Feds: Zeppelin Ransomware Resurfaces with New Compromise, Encryption Tactics
Elizabeth Montalbano · 2022-08-13 · via Vulnerabilities – Threatpost

CISA has seen a resurgence of the malware targeting a range of verticals and critical infrastructure organizations by exploiting RDP and SonicWall firewall vulnerabilities.

Zeppelin ransomware is back and employing new compromise and encryption tactics in its recent campaigns against various vertical industries—particularly healthcare—as well as critical infrastructure organizations, the feds are warning.

Threat actors deploying the ransomware as a service (RaaS) are tapping remote desktop protocol (RDP) exploitation and SonicWall firewall vulnerabilities, alongside the phishing campaigns they have used before, to breach target networks, according to an advisory from the Cybersecurity and Infrastructure Security Agency (CISA) released Thursday.

Zeppelin also appears to have new multi-encryption tactics, executing the malware more than once within a victim's network and creating a different ID and file extension for each instance of the attack, according to CISA.

“This results in the victim needing several unique decryption keys,” according to the advisory.

CISA has identified multiple variants of Zeppelin through various FBI investigations, with attacks occurring as recently as June 21, the agency said.

Targets and Tactics

Zeppelin is a variant of the Delphi-based ransomware-as-a-service (RaaS) family initially known as Vega or VegaLocker, which emerged at the beginning of 2019 in advertisements on the Russia-based Yandex.Direct, according to BlackBerry Cylance.

Unlike its predecessor, Zeppelin’s campaigns have been much more targeted, with threat actors first taking aim at tech and healthcare companies in Europe and the United States.

The latest campaigns continue to target healthcare and medical organizations most often, according to CISA. Tech companies also remain in the crosshairs of Zeppelin, with threat actors also using the RaaS in attacks against defense contractors, educational institutions and manufacturers, the agency said.

Once they successfully infiltrate a network, threat actors spend one to two weeks mapping or enumerating it to identify data enclaves, including cloud storage and network backup, according to the agency. They then deploy Zeppelin ransomware as a .dll or .exe file or contained within a PowerShell loader.

Zeppelin also appears to be using the common ransomware tactic of double extortion in its latest campaigns, exfiltrating sensitive data files from a target prior to encryption so they can be published online later if the victim refuses to pay, according to CISA.

Multiple Encryption

Once Zeppelin ransomware is executed on a network, each encrypted file is appended with a randomized nine-digit hexadecimal number as a file extension, e.g., file.txt.txt.C59-E0C-929, according to CISA.

Threat actors also leave a ransom note on compromised systems, typically on a user's desktop, the agency said. Zeppelin actors typically request payment in Bitcoin, in amounts ranging from several thousand dollars to more than $1 million.

The latest campaigns also show threat actors using a new tactic associated with Zeppelin: executing the malware multiple times within a victim's network, so that a victim would need not one but multiple decryption keys to unlock its files, according to CISA.
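The two observations above (a randomized hyphenated extension per encrypted file, and a distinct extension per execution) give responders a quick triage check. The following Python script is an added example, not code from the Threatpost article or from CISA's advisory. It assumes the extension layout shown in CISA's example (three groups of three hex digits separated by hyphens; treating that layout and case-insensitive hex digits as universal across Zeppelin variants is an assumption), scans a constructed file listing for that pattern, groups files by extension, and counts the distinct extensions as an estimate of how many times the ransomware ran and so how many decryption keys a victim would need.

```python
import re
from collections import defaultdict

# Extension layout taken from CISA's example "file.txt.txt.C59-E0C-929":
# nine hex digits in three hyphenated groups of three. ASSUMPTION: every
# Zeppelin instance uses exactly this layout; lowercase hex is allowed
# defensively, which CISA's example does not confirm.
ZEPPELIN_EXT = re.compile(r"\.([0-9A-F]{3}-[0-9A-F]{3}-[0-9A-F]{3})$", re.IGNORECASE)

# Constructed sample listing (e.g. the output of `dir /s /b` or an EDR file
# inventory). These paths are invented for the example, not from any incident.
SAMPLE_LISTING = """
C:\\Users\\jdoe\\Documents\\budget.xlsx.C59-E0C-929
C:\\Users\\jdoe\\Documents\\notes.txt.txt.C59-E0C-929
C:\\Shares\\finance\\q2.docx.1A7-F03-B2D
C:\\Shares\\finance\\q3.docx.1A7-F03-B2D
\\\\fileserver\\data\\archive.zip.7B2-04D-E11
C:\\Shares\\hr\\policy.pdf
C:\\Users\\jdoe\\Desktop\\readme.txt
"""


def classify_paths(listing):
    """Group file paths carrying a Zeppelin-style extension by that extension.

    Returns {extension: [paths]}; paths without a matching extension are
    ignored. The extension is normalized to upper case so the same instance
    is not counted twice because of case differences.
    """
    groups = defaultdict(list)
    for line in listing.splitlines():
        path = line.strip()
        if not path:
            continue
        match = ZEPPELIN_EXT.search(path)
        if match:
            groups[match.group(1).upper()].append(path)
    return dict(groups)


def count_instances(listing):
    """Number of distinct extensions seen.

    Each Zeppelin execution stamps its own extension, so this approximates
    how many times the malware ran and how many decryption keys would be
    needed. Nine random hex digits make an accidental collision between
    two separate runs unlikely, so distinct extensions are treated as
    distinct runs.
    """
    return len(classify_paths(listing))


def summarize(listing):
    """Return (extension, file_count) pairs, most-affected extension first."""
    groups = classify_paths(listing)
    return sorted(((ext, len(paths)) for ext, paths in groups.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    print(f"distinct Zeppelin extensions: {count_instances(SAMPLE_LISTING)}")
    for ext, n in summarize(SAMPLE_LISTING):
        print(f"  {ext}: {n} file(s)")
```

Run it against a full file inventory rather than a single share: because each execution gets its own extension, the same host may hold files from several runs, and a count taken from one directory undercounts the keys required. The extension match is a triage signal only; confirm each group against the ransom note and the process that wrote the files before treating the count as the number of keys to negotiate for.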

However, this may or may not be a unique aspect of a ransomware attack, noted one security professional. Roger Grimes, data-driven defense evangelist for security firm KnowBe4, said it’s not uncommon for threat actors to encrypt different files separately but use one master key to unlock systems.

“Most ransomware programs today have an overall master key which encrypts a bunch of other keys which really do the encryption,” he told Threatpost in an email.

When the victim asks for proof that the ransomware attacker has decryption keys that can successfully unlock files if a ransom is paid, the ransomware group then uses a single key to unlock a single set of files to prove its worth, Grimes said.