The recently identified Buhti operation uses LockBit and Babuk ransomware variants to target Linux and Windows systems.
The post Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation appeared first on SecurityWeek.
U.S. Govt offers $10 Million Bounty on Info About Cl0p Ransomware Gang
There have been several recent reports of the CL0P ransomware gang exploiting the MOVEit Transfer application.
CISA and the FBI have published a joint Cybersecurity Advisory covering the CL0P ransomware gang's TTPs (Tactics, Techniques, and Procedures), IoCs (Indicators of Compromise), and mitigations.
Based on the information available, the CL0P ransomware group has been targeting and exploiting an SQL injection vulnerability in the MOVEit Transfer application (CVE-2023-34362).
Most of the exploitation has been against internet-facing MOVEit Transfer managed file transfer (MFT) instances.
CL0P has operated both as a Ransomware-as-a-Service (RaaS) and as an affiliate of other RaaS groups.
The group has also acted as an Initial Access Broker (IAB), providing other threat actors with a foothold in victim organizations; that initial access is typically obtained through phishing campaigns.
Between 2020 and 2021, the group exploited zero-day vulnerabilities in Accellion FTA servers and installed a web shell named DEWMODE.
At the start of this year, the TA exploited a zero-day vulnerability in the GoAnywhere MFT platform, claiming about 130 victims in 10 days.
Its most recent campaign exploited an SQL injection vulnerability in MOVEit Transfer and compromised dozens of systems worldwide.
The malware used by the TA includes:
CISA and the FBI have jointly published a complete account of the exploitation activity and methodologies, including TTPs, impact, IoCs, and other key information.
Review and monitor all remote-access and execution logs
Limit the use of RDP and other remote desktop services
Audit user accounts and their privileges
Implement time-based access for accounts and services
Disable hyperlinks in received emails
Keep software up to date
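As an added example (not from the advisory or the article), the following Python script applies three of these mitigations as detection logic over constructed Windows Security logon records: each RDP logon (logon type 10) is checked against a hypothetical jump-host allowlist and a time-based access window, privileged accounts are flagged when they log on over RDP, and every account is checked against a hypothetical inventory. The field names mirror event 4624, but the log lines, networks and account names are made up for the example.

```python
# Added example: audit remote-access logons against an RDP allowlist, a
# time-based access window and an account inventory. Illustrative code, not
# part of the CISA/FBI advisory; the policy values are hypothetical and the
# log lines are constructed (field names mirror Windows Security event 4624;
# logon type 10 = RemoteInteractive/RDP, 3 = Network).
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Hypothetical policy: RDP only from the jump-host subnet, only inside the
# 08:00-18:00 (UTC) change window, and only for accounts in the inventory.
RDP_ALLOWED_NETWORKS = [ip_network("10.10.5.0/24")]
ACCESS_WINDOW = (time(8, 0), time(18, 0))
KNOWN_ACCOUNTS = {"CORP\\bob", "CORP\\svc_backup", "CORP\\da-admin"}
PRIVILEGED_ACCOUNTS = {"CORP\\da-admin"}

# Constructed sample records, not real telemetry.
SAMPLE_4624 = [
    "2023-06-07T10:14:00Z 4624 LogonType=10 Account=CORP\\bob Src=10.10.5.20 Host=MOVEIT01",
    "2023-06-07T02:14:00Z 4624 LogonType=10 Account=CORP\\bob Src=203.0.113.5 Host=MOVEIT01",
    "2023-06-07T11:00:00Z 4624 LogonType=3 Account=CORP\\svc_backup Src=10.10.7.3 Host=FILESRV",
    "2023-06-07T11:05:00Z 4624 LogonType=10 Account=CORP\\helpdesk9 Src=10.10.5.21 Host=MOVEIT01",
    "2023-06-07T11:06:00Z 4688 NewProcess=cmd.exe Account=CORP\\bob Host=MOVEIT01",
]


@dataclass
class Logon:
    ts: datetime
    account: str
    logon_type: int
    src_ip: str
    host: str


def parse_4624(line: str) -> Logon:
    """Parse one constructed 'timestamp 4624 Key=Value ...' record."""
    ts_s, _event_id, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Logon(
        ts=datetime.fromisoformat(ts_s.replace("Z", "+00:00")),
        account=fields["Account"],
        logon_type=int(fields["LogonType"]),
        src_ip=fields["Src"],
        host=fields["Host"],
    )


def findings(logon: Logon) -> list:
    """Return the policy violations for a single successful logon."""
    out = []
    if logon.logon_type == 10:  # RDP / RemoteInteractive
        src = ip_address(logon.src_ip)
        if not any(src in net for net in RDP_ALLOWED_NETWORKS):
            out.append("rdp-from-unapproved-source")
        if not (ACCESS_WINDOW[0] <= logon.ts.time() <= ACCESS_WINDOW[1]):
            out.append("rdp-outside-access-window")
        if logon.account in PRIVILEGED_ACCOUNTS:
            out.append("privileged-account-rdp")
    if logon.account not in KNOWN_ACCOUNTS:
        out.append("account-not-in-inventory")
    return out


def audit(lines):
    """Return (account, source, host, findings) for every 4624 that violates policy."""
    results = []
    for line in lines:
        if line.split()[1] != "4624":  # only successful logons
            continue
        logon = parse_4624(line)
        hits = findings(logon)
        if hits:
            results.append((logon.account, logon.src_ip, logon.host, hits))
    return results


if __name__ == "__main__":
    for account, src, host, hits in audit(SAMPLE_4624):
        print(f"{account} from {src} on {host}: {', '.join(hits)}")
```

On the sample, the 02:14 RDP logon from 203.0.113.5 is flagged twice (unapproved source, outside the window) and the helpdesk9 logon is flagged once (not in inventory); the in-window logon from the jump-host subnet and the network logon by the backup service pass. In production the inventory and allowlist would come from the directory and the network inventory rather than constants.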
The post U.S. Govt offers $10 Million Bounty on Info About Cl0p Ransomware Gang appeared first on Cyber Security News.
Cyber Security News
Ukraine at D+682: OSINT on morale, and a coming hacktivist shakeup.
Storms impede ground operations. Smartphones as intelligence sources (and as a security problem). Notes on hacktivist auxiliaries, both Russian and Ukrainian.
The CyberWire
Genesis Market Technique: Hackers Exploited Node.js and EV Certificates
The Trend Micro Managed XDR team has uncovered activity that mirrors the tactics of the infamous Genesis Market.
Trend Micro Managed XDR (Extended Detection and Response) is Trend Micro's managed detection and response service.
The threat actor uses Node.js as a backdoor platform, signs its malware with Extended Validation (EV) code-signing certificates for defense evasion, and possibly abuses Google Colab to host search-engine-optimized download sites.
At the heart of the campaign is the misuse of Node.js, a popular JavaScript runtime.
The threat actor uses it to establish a backdoor that lets them execute commands on infected systems, according to the Trend Micro report.
That foothold is then used to deliver further payloads, such as the Lu0bot malware.
Node.js is a legitimately signed runtime found on many developer and server machines, so its mere presence is not an indicator; what matters is context: where node.exe was launched from, which process started it, whether it runs an inline script (for example via the -e flag), and what it spawns in turn.
Infection chain
Timeline of activity:
T0: the file microsoft_barcode_control_16.0_download.exe (SHA-1 3364dd410527f6fc2c2615aa906454116462bf96) is downloaded using a browser
+ 20 seconds: the file is executed by the user
+ 1 minute and 15 seconds: the first payload is executed
+ 1 second: the second payload is executed
+ 13 seconds: the first backdoor command is executed via Lu0bot
+ 3 minutes 20 seconds: the last backdoor command is executed via Lu0bot
To stay undetected, the threat actors sign their malware with Extended Validation (EV) code-signing certificates.
By compromising this safeguard they obtained the certificates' private keys, which lets them sign their code with a veneer of legitimacy: EV certificates are issued only after extended identity vetting and their keys are meant to be held on hardware tokens, so Windows and many security products treat an EV-signed binary as reputable (Microsoft SmartScreen, for instance, grants EV-signed programs reputation immediately rather than after a warm-up period).
That trust is what makes the compromise dangerous: a valid signature proves only who signed the file, not that it is benign, so defenders should allowlist specific publishers rather than "signed" status, and treat an unfamiliar EV-signed publisher on a downloaded binary as a finding, not a pass.
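The Node.js abuse described above and the EV-signing evasion in the preceding paragraph can be turned into detection logic over process-creation telemetry. The following Python code is an added example, not from the Trend Micro report: it walks a constructed process tree shaped like the timeline (browser, dropped EV-signed binary in Downloads, node.exe launched from Temp with an inline script, a shell spawned by node) and flags the suspicious links, treating the signature as a publisher to check rather than a reason to suppress. The record fields, the signer names, the TRUSTED_SIGNERS allowlist and the sample tree are hypothetical; real Sysmon or EDR schemas differ.

```python
# Added example: flag Node.js used as a command-execution host in
# process-creation telemetry, without letting a code signature (EV or not)
# clear the alert. Illustrative code, not from the Trend Micro report. The
# record layout, sample process tree and signer names are constructed.
from dataclasses import dataclass
import re


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str        # full path of the executable
    cmdline: str
    signer: str = ""  # Authenticode signer subject, "" if unsigned
    ev_signed: bool = False


# Hypothetical allowlist of publishers the organization actually deploys.
TRUSTED_SIGNERS = {"Microsoft Windows", "Mozilla Corporation", "OpenJS Foundation"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(Downloads|Temp)\\", re.I)   # paths a user can write to
INLINE_EVAL = re.compile(r"(^|\s)(-e|--eval)(\s|$)")          # node's inline-script flags

# Constructed process tree modelled on the timeline above: browser download,
# the user runs the dropped EV-signed binary, it launches node.exe from Temp,
# node runs an inline script that spawns a shell. Signer names are made up.
SAMPLE_PROCS = [
    Proc(100, 1, r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe", "Mozilla Corporation"),
    Proc(200, 100, r"C:\Users\alice\Downloads\microsoft_barcode_control_16.0_download.exe",
         "microsoft_barcode_control_16.0_download.exe", "Example Trading LLC", True),
    Proc(300, 200, r"C:\Users\alice\AppData\Local\Temp\node.exe", 'node.exe -e "<inline script>"', "OpenJS Foundation"),
    Proc(400, 300, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami", "Microsoft Windows"),
    Proc(500, 1, r"C:\Program Files\nodejs\node.exe", "node.exe server.js", "OpenJS Foundation"),  # benign developer use
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid, proc):
    """Walk ppid links upward; stops at a missing parent or a cycle."""
    seen, cur = set(), by_pid.get(proc.ppid)
    while cur and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def detect(procs):
    """Return [(pid, basename, [reasons...])] for processes that look suspicious."""
    by_pid = {p.pid: p for p in procs}
    children = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)
    alerts = []
    for p in procs:
        name, reasons = basename(p.image), []
        if name == "node.exe":
            if USER_WRITABLE.search(p.image):
                reasons.append("node-from-user-writable-path")
            if INLINE_EVAL.search(p.cmdline):
                reasons.append("node-inline-eval")
            if any(USER_WRITABLE.search(a.image) for a in ancestors(by_pid, p)):
                reasons.append("node-launched-by-dropped-binary")
        else:
            parent = by_pid.get(p.ppid)
            if parent and basename(parent.image) == "node.exe" and name in SHELLS:
                reasons.append("shell-spawned-by-node")
            if USER_WRITABLE.search(p.image) and any(
                    basename(c.image) == "node.exe" for c in children.get(p.pid, [])):
                reasons.append("dropped-binary-launches-node")
                # A signature, even an EV one, only says who signed the file;
                # it does not make the file benign. Record the publisher status.
                if not p.signer:
                    reasons.append("unsigned")
                elif p.signer not in TRUSTED_SIGNERS:
                    reasons.append("ev-signed-by-unknown-publisher" if p.ev_signed
                                   else "signed-by-unknown-publisher")
        if reasons:
            alerts.append((p.pid, name, reasons))
    return alerts


if __name__ == "__main__":
    for pid, name, reasons in detect(SAMPLE_PROCS):
        print(pid, name, ", ".join(reasons))
```

On the sample tree the dropped binary, the Temp-resident node.exe and the shell it spawns are each flagged, while the installed node.exe serving a developer's project is not. The publisher check is deliberately attached to the dropped binary rather than to node.exe itself: the runtime is legitimately signed, so the question is who signed the thing that launched it.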
In an unexpected twist, the actors possibly use Google Colab to host search-engine-optimized download sites.
Hosting on a Google-owned domain gives those pages a credibility and search ranking that a freshly registered domain would lack, widening the pool of users lured into downloading the payload.
The targets are ordinary users downloading files from the internet, including files shared through social media or chat applications.
The key findings are the adversaries' use of EV code signing and their hosting of malicious content within Google Colab.
Recommendations include scrutinizing downloaded files, verifying the identity of senders in social media or chat apps, being wary of unusual file extensions, and keeping software up to date.
The Trend Micro Managed XDR findings underscore the need for users to strengthen their defenses and treat unsolicited downloads with heightened vigilance.
The post Genesis Market Technique: Hackers Exploited Node.js and EV Certificates appeared first on Cyber Security News.