CyberSecurity news

FlagThis - #interlock

@training.invokere.com //
Researchers have uncovered a new and sophisticated variant of the Interlock RAT, a remote access trojan associated with the Interlock ransomware group. This latest iteration is written in PHP, marking a departure from previously observed JavaScript-based versions. The malware is being distributed through a widespread campaign that leverages compromised websites and Cloudflare tunnels. The attack chain begins with a single-line script injected into website HTML, often unbeknownst to the website owners. This script employs IP filtering to serve the payload, which then manipulates the user into clicking a captcha for "verification," ultimately leading to the execution of a PowerShell script that deploys the Interlock RAT.

The delivery mechanism for this new PHP variant utilizes the KongTuke FileFix technique. Researchers have noted that this updated method has been observed deploying the PHP version of the Interlock RAT, and in some instances, this has subsequently led to the deployment of the Node.js variant of the same RAT. The capabilities of this Interlock RAT variant include remote control of compromised systems, thorough system reconnaissance, and the ability to perform lateral movement within a network. This demonstrates an evolving level of sophistication in the threat actor's tactics.

The DFIR Report, in collaboration with Proofpoint, identified the malware and its distribution methods. The observed execution involves a PowerShell command that deletes a scheduled task named "Updater" before downloading and executing a script from a specific URL. This script, in turn, abuses the `php.exe` executable from an uncommon location to further download and execute the RAT. Security professionals are advised to be aware of PowerShell spawning `php.exe` from unusual directories as a potential indicator of compromise. Additionally, the RAT's reconnaissance activities, such as running `systeminfo`, `tasklist`, `whoami`, or `nltest`, provide further opportunities for detection.
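The two detection opportunities above, as an added example that is not from The DFIR Report's or Proofpoint's own tooling: a small Python scan over constructed Sysmon-style process-creation events that flags `php.exe` spawned by PowerShell from outside an allow-list of expected PHP install directories, and a burst of the named reconnaissance commands from a single parent process. The allow-list, the burst window and the threshold are assumptions to tune per environment.

```python
import ntpath
from datetime import datetime, timedelta
# Directories where php.exe is expected on this estate: an assumption, tune per environment.
EXPECTED_PHP_DIRS = {r"c:\php", r"c:\program files\php"}
RECON_TOOLS = {"systeminfo.exe", "tasklist.exe", "whoami.exe", "nltest.exe"}
RECON_WINDOW = timedelta(minutes=10)  # burst window, also an assumption
RECON_THRESHOLD = 3                   # distinct recon tools needed to alert

def php_from_unusual_path(ev):
    """True when PowerShell spawns php.exe from outside EXPECTED_PHP_DIRS."""
    parent = ntpath.basename(ev["parent_image"]).lower()
    image = ev["image"].lower()
    if parent not in ("powershell.exe", "pwsh.exe") or ntpath.basename(image) != "php.exe":
        return False
    return ntpath.dirname(image) not in EXPECTED_PHP_DIRS

def recon_bursts(events):
    """(host, parent_pid) pairs that ran >= RECON_THRESHOLD distinct recon tools within RECON_WINDOW."""
    by_parent = {}
    for ev in events:
        name = ntpath.basename(ev["image"]).lower()
        if name in RECON_TOOLS:
            key = (ev["host"], ev["parent_pid"])
            by_parent.setdefault(key, []).append((datetime.fromisoformat(ev["ts"]), name))
    hits = []
    for key, seq in by_parent.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):  # window anchored at each recon event in turn
            if len({n for t, n in seq[i:] if t - t0 <= RECON_WINDOW}) >= RECON_THRESHOLD:
                hits.append(key)
                break
    return hits

def scan(events):
    """Run both detections over process-creation events and return alert strings."""
    alerts = [f"{ev['host']}: PowerShell spawned php.exe from {ev['image']}"
              for ev in events if php_from_unusual_path(ev)]
    alerts += [f"{host}: recon burst from parent pid {pid}" for host, pid in recon_bursts(events)]
    return alerts
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events in a Sysmon-like shape, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2025-07-14T10:00:01", "host": "WS01", "parent_image": PS, "parent_pid": 4120, "image": r"C:\Users\Public\php\php.exe"},
    {"ts": "2025-07-14T10:00:05", "host": "WS01", "parent_image": r"C:\Users\Public\php\php.exe", "parent_pid": 5200, "image": r"C:\Windows\System32\systeminfo.exe"},
    {"ts": "2025-07-14T10:00:09", "host": "WS01", "parent_image": r"C:\Users\Public\php\php.exe", "parent_pid": 5200, "image": r"C:\Windows\System32\tasklist.exe"},
    {"ts": "2025-07-14T10:00:12", "host": "WS01", "parent_image": r"C:\Users\Public\php\php.exe", "parent_pid": 5200, "image": r"C:\Windows\System32\whoami.exe"},
    {"ts": "2025-07-14T11:30:00", "host": "SRV02", "parent_image": PS, "parent_pid": 900, "image": r"C:\php\php.exe"},  # expected install path, benign
    {"ts": "2025-07-14T11:31:00", "host": "SRV02", "parent_image": r"C:\Windows\System32\cmd.exe", "parent_pid": 910, "image": r"C:\Windows\System32\whoami.exe"},  # lone admin check
]
```

Calling `scan(SAMPLE_EVENTS)` yields one alert for the `php.exe` launched from `C:\Users\Public\php` and one for the three-command reconnaissance burst from parent PID 5200; the SRV02 events produce nothing.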



Classification:
  • HashTags: #InterlockRAT #KongTuke #Malware
  • Company: Interlock
  • Target: Websites
  • Attacker: The DFIR Report
  • Product: FileFix
  • Feature: RAT
  • Malware: Interlock RAT
  • Type: Malware
  • Severity: Major
Pauline Dornig@it-daily.net //
The ransomware group Interlock has claimed responsibility for the recent cyberattack on Kettering Health, a US healthcare organization comprised of hospitals, clinics, and medical centers in Ohio. The attack, which initially disrupted the healthcare system on May 20th, forced the shutdown of all computer systems and has left Kettering Health struggling to fully recover over two weeks later. CNN first reported on Interlock’s involvement in the breach, but at the time, the group had not publicly taken credit, leading to speculation that ransom negotiations might be underway. However, Interlock has now come forward, potentially indicating that negotiations with Kettering Health have been unsuccessful.

Interlock announced its involvement by posting alleged stolen data on its dark web site, claiming to have exfiltrated over 940 gigabytes of data from Kettering Health’s internal network. A preliminary review of the posted files indicates that the stolen data includes sensitive private health information, such as patient names, patient numbers, and detailed clinical summaries. These summaries contain sensitive information including mental status assessments, medication lists, health concerns, and other specific details about patients' medical conditions. The stolen data also encompasses employee information and the contents of shared drives, raising concerns about further potential privacy breaches.

The cyberattack has severely impacted Kettering Health's operations. Since the initial breach, numerous medical procedures have been canceled or postponed, forcing healthcare professionals to revert to paper-based documentation. This digital standstill has significantly affected clinical care for approximately 1.5 million patients annually. While Kettering Health has reported progress in restoring its systems, including bringing the electronic health record (EHR) system "Epic" back online with the help of around 200 employees, the full extent of the damage and the long-term consequences of the data breach are still unfolding.



References :
  • infosec.exchange: Ransomware gang Interlock claims responsibility for the Kettering Health hack, posting some alleged stolen data on its dark web site. Data includes private health information, such as patient names, patient numbers, and clinical summaries written by doctors, which include categories such as mental status, medications, health concerns, and other categories of patient data.
  • techcrunch.com: Ransomware gang Interlock claims responsibility for the Kettering Health hack, posting some alleged stolen data on its dark web site. Data includes private health information, such as patient names, patient numbers, and clinical summaries written by doctors, which include categories such as mental status, medications, health concerns, and other categories of patient data.
  • www.it-daily.net: Report on a ransomware attack on Kettering Health.
  • techcrunch.com: Health giant Kettering still facing disruption weeks after ransomware attack
  • The Register - Security: Ransomware scum leak patient data after disrupting chemo treatments at Kettering
  • BleepingComputer: Kettering Health confirms Interlock ransomware behind cyberattack
  • BleepingComputer: Details about the leaked data.
Mandvi@Cyber Security News //
The Interlock ransomware group is actively deploying a new, sophisticated remote access trojan (RAT) known as NodeSnake in attacks targeting corporate networks. Security researchers have observed this campaign, revealing that Interlock is leveraging NodeSnake as a key component of its attack toolkit to maintain persistent access and enhance its post-exploitation capabilities. NodeSnake, written in Golang, allows the attackers to bypass common detection mechanisms and exfiltrate sensitive data, ensuring continued access even if ransomware binaries are detected and removed.

Two UK-based universities and local government entities have fallen victim to NodeSnake within the past few months. Analysis by cybersecurity firm Quorum Cyber has uncovered two new variants of the RAT and strongly attributes them to the Interlock ransomware group. The timing of the incidents and the code they share suggest a coordinated campaign by the same threat actor, signalling a shift in targets for Interlock.

NodeSnake is a type of Remote Access Trojan (RAT). RATs are dangerous because they let attackers control infected computers remotely: access files, watch what users are doing, change system settings, and steal or delete important information, all while the RAT stays hidden on the system and can introduce further malicious programs. The two NodeSnake variants belong to the same family, with the newer one showing significant improvements. This RAT expands the group's capabilities for reconnaissance, lateral movement, and data exfiltration, facilitating ransomware deployment.



References :
  • Cyber Security News: Interlock Ransomware Deploys NodeSnake RAT to Maintain Access in Corporate Networks Security researchers have observed a sophisticated cyber campaign in which the Interlock ransomware group is leveraging the NodeSnake remote access trojan (RAT) as part of its attack toolkit against corporate networks.
  • gbhackers.com: Interlock Ransomware Uses NodeSnake RAT for Persistent Access to Corporate Networks. Two UK-based universities have fallen victim to a sophisticated Remote Access Trojan (RAT) dubbed NodeSnake within the past two months.
  • hackread.com: Interlock Ransomware Deploys New NodeSnake RAT in UK Attacks Quorum Cyber identifies two new NodeSnake RAT variants, strongly attributed to Interlock ransomware, impacting UK higher education and local government.
  • BleepingComputer: Interlock ransomware gang deploys new NodeSnake RAT on universities
  • ciso2ciso.com: Interlock Ransomware Deploys New NodeSnake RAT in UK Attacks – Source: hackread.com – Author: Deeba Ahmed.
  • cyberpress.org: Interlock Ransomware Deploys NodeSnake RAT to Maintain Access in Corporate Networks Security researchers have observed a sophisticated cyber campaign in which the Interlock ransomware group is leveraging the NodeSnake remote access trojan (RAT) as part of its attack toolkit against corporate networks.
  • ciso2ciso.com: Interlock Ransomware Deploys New NodeSnake RAT in UK Attacks – Source:hackread.com
  • bsky.app: "We don’t just want payment; we want accountability." The malicious hackers behind the Interlock ransomware try to justify their attacks. Learn more about what you need to know about Interlock in my article on the Tripwire blog. #cybersecurity #ransomware #clickfix
  • Graham Cluley: "We don’t just want payment; we want accountability." The malicious hackers behind the Interlock ransomware try to justify their attacks.
Classification:
  • HashTags: #ransomware #RAT #NodeSnake
  • Company: Quorum Cyber
  • Target: Educational Institutes
  • Attacker: Interlock
  • Feature: Remote Access
  • Malware: NodeSnake
  • Type: Ransomware
  • Severity: Major