Tag Archive for: attacks

GhostSec & Stormous Launched Twin Ransomware Attacks


A hacking group has evolved with a new ransomware variant known as GhostLocker 2.0.

This group, in collaboration with the Stormous ransomware operators, has initiated double extortion ransomware attacks targeting various businesses globally.

The joint efforts of GhostSec and Stormous have led to the creation of a new ransomware-as-a-service program named STMX_GhostLocker, offering diverse options for their affiliates.

The collaborative operation affected victims across various business verticals, according to disclosures made by the groups in their Telegram channels.(Source: Cisco Talos)

Global Impact of Ransomware Attacks

The victimology of these attacks spans across multiple countries, including Cuba, Argentina, Poland, China, and many others.

Document

Integrate ANY.RUN in your company for Effective Malware Analysis

Malware analysis can be fast and simple. Just let us show you the way to:

  • Interact with malware safely
  • Set up virtual machine in Linux and all Windows OS versions
  • Work in a team
  • Get detailed reports with maximum data
  • If you want to test all these features now with completely free access to the sandbox: ..

These cybercriminal activities have affected victims in different business sectors, as disclosed by the groups in their Telegram channels.

Talos’ observation in GhostSec’s Telegram channels highlighted the group’s continued attacks on Israel’s Industrial systems, critical infrastructure, and technology companies.(Source: Cisco Talos)

Notably, GhostSec has been actively targeting Israel’s industrial systems and critical infrastructure, with reported attacks on organizations like the Ministry of Defense in Israel.

Using the GhostLocker and StormousX ransomware malware, Talos discovered that the GhostSec and Stormous gangs were collaborating on several double extortion assaults.

Evolution of GhostLocker Ransomware

GhostSec introduced an upgraded version of their ransomware called GhostLocker 2.0, showcasing continuous development efforts with plans for further iterations like GhostLocker V3.

Stmx_GhostLocker member affiliate working model.

The ransom note strategy has evolved to include instructions for victims…

Source…

GhostSec and Stormous Launch Joint Ransomware Attacks in Over 15 Countries


The cybercrime group called GhostSec has been linked to a Golang variant of a ransomware family called GhostLocker.

“TheGhostSec and Stormous ransomware groups are jointly conducting double extortion ransomware attacks on various business verticals in multiple countries,” Cisco Talos researcher Chetan Raghuprasad said in a report shared with The Hacker News.

“GhostLocker and Stormous ransomware have started a new ransomware-as-a-service (RaaS) program STMX_GhostLocker, providing various options for their affiliates.”

Attacks mounted by the group have targeted victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand, and Indonesia.

Some of the most impacted business verticals include technology, education, manufacturing, government, transportation, energy, medicolegal, real estate, and telecom.

GhostSec – not to be confused with Ghost Security Group (which is also called GhostSec) – is part of a coalition called The Five Families, which also includes ThreatSec, Stormous, Blackforums, and SiegedSec.

Cybersecurity

It was formed in August 2023 to “establish better unity and connections for everyone in the underground world of the internet, to expand and grow our work and operations.”

Late last year, the cybercrime group ventured into ransomware-as-a-service (RaaS) with GhostLocker, offering it to other actors for $269.99 per month. Soon after, the Stormous ransomware group announced that it will use Python-based ransomware in its attacks.

The latest findings from Talos show that the two groups have banded together to not only strike a wide range of sectors, but also unleash an updated version of GhostLocker in November 2023 as well as start a new RaaS program in 2024 called STMX_GhostLocker.

“The new program is made up of three categories of services for the affiliates: paid, free, and another for the individuals without a program who only want to sell or publish data on their blog (PYV service),” Raghuprasad explained.

STMX_GhostLocker, which comes with its own leak site on the dark web, lists no less than six victims from India, Uzbekistan, Indonesia, Poland, Thailand, and Argentina.

