Weekly Ransomware Roundup

September 19 - 23, 2022

Uber’s Internal Systems Breached by Lapsus$ Ransomware

A member of the teenage extortion gang Lapsus$ used social engineering to break into Uber’s internal systems. The FBI and the Department of Justice began investigating the breach after the hacker spammed the company’s Slack channel with vulgar messages. The hacker also reconfigured DNS settings to redirect intranet websites to an inappropriate picture, and posted screenshots of the company’s cloud storage and code repositories. Uber says the hacker likely purchased an external contractor’s password on the dark web after the contractor’s personal device was infected with malware.

Hackers Stayed Inside Albania’s Government Network for 14 Months

A cyberattack took down the Albanian government’s websites and online services. The ransomware group, identified as "HomeLand Justice," used a file encryptor and disk-wiping malware, and infiltrated the network through a compromised Microsoft Exchange account to exfiltrate credentials and large amounts of data. The FBI investigation states that the hackers lurked inside the network for 14 months before being detected, maintaining continuous network access and periodically accessing and exfiltrating sensitive data.

2K Games Help Desk Hacked to Push RedLine Info-Stealer Malware

American video game publisher 2K has confirmed that its help desk platform was hacked and used to target customers with fake support tickets that pushed malware via embedded links. The tickets included links to download an archive named '2K Launcher.zip' that contained an executable for “RedLine Stealer”. RedLine Stealer is information-stealing malware that can steal a wide range of data, including web browser history, cookies, saved browser passwords, credit cards, VPN credentials, instant messaging content, cryptocurrency wallets, and more.

LinkedIn Smart Links Abused in Evasive Email Phishing Attacks

Phishing actors are abusing LinkedIn’s Smart Link feature to bypass email security and redirect users to phishing pages that steal their information. The phishing email supposedly originates from Slovenská pošta, the state-owned postal service provider in Slovakia, and informs the recipient that costs must be covered for a parcel pending shipment. The “confirm” button contains a LinkedIn Smart Link URL with alphanumeric variables that redirects the victim to a phishing page, which then steals credit card details including the number, holder’s name, expiration date, and Card Verification Value (CVV).

What is BCDR – A Guide to Business Continuity and Disaster Recovery

Business continuity (BC) covers the plans and processes that keep the business operating in the event of a disaster, whereas disaster recovery (DR) focuses on recovering from the disaster. Learn the differences between the two so that you can effectively plan and implement a BCDR policy that works for you.

Crypto Market Maker Wintermute Loses $160 million in a Cyberattack

Digital assets trading firm and crypto market maker Wintermute has lost $162.2 million in DeFi operations as a result of a hack. While the company hasn’t provided any details on how the attack happened, some crypto experts suggest that the attacker likely exploited a bug in the abandoned “Profanity” tool, a vanity address generator for Ethereum, by brute-forcing the private keys of every 7-character vanity address using a thousand GPUs for 50 days. Analysts have called on everyone holding funds in wallets created with Profanity to move the assets elsewhere immediately. The platform has offered to pay the hacker 10% of the looted funds if the money is refunded.

Promo
$10/TB Immutable Cloud for Veeam with Optional Air-Gapped Backup and DR

Veeam cloud immutable backup and disaster recovery (DR) for $10/TB per month. Optional air-gapped backup, spin-up in the cloud for fast, 1-click direct restore, offsite VM spin up, and 24/7 Smart Protect plan also available for your complete support needs.

Get enterprise ransomware protection with optional automated policy-based air-gap plus triple lockdown, immutable file, object lock, or SnapLock technologies with FastTrack Recovery, Zero Trust and full multi-factor authentication, ransomware scanner, and much more.

Pay month to month, no long-term contract, discontinue anytime you like. No limit on storage capacity or scalability.

For demos and hardware details, contact us.

Weekly Ransomware Roundup

September 12 - 16, 2022

Bell Technical Solutions (BTS) Hit by RaaS Group Hive

Hive, a Ransomware-as-a-Service (RaaS) operation, has hit Bell Technical Solutions (BTS), which specializes in installing Bell services for residential and small business customers. Hive claims on its data leak blog that it started encrypting BTS' systems almost a month ago and avoided detection. BTS' website is currently inaccessible. According to BTS, the threat group might have accessed the names, addresses and phone numbers of residential and small business customers in Ontario and Québec.

Russian Hackers Use New Info Stealer Malware to Target Ukrainian Organizations

Gamaredon, also known as Callisto, is targeting Ukrainian entities, including government, defense, security, and law enforcement organizations, in a new espionage campaign. The malware is delivered through phishing emails carrying MS Office documents with malicious VBS macros that download RAR archives containing LNK files. The LNK files then download and parse a remote XML file that executes a malicious PowerShell script from a Russian domain, which in turn collects sensitive data from the victim and sends it to a remote server. The malware can exfiltrate files from storage devices and is instructed to steal images, files, documents, archives and database files.

