What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
SecurityWeek.webp 2022-03-03 14:49:28 Universities Should Prepare for Attacks (direct link) Universities have a long tradition of open learning and collaboration, where information is shared freely among students and researchers alike. In fact, universities played a key role in growing the internet from its early military roots to the global communication platform it has become. Unfortunately, in today's world, ransomware gangs and other bad actors have become a regular part of online life. Ransomware
ComputerWeekly.webp 2022-03-03 09:46:00 Boardroom does not see ransomware as a priority (direct link) No more details Ransomware
The_Hackers_News.webp 2022-03-03 02:21:52 Hackers Who Broke Into NVIDIA's Network Leak DLSS Source Code Online (direct link) American chipmaking company NVIDIA on Tuesday confirmed that its network was breached as a result of a cyber attack, enabling the perpetrators to gain access to sensitive data, including source code purportedly associated with its Deep Learning Super Sampling (DLSS) technology. "We have no evidence of ransomware being deployed on the NVIDIA environment or that this is related to the Ransomware
CrowdStrike.webp 2022-03-02 19:55:14 How a Strong Identity Protection Strategy Can Accelerate Your Cyber Insurance Initiatives (direct link) The growth in frequency and severity of cyberattacks has caused organizations to rethink their security strategies. Major recent security threats, such as high-profile ransomware attacks and the Log4Shell vulnerabilities disclosed in 2021, have led to a greater focus on identity protection as adversaries rely on valid credentials to move laterally across target networks. Cyber insurers […] Ransomware
Kaspersky.webp 2022-03-02 18:14:49 Conti Ransomware Decryptor, TrickBot Source Code Leaked (direct link) The decryptor spilled by ContiLeaks won't work with recent victims. Conti couldn't care less: It's still operating just fine. Still, the dump is a bouquet's worth of intel. Ransomware
Chercheur.webp 2022-03-02 17:49:52 Conti Ransomware Group Diaries, Part II: The Office (direct link) Earlier this week, a Ukrainian security researcher leaked almost two years' worth of internal chat logs from Conti, one of the more rapacious and ruthless ransomware gangs in operation today. Tuesday's story examined how Conti dealt with its own internal breaches and attacks from private security firms and governments. In Part II of this series we'll explore what it's like to work for Conti, as described by the Conti employees themselves. Ransomware
SecurityAffairs.webp 2022-03-02 15:36:17 (Déjà vu) NVIDIA discloses data breach after the recent ransomware attack (direct link) Chipmaker giant Nvidia confirmed a data breach after the recently disclosed security incident; proprietary information was stolen. The chipmaker giant Nvidia was recently the victim of a ransomware attack that impacted some of its systems for two days. The security breach is not connected to the ongoing crisis in Ukraine, according to a person familiar with the […] Ransomware Data Breach
Pirate.webp 2022-03-02 15:24:15 Conti group information leak: CyberArk Labs analyses the techniques and data revealed (direct link) The conflict in Ukraine is drawing considerable attention from the cybersecurity community, because of the attacks carried out against Ukrainian infrastructure and, more recently, the leak of information about the internal workings, including the tactics, techniques and procedures (TTPs), of the hacker group behind the Conti ransomware. The post Conti group information leak: CyberArk Labs analyses the techniques and data revealed first appeared on UnderNews. Ransomware
TechRepublic.webp 2022-03-02 13:15:21 Ransomware infections top list of the most common results of phishing attacks (direct link) Eighty-four percent of organizations were phishing victims last year, 59% of whom were hit with ransomware. Why, then, do less than a quarter of boards think ransomware is a top priority? Ransomware
SecurityWeek.webp 2022-03-02 12:42:50 Conti Ransomware Source Code Leaked (direct link) A hacker who claims to be Ukrainian has leaked the source code of the notorious Conti ransomware after the cybercrime gang expressed its support for Russia. Ransomware
itsecurityguru.webp 2022-03-02 11:07:11 Conti ransomware group suffers another leak (direct link) A Ukrainian researcher retaliating to Conti siding with Ukraine has dealt another devastating blow to the ransomware operation. More internal conversations have been leaked, alongside the source for their ransomware, administrative panels and more. The Ukrainian researcher, who uses the Twitter handle @ContiLeaks, leaked 393 JSON files containing over 60,000 internal messages on Sunday. The messages […] Ransomware
