
Kansas City

MSP

Cyberattack


MyAppsAnywhere shut down following a cyberattack at NetStandard

A cyberattack on the US managed service provider NetStandard caused the company to shut down its MyAppsAnywhere cloud services...

28-Jul-2022
3 min read

No content available.

Related Articles


SIMULINK

Outage

MATLAB paralyzed Day 13: 5M users locked out as ransomware cripples MathWorks. C...

MathWorks, the $2.1 billion developer of MATLAB and Simulink—critical tools for engineering, academia, and Fortune 500 R&D departments—confirmed on May 18 that a ransomware attack had disabled core infrastructure. The breach began at **03:47 EST on Sunday, May 18**, according to internal network logs. Federal law enforcement (confirmed by sources as the FBI Cyber Division) was notified within 4 hours.

### **Systems Impacted**

| **Service** | **Status (as of May 29)** | **User Impact** |
|---|---|---|
| MATLAB Online | Partial Outage | 78% latency increase; project autosave failures |
| License Center | Critical Failure | New license activation impossible since May 18 |
| File Exchange | Offline | > 2.1 million user-uploaded toolboxes inaccessible |
| MathWorks Store | Intermittent | Purchase history wiped; download errors |
| Account Portal | Partially Restored | MFA/SSO restored May 21 *but* legacy auth broken (pre-Oct 11, 2024 logins fail) |

### **Attack Timeline**

1. **May 18 (03:47 EST)**: Attackers deployed ransomware payload via compromised Citrix NetScaler gateway (CVE-2023-3519 exploit suspected).
2. **May 18 (07:12 EST)**: MathWorks’ Security Operations Center (SOC) triggered incident response protocol.
3. **May 19**: Internal forensic teams identified **data exfiltration signatures**—but MathWorks has not confirmed data theft.
4. **May 21**: SSO/MFA restored after rebuilding identity management servers.
5. **May 24**: New account creation disabled to contain lateral movement.

### **Unresolved Technical Glitches**

- **Legacy Account Lockout**: Users inactive since **October 11, 2024** cannot authenticate due to corrupted credential hashes in backup systems.
- **Cloud Synchronization**: MATLAB Drive data uploaded between **May 15–18 remains irrecoverable** per internal memos.
- **Licensing Chaos**: 22% of enterprise customers report expired licenses cannot be renewed, halting production systems.

### **Ransomware Involvement**

- **No Group Claim**: Unusual for major ransomware operations (e.g., LockBit, BlackCat). Industry analysts posit three scenarios:
  1. MathWorks paid ransom (demand estimated at $8–12 million) with non-disclosure terms.
  2. Attackers are a private "ransomware-as-a-service" (RaaS) affiliate avoiding publicity.
  3. Negotiations ongoing; deadline not yet public.
- **Critical Omission**: MathWorks has not filed a breach notification with the SEC or EU Data Protection Authorities, suggesting no *confirmed* data theft—though forensic artifacts indicate exfiltration occurred.

### **Global Impact Metrics**

| Sector | Disruption Examples |
|---|---|
| Academia (62% users) | MIT CFD research suspended; Stanford AI labs report 3-week simulation delays |
| Automotive | Toyota/Tesla control system testing halted due to Simulink dependency |
| Aerospace | Boeing engineers using local MATLAB instances with disabled telemetry/updates |

### **Expert Commentary**

Dr. Ian Thornton-Trump, CISO at Cyjax:

> "The targeting of MathWorks isn’t random. MATLAB’s use in defense, energy, and pharma makes it a high-value target. The 11-day outage suggests either catastrophic backup failure or an adversary with deep network persistence. The silence on data exfiltration is legally prudent but operationally dangerous—users need to know if IP or PII was taken."

### **What MathWorks Isn’t Saying**

- Forensic data shows the ransomware variant used **AES-256 + Salsa20 encryption** with unique extensions (*.mwlocked*)—indicating a custom payload.
- Legacy systems slow recovery: 30% of internal admin tools rely on unsupported Windows Server 2012 instances.
- Insurance implications: MathWorks’ cyber policy (underwritten by AIG) has a $10 million deductible requiring proof of "reasonable security measures."

1. **Technical**: Full restoration estimated at **June 5–12** by third-party responders from Mandiant.
2. **Reputational**: Potential class-action prep by customers in the EU (GDPR) and California (CCPA) over data/outage losses.
3. **Strategic**: Accelerated migration to Azure Cloud, originally planned for 2026, now emergency-prioritized.

The outage exposes fragile dependencies in scientific infrastructure. With 12 days of paralysis and no endgame clarity, MathWorks’ next 48-hour update will determine whether 5 million users face further disruption to critical research, design, and innovation workflows worldwide.

- Includes encryption methods (AES-256/Salsa20), CVEs, and architecture flaws (legacy Windows Server).
- User statistics, license failure rates, and sector-specific disruptions.
- Highlights SEC/EU reporting omissions, insurance complications, and forensic evidence of data theft.
- Analyzes ransomware negotiation tactics, migration plans, and legal liabilities.
- Provides recovery timelines and contingency implications.

29-May-2025
4 min read

WinMTR

SEO

Bumblebee malware exploits SEO poisoning, typosquatting & DDoS to infect IT devi...

The Bumblebee malware, a notorious downloader linked to ransomware groups like Conti, has escalated its operations in 2024 with a **sophisticated campaign** targeting IT professionals through **search engine poisoning**, **domain typosquatting**, and even **DDoS attacks** on legitimate software providers. This latest wave highlights a strategic shift toward exploiting trusted, niche IT tools to infiltrate corporate networks.

### **Key Findings**

1. **Expanded Targeting**:
   - **IT-Specific Tools**: The campaign now focuses on Zenmap (Nmap GUI), WinMTR, Hanwha WisenetViewer, and Milestone XProtect—tools requiring **admin privileges** for network diagnostics and surveillance.
   - **SEO Poisoning**: Malicious domains rank #1 in Google/Bing searches for terms like “Zenmap download” or “WinMTR installer.”
   - **Cloaking**: Direct visits to domains like `zenmap[.]pro` display AI-generated blogs, while search-referred users see cloned download pages.
2. **Delivery & Evasion**:
   - **Trojanized MSI Installers**: Files like `zenmap-7.97.msi` bundle legitimate apps with malicious DLLs (e.g., `version.dll`), sideloading Bumblebee undetected (only 5/62 AVs flag them on VirusTotal).
   - **DDoS Sabotage**: Official RVTools sites were knocked offline, redirecting users to malicious alternatives. Dell confirmed no involvement in malware distribution.
3. **Post-Infection Impact**:
   - Bumblebee establishes C2 channels to `.life` domains (e.g., `19ak90ckxyjxc[.]life`) and deploys **secondary payloads**, including:
     - **Ransomware** (e.g., Conti, BlackCat).
     - **Infostealers** (e.g., Vidar, Taurus).
   - **Lateral Movement**: Compromised IT devices serve as entry points for network-wide breaches.

### **Behind the Attack: Tactics, Techniques, and Procedures (TTPs)**

#### **Phase 1: Infrastructure Setup**

- **Typosquatting Domains**: Attackers register lookalike domains (e.g., `milestonesys[.]org` vs. legitimate `milestonesys[.]com`).
- **SEO Poisoning**: Fake sites outrank legitimate ones using keyword-stuffed content and backlink manipulation.
- **Hosting**: Malicious sites are hosted on bulletproof providers like Truehost Cloud (Kenya) to avoid takedowns.

#### **Phase 2: Malware Delivery**

- **Cloaking**: Sites detect user-agent strings and referrers; Bing/Google traffic triggers malicious downloads.
- **DLL Sideloading**: Legitimate binaries (e.g., Zenmap’s `nmap.exe`) load malicious libraries, evading EDR/AV detection.

#### **Phase 3: Network Propagation**

- **C2 Communication**: Bumblebee uses **domain generation algorithms (DGAs)** for resilient C2 links.
- **Payload Orchestration**: Operators deploy tailored malware based on victim profiles (e.g., healthcare, finance).

### **MITRE ATT&CK Framework Breakdown**

| **Tactic** | **Technique** | **ID** | **Example** |
|---|---|---|---|
| **Resource Development** | Acquire Infrastructure: Domains | T1583.001 | `zenmap[.]pro`, `milestonesys[.]org` |
| **Initial Access** | Drive-by Compromise (SEO Poisoning) | T1189 | Fake Zenmap site via Google/Bing results |
| **Execution** | User Execution: Malicious File | T1204.002 | Trojanized `WinMTR.msi` installer |
| **Defense Evasion** | Masquerading: Match Legitimate Name/Location | T1036.005 | Cloned Nmap download page |
| **Impact** | Network Denial of Service (DDoS) | T1498 | DDoS on RVTools.com |

### **Indicators of Compromise (IOCs)**

#### **Domains**

- Phishing Sites: `zenmap[.]pro`, `milestonesys[.]org`, `software-server[.]online`
- C2 Servers: `19ak90ckxyjxc[.]life`, `o2u1xbm9xoq4p[.]life` (full list [here](https://pastebin.com/bumblebee-c2-domains))

#### **Files**

- **WinMTR.msi**:
  - MD5: `28c0caed1c9c242f60c8e0884ccbf976`
  - SHA-256: `31dd6d070a65a648b2be9ea2edc9efca26762c3875a8dde2d018eb064bc41e32`
- **Malicious DLL (version.dll)**:
  - SHA-256: `96480ef5ccfa8fcb0646538c440103d97ab741ed83f4c2bcb7b4717569f88770`

### **Expert Insights**

**Joe Wrieden, Cyjax Threat Intelligence Analyst**:

> “Bumblebee’s operators are exploiting the implicit trust users place in search engines. By masquerading as niche IT tools, they’re breaching networks that traditional phishing can’t reach.”

**BleepingComputer Analysis**:

> “The use of DDoS attacks to suppress legitimate software sources is a calculated escalation. It forces desperate users into the attackers’ traps.”

### **Mitigation Strategies**

1. **Verify Software Sources**:
   - Use vendor sites or trusted package managers (e.g., Chocolatey, Homebrew).
   - Validate checksums and digital signatures against values published by the vendor, not against values shown on the download page itself.
2. **Network Hardening**:
   - Block IOCs at firewalls and DNS filters.
   - Restrict `msiexec.exe` so that installers can only run from approved, administrator-controlled locations (e.g., AppLocker or WDAC path rules), rather than from user-writable paths such as Downloads.
3. **User Training**:
   - Educate IT teams on SEO poisoning risks and typosquatting red flags (e.g., odd TLDs).
4. **Threat Hunting**:
   - Hunt for `version.dll` loaded into processes from an application directory rather than from `C:\Windows\System32` (the sideloading pattern), and for anomalous `.life` domain connections.
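The three hunting steps above (checksum verification, DLL-sideload spotting, and `.life` C2 lookups) as one worked example. This is code added to this page, not the article's own or any vendor's tooling. It assumes a constructed DNS log format of `timestamp host query`, module-load pairs modelled on Sysmon Event ID 7 fields, and a regular expression for the DGA-shaped C2 names that is an assumption drawn only from the two domains quoted in the article; the sample inputs are constructed, not real telemetry.

```python
"""Hunting helpers for the Bumblebee SEO-poisoning campaign (added example)."""
import hashlib
import re

# SHA-256 IOCs quoted in the article, lower-case hex.
IOC_SHA256 = {
    "31dd6d070a65a648b2be9ea2edc9efca26762c3875a8dde2d018eb064bc41e32": "WinMTR.msi (trojanized)",
    "96480ef5ccfa8fcb0646538c440103d97ab741ed83f4c2bcb7b4717569f88770": "version.dll (Bumblebee loader)",
}
IOC_DOMAINS = {"zenmap.pro", "milestonesys.org", "software-server.online",
               "19ak90ckxyjxc.life", "o2u1xbm9xoq4p.life"}
# Legitimate homes of version.dll on Windows; a copy loaded from anywhere else
# next to an application binary is a sideloading candidate.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Assumption: C2 names look like the two quoted ones (13 alphanumerics + .life).
DGA_LIFE = re.compile(r"^[a-z0-9]{12,16}\.life$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_installer(data: bytes, vendor_sha256: str) -> dict:
    """Compare a downloaded installer with the vendor-published hash and the IOC list."""
    digest = sha256_hex(data)
    return {
        "sha256": digest,
        "matches_vendor": digest == vendor_sha256.lower(),
        "known_malicious": IOC_SHA256.get(digest),  # None when not an IOC
    }


def sideload_candidates(loaded_modules):
    """loaded_modules: iterable of (process_image, module_path) pairs.
    Flags version.dll loaded from outside the Windows system directories."""
    hits = []
    for proc, mod in loaded_modules:
        m = mod.lower().replace("/", "\\")
        if m.rsplit("\\", 1)[-1] == "version.dll" and not m.startswith(SYSTEM_DIRS):
            hits.append((proc, mod))
    return hits


def suspicious_dns(lines):
    """Scan 'timestamp host query' lines (constructed format) for IOC or DGA-shaped .life names."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].rstrip(".").lower().replace("[.]", ".")
        if qname in IOC_DOMAINS:
            hits.append((parts[1], qname, "ioc"))
        elif DGA_LIFE.match(qname):
            hits.append((parts[1], qname, "dga-shaped"))
    return hits


# Constructed sample data (not real telemetry).
SAMPLE_MODULES = [
    (r"C:\Program Files (x86)\Nmap\nmap.exe", r"C:\Windows\System32\version.dll"),
    (r"C:\Users\it\Downloads\Zenmap\nmap.exe", r"C:\Users\it\Downloads\Zenmap\version.dll"),
]
SAMPLE_DNS = [
    "2025-05-27T09:00:01Z ws-it-04 nmap.org.",
    "2025-05-27T09:00:05Z ws-it-04 19ak90ckxyjxc.life.",
    "2025-05-27T09:00:09Z ws-it-07 q7x3lm2pzrv1k.life.",
    "2025-05-27T09:00:12Z ws-it-07 example.life.",
]

if __name__ == "__main__":
    print(sideload_candidates(SAMPLE_MODULES))
    print(suspicious_dns(SAMPLE_DNS))
    blob = b"not a real installer"  # constructed stand-in for a downloaded MSI
    print(check_installer(blob, sha256_hex(blob)))
```

The DGA pattern is deliberately narrow; in production, pair it with a lookup of newly registered `.life` names rather than relying on length alone, and feed `sideload_candidates` from image-load telemetry so the check covers DLLs other than `version.dll`.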

27-May-2025
3 min read

Social Engineering

Callback

Silent Ransom Group (Luna Moth) targets US law firms via social engineering, dat...

The **Silent Ransom Group (SRG)**, also tracked as **Luna Moth**, **Chatty Spider**, and **UNC3753**, is a cybercriminal syndicate specializing in **data exfiltration extortion**. Emerging from the remnants of the [Conti ransomware](https://www.secureblink.com/cyber-security-news/lock-bit-ransomware-new-encryptor-and-impact-on-the-derivatives-trading-market) group in March 2022, SRG has refined its focus on **social engineering**, **callback phishing**, and **legitimate tool abuse** to steal sensitive data from high-value targets, primarily U.S. law firms and financial institutions. Unlike traditional ransomware actors, SRG avoids encryption, instead leveraging stolen data for **multi-million-dollar extortion demands** ($1M–$8M). This report provides an exhaustive analysis of SRG’s tactics, operational infrastructure, and actionable defense strategies.

## **Background and Evolution**

### **Origins and Splintering from Conti**

- **Conti Syndicate Roots**: SRG members originated from the Conti ransomware operation, a prolific Russian-aligned group linked to **BazarCall** campaigns and **Ryuk/Conti** ransomware deployments.
- **Post-Conti Shutdown (March 2022)**: After Conti disbanded due to internal leaks and law enforcement pressure, SRG formed as an independent entity, retaining Conti’s social engineering expertise but pivoting to **pure data extortion**.

### **Campaign Timeline**

- **2022**: Initial campaigns focused on **BazarCall**-style callback phishing to deploy ransomware.
- **2023**: Shift to **data theft extortion**, targeting legal/financial sectors.
- **2024**: Expansion of **typosquatted domain registrations** and RMM tool abuse.

## **Operational Framework**

### **Core Objectives**

- **Data Exfiltration**: Steal sensitive documents (client contracts, financial records, litigation details).
- **Psychological Extortion**: Pressure victims via phone calls, emails, and threats of data leaks.
- **Profit Maximization**: Tailor ransom demands to victim revenue (1–8% of annual income).

### **Tactics, Techniques, and Procedures (TTPs)**

Aligned with **MITRE ATT&CK Framework**:

| **Phase** | **Tactics** | **Tools/Techniques** |
|---|---|---|
| **Initial Access** | Callback phishing, typosquatted domains, fake IT support impersonation | Spoofed emails, fake helpdesk portals, VoIP calls |
| **Execution** | Social engineering to install RMM software (e.g., AnyDesk, TeamViewer) | Malicious links to fake IT support sites, PowerShell scripts |
| **Persistence** | Minimal; focuses on rapid data exfiltration | Legitimate RMM tools, scheduled tasks |
| **Privilege Escalation** | Limited; exploits default user permissions | Credential harvesting via keyloggers, browser data extraction |
| **Exfiltration** | Uses WinSCP (SFTP) and Rclone (cloud sync) | Data staged in compressed archives, exfiltrated via HTTPS/SSH |
| **Impact** | Extortion via threats to leak/sell data, direct phone calls to executives | Dedicated leak site (rarely updated), follow-up harassment |

## **Attack Lifecycle Deep Dive**

### **Stage 1: Reconnaissance and Impersonation**

- **Typosquatting Domains**: Registrations mimicking major U.S. law firms (e.g., `sullivancromwell-support[.]com` vs. legitimate `sullivancromwell.com`).
- **Phishing Lures**: Emails impersonating IT departments with urgent requests (e.g., “Your account will be locked within 24 hours – call [spoofed number]”).

### **Stage 2: Callback Phishing and RMM Deployment**

- **Social Engineering Playbook**:
  1. Victim calls fake helpdesk number provided in phishing email.
  2. Attackers pose as IT staff, convincing target to visit a typosquatted domain.
  3. Victim downloads “critical security updates,” which are disguised RMM tools.
- **RMM Abuse**: Tools like **Splashtop** or **ScreenConnect** grant persistent remote access.

### **Stage 3: Data Hunting and Exfiltration**

- **Rapid Triage**: Attackers spend 2–4 hours per compromised device:
  - Search for keywords: “confidential,” “merger,” “tax,” “client.”
  - Target shared drives (e.g., `\\NAS\legal_docs`).
- **Exfiltration Methods**:
  - **WinSCP**: Uploads to attacker-controlled SFTP servers.
  - **Rclone**: Syncs data to cloud storage (Mega.nz, Dropbox).

### **Stage 4: Extortion and Negotiation**

- **Ransom Notes**: Sent via email/Tor payment portals, threatening to:
  - Auction data on dark web forums.
  - Contact clients/partners with stolen documents.
- **Call-Based Pressure**: Attackers phone employees directly, impersonating executives or legal advisors to accelerate payments.

## **Target Analysis**

### **Sector Focus**

- **Law Firms**: High-value due to sensitive case files, client privileged communications, and financial transaction records.
- **Financial Services**: Targets include hedge funds, accounting firms, and investment banks.

### **Victimology**

- **Geographic Focus**: 85% of victims in the U.S., with clusters in New York, Washington D.C., and California.
- **Size**: Mid-sized firms (50–500 employees) lacking mature SOC capabilities.

## **Mitigation Strategies**

### **Technical Controls**

- **Block RMM and Unauthorized Tools**:
  - Use application allowlisting to block unauthorized RMM software.
  - Monitor for processes like `winscp.exe` or `rclone.exe` in non-admin contexts.
- **Network Segmentation**:
  - Isolate sensitive data repositories (e.g., legal case files) with strict access controls.
  - Deploy microsegmentation to limit lateral movement.
- **Detect Exfiltration Signatures**:
  - Flag large outbound transfers (>10GB) via SFTP/HTTPS.
  - Use DLP solutions to block unauthorized uploads to cloud storage.

### **Human-Centric Defenses**

- **Phishing Simulations**: Train employees to:
  - Recognize typosquatted domains (e.g., “sullivancromwel.com”).
  - Verify IT requests via secondary channels (e.g., Slack, in-person).
- **Callback Phishing Response Protocol**:
  - Mandate that all IT support requests originate from internal ticketing systems.
  - Use VoIP call filtering to block spoofed numbers.

### **Incident Response Preparation**

- **Pre-Negotiation Planning**: Designate legal/cyber insurance teams to handle extortion communications.
- **Backup and Recovery**:
  - Maintain air-gapped, encrypted backups tested quarterly.
  - Implement versioning to recover from data corruption.

## **SRG Attack on a U.S. Law Firm**

### **Attack Timeline**

- **Day 1**: Phishing email sent to paralegal: “Urgent: Your Microsoft 365 license has expired.”
- **Day 2**: The paralegal calls a fake helpdesk and installs AnyDesk.
- **Day 3**: Attackers exfiltrate 2TB of merger/acquisition documents via Rclone.
- **Day 5**: Ransom note demands $5.2 million.

### **Lessons Learned**

- **Failure Points**: Lack of MFA on RMM tools, no network segmentation for client data.
- **Post-Incident Actions**: Implemented Zero Trust access controls and quarterly phishing drills.

## **Legal and Regulatory Implications**

- **GDPR/CCPA Compliance**: Breached firms face fines for failing to protect client data.
- **Ethical Obligations**: Law firms are required to disclose breaches to clients under the ABA Model Rules.
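The technical controls and the typosquat-recognition training above, carried through as one worked example: an RMM/exfil-tool allowlist check over process-creation events, per-host aggregation of outbound bytes on SFTP/HTTPS against the 10 GB threshold, and a lookalike-domain test for the firm's own domain. This is code added to this page, not the article's or any vendor's. The event and flow record fields, the binary names in the RMM set, the choice of ScreenConnect as the "approved" RMM, and all sample records are constructed assumptions for illustration.

```python
"""Detection helpers for the SRG/Luna Moth playbook (added example)."""
from collections import defaultdict

# Tools the article names. Binary names are assumed; adapt to your EDR's image field.
EXFIL_TOOLS = {"winscp.exe", "rclone.exe"}
RMM_TOOLS = {"anydesk.exe", "teamviewer.exe", "splashtop.exe", "screenconnect.exe"}
APPROVED_RMM = {"screenconnect.exe"}        # assumption: the firm's sanctioned RMM
EXFIL_THRESHOLD_BYTES = 10 * 1024 ** 3      # >10 GB outbound, per the article's guidance
EXFIL_PORTS = {22, 443}                     # SFTP and HTTPS


def review_process_events(events):
    """events: iterable of dicts with host, user, image, parent (Sysmon Event ID 1 style).
    Returns (host, binary, reason) for exfil tools and any RMM outside the allowlist."""
    findings = []
    for e in events:
        name = e["image"].rsplit("\\", 1)[-1].lower()
        if name in EXFIL_TOOLS:
            findings.append((e["host"], name, "exfiltration tool"))
        elif name in RMM_TOOLS and name not in APPROVED_RMM:
            findings.append((e["host"], name, "unapproved RMM"))
    return findings


def exfil_hosts(flows):
    """flows: iterable of dicts with host, dst, dport, bytes_out (NetFlow style).
    Sums outbound bytes per (host, dst) on SFTP/HTTPS; a single flow below the
    threshold is not enough, the staged-archive pattern shows up in the total."""
    totals = defaultdict(int)
    for f in flows:
        if f["dport"] in EXFIL_PORTS:
            totals[(f["host"], f["dst"])] += f["bytes_out"]
    return sorted(k for k, v in totals.items() if v > EXFIL_THRESHOLD_BYTES)


def _edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_lookalike(domain, legit_domains):
    """True for the three lookalike shapes in the article: the brand label on another TLD,
    the brand plus extra tokens (sullivancromwell-support.com), or a one-edit typo
    (sullivancromwel.com). Only the leftmost label is compared."""
    label = domain.lower().split(".")[0]
    for legit in legit_domains:
        brand = legit.lower().split(".")[0]
        if label == brand:
            return domain.lower() != legit.lower()   # same label, different TLD
        if brand in label or _edit_distance(label, brand) == 1:
            return True
    return False


# Constructed sample data (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "LAW-WS-12", "user": "jdoe", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "parent": "chrome.exe"},
    {"host": "LAW-WS-12", "user": "jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe", "parent": "cmd.exe"},
    {"host": "LAW-SRV-01", "user": "svc_rmm", "image": r"C:\Program Files\RMM\ScreenConnect.exe", "parent": "services.exe"},
]
SAMPLE_FLOWS = [
    {"host": "LAW-WS-12", "dst": "203.0.113.7", "dport": 443, "bytes_out": 6 * 1024 ** 3},
    {"host": "LAW-WS-12", "dst": "203.0.113.7", "dport": 443, "bytes_out": 5 * 1024 ** 3},
    {"host": "LAW-WS-03", "dst": "198.51.100.9", "dport": 22, "bytes_out": 2 * 1024 ** 3},
]
LEGIT_DOMAINS = ["sullivancromwell.com"]

if __name__ == "__main__":
    print(review_process_events(SAMPLE_EVENTS))
    print(exfil_hosts(SAMPLE_FLOWS))
    for d in ("sullivancromwell-support.com", "sullivancromwel.com", "sullivancromwell.com"):
        print(d, looks_like_lookalike(d, LEGIT_DOMAINS))
```

Two design points worth noting: the byte aggregation is keyed on destination, because SRG stages archives and pushes them in several sessions, so a per-flow threshold would miss it; and the lookalike check intentionally compares only the leftmost label, which is enough for the registration patterns the article describes but will not catch subdomain tricks such as `sullivancromwell.com.example[.]net`, so pair it with a newly-registered-domain feed.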

24-May-2025
5 min read