SophosLabs analysts investigated WantToCry ransomware attacks that involved the threat actors abusing the Server Message Block (SMB) service for initial access and then exfiltrating files to attacker-controlled infrastructure for remote encryption. The detection surface is significantly reduced because WantToCry operates without local malware execution, and there is no post-compromise activity beyond exfiltrating files and rewriting them to disk.
Read more…
Source: SophosLabs
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Air-gapped PCs vulnerable to data theft via power supply radiation
December 10, 2022
A new attack method named COVID-bit uses electromagnetic waves to transmit data from air-gapped systems, which are isolated from the internet, over a distance of at least two meters (6.5 ft), where it’s captured by a receiver. The information emanating from the isolated device could be picked up by a nearby smartphone or laptop, even if ...
- Antivirus and EDR solutions tricked into acting as data wipers
December 9, 2022
A security researcher has found a way to exploit the data deletion capabilities of widely used endpoint detection and response (EDR) and antivirus (AV) software from Microsoft, SentinelOne, TrendMicro, Avast, and AVG to turn them into data wipers. Wipers are a special type of destructive malware that purposely erases or corrupts data on compromised systems and ...
- CISA Releases Three Industrial Control Advisories
December 8, 2022
CISA has released three (3) Industrial Control Systems (ICS) advisories on 08 December 2022. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. Read more… Source: U.S. Cybersecurity and Infrastructure Security Agency Related story: CISA Adds One ...
- DeathStalker targets legal entities with new Janicab variant
December 8, 2022
“Dosen’t matter how long you wait for the bus on a rainy day, X seconds was enough to get wet?” Just to clarify, the above subheading isn’t a normal quote, but a message that Janicab malware attempted to decode in its newest use of YouTube dead-drop resolvers (DDRs). While hunting for less common Deathstalker intrusions that use ...
- US Health Dept warns of Royal Ransomware targeting healthcare
December 8, 2022
The U.S. Department of Health and Human Services (HHS) issued a new warning today for the country’s healthcare organizations regarding ongoing attacks from a relatively new operation, the Royal ransomware gang. The Health Sector Cybersecurity Coordination Center (HC3) —HHS’ security team— revealed in a new analyst note published Wednesday that the ransomware group has been behind ...
- Cisco discloses high-severity IP phone bug with exploit code
December 8, 2022
Cisco has disclosed today a high-severity vulnerability affecting the latest generation of its IP phones and exposing them to remote code execution and denial of service (DoS) attacks. The company warned on Thursday that its Product Security Incident Response Team (PSIRT) is “aware that proof-of-concept exploit code is available” and that the “vulnerability has been publicly ...