Weekly
Feb 20 - 24, 2023
Stealc is a new information stealer that is being promoted on the dark web. It targets web browser data, extensions, and cryptocurrency wallets, and has a customizable file grabber. Stealc relies on other established stealers and uses legitimate third-party DLLs for data theft and communications with its C2 servers. The malware is also distributed through YouTube videos that describe how to install pirated software. Read more
The Earth Kitsune threat group is using a new backdoor called WhiskerSpy to target victims through a watering hole technique by luring them from pro-North Korean websites. The backdoor grants remote access to the victim's computer, allowing the attackers to execute various commands such as file download, interactive shell, delete, upload, and take screenshots. Earth Kitsune also uses a Google Chrome extension and OneDrive side-loading vulnerabilities for persistence in their campaigns. Read more
Researchers have created a demonstration exploit for a recently disclosed remote code execution vulnerability (CVE-2022-39952) in Fortinet's FortiNAC network access control suite. An attacker could use this vulnerability to gain the highest privileges by writing arbitrary files on the system. Horizon3 experts have detailed the vulnerability and released a proof-of-concept (PoC) exploit code on GitHub, which involves creating a ZIP archive that carries the payload and sending it to the target endpoint using the key parameter. The exploit then writes a cron job to trigger a root reverse shell, giving attackers remote code execution capabilities. Read more
Cybercriminals are using OpenAI's ChatGPT chatbot to spread malware through phishing websites and fake ChatGPT apps. The attackers deceive users into clicking on links that redirect them to malicious websites and promote harmful software like Spynote malware. Researchers have identified several domains delivering various types of malware, including Redline, Aurora, and Lumma stealers. Moreover, the attackers are using a fraudulent page to steal sensitive financial information. Read more
Enterprise cybersecurity is critical to prevent potential damages like financial loss, legal issues, and data breaches. Cyber threats like malware, phishing, and insider threats can compromise an organization's sensitive data and cause operational disruptions. Prioritizing cybersecurity measures and adopting best practices can help enterprises safeguard their systems and data. To learn more about the current state of enterprise data security and effective data protection strategies, read further.
North Korean APT37 group is using a new malware strain called M2RAT, which leaves few traces on the infected machine. The malware uses shared memory sections for command and data exfiltration and spreads via phishing emails. M2RAT performs various malicious activities such as keylogging, data theft, command execution, and taking screenshots. The malware also scans for portable devices and exfiltrates data to the attacker's server using password-protected RAR archives to make it difficult to recover and analyze. Read more
210TB Veeam Backup and DR appliance with Policy based Immutability using built-in Network & Power management Controllers and automated physical and logical Air-Gapped vault for $14,995.
Gen 10, 16-bay, 3U Rackmount unit with 15x14TB (210TB) Enterprise SAS drives, 10 core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Redundant Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller, Dual 10Gb RJ-45 Ports, Fully Integrated SAN, NAS and optional S3 cloud storage.
All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are available as an option if needed.
For appliance demos, specifications, and quotes contact us.
Weekly
Feb 13 - 17, 2023
The Domain registrar Namecheap experienced a hack on its email account through phishing emails pretending to be from MetaMask and DHL. The emails targeted recipients' personal information and cryptocurrency wallets by luring them to enter their recovery phrase or private key. The incident is linked to the exposure of API keys from SendGrid, MailChimp, and Mailgun in mobile applications. As victims reported the attack on Twitter, Namecheap suspended all emailing through SendGrid, which was used to send promotional and renewal emails and started investigating the issue with their upstream provider. Read more
Security experts have identified five harmful packages on the Python Package Index (PyPI) designed to steal sensitive information from unsuspecting developers. The packages contain the 'W4SP Stealer' malware, which targets passwords, Discord authentication cookies, and cryptocurrency wallets. The malware can search for specific keywords and attempts to steal them using the "transfer.sh" file transfer service. The W4SP Stealer malware then sends stolen data to the threat actor's server through a Discord webhook. Researchers have found that some of the keywords were in French, which suggests the threat actors could be from France. Read more
Over 3.3 million patients had their personal health information stolen during a ransomware attack on Regal Medical Group, one of the largest medical groups in Southern California. The attack affected several affiliated medical groups and compromised patients' personal information, including names, addresses, Social Security numbers, diagnosis and treatment details, birthdates, laboratory test results, prescription information, radiology reports, health plan member numbers, and phone numbers. The incident was reported to the Department of Health and Human Services and is the largest breach reported in 2023 on the HIPAA Breach Reporting Tool website.
