Select Page
Slide 1

Weekly

Ransomware Roundup

July 24 - 28, 2023

Realst Infostealer Targets Apple macOS Users and Steals Crypto from Wallets

New macOS malware, Realst, disguised as blockchain games, is stealing login credentials and crypto from wallets. Distributed through malicious websites with various names, it uses social media to lure victims. Researchers identified 16 variants across 59 samples, possibly connected to the Pureland campaign. Realst targets Chrome and Firefox, extracts data from Telegram, and takes screenshots. Apple Safari has so far remained unaffected. Read more

BlackByte and Akira Ransomware Claims Attack on Yamaha

Yamaha Canada Music, a division of Yamaha Corporation, suffered a cyberattack with BlackByte and Akira Ransomware claiming the attack. Yamaha Canada Music appeared on both the BlackByte and Akira ransomware gangs' victim lists, indicating collaboration between the two ransomware groups to increase pressure for ransom payments. The breach exposed unauthorized access into vulnerable Yamaha systems and possible data theft, affecting the company's reputation. Read more

UNC4899 Held Responsible for JumpCloud Hack Targeting BlockChain and Crypto

UNC4899, associated with the Reconnaissance General Bureau (RGB), is found to have been behind the JumpCloud hack that targeted cryptocurrency and intelligence-gathering sectors. UNC4899 used Operational Relay Boxes (ORBs) and commercial VPN providers to hide themselves. However, an OPSEC blunder exposed their IP address (175.45.178[.]0/24 subnet). The attackers used spear-phishing and impacted customers in a software supply chain attack that primarily targeted Apple systems running macOS Ventura versions 13.3 or 13.4.1. Read more

Lazarus Group Hijacks Microsoft IIS Servers to Distribute Malware

Lazarus group targets Windows Internet Information Service (IIS) web servers by exploiting poorly protected IIS services to spread malware. Lazarus infiltrates legitimate South Korean websites for "Watering Hole" attacks, targeting visitors with vulnerable INISAFE CrossWeb EX V6 software. It then gains control of IIS servers and deploys JuicyPotato for privilege escalation while executing a second malware loader (‘usoshared.dat’), which decrypts downloaded files and executes them in memory. Read more

Immutable File-Level WORM: Setup Guide and Best Practices

Immutable File-Level WORM is a defense mechanism that ensures data cannot be altered, overwritten, or deleted once written, safeguarding critical information. Here is a step-by-step guide to implement this security feature, fortifying your data storage environment and maintaining data integrity. Keep your data safe from accidental or malicious alterations! Learn how to protect your data from cyberattacks and unauthorized changes with Immutable File-Level WORM (FileLock). Read more

Zenbleed Vulnerability Affects AMD Zen2 Processors, Sensitive Data at Risk

A critical vulnerability (CVE-2023-20593) has affected AMD Zen2 CPUs that allows threat actors to steal sensitive data from each CPU core at 30KB/sec. The vulnerability identified as CVE-2023-20593 allows exfiltrating sensitive data from various system operations, including those in virtual machines, isolated sandboxes, and containers. The flaw stems from the handling of the 'vzeroupper' instruction during speculative execution, impacting all AMD CPUs built on Zen 2 architecture. Read more

Promo
Upgrade your VMware Cluster with Air-gapped and Immutable S3 Object Storage

Upgrade & secure your VMware Cluster with Enterprise class Air-Gapped and Immutable S3 object storage. Seamlessly Integrate smart ransomware protection within your existing environment. Manage all your workloads with a Single Pane of Glass interface.

For demos and details, contact us.

Slide 1

Weekly

Ransomware Roundup

July 10 - 14, 2023

VMware Issues Advisory on Exploit Available for Critical vRealize RCE Bug

VMware warns of a critical vulnerability (CVE-2023-20864) in Aria Operations for Logs, allowing remote code execution. Exploit code is available, and If successfully exploited, threat actors can execute arbitrary code with root privileges through low-complexity attacks that do not require any user interaction. Another vulnerability (CVE-2023-20865) allowing remote root-level commands affecting the Networks component has also been included in CISA's list. Read more

TeamTNT’s Targets Azure and Google Cloud in Cloud Credential Stealing Campaign

In a recent cloud credential stealing campaign, a threat actor targeted Azure and Google Cloud Platform (GCP) services. The evolving campaign has introduced new iterations of credential harvesting script, targeting credentials from various sources. Threat actors distribute a Golang-based ELF binary that acts as a scanner to propagate the malware to vulnerable targets. The campaign shares similarities with the TeamTNT cryptojacking crew, and attacks intersect with the Silentbob campaign, exploiting misconfigured cloud services. Read more

AVrecon SOHO Router Botnet Spreads to 70,000 Devices in 20 Countries

AVrecon botnet has infiltrated over 70,000 SOHO routers with 40,000 nodes across 20 countries. AVrecon targets routers for criminal activities like password spraying and digital ad fraud. Infected devices have high concentrations in the UK and US, as well as Argentina, Nigeria, Brazil, Italy, and Bangladesh. AVrecon exfiltrates data to a C2 server, stops any competing malware, and communicates with secondary servers. It evades detection and thrives on edge infrastructure vulnerability for advertising fraud. Read more

