cRyPtHoN™ INFOSEC (EN)

Channel address: @crypthon_infosec_en
Categories: Cryptocurrencies
Language: English
Subscribers: 3.56K
Description from channel

Latest news of INFOSEC (EN)
1. Latest Vulnerability.
2. Latest Patch.
3. Privacy Breach.
4. Security Breach.
5. InfoSec News.
German Version 🇩🇪
@cRyPtHoN_INFOSEC_DE
French Version 🇫🇷
@cRyPtHoN_INFOSEC_FR
Italian Version 🇮🇹
@cRyPtHoN_INFOSEC_IT

The latest Messages 232

2021-05-16 15:15:23
Beware of a New Type of Ransomware Similar to ThunderCrypt.

It Is Still Unclear If Lorenz Ransomware Is the Same Group or Inherited the Source Code to Create Its Own Version.

There’s a new ransomware operation in town and it targets organizations around the world with customized attacks.

Dubbed Lorenz, the ransomware gang began operating a month ago and has since compiled a growing list of victims whose stolen data has been published on a data leak site, as reported by BleepingComputer.

According to ID Ransomware’s Michael Gillespie, the Lorenz ransomware encryptor is the same as ThunderCrypt operation, but it’s not yet known if Lorenz is the same group or purchased the ransomware source code to create its own variant.

https://heimdalsecurity.com/blog/beware-of-a-new-type-of-ransomware-similar-to-thundercrypt/

@cRyPtHoN_INFOSEC_FR
@cRyPtHoN_INFOSEC_EN
@cRyPtHoN_INFOSEC_DE
@BlackBox_Archiv
119 views, 12:15
2021-05-16 15:11:03
Send My: Upload arbitrary data via Apple's Find My network.

Send My allows you to upload arbitrary data from devices without an internet connection by (ab)using Apple's Find My network. The data is broadcast via Bluetooth Low Energy and forwarded by nearby Apple devices.

The application consists of two parts:

Firmware: An ESP32 firmware that turns the microcontroller into a serial (upload only) modem

DataFetcher: A macOS application used to retrieve, decode and display the uploaded data

Both are based on OpenHaystack, an open source implementation of the Find My Offline Finding protocol.

https://github.com/positive-security/send-my

@cRyPtHoN_INFOSEC_FR
@cRyPtHoN_INFOSEC_EN
@cRyPtHoN_INFOSEC_DE
@BlackBox_Archiv
110 views, 12:11
2021-05-16 15:05:16
RevengeRAT and AsyncRAT target aerospace and travel sectors.

Microsoft Security Intelligence earlier this week tweeted out that it has been tracking a campaign of remote access trojans (RATs) targeting the aerospace and travel industries with spear-phishing emails that distribute an actively developed loader, which then delivers RevengeRAT or AsyncRAT.

As part of the tweet exchange it was pointed out that attackers use the RATs for data theft, follow-on activity and additional payloads, including Agent Tesla, which they use for data exfiltration. The loader is under active development and is dubbed Snip3 by Morphisec.

https://www.scmagazine.com/home/security-news/phishing/revengerat-and-aysncrat-target-aerospace-and-travel-sectors/

@cRyPtHoN_INFOSEC_FR
@cRyPtHoN_INFOSEC_EN
@cRyPtHoN_INFOSEC_DE
@BlackBox_Archiv
115 views, 12:05
2021-05-16 15:02:38
Pakistan-Linked Hackers Added New Windows Malware to Its Arsenal.

Cybercriminals with suspected ties to Pakistan continue to rely on social engineering as a crucial component of their operations as part of an evolving espionage campaign against Indian targets, according to new research.

The attacks have been linked to a group called Transparent Tribe, also known as Operation C-Major, APT36, and Mythic Leopard, which has created fraudulent domains mimicking legitimate Indian military and defense organizations, and other fake domains posing as file-sharing sites to host malicious artifacts.

https://thehackernews.com/2021/05/pakistan-linked-hackers-added-new.html

@cRyPtHoN_INFOSEC_FR
@cRyPtHoN_INFOSEC_EN
@cRyPtHoN_INFOSEC_DE
@BlackBox_Archiv
116 views, 12:02
2021-05-16 14:54:35
Threat Roundup for May 7 to May 14.

