QNAP NAS devices are being targeted in attacks by the AgeLocker ransomware, which encrypts the device’s data, and in some cases, steal files from the victim.
AgeLocker is ransomware that utilizes an encryption algorithm called Age (Actually Good Encryption) designed to replace GPG for encrypting files, backups, and streams.
In July 2020, we reported about a new ransomware called AgeLocker that was utilizing this algorithm to encrypt victims’ files.
When encrypting files, it would prepend a text header to the encrypted data that starts with the URL ‘age-encryption.org,’ as shown below.
Read more »
A new ransomware group has been targeting large corporate networks using self-made backdoors and file-encrypting malware for the initial and final stages of the attack.
Researchers are tracking the gang using the codename OldGremlin. Their campaigns appear to have started in late March and have not expanded globally, yet.
Attacks attributed to this group have been identified only in Russia but there is a strong suspicion that OldGremlin is currently operating at smaller scale to fine-tune their tools and techniques before going global. Read more »
The Maze ransomware operators have adopted a tactic previously used by the Ragnar Locker gang; to encrypt a computer from within a virtual machine.
In May, we previously reported that Ragnar Locker was seen encrypting files through VirtualBox Windows XP virtual machines to bypass security software on the host. The virtual machine would mount a host’s drives as remote shares and then run the ransomware in the virtual machine to encrypt the share’s files.
As the virtual machine is not running any security software and is mounting the host’s drives, the host’s security software could not detect the malware and block it.
Read more »
The US Cybersecurity and Infrastructure Security Agency (CISA) issued a new advisory on Monday about a wave of cyberattacks carried by Chinese nation-state actors targeting US government agencies and private entities.
“CISA has observed Chinese [Ministry of State Security]-affiliated cyber threat actors operating from the People’s Republic of China using commercially available information sources and open-source exploitation tools to target US Government agency networks,” the cybersecurity agency said.
Over the past 12 months, the victims were identified through sources such as Shodan, the Common Vulnerabilities and Exposure (CVE) database, and the National Vulnerabilities Database (NVD), exploiting the public release of a vulnerability to pick vulnerable targets and further their motives. Read more »
The list of native executables in Windows that can download or run malicious code keeps growing as another one has been reported recently.
These are known as living-off-the-land binaries (LoLBins) and can help attackers bypass security controls to fetch malware without triggering a security alert on the system.
Works for download and exfil
The latest addition is finger.exe, a command that ships with Windows to retrieve information about users on remote computers running the Finger service or daemon. Communication is carried via the Name/Finger network communication protocol.
Security researcher John Page discovered that the Microsoft Windows TCPIP Finger command can also function as a file downloader and a makeshift command and control (C3) server that can serve for sending commands and exfiltrating data. Read more »