What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
Kaspersky 2022-06-21 12:34:43 Office 365 Config Loophole Opens OneDrive, SharePoint Data to Ransomware Attack (direct link) A reported "potentially dangerous piece of functionality" allows an attacker to launch an attack on cloud infrastructure and ransom files stored in SharePoint and OneDrive. Ransomware
ComputerWeekly 2022-06-21 06:01:00 CNI leaders' attitude to ransomware lackadaisical at best (direct link) No details Ransomware
2022-06-21 03:59:59 Avos ransomware group expands with new attack arsenal (direct link) By Flavio Costa, Chris Neal and Guilherme Venere. In a recent customer engagement, we observed a month-long AvosLocker campaign. The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners. The initial ingress point in this incident was... Ransomware
The_Hackers_News 2022-06-21 03:34:27 Mitigate Ransomware in a Remote-First World (direct link) Ransomware has been a thorn in the side of cybersecurity teams for years. With the move to remote and hybrid work, this insidious threat has become even more of a challenge for organizations everywhere. 2021 was a case study in ransomware due to the wide variety of attacks, significant financial and economic impact, and diverse ways that organizations responded. These attacks should be seen as a Ransomware Threat
knowbe4 2022-06-20 14:10:51 Less Than 40% of Asia-Pacific Organizations Are Confident to Stop Cyber Threats as 83% Experience At Least One Ransomware Attack a Year (direct link) Ransomware Threat
SecurityWeek 2022-06-20 12:05:13 QNAP Appliances Targeted in New DeadBolt, eCh0raix Ransomware Campaigns (direct link) Network-attached storage (NAS) devices made by QNAP are being targeted in new attack campaigns involving DeadBolt and eCh0raix ransomware. Ransomware
Blog 2022-06-20 11:58:52 RSAC insights: How IABs - initial access brokers - help sustain, accelerate the ransomware plague (direct link) Specialization continues to advance apace in the cybercriminal ecosystem. Related: How cybercriminals leverage digital transformation. Initial access brokers, or IABs, are the latest specialists on the scene. IABs flashed to prominence on the heels of gaping vulnerabilities getting discovered … Ransomware
InfoSecurityMag 2022-06-20 11:15:00 QNAP Customers Hit by Double Ransomware Blitz (direct link) Taiwanese manufacturer braced for twin threat Ransomware
SecurityWeek 2022-06-20 11:13:47 ALPHV Ransomware Operators Pressure Victim With Dedicated Leak Site (direct link) Cybercriminals who are using the ALPHV ransomware created a dedicated leak website in an apparent attempt to pressure one of their victims into paying the ransom. Ransomware
The_Hackers_News 2022-06-20 05:34:58 Do You Have Ransomware Insurance? Look at the Fine Print (direct link) Insurance exists to protect the insured party against catastrophe, but the insurer needs protection so that its policies are not abused – and that's where the fine print comes in. However, in the case of ransomware insurance, the fine print is becoming contentious and arguably undermining the usefulness of ransomware insurance. In this article, we'll outline why, particularly given the current Ransomware
SecurityAffairs 2022-06-19 07:00:00 Experts warn of a new eCh0raix ransomware campaign targeting QNAP NAS (direct link) Experts warn of a new ech0raix ransomware campaign targeting QNAP Network Attached Storage (NAS) devices. Bleeping Computer and MalwareHunterTeam researchers, citing user reports and sample submissions on the ID Ransomware platform, warn of a new wave of ech0raix ransomware attacks targeting QNAP Network Attached Storage (NAS) devices. The ransomware, tracked by Intezer as “QNAPCrypt” and by Anomali as “eCh0raix”, is […] Ransomware
