RansomHub has attacked over 210 critical organizations in the United States
Information:
Ransomware is a type of malware designed to block or restrict access to a user's data by encrypting the user's files until a ransom is paid to the attacker. This type of malware often targets important data such as documents and files and demands payment for a decryption key.
Incident:
RansomHub, a hacking group specializing in ransomware attacks on organizations, began its operations in February 2024 and has caused significant damage in a short period of time. Since its inception, it has compromised data from over 210 victims in the United States. RansomHub operates on a Ransomware-as-a-Service (RaaS) model, renting out its attack tools to other hackers, including prominent figures from groups like LockBit and ALPHV.
This group employs a tactic known as double extortion, where they steal sensitive data from their victims before locking their files. If the victim refuses to pay the ransom, the group threatens to publicly release the stolen data. The group primarily targets organizations in critical infrastructure sectors such as utilities, information technology, government services, finance, manufacturing, and transportation.
To carry out their attacks, RansomHub exploits vulnerabilities in popular software like Citrix ADC, FortiOS, and Apache ActiveMQ. They then use remote access and penetration testing tools such as Remote Desktop Protocol, Anydesk, and Cobalt Strike to gain control over the network. Additionally, they utilize a variety of data exfiltration tools, including PuTTY, AWS S3, and WinSCP.
Recommendation:
- Train employees to identify phishing emails
- Keep software patched to the latest version
- Implement multi-factor authentication (MFA)
- Regularly back up critical data and test recovery
The important thing is our security systems: we must stay vigilant and keep monitoring them as usual.
For more information please contact
Email: sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
0613879439 (Ms.Sirilak)
0922576902 (Ms.Narusorn)
Weekly Interesting CVE
| No. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS | Detail | Solution | Reference |
|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2024-3035 | 8/8/2024 | 29/8/2024 | GitLab | Authorization | 6.6 | A permission check vulnerability in GitLab CE/EE allowed LFS tokens to read and write to user-owned repositories. | Upgrade to version 17.0.6, 17.1.4 or 17.2.2. | https://vuldb.com/?id.273971 |
| 2 | CVE-2024-0794 | 20/2/2024 | 30/8/2024 | HP Enterprise LaserJet Printer | Buffer Overflow | 8 | Certain HP LaserJet Pro, HP Enterprise LaserJet, and HP LaserJet Managed Printers are potentially vulnerable to Remote Code Execution due to a buffer overflow when rendering fonts embedded in a PDF file. | No information about possible countermeasures known. | |
| 3 | CVE-2022-33162 | 16/8/2024 | 29/8/2024 | IBM Security Directory Integrator 7.2.0 | Memory Corruption | 8 | IBM Security Directory Integrator 7.2.0 and Security Verify Directory Integrator 10.0.0 do not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. IBM X-Force ID: 228570. | Upgrade to a higher version. | |
| 4 | CVE-2024-2615 | 19/3/2024 | 29/8/2024 | Mozilla Firefox before version 124 | Memory Corruption | 7.9 | Memory safety bugs present in Firefox 123. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 124. | Upgrade to version 124. | |
| 5 | CVE-2022-24379 | 14/11/2023 | 30/8/2024 | Intel(R) M70KLP Family BIOS Firmware before version 01.04.0029 | Input Validation | 6.8 | Improper input validation in some Intel(R) Server System M70KLP Family BIOS firmware before version 01.04.0029 may allow a privileged user to potentially enable escalation of privilege via local access. | Upgrade to version 01.04.0029. | |
Malware News or Campaign IOC/IOA
| No | Campaign Name | Detection Date | Attack Type | Description | Mitigation/Remediation |
|---|---|---|---|---|---|
| 1 | PG_MEM | 29/08/2024 | Brute-Force Attack, Privilege Escalation, Cryptojacking, Denial of Service (DoS) | PG_MEM is malware that attacks PostgreSQL databases by guessing passwords to log in. Once in, the attacker uses SQL commands to execute shell commands on the server. The malware then downloads payloads used to mine the Monero cryptocurrency and to seize the database. The attacker revokes access from other superusers to reduce the risk of a takeover. Any Internet-connected system that is not properly protected and uses weak passwords is vulnerable to this type of attack. | 1. Use strong passwords: choose long, complex passwords for your database to prevent brute-force attacks. 2. Update and patch your system: check for and install the latest security updates and patches. 3. Restrict access to your database: do not expose the database directly to the Internet, and use a firewall to restrict access to authorized IPs only. |
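As an added illustration (not part of the original bulletin or of any PG_MEM report), a small Python detector for the two PG_MEM behaviours described above, the password-guessing login burst and the lockout of other superusers, run over constructed PostgreSQL log lines. The `log_line_prefix` format, the thresholds, the IPs and the sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumes log_line_prefix = '%t [%p] %r ' (timestamp, pid, remote host(port)).
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ \[\d+\] '
    r'(?P<host>[\d.]+)\(\d+\) (?P<level>[A-Z]+):\s+(?P<msg>.*)$')
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
# Role changes that lock other superusers out; only logged with log_statement = 'ddl' or 'all'.
ROLE_TAMPER_RE = re.compile(
    r'statement:\s*ALTER (?:ROLE|USER) "?(?P<role>\w+)"?.*\b(?:NOSUPERUSER|NOLOGIN|PASSWORD)\b',
    re.IGNORECASE)

# Constructed sample log lines, not captured from a real server.
SAMPLE_LOG = """\
2024-08-29 10:00:01 UTC [2011] 203.0.113.5(51000) FATAL:  password authentication failed for user "postgres"
2024-08-29 10:00:02 UTC [2012] 203.0.113.5(51001) FATAL:  password authentication failed for user "postgres"
2024-08-29 10:00:02 UTC [2013] 198.51.100.7(40122) FATAL:  password authentication failed for user "app"
2024-08-29 10:00:03 UTC [2014] 203.0.113.5(51002) FATAL:  password authentication failed for user "postgres"
2024-08-29 10:00:03 UTC [2015] 203.0.113.5(51003) FATAL:  password authentication failed for user "postgres"
2024-08-29 10:00:04 UTC [2016] 203.0.113.5(51004) FATAL:  password authentication failed for user "postgres"
2024-08-29 10:00:09 UTC [2017] 203.0.113.5(51005) LOG:  statement: ALTER ROLE dba NOSUPERUSER
2024-08-29 10:00:10 UTC [2017] 203.0.113.5(51005) LOG:  statement: SELECT 1
""".splitlines()

def parse_line(line):
    """Return dict(ts, host, level, msg) for a matching log line, else None."""
    m = LINE_RE.match(line)
    return dict(m.groupdict(), ts=datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')) if m else None

def detect(lines, threshold=5, window_s=60):
    """One 'brute_force' alert per source IP reaching `threshold` failed logins within `window_s`
    seconds, plus one 'role_tamper' alert per logged ALTER ROLE/USER that demotes or locks a role."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)  # host -> timestamps of its failed logins still inside the window
    for rec in filter(None, map(parse_line, lines)):
        if AUTH_FAIL_RE.search(rec['msg']):
            q = recent[rec['host']]
            q.append(rec['ts'])
            while rec['ts'] - q[0] > timedelta(seconds=window_s):  # drop entries outside the window
                q.popleft()
            if len(q) >= threshold and rec['host'] not in flagged:
                flagged.add(rec['host'])
                alerts.append(('brute_force', rec['host'], len(q)))
        m = ROLE_TAMPER_RE.search(rec['msg'])
        if m:
            alerts.append(('role_tamper', rec['host'], m.group('role')))
    return alerts
```

Feed it a real server log with `detect(open(path))` once `log_line_prefix` and `log_statement` match the assumptions in the comments; a role-tamper hit right after a brute-force hit from the same host is the pattern the bulletin describes.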
20 September 2024