All news with #ransomware tag

Sat, October 11, 2025

Velociraptor Abused in LockBit Ransomware Campaign Wave

🔒 Threat actors are abusing Velociraptor, an open-source DFIR tool, to support ransomware operations attributed to Storm-2603. Attackers exploited on-premises SharePoint ToolShell flaws to deploy an outdated Velociraptor build (0.73.4.0) vulnerable to CVE-2025-6264, enabling privilege escalation and remote command execution. After lateral movement and creation of domain admin accounts, the group tampered with GPOs, disabled real‑time protection, and staged exfiltration before deploying Warlock, LockBit, and Babuk. Vendors caution that legitimate collection and orchestration capabilities can be repurposed by adversaries.

Fri, October 10, 2025

FBI Seizes BreachForums Servers as Salesforce Deadline Nears

🔒 The FBI, US Department of Justice and French authorities seized the BreachForums domain and parts of its backend on Oct. 9, disrupting infrastructure tied to an alliance of threat actors including ShinyHunters, Scattered Spider and LAPSUS$. The action followed threats to publish alleged Salesforce customer data unless a ransom was paid by Oct. 10. Although the primary forum domain now displays a takedown notice, a separate leak site remains active and the extortion campaign appears to be continuing. Experts advise organizations to audit Salesforce configurations, enable OAuth app governance, and enforce token and session hygiene immediately.

Fri, October 10, 2025

Stealit Malware Uses Node.js SEA, Electron for Delivery

⚠️ Fortinet FortiGuard Labs has detailed an active campaign dubbed Stealit that uses Node.js Single Executable Application (SEA) packaging—and in some builds, the Electron framework—to deliver credential-stealing and remote-access payloads. Operators distribute counterfeit game and VPN installers via file-hosting sites and messaging platforms, which drop three primary executables that perform browser and messenger data theft, wallet extraction, and persistence with live screen streaming. Installers run anti-analysis checks, write a Base64 authentication key to %temp%\cache.json for C2 authentication, and configure Microsoft Defender exclusions to conceal downloaded components.

Fri, October 10, 2025

Stealit Campaign Abuses Node.js Single Executable Packaging

🔍 FortiGuard Labs identified an active Stealit campaign that distributes malware packaged with Node.js Single Executable Application (SEA) technology to create standalone Windows binaries. Operators deliver fake game and VPN installers via file-sharing sites and Discord, using multi-layer obfuscation and in-memory execution. The modular payloads harvest browser data, extension-based crypto wallets, and provide remote access, with persistence via a startup Visual Basic script. Fortinet provides detections and recommends updating protections and user training.

Fri, October 10, 2025

Velociraptor Abuse Enables Stealthy Ransomware Campaigns

🔒 Researchers report that the open-source DFIR tool Velociraptor was abused by threat actors to maintain stealthy persistent access while deploying multiple ransomware families, including Warlock, LockBit and Babuk. Cisco Talos observed the activity in August 2025 and attributed the multi-vector operation to a China-linked cluster tracked as Storm-2603. Attackers exploited a vulnerable agent (v0.73.4.0) via CVE-2025-6264 to escalate privileges and persist; defenders are urged to verify deployments and update to v0.73.5 or later.

Fri, October 10, 2025

Fortra Confirms Active Exploitation of GoAnywhere Flaw

🔒 Fortra disclosed its investigation into CVE-2025-10035, a deserialization vulnerability in the GoAnywhere License Servlet that has been exploited since September 11, 2025. The vendor issued a hotfix within 24 hours and published patched builds (7.6.3 and 7.8.4) on September 15, saying the risk is limited to admin consoles exposed to the public internet. Microsoft attributes observed exploitation to threat actor Storm-1175, which deployed Medusa ransomware; Fortra recommends restricting internet access to admin consoles, enabling monitoring, and keeping software up to date.

