The trend of the Ransomware-as-a-Service (RaaS) model is flourishing on dark web forums as threat actors added two new malware families to extort more victims. Named Octocrypt and Alice, the ransomware families are offered for sale on cybercrime forums, with the capabilities to target a wide range of PCs. Besides these, a new AXLocker ransomware has emerged in the threat landscape, which is able to steal Discord tokens from infected machines.
In another threat update, Google Cloud Threat Intelligence researchers identified around 34 cracked versions of Cobalt Strike with unique Beacon components available in the wild. Each version of these post-exploitation tools included attack template binaries, numbering between 10 and 100. Meanwhile, organizations, especially in the legal and retail sectors, need to be vigilant of an ongoing extortion campaign that has already cost victims thousands of dollars.
Top Breaches Reported in the Last 24 Hours
Mastodon users’ data leaked
A misconfigured server was found leaking Mastodon users’ personal information. The exposed information included account names, display names, profile pictures, follower counts, following counts, and the last status updates of users. However, no email addresses or passwords were involved. The owner of the server remains unknown.
Top Malware Reported in the Last 24 Hours
Cracked Cobalt Strike versions in the wild
Google Cloud Threat Intelligence researchers found 34 cracked versions of Cobalt Strike in the wild. These versions contained 257 unique JAR files and Beacon components, which upon execution could log keystrokes, perform code execution, escalate privileges, and conduct port scanning, among other nefarious activities. Researchers also noticed that each unauthorized version of the Cobalt Strike toolkit had attack template binaries, numbering between 10 and 100.
New ransomware families spotted
A newly found ransomware named AXLocker not only encrypts the victims’ files but also attempts to steal Discord tokens. It targets specific file extensions with AES encryption, before extorting the victim. Apart from this, two RaaS families called Octocrypt and Alice have come to the notice of the researchers. While Octocrypt is being offered at a price of $400 to target all Windows versions, Alice is being sold at $600, with fast encryption capabilities and compatibility with Asian/Arab PCs.
Top Vulnerabilities Reported in the Last 24 Hours
PoC for ProxyNotShell flaw released
A security researcher released PoC exploit code for actively abused Microsoft Exchange ProxyNotShell vulnerabilities—tracked as CVE-2022-41040 and CVE-2022-41082. These flaws affect Microsoft Exchange Server 2013, 2016, and 2019, and can allow attackers to escalate privileges to run PowerShell in the context of the system and perform arbitrary or remote code execution on compromised servers.
PoC for macOS vulnerability published
PoC exploit code for a macOS vulnerability that could be exploited to circumvent sandbox restrictions has been published by a security researcher. The flaw, tracked as CVE-2022-26696, has a CVSS score of 7.8 and can also be abused to execute low-privileged code on the target system. The patch for the same was made available with the release of macOS Monterey 12.4 in May.
Top Scams Reported in the Last 24 Hours
Callback extortion campaign
Researchers have linked the Luna Moth ransom group with a callback phishing extortion campaign that has already cost victims hundreds of thousands of dollars. As the campaign is expanding in scope, researchers note that organizations in the legal and retail sectors need to be vigilant. The threat actors have significantly invested in call centers and infrastructure that is unique to each victim. The initial lure used in the campaign is a phishing email with an attached invoice that indicates the recipient’s credit card has been charged for a service, for an amount under $1000.