Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Ransomware Groups. Show all posts
vulnerability exploitation
AI cyberattacks Cyber Security Cybersecurity Threats fileless ransomware nation-state hackers Ransomware Groups Rapid7 report vulnerability exploitation

Cybercriminals Speed Up Tactics as AI-Driven Attacks, Ransomware Alliances, and Rapid Exploitation Reshape Threat Landscape

 

Cybercriminals are rapidly advancing their attack methods, strengthening partnerships, and harnessing artificial intelligence to gain an edge over defenders, according to new threat intelligence. Rapid7’s latest quarterly findings paint a picture of a threat environment that is evolving at high speed, with attackers leaning on fileless ransomware, instant exploitation of vulnerabilities, and AI-enabled phishing operations.

While newly exploited vulnerabilities fell by 21% compared to the previous quarter, threat actors are increasingly turning to long-standing unpatched flaws—some over a decade old. These outdated weaknesses remain potent entry points, reflected in widespread attacks targeting Microsoft SharePoint and Cisco ASA/FTD devices via recently revealed critical bugs.

The report also notes a shrinking window between public disclosure of vulnerabilities and active exploitation, leaving organisations with less time to respond.

"The moment a vulnerability is disclosed, it becomes a bullet in the attacker's arsenal," said Christiaan Beek, Senior Director of Threat Intelligence and Analytics, Rapid7.
"Attackers are no longer waiting. Instead, they're weaponising vulnerabilities in real time and turning every disclosure into an opportunity for exploitation. Organisations must now assume that exploitation begins the moment a vulnerability is made public and act accordingly," said Beek.

The number of active ransomware groups surged from 65 to 88 this quarter. Rapid7’s analysis shows increasing consolidation among these syndicates, with groups pooling infrastructure, blending tactics, and even coordinating public messaging to increase their reach. Prominent operators such as Qilin, SafePay, and WorldLeaks adopted fileless techniques, launched extensive data-leak operations, and introduced affiliate services such as ransom negotiation assistance. Sectors including business services, healthcare, and manufacturing were among the most frequently targeted.

"Ransomware has evolved significantly beyond its early days to become a calculated strategy that destabilises industries," said Raj Samani, Chief Scientist, Rapid7.
"In addition, the groups themselves are operating like shadow corporations. They merge infrastructure, tactics, and PR strategies to project dominance and erode trust faster than ever," said Samani.

Generative AI continues to lower the barrier for cybercriminals, enabling them to automate and scale phishing and malware development. The report points to malware families such as LAMEHUG, which now have advanced adaptive features, allowing them to issue new commands on the fly and evade standard detection tools.

AI is making it easier for inexperienced attackers to craft realistic, large-volume phishing campaigns, creating new obstacles for security teams already struggling to keep pace with modern threats.

State-linked actors from Russia, China, and Iran are also evolving, shifting from straightforward espionage to intricate hybrid operations that blend intelligence collection with disruptive actions. Many of these campaigns focus on infiltrating supply chains and compromising identity systems, employing stealthy tactics to maintain long-term access and avoid detection.

Overall, Rapid7’s quarterly analysis emphasises the urgent need for organisations to modernise their security strategies to counter the speed, coordination, and technological sophistication of today’s attackers.
Read more »
Zero-Day Vulnerabilities
chain attacks Cyble report October cyber threats Ransomware Groups SaaS provider attacks software supply Vulnerabilities and Exploits Zero-Day Vulnerabilities

Software Supply Chain Attacks Surge to Record Highs in October, Driven by Zero-Day Flaws and Ransomware Groups

 

Software supply chain intrusions reached an unprecedented peak in October, surpassing previous monthly records by more than 30%, according to new research.

Cyble revealed in a blog post that threat actors on dark-web leak forums claimed 41 supply chain attacks in October—10 more than the earlier high recorded in April 2025. The report notes that supply chain incidents have more than doubled since April, with an average of 28 attacks per month, compared to the monthly average of 13 from early 2024 through March 2025. Cyble attributed the escalation to multiple factors.

The sharp rise has been fueled primarily by a “combination of critical and zero-day IT vulnerabilities and threat actors actively targeting SaaS and IT service providers,” Cyble wrote, adding that “the sustained increase suggests that the risk of supply chain attacks may remain elevated going forward.”

