Ivanti EPM Vulnerability Exploited in the Wild

An Ivanti EPM SQL injection vulnerability tracked as CVE-2024-29824 has been exploited to target some of the company’s customers.

The post Ivanti EPM Vulnerability Exploited in the Wild appeared first on SecurityWeek.

SecurityWeek – Read More

Adobe Commerce Flaw Exploited to Compromise Thousands of Sites

Over 4,000 Adobe Commerce and Magento stores unpatched against an exploited vulnerability have been compromised.

The post Adobe Commerce Flaw Exploited to Compromise Thousands of Sites appeared first on SecurityWeek.

SecurityWeek – Read More

License Plate Readers Are Creating a US-Wide Database of Political Lawn Signs and Bumper Stickers

From Trump campaign signs to Planned Parenthood bumper stickers, license plate readers around the US are creating searchable databases that reveal Americans’ political leanings and more.

Security Latest – Read More

New Vulnerabilities Expose Hundreds of Thousands of DrayTek Routers to Hacking

Forescout has identified more than a dozen new vulnerabilities in DrayTek routers, exposing hundreds of thousands of devices to attacks. 

The post New Vulnerabilities Expose Hundreds of Thousands of DrayTek Routers to Hacking appeared first on SecurityWeek.

SecurityWeek – Read More

Chrome, Firefox Updates Patch High-Severity Vulnerabilities

The latest Chrome and Firefox security updates address multiple high-severity vulnerabilities affecting the popular web browsers.

The post Chrome, Firefox Updates Patch High-Severity Vulnerabilities appeared first on SecurityWeek.

SecurityWeek – Read More

Cybersecurity Head Says There’s No Chance a Foreign Adversary Can Change US Election Results

CISA director Jen Easterly says there is no chance a foreign adversary can change the results of the upcoming US election.

The post Cybersecurity Head Says There’s No Chance a Foreign Adversary Can Change US Election Results appeared first on SecurityWeek.

SecurityWeek – Read More

Release Notes: Safebrowsing, Private AI Assistant, Splunk Integration, and more

Welcome to ANY.RUN’s monthly updates, where we share our team’s achievements over the past month.

September has been a productive month at ANY.RUN, packed with exciting new features and improvements. We’ve launched Safebrowsing, a powerful tool that lets you safely check suspicious URLs in an isolated browser. 

In addition to that, we’ve integrated with Splunk, enhanced our sandbox capabilities, and rolled out new signatures and YARA rules to help you strengthen your security. 

Let’s break down what’s new in ANY.RUN step by step.

Safebrowsing for Quick URL Checks 

Safebrowsing lets you quickly open any URL in an interactive virtual browser

We’ve released Safebrowsing, a new tool that allows ANY.RUN users to safely analyze suspicious URLs within a fully interactive, isolated browser. It is a quick and secure way to explore websites and verify potentially malicious content without putting your local system at risk. 

You can interact with suspicious links in real time, detect threats using our proprietary technology, and receive detailed reports, including Indicators of Compromise (IOCs) and network traffic analysis.  

Now available in free beta for all ANY.RUN users, it adds a new layer of security to your daily operations. 



New Integration with Splunk 

In September, ANY.RUN officially launched an integration with Splunk. It brings access to our Interactive Sandbox and Threat Intelligence Lookup directly in the Splunk SOAR environment. 

ANY.RUN integration with Splunk 

With this integration, Splunk users can now analyze potentially malicious files and URLs in ANY.RUN’s sandbox and enrich their investigations with comprehensive threat intelligence from TI Lookup, all without leaving Splunk.

Key features: 

Comprehensive threat intelligence: Query ANY.RUN’s threat intelligence database directly from Splunk SOAR using the ‘get intelligence’ action. 

Automated malware analysis: Automatically detonate files and URLs in ANY.RUN’s sandbox as part of a Splunk SOAR playbook. 

Detailed reporting & IOC extraction: Quickly retrieve detailed reports and extract IOCs for further threat investigation and response. 

Advanced threat hunting: Perform complex queries against ANY.RUN’s threat intelligence database to search for file hashes, IP addresses, domains, and more. 

AI Assistant for Private Sandbox Sessions 

We’ve improved the sandbox’s AI capabilities by replacing the ChatGPT assistant with our own private AI model. Now you can access AI-powered explanations in both public and private analysis sessions, without worrying about your data going to any third party.

AI assistance inside ANY.RUN’s sandbox 

This private AI model is especially useful for those new to the cybersecurity field.

It breaks down complex data quickly, helping you better navigate your analysis and extract useful insights.



Security Training Lab 

In September, we launched Security Training Lab, a new program designed to equip future cybersecurity professionals with practical, hands-on skills.

Universities often struggle to keep their curricula up to date, but Security Training Lab bridges the gap between theory and real-world practice. 

Through in-depth modules and access to ANY.RUN’s tools, students gain valuable experience in detecting and responding to real threats.  

Key advantages of Security Training Lab include: 

30 hours of academic content: Including written materials, video lectures, and interactive tasks. 

Access to ANY.RUN: Students and instructors use real-world tools to analyze threats. 

Practical learning: Hands-on experience with real cyber threat samples. 

Network Detections Update 

In September, we added 459 new Suricata rules, of which 382 are dedicated to phishing detection.

This significant increase comes from closely monitoring the activity of threat actor Storm-1575, leading to the identification of two primary tools currently used by this group. 

New Signatures 

In September, we added a total of 9 new signatures. Here are some highlights:  

Stealc signature for mutex detection 

Razr signature for .raz file extension 

SFX Dropper signature  

Alucard ransomware  

Tgbdownloader adware  

Xmrig mutex and file drop detection 

Hawkeye ransomware detection  

Scheduled task creation via Registry  

EFI boot file modification  

YARA Rules Update 

We’ve added 5 new YARA rules to detect various malware threats: 

Megatools downloader  

Goldeneye ransomware  

Diablonet detection 

Pown ransomware  

AutoIT scripts detection  

Additionally, we’ve updated the YARA rule for Lumma, enhancing the detection mechanism for this threat.  

About ANY.RUN  

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

Detect malware in seconds

Interact with samples in real time

Save time and money on sandbox setup and maintenance

Record and study all aspects of malware behavior

Collaborate with your team 

Scale as you need


The post Release Notes: Safebrowsing, Private AI Assistant, Splunk Integration, and more appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

Threat actor believed to be spreading new MedusaLocker variant since 2022

Cisco Talos has discovered a financially motivated threat actor, active since 2022, recently observed delivering a MedusaLocker ransomware variant. Intelligence collected by Talos on tools regularly employed by the threat actor allows us to estimate the number of victims and their countries of origin. This actor has been active since at least late 2022 and targets organizations worldwide, although the number of victims was higher than average in EU countries until mid-2023 and, since then, in South American countries.

This threat actor was observed distributing a MedusaLocker ransomware variant known as “BabyLockerKZ.” This variant is compiled with a PDB path containing the word “paid_memes” that is also present in other tools observed during the attacks, presumably built by the same author.

Talos has new information on the attacker’s tools, including BabyLockerKZ, as well as attacker TTPs and IOCs to assist in detecting and preventing further attacks.

Talos has recently observed an attack leading to the deployment of a MedusaLocker ransomware variant known as “BabyLockerKZ.” The distinguishable techniques — including consistently storing the same set of tools in the same location on compromised systems, the use of tools that have the PDB path with the string “paid_memes,” and the use of a lateral movement tool named “checker” — used in the attack led us to take a deeper look to try to understand more about this threat actor. 

This attacker uses several publicly known attack tools and living-off-the-land binaries (LoLBins), as well as a set of tools built by the same developer (possibly the attacker) to assist in credential theft and lateral movement in compromised organizations. These tools are mostly wrappers around publicly available tools that add functionality to streamline the attack process and provide graphical or command-line interfaces.

The same developer built the MedusaLocker variant used in the initial attack. This variant uses the same chat and leak site URLs as the original MedusaLocker ransomware but differs from it in several ways, such as a different autorun key and an extra public and private key set stored in the registry. Based on the name of the autorun key, the attackers call this variant “BabyLockerKZ.”

We assess with medium confidence that the actor is financially motivated, likely working as an IAB or an affiliate of a ransomware cartel, and has been carrying out attacks since at least 2022. Our telemetry indicates that the actor opportunistically targeted many victims worldwide. In late 2022 and early 2023, most victims were in European countries, but since the first quarter of 2023, the group’s focus shifted toward South American countries and, as a result, the number of victims per month almost doubled.

Tracking BabyLockerKZ across the globe

Intelligence collected by Talos on tools regularly employed by the threat actor allows us to estimate the number of victims and their countries of origin. Although this is unlikely to capture all of the adversary’s activities, it still provides a look at a specific window of activity.

The actor has been active since at least October 2022. At that time, the targets were mostly located in European countries such as France, Germany, Spain or Italy. During the second quarter of 2023, the attack volume per month almost doubled, and the group shifted its focus toward South American countries such as Brazil, Mexico, Argentina and Colombia, as shown in the chart below. The attacks kept a steady volume of around 200 unique IPs compromised per month until the first quarter of 2024, when the attacks decreased.

The actor has consistently compromised a large number of organizations, often more than 100 per month, since at least 2022. This reveals the professional and highly aggressive nature of the attacks and is coherent with the activity we would expect from an IAB or ransomware affiliate.

Attacker TTPs and tools

During the attack leading to the deployment of BabyLockerKZ, the adversary used several publicly known attack tools and others that could be unique to this actor. The group frequently used the Music, Pictures or Documents user folders of compromised systems to store attack tools. For example, the following paths were used to store tools during this attack:

c:\users\<user>\music\advanced_port_scanner_2.5.3869.exe

c:\users\<user>\music\hrsword\hrsword install.bat

c:\users\<user>\music\killav\build.004\disabler.exe

c:/users/<user>/music/checker/checker(222).exe

c:/users/<user>/music/checker/invoke-thehash.ps1

c:/users/<user>/music/checker/checker (222).exe

c:/users/<user>/music/checker/invoke-smbexec.ps1

c:/users/<user>/music/checker/invoke-wmiexec.ps1

c:/users/<user>/appdata/roaming/ntsystem/ntlhost.exe.exe

c:/users/<user>/appdata/local/temp/advanced port scanner 2/advanced_port_scanner.exe

c:/users/<user>/appdata/local/temp/is-juad3.tmp/advanced_port_scanner_2.5.3869.tmp

These are similar to a previous attack leading to MedusaLocker ransomware, documented by ASEC in February 2023, which our telemetry suggests was a more active period for this threat actor.

Some of the publicly known tools used by the attacker are:

HRSword_v5.0.1.1.rar: A tool used to disable AV and EDR software.

Advanced_Port_Scanner_2.5.3869.exe: A network-scanning tool with several additional features to map internal networks and devices.

Netscan.exe: SoftPerfect Network Scanner, a tool similar to Advanced Port Scanner.

Processhacker.exe: Process monitoring and administration software. Allows a TA to enumerate and control processes running on the infected endpoint.

PCHunter64.exe: A tool similar to Process Hacker.

Mimikatz: A tool to dump Windows user credentials from memory.

While most of the tools the attacker uses are publicly available, they also use some tools that are not widely distributed. These streamline the attack process by automating the interaction between popular attack tools (e.g., Mimikatz, Invoke-TheHash, PSEXEC, RDP) and by adding convenient functionality and interfaces. One of these tools, called “Checker,” was used in an attack that deployed BabyLockerKZ and shares a pivotal characteristic with it: its PDB path contains the string “paid_memes.” Pivoting off this string, we identified files on VirusTotal, most of which are BabyLockerKZ samples. We also discovered several other tools, which we outline below.

Checker tool

Checker (E:\paid_memes\wmi_smb_rdp_checker\Release\checker.pdb) is an app that bundles several other freely available apps and provides a GUI for management of credentials as the attackers proceed with lateral movement. In particular, it contains a set of tools:

Remote Desktop Plus

PSEXEC

MIMIKATZ

And a set of scripts based on the Invoke-TheHash tool.

The tool also contains a GUI, as shown below, and a database to store the credentials.

As the image illustrates, the tool can be used to scan IPs for valid credentials using several protocols/techniques (PSEXEC, RDP, SMB and WMI) and is prepared to import data from lists of hosts and from some of the tools in the attacker toolset, such as Mimikatz and Advanced Port Scanner. The tool can also decrypt hashes and offers the convenience of a GUI to store a database of the hosts and respective credentials that have been obtained or verified.

PTH project

The PTH (D:\Projects\paid_memes\PTH\Release\PTH.pdb) name suggests the pass-the-hash technique, which uses NTLM hashes to authenticate remotely without having to crack the password. Looking at its resources, it embeds:

Invoke-SMBClient.ps1

Invoke-SMBEnum.ps1

Invoke-SMBExec.ps1

Invoke-TheHash.ps1

Invoke-WMIExec.ps1

These were also used in the checker tool and are part of Invoke-TheHash. According to the author: 

“Invoke-TheHash contains PowerShell functions for performing pass the hash WMI and SMB tasks. WMI and SMB connections are accessed through the .NET TCPClient. Authentication is performed by passing an NTLM hash into the NTLMv2 authentication protocol. Local administrator privilege is not required client-side.”

MIMIK tool

MIMIK (D:\Projects\paid_memes\mimik\Release\stub_mimik.pdb) is a wrapper around Mimikatz and rclone that can be used to steal credentials and automatically upload them to an attacker-controlled server. The following image shows the terminal output for the tool.

The following command lines are examples of commands executed via the tool:

64.exe privilege::debug sekurlsa::logonPasswords token::elevate lsadump::sam full exit

C:\Users\user\Desktop\64.exe 64.exe "privilege::debug" "sekurlsa::logonPasswords" "token::elevate" "lsadump::sam full" exit

64.exe "privilege::debug" "sekurlsa::logonPasswords" "token::elevate" "lsadump::sam full" exit

C:\Users\user\Desktop\rclone.exe rclone rcd --rc-no-auth --bwlimit=30M

C:\Users\user\Desktop\rclone.exe rclone rc operations/stat

BabyLockerKZ

BabyLockerKZ is a variant of MedusaLocker that has been around at least since late 2023 and has been analyzed by other researchers, although not specifically called out as a MedusaLocker variant with this name. 

A Cynet blog post on the malware used the name “Hazard” for a MedusaLocker variant (named after the extension used for encrypted files) and mentions the existence of the BabyLockerKZ registry key. 

Another post from Whitehat mentions the existence of PAIDMEMES PUBLIC and PRIVATE registry keys on a MedusaLocker sample. 

This variant has not been given much attention outside of that, though, possibly because it’s highly similar to MedusaLocker or because it uses the same chat and leak sites as MedusaLocker. But there are several notable differences between BabyLockerKZ and MedusaLocker, such as:

No {8761ABBD-7F85-42EE-B272-A76179687C63} mutex.

No MDSLK reg key.

The PAIDMEMES Public and Private keys.

The BabyLockerKZ run key.

The use of the PAIDMEMES public and private keys is unclear. In their post, Whitehat mentioned that they believe the keys aren’t necessary for the encryption process, as the Linux version doesn’t use them. Further research into the use of these keys might be a topic for another blog post.
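The tool-staging paths, the “paid_memes” PDB strings, the MIMIK command lines and the BabyLockerKZ-specific registry keys described above can be turned into host-side detection logic. The following Python is an added example, not Talos code: it scores constructed Sysmon-style events against those indicators; the Event schema, the tool-name and folder lists and the sample telemetry are assumptions for illustration.

```python
"""Score Sysmon-style events against the BabyLockerKZ / "paid_memes" indicators in the
Talos post: tools staged in a user's Music/Pictures/Documents folder, PDB paths containing
"paid_memes", the PAIDMEMES and BabyLockerKZ registry keys, and the MIMIK wrapper's Mimikatz
command line. Added example, not Talos code; event schema and sample telemetry are constructed."""
import re
from dataclasses import dataclass

# Tool file names the post reports under c:\users\<user>\music\ (matched case-insensitively).
STAGED_TOOL_NAMES = ("advanced_port_scanner", "hrsword", "disabler", "checker",
                     "invoke-thehash", "invoke-smbexec", "invoke-wmiexec")
# Drive-letter path whose first folder below the user profile is a media/document folder.
USER_MEDIA_DIR = re.compile(r"^[a-z]:[\\/]users[\\/][^\\/]+[\\/](music|pictures|documents)[\\/]", re.I)
# Registry artifacts the post lists as unique to BabyLockerKZ (absent from stock MedusaLocker).
REG_ARTIFACTS = (
    re.compile(r"\\software\\paidmemes\\(public|private)$", re.I),
    re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\babylockerkz$", re.I),
)
# Mimikatz modules the MIMIK wrapper chains on a single command line.
MIMIKATZ_MODULES = ("privilege::debug", "sekurlsa::logonpasswords", "lsadump::sam")


@dataclass
class Event:
    kind: str                # "process", "registry" or "pe" (hypothetical schema)
    image: str = ""          # process image path, or the PE file for "pe" events
    command_line: str = ""
    target_object: str = ""  # registry key path for "registry" events
    pdb_path: str = ""       # PDB path read from the PE debug directory


def triage(event):
    """Return the indicator names the event matches; an empty list means no match."""
    hits = []
    if event.kind == "process":
        base = event.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if USER_MEDIA_DIR.match(event.image) and any(t in base for t in STAGED_TOOL_NAMES):
            hits.append("tool_staged_in_user_media_folder")
        cmd = event.command_line.lower()
        # Require two modules together: a lone privilege::debug is too noisy on its own.
        if sum(m in cmd for m in MIMIKATZ_MODULES) >= 2:
            hits.append("mimikatz_credential_dump_chain")
        if "rclone" in cmd and "--rc-no-auth" in cmd:
            hits.append("rclone_unauthenticated_rc_daemon")
    elif event.kind == "registry":
        if any(p.search(event.target_object) for p in REG_ARTIFACTS):
            hits.append("babylockerkz_registry_artifact")
    elif event.kind == "pe":
        if "paid_memes" in event.pdb_path.lower():
            hits.append("paid_memes_pdb_path")
    return hits


def flagged(events):
    """Return (index, hits) for every event that matched at least one indicator."""
    return [(i, h) for i, h in enumerate(map(triage, events)) if h]


# Constructed sample telemetry; paths and command lines follow the post's examples.
SAMPLE_EVENTS = [
    Event("process", image=r"c:\users\bob\music\checker\checker (222).exe"),
    Event("process", image=r"C:\Users\bob\Desktop\64.exe", command_line=(
        "64.exe privilege::debug sekurlsa::logonPasswords token::elevate lsadump::sam full exit")),
    Event("process", image=r"C:\Users\bob\Desktop\rclone.exe",
          command_line="rclone rcd --rc-no-auth --bwlimit=30M"),
    Event("registry", target_object=r"HKCU\SOFTWARE\PAIDMEMES\PUBLIC"),
    Event("registry", target_object=r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ"),
    Event("pe", image=r"c:\users\bob\music\checker\checker (222).exe",
          pdb_path=r"E:\paid_memes\wmi_smb_rdp_checker\Release\checker.pdb"),
    Event("process", image=r"C:\Windows\System32\svchost.exe", command_line="svchost.exe -k netsvcs"),
    Event("registry", target_object=r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"),
]
```

Running `flagged(SAMPLE_EVENTS)` flags the first six constructed events and leaves the benign svchost and OneDrive entries alone; the registry patterns also match the HKEY_USERS\%SID% forms listed in the IOC section because they search for the key suffix only.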

Coverage

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. SIDs for this threat:

Snort3 Rules: 1:300998:1:0

Snort2 Rules: 1:63928:1:0, 1:63929:1:0

ClamAV detections are also available for this threat:
Win.Ransomware.MedusaLocker-10035000-1
Win.Tool.PassTheHash-10034996-0
Win.Ransomware.MedusaLocker-10035000-0

Indicators of Compromise

IOCs for this research can be found at our Github repository here.


PDB list:

d:/projects/paid_memes/virus/release/stub.pdb

e:/locker/bin/stub_win_x64_encrypter.pdb

i:/locker/bin/stub_win_x64_encrypter.pdb

d:/education/locker/bin/stub_win_x64_encrypter.pdb

d:/education/locker/bin/stub_win_x86_encrypter.pdb

d:/projects/paid_memes/wmi_smb_rdp_checker/release/checker.pdb

d:/projects/paid_memes/mimik/release/stub_mimik.pdb

i:/locker/x64/release/phantom.pdb

d:/projects/paid_memes/pth/release/pth.pdb

Registry keys:

HKEY_USERS\%SID%\SOFTWARE\PAIDMEMES\PRIVATE

HKEY_USERS\%SID%\SOFTWARE\PAIDMEMES\PUBLIC

HKEY_CURRENT_USER\SOFTWARE\PAIDMEMES\PUBLIC

HKEY_CURRENT_USER\SOFTWARE\PAIDMEMES\PRIVATE

HKCU\SOFTWARE\PAIDMEMES\PUBLIC

HKCU\SOFTWARE\PAIDMEMES\PRIVATE

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ

HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ

Extension names observed being used by BabyLockerKZ samples:

crypto125, crypto1317, crypto165, crypto41, crypto76, encrypted1, hazard11, hazard21, hazard23, hazard24, hazard25, hazard27, hazard31, hazard38, hazard49, hazard55, hazard56, hazard7, infected, lock2, lock3, lock5, locked9, lockfiles, meduza210, rapid1, rapid10, readtext13, readtext47, readtext49, recovery29, recovery70, virus2, virus3, virus57

Encryption key BabyLockerKZ:

PUTINHUILO1337

MUTEX BabyLockerKZ:

HOHOL1488

Cisco Talos Blog – Read More

LockBit Ransomware and Evil Corp Leaders Arrested and Sanctioned in Joint Global Effort

A new wave of international law enforcement actions has led to four arrests and the takedown of nine servers linked to the LockBit (aka Bitwise Spider) ransomware operation, marking the latest salvo against what was once a prolific financially motivated group.
This includes the arrest of a suspected LockBit developer in France while on holiday outside of Russia, two individuals in the U.K. who

The Hacker News – Read More

Meta faces consequences for storing millions of passwords in plaintext

Meta has been fined $101 million by Ireland’s Data Protection Commission for storing hundreds of millions of user passwords in plaintext. We don’t really need to point out the obvious: storing passwords in plaintext is a major violation of security best practices. Disclosed by Meta in 2019, it was then revealed that passwords for various Meta-owned platforms were logged in plaintext and stored…


TechSplicer – Read More