Hacking Group Known as “Andariel” Used Ransom Proceeds to Fund Theft of Sensitive Information from Defense and Technology Organizations Worldwide, Including U.S. Government Agencies
In the wake of Spanish Authorities arresting three individuals associated with NoName057(16), the group declared a "holy war" on Spain. The call to arms encourages all pro-Russian hacker groups to join under the hashtag #FuckGuardiaCivil. Over the past two days, NETSCOUT observed a significant increase in claimed attacks on Spanish websites, coinciding with the call to arms in retaliation for the arrests made. Despite the surge in hacktivist targeting and claims of victory, the daily DDoS attacks manifest as a normal day for Spanish network operators.
Sekoia.io investigated the mysterious 7777 botnet (aka. Quad7 botnet), published by the independent researcher Gi7w0rm inside the “The curious case of the 7777 botnet” blogpost.
This investigation allowed us to intercept network communications and malware deployed on a TP-Link router compromised by the Quad7 botnet in France.
To our understanding, the Quad7 botnet operators leverage compromised TP-Link routers to relay password spraying attacks against Microsoft 365 accounts without any specific targeting.
Therefore, we link the Quad7 botnet activity to possible long term business email compromise (BEC) cybercriminal activity rather than an APT threat actor.
However, certain mysteries remain regarding the exploits used to compromise the routers, the geographical distribution of the botnet and the attribution of this activity cluster to a specific threat actor.
The insecure architecture of this botnet led us to think that it can be hijacked by other threat actors to install their own implants on the compromised TP-Link routers by using the Quad7 botnet accesses.
On May 2, 2024, Arctic Wolf Labs began monitoring deployment of a new ransomware variant referred to as Fog. The ransomware activity was observed in several Arctic Wolf Incident Response cases, each exhibiting similar elements. All victim organizations were located in the United States, 80% of which were in the education sector and 20% in the recreation sector.
We are sharing details of this emerging variant to help organizations defend against this threat. Please note that we may add further detail to this article as we uncover additional information in our ongoing investigation.
Two foreign nationals pleaded guilty today to participating in the LockBit ransomware group—at various times the most prolific ransomware variant in the world—and to deploying LockBit attacks against victims in the United States and worldwide.
Cisco has fixed a critical severity vulnerability that lets attackers add new users with root privileges and permanently crash Security Email Gateway (SEG) appliances using emails with malicious attachments.
Tracked as CVE-2024-20401, this arbitrary file write security flaw in the SEG content scanning and message filtering features is caused by an absolute path traversal weakness that allows replacing any file on the underlying operating system.