Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Sophos. Show all posts
Sophos
Cyberbreaches CyberCrime Fake IT Support malware Micrpsoft Teams ransomware attacks Sophos

Fake IT Support Used by Ransomware Gangs in Microsoft Teams Breaches

 


The Sophos security team has identified two ransomware campaigns that are utilizing Microsoft Teams to steal data from organizations, and the crooks may be allied with Black Basta and FIN7. In the X-Ops Managed Detection and Response (MDR) service, Sophos X-Ops responds to incidents related to two different groups of threat actors. In each case, the attackers gained access to targeted organizations by using the Microsoft Office 365 platform to steal data and deploy ransomware to steal data. 

This pair of separate clusters of activity were investigated by Sophos MDR in November and December 2024 as a result of customer reports, and the threat is tracked as STAC5143 and STAC5777, respectively. The two groups are utilizing Microsoft Office 365 services, including Teams and Outlook, to gain access to victim organizations, according to Sophos, who has observed over 15 incidents in just the past two weeks, the majority of which took place between November and December 2024. 

According to Sophos, the attackers took advantage of a Microsoft Teams configuration that allows users from external domains to initiate chats or meetings with internal users, thereby taking advantage of a default configuration, he warned. As a result of threat actors exploiting Microsoft Teams to pose as tech support personnel, attackers gain initial access to victim organizations by using the platform, and their goal is to steal data and deploy ransomware, according to a report released on Tuesday by Sophos, which examined ongoing threat campaigns related to these two threats. 

A customer who received over 3,000 spam emails in 45 minutes in November of last year first brought STAC5143 to the attention of the Sophos team. Shortly thereafter, a Microsoft Teams call from outside the organization, coming from a bogus "Help Desk Manager" account, reached out to the customer, and he was instructed to allow a remote screen control session through Microsoft Teams to resolve the issue. 

As it turned out, the attacker was exploiting this vulnerability to inject malicious files into the victim's computer as well as infect the computer with malware by opening a command shell and dropping some files on it. The attacker had downloaded a Java archive (JAR) file (MailQueue-Handler.jar), as well as Python scripts (RPivot backdoor). As soon as the attackers have established a command-and-control channel with their target, they utilize the target's credentials to disable multifactor authentication and antivirus protections. 

They then connect to other computers in the network and move laterally to compromise additional computers and systems. Java code performed some reconnaissance work as well, mostly scoping out the user's account name and local network, before extracting and running from the snow.zip archive the payload contained a Python-based backdoor that could be used to remote control the Windows computer remotely. 

Python code included a lambda function to obfuscate the malware, which matched Python malware loaders previously spotted as part of the FIN7 malware campaign.  Two other Python pieces were extracted as part of the malware, including copies of the publicly available reverse SOCKS proxy RPivot, which FIN7 had previously used in its earlier attacks. 

As with the STAC5777 attacks, the malware started with large amounts of spam emails being sent to targeted organizations, followed by team messages claiming to be from the organization's IT department and requesting that they be contacted to stop the spam. CyberScoop spoke to Sean Gallagher, Sophos's principal threat researcher, and the study's lead author. 

Gallagher explained that his team had observed multiple individuals and at least 15 organizations using these tactics, and most of them were blocked before they were able to compromise the device they were attempting to compromise. Using the social engineering technique of posing as a technical support representative is a well-known social engineering method used by malicious hackers to compromise large, multinational companies.

Cybercriminal groups such as Lapsus$ have used this scheme for several years to compromise large, multinational corporations. It is, however, mainly smaller organizations that have been targeted by Office 365 and Teams, and it illustrates how threat groups have increasingly capitalized on the rush by small and mid-sized businesses to adopt cloud computing and digitization, especially after the COVID-19 virus pandemic. 

A significant portion of these small organizations were left vulnerable by the fact that, for the first time, they were using unfamiliar software like Microsoft Office 365, Teams, and Azure. It is a piece of malware, winhttp.dll, that is sideloaded into a legitimate oneDriveStandaloneUpdater.exe process, which is then relaunched by a PowerShell command when Windows starts up. Through the Windows API, the malicious DLL logs the user's keystrokes, gathers credential information from files and the registry, and scans the network for potential pivot points via SMB, RDP, and WinRM. 

