Interlock Ransomware: New Threat Targeting FreeBSD Servers and Critical Infrastructure Worldwide

 

The Interlock ransomware operation, launched in late September 2024, is increasingly targeting organizations around the globe. Distinctly, this new threat employs an encryptor specifically designed to attack FreeBSD servers, a relatively uncommon tactic among ransomware groups.

Interlock has already affected six organizations and publicly leaked stolen data after ransoms went unpaid. One prominent victim, Wayne County in Michigan, experienced a cyberattack early in October, adding to the list of affected entities.

Details about Interlock remain limited, with early reports emerging from cybersecurity responder Simo in October. Simo's analysis noted a new backdoor associated with the ransomware, discovered during an investigation on VirusTotal.

Shortly after, MalwareHunterTeam identified a Linux ELF encryptor related to Interlock. Upon further examination, BleepingComputer confirmed that this executable was built specifically for FreeBSD 10.4, though attempts to execute it in a FreeBSD environment failed.

Although ransomware targeting Linux-based VMware ESXi servers is common, an encryptor for FreeBSD is rare. The now-defunct Hive ransomware, disrupted by the FBI in 2023, was the only other known operation with a FreeBSD encryptor.

Trend Micro researchers shared additional samples of the Interlock FreeBSD ELF encryptor and a Windows variant, noting that FreeBSD is often used in critical infrastructure. This likely makes it a strategic target for Interlock, as attacks on these systems can lead to significant service disruptions.

Trend Micro emphasizes that Interlock’s focus on FreeBSD infrastructure allows attackers to disrupt essential services and demand high ransoms, as these systems are integral to many organizations’ operations.

It is important to note that Interlock ransomware is unrelated to any cryptocurrency token of the same name.

While BleepingComputer encountered issues with running the FreeBSD encryptor, they successfully tested the Windows version, which performed actions like clearing event logs and deleting the main binary using rundll32.exe if self-deletion is enabled.

When encrypting files, Interlock appends the .interlock extension and generates a ransom note titled "!README!.txt" in each affected folder. The note explains the encryption, threats, and includes links to a Tor-based negotiation site where victims can communicate with the attackers. Each victim receives a unique ID and email for registration on this negotiation platform.
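As an added, defender-side illustration of the artifacts just described (this is not code from the original post or from any of the researchers cited), the Python sweep below walks a directory tree and reports files carrying the .interlock extension together with the folders that hold a !README!.txt note. The sample tree it builds is constructed for the demonstration; a real sweep would point `sweep()` at the suspected share or volume.

```python
"""Filesystem sweep for the Interlock artifacts named above: encrypted files
carrying the ".interlock" extension and the "!README!.txt" ransom note
dropped in each affected folder. Added illustration; the sample tree it scans
is constructed here and is not output from real malware."""
import os
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".interlock"   # extension reported for Interlock
RANSOM_NOTE = "!README!.txt"   # ransom note filename reported for Interlock


@dataclass
class SweepResult:
    encrypted_files: list = field(default_factory=list)   # paths relative to root
    note_dirs: list = field(default_factory=list)         # dirs relative to root
    # A note without encrypted files (or the reverse) deserves a second look:
    # an interrupted run, or a note copied around by a user.
    inconsistent_dirs: list = field(default_factory=list)

    @property
    def hit(self) -> bool:
        return bool(self.encrypted_files or self.note_dirs)


def sweep(root: str) -> SweepResult:
    """Walk `root` and collect indicators from filenames only; nothing is
    opened, which keeps a wide sweep fast and avoids touching encrypted data."""
    result = SweepResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        has_note = RANSOM_NOTE in filenames
        encrypted_here = sorted(
            os.path.join(rel_dir, f) for f in filenames
            if f.lower().endswith(ENCRYPTED_EXT)
        )
        result.encrypted_files.extend(encrypted_here)
        if has_note:
            result.note_dirs.append(rel_dir)
        if has_note != bool(encrypted_here):
            result.inconsistent_dirs.append(rel_dir)
    return result


def build_sample_tree(base: str) -> None:
    """Constructed sample: one fully encrypted folder, one clean folder and
    one folder holding only a stray note. Placeholder bytes, not real output."""
    paths = {
        "finance/q3.xlsx.interlock": b"\x00opaque\x00",
        "finance/budget.docx.interlock": b"\x00opaque\x00",
        "finance/!README!.txt": b"ransom note placeholder",
        "public/readme.md": b"# unaffected",
        "shared/!README!.txt": b"ransom note placeholder",
    }
    for rel, data in paths.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo() -> SweepResult:
    """Build the sample tree in a scratch directory, sweep it, clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sweep(tmp)


if __name__ == "__main__":
    r = demo()
    print(f"encrypted files: {r.encrypted_files}")
    print(f"folders with ransom note: {r.note_dirs}")
    print(f"inconsistent folders (note without encrypted files or vice versa): {r.inconsistent_dirs}")
```

The sweep deliberately never opens a file: on a large share that is what keeps the scan fast, and the filename indicators are enough to scope which folders the encryptor reached before isolating the host and restoring from backup.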

During attacks, Interlock breaches networks, steals sensitive data, and then deploys the encryptor to lock down files. The data theft supports a double-extortion scheme, with threats to leak data if ransoms—ranging from hundreds of thousands to millions of dollars—are not paid.

Rise in Ransomware Attacks in Southeast Asia Driven by Rapid Digitalization and Security Gaps

 

A wave of ransomware attacks across Southeast Asia during the first half of this year marks just the beginning of a larger trend. Companies and government agencies, particularly in countries like Thailand, Japan, South Korea, Singapore, Taiwan, and Indonesia, have experienced a dramatic rise in cyberattacks, outpacing the rate of ransomware growth in Europe, as shown by data from Trend Micro. 

With incidents like the June attack by the ransomware group Brain Cipher, which disrupted more than 160 Indonesian government agencies, the frequency of such attacks is expected to increase as the region’s economies expand. Many organizations in Southeast Asia are rapidly digitizing their infrastructure, often prioritizing speed over security. Ryan Flores, a senior manager at Trend Micro, points out that the rush to launch digital services often sidelines security measures. 

This rush, combined with a lack of stringent cybersecurity practices, makes organizations in Asia prime targets for cybercriminals. Recent incidents, such as the ransomware attack on a major Vietnamese brokerage in March and malicious code injections in Japan, indicate that cyber attackers are increasingly focusing on this region. Although North America and Europe remain the primary targets for ransomware, the Asia-Pacific region is experiencing a significant surge in attacks. In 2023, ransomware incidents in Asia grew by 85%, according to cybersecurity firm Comparitech. 

Countries like India and Singapore have become major targets, ranking among the top six countries affected by ransomware, based on Sophos’ “State of Ransomware 2024” report. Ransomware groups are especially targeting critical sectors in the Asia-Pacific region. Manufacturing saw the highest number of attacks, followed by government and healthcare sectors. Rebecca Moody of Comparitech suggests that the absence of strict breach notification laws in many Asian countries contributes to underreporting, which in turn reduces the focus on cybersecurity. While ransomware attacks in Asia are increasing, experts like Trend Micro’s Flores believe this rise is not due to targeted efforts but rather the sheer number of potential victims as companies in the region adopt digital tools without adequately upgrading their security. 

Cybercriminals are opportunistic, targeting any vulnerable infrastructure, regardless of its location. National governments in Asia are beginning to take steps to enhance their cybersecurity regulations. For instance, Singapore updated its Cybersecurity Act in May, and Malaysia introduced new legislation requiring cybersecurity service providers to be licensed. However, experts stress that organizations must prioritize basic security practices, such as regular software patching, strong password policies, and multifactor authentication, to mitigate risks effectively.

China-Backed Earth Baku Broadens Cyber Assaults to Europe, Middle East, and Africa

 

The China-backed threat actor Earth Baku has diversified its targeting footprint beyond the Indo-Pacific region to include Europe, the Middle East, and Africa starting in late 2022. Newly targeted countries include Italy, Germany, the U.A.E., and Qatar, with suspected attacks also detected in Georgia and Romania. Governments, media and communications, telecoms, technology, healthcare, and education sectors are among those singled out as part of the intrusion set.

Trend Micro researchers Ted Lee and Theo Chen, in an analysis published last week, noted that Earth Baku has updated its tactics, techniques, and procedures (TTPs) in more recent campaigns. The group uses public-facing applications such as IIS servers as entry points, subsequently deploying sophisticated malware toolsets in the victim's environment. The findings build upon recent reports from Zscaler and Google-owned Mandiant, which also detailed the threat actor's use of malware families like DodgeBox (aka DUSTPAN) and MoonWalk (aka DUSTTRAP). Trend Micro has assigned them the monikers StealthReacher and SneakCross.

Earth Baku, a threat actor associated with APT41, has been known for its use of StealthVector as far back as October 2020. Their attack chains involve the exploitation of public-facing applications to drop the Godzilla web shell, which is then used to deliver follow-on payloads. StealthReacher has been classified as an enhanced version of the StealthVector backdoor loader, responsible for launching SneakCross, a modular implant and a likely successor to ScrambleCross that leverages Google services for its command-and-control (C2) communication.

The attacks are further characterized by the use of other post-exploitation tools such as iox, Rakshasa, and a Virtual Private Network (VPN) service known as Tailscale. Sensitive data exfiltration to the MEGA cloud storage service is accomplished by means of a command-line utility dubbed MEGAcmd. "The group has employed new loaders such as StealthVector and StealthReacher to stealthily launch backdoor components, and added SneakCross as their latest modular backdoor," the researchers stated.

"The persistence of Earth Baku is notable," said the researchers. "Their tactics show a sophisticated understanding of public-facing applications, allowing them to infiltrate various sectors with precision." They further explained that the group's post-exploitation tools are customized to fit specific operational needs, with iox and Rakshasa playing significant roles in maintaining prolonged access and stealth. Tailscale, the VPN service, ensures the attackers can manage their operations without detection, while MEGAcmd allows for efficient data exfiltration.

The continued evolution of Earth Baku's methods, including the introduction of new malware like SneakCross, highlights the growing complexity and threat posed by this actor. The group’s ability to adapt and refine their TTPs makes them a formidable adversary in the cyber landscape.

LockBit Ransomware: Covertly Evolving Towards Next-Gen Threats Amid Takedown Efforts

 

In a significant development, law enforcement dismantled the infrastructure of LockBit ransomware earlier this week, uncovering the clandestine work on a next-generation file encryption malware. Referred to as LockBit-NG-Dev, this emerging threat, likely the precursor to LockBit 4.0, was revealed through a collaborative effort between the UK's National Crime Agency and cybersecurity firm Trend Micro. 

In a departure from its predecessors built in C/C++, LockBit-NG-Dev is a work-in-progress developed in .NET, compiled with CoreRT, and packed with MPRESS. This strategic shift was brought to light as Trend Micro analyzed a sample of the latest LockBit variant capable of operating across multiple systems, indicating a more sophisticated approach to infection. 

Despite lacking some features present in previous versions, such as self-propagation on compromised networks and printing ransom notes on victims' printers, LockBit-NG-Dev appears to be in its final development stages, providing the most anticipated functionalities. Trend Micro's technical analysis reveals the encryptor's support for three encryption modes (using AES+RSA) – "fast," "intermittent," and "full." It includes a custom file or directory exclusion and the ability to randomize file naming to complicate restoration efforts. 

Notably, the malware features a self-delete mechanism that overwrites LockBit's own file contents with null bytes. The discovery of LockBit-NG-Dev is a significant setback for LockBit operators, following law enforcement's Operation Cronos. Even if the gang still controls backup servers, the exposure of the new encryptor's source code poses a formidable challenge for the cybercriminal business. Restoring operations becomes a daunting task when security researchers have knowledge of the encrypting malware's source code. 

This revelation emphasizes the ongoing battle between law enforcement and cybercriminals, underscoring the need for continued vigilance and collaboration to address evolving threats in the ransomware landscape. 

In conclusion, the revelation of LockBit ransomware secretly building a next-gen encryptor serves as a stark reminder of the persistent and adaptive nature of cyber threats. As organizations and cybersecurity professionals work to stay ahead of evolving ransomware tactics, the need for proactive defenses, continuous threat intelligence sharing, and a collective, global response has never been more critical. LockBit's covert evolution reinforces the urgency of fortifying cybersecurity measures to protect against the ever-changing landscape of sophisticated cyber threats.

Compromised Skype Accounts Facilitate DarkGate Malware Spread

 

Cyber attackers wielding the DarkGate malware have utilized compromised Skype accounts as a vector to infiltrate targets between July and September. They accomplished this by dispatching messages with VBA loader script attachments. 

Trend Micro's security researchers, who detected these attacks, noted that this script is responsible for fetching a second-stage AutoIT script. This script, in turn, is tailored to deploy the final DarkGate malware payload.

Trend Micro explained that gaining access to the victim's Skype account provided the attacker with the ability to take control of an ongoing messaging thread. This allowed them to manipulate the naming of files to align with the context of the conversation. 

Although the means by which the initial accounts of instant messaging applications were compromised remains unclear, it is theorized to have occurred either through leaked login credentials available on underground forums or as a consequence of a prior breach of the parent organization.

Furthermore, Trend Micro observed instances where DarkGate operators attempted to deliver their malware payload through Microsoft Teams. This occurred in organizations where the service was set up to accept messages from external users. 

Previously, Truesec and Malwarebytes had identified phishing campaigns targeting Microsoft Teams users. These campaigns used malicious VBScript to deploy the DarkGate malware. The attackers targeted users via compromised Office 365 accounts outside their respective organizations and leveraged a tool named TeamsPhisher.

This tool enabled the bypassing of restrictions on incoming files from external sources, enabling the transmission of phishing attachments to Teams users. The ultimate objective remained infiltrating the entire environment. Depending on the specific threat group employing the DarkGate variant, the threats ranged from ransomware to cryptomining.

Trend Micro's telemetry data indicated that DarkGate frequently led to the detection of tools commonly associated with the Black Basta ransomware group.

The use of the DarkGate malware loader for initial access into corporate networks has been on the rise, especially following the dismantling of the Qakbot botnet in August through an international collaborative effort.

Prior to the disruption of Qakbot, an individual claiming to be the developer of DarkGate sought to sell subscriptions on a hacking forum, pricing them at up to $100,000 annually. The malware was marketed with an array of features, including a concealed VNC, capabilities to evade Windows Defender, a tool for pilfering browser history, an integrated reverse proxy, a file manager, and a Discord token snatcher.

Subsequent to this announcement, there has been a noticeable surge in reported DarkGate infections via various delivery methods like phishing and malvertising.

This recent upswing in DarkGate activity highlights the escalating influence of this malware-as-a-service (MaaS) operation within the realm of cybercrime. It underscores the unwavering determination of threat actors to persist in their attacks, demonstrating adaptability in tactics and methods despite disruptions and obstacles.

The Complex Landscape of Cybersecurity Threats in South Africa


Trend Micro has recently revealed that, in the course of 2023, it has detected over 86 million email threats, nearly four million malicious URLs, and more than 4,000 malicious mobile apps targeted at South African businesses and consumers’ systems.

The revelation comes at a time when South Africa is witnessing consistent complexities in its cybersecurity threat landscape. 

The revelations were made in Trend Micro’s 2023 Midyear Cybersecurity Threat Report, which presents findings gleaned from in-depth telemetry involving millions of business and consumer clients. The research sheds light on both threat actor actions and new trends in criminal tactics, providing security defenders working to outwit crafty cybercriminals with useful advice.

The Developments Made in Ransomware 

In the first half of 2023, Trend Micro was able to block around 15 million malware families, with ransomware posing a significant threat to regional organizations. In June alone, around 2,500 ransomware detections were reported. The Midyear Report digs deeply into the evolving strategies used by ransomware groups, including how they have modified tools and methods for more effective data extraction and how their revenue models have changed.

One of the risks arises from the newly discovered ‘Mimic’ ransomware, which cleverly deploys legit search engine tools to locate files for encryption. Apparently, Mimic has certain links with the notorious Conti ransomware group, further indicating the cooperation between these criminal organizations for the sake of lowering costs, expanding their market reach, and engaging in ongoing criminal activity. The report also highlights a change in ransomware groups' priorities, with a specific focus on data exfiltration involving bitcoin theft and corporate email compromise (BEC). 

AI’s Influence on Cybercrime Activities 

Another trend that came to light in 2023 is the growing use of AI by threat actors in conducting cybercrimes. While South African companies are adopting AI technologies to up their game, threat actors are also embracing high-end technologies to design more complicated cyber scams. These scams may include virtual kidnapping, in which AI-generated deepfake voices are used to pressure victims into paying the ransom.

Additionally, AI tools like ChatGPT have given cybercriminals the ability to automate data collection, create target groups, and recognize weak behaviours, making it simpler to launch harpoon-whaling attacks. These attacks entail the deceptive targeting of executives via emails that are highly tailored, urgently written, and contain details specific to the target. The effort needed to target CEOs has been greatly decreased thanks to the usage of AI, making it simpler to shoot for a big target.

Innovations Expanding Threat Risk

Threat actors are continually looking for new ways to attack people as technology advances. With the rise of connected cars, attackers want to gain access to user account data to enable crimes. After hijacking accounts or acquiring credentials through phishing or malware, cybercriminals may identify and break into vehicles for theft or other illegal acts; they may even target the owner's home location for a break-in while the owner is away.

The reason behind threat actors’ interest in South Africa is the increased uptake of smart home networks (SHN). Trend Micro found more than 1.5 million inbound SHN attacks in the nation during the first half of 2023. Smaller platforms, such as file transfer services like MOVEit, business communications software like 3CX, and print management software options like PaperCut, have become more vulnerable as a result of these attacks.

Zaheer Ebrahim, Solutions Architect for the Middle East and Africa at Trend Micro, further highlights that the unending complexity now seen in hacker tactics poses a severe threat to local businesses. Given the constantly changing world of digital security, he emphasizes the significance of identifying potential risks and threats in order to make wise decisions and proactively build cybersecurity defences.

Mimic Attacks: Ransomware Hijacking Windows ‘Everything’ Search Tool


Trend Micro has recently revealed details of a new type of ransomware that abuses the APIs of the 'Everything' search tool to attack English- and Russian-speaking Windows users.

The malware was discovered by the security firm researchers in June 2022 and was named ‘Mimic.’ According to the researchers, the malware has been “deleting shadow copies, terminating multiple applications and services, and abusing Everything32.dll functions to query target files that are to be encrypted.” 

The researchers also found that some of the code in Mimic shared similarities with the infamous Conti ransomware, which was leaked in early 2022 following a number of high-profile incidents. 

Mimic Attacks 

Mimic ransomware attacks begin with targeted victims receiving an executable, most likely via email, that extracts four files onto the target system, including the main payload, ancillary files, and tools to disable Windows Defender.

The researchers' findings reveal that the attack package largely consisted of legitimate files, one of which contains the malicious payloads. Mimic is a sophisticated strain of ransomware that can use command-line options to target specific files and multiple processor threads to encrypt data more rapidly.

According to Trend Micro, this combination of several active threads and the way it abuses Everything's APIs enable it to operate with minimum resource consumption, leading to a more effective execution and attack. 

What Could be the Solution? 

One of the best measures advised to companies is implementing a multilayered approach, which provides the most effective security, including data protection, backup and recovery measures.

Utilizing a range of software that is designed to prevent, mitigate and combat attacks on personal and business computers will add another layer of protection to the systems.

Moreover, conducting regular vulnerability assessments and patching those vulnerabilities as soon as security updates become available will additionally aid in combating potential ransomware attacks.

FBI: To Install Malware, Hackers are Buying Ad Services

 

The FBI has recommended that citizens install an ad blocker to safeguard themselves from internet security threats, as cybercriminals use ads to spread ransomware and steal information.

Trend Micro claims that Royal is the beta version of the Zeon ransomware that first appeared this year and was linked in August to Conti Team One, one of the organizations responsible for the propagation of the Conti ransomware.

According to a chart that security expert Vitali Kremez shared in August, there were three groups of cybercriminals operating behind Conti: one switched to Quantum ransomware, another operates the Black Basta, Karakurt, and Blackbyte ransomware families, as well as Royal, and the third was shut down in early 2022.

Royal ransomware has been employed in assaults mostly aimed at targets in the US and Brazil, according to Trend Micro. It is typically delivered via callback phishing, tricking victims into downloading remote access software.

The FBI highlighted that these adverts were also used to spoof financial websites, notably exchange platforms for cryptocurrencies.

Businesses employ search engine advertising services to make sure their ads show up at the top of search results, with the smallest possible visual difference between an advertisement and a real search result. However, the warning noted that online criminals are also purchasing these services for illicit purposes, using domains that resemble those of legitimate businesses or services.

How to spot fake advertisements:
  • Before clicking an advertisement, check the URL. Look for typos or unusual suffixes in a link, as these reveal the true destination.
  • If you want to look up a business, type its address into the browser's address bar rather than using a search engine like Google.
  • Try using an ad blocker. These block all advertisements, so you avoid fraudulent ads but also miss legitimate ones.
Ad blockers can help consumers avoid misleading adverts, but they can also degrade the online experience. Many websites depend on advertising, so some won't let you visit if you are using an ad blocker. When using an ad blocker, add your trusted websites to the program's allow list. This lets you see advertising on those sites while still blocking it elsewhere.
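The URL checks in the FBI list above can be partly automated. The Python snippet below is an added example (not from the FBI notice or the original post): it extracts the registrable domain from a link, compares it with the domain a brand is known to use, and reports typo-distance lookalikes, unexpected suffixes and brand-as-subdomain tricks. The KNOWN_BRANDS table and the sample URLs are constructed for the demonstration, and the registrable-domain helper is a simplified approximation of a public suffix list, which is an assumption of this example rather than something the notice prescribes.

```python
"""Checks a link against the FBI advice quoted above: compare the real host
with the brand the link claims to be, and flag typos or unusual suffixes.
Added illustration; the brand table and sample URLs are constructed."""
from urllib.parse import urlsplit

# Constructed allow list: brand name -> registrable domain it really uses.
KNOWN_BRANDS = {
    "examplebank": "examplebank.com",
    "coinexchange": "coinexchange.net",
}
# Second-level labels some registries use, so "foo.co.uk" -> "foo.co.uk".
COUNTRY_SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain (eTLD+1) of a hostname.
    Assumption for this example: a real public suffix list is more accurate."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and labels[-2] in COUNTRY_SECOND_LEVEL
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance to the brand label is the
    classic typosquat signal (examp1ebank, exmaplebank)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url: str, claimed_brand: str) -> dict:
    """Verdict and reasons for a link that claims to belong to `claimed_brand`.
    'ok' only when the registrable domain matches the known one exactly."""
    reasons = []
    host = urlsplit(url).hostname or ""
    expected = KNOWN_BRANDS[claimed_brand]
    actual = registrable_domain(host)
    if actual == expected:
        return {"verdict": "ok", "host": host, "reasons": reasons}

    exp_label, exp_suffix = expected.split(".", 1)
    parts = actual.split(".", 1)
    brand_label = parts[0]
    # Brand name present only as a subdomain of some unrelated domain.
    if claimed_brand in host and claimed_brand not in actual:
        reasons.append("brand used as subdomain of an unrelated domain")
    # Right brand label, wrong suffix (examplebank.support, examplebank.co.uk).
    if brand_label == exp_label and len(parts) == 2 and parts[1] != exp_suffix:
        reasons.append("unexpected suffix: ." + parts[1])
    # Near-miss spelling of the brand label.
    d = edit_distance(brand_label, exp_label)
    if 0 < d <= 2:
        reasons.append(f"label within {d} edit(s) of '{exp_label}'")
    if not reasons:
        reasons.append("domain does not match the claimed brand")
    return {"verdict": "suspicious", "host": host, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links, one genuine and three lookalikes.
    for link in ("https://www.examplebank.com/login",
                 "https://examp1ebank.com/login",
                 "https://examplebank.com.secure-verify.net/",
                 "https://examplebank.support/"):
        v = assess_url(link, "examplebank")
        print(f"{v['verdict']:10} {v['host']:40} {'; '.join(v['reasons'])}")
```

The check is intentionally strict: anything other than an exact registrable-domain match is reported, and the reasons only explain which of the notice's warning signs (typo, odd suffix, brand buried in a subdomain) was triggered. In a mail gateway or proxy the same function can run over every link before a user sees the ad.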

To ensure strong, safe passwords and avoid risky habits, the FBI also advises using a password manager. Another effective strategy for protecting against online attacks is antivirus software.