Tag Archive for: Notorious

Notorious Cyber Gang FIN7 Returns With Cl0p Ransomware in New Wave of Attacks


May 20, 2023 | Ravie Lakshmanan | Cyber Crime / Ransomware

The notorious cybercrime group known as FIN7 has been observed deploying Cl0p (aka Clop) ransomware, marking the threat actor’s first ransomware campaign since late 2021.

Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy Sangria Tempest.

“In these recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to load the Lizar post-exploitation tool and get a foothold into a target network,” the company’s threat intelligence team said. “They then use OpenSSH and Impacket to move laterally and deploy Clop ransomware.”

FIN7 (aka Carbanak, ELBRUS, and ITG14) has been linked to other ransomware families such as Black Basta, DarkSide, REvil, and LockBit, with the threat actor acting as a precursor for Maze and Ryuk ransomware attacks.

Active since at least 2012, the group has a track record of targeting a broad spectrum of organizations spanning software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities.

Another notable tactic in its playbook is its pattern of setting up fake security companies – Combi Security and Bastion Secure – to recruit employees for conducting ransomware attacks and other operations.

Last month, IBM Security X-Force revealed that members of the now-defunct Conti ransomware gang are using a new malware called Domino that’s developed by the cybercrime cartel.

FIN7’s use of POWERTRASH to deliver Lizar (aka DICELOADER or Tirion) was also highlighted by WithSecure a few weeks ago in connection with attacks exploiting a high-severity flaw in Veeam Backup & Replication software (CVE-2023-27532) to gain initial access.

The latest development signifies FIN7’s continued reliance on various ransomware families to target victims as part of a shift in its monetization strategy by pivoting away from payment card data theft to…

Notorious Maze Ransomware Gang Closes Up Shop And Releases Decryption Keys


Over the past three years the Maze crew ensnared scores of victims with its ransomware. Now, suddenly, Maze seems to have called it quits. They’ve released master decryption keys and destroyed the bulk of the malware’s code.

Curiously enough the announcement was made on the message boards at Bleeping Computer. They’re a popular and incredibly useful resource for those who are trying to recover from a ransomware infection.

The Maze announcement certainly has the potential to be helpful to the group’s victims. Having access to the master keys allows security researchers to develop decryptors that victims can use to recover their files for free.

In addition to Maze, keys for the Sekhmet and Egregor ransomware were also released. Egregor was launched by the group in September of 2020, a month before Maze operations were shut down. Sekhmet first appeared in the Spring of 2020.

However, as Christopher Boyd of Malwarebytes Labs reported, decryption tools for all three ransomware strains had already been released. Boyd notes that the inclusion of keys is more of an interesting part of the announcement than a breakthrough for those looking to get their files back.

A Question Of Timing

Last February, French and Ukrainian law enforcement officials made several arrests connected to Egregor. The arrests followed a period of unexpected downtime of Egregor servers, which some in underground forums believed was a sign that its infrastructure had been compromised by the authorities.

The farewell post makes sure to point out that the decision to shut down once and for all was not made because of the arrests.

The poster claims that this was a planned move and that the group has decided to “never return to this kind of activity.”

It sounds encouraging enough to hear an alleged spokesperson say this about a crew that’s responsible for scores of attacks that targeted law firms, municipalities, construction companies and pretty much any other entity with the ability to pay high-dollar ransoms.

That said, the Maze group already claimed it was riding off into the sunset once. This could turn out to be more of an “until we meet again” than a real…

Hackers Spoof Post Office Notices To Spread Notorious Trickbot Malware


Keep an eye on your email for messages from the U.S. Postal Service claiming that you’ve missed an important delivery. Cybercriminals are abusing the public’s trust in the USPS to trick victims into installing the resurgent Trickbot malware.

Researchers at Cofense have been tracking a new Trickbot phishing campaign which began earlier this month. The “lure” the attackers are using is one that most of us have encountered during the pandemic: a missed parcel delivery.

The messages claim that no one was available to provide a signature and that the recipient will have to reschedule the delivery. The criminals “helpfully” note that you can simply print out the linked shipping invoice and present it at a nearby post office to set up a new time.

It’s easy enough to see why someone would hurriedly click the button to view the purported invoice. No one wants to miss a delivery, and it can be incredibly frustrating when you do miss one.

There have been enough delays to deal with over the past couple of years. To then have to endure yet another one because of a bit of bad timing is just the sort of thing that might make people click first and ask questions later.

Those who do click through to see what this “invoice” is all about are pushed to a .ZIP file that hides a boobytrapped Excel workbook. When it’s opened, a large screen attempts to coax users into turning off Excel’s built-in defenses via the yellow Protected View bar.

If the instructions are followed, a script is triggered that tells the victim’s computer to download the real malicious payload and Trickbot infects the system.

Trickbot has been circulating since 2016. It started out as a banking Trojan, but has since evolved into fully modular malware that can provide remote access to infected systems, steal Active Directory credentials from enterprise environments and distribute ransomware.

Throughout the first year of the pandemic, Trickbot’s controllers used COVID-19 lures to phish for victims. Then, late in 2020, a collaborative effort involving Microsoft’s Digital Crimes Unit, numerous law enforcement agencies, security and hosting providers struck a major…

Signal’s Founder Hacked a Notorious Phone-Cracking Device


This week, Apple’s spring product launch event was marred by a ransomware attack against one of its suppliers, Quanta Computer. The incident is notable because it involves Apple—and the release of confidential schematics—but also because it represents an intersection of multiple disturbing trends in digital extortion.

In other Apple-adjacent hacking news, Facebook researchers found that a Palestine-linked group had built custom malware to attack iOS, hidden inside a functional messaging app. Victims had to visit a third-party app store to install the malicious software, but the hackers used social engineering techniques to trick them into doing so. And speaking of Facebook, the social media giant has been implicated in yet another data exposure, this time the email addresses of millions of users who had set that information as “private” in their settings. This comes on the heels of a flaw that allowed the scraping of 500 million Facebook user phone numbers that came to light earlier this month.

We also took a look at a since-fixed bug in Clubhouse that would have allowed people to linger invisibly in rooms like ghosts and even to cause a racket, with the moderator unable to mute them or kick them out.

And there’s more! Each week we round up all the news WIRED didn’t cover in depth. Click on the headlines to read the full stories. And stay safe out there.

In December, forensics company Cellebrite—which helps authorities break into and extract data from iPhones and Android devices—claimed it could access Signal app data. This was a little bit of misdirection; it hadn’t undermined Signal’s famously sturdy encryption but rather added support for file types Signal uses to its Physical Analyzer tool. The distinction matters quite a bit. Cellebrite could basically access Signal messages once it already had your phone in hand and unlocked it, which is going to be a risk with any encrypted messaging app.

Fast forward to this week, when Signal founder Moxie Marlinspike published a blog post that details his apparently successful efforts to hack a Cellebrite phone-cracking device. What he found: lots of vulnerabilities, to the extent that an app could compromise a Cellebrite…
