What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
InfoSecurityMag.webp 2022-10-25 15:00:00 POS Malware Used to Steal Details of Over 167,000 Credit Cards (direct link) The operators could make over $3m if they decide to sell the card dumps on underground forums Malware
SecurityAffairs.webp 2022-10-25 14:59:22 Two PoS Malware used to steal data from more than 167,000 credit cards (direct link) Researchers reported that threat actors used 2 PoS malware variants to steal information about more than 167,000 credit cards. Cybersecurity firm Group-IB discovered two PoS malware strains used to steal data associated with more than 167,000 credit cards from point-of-sale payment terminals. On April 19, 2022, Group-IB researchers identified the C2 server of the POS malware called MajikPOS. […] Malware Threat
no_ico.webp 2022-10-25 14:12:28 (Déjà vu) Thousands Of Fake PoC Exploits In GitHub Repositories Deliver Malware – Expert Comments (direct link) A technical paper from the researchers at Leiden Institute of Advanced Computer Science details how researchers discovered thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them including malware. In an inspection of 47,313 downloaded and checked repositories, fully 10.3% (4,893) were found to “have symptoms of malicious intent.” This number […] Malware
no_ico.webp 2022-10-25 13:40:13 Payment Card Attack Could Be Worth $3.3M (direct link) It has been reported that a PoS payment card attack involving a pair of malware variants was used to steal more than 167,000 payment records from 212 infected devices, mostly in the U.S. Full story: Researchers uncover more than 167,000 stolen credit card numbers, primarily from the U.S. – CyberScoop Malware
no_ico.webp 2022-10-25 13:28:52 Typosquat Campaign Mimics 27 Brands To Push Windows, Android Malware (direct link) It has been reported that a typosquatting campaign mimics 27 brands to push Windows and Android malware. Full story: Typosquat campaign mimics 27 brands to push Windows, Android malware (bleepingcomputer.com) Malware
ProofPoint.webp 2022-10-25 13:27:54 Massive Typosquatting Racket Pushes Malware at Windows, Android Users (direct link) No further details Malware
Blog.webp 2022-10-25 01:04:42 Amadey Bot Disguised as a Famous Korean Messenger Program Being Distributed (direct link) On October 17th, 2022, the Korean Internet & Security Agency (KISA) published a security notice titled “Advising Caution on Cyber Attacks Exploiting the Kakao Service Malfunction Issue”, and according to the notice, malware disguised as a KakaoTalk installation file (KakaoTalkUpdate.zip etc.) is being distributed via email. The ASEC analysis team was able to secure a file that seems to be of this type while monitoring relevant samples. This malware has the same filename and icon as the actual messenger program,... Malware
Blog.webp 2022-10-25 00:52:47 (Déjà vu) ASEC Weekly Malware Statistics (October 10th, 2022 – October 16th, 2022) (direct link) The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 10th, 2022 (Monday) to October 16th, 2022 (Sunday). For the main category, downloader ranked top with 44.4%, followed by info-stealer with 41.7%, backdoor with 12.5%, ransomware with 0.9%, and CoinMiner with 0.5%. Top1. SmokeLoader Smokeloader is infostealer / downloader malware that is distributed via exploit kits. This week, it ranked first place... Ransomware Malware
News.webp 2022-10-24 22:11:11 Payment terminal malware steals $3.3m worth of credit card numbers – so far (direct link) With shops leaving VNC and RDP open, quelle surprise. Cybercriminals have used two strains of point-of-sale (POS) malware to steal the details of more than 167,000 credit cards from payment terminals. If sold on underground forums, the haul could net the thieves upwards of $3.3 million.… Malware
InfoSecurityMag.webp 2022-10-24 16:00:00 Multiple RCE Vulnerabilities Discovered in Veeam Backup & Replication App (direct link) The Veeamp malware was used by the Monti and Yanluowang ransomware groups in these attacks Ransomware Malware ★★
itsecurityguru.webp 2022-10-24 14:45:43 Android-Clicker Malware Garners Reaches 20 Million Downloads (direct link) Earlier today, a so-called “clicker” malware designed to facilitate ad fraud was found in 16 mobile apps on the Google Play store, according to McAfee. Once notified by the security vendor, Google removed the offending apps, which are estimated to have garnered as many as 20 million downloads. Having been detected as Android/Clicker, […] Malware
The_Hackers_News.webp 2022-10-24 11:55:00 SideWinder APT Using New WarHawk Backdoor to Target Entities in Pakistan (direct link) SideWinder, a prolific nation-state actor mainly known for targeting Pakistan military entities, compromised the official website of the National Electric Power Regulatory Authority (NEPRA) to deliver a tailored malware called WarHawk. "The newly discovered WarHawk backdoor contains various malicious modules that deliver Cobalt Strike, incorporating new TTPs such as KernelCallBackTable injection Malware APT-C-17
CS.webp 2022-10-24 11:00:00 Researchers uncover more than 167,000 stolen credit card numbers, primarily from the U.S. (direct link) Using two malware variants, unknown operators managed to compile stolen card data potentially worth more than $3 million, researchers said. Malware ★★
