What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-03-23 00:26:45 | Joint CyberSecurity Advisory Alert on AvosLocker Ransomware (lien direct) | FortiGuard Labs is aware that a joint advisory on AvosLocker malware was recently issued by the Federal Bureau of Investigation (FBI) and the US Department of Treasury. AvosLocker is a Ransomware-as-a-Service (RaaS) that has targeted organizations across multiple critical infrastructure sectors in the United States. The targeted sectors include financial services, critical manufacturing, and government facilities organizations. Other AvosLocker victims are in multiple countries throughout the world. Why is this Significant?This is significant because the joint advisory indicates that organizations across multiple critical infrastructure sectors in the United States were targeted by AvosLocker ransomware. The advisory calls out vulnerabilities that the ransomware group exploited, which companies need to consider patching as soon as possible.What is AvosLocker?AvosLocker ransomware targets Windows and Linux systems and was first observed in late June 2021. As Ransomware-as-a-Service, AvosLocker is advertised on a number of Dark Web communities, recruiting affiliates (partners) and access brokers. After breaking into a target and locating accessible files on the victim network, AvosLocker exfiltrates data, encrypts the files with AES-256, and leaves a ransom note "GET_YOUR_FILES_BACK.txt". Some of the known file extensions that AvosLocker adds to the files it encrypted are ".avos", ".avos2", and ".avoslinux".On top of leaving a ransom note to have the victim pay in order to recover their encrypted files and to not have their stolen information disclosed to the public, some AvosLocker victims were reported to have received phone calls from an AvosLocker attacker. The calls threatened the victim to go to the payment site for negotiation. Some victims also received an additional threat that the attacker would launch Distributed Denial-of-Service (DDoS) attacks against them. AvosLocker's leak site is called "press release" where the victims are listed along with a description about them.How Widespread is AvosLocker Ransomware?The advisory indicates that AvosLocker's known victims are "in the United States, Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, United Arab Emirates, United Kingdom, Canada, China, and Taiwan".What Vulnerabilities are Exploited by AvosLocker?The advisory states that "multiple victims have reported on premise Microsoft Exchange Server vulnerabilities as the likely intrusion vector". Those vulnerabilities include CVE-2021-26855 and ProxyShell, which is an exploit attack chain involving three Microsoft exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. Also, a path traversal vulnerability in the FortiOS SSL-VPN web portal was reported to have been exploited by the AvosLocker group.FortiGuard Labs previously posted a Threat Signal on ProxyShell. See the Appendix for a link to "Vulnerable Microsoft Exchange Servers Actively Scanned for ProxyShell" and FortiGuard Labs released a patch for CVE-2018-13379 in May 2019. For additional information, see the Appendix for a link to "Malicious Actor Discloses FortiGate SSL-VPN Credentials", and "The Art of War (and Patch Management)" for the importance of patch management.What Tools is AvosLocker Known to Utilize?The advisory references the following tools:Cobalt StrikeEncoded PowerShell scriptsPuTTY Secure Copy client tool "pscp.exe"RcloneAnyDeskScannerAdvanced IP ScannerWinLister What is the Status of Coverage?FortiGuard Labs provides the following AV coverage against known samples of AvosLocker ransomware:W32/Cryptor.OHU!tr.ransomW32/Filecoder.OHU!tr.ransomELF/Encoder.A811!tr.ransomLinux/Filecoder_AvosLocker.A!trPossibleThreatFortiGuard Labs provides the following AV coverage against ProxyShell:MSIL/proxyshell.A!trMSIL/proxyshell.B!trFortiGuard Labs provides the following IPS coverage against CVE-2021-26855, ProxyShell, and CVE-2018-13379:MS.Exchange.Server.ProxyRequestHandler.Remote.Code.Execution (CVE-2021-26855)MS.Exchange.Server.CVE-2021-34473.Remote.Code.Execution (CVE-2021-34473)MS.Exchange.Server.Common.Access.Token.Privil | Ransomware Malware Tool Vulnerability Threat Patching | ★★ | |
 |
2022-03-22 17:22:44 | \'Serpent\' Backdoor Used in Malware Attacks on French Entities (lien direct) | French organizations in the construction, government, and real estate sectors have been targeted with a new backdoor in a string of malware attacks, according to a warning from Proofpoint. | Malware | ||
 |
2022-03-22 16:58:00 | Anomali Cyber Watch: Russia Targets Ukraine with New Malware, Targeted Phishing Campaigns Give Way to Wizard Spider, Certificates Stolen by Lapsus$ Are Being Abused, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Code signing, Naver, Phishing, Russia, Ukraine, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Double Header: IsaacWiper and CaddyWiper
(published: March 18, 2022)
Data destruction is one of the common objectives for Russia in its ongoing cyberwar with Ukraine. During the February-March 2022 military escalation, three new wipers were discovered. On February 23, 2022, HermeticWiper, on February 24, 2022, IsaacWiper, and, later in March 2022, CaddyWiper. Malwarebytes researchers assess that all three wipers have been written by different authors and have no code overlap. IsaacWiper and CaddyWiper are light in comparison to the more complex HermeticWiper. CaddyWiper has an additional check to exclude wiping Domain Controllers probably to leave an opportunity for malware propagation.
