company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO/CTO

DevOps Engineer

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Data Breach

Healthcare

loading..
loading..
loading..

200,000 accounts compromised in a month old Colorado Springs data leak

200,000 Colorado Springs Utilities (CSU) customers might have exposed personal information in a month-old data breach…

16-Jul-2022
2 min read

Related Articles

loading..

APT44

Russian state-backed hackers, Sandworm, are targeting water utilities. Learn how...

APT44, also known as Sandworm, poses an alarming and dynamic threat, particularly highlighted in the context of Russia's ongoing invasion of Ukraine. Mandiant's research underscores the group's adaptability, operational maturity, and integration with Russia’s military objectives. Notably, APT44's activities extend beyond Ukraine, impacting global political, military, and economic landscapes, with a heightened concern during national elections due to its history of interference. ## Tactical Evolution Sandworm's evolution is marked by its transition from disruptive cyber sabotage to intelligence collection, aligning closely with Russia's military campaign objectives. This strategic shift emphasizes APT44's role in providing battlefield advantages to Russian forces, exemplified by its efforts in exfiltrating communications from captured mobile devices. APT44's multifaceted approach underscores its pivotal role in shaping and supporting Russia's military endeavors. ## Operational Scope APT44's operations span a spectrum of activities, ranging from espionage to influence operations, underpinned by its sponsorship by Russian military intelligence. Notably, the group's actions extend beyond traditional military targets to encompass broader national interests, including political signaling and crisis responses. APT44's involvement in consequential cyber attacks, such as disruptions to Ukraine's energy grid and the global NotPetya attack, underscores its significant impact on geopolitical dynamics. ## Threat Landscape The persistent and high-severity threat posed by APT44 extends globally, targeting governments and critical infrastructure operators where Russian interests converge. Moreover, APT44's actions contribute to a proliferation risk, as its disruptive capabilities may inspire emulation by other state and non-state actors. Mandiant's assessment underscores the urgent need for enhanced cybersecurity measures to counter APT44's sophisticated tactics and mitigate potential fallout. ## Future Outlook Looking ahead, APT44 is poised to remain a formidable cyber threat, with a continued focus on Ukraine amid Russia's ongoing war. However, the group's adaptability and expansive mandate suggest potential shifts in operational priorities, influenced by changing geopolitical dynamics and emerging issues. Mandiant's analysis underscores the imperative for proactive measures to safeguard against APT44's multifaceted cyber activities, particularly during significant political events and elections worldwide. ## Community Protection Measures In response to the APT44 threat, collaborative efforts are essential to protect communities and critical infrastructure. Google's Threat Analysis Group (TAG) and Mandiant play crucial roles in identifying and mitigating APT44's activities. Through initiatives like the Victim Notification Program and the release of threat intelligence, proactive steps are taken to raise awareness and enhance cybersecurity resilience.

loading..   18-Apr-2024
loading..   3 min read
loading..

steganography

Beware! Hackers are now hiding malware in images using steganography. Learn how ...

TA558, a threat actor known for its sophisticated tactics, has recently been observed actively leveraging steganography to conceal malware payloads within images and text files. This technique, termed SteganoAmor, has facilitated the delivery of various malware strains including Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm. These attacks primarily target sectors such as industrial, services, public, electric power, and construction in Latin American countries, with some incidents reported in Russia, Romania, and Turkey. #### Steganography: A Stealthy Approach Steganography serves as a covert means to embed malicious payloads within seemingly innocuous files, such as images and text documents. [TA558](https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel) as originally described leverages steganography extensively, embedding VBSs, PowerShell code, and RTF documents with exploits into these files. By concealing malware within seemingly benign content, attackers evade detection by traditional security measures, facilitating wide-scale infiltration. #### Attack Vector and Malware Delivery Phishing remains a prominent vector for malware delivery, with TA558 employing tactics to exploit [CVE-2017-11882](https://nvd.nist.gov/vuln/detail/cve-2017-11882) in Microsoft Excel to download initial payloads. These payloads, often Visual Basic Scripts, fetch subsequent malware components from external sources. Notably, the use of legitimate but compromised SMTP servers lends credibility to phishing emails, enhancing their effectiveness in bypassing email gateways. #### Malware Functionality The malware payloads delivered by TA558 cater to a spectrum of malicious activities, including remote access, data theft, and secondary payload delivery. [Agent Tesla](https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel), FormBook, [GuLoader](https://www.secureblink.com/cyber-security-news/guloader-s-latest-obfuscation-tactics-escalate-malware-analysis-complexity), LokiBot, Remcos RAT, Snake Keylogger, and XWorm are among the arsenal employed. These tools enable attackers to compromise systems, exfiltrate sensitive data, and establish footholds for further exploitation. #### LazyStealer: A Case Study in Credential Theft In addition to steganography-based attacks, TA558 has deployed LazyStealer, a primitive yet effective credential stealer. LazyStealer exhibits unsophisticated techniques, relying on PyInstaller, Pyarmor, and Cython to obfuscate its code and evade detection. By targeting Google Chrome credentials and forwarding stolen data to Telegram, LazyStealer underscores the threat posed by even rudimentary malware tools. #### Attribution and Victimology Positive Technologies' [analysis](https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/) links Lazy Koala, the actor behind LazyStealer, to TA558. Lazy Koala targets governmental, financial, medical, and educational institutions across Russia, Belarus, Kazakhstan, Tajikistan, Kyrgyzstan, Armenia, and Uzbekistan. The group's tactics, techniques, and procedures (TTPs) bear resemblance to those of YoroTrooper, as evidenced by similar toolsets and victim profiles. #### Key Takeaways and Recommendations The TA558 campaign underscores the efficacy of leveraging unsophisticated tools and tactics in cyberattacks. While sophisticated malware garners attention, attackers often achieve success through simplicity and stealth. Organizations must prioritize security measures to detect and mitigate threats like steganography-based attacks and credential stealers. Proactive defense strategies, including robust email filtering, endpoint protection, and user education, are essential in combating evolving cyber threats.