InfoSecurityMag.webp 2022-10-24 09:30:00 Clicker Malware Garners Estimated 20 Million Downloads (direct link) Google forced to remove over a dozen malicious apps Malware
SANS.webp 2022-10-24 07:12:13 C2 Communications Through outlook.com, (Mon, Oct 24th) (direct link) Most malware implements communication with its C2 server over HTTP(S). Why? Just because it works! But there are multiple ways to implement C2 communications: DNS, P2P, Layer 7 (Twitter), ... Another one that has become less popular with time is SMTP (email communications). I spotted a malicious Python script that exchanges information with its C2 server through emails. Malware
bleepingcomputer.webp 2022-10-23 11:15:19 Thousands of GitHub repositories deliver fake PoC exploits with malware (direct link) Researchers at the Leiden Institute of Advanced Computer Science found thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them including malware. [...] Malware
bleepingcomputer.webp 2022-10-23 10:17:34 Typosquat campaign mimics 27 brands to push Windows, Android malware (direct link) A massive, malicious campaign is underway using over 200 typosquatting domains that impersonate twenty-seven brands to trick visitors into downloading various Windows and Android malware. [...] Malware
TroyHunt.webp 2022-10-21 22:31:58 VMware bug with 9.8 severity rating exploited to install witch's brew of malware (direct link) If you haven't patched CVE-2022-22954 yet, now would be an excellent time to do so. Malware
The_Hackers_News.webp 2022-10-21 22:17:00 Emotet Botnet Distributing Self-Unlocking Password-Protected RAR Files to Drop Malware (direct link) The notorious Emotet botnet has been linked to a new wave of malspam campaigns that take advantage of password-protected archive files to drop CoinMiner and Quasar RAT on compromised systems. In an attack chain detected by Trustwave SpiderLabs researchers, an invoice-themed ZIP file lure was found to contain a nested self-extracting (SFX) archive, the first archive acting as a conduit to launch Malware
ESET.webp 2022-10-21 13:15:23 APT‑C‑50 updates FurBall Android malware – Week in security with Tony Anscombe (direct link) ESET Research spots a new version of Android malware known as FurBall that APT-C-50 is using in its wider Domestic Kitten campaign Malware
itsecurityguru.webp 2022-10-21 11:00:36 OldGremlin Ransomware Fierce Comeback Against Russian Targets (direct link) Earlier today, a ransomware group which unusually targets Russian organizations has upped its efforts this year, demanding larger ransoms from its victims and developing new malware for Linux, according to Group-IB. Yesterday, the security vendor released what it claimed was the first comprehensive report on the group known as “OldGremlin,” which was first spotted in 2020. […] Ransomware Malware
SecurityWeek.webp 2022-10-21 10:28:32 CISA Tells Organizations to Patch Linux Kernel Vulnerability Exploited by Malware (direct link) The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a Linux kernel flaw to its Known Exploited Vulnerabilities Catalog and instructed federal agencies to address it within three weeks. Malware Vulnerability
News.webp 2022-10-21 10:28:06 Good news, URSNIF no longer a banking trojan. Bad news, it's now a backdoor (direct link) And one designed to slip ransomware and data-stealing code onto infected machines. URSNIF, the malware also known as Gozi that attempts to steal online banking credentials from victims' Windows PCs, is evolving to support extortionware.… Ransomware Malware
AlienVault.webp 2022-10-21 10:00:00 Do the recent DDoS attacks signal future web application risks? (direct link) Multiple reports in the media, including in Bloomberg US Edition, allege that Russian-associated cybercrime group Killnet is responsible for a series of distributed-denial-of-service (DDoS) attacks during the week of October 6 that took several state government and other websites offline. While most of the websites were restored within 48 hours, these volumetric attacks can leave even the most secure sites paralyzed and susceptible to further damage. AT&T Alien Labs, the threat intelligence arm of AT&T Cybersecurity, suggests politically motivated cyber strikes such as the ones that hit web sites in October are nothing new. Killnet has a long history of successfully attacking both public and private organizations and businesses. Research Killnet on the Alien Labs Open Threat Exchange (OTX), among the largest open threat intelligence sharing communities in the world. Figure 1: OTX pulse on Killnet. “We have been following Killnet for years and have seen a marked increase in activity in the last few weeks. Their attacks, however, appear to be opportunistic DDoS campaigns aimed at attracting media coverage,” says Research Director Santiago Cortes Diaz. “Their efforts seem to be coordinated with the Russian government as part of their FUD (fear, uncertainty and doubt) campaign around the geopolitical conflict.” Aside from a temporary takedown that can disrupt operations, there is also a reputational cost to DDoS attacks. Moves against government websites potentially aim to destroy faith among voters that U.S. elections are a secure and insulated process. And, though the election process is mostly separated from the Internet, consecutive attacks of this nature could also negatively impact confidence in the United States’ digital defenses.
