Weekly Ransomware Roundup

Nov 28 - Dec 2, 2022

New DuckLogs Malware as a Service in the hands of Thousands of Novice Attackers

A new malware-as-a-service, 'DuckLogs', is giving low-skilled attackers access to multiple modules to carry out their schemes. DuckLogs primarily consists of an information stealer and a remote access trojan (RAT) but has more than 100 individual modules that target specific applications. The RAT can fetch files from the command and control (C2) server and run them on the host, display a crash screen, shut down, restart, log out or lock the device, and open URLs in the browser. The malware also supports Telegram notifications, encrypted logs and communication, code obfuscation, process hollowing to launch payloads in memory, a persistence mechanism, and a bypass for Windows User Account Control.

Russian Sandworm Hackers Attack Ukrainian Organizations using RansomBoggs Malware

The threat group Sandworm, responsible for the KillDisk wiper attacks, is targeting Ukrainian organizations with its new RansomBoggs malware. The ransomware is distributed by the POWERGAP PowerShell script; the .NET payload encrypts files with AES-256 in CBC mode using a random key hardcoded in the malware. It appends a .chsch extension to every encrypted file and drops a ransom note. Sandworm is also known for developing the NotPetya wiper, which caused billions of dollars of damage in June 2017.

New Redigo Malware Drops Stealthy Backdoor on Redis Servers

A new malware, Redigo, has been targeting vulnerable Redis servers, exploiting the critical vulnerability CVE-2022-0543 in Redis to plant a stealthy backdoor. The malware scans port 6379 to locate Redis servers and runs several commands to determine whether the server is vulnerable, create copies of the attacking server, download shared libraries, load modules to execute arbitrary commands, collect hardware information about the host, and finally download Redigo. The malware then executes with escalated privileges and evades detection by simulating normal Redis communication.

Dolphin Malware Works with BLUELIGHT for Reconnaissance and Scans Victims’ Devices to Steal Data

Researchers have found that the APT37 threat group has been using the Dolphin backdoor to steal files and upload them to Google Drive. Dolphin is now used in conjunction with BLUELIGHT, a reconnaissance tool and Python loader. The Python loader contains a script and shellcode that performs a multi-step XOR decryption and executes the Dolphin payload. Dolphin scans local and removable drives and uses Google Drive as a command and control (C2) server to store the stolen files. The backdoor sends its current configuration, version number, and time to the C2, exchanges keylogging and file exfiltration instructions along with credentials and encryption keys, and maintains persistence by modifying the Windows Registry.

What is Automated Backup and Why Should You Use it

An IBM study found that the average total cost of a ransomware breach is $4.62 million, which is why it is important to back up critical data so that systems can be restored after ransomware or similar cyber-attacks. Unfortunately, manual backup and restore is a complex and time-consuming process. Automated backup simplifies backup procedures and speeds up recovery. This blog explains how your organization can back up files, folders, and systems without human intervention using automated backups.

Cuba Ransomware Raked in Over $60 Million from Over 100 Victims

A joint advisory by the FBI and CISA has revealed that the Cuba ransomware gang has extorted over $60 million in ransom from more than 100 victims. According to the advisory, the threat actors are targeting U.S. financial services, government facilities, healthcare, manufacturing, and IT. The gang has expanded its tactics, techniques, and procedures and is associated with the RomCom RAT and Industrial Spy ransomware. The payload includes a 'Hancitor' downloader that drops RATs on infected systems and is delivered through phishing emails, Microsoft Exchange exploits, stolen credentials, or RDP tools. The threat actors use legitimate Windows tools such as PowerShell and PsExec to launch remote payloads and encrypt all data.

Promo
48TB SSO NAS appliance with Free Shipping & Support $6,995

48TB StoneFly XS Series ready to ship Enterprise SSO NAS appliance with Air-Gap and Immutable Snapshots option for ransomware protection and Support for Unlimited NAS Clients with built-in S3 cloud connect for $6,995.