itsecurityguru.webp 2022-03-02 10:39:36 Hackers steal employee and internal data from Nvidia (direct link) Nvidia has admitted that employee and internal data was stolen in an apparent ransomware attack last week. The chip behemoth initially gave little away, announcing only that its “business and commercial activities continue uninterrupted” while the attack was investigated. A new statement provided more information: “Shortly after discovering the incident, we further hardened our network, […] Ransomware
SecurityAffairs.webp 2022-03-02 09:27:19 Ukrainian researcher leaked the source code of Conti Ransomware (direct link) A Ukrainian researcher leaked the source for the Conti ransomware and components for the control panels. Recently a Ukrainian researcher leaked 60,694 internal chat messages belonging to the Conti ransomware operation after the group announced its support for Russia. He was able to access the database of the Conti group's XMPP chat server. Clearly, the […] Ransomware
The_Hackers_News.webp 2022-03-02 02:29:17 LIVE Webinar: Key Lessons Learned from Major Cyberattacks in 2021 and What to Expect in 2022 (direct link) With the COVID-19 pandemic continuing to impact, and perhaps permanently changing, how we work, cybercriminals again leveraged the distraction in new waves of cyberattacks. Over the course of 2021 we saw an increase in multiple attack approaches; some old, some new. Phishing and ransomware continued to grow from previous years, as expected, while new attacks on supply chains and Ransomware
CrowdStrike.webp 2022-03-01 20:57:13 Decryptable PartyTicket Ransomware Reportedly Targeting Ukrainian Entities (direct link) Summary On Feb. 23, 2022, destructive attacks were conducted against Ukrainian entities. Industry reporting has claimed the Go-based ransomware dubbed PartyTicket (or HermeticRansom) was identified at several organizations affected by the attack, among other families including a sophisticated wiper CrowdStrike Intelligence tracks as DriveSlayer (HermeticWiper). Analysis of the PartyTicket ransomware indicates it superficially encrypts files […] Ransomware
Chercheur.webp 2022-03-01 20:50:30 Conti Ransomware Group Diaries, Part I: Evasion (direct link) A Ukrainian security researcher this week leaked several years of internal chat logs and other sensitive data tied to Conti, an aggressive and ruthless Russian cybercrime group that focuses on deploying its ransomware to companies with more than $100 million in annual revenue. The chat logs offer a fascinating glimpse into the challenges of running a sprawling criminal enterprise with more than 100 salaried employees. The records also provide insight into how Conti has dealt with its own internal breaches and attacks from private security firms and foreign governments. Ransomware
Anomali.webp 2022-03-01 16:01:00 Anomali Cyber Watch: Information-Stealing and Wiping Campaigns Target Ukraine, Electron Bot Is After Social Media Accounts, Attackers Poison Application and Library Repositories, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Iran, Russia, Spearphishing, Ukraine, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot (published: February 25, 2022) Researchers at Unit 42 identified an attack targeting an energy organization in Ukraine. Ukrainian CERT has attributed this attack to a threat group they track as UAC-0056. The targeted attack involved a spear phishing email sent to organization employees containing a malicious JavaScript file that would download and install a downloader known as SaintBot and a document stealer called OutSteel. Actors leverage Discord’s content delivery network (CDN) to host their payload. The goal of this attack was data collection on government organizations and companies involved with critical infrastructure. Analyst Comment: Administrators can block traffic to discordapp[.]com if their organization doesn’t have a current legitimate use of Discord. Implement attack surface reduction rules for Microsoft Office. Train users to recognize, safely process, and report potential spearphishing emails.