company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Threatspy

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

By Role

Government

CISO/CTO

DevSecOps

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Threat Feeds

Threat Research

White Paper

SB Blogs

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

Our Story

Our Team

Careers

Press & Media

Contact Us
loading..
loading..
loading..
Loading...

RaaS

Rio De Janerio

loading..
loading..
loading..

420GB lost in LockBit ransomware attack at Rio de Janeiro finance dept

LockBit ransomware group responsible for hitting at Rio de Janeiro finance department straling 420 GB…

24-Apr-2022
2 min read

Related Articles

loading..

Cyberattack

Hacktivist

Indian government on HIGH ALERT ahead of planned CYBER WAR PARTY to target Digit...

Indian government agencies are currently on HIGH ALERT as an Indonesian hacktivist group threatens to target numerous websites in the country, declaring an impending cyberattack that triggers a nationwide security response and prompts ministries and departments to enhance cybersecurity measures actively. They strictly follow Cyber Hygiene Standard Operating Procedures (SOPs) to protect critical data from potential breaches. Central agencies in India are very concerned about the possibility of underlying vulnerability that might have remained canceled across the healthcare sector, making it much more prone to incoming online security threats. This concern is especially true as hactivist groups have been primarily targeting the sector consistently, particularly after the global pandemic. As in the recent past we have witnessed some of the most unprecedented global healthcare attacks on [DICOM](https://www.secureblink.com/cyber-security-news/59-m-massive-healthcare-data-leak-of-2023-also-exposing-9-6-m-indians-data), [Tri-City Medical Center](https://www.secureblink.com/cyber-security-news/inc-ransom-claims-month-old-tri-city-medical-center-cyberattack) and [23andme](https://www.secureblink.com/cyber-security-news/new-6-9-million-23and-me-users-at-risk-after-confirming-ancestry-data-hack) to name a few in the recent past. Officials in the country are working diligently to strengthen defenses, and ministries and departments have been alerted to take quick action and prevent any unauthorized access. ### India braces for cyberattack campaigns from Pakistani and Indonesian hacktivist groups. Hacktivist groups from Pakistan and Indonesia, known for their attack expertise, announced to conduct a ‘Cyber War Party’ scheduled for December 11. With a membership exceeding 4,000 individuals, these hacktivist groups aim to coordinated attempt to compromise India’s digital infrastructure. ![55c8350b-e259-4877-b8bb-61567f475acc.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/55c8350b_e259_4877_b8bb_61567f475acc_438d745c4d.jpg) ***Screenshot of #OPINDIA threatening about CYBER WAR PARTY (Telegram)*** These hacktivist groups have a consistent track record, previously issuing a _“red notice”_ targeting over 12,000 government websites. Their global activities include documented attacks on countries like the US, Sweden, and Israel. Their motivations include incidents that provoke religious sensitivities and targeted actions against specific communities. The groups also said they are responsible for exposing information from users of Swedish social media, obtaining health and social media data from Israel, and breaching a police department in New York, USA. Authorities underscore the evolving and complex nature of cyber threats, posing a significant risk to digital infrastructure. These cyberattack attempts from hacktivist groups highlight the lack of immediate, proactive & resilient strategy to strengthen cybersecurity frameworks not just in India but all across the world. As the world copes with an escalating wave of sophisticated cyber threats, the necessity for global cooperation in cybersecurity becomes increasingly clear. Nations must unite to bolster their defenses, share crucial intelligence, and collectively address the evolving nature of these challenges. Adopting a cooperative and forward-thinking approach is crucial to ensuring the strength of digital infrastructure on a worldwide level.

loading..   10-Dec-2023
loading..   3 min read
loading..

Data Breach

Encryption

Apple’s recent report underscores the need for end‑to‑end encryption following t...

