Secure email gateways and end users alike are being fooled by a cyberattack campaign that’s enjoying skyrocketing volumes against businesses in every industry, globally.
RedTail Cryptominer Exploiting Palo Alto Networks Firewall Zero-day Flaw
The RedTail cryptocurrency mining malware has been observed exploiting a critical zero-day vulnerability in Palo Alto Networks’ firewall software, PAN-OS.
This vulnerability, tracked as CVE-2024-3400, has a CVSS score of 10.0, indicating its severity. The flaw allows unauthenticated attackers to execute arbitrary code with root privileges on the affected firewall systems, posing a substantial threat to organizations relying on these devices for network security.
The exploitation process begins with the attackers leveraging the CVE-2024-3400 vulnerability to gain unauthorized access to the firewall.
Once access is obtained, the attackers execute commands to retrieve and run a bash shell script from an external domain.
This script is responsible for downloading the RedTail payload, which is tailored to the compromised system’s CPU architecture.
The malware then initiates its cryptomining operations, utilizing the system’s resources to mine cryptocurrency.
Advanced Techniques and Evasion
The latest iteration of RedTail incorporates several advanced techniques to evade detection and analysis.
According to Akamai’s security researchers, the malware now includes new anti-analysis features, such as forking itself multiple times to hinder debugging efforts and terminating any instances of the GNU Debugger (GDB) it encounters.
These enhancements make it more challenging for security professionals to analyze and mitigate the threat.
The malware’s configuration has also been updated to include an encrypted mining setup, which launches the embedded XMRig miner.
Notably, the latest version of RedTail does not contain a cryptocurrency wallet, suggesting that the threat actors have shifted to using private mining pools or pool proxies.
This change allows them greater control over mining outcomes despite the increased operational and financial costs of maintaining a private server.
RedTail’s impact is not limited to Palo Alto Networks firewalls. The malware has also been observed exploiting other known vulnerabilities in various devices and software, including TP-Link routers (CVE-2023-1389), ThinkPHP (CVE-2018-20062), Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887), and VMware Workspace ONE Access and Identity Manager (CVE-2022-22954).
This range of targets highlights the malware’s versatility and the attackers’ extensive knowledge of different systems.
RedTail was first documented in January 2024 by security researcher Patryk Machowiak, who identified its use in a campaign exploiting the Log4Shell vulnerability (CVE-2021-44228) to deploy the malware on Unix-based systems.
Since then, the malware has evolved significantly. In March 2024, Barracuda Networks reported cyber attacks that leveraged flaws in SonicWall (CVE-2019-7481) and Visual Tools DVR (CVE-2021-42071) to install Mirai botnet variants and deploy RedTail.
The latest version detected in April 2024 includes significant updates, such as the use of the RandomX algorithm for greater mining efficiency and modifications to the operating system configuration to utilize larger memory blocks (hugepages), enhancing performance.
While Akamai has not attributed the RedTail malware to any specific group, the sophistication and resources required to operate a private cryptomining pool suggest the involvement of a nation-state-sponsored group.
The tactics the threat actors employ mirror those used by North Korea’s Lazarus Group, known for its for-profit hacking operations and cryptocurrency thefts.
The exploitation of the CVE-2024-3400 vulnerability by the RedTail cryptominer underscores the critical need for organizations to apply security patches and updates promptly.
IOCs
The post RedTail Cryptominer Exploiting Palo Alto Networks Firewall Zero-day Flaw appeared first on Cyber Security News.
Urgent: GitLab Releases Patch for Critical Vulnerabilities – Update ASAP
GitLab has released security updates to address two critical vulnerabilities, including one that could be exploited to take over accounts without requiring any user interaction.
Tracked as CVE-2023-7028, the flaw has been awarded the maximum severity of 10.0 on the CVSS scoring system and could facilitate account takeover by sending password reset emails to an unverified email address.
The Hacker News | #1 Trusted Cybersecurity News Site
Top 10 Notorious Ransomware Gangs of 2023
By employing a multitude of advanced techniques, such as double extortion, alongside other illicit tactics, ransomware groups are continually evolving at a rapid pace.
In a double extortion attack, the threat actors not only encrypt data but also threaten to release their victims’ sensitive information.
In recent times, security researchers have noted that these groups are increasingly targeting high-profile victims to maximize their profits by:-
Using more sophisticated malware
Demanding larger ransom amounts
Besides this, some groups also collaborate or share their resources, which makes it more challenging for law enforcement and other security experts to combat their activities effectively.
Table of Contents:
Types Of Ransomware
10 Notorious Ransomware Gangs of 2023
LockBit
Alphv/BlackCat
Clop
Royal
BlackByte
Black Basta
Ragnar Locker
Vice Society
Everest
BianLian
Types Of Ransomware
The types of ransomware used by threat actors for their illicit goals are:-
Locker Ransomware
Crypto-Ransomware
Scareware
Leakware
Ransomware As a Service (RaaS)
However, the two types of ransomware most widely used by threat actors are:-
Locker ransomware
Crypto ransomware
Ransomware Gangs’ Motivations
The main motivations are:-
Financial Gains
Ease of Use
Powerful Monetisation
Evolving Technologies
Politics
10 Notorious Ransomware Gangs of 2023
This blog covers the following ten notorious ransomware gangs of 2023:-
LockBit
Alphv/BlackCat
Clop
Royal
BlackByte
Black Basta
Ragnar Locker
Vice Society
Everest
BianLian
Now, let’s discuss the above-mentioned top 10 notorious ransomware gangs of 2023:-
LockBit
LockBit, a notorious ransomware group, emerged in September 2019, employing a global ransomware-as-a-service (RaaS) model.
