Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label cybersecurity threat. Show all posts
Personal Data
cybersecurity threat Data Breach Data Leak Data protection data security Defence Ministry Personal Data

Afghans Report Killings After British Ministry of Defence Data Leak

 

Dozens of Afghans whose personal information was exposed in a British Ministry of Defence (MoD) data breach have reported that their relatives or colleagues were killed because of the leak, according to new research submitted to a UK parliamentary inquiry. The breach, which occurred in February 2022, revealed the identities of nearly 19,000 Afghans who had worked with the UK government during the war in Afghanistan. It happened just six months after the Taliban regained control of Kabul, leaving many of those listed in grave danger. 

The study, conducted by Refugee Legal Support in partnership with Lancaster University and the University of York, surveyed 350 individuals affected by the breach. Of those, 231 said the MoD had directly informed them that their data had been compromised. Nearly 50 respondents said their family members or colleagues were killed as a result, while over 40 percent reported receiving death threats. At least half said their relatives or friends had been targeted by the Taliban following the exposure of their details. 

One participant, a former Afghan special forces member, described how his family suffered extreme violence after the leak. “My father was brutally beaten until his toenails were torn off, and my parents remain under constant threat,” he said, adding that his family continues to face harassment and repeated house searches. Others criticized the British government for waiting too long to alert them, saying the delay had endangered lives unnecessarily.  

According to several accounts, while the MoD discovered the breach in 2023, many affected Afghans were only notified in mid-2025. “Waiting nearly two years to learn that our personal data was exposed placed many of us in serious jeopardy,” said a former Afghan National Army officer still living in Afghanistan. “If we had been told sooner, we could have taken steps to protect our families.”  

Olivia Clark, Executive Director of Refugee Legal Support, said the findings revealed the “devastating human consequences” of the government’s failure to protect sensitive information. “Afghans who risked their lives working alongside British forces have faced renewed threats, violent assaults, and even killings of their loved ones after their identities were exposed,” she said. 

Clark added that only a small portion of those affected have been offered relocation to the UK. The government estimates that more than 7,300 Afghans qualify for resettlement under a program launched in 2024 to assist those placed at risk by the data breach. However, rights organizations say the scheme has been too slow and insufficient compared to the magnitude of the crisis.

The breach has raised significant concerns about how the UK manages sensitive defense data and its responsibilities toward Afghans who supported British missions. For many of those affected, the consequences of the exposure remain deeply personal and ongoing, with families still living under threat while waiting for promised protection or safe passage to the UK.
Read more »
Zero-Click Exploit
cybersecurity threat Digital Espionage iOS Vulnerability Mobile Security Remote Code Execution Spyware Attack Vulnerabilities and Exploits vulnerability patch WhatsApp Security Zero-Click Exploit

Critical WhatsApp Zero Click Vulnerability Abused with DNG Payload

 


It has been reported that attackers are actively exploiting a recently discovered vulnerability in WhatsApp's iOS application as a part of a sophisticated cyber campaign that underscores how zero-day vulnerabilities are becoming weaponised in today's cyber warfare. With the zero-click exploit identified as CVE-2025-55177 with a CVSS score of 5.4, malicious actors can execute unauthorised content processing based on any URL on a victim's device without the need for user interaction whatsoever. 

A vulnerability referred to as CVE-2025-55177 provides threat actors with a way to manipulate WhatsApp's synchronization process, so they may force WhatsApp to process attacker-controlled content during device linking when they manipulate the WhatsApp synchronization process. 

Even though the vulnerability could have allowed crafted content to be injected or disrupted services, its real danger arose when it was combined with Apple's CVE-2025-43300, another security flaw that affects the ImageIO framework, which parses image files. In addition to this, there were also two other vulnerabilities in iOS and Mac OS that allowed out-of-bounds memory writing, which resulted in remote code execution across these systems. 

The combination of these weaknesses created a very powerful exploit chain that could deliver malicious images through the incoming message of a WhatsApp message, causing infection without the victim ever having to click, tap or interact with anything at all—a quintessential zero-click attack scenario. Investigators found that the targeting of the victims was intentional and highly selective. 

In the past, WhatsApp has confirmed that it has notified fewer than 200 people about potential threats in its apps, a number that is similar to earlier mercenary spyware operations targeting high-value users. Apple has also acknowledged active exploitation in the wild and has issued security advisories concurrently. 