Read more
Hackers are using a new variant of the Xorist ransomware family named MortalKombat along with a crypto hijacker Laplas to launch a wave of cyberattacks primarily in the United States, with victims also identified in the UK, Turkey, and the Philippines. The malware can be used to commit financial fraud, extort victims and steal cryptocurrency. Cybercriminals use a malicious ZIP attachment in deceptive emails to deliver the malware payloads. The MortalKombat ransomware encrypts various files, systems, applications, databases, backups, and VMs, and drops a ransom note with instructions for negotiating with the attackers. While not equipped with a wiper, the ransomware can cause damage by corrupting system folders and disabling system applications. Read more
With ransomware attacks becoming increasingly common in today's IT environment, the 3-2-1 rule alone may not suffice for backing up data. To enhance data protection, immutability and monitoring must be included in your data protection plan. Veeam ONE v12 provides these features to strengthen the 3-2-1 rule and safeguard your data against cyber threats. Learn more about how you can protect your data with Veeam ONE v12.
Read more
North Korean APT37 group is using a new malware strain called M2RAT, which leaves few traces on the infected machine. The malware uses shared memory sections for command and data exfiltration and spreads via phishing emails. M2RAT performs various malicious activities such as keylogging, data theft, command execution, and taking screenshots. The malware also scans for portable devices and exfiltrates data to the attacker's server using password-protected RAR archives to make it difficult to recover and analyze. Read more
128TB Veeam, Rubrik, HYCU, Commvault Immutable and Air-gapped Fully Integrated SAN, NAS and S3 Object Storage Appliance with Ransomware protection for $8,995.
It is 2U, 8 Bay Rackmount unit fully populated with 8x16TB Enterprise SAS drives, 12 Core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller.
Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are available as an option if needed.
For appliance demos, specifications, and quotes contact us.
Weekly
Feb 6 - 10, 2023
A zero-day vulnerability in Internet-exposed GoAnywhere MFT administrator consoles is being actively exploited, with the exploit code being released. This allows unauthenticated remote code execution, with nearly 1,000 instances of GoAnywhere being exposed on the Internet and 140 being vulnerable on ports 8000 and 8001. The company has not yet released any security updates to fix the vulnerability, but Fortra has provided indicators of compromise and recommended disabling the licensing service for protection. Read more
The new ESXiArgs ransomware now encrypts larger amounts of data, making it difficult to recover encrypted VMware ESXi virtual machines. The new variant has encrypted over 3,000 Internet-exposed VMware ESXi servers. Unlike before, the encryption process involves using a script that searches for specific file extensions and encrypts the data in 1 MB increments, leaving most of the data encrypted. The new wave of attacks also changed the ransom note by removing bitcoin addresses. The recovery script provided by Cybersecurity and Infrastructure Security Agency (CISA) may no longer be effective for those affected by the new encryption routine. Read more
The QakNote malware, also known as QBot, is using Microsoft OneNote attachments to infect systems. The malware gains access to devices, loads further malware, steals data and carries out other attacks. Attackers use phishing emails with OneNote attachments that contain VBS attachments or LNK files, which are executed when the user clicks on the attachment. The malware uses OneNote files with embedded HTML applications (HTA files) that are distributed through emails with an embedded link or hijacking existing email threads. Social engineering tactics are used to entice the user to click after which the HTA file retrieves the QBot payload and saves it in the C:\ProgramData folder. Read more
The Medusa DDoS botnet has resurfaced with added features including a ransomware module, Telnet brute-forcer, and Linux targeting abilities. The updated variant is being offered as a MaaS (malware-as-a-service) for DDoS attacks and mining. The ransomware component encrypts files and adds the ".medusastealer" extension, but the encryption method is faulty and turns the ransomware into a data wiper that deletes all system files after 24 hours and demands a 0.5 BTC ransom. The botnet also includes a data exfiltration tool to gather information about victims and estimate resources for DDoS and mining.
The healthcare sector is a prime target for hackers due to the confidential patient information and medical records they store. Ransomware attacks on the sector have increased 94% making it imperative for healthcare providers to use automated air-gapped and immutable backup and disaster recovery to protect their sensitive information and systems. This article highlights the impact of ransomware on healthcare institutions and provides ways for healthcare organizations to protect themselves from these attacks.
