What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2022-11-29 17:00:00 | PII May Have Been Stolen in Virginia County Ransomware Attack (lien direct) | A W-2 form was reportedly published on a dark web forum with stolen, sensitive data | Ransomware | ★★★ | |
 |
2022-11-29 16:00:00 | Anomali Cyber Watch: Caller-ID Spoofing Actors Arrested, Fast-Moving Qakbot Infection Deploys Black Basta Ransomware, New YARA Rules to Detect Cobalt Strike, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Caller-ID spoofing, False-flag, Phishing, Ransomware, Russia, the UK, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Voice-Scamming Site “iSpoof” Seized, 100s Arrested in Massive Crackdown
(published: November 25, 2022)
iSpoof was a threat group offering spoofing for caller phone numbers (also known as Caller ID, Calling Line Identification). iSpoof core group operated out of the UK with presence in other countries. In the 12 months until August 2022 around 10 million fraudulent calls were made globally via iSpoof. On November 24, 2022, Europol announced a joint operation involving Australia, Canada, France, Germany, Ireland, Lithuania, Netherlands, Ukraine, the UK, and the USA, that led to the arrest of 142 suspects and seizure of iSpoof websites.
Analyst Comment: Threat actors can spoof Caller ID (Calling Line Identification) similar to spoofing the “From:” header in an email. If contacted by an organization you should not confirm any details about yourself, take the caller’s details, disconnect and initiate a call back to the organization yourself using a trusted number. Legitimate organizations understand scams and fraud and do not engage in unsolicited calling.
Tags: iSpoof, Teejai Fletcher, United Kingdom, source-country:UK, Caller ID, Calling Line Identification, Voice-scamming, Social engineering
New Ransomware Attacks in Ukraine Linked to Russian Sandworm Hackers
(published: November 25, 2022)
On November 21, 2022, multiple organizations in Ukraine were targeted with new ransomware written in .NET. It was dubbed RansomBoggs by ESET researchers who attributed it to the Russia-sponsored Sandworm Team (aka Iridium, BlackEnergy). Sandworm distributed RansomBoggs from the domain controller using the same PowerShell script (PowerGap) that was seen in its previous attacks. RansomBoggs encrypts files using AES-256 in CBC mode using a randomly generated key. The key is RSA encrypted prior to storage and the encrypted files are appended with a .chsch extension.
Analyst Comment: Ransomware remains one of the most dangerous types of malware threats and even some government-sponsored groups are using it. Sandworm is a very competent actor group specializing in these forms of attack. Organizations with exposure to the military conflict in Ukraine, or considered by the Russian state to be providing support relating to the conflict, should prepare offline backups to minimize the effects of a potential data-availability-denial attack.
MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Obfuscated Files or Information - T1027
Tags: detection:RansomBoggs, detection:Filecoder.Sullivan, malware-type:Ransomware, AES-256, PowerShell, detection:PowerGap, mitre-group:Sandworm Team, actor:Iridium, Russia |
Ransomware Malware Tool Threat Guideline | ★★★★ | |
 |
2022-11-29 13:32:35 | Ransomware Gang Takes Credit for Maple Leaf Foods Hack (lien direct) | The Black Basta ransomware group has taken credit for the recently disclosed attack on Canadian meat giant Maple Leaf Foods. The cybercriminals have made public several screenshots of technical documents, financial information and other corporate files to demonstrate that they gained access to Maple Leaf Foods systems. | Ransomware Hack | ★★★ | |
 |
2022-11-29 09:24:02 | Les prévisions de Tenable pour 2023 (lien direct) | Tenable présente ses prévisions pour l'année 2023. Entre désamour des ransomware au profit de l'extorsion pure et simple à la compromission programmée d'un acteur majeur du SaaS en passant par des investissements accrus dans l'OT, les dirigeants de Tenable anticipe une fois de plus une années mouvementée en matière de cybersécurité. - Points de Vue | Ransomware | ★★ | |
 |
2022-11-29 08:30:15 | Sandworm gang launches Monster ransomware attacks on Ukraine (lien direct) | The RansomBoggs campaign is the Russia-linked group's latest assault on the smaller country The Russian criminal crew Sandworm is launching another attack against organizations in Ukraine, using a ransomware that analysts at Slovakian software company ESET are calling RansomBoggs.… | Ransomware | ★★ | |
 |