Researchers from Amnesty International noted that, despite initial signs suggesting limited probing of Android devices, this campaign was mainly concerned with Apple's iOS and macOS ecosystems, and therefore was focused on those two ecosystems mainly. The implications are particularly severe for businesses.

Corporate executives, legal teams, and employees with privileged access to confidential intellectual property are at risk of being spied on or exfiltrated through using WhatsApp on their work devices, which represents a direct and potentially invisible entry point into corporate data systems. 

Cybersecurity and Infrastructure Security Agency (CISA) officials say that the vulnerability was caused by an "incomplete authorisation of linked device synchronisation messages" that existed in WhatsApp for iOS versions before version 2.25.2.173, WhatsApp Business for iOS versions of 2.25.1.78, and WhatsApp for Mac versions of 2.25.21.78. 

This flaw is believed to have been exploited by researchers as part of a complex exploit chain, which was created using the flaw in conjunction with a previously patched iOS vulnerability known as CVE-2025-43300, allowing for the delivery of spyware onto targeted devices. A U.S. government advisory has been issued urging federal employees to update their Apple devices immediately because the campaign has reportedly affected approximately 200 people. 

A new discovery adds to the growing body of evidence that advanced cyber threat actors increasingly rely on chaining multiple zero-day exploits to circumvent hardened defences and compromise remote devices. In 2024, Google's Threat Analysis Group reported 75 zero-day exploits that were actively exploited, a figure that reflects how the scale of these attacks is accelerating. 

This stealthy intrusion method continues to dominate as the year 2025 unfolds, resulting in nearly one-third of all recorded compromise attempts worldwide occurring this year. It is important for cybersecurity experts to remind us that the WhatsApp incident demonstrates once more the fragility of digital trust, even when it comes to encrypting platforms once considered to be secure. 

It has been uncovered that the attackers exploited a subtle logic flaw in WhatsApp’s device-linking system, allowing them to disguise malicious content to appear as if it was originating from the user’s own paired device, according to a technical analysis.

Through this vulnerability, a specially crafted Digital Negative (DNG) file could be delivered, which, once processed automatically by the application, could cause a series of memory corruption events that would result in remote code execution. Researchers at DarkNavyOrg have demonstrated the proof-of-concept in its fullest sense, showing how an automated script is capable of authenticating, generating the malicious DNG payload, and sending it to the intended victim without triggering any security alerts. 

In order to take advantage of the exploit, there are no visible warnings, notification pop-ups, or message notifications displayed on the user's screen. This allows attackers to gain access to messages, media, microphones, and cameras unrestrictedly, and even install spyware undetected. It has been reported to WhatsApp and Apple that the vulnerability has been found, and patches have been released to mitigate the risks. 

Despite this, security experts recommend that users install the latest updates immediately and be cautious when using unsolicited media files—even those seemingly sent by trusted contacts. In the meantime, organisations should ensure that endpoint monitoring is strengthened, that mobile device management controls are enforced, and that anomalous messaging behaviour is closely tracked until the remediation has been completed. 

There is a clear need for robust input validation, secure file handling protocols, and timely security updates to prevent silent but highly destructive attacks targeting mainstream communication platforms that can be carried out against mainstream communication platforms due to the incident. Cyber adversaries have, for a long time, been targeting companies such as WhatsApp, and WhatsApp is no exception. 

It is noteworthy that despite the platform's strong security framework and end-to-end encryption, threat actors are still hunting for new vulnerabilities to exploit. Although there are several different cyberattack types, security experts emphasise that zero-click exploits remain the most insidious, since they can compromise devices without the user having to do anything. 

V4WEB Cybersecurity founder, Riteh Bhatia, made an explanation for V4WEB's recent WhatsApp advisory, explaining that it pertains to one of these zero-click exploits--a method of attacking that does not require a victim to click, download, or applaud during the attack. Bhatia explained that, unlike phishing, where a user is required to click on a malicious link, zero-click attacks operate silently, working in the background. 

According to Bhatia, the attackers used a vulnerability in WhatsApp as well as a vulnerability in Apple's iOS to hack into targeted devices through a chain of vulnerabilities. He explained to Entrepreneur India that this process is known as chaining vulnerabilities. 

Chaining vulnerabilities allows one weakness to provide entry while the other provides control of the system as a whole. Further, Bharatia stressed that spyware deployed by these methods is capable of doing a wide range of invasive functions, such as reading messages, listening through the microphone, tracking location, and accessing the camera in real time, in addition to other invasive actions. 

As a warning sign, users might notice excessive battery drain, overheating, unusual data usage, or unexpected system crashes, all of which may indicate that the user's system is not performing optimally. Likewise, Anirudh Batra, a senior security researcher at CloudSEK, stated that zero-click vulnerabilities represent the "holy grail" for hackers, as they can be exploited seamlessly even on fully updated and ostensibly secure devices without any intervention from the target, and no action is necessary on their part.

If this vulnerability is exploited effectively, attackers will be able to have full control over the targeted devices, which will allow them to access sensitive data, monitor communications, and deploy additional malware, all without the appearance of any ill effect. As a result of this incident, it emphasises that security risks associated with complex file formats and cross-platform messaging apps persist, since flaws in file parsers continue to serve as common pathways for remote code execution.

There is a continuing investigation going on by DarkNavyOrg, including one looking into a Samsung vulnerability (CVE-2025-21043), which has been identified as a potential security concern. There was a warning from both WhatsApp and Apple that users should update their operating systems and applications immediately, and Meta confirmed that less than 200 users were notified of in-app threats. 

It has been reported that some journalists, activists, and other public figures have been targeted. Meta's spokesperson Emily Westcott stressed how important it is for users to keep their devices current and to enable WhatsApp's privacy and security features. Furthermore, Amnesty International has also noted possible Android infections and is currently conducting further investigation. 

In the past, similar spyware operations occurred, such as WhatsApp's lawsuit against Israel's NSO Group in 2019, which allegedly targeted 1,400 users with the Pegasus spyware, which later became famous for its role in global cyberespionage. While sanctions and international scrutiny have been applied to such surveillance operations, they continue to evolve, reflecting the persistent threat that advanced mobile exploits continue to pose. 

There is no doubt that the latest revelations are highlighting the need for individuals and organisations to prioritise proactive cyber security measures rather than reactive ones, as zero-click exploits are becoming more sophisticated, the traditional boundaries of digital security—once relying solely on the caution of users—are eroding rapidly. It has become increasingly important for organisations to keep constant vigilance, update their software quickly, and employ layered defence strategies to protect both their personal and business information. 

Organisations need to invest in threat intelligence solutions, continuous monitoring systems, and regular mobile security audits if they want to be on the lookout for potential threats early on. In order for individual users to reduce their exposure, they need to maintain the latest version of their devices and applications, enable built-in privacy protections, and avoid unnecessary third-party integrations. 

The WhatsApp exploit is an important reminder that even trusted, encrypted platforms may be compromised at some point. The cyber espionage industry is evolving into a silent and targeted operation, and digital trust must be reinforced through transparent processes, rapid patching, and global cooperation between tech companies and regulators. A strong defence against invisible intrusions still resides in awareness and timely action.
Read more »
Zero-day vulnerability
Akira Ransomware cybersecurity threat SonicWall SSL VPN VPN security breach Vulnerabilities and Exploits Zero-day vulnerability

Possible Zero-Day Exploit in SonicWall SSL VPN Linked to Akira Ransomware Surge

 

Cybersecurity researchers are warning that SonicWall SSL VPN devices may be affected by a possible zero-day vulnerability currently being exploited by Akira ransomware operators.

In mid-July 2025, Arctic Wolf Labs detected a spike in suspicious logins through SonicWall SSL VPN endpoints. Notably, some compromised devices were fully patched, leading researchers to suspect the presence of an undiscovered flaw. However, they also acknowledged the possibility that attackers had obtained valid credentials from another source.

Regardless of the entry method, targeted organizations soon fell victim to Akira ransomware. "A short interval was observed between initial SSL VPN account access and ransomware encryption," Arctic Wolf researchers noted. They further explained that, unlike legitimate VPN logins that usually come from consumer ISP networks, ransomware operators often rely on Virtual Private Server (VPS) hosting for authentication in compromised systems.

Until SonicWall issues a patch or clarifies the situation, experts advise businesses to implement multi-factor authentication (MFA), remove inactive firewall accounts, and ensure all passwords are strong, unique, and regularly updated.

Akira, which first appeared in March 2023, has attacked organizations across various industries, exploiting stolen VPN credentials and exposed services to infiltrate systems. The group targets both Windows and Linux environments, often deleting backups to prevent recovery. By mid-2025, Akira had claimed hundreds of victims worldwide, including Stanford University, Nissan Australia, and Tietoevry. Communications with victims are typically directed through a Tor-based website.

The FBI and CISA have previously warned about Akira’s operations, urging companies to bolster defenses and enforce MFA.

In an official statement, SonicWall confirmed to TechRadar:

"SonicWall is actively investigating a recent increase in reported cyber incidents involving a number of Gen 7 firewalls running various firmware versions with SSLVPN enabled. These cases have been flagged both internally and by third-party threat research teams, including Arctic Wolf, Google Mandiant, and Huntress. We are working closely with these organizations to determine whether the activity is tied to a previously disclosed vulnerability or represents a zero-day vulnerability.

As always, we will communicate openly with our partners and customers as the investigation progresses. If a new vulnerability is confirmed, we will release updated firmware and guidance as quickly as possible.

As a precaution, we strongly urge customers and partners using Gen 7 firewalls to take immediate mitigation steps:

Disable SSLVPN services where practical - the additional mitigations below should be taken in all cases, including where disabling SSLVPN is not practical for the customer

o Limit SSLVPN connectivity to trusted source IPs.
o Ensure Security Services (e.g., Botnet Protection, Geo-IP Filter) are enabled.
o Remove unused or inactive firewall user accounts.
o Promote strong password hygiene.
o Enforce Multi-Factor Authentication (MFA) for all remote access (MFA enforcement alone may not protect against the activity under investigation)."
Read more »
Interlock ransomware
Ascension Cyber Attacks critical infrastructure attack cybersecurity threat Double extortion FBI CISA advisory Healthcare Interlock ransomware

CISA, FBI Issue Alert Over Rising Interlock Ransomware Attacks on Critical Infrastructure

 

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have raised an alarm over an increase in ransomware activity linked to the Interlock gang. The advisory, released on Tuesday in collaboration with the Department of Health and Human Services (HHS) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), warns that the group is actively targeting businesses and critical infrastructure in double extortion attacks.

The alert includes indicators of compromise (IOCs) gathered from recent investigations—some as recent as June 2025—and outlines protective measures for network defenders.

Emerging in September 2024, Interlock is a relatively new but rapidly growing ransomware operation. It has launched attacks across various global sectors, with a particular focus on healthcare. The gang has previously been connected to ClickFix intrusions, where they impersonated IT utilities to breach networks, and to malware campaigns using a remote access trojan (RAT) known as NodeSnake, particularly affecting U.K. universities.

The group recently claimed responsibility for cyberattacks on DaVita, a Fortune 500 kidney care company, leaking 1.5 terabytes of stolen data, and Kettering Health, a major healthcare provider with over 120 outpatient locations and more than 15,000 employees.

According to the FBI, the Interlock gang has been observed using unusual methods to infiltrate systems.

"FBI observed actors obtaining initial access via drive-by download from compromised legitimate websites, which is an uncommon method among ransomware groups," the advisory notes.

The gang uses a double extortion model—first stealing and then encrypting victims’ data—forcing organizations to pay not just to restore systems but also to prevent public data leaks.
Read more »
Windows Vulnerability
corporate network breach CRON#TRAP cybersecurity threat Linux VM backdoor malware Phishing Attack QEMU ransomware tactics stealth malware virtual machine attacks Windows Vulnerability

New Phishing Attacks Use Backdoored Linux VMs to Infect Windows Systems

 

A recent phishing campaign, named 'CRON#TRAP,' is targeting Windows systems by deploying a Linux virtual machine with an embedded backdoor, allowing covert access to corporate networks.

While attackers have previously used virtual machines in malicious activities like ransomware and cryptomining, these installations were often done manually after gaining initial access. However, Securonix researchers identified that this new campaign automates the installation of a Linux VM through phishing emails, giving attackers a persistent foothold in corporate environments.

The phishing emails mimic a "OneAmerica survey," including a 285MB ZIP file that sets up a Linux virtual machine with a backdoor once opened. The ZIP archive contains a Windows shortcut labeled "OneAmerica Survey.lnk" and a folder named "data," which houses the QEMU application disguised as "fontdiag.exe."

When executed, the shortcut triggers a PowerShell command, extracting files to the "%UserProfile%\datax" directory and launching "start.bat" to set up a QEMU Linux VM. During installation, a fake server error message in a PNG format is displayed as a decoy, suggesting a broken survey link. This custom VM, called 'PivotBox,' includes a preconfigured backdoor for continuous command-and-control (C2) communication, enabling covert background operations.

The use of QEMU—a legitimate, digitally signed virtualization tool—means Windows security systems often fail to detect these malicious processes within the virtual environment.

The campaign’s backdoor mechanism uses a tool called Chisel for secure tunneling over HTTP and SSH, allowing attackers to maintain contact with the compromised system, even if firewalls are in place. To ensure persistence, the QEMU VM is set to restart on reboot, while SSH keys are uploaded to eliminate re-authentication requirements.

Securonix researchers noted two critical commands: 'get-host-shell,' which opens an interactive shell on the host for command execution, and 'get-host-user,' which checks user privileges. These commands facilitate activities like surveillance, network management, payload deployment, file control, and data exfiltration, enabling attackers to adapt and maximize their impact on target systems.

The CRON#TRAP campaign is not the first instance of QEMU misuse in stealthy attacks. In March 2024, Kaspersky observed a similar tactic, where a lightweight backdoor within a 1MB Kali Linux VM used QEMU to create hidden network interfaces and connect to a remote server.

To mitigate these types of attacks, experts recommend monitoring for processes like 'qemu.exe' in user-accessible folders, blocking QEMU and similar virtualization tools, and disabling virtualization in critical systems’ BIOS configurations.
Read more »
Vectra AI
cloud storage vulnerability Cyber Security cybersecurity threat Google Cloud Document AI malware injection Security flaw Sensitive Data Leak Vectra AI

Security Flaw in Google Cloud Document AI Could Expose Sensitive Data, Experts Warn

 

A critical vulnerability in Google Cloud's Document AI service could have allowed cybercriminals to steal sensitive information from users' cloud storage accounts and even inject malware, cybersecurity experts have warned. 

The flaw was first discovered by researchers at Vectra AI, who reported it to Google in April 2024. Document AI is a suite of machine learning tools that automates the extraction, analysis, and processing of documents, converting unstructured files like invoices and contracts into structured data to streamline workflows.

The issue arose during the batch processing of documents, a feature that automates large-scale document analysis. Instead of using the caller’s permissions, the system relied on broader permissions granted to a "service agent," a Google-managed entity responsible for processing tasks. This created a security gap, allowing a malicious actor with access to a project to potentially retrieve and modify any files stored in the associated Google Cloud Storage buckets.

Vectra AI researchers provided a proof of concept to demonstrate how an attacker could exfiltrate and alter a PDF file before reuploading it to its original location. Although Google released a patch and labelled the issue "fixed" soon after, the researchers criticized the initial fix as inadequate.

In response to further pressure, Google implemented a more comprehensive downgrade in September 2024, addressing the vulnerability by limiting access to impacted projects.
Read more »
Windows zero-day exploit
cybersecurity threat Fudmodule malware Hacking Group Microsoft vulnerability North Korea Vulnerabilities and Exploits Windows zero-day exploit

North Korea Exploited Windows Zero-Day Vulnerability to Install Fudmodule

 

North Korea's Lazarus hacking group has once again exploited a zero-day vulnerability in Microsoft Windows to deploy malware on targeted devices. On August 13, Microsoft addressed this issue with its monthly Patch Tuesday updates, fixing a flaw in the Windows Ancillary Function Driver (Afd.sys) for WinSock, identified as CVE-2024-38193. Security experts strongly recommend applying this update promptly, as Microsoft has confirmed that the vulnerability is actively being exploited.

The flaw allows attackers to escalate system privileges through a use-after-free memory management issue, potentially granting them elevated system access, according to Rapid7. The advisory underscores the urgency of this patch, highlighting the low complexity of attacks, lack of required user interaction, and minimal privileges needed for exploitation.

The warning proved accurate, as Avast researchers Luigino Camastra and Martin Milanek, who initially discovered and reported the flaw to Microsoft in June, revealed that Lazarus had been exploiting this vulnerability before the fix was issued. Their primary aim was to install a rootkit named Fudmodule on the affected systems, utilizing the zero-day vulnerability to remain undetected by security software.

Details on the specific organizations targeted and their industries have not been disclosed. However, Lazarus is known for its focus on stealing cryptocurrency to support North Korea’s financially strained regime. The regime also uses its hacking teams to gather intelligence on Western nuclear facilities and defense systems.

This incident is part of a broader pattern of North Korean hacking activities targeting Windows drivers. In February, Microsoft patched another vulnerability, CVE-2024-21338, which Lazarus had used to gain system-level access. This flaw was in the appid.sys AppLocker driver, crucial for controlling application execution on Windows systems. Avast had previously reported this vulnerability, which was actively being exploited by Lazarus to install Fudmodule. The updated version of Fudmodule included enhancements, such as disabling antivirus protections like Microsoft Defender and CrowdStrike Falcon.

The rise of "Bring Your Own Vulnerable Driver" (BYOVD) attacks, where attackers use legitimate but vulnerable drivers to bypass security measures, has been noted. Lazarus has employed this tactic since at least October 2021, using it to infiltrate systems by loading drivers with known vulnerabilities. Other groups have also utilized similar methods, such as Sophos reporting on RansomHub's use of outdated drivers to disable endpoint detection and response tools, and deploying ransomware.

Overall, as Lazarus and similar groups continue to adapt their strategies, the need for vigilance and timely updates is crucial to protect systems from these sophisticated attacks.
Read more »
targeting VMware ESXi systems
Cyber Security cybersecurity threat ESXi environments Linux Security New Linux ransomware Play ransomware variant ransomware attacks ransomware protection targeting VMware ESXi systems

New Linux Play Ransomware Variant Targets VMware ESXi Systems

 

Attacks with a new Play ransomware variant for Linux have been deployed against VMware ESXi systems, most of which have been aimed at the U.S. and at organizations in the manufacturing, professional services, and construction sectors, according to The Hacker News.

Such a novel Play ransomware version was hosted on an IP address that also contained the WinSCP, PsExec, WinRAR, and NetScan tools, as well as the Coroxy backdoor previously leveraged by the ransomware operation, indicating similar functionality, an analysis from Trend Micro revealed. However, additional examination of the payload showed its utilization of a registered domain generation algorithm to bypass detection, a tactic similarly used by the Prolific Puma threat operation. 

"ESXi environments are high-value targets for ransomware attacks due to their critical role in business operations. The efficiency of encrypting numerous VMs simultaneously and the valuable data they hold further elevate their lucrativeness for cybercriminals," said researchers. Cybersecurity researchers have discovered a new Linux variant of a ransomware strain known as Play (aka Balloonfly and PlayCrypt) that's designed to target VMware ESXi environments.

"This development suggests that the group could be broadening its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations," Trend Micro researchers said in a report published Friday.

Play, which arrived on the scene in June 2022, is known for its double extortion tactics, encrypting systems after exfiltrating sensitive data and demanding payment in exchange for a decryption key. According to estimates released by Australia and the U.S., as many as 300 organizations have been victimized by the ransomware group as of October 2023.

Statistics shared by Trend Micro for the first seven months of 2024 show that the U.S. is the country with the highest number of victims, followed by Canada, Germany, the U.K., and the Netherlands. Manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate are some of the top industries affected by the Play ransomware during the time period.

The cybersecurity firm's analysis of a Linux variant of Play comes from a RAR archive file hosted on an IP address (108.61.142[.]190), which also contains other tools identified as utilized in previous attacks such as PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor.

"Though no actual infection has been observed, the command-and-control (C&C) server hosts the common tools that Play ransomware currently uses in its attacks," it said. "This could denote that the Linux variant might employ similar tactics, techniques, and procedures (TTPs)."

The ransomware sample, upon execution, ensures that it's running in an ESXi environment before proceeding to encrypt virtual machine (VM) files, including VM disk, configuration, and metadata files, and appending them with the extension ".PLAY." A ransom note is then dropped in the root directory.

Further analysis has determined that the Play ransomware group is likely using the services and infrastructure peddled by Prolific Puma, which offers an illicit link-shortening service to other cybercriminals to help them evade detection while distributing malware. Specifically, it employs what's called a registered domain generation algorithm (RDGA)
Read more »
Subscribe to: Comments (Atom)