Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries
Ransomware Attacks are on the Rise

Lockbit is by far this summer’s most prolific ransomware group, trailed by two offshoots of the Conti group.
After a recent dip, ransomware attacks are back on the rise. According to NCC Group researchers, the resurgence is being led by old ransomware-as-a-service (RaaS) groups.
With data gathered by “actively monitoring the leak sites used by each ransomware group and scraping victim details as they are released,” the researchers determined that Lockbit was by far the most prolific ransomware gang in July, responsible for 62 attacks. That’s ten more than the month prior, and more than twice as many as the second and third most prolific groups combined. “Lockbit [website] maintain their foothold as the most threatening ransomware group,” the authors wrote, “and one with which all organizations should aim to be aware of.”
Those second and third most prolific groups are Hiveleaks – 27 attacks – and BlackBasta – 24 attacks. These figures represent rapid rises for each group – since June, a 440 percent rise for Hiveleaks, and a 50 percent rise for BlackBasta.
It may well be that the resurgence in ransomware attacks, and the rise of these two particular groups, are intimately connected.
Researchers from NCC Group counted 198 successful ransomware campaigns in July – up 47 percent from June. Sharp as that incline may be, it still falls some way short of the high-water mark set this spring, with nearly 300 such campaigns in both March and April.
In May, the United States government ramped up its efforts against Russian cybercrime by offering up to $15 million for prized information about Conti, then the world’s foremost ransomware gang. “It is likely that the threat actors were undergoing structural changes,” the authors of the investigation speculated, “and have begun settling into their new modes of operating, resulting in their total compromises increasing in conjunction.”
Hiveleaks and BlackBasta are the result of that restructuring. Both groups are “associated with Conti,” the authors noted, Hiveleaks as an affiliate and BlackBasta as a replacement strain. “As such, it appears that it has not taken long for Conti’s presence to filter back into the threat landscape, albeit under a new identity.”
Now that Conti’s properly split in two, the authors speculated, “it would not be surprising to see these figures further increase as we move into August.”
Windows 11 KB5051987 & KB5051989 cumulative updates released

Microsoft has released Windows 11 KB5051987 and KB5051989 cumulative updates for versions 24H2 and 23H2 to fix security vulnerabilities and issues.
Both KB5051987 and KB5051989 are mandatory cumulative updates as they contain the February 2025 Patch Tuesday security updates for vulnerabilities discovered in previous months.
You can also manually download and install the update from the Microsoft Update Catalog.
What's new in the February 2025 Patch Tuesday update
After installing today's security updates, Windows 11 24H2 (KB5051987) will have its build number changed to Build [website], and 23H2 (KB5051989) will be changed to [website].
This month's Patch Tuesday update has several new features, including one that allows you to resume, directly from the desktop, a OneDrive file that you edited on your phone.
[Taskbar] New! This update improves the previews that show when your cursor hovers over apps on the taskbar. The update also improves their animations.
[Windows Studio Effects] New! An icon will appear in the system tray when you use an app that supports Windows Studio Effects. This only occurs on a device that has a neural processing unit (NPU). Select the icon to open the Studio Effects page in Quick Settings. To view the app that is using the camera, .
[Fonts] New! This update adds Simsun-ExtG, a new simplified Chinese font. It includes the Biangbiang noodles character. Some apps might not be able to display these new extension characters yet. The font has 9,753 ideographs that support Unicode Extensions G, H, and I. See the list below.
Unicode range G: 30000-3134A (4,939 chars)
Unicode range H: 31350-323AF (4,192 chars)
Unicode range I: 2EBF0-2EE5D (622 chars)
[High dynamic range (HDR)] Fixed: The display of some games appears oversaturated. This occurs when you use Auto HDR.
[Digital/Analog converter (DAC) (known issue)] Fixed: You might experience issues with USB audio devices. This is more likely when you use a DAC audio driver based on USB [website] USB audio devices might stop working, which stops playback.
[USB audio device drivers] Fixed: The code 10 error message, “This device cannot start” appears. This occurs when you connect to certain external audio management devices.
[Chinese Pinyin input method editor (IME)] Bing will stop giving automatic suggestions in the search box for search engine sites, like Baidu. To get manual suggestions, use Ctrl+Tab or the chevron button (>).
[USB cameras] Fixed: Your device does not recognize that the camera is on. This issue occurs after you install the January 2025 security update.
[Passkey] Fixed: This update removes the one-minute timeout when you use a passkey on a phone.
[Power] Fixed: Shutdown might be slower on some devices when a controller is connected.
[Wi-Fi] Fixed: The Windows Security dialog stops responding. This occurs when you sign in to certain Wi-Fi networks. The same issue might occur for some other options in Settings.
At present, Microsoft is not aware of any new issues.
You can check for updates manually to get the changes as soon as possible.
Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries

A subgroup within the infamous Russian state-sponsored hacking group known as Sandworm has been attributed to a multi-year initial access operation dubbed BadPilot that stretched across the globe.
"This subgroup has conducted globally diverse compromises of Internet-facing infrastructure to enable Seashell Blizzard to persist on high-value targets and support tailored network operations," the Microsoft Threat Intelligence team said in new findings shared with The Hacker News ahead of publication.
The geographical spread of the initial access subgroup's targets includes the whole of North America, several countries in Europe, and others, including Angola, Argentina, Australia, China, Egypt, India, Kazakhstan, Myanmar, Nigeria, Pakistan, Turkey, and Uzbekistan.
The development marks a significant expansion of the hacking group's victimology footprint over the past three years, which is otherwise known to be concentrated around Eastern Europe:
2022: Energy, retail, education, consulting, and agriculture sectors in Ukraine.
2023: Sectors in the United States, Europe, Central Asia, and the Middle East that provided material support to the war in Ukraine or were geopolitically significant.
2024: Entities in the United States, Canada, Australia, and the United Kingdom.
Sandworm is tracked by Microsoft under the moniker Seashell Blizzard (formerly Iridium), and by the broader cybersecurity community under the names APT44, Blue Echidna, FROZENBARENTS, Grey Tornado, Iron Viking, Razing Ursa, Telebots, UAC-0002, and Voodoo Bear. Active since at least 2013, the group is assessed to be affiliated with Unit 74455 within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
The adversarial collective has been described by Google-owned Mandiant as a "highly adaptive" and "operationally mature" threat actor that engages in espionage, attack, and influence operations. It also has a track record of mounting disruptive and destructive attacks against Ukraine over the past decade.
Campaigns mounted by Sandworm in the wake of the Russo-Ukrainian war have leveraged data wipers (KillDisk aka HermeticWiper), pseudo-ransomware (Prestige aka PRESSTEA), and backdoors (Kapeka), in addition to malware families that allow the threat actors to maintain persistent remote access to infected hosts via DarkCrystal RAT (aka DCRat).
It has also been observed relying on a variety of Russian companies and criminal marketplaces to source and sustain its offensive capabilities, highlighting a growing trend of cybercrime facilitating state-backed hacking.
"The group has used criminally sourced tools and infrastructure as a source of disposable capabilities that can be operationalized on short notice without immediate links to its past operations," the Google Threat Intelligence Group (GTIG) mentioned in an analysis.
"Since Russia's full-scale invasion of Ukraine, APT44 has increased its use of such tooling, including malware such as DarkCrystal RAT (DCRat), Warzone, and RADTHIEF ('Rhadamanthys Stealer'), and bulletproof hosting infrastructure such as that provided by the Russian-speaking actor 'yalishanda,' who advertises in cybercriminal underground communities."
Microsoft stated the Sandworm subgroup has been operational since at least late 2021, exploiting various known security flaws to obtain initial access, followed by a series of post-exploitation actions aimed at collecting credentials, achieving command execution, and supporting lateral movement.
"Observed operations following initial access indicate that this campaign enabled Seashell Blizzard to obtain access to global targets across sensitive sectors including energy, oil and gas, telecommunications, shipping, arms manufacturing, in addition to international governments," the tech giant noted.
"This subgroup has been enabled by a horizontally scalable capability bolstered by -facing systems across a wide range of geographical regions and sectors."
Since early last year, the sub-cluster is said to have weaponized vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet FortiClient EMS (CVE-2023-48788) to infiltrate targets in the United Kingdom and the United States.
Attacks carried out by the subgroup involve a combination of both opportunistic "spray and pray" attacks and targeted intrusions that are designed to maintain indiscriminate access and perform follow-on actions to either expand network access or obtain confidential information.
It's believed that the wide array of compromises offer Seashell Blizzard a way to meet Kremlin's ever-evolving strategic objectives, permitting the hacking outfit to horizontally scale their operations across diverse sectors as new exploits are disclosed.
As many as eight different known security vulnerabilities have been exploited by the subgroup to date, including:
Microsoft Exchange Server (CVE-2021-34473 aka ProxyShell).
Fortinet FortiClient EMS (CVE-2023-48788).
Connectwise ScreenConnect (CVE-2024-1709).
Once a foothold is established, the threat actor establishes persistence through three different methods:
February 24, 2024 – present: Deployment of legitimate remote access software such as Atera Agent and Splashtop Remote Services, in some cases abusing the access to drop additional payloads for credential acquisition, data exfiltration, and other tools for maintaining access like OpenSSH and a bespoke utility dubbed ShadowLink that allows the compromised system to be accessible via the TOR anonymity network.
Late 2021 – present: Deployment of a web shell named LocalOlive that allows for command-and-control and serves as a conduit for more payloads, such as tunneling utilities ([website], Chisel, plink, and rsockstun).
Late 2021 – 2024: Malicious modifications to Outlook Web Access (OWA) sign-in pages to inject JavaScript code that can harvest and exfiltrate credentials back to the threat actor in real-time, and alteration of DNS A-record configurations, likely in an effort to intercept credentials from critical authentication services.
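One defender-side integrity check for the OWA sign-in page tampering described above, as an added example that is not part of Microsoft's report or this article: it inventories the script elements of a sign-in page (external src URLs plus a SHA-256 of each inline body) and reports anything absent from a known-good baseline, so an injected credential-harvesting hook or a foreign loader surfaces as a diff. Both HTML samples are constructed for illustration; the script path and the placeholder domain are assumptions, not values from the report.

```python
"""Flag <script> elements on an OWA sign-in page that are absent from a baseline.

Added defender-side example; not Microsoft's or this article's code. The
baseline and tampered HTML below are constructed samples.
"""
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect every <script>: ("src", url) or ("inline", sha256 of body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("src", src))
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            body = "".join(self._buf).strip().encode()
            self.scripts.append(("inline", hashlib.sha256(body).hexdigest()))
            self._in_script = False


def script_inventory(html: str) -> set:
    """Set of script references (external URLs and inline-body hashes) in a page."""
    parser = _ScriptCollector()
    parser.feed(html)
    return set(parser.scripts)


def find_injected_scripts(baseline_html: str, current_html: str) -> set:
    """Script references present in the current page but missing from the baseline."""
    return script_inventory(current_html) - script_inventory(baseline_html)


# Constructed baseline: a stripped-down sign-in page with one first-party script.
BASELINE = """<html><head>
<script src="/owa/auth/scripts/flogon.js"></script>
</head><body><form id="logonForm" action="/owa/auth.owa" method="post">
<input name="username"><input name="password" type="password"></form>
</body></html>"""

# Constructed tampered copy: the same page with an inline submit hook and a
# loader pulled from a foreign host (placeholder domain, not a real indicator).
TAMPERED = BASELINE.replace(
    "</body>",
    '<script>document.getElementById("logonForm").addEventListener("submit",'
    "function(){/* constructed stand-in for a credential-harvesting hook */});"
    '</script><script src="https://cdn.example-placeholder.invalid/x.js"></script></body>',
)

if __name__ == "__main__":
    for kind, value in sorted(find_injected_scripts(BASELINE, TAMPERED)):
        print(f"unexpected {kind} script: {value}")
```

In practice the baseline inventory is taken from a clean Exchange install of the same build and rechecked on a schedule, since a legitimate cumulative update also changes the script set.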
"This subgroup, which is characterized within the broader Seashell Blizzard organization by its near-global reach, represents an expansion in both the geographical targeting conducted by Seashell Blizzard and the scope of its operations," Microsoft stated.
"At the same time, Seashell Blizzard's far-reaching, opportunistic access methods likely offer Russia expansive opportunities for niche operations and activities that will continue to be valuable over the medium term."
The development comes as Dutch cybersecurity firm EclecticIQ linked the Sandworm group to another campaign that leverages pirated Microsoft Key Management Service (KMS) activators and fake Windows updates to deliver a new version of BACKORDER, a Go-based downloader that's responsible for fetching and executing a second-stage payload from a remote server.
BACKORDER, per Mandiant, is usually delivered within trojanized installer files and is hard-coded to execute the original setup executable. The end goal of the campaign is to deliver DarkCrystal RAT.
"Ukraine's heavy reliance on cracked software, including in government institutions, creates a major attack surface," security researcher Arda Büyükkaya stated. "Many customers, including businesses and critical entities, have turned to pirated software from untrusted findings, giving adversaries like Sandworm (APT44) a prime opportunity to embed malware in widely used programs."
Further infrastructure analysis has uncovered a previously undocumented RDP backdoor codenamed Kalambur that's disguised as a Windows upgrade, and which utilizes the TOR network for command-and-control, as well as to deploy OpenSSH and enable remote access via the Remote Desktop Protocol (RDP) on port 3389.
"By leveraging trojanized software to infiltrate ICS environments, Sandworm (APT44) continues to demonstrate its strategic objective of destabilizing Ukraine's critical infrastructure in support of Russian geopolitical ambitions," Büyükkaya mentioned.