Tag Archive for: target

Akira Ransomware Mutates to Target Linux Systems, Adds TTPs


Akira ransomware has continued to evolve since emerging as a threat in March, expanding its reach from initially targeting Windows systems to include Linux servers and employing a growing array of tactics, techniques, and procedures (TTPs).

An in-depth report on Akira from Logpoint breaks down the “highly sophisticated” ransomware, which encrypts victim files, deletes shadow copies, and demands a ransom payment for data recovery.

The infection chain targets Cisco ASA VPNs that lack multifactor authentication, exploiting the CVE-2023-20269 vulnerability as its initial entry point.

As of early September, the group had successfully hit 110 victims, focusing on targets in the US and the UK.

British quality-assurance company Intertek was a recent high-profile victim; the group has also targeted manufacturing, professional services, and automotive organizations. 

According to a recent GuidePoint Security GRI report, educational organizations have been disproportionately targeted by Akira, representing eight of its 36 observed victims.

The ransomware campaign involves multiple malware samples that carry out various steps, including shadow copy deletion, file search, enumeration, and encryption, when executed.

Akira uses a double-extortion method: it steals data, encrypts the victim’s files, and then demands payment. If the victim refuses to pay, the group threatens to release the stolen data on the Dark Web.

Upon gaining access, the group uses tools including the remote desktop apps AnyDesk and RustDesk and the encryption and archiving tool WinRAR.

The advanced system information tool and task manager PC Hunter, along with wmiexec, aids the group in moving laterally through the breached systems, according to the report.

The group can also disable real-time monitoring to evade detection by Windows Defender, and shadow copies are deleted through PowerShell.  
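Both of the techniques in the previous paragraph, turning off Defender real-time monitoring and deleting shadow copies from PowerShell, leave a trace in PowerShell script block logging (Event ID 4104) when it is enabled. The detector below is an added example and not Logpoint’s code: it runs a small rule set over constructed 4104 entries (not real telemetry), normalising the script text first so that case changes and backtick escapes do not slip past the match. The rule names are my own; the ATT&CK identifiers T1562.001 (Impair Defenses) and T1490 (Inhibit System Recovery) are the standard ones for these behaviours.

```python
"""Flag Defender tampering and shadow-copy deletion in PowerShell script block
logs (Event ID 4104). Added illustration; not code from the article or Logpoint."""
import re
from dataclasses import dataclass

# Detection rules: (rule name, ATT&CK technique, regex over a normalised script block).
RULES = [
    ("defender-realtime-disabled", "T1562.001",
     re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+(\$true|1)")),
    ("shadow-copies-deleted-wmi", "T1490",
     re.compile(r"win32_shadowcopy\b.*(remove-wmiobject|remove-ciminstance|\.delete\(\))")),
    ("shadow-copies-deleted-vssadmin", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("shadow-copies-deleted-wmic", "T1490",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
]


def normalise(script: str) -> str:
    """Undo cheap obfuscation before matching: strip backtick escapes
    (Se`t-MpPre`ference -> Set-MpPreference), collapse whitespace, lowercase."""
    s = script.replace("`", "")
    s = re.sub(r"\s+", " ", s)
    return s.lower()


@dataclass
class Hit:
    rule: str
    technique: str
    event_id: int
    snippet: str


def scan_script_blocks(events):
    """events: iterable of dicts {"id": <event id>, "script": <script block text>}.
    Only 4104 (script block) events are inspected; returns a list of Hit."""
    hits = []
    for ev in events:
        if ev.get("id") != 4104:
            continue
        text = normalise(ev["script"])
        for name, technique, pattern in RULES:
            if pattern.search(text):
                hits.append(Hit(name, technique, ev["id"], text[:80]))
    return hits


# Constructed sample events (not real telemetry): two plain hits, one benign block,
# one hit logged under the wrong event id, and one backtick-obfuscated hit.
SAMPLE_EVENTS = [
    {"id": 4104, "script": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 4104, "script": "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"},
    {"id": 4104, "script": "Get-Process | Where-Object CPU -gt 100"},
    {"id": 4103, "script": "vssadmin delete shadows /all /quiet"},
    {"id": 4104, "script": "Se`t-MpPre`ference -Disable`RealtimeMonitoring 1"},
]

if __name__ == "__main__":
    for hit in scan_script_blocks(SAMPLE_EVENTS):
        print(f"[{hit.technique}] {hit.rule}: {hit.snippet}")
```

The normalisation step matters more than the rule list: a signature written against the pretty-printed command misses the same command once an operator splits it with backticks or changes its case, and script block logging records the text exactly as the attacker typed it. The rules are deliberately narrow; a real deployment would also watch process creation for vssadmin.exe, wmic.exe and the wmiexec pattern on the same host.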

Ransom note files, which contain payment instructions and decryption assistance, are dropped into multiple directories across the victim’s system.

Anish Bogati, security research engineer at Logpoint, says Akira’s use of Windows internal binaries (also known as LOLBAS) for execution, retrieving credentials, evading defense, facilitating lateral…

Source…

Chinese Hacking Group Exploits Barracuda Zero-Day to Target Government, Military, and Telecom



A suspected Chinese-nexus hacking group exploited a recently disclosed zero-day flaw in Barracuda Networks Email Security Gateway (ESG) appliances to breach government, military, defense and aerospace, high-tech industry, and telecom sectors as part of a global espionage campaign.

Mandiant, which is tracking the activity under the name UNC4841, described the threat actor as “highly responsive to defensive efforts” and capable of actively tweaking their modus operandi to maintain persistent access to targets.

“UNC4841 deployed new and novel malware designed to maintain presence at a small subset of high priority targets that it compromised either before the patch was released, or shortly following Barracuda’s remediation guidance,” the Google-owned threat intelligence firm said in a new technical report published today.

Almost a third of the identified affected organizations are government agencies. Interestingly enough, some of the earliest compromises appear to have taken place on a small number of devices geolocated to mainland China.

The attacks entail the exploitation of CVE-2023-2868 to deploy malware and conduct post-exploitation activities. In select cases, the intrusions have led to the deployment of additional malware, such as SUBMARINE (aka DEPTHCHARGE), to maintain persistence in response to remediation endeavors.

Further analysis of the campaign has revealed a “distinct fall off in activity from approximately January 20 to January 22, 2023,” coinciding with the beginning of the Chinese New Year, followed by two surges, one after Barracuda’s public notification on May 23, 2023, and a second one in early June 2023.


The latter is said to have involved the attacker “attempting to maintain access to compromised environments via the deployment of the new malware families SKIPJACK, DEPTHCHARGE, and FOXTROT / FOXGLOVE.”

While SKIPJACK is a passive implant that registers a listener for specific incoming email headers and subjects and then decodes and runs their content, DEPTHCHARGE is pre-loaded into the Barracuda SMTP (BSMTP) daemon via the LD_PRELOAD environment variable and retrieves encrypted commands for execution.
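LD_PRELOAD persistence of the kind described for DEPTHCHARGE is not exotic, and the check for it is the same on any Linux host: a process whose environment names a preloaded library, or an entry in /etc/ld.so.preload, pointing somewhere a legitimate library would not live. The script below is an added example and is not Mandiant’s or Barracuda’s code. It parses constructed /proc/<pid>/environ blobs and a constructed ld.so.preload file (labelled as such in the code), and the “trusted library directories” list is my own assumption about where a legitimately preloaded library is normally installed; scan_live() applies the same checks to the real /proc tree when run on a Linux host.

```python
"""Hunt for LD_PRELOAD-based persistence. Added example; not vendor or Mandiant code."""
import re
from pathlib import Path

# Assumption: a legitimately preloaded library normally lives under one of these.
# This is a triage heuristic, not proof of legitimacy.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def parse_environ(blob: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE layout of /proc/<pid>/environ."""
    env = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def suspicious_preloads(paths):
    """Return the preload entries that do not sit in a trusted library directory."""
    flagged = []
    for p in paths:
        p = p.strip()
        if p and not p.startswith(TRUSTED_LIB_DIRS):
            flagged.append(p)
    return flagged


def check_process(pid: int, comm: str, environ_blob: bytes):
    """Flag a process whose environment carries LD_PRELOAD pointing outside the
    trusted dirs. The loader accepts several libraries separated by ':' or spaces."""
    value = parse_environ(environ_blob).get("LD_PRELOAD", "")
    if not value:
        return None
    bad = suspicious_preloads(re.split(r"[:\s]+", value))
    return {"pid": pid, "comm": comm, "ld_preload": bad} if bad else None


def check_ld_so_preload(text: str):
    """/etc/ld.so.preload applies to every dynamically linked process on the host,
    so any untrusted entry there is persistence for everything. '#' starts a comment."""
    entries = [line.split("#", 1)[0] for line in text.splitlines()]
    return suspicious_preloads(entries)


def scan_live():
    """Walk /proc on a Linux host. Reading another user's environ needs root;
    processes that vanish or refuse access are skipped rather than aborting."""
    findings = []
    for d in Path("/proc").iterdir():
        if not d.name.isdigit():
            continue
        try:
            comm = (d / "comm").read_text().strip()
            hit = check_process(int(d.name), comm, (d / "environ").read_bytes())
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue
        if hit:
            findings.append(hit)
    preload = Path("/etc/ld.so.preload")
    if preload.exists():
        findings.extend({"pid": None, "comm": "ld.so.preload", "ld_preload": [p]}
                        for p in check_ld_so_preload(preload.read_text()))
    return findings


# Constructed sample data (not a real capture): a mail daemon started with a library
# preloaded from a temp directory, a clean daemon, and a legitimate allocator preload.
SAMPLE_PROCS = [
    (4242, "smtpd", b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.cache/libmail.so\0HOME=/root\0"),
    (4243, "sshd", b"PATH=/usr/sbin:/usr/bin\0LANG=C\0"),
    (4244, "java", b"LD_PRELOAD=/usr/lib/libjemalloc.so.2\0"),
]
SAMPLE_LD_SO_PRELOAD = "# system-wide preload\n/usr/lib/libhardened.so\n/var/tmp/libx.so\n"

if __name__ == "__main__":
    for pid, comm, blob in SAMPLE_PROCS:
        hit = check_process(pid, comm, blob)
        if hit:
            print("suspicious preload:", hit)
    print("ld.so.preload:", check_ld_so_preload(SAMPLE_LD_SO_PRELOAD))
```

Two caveats for anyone running scan_live() on a real appliance. /proc/<pid>/environ reflects the environment at exec time, so a daemon that cleared the variable after loading the library still shows it, which is what you want, but a library injected by other means (a patched binary, a modified init script that unsets the variable before exec) will not appear here. And a path under /usr/lib is not evidence of innocence: an attacker with root can drop a library there, so pair the hit list with package verification (for example rpm -V or debsums) and hashes of any preloaded file.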


The earliest use of DEPTHCHARGE dates back to May…

Source…

International Ransomware Gangs Are Evolving Their Techniques. The Next Generation Of Hackers Will Target Weaknesses In Cryptocurrencies


(MENAFN– The Conversation) In May 2023, the Dallas City Government was hugely disrupted by a ransomware attack. Ransomware attacks are so-called because the hackers behind them encrypt vital data and demand a ransom in order to get the information decrypted.

The attack in Dallas brought hearings, trials and jury duty to a halt and eventually forced the closure of the Dallas Municipal Court Building. It also had an indirect effect on wider police activities, with stretched resources affecting the ability to deliver, for example, summer youth programmes. The criminals threatened to publish sensitive data, including personal information, court cases, prisoner identities and government documents.

One might imagine an attack on a city government and police force causing widespread and lengthy disruption would be headline news. But ransomware attacks are now so common and routine that most pass with barely a ripple of attention. One notable exception happened in May and June 2023, when hackers exploited a vulnerability in the MOVEit file transfer app, which led to data theft from hundreds of organisations around the world. That attack grabbed headlines, perhaps because of the high-profile victims, reported to include British Airways, the BBC and the chemist chain Boots.

According to one recent survey, ransomware payments have nearly doubled to US$1.5 million (£1.2 million) over the past year, with the highest-earning organisations the most likely to pay attackers. Sophos, a British cybersecurity firm, found that the average ransomware payment rose from US$812,000 the previous year. The average payment by UK organisations in 2023 was even higher than the global average, at US$2.1 million.

Meanwhile, in 2022 the National Cyber Security Centre (NCSC) issued new guidance urging organisations to bolster their defences amid fears of more state-sponsored cyber attacks linked to the conflict in Ukraine. It followed a series of cyber attacks in Ukraine suspected to have involved Russia, which Moscow denies.

This article is part of Conversation Insights
The Insights team generates long-form journalism derived from interdisciplinary research. The team is working with academics from different…

Source…

Schools are a prime target for ransomware attacks; How to protect your child’s information


Sat, 26 Aug 2023 01:34:18 GMT

Schools and universities are a prime target for ransomware attacks. (WJAR)

Source…