Tag Archive for: warn

Feds Warn About Snatch Ransomware

/in


Fraud Management & Cybercrime
,
Ransomware

US Agency Advisory Sheds Light on the Group’s Activities

Prajeet Nair (@prajeetspeaks) •
September 21, 2023    

Feds Warn About Snatch Ransomware
Image: Shutterstock

The Snatch ransomware group is targeting a wide range of critical infrastructure sectors, including the defense industrial base, food and agriculture, and information technology sectors, according to a new alert issued by U.S. authorities.

See Also: OnDemand | SaaS: The Gaping Hole in Your Disaster Recovery Plan

The group first appeared in 2018 and operates on a ransomware-as-a-service model, conducting operations involving data exfiltration and double extortion.

A joint advisory from the Cybersecurity and Infrastructure Security Agency and the FBI on Wednesday said that the group was earlier referred to as Team Truniger, based on the nickname of a key group member, Truniger, who operated as a GandCrab affiliate (see: Alleged GandCrab Distributor Arrested in Belarus).

Snatch threat actors employ different methods to gain access to and maintain persistence on a victim’s network. Their affiliates primarily rely on exploiting weaknesses in Remote Desktop Protocol for brute-forcing and gaining administrator credentials to victims’ networks.

In some instances, Snatch affiliates have sought out compromised credentials from criminal forums or marketplaces and gained persistence on a victim’s network by compromising an administrator account and establishing connections over HTTPS to a command-and-control server located on a Russian bulletproof hosting service.

The group also used previously stolen data bought from other ransomware actors to harass victims into paying extortion by threatening to release the data on its leak site.

Snatch uses different tactics, techniques and procedures to…

Source…

Russian hackers exploiting ‘poorly maintained’ Cisco routers for malware, security agencies warn

/in


Pixabay


RESEARCH TRIANGLE PARK –  A group of Russian hackers known as APT28 also known as Fancy Bear is deploying malware in the West by exploiting what cybersecurity agencies in the U.S. and U.K.  call “poorly maintained Cisco routers.”

The group is described as a “highly skilled threat actor.”

Here is the joint warning announcement and explanation:

“The UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), US Cybersecurity and Infrastructure Security Agency (CISA) and US Federal Bureau of Investigation (FBI) are releasing this joint advisory to provide details of tactics, techniques and procedures (TTPs) associated with APT28’s exploitation of Cisco routers in 2021.

“We assess that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th special Service Centre (GTsSS) Military Intelligence Unit 26165. APT28 (also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy) is a highly skilled threat actor.”

To download the UK PDF version of this report:

To download the US PDF version of this report:

Earlier Activity

Previously attributed the following activity to APT28:

Related APT28 links

 

Source…

Researchers warn of two new variants of potent IcedID malware loader

/in


Security researchers have seen attack campaigns using two new variants of IcedID, a banking Trojan program that has been used to deliver ransomware in recent years. The two new variants, one of which appears to be connected to the Emotet botnet, are lighter compared to the standard one because certain functionality has been stripped.

“It is likely a cluster of threat actors is using modified variants to pivot the malware away from typical banking Trojan and banking fraud activity to focus on payload delivery, which likely includes prioritizing ransomware delivery,” researchers from Proofpoint said in a new report. “Additionally, based on artifacts observed in the codebase, timing, and association with Emotet infections, Proofpoint researchers suspect the initial developers of Emotet have partnered with IcedID operators to expand their activities including using the new Lite variant of IcedID that has different, unique functionality and likely testing it via existing Emotet infections.”

IcedID is favored by initial access brokers

IcedID first appeared in 2017 and at origin was a Trojan designed to steal online banking credentials by injecting rogue content into local browsing sessions — an attack known as webinject. From 2017 until last year, the Trojan’s codebase remained largely unchanged. However, some attacker groups started using it in recent years for its ability to serve as a loader for additional malware payloads than for its bank fraud capabilities.

During 2022 and 2023, Proofpoint has seen hundreds of attack campaigns using the IcedID Trojan and managed to link them to five distinct threat actors, most of which operate as initial access brokers, meaning they sell access into corporate networks to other cybercriminals, usually ransomware gangs.

A group that Proofpoint tracks as TA578 has been using IcedID since June 2020. Its email-based malware distribution campaigns typically use lures such as “stolen images” or “copyright violations”. The group uses what Proofpoint considers to be the standard variant of IcedID, but has also been seen delivering Bumblebee, another malware loader favored by initial access brokers.

Another group that uses the…

Source…

Experts Warn of RambleOn Android Malware Targeting South Korean Journalists

/in


Feb 17, 2023Ravie LakshmananMobile Security / Cyber Threat

RambleOn Android Malware

Suspected North Korean nation-state actors targeted a journalist in South Korea with a malware-laced Android app as part of a social engineering campaign.

The findings come from South Korea-based non-profit Interlab, which coined the new malware RambleOn.

The malicious functionalities include the “ability to read and leak target’s contact list, SMS, voice call content, location and others from the time of compromise on the target,” Interlab threat researcher Ovi Liber said in a report published this week.

The spyware camouflages as a secure chat app called Fizzle (ch.seme), but in reality, acts as a conduit to deliver a next-stage payload hosted on pCloud and Yandex.

The chat app is said to have been sent as an Android Package (APK) file over WeChat to the targeted journalist on December 7, 2022, under the pretext of wanting to discuss a sensitive topic.

The primary purpose of RambleOn is to function as a loader for another APK file (com.data.WeCoin) while also requesting for intrusive permissions to collect files, access call logs, intercept SMS messages, record audio, and location data.

RambleOn Android Malware

The secondary payload, for its part, is designed to provide an alternative channel for accessing the infected Android device using Firebase Cloud Messaging (FCM) as a command-and-control (C2) mechanism.

Interlab said it identified overlaps in the FCM functionality between RambleOn and FastFire, a piece of Android spyware that was attributed to Kimsuky by South Korean cybersecurity company S2W last year.

“The victimology of this event fits very closely with the modus operandi of groups such as APT37 and Kimsuky,” Liber said, pointing out the former’s use of pCloud and Yandex storage for payload delivery and command-and-control.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Source…


[the_ad_group id="27628"]