Analyst Comment: Focus on intrusion prevention and having a proper disaster recovery plan in place: have anti-phishing training, keep your systems updated, regularly backup your data to an offline storage.
MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485
Tags: CaddyWiper, IsaacWiper, HermeticWiper, Wiper, Data destruction, Russia, Ukraine, Ukraine-Russia Conflict 2022, Operation Bleeding Bear
UAC-0035 (InvisiMole) Attacks Ukrainian Government Organizations
(published: March 18, 2022)
The Computer Emergency Response Team for Ukraine (CERT-UA) detected a new UAC-0035 (InvisiMole) phishing campaign targeting Ukrainian government organizations. InvisiMole is likely a subgroup connected to the Russia-sponsored Gamaredon (Primitive Bear) group. The new campaign features an attached archive, together with a shortcut (LNK) file. If the LNK file is opened, an HTML Application file (HTA) downloads and executes VBScript designed to deploy the LoadEdge backdoor. LoadEdge deploys additional malware and modules including TunnelMole, malware that abuses the DNS protocol to form a tunnel for malicious software distribution, and RC2CL backdoor module.
Analyst Comment: Users should be trained to recognize spearphishing attempts. Attachments with rare attachment extensions (LNK, ISO, BAT to name a few) should be reported.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Protocol Tunneling - T1572 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] User Execution - T1204
Tags: InvisiMole, UAC-0035, TunnelMole, Gamaredon, Primitive Bear, Russia, Ukraine, LNK, HTA, DNS, Ukraine-Russia Conflict 2022, Operation Bleeding Bear
Exposing Initial Access Broker with Ties to Co |
Ransomware Malware Tool Vulnerability Threat | ★★★★ | |
 |
2022-03-22 16:12:11 | Storm Cloud à l'horizon: Gimmick malware frappe à MacOS Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS (lien direct) |
> Fin 2021, Volexity a découvert une intrusion dans un environnement surveillé dans le cadre de son service de surveillance de la sécurité du réseau.La volexité a détecté un système exécutant FRP, autrement connu sous le nom de proxy inverse rapide, et a ensuite détecté le balayage de port interne peu de temps après.Ce trafic a été déterminé comme non autorisé et le système, un MacBook Pro exécutant MacOS 11.6 (Big Sur), a été isolé pour une analyse médico-légale supplémentaire.Volexity a pu exécuter la surtension Collect pour acquérir la mémoire du système (RAM) et sélectionner les fichiers d'intérêt dans la machine pour l'analyse.Cela a conduit à la découverte d'une variante macOS d'un gadget d'appels de volexité d'implant de logiciels malveillants.La volexité a rencontré des versions Windows de la famille des logiciels malveillants à plusieurs reprises.Gimmick est utilisé dans les attaques ciblées de Storm Cloud, un acteur de menace d'espionnage chinois connue pour attaquer les organisations à travers l'Asie.Il s'agit d'une famille de logiciels malveillants multiplateforme riche en fonctionnalités qui utilise des services d'hébergement de cloud public (tels que Google [& # 8230;]
>In late 2021, Volexity discovered an intrusion in an environment monitored as part of its Network Security Monitoring service. Volexity detected a system running frp, otherwise known as fast reverse proxy, and subsequently detected internal port scanning shortly afterward. This traffic was determined to be unauthorized and the system, a MacBook Pro running macOS 11.6 (Big Sur), was isolated for further forensic analysis. Volexity was able to run Surge Collect to acquire system memory (RAM) and select files of interest from the machine for analysis. This led to the discovery of a macOS variant of a malware implant Volexity calls GIMMICK. Volexity has encountered Windows versions of the malware family on several previous occasions. GIMMICK is used in targeted attacks by Storm Cloud, a Chinese espionage threat actor known to attack organizations across Asia. It is a feature-rich, multi-platform malware family that uses public cloud hosting services (such as Google […] |
Malware Threat Cloud | ★★★ | |
 |
2022-03-21 16:24:26 | L'art et la science de la chasse au malware des macos avec Radare2 |Tirer parti des Xrefs, Yara et Zignatures The Art and Science of macOS Malware Hunting with radare2 | Leveraging Xrefs, YARA and Zignatures (lien direct) |
Dans la prochaine partie de notre série sur l'inversion de malwares macOS, nous fouillons dans l'identification du code réutilisé sur des échantillons de logiciels malveillants pour la chasse et la détection.
