Tag Archive for: Organizations

CISA, Partners Warn Organizations of Akira Ransomware Attacks


The Cybersecurity and Infrastructure Security Agency and its U.S. and international partners have released a joint cybersecurity advisory, or CSA, warning organizations against the Akira ransomware that has targeted critical infrastructure entities in North America, Europe and Australia.

The CSA outlines known tactics, techniques and procedures used by Akira ransomware operators and indicators of compromise to help organizations respond to ransomware attacks, CISA said Thursday.

According to the advisory, Akira threat actors have deployed a Linux variant targeting VMware ESXi virtual machines after initially focusing on Windows systems.

As of January, the ransomware group has targeted more than 250 organizations and gained approximately $42 million in ransomware proceeds.

In August 2023, Akira attacks began deploying Megazord, a Rust-based variant, alongside the original Akira ransomware written in C++, to encrypt files.

CISA and its partners encourage organizations to implement the mitigations outlined in the CSA to reduce the impact of Akira ransomware attacks.

Source…

Hack The Box Redefines Cybersecurity Performance, Setting New Standards in the Cyber Readiness of Organizations


The innovative Cyber Performance Center approach helps businesses present a united front against cybercrime by aligning cybersecurity and corporate goals.

NEW YORK, NY, LONDON, UK and SYDNEY, AUSTRALIA / ACCESSWIRE / April 10, 2024 / Companies can level up their cybersecurity defenses, eliminating the skills and knowledge gaps that criminals regularly exploit, thanks to Hack The Box’s Cyber Performance Center.

Hack The Box’s Cyber Performance Center unites individual ability, business management practices, and the human factor in the cybersecurity industry and it is designed to help organizations take a coordinated approach to their cyber readiness, reducing the vulnerabilities created when cybersecurity is siloed or treated as a tick-box requirement.

Its innovative model transcends the limits of traditional cyber training, taking a 360º overview that considers a business’s processes and technology investments along with the requirements of its cybersecurity teams. By matching processes and exercises to organizational outcomes it helps to align cybersecurity and business objectives.

Hack The Box’s disruptive approach also directly addresses the key human element within corporate cybersecurity, focusing on the upskilling and development cyber professionals need to perform to their best while providing clear career paths to encourage retention and combat the increased burnout and fatigue within the sector. This is critical as the global cybersecurity industry currently faces a skills shortage of four million people.

It is estimated that, by next year, over half of significant cyber incidents will be caused by human error or skill shortages. The Cyber Performance Center approach helps organizations tackle their security as a company-wide goal, considering the needs of its cybersecurity team, business processes, and respective technology investments to promote a healthy security culture.

Hack The Box combines these three organizational pillars with a continuous learning journey based on the latest technologies, vulnerabilities, and solutions for all cybersecurity domains. The approach enables customers to create and maintain a robust cyber strategy, unlocking the skills of each member of…

Source…

US organizations targeted with emails delivering NetSupport RAT


Employees at US-based organizations are being targeted with emails delivering NetSupport RAT malware via “nuanced” exploitation and by using an advanced detection evasion method.

The malware campaign

The campaign, dubbed PhantomBlu, takes the form of email messages purportedly coming from a legitimate accounting service.

The attackers are leveraging a legitimate email delivery platform, SendInBlue (now Brevo), to evade detection.

The phishing emails prompt recipients to download an attached Office Word file (.docx) to view their “monthly salary report”.

The PhantomBlu phishing email. (Source: Perception Point)

After downloading the file, victims are instructed to enter the provided password, click “enable editing”, and then double-click a printer image to view the “salary graph.”

But the clickable printer image is actually an Object Linking and Embedding (OLE) package, which is a Microsoft Windows feature that allows data and object sharing between applications.

Clicking on the printer icon triggers OLE template manipulation and opens an archived .zip file containing a single LNK file: a PowerShell dropper that retrieves and executes a script, which contains, among other things, an executable for the NetSupport RAT and a registry key designed to ensure its persistence.

“This advanced technique bypasses traditional security measures by hiding the payload outside the document, only executing upon user interaction,” Perception Point researchers noted.

The NetSupport RAT

The NetSupport RAT is based on the legitimate remote desktop tool NetSupport Manager. Attackers commonly use it to gain a foothold on systems and set the stage for follow-on attacks.

“Once installed on a victim’s endpoint, NetSupport can monitor behavior, capture keystrokes (keylogger), transfer files, commandeer system resources, and move to other devices within the network – all under the guise of a benign remote support software,” the researchers said.

Attackers (possibly a different group) have previously been spotted exploiting a vulnerability (CVE-2023-36025) in the Windows SmartScreen anti-phishing and anti-malware component to deliver the NetSupport RAT.

Source…

Hacker group hides malware in images to target Ukrainian organizations


A group of attackers targeting Ukraine-affiliated organizations has been delivering malicious payloads hidden within the pixels of image files. The technique, known as steganography, is just one of many advanced methods the group uses to evade detection as part of a malware loader known as IDAT.

Tracked as UAC-0184 by several security firms, as well as the Computer Emergency Response Team of Ukraine (CERT-UA), the group was seen targeting Ukrainian servicemen via phishing emails masquerading as messages from Ukraine’s 3rd Separate Assault Brigade and the Israeli Defense Forces (IDF). While most of the recipients of these messages were located in Ukraine, security firm Morphisec has confirmed targets outside of the country as well.

“While the adversary strategically targeted Ukraine-based entities, they apparently sought to expand to additional entities affiliated with Ukraine,” researchers said in a new report. “Morphisec findings brought to the forefront a more specific target — Ukraine entities based in Finland.” Morphisec also observed the new steganography approach in delivering malicious payloads after the initial compromise.

Staged malware injection ends with Remcos trojan

The attacks detected by Morphisec delivered a malware loader known as IDAT or HijackLoader that has been used in the past to deliver a variety of trojans and malware programs including Danabot, SystemBC, and RedLine Stealer. In this case, UAC-0184 used it to deploy a commercial remote access trojan (RAT) program called Remcos.

“Distinguished by its modular architecture, IDAT employs unique features like code injection and execution modules, setting it apart from conventional loaders,” the Morphisec researchers said. “It employs sophisticated techniques such as dynamic loading of Windows API functions, HTTP connectivity tests, process blocklists, and syscalls to evade detection. The infection process of IDAT unfolds in multiple stages, each serving distinct functionalities.”

The infection happens in stages, with the first stage making a call to a remote URL to access a .js (JavaScript) file. The code in this file tells the executable where to look for an…

Source…