Additional contributors include cloud-security weaknesses and AI-powered phishing campaigns, with vishing also playing an important role in recent Scattered LAPSUS$ Hunters attacks on Salesforce environments.

All 24 industries monitored by Cyble experienced at least one supply chain breach this year, but IT and IT services firms were hit disproportionately. These organizations remain attractive to attackers due to their broad customer ecosystems and valuable access points. Cyble reported 107 supply chain attacks targeting IT companies so far this year—over three times more than those seen in financial services, transportation, technology, or government sectors.

Ransomware operations remain a major driver of this surge. Groups such as Qilin and Akira, which Cyble identified as the most active this year, have also carried out “an above-average share of supply chain attacks.”

Akira recently targeted a major open-source initiative, stealing 23GB of sensitive data including internal reports, confidential files, and issue-tracking information. Both Akira and Qilin have also compromised multiple IT providers serving high-risk verticals such as government, defense, intelligence, law enforcement, healthcare, energy, and finance. In one case, Qilin claimed to have obtained source code for proprietary tools used across public safety and security organizations.

Another Qilin incident involved breaching customers of a U.S. cybersecurity and cloud provider through “clear-text credentials stored in Word and Excel documents hosted on the company’s systems.”

A newer threat actor, Kyber, leaked more than 141GB of internal builds, databases, project files, and backups allegedly taken from a major U.S. aerospace and defense contractor specializing in communication and electronic warfare technologies.

Other notable October events included the Cl0p ransomware group's exploitation of Oracle E-Business Suite vulnerabilities and a breach involving Red Hat GitLab.

Cyble emphasized that mitigating supply chain threats is difficult because organizations inherently trust their vendors and partners. The firm stressed that security audits and third-party risk evaluations should become routine practice.

The researchers highlighted that the “most effective place to control software supply chain risks is in the continuous integration and development (CI/CD) process,” and advised that organizations thoroughly vet suppliers and enforce strong security requirements within contracts to strengthen third-party protection.
Read more »
Ransomwares
cryptocurrency Cyber Attacks CyberCriminal cybercriminal group data security Ransom Demands ransomware attacks Ransomware Groups Ransomwares

Romanian Arrested in Diskstation Ransomware Operation Targeting Synology NAS Devices

 

A 44-year-old Romanian national has been arrested as part of a coordinated international law enforcement effort to take down the cybercriminal group behind the Diskstation ransomware campaign. This group is known for targeting Synology Network-Attached Storage (NAS) devices, which are widely used by businesses and organizations for centralized file storage, data backups, and hosting. These attacks have primarily affected entities operating in enterprise environments, where NAS systems are critical to daily operations. 

The Diskstation ransomware group has operated under several aliases, including DiskStation Security, Quick Security, 7even Security, Umbrella Security, and LegendaryDisk Security. Since its emergence in 2021, the group has engaged in multiple ransomware campaigns, encrypting data on NAS devices and demanding cryptocurrency payments in exchange for decryption keys. 

Victims have included international organizations involved in civil rights advocacy, film production, and event management. These attacks left many victims unable to continue operations unless they agreed to pay substantial ransoms. Authorities in Italy launched an investigation after numerous companies in the Lombardy region reported ransomware attacks that rendered their data inaccessible. 

The attackers demanded payments in cryptocurrency, prompting investigators to analyze the affected systems and blockchain transactions. This digital trail eventually led police across borders, uncovering connections in both France and Romania. The operation, dubbed “Elicius,” was coordinated by Europol and culminated in a series of raids in Bucharest in June 2024. During these raids, several individuals believed to be involved in the Diskstation campaign were identified. One suspect was caught in the act of committing a cybercrime. 

The 44-year-old man who was arrested is now in custody and faces charges including unauthorized access to computer systems and extortion. While the Diskstation name is often associated with Synology’s NAS products, this specific campaign received little attention from mainstream cybersecurity outlets. 

However, it caused significant disruption to organizations worldwide. The ransomware gang reportedly demanded payments ranging from $10,000 to several hundred thousand dollars, depending on the organization’s size and data sensitivity. Law enforcement agencies continue to investigate the broader network behind the Diskstation operation. 

The case underscores the growing threat of ransomware campaigns targeting critical infrastructure and storage solutions. As attackers evolve their methods and target widely used systems like Synology NAS, cybersecurity vigilance remains crucial for all organizations, regardless of size or industry.
Read more »
Ransomware Groups
Cyber Security cybercriminal syndicates Cybersecurity Professionals dark AI models Penetration Testing ransomware defenses Ransomware Groups

Cybercriminals Recruit Experts for Advanced Ransomware Development

 

Businesses and cybercriminals alike are seeking skilled cybersecurity professionals, with the latter advertising for talent capable of developing dark AI models and penetration-testing tools, commonly used for ransomware. These efforts aim to strengthen their malware and reduce the risk of detection by defenders.

Telegram chats and forums such as the Russian Anonymous Marketplace (RAMP) are popular platforms for recruiting such talent. According to Cato Networks' "Q3 SASE Threat Report," these forums feature advertisements for developers to create malicious versions of tools like ChatGPT, showcasing the growing technical sophistication of cybercriminal operations.

The increasing demand for technical expertise reflects the recent success of law enforcement and private companies in dismantling botnets and aiding victims. "They definitely want to make sure all the effort they're putting into their software is not going to be turned over when somebody finds a vulnerability," said Etay Maor, chief security strategist at Cato Networks. Cybercriminals are now mirroring corporate practices to ensure their tools are robust.

As cybercriminal organizations grow, their structures increasingly resemble legitimate businesses, with specialized roles for software development, finance, and operations. Leading groups such as LockBit, RansomHub, and Akira have adopted these practices to improve efficiency and profitability. "These emerging groups and platforms bring new and interesting ways to attack," stated Recorded Future.

The first half of 2024 witnessed the appearance of 21 new ransomware groups, though many are likely rebranded versions of older entities. During this period, cybercriminals claimed over 2,600 breaches, a 23% rise from 2023, according to Rapid7. Malware development is also evolving, with languages like Rust and Go gaining popularity alongside traditional C and C++.

Roles within these organizations are becoming more specialized, including geographic-focused tasks like mule recruitment for financial fraud. "When you're talking about financial fraud, mule recruitment has always been a key part of the business," Maor explained, highlighting the professionalization of cybercrime.

Recent arrests of members from major ransomware groups like ALPHV/BlackCat and the release of decryption tools by law enforcement agencies illustrate the growing pressure on cybercriminals. These developments push groups to enhance their security measures.

Economic instability in conflict zones has contributed to a growing pool of skilled individuals turning to cybercrime. "There's people losing jobs in Eastern Europe because of the current war situation," Maor noted. For some, joining cybercrime networks becomes a necessity to survive financially.
Read more »
TransUnion
Data Breach Financial Data hack N4ughtySecTU Group Personal Data Ransomware Groups SABRIC South Africa data breach TransUnion

Hackers Threaten to Leak South Africa’s Private Financial Data, Demand R1.1 Billion Ransom


In a recent cyber threat, hackers have threatened to release all of South Africa’s private financial data unless TransUnion and Experian, the two biggest consumer credit reporting companies in the country, agree to pay ransom of R1.1 billion.  

The companies – TransUnion and Experian – were the ones that were hit by the cybercrime attack. 

According to Times Live, the hackers, the Brazil-based N4ughtySecTU Group, who had previously breached TransUnion's security and firewalls, claimed to have successfully evaded the safeguards of the company once again, following which they stole the data.  

Apparently, the hackers have demanded $30m [about R565m] from TransUnion and $30m from Experian.

The hackers, in a message sent to the managers and directors of the impacted companies, stated: “Ensure your response teams contact us on Session [a private communication platform] for payment instructions.”

While acknowledging the demands, TransUnion and Experian refuted the group's allegations of an ongoing hack on their systems.

“Following recent media coverage, TransUnion South Africa confirms it is aware of a financial demand from a threat actor asserting they have accessed TransUnion South Africa’s data. We have found no evidence that our systems have been inappropriately accessed or that any data has been exfiltrated,” TransUnion said.

“We’ve likewise seen no change to our operations and systems in South Africa related in any way to this claim. We are continuing to monitor closely. We treat matters regarding our information security seriously, and data security remains our top priority,” they continued. 

Not the First Attempt to Hack

Previously, in March 2022, N4ughtysecTU claimed responsibility for targeting TransUnion in their ransomware campaign. 

TransUnion South Africa later confirmed the hack, confirming that at least 3 million individuals were affected.  

Apparently, the threat actors gained access to the personal data of over 54 million people, which included information about their dates of birth, ID numbers, gender, marital status, and other sensitive facts. 

Experian also suffered a data breach in August 2020, reported by the South African Banking Risk Centre (SABRIC). The data breach compromised the personal information of around 24 million individuals and several business entities to a fraudster. 

Karabo Phungula, an Experian data fraudster, was given a 15-year prison sentence in March by the Specialized Commercial Crimes Court for obtaining the dataset under false pretence.   

Read more »
Sophos report
ALPHV Black Cat ransomware group Cyber Attacks PR charm tactic Ransomware Groups Sophos report

Ransomware Groups are Using PR Charm Tactic to Put Pressure on Victims to Pay Ransom


Recently, ransomware groups have been increasingly adopting newer tactics, one of them being the transparent, quasi-corporate strategy with the media, with the benefits of building pressure on the victims to pay ransom. 

According to a report, released this week by Sophos X-Ops, ransomware groups like Royal, the Play and RansomHouse were seen engaging with journalists. This partnership is dubious, however advantageous to both the parties: hackers expose their victims or, in some high-profile cases, amend the record, while reporters receive scoops directly from primary (but untrustworthy) sources.

According to Christopher Budd, director of threat intelligence for Sophos X-Ops, "This shows that they're true hackers[…]Now they're trying to hack the information sphere, as well as the technical sphere."

Cybercriminals in Corporate Clothing

These days, ransomware organizations provide channels for direct connection that are not limited to victims. In addition to the typical "Contact Us" forms and PR-focused Telegram channels, useful resources and FAQs are available to support them.

The ultimate idea is: that by broadcasting their deeds in the news, these threat actors put public pressure on the victims, further pressurizing their suppliers, customers, etc. 

The threat actors often imply this idea in ransom notes. For example, Sophos recently analyzed a ransom note published by the Royal ransomware group, stating how "anyone on the internet from darknet criminals ... journalists ... and even your employees will be able to see your internal documentation" if the ransom deadline was not achieved. 

Attackers Playing Analysts

However, not all ransomware groups are joining hands with the media with the same humour. Groups like Clop ransomware and LockBit interacted more antagonistically with the outside world.

And while it appears petty or posturing at times, these conflicts are occasionally handled professionally.

For instance, in response to initial reports containing purportedly incorrect information about the MGM attack, ALPHV published a 1,300-word statement. 

Budd says, "In trying to assert their authority and take their claim, they actually published what amounts to threat research — the type of stuff that security companies do. And they provided some fairly objective, detailed technical explanation about the actions they had taken."

He notes that the ALPHV statement felt like something a security firm would publish. He observed that ransomware groups are “consciously adopting some of the principles” that security companies use daily.

Read more »
Vulnerabilities and Exploits
HSS Ransomware Groups US Department of Health and Human Services US Healthcare Vulnerabilities and Exploits

US Health Dept Urges Hospitals to Patch Critical ‘Citrix Bleed’ Vulnerability


This week, the US Department of Health and Human Services (HSS) has warned hospitals of the critical ‘Citrix Bleed’ Netscaler vulnerability that has been exploited by threat actors in cyberattacks.

On Thursday, the department’s security team, Health Sector Cybersecurity Coordination Center (HC3), issued an alert where it urged all U.S. healthcare businesses to protect their NetScaler ADC and NetScaler Gateway equipment from ransomware gang invasions.

"The Citrix Bleed vulnerability is being actively exploited, and HC3 strongly urges organizations to upgrade to prevent further damage against the Healthcare and Public Health (HPH) sector. This alert contains information on attack detection and mitigation of the vulnerability,” the alert read.

"HC3 strongly encourages users and administrators to review these recommended actions and upgrade their devices to prevent serious damage to the HPH sector."

Prior to the aforementioned warning, Citrix had already issued two warnings urging admins to patch their appliances in priority. It also urged administrators to terminate all open and persistent sessions. Moreover, in order to stop hackers from obtaining authentication tokens even after the security upgrades have as well been installed.

Thousands of Servers Exposed, Many Already Breached

Cybersecurity professional Kevin Beaumont has been monitoring and analyzing cyberattacks against a variety of targets throughout the globe, such as Boeing, DP World, Allen & Overy, and the Industrial and Commercial Bank of China (ICBC), and he discovered that these targets were probably all compromised through the use of Citrix Bleed exploits. 

On Friday, Beaumont revealed that the U.S.-based managed service provider (MSP) experienced a ransomware attack by a threat group, that has exploited a Citrix Bleed vulnerability a week earlier. 

The MSP continues to work on securing its susceptible Netscaler appliances, which may leave its clients' networks and data open to additional intrusions.

The vulnerability was fixed by Citrix in early October, but Mandiant subsequently discovered that it has been actively exploited as a zero-day since at least late August of 2023. 

AssetNote, an external attack surface management company, on October 25, released a CVE-2023-4966 proof-of-concept exploit explaining how session tokens can be accessed by cybercriminals from Citrix appliances that has not been patched. 

According to Japan-based threat researcher Yukata Sejiyama, over 10,000 Citrix servers – many of which belonged to some important organizations globally – were still susceptible to Citrix Bleed attacks more than a month after the critical flaw was patched.

"This urgent warning by HC3 signifies the seriousness to the Citrix Bleed vulnerability and the urgent need to deploy the existing Citrix patches and upgrades to secure our systems," said John Riggi, a cybersecurity and risk advisor for the American Hospital Association, a healthcare industry trade group that represents 5,000 hospitals and healthcare providers across the U.S.

According to Riggi, this case also highlights the ferocity with which ‘foreign ransomware gangs,’ (majorly the Russian-speaking groups), continue to attack medical facilities and other healthcare institutions. Ransomware attacks interrupt and delay health care delivery, placing patient lives in danger.  

Read more »
Vulnerable Systems
CISA Critical Infrastructure Ransomware Groups RWVP Vulnerabilities and Exploits Vulnerable Systems

RWVP: CISA Shares Vulnerabilities and Misconfigurations Targeted by Ransomware Groups


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently revealed an insight into the misconfigurations and security vulnerabilities exploited by ransomware groups, in order to help critical infrastructure companies tackle their attacks. 

This information is part of a Ransomware Vulnerability Warning Pilot (RVWP) program conducted by CISA, which shows concern over the ransomware devices discovered on the networks of critical infrastructure organizations. 

To date, RVWP has discovered and identified over 800 vulnerable systems with internet-accessible vulnerabilities that are often targeted by different ransomware activities.  

CISA stated that "Ransomware has disrupted critical services, businesses, and communities worldwide and many of these incidents are perpetrated by ransomware actors using known common vulnerabilities and exposures (CVE) (i.e., vulnerabilities)." 

"However, many organizations may be unaware that a vulnerability used by ransomware threat actors is present on their network[…]Now, all organizations have access to this information in our known exploited vulnerabilities (KEV) catalog as we added a column titled, 'known to be used in ransomware campaigns.' Furthermore, CISA has developed a second new RVWP resource that serves as a companion list of misconfigurations and weaknesses known to be used in ransomware campaigns," CISA added.

RVWP is a component of a much larger effort that was initiated in response to the growing ransomware threat to critical infrastructure that first surfaced almost two years ago with a wave of cyberattacks targeting key infrastructure companies and U.S. government organizations, including Colonial Pipeline, JBS Foods, and Kaseya.

In June 2021, CISA broadened its horizon by launching the Ransomware Readiness Assessment (RRA), a component of its Cyber Security Evaluation Tool (CSET), whose goal is to help companies analyze and evaluate their preparedness in order to mitigate the risks and tackle from potential ransomware attacks. 

By August 2021, CISA also made recommendations to help vulnerable public and commercial sector organizations stop data breaches brought on by ransomware incidents.

In addition, CISA further formed an alliance with the business sector to defend vital US infrastructure against ransomware and other online dangers. All federal agencies and businesses who joined the cooperation have a collective response strategy embodied in this collaborative initiative, the Cyber Defense Collaborative.  

Read more »
Subscribe to: Comments (Atom)