What's new around the internet

Src Date (GMT) Title Description Tags Stories Notes
Dragos.webp 2022-11-08 21:02:18 (Déjà vu) New Whitepaper Details Latest TSA Security Directive 2021-02C, With Guidance On How to Adapt (direct link) Since the Colonial Pipeline ransomware attack in May 2021, the regulatory environment in which critical pipeline owners and operators must... Ransomware
The_Hackers_News.webp 2022-11-08 20:22:00 Amadey Bot Spotted Deploying LockBit 3.0 Ransomware on Hacked Machines (direct link) The Amadey malware is being used to deploy LockBit 3.0 ransomware on compromised systems, researchers have warned. "Amadey bot, the malware that is used to install LockBit, is being distributed through two methods: one using a malicious Word document file, and the other using an executable that takes the disguise of the Word file icon," AhnLab Security Emergency Response Center (ASEC) said in a Ransomware Malware
bleepingcomputer.webp 2022-11-08 17:56:13 LockBit affiliate uses Amadey Bot malware to deploy ransomware (direct link) A LockBit 3.0 ransomware affiliate is using phishing emails that install the Amadey Bot to take control of devices and encrypt them. [...] Ransomware Malware
securityintelligence.webp 2022-11-08 17:15:00 Defending Education from Cyber Threat Attackers (direct link) Threat actors, and particularly ransomware attackers, have education institutions in their crosshairs. From Vice Society's September attack on schools in California to Snatch's late October assault on schools in Wisconsin, threat actors are not holding back when it comes to preying on schools. K-12 schools are the most vulnerable within the education industry, […] Ransomware Threat
Anomali.webp 2022-11-08 16:00:00 Anomali Cyber Watch: Active Probing Revealed Cobalt Strike C2s, Black Basta Ransomware Connected to FIN7, Robin Banks Phishing-as-a-Service Became Stealthier, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Active scanning, EDR evasion, Infostealers, Phishing, and Typosquatting. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence: Cobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild (published: November 3, 2022) Cobalt Strike remains a popular post-exploitation tool for threat actors trying to evade threat detection. Cobalt Strike's Beacons use advanced, flexible command-and-control (C2) communication profiles for stealthy communication with an attacker-controlled Linux application called Team Server. Beacon implants can covertly use the DNS protocol or communicate via HTTP/HTTPS using the default Malleable C2 profile or the Malleable C2 Gmail profile. Palo Alto researchers probed the Internet for these three types of communication to find previously unknown active Team Server instances. The researchers preselected suspicious IP addresses with Shodan, actively probed them with stager requests and initialized a connection with the netcat tool to test, verify and extract communication profile settings (such as the served stager bytes). Analyst Comment: Network fingerprinting and active scanning technologies allow for proactive identification of threats such as Cobalt Strike's C2 IP addresses. Network defenders and intelligence feed providers can get better coverage by improving their collaboration via threat intelligence platforms such as ThreatStream provided by Anomali. MITRE ATT&CK: [MITRE ATT&CK] Application Layer Protocol - T1071 Tags: detection:Cobalt Strike Beacon, detection:Cobalt Strike, detection:Cobalt Strike Team Server, Cobalt Strike stager, Active scanning, Shodan, netcat, Post-exploitation tool, Gmail, DNS, TCP, HTTP, Windows Abusing Microsoft Customer Voice to Send Phishing Links (published: November 3, 2022) Avanan researchers detected a phishing campaign that has abused Microsoft Dynamics 365 Customer Voice since at least September 2022. These phishing emails come from the legitimate email address surveys@email.formspro.microsoft.com, and clicking the link opens Microsoft's Customer Voice domain on a page with a URL starting with customervoice.microsoft.com/Pages/ResponsePage.aspx?id=... At the same time, a user clicking on the embedded "Play Voicemail" link is redirected to an attacker-controlled phishing page asking for Microsoft account login credentials. Analyst Comment: Organizations can use services like Anomali Digital Risk Protection, which defends your brand against brand abuse and continuously monitors domains for cybersquatters and domain hijacking to prevent phishing and malware attacks. Users are advised to always check the current domain by hovering over the URL, especially before entering credentials. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 Tags: Customer Voice, Phishing, Microsoft, Forms Pro Black Basta Ransomware Ransomware Malware Tool Threat
SecurityWeek.webp 2022-11-08 11:13:43 Ransomware Gang Threatens to Publish Medibank Customer Information (direct link) On Monday, shortly after Australian health insurer Medibank said it will not pay a ransom following a recent cyberattack, the BlogXX/REvil ransomware gang threatened to make stolen Medibank customer information public. Ransomware