Fri, October 10, 2025

Autonomous AI Hacking and the Future of Cybersecurity

⚠️ AI agents are now autonomously conducting cyberattacks, chaining reconnaissance, exploitation, persistence, and data theft at machine speed and scale. In 2025, public demonstrations (from XBOW’s mass submissions on HackerOne in June to DARPA teams and Google’s Big Sleep in August), along with operational reports from Ukraine’s CERT and vendors, show that these systems rapidly find and weaponize new flaws. Criminals have operationalized LLM-driven malware and ransomware, while tools like HexStrike‑AI, Deepseek, and Villager make automated attack chains broadly available. Defenders can also leverage AI to accelerate vulnerability research and operationalize VulnOps, continuous discovery/continuous repair, and self‑healing networks, but doing so raises serious questions about patch correctness, liability, compatibility, and vendor relationships.

Fri, October 10, 2025

Google: Clop Exfiltrated Data via Oracle E-Business Flaw

🔍 Google Threat Intelligence and Mandiant report the Clop (FIN11) actor likely exfiltrated a significant amount of data from Oracle E-Business Suite environments beginning as early as August 9, 2025. The group sent extortion emails to executives from September 29 and supplied legitimate file listings to substantiate claims. Attackers exploited the zero-day CVE-2025-61882 prior to an emergency patch released on October 4, 2025. Investigators advise urgent patching, hunting for malicious templates, restricting outbound EBS traffic, and performing Java memory forensics.

Fri, October 10, 2025

Move Beyond the CIA Triad: A Layered Security Model

🔐 The article contends that the Cold War–era CIA triad (confidentiality, integrity, availability) is too narrow for modern threats driven by cloud, AI, and fragile supply chains. It proposes the 3C Model—Core, Complementary, Contextual—to elevate authenticity, accountability, and resilience as foundational pillars rather than afterthoughts. The framework aims to harmonize standards, reduce duplication, and help CISOs speak in terms of survival, trust, and business impact instead of only uptime and technical controls.

Fri, October 10, 2025

Cl0p-Linked Actors Exploit Oracle E-Business Suite

🔔 Google Threat Intelligence Group and Mandiant report a multi-stage zero-day campaign exploiting Oracle E-Business Suite (tracked as CVE-2025-61882, CVSS 9.8) that has impacted dozens of organizations since August 2025. The attackers combined SSRF, CRLF injection, authentication bypass and XSL template injection to achieve remote code execution and deploy multi-stage Java loaders. Observed payloads include GOLDVEIN.JAVA and a SAGEGIFT/SAGELEAF/SAGEWAVE chain; orchestration and extortion messaging bear the Cl0p signature. Oracle has released patches and investigations by GTIG and Mandiant are ongoing.

Fri, October 10, 2025

Six steps for disaster recovery and business continuity

🔒 Modernize disaster recovery and continuity with six practical steps for CISOs. Secure executive funding and form a cross-functional team, map risks and locate data across cloud, SaaS, OT, and edge devices, and conduct a Business Impact Analysis to define a Minimal Viable Business (MVB). Evolve backups to 3-2-1-1-0 with immutable or air-gapped copies, adopt BaaS/DRaaS and AI-driven tools for discovery and autonomous backups, and run realistic, gamified tests followed by post-mortems.

Thu, October 9, 2025

Threat actors abusing Velociraptor in ransomware attacks

⚠️ Researchers have observed threat actors leveraging the open-source DFIR tool Velociraptor to maintain persistent remote access and deploy ransomware families including LockBit and Babuk. Cisco Talos links the campaigns to a China-based group tracked as Storm-2603 and notes use of an outdated Velociraptor build vulnerable to CVE-2025-6264. Attackers synchronized local admin accounts to Entra ID, accessed vSphere consoles, disabled Defender via AD GPOs, and used fileless PowerShell encryptors with per-run AES keys and staged exfiltration prior to encryption.

Thu, October 9, 2025

Hidden Text Salting in Emails and Strategic Cyber Decisions

🧯 Cisco Talos warns of extensive abuse of CSS to insert hidden “salt” — extraneous characters, comments and markup — into email preheaders, headers, attachments and bodies to evade detection. This hidden text salting technique is significantly more common in spam and malicious mail than in legitimate messages, undermining both signature and ML-based defenses. Talos advises detecting concealed content and, crucially, stripping or normalising that salt before passing messages to downstream engines, while also urging attention to longer-term strategic decision-making in cyber defense.