2022-11-28 23:05:26 | Les pirates du Département des Alpes-Maritimes diffusent 20% des données volées (lien direct) | Les pirates du groupe Play Ransomware donnent 5 jours au Département des Alpes-Maritimes pour payer la rançon réclamée sous peine de diffuser 290gb de fichiers voler. Les hackers malveillants ont déjà diffusé des milliers de fichiers exfiltrés. Même sanction pour deux filiales IKEA.... | Ransomware | ★★ | |
|
2022-11-28 17:45:52 | Virginia County Confirms Personal Information Stolen in Ransomware Attack (lien direct) | Southampton County in Virginia last week started informing individuals that their personal information might have been compromised in a ransomware attack. The incident was identified in September, when a threat actor accessed a server at Southampton and encrypted the data that was stored on it. | Ransomware Threat | ★★★ | |
 |
2022-11-28 15:23:40 | RansomBoggs: New ransomware targeting Ukraine (lien direct) | >ESET researchers spot a new ransomware campaign that goes after Ukrainian organizations and has Sandworm's fingerprints all over it | Ransomware | ★★ | |
 |
2022-11-28 14:00:00 | Worms of Wisdom: How WannaCry Shapes Cybersecurity Today (lien direct) | >WannaCry wasn’t a particularly complex or innovative ransomware attack. What made it unique, however, was its rapid spread. Using the EternalBlue exploit, malware could quickly move from device to device, leveraging a flaw in the Microsoft Windows Server Message Block (SMB) protocol. As a result, when the WannaCry “ransomworm” hit networks in 2017, it expanded […] | Ransomware Malware | Wannacry Wannacry | ★★ |
|
2022-11-28 10:45:00 | Belgian Police Under Fire After Major Ransomware Leak (lien direct) | Crime reports dating back 15 years are made public | Ransomware | ★★ | |
|
2022-11-28 10:10:00 | Russian Sandworm Hackers Linked to New Ransomware Blitz (lien direct) | Ukrainian targets are on the receiving end of RansomBoggs variant | Ransomware | ★★ | |
 |
2022-11-28 08:25:04 | RansomBoggs Ransomware hit several Ukrainian entities, experts attribute it to Russia (lien direct) | >Several Ukrainian organizations were hit by Russia-based RansomBoggs Ransomware in the last week, ESET reports. Researchers from ESET observed multiple attacks involving a new family of ransomware, tracked as RansomBoggs ransomware, against Ukrainian organizations. The security firm first detected the attacks on November 21 and immediately alerted the CERT US. The ransomware is written in […] | Ransomware | ★★ | |
 |
2022-11-28 05:52:14 | LockBit Ransomware Being Mass-distributed With Similar Filenames (lien direct) | The ASEC analysis team had written about LockBit ransomware being distributed through emails over three blog posts. Through consistent monitoring, we hereby let you know that LockBit 2.0 and LockBit 3.0 are being distributed again with only a change to their filenames. Unlike the previous cases introduced in the blog where Word files or copyright claim emails were used, the recent versions are being distributed through phishing mails disguised as job applications. LockBit Ransomware Being Distributed Using Resume and Copyright-related... | Ransomware | ★★ | |
 |
2022-11-28 02:00:00 | Here is why you should have Cobalt Strike detection in place (lien direct) | Google recently released a list of YARA detection rules for malicious variants of the legitimate Cobalt Strike penetration testing framework that are being used by hackers in the wild. Cobalt Strike is a commercial attack framework designed for red teams that has also been adopted by many threat actors, from APT groups to ransomware gangs and other cybercriminals.Living off the land is a common tactic The abuse by attackers of system administration, forensic, or security tools that are either already installed on systems or can be easily deployed without raising suspicion has become extremely common. The use of this tactic, known as living off the land (LOTL), used to be a telltale sign of sophisticated cyberespionage groups who moved laterally through environments using manual hacking and placed great value on stealth.To read this article in full, please click here | Ransomware Threat | ★★★★ | |
 |
2022-11-26 09:58:00 | Russia-based RansomBoggs Ransomware Targeted Several Ukrainian Organizations (lien direct) | Ukraine has come under a fresh onslaught of ransomware attacks that mirror previous intrusions attributed to the Russia-based Sandworm nation-state group. Slovak cybersecurity company ESET, which dubbed the new ransomware strain RansomBoggs, said the attacks against several Ukrainian entities were first detected on November 21, 2022. "While the malware written in .NET is new, its deployment is | Ransomware Malware | ★★ | |
|