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 7 and May 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness.

https://blog.talosintelligence.com/2021/05/threat-roundup-0507-0514.html

#oscp #iocteams #spread #snortteams
@cRyPtHoN_INFOSEC_FR
@cRyPtHoN_INFOSEC_EN
@cRyPtHoN_INFOSEC_DE
@BlackBox_Archiv
119 views, 11:54
2021-05-16 14:50:11
Toshiba subsidiary confirms ransomware attack, as reports suggest possible DarkSide involvement.

European units of Japanese tech giant Toshiba are investigating a security incident in which scammers may have used a similar hacking tool to the malware used against IT systems at Colonial Pipeline.

The European subsidiaries of Toshiba Tec Group said Friday that a cyberattack from a criminal gang had prompted the company to disconnect network connections between Japan and Europe to stop the spread of the malware. In a statement, Toshiba Tec Group, a unit of the multinational conglomerate which makes printers and other technologies, said the firm had “not yet confirmed a fact that customer related information was leaked externally,” though it suggested a criminal gang is responsible.

https://www.cyberscoop.com/darkside-ransomware-toshiba-hack/

@cRyPtHoN_INFOSEC_FR
@cRyPtHoN_INFOSEC_EN
@cRyPtHoN_INFOSEC_DE
@BlackBox_Archiv
121 views, 11:50
2021-05-16 14:45:24
Echelon PII Leak and Disclosure Fail.

Echelon (Echelon Fitness) is a competitor to companies such as Peloton. You buy the hardware, quickly assemble it, buy a subscription, use a built-in or external smart device and you do your exercise thing! However, their API had significantly worse security flaws than those we found in Peloton.

Echelon were also somewhat more challenging to deal with during the disclosure process than Peloton, first failing to respond and eventually claiming that they had fixed the issues ~90 days earlier, despite being provided with evidence to the contrary.

https://www.pentestpartners.com/security-blog/echelon-pii-leak-and-disclosure-fail/

@cRyPtHoN_INFOSEC_FR
@cRyPtHoN_INFOSEC_EN
@cRyPtHoN_INFOSEC_DE
@BlackBox_Archiv
128 views, 11:45
2021-05-15 04:24:42
Ransomware 2021: Critical Mid-year Update [REPORT PREVIEW]

Ransomware exploded in 2020 and shows no signs of slowing down nearly five months into 2021.

When we published the 2021 Crypto Crime Report in February, blockchain analysis showed that the total amount paid by ransomware victims increased by 311% in 2020 to reach nearly $350 million worth of cryptocurrency. No other category of cryptocurrency-based crime had a higher growth rate. However, we warned readers that that number was likely a lower bound of the true total. Sure enough, since publishing, we’ve identified new ransomware addresses with payments we’d yet to count, and now know that ransomware victims paid over $406 million worth of cryptocurrency to attackers in 2020. Again, that number will continue to grow as we discover more ransomware addresses.

https://blog.chainalysis.com/reports/ransomware-update-may-2021

@cRyPtHoN_INFOSEC_FR
@cRyPtHoN_INFOSEC_EN
@cRyPtHoN_INFOSEC_DE
@BlackBox_Archiv
53 views, 01:24
2021-05-15 04:01:48
The moral underground? Ransomware operators retreat after Colonial Pipeline hack.

The ransomware attack on Colonial Pipeline has caused a large amount of trouble in the United States. It looks as if that trouble has made its way back to the cybercrime underground.

Intel 471 has observed numerous ransomware operators and cybercrime forums either claim their infrastructure has been taken offline, amending their rules, or they are abandoning ransomware altogether due to the large amount of negative attention directed their way over the past week.

https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime

@cRyPtHoN_INFOSEC_FR
@cRyPtHoN_INFOSEC_EN
@cRyPtHoN_INFOSEC_DE
@BlackBox_Archiv
49 views, 01:01
2021-05-15 03:48:44
Scale of damage from cyberattack on HSE systems will not be known for days.

Minister says group responsible has been identified by the State’s cybersecurity apparatus

It will be at least three days before the scale of the damage from “possibly the most significant cyber crime attack on the Irish State” is clear, a Government Minister has said.

Green Party Minister of State for Communications Ossian Smyth said the attack, which led to HSE IT systems being taken offline on Friday, was carried out by a “serious international group”, and was an “order of magnitude” beyond normal cyber attacks launched on State agencies.

https://www.irishtimes.com/news/health/scale-of-damage-from-cyberattack-on-hse-systems-will-not-be-known-for-days-1.4565621

@cRyPtHoN_INFOSEC_FR
@cRyPtHoN_INFOSEC_EN
@cRyPtHoN_INFOSEC_DE
@BlackBox_Archiv
47 views, 00:48