Netskope has just published the Monthly Threat Report for February, with this month’s report focused on what is going on in Europe. I don’t intend to summarise the report in this blog, instead I want to zoom in and study a continuing trend that was highlighted in there; one that is unfortunately heading in the wrong direction.
The term ransomware perfectly captures the idea behind it, i.e. holding a computer system or software captive until a ransom is paid. Traditionally, attackers used ransomware to target individuals, but things are different now.
Mimikatz provides attackers with several different ways to steal credentials from memory or extract them from Active Directory. One of the most interesting options is the MemSSP command. An adversary can use this command to register a malicious Security Support Provider (SSP) on a Windows member server or domain controller (DC) — and that SSP will log all passwords in clear text for any users who log on locally to that system.
CrowdStrike recently analyzed a macOS-targeted mineware campaign that utilized malicious application bundles to deliver open source XMRig cryptomining software and Invisible Internet Protocol (I2P) network tooling.
OpenAI's ChatGPT chatbot has been a phenomenon, taking the internet by storm. Whether it is composing poetry, writing essays for college students, or finding bugs in computer code, it has impressed millions of people and proven itself to be the most accessible form of artificial intelligence ever seen.
A ransomware outfit is advising its victims to secretly tell them how much insurance they have, so their extortion demands will be met. As security researchers at Varonis describe, a new strain of the HardBit ransomware has taken the unusual step of asking targeted companies to spill the beans anonymously on whether they have cyber insurance (and the terms of that insurance).
An Operating System (OS) is the software that acts as a bridge between the computer hardware and the applications being run on the computer. It is responsible for managing and controlling the computer’s resources such as memory, processors, and input/output devices. The OS provides a user-friendly interface for users to interact with the computer, making it easier for users to perform tasks like file management, launching applications, and configuring system settings.
The city government of Oakland has declared a state of emergency after it was hit by a ransomware attack. The attack, which began in the evening of February 8th, has forced the city to take all its IT systems offline, and has affected many non-emergency services, including the ability to collect payments, issue permits, and process reports.
The underground economy of the initial access brokers (IABs) is flourishing more than ever. At least, this is one of the conclusions of the recent report “Hi-Tech Crime Trends 2022/2023” released by Group-IB. Initial access brokers exploit vulnerabilities or misconfigurations to get hold of valid access credentials (typically VPN or RDP) and outsource or sell them to criminal gangs, including ransomware operators.
In a year where headlines were dominated by the global economic and geopolitical uncertainty around Russia’s war on Ukraine, 2022 saw a threat landscape that was both volatile and fragmented, largely due to the war. As the year drew to an end, ransomware hit a peak, primarily due to the rise in attacks impacting the manufacturing, health care, technology and telecommunications industries.
Info-stealers are malicious software designed to extract sensitive information, such as passwords, from victim systems. Info-stealers have become one of the most discussed malware types in cybercriminal underground forums. Let’s see how info-stealers have evolved recently to become the threat that they are. Then, we’ll look at a specific stealer freely available as open-source that could be used in future attacks.
Ransomware appears to be one of the most expensive and disruptive internet afflictions. It is a type of malware that encrypts the victim's files and vital information, and the attackers demand payment to provide the decryption keys. While ransomware is not a new form of attack, the prevalent scenario is indeed alarming, and the following numbers corroborate this. It seems that individuals and organizations are likely to be affected by ransomware attacks in 2023 and beyond.
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. This blog was jointly authored with Arjun Patel. GuLoader is a malware downloader that is primarily used for distributing other shellcode and malware such as ransomware and banking Trojans.
8220 Gang has been dubbed a group of low-level script kiddies with an equally disappointing name, based on their original use of port 8220 for Command and Control (C2) network communications dating back to 2017. Since an initial Talos report in late 2018, the group has continued to use, learn, and benefit from the efforts of their counterparts in the cryptojacking world.
The latest on ESXiArgs ransomware attacks, new QakNote attacks pushing QBot malware via Microsoft OneNote files, and Biden’s attention to data privacy in the State of the Union.
The threat actor group behind Royal ransomware first appeared in January 2022, pulling together actors previously associated with Roy/Zeon, Conti and TrickBot malware. Originally known as “Zeon” before renaming themselves “Royal” in September 2022, they are not considered a ransomware-as-a-service (RaaS) operation because their code and infrastructure are private and not made available to outside actors.
The Hive Ransomware Group is a sophisticated criminal organisation that targets businesses around the world with their ransomware attacks. The group’s primary goal is to extort money from victims by locking and encrypting their data, making it inaccessible until a ransom payment is made.
Operating in a cloud model means not only being able to access your data anywhere but that your infrastructure is flexible and scalable enough to accommodate demands that change from day to day or sometimes from moment to moment. This is easy enough to achieve in a public cloud, where resources can be made elastic and added and removed dynamically.
Last October, Trustwave SpiderLabs blogged about the use and prevalence of HTML email attachments to deliver malware and phishing for credentials. The use of HTML smuggling has become more prevalent, and we have since seen various cybercriminal groups utilizing these techniques to distribute malware. HTML smuggling employs HTML5 attributes that can work offline by storing a binary in an immutable blob of data within JavaScript code.
Clicking on malicious links can lead to compromised accounts and can infect your devices with malware. Learning how to check whether a link is safe before clicking on it is important to staying safe online. You can check whether a link is safe by hovering over it to see whether it points to the URL it claims to, or by using a URL checker.
The annual State CIO Top 10 priorities list issued by the National Association of State Chief Information Officers shows that while the technology initiatives remain relatively unchanged, there is a slight shuffle around priorities. Cybersecurity continues to take the number one spot, and that will likely remain the case for years to come, given the increase in ransomware attacks across industries and organizations of all sizes.
Our annual Ransomware Report shares the latest trends and developments of the most active threat groups and their victims, to help businesses better protect themselves.
Hive has been seized by law enforcement, but we’re likely to still see these initial access methods and tactics used across other threat actor groups.
Cybersecurity is a complex term; it has become all-encompassing and is constantly evolving to include new and emerging technologies, attacks, actors, and a myriad of other points. What this means for organizations large, medium, and small is that each must have a cybersecurity plan in place. An interesting point, however, is that despite the mindshare cybersecurity now enjoys, the industry itself is still in its relative infancy.
Redline infostealer gathers information and steals high-value data from an infected machine. Redline is considered one of the most dangerous malware families currently in use in the wild and has been distributed through countless trojanized software packages, applications, games and cracked software. In addition to data exfiltration, Redline also has the capability to connect to a command and control (C2) server to download and upload files as well as execute remote commands.