Critical RCE Flaw Found in Ghostscript Open-Source PDF Library

A critical remote code execution vulnerability (CVE-2023-36664) has been discovered in Ghostscript, an open-source interpreter for PostScript and PDF files in Linux. The vulnerability also affects open-source applications on Windows utilizing Ghostscript ports. The flaw lies in the handling of OS pipes and a function called "gp_file_name_reduce()." To mitigate the risk, Linux users should update to Ghostscript version 10.01.2. Read more

Preventing Data Loss: Importance of Volume Deletion Protection

Volume deletion protection is a unique critical security feature in StoneFly backup and disaster recovery (DR) environments. It prevents accidental or intentional deletions of crucial data volumes, safeguarding against data loss and unauthorized access. Learn how organizations can enhance their data protection strategies, defend against ransomware attacks, mitigate insider threats, and prevent accidental deletions. Read more

Storm-0558 Compromises Emails of U.S. Government Agencies for Cyber Espionage

An undisclosed U.S. Federal Civilian Executive Branch agency uncovered suspicious email activities, leading to the discovery of an espionage campaign linked to the threat actor Storm-0558. The campaign targeted approximately two dozen organizations, including the U.S. State Department and Commerce Department. The threat actors gained unauthorized access to unclassified Exchange Online Outlook data. The attackers also exploited forged authentication tokens and used custom malware tools like Bling and Cigril. Read more

Promo
Veeam License Pack can get you an hour of Professional Services

Introducing our Certified Enterprise security package, included with every new purchase of a Veeam license pack. This package provides the best Immutable and Air-gapped practices against Ransomware, Malware, and viruses. You'll also benefit from comprehensive planning, backup & recovery policies, installation, configuration, optimization, performance, and training.

But that's not all! If you purchase the StoneFly Immutable and Air-Gapped Veeam Backup Appliance, you'll receive a remarkable $500 discount off the list price.

StoneFly Backup and fasttrack Disaster Recovery appliances are designed with security in mind. Featuring immutable and Air-gapped repositories, controllers, and Nodes, your data remains isolated from your network to prevent Ransomware Threat Actors from unauthorized to your data.

For demos and details, contact us.

Slide 1

Weekly

Ransomware Roundup

July 10 - 14, 2023

VMware Issues Advisory on Exploit Available for Critical vRealize RCE Bug

VMware warns of a critical vulnerability (CVE-2023-20864) in Aria Operations for Logs, allowing remote code execution. Exploit code is available, and If successfully exploited, threat actors can execute arbitrary code with root privileges through low-complexity attacks that do not require any user interaction. Another vulnerability (CVE-2023-20865) allowing remote root-level commands affecting the Networks component has also been included in CISA's list. Read more

TeamTNT’s Targets Azure and Google Cloud in Cloud Credential Stealing Campaign

In a recent cloud credential stealing campaign, a threat actor targeted Azure and Google Cloud Platform (GCP) services. The evolving campaign has introduced new iterations of credential harvesting script, targeting credentials from various sources. Threat actors distribute a Golang-based ELF binary that acts as a scanner to propagate the malware to vulnerable targets. The campaign shares similarities with the TeamTNT cryptojacking crew, and attacks intersect with the Silentbob campaign, exploiting misconfigured cloud services. Read more

AVrecon SOHO Router Botnet Spreads to 70,000 Devices in 20 Countries

AVrecon botnet has infiltrated over 70,000 SOHO routers with 40,000 nodes across 20 countries. AVrecon targets routers for criminal activities like password spraying and digital ad fraud. Infected devices have high concentrations in the UK and US, as well as Argentina, Nigeria, Brazil, Italy, and Bangladesh. AVrecon exfiltrates data to a C2 server, stops any competing malware, and communicates with secondary servers. It evades detection and thrives on edge infrastructure vulnerability for advertising fraud. Read more

Critical RCE Flaw Found in Ghostscript Open-Source PDF Library

A critical remote code execution vulnerability (CVE-2023-36664) has been discovered in Ghostscript, an open-source interpreter for PostScript and PDF files in Linux. The vulnerability also affects open-source applications on Windows utilizing Ghostscript ports. The flaw lies in the handling of OS pipes and a function called "gp_file_name_reduce()." To mitigate the risk, Linux users should update to Ghostscript version 10.01.2. Read more

Preventing Data Loss: Importance of Volume Deletion Protection

Volume deletion protection is a unique critical security feature in StoneFly backup and disaster recovery (DR) environments. It prevents accidental or intentional deletions of crucial data volumes, safeguarding against data loss and unauthorized access. Learn how organizations can enhance their data protection strategies, defend against ransomware attacks, mitigate insider threats, and prevent accidental deletions. Read more