Read more
The Royal Ransomware group has updated their malware to include the capability to encrypt Linux devices and specifically VMware ESXi virtual machines. The new variant can be executed through the command line and has various options for the ransomware operators to control the encryption process. It appends the ".royal_u" extension to encrypted files. The U.S. Department of Health and Human Services has issued a warning that the Royal ransomware is targeting organizations in the Healthcare and Public Healthcare sector that use VMware ESXi on Linux systems. Read more
100TB Fully Air Gapped and Immutable Veeam Backup and DR appliance with Object Lockdown Technology for Ransomware protection & Instant multi VM recovery. Last 4 units on half price!
It is 2U, 8 Bay Rackmount unit with 6x16TB Enterprise SAS drives, 12 core Storage Virtualization Engine, 128GB System Memory, 512GB NVMe SSD, Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller. Fully Integrated SAN, NAS and optional S3 cloud object storage.
Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are available as an option if needed.
For appliance demos, specifications, and quotes contact us.
Weekly
Jan 30 - Feb 3, 2023
Hackers have deployed a new malware, SwiftSlicer, that destroys Windows domains by overwriting crucial files. The malware was discovered in a cyberattack on Ukraine's national news agency, Ukrinform, believed to be carried out by the Sandworm hacking group linked to Russia's military intelligence. SwiftSlicer is spread using Active Directory Group Policy, allowing it to execute scripts and commands on all devices in the Windows network. The malware wipes shadow copies, drivers, and critical files, including the Active Directory database, and targets the NTDS folder to bring down the entire Windows domain. Read more
UK-based sports apparel retailer JD Sports suffered a data breach in one of its servers, exposing information of 10 million customers, including names, addresses, billing details, phone numbers, email addresses, and the last four digits of payment cards. The company claims that complete payment card information and passwords were not stored on the impacted server, however, historical order records were present and could increase the risk of a data leak. JD Sports also confirmed that its sub-brands, including Millets, Blacks, Scotts, and MilletSport, were impacted by the breach. The company has reported the incident to authorities. Read more
Security researchers have revealed a vulnerability in VMware vRealize Log Insight that could allow remote code execution on unpatched systems. This is due to four security flaws, two of which are critical and can be used by remote attackers to execute code on affected devices. The vulnerabilities can be linked to gain full control of the system. Since VMware vRealize appliances are typically not exposed to the internet, they may be exploited in compromised networks for lateral movement. Researchers warn that threat actors may quickly adopt the exploit or develop their own versions. Read more
A new malware called HeadCrab is using infected Redis servers to mine Monero. The malware has compromised over 1,200 servers due to the unsecured default settings. The attacker uses the "SLAVEOF" command to deploy HeadCrab and take control of the server, adding it to the botnet. HeadCrab operates in memory and erases logs, only communicating with attacker-controlled servers, making it difficult to detect. The attacker uses mining pools hosted on previously infected servers, making attribution challenging.
Ransomware attacks have surged in recent years, fueled by the lack of data protection, outdated IT systems, advanced attack methods, and the COVID-19 pandemic. Despite awareness of the growing threat, many companies still lack proper cybersecurity measures. Here is a comprehensive overview of the state of cybersecurity, highlighting the ransomware statistics and trends for 2022. Read more
Nevada ransomware is attacking Windows and VMware ESXi systems and operates through a Rust-based locker, a negotiation portal, and domains on the Tor network. The Windows version gathers information and encrypts shared directories with the MPR.dll, and uses the Salsa20 algorithm for encryption while excluding some system files. Files are encrypted with ".NEVADA" extension, and a ransom note is left in each folder after encryption. The Linux/VMware ESXi version uses the same encryption algorithm and techniques, but bugs may allow for data recovery without paying ransom. The ransomware operators buy access to compromised endpoints and use a post-exploitation team for intrusion. Read more
1PB fully air-gapped and immutable Veeam backup and DR appliance with object lockdown technology for ransomware protection & instant multi VM recovery for $62,995.
This powerful DR365V site in a box leverages Veeam integration using the built-in air-gapped network, power management controller and storage controller using fully automated Veeam integrated isolation technology.
Fully populated 60-bay 4U JBOD plus 1U, 4 bay head unit with total of 64x16TB (1,024 TB) enterprise SAS drives, 10-core storage virtualization engine, 64GB system memory, 512GB NVMe SSD, hot-swappable power supply, 12Gb SAS hardware RAID controller. Fully integrated SAN, NAS and optional S3 cloud object storage.
For appliance demos, specifications, and quotes contact us.