Current Active Threats
Russian Cybergangs Stole Over 50 Million Passwords This Year
At least 34 distinct Russian-speaking cybercrime groups using info-stealing malware like Raccoon and Redline have collectively stolen 50,350,000 account passwords from over 896,000 individual infections from January to July 2022. The stolen credentials were for cryptocurrency wallets, Steam, Roblox, Amazon, and PayPal accounts, as well as payment card records. According to a report from Group-IB, whose analysts have been tracking these operations globally, most victims are based in the United States, Germany, India, Brazil, and Indonesia, but the malicious operations targeted 111 countries.
Ducktail Malware Operation Evolves with New Malicious Capabilities
Operators of the Ducktail information stealer have returned, introducing new malicious capabilities. Ducktail is malware designed to siphon browser cookies and take advantage of authenticated Facebook sessions to steal information from victims and run ads on their accounts for monetary gain. The info-stealer is attributed to a Vietnamese threat actor known for targeting businesses in the digital marketing and advertising sectors that are active on the Facebook Ads and Business platform. “Also targeted are individuals within prospective companies that are likely to have high-level access to Facebook Business accounts. This includes marketing, media, and human resources personnel.”
Backdoored Chrome Extension Installed by 200,000 Roblox Players
The Chrome extension 'SearchBlox', installed by more than 200,000 users, has been discovered to contain a backdoor that can steal your Roblox credentials and your assets on Rolimons, a Roblox trading platform. After analysis of the extension code confirmed the presence of a backdoor, it has been suggested that the backdoor was introduced either intentionally by its developer or after an initial compromise of the developer's account. The extension claims to let users "search Roblox servers for the desired player... blazingly fast." Suspicions arose among Roblox community members that SearchBlox contained malware after someone tweeted that the "popular plug-in SearchBlox has been COMPROMISED / BACKDOORED" and that "if you have it, your account may be at risk."
Hackers Breach Energy Orgs via Bugs in Discontinued Web Server
Microsoft said today that security vulnerabilities found to impact a web server discontinued since 2005 have been used to target and compromise organizations in the energy sector. Recorded Future revealed in a report published in April that state-backed Chinese hacking groups (including one traced as RedEcho) targeted multiple Indian electrical grid operators, compromising an Indian national emergency response system and the subsidiary of a multinational logistics company.
Black Basta Using QBot Malware to Target US-Based Companies
Researchers say Black Basta is dropping QBot malware - also called QakBot - in a widespread ransomware campaign targeting mostly U.S.-based companies. In the group's latest campaign, attackers are again using QBot to install a backdoor and then drop in encryption malware and other malicious code, according to Cybereason.
Experts Warn Threat Actors May Abuse Red Team Tool Nighthawk
Security researchers are warning that a new red-teaming tool dubbed “Nighthawk” may soon be leveraged by threat actors. Created in late 2021 by MDSec, the tool is best described as an advanced C2 framework, which functions like Cobalt Strike and Brute Ratel as a commercially distributed remote access trojan (RAT) designed for legitimate use.
Hospital Workers Charged with Selling Patient Information
The U.S. Justice Department in a statement says a federal grand jury on Nov. 10 indicted five former employees of Memphis, Tennessee-based Methodist Le Bonheur Healthcare with accessing and disclosing patient information to a sixth individual, Roderick Harvey, without the knowledge, consent or authorization of the patients. Four of the employees worked as financial counselors at Methodist Healthcare, and one of the individuals held a variety of roles, including PBX unit secretary, according to court documents. The longest-tenured employee, Taylor, worked in the hospital's emergency room as a financial counselor for 18 years, according to court documents.
Emotet Is Back and Delivers Payloads Like Icedid and Bumblebee
In April, the operators of the infamous Emotet botnet started testing new attack techniques in response to Microsoft’s move to disable Visual Basic for Applications (VBA) macros by default. In June, Proofpoint experts spotted a new variant of the Emotet bot that uses a new module to steal credit card information stored in the Chrome web browser. The experts noticed multiple changes to the bot and its payloads, and the operators introduced changes to the malware modules, loader, and packer. On the botnet's current sending capacity, the report published by Proofpoint states: “The volume of emails that Emotet sending bots attempt to deliver each day is in the hundreds of thousands. These numbers are comparable to historic averages. Hence, it does not appear that the Emotet botnet lost any significant spamming capability during the inactive period.”
Chinese 'Mustang Panda' Hackers Actively Targeting Governments Worldwide
A notorious advanced persistent threat actor known as Mustang Panda has been linked to a spate of spear-phishing attacks targeting government, education, and research sectors across the world. The primary targets of the intrusions from May to October 2022 included countries in the Asia Pacific region such as Myanmar, Australia, the Philippines, Japan, and Taiwan, cybersecurity firm Trend Micro said in a Friday report.
Google Provides Rules to Detect Tens of Cracked Versions of Cobalt Strike
Google Cloud researchers announced that they have discovered 34 different cracked Cobalt Strike release versions, with a total of 275 unique JAR files across these versions. Google Cloud Threat Intelligence (GCTI) researchers developed a set of YARA rules to detect cracked variants in the wild with a high degree of accuracy. The researchers noticed that each Cobalt Strike version contains approximately 10 to 100 attack template binaries. The experts were able to locate versions of the Cobalt Strike JAR file starting with version 1.44 (which was released in 2012) up to the latest version at the time of publishing the analysis, Cobalt Strike 4.7.
New Ransomware Encrypts Files, Then Steals Your Discord Account
When a user logs into Discord with their credentials, the platform sends back a user authentication token saved on the computer. This token can then be used to log in as the user or to issue API requests that retrieve information about the associated account. Threat actors commonly attempt to steal these tokens because they enable them to take over accounts or, even worse, abuse them for further malicious attacks.
Netflix Phishing Emails Surge 78%
Researchers from Egress detailed an increase in phishing campaigns spoofing the Netflix brand since October, noting a 78% increase in impersonation attacks against the brand. If employees use the same credentials for personal accounts like Netflix as their work accounts, campaigns like this may impact corporate systems and data, warned Egress. The group behind the attacks is using Unicode characters to bypass natural language processing (NLP) scanning, which will prevent traditional anti-phishing filters from catching it. “Unicode helps to convert international languages within browsers – but it can also be used for visual spoofing by exploiting international language characters to make a fake URL look legitimate,” Egress wrote.
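The visual spoofing described above relies on non-Latin or compatibility characters that render like the brand's own letters. The following is an added defender-side example, not code from Egress or from the original article: it decodes punycode hostnames, flags labels that mix scripts or contain non-ASCII characters, and folds a small constructed subset of Unicode confusables into an ASCII "skeleton" that is compared against a constructed allow-list of protected brand domains. The confusables table, the `PROTECTED_DOMAINS` set and the sample URLs are assumptions made for the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed subset of Unicode TR39 confusables (Cyrillic -> Latin).
# A production filter would load the full confusables.txt table instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}

# Constructed allow-list of brand domains the filter protects (assumption).
PROTECTED_DOMAINS = {"netflix.com", "paypal.com"}


def script_of(ch):
    """Coarse script classification derived from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN"):
        if script in name:
            return script
    return "OTHER"


def decode_host(url):
    """Return the hostname in Unicode form, decoding punycode 'xn--' labels."""
    host = urlsplit(url).hostname or ""
    if host.isascii() and "xn--" in host:
        try:
            return host.encode("ascii").decode("idna")
        except UnicodeError:
            return host
    return host


def skeleton(label):
    """Fold compatibility forms (NFKC) and known confusables to an ASCII look-alike."""
    folded = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLES.get(c, c) for c in folded).lower()


def analyze_url(url):
    """Return the decoded host, its skeleton, and a list of spoofing indicators."""
    host = decode_host(url)
    findings = []
    for label in host.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()} - {"OTHER"}
        if len(scripts) > 1:
            findings.append(f"mixed-script:{label}:" + "+".join(sorted(scripts)))
        if not label.isascii():
            findings.append(f"non-ascii:{label}")
    skel = ".".join(skeleton(label) for label in host.split("."))
    # A host whose skeleton is a protected brand but whose real form differs
    # is a look-alike: the user sees "netflix.com" but it is not that domain.
    if skel in PROTECTED_DOMAINS and skel != host.lower():
        findings.append(f"lookalike:{skel}")
    return {"host": host, "skeleton": skel, "findings": findings}


if __name__ == "__main__":
    # Constructed sample URLs: genuine, Cyrillic 'е' substitution, fullwidth 'n'.
    for sample in ("https://netflix.com/login",
                   "https://n\u0435tflix.com/account",
                   "https://\uff4eetflix.com/"):
        print(analyze_url(sample))
```

The skeleton comparison is what catches the case the NLP scanner misses: a filter that only looks at the raw string sees a domain that is not on any block-list, while the folded form reveals which brand the sender wants the reader to see.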
Phishing Kit Impersonates Well-known Brands to Target US Shoppers
A sophisticated phishing kit has been targeting North Americans since mid-September, using lures focused on holidays like Labor Day and Halloween. The kit uses multiple detection evasion techniques and incorporates several mechanisms to keep non-victims away from its phishing pages.
Atlassian Fixes Critical Command Injection Bug in Bitbucket Server
Atlassian has released updates to address critical-severity vulnerabilities in its centralized identity management platform, Crowd Server and Data Center, and in Bitbucket Server and Data Center, the company's solution for Git repository management. Both security vulnerabilities received a severity rating of 9 out of 10 (calculated by Atlassian) and affect multiple versions of the products.
Previously Unidentified ARCrypter Ransomware Expands Worldwide
A previously unknown ‘ARCrypter’ ransomware that compromised key organizations in Latin America is now expanding its attacks worldwide. Threat actors behind the new ransomware family attacked a government agency in Chile last August, targeting both Linux and Windows systems and appending the “.crypt” extension on encrypted files. Back then, Chilean threat analyst Germán Fernández told BleepingComputer that the strain appeared entirely new, not connected to any known ransomware families. Researchers at BlackBerry have confirmed this via a report that identifies the family as ARCrypter and links it to a second attack against the Colombia National Food and Drug Surveillance Institute (Invima) in October.
TLP: CLEAR - HIVE RANSOMWARE
Today, CISA, the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) released joint Cybersecurity Advisory (CSA) #StopRansomware: Hive Ransomware to provide network defenders tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Hive ransomware variants. FBI investigations identified these TTPs and IOCs as recently as November 2022.
FBI-Wanted Leader of the Notorious Zeus Botnet Gang Arrested in Geneva
A Ukrainian national who has been wanted by the U.S for over a decade has been arrested by Swiss authorities for his role in a notorious cybercriminal ring that stole millions of dollars from victims' bank accounts using malware called Zeus. Vyacheslav Igorevich Penchukov, who went by online pseudonyms "tank" and "father," is said to have been involved in the day-to-day operations of the group. He was apprehended on October 23, 2022, and is pending extradition to the U.S. Details of the arrest were first reported by independent security journalist Brian Krebs.
High Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices
Cybersecurity firm Rapid7 recently disclosed two high-severity vulnerabilities in F5 BIG-IP and BIG-IQ devices which could enable complete device takeover upon successful exploitation. The first flaw which is being tracked as CVE-2022-41622 is related to a cross-site request forgery vulnerability in BIG-IP and BIG-IQ products and can allow a malicious threat actor to execute code remotely without authentication.
Ukrainian CERT Discloses New Data-Wiping Campaign
Ukrainian cyber-experts have discovered a new attack campaign by suspected Russian threat actors that compromises victims’ VPN accounts to access and encrypt networked resources. The country’s Computer Emergency Response Team (CERT) noted in a new statement that the so-called Somnia ransomware was being used by the FRwL (aka Z-Team), also identified as UAC-0118.
U.S. Charges Russian Suspects With Operating Z-Library E-book Site
Z-Library is described as "one of the world's largest public and free-to-access written content repositories, containing 11 million books and 84 million articles in a massive 220 TB database" and as a volunteer-run project with no commercial direction. However, at some point, it started offering paid memberships in exchange for premium features.
Microsoft Urges Devs to Migrate Away From .Net Core 3.1 ASAP
Microsoft has urged developers still using the long-term support (LTS) release of .NET Core 3.1 to migrate to the latest .NET versions before it reaches end of support (EOS) next month. The company warned customers on the Windows message center to upgrade to .NET 6 (LTS) or .NET 7 "as soon as possible" before .NET Core 3.1 (LTS) reaches EOS on December 13, 2022.
Study: Electronics Repair Technicians Snoop on Your Data
When your computer or smartphone needs repairing, can you trust repair technicians not to access or steal your data? According to the results of recent research by scientists at the University of Guelph, Canada, you shouldn’t. Granted, they tested only 16 repair service providers with rigged devices, but in six cases, technicians snooped on customers’ data, and in two, they copied the data to external devices. Oh, and most of them tried to cover their tracks, either by removing evidence (e.g., by clearing items in the “Quick Access” or “Recently Accessed Files” on Microsoft Windows) or by trying not to generate it (e.g., by just zooming in on photo thumbnails).
New Rapperbot Campaign Targets Game Servers With DDoS Attacks
Researchers from FortiGuard Labs discovered the previously undetected RapperBot IoT botnet in August, and reported that it has been active since mid-June 2022. The bot borrows a large portion of its code from the original Mirai botnet, but unlike other IoT malware families, it implements a built-in capability to brute force credentials and gain access to SSH servers instead of Telnet as implemented in Mirai.
North Korean Hackers Target European Orgs With Updated Malware
North Korean hackers are using a new version of the DTrack backdoor to attack organizations in Europe and Latin America. DTrack is a modular backdoor featuring a keylogger, a screenshot snapper, a browser history retriever, a running processes snooper, an IP address and network connection information snatcher, and more. Apart from spying, it can also run commands to perform file operations, fetch additional payloads, steal files and data, and execute processes on the compromised device. The new malware version doesn't feature many functional or code changes compared to samples analyzed in the past, but it is now deployed far more widely.
Researchers Discover Hundreds of Amazon RDS Instances Leaking Users' Personal Data
Researchers recently uncovered hundreds of databases on Amazon Relational Database Service (Amazon RDS) which are exposing personally identifiable information (PII). "Amazon RDS is a web service that makes it possible to set up relational databases in the Amazon Web Services (AWS) cloud. It offers support for different database engines such as MariaDB, MySQL, Oracle, PostgreSQL, and SQL Server."
China-Based Campaign Uses 42,000 Phishing Domains
Security researchers have uncovered a sophisticated phishing campaign using tens of thousands of malicious domains to spread malware and generate advertising revenue. Dubbed “Fangxiao,” the group directs unsuspecting users to the domains via WhatsApp messages telling them they’ve won a prize, according to security vendor Cyjax. The phishing site landing pages apparently impersonate hundreds of well-known brands including Emirates, Unilever, Coca-Cola, McDonald’s and Knorr. The victims will be redirected to advertising sites, which Fangxiao generates money from, en route to a fake survey where it's claimed they can win a prize.
Chinese Hackers Target Government Agencies and Defense Orgs
A cyberespionage threat actor tracked as Billbug (a.k.a. Thrip, Lotus Blossom, Spring Dragon) has been running a campaign targeting a certificate authority, government agencies, and defense organizations in several countries in Asia. The most recent attacks were observed since at least March but the actor has been operating stealthily for more than a decade and it is believed to be a state-sponsored group working for China. Its operations have been documented by multiple cybersecurity companies over the past six years.
Whoosh Confirms Data Breach After Hackers Sell 7.2M User Records
Whoosh is Russia's leading urban mobility service platform, operating in 40 cities with over 75,000 scooters. The Russian scooter-sharing service has confirmed a data breach after hackers started to sell a database containing the details of 7.2 million customers on a hacking forum. The threat actor began selling the stolen data on the forum on Friday; the data allegedly contains promotion codes that can be used to access the service for free, as well as partial user identification and payment card data.
Previously Undetected Earth Longzhi APT Group Is a Subgroup of APT41
Early this year, Trend Micro investigated a security breach suffered by a company in Taiwan. Threat actors employed a custom Cobalt Strike loader in the attack. Further analysis revealed that the same threat actor targeted multiple regions using a similar Cobalt Strike loader and has been active since 2020. The experts attributed the attacks to a new subgroup of the China-linked APT41 group, tracked as Earth Longzhi.
SSVC: Prioritization of Vulnerability Remediation According to CISA
The volume of newly discovered vulnerabilities continues to increase year after year. As threat actors become better at weaponizing vulnerabilities, it is becoming ever more important for organizations to make timely and well-judged decisions regarding vulnerability prioritization and remediation. While CISA regularly publishes its list of most exploited vulnerabilities and regularly updates the Known Exploited Vulnerabilities Catalog, it still remains a challenge for organizations to understand which security holes should be plugged first. To address these challenges, CISA has been updating and promoting the Stakeholder-Specific Vulnerability Categorization (SSVC) system.
Microsoft Fixes Windows DirectAccess Connectivity Issues
Microsoft has resolved a known issue causing connectivity problems for Windows customers using the DirectAccess service to access their organizations remotely without using a virtual private network (VPN). According to Redmond, DirectAccess might not reconnect automatically after the impacted device experiences connectivity issues. Scenarios that could lead to this known issue include switching between access points or Wi-Fi networks and temporarily losing network connectivity. The problems affect enterprise endpoints where admins have deployed Windows updates released since mid-October.
Kmsdbot, a New Evasive Bot for Cryptomining Activity and DDoS Attacks
KmsdBot, which has been employed in cryptocurrency mining campaigns, supports multiple architectures, including Winx86, Arm64, mips64, and x86_64, and does not maintain persistence, in order to avoid detection. The malicious code was used in attacks targeting multiple sectors including the gaming industry, technology industry, and luxury car manufacturers. The first DDoS attack observed by Akamai targeted a gaming company named FiveM, which allows gamers to host custom private servers for Grand Theft Auto Online. The malware employed specific targeted attacks along with generic Layer 4 and Layer 7 attacks.
Ukraine Says Russian Hacktivists Use New Somnia Ransomware
Russian hacktivists have infected multiple organizations in Ukraine with a new ransomware strain called 'Somnia,' encrypting their systems and causing operational problems. The Computer Emergency Response Team of Ukraine (CERT-UA) has confirmed the outbreak via an announcement on its portal, attributing the attacks to 'From Russia with Love' (FRwL), also known as 'Z-Team,' whom they track as UAC-0118. The group previously disclosed creating the Somnia ransomware on Telegram and even posted evidence of attacks against tank producers in Ukraine. However, until today, Ukraine has not confirmed any successful encryption attacks by the hacking group.
Multiple High-Severity Flaws Affect Widely Used OpenLiteSpeed Web Server Software
Palo Alto Networks’ Unit 42 research team recently disclosed multiple vulnerabilities in the open-source OpenLiteSpeed Web Server as well as its enterprise version (LiteSpeed Web Server) which could be exploited to achieve remote code execution. In total, three vulnerabilities were uncovered, two rated high severity and one rated medium severity.
The vulnerabilities include:
- Remote Code Execution (CVE-2022-0073) (CVSS 8.8)
- Privilege Escalation (CVE-2022-0074) (CVSS 8.8)
- Directory Traversal (CVE-2022-0072) (CVSS 5.8)
Canadian Food Retail Giant Sobeys Hit by Black Basta Ransomware
Grocery stores and pharmacies belonging to Canadian food retail giant Sobeys have been experiencing IT systems issues since last weekend. Sobeys is one of two national grocery retailers in Canada, with 134,000 employees servicing a network of 1,500 stores in all ten provinces under multiple retail banners, including Sobeys, Safeway, IGA, Foodland, FreshCo, Thrifty Foods, and Lawtons Drugs.
Ukraine Arrests Fraud Ring Members Who Made €200 Million per Year
Ukraine's cyber police and Europol have identified and arrested five key members of an international investment fraud ring estimated to have caused losses of over €200 million per year. The operation of the investment scheme was spread across multiple European countries, including Ukraine, Germany, Spain, Latvia, Finland, and Albania. The scammers operated call centers and offices in these countries, which they used to trick prospective investors into making a series of fake investments. The criminals created an extensive network of fake websites posing as cryptocurrency, stocks, bonds, futures, and options investment portals to promote the operation.
APT29 Abused Windows Credential Roaming in an Attack Against a Diplomatic Entity
The attack stands out for the use of the Windows Credential Roaming feature. Credential Roaming was introduced by Microsoft in Windows Server 2003 SP1 and is still supported on Windows 11 and Windows Server 2022. The feature is used to roam certificates and other credentials with the user within a domain. APT29 along with APT28 cyber espionage group was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.
High-Severity Flaw Reported in Critical System Used by Oil and Gas Companies
Security researchers at Claroty recently disclosed details of a vulnerability in a system used across oil and gas organizations. Tracked as CVE-2022-0902 (CVSS score: 8.1), the flaw is a path traversal vulnerability in ABB Totalflow flow computers and remote controllers. “Flow computers are special-purpose electronic instruments used by petrochemical manufacturers to interpret data from flow meters and calculate and record the volume of substances such as natural gas, crude oils, and other hydrocarbon fluids at a specific point in time. These gas measurements are critical not only when it comes to process safety, but are also used as inputs when bulk liquid or gas products change hands between parties, making it imperative that the flow measurements are accurately captured.”
15,000 sites hacked for massive Google SEO poisoning campaign
Hackers are conducting a massive black hat search engine optimization (SEO) campaign by compromising almost 15,000 websites to redirect visitors to fake Q&A discussion forums. The attacks were first spotted by Sucuri, who says that each compromised site contains approximately 20,000 files used as part of the search engine spam campaign, with most of the sites being WordPress. The researchers believe the threat actors' goal is to generate enough indexed pages to increase the fake Q&A sites' authority and thus rank better in search engines.
Google Reveals Spyware Vendor's Use of Samsung Phone Zero-Day Exploits
Google Project Zero has disclosed the details of three Samsung phone vulnerabilities that have been exploited by a spyware vendor since being designated with zero-day status. The flaws, tracked as CVE-2021-25337, CVE-2021-25369 and CVE-2021-25370, have been chained and exploited against Android phones, but they impact custom Samsung components. The security holes have been described as an arbitrary file read/write issue via a custom clipboard content provider, a kernel information leak, and a use-after-free in the display processing unit driver.
Malicious extension lets attackers control Google Chrome remotely
A new Chrome browser botnet named 'Cloud9' has been discovered in the wild using malicious extensions to steal online accounts, log keystrokes, inject ads and malicious JS code, and enlist the victim's browser in DDoS attacks. The Cloud9 browser botnet is effectively a remote access trojan (RAT) for the Chromium web browser, including Google Chrome and Microsoft Edge, allowing the threat actor to remotely execute commands. The malicious Chrome extension isn't available on the official Chrome web store but is instead circulated through alternative channels, such as websites pushing fake Adobe Flash Player updates. This method appears to be working well, as researchers at Zimperium reported today that they have seen Cloud9 infections on systems across the globe.
Citrix urges admins to patch critical ADC, Gateway auth bypass
On Tuesday, Citrix released security updates to address three flaws impacting Citrix ADC and Citrix Gateway, one of which is a critical authentication bypass vulnerability. Successful exploitation of these flaws could enable threat actors to gain unauthorized access to the targeted device, perform remote desktop takeover, and bypass login brute force protections.
VMware Fixes Three Critical Auth Bypass Bugs in Remote Access Tool
VMware has released security updates to address three critical severity vulnerabilities in the Workspace ONE Assist solution that enable remote attackers to bypass authentication and elevate privileges to admin. Workspace ONE Assist provides remote control, screen sharing, file system management, and remote command execution to help desk and IT staff remotely access and troubleshoot devices in real time from the Workspace ONE console.
Microsoft Patch Tuesday Updates Fix 6 Actively Exploited Zero-Days
Eleven vulnerabilities are rated Critical and 53 are rated Important in severity. This month Microsoft addressed a couple of vulnerabilities in MS Exchange that are currently being exploited in the wild. “They were expected last month, but they are finally here (along with several other Exchange fixes). These bugs were purchased by the ZDI at the beginning of September and reported to Microsoft at the time. At some point later, they were detected in the wild. Microsoft has released several different mitigation recommendations, but the best advice is to test and deploy these fixes.” reads the announcement published by ZDI. “There were some who doubted these patches would be released this month, so it’s good to see them here.”
Advanced RAT AgentTesla Most Prolific Malware in October
Check Point researchers released their Global Threat Index for October 2022, which features metrics from millions of Check Point threat intel sensors installed across customer networks, endpoints, and mobile devices. The researchers found that AgentTesla accounted for nearly a fifth (16%) of total global detections in October. The report revealed that “AgentTesla was the most widespread malware, impacting 7% of organizations. The advanced RAT malware works as a keylogger and information stealer capable of collecting the victim’s keystrokes, taking screenshots and exfiltrating credentials.”
Amadey Bot Spotted Deploying LockBit 3.0 Ransomware on Hacked Machines
The Amadey malware is being used to deploy LockBit 3.0 ransomware on compromised systems, researchers have warned. ‘Amadey bot, the malware that is used to install LockBit, is being distributed through two methods: one using a malicious Word document file, and the other using an executable that takes the disguise of the Word file icon,’ AhnLab Security Emergency Response Center (ASEC) said in a new report published today.
New Laplas Clipper Malware Targeting Cryptocurrency Users via SmokeLoader
Cryptocurrency users are being targeted with a new clipper malware strain dubbed Laplas by means of another malware known as SmokeLoader. SmokeLoader, which is delivered by means of weaponized documents sent through spear-phishing emails, further acts as a conduit for other commodity trojans like SystemBC and Raccoon Stealer 2.0, according to an analysis from Cyble. Observed in the wild since circa 2013, SmokeLoader functions as a generic loader capable of distributing additional payloads onto compromised systems, such as information-stealing malware and other implants. In July 2022, it was found to deploy a backdoor called Amadey. Cyble said it discovered over 180 samples of Laplas since October 24, 2022, suggesting a wide deployment.
China is Likely Stockpiling and Deploying Vulnerabilities, says Microsoft
Microsoft has asserted that China's offensive cyber capabilities have improved, thanks to a law that has allowed Beijing to create an arsenal of unreported software vulnerabilities. China's 2021 law required organizations to report security vulnerabilities to local authorities before disclosing them to any other entity. The rules mean Beijing can use local research to hoard vulnerability information.
Robin Banks Phishing Service for Cybercriminals Returns with Russian Server
According to a new report from cybersecurity firm IronNet, Robin Banks has returned after relocating its attack infrastructure to DDoS-Guard, a Russian provider of bulletproof hosting services. Robin Banks is a phishing-as-a-service platform that was uncovered back in July 2022. The platform offers ready-made phishing kits that have been used to target customers of well-known banks and online services including Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, etc.
British Govt Is Scanning All Internet Devices Hosted in UK
The United Kingdom's National Cyber Security Centre (NCSC), the government agency that leads the country's cyber security mission, is now scanning all Internet-exposed devices hosted in the UK for vulnerabilities. The goal is to assess UK's vulnerability to cyber-attacks and to help the owners of Internet-connected systems understand their security posture.
New Crimson Kingsnake gang impersonates law firms in BEC attacks
A business email compromise (BEC) group named 'Crimson Kingsnake' has emerged, impersonating well-known international law firms to trick recipients into approving overdue invoice payments. The threat actors impersonate lawyers who are sending invoices for overdue payment of services supposedly provided to the recipient firm a year ago. This approach creates a solid basis for the BEC attack, as recipients may be intimidated when receiving emails from large law firms like the ones impersonated in the scams.
Cisco Addressed Several High-severity Flaws in Its Products
Cisco addressed multiple vulnerabilities impacting some of its products, including high-severity flaws in identity, email, and web security products. The most severe vulnerability addressed by the IT giant is a cross-site request forgery (CSRF) flaw, tracked as CVE-2022-20961 (CVSS score of 8.8), that impacts the Identity Services Engine (ISE). An unauthenticated, remote attacker can exploit the vulnerability to perform arbitrary actions on a vulnerable device. The root cause of the issue is the insufficient CSRF protections for the web-based management interface of an affected device.
Attackers Leverage Microsoft Dynamics 365 to Phish Users
Attackers are abusing Microsoft Dynamics 365 Customer Voice to evade email filters and deliver phishing emails into Microsoft users’ inboxes, Avanan researchers are warning. Microsoft Dynamics 365 is a suite of enterprise resource planning (ERP) and customer relationship management (CRM) applications. Customer Voice is one of these applications, and it’s used for collecting data and feedback from customers via surveys, phone calls, etc. The attackers have created Microsoft Dynamics 365 Customer Voice accounts and are using them to send out phishing emails telling recipients that they have received a voicemail. To the end user, this looks like a voicemail from a customer, which would be important to listen to. Clicking on it is the natural step.
Lockbit Ransomware Claims Attack on Continental Automotive Giant
LockBit allegedly stole some data from Continental's systems, and they are threatening to publish it on their data leak site if the company doesn't give in to their demands within the next 22 hours. The gang has yet to make any details available regarding what data it exfiltrated from Continental's network or when the breach occurred. Ransomware gangs commonly publish data on their leak sites as a tactic to scare their victims into negotiating a deal or into returning to the negotiation table. Since LockBit says that it will publish "all available" data, this indicates that Continental is yet to negotiate with the ransomware operation or it has already refused to comply with the demands.
Black Basta Ransomware Gang Linked to the FIN7 Hacking Group
Security researchers at Sentinel Labs have uncovered evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7, also known as "Carbanak." When analyzing tools used by the ransomware gang in attacks, the researchers found signs that a developer for FIN7 has also authored the EDR (Endpoint Detection and Response) evasion tools used exclusively by Black Basta since June 2022.
OPERA1ER APT Hackers Targeted Dozens of Financial Organizations in Africa
A French-speaking threat actor dubbed OPERA1ER has been linked to a series of more than 30 successful cyber attacks aimed at banks, financial services, and telecom companies across Africa, Asia, and Latin America between 2018 and 2022. According to Singapore-headquartered cybersecurity company Group-IB, the attacks have led to thefts totaling $11 million, with actual damages estimated to be as high as $30 million. Some of the more recent attacks in 2021 and 2021 have singled out five different banks in Burkina Faso, Benin, Ivory Coast, and Senegal. Many of the victims identified are said to have been compromised twice, and their infrastructure subsequently weaponized to strike other organizations.
Hundreds of U.S. news sites push malware in supply-chain attack
Dozens of PyPI Packages Caught Dropping ‘w4sp’ Info-Stealing Malware
Researchers have discovered over two dozen Python packages on the PyPI registry that are pushing info-stealing malware. Most of these contain obfuscated code that drops the "W4SP" info-stealer on infected machines, while others make use of malware purportedly created for "educational purposes" only. The packages imitate popular libraries but instead drop info-stealers after infecting machines. The packages, listed below, are typosquats—that is, the threat actors publishing them have intentionally named them similarly to known Python libraries in the hope that developers attempting to fetch the real library will make a spelling error and inadvertently retrieve one of the malicious ones.
Emotet Botnet Starts Blasting Malware Again After 5 Month Break
Emotet is a malware infection distributed through phishing campaigns containing malicious Excel or Word documents. When users open these documents and enable macros, the Emotet DLL will be downloaded and loaded into memory. Once loaded, the malware will search for and steal emails to use in future spam campaigns and drop additional payloads such as Cobalt Strike or other malware that commonly leads to ransomware attacks. While Emotet was considered the most distributed malware in the past, it suddenly stopped spamming on June 13th, 2022. Researchers from the Emotet research group Cryptolaemus reported that at approximately 4:00 AM ET on November 2nd, the Emotet operation suddenly came alive again, spamming email addresses worldwide.
CISA Message on OpenSSL 3.0.7 Release
To follow up on Monday’s message, OpenSSL has released a security advisory addressing two vulnerabilities (CVE-2022-3602 and CVE-2022-3786) that affect OpenSSL versions 3.0.0 through 3.0.6. Both CVE-2022-3602 and CVE-2022-3786 can cause a denial of service. According to OpenSSL, a cyber threat actor leveraging CVE-2022-3786 "can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution," allowing them to take control of an affected system.
New Sandstrike Spyware Infects Android Devices via Malicious VPN App
Threat actors are using newly discovered spyware known as SandStrike and delivered via a malicious VPN application to target Android users. They focus on Persian-speaking practitioners of the Baháʼí Faith, a religion developed in Iran and parts of the Middle East. The attackers are promoting the malicious VPN app as a simple way to circumvent censorship of religious materials in certain regions. To spread it, they use social media accounts to redirect potential victims to a Telegram channel that would provide them with links to download and install the booby-trapped VPN.
Dropbox Breach: Hackers Gained Unauthorized Access to 130 GitHub Source Code Repositories
On Tuesday, Dropbox disclosed it was the victim of a phishing campaign that enabled unidentified threat actors to gain unauthorized access to 130 of its source code repositories on GitHub. The repositories allegedly contained copies of modified third-party libraries used by Dropbox, internal prototypes, and some tools and configuration files used by the file hosting service’s security team.
Ransomware Research: 17 Leaked Databases Operated by Threat Actors Threaten Third-Party Organizations
Ransomware remains a serious threat to organizations, Deep Instinct, a New York-based deep learning cybersecurity specialist, said in its recently released 2022 Interim Cyber Threat Report. It’s no surprise, the company said, as there are currently 17 leaked databases operated by threat actors who are leveraging the data for attacks on third-party companies, most notably social engineering, credential theft, and triple-extortion attacks.
OpenSSL Update: Fixes for Two ‘High’ Severity Vulnerabilities Released
OpenSSL released patches for two vulnerabilities that have caused widespread concern among cybersecurity experts and researchers over the last week and a half. OpenSSL is a commonly used code library that allows secured internet communication.
VMware Warns of the Public Availability of CVE-2021-39144 Exploit Code
VMware warned of the existence of a public exploit targeting a recently addressed critical remote code execution (RCE) vulnerability, tracked as CVE-2021-39144 (CVSS score of 9.8), in NSX Data Center for vSphere (NSX-V). VMware NSX is a network virtualization solution that is available in VMware vCenter Server. The remote code execution vulnerability resides in the XStream open-source library. Unauthenticated attackers can exploit the vulnerability in low-complexity attacks without user interaction.
Hackers Selling Access to 576 Corporate Networks for $4 Million
A new report shows that hackers are selling access to 576 corporate networks worldwide for a total cumulative sales price of $4,000,000, fueling attacks on the enterprise. The research comes from Israeli cyber-intelligence firm KELA, which published its Q3 2022 ransomware report, reflecting stable activity in the sector of initial access sales but a steep rise in the value of the offerings. Although the number of sales for network access remained about the same as in the previous two quarters, the cumulative requested price has now reached $4,000,000. For comparison, the total value of initial access listings in Q2 2022 was $660,000, recording a drop in value that coincided with the summer ransomware hiatus that hurt demand. In the third quarter of 2022, KELA's analysts observed 110 threat actors posting 576 initial access offerings totaling a cumulative value of $4,000,000. The average selling price of these listings was $2,800, while the median selling price reached a record figure of $1,350.
FTC Takes Enforcement Action Against EdTech Giant Chegg
The Federal Trade Commission (FTC) has taken legal action against EdTech player Chegg, alleging the firm has failed to protect its customers after suffering four data breaches since 2017. The FTC’s proposed order alleged Chegg took “shortcuts” with the personal data of millions of its students and will mandate enhanced data security, limits to data collection, improved access controls and more autonomy for students to delete their own data. The California-based company – which sells online tutoring and online scholarship search services, among other things – collects a large amount of personal and financial information on its customers. This includes their religious affiliation, date of birth, sexual orientation, disabilities, Social Security numbers and medical data, the FTC said.
Microsoft fixes critical RCE flaw affecting Azure Cosmos DB
Analysts at Orca Security recently disclosed that they found a critical vulnerability affecting Azure Cosmos DB that could allow an unauthenticated threat actor to gain read and write access to containers. The flaw, dubbed CosMiss, resides in the Jupyter Notebooks built into Azure Cosmos DB, which integrate into the Azure portal and Azure Cosmos DB accounts to make querying, analyzing, and visualizing NoSQL data and results easier.
Former British Prime Minister Liz Truss’s phone was allegedly hacked by Russian spies
The personal mobile phone of British Prime Minister Liz Truss was hacked by cyber spies suspected of working for the Kremlin, the Daily Mail reported. According to the British tabloid, the cyber-spies are believed to have gained access to top-secret exchanges with key international partners as well as private conversations with her friend, the British Conservative Party politician Kwasi Kwarteng.
Github Flaw Could Have Allowed Attackers to Takeover Repositories of Other Users
The vulnerability was discovered by Checkmarx, which calls the attack technique RepoJacking. The vulnerability could allow an attacker to take control of a GitHub repository and potentially infect all applications and other code relying on it with malicious code. If not explicitly addressed, all renamed usernames on GitHub were vulnerable to this flaw, including over 10,000 packages on the Go, Swift, and Packagist package managers.
CROSS-SECTOR CYBERSECURITY PERFORMANCE GOALS
In July 2021, President Biden signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. This memorandum required CISA, in coordination with the National Institute of Standards and Technology (NIST) and the interagency community, to develop baseline cybersecurity performance goals that are consistent across all critical infrastructure sectors. These voluntary cross-sector Cybersecurity Performance Goals (CPGs) are intended to help establish a common set of fundamental cybersecurity practices for critical infrastructure, and especially help small- and medium-sized organizations kickstart their cybersecurity efforts.
ConnectWise Recover and R1Soft Server Backup Manager Critical Security Release
ConnectWise Recover: Recover v2.9.7 and earlier versions are impacted due to "Improper Neutralization of Special Elements in Output Used by a Downstream Component." If exploited, an attacker could execute remote code or directly access confidential data.
Affected versions ConnectWise Recover: Recover v2.9.7 and earlier versions are impacted. R1Soft: SBM v6.16.3 and earlier versions are also impacted.
Raspberry Robin Operators Selling Cybercriminals Access to Thousands of Endpoints
The Raspberry Robin worm is becoming an access-as-a-service malware for deploying other payloads, including IcedID, Bumblebee, TrueBot (aka Silence), and Clop ransomware. It is "part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread," the Microsoft Security Threat Intelligence Center (MSTIC) said in a detailed write-up. Raspberry Robin, also called QNAP Worm owing to the use of compromised QNAP storage servers for command-and-control, is the name given to a malware by cybersecurity company Red Canary that spreads to Windows systems through infected USB drives.
Google Fixes Seventh Chrome Zero-Day Exploited in Attacks This Year
API Attacks Have Emerged as the #1 Threat Vector in 2022
Gartner released new statistics this week on API attacks. According to the researchers, APIs have become the leading attack vector for enterprise web applications. As more organizations move their operations to cloud-based services, data is being moved with APIs. Organizations are using APIs to build complex applications that serve as the foundation for their business models, since they offer an effective way to leverage the data and functionality delivered by an organization’s digital applications and services. They are becoming more popular due to their ability to provide connectivity between disparate systems. For example, an API for a bank can allow you to access your account information from a mobile app or website. In addition, companies may use APIs for internal processes, such as billing or inventory management.
Android Malware Droppers With 130K Installs Found on Google Play
A set of Android malware droppers were found infiltrating the Google Play store to install banking trojans pretending to be app updates. Malware droppers are a challenging category of apps to stop because they do not contain malicious code themselves and thus can more easily pass Google Play reviews when submitted to the store. At the same time, they do not raise suspicion among the users as they provide the advertised functionality, and malicious behavior is conducted behind the scenes. Researchers at Threat Fabric, who discovered the new set of droppers, report a rise in the use of droppers for Android malware distribution precisely because they can offer a stealthy pathway to infecting devices. This is particularly important considering the ever-increasing restrictions and safeguards introduced with each major Android release, preventing malware from abusing permissions, fetching malicious modules from external resources, or using the Accessibility service to perform unlimited actions on the device.
Hackers Use Microsoft IIS Web Server Logs to Control Malware
The Cranefly hacking group, aka UNC3524, uses a previously unseen technique of controlling malware on infected devices via Microsoft Internet Information Services (IIS) web server logs. Microsoft Internet Information Services (IIS) is a web server that hosts websites and web applications. It’s also used by other software, such as Outlook on the Web (OWA) for Microsoft Exchange, to host management apps and web interfaces.
Developing Situation: Calix GigaCenter Under Attack - Calix Official Statement
Calix GigaCenter and GigaHub premises systems with remote access enabled are vulnerable to a SOCKS5 Proxy exploit. The exploit uses command injection via the HTTP API to download a script which then installs the SOCKS5 Proxy. The proxy will continue running after a reboot.
OpenSSL to Fix the Second Critical Flaw Ever
The OpenSSL Project announced that it is going to release updates to address a critical vulnerability in the open-source toolkit. Experts pointed out that it is the first critical vulnerability patched in the toolkit since September 2016.
“The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 3.0.7. This release will be made available on Tuesday 1st November 2022 between 1300-1700 UTC,” reads the announcement. “OpenSSL 3.0.7 is a security-fix release. The highest severity issue fixed in this release is CRITICAL.”
Notorious ‘Bestbuy’ Hacker Arraigned for Running Dark Web Market
A notorious British hacker was arraigned on Wednesday by the U.S. Department of Justice for allegedly running the now defunct 'The Real Deal' dark web marketplace. The 34-year-old defendant Daniel Kaye (aka Bestbuy, Spdrman, Popopret, UserL0ser) allegedly ran the illicit services market between early 2015 and November 2016, when The Real Deal shut down. Kaye also allegedly trafficked Twitter and LinkedIn accounts and conspired with a threat actor known as TheDarkOverlord to sell stolen Social Security numbers. He laundered the cryptocurrency obtained while operating The Real Deal using the Bitmixer[.]io Bitcoin mixer service to hide the illicit gains from law enforcement's blockchain tracing analysis efforts.
Developing Situation: Calix GigaCenter Under Attack - Calix Statement
Calix development is, and has been, investigating this issue and working on fixes that include remediating systems impacted as well as preventing exploitation of other systems. The problem is understood and a fix is forthcoming. When it is available, customers will be advised via account teams, service bulletins and proactive alerts. This community post will also be updated with information as it becomes available.
Developing Situation: Calix GigaCenter Under Attack
We received reports this morning that some Calix GigaCenters were under attack. According to reports, Calix GigaCenter routers that have default or compromised credentials are being attacked. In one case, a service provider reported that 10% of their GigaCenters (844E) rebooted overnight. Another service provider reported that their DNS server’s cache was exhausted impacting DNS resolution.
VMware Releases Patch for Critical RCE Flaw in Cloud Foundation Platform
On Tuesday, VMware released security updates to address a critical flaw in the VMware Cloud Foundation Product, a hybrid cloud platform that is used to run enterprise apps in private or public environments. Tracked as CVE-2021-39144, the vulnerability is related to a remote code execution flaw that resides in XStream, an open-source library used by Cloud Foundation.
RomCom Hackers Circulating Malicious Copy of Popular Software to Target Ukrainian Military
The threat actor behind a remote access trojan called RomCom RAT has been observed targeting Ukrainian military institutions as part of a new spear-phishing campaign that commenced on October 21, 2022. The development marks a shift in the attacker's modus operandi, which has been previously attributed to spoofing legitimate apps like Advanced IP Scanner to drop backdoors on compromised systems.
Two Flaws in Cisco Anyconnect Secure Mobility Client for Windows Actively Exploited
Cisco is warning of exploitation attempts targeting two security flaws, CVE-2020-3153 (CVSS score: 6.5) and CVE-2020-3433 (CVSS score: 7.8), in the Cisco AnyConnect Secure Mobility Client for Windows. Both vulnerabilities are dated 2020 and are now patched.
- The CVE-2020-3153 flaw resides in the installer component of AnyConnect Secure Mobility Client for Windows; an authenticated local attacker can exploit the flaw to copy user-supplied files to system-level directories with system-level privileges.
- The CVE-2020-3433 vulnerability resides in the interprocess communication (IPC) channel of the Cisco AnyConnect Secure Mobility Client for Windows. An authenticated, local attacker can exploit the issue to perform a DLL hijacking attack. To use this vulnerability, the attacker would need to have valid credentials on the Windows system.
Microsoft: Server Manager Disk Resets Can Lead to Data Loss
Microsoft warns that a newly acknowledged issue can lead to data loss when resetting virtual disks using the Server Manager management console. Server Manager helps IT admins manage Windows-based servers from their desktops without requiring a Remote Desktop connection or physical access to the servers. Because of this issue, admins attempting to reset (or clear) a virtual disk might accidentally reset the wrong disk, leading to data corruption. They will also see "Failed to reset disk" errors in the Task Progress dialog window, with the 'Found multiple disks with the same ID. Please update your storage driver and then try again.' error message.
Malicious Clicker Apps in Google Play Have 20M+ Installs
Security researchers at McAfee have discovered 16 malicious clicker apps available in the official Google Play store that were installed more than 20 million times. One of these apps, DxClean, has been installed more than five million times, and its user rating was 4.1 out of 5 stars. Clicker apps are adware that loads ads in invisible frames or in the background and clicks them to generate revenue for the threat actors behind the campaign. Threat actors have concealed the malicious code in practical utility applications like Flashlight (Torch), QR readers, Camera, Unit converters, and Task managers. Upon execution, the clicker apps download their configuration from a remote server and register an FCM listener to receive push messages.
Apple Releases Patch for New Actively Exploited iOS and iPadOS Zero-Day Vulnerability
On Monday, Apple released security updates to address a zero-day flaw in iOS and iPadOS which is actively being exploited in the wild. Tracked as CVE-2022-42827, the vulnerability is related to an out-of-bounds write bug in the kernel that could be exploited by a malicious threat actor to execute arbitrary code with the highest privileges.
Hive Claims Ransomware Attack on Tata Power, Begins Leaking Data
Hive ransomware group has claimed responsibility for a cyber attack disclosed by Tata Power this month. A subsidiary of the multinational conglomerate Tata Group, Tata Power is India's largest integrated power company based in Mumbai. In screenshots seen by BleepingComputer, Hive operators have posted data they claim to have stolen from Tata Power, indicating that the ransom negotiations failed.
Medibank Data Breach: More Customers Affected, Attacker Got in via Stolen Credentials
Australian private health insurance provider Medibank has revealed that the hack and data breach it discovered over two weeks ago has affected more customers than initially thought, “We have received a series of additional files from the criminal. We have been able to determine that this includes: a copy of the file received last week containing 100 ahm policy records (including personal and health claims data); a file of a further 1,000 ahm policy records (including personal and health claims data); and files which contain some Medibank and additional ahm and international student customer data. It has become clear that the criminal has taken data that now includes Medibank customer data, in addition to that of ahm and international student customers,” the company said.
US Charges Two Chinese Agents in Huawei Obstruction Case
The US has announced another blockbuster set of charges against Chinese nationals in three cases, including one in which two agents are said to have paid bribes for inside information on the federal prosecution of Huawei. The US Department of Justice (DoJ) unveiled the charges yesterday and, although Huawei is not named, widespread reports claim it is the telco at the center of the case. The US filed a string of charges of racketeering and conspiracy to steal trade secrets against the firm in 2019 and 2020.
Daixin Team Targets Health Organizations With Ransomware, US Agencies Warn
CISA, the FBI, and the Department of Health and Human Services (HHS) warned that the Daixin Team cybercrime group is actively targeting U.S. businesses, mainly in the Healthcare and Public Health (HPH) Sector, with ransomware operations. The Daixin Team is a ransomware and data extortion group that has been active since at least June 2022. The group has focused on the HPH Sector with operations aimed at deploying ransomware and exfiltrating personally identifiable information (PII) and patient health information (PHI), threatening to release the stolen data if a ransom is not paid.
Botnet Distributing Self-Unlocking Password-Protected RAR Files to Drop Malware
The notorious Emotet botnet has been linked to a new wave of malspam campaigns that take advantage of password-protected archive files to drop CoinMiner and Quasar RAT on compromised systems. In an attack chain detected by Trustwave SpiderLabs researchers, an invoice-themed ZIP file lure was found to contain a nested self-extracting (SFX) archive, the first archive acting as a conduit to launch the second. While phishing attacks like these traditionally require persuading the target into opening the attachment, the cybersecurity company said the campaign sidesteps this hurdle by making use of a batch file to automatically supply the password to unlock the payload.
Thousands of GitHub Repositories Deliver Fake PoC Exploits With Malware
Researchers at the Leiden Institute of Advanced Computer Science found thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them including malware. GitHub is one of the largest code hosting platforms, and researchers use it to publish PoC exploits to help the security community verify fixes for vulnerabilities or determine the impact and scope of a flaw. According to the technical paper from the researchers at Leiden Institute of Advanced Computer Science, the possibility of getting infected with malware instead of obtaining a PoC could be as high as 10.3%, excluding proven fakes and prankware.
Typosquat Campaign Mimics 27 Brands to Push Windows, Android Malware
A massive, malicious campaign is underway using over 200 typosquatting domains that impersonate twenty-seven brands to trick visitors into downloading various Windows and Android malware. Typosquatting is an old method of tricking people into visiting a fake website by registering a domain name similar to that used by genuine brands. The domains used in this campaign are very close to the authentic ones, featuring a single letter position swap or an additional "s," making them easy for people to miss. The malicious websites are clones of the originals or at least convincing enough, so there's not much to give away the fraud.
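Both the PyPI typosquats described earlier and the lookalike domains in this campaign rely on names that differ from the genuine one by a single edit: a swapped letter pair, a dropped character, or an extra "s". The following is an added example for this page, not code from either report or from any registry or vendor: an optimal-string-alignment edit distance (insert, delete, substitute and adjacent transposition each cost 1) used to screen a dependency list or a domain list against a known-good set. The known-good names and the candidates are constructed for illustration; a real run would load an organisation's own dependency list and brand domains in their place.

```python
"""Edit-distance screen for lookalike package and domain names.

Added example (not code from the articles). KNOWN_* and CANDIDATE_* are
constructed sample data, not real typosquats from either campaign.
"""
import re
from typing import Callable, Dict, Iterable, List, Tuple


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance.

    Insertions, deletions, substitutions and the transposition of two
    adjacent characters each cost 1, so "reqeusts", "pyyml" and
    "amazons.com" all sit at distance 1 from their genuine name.
    """
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,         # deletion
                d[i][j - 1] + 1,         # insertion
                d[i - 1][j - 1] + cost,  # substitution
            )
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def normalize_package(name: str) -> str:
    """PEP 503 normalisation so 'Py_YAML' and 'py-yaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def normalize_domain(host: str) -> str:
    """Lower-case, drop scheme, path and port, and a leading 'www.'."""
    host = host.lower().split("://")[-1].split("/")[0].split(":")[0]
    return host[4:] if host.startswith("www.") else host


def closest(name: str, known: Iterable[str]) -> Tuple[str, int]:
    """Return the nearest known name and its distance from `name`."""
    best, best_d = "", -1
    for k in known:
        dist = osa_distance(name, k)
        if best_d < 0 or dist < best_d:
            best, best_d = k, dist
    return best, best_d


def flag_lookalikes(candidates: Iterable[str], known: Iterable[str],
                    normalize: Callable[[str], str],
                    max_distance: int = 1) -> List[Dict[str, object]]:
    """Report candidates that are not a known name but lie within
    max_distance of one. Exact matches are the genuine names and are skipped."""
    known_norm = [normalize(k) for k in known]
    hits: List[Dict[str, object]] = []
    for raw in candidates:
        name = normalize(raw)
        if name in known_norm:
            continue
        near, dist = closest(name, known_norm)
        if dist <= max_distance:
            hits.append({"candidate": raw, "lookalike_of": near, "distance": dist})
    return hits


# Constructed sample data (not the packages or domains named in the reports).
KNOWN_PACKAGES = ["requests", "colorama", "pyyaml", "cryptography"]
CANDIDATE_PACKAGES = ["requests", "reqeusts", "colorrama", "pyyml", "numpy"]
KNOWN_DOMAINS = ["paypal.com", "amazon.com", "steamcommunity.com"]
CANDIDATE_DOMAINS = ["www.paypal.com", "paypa1.com", "amazons.com", "example.org"]


def package_hits() -> List[Dict[str, object]]:
    return flag_lookalikes(CANDIDATE_PACKAGES, KNOWN_PACKAGES, normalize_package)


def domain_hits() -> List[Dict[str, object]]:
    return flag_lookalikes(CANDIDATE_DOMAINS, KNOWN_DOMAINS, normalize_domain)


if __name__ == "__main__":
    for hit in package_hits() + domain_hits():
        print(f"{hit['candidate']!r} looks like {hit['lookalike_of']!r} "
              f"(distance {hit['distance']})")
```

A distance threshold of 1 catches the single-edit names both reports describe; raising it to 2 widens the net at the cost of more benign near-misses, so the output is best treated as a review queue rather than an automatic block list.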
Alert (AA22-294A) Daixin Team, Ransomware Attacks
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are releasing this joint CSA to provide information on the “Daixin Team,” a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations.
CISA Tells Organizations to Patch Linux Kernel Vulnerability Exploited by Malware
The vulnerability is tracked as CVE-2021-3493 and it’s related to the OverlayFS file system implementation in the Linux kernel. It allows an unprivileged local user to gain root privileges, but it only appears to affect Ubuntu. CVE-2021-3493 has been exploited in the wild by a stealthy Linux malware named Shikitega, which researchers at AT&T Alien Labs detailed in early September. Shikitega is designed to target endpoints and IoT devices running Linux, allowing the attacker to gain full control of the system. It has also been used to download a cryptocurrency miner onto the infected device.
Health System Data Breach Due to Meta Pixel Hits 3 Million Patients
BlackByte Ransomware Uses New Data Theft Tool for Double-Extortion
A BlackByte ransomware affiliate is using a new custom data stealing tool called 'ExByte' to steal data from compromised Windows devices quickly. Data exfiltration is believed to be one of the most important functions in double-extortion attacks, with BleepingComputer being told that companies are more commonly paying ransom demands to prevent the leak of data than to receive a decryptor. Due to this, ransomware operations, including ALPHV and LockBit, are constantly working on improving their data theft tools.
98% of orgs with Office 365 harbor malicious emails inside their mailboxes. Threats like ransomware, spear phishing, and account takeover put your organization and employees at significant risk. Find out what’s hiding in your inbox.
Via a security assessment, we can quickly identify security gaps and out-of-date patches and software updates, then advise on steps to fix them.
Via a short questionnaire, we'll help you determine whether weaknesses exist in the way you protect your confidential data. In a few minutes, we'll produce a comprehensive profile of the strengths and vulnerabilities of your IT security. Let us show you where protections should be placed before those vulnerabilities are exploited.
LA-Cyber can directly submit suspicious URLs and files through the ISAO’s Cyber Forum for rapid analysis to determine if they are known or zero-day cybersecurity threats.