Blog | Scenario

Mallox Ransomware

ByDetecteam 2023-07-262023-07-26

TLP

TLP CLEAR

Author

Jordi M. Lobo

Summary

Mallox is a ransomware strain that targets Microsoft Windows systems and has been active since June 2021. Recently, Unit 42 researchers observed a significant increase in Mallox ransomware activities, with a rise of almost 174% compared to the previous year. The group exploits unsecured MS-SQL servers as a penetration vector to compromise victims’ networks. They employ brute force attacks, data exfiltration, and network scanners to distribute the ransomware. Mallox follows the double extortion trend, stealing data before encrypting files and threatening to publish it on a leak site to pressure victims to pay the ransom.

DATA

windows_sysmon.xml_-1 Download

TIMELINE

references

MITRE ATT&CK

Blog

Hafnium
ByDetecteam 2023-09-012023-09-01

TLP TLP TLP CLEAR Author David Deflache Summary Microsoft has detected China-linked state-sponsored group HAFNIUM using zero-day exploits to target on-premises Microsoft Exchange Servers. The group gained access to servers, email accounts, and installed malware. Vulnerabilities CVE-2021-26855, -26857, -26858, and -27065 were patched in the latest release. Exchange Online is unaffected. HAFNIUM’s targets include US…

Read More Hafnium
Blog | Scenario

The Trigona ransomware
ByDetecteam 2023-10-112023-10-11

TLP TLP TLP CLEAR Author Jordi M. Lobo Summary The Trigona ransomware, emerging in late 2022, has rapidly evolved with continuous updates. By April 2023, it started targeting MSSQL servers through brute force methods. This threat is linked to the CryLock ransomware group and possibly ALPHV (BlackCat), though their involvement remains uncertain. The US and…

Read More The Trigona ransomware
Blog | Scenario

Snatch Ransomware
ByDetecteam 2023-10-192023-10-19

TLP TLP TLP CLEAR Author Jordi M. Lobo Summary In a recent cyber attack, the Snatch Team used RDP brute force to infiltrate a network and rapidly executed a series of sophisticated actions within a short time frame. They gained initial access by logging into a Domain Administrator (DA) account, performed various commands, and initiated…

Read More Snatch Ransomware
Blog | Scenario

Clop – Ransomware by TA505
ByDetecteam 2023-06-222023-06-23

TLP TLP TLP CLEAR Author Jordi Lobo Summary Clop ransomware is a variant of a previously known strain called CryptoMix. In 2019, Clop was delivered as the final payload of a phishing campaign associated with the financially motivated actor TA505. In 2020, Clop has evolved from a ransomware delivered through malicious spam to one being…

Read More Clop – Ransomware by TA505
Blog | Scenario

F5 Server Audit
ByDetecteam 2023-11-092023-11-09

TLP TLP TLP CLEAR Author Sebastien Tricaud Summary This week, we share data from an actively exploited attack from the CISA Known Exploited Vulnerabilities Catalog. This is the /var/log/audit.log file from the F5 boxes which were compromised. A critical security advisory, CVE-2023-46747, reveals an unauthenticated remote code execution vulnerability in the BIG-IP Configuration utility. This…

Read More F5 Server Audit
Blog | Scenario

ESXiArgs VMware Ransomware
ByDetecteam 2023-06-132023-06-13

TLP TLP TLP CLEAR Author Jordi Lobo Summary ESXiArgs VMware Ransomware: Massive VMware: Ransomware attack targeting the VMware ESXi hypervisor. Exploits CVE-2021-21974 vulnerability: This vulnerability affects the Service Location Protocol (SLP) service and allows attackers to exploit arbitrary code remotely. The systems currently targeted are ESXi hypervisors in version 6.x, prior to 6.7, CERT-FR stated….

Read More ESXiArgs VMware Ransomware

TLP