Tag Archive for: Brute

Black Basta Uses Qakbot, Brute Ratel in Ransomware Attacks


The threat actors behind the Black Basta ransomware were observed using the Qakbot malware in order to deploy the Brute Ratel framework as a second-stage payload in recent attacks.

Brute Ratel, commercial adversary emulation software, is a relatively new player similar to the Sliver and Cobalt Strike platforms, which are marketed to red teams but also utilized by a wide range of threat actors. The recent Qakbot campaign is “a noteworthy development because it is the first time we have observed Brute Ratel as a second-stage payload via a QAKBOT infection,” said Ian Kenefick, Lucas Silva and Nicole Hernandez, researchers with Trend Micro, in an analysis this week.

“Based on our investigations, we can confirm that the QAKBOT-to-Brute Ratel-to-Cobalt Strike kill chain is associated with the group behind the Black Basta Ransomware,” they said. “This is based on overlapping TTPs and infrastructure observed in Black Basta attacks.”

The attackers used two distributors (tracked by the ‘BB’ and ‘Obama20x’ IDs) and more than one infection method. In one campaign, spam emails carried a malicious URL that, when visited, presented victims with a password-protected ZIP file together with the password to open it; in another, the ZIP file was delivered by HTML smuggling, in which the payload is encoded into script inside an HTML attachment or web page and reassembled by the browser.

In both campaigns, the ZIP file contained an ISO file (in a likely attempt to defeat the Mark of the Web feature that categorizes files as being downloaded from the internet), which contained malicious files that set the stage for Qakbot to be run inside an injected process (wermgr.exe). Qakbot then used obfuscation to hide suspicious-looking command lines and performed reconnaissance on the infected environment.
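The delivery chain described above (HTML smuggling of a ZIP that wraps an ISO image) can be checked for on the mail gateway before the archive ever reaches a user. The following is an added example written for this page, not code from Trend Micro or the Black Basta analysis. It constructs its own sample: a minimal ISO 9660 stand-in (zeros with the "CD001" volume-descriptor signature at offset 0x8001) zipped and base64-encoded into an HTML page whose JavaScript would rebuild and download it. The scanner decodes any long base64 run in the HTML, checks for the ZIP signature, and flags archive members that are disk images or other risky types. The base64 length threshold, the marker list and the extension list are assumptions for the example.

```python
"""Detect HTML-smuggled ZIP archives that carry an ISO image (added example)."""
import base64
import io
import re
import zipfile

# ISO 9660 primary volume descriptor: "CD001" at byte offset 0x8001
ISO_SIG_OFFSET = 0x8001
ISO_SIG = b"CD001"
ZIP_SIG = b"PK\x03\x04"

# JavaScript calls typically used to reassemble a smuggled payload in the browser
SMUGGLING_MARKERS = ("atob(", "new Blob(", "URL.createObjectURL(", "msSaveOrOpenBlob(")
# base64 runs of at least 64 characters (assumed threshold for this example)
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# member types worth flagging inside a smuggled archive (assumed list)
SUSPICIOUS_EXT = (".iso", ".img", ".vhd", ".lnk", ".dll", ".exe", ".js", ".vbs")


def make_minimal_iso() -> bytes:
    """Constructed stand-in for an ISO image: zeros with the ISO 9660 signature in place."""
    buf = bytearray(ISO_SIG_OFFSET + 2048)
    buf[ISO_SIG_OFFSET:ISO_SIG_OFFSET + len(ISO_SIG)] = ISO_SIG
    return bytes(buf)


def make_smuggled_html(archive_name: str, member_name: str, member_data: bytes) -> str:
    """Build a constructed HTML smuggling page carrying a ZIP with one member."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_data)
    payload = base64.b64encode(zbuf.getvalue()).decode()
    return f"""<html><body><script>
var data = "{payload}";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "{archive_name}"; a.click();
</script></body></html>"""


def is_iso_image(data: bytes) -> bool:
    """True if the bytes carry the ISO 9660 volume-descriptor signature."""
    return data[ISO_SIG_OFFSET:ISO_SIG_OFFSET + len(ISO_SIG)] == ISO_SIG


def scan_html(html: str) -> dict:
    """Return smuggling indicators in the HTML plus any suspicious archive members."""
    markers = [m for m in SMUGGLING_MARKERS if m in html]
    findings = []
    for blob in B64_RE.findall(html):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if not raw.startswith(ZIP_SIG):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(raw))
        except zipfile.BadZipFile:
            continue
        with zf:
            for info in zf.infolist():
                member = zf.read(info)
                iso = is_iso_image(member)
                if iso or info.filename.lower().endswith(SUSPICIOUS_EXT):
                    findings.append({"member": info.filename,
                                     "size": info.file_size, "iso": iso})
    verdict = "suspicious" if markers and findings else "clean"
    return {"smuggling_markers": markers, "suspicious_members": findings,
            "verdict": verdict}


if __name__ == "__main__":
    sample = make_smuggled_html("invoice.zip", "invoice.iso", make_minimal_iso())
    print(scan_html(sample))
```

The ISO check looks at content rather than extension because a renamed image still mounts on Windows, and files opened from a mounted image lack the Zone.Identifier stream that Mark of the Web relies on, which is the bypass the campaign is believed to exploit.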

From there, Qakbot dropped the Brute Ratel DLL, which in turn dropped Cobalt Strike for lateral movement. Brute Ratel also ran the SharpHound utility, which collects data for the BloodHound Active Directory reconnaissance tool, and packed the collected files into a ZIP file for exfiltration.

Brute Ratel, which first emerged in December 2020, has been highlighted by researchers as sophisticated as it was…


Raspberry Pi OS update bolsters security against brute force attacks


Raspberry Pi has announced a new change to the device’s operating system that aims to improve its defences against cyber attacks.

First-time setup for a Raspberry Pi has previously required users to set a custom password, but the latest change mandates a custom user name as well.

Although developers have said that obtaining a common default user name, which was previously set to “pi” unless changed, isn’t all that useful to hackers, they believe this change should help prevent brute force attacks and password spraying attempts.

“Just knowing a valid user name doesn’t really help much if someone wants to hack into your system; they would also need to know your password, and you’d need to have enabled some form of remote access in the first place,” said Simon Long, senior principal engineer at Raspberry Pi.

“But nonetheless, it could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials.”
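The two attack patterns the change is meant to blunt look different in logs: a brute-force attack hammers one account (the well-known "pi" user) from a single source, while password spraying tries a handful of common passwords against many accounts to stay under lockout thresholds. The following is an added example for this page, not code from Raspberry Pi or the article. It parses constructed OpenSSH "Failed password" lines in the format sshd writes to auth.log via syslog, groups failures by source address, and labels each source; the sample lines, the thresholds and the labels are assumptions for the example.

```python
"""Classify SSH login failures as brute force or password spraying (added example)."""
import re
from collections import defaultdict

# OpenSSH failure line; "invalid user" appears when the account does not exist
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
BRUTE_FORCE_MIN = 5     # failures against one account from one source (assumed)
SPRAY_MIN_USERS = 4     # distinct accounts tried from one source (assumed)
SPRAY_MAX_PER_USER = 2  # spraying keeps per-account attempts low to dodge lockouts

# Constructed sample log: one brute-force source, one spraying source, one stray failure
SAMPLE_LOG = """\
Oct  3 10:01:02 pi4 sshd[1201]: Failed password for pi from 203.0.113.7 port 50211 ssh2
Oct  3 10:01:04 pi4 sshd[1201]: Failed password for pi from 203.0.113.7 port 50212 ssh2
Oct  3 10:01:06 pi4 sshd[1203]: Failed password for pi from 203.0.113.7 port 50213 ssh2
Oct  3 10:01:08 pi4 sshd[1203]: Failed password for pi from 203.0.113.7 port 50214 ssh2
Oct  3 10:01:10 pi4 sshd[1205]: Failed password for pi from 203.0.113.7 port 50215 ssh2
Oct  3 10:02:01 pi4 sshd[1210]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Oct  3 10:02:31 pi4 sshd[1211]: Failed password for pi from 198.51.100.9 port 40002 ssh2
Oct  3 10:03:01 pi4 sshd[1212]: Failed password for invalid user ubuntu from 198.51.100.9 port 40003 ssh2
Oct  3 10:03:31 pi4 sshd[1213]: Failed password for root from 198.51.100.9 port 40004 ssh2
Oct  3 10:05:00 pi4 sshd[1220]: Failed password for pi from 192.0.2.5 port 33000 ssh2
Oct  3 10:05:02 pi4 sshd[1221]: Accepted publickey for alice from 192.0.2.10 port 33001 ssh2
"""


def parse_failures(log_text: str) -> list:
    """Extract (source_ip, user) pairs from failed-password lines; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user")))
    return events


def classify(events: list) -> dict:
    """Label each source address by the shape of its failures."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for ip, user in events:
        per_ip[ip][user] += 1
    report = {}
    for ip, users in per_ip.items():
        peak = max(users.values())
        if peak >= BRUTE_FORCE_MIN:
            label = "brute_force"
        elif len(users) >= SPRAY_MIN_USERS and peak <= SPRAY_MAX_PER_USER:
            label = "password_spray"
        else:
            label = "noise"
        report[ip] = {"label": label, "attempts": sum(users.values()),
                      "accounts": len(users), "default_pi": users.get("pi", 0)}
    return report


if __name__ == "__main__":
    for ip, info in classify(parse_failures(SAMPLE_LOG)).items():
        print(ip, info)
```

The "default_pi" counter shows why a known user name still matters: in the brute-force case every attempt lands on the one account the attacker could guess without any reconnaissance, which is the marginal advantage the new setup requirement removes.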

The UK’s Product Security and Telecommunications Infrastructure (PSTI) Bill was introduced in 2021 but drew criticism from experts who argued the Bill did not go far enough to ensure adequate protection for internet-connected devices.

The PSTI’s scope does not cover desktop and laptop computers, a category under which Raspberry Pis would fall, among an array of other devices, Martin Tyley, head of cyber security at KPMG UK, told IT Pro earlier this year.

Long said the change to Raspberry Pi OS may introduce “a few issues” where software and its accompanying documentation assumes a default “pi” user is present, though “it feels like a sensible change to make at this point”.

After flashing a new OS image, users will be presented with a new, but familiar, Raspberry Pi OS setup wizard, which will no longer be optional. Users could previously press ‘cancel’ and were not forced to use it.

If users choose to manually set their user name and password to ‘pi’ and ‘raspberry’ respectively, the previous default credentials, they will be met with a warning prompt but such a configuration won’t be…


Zoom bug meant attackers could brute force their way into password-protected meetings

Zoom has patched a security hole that could have allowed attackers to break their way into password-protected private calls.

Read more in my article on the Hot for Security blog.

Graham Cluley

GetCrypt Ransomware Brute Forces Credentials, Decryptor Released – BleepingComputer


A new ransomware called GetCrypt is being installed via the RIG exploit kit. While encrypting a computer it will try to brute force the network credentials of …
