Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data


From infostealer development to data exfiltration, cloud service providers are increasingly being abused by threat actors for malicious schemes. While in this case the ransomware samples we examined contained hard coded AWS credentials, this is specific to this single threat actor and in general, ransomware developers leverage other online services as part of their tactics.

In line with this, Trend Micro examined ransomware samples written in Go language (aka Golang), targeting Windows and MacOS environments. Most of the samples contained hard-coded AWS credentials, and the stolen data were uploaded to an Amazon S3 bucket controlled by the threat actor.

Read more…
Source: Trend Micro


Sign up for our Newsletter


Related:

  • Spectre vulnerabilities cannot be mitigated by software alone

    February 19, 2019

    A team of Google researchers has demonstrated the Spectre vulnerabilities present in many of today’s processors cannot be completely mitigated by applying software fixes, as has been assumed. Variants of the Spectre flaw discovered last year, which involves information leaking via ‘speculative execution’ or functions performed early to speed up computation, are not just software glitches ...

  • APT Adversaries Up the Ante on Speed, Target Telecom

    February 19, 2019

    Despite law-enforcement wins in the form of several high-profile arrests and indictments during 2018, nation-state adversaries have upped their games when it comes to speed. That’s according to CrowdStrike’s 2019 Global Threat Report, which found that when analyzing how long it takes to go from initial compromise to the attacker’s first lateral movement within the network, Russian-speaking APTs (such ...

  • North Korea Turns Against New Targets?!

    February 19, 2019

    Over the past few weeks, we have been monitoring suspicious activity directed against Russian-based companies that exposed a predator-prey relationship that we had not seen before. For the first time we were observing what seemed to be a coordinated North Korean attack against Russian entities. While attributing attacks to a certain threat group or another is ...

  • Hackers Use Compromised Banks as Starting Points for Phishing Attacks

    February 19, 2019

    Cybercriminals attacking banks and financial organizations use their foothold in a compromised infrastructure to gain access to similar targets in other regions or countries. In a report released today and shared with BleepingComputer, international security company Group-IB specialized in preventing cyber attacks describes a so called cross-border domino-effect that can lead to spreading an infection beyond the initial ...

  • When Cyberattacks Pack a Physical Punch

    February 18, 2019

    Physical security goes hand in hand with cyberdefense. What happens when – as we see all too often – the physical side is overlooked? More than one in 10 data breaches now involve “physical actions,” according to a recent report. These include leveraging physical  devices to aid an attack, but also hacks that involve breaking into hardware ...

  • Cisco’s warning: Patch this default Network Assurance Engine password bug

    February 13, 2019

    Cisco is urging customers to install an update that fixes a high-severity issue affecting its Network Assurance Engine (NAE) for managing data-center networks. The bug, tracked as CVE-2019-1688, could allow an attacker to use a flaw in the password-management system of NAE to knock out an NAE server and cause a denial of service. NAE is an ...