Current Active Threats
Korean Cybersecurity Agency Released a Free Decryptor for Hive Ransomware Date: 2022-07-01
South Korean cybersecurity agency KISA recently published a free decryptor tool that can be used to recover files encrypted by the Hive ransomware (version 1 through version 4). Users can find step-by-step instructions on how to recover their encrypted data using the manual provided in the announcement by the KISA agency. The news comes after a team of researchers at Kookmin University (South Korea) discovered a flaw in the encryption algorithm used by Hive Ransomware, enabling them to decrypt data without knowing the private key used by the gang to encrypt files.
Microsoft Warns of Cryptomining Malware Campaign Targeting Linux Servers Date: 2022-07-01
A cloud threat actor group tracked as 8220 has updated its malware toolset to breach Linux servers with the goal of installing crypto miners as part of a long-running campaign. "The updates include the deployment of new versions of a crypto miner and an IRC bot," Microsoft Security Intelligence said in a series of tweets on Thursday. "The group has actively updated its techniques and payloads over the last year." 8220, active since early 2017, is a Chinese-speaking, Monero-mining threat actor so named for its preference to communicate with command-and-control (C2) servers over port 8220. It's also the developer of a tool called whatMiner, which has been co-opted by the Rocke cybercrime group in their attacks.
Xloader Returns With New Infection Technique Date: 2022-07-01
Xloader is a rebranded version of the Formbook stealer. It is designed as a malicious tool to steal credentials from different web browsers, collect screenshots, monitor and log keystrokes from the victim’s machine, and send them to Command and Control (C&C) server. Typically, Xloader spreads via spam emails that trick victims into downloading a malicious attachment file, such as MS Office documents, PDF documents, etc. During Cybable’s routine threat-hunting exercise, the team came across a Twitter post wherein a researcher mentioned an interesting infection chain of Xloader malware.
Microsoft Exchange Servers Worldwide Backdoored with New Malware Date: 2022-07-01
Attackers used a newly discovered malware to backdoor Microsoft Exchange servers belonging to government and military organizations from Europe, the Middle East, Asia, and Africa. The malware was dubbed SessionManager by security researchers at Kaspersky, who first spotted it in early 2022. The malware is a malicious native-code module for Microsoft's Internet Information Services (IIS) web server software.
FBI Alert: MedusaLocker Date: 2022-06-30
Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
AstraLocker 2.0 Infects Users Directly From Word Attachments Date: 2022-06-30
A lesser-known ransomware strain called AstraLocker has recently released its second major version, and according to threat analysts, its operators engage in rapid attacks that drop its payload directly from email attachments. This approach is quite unusual as all the intermediate steps that typically characterize email attacks are there to help evade detection and minimize the chances of raising red flags on email security products. According to ReversingLabs, which has been following AstraLocker operations, the adversaries don’t seem to care about reconnaissance, evaluation of valuable files, and lateral network movement. Instead, they are performing "smash-n-grab" attacks to his immediately hit with maximum force aiming for a quick payout.
Ukraine Arrests Cybercrime Gang Operating Over 400 Phishing Sites Date: 2022-06-30
Ukraine’s cyberpolice force recently arrested nine members of a criminal group that operated over 400 phishing websites pretending to be legitimate EU portals offering financial assistance to Ukrainians. “The threat actors used forms on the site to steal visitors' payment card data and online banking account credentials and perform fraudulent, unauthorized transactions like moving funds to accounts under their control” (Bleeping Computer, 2022). In total, this cybercrime operation was able to steal approximately $3,360,000, from roughly 5,000 victimized citizens. While it is unclear how the victims ended up on these phishing sites, the cybercriminals could have used various means including SEO poisoning, direct messaging, email, and scam posts on social media platforms.
Xfiles Info-Stealing Malware Adds Support for Follina Delivery Date: 2022-06-30
The XFiles info-stealer malware has added a delivery module that exploits CVE-2022-30190, aka Follina, for dropping the payload on target computers. The flaw, discovered as a zero-day at the end of May and fixed with Microsoft’s Windows update on June 14, enables the execution of PowerShell commands simply by opening a Word document.
Deepfakes and Stolen PII Utilized to Apply for Remote Work Positions — FBI Date: 2022-06-30
The FBI Internet Crime Complaint Center (IC3) warns of an increase in complaints reporting the use of deepfakes and stolen Personally Identifiable Information (PII) to apply for a variety of remote work and work-at-home positions. Deepfakes include a video, an image, or recording convincingly altered and manipulated to misrepresent someone as doing or saying something that was not actually done or said.
Ransomware Suspected in Wiltshire Farm Foods Attack Date: 2022-06-29
A leading UK producer of frozen ready meals has revealed its systems are currently down after experiencing a serious cyber-attack. Wiltshire Farm Foods said on Sunday that it is “currently experiencing severe difficulties” with its computer systems. “If you are expecting a delivery this week (w/c 27th June) or have other concerns, please contact your local depot,” it continued. Wiltshire says their systems are currently not working, and they will be unable to make deliveries for the next few days. While the company released little details about the attack, security experts noted the high likelihood of a ransomware attack on social media.
