SophosLabs analysts investigated WantToCry ransomware attacks that involved the threat actors abusing the Server Message Block (SMB) service for initial access and then exfiltrating files to attacker-controlled infrastructure for remote encryption. The detection surface is significantly reduced because WantToCry operates without local malware execution, and there is no post-compromise activity beyond exfiltrating files and rewriting them to disk.
Read more…
Source: SophosLabs
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Following the Lazarus group by tracking DeathNote campaign
April 12, 2023
The Lazarus group is a high-profile Korean-speaking threat actor with multiple sub-campaigns. Kaspersky researchers have previously published information about the connections of each cluster of this group. In this blog, Kaspersky focus on an active cluster that they dubbed DeathNote because the malware responsible for downloading additional payloads is named Dn.dll or Dn64.dll. This threat is ...
- DDoS attacks shifting to VPS infrastructure for increased power
April 12, 2023
Hyper-volumetric DDoS (distributed denial of service) attacks in the first quarter of 2023 have shifted from relying on compromised IoT devices to leveraging breached Virtual Private Servers (VPS). According to internet security company Cloudflare, the newer generation of botnets gradually abandoned the tactic of building large swarms of individually weak IoT devices and are now shifting ...
- Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign
April 11, 2023
This guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. UEFI bootkits are particularly dangerous as they run at computer startup, prior to the operating system loading, and therefore can interfere with or ...
- Latitude Financial refuses to pay cyber-attack ransom demands
April 11, 2023
Finance company Latitude Financial says it will not give in to ransom demands by cyber criminals behind one of Australia’s largest cyber-attacks. Almost 8 million driver’s licenses of Australian and New Zealand customers have been stolen including more than 6 million customer records. Read more… Source: MSN News
- Microsoft, Fortra are this fed up with cyber-gangs abusing Cobalt Strike
April 10, 2023
Microsoft and Fortra are taking legal and technical actions to thwart cyber-criminals from using the latter company’s Cobalt Strike software to distribute malware. Microsoft’s Digital Crimes Unit (DUC), Fortra, and Health Information Sharing and Analysis Center (Health-ISAC) filed a 223-page complaint against multiple groups known to have used older and altered versions of Cobalt Strike in ...
- CISA Adds Two Known Exploited Vulnerabilities to Catalog
April 10, 2023
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-28206 Apple iOS, iPadOS, and macOS IOSurfaceAccelerator Out-of-Bounds Write Vulnerability Read more… Source: U.S. Cybersecurity and Infrastructure Security Agency Related story: CISA Adds Five Known Exploited Vulnerabilities to Catalog Related story: CISA Releases Seven Industrial Control Systems Advisories