Cybercrime


NEWS 
  • TrickBot Spruces Up Its Banking Trojan Module

    July 2, 2021

    The TrickBot trojan is adding man-in-the-browser (MitB) capabilities for stealing online banking credentials that resemble Zeus, the early banking trojan, researchers said — potentially signaling a coming onslaught of fraud attacks. TrickBot is a sophisticated (and common) modular threat known for stealing credentials and delivering a range of follow-on ransomware and other malware. But it started ...

  • Network Attack Trends: February-April 2021

    July 1, 2021

    Unit 42 researchers observed network attack trends, February-April 2021. In the following sections, we present our analysis of the most recently published vulnerabilities, including the severity and category. Additionally, we provide insight into how the vulnerabilities are actively exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. We then ...

  • PurpleFox Using WPAD to Target Indonesian Users

    July 1, 2021

    In September 2020, we published a blog describing how the PurpleFox Exploit Kit used Cloudflare services to maintain an infrastructure resilient to blocking and detection attempts. Since then, PurpleFox has been maintaining this strategy while at same time improving its attack chain by incorporating the latest public vulnerabilities into its arsenal. Recently, we found that PurpleFox ...

  • Trickbot cybercrime group linked to new Diavol ransomware

    July 1, 2021

    FortiGuard Labs security researchers have linked a new ransomware strain dubbed Diavol to Wizard Spider, the cybercrime group behind the Trickbot botnet. Diavol and Conti ransomware payloads were deployed on different systems in a ransomware attack blocked by the company’s EDR solution in early June 2021. The two ransomware families’ samples are cut from the same cloth, ...

  • EUROPOL: Coordinated Action Cuts Off Access To Vpn Service Used By Ransomware Groups

    June 30, 2021

    Takedown of DoubleVPN makes it harder for criminal hackers to cover their tracks This week, law enforcement and judicial authorities in Europe, the US and Canada have seized the web domains and server infrastructure of DoubleVPN. This is a virtual private network (VPN) service which provided a safe haven for cybercriminals to attack their victims. This coordinated ...

  • Detecting unknown threats: a honeypot how-to

    June 30, 2021

    Catching threats is tricky business, especially in today’s threat landscape. To tackle this problem, for many years сybersecurity researchers have been using honeypots – a well-known deception technique in the industry. Dan Demeter, Senior Security Researcher with Kaspersky’s Global Research and Analysis Team and head of Kaspersky’s honeypot project, explains what honeypots are, why they ...

  • Cobalt Strike Usage Explodes Among Cybercrooks

    June 29, 2021

    The use of Cobalt Strike – the legitimate, commercially available tool used by network penetration testers – by cybercrooks has shot through the roof, according to Proofpoint researchers, who say that the tool has now “gone fully mainstream in the crimeware world.” The researchers have tracked a year-over-year increase of 161 percent in the number of ...

  • New ransomware highlights widespread adoption of Golang language by cyberattackers

    June 29, 2021

    A new ransomware strain that utilizes Golang highlights the programming language’s increasing adoption by threat actors. CrowdStrike secured a sample of a new ransomware variant, as of yet unnamed, that borrows features from HelloKitty/DeathRansom and FiveHands. These ransomware strains are thought to have been active since 2019 and have been linked to attacks against the maker of ...

  • REvil ransomware’s new Linux encryptor targets ESXi virtual machines

    June 28, 2021

    The REvil ransomware operation is now using a Linux encryptor that targets and encrypts Vmware ESXi virtual machines. With the enterprise moving to virtual machines for easier backups, device management, and efficient use of resources, ransomware gangs increasingly create their own tools to mass encrypt storage used by VMs. In May, Advanced Intel’s Yelisey Boguslavskiy shared a ...

  • Nefilim Ransomware Attack Through a MITRE Att&ck Lens

    June 28, 2021

    Nefilim is among a new breed of ransomware families that use advanced techniques for a more targeted and virulent attack. It is operated by a group that we track under the intrusion set “Water Roc”. This group combines advanced techniques with legitimate tools to make them significantly harder to detect and respond before it is ...