AlienVault.webp 2022-11-08 11:00:00 Prepare, respond & recover: Battling complex Cybersecurity threats with fundamentals (direct link) The cybersecurity industry has seen a lot of recent trends. For example, the proliferation of multifactor authentication (MFA) to fight against credential harvesting is a common thread. Threat actors have been creating legitimate-looking phishing campaigns, which have been a big driver for this trend. Although some of the tools for MFA can be complex, proper authentication/authorization is an absolute fundamental that every enterprise should embrace. Where should we start with fundamentals? People, Process & Technology. Let's have a little more strategic look at this, though. To provide a holistic approach to security, a higher-level perspective is necessary. Your Process must be sound. Yes, that means policy-level guidance. Yes, that means that standards need to be in place. Finally, it means that procedures providing more detailed guidance must be available for employees. Again, perspective is essential. Nobody wants to work on the process first. Indeed, I was guilty of having a negative view of process early in my career. Let's take the first example and reveal how the process might assist. An enterprise policy statement might provide simple guidance that access to all company resources requires management approval (as a policy). How does an enterprise define who needs access to specific resources? Glad you asked. Standards can be used to determine data classification and the controls for accessing and protecting the various categories of data. An access control standard would also be appropriate to complement the data categories. So far, we have policy-level guidance, data classification, and access control standards which guide the controls necessary to control access to company resources. Where does the requirement for MFA live? That is a good question; my thoughts are that it likely lives in the standards area. However, requiring MFA could be a policy, standard, or process/procedure level requirement. The next reasonable question is: where do the requirements for implementing MFA belong? In an authentic consultant manner, I would say: It depends. Take that with the lighthearted intention I meant it with. Implementing MFA may be a process/procedure used by IT. Why did I say "may"? The reality is that there may be automation that handles this. It is possible that HR defines each employee's role, and based on that, an HR system provides that through an API to the systems used to provide authentication/authorization. Doesn't that sound pleasantly streamlined? More likely, things are not that automated. If they are, then kudos to your enterprise. There are likely multiple processes and procedures required before even setting this up, but I think most of the folks reading this will understand where I'm trying to go with this. HR will have processes and procedures around defining roles and requesting implementation. IT will have processes and procedures focused on implementing the solution. The information security team will have processes and procedures for monitoring authentication/authorization mechanisms. This is just to state that Process is as important as the tool or technology chosen to meet the need. None of these documents state which tool or Technology to use. That is the point. If you have policy guidance and standards that define the need and processes to guide implementing MFA, then the Technology should be interchangeable. So, the first fundamental which should be a foundation is sound process. I spoke about various teams here (IT and HR). That is another fundamental: People. People need to understand the requirements. People need to understand their role, and people need to be part of the solution. Finally, the last high-level fundamental is Technology. But I said Technology could be interchanged. Yes, in many cases it ca Ransomware Tool Vulnerability Threat Guideline
InfoSecurityMag.webp 2022-11-08 10:45:00 SMBs Fear Security Budget Cuts as Inflation Bites (direct link) Concerns come amid worries over ransomware surge Ransomware
globalsecuritymag.webp 2022-11-08 09:56:30 Ransomware: how UK businesses can curb the threat in response to a rise in figures (direct link) Ransomware: how UK businesses can curb the threat in response to a rise in figures. At a time of mounting economic pressure, the latest research reveals that UK organisations experience the sixth highest number of ransomware attacks globally. Research published by the European Union Agency for Cybersecurity (ENISA) reveals just how much of a threat ransomware poses to the UK and its organisations. The UK is the sixth most attacked nation on the global stage when it comes to ransomware. - Special Reports Ransomware Threat
