Posts

Hello Kitty Ransomware Group Exploiting Apache ActiveMQ Vulnerability

Image
Cybersecurity researchers are warning of suspected exploitation of a recently disclosed critical security flaw in the Apache ActiveMQ open-source message broker service that could result in remote code execution. "In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations," cybersecurity firm Rapid7  disclosed  in a report published Wednesday. "Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October." The intrusions are said to involve the exploitation of  CVE-2023-46604 , a remote code execution vulnerability in Apache ActiveMQ that allows a threat actor to run arbitrary shell commands. It's worth noting that the  vulnerability  carries a CVSS score of 10.0, indicating maximum severity. It has been  addressed  in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, or 5.1...

Stat! 3 Must-Have Data Filtering Techniques

Image
Data filtering techniques for threat hunting Why is filtering data important? Well, Splunk allows you to store gigabytes, terabytes, or even petabytes of full-fidelity security data — yet the evidence you are seeking during a hunt or investigation is often contained in just a few events.  You need to eliminate the noise and expose the signal. To do this, we will focus on three specific techniques for filtering data that you can start using right away. For all three tutorials, below, we use data from our Boss of the SOC v1.0 data set.  Technique 1. It’s About Time: Specifying a time range The most obvious (but often overlooked) technique for reducing the number of events returned by your Splunk search — and getting you closer to actionable results — is to specify an appropriate time range.  If you can put a left and right boundary on the timeline of your hunt, you enable Splunk to ignore events from time periods that have nothing to do with your hypothesis, ...

New Jupyter Infostealer Version Emerges with Sophisticated Stealth Tactics

Image
  An updated version of an information stealer malware known as Jupyter has resurfaced with "simple yet impactful changes" that aim to stealthily establish a persistent foothold on compromised systems. "The team has discovered new waves of Jupyter Infostealer attacks which leverage PowerShell command modifications and signatures of private keys in attempts to pass off the malware as a legitimately signed file," VMware Carbon Black researchers said in a report shared with The Hacker News. Jupyter Infostealer, also known as Polazert, SolarMarker, and Yellow Cockatoo, has a track record of leveraging manipulated search engine optimization (SEO) tactics and malvertising as an initial access vector to trick users searching for popular software into downloading it from dubious websites. It comes with capabilities to harvest credentials as well as establish encrypted command-and-control (C2) communication to exfiltrate data and execute arbitrary commands. Th...

FBI: Ransomware gangs hack casinos via 3rd party gaming vendors

Image
  The Federal Bureau of Investigation is warning that ransomware threat actors are targeting casino servers and use legitimate system management tools to increase their permissions on the network. In a private industry notification, the agency says that third-party vendors and services are common attack vector. Ransomware gangs continue to rely on third-party gaming vendors to breach casinos. "New trends included ransomware actors exploiting vulnerabilities in vendor-controlled remote access to casino servers, and companies victimized through legitimate system management tools to elevate network permissions," the agency explains. Starting 2022, the FBI noted ransomware attacks that targeted small and tribal casinos to encrypt servers and personally identifiable information of employees and patrons. The alert also details that the threat actor known as ‘Silent Ransom Group’ (SRG) and 'Luna Moth' has been carrying callback-phishing data theft and extortion attacks since...

Palo Alto Networks to Acquire Cloud Security Start-Up Dig Security

Image
  Palo Alto Networks (NASDAQ: PANW) announced on Tuesday that it has entered into a definitive agreement to acquire  Dig Security , a Tel Aviv, Israel-based provider of Data Security Posture Management (DSPM) technology. Dig Security’s DSPM solution helps organizations to discover, classify, monitor, and protect sensitive data across all cloud data stores, and will offer Palo Alto Networks’ customers robust visibility and control over their multi-cloud data estate. Following the completion of the acquisition, Dig’s capabilities will be integrated Palo Alto’s  Prisma Cloud  platform. In an equity research note, analysts from Jefferies see the acquisition as a “strategic and complementary acquisition that should bolster PANWs $500M Prisma Cloud business (growing 29% 2-YR CAGR) and could also help PANW become a governance tool for AI data sets further broadening its TAM.” Financial details of the transaction were not disclosed, but the purchase price could sur...

Researchers Find 34 Windows Drivers Vulnerable to Full Device Takeover

Image
  Researchers Find 34 Windows Drivers Vulnerable to Full Device Takeover Nov 02, 2023   As many as 34 unique vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers could be exploited by non-privileged threat actors to gain full control of the devices and execute arbitrary code on the underlying systems. "By exploiting the drivers, an attacker without privilege may erase/alter firmware, and/or elevate [operating system] privileges," Takahiro Haruyama, a senior threat researcher at VMware Carbon Black, said. The research expands on previous studies, such as ScrewedDrivers and POPKORN that utilized symbolic execution for automating the discovery of vulnerable drivers. It specifically focuses on drivers that contain firmware access through port I/O and memory-mapped I/O. The names of some of the vulnerable drivers include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ...

September was a record month for ransomware attacks in 2023

Image
  Ransomware activity in September reached unprecedented levels following a relative lull in August that was still way above regular standards for summer months. According to NCC Group data, ransomware groups launched 514 attacks in September. This surpasses March 2023 activity, which  counted 459 attacks , and was heavily skewed by  Clop's Fortra GoAnywhere data theft attacks . Clop had virtually no activity in September, which may be a sign the sophisticated ransomware gang is preparing for its next big attack.  However, the record was achieved by other threat groups, led by LockBit 3.0 (79 attacks), LostTrust (53), and BlackCat (47). LostTrust is a new threat actor in the list, making a dynamic entrance straight to second place. Believed to be a rebrand of MetaEncryptor due to significant code overlaps,  LostTrust has already encrypted the networks  of many organizations, some of whom experienced data leaks, too. RansomedVC,  a newcomer in exto...