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Modify Registry - T1112 Tags: Russia, Ukraine, OutSteal, SaintBot, UAC-0056, TA471, Lorec53, SaintBear, Ukraine-Russia Conflict 2022, Operation Bleeding Bear Disruptive HermeticWiper Attacks Targeting Ukrainian Organizations (published: February 25, 2022) Researchers at Secureworks have identified and investigated reports of Ukrainian government and financial organizations being impacted by distributed denial of service and wiper attacks. Between 15 and 23 Feb there was intermittent loss of access to a large number of government websites belonging to the Ukrainian Ministry of Foreign Affairs, Ministry of Defense, Security Service, Ministry of Internal Affairs, and Cabinet of Ministers, as well as to PrivatBank and Oschadbank. Along with this, the threat actors also targeted some government and financial organizations in Ukraine to deploy a novel wiper dubbed ‘HermeticWiper’ which abuses a legitimate and signed EaseUS partition management driver. In other attacks targeting Ukraine, researchers also observed 13 Ukrainian government websites defaced and Tor forums listing data on Ukrainian citizens for sale. Analyst Comment: Organizations exposed to the war between Russia and Ukraine should be on high alert regarding the ongoing cyberattacks. Implement a defense-in-depth approach including patch management, anti-phishing training, disaster recovery plans, and backing up your information and systems. MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485 | Ransomware Malware Tool Vulnerability Threat ★★★★
SecurityWeek.webp 2022-03-01 15:35:11 Cyberattacks in Ukraine: New Worm-Spreading Data-Wiper With Ransomware Smokescreen (direct link) Cybersecurity researchers tracking destructive data-wiping malware attacks in Ukraine are finding signs of new malware with worm-spreading capabilities and what appears to be a rudimentary ransomware decoy. Ransomware Malware
SecurityWeek.webp 2022-03-01 14:30:26 Three Ways to Defeat Ransomware (direct link) Ransomware is very difficult to stop, mostly because the attackers are adept at locking up a network long before anybody in an organization even sees a ransom note. In many attacks, the malware combines an encryption payload with automated propagation. Ransomware Malware
Cybereason.webp 2022-03-01 13:37:07 Cybereason vs. BlackCat Ransomware (direct link) Since its first emergence in November 2021, the Cybereason Nocturnus team has been tracking the BlackCat Ransomware (aka ALPHV), which has been called “2021's most sophisticated ransomware” Ransomware
SecureList.webp 2022-03-01 13:30:06 Elections GoRansom – a smoke screen for the HermeticWiper attack (direct link) We present our analysis of HermeticRansom (aka Elections GoRansom) ransomware that was likely used as a smokescreen for the HermeticWiper attack. Ransomware
no_ico.webp 2022-03-01 12:54:37 What Caused The Ransomware Attack On Toyota? Experts Insight (direct link) Toyota, the world's largest carmaker, has halted production at all of its plants in Japan after a ransomware attack on a key supplier. This marks another major enterprise casualty as hackers continue to see rising success with ransomware attacks. Ransomware
Chercheur.webp 2022-03-01 12:06:30 Decrypting Hive Ransomware Data (direct link) Nice piece of research: Abstract: Among the many types of malicious codes, ransomware poses a major threat. Ransomware encrypts data and demands a ransom in exchange for decryption. As data recovery is impossible if the encryption key is not obtained, some companies suffer from considerable damage, such as the payment of huge amounts of money or the loss of important data. In this paper, we analyzed Hive ransomware, which appeared in June 2021. Hive ransomware has caused immense harm, leading the FBI to issue an alert about it. To minimize the damage caused by Hive Ransomware and to help victims recover their files, we analyzed Hive Ransomware and studied recovery methods. By analyzing the encryption process of Hive ransomware, we confirmed that vulnerabilities exist by using their own encryption algorithm. We have recovered the master key for generating the file encryption key partially, to enable the decryption of data encrypted by Hive ransomware. We recovered 95% of the master key without the attacker’s RSA private key and decrypted the actual infected data. To the best of our knowledge, this is the first successful attempt at decrypting Hive ransomware. It is expected that our method can be used to reduce the damage caused by Hive ransomware... Ransomware Guideline
itsecurityguru.webp 2022-03-01 10:39:18 Toyota hit with ransomware attack, stops production (direct link) Toyota, the world's largest car maker, has stopped production at all of its plants in Japan following a ransomware attack, reports suggest. Toyota announced it would suspend 28 production lines at 14 factories on Tuesday, planning to resume on Wednesday, according to Nikkei. The report claimed that the cyberattack targeted Kojima Industries, a plastic parts […] Ransomware
