Cyber security week in review: November 11, 2022

Microsoft attributes Prestige ransomware attacks to Russian military hackers

Microsoft has attributed the recent series of Prestige ransomware attacks on the transportation and logistics sectors in Ukraine and Poland to a threat cluster tracked as Iridium (DEV-0960), which overlaps with the well-known Russia-linked threat actor Sandworm. The attribution is based on several indicators, including the infrastructure used in the attacks and forensic artifacts.

The company said that technical artifacts it found indicate that Iridium has carried out multiple Prestige ransomware attacks going back as far as March 2022.

Alleged LockBit affiliate arrested in Canada

A dual Russian and Canadian national was arrested on November 9 in Ontario, Canada, for his alleged role in the LockBit ransomware operation. Mikhail Vasiliev, 33, is believed to have deployed the LockBit ransomware in attacks against critical infrastructure and organizations worldwide. During the search of the man’s home, police seized two firearms, eight computers, and 32 external drives, together with €400,000 in cryptocurrencies. US authorities are seeking his extradition to the US, where he has been charged with conspiracy to intentionally damage protected computers and to transmit ransom demands.

Leaked internal chats for Yanluowang ransomware gang suggest members are Russian speakers, not Chinese

Internal chat data from the Yanluowang ransomware group that leaked online last month indicates that the members of the group are Russian speakers, not Chinese as previously thought. The data also reveals potential links with other ransomware operations.

Microsoft November 2022 Patch Tuesday fixes ProxyNotShell bugs, 4 other zero-days

Microsoft rolled out its November 2022 Patch Tuesday security updates, which address multiple vulnerabilities across a wide range of its software products, including two high-severity Microsoft Exchange zero-day vulnerabilities, collectively known as ProxyNotShell, that are said to have been exploited by hackers since at least September 2022.

Surveillance vendor targeted Samsung smartphones with zero-day bugs

Google’s Project Zero released a detailed technical write-up on three zero-day vulnerabilities (CVE-2021-25337, CVE-2021-25369 and CVE-2021-25370) that were exploited by a commercial surveillance vendor to compromise Samsung smartphones running Android.

Ukrainian police dismantle scam gang that made €200M per year

Ukrainian cyber police arrested five members of an international investment fraud ring that operated multiple scam call centers across Europe and defrauded thousands of victims out of more than €200 million per year.

Threat actors are using IPFS for phishing, malware delivery

Cyber criminals are increasingly using the InterPlanetary File System (IPFS) decentralized network to host malware and phishing kit infrastructure and to facilitate other attacks, a new report from Cisco Talos warns. Multiple malware families are currently hosted within IPFS and retrieved during the initial stages of malware attacks. The report describes several different attacks the researchers have discovered within IPFS.

IT Army of Ukraine

A new report from Trustwave covers the IT Army of Ukraine from its start at the very beginning of the Russia-Ukraine war, as a loose collective of cybersecurity experts and hackers, to a well-organized nation-state group of defensive and offensive actors with specific roles and purposes.

New Venus ransomware targets healthcare orgs

The US Department of Health and Human Services has warned of a new Venus ransomware that is targeting healthcare organizations. First spotted in August 2022, the Venus ransomware operation has compromised at least one US healthcare organization. The ransomware targets publicly exposed Remote Desktop services, even those running on non-standard TCP ports. When encrypting files, the ransomware uses the AES and RSA algorithms and appends the ‘.venus’ extension.

CISA releases guidance on Stakeholder-Specific Vulnerability Categorization

The US Cybersecurity and Infrastructure Security Agency released guidance on Stakeholder-Specific Vulnerability Categorization (SSVC), a vulnerability analysis methodology for prioritizing actions during vulnerability management.

NCCoE issues guidance for the manufacturing sector on how to respond to cyberattacks

The National Cybersecurity Center of Excellence (NCCoE), part of the National Institute of Standards and Technology (NIST), has issued guidance on how the manufacturing and industrial sectors can respond to cyber incidents and recover operations.

Australia’s top health insurer Medibank refuses to pay ransom after customer data stolen in cyberattack

Medibank, one of Australia’s largest private health insurance providers, announced that it will not pay a ransom to the threat actors behind the October data breach that affected around 9.7 million customers. The company said there is only a limited chance that paying a ransom would ensure the return of its customers’ data and prevent it from being published. Meanwhile, the threat actor behind the breach has started leaking the stolen data on dark web forums.

Microsoft warns of “disturbing” increase in aggressive nation state cyber activity

Microsoft says it has observed an increase in state-backed threat actors and cyber criminals using publicly disclosed zero-day vulnerabilities over the past year to break into target networks. Although many state-backed hacker groups are known to develop zero-day exploits for unknown vulnerabilities, Chinese threat actors were especially prolific over the past year. Microsoft believes the spike is a result of China’s vulnerability reporting law, which went into effect in September 2021 and requires all Chinese security researchers to report new vulnerabilities they find to a state security authority.

Russian hackers abused “lesser-known” Windows feature in attack on a European diplomatic entity

The Russia-linked espionage group APT29 has been observed abusing the Windows Credential Roaming feature in a cyberattack targeting an unnamed European diplomatic entity. While analyzing the numerous LDAP queries the hackers had made to the Active Directory system, the researchers discovered an elevation-of-privilege vulnerability (CVE-2022-30170) in Windows’ ‘credential roaming’ functionality. Microsoft addressed this issue in September 2022.