Alerts | BruCERT

[ALERT] ADVISORY ON HELLO (WICKRME) RANSOMWARE

Read more about [ALERT] ADVISORY ON HELLO (WICKRME) RANSOMWARE

BACKGROUND

A brand new ransomware variant called .hello ransomware or WickrMe Ransomware uses a Microsoft SharePoint 2019 vulnerability (CVE-2019-0604) to enter the victims’ network. From there, the threat actor leverages Cobalt Strike to pivot to the domain controller and launch ransomware attacks.

.hello (WickrMe) ransomware encrypts files and appends the ".hello" extension. For example, it renames a file named "1.jpg" to "1.jpg.hello", "2.jpg" to "2.jpg.hello", etc.

[ALERT] ADVISORY ON RANSOM DDOS ATTACKS

Read more about [ALERT] ADVISORY ON RANSOM DDOS ATTACKS

Background

Ransomware groups are now using DDoS attacks as a negotiation tactic to increase pressure on victims who do not cooperate in paying the ransom. This "Triple Extortion" strategy has recently been used by ransomware operators SunCrypt, RagnarLocker, and Avaddon.

[ALERT] ADVISORY ON DREAMBUS BOTNET

Read more about [ALERT] ADVISORY ON DREAMBUS BOTNET

BACKGROUND

A new botnet named DreamBus is a malware with worm-like behavior that can propagate itself both across the Internet and literally through compromised internal networks using a variety of techniques. It installs the XMRig crypto miner on powerful enterprise-class Linux and Unix systems with the goal of using their computing power to Mine Monero cryptocurrency.

[ALERT] ADVISORY ON SUPPLY CHAIN ATTACK ON SOLARWINDS ORION PLATFORM SOFTWARE (SUNBURST BACKDOOR)

Read more about [ALERT] ADVISORY ON SUPPLY CHAIN ATTACK ON SOLARWINDS ORION PLATFORM SOFTWARE (SUNBURST BACKDOOR)

Background

FireEye has uncovered a widespread campaign, that they are tracking as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWind’s Orion IT monitoring and management software. This incident may have begun as early as Spring 2020 and is currently ongoing. Post compromise activity following this supply chain compromise has included lateral movement and data theft.

[ALERT] ADVISORY ON WEB BROWSERS ATTACKED BY ADROZEK MALWARE

Read more about [ALERT] ADVISORY ON WEB BROWSERS ATTACKED BY ADROZEK MALWARE

BACKGROUND

A new strain of Adrozek malware infects devices and modifies browser settings in order to inject ads into search results pages so that the attackers can collect fees from referral programs. The malware can also extract credentials from the browser and upload them to the attacker's servers.