Cybersecurity

Threat actors have been observed compromising vulnerable Microsoft SQL servers and infecting them with FARGO ransomware. Disrupting database servers can lead to significant disruption of business operations. They are often compromised via brute force, dictionary attacks, or by exploiting unpatched vulnerabilities. According to security researchers at AhnLab, this attack chain involves downloading a .Net file and PowerShell, followed by the execution of a BAT file, which eventually leads to the deployment of the FARGO ransomware and a ransom note on a victim’s device.

Last week, researchers began noticing at least one ransomware group attempting to “up” the data extortion game. Researchers at Cyderes and Stairwell observed a BlackCat/ALPHV sample attempting to corrupt files within the victim’s environment rather than encrypting them and then staging the files for destruction. The data destruction functionality is being linked to Exmatter, a tool that has previously been associated with BlackMatter.

The U.K.’s National Cyber Security Center (NCSC) recently published guidance highlighting how organizations can strengthen access and identity management security by implementing additional authentication methods beyond just using passwords.

Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI published a joint Cybersecurity Advisory (CSA) with technical details on cyber activity by Iranian state-sponsored threat actors that launched a destructive cyberattack against the government of Albania. Members are encouraged to review this advisory for greater understanding of adversary capabilities and behaviors and for recommended mitigations to protect systems from similar threats – irrespective of threat group or victimology.