Showing posts with label Cybereason.

Active Threat: Black Basta Ransomware Delivered to US Companies by QakBot Malware

 


Recently, Cybereason researchers Joakim Kandefelt and Danielle Frankel reported that the Black Basta ransomware group is running a new campaign against U.S. companies that uses the QakBot malware for initial access. In this campaign the attackers use QakBot to get a foothold and then move on to take over the organization's network.

The threat actors' final payload is the Black Basta ransomware, which is aimed at organizations rather than individuals. It encrypts the data of the targeted organization with keys that only the attackers hold, so the files cannot be recovered without the corresponding decryption keys.

Black Basta was first observed in April 2022 and is widely considered an outgrowth of the Conti ransomware operation. It uses the well-established double-extortion method: before encrypting, the attackers exfiltrate confidential information from the targeted organization and then use it as additional leverage, threatening to publish the data if the victim does not pay the demanded ransom.

A Black Basta infection leaves visible changes on the victim's hosts: encrypted files are renamed with a '.basta' file extension, the desktop wallpaper is replaced with a new image, and a ransom note named "readme.txt" is dropped on the system. The wallpaper carries a short message directing users to open that text file.
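The host-side artifacts described above (the '.basta' extension and the readme.txt note) can be turned into a simple detection. The following is an added example, not Cybereason's or the ransomware's code: it runs over a constructed, simplified file-event log (JSON lines with the fields ts, pid, op, path and new_path, in the spirit of Sysmon/EDR file events) and flags any process that renames many files to '.basta' within a short window, attaching any readme.txt that the same process dropped. The log format, the burst threshold and the window length are assumptions for illustration.

```python
"""Detect Black Basta-style on-host artefacts in a file-event log.

Added example, not Cybereason's or the ransomware's code. The log format
(JSON lines: ts, pid, op, path, new_path) and the thresholds are assumptions.
"""
import json
import ntpath
from collections import defaultdict

BASTA_EXT = ".basta"        # extension appended to encrypted files
NOTE_NAME = "readme.txt"    # ransom note dropped by the ransomware
BURST_THRESHOLD = 5         # assumed: .basta renames per window that count as mass encryption
BURST_WINDOW = 60.0         # assumed: window length in seconds

# Constructed sample log: pid 4312 behaves like the ransomware; pid 900 is a
# developer creating a project readme, pid 777 performs a single odd rename.
SAMPLE_LOG = r"""
{"ts": 1000.0, "pid": 4312, "op": "rename", "path": "C:\\Users\\bob\\Documents\\a.docx", "new_path": "C:\\Users\\bob\\Documents\\a.docx.basta"}
{"ts": 1002.0, "pid": 4312, "op": "rename", "path": "C:\\Users\\bob\\Documents\\b.xlsx", "new_path": "C:\\Users\\bob\\Documents\\b.xlsx.basta"}
{"ts": 1003.5, "pid": 4312, "op": "rename", "path": "C:\\Users\\bob\\Documents\\c.pdf", "new_path": "C:\\Users\\bob\\Documents\\c.pdf.basta"}
{"ts": 1004.0, "pid": 4312, "op": "rename", "path": "C:\\Users\\bob\\Documents\\d.pptx", "new_path": "C:\\Users\\bob\\Documents\\d.pptx.basta"}
{"ts": 1006.0, "pid": 4312, "op": "rename", "path": "C:\\Users\\bob\\Documents\\e.txt", "new_path": "C:\\Users\\bob\\Documents\\e.txt.basta"}
{"ts": 1007.0, "pid": 4312, "op": "rename", "path": "C:\\Users\\bob\\Documents\\f.jpg", "new_path": "C:\\Users\\bob\\Documents\\f.jpg.basta"}
{"ts": 1008.0, "pid": 4312, "op": "create", "path": "C:\\Users\\bob\\Documents\\readme.txt"}
{"ts": 1010.0, "pid": 900, "op": "create", "path": "C:\\dev\\project\\readme.txt"}
{"ts": 1012.0, "pid": 900, "op": "rename", "path": "C:\\dev\\project\\notes.txt", "new_path": "C:\\dev\\project\\notes.txt.bak"}
{"ts": 1500.0, "pid": 777, "op": "rename", "path": "C:\\tmp\\x", "new_path": "C:\\tmp\\x.basta"}
"""


def parse_events(lines):
    """Parse JSON-lines input, skip blank lines, return events sorted by timestamp."""
    events = [json.loads(line) for line in lines if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def max_renames_in_window(stamps, window):
    """Largest number of (sorted) timestamps falling inside any interval of `window` seconds."""
    best = start = 0
    for end in range(len(stamps)):
        while stamps[end] - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(events):
    """Return one alert per process that shows a .basta rename burst, with the ransom notes it wrote."""
    renames = defaultdict(list)   # pid -> timestamps of renames to .basta
    notes = defaultdict(list)     # pid -> paths of readme.txt files created
    for e in events:
        if e["op"] == "rename" and e.get("new_path", "").lower().endswith(BASTA_EXT):
            renames[e["pid"]].append(e["ts"])
        elif e["op"] == "create" and ntpath.basename(e["path"]).lower() == NOTE_NAME:
            notes[e["pid"]].append(e["path"])
    alerts = []
    for pid, stamps in renames.items():
        burst = max_renames_in_window(stamps, BURST_WINDOW)
        if burst >= BURST_THRESHOLD:
            alerts.append({"pid": pid, "renames_in_window": burst, "ransom_notes": notes.get(pid, [])})
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the process that renames six files within eight seconds and then drops readme.txt is reported; the developer's readme.txt and the single stray '.basta' rename stay below the threshold. In a real deployment the threshold should be tuned against a baseline of legitimate bulk renames (backup and archiving tools) on the same hosts.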

The group's primary targets are companies in the U.S., Canada, Australia, and New Zealand.

QakBot, the loader used in this campaign, is a long-established banking trojan (it dates back to 2007) that has since been used as an initial-access tool in many ransomware intrusions, including the attack on Fujifilm Holdings Corp in 2021. What makes QakBot so popular with attackers is that once it is inside a target's network, it provides a foothold through which the threat actor can deploy additional malware.

Cybereason's analysis of the campaign found that the operators are skilled and move quickly: in one intrusion, the attackers obtained domain administrator privileges in under two hours and deployed the ransomware within twelve hours of the initial infection.

Cybereason issued a warning urging organizations to be aware of these attacks and to protect themselves, and listed several precautionary measures. First, organizations should watch for and prevent QakBot and Black Basta infections; Cybereason customers in particular are advised to enable variant payload protection and to block exposed users and sources.

In addition, every organization should look for suspicious network connections, and Cybereason also recommends resetting Active Directory access (credentials) where compromise is suspected.

Notepad++ Plugin Cyberattack Analysis

Analysts from the Cybereason GSOC team have examined a little-known technique that abuses Notepad++ plugins to persist on a machine and evade its security controls.

The report, a Threat Analysis Report, is part of Cybereason's "Purple Team Series", which examines current attack techniques, how adversaries use them, and how to detect their use.

Threat Analysis Reports are published by the Cybereason Global Security Operations Center (GSOC) Team to provide information on emerging threats. The reports analyze these threats and offer practical advice for defending against them.

Plugins are simply modules, either developed specifically (in languages such as C#) or installed from the community-maintained approved plugin list. They are stored under the %PROGRAMFILES%\Notepad++\plugins directory; since Notepad++ 7.6 each plugin sits in its own sub-folder whose name matches its DLL, and Notepad++ loads every such DLL at start-up.

Threat Analysis 

The company stated in an advisory on Wednesday that a security researcher known as RastaMouse had shown how to build a malicious plugin that works as a persistence mechanism, using the open-source Notepad++ Plugin Pack project.

The plugin pack itself is essentially a Visual Studio .NET project template that provides a simple framework for writing plugins. Notepad++ plugins have also been abused by advanced persistent threat (APT) groups in the past.

According to the Cybereason advisory, "The APT group StrongPity is known to exploit a genuine Notepad++ installer accompanied by malicious executables, enabling it to remain after a reboot on a PC."

For the advisory, the Cybereason team examined the Notepad++ plugin loading process and built an attack scenario on top of it.

By combining the SCI_ADDTEXT API with a custom Notepad++ command, a plugin can trigger code whenever text is added to the editor. The researchers built a DLL in C# that executes a PowerShell command the first time any key is pressed inside Notepad++.

In the attack scenario, that PowerShell command runs a Meterpreter payload. The researchers made the plugin fire only once, so that repeated connection attempts would not affect the availability of their C2 server.

By running Notepad++ as administrator and re-triggering the payload, Cybereason obtained an administrative session on the compromised system. Static analysis of the plugin DLL was able to extract indicators such as the binary's architecture, compilation timestamp, and programming language.

As a preventive measure, the Cybereason GSOC advises enabling the Detect and Prevent modes of the Anti-Malware feature in Cybereason NGAV. More generally, defenders are advised to monitor for unusual child processes of Notepad++, paying particular attention to shell content types, to mitigate the threat.
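The two facts above, that Notepad++ loads every DLL under its plugins directory at start-up and that a text editor should never spawn a shell, map directly onto two hunting rules. The following is an added example, not Cybereason's code or the RastaMouse plugin: it runs over a constructed, simplified set of Sysmon-style events (process creation with Image, ParentImage and CommandLine; image load with Image, ImageLoaded and Signed) and flags a shell or script host whose parent is notepad++.exe, and a plugin DLL loaded from the plugins directory that is not on a baseline allowlist. The allowlist, the plugin name NppPersist and the command line are assumptions made up for illustration; build the real allowlist from the approved plugin list and a baseline of your own hosts.

```python
"""Hunt for the Notepad++ plugin persistence technique.

Added example, not Cybereason's code. It runs over constructed, simplified
Sysmon-style events (dicts): EventID 1 (process create: Image, ParentImage,
CommandLine) and EventID 7 (image load: Image, ImageLoaded, Signed).
The plugin allowlist is an assumption; derive yours from the approved
plugin list and a baseline of your own machines.
"""
import ntpath

NOTEPADPP = "notepad++.exe"
# Shells and script hosts that a text editor has no business spawning
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Notepad++ loads every plugins\<Name>\<Name>.dll under this directory at start-up
PLUGIN_DIR = r"c:\program files\notepad++\plugins" + "\\"
# Assumed baseline: the plugins that ship with a default Notepad++ install
KNOWN_PLUGINS = {"mimetools.dll", "nppconverter.dll", "nppexport.dll"}


def _base(path):
    """Case-folded file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def check_process_create(ev):
    """Rule 1: notepad++.exe spawning a shell or script host."""
    if ev.get("EventID") != 1:
        return None
    if _base(ev["ParentImage"]) == NOTEPADPP and _base(ev["Image"]) in SHELLS:
        return {"rule": "notepadpp_spawns_shell",
                "child": ev["Image"],
                "cmdline": ev.get("CommandLine", "")}
    return None


def check_image_load(ev):
    """Rule 2: notepad++.exe loading a plugin DLL that is not in the baseline."""
    if ev.get("EventID") != 7 or _base(ev["Image"]) != NOTEPADPP:
        return None
    loaded = ev["ImageLoaded"]
    if not loaded.lower().startswith(PLUGIN_DIR):
        return None                      # system DLLs etc. are out of scope for this rule
    if _base(loaded) in KNOWN_PLUGINS:
        return None
    return {"rule": "unknown_plugin_loaded",
            "dll": loaded,
            "signed": bool(ev.get("Signed", False))}


def hunt(events):
    """Apply both rules to an event stream and return the alerts in event order."""
    alerts = []
    for ev in events:
        for check in (check_process_create, check_image_load):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample stream; the plugin name and the command line are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad++.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": True},
    {"EventID": 7, "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ImageLoaded": r"C:\Program Files\Notepad++\plugins\mimeTools\mimeTools.dll", "Signed": True},
    {"EventID": 7, "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "ImageLoaded": r"C:\Program Files\Notepad++\plugins\NppPersist\NppPersist.dll", "Signed": False},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Notepad++\notepad++.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <redacted>"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

On the sample stream the rules fire twice: once for the unknown, unsigned NppPersist.dll loaded from the plugins directory, and once for the hidden PowerShell spawned by notepad++.exe. The legitimate mimeTools plugin, kernel32.dll and the cmd.exe started from Explorer produce nothing. The image-load rule is the earlier signal of the two, since the DLL is loaded at every start-up while the shell only appears after the first keystroke.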


Chinese espionage campaign hit telecommunications firms around the world

Hackers have breached the systems of more than a dozen global telecommunications companies and are holding large amounts of personal and corporate data, researchers from a cybersecurity company said on Tuesday.

Security researchers from Cybereason, a US-Israeli cybersecurity firm, said that the attackers compromised companies in more than 30 countries.

The main aim of the espionage was to gather information about individuals working in government, law enforcement and politics. The group is linked to a Chinese cyber-espionage operation.

The tools used by the hackers were similar to those seen in other attacks attributed to Beijing, but China has denied any involvement in such activity.

Lior Div, chief executive of Cybereason, told Reuters: "For this level of sophistication, it's not a criminal group. It is a government that has capabilities that can do this kind of attack."

Cybereason said in a blog post: "They built a perfect espionage environment. They could grab information as they please on the targets that they are interested in."



“We managed to find not just one piece of software, we managed to find more than five different tools that this specific group used,” Div said.