Medusa’s back once again with the renegade ransomware

Jan 15 2024

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that wonders if there are any cyber criminals taking a long, hard look in the mirror on this #BlueMonday. One can only hope.

 Today’s hottest cybersecurity news stories:

  • Medusa's back once again with the renegade ransomware

  • Ukrainian crypto-jack daddy mac arrested for $2m operation

  • Five 'malware families' deployed in cyberattack on Ivanti VPN

Avert your eyes! Medusa's giving it another (Gor)go

Medusa Ransomware Alert!

Cybersecurity researchers from Palo Alto Networks Unit 42 have documented intensified activity from the Medusa ransomware group. In February 2023 the group launched a dedicated dark web data leak site to expose data stolen from victims who refuse to pay.

As part of its multi-extortion approach, Medusa offers victims paid options: a time extension on the countdown, deletion of the stolen data, or a full download of it, with the price varying by target organisation.

In 2023 an estimated 74 organisations, mainly in the U.S., U.K., France, Italy, Spain, and India, fell victim to Medusa's opportunistic attacks across a wide range of industries.

Attacks begin with exploitation of vulnerable internet-facing applications and hijacking of legitimate accounts, often bought from initial access brokers. Living-off-the-land techniques (abusing tools already present on the system) are used to evade detection, and kernel drivers are loaded to terminate security products before the ransomware runs.
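The "load a kernel driver, then kill the security product" step in the paragraph above is a detectable sequence rather than a single event. The following is an added example written for this newsletter, not code from Unit 42 or from any vendor: it correlates a driver load from an untrusted location with terminations of security-product processes on the same host inside a short window. The telemetry lines, host names, process names and driver paths are constructed placeholders, not published Medusa indicators.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint telemetry, simplified to one event per line:
# "<ISO time> <host> <event> key=value ...". Process and driver names are
# placeholders, not indicators published for Medusa.
SAMPLE_EVENTS = """\
2024-01-12T09:14:02 ws-17 DRIVER_LOAD path=C:\\Windows\\Temp\\upd.sys signer=none
2024-01-12T09:14:05 ws-17 PROCESS_TERMINATE target=MsMpEng.exe by=SYSTEM
2024-01-12T09:14:06 ws-17 PROCESS_TERMINATE target=SentinelAgent.exe by=SYSTEM
2024-01-12T09:20:00 ws-03 DRIVER_LOAD path=C:\\Windows\\System32\\drivers\\nvlddmkm.sys signer=NVIDIA
2024-01-12T10:01:00 ws-03 PROCESS_TERMINATE target=notepad.exe by=alice
2024-01-12T11:00:00 ws-09 PROCESS_TERMINATE target=MsMpEng.exe by=admin
"""

# Processes belonging to endpoint security products (hypothetical list).
SECURITY_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "csfalconservice.exe"}
# Drivers loaded from anywhere else deserve a second look.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)
WINDOW = timedelta(minutes=10)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse_event(line):
    """Split one telemetry line into (timestamp, host, event type, fields dict)."""
    ts, host, event, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), host, event, fields


def is_untrusted_driver(fields):
    """Driver loaded from outside the system driver directory, or unsigned."""
    path = fields.get("path", "").lower()
    return not path.startswith(TRUSTED_DRIVER_DIRS) or fields.get("signer") == "none"


def detect_driver_av_kill(log_text, window=WINDOW):
    """Return [(host, driver path, [security processes terminated within `window` of the load])].
    Correlating the two events on one host is what separates this from benign driver
    installs (ws-03) and from ordinary service restarts (ws-09)."""
    loads = defaultdict(list)
    kills = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, event, f = parse_event(line)
        if event == "DRIVER_LOAD" and is_untrusted_driver(f):
            loads[host].append((ts, f["path"]))
        elif event == "PROCESS_TERMINATE" and f["target"].lower() in SECURITY_PROCESSES:
            kills[host].append((ts, f["target"]))
    alerts = []
    for host, drivers in loads.items():
        for load_ts, path in drivers:
            killed = [t for kill_ts, t in kills.get(host, [])
                      if load_ts <= kill_ts <= load_ts + window]
            if killed:
                alerts.append((host, path, killed))
    return alerts


if __name__ == "__main__":
    for host, path, killed in detect_driver_av_kill(SAMPLE_EVENTS):
        print(f"ALERT {host}: driver {path} loaded, then {', '.join(killed)} terminated")
```

Only ws-17 fires: the driver is unsigned, lives in a temp directory, and two security processes die seconds later. A real deployment would feed this from Sysmon driver-load and process-termination events (or the EDR's equivalent) and would treat a driver-load from a user-writable path as worth alerting on even without the follow-up kills.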

Medusa's leak site publishes details about each organisation, the ransom amount, a countdown timer and a view count to pressure victims. The group also takes a media-savvy approach, running a public Telegram channel to publicise its activity.

This is part of a broader shift in ransomware tactics: extortion now extends beyond data exposure to threats of physical harm and to dedicated PR channels. Stay vigilant against Medusa's propagation methods and evolving strategies!

In related news, malicious actors are posing as security researchers to make secondary extortion attempts against organisations that have already been breached, which only emphasises the need for robust cybersecurity measures.

It's a jungle out there, folks!

Stay informed, stay secure!


Talk about fiddling (the crypto books) while Rome burns

Cryptojacking Mastermind Arrested in Ukraine!

Breaking News: A 29-year-old Ukrainian national, the alleged "mastermind" behind a large-scale cryptojacking scheme, was arrested in Mykolaiv, Ukraine, on January 9. The arrest, the result of collaboration between the National Police of Ukraine, Europol and a cloud service provider, brings an end to months of intensive investigation.

The suspect reportedly made over $2 million (£1.57 million) from the operation. Since at least 2021 the scheme infected the servers of a prominent American company with cryptocurrency-mining malware, using custom brute-force tools to compromise 1,500 accounts.

Europol's involvement began in January 2023, when a cloud provider shared intelligence about compromised accounts. The Cyber Police of Ukraine said that the suspect used the compromised accounts to gain management access to the cloud service and created over one million virtual machines on which to run the mining malware.
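The two signals in the story above, a brute-force tool working through many accounts and a hijacked account suddenly creating virtual machines at scale, both show up in cloud audit logs, and either one alone is noisy. The following is an added example written for this newsletter, not code from Europol, the Ukrainian police or the cloud provider: it builds a constructed audit log in a hypothetical CSV format (time, source IP, account, action, result; the addresses are from the TEST-NET ranges) and flags the account that is both sprayed from a suspicious source and then spikes instance creation.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Construct a hypothetical audit log: CSV rows of time,src_ip,account,action,result.
    Not real provider data: one IP brute-forces 40 accounts, gets into one, and that
    account then creates 500 instances in a few minutes."""
    t0 = datetime(2024, 1, 8, 2, 0, 0)
    rows = []
    for i in range(40):
        rows.append((t0 + timedelta(seconds=i), "203.0.113.7", f"user{i:03d}", "Login", "FAIL"))
    rows.append((t0 + timedelta(seconds=41), "203.0.113.7", "user017", "Login", "OK"))
    for i in range(500):
        rows.append((t0 + timedelta(minutes=5, seconds=i), "203.0.113.7", "user017", "CreateInstance", "OK"))
    rows.append((t0 + timedelta(hours=1), "198.51.100.4", "alice", "Login", "OK"))  # normal user
    rows.append((t0 + timedelta(hours=1, minutes=2), "198.51.100.4", "alice", "CreateInstance", "OK"))
    return "\n".join(f"{t.isoformat()},{ip},{acct},{act},{res}" for t, ip, acct, act, res in rows)


def parse_log(text):
    """Parse the CSV into (datetime, src_ip, account, action, result) tuples."""
    return [(datetime.fromisoformat(r[0]), r[1], r[2], r[3], r[4])
            for r in csv.reader(io.StringIO(text)) if r]


def password_spray_sources(events, min_accounts=10, window=timedelta(minutes=5)):
    """Source IPs that fail logins against >= min_accounts distinct accounts inside `window`.
    Counting distinct accounts per source, not failures per account, is what catches a
    low-and-slow spray that never trips a per-account lockout."""
    fails = defaultdict(list)
    for t, ip, acct, act, res in events:
        if act == "Login" and res == "FAIL":
            fails[ip].append((t, acct))
    flagged = {}
    for ip, items in fails.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            accts = {a for ts, a in items[i:] if ts <= start + window}
            if len(accts) >= min_accounts:
                flagged[ip] = len(accts)
                break
    return flagged


def instance_creation_spikes(events, max_per_hour=50):
    """Accounts that create more than max_per_hour instances in any clock hour."""
    per_hour = defaultdict(int)
    for t, _ip, acct, act, res in events:
        if act == "CreateInstance" and res == "OK":
            per_hour[(acct, t.replace(minute=0, second=0, microsecond=0))] += 1
    spikes = defaultdict(int)
    for (acct, _hour), n in per_hour.items():
        if n > max_per_hour:
            spikes[acct] = max(spikes[acct], n)
    return dict(spikes)


def compromised_accounts(events):
    """Accounts that logged in from a spraying source and then spiked instance creation."""
    spray_ips = password_spray_sources(events)
    spikes = instance_creation_spikes(events)
    return sorted({acct for _t, ip, acct, act, res in events
                   if act == "Login" and res == "OK" and ip in spray_ips and acct in spikes})


if __name__ == "__main__":
    ev = parse_log(build_sample_log())
    print("spraying sources:", password_spray_sources(ev))
    print("creation spikes:", instance_creation_spikes(ev))
    print("likely hijacked:", compromised_accounts(ev))
```

The thresholds (10 accounts in five minutes, 50 instances an hour) are placeholders to tune against a tenant's own baseline; the point is the join between the two signals, which turns two noisy alerts into one high-confidence one. Quotas on instance creation per account, and MFA on the management plane so a brute-forced password is not enough, are the preventive counterparts.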

In a coordinated effort, three properties linked to the suspect were searched as part of the investigation to gather evidence.

Cryptojacking is the unauthorised use of someone else's computing resources to mine cryptocurrency. Cloud-focused attacks typically get in through compromised credentials and then install miners that consume the victim's processing power, and the victim's cloud bill, without their knowledge or consent.

Because mining at scale is expensive, threat actors use compromised credentials or hijack existing cloud subscriptions rather than pay for infrastructure themselves. In a related incident in October 2023, Palo Alto Networks Unit 42 uncovered a cryptojacking campaign that harvested Amazon Web Services credentials exposed in public GitHub repositories within minutes of them being pushed and used them to spin up mining instances.
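Minutes is not enough time to notice a leaked key and rotate it, so the check has to happen before the push. The following is an added example written for this newsletter, not code from Unit 42 or from any secret-scanning product: a small scanner that flags AWS access key IDs and secret access keys in file contents, suitable for a pre-commit hook. The sample files are constructed, and the key pair in them is the placeholder pair AWS uses in its own documentation, not a live credential.

```python
import re

# Constructed sample files. The key pair is the placeholder pair AWS uses in its own
# documentation (AKIAIOSFODNN7EXAMPLE / wJalr...EXAMPLEKEY); it is not a live credential.
SAMPLE_LEAKY_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

SAMPLE_CLEAN_CONFIG = """\
[default]
region = us-east-1
# credentials come from the environment or an instance role, never from the repo
"""

# Long-term access key IDs start with AKIA (ASIA for temporary session keys) and are 20 chars.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A bare 40-char base64-ish string matches far too much, so only flag one that sits in an
# assignment to something named like a secret key.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_\s]*secret[_\s]*(?:access[_\s]*)?key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def mask(secret):
    """Never echo the full value back into logs or CI output."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(text, name="<text>"):
    """Return [(file name, line number, finding type, masked value)] for every hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((name, lineno, "aws_access_key_id", mask(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((name, lineno, "aws_secret_access_key", mask(m.group(1))))
    return findings


def scan_files(named_texts):
    """Scan several (name, content) pairs, e.g. the staged files of a commit."""
    findings = []
    for name, text in named_texts:
        findings.extend(scan_text(text, name))
    return findings


def commit_allowed(named_texts):
    """Gate for a pre-commit hook: True only when nothing was found."""
    return not scan_files(named_texts)


if __name__ == "__main__":
    staged = [("config/aws.ini", SAMPLE_LEAKY_CONFIG), ("config/clean.ini", SAMPLE_CLEAN_CONFIG)]
    for finding in scan_files(staged):
        print("BLOCK:", finding)
    print("commit allowed:", commit_allowed(staged))
```

Wire it up by feeding the contents of the files listed by `git diff --cached --name-only` into `commit_allowed` and exiting non-zero when it returns False. If a key has already reached a public repository, treat it as compromised and rotate it first; rewriting history afterwards does not help, because the campaign in the story had already used it.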

The arrest is a significant win against cryptojacking and shows what international cooperation against cyber threats can achieve. Stay vigilant and secure your computing resources!

Catch of the Day!!

The Motley Fool: "Fool me once, shame on — shame on you. Fool me — you can't get fooled again." Good ol' George Dubya. Let us tell you who's not fooling around though; that's the Crüe at Motley Fool. You'd be a fool (alright, enough already!) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! Kidding aside, if you check out their website they've actually got a ton of great content with a wide variety of different investment ideas to suit most budgets (LINK)

Wander: Find your happy place. Cue Happy Gilmore flashback. Mmmm Happy Place… So, we've noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breathtaking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it's easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels set Wander apart from your run-of-the-mill American getaway (LINK)

Digital Ocean: If you build it they will come. Nope, we're not talking about a baseball field for ghosts (great movie, to be fair). This is Digital Ocean, who've got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you'll find yourself catching the buzz even if you can't code (guilty). But if you can and you're looking for somewhere to test things out, launch something new or simply enhance what you've got, we'd recommend checking out their services fo' sho. And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! (LINK)

Five malware families: Ivant to make you an offer you can't refuse

Nation-State Cyber Espionage Unleashes Chaos on Ivanti Connect Secure!

Mandiant's latest analysis exposes a calculated campaign by a suspected nation-state actor, tracked as UNC5221, exploiting two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since December 2023: CVE-2023-46805, an authentication bypass, and CVE-2024-21887, a command injection. Chained together they give an unauthenticated attacker command execution on the appliance.

UNC5221's post-exploitation activity involves deploying five distinct malware families that give the actor persistent backdoor access once the vulnerabilities have been used to get past authentication. Volexity attributes the activity to a suspected Chinese espionage actor it tracks as UTA0178.

The vulnerabilities serve as the gateway for initial access, after which the actor deploys web shells, backdoors legitimate files on the appliance, steals credentials and moves deeper into victim environments. Ivanti reports that fewer than 20 customers have been impacted, indicating a highly targeted campaign. Patches, dubbed ConnectAround, are due to start releasing the week of January 22; in the meantime Ivanti has published a mitigation to apply.

Mandiant's investigation details UNC5221's techniques, including a Perl script used to remount the appliance's normally read-only filesystem as writable, the THINSPOOL shell-script dropper, and two web shells planted for persistent remote access: LIGHTWIRE (Perl CGI) and WIREFIRE (Python).

The arsenal also includes WARPWIRE, a JavaScript-based credential harvester injected into the appliance's login page, and ZIPLINE, a passive backdoor capable of file download and upload, establishing a reverse shell, creating a proxy server and setting up a tunnelling server.

"UNC5221's activity demonstrates that exploiting and living on the edge of networks remains a viable and attractive target for espionage actors," warns Mandiant. UNC5221 has not yet been tied to a previously known group, and Mandiant treats the intrusion set as an advanced persistent threat (APT).

Ivanti acknowledges the impact on "less than 20" customers, but that is up from ten when it first reported, so the number could still be growing. The good news is that more organisations are running Ivanti's Integrity Checker Tool to scan their appliances for indicators of compromise and catch these intrusions early.
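An integrity check of this kind comes down to hashing every file on the appliance and comparing against a known-good baseline, so that a dropped CGI web shell or a backdoored script shows up as an added or modified file even when the attacker has tidied the logs. The following is an added example written for this newsletter, not Ivanti's Integrity Checker Tool and not Mandiant's code: a minimal file-integrity checker that runs against a throwaway directory tree it builds itself. The file and directory names, and the "web shell" and "backdoor" contents, are constructed placeholders.

```python
import hashlib
import os
import shutil
import tempfile

# File types an attacker would drop or modify to get code execution through the web server;
# the LIGHTWIRE (Perl CGI) and WIREFIRE (Python) web shells are exactly such files.
SCRIPT_EXTS = (".cgi", ".pl", ".py", ".php", ".js")


def hash_tree(root):
    """Map each regular file under root (relative path, '/' separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Classify files as added, removed or modified relative to a known-good baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def suspicious_changes(report):
    """Added or modified script files are the first thing to pull for analysis."""
    return [p for p in report["added"] + report["modified"] if p.lower().endswith(SCRIPT_EXTS)]


def demo():
    """Build a throwaway tree, baseline it, then simulate a web-shell drop and a backdoored
    script (constructed, hypothetical file names). Returns (report, suspicious list)."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "cgi-bin"))
        with open(os.path.join(root, "cgi-bin", "welcome.cgi"), "w") as f:
            f.write("#!/usr/bin/perl\nprint 'welcome';\n")
        with open(os.path.join(root, "README"), "w") as f:
            f.write("appliance docs\n")
        baseline = hash_tree(root)  # in practice: taken from a clean image, stored off-box

        # attacker activity: a new CGI file appears and an existing one gets extra code
        with open(os.path.join(root, "cgi-bin", "shell.cgi"), "w") as f:
            f.write("#!/usr/bin/perl\n# hypothetical web shell placeholder\n")
        with open(os.path.join(root, "cgi-bin", "welcome.cgi"), "a") as f:
            f.write("# hypothetical backdoor appended\n")

        report = diff_baseline(baseline, hash_tree(root))
        return report, suspicious_changes(report)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    report, sus = demo()
    print(report)
    print("pull for analysis:", sus)
```

Two caveats a practitioner would add. The baseline and the checker itself must live off the appliance: an attacker who has remounted the filesystem as writable, as described above, can just as easily edit an on-box hash list. And a clean result only covers the files the check walks; rootkit-style tampering with the kernel or with in-memory processes needs a different tool, which is why an unexpectedly clean result on an appliance that was exposed during the exploitation window is still worth a forensic image.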

Stay vigilant as this cyber saga unfolds!

Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • The GeekAI: A daily 3 min newsletter on what matters in AI. With all the new AI things coming to market, it's good to stay ahead of the curve.

  • Wealthy Primate: Want to earn over $100k a year in IT or cybersecurity? 20 year veteran 'Wealthy Primate' might be able to help you climb that tree with his stick and banana approach.

  • Techspresso: Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, Tech Crunch etc.)

Let us know what you think!

So long and thanks for reading all the phish!