SecurityAffairs.webp 2022-11-08 09:45:36 Medibank confirms ransomware attack impacting 9.7M customers, but doesn't pay the ransom (direct link) Australian health insurer Medibank confirmed that personal data belonging to around 9.7 million current and former customers was exposed as a result of a ransomware attack. Medibank announced that personal data belonging to around 9.7M current and former customers was exposed as a result of a recent ransomware attack. Medibank is one of the […] Ransomware
Blog.webp 2022-11-08 00:35:33 (Déjà vu) LockBit 3.0 Being Distributed via Amadey Bot (direct link) The ASEC analysis team has confirmed that attackers are using Amadey Bot to install LockBit. Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker. Like other malware strains, it is being sold on illegal forums and is still being used by various attackers. It was used in the past to install ransomware by the attackers behind GandCrab, or to install FlawedAmmyy by the TA505 group, which... Ransomware Malware
The_Hackers_News.webp 2022-11-07 20:54:00 Medibank Refuses to Pay Ransom After 9.7 Million Customers Exposed in Ransomware Hack (direct link) Australian health insurer Medibank today confirmed that personal data belonging to around 9.7 million of its current and former customers was accessed following a ransomware incident. The attack, according to the company, was detected in its IT network on October 12 in a manner that it said was "consistent with the precursors to a ransomware event," prompting it to isolate its systems, but not Ransomware Hack
globalsecuritymag.webp 2022-11-07 14:52:11 SentinelLabs analyses the techniques used by the Black Basta ransomware and links it to the FIN7 hackers (direct link) SentinelLabs analyses the techniques used by the Black Basta ransomware and links it to the FIN7 hackers. SentinelLabs, SentinelOne's research division, has just published the results of its research on the Black Basta ransomware, which has carried out several dozen attacks in recent months. In addition, SentinelLabs security researchers have found evidence linking the Black Basta ransomware group to FIN7, a financially motivated hacking group also known as "Carbanak". - Malwares Ransomware
bleepingcomputer.webp 2022-11-07 12:50:26 Ransomware gang threatens to release stolen Medibank data (direct link) A ransomware gang that some believe is a relaunch of REvil and others track as BlogXX has claimed responsibility for last month's ransomware attack against Australian health insurance provider Medibank Private Limited. [...] Ransomware
AlienVault.webp 2022-11-07 11:00:00 10 Cybersecurity predictions for 2023 (direct link) As we head into 2023 and look back at the last year, the focus will continue to be on reducing risk exposure and on resilience. Organizations are strengthening their ransomware defenses, their security and privacy approach to product development, cyberattack response, supply chain risk management and operational technology (OT) security. Based on working with customers across industry sectors, here is a compilation of some trends we predict for 2023. 1. Critical Infrastructure and Public Sector will continue to become attractive targets. As cyberattacks become more sophisticated, building collaborative communities between the public and private sectors will be crucial to synchronize operations and take preventative measures as a unified front against critical infrastructure threats. The public sector has become a favored target for cybercriminals. Armed with automated botnets, hackers rummage through computer systems to locate "soft targets." In recent years, US state and local government agencies have fallen prey to cyber-attacks. Legacy security is proving ineffective against the growing legion of diverse, sophisticated, and confrontational cyber threats. Public agencies collect and store sensitive data. Like the private sector, government institutions have gone digital. The addition of cloud, mobile, and SaaS has expanded an organization's attack surface, and it further illuminates that your cyber security is only as strong as your weakest point. 2. OT attack patterns will become more prevalent. IT and OT teams must find common ground to eliminate the substantial risk factors of planned and accidental IT/OT convergence. But the mission does not end there. OT security solutions that work in conjunction with IT security solutions can be the catalyst that not only provides the visibility, security, and control needed to thwart new cyber threats but also brings these once separate teams together for the common security that every manufacturing, critical infrastructure and industrial organization will need in order to fulfill its core mission efficiently and securely. The rising demand for improved connectivity of systems, faster maintenance of equipment, and better insights into the utilization of resources has given rise to internet-enabled OT systems, which include industrial control systems (ICS) and others such as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), remote terminal units (RTUs), and programmable logic controllers (PLCs). With everything becoming internet-facing and cloud-managed, the manufacturing and critical infrastructure sectors (i.e., healthcare, pharma, chemicals, power generation, oil production, transportation, defense, mining, food, and agriculture) are becoming exposed to threats that may be more profound than data breaches. In the coming years, OT attacks will become more prevalent and be used in cyber warfare. 