Information Security News | Cyber Security | Hacking Tutorial
https://www.securitynewspaper.com/
Information Security Newspaper | Infosec Articles | Hacking News
Feed last updated: Wed, 10 Jan 2024 16:46:46 +0000

Inside the Scam: How Ransomware Gangs Fool You with Data Deletion Lies!
https://www.securitynewspaper.com/2024/01/10/inside-the-scam-how-ransomware-gangs-fool-you-with-data-deletion-lies/
Wed, 10 Jan 2024 16:46:45 +0000

The post Inside the Scam: How Ransomware Gangs Fool You with Data Deletion Lies! appeared first on Information Security Newspaper | Hacking News.

Recently, there has been an emergence of a new scam targeting victims of ransomware attacks. This scam involves individuals or groups posing as “security researchers” or “ethical hackers,” offering to delete data stolen by ransomware attackers for a fee. The scam plays on the fears and vulnerabilities of organizations already compromised by ransomware attacks, such as those by the Royal and Akira ransomware gangs.

The modus operandi of these scammers is quite consistent and alarming. They approach organizations that have already been victimized by ransomware and offer a service to hack into the servers of the ransomware groups and delete the stolen data. This proposition typically comes with a significant fee, sometimes in the range of 1-5 Bitcoins (which could amount to about $190,000 to $220,000).

These scammers often use platforms like Tox Chat to communicate with their targets and may go by names like “Ethical Side Group” or use monikers such as “xanonymoux.” They tend to provide “proof” of access to the stolen data, which they claim is still on the attacker’s servers. In some instances, they accurately report the amount of data exfiltrated, giving their claims an air of credibility.

A notable aspect of this scam is that it adds an additional layer of extortion to the victims of ransomware. Not only do these victims have to contend with the initial ransomware attack and the associated costs, but they are also faced with the prospect of paying yet another party to ensure the safety of their data. This situation highlights the complexities and evolving nature of cyber threats, particularly in the context of ransomware.

Security experts and researchers, like those from Arctic Wolf, have observed and reported on these incidents, noting the similarities in the tactics and communication styles used by the scammers in different cases. However, there remains a great deal of uncertainty regarding the actual ability of these scammers to delete the stolen data, and their true intentions.

The Emerging Scam in Ransomware Attacks

1. The False Promise of Data Deletion

  • Ransomware gangs have been known not to always delete stolen data even after receiving payment. Victims are often misled into believing that paying the ransom will result in the deletion of their stolen data. However, there have been numerous instances where this has not been the case, leading to further exploitation.

2. Fake ‘Security Researcher’ Scams

  • A new scam involves individuals posing as security researchers, offering services to recover or delete exfiltrated data for a fee. These scammers target ransomware victims, often demanding payment in Bitcoin. This tactic adds another layer of deception and financial loss for the victims.

3. The Hack-Back Offers

  • Ransomware victims are now being targeted by fake hack-back offers. These offers promise to delete stolen victim data but are essentially scams designed to extort more money from the victims. This trend highlights the evolving nature of cyber threats and the need for greater awareness.

4. The Illogical Nature of Paying for Data Deletion

  • Paying to delete stolen data is considered an illogical and ineffective strategy. Once data is stolen, there is no guarantee that the cybercriminals will honor their word. The article argues that paying the ransom often leads to more harm than good.

5. The Role of Ransomware Groups

  • Some ransomware groups are involved in offering services to delete exfiltrated data for a fee. However, these offers are often scams, and there is no assurance that the data will be deleted after payment.

These scams underscore the critical importance of cybersecurity vigilance and the need for robust security measures to protect against ransomware and related cyber threats. They also highlight the difficult decisions facing organizations that fall victim to ransomware: whether to pay the ransom, how to handle stolen data, and how to respond to subsequent extortion attempts.

This new technique allows you to install ransomware and avoid EDR on any system
https://www.securitynewspaper.com/2023/10/20/new-virtual-machine-technique-allows-installing-ransomware-and-bypassing-edr/
Fri, 20 Oct 2023 21:15:53 +0000

BlackCat’s ransomware operators have recently introduced a new tool called “Munchkin,” enabling the propagation of BlackCat payloads to remote machines and shares within a victim’s network. This new tactic involves the use of a customized Alpine Virtual Machine (VM) to deploy the malware, a trend gaining traction amongst ransomware actors to bypass security solutions during malware deployments.

Here’s a detailed breakdown of the new VM Ransomware tactic adopted by BlackCat, based on discoveries made by Unit 42:

  1. Munchkin Utility Introduction:
    • The BlackCat operators announced updates to their toolkit, including a utility named Munchkin.
    • Munchkin facilitates the propagation of BlackCat payloads to remote machines and shares within a victim organization’s network.
    • The use of Munchkin marks a significant evolution in BlackCat’s ransomware-as-a-service (RaaS) business model, making it more potent and elusive to security measures.
  2. Customized Alpine VM Usage:
    • Munchkin is unique in its deployment, as it leverages a customized Alpine VM.
    • This VM tactic allows ransomware actors to bypass security solutions, as most security controls on the host OS have no introspection into the embedded virtualized OS.
    • Once the malware is deployed using the VM, it can execute without being interrupted by the security solutions on the host machine.
  3. Technical Execution:
    • The Munchkin utility is delivered as an ISO file that is loaded into a newly installed instance of the VirtualBox virtualization product; the ISO is a customized build of the Alpine OS.
    • When the operating system boots, specific commands change the root password of the VM to one chosen by the threat actors and open a new terminal session via the built-in tmux utility to execute the malware binary named controller. After execution completes, the VM is powered off.
    • Within the VM OS, notable files are hosted that play crucial roles in the malware’s operation, such as the Munchkin malware utility, serialized configuration file used by Munchkin, and a template BlackCat malware sample customized by Munchkin at runtime.
  4. Escalating Threat:
    • The use of VMs for malware deployment is an escalating trend in the ransomware community.
    • Other ransomware organizations have also been reported to leverage this new tactic, indicating a paradigm shift in how ransomware is deployed and managed across networks.
  5. Cybercrime Syndicate ALPHV/BlackCat:
    • The cybercrime syndicate ALPHV, also known as BlackCat, initiated this novel tool deployment.
    • This development underscores the continual evolution of tactics employed by the BlackCat syndicate, marking a significant step in its operational sophistication.
  6. Security Implications:
    • The evolution of BlackCat’s tactics, including the use of VMs, underscores a growing need for enhanced security measures to mitigate such advanced threats.
    • The Unit 42 researchers hope that shedding light on these tactics will motivate further efforts within the information security industry to better defend against this evolving threat.
  7. BlackCat’s Evolution:
    • Over time, BlackCat has evolved from using unobfuscated configurations to employing obfuscation mechanisms and command-line parameters for added security, illustrating its dynamic threat landscape.

The detailed elucidation of the Munchkin utility and its VM Ransomware tactic provides crucial insights into the advancing methodologies of BlackCat and similar ransomware operators. By understanding these evolving tactics, stakeholders in the cybersecurity domain can better prepare and defend against such sophisticated threats.

The FBI and other agencies have released Indicators of Compromise (IOCs) associated with the BlackCat/ALPHV ransomware, a Ransomware-as-a-Service (RaaS) entity that has reportedly compromised at least 60 entities worldwide. The specific IOCs were published in an FBI Flash report.

Indicators of Compromise (IOCs):

The Federal Bureau of Investigation (FBI) has outlined specific indicators of compromise (IOCs) pertaining to the BlackCat/ALPHV ransomware activities. Although the exact details were contained in an FBI Flash report, the overarching concern is the worldwide compromise of at least 60 entities through this Ransomware-as-a-Service (RaaS) model. These IOCs are critical for organizations to identify potential threats and take necessary mitigation steps to prevent or respond to ransomware attacks orchestrated by BlackCat/ALPHV. By understanding and monitoring for these IOCs, organizations can significantly enhance their cybersecurity posture against this evolving threat vector.

It’s advisable for organizations and cybersecurity professionals to review official advisories and reports from the FBI and other cybersecurity agencies to stay updated on the latest IOCs and mitigation strategies concerning BlackCat/ALPHV Ransomware and its new VM Ransomware tactic involving the Munchkin utility.

The IOCs released by authoritative bodies like the FBI provide a crucial roadmap for organizations to assess their networks for potential compromises and to bolster their defenses against the evolving tactics of BlackCat/ALPHV Ransomware, particularly with the introduction of the Munchkin utility and the new VM Ransomware tactic.

Silent Predator Unveiled: Decoding WebWyrm Stealthy Malware affecting 50 countries
https://www.securitynewspaper.com/2023/10/09/silent-predator-unveiled-decoding-webwyrm-stealthy-malware-affecting-50-countries/
Tue, 10 Oct 2023 00:18:49 +0000

Deciphering Webwyrm: An In-Depth Analysis of the Pervasive Malware Threatening Global Cybersecurity

In the intricate landscape of global cybersecurity, Webwyrm malware has surfaced as a formidable adversary, casting its ominous shadow across 50 nations and leaving in its wake over 100,000 compromised victims. This insidious digital menace successfully emulates in excess of 1000 reputable companies globally, with the ensuing potential financial fallout estimated to surpass a staggering $100 million. It is imperative for cybersecurity professionals and organizations alike to comprehend the multifaceted nature of this threat to devise and implement robust defensive strategies effectively.

The Evolutionary Trajectory of Webwyrm

In the dynamic realm of cyber threats, malicious actors incessantly refine their Tactics, Techniques, and Procedures (TTPs), exploiting extant vulnerabilities and augmenting the efficacy of their malicious campaigns. Webwyrm epitomizes this relentless pursuit of evolution, embodying a level of sophistication reminiscent of infamous cyber threats of yore, such as the notorious ‘Blue Whale Challenge.’

Refined Modus Operandi

WebWyrm malware orchestrates a complex, deceptive narrative aimed at duping unsuspecting job seekers into relinquishing their cryptocurrency. Initiating contact predominantly via WhatsApp, the malefactors likely leverage data procured from employment portals to pinpoint and engage individuals predisposed to their deceptive overtures. Prospective victims are enticed with promises of lucrative weekly remuneration, ranging between $1200 and $1500, contingent upon the completion of daily task “packets” or “resets.”

Upon transferring funds into designated cryptocurrency wallets, victims are led to believe that the completion of tasks results in monetary withdrawals from their accounts, which are subsequently returned along with additional commissions. The introduction of “combo tasks” promises substantial financial returns but necessitates a more considerable investment. However, the caveat is that these returns are accessible only upon the sequential completion of all combo tasks, with each task demanding a progressively larger investment.

Campaign Enablers: Technical Insights

WebWyrm’s campaign is characterized by its sophistication, adaptability, and elusive operational framework. The initiative employs dedicated personnel engaging with victims via various platforms, thereby lending an aura of legitimacy and support to their endeavors. The orchestrators have meticulously crafted approximately 6000 counterfeit websites, directing victims to register their accounts. These platforms are expertly designed to mimic legitimate enterprises, with a keen focus on geo-targeting and associated contact numbers reflecting the respective victim’s geographical location.

Moreover, the malefactors astutely navigate the ephemeral nature of their infrastructure, allocating specific IP addresses or Autonomous System Numbers (ASNs) to host counterfeit domains for limited durations. This modus operandi facilitates operational continuity and anonymity, allowing for a swift transition to alternative infrastructure in response to potential threats, thereby effectively circumventing detection mechanisms.

Industries in the Crosshairs

Webwyrm has indiscriminately targeted a plethora of industries, including:

  • IT Services
  • Software Development
  • Mobile App Development
  • User Experience Design
  • Digital Marketing
  • Web Development
  • SEO
  • E-Commerce

Defensive Countermeasures

Effective defense against Webwyrm necessitates the adoption of several countermeasures:

  • Origin Tracing of Malefactors via Employment Portals
  • Collaborative Defensive Initiatives
  • Deployment of Rapid Response Teams
  • Implementation of Domain Blacklisting Protocols
  • Asset Seizure
  • Launch of Educational Awareness Campaigns

With the incorporation of these enhanced technical insights, it becomes abundantly clear that WebWyrm represents a meticulously orchestrated, sophisticated operation with the singular aim of exploiting job seekers. The nuanced understanding of potential victims, coupled with a highly adaptive and elusive infrastructure, renders this a significant threat warranting coordinated, informed countermeasures to safeguard potential victims. Awareness, education, and the proactive deployment of defense mechanisms are pivotal in mitigating the risks associated with the WebWyrm malware campaign.

How MGM Resorts lost $100 million as a result of a simple vishing call
https://www.securitynewspaper.com/2023/10/06/how-mgm-resorts-lost-100-million-as-a-result-of-a-simple-vishing-call/
Fri, 06 Oct 2023 17:19:35 +0000

Cyberattack on MGM Resorts: A Financial Debacle

MGM Resorts encountered a devastating cyberattack recently, incurring an approximate financial setback of $100 million. Unveiled on September 11, this digital attack led to the temporary shutdown of multiple systems within MGM’s various properties, disrupting operations and inflicting significant monetary losses.

Details of the Attack

The digital onslaught on MGM Resorts wasn’t confined to a single property but spread across its flagship resort and other prestigious properties like Mandalay Bay, Bellagio, The Cosmopolitan, and Aria. The cybercriminals managed to disrupt a range of operations, from the functioning of slot machines and the systems overseeing restaurant management to the technology behind room key cards. Despite the containment efforts by MGM, the attackers successfully exfiltrated a diverse set of customer data, including but not limited to names, addresses, phone numbers, driver’s license numbers, Social Security numbers, and passport details. Fortunately, credit card details remained secure and unaffected.

Economic Fallout

The cyber intrusion had a profound economic impact on MGM Resorts, with losses estimated around $100 million. This financial blow is anticipated to ripple through the earnings of the third and fourth fiscal quarters. However, MGM remains optimistic, projecting a 93% occupancy rate in October and planning for a complete operational recovery in Las Vegas by November. Expenses related to the cyberattack, including consultancy fees, legal services, and other related costs, amounted to less than $10 million.

Compromise of Customer Data

A vast array of customer data, from Social Security numbers to passport details, was pilfered during the cyber attack. The total count of individuals affected by this breach remains uncertain as MGM has not issued any comments on this matter. Proactive measures have been initiated by MGM Resorts to assist the victims of this data breach, including the establishment of dedicated phone lines and informational websites. The company also intends to reach out to the affected individuals via email, extending offers for identity protection services.

Identity of the Attackers

Initially, the cyberattack was attributed to hackers affiliated with a group known as Scattered Spider. This group later joined forces with a Russian ransomware collective known as Black Cat/AlphV. Scattered Spider has a notorious reputation, being implicated in several major cyberattacks over the past year, targeting entities like Reddit, Riot Games, Coinbase, and even another major player in the casino industry, Caesars Entertainment.

Recovery and Response

In response to the cyberattack, MGM Resorts took immediate action by shutting down all its systems to thwart further unauthorized access to customer data. Since these initial countermeasures, the company’s domestic properties have seen a return to normalcy in operations, with the majority of systems that interact with guests being restored. Efforts are ongoing to bring the remaining affected systems back online, with full restoration anticipated in the near future.

Conclusion and Future Implications

The cyberattack experienced by MGM Resorts highlights the substantial risks and potential financial damages associated with digital security breaches in the hospitality sector. With the compromise of sensitive customer information and the incurrence of hefty financial losses, this incident serves as a stark reminder for all businesses in the industry to bolster their cybersecurity infrastructure to safeguard against future digital threats. The episode underscores the imperative for continuous investments in state-of-the-art cybersecurity mechanisms and protocols to preemptively mitigate the risks of future cyber-attacks and protect sensitive customer data.

Sony Corporation hacked by ransomware, PS5 lovers worried
https://www.securitynewspaper.com/2023/09/26/sony-corporation-hacked-by-ransomware-ps5-lovers-worried/
Tue, 26 Sep 2023 19:27:58 +0000

The notorious ransomware organization known as RANSOMEDVC has made the brazen claim that it succeeded in breaching the defenses of the Japanese multinational conglomerate Sony Corporation. The claim was made through listings on both its clearnet and dark web platforms, where the group declared its complete infiltration of all Sony systems.

The gang responsible for the ransomware made a statement claiming that it had “successfully compromised all of Sony’s systems.” The RANSOMEDVC ransomware gang has adopted a strategy distinct from the traditional ransomware approach of locking the victim’s systems, disrupting IT operations, and demanding payment in exchange for the decryption key. Instead of demanding a ransom, the group has announced its intention to monetize the stolen material, citing Sony’s apparent unwillingness to cooperate with its demands. An examination of the sample data made available on the websites maintained by RANSOMEDVC provides very limited insight. Among the materials that have been compromised is a PowerPoint presentation said to have originated from Sony’s Quality Assurance Division, as well as internal screenshots that appear to show a Sony workstation, Java files, and other data. For background, the RANSOMEDVC ransomware gang has been active since at least 2023 and has become notorious for its aggressive methods, which include threatening victims with the disclosure of sensitive data if ransom demands are not met.

Notably, the RANSOMEDVC gang has been tied to a number of high-profile cyberattacks, one of which occurred in September 2023 and targeted the website of the Hawaiian government. Their objectives extend across a wide range of industries, including the medical field, the business world, and the technological sphere. The assertions made by the ransomware gang known as RANSOMEDVC have been made only a few days after the FBI and CISA issued a joint alert about the dangers presented by another ransomware group known as Snatch Ransomware. The severity and breadth of the ransomware threat are both brought into sharper focus by this development.

On the other hand, Sony has proven to be a valuable target for hackers owing to its worldwide popularity and global user base. Sony was previously the victim of a large and extensive data breach in which hackers disclosed the personal data and income information of executives and staff working for Sony Group.

In February of 2021, the authorities in the United States of America filed charges against three North Korean hackers in connection with a series of cyberattacks, one of which was their participation in the hacking of Sony Pictures.

Despite this, the recent appearance of the RANSOMEDVC gang highlights the widespread danger that ransomware poses to businesses of all sizes. As a result of this, it is very necessary for companies to have all-encompassing cybersecurity policies in order to protect themselves against attacks of this kind.

Shutterfly photography and image sharing company hacked by ransomware
https://www.securitynewspaper.com/2023/07/14/shutterfly-photography-and-image-sharing-company-hacked-by-ransomware/
Fri, 14 Jul 2023 19:19:22 +0000

Photography services provider Shutterfly is one of the most recent companies to fall prey to the Clop ransomware, although the company insists that consumer and staff data are not at risk. Clop ransomware operators have exploited critical vulnerabilities in the widely used MOVEit file transfer application to gain access to the computer networks of hundreds of businesses, many of which are leaders in their respective sectors.

The massive photographic provider Shutterfly, which has its headquarters in California, has become the most recent victim of the data leak site run by Clop. The firm runs a number of other brands in addition to Shutterfly.com. Some examples of these brands are Spoonflower, Snapfish, Lifetouch, and Shutterfly Business Solutions (SBS).

This week, the Clop ransomware group published a blog in which they claimed that “the company does not care about its customers [and] it ignored their security!!!.”

However, in a statement, a spokeswoman for Shutterfly strongly disagreed with this assessment.

“Shutterfly can confirm that it was one of the several firms that were vulnerable due to the MOVEit flaw. According to the individual who talked with the cybernews site, the enterprise business section of Shutterfly known as Shutterfly Business Solutions (SBS) has utilized the MOVEit platform for part of its operations.

“As soon as the company became aware of the vulnerability at the beginning of June, they moved quickly to take action. They immediately took the relevant systems offline, implemented patches that were provided by MOVEit, and started a forensics review of certain systems with the assistance of leading forensic firms.”

“After conducting an in-depth investigation with the assistance of a leading third-party forensics firm, we have no indication that any Shutterfly.com, Snapfish, Lifetouch, nor Spoonflower consumer data or any employee information was impacted by the MOVEit vulnerability,” the spokesman said. “Shutterfly.com, Snapfish, Lifetouch, nor Spoonflower consumer data was also not impacted by the MOVEit vulnerability.”

It is not obvious what information Clop intends to use in order to blackmail the photography giant. If Shutterfly has determined that customer data is secure, then the only thing Clop may be able to use as leverage is intellectual property, provided that it managed to obtain anything at all. Every week, the number of businesses whose systems have been compromised by Clop because of unpatched MOVEit instances increases. The developer of MOVEit, Progress Software, issued a warning in June that its file transfer platform contained a total of three vulnerabilities that malicious actors could take advantage of. The firm has made multiple resources available to IT administrators in order to thwart these threats.

335,000 Fortinet FortiGate firewalls used in the world could be hacked to install ransomware
https://www.securitynewspaper.com/2023/07/05/335000-fortinet-fortigate-firewalls-used-in-the-world-could-be-hacked-to-install-ransomware/
Wed, 05 Jul 2023 20:18:34 +0000

The security experts at Bishop Fox have identified a major issue in several FortiGate firewalls, tracked as CVE-2023-27997. This flaw puts the firewalls at risk despite a recent security patch released by Fortinet.

This bug, an RCE (Remote Code Execution) flaw, is located in FortiOS, the operating system underlying Fortinet’s Security Fabric. The vulnerability received a severity score of 9.8 out of 10 and is caused by a heap-based buffer overflow in FortiOS. There are around 490,000 SSL VPN interfaces exposed on the internet that are vulnerable, and roughly 69% of them have not been patched.

The exploit of this flaw may be used to do the following things:

Breaks the heap
Establishes a connection to the attacker’s server
Downloads BusyBox binary
Opens an interactive shell

On a 64-bit system, the exploit may be executed in a single second, which is far faster than the pace shown in the example video. Researchers were able to locate machines with accessible SSL VPN ports with the assistance of the Shodan search engine.

By searching for appliances that had specified HTTP response headers, they were able to find machines that redirected to ‘/remote/login,’ which indicated that an exposed SSL VPN interface was present.

The 489,337 devices returned by the query were vulnerable to Xortigate (CVE-2023-27997) to varying degrees. After further examination, it was found that 153,414 appliances had been upgraded to a more secure version of FortiOS.

The previous estimate of 250,000 vulnerable FortiGate firewalls generated from less trustworthy inquiries has been surpassed by the new figure of about 335,900 vulnerable web-accessible FortiGate firewalls.

The proof-of-concept exploit code for critical-severity issues is accessible to the public, which makes the devices in question susceptible to attack. At this time, the only solution that can be used is “Disable SSL-VPN.”

To protect important assets, it is highly advised that critical vulnerabilities be patched as soon as possible, especially those with proven exploitation. This vulnerability, CVE-2023-27997, may result in data breaches, ransomware attacks, and other severe repercussions.

In the list that follows, you will find all of the products that are impacted by this:

Big German university shuts down every computer on campus after ransomware attack
https://www.securitynewspaper.com/2023/06/13/big-german-university-shuts-down-evry-computer-on-campus-after-ransomware-attack/
Tue, 13 Jun 2023 14:42:00 +0000

Following incidents that have affected at least half a dozen comparable institutions in recent months, the Kaiserslautern University of Applied Sciences (HS Kaiserslautern) has become the latest German-speaking university to be targeted by a ransomware attack. HS Kaiserslautern is one of the major applied science universities in the state of Rhineland-Palatinate, in western Germany. About 6,200 students attend the institution, and nearly every facility and service provided to them has been disrupted. According to a statement released by the institution, all university facilities, including computer labs and even the library, will “remain closed until further notice.”

Because this is an encryption attack that may also have reached staff workstations, students and staff have been cautioned not to turn on any of their work computers. On Friday, the university used an emergency webpage to report the issue and say that its “entire IT infrastructure” had been knocked down, including university email accounts and the telephone system.


It is not obvious who the offenders are, nor is it clear if information was taken from the university’s systems as part of a sophisticated extortion effort before the hackers tried to encrypt them. Moreover, it is unknown whether the hackers were successful in encrypting the material.

Insurance companies can’t deny Ransomware attack payment, citing “Acts of War” clause
https://www.securitynewspaper.com/2023/05/03/insurance-companies-cant-deny-ransomware-attack-payment-citing-acts-of-war-clause/
Wed, 03 May 2023 22:41:18 +0000

In a cyberattack coverage dispute involving $1.4 billion, an appeals court in New Jersey issued a ruling with the potential to set a precedent in favor of Merck & Co. Inc. The court held that a group of insurers cannot invoke a war exclusion as a basis to deny Merck coverage for the cyberattack that occurred in 2017. The NotPetya attack caused widespread disruption to computer networks throughout the globe, and thousands of machines owned by Merck were affected.

Merck’s $1.75 billion all-risk insurance policy with Ace American included coverage for events that led to the loss of software data. However, the insurer did not pay out, citing an “Acts of War” exclusion clause, on the grounds that NotPetya was a Russian-backed cyberattack against Ukrainian entities. The clause appears in the majority of insurance contracts, but Merck maintained that the exclusion did not apply because the losses it incurred were not connected to military activity. The court sided with Merck and decided that the NotPetya cyberattack did not constitute any kind of military action, so coverage cannot be denied under the pretext of a warlike conduct exclusion.

According to the decision, “coverage could only be excluded in this circumstance if we stretched the meaning of ‘hostile’ to its outer limit in an attempt to apply it to a cyberattack on a noncombatant firm that provided accounting software updates to various noncombatant customers, all wholly outside of the context of any armed conflict or military objective.”

The opinion went on to say that “but that approach would conflict with our fundamental construction principles that require a court to narrowly construe an insurance policy exclusion.” In an exclusion, the particular, plain, clear and conspicuous meaning of a word or phrase, together with its clear import and purpose, is not its widest possible interpretation; it is its narrowest.

The lawsuit originated as a result of the consequences that Merck experienced as a result of the NotPetya catastrophe. According to the complaint, “within 90 seconds of the initial infection, approximately 10,000 machines in Merck’s global network were infected,” and within five minutes, nearly 20,000 additional machines were infected with the malicious software. More than 40,000 computers across the pharmaceutical company’s global network were compromised by the virus.

The corporation is reported to have incurred losses of $1.4 billion due to interruptions in production and manufacturing, costs paid to third-party cyber firms, and the expense to replace each system that was adversely affected.

At the time of the attack, Merck had a $1.75 billion all-risk policy with Ace American. One of the policy’s provisions was coverage for incidents that resulted in the loss of software data. However, the insurer did not pay out, citing an “Acts of War” exclusion clause, on the grounds that NotPetya was a Russian-backed cyberattack against Ukrainian entities.

The phrase is included in the vast majority of insurance plans; nevertheless, Merck maintained that the exclusion did not apply to its situation since the effects it endured were not the result of a cyberattack launched by a nation-state.

In the original complaint Merck filed in August 2018, it argued that the exclusion provision did not apply to cyber-related incidents and covered only attacks officially sanctioned by a government.

A judgement handed down by the New Jersey Superior Court in December 2021 ruled against Ace American and “unhesitatingly” granted Merck’s motion for partial summary judgment. The court concluded that the hostile/warlike action exclusion did not apply to limit coverage for Merck’s NotPetya losses. The insurer then appealed, arguing that the lower court had erred in its decision.

The argument in favor of Merck stated that in order to guarantee adequate insurance coverage, “accepting the insurers’ interpretation of the hostile/warlike exclusion would operate to change the settled meaning of war exclusions and… also threaten to undo the policy interpretation rules that local governments have historically relied upon.”

The judgement that was handed down this week puts an end to a protracted legal struggle and mandates that Ace American pay the losses that were sustained by Merck.

This ruling is being hailed as a significant win for businesses that are pursuing claims for cyberattacks, particularly given that hackers tied to hostile nation-states have ramped up supply chain attacks, ransomware and other destructive activity. The judgement is expected to make it simpler for businesses to have their claims paid when a forensic examination ties a state-linked actor to an attack. The ruling should also benefit the insurance sector as a whole by motivating insurers to at least review their policies and update them with appropriate exclusions, to keep pace with the complicated and evolving cyber landscape.

New famous all in one malware and hacking tool among cyber criminals: EvilExtractor
https://www.securitynewspaper.com/2023/04/24/new-famous-all-in-one-malware-and-hacking-tool-among-cyber-criminals-evilextractor/
Tue, 25 Apr 2023 00:23:25 +0000

EvilExtractor is an attack tool that is meant to target Windows operating systems to extract data and files from endpoint devices. EvilExtractor is also occasionally written Evil Extractor. It comes with a number of modules, all of which operate over an FTP service. It was created by a firm known as Kodex, and according to the company, it may be used as a teaching tool. However, research carried out by FortiGuard Labs demonstrates that fraudsters are actively using it as a means of information theft.

According to data collected on the sources of traffic to the site evilextractor[.]com, malicious activity rose considerably in March 2023. On March 30th, researchers discovered the malware in a phishing email campaign and were able to trace it back to these samples. Typically, it arrives disguised as a legitimate file, such as an Adobe PDF or a Dropbox file, but as soon as it is opened it uses PowerShell to carry out malicious operations. It also includes environment checks and virtual machine detection. Its main function appears to be collecting browser data and information from compromised endpoints, which it then sends to an FTP server controlled by the attacker.


The researchers saw an increase in the number of attacks that disseminated the virus in the month of March 2023. The majority of infections were recorded in the United States and Europe.

An individual who uses the alias Kodex online is the one who advertises and sells the tool on cybercrime message boards. The program’s creator first made it available in October 2022 and is continually expanding its capabilities by adding new modules that come equipped with advanced capabilities.

The malicious software has the ability to steal sensitive data from the infected endpoint, such as the browser history, passwords, cookies, and more. Additionally, the malicious software is able to record keystrokes, activate the camera, and take screenshots. The specialists have discovered that the malware also has a ransomware function that is known as “Kodex Ransomware.”

The security analysts discovered a phishing effort that included a malicious attachment in the form of a PDF file that was disguised as a request to confirm an existing account. The perpetrator of the attack gets the victim to open the attachment by tricking them into clicking on the PDF icon.

EvilExtractor has been found in use as a complete information stealer with numerous harmful capabilities, including ransomware. Its PowerShell script can evade detection when run through a .NET loader or PyArmor. Within a relatively short period, its creator has improved its reliability and updated a number of its functions. The researchers’ report demonstrates how threat actors initiate an attack using phishing mail and identifies the files used to extract the EvilExtractor PowerShell script. It also covers the available functions, the kinds of information EvilExtractor can gather, and how the Kodex Ransomware operates. Users need to be aware of this new information stealer and should continue to exercise extreme caution with e-mails that seem suspicious.

Found Grixba & VSS Copying tools in network? Means your network will be hacked soon by ransomware
https://www.securitynewspaper.com/2023/04/20/found-grixba-vss-copying-tools-in-network-means-your-network-will-be-hacked-soon-by-ransomware/
Thu, 20 Apr 2023 22:55:27 +0000

Since its release in June 2022, the Play ransomware, commonly referred to as PlayCrypt, which is being developed by a group called Balloonfly, has been responsible for a number of attacks that have received significant media attention. Play, much like the majority of other ransomware gangs today, engages in double-extortion attacks. In these attacks, the attackers first remove data from the target networks before encrypting the data. Initially, the ransomware group targeted businesses located in Latin America, with a particular emphasis on Brazil; however, they quickly expanded their scope of attack.

Play is notorious for exploiting a variety of vulnerabilities, including those found in Microsoft Exchange (CVE-2022-41080 and CVE-2022-41082), in order to achieve remote code execution (RCE) and enter victim networks. The gang was also one of the first ransomware groups to use intermittent encryption, a method that enables victims’ computers to be encrypted more quickly. The strategy involves encrypting only a portion of the content of the files that are being targeted, which would still prevent the data from being retrieved.

The Play ransomware gang is using two new, custom-built tools that give it the ability to enumerate all users and machines on a compromised network and to copy data from Volume Shadow Copy Service (VSS) snapshots, which the operating system ordinarily locks. Both tools were created by the Play ransomware organization.

Grixba
Grixba (Infostealer.Grixba) was the first tool discovered by researchers at Symantec. Grixba is a network-scanning program that is used to enumerate all of the users and machines that are part of the domain.

Threat actors enumerate software and services using WMI, WinRM, Remote Registry and Remote Services, with the help of the .NET infostealer. The malware checks for the presence of backup and security software, remote administration tools and other applications. The information gathered is saved in CSV files and packed into a ZIP file, which the threat actors later exfiltrate manually.

The Play ransomware group used the popular .NET tool Costura to build Grixba. Costura lets developers incorporate all of an application’s dependencies into a single executable file, so the program and its dependencies no longer need to be deployed separately, which makes the application much simpler to distribute and deploy. Costura embeds into programs the DLL file costura.commandline.dll, which Grixba uses for command line parsing.

The VSS Copying Tool
The Play ransomware group was also recently seen using another .NET executable, which, like Grixba, was built with the Costura tool.

Thanks to Costura, the executable has the AlphaVSS library built in. AlphaVSS, built on top of the .NET Framework, provides a high-level interface to VSS: a set of managed application programming interfaces (APIs) that make it simpler for .NET applications to communicate with VSS. These APIs let developers create, manage and remove shadow copies, and access information about existing shadow copies such as their size and status.

AlphaVSS is used by the program that was developed by the operators of the Play ransomware in order to copy files from VSS snapshots. The utility will go through all of the files and folders that are contained inside a VSS snapshot and then copy them to a target directory. Before the encryption takes place, the program gives the attackers the ability to copy data from VSS volumes that are located on compromised workstations. This gives the threat actors the ability to copy files that the operating system would ordinarily prevent them from copying.
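Because both Play tools are Costura-bundled .NET executables, one practical hunting check is to look for Costura’s embedded-assembly resource names inside a binary and flag any bundle that carries AlphaVSS, which a general-purpose administrative tool rarely has reason to ship. The following is an added example, not code from the article or from Symantec; it relies on Costura’s resource naming convention (a “costura.” prefix on each embedded assembly, with a “.compressed” suffix when the payload is compressed), and the byte strings it scans are constructed stand-ins for file contents.

```python
# Added example (not from the article or Symantec): scan a file image for the
# resource names Costura uses when it embeds assemblies and report whether any
# embedded assembly belongs to AlphaVSS. The byte strings below are constructed.
import re
from typing import Dict, List

# Costura names each embedded assembly resource "costura.<assembly>.dll",
# appending ".compressed" when the payload is compressed.
COSTURA_RESOURCE = re.compile(rb"costura\.([A-Za-z0-9_.-]+?\.dll)(\.compressed)?")


def costura_embedded_assemblies(data: bytes) -> List[str]:
    """Distinct assembly names embedded via Costura, in order of first appearance."""
    seen: List[str] = []
    for match in COSTURA_RESOURCE.finditer(data):
        name = match.group(1).decode("ascii")
        if name not in seen:
            seen.append(name)
    return seen


def assess_costura_binary(data: bytes) -> Dict[str, object]:
    """Summarise Costura indicators: embedded assemblies and AlphaVSS presence."""
    embedded = costura_embedded_assemblies(data)
    return {
        "costura_packed": bool(embedded),
        "embedded": embedded,
        "uses_alphavss": any(n.lower().startswith("alphavss") for n in embedded),
    }


# Constructed stand-ins for file contents; a real file would be read with
# open(path, "rb").read(). The assembly names mirror the article's description
# of a Costura bundle carrying AlphaVSS and costura.commandline.dll.
SAMPLE_VSS_TOOL = (b"\x00" * 16
                   + b"costura.AlphaVSS.Common.dll.compressed\x00"
                   + b"costura.costura.commandline.dll\x00"
                   + b"costura.AlphaVSS.Common.dll.compressed\x00")
SAMPLE_BENIGN = b"MZ\x90\x00" + b"\x00" * 32 + b"This program cannot be run in DOS mode"

if __name__ == "__main__":
    print(assess_costura_binary(SAMPLE_VSS_TOOL))
```

A Costura bundle on its own is not malicious (it is a common packaging choice), so the AlphaVSS flag is the part worth alerting on; treat a hit as a lead for hash lookup and signature checks rather than as a verdict.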

Ransomware gangs are increasingly turning to the use of bespoke tools since these tools can be adapted to the surroundings of individual targets, hence making ransomware assaults both quicker and more effective. Ransomware groups preserve a competitive edge and increase their earnings by guarding the confidentiality of their own tools and limiting access to them.

How to use “bring your own vulnerable driver” (BYOVD) technique to kill/evade Antivirus or EDR
https://www.securitynewspaper.com/2023/04/19/how-to-use-bring-your-own-vulnerable-driver-byovd-technique-to-kill-evade-antivirus-or-edr/
Thu, 20 Apr 2023 01:55:30 +0000

Threat actors have been relying on exploitable drivers an increasing amount in order to circumvent security measures. Drivers are low-level system components that provide access to important security structures stored in the memory of the kernel. Before allowing kernel-mode drivers to function, Windows utilizes a security technique by the name of Driver Signature Enforcement. This mechanism guarantees that the drivers have been digitally signed by a legitimate code signing authority before Windows would allow the drivers to operate. This signature acts as a trust mark to validate the authenticity of the program and to safeguard the user’s system from any potential vulnerabilities.

To get around this safeguard, attackers must either obtain a malicious driver signed with a trusted certificate, which is very difficult, or mount a BYOVD attack, in which they abuse a legitimate, signed commercial driver that is out of date and exploitable. The latter is what the malware does here; a “bring your own vulnerable driver” (BYOVD) attack is the usual name for this kind of attack.

In this particular instance, the attackers made use of a driver that was not only developed by Microsoft but also signed by the company. The Sysinternals team maintains a suite of administrative tools, one of which is Process Explorer; its driver has a number of features that let users interact with running processes.

Sophos X-Ops has investigated many incidents over the previous few months, all of which involved attackers attempting to disable EDR clients with a novel defense evasion tool that Sophos has named AuKill. To disable EDR processes on the target machine before installing either a backdoor or ransomware, AuKill makes use of an outdated version of the driver shipped with version 16.32 of Microsoft’s Process Explorer.

Since the beginning of 2023, the tool has been used in at least three ransomware instances in order to thwart the target’s protection and install ransomware. These events are as follows: In January and February, attackers utilized the program after delivering the ransomware known as Medusa Locker; in February, one attacker used AuKill just before releasing the malware known as Lockbit.

When AuKill runs, it drops a driver named PROCEXP.SYS into the C:\Windows\System32\drivers directory. This driver comes from release 16.32 of Process Explorer. The official, current Process Explorer driver has the filename PROCEXP152.sys and is often located in the same directory as the dropped driver; both drivers may be installed on a computer at the same time if that computer runs a copy of Process Explorer. The AuKill installer also places a copy of its own executable in either the System32 or the TEMP directory, where it runs automatically as a background service.

For instance, user-mode programs may send the IO control code IOCTL_CLOSE_HANDLE to the driver, which instructs the driver to shut a protected process handle, which ultimately results in the process being terminated.

For an attacker to successfully exploit this process, administrator rights on the target machine are required. When an attacker succeeds in gaining administrator rights, it normally indicates that the attacker now has complete control over the computer.

To get past such security measures, attackers need to go one step further and load a driver in kernel mode. In this instance, AuKill does so by exploiting a valid driver used by Process Explorer.

In most cases, an EDR client is made up of several components that cooperate with one another, for example a running process or an installed service, each with its own capabilities. If one of them freezes or shuts down, it usually restarts as quickly as it can.

AuKill starts several threads to make sure the EDR processes and services do not become active again, which prevents these components from restarting. Each thread focuses on a particular component and continually checks whether the processes or services it targets are active; if any of them are, AuKill disables or terminates them.

The practice of disabling EDR clients with drivers, whether the drivers are valid but abused for malicious purposes (BYOVD) or signed with a certificate that was stolen or leaked, remains common among adversaries who want to deactivate protection systems.
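The two host artefacts the article attributes to AuKill, an outdated Process Explorer driver dropped as PROCEXP.SYS next to the current PROCEXP152.sys, and a background service whose executable lives in the TEMP directory, are concrete enough to hunt for in an endpoint inventory. The following is an added example, not code from the article or from Sophos; it runs a constructed inventory (driver file paths plus installed services) against those two indicators and returns findings rather than verdicts.

```python
# Added example (not from the article or Sophos): hunt an endpoint inventory for
# the AuKill artefacts the article describes. The inventory below is constructed.
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Tuple

DRIVERS_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")
DROPPED_DRIVER_NAME = "procexp.sys"      # outdated driver from Process Explorer 16.32
CURRENT_DRIVER_NAME = "procexp152.sys"   # current, legitimate Process Explorer driver


@dataclass
class Service:
    name: str
    binary_path: str


def find_dropped_procexp_driver(driver_files: List[str]) -> List[str]:
    """Paths named PROCEXP.SYS inside the drivers directory (case-insensitive)."""
    hits: List[str] = []
    for raw in driver_files:
        path = PureWindowsPath(raw)
        if (path.name.lower() == DROPPED_DRIVER_NAME
                and str(path.parent).lower() == str(DRIVERS_DIR).lower()):
            hits.append(raw)
    return hits


def find_services_in_temp(services: List[Service]) -> List[Service]:
    """Services whose executable sits under any directory component named Temp."""
    return [svc for svc in services
            if any(part.lower() == "temp"
                   for part in PureWindowsPath(svc.binary_path).parts)]


def hunt_aukill_artifacts(driver_files: List[str],
                          services: List[Service]) -> List[Tuple[str, str]]:
    """Return (indicator, detail) findings; an empty list means nothing matched."""
    findings: List[Tuple[str, str]] = []
    for path in find_dropped_procexp_driver(driver_files):
        findings.append(("outdated_procexp_driver", path))
    for svc in find_services_in_temp(services):
        findings.append(("service_running_from_temp", f"{svc.name}: {svc.binary_path}"))
    # The article also says the installer may drop itself into System32. A path
    # rule cannot separate that from legitimate services, so that case needs
    # binary verification (signature, hash) rather than a path check.
    return findings


# Constructed sample inventory for one host (not real data).
SAMPLE_DRIVER_FILES = [
    r"C:\Windows\System32\drivers\PROCEXP152.sys",  # legitimate, current driver
    r"C:\Windows\System32\drivers\PROCEXP.SYS",     # outdated driver dropped by AuKill
    r"C:\Windows\System32\drivers\tcpip.sys",
]
SAMPLE_SERVICES = [
    Service("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    Service("svchelper", r"C:\Users\alice\AppData\Local\Temp\svchelper.exe"),
]

if __name__ == "__main__":
    for indicator, detail in hunt_aukill_artifacts(SAMPLE_DRIVER_FILES, SAMPLE_SERVICES):
        print(f"{indicator}: {detail}")
```

The presence of PROCEXP152.sys is not a finding, since it is the driver a legitimate Process Explorer installs; the rule fires only on the older PROCEXP.SYS name in the drivers directory, and a service started from a Temp path is reported separately because that placement is unusual for legitimate software regardless of AuKill.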

Over the course of the previous year, members of the security community documented many situations in which drivers were used as weapons for nefarious reasons. The finding of such a tool lends credence to the theory that adversaries are continually working to weaponize drivers.
