No market tolerates a vacuum, and that applies to ransomware too. After the BlackMatter and REvil gangs ceased their operations, the emergence of new players was only a matter of time. Here is one of them: last December, advertisements for the services of the ALPHV group, also known as BlackCat, appeared on hacker forums. After several incidents, our experts from the Global Research and Analysis Team (GReAT) decided to study the group's activity carefully and published a comprehensive report on the Securelist website. In the ads the attackers claimed to have studied the mistakes and problems of their predecessors and created an improved version of the malware. However, there are signs that their connection to the BlackMatter and REvil groups may be much closer than they are trying to show.

Who are the BlackCat gang and what tools do they use?

The BlackCat ransomware creators offer their services under the Ransomware-as-a-Service (RaaS) scheme. In other words, they provide other attackers with access to their infrastructure and malicious code and in return take a certain share of the ransom. In addition, the BlackCat gang members are probably also responsible for negotiations with the victims. Therefore the only thing their franchisees have to do themselves is gain access to the corporate environment. This we-got-everything-covered principle is the reason BlackCat gained momentum so quickly: its malware is already being used to attack companies around the world.

The BlackCat arsenal consists of several items. The first is the cryptor of the same name. It is written in Rust, which allowed the attackers to create a cross-platform tool: there are versions of the malware that work in both Windows and Linux environments. The second is the Fendr utility, which is used to exfiltrate data from infected infrastructure. The use of this tool suggests that BlackCat may simply be a rebranding of the BlackMatter faction, which was the only known gang to use this tool, also known as ExMatter. BlackCat also employs PsExec for lateral movement in the victim's network, Mimikatz, the well-known hacker software, and Nirsoft utilities to extract network passwords.

You can find more technical information about BlackCat's methods and tools, as well as indicators of compromise, on the Securelist blog.

Who are the victims of BlackCat?

Among the BlackCat ransomware incidents, our experts saw at least one attack on a South American industrial company involved in oil, gas, mining and construction, as well as the infection of several clients of a Middle Eastern ERP provider (an organization that provides enterprise resource planning tools). One of the most disturbing findings is the evolution of Fendr. The tool can now automatically collect a much wider range of files than in earlier BlackMatter attacks: the cybercriminals recently added the ability to find files with the following extensions: .sqlite, .catproduct, .rdp, .accdb, .catpart, .catdrawing, .3ds, .dwt and .dxf. These file types are associated with industrial design applications and remote access tools, which may be a sign that the malware creators are targeting industrial environments.

How to stay safe?

To prevent your company from losing important information, we recommend first protecting all corporate devices with reliable security solutions, and second training employees regularly on information security basics. With ransomware-as-a-service on the rise, it is more important than ever for any company to be prepared for an incident and to have a multi-level anti-ransomware strategy.
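One way to put the extension list above to use on the defensive side, as an added example that is not from the Securelist report or from Kaspersky: a small detector that flags a process reading an unusual number of distinct files with the Fendr-targeted extensions inside a short time window, which is what a bulk collection tool looks like in file-access telemetry. The log format (timestamp,host,process,path), the sixty-second window, the threshold of five distinct files and the sample events are all constructed assumptions, not observed data.

```python
import collections
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extensions the report says Fendr/ExMatter was extended to collect.
FENDR_EXTENSIONS = {".sqlite", ".catproduct", ".rdp", ".accdb", ".catpart",
                    ".catdrawing", ".3ds", ".dwt", ".dxf"}

# Tuning values: assumptions for this example, not figures from the report.
WINDOW = timedelta(seconds=60)
THRESHOLD = 5  # distinct watched files by one process within WINDOW

# Constructed sample of file-read events: "timestamp,host,process,path".
# svc.exe reads six distinct watched files in 11 seconds; CATIA reads two,
# spread over minutes; WINWORD reads an unwatched .docx.
SAMPLE_LOG = r"""2022-04-14T10:00:01,ws-eng-07,C:\Users\dsmith\AppData\Local\Temp\svc.exe,D:\cad\turbine\blade.catpart
2022-04-14T10:00:02,ws-eng-07,C:\Users\dsmith\AppData\Local\Temp\svc.exe,D:\cad\turbine\hub.catproduct
2022-04-14T10:00:02,ws-eng-07,C:\Users\dsmith\AppData\Local\Temp\svc.exe,D:\cad\turbine\blade.catpart
2022-04-14T10:00:03,ws-eng-07,C:\Program Files\Office\WINWORD.EXE,D:\docs\minutes.docx
2022-04-14T10:00:05,ws-eng-07,C:\Users\dsmith\AppData\Local\Temp\svc.exe,D:\cad\site\layout.dwt
2022-04-14T10:00:07,ws-eng-07,C:\Users\dsmith\AppData\Local\Temp\svc.exe,D:\cad\site\plan.dxf
2022-04-14T10:00:09,ws-eng-07,C:\Users\dsmith\AppData\Local\Temp\svc.exe,C:\Users\dsmith\Documents\plant.rdp
2022-04-14T10:00:12,ws-eng-07,C:\Users\dsmith\AppData\Local\Temp\svc.exe,D:\data\assets.accdb
2022-04-14T10:01:30,ws-eng-02,C:\Program Files\CATIA\CNEXT.exe,D:\cad\turbine\blade.catpart
2022-04-14T10:03:10,ws-eng-02,C:\Program Files\CATIA\CNEXT.exe,D:\cad\turbine\hub.catproduct
"""


def parse_events(text):
    """Parse the constructed CSV-style log into (timestamp, host, process, path), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, path = line.split(",", 3)
        events.append((datetime.fromisoformat(ts), host, proc, path))
    events.sort(key=lambda e: e[0])
    return events


def is_watched(path):
    """True if the file's extension is one Fendr is reported to collect."""
    return PureWindowsPath(path).suffix.lower() in FENDR_EXTENSIONS


def detect_bulk_collection(text, window=WINDOW, threshold=THRESHOLD):
    """Alert once per (host, process) that touches >= threshold distinct watched files within window."""
    recent = collections.defaultdict(collections.deque)  # (host, proc) -> deque of (ts, path)
    alerted = set()
    alerts = []
    for ts, host, proc, path in parse_events(text):
        if not is_watched(path):
            continue
        key = (host, proc)
        q = recent[key]
        q.append((ts, path))
        while q and ts - q[0][0] > window:  # expire events older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "host": host,
                "process": proc,
                "count": len(distinct),
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
                "files": sorted(distinct),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_collection(SAMPLE_LOG):
        print(f"{alert['host']} {alert['process']}: {alert['count']} watched files "
              f"between {alert['first_seen']} and {alert['last_seen']}")
```

The detector alerts on the first crossing of the threshold and then stays quiet for that process, so a real tool touching many design files over a working day does not page repeatedly; the interesting signal is a process launched from a temp directory sweeping design, database and RDP files in seconds. In production the watch list should be joined with process reputation and write destinations rather than used alone, since legitimate CAD and backup software also reads these files.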
Researchers at two US universities have found that the mute button in popular native video-conferencing apps fails to disable device microphones, and that these apps have the ability to access audio data while muted, or actually do so.
Google has released a Chrome update for Windows, Mac, and Linux, to fix a high-severity zero-day vulnerability, tracked as CVE-2022-1364, actively used by threat actors in attacks.
The United States government has issued an advisory for the malware toolkit dubbed Pipedream that cybercriminal groups could use to potentially target all critical infrastructure owners worldwide.
A vulnerability has been discovered in Apache Struts, which could allow for remote code execution. Apache Struts is an open-source framework used for building Java web applications.
The Conti ransomware operation has claimed responsibility for a cyberattack on wind turbine giant Nordex, which was forced to shut down IT systems and remote access to the managed turbines earlier this month.
The CERT-UA detected the new campaigns and attributed the IcedID phishing attack to the UAC-0041 threat cluster, previously connected with AgentTesla distribution, and the second to UAC-0097, a currently unknown actor.
The researcher discovered that the agent can be disabled by a local attacker with administrator privileges simply by modifying a registry key, leaving the endpoint exposed to attacks.
The United States has linked the North Korean hackers to the theft of hundreds of millions of dollars' worth of cryptocurrency tied to the popular online game Axie Infinity.
Documents and information from email accounts, private texts, and audio conversations from top executives of the federation, including president Luis Rubiales, have been stolen in recent months.
While the details remain sparse, Panasonic suffered another breach just six months after a high-profile attack—this time at Panasonic Canada. The Conti gang said it was behind the February attack that resulted in the theft of more than 2.8GB of data.
A critical vulnerability addressed in the Elementor WordPress plugin could allow authenticated users to upload arbitrary files to affected websites, potentially leading to code execution.
Segurança-Informatica published an analysis of a recent sample of SunnyDay ransomware. The work found some similarities between it and other ransomware samples such as Ever101, Medusa Locker, Curator, and Payment45.
The FBI has blamed hackers associated with the North Korean government for stealing more than $600 million in cryptocurrency last month from a video gaming company -- the latest in a string of audacious cyber heists tied to Pyongyang.
After breaching servers managed by the cybercriminals, security researchers found a connection between Conti ransomware and the recently emerged Karakurt data extortion group, showing that the two gangs are part of the same operation.
Asterisk suffers from a possible remote SQL injection vulnerability. Some databases can use backslashes to escape certain characters, such as backticks. If input is provided to func_odbc which includes backslashes it is possible for func_odbc to construct a broken SQL query and the SQL query to fail. Asterisk Open Source versions 16.x up to but not including 16.25.2, 18.x up to but not including 18.11.2, and 19.x up to but not including 19.3.2 are affected. Certified Asterisk versions 16.x up to but not including 16.8-cert14 are affected.
Asterisk suffers from a server-side request forgery vulnerability. When using STIR/SHAKEN, it is possible to send arbitrary requests like GET to interfaces such as localhost using the Identity header. Asterisk Open Source versions 16.15.0 up to but not including 16.25.2, 18.x up to but not including 18.11.2, and 19.x up to but not including 19.3.2 are affected.
When using STIR/SHAKEN in Asterisk, it is possible to download files that are not certificates. These files could be much larger than what you would expect to download. Asterisk Open Source versions 16.15.0 up to but not including 16.25.2, 18.x up to but not including 18.11.2, and 19.x up to but not including 19.3.2 are affected.
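The two STIR/SHAKEN advisories above share one trust boundary: the info= parameter of an incoming SIP Identity header (RFC 8224) is attacker-supplied, and the verifier fetches whatever it points at. The following is an added example, not Asterisk code, of the checks a fetcher should apply before and during that download: an allow-list on the URL (HTTPS only, no credentials, no loopback, private, link-local or otherwise internal hosts) and a hard size cap plus a format check on the body, so that neither an internal GET nor an oversized download gets through. The sample header, the 16 KiB limit and the PEM-only body check are assumptions made for illustration. The host check below only catches IP-literal hosts and the name "localhost"; a real implementation must also resolve DNS names and re-check the resolved address at connect time.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Assumption: a generous upper bound for a single certificate served from info=.
MAX_CERT_BYTES = 16 * 1024

# RFC 8224 syntax: ...;info=<https://host/path>;alg=ES256;ppt=shaken
INFO_RE = re.compile(r';\s*info=<([^>]+)>')

# Constructed sample: the PASSporT segments are placeholders, not a real signature.
SAMPLE_HEADER = ("eyJhbGciOiJFUzI1NiJ9.eyJvcmlnIjp7InRuIjoiMTIxNTU1NTEyMTIifX0.sig"
                 ";info=<https://cert.example.org/biloxi.cer>;alg=ES256;ppt=shaken")


def parse_info_url(identity_header):
    """Return the URL carried in the info= parameter, or None if absent."""
    m = INFO_RE.search(identity_header)
    return m.group(1) if m else None


def host_is_internal(host):
    """True for loopback, private, link-local and similar addresses given as IP literals."""
    if host.lower() in {"localhost", "localhost.localdomain"}:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: not decidable here; resolve and re-check before connecting.
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def is_allowed_cert_url(url):
    """Allow-list for the certificate URL: https, default port, no credentials, no internal host."""
    try:
        p = urlparse(url)
        port = p.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if p.scheme != "https" or not p.hostname:
        return False
    if p.username or p.password:
        return False
    if port not in (None, 443):  # assumption: repositories live on the default HTTPS port
        return False
    return not host_is_internal(p.hostname)


def accept_cert_body(data, limit=MAX_CERT_BYTES):
    """Reject bodies over the cap or that do not look like a PEM certificate (assumption: PEM)."""
    if len(data) > limit:
        return False
    return data.startswith(b"-----BEGIN CERTIFICATE-----")


def read_capped(stream, limit=MAX_CERT_BYTES):
    """Read at most limit bytes from a response stream; raise instead of buffering more."""
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise ValueError("certificate body exceeds %d bytes" % limit)
    return data


def vet_identity_header(identity_header):
    """Full pre-fetch decision: (True, url) if the info URL may be fetched, else (False, reason)."""
    url = parse_info_url(identity_header)
    if url is None:
        return False, "no info parameter"
    if not is_allowed_cert_url(url):
        return False, "info URL rejected: " + url
    return True, url


if __name__ == "__main__":
    for hdr in (SAMPLE_HEADER,
                SAMPLE_HEADER.replace("https://cert.example.org/biloxi.cer",
                                      "https://localhost:8088/ari/asterisk/info")):
        print(vet_identity_header(hdr))
```

The split into a URL check and a body check matters: the URL check stops the SSRF case before any connection is made, while the capped read and body check limit what an allowed but hostile repository can do with the response. Note that Content-Length cannot be trusted for the size check, which is why the reader counts bytes it actually receives.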
Red Hat Security Advisory 2022-1379-01 - Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation execution, and business optimization for solving planning problems. It automates business decisions and makes that logic available to the entire business. This asynchronous security patch is an update to Red Hat Decision Manager 7. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2022-1378-01 - Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services. This asynchronous security patch is an update to Red Hat Process Automation Manager 7. Issues addressed include a code execution vulnerability.
Cisco has released patches to contain a critical security vulnerability affecting the Wireless LAN Controller (WLC) that could be abused by an unauthenticated, remote attacker to take control of an affected system. Tracked as CVE-2022-20695, the issue has been rated 10 out of 10 for severity and enables an adversary to bypass authentication controls and log in to the device through the
Cloud computing and virtualization technology firm VMware on Thursday rolled out an update to resolve a critical security flaw in its Cloud Director product that could be weaponized to launch remote code execution attacks. The issue, assigned the identifier CVE-2022-22966, has a CVSS score of 9.1 out of a maximum of 10. VMware credited security researcher Jari Jääskelä with reporting the flaw.
Google on Thursday shipped emergency patches to address two security issues in its Chrome web browser, one of which it says is being actively exploited in the wild. Tracked as CVE-2022-1364, the tech giant described the high-severity bug as a case of type confusion in the V8 JavaScript engine. Clément Lecigne of Google's Threat Analysis Group has been credited with reporting the flaw on April 13
With the ongoing conflict in Eurasia, cyberwarfare is inevitably making its presence felt. The fight is not only being fought on the fields. There is also a big battle happening in cyberspace. Several cyber-attacks have been reported over the past months. Notably, cyber attacks backed by state actors are becoming prominent. There have been reports of a rise of ransomware and other malware
As many as five security vulnerabilities have been addressed in Aethon Tug hospital robots that could enable remote attackers to seize control of the devices and interfere with the timely distribution of medication and lab samples. "Successful exploitation of these vulnerabilities could cause a denial-of-service condition, allow full control of robot functions, or expose sensitive information,"
A crimeware-related threat actor known as Haskers Gang has released an information-stealing malware called ZingoStealer for free on, allowing other criminal groups to leverage the tool for nefarious purposes. "It features the ability to steal sensitive information from victims and can download additional malware to infected systems," Cisco Talos researchers Edmund Brumaghin and Vanja Svajcer