3. Privacy will start getting more attention within the US. We are going to see more states pass laws with a focus on privacy. Data privacy laws in the United States have been primarily sector-based, with different data privacy laws applying to different sectors of the economy. For example, HIPAA for health care, FERPA for education, GLBA for finance, etc. While this approach has allowed laws to be tailored to specific contexts, it has also resulted in many businesses being exempt from meaningful data privacy regulation. Recognizing these gaps, these state consumer data privacy laws will seek to establish a comprehensive framework for controlling and processing personal data by many businesses currently exempt from other regulatory schemes. While the state laws vary somewhat, they share a few common principles around establishing standards and r Ransomware Vulnerability Guideline
Darktrace.webp 2022-11-07 00:00:00 Inside the Yanluowang Leak: Organization, Members, and Tactics (direct link) YanLuoWang ransomware was first used to attack a handful of US corporations in August 2021. Since then, the group has successfully ransomed organizations across the world, with global software giant Cisco among its victims. This blog post reveals Darktrace analysts' research into the organization's structure and tactics. Ransomware
SecurityAffairs.webp 2022-11-06 17:17:54 LockBit 3.0 gang claims to have stolen data from Kearney & Company (direct link) The ransomware group LockBit claimed to have stolen data from consulting and IT services provider Kearney & Company. Kearney is a premier CPA firm that provides services across the financial management spectrum to government entities. The company provides audit, consulting and IT services to the United States government. It has helped the Federal Government improve its […] Ransomware
InfoSecurityMag.webp 2022-11-04 17:00:00 Black Basta Ransomware Attacks Linked to FIN7 Threat Actor (direct link) The hacker behind a tool used by Black Basta had access to the source code used by FIN7 Ransomware Tool Threat
InfoSecurityMag.webp 2022-11-04 16:00:00 LockBit Claims Ransomware Attack on Continental (direct link) The ransomware gang made the announcement on its leak site Ransomware
ESET.webp 2022-11-04 13:30:38 Ransomware rages on – Week in security with Tony Anscombe (direct link) This week's news offered fresh reminders of the threat that ransomware poses for businesses and critical infrastructure worldwide Ransomware Threat
SecurityWeek.webp 2022-11-04 12:58:37 Ransomware Group Threatens to Leak Data Stolen From Car Parts Giant Continental (direct link) The notorious LockBit ransomware group is threatening to publish files allegedly stolen from German car parts giant Continental. On its Tor-based leak website, the group says all files - the exact quantity of data or its type is not specified - will be published on November 4, three hours after the publication of this article. Ransomware
The_Hackers_News.webp 2022-11-03 23:10:00 Researchers Find Links b/w Black Basta Ransomware and FIN7 Hackers (direct link) A new analysis of tools put to use by the Black Basta ransomware operation has identified ties between the threat actor and the FIN7 (aka Carbanak) group. This link "could suggest either that Black Basta and FIN7 maintain a special relationship or that one or more individuals belong to both groups," cybersecurity firm SentinelOne said in a technical write-up shared with The Hacker News. Black Ransomware Threat
SecurityAffairs.webp 2022-11-03 21:29:12 LockBit ransomware gang claims the hack of Continental automotive group (direct link) The LockBit ransomware group claimed to have hacked the multinational automotive group Continental and threatens to leak stolen data. The LockBit ransomware gang announced that it had hacked the German multinational automotive parts manufacturing company Continental. The group added the name of the company to its Tor leak site and is threatening to publish allegedly stolen data if the […] Ransomware Hack
bleepingcomputer.webp 2022-11-03 14:25:59 LockBit ransomware claims attack on Continental automotive giant (direct link) The LockBit ransomware gang has claimed responsibility for a cyberattack against the German multinational automotive group Continental. [...] Ransomware