Apple reveals alarming statistics on the escalating global epidemic of data breaches. Commissioned by Apple and conducted by Massachusetts Institute of Technology professor Dr. Stuart Madnick, the study underscores the urgent need for robust cybersecurity measures, particularly end-to-end encryption. ### **Data Breaches Skyrocketed** The study indicates a staggering tripling of data breaches from 2013 to 2022, with a dire continuation in 2023. In the past two years alone, a jaw-dropping 2.6 billion personal records have been compromised. These findings, outlined in the report titled _"[The Continued Threat to Personal Data: Key Factors Behind the 2023 Increase](https://www.apple.com/newsroom/pdfs/The-Continued-Threat-to-Personal-Data-Key-Factors-Behind-the-2023-Increase.pdf),"_ serve as a wake-up call to the escalating threats experienced by consumers worldwide. ### **Why there is an IMMEDIATE Call for End-to-End Encryption** The increasing digitization of personal and professional lives has fueled a dramatic surge in data breaches, exposing the personal information of millions. In response, companies, including tech giant Apple, are adopting end-to-end encryption as a critical defense mechanism. Apple's Advanced Data Protection for iCloud, launched in 2022, emerges as a pioneering solution, allowing users to safeguard their crucial iCloud data even in the event of a breach. ### **Apple's Advanced Data Protection** With Advanced Data Protection for [iCloud](https://www.secureblink.com/cyber-security-news/apple-allegedly-jeopardize-icloud-data-to-the-possession-of-chinese-government), users can fortify 23 data categories, including iCloud Backup, Notes, and Photos, using end-to-end encryption. Craig Federighi, Apple’s senior vice president of Software Engineering, [emphasizes](https://www.apple.com/in/newsroom/2023/12/report-2-point-6-billion-records-compromised-by-data-breaches-in-past-two-years/) the ongoing battle against malicious actors, stating, _"As threats to consumer data grow, we’ll keep finding ways to fight back on behalf of our users by adding even more powerful protections."_ ### **Evolution of Hacker Tactics: A Pervasive Risk** The report emphasizes the evolving methods of hackers who continuously seek creative ways to breach security practices. Even organizations with robust security practices are vulnerable due to targeted attacks on entities with weaker security, subsequently exploiting technical business relationships. This revelation underscores the need for constant vigilance and advanced cybersecurity measures. ### **Ransomware Surges: A Disturbing Trend** Ransomware emerges as a significant threat, with a 70% increase in attacks reported through September 2023 compared to the same period in 2022. Experts reveal that ransomware attacks in the first nine months of 2023 surpassed the total for the entire preceding year. Major breaches, such as those affecting [23andMe](https://www.secureblink.com/cyber-security-news/new-6-9-million-23and-me-users-at-risk-after-confirming-ancestry-data-hack), [Discord](https://www.secureblink.com/cyber-security-news/3-million-crypto-stolen-by-pink-drainer-exploiting-discord-and-twitter) , [Forever 21](https://www.secureblink.com/cyber-security-news/over-half-a-million-compromised-in-forever-21-data-breach) , [MGM Resorts](https://www.secureblink.com/cyber-security-news/mgm-resorts-reveals-100-million-cost-and-customer-data-breach), and Microsoft highlight the severity of the situation. ### **Global Impact: Breaches Escalate Worldwide** The United States, United Kingdom, Australia, and Canada collectively witnessed more than double the number of breached accounts in the first half of 2023 compared to the same period in 2022. Cloud infrastructure, a prime target, saw attacks nearly doubling from 2021 to 2022. A 2023 survey reveals that over 80% of breaches involved data stored in the cloud, emphasizing the need for heightened security measures. ### **End-to-End Encryption: A Non-Negotiable Safeguard** Apple's unwavering commitment to user security is exemplified through features like Lockdown Mode, which protects against extreme threats. End-to-end encryption remains a cornerstone of Apple's defense strategy, making it impossible for hackers to access user data without proper authentication. The study reinforces the crucial role of such encryption in safeguarding personal information. ### **A Call to Action: Fortifying Cybersecurity Defenses** As the threats to user data continue to escalate in frequency and sophistication, the cybersecurity landscape demands constant adaptation. Apple's proactive approach, evident in its Advanced Data Protection for iCloud, sets a benchmark for the industry. The onus is on companies globally to fortify their cybersecurity defenses, implement robust encryption practices, and stay ahead in the ongoing battle against cyber threats.

loading..   09-Dec-2023
loading..   4 min read
loading..

Malware

Guloader

GULOADER, an elusive shellcode downloader, revealing recent enhancements to its ...

