What's new around internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
globalsecuritymag.webp 2023-02-22 10:09:36 IBM report: Ransomware persists despite improved detection in 2022 (direct link) IBM announces the results of the 2023 edition of its annual X-Force Threat Intelligence Index report on the global threat landscape. Manufacturing is the sector that suffers the most extortion; email hijacking attempts are increasing; the time to a successful ransomware attack goes from several months to a few days - Malware Ransomware Threat
globalsecuritymag.webp 2023-02-22 10:08:17 HardBit ransomware wants to know insurance details to set a new ideal price (direct link) HardBit ransomware wants to know insurance details to set a new ideal price; Benoit Grunemwald, cybersecurity expert at ESET France, responds - Malware Ransomware
Blog.webp 2023-02-22 07:19:07 (Déjà vu) ASEC Weekly Malware Statistics (February 13th, 2023 – February 19th, 2023) (direct link) The AhnLab Security response Center (ASEC) analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from February 13th, 2023 (Monday) to February 19th, 2023 (Sunday). For the main category, backdoor ranked top with 50.8%, followed by downloader with 41.0%, Infostealer with 7.3%, ransomware with 0.8%, and CoinMiner with 0.2%. Top 1 – RedLine RedLine ranked first place with 49.4%. The malware steals various information such as... Ransomware Malware ★★
The_State_of_Security.webp 2023-02-22 05:46:58 HardBit ransomware tells corporate victims to share their cyber insurance details (direct link) A ransomware outfit is advising its victims to secretly tell them how much insurance they have, so their extortion demands will be met. As security researchers at Varonis describe, a new strain of the HardBit ransomware has taken the unusual step of asking targeted companies to spill the beans of whether they have cyber insurance (and the terms of that insurance) anonymously. According to a part of a message in the ransomware note dropped on computers after an attack, sharing insurance details benefits both the victim and the attackers. ...since the sneaky insurance agent purposely negotiates... Ransomware
RecordedFuture.webp 2023-02-21 19:19:19 LockBit gang takes credit for attack on water utility in Portugal (direct link) The LockBit ransomware group has taken credit for a cyberattack on Águas e Energia do Porto - the water utility for the city of Porto Ransomware ★★★
DarkReading.webp 2023-02-21 18:08:30 Israel's Top Tech University Targeted by DarkBit Ransomware (direct link) An Israeli university is being blackmailed by hackers. However, they aren't just after money but are looking to send a political message - and maybe something more. Ransomware ★★
globalsecuritymag.webp 2023-02-21 15:48:01 Ransomware report 2023: France ranks 5th worldwide for ransomware attacks (direct link) Ransomware report 2023: France ranks 5th worldwide for ransomware attacks. Insight from Outpost24 into the motivations behind the attacks and the various figures and trends. Key points of the report: ● France ranks 5th worldwide for ransomware attacks ● LockBit is the cybercriminal group that generates the most ransomware (worldwide and in France) ○ 34% of the attacks recorded during the year, with an average of about 67 attacks per month, for a total of just over 800 attacks ● 2363 companies were victims of data leaks by various ransomware groups in 2022. - Investigations Ransomware ★★★★
RecordedFuture.webp 2023-02-21 13:16:28 Irish TV broadcaster says attempted hack will affect programming (direct link) Virgin Media Television, the Irish broadcaster, said on Monday that an attempted hack was going to impact its programming in coming days. The nature of the attack has not been specified, although a spokesperson told The Record it was not a ransomware attack. In a statement the company described identifying “an unauthorized attempt to access [… Ransomware Hack ★★★
SecurityWeek.webp 2023-02-21 12:02:58 HardBit Ransomware Offers to Set Ransom Based on Victim's Cyberinsurance (direct link) HardBit ransomware operators want to work with victims to negotiate a ransom behind the back of cyberinsurance companies. Ransomware
