Tag Archive for: Wild

DoNex Ransomware Observed in the Wild Targeting Enterprises


Enterprises across the United States and Europe are on high alert as a new ransomware strain, dubbed “DoNex,” has been actively compromising companies and claiming victims.

This emergent threat has cybersecurity experts working overtime to understand the attack’s full scope and develop countermeasures.

The DoNex ransomware group has made its presence known by listing several companies as its victims on their dark web portal, accessible via the Onion network.

The group’s tactics are particularly insidious, employing a double-extortion method.

This not only involves the encryption of files, which are then appended with a unique .VictimID extension, but also the exfiltration of sensitive data, which is held hostage to put additional pressure on the victims to pay the ransom.

Ransom Notes and Communication

Affected companies have discovered ransom notes named Readme.VictimID.txt on their systems, which instruct them to establish contact with the DoNex group through Tox messenger, a peer-to-peer instant messaging service known for its security and anonymity features.

The use of Tox indicates an attacker’s preference for secure communication channels, making it more challenging for law enforcement to track and intercept.

Broadcom recently spotted the emergence of a new ransomware actor, self-dubbed “DoNex,” which was detected in the wild during March.

Currently, the exact methods DoNex uses to infiltrate enterprise systems remain a mystery.

Cybersecurity teams diligently monitor the situation and conduct thorough investigations to uncover the group’s modus operandi.

Understanding the attack vectors is crucial for preventing further incidents and developing effective defense strategies.

A recent tweet by HackManac reported the emergence of a new…

Source…

A whole new kind of Linux malware has been found in the wild


A new type of Linux malware has been identified after going unnoticed for two years thanks to work by cybersecurity researchers from Group-IB.

The newly uncovered Linux Remote Access Trojan (RAT), Krasue, was first registered on VirusTotal, and has since been targeting primarily telecommunications companies in Thailand.

Source…

Famed Hacker Unveils Wild Crack-In-The-Box Password Cracker Fueled By Dozens Of RTX 4090s


A password cracking setup outfitted with multiple graphics cards.

Kevin Mitnick, a former black hat hooligan-turned-good-guy who spent several years in prison in the 1990s for various computer-related tomfoolery, is showing off a beastly setup outfitted with 30 high-end GeForce graphics cards. We know what you’re wondering—can it run Crysis? It certainly has enough firepower to push pixels around like a schoolyard bully on steroids. But what his setup is really designed to do is to crack passwords with the same speed and ease it would take Hercules to crack a walnut.

Anyone who is not familiar with Mitnick can look him up on Google or visit the Wikipedia entry on him for a quick history lesson. His hacking days started in his pre-teen years and it only gets more interesting from there. The US Department of Justice and Federal Bureau of Investigation are certainly familiar with the man who is widely considered to be the world’s most famous hacker—he eluded both agencies for years…up until he didn’t.

A successful “Free Kevin” movement helped Mitnick earn an early release after spending more than five years behind bars. These days he spends his time as a highly sought-after security consultant. He’s also the chief executive officer at Mitnick Security Consulting, and chief hacking officer at KnowBe4, among other roles on his ever-expanding resume.

Kevin Mitnick tweet showing off his password cracking setup.

In posts shared to both Facebook and Twitter, Mitnick uploaded photos of a “badass password cracker” that the team at KnowBe4 helped him set up and configure. The beastly configuration is outfitted with two dozen of NVIDIA’s flagship consumer graphics cards, the GeForce RTX 4090 based on the Ada Lovelace GPU architecture, as well as six GeForce RTX 2080 cards based on Turing.

“This is what companies come up against when we are hired for Red Team engagements. Our team now has a new large group of GPUs to crack passwords much, much faster,” Mitnick explains.

In security parlance, a Red Team engagement is essentially a simulated cyberattack. You can think of it as an intense security audit. Exposing vulnerabilities is inevitably part of the process, but that’s not the main goal. These simulated attacks test a company’s ability to detect and respond to security threats.

This process is of course…

Source…

Fortinet confirms VPN vulnerability exploited in the wild


A critical zero-day vulnerability in Fortinet’s SSL-VPN has been exploited in the wild in at least one instance.

Fortinet issued an advisory Monday detailing the heap-based buffer overflow flaw, tracked as CVE-2022-42475, affecting multiple versions of its FortiOS SSL-VPN. Ranked a 9.3 on the common vulnerability scoring system, Fortinet warned the critical flaw could allow a remote unauthenticated attacker to execute arbitrary code.

“Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems against the following indicators of compromise,” Fortinet wrote in the advisory.

Patches are available, and Fortinet recommended upgrading to the latest versions as well as the unaffected earlier version of FortiOS. In an email to TechTarget Editorial, Fortinet said it also continues to monitor the situation.

While the company’s Product Security Incident Response team made the advisory publicly available Monday, it was not the first notification on the critical flaw. Olympe Cyberdefense, a France-based cyber threat intelligence vendor, released an alert Friday citing that a “new critical flaw, not yet made public” affected Fortinet SSL-VPN.

The alert, which was first reported Monday by TechTarget sister publication Le Mag IT, warned the zero-day vulnerability was easy to exploit and that attackers could gain full control of intended devices. Additionally, Olympe Cyberdefense recommended disabling VPN-SSL functionality if it’s not essential.

Olympe updated its alert once Fortinet confirmed the vulnerability and urged customers to patch.

In a statement sent to TechTarget Editorial, Claire Tills, senior research engineer at Tenable, noted the time gap between Olympe’s initial disclosure and Fortinet’s advisory. “Three days after its initial public disclosure, Fortinet patched CVE-2022-42475 and confirmed it has been exploited in the wild,” Tills said.

“Fortinet SSL-VPNs have been a major target for years now — to the extent that the FBI and CISA issued a dedicated advisory to these flaws and their exploitation in 2021. Nation state actors are still known to exploit those legacy vulnerabilities in…

Source…