InfoSecurityMag.webp 2022-03-01 09:32:00 Toyota Halts Production Across Japan After Ransomware Attack (direct link) Outage hit key supplier, forcing carmaker to pull the plug Ransomware
The_Hackers_News.webp 2022-03-01 06:03:02 Conti Ransomware Gang's Internal Chats Leaked Online After Siding With Russia (direct link) Days after the Conti ransomware group broadcasted a pro-Russian message pledging its allegiance to Vladimir Putin's ongoing invasion of Ukraine, a disgruntled member of the cartel has leaked the syndicate's internal chats. The file dump, published by malware research group VX-Underground, is said to contain 13 months of chat logs between affiliates and administrators of the Russia-affiliated Ransomware Malware
zataz.webp 2022-02-28 23:41:07 Operation French Shield (direct link) Internal war between the pro-Russian and pro-Ukrainian hackers of the CONTI ransomware group. And in the middle of it, ZATAZ found a Frenchman offering his services as an official ransom negotiator for French companies and institutions!... Ransomware
Kaspersky.webp 2022-02-28 21:00:32 Ukraine-Russia Cyber Warzone Splits Cyber Underground (direct link) A pro-Ukraine Conti member spilled 13 months of the ransomware group's chats, while cyber actors are rushing to align with both sides. Ransomware
Pirate.webp 2022-02-28 15:03:53 Malware: protecting your data against "double extortion" (direct link) Ransomware is well known on corporate networks because it poses enormous risks and often requires major, costly recovery efforts. Successful ransomware attacks can lead to locked systems, identity theft and data held hostage, all of which can sow chaos in the targeted organizations. The post Malware: protecting your data against "double extortion" first appeared on UnderNews. Ransomware
SecurityAffairs.webp 2022-02-28 14:35:52 Researcher leaked Conti's internal chat messages in response to its support for Russia (direct link) A Ukrainian researcher leaked tens of thousands of internal chat messages belonging to the Conti ransomware operation. A Ukrainian researcher leaked 60,694 internal chat messages belonging to the Conti ransomware operation after the group announced its support for Russia. Researchers from cybersecurity firm Hold Security confirmed that the researcher was able to access […] Ransomware
SecurityWeek.webp 2022-02-28 14:06:24 Conti Chats Leaked After Ransomware Gang Expresses Support for Russia (direct link) Hundreds of files storing tens of thousands of messages exchanged between Conti ransomware operators have been leaked online after the cybercrime group expressed support for Russia as it launched an invasion of Ukraine last week. Ransomware
InfoSecurityMag.webp 2022-02-28 10:38:00 Nvidia Appears to Brush Off Ransomware Attack (direct link) Online chatter suggests chip giant “hacked back” at its attacker Ransomware
Fortinet.webp 2022-02-27 22:30:37 Previously Unseen Backdoor Bvp47 Potentially Victimized Global Targets (direct link) FortiGuard Labs is aware of a report by Pangu Lab that a new Linux backdoor malware that reportedly belongs to the Equation group was used to potentially compromise more than 200 organizations across over 40 countries around the globe. The Equation group is regarded as one of the most highly skilled threat actors, which some speculate has close connections with the National Security Agency (NSA). The threat actor is also reported to have been tied to the Stuxnet malware that was used in the 2010 cyber attack on a nuclear centrifuge facility in Iran.
Why is this Significant? Bvp47 is a previously undiscovered backdoor malware that was reportedly used in cyber attacks carried out by the Equation group. According to the report and information available in the documents that presumably leaked from the Equation group, over 200 organizations spread across more than 40 countries may have been infected with the Bvp47 malware. The Bvp47 file called out in the report was first submitted to VirusTotal in late 2013, which indicates that Bvp47 was used and undiscovered for close to a decade.
How was the Connection between the Bvp47 malware and the Equation Group Established? Pangu Lab concluded that Bvp47 belongs to the Equation group because one of the folders included in the documents leaked by the Shadow Brokers in 2017 contained an RSA private key required by Bvp47 for its command execution and other operations.