InfoSecurityMag.webp 2023-02-21 11:00:00 Ransomware Gang Seeks to Exploit Victim's Insurance Coverage (direct link) Ransomware group tries to demonize carriers in negotiations Ransomware
Blog.webp 2023-02-21 07:31:13 GUEST ESSAY: Too many SMBs continue to pay ransomware crooks - exacerbating the problem (direct link) Well-placed malware can cause crippling losses – especially for small and mid-sized businesses. Related: Threat detection for SMBs improves Not only do cyberattacks cost SMBs money, but the damage to a brand's reputation can also hurt growth and trigger the … Ransomware Malware ★★
Trend.webp 2023-02-21 00:00:00 A Deep Dive into the Evolution of Ransomware Part 1 (direct link) This 3-part blog series takes an in-depth look at the evolution of ransomware business models, from the early stages to current trends. Ransomware ★★
TrendMicro.webp 2023-02-21 00:00:00 Fight Ransomware with a Cybersecurity Audit (direct link) An advanced cybersecurity audit helps identify overlooked IP addresses, forgotten devices, and misconfigured infrastructure that can expose organizations to ransomware and other cyber threats. Find out how to strengthen attack surface risk management. Ransomware ★★★
bleepingcomputer.webp 2023-02-20 17:09:01 HardBit ransomware wants insurance details to set the perfect price (direct link) A ransomware threat called HardBit has moved to version 2.0 and its operators are trying to negotiate a ransom payment that would be covered by the victim's insurance company. [...] Ransomware Threat ★★★★
DarkReading.webp 2023-02-20 14:00:00 Majority of Ransomware Attacks Last Year Exploited Old Bugs (direct link) New research shows that 57 vulnerabilities that threat actors are currently using in ransomware attacks enable everything from initial access to data theft. Ransomware Threat ★★★
News.webp 2023-02-20 02:27:10 GoDaddy joins the dots and realizes it's been under attack for three years (direct link) Also: Russia may legalize hacking; Oakland declares ransomware emergency; the CVEs you should know about this week In brief Web hosting and domain name concern GoDaddy has disclosed a fresh attack on its infrastructure, and concluded that it is one of a series of linked incidents dating back to 2020.… Ransomware ★★★★
Trend.webp 2023-02-20 00:00:00 Royal Ransomware expands attacks by targeting Linux ESXi servers (direct link) Ransomware actors have been observed to expand their targets by increasingly developing Linux-based versions. Royal ransomware is following in the same path, a new variant targeting Linux systems emerged and we will provide a technical analysis on this variant in this blog. Ransomware ★★
News.webp 2023-02-18 03:02:00 Malware Arsenal used by Ember Bear (aka UAC-0056, Saint Bear, UNC2589, Lorec53, TA471, Nodaria, Nascent Ursa, LorecBear, Bleeding Bear, and DEV-0586) in attacks targeting Ukraine (samples) (direct link) 2023-02-18 Ember Bear (aka UAC-0056, Saint Bear, UNC2589, Lorec53, TA471, Nodaria, Nascent Ursa, LorecBear, Bleeding Bear, and DEV-0586) is an Advanced Persistent Threat (APT) group believed to be based in Russia. Their primary targets have been diplomatic and government entities in Europe, particularly Ukraine, and the United States. They have also targeted various industries, including defense, energy, and technology. Download the full collection. Email me if you need the password (see in my profile) (209 MB. 218 samples listed in the hash tables below). The malware arsenal collected here includes: Elephant framework (GrimPlant (Backdoor) and GraphSteel (Stealer)); Graphiron Backdoor; OutSteel (LorecDocStealer); BabaDeda; Cobalt Strike (Beacon); SaintBot Downloader; WhisperGate Wiper. APT Group Description. APT Group aliases: UAC-0056 (UA CERT); Ember Bear (Crowdstrike); Saint Bear (F-Secure); UNC2589 (Fireeye, IBM); Lorec53 (NSFOCUS); TA471 (Proofpoint); Nodaria (Symantec); Nascent Ursa (Palo Alto); LorecBear; Bleeding Bear (Elastic); DEV-0586 (Microsoft). The group is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. The group primarily targets Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations. The group is known for using various malicious implants such as GrimPlant, GraphSteel, and CobaltStrike Beacon, as well as spear phishing attacks with macro-embedded Excel documents. In January 2022, the group performed a destructive wiper attack on multiple Ukrainian government computers and websites, known as WhisperGate. The Lorec53 group is a new type of APT group fi Ransomware Malware Hack Tool Vulnerability Threat Medical ★★
