SophosLabs analysts investigated WantToCry ransomware attacks that involved the threat actors abusing the Server Message Block (SMB) service for initial access and then exfiltrating files to attacker-controlled infrastructure for remote encryption. The detection surface is significantly reduced because WantToCry operates without local malware execution, and there is no post-compromise activity beyond exfiltrating files and rewriting them to disk.
Read more…
Source: SophosLabs
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Emotet coming in hot
November 8, 2022
Emotet is a ubiquitous and well-known banking trojan that has evolved over the years to become a very successful modular botnet capable of dropping a variety of other threats. Even after a global takedown campaign in early 2021 disrupted the botnet, it reemerged later that year, rebuilding its infrastructure and becoming highly active in a ...
- Shangri-La hotel data breach likely had ‘minimal’ impact at Singapore ministerial summit
November 8, 2022
A recent data breach that hit eight Shangri-La hotels is unlikely to have a large impact on foreign government delegates who attended a high-level defence summit in Singapore, which was held at the hotel. Hackers claiming to have instigated the attack apparently have made contact with the hotel chain. Shangi-La Group said Friday it received an ...
- Malicious extension lets attackers control Google Chrome remotely
November 8, 2022
A new Chrome browser botnet named ‘Cloud9’ has been discovered in the wild using malicious extensions to steal online accounts, log keystrokes, inject ads and malicious JS code, and enlist the victim’s browser in DDoS attacks. The Cloud9 browser botnet is effectively a remote access trojan (RAT) for the Chromium web browser, including Google Chrome and ...
- LockBit affiliate uses Amadey Bot malware to deploy ransomware
November 8, 2022
A LockBit 3.0 ransomware affiliate is using phishing emails that install the Amadey Bot to take control of a device and encrypt devices. According to a new AhnLab report, the threat actor targets companies using phishing emails with lures pretending to be job application offers or copyright infringement notices. The LockBit 3.0 payload used in this attack ...
- DeimosC2: What SOC Analysts and Incident Responders Need to Know About This C&C Framework
November 8, 2022
C&C systems are useful collaboration tools for penetration testers and red teamers. They provide a common place for all victim machines to reach out to, be controlled from, and allow multiple users to interact with the same victims. When performing authorized testing, this is very important as logs are kept in a single place to ...
- CISA Adds Seven Known Exploited Vulnerabilities to Catalog
November 8, 2022
CISA has added seven vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the “Date Added ...