SecurityAffairs.webp 2022-11-03 12:34:23 Experts link the Black Basta ransomware operation to FIN7 cybercrime gang (direct link) Sentinel Labs found evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7. Security researchers at Sentinel Labs shared details about Black Basta's TTPs and assess it is highly likely that the ransomware operation has ties with FIN7. The experts analyzed tools used by the ransomware gang in attacks, some of […] Ransomware
globalsecuritymag.webp 2022-11-03 09:57:27 The "Q2-Q3 2022 Ransomware Report" shows that ransomware has increased by 466% since 2019, and that ransomware and malware are now precursors of physical war (direct link) The "Q2-Q3 2022 Ransomware Report" shows that ransomware has increased by 466% since 2019, and that ransomware and malware are now precursors of physical war. The report also shows that most IT and security teams have no overall view of all existing vulnerabilities, nor sufficient threat context for those that present the most risk. In particular, CISA's KEV catalog is missing 124 ransomware vulnerabilities - Investigations Ransomware
SentinelOne.webp 2022-11-03 09:55:17 Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor (direct link) Black Basta operational TTPs are described here in full detail, revealing previously unknown tools and techniques and a link to FIN7. Ransomware Tool Threat ★★★
Blog.webp 2022-11-03 05:23:46 (Déjà vu) ASEC Weekly Malware Statistics (October 24th, 2022 – October 30th, 2022) (direct link) The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 24th, 2022 (Monday) to October 30th (Sunday). For the main category, Infostealer ranked top with 43.2%, followed by downloader with 34.7%, backdoor with 19.4%, and ransomware with 2.2%. Top 1 – Agent Tesla AgentTesla is an Infostealer that ranked first place with 22.1%. It is an Infostealer that leaks user credentials saved in... Ransomware Malware
Blog.webp 2022-11-03 05:23:28 Surtr Ransomware Being Distributed in Korea (direct link) Through internal monitoring, the ASEC analysis team has recently discovered that Surtr ransomware is being distributed. This ransomware encrypts files, then adds a "[DycripterSupp@mailfence.com].[<random string>].Surtr" extension to the original file extension. When Surtr ransomware infects a system, it changes the desktop image of the infected PC and creates a ransom note (See Figures 1 and 2) to inform the user of the ransomware infection. Surtr also creates ransom note files (SURTR_README.hta and SURTR_README.txt) in folders containing the infected... Ransomware
CSO.webp 2022-11-03 04:22:00 White House ransomware summit highlights need for borderless solutions (direct link) The US White House this week convened its Second International Counter Ransomware Initiative Summit (CRI), bringing together leaders from 36 countries and the European Union in person to build on the work of its first ransomware summit in 2021. At a press briefing before the Summit, a White House spokesperson said, "While the United States is facilitating this meeting, we don't view this solely as a US initiative. It's an international partnership that spans most of the world's time zones, and it really reflects the threat that criminals and cyberattacks bring." Ransomware Threat Guideline
Fortinet.webp 2022-11-02 11:17:06 Azov "Ransomware" Wiper (direct link) FortiGuard Labs is aware of a new ransomware variant called "Azov". This ransomware variant is in quotation marks because, although it has the hallmarks of ransomware, it is considered a data wiper: there is no way to recover the encrypted data and/or get in touch with the threat actors. After encryption, the note left behind for the victim, "RESTORE_FILES.txt," references well known OSINT researchers on Twitter. The note falsely tells victims to get in touch with said researchers to request keys for decryption:
#####
!Azov ransomware!
Hello, my name is hasherezade.
I am the polish security expert.
To recover your files contact us in twitter:
@hasherezade
@VK_Intel
@demonslay335
@malwrhunterteam
@LawrenceAbrams
@bleepincomputer
[Why did you do this to my files?]
I had to do this to bring your attention to the problem.
Do not be so ignorant as we were ignoring Crimea seizure for years.
The reason the west doesn't help enough Ukraine.
Their only help is weapons, but no movements towards the peace!
Stop the war, go to the streets!
Since when that Z-army will be near to my Polska country.
The only outcome is nuclear war.
Change the future now!
Help Ukraine, come to the streets!
We want our children to live in the peaceful world.
--------------------------------------------------
Biden doesn't want help Ukraine.
You people of United States, come to the streets, make revolution!
Keep America great!
Germany plays against their own people!
Du! Ein mann aus Deutschland, komm doch, komm raus! [You! A man from Germany, come on, come out!]
Das ist aber eine Katastrophe, was Biden zu ihnen gemacht hat. [But what a catastrophe it is, what Biden has done to you.]
Wie war das schoen, wenn Merkel war da? [How nice it was when Merkel was there?]
