Gootloader inside out – Sophos News
Open-source intelligence reveals the server-side code of this pernicious SEO-driven malware – without needing a lawyer afterward
Phishing platform Rockstar 2FA trips, and “FlowerStorm” picks up the pieces – Sophos News
A sudden disruption of a major phishing-as-a-service provider leads to the rise of another…that looks very familiar
VEEAM exploit seen used again with a new ransomware: “Frag
Last month, Sophos X-Ops reported several MDR cases where threat actors exploited a vulnerability in Veeam backup servers. We continue to track the activities of this threat cluster, which recently…
Bengal cat lovers in Australia get psspsspss’d in Google-driven Gootloader campaign
The Internet is full of cats—and in this case, malware-delivering fake cat websites used for very targeted search engine optimization.
Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats
Sophos X-Ops unveils five-year investigation tracking China-based groups targeting perimeter devices
Qilin ransomware caught stealing credentials stored in Google Chrome
Familiar ransomware develops an appetite for passwords to third-party sites
Ransomware attackers introduce new EDR killer to their arsenal
Sophos discovers the threat actors behind RansomHub ransomware using EDRKillShifter in attacks
Don’t get Mad, get wise
The “Mad Liberator” ransomware group leverages social-engineering moves to watch out for
Operation Crimson Palace: A Technical Deep Dive – Sophos News
Sophos Managed Detection and Response initiated a threat hunt across all customers after the detection of abuse of a vulnerable legitimate VMware executable (vmnat.exe) to perform dynamic link library (DLL) side-loading on one customer’s network. In a search for similar incidents in telemetry, MDR ultimately uncovered a complex, persistent cyberespionage campaign targeting a high-profile government organization in Southeast Asia. As described in the first part of this report, we identified at least three distinct clusters of intrusion activity present in the organization’s network from at least March 2023 through December 2023. The three security threat activity clusters—which we designated as Alpha (STAC1248), Bravo (STAC1870), and Charlie (STAC1305) – are assessed with high confidence to operate on behalf of Chinese state interests. In this continuation of our report, we will provide deeper technical analysis of the three activity clusters, including the tactics, techniques, and procedures (TTPs) used in the campaign, aligned to activity clusters where possible. We also provide additional technical details on prior compromises within the same organization that appear to be connected to the campaign.
'Crude' ransomware tools proliferating on the dark web for cheap, researchers find
Cheap ransomware is being sold for one-time use on dark web forums, allowing inexperienced freelancers to get into cybercrime without any interaction with affiliates. Researchers at the intelligence unit at the cybersecurity firm Sophos found 19 ransomware varieties being offered for sale or advertised as under development on four forums from June 2023 to February 2024.
It’ll be back: Attackers still abusing Terminator tool and variants
First released in May 2023, an EDR killer – and the vulnerable Zemana drivers it leverages – are still of interest to threat actors, along with variants and ported versions
Sophos has patched EOL Firewall versions against a critical flaw exploited in the wild, after identifying a new exploit.
UK-based cybersecurity firm Sophos this week announced patches for an exploited vulnerability in Firewall versions that have reached End-of-Life (EOL). The critical-severity flaw, tracked as CVE-2022-3236, was found to impact versions 19.0 MR1 (19.0.1) and older of the product. It was originally patched in September 2022, but only in supported versions of Sophos Firewall. Sophos describes the security defect as a code injection issue in the Firewall’s User Portal and Webadmin components, allowing attackers to achieve remote code execution (RCE).
Sophos backports RCE fix after attacks on unsupported firewalls
Sophos was forced to backport a security update for CVE-2022-3236 for end-of-life (EOL) firewall firmware versions after discovering hackers actively exploiting the flaw in attacks.
