Security News

The Week in Ransomware - September 8th 2023 - Conti Indictments
2023-09-08 21:45

It started as a slow ransomware news week but gradually picked up pace with the Department of Justice announcing indictments of TrickBot and Conti operation members. In other news, Cisco confirmed that ransomware gangs are exploiting a zero-day in Cisco VPN appliances after BleepingComputer's, SentinelOne's, and Rapid7's reporting on its abuse by the Akira ransomware operation.

Cisco warns of VPN zero-day exploited by ransomware gangs
2023-09-08 13:32

Cisco is warning of a zero-day vulnerability in its Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) that is actively exploited by ransomware operations to gain initial access to corporate networks. The medium-severity zero-day affects the VPN feature of Cisco ASA and Cisco FTD, allowing unauthenticated remote attackers to conduct brute-force attacks against existing accounts.

Cybercriminals target MS SQL servers to deliver ransomware
2023-09-06 12:53

A cyberattack campaign is targeting exposed Microsoft SQL databases, aiming to deliver ransomware and Cobalt Strike payloads. The attackers target exposed MS SQL servers by brute-forcing access credentials.

Ransomware attacks go beyond just data
2023-09-04 04:00

Among the 600 respondents, only 16% of those whose organization had experienced a successful ransomware attack were able to fully recover all their data after the attack, while a staggering 84% lost data they were not able to recoup. "Threat actors continue their attacks because, for them, it is a business model that works. In most cases, a ransomware attack results in permanently lost data, even when companies meet the ransom demand," said Keepit CTO Jakob Østergaard.

Threat Actors Targeting Microsoft SQL Servers to Deploy FreeWorld Ransomware
2023-09-01 15:41

Threat actors are exploiting poorly secured Microsoft SQL servers to deliver Cobalt Strike and a ransomware strain called FreeWorld. "The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld."

Good news for Key Group ransomware victims: Free decryptor out now
2023-08-31 22:47

That's what we call a static shock. Even ransomware operators make mistakes, and in the case of the ransomware gang Key Group, a cryptographic error allowed a team of security researchers to...

LogicMonitor customers hacked in reported ransomware attacks
2023-08-31 18:24

Network monitoring company LogicMonitor confirmed today that certain customers of its SaaS platform have fallen victim to cyberattacks linked to ransomware. While LogicMonitor did not confirm that ransomware attacks hit its affected customers, anonymous sources familiar with the incidents told BleepingComputer that the threat actors hacked customer accounts and "were able to create local accounts and deploy ransomware."

Free Key Group ransomware decryptor helps victims recover data
2023-08-31 16:21

Researchers took advantage of a weakness in the encryption scheme of Key Group ransomware and developed a decryption tool that lets some victims recover their files for free. "[Key Group ransomware] encrypts victim data using the AES algorithm in Cipher Block Chaining mode with a given static password," explains EclecticIQ. "The password is derived from a key using the Password-Based Key Derivation Function 2 with a fixed salt," the researchers add.

SapphireStealer Malware: A Gateway to Espionage and Ransomware Operations
2023-08-31 14:15

A .NET-based information stealer dubbed SapphireStealer is being used by multiple entities that are extending its capabilities and spawning their own bespoke variants. "Information-stealing malware like SapphireStealer can be used to obtain sensitive information, including corporate credentials, which are often resold to other threat actors who leverage the access for additional attacks, including operations related to espionage or ransomware/extortion," Cisco Talos researcher Edmund Brumaghin said in a report shared with The Hacker News.

Cisco VPNs with no MFA enabled hit by ransomware groups
2023-08-31 11:34

Since March 2023, affiliates of the Akira and LockBit ransomware operators have been breaching organizations via Cisco ASA SSL VPN appliances. "In some cases, adversaries have conducted credential stuffing attacks that leveraged weak or default passwords; in others, the activity we've observed appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication was either not enabled or was not enforced for all users," Rapid7 researchers said on Tuesday.