DDoS attacks, though typically short-lived, succeed in getting the public’s attention by causing a digital flood of requests against websites that otherwise see a regular flow of traffic. A botnet, a group of machines infected with malware and controlled as a malicious group, generates bogus requests and junk directed at the target while hiding within a site’s usual traffic patterns. DDoS attacks are not to be underestimated. They will likely continue to proliferate as hackers acquire access to more botnets and resources allowing them to commit larger attacks — and the resources will come with the next era of computing. As organizations continue to deploy edge applications and take advantage of 5G, the threat of DDoS attacks is potentially compounded. To this point, in a survey of 1,500 global respondents for the AT&T Cybersecurity Insights Report: 5G and the Journey to the Edge, 83% believe attacks on web-based applications will present a big security challenge. Why? Because along with the improvements in speed, capacity, and latency of 5G and edge computing, there is also going to be an explosion in connected devices. For example, in the same Insights Report, the top three use cases expected to be in production within three years for edge computing include: industrial IoT or OT, enterprise IoT, and industry-oriented consumer IoT functions — all of which are driven by applications that can be connected to the internet. This increase in devices and network quality as well as explosion in appli Malware Threat
globalsecuritymag.webp 2022-10-21 09:32:50 ESET discovers a new version of spyware targeting Iranian citizens, Furball, hidden in a translation app (direct link) ESET discovers a new version of spyware targeting Iranian citizens, Furball, hidden in a translation app • ESET researchers recently identified a new version of the FurBall Android malware used in a "Domestic Kitten" campaign. • The campaign dates back to at least 2016 and is still active. • It mainly targets Iranian citizens. • We discovered a new obfuscated Furball sample for Android • This sample is distributed from a fake website • The analyzed sample has restricted spying functionality in an attempt to evade detection - Malwares Malware
SecurityAffairs.webp 2022-10-21 07:50:12 News URSNIF variant doesn't support banking features (direct link) A new variant of the popular Ursnif malware is used as a backdoor to deliver next-stage payloads and steal sensitive data. Mandiant researchers warn of a significant shift from Ursnif's original purpose: the malware initially used in banking fraud is now used to deliver next-stage payloads and steal sensitive data. The new variant, first observed […] Malware
Blog.webp 2022-10-21 03:56:17 GuLoader Malware Disguised as a Word File Being Distributed in Korea (direct link) The ASEC analysis team has discovered that the GuLoader malware is being distributed to Korean corporate users. GuLoader is a downloader that has been steadily distributed for a long time, downloading various malware. The phishing mail being distributed is as follows, and has an HTML file attached. When the user opens the attached HTML file, a compressed file is downloaded from the URL below. The compressed file contains an IMG file and the GuLoader malware is inside this IMG file. GuLoader... Malware
Blog.webp 2022-10-21 02:30:43 Attackers Abusing Various Remote Control Tools (direct link) Overview Ordinarily, attackers install malware through various methods such as spear phishing emails with a malicious attachment, malvertising, vulnerabilities, and disguising the malware as normal software and uploading it to websites. The malware that is installed includes infostealers which steal information from the infected system, ransomware which encrypts files to demand ransom, and DDoS bots which are used in DDoS attacks. In addition to these, backdoors and RATs are also major malware programs used by attackers. Backdoor malware is installed... Ransomware Malware
SANS.webp 2022-10-21 00:03:49 sczriptzzbn inject pushes malware for NetSupport RAT, (Fri, Oct 21st) (direct link) Introduction Malware
