Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

FBI alert warns private organizations of Egregor ransomware attacks

The US Federal Bureau of Investigation (FBI) issued a security alert warning private sector companies of Egregor ransomware attacks. The US FBI has issued a Private Industry Notification (PIN) to warn private organizations of Egregor ransomware attacks. The Egregor ransomware first appeared on the threat landscape in September 2020, since then the gang claimed to […]

FBI

The US Federal Bureau of Investigation (FBI) issued a security alert warning private sector companies of Egregor ransomware attacks.

The US FBI has issued a Private Industry Notification (PIN) to warn private organizations of Egregor ransomware attacks.

The Egregor ransomware first appeared on the threat landscape in September 2020, since then the gang claimed to have compromised over 150 organizations.

The list of known victims includes Barnes and NobleCencosudCrytekKmart, Ubisoft, and Metro Vancouver’s transportation agency TransLink.

Egregor is known to target printers of the compromised organizations, instituting them to print the ransom note.

The gang Egregor often exfiltrate files from the target network and if the victim refuses to pay, the operators publish victim data to a leak site.

“The FBI assesses Egregor ransomware is operating as a Ransomware as a Service Model. In this model, multiple different individuals play a part in conducting a single intrusion and ransomware event. Because of the large number of actors involved in deploying Egregor, the tactics, techniques, and procedures (TTPs) used in its deployment can vary widely, creating significant challenges for defense and mitigation.” reads the alert. “Egregor ransomware utilizes multiple mechanisms to compromise business networks, including targeting business network and employee personal accounts that share access with business networks or devices.”

Threat actors use phishing emails with malicious attachments as attack vector, they also exploit insecure Remote Desktop Protocol(RDP) or Virtual Private Networks to gain access to the networks.

Once gained access to the target network, the threat actors attempt to escalate privileges and make lateral movements using Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner, and AdFind.

Feds also added that the ransomware operators leverages tools like Rclone (sometimes renamed or hidden as svchost) and 7zip for data exfiltration.

FBI discourages victims to pay the ransom and urge them to report incidents to local FBI offices.

“The FBI does not encourage paying a ransom to criminal actors. Paying a ransom emboldens adversaries to target additional organizations, encourages other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities.” concludes the alert.”Paying the ransom also does not guarantee that a victim’s files will be recovered.”

Below the list of mitigations provided by the FBI to defend against Egregor’s attacks:

  • Recommended Mitigations;
  • Back-up critical data offline.
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
  • Install and regularly update anti-virus or anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks.
  • Use two-factor authentication and do not click on unsolicited attachments or links in emails.
  • Prioritize patching of public-facing remote access products and applications, including recent RDP vulnerabilities (CVE-2020-0609, CVE-2020-0610, CVE-2020-16896, CVE-2019- 1489, CVE-2019-1225, CVE-2019-1224, CVE-2019-1108).
  • Review suspicious .bat and .dll files, files with recon data (such as .log files), and exfiltration tools.
  • Securely configure RDP by restricting access, using multi-factor authentication or strong passwords.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Egregor ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]