SophosLabs analysts investigated WantToCry ransomware attacks that involved the threat actors abusing the Server Message Block (SMB) service for initial access and then exfiltrating files to attacker-controlled infrastructure for remote encryption. The detection surface is significantly reduced because WantToCry operates without local malware execution, and there is no post-compromise activity beyond exfiltrating files and rewriting them to disk.
Read more…
Source: SophosLabs
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- New IceApple exploit toolset deployed on Microsoft Exchange servers
May 11, 2022
Security researchers have found a new post-exploitation framework that they dubbed IceApple, deployed mainly on Microsoft Exchange servers across a wide geography. IceApple is described as being “highly sophisticated,” its developer prioritizing keeping a low profile for long-term objectives in targeted attacks. The framework was discovered by the Falcon OverWatch team, CrowdStrike’s proactive threat hunting division, in ...
- Microsoft closes Windows LSA hole under active attack
May 11, 2022
Microsoft patched 74 security flaws in its May Patch Tuesday batch of updates. That’s seven critical bugs, 66 deemed important, and one ranked low severity. At least one of the vulnerabilities disclosed is under active attack with public exploit code, according to Redmond, while two others are listed as having public exploit code. After April’s astonishing 100-plus ...
- CISA: Protecting Against Cyber Threats to Managed Service Providers and their Customers
May 11, 2022
The cybersecurity authorities of the United Kingdom (NCSC-UK), Australia (ACSC), Canada (CCCS), New Zealand (NCSC-NZ), and the United States (CISA), (NSA), (FBI) are aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue. This joint Cybersecurity Advisory (CSA) provides actions MSPs and ...
- Team of experts help Rutube to recover from the May 9 cyberattack
May 11, 2022
Rutube involved several expert teams, including a team of specialists from Positive Technologies security center, to deal with the aftermath of the May 9 cyberattack, the website said in its Telegram channel. “In order to investigate the attack and deal with its aftermath, several expert teams were involved, including a team of specialists from the Positive ...
- U.S. Government Attributes Cyberattacks on SATCOM Networks to Russian State-Sponsored Malicious Cyber Actors
May 10, 2022
CISA and the Federal Bureau of Investigation (FBI) have updated the joint cybersecurity advisory, Strengthening Cybersecurity of SATCOM Network Providers and Customers, originally released March 17, 2022, with U.S. government attribution to Russian state-sponsored malicious cyber actors. The United States assesses Russia launched cyberattacks in late February against commercial satellite communications networks to disrupt Ukrainian ...
- Examining the Black Basta Ransomware’s Infection Routine
May 9, 2022
Black Basta, a new ransomware gang, has swiftly risen to prominence in recent weeks after it caused massive breaches to organizations in a short span of time. On April 20, 2022, a user named Black Basta posted on underground forums known as XSS.IS and EXPLOIT.IN to advertise that it intends to buy and monetize corporate network ...