Once a C2 connection has been established, the OneDriveStandaloneUpdater.exe process is started and a check is performed to see if there are any Remote Desktop Protocol hosts or Windows Remote Management hosts that can be accessed with stolen credentials. It appears that the attackers then attempted to move laterally to other hosts to continue their attack. 

One instance of this was when the attackers used the backdoor to uninstall local multifactor authentication integration on a compromised device, and Sophos has also found that the attackers have been hoovering up local files whose names contained the word "password". In one instance, STAC5777 was trying to infect the machine with the Black Basta ransomware - even though Sophos assured that its security protections blocked it from infecting the machine. 

According to the researchers, the threat actor has access to Notepad and Word files that have the word "password" in them. Moreover, the attackers also accessed two Remote Desktop Protocol files, likely searching for credentials. To prevent external domains from initiating messages and calls on Microsoft Teams and disabling Quick Assist in critical environments, organizations should consider implementing these tactics in the ransomware space as they become more prevalent.
Read more »
TLS
C2 Chinese Hackers Chinese Threat Actors Cyber Attacks Malware Attack NCSC Sophos TLS

NCSC Unveils “Pigmy Goat” Malware Targeting Sophos Firewalls in Advanced Chinese Cyberattack

 

The National Cyber Security Centre (NCSC) recently disclosed the presence of a Linux malware, “Pigmy Goat,” specifically designed to breach Sophos XG firewall devices. This malware, allegedly developed by Chinese cyber actors, represents a significant evolution in network infiltration tactics due to its complexity and advanced evasion methods. 

This revelation follows Sophos’ recent “Pacific Rim” reports, which detail a five-year campaign involving Chinese threat actors targeting network devices at an unprecedented scale. Among the identified tools, “Pigmy Goat” stands out as a rootkit crafted to resemble legitimate Sophos product files, making it challenging to detect. This strategy is known to use stealth by masking its identity within commonly named system files to evade basic detection protocols. “Pigmy Goat” enables threat actors to establish persistent, unauthorized access to the target’s network. Using the LD_PRELOAD environment variable, it embeds itself in the SSH daemon (sshd), allowing it to intercept and alter incoming connections. 

The malware seeks specific sequences called “magic bytes” to identify backdoor sessions, which it redirects through a Unix socket, thereby concealing its presence from standard security monitoring. Once a connection is established, it communicates with command and control (C2) servers over TLS. The malware cleverly mimics Fortinet’s FortiGate certificate, blending into networks where Fortinet devices are prevalent, to avoid suspicion. This backdoor offers threat actors multiple capabilities to monitor, control, and manipulate the network environment. Through commands from the C2, attackers can remotely open shell access, track network activity, adjust scheduled tasks, or even set up a SOCKS5 proxy, which helps them remain undetected while maintaining control over the network. These actions could allow unauthorized data access or further exploitation, posing significant threats to organizational cybersecurity. 

The NCSC report aligns “Pigmy Goat” with tactics used in “Castletap” malware, which cybersecurity firm Mandiant has linked to Chinese nation-state actors. The report’s insights reinforce concerns over the evolving sophistication in state-sponsored cyber tools aimed at infiltrating critical network infrastructure worldwide. Detection and prevention of “Pigmy Goat” are crucial to mitigating its impact. The NCSC report provides tools for identifying infection, including file hashes, YARA rules, and Snort rules, which can detect specific sequences and fake SSH handshakes associated with the malware. 

Additionally, monitoring for unusual files and behaviours, such as encrypted payloads in ICMP packets or the use of ‘LD_PRELOAD’ within the sshd process, can be effective. These insights empower network defenders to recognize early signs of compromise and respond swiftly, reinforcing defences against this sophisticated threat.
Read more »
Sophos report
BYOVD Attack Cyber Attacks EDR GitHub Malware Attack RansomHub Sophos Sophos report

RansomHub Deploys EDRKillShifter Malware to Disable Endpoint Detection Using BYOVD Attacks

 

Sophos security researchers have identified a new malware, dubbed EDRKillShifter, used by the RansomHub ransomware group to disable Endpoint Detection and Response (EDR) systems in attacks leveraging Bring Your Own Vulnerable Driver (BYOVD) techniques. This method involves deploying a legitimate but vulnerable driver on a target device to gain escalated privileges, disable security measures, and take control of the system. 

