Play ransomware on the rise, warns FBI, but research points to yet more hidden dangers
As the FBI and Cybersecurity & Infrastructure Security Agency issue a joint warning to businesses about the Play ransomware group, ESET research reminds us that ransomware isn’t the only fruit.
The FBI, CISA and the Australian Cyber Security Centre (ACSC) have published a joint advisory that warns organisations of the threat from ransomware group Play and exposes the indicators of compromise that security teams should look out for.
According to the report, the Play ransomware group used compromised credentials and vulnerabilities in public-facing applications, such as FortiOS and Microsoft Exchange. It also took advantage of Remote Desktop Protocol (RDP) for initial access.
Play then uses double-extortion techniques to pressurise organisations into paying their demands. Any organisation that does not pay a demand will have its data published on Play’s Tor leak site.
Simon Lawrence, Director and Co-Founder of i-confidential, says that while these tactics, techniques and procedures (TTPs) “mirror the TTPs of other ransomware gangs, it once again highlights the importance of securing employee login credentials”.
Both the government agencies and Lawrence recommend multi-factor authentication (MFA) as the primary defence, since it makes it harder for threat actors to gain access even when they already hold stolen credentials.
“Criminals frequently spoof the login pages of MFA tools,” Lawrence adds, “so employees must also be taught to look out for these, such as verifying the URL of a page or looking out for suspicious imagery, before entering their details.”
ESET: ransomware not the only threat
But, as a threat report published by ESET today warns, ransomware is not the only threat. Although the Cl0p ransomware group features prominently, having exploited a vulnerability in the MOVEit file transfer app, this wasn’t ransomware as we know it: the attack relied solely on threats to expose exfiltrated data.
“The Cl0p attack targeted numerous organisations, including global corporations and US governmental agencies,” says ESET Director of Threat Detection Jiří Kropáč. “A key shift in Cl0p’s strategy was its move to leak stolen information to public websites in cases where the ransom was not paid, a trend also seen with the ALPHV ransomware gang.”
The ESET report also highlights a newly prevalent threat to users of IoT devices, a category spanning everything from smart TVs to mobile devices: Android devices infected with Android/Pandora malware are being used to power denial-of-service attacks.
Talking of Android, SpinOK is distributed as a software development kit that’s found in legitimate applications, but is actually spyware.
And let’s not forget ChatGPT, which threat actors are using as bait to lure victims to malicious domains with names closely resembling OpenAI’s AI service of the moment.
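Both the spoofed MFA login pages Lawrence describes and the ChatGPT lookalike domains ESET reports rely on a URL that is almost, but not quite, the real one. The following is an added example (not code from the article, ESET, i-confidential or any of the agencies cited) of a small defender-side check that flags such lookalike hostnames against an allowlist of legitimate domains. The allowlist, the sample hostnames and the similarity threshold are constructed for this example; a production version would use the public suffix list for the registrable-domain step and a full Unicode confusables table for homoglyph folding.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed allowlist of legitimate domains (assumption for this example).
LEGIT_DOMAINS = ["openai.com", "chat.openai.com"]

# A few common ASCII look-alike substitutions. Real deployments should use
# the Unicode confusables data; this short table is illustrative only.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Similarity at or above this ratio is treated as a lookalike (constructed).
LOOKALIKE_THRESHOLD = 0.8


def canonical(hostname: str) -> str:
    """Lower-case, NFKC-normalise and drop a leading 'www.' and trailing dot."""
    host = unicodedata.normalize("NFKC", hostname).lower().strip(".")
    return host[4:] if host.startswith("www.") else host


def fold_homoglyphs(hostname: str) -> str:
    """Replace look-alike character sequences with the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        hostname = hostname.replace(fake, real)
    return hostname


def registrable(hostname: str) -> str:
    """Naive eTLD+1: the last two labels. Use the public suffix list in real code
    (this deliberately mis-handles suffixes such as co.uk)."""
    labels = hostname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def classify(hostname: str) -> tuple:
    """Return (verdict, matched_legit_domain, score).

    verdict is 'legit' (exact match or genuine subdomain of an allowlisted
    domain), 'lookalike' (resembles one but is not under it) or 'unrelated'.
    """
    raw = canonical(hostname)
    # Legitimacy is decided on the un-folded name: '0penai.com' must never pass.
    for legit in LEGIT_DOMAINS:
        if raw == legit or raw.endswith("." + legit):
            return ("legit", legit, 1.0)

    folded = fold_homoglyphs(raw)
    folded_reg = registrable(folded)
    best_match, best_score = None, 0.0
    for legit in LEGIT_DOMAINS:
        legit_reg = registrable(legit)
        brand = legit_reg.split(".")[0]
        # Edit-similarity between the registrable parts catches typos/homoglyphs.
        score = SequenceMatcher(None, folded_reg, legit_reg).ratio()
        # The brand token anywhere in the hostname, while the registrable domain
        # differs, catches 'openai-login.net' and 'openai.com.evil.example'.
        if brand in folded and folded_reg != legit_reg:
            score = max(score, 0.9)
        if score > best_score:
            best_match, best_score = legit, score

    if best_score >= LOOKALIKE_THRESHOLD:
        return ("lookalike", best_match, round(best_score, 2))
    return ("unrelated", None, 0.0)


if __name__ == "__main__":
    # Constructed sample hostnames, as might appear in proxy or DNS logs.
    for host in ["chat.openai.com", "0penai.com", "openai-chat.net",
                 "openai.com.evil-login.example", "example.org"]:
        print(host, "->", classify(host))
```

Run over the hostnames in proxy or DNS logs, `lookalike` verdicts are the ones worth alerting on; the `legit` branch intentionally checks the un-folded name so that a homoglyph domain can never be promoted to trusted.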