DragonForce actors target SimpleHelp vulnerabilities to attack MSP, customers

Security Operations – Sophos News

By:gallagherseanm

27 May 2025 at 05:00

Ransomware actor exploited RMM to access multiple organizations; Sophos EDR blocked encryption on customer’s network

A familiar playbook with a twist: 3AM ransomware actors dropped virtual machine with vishing and Quick Assist

Security Operations – Sophos News

By:gallagherseanm

20 May 2025 at 12:30

Another adversary picks up the email bombing / vishing Storm-1811 playbook, doing thorough reconnaissance to target specific employees with fake help desk call—this time, over the phone.

A timeline of the 3AM Ransomware actor’s attack.

Figure 2: Discussion about Blacksuit (now rebranded as 3AM) in the leaked BlackBasta chat logs

Lumma Stealer, coming and going

Security Operations – Sophos News

By:Angela Gunn

9 May 2025 at 04:12

The high-profile information stealer switches up its TTPs, but keeps the CAPTCHA tactic; we take a deep dive

A legitimate-seeming verification challenge

A second verification challenge, described in text

A flow chart depicting attack flow for Lumma Stealer

A listing of assorted files dropped by the malicious downloader

Log activity caused by the described EXE

An apparently legitimately "PDF," with a warning visible

A system message indicating that authorship of the alleged "PDF cannot be verified

A view of the shortcut showing a great deal of obfuscation

A CyberChef screen showing the code under examination

The questionable file, semi-decoded, now seen in Base64

Another obfuscated view, this time of the execution instruction

A large block of obfuscation with many amusing words, mainly concerning snacks

NICKEL TAPESTRY expands fraudulent worker operations

Security Operations – Sophos News

By:Angela Gunn

8 May 2025 at 11:45

The North Korean IT worker scheme grows to include organizations in Europe and Asia and industries beyond the technology sector

Moving CVEs past one-nation control

Security Operations – Sophos News

By:Chester Wisniewski

17 April 2025 at 15:57

A near-miss episode of attempted defunding spotlights a need for a better way

Sophos Annual Threat Report appendix: Most frequently encountered malware and abused software

Security Operations – Sophos News

By:gallagherseanm

16 April 2025 at 05:00

These are the tools of the trade Sophos detected in use by cybercriminals over 2024

Other12.79% Miner 0.89% Ransomware 1.18% Web/Browser Hijack 3.60% Attack tool/Exploit/EDR Killer 7.95% RAT/Backdoor 15.52% Stealer/Spyware 18.63% Loader/Downloader/Dropper 39.74% 9.13% of all malware was malware-as-a-service

Qilin (ransomware)1.05% Blacksuit (ransomware) 1.23% Faust (ransomware) 1.23% Crytox (ransomware) 1.41% Playcrypt (ransomware) 1.58% Black Basta (ransomware) 1.93% RansomHub (ransomware) 2.28% Gootloader (malware loader/dropper) 2.64% ChromeLoader (malware loader/dropper) 3.51% Fog (ransomware) 3.51% LockBit (ransomware) 4.39% Lumma Stealer (information stealer) 4.57% Akira (ransomware) 4.92% Cobalt Strike (C2 tool) 8.08% Web shell (C2) 9.84%

ExMatter (data exfiltration)0.56% Backstab (EDR killer) 0.56% Parcel RAT 0.56% DataGrabber (data exfiltration) 0.56% AsyncRAT 0.56% Sliver attack tool 0.56% Pikabot backdoor 0.56% Brute Ratel C4 0.56% Metasploit exploit framework 1.11% Grixba network scanning tool 1.11% SystemBC proxy/RAT 1.67% XMRIG miner malware 2.22% Web shell 7.22% Cobalt Strike attack tool 10.56%

Advanced Port Scanner (network discovery)4.92% FileZilla (file exfiltration) 5.10% Rclone (file exfiltration) 7.38% 7-Zip (file archiving/encryption) 7.38% PuTTy (remote command execution) 7.73% ScreenConnect (remote desktop access) 9.14% WinRAR (file archiving/encryption) 9.31% Sophos Uninstall (security tool removal) 9.49% Advanced IP Scanner (network discovery) 10.72% Mimikatz (credential dumping) 11.60% RDPclip (remote/local shared clipboard) 16.70% Impacket (network protocol exploitation) 17.05% AnyDesk (remote desktop access) 17.40% PsExec (remote command execution) 18.28% SoftPerfect Network Scanner (network discovery) 19.51%