The technique has gained popularity among various threat actors, including both financially motivated ransomware groups and state-sponsored hackers. The EDRKillShifter malware was discovered during an investigation of a ransomware incident in May 2024. The attackers tried to use this tool to disable Sophos protection on a targeted computer but were unsuccessful due to the endpoint agent’s CryptoGuard feature, which prevented the ransomware executable from running. Sophos’ investigation revealed two different malware samples, both exploiting vulnerable drivers with proof-of-concept code available on GitHub. These drivers include RentDrv2 and ThreatFireMonitor, the latter being part of an obsolete system-monitoring package. 

The malware’s loader execution process follows a three-step procedure. Initially, the attacker launches the EDRKillShifter binary with a password string to decrypt and execute an embedded resource named BIN in memory. This code then unpacks and executes the final payload, which installs and exploits a vulnerable driver to elevate privileges and disable active EDR processes. Once the driver is loaded, the malware creates a service and enters an endless loop that continuously monitors and terminates processes matching names on a hardcoded target list. Interestingly, the EDRKillShifter variants discovered were compiled on computers with Russian localization, and they exploit legitimate but vulnerable drivers, using modified proof-of-concept exploits found on GitHub. 

Sophos suspects that the attackers adapted portions of these proofs-of-concept and ported the code to the Go programming language. To mitigate such threats, Sophos advises enabling tamper protection in endpoint security products, separating user and admin privileges to prevent the loading of vulnerable drivers, and keeping systems updated. Notably, Microsoft continually de-certifies signed drivers known to have been misused in previous attacks. Last year, Sophos identified another EDR-disabling malware, AuKill, which similarly exploited a vulnerable Process Explorer driver in Medusa Locker and LockBit ransomware attacks.
Read more »
Technology
Critical Infrastructure Ransom Payment Ransomware Sophos Technology

How Ransomware is Draining Resources from Critical Infrastructure

How Ransomware is Draining Resources from Critical Infrastructure

The Rising Cost of Ransomware Attacks on Critical Infrastructure

The costs of ransomware attacks on critical national infrastructure (CNI) firms have soared over the last year.

According to Sophos' newest numbers, which were revealed today, the typical ransom payment increased to $2.54 million, more than 41 times last year's total of $62,500. The mean payment for 2024 is considerably greater, at $3.225 million, representing a less dramatic 6-fold rise.

IT, technology, and telecoms were the least likely to pay large sums to hackers, with an average payment of $330,000, but lower education and federal government organizations reported the highest average payments of $6.6 million.

The figures are based solely on ransomware victims who were willing to reveal the specifics of their mistakes, thus they do not provide the full picture.

The Escalating Financial Burden

Only 86 of the 275 CNI organizations surveyed provided statistics on ransom payments. There's a significant risk that the results would be distorted if all of the CNI ransomware victims polled were completely upfront with their information.

Costs to recover from ransomware attacks have also increased dramatically since the researchers' findings last year, with some CNI industries' costs quadrupling to a median average of $3 million per event.

The Impact on Critical Infrastructure

According to the report, only one in every five people were able to recover in a week or less, down from 41 percent the previous year and 50 percent the year before that. The percentage of victims who take more than a month to recuperate has also increased to 55%, up from 36% last year. 

Sophos stated in its analysis that this could be due to attacks getting more sophisticated and complicated, requiring more work from the IT team to effectively repair all of the damage caused by the crimes. However, the vendor's global field CTO, Chester Wisniewski, believes the industries should reevaluate their propensity to pay ransoms.

Read more »
Sophos
Cyber Attacks Junk-Gun RaaS Ransomware Sophos

Junk Ransomware: Getting the Job Done For Hackers


Sophos detects ransomware

In an April 17 analysis from its Sophos X-Ops research team, cybersecurity firm Sophos observed an increase in low-cost, primitive ransomware—a boon for aspiring threat actors and a headache for defenders.