GuLoader, also known as [CloudEyE](https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye), continues its menacing presence as a sophisticated shellcode-based downloader, evolving to challenge security analysts. Elastic Security Labs reveals the latest changes in GuLoader's tactics, particularly in its Vectored Exception Handler (VEH), adding layers of complexity to its anti-analysis arsenal. ## Analyzing GULOADER: A Deep Dive ### 1. **Initial Shellcode Examination** GULOADER, often packaged within an NSIS installer, deploys an intricate structure, including NSIS scripts, System.dll, and encrypted shellcode. To pinpoint the shellcode file, Elastic Security Labs utilizes SysInternal's Process Monitor, revealing the extraction process and identifying the shellcode file named "Fibroms.Hag." ```plaintext Shellcode Retrieved from File: [code snippet] ``` ### 2. **Execution Control Flow Unraveled** GULOADER employs Windows API functions like [EnumResourceTypesA](https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-enumresourcetypesa) and CallWindowProcW for shellcode execution, strategically avoiding traditional process injection methods. By decoding these functions, analysts gain insights into the shellcode's entry point and the dynamic control flow. And they were evading traditional detection techniques associated with common APIs like CreateRemoteThread. ```plaintext EnumResourceTypesA Function Call inside GULOADER: [code snippet] ``` ### 3. **Finding Main Shellcode Entrypoint** Recent GULOADER [samples](https://www.virustotal.com/gui/file/6ae7089aa6beaa09b1c3aa3ecf28a884d8ca84f780aab39902223721493b1f99) introduce intricate obfuscation at the start of the shellcode, requiring meticulous unwinding of code obfuscation. Techniques such as leveraging x64dbg's graph view and utilizing the [Miasm](https://github.com/cea-sec/miasm) reversing engineering framework help trace the main entry point. ```plaintext Graph view for GULOADER main entrypoint call: [code snippet] ``` ### 4. **GULOADER’s VEH Update** A hallmark of GULOADER is its adept use of Vectored Exception Handling (VEH). The malware dynamically adds exceptions, such as EXCEPTION_PRIV_INSTRUCTION and EXCEPTION_ILLEGAL_INSTRUCTION, disrupting analysis tools. By modifying the EIP through the CONTEXT structure, GULOADER evades traditional detection methods. ```plaintext Decompilation of VEH: [code snippet] ``` ### 5. **New Anti-Analysis Techniques** GULOADER's recent enhancements include additional exceptions in its VEH, such as EXCEPTION_PRIV_INSTRUCTION and EXCEPTION_ILLEGAL_INSTRUCTION. These additions complicate the analysis process by breaking traditional tooling and increasing the workload for analysts. ```plaintext EXCEPTION_PRIV_INSTRUCTION: [code snippet] EXCEPTION_ILLEGAL_INSTRUCTION: [code snippet] ``` ### 6. **Control Flow Cleaning** To simplify control flow analysis, Elastic Security Labs employs [TinyTracer](https://github.com/hasherezade/tiny_tracer), a tool leveraging Pin, a dynamic binary instrumentation framework. By tracing and logging exceptions, analysts can patch out instructions generating exceptions, creating a cleaner control flow. ```plaintext Disassembly of patched instructions: [code snippet] ``` ## Navigating GULOADER’s Complexity GULOADER’s resilience poses challenges to cybersecurity researchers. Despite its obfuscation tactics, a combination of dynamic and static analysis processes, as showcased by Elastic Security Labs, can significantly reduce analysis time. Sharing these insights not only highlights GULOADER’s evolving strategies but also equips researchers with tools and methodologies to counter its sophisticated techniques. ## YARA Rules for Detection Elastic Security has developed YARA [rules](https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Trojan_Guloader.yar) to identify GULOADER activity. Researchers can utilize these rules to enhance detection capabilities and stay ahead of evolving threats. ```plaintext YARA Rule Example: [code snippet] ``` ## Observations and Industry Insights The cybersecurity community continues to uncover the intricacies of threats like GULOADER. Recent reports reveal its association with [Remcos](https://www.secureblink.com/cyber-security-news/african-banks-heavily-targeted-by-an-emerging-malware-distribution-campaign-remcos-rat) on the same platform, indicating an ever-adapting landscape where malware actors actively modify their strategies to evade detection. Israeli cybersecurity company Check Point's findings further emphasize GULOADER’s persistent evolution, with its [Vectored Exception Handling](https://learn.microsoft.com/en-us/windows/win32/debug/vectored-exception-handling) capability playing a crucial role in obfuscating execution flow. ## Broader Landscape GULOADER is not an isolated case; other malware families, such as DarkGate, demonstrate a similar adaptability, employing new execution chains and enhanced evasion techniques. The rapid iteration and depth of evasion methods underscore the sophistication of modern malware threats. ## Industry Response As the cybersecurity community faces evolving threats, a collaborative effort is crucial. Threat intelligence teams, like HUMAN Satori, provide valuable insights into the deployment of updated obfuscation engines, emphasizing the need for ongoing vigilance and research.

loading..   09-Dec-2023
loading..   4 min read