2022-11-25 18:54:40 | En pause dans le Darknet depuis juin 2022, les pirates de Play sortent de l\'ombre (lien direct) | Depuis juin 2022, les pirates de Play Ransomware se promenaient de groupes en groupes, passant de Hive à Lockbit ou encore Donuts. Depuis la mi novembre ils décident de faire cavaliers seuls et affichent déjà 22 victimes dont le Conseil Départemental des Alpes-Maritimes.... | Ransomware | ★★ | |
 |
2022-11-25 12:18:23 | Vice Society ransomware claims attack on Cincinnati State college (lien direct) | The Vice Society ransomware operation has claimed responsibility for a cyberattack on Cincinnati State Technical and Community College, with the threat actors now leaking data allegedly stolen during the attack. [...] | Ransomware Threat | ★★ | |
|
2022-11-25 00:51:25 | (Déjà vu) ASEC Weekly Malware Statistics (November 14th, 2022 – November 20th, 2022) (lien direct) | The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from November 14th, 2022 (Monday) to November 20th (Sunday). For the main category, downloader ranked top with 53.2%, followed by backdoor with 24.1%, Infostealer with 21.1%, ransomware with 1.0%, CoinMiner with 0.4%, and banking malware with 0.2%. Top 1 – BeamWinHTTP BeamWinHTTP is a downloader malware that ranked top with 30.5%. The malware is... | Ransomware Malware | ★★ | |
|
2022-11-25 00:06:13 | Wiki Ransomware Being Distributed in Korea (lien direct) | Through the AhnLab ASD infrastructure’s history of blocking suspicious ransomware behavior, the ASEC analysis team has identified the distribution of Wiki ransomware, which has been determined to be a variant of Crysis ransomware, disguised as a normal program. Before performing the actual encryption, Wiki ransomware copies itself into the %AppData% or %windir%\system32 paths and undergoes a process of increasing the infection success rate of the ransomware by adding itself to the registry (HKLM\Software\Microsoft\Windows\CurrentVersion\Run) to be registered as one of the... | Ransomware | ||
|
2022-11-24 23:58:36 | Koxic Ransomware Being Distributed in Korea (lien direct) | It has been discovered that Koxic ransomware is being distributed in Korea. It was first identified earlier this year, and recently, the team found that a file with a modified appearance and internal ransom note had been detected and blocked via the ASD infrastructure. When infected, the “.KOXIC_[random string]” extension is added to the names of the encrypted files, and a TXT file ransom note is generated in each directory. The filename of the ransom note is as follows. The... | Ransomware | ||
|
2022-11-24 21:19:37 | RansomExx Ransomware upgrades to Rust programming language (lien direct) | >RansomExx ransomware is the last ransomware in order of time to have a version totally written in the Rust programming language. The operators of the RansomExx ransomware (aka Defray777 and Ransom X) have developed a new variant of their malware, tracked as RansomExx2, that was ported into the Rust programming language. The move follows the […] | Ransomware | ||
|
2022-11-24 18:55:00 | New RansomExx Ransomware Variant Rewritten in the Rust Programming Language (lien direct) | The operators of the RansomExx ransomware have become the latest to develop a new variant fully rewritten in the Rust programming language, following other strains like BlackCat, Hive, and Luna. The latest version, dubbed RansomExx2 by the threat actor known as Hive0091 (aka DefrayX), is primarily designed to run on the Linux operating system, although it's expected that a Windows version will | Ransomware Threat | ||
 |
2022-11-24 14:24:10 | Windows Service Failure Recovery Easily Exploitable for Ransomware (lien direct) | >Windows Services are the OS mechanism used to initiate processes at system startup which provide services not tied to user interaction. Windows services consist of three components: a service application, a service control program (SCP), and the service control manager (SCM). Characteristics of a service application. Service applications consist of at least one […] | Ransomware | ★★ | |
|
2022-11-24 11:36:00 | Black Basta Ransomware Gang Actively Infiltrating U.S. Companies with Qakbot Malware (lien direct) | Companies based in the U.S. have been at the receiving end of an "aggressive" Qakbot malware campaign that leads to Black Basta ransomware infections on compromised networks. "In this latest campaign, the Black Basta ransomware gang is using QakBot malware to create an initial point of entry and move laterally within an organization's network," Cybereason researchers Joakim Kandefelt and | Ransomware Malware Guideline | ||
|