Fortinet.webp 2022-10-20 20:23:00 Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability (direct link) In April, VMware patched a vulnerability, CVE-2022-22954, which allows server-side template injection. Read our blog to learn more about how malware is attempting to leverage the vulnerability and the behavior after exploitation in more detail. Malware Vulnerability
The_Hackers_News.webp 2022-10-20 17:03:00 Hackers Using New Version of FurBall Android Malware to Spy on Iranian Citizens (direct link) The Iranian threat actor known as Domestic Kitten has been attributed to a new mobile campaign that masquerades as a translation app to distribute an updated variant of an Android malware known as FurBall. "Since June 2021, it has been distributed as a translation app via a copycat of an Iranian website that provides translated articles, journals, and books," ESET researcher Lukas Stefanko said Malware Threat
bleepingcomputer.webp 2022-10-20 16:00:37 Ursnif malware switches from bank account theft to initial access (direct link) A new version of the Ursnif malware (a.k.a. Gozi) emerged as a generic backdoor, stripped of its typical banking trojan functionality. [...] Malware
RedCanary.webp 2022-10-20 15:44:24 Intelligence Insights: October 2022 (direct link) AdSearch ghosts, Qbot returns with new tricks, and PureCrypter loads malware treats. All this and more in this month's Intelligence Insights. Malware ★★★
The_Hackers_News.webp 2022-10-20 14:34:00 These 16 Clicker Malware Infected Android Apps Were Downloaded Over 20 Million Times (direct link) As many as 16 malicious apps with over 20 million cumulative downloads have been taken down from the Google Play Store after they were caught committing mobile ad fraud. The Clicker malware masqueraded as seemingly harmless utilities like cameras, currency/unit converters, QR code readers, note-taking apps, and dictionaries, among others, in a bid to trick users into downloading them, Malware
The_Hackers_News.webp 2022-10-20 14:09:00 New Ursnif Variant Likely Shifting Focus to Ransomware and Data Theft (direct link) The Ursnif malware has become the latest malware to shed its roots as a banking trojan and revamp itself into a generic backdoor capable of delivering next-stage payloads, joining the likes of Emotet, Qakbot, and TrickBot. "This is a significant shift from the malware's original purpose to enable banking fraud, but is consistent with the broader threat landscape," Mandiant researchers Sandor Ransomware Malware Threat
Anomali.webp 2022-10-20 13:36:00 Threat Hunting: Eight Tactics to Accelerating Threat Hunting (direct link) One of the more significant headaches in cyber security is the overuse of buzzwords and acronyms and the overlapping mutations of what they mean. Cyber threat hunting has become one of those phrases, but it has gained clarity over the last few years as organizations strived to become more proactive. So what is threat hunting? Depending on who you ask, you may get somewhat different answers to the same question. Cyber threat hunting is a proactive approach to detecting suspicious activity from known or unknown, remediated, or unaddressed cyber threats within an organization’s networks. It involves finding malware such as viruses, Trojans, adware, spyware, ransomware, worms, bots, and botnets. The goal is for security analysts to find these threats before they cause damage to systems and data. It’s similar to how fire departments respond to fires; they go into buildings to ensure there are no additional problems before calling the firefighters. There is a vast collection of tools, skill sets, approaches, and processes to help identify advanced threats that could happen within the network. What is an effective hunting process for one organization may be a waste of time for another, depending on each company’s understanding of what threats they might face. Man-hours spent hunting are typically most beneficial for large organizations targeted by the cybercriminal community regularly, but that’s not to say that small/medium-sized enterprises can’t benefit from regular hunts and identify threats by doing the same. Structured Threat Hunting The structured hunt is based on indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). IOCs provide information about potential adversaries, such as IP addresses, domain names, operating system versions, etc. TTPs describe how attackers operate and what tools they use.
