SophosLabs analysts investigated WantToCry ransomware attacks that involved the threat actors abusing the Server Message Block (SMB) service for initial access and then exfiltrating files to attacker-controlled infrastructure for remote encryption. The detection surface is significantly reduced because WantToCry operates without local malware execution, and there is no post-compromise activity beyond exfiltrating files and rewriting them to disk.
Read more…
Source: SophosLabs
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Massive Phishing Campaigns Target India Banks’ Clients
November 7, 2022
Trend Micro researchers observed an uptick in attacks targeting bank customers in India, the common entry point being a text message with a phishing link. The SMS content urges the victims to open the embedded phishing link or malicious app download page and follow the instructions: To fill in their personally identifiable information (PII) and ...
- Azov Ransomware is a wiper, destroying data 666 bytes at a time
November 7, 2022
The Azov Ransomware continues to be heavily distributed worldwide, now proven to be a data wiper that intentionally destroys victims’ data and infects other programs. Last month, a threat actor began distributing malware called ‘Azov Ransomware’ through cracks and pirated software that pretended to encrypt victims’ files. However, instead of providing contact info to negotiate a ransom, ...
- China is likely stockpiling and deploying vulnerabilities, says Microsoft
November 7, 2022
Microsoft has asserted that China’s offensive cyber capabilities have improved, thanks to a law that has allowed Beijing to create an arsenal of unreported software vulnerabilities. China’s 2021 law required organizations to report security vulnerabilities to local authorities before disclosing them to any other entity. The rules mean Beijing can use local research to hoard vulnerability ...
- Greece: Report claims illegal surveillance software was used to spy on politicians, journalists and businessmen
November 5, 2022
Greece has been rocked by a ‘wiretapping’ scandal as a bombshell report claimed Prime Minister Kyriakos Mitsotakis ‘used state intelligence to spy on dozens of people including potential political rivals, journalists and businessmen’. Documento reported that the list of targets included former premier Antonis Samaras, current members of the cabinet and shipping magnate Vangelis Marinakis, owner ...
- A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain
November 4, 2022
Note: The three vulnerabilities discussed in this blog were all fixed in Samsung’s March 2021 release. They were fixed as CVE-2021-25337, CVE-2021-25369, CVE-2021-25370. To ensure your Samsung device is up-to-date under settings you can check that your device is running SMR Mar-2021 or later. As defenders, in-the-wild exploit samples give us important insight into what attackers ...
- Robin Banks phishing service returns to steal banking accounts
November 4, 2022
The Robin Banks phishing-as-a-service (PhaaS) platform is back in action with infrastructure hosted by a Russian internet company that offers protection against distributed denial-of-service (DDoS) attacks. Robin Banks faced operational disruption in July 2022, when researchers at IronNet exposed the platform as a highly threatening phishing service targeting Citibank, Bank of America, Capital One, Wells Fargo, ...