2022-11-24 09:59:26 | An aggressive malware campaign targets US-based companies with Qakbot to deliver Black Basta Ransomware (lien direct) | >Researchers warn of an ongoing aggressive Qakbot malware campaign that leads to Black Basta ransomware infections in the US. Experts at the Cybereason Global SOC (GSOC) team have observed a surge in Qakbot infections as part of an ongoing aggressive Qakbot malware campaign that leads to Black Basta ransomware infections in the US. In the last two […] | Ransomware Malware Guideline | ||
|
2022-11-24 09:10:50 | Le Veeam Ransomware Trends Report 2022 révèle que 23 % des entreprises seulement disposent de stratégies de préparation aux cyberattaques totalement unifiées (lien direct) | Le Veeam Ransomware Trends Report 2022 révèle que 23 % des entreprises seulement disposent de stratégies de préparation aux cyberattaques totalement unifiées La sauvegarde sécurisée étant la dernière ligne de défense contre les ransomwares, un alignement des équipes informatiques est nécessaire. - Investigations | Ransomware | ||
 |
2022-11-23 18:04:36 | Hive ransomware has extorted $100 million in 18 months, FBI warns (lien direct) | $100 million. That's the amount of money that the Hive ransomware is thought to have extorted from over 1300 companies around the world, according to a joint report from the FBI, CISA, and HHS. Read more in my article on the Hot for Security blog. | Ransomware | ||
|
2022-11-23 16:00:00 | Qakbot Infections Linked to Black Basta Ransomware Campaign (lien direct) | Threat actors obtained admin access in two hours and then deployed ransomware in under 12 hours | Ransomware Threat | ||
 |
2022-11-23 15:54:40 | Detecting Ransomware Using Machine Learning (lien direct) | >Co-authored by Yihua Liao, Ari Azarafrooz, and Yi Zhang Ransomware attacks are on the rise. Many organizations have fallen victim to ransomware attacks. While there are different forms of ransomware, it typically involves the attacker breaching an organization's network, encrypting a large amount of the organization's files, which usually contain sensitive information, exfiltrating the encrypted […] | Ransomware | ||
 |
2022-11-23 10:26:14 | (Déjà vu) AirAsia Data Breach (lien direct) | It has been reported that the cybercrime group called Daixin Team has leaked sample data belonging to AirAsia, a Malaysian low-cost airline, on its data leak portal. The development comes a little over a week after the company fell victim to a ransomware attack on November 11 and 12, per DataBreaches.net. | Ransomware Data Breach | ★★★ | |
 |
2022-11-23 10:14:00 | (Déjà vu) Ransomware Roundup: Cryptonite Ransomware (lien direct) | The latest FortiGuard Labs Threat Signal Ransomware Roundup covers the Cryptonite ransomware, along with protection recommendations. Read more. | Ransomware Threat | ||
 |
2022-11-23 05:01:00 | THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies (lien direct) |
The Cybereason Global SOC (GSOC) team is investigating Qakbot infections observed in customer environments related to a potentially widespread ransomware campaign run by Black Basta. The campaign is primarily targeting U.S.-based companies. |
Ransomware | ★★★ | |
|
2022-11-23 00:11:08 | For two years security experts kept secret that they were helping Zeppelin ransomware victims decrypt their files (lien direct) | Researchers at cybersecurity firm Unit 221B have revealed that they have been secretly helping victims of the Zeppelin ransomware decrypt their computer systems since 2020. | Ransomware | ★★★★ | |
 |
2022-11-23 00:00:00 | WannaRen Returns as Life Ransomware, Targets India (lien direct) | This blog entry looks at the characteristics of a new WannaRen ransomware variant, which we named Life ransomware after its encryption extension. | Ransomware | ||
|
2022-11-22 23:47:00 | Anomali Cyber Watch: URI Fragmentation Used to Stealthily Defraud Holiday Shoppers, Lazarus and BillBug Stick to Their Custom Backdoors, Z-Team Turned Ransomware into Wiper, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyberespionage, Phishing, Ransomware, Signed malware, and Wipers. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
DEV-0569 Finds New Ways to Deliver Royal Ransomware, Various Payloads
(published: November 17, 2022)
From August to October, 2022, Microsoft researchers detected new campaigns by a threat group dubbed DEV-0569. For delivery, the group alternated between delivering malicious links by abusing Google Ads for malvertising and by using contact forms on targeted organizations’ public websites. Fake installer files were hosted on typosquatted domains or legitimate repositories (GitHub, OneDrive). First stage was user-downloaded, signed MSI or VHD file (BatLoader malware), leading to second stage payloads such as BumbleBee, Gozi, Royal Ransomware, or Vidar Stealer.