---------------------------------------------------
#TaiwanIsChina
#####
How is Azov Being Distributed? Reports are that Azov is being dropped by SmokeLoader. Further reports reveal that Azov is also being distributed via various pirated-software sites.
So if Files are Encrypted, why is this Referred to as a Wiper? Because the files are not recoverable and no instructions or contact information are provided to the victim. Essentially, files are rendered inoperable because there are no known decryption keys available.
Is Decryption Possible? There are no known decryption keys or tools available at this time.
What is the Status of Coverage? FortiGuard Labs has AV coverage in place for Azov as: W64/AzovWiper.BVMK!tr.ransom, W64/Generik.BVMK!tr.ransom Ransomware Threat
AlienVault.webp 2022-11-02 10:00:00 AT&T Cybersecurity Insights Report: Focus Energy and Utilities (direct link) As energy and utilities companies strive to use the edge to innovate new solutions for delivering more efficient and resilient services, cybersecurity risks to carrying out those business missions loom large. Ransomware attackers and other cybercriminals have increasingly found energy and utilities organizations a profitable target, launching high-profile attacks in the last few years that have threatened safety and uptime in the process. Operational and security experts at these companies are well aware of the balancing act they must achieve under these conditions, according to a new industry breakout of the AT&T Cybersecurity Insights Report. Released this week, the AT&T Cybersecurity Insights Report: Focus on Energy and Utilities shows that technologists in these organizations are called upon by the business to roll out edge use cases such as remote-control operations, self-healing assets, and intelligent grid management. At the same time, they must ensure these deployments are done with cybersecurity as a central component, as the impact of attacks against this vertical's edge-connected assets could have drastic consequences for companies tasked with delivering the most vital resources for modern living. Rapid rate of energy and utility innovation. One of the key areas examined by the AT&T Cybersecurity Insights Report is the rate of adoption of edge computing, the use cases in play, and their stage of maturity. This was tracked across six major sectors. This latest industry report dives into the trends for companies that provide services and resources such as electricity, oil and gas, water, and sewer. The study shows that some 77% of energy and utilities respondents worldwide are planning to implement, have partially implemented, or have fully implemented an edge use case. The study dug into nine industry-specific use cases and examined their stage of adoption across the energy and utilities sector. Combining the mid-stage and mature-stage adoption rates reveals that the use of edge computing in infrastructure leak detection has the highest combined adoption maturity (82%) among survey respondents. Some examples of how this looks in action include using sensors to gauge the flow of water in a municipal water system and using the low latency of edge connections to monitor that data in real time for drops or spikes in pressure that could indicate the need for preventive maintenance or immediate servicing of equipment. This is of course a single example in a broad range of use cases currently under exploration in this sector. Edge computing has opened up tremendous opportunities for energy and utilities companies to solve tough problems across the entire value chain, including the safe acquisition of energy supplies on the front end of the supply chain, the proper monitoring of consumption of energy and resources on the back end, and the efficient use of facilities and equipment to run the functions between the two phases. Some additional examples most commonly cited were: remote control operations; geographic infrastructure exploration, discovery, and management; connected field services; and intelligent grid management. Interestingly, in spite of many energy companies being engaged in proof-of-concept and insulated projects, overall the sector's rate of mature adoption was the least prevalent compared to all other sectors, sitting at about 40%. Survey analysis indicates this isn't from a lack of interest, but instead a product of the justifiably cautious nature of this industry, which keeps safety and availability top of mind. The fact that this market segment had the highest level of adoption in mid-stage compared to other industries offers a clue that these companies are all-in on edge deployments but taking their time considering and account Ransomware Vulnerability Threat Patching Guideline