Thu, October 9, 2025

Cloudflare Launches REACT: Unified Incident Response

🔒 Cloudflare today introduces REACT, a new incident response and advisory service from Cloudforce One designed to bridge the gap between edge defenses and in‑network remediation. REACT combines proactive advisory work—threat hunting, tabletop exercises, and readiness assessments—with emergency incident response and retainer options for guaranteed availability. As a network‑native, vendor‑agnostic service, REACT can deploy mitigations at the Cloudflare edge and coordinate investigations across on‑premise, cloud, and hybrid environments.

Thu, October 9, 2025

Oracle EBS Zero-Day Exploitation and Extortion Campaign

⚠️ GTIG and Mandiant tracked a large-scale extortion campaign beginning Sept. 29, 2025, in which actors claiming affiliation with the CL0P brand alleged theft from Oracle E‑Business Suite (EBS) environments. Analysis indicates exploitation of a zero-day (CVE-2025-61882) as early as Aug. 9, 2025, with suspicious activity dating back to July 10. Attackers abused UiServlet and SyncServlet flows, embedding Java payloads via XSL templates to achieve unauthenticated RCE and deploy in-memory implants. Organizations are urged to apply Oracle emergency patches, hunt for malicious templates in XDO_TEMPLATES_B/XDO_LOBS, and restrict outbound traffic to disrupt C2.

Thu, October 9, 2025

LockBit, DragonForce and Qilin Form Ransomware Cartel

🚨 Three major ransomware-as-a-service operators — LockBit, DragonForce, and Qilin — announced a coalition in early September aimed at coordinating attacks and stabilizing market conditions after recent law enforcement disruptions. The groups signaled intentions to reduce intra-group conflicts, share resources, and protect affiliate revenue, and LockBit explicitly authorized targeting certain critical infrastructure sectors. ReliaQuest researchers reviewed forum posts and communications but have not yet observed joint operations or a combined leak site.

Thu, October 9, 2025

September 2025 Cyber Threats: Ransomware and GenAI Rise

🔍 In September 2025, global cyber-attack volumes eased modestly, with organizations facing an average of 1,900 attacks per organization per week — a 4% decline from August but a 1% increase year-over-year. Beneath this apparent stabilization, ransomware activity jumped sharply (up 46%), while emerging GenAI-related data risks expanded rapidly, changing attacker tactics. The report warns that evolving techniques and heightened data exposure are creating a more complex and consequential threat environment for organizations worldwide.

Thu, October 9, 2025

ThreatsDay: Teams Abuse, MFA Hijack, $2B Crypto Heist

🛡️ Microsoft and researchers report threat actors abusing Microsoft Teams for extortion, social engineering, and financial theft after hijacking MFA with social engineering resets. Separate campaigns use malicious .LNK files to deliver PowerShell droppers and DLL implants that establish persistent command-and-control. Analysts also link over $2 billion in 2025 crypto thefts to North Korean‑linked groups and identify AI-driven disinformation, IoT flaws, and cloud misconfigurations as multiplying risk. Defenders are urged to harden identity, secure endpoints and apps, patch exposed services, and limit long-lived cloud credentials.

Thu, October 9, 2025

Velociraptor Abused in Ransomware Attacks by Storm-2603

🔐 Cisco Talos confirmed ransomware operators abused Velociraptor, an open-source DFIR endpoint tool, to gain arbitrary command execution in August 2025 by deploying an outdated agent vulnerable to CVE-2025-6264. Talos links the activity with moderate confidence to Storm-2603 based on overlapping tooling and TTPs. Operators used the tool to stage lateral movement, deploy fileless PowerShell encryptors, and deliver multiple ransomware families, severely disrupting VMware ESXi and Windows servers.

Thu, October 9, 2025

Kantsu’s Ransomware Crisis: Recovery, Costs, and Lessons

🔒 Kantsu, a midsize Japanese logistics firm, was hit by ransomware on Sept. 12, 2024 that encrypted servers, cut communications, and halted shipping operations for hundreds of clients. The company refused to pay a ransom, shut down networks, replaced PCs, and rebuilt its cloud WMS Cloud Thomas on AWS while using analog processes to maintain critical shipments. Executives prioritized speed, cash availability, and employee welfare during an expensive recovery process that exposed gaps in cyber insurance.
