Blog | Scenario

Vice Society Ransomware

ByDetecteam 2023-08-242023-08-24

TLP

TLP CLEAR

Author

Jordi M. Lobo

Summary

The Vice Society ransomware group gained notoriety in late 2022 and early 2023 for launching attacks across various sectors, including San Francisco’s transit system. While education and healthcare were their primary targets, Trend Micro’s data reveals manufacturing industry infiltration in Brazil, Argentina, Switzerland, and Israel. Exploiting the PrintNightmare flaw initially, Vice Society progressed to self-made ransomware and potent encryption, possibly signaling their move towards a ransomware-as-a-service venture. With previous ransomware versions like Hello Kitty/Five Hands and Zeppelin, their evolving tactics showcase a versatile threat actor aiming to breach diverse industries using compromised credentials from underground sources.

DATA

windows_sysmon.xml_-1 Download

TIMELINE

references

https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html

MITRE ATT&CK

Blog | Scenario

Nokoyawa
ByDetecteam 2023-09-282023-09-28

TLP TLP TLP CLEAR Author Jordi M. Lobo, David Deflache, Sebastien Tricaud Summary Nokoyawa is a cyber intrusion that began with a malicious Excel document in October 2022. The document triggered macros, leading to the execution of an IcedID DLL payload. The attackers established persistence on the host, deployed Cobalt Strike beacons, escalated privileges, and…

Read More Nokoyawa
Blog | Scenario

F5 Server Audit
ByDetecteam 2023-11-092023-11-09

TLP TLP TLP CLEAR Author Sebastien Tricaud Summary This week, we share data from an actively exploited attack from the CISA Known Exploited Vulnerabilities Catalog. This is the /var/log/audit.log file from the F5 boxes which were compromised. A critical security advisory, CVE-2023-46747, reveals an unauthenticated remote code execution vulnerability in the BIG-IP Configuration utility. This…

Read More F5 Server Audit
Blog | Scenario

Clop – Ransomware by TA505
ByDetecteam 2023-06-222023-06-23

TLP TLP TLP CLEAR Author Jordi Lobo Summary Clop ransomware is a variant of a previously known strain called CryptoMix. In 2019, Clop was delivered as the final payload of a phishing campaign associated with the financially motivated actor TA505. In 2020, Clop has evolved from a ransomware delivered through malicious spam to one being…

Read More Clop – Ransomware by TA505
Blog | Scenario

HTML Smuggling
ByDetecteam 2023-12-142023-12-14

TLP TLP TLP CLEAR Author David Deflache, Sebastien Tricaud Summary In early November 2022, a targeted intrusion began via email, delivering an HTML file utilizing HTML smuggling. Previously relying on Excel macros, the threat actor adapted to Microsoft’s macro control updates. Upon opening the HTML, a disguised Adobe page prompted a ZIP download with a…

Read More HTML Smuggling
Blog | Scenario

Adhubllka ransomware
ByDetecteam 2023-09-142023-09-14

TLP TLP TLP CLEAR Author Jordi M. Lobo Summary A new ransomware variant has emerged as part of the Adhubllka ransomware family, targeting individuals and small enterprises with smaller ransom demands to evade media attention. The ransomware spreads via phishing emails and employs a victim portal on Tor for decryption key delivery after ransom payment….

Read More Adhubllka ransomware
Blog | Scenario

oneday SSH bruteforce
ByDetecteam 2023-07-112023-07-11

TLP TLP TLP CLEAR Author David Deflache Summary In this attack scenario, an individual with the IP address 192.168.0.42 and a valid username is engaging in an authentication brute force attack through SSH. Their target is a system with the IP address 192.168.0.111, using the default SSH port 22. The attacker executes a loop of…

Read More oneday SSH bruteforce

TLP