Analyst Comment: DEV-0569 is a dangerous group for its abuse of legitimate services and legitimate certificates. Organizations should consider educating and limiting their users regarding software installation options. Links from alternative incoming messaging such as from contact forms should be treated as thorough as links from incoming email traffic.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: actor:DEV-0569, detection:Cobalt Strike, detection:Royal, malware-type:Ransomware, file-type:VHD, detection:NSudo, malware-type:Hacktool, detection:IcedID, Google Ads, Keitaro, Traffic distribution system, detection:Gozi, detection:BumbleBee, NirCmd, detection:BatLoader, malware-type:Loader, detection:Vidar, malware-type:Stealer, AnyDesk, GitHub, OneDrive, PowerShell, Phishing, SEO poisoning, TeamViewer, Adobe Flash Player, Zoom, Windows
Highly Sophisticated Phishing Scams Are Abusing Holiday Sentiment
(published: November 16, 2022)
From mid-September 2022, a new phishing campaign targets users in North America with holiday special pretenses. It impersonated a number of major brands including Costco, Delta Airlines, Dick's, and Sam's Club. Akamai researchers analyzed techniques that the underlying sophisticated phishing kit was using. For defense evasion and tracking, the attackers used URI fragmentation. They were placing target-specific tokens after the URL fragment identifier (a hash mark, aka HTML anchor). The value was used by a JavaScript code running on the victim’s browser to reconstruct the redirecting URL.
Analyst Comment: Evasion through URI fragmentation hides the token value from traff |
Ransomware Malware Tool Threat Guideline Medical | APT 38 | ★★★★ |
|
2022-11-22 17:00:00 | RansomExx Upgrades to Rust (lien direct) | >IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this […] | Ransomware Malware Threat | ★★★★ | |
|
2022-11-22 16:34:35 | Ouch! Ransomware gang says it won\'t attack AirAsia again due to the “chaotic organisation” and sloppy security of hacked company\'s network (lien direct) | The Daixin ransomware gang has given a humiliating slap in the face to Air Asia, which lost the personal data of five million passengers and all of its employees earlier this month. | Ransomware | ★★★★ | |
|
2022-11-22 16:00:00 | Firms Spend $1197 Per Employee Yearly to Address Cyber-Attacks (lien direct) | The data excludes compliance fines, ransomware costs and losses from non-operational processes | Ransomware | ★★★★ | |
|
2022-11-21 22:09:06 | Alert (AA22-321A): #StopRansomware: Hive Ransomware (lien direct) | FortiGuard Labs is aware of that the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) released a joint advisory for Hive ransomware as part of their #StopRansomware effort. Hive ransomware is a Ransomware-as-a-Service (RaaS) consisting of developers and affiliates. It attempts to steal data, encrypt files on victims' machines, and demand ransom recover affected files and prevent stolen data from being published to their data leak site, called "HiveLeaks," on the DarkWeb.Why is this Significant?This is significant because Hive is a Ransomware-as-a-Service (RaaS) that, according to the advisory, has victimized more than 1,300 enterprises globally and extorted 100 million US dollars. The group has been active since June 2021 and did not only target private enterprises but also essential industries such as government organizations and healthcare services. What is Hive Ransomware?Hive is a Ransomware-as-a-Service (RaaS) consisting of two groups: developers and affiliates. Hive developers create, maintain, and update Hive ransomware and infrastructures such date leak site named "HiveLeaks" and negotiant site. Hive affiliates are responsible for finding and infecting victims, exfiltrating files, and deploying Hive ransomware to the victims' network.The latest Hive ransomware iterations are written in the Rust programing language. Older variants are written in Go.Reported initial infection vectors include emails, exploiting vulnerabilities such as