bleepingcomputer 2022-06-18 13:06:03 QNAP NAS devices targeted by surge of eCh0raix ransomware attacks (direct link) This week a new series of ech0raix ransomware attacks has started targeting vulnerable QNAP Network Attached Storage (NAS) devices, according to user reports and sample submissions on the ID-Ransomware platform. [...] Ransomware ★★★★
News 2022-06-18 00:48:00 DeadBolt ransomware takes another shot at QNAP storage (direct link) Keep boxes updated and protected to avoid a NAS-ty shock. QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.… Ransomware
The_Hackers_News 2022-06-17 20:11:14 Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners (direct link) A recently patched critical security flaw in Atlassian Confluence Server and Data Center products is being actively weaponized in real-world attacks to drop cryptocurrency miners and ransomware payloads. In at least two of the Windows-related incidents observed by cybersecurity vendor Sophos, adversaries exploited the vulnerability to deliver Cerber ransomware and a crypto miner called z0miner Ransomware Vulnerability
DarkReading 2022-06-17 18:30:00 Atlassian Confluence Server Bug Under Active Attack to Distribute Ransomware (direct link) Most of the attacks involve the use of automated exploits, security vendor says. Ransomware
bleepingcomputer 2022-06-17 17:11:05 The Week in Ransomware - June 17th 2022 - Have I Been Ransomed? (direct link) Ransomware operations are constantly evolving their tactics to pressure victims to pay. For example, this week, we saw a new extortion tactic come into play with the creation of dedicated websites to extort victims with searchable data. [...] Ransomware
no_ico 2022-06-17 15:06:57 (Déjà vu) Dangerous Microsoft Office 365 Functionality That Can Store Ransom Files On SharePoint And OneDrive (direct link) Proofpoint has discovered a potentially dangerous piece of functionality in Office 365 or Microsoft 365 that allows ransomware to encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker. The research focused on two of the most popular enterprise cloud apps – […] Ransomware
grahamcluley 2022-06-17 14:22:52 QNAP warns of new DeadBolt ransomware attack locking up NAS devices (direct link) Owners of NAS drives manufactured by QNAP have been advised that the company is "thoroughly investigating" reports that a new variant of the DeadBolt ransomware is targeting devices, locking up data and demanding victims pay a fee to extortionists. Read more in my article on the Hot for Security blog. Ransomware
Checkpoint 2022-06-17 11:00:31 The Cybersecurity Consolidation Conundrum: Why Less is Sometimes More (direct link) While employees and organizations are busy settling into remote or hybrid working, cybersecurity professionals continue to grapple with the challenges that come with a rapidly expanding network perimeter. And with every new ransomware attack that hits the headlines, it would be fair to assume that adding more security products or vendors would make a company… Ransomware
SecurityWeek 2022-06-17 10:27:04 Costa Rica Chaos a Warning That Ransomware Threat Remains (direct link) Teachers unable to get paychecks. Tax and customs systems paralyzed. Health officials unable to access medical records or track the spread of COVID-19. A country's president declaring war against foreign hackers saying they want to overthrow the government. Ransomware Threat
AlienVault 2022-06-17 08:06:00 New in Cybersecurity - Insights, threat trends, & RSA learnings (direct link) AT&T Business’ most recent #BizTalks Twitter Chat—What’s New in Cybersecurity—Insights, Threat Trends, & RSA Learnings—explored many emerging concepts in the cybersecurity industry. [Optional sentence: Our very own Tawnya Lancaster, AT&T Cybersecurity’s threat intelligence and trends Research lead, did a takeover of the @ATTBusiness Twitter handle to provide her point of view.] Head to the @ATTBusiness Twitter page—go.att.com/twchat—to see the full chat and learn more. It was an interesting conversation with diverse opinions. Here are some of the highlights.
