| New Threat Detection Added | 3 (Pikabot Malware, GandCrab Ransomware and Ivanti Connect Secure XXE Attempt (CVE-2024-22024)) |
| New Threat Protections | 118 |
| New Ransomware Victims Last Week | 132 |
Weekly Detected Threats
The following threats were added to Crystal Eye XDR this week:
|
Threat name:
|
Pikabot Malware | ||||||||||||||||||
|
Pikabot is a new kind of harmful software. It's made up of three parts: a downloader/installer, a loader, and a backdoor component. Even though it's still new, it's showing some smart tricks to avoid detection and analysis. The loader part especially has tricky ways to hide and protect itself, drawing inspiration from a project called Al-Khaser. Pikabot also hides its payload using steganography. Plus, it has its own special way of communicating and can do lots of things like checking out a computer and injecting more bad stuff into it.
|
|||||||||||||||||||
|
Threat Protected:
|
03 | ||||||||||||||||||
|
Rule Set Type:
|
|
||||||||||||||||||
|
Class Type:
|
Trojan-activity | ||||||||||||||||||
|
Kill Chain:
|
|
||||||||||||||||||
|
Threat name:
|
GandCrab Ransomware | ||||||||||||||||||
|
Since its discovery in 2018, GandCrab has evolved through five versions, causing havoc for individuals and companies. The creators are quick to adapt to defences, making it a persistent threat. The latest version, 5.1, targets global users but spares those from ex-USSR regions, identified by keyboard or language settings. This Windows-exclusive ransomware spreads through email spam or exploit kits, leading victims to a TOR website after encrypting files. Restoring data often requires paying a ransom, ranging from $1000 to $3000, though some victims report demands as high as $700,000. GandCrab operates as Ransomware-as-a-Service, allowing distribution to clients who customise ransom notes and share proceeds with the creators.
|
|||||||||||||||||||
|
Threat Protected:
|
01 | ||||||||||||||||||
|
Rule Set Type:
|
|
||||||||||||||||||
|
Class Type:
|
Trojan-activity | ||||||||||||||||||
|
Kill Chain:
|
|
||||||||||||||||||
|
Threat name:
|
Ivanti Connect Secure XXE Attempt (CVE-2024-22024) | ||||||||||||||||||
|
An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allow an attacker to access certain restricted resources without authentication.
|
|||||||||||||||||||
|
Threat Protected:
|
01 | ||||||||||||||||||
|
Rule Set Type:
|
|
||||||||||||||||||
|
Class Type:
|
Attempted-admin | ||||||||||||||||||
|
Kill Chain:
|
|
||||||||||||||||||
Known exploited vulnerabilities (Week 3 - February 2024)
|
Threat
|
CVSS
|
Description | |
|
CVE-2023-43770
|
6.1 (Medium)
|
Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
|
|
|
CVE-2024-21412
|
8.1 (High)
|
Microsoft Windows Internet Shortcut Files Security Feature Bypass Vulnerability
|
|
|
CVE-2024-21351
|
7.6 (High)
|
Microsoft Windows SmartScreen Security Feature Bypass Vulnerability
|
|
|
CVE-2020-3259
|
7.5 (High)
|
Cisco ASA and FTD Information Disclosure Vulnerability
|
|
|
CVE-2024-21410
|
9.8 (Critical)
|
Microsoft Exchange Server Privilege Escalation Vulnerability
|
Updated Malware Signatures (Week 3 - February 2024)
|
Threat
|
Description
|
|
|
Valyria
|
A Microsoft Word-based malware which is used as a dropper for second-stage malware.
|
|
|
LokiBot
|
An information-stealer malware used to gather data from victims’ machines such as stored account credentials, banking information and other personal data.
|
|
|
DarkKomet
|
A remote access trojan that can take full control over an infected machine.
|
|
|
Qakbot
|
A malware designed to acquire valuable data such as banking credentials and is also capable of stealing FTP credentials and spreading across a network by utilising SMB.
|
| New Ransomware Victims Last Week: | 132 |
|
The Red Piranha Team actively collects information on organisations globally affected by ransomware attacks from various sources, including the Dark Web. In the past week alone, our team uncovered a total of 132 new ransomware victims or updates on previous victims across 22 different industries spanning 28 countries. This underscores the widespread and indiscriminate impact of ransomware attacks, emphasising their potential to affect organisations of varying sizes and sectors worldwide.
The LockBit3.0 ransomware group stands out as the most prolific, having updated a significant number of victims (46) distributed across multiple countries. In comparison, Hunter and Alphv ransomware groups updated 14 and 11 victims, respectively, in the past week. The following list provides the victim counts in percentages for these ransomware groups and a selection of others.
|
|
| Name of Ransomware Group | Percentage of new Victims last week |
|
3Am
|
0.76%
|
|
8Base
|
2.27%
|
|
Abyss-Data
|
2.27 %
|
|
Akira
|
2.27%
|
|
Alphv
|
8.33%
|
|
Bianlian
|
5.30%
|
|
Black Suit
|
1.52%
|
|
Blackbasta
|
6.06%
|
|
Cactus
|
2.27%
|
|
Clop
|
0.76%
|
|
Hunters
|
10.61%
|
|
Inc Ransom
|
0.76%
|
|
Lockbit3
|
34.85%
|
|
Medusa
|
2.27%
|
|
Meow
|
3.03%
|
|
Mydata
|
0.76%
|
|
Play
|
6.82%
|
|
Qilin
|
3.79%
|
|
Ransomhub
|
0.76%
|
|
Rhysida
|
0.76%
|
|
Stormous
|
1.52%
|
|
Trigona
|
1.52%
|
|
Werewolves
|
0.76%
|
|
In a comprehensive analysis of ransomware victims across 28 countries, the United States emerges as the most heavily impacted nation, reporting a staggering 82 victim updates in the past week. The following list provides a breakdown of the number and percentage of new ransomware victims per country, underscoring the persistent and concerning prevalence of ransomware attacks, with the USA particularly susceptible to these cybersecurity threats.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Upon further investigation, it has been identified that ransomware has left its mark on 22 different industries worldwide. Notably, the Manufacturing and Retail sectors bore the brunt of the attacks in the past week, accounting for 26 and 14 victims, respectively. The table below delineates the most recent ransomware victims, organised by industry, shedding light on the sectors grappling with the significant impact of these cyber threats.
|
|||||||||||||||||||||||||||||||||||||||||||||||
Details
Date Published
February 19, 2024
Category