoft Security Compliance Toolkit. [...] | Ransomware
SecurityAffairs | 2021-12-21 08:04:29 | Log4j Vulnerability Aftermath | Uptycs researchers have observed attacks related to miners, DDoS malware and some variants of ransomware actively leveraging the Log4Shell flaw in Log4j. Last week the Log4j vulnerability turned the internet upside down. The impact of the vulnerability is massive and attackers have started taking advantage of the flaw. So far we have observed attacks related to […] | Ransomware, Malware, Vulnerability
Kaspersky | 2021-12-20 22:11:30 | Conti Ransomware Gang Has Full Log4Shell Attack Chain | Conti has become the first professional-grade, sophisticated ransomware group to weaponize Log4j2, now with a full attack chain. | Ransomware
knowbe4 | 2021-12-20 20:13:47 | Double Extortion Ransomware Attacks That Publish Victim Data Increase 935% | According to new data, the number of victim companies impacted by double extortion jumped from 229 in the first half of 2020 to nearly 2,400 in the first half of 2021. | Ransomware
Blog | 2021-12-20 11:43:18 | GUEST ESSAY: Introducing 'killware' - malware designed to contaminate, disrupt critical services | Within the past year, we have seen a glut of ransomware attacks that made global news as they stymied the operations of many. In May, the infamous Colonial Pipeline ransomware attack disrupted nationwide fuel supply to most of the U.S. … | Ransomware, Malware | ★★★★★
The_Hackers_News | 2021-12-20 06:15:13 | How to see if cybersecurity of your organization is in check for the New Year | The last several years have seen an ever-increasing number of cyber-attacks, and while the frequency of such attacks has increased, so too has the resulting damage. One needs only to look at CISA's list of significant cyber incidents to appreciate the magnitude of the problem. In May of 2021, for example, a ransomware attack brought down the Colonial Pipeline, causing a serious fuel disruption | Ransomware
ComputerWeekly | 2021-12-20 05:00:00 | Top 10 ransomware and backup stories of 2021 | No details available. | Ransomware
Last update at: 2024-07-21 05:07:34