
Weekly Ransomware Roundup

Aug 21 - 25, 2023

Massive Phishing Operations Linked to Russian “Telekopye” Telegram Bot

The Telekopye bot streamlines phishing schemes by generating deceptive web pages from templates and delivering them to victims. Its functionality covers phishing emails, SMS messages, QR codes, and the theft of funds. The operators are informally known as "Neanderthals," and the language used and the online marketplaces targeted point to a Russian connection.

BlackCat Ransomware Group Targets Japanese Watchmaker Seiko in Breach

The BlackCat/ALPHV ransomware syndicate has targeted Seiko, releasing stolen data on its online extortion site. Analysts verified that an initial access broker (IAB) sold access to a Japanese manufacturer on July 27th, a day before Seiko's breach announcement. The IAB's listing cited a revenue figure of '1.8B', matching Seiko's revenue as reported by ZoomInfo. Seiko acknowledged a breach that compromised production plans, employee ID scans, watch designs, passport scans, and technical blueprints.

CosmicBeetle Uses Spacecolon Toolkit in Global Scarab Ransomware Campaign

CosmicBeetle is orchestrating a global Scarab ransomware distribution campaign using the Spacecolon toolkit. The group deploys clipper malware that swaps cryptocurrency wallet addresses, along with a new ransomware strain, ScRansom. CosmicBeetle compromises victims in France, Mexico, Poland, Slovakia, Spain, and Turkey through vulnerable web servers or RDP credentials. ScHackTool deploys the ScService backdoor, which executes commands, downloads payloads, and gathers data.
</gre_replace>
<gr_replace lines="24" cat="clarify" orig="EVLF is using">
EVLF is using CypherRAT and CraxsRAT to gain unauthorized access to victim devices, including the camera, microphone, and location tracking. The tools are offered as "malware-as-a-service," and around 100 threat actors have purchased them. CraxsRAT can evade Google Play Protect, view the screen in real time, execute commands through an integrated shell, and receive updates. Its 'Super Mod' feature also makes the malware difficult to uninstall.

CypherRAT and CraxsRAT Malware Traced Back to Syrian Threat Actor EVLF

EVLF is using CypherRAT and CraxsRAT, to gain unauthorized access to victim devices, including camera, microphone, and location tracking. Offered as "malware-as-a-service," around 100 threat actors have purchased these tools. CraxsRAT can evade Google Play protect, view screen in real time, execute commands through an integrated shell and receive updates. The ‘Super Mod’ feature also makes it challenging to uninstall the malware. Read more

Remote Access Trojans (RATs): The Silent Invaders of Cybersecurity

As organizations embrace interconnected networks, cloud services, and remote work, RATs have become a severe threat to digital security. RATs are covert malware agents that run in the background, infiltrating systems and giving cybercriminals unauthorized control. This article covers the rising danger of RATs and how to safeguard digital assets from these stealthy threats.

Ivanti Identifies Actively Exploited Zero-Day Vulnerability in Sentry Software

Ivanti warns of a critical zero-day flaw in Ivanti Sentry, identified as CVE-2023-38035, with a CVSS score of 9.8. The flaw is an authentication bypass affecting versions 9.18 and earlier, caused by an insufficiently restrictive Apache HTTPD configuration, which lets unauthenticated users reach sensitive APIs on port 8443. The exploitation risk is lower if port 8443 is not exposed to the internet. Successful attacks allow unauthorized system access and file manipulation. CISA has added CVE-2023-38035 to its Known Exploited Vulnerabilities (KEV) catalog.

Promo
Fully Immutable & Air-Gapped Hyperconverged, SAN, NAS, Object Storage Appliance for $5,995

Fully immutable and air-gapped hyperconverged, SAN, NAS and S3 object storage appliance with ransomware protection for $5,995.

It is a 2U, 8-bay rackmount unit with a 10-core storage virtualization engine, 32GB system memory, 512GB NVMe SSD, hot-swappable power supply, and 12Gb SAS hardware RAID controller.

Supports up to 200 iSCSI hosts, CIFS/SMB and NFS volumes, NAS segment AES-256 data encryption, and WORM-compliant policy-based NAS storage.

Data services such as immutable snapshots, hardware encryption, hardware deduplication, replication (sync and async), thin provisioning, hot/cold tiering, flash cache (NVMe+SSD), WORM (immutable policy-based vault), predictive failure, call home, and real-time performance reporting and notification are available as an option if needed.

For demos and details, contact us.


Weekly Ransomware Roundup

Aug 14 - 18, 2023

Critical Vulnerabilities in Ivanti Avalanche Put 30,000 Organizations at Risk

Critical security vulnerabilities have been found in Ivanti Avalanche, a widely used mobile device management solution. The vulnerabilities, collectively identified as CVE-2023-32560, stem from the processing of specific data types, such as hex strings, and lead to stack-based buffer overflows in WLAvalancheService.exe version 6.4.0.0. Attackers can exploit the flaw to achieve code execution or crash the system.