Lorenz Ransomware Breaches Mitel MiVoice Network via Phone Systems

The Lorenz ransomware gang has exploited a critical vulnerability in Mitel MiVoice VoIP appliances to breach enterprises using their phone systems. Mitel Voice-over-IP (VoIP) products are used by organizations in critical sectors worldwide, including government agencies. Lorenz exploited CVE-2022-29499, a remote code execution vulnerability, to obtain a reverse shell, and used the Chisel tunneling tool to pivot from the appliance into the victims’ corporate networks. Over 19,000 Mitel devices are currently exposed to attacks.

Zero-day in WPGateway WordPress Plugin Actively Exploited in Attacks

Researchers have warned that WordPress sites are actively being targeted through a zero-day vulnerability in the WPGateway premium plugin for site administrators. The WPGateway plugin provides users with WordPress installation, backup, and cloning capabilities. This critical vulnerability, tracked as CVE-2022-3180, is a privilege escalation flaw. It enables unauthenticated attackers to add a rogue user with admin privileges and completely take over websites running the vulnerable plugin.

Backups aren’t Enough – Here’s Why Air-Gapping and Immutability are Necessary

Backups aren’t enough to protect your critical data from ransomware. Security agencies and experts recommend air-gapping and immutability to ensure effective ransomware protection and business continuity. Learn why in this blog.

Hackers Exploiting the Death of Queen Elizabeth II to Steal Microsoft Credentials

Threat actors are exploiting the death of Queen Elizabeth II in phishing attacks that lure victims to websites stealing Microsoft account credentials. Attackers bait their targets with messages that appear to come from Microsoft, inviting recipients to an online memory board in honor of Her Majesty Queen Elizabeth II. The messages include links that redirect victims to a credential-harvesting page, which steals their Microsoft email credentials, including MFA data.

Promo
70TB Air-Gapped & Immutable Veeam, Rubrik, Commvault, Site Recovery Backup & DR Appliance for $7,995

70TB, expandable up to 4PB, air-gapped & immutable Veeam, Rubrik, Commvault, site recovery, backup and DR appliance with file and object lockdown for ransomware protection for $7,995.

8-bay 2U Rackmount unit with 5 x 14TB Enterprise SAS drives, 10 Core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller. Fully Integrated SAN, NAS and Native S3 cloud object storage.

All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are included.

For demos and hardware details, contact us.

Weekly Ransomware Roundup

September 05 - 09, 2022

Los Angeles School District Hit by Ransomware Attack

The Los Angeles Unified School District, the second-largest public school district in the United States, was targeted by a ransomware attack just weeks after the start of the new academic year. The attack disrupted the district's email system and other applications, but critical business systems, such as employee healthcare, payroll, and school safety and emergency mechanisms, remained unaffected. Officials did not say what might have been stolen or damaged, but they have sought assistance from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).

North Korean Lazarus Hackers Targeting Energy Providers Globally

Researchers at Cisco Talos have observed the state-backed North Korean threat actor Lazarus targeting energy providers in the United States, Canada and Japan between February and July this year. The hackers are using an old vulnerability in Log4j, known as Log4Shell, to compromise VMware Horizon servers and establish an initial foothold on a victim’s network. The attackers then deploy the “VSingle” and “YamaBot” malware to establish long-term persistence. Researchers also found a previously unknown remote access Trojan, dubbed “MagicRAT,” which the hackers use for reconnaissance and credential theft.

Nemesis Kitten Encrypts Windows Systems Using BitLocker

Microsoft Security Threat Intelligence says that a threat group dubbed DEV-0270 (aka Nemesis Kitten) is using BitLocker to encrypt its victims' systems. Nemesis Kitten is a sub-group of the Phosphorus cyber-espionage group (aka Charming Kitten or APT35), which collects intelligence from high-profile victims linked to governments, NGOs, and defense organizations. The threat actor exploits recently disclosed security vulnerabilities in Microsoft Exchange and Fortinet products, such as ProxyLogon and Log4j 2. It uses batch commands to enable BitLocker encryption, rendering the host systems inoperable. The threat actor demands $8,000 for decryption keys and threatens to leak the stolen data.

New Linux Malware Uses Multi-Stage Deployment and Evades Detection

A new stealthy Linux malware dubbed “Shikitega” is infecting computers and IoT devices with malicious payloads. Shikitega evades detection using a polymorphic encoder that makes static, signature-based detection impossible. Once deployed on a targeted host, the attack chain downloads and executes Metasploit's "Mettle" Meterpreter payload to maximize control, and exploits vulnerabilities to elevate its privileges. The malware then establishes persistence on the host via crontab and launches a cryptocurrency miner on the infected device.

Downtime Cost: How to Calculate and Minimize it

Unplanned downtime is sudden, uncontrolled, and can happen at any time. It can be caused by ransomware attacks, human error, zero-day exploits, viruses, hackers, power or network outages, phishing campaigns, and natural disasters. Calculating the cost of unplanned downtime is tricky because it goes beyond lost revenue. Learn how to calculate the cost of downtime and how to reduce it in this blog.

