Researchers at the Lookout Threat Lab have discovered a new Android surveillance tool which we attribute with moderate confidence to the Law Enforcement Command of the Islamic Republic of Iran (FARAJA). Named BouldSpy for the “BoulderApplication” class which configures the tool’s command and control (C2), we have been tracking the spyware since March 2020.

While ransomware continues to be a growing problem, double extortion ransomware in particular has been growing even more rapidly for organizations. Zscaler’s ThreatLabz has found a nearly 120% growth in double extortion ransomware. Double extortion attacks are devastating for organizations because they involve both the encryption of production data as well as the exfiltration of data.

The continued increase in cybercrime and breach attempts is not a new trend. For years now, the percentages have ticked upwards, and though cybersecurity has evolved, so have hackers seeking data, money, or infamy. While the initial attack vectors can be myriad — vulnerability exploits, misconfigurations, and credential theft to name a few — there are two tactics that stand tall above the rest: Ransomware and business email compromise (BEC).

Cyber attacks have become inevitable. According to research from Rubrik Zero Labs, 99% of IT and Security leaders were made aware of a cyberattack against their organization in 2022 with an average of 52 cyberattacks in this category. On top of that, 96% of IT and Security leaders are concerned they will be unable to maintain business continuity if they experience a cyberattack this year.

The JFrog Security Research team recently discovered a new malware payload in the PyPI repository, written in C#. This is uncommon since PyPI is primarily a repository for Python packages, and its codebase consists mostly of Python code, or natively compiled libraries used by Python programs. This finding raised our concerns about the potential for cross-language malware attacks.

South Korean cyber security organisation AhnLab has identified a breach in Microsoft SQL servers allowing deployment of Trigona ransomware. The attacks were threat actors using brute-force or dictionary attacks with obtained or guessed credentials to infiltrate externally accessible MS-SQL servers.

As Aviation, Maritime, Rail and Road transport organisations are reportedly experiencing increased levels of ransomware activity across Europe as per ENISA’s recent report, JUMPSEC analysts have combined the findings with JUMPSEC’s attacker reported data scraped from a variety of sources (including the dark web) providing further context to the risks currently posed to European transport organisations.

Cyber attacks can have a significant impact on point-of-sale (POS) services, which are used in retail environments to process transactions and collect payments from customers. POS systems typically involve the use of software, hardware, and network components, which can be vulnerable to a variety of cyber threats. A successful campaign targeting POS systems can result in credit card theft, transaction tampering, service disruption, brand damage and other severe organizational damage.

The Splunk Threat Research Team (STRT) continues to analyze and produce content related to the ongoing geopolitical conflict in eastern Europe where new variances of destructive payloads are being released, targeting government and civilian infrastructure. The sole purpose of these destructive payloads is to decimate infrastructure; there is no ransom or alternative presented, and they need to be addressed as soon as they are detected.

Ransomware has become a significant threat in today’s digital landscape, with cybercriminals using it as an effective means of making money, often with a low cost and high profit margin. Victims rarely recover their stolen data in full, despite promises from the perpetrators, so most of the time paying the ransom is not a viable solution.

Rubrik Zero Labs is excited to debut its second State of Data Security report: “The State of Data Security: The Hard Truths.” This in-depth global study is the first public use of Rubrik telemetry data to provide objective data security insights. Rubrik data is complemented by an extensive third-party study conducted by Wakefield Research, which provides a deeper look into the challenges IT and security decision-makers face, the impacts of these challenges, and possible solutions.

Understanding ransomware attacks is the first step in being able to prevent them from successfully targeting an organization. To prevent ransomware attacks, organizations must have strong security protocols in place such as performing regular system backups and training employees to avoid social engineering scams, among other measures. Continue reading to learn more about ransomware attacks and what organizations can do to stay protected against this type of attack.

A new malicious package has been detected on the Node Package Manager (npm) repository that poses a significant threat to users who may unknowingly install it. Named ‘Vibranced,’ the package has been carefully crafted to mimic the popular ‘colors’ package, which has over 20 million weekly downloads.

Adversaries use multiple techniques to identify and exploit weaknesses in Active Directory (AD) to gain access to critical systems and data. This blog post explores 3 ways they use PowerShell PowerSploit to elevate or abuse permissions, and offers effective strategies for protecting against them.

We live in a digital age, where new technologies are emerging daily, and old technologies are evolving and merging into new ones so fast that one could quickly lose track. All of this new technology is for the betterment and ease of life and to ensure that humanity lives a peaceful, stress-free and non-redundant life.

Cyber threat actors are becoming more and more efficient. They are targeting software and applications that are used by organizations globally. One recent example of this is the ESXIargs mass ransomware campaign which targeted a zero-day vulnerability in ESXi. So far this year, it has been reported that over 3,000 ESXi servers and countless virtual machines globally have been impacted by this campaign in the last two months.