CVE-2020-12812, CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523.Hive ransomware encrypts files on victims' machines and typically appends a ".hive" file extension to the affected files. It also drops a ransom note named "HOW_TO_DECRYPT.txt", which instructs victims to visit a negotiation site on TOR.The advisory states that Hive ransomware is known to victimize organizations that were previously infected with Hive ransomware and recovered without paying ransom.What is the Status of Protection?FortiGuard Labs provides the following AV signatures for recent Hive ransomware samples that we collected:W32/Filecoder_Hive.A!tr.ransomW32/Filecoder_Hive.B!tr.ransomW32/Hive.4a4e!tr.ransomW32/Hive.B0FF!tr.ransomW32/Hive.d10e!tr.ransomW32/Hive.FD38!tr.ransomW64/Filecoder.AW!tr.ransomW64/Filecoder_Hive.A!tr.ransomW64/Filecoder_Hive.B!tr.ransomW64/Hive.31ec!tr.ransomW64/Hive.6bcb!tr.ransomW64/Hive.71de!tr.ransomW64/Hive.7cec!tr.ransomW64/Hive.933c!tr.ransomW64/Hive.A!trW64/Hive.B0FF!tr.ransomW64/Hive.c2e4!tr.ransomW64/Hive.e550!tr.ransomW64/Hive.ea51!tr.ransomW32/Filecoder.507F!tr.ransomW32/Agent.0b0f!tr.ransomW32/Agent.32a5!tr.ransomW32/Agent.65e3!tr.ransomW32/Agent.69ce!tr.ransomW32/Agent.6d49!tr.ransomW32/Agent.7c49!tr.ransomW64/Agent.U!trAll network IOCs on the advisory are blocked by Webfiltering.FortiGuard Labs provides the following IPS signatures for the vulnerabilities reportedly exploited as initial infection vector by Hive threat actors:MS.Exchange.MailboxExportRequest.Arbitrary.File.Write (CVE-2021-31207)MS.Exchange.Server.Autodiscover.Remote.Code.Execution (CVE-2021-34473)MS.Exchange.Server.Common.Access.Token.Privilege.Elevation (CVE-2021-34523) | Ransomware Threat | ★★★ | |
|
2022-11-21 20:46:00 | Daixin Ransomware Gang Steals 5 Million AirAsia Passengers\' and Employees\' Data (lien direct) | The cybercrime group called Daixin Team has leaked sample data belonging to AirAsia, a Malaysian low-cost airline, on its data leak portal. The development comes a little over a week after the company fell victim to a ransomware attack on November 11 and 12, per DataBreaches.net. The threat actors allegedly claim to have obtained the personal data associated with five million | Ransomware Threat | ★★★ | |
 |
2022-11-21 18:33:41 | 10 Million Health Records from Australian Insurer Medibank are Leaked After Refusing to Pay the Ransom (lien direct) |
|
Ransomware | ★★★ | |
|
2022-11-21 16:04:59 | (Déjà vu) New Ransomware Encrypts Files & Steals Your Discord Account (lien direct) | The new ‘AXLocker’ ransomware family is not only encrypting victims’ files and demanding a ransom payment but also stealing the Discord accounts of infected users. When a user logs into Discord with their credentials, the platform sends back a user authentication token saved on the computer. This token can then be used to log in […] | Ransomware | ||
|
2022-11-21 14:35:40 | Spate Of Ransomware Targeting Healthcare Cost $92 Billion In Downtime Since 2018, Experts Weigh In (lien direct) | The FBI has recently warned of a spate of cyberattacks and data extortion efforts by the Hive ransomware group, particularly focusing on the health and public health sectors. Hive actors have successfully exploited more than 1,300 companies globally, just this year, receiving approximately $100 million in ransom pay-out. Comparitech recently released some related research looking at […] | Ransomware | ★★★★ | |
 |
2022-11-21 12:08:58 | Breaking the Zeppelin Ransomware Encryption Scheme (lien direct) | Brian Krebs writes about how the Zeppelin ransomware encryption scheme was broken: The researchers said their break came when they understood that while Zeppelin used three different types of encryption keys to encrypt files, they could undo the whole scheme by factoring or computing just one of them: An ephemeral RSA-512 public key that is randomly generated on each machine it infects. “If we can recover the RSA-512 Public Key from the registry, we can crack it and get the 256-bit AES Key that encrypts the files!” they wrote. “The challenge was that they delete the [public key] once the files are fully encrypted. Memory analysis gave us about a 5-minute window after files were encrypted to retrieve this public key.”... | Ransomware | ||