RecordedFuture.webp 2023-02-17 21:03:38 Semiconductor industry giant says ransomware attack on supplier will cost it $250 million (direct link) Applied Materials said that a ransomware attack on part of its supply chain would cost it $250 million in the next quarter Ransomware ★★
securityintelligence.webp 2023-02-17 14:00:00 How Falling Crypto Prices Impacted Cyber Crime (direct link) Some rare good news in the world of cyber crime trends: Certain crimes declined in 2022 after years of constant rises. Should we credit crypto? Some estimates say that cryptocurrencies have lost $2 trillion in value since November 2021. During that time, the costs associated with cyber crimes, such as ransomware payouts and financial scams, […] Ransomware ★★★
RecordedFuture.webp 2023-02-17 13:14:19 Expect more sanctions and hacking operations on ransomware groups, top Justice official says (direct link) Deputy Attorney General Lisa Monaco said the feds will continue to use sanctions and hacking operations as tools against ransomware groups Ransomware ★★★
Blog.webp 2023-02-17 01:00:00 Tracking Distribution Site of Magniber Ransomware Using EDR (direct link) AhnLab ASEC has been blocking the Magniber ransomware through various means since its distribution has continued even after, “Redistribution of Magniber Ransomware in Korea (January 28th),” was posted back in January. A particular finding at the time was that the ransomware used the <a> tag to bypass domain blocks. In order to detect this, we have researched response measures by tracking the distribution site URL through a different method. The team is working hard to prevent damages through means such... Ransomware ★★
Blog.webp 2023-02-17 00:00:00 Overview of AhnLab's Response to Joint Cybersecurity Advisory Between South Korea and the United States on North Korean Ransomware (direct link) On February 10, intelligence agencies from South Korea and the United States announced a cybersecurity advisory in regard to ransomware attacks from North Korea. It is the first joint report between the South Korean National Intelligence Service and the United States’ National Security Agency (NSA), Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) to raise awareness of cyberattacks from North Korea and protect both countries from ransomware. Title: Ransomware... Ransomware ★★
DarkReading.webp 2023-02-16 22:34:00 ESXi Ransomware Update Outfoxes CISA Recovery Script (direct link) New ESXiArgs-ransomware attacks include a workaround for CISA's decryptor, researchers find. Ransomware ★★★
TechRepublic.webp 2023-02-16 18:07:49 Cryptocurrency users in the US hit by ransomware and Clipper malware (direct link) Learn how to protect your business and staff from the MortalKombat ransomware and Laplas Clipper malware. Ransomware Malware ★★
InfoSecurityMag.webp 2023-02-16 17:00:00 City of Oakland Declares State of Emergency After Ransomware Attack (direct link) Core functions are intact, but the city has taken certain non-emergency systems offline Ransomware ★★
globalsecuritymag.webp 2023-02-16 16:39:18 Scality selected as inaugural launch partner for Veeam Smart Object Storage API (direct link) Scality selected as inaugural launch partner for Veeam Smart Object Storage API Ranked #1 for backup use case by Gartner®, Scality joins forces with Veeam to simplify the 3-2-1 rule with a single-vendor architecture for immutable ransomware protection - Business News Ransomware
The_Hackers_News.webp 2023-02-16 15:43:00 ESXiArgs Ransomware Hits Over 500 New Targets in European Countries (direct link) More than 500 hosts have been newly compromised en masse by the ESXiArgs ransomware strain, most of which are located in France, Germany, the Netherlands, the U.K., and Ukraine. The findings come from attack surface management firm Censys, which discovered "two hosts with strikingly similar ransom notes dating back to mid-October 2022, just after ESXi versions 6.5 and 6.7 reached end of life." Ransomware ★★
