Anyone who has watched the Lockpicking Lawyer realizes that certain locks promoted as the latest-and-greatest aren’t necessarily the most reliable devices for securing physical assets. Like many other security professionals, he seeks to educate consumers and manufacturers on defects in devices and how to improve their security. It reminds me of a quote by Deviant Ollam (security auditor and penetration testing consultant): "Security is achieved through openness.

Lampion is a banking trojan with a particular predisposition to targeting Portuguese-speaking users (and exploiting cloud services). First documented in December 2019, the malware has gone through multiple releases, characterized by a number of different mechanisms to deliver the initial VBS (Visual Basic Script Loader). All the different variants have an element in common, the malware is distributed abusing legitimate cloud services throughout different stages of the attack chain.

In our companion blog post, Vedere Labs analyzed the main ransomware trends we observed in the first half of 2022, including state-sponsored ransomware, new mainstream targets and evolving extortion techniques. Ransomware is the main threat targeting most organizations nowadays. However, three other notable cyberthreat trends also evolved during this period: Below we analyze each of these trends in more detail.

Throughout the first half of 2022, Vedere Labs published analyses of prominent ransomware families, such as Conti, Night Sky and ALPHV. We also examined well-known ransomware incidents such as the attacks on the NFL’s SF 49ers by the BlackByte group; on a UK water utility, where the Clop gang managed to access their SCADA system; and on an NHSsoftware provider, where an unknown group managed to disrupt healthcare services in the UK for weeks.

The Arctic Wolf Labs team recently investigated a Lorenz ransomware intrusion, which leveraged a Mitel MiVoice VoIP appliance vulnerability (CVE-2022-29499) for initial access and Microsoft’s BitLocker Drive Encryption for data encryption. Lorenz is a ransomware group that has been active since at least February 2021 and like many ransomware groups, performs double-extortion by exfiltrating data before encrypting systems.

Modern organizations are built on data. It enables collaboration and helps us engage with customers. But that same helpful data is also sprawled across countless apps, making it difficult to secure. Ransomware attacks are on the rise — 57% of security leaders expect ransomware to compromise their organization within the next year — which makes data protection more essential than ever.

A ransomware gang that has been increasingly disproportionately targeting the education sector is the subject of a joint warning issued by the FBI, CISA, and MS-ISAC. The Vice Society ransomware group has been breaking into schools and colleges, exfiltrating sensitive data, and demanding ransom payments. The threat? If the extortionists aren’t paid, you may not be able to unlock your encrypted files, and the attackers may leak the information they have stolen from your servers online.

It is hard to believe, but ransomware is more than three decades old. While many would think that the ransomware mayhem started with the WannaCry attack of 2017, that is simply the most publicized example. Since then, dozens of ransomware strains have been utilized in a variety of cyberattacks.

AT&T Alien Labs has discovered a new malware targeting endpoints and IoT devices that are running Linux operating systems. Shikitega is delivered in a multistage infection chain where each module responds to a part of the payload and downloads and executes the next one. An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist.

The BlackCat/ALPHV ransomware is a complex threat written in Rust that appeared in November 2021. In this post, we describe a real engagement that we recently handled by giving details about the tools, techniques, and procedures (TTPs) used by this threat actor. Firstly, the attacker targeted an unpatched Microsoft Exchange server and successfully dropped webshells on the machine.