Last week, officials at the Chilean telecom company GTD identified a cyberattack on their Infrastructure-as-a-Service (IaaS) platform, which provides many IT services to their international clientele. After disconnecting the IaaS platform from the Internet, the investigation into the attack revealed a Rorschach ransomware encryptor that had been deployed through DLL sideloading, abusing a known weakness in a legitimate DLL to load the malicious payload. Rorschach ransomware is known for encrypting entire systems at incredible pace and has been tested with sub-5-minute encryption times.
LockBit ransomware claims data breach at Boeing
Officials at the aerospace manufacturer Boeing are investigating claims from the LockBit ransomware group that the company suffered a significant data breach and has only a few days to pay an undisclosed ransom to avoid the data being published. The threat actors behind LockBit have created a post on their leak site claiming to have breached Boeing, but say they will not post any samples of the stolen data until after the November 2nd deadline, framing this as a good-faith effort to keep highly confidential information out of competitors' hands for now.
Hackers contacting Nevada school district breach victims
The hackers behind the recent data breach of Nevada's Clark County School District (CCSD) have started emailing the victims of the breach to warn them that their data was compromised during a months-long network intrusion. Officials at CCSD, which is the fifth largest school district in the US, were unaware of the breach and have yet to resolve or acknowledge the security incident, while the hackers have also stated that they still have access to the network. In a statement to Databreaches.net, the hackers claim to have stolen 6 years' worth of student data for over 200,000 individuals, as well as financial and salary information from the district.
Israeli companies under siege by BiBi-Linux wiper malware
Researchers have been tracking a new wiper malware, BiBi-Linux, that has been deployed by a pro-Hamas group to erase the digital infrastructure of several Israeli companies. By leveraging multiple threads, the wiper can overwrite and destroy files concurrently, then rename them to include the string "BiBi," the nickname of the current Israeli Prime Minister. With no connection to a C2 server and no ransom note dropped on affected systems, this malware is used exclusively for destruction.
Defunct Hive ransomware makes possible return as Hunters International
Not long after the FBI takedown of the Hive ransomware group, a new ransomware-as-a-service (RaaS) operation has appeared on the scene that reuses roughly 60% of the old Hive source code: Hunters International. The researcher who first identified the Hunters International encryptor found numerous code overlaps with prior Hive source code. The threat actors behind Hunters International claim that they are not a resurgence of Hive; they say they simply purchased the encryptor code and made several improvements to it.