The Windows kernel driver is an interesting space that falls between persistence and privilege escalation. The origins of a vulnerable driver being used to elevate privileges may have begun in the gaming community as a way to hack or cheat in games, but also has potential beginnings with Stuxnet.

CyberArk Labs discovered a new malware called Vare that is distributed over the popular chatting service, Discord. Vare has been used to target new malware operators by using social engineering tactics on them. Additionally, we have found that Vare uses Discord’s infrastructure as a backbone for its operations. This malware is linked to a new group called “Kurdistan 4455” based out of southern Turkey and is still early in its forming stage.

In late 2022, SafeBreach commissioned S&P Global Market Intelligence to conduct a research project surveying 400 highly qualified security practitioners across the United States and Europe. The goal was to understand respondents’ biggest security challenges, the level of adoption and maturity of the continuous security validation (CSV) tools they use to address those challenges, and the business outcomes they achieved.

Anticipation leads people to suspend their better judgment as a new campaign of credential theft exploits a person’s excitement about the newest AI systems not yet available to the general public. On Tuesday morning, April 11th, Veriti explained that several unknown actors are making false Facebook ads which advertise a free download of AIs like ChatGPT and Google Bard.

In this blog post, we’ll provide a detailed analysis of a malicious payload we’ve dubbed “Impala Stealer”, a custom crypto stealer which was used as the payload for the NuGet malicious packages campaign we’ve exposed in our previous post. The sophisticated campaign targeted.NET developers via NuGet malicious packages, and the JFrog Security team was able to detect and report it as part of our regular activity of exposing supply chain attacks.

Researchers at Securonix are tracking an ongoing phishing campaign dubbed “TACTICAL#OCTOPUS” that’s been targeting users in the US with tax-related phishing emails.

Todays Headline: International law enforcement operation involving the FBI and police agencies worldwide led to the arrest of a suspected administrator of the net remote access Trojan and the seizure of the services domain and hosting server. NetWire was a remote access trojan promoted as a legitimate remote administration tool to manage a Windows computer remotely.

In this blog post, the KrakenLabs team will take a deep dive into a malware sample classified as LummaC2, an information stealer written in C language that has been sold in underground forums since December 2022. We assess LummaC2’s primary workflow, its different obfuscation techniques (like Windows API hashing and encoded strings) and how to overcome them to effectively analyze the malware with ease.

The FBI’s newly-released report shows just how ransomware continues to plague critical infrastructure sectors, despite the U.S. government’s recent efforts to stop these attacks. You’ll probably recall the news about ransomware attacking the Colonial Pipeline and other U.S. critical infrastructure (CI) to the point that the government was stepping up their efforts to stop these attacks and even conducting congressional hearings on what to do about the problem.

The first quarter of 2023 was the best quarter we’ve seen for the ransomware industry in a long time, even exceeding Q1 2022. With 831 victims, Q1 2023’s victim count was much higher than the first quarter of 2022, with just 763 victims. Unsurprisingly, LockBit3.0 remained the number one group claiming an average of around 23 victims per week and almost 33% of all ransomware cases this quarter.

In early March, one of the notorious botnets, Emotet, resumed its spamming activities after a 3-month period of inactivity. Recently, Trustwave SpiderLabs saw Emotet switch focus to using OneNote attachments, which is a tactic also adopted by other malware groups in recent months. This analysis is intended to help the cybersecurity community better understand the wider obfuscation and padding tricks Emotet is using.

Trustwave SpiderLabs uncovered a new strain of malware that it dubbed Rilide, which targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. Rilide malware is disguised as a legitimate Google Drive extension and enables threat actors to carry out a broad spectrum of malicious activities, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges.

It’s like a technological thriller come to life. Ransomware entered the global spotlight in 2021 after a number of high-profile cases caught the media’s attention. But long before the growing threat entered the public domain, a small group of individuals started quietly helping thousands of people and businesses get their information back – without paying the ransom.

In this blog post, we outline what the Colour-Blind trojan is, how it works and what it tells us about the changing nature of malware.

BleepingComputer reports that a cybercriminal gang is sending phony ransomware threats to prior victims of ransomware attacks. The gang, which calls itself “Midnight,” claims to have stolen hundreds of gigabytes of data and threatens to leak it if the victim doesn’t pay a ransom. Security firm Kroll said the gang’s ransom notes use the names of more prolific ransomware actors.

Another supply chain attack requires an urgent response from security teams.

The Biden Administration’s 35-page National Cybersecurity Strategy released in March 2023 emphasizes the growing importance of cybersecurity for both private companies and federal agencies. The strategy specifically highlights ransomware as a significant concern, particularly in terms of its impact on private companies that collaborate with the federal government or are critical to national security.

The threat of ransomware has been ever present in 2020, especially within the high-stakes industries like healthcare and those involved in the election. According to Verizon's 2019 Data Breach Investigations Report, 24% of security incidents that involved specific malware functionality exhibited ransomware functionality.