LokiBot is a Trojan that aims to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. LokiBot was first seen in 2015 and has remained prominent since then, with multiple campaigns using this Trojan in recent months. This week, CISA released an alert about a notable increase in the use of LokiBot malware. During significant cyberattacks, malicious threat actors often invest most of their time in the reconnaissance phase, learning their victims' environments and preparing for the moment they strike for initial access.
A robust cooperative security fabric that enables virtual patching of vulnerable systems using intrusion prevention (IPS) signatures, provides malware protection across the organization, and is able to segment the network to prevent threat propagation is a key step toward securing your organization.
The transition to the teleworking / remote working model opens users and companies up to myriad security threats, including malware, all forms of phishing attacks, and many more. Ashco Systems' innovative and cost-effective cyber security solutions and services address remote worker scenarios with three primary levels of connectivity. If you have technical questions or need assistance, contact us at firstname.lastname@example.org.
Axis.SSI.camnbr.Remote.Command.Execution – This indicates an attack attempt to exploit a Remote Command Execution Vulnerability in Axis SSI. The vulnerability is due to insufficient sanitization of user-supplied inputs. A remote attacker could exploit this to execute arbitrary commands within the context of the application. The affected product is Axis SSI, and the impact can lead to remote attackers gaining control of vulnerable systems. Unfortunately, Axis has not released an advisory regarding this vulnerability.
Virtual patching should be considered an integral component of every organization's patch management strategy. Virtual patches not only protect against new threats, but also provide effective coverage for other scenarios, as referenced above. With virtual patching, business-critical applications and data can be secured because the virtual patch quickly closes the window of exploit opportunity, minimizing the risk to the business by shutting down the avenue to exploitation. This enables organizations to reduce their exposure to vulnerabilities across the board, and to scale their responses and coverage accordingly with appropriate defenses that can be put in place within minutes or hours.
Fancy Bear and the Zebrocy Malware – APT28, also known as Fancy Bear, is a malicious threat actor from Russia that mainly focuses on cyberespionage. The group has been active for more than 15 years and became widely known in 2016, when it allegedly compromised the Hillary Clinton campaign during the 2016 U.S. presidential election. Earlier this year, security researchers detected an ongoing campaign targeting government bodies of NATO members. A malicious file found on VirusTotal indicated that the campaign used the Zebrocy malware, which multiple security vendors have in the past attributed to Fancy Bear. During the attacks, the threat actor hid a ZIP file inside a JPEG file to evade security layers. To trigger the decompression of the ZIP file, multiple requirements have to be met. Besides the correct name, the file must be opened by WinRAR, a popular file archiver for Windows.
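A file that is a JPEG image and a ZIP archive at the same time (the image data first, the archive appended after the JPEG end-of-image marker) is a polyglot, and an image scanner that only looks at the JPEG header will pass it. The following is an added detection example, not code from the original article or from any vendor it mentions: it flags bytes that start like a JPEG but also carry a parseable ZIP archive behind the image data, and lists the archive members so an analyst can see what the "image" actually delivers. The sample polyglot and the minimal JPEG-like header it is built on are constructed inline for the demonstration and are not a real image or a real sample from the campaign.

```python
import io
import sys
import zipfile

JPEG_SOI = b"\xff\xd8\xff"        # Start Of Image: first three bytes of every JPEG
JPEG_EOI = b"\xff\xd9"            # End Of Image marker
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # signature of a ZIP local file header


def find_embedded_zip(data: bytes):
    """Report a ZIP archive that trails a JPEG image.

    Returns {"offset": <start of archive>, "names": [member names]} when the
    bytes begin as a JPEG and a ZIP archive is appended after the image's
    EOI marker, or None when either condition fails.
    """
    if not data.startswith(JPEG_SOI):
        return None
    try:
        # zipfile locates the end-of-central-directory record at the end of the
        # buffer and corrects member offsets for any data prepended to the archive,
        # which is exactly the JPEG-then-ZIP layout we are looking for.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.infolist()
    except zipfile.BadZipFile:
        return None
    if not members:
        return None
    start = min(zi.header_offset for zi in members)
    # The archive must genuinely begin with a local header and sit behind the
    # image data, i.e. an EOI marker must occur before it.
    if data[start:start + 4] != ZIP_LOCAL_HEADER:
        return None
    if data.rfind(JPEG_EOI, 0, start) == -1:
        return None
    return {"offset": start, "names": [zi.filename for zi in members]}


# Constructed stand-in for an image: SOI, a minimal APP0 (JFIF) segment, EOI.
# It is not a decodable picture, only enough structure for the marker checks.
CLEAN_JPEG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + JPEG_EOI
)


def make_polyglot(image: bytes, members: dict) -> bytes:
    """Build a JPEG+ZIP test fixture by appending an archive to image bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return image + buf.getvalue()


# Constructed sample: the member name and content are placeholders, not a real program.
SAMPLE_POLYGLOT = make_polyglot(
    CLEAN_JPEG, {"update.exe": b"constructed placeholder content, not executable code"}
)


if __name__ == "__main__":
    # Scan any files given on the command line, or the built-in sample otherwise.
    inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE_POLYGLOT)]
    for label, blob in inputs:
        hit = find_embedded_zip(blob)
        if hit is None:
            print(f"{label}: no ZIP archive behind the JPEG data")
        else:
            print(f"{label}: ZIP archive at offset {hit['offset']}, members: {hit['names']}")
```

The check deliberately relies on the ZIP end-of-central-directory record rather than on a bare `PK` byte search, because compressed image data can contain those two bytes by chance; requiring a parseable central directory plus an EOI marker in front of the archive keeps false positives low while still catching the appended-archive layout.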
Ransomware abusing Virtual Machine Techniques – Ransomware has been a hot topic these last months and years. There are many families out in the wild, but they are not all the same. Usually, ransomware spreads across corporate environments and encrypts data to make it unavailable so that threat actors can demand a ransom from their victims. The Maze ransomware goes some steps further: it not only infects and encrypts systems but also exfiltrates the data it finds to command-and-control servers owned by the malicious threat actors. This gives attackers more leverage over their victims. Backups often allow a victim to restore the encrypted data after an attack; in this case, the criminals can still blackmail their victims with the stolen data if the ransom is not paid. The stolen data is often sold on underground markets or released to the public, which hurts the victim's reputation. This week, security researchers released information about a recent investigation in which malicious threat actors adopted a technique pioneered by the developers of Ragnar Locker. The encrypted payload of the ransomware and a VirtualBox virtual disk image (.vdi) are masqueraded as a Windows .msi installer, which enables the VM to run as a headless device.
Our Research & Insights:
Whitepaper: Effective Cyber Security Strategies during the Covid-19 Pandemic
Whitepaper: The Essential Guide to Securing Remote Access
Secure DevOps: Learn how to make security integral to your DevOps process.
E-Book: Effective Security Strategies for DevOps & Application Services
E-Book: How to Build a Next Generation Security Operations Center