
APT29

Russia

spear-phishing


Cyberspies linked to Russian Intelligence Forces targeted Slovak Government via phishing campaigns

Cyberspies linked to APT29 group & Russian Intelligence forces targeted Slovak government by deploying malware through malicious emails & spear-phishing campaig...

14-Aug-2021
2 min read

Related Articles


RansomHub

"CosmicBeetle Partners with RansomHub to Deploy ScRansom Ransomware" ...

CosmicBeetle, a notorious threat actor active since at least 2020, has continued its aggressive cybercriminal activities into 2024, deploying its evolving ScRansom ransomware to exploit SMBs (Small and Medium Businesses) across Europe and Asia. While not the most sophisticated ransomware, ScRansom has proven dangerous due to CosmicBeetle's adaptability and persistence. The ScRansom ransomware, which replaced the previously deployed Scarab ransomware, has undergone continual development since its first appearance in 2023. Despite its imperfections and limitations, the ransomware's use of experimental features and its connections to other notorious ransomware gangs make it a formidable threat. Recently, there has been evidence that CosmicBeetle has formed an affiliation with RansomHub, a fast-growing ransomware-as-a-service (RaaS) gang, further boosting its capabilities.

#### CosmicBeetle's Evolution and Affiliation with RansomHub

##### CosmicBeetle's Transition from Scarab to ScRansom

ScRansom marked a significant transition for CosmicBeetle. Originally relying on Scarab ransomware, the group shifted its focus in 2023 to its custom-built ransomware, ScRansom. ESET researchers believe with high confidence that ScRansom is now CosmicBeetle's ransomware of choice. Despite this shift, the group continues to face challenges, from poorly executed encryption schemes to imperfect decryption processes, indicating its relatively immature status in the world of cybercrime.

##### Impersonation of LockBit and Affiliation with RansomHub

CosmicBeetle has engaged in a tactic known as "brand hijacking," leveraging the reputation of the infamous LockBit ransomware gang. By impersonating LockBit through ransom notes and using leaked LockBit builders, CosmicBeetle sought to intimidate victims into paying ransom demands. However, its most recent and significant move has been its affiliation with RansomHub.

RansomHub, a RaaS group that emerged in early 2024, has quickly gained prominence, and researchers believe that CosmicBeetle has now become one of its affiliates. The rapid rise of RansomHub and its association with notorious actors like CosmicBeetle adds a layer of complexity and danger to the group's activities. The following sections delve deeper into the significance of RansomHub in this context.

#### The Rise of RansomHub: A New Player in the RaaS Ecosystem

##### What Is RansomHub?

RansomHub is a relatively new ransomware-as-a-service (RaaS) platform that has emerged as a significant player in the cybercrime ecosystem. First spotted in March 2024, RansomHub has attracted attention for its rapid rise and involvement with some of the more notorious threat actors. As an affiliate-based platform, RansomHub provides ransomware to various groups in exchange for a share of the ransom payments.

##### How RansomHub Operates

RansomHub operates by providing ransomware tools to affiliates who then deploy the ransomware against their own targets. This model allows for a decentralized approach to ransomware deployment, making it more challenging for law enforcement and cybersecurity professionals to track the origin of attacks. Affiliates like CosmicBeetle gain access to sophisticated ransomware builders and decryption tools, enabling them to conduct attacks with relative ease.

#### Technical Analysis of ScRansom

##### ScRansom's Encryption Mechanism

ScRansom employs a range of encryption mechanisms that are continually evolving. Initially, the ransomware used simple AES-CTR-128 encryption but has since moved to a more complex, albeit flawed, system. The latest versions of ScRansom generate unique encryption keys for each file, making recovery difficult without paying the ransom. One key aspect of ScRansom's encryption scheme is its partial encryption mode. The ransomware targets specific portions of files, reducing the encryption time but increasing the difficulty of decryption without the appropriate keys. Victims who attempt to decrypt their files without the proper tools risk permanently losing data, especially when ScRansom's ERASE mode is applied, which irreversibly corrupts files.

##### Decryption Challenges

Victims face significant challenges when attempting to decrypt their files, even after paying the ransom. ScRansom often requires multiple decryption keys for a single machine, complicating the process. Moreover, due to CosmicBeetle's immature decryption mechanisms, some files may be permanently lost even after an otherwise successful decryption. This is further complicated by ScRansom's incomplete decryption process, where victims may need to manually enter different keys and run the decryption tool multiple times.

#### CosmicBeetle's Exploitation Tactics

##### Vulnerability Exploitation

CosmicBeetle is known for exploiting years-old vulnerabilities in public-facing applications. Some of the common vulnerabilities exploited include:

- **CVE-2017-0144 (EternalBlue)**: Used to exploit outdated SMB protocols.
- **CVE-2023-27532**: A vulnerability in Veeam Backup & Replication components.
- **CVE-2021-42278 and CVE-2021-42287**: AD privilege escalation vulnerabilities exploited through the noPac attack chain.
- **CVE-2022-42475**: A vulnerability in FortiOS SSL-VPN, enabling remote access.
- **CVE-2020-1472 (Zerologon)**: A critical privilege escalation vulnerability in Microsoft Active Directory.

##### Targeting SMBs

CosmicBeetle primarily targets SMBs across various industries, including manufacturing, pharmaceuticals, legal, education, and healthcare. SMBs are often vulnerable due to insufficient patch management practices and reliance on older systems, making them ideal targets for exploitation. The industries targeted by CosmicBeetle reflect the group's opportunistic approach, prioritizing ease of exploitation over high-value targets.

#### CosmicBeetle's Use of Brute-Force Attacks and Tools

Aside from exploiting vulnerabilities, CosmicBeetle frequently relies on brute-force methods to gain initial access to victim networks. This includes targeting Remote Desktop Protocol (RDP) services and SMB ports that are exposed to the internet. CosmicBeetle's toolkit also includes custom-built tools like ScHackTool, ScInstaller, and ScPatcher, which are used to escalate privileges and deploy ransomware once inside the victim's network.

#### RansomHub's Growing Influence in the RaaS Market

##### Why RansomHub Matters

The rise of RansomHub marks a shift in the ransomware ecosystem, providing newer ransomware groups with the tools and infrastructure they need to compete with more established gangs like LockBit and BlackCat. The RaaS model allows even relatively inexperienced threat actors to launch sophisticated attacks, leveraging the tools and knowledge provided by more established cybercriminal organizations.

##### RansomHub's Role in CosmicBeetle's Success

RansomHub has been instrumental in CosmicBeetle's continued success, providing access to advanced ransomware tools that have allowed CosmicBeetle to refine its attacks. The affiliation between the two groups likely provides CosmicBeetle with additional resources, enabling it to improve ScRansom and expand its operations to new regions and industries.

For victims of ScRansom, the challenges are significant. The complex and flawed encryption mechanism, coupled with the involvement of a RaaS platform like RansomHub, makes decryption difficult and costly. As RansomHub continues to grow in influence, organizations must remain vigilant, ensuring that they have robust cybersecurity measures in place to mitigate the risks posed by this dangerous new threat actor.

#### Key Takeaways:

- CosmicBeetle has transitioned from using Scarab ransomware to its custom-built ScRansom ransomware.
- The group has formed a recent affiliation with RansomHub, a growing RaaS platform.
- ScRansom's encryption scheme is complex and prone to errors, making file recovery difficult.
- CosmicBeetle targets SMBs across various industries using brute-force attacks and exploitation of outdated vulnerabilities.

### References

- CVE-2017-0144 (EternalBlue), Microsoft Vulnerability Database
- ESET Telemetry Reports (2023-2024)
- MITRE ATT&CK Framework, Version 15

10-Sep-2024
6 min read

Data Breach

Avis

A massive cyberattack on Avis exposed sensitive data of 300K customers, includin...

In August 2024, Avis, a leading car rental company, fell victim to a significant cyberattack that compromised the personal data of nearly 300,000 customers. This breach, affecting sensitive information such as credit card details and driver's license numbers, underscores persistent gaps in corporate cybersecurity practices.

## **Timeline**

The cyberattack was detected on August 5, two days after unauthorized access to one of Avis' business applications began. The company's data breach notice, filed with various U.S. state attorneys general, reveals that customer names, email addresses, mailing addresses, phone numbers, dates of birth, credit card numbers (with expiration dates), and driver's license numbers were stolen. Texas, with 34,592 affected residents, was hit particularly hard. The breach is expected to affect more individuals as further filings surface in the coming weeks.

## **Analyzing the Nature of the Breach**

While the technical specifics of the breach remain undisclosed, questions arise about how Avis stored such sensitive data and what security protocols were in place—or absent—that allowed such information to be compromised. The fact that both personal identifiers and financial data were exposed suggests potential failures in encryption, data segregation, or multi-layered defenses. The absence of a swift response also hints at potential shortcomings in intrusion detection systems (IDS) and incident response protocols.

## **Avis' Response: A Case of Corporate Silence?**

Despite the gravity of the breach, Avis has remained relatively quiet about the attack. The company did not respond to requests for further comment, raising concerns about transparency in the face of a significant cyber incident. This silence may reflect a strategic decision to contain reputational damage, but it also leaves consumers and cybersecurity experts in the dark about the true extent of the damage.

With businesses increasingly collecting vast amounts of personal data, the responsibility to protect this information is paramount. Avis, a global company with over 10,000 rental locations and $12 billion in revenue, should have had the resources to maintain robust cybersecurity defenses. The fact that a breach of this magnitude occurred suggests systemic vulnerabilities that could extend beyond Avis and into the wider industry.

## **Impact on Consumers and Regulatory Implications**

The stolen data exposes customers to financial fraud, identity theft, and privacy violations. Given the nature of the compromised data, the affected individuals may face long-term consequences. This breach will likely fuel ongoing discussions about stronger regulatory frameworks, particularly in the U.S., where data protection laws like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) in Europe demand stricter compliance.

09-Sep-2024
3 min read

Apache Ofbiz

Apache OFBiz fixed a critical flaw (CVE-2024-45195) allowing arbitrary code exec...

Apache has addressed a severe security vulnerability in its open-source OFBiz (Open For Business) software. This flaw, tracked as CVE-2024-45195, could allow unauthorized attackers to execute arbitrary code on affected Linux and Windows servers. OFBiz, a versatile suite for customer relationship management (CRM) and enterprise resource planning (ERP) applications, also serves as a Java-based web framework for web development.

#### Vulnerability Overview

Discovered by Rapid7 researchers, the vulnerability stems from a forced browsing weakness, which exposes restricted paths to unauthenticated direct request attacks. According to Ryan Emmons, a security researcher at Rapid7, this flaw allows attackers to bypass missing view authorization checks in the OFBiz web application, potentially leading to arbitrary code execution on the server.

**Proof-of-Concept (PoC) Exploit:** Emmons provided PoC exploit code in his report, illustrating how an attacker can exploit this vulnerability without valid credentials.

#### Remediation

The Apache security team has addressed CVE-2024-45195 in OFBiz version 18.12.16 by introducing the necessary authorization checks. Users of OFBiz are strongly advised to upgrade to this version to mitigate potential security risks.

#### Connection to Previous Vulnerabilities

CVE-2024-45195 is identified as a bypass for three earlier OFBiz vulnerabilities: CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856. Emmons' analysis indicates that these vulnerabilities share a common root cause—a controller-view map fragmentation issue—that allows attackers to execute code or SQL queries, resulting in remote code execution without authentication.

**Historical Context:**

- **CVE-2024-32113:** Patched in May 2024, this vulnerability was noted for being actively exploited in attacks shortly after its disclosure.
- **CVE-2024-38856:** This pre-authentication RCE bug was also a focus of SonicWall researchers, who revealed technical details in the same timeframe.
- **CVE-2024-36104:** Details about this vulnerability were less publicly available, but it was part of the same vulnerability class.

#### Federal and Organizational Response

The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning in early August about the exploitation of CVE-2024-32113, shortly after SonicWall's disclosure of CVE-2024-38856. CISA added these vulnerabilities to its catalog of actively exploited flaws, enforcing a binding operational directive (BOD 22-01) for federal agencies to patch their servers within three weeks.

**Note:** While BOD 22-01 specifically applies to Federal Civilian Executive Branch (FCEB) agencies, CISA has urged all organizations to prioritize these patches to prevent potential network breaches.

#### Ongoing Threats

In December, additional exploitation of OFBiz vulnerabilities, including CVE-2023-49070, was reported. Attackers utilized public PoC exploits to target vulnerable Confluence servers, underscoring the importance of prompt patching and continuous monitoring.

The patching of CVE-2024-45195 is a crucial update for OFBiz users, addressing a significant security flaw with potential for severe impact. Organizations must act swiftly to apply the latest update to safeguard their systems from exploitation and to ensure compliance with security directives.
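To make the "controller-view map fragmentation" root cause concrete, here is an added, deliberately simplified model of the vulnerability class (not OFBiz's code; the map names, view names and `Session` type are hypothetical). It shows a dispatcher that authorizes only request-map entries, so a view reached by another path is rendered unchecked, beside a fixed dispatcher that authorizes the resolved view no matter how it was reached.

```python
"""Hypothetical model of a controller-view map fragmentation flaw (added example).

The request map says which view a request renders and whether it needs login;
the view map renders views. If a view can be reached by a path that is not in
the request map, the login requirement attached to the request entry is never
consulted. The fix is to authorize the view itself after resolution.
"""
from dataclasses import dataclass

# Constructed sample maps with hypothetical names (not OFBiz's own).
REQUEST_MAP = {
    "main": {"auth": False, "view": "MainView"},
    "adminConsole": {"auth": True, "view": "AdminConsoleView"},
}
VIEW_MAP = {
    "MainView": lambda: "public landing page",
    "AdminConsoleView": lambda: "admin console (sensitive)",
}
# View-level policy: everything not listed here requires an authenticated session.
PUBLIC_VIEWS = {"MainView"}


@dataclass
class Session:
    authenticated: bool


def dispatch_vulnerable(path: str, session: Session) -> str:
    """Authorization lives only on request-map entries (the flawed pattern)."""
    if path in REQUEST_MAP:
        entry = REQUEST_MAP[path]
        if entry["auth"] and not session.authenticated:
            return "403 login required"
        return VIEW_MAP[entry["view"]]()
    # A path naming a view directly bypasses the request map entirely, so the
    # auth flag attached to "adminConsole" is never checked: the two maps are
    # fragmented and the view is rendered for an anonymous session.
    if path in VIEW_MAP:
        return VIEW_MAP[path]()
    return "404"


def dispatch_fixed(path: str, session: Session) -> str:
    """Resolve the view first, then authorize the view regardless of entry path."""
    view = REQUEST_MAP[path]["view"] if path in REQUEST_MAP else path
    if view not in VIEW_MAP:
        return "404"
    if view not in PUBLIC_VIEWS and not session.authenticated:
        return "403 login required"
    return VIEW_MAP[view]()
```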

07-Sep-2024
3 min read