惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Secure Thoughts
罗磊的独立博客
T
The Blog of Author Tim Ferriss
人人都是产品经理
人人都是产品经理
博客园 - 叶小钗
Last Week in AI
Last Week in AI
美团技术团队
Google Online Security Blog
Google Online Security Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
D
Docker
G
Google Developers Blog
大猫的无限游戏
大猫的无限游戏
酷 壳 – CoolShell
酷 壳 – CoolShell
小众软件
小众软件
月光博客
月光博客
L
LINUX DO - 最新话题
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
W
WeLiveSecurity
H
Heimdal Security Blog
Vercel News
Vercel News
SecWiki News
SecWiki News
Forbes - Security
Forbes - Security
Blog — PlanetScale
Blog — PlanetScale
Google DeepMind News
Google DeepMind News
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
www.infosecurity-magazine.com
www.infosecurity-magazine.com
TaoSecurity Blog
TaoSecurity Blog
T
Troy Hunt's Blog
A
About on SuperTechFans
C
Check Point Blog
S
Security Affairs
Hacker News - Newest:
Hacker News - Newest: "LLM"
AI
AI
WordPress大学
WordPress大学
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Help Net Security
Help Net Security
博客园_首页
The Last Watchdog
The Last Watchdog
S
SegmentFault 最新的问题
Hugging Face - Blog
Hugging Face - Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
Engineering at Meta
Engineering at Meta
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
I
Intezer
K
Kaspersky official blog
M
MIT News - Artificial intelligence
J
Java Code Geeks
G
GRAHAM CLULEY
P
Palo Alto Networks Blog

Vulnerabilities – Threatpost

Ransomware Attacks are on the Rise Cybercriminals Are Selling Access to Chinese Surveillance Cameras Firewall Bug Under Active Attack Triggers CISA Warning iPhone Users Urged to Update to Patch 2 Zero-Days Google Patches Chrome’s Fifth Zero-Day of the Year Xiaomi Phone Bug Allowed Payment Forgery Black Hat and DEF CON Roundup Microsoft Patches ‘Dogwalk’ Zero-Day and 17 Critical Flaws Open Redirect Flaw Snags Amex, Snapchat User Data
Feds: Zeppelin Ransomware Resurfaces with New Compromise, Encryption Tactics
Elizabeth Montalbano · 2022-08-13 · via Vulnerabilities – Threatpost

The CISA has seen a resurgence of the malware targeting a range of verticals and critical infrastructure organizations by exploiting RDP, firewall vulnerabilities.

Zeppelin ransomware is back and employing new compromise and encryption tactics in its recent campaigns against various vertical industries—particularly healthcare—as well as critical infrastructure organizations, the feds are warning.

Threat actors deploying the ransomware as a service (RaaS) are tapping remote desktop protocol (RDD) exploitation and SonicWall firewall vulnerabilities–alongside previously used phishing campaigns–to breach target networks, according to an advisory from the Cybersecurity and Infrastructure Security Agency (CISA) released Thursday.

Zeppelin also appears to have a new multi-encryption tactics, executing the malware more than once within a victim’s network and creating different IDs and file extensions for multiple instances attack, according to the CISA.Infosec Insiders Newsletter

“This results in the victim needing several unique decryption keys,” according to the advisory.

The CISA has identified multiple variants of Zeppelin through various FBI investigations, with attacks occurring as recently as June 21, the agency said.

Targets and Tactics

Zeppelin is a variant of the Delphi-based ransomware-as-a-service (RaaS) family initially known as Vega or VegaLocker, which emerged at the beginning of 2019 in advertisements on the Russia-based Yandex.Direct, according to BlackBerry Cylance.

Unlike its predecessor, Zeppelin’s campaigns have been much more targeted, with threat actors first taking aim at tech and healthcare companies in Europe and the United States.

The latest campaigns continue to target healthcare and medical organizations most often, according to the CISA. Tech companies also remain in the crosshairs of Zeppelin, with threat actors also using the RaaS in attacks against defense contractors, educational institutions and manufacturers, the agency said.

Once they successfully infiltrate a network, threat actors spend one to two weeks mapping or enumerating it to identify data enclaves, including cloud storage and network backup, according to the agency. They then deploy Zeppelin ransomware as a .dll or .exe file or contained within a PowerShell loader.

Zeppelin also appears to be using the common ransomware tactic of double extortion in its latest campaigns, exfiltrating sensitive data files from a target prior to encryption for potential publication online later if the victim refuses to pay, according to the CISA.

Multiple Encryption

Once Zeppelin ransomware is executed on a network, each encrypted file is appended with a randomized nine-digit hexadecimal number as a file extension, e.g., file.txt.txt.C59-E0C-929, according to the CISA.

Threat actors also leave a note file that includes a ransom note on compromised systems, typically on a user desktop system, the agency said. Zeppelin actors typically request payments in Bitcoin in the range of several thousand dollars to more than $1 million.

The latest campaigns also show threat actors using a new tactic associated with Zeppelin to execute the malware multiple times within a victim’s network, which means a victim would need not one but multiple decryption keys to unlock files, according to the CISA.

However, this may or may not be a unique aspect of a ransomware attack, noted one security professional. Roger Grimes, data-driven defense evangelist for security firm KnowBe4, said it’s not uncommon for threat actors to encrypt different files separately but use one master key to unlock systems.

“Most ransomware programs today have an overall master key which encrypts a bunch of other keys which really do the encryption,” he told Threatpost in an email.

When the victim asks for proof that the ransomware attacker has decryption keys that can successfully unlock files if a ransom is paid, the ransomware group then uses a single key to unlock a single set of files to prove its worth, Grimes said.