zataz.webp 2022-11-02 09:41:35 277 attacks recorded in October 2022 (direct link) Ferrari, several town halls and defence industry firms were targeted by ransomware-type cyber attacks in October 2022.... Ransomware
Blog.webp 2022-11-02 01:22:25 Elbie Ransomware Being Distributed in Korea (direct link) The ASEC analysis team has identified through internal monitoring that the Elbie ransomware is being distributed under the disguise of ieinstal.exe, an Internet Explorer Add-on installation program. The initial executable decodes its internal data into an executable that performs the actual ransomware behavior (See Figure 2). Afterward, the decoded executable is injected into the process which has run recursion, and it checks whether the user PC uses a VM environment. The injected and executed ransomware drops a copy into the... Ransomware
CS.webp 2022-11-01 21:42:15 Ransomware costs top $1 billion as White House inks new threat-sharing initiative (direct link) The Treasury Department released its findings as the White House is wrapping up an international summit on fighting the ransomware problem. Ransomware
SecurityAffairs.webp 2022-11-01 17:33:53 LockBit 3.0 gang claims to have stolen data from Thales (lien direct) >The ransomware group LockBit 3.0 claimed to have stolen data from the French defence and technology group Thales. Thales is a global high-tech leader with more than 81,000 employees worldwide. The Group invests in digital and deep tech innovations – big data, artificial intelligence, connectivity, cybersecurity and quantum – to build a future of trust, […] Ransomware Guideline
InfoSecurityMag.webp 2022-11-01 17:00:00 Osaka Hospital Halts Services After Ransomware Attack (lien direct) Emergency operations are continuing, but the hospital system failed and cannot be accessed Ransomware
Anomali.webp 2022-11-01 15:00:00 Anomali Cyber Watch: Active Probing Revealed ShadowPad C2s, Fodcha Hides Behind Obscure TLDs, Awaiting OpenSSL 3.0 Patch, and More (lien direct) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, DDoS, OpenSSL, Ransomware, Russia, Spyware, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Threat Analysis: Active C2 Discovery Using Protocol Emulation Part3 (ShadowPad) (published: October 27, 2022) ShadowPad is a custom, modular malware in use by multiple China-sponsored groups since 2015. VMware researchers analyzed the command-and-control (C2) protocol in recent ShadowPad samples. They uncovered decoding routines and protocol/port combinations such as HTTP/80, HTTP/443, TCP/443, UDP/53, and UDP/443. Active probing revealed 83 likely ShadowPad C2 servers (between September 2021 and September 2022). Additional samples communicating with this infrastructure included Spyder (used by APT41) and ReverseWindow (used by the LuoYu group). Analyst Comment: Researchers can use reverse engineering and active probing to map malicious C2 infrastructure. At the same time, the ShadowPad malware changes the immediate values used in the packet encoding per variant, so finding new samples is crucial for this monitoring. 
MITRE ATT&CK: [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 Tags: detection:ShadowPad, C2, APT, China, source-country:CN, actor:APT41, actor:LuoYu, detection:Spyder, detection:ReverseWindow, TCP, HTTP, HTTPS, UDP Raspberry Robin Worm Part of Larger Ecosystem Facilitating Pre-Ransomware Activity (published: October 27, 2022) The Raspberry Robin USB-drive-targeting worm is an increasingly popular infection and delivery method. Raspberry Robin works as a three-file infection: a Raspberry Robin LNK file on a USB drive, the Raspberry Robin DLL (aka Roshtyak) backdoor, and a heavily-obfuscated .NET DLL that writes LNKs to USB drives. Microsoft researchers analyzed several infection chains likely centered around threat group EvilCorp (aka DEV-0206/DEV-0243). Besides being the initial infection vector, Raspberry Robin was seen delivered by the Fauppod malware, which shares certain code similarities both with Raspberry Robin and with EvilCorp's Dridex malware. Fauppod/Raspberry Robin infections were followed by additional malware (Bumblebee, Cobalt Strike, IcedID, TrueBot), and eventually led to a ransomware infection (LockBit, Clop). Analyst Comment: Organizations are advised against enabling Autorun of removable media on Windows by default, as it allows automated activation of an inserted, Raspberry Robin-infected USB drive. Apply best practices related to credential hygiene, network segmentation, and attack surface reduction. MITRE ATT&CK: [MITRE ATT&CK] Replicat Ransomware Malware Hack Tool Vulnerability Threat Guideline APT 41
InfoSecurityMag.webp 2022-11-01 15:00:00 LockBit Dominates Ransomware Campaigns in 2022: Deep Instinct (lien direct) The figures come from the 2022 Interim Cyber Threat Report by Deep Instinct Ransomware Threat