In the next part of our series on reversing macOS malware, we dig into identifying reused code across malware samples for hunting and detection. |
Malware | ★★★ | |
 |
2022-03-21 14:21:36 | New Serpent backdoor malware targets French entities with unforeseen method (lien direct) | The malware has been found in the French construction and government sectors and uses steganography, Tor proxy and package installer software, Proofpoint says. | Malware | ||
 |
2022-03-21 09:57:32 | More Conti group source code leaked (lien direct) | A Ukrainian security researcher has released further source code from the Conti ransomware group in retaliation for their siding with Russia over the ongoing Russia-Ukraine conflict. Conti is a prolific ransomware operation run by Russia-based threat actors. The group has been involved in developing numerous malware families, and is considered one of the most active […] | Ransomware Malware Threat | ||
 |
2022-03-21 08:39:23 | Your Current Endpoint Security May Be Leaving You with Blind Spots (lien direct) | Threat actors are continuously honing their skills to find new ways to penetrate networks, disrupt business-critical systems and steal confidential data. In the early days of the internet, adversaries used file-based malware to carry out attacks, and it was relatively easy to stop them with signature-based defenses. Modern threat actors have a much wider variety […] | Malware Threat | ||
 |
2022-03-18 12:43:23 | Russia-linked Cyclops Blink botnet targeting ASUS routers (lien direct) | The recently discovered Cyclops Blink botnet, which is believed to be a replacement for the VPNFilter botnet, is now targeting the ASUS routers. The recently discovered Cyclops Blink botnet is now targeting the ASUS routers, reports Trend Micro researchers. The Cyclops Blink malware has been active since at least June 2019, it targets WatchGuard Firebox and other […] | Malware | VPNFilter | |
 |
2022-03-18 10:30:00 | Cyclops Blink Malware Expands to Target Asus (lien direct) | Researchers warn that large-scale campaign may be building | Malware | ||
|
2022-03-18 06:32:57 | (Déjà vu) Microsoft releases open-source tool for checking MikroTik Routers compromise (lien direct) | Microsoft released an open-source tool to secure MikroTik routers and check for indicators of compromise for Trickbot malware infections. Microsoft has released an open-source tool, dubbed RouterOS Scanner, that can be used to secure MikroTik routers and check for indicators of compromise associated with Trickbot malware infections. “This analysis has enabled us to develop a […] | Malware Tool | ||
 |
2022-03-17 22:33:21 | Pro-Ukraine \'Protestware\' Pushes Antiwar Ads, Geo-Targeted Malware (lien direct) | Researchers are tracking a number of open-source "protestware" projects on GitHub that have recently altered their code to display "Stand with Ukraine" messages for users, or basic facts about the carnage in Ukraine. The group also is tracking several code packages that were recently modified to erase files on computers that appear to be coming from Russian or Belarusian Internet addresses. | Malware | ||
 |
2022-03-17 21:52:58 | New Variant of Russian Cyclops Blink Botnet Targeting ASUS Routers (lien direct) | ASUS routers have emerged as the target of a nascent botnet called Cyclops Blink, almost a month after it was revealed the malware abused WatchGuard firewall appliances as a stepping stone to gain remote access to breached networks. According to a new report published by Trend Micro, the botnet's "main purpose is to build an infrastructure for further attacks on high-value targets," given that | Malware | ||
|
2022-03-17 18:07:18 | LokiLocker Ransomware with Built-in Wiper Functionality (lien direct) | FortiGuard Labs is aware of a report that LokiLocker ransomware is equipped with built-in wiper functionality. The ransomware targets the Windows OS and is capable of erasing all non-system files and overwriting the Master Boot Record (MBR) if the victim opts not to pay the ransom, leaving the compromised machine unusable. According to the report, most victims of LokiLocker ransomware are in Eastern Europe and Asia.Why is this Significant?This is significant because LokiLocker ransomware has built-in wiper functionality which can overwrite the MBR and delete all non-system files on the compromised machine if the victim does not pay ransom in a set time frame. Successfully overwriting the MBR will leave the machine unusable.What is LokiLocker Ransomware?LokiLocker is a .NET ransomware that has