Attacker combines phone, email lures into believable, complex attack chain
A social engineering phone call lends authenticity to the attacker’s malicious email
Time keeps on slippin’ slippin’ slippin’: The 2023 Active Adversary Report for Tech Leaders – Sophos News
- Compromised credentials are a gift that keeps on giving (your stuff away) MFA is your mature, sensible friend Dwell time is sinking faster than RMS Titanic Criminals don’t take time off; neither can you
- Active Directory servers: The ultimate attacker tool RDP: High time to decline the risk Missing telemetry just makes things harder
Using WinRAR? Be sure to patch against these code execution bugs… – Naked Security
Imagine if you clicked on a harmless-looking image, but an unknown application fired up instead…
Into the tank with Nitrogen
The element originally known as “foul air” stinks up computers as a new initial-access campaign exhibiting some uncommon techniques
Microsoft Revokes Malicious Drivers in Patch Tuesday Culling
In December 2022, Microsoft published their monthly Windows Update packages that included an advisory about malicious drivers, signed by Microsoft and other code-signing authorities, that Sophos X-…
The Phantom Menace: Brute Ratel remains rare and targeted
The commercial attack tool’s use by bad actors has faded after an initial flurry, while Cobalt Strike remains the go-to post-exploitation tool for many.
“FleeceGPT” mobile apps target AI-curious to rake in cash
Interest in OpenAI’s latest version of its interactive language model has spurred a new wave of scam apps looking to cash in on the hype
Akira Ransomware is “bringin’ 1988 back”
A new recently observed ransomware family dubbed Akira uses a retro aesthetic on their victim site very reminiscent of the 1980s green screen consoles and possibly takes its namesake from the popular 1988 anime film of the same name.
Analysis of Pre-Auth RCE in Sophos Web Appliance (CVE-2023-1671)
CVE-2023-1671 is a pre-authenticated command injection in Sophos Web Appliance. In this blog post, VulnCheck researchers analyze the vulnerability and develop a proof of concept (PoC) for it.
‘AuKill’ EDR killer malware abuses Process Explorer driver
Driver based attacks against security products are on the rise
Qakbot mechanizes distribution of malicious OneNote notebooks
A large-scale "QakNote" attack deploys malicious .one files as a novel infection vector
3CX users under DLL-sideloading attack: What you need to know
A Trojanized version of the popular VOIP/PBX software is in the news; here’s what hunters and defenders are doing IOCs
Assessing Potential Exploitation of Sophos Firewall and CVE-2022-3236
Sophos took immediate steps to remediate CVE-2022-3236 – an unauthenticated and remote code execution vulnerability affecting the Sophos Firewall Webadmin and User Portal HTTP interfaces – with an automated hotfix sent out in September 2022. Through its advisory published on September 23, 2022, it also alerted users who don't receive automatic hotfixes to apply the update themselves. The advisory stated the vulnerability had previously been used against "a small set of specific organizations, primarily in the South Asia region." In December, Sophos released v19.5 GA GA with an official fix. Key Takeaways * As there are no public proof-of-concept exploits for CVE-2022-3236, we created our own to determine its potential for mass exploitation. * We scanned internet-facing Sophos Firewalls and found more than 4,000 firewalls that were too old to receive a hotfix. * We encourage Sophos Firewall administrators to look through their logs to determine if they see indications of exploit attempts. Two files to focus on include /logs/csc.log and /log/validationError.log. * Internet-facing firewalls appear to largely be eligible for hotfixes and the default authentication captcha likely prevented mass exploitation.
LockBit 3.0 ‘Black’ attacks and leaks reveal wormable capabilities and tooling
Reverse-engineering reveals close similarities to BlackMatter ransomware, with some improvements
Remove All The Callbacks – BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse
A fresh exploration of the malware uncovers a new tactic for bypassing security products by abusing a known driver vulnerability
Resolved RCE in Sophos Firewall (CVE-2022-3236)
A code injection vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall. The vulnerability has been fixed.
Telerik UI exploitation leads to cryptominer, Cobalt Strike infections
Attacker targets bugs in a popular web application graphical interface development tool.