I updated the repository of TTPs and threat actors; now it will contain not only evidence and TTPs of ransomware groups, but also of other types of groups and actors.
I'm trying to keep it up to date.
Returning to work after a period of rest.
Ransomware Hunters International group server host identified.
Your .onion website is hosted at 193.106.175[.]48 (Russia)
New stealer being marketed in the dark. Interesting that, for marketing, they offer a "free trial". The subscription price is $150 monthly, cheaper than Eternity's stealer, which costs $300.
#stealer
#malware
#mysticstealer
#stealer
#infosteal
New activity from IP addresses exploiting the Atlassian vulnerability (CVE-2023-22518), according to @GreyNoiseIO.
Address list:
87.249.138[.]203
45.94.211[.]81
45.135.232[.]69
103.73.67[.]95
193.176.179[.]41
193.43.72[.]11
A new group emerged known as "Apos" and reportedly claimed 4 companies: 2 Brazilian, 1 French and 1 Indian.
The curious fact is that they are using Notion for the blog.
I'm going to post a series that may help (or not) CTI researchers track down possible servers for ransomware operations; it's for educational purposes, ok? The focus is on the INC ransomware group.
#1
The initial access broker "Br0k3r" announced the sale of access to a hospital with revenue of $3B, approximately 2,600 users and 1,600 computers. This broker appeared around mid-July 2023 (July 17) and has advertised other companies.
@noexceptcpp
@BruteBee
@Iam4ndr3y
Two commands used by ransomware to interrupt services and the operation of operating systems.
I would like to contribute...
Delete all shadow copies stored by the VSS service:
vssadmin.exe delete shadows /all /quiet
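As an added defender-side example (not code from the original posts), this scans constructed process-creation log lines for the shadow-copy deletion command above; it also covers the equivalent WMIC form, which goes beyond what the post lists. The log format and the rule names are assumptions.

```python
import re

# Constructed sample process-creation events: "<image path> | <command line>".
# These are made up for the example; they are not from any real incident.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\vssadmin.exe | vssadmin.exe delete shadows /all /quiet",
    r"C:\Windows\System32\vssadmin.exe | vssadmin.exe list shadows",
    r"C:\Windows\System32\wbem\WMIC.exe | wmic shadowcopy delete",
    r"C:\Windows\System32\cmd.exe | cmd.exe /c echo hello",
    r"C:\Windows\System32\vssadmin.exe | VSSADMIN.EXE Delete Shadows /For=C: /Oldest",
]

# Rule names are hypothetical. Matching is case-insensitive because the
# Windows shell accepts any casing for these commands and switches.
PATTERNS = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]


def classify(command_line):
    """Return the name of the first rule matching a command line, or None."""
    for name, pattern in PATTERNS:
        if pattern.search(command_line):
            return name
    return None


def severity(command_line):
    """'/all /quiet' wipes every shadow copy silently: treat that as high."""
    lowered = command_line.lower()
    return "high" if "/all" in lowered and "/quiet" in lowered else "medium"


def scan(events):
    """Return (rule, severity, command_line) for each event that matches."""
    hits = []
    for event in events:
        _image, _sep, cmd = event.partition(" | ")
        cmd = cmd.strip()
        rule = classify(cmd)
        if rule is not None:
            hits.append((rule, severity(cmd), cmd))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Listing shadows (`vssadmin list shadows`) is deliberately not flagged, since administrators run it legitimately.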
The "backup" server infrastructure, identified by the backup server favicon, is no longer online at IP 5[.]182.5.126. Are you rebuilding your infrastructure?
@fofabot
FOFA: icon_hash="-1776106944"
I know it's not much, but I added two more groups to the repository: APT73 and DoNex. There are still a few more to upload; in my free time I'm uploading everything and keeping it organized. Anyone who wants to contribute, talk to me.
Analyzing the builder of version 4 of Brata RAT, I realized that version 5 is already in sales announcements... it promises that this new version has functions for iOS, in addition to Android...
#rat
#malware
#trojan
#android
#bratarat
Other domains hosted on that server were identified using "younglving[.]co[.]uk", apparently intended for SSH connections, with SSH-2.0-OpenSSH_8.2p1 running.
Interesting: the number of times each user (affiliate) possibly compiled the different LockBit variant types. Notably, specific affiliates still use LB Red (2.0).
#lockbit
INC ransomware operators use the free React admin template provider Horizon UI. If we search Shodan for this favicon, it returns some addresses. If you scan directories on these IPs, some match the INC directories in use... interesting...
In addition, @RakeshKrish12 published a post in January about Hunters, referencing more details about the domain used, including some details about email addresses collected during his research.
Remote code execution on more than 3 million assets... If we filter further, 32 thousand in Brazil alone... However, the USA and Russia come out on top...
Ref: CVE-2023-42115
LockBitSupp's identity revealed... what are the consequences of this now?
- Confirmation of acting for the Russian Federation?
- Condition for launching new attacks in favor of the Kremlin vs. extradition?
- Affiliates afraid of having "leaked" information.
- More paranoia?
Other IP addresses were identified serving Hunters International pages, with server addresses:
193.106.175[.]48
185.185.68[.]40
193.106.174[.]58
109.172.85[.]126
185.185.69[.]129
185.12.127[.]116
Well, that's it. I would just like to add that @karol_paciorek identified in March the use of the main DLS IP address (192.106.175[.]48) to host a phishing website.
Further information obtained will possibly be on GitHub.
🔍 While researching #FletchenStealer, I found two phishing sites:
ledgercheck[.]live - 193.106.175[.]48
test.brosecure360[.]com - 162.241.85[.]73
Both crafted by #fletchen.
Watch out for the first site's IP. 🕵️‍♂️
#stealer
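Indicators in these posts are defanged by hand and not always consistently ("[.]" in some places, "[." in others). As an added example that is not part of the original posts, this normalizes such indicators and validates them before they are loaded into a blocklist; the "domain - ip" line format is taken from the post above, and the function names are assumptions.

```python
import ipaddress
import re

# Every bracket/parenthesis-defanged dot form seen in hand-typed posts,
# including the lopsided "[." and ".]" variants.
_DEFANGED_DOT = re.compile(r"\[\.\]|\[\.|\.\]|\(\.\)")
_HXXP = re.compile(r"^hxxp(s?)://", re.I)
# Conservative hostname check: labels of letters/digits/hyphens, alphabetic TLD.
_DOMAIN = re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", re.I)


def refang(indicator):
    """Turn a defanged indicator back into its literal form."""
    text = _DEFANGED_DOT.sub(".", indicator.strip())
    return _HXXP.sub(r"http\1://", text)


def classify(indicator):
    """Return (kind, normalized_value) where kind is 'ip', 'domain' or 'unknown'."""
    value = refang(indicator)
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6
        return "ip", value
    except ValueError:
        pass
    if _DOMAIN.fullmatch(value):
        return "domain", value.lower()
    return "unknown", value


def parse_line(line):
    """Parse a 'domain - ip' line like the ones in the post into classified tokens."""
    return [classify(token) for token in line.split(" - ")]


if __name__ == "__main__":
    # Constructed input mirroring the post's format (values are from the post).
    for line in ["ledgercheck[.live - 193.106.175[.48",
                 "test.brosecure360[.com - 162.241.85[.73"]:
        print(parse_line(line))
```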
So far, the group has announced three companies, which are potential victims and are located in Brazil 🇧🇷.
Two of the three affected companies are beauty clinics and the other sells vehicles.
Mapping an attack by an affiliate of the MedusaLocker ransomware, ".infected" variant. Interesting: access via RDP, then brute force on other accounts.
#diamondmodel
#ransomware
#medusalocker
I may be missing another group, but I identified the operation of at least 12 new ransomware actors from March to June.
- Ransomware NoEscape
- Ransomware Rhysida
- Ransomware BlackSuit
- Ransomware 8base
- Ransomware MalasLocker
#ransom
#ransomware
I created a repository on GitHub containing some TTPs and information about ransomware groups. This is the first version. The idea is to collect data from open sources in order to organize and gather information.
Link:
The Qiulong ransomware has so far only published Brazilian companies. The curious thing is that 4 are beauty companies.
I think the operator may have had a procedure whose result he didn't like.
The analysis I carried out on KL Reboleto was published by @canaltech. It is a tool that intercepts PDFs and makes it possible to alter the information in them.
Interesting: why is Team R70 now focusing on Brazilian sites? There are also some publications on their Telegram channel aimed at the Brazilian public. Their claims don't really seem like the official ones to me.
It is interesting to note that the flow of new affiliate IDs in the LockBit program increased after December 10th,
just after ALPHV started having problems with its website (primary domain) and rumors spread that LE was taking down the infrastructure.
#lockbit
Interestingly, in a recent incident I observed the use of ScreenConnect for remote access. It was previously observed being used by Zeppelin Ransomware actors in released incidents and reports.
#ransomware
#zeppelin
Receiving word that someone started to use the #PoC for #CVE-2023-28771 published by @rapid7 to mass-scan the internet.
It can be found here:
Currently, #Shodan lists more than 73,000 exposed devices using the query by @1ZRR4H.
"A VPN does not need to
Uses the RSA algorithm to encrypt.
Uses the 1.bat file to kill the processes below:
Before performing the reset, it performs the encryption.
@BleepinComputer
@vxunderground
@siri_urz
Summary of the report produced today. APT28 focuses on corrupting emails and uses Outlook and other vulnerabilities for initial access. It uses EdgeOS devices as infrastructure and performs brute force against services, NTLM attacks and phishing. It uses VPNs in attacks.
#APT28
More and more TTPs added from groups, based on incidents. I also created 2 folders: one for the commands found, and one for the execution locations of ransomware and malicious code found in incidents.
Alert about the MikroTik vulnerability CVE-2023-30799 affecting RouterOS. The vulnerability can lead to privilege escalation (authentication is still required).
LockBit was unable to recover the seized domains. It will create others and publicize the operation again. It seems to me, and was even shared by the LockBit profile, that CVE-2023-3824 was exploited.
Partial interruption? How much will this damage their image?
Interesting that the data published by @BlackBerry mentions the use of the "Wedgecut" tool by the operators of the Cuba ransomware.
I see some people commenting that signature-based protection isn't working.
Added 2 new topics to the repository and provided more details on the actors.
+ Ransomware Crosslock
+ Ransomware Play
Over the days, we will have more!
@Iam4ndr3y
@P4nd3m1cb0y
A slight rant. The CTI community being formed in Brazil is sad: professionals who share information urgently, as if the world were going to end, and don't even weigh in or give more details about the information.
While analyzing, I came across a sample that "speaks the ransom note" to the victim on the host.
This ransomware is Army Signal Ransomware, a variant of Hidden Tear.
@vxunderground
@Gi7w0rm
@malwrhunterteam
More vulnerabilities identified in TeamCity, according to the statement published today by JetBrains!
1st CVE-2024-27198
2nd CVE-2024-27199
FOFA: title="Log in to TeamCity"
@fofabot
Requirements:
- basic OS admin skills
- English
- Ability to find bugs and software versions
- Lack of other work
- Lack of personal life
- Lack of bad habits
- Ability to keep secrets
- Online 24/7
- Ambition
In addition to the Snatch ransomware, the new strain known as NoEscape also uses Windows Safe Mode scripts to restart and encrypt files. Why is this effective? Do you remember other groups that also use Safe Mode?
#ransom
#ransomware
#snatch
#noescape
Look, another article reinforcing that ScreenConnect is a great weapon to use in a cyber attack, since its domain can apparently go unnoticed by an analyst.
@Br0k3rIAB
@ido_cohen2
@SophosXOps
I think it's time to create a "feedback list" for the groups. Apparently ALPHV gets -2. They will offer you a check to compensate.
An application used by Brazilians, known as WebDetetive, was reportedly the victim of an intrusion. More precisely, the company responsible for the software and tool was reportedly the victim of the intrusion.
There are asshole people in this world. They want to know more than others and show that they know more... and worst of all, they still misunderstand a simple publication and talk shit about it. What's the solution for this? Just stop talking?
Is using a project like Notion for your blog innovative (as far as I remember) or an opsec failure?
@NotionHQ take action, your blog is being used to extort companies.
It's funny that they use "Hello Kitty", and then the crazy part starts: linking it to the old Meow (based on the leaked Conti code) or (based on the leaked Hello Kitty code).
Favicon + title also made it possible to categorize the domain used as "MEOW LEAK", hosted on Cloudflare:
Domain: domain2proof[.]com with IP address 172.67.221[.]108
@infosec1000grau
What's missing is the part where they copy and paste external intelligence and present it as their own; there's a whole course running to train little sirens 🚨🚨🚨
@N4hualH
Maybe some public body, like a CERT, that collects information about certain attacks could be useful. Here in Brazil we don't have that, because the Data Law hinders this type of reporting by companies. It is a huge job to identify these differences... I suffer from this too.
I recommend reading it. Understand Chainalysis' blockchain data collection methodology for identifying digital currency transactions in government investigations.
#tracersinthedark
#criptocurrency
#darkweb
The Goiasa group 🇧🇷 was announced by the Akira ransomware. These operators are known to exploit CVE-2023-20269 (Cisco VPN). On both domains used there is a public service available for access. Both are Goiasa domains.
Another instance of a possible attack on companies in China 🇨🇳. Following some publications, including @BushidoToken's, the increase is really notable: LockBit with ICBC, Rhysida with China Energy Eng. Corp.
This time it's ALPHV with China Petrochemical Development, in TW 🇹🇼.
I questioned Team R70 about its non-political motivation. And days after the publication, there is a photo of President Lula, hmm, it seems like something related to political statements.
#teamr70
#r70