globalsecuritymag.webp 2023-02-16 15:11:59 Will the ransom war ever end? (direct link) Another day, another ransomware attack. Question is, who is next? Because as new research reveals, ransomware ain't going anywhere. A new report from Ivanti, Cyber Security Works (CSW), Cyware, and Securin reveals the devastating toll that ransomware has had on organisations globally. The study, 2023 Spotlight Report: Ransomware Through the Lens of Threat and Vulnerability Management, identifies 56 new vulnerabilities associated with ransomware threats among a total of 344 threats identified in 2022, marking a 19% increase year-over-year. Furthermore, the survey findings indicate that IT and security teams are being tripped up by open-source, old, and low-scoring vulnerabilities associated with ransomware. - Special Reports Ransomware Vulnerability Threat ★★
globalsecuritymag.webp 2023-02-16 12:11:07 Companies must learn lessons from Royal Mail ransomware attack, says GlobalData (direct link) Following the leak of details of ransom negotiations between Royal Mail and ransomware group LockBit: David Bicknell, Principal Analyst in the Thematic Intelligence team at GlobalData, offers his view. - Opinion Ransomware ★★
Fortinet.webp 2023-02-16 11:34:00 (Déjà vu) Ransomware Roundup – CatB Ransomware (direct link) In this week's Ransomware Roundup, FortiGuard Labs covers CatB ransomware along with protection recommendations. Read the blog to find out more. Ransomware ★★
no_ico.webp 2023-02-16 09:43:51 (Déjà vu) City Of Oakland Declares State Of Emergency After Ransomware Attack (direct link) Because of the effects of a ransomware assault that required the City to shut down all of its IT systems on February 8, the City of Oakland has declared a local state of emergency. G. Harold Duffey, the interim city administrator, announced a state of emergency so that the City of Oakland could swiftly place […] Ransomware ★★
SecurityWeek.webp 2023-02-16 09:36:01 Surge in ESXiArgs Ransomware Attacks as Questions Linger Over Exploited Vulnerability (direct link) Hundreds of new servers were compromised in the past days as part of ESXiArgs ransomware attacks, but it's still unclear which vulnerability is being exploited. Ransomware Vulnerability ★★
globalsecuritymag.webp 2023-02-16 08:46:40 Check Point Software introduces Quantum SD-WAN (direct link) Check Point Software introduces Quantum SD-WAN to secure branch offices by unifying optimal security with advanced Internet connectivity. Check Point Quantum SD-WAN provides comprehensive prevention against zero-day, phishing and ransomware attacks and offers optimized routing for users and more than 10,000 applications. - Products Ransomware ★★
Blog.webp 2023-02-16 07:31:05 (Déjà vu) ASEC Weekly Malware Statistics (February 6th, 2023 – February 12th, 2023) (direct link) The ASEC analysis team uses the ASEC automatic analysis system RAPIT to categorize and respond to known malware. This post will list weekly statistics collected from February 6th, 2023 (Monday) to February 12th, 2023 (Sunday). For the main category, downloader ranked top with 54.7%, followed by backdoor with 27.7%, Infostealer with 12.8%, ransomware with 4.6%, and CoinMiner with 0.1%. Top 1 – Amadey This week, Amadey Bot ranked first place with 43.9%. Amadey is a downloader that can receive commands... Ransomware Malware ★★
CSO.webp 2023-02-16 06:15:00 Evolving cyberattacks, alert fatigue creating DFIR burnout, regulatory risk (direct link) The evolution of cybercrime is weighing heavily on digital forensics and incident response (DFIR) teams, leading to significant burnout and potential regulatory risk. That's according to the 2023 State of Enterprise DFIR survey by Magnet Forensics, a developer of digital investigation solutions. The firm surveyed 492 DFIR professionals in North America and Europe, the Middle East, and Africa working in organizations in industries such as technology, manufacturing, government, telecommunications, and healthcare. Respondents described the current cybercrime landscape as one that is evolving beyond ransomware and taking a toll on their ability to investigate threats and incidents, Magnet Forensics said. Ransomware Guideline ★★
