Happy Sunday!

The Intel 471 team provides their findings on the #BumbleBee loader as it makes its comeback after a two-month break, taking the place of the #BazarLoader (the source code was leaked when the #Conti leak occurred). The BumbleBee loader has been associated with distributing ransomware and is currently being used by multiple threat actors. My favorite part of this article, though (and not surprisingly), is all the MITRE ATT&CK mappings, which give all the #ThreatHunters a place to start looking, so thank you for that, team! I hope you all enjoy, and Happy Hunting!

Bumblebee Loader Resurfaces in New Campaign
https://intel471.com/blog/bumblebee-loader-resurfaces-in-new-campaign

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday

Bumblebee Loader Resurfaces in New Campaign

The Bumblebee malware loader is used as a gateway to launch ransomware attacks. Intel 471's Malware Intelligence systems have uncovered new techniques being used to distribute it. Here's how to defend against it.

Intel471
#BazarLoader / #BazarBackdoor also uses the BackConnect protocol to deploy reverse VNC. This screenshot is from @malware_traffic's 2021-11-05 Bazar PCAP. The #BackConnect server was running on 87.120.8.190:9090
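A hunting check built around the post above, as an added example that is not code from the original post or from @malware_traffic: it sweeps Zeek conn.log records for the BackConnect server the post names (87.120.8.190:9090, from the 2021-11-05 PCAP) and, as a second signal that is an assumption made here rather than something the post states, flags long-lived TCP sessions to port 9090 on non-RFC 1918 hosts. The log records are constructed for illustration and follow the default Zeek conn.log column order; the IOC is dated and will not match current infrastructure.

```python
"""IOC sweep over Zeek conn.log records for the BazarLoader BackConnect
server named in the post above (87.120.8.190:9090, 2021-11-05 Bazar PCAP).
Added example, not code from the original post or from @malware_traffic.
Sample records below are constructed; the long-session heuristic is an
assumption made here, not something the post states."""
import ipaddress
from dataclasses import dataclass

# IOC quoted in the post: BackConnect server seen in the 2021-11-05 PCAP.
BACKCONNECT_IOCS = {("87.120.8.190", 9090)}

# Assumptions for the secondary heuristic: the BackConnect port from the
# post, and a minimum duration that separates a reverse VNC session from
# a scan or a failed connect.
BACKCONNECT_PORT = 9090
MIN_LONG_SESSION_SECONDS = 300.0

# RFC 1918 ranges, checked explicitly because ipaddress.is_private also
# treats documentation ranges such as 198.51.100.0/24 as private.
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Column indices in the default Zeek conn.log layout.
TS, UID, ORIG_H, ORIG_P, RESP_H, RESP_P, PROTO, SERVICE, DURATION = range(9)


@dataclass
class Hit:
    ts: str
    uid: str
    src: str
    dst: str
    dport: int
    duration: float
    reason: str


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _RFC1918)


def parse_conn_line(line: str):
    """Split one tab-separated conn.log record; None for headers/short lines."""
    if not line or line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    return fields if len(fields) > DURATION else None


def sweep(lines):
    """Return a Hit for every connection to a known BackConnect IOC, plus
    every long-lived TCP session to the BackConnect port on an external host."""
    hits = []
    for line in lines:
        f = parse_conn_line(line)
        if f is None:
            continue
        try:
            dport = int(f[RESP_P])
            duration = 0.0 if f[DURATION] == "-" else float(f[DURATION])
            external = not is_rfc1918(f[RESP_H])
        except ValueError:
            continue  # malformed record: skip it rather than abort the sweep
        reason = None
        if (f[RESP_H], dport) in BACKCONNECT_IOCS:
            reason = "known BackConnect C2"
        elif (f[PROTO] == "tcp" and dport == BACKCONNECT_PORT and external
              and duration >= MIN_LONG_SESSION_SECONDS):
            reason = "long-lived session to external port 9090"
        if reason:
            hits.append(Hit(f[TS], f[UID], f[ORIG_H], f[RESP_H],
                            dport, duration, reason))
    return hits


# Constructed sample records (not taken from the real PCAP).
SAMPLE_CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration",
    "1636110000.1\tCabc1\t10.0.0.15\t49812\t87.120.8.190\t9090\ttcp\t-\t1842.5",
    "1636110010.0\tCdef2\t10.0.0.15\t49820\t93.184.216.34\t443\ttcp\tssl\t12.3",
    "1636110020.0\tCghi3\t10.0.0.22\t50100\t198.51.100.7\t9090\ttcp\t-\t905.0",
    "1636110030.0\tCjkl4\t10.0.0.22\t50101\t192.168.1.5\t9090\ttcp\t-\t1200.0",
    "1636110040.0\tCmno5\t10.0.0.9\t50102\t198.51.100.8\t9090\ttcp\t-\t4.0",
]

if __name__ == "__main__":
    for h in sweep(SAMPLE_CONN_LOG):
        print(f"{h.ts} {h.uid} {h.src} -> {h.dst}:{h.dport} "
              f"{h.duration:.0f}s  {h.reason}")
```

Run it against a real conn.log by passing the file's lines to `sweep()`. Only the first sample record is a true IOC match; the third is surfaced by the duration heuristic and would need triage, since port 9090 is also used by legitimate services.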
BazarCaller – the malware gang that talks you into infecting yourself - Calling someone back feels safer than clicking an unknown link... but it isn't! Remind yo... https://nakedsecurity.sophos.com/2021/08/03/bazarcaller-the-malware-gang-that-talks-you-into-infecting-yourself/ #bazarloader #bazacaller #bazaloader #microsoft #malware #scam
BazarCaller – the malware gang that talks you into infecting yourself

Calling someone back feels safer than clicking an unknown link… but it isn’t! Remind your friends and family.

Naked Security
Threat Roundup for May 14 to May 21

A blog from the world-class Intelligence Group, Talos, Cisco's Intelligence Group

Threat Roundup for January 8 to January 15 - Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 8 a... http://feedproxy.google.com/~r/feedburner/Talos/~3/woaYH9fG8c4/threat-roundup-0108-0115.html #vulnerabilities #fickerstealer #threatroundup #bazarloader #ciscotalos #glupteba #malware #redline #bunitu #dridex #expiro #tofsee #zegost #talos
Threat Roundup for January 8 to January 15

A blog from the world-class Intelligence Group, Talos, Cisco's Intelligence Group

Cyberattacks on Healthcare Spike 45% Since November

The relentless rise in COVID-19 cases is battering already frayed healthcare systems — and ransomware criminals are using the opportunity to strike.

Threatpost - English - Global - threatpost.com
IT giant Sopra Steria hit by Ryuk ransomware attack #кибератака, #Ryuk, #TrickBot, #BazarLoader https://www.securitylab.ru/news/513326.php https://twitter.com/SecurityLabnews/status/1319936680644743169/photo/1
IT giant Sopra Steria hit by Ryuk ransomware attack

The Ryuk operators are also known for their attacks using the TrickBot and BazarLoader malware.

Ryuk Ransomware Gang Uses Zerologon Bug for Lightning-Fast Attack - Researchers said the group was able to move from initial phish to full domain-wide encryption in j... https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/ #initialphishingemail #privilegeescalation #vulnerabilities #activedirectory #attackanalysis #cve-2020-1472 #cobaltstrike #websecurity #bazarloader #dfirreport #fivehours #zerologon #malware #ryuk
Ryuk Ransomware Gang Uses Zerologon Bug for Lightning-Fast Attack

Researchers said the group was able to move from initial phish to full domain-wide encryption in just five hours.

Threatpost - English - Global - threatpost.com
TrickBot operators use the BazarLoader malware to deliver Ryuk #TrickBot, #BazarLoader https://www.securitylab.ru/news/513052.php https://twitter.com/SecurityLabnews/status/1316287642913439744/photo/1
TrickBot operators use the BazarLoader malware to deliver Ryuk

One of the BazarLoader components loads a Cobalt Strike beacon, which gives the attackers remote access.