Storm-0558 Compromises Emails of U.S. Government Agencies for Cyber Espionage

An undisclosed U.S. Federal Civilian Executive Branch agency uncovered suspicious email activities, leading to the discovery of an espionage campaign linked to the threat actor Storm-0558. The campaign targeted approximately two dozen organizations, including the U.S. State Department and Commerce Department. The threat actors gained unauthorized access to unclassified Exchange Online Outlook data. The attackers also exploited forged authentication tokens and used custom malware tools like Bling and Cigril. Read more

Promo
Veeam License Pack can get you an hour of Professional Services

Introducing our Certified Enterprise security package, included with every new purchase of a Veeam license pack. This package provides the best Immutable and Air-gapped practices against Ransomware, Malware, and viruses. You'll also benefit from comprehensive planning, backup & recovery policies, installation, configuration, optimization, performance, and training.

But that's not all! If you purchase the StoneFly Immutable and Air-Gapped Veeam Backup Appliance, you'll receive a remarkable $500 discount off the list price.

StoneFly Backup and fasttrack Disaster Recovery appliances are designed with security in mind. Featuring immutable and Air-gapped repositories, controllers, and Nodes, your data remains isolated from your network to prevent Ransomware Threat Actors from unauthorized to your data.

For demos and details, contact us.

Slide 1

Weekly

Ransomware Roundup

July 3 - 7, 2023

Multi-Site CloudSec Encryption Bug in Cisco’s Network Switches Breaks Traffic Encryption

Cisco has alerted customers about a vulnerability affecting specific data center switches. The flaw, CVE-2023-20185, allows unauthorized manipulation of encrypted traffic. It affects Cisco Nexus 9332C, 9364C, and 9500 spine switches operating in ACI mode with CloudSec encryption enabled. Exploitation grants remote access and modification of encrypted traffic without authentication. Cisco recommends deactivating the vulnerable feature as there is no fix available yet. Read more

StackRot Linux Kernel Vulnerability Allows Privilege Escalation

A privilege escalation vulnerability in the Linux kernel, called StackRot and identified as (CVE-2023-3269) is affecting Linux versions 6.1 through 6.4 and compromises the kernel's security. The flaw arises from stack expansion in the memory management subsystem. This was patched on July 1st, and details, along with a proof-of-concept (PoC) exploit, will be disclosed by the end of July. Read more

RedEnergy Stealer-as-a-Ransomware Targets Energy and Telecom Sectors

The RedEnergy ransomware is targeting energy utilities, oil, gas, telecom, and machinery sectors in Brazil and the Philippines through LinkedIn pages. The malware uses various modules and tricks users into downloading JavaScript-based malware disguised as browser updates. It then exfiltrates valuable data, encrypts files, and demands a ransom of 0.005 BTC. Read more

Malvertising Campaign Delivers BlackCat Ransomware Disguised as WinSCP

BlackCat ransomware operators are using malvertising to distribute unauthorized versions of WinSCP. They manipulate SEO tactics to display deceptive ads and redirect users to malicious websites. The malware includes a Cobalt Strike Beacon backdoor for initial access and uses authentic tools like AdFind and Terminator. Attackers then gain high-level administrative privileges, exploit remote monitoring utilities, and target backup servers to secure persistence. Read more

How to Stop Ransomware Attacks from Deleting Backup Data

Ransomware attacks have evolved, now targeting backup data to cripple organizations. This is done to blackmail victims into paying the ransom as the only means to recover data is deleted, or encrypted. Learn what ransomware protection measures your backup environment must have to prevent ransomware from deleting your backups. Read more

DDoSia Attack Upgrades its Encryption Mechanism, Targets Multiple Sectors

The DDoSia attack tool, developed by the NoName(057)16 hacker group, has released an updated version with improved functionality. The new variant includes encryption to conceal the list of target websites during transmission. DDoSia can launch DDoS attacks on Windows, Linux, and macOS systems. It is distributed through Telegram and targets European countries. The tool has so far affected 486 websites between May and June 2023. Read more

Promo
100TB Immutable and Air-Gapped Scale out NAS appliance for $8,995

100TB Enterprise SSO NAS appliance with Air-Gap and Immutable delta-based Snapshots for ransomware protection and Support for Unlimited NAS Clients, bunch of data services and built-in S3 cloud connect for $8,995.

Gen 10, 8-bay 2U Rackmount appliance with 7x14TB Enterprise SAS drive pack, 10 Core Storage Virtualization Engine, 32GB system memory, 12Gb SAS Hardware RAID Controller and 800W Platinum Certified hot swappable power supply.

All Enterprise data Services such as Snapshot, Tiering, Encryption, Sync & Async, Replication, Supports CIFS/SMB and NFS, Cloud Connect to Azure Hot / Cool Blob / AWS-S3, Erasure Coding are included.

For appliance demos, specifications, and quotes contact us.

WordPress PopUp Plugin

Subscribe To Our Newsletter

Join our mailing list to receive the latest news, updates, and promotions from StoneFly.

Please Confirm your subscription from the email