Gen 10, 4-bay 1U Rackmount appliance with 3x16TB Enterprise 12Gb SAS drives, 10 Core Storage Virtualization Engine, 32GB system memory, 12Gb SAS Hardware RAID Controller and 500W Platinum Certified hot-swappable power supply.

All Enterprise data Services such as Snapshot, Tiering, Encryption, Sync & Async, Replication, Supports CIFS/SMB and NFS, Cloud Connect to Azure Hot / Cool Blob / AWS-S3, Erasure Coding are included. Price includes 1 Year Warranty, 9x5 Tech Support, Free Shipping & Insurance.

For demos and hardware details, contact us.

Weekly Ransomware Roundup

Nov 21 - 24, 2022

Attackers bypass Coinbase and MetaMask 2FA via TeamViewer, Fake Support Chat

Researchers at PIXM have discovered a new crypto-stealing phishing campaign targeting Coinbase, MetaMask, Crypto.com and KuCoin accounts that can bypass multi-factor authentication. The campaign uses a network of phishing websites where victims are lured by fake transaction confirmation requests or suspicious activity detection messages. After logging in, the victims are sent to a chat window where threat actors employ several social engineering tactics to extract 2FA codes from the victims to get access to their accounts and drain them.

Hackers Steal $300,000 in DraftKings Credential Stuffing Attack

DraftKings suffered a credential stuffing attack that resulted in losses of as much as $300,000. The account-hijacking pattern was a $5 deposit, a password change, activation of two-factor authentication on a different phone number, and then a withdrawal of money from the victim's linked bank account. DraftKings President and Co-founder Paul Liberman said that customers' login information had been compromised on other websites and then used to access their DraftKings accounts. DraftKings has also stated that it will compensate affected customers.

Fake MSI Afterburner Deployed to Target Windows Users with Miners and Info-stealers

Fake MSI Afterburner download pages are targeting Windows power users to infect them with Monero cryptocurrency-mining malware and the 'RedLine' information stealer. Attackers use black hat SEO to promote domains that fool users into thinking they are visiting the legitimate MSI website. Once downloaded and run, the trojanized installer installs the Afterburner program along with the RedLine information stealer and an XMR miner, which is retrieved from GitHub and injected directly into explorer.exe. The miner evades detection while RedLine steals passwords, cookies, browser data and cryptocurrency wallets.

Donut Extortion Group Targets Victims with Ransomware

The Donut extortion group, linked to attacks against DESFA, Sheppard Robson, and Sando, is deploying ransomware in its double-extortion attacks. The ransomware encrypts files with particular extensions and renames them with a '.donut' extension. It also comes with a builder consisting of a bash script that creates a Windows and Linux Electron application bundled with a Tor browser for accessing the leak sites. The ransom notes the malware drops are heavily obfuscated to avoid detection: all strings are encoded and are decoded in the browser. The notes contain the threat actors' contact details; they can be reached via TOX and a Tor negotiation site.

How to Add Air-gapping and Immutability to Veeam Backup Appliance

Even with a Veeam backup appliance, your backups are vulnerable if they are connected to the production network. If hackers gain access to the network, then they can encrypt your production and backup servers. This is why you need to add air gapping and immutability to your backups. But how exactly do you do that? Read this blog to find out.

New AXLocker Ransomware Encrypts Files and Steals Discord Accounts

The AXLocker ransomware is encrypting files and stealing the Discord accounts of infected users. The ransomware first encrypts files on the victim's device(s), including data such as documents, photos, and databases. Next, it sends the victim's ID, system details, data stored in browsers, and Discord tokens to the threat actors' Discord channel and displays a ransom note. The ransom note does not mention the ransom amount but asks victims to wait for 48 hours before they can receive payment information.

Promo
128TB Fully Air-Gapped & Immutable Veeam Backup and DR Appliance for $9,995

128TB Veeam Backup and DR appliance with Policy based Immutability using built-in Network & Power management Controllers and automated physical and logical Air-Gapped vault for $9,995.

Gen 10, 8-bay 2U Rackmount unit with 8x16TB (128TB) Enterprise SAS drives, 10 core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Redundant Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller, Dual 10Gb RJ-45 Ports, Fully Integrated SAN, NAS and optional S3 cloud storage.