LABRAT Campaign Exploits GitLab Vulnerability for Cryptojacking and Proxyjacking

The LABRAT campaign is exploiting an older GitLab flaw for cryptojacking and proxyjacking. The attacker uses signature-evading tools, sophisticated malware, hardened command-and-control methods, and kernel rootkits to hide their activity. The campaign relies on compiled Go and .NET binaries for stealth and exploits CVE-2021-22205 to install a shell script fetched from a C2 server. TryCloudflare is used to redirect connections to the malicious shell script, which complicates defense.

Hackers Employ Zulip Chat and Duke Malware for Command and Control in Diplomatic Phishing Attacks

Threat actors are running a phishing campaign against NATO-affiliated nations. They use seemingly benign services such as Google Drive, Microsoft OneDrive, and Dropbox to target political organizations, research firms, and critical sectors. The attackers also use the Zulip chat app for command and control and embed Duke malware within PDFs. Victims who open the PDF attachment unknowingly activate Duke, and Zulip's API funnels victim data to the attackers' chat room.

Critical Vulnerability Exploited: Over 2,000 Citrix NetScaler Instances Compromised

Around 2,000 Citrix NetScaler instances were compromised through exploitation of a critical vulnerability (CVE-2023-3519). Attackers used the flaw to inject web shells for persistent access. Over 1,900 compromised NetScalers were detected in Europe alone, and the incident affects 6.3% of vulnerable NetScalers. Although Citrix has issued a patch, the backdoor remains on already-compromised servers, since patching does not remove it.

Defending Your Data: The Vital Role of Multi-Factor Authentication

The growth of cyber threats puts sensitive data at significant risk, and conventional password-centric security has shown its limitations against sophisticated attacks. Multi-Factor Authentication (MFA) goes beyond passwords, adding an extra layer of defense by combining diverse authentication factors such as passwords and tokens. This article covers how to deploy MFA and safeguard data against unauthorized access.

Bronze Starlight Group Targets Gambling Sector with Cobalt Strike Beacons

Bronze Starlight is targeting the Southeast Asian gambling sector using Cobalt Strike beacons. Exploiting Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan vulnerabilities, the threat actors inject Cobalt Strike via DLL hijacking. The campaign uses a malware loader, AdventureQuest.exe, that bears Ivacy VPN's signature, while the injected DLL files resemble the HUI Loader variants used by APT10 and TA410.

Promo
Immutable & Air-Gapped Veeam Cloud Backup, DR, Replication, Spin-up in the cloud $10 Per TB

Veeam Cloud immutable backup and DR with built-in automated policy-based air-gap technology, spin-up in the cloud for fast-track recovery and enterprise-level ransomware protection, starting at $10/TB per month.

Immutable or regular cloud storage for backup, archiving documents, images and videos just like OneDrive, and sharing and archiving unstructured data, starting at $5/TB per month.

A 24/7 Smart Protect plan is available for your complete support needs. Pay month-to-month, with no long-term contract.

All Datacenters are Certified for CJIS, HIPAA, SOC 2, ISO 27001, PCI-DSS.

For demos and details, contact us.


Weekly Ransomware Roundup

Aug 7 - 11, 2023

Cybercriminals Use EvilProxy Phishing Kit to Target Executive Microsoft 365 Accounts

EvilProxy is a phishing-as-a-service (PhaaS) toolkit that lowers the barrier to phishing and enables large-scale attacks. Discovered in September 2022, it can breach accounts on major platforms. Threat actors use EvilProxy to target influential figures in organizations and carry out account takeover attacks. The kit was used against thousands of Microsoft 365 accounts from March to June 2023, with 39% of compromised users being top executives.

Voter Data of 40 Million Britons Exposed in U.K. Electoral Commission Breach

The U.K. Electoral Commission suffered a year-long cyberattack in which the voter data of around 40 million people was accessed. Attackers breached the Commission's servers in Aug 2021 and gained access to critical systems; the intrusion was discovered in Oct 2022. Stolen data includes names, addresses, emails, contact numbers, and electoral registers.

Yashma Ransomware Strikes Several English-Speaking Nations

A new threat actor has been using a unique Yashma ransomware variant to target several English-speaking countries since June 4, 2023. Yashma is a rebrand of Chaos ransomware and has been known since May 2022. The attacker retrieves the ransom note from a GitHub repository using an embedded batch file, which makes detection harder. The ransom note resembles that of the infamous WannaCry ransomware, a choice engineered to obscure the threat actor's identity and impede attribution.

QakBot Operators Extend C2 Infrastructure with 15 New Servers

QakBot malware operators have set up 15 new command-and-control (C2) servers. Like Emotet and IcedID, QakBot uses layered C2 nodes that obfuscate its activity. It typically goes dormant over the summer and resumes in September. C2 nodes and Tier 2 (T2) nodes are hosted in the U.S., India, Mexico, and Venezuela to add resilience to the infrastructure.

Finance Industry at Risk: Navigating the Ransomware Threat Landscape

Ransomware's grip on the finance sector grows stronger by the day. Cybercriminals target vital data, customer details, and transactions for unlawful gain. Beyond monetary losses, these attacks erode trust and reputation. Safeguarding financial data is key to digital resilience, especially given ransomware's impact on customer trust.

