
NCSC Unveils “Pigmy Goat” Malware Targeting Sophos Firewalls in Advanced Chinese Cyberattack

The National Cyber Security Centre (NCSC) recently published an analysis of “Pigmy Goat,” a Linux malware built specifically to compromise Sophos XG firewall devices. The malware, attributed to Chinese cyber actors, marks a significant step up in network-device intrusion tooling because of its complexity and its evasion techniques.

This disclosure follows Sophos’ recent “Pacific Rim” reports, which detail a five-year campaign by Chinese threat actors against network edge devices at an unprecedented scale. Among the tools identified, “Pigmy Goat” stands out as a rootkit crafted to resemble legitimate Sophos product files, which makes it hard to tell apart from the firewall’s own software. It gives the operators persistent, unauthorized access to the target network: loaded into the SSH daemon (sshd) through the LD_PRELOAD environment variable, it can intercept and alter incoming connections.

The implant watches incoming traffic for specific “magic byte” sequences that identify backdoor sessions and diverts those sessions through a Unix socket, which keeps them out of the normal connection handling that standard security monitoring sees. Once a session is established, it talks to its command and control (C2) servers over TLS, presenting a certificate that mimics Fortinet’s FortiGate certificate so that the traffic blends in on networks where Fortinet devices are common. From the C2, operators can open a remote shell, monitor network traffic, modify scheduled tasks, or start a SOCKS5 proxy, which lets them pivot through the firewall while remaining hard to spot. Any of these can lead to unauthorized data access or further exploitation of the internal network.

The NCSC report links “Pigmy Goat” to the tactics of the “Castletap” malware, which Mandiant has attributed to Chinese nation-state actors, reinforcing concerns about the growing sophistication of state-sponsored tooling aimed at critical network infrastructure worldwide. Detection is therefore the priority. The NCSC report supplies file hashes, YARA rules, and Snort rules that match the magic byte sequences and the fake SSH handshakes associated with the malware.

Beyond signatures, defenders can watch for the malware’s behaviours: encrypted payloads inside ICMP packets, or ‘LD_PRELOAD’ present in the environment of the sshd process. These indicators let network defenders recognise early signs of compromise and respond quickly.
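As an added example (not NCSC or Sophos tooling), the following Python script checks the two sshd indicators named above, LD_PRELOAD in the daemon's environment and a shared object mapped from outside the system library directories, against a /proc-style snapshot. The snapshot, the allow-listed library directories and the library path /usr/local/lib/libsophos.so are all constructed for the example; on a real host you would read /proc/<pid>/cmdline, environ and maps directly.

```python
"""Spot LD_PRELOAD-style injection into sshd from /proc-style data.

Added example, not NCSC or Sophos code. On a live host, read
/proc/<pid>/cmdline, /proc/<pid>/environ and /proc/<pid>/maps for every
sshd process; here the inputs are constructed in-line so it runs offline.
"""
from typing import Dict, List, Tuple

Finding = Tuple[int, str, str]   # (pid, what was found, detail)

# Directories from which a stock sshd is expected to map shared objects.
# This allow-list is an assumption for the example; tune it to the platform.
ALLOWED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Decode /proc/<pid>/environ: NUL-separated KEY=VALUE entries."""
    env: Dict[str, str] = {}
    for item in raw.split(b"\0"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def mapped_shared_objects(maps_text: str) -> List[str]:
    """Return file-backed .so paths from /proc/<pid>/maps, each once."""
    seen: List[str] = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)      # address perms offset dev inode [path]
        if len(fields) == 6 and fields[5].startswith("/") and ".so" in fields[5]:
            if fields[5] not in seen:
                seen.append(fields[5])
    return seen


def inspect_sshd(pid: int, cmdline: str, environ_raw: bytes, maps_text: str) -> List[Finding]:
    """Flag the two preload indicators on a single sshd process."""
    findings: List[Finding] = []
    if not cmdline.startswith("sshd"):
        return findings                   # only sshd is of interest here
    env = parse_environ(environ_raw)
    if "LD_PRELOAD" in env:
        findings.append((pid, "LD_PRELOAD set on sshd", env["LD_PRELOAD"]))
    for obj in mapped_shared_objects(maps_text):
        if not obj.startswith(ALLOWED_LIB_DIRS):
            findings.append((pid, "sshd maps a shared object outside system library dirs", obj))
    return findings


def scan(procs: Dict[int, dict]) -> List[Finding]:
    """Run inspect_sshd over a {pid: {cmdline, environ, maps}} snapshot."""
    out: List[Finding] = []
    for pid, p in sorted(procs.items()):
        out.extend(inspect_sshd(pid, p["cmdline"], p["environ"], p["maps"]))
    return out


# Constructed /proc snapshot: a clean sshd, one with a preloaded library
# dropped under a Sophos-looking name, and an unrelated process to ignore.
CLEAN_MAPS = (
    "5581c000-5581d000 r--p 00000000 fd:01 1234 /usr/sbin/sshd\n"
    "7f00a000-7f00b000 r--p 00000000 fd:01 2345 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f00c000-7f00d000 rw-p 00000000 00:00 0\n"
)
INFECTED_MAPS = CLEAN_MAPS + (
    "7f01a000-7f01b000 r-xp 00000000 fd:01 3456 /usr/local/lib/libsophos.so\n"  # constructed path
)
SAMPLE_PROCS = {
    101: {"cmdline": "sshd: /usr/sbin/sshd -D",
          "environ": b"PATH=/usr/bin\0LANG=C\0", "maps": CLEAN_MAPS},
    202: {"cmdline": "sshd: /usr/sbin/sshd -D",
          "environ": b"PATH=/usr/bin\0LD_PRELOAD=/usr/local/lib/libsophos.so\0",
          "maps": INFECTED_MAPS},
    303: {"cmdline": "nginx: worker", "environ": b"LD_PRELOAD=/opt/x.so\0", "maps": ""},
}

if __name__ == "__main__":
    for pid, what, detail in scan(SAMPLE_PROCS):
        print(f"pid {pid}: {what}: {detail}")
```

Two caveats: an sshd whose library was injected through /etc/ld.so.preload rather than the environment variable carries no LD_PRELOAD entry, so that file is worth reading as well, and a rootkit that hooks libc can lie to tools running on the box, so compare the results against the hashes and YARA rules in the NCSC report rather than relying on a single view.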

RansomHub Deploys EDRKillShifter Malware to Disable Endpoint Detection Using BYOVD Attacks

Sophos researchers have identified a new tool, dubbed EDRKillShifter, that the RansomHub ransomware group uses to disable Endpoint Detection and Response (EDR) software through a Bring Your Own Vulnerable Driver (BYOVD) attack. In BYOVD, an attacker who already has administrative rights loads a legitimately signed but vulnerable driver onto the target and abuses its flaw to run code with kernel privileges, typically to terminate or blind security software before taking full control of the system.

The technique is popular with both financially motivated ransomware groups and state-sponsored actors. EDRKillShifter was discovered during the investigation of a ransomware incident in May 2024. The attackers attempted to use it to disable Sophos protection on a target machine but failed; the endpoint agent’s CryptoGuard feature then blocked the ransomware executable from running. Sophos’ investigation turned up two samples, each exploiting a different vulnerable driver for which proof-of-concept code exists on GitHub: RentDrv2, and ThreatFireMonitor, the latter part of an obsolete system-monitoring package.

The loader executes in three stages. First, the attacker launches the EDRKillShifter binary with a password string, which is used to decrypt an embedded resource named BIN and run it in memory. That code unpacks and executes the final payload, which drops and loads the vulnerable driver and exploits it to gain kernel-level privileges. Once the driver is loaded, the payload creates a service for it and enters an endless loop that repeatedly enumerates processes and terminates any whose name matches a hardcoded target list of security products. The variants found were compiled on systems with Russian localization.

Sophos suspects the attackers adapted portions of the public proof-of-concept exploits and ported them to the Go programming language. To mitigate such threats, Sophos advises enabling tamper protection in endpoint security products, separating user and administrator privileges so that ordinary users cannot load drivers, and keeping systems updated. Microsoft also maintains a vulnerable driver blocklist and de-certifies signed drivers known to have been abused in previous attacks. Last year, Sophos identified another EDR-killing tool, AuKill, which similarly abused a vulnerable Process Explorer driver in Medusa Locker and LockBit ransomware attacks.

How Ransomware is Draining Resources from Critical Infrastructure

The Rising Cost of Ransomware Attacks on Critical Infrastructure

The costs of ransomware attacks on critical national infrastructure (CNI) firms have soared over the last year.

According to Sophos' newest numbers, released today, the median ransom payment rose to $2.54 million, more than 41 times last year's figure of $62,500. The mean payment for 2024 is higher still, at $3.225 million, though that represents a less dramatic roughly sixfold rise.

IT, technology, and telecoms organizations were the least likely to pay large sums, with an average payment of $330,000, while lower education and federal government organizations reported the highest average payments, at $6.6 million.

The figures are based solely on ransomware victims willing to disclose the details of their payments, so they do not give the full picture.

The Escalating Financial Burden

Only 86 of the 275 CNI organizations surveyed provided figures on ransom payments, so the results could be skewed; not every CNI ransomware victim polled was fully forthcoming with its information.

Costs to recover from ransomware attacks have also risen sharply since last year's findings, with some CNI sectors' costs quadrupling to a median of $3 million per incident.

The Impact on Critical Infrastructure

According to the report, only one in five organizations recovered in a week or less, down from 41% the previous year and 50% the year before that. The share of victims taking more than a month to recover rose to 55%, up from 36% last year.

Sophos stated in its analysis that this could be due to attacks getting more sophisticated and complicated, requiring more work from the IT team to effectively repair all of the damage caused by the crimes. However, the vendor's global field CTO, Chester Wisniewski, believes the industries should reevaluate their propensity to pay ransoms.

Junk Ransomware: Getting the Job Done For Hackers


In an April 17 analysis from its Sophos X-Ops research team, cybersecurity firm Sophos observed an increase in low-cost, primitive ransomware—a boon for aspiring threat actors and a headache for defenders.

"It's far more difficult to find something that there are only twenty copies of in the world," said Christopher Budd, director of threat research at Sophos X-Ops.

The team compared these tools to the cheap handguns that flooded the US firearms market in the 1960s and 1970s, known as "junk guns."

Between June 2023 and February 2024, the Sophos team spotted 19 different types of "independently produced, inexpensive, and crudely constructed ransomware." Some lacked polished interfaces, while others were written in languages like C# and .NET, which "have a shallower learning curve," the report noted.

"It seems to be a fairly recent thing," Budd said, while noting that poor-quality malware has existed for decades.

Varying costs

Sophos discovered one with no price indicated, two open-source models, one for $20 (later reduced to free), and one for 0.5 BTC (about $13K).

According to a 2023 research by cybersecurity firm CrowdStrike, the cost of a Ransomware as a Service (RaaS) kit "ranges from $40 per month to several thousand dollars." RaaS models depend on affiliates purchasing ransomware and consenting to a subscription fee based on the victim's payment.

Junk-gun ransomware

Junk-gun ransomware does away with that commission: capitalism in action, in a sense.

"In most instances, you don't have any kind of partner fees to pay," Budd stated.

Only three of the "junk" varieties charged a subscription fee.

Ransomware groups such as LockBit have grown large enough to be tracked and disrupted by government agencies. Junk ransomware has the potential to fly under the radar and bypass detection technology.

"There is no single source of knowledge for investigators and researchers to track," the Sophos report stated.

Budd and his team saw users on the forums promoting these cheap tools asking basic questions: What is the best language for creating ransomware? Is writing in C# worthwhile? How should malware be priced and sold?

Budd describes a forum featuring inexpensive ransomware and beginner queries as a welcome place for young hackers waiting for their chance in the big leagues.

Step forward

Junk-gun ransomware presents specific problems for small enterprises, the general public, and the security industry. We saw threat actors expressly refer to assaults against smaller companies and individuals, even as they tried to figure out which types of companies to target and how much ransom to demand because such targets are often less well-defended, knowledgeable, and prepared.

At this point, junk-gun ransomware causes several challenges for the security industry. It is difficult to get samples of junk-gun ransomware, assess how widely it has been deployed in the wild, and monitor new variants. 

Threat actors may also adopt the 'brand names' of well-known ransomware families, presumably to capitalize on their reputations, which can lead to misunderstanding among experts.

Ransomware's Alarming Surge and Active Adversaries


Ransomware attacks have increased dramatically recently, worrying the cybersecurity community and heralding a new era of cyber threats. The convergence of sophisticated tactics used by hostile actors, as described in numerous reports, highlights the necessity of increased attention and proactive protection tactics.

Reports indicate that ransomware attacks have reached unprecedented levels, with threat actors constantly adjusting their tactics to find weak points. Targets now extend beyond traditional industries to critical infrastructure, healthcare, and even political entities, and ransom demands have grown sharply, with multi-million dollar demands becoming distressingly common.

Sophos research on an active adversary that targeted IT executives offers a window into the brazen methods cybercriminals use. This adversary's ability to abuse supply chains and work its way inside businesses shows the intricacy of contemporary threats: these are no longer isolated incidents but parts of larger, well-planned campaigns.

NCC Group's cyber threat intelligence reports offer valuable insight into the changing strategies of ransomware operators, emphasising the evolving nature of the threat and the need for enterprises to stay ahead of it. Detailed studies of threat vectors, malware families, and mitigation techniques let organizations strengthen their defences efficiently.

The effects of a successful ransomware attack go beyond monetary losses because of how interconnected the digital world has become. The loss of vital services, the compromise of private information, and the erosion of public confidence are just a few of the serious repercussions. Organizations need a multifaceted cybersecurity strategy to counter this.

Organizations must first invest in solid security fundamentals: timely software updates, vulnerability assessments, and staff training. Proactive monitoring and threat detection are essential given how quickly attacker tactics change. Offline backups, in addition, remove much of the pressure to pay, because data recovery remains possible even during an attack.

Collaboration within the cybersecurity community is equally vital. Sharing threat intelligence and best practices helps fortify collective defenses and pre-empt emerging threats. Government bodies, private enterprises, and security researchers must collaborate to create a united front against cyber threats.

Ransomware Attacks on the Rise in Manufacturing Industry


The Growing Threat of Ransomware Attacks

According to a recent report by Sophos, a global leader in cybersecurity, more than two-thirds (68%) of manufacturing companies hit by ransomware attacks globally had their data encrypted by hackers. This is the highest reported encryption rate for the sector over the past three years and is in line with a broader cross-sector trend of attackers more frequently succeeding in encrypting data.

Ransomware attacks have become an increasingly common threat to businesses and organizations of all sizes. These attacks involve hackers gaining access to a company's computer systems and encrypting their data, making it inaccessible to the company. The hackers then demand a ransom payment in exchange for the decryption key.

Manufacturing Industry Hit Hard by Ransomware

The manufacturing industry has been particularly hard hit by these attacks. Despite an increase in the percentage of manufacturing organizations that used backups to recover data, with 73% of the manufacturing firms using backups this year versus 58% in the previous year, the sector still has one of the lowest data recovery rates.

This highlights the importance of companies taking proactive measures to protect themselves against ransomware attacks. This includes regularly backing up important data, keeping software and systems up to date with the latest security patches, and training employees on how to recognize and avoid phishing emails and other common attack vectors.

Protecting Against Ransomware: Best Practices for Companies

In addition to these preventative measures, companies should also have a plan in place for how to respond in the event of a ransomware attack. This includes knowing who to contact for assistance, having a communication plan for informing customers and other stakeholders and having a plan for how to restore operations as quickly as possible.

The threat of ransomware attacks is not going away anytime soon. By taking proactive steps to protect themselves, companies can reduce their risk of falling victim to these attacks and minimize the impact if an attack does occur.

The Persistent Threat of Ransomware: RSA Conference 2023 Highlights

The cybersecurity industry's highest-profile annual gathering, the RSA Conference, focused heavily this year on the ongoing and growing threat of ransomware. Last year, 68% of the attacks it investigated involved ransomware, according to cybersecurity firm Sophos.

The National Security Agency's director of cybersecurity, Rob Joyce, recently confirmed that Russian hackers are now weaponizing ransomware to target Ukrainian logistics companies and organizations in Western-allied countries.

Ransomware typically begins with file-encrypting malware being installed on an organization's network, which is then followed by a ransom note displayed on every screen. Hackers demand payment, often in cryptocurrency, to unlock the networks and prevent any data leaks. In recent years, ransomware has affected schools, hospitals, small businesses, and more.

At RSA, conversations have shifted from viewing ransomware as a mere annoyance to a persistent and dangerous threat. A panel on the last day of the conference acted out a hypothetical response to an Iran-backed ransomware attack on US banks in 2025, highlighting the severity of the threat.

The shift in perspective is in response to the increasing sophistication and persistence of ransomware attacks, as well as the fact that cybercriminals have been successful in monetizing their activities. The use of cryptocurrency for payment also makes it more difficult for law enforcement to trace the source of the attacks.

Ransomware attacks are now considered to be a "forever problem," meaning they will be a persistent threat for the foreseeable future. Organizations and individuals must take proactive steps to prevent attacks, including maintaining strong security measures and regularly backing up data. It is also crucial to be vigilant for any suspicious activity and to report any potential attacks immediately to the appropriate authorities.

In conclusion, ransomware attacks continue to be a major concern for cybersecurity professionals, and their impact will only continue to grow. Organizations and individuals must be proactive in their cybersecurity measures to prevent attacks and minimize damage.

Sophos Says Nearly Every Company Was Attacked Last Year

Organizations are constantly bombarded with malicious activity and suffer real harm from it. The State of Ransomware 2022 report, published by Sophos, a global leader in next-generation cybersecurity, gives the public a comprehensive overview of organizations' real-world ransomware experiences. According to the report, the share of organizations hit by ransomware rose to 66% in 2021 from 37% in 2020.

For organizations, cyberattacks are not a matter of chance but something that must be prepared for daily. As per a recent survey released by Sophos on Tuesday, almost all organizations (94%) have suffered from some form of a cyberattack within the last year. 

Researchers warned companies to expect to be targeted in 2023. Organizations are reeling under the constant barrage of malicious activity directed at them, and many of today's threats have become too advanced for them to respond to and handle on their own. Most organizations report that cyber threats hurt their ability to complete IT projects on time or to devote time to strategic issues.

Among organizations whose data was encrypted in their most significant ransomware attack, the average ransom paid rose nearly fivefold to $812,360, and the proportion paying $1 million or more roughly tripled.

According to John Shier, field CTO of commercial at Sophos, "Many organizations are overwhelmed with routine operational responsibilities as well as strategic initiatives." As a result, they end up reacting to whatever is in front of them rather than improving their position, because they are constantly distracted by the immediate.

Approximately 5,600 mid-size companies in 31 countries across Europe, the Americas, Asia-Pacific, Central Asia, the Middle East, and Africa shared details of their ransomware experiences for the report, which was compiled from surveys conducted in January and February of this year. The separate Sophos survey behind the 94% figure above covered 14 countries and ran over three months.

Almost all responders (93%), said they found many of the essential security operations tasks challenging, and only half of the security alerts are investigated by their security teams. According to the survey results, three-quarters of respondents had difficulty identifying the root cause of cyberattacks. 

According to the State of Ransomware 2022 global survey, which examines ransomware incidents in 2021, and cyber insurance issues related to them, the following are the main findings: 

An increase in ransom payments - in 2021, 11% of organizations paid a ransom of $1 million or more, a substantial increase from the 4% that incurred this ransom in 2020. On the other hand, the number of organizations paying less than $10,000 dropped from 34% in 2020 to 21% in 2021.

In 2021, 46% of organizations whose data was encrypted paid a ransom to get it back, and 26% paid a ransom even though they had also restored data from backups.

Ransomware attacks carry costs well beyond the ransom. Recovering from the most significant attack of 2021 cost an average of $1.4 million per incident, and recovery took about a month on average. Nine in ten victims said the attack disrupted their ability to operate, and 86% of private-sector victims reported losing business or revenue as a result.

To recover from a ransomware attack, organizations often depend on cyber insurance to cover the costs incurred. According to the survey, 83% of mid-sized companies had cyber insurance that covered ransomware attacks. In 98% of these incidents, the insurer paid at least a portion of the costs, and in 40% it covered the ransom payment.

Ninety-four percent of those with cyber insurance reported that their experience of obtaining it changed over the past year: insurers demanded stronger cybersecurity measures, policies became more complicated or more expensive, and fewer providers offered coverage at all.

According to the survey of IT and cybersecurity leaders, five threats cause particular concern: data theft, phishing, ransomware, extortion, and DDoS attacks. Only 1% of IT leaders say they are not worried about cyberattacks affecting their organizations in the near future.

Cuban Ransomware Gang Hacked Devices via Microsoft Drivers

Microsoft has suspended several accounts in its hardware developer program that signed malicious drivers used by the Cuba ransomware group to deactivate endpoint security software.

After breaking into a target's systems, Cuba used these cryptographically signed 'drivers' to try to disable security software and alter its settings. The activity was meant to go unnoticed, but monitoring software from the security company Sophos raised the alarm.

In October, Microsoft was told by Google-owned Mandiant, SentinelOne, and Sophos that several cybercrime groups were using malicious third-party kernel-mode hardware drivers signed by Microsoft in ransomware deployments.

According to Microsoft's advisory, "In these attacks, the attacker had already gained administrative rights on compromised systems prior to using the drivers." The company's investigation revealed that several developer accounts for the Microsoft Partner Center had been used to submit malicious drivers to obtain a Microsoft signature.

The Cuba ransomware group used the driver in its post-exploitation phase together with a malicious loader application, most likely to end the processes of security products before activating the ransomware. Mandiant named this utility BURNTCIGAR back in February, when it had previously been seen deployed alongside a vulnerable driver belonging to the Avast antivirus software.

Sophos' Christopher Budd, director of threat research, stated, "We've discovered a total of 10 malicious drivers, all of which are variations of the original discovery. Starting at least in July of last year, these drivers exhibit a concentrated effort to advance through the trust chain. It is tough to write a malicious driver from scratch and get it approved by a reputable body. Nevertheless, it's highly efficient because the driver can virtually complete any task without hesitation."

Since Windows 10, Microsoft has required kernel-mode drivers to be signed through its Windows Hardware Developer Program, and Sophos researchers Andreas Klopsch and Andrew Brandt note that the signature is what carries trust. In 2022, the abuse of legitimately signed third-party device drivers to kill security tools has grown.

According to a U.S. government alert, the Cuba ransomware group has extracted an additional $60 million through operations against 100 organizations worldwide. The alert warned that the group, active since 2019, continues to target U.S. entities in critical infrastructure sectors.
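As an added example that is not Sophos, Mandiant or Microsoft code, the Python below demonstrates the detection that both this post and the EDRKillShifter post earlier on this page point to: a driver load from an untrusted location or with a known-abused name, followed within a short window by a burst of terminations of security-product processes. Event shapes follow Sysmon Event ID 6 (DriverLoad) and Event ID 5 (ProcessTerminate); the timeline, the trusted-directory list, the placeholder security process names and the 120-second window are assumptions constructed for the example.

```python
"""Correlate a suspicious kernel-driver load with a burst of security-process
terminations, the shape shared by EDRKillShifter and the Cuba/BURNTCIGAR
driver abuse described above.

Added example, not Sophos, Mandiant or Microsoft code. Event shapes follow
Sysmon Event ID 6 (DriverLoad) and Event ID 5 (ProcessTerminate); the sample
events are constructed, and the name lists are assumptions to tune per site.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass
class Event:
    ts: datetime
    kind: str          # "DriverLoad" (Sysmon EID 6) or "ProcessTerminate" (Sysmon EID 5)
    image: str         # ImageLoaded for drivers, Image for processes
    signed: bool = True


# Assumptions for the example:
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)
# Driver names from the posts on this page; in production key on file hashes, not names.
KNOWN_ABUSED_DRIVERS = {"rentdrv2.sys", "threatfiremonitor.sys"}
# Placeholder security-product process names; substitute your vendor's real list.
SECURITY_PROCESSES = {"edr_agent.exe", "edr_service.exe", "av_scanner.exe"}
WINDOW = timedelta(seconds=120)   # how soon after the load the kills must follow
MIN_KILLS = 2                     # one termination is noise; a burst is a kill loop


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_driver(ev: Event) -> bool:
    """Known-abused name, unsigned, or loaded from outside the system driver directory."""
    return (basename(ev.image) in KNOWN_ABUSED_DRIVERS
            or not ev.signed
            or not ev.image.lower().startswith(TRUSTED_DRIVER_DIRS))


def detect_edr_killer(events: List[Event]) -> List[dict]:
    """One alert per suspicious driver load followed by >= MIN_KILLS
    terminations of security processes inside WINDOW."""
    ordered = sorted(events, key=lambda e: e.ts)
    alerts: List[dict] = []
    for i, ev in enumerate(ordered):
        if ev.kind != "DriverLoad" or not suspicious_driver(ev):
            continue
        killed = [e.image for e in ordered[i + 1:]
                  if e.kind == "ProcessTerminate"
                  and e.ts - ev.ts <= WINDOW
                  and basename(e.image) in SECURITY_PROCESSES]
        if len(killed) >= MIN_KILLS:
            alerts.append({"driver": ev.image, "loaded_at": ev.ts, "killed": killed})
    return alerts


def _t(sec: int) -> datetime:
    """Constructed timestamps relative to a fixed start."""
    return datetime(2024, 5, 1, 12, 0, 0) + timedelta(seconds=sec)


# Constructed timeline: a benign driver load, then an abused driver dropped in a
# user-writable path and a kill loop against the security stack.
SAMPLE_EVENTS = [
    Event(_t(0),   "DriverLoad",       "C:\\Windows\\System32\\drivers\\tcpip.sys"),
    Event(_t(30),  "DriverLoad",       "C:\\Users\\Public\\rentdrv2.sys"),
    Event(_t(33),  "ProcessTerminate", "C:\\Program Files\\EDR\\edr_agent.exe"),
    Event(_t(34),  "ProcessTerminate", "C:\\Program Files\\EDR\\edr_service.exe"),
    Event(_t(40),  "ProcessTerminate", "C:\\Windows\\System32\\notepad.exe"),
    Event(_t(900), "ProcessTerminate", "C:\\Program Files\\EDR\\av_scanner.exe"),  # outside WINDOW
]

if __name__ == "__main__":
    for a in detect_edr_killer(SAMPLE_EVENTS):
        print(f"{a['loaded_at']}: {a['driver']} followed by kills of {a['killed']}")
```

Name matching on RentDrv2 and ThreatFireMonitor is only a convenience for the example; these drivers are legitimately signed, so a real rule keys on file hashes (the Microsoft vulnerable driver blocklist is the obvious source). And when tamper protection holds, the terminations never happen, so the driver load from a user-writable path must already be enough to raise an alert on its own.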


Sophos 2023 Threat Report: Cryptocurrency Will Fuel Cyberattacks

The Sophos 2022 Threat Report, released by Sophos, a pioneer in next-generation cybersecurity, illustrates how the gravitational pull of ransomware is drawing other cyber threats into one vast, interconnected ransomware delivery system, with significant ramifications for IT security.

Entry-level criminals can buy malware and installation tooling from illicit markets like Genesis, and buy or sell stolen credentials and other data in bulk. Initial access brokers increasingly sell credentials and exploits for vulnerable software to other criminal groups.

A ransomware-as-a-service (RaaS) economy has emerged over the last decade on the back of ransomware's growing popularity. In 2022 this as-a-service business model has expanded further, and almost every component of the cybercrime toolkit, from initial infection to methods of evading detection, is now available for purchase, according to the researchers.

The step-by-step tools and methods attackers use to deploy ransomware were exposed when a disgruntled Conti affiliate published the deployment guide supplied by the operators. Once RaaS affiliates and other ransomware operators have the malware they need, they can use malware distribution platforms and initial access brokers (IABs) to find and reach potential victims. This feeds the second major trend Sophos predicts.

Sophos's research found Gootloader running novel hybrid operations in 2021 that combined broad campaigns with careful screening to pick out targets for specific malware packages.

Well-known commodity threats, including spam, spyware, loaders, droppers, and other common malware, will keep being adapted to distribute and deliver ransomware, alongside increasingly sophisticated, hands-on initial access brokers.

Sophos incident responders compiled a list of ten pressure tactics seen in 2021, including data theft and exposure, threatening phone calls, and distributed denial of service (DDoS) attacks.

Cryptocurrency will continue to fuel cybercrimes such as ransomware and illicit crypto mining. In 2021, Sophos researchers observed crypto miners like Lemon Duck and MrbMiner installing themselves on machines and servers by exploiting newly disclosed vulnerabilities and on targets already compromised by ransomware operators. Sophos expects the trend to continue until cryptocurrencies are better regulated internationally.

Besides promoting their products, cybercrime vendors sometimes post job openings for attackers with specialized skills. Some markets also carry help-wanted postings from job seekers with profiles of their abilities and qualifications, and some even have technical recruiting staff.

As web services grow, different kinds of credentials, particularly session cookies, can be used in many ways to push deeper into networks and even get past MFA. Credential theft remains one of the simplest ways for new criminals to enter the gray markets and start their careers.

Sophos Firewall Zero-Day Flaw Exploited by Hackers

Chinese hackers used a zero-day exploit for a critical vulnerability in Sophos Firewall to break into a company and reach its cloud-hosted web servers. Although the flaw has since been patched, other threat actors have continued to exploit it on unpatched appliances to bypass authentication and execute arbitrary code remotely.

The vulnerability, an authentication bypass in the Sophos Firewall User Portal and Webadmin interfaces, was assigned CVE-2022-1040 and disclosed on March 25.

Researchers from Volexity reported that Chinese threat actors used the zero-day (CVE-2022-1040) to compromise a company and its cloud-hosted web servers. The threat actor was still active when Volexity began its investigation, so the researchers could follow the attacker's movements, which showed a capable adversary working to stay undetected.

According to the researchers, "the attacker was using access to the firewall to conduct man-in-the-middle (MitM) attacks." "Data obtained from these MitM attacks was used by the attacker to target further systems outside of the network where the firewall was located." After the firewall breach, the infection chain involved backdooring a legitimate component of the security software with the Behinder web shell, which could be reached remotely from any URL the threat actor chose.

Securing web server access 

Apart from the web shell, Volexity found further malicious activity that kept the threat actor's persistence and allowed the attack to continue: 
  • The first phase of the attack is gaining access to the Sophos Firewall, which permits a Man-in-the-Middle (MitM) attack by altering DNS replies for specified websites of the victim companies. 
  • Using stolen session cookies, the attacker gains access to the CMS admin page and then installs a File Manager plugin to manipulate files on the website. 
To make intrusions easier to investigate, Volexity recommends running the auditd framework on Unix-based servers, and argues that vendors' devices should ship with tools for analysing potential compromise. Volexity also published a set of YARA rules that can be used to detect activity of this kind.
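As an added example, not Volexity or Sophos code, the Python below looks for the second step in the list above in web server access logs: a session cookie that was issued to the administrator and is then presented from a different client. It assumes the access log records the session cookie value (for nginx, a log_format that appends sid=$cookie_sid); the format, the log lines, the IP addresses and the admin path prefixes are all constructed here.

```python
"""Flag a session cookie replayed from a second client, the pattern behind the
stolen-cookie login to the CMS admin page described above.

Added example, not Volexity or Sophos code. It assumes access logs that record
the session cookie, e.g. an nginx log_format such as
'$remote_addr [$time_local] "$request" $status "$http_user_agent" sid=$cookie_sid';
the log lines and admin path prefixes below are constructed for the example.
"""
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)" sid=(?P<sid>\S*)$'
)
ADMIN_PREFIXES = ("/admin", "/wp-admin")   # assumption: CMS admin area paths


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_replayed_sessions(lines: Iterable[str]) -> List[dict]:
    """Return one alert per request that presents an already-seen session id
    from a different client IP or user agent than the one that first used it."""
    first_client: Dict[str, dict] = {}
    alerts: List[dict] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["sid"]:
            continue                       # unparseable, or no session cookie yet
        origin = first_client.setdefault(rec["sid"], {"ip": rec["ip"], "ua": rec["ua"]})
        if rec["ip"] != origin["ip"] or rec["ua"] != origin["ua"]:
            alerts.append({
                "sid": rec["sid"],
                "first_client": (origin["ip"], origin["ua"]),
                "replay_client": (rec["ip"], rec["ua"]),
                "path": rec["path"],
                "admin_area": rec["path"].startswith(ADMIN_PREFIXES),
                "ts": rec["ts"].isoformat(),
            })
    return alerts


# Constructed log excerpt: the real administrator works from 10.0.0.5, then the
# same cookie shows up from 203.0.113.7 (documentation range) installing a plugin.
SAMPLE_LOG = [
    '10.0.0.5 [25/Mar/2022:09:12:01 +0000] "POST /wp-login.php HTTP/1.1" 302 "Mozilla/5.0 (X11; Linux x86_64) Firefox/98.0" sid=',
    '10.0.0.5 [25/Mar/2022:09:12:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/98.0" sid=4f9a2c71',
    '10.0.0.5 [25/Mar/2022:09:13:10 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/98.0" sid=4f9a2c71',
    '203.0.113.7 [25/Mar/2022:09:41:55 +0000] "GET /wp-admin/ HTTP/1.1" 200 "python-requests/2.27.1" sid=4f9a2c71',
    '203.0.113.7 [25/Mar/2022:09:42:20 +0000] "POST /wp-admin/plugin-install.php HTTP/1.1" 200 "python-requests/2.27.1" sid=4f9a2c71',
    '198.51.100.9 [25/Mar/2022:09:45:00 +0000] "GET /blog/ HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/99.0" sid=b77e0d10',
]

if __name__ == "__main__":
    for a in find_replayed_sessions(SAMPLE_LOG):
        print(f"{a['ts']} sid={a['sid']} replayed by {a['replay_client'][0]} "
              f"on {a['path']} (admin={a['admin_area']})")
```

Address and user-agent changes also happen legitimately (mobile networks, VPN egress, browser updates), so treat a hit as a lead rather than a verdict; the admin_area flag and the timing help prioritise. The server-side counterpart is to bind the session to the client or require re-authentication before sensitive actions such as installing a plugin.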

Cyberattacks In Companies Result in Customer Prices, Cost of Doing Business

A customer who hears that their favourite store has suffered yet another cyberattack may feel as though their own wallet has been stolen. The sense of fear that follows a data breach is not new; what is new is the number of attacks, their impact, and their cost, and customers notice. Customers today are far better informed about these attacks than in the past, and the attacks affect them more directly, as when threat actors steal personal data from a large organization.

How do the customers think about such attacks? 

When threat actors target organizations, consumers pay the cost too. In simple terms, customer suffers from the price increase of goods and services. "When attackers sell customer data on the dark web and other criminals buy that data, they can turn an enterprise attack into hundreds of others. It can spin off into credit card fraud, identity theft, and a world of social engineering scams. Cyberattacks may strike once, but identity- and personal data-related fraud is forever," reports Security Intelligence. 

Cyberattacks drive up costs through ransomware payments, legal fees, increased insurance rates, the cost of bringing everything back online, and operational disruption. The companies pay these costs first, but in the end the customers pay through higher prices. The costs of these attacks are increasing every year. According to a Sophos survey, the average cost of a ransomware attack, for example, was $1.85 million in 2020, double the previous year. 

The outlook keeps getting darker: cybersecurity experts project that the global cost of cyberattacks will grow by 15% per year over the next five years, reaching $10.5 trillion per year by 2025. That is a rise in the cost of doing business, and it will feed through into customer prices. According to Security Intelligence, "the rise in cyberattacks on businesses has heightened consumer worries in the past year. Some 44% feel more at risk from cybercrime than they did before the COVID-19 pandemic began, according to the Norton survey."

Cring Ransomware Attacks Industrial Organisations Using Outdated VPNs and Apps

Since surfacing earlier in 2021, the Cring ransomware group has been making a name for itself by attacking outdated ColdFusion servers and VPNs. According to experts, what makes Cring different, so far, is its specific targeting of old, known vulnerabilities in its campaigns. In an earlier incident, Cring threat actors abused a two-year-old FortiGate VPN vulnerability on "end-of-life" or otherwise unsupported devices that were exposed to the internet. Cring operators have also been seen using Mimikatz on compromised devices to harvest credentials, and there is evidence that they abuse native Windows processes to blend in with other authorized activity. 

ZDNet reports: "Positive Technologies head of malware detection Alexey Vishnyakov added that the group gets its primary consolidation through the exploitation of 1-day vulnerabilities in services at the perimeter of the organization like web servers, VPN solutions and more, either through buying access from intermediaries on shadow forums or other methods." This often makes it harder for threat hunters and security staff to find anything suspicious before it is already too late. 

Current and earlier campaigns have shown the continued use of Cobalt Strike beacons, a tool several threat actors favor for the post-exploitation phase because it is easy for attackers to operate. Sophos published research in September highlighting one case in which Cring threat actors exploited an 11-year-old Adobe ColdFusion 9 installation to take remote control of the ColdFusion server. 

Sophos linked the group using Cring ransomware to threat actors in Belarus and Ukraine; these attackers used automated tools to break into the servers of an unnamed company in the services sector. "In the incident we researched, the target was a services company, and all it took to break in was one internet-facing machine running old, out-of-date and unpatched software. The surprising thing is that this server was in active daily use. Often the most vulnerable devices are inactive or ghost machines, either forgotten about or overlooked when it comes to patching and upgrades," said Andrew Brandt, chief researcher at Sophos.

Retail Industry Suffered the Most from Ransomware Attacks

The "Sophos State of Ransomware in Retail 2021" report, recently issued by the software and hardware vendor Sophos, examines the magnitude and consequences of ransomware attacks on the international retail sector during 2020, especially in light of the Covid-19 situation, which started that year.

Among the primary findings, the retail and education sectors suffered the highest rate of ransomware attacks in 2020, with 44% of firms affected (compared to 37% across all industry sectors). The report also found that the total cost of remediating a ransomware attack in retail was an estimated US$1.97 million, compared to a cross-sector average of US$1.85 million, taking into account downtime, staff time, device costs, network costs, lost opportunity, ransom payments and more. 

Retailers were highly susceptible to a modest but growing new trend: extortion-only attacks. In such attacks, the ransomware operators do not encrypt data; instead they threaten to publish stolen information online if the ransom demands are not met. 

More than half (54%) of retail organizations hit by ransomware said the attackers succeeded in encrypting their data. One-third (32%) of those whose data was encrypted paid the ransom. The average payment was US$147,811 (below the global average of US$170,404). Furthermore, those who paid recovered only two-thirds (67%) of their data on average, leaving a third still inaccessible, and only 9% got all their encrypted data back. 

The relatively large proportion of targets affected by data theft attacks is not wholly unexpected. Service industries such as the retail sector hold data that is often subject to data protection legislation, and threat actors are all too ready to exploit victims' fear of the fallout from a data breach: penalties and damage to brand image, sales and customer confidence, Wisniewski said. 

“The retail sector has always been an attractive target for cyberattacks, with its complex, distributed IT environments, including a multitude of connected point-of-sale devices, a relatively transient and non-technical workforce, and access to a wide range of personal and financial customer data,” said Chester Wisniewski, principal research scientist at Sophos, as quoted in a press release. “The impact of the pandemic introduced additional security challenges that cybercriminals were quick to exploit.” 

To defend retail IT networks from ransomware and other cyberattacks, researchers urge IT teams to invest in three key areas: building comprehensive cyber threat defenses; developing security skills among users, especially part-time and temporary staff, wherever possible; and investing in more robust infrastructure.

India’s Finance Software Powerhouse NSE Hit by EpsilonRed Ransomware

Nucleus Software Exports, an Indian financial software company, has suffered a major ransomware attack. The company, which supplies software to Indian banks and retail stores, had its internal networks severely affected and essential business data encrypted. 

According to the latest information, Nucleus Software is a leading provider of banking and financial services and is also known for its lending and transaction banking consultancy services to the global financial services industry. 

In the wake of the security incident, the company filed a report on Tuesday with the Indian National Stock Exchange authority, stating that the incident occurred on May 30 and that the group behind the attack is known as ‘EpsilonRed’. 

Alongside this, NSE published its quarterly report, in which it wrote that the company’s cybersecurity team is working hard to recover its sensitive business information and to repair the damaged parts of the system. Meanwhile, the company’s spokesperson reassured customers, saying, “So far as sensitive data is concerned, we’d like to assure our customers that there is NO financial data of any customer available/stored with us and therefore the question of any leakage or loss of client data does not arise’’. 

Researchers in the cybersecurity community have disclosed that the ransomware that damaged NSE’s network, commonly known as EpsilonRed, is also known as BlackCocaine. EpsilonRed/BlackCocaine is a new ransomware family that was discovered only recently. 

UK security firm Sophos first reported on this new strain last month. According to the Sophos report, the EpsilonRed gang targets victims running unpatched Microsoft Exchange email servers using the ProxyLogon exploit; after gaining full control of the system, the attackers install a collection of PowerShell scripts that gives them access to the inside of the victim’s network. 

Furthermore, Sophos said the ransomware gang has succeeded in some of its attacks, collecting payments of around $210,000 from previous victims. 

NSE has not disclosed the exact details of the breach, nor whether it met the attackers' demands. However, it is widely accepted that the attack came in through an Exchange server. 

167 Fake iOS & Android Trading Apps Brought to Light by Researchers

Sophos, a global cybersecurity company, has found 167 fake Android and iOS apps that criminals have been using to rob people who believe they are using a legitimate, trustworthy financial trading, banking or cryptocurrency application. A research article titled ‘Fake Android and iOS apps disguised as trading and cryptocurrency apps’ shows how the criminals used social engineering, fake web pages such as a fake iOS App Store page, and an iOS app-testing service to deliver the fake apps to unsuspecting victims. 

Sophos researchers investigated the fake applications and found that they were all very similar to one another. Many included a "chat" option for customer service; when the researchers tried to contact the support teams through chat, the answers were almost identical. They also discovered a single server hosting 167 counterfeit trading and cryptocurrency applications. Taken together, Sophos says, this indicates that all of the fraud may be carried out by the same group. 

In one scenario examined, the scammers approached victims through a dating app, creating a profile and exchanging messages with individual targets before trying to persuade them to download a counterfeit application and deposit money and cryptocurrency into it. When the targets later tried to withdraw funds or close the account, the attackers blocked access. 

In other cases, websites built to resemble a reputable company, such as a bank, lured the targets. To make users believe they were installing an app from the genuine App Store, the scammers even built a fake "iOS App Store" download page complete with fabricated customer reviews. 

When visitors tapped the links to install the fake Android or iOS apps, what they got looked like a mobile app but was in fact a web app: just a shortcut icon linking to a fake website. 

The operators also delivered fake iOS applications through third-party websites that exist to let developers test new apps with a small number of Apple device users before submitting them to the official App Store. 

“People trust the brands and people they know – or think they know – and the operators behind these fake trading and cryptocurrency scams ruthlessly take advantage of that,” said Jagadeesh Chandraiah, a senior threat researcher at Sophos. “The fake applications we uncovered impersonate popular and trusted financial apps from all over the world, while the dating site sting begins with a friendly exchange of messages to build trust before the target is asked to install a fake app. Such tactics make the fraud seem very believable.”

“To avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play and Apple’s app store. Developers of popular apps often have a website, which directs users to the genuine app and, if they have the skills to do so, users should verify if the app they are about to install was created by its actual developer. Last, but not least, if something seems risky or too good to be true – high returns on investment or someone from a dating site asking you to transfer money or cryptocurrency assets into some ‘great’ account – then sadly it probably is,” he further added.

Sophos also recommends installing an anti-virus product, such as its Intercept X for Mobile, to defend Android and iOS devices from attacks.

Sloppiness of Student Allows Ryuk Ransomware to Target Bio Research Institute

Cybersecurity vendor Sophos has revealed how a 'cracked' version of a data visualization tool was the root cause of a major ransomware attack that cost a European research institute a week’s work and a great deal of money. 

A student working at a European biomolecular research institute was permitted to use expensive data visualization software. The student nevertheless went looking for a free version of the tool; the license was most likely too expensive, so as a workaround the student eventually chose to find a cracked version instead.

The crack triggered a malware warning from Microsoft Defender, which the student not only ignored but responded to by disabling the antivirus tool, along with the firewall. Thirteen days later, a Remote Desktop Protocol (RDP) connection to the institute’s network was registered using the student’s credentials, and Sophos's incident response team determined that the crack was in fact info-stealing malware. 

“A feature of RDP is that a connection also triggers the automatic installation of a printer driver, enabling users to print documents remotely. This allowed the Rapid Response investigation team to see that the registered RDP connection involved a Russian language printer driver and was likely to be a rogue connection. Ten days after this connection was made, the Ryuk ransomware was launched,” Sophos explained. 

The malware was used by a malicious third party for a few days, harvesting keystrokes and stealing browser cookies, clipboard data and similar information. Sophos did not go into details such as how much money the operators demanded or whether the institute paid the ransom, but it did say the organization lost a week’s worth of data because its backups were not up to date.

The institute also suffered operational impact: all computer and server files had to be rebuilt from the ground up before any data could be restored. Sophos also said that the group that planted the info-stealer probably was not the same one that deployed Ryuk; the most likely scenario is that, once access was established, it was sold on the dark web to the highest bidder.

As precautionary measures, Sophos advised organizations to deploy multi-factor authentication (MFA) for access to any internal networks, especially from third parties; keep software regularly updated; segment networks; and restrict account privileges. It also urged customers to lock down RDP access with static Local Area Network (LAN) rules, via group policy or access control lists.

Sophos Uncovers Connection Between Mount Locker and Astro Locker Team

Sophos has published a report on a newly revealed association between the Mount Locker ransomware group and a new group called "Astro Locker Team." Sophos recently identified ransomware targeting an organization’s unprotected machines that had all the hallmarks of Mount Locker ransomware. However, when Sophos incident responders followed the link in the ransom note to the attackers' chat/support site, they found themselves facing a near-unknown group calling itself "AstroLocker Team" or "Astro Locker Team." Astro Locker appears to be a new ransomware family, but appearances can be deceiving. 

When comparing the Astro Locker leak site with the Mount Locker leak site, investigators noticed that all five of the organizations listed on the Astro Locker site were also listed as victims on the Mount Locker site. Digging further, they found that the size of the data leaks for each of the five matched, and that the sites shared some of the same links to the leaked data. Looking more closely at the matching links, Sophos experts found one final connection: some of the leaked data linked from the Mount Locker site was being hosted on the Astro Locker onion site: http[:]//anewset****.onion.  

“In recent incidents where Sophos experts investigated and neutralized an active Mount Locker attack, we noticed various techniques that suggest these attackers are not as sophisticated as other ransomware groups like Ryuk, REvil and DoppelPaymer,” said Peter Mackenzie, manager of Sophos’s Rapid Response team. “It is possible that the Mount Locker group wants to rebrand themselves to create a new and more professional image, or it could be an attempt to kickstart a true ransomware-as-a-service (RaaS) program. Regardless, if any organizations become a victim of Astro Locker in the future, they should investigate the TTPs of both Mount Locker and Astro Locker.” 

Mackenzie suggested that Mount Locker may be using the Astro name to make it appear that the group has a significant new affiliate for its new RaaS program, or that it may be a genuine partnership intended to speed up its transition into a RaaS operation. 

“Branding is a powerful force for ransomware groups. Good branding can come from a single threat group being skilled at hitting high-value targets and avoiding detection — such as DoppelPaymer — or by running a successful RaaS network — like Sodinokibi or Egregor. Powerful branding with ransomware groups can strike fear in targets and lead to a higher likelihood of pay-outs,” he concluded.

Deceased User's Account Used by Nefilim Ransomware Actors

Ransomware operators are increasingly teaming up to share software and infrastructure, accelerating the data-leak and extortion operations that harm their victims. One such ransomware is Nefilim. 

Nefilim, also known as Nemty, emerged in 2020 as a new entry on the list of ransomware strains. If victims do not pay the ransom, Nefilim threatens to release their information to the public; it runs its own leak site, called Corporate Leaks, hosted on Tor. 

As Michael Heller of Sophos explains, Rapid Response is a 24/7 Sophos service that helps organizations detect and neutralize active threats as quickly as possible. Recently, a company attacked with the Nefilim ransomware reached out to Sophos Rapid Response for help. In that incident, a Nefilim attack that locked up more than 100 systems was traced back to the compromised, unmonitored account of an employee who had died three months earlier. The attackers moved silently through the network, stole domain admin credentials, then located and exfiltrated hundreds of GB of data before unleashing any malware that would reveal their presence. The account had evidently been kept active deliberately because it was used by utilities, so the Rapid Response team had to determine which actions from that account were legitimate and which were malicious. 

Like nearly all major ransomware, Nefilim replaces the original files with encrypted copies, making recovery difficult without either a decryption key or a recent backup. As soon as the customer engaged Sophos, the Rapid Response team took steps to deploy protection to any systems that needed it, to ensure that all required security measures were in place on systems already protected by Sophos, and to find evidence of how and where the intrusion started and what could have been stolen. 

According to Michael Heller, the latest victim was compromised through a vulnerable version of Citrix software, after which the actors obtained the domain admin account using Mimikatz. In general, the actors gain initial access either through vulnerable Citrix software or through Remote Desktop Protocol. 

“Ransomware is the final payload in a longer attack. It is the attacker telling you they already have control of your network and have finished the bulk of the attack. It is the attacker declaring victory,” said Peter Mackenzie, manager of Rapid Response. “Identifying you are under a ransomware attack is easy, identifying the attacker was on your network a week earlier is what counts.”

Cybersecurity Company Sophos Hit By Data Breach Attack, Company Informs Customers

Sophos, a UK-based cybersecurity company, recently suffered a data breach. The company has notified its customers by email of the incident, which occurred last week. The exposed information includes names, email addresses and contact numbers. According to Sophos, only a small number of customers were affected: a spokesperson said a "small subset" of customers was affected, without providing any further details. 

Earlier this week, the company was informed of an access permission problem in a tool that stores information on customers who contact Sophos Support, it told customers in the email. 

The company says it learned of the issue from an expert and fixed the misconfiguration as soon as it was reported. According to Sophos, customer privacy and security are its top priority, and it is currently contacting all affected customers. 

In addition, the company has implemented preventive measures to ensure that permission settings cannot be exploited again. The breach is the second cybersecurity incident Sophos has suffered this year. 

In April, in a somewhat similar incident, hackers found and exploited a zero-day vulnerability in Sophos XG Firewall and attacked companies worldwide. The hackers used the Asnarok malware, but once the vulnerability was disclosed they shifted to ransomware, and ultimately failed. 

The email reads, "On November 24, 2020, Sophos was advised of an access permission issue in a tool used to store information on customers who have contacted Sophos Support. As a result, some data from a small subset of Sophos customers was exposed. We quickly fixed the issue. Your information was exposed, but due to remediation measures we have taken, your data is no longer exposed. Specifically, first name, last name, email address, and, where provided, a contact phone number. 

There is no action that you need to take at this time. At Sophos, customer privacy and security are always our top priority. We are contacting all affected customers. Additionally, we are implementing additional measures to ensure access permission settings are continuously secure."