LockBit Ransomware Is Back From the Dead: Is Your SOC/DFIR Team Prepared?
Law enforcement disrupted LockBit ransomware operations in February, seizing the gang's infrastructure and its leak website.
Regretfully, the victory appears to have been short-lived. The gang's leading members were not detained, and the setback dealt by Operation Cronos lasted only days before the group bounced back.
A surge in LockBit activity days after the takedown indicated renewed attacks, with the gang using updated encryptors and directing victims to new servers.
Researchers from ANY.RUN, using its interactive malware sandbox, observed that the incident mirrors past events in which dismantled ransomware groups re-emerged with improved tools: REvil appeared shortly after GandCrab's takedown, likely reusing the latter's source code.
All over cybersecurity news sites
About LockBit
LockBit is a cybercriminal organization offering ransomware and advanced persistent threat (APT) capabilities. Its ransomware encrypts victim systems, primarily targeting Windows, and can also hit Linux and macOS.
Operating as a Ransomware-as-a-Service (RaaS), the LockBit developers sell their tools and infrastructure to affiliates, who then launch the attacks. This lets the developers keep their distance from the intrusions themselves while profiting from a broader pool of attackers.
The group has claimed responsibility for numerous high-profile incidents, extorting over $120 million from victims.
The resurgence highlights the importance of using temporary disruptions to study seized infrastructure and prepare for potential evolutions of the threat.
Back from the Dead
An ANY.RUN study shared with Cyber Security News noted a period of inactivity followed by a spike: LockBit detections in the sandbox fell to zero and then began to grow again, starting a few days after the takedown.
The LockBit ransomware gang has resumed its attacks. Now, they’re employing updated encryptors and ransom notes that lead to new servers.
Based on the ANY.RUN sandbox analysis, rather than rebranding, the LockBit gang promised to return with enhanced infrastructure and updated security measures to prevent law enforcement from regaining access to its decryptors.
Analyzing LockBit in ANY.RUN
LockBit remains a prevalent and actively developed ransomware strain. Despite the recent takedown by law enforcement, its creators are likely to modify the code to evade detection, so organizations should be prepared: a LockBit infection remains a significant threat.
Studying LockBit's tactics, techniques, and procedures (TTPs) and Indicators of Compromise (IOCs) is crucial for configuring Security Information and Event Management (SIEM) and Threat Intelligence Platform (TIP) systems to identify and isolate intrusions before file encryption completes.
The latest variant, LockBit 4.0, exhibits changes: it no longer modifies the desktop wallpaper, and the decryption process is significantly slower. Also, unlike its predecessor, version 4.0 does not self-delete after encryption.
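The kind of behavioral rule a SOC would feed a SIEM for the goal described above, as an added example that is not from the article or from ANY.RUN: it scans endpoint file-system events for a process that rewrites many files under one new extension within a short window and drops a ransom-note-like file, then names the process to isolate. The log format, host name, paths, the `.ex_locked` extension, the note file name and the 20-renames-per-minute threshold are all constructed placeholders, not LockBit indicators; the article's observation that version 4.0 does not self-delete is why the alert also points at the executable as an artifact to collect.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FsEvent:
    ts: datetime
    host: str
    pid: int
    image: str   # executable of the process that performed the action
    action: str  # "rename" or "create"
    path: str    # resulting file path


# Generic ransom-note naming hints (illustrative, not a LockBit-specific signature).
NOTE_HINTS = ("readme", "restore", "decrypt", "recover")


def parse_event(line: str) -> FsEvent:
    """Parse one line of the constructed format '<iso-ts>|<host>|<pid>|<image>|<action>|<path>'."""
    ts, host, pid, image, action, path = line.split("|", 5)
    return FsEvent(datetime.fromisoformat(ts), host, int(pid), image, action, path)


def events_from_lines(lines):
    return [parse_event(line) for line in lines]


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def extension_of(path: str) -> str:
    name = _basename(path)
    return name[name.rfind("."):].lower() if "." in name else ""


def looks_like_ransom_note(path: str) -> bool:
    name = _basename(path).lower()
    return name.endswith((".txt", ".html")) and any(h in name for h in NOTE_HINTS)


def detect(events, window=timedelta(seconds=60), threshold=20):
    """Flag each process that renames >= threshold files to one new extension inside `window`."""
    per_proc = defaultdict(list)
    for ev in events:
        per_proc[(ev.host, ev.pid, ev.image)].append(ev)

    alerts = []
    for (host, pid, image), evs in per_proc.items():
        renames = sorted((e for e in evs if e.action == "rename"), key=lambda e: e.ts)
        note_seen = any(e.action == "create" and looks_like_ransom_note(e.path) for e in evs)
        j = 0
        for i, first in enumerate(renames):
            # Sliding window: advance j to the first rename outside `window` after `first`.
            while j < len(renames) and renames[j].ts - first.ts <= window:
                j += 1
            ext, count = Counter(extension_of(e.path) for e in renames[i:j]).most_common(1)[0]
            if count >= threshold:
                alerts.append({
                    "host": host, "pid": pid, "image": image, "extension": ext,
                    "renames_in_window": count, "note_seen": note_seen,
                    "first_ts": first.ts.isoformat(),
                    # The article reports that LockBit 4.0 does not self-delete after
                    # encryption, so the on-disk image is worth collecting for analysis.
                    "collect_for_analysis": image,
                })
                break  # one alert per process is enough to trigger isolation
    return alerts


def _build_sample_lines():
    """Constructed sample telemetry: one suspicious process and one benign backup job."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    bad = "C:\\Users\\Public\\suspicious_example.exe"   # placeholder path
    good = "C:\\Program Files\\ExampleBackup\\backup.exe"  # placeholder path
    lines = []
    for n in range(25):  # 25 files rewritten under a new extension in 25 seconds
        t = (base + timedelta(seconds=n)).isoformat()
        lines.append(f"{t}|WS-EXAMPLE-01|4242|{bad}|rename|C:\\Users\\alice\\Documents\\report_{n}.docx.ex_locked")
    t = (base + timedelta(seconds=26)).isoformat()
    lines.append(f"{t}|WS-EXAMPLE-01|4242|{bad}|create|C:\\Users\\alice\\Documents\\HOW_TO_RESTORE_EXAMPLE.txt")
    for n in range(5):   # a backup tool renaming five files over five minutes is normal
        t = (base + timedelta(minutes=n)).isoformat()
        lines.append(f"{t}|WS-EXAMPLE-01|1337|{good}|rename|D:\\Backups\\archive_{n}.zip.bak")
    return lines


SAMPLE_LINES = _build_sample_lines()

if __name__ == "__main__":
    for alert in detect(events_from_lines(SAMPLE_LINES)):
        print(alert)
```

The threshold and window are tuning knobs: a rate that is unmistakable for a workstation user may be routine for a file server, so baseline each host class before paging on this rule.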
LockBit’s ransom note in ANY.RUN
LockBit ransomware, known for targeting Windows primarily but also capable of compromising Linux and macOS systems, has re-emerged with updated tools and infrastructure after the recent takedown.
This notorious ransomware group is responsible for extorting over $120 million from 2,000 victims. Understanding LockBit's attack patterns and tactics, techniques, and procedures (TTPs), along with collecting Indicators of Compromise (IOCs), is crucial to configuring security systems effectively for defense.
What is ANY.RUN?
ANY.RUN is a cloud-based malware sandbox designed to expedite threat analysis for security teams, using YARA rules and Suricata for prompt malware detection (around 40 seconds) and automatic family identification.
Unlike solely automated solutions, ANY.RUN offers real-time interaction with the virtual machine through a browser interface, which is crucial for countering zero-day exploits and advanced malware that can bypass signature-based detection.
ANY.RUN’s cloud-based nature also eliminates setup and maintenance burdens for DevOps teams, making it cost-effective for businesses.
The intuitive interface is well-suited for onboarding new security personnel, allowing even junior analysts to swiftly grasp malware analysis and extract Indicators of Compromise (IOCs).