Mastodon

0 posts0 participants0 posts today

ESET Research<a href="https://infosec.exchange/tags/ESETresearch" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ESETresearch</a> discovered previously unknown links between the <a href="https://infosec.exchange/tags/RansomHub" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RansomHub</a>, <a href="https://infosec.exchange/tags/Medusa" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Medusa</a>, <a href="https://infosec.exchange/tags/BianLian" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BianLian</a>, and <a href="https://infosec.exchange/tags/Play" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Play</a> ransomware gangs, and leveraged <a href="https://infosec.exchange/tags/EDRKillShifter" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#EDRKillShifter</a> to learn more about RansomHub’s affiliates. @SCrow357 <a href="https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/</a> RansomHub emerged in February 2024 and in just three months reached the top of the ransomware ladder, recruiting affiliates from disrupted <a href="https://infosec.exchange/tags/LockBit" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LockBit</a> and <a href="https://infosec.exchange/tags/BlackCat" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#BlackCat</a>. Since then, it dominated the ransomware world, showing similar growth as LockBit once did. Previously linked to North Korea-aligned group <a href="https://infosec.exchange/tags/Andariel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Andariel</a>, Play strictly denies operating as <a href="https://infosec.exchange/tags/RaaS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RaaS</a>. We found its members utilized RansomHub’s EDR killer EDRKillShifter, multiple times during their intrusions, meaning some members likely became RansomHub affiliates. BianLian focuses on extortion-only attacks and does not publicly recruit new affiliates. Its access to EDRKillShifter suggests a similar approach as Play – having trusted members, who are not limited to working only with them. Medusa, same as RansomHub, is a typical RaaS gang, actively recruiting new affiliates. Since it is common knowledge that affiliates of such RaaS groups often work for multiple operators, this connection is to be expected. Our blogpost also emphasizes the growing threat of EDR killers. We observed an increase in the number of such tools, while the set of abused drivers remains quite small. Gangs such as RansomHub and <a href="https://infosec.exchange/tags/Embargo" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Embargo</a> offer their killers as part of the affiliate program. IoCs available on our GitHub: <a href="https://github.com/eset/malware-ioc/tree/master/ransomhub" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/eset/malware-ioc/tree/master/ransomhub</a>

Digital Human ✔Bescherming tegen cyberaanvallen: de rol van cybersecurity platformen <a href="https://www.trendingtech.news/trending-news/2024/06/14430/bescherming-tegen-cyberaanvallen-de-rol-van-cybersecurity-platformen" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.trendingtech.news/trending-news/2024/06/14430/bescherming-tegen-cyberaanvallen-de-rol-van-cybersecurity-platformen</a> <a href="https://mastodon.social/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Cybersecurity</a> Platform <a href="https://mastodon.social/tags/Dora" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Dora</a> RAT Malware <a href="https://mastodon.social/tags/Andariel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Andariel</a> Hackers <a href="https://mastodon.social/tags/Apache" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Apache</a> Tomcat Kwetsbaarheden <a href="https://mastodon.social/tags/Digitale" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Digitale</a> Veiligheid <a href="https://mastodon.social/tags/Trending" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Trending</a> <a href="https://mastodon.social/tags/News" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#News</a> <a href="https://mastodon.social/tags/Nieuws" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Nieuws</a>

Not SimonASEC reports on activity by North Korean state-sponsored APT Andariel Group (publicly attributed to the DPRK Reconnaissance General Bureau by the US Treasury) against South Korean companies. AndarLoader and Modeloader (described as JavaScript malware) are downloaders used to take control and install Mimikatz for credential stealing. MeshAgent is (potentially unwanted application) abused as remote monitoring and management (RMM). ASEC describes a lot of TTPs that could be mapped to MITRE ATT&CK. IOC provided. 🔗 <a href="https://asec.ahnlab.com/en/63192/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://asec.ahnlab.com/en/63192/</a><a href="https://infosec.exchange/tags/NorthKorea" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#NorthKorea</a> <a href="https://infosec.exchange/tags/cyberespionage" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#cyberespionage</a> <a href="https://infosec.exchange/tags/APT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#APT</a> <a href="https://infosec.exchange/tags/Andariel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Andariel</a> <a href="https://infosec.exchange/tags/RGB" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RGB</a> <a href="https://infosec.exchange/tags/Modeloader" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Modeloader</a> <a href="https://infosec.exchange/tags/AndarLoader" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#AndarLoader</a> <a href="https://infosec.exchange/tags/MeshAgent" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#MeshAgent</a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#threatintel</a> <a href="https://infosec.exchange/tags/IOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#IOC</a>

Recent searches

Search options

Administered by:

Server stats:

#andariel