Tag Archive for: Flash

Ankura CTIX FLASH Update – August 25, 2023 – Fin Tech

Malware Activity

Whiffy Recon Malware Dropped by Smoke Loader Botnet

A new piece of malware dubbed Whiffy Recon is a Wi-Fi scanning payload that threat actors are leveraging to triangulate the geolocation of compromised devices. Whiffy Recon is being distributed by the threat actors behind the infamous Smoke Loader botnet. The Smoke Loader family is a modular backdoor with a wide range of capabilities, mainly used by threat actors to drop payloads at scale in the early stages of a compromise. The threat actors are using Whiffy Recon to triangulate the positions of infected devices by scanning for nearby Wi-Fi access points and then using Google’s geolocation service API to resolve those scan results into longitude and latitude, which are sent back to the attackers. Because it relies on nearby Wi-Fi access points rather than a GPS receiver, Whiffy Recon can triangulate the device location even if the device has no GPS, giving attackers an edge when conducting region-based attacks. The malware maintains persistence on the compromised device by creating a “wlan.lnk” shortcut that points to the Whiffy Recon malware’s location on the system. Although the motive is currently unclear, Whiffy Recon could potentially be utilized by threat actors to conduct mass intimidation campaigns, pressuring victims into meeting the cybercriminals’ demands. Researchers have stated that, based on the initial POST request to the C2 server, it is likely that the developers of this malware will upgrade it over time. CTIX continues to report on new and interesting attack techniques and may release an…

Source…

Ankura CTIX FLASH Update – October 2022 – 3 | Ankura


Ransomware/Malware Activity

Prestige Ransomware Emerges, Targets Ukraine and Poland

A new ransomware variant has emerged in the wild and is being used in targeted attacks against the logistics and transportation sectors within Ukraine and Poland. The variant has been dubbed ‘Prestige’, after the codename displayed in the group’s ransom note as ‘Prestige ranusomeware’. The tactics, techniques, and procedures (TTPs) and indicators of compromise associated with this ransomware variant are being clustered by Microsoft under DEV-0960. Prior to deployment, DEV-0960 executes stage-one malicious scripts via RemoteExec and Impacket, followed by open-source collection tools that obtain system administrator credentials. Once the threat actors have laid the groundwork for the attack, Prestige is deployed and spread throughout the victim’s infrastructure. The Prestige payload can be copied to remote systems and configured to run via scheduled tasks or PowerShell to establish persistence across several systems within the network. Prestige can also be copied to the Active Directory Domain Controller and distributed through Group Policy. Attacks by DEV-0960 actors appear to align with Russian state interests, targeting its adversaries in the Russia-Ukraine conflict. CTIX analysts will continue to monitor the evolution of ransomware throughout the landscape and provide additional details accordingly.

Threat Actor Activity

Operation CuckooBees Revived, APT41 Targets Organizations in Hong Kong

APT41 threat actors have launched a campaign targeting organizations throughout Hong Kong. Based on known tactics, techniques, and procedures (TTPs), this is likely a continuation of Operation CuckooBees. The original espionage operation was a massive intellectual property theft campaign that allowed APT41 threat actors to exfiltrate hundreds of gigabytes of research documentation, source code, manufacturing data, formulas, and diagrams. The majority of these attacks occurred throughout East Asia, North America, and Western Europe. Recent activity surrounding this operation was uncovered when security analysts from Symantec identified traces of the Spyder Loader…

Source…

Ankura CTIX FLASH Update – October 14, 2022


Ransomware/Malware Activity

The United States Non-Profit Health Care System Giant Confirms Ransomware Attack

CommonSpirit Health, one of the largest non-profit healthcare systems in the United States, serving over 21 million patients, confirmed on October 13, 2022, that it suffered a ransomware attack early the previous week that caused widespread IT outages at hospitals across the United States. On October 3, 2022, CommonSpirit Health stated that it was “managing an IT security issue” that was impacting many electronic health record systems and that it had taken specific IT systems offline. In its latest update on the situation, CommonSpirit Health stated that cybersecurity specialists have been engaged to conduct a forensic investigation of the ransomware attack and that efforts are under way to bring all systems back online. No details have been published regarding how the attack occurred, who is responsible, or whether any data was exfiltrated. CTIX analysts will continue to monitor for details of CommonSpirit Health’s ransomware attack as the investigation unfolds and provide updates where applicable.

Threat Actor Activity

United States Airports Targeted by Russian-Allied Threat Actors

Killnet threat actors have once again launched a massive distributed denial-of-service (DDoS) attack against several United States airport websites. Killnet has been one of the most active threat organizations throughout the Russia-Ukraine conflict and continues to make its presence known against its enemies, including the United States. Security analysts at Radware tracked several outages from this DDoS attack, which targeted 24 airport websites in total. Phoenix Sky Harbor Airport (PHX), Los Angeles International (LAX), Atlanta International (ATL), and the Chicago air travel site “flychicago[.]com” were among the victims affected. Killnet actors boasted about the attacks in their Telegram channel shortly after a CNN article was posted about the DDoS incidents. The attacks caused no lasting damage to any of the affected sites; however, cybersecurity experts highlighted that Killnet’s primary motivation is notoriety, as opposed to the actual…

Source…

KIOXIA announces UFS embedded flash memory devices for a variety of mobile applications


KIOXIA America announced sampling of Universal Flash Storage (UFS) embedded flash memory devices supporting MIPI M-PHY v5.0.

KIOXIA America UFS devices

The new lineup utilizes the company’s BiCS FLASH 3D flash memory and is available in three capacities: 128GB, 256GB and 512GB. The new devices deliver high-speed read and write performance and are targeted at a variety of mobile applications, including leading-edge smartphones.

The new KIOXIA devices are next-generation UFS (MIPI M-PHY 5.0) parts with a theoretical interface speed of up to 23.2Gbps per lane (46.4Gbps across two lanes) in HS-GEAR5 mode. Sequential read and write performance of the 256GB device is improved by approximately 90 percent and 70 percent, respectively, over previous-generation devices.

Random read and write performance of the 256GB device is likewise improved by approximately 35 percent and 60 percent, respectively, over previous-generation devices. This next generation of UFS provides significant increases in performance, enabling next-generation smartphones and other products to enhance their capabilities and end-user experiences in the 5G era and beyond.

“We are pleased to announce another first in UFS memory,” noted Scott Beekman, vice president, Memory Business Unit, for KIOXIA America, Inc. “This next generation of UFS provides significant increases in performance, enabling next generation smartphones and other products to enhance their capabilities and end user experiences. Moving forward, we will continue to drive these advances, maintaining our UFS memory leadership role.”

Source…