Who are the Shadow Brokers? The Shadow Brokers is a threat actor who claimed to have stolen highly classified information from the Equation group in 2016. The stolen information includes zero-day exploits, operation manuals and descriptions of tools used by the Equation group. The Shadow Brokers then attempted to sell the information to the highest bidder. After the auction attempt failed and no one purchased the information, the threat actor released it to the public. One of the most famous exploits included in the leaked documents is EternalBlue. Within a few weeks of the leak, EternalBlue was incorporated in the WannaCry ransomware, which caused global panic in 2017.
What are the Characteristics of Bvp47? Bvp47 is a Linux backdoor that performs actions upon receiving commands from Command and Control (C2) servers. Because the Bvp47 framework incorporates components such as "dewdrops" and "solutionchar_agents" that are included in the Shadow Brokers leaks, the backdoor targets mainstream Linux distributions, FreeBSD, Solaris as well as JunOS. Bvp47 also runs various environment checks. If the requirements are not met, the malware deletes itself.
What is the Status of Coverage? FortiGuard Labs provides the following AV coverage against Bvp47: ELF/Agent.16DC!tr Ransomware Malware Threat Wannacry
SecurityAffairs.webp 2022-02-27 09:45:09 Chipmaker giant Nvidia hit by a ransomware attack (direct link) The chipmaker giant Nvidia was the victim of a ransomware attack that took down some of its systems for two days. The chipmaker giant Nvidia was the victim of a ransomware attack that impacted some of its systems for two days. The security breach is not connected to the ongoing crisis in Ukraine, according to a […] Ransomware
SecurityWeek.webp 2022-02-27 00:55:01 Attacks From Within Seen as a Growing Threat to Elections (direct link) Election officials preparing for this year's midterms have yet another security concern to add to an already long list that includes death threats, disinformation, ransomware and cyberattacks - threats from within. Ransomware Threat ★★★
Anomali.webp 2022-02-26 01:25:00 Prevent Ransomware with New Capabilities from Anomali (direct link) In these uncertain times, ransomware attacks are only increasing, and Anomali is highly focused on helping CIOs and CISOs of enterprise businesses across the globe along with our federal government and other government agencies. This is an infinite journey against the bad guys, and we must all work together with all hands on deck. Today, organizations employ defense in depth strategies to stop attacks. And while siloed security control points are effective at stopping most attacks before infection, the challenge is to stop ransomware attacks that typically evade protection. With The Anomali Platform, your XDR solution, you correlate globally identified ransomware attacks with your security telemetry (including public clouds), to discover the threats that are not detected by others. This enables you to proactively detect and respond, and ultimately reduce the risk of falling victim to ransomware attacks. Here is how we can help you and the ecosystem: Global Situational Awareness. Even before you are hit, a CISO must have the global situational awareness needed to understand the prevalence of these threats in the wild and the impact of these threat actors on your business, industry, and geography. The Anomali Platform attack trending dashboards provide security professionals the vital information you need to assess the threat of an impending attack. Stop The Initial Access. With a precision detection solution like The Anomali Platform, you can detect any malware. In the case of ransomware, this includes the ability to identify the first spear phishing access attempt by correlating messaging security telemetry together with all globally identified malicious links. Additionally, with an integrated sandbox capability, you can automate the inspection of suspicious emails through safe detonation and identification of attack indicators.
Once identified, The Anomali Platform provides an analyst with the ability to review an attack and then respond by automatically updating security controls to block further infection. Stop the Attack. Precision detection provided by The Anomali Platform enables you to detect any ransomware in your environment on the first infected endpoint and to then automatically update endpoint security policies to block future threats. Because of our proprietary technology, you can correlate all endpoint telemetry including public clouds with the largest repository of global intelligence. The Anomali Platform has recently proven to catch Emotet attacks beyond what’s currently available in the ecosystem of security software. Stop the Communication. The Anomali Platform machine learning Domain Generation Algorithm (DGA) capability allows an analyst to quickly identify suspicious command and control connections associated with ransomware and all its variants. Additionally, C2 communication is easily detected by correlating all network traffic flow with global intelligence to return an accurate verdict. Using The Anomali Platform, an analyst can update perimeter and cloud security policies to block this communication. Stop the payload. At this point in the ransomware attack, an analyst will have enough correlated intelligence on the threat actor and the attack pattern to predict what is going to happen next. An analyst can use The Anomali Platform to predict the inevitable next stage of a multi-stage ransomware attack. Once again, the analyst can easily automate the response by disseminating high-fidelity indicators to security controls, protecting the organization from ransomware and all its variants.
