TheCyberThrone Security Week In Review

Welcome to TheCyberThrone cybersecurity week in review will be posted covering the important security happenings. This review is for the week ending Saturday, May 20, 2023.

1.RA Group Ransomware Dissection

Researchers have discovered a new ransomware called RA Group that has been active for alteast a month, The group has already compromised three organizations in the U.S. and one in South Korea. Researchers say that the group is using the leaked Babuk ransomware source code.

The binary has the debug path “C:\Users\attack\Desktop\Ransomware.Multi.Babuk.c\windows\x64\Release\e.pdb” that has the same mutex name as the Babuk ransomware, suggests the malware borrows Babuk’s leaked source code. The RA Group also uses a double extortion model and runs a date leak site similar to other threat actors.

2.MichaelKors RaaS targets VMware ESXi

Researchers have spotted the newly emergent MichaelKors ransomware-as-a-service operation has set its sights on VMware ESXi and Linux systems since last month, As per the report, VMware ESXi and linux are similarly targetted by the ALPHV/BlackCat, ESXiArgs, LockBit, Play, Rook, Black Basta, Defray, and Rorschach ransomware gangs

VMware ESXi Hypervisors have been increasingly attractive targets for ransomware operations due to the lack of antivirus software or third-party agent support, as well as their widespread usage, inadequate network segmentation, and numerous in-the-wild security flaws.

3.MalasLocker Ransomware targets Zimbra

A new active ransomware group has been spotted that victimized nearly 200 organizations having a different spin on its extortion efforts: Don’t pay us, pay a charity

This unnamed group that is at least publicly claimed to be driven by anti-capitalist sentiment largely targets users Zimbra. The ransomware used by the group dubbed as MalasLocker. The ransomware leak website lists three companies as victims, alongside a list of 170 other entities listed as Defaulters. The group uses DDoS as attack tactics

4.Discord Discloses a Data Breach

Discord has announced a data breach that occurred after the account of a third-party support agent was compromised. The breach resulted in the exposure of some users’ personal information, including their email addresses, usernames, and hashed passwords.

As per the official statement, the data breach occurred after a support agent’s account was hacked that reportedly obtained through a phishing scheme, which allowed the attacker to access the agent’s account and gain access to some users’ personal information. Discord has since taken steps to revoke the attacker’s access and is investigating the incident further.

Discord has not disclosed the exact number of users affected by the data breach. It stated that the breach only affects users who contacted the support team between specific dates and does not impact all Discord users.

SUBSCRIBE TO OUR BLOG TODAY !

We understand the importance of staying on top of the latest threats and vulnerabilities that can harm your digital life. You’ll receive the latest cybersecurity news, insights, resources, offers and analysis straight to your inbox every day

5.UNC3944 Abuses Azure leveraging SIM Swapping attacks

Researchers have spotted a threat actor known by the name UNC3944 and were observed abusing privileged accounts to access the Microsoft Azure Serial Console. UNC3944 has bypassed many of the defense and detection methods used within Azure, thereby gaining full access to the text-based console for Windows virtual machines. By leveraging SIM swapping attacks through multiple intrusions, some of which included the Azure Serial Console and other Azure extensions.

This attacker often leverages compromised credentials of administrators or other privileged accounts for initial access. A common tactic employed by this attacker involves SMS phishing privileged users, SIM swapping, and then impersonating the users to trick help desk agents into sending a multi-factor reset code via SMS.

This brings end of this week in review security coverage. Thanks for visiting TheCyberThrone. If you like us please follow us on Facebook, Twitter, Instagram