been active since as early as August 2021. The ransomware encrypts files on the compromised machines and demands ransom from the victim to recover the encrypted files. The ransomware adds a ".Loki" file extension to the files it encrypted. It also leaves a ransom note in a Restore-My-Files.txt file. The malware is protected with NETGuard, an open-source tool for protecting .NET applications, as well as KoiVM, a virtualizing protector for .NET applications.LokiLocker has a built-in configuration file, which contains information such as the attacker's email address, campaign or affiliate name, Command-and-Control (C2) server address and wiper timeout. Wiper timeout is set to 30 days by default. The value tells the ransomware to wait 30 days before deleting non-system files and overwriting the Master Boot Record (MBR) of the compromised machine. The configuration also has execution options which controls what actions the ransomware should or should not carry out on the compromised machine. The execution options include not wiping the system and the MBR, not encrypting the C Drive and not scanning for and encrypting network shares. The wiping option is set to false by default, however the option can be modified by the attacker.How is LokiLocker Ransomware Distributed?While the current infection vector is unknown, early LokiLocker variants were distributed through Trojanized brute-checker hacking tools. According to the public report, most victims of LokiLocker ransomware are in Eastern Europe and Asia. Fortinet's telemetry indicates the C2 domain was accessed the most from India, followed by Canada, Chile and Turkey.What is the Status of Coverage?FortiGuard Labs provide the following AV coverage:W32/DelShad.GRG!tr.ransomW32/DelShad.GSE!tr.ransomW32/DelShad.GUJ!tr.ransomW32/Filecoder.AKJ!trW32/Generic.AC.171!trW32/PossibleThreatW32/Ramnit.AMSIL/Filecoder.AKJ!trMSIL/Filecoder.AKJ!tr.ransomMSIL/Filecoder_LokiLocker.D!trMSIL/Filecoder.4AF0!tr.ransomMSIL/Filecoder.64CF!tr.ransomPossibleThreatAll known network IOC's are blocked by the FortiGuard WebFiltering client. | Ransomware Malware Tool | ||
|
2022-03-17 14:18:28 | Escobar mobile malware targets 190 banking and financial apps, steals 2FA codes (lien direct) | A new Android mobile malware dubbed Escobar has hit the cybercrime underground market. Read more about it and see how to protect yourself from this threat. | Malware | ||
 |
2022-03-17 12:43:59 | [Heads Up] New Evil Ransomware Feature: Disk Wiper if You Don\'t Pay (lien direct) |
There is a new ransomware-as-a-service (RaaS) strain called LokiLocker, researchers at Blackberry warn. The malware uses rare code obfuscation and includes a file wiper component that attackers can deploy if their victims don't pay. "It shouldn't be confused with an older ransomware family called Locky, which was notorious in 2016, or LokiBot, which is an infostealer. |
Ransomware Malware | ||
|
2022-03-17 11:16:02 | B1txor20 Linux botnet use DNS Tunnel and Log4J exploit (lien direct) | Researchers uncovered a new Linux botnet, tracked as B1txor20, that exploits the Log4J vulnerability and DNS tunnel. Researchers from Qihoo 360’s Netlab have discovered a new backdoor used to infect Linux systems and include them in a botnet tracked as B1txor20. The malware was first spotted on February 9, 2022, when 360Netlab’s honeypot system captured […] | Malware Vulnerability | ||
|
2022-03-17 10:58:58 | Your mobile apps are exposing your data (lien direct) | New research suggests that mobile applications boasting tens of millions of downloads are leaking sensitive user data due to the misconfiguration of back-end cloud databases, according to Check Point. Check Point’s three-month study began with a simple query on VirusTotal for mobile apps listed on the malware scanning service that communicates with the Firebase cloud database. […] | Malware | ||
|
2022-03-17 05:59:15 | DirtyMoe Botnet Gains New Exploits in Wormable Module to Spread Rapidly (lien direct) | The malware known as DirtyMoe has gained new worm-like propagation capabilities that allow it to expand its reach without requiring any user interaction, the latest research has found. "The worming module targets older well-known vulnerabilities, e.g., EternalBlue and Hot Potato Windows privilege escalation," Avast researcher Martin Chlumecký said in a report published Wednesday. "One worm | Malware | ||
|