TypeFrequency LevelRMM (remote machine management) 0.70% RemCom (remote command execution) 0.70% MobaXterm (remote shell) 0.88% VNC (remote desktop) 1.58% NetSupport (remote machine management) 1.76% Cloudflared (Cloudflare network tunneling client) 1.76% Ngrok (web application tunneling) 2.11% WinRM (remote machine management) 2.28% Splashtop (remote desktop) 2.99% TeamViewer (remote desktop) 3.16% Atera (remote machine management) 3.51% OpenSSH (remote shell) 4.04% PuTTy (remote shell) 7.73% ScreenConnect (remote desktop) 9.14% AnyDesk (remote desktop) 17.40% PSExec (remote command execution) 18.28%

A chart showing a histogram of Lumma Stealer detections, with a majority of detections occurring in October and November of 2024.

A histogram showing a peak of Lumma Stealer events in November

A histogram showing spikes of Strela Stealer detections in February, March and July of 2024.

Stealc (information stealer)0.35% AsyncRAT (RAT with infostealer features) 0.53% More_eggs (RAT that can carry infostealer payload) 0.53% Brute Ratel C4 (red team C2 tool) 0.53% Metasploit (red team command and control tool) 0.70% Remcos (RAT) 0.70% FakeBat /EugenLoader (malware loader) 0.70% Sliver (red team C2 tool) 0.88% XMRIG (cryptocurrency miner) 1.05% SystemBC (proxy and RAT) 1.05% Gootloader (malware loader) 2.64% ChromeLoader (browser malware loader) 3.51% Lumma Stealer (information stealer) 4.57% Cobalt Strike (red team C2 tool with information stealing modules) 8.08% Web shell (malware deployment, command and control) 9.84%

Cicada33011.64% Mimic 1.64% Hunters International 2.19% INC Ransomware 2.19% 8Base 2.73% Qilin 3.28% Blacksuit 3.83% Faust 3.83% Crytox 4.37% Playcrypt 4.92% Black Basta 6.01% RansomHub 7.10% Fog 10.93% LockBit 13.66% Akira 15.30%

A histogram of Lockbit variant ransomware detections with a spike in late February 2024.

The Sophos Annual Threat Report: Cybercrime on Main Street 2025

Security Operations – Sophos News

By:gallagherseanm

16 April 2025 at 05:00

Ransomware remains the biggest threat, but old and misconfigured network devices are making it too easy

Figure 2: Relative frequency of initial compromise points by cybercriminals against small and medium businesses, based on all incident data. Initial compromise causes here overlap in some cases

Figure 3: Relative frequency of initial compromise points specifically observed in ransomware and data exfiltration/extortion attacks by cybercriminals against small and medium businesses, based on Sophos MDR and Incident Response incident data

How Sophos names STACs STACs are assigned numeric identifiers that are generated based on the type of activity, with their first digit representing motivation: 1: State-sponsored 2: Hacktivist 3: Initial access brokers 4: Financially motivated cybercrime 5: Ransomware affiliates 6: Unknown

Figure 4: Frag Ransomware note associated with a STAC5881 attack

Figure 6: Remote ransomware attacks from 2022 to 2024 by quarter

Figure 7: A developer browser view of a FlowerStorm phishing page

A login screen with a picture of a raccoon with a human body dressed in futuristic gunslinger garb.

A screenshot of the same raccoon from figure 8 from a generative AI website.

Figure 10: A phishing email with a QR code targeting Sophos employees

Figure 11: The fake authentication window for the phishing site the QR code directed targets to, with a Cloudflare security check to validate the target

It takes two: The 2025 Sophos Active Adversary Report

Security Operations – Sophos News

By:Angela Gunn

2 April 2025 at 05:01

The dawn of our fifth year deepens our understanding of the enemies at the gate, and some tensions inside it; plus, an anniversary gift from us to you