
Russian Threat Actor Exploits OneDrive: Uncovering WikiLoader Malware in C2-as-a-Service


A recent report by Halcyon, a cybersecurity research firm, sheds light on the use of command-and-control (C2) providers by ransomware gangs. The report highlights Cloudzy, a virtual private server (VPS) provider, as a common service provider for ransomware attacks and other cybercriminal activities. Although Cloudzy is incorporated in the US, the researchers believe that the company operates out of Tehran, Iran, potentially violating US sanctions.

According to Halcyon’s estimates, between 40% and 60% of Cloudzy customers engage in potentially malicious activities. The report identifies various threat actors that leverage Cloudzy’s services, including APT groups associated with governments such as China, Iran, North Korea, Russia, India, Pakistan, and Vietnam. Additionally, the report mentions criminal syndicates, ransomware affiliates, and even a sanctioned Israeli spyware vendor that targets civilians.

Halcyon researchers also introduce two newly discovered ransomware affiliates: Ghost Clown and Space Kook. Both groups utilize Cloudzy to host their Cobalt Strike infrastructure. Ghost Clown initially deployed the Conti ransomware but switched to BlackBasta after Conti’s shutdown in 2022. On the other hand, Space Kook is presently using the Royal ransomware.

In another development, Recorded Future’s Insikt Group has identified the activities of a Russian threat actor known as BlueBravo, APT29, or Cozy Bear. BlueBravo has been leveraging Microsoft’s OneDrive to host command-and-control communications for its GraphicalProton malware loader. According to Insikt Group, the Russian government likely prioritizes cyber-espionage efforts against government sector entities in Europe, driven by its need for strategic data during and after the war in Ukraine. The researchers predict that BlueBravo will continue to adapt and iterate upon existing malware families and employ third-party services to obfuscate command-and-control communications.

The cybersecurity firm Proofpoint recently unveiled a new strain of commodity malware called WikiLoader. This sophisticated downloader is designed to install a second malware payload. WikiLoader employs various evasion techniques and custom code implementations to make detection and analysis challenging. Proofpoint believes that this malware was developed to be rented out to select cybercriminal threat actors, particularly those operating as initial access brokers (IABs). The research indicates that WikiLoader is already being utilized by multiple threat actors and is expected to be adopted by others in the future.

In their OT/IoT Security Report for the first half of 2023, Nozomi Networks observes a significant number of network scanning indications in water treatment facilities, clear-text password alerts in the building materials industry, program transfer activity in industrial machinery, and OT protocol packet injection attempts in oil and gas networks. The report categorizes OT/IoT cyber incidents into three main categories: opportunistic, targeted, and accidental. Over the past six months, opportunistic attacks have remained the most prevalent. These attacks involve flooding traffic via DDoS attempts, exploiting common vulnerabilities and weaknesses, and trial and error with malware strains across various network domains and target systems.

Lastly, Aqua, a cybersecurity company, has conducted an analysis of Mirai malware attacks on Apache Tomcat servers. The researchers found that threat actors actively seek misconfigurations in the Tomcat web application manager. In their analysis, Aqua discovered that infected hosts were intended for further attacks, varying from relatively low-impact campaigns like cryptomining to more severe DDoS attacks. The campaign is ongoing, with the attacks continuously evolving and adapting to avoid detection.
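Since the Tomcat campaign described above starts from a misconfigured web application manager, a defender's first check is the manager's own configuration. The audit below is an added example, not Aqua's code or Tomcat's: it reads a constructed `tomcat-users.xml` and a constructed manager `context.xml`, flags manager-role accounts whose password is in a small, assumed weak-password list or equal to the username, and reports a manager context that has no `RemoteAddrValve` allow-list (the valve and the role names are real Tomcat features; the sample files and password list are constructed).

```python
"""Audit Tomcat manager exposure from its configuration files.

Added example with constructed sample files. WEAK_PASSWORDS is an illustrative
placeholder list, not a real credential dictionary.
"""
import xml.etree.ElementTree as ET

# Roles that grant access to the Tomcat web application manager.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}

# Assumed placeholder list of weak/default values for the example.
WEAK_PASSWORDS = {"", "tomcat", "admin", "password", "manager", "changeme", "s3cret"}

# Constructed tomcat-users.xml: one manager account with a default password,
# one ordinary account that reuses the same password but has no manager role.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="app-user"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,admin-gui"/>
  <user username="alice" password="tomcat" roles="app-user"/>
  <user username="deployer" password="Q9v!hT2#pLm8wZ" roles="manager-script"/>
</tomcat-users>
"""

# Constructed manager context.xml, open to any source address.
OPEN_CONTEXT = '<Context antiResourceLocking="false" privileged="true"/>'

# Constructed manager context.xml restricted to loopback with RemoteAddrValve.
RESTRICTED_CONTEXT = """<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\\.\\d+\\.\\d+\\.\\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>
"""


def _local(tag):
    """Strip an XML namespace prefix such as {http://tomcat.apache.org/xml}."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return findings for manager-role users with weak, default or username-equal passwords."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name") or ""
        password = el.get("password") or ""
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        manager_roles = roles & MANAGER_ROLES
        if not manager_roles:
            continue  # weak password on a non-manager account is out of scope here
        if password.lower() in WEAK_PASSWORDS or password.lower() == name.lower():
            findings.append(
                f"user '{name}' holds {sorted(manager_roles)} with a weak or default password")
    return findings


def audit_manager_context(xml_text):
    """Return a finding if the manager context lacks a RemoteAddrValve with an allow-list."""
    for el in ET.fromstring(xml_text).iter():
        if (_local(el.tag) == "Valve"
                and (el.get("className") or "").endswith("RemoteAddrValve")
                and el.get("allow")):
            return []
    return ["manager context has no RemoteAddrValve allow-list; "
            "the manager is reachable from any source address"]


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS) + audit_manager_context(OPEN_CONTEXT):
        print("FINDING:", f)
    print("restricted context findings:", audit_manager_context(RESTRICTED_CONTEXT))
```

The password comparison only works when `tomcat-users.xml` stores clear-text passwords; a deployment using a `CredentialHandler` stores digests, and the check would need to hash the candidate list the same way. The context check is also only as good as the allow-list pattern itself, so review the regular expression rather than treating any valve as sufficient.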

These recent findings highlight the evolving tactics and strategies employed by cybercriminals and state-sponsored threat actors. The reliance on C2 providers, abuse of legitimate services like OneDrive, discovery of new malware strains, and the targeting of industrial systems underscore the importance of robust cybersecurity measures. To stay ahead of these threats, organizations must remain vigilant, update their defenses, and employ proactive security protocols.