  • The human cost of ransomware: Disruption to Irish health service will continue for months

    June 24, 2021

    Ireland’s health service faces months of disruption as it continues to recover from a ransomware attack, the head of the Health Service Executive (HSE) has warned. HSE, which is responsible for healthcare and social services across Ireland, fell victim to what was described as a “significant” ransomware attack on 14 May. The attack has been attributed to ...

  • Ransomware gangs are using virtual machines to disguise their attacks

    June 24, 2021

    Cyber criminals are increasingly using virtual machines to compromise networks with ransomware. By using virtual machines as part of the process, ransomware attackers are able to conduct their activity with additional subtlety, because running the payload within a virtual environment reduces the chances of the activity being discovered – until it’s too late and the ransomware ...

  • Malicious spam campaigns delivering banking Trojans

    June 24, 2021

    In mid-March 2021, we observed two new spam campaigns. The messages in both cases were written in English and contained ZIP attachments or links to ZIP files. Further research revealed that both campaigns ultimately aimed to distribute banking Trojans. The payload in most cases was IcedID (Trojan-Banker.Win32.IcedID), but we have also seen a few QBot ...

  • REvil Ransomware Code Ripped Off by Rivals

    June 23, 2021

    They say imitation is the sincerest form of flattery: The LV ransomware, a strain that cropped up just this spring, turns out to be based on what is most likely pirated REvil ransomware code, according to researchers. A malware analysis of LV from Secureworks Counter Threat Unit (CTU) found that its operators (which it calls Gold ...

  • Tulsa warns of data breach after Conti ransomware leaks police citations

    June 23, 2021

    The City of Tulsa, Oklahoma, is warning residents that their personal data may have been exposed after a ransomware gang published police citations online. In early May, Tulsa suffered a ransomware attack that led to the City shutting down its network to prevent the spread of the malware. The attack disrupted Tulsa’s online bill payment systems, utility ...

  • Russia to work with US on identifying hackers as part of an agreement, FSB chief says

    June 23, 2021

    Russia will cooperate with the United States in the field of identifying ransomware hackers as part of an agreement between the two countries’ presidents, Director of Russia’s Federal Security Service Alexander Bortnikov said in his opening remarks at the IX Moscow Conference on International Security. “We are carrying out steps as part of the agreements reached ...

  • Ever101 ransomware payment traced to a sensual massage site

    June 22, 2021

    A ransomware targeting an Israeli company has led researchers to track a portion of a ransom payment to a website promoting sensual massages. The attack was conducted by a more recent ransomware operation known as Ever101 who compromised an Israeli computer farm and proceeded to encrypt its devices. Read more… Source: Bleeping Computer  

  • Conti Ransomware Gang: An Overview

    June 18, 2021

    Conti ransomware stands out as one of the most ruthless of the dozens of ransomware gangs that we follow. The group has spent more than a year attacking organizations where IT outages can have life-threatening consequences: hospitals, 911 dispatch carriers, emergency medical services and law enforcement agencies. Ireland has yet to recover from an attack ...

  • Fake DarkSide Campaign Targets Energy and Food Sectors

    June 18, 2021

    The ransomware attack on the major fuel supply company Colonial Pipeline recently made headlines. The incident has been attributed to the DarkSide threat actor, once again thrusting the group’s name into the spotlight. With this, it would not be surprising to find threat actors taking advantage of this incident for their own socially-engineered campaigns. Several companies ...

  • A deep dive into the operations of the LockBit ransomware group

    June 18, 2021

    Researchers have provided an in-depth look at how LockBit, one of the newer ransomware groups on the scene, operates. Ransomware has become one of the most disruptive forms of cyberattack this year. It was back in 2017 with the global WannaCry outbreak that we first saw the severe disruption the malware could cause, and in 2021, ...