
DigitalXRAID

Threat Pulse – May 2023

Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats. 

If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.

Legion Malware Upgraded to Target SSH Servers and AWS Credentials 

Legion, a Python-based hacking tool that was first discovered last month, has extended its capabilities to target SSH servers and AWS credentials.

The malware is known to exploit web servers running content management systems (CMS), using Telegram as a data exfiltration channel. The new features take it further: it compromises SSH servers using the Python Paramiko module and harvests additional AWS-specific credentials from Laravel web applications.

BlackSuit Ransomware Shares Huge Similarities to Royal Ransomware 

Researchers discovered a potential connection between the BlackSuit and Royal ransomware variants.  

The analysis focused on the x64 ESXi version of BlackSuit targeting Linux systems and compared it to the Linux variant of Royal. The findings revealed a significant level of similarity in functions, blocks, and jumps.  

BlackSuit introduces different argument strings compared to Royal but maintains a similar purpose. It incorporates arguments from various Windows versions of Royal and introduces its own specific arguments, such as “-delete” and “-list”.  

The “-delete” argument enables BlackSuit to promptly delete targeted files, while the “-list” argument is used to specify directories for encryption. Additionally, BlackSuit ransomware possesses the capability to delete shadow copies through its command execution.  

These insights contribute to a better understanding of the similarities and potential collaboration between the BlackSuit and Royal ransomware variants. 

New Russian-linked CosmicEnergy malware targets industrial systems 

Researchers have discovered a new malware called CosmicEnergy designed to disrupt industrial systems and linked to Russian cybersecurity outfit Rostelecom-Solar (formerly Solar Security). 

The malware specifically targets IEC-104-compliant remote terminal units (RTUs) commonly used in electric transmission and distribution operations across Europe, the Middle East, and Asia. 

Once inside the victim’s network, the attackers can control RTUs remotely by issuing IEC-104 “ON” or “OFF” commands via a malicious tool called Lightwork.
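For defenders monitoring an IEC-104 network, the practical question is whether a control command (a single or double command with ON/OFF state) has appeared on the wire from a host that should not be issuing one. The following is an added example, not code from the original bulletin or from any of the research it summarises: a minimal parser for the IEC 60870-5-104 APCI/ASDU layout that surfaces single (C_SC_NA_1, type 45) and double (C_DC_NA_1, type 46) commands. The sample frames and the source address are constructed for the example; the byte layout follows the public IEC 60870-5-104 specification.

```python
"""Inspect IEC 60870-5-104 frames for control commands (ON/OFF) sent to RTUs.

Added defensive example: parse the APCI/ASDU layout and surface any single or
double command so an operator can alert on commands from unexpected hosts.
"""
from dataclasses import dataclass
from typing import List, Optional

START_BYTE = 0x68
C_SC_NA_1 = 45      # single command (SCO: bit 0 = 1 ON / 0 OFF, bit 7 = select)
C_DC_NA_1 = 46      # double command (DCO: bits 0-1 = 1 OFF / 2 ON, bit 7 = select)
COT_ACTIVATION = 6  # cause of transmission used to actuate a control point


@dataclass
class ControlCommand:
    type_id: int
    cause: int
    common_address: int
    ioa: int          # information object address of the point being switched
    state: str        # "ON", "OFF" or "INDETERMINATE"
    select: bool      # True = select step, False = execute step


def parse_apdu(frame: bytes) -> Optional[ControlCommand]:
    """Return a ControlCommand if `frame` is an I-format APDU carrying a
    single or double command, None for any other well-formed frame, and
    raise ValueError if the frame is malformed."""
    if len(frame) < 6 or frame[0] != START_BYTE:
        raise ValueError("missing 0x68 start byte")
    if frame[1] + 2 != len(frame):
        raise ValueError("APDU length field does not match frame size")
    # Control field octet 1, bit 0: 0 = I-format (carries an ASDU); S/U-format otherwise.
    if frame[2] & 0x01:
        return None
    asdu = frame[6:]
    # type(1) vsq(1) cot(2) common address(2) ioa(3) command qualifier(1)
    if len(asdu) < 10:
        raise ValueError("ASDU too short for a command")
    type_id = asdu[0]
    if type_id not in (C_SC_NA_1, C_DC_NA_1):
        return None
    cause = asdu[2] & 0x3F  # low 6 bits; bit 6 = P/N, bit 7 = test flag
    common_address = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    qualifier = asdu[9]
    select = bool(qualifier & 0x80)
    if type_id == C_SC_NA_1:
        state = "ON" if qualifier & 0x01 else "OFF"
    else:
        state = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INDETERMINATE")
    return ControlCommand(type_id, cause, common_address, ioa, state, select)


def command_alerts(frames: List[bytes], source: str) -> List[str]:
    """One alert line per actuating command (COT = activation) found in `frames`."""
    alerts = []
    for frame in frames:
        try:
            cmd = parse_apdu(frame)
        except ValueError as exc:
            alerts.append(f"{source}: malformed frame ({exc})")
            continue
        if cmd is None or cmd.cause != COT_ACTIVATION:
            continue
        step = "SELECT" if cmd.select else "EXECUTE"
        alerts.append(f"{source}: {step} {cmd.state} on CA={cmd.common_address} "
                      f"IOA={cmd.ioa} (type {cmd.type_id})")
    return alerts


# Constructed sample frames (not captured traffic); 0x0E = 4 control octets + 10 ASDU bytes.
SINGLE_CMD_ON = bytes.fromhex("680E 00000000 2D 01 0600 0100 0A0000 01")          # execute ON, IOA 10
DOUBLE_CMD_OFF_SELECT = bytes.fromhex("680E 00000000 2E 01 0600 0100 0B0000 81")  # select OFF, IOA 11
S_FORMAT_ACK = bytes.fromhex("6804 01000200")                                     # supervisory frame, no ASDU
MONITOR_SP = bytes.fromhex("680E 00000000 01 01 0300 0100 0A0000 01")             # M_SP_NA_1 status, not a command

if __name__ == "__main__":
    for line in command_alerts([SINGLE_CMD_ON, DOUBLE_CMD_OFF_SELECT, S_FORMAT_ACK, MONITOR_SP], "10.0.0.5"):
        print(line)
```

Run against a packet feed, the useful alert is not "a command was seen" but "a command was seen from a source that is not the SCADA master"; the `source` parameter is where that comparison against an allowlist of legitimate masters belongs.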

Critical OAuth Framework Flaw Let Attackers Hijack Accounts & Steal Sensitive Data 

OAuth is the delegated-access mechanism most modern applications use to simplify sign-in, letting one application grant another access on the user’s behalf.

However, a recently disclosed vulnerability, CVE-2023-28131, affects the expo[.]io framework. An attacker can exploit it by sending a malicious link to a victim; when the victim clicks the link, the attacker can take over the victim’s accounts and steal credentials on any application or website that uses the “Expo AuthSession Redirect” proxy for its OAuth flow.
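The defensive counterpart to a redirect-proxy takeover is strict validation of the return URL an OAuth flow is allowed to bounce to. The following is an added example, not Expo’s own code or its patch for CVE-2023-28131: an exact-match allowlist check that refuses the URL shapes that commonly defeat looser prefix or substring checks (userinfo tricks, scheme-relative URLs, backslash confusion, look-alike hosts). The allowlist entries and hostnames are hypothetical.

```python
"""Strict allowlist check for OAuth return/redirect URLs (added defensive example)."""
from typing import Optional, Set
from urllib.parse import urlsplit

# Hypothetical allowlist: the exact scheme://host/path forms the app will redirect to.
ALLOWED_RETURN_URLS: Set[str] = {
    "https://app.example.com/auth/callback",
    "myapp://auth/callback",
}


def normalize_return_url(candidate: str) -> Optional[str]:
    """Reduce a candidate URL to scheme://netloc/path, or return None if it
    contains anything an exact-match allowlist should never have to reason about."""
    if not candidate or any(ord(ch) < 0x21 for ch in candidate) or "\\" in candidate:
        return None  # control characters, whitespace, or backslash-as-separator tricks
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return None  # e.g. malformed IPv6 literal
    if not parts.scheme or parts.username is not None or parts.password is not None:
        return None  # scheme-relative URLs and user@host confusion
    # Host names are case-insensitive; paths are not. Query and fragment are dropped,
    # so the allowlisted callback may still carry OAuth's state/code parameters.
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"


def is_allowed_return_url(candidate: str, allowlist: Set[str] = ALLOWED_RETURN_URLS) -> bool:
    """True only if the normalized candidate is literally one of the allowlisted URLs."""
    normalized = normalize_return_url(candidate)
    return normalized is not None and normalized in allowlist


if __name__ == "__main__":
    # Constructed probes: the first two should pass, the rest must be refused.
    for url in [
        "https://app.example.com/auth/callback?state=x",
        "myapp://auth/callback",
        "https://app.example.com.evil.test/auth/callback",
        "https://app.example.com@evil.test/auth/callback",
        "//app.example.com/auth/callback",
        "https://evil.test/?next=https://app.example.com/auth/callback",
    ]:
        print(f"{is_allowed_return_url(url)!s:5} {url}")
```

The check is deliberately unforgiving: a URL with an explicit default port (`:443`) or a path that differs only by a trailing slash is refused until the exact form is added to the allowlist, which is the trade-off that keeps the comparison free of normalisation logic an attacker could game.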

New Stealthy Bandit Stealer Targeting Web Browsers and Cryptocurrency Wallets 

Cybersecurity researchers are warning about Bandit Stealer, a new stealthy information-stealing malware that targets a variety of web browsers and cryptocurrency wallets. 

The malware currently targets Windows devices using runas.exe, a genuine command-line utility that lets users run programmes as another user with different rights.

According to reports, Bandit Stealer is spread by phishing emails that include a dropper file that opens a seemingly innocent Microsoft Word attachment to divert attention while simultaneously starting the infection. 
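Two behaviours in this bulletin are visible in ordinary process-creation telemetry: the shadow copy deletion BlackSuit performs through command execution (above), and Bandit Stealer’s use of runas.exe following an e-mail-delivered dropper. The following is an added example, not code from DigitalXRAID or from the cited research, that triages constructed Sysmon-style events for both. The command-line patterns for shadow copy deletion are the well-known vssadmin/wmic/WMI forms; the “runas.exe launched from an Office application or a user-writable directory” rule is a heuristic assumption for illustration, not a documented Bandit Stealer indicator.

```python
"""Process-creation log triage for two behaviours from this bulletin (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Shadow copy deletion, as performed by ransomware ahead of encryption.
SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I),
]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Locations an e-mail-delivered dropper typically runs from (heuristic assumption).
USER_WRITABLE_DIR = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)


@dataclass
class ProcessEvent:
    host: str
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: ProcessEvent) -> List[str]:
    """Return zero or more alert tags for one event."""
    alerts = []
    if any(p.search(event.command_line) for p in SHADOW_COPY_DELETION):
        alerts.append("shadow-copy-deletion")
    if basename(event.image) == "runas.exe":
        parent = basename(event.parent_image)
        if parent in OFFICE_APPS or USER_WRITABLE_DIR.search(event.parent_image):
            alerts.append("runas-from-untrusted-parent")
    return alerts


def triage(events: List[ProcessEvent]) -> List[str]:
    """Flatten all events into human-readable alert lines."""
    return [f"{ev.host}: {tag} :: {ev.command_line}" for ev in events for tag in evaluate(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet",
                 r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    ProcessEvent("ws01", r"C:\Windows\System32\runas.exe",
                 r'runas.exe /user:alice "C:\Users\alice\AppData\Local\Temp\svc.exe"',
                 r"C:\Users\alice\Downloads\invoice.exe"),
    ProcessEvent("srv02", r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic shadowcopy delete",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("ws03", r"C:\Windows\System32\runas.exe",
                 "runas /user:admin cmd.exe",
                 r"C:\Windows\explorer.exe"),          # routine admin use: no alert
    ProcessEvent("ws03", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe list shadows",
                 r"C:\Windows\System32\cmd.exe"),      # listing, not deleting: no alert
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The two benign events at the end are there on purpose: a shadow copy rule that also fires on `vssadmin list shadows`, or a runas rule that fires on every help-desk session from Explorer, will be tuned out by analysts within a week.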

“Greatness” Phishing Tool Exploits Microsoft 365 Credentials 

A new phishing-as-a-service platform named Greatness has been leveraged by cybercriminals to target business users of the Microsoft 365 cloud service since at least mid-2022, effectively lowering the bar to entry for phishing attacks.  

Greatness, for now, is only focused on Microsoft 365 phishing pages, providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages.  

It contains features such as having the victim’s email address pre-filled and displaying their appropriate company logo and background image, extracted from the target organisation’s real Microsoft 365 login page. Campaigns involving Greatness have mainly targeted manufacturing, health care, and technology companies. 

DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, whilst you take care of business.    

Talk to the team to see how you can start protecting your business against cyberattacks today. 