|
2022-11-21 10:00:00 | New AXLocker Ransomware Steals Victims\' Discord Tokens (lien direct) | Researchers also discover two additional new variants | Ransomware | ||
|
2022-11-21 09:50:09 | Sophos 2023 Threat Report: Criminals “Follow the Money” by Commercializing Cybercrime, Launching More “Innovative” Ransomware Attacks and Doubling Down on Credential Theft (lien direct) | Sophos 2023 Threat Report: Criminals “Follow the Money” by Commercializing Cybercrime, Launching More “Innovative” Ransomware Attacks and Doubling Down on Credential Theft Ransomware Remains One of the Greatest Cybercrime Threats to Organizations - Special Reports | Ransomware Threat | ||
|
2022-11-21 08:31:12 | Octocrypt, Alice, and AXLocker Ransomware, new threats in the wild (lien direct) | >Experts from Cyble Research and Intelligence Labs (CRIL) discovered three new ransomware families: AXLocker, Octocrypt, and Alice Ransomware. Threat intelligence firm Cyble announced the discovery of three new ransomware families named AXLocker, Octocrypt, and Alice Ransomware. The AXLocker ransomware encrypts victims’ files and steals Discord tokens from the infected machine. The analysis of the code […] | Ransomware Threat | ||
|
2022-11-21 07:02:00 | Luna Moth callback phishing campaign leverages extortion without malware (lien direct) | Palo Alto's Unit 42 has investigated several incidents linked to the Luna Moth group callback phishing extortion campaign targeting businesses in multiple sectors, including legal and retail. The analysis discovered that the threat actors behind the campaign leverage extortion without malware-based encryption, have significantly invested in call centers and infrastructure unique to attack targets, and are evolving their tactics over time. Unit 42 stated that the campaign has cost victims hundreds of thousands of dollars and is expanding in scope.Luna Moth removes malware portion of phishing callback attack Callback phishing – or telephone-oriented attack delivery (TOAD) – is a social engineering attack that requires a threat actor to interact with the target to accomplish their objectives. It is more resource intensive but less complex than script-based attacks and it tends to have a much higher success rate, Unit 42 wrote in a blog posting. Actors linked to the Conti ransomware group had success with this type of attack with the BazarCall campaign, which focused on tricking victims into downloading the BazarLoader malware. This malware element is synonymous with traditional callback phishing attacks. Interestingly, in this campaign, Luna Moth does away with the malware portion of the attack, instead using legitimate and trusted systems management tools to interact directly with a victim's computer to manually exfiltrate data for extortion. “As these tools are not malicious, they're not likely to be flagged by traditional antivirus products,” the researchers wrote.To read this article in full, please click here | Ransomware Malware Threat | ||
|
2022-11-20 19:39:40 | PoC exploit code for ProxyNotShell Microsoft Exchange bugs released online (lien direct) | >Proof-of-concept exploit code for two actively exploited Microsoft Exchange ProxyNotShell flaws released online. Proof-of-concept exploit code has been released online for two actively exploited vulnerabilities in Microsoft Exchange, known as ProxyNotShell. The two flaws are: they impact Exchange Server 2013, 2016, and 2019, an authenticated attacker can trigger them to elevate privileges to run PowerShell […] | Ransomware | ★★★★ | |
|
2022-11-20 10:07:14 | (Déjà vu) New ransomware encrypts files, then steals your Discord account (lien direct) | The new 'AXLocker' ransomware family is not only encrypting victims' files and demanding a ransom payment but also stealing the Discord accounts of infected users. [...] | Ransomware |
To see everything:
Our RSS (filtrered)
