The ransomware threat landscape is growing exponentially as TTPs evolve and new ransomware families emerge. CISA, along with the FBI and HHS, has issued a new joint advisory to alert organizations to the new TTPs and IOCs used by Hive ransomware. The advisory highlights that the attackers behind the ransomware have extorted $100 million in ransom payments from over 1,300 companies worldwide. In another update, the newly found ARCrypter ransomware has begun expanding its operations beyond Latin America. The ransomware operation claims to steal data during its attacks; however, it currently has no data leak site for publishing the data of victims who did not pay the ransom.
In the past 24 hours, researchers also shared details about new versions of the LodaRAT malware spotted in the wild. These new versions include functionality intended to speed up execution and evasion.
Top Breaches Reported in the Last 24 Hours
Schools in Michigan counties suffer attacks
Public schools in two Michigan counties were forced to halt their operations after a ransomware attack. The schools notified law enforcement agencies and engaged cybersecurity advisors to investigate the incident. As a precautionary measure, the staff asked everyone to refrain from using any school-issued devices.
Widespread spear-phishing attacks
A wave of spear-phishing attacks orchestrated by the Mustang Panda APT group targeted the government, academic, foundation, and research sectors around the world. The infection routines led to the distribution of malware such as TONEINS, TONESHELL, and PUBLOAD. The ultimate goal of the attackers was to steal sensitive documents and information, which could be used as entry vectors for the next wave of intrusions.
Top Malware Reported in the Last 24 Hours
Update on Hive ransomware operation
CISA, together with the FBI and HHS, issued a joint advisory to warn organizations about Hive ransomware operations. The advisory includes recently and historically observed TTPs and IOCs to help organizations protect against the ransomware. As of October, the attackers behind Hive have extorted $100 million in ransom payments from over 1,300 companies worldwide.
New versions of LodaRAT spotted
Several new versions of the LodaRAT malware have been found deployed alongside the RedLine and Neshta trojans in a series of attack campaigns. Significant upgrades include new functionality for spreading to attached removable storage devices and a new string-encoding algorithm. The new implementations are likely intended to speed up execution and improve evasion.
QBot abuses the Windows control panel
Phishing emails distributing QBot malware are using a DLL hijacking method that abuses the Windows 10 Control Panel executable to infect computers. This is likely intended to bypass security checks by antivirus software, since the malicious DLL is loaded by a trusted, signed Windows binary.
ARCrypter ransomware expands its attacks
The previously unknown ARCrypter ransomware is now expanding its operations outside Latin America and targeting organizations worldwide, including ones in France, Germany, the U.S., China, and Canada. At this point in time, little is known about the operators of the ransomware, and the initial attack vector also remains unknown. The ransom demands vary and are as low as $5,000.
Royal ransomware delivery process tweaked
Microsoft tracked a new change in the attack pattern used by the DEV-0596 threat actors to deliver Royal ransomware. From August to October, the malware was delivered via malicious links posing as legitimate installers for numerous applications such as TeamViewer, Adobe Flash Player, Zoom, and AnyDesk. Previously, the attackers leveraged malvertising, fake forum pages, and blog comments to distribute the malware.
Top Vulnerabilities Reported in the Last 24 Hours
Vulnerability in Omron exploited
Threat actors exploited a critical vulnerability in Omron PLCs to target industrial control systems with the Pipedream/Incontroller malware. Tracked as CVE-2022-33971, the hardcoded credentials vulnerability has a CVSS score of 9.4 and can be used to gain access to Omron PLCs. Omron had released advisories to inform organizations about the flaw, alongside two other vulnerabilities (CVE-2022-33971 and CVE-2022-33208), with patches announced in July and October.
Atlassian addresses critical vulnerabilities
Atlassian addressed critical vulnerabilities found in its centralized identity management platform (Crowd Server and Data Center) and its Git repository management solution (Bitbucket Server and Data Center). The issue in Crowd Server and Data Center is tracked as CVE-2022-43782 and can allow attackers to bypass password checks when authenticating as the Crowd app and to call privileged API endpoints. Meanwhile, the flaw identified in Bitbucket Server and Data Center is tracked as CVE-2022-43781 and can let attackers achieve code execution under certain circumstances.