2022-03-17 03:05:39 | TrickBot Malware Abusing Hacked IoT Devices as Command-and-Control Servers (lien direct) | Microsoft on Wednesday detailed a previously undiscovered technique put to use by the TrickBot malware that involves using compromised Internet of Things (IoT) devices as a go-between for establishing communications with the command-and-control (C2) servers. "By using MikroTik routers as proxy servers for its C2 servers and redirecting the traffic through non-standard ports, TrickBot adds | Malware | ||
 |
2022-03-16 07:56:00 | CaddyWiper is fourth new malware linked to Ukraine war (lien direct) | Pas de details / No more details | Malware | ||
 |
2022-03-15 20:45:00 | CaddyWiper: Third Wiper Malware Targeting Ukrainian Organizations (lien direct) | On March 1, 2022, ESET reported a third destructive data wiper variant used in attacks against Ukrainian organizations dubbed as CaddyWiper. CaddyWiper’s method of destruction is by overwriting file data with “NULL” values. This is the fourth sample of malware IBM Security X-Force has released public content for which has been reportedly targeted systems belonging […] | Malware | ||
|
2022-03-15 20:10:10 | [Eye Opener] Ukraine Is Now Being Hit With 4 Different Strains Of Wiper Malware (lien direct) |
Newly discovered data-destroying malware was found this week in attacks targeting Ukrainian organizations and deleting data across systems on compromised networks. "This new malware erases user data and partition information from attached drives," ESET Research Labs explained. |
Malware | ||
|
2022-03-15 18:42:54 | Cybercriminals are targeting Ukrainian sympathizers, what can you do to remain safe? (lien direct) | Cisco Talos has uncovered an information stealing malware affecting those attempting to aid Ukraine in their online fight against Russia. | Malware | ||
|
2022-03-15 17:14:50 | Mobile malware is on the rise: Know how to protect yourself from a virus or stolen data (lien direct) | Don't let mobile malware ruin your day or your device. Be aware of how this threat happens and take good precautions to avoid it. | Malware Threat | ||
|
2022-03-15 16:46:00 | Anomali Cyber Watch: Government and Financially-Motivated Targeting of Ukraine, Conti Ransomware Active Despite Exposure, Carbanak Abuses XLL Files, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Excel add-ins, Phishing, Russia, Ukraine, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Webinar on Cyberattacks in Ukraine – Summary and Q&A
(published: March 14, 2022)
As the military conflict in Ukraine continues, the number of cyberattacks in Ukraine is expected to rise in the next six months, according to Kaspersky researchers. Most of the current attacks on Ukraine are of low complexity, but advanced persistent threat (APT) attacks exist too. Gamaredon (Primitive Bear) APT group continues its spearphishing attacks. Sandworm APT targets SOHO network devices with modular Linux malware Cyclops Blink. Other suspected APT campaigns use MicroBackdoor malware or various wipers and fake ransomware (HermeticRansom, HermeticWiper, IsaacWiper, WhisperGate). Honeypot network in Ukraine detected over 20,000 attacking IP addresses, and most of them were seen attacking Ukraine exclusively.
Analyst Comment: Harden your infrastructure against DDoS attacks, ransomware and destructive malware, phishing, targeted attacks, supply-chain attacks, and firmware attacks. Install all the latest patches. Install security software. Consider strict application white-listing for all machines. Actively hunt for attackers inside the company’s internal network using the retrospective visibility provided by Anomali XDR.
MITRE ATT&CK: [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Pre-OS Boot - T1542 | [MITRE ATT&CK] Fallback Channels - T1008 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Disk Content Wipe - T1488 | [MITRE ATT&CK] Inhibit System Recovery - T1490
Tags: Gamaredon, Sandworm, MicroBackdoor, Hades, HermeticWiper, HermeticRansom, IsaacWiper, Pandora, Cyclops Blink, Government, Russia, Ukraine, UNC1151, Ghostwriter, Belarus, Ukraine-Russia Conflict 2022, Operation Bleeding Bear
Alert (AA21-265A) Conti Ransomware (Updated)
(published: March 9, 2022)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), with assistance from the U.S. Secret Service has updated the alert on Conti ransomware with 98 domain names used in malicious operations. Conti ransomware-as-a-service (RaaS) operation is attributed to the threat group Wizard Spider also known for its Trickbot malware. The group’s internal data and communications were leaked at the end of February 2022 after they announced support for Russia over the conflict in Ukraine.
