Tag Archive for: Emerges

As New Clues Emerge, Experts Wonder: Is REvil Back?



Change is a part of life, and nothing stays the same for long, even for hacking groups, which are at their most dangerous when working in complete silence. The notorious REvil ransomware gang, behind the JBS and Kaseya attacks, has resurfaced three months after the arrest of several of its members in Russia.

The Russian domestic intelligence service, the FSB, had detained 14 people from the gang. In that operation it reported seizing 426 million roubles, $600,000, 500,000 euros, computer equipment and 20 luxury cars.

REvil Ransomware Gang: The Context

REvil, a ransomware operation run by the financially motivated cybercriminal group tracked as Gold Southfield, emerged in 2019 and became notorious after extorting $11 million from the meat processor JBS.

REvil ran as ransomware-as-a-service (RaaS): affiliates who broke into targets and deployed the ransomware were paid a percentage of each ransom, which gave them an incentive to carry out the intrusions on the gang's behalf.

In July 2021, affiliates working under REvil exploited zero-day vulnerabilities in the managed service provider (MSP) software made by Kaseya. Because the flaws were unpatched at the time, nothing stood in the way of exploitation: the malicious code was deployed globally against over 30 MSPs and around 1,000 business networks managed by those MSPs.

REvil rented its ransomware to other criminals so that similar attacks could be repeated against other targets. Analysis of sustained ransomware campaigns shows that most groups now work this way, as ransomware-as-a-service, renting the malware to affiliates who often already have access to victims' systems, networks and personal data. The May 2021 attack on Colonial Pipeline, the US fuel pipeline operator, was carried out under the same affiliate model, though by a different RaaS operation, DarkSide, rather than by REvil.

In October 2021, a multi-country law enforcement operation seized control of REvil's main infrastructure and took its darknet sites, hosted as Tor hidden services, offline.

But thanks to the U.S.-Russian collaboration, the REvil…


Bumblebee malware loader emerges • The Register


A sophisticated malware loader dubbed Bumblebee is being used by at least three cybercriminal groups that have links to ransomware gangs, according to cybersecurity researchers.

Gangs using Bumblebee have in the past used the BazarLoader and IcedID loaders – linked to high-profile ransomware groups Conti and Diavol. The emergence of Bumblebee coincides with the swift disappearance of BazarLoader in recent weeks, according to researchers with security firm Proofpoint.

The researchers note that BazarLoader’s disappearance occurred about the same time a Ukrainian researcher with access to Conti’s operations – and apparently angry with Kremlin-linked Conti’s public support for Russia’s invasion of Ukraine – started leaking information from the organization, including its ties with BazarLoader.

In February, Conti reportedly took over the operation of the TrickBot botnet gang that developed BazarLoader. Researchers with both Proofpoint and Cybereason found code similarities between Bumblebee and TrickBot’s malware.

Bumblebee, like BazarLoader, is likely used to gain initial access to vulnerable systems and networks. The operators then sell that access to other cybercriminals, who deliver their own malicious payloads into the compromised environments.

Google’s Threat Analysis Group (TAG) wrote in March about a threat group called Exotic Lily. The ad giant’s infosec researchers said Exotic Lily has links to Conti and Diavol, and used Bumblebee to launch large-scale phishing campaigns to gain initial access.

This week Proofpoint and Cybereason observed that, while there are strong overlaps with TrickBot's code, Bumblebee has unique features and stronger anti-detection capabilities.

“From a threat research perspective, what makes this malware interesting is the fact that it was associated with the Conti ransomware group as one of the group’s…


Global Consensus Emerges to Secure Internet-Connected Home and Wearable Devices


The consumer internet of things (IoT) global market size is forecast to grow from $45 billion today to $154 billion by 2028. Whereas early adoption of smart wearables, home electronics and appliances was concentrated in North America and Western Europe, China is projected to overtake the United States as the largest market by the end of 2024.

As the use of connected devices increases worldwide, so does the potential for cyber threats – particularly as new products introduce vulnerabilities, potentially exposing people to hacking or leaks of personal data.

To address this challenge, the World Economic Forum’s Council on the Connected World mobilized a multistakeholder coalition of business leaders, government officials and technology experts to build a consensus on baseline security protections. Reflecting the interests of industry, consumers, white hat hackers and governments, the stakeholders agreed on five security requirements for consumer-facing IoT devices – the first international consensus of this type.

“As we look to new technologies to help address pressing global challenges – from climate change to rapid urbanization – we must ensure this progress does not come at a cost to individual safety and privacy,” said Jeff Merritt, Head of Urban Transformation, World Economic Forum. “Today’s announcement is an important step towards a more secure digital future and is testament to the critical role of multistakeholder collaboration in promoting the responsible development and use of technology.”

Cybersecurity Tech Accord, Consumers International, and I Am the Cavalry, representing more than 400 member organizations globally, developed a statement based on research and dialogue, which has already been endorsed by more than 100 organizations and major tech companies, including Microsoft and NTT. This Statement of Support calls on device manufacturers and vendors to take immediate action.

“Microsoft is excited to support this effort to raise awareness and advance best practices throughout the industry, as well as to encourage cooperation across stakeholder groups to advance the security of consumer products including the services and platforms they are built…


Windows MSHTML zero-day defenses bypassed as new info emerges



New details have emerged about the recent Windows CVE-2021-40444 zero-day vulnerability, how it is being exploited in attacks, and the threat actor’s ultimate goal of taking over corporate networks.

This remote code execution vulnerability in MSHTML, the Internet Explorer rendering engine, tracked as CVE-2021-40444, was disclosed by Microsoft on Tuesday with few details, because it has not been patched yet.

The only information Microsoft shared was that the attacks use specially crafted Office documents that load malicious ActiveX controls through MSHTML, targeting Office 365 and Office 2019 on Windows 10, to download and install malware on the affected computer.

Since then, researchers have found the malicious Word documents used in the attacks and have learned new information about how the vulnerability is exploited.

Why the CVE-2021-40444 zero-day is so critical

Since the disclosure, security researchers have taken to Twitter to warn how dangerous the vulnerability is, even though Microsoft Office's 'Protected View' feature blocks the exploit.

When Office opens a document it checks whether the file carries a "Mark of the Web" (MoTW), a flag (stored on NTFS in the file's Zone.Identifier alternate data stream) indicating that it originated from the Internet.

If the tag is present, Office opens the document in Protected View, a read-only sandboxed mode, which blocks the exploit unless the user clicks the 'Enable Editing' button.

Word document opened in Protected View

As the “Protected View” feature mitigates the exploit, we reached out to Will Dormann, a vulnerability analyst for CERT/CC, to learn why security researchers are so concerned about this vulnerability.

Dormann told BleepingComputer that even if the user is initially protected via Office’s ‘Protected View’ feature, history has shown that many users ignore this warning and click on the ‘Enable Editing’ button anyway.

Dormann also warns that there are numerous ways for a document not to receive the MoTW flag, effectively negating this defense.

“If the document is in a container that is processed by something that is not MotW-aware, then the fact that the container was downloaded from the Internet will be moot. For example, if 7Zip opens an archive that came from the Internet, the extracted contents will have no indication that it came from the Internet. So no MotW, no Protected…
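As an added example (not code from the article, from Dormann, or from Microsoft), the following Python script audits whether a document carries a Mark of the Web and whether Protected View would therefore stand between the user and an exploit like CVE-2021-40444. It parses the Zone.Identifier alternate data stream that Windows writes next to downloaded files, and it treats a missing stream, which is exactly what a file extracted by a non-MoTW-aware archiver such as 7-Zip ends up with, as no protection at all. The stream format and the URL security zone numbers are real Windows conventions; treating zones 3 (Internet) and 4 (Restricted sites) as the only ones that trigger Protected View is a simplification I assume here, since the actual behaviour depends on Trust Center settings. The file name invoice.docx and the sample stream text are constructed for the demonstration.

```python
"""MoTW audit: would this Office document open in Protected View?

Added example, not from the original article. Parses the Zone.Identifier
alternate data stream (ADS) that Windows stores beside files downloaded from
the Internet and flags files that carry no stream at all, e.g. because they
were extracted by an archiver that is not MoTW-aware.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# URL security zone IDs as written to the Zone.Identifier stream on Windows.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Assumption (simplification): Office treats zones 3 and 4 as "from the
# Internet" and opens such files in Protected View; the exact rule depends
# on Trust Center settings and group policy.
UNTRUSTED_ZONES = {3, 4}


@dataclass
class Motw:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None


def parse_zone_identifier(text: str) -> Optional[Motw]:
    """Parse the INI-like Zone.Identifier stream.

    Typical content written by a browser after a download:
        [ZoneTransfer]
        ZoneId=3
        ReferrerUrl=https://example.test/
        HostUrl=https://example.test/invoice.docx
    Returns None when there is no [ZoneTransfer] section or no numeric ZoneId.
    """
    section = None
    fields: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    try:
        zone = int(fields["zoneid"])
    except (KeyError, ValueError):
        return None
    return Motw(zone, fields.get("referrerurl"), fields.get("hosturl"))


def read_motw(path: str) -> Optional[Motw]:
    """Read the file's Zone.Identifier ADS; returns None when it is absent.

    The ':Zone.Identifier' suffix is NTFS ADS syntax and only resolves on
    Windows. On other filesystems (or for a file that has lost its mark)
    the open fails, which is reported the same way: no mark present.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


def protected_view_expected(motw: Optional[Motw]) -> bool:
    """True if Office would open the file in Protected View on MoTW alone."""
    return motw is not None and motw.zone_id in UNTRUSTED_ZONES


def audit(paths: list[str]) -> list[tuple[str, Optional[int], bool]]:
    """Return (path, zone_id or None, protected_view) for each document."""
    results = []
    for path in paths:
        mark = read_motw(path)
        results.append((path, mark.zone_id if mark else None,
                        protected_view_expected(mark)))
    return results


if __name__ == "__main__":
    # Constructed stream content, as a browser writes it for a download.
    downloaded = "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.test/\r\n"
    mark = parse_zone_identifier(downloaded)
    print("downloaded docx:", ZONE_NAMES[mark.zone_id],
          "-> Protected View:", protected_view_expected(mark))
    # The same file pulled out of an archive by a non-MoTW-aware tool has
    # no stream at all, so nothing triggers Protected View.
    print("extracted docx : no mark -> Protected View:", protected_view_expected(None))
    # Hypothetical path; on a non-NTFS filesystem this always reports no mark.
    for entry in audit(["invoice.docx"]):
        print(entry)
```

Run it on Windows over a folder of downloaded documents to find files whose mark was lost on the way from archive to disk; on the PowerShell side, `Get-Item -Stream Zone.Identifier` exposes the same stream and `Unblock-File` removes it, which is the step a user effectively performs when they click 'Enable Editing'.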