Combining IOCs and TTPs makes it possible to build a picture of the adversary. This approach allows us to detect threats earlier and prevent attacks. In addition, we can quickly identify the threat actors because each activity is described in detail. Unstructured Threat Hunting The concept of unstructured hunting is relatively new. It wasn’t until 2013 that we began seeing the emergence of unstructured hunters. Unstructured hunting is a method of finding malicious software (malware), such as viruses, Trojans, worms, etc., without knowing exactly what type of malware you are looking for. Instead, the hunter relies on behavioral analysis to find these threats. In short, unstructured hunting is investigative work where a cyber threat hunter observes behavior and looks for anomalies. For example, if someone sends out spam emails, a system administrator might notice unusual activity on his network and investigate further. If he finds something suspicious, he could take action immediately or wait a few days to see if the same email addresses start sending again. Traditional Threat Hunting Traditional threat hunting can be defined as a focused and intensive human/machine-assisted process aimed at identifying the possibility of something malicious happening within the network, or likely about to happen; this is based on abnormal network behavior, artifacts, or identification via active threat research. A good example of this would be: A large bank has team members part of whose job is to consume threat reports related to activity targeting their vertical and other companies that match their enterprise profile. A new threat report is published by an intel provider describing a new variant of malware that has been catastrophic at similar organizations.
This report would ideally contain information around the process tree, registry keys, etc., to help the cyber threat hunters not just hunt for detection of the associated IOCs but dig deeper to identify patterns that match the behavior of the malware across the network, like abnormal PowerShell executio Spam Malware Tool Vulnerability Threat
bleepingcomputer.webp 2022-10-20 11:03:41 OldGremlin hackers use Linux ransomware to attack Russian orgs (direct link) OldGremlin, one of the few ransomware groups attacking Russian corporate networks, has expanded its toolkit with file-encrypting malware for Linux machines. [...] Ransomware Malware
Checkpoint.webp 2022-10-20 09:58:54 Check Point Research analyzes the newly emerged Black Basta Ransomware, alerts organizations to adopt prevention best practices (direct link) Highlights: Check Point Research (CPR) puts a special spotlight on how the Black Basta gang delivers malware to its victims and provides best practices to lower the risk of being victimized. CPR details the evasion and anti-analysis techniques of this ransomware, which were found to prevent security protections from detecting this malware. Check Point Research provides links… Malware
ESET.webp 2022-10-20 09:30:02 Domestic Kitten campaign spying on Iranian citizens with new FurBall malware (direct link) APT-C-50's Domestic Kitten campaign continues, targeting Iranian citizens with a new version of the FurBall malware masquerading as an Android translation app Malware
CSO.webp 2022-10-20 06:00:00 Attackers switch to self-extracting password-protected archives to distribute email malware (direct link) Distributing malware inside password-protected archives has long been one of the main techniques used by attackers to bypass email security filters. More recently, researchers have spotted a variation that uses nested self-extracting archives that no longer require victims to input the password. “This is significant because one of the most difficult obstacles threat actors face when conducting this type of spam campaign is to convince the target to open the archive using the provided password,” researchers from Trustwave SpiderLabs said in a new report. Spam Malware Threat
The_Hackers_News.webp 2022-10-19 18:03:00 Chinese Hackers Targeting Online Casinos with GamePlayerFramework Malware (direct link) An advanced persistent threat (APT) group of Chinese origin codenamed DiceyF has been linked to a string of attacks aimed at online casinos in Southeast Asia for years. Russian cybersecurity company Kaspersky said the activity aligns with another set of intrusions attributed to Earth Berberoka (aka GamblingPuppet) and DRBControl, citing tactical and targeting similarities as well as the abuse of Malware Threat
globalsecuritymag.webp 2022-10-19 15:57:23 Mandiant Research: Why this new backdoor could be decisive (direct link) Mandiant researchers have discovered that one of the oldest and most successful banking fraud malware families, URSNIF (aka Gozi), which has caused losses estimated at "tens of millions of dollars", has been turned into a generic backdoor, dubbed "LDR4". Although there have been a multitude of URSNIF variants, until now it had been banking malware. LDR4 was discovered by Mandiant and is suspected of having been created by the same hackers as those who (...) - Malwares Malware
globalsecuritymag.webp 2022-10-19 08:39:21 Check Point Top Malware ranking for September 2022: Vidar takes the lead in France (direct link) Check Point Top Malware ranking for September 2022: Vidar takes the lead in France. According to Check Point Research, the Vidar infostealer entered the list of the ten most widespread malware families after a fake Zoom campaign. Cyberattacks in Eastern European countries have increased dramatically, and the research and education sector is the most affected worldwide. - Malwares Malware
