Medusa’s back once again with the renegade ransomware

Jan 15 2024

Welcome to Gone Phishing, your daily cybersecurity newsletter that wonders if there are any cyber criminals taking a long, hard look in the mirror on this #BlueMonday. One can only hope 🤞🙏🥺

Today’s hottest cybersecurity news stories:

  • 🐍 Medusa’s back once again with the renegade ransomware 💸

  • 👑 Ukrainian crypto-jack daddy mac arrested for $2m operation 💰

  • 👨‍💻 Five ‘malware families’ deployed in cyberattack on Ivanti VPN 🌐

Avert your eyes! Medusa’s giving it another (Gor)go 👀🐍💀

🔒 Medusa Ransomware Alert! 🔒

🌐 Cybersecurity researchers from Palo Alto Networks Unit 42 have uncovered intensified activity from the Medusa ransomware group. 🆘 Since February 2023, the threat actors have operated a dedicated dark web data leak site to expose sensitive information from victims who resist their demands.

💸 As part of their multi-extortion approach, Medusa offers victims options such as time extensions, data deletion, or full data downloads, each with a price tag that varies according to the targeted organisation. 😱

🌐 In 2023, an estimated 74 organisations, mainly in the U.S., U.K., France, Italy, Spain, and India, fell victim to Medusa's opportunistic attacks across various industries.

🛑 The attacks start with exploiting vulnerabilities and hijacking legitimate accounts, often obtained through initial access brokers. Living-off-the-land techniques are employed to avoid detection, along with kernel drivers used to terminate security products.

🌐 Medusa's leak site discloses details about the organisations, ransom amounts, countdowns, and view counts to pressure victims. The group also takes a media-savvy approach, running a public Telegram channel for information sharing.

🚨 This trend is part of a broader shift in ransomware tactics, with threats evolving beyond data exposure into threats of physical harm and dedicated PR channels. Stay vigilant against Medusa's sophisticated propagation methods and evolving strategies!

🔗 In related news, malicious actors are posing as security researchers to attempt secondary extortion, emphasising the urgency of robust cybersecurity measures. 🔗

It’s a jungle out there, folks!

🔐 Stay informed, stay secure! 🛡️

Learn AI in 5 minutes a day. We'll teach you how to save time and earn more with AI. Join 400,000+ free daily readers for trending tools, productivity boosting prompts, the latest news, and more.

Talk about fiddling (the crypto books 😏) while Rome burns 🙈😠🔥

💻 Cryptojacking Mastermind Arrested in Ukraine! 💻

🚨 Breaking News: A 29-year-old Ukrainian national, the alleged "mastermind" behind a sophisticated cryptojacking scheme, was arrested in Mykolaiv, Ukraine, on January 9. The arrest, made possible by collaboration between the National Police of Ukraine, Europol, and a cloud service provider, brings an end to months of intensive investigation.

💰 The suspect reportedly raked in over $2 million (£1.57 million) through the illicit cryptojacking operation. 🕵️‍♂️ The scheme involved infecting the servers of a prominent American company with a miner since at least 2021, using custom brute-force tools to compromise 1,500 accounts.

🌐 Europol's involvement began when a cloud provider shared intelligence about compromised accounts in January 2023. The Cyber Police of Ukraine revealed that the hacker, using the compromised accounts, gained management access to the service and created over one million virtual computers to run the malware.

🔍 In a coordinated effort, three properties linked to the suspect were searched to gather evidence.

👾 Cryptojacking, a form of cybercrime, exploits computing resources without authorisation to mine cryptocurrencies. Typically, these attacks infiltrate cloud infrastructure via compromised credentials, installing miners that consume processing power without the host's knowledge or consent.

🔒 To avoid infrastructure costs, threat actors often use compromised credentials or exploit existing subscriptions. In a related incident in October 2023, Palo Alto Networks Unit 42 uncovered a cryptojacking campaign that stole Amazon Web Services credentials from GitHub repositories within minutes of their disclosure.

👮‍♂️ The arrest marks a significant victory against crypto criminals, showcasing the global effort to combat cyber threats. Stay vigilant and secure your computing resources! 🌐💻

🎣 Catch of the Day!! 🌊🐟🦞
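Credentials pushed to a public repository are harvested within minutes, so the cheapest defence is to stop them reaching the repository at all. The following is an added example (not Unit 42's tooling and not part of the original story) of a minimal pre-commit secret scan in Python: it inspects only the lines a commit adds and flags AWS access key IDs and secret keys. The diff is constructed for the demo, and the key values are the placeholders AWS uses in its own documentation, not live credentials.

```python
import re
from typing import Dict, List

# Long-term (AKIA) and temporary (ASIA) AWS access key IDs are 20 characters.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# A 40-character secret assigned to a variable named like aws_secret_access_key.
# Requiring the variable-name prefix keeps false positives on random base64 down.
SECRET_KEY_RE = re.compile(
    r"""(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})"""
)

# Constructed sample diff. The key values are AWS documentation placeholders.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+REGION = "eu-west-1"
"""


def mask(secret: str) -> str:
    """Keep only the first and last four characters so findings are safe to log."""
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_added_lines(diff: str) -> List[Dict[str, object]]:
    """Scan the lines a commit adds ('+' lines, excluding the '+++' file header)."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(diff.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for kind, pattern in (("aws_access_key_id", ACCESS_KEY_RE),
                              ("aws_secret_access_key", SECRET_KEY_RE)):
            for match in pattern.finditer(line):
                findings.append({"line": lineno, "kind": kind, "value": mask(match.group(1))})
    return findings


def precommit_exit_code(diff: str) -> int:
    """Non-zero blocks the commit, which is how a git pre-commit hook vetoes it."""
    return 1 if scan_added_lines(diff) else 0


if __name__ == "__main__":
    for finding in scan_added_lines(SAMPLE_DIFF):
        print(f"line {finding['line']}: {finding['kind']} {finding['value']}")
    raise SystemExit(precommit_exit_code(SAMPLE_DIFF))
```

Wired into a pre-commit hook (feed it `git diff --cached`), the non-zero exit stops the commit before anything leaves the developer's machine. It is a first line of defence, not a complete one: keys committed in the past stay in history, so any key that ever landed in a public repository should be treated as compromised and rotated.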

๐Ÿƒย The Motley Fool: โ€œFool me once, shame on โ€” shame on you. Fool me โ€” you can't get fooled again.โ€ Good olโ€™ George Dubya ๐Ÿ˜‚ Let us tell whoโ€™s not fooling around though; thatโ€™s the Crรผe ๐Ÿ‘€ at Motley Fool. Youโ€™d be a fool (alright, enough already! ๐Ÿ™ˆ) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! ๐Ÿ› Kidding aside, if you check out their website theyโ€™ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets ๐Ÿค‘ย (LINK)

๐Ÿšตย Wander: Find your happy place. Cue Happy Gilmore flashback ๐ŸŒ๏ธโ›ณ๐ŸŒˆ๐Ÿ•Š๏ธ Mmmm Happy Placeโ€ฆ ๐Ÿ˜‡ So, weโ€™ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, itโ€™s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels sets Wander apart from your run of the mill American getaway ๐Ÿž๏ธ๐Ÿ˜ย (LINK)

๐ŸŒŠย Digital Ocean: If you build it they will come. Nope, weโ€™re not talking about a baseball field for ghosts โšพ๐Ÿ‘ป๐Ÿฟ (Great movie, to be fair ๐Ÿ™ˆ). This is the Digital Ocean whoโ€™ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website youโ€™ll find yourself catching the buzz even if you canโ€™t code (guilty ๐Ÿ˜‘). But if you can and youโ€™re looking for somewhere to test things out or launch something new or simply enhance what youโ€™ve got, weโ€™d recommend checking out their services foโ€™ sho ๐Ÿ˜‰ And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! ๐ŸŒฟย (LINK)

Five malware families: Ivant to make you an offer you canโ€™t refuse ๐Ÿคต๐Ÿ’ต๐Ÿด๐Ÿ’€๐Ÿ˜

🚨 Nation-State Cyber Espionage Unleashes Chaos on Ivanti Connect Secure! 🚨

๐Ÿ” Mandiant's latest analysis exposes a calculated onslaught by suspected nation-state actors, codenamed UNC5221, exploiting two zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) in Ivanti Connect Secure (ICS) VPN appliances since December 2023.

๐ŸŒ UNC5221's sinister post-exploitation activities involve deploying five distinct malware families, allowing them to bypass authentication and establish backdoor access. Volexity attributes this cyber mayhem to a suspected Chinese espionage actor known as UTA0178.

๐ŸŽฏ The vulnerabilities serve as gateways for initial access, enabling the deployment of webshells, backdooring files, credential theft, and deeper penetration into victim environments. Ivanti reports that fewer than 20 customers have been impacted, indicating a highly-targeted campaign. Patches, dubbed ConnectAround, are set to release the week of January 22.

๐Ÿ›ก๏ธ Mandiant's investigation reveals UNC5221's advanced techniques, including using Perl scripts to remount read-only sections, deploying THINSPOOL shell scripts, and planting web shells LIGHTWIRE (Perl CGI) and WIREFIRE (Python) for persistent remote access.

๐Ÿ” The arsenal includes a JavaScript-based credential stealer named WARPWIRE and a versatile backdoor called ZIPLINE, capable of file download/upload, reverse shell establishment, proxy server creation, and tunnelling server setup.

๐ŸŒ "UNC5221's activity demonstrates that exploiting and living on the edge of networks remains a viable and attractive target for espionage actors," warns Mandiant. The absence of clear affiliations emphasises the sophisticated nature of this Advanced Persistent Threat (APT).

๐Ÿ”„ Ivanti acknowledges the impact on "less than 20" customers, but thatโ€™s up from ten when they first reported so the numbers could be growing. The good news is more companies are utilising integrity checker tools to scan for compromise indicators to nip these attacks in the bud.
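The integrity checkers mentioned above work on a simple principle: record a cryptographic hash of every file on the appliance while it is known-good, then re-hash later and report anything modified, added or removed, which is exactly what remounting a read-only partition and dropping a web shell into a CGI directory would produce. The following is an added example (not Ivanti's Integrity Checker Tool, nor Mandiant's or Volexity's tooling) of that baseline-and-verify loop in Python; the directory layout and file names are constructed for the demo and do not reflect the real appliance.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    baseline: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def verify(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Re-hash the tree and classify every difference from the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def run_demo() -> Dict[str, List[str]]:
    """Constructed sample: a tiny web root, baselined and then tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        (root / "cgi-bin" / "welcome.cgi").write_text("#!/usr/bin/perl\nprint 'ok';\n")
        (root / "static").mkdir()
        (root / "static" / "app.js").write_text("console.log('app');\n")
        baseline = build_baseline(root)

        # Simulated tampering after the baseline was taken: one script edited,
        # one unexpected CGI file dropped in, one asset deleted.
        (root / "cgi-bin" / "welcome.cgi").write_text("#!/usr/bin/perl\nprint 'ok'; # changed\n")
        (root / "cgi-bin" / "extra.cgi").write_text("#!/usr/bin/perl\n")
        (root / "static" / "app.js").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(f"{category}: {paths}")
```

Two caveats matter in practice. The baseline must be stored off the box (or replaced by vendor-published hashes for the shipped image), because an intruder who can remount the file system read-write can also edit a baseline kept on it. And a checker that runs on an already-compromised appliance can itself be tampered with, so vendor tools of this kind are often run from a separately booted environment; a clean result from an on-box run is evidence, not proof.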

Stay vigilant as this cyber saga unfolds! ๐ŸŒ๐Ÿ”’

๐Ÿ—ž๏ธ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • The GeekAI: A daily 3 min newsletter on what matters in AI. With all the new AI things coming to market, it's good to stay ahead of the curve.

  • Wealthy Primate: Want to earn over $100k a year in IT or cybersecurity? 20 year veteran 'Wealthy Primate' might be able to help you climb that tree 🐒🌴 with his stick and banana approach 🍌😏

  • Techspresso: Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, Tech Crunch etc)

Let us know what you think!

So long and thanks for reading all the phish!
