Tag Archive for: targeting

DoNex Ransomware Observed in the Wild Targeting Enterprises

/in


Enterprises across the United States and Europe are on high alert as a new ransomware strain, dubbed “DoNex,” has been actively compromising companies and claiming victims.

This emergent threat has cybersecurity experts working overtime to understand the attack’s full scope and develop countermeasures.

The DoNex ransomware group has made its presence known by listing several companies as its victims on their dark web portal, accessible via the Onion network.

The group’s tactics are particularly insidious, employing a double-extortion method.

This not only involves the encryption of files, which are then appended with a unique.

VictimID extension, but also the exfiltration of sensitive data, holding it hostage to leverage additional pressure on the victims to pay the ransom.

Ransom Notes and Communication

Affected companies have discovered ransom notes named Readme.VictimID.txt on their systems, which instruct them to establish contact with the DoNex group through Tox messenger, a peer-to-peer instant messaging service known for its security and anonymity features.

Document

Integrate ANY.RUN in your company for Effective Malware Analysis

Malware analysis can be fast and simple. Just let us show you the way to:

  • Interact with malware safely
  • Set up virtual machine in Linux and all Windows OS versions
  • Work in a team
  • Get detailed reports with maximum data

    • If you want to test all these features now with completely free access to the sandbox:

The use of Tox indicates an attacker’s preference for secure communication channels, making it more challenging for law enforcement to track and intercept.

Broadcom recently spotted the emergence of a new ransomware actor, self-dubbed “DoNex,” which was detected in the wild during March.

Currently, the exact methods DoNex uses to infiltrate enterprise systems remain a mystery.

Cybersecurity teams diligently monitor the situation and conduct thorough investigations to uncover the group’s modus operandi.

Understanding the attack vectors is crucial for preventing further incidents and developing effective defense strategies.

A recent tweet by HackManac reported the emergence of a new…

Source…

Ransomware attacks targeting local healthcare groups

/in


Barbara McAneny with the New Mexico Cancer Center says they have had to change the way they work due to a string of ransomware attacks on Optum and United Health Care. “This is an important development for every health care entity in the country,” McAneny said.With Optum being one of their partners, it’s affected a number of services they provide.”Our ability to check whether or not patients are authorized by their insurance to get a prescription or treatment went away,” McAneny said.Due to the attack on Optum, the center also can’t submit claims or receive payments. Tech experts wonder how an attack like this continues to affect the health care industry.”It’s interesting given that the impact is so great that you would think that we would have turned the corner many years ago and started beefing up, you know, our cyber security programs in that space,” Deron Grzetich said.The New Mexico Cancer Center has not had its information breached — and has not been victim to this ransomware attack. But McAneny is concerned for other practices in the state and how this affects people’s ability to receive prescriptions, and if personal information is being stolen through other providers.Other groups affected by these ransomware attacks are UnitedHealth and Change Healthcare. “Anyone who’s filled a prescription or seen a physician or dentist or any health care provider is at risk to have their own personal identity stolen,” McAneny said.In the wake of this attack, she offers this to calm anyone seeking help at the cancer center.”We are going to be treating our patients as we always have,” McAneny said.She says the center is still able to fill prescriptions in-house, but can’t send orders to outside pharmacies.

ALBUQUERQUE, N.M. —

Barbara McAneny with the New Mexico Cancer Center says they have had to change the way they work due to a string of ransomware attacks on Optum and United Health Care.

“This is an important development for every health care entity in the country,” McAneny said.

With Optum being one of their partners, it’s affected a number of services they provide.

“Our ability to check whether or not patients are authorized by their insurance to get…

Source…

Phobos Ransomware Aggressively Targeting U.S. Critical Infrastructure

/in


U.S. Critical Infrastructure

U.S. cybersecurity and intelligence agencies have warned of Phobos ransomware attacks targeting government and critical infrastructure entities, outlining the various tactics and techniques the threat actors have adopted to deploy the file-encrypting malware.

“Structured as a ransomware as a service (RaaS) model, Phobos ransomware actors have targeted entities including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure to successfully ransom several million in U.S. dollars,” the government said.

The advisory comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Active since May 2019, multiple variants of Phobos ransomware have been identified to date, namely Eking, Eight, Elbie, Devos, Faust, and Backmydata. Late last year, Cisco Talos revealed that the threat actors behind the 8Base ransomware are leveraging a Phobos ransomware variant to conduct their financially motivated attacks.

There is evidence to suggest that Phobos is likely closely managed by a central authority, which controls the ransomware’s private decryption key.

Attack chains involving the ransomware strain have typically leveraged phishing as an initial access vector to drop stealthy payloads like SmokeLoader. Alternatively, vulnerable networks are breached by hunting for exposed RDP services and exploiting them by means of a brute-force attack.

Cybersecurity

A successful digital break-in is followed by the threat actors dropping additional remote access tools, taking advantage of process injection techniques to execute malicious code and evade detection, and making Windows Registry modifications to maintain persistence within compromised environments.

“Additionally, Phobos actors have been observed using built-in Windows API functions to steal tokens, bypass access controls, and create new processes to escalate privileges by leveraging the SeDebugPrivilege process,” the agencies said. “Phobos actors attempt to authenticate using cached password hashes on victim machines until they reach domain administrator access.”

The e-crime…

Source…

Group-IB reveals Hi-Tech Crime Trends 23/24: surge in ransomware, leaks, and info stealers targeting Middle East and Africa

/in


(MENAFN– Active DMC) Dubai, February 28, 2024 — Group-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime, has presented a comprehensive overview of the cyber threat landscape in the Middle East and Africa (MEA) for the years 2023/2024 with the release of its annual Hi-Tech Crime Trends report. The report provides a thorough analysis of how cybersecurity challenges in the MEA region have evolved. In 2023, Group-IB’s researchers identified a 68% surge in the number of ransomware attacks, with financial services and real estate companies emerging as the most common victims. The Gulf Cooperation Council (GCC) countries, South Africa, and Turkey were the most frequently targeted locales by Ransomware-as-a-Service (RaaS) affiliates. Information stealers pose a significant concern, impacting 297,106 infected devices in the MEA region whose logs were made available on Underground Clouds of Logs (UCL), and an additional 903,002 hosts, logs from which were put up for sale on underground markets. Additionally, 152 new data leaks were detected in the MEA region in 2023.

Nation-state sponsored hackers target MEA

Group-IB researchers discovered that the Middle East and Africa was a significant target for advanced persistent threats (APTs), also known as nation-state sponsored groups, last year. Overall, Group-IB attributed 523 attacks to nation-state actors across the globe in 2023. Attacks on MEA organizations accounted for 15% of the global total, numbering 77, with Group-IB experts asserting that this may be due to ongoing geopolitical conflicts in the region, along with MEA’s importance to the global energy market.

The top targeted locales in the MEA region in 2023 were Israel (14 attacks), Turkey (12) and the GCC region (8). Government and military organizations suffered the most APT attacks in the MEA region, totalling 20. Transportation (8 attacks) and telecommunications (7) were the second and third most targeted sectors, respectively.

Attacks coordinated by groups such as APT42, Oilrig and Hexane (all from MEA) reflect the desire of certain countries in the region to strengthen their…

Source…