Adversary tactics: The top question in terms of engagement was this one, and it drew lots of interesting perspectives:
A3: Human weakness remains the Achilles Heel of #cybersecurity. And human stupidity is not going to change any time soon. We are gullible creatures. #cybersecurity #biztalks #ATTinfluencer — Joseph Steinberg (@JosephSteinberg) June 15, 2022
A3.a: Rapidly evolving IoT malware & compromised personal devices as entry points into networks are trends. This shows an accelerated threat of home networks becoming entry points into corporate networks which has been an issue since 2020. #BizTalks #Cybersecurity #ATTInfluencer pic.twitter.com/1xoSZ304j7 — Tyler Cohen Wood (@TylerCohenWood) June 15, 2022
Ransomware is not new but is trending again because criminal hackers can easily get paid in crypto currencies. Also, many of those attacks are hybrid in nature, being automated and augmented with machine learning algorithms. #Cybersecurity, #BizTalks, #ATTInfluencer — Chuck Brooks (@ChuckDBrooks) June 15, 2022
A3… This fact has proven especially problematic during the COVID-19 pandemic and will remain so in the post-pandemic era as remote working has made it easier to carry out successful social engineering campaigns... #cybersecurity #biztalks #ATTinfluencer — Joseph Steinberg (@JosephSteinberg) June 15, 2022 Ransomware Malware Threat Guideline
CSO 2022-06-17 07:52:00 BrandPost: Is Stopping a Ransomware Attack More Important than Preventing One? (direct link) The sophistication and frequency of ransomware attacks is growing. According to Akamai CTO Robert Blumofe, ransomware has become “a repeatable, scalable, money-making business model that has completely changed the cyberattack landscape.” Conti, for example, the cybercrime giant that operates much like the businesses it targets – with an HR department and employee of the month – not only aims to make money but to carry out politically motivated attacks. (Learn more in our Ransomware Threat Report H1 2022.) Ransomware Threat
Pirate 2022-06-17 07:00:37 SharePoint and OneDrive vulnerabilities – new cloud infrastructures as ransomware targets (direct link) Research conducted by Proofpoint, a leading cybersecurity and compliance company, shows that ransomware actors can now launch attacks against organizations' cloud infrastructure. Tribune – The researchers focused on two of the most popular enterprise cloud applications – SharePoint Online and OneDrive – and discovered a […] The post SharePoint and OneDrive vulnerabilities – new cloud infrastructures as ransomware targets first appeared on UnderNews. Ransomware Guideline
bleepingcomputer 2022-06-17 05:52:36 QNAP 'thoroughly investigating' new DeadBolt ransomware attacks (direct link) Network-attached storage (NAS) vendor QNAP once again warned customers on Friday to secure their devices against a new campaign of attacks pushing DeadBolt ransomware. [...] Ransomware
SecurityAffairs 2022-06-16 21:53:40 BlackCat Ransomware affiliates target unpatched Microsoft Exchange servers (direct link) The BlackCat ransomware gang is targeting unpatched Exchange servers to compromise target networks, Microsoft warns. Microsoft researchers have observed the BlackCat ransomware gang targeting unpatched Exchange servers to compromise organizations worldwide. The compromise of Exchange servers allows threat actors to access the target networks, perform internal reconnaissance and lateral movement activities, and steal sensitive documents before encrypting them. “For example, […] Ransomware Threat
Fortinet 2022-06-16 21:35:48 Ransomware Roundup – 2022/06/16 (direct link) FortiGuard Labs has become aware of several ransomware strains that caught the public's attention for the week of June 13th, 2022. It is imperative to raise awareness about ransomware variants because infections can cause severe damage to organizations. This week's Ransomware Roundup Threat Signal covers Nyx, Solidbit, RobbinHood and HelloXD ransomware along with the Fortinet protections against them.
