Weekly
Oct 24 - 28, 2022
A joint alert from CISA, FBI, and HHS has warned the healthcare sector of a threat actor identified as the Daixin team that is targeting US organizations with ransomware based on the leaked Babuk source code. The group targets VPN servers for initial access via unpatched vulnerabilities and compromised credentials, and uses Secure Shell (SSH) and Remote Desktop Protocol (RDP) for lateral movement. Daixin also employs credential dumping and pass-the-hash to gain access to privileged accounts, then connects to VMware vCenter to reset passwords for the ESXi servers and deploy ransomware. The ransomware impacts healthcare services such as diagnostics, electronic health records, imaging, and intranet services. Read more
Australian Clinical Labs (ACL) has disclosed that the February 2022 data breach that impacted its Medlab Pathology business exposed the medical records and sensitive information of 223,000 people. The breach compromised Medicare numbers, full names, credit card numbers with CVV code, and personal medical and health records. The Quantum ransomware group claimed responsibility for the attack, releasing 86GB of stolen sensitive data on its Tor site. Medibank said that it expects a financial impact of $25 to $35 million from the incident, aside from “customer and other remediation, regulatory or litigation costs.” Read more
Ticketing service company ‘See Tickets’ disclosed a data breach that compromised customers’ payment card details. Threat actors claim to have stolen payment card data by implanting a software skimmer on the company’s website. The stolen data includes name, address, zip code, payment card number, card expiration date, and CVV number. However, See Tickets insists that social security numbers, state identification numbers, and bank account information were not exposed because the company doesn’t store them. Read more
The Ukraine Computer Emergency Response team has warned about potential Cuba ransomware attacks targeting the critical infrastructure of the country through a phishing campaign. The campaign impersonates the Press Service of the General Staff of the Armed Forces of Ukraine and tricks the victim into downloading a file that executes the “rmtpak.dll” DLL file which is the ROMCOM RAT. CERT-UA has associated the use of the RomCom backdoor with the threat actor Tropical Scorpius (aka UNC2596). Read more
Air-gapping is an advanced data protection feature used to isolate and detach target storage volumes from unsecure networks, production environments, and host platforms. Here is a blog explaining air-gapping, how air-gapped backups work and the role of air-gap in ransomware protection. Read more
Tata Power, a subsidiary of the multinational conglomerate Tata Group, has become the victim of the Hive ransomware group. Hive has exfiltrated data of employees' personally identifiable information (PII), National ID (Aadhar) card numbers, PAN (tax account) numbers, and salary information. The data dump also contains engineering drawings, financial and banking records as well as client information. Hive has posted all this data on their leak site. Read more
32TB, expandable up to 4PB, air-gapped & immutable Veeam, Rubrik, Commvault, Site Recovery, Backup and DR appliance with Zero Trust, SAN-NAS and S3 Object Lockdown Technology for Ransomware protection for $5,995.
Gen 10, 4bay 1U Rackmount unit with 2x16TB Enterprise SAS drives, 10 Core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller. Fully Integrated SAN, NAS and Native S3 cloud object storage.
All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are included.
For demos and hardware details, contact us.
Weekly
Oct 17 - 21, 2022
Microsoft has spotted a new ransomware strain tracked as DEV-0960 (or “Prestige”) that is targeting Ukrainian and Polish organizations. Prestige either copies itself to the ADMIN$ share of a remote system and uses Impacket to remotely create a scheduled task, or remotely invokes an encoded PowerShell command to execute the payload. Prestige ransomware can also copy itself to an Active Directory Domain Controller using the Default Domain Group Policy Object. After deployment, it encrypts files while deleting the backup catalog and all shadow copies to hinder recovery. Read more
MyDeal, an Australian retail marketplace, was breached, affecting 2.2 million customers. The hacker used compromised user credentials to access the company's Customer Relationship Management (CRM) system and view and export customer information. The stolen data contains names, email addresses, phone numbers, delivery addresses and birth dates. The hacker has put the stolen data up for sale on a hacking forum for $600. Read more
Venus Ransomware group is hacking into publicly-exposed Remote Desktop services to encrypt Windows devices. When executed, Venus closes thirty-nine processes associated with database servers and Microsoft Office applications and begins encryption. While encrypting, it appends .venus extension and an additional file marker 'goodgamer' to the files. After encryption, it deletes all event logs, Shadow Copy Volumes, and disables Data Execution to eliminate any chances of recovery. Read more
Threat actors are using an undetectable PowerShell backdoor against their victims for cyberespionage and data exfiltration. The attack begins with a phishing email carrying a document with malicious macros that drop and execute a script, which creates a scheduled task disguised as a routine Windows update. The script then sends the victim ID to the attacker’s C2 server, from which the malware receives encrypted commands to perform data exfiltration, user enumeration, file listing, account and file removal, and RDP client enumeration. Read more
Business continuity and disaster recovery can help keep an organization operational by creating resilient data infrastructures, and they are essential parts of a risk management and recovery plan. But what are the differences between the two? How do you develop and implement a BCDR policy? Read more
OldGremlin, aka TinyScouts, has upgraded its toolkit with file-encrypting malware for Linux machines and is attacking Russian companies in the logistics, insurance, retail, real estate, software development and banking sectors. The malware is deployed by tricking the victim into downloading a document from a file-sharing service that contains TinyCrypt ransomware, which encrypts the system using the AES algorithm in CBC mode with a 256-bit key. The malware then deploys TinyFluff, a NodeJS backdoor for remote access, PowerSploit, Cobalt Strike and many additional payloads that can extract data from Credential Manager, evade antivirus software and isolate a device from the network. Read more
128TB Veeam backup and DR appliance with policy-based immutability using built-in network & power management controllers and automated physical and logical air-gapped vault for $9,995.
Gen 10, 8-bay 2U Rackmount unit with 8x16TB (128TB) Enterprise SAS drives, 10 core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Redundant Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller, Dual 10Gb RJ-45 Ports, Fully Integrated SAN, NAS and optional S3 cloud storage.
All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are available as an option if needed.
For demos and hardware details, contact us.
Weekly
Oct 10 - 14, 2022
POLONIUM, a Lebanon-based hacking group, is using a range of custom malware against Israeli firms for cyberespionage. The threat group uses different variants of the “Creep” backdoors and legitimate cloud services such as OneDrive, Dropbox, and Mega as command and control (C2) servers. The backdoors can log keystrokes, take screenshots, take photos with the webcam, exfiltrate files from the host, install additional malware, and execute commands on the infected device. POLONIUM also uses various open-source tools for reverse proxying and keylogging, and hides behind virtual private servers (VPS) to cover its tracks. Read more
Advanced, an IT service provider for the U.K.’s National Health Service (NHS), has confirmed that attackers stole data from its systems during an August ransomware attack, but refuses to say whether patient data was compromised. In an updated report, the service provider disclosed that the malware used to carry out the attack was Lockbit 3.0. Moreover, the attackers accessed its network using “legitimate” third-party credentials to establish a remote desktop session to the company’s Staffplan Citrix server, which powers its caregiver scheduling and rostering system. Read more
The Magniber ransomware is targeting Windows users with fake security updates. The threat actor uses JavaScript that initiates an infection with encryption malware. The malicious files are obfuscated and use a variation of the "DotNetToJScript" technique to execute a .NET file in the system memory for evasion. The shellcode deletes shadow copies and uses a bypass for the User Account Control (UAC) feature in Windows to disable backup and recovery features. After successful encryption, Magniber ransomware operators demand payment of up to $2,500. Read more
KillNet, the DDoS group that attacked government websites in Colorado, Kentucky, and Mississippi last week, has claimed large-scale distributed denial-of-service (DDoS) attacks against the websites of several major airports in the U.S. The threat actor used custom software to generate fake requests and garbage traffic to overwhelm the servers hosting the sites. This made it impossible for travelers to connect and get updates about their scheduled flights or booked airport services. Read more
Downtime costs are more than just lost revenue. It comes with reputational damage, SLA fines, recovery, and PR costs. Learn how to calculate IT downtime costs, and the best practices to minimize it. Read more
A new Chinese threat group, tracked as WIP19, is targeting IT service providers and telecommunications companies with signed malware. WIP19 signs several malicious components using a stolen certificate that was issued to Korean messaging provider DEEPSoft Co. The signed credential-harvesting tools include a password dumper, a keylogger, and a screen recorder. According to researchers, the threat actor’s malicious activities in the Middle East and Asia suggest that the motive is cyber espionage. Read more
48TB StoneFly XS-Series ready-to-ship Enterprise SSO NAS appliance with air-gap and immutable snapshots option for ransomware protection and support for unlimited NAS clients with built-in S3 cloud connect for $6,995.
Gen 10, 4-bay 1U Rackmount appliance with 3x16TB Enterprise 12GB SAS drives, 10 Core Storage Virtualization Engine, 32GB system memory, 12Gb SAS Hardware RAID Controller and 500W Platinum Certified hot swappable power supply.
All Enterprise data Services such as Snapshot, Tiering, Encryption, Sync & Async, Replication, Supports CIFS/SMB and NFS, Cloud Connect to Azure Hot / Cool Blob / AWS-S3, Erasure Coding are included.
Price includes 1 Year Warranty, 9x5 Tech Support Free Shipping & Insurance.
For demos and hardware details, contact us.
Weekly
Oct 03 - 07, 2022
One of the largest non-profit healthcare providers in the US has been hit by a suspected ransomware attack which has already impacted multiple locations around the country. While details of the attack have not yet been released, the non-profit organization said the following in a statement published on their website: “CommonSpirit Health has identified an IT security issue that is impacting some of our facilities. We have taken certain systems offline. We are continuing to investigate this issue…” Read more
The notorious hacking group 'Lazarus' is using a new Windows FudModule rootkit that abuses a Dell hardware driver in a Bring Your Own Vulnerable Driver (BYOVD) attack. The rootkit uses a user-mode module to read and write kernel memory. After gaining kernel memory write access, the hackers disable Windows mechanisms such as registry, file system, process creation, and event tracing callbacks to blind security solutions. Read more
BlackByte ransomware is using a new technique dubbed "Bring Your Own Driver," which bypasses protections by disabling drivers used by various security solutions. The exploited flaw is a privilege escalation and code execution vulnerability, tracked as CVE-2019-16098, that can prevent multiple endpoint detection and response (EDR) and antivirus products from operating normally. The threat actor abuses the MSI Afterburner RTCore64.sys driver, signed with a valid certificate, and runs it with high privileges on the system. The driver exposes I/O control codes directly accessible from user mode, which makes it possible for attackers to read, write, or execute code in kernel memory without using shellcode or an exploit. Read more
The official installer for the Comm100 Live Chat application, a widely deployed SaaS (software-as-a-service) product used for communications, was trojanized in a supply-chain attack. The infected installer uses a valid digital signature to evade detection and carries a JavaScript backdoor coded into the "main.js" file. The backdoor fetches an obfuscated JS script from a hard-coded URL, which then gives the attackers remote shell access to the victimized endpoints, via the command line, to deploy malicious loaders. Read more
Hackers infiltrated a US defense industrial base organization, maintained persistence and long-term access to its network and stole sensitive data. The hackers combined custom malware called CovalentStealer, the open-source Impacket collection of Python classes, the HyperBro remote access trojan (RAT), and well over a dozen ChinaChopper webshell samples. They also exploited the ProxyLogon collection of four vulnerabilities for Exchange Server around the time Microsoft released an emergency security update to fix them. Read more
Manual backup and restore is a complex and time-consuming process. Maintaining proper configurations and compatibility with evolving production environments, carefully monitoring storage and archiving overheads, and constantly rotating media for offsite storage need a modern scheduled backup solution. Read more about how StoneFly backup and DR solutions help automate backup and recovery for your critical workloads.
98TB Veeam backup and DR appliance with policy-based immutability using built-in network & power management controller and automated physical and logical air-gapped vault for $8,995.
10th Gen, 8-bay 2U Rackmount unit with 7x14TB (98TB) Enterprise SAS drives, 10 core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Redundant Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller, Dual 10Gb RJ-45 Ports, Fully Integrated SAN, NAS and optional S3 cloud storage.
All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are available as an option if needed.
For demos and hardware details, contact us.
Weekly
September 26 - 30, 2022
Security researchers have discovered a new campaign targeting multiple military contractors involved in weapon manufacturing. The highly targeted attacks begin with a phishing email sent to employees, leading to a multi-stage infection involving many persistence and detection-avoidance mechanisms. The threat actor uses a highly secure C2 infrastructure and multiple layers of obfuscation in the PowerShell stages. Analysts have not been able to attribute the campaign to any known threat actor, but have pointed out some similarities with the APT37 (Konni) group. Read more
Coreid, the ransomware-as-a-service (RaaS) group behind the Noberus ransomware, aka BlackCat or ALPHV, has upgraded its malware to steal data and credentials from compromised networks. Noberus now uses an extensively updated version of the ‘Exmatter’ data exfiltration tool and ‘Eamfo’, an info-stealing malware. The updated version allows Exmatter to target more files while avoiding detection because it has been extensively rewritten. Eamfo uses SQL queries to steal credentials stored by Veeam backup software and allows hackers to gain access to critical systems. Read more
American Airlines was breached in a phishing campaign that used an employee's hacked Microsoft 365 account. The breach compromised personally identifiable information (PII) and medical information of both customers and employees. The attacker used the IMAP protocol to access mailboxes and sync their contents to another device. Once accessed, the hacker used these mailboxes to send phishing emails. The investigation revealed that the attacker further accessed multiple employees' accounts to send more phishing emails to target accounts. Read more
The threat actor ‘Fancy Bear’ is targeting entities in the defense and government sectors of Europe using a new method that exploits the mouse-hover function in Microsoft PowerPoint documents to deploy malware. Once the mouse is hovered over the hyperlink contained in the file, the code runs a PowerShell script that downloads and executes a dropper from OneDrive. The dropper then downloads another payload, known as Graphite, which uses the Microsoft Graph API and OneDrive for command-and-control (C2) communications to retrieve additional payloads. Read more
Ransomware searches for and exploits vulnerable endpoints in your enterprise network to exfiltrate your data and encrypt it. That is why you need to plan and execute your ransomware protection strategy carefully. Here is a list of 8 things you can do to protect your critical endpoints from ransomware attacks. Read more
Vulnerable Microsoft SQL servers are being targeted in a new wave of attacks with FARGO ransomware, security researchers warn. The infection starts with the MS-SQL process on the compromised machine downloading a .NET file using cmd.exe and powershell.exe. The payload fetches additional malware (including the locker), then generates and runs a BAT file that terminates specific processes and services. Additionally, the malware executes the recovery deactivation command and terminates database-related processes to make their contents available for encryption. Read more
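The Prestige, Venus, Magniber and FARGO items in these digests all describe the same pre-encryption step: the ransomware deletes shadow copies or the backup catalog, disables recovery and clears event logs before it starts encrypting. That step is one of the more reliable things to alert on, because legitimate administrators rarely run several of those commands on one host within minutes. The following is an added example, not code from this newsletter or from any of the cited reports, of a small detector that scans process-creation records for those commands and scores hosts by how many distinct recovery-inhibition techniques it saw. The pipe-separated log format and the sample events are constructed for the example; in practice the command lines would come from Sysmon event 1 or Windows security event 4688.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Command-line patterns that inhibit system recovery (MITRE ATT&CK T1490) or
# clear event logs (T1070.001). Each tuple is (compiled regex, technique label).
RECOVERY_INHIBIT_PATTERNS = [
    (re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I), "wmic shadowcopy delete"),
    (re.compile(r"\bWin32_ShadowCopy\b.*\bDelete\b", re.I), "WMI Win32_ShadowCopy Delete"),
    (re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I), "wbadmin delete catalog"),
    (re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I), "bcdedit recoveryenabled no"),
    (re.compile(r"\bwevtutil(?:\.exe)?\b\s+(?:cl|clear-log)\b", re.I), "wevtutil clear-log"),
]

# Constructed process-creation records (hypothetical format): ts|host|user|image|command_line
SAMPLE_EVENTS = [
    "2022-10-18T03:14:07Z|WS-042|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|vssadmin.exe delete shadows /all /quiet",
    "2022-10-18T03:14:09Z|WS-042|CORP\\svc_backup|C:\\Windows\\System32\\cmd.exe|wbadmin delete catalog -quiet",
    "2022-10-18T03:14:12Z|WS-042|CORP\\svc_backup|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|wevtutil cl System",
    "2022-10-18T09:02:41Z|WS-017|CORP\\jdoe|C:\\Windows\\explorer.exe|vssadmin list shadows",
    "2022-10-18T09:05:03Z|WS-017|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|bcdedit /set {default} recoveryenabled No",
    "2022-10-18T11:30:00Z|SQL01|NT AUTHORITY\\SYSTEM|C:\\Program Files\\Microsoft SQL Server\\sqlservr.exe|powershell.exe -NoProfile -Command Get-Date",
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    technique: str
    command_line: str


def parse_event(line):
    """Split one record into its five fields; return None for malformed lines."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, image, cmd = parts
    return {"ts": ts, "host": host, "user": user, "image": image, "cmd": cmd}


def scan(lines):
    """Return a Finding for every event whose command line matches a recovery-inhibition pattern."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for pattern, label in RECOVERY_INHIBIT_PATTERNS:
            if pattern.search(ev["cmd"]):
                findings.append(Finding(ev["ts"], ev["host"], ev["user"], label, ev["cmd"]))
                break  # one label per event is enough for alerting
    return findings


def score_hosts(findings):
    """Count distinct techniques per host. Several on one host is a strong
    pre-encryption signal; a single one may be routine administration."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f.host].add(f.technique)
    return {host: len(techniques) for host, techniques in per_host.items()}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for hit in hits:
        print(f"{hit.timestamp} {hit.host} {hit.user}: {hit.technique} <- {hit.command_line}")
    for host, count in sorted(score_hosts(hits).items(), key=lambda kv: -kv[1]):
        level = "HIGH" if count >= 2 else "LOW"
        print(f"{host}: {count} distinct recovery-inhibition technique(s) [{level}]")
```

On the constructed input, WS-042 trips three distinct patterns inside five seconds and should page someone; WS-017 trips one (a bcdedit change by an interactive user) and is worth a ticket rather than a page; the `vssadmin list shadows` line is deliberately benign and is not matched. Keying the severity on distinct techniques rather than raw match count keeps a scripted cleanup that runs one command twenty times from outscoring a real pre-encryption sequence.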
210TB Veeam backup and DR appliance with policy-based immutability using built-in network & power management controllers and automated physical and logical air-gapped vault for $14,995.
Gen 10, 16-bay, 3U Rackmount unit with 15x14TB (210TB) Enterprise SAS drives, 10 core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Redundant Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller, Dual 10Gb RJ-45 Ports, Fully Integrated SAN, NAS and optional S3 cloud storage.
All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are available as an option if needed.
For demos and hardware details, contact us.