News.webp 2023-02-16 01:30:06 ESXiArgs ransomware fights off Team America's data recovery script (direct link) Want a clue to what you're dealing with? Check the ransom note That didn't take long.… Ransomware ★★
RecordedFuture.webp 2023-02-15 21:35:27 ESXiArgs ransomware has infected hundreds of new targets in Europe, researchers say (direct link) More than 500 European organizations are dealing with new infections of the ESXiArgs ransomware, according to Censys Ransomware ★★
The_Hackers_News.webp 2023-02-15 19:03:00 Financially Motivated Threat Actor Strikes with New Ransomware and Clipper Malware (direct link) A new financially motivated campaign that commenced in December 2022 has seen the unidentified threat actor behind it deploying a novel ransomware strain dubbed MortalKombat and a clipper malware known as Laplas. Cisco Talos said it "observed the actor scanning the internet for victim machines with an exposed remote desktop protocol (RDP) port 3389." The attacks, per the cybersecurity company, Ransomware Malware Threat ★★★
RecordedFuture.webp 2023-02-15 18:44:59 State of emergency as City of Oakland grapples with ransomware attack (direct link) The City of Oakland has declared a state of emergency one week after a ransomware attack hampered local government operations. In a statement on Tuesday, interim City Administrator G. Harold Duffey said he was issuing the declaration “due to the ongoing impacts of the network outages resulting from the ransomware attack” that began February 8. [… Ransomware ★★
SecurityWeek.webp 2023-02-15 17:32:28 Ransomware Attack Pushes City of Oakland Into State of Emergency (direct link) The city of Oakland, California issued a local state of emergency as a result of the impacts following a ransomware attack. Ransomware ★★
InfoSecurityMag.webp 2023-02-15 16:51:00 LockBit and Royal Mail Ransomware Negotiation Leaked (direct link) It shows the threat actor trying to convince Royal Mail to pay the ransom using various techniques Ransomware Threat ★★
InfoSecurityMag.webp 2023-02-15 16:00:00 Crypto-Stealing Campaign Deploys MortalKombat Ransomware (direct link) The attacks mainly targeted victims in the US but also in the UK, Turkey, and the Philippines Ransomware ★★
no_ico.webp 2023-02-15 14:31:19 MortalKombat Ransomware Infects Computer, Steals Crypto From Users (direct link) Organizations in the Philippines, Turkey, the Philippines, and the United Kingdom have recently been affected by MortalKombat, a new ransomware that cybersecurity experts are pointing out. Using MortalKombat and a brand-new piece of malware called Laplas Clipper, researchers from Cisco’s Talos security team claim to have tracked a ransomware organization that has been stealing cryptocurrency […] Ransomware Malware ★★★
AlienVault.webp 2023-02-15 11:00:00 GuLoader – a highly effective and versatile malware that can evade detection (direct link) The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. This blog was jointly authored with Arjun Patel. GuLoader is a malware downloader that is primarily used for distributing other shellcode and malware such as ransomware and banking Trojans. It was first discovered in the wild in late 2019 and has since become a popular choice among cybercriminals due to its effectiveness and ease of use. Researchers at cybersecurity firm CrowdStrike have recently published a technical write-up detailing the various techniques used by GuLoader to avoid detection. One of the key features of GuLoader is its ability to evade detection by traditional security solutions. It uses several techniques to avoid being detected, including packing and encryption, as well as utilizing legitimate websites and services as command and control (C2) servers. It also employs advanced anti-debugging and anti-analysis techniques, which makes it difficult for security researchers to reverse engineer and analyze its code. GuLoader is typically spread through phishing campaigns, where victims are tricked into downloading and installing the malware through emails or links containing a Visual Basic script file. It can also be distributed through other means, such as drive-by downloads, where the malware is delivered to a victim's computer through a web browser without the victim's knowledge. GuLoader utilizes a