Are you still relying on legacy backup systems to protect your business from cyber attacks? If so, you might want to think twice. Cyber attacks have become so common that 98% of security and IT leaders reported that they dealt with at least one in the last year. Relying on legacy backups as a defense against cyber attacks is not only ineffective but also obsolete in today's rapidly evolving threat landscape.

In early March, the SANS Institute, whose mission is to empower cybersecurity professionals with the practical skills and knowledge to make the world a safer place, shared some insightful findings based on their survey on ransomware and malware intrusions in 2022. The survey included participants in various roles and industries from organizations worldwide of all sizes. “In this survey, we wanted to understand what the past year looked like for our respondents.

The ongoing geo-political crisis in Eastern Europe continues to be the scenario of deployment of a variety of payloads linked to information stealing and data/network destruction. The deployment of these payloads has been associated or contingent with Military actions as Microsoft and ESET have observed in some of their publications. These campaigns have targeted critical infrastructure affecting civilian populations in addition to military targets.

In our new threat briefing report, Forescout’s Vedere Labs provides details on the recent ransomware campaign targeting VMware ESXi virtualization servers, or hypervisors, and analyzes two payloads used in these attacks: variants of the Royal and Clop ransomware. We also present the tactics, techniques and procedures (TTPs) used by attackers in this campaign, discuss mitigation recommendations and list indicators of compromise (IOCs) that can be used for detection or threat hunting.

Trustwave SpiderLabs “noted” in Part 1 and Part 2 of our OneNote research that OneNote has been used as a malware delivery mechanism now we will shift gears and focus on several OneNote decoy notes SpiderLabs has discovered that deliver malware families like Qakbot, XWorm, Icedid, and AsyncRAT. While the malware payload can change, the techniques have generally been the same.

In part one, we examined how threat actors abuse a OneNote document to install an infostealer. Part 2 of this series discusses an AsyncRAT infection chain while detailing important parts of the code. We’ll also quickly analyze other notable malware strains such as Qakbot and RemcosRAT.

Threat actors are taking advantage of Microsoft OneNote's ability to embed files and use social engineering techniques, such as phishing emails and lures inside the OneNote document, to get unsuspecting users to download and open malicious files. Once clicked, an attacker can use the embedded code for various malicious purposes, such as stealing data or installing ransomware on victims' systems.