fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

New Ransomware Actor OldGremlin Uses Custom Malware to Hit Top Orgs

New Ransomware Actor OldGremlin Uses Custom Malware to Hit Top Orgs

A new ransomware group has been targeting large corporate networks using self-made backdoors and file-encrypting malware for the initial and final stages of the attack.

Researchers are tracking the gang using the codename OldGremlin. Their campaigns appear to have started in late March and have not expanded globally, yet.

Attacks attributed to this group have been identified only in Russia but there is a strong suspicion that OldGremlin is currently operating at smaller scale to fine-tune their tools and techniques before going global.

Custom tools, imaginative phishing

OldGremlin is using custom backdoors (TinyPosh and TinyNode) and ransomware (TinyCrypt, a.k.a decr1pt) along with third-party software for reconnaissance and lateral movement (Cobalt Strike, command line screenshot, NirSoft’s Mail PassView for email password recovery).

The gang is not picky about victims as long they are prominent businesses in Russia (medical labs, banks, manufacturers, software developers), indicating that it’s composed of Russian-speaking members.

The threat actor starts its attacks with spear phishing emails that deliver custom tools for initial access. They use valid names for the sender address, impersonating well-known individuals.

Researchers at Singapore-based cybersecurity company Group-IB says that in one attack against a bank OldGremlin sent out an email under the pretense of setting up an interview with a journalist at a popular business newspaper.

Also Read: The Importance of Penetration Testing for Businesses

The fake journalist scheduled an appointment using a calendar app and then contacted the victim with a link to alleged interview questions hosted at an online storage service. Clicking on the link downloaded the TinyPosh backdoor.

For another attack targeting a clinical laboratory, the actor impersonated RosBiznesConsulting (RBC), a major media holding company in Russia, that had trouble paying for medical services.

They seem to be well-versed in social engineering and take advantage of current events to make their phishing more credible.

For instance, on August 19 they posed as the CEO of the Minsk Tractor Works informing Russian partners that the company was being investigated for participation in anti-government protests in Belarus and asking them for documents required by the prosecutor’s office.

It is worth mentioning that the name used for the sender’s address is not of the factory’s actual CEO. At least 50 messages were sent in this campaign.

The aim is to gain a foothold on the target organization’s network via one of the two backdoors (TinyNode or TinyPosh) that allow expanding the attack via additional modules downloaded from their command and control (C2) server. Remote Desktop Protocol is also used to jump to other systems on the network.

After spending some time on the network identifying valuable systems, the attacker deploys the file-encrypting routine. In the case of the medical laboratory, the attacker obtained domain administrator credentials and created a fallback account with the same elevated privileges to maintain persistence in case the initial one was blocked.

OldGremlin moved to the encryption stage a few weeks after the initial access, deleting server backups and locking hundreds of computers on the corporate network.

The ransom note left behind asked close to $50,000 in cryptocurrency for the decryption key and provided a Proton email address for contact.

In total, Group-IB detected multiple attacks attributed to OldGremlin between May and August 2020, all against targets in Russia, Group-IB told BleepingComputer.

This tactic sets the group apart from other threat actors and was previously seen with financially-motivated groups Silence and Cobalt, which also ran smaller operations in Russia and before moving to targets outside country borders and beyond the former Soviet space.

Typically, Russian hackers avoid attacking organizations in Russia and former Soviet countries. Several big-game ransomware groups and threat actors are adamant about this.

“This indicates that the attackers are either fine-tuning their techniques benefiting from home advantage before going global, as it was the case with Silence and Cobalt, or they are representatives of some of Russia’s neighbors who have a strong command of Russian”

– Oleg Skulkin, Group-IB senior Digital Forensics analyst

Skulkin says that OldGremlin is the only Russian-speaking ransomware actor to ignore this rule and that their tactics and techniques are similar to those from advanced hacking groups.

In their blog post today, Group-IB provides a list with indicators of compromise for OldGremlin along with details about the tactics, techniques, and procedures below observed in attacks attributed to this new group.

Also Read: Top 4 Advantages Of Opting WordPress Developer Singapore

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us