They target global companies and released versions 2.0 and 3.0 in June 2021 and 2022, respectively, featuring:-
BlackMatter-based encryptors
New payment methods
A bug bounty program
Despite their innovations, a setback occurred when the developer leaked LockBit Black’s builder online, compromising its legitimacy.
Alphv/BlackCat
BlackCat/AlphV, a suspected successor to dissolved ransomware groups, is written in Rust to evade detection and reliably encrypt victims’ files. Its targets have included:-
Western Digital
Sun Pharmaceuticals
ALPHV/BlackCat is the first Rust-written ransomware, requiring a specific access token and featuring encrypted configurations, including:-
Services/Processes lists
Whitelisted directories/Files
Stolen credentials
Apart from this, it erases Volume Shadow Copies, escalates privileges, and renames encrypted files with the “uhwuvzu” extension, using AES and RSA encryption.
Clop
The Clop ransomware emerged in 2019 and used a collaborative ransomware-as-a-service (RaaS) model with sophisticated social engineering tactics. Since then, this stealthy group has managed to extort over $500 million from several companies globally.
The operators of this group target a wide range of entities by exploiting the following things:-
Software vulnerabilities
Phishing
One of their notable attacks was the 2020 compromise of Accellion’s File Transfer Appliance, which affected organizations worldwide.
Clop encrypts files with the “.clop” extension, denying access, and teases data leaks as proof of compromise. The operators employ double extortion tactics, threatening to expose or sell their victims’ sensitive data alongside high cryptocurrency demands, a sharp shift from typical ransomware trends.
Royal
Royal Ransomware emerged in 2022 as a sophisticated threat, ranking among the year’s most terrifying campaigns.
Operating under the name Dev-0569, they primarily targeted high-profile victims, demanding millions from organizations such as:-
Silverstone Circuit
A major US telecom
Unlike typical ransomware, Dev-0569, a private group, directly purchases network access and utilizes double extortion tactics, which distinguishes it from other cybercrime operations.
BlackByte
BlackByte surfaced in July 2021, drawing FBI and USS attention for targeting US critical infrastructure sectors.
Despite a Trustwave decrypter released in October 2021, BlackByte evolved with multiple keys and continued operations, possibly linked to Conti’s rebranding.
It persists in global attacks but steers clear of Russian entities like:-
LockBit
RansomEXX
Black Basta
Black Basta ransomware surfaced in February 2022 with a multitude of unique traits. It erases Volume Shadow Copies, replacing them with a:-
JPG wallpaper
ICO file
Unlike others, it encrypts files indiscriminately but spares critical folders; it encrypts with the ChaCha20 algorithm and a hard-coded RSA public key.
Besides this, the file size dictates whether encryption is full or partial, and a .basta extension is added.
Ragnar Locker
Since Dec 2019, the Ragnar Locker ransomware and its operators have targeted global infrastructure, hitting the following entities:-
Portuguese carriers
Israeli hospital
Operating on Windows by exploiting the Remote Desktop Protocol, the group demanded huge payments using a double extortion strategy.
Not only that, but the threat actors also threaten victims with the withholding of decryption tools and the release of sensitive data. Ragnar Locker ransomware is considered one of the most dangerous, with a high threat level due to its attacks on critical infrastructure.
Vice Society
Vice Society is a Russian-speaking hacking group that emerged in 2021. This threat group specializes in ransomware attacks on the following sectors:-
Healthcare
Education
Manufacturing
They operate independently and have hit Europe and the U.S. with a double extortion approach, demanding over $1 million in their initial ransom and settling at around $460,000.
They gain entry by exploiting internet-facing applications and using compromised credentials. Besides this, they move laterally using SystemBC, PowerShell Empire, and Cobalt Strike.
They also exploit Windows services and PrintNightmare, and evade detection with disguised malware and process injection.
Everest
Everest has been active since Dec 2020, and it has transitioned from data exfiltration to ransomware and now focuses on Initial Access Broker services.
Its targets span industries, with a focus on the Americas, capital goods, health, and the public sector. This notorious group is known for hitting AT&T and South American government entities, and besides this, it’s been linked to the following ransomware:-
EverBe 2.0
BlackByte
It has been operating discreetly and, to date, has listed nearly 100 organizations on its dark web leak site. Uncommonly, the group acts as an Initial Access Broker, a shift from direct ransomware attacks that is a rare move in the cybercriminal landscape.
BianLian
BianLian ransomware first emerged in June 2022 and is written in the Go language. It exfiltrates data via:-
RDP
FTP
Rclone
Mega
Primarily it targets the following sectors:-
Financial institutions
Healthcare
Manufacturing
Education
Entertainment
Energy
Initially, they relied on encryption for ransom, but later incorporated data exfiltration and threats of disclosure. After Avast released a decryptor in January 2023, the group shifted its focus to data theft and stopped encrypting files.
BianLian hacks via spearphishing, gaining entry through malicious emails or compromised links. Once in, the malware connects to its command server, downloads tools, and secures a lasting hold on the system.
The post Top 10 Notorious Ransomware Gangs of 2023 appeared first on Cyber Security News.