Analyst Comment: Despite the increased attention to Conti ransomware group, it remains extremely active. Ensure t |
Ransomware Malware Tool Vulnerability Threat | APT 28 | |
|
2022-03-15 13:20:59 | (Déjà vu) Additional Wiper Malware Deployed in Ukraine #CaddyWiper (lien direct) | FortiGuard Labs is aware of new wiper malware observed in the wild attacking Ukrainian interests. The wiper was found by security researchers today at ESET. The wiper is dubbed CaddyWiper. Preliminary analysis reveals that the wiper malware erases user data and partition information from attached drives. According to the tweet, CaddyWiper does not share any code with HermeticWiper or IsaacWiper or any known malware families.This is a breaking news event. More information will be added when relevant updates are available.For further reference about Ukrainian wiper attacks please reference our Threat Signal from January and February. Also, please refer to our recent blog that encompasses the recent escalation in Ukraine, along with salient advice about patch management and why it is important, especially in today's political climate.Is this the Work of Nobelium/APT29?At this time, there is not enough information to correlate this to Nobelium/APT29 or nation state activity. Was this Sample Signed?No. Unlike the HermeticWiper sample related to Ukrainian attacks, this sample is unsigned.Why is Malware Signed?Malware is often signed by threat actors as a pretense to evade AV or any other security software. Signed malware allows threat actors to evade and effectively bypass detection, guaranteeing a higher success rate. What is the Status of Coverage?FortiGuard Labs has AV coverage in place for publicly available samples as:W32/CaddyWiper.NCX!tr | Malware Threat | APT 29 | |
 |
2022-03-15 13:00:43 | RiskIQ Threat Intelligence Roundup: Campaigns Targeting Ukraine and Global Malware Infrastructure (lien direct) | >This roundup will highlight our researchers' focus on these campaigns, including analyzing phishing attacks targeting Ukrainian refugees. We'll also add insight to other threat campaigns worldwide, including malware campaigns, nation-state threat infrastructure, and Magecart digital credit card skimming, all of which can be found in the RiskIQ Threat Intelligence Portal (TIP). The post RiskIQ Threat Intelligence Roundup: Campaigns Targeting Ukraine and Global Malware Infrastructure first appeared on RiskIQ. | Malware Threat | ||
 |
2022-03-15 12:55:00 | CaddyWiper: More destructive wiper malware strikes Ukraine (lien direct) | The wiper avoids domain controllers to stay under the radar. | Malware | ||
|
2022-03-15 11:38:33 | CaddyWiper: Another Destructive Wiper Malware Targeting Ukraine (lien direct) | ESET's security researchers have identified another data wiper targeting Ukrainian organizations, the third destructive malware identified since Russia began its invasion of the country. Dubbed CaddyWiper, the threat does not show significant code similarities with known malware families, and has been used only against a small number of organizations. | Malware Threat | ★★★★ | |
|
2022-03-15 10:30:00 | Mobile Devices See 466% Annual Increase in Zero-Day Attacks (lien direct) | Zimperium report warns of bugs, malware and misconfigurations | Malware | ||
|
2022-03-15 10:20:42 | Ukrainian machines hit with another Malware variant (lien direct) | Security researchers have discovered the fourth destructive malware variant targeting Ukrainian machines so far this year. ESET claimed to have made the find yesterday, noting that the “CaddyWiper” malware was seen on a few dozen systems in a “limited number” of organizations. The malware erases user data and partitions information from attached drives. It also […] | Malware | ★★★★★ | |
|
2022-03-15 09:30:00 | Ukrainian Targets Hit by Another Destructive Malware Variant (lien direct) | CaddyWiper looks like nothing else, says ESET | Malware | ||
|
2022-03-15 05:33:53 | CaddyWiper, a new data wiper hits Ukraine (lien direct) | Experts discovered a new wiper, tracked as CaddyWiper, that was employed in attacks targeting Ukrainian organizations. Experts at ESET Research Labs discovered a new data wiper, dubbed CaddyWiper, that was employed in attacks targeting Ukrainian organizations. The security firm has announced the discovery of the malware with a series of tweets: “This new malware erases […] | Malware | ||
|
2022-03-15 02:38:46 | CaddyWiper: Yet Another Data Wiping Malware Targeting Ukrainian Networks (lien direct) | Two weeks after details emerged about a second data wiper strain delivered in attacks against Ukraine, yet another destructive malware has been detected amid Russia's continuing military invasion of the country. Slovak cybersecurity company ESET dubbed the third wiper "CaddyWiper," which it said it first observed on March 14 around 9:38 a.m. UTC. Metadata associated with the executable (" | Malware | ||
|
2022-03-15 00:00:00 | A Brief History of The Evolution of Malware (lien direct) | FortiGuard Labs provides a brief historical insight into the history of computer malware from the pre-internet era to the current world of botnets, ransomware, viruses, worms, etc. Read to learn more.