ScarCruft Uses OpenCarrot to Target Russian Missile Engineering Firm

NPO Mashinostroyeniya, a Russian missile company, faced a dual cyberattack from two separate North Korean groups: ScarCruft and the Lazarus Group. The breach involved compromising an email server and deploying OpenCarrot, a tool linked to Lazarus. ScarCruft is associated with the Ministry of State Security, and Lazarus with the Reconnaissance General Bureau. According to experts, this convergence signals strategic espionage.

Promo
100TB Immutable and Air-Gapped Scale Out NAS Appliance for $8,995

100TB enterprise SSO NAS appliance with air-gap and immutable delta-based snapshots for ransomware protection, support for unlimited NAS clients, a range of data services, and built-in S3 cloud connect for $8,995.

Gen 10, 8-bay 2U rackmount appliance with a 7x14TB enterprise SAS drive pack, 10-core storage virtualization engine, 32GB system memory, 12Gb SAS hardware RAID controller, and 800W Platinum-certified hot-swappable power supply.

All enterprise data services, such as snapshots, tiering, encryption, sync and async replication, CIFS/SMB and NFS support, cloud connect to Azure Hot/Cool Blob and AWS S3, and erasure coding, are included.

A 1-year warranty and support are included in this price.

For demos and details, contact us.


Weekly Ransomware Roundup

July 31 - Aug 4, 2023

NodeStealer Targets Facebook Business Accounts and Crypto Wallets

Researchers have discovered a Python variant of the NodeStealer malware targeting Facebook business accounts. The attack starts with deceptive Facebook messages that lure victims with free budget-tracking templates. Once a user downloads and opens the ZIP file, the malware activates, steals sensitive information, and downloads additional malware. The attackers employ User Account Control bypass techniques and abuse MetaMask credentials for cryptocurrency theft. The stolen data is exfiltrated via the Telegram API to cover their tracks.

Amazon Web Services (AWS) SSM Agent Abused as a Remote Access Trojan

Experts have discovered a new post-exploitation technique in AWS that misuses the AWS Systems Manager Agent (SSM Agent) as a remote access trojan. Attackers who already hold high-privilege access on an endpoint running SSM Agent can maintain control and carry out malicious activity while evading endpoint security solutions. The technique involves hijacking the SSM Agent, leveraging Linux namespaces, and abusing the SSM proxy feature.

APT Actors Target Ivanti EPMM with Zero-Day Exploits, CISA and NCSC-NO Issue Joint Advisory

CISA and NCSC-NO have issued a joint advisory on APT actors exploiting CVE-2023-35078 in Ivanti EPMM, using compromised SOHO routers as proxies. The vulnerability exposes PII and allows manipulation of configuration settings; chained with CVE-2023-35081, it can cause further damage. Exploited as a zero-day since April 2023, the flaw was used in targeted attacks against Norwegian entities, including the government network.

SpyNote Trojan Campaign Targets European Bank Customers

Cybercriminals are using the SpyNote banking trojan to target European bank customers. The malware is delivered through email phishing or smishing campaigns and combines RAT capabilities with vishing. Users are tricked into installing a supposed banking app that redirects them to the legitimate TeamViewer QuickSupport app; the attackers then gain remote access to the victim's device and stealthily install SpyNote. The trojan can harvest sensitive information, including geolocation, keystrokes, screen recordings, and SMS messages, the last of which lets it bypass SMS-based 2FA.

Defending Your Data: The Vital Role of Multi-Factor Authentication

Protecting sensitive data from sophisticated cyber threats is essential in today's digital landscape, and traditional password-based security is no longer enough. Multi-factor authentication (MFA) is a vital control for strengthening data protection. By combining passwords with tokens, MFA provides an extra layer of defense against unauthorized access and reduces the risk of data breaches and intrusions.

Space Pirates Commit Cyber Espionage Across Russia and Serbia

The "Space Pirates" hacking group has been conducting cyberattacks against organizations in Russia and Serbia, including government agencies and the aerospace, healthcare, and energy sectors. The attackers use the Deed RAT malware to retrieve additional plug-ins from a remote server and deliver next-stage payloads such as Voidoor. They also employ publicly available tools and the Acunetix web vulnerability scanner to identify network vulnerabilities.

Promo
98TB Immutable & Air-Gapped Veeam Backup & DR Appliance with Veeam Backup Essential Licenses for $9,995

98TB fully air-gapped and immutable Veeam backup and DR appliance with a Veeam Backup Essentials annual subscription license for $9,995.

10th Gen, 8-bay 2U rackmount unit with 7x14TB (98TB) enterprise SAS drives, 10-core storage virtualization engine, 32GB system memory, 512GB NVMe SSD, redundant hot-swappable power supply, 12Gb SAS hardware RAID controller, dual 10Gb RJ-45 ports, and fully integrated SAN, NAS, and optional S3 cloud storage.

All enterprise data services, such as immutable snapshots, hardware encryption, hardware deduplication, replication (sync and async), thin provisioning, hot/cold tiering, flash cache (NVMe+SSD), WORM (immutable policy-based vault), predictive failure, call home, and real-time performance reporting and notification, are available as an option if needed.

For demos and details, contact us.