What is Nyx ransomware? Nyx is a recently discovered double-extortion ransomware. It steals data from the victim, encrypts files on the compromised machine and then demands a ransom from the victim in exchange for file recovery and for not leaking the stolen information to the public. It leaves a ransom note in a file called READ_ME.txt that includes the victim's unique ID, the attacker's contact email address and a secondary email address which the victim should use in case the attacker does not respond within 48 hours of the first email being sent. Figure: Nyx ransomware's ransom note. The ransomware adds the following file extension to the files it encrypts: [victim's unique ID].[the attacker's primary contact email].NYX. Figure: Files encrypted by Nyx ransomware. What is the Status of Coverage? FortiGuard Labs provides the following AV coverage against Nyx ransomware: W32/Filecoder.NHQ!tr.ransom
What is Solidbit ransomware? Solidbit is a ransomware that encrypts files on the compromised machine and demands a ransom from the victim for file recovery. Figure: Solidbit ransomware's lock screen. Solidbit ransomware drops a ransom note in a file named RESTORE-MY-FILES.txt, which includes Solidbit's own TOR site, which the victim is asked to visit to contact the attacker, along with the decryption ID. Figure: Solidbit ransomware's ransom note. The TOR site offers free decryption of a file (up to a maximum file size of 1MB) to prove that decryption works properly. The Solidbit threat actor also provides chat support for victims. Figure: Solidbit ransomware's TOR site. What is the Status of Coverage? FortiGuard Labs provides the following AV coverage against Solidbit ransomware: MSIL/Filecoder.APU!tr.ransom
What is RobbinHood ransomware? RobbinHood is a ransomware that has been in the wild since at least 2019. This ransomware is covered in this week's ransomware roundup because a report recently surfaced that it was responsible for infecting an auto parts manufacturer in February 2022, which resulted in the shutdown of the factories. Written in Golang, RobbinHood is a simple ransomware that encrypts files on the compromised machine and demands a ransom for decrypting the affected files. A typical ransom note left behind by RobbinHood ransomware has the attacker's bitcoin address and asks the victim to pay the ransom within 3 to 4 days, depending on the ransomware variant. The attacker warns that the ransom amount increases by $10,000 each day if the payment is not made during the specified window. However, some RobbinHood ransom notes state that the victim's keys will be removed after 10 days, which makes file recovery impossible, in order to add pressure on the victim to pay the ransom. Also, the attacker asks the victim not to contact law enforcement or security vendors. Known file extensions that RobbinHood ransomware adds to encrypted files include ".enc_robbin_hood" and ".rbhd". It also deletes shadow copies, which makes file recovery difficult. What is the Status of Coverage? FortiGuard Labs provides the following AV coverage against RobbinHood ransomware: W32/Robin.AB!tr.ransom, W32/Robin.A!tr, W32/RobbinHood.A!tr.ransom, W32/RobbinHood.A!tr, W32/Ransom_Win32_ROBBINHOOD.SM, W32/Filecoder_RobbinHood.D!tr.ransom, W32/Filecoder_RobbinHood.D!tr, W32/Filecoder_RobbinHood.C!tr, W32/Filecoder_RobbinHood.B!tr.ransom, W32/Filecoder_RobbinHood.B!tr, W32/Filecoder_RobbinHood.A!tr
What is HelloXD ransomware? HelloXD is a ransomware that targets both Windows and Linux systems. The ransomware has been in the field since at least November 2021 and typically comes with a logo having a red face with horns. Figure: HelloXD ransomware logo. In order to inhibit file recovery, it deletes shadow copies before encryptin Ransomware Threat
DarkReading 2022-06-16 20:34:43 Microsoft 365 Function Leaves SharePoint, OneDrive Files Open to Ransomware Attacks (direct link) SharePoint and OneDrive libraries can be encrypted in a ransomware attack, researchers say. Ransomware
InfoSecurityMag 2022-06-16 16:30:00 Office 365 Functionality Could Allow Ransomware to Hold Files Stored on SharePoint and OneDrive (direct link) Malicious actors could reduce the versioning limit of files to a low number and encrypt them more times than the versioning limit Ransomware
TechRepublic 2022-06-16 15:44:57 (Déjà vu) 'Potentially dangerous' Office 365 flaw discovered (direct link) Proofpoint says the piece of functionality allows ransomware to encrypt files stored on Microsoft SharePoint and OneDrive. Ransomware
ProofPoint 2022-06-16 15:39:33 Proofpoint: 'Potentially Dangerous' Flaw Could Allow Ransomware Attacks On Microsoft SharePoint, OneDrive (direct link) No details Ransomware