It's far more difficult to find something that there are only twenty copies of in the world, said Christopher Budd, director of threat research at Sophos X-Ops.

The group linked the choices to the cheap handguns that flooded the US firearms market in the 1960s and 1970s, known as junk guns.

Between June 2023 and February 2024, the Sophos team spotted 19 different types of "independently produced, inexpensive, and crudely constructed ransomware." Some missed clean graphics, while others used programming languages like C# and.NET, which "have a shallower learning curve," noted the paper.

It seems to be a fairly recent thing,"  noting that poor-quality malware has existed for decades.

Varying costs

Sophos discovered one with no price indicated, two open-source models, one for $20 (later reduced to free), and one for 0.5 BTC (about $13K).

According to a 2023 research by cybersecurity firm CrowdStrike, the cost of a Ransomware as a Service (RaaS) kit "ranges from $40 per month to several thousand dollars." RaaS models depend on affiliates purchasing ransomware and consenting to a subscription fee based on the victim's payment.

Junk-gun ransomware

Junk-gun ransomware destroys that commission: capitalism in action, in a sense.

In most instances, you don't have any kind of partner fees to pay, Budd stated.

Only three of the "junk" kinds paid a subscription fee

Ransomware groups such as LockBit have become large enough to be tracked and halted by government agencies. Junky ransomware has the potential to fly under the radar and bypass detection technology.

There is no single source of knowledge for investigators and researchers to track, the Sophos report stated.

Budd and his crew saw users asking basic inquiries in forums praising the cheap items. What is the best language for creating ransomware? Is writing in C# worthwhile? How should malware be priced and sold?

Budd describes a forum featuring inexpensive ransomware and beginner queries as a welcome place for young hackers waiting for their chance in the big leagues.

Step forward

Junk-gun ransomware presents specific problems for small enterprises, the general public, and the security industry. We saw threat actors expressly refer to assaults against smaller companies and individuals, even as they tried to figure out which types of companies to target and how much ransom to demand because such targets are often less well-defended, knowledgeable, and prepared.

At this point, junk-gun ransomware causes several challenges for the security industry. It is difficult to get samples of junk-gun ransomware, assess how widely it has been deployed in the wild, and monitor new variants. 

Threat actors may also adopt the 'brand names' of well-known ransomware families, presumably to capitalize on their reputations, which can lead to misunderstanding among experts.
Read more »
Supply Chain Attack
Cyber Security Hackers Healthcare Hack Multi-Factor Authentication (MFA) NCC Group Ransomware Attacks. Software Sophos Supply Chain Attack

Ransomware's Alarming Surge and Active Adversaries


Ransomware attacks have increased dramatically recently, worrying the cybersecurity community and heralding a new era of cyber threats. The convergence of sophisticated tactics used by hostile actors, as described in numerous reports, highlights the necessity of increased attention and proactive protection tactics.

According to reports, ransomware attacks have increased to previously unheard-of levels, and threat actors are continually modifying their strategies to find weak points. Targets increasingly include crucial infrastructure, the healthcare industry, and even political entities, going beyond traditional industries. Additionally, the demands of the attackers have grown exponentially, with multi-million dollar ransoms becoming distressingly regular.

The Sophos research on an active adversary targeting IT executives provides a window into the daring methods used by cybercriminals. The intricacy of contemporary cyber threats is being demonstrated by this adversary's capacity to influence supply chains and sneak inside businesses. These threats are now part of a larger, well-planned campaign rather than separate instances.

The cyber threat intelligence reports by NCC Group offer priceless insights into the changing strategies used by ransomware operators. These papers emphasize the evolving nature of cyber threats and the necessity for enterprises to stay on top of the situation. Organizations may efficiently enhance their defenses thanks to the comprehensive studies of threat vectors, malware families, and mitigation techniques.

The effects of a successful ransomware assault go beyond monetary losses because of how linked the digital world is becoming. The loss of vital services, the compromising of private information, and the deterioration of public confidence are just a few of the serious repercussions. Organizations need to take a multifaceted strategy for cybersecurity to combat this.