Darktrace.webp 2022-10-19 00:00:00 Growing your onion: AutoIt malware in the Darktrace kill chain (direct link) AutoIt is a scripting language designed for general purpose development. However, like many freeware languages, it has been exploited for malicious intent. Recently Darktrace captured the whole kill chain of an AutoIt malware compromise, from delivery via email to payload download and subsequent C2. Malware
Blog.webp 2022-10-18 23:44:15 (Déjà vu) ASEC Weekly Malware Statistics (October 3rd, 2022 – October 9th, 2022) (direct link) The ASEC analysis team is using the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from October 3rd, 2022 (Monday) to October 9th, 2022 (Sunday). For the main category, downloader ranked top with 45.0%, followed by info-stealer with 39.6%, backdoor with 14.6%, ransomware with 0.4%, and CoinMiner with 0.4%. Top1. SmokeLoader Smokeloader is infostealer / downloader malware that is distributed via exploit kits. This week, it ranked first place... Ransomware Malware
The_Hackers_News.webp 2022-10-18 15:41:00 Chinese 'Spyder Loader' Malware Spotted Targeting Organizations in Hong Kong (direct link) The China-aligned espionage-focused actor dubbed Winnti has set its sights on government organizations in Hong Kong as part of an ongoing campaign dubbed Operation CuckooBees. Active since at least 2007, Winnti (aka APT41, Barium, Bronze Atlas, and Wicked Panda) is the name designated to a prolific cyber threat group that carries out Chinese state-sponsored espionage activity, predominantly Malware Threat Guideline APT 41
InfoSecurityMag.webp 2022-10-18 15:00:00 Spyder Loader Malware Deployed Against Hong Kong Organizations (direct link) The attackers reportedly remained active on some networks for more than a year Malware
Anomali.webp 2022-10-18 15:00:00 Anomali Cyber Watch: Ransom Cartel Uses DPAPI Dumping, Unknown China-Sponsored Group Targeted Telecommunications, Alchimist C2 Framework Targets Multiple Operating Systems, and More (direct link) The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, Hacktivism, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Ransom Cartel Ransomware: A Possible Connection With REvil (published: October 14, 2022) Palo Alto Networks researchers analyzed Ransom Cartel, a double extortion ransomware-as-a-service group. Ransom Cartel came into existence in mid-December 2021 after the REvil group shut down. The Ransom Cartel group uses the Ransom Cartel ransomware, which shares significant code similarities with REvil, indicating close connections, but lacks REvil's obfuscation engine capabilities. Ransom Cartel has almost no obfuscation outside of the configuration: unlike REvil, it does not use string encryption and API hashing. Among the multiple tools utilized by Ransom Cartel, the DonPAPI credential dumper is unique to this group. It performs Windows Data Protection API (DPAPI) dumping by targeting DPAPI-protected credentials such as credentials saved in web browsers, RDP passwords, and Wi-Fi keys. Analyst Comment: Network defenders should consider monitoring or blocking high-risk connections such as TOR traffic, which is often abused by Ransom Cartel and its affiliates. It is crucial that your company ensure that servers are always running the most current software version.
Your company should have policies in place regarding the proper configurations needed for your servers in order to conduct your business safely. MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Software Deployment Tools - T1072 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Boot or Logon Autostart Execution - T1547 | [MITRE ATT&CK] BITS Jobs - T1197 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] File and Directory Permissions Modification - T1222 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Indicator Removal on Host - Ransomware Malware Tool Threat APT 27
CSO.webp 2022-10-18 09:47:00 BrandPost: Why Unified Platforms Are the Future of Network Security (direct link) Today's complex cybersecurity landscape regularly exposes the weaknesses of disconnected security solutions. In breach after breach, we see attackers taking advantage of gaps and vulnerabilities in legacy systems and devices, underscoring the reality that a pieced-together security infrastructure is woefully inadequate for stopping modern, sophisticated threats. The lack of visibility and fragmented oversight across poorly integrated systems limits insights and compromises security across all environments. With network attacks booming, endpoints under duress from ransomware, and massive amounts of malware hiding in encrypted traffic, it's never been more important to centralize and unify the security of network environments, users, and devices. Malware
News.webp 2022-10-18 07:31:14 Imagine surviving a wiper attack only for ransomware to scramble your restored files (direct link) Then again, imagine being invaded by Russia. Organizations hit earlier by the HermeticWiper malware have reportedly been menaced by ransomware unleashed this month against transportation and logistics industries in Ukraine and Poland.… Ransomware Malware
Last update at: 2024-07-15 23:08:45