The Anomali Platform, our XDR solution, is a big data security offering that correlates all your organization’s telemetry (including public clouds) together with the largest repository of global threat intelligence, providing you with the power to detect and respond to ransomware at all stages of the attack. We are focused on dif Ransomware Threat
SecurityAffairs.webp 2022-02-25 20:33:55 Ukraine calls on independent hackers to defend against Russia, Russian underground responds (direct link) While Ukraine calls for the hacker underground to defend against Russia, ransomware gangs make their moves. Ukraine’s government is asking for volunteers from the hacker underground to provide their support in protecting critical infrastructure and to carry out offensive operations against Russian state-sponsored hackers, reported Reuters, which cited two experts involved in the project. The call […] Ransomware
Kaspersky.webp 2022-02-25 19:46:57 Microsoft Exchange Bugs Exploited by 'Cuba' Ransomware Gang (direct link) The ransomware gang known as Cuba is increasingly shifting to exploiting Exchange bugs – including crooks' favorites, ProxyShell and ProxyLogon – as initial infection vectors. Ransomware
InfoSecurityMag.webp 2022-02-25 10:30:00 Massive Ransomware Attack Could Cost Irish Health Exec €100m (direct link) Costs have already topped €40m Ransomware
Kaspersky.webp 2022-02-24 21:11:33 (Déjà vu) The Harsh Truths of Cybersecurity in 2022, Part II (direct link) Sonya Duffin, ransomware and data-protection expert at Veritas Technologies, shares three steps organizations can take today to reduce cyberattack fallout. Ransomware
SecurityAffairs.webp 2022-02-24 19:28:49 Data wiper attacks on Ukraine were planned at least as far back as November and used ransomware as decoy (direct link) Experts reported that the wiper attacks that yesterday hit hundreds of systems in Ukraine used a GoLang-based ransomware decoy. Yesterday, researchers from cybersecurity firms ESET and Broadcom's Symantec discovered a new data wiper malware that was employed in a recent wave of attacks that hit hundreds of machines in Ukraine. A tweet from ESET revealed that the company's telemetry shows […] Ransomware Malware
SecurityAffairs.webp 2022-02-24 15:55:50 (Déjà vu) Deadbolt Ransomware targets Asustor and QNAP NAS Devices (direct link) Deadbolt ransomware operators are targeting Asustor NAS (network-attached storage) appliances. Storage solutions provider Asustor is warning its customers of a wave of Deadbolt ransomware attacks targeting its NAS devices. Since January, DeadBolt ransomware operators have been targeting QNAP NAS devices worldwide; its operators claim the availability of a zero-day exploit that allows them to encrypt the […] Ransomware
SecurityWeek.webp 2022-02-24 14:24:39 Deadbolt Ransomware Targeting Asustor NAS Devices (direct link) Storage solutions provider Asustor this week issued a warning to alert users of Deadbolt ransomware attacks targeting its network-attached storage (NAS) appliances. Ransomware
ComputerWeekly.webp 2022-02-24 09:45:00 Researchers link Dridex botnet to emergent Entropy ransomware (direct link) No more details Ransomware ★★
The_Hackers_News.webp 2022-02-24 04:34:53 Warning - Deadbolt Ransomware Targeting ASUSTOR NAS Devices (direct link) ASUSTOR network-attached storage (NAS) devices have become the latest victim of Deadbolt ransomware, less than a month after similar attacks singled out QNAP NAS appliances. In response to the infections, the company has released firmware updates (ADM 4.0.4.RQO2) to "fix related security issues." The company is also urging users to take the following actions to keep data secure – Ransomware