Organizations must first make significant investments in solid security measures, such as frequent software updates, vulnerability analyses, and personnel training. Systems for proactive monitoring and threat detection are essential given the constantly changing strategies used by hackers. Additionally, by keeping offline backups, you may prevent giving in to ransom demands and ensure that data recovery is still possible even during an attack.

Collaboration within the cybersecurity community is equally vital. Sharing threat intelligence and best practices helps fortify collective defenses and pre-empt emerging threats. Government bodies, private enterprises, and security researchers must collaborate to create a united front against cyber threats.
Read more »
Sophos
Cybersecurity Data Encryption Enterprise security Ransomware Sophos

Ransomware Attacks on the Rise in Manufacturing Industry

Threat of Ransomware Attacks

The Growing Threat of Ransomware Attacks

According to a recent report by Sophos, a global leader in cybersecurity, more than two-thirds (68%) of manufacturing companies hit by ransomware attacks globally had their data encrypted by hackers. This is the highest reported encryption rate for the sector over the past three years and is in line with a broader cross-sector trend of attackers more frequently succeeding in encrypting data.

Ransomware attacks have become an increasingly common threat to businesses and organizations of all sizes. These attacks involve hackers gaining access to a company's computer systems and encrypting their data, making it inaccessible to the company. The hackers then demand a ransom payment in exchange for the decryption key.

Manufacturing Industry Hit Hard by Ransomware

The manufacturing industry has been particularly hard hit by these attacks. Despite an increase in the percentage of manufacturing organizations that used backups to recover data, with 73% of the manufacturing firms using backups this year versus 58% in the previous year, the sector still has one of the lowest data recovery rates.

This highlights the importance of companies taking proactive measures to protect themselves against ransomware attacks. This includes regularly backing up important data, keeping software and systems up to date with the latest security patches, and training employees on how to recognize and avoid phishing emails and other common attack vectors.

Protecting Against Ransomware: Best Practices for Companies

In addition to these preventative measures, companies should also have a plan in place for how to respond in the event of a ransomware attack. This includes knowing who to contact for assistance, having a communication plan for informing customers and other stakeholders and having a plan for how to restore operations as quickly as possible.

The threat of ransomware attacks is not going away anytime soon. By taking proactive steps to protect themselves, companies can reduce their risk of falling victim to these attacks and minimize the impact if an attack does occur.

Read more »
Sophos
Crypto Cyber Attacks Encryption Ransomware Attacks. RSA Sophos

The Persistent Threat of Ransomware: RSA Conference 2023 Highlights

The cybersecurity industry's highest-profile annual gathering, the RSA Conference, has focused heavily on the ongoing and increasing threat of ransomware. Last year, 68% of all cyberattacks involved ransomware, according to cybersecurity firm Sophos. 

The National Security Agency's director of cybersecurity, Rob Joyce, recently confirmed that Russian hackers are now weaponizing ransomware to target Ukrainian logistics companies and organizations in Western-allied countries.

Ransomware typically begins with file-encrypting malware being installed on an organization's network, which is then followed by a ransom note displayed on every screen. Hackers demand payment, often in cryptocurrency, to unlock the networks and prevent any data leaks. In recent years, ransomware has affected schools, hospitals, small businesses, and more.

At RSA, conversations have shifted from viewing ransomware as a mere annoyance to a persistent and dangerous threat. A panel on the last day of the conference acted out a hypothetical response to an Iran-backed ransomware attack on US banks in 2025, highlighting the severity of the threat.

The shift in perspective is in response to the increasing sophistication and persistence of ransomware attacks, as well as the fact that cybercriminals have been successful in monetizing their activities. The use of cryptocurrency for payment also makes it more difficult for law enforcement to trace the source of the attacks.

Ransomware attacks are now considered to be a "forever problem," meaning they will be a persistent threat for the foreseeable future. Organizations and individuals must take proactive steps to prevent attacks, including maintaining strong security measures and regularly backing up data. It is also crucial to be vigilant for any suspicious activity and to report any potential attacks immediately to the appropriate authorities.

In conclusion, ransomware attacks continue to be a major concern for cybersecurity professionals, and their impact will only continue to grow. Organizations and individuals must be proactive in their cybersecurity measures to prevent attacks and minimize damage.

Read more »
Subscribe to: Posts (Atom)