Unmasking Lorenz Ransomware: A Dive into Recent Tactics, Techniques and Procedures
Author: Zaid Baksh In the ever-evolving landscape of cyber threats, ransomware remains a persistent menace, with groups like Lorenz actively exploiting vulnerabilities in small to medium businesses globally. Since early 2021, Lorenz has been employing double-extortion tactics, exfiltrating sensitive data before encrypting systems and threatening to sell or release it publicly unless a ransom is […]
Ivanti Zero Day – Threat Actors observed leveraging CVE-2021-42278 and CVE-2021-42287 for quick privilege escalation to Domain Admin
Authors: David Brown and Mungomba Mulenga TL;dr NCC Group has observed what we believe to be the attempted exploitation of CVE-2021-42278 and CVE-2021-42287 as a means of privilege escalation, following the successful compromise of an Ivanti Secure Connect VPN using the following zero-day vulnerabilities reported by Volexity1 on 10/01/2024: By combining these vulnerabilities threat actors […]
Is this the real life? Is this just fantasy? Caught in a landslide, NoEscape from NCC Group
Author: Alex Jessop (@ThisIsFineChief) Summary Tl;dr This post will delve into a recent incident response engagement handled by NCC Group’s Cyber Incident Response Team (CIRT) involving the Ransomware-as-a-Service known as NoEscape. Below provides a summary of findings which are presented in this blog post: NoEscape NoEscape is a new financially motivated ransomware group delivering a […]
Don’t throw a hissy fit; defend against Medusa
Unveiling the Dark Side: A Deep Dive into Active Ransomware Families Author: Molly Dewis Intro Our technical experts have written a blog series focused on Tactics, Techniques and Procedures (TTP’s) deployed by four ransomware families recently observed during NCC Group’s incident response engagements. In case you missed it, our last post analysed an Incident Response […]
D0nut encrypt me, I have a wife and no backups
Unveiling the Dark Side: A Deep Dive into Active Ransomware Families Author: Ross Inman (@rdi_x64) Introduction Our technical experts have written a blog series focused on Tactics, Techniques and Procedures (TTP’s) deployed by four ransomware families recently observed during NCC Group’s incident response engagements. In case you missed it, last time we analysed an Incident […]
From ERMAC to Hook: Investigating the technical differences between two Android malware variants
Authored by Joshua Kamp (main author) and Alberto Segura. Summary Hook and ERMAC are Android based malware families that are both advertised by the actor named “DukeEugene”. Hook is the latest variant to be released by this actor and was first announced at the start of 2023. In this announcement, the actor claims that Hook […]
Approximately 2000 Citrix NetScalers backdoored in mass-exploitation campaign
Fox-IT (part of NCC Group) has uncovered a large-scale exploitation campaign of Citrix NetScalers in a joint effort with the Dutch Institute of Vulnerability Disclosure (DIVD). An adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing webshells on vulnerable NetScalers to gain persistent access. The adversary can execute arbitrary commands with this webshell, […]
Threat Spotlight – Hydra
This publication is part of our Annual Threat Monitor report that was released on the 8th of Febuary 2023. The Annual threat Monitor report can be found here. Authored by Alberto Segura Introduction Hydra, also known as BianLian, has been one of the most active mobile banking malware families in 2022, alongside Sharkbot and Flubot […]