Weekly Ransomware Roundup

August 22 - 26, 2022

Quantum Ransomware Hits IAD Government Agency in Dominican Republic

The Instituto Agrario Dominicano (IAD) has suffered a Quantum ransomware attack that encrypted multiple services and servers throughout the government agency. Four physical and eight virtual servers were affected, and most of the agency's information, including databases, email and applications, was compromised. The IAD told local media that it had only basic security software, such as antivirus, on its systems and lacks a dedicated security department. The attackers have demanded more than six hundred thousand dollars in ransom and have threatened to leak sensitive data.

Hackers Hit over 130 Organizations in Another Okta Phishing Supply Chain Attack

The hackers responsible for a string of recent cyberattacks, including those on Twilio, MailChimp, and Klaviyo, compromised over 130 organizations in the same phishing campaign. The campaign used a phishing kit codenamed '0ktapus' and stole 9,931 login credentials, which were used to gain access to corporate networks and systems through VPNs and other remote access devices. Identity credentials and 2FA codes for Okta, an identity-as-a-service (IDaaS) platform, were also stolen and used to carry out subsequent supply chain attacks on customers of those services, such as Signal and DigitalOcean.

RansomEXX Claims Ransomware Attack on Bombardier Recreational Products (BRP)

The RansomEXX group, notorious for attacking high-profile companies such as GIGABYTE, has claimed another victim: Bombardier Recreational Products (BRP). After the attack, BRP informed the public of a temporary halt of all operations, which impacted production and caused delays in transactions with customers and suppliers. The company confirmed that the hackers breached its systems via a supply chain attack. Shortly after, the RansomEXX gang listed BRP on its leak site along with 29.9GB of files allegedly stolen from the firm. They also provided samples that included non-disclosure agreements, passports and IDs, material supply agreements, and contract renewals.

LastPass Source Code Stolen in Data Breach

Password management software firm LastPass, which has more than 30 million users and 85,000 business customers worldwide, has suffered a data breach that led to the theft of source code and technical information. The unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of the source code and some proprietary LastPass technical data. However, LastPass stores sensitive data such as passwords in 'encrypted vaults' that can only be decrypted with a customer's master password, which LastPass says was not compromised in this cyberattack.

Veeam-Ready Backup and DR Appliance with Onsite and Cloud-Based Immutable Storage

Immutable storage follows the Write-Once Read-Many (WORM) model to prevent changes to critical data for a user-defined retention period. This protects mission-critical backups and file/S3 object data from ransomware, since data under retention cannot be maliciously encrypted or deleted. Learn how you can use a Veeam-ready backup and disaster recovery (DR) appliance to set up policy-based, automated onsite and cloud-based immutable storage.
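The WORM retention behaviour described above, modelled as an added example (not StoneFly's or Veeam's code): objects become read-only the moment they are written and stay that way until a policy-defined retention period expires, so an overwrite with ciphertext or a delete request is rejected while the backup is still under retention. The clock is injectable so the retention expiry can be exercised without waiting.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Added example: a minimal model of a WORM (write-once, read-many) vault
# with policy-based retention. It is not an implementation of any
# vendor's product; it only illustrates the retention semantics.


@dataclass
class Record:
    data: bytes
    retain_until: float  # epoch seconds after which the object may change


@dataclass
class WormVault:
    """Objects are immutable from the time of writing until retention expires."""
    default_retention: float                 # seconds; real policies use days/years
    clock: Callable[[], float] = time.time   # injectable for deterministic tests
    _store: Dict[str, Record] = field(default_factory=dict)

    def write(self, key: str, data: bytes, retention: Optional[float] = None) -> None:
        # A first write is always allowed; a rewrite is allowed only after expiry.
        if key in self._store and not self._expired(key):
            raise PermissionError(f"{key}: object is under WORM retention")
        seconds = self.default_retention if retention is None else retention
        self._store[key] = Record(data, self.clock() + seconds)

    def read(self, key: str) -> bytes:
        return self._store[key].data

    def delete(self, key: str) -> None:
        if not self._expired(key):
            raise PermissionError(f"{key}: object is under WORM retention")
        del self._store[key]

    def _expired(self, key: str) -> bool:
        return self.clock() >= self._store[key].retain_until


def overwrite_rejected(vault: WormVault, key: str, new_data: bytes) -> bool:
    """Try to replace an object (what an encryptor would do to a backup file).
    Returns True if the vault refused, i.e. the original backup is intact."""
    try:
        vault.write(key, new_data)
    except PermissionError:
        return True
    return False
```

The practical takeaway is that the retention period must be longer than the interval between backups and the time needed to notice an incident; once it lapses the object is writable again.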

French Hospital Hit by Ransomware Attack – Hackers Demanding $10M in Ransom

The Centre Hospitalier Sud Francilien (CHSF), a hospital in Paris, suffered a ransomware attack over the weekend. The attack disrupted emergency services and surgeries and forced the hospital to refer patients to other healthcare providers. The breach forced hospital staff to return to pen and paper, as it affected the hospital's software, its storage systems (in particular medical PACS imaging) and the information systems handling patient admissions. The threat actors are demanding a $10 million ransom for the decryption key. Sources confirmed that the attack was launched by an affiliate of the LockBit 3.0 RaaS.

Promo
1PB Fully Air Gapped & Immutable Veeam Backup and DR appliance for $995

1PB, expandable up to 4PB, fully air-gapped and immutable Veeam-ready backup and disaster recovery appliance with file and object Lockdown technology for ransomware protection & instant multi-VM recovery for $995/month in a 5-year term.

Fully populated 1U, 4-bay head unit plus a 60-bay 4U JBOD, filled with a total of 64x16TB (1,024 TB) Enterprise SAS drives, 10-core Storage Virtualization Engine, 64GB System Memory, 512GB NVMe SSD, Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller. Fully Integrated SAN, NAS and optional S3 cloud object storage.

Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are available as an option if needed.

For demos and hardware details, contact us.

Weekly Ransomware Roundup

August 15 - 19, 2022

Exploit out for critical flaw affecting Realtek’s networking devices

Exploit code has been released for a critical vulnerability, identified as CVE-2022-27255, affecting networking devices built on Realtek's RTL819x system on a chip (SoC). The flaw is a stack-based buffer overflow with a severity score of 9.8 out of 10 that enables remote, unauthenticated attackers to execute code using specially crafted SIP packets with malicious SDP data. Attackers can exploit it to compromise vulnerable devices from various original equipment manufacturers (OEMs), ranging from routers and access points to signal repeaters.

LockBit claims ransomware attack on security giant Entrust

The LockBit ransomware gang has claimed responsibility for the cyberattack on digital security giant Entrust. LockBit created a dedicated data leak page for Entrust on its website, stating that it would publish all of the stolen data. In a security notification to its customers, Entrust stated that "some files were taken from our internal systems". In a response to security researchers, the company said it found no indication that the issue affected the operation or security of its products and services, as they run in separate, air-gapped environments from its internal systems and are fully operational.

CS:GO trading site hacked to steal $6 million worth of skins

CS.MONEY, one of the largest platforms for trading CS:GO skins, has taken its website offline after a cyberattack looted 20,000 items worth approximately $6,000,000. The hackers gained access to Mobile Authenticator (MA) files used for Steam authorization. They then took control of 100 bot accounts holding the skins held by the service and conducted about a thousand transactions siphoning the items to their own accounts.

Disaster Recovery-as-a-Service (DRaaS) or On-Site DR Appliance?

Offsite disaster recovery (DR) management with minimal hardware and time/resource investment, or faster recovery, full control of physical DR appliances, no bottleneck or latency issues, and easier compliance? Which approach fits your requirements?

Argentina's Judiciary of Córdoba hit by PLAY ransomware attack

Argentina's Judiciary of Córdoba has shut down its IT systems after suffering a ransomware attack at the hands of the new 'Play' ransomware operation. The attack affected the Judiciary's IT systems and its databases. Researchers believe that a list of employee email addresses was leaked as part of the Lapsus$ breach of Globant in March, which may have allowed threat actors to conduct a phishing attack to steal credentials.

Hackers Target Ukraine with Phishing, Backdoors and a Default Word Template Hijacker

The notorious Russian hacking group 'Gamaredon' is using phishing messages carrying a self-extracting 7-Zip archive that fetches an XML file from an "xsph.ru" subdomain. The XML file executes a PowerShell info-stealer that attempts to evade detection. Additionally, the attackers used VBS downloaders to fetch the "Pterodo" and "Giddome" backdoors, which allow them to record audio, take screenshots, log and exfiltrate keystrokes, or download and execute additional ".exe" and ".dll" payloads. Gamaredon also modifies the "Normal.dotm" file (the default Microsoft Word template) on the host, using a specially crafted macro to infect every document created on the compromised machine with malicious code.
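A defender-side check for the Normal.dotm hijack described above, as an added example that is not part of the original roundup: an OOXML template is a ZIP container, and a macro lives in the word/vbaProject.bin part, so a default template that unexpectedly carries that part (or declares its content type) deserves a closer look. The Templates path and the two sample packages are assumptions constructed for the demonstration.

```python
import io
import os
import zipfile
from typing import Union

# Added example: detect whether a Word template package contains a VBA
# project. A stock Normal.dotm has no vbaProject.bin part; the Gamaredon
# technique plants a macro there so that every new document inherits it.

VBA_PART = "word/vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def template_has_macros(source: Union[str, bytes, bytearray]) -> bool:
    """source is a file path or the raw bytes of a .dotm/.dotx package.
    Returns True if the package carries a VBA project part or declares
    the VBA content type in its [Content_Types].xml map."""
    if isinstance(source, (bytes, bytearray)):
        source = io.BytesIO(source)
    with zipfile.ZipFile(source) as package:
        if VBA_PART in package.namelist():
            return True
        try:
            content_types = package.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            return False  # not a well-formed OOXML package; nothing to flag here
        return VBA_CONTENT_TYPE in content_types


def default_template_path() -> str:
    """Assumed location of the per-user Normal.dotm on Windows (%APPDATA% layout)."""
    return os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Templates", "Normal.dotm")


def make_sample_template(with_vba: bool) -> bytes:
    """Constructed minimal template package for testing; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        overrides = ['<Override PartName="/word/document.xml" '
                     'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.template.main+xml"/>']
        if with_vba:
            overrides.append(f'<Override PartName="/{VBA_PART}" ContentType="{VBA_CONTENT_TYPE}"/>')
        package.writestr("[Content_Types].xml", "<Types>" + "".join(overrides) + "</Types>")
        package.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            package.writestr(VBA_PART, b"constructed placeholder, not a real VBA stream")
    return buf.getvalue()


if __name__ == "__main__":
    path = default_template_path()
    if os.path.exists(path):
        print(path, "contains a VBA project" if template_has_macros(path) else "has no VBA project")
```

Run it under the affected user's profile; a positive result on Normal.dotm is a lead for further investigation, since legitimate organisations occasionally ship macros in the default template.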

Promo
128TB Fully Air Gapped & Immutable Veeam Backup and DR appliance for $9,995

128TB fully air-gapped Veeam backup and disaster recovery appliance with Immutable File and Object Lockdown Technology for ransomware protection & instant multi-VM recovery for $9,995.

8-bay 2U Rackmount unit, 8x16TB (128TB) Enterprise SAS drives, 10 core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller. Fully Integrated SAN, NAS and optional S3 cloud object storage.

All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe + SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are included.

For demos and hardware details, contact us.

Weekly Ransomware Roundup

August 08 - 12, 2022

Zimbra Authentication Bypass Bug Exploited to Breach Servers

A Zimbra security vulnerability is being actively exploited to compromise Zimbra Collaboration Suite (ZCS) email servers worldwide. Attackers are abusing a ZCS remote code execution flaw, tracked as CVE-2022-27925, with the help of an authentication bypass bug, tracked as CVE-2022-37042. Successful exploitation allows the attackers to deploy web shells in specific locations on the compromised servers to gain persistent access. Experts have identified over 1,000 ZCS instances that were backdoored and compromised. Zimbra has advised patching versions older than Zimbra 8.8.15 patch 33 or Zimbra 9.0.0 patch 26.

Cisco Hacked by Yanluowang Ransomware Gang – Stole 2.8GB of Data

Cisco confirmed a cyberattack after threat actors infiltrated an employee's personal Google account that contained passwords synced from a web browser. The attacker attempted to bypass multi-factor authentication (MFA) using voice phishing and MFA fatigue. Upon establishing an initial foothold, the attacker escalated to administrative privileges and logged in to several systems, including Citrix servers and a domain controller, using the exploit identified as CVE-2022-24521. The attacker then stole credentials and registries, cleared system logs to cover their tracks, and changed host-based firewall configurations to enable RDP access to systems. The attacker claimed to have stolen 2.75GB of data, consisting of non-disclosure agreements, data dumps, and engineering drawings.

Palo Alto bug used for DDoS attacks and there's no fix yet

A high-severity Palo Alto Networks denial-of-service (DoS) vulnerability has been exploited by cybercriminals looking to launch DDoS attacks, and several of the affected products won't have a patch until next week. The vulnerability, tracked as CVE-2022-0028, received an 8.6 out of 10 CVSS score and affects PAN-OS, the operating system in Palo Alto Networks' network security products. The bug is caused by a URL filtering policy misconfiguration that could allow an external attacker with network access to conduct reflected and amplified TCP denial-of-service attacks.

FC SAN vs iSCSI SAN: What’s the difference?

Is the Fibre Channel (FC) Storage Area Network (SAN) protocol actually faster than iSCSI? Why are most storage vendors so fixated on FC SAN when iSCSI SANs make up most government and corporate data centers? Both SAN protocols have their pros and cons, so it is worth taking a minute to learn the differences between the two, especially if you're looking to set up a new SAN environment or replace or expand an existing one.

VMware Warns of Public PoC Code for Critical Authentication Bypass Bug

VMware has warned its customers of the availability of proof-of-concept exploit code for a critical authentication bypass flaw, tracked as CVE-2022-31656, in multiple products. The proof-of-concept (PoC) shows that a malicious actor with network access to the UI may be able to obtain administrative access without needing to authenticate.

Automotive Supplier Breached by 3 Ransomware Gangs in 2 Weeks

An automotive supplier had its systems breached and files encrypted by LockBit, Hive, and ALPHV/BlackCat affiliates on April 20, May 1, and May 15, respectively. LockBit and Hive distributed their payloads using the PsExec and PDQ Deploy tools within two hours to encrypt and exfiltrate data on more than a dozen systems. Two weeks later, a BlackCat threat actor also connected to the same compromised server, installed the Atera Agent remote access solution and gained persistence on the network while exfiltrating data. Within half an hour, BlackCat delivered its payloads on the network using PsExec to encrypt six machines after moving laterally with compromised credentials.

Promo
70TB - $7,995 Air-Gapped & Immutable Veeam, Rubrik, Commvault, site recovery Backup & DR appliance

70TB, expandable up to 4PB, Air-gapped & Immutable Veeam, Rubrik, Commvault, Site Recovery, Backup and DR appliance with Object Lockdown Technology for Ransomware protection for $7,995.

8-bay 2U Rackmount unit with 5x14TB Enterprise SAS drives, 10 Core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller. Fully Integrated SAN, NAS and Native S3 cloud object storage.

All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are included.

For demos and hardware details, contact us.

Weekly Ransomware Roundup

August 01 - 05, 2022

Russian Organizations Attacked with New Woody RAT Malware

Unknown attackers have targeted Russian entities with a new malware, Woody RAT, that allows them to remotely control compromised devices and steal information from them. The malware is delivered via phishing emails, either as ZIP files containing the payload or as "Information security memo" documents that exploit the Follina vulnerability. The RAT uses RSA-4096 and AES-CBC to evade network-based monitoring, injects itself into a Notepad process and then deletes itself to evade detection. The malware can collect system information, list folders and running processes, execute commands and files received from its command-and-control server, download, upload, and delete files, and take screenshots.

Crypto Bridge Nomad Loses $190M as Hackers Exploit a Critical Bug

Dozens of hackers jointly attacked the cross-chain crypto bridge Nomad to steal nearly $200 million in digital assets. Experts say the attack occurred after Nomad updated its smart contracts and inadvertently made it easy to spoof transactions by failing to verify the amount of digital assets being exchanged. An improper initialization bug in Nomad's contract allowed transaction messages to be validated immediately instead of going through the verification process. Attackers used this vulnerability to broadcast fake messages, which were treated as valid fund-transfer requests by default, and drained the assets. The attackers stole at least $190.7 million and laundered at least $6 million via the cryptocurrency mixer Tornado Cash.

Hackers Deploy New Ransomware Tool in Attacks on Albanian Government Websites

A cyberattack took the government portal e-Albania offline along with the government's websites. The attack involved a new ransomware family dubbed Roadsweep, which uses the RC4 stream cipher to maliciously encrypt files, a spyware called Chimneysweep, and possibly a new variant of the Zeroclear wiper malware. Zeroclear corrupts the file system using RawDisk, a legitimate commercial driver for interacting with files, disks and partitions, while Chimneysweep allows keylogging and is capable of taking screenshots, listing and collecting files and spawning a reverse shell.

Cloud Disaster Recovery vs On-Premise – Which is Best?

On-premise disaster recovery appliances provide a secondary site with faster recovery, no latency issues, and more control, while cloud DR is scalable, offsite, partially or fully managed, and affordable, making each suitable for different requirements and budgets. But which one is best for your projects and budget? Read our blog, where we explain on-premise vs cloud disaster recovery to help you choose the right solution for your mission-critical workloads.

Microsoft Email Accounts Targeted in New Phishing Campaign That Can Bypass MFA

A phishing campaign is targeting corporate users, including fintech, lending, accounting, insurance, and Federal Credit Union organizations in the US, UK, New Zealand, and Australia. The threat actors use the adversary-in-the-middle (AiTM) technique to bypass multi-factor authentication. AiTM lets the attacker proxy the authentication exchange between the client and the server, so the credentials and the MFA details are captured in transit. The threat actors leverage tools such as Evilginx2, Muraena, and Modlishka for AiTM execution, and use online code editing services such as CodeSandbox and Glitch, together with open-redirect pages hosted by Google Ads and Snapchat, to host the redirection URL code that evades corporate email URL analysis.

Solana Wallets Drained in Multimillion-Dollar Exploit

An overnight attack on the Solana blockchain platform drained thousands of software wallets of cryptocurrency worth millions of U.S. dollars. While there is no definitive answer yet about how the wallets were drained, various blockchain security experts believe it to be a supply chain attack, a browser zero-day flaw, or a faulty random number generator used in the key generation process. Another explanation is a nonce reuse bug, which enables threat actors to recover secret keys as long as a signature and its nonce are publicly exposed.

Promo
32TB Air-Gapped & Immutable Veeam Site Recovery Backup & DR Appliance for $5,995

32TB, expandable up to 4PB, air-gapped & immutable Veeam, Rubrik, CommVault, Site Recovery, Backup and DR appliance with Zero Trust, SAN-NAS and S3 Object Lockdown Technology for ransomware protection for $5,995.

Gen 10, 4-bay 1U Rackmount unit with 2x16TB Enterprise SAS drives, 10 Core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller. Fully Integrated SAN, NAS and Native S3 cloud object storage.

All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are included.

For demos and hardware details, contact us.
