Weekly Ransomware Roundup
Dec 26 - 29, 2022

Vice Society Ransomware Gang Switches to a New Custom Encryption System

Vice Society, known for double-extortion attacks on its victims, is now using a new encryptor dubbed "PolyVice" that combines NTRUEncrypt asymmetric encryption with ChaCha20-Poly1305 symmetric encryption. It imports a pre-generated 192-bit NTRU public key and generates a unique 112-bit NTRU private key on each run. The resulting key pair encrypts the ChaCha20-Poly1305 symmetric keys, and the generated NTRU key pair is itself encrypted with the embedded public NTRU key so that it cannot be recovered from the victim machine. PolyVice is multi-threaded and drives the victim's CPU to full capacity to speed up encryption. It also inspects file contents to choose a speed optimization for each file and applies intermittent encryption selectively. Locked files receive the ".ViceSociety" extension, and 'AllYFilesAE' ransom notes are dropped.

Comcast Xfinity Accounts Hacked in Widespread 2FA Attacks

Threat actors are bypassing two-factor authentication to take over Comcast Xfinity customer accounts and then reset passwords for other services, such as Dropbox, Evernote, Coinbase and Gemini. The intruders obtain login credentials through credential stuffing, then defeat the 2FA prompt using a privately circulated OTP bypass for the Xfinity website. Once logged in, the attacker changes the account's secondary email address to a @yopmail.com address and resets the password. The primary Xfinity mailbox receives a notification that account details have changed, but because the password has also been changed, the victim can no longer log in to see it.

Vulnerability in YITH WordPress Plugin for Premium Gift Cards Exploited in Attacks

A vulnerability tracked as CVE-2022-45359 in the YITH WooCommerce Gift Cards premium plugin lets unauthenticated attackers upload executable files to WordPress sites, gaining remote code execution and full control of the site. Reverse engineering the exploit, researchers traced the defect to an import function running on the admin_init hook, which fires on every request to a /wp-admin/ path, whether or not the caller is logged in. The function performs neither a cross-site request forgery (CSRF) nonce check nor a capability check, so an unauthenticated attacker can submit a crafted request with the expected parameters and payload. Because no file type check is performed either, executable PHP files can be uploaded.
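The three missing controls named above, shown as an added example rather than code from the YITH plugin: a WordPress import handler on the admin_init hook that checks the caller's capability, verifies a CSRF nonce, and restricts the uploaded file type before the upload is touched. The callback and function names, the form field and nonce names, the `manage_woocommerce` capability and the CSV-only policy are assumptions chosen for illustration.

```php
<?php
// Added example: the hardened shape of a WordPress import handler on the
// admin_init hook. Not YITH code. Function, field and nonce names are
// illustrative assumptions; manage_woocommerce is WooCommerce's shop-manager capability.

add_action( 'admin_init', 'example_gc_handle_import' );

function example_gc_handle_import() {
    // admin_init fires on every /wp-admin/ request, including requests from
    // visitors without a session, so only react to our own form submission.
    if ( ! isset( $_POST['example_gc_import'] ) ) {
        return;
    }

    // Capability check: prove the caller is allowed to run an import at all.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'You are not allowed to import gift cards.', 403 );
    }

    // CSRF check: the request must carry a nonce issued to this user for this action.
    check_admin_referer( 'example_gc_import', 'example_gc_import_nonce' );

    if ( empty( $_FILES['example_gc_file']['tmp_name'] ) ) {
        wp_die( 'No import file was uploaded.', 400 );
    }

    // File type check: allow CSV only, and require the extension and the
    // detected MIME type to agree, so a .php upload cannot slip through.
    $allowed_mimes = array( 'csv' => 'text/csv' );
    $filetype = wp_check_filetype_and_ext(
        $_FILES['example_gc_file']['tmp_name'],
        $_FILES['example_gc_file']['name'],
        $allowed_mimes
    );
    if ( 'csv' !== $filetype['ext'] ) {
        wp_die( 'Only CSV files may be imported.', 415 );
    }

    // Let WordPress move the file; the same allowlist is enforced again here.
    $upload = wp_handle_upload(
        $_FILES['example_gc_file'],
        array( 'test_form' => false, 'mimes' => $allowed_mimes )
    );
    if ( isset( $upload['error'] ) ) {
        wp_die( esc_html( $upload['error'] ), 400 );
    }

    $count = example_gc_import_rows( $upload['file'] );
    wp_safe_redirect( add_query_arg( 'gc_imported', (int) $count, wp_get_referer() ) );
    exit;
}

// Reads "code,amount" rows from the CSV and sanitizes each field before use.
function example_gc_import_rows( $path ) {
    $count  = 0;
    $handle = fopen( $path, 'r' );
    if ( false === $handle ) {
        return 0;
    }
    while ( false !== ( $row = fgetcsv( $handle ) ) ) {
        if ( count( $row ) < 2 ) {
            continue;
        }
        $code   = sanitize_text_field( $row[0] );
        $amount = (float) $row[1];
        if ( '' === $code || $amount <= 0 ) {
            continue;
        }
        // Storing the gift card is out of scope here; only valid rows are counted.
        $count++;
    }
    fclose( $handle );
    return $count;
}

// Form side: the nonce field is what check_admin_referer() verifies above.
function example_gc_render_import_form() {
    echo '<form method="post" enctype="multipart/form-data">';
    wp_nonce_field( 'example_gc_import', 'example_gc_import_nonce' );
    echo '<input type="file" name="example_gc_file" accept=".csv" />';
    echo '<input type="hidden" name="example_gc_import" value="1" />';
    submit_button( 'Import gift cards' );
    echo '</form>';
}
```

The order matters: the capability check comes first so an anonymous request is rejected before any nonce or file processing, the nonce check ties the request to a form the logged-in user actually loaded, and the file type allowlist is applied both by `wp_check_filetype_and_ext()` and again by `wp_handle_upload()` so that a bypass of one does not reach the filesystem.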

U.S. President Signs Law to Safeguard I.T. Against Quantum Computing

Joe Biden has signed a law requiring federal agencies to migrate to I.T. systems that can resist quantum-enabled decryption. The law prioritizes developing applications, intellectual property, hardware, and software that can be updated to support cryptographic agility. Federal agencies must also submit an inventory of their quantum-vulnerable cryptographic systems by May 2023. NIST is to set post-quantum encryption standards within two years and is currently evaluating four candidate post-quantum encryption algorithms. Once those standards are issued, the law directs the OMB to require federal agencies to adopt them and to report annually to Congress on their progress.

What are Air-Gapped Backups and Why Should You Use Them

By isolating critical volumes from the primary environment, air-gapped networks give enterprise workloads reliable ransomware protection, which makes an air gap a necessary feature of any storage, hyperconverged infrastructure (HCI), and backup and disaster recovery (DR) solution.

Louisiana Hospital Falls Victim to the Hive Ransomware Group

Nearly 270,000 people who received care at Lake Charles Memorial Health System (LCMHS) medical centers had their data exposed in a ransomware attack by the Hive group. The attackers gained unauthorized access to the LCMHS network and stole sensitive information, including full names, dates of birth, physical addresses, patient identification numbers, medical records, payment information, health insurance information, Social Security numbers, and limited clinical information. The intruders could not, however, reach the electronic medical records system. Hive listed LCMHS on its data leak site and published allegedly stolen files, including bills of materials, contracts, medical records, papers, scans, and residents.

Promo
98TB Fully Air-Gapped & Immutable Veeam Backup and DR appliance for $8,995

98TB Veeam Backup and DR appliance with Policy based Immutability using built-in Network & Power management Controller and automated physical and logical Air-Gapped vault for $8,995.

10th Gen, 8-bay 2U Rackmount unit with 7x14TB (98TB) Enterprise SAS drives, 10 core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Redundant Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller, Dual 10Gb RJ-45 Ports, Fully Integrated SAN, NAS and optional S3 cloud storage.

All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are available as an option if needed.

For demos and hardware details, contact us.

Weekly Ransomware Roundup
Dec 19 - 23, 2022

Zerobot Malware Spreads by Exploiting Apache Vulnerabilities

The Zerobot botnet, also known as ZeroStresser, is adding modules and features to widen its attack vectors and infect new devices by exploiting vulnerabilities in Internet-exposed, unpatched Apache servers. The updated malware ships with seven new modules and seven new DDoS attack capabilities. It carries around two dozen exploits for vulnerabilities in IoT devices and web applications, and also spreads through brute-force attacks on poorly secured devices. Once it infects a system, it downloads a script called "zero" that lets it propagate to further vulnerable hosts and gives the operators initial access to victims' networks, from which DDoS attacks are launched over various protocols.

Colombian Energy Supplier EPM Hit by BlackCat Ransomware

Colombia's largest public energy, water, and gas provider, Empresas Públicas de Medellín (EPM), was attacked by BlackCat/ALPHV ransomware, disrupting operations and taking down the EPM website. The Prosecutor's Office confirmed that the attack was carried out with BlackCat ransomware, which encrypted devices and stole data. Researchers have published a sample of BlackCat's 'ExMatter' data-theft tool, which steals data from corporate networks before devices are encrypted. The stolen data is stored on attacker-controlled servers in folders named after the source device and is used for double extortion. The variant used against the Colombian target uploaded data from more than 40 devices into folders on unsecured servers that were accessible to anyone.

Play Ransomware Gang Uses New Microsoft Exchange Exploit to Breach Servers

The Play ransomware operators are using a new exploit chain, OWASSRF, to bypass Microsoft's ProxyNotShell URL rewrite mitigation and achieve remote code execution on vulnerable servers through the Outlook Web Access endpoint. Several organizations, including the German hotel chain H-Hotels, Antwerp, and Córdoba, Argentina, have been hit. The flaw abused by the newly discovered exploit is CVE-2022-41080, which allows remote privilege escalation on Exchange servers. Chained with other bugs, it can yield RCE against Exchange on-premises, Exchange Online, Skype for Business Server and even Skype for Business Online and Teams. Researchers who replicated the recorded malicious activity found Plink and AnyDesk installed on compromised servers, along with the ConnectWise remote administration software.

Glupteba Malware Has Returned After Being Disrupted by Google

Glupteba, a blockchain-enabled modular malware that infects Windows devices to mine cryptocurrency, steal credentials, and deploy proxies, is back after Google disrupted the botnet in December 2021. The new campaign uses pay-per-install networks and traffic distribution systems to spread the malware through malvertising, and relies on the Bitcoin blockchain for resilience. Because blockchain transactions cannot be erased, and because nothing can be published from the controller address without its Bitcoin private key, law enforcement cannot replace the data that address carries, making a global takeover and shutdown of the botnet impossible. This campaign also uses more Bitcoin addresses than previous operations, making the botnet even more resilient.

How is Ransomware Affecting the Healthcare Industry?

The healthcare sector continues to be a prime target for ransomware attacks. Research shows a 94% increase in ransomware attacks on organizations in the health sector. This makes it all the more necessary for healthcare organizations to prepare in advance and protect sensitive information and systems with automated backup and disaster recovery (DR). Read our blog to learn how ransomware affects healthcare institutions and how they can protect themselves against it.

GodFather Banking Trojan Targets Over 400 Banking and Crypto App Users

The GodFather banking Trojan, a successor to the Anubis malware, is targeting users of more than 400 banking and cryptocurrency apps in 16 countries. The malware serves a convincing overlay screen, also known as a web fake, on top of targeted applications, and trojanized dropper apps serve as the initial infection vector. GodFather implements C2 commands in much the same way as Anubis, using web fake, proxy, and screen capture modules. It is unusual, however, in obtaining its C2 server address by decrypting Blowfish-encrypted descriptions of actor-controlled Telegram channels. The malware records video, logs keystrokes, takes screenshots, harvests SMS and call logs, and includes native backdoor features that abuse Android's Accessibility APIs.

Promo
80TB Veeam Backup and DR appliance Fully Air Gapped & Immutable

80TB Fully Air Gapped and Immutable Veeam Backup and DR appliance with Object Lockdown Technology for ransomware protection and instant multi-VM recovery. Last 3 units at half price!

It is 2U, 8 Bay Rackmount unit with 8x10TB Enterprise SAS drives, 12 Core Storage Virtualization Engine, 128GB System Memory, 512GB NVMe SSD, Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller. Fully Integrated SAN, NAS and optional S3 cloud object storage.

This powerful 80TB DR365V site in a box leverages Veeam-integration using the built-in Air-Gapped network, power management controller repository and storage controller using fully automated and Veeam integrated isolation technology.

Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are available as an option if needed.

For demos and hardware details, contact us.

Weekly Ransomware Roundup
Dec 12 - 16, 2022

Lazarus Group Targets Crypto VIPs Using Malicious Excel Sheets

The Lazarus group is manipulating several high-volume cryptocurrency traders into installing backdoors. A joint advisory from Microsoft and Volexity reveals that the threat actors trick victims into opening an Excel spreadsheet with malicious macros. Lazarus relies on social engineering for initial access and deploys the AppleJeus backdoor. Victims receive a weaponized Excel file that contains genuine information on crypto trading fees. Its macro runs an obfuscated script that extracts a second spreadsheet, which in turn opens a PNG file containing the executables. The file logagent.exe sideloads a malicious wsock32.dll that runs the backdoor while proxying calls through the legitimate wsock32.dll.

The Clop Ransomware Uses the TrueBot Malware to Gain Access to Networks

The Silence gang is distributing Clop ransomware using Truebot and a new data exfiltration tool called Teleport. The Truebot module takes screenshots and exfiltrates Active Directory trust relationship information to plan post-infection activity, then drops Cobalt Strike beacons or the Grace malware once the host is compromised. Using Cobalt Strike, the attackers move laterally through the network before deploying Clop. In parallel, the C2 server can instruct Truebot to load shellcode or DLLs into memory, execute additional modules, uninstall itself, or download DLL, EXE, BAT, and PS1 files. The intruders then use Teleport to exfiltrate data covertly, including files from OneDrive folders and Outlook emails, and create scheduled tasks on multiple systems to execute the Clop ransomware.

Python Backdoor Deployed via Two VMware ESXi OpenSLP Vulnerabilities

Attackers are remotely controlling compromised VMware ESXi servers with a Python backdoor, gaining entry through CVE-2019-5544 and CVE-2020-3992 in ESXi's OpenSLP service and then altering the reverse HTTP proxy configuration. The backdoor adds seven lines to the local.sh file, which runs at startup and therefore survives reboots. To draw less attention, one of those lines launches a Python script saved as vmtools.py in a directory that holds VM disk images and logs. The script lets remote threat actors send password-protected POST requests to a web server, launch a reverse shell, or run a base64-encoded command payload. The reverse shell connects outbound to the threat actor, evading the firewall and network restrictions.

Windows Systems Infected with QBot Malware Using SVG Files

Threat actors are using malicious SVG images in phishing campaigns to deliver the Qakbot (Qbot) malware. The attackers use HTML smuggling: the malware is encoded inside the attachment and assembled on the victim's computer with legitimate HTML and JavaScript features. The JavaScript is smuggled inside an SVG image embedded in an HTML attachment and executes when the recipient opens that attachment. On execution, the script creates a malicious ZIP file containing an ISO image that runs the Qakbot trojan, following the typical "ISO → LNK → CMD → DLL" infection chain.

How Ransomware Attacks Affect the Healthcare Sector

The healthcare sector continues to be a prime target for ransomware attacks. Attackers seek to steal patient data and other sensitive information to sell on the dark web, which makes ransomware protection essential for healthcare organizations.

Hackers Target Japanese Politicians with New MirrorStealer Malware

The MirrorFace group is targeting Japanese politicians with a new credential stealer, 'MirrorStealer,' and the LODEINFO backdoor. The threat actors impersonate a Japanese ministry and attach decoy documents that extract WinRAR archives containing an application called K7Security Suite and the LODEINFO malware. Credentials are stolen from web browsers and email clients, stored in a .txt file in the TEMP directory, and then sent to the C2 by LODEINFO, since MirrorStealer has no exfiltration capability of its own. LODEINFO can pass commands to MirrorStealer directly in the memory of the breached system and inject them into a newly spawned cmd.exe process.

Promo
128TB Veeam, Rubrik, HYCU, Commvault Immutable and Air-gapped Object Storage Appliance for $8,995

128TB Veeam, Rubrik, HYCU, Commvault Immutable and Air-gapped fully Integrated SAN, NAS and S3 Object Storage Appliance with Ransomware protection for $8,995

It is 2U, 8 Bay Rackmount unit fully populated with 8x16TB Enterprise SAS drives, 12 Core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller.

Data services such as immutable snapshot, encryption (Hardware), Dedup (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are available as an option if needed.

For demos and hardware details, contact us.

Weekly Ransomware Roundup
Dec 5 - 9, 2022

BMC Vulnerabilities Targeted in a Supply Chain Attack, Dozens of Servers Affected

The MegaRAC Baseboard Management Controller (BMC) software from American Megatrends (AMI) has three security vulnerabilities that can allow remote code execution. The most severe, CVE-2022-40259, allows arbitrary code execution through the Redfish API with only a low level of access. The second, CVE-2022-40242, concerns a sysadmin user's password hash that can be cracked and abused to gain an administrative shell. The third, CVE-2022-2827, is a flaw in the password reset feature that lets users confirm whether accounts with specific usernames exist. Researchers warn that exploiting these vulnerabilities could lead to physical damage to servers, malware deployment, ransomware, firmware implants, and remote control of compromised servers.

New CryWiper Data Wiper Targets Russian Courts, Mayor's Offices

CryWiper targets Russian mayor's offices and courts while posing as ransomware, but it is a data wiper that destroys data beyond recovery. The CryWiper executable is a 64-bit C++ application that uses WinAPI function calls and connects to a command and control (C2) server to execute various commands. It stops critical processes belonging to MySQL and MS SQL database servers, MS Exchange email servers, and MS Active Directory web services, and it blocks RDP connections to hinder IT staff responding to the incident. Files are corrupted with output from the Mersenne Twister pseudorandom number generator, after which a ransom note is dropped demanding 0.5 Bitcoin (approximately $8,000) for a decryptor.

Sneaky Hackers Reverse Defense Mitigations When Detected

A threat group known as 'Scattered Spider' is breaching telecommunications companies using legitimate tools while evading detection, persistently maintaining access, reversing defenders' mitigations, and pivoting to further targets. The actors gain initial access to corporate networks through social engineering, then breach internal systems, access and steal subscriber information, and carry out operations such as SIM swapping. They impersonate IT employees to obtain credentials, send messages that redirect targets to a custom phishing site, or combine MFA push-notification fatigue with social engineering to extract codes from victims. By exploiting CVE-2021-35464, the attackers run code with elevated privileges and then move laterally using reconnaissance data, downloading user lists from breached tenants, abusing WMI, and using SSH tunneling and domain replication.

Hackers Employing New Fantasy Data Wiper in Coordinated Supply Chain Attack

Several organizations in Israel, Hong Kong, and South Africa have been attacked by the Agrius APT group using a new data wiper, 'Fantasy'. The attackers gain access with stolen credentials and collect information from inside the breached network. To spread the wiper to other hosts, Agrius deploys Host2IP and the 'Sandals' tool, which writes a batch file and connects to systems on the same network over SMB. The wiper enumerates all drives and their directories, skipping the Windows folder, then overwrites files with random data, changes their timestamps and deletes them. Finally, it deletes itself, overwrites the master boot record and reboots the system.

What to Consider when Implementing DRaaS for Ransomware Protection

Gartner reports that downtime can cost more than $5,600 a minute, which is why every business needs a reliable backup and disaster recovery solution. Disaster Recovery as a Service (DRaaS) provides cost-effective recovery in the cloud and is an efficient enterprise data protection option for tackling downtime and data security challenges. Here is what backup administrators need to know to choose and set up a DRaaS solution that works for them.

The "Zombinder" Platform Binds Malware with Legitimate Applications

Researchers have discovered a darknet platform, dubbed Zombinder, that lets threat actors embed malware in legitimate Android apps while preserving the original app's full functionality. It has been used to distribute several malware families through both Windows and Android campaigns. Victims are lured by sites impersonating Wi-Fi authorization portals, which prompt them to download either a Windows or an Android version of an application; the Android version is a legitimate APK bound to malware. The bound malware drops the Ermac payload for Android, which performs keylogging and overlay attacks, steals Gmail emails and cryptocurrency wallet seed phrases, and intercepts 2FA codes.

Promo
64TB Veeam, Rubrik, HYCU, Commvault Immutable & Air-gapped Object Storage Appliance $6,995

64TB Veeam, Rubrik, HYCU, Commvault immutable and air-gapped fully Integrated SAN, NAS and S3 object storage appliance with ransomware protection for $6,995.

It is 2U, 8 Bay Rackmount unit with 4x16TB Enterprise SAS drives, 12 Core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller.

Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are available as an option if needed.

For demos and hardware details, contact us.

Join our mailing list to receive the latest news, updates, and promotions from StoneFly.