GhostLocker…

Source…

Meris Botnet Sets Record with Massive DDoS Attacks Across Global Servers


In a startling display of cyber force, the Meris botnet has successfully executed the largest DDoS (Distributed Denial of Service) attacks in history this summer, targeting a wide range of countries including the United States, Russia, New Zealand, and the United Kingdom. This malicious network, comprising over 250,000 devices, overwhelmed some of the most robust servers worldwide, marking a significant moment in cyber warfare.

Research conducted by the Russian search engine Yandex, alongside insights from DDoS mitigation service Qrator Labs, has unveiled that Meris is a new breed of botnet. Its capacity to generate an unprecedented 21.8 million requests per second (RPS) during an attack on Yandex on September 5 highlights its potential to cripple almost any infrastructure, including highly resilient networks.

Unprecedented Scale and Impact

The Meris botnet’s capability to launch attacks of such magnitude lies in its unique focus on the number of requests per second, a method that sets it apart from traditional DDoS attacks which generally aim to saturate servers with massive amounts of data. This strategy has enabled Meris to take down significant infrastructures, as evidenced by the disruption caused to major companies in New Zealand, including banks like ANZ and Kiwibank, NZ Post, MetService, and even the New Zealand Police.

Technical Sophistication

Unlike typical ‘Internet of Things’ (IoT) devices often associated with botnets, the devices commandeered by Meris are high-performance and likely connected via Ethernet, contributing to the botnet’s formidable power. This revelation, coupled with the attackers’ technique of rotating devices to avoid revealing their full capacity, complicates efforts to mitigate the botnet’s impact.

Global Response and Mitigation

The emergence of Meris has prompted a global response, with entities like Cloudflare and Yandex at the forefront of efforts to counteract the botnet’s attacks. The record-breaking assault on Yandex, which surpassed previous incidents attributed to the Mirai botnet, underscores the escalating challenge of safeguarding digital infrastructure against such sophisticated…

Source…

US cyber and law enforcement agencies warn of Phobos ransomware attacks


US cyber and law enforcement agencies warn of Phobos ransomware attacks

Pierluigi Paganini
March 02, 2024

US CISA, the FBI, and MS-ISAC issued a joint CSA to warn of attacks involving Phobos ransomware variants observed as recently as February 2024

US CISA, the FBI, and MS-ISAC issued a joint cyber security advisory (CSA) to warn of attacks involving Phobos ransomware variants such as Backmydata, Devos, Eight, Elking, and Faust.

The attacks were observed as recently as February 2024, they targeted government, education, emergency services, healthcare, and other critical infrastructure sectors.

Phobos operation uses a ransomware-as-a-service (RaaS) model, it has been active since May 2019.

Based on information from open sources, government experts linked multiple Phobos ransomware variants to Phobos intrusions due to observed similarities in Tactics, Techniques, and Procedures (TTPs). Phobos intrusions also involved the use of various open-source tools, including Smokeloader, Cobalt Strike, and Bloodhound. These tools are widely available and user-friendly across different operating environments, contributing to the popularity of Phobos and its associated variants among various threat actors.

Threat actors behind Phobos attacks were observed gaining initial access to vulnerable networks by leveraging phishing campaigns. They dropped hidden payloads or used internet protocol (IP) scanning tools, such as Angry IP Scanner, to search for vulnerable Remote Desktop Protocol (RDP) ports or by leveraging RDP on Microsoft Windows environments.

“Once they discover an exposed RDP service, the actors use open source brute force tools to gain access. If Phobos actors gain successful RDP authentication in the targeted environment, they perform open source research to create a victim profile and connect the targeted IP addresses to their associated companies. Threat actors leveraging Phobos have notably deployed remote access tools to establish a remote connection within the compromised network.” reads the joint CSA. “Alternatively, threat actors send spoofed email attachments that are embedded with hidden payloads such as SmokeLoader, a backdoor trojan that is often used in…

Source…