URL: https://dailysecurityreview.com/news/ransomhub-zero-day/
CYBERSECURITY, NEWS, RANSOMWARE


RANSOMHUB RANSOMWARE GROUP EXPLOITS ZEROLOGON VULNERABILITY TO SPREAD MALWARE

Security researchers have uncovered ransomware attacks conducted by the
notorious RansomHub group leveraging the unpatched ZeroLogon vulnerability
(CVE-2020-1472) to gain initial access to victim environments.



 * Gabby Lee
 * June 10, 2024



HOW DOES RANSOMHUB GAIN INITIAL ACCESS?

According to Symantec, in recent attacks RansomHub actors have been exploiting
the ZeroLogon flaw in the Windows Netlogon Remote Protocol. This critical remote
code execution vulnerability allows attackers to fully compromise Windows domain
controllers with a single request without credentials.

Once the initial foothold is established on domain controllers through
ZeroLogon, RansomHub operators use remote access and network scanning tools
such as Atera, Splashtop and NetScan. These tools provide persistent remote
access and help the operators map the victim environment before ransomware
deployment.

After gaining access, RansomHub leverages the iisreset.exe and iisrstas.exe
command line utilities to stop IIS services before encrypting files. The
ransomware payload is then spread across the victim environment.


HOW PREVALENT IS THE RANSOMHUB THREAT?

RansomHub has grown rapidly to become one of the most prolific ransomware
groups. In just 3 months it has claimed over 60 victims according to Symantec,
a pace comparable to other major ransomware threats. This success has allowed
RansomHub to recruit from dismantled groups like BlackCat/ALPHV to improve its
capabilities.


CONNECTIONS TO OTHER RANSOMWARE FAMILIES

Interestingly, analysis revealed extensive code overlaps between RansomHub and
the now-defunct Knight ransomware. The payloads are near identical, suggesting
RansomHub operators acquired Knight source code and are reusing it with some
modifications.

Symantec analyzed the RansomHub payload and discovered extensive code
similarities with the discontinued Knight ransomware. Both payloads are written
in the Go programming language and use the same obfuscator, Gobfuscate.

Their help menus, encoding of important strings, and command execution flows are
nearly identical, and both RansomHub and Knight can restart endpoints in safe
mode prior to encryption.

Even the ransom notes are largely the same, with many verbatim phrases from
Knight appearing in RansomHub. However, Symantec believes it’s unlikely the
original Knight operators now run RansomHub.

Rather, the RansomHub operators likely purchased the Knight source code when its
creators put it up for sale earlier this year. They are now reusing the code
with some modifications, like different commands executed via cmd.exe depending
on configuration.

In summary, the RansomHub group has effectively leveraged the widespread
unpatched ZeroLogon vulnerability to compromise numerous victims and establish
itself as a significant ransomware threat. Prompt patching remains critical to
prevent destructive attacks exploiting this vulnerability.
