Cyber Hub

During the past week, we saw some interesting developments in the ransomware arena, from prominent enterprises falling victim to these ransomwares, to new ransomware families attacking in the wild. Cybergangs continue to improve their ransomware as this attack vector proves to be one of the most profitable TTPs in the cybercriminal world. The Cyberproof CTI team is keeping a close eye on the evolution of the ransomware front. The following includes some of the major developments over the last week.

Each week there are several reports of cyber-attacks and high-severity vulnerabilities found. The risk they pose to your organization depends on a variety of factors that are in a near-constant state of flux. This week security researchers detected new disturbing vulnerabilities in Intel processors, as well as an UPnP vulnerability that affects billions of IoT devices.

New substantial phishing campaigns were detected over the past week; threat actors are still focused on leveraging COVID-19 and the fact that most employees are working from home remotely using Zoom communication platform. A campaign that tries to take advantage of the fact that many businesses that are expecting to receive financial relief from the government was identify this week, aiming to steal corporate credentials. In addition, threat actors capitalize the Black Lives Matter movement to spread TrickBot.

As ransomware attacks continue to prove themselves as one of the most profitable TTPs for cybercriminals today, their sophistication and frequency increase as well. The average ransom payment in ransomware attacks sharply grew by 33% in Q1 of 2020, and threat actors seems to be highly motivated than ever to utilize it. This week, security researchers have detected new threatening malware strains of the [F]Unicorn ransomware, as well as an extended activity of PonyFinal ransomware against organizations around the world.

Over the past week, several malware campaigns exposed new developments and capabilities that improve their abilities to avoid detection and cause greater damage to the infected victims. The TrickBot trojan has been seen using a new module to avoid detection and infect domain controllers while a new malware named Valak, that was used as a loader, has started collecting sensitive data. In addition, a new malware dubbed Octopus Scanner was detect infecting organizations using GitHub.

Each week there are several reports of cyber-attacks and high-severity vulnerabilities found. The risk they pose to your organization depends on a variety of factors that are in a near-constant state of change. This week we saw a number of security issues affecting the Exim MTA servers. In addition, we also witnessed attacks exploiting SaltStack vulnerabilities and the dangers of having potentially affected unpatched Cisco products.

Botnets remain at the top of the hackers' list of preferred tools due to the ability to magnify attacks without much effort. From DDoS attacks to malware delivery, botnets continue to create headlines with new methods used by threat actors to wreak havoc and seize financial gains.

As ransomware attacks continue proving themselves as one of the most profitable TTPs for cybercriminals today, their sophistication and frequency increases as well. The average ransom payment in ransomware attacks has sharply grown by 33% in Q1 of 2020. Threat actors seem to be highly motivated than ever to utilize it. This week, security teams have discovered new disturbing evasion techniques of the infamous NetWalker and Ragnar Locker ransomware.

Many new phishing campaigns were detected over the past week where threat actors are still focused on leveraging COVID-19 and the fact that most employees are working remotely, from home, using various communication and collaboration platforms. Apart from that, threat actors continue developing new phishing techniques to avoid detection and not raise suspicion by the victims. A massive campaign capitalizes the Coronavirus to spread the NetSupport RAT, while the collaboration platform, LogMeIn is impersonated to gather credentials. In addition, threat actors are taking advantage of the tax season for credentials gathering as well, while in another campaign, Google Firebase is used to host phishing pages. Moreover, a new phishing campaign is being spread by luring employees to access files that are related to upcoming bonuses in order to gain permissions to internal systems without the need to use credentials or MFA required.

Threat actors consistently come up with new ways to distribute malware that will be used for their malicious intentions to harm individuals and organizations. When it comes to state-sponsored actors, the scope of the attacks usually increases in direct proportion to the threat actor’s resources. Over the past week, security researchers have detected new malware strains that are believed to be associated with the infamous Lazarus hacking group.