
Weekly

Ransomware Roundup

June 27 - July 01, 2022

Microsoft Exchange Servers Worldwide Hit by Stealthy New Backdoor

Researchers have identified new stealth malware, dubbed SessionManager, that threat actors have been using for the past 15 months to backdoor Microsoft Exchange servers belonging to government and military organizations. SessionManager poses as a legitimate module for Internet Information Services (IIS), which is installed by default on Microsoft Exchange servers. Such malicious IIS modules can deploy powerful, persistent, and stealthy backdoors. Once installed, they respond to specifically crafted HTTP requests sent by the operator, instructing the server to collect emails, harvest credentials, and deliver additional payloads. Read more
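Because a malicious IIS module is registered in the same place as legitimate ones, one defensive check is to list every native module IIS loads and flag any whose DLL lives outside the trusted IIS directories. The following Python script is an added example, not code from the original page or from StoneFly; it parses the `<globalModules>` section of an IIS `applicationHost.config`. The embedded configuration sample is constructed for the example, and the module named `ExampleSuspiciousModule` and its path are invented to show what the check reports. The trusted-prefix list and the default config path are assumptions to be adjusted for the server being audited.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample of the <globalModules> section of an IIS applicationHost.config.
# The last entry is a hypothetical rogue module (name and path invented for this example).
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="CgiModule" image="%windir%\\System32\\inetsrv\\cgi.dll" />
      <add name="RequestFilteringModule" image="%windir%\\System32\\inetsrv\\modrqflt.dll" />
      <add name="ExampleSuspiciousModule" image="C:\\Windows\\Temp\\stcore.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Directories from which native IIS modules are normally loaded (assumed baseline;
# extend it with any legitimately installed third-party module paths on your server).
TRUSTED_PREFIXES = (
    "%windir%\\system32\\inetsrv\\",
    "c:\\windows\\system32\\inetsrv\\",
    "%windir%\\microsoft.net\\",
    "c:\\windows\\microsoft.net\\",
)

# Default location of the IIS configuration file on a Windows host.
DEFAULT_CONFIG_PATH = "%windir%\\System32\\inetsrv\\config\\applicationHost.config"


def _normalize(image_path):
    """Lower-case and unify slashes so prefix comparison is case/slash-insensitive."""
    return image_path.replace("/", "\\").lower()


def find_untrusted_modules(config_xml, trusted_prefixes=TRUSTED_PREFIXES):
    """Return (name, image) pairs for native modules loaded from outside trusted directories."""
    root = ET.fromstring(config_xml)
    findings = []
    # Only <globalModules> registers native (DLL) modules; managed <modules> are separate.
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            name = add.get("name", "")
            image = add.get("image", "")
            if not any(_normalize(image).startswith(p) for p in trusted_prefixes):
                findings.append((name, image))
    return findings


def audit_config_file(path=DEFAULT_CONFIG_PATH):
    """Run the check against a real applicationHost.config on disk."""
    with open(os.path.expandvars(path), encoding="utf-8-sig") as fh:
        return find_untrusted_modules(fh.read())


if __name__ == "__main__":
    # Demonstrate against the constructed sample; on an IIS host call audit_config_file().
    for name, image in find_untrusted_modules(SAMPLE_CONFIG):
        print(f"untrusted native module: {name} -> {image}")
```

A path check alone is a starting point: a module planted inside `inetsrv` would pass it, so pair the result with an inventory of expected module names and file hashes, and review the managed `<modules>` sections as well.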

AMD Investigates Alleged 450 GB Data Theft by RansomHouse

Chip manufacturing giant Advanced Micro Devices (AMD) is investigating claims of a data breach and theft made by the extortion group RansomHouse. The cybercriminals claim to have stolen more than 450 GB in January. A portion of the stolen data leaked by RansomHouse suggests that AMD employees used weak passwords, with some even using the phrase “password” for sensitive accounts. Examination of the leaked sample revealed that AMD passwords, system information and other network files were potentially compromised. Read more

Legion Launched a Massive DDoS Attack Against Norway

Norway’s National Security Authority (NSM) confirmed that a DDoS attack took down some of the country’s most important websites and services. A DDoS attack is a type of cyberattack that overwhelms servers with constant requests and garbage traffic, rendering the hosted sites and services inaccessible. The attacks were aimed at large companies that offer essential services to the population. NSM did not explicitly attribute the attacks to a threat actor, but the Legion group published a list of targeted Norwegian organizations on its Telegram channel. Read more

How to Plan for and Recover from Ransomware

Reports suggest that ransomware attacks target a business every 11 seconds. How does ransomware infiltrate a corporate network? How do you make sure your critical information is safe from ransomware attacks? And what should you do in the event of a successful ransomware attack? Find the answers and more on the StoneFly website. Read more

AstraLocker 2.0 Infects Users Directly from Email Attachments

AstraLocker has recently released its second version, which enables rapid attacks by dropping payloads directly from email attachments. AstraLocker 2.0 uses a Word document that hides an OLE object containing the ransomware payload; the embedded executable uses the filename “WordDocumentDOC.exe”. AstraLocker chooses OLE objects instead of VBA macros and packs the executable with SafeEngine Shielder v2.4.0.0, an old and outdated packer that is very difficult to reverse. An anti-analysis check also reveals that the malware can encrypt systems using the Curve25519 algorithm. Read more

Microsoft Azure FabricScape Bug Lets Hackers Hijack Linux Clusters

Researchers have disclosed details of a new security flaw affecting Microsoft's Service Fabric that could be exploited to obtain elevated permissions and seize control of all nodes in a cluster. Azure Service Fabric is Microsoft's platform-as-a-service (PaaS) and container orchestrator solution for building and deploying microservices-based cloud applications across clusters. The issue, dubbed FabricScape (CVE-2022-30137), allows an attacker with access to a compromised container to gain elevated privileges and take control of the host SF node and the entire cluster. The issue has been remediated as of June 14, 2022, in Service Fabric 9.0 Cumulative Update 1.0, and Microsoft has asked customers to update their Linux clusters to the most recent Service Fabric release. Read more

Promo
400TB Fully Air Gapped & Immutable Veeam Backup and DR appliance for $22,995

400TB Fully Air Gapped and Immutable Veeam backup and DR appliance with Object Lockdown Technology for Ransomware protection & Instant multi VM recovery for $22,995.

Fully Populated 36-bay 4U Rackmount unit, 25x16TB (400TB) Enterprise SAS drives, 10 core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller. Fully Integrated SAN, NAS and optional S3 cloud object storage.

All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are available as an option if needed.

For hardware specifications and demos, contact us.


Weekly

Ransomware Roundup

June 20 - 24, 2022

Critical PHP Vulnerability Exposes QNAP NAS Devices to Remote Attacks

QNAP has warned its customers that its NAS devices, when running non-default configurations, are vulnerable to attacks exploiting a three-year-old critical PHP vulnerability that allows remote code execution. The vulnerability, identified as CVE-2019-11043, is reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 when combined with an improper nginx configuration. Read more

Russian Hacker Group APT28 Hit Ukraine with Cobalt Strike and CredoMap

Russian hacking group APT28 is exploiting the CVE-2022-30190 vulnerability, aka “Follina”, in new phishing campaigns to install CredoMap and Cobalt Strike beacons. The threat actors are sending emails with a malicious document named "Nuclear Terrorism A Very Real Threat.rtf”. Opening the document, or viewing it in the Windows preview pane, triggers the malicious downloads. The malware aims to steal information stored in the Chrome, Edge, and Firefox web browsers, such as account credentials and cookies. Finally, it exfiltrates the stolen data over the IMAP email protocol, sending everything to the C2 address, which is hosted on an abandoned Dubai-based site. Read more

Log4Shell Exploits Still Being Used to Hack VMware Servers for Data Exfiltration

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Coast Guard Cyber Command (CGCYBER), released a joint advisory warning of continued attempts by threat actors to exploit the Log4Shell flaw (CVE-2021-44228) in VMware Horizon servers to breach target networks. As part of this exploitation, the suspected APT actors implanted loader malware on compromised systems, with embedded executables enabling remote command-and-control (C2). The attackers could also move laterally inside the victim network, obtain access to a disaster recovery network, and collect and exfiltrate sensitive data. Read more

Chinese Hackers Use Ransomware as Decoy for Cyber Espionage

Two Chinese hacking groups are conducting cyber espionage and stealing intellectual property while deploying ransomware as a decoy to cover up their malicious activities. The two clusters of hacking activity are identified as "Bronze Riverside" (APT41) and "Bronze Starlight" (APT10). Both use a newer version of HUI Loader to deploy the remote access trojans PlugX, Cobalt Strike, and QuasarRAT. The new HUI Loader is also capable of hooking Windows API calls and disabling Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI). Read more

What are Immutable Backups and Why are they Necessary?

Immutable backups prevent ransomware from maliciously encrypting business-critical data. This makes immutability a necessary feature for healthcare, law, finance, banking, education, and manufacturing, industries that are constantly targeted by ransomware. Learn more about immutable backups and why they are necessary. Read more

Yodel Confirms Cyberattack is Disrupting Delivery

Services of the U.K.-based delivery company Yodel have been disrupted by a cyberattack that caused delays in parcel distribution and prevented customers from tracking their orders online. The company stated that no customer payment information had been affected because it does not hold or process this data. Yodel has not published any details of the attack itself, but confirmed there was an incident through an FAQ on its website. Read more

Promo
42TB - $149 Air-Gapped & Immutable Veeam, Rubrik, CommVault, Site Recovery Backup & DR appliance

42TB Air-gapped & Immutable Veeam, Rubrik, CommVault, Site Recovery, Backup and DR appliance with Object Lockdown Technology, Ransomware protection for $149 per month in 4-year term.

4-bay 1U Rackmount unit with 3x14TB Enterprise SAS drives, 10 Core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller. Fully Integrated SAN, NAS and Native S3 cloud object storage.

All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification can be included.

For hardware specifications and demos, contact us.


Weekly

Ransomware Roundup

June 13 - 17, 2022

New Phishing Campaign Delivers 'Matanbuchus' Ransomware to Infect Devices with Cobalt Strike

Security experts have noticed a new malicious spam campaign that delivers the 'Matanbuchus' malware to drop Cobalt Strike beacons on compromised machines. Cobalt Strike is a penetration testing suite that is frequently abused by threat actors for lateral movement and to drop additional payloads. Matanbuchus is a malware-as-a-service (MaaS) offering that launches executables directly in system memory. The malware's features include running custom PowerShell commands, leveraging standalone executables to load DLL payloads, and establishing persistence by adding scheduled tasks. Read more

QNAP NAS Devices Targeted in Another Wave of Ransomware Attacks

The operators of the eCh0raix ransomware, also known as QNAPCrypt, have launched another wave of attacks against QNAP network-attached storage (NAS) devices. The threat actors gain access to QNAP devices through known vulnerabilities or by brute-forcing weak passwords set on the device. This new wave of attacks picked up after QNAP recently published an advisory for three vulnerabilities, identified as CVE-2018-19943, CVE-2018-19949, and CVE-2018-19953, that allow attackers to inject malicious code or achieve remote code execution. Read more

Sophos Firewall Zero-Day Bug Exploited by Chinese Hackers

Chinese hackers used a zero-day exploit for a critical-severity vulnerability in Sophos Firewall (18.5 MR3 (18.5.3) and earlier) to compromise a South Asian company and breach cloud-hosted web servers operated by the victim. The zero-day flaw is tracked as CVE-2022-1040, an authentication bypass vulnerability that can be used to execute arbitrary code remotely. The threat actors used the exploit to install webshell backdoors and malware that would enable infecting external systems outside the network protected by the Sophos Firewall. Read more

What is BCDR – A Guide to Business Continuity and Disaster Recovery

Business continuity and disaster recovery (BCDR) are essential parts of a risk management and recovery plan. But what are the differences between the two? How do you develop and implement a BCDR policy? Read more

Extortion Gang Ransoms Shoprite, the Largest Supermarket Chain in Africa

Shoprite Holdings, Africa's largest supermarket chain, has been hit by a ransomware attack. Last Friday, the company disclosed that it had suffered a security incident, warning customers in Eswatini, Namibia, and Zambia that their personal information might have been compromised in a cyberattack.
The compromised data included names and ID numbers, but no financial information or bank account numbers. The ransomware gang known as RansomHouse took responsibility for the attack, posting an evidence sample of the 600 GB of data it claims to have stolen from the retailer during the attack. Read more

Blue Mockingbird Exploits Telerik Flaws to Deploy Cobalt Strike

The threat actor ‘Blue Mockingbird’ targeted Telerik UI vulnerabilities to install Cobalt Strike beacons and mine Monero by hijacking system resources. The exploited flaw is CVE-2019-18935, a critical-severity deserialization vulnerability that leads to remote code execution in the Telerik UI library. The threat actors are able to acquire the encryption keys needed for exploitation either through another vulnerability in the target web app or by using CVE-2017-11317 and CVE-2017-11357. Deploying Cobalt Strike then allows easy lateral movement within the compromised network, data exfiltration, account takeover, and deployment of more potent payloads such as ransomware. Read more

Promo
70TB - $7,995 Air-Gapped & Immutable Veeam, Rubrik, CommVault, site recovery Backup & DR appliance

70TB expandable up to 4PB air-gapped & Immutable Veeam, Rubrik, CommVault, Site Recovery, Backup and DR appliance with Object Lockdown Technology for Ransomware protection for $7,995.

8-bay 2U Rackmount unit with 5x14TB Enterprise SAS drives, 10 Core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller. Fully Integrated SAN, NAS and Native S3 cloud object storage.

All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are included.

For hardware specifications and demos, contact us.


Weekly

Ransomware Roundup

June 6 - 10, 2022

Iranian Hackers Target Energy Sector with DNS Backdoor

The Iranian Lycaeum APT hacking group, also known as Hexane or Spilrin, is using a new .NET-based DNS backdoor to conduct DNS hijacking attacks against companies in the energy and telecommunication sectors. DNS hijacking is a redirection attack that relies on DNS query manipulation to send a user who attempts to visit a legitimate site to a malicious clone hosted on a server under the threat actor's control. Any information entered on the malicious website, such as account credentials, is shared directly with the threat actor. Read more

Vice Society Ransomware Claims Attack on Italian City of Palermo

The Vice Society ransomware group has attacked the city of Palermo in Italy, causing a large-scale service outage. The cyberattack rendered internet-dependent services unavailable, impacting 1.3 million people and the many tourists visiting the city. Vice Society claimed responsibility for the attack on Palermo by posting an entry on its dark web data leak site, threatening to publish all stolen documents if a ransom is not paid. Read more

Hello XD Ransomware Dropping Backdoor While Encrypting Data

Cybersecurity researchers have reported increased activity of the Hello XD ransomware, whose operators are now deploying an upgraded sample featuring stronger encryption. The malware's author has created a new encryptor that features custom packing for detection avoidance and encryption algorithm changes. The ransomware operators are also using an open-source backdoor named MicroBackdoor to navigate the compromised system, exfiltrate files, execute commands, and wipe traces. When executed, Hello XD attempts to disable shadow copies to prevent system recovery and then encrypts files, adding the .hello extension to file names. Read more

NAS Security: What to Expect and How to Secure your NAS

With cybercriminals continuously coming up with new ways to target your NAS, making sure that your file storage and sharing environment is safe is an ever-growing challenge for SMBs, SMEs, and large enterprises alike. What NAS security challenges should you expect in 2022? And how can you secure your NAS from these threats? Read more

Confluence Servers Hacked to Deploy AvosLocker Ransomware

Ransomware gangs are now targeting a recently patched remote code execution (RCE) vulnerability affecting Atlassian Confluence Server and Data Center instances. By performing mass scans across networks, AvosLocker threat actors search for vulnerable machines and deploy the ransomware. If successfully exploited, the OGNL injection vulnerability (CVE-2022-26134) enables unauthenticated attackers to take over unpatched servers remotely by creating new admin accounts and executing arbitrary code. Read more

Qbot Malware Uses Windows MSDT Zero-Day in Phishing Attacks

A critical Windows zero-day vulnerability, known as Follina, is being exploited in ongoing phishing attacks to infect recipients with Qbot malware. The TA570 Qbot affiliate uses malicious Microsoft Office .docx documents to infect recipients with Qbot. The attackers use hijacked email thread messages with HTML attachments that download ZIP archives containing IMG files. Inside the IMG, the targets find DLL, Word, and shortcut files. While the shortcut file directly loads the Qbot DLL already present in the IMG disk image, the blank .docx document reaches out to an external server to load an HTML file that exploits the Follina flaw to run PowerShell code, which downloads and executes a different Qbot DLL payload. Read more

Promo
70TB - $7,995 Air-Gapped & Immutable Veeam, Rubrik, CommVault, site recovery Backup & DR appliance

70TB expandable up to 4PB air-gapped & Immutable Veeam, Rubrik, CommVault, Site Recovery, Backup and DR appliance with Object Lockdown Technology for Ransomware protection for $7,995.

8-bay 2U Rackmount unit with 5x14TB Enterprise SAS drives, 10 Core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller. Fully Integrated SAN, NAS and Native S3 cloud object storage.

All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are included.

For hardware specifications and demos, contact us.


Weekly

Ransomware Roundup

May 30 - June 3, 2022

Chinese LuoYu Hackers Deploy Cyber-Espionage Payload via App Updates

A Chinese-speaking hacking group known as LuoYu is infecting victims with the WinDealer information stealer, deployed by swapping legitimate app updates for malicious payloads in man-on-the-side attacks. To do so, the threat actors actively monitor their targets' network traffic for update requests from popular Asian apps such as QQ, WeChat, and WangWang and replace the responses with WinDealer installers. The malware can install backdoors to maintain persistence, manipulate files, scan for other devices on the network, and run arbitrary commands. Read more

Conti Ransomware Targets Intel’s Management Engine for Stealth Attacks

The Russian-linked cybercriminal group Conti has created proof-of-concept code that leverages Intel’s Management Engine to overwrite flash and gain System Management Mode (SMM) execution. This allows Conti to access the flash memory that hosts the UEFI/BIOS firmware, bypass write protections, and perform arbitrary code execution on the compromised system. The final goal would be to drop an SMM implant that runs with the highest possible system privileges (ring-0) while remaining practically undetectable by OS-level security tools. Read more

Industrial Spy Hacks Corporate Websites to Show Ransom Notes

Industrial Spy, a recently launched marketplace that sells stolen data, has adopted a new extortion strategy of displaying ransom notes publicly on its victims’ websites. As part of its attacks, Industrial Spy breaches networks, steals data, and deploys ransomware on devices. The threat actors then threaten to sell the stolen data on their Tor marketplace if a ransom is not paid. On June 2nd, the threat actor began selling 200 GB of data it claims was stolen from a French company named SATT Sud-Est for $500,000. Read more

A New Windows Search Zero-Day Vulnerability Found in Microsoft Protocol

Experts have identified a new Windows Search zero-day vulnerability that can be used to automatically open a search window containing remotely hosted malware executables simply by launching a Word document. The issue can be leveraged because Windows supports a URI protocol handler called 'search-ms' that allows applications and HTML links to launch customized searches on a device. While most Windows searches look in the local device's index, it is also possible to force Windows Search to query file shares on remote hosts and to use a custom title for the search window, which allows threat actors to weaponize Word documents and launch remotely hosted malware. Read more

Log Archiving: What Challenges to Expect and How to Overcome Them

From event logs to network access to user actions, logs contain records that provide vital information, which makes it important for businesses to analyze and store them. Even a small business’s IT system can generate gigabytes of log data per day, adding up to several terabytes per month. To manage these logs effectively and ensure cost-effective retention for compliance and data analytics, log archiving is necessary. However, traditional archive systems, such as tape arrays, consume time, rack space, dedicated IT staff, and resources, which makes them inefficient and insecure. Read more

Lockbit Ransomware Attack Disrupted Operations at Foxconn’s Mexico Site

Smartphone manufacturing giant Foxconn has confirmed that a ransomware attack disrupted operations at one of its Mexico-based production plants. The affected plant specializes in the production of medical devices, consumer electronics and industrial equipment. LockBit, a prominent ransomware-as-a-service (RaaS) operation, has claimed responsibility for the attack and is threatening to leak data stolen from Foxconn unless a ransom is paid. Read more

Promo
128TB Fully Air Gapped & Immutable Veeam Backup and DR appliance for $9,995

128TB Fully Air Gapped Veeam backup and DR appliance with Immutable Object Lockdown Technology for Ransomware protection & Instant multi VM recovery for $9,995.

8-bay 2U Rackmount unit, 8x16TB (128TB) Enterprise SAS drives, 10 core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller. Fully Integrated SAN, NAS and optional S3 cloud object storage.

All Enterprise Data services such as immutable snapshot, automated air-gapping, encryption (Hardware), Dedup (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), Immutable policy-based vault, Predictive failure, call home, Real-time performance, report, and notification are included.

For hardware specifications and demos, contact us.
