Numerous Ukrainian organizations have been compromised by a wave of attacks using the novel .NET-based RansomBoggs ransomware strain, which resembled prior attacks by the Russian state-sponsored threat operation Sandworm, reports The Hacker News.
Initially discovered by ESