Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Last October, Trustwave SpiderLabs blogged about the use and prevalence of HTML email attachments to deliver malware and phishing for credentials. The use of HTML smuggling has become more prevalent, and we have since seen various cybercriminal groups utilizing these techniques to distribute malware. HTML smuggling employs HTML5 attributes that can work offline by storing a binary in an immutable blob of data within JavaScript code.

Clicking on malicious links can lead to compromised accounts and can infect your devices with malware. Learning how to check if a link is safe, before clicking on it, is important to keeping you safe online. You can check if a link is safe by hovering over the link to see if it’s the URL it’s saying it is or by using a URL checker.

Arctic Wolf has observed a significant increase in the number of malicious files delivered and opened via OneNote email attachments. Unlike malicious Word and Excel files, infected OneNote files do not require the security prompt asking the end-user to allow macros, thus increasing the chances of unknowingly running the malicious executable.

The annual State CIO Top 10 priorities list issued by the National Association of State Chief Information Officers shows that while the technology initiatives remain relatively unchanged, there is a slight shuffle around priorities. Cybersecurity continues to take the number one spot and will likely be the case for years to come, given the increase in ransomware attacks across industries and organizations of all sizes.

Our annual Ransomware Report shares the latest trends and developments of the most active threat groups, and their victims to help businesses better protect themselves.

Early Friday morning, February 3, 2023, Arctic Wolf Labs began monitoring a new ransomware campaign targeting public-facing ESXi servers. The campaign has grown exponentially over the weekend, with approximately 3,000 victims worldwide as of early-Monday morning. Based on reporting from OVH, the threat actors behind this campaign are likely leveraging a nearly two year old heap overflow vulnerability (CVE-2021-21974) in VMware ESXi’s OpenSLP service.

Ransomware is one of the most painful threats to organizations worldwide. As this industry keeps on growing both in number of groups and improved technology, every now and then global authorities are able to get their hands on individuals and important data that can mitigate and prevent this threat. This week, the FBI was able to take down the notorious Hive Ransomware group’s Onion Site.

Over the weekend, a relatively new ransomware group named Nevada Ransomware initiated a first massive campaign, targeting any ESXi machine that is exposed to the internet. The group seemed to compromise hundreds of servers over the weekend and caused major damage. Although the scale of this campaign is one of the biggest we have seen, it might already have a solution.

Hive has been seized by law enforcement, but were likely to still see these initial access methods and tactics used across other threat actor groups.