Security
Headlines
HeadlinesLatestCVEs

Headline

New HardBit Ransomware 4.0 Uses Passphrase Protection to Evade Detection

Cybersecurity researchers have shed light on a new version of a ransomware strain called HardBit that comes packaged with new obfuscation techniques to deter analysis efforts. “Unlike previous versions, HardBit Ransomware group enhanced the version 4.0 with passphrase protection,” Cybereason researchers Kotaro Ogino and Koshi Oyama said in an analysis. "The passphrase needs to be provided during

The Hacker News
#vulnerability#mac#microsoft#git#perl#samba#auth#The Hacker News

Network Security / Data Protection

Cybersecurity researchers have shed light on a new version of a ransomware strain called HardBit that comes packaged with new obfuscation techniques to deter analysis efforts.

“Unlike previous versions, HardBit Ransomware group enhanced the version 4.0 with passphrase protection,” Cybereason researchers Kotaro Ogino and Koshi Oyama said in an analysis.

“The passphrase needs to be provided during the runtime in order for the ransomware to be executed properly. Additional obfuscation hinders security researchers from analyzing the malware.”

HardBit, which first emerged in October 2022, is a financially motivated threat actor that, similar to other ransomware groups, operates with an aim to generate illicit revenues via double extortion tactics.

What makes the threat group stand out is that it does not operate a data leak site, and instead pressurizes victims to pay up by threatening to conduct additional attacks in the future. Its primary mode of communication occurs over the Tox instant messaging service.

The exact initial access vector used to breach target environments is currently not clear, although it’s suspected to involve brute-forcing RDP and SMB services.

The follow-up steps encompass performing credential theft using tools like Mimikatz and NLBrute, and network discovery via utilities such as Advanced Port Scanner, allowing the attackers to laterally move across the network by means of RDP.

“Having compromised a victim host, the HardBit ransomware payload is executed and performs a number of steps that reduce the security posture of the host before encrypting victim data,” Varonis noted in its technical write-up about HardBit 2.0 last year.

Encryption of the victim hosts is carried out by deploying HardBit, which is delivered using a known file infector virus called Neshta. It’s worth noting that Neshta has been used by threat actors in the past to also distribute Big Head ransomware.

HardBit is also designed to disable Microsoft Defender Antivirus and terminate processes and services to evade potential detection of its activities and inhibit system recovery. It then encrypts files of interest, updates their icons, changes desktop wallpaper, and alters the system’s volume label with string “Locked by HardBit.”

Besides being offered to operators in the form of command-line or GUI versions, the ransomware requires an authorization ID in order for it to be successfully executed. The GUI flavor further supports a wiper mode to irrevocably erase files and wipe the disk.

“Once threat actors successfully input the decoded authorization ID, HardBit prompts for an encryption key to encrypt the files on the target machines and it proceeds with ransomware procedure,” Cybereason noted.

“Wiper mode feature needs to be enabled by the HardBit Ransomware group and the feature is likely an additional feature that operators need to purchase. If the operators need wiper mode, the operator would need to deploy hard.txt, an optional configuration file of HardBit binary and contains authorization ID to enable wiper mode.”

The development comes as cybersecurity firm Trellix detailed a CACTUS ransomware attack that has been observed exploiting security flaws in Ivanti Sentry (CVE-2023-38035) to install the file-encrypting malware using legitimate remote desktop tools like AnyDesk and Splashtop.

Ransomware activity continues to “remain on an upward trend” in 2024, with ransomware actors claiming 962 attacks in the first quarter of 2024, up from 886 attacks reported year-over-year. LockBit, Akira, and BlackSuit have emerged as the most prevalent ransomware families during the time period, Symantec said.

According to Palo Alto Networks’ 2024 Unit 42 Incident Response report, the median time it takes to go from compromise to data exfiltration plummeted from nine days in 2021 to two days last year. In almost half (45%) of cases this year, it was just under 24 hours.

“Available evidence suggests that exploitation of known vulnerabilities in public-facing applications continues to be the main vector for ransomware attacks,” the Broadcom-owned company said. “Bring Your Own Vulnerable Driver (BYOVD) continues to be a favored tactic among ransomware groups, particularly as a means of disabling security solutions.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related news

Alert: Ivanti Releases Patch for Critical Vulnerability in Endpoint Manager Solution

Ivanti has released security updates to address a critical flaw impacting its Endpoint Manager (EPM) solution that, if successfully exploited, could result in remote code execution (RCE) on susceptible servers. Tracked as CVE-2023-39336, the vulnerability has been rated 9.6 out of 10 on the CVSS scoring system. The shortcoming impacts EPM 2021 and EPM 2022 prior to SU5. “If exploited, an

Ivanti Sentry Authentication Bypass / Remote Code Execution

This Metasploit module exploits an authentication bypass in Ivanti Sentry which exposes API functionality which allows for code execution in the context of the root user.

Ivanti Sentry critical vulnerability—don't play dice, patch

Categories: Exploits and vulnerabilities Categories: News Tags: Ivanti Tags: Sentry Tags: MobileIron Tags: CVE-2023-38035 Tags: MICS Tags: port 8443 There is some uncertainty about whether a vulnerability in Ivanti Sentry is being exploited in the wild, but why take the risk when you can patch? (Read more...) The post Ivanti Sentry critical vulnerability—don't play dice, patch appeared first on Malwarebytes Labs.

Ivanti Warns of Critical Zero-Day Flaw Being Actively Exploited in Sentry Software

Software services provider Ivanti is warning of a new critical zero-day flaw impacting Ivanti Sentry (formerly MobileIron Sentry) that it said is being actively exploited in the wild, marking an escalation of its security woes. Tracked as CVE-2023-38035 (CVSS score: 9.8), the issue has been described as a case of authentication bypass impacting versions 9.18 and prior due to what it called an

CVE-2023-38035: Ivanti Community

A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.

The Hacker News: Latest News

Warning: Over 2,000 Palo Alto Networks Devices Hacked in Ongoing Attack Campaign