loading..   18-Apr-2024
loading..   3 min read
loading..

data breach

Omni Hotels faces a data breach nightmare. Ransomware gang claims to have stolen...

The Omni Hotels & Resorts chain has suffered a significant [cyberattack](https://www.secureblink.com/cyber-security-news/omni-hotels-hacked-guest-data-at-risk) as discussed in the last [Threatfeed](https://www.secureblink.com/cyber-security-news) is now attributed to the notorious Daixin ransomware group. This attack disrupted IT systems nationwide, impacting reservations, key card access, and payment systems. Daixin claims to have stolen sensitive data and threatens to release it unless a ransom demand is met. This attack follows a US government warning about Daixin Team's focus on healthcare organizations, indicating the broadening reach of the group. Omni Hotels is scrambling to restore systems while concerns about a potential data breach rise. #### **Daixin Ransomware Gang Claims Responsibility** The first sign of trouble emerged when Bleeping Computer, a cybersecurity news website, reported on the Daixin ransomware gang's claim of responsibility for an attack on Omni Hotels. The article, stated that the gang had stolen data from the hotel chain and threatened to release it if a ransom was not paid. This news was particularly concerning as Omni Hotels had already been a victim of a data breach in the past. ![Omni_Hotels_Daixin_Team_leak.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Omni_Hotels_Daixin_Team_leak_5e63f43302.jpg) #### **US Govt. Warns of Daixin Team Targeting Healthcare** Adding to the gravity of the situation highlighting a warning issued by the Cybersecurity and Infrastructure Security Agency (CISA) regarding the Daixin Team's targeting of healthcare organizations. The article detailed the gang's tactics, which included encrypting systems, stealing data, and exploiting vulnerabilities in VPN servers to gain access to networks. Once inside, the gang would use RDP and SSH to move laterally within the network and escalate privileges to gain more control. Notably, the article also mentioned that ransomware groups like Daixin often steal data and threaten to leak it, mirroring the current situation with Omni Hotels. #### **Omni Hotels Confirms Cyberattack Behind Ongoing IT Outage** More details confirmed that Omni Hotels had indeed been hit by a cyberattack and had been working to restore its systems since the attack began on Friday, March 29th. The attack had a widespread impact, affecting critical hotel systems such as reservations, credit card payments, and even hotel room door locks. The article highlighted the ongoing efforts by Omni Hotels to restore normalcy to its operations. #### **Nationwide IT Outage at Omni Hotels - Cause Yet Unknown** As earlier reported on the initial nationwide IT outage at Omni Hotels that began on Friday. The impact of the outage on various hotel systems, including reservations, credit card payments, and door locks. Interestingly, the cause of the outage was not entirely clear at that point. While some employees suspected a cyberattack, Omni Hotels had not yet confirmed it. #### **Omni Hotels Struggles to Recover Amidst Data Breach Concerns** While the exact nature of the attack and the extent of data theft remain unclear, the series of events paint a concerning picture for Omni Hotels. The hotel chain is grappling with restoring its IT systems while facing the potential consequences of a data breach. The attack also serves as a stark reminder of the growing threat posed by ransomware gangs like Daixin, who target not only healthcare organizations but also hospitality chains like Omni Hotels. ***This is a developing story, and further information may emerge in the coming days. Stay tuned for updates on how Omni Hotels navigates this challenging situation***

loading..   16-Apr-2024
loading..   3 min read