Anomali.webp 2022-02-23 18:46:00 Anomali Cyber Watch: EvilPlayout: Attack Against Iran's State Broadcaster, Microsoft Teams Targeted With Takeover Trojans, 'Ice phishing' on the blockchain and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Emotet, Ice Phishing, Iran, Trickbot and Zoho. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence EvilPlayout: Attack Against Iran’s State Broadcaster (published: February 18, 2022) Checkpoint researchers have released an article detailing their findings regarding a wave of cyber attacks directed at Iranian broadcast infrastructure during late January 2022. IRIB, an Iranian state broadcaster, was compromised, with malicious executables and wipers being responsible for the attack. Said malware had multiple functions, including hijacking of several TV stations to play recordings of political opposition leaders demanding the assassination of Iran’s supreme leader. Additional functionality includes custom backdoors, screenshot capability and several bash scripts to download other malicious executables. The malware appears new, with no previous appearances, nor has there been any actor attribution as of the date of publication. Analyst Comment: Utilize all telemetry and feed it into a SIEM to help identify malicious activity within your network. Anomali Match can collide this telemetry against global intelligence to assist in identifying malicious indicators within your network. A defense in depth approach will also mitigate the damage any compromises can do to your infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] Screen Capture - T1113 Tags: Iran, IRIB, Ava, Telewebion Microsoft Teams Targeted With Takeover Trojans (published: February 17, 2022) Researchers at Avanan have documented a new phishing technique that threat actors are using that abuses the trust users of Microsoft Teams have for the platform to deliver malware. Threat actors send phishing links to victims which initiate a chat on the platform, after which they will post a link to a DLL file within the chat box. When clicked, it will install a trojan of choice on the target machine. With over 279 million users, this presents a new attack vector for threat actors to abuse. Analyst Comment: Never click on a link or open attachments from untrusted senders when receiving email. Be skeptical of strangers attempting to move a conversation to another platform, even if you use that platform. Be wary of links posted in apps that are used for communication, as links posted on trusted platforms are not trustworthy in themselves. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Trusted Relationship - T1199 Tags: Microsoft Teams, trojan, phishing Red Cross: State Hackers Breached our Network Using Zoho bug (published: February 16, 2022) The International Committee of the Red Cross (ICRC) suffered a data breach during January 2022. The incident led to the exfiltration of over 515,000 individuals' PII, linked to their Restoring Family Links pro Ransomware Data Breach Malware Tool Vulnerability Threat Guideline
InfoSecurityMag.webp 2022-02-23 16:51:00 US Receives Ransomware Warning (direct link) FBI official tells America to brace for cyber-attacks after US announces new sanctions against Russia Ransomware
SecurityAffairs.webp 2022-02-23 15:57:05 Sophos linked Entropy ransomware to Dridex malware. Are both linked to Evil Corp? (direct link) The code of the recently-emerged Entropy ransomware has similarities with that of the infamous Dridex malware. The recently-emerged Entropy ransomware has code similarities with the popular Dridex malware. Experts from Sophos analyzed the code of Entropy ransomware employed in two distinct attacks. “A pair of incidents at different organizations in which attackers deployed a […] Ransomware
Mandiant.webp 2022-02-23 15:00:00 (Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware (direct link) In 2021, Mandiant observed some threat actors deploying ransomware increasingly shift to exploiting vulnerabilities as an initial infection vector. UNC2596, a threat actor that deploys COLDDRAW ransomware, publicly known as Cuba Ransomware, exemplifies this trend. While public reporting has highlighted CHANITOR campaigns as a precursor for these ransomware incidents, Mandiant has also identified the exploitation of Microsoft Exchange vulnerabilities, including ProxyShell and ProxyLogon, as another access point leveraged by UNC2596 likely as early as August 2021. The content of this blog focuses Ransomware Vulnerability Threat ★★★
Kaspersky.webp 2022-02-23 14:00:22 Creaky Old WannaCry, GandCrab Top the Ransomware Scene (direct link) Nothing like zombie campaigns: WannaCry's old as dirt, and GandCrab threw in the towel years ago. They're on auto-pilot at this point, researchers say. Ransomware Wannacry
Last update at: 2024-07-16 13:08:34