CSO 2022-06-16 13:32:00 Ransomware could target OneDrive and SharePoint files by abusing versioning configurations (direct link) Researchers warn that documents hosted in the cloud might not be out of reach for ransomware actors and that while they're harder to permanently encrypt due to the automated backup features of cloud services, there are still ways to make life hard for organizations. Researchers from Proofpoint have devised a proof-of-concept attack scenario that involves abusing the document versioning settings in Microsoft's OneDrive and SharePoint Online services that are part of the Office 365 and Microsoft 365 cloud offerings. Furthermore, since these services provide access to most of their features through APIs, potential attacks can be automated using command-line interfaces and PowerShell scripts. Ransomware
Kaspersky 2022-06-16 11:24:26 Ransomware Risk in Healthcare Endangers Patients (direct link) Ryan Witt, Proofpoint's Healthcare Cybersecurity Leader, examines the impact of ransomware on patient care. Ransomware Guideline
SecurityWeek 2022-06-16 10:39:55 Researchers Discover Way to Attack SharePoint and OneDrive Files With Ransomware (direct link) Ransomware can attack data in the cloud and launch attacks on cloud infrastructure. Researchers have discovered a functionality within Office 365 that could allow attackers to ransom files stored on SharePoint and OneDrive. On disclosure to Microsoft, the researchers were told the system 'is working as intended'. That is, it's a feature, not a flaw. Ransomware
AlienVault 2022-06-16 10:00:00 API security: 12 essential best practices to keep your data & APIs safe (direct link) This blog was written by an independent guest blogger. If you don’t think API security is that important, think again. Last year, 91% of organizations had an API security incident. The proliferation of SOAP and REST APIs makes it easy for organizations to tailor their application ecosystems. But APIs also hold the keys to all of a company’s data, and as data-centric projects become more in demand, the likelihood of a targeted API attack campaign increases. Experts agree that organizations that keep their API ecosystem open should also take steps to prevent ransomware attacks and protect data from unauthorized users. Here is a list of 12 tips to help protect your API ecosystem and avoid unnecessary security risks.
Encryption: The best place to start when it comes to any cybersecurity protocol is encryption. Encryption converts all of your protected information into code that can only be read by users with the appropriate credentials. Without the encryption key, unauthorized users cannot access encrypted data. This ensures that sensitive information stays far from prying eyes. In today’s digital business environment, everything you do should be encrypted. Using a VPN and Tor together runs your network connection through a secured server. Encrypting connections at every stage can help prevent unwanted attacks. Customer-facing activities, vendor and third-party applications, and internal communications should all be protected with TLS encryption or higher.
Authentication: Authentication means validating that a user or a machine is being truthful about their identity. Identifying each user that accesses your APIs is crucial so that only authorized users can see your company’s most sensitive information. There are many ways to authenticate API users: HTTP basic authentication, API authentication key configuration, IdP server tokens, OAuth & OpenID Connect. A great API has the ability to delegate authentication protocols. Delegating authorization and authentication of APIs to an IdP can help make better use of resources and keep your API more secure. OAuth 2 is what prevents people from having to recall from memory thousands of passwords for numerous accounts across the internet and allows users to connect via trusted credentials through another provider (like when you use Facebook, Apple, or Google to log in or create an account online). This concept is also applied to API security with IdP tokens. Instead of users inputting their credentials, they access the API with a token provided by a third-party server. Plus, you can leverage the OpenID Connect standard by adding an identity layer on top of OAuth.
Audit, log, and version: Without adequate API monitoring, there is no way organizations can stop insidious attacks. Teams should continuously monitor the API and have an organized and repeatable troubleshooting process in place. It’s also important that companies audit and log data on the server and turn it into resources in case of an incident. A monitoring dashboard can help track API consumption and enhance monitoring practices. And don’t forget to add the version on all APIs and deprecate them when appropriate.
