Pepijn Hack, Cybersecurity Analyst, Fox-IT, part of NCC Group Zong-Yu Wu, Threat Analyst, Fox-IT, part of NCC Group Abstract Organizations worldwide continue to face waves of digital extortion in the form of targeted ransomware. Digital extortion is now classified as the most prominent form of cybercrime and the most devastating and pervasive threat to functioning … Continue reading “We wait, because we know you.” Inside the ransomware negotiation economics.
Category: Threat Intelligence
TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access
NCC Group’s global Cyber Incident Response Team has observed an increase in Clop ransomware victims in the past weeks. The surge can be traced back to a vulnerability in SolarWinds Serv-U that is being abused by the TA505 threat actor. TA505 is a known cybercrime threat actor, who is known for extortion attacks using the … Continue reading TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access
Cracking RDP NLA Supplied Credentials for Threat Intelligence
In this post, we discuss our work in cracking the hashed passwords being sent over NLA connections to ascertain those supplied by threat actors.
SnapMC skips ransomware, steals data
Over the past few months NCC Group has observed an increasing number of data breach extortion cases, where the attacker steals data and threatens to publish said data online if the victim decides not to pay. Given the current threat landscape, most notable is the absence of ransomware or any technical attempt at disrupting the … Continue reading SnapMC skips ransomware, steals data
Handy guide to a new Fivehands ransomware variant
NCC Group’s Incident Response team observed a new variant of the FiveHands ransomware, deployed by an affiliate leveraging publicly available tools to progress their attack. This blog post aims to describe the developments in the ransomware variant and the techniques used by the affiliate.
Detecting Rclone – An Effective Tool for Exfiltration
NCC Group CIRT has responded to a large number of ransomware cases where frequently the open source tool Rclone being used for data exfiltration. We provide some techniques for detection.
RM3 – Curiosities of the wildest banking malware
by fumik0_ & the RIFT TL:DR Our Research and Intelligence Fusion Team have been tracking the Gozi variant RM3 for close to 30 months. In this post we provide some history, analysis and observations on this most pernicious family of banking malware targeting Oceania, the UK, Germany and Italy. We’ll start with an overview of its origins and current operations before providing a deep dive technical analysis … Continue reading RM3 – Curiosities of the wildest banking malware
A Census of Deployed Pulse Connect Secure (PCS) Versions
Today we are releasing some statistics around deployment of Pulse Connect Secure versions in the wild. The hope is that by releasing these statistics we can help to highlight the risk around outdated versions of PCS, which are being actively exploited by malicious actors. We have also shared the raw data with national CIRTs and … Continue reading A Census of Deployed Pulse Connect Secure (PCS) Versions
RIFT: Detection capabilities for recent F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986
This post discusses NCC Group observed in the wild exploitation attempts and detection logic for the F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986
RIFT: Analysing a Lazarus Shellcode Execution Method
NCC Group's Research and Intelligence Fusion Team analyze a recent shellcode execution method used by Lazarus Group