Ransomware : des centaines de serveurs VMware ESXi pris dans une vaste campagne
Déclenchée ce vendredi 3 février, une vaste campagne d’infection avec ransomware frappe les serveurs VMware ESXi à travers le monde. La France ne fait pas exception. L’échelle suggère une opération automatisée.
Campagne d’exploitation d’une vulnérabilité affectant VMware ESXi
Le 03 février 2023, le CERT-FR a pris connaissance de campagnes d'attaque ciblant les hyperviseurs VMware ESXi dans le but d'y déployer un rançongiciel. Dans l'état actuel des investigations, ces campagnes d'attaque semblent exploiter la vulnérabilité CVE-2021-21974, pour laquelle un correctif est disponible depuis le 23 février 2021. Cette vulnérabilité affecte le service Service Location Protocol (SLP) et permet à un attaquant de réaliser une exploitation de code arbitraire à distance. Les systèmes actuellement visés seraient des hyperviseurs ESXi en version 6.x et antérieures à 6.7.
Un ransomware attaque les clients ESXi des hébergeurs français (MAJ)
Plusieurs alertes ont été lancées par différents hébergeurs sur une campagne d'attaque par ransomware concernant des serveurs basés sur l'hyperviseur ESXi de VMware. OVH a dans un premier temps identifié le rançongiciel Nevada dans un blog avant de corriger son message.
Exploitation of GoAnywhere MFT zero-day vulnerability
On Thursday, February 2, 2023, security reporter Brian Krebs published a warning on Mastodon about an actively exploited zero-day vulnerability affecting on-premise instances of Fortra’s GoAnywhere MFT managed file transfer solution. Fortra (formerly HelpSystems) evidently published an advisory on February 1 behind authentication; there is no publicly accessible advisory.
GoAnywhere MFT, a popular file transfer application, is warning about a zero-day remote code injection exploit. The company said it has temporarily implemented a service outage in response.
Malware-Traffic-Analysis.net - 2023-02-03 - DEV-0569 activity: Google ad -- FakeBat Loader -- Redline Stealer & Gozi/ISFB/Ursnif
NOTES: Zip files are password-protected. If you don't know the password, see the "about" page of this website. IOCs are listed on this page below all of the images.
No Pineapple! –DPRK Targeting of Medical Research and Technology Sector
During Q4 2022, WithSecure™ detected and responded to a cyber attack conducted by a threat actor that WithSecure™ have attributed with high confidence to an intrusion set referred to as Lazarus Group. Attribution with high confidence was based off of overlapping techniques tactics and procedures as well as an operational security mistake by the threat actor. Amongst technical indications, the incident observed by WithSecure™ also contains characteristics of recent campaigns attributed to Lazarus Group by other researchers.
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Initially observed in July 2016, TrickGate is a shellcode-based packer offered as a service to hide malware from EDRs and antivirus programs. * Over the last 6 years, TrickGate was used to deploy the top members of the “Most Wanted Malware” list, such as Cerber, Trickbot, Maze, Emotet, REvil, Cobalt Strike, AZORult, Formbook, AgentTesla and more. * TrickGate managed to stay under the radar for years because it is transformative – it undergoes changes periodically. This characteristic caused the research community to identify it by numerous attributes and names. * While the packer’s wrapper changed over time, the main building blocks within TrickGate shellcode are still in use today. * Check Point Threat Emulation successfully detects and blocks the TrickGate packer.
OneNote Documents Increasingly Used to Deliver Malware
Key Findings: * The use of Microsoft OneNote documents to deliver malware via email is increasing. * Multiple cybercriminal threat actors are using OneNote documents to deliver malware. * While some campaigns are targeted at specific industries, most are broadly targeted and include thousands of messages. * In order to detonate the payload, an end-user must interact with the OneNote document. * Campaigns have impacted organizations globally, including North America and Europe. * TA577 returned from a month-long hiatus in activity and began using OneNote to deliver Qbot at the end of January 2023.
HeadCrab: A Novel State-of-the-Art Redis Malware in a Global Campaign
HeadCrab: A Novel State-of-the-Art Redis Malware in a Global Campaign Aqua Nautilus researchers discovered a new elusive and severe threat that has been infiltrating and residing on servers worldwide since early September 2021. Known as HeadCrab, this advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers. The HeadCrab botnet has taken control of at least 1,200 servers. This blog will delve into the details of the HeadCrab attack, examining its methods of operation, techniques used to evade detection, and steps organizations can take to safeguard their systems.
Hospitals urged to tighten DDoS defenses after health data found on Killnet list
The Killnet hacktivist group is actively targeting the health sector with DDoS attacks, claiming to have successfully exfiltrated data from a number of hospitals within the last month, according to a Department of Health and Human Services Cybersecurity Coordination Center alert.
Pro-Russian DDoS attacks raise alarm in Denmark, U.S.
Distributed denial-of-service (DDoS) attacks by pro-Russian hacking groups are causing alarm in the U.S. and Denmark after several incidents affected websites of hospitals and government offices in both countries. On Tuesday, Denmark announced that it was raising its cyber risk alert level after weeks of attacks on banks and the country’s defense ministry.
Google sponsored ads malvertising targets password manager
We have recently written about malvertising campaigns that leverage Google paid advertisements to try and trick people into downloading malware instead of the software they were looking for. This malware then stole login credentials from the affected system.
It is not common for analysts to have the opportunity to study the social circles of criminal organizations, but occasionally a group emerges that is more transparent than others. Examining a criminal organization’s social presence can give analysts valuable insights into the structure and operations of the organization, as well as the relationships and connections between its members and the community around them.
An unfaithful employee leaked Yandex source code repositoriesSecurity Affairs
A source code repository allegedly stolen by a former employee of the Russian tech giant Yandex has been leaked online. A Yandex source code repository allegedly stolen by a former employee of the Russian IT giant has been leaked on a popular cybercrime forum. The announcement published on BreachForums includes a magnet link to the alleged […]
Cybercriminals stung as HIVE infrastructure shut down
In the last year, HIVE ransomware has been identified as a major threat as it has been used to compromise and encrypt the data and computer systems of large IT and oil multinationals in the EU and the USA. Since June 2021, over 1 500 companies from over 80 countries worldwide have fallen victim to HIVE associates and lost almost...
The Titan Stealer: Notorious Telegram Malware Campaign
The Uptycs threat research team discovered a Titan stealer malware campaign, which is marketed and sold by a threat actor (TA) through a Telegram channel.