Stay private: Organizations should be overly cautious when it comes to vulnerabilities and privacy since data is one of the most valuable and sought-after business commodities. Ensu Ransomware Tool
itsecurityguru 2022-06-16 09:36:25 Microsoft Patch Fixes Follina Bug (direct link) Microsoft issued its last regular patch update round this week, fixing over 50 CVEs, including the malicious zero-day bug “Follina.” Officially named CVE-2022-30190, Follina, as reported last week, is being exploited in the wild by state-backed actors and the operators behind Qakbot, which has links to ransomware groups. It’s a remote code execution (RCE) bug […] Ransomware
bleepingcomputer 2022-06-16 06:07:20 Microsoft Office 365 feature can help cloud ransomware attacks (direct link) Security researchers are warning that threat actors could hijack Office 365 accounts to encrypt for a ransom the files stored in SharePoint and OneDrive services that companies use for cloud-based collaboration, document management and storage. [...] Ransomware Threat
The_Hackers_News 2022-06-16 05:38:18 BlackCat Ransomware Gang Targeting Unpatched Microsoft Exchange Servers (direct link) Microsoft is warning that the BlackCat ransomware crew is leveraging exploits for unpatched Exchange server vulnerabilities to gain access to targeted networks. Upon gaining an entry point, the attackers swiftly moved to gather information about the compromised machines, followed by carrying out credential theft and lateral movement activities, before harvesting intellectual property and Ransomware
ComputerWeekly 2022-06-16 05:00:00 Office 365 loophole may give ransomware an easy shot at your files (direct link) No details Ransomware ★★★
The_Hackers_News 2022-06-16 03:05:49 A Microsoft Office 365 Feature Could Help Ransomware Hackers Hold Cloud Files Hostage (direct link) A "dangerous piece of functionality" has been discovered in the Microsoft 365 suite that could potentially be abused by a malicious actor to ransom files stored on SharePoint and OneDrive and launch attacks on cloud infrastructure. The cloud ransomware attack makes it possible to launch file-encrypting malware to "encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable Ransomware Malware
Cybereason 2022-06-15 15:46:03 How AI-Driven XDR Defeats Ransomware (direct link) Ransomware
bleepingcomputer 2022-06-15 12:28:27 Extortion gang ransoms Shoprite, largest supermarket chain in Africa (direct link) Shoprite Holdings, Africa's largest supermarket chain, which operates almost three thousand stores across twelve countries on the continent, has been hit by a ransomware attack. [...] Ransomware
itsecurityguru 2022-06-15 09:33:58 Ransomware Gang Develops New Website That Allows Victims To Search For Their Data (direct link) BlackCat, the ALPHV ransomware gang, has created a website that allows customers and employees of their victim to check if their data was stolen in an attack. Ransomware gangs typically quietly steal corporate data and harvest everything of value. After they’ve done this, the threat actor starts to encrypt devices. The hackers then, in a […] Ransomware Threat
itsecurityguru 2022-06-15 09:19:44 New cybersecurity bill to require mandatory reporting of ransomware, other attacks (direct link) The Canadian legislature plans to introduce a bill on June 14th which would make the reporting of cybersecurity breaches mandatory for private-sector organizations. The legislation aims to target the underreporting of ransomware attacks, which has proven to be a problem for cybersecurity regulators. According to a SecOps report released by Deep Instinct, 38% of surveyed cybersecurity professionals […] Ransomware
Chercheur 2022-06-14 19:53:12 Ransomware Group Debuts Searchable Victim Data (direct link) Cybercrime groups that specialize in stealing corporate data and demanding a ransom not to publish it have tried countless approaches to shaming their victims into paying. The latest innovation in ratcheting up the heat comes from the ALPHV/BlackCat ransomware group, which has traditionally published any stolen victim data on the Dark Web. Today, however, the group began publishing individual victim websites on the public Internet, with the leaked data made available in an easily searchable form. Ransomware
bleepingcomputer 2022-06-14 19:03:26 Ransomware gang creates site for employees to search for their stolen data (direct link) The ALPHV ransomware gang, aka BlackCat, has brought extortion to a new level by creating a dedicated website that allows the customers and employees of their victim to check if their data was stolen in an attack [...] Ransomware