|
Malware | ||
 |
2022-03-14 23:00:00 | CaddyWiper: New wiper malware discovered in Ukraine (lien direct) | This is the third time in as many weeks that ESET researchers have spotted previously unknown data wiping malware taking aim at Ukrainian organizations | Malware | ||
 |
2022-03-14 13:26:58 | Detecting malicious macros is a vital tool in the fight against malware (lien direct) | >by Bhabesh Raj Rai, Security ResearchEven the most sophisticated and advanced state-sponsored attackers leave digital traces and detecting these anomalies is key to protecting organizations against malware. One common method threat actors use to initiate malware campaigns is by phishing with a malicious Word document. When a user opens the document, it's likely to trigger [...] | Malware Tool Threat | ||
|
2022-03-14 13:20:43 | Cybersecurity: Attacker uses websites\' contact forms to spread BazarLoader malware (lien direct) | A new social engineering method is spreading this malware, and it's very easy to fall for. Here's what it's doing and how to avoid it. | Malware | ||
|
2022-03-14 10:32:49 | Malware hidden in fake Valorant aim-bot (lien direct) | Security analysts from Korea have detected a malware distribution campaign using Valorant cheat lures on YouTube in order to trick players into downloading RedLine, a powerful information stealer. This kind of lure is relatively common as threat actors can easily avoid YouTube’s new content submission reviews, or simply create new accounts when old ones are […] | Malware Threat | ||
|
2022-03-14 09:45:27 | Ukraine\'s “IT Army” hit with info-stealing malware (lien direct) | Security researchers have warned pro-Ukrainian actors of employing DDoS tools to attack Russia, as they may be ridden with info-stealing malware. In late February, Ukrainian vice prime minister, Mykhailo Fedorov, called for a volunteer “IT army” of hackers to DDoS Russian targets. Cisco Talos has claimed that many cyber criminals are attempting to exploit the outpouring of […] | Malware | ||
|
2022-03-14 02:17:59 | Researchers Find New Evidence Linking Kwampirs Malware to Shamoon APT Hackers (lien direct) | New findings released last week showcase the overlapping source code and techniques between the operators of Shamoon and Kwampirs, indicating that they "are the same group or really close collaborators." "Research evidence shows identification of co-evolution between both Shamoon and Kwampirs malware families during the known timeline," Pablo Rincón Crespo of Cylera Labs said. "If Kwampirs is | Malware | ||
|
2022-03-13 14:47:13 | The hidden C2: Lampion trojan release 212 is on the rise and using a C2 server for two years (lien direct) | The hidden C2: Lampion trojan release 212 is on the rise and using a C2 server for two years. Lampion trojan is one of the most active banking trojans impacting Portuguese Internet end users since 2019. This piece of malware is known for the usage of the Portuguese Government Finance & Tax (Autoridade Tributária e Aduaneira) email […] | Malware | ||
|
2022-03-12 16:40:23 | Attackers use website contact forms to spread BazarLoader malware (lien direct) | Threat actors are spreading the BazarLoader malware via website contact forms to evade detection, researchers warn. Researchers from cybersecurity firm Abnormal Security observed threat actors spreading the BazarLoader/BazarBackdoor malware via website contact forms. TrickBot operation has recently arrived at the end of the journey, according to AdvIntel some of its top members move under the Conti ransomware gang, […] | Malware Threat | ||
|
2022-03-11 16:50:11 | Report: Recent 10x Increase in Cyberattacks on Ukraine (lien direct) | As their cities suffered more intense bombardment by Russian military forces this week, Ukrainian Internet users came under renewed cyberattacks, with one Internet company providing service there saying they blocked ten times the normal number of phishing and malware attacks targeting Ukrainians. | Malware | ||
|
2022-03-11 15:28:20 | Email-Based Vishing Attacks Skyrocket 554% as Phishing, Social Media, and Malware Attacks Are All on the Rise (lien direct) |
New analysis of attacks in 2021 show massive increases across the board, painting a very concerning picture for this year around cyberattacks of all types. |
Malware | ||
|
2022-03-11 10:00:00 | Ukrainian IT Army Hijacked by Info-stealing Malware (lien direct) | DDoS tools may be booby-trapped, warns Cisco | Malware | ||
|