AMD Investigates RansomHouse Hack Claims, Theft of 450GB Data Date: 2022-06-29
Semiconductor giant AMD says they are investigating a cyberattack after the RansomHouse gang claimed to have stolen 450 GB of data from the company last year. RansomHouse is a data extortion group that breaches corporate networks, steals data, and then demands a ransom payment to not publicly leak the data or sell it to other threat actors. For the past week, RansomHouse has been teasing on Telegram that they would be selling the data for a well-known three-letter company that starts with the letter A.
New ZuoRAT Malware Targets Soho Routers in North America, Europe Date: 2022-06-29
Security researchers at Lumen’s Black Lotus Labs have uncovered a new remote access trojan (RAT) dubbed ZuoRAT. Since 2020, ZuoRAT has stayed under the radar, targeting remote workers via small office/home office (SOHO) routers across North America and Europe. “We identified a multistage remote access trojan (RAT) developed for SOHO devices that grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold”.
Kaspersky Reveals Phishing Emails That Employees Find Most Confusing Date: 2022-06-29
Phishing simulator data from Kaspersky’s Security Awareness Platform shows that workers tend to not notice pitfalls hidden in emails devoted to corporate issues and delivery problem notifications, with one in five (16% to 18%) clicking the link in the email templates imitating these phishing attacks. According to estimates, 91% of all cyberattacks begin with a phishing email, and phishing techniques are involved in 32% of all successful data breaches.
APT Hackers Targeting Industrial Control Systems with ShadowPad Backdoor Date: 2022-06-28
Entities located in Afghanistan, Malaysia, and Pakistan are in the crosshairs of an attack campaign that targets unpatched Microsoft Exchange Servers as an initial access vector to deploy the ShadowPad malware. Russian cybersecurity firm Kaspersky, which first detected the activity in mid-October 2021, attributed it to a previously unknown Chinese-speaking threat actor. Targets include organizations in the telecommunications, manufacturing, and transport sectors.
Over 900,000 Kubernetes Instances Found Exposed Online Date: 2022-06-28
Security researchers at Cyble recently uncovered over 900,000 misconfigured Kubernetes clusters that were exposed on the Internet to potentially malicious scans, some even vulnerable to data-exposing cyberattacks. For its part, Kubernetes is a highly versatile open-source container orchestration system for hosting online services and managing containerized workloads via a uniform API interface. Due to its scalability, flexibility in multi-cloud environments, portability, and cost, Kubernetes has seen a mass adoption by users in the last couple of years.
Raccoon Stealer Is Back With a New Version to Steal Your Passwords Date: 2022-06-28
The Raccoon Stealer malware is back with a second major version circulating on cybercrime forums, offering hackers elevated password-stealing functionality and upgraded operational capacity. The Raccoon Stealer operation shut down in March 2022 when its operators announced that one of the lead developers was killed during Russia’s invasion of Ukraine. The remaining team promised to return with a second version, relaunching the MaaS (malware as a service) project on upgraded infrastructure and with more capabilities.
2022 CWE Top 25 Most Dangerous Software Weaknesses Date: 2022-06-28
The Homeland Security Systems Engineering and Development Institute, sponsored by CISA and operated by MITRE, has released the 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list. The list uses data from the National Vulnerability Database to compile the most frequent and critical errors that can lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition. This year’s list also incorporates updated weakness data for recent Common Vulnerabilities and Exposure records in the dataset that are part of CISA’s Known Exploited Vulnerabilities Catalog.
New Vulnerability Database Catalogs Cloud Security Issues Date: 2022-06-28
A new community-based database launched this week seeks to begin addressing that issue by providing a central repository of information on known cloud service-provider security issues and the steps organizations can take to mitigate them. The database — cloudvulndb.org — is the brainchild of security researchers at Wiz, who for some time have been advocating the need for a public catalog of known security flaws on platforms and services run by the likes of AWS, Microsoft, and Google. The database currently lists some 70 cloud security issues and vulnerabilities that security researcher Scott Piper had previously compiled in a document on GitHub titled "Cloud Service Provider security mistakes." Going forward, anyone is free to suggest new issues to add to the website or to suggest new fixes to existing issues. The goal is to list issues that a cloud service provider might have already addressed.
Readiness Pro: Privacy/Security Assessment & Policy Development Tool
Network Perimeter Security - Firewalls
Security Awareness Training
Network Security, Monitoring & Patching
Cloud Based Backup & Recovery
Backup Tape Vaulting & Rotation Services
Air Gap, Data Storage & Archiving
Data Destruction Services
Security Operations Center (SOC)
Data Storage and Media Updating
Server & Data Center Relocation Services
Breach Investigation & Notification Services
Forensic & Legal Investigations