URL: https://thehackernews.com/2024/11/new-helldown-ransomware-expands-attacks.html
NEW 'HELLDOWN' RANSOMWARE VARIANT EXPANDS ATTACKS TO VMWARE AND LINUX SYSTEMS

Nov 19, 2024Ravie LakshmananRansomware / Linux

Cybersecurity researchers have shed light on a Linux variant of a relatively new
ransomware strain called Helldown, suggesting that the threat actors are
broadening their attack focus.

"Helldown deploys Windows ransomware derived from the LockBit 3.0 code," Sekoia
said in a report shared with The Hacker News. "Given the recent development of
ransomware targeting ESX, it appears that the group could be evolving its
current operations to target virtualized infrastructures via VMware."

Helldown was first publicly documented by Halcyon in mid-August 2024, describing
it as an "aggressive ransomware group" that infiltrates target networks by
exploiting security vulnerabilities. Some of the prominent sectors targeted by
the cybercrime group include IT services, telecommunications, manufacturing, and
healthcare.

Like other ransomware crews, Helldown is known for leveraging data leak sites to
pressure victims into paying ransoms by threatening to publish stolen data, a
tactic known as double extortion. It's estimated to have attacked at least 31
companies within a span of three months.

Truesec, in an analysis published earlier this month, detailed Helldown attack
chains that have been observed making use of internet-facing Zyxel firewalls to
obtain initial access, followed by carrying out persistence, credential
harvesting, network enumeration, defense evasion, and lateral movement
activities to ultimately deploy the ransomware.

Sekoia's new analysis shows that the attackers are abusing known and unknown
security flaws in Zyxel appliances to breach networks, using the foothold to
steal credentials and create SSL VPN tunnels with temporary users.

The Windows version of Helldown, once launched, performs a series of steps prior
to exfiltrating and encrypting the files, including deleting system shadow
copies and terminating various processes related to databases and Microsoft
Office. In the final step, the ransomware binary is deleted to cover up the
tracks, a ransom note is dropped, and the machine is shut down.

Its Linux counterpart, per the French cybersecurity company, lacks obfuscation
and anti-debugging mechanisms, while incorporating a concise set of functions to
search and encrypt files, but not before listing and killing all active virtual
machines (VMs).

"The static and dynamic analysis revealed no network communication, nor any
public key or shared secret," it said. "This is notable, as it raises questions
about how the attacker would be able to supply a decryption tool."

"Terminating VMs before encryption grants ransomware write access to image
files. However, both static and dynamic analysis reveal that, while this
functionality exists in the code, it is not actually invoked. All these
observations suggest that the ransomware is not highly sophisticated and may
still be under development."

Helldown Windows artifacts have been found to share behavioral similarities with
DarkRace, which emerged in May 2023 using code from LockBit 3.0 and later
rebranded to DoNex. A decryptor for DoNex was made available by Avast back in
July 2024.

"Both codes are variants of LockBit 3.0," Sekoia said. "Given Darkrace and
Donex's history of rebranding and their significant similarities to Helldown,
the possibility of Helldown being another rebrand cannot be dismissed. However,
this connection cannot be definitively confirmed at this stage."

The development comes as Cisco Talos disclosed another emerging ransomware
family known as Interlock that has singled out healthcare, technology, and
government sectors in the U.S., and manufacturing entities in Europe. It's
capable of encrypting both Windows and Linux machines.

Attack chains distributing the ransomware have been observed using a fake Google
Chrome browser updater binary hosted on a legitimate-but-compromised news
website. When run, it unleashes a remote access trojan (RAT) that allows the
attackers to extract sensitive data and execute PowerShell commands designed to
drop payloads for harvesting credentials and conducting reconnaissance.

"In their blog, Interlock claims to target organizations' infrastructure by
exploiting unaddressed vulnerabilities and claims their actions are in part
motivated by a desire to hold companies accountable for poor cybersecurity, in
addition to monetary gain," Talos researchers said.

Interlock is assessed to be a new group that sprang forth from Rhysida operators
or developers, the company added, citing overlaps in tradecraft, tools, and
ransomware behavior.

"Interlock's possible affiliation with Rhysida operators or developers would
align with several broader trends in the cyber threat landscape," it said. "We
observed ransomware groups diversifying their capabilities to support more
advanced and varied operations, and ransomware groups have been growing less
siloed, as we observed operators increasingly working alongside multiple
ransomware groups."

Coinciding with the arrival of Helldown and Interlock is another new entrant to
the ransomware ecosystem called SafePay, which claims to have targeted 22
companies to date. SafePay, per Huntress, also uses LockBit 3.0 as its base,
indicating that the leak of the LockBit source code has spawned several
variants.

In two incidents investigated by the company, "the threat actor's activity was
found to originate from a VPN gateway or portal, as all observed IP addresses
assigned to threat actor workstations were within the internal range," Huntress
researchers said.

"The threat actor was able to use valid credentials to access customer
endpoints, and was not observed enabling RDP, nor creating new user accounts,
nor creating any other persistence."

© The Hacker News, 2024. All Rights Reserved.