Tag Archive for: Beware

Beware of New Trigona Ransomware Attacking Finance Industries


New Trigona Ransomware

The relatively new Trigona ransomware strain, according to Unit 42 researchers, was particularly active in December 2022, targeting industries in the manufacturing, finance, construction, agriculture, marketing, and high technology industries.

Unit 42 researchers observed “Trigona’s threat operator engaging in behavior such as obtaining initial access to a target’s environment, conducting reconnaissance, transferring malware via remote monitoring and management (RMM) software, creating new user accounts and deploying ransomware.”

Companies in the United States, Australia, New Zealand, Italy, France, and Germany were affected.

Specifics of the Trigona Ransomware

From the recent analysis, researchers say that unique computer IDs (CIDs) and victim IDs (VIDs) are included in Trigona’s ransom notes, which are presented via an HTML application with embedded JavaScript rather than the typical text file.

Image 1 (screenshot): Sample Trigona ransom note, telling the business its network is encrypted, giving three steps of instructions for data recovery and tips to make the price cheaper, with a “Need help?” link.

The ransom note’s JavaScript contains the following details:

  • A uniquely generated CID and VID
  • A link to the negotiation Tor portal
  • An email address to contact

Researchers identified at least 15 possible victims compromised in December 2022, and in January 2023 and February 2023 they discovered two new Trigona ransom notes.

When Trigona was originally discovered there was no proof that it was using a leak site for double extortion; instead, the ransom note directed victims to the group’s negotiation portal. A researcher later identified a leak site attributable to Trigona hosted on a specific IP address.

Image 3 (screenshot): Trigona leak site, listing current leaks, view counts, whether each leak is active, and a countdown of the time left; details including screenshots and ransom amounts are shown, along with a green button to place a bid.

Additionally, tactics, techniques, and procedures (TTPs) used by Trigona operators and CryLock ransomware operators coincide, indicating that the threat actors who previously used CryLock ransomware may have switched to using Trigona ransomware.

Image 5 (screenshot): A user on SafeZone, a Russian anti-malware forum, seeking help for Crylock ransomware; an email address is highlighted in red.

Both ransomware families drop ransom notes in HTML Application format, and the ransom message is similar, including:

  • Their claim that all “documents, databases, backups, and other critical” files and data were encrypted
  • AES is their choice of cryptographic algorithm
  • Their statement that…


Cyber Security Today, Jan. 11, 2023 – Debate on ransomware attacks dropping continues, beware of long-hidden backdoors and lots of patches released


The debate on ransomware attacks dropping continues, beware of long-hidden backdoors and lots of patches released.

Welcome to Cyber Security Today. It’s Wednesday, January 11th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.

Another entry in the debate on whether ransomware attacks are going up or down has been issued. Last week researchers at Emsisoft said the truth in the U.S. is hard to figure out because so many attacks aren’t publicly reported. This week researchers at Delinea released a report saying a survey it paid for suggests ransomware last year was down significantly over 2021. Of the 300 American IT decision-makers surveyed, 25 per cent said they were victims of ransomware in 2022. By comparison, 64 per cent of respondents said their firm was hit in 2021. Respondents also said budgets for ransomware defence dropped last year, although that could be because IT leaders are folding defences against ransomware into defences against all types of cyber attacks. More worrisome, the number of companies with incident response plans dropped to 71 per cent last year from 94 per cent in 2022. There’s a link to the full report in the text version of this podcast.

Threat actors are known for installing back doors on victims’ IT infrastructure to enable their attacks. That’s why scouring an entire IT environment is vital after a successful breach of security controls to make sure back doors aren’t left around. The latest example comes in a report from researchers at U.K.-based S-RM Intelligence. It looked into an attack by the Lorenz ransomware gang. The gang exploited a vulnerability in an organization using Mitel’s VoIP phone system. However, it was able to do that by using a backdoor that had been installed five months before the ransomware was launched. One theory is an initial access broker compromised the victim’s IT infrastructure and installed the backdoor, then notified the Lorenz group. Whatever the explanation, it’s another example of why continuously searching for backdoors as well as patching vulnerabilities is essential.

Ransom demands linked to denial of service attacks aren’t talked about a lot. However,…


Holiday shoppers beware: Ransomware can be just 1 click away


(KXAN) — One wrong click is all it can take for a hacker to lock your files or account and demand money.

It happened to Austin business Tiny Pies’ Instagram last year.

“We got an email from someone. And we accidentally clicked on it — it looks legitimate. We clicked on it. And then it was a hacker, and they asked us to give them ransom, or they threatened to delete our account,” Amanda Wadsworth, co-founder of Tiny Pies, a small business in Austin told KXAN News.

Ransomware attackers can also threaten to reveal customers’ information on the dark web, and there’s a lot of that data right now.

“Organizations are managing about 10 times more data than they were even five years ago,” said Bobbie Stempfley, vice president and business unit security officer for Dell Technologies.

“It’s an astronomical amount of data,” she added.

She said there has been an increase in attack attempts; in fact, businesses like Dell have to fend them off daily.

“It’s an environment where, when you put in better protections, the threat actors work to find better ways to go work around those protections,” Stempfley said.

She said Dell is constantly doing training and simulations for employees throughout the year so they don’t fall for ransomware attacks like phishing — when hackers try to lure you via email to click on a fake link.

Holiday shoppers beware

Security company Tanium said attacks like these increase during the holiday shopping season, as hackers try to capitalize on the surge of people surfing the web for deals.

“You’re going to potentially want to look for people impersonating your brand, by stealing websites or sending out emails,” said Melissa Bischoping, Tanium endpoint security research director.

It’s not just companies that hold your data that need to watch out for attacks, Bischoping said. Shoppers should be aware, too.

“Be aware when you receive an email, maybe advertising a holiday sale. Check…


FBI: Beware Residential IPs Hiding Credential Stuffing


Cyber-criminals are increasingly hijacking home IP addresses to hide credential stuffing activity and increase their chances of success, the FBI has warned.

Credential stuffing is a popular method of account takeover whereby attackers use large lists of breached username/password ‘combos’ and try them across numerous sites and apps simultaneously to see if they work. As many individuals reuse their credentials, they often do.

Working credentials can then be sold to others for initial access. The FBI and Australian Federal Police claim to have found two websites containing over 300,000 unique sets of credentials obtained via credential stuffing. The sites had over 175,000 registered customers and made over $400,000 in sales, the FBI said.

Website owners can, however, detect this suspicious activity if they know what to look for, and this is where residential proxies come in: by compromising home routers or other connected devices, attackers route their login attempts through benign-looking residential IP addresses to evade network defenders.

“In executing successful credential stuffing attacks, cyber-criminals have relied extensively on the use of residential proxies, which are connected to residential internet connections and therefore are less likely to be identified as abnormal,” the FBI said in its Private Industry Notification.

“Existing security protocols do not block or flag residential proxies as often as proxies associated with datacenters.”

As well as combo lists, malicious actors buy configurations, or ‘configs,’ and other tools on underground sites to help improve success rates.

“The config may include the website address to target, how to form the HTTP request, how to differentiate between a successful vs unsuccessful login attempt, whether proxies are needed, etc,” the notice explained.

“In addition, cracking tutorial videos available via social media platforms and hacker forums make it relatively easy to learn how to crack accounts using credential stuffing and other techniques.”

The FBI recommended a multi-layered approach to mitigate the threat of credential stuffing.
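The detection gap the FBI notice describes is easiest to see in code. The following is an added illustration written for this page, not code from the FBI notification or any of the articles above: it parses a constructed authentication log, applies the classic per-IP failed-login rule, and then shows why that rule misses credential stuffing spread across many residential IPs, while aggregate signals over a time window (many distinct accounts, a high overall failure ratio, no single source dominating) still catch it. The log format, thresholds, IP ranges and account names are all assumptions made for the example.

```python
"""Credential stuffing detection over authentication logs (added example).

Shows why per-IP failure thresholds miss the distributed, residential-proxy
variant of credential stuffing and how window-level statistics catch it.
All log lines below are constructed; the format is an assumption.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed log line format: "<timestamp> <source-ip> <username> <success|failure>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<outcome>success|failure)$")


@dataclass(frozen=True)
class Attempt:
    ts: str
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[Attempt]:
    """Parse log text into Attempt records, skipping blank or malformed lines."""
    attempts = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line) if line else None
        if m:
            attempts.append(Attempt(m["ts"], m["ip"], m["user"], m["outcome"] == "success"))
    return attempts


def noisy_ips(attempts: list[Attempt], max_failures: int = 10) -> set[str]:
    """Classic rule: flag any single source IP with many failed logins."""
    fails = Counter(a.ip for a in attempts if not a.ok)
    return {ip for ip, n in fails.items() if n >= max_failures}


@dataclass
class WindowStats:
    attempts: int
    distinct_users: int
    distinct_ips: int
    failure_ratio: float   # share of attempts that failed
    top_ip_share: float    # share of attempts from the busiest single IP


def window_stats(attempts: list[Attempt]) -> WindowStats:
    """Aggregate signals over one time window (e.g. 10 minutes of auth logs)."""
    n = len(attempts)
    ips = Counter(a.ip for a in attempts)
    fails = sum(1 for a in attempts if not a.ok)
    return WindowStats(
        attempts=n,
        distinct_users=len({a.user for a in attempts}),
        distinct_ips=len(ips),
        failure_ratio=fails / n if n else 0.0,
        top_ip_share=max(ips.values(), default=0) / n if n else 0.0,
    )


def distributed_stuffing(attempts: list[Attempt], min_users: int = 10,
                         min_failure_ratio: float = 0.8, max_top_ip_share: float = 0.2) -> bool:
    """Flag a window where many accounts fail at once and no single IP dominates:
    the signature of a combo list replayed through a residential proxy pool."""
    s = window_stats(attempts)
    return (s.distinct_users >= min_users
            and s.failure_ratio >= min_failure_ratio
            and s.top_ip_share <= max_top_ip_share)


def suspicious_successes(attempts: list[Attempt]) -> list[str]:
    """Accounts that logged in from an IP that also tried other accounts.
    In a flagged window these are the likely takeovers to force-reset first."""
    users_by_ip = defaultdict(set)
    for a in attempts:
        users_by_ip[a.ip].add(a.user)
    return sorted({a.user for a in attempts if a.ok and len(users_by_ip[a.ip]) > 1})


# Constructed sample: two legitimate users, then 12 "residential" IPs (TEST-NET-1
# range, an assumption) each trying two accounts from a combo list; one hit.
ATTACKER_IPS = [f"192.0.2.{10 + i}" for i in range(12)]
_lines = [
    "2023-01-10T10:00:00Z 203.0.113.5 alice success",
    "2023-01-10T10:00:05Z 198.51.100.7 bob failure",
    "2023-01-10T10:00:09Z 198.51.100.7 bob success",
]
for i, ip in enumerate(ATTACKER_IPS):
    for k in (1, 2):
        user = f"user{2 * i + k:02d}"
        outcome = "success" if user == "user12" else "failure"
        _lines.append(f"2023-01-10T10:01:{2 * i + k:02d}Z {ip} {user} {outcome}")
SAMPLE_LOG = "\n".join(_lines)


if __name__ == "__main__":
    attempts = parse_log(SAMPLE_LOG)
    print("per-IP rule flags:", noisy_ips(attempts) or "nothing")
    print("window stats:", window_stats(attempts))
    print("distributed stuffing:", distributed_stuffing(attempts))
    print("accounts to reset:", suspicious_successes(attempts))
```

On the sample, the per-IP rule flags nothing because every proxy IP fails only twice, while the window as a whole shows 26 distinct accounts, a failure ratio near 0.9 and a busiest-IP share under 10 per cent, and the one successful login (`user12`) is singled out because its source IP also probed another account. In practice the same window statistics can be computed per application or per login endpoint, and the thresholds tuned against a baseline of normal traffic.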

A report from May last year claimed there were 193 billion credential stuffing attempts during…
