
New Money Message Ransomware Demands Payment or Threatens Total Data Loss
- Written by Ari Denial, Cybersecurity & Tech Writer
Ransomware groups are multiplying across the threat landscape as quickly as mushrooms after rainfall. Among the recent additions to this already vast pool is the Money Message group, which has been observed demanding million-dollar ransoms from its victims in exchange for a decryptor.
The Money Message encryptor, written in C++, carries an embedded JSON configuration file that dictates how a device is encrypted. The configuration defines critical parameters: the folders that should be excluded from encryption, the extension to be appended to encrypted files, and the services and processes that must be terminated before encryption begins. It also includes an option to enable or disable logging during the encryption process.
A significant concern is that the Money Message configuration file also contains domain login names and passwords; the attackers could use these stolen credentials to access other systems and inflict further harm, which underlines the serious implications of such ransomware attacks.
The encryption process employed by the Money Message ransomware does not append any extension while encrypting files, though this behavior may be subject to variation depending on the targeted victim. According to Rivitna, a security researcher, the encryption technique utilized by the ransomware is ChaCha20/ECDH.
Upon completion of the encryption process, the Money Message ransomware creates a ransom note in the form of a file named money_message.log. This file includes a hyperlink that leads the victim to a TOR negotiation site, which is utilized for conducting negotiations with the attackers.
In addition to the ransom demand, the ransomware operators issue a warning that they will publish any stolen data on their data leak site if the victim fails to pay the demanded ransom.
Despite the lack of sophistication in the group’s encryptor, their attacks have proven successful at stealing data and encrypting devices. As researchers continue to analyze the ransomware, any weakness in its encryption would be identified.

European Government Emails Stolen Through Exploiting Vulnerability in Zimbra Email Platform
- Written by Ari Denial, Cybersecurity & Tech Writer
The Russian hacking group TA473, also known as ‘Winter Vivern,’ has been targeting unpatched Zimbra endpoints since February 2023 to steal the emails of NATO officials, governments, military personnel, and diplomats. Recent operations have involved using fake European agency websites to spread malware disguised as a virus scanner.
Proofpoint has now released a report detailing how the group exploits the CVE-2022-27926 vulnerability in Zimbra Collaboration servers to access the communications of NATO-aligned individuals and organizations.
Security researchers suggest that Belarus and Russia may be aligned with the APT group, although such support remains unproven. Zimbra Collaboration is a versatile platform used by businesses, service providers, governments, and educational institutions to manage emails, contacts, calendars, and tasks, and is available for on-premise or cloud-based deployment.
A link embedded in emails is being used to exploit the CVE-2022-27926 vulnerability in compromised Zimbra infrastructure. This vulnerability is used to inject JavaScript payloads into the webpage, which are then used to steal login credentials and tokens from cookies received from the endpoint. This information is then used by threat actors to access the targets’ email accounts with ease.
Proofpoint’s report explains that the server hosting a vulnerable webmail instance is responsible for executing the CSRF JavaScript code blocks.
TA473 has been observed targeting RoundCube webmail request tokens in some instances, revealing their careful pre-attack reconnaissance to identify the specific webmail portal used by their targets before crafting phishing emails and creating landing pages.
‘Winter Vivern’ employed various tactics to evade detection, including applying three layers of base64 obfuscation to the malicious JavaScript and incorporating fragments of legitimate JavaScript that run in native webmail portals. This blending of malicious and legitimate code reduces the likelihood of detection during analysis.
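The layered base64 encoding described above is cheap for an attacker to apply but just as cheap for an analyst to peel off. The following Python script is an added illustration, not code from Proofpoint’s report or from the threat actor: it repeatedly base64-decodes a captured blob until the result is no longer valid base64, counts the layers removed, and then flags cookie and CSRF-token access in the recovered text. The sample payload is constructed here, and the indicator list is an assumed starting point that a defender would extend.

```python
import base64
import binascii
import re

# Constructed sample: a harmless script fragment wrapped in three base64 layers,
# mimicking the layering described in the report. Not a real TA473 payload.
INNER_SCRIPT = 'var t = document.cookie; /* csrfToken */'


def wrap_layers(text: str, layers: int = 3) -> str:
    """Apply base64 encoding `layers` times (used only to build the sample)."""
    data = text.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()


SAMPLE = wrap_layers(INNER_SCRIPT, 3)


def peel_base64_layers(blob: str, max_layers: int = 8):
    """Decode base64 repeatedly while each result is valid base64 and ASCII.
    Returns (layers_removed, innermost_text). Stops at the first layer that
    fails strict decoding, so ordinary script text is left untouched."""
    current = blob.strip()
    layers = 0
    while layers < max_layers:
        try:
            text = base64.b64decode(current, validate=True).decode('ascii')
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break
        layers += 1
        current = text
    return layers, current


# Assumed indicators for webmail credential/token theft; extend per environment.
INDICATORS = {
    'cookie_access': re.compile(r'document\.cookie'),
    'csrf_token': re.compile(r'csrf', re.IGNORECASE),
    'outbound_request': re.compile(r'XMLHttpRequest|fetch\('),
}


def triage(blob: str) -> dict:
    """Peel the layers, match indicators, and mark multi-layer hits as suspicious."""
    layers, text = peel_base64_layers(blob)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {'layers': layers, 'hits': hits, 'suspicious': layers >= 2 and bool(hits)}
```

Feeding the script blocks extracted from a suspicious mail or landing page into triage() gives a quick signal on which ones deserve a full manual review.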
After compromising the webmail accounts, the threat actors can access sensitive information or monitor communications over an extended period. The breached accounts can also be used for lateral phishing attacks to infiltrate target organizations further.