Select Page
Slide 1

Weekly

Ransomware Roundup

Oct 24 - 28, 2022

US Healthcare Organizations Warned of 'Daixin Team' Ransomware Attacks

A joint alert from CISA, FBI, and HHS has warned the healthcare sector of a threat actor identified as the Daixin team that is targeting US organizations with ransomware-based on the leaked Babuk source code. The group targets VPN servers for initial access via unpatched vulnerabilities and compromised credentials, and uses Secure Shell (SSH) and Remote Desktop Protocol (RDP) for lateral movement. Daixin also employs credential dumping and pass-the-hash to gain access to privileged accounts and connect to VMware vCenter to reset passwords for the ESXi servers and deploy ransomware. The ransomware impacts healthcare services such as diagnostics, electronic health records, imaging, and intranet services. Read more

Quantum Ransomware Stole Patient Data of 200k+ People from Australian Clinical Labs

Australian Clinical Labs (ACL) has disclosed, that the February 2022 data breach, that impacted its Medlab Pathology has exposed the medical records and sensitive information of 223,000 people. The breach compromised Medicare numbers, full names, credit card numbers with CVV code, and personal medical and health records. Quantum ransomware group claimed responsibility for the attack releasing 86GB of stolen sensitive data on its Tor site. Medibank said that it expects a financial impact of $25 to $35 million from the incident, aside from “customer and other remediation, regulatory or litigation costs.” Read more

See Tickets Discloses Data Breach Exposed Customers’ Payment Card Details

Ticketing service company ‘See Tickets’ disclosed a data breach that compromised customers’ payment card details. Threat actors claims to have stolen payment card data by implanting a software skimmer on the victim’s website. The stolen data includes name, address, zip code, payment card number, card expiration date, and CVV number. However, See Tickets insists that social security numbers, state identification numbers, or bank account information were not exposed because the company doesn’t store them. Read more

CERT-UA Warns of Cuba Ransomware Attacks Against Critical Networks in Ukraine

The Ukraine Computer Emergency Response team has warned about potential Cuba ransomware attacks targeting the critical infrastructure of the country through a phishing campaign. The campaign impersonates the Press Service of the General Staff of the Armed Forces of Ukraine and tricks the victim into downloading a file that executes the “rmtpak.dll” DLL file which is the ROMCOM RAT. CERT-UA has associated the use of the RomCom backdoor with the threat actor Tropical Scorpius (aka UNC2596). Read more

What are air-gapped backups? How air-gapped backups work

Air-gapping is an advanced data protection feature used to isolate and detach target storage volumes from unsecure networks, production environments, and host platforms. Here is a blog explaining air-gapping, how air-gapped backups work and the role of air-gap in ransomware protection. Read more

Hive claims ransomware attack on Tata Power, begins leaking data

Tata Power, a subsidiary of the multinational conglomerate Tata Group, has become the victim of the Hive ransomware group. Hive has exfiltrated data of employees' personally identifiable information (PII), National ID (Aadhar) card numbers, PAN (tax account) numbers, and salary information. The data dump also contains engineering drawings, financial and banking records as well as client information. Hive has posted all this data on their leak site. Read more

Promo
32TB Air-Gapped & Immutable Veeam Site Recovery Backup & DR appliance $5,995

32TB, expandable up to 4PB, air-gapped & immutable Veeam, Rubrik, Commvault, Site Recovery, Backup and DR appliance with Zero Trust, SAN-NAS and S3 Object Lockdown Technology for Ransomware protection for $5,995.

Gen 10, 4bay 1U Rackmount unit with 2x16TB Enterprise SAS drives, 10 Core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller. Fully Integrated SAN, NAS and Native S3 cloud object storage.

All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are included.

For demos and hardware details, contact us.

Slide 1

Weekly

Ransomware Roundup

Oct 17 - 21, 2022

Prestige Ransomware Targets Ukraine Organizations

Microsoft has spotted a new ransomware strain identified as DEV-0960 (or “Prestige”) that is targeting Ukrainian and Polish Organizations. The DEV-0960 AKA ‘Prestige’ either copies itself to the ADMIN$ share of a remote system, and uses Impacket to remotely create a scheduled task or remotely invokes an encoded PowerShell command to execute the payload. Prestige ransomware can also copy itself to an Active Directory Domain Controller using the Default Domain Group Policy Object. After deployment, it encrypts files while deleting the backup catalog and all shadow copies to hinder recovery. Read more

MyDeal Data Breach Affects 2.2M Users – Data Put on Sale

MyDeal, an Australian retail marketplace was breached affecting 2.2 million customers. The hacker used compromised user credentials to access the company's Customer Relationship Management (CRM) system to view and export customer information. Stolen data contains names, email addresses, phone numbers, delivery addresses and birth dates. The hacker has put the stolen data on a hacking forum for $600. Read more