three-stage process to deliver the final payload to the infected host. During the first stage, the VBScript dropper file gets downloaded into a registry key as a persistence mechanism and delivers a next-stage payload. The second stage payload performs anti-analysis checks before injecting shellcode into memory. If these checks are successful, the shellcode then downloads the final payload from a remote server and executes it on the compromised host. The shellcode incorporates various anti-analysis and anti-debugging measures, including checks for the presence of a remote debugger and breakpoints, scans for virtualization software, and the use of a "redundant code injection mechanism" to avoid NTDLL.dll hooks implemented by endpoint detection and response (EDR) solutions. NTDLL.dll API hooking is a technique used by anti-malware engines to detect and flag suspicious processes on Windows by monitoring APIs that are known to be abused by threat actors. The method involves using assembly instructions to invoke the necessary Windows API function to allocate memory and inject arbitrary shellcode into that location via process hollowing. GuLoader's "redundant code injection mechanism" is designed to avoid these NTDLL.dll hooks, making it more difficult for EDR solutions to detect and flag the malware. One of the ways that GuLoader evades detection is through its use of legitimate websites and services as C2 servers. This means that it uses websites that are not known to be malicious as a means of communicating with its command-and-control (C2) center. This can make it difficult for security researchers to identify the C2 servers being used by the malware, as they are not typically flagged as malicious. In addition to its advanced evasion techniques, GuLoader is also highly customizable Ransomware Malware Threat ★★
bleepingcomputer.webp 2023-02-15 10:47:25 City of Oakland declares state of emergency after ransomware attack (direct link) Oakland has declared a local state of emergency because of the impact of a ransomware attack that forced the City to take all its IT systems offline on February 8th. [...] Ransomware ★★
Blog.webp 2023-02-15 00:10:00 Continuous Distribution of LockBit 2.0 Ransomware Disguised as Resumes (direct link) The ASEC analysis team has identified that Lockbit 2.0 is being distributed in a MalPE format instead of the NSIS format which the team had introduced it with previously. The MalPE format is a type of packing method that disrupts the analysis of the actual malware. It then decrypts and executes its PE files through an internal shell code. We have recently discovered during our monitoring of ransomware that the distribution of LockBit has risen since January. As it was... Ransomware ★★
Blog.webp 2023-02-15 00:00:00 Paradise Ransomware Distributed Through AweSun Vulnerability Exploitation (direct link) The ASEC analysis team has recently discovered the distribution of Paradise ransomware. The threat actors are suspected to be utilizing a vulnerability exploitation of the Chinese remote control program AweSun. In the past, the team also found and covered the distribution of Sliver C2 and BYOVD through a Sunlogin vulnerability, a remote control program developed in China. 1. AweSun Vulnerability Exploitation The installation of Sliver C2 through the AweSun remote control program developed by AweRay was also discovered to have... Ransomware Vulnerability Threat ★★
RecordedFuture.webp 2023-02-14 21:59:11 MortalKombat ransomware found punching targets in US, UK, Turkey, Philippines (direct link) Organizations in the U.S. and elsewhere have been hit with the new MortalKombat ransomware, according to researchers at Cisco Talos Ransomware ★★
RecordedFuture.webp 2023-02-14 20:54:27 Tonga is the latest Pacific Island nation hit with ransomware (direct link) Tonga’s state-owned telecommunications company has been hit with ransomware, it warned customers on Monday. Tonga Communications Corporation (TCC) – one of two telecoms companies in the country – published a notice on Facebook saying the attack may slow down administrative operations. “Ransomware attack has been confirmed to encrypt and lock access to part of TCC's [… Ransomware ★★
Last update at: 2024-06-28 11:07:31