North Face Accounts Hacked Using Credential Stuffing and Personal Data Stolen

Outdoor clothing brand “The North Face” has been hit by a major cyberattack impacting nearly 200,000 customer accounts. The attackers maintained access to the company’s network from July 26, 2022 to August 11, 2022 before being detected. The threat actors used “credential stuffing” and stole user email addresses and passwords, as well as personal information including full name, purchase history, and billing and shipping addresses, for 194,905 user accounts.

Promo
400TB Fully Air Gapped & Immutable Veeam Backup and DR appliance for $22,995

400TB Fully Air Gapped and Immutable Veeam backup and DR appliance with Object Lockdown Technology for Ransomware protection & Instant multi VM recovery for $22,995.

This DR365V site-in-a-box appliance integrates with Veeam, using a built-in air-gapped network, power management controller, repository and storage controller with fully automated, Veeam-integrated isolation technology.

Fully Populated 36-bay 4U Rackmount unit, 25x16TB (400TB) Enterprise SAS drives, 10 core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller. Fully Integrated SAN, NAS and optional S3 cloud object storage.

All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are available as an option if needed.

For demos and hardware details, contact us.

Weekly Ransomware Roundup

August 29 - September 2, 2022

Russian Streaming Platform Start Suffers Data Breach

Russian media streaming service “Start” suffered a data breach involving sensitive customer data. The Russian-language Telegram channel "Data Leak” published screenshots of the leaked information, showing a 72GB database containing records of nearly 44 million customers. Threat actors appear to have exploited a flaw in an exposed MongoDB database to exfiltrate the data in JSON format. Although Start says that customer data was not affected, Data Leak contradicts this, asserting that the exposed information includes customer usernames, MD5-hashed passwords, IP addresses, countries of registration, subscriptions and login details.

New Ransomware Hits Windows and Linux Servers of Chilean Government Agency

Chile's national computer security and incident response team (CSIRT) has announced that a ransomware attack has impacted the operations and online services of a government agency. The attack targeted the agency’s Microsoft and VMware ESXi servers, stopping all running VMs and encrypting files with the ".crypt" filename extension. The malware can also steal credentials from web browsers, list removable devices for encryption, and evade detection using execution timeouts. The CSIRT has not named the ransomware group, but the malware’s behavior is similar to that of RedAlert (aka N13V), and other indicators suggest the Conti group’s involvement.

Cuba Ransomware Gang Takes Credit for Attacking Montenegro

The Cuba ransomware gang has taken credit for the cyberattack on the government of Montenegro, which took multiple government websites and services offline. The gang has listed the Parliament of Montenegro (Skupština) on its Tor-based data-leak site and claims that the exfiltrated data includes financial documents, correspondence with bank employees, account movements, balance sheets, tax documents, compensation, and source code. The hackers have demanded $10 million in ransom.

Chinese Hackers Target Australian Government with ScanBox Malware

China-based threat actors have been targeting Australian government agencies and wind turbine fleets in the South China Sea by directing select individuals to a fake website impersonating an Australian news media outlet. Victims landed on the fraudulent site after receiving phishing emails with enticing lures, and were served a malicious JavaScript payload from the ScanBox reconnaissance framework. Researchers attribute the campaign to the Chinese APT40 group (a.k.a. TA423, Leviathan, Red Ladon). ScanBox can deliver its JavaScript code as one single block or through a plugin-based, modular architecture. The framework includes modules for keylogging, browser plugins, browser fingerprinting, peer connection and security checks. Once deployed, it establishes command and control and transfers victim profile data, technical details, and other information useful for reconnaissance and cyber espionage.

Veeam-Ready Backup and DR Appliance with Onsite/Cloud Immutability

Backups are the last line of defense against ransomware. Immutability ensures that even if the production environment and the corporate network are compromised, backups remain unchanged and available for recovery. Learn how your backup administrators can set up onsite and cloud-based immutable Write-Once Read-Many (WORM) storage with a turnkey Veeam-ready backup and DR appliance.

Hackers Hide Malware in James Webb Telescope Images

Threat analysts have spotted a new malware campaign dubbed ‘GO#WEBBFUSCATOR’ that relies on phishing emails, malicious documents, and space images from the James Webb telescope to spread malware. The user receives an email with a malicious attached document that downloads the image file, decodes it into an executable, and runs it in the background. Upon execution, the malware establishes a DNS connection to the command-and-control server and sends encrypted data, which the server then decrypts to reveal the contents. The binary uses XOR encoding and case alteration to avoid signature-based detection and copies itself to the registry to maintain persistence.

Promo
32TB Air-Gapped & Immutable Veeam Site Recovery Backup & DR appliance $5,995

32TB expandable up to 4PB Air-gapped & Immutable Veeam, Rubrik, CommVault, Site Recovery, Backup and DR appliance with Zero Trust, SAN-NAS and S3 Object Lockdown Technology for Ransomware protection for $5,995.

Gen 10, 4-bay 1U Rackmount unit with 2x16TB Enterprise SAS drives, 10 Core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller. Fully Integrated SAN, NAS and Native S3 cloud object storage.

All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are included.

For demos and hardware details, contact us.