All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are available as an option if needed.

For demos and hardware details, contact us.

Weekly Ransomware Roundup

Nov 14 - 18, 2022

Hundreds Infected with 'Wasp' Stealer in Ongoing Supply Chain Attack

Security researchers have identified an ongoing supply chain attack that uses malicious Python packages to distribute the Wasp information stealer. The attackers copy existing popular libraries and inject a malicious ‘import’ statement into them that infects the victim’s machine with a script that runs in the background. The script fetches the victim’s geolocation and contains a modified version of the information stealer. The malware can steal Discord account information, passwords, credit card data, crypto wallets, and local files.

APT Threat Actors Compromise US Federal Network

According to a joint advisory published by the FBI and CISA, an APT threat group compromised a Federal Civilian Executive Branch (FCEB) organization using an exploit for the Log4Shell flaw (CVE-2021-44228) and deployed crypto-mining malware. The hackers breached an unpatched VMware Horizon server to gain remote code execution and installed the XMRig cryptominer. The attackers then moved laterally, gaining access to the domain controller, compromising credentials, and implanting Ngrok reverse proxies on several hosts to maintain persistence.

Magento Stores Targeted in Massive Surge of Trojan Orders Attacks

Sansec has warned of a surge in cyberattacks targeting CVE-2022-24086, a mail template vulnerability affecting Adobe Commerce and Magento stores. The bug is an improper input validation flaw in the checkout process that can be exploited without authentication to achieve arbitrary code execution. The threat actors first probe Magento and Adobe Commerce stores, then place a trojan order that triggers the system to send an email with exploit code in one of its fields, and take over the vulnerable website. Once the e-store has been compromised, the attackers install a remote access trojan (RAT) to gain permanent access.

Chinese Hackers Target Government Agencies and Defense Organizations

A cyberespionage threat actor tracked as Billbug (a.k.a. Thrip, Lotus Blossom, Spring Dragon) is running a campaign targeting certificate authorities, government agencies, and defense organizations in several Asian countries. Researchers found that Billbug uses two custom backdoors, Hannotog and Sagerunex. Hannotog can change firewall settings to allow all traffic, establish persistence on the compromised machine, upload encrypted data, run CMD commands, and download files to the device. Sagerunex connects to the command-and-control server over HTTPS to send a list of active proxies and files, receives payloads and shell commands from the operators, and executes programs and DLLs using “runexe” and “rundll.”

Downtime Cost: How to Calculate and Minimize It

Downtime is costly, but the true cost of unplanned downtime goes beyond lost revenue: business is disrupted, customers become unhappy, and regulators impose fines. So how do you calculate your downtime costs? This blog covers best practices for calculating and minimizing downtime.

Whoosh Confirms Data Breach After Hackers Sell 7.2M User Records

Russian scooter-sharing service Whoosh has confirmed a data breach after hackers sold a database containing details of 7.2 million customers on a hacking forum. The data allegedly contains promotion codes that can be used to access the service for free, as well as partial user identification and payment card data of 1,900,000 users. The seller has put the data on sale for $4,200 and plans to sell it to five buyers.

Promo
48TB SSO NAS appliance with Free Shipping & Support $6,995

48TB StoneFly XS Series ready to ship Enterprise SSO NAS appliance with Air-Gap and Immutable Snapshots option for ransomware protection and Support for Unlimited NAS Clients with built-in S3 cloud connect for $6,995.

Gen 10, 4-bay 1U Rackmount appliance with 3x16TB Enterprise 12Gb SAS drives, 10 Core Storage Virtualization Engine, 32GB system memory, 12Gb SAS Hardware RAID Controller and 500W Platinum Certified hot-swappable power supply.

All Enterprise data Services such as Snapshot, Tiering, Encryption, Sync & Async, Replication, Supports CIFS/SMB and NFS, Cloud Connect to Azure Hot / Cool Blob / AWS-S3, Erasure Coding are included.

