Sopra Steria …. Ryuked.. Services down

IT services provider Sopra Steria has confirmed that it was hit by a “new version” of the Ryuk ransomware that was “previously unknown to antivirus software providers and security agencies”.

The French-headquartered company detected the cyberattack on 20 October and made it public the following day.

Reports pointed to hackers using Ryuk ransomware to target Sopra Steria’s Active Directory infrastructure. This saw some IT systems encrypted and payment demanded to unlock them.

Sopra Steria said it has made the virus signature of the new Ryuk ransomware strain available to “all antivirus software providers” so that they can update their defences.

Sopra Steria said that the ransomware attack was launched “a few days before it was detected”, which meant the virus was contained to a “limited part of the Group’s infrastructure”.

It has been revealed that Ryuk operators exploited the Netlogon vulnerability CVE-2020-1472 (Zerologon) to compromise domain controllers and then exfiltrated data. Microsoft released the patch for this vulnerability in August.

The company, which provides IT outsourcing services to the NHS and Home Office, said it has not identified any leaked data or damage to client networks.

It may take a few weeks for services to be restored across geographies.

Bazar Backdoor 🚪✴️

The TrickBot trojan has survived the massive takedown operation! While the trojan is set to reboot its operations with a new set of backend infrastructure, the operators are making headway with another creation dubbed BazarLoader/BazarBackdoor.

BazarLoader is the newest stealthy, covert malware added to the TrickBot group’s arsenal. It came to the limelight in July when researchers were investigating a particular attack campaign against targets across the U.S. and Europe. BazarLoader consists of two components: a loader and a backdoor.

The malware uses legitimate file-sharing services, as well as phishing emails, as part of the infection chain. The group behind the malware abuses certificate signing to evade antivirus and other security software.

Key Strengths

  • BazarLoader’s strength lies in its stealthy core component and obfuscation capabilities. Such obfuscation allows the crime group to maintain persistence on the host even if the third-party software it drops is detected by antivirus software.
  • Moreover, the ingenious use of blockchain by BazarLoader operators displays their ability to abuse legitimate services for nefarious activities.

Essence

Loaders are becoming an essential part of any cybercrime campaign. They start the infection chain by distributing the payload. In essence, they fetch the backdoor from the C2 server and plant and execute it on the victim’s machine.

BazarLoader demonstrates that alarming trend. Furthermore, the abuse of legitimate services and digital signatures for obfuscation represents the widespread use of deception techniques.

Energetic Bear ! Strikes US

The US government said today that a Russian state-sponsored hacking group has targeted and successfully breached US government networks, according to a joint advisory from CISA and the FBI.

The intruders were identified as the Russian hacker group Energetic Bear, a codename used by the cybersecurity industry. Other names for the same group include TEMP.Isotope, Berserk Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala.

The two agencies said Energetic Bear “successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.”

Networking Gear has been the target of attack

Russian hackers used publicly known vulnerabilities to breach networking gear, pivot to internal networks, elevate privileges, and steal sensitive data.

Targeted devices included Citrix access gateways (CVE-2019-19781), Microsoft Exchange email servers (CVE-2020-0688), Exim mail agents (CVE-2019-10149), and Fortinet SSL VPNs (CVE-2018-13379).

To move laterally across compromised networks, they used the Zerologon vulnerability in Windows Server (CVE-2020-1472) to access and steal Windows Active Directory (AD) credentials.
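The Zerologon abuse described here, and in the Sopra Steria item above, leaves traces that defenders can look for on domain controllers: Microsoft’s August 2020 Netlogon update added Event IDs 5827/5828 (vulnerable Netlogon connection denied) and 5829 (vulnerable connection still allowed, because enforcement is not yet active), and the exploit’s reset of a domain controller’s machine-account password shows up as a 4742 computer-account change performed by ANONYMOUS LOGON. The Python below is an added example, not code from the CISA/FBI advisory or from any vendor named on this page; it hunts for those indicators over constructed, simplified log lines. The pipe-delimited line format, the host names and the domain-controller inventory are all assumptions made for the example (a real Windows export is EVTX/XML).

```python
"""Hunt for Zerologon (CVE-2020-1472) indicators in simplified event-log lines."""

# Constructed, simplified event lines (format invented for this example):
# timestamp|event_id|logging_host|key=value;key=value
SAMPLE_EVENTS = """\
2020-10-01T03:12:07Z|4624|DC01|SubjectUserName=svc_backup;LogonType=3
2020-10-01T03:12:09Z|5829|DC01|MachineAccount=DC01$;Domain=CORP
2020-10-01T03:12:10Z|4742|DC01|SubjectUserName=ANONYMOUS LOGON;TargetUserName=DC01$
2020-10-01T03:15:40Z|4742|DC01|SubjectUserName=itadmin;TargetUserName=WS-HR-02$
2020-10-01T04:02:13Z|5827|DC02|MachineAccount=WS-FIN-07$;Domain=CORP
2020-10-01T04:02:14Z|5828|DC02|TrustAccount=PARTNER$;Domain=CORP
"""

# Assumed inventory of domain controller computer accounts for this example.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}

# Event IDs introduced by the August 2020 Netlogon patch (CVE-2020-1472).
NETLOGON_EVENTS = {
    5827: "denied vulnerable Netlogon connection (machine account)",
    5828: "denied vulnerable Netlogon connection (trust account)",
    5829: "ALLOWED vulnerable Netlogon connection (enforcement not active)",
}

SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}


def parse_line(line):
    """Split one constructed line into a dict of its fields."""
    ts, event_id, host, detail = line.split("|", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split(";") if kv)
    return {"ts": ts, "event_id": int(event_id), "host": host, **fields}


def find_indicators(text):
    """Return (severity, host, event_id, description) tuples for suspicious events."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        eid = ev["event_id"]
        if eid in NETLOGON_EVENTS:
            account = ev.get("MachineAccount") or ev.get("TrustAccount", "?")
            # A still-allowed vulnerable connection is worse than a denied one,
            # and either one naming a DC's own account is how the exploit looks.
            severity = "high" if eid == 5829 else "medium"
            if account in DOMAIN_CONTROLLERS:
                severity = "critical"
            findings.append((severity, ev["host"], eid,
                             f"{NETLOGON_EVENTS[eid]} for {account}"))
        elif (eid == 4742
              and ev.get("SubjectUserName") == "ANONYMOUS LOGON"
              and ev.get("TargetUserName") in DOMAIN_CONTROLLERS):
            # Zerologon resets the DC machine-account password unauthenticated,
            # which is logged as a computer-account change by ANONYMOUS LOGON.
            findings.append(("critical", ev["host"], eid,
                             f"DC account {ev['TargetUserName']} changed by ANONYMOUS LOGON"))
    return findings


def hosts_by_severity(findings):
    """Collapse findings to the worst severity seen per logging host."""
    worst = {}
    for sev, host, _, _ in findings:
        if SEVERITY_RANK[sev] > SEVERITY_RANK.get(worst.get(host), 0):
            worst[host] = sev
    return worst


if __name__ == "__main__":
    results = find_indicators(SAMPLE_EVENTS)
    for sev, host, eid, desc in results:
        print(f"[{sev.upper():8}] {host} event {eid}: {desc}")
    print(hosts_by_severity(results))
```

On the sample data the 5829 and 4742 events on DC01 both come out as critical, which is the pattern to treat as an active compromise; the denied 5827/5828 events on DC02 show a patched controller refusing insecure connections and are worth triaging but not alarming on their own.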

Below are some of the data compromised and exfiltrated by the group:

  • Sensitive network configurations and passwords.
  • Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
  • IT instructions, such as requesting password resets.
  • Vendors and purchasing information.
  • Printing access badges.

As this recent malicious activity has been directed at SLTT (state, local, tribal, and territorial) government networks, there may be some risk to elections information housed on those networks, but no such compromise is known so far.

Haldiram’s renowned Snack maker. Hit by Unknown

Hackers have allegedly stolen crucial data of the popular food and snack company Haldiram’s and have demanded Rs 7,50,000.

The unidentified attackers hacked the server of the company, based in the industrial Sector 62 of Noida, using malware in what appears to be a ransomware attack.

The cyber attack took place on the intervening night of October 12 and 13 and the hackers may have stolen “entire or substantial data” of the company which runs several restaurants and outlets.

The complaint made by a Haldiram’s official said that an IT official of Haldiram’s subsequently checked the firewall software on the company’s servers and found traffic originating from the servers to certain IP addresses.

The officials of the company found that some program was being executed on the aforementioned servers and that all the company’s data was being diverted out of them. Before the connection could be cut off entirely, substantial data had been exfiltrated.

The company said its official raised a complaint with its data security and cyber security firm, Trend Micro, and alleged that all files and sensitive data of the firm had been encrypted by the hacker, thereby, preventing its officials from interacting with their files, data, applications and systems.

It said that the hackers, to give effect to a pre-planned criminal conspiracy, have not only stolen data from the servers and systems of the company but have also contacted company officials through certain servers to illegally extort money to provide back the access to the company’s own data and to delete the stolen data from the servers and systems.

The data includes, but is not limited to, financial, HR, sales/purchase and other data.