Cybereason 2022-06-14 16:41:26 Defending Against the Five Stages of a Ransomware Attack (direct link) The increasing sophistication of ransomware attacks is costing businesses more than ever. Our recently released report, titled Ransomware: The True Cost to Business Study 2022, revealed that 73% of organizations suffered at least one ransomware attack in 2022, compared with just 55% in the 2021 study. Ransomware
Anomali 2022-06-14 15:15:00 Anomali Cyber Watch: Symbiote Linux Backdoor is Hard to Detect, Aoqin Dragon Comes through Fake Removable Devices, China-Sponsored Groups Proxy through Compromised Routers, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Hooking, Ransomware, Stealthiness, Vulnerabilities, and Web skimming. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat (published: June 9, 2022) Intezer and BlackBerry researchers described a new, previously unknown malware family dubbed Symbiote. It is a very stealthy Linux backdoor and credential stealer that has been targeting financial and other sectors in Brazil since November 2021. Symbiote is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD before any other SOs. It uses hardcoded lists to hide associated processes and files, and alters the way ldd displays lists of SOs in order to remove itself from them. Additionally, Symbiote uses three methods to hide its network traffic. For TCP, Symbiote hides traffic related to some high-numbered ports and/or certain IP addresses using two techniques: (1) hooking fopen and fopen64 and returning scrubbed file content for /proc/net/tcp, which lists current TCP sockets, and (2) hooking extended Berkeley Packet Filter (eBPF) code to hide certain network traffic from packet capture tools. For UDP, Symbiote hooks two libpcap functions, filtering out packets containing certain domains and fixing up the packet count. All these evasion measures can lead to Symbiote being hidden during a live forensic investigation. Analyst Comment: Defenders are advised to use network telemetry to detect anomalous DNS requests associated with Symbiote exfiltration attempts. Security solutions could be deployed as statically linked executables so they don’t expose themselves to this kind of compromise by calling for additional libraries. MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Hide Artifacts - T1564 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 | [MITRE ATT&CK] Data Staged - T1074 Tags: Symbiote, target-region:Latin America, Brazil, target-country:BR, Financial, Linux, Berkeley Packet Filter, eBPF, LD_PRELOAD, Exfiltration over DNS, dnscat2
Alert (AA22-158A). People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices (published: June 8, 2022) Several US federal agencies issued a special Cybersecurity Advisory regarding China-sponsored activities concentrating on two aspects: compromise of unpatched network devices and threats to IT and telecom. Attackers compromise unpatched network devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, to serve as “hop points” that obfuscate their China-based IP addresses in preparation for and during the next intrusion. Similarly, routers in IT and telecom companies are targeted for initial access by China-sponsored groups, this time using the open-source router-specific software frameworks RouterSploit and RouterScan. Analyst Comment: When planning your company Ransomware Malware Tool Vulnerability Threat Guideline CCleaner
InfoSecurityMag 2022-06-14 15:00:00 HelloXD Ransomware Variants Found Installing Backdoor on Windows and Linux Machines (direct link) The backdoor allowed attackers to upload and download files, execute commands and remove their footprint Ransomware
MalwarebytesLabs 2022-06-14 12:43:08 “Multiple adversaries” exploiting Confluence vulnerability, warns Microsoft (direct link) Microsoft has warned of APT groups and ransomware authors exploiting the now patched Confluence vulnerability. We take a look at the dangers. Ransomware ★★★★
itsecurityguru 2022-06-14 09:45:15 45% of cybersecurity pros are considering quitting the industry due to stress (direct link) The results of the third edition of the annual Voice of SecOps Report found that 45% of respondents in C-suite and senior cybersecurity roles were considering exiting the industry due to stress and incessant threats from ransomware. 46% of those surveyed knew someone in the past year who left due to stressors. Threats from ransomware […] Ransomware Threat
Last update at: 2024-07-16 09:08:01