fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Cuba Ransomware Partners With Hancitor For Spam-fueled Attacks

Cuba Ransomware Partners With Hancitor For Spam-fueled Attacks

The Cuba Ransomware gang has teamed up with the spam operators of the Hancitor malware to gain easier access to compromised corporate networks.

The Hancitor (Chancitor) downloader has been in operation since 2016 when Zscaler saw it distributing the Vawtrak information-stealing Trojan. Since then, numerous campaigns have been seen over the years where Hancitor installs password-stealers, such as Pony, Ficker, and more recently, Cobalt Strike.

Hancitor is usually distributed through malicious spam campaigns pretending to be DocuSign invoices, as shown below.

Fake DocuSign spam pushing Hancitor
Fake DocuSign spam pushing Hancitor
Source: MalwareTraffic

When a recipient clicks on the ‘Sign document’ link, they will download a malicious Word document that tries to convince the target to disable protections.

Also Read: Compliance Course Singapore: Spotlight On The 3 Offerings

Malicious Word document that installs Hancitor
Malicious Word document that installs Hancitor
Source: MalwareTraffic

Once the protections are disabled, malicious macros will fire off to download and install the Hancitor downloader.

Cuba ransomware teams up with Hancitor

Similar to how Ryuk and Conti partnered with TrickBot and Egregor and ProLock worked with QBot, the Cuba Ransomware has partnered with Hancitor to gain access to compromised networks.

In a new report by cybersecurity firm Group-IB, researchers have detected recent Hancitor campaigns dropping Cobalt Strike beacons on infected computers.

Cobalt Strike is a legitimate penetration testing toolkit that uses deployed beacons, or clients, on compromised devices to remotely “create shells, execute PowerShell scripts, perform privilege escalation, or spawn a new session to create a listener on the victim system.”

Ransomware gangs commonly use cracked versions of Cobalt Strike as part of their attacks to gain a foothold and spread laterally throughout a network.

After the Cobalt Strike beacons are deployed, Group-IB researchers say the threat actors use this remote access to gather network credentials, domain information, and spread throughout the network.

“The Beacon’s capabilities were also used to scan the compromised network. In addition, the group leveraged some custom tools for network reconnaissance. The first tool is called Netping – it’s a simple scanner capable of collecting information about alive hosts in the network and saving it into a text file, the other tool, Protoping, to collect information about available network shares.”

“Built-in tools were also abused. For example, adversary used net view command to collect information about the hosts in the network and nltest utility to collect information about the compromised domain,” explains Group-IB in a report released today.

To move laterally from machine to machine, the threat actors use Remote Desktop, and if their Cobalt Strike beacons were detected, through other backdoor malware such as SystemBC.

“Ficker stealer wasn’t the only publicly advertised tool in the threat actors’ arsenal. Another tool, which is becoming more and more popular among various ransomware operators – SystemBC. Such additional backdoors allowed the attackers to download and execute additional payloads even if Cobalt Strike activity was detected and blocked,” the researchers warned.

While moving through the network, unencrypted data is harvested and sent to remote servers under the attacker’s control to be used as part of a double-extortion strategy.

When the actors finally gain access to a domain admin’s credentials, they deploy the ransomware executable via PsExec to encrypt devices on the network.

The partnership may speed up attacks

Since its launch at the end of 2019, Cuba Ransomware has not been particularly active compared to other operations, such as REvil, Avaddon, Conti, and DoppelPaymer.

At the time of this writing, they have published the data for nine companies on their data leak site.

Their most publicized attack was against the ATFS, a widely used payment processor for local and state governments.

With their attacks now fueled by spam campaigns, we should expect to see an uptick in victims soon.

Also Read: Considering Enterprise Risk Management Certification Singapore? Here Are 7 Best Outcomes

It should also be noted that while Cuba Ransomware uses a picture of Fidel Castro and is named after the country Cuba, a report by cybersecurity firm Profero believes that they are based out of Russia. This is because Profero found the Russian language on the gang’s data leak site and during negotiations.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us