SecurityAffairs.webp 2022-11-01 11:32:51 Ransomware activity and network access sales in Q3 2022 (lien direct) >Ransomware activity report: Threat actors are selling access to hundreds of organizations, with a cumulative requested price of around $4M. Research published by threat intelligence firm KELA related to ransomware activity in Q3 reveals a stable activity in the sector of initial access sales, but experts observed a rise in the value of the offerings. […] Ransomware Threat
MalwarebytesLabs.webp 2022-10-31 20:00:00 Raspberry Robin worm used as ransomware prelude (lien direct) >Categories: News, Ransomware. Tags: Raspberry Robin, FakeUpdates, LockBit, Clop, ransomware. Microsoft warns that the Raspberry Robin worm has triggered payload alerts on devices of almost 1,000 organizations in the past 30 days and is used to introduce ransomware. (Read more...) Ransomware
2022-10-31 18:59:51 Researcher Spotlight: How Azim Khodjibaev went from hunting real-world threats to threats on the dark web (lien direct) Most of the time, Khodjibaev is combing through various dark web forums, ransomware group chats, Russian-speaking websites and other sources trying to learn of attackers' next moves. Ransomware
no_ico.webp 2022-10-31 18:15:00 Australian Defence Department Impacted In Ransomware Attack (lien direct) It has been reported that the Australian Department of Defence fears the personal data of personnel, such as dates of birth, may have been compromised after a communications platform used by the military was hit by a ransomware attack. Ransomware
News.webp 2022-10-31 17:30:09 The White House's global ransomware summit couldn't come at a better time (lien direct) As cyber threats ramp up, businesses and organizations will be hoping for more than platitudes The White House has begun its second annual International Counter Ransomware Summit in which Biden administration officials will convene with representatives of three dozen nations, the EU, and private business to discuss the growing threat posed by data-destroying cyber attacks.… Ransomware Threat
The_Hackers_News.webp 2022-10-31 17:30:00 Unofficial Patch Released for New Actively Exploited Windows MotW Vulnerability (lien direct) An unofficial patch has been made available for an actively exploited security flaw in Microsoft Windows that makes it possible for files signed with malformed signatures to sneak past Mark-of-the-Web (MotW) protections. The fix, released by 0patch, arrives weeks after HP Wolf Security disclosed a Magniber ransomware campaign that targets users with fake security updates which employ a Ransomware Vulnerability
SecurityAffairs.webp 2022-10-31 14:37:01 Wannacry, the hybrid malware that brought the world to its knees (lien direct) >Reflecting on the Wannacry ransomware attack: what is the lesson learnt, and why are most organizations still ignoring it? In the early afternoon of Friday 12 May 2017, the media broke the news of a global computer security attack carried out through a malicious code capable of encrypting data residing in information systems and demanding […] Ransomware Malware Wannacry
InfoSecurityMag.webp 2022-10-31 13:00:00 Hackers Target Australian Defense Communications Platform With Ransomware (lien direct) The firm is one of the defense department's external providers employed to run one of its websites Ransomware
CS.webp 2022-10-31 12:18:41 White House seeks international cooperation to thwart growing ransomware threat (lien direct) >During the International Counter Ransomware Summit in Washington, participants will discuss how to increase resilience against ransomware. Ransomware Threat
CSO.webp 2022-10-31 11:09:00 BrandPost: Phishing Attacks are on the Rise, and Cyber Awareness is One of Your Best Defenses (lien direct) Cybersecurity Awareness Month has come to an end, yet security should be a top priority all year round for organizations of all shapes and sizes. The threat landscape is constantly evolving, with cybercriminals finding new ways to trick unsuspecting victims and infiltrate networks. For example, according to the 1H 2022 FortiGuard Labs Threat Report, ransomware is rampant, showing no signs of slowing its pace. These attacks are becoming more sophisticated and aggressive, with attackers introducing new strains and updating, enhancing, and reusing old ones. What's especially concerning as we look back at the first half of 2022 is that we observed 10,666 ransomware variants, compared to just 5,400 in the previous six months. That's nearly 100% growth in ransomware variants in half a year. Ransomware Threat
bleepingcomputer.webp 2022-10-28 16:08:28 The Week in Ransomware - October 28th 2022 - Healthcare leaks (lien direct) This week, we learned of healthcare data leaks out of Australia, information about existing attacks, and reports on how ransomware gangs operate and partner with malware developers for initial access. [...] Ransomware Malware
Last update at: 2024-07-20 17:08:19