Price includes 1 Year Warranty, 9x5 Tech Support, Free Shipping & Insurance.

For demos and hardware details, contact us.

Weekly Ransomware Roundup

Nov 07 - 11, 2022

Amadey Bot Deploying LockBit 3.0 Ransomware on Hacked Machines

The Amadey malware is being used to deploy LockBit 3.0 ransomware on compromised systems. It is distributed via a malicious Word document and an executable disguised with a Word file icon. The files contain a malicious VBA macro that runs a PowerShell command to download and run Amadey. While its primary function is to harvest sensitive information from infected hosts, it also doubles as a channel to deliver next-stage malware.

Stealthy Wiper Azov Ransomware, Disguised as an Encryptor, Destroys Data

Threat actors are distributing the Azov malware, which pretends to encrypt victims' files but is in fact a data wiper that destroys data and infects other programs. The malware sits dormant on the victim's device before corrupting its data, overwriting file contents in alternating 666-byte chunks of garbage. The wiper also infects 64-bit executables, injecting code into them that launches the wiper. The attacker is said to be distributing the malware through the Smokeloader botnet, commonly found in fake pirated software and crack sites.

US Health Dept. Warns of Venus Ransomware Targeting Healthcare Orgs

The U.S. Department of Health and Human Services (HHS) has warned that Venus ransomware is targeting healthcare organizations and is being deployed across the networks of dozens of corporate victims worldwide. The threat actors are known for breaking in through victims' publicly exposed Remote Desktop services to encrypt Windows devices. Venus also stops database services and Office apps, deletes event logs and Volume Shadow Copies, and disables Data Execution Prevention on compromised endpoints.

Worok Hackers Hide New Malware in PNGs Using Steganography

Researchers at ESET have warned that Worok is targeting high-profile victims, including government entities in the Middle East, Southeast Asia, and South Africa, by hiding malware within PNG images to infect target systems with information-stealing malware. Worok uses DLL sideloading to execute the CLRLoader malware loader in memory, which loads the second-stage DLL (PNGLoader). PNGLoader extracts data hidden in the PNG files and uses it to assemble two executables. The first extracted payload is a PowerShell script, while the second is the .NET C# info-stealer (DropBoxControl), which abuses the Dropbox file hosting service for C2 communication, file exfiltration, and more.

What You Need to Know About Cybersecurity Threats in 2022

Cybersecurity threats exploit vulnerabilities to gain access to and encrypt the networks of government and corporate organizations. Learning about these threats allows backup administrators to set up reliable measures that prevent malicious access, data loss and the resulting compliance issues. To help backup administrators keep up with the latest trends in cybersecurity, we’ve broken down the recent malicious techniques employed by hackers and ransomware in our blog.

Ukraine says Russian hacktivists use new Somnia ransomware

Russian hacktivists have infected multiple organizations in Ukraine with a new ransomware strain called 'Somnia,' encrypting their systems and causing operational problems. CERT-UA has confirmed the outbreak via an announcement on its portal, attributing the attacks to 'From Russia with Love' (FRwL), also known as 'Z-Team,' which it tracks as UAC-0118. The hacking group uses fake sites that mimic the 'Advanced IP Scanner' software to trick employees of Ukrainian organizations into downloading an installer. The installer infects the system with the Vidar stealer, which steals the victim's Telegram session data to take control of their account.

Promo
210TB Fully Air-Gapped & Immutable Veeam Backup and DR appliance for $14,995

210TB Veeam backup and DR appliance with policy-based Immutability using built-in network & power management Controllers and automated physical and logical Air-Gapped vault for $14,995.

Gen 10, 16-bay, 3U Rackmount unit with 15x14TB (210TB) Enterprise SAS drives, 10 core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Redundant Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller, Dual 10Gb RJ-45 Ports, Fully Integrated SAN, NAS and optional S3 cloud storage.

All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are available as an option if needed.

For demos and hardware details, contact us.

