Cyber Security News — Past 24 hours | 17.05.2021

FIN7 is Spreading a Backdoor Called Lizar

Under the pretext of being a Windows pen-testing platform for ethical hackers, the infamous FIN7 cybercrime gang, a financially motivated organization, is spreading a backdoor called Lizar. Since mid-2015, the Russian criminal advanced persistent threat group FIN7 has targeted the retail, restaurant, and hospitality sectors in the United States. Combi Security, the front company for FIN7, manages a portion of the operation. FIN7 is posing as a legitimate company selling a security-analysis platform, according to BI.ZONE.

The group usually targets victims with malware-laced phishing attacks in the hope of infiltrating networks and selling bank-card data. Since 2020 it has also added ransomware and data-exfiltration attacks to its arsenal, carefully choosing targets based on revenue using the ZoomInfo service, according to researchers. Its malware selection changes often, and researchers are sometimes surprised by never-before-seen samples. However, the Carbanak remote-access trojan, which is highly complex and sophisticated in comparison to its peers, has been its go-to toolkit.

Carbanak is commonly used for network reconnaissance and gaining a foothold. BI.ZONE researchers have recently discovered that the group is employing a new backdoor known as Lizar. «Lizar is a diverse and complex toolkit,» according to the firm.

Source —

Washington DC Police Hit by the Worst Ransomware Ever

capital, the police department experienced a major information leak after declining to satisfy the extortion demands of a Russian-speaking ransomware syndicate. According to experts, the US police department has been hit by the worst ransomware incident ever. On Thursday 13th May, the gang, identified as the Babuk Squad, published thousands of confidential documents from the Washington Metropolitan Police Department on the dark web. Ransomware attacks have reached epidemic proportions as international gangs paralyze the computer networks of local and state governments, police, hospitals, and private companies.

They demand substantial payments for decryption or to prevent the online leakage of stolen information. This police data leak is «perhaps the most significant ransomware incident to date,» due to the risks it poses for officers and civilians, said Brett Callow, a threat analyst and ransomware specialist at the security company Emsisoft. Many documents contained security details from other law enforcement authorities regarding the inauguration of President Joe Biden, along with a reference to a militia group «embedded source». This includes a «big data pull» from cell towers, as well as plans to «analyze purchases» of Nike shoes by an individual of concern.

The police department did not initially respond to an AP request for comment, but had reported earlier that personal data was compromised. «This is going to send a shock through the law enforcement community throughout the country,» Ted Williams, a former officer at the department who is now a lawyer, told The Associated Press. Any negotiations would illustrate the difficulty of the ransomware problem, with police forced to consider paying criminal gangs.

Source —

QNAP warns of eCh0raix ransomware and Roon Server zero-day attacks

QNAP warns of an actively exploited Roon Server zero-day flaw and eCh0raix ransomware attacks on its NAS devices.

QNAP warns customers of threat actors that are targeting its Network Attached Storage devices with eCh0raix ransomware attacks and exploiting a Roon Server zero-day vulnerability.

The company recommends that customers perform the following actions:

Use stronger passwords for your administrator accounts.

Enable IP Access Protection to protect accounts from brute force attacks.

Avoid using default port numbers 443 and 8080.

Independent experts observed a surge in eCh0raix ransomware infection reports between April 19 and April 26.

In the same period, the vendor also warned its users of an ongoing AgeLocker ransomware outbreak.

Unfortunately, the bad news for NAS owners is not over: the vendor also issued another security advisory to warn of an actively exploited zero-day vulnerability affecting Roon Labs' Roon Server 2021-02-01 and earlier versions.

Source —

Major hacking forums XSS and Exploit ban ads from ransomware gangs

XSS, one of the most popular hacking forums, announced that it would ban ads published by ransomware gangs.

The popular hacking forum XSS, previously known as DaMaGeLab, announced that it would ban ads published by ransomware gangs. The forum is one of the most important gathering places where ransomware gangs offer their services and attempt to recruit new affiliates into their networks.

The decision to ban ads published by ransomware gangs was an attempt to avoid attracting attention from law enforcement; the forum also prohibits any affiliate program.

Admins of Exploit will also remove affiliate programs from the hacking forum

«We are glad to see pentesters, malware specialists, coders, but we are not happy with lockers — they attract a lot of attention. This type of activity is not good for us; in view of the fact that networks are locked indiscriminately, we do not consider it appropriate for RaaS partner programs to be present on our forum. It was decided to remove all affiliate programs and prohibit them as a type of activity on our forum,» reads the statement published by the admins.

Source —

Stay Focused. Stay Vigilant.

Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT
