BRANDEFENSE BRANDEFENSE
  • Platform
    How It Works?
    Platform Overview
    Cyber Intelligence
    Brand & Reputation Protection
    Exposure Management
    By Use Case
    Preventing Data Leakage
    Phishing Monitoring
    Account Takeover Detection
    Stolen Credit Cards
    Dark Web Monitoring
    Remediation and Takedown
    Q1 | 2023
    Explore the Ransomware Attacks
  • Solutions
    Threat Intelligence Service
    Brand Protection
    Vulnerability Management
    Attack Surface Management
    Fraud Protection
    VIP Security
    Vulnerability Intelligence
  • Resources
    Blog
    Infographics
    Datasheets
    Security News
    Threat Intelligence Researches
    Digital Risk Protection – FAQ
    Cybersecurity Glossary
    Events
  • Partners
    About the Partner Program
    Become a Partner
    Partner Portal
  • Company
    About Us
    Join Us!
    We in the Press
    Privacy Policy
    Terms of Use
    Contact Us
Request a Demo
Login

BRANDEFENSE

  • Platform
    How It Works?
    Platform Overview
    Cyber Intelligence
    Brand & Reputation Protection
    Exposure Management
    By Use Case
    Preventing Data Leakage
    Phishing Monitoring
    Account Takeover Detection
    Stolen Credit Cards
    Dark Web Monitoring
    Remediation and Takedown
    Q1 | 2023
    Explore the Ransomware Attacks
  • Solutions
    Threat Intelligence Service
    Brand Protection
    Vulnerability Management
    Attack Surface Management
    Fraud Protection
    VIP Security
    Vulnerability Intelligence
  • Resources
    Blog
    Infographics
    Datasheets
    Security News
    Threat Intelligence Researches
    Digital Risk Protection – FAQ
    Cybersecurity Glossary
    Events
  • Partners
    About the Partner Program
    Become a Partner
    Partner Portal
  • Company
    About Us
    Join Us!
    We in the Press
    Privacy Policy
    Terms of Use
    Contact Us
Security News – Week 22

Security News – Week 22

BRANDEFENSE
Weekly Newsletter
01/06/2022

Last updated on August 9th, 2022 at 09:52 pm

microsoft

Table of Contents

  • Follina: The Critical 0-Day Vulnerability Affects Windows Systems
  • GoodWill: A New Ransomware Group Raising Attention to Social Responsibility
  • Misconfigured Elasticsearch Servers Targeted by Threat Actors

Follina: The Critical 0-Day Vulnerability Affects Windows Systems

A 0-day vulnerability has been identified that allows threat actors to perform code execution activities on targeted Windows systems through Microsoft Office documents. It has been observed that threat actors exploiting the vulnerability called Follina obtain an HTML document from the command and control (C&C) server with the “remote template” feature of the malicious Microsoft Word document and use the ‘ms-msdt’ MSProtocol URI scheme to execute the malicious code on the target system.

0-day vulnerability in microsoft

MSDT is a tool that collects errors that Windows users receive on the system for analysis. Threat actors can execute malicious code on the system with the MSDT tool, even if the targets do not enable macros of Microsoft Word documents. Also, converting the document to RTF format runs the code in the browser without the need to open the document.

The malicious Microsoft Word document, which cannot be detected in the Microsoft Defender Anti-Malware solution, affects Office 2016 and 2021 applications. In this context, it is recommended not to open Office documents obtained from unknown parties via e-mail attachments and other vectors, benefit from comprehensive Anti-Malware solutions, and use Office applications in the most up-to-date versions.

goodwill apt group

GoodWill: A New Ransomware Group Raising Attention to Social Responsibility

CloudSEK security researchers have identified a ransomware group that solicits donations from targets to individuals and patients who need help in exchange for a decryption tool. Ransomware called GoodWill was detected in March 2022. As the threat group’s name suggests, operators are allegedly more interested in promoting targets for social justice than traditional financial motivations. Some of the features identified by GoodWill in the analyzes are as follows;

  • GoodWill ransomware was developed with .NET and packaged with UPX wrappers.
  • It can stay in sleep mode for 722.45 seconds to avoid being detected during dynamic analysis.
  • It uses the AES_Encrypt function to encrypt the captured files with the AES algorithm.
  • It has a function called “GetCurrentCityAsync” that tries to detect the geolocation of the infected system.

When GoodWill infects systems, it encrypts documents, photos, videos, databases, and other important files with the “.gdwill” extension, making all these elements inaccessible without the decryption key. In the ransom note that the group left on the systems, it is stated that the targets must perform some social activities to obtain the decryption key.

goodwil is a new ransomware group

In the detailed analysis of GoodWill carried out by CloudSEK threat intelligence researchers, it has been observed that the ransomware in question has approximately 1246 threads, and 91 of them overlap with the open-source HiddenTear ransomware software developed by an operator of Turkish origin. In addition, the use of Hindi scripts by threat actors in the existing lines leads to the opinion that the group is based in India.

ransomware

Although the threat actors behind the GoodWill ransomware software claim to operate under the name of social responsibility campaigns, they violate the intellectual property and privacy concepts of institutions/organizations. At the same time, these activities cause the targeted organizations to be unable to provide services, damage their reputation, material, and moral losses, and violate the security of personal information.

To not be the target of similar attacks in this context, it is recommended that email, attachments, and links from unknown parties are not respected, and input information used in accounts is created using unique and powerful policies. Also, it is important to use comprehensive security solutions and enable 2FA/MFA features on all possible platforms.

elasticsearch servers targeted

Misconfigured Elasticsearch Servers Targeted by Threat Actors

Secureworks security researchers have identified a new attack campaign targeting misconfigured Elasticsearch databases. Threat actors demand ransom payments from targets by altering the database content on vulnerable Elasticsearh servers with their ransom notes.

ransom note

The threat actors conduct the campaign by deleting the vulnerable database contents and adding ransom notes via an automated script. If the targets do not pay the ransom demanded by the threat actors within seven days, the ransom fee is doubled, and access to the content is lost without return. Upon the execution of the requested ransom payment by the targets, the threat actors download a link to the database session of the targets. It is claimed that the link in question will enable the restoration of all compromised directories.

However, at this stage, promises made by threat actors should not be respected because it is impractical for threat actors to store large amounts of content. Most likely, the contents of the hacked databases are deleted, but ransom notes are left promising to restore the contents to the system. Therefore, database administrators need to take regular backups.

These and similar security breaches can lead to loss of reputation, data leakage, and possible service interruptions that may cost much more than the ransom amount of the affected institutions/organizations and organizations. In this context, it is recommended to use the current versions of the systems and programs, take regular backups of critical systems/files, perform attack surface analysis tests at regular intervals, and use comprehensive security solutions.

Follina misconfigured Elasticsearch
Share on Facebook Share on X
Search
Categories
APT GroupsBlogDark WebDRPSFraudRansomwareSector AnalysisSecurity NewsVIP SecurityWe in the PressWeekly Newsletter
Recent Posts
  • What is Supply Chain Security?
    What is Supply Chain Security?
  • Godfather Android Banking Trojan Technical Analysis
    Godfather Android Banking Trojan Technical Analysis
  • Celebrating a Milestone: Brandefense Earns a Spot on Fast Company Turkey’s Top 100 Start-Up List
    Celebrating a Milestone: Brandefense Earns a Spot on Fast Company Turkey’s Top 100 Start-Up List
  • Perspective of the Month | Anonymous Sudan | June – July 2023
    Perspective of the Month | Anonymous Sudan | June – July 2023
Ransomware Trends Report | Q2 2023
Ransomware Attack Trends in the Second Quarter of 2023
Report

Ransomware Attack Trends in the Second Quarter of 2023

Download Report
Follow us!

Continue Reading

Previous post

Follina: The Critical 0-Day Vulnerability Affects Windows Systems

0-day vulnerability
elasticsearch servers targeted
Next post

Misconfigured Elasticsearch Servers Targeted by Threat Actors

We know what hackers know about you

Our cyber threat intelligence and security research team is ready to help you.
image link

Brandefense is solving SOC’s complex challenges. We are here to help Brandefense customers to protect their brands and reputations against cyber threats.

United States:

300 Delaware Ave. Ste 210 #328 Wilmington, DE 19801 / USA

Republic of Turkey:

Üniversiteler, 1605 Cd. Cyberpark Vakıf Binası Kat: -1 No: B25, 06800 Çankaya/Ankara

© 2022 Brandefense. All rights reserved.

Solutions
Threat IntelligenceBrand ProtectionVulnerability ManagementFraud ProtectionVIP SecurityAttack Surface ManagementVulnerability Intelligence
Use Case
Data LeakagePhishing MonitoringAccount Takeover DetectionStolen Credit CardsDark Web MonitoringRemediation / Takedown
Partners
About the Partner ProgramBecome a Partner
Company
AboutCareerPrivacy PolicyTerms Of UseContact
Close
Search

Hit enter to search or ESC to close

cookie By using this website, you agree to our cookie policy. Close