CISA warns govt agencies to patch actively exploited Android driver
CISA ordered federal agencies today to patch a high-severity Arm Mali GPU kernel driver privilege escalation flaw added to its list of actively exploited vulnerabilities and addressed with this month’s Android security updates. […]
Hackers Customize LockBit 3.0 Ransomware To Attack Orgs Worldwide
Hackers leverage LockBit 3.0 ransomware for its mature encryption functionality, which lets them reliably encrypt victims’ files and demand a ransom in exchange for the decryption keys.
LockBit 3.0’s stealth also improves the odds of a successful deployment, since it helps threat actors operate inside a compromised environment without being noticed.
Cybersecurity researchers at Kaspersky Labs recently discovered that hackers are actively exploiting customized LockBit 3.0 ransomware to attack organizations worldwide.
Customized LockBit 3.0 Ransomware
During a recent incident response engagement, researchers found that the threat actors had obtained plaintext administrator credentials.
Those credentials were used to configure and generate the latest variant of LockBit 3.0 ransomware.
The customized malware then used the stolen passwords for lateral movement, turned off Windows Defender, wiped event logs, and finally encrypted data across the network.
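The two defense-evasion steps named in that sequence, disabling Windows Defender and clearing event logs, each leave a distinct record in Windows logging, and seeing them together on one host within a short window is a much stronger signal than either alone. The following is an added example, not code from the Kaspersky/Securelist report: it correlates constructed event records (assumed to have been forwarded off-host before clearing) using the standard Windows event IDs Security 1102 (audit log cleared), System 104 (event log cleared), and Microsoft-Windows-Windows Defender/Operational 5001 and 5010 (real-time protection and scanning disabled). The record format, hostnames and account names are constructed for illustration.

```python
"""Correlate Defender-disable and log-clearing events on the same host.

Added example, not part of the original article. SAMPLE_EVENTS is a constructed
set of forwarded Windows event records; only the event IDs are real Windows IDs.
"""
from datetime import datetime, timedelta

DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"
DEFENDER_DISABLE_IDS = {5001, 5010}                 # real-time protection / scanning disabled
LOG_CLEAR_IDS = {("Security", 1102), ("System", 104)}  # audit log / event log cleared

# Constructed sample records, in the order a SIEM might receive them.
SAMPLE_EVENTS = [
    {"time": "2024-03-04T02:10:05", "host": "FILESRV01", "channel": DEFENDER_CHANNEL, "event_id": 5001, "user": "CORP\\svc_backup"},
    {"time": "2024-03-04T02:10:09", "host": "FILESRV01", "channel": DEFENDER_CHANNEL, "event_id": 5010, "user": "CORP\\svc_backup"},
    {"time": "2024-03-04T02:12:41", "host": "FILESRV01", "channel": "Security", "event_id": 1102, "user": "CORP\\svc_backup"},
    {"time": "2024-03-04T02:12:42", "host": "FILESRV01", "channel": "System", "event_id": 104, "user": "CORP\\svc_backup"},
    # Benign-looking noise on another host: a Defender event with no log clearing afterwards.
    {"time": "2024-03-04T09:00:00", "host": "WKSTN17", "channel": DEFENDER_CHANNEL, "event_id": 5001, "user": "CORP\\jdoe"},
    {"time": "2024-03-04T09:00:30", "host": "WKSTN17", "channel": "Security", "event_id": 4624, "user": "CORP\\jdoe"},
]


def classify(event):
    """Map one record to a tactic label, or None if it is not of interest."""
    if event["channel"] == DEFENDER_CHANNEL and event["event_id"] in DEFENDER_DISABLE_IDS:
        return "defender_disabled"
    if (event["channel"], event["event_id"]) in LOG_CLEAR_IDS:
        return "log_cleared"
    return None


def correlate(events, window=timedelta(minutes=30)):
    """Return one high-severity alert per host where Defender was disabled and a
    log was cleared within `window` afterwards. Each alert carries the
    contributing records so an analyst can pivot on the account and host."""
    by_host = {}
    for ev in events:
        label = classify(ev)
        if label is None:
            continue
        by_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["time"]), label, ev))

    alerts = []
    for host, items in by_host.items():
        items.sort(key=lambda t: t[0])
        disables = [t for t in items if t[1] == "defender_disabled"]
        clears = [t for t in items if t[1] == "log_cleared"]
        for d_time, _, d_ev in disables:
            related = [c_ev for c_time, _, c_ev in clears if timedelta(0) <= c_time - d_time <= window]
            if related:
                alerts.append({
                    "host": host,
                    "severity": "high",
                    "user": d_ev["user"],
                    "first_seen": d_ev["time"],
                    "evidence": [d_ev] + related,
                })
                break  # one alert per host; the evidence list carries the rest
    return alerts


def single_signals(events):
    """Medium-severity findings: any log clearing or Defender disable on its own."""
    return [
        {"host": e["host"], "severity": "medium", "signal": classify(e), "event_id": e["event_id"]}
        for e in events
        if classify(e) is not None
    ]


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['host']} {a['user']} from {a['first_seen']}: {len(a['evidence'])} events")
    for s in single_signals(SAMPLE_EVENTS):
        print(f"[{s['severity']}] {s['host']} {s['signal']} (event {s['event_id']})")
```

The correlation only works if the records have left the host: clearing the Security log destroys everything before the 1102 entry, so the 1102 itself is frequently the only local trace. Forwarding Security, System and Defender channels to a collector as they are written is what makes the Defender-disable records recoverable after the fact.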
The leaked LockBit 3.0 builder makes it straightforward for threat actors to select options such as impersonation, network share encryption, process termination, and network propagation via PsExec.
This incident illustrates the danger posed by stolen credentials, and how easily threat actors can weaponize tools like LockBit 3.0 into highly individualized and evasive ransomware.
The builder lets attackers tailor the ransomware by choosing which files, directories, and systems to encrypt or exclude, based on the target’s network architecture.
The resulting build includes the main executable (LB3.exe) for delivery, a matching decryptor, password-protected variants, and injection techniques.
Running this custom build demonstrates its ransomware functionality, though paying the ransom is inadvisable and unlikely to recover files.
Custom ransom note (Source – Securelist)
In a secure laboratory, the researchers successfully decrypted files using the decryptor generated alongside their own ransomware sample.
However, after Operation Cronos in February 2024, in which law enforcement agencies seized the group’s infrastructure and decryption keys, the real LockBit group temporarily halted its activity.
LockBit soon declared that it had resumed operations. The check_decryption_id utility lets users verify whether the right keys exist for known victims.
The check_decrypt tool assesses decryptability, but the outcome depends on several conditions, and the tool only checks which of those conditions are met on the analyzed systems.
A CSV file is created, listing decryptable files and providing an email address for further instructions on restoring them.
This toolset caught our attention because we had investigated several LockBit threat cases.
Researchers ran victim IDs and encrypted files through the decryption tool, but most returned the same result: “check_decrypt” confirmed that decryption was impossible with the known keys.
LockBit’s competitors used the leaked builder to target companies in the Commonwealth of Independent States, violating LockBit’s own rule against compromising CIS nationals. That triggered a dark web discussion in which LockBit operators explained that they were not involved.
Recommendations
The researchers’ recommendations:
Utilize robust antimalware.
Employ Managed Detection and Response (MDR).
Disable unused services and ports.
Keep all systems and software updated.
Conduct regular penetration tests and vulnerability scans.
Provide cybersecurity training for staff awareness.
Make frequent backups and test them.
Johnson Controls sustains cyberattack. Nearly 100,000 ICS services exposed to the Internet. FBI anticipates an increase in Chinese and Russian targeting of the energy sector. Joint advisory warns of Beijing’s “BlackTech” threat activity. CISA’s push for hardware bills of materials. Cybersecurity in the US industrial base. Guest Michael Toecker, Cyber Security Advisor at the United States Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response, continues his discussion of community defense and Neighborhood Keeper. On the Learning Lab, Mark Urban is joined by Alex Baretta, a senior solution architect at Dragos, for part two of their discussion about secure remote access.
Multiple Flaws Found in Ninja Forms Plugin Leave 800,000 Sites Vulnerable
Multiple security vulnerabilities have been disclosed in the Ninja Forms plugin for WordPress that could be exploited by threat actors to escalate privileges and steal sensitive data.
The flaws, tracked as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393, impact versions 3.6.25 and below, Patchstack said in a report last week. Ninja Forms is installed on over 800,000 sites.
A brief description […]
The Hacker News | #1 Trusted Cybersecurity News Site