Venus Ransomware Targets Remote Desktop services

Venus Ransomware group is hacking into publicly-exposed Remote Desktop services to encrypt Windows devices. When executed, Venus closes thirty-nine processes associated with database servers and Microsoft Office applications and begins encryption. While encrypting, it appends .venus extension and an additional file marker 'goodgamer' to the files. After encryption, it deletes all event logs, Shadow Copy Volumes, and disables Data Execution to eliminate any chances of recovery. Read more

New Stealthy PowerShell Backdoor Targets 60+ Victims

Threat actors are using an undetectable PowerShell backdoor to target its victims for committing cyberespionage and data exfiltration. The attack begins with a phishing email with a document containing malicious macros that drop and execute a script that creates a scheduled task to impersonate a routine Windows update. The scripts then send the victim ID to the attacker’s C2 center from where the malware receives encrypted commands to perform data exfiltration, user enumerations, file listings, account and file removal, and RDP client enumerations. Read more

What is BCDR – A Guide to Business Continuity and Disaster Recovery

Business continuity and disaster recovery can help keep an organization operational by creating resilient data infrastructures and are essential parts of risk management and recovery plan. But what are the differences between both? How do you develop and implement a BCDR policy? Read more

OldGremlin Use Linux Ransomware to Attack Russian Organizations

OldGremlin aka TinyScouts has upgraded its toolkit with file-encrypting malware for Linux machines and is attacking Russian companies in the logistics, insurance, retail, real estate, software development and banking sectors. The malware is deployed by tricking the victim into downloading a document from a file-sharing service that contains TinyCrypt ransomware which encrypts the system using AES algorithm with the CBC block cipher mode and a 256-bit key. The malware then deploys TinyFluff, a NodeJS backdoor for remote access, PowerSploit and Cobalt Strike and many additional payloads that can extract data from Credential Manager, evade antivirus software and isolate a device from the network. Read more

Promo
128TB Fully Air-Gapped & Immutable Veeam Backup and DR appliance for $9,995

128TB Veeam backup and DR appliance with policy-based immutability using built-in network & power management controllers and automated physical and logical air-gapped vault for $9,995.

Gen 10, 8-bay 2U Rackmount unit with 8x16TB (128TB) Enterprise SAS drives, 10 core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Redundant Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller, Dual 10Gb RJ-45 Ports, Fully Integrated SAN, NAS and optional S3 cloud storage.

All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are available as an option if needed.

For demos and hardware details, contact us.

Slide 1

Weekly

Ransomware Roundup

Oct 10 - 14, 2022

Hacking Group POLONIUM Uses ‘Creepy’ Malware Against Israel

POLONIUM, a Lebanon-based hacking group, is using a range of custom malware against Israeli firms for cyberespionage. The threat group uses different variants of the “Creep” backdoors and legitimate cloud services such as OneDrive, Dropbox, and Mega, to act as command and control (C2) servers. The backdoors can log keystrokes, take screenshots, take photos with the webcam, exfiltrate files from the host, install additional malware, and execute commands on the infected device. POLONIUM also uses various open-source tools for reverse proxying, and keylogging, and hides behind virtual private servers (VPS) to hide its tracks. Read more

NHS Vendor Confirms Data Theft – Doesn’t Say if Patient Data was Stolen

Advanced, an IT service provider for the U.K.’s National Health Service (NHS), has confirmed that attackers stole data from its systems during an August ransomware attack, but refuses to say if patient data was compromised. In an updated report, the service provider disclosed that the malware used to carry out the attack was Lockbit 3.0. Moroever, the attackers accessed its network using “legitimate” third-party credentials to establish a remote desktop session to the company’s Staffplan Citrix server, used for powering its caregiver’s scheduling and rostering system. Read more

Magniber Ransomware Infects Windows Users via JavaScript

The Magniber ransomware is targeting Windows users with fake security updates. The threat actor uses JavaScript that initiates an infection with encryption malware. The malicious files are obfuscated and use a variation of the "DotNetToJScript" technique to execute a .NET file in the system memory for evasion. The shellcode deletes shadow copies and uses a bypass for the User Account Control (UAC) feature in Windows to disable backup and recovery features. After successful encryption, Magniber ransomware operators demand payment of up to $2,500. Read more

