
Biweekly Threat Report

LockBit ransomware is now moving to a triple extortion tactic

LockBit ransomware is now moving to a triple extortion tactic: exfiltrating and encrypting the victim's data, leaking the stolen data, and DDoS attacking the victim. The group has also increased the amount of infrastructure hosting leaked data so that it can withstand further DDoS attacks; this became necessary after LockBit's own leak site was DDoS attacked following its threat to publish data stolen from Entrust.


EvilProxy phishing-as-a-service with MFA bypass has emerged on the dark web

EvilProxy actors are using reverse proxy and cookie injection methods to bypass 2FA. The victim is shown a realistic login page for Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, PyPI, Yahoo, Yandex and others; because the phishing page is a reverse proxy in front of the genuine service, the password and one-time code the victim types are relayed to the real site and the resulting authenticated session cookie is captured. This works against any second factor that is a code the user can type; it does not work against origin-bound factors such as FIDO2/WebAuthn keys, because the browser binds the assertion to the site the user is actually on.
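To make the difference concrete, here is an added example (not code from the report or from the EvilProxy kit) that plays both sides of a reverse-proxy login. It assumes a hypothetical relying party at login.example.com and a proxy at login.example.com.evil.test, uses the RFC 4226 test secret for the TOTP half, and omits the WebAuthn signature check (the standard library has no ECDSA) because the point here is the origin check, which page script cannot influence.

```python
import base64
import hashlib
import hmac
import json

# Assumptions for this example (not from the report): the real relying party is
# login.example.com and the EvilProxy-style reverse proxy is served from
# login.example.com.evil.test.
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}
PROXY_ORIGIN = "https://login.example.com.evil.test"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- TOTP (RFC 6238 on top of HOTP, RFC 4226): a code a reverse proxy can simply relay ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    return hotp(secret, unix_time // step)


def server_accepts_totp(secret: bytes, unix_time: int, submitted: str) -> bool:
    # Nothing in the code says where the victim typed it, so a code relayed by
    # the proxy is indistinguishable from one typed on the real site.
    return hmac.compare_digest(totp(secret, unix_time), submitted)


# --- WebAuthn assertion: origin-bound, so the relay fails ---

def build_client_data(challenge: bytes, origin: str) -> bytes:
    # The browser, not page script, fills in "origin" from the page the user is on.
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def build_authenticator_data(rp_id: str, counter: int) -> bytes:
    # authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4)
    flags = 0x05  # user present + user verified
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_assertion(expected_challenge: bytes, client_data_json: bytes, auth_data: bytes):
    # Relying-party checks from the WebAuthn spec, minus the signature check: a real
    # RP also verifies the signature over authData || sha256(clientDataJSON) with the
    # registered public key. Returns (accepted, reason).
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def simulate_login(origin: str, challenge: bytes):
    # A browser only lets a page use an RP ID that is a registrable suffix of its own
    # host, so a proxied page gets its own host as RP ID, never the real one.
    rp_id = origin.split("://", 1)[1]
    return verify_assertion(challenge, build_client_data(challenge, origin),
                            build_authenticator_data(rp_id, 1))


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real seed
    relayed = totp(secret, 59)        # the code the victim typed into the proxy page
    print("TOTP relayed through proxy accepted:", server_accepts_totp(secret, 59, relayed))
    challenge = bytes(range(32))      # constructed; a real RP issues a random challenge
    print("WebAuthn direct:   ", simulate_login("https://login.example.com", challenge))
    print("WebAuthn via proxy:", simulate_login(PROXY_ORIGIN, challenge))
```

Run as-is, the TOTP relay is accepted while the proxied WebAuthn assertion is rejected on the origin check; even a proxy that could forge the origin string would still fail the rpIdHash check because the browser computes it from the proxy's own domain.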


InterContinental Hotels Group have been compromised

Parts of IHG's technology systems have been subject to unauthorized activity, disrupting operations since Monday 5th September: customers have been unable to reserve rooms online, although hotels can still operate and take reservations directly.


Ransomware is increasingly using intermittent encryption to evade detection

Intermittent encryption means encrypting only parts of each file (for example a fixed number of bytes out of every block) rather than the whole file. This helps ransomware operators evade detection and encrypt victims' files faster. Encrypting whole files is time-intensive, and the faster the files are encrypted, the less likely the operation is to be detected and stopped while in progress. Ransomware detection systems may evaluate the intensity of file I/O operations; with partial encryption the file I/O is significantly lower in intensity and can therefore avoid detection. The trade-off for the attacker is that a partially encrypted file keeps runs of plaintext next to high-entropy ciphertext, which gives file-content inspection something to look for that a pure I/O-volume rule misses. Intermittent encryption has been observed in Qyick, Agenda, BlackCat (ALPHV), PLAY and Black Basta ransomware.
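The following is an added example, not code from the report or from any of the families named above. It simulates full and intermittent encryption on a constructed buffer and runs two detectors over the result: a naive rule on how much of the file was rewritten, and a per-chunk entropy scan. The cipher (SHA-256 in counter mode) and the "encrypt 1 KiB, skip 3 KiB" pattern are stand-ins chosen for this demo, not any family's actual mode or parameters.

```python
import hashlib
import math

CHUNK = 1024          # granularity at which the detector measures entropy
HIGH_ENTROPY = 7.0    # bits/byte; uniformly random bytes score ~7.8 on 1 KiB samples


def keystream(key: bytes, length: int) -> bytes:
    # SHA-256 in counter mode as a stand-in for the AES/ChaCha used by real families.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_span(data: bytearray, key: bytes, start: int, end: int) -> int:
    # XOR one span in place; returns the number of bytes rewritten (what the disk sees).
    end = min(end, len(data))
    if end <= start:
        return 0
    ks = keystream(key + start.to_bytes(8, "big"), end - start)
    for i in range(start, end):
        data[i] ^= ks[i - start]
    return end - start


def full_encrypt(plain: bytes, key: bytes):
    buf = bytearray(plain)
    written = encrypt_span(buf, key, 0, len(buf))
    return bytes(buf), written


def intermittent_encrypt(plain: bytes, key: bytes, enc_len: int = 1024, skip_len: int = 3072):
    # Encrypt the first enc_len bytes of every (enc_len + skip_len) segment; the
    # remaining skip_len bytes of each segment are left as plaintext.
    buf = bytearray(plain)
    written = 0
    for start in range(0, len(buf), enc_len + skip_len):
        written += encrypt_span(buf, key, start, start + enc_len)
    return bytes(buf), written


def shannon_entropy(chunk: bytes) -> float:
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def io_intensity_detector(written: int, total: int, threshold: float = 0.9) -> bool:
    # Naive rule modelled on "intensity of file I/O": alert when most of the file is rewritten.
    return written / total >= threshold


def chunk_entropy_detector(data: bytes):
    # Per-chunk entropy; a mix of high- and low-entropy chunks is the intermittent signature.
    ents = [shannon_entropy(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)]
    high = sum(1 for e in ents if e >= HIGH_ENTROPY) / len(ents)
    if high == 0:
        verdict = "clean"
    elif high >= 0.95:
        verdict = "full"
    else:
        verdict = "intermittent"
    return verdict, high


def compare(plain: bytes, key: bytes):
    # Run both detectors over each variant; returns {variant: {detector: result}}.
    results = {}
    variants = {
        "full": full_encrypt(plain, key),
        "intermittent": intermittent_encrypt(plain, key),
        "untouched": (plain, 0),
    }
    for name, (cipher, written) in variants.items():
        results[name] = {
            "io_alert": io_intensity_detector(written, len(plain)),
            "entropy_verdict": chunk_entropy_detector(cipher)[0],
        }
    return results


# Constructed sample "document" (~66 KiB of repetitive ASCII) and a demo key.
SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 1500
KEY = b"demo-key-not-a-real-one"

if __name__ == "__main__":
    for variant, result in compare(SAMPLE, KEY).items():
        print(f"{variant:>12}: io_alert={result['io_alert']}  entropy={result['entropy_verdict']}")
```

With the demo parameters the intermittent variant rewrites roughly a quarter of the file, so the I/O-volume rule stays silent while the entropy scan reports a mixed file. In production the same idea is applied per write or per file with a tuned threshold, and plaintext formats that are already compressed (archives, media) need a baseline, since they score high before any encryption.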


Threat actors are exploiting the death of Queen Elizabeth II

The death of Queen Elizabeth II is being used as bait in phishing attacks to steal Microsoft account credentials. The messages, purporting to come from Microsoft, invite recipients to an "artificial technology hub" in Queen Elizabeth II's honor. Clicking the button embedded in the email redirects the recipient to a phishing landing page built with the EvilProxy phishing kit, so the MFA bypass described above applies to any code entered there.


Hackers steal Steam accounts in new Browser-in-the-Browser phishing attacks

The attack starts with an invite to a tournament. On visiting the website the victim is told to link their Steam account for authentication and is then shown what appears to be a legitimate Steam login popup. In reality this is just an interactable window drawn inside the original page, which makes the fake hard to spot: the simulated popup displays the correct Steam URL and a green SSL padlock symbol. Because the victim types into a page the attacker controls, the method can also be used to capture MFA codes. One practical check: a genuine popup is a separate browser window and can be dragged outside the main window, whereas a Browser-in-the-Browser "popup" cannot leave the page that draws it.
