Ransomware gangs are increasingly failing to keep their promise to delete stolen data after a victim pays a ransom.
In 2019, the Maze ransomware group introduced a new tactic known as double-extortion, which is when attackers steal unencrypted files and then threaten to release them publicly if a ransom is not paid.
Now, not only are victims being extorted through the encryption of their files but also by the risk of their data being published and causing a data breach.
This tactic was quickly adopted by other ransomware operations, which began to create data leak sites used to publish victims’ stolen files.
As part of this double-extortion tactic, most ransomware operations require a victim to pay a single ransom that provides both a decryptor for their encrypted files and a promise to delete the stolen files and not share them.
Some ransomware operations, like AKO/Ranzy, demand two ransom payments, one for the decryptor and another not to publish stolen data.

Oracle issued an out-of-band security update over the weekend to address a critical remote code execution (RCE) vulnerability impacting multiple Oracle WebLogic Server versions.
The security vulnerability, tracked as CVE-2020-14750, received a severity base score of 9.8 out of a maximum of 10 from Oracle.
Oracle credits 20 organizations and people in the security advisory for having provided information that allowed the company to address CVE-2020-14750.

US Cyber Command today shared information on malware implants used by Russian hacking groups in attacks targeting multiple ministries of foreign affairs, national parliaments, and embassies.
The malware samples were identified by US Cyber Command’s Cyber National Mission Force (CNMF) unit and the Cybersecurity and Infrastructure Security Agency (CISA) and uploaded today to the VirusTotal online virus scan platform.
CISA also published two advisories in collaboration with the FBI and CNMF detailing additional information regarding the ComRAT and Zebrocy malware used by the Russian state-sponsored Turla and APT28 hacking groups in these attacks.

This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Cyber Command Cyber National Mission Force (CNMF). This advisory describes the tactics, techniques, and procedures (TTPs) used by North Korean advanced persistent threat (APT) group Kimsuky—against worldwide targets—to gain intelligence on various topics of interest to the North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.
This advisory describes known Kimsuky TTPs, as found in open-source and intelligence reporting through July 2020. The target audience for this advisory is commercial sector businesses desiring to protect their networks from North Korean APT activity.

Emotet switched to a new template this week that pretends to be a Microsoft Office message stating that Microsoft Word needs to be updated to add a new feature.
Emotet is a malware infection that spreads through emails containing Word documents with malicious macros. When opening these documents, their contents will try to trick the user into enabling macros so that the Emotet malware will be downloaded and installed on the computer.
Once the malware is installed, Emotet will use the computer to send spam emails and ultimately install other malware that could lead to a ransomware attack on the victim’s network.
New malicious document template
Emotet spam campaigns use a variety of lures to trick recipients into opening an attachment, such as pretending to be invoices, shipping notices, resumes, or purchase orders, or even COVID-19 information, as shown below.