US Airports' Sites Taken Down in DDoS Attacks

KillNet - the DDoS group that attacked government websites in Colorado, Kentucky, and Mississippi last week has claimed large-scale distributed denial-of-service (DDoS) attacks against websites of several major airports in the U.S. The threat actor used a custom software to generate fake requests and garbage traffic to overwhelm the servers hosting the sites. This made it impossible for travelers to connect and get updates about their scheduled flights or booked airport service. Read more

Downtime Cost: How to Calculate and Minimize it

Downtime costs are more than just lost revenue. It comes with reputational damage, SLA fines, recovery, and PR costs. Learn how to calculate IT downtime costs, and the best practices to minimize it. Read more

Chinese Cyberespionage Group Targets Telcos, IT Service Providers

A new Chinese threat group, tracked as WIP19, is targeting IT services providers and telecommunications companies with signed malware. WIP19 signs several malicious components using a stolen certificate that was issued to Korean messaging provider DEEPSoft Co. The signed credential harvesting tools includes a password dumper, a keylogger, and a screen recorder. According to researchers, the threat actor’s malicious activities in the Middle East and Asia suggest that the motive is cyber espionage. Read more

Promo
48TB SSO NAS appliance with Free Shipping & Support for $6,995

48TB StoneFly XS-Series ready-to-ship Enterprise SSO NAS appliance with air-gap and immutable snapshots option for ransomware protection and support for unlimited NAS clients with built-in S3 cloud connect for $6,995.

Gen 10, 4-bay 1U Rackmount appliance with 3x16TB Enterprise 12GB SAS drives, 10 Core Storage Virtualization Engine, 32GB system memory, 12Gb SAS Hardware RAID Controller and 500W Platinum Certified hot swappable power supply.

All Enterprise data Services such as Snapshot, Tiering, Encryption, Sync & Async, Replication, Supports CIFS/SMB and NFS, Cloud Connect to Azure Hot / Cool Blob / AWS-S3, Erasure Coding are included.

Price includes 1 Year Warranty, 9x5 Tech Support Free Shipping & Insurance.

For demos and hardware details, contact us.

Slide 1

Weekly

Ransomware Roundup

Oct 03 - 07, 2022

US Healthcare Giant CommonSpirit Hit by Possible Ransomware

One of the largest non-profit healthcare providers in the US has been hit by a suspected ransomware attack which has already impacted multiple locations around the country. While details of the attack have not yet been released, the non-profit organization said the following in a statement published on their website: “CommonSpirit Health has identified an IT security issue that is impacting some of our facilities. We have taken certain systems offline. We are continuing to investigate this issue…” Read more

Lazarus Hackers Abuse Dell Driver Bug Using New FudModule Rootkit

The notorious hacking group 'Lazarus' is using a new Windows FudModule rootkit that abuses a Dell hardware driver in a Bring Your Own Vulnerable Driver (BYOVD) attack. The rootkit takes advantage of user-mode module to read and write kernel memory. After gaining kernel memory write access, the hackers disable mechanisms in the Windows operating system such as registry, file system, process creation, and event tracing to blind the security solutions. Read more

BlackByte Ransomware Abuses Legit MSI Driver to Disable Security Products

BlackByte ransomware is using a new technique dubbed "Bring Your Own Driver," which bypasses protections by disabling drivers used by various security solutions. The exploit is a privilege escalation and code execution flaw, tracked as CVE-2019-16098, that can prevent multiple endpoint detection and response (EDR) and antivirus products from operating normally. The threat actor exploits the MSI Afterburner RTCore64.sys driver, signed with a valid certificate, and runs it with high privileges on the system. The driver offers I/O control codes directly accessible by user which makes it possible for attackers to read, write, or execute code in kernel memory without using shellcode or an exploit. Read more

Live Support Service Hacked to Spread Malware in Supply Chain Attack

The official installer for the Comm100 Live Chat application - a widely deployed SaaS (software-as-a-service) used for communications, was trojanized in a supply-chain attack. The infected installer uses a valid digital signature to evade detection and a JavaScript backdoor coded into the "main.js" file. The backdoor fetches obfuscated JS script from a hard-coded URL which then gives the attackers remote shell access to the victimized endpoints, via the command line, to deploy malicious loaders. Read more

Hackers Stole Data from US Defense Organization Using Impacket and CovalentStealer

Hackers infiltrated a US defense industrial base organization, maintained persistence and long-term access to its network and stole sensitive data. The hackers combined custom malware called CovalentStealer, the open-source Impacket collection of Python classes, the HyperBro remote access trojan (RAT), and well over a dozen ChinaChopper webshell samples. They also exploited the ProxyLogon collection of four vulnerabilities for Exchange Server around the time Microsoft released an emergency security update to fix them. Read more

What is Automated Backup and Why Should You Use it

Manual backup and restore is a complex and time-consuming process. Maintaining proper configurations and compatibility with evolving production environments, carefully monitoring storage and archiving overheads, and constantly rotating media for offsite storage need a modern scheduled backup solution. Read more about how StoneFly backup and DR solutions help automate backup and recovery for your critical workloads.

