Security News

World’s largest commercial bank ICBC confirms ransomware attack
2023-11-09 19:52

Update November 10, 06:49 EST: The Industrial & Commercial Bank of China confirmed its services were disrupted by a ransomware attack that impacted its systems on Wednesday, November 8. "On November 8, 2023, U.S. Eastern Time, ICBC Financial Services experienced a ransomware attack that resulted in disruption to certain FS systems. Immediately upon discovering the incident, ICBC FS disconnected and isolated impacted systems to contain the incident," said the bank.

Industrial and Commercial Bank of China hit by ransomware attack
2023-11-09 19:52

The Industrial & Commercial Bank of China is restoring systems and services following a ransomware attack that disrupted the U.S. Treasury market, causing equities clearing issues. "ICBC is currently unable to connect to DTCC/NSCC. This issue is impacting all of ICBC's clearing customers," says an emergency notice issued to equity traders and shared by security research group vx-underground.

Microsoft: SysAid zero-day flaw exploited in Clop ransomware attacks
2023-11-09 14:28

Threat actors are exploiting a zero-day vulnerability in the service management software SysAid to gain access to corporate servers for data theft and to deploy Clop ransomware. [...]

FBI: Ransomware gangs hack casinos via 3rd party gaming vendors
2023-11-08 16:44

The Federal Bureau of Investigation is warning that ransomware threat actors are targeting casino servers and using legitimate system management tools to increase their permissions on the network. [...]

Russian-speaking threat actor "farnetwork" linked to 5 ransomware gangs
2023-11-08 09:32

In interactions with threat intelligence analysts, farnetwork shared valuable details that link them to ransomware operations starting in 2019 and to a botnet with access to multiple corporate networks. According to a report Group-IB shared with BleepingComputer, the threat actor has several usernames and has been active on multiple Russian-speaking hacker forums trying to recruit affiliates for various ransomware operations.

Experts Expose Farnetwork's Ransomware-as-a-Service Business Model
2023-11-08 08:00

Singapore-headquartered Group-IB, which attempted to infiltrate a private RaaS program that uses the Nokoyawa ransomware strain, said it underwent a "job interview" process with the threat actor, learning several valuable insights into their background and role. "Throughout the threat actor's cybercriminal career, which began in 2019, farnetwork has been involved in several connected ransomware projects, including JSWORM, Nefilim, Karma, and Nemty, as part of which they helped develop ransomware and manage the RaaS programs before launching their own RaaS program based on Nokoyawa ransomware," Nikolay Kichatov, threat intelligence analyst at Group-IB, said.

The 3 key stages of ransomware attacks and useful indicators of compromise
2023-11-08 06:00

For SOC teams to be able to defend their organization against ransomware attacks, they need to have the right security toolset, but also an understanding of the three primary ransomware attack stages. Instead, there are often many different indicators of compromise at different stages of the attack that seem benign when looked at individually.

TransForm says ransomware data breach affects 267,000 patients
2023-11-07 23:37

"We did not pay a ransom and we are aware that data connected to the cyber incident has been published." - TransForm. Bluewater Health: Data on 5.6 million patient visits corresponding to 267,000 unique patients.

Experts Warn of Ransomware Hackers Exploiting Atlassian and Apache Flaws
2023-11-07 07:14

Multiple ransomware groups have begun to actively exploit recently disclosed flaws in Atlassian Confluence and Apache ActiveMQ. Cybersecurity firm Rapid7 said it observed the exploitation of CVE-2023-22518 and CVE-2023-22515 in multiple customer environments, some of which have been leveraged for the deployment of Cerber ransomware. Both vulnerabilities are critical: they allow threat actors to create unauthorized Confluence administrator accounts and can lead to data loss.

Microsegmentation proves its worth in ransomware defense
2023-11-07 04:30

Security organizations have responded to the recent rise in ransomware attacks by implementing zero trust and microsegmentation strategies. Respondents overwhelmingly agreed that microsegmentation is an effective tool to keep assets protected, but deployment was lower than expected, with only 30% of organizations segmenting across more than two business critical areas.