Maze shutting down finally đź’«

The Maze cybercrime gang is shutting down its operations that began its operation in may 2019 after rising to become one of the most prominent players performing ransomware attacks.

A double-extortion tactic introduced by Maze to exfilterates the data before encryption

Once encrypted, they demand ransom . If victim fails to pay they publish those data in maze site which started to be in limelight

This double-extortion technique was quickly adopted by other large ransomware operations, including REvil, Clop, DoppelPaymer, who released their own data leak sites. This double-extortion technique has now become a standard tactic used by almost all ransomware operations.

Maze continued to evolve ransomware operations by forming a ransomware cartel with Ragnar Locker and LockBit, to share information and tactics.

During their year and a half cybercrime spree, Maze has been responsible for attacks on notable victims, including Southwire, City of Pensacola, Canon, LG Electronics, Xerox, and many more.

Maze started to shut down six weeks ago
In a similar manner as GandCrab did in 2019.lastly Barnes and Noble ransomware attack.

This threat actor stated that they take part in ransomware attacks by compromising networks and stealing Windows domain credentials. The compromised networks are then passed to affiliates who deploy the ransomware.

Maze has started to remove victims that they had listed on their data leak site. All that is left on the site are two victims and those who previously and had all of their data published.The cleaning up of the data leak site indicates that the ransomware operation’s shutdown is imminent.

It is not uncommon for ransomware operations to release the master decryption keys when they shut down their operation, as was done with Crysis, TeslaCrypt, and Shade.

Maze affiliates have switched over to a new ransomware operation called Egregor which began operating in the middle of September, just as Maze started shutting down their encryption operation.

This is believed to be the same underlying software as both Maze and Sekhmet as they utilize the same ransom notes, similar payment site naming, and share much of the same code.

This was also confirmed by a ransomware threat actor who stated that Maze, Sekhmet, and Egregor were the same software.when a ransomware operation shuts down, it does not mean the threat actors involved retire as well. They just move to the next ransomware operation.

Abaddon RAT ! Sophisticated C2C

The new ‘Abaddon‘ remote access trojan may be the first to use Discord as a full-fledged command and control server that instructs the malware on what tasks to perform on an infected PC.

Threat actors abusing Discord for malicious activity is nothing new.

A new ‘Abaddon’ remote access trojan (RAT) could be the first malware that uses Discord as a full-fledge command and control server.

When started, Abaddon will automatically steal the following data from an infected PC:

  • Chrome cookies, saved credit cards, and credentials.
  • Steam credentials and list of installed games
  • Discord tokens and MFA information.
  • File listings
  • System information such as country, IP address, and hardware information.

Abaddon will then connect to the Discord command and control server to check for new commands to execute, as shown by the image below.

Receive a task from the Discord server

These commands will tell the malware to perform one of the following tasks:

  • Steal a file or entire directories from the computer
  • Get a list of drives
  • Open a reverse shell that allows the attacker to execute commands on the infected PC.
  • Launch in-development ransomware (more later on this).
  • Send back any collected information and clear the existing collection of data.

The malware will connect to the C2 every ten seconds for new tasks to execute.

Using a Discord C2 server, the threat actor can continually monitor their collection of infected PCs for new data and execute further commands or malware on the computer like encryption and decryption after paying ransom

With ransomware being extremely lucrative, it would not be surprising to see this feature completed in the future.

Energetic Bear ! Strikes US

The US government said today that a Russian state-sponsored hacking group has targeted and successfully breached US government networks , said by advisory of CISA & FBI

Intruders identified as Russian hacker group, Energetic Bear a codename used by the cybersecurity industry. Other names for the same group also include TEMP.Isotope, Berserk Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala.

The two agencies said Energetic Bear “successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.”

Networking Gear has been the target of attack

Russian hackers used publicly known vulnerabilities to breach networking gear, pivot to internal networks, elevate privileges, and steal sensitive data.

Targeted devices included Citrix access gateways (CVE-2019-19781), Microsoft Exchange email servers (CVE-2020-0688), Exim mail agents (CVE 2019-10149), and Fortinet SSL VPNs (CVE-2018-13379).

To move laterally across compromised networks, they used the Zerologon vulnerability in Windows Servers (CVE-2020-1472) to access and steal Windows Active Directory (AD) credentials.

Below are some of the details that are compromised and ex-filtrated by the group

  • Sensitive network configurations and passwords.
  • Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
  • IT instructions, such as requesting password resets.
  • Vendors and purchasing information.
  • Printing access badges.

This recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. But nothing known to be till now.

Haldiram’s renowned Snack maker. Hit by Unknown

Hackers have allegedly stolen crucial data of popular food and snack company Haldiram’s and have demanded Rs 7,50,000

The unidentified accused hacked the server of the company based in the industrial Sector 62 of Noida using a cyber malware popularly called possible Ransomware Attack.

The cyber attack took place on the intervening night of October 12 and 13 and the hackers may have stolen “entire or substantial data” of the company which runs several restaurants and outlets.

The complaint made by a Haldiram’s official said that an IT official of Haldiram’s consequently accessed the Firewall programme on the company’s servers and found some traffic generating from servers, showing certain IP addresses.

The officials of the company found out that some programme was being executed on the aforementioned servers and all the data of the company was being diverted from and going out from the servers of the company. Before disconnecting the entire connection substantial data has been exfilterated

The company said its official raised a complaint with its data security and cyber security firm, Trend Micro, and alleged that all files and sensitive data of the firm had been encrypted by the hacker, thereby, preventing its officials from interacting with their files, data, applications and systems.

It said that the hackers, to give effect to a pre-planned criminal conspiracy, have not only stolen data from the servers and systems of the company but have also contacted company officials through certain servers to illegally extort money to provide back the access to the company’s own data and to delete the stolen data from the servers and systems.

The data includes but not limited to financial, HR, sales/purchase and other data/information)