2022-03-10 23:39:03 | APT41 Compromised Six U.S. State Government Networks (lien direct) | FortiGuard Labs is aware of a report that threat actor APT41 compromised at least six networks belonging to U.S. state governments between May 2021 and February 2022. To gain a foothold into the victim's network, the threat actor used a number of different attack vectors: exploiting vulnerable Internet facing web applications and directory traversal vulnerabilities, performing SQL injection, and conducting de-serialization attacks. The intent of APT41 appears to be reconnaissance, though how the stolen information is to be used has not yet been determined.Why is this Significant? This is significant because at least six U.S. state government systems were broken into and data exfiltration was performed by APT41 as recent as February 2022 In addition, a zero-day vulnerability in the USAHerds application (CVE-2021-44207) as well as Log4j (CVE-2021-44228), among others, were exploited in the attacksWhat's the Detail of the Attack?APT41 performed several different ways to break into the targeted networks.In one case, the group exploited a SQL injection vulnerability in a Internet-facing web application. In another case, a then previously unknown vulnerability (CVE-2021-44207) in USAHerds, which is a web application used by agriculture officials to manage animal disease control and prevention, livestock identification and movement. Also, APT41 reportedly started to exploit the infamous Log4j vulnerability (CVE-2021-44228) within hours of Proof-of-Concept (PoC) code becoming available. Patches for both vulnerabilities are available. Once successful in breaking into the victim's network, the threat actor performed reconnaissance and credential harvesting activities. What is APT41?APT41 is a threat actor who has been active since at least 2012. Also known as TA415, Double Dragon, Barium, GREF and WickedPanda, the group reportedly performs Chinese state-sponsored espionage activities. APT41 targets organizations in multiple countries across a wide range of industries, such as telecommunications, industrial and engineering and think tanks. In 2020, five alleged members of the group were charged by the U.S. Justice Department for hacking more than 100 companies in the United States.What are the Tools Used by APT41?APT41 is known to use the following tools:ASPXSpy - web shell backdoorBITSAdmin - PowerShell cmdlets for creating and managing file transfers.BLACKCOFFEE - backdoor that disguise its communications as benign traffic to legitimate websites certutil - command-line utility tool used for manipulating certification authority (CA) data and components.China Chopper - web shell backdoor that allows attacker to have remote access to an enterprise networkCobalt Strike - a commercial penetration testing tool, which allows users to perform a wide range of activitiesDerusbi - DLL backdoorEmpire - PowerShell post-exploitation agent, which provides a wide range of attack activities to usersgh0st RAT - Remote Access Trojan (RAT)MESSAGETAP - data mining malware Mimikatz - open-source credential dumpernjRAT - Remote Access Trojan (RAT)PlugX - Remote Access Trojan (RAT)PowerSploit - open-source, offensive security framework which allows users to perform a wide range of activitiesROCKBOOT - BootkitShadowPad - backdoorWinnti for Linux - Remote Access Trojan (RAT) for LinuxZxShell - Remote Access Trojan (RAT)Badpotato - open-source tool that allows elevate user rights towards System rightsDustPan - shellcode loader. aka StealthVectorDEADEYE - downloaderLOWKEY - backdoorKeyplug - backdoorWhat are Other Vulnerabilities Known to be Exploited by APT41?APT41 exploited the following, but not restricted to, these vulnerabilities in the past:CVE-2020-10189 (ManageEngine Desktop Central remote code execution vulnerability)CVE-2019-19781 (Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance)CVE-2019-3396 (Atlassian Confluence Widget Connector Macro Velocity Template Injection)CVE-2017-11882 (Microsoft Office Memory Corruption Vulnerability)CVE-2017-0199 (Microsoft Office/WordPad Remote Code Execut | Malware Tool Vulnerability Threat Guideline | APT 41 APT 15 APT 15 | |
|
2022-03-10 21:51:37 | Crooks target Ukraine\'s IT Army with a tainted DDoS tool (lien direct) | Threat actors are spreading password-stealing malware disguised as a security tool to target Ukraine’s IT Army. Cisco Talos researchers have uncovered a malware campaign targeting Ukraine’s IT Army, threat actors are using infostealer malware mimicking a DDoS tool called the “Liberator.” The Liberator tool is circulating among pro-Ukraina hackers that use it to target Russian […] | Malware Tool Threat | ||
 |
2022-03-10 18:15:02 | Bourse : les cyberattaques font grimper des valeurs en bourse (lien direct) | La crise avec l’Ukraine a des répercussions de plus en plus mondiales. Désormais, même les internautes ne sont plus à l’abri. Un groupe de hackers russe, a publié un nouveau type de malware appelé “Cyclops Blink”. Plusieurs pannes sont recensées auprès de différents acteurs, cyberattaques ou coïncidence, la situation est bénéfique pour les sociétés de … Continue reading Bourse : les cyberattaques font grimper des valeurs en bourse | Malware |
To see everything:
Our RSS (filtrered)
