Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.

Tag: cyber threat intelligence

Linkc Ransomware: The New Cybercriminal Group Targeting Artificial Intelligence Data

In the DarkLab group’s underground analysis activity, we ventured onto an onion site that is apparently a Data Leak Site (DLS) of a new ransomware cyber gang. This new actor, called Linkc, was the author of a recent heist against H2O.ai. Their Data Leak Site, a minimalist page devoid of any further information, leaks only the essentials: a leak of sensitive data and source code belonging to a company specialising in artificial intelligence. A New Group, Familiar Methods? Even though Linkc appears to be a brand-new group, their operation follows the well-known double extortion model: What’s novel in this case is the site’s extreme

Ransomware Gangs weaponize Windows Defender Application Control (WDAC) to disable EDR products.

In the past days we saw that ransomware gangs use WDAC to disable EDR products. I have known about this type of attack for a year, since a guy posted a similar technique on Twitter, but this is the first time it has been used in ransomware attacks. So, it’s time to explain how it works and how to check it. First, WDAC is a Microsoft feature that is very similar to AppLocker. We need to download the Application Control Wizard from the Microsoft webpage. After we install it, we can open it and define the policy. Here we can do two things,

The Story Of Conti Ransomware – The Last Ceremony (Final Episode)

This is the last episode of the “The Story Of Conti Ransomware” series; we finally reach the decline of the group and what this means for the current ransomware landscape. In the previous group of articles we covered operations carried out by law enforcement (mainly the FBI) and by some vigilantes who didn’t like Conti’s political positions. Conti is not dead, it’s still living. The Moon – Dostoevsky’s De(a)mons The Conti leak showed the world how “normal” a RaaS group of this size could be with the same organization of a “legit” company. But there is a message which we didn’t analyze in

Harley-Davidson Targeted by Cyber Criminals: 888 Claims Data Breach

Recently, a threat actor on an underground forum posted an alleged data breach. According to reports, the famous American company Harley-Davidson has been the victim of a data breach that has exposed thousands of pieces of sensitive information relating to its customers. At this time we cannot confirm the veracity of the news, as the organization has not yet released any official press release on its website regarding the incident. Therefore, this article should be considered as an “intelligence source”. Details of the alleged infringement According to the threat actor, the data breach would have taken place in December 2024 and would have exposed

FBI responds to threats and announcement of LockBit 4.0

In the last month of 2024, LockBit has been extensively talked about. The prominent news is the long-awaited release of the 4.0 program of the most famous RaaS in the scene. After the entire Operation Cronos series, which does not seem to be over yet, LockBit has been put to the test with an unprecedented digital crime-fighting experience executed by an international task force. In this article we will expand on the very latest updates trying to take stock and comment on these early (partial) conclusions of a real attrition that will impact the future of digital security and crime. For those

Brain Cipher claims computer attack on Deloitte. 1 Terabyte of data

At 14:35 today, the claim of a cyber attack on the consulting giant Deloitte was detected on Brain Cipher’s Data Leak Site. A countdown is active, marking the time for the publication of the data, which according to the cybercriminals will take place in 10 days and 20 hours. At present, we cannot confirm the authenticity of the news, as the organisation has not yet published an official statement on its website about the incident. The information reported comes from public sources accessible on underground sites, so it should be interpreted as a source of intelligence and not as definitive confirmation. The post

The Exploit for the RCE on Palo Alto Firewalls is now Online! And let the Administration be for all

A few hours ago on Breach Forum, a threat actor by the name “newplzqibeme” shared a GitHub repository where an exploit written in Python for active exploitation of CVE-2024-0012 on PanOS (the Palo Alto firewall operating system) is published. The exploit grants the attacker full administrative access to the firewall through an authentication bypass. The post by “newplzqibeme” shows two public IPs as examples, which are most likely exposed and vulnerable firewalls. Firewalls running PanOS 10.2, 11.0, 11.1 and 11.2 are affected by this CVE if not upgraded to the respective versions (>= 10.2.12-h2, >= 11.0.6-h1, >= 11.1.5-h1 and >=

RHC DarkLab Interviews Interlock Ransomware. “Don’t waste your energy and time. We will do it for you.”

RHC DarkLab has always taken a unique and provocative approach in the fight against cyber threats, summed up by the motto: ‘One must know the Demons to learn how to counter them.’ This philosophy guides our ongoing commitment to understanding Threat Actors through face-to-face interviews to expose their techniques, tactics and procedures (TTPs) and improve the defences of those facing these insidious adversaries. Cyber gangs, such as Interlock, often present themselves with a mix of highly sophisticated motivations and skills, as demonstrated by recent attacks targeting seemingly secure systems such as FreeBSD. In many cases, they claim to act to fill gaps

RHC DarkLab Interview Stormous Ransomware. Between history, ideology, techniques and tactics

The Stormous group represents a significant threat in the ransomware landscape: it has an established reputation for its targeted attacks and its overtly pro-Russian ideology. The group may have started operating in mid-2021, later becoming known for its aggressive presence on Telegram, its geopolitical motivations and its philosophy of attacking organisations perceived to be hostile to Russia, to which it declared its support, subsequently targeting the organisations of countries considered to be enemies, destabilising their organisations. These include the United States, Western countries, India and Ukraine from 2022. However, their attacks in this way not only compromise the victims’ systems, but also

How Threat Actors make EDRs harmless with a reboot

I became aware of this technique about 9 months ago, and now I see it in an attack in the wild conducted by the Qilin Ransomware Gang, so it’s time to make it public. One of the most important security features in EDRs is the possibility to intercept calls to the kernel. For this purpose, EDR vendors use MiniFilter Drivers that load on boot. But what happens when these drivers are forcibly disabled by an attacker? The attacker can peacefully make kernel calls without being intercepted by EDRs. When Windows loads a MiniFilter Driver, there is an order to load them,