Weekly Ransomware Roundup

Oct 31 - Nov 4, 2022

Hackers Stole Source Code, Personal Data from Dropbox Following Phishing Attack

Dropbox has suffered a data breach where malicious actors gained access to the source code and personal information belonging to employees and customers. The attackers sent phishing emails to multiple employees, directing them to fake CircleCI websites to harvest their credentials and one-time passwords for multi-factor authentication. The hackers were able to exfiltrate 130 code repositories that included third-party libraries, internal prototypes, tools, and configuration files used by the security team. The attackers also exfiltrated developers’ credentials, names and email addresses of Dropbox employees, past and current customers, vendors, and sales leads.

RomCom RAT Impersonates KeePass, SolarWinds NPM, Veeam

In a new campaign discovered by BlackBerry, the RomCom threat actors were found creating websites that clone the official download portals for SolarWinds Network Performance Monitor (NPM), the KeePass password manager, and PDF Reader Pro, disguising the malware as legitimate programs. In addition, Unit 42 discovered that the threat actors created a site impersonating the Veeam Backup and Recovery software. While the distribution method differs per site, the websites distribute RomCom RAT executables disguised as “legitimate” downloads or free trials of the software.

OPERA1ER Hackers Steal Over $30 Million from Banks and Telcos

A threat group identified as OPERA1ER has stolen at least $30 million from banks and telecommunication service providers in Africa using off-the-shelf hacking tools. OPERA1ER obtains initial access through spear-phishing emails and relies on open-source tools, commodity malware, and frameworks such as Metasploit and Cobalt Strike. The phishing emails deliver malware such as Netwire, BitRAT, VenomRAT, AgentTesla, Remcos, Neutrino, and BlackNET. OPERA1ER also uses stolen credentials to access email accounts, perform lateral phishing, and study internal documentation to understand money transfer procedures and protection mechanisms.

Over 250 US News Sites Push Malware as Part of a Supply-Chain Attack

Researchers at Proofpoint have reported that a threat actor identified as TA569 compromised a media company that serves many US news outlets via a JavaScript file. The attacker modified the codebase of that script to push malware known as SocGholish. The script targets visitors to the compromised websites with malware payloads camouflaged as fake browser updates and delivered as ZIP archives. More than 250 news sites are affected, including digital news outlets in Boston, New York, Chicago, Washington DC, Miami, Palm Beach and Cincinnati.

What to Consider when Implementing DRaaS for Ransomware Protection

Disaster Recovery as a Service (DRaaS) provides recovery in the cloud and is a cost-effective, highly efficient enterprise data protection solution for tackling downtime and data security and improving data availability. But what do backup administrators need to know to choose and set up a DRaaS solution that works for their organization?

‘0ktapus’ Threat Group Victimizes 130 Firms

Over 130 companies fell victim to a sprawling phishing campaign that spoofed a multi-factor authentication system. The threat actors stole Okta identity credentials and multi-factor authentication (MFA) codes from users through text messages containing links to phishing sites that mimicked the Okta authentication page. Victims were asked to submit their Okta credentials along with MFA codes, which allowed the hackers to access mailing lists and customer-facing systems to facilitate supply-chain attacks. Over 9,931 accounts are said to have been compromised.

Promo
48TB SSO NAS appliance with Free Shipping & Support $6,995

48TB StoneFly XS Series ready to ship Enterprise SSO NAS appliance with Air-Gap and Immutable Snapshots option for ransomware protection and Support for Unlimited NAS Clients with built-in S3 cloud connect for $6,995.

Gen 10, 4-bay 1U Rackmount appliance with 3x16TB Enterprise 12Gb SAS drives, 10 Core Storage Virtualization Engine, 32GB system memory, 12Gb SAS Hardware RAID Controller and 500W Platinum Certified hot-swappable power supply.

All Enterprise data Services such as Snapshot, Tiering, Encryption, Sync & Async, Replication, Supports CIFS/SMB and NFS, Cloud Connect to Azure Hot / Cool Blob / AWS-S3, Erasure Coding are included.

Price includes 1 Year Warranty, 9x5 Tech Support, Free Shipping & Insurance.

For demos and hardware details, contact us.
