
Weekly Ransomware Roundup
July 25 - 29, 2022

Cyberspies use Google Chrome Extension to Steal Emails Undetected

A North Korean-backed threat group tracked as Kimsuky is using a malicious browser extension to steal emails from Google Chrome and Microsoft Edge users as they read their webmail. The extension, dubbed SHARPEXT, supports three Chromium-based browsers (Chrome, Edge, and Whale) and can steal mail from Gmail and AOL accounts. After compromising a target's system, the attackers install the extension with a custom VBS script that replaces the browser's 'Preferences' and 'Secure Preferences' files with versions downloaded from the malware's command-and-control server. Once the replacement preference files are in place, the browser loads SHARPEXT automatically.
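Because SHARPEXT is registered by swapping in attacker-supplied preference files rather than by a Web Store install, the profile's own preference JSON is the place a defender can look for it. The following audit script is an added example for this roundup, not code from the original post or from the researchers who analysed SHARPEXT. It parses the extension settings block that Chromium keeps in Preferences / Secure Preferences and flags entries that do not look like ordinary Web Store installs. The field names (extensions.settings, from_webstore, location, path) follow Chromium's preference layout; the integer location codes are an assumption taken from the Chromium source, and the sample profile data, extension IDs and paths are constructed for the example.

```python
"""Audit a Chromium profile's Preferences / Secure Preferences for sideloaded extensions."""
import json
import ntpath
import os
import posixpath

# Chromium records each installed extension under extensions.settings.<id>.
# The integer "location" codes below are an assumption taken from Chromium's
# ManifestLocation enum; the roundup itself does not state them.
LOCATION_UNPACKED = 4      # loaded from a directory on disk, not from the Web Store
LOCATION_COMMAND_LINE = 8  # loaded with --load-extension


def is_absolute_path(path: str) -> bool:
    """Accept both Windows and POSIX path styles, since profiles come from either host type."""
    return posixpath.isabs(path) or ntpath.isabs(path)


def audit_extensions(prefs_text: str) -> list:
    """Return (extension_id, reasons) pairs for entries that look sideloaded.

    Web Store installs are recorded with a path relative to the profile's
    Extensions directory ("<id>/<version>"), from_webstore=true and an internal
    location code. An absolute path, from_webstore=false, or an unpacked /
    command-line location is what a replaced preferences file registering an
    extension staged elsewhere on disk would look like.
    """
    prefs = json.loads(prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("from_webstore is false")
        if entry.get("location") in (LOCATION_UNPACKED, LOCATION_COMMAND_LINE):
            reasons.append("unpacked or command-line location")
        path = entry.get("path", "")
        if is_absolute_path(path):
            reasons.append(f"absolute code path: {path}")
        if reasons:
            findings.append((ext_id, reasons))
    return findings


def audit_profile(profile_dir: str) -> list:
    """Run the audit against a real profile directory, checking both preference files."""
    findings = []
    for name in ("Preferences", "Secure Preferences"):
        full = os.path.join(profile_dir, name)
        if os.path.exists(full):
            with open(full, encoding="utf-8") as fh:
                findings.extend(audit_extensions(fh.read()))
    return findings


# Constructed sample (not a real profile): one ordinary Web Store extension and
# one entry registered from a temp directory. IDs and paths are made up.
SAMPLE_PREFS = json.dumps({
    "extensions": {
        "settings": {
            "aaaabbbbccccddddeeeeffffgggghhhh": {
                "from_webstore": True,
                "location": 1,
                "path": "aaaabbbbccccddddeeeeffffgggghhhh/2.3.1_0",
                "state": 1,
            },
            "ppppoooonnnnmmmmllllkkkkjjjjiiii": {
                "from_webstore": False,
                "location": LOCATION_UNPACKED,
                "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
                "state": 1,
            },
        }
    }
})

if __name__ == "__main__":
    for ext_id, reasons in audit_extensions(SAMPLE_PREFS):
        print(ext_id, "->", "; ".join(reasons))
```

Run `audit_profile()` against each user's profile directory from an endpoint inventory job rather than once by hand: an extension that appears with an absolute path and `from_webstore` false on a machine where nobody develops extensions is worth a ticket, and comparing today's output with yesterday's catches a preference file that was replaced in between.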

LockBit Claims to Have Breached Italy’s Internal Revenue Service Servers

The LockBit ransomware gang claims to have stolen as much as 100 GB of data from the servers of Italy’s Internal Revenue Service (L’Agenzia delle Entrate). According to the group, the stolen data includes company documents, scans, financial reports, and contracts, which it threatens to publish if a ransom is not paid. SOGEI SPA, a public company wholly owned by the Ministry of Economy and Finance that manages the technological infrastructure of the financial administration, has denied all claims of a ransomware attack on the Italian tax agency.

Hackers Steal $6 Million from Blockchain Based Music Platform Audius

The decentralized, blockchain-based music platform Audius was hacked over the weekend, with threat actors stealing over 18 million AUDIO tokens worth approximately $6 million. According to experts, the attacker exploited a bug in the smart contract initialization code that allowed the initialize functions to be invoked repeatedly. The attacker then submitted four governance proposals; three failed and one passed, transferring the bulk of the Audius community pool to an external wallet under their control.

What is BCDR – A Guide to Business Continuity and Disaster Recovery

With a ransomware attack targeting an organization every 11 seconds, how does a backup administrator put together a BCDR plan that ensures business continuity and quick disaster recovery? Find the answers to this and other related questions on the StoneFly blog.

LinkedIn Phishing Targets Employees Managing Facebook Ad Accounts

Researchers have identified a new phishing campaign, dubbed ‘Ducktail’, that targets social media professionals on LinkedIn who hold administrative privileges, with the goal of taking over the Facebook Business accounts that manage ads for the victims' companies. The campaign uses social engineering to induce victims to download files hosted on legitimate cloud services such as Dropbox or iCloud; the archives contain JPEG images alongside an executable made to look like a PDF document. The executable is a .NET Core file that bundles all of its required dependencies, allowing it to run on any computer. When executed, the malware scans for browser cookies in Chrome, Edge, Brave, and Firefox, collects system information, and steals Facebook credentials by crawling Facebook pages to capture multiple access tokens.

Hackers Exploit PrestaShop Zero-Day Flaw to Steal Payment Data from Online Stores

Malicious actors are exploiting a previously unknown security flaw, tracked as CVE-2022-36408, in the PrestaShop e-commerce platform to inject skimmer code that steals sensitive information. Successful exploitation lets an attacker submit a specially crafted request that grants the ability to execute arbitrary instructions; in this case, the attackers inject a fake payment form into the checkout page to harvest credit card details.

Promo
1PB Fully Air Gapped & Immutable Veeam Backup and DR appliance for $995

1PB, expandable up to 4PB, fully air-gapped and immutable Veeam backup and DR appliance with File and S3 Object Lockdown Technology for ransomware protection and instant multi-VM recovery, for $995/month on a 5-year term.

This Veeam-ready 1PB DR365V leverages Veeam Backup & Replication with a built-in, fully automated immutable and air-gapped network, optional power management and storage controller, and a Veeam hardened repository.

Fully populated 1U 4-bay head unit plus a 60-bay 4U JBOD, filled with a total of 64x16TB (1,024 TB) enterprise SAS drives; 10-core storage virtualization engine, 64GB system memory, 512GB NVMe SSD, hot-swappable power supply, and 12Gb SAS hardware RAID controller. Fully integrated SAN, NAS, and optional S3 cloud object storage.

Data services such as immutable snapshots, hardware encryption, hardware deduplication, synchronous and asynchronous replication, thin provisioning, hot/cold tiering, flash cache (NVMe SSD), WORM (immutable policy-based vault), predictive failure, call home, and real-time performance reporting and notifications are available as options.

For demos and hardware details, contact us.


Weekly Ransomware Roundup
July 18 - 22, 2022

Neopets Data Breach Exposes Personal Information of 69 Million Users

The popular virtual pet website Neopets has suffered a data breach in which source code and a database containing the personal information of over 69 million members were stolen. The threat actor “TarTarX” posted an ad on a dark web marketplace offering the entire database and source code for 4 BTC ($94,000). The data includes sensitive personal information such as dates of birth, countries of residence, IP addresses, genders, names, and email addresses. Neopets confirmed the breach in a tweet on Thursday.

Building materials giant Knauf hit by Black Basta ransomware gang

The Knauf Group has announced that it was the target of a cyberattack that disrupted its business operations, forcing its global IT team to shut down all IT systems to isolate the incident. Knauf is a German multinational building and construction materials producer that holds approximately 81% of the world’s wallboard market. The firm operates 150 production sites in several countries and owns the U.S.-based Knauf Insulation and USG Corporation. Black Basta has claimed responsibility and has published 20% of the files it allegedly exfiltrated during the attack, which over 350 visitors have accessed.

New Luna Ransomware Encrypts Windows, Linux, and ESXi Systems

A new ransomware named Luna was discovered by Kaspersky security researchers on a dark web ransomware forum. Luna can encrypt Windows, Linux, and ESXi systems. The command-line ransomware is simple and appears to be under development, with limited capabilities. Because it is written in Rust, the ransomware is largely platform-agnostic and can be ported to additional platforms with only minor changes to the source code.

FC SAN vs iSCSI SAN: What’s the Difference?

Fibre Channel (FC) or Internet Small Computer Systems Interface (iSCSI) as the Storage Area Network (SAN) protocol? Which is faster, costs less, and is easier to implement and use? While storage vendors push Fibre Channel as the faster option, iSCSI has become the industry's standard SAN protocol since its introduction.

Hacking Group '8220' Grows its Botnet to Hijack Cloud Compute Resources

The 8220 hacking group, known for infecting AWS, Azure, GCP, Aliyun, and QCloud hosts, has been exploiting Linux and cloud application vulnerabilities and has grown its botnet to more than 30,000 hosts. After gaining access, the attackers use SSH brute-forcing to spread further and hijack available compute resources to run cryptominers that point to untraceable pools. To obscure the real destination of the mined currency, the group uses a fake FBI subdomain whose IP address points to a Brazilian federal government domain. 8220 also uses a custom cryptominer, PwnRig, based on the open-source Monero miner XMRig.

Candiru Uses Chrome zero-day to infect journalists with spyware

The Israeli spyware vendor Candiru is using a zero-day vulnerability in Google Chrome to spy on journalists and other high-interest individuals in the Middle East with its 'DevilsTongue' spyware. The vulnerability, CVE-2022-2294, is a memory corruption bug in Chrome's WebRTC component that leads to shellcode execution. The threat actors also use XSS (cross-site scripting) attacks to redirect selected targets to the exploit server. According to Avast's report, the data collected from victims included their language, time zone, screen information, device type, browser plugins, referrer, device memory, and cookie functionality.

Promo
304TB Fully Air Gapped & Immutable Veeam Backup and DR appliance for $449

304TB, expandable up to 4PB, fully air-gapped and immutable Veeam backup and DR appliance with Object Lockdown Technology for ransomware protection and instant multi-VM recovery, for $449/month on a 48-month term.

This DR365V site-in-a-box leverages Veeam integration with built-in immutable File and S3 object storage, an air-gapped network, optional power management and storage controller, and a fully automated Veeam hardened repository.

24-bay 4U rackmount unit with 19x16TB (304TB) enterprise SAS drives, 10-core storage virtualization engine, 64GB system memory, 512GB NVMe SSD, hot-swappable power supply, and 12Gb SAS hardware RAID controller. Fully integrated SAN, NAS, and optional S3 cloud object storage.

All enterprise data services, such as immutable snapshots, hardware encryption, hardware deduplication, synchronous and asynchronous replication, thin provisioning, hot/cold tiering, flash cache (NVMe+SSD), WORM (immutable policy-based vault), predictive failure, call home, and real-time performance reporting and notifications, are available as options.

For demos and hardware details, contact us.


Weekly Ransomware Roundup
July 11 - 15, 2022

Mangatoon Data Breach Exposes Data of 23 Million Accounts

The comic reading platform Mangatoon has suffered a data breach that exposed information on 23 million user accounts. The well-known hacker "pompompurin" claimed to have stolen the data from an unsecured database that was using weak credentials. The breach exposed names, email addresses, genders, social media account identities, authentication tokens from social logins, and salted MD5 password hashes.

Bandai Namco Confirms Hack After BlackCat Ransomware Data Leak Threat

Bandai Namco, the Japanese publisher of popular video games, has confirmed that it suffered a cyberattack that may have compromised customers' personal data. The BlackCat ransomware gang (aka ALPHV) claimed responsibility for the attack. Written in Rust, the ALPHV/BlackCat ransomware is entirely command-line driven, human-operated, and highly configurable, with the ability to use different encryption routines, spread between computers, kill virtual machines and ESXi VMs, and automatically wipe ESXi snapshots to prevent recovery.

New Ransomware Lilith Emerges and Targets First Victim

Researchers have found a new ransomware named 'Lilith’ targeting its first victim, a large construction group based in South America. Lilith is a C/C++ console-based ransomware that performs double-extortion attacks, stealing data before encrypting it. Upon execution, Lilith terminates processes including Outlook, SQL, Thunderbird, Steam, PowerPoint, WordPad, Firefox, and more, releasing the file locks held by those applications so that their files can be encrypted. Before encryption, Lilith creates and drops ransom notes in every enumerated folder.

Backups aren’t Enough – Here’s Why Air-Gapping and Immutability are Necessary

Ransomware attacks exploit vulnerabilities, infiltrate corporate networks, and encrypt all connected devices and stored data, including production systems, virtual environments, and backup servers. This makes backups alone an insufficient means of protecting data from ransomware, which is why automated air-gapping and immutability are necessary.

Phishing Kit Targets PayPal Victims for Full ID Theft

A new phishing kit is targeting PayPal users and stealing a large set of personal information. The threat actor targets poorly secured websites and brute-forces their logins using a list of common credentials. A file management plugin is then installed that allows the phishing kit to be uploaded to the breached site. The site presents victims with a CAPTCHA to create a false sense of legitimacy. Logging in automatically delivers the credentials to the threat actor. The phishing scheme then employs various mechanisms to collect the user’s personal data, including credit card information, billing details, and even personal documents.

Hackers Impersonate Cybersecurity Firms in Callback Phishing Attacks

A callback phishing campaign has been impersonating cybersecurity firms to lure its victims. The phishing email claims that the recipient’s firm has been breached and urges them to call the provided phone number to stay protected. The threat actors then use legitimate RATs for initial access and off-the-shelf penetration testing tools for lateral movement, data extortion, and ransomware deployment. At present, researchers cannot confirm the ransomware variant used in the campaign; however, the callback operators are believed to be linked to the Quantum ransomware group.

Promo
42TB Air-Gapped & Immutable Veeam, Rubrik, CommVault, Site Recovery Backup & DR appliance $5,995

42TB air-gapped and immutable Veeam, Rubrik, CommVault, Site Recovery, backup and DR appliance with Object Lockdown Technology and ransomware protection for $5,995.

4-bay 1U rackmount unit with 3x14TB enterprise SAS drives, 10-core storage virtualization engine, 32GB system memory, 512GB NVMe SSD, hot-swappable power supply, and 12Gb SAS hardware RAID controller. Fully integrated SAN, NAS, and native S3 cloud object storage.

All enterprise data services, such as immutable snapshots, hardware encryption, hardware deduplication, synchronous and asynchronous replication, thin provisioning, hot/cold tiering, flash cache (NVMe+SSD), WORM (immutable policy-based vault), predictive failure, call home, and real-time performance reporting and notifications, can be included.

For demos and hardware details, contact us.


Weekly Ransomware Roundup
July 04 - 08, 2022

Quantum Ransomware Attacks Professional Finance Company

Professional Finance Company Inc. (PFC), which serves thousands of healthcare, government, and utility organizations across the U.S., has confirmed that a ransomware attack led to a data breach affecting over 600 healthcare organizations. Before encrypting PFC’s systems, the attackers accessed files containing patients’ first and last names, addresses, accounts receivable balances, and information about payments made to accounts. The attackers behind the operation are linked to the Conti/Quantum ransomware sub-group and use Cobalt Strike, exfiltrating data with command-line tools.

QNAP Warns of New Checkmate Ransomware Targeting NAS Devices

QNAP has warned of a new family of ransomware targeting its NAS devices through weak passwords. Threat actors use brute-force attacks to break into accounts with weak passwords on QNAP devices that have the SMB service enabled. After gaining access, they can encrypt files in shared folders. QNAP recommends disabling the SMB 1 service, using a VPN to access the NAS, and updating the operating system to the latest version to reduce the attack surface.

Ransomware Groups Transition from Cobalt Strike to Brute Ratel

Hacking groups and ransomware operations are transitioning from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit to evade detection by EDR and antivirus solutions. Like Cobalt Strike, Brute Ratel is an adversarial attack simulation tool that lets attackers deploy 'Badgers' on remote hosts. These Badgers connect back to the attacker's command-and-control server to receive commands to execute or to transmit the output of previously run commands. The tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities.

OrBit Stealth Malware Steals Data from Linux Devices

Researchers have found a new Linux stealth malware that steals information from backdoored Linux systems. Dubbed “OrBit”, the malware hijacks shared libraries to intercept function calls by modifying the LD_PRELOAD environment variable on compromised devices. It can gain persistence while blocking removal attempts, or it can be deployed as a volatile implant when copied into shim memory. After deployment, OrBit hooks various functions to evade detection, control process behavior, maintain persistence by infecting new processes, and hide the network activity that would reveal its presence.
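Library preloading is the mechanism OrBit relies on, and it leaves two inspectable traces on a Linux host: the system-wide /etc/ld.so.preload file and the LD_PRELOAD variable in a process's environment. The script below is an added example for this roundup (not code from the original post or from the OrBit researchers) that reads both sources, lists every preloaded library, and marks the ones living outside the distro's library directories or behind a hidden path component. The SYSTEM_LIB_DIRS list and the "hidden component" heuristic are the author's assumptions, and the sample preload file and environment blobs are constructed, not real captures.

```python
"""Audit a Linux host for shared-library preloading via /etc/ld.so.preload or LD_PRELOAD."""
import os

# Directories where a distro's own libraries live (assumption; adjust per distro).
# Treat this as a starting point, not an allowlist: a hijacking library can be
# dropped into a system directory too, so the stronger signal is that anything
# is preloaded at all on a host where you do not expect it.
SYSTEM_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def parse_environ_blob(blob: bytes) -> dict:
    """Parse the NUL-separated contents of /proc/<pid>/environ into a dict."""
    env = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def is_suspicious_library(path: str) -> bool:
    """True for a preload path outside SYSTEM_LIB_DIRS or containing a hidden (dot) component."""
    hidden = any(part.startswith(".") for part in path.split("/") if part)
    return hidden or not path.startswith(SYSTEM_LIB_DIRS)


def preload_indicators(ld_so_preload_text: str, proc_environs: dict) -> list:
    """Return (source, pid, library, suspicious) tuples.

    ld_so_preload_text: contents of /etc/ld.so.preload ("" if the file is absent).
    proc_environs: {pid: raw bytes of /proc/<pid>/environ}.
    """
    findings = []
    for line in ld_so_preload_text.splitlines():
        lib = line.split("#", 1)[0].strip()  # the file allows comments
        if lib:
            findings.append(("ld.so.preload", None, lib, is_suspicious_library(lib)))
    for pid, blob in proc_environs.items():
        value = parse_environ_blob(blob).get("LD_PRELOAD")
        if value:
            # The dynamic loader accepts both colon- and space-separated lists.
            for lib in value.replace(":", " ").split():
                findings.append(("LD_PRELOAD", pid, lib, is_suspicious_library(lib)))
    return findings


def scan_live_system() -> list:
    """Collect the real inputs from this host and run the check (needs read access to /proc)."""
    try:
        with open("/etc/ld.so.preload", encoding="utf-8") as fh:
            preload_text = fh.read()
    except FileNotFoundError:
        preload_text = ""
    environs = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                with open(f"/proc/{name}/environ", "rb") as fh:
                    environs[int(name)] = fh.read()
            except OSError:  # process exited, or not ours to read
                continue
    return preload_indicators(preload_text, environs)


# Constructed sample inputs (not real captures): a preload file pointing at a
# hidden library under /dev/shm, one process using fakeroot's legitimate preload
# library, and one process with no LD_PRELOAD at all.
SAMPLE_LD_SO_PRELOAD = "# constructed sample\n/dev/shm/.x/libhide.so\n"
SAMPLE_ENVIRONS = {
    1234: b"PATH=/usr/bin\0LD_PRELOAD=/usr/lib/libfakeroot/libfakeroot.so\0HOME=/root\0",
    4321: b"PATH=/usr/bin\0HOME=/home/user\0",
}

if __name__ == "__main__":
    for source, pid, lib, suspicious in preload_indicators(SAMPLE_LD_SO_PRELOAD, SAMPLE_ENVIRONS):
        flag = "SUSPICIOUS" if suspicious else "review"
        print(f"{flag:10} {source:13} pid={pid} {lib}")
```

Two caveats when using `scan_live_system()` in practice: a malware that hooks libc's file and directory functions, as the roundup describes, can hide its own entries from a scanner running on the same host, so corroborate from a clean boot medium or from a host-based agent that reads the disk directly; and tools such as fakeroot legitimately use LD_PRELOAD, so the "review" findings need a baseline rather than an automatic alert.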

NAS Security: What to Expect and How to Secure Your NAS

Whether it’s Deadbolt ransomware encrypting thousands of NAS devices, or Qlocker or Quantum ransomware exploiting known vulnerabilities in a popular NAS operating system, NAS appliances are consistently among the most sought-after targets of ransomware attacks. Read our guide on what to expect when securing your NAS and how to do so effectively.

Fake copyright complaints push IcedID malware using Yandex Forms

Website owners are being targeted with fake copyright infringement complaints that use Yandex Forms to distribute the IcedID banking malware. The threat actors use a website's contact page to send legal threats that convince recipients to download a report of the offending material. These reports allegedly contain proof of DDoS attacks or copyrighted material used without permission, but instead infect the target's device with malware including BazarLoader, BumbleBee, and IcedID.

Promo
100TB SSO NAS Appliance with Automated Ransomware Protection for $7,995

100TB SSO NAS appliance with built-in air-gapped and immutable storage repositories and a power management controller to protect against ransomware and malware, with free shipping, for $7,995.

8-bay 2U rackmount appliance with 7x14TB (56TB) enterprise SATA drives, high-performance hardware RAID controller, 8-core storage virtualization engine, 32GB system memory, and 600W Platinum-certified power supply.

Optional enterprise-level data services include snapshots, tiering, encryption, synchronous and asynchronous replication, CIFS/SMB and NFS support, hot/cool blob, erasure coding, and cloud integration with AWS S3 and Azure.

1-year warranty, 9x5 tech support, and free shipping included. For demos and hardware details, contact us.