Promo
98TB Fully Air-Gapped & Immutable Veeam Backup and DR appliance for $8,995

98TB Veeam backup and DR appliance with policy-based immutability using built-in network & power management controller and automated physical and logical air-gapped vault for $8,995.

10th Gen, 8-bay 2U Rackmount unit with 7x14TB (98TB) Enterprise SAS drives, 10 core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Redundant Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller, Dual 10Gb RJ-45 Ports, Fully Integrated SAN, NAS and optional S3 cloud storage.

All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are available as an option if needed.

For demos and hardware details, contact us.

Slide 1

Weekly

Ransomware Roundup

September 26 - 30, 2022

Stealthy Hackers Target Military and Weapons Contractors

Security researchers have discovered a new campaign targeting multiple military contractors involved in weapon manufacturing. The highly targeted attacks begin with a phishing email sent to employees, leading to a multi-stage infection involving many persistence and detection avoidance systems. The threat actor use a highly secure C2 infrastructure and multiple layers of obfuscation in the PowerShell stages. Analysts have not been able to attribute the campaign to any known threat actors, but have pointed some similarities with APT37 (Konni) group. Read more

Noberus Ransomware Gets Upgraded - Targets Veeam Backup software

Coreid – the ransomware-as-a-service (RaaS) group behind the Noberus ransomware, aka BlackCat or ALPHV, has upgraded their malware to steal data and credentials from compromised networks. Noberus now uses an extensively updated version of the ‘Exmatter’ data exfiltration tool and ‘Eamfo’, an info-stealing malware. The updated version allows Exmatter to target more files while avoiding detection because it’s been extensively written. Eamfo uses SQL queries to steal credentials stored by Veeam backup software and allows hackers to gain access to critical systems. Read more

American Airlines Breached Using Compromised MS Exchange Account

American Airlines was breached in a phishing campaign that used an employee's hacked Microsoft 365 account. The breach compromised personally identifiable information (PII) and medical information of both customers and employees. The attacker used an IMAP protocol to access mailboxes that synced their contents to another device. Once accessed, the hacker used these mailboxes to send phishing emails. The investigation revealed that the attacker further accessed multiple employees' accounts to send more phishing emails to target accounts. Read more

Hackers Use 'Mouseover' in PowerPoint files for Malware Deployment

The threat actor ‘Fancy Bear’ is targeting entities in the defense and government sectors of Europe using a new method that exploits mouse hover function in Microsoft PowerPoint documents to deploy malware. Once mouse is hovered over the hyperlink contained in the file, the code runs a PowerShell script that downloads and executes a dropper from OneDrive. The dropper then downloads another payload, known as Graphite, which uses the Microsoft Graph API and OneDrive for command-and-control (C2) communications to retrieve additional payloads. Read more

8 Things You Can Do to Protect Your Endpoints from Ransomware

Ransomware search and exploit vulnerable endpoints in your enterprise network to exfiltrate your data and encrypt it. That is why you need to plan and execute your ransomware protection strategy carefully. Here is a list of 8 things you can do to protect your critical endpoints from ransomware attacks. Read more

Microsoft SQL servers hacked in TargetCompany ransomware attacks

Vulnerable Microsoft SQL servers are being targeted in a new wave of attacks with FARGO ransomware, security researchers are warning. The ransomware infection starts with the MS-SQL process on the compromised machine downloading a .NET file using cmd.exe and powershell.exe. The payload fetches additional malware (including the locker), generates and runs a BAT file that terminates specific processes and services. Additionally, the malware executes the recovery deactivation command and terminates database-related processes to make their contents available for encryption. Read more

Promo
210TB Fully Air-Gapped & Immutable Veeam Backup and DR appliance for $14,995

210TB Veeam Backup and DR appliance with Policy based Immutability using built-in Network & Power management Controllers and automated physical and logical Air-Gapped vault for $14,995.

Gen 10, 16-bay, 3U Rackmount unit with 15x14TB (210TB) Enterprise SAS drives, 10 core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Redundant Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller, Dual 10Gb RJ-45 Ports, Fully Integrated SAN, NAS and optional S3 cloud storage.

All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are available as an option if needed.

For demos and hardware details, contact us.

WordPress PopUp Plugin

Subscribe To Our Newsletter

Join our mailing list to receive the latest news, updates, and promotions from StoneFly.

Please Confirm your subscription from the email