Get A Quote
Written by Hitachi Systems Security on 4 March 2023

Weekly News March 1, 2023

Exfiltrator-22: The new tool for Ransomware

Exfiltrator-22 (or EX-22) is a new tool sold and use in the wild whose goal is to deploy ransomware while being able to avoid detection from within organizations’ networks. The tool makes post-exploitations really easy for the buyers. The tool has a wide range of capabilities which includes a reverse shell with elevation of privileges, upload and downloading of files, logging keystrokes, starting live VNC session with real-time access, and launching a ransomware to encrypt the files. There are more capabilities included. Researchers have moderate confidence that the creators are likely former affiliates of the Lockbit ransomware group. The tool is offered for 1k a month or 5k for a lifetime access. The post-exploitation-framework-as-a-service (PEFaaS) model is one of the latest tools available for threat actors looking to maintain covert access to compromised devices over an extended period of time without being detected.


LastPass new incident

Decryption keys were stolen from a LastPass’ Senior developer’s home computer as part of the August’s 2022 breach of security controls.

While LastPass was dealing with the first incident, an  attacker pivoted to go after the victim who was one of four who had access to the decryption. The keys are needed to access the cloud storage service had access to the decryption keys needed to access the cloud storage service.

LastPass provided additional details of the attack, mentioning “the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity. Ultimately AWS GuardDuty Alerts informed us of anomalous behavior as the threat actor attempted to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.”

The investigation to this second incident continues


New pro-Ukraine hacktivist group CH01

At the occasion of the first anniversary of the conflict in Ukraine, antagonism is more present than ever on the web, including the emergence of new actors. This is the case of the new hacktivist group "CH01", which joined forces with other pro-Ukrainian hacktivists and affiliates of the famous Anonymous collective. Together they defaced at least 32 Russian websites for this special occasion, showing an image of the Kremlin facility on fire.

On its Twitter account, CH01 published the following message:

“Today, at exactly 4:00 AM , for the fact that russia bombed Kyiv, a cyber war has been declared on it! Dozens of russian sites now look like this, we now have all the data from these sites”

Pro-ukrain acktivists and Anonymous have launched “full scale” cyberattacks on Russian government websites as art of their OpRussia campaign.


Dish satellite provider attacked by a ransomware

American satellite TV provider Dish Network confirmed that they had been hit with ransomware, affecting network, website and call centre. Last Monday,  “certain data was extracted from the Corporation’s IT systems as part of this incident.” Lawrence Abrams, Editor in chief of Bleeping Computer, twitted that Black Basta ransomware gang is the author of the attack.

The service isn’t fully restored, Dish says, but TV service isn’t affected. However, customers are still experiencing difficulties to pay their bills, accessing their accounts and getting hold of service desks. Personal information is suspected to be part of stolen data.

An investigation is ongoing.


US Marshals agency hit by cyberattack

On February 17th, an attack stroke U.S. Marshal’s service’s system holding sensitive law enforcement data and personally identifiable information (PII) related to suspects. This service oversees the witness protection program, protecting judges and transporting prisoners. NBC said the incident didn’t involve the database of people in the federal witness protection program.

The perpetrators of the attack are not known but suspicions seem to point to Russian APTs. This attack is the latest of a long serie affecting FBI and Justice Department since 2014, including the 2020’s infamous SolarWinds supply chain attack.

Related Posts

Don't Wait.
Get a quote today.

Toll Free 1 866-430-8166Free Quote
Secure Your Organization Today.