
Weekly

Ransomware Roundup

June 26 - 30, 2023

Widescale Credential Stealing Attacks Linked to Midnight Blizzard, Microsoft Issues Warning

Microsoft has disclosed credential-stealing attacks by the hacking group Midnight Blizzard, which uses residential proxy services to mask its IP addresses while targeting governments, IT service providers, NGOs, and critical sectors. The group employs password spraying, brute-force attacks, and token theft, along with session replay attacks, to gain access to cloud resources. These attacks align with the spear-phishing campaign by APT28 and the exploitation of a Microsoft Outlook zero-day flaw. Read more

Anatsa Banking Trojan Hits Users in the US, UK, Germany, Austria, and Switzerland

The Anatsa banking trojan is targeting banking customers in multiple countries. It steals credentials used for mobile banking transactions, enabling fraudulent transactions that go undetected. Anatsa is delivered through a dropper app, disguises itself as a harmless utility app, and targets over 400 financial institutions worldwide. It bypasses fraud control measures and uses overlay attacks to steal credentials. Anatsa has targeted users in the U.S., U.K., Germany, Austria, Switzerland, Italy, France, the U.A.E., South Korea, Australia, Sweden, Finland, Singapore, and Spain. Read more

Trojanized Super Mario Game Deploys SupremeBot & Umbral Stealer and Mines Monero

Cybercriminals are distributing a trojanized Super Mario 3: Mario Forever game through social media groups, malvertising, and Black SEO techniques. The compromised installer includes two malicious executables. One executable functions as a Monero miner, while the other establishes a command-and-control connection to transmit information and receive mining configurations. The malware also retrieves an information-stealing payload, which captures browser data, credentials, screenshots, and media. To evade detection, the malware can disable Windows Defender if tamper protection is not enabled. Read more

From Production to Protection: Securing Manufacturing Against Ransomware

Recent developments in the manufacturing industry have merged operational technology (OT) and information technology (IT). However, this digital transformation has also allowed threat actors to target these systems. Ransomware attacks have been on the rise, with the manufacturing sector being a prime target. A staggering 21% of all ransomware attacks are aimed at manufacturing companies. Read why manufacturers are at risk, and learn practical steps to protect your business from ransomware.

Fortinet’s FortiNAC Vulnerable to Remote Code Execution, Fortinet Issues Emergency Patches

Fortinet has addressed a critical security vulnerability (CVE-2023-33299) in its FortiNAC network access control solution. The flaw involves Java untrusted object deserialization, enabling unauthorized code execution. Patches have been released for affected versions. Another vulnerability (CVE-2023-33300) with improper access control has also been resolved. These updates followed a previously exploited vulnerability in FortiOS and FortiProxy discovered by CODE WHITE and added to the KEV catalog by CISA. Read more

JokerSpy macOS Backdoor Hits Japanese Cryptocurrency Exchange

Cybercriminals targeted a Japanese cryptocurrency exchange using a macOS backdoor called JokerSpy. The threat actors used Swiftbelt, a reconnaissance tool, and the JokerSpy toolkit, which uses Python and Swift programs to collect data and execute commands. The toolkit includes a self-signed binary called xcc, disguised as XProtectCheck, to check permissions and bypass TCC (Transparency, Consent, and Control) restrictions. The attack targeted a cryptocurrency service provider and may have exploited backdoored software development applications. Read more

Promo
70TB $7,995 Air-Gapped & Immutable Veeam, Rubrik, Commvault, site recovery Backup & DR appliance

70TB expandable up to 4PB Air-Gapped & Immutable Veeam, Rubrik, Commvault, Site Recovery, Backup and DR appliance with Object Lockdown Technology for ransomware protection for $7,995.

8-bay 2U Rackmount unit with 5x14TB Enterprise SAS drives, 10 Core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller. Fully Integrated SAN, NAS and Native S3 cloud object storage.

All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are included.

For appliance demos, specifications, and quotes contact us.


Weekly

Ransomware Roundup

June 19 - 23, 2023

POC Exploit Released for Cisco AnyConnect Allowing Elevated Privileges

A vulnerability in Cisco Secure Client Software for Windows allows threat actors to escalate privileges to the SYSTEM account. This flaw grants attackers elevated privileges without user interaction. Cisco has released security updates to address the issue; however, researchers have identified and reported an arbitrary file delete vulnerability in Cisco AnyConnect and published POC exploit code. The exploit takes advantage of vpndownloader.exe and the client update process to escalate privileges through arbitrary file deletion. Read more

VMware Issues Security Advisory on VMware Aria Command Injection Vulnerability

VMware has issued an urgent security advisory due to the active exploitation of a critical vulnerability (CVE-2023-20887). The flaw affects VMware Aria Operations for Networks (formerly vRealize Network Insight) and allows unauthenticated attackers to execute arbitrary commands with root privileges. The vulnerability stems from command injection when the Apache Thrift RPC interface accepts user input. There are no workarounds available, and VMware administrators must patch all vulnerable installations immediately using the provided security patches. Read more

Critical ‘nOAuth’ Authentication Flaw Affects Applications in Microsoft Azure AD

A security vulnerability dubbed "nOAuth" has been discovered in Microsoft Azure Active Directory's OAuth process, potentially leading to a complete account takeover. The flaw involves manipulating the email attribute in the "Contact Information" section of an Azure AD account and exploiting the "Log in with Microsoft" feature. By creating an administrative account and altering its email address to match the target's email, the attacker can control the victim's account through vulnerable apps or websites that use single sign-on and rely on the email claim as the user identifier. Read more
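The account-linking mistake behind nOAuth is that a relying party treats the mutable `email` claim as the user's identity. The following is an added example (not code from StoneFly, Microsoft, or the researchers who reported the flaw) that contrasts that vulnerable lookup with one keyed on the immutable tenant and subject pair; all token claims, tenant ids, and account records are constructed for illustration.

```python
"""Vulnerable vs. hardened account lookup for a 'Log in with Microsoft' flow.

Added example with constructed data. The 'tid' (tenant) and 'sub' (subject)
claims are issued by the identity provider and cannot be set by the account
holder; the 'email' claim mirrors a user-editable profile attribute.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: str                                   # relying party's own id
    email: str                                     # contact address only
    linked_ids: set = field(default_factory=set)   # (tid, sub) bound at signup


# Constructed user store: the victim signed up from her own tenant, and the
# relying party recorded the (tid, sub) pair presented at that first login.
ACCOUNTS = [Account("acct-1001", "victim@example.com",
                    {("tenant-victim", "sub-victim")})]


def lookup_by_email(claims, accounts=ACCOUNTS):
    """Vulnerable pattern: identity is whatever the 'email' claim says."""
    wanted = claims.get("email", "").lower()
    return next((a for a in accounts if a.email.lower() == wanted), None)


def lookup_by_immutable_id(claims, accounts=ACCOUNTS):
    """Hardened pattern: identity is the (tid, sub) pair; email is ignored.

    A token from another tenant, whatever email it carries, can never match an
    existing account. Tokens missing either claim are refused outright.
    """
    key = (claims.get("tid"), claims.get("sub"))
    if not all(key):
        raise ValueError("token lacks tid/sub claims; refusing to authenticate")
    return next((a for a in accounts if key in a.linked_ids), None)


# Constructed attacker token: issued by the attacker's own tenant, with the
# profile email set to the victim's address.
ATTACKER_CLAIMS = {"tid": "tenant-attacker", "sub": "sub-attacker",
                   "email": "victim@example.com", "name": "Mallory"}
# Constructed legitimate token for the victim herself.
VICTIM_CLAIMS = {"tid": "tenant-victim", "sub": "sub-victim",
                 "email": "victim@example.com"}


if __name__ == "__main__":
    hit = lookup_by_email(ATTACKER_CLAIMS)
    print("email lookup ->", hit.user_id if hit else None)        # acct-1001 (takeover)
    hit = lookup_by_immutable_id(ATTACKER_CLAIMS)
    print("tid/sub lookup ->", hit.user_id if hit else None)      # None
```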

How to Stop Ransomware Attacks from Deleting Backup Data

Backup data serves as a vital defense against the devastating consequences of ransomware attacks. However, ransomware attacks have taken a concerning turn, targeting backup data and aiming to cripple organizations by eliminating their last line of defense. Here is a blog that outlines various strategies to protect your data against ransomware and how StoneFly’s backup and disaster recovery solutions offer robust defenses against this emerging threat. Read more

Condi Malware Targets TP-Link AX21 Routers to Create DDoS Botnet

A new DDoS-as-a-Service botnet called "Condi" is exploiting a hidden vulnerability in TP-Link Archer AX21 Wi-Fi routers to build an army of compromised devices for launching DDoS attacks. The botnet operates as a "for-hire entity," allowing criminals to target websites and online services. The architects behind Condi use propagation methods such as the Android Debug Bridge (ADB), exploiting open ADB ports. The source code of Condi has been widely distributed and has spawned numerous customized variants. Read more

BlackCat Ransomware Behind Reddit Breach, Threatens to Leak Sensitive Data

The BlackCat ransomware gang, AKA ALPHV, has claimed to have orchestrated the cyberattack on Reddit in February. Using phishing, the threat actors gained unauthorized access to Reddit's systems and exfiltrated 80GB of data, including internal documents, source code, and employee records. While the primary production systems were unaffected, ALPHV attempted to extort $4.5 million from the company. Read more



Weekly

Ransomware Roundup

June 12 - 16, 2023

Shuckworm Targets Ukrainian Organizations to Commit Cyberespionage

The cyber threat actor Shuckworm has targeted Ukrainian entities, employing persistent and stealthy intrusions to exfiltrate sensitive data. Using spear-phishing tactics and information stealers like Giddome and Pterodo, the group targets security services, military establishments, and government agencies. Shuckworm's latest tactics include leveraging PowerShell scripts, USB drives, and Telegram channels. The threat actors prefer short-lived infrastructure, target human resources departments, and continue to evolve their persistence and evasion mechanisms. Read more

LockBit Ransomware Gang Extorts $91 Million, Cybersecurity Agencies Issue Urgent Warnings

LockBit ransomware has amassed a staggering $91 million through extortion payments, targeting organizations in the United States since 2020. LockBit targeted critical sectors, underwent significant upgrades, and expanded its scope to include Linux, VMware ESXi, and Apple macOS systems. The operation exploits vulnerabilities in various systems and misuses legitimate software. CISA has issued a Binding Operational Directive requiring federal agencies to secure exposed network devices and has highlighted the importance of protecting Baseboard Management Controller implementations. Read more

Skuld Malware Targets Windows PCs and Steals Discord and Browser Data

The Skuld malware has been targeting Windows systems in Europe, Southeast Asia, and the U.S. Skuld extracts sensitive information by scanning applications like Discord and web browsers, probing system data, and accessing files in user profile folders. It evades analysis by checking for virtual environments and terminates certain processes. It can harvest cookies and credentials and manipulate files related to Discord. Skuld exfiltrates data using Discord webhooks and the Gofile upload service. Read more

Critical Security Flaws Discovered in Microsoft Azure Bastion and Container Registry

Microsoft Azure Bastion and Azure Container Registry have been found to have significant security vulnerabilities that can result in cross-site scripting (XSS) attacks. The vulnerabilities stem from weaknesses in the postMessage handling of an embedded iframe, allowing unauthorized access to sessions and the execution of malicious JavaScript code. Threat actors conduct reconnaissance to identify vulnerable endpoints within the Azure portal. By embedding the iframe in a remote server, they can deliver the malicious payload to compromise sensitive data. Read more

From Production to Protection: Securing Manufacturing Against Ransomware

The manufacturing industry is experiencing significant developments in operational technology (OT) and information technology (IT), creating interconnected systems that are vulnerable to targeted attacks. Ransomware attacks have become a major concern, with 21% of all attacks targeting the manufacturing sector. Many organizations in manufacturing struggle to secure their systems against ransomware, and nearly half believe they will be affected in the near future. Read more to explore why manufacturing is a target and gain insights on how companies can prepare against ransomware and secure their infrastructure.

WordPress Stripe Payment Plugin Vulnerability Exposes Customer Order Information

The WooCommerce Stripe Gateway plugin for WordPress has a severe vulnerability (CVE-2023-34000) that allows unauthenticated users to access sensitive order details. This flaw is an unauthenticated insecure direct object reference (IDOR) issue, enabling unauthorized exposure of personally identifiable information. The vulnerability affects versions prior to 7.4.1, and a patch was released on May 30, 2023. However, many installations still run vulnerable versions, which increases the risk. Read more

Promo
Immutable & Air-Gapped Veeam Cloud Backup, DR, Replication, Spin-up in the cloud for $10 Per TB

Veeam Cloud Immutable Backup & DR with built-in automated policy-based Air-Gap technology, spin-up in the cloud for FastTrack Recovery and enterprise-level ransomware protection starting at $10/TB per month.

Immutable or regular cloud storage for backup and for archiving documents, images, and videos, just like OneDrive; share and archive unstructured data starting at $5/TB per month.

24/7 Smart Protect plan available for your complete support needs. Pay month-to-month, no long-term contract.

All Datacenters are Certified for CJIS, HIPAA, SOC 2, ISO 27001, PCI-DSS.

For appliance demos, specifications, and quotes contact us.


Weekly

Ransomware Roundup

June 5 - 9, 2023

Satacom Downloader Deployed in New Malware Campaign to Steal Cryptocurrency Using Web Injections

Cybercriminals are using the Satacom downloader to deploy stealthy malware that steals cryptocurrency. The malware targets Bybit, Coinbase, Huobi, KuCoin, and Binance. The Satacom downloader is distributed through fake websites hosting archives with an artificially inflated executable. It uses DNS requests as a command-and-control channel and downloads a browser add-on posing as a Google Drive extension. The add-on manipulates targeted cryptocurrency websites using web injections to steal crypto. The extension also hides email confirmations of fraudulent transactions. Read more

Stealthy PowerDrop Malware Targets U.S. Aerospace Industry to Exfiltrate Sensitive Data

An unidentified threat actor targeted the U.S. aerospace industry with a newly discovered PowerShell-based malware called PowerDrop, built to avoid detection. The malware serves as a post-exploitation tool and collects data from compromised networks. It communicates with a remote C2 server using ICMP echo request messages and executes encrypted commands. Results are exfiltrated in ICMP ping messages, and the malware relies on "living-off-the-land" techniques to evade detection. Read more

Cyclops Ransomware Gang Offers Go-Based Info Stealer to Cybercriminals

The Cyclops ransomware gang is offering new information stealer malware to cybercriminals. This malware gathers sensitive data from compromised systems, which can be accessed through an administrative panel that provides convenient access to stolen information. The stealer targets Windows and Linux systems, gathers data including operating system information, computer names, the number of running processes, and specific files matching certain extensions, and uploads them to a remote server. Read more

CISA Directs Government Agencies to Patch MOVEit Bug

CISA has identified a critical security bug in Progress MOVEit Transfer that allows remote attackers to execute arbitrary code through SQL injection. While exploiting the vulnerability, CVE-2023-34362, the threat actors also used a web shell called "LemurLoot" to steal Azure Blob Storage account details. Researchers have also identified possible connections with the FIN11 threat group. CISA has added the flaw to its list of known exploited vulnerabilities and directed U.S. federal agencies to patch their systems by June 23. Read more

CERT Warns of Cyberespionage Campaign Against Government Organizations in Ukraine

A cyberespionage campaign has been targeting Ukrainian government agencies and media organizations since mid-2022. The campaign uses phishing emails, text messages, and malicious applications to breach Windows machines. The attackers deploy LonePage malware through a PowerShell script, establish communication with a C2 server, and use the ThumbChop information stealer to exfiltrate data. Additional software such as the Tor browser and Secure Shell (SSH) enables unauthorized access to compromised systems. The attackers also employ various malware variants, including SeaGlow and OverJam. Read more

Array vs Host vs Hypervisor vs Network-Based Replication

Data replication techniques play a crucial role in safeguarding your valuable data assets. In our latest blog, we take a deep dive into four key replication methods: array-based replication, host-based replication, hypervisor-based replication, and network-based replication. Join us as we explore the features, use cases, advantages, and disadvantages of each technique. By gaining a better understanding of these methods, you'll be able to make informed decisions to ensure the protection and availability of your data. Read more

Promo
100TB Immutable and Air-Gapped Scale out NAS appliance for $8,995

100TB Enterprise SSO NAS appliance with Air-Gap and Immutable delta-based Snapshots for ransomware protection, support for unlimited NAS clients, a range of data services, and built-in S3 cloud connect for $8,995.

Gen 10, 8-bay 2U Rackmount appliance with 7x14TB Enterprise SAS drive pack, 10 Core Storage Virtualization Engine, 32GB system memory, 12Gb SAS Hardware RAID Controller and 800W Platinum Certified hot swappable power supply.

All Enterprise data services, such as Snapshot, Tiering, Encryption, Sync & Async Replication, CIFS/SMB and NFS support, Cloud Connect to Azure Hot / Cool Blob and AWS S3, and Erasure Coding, are included.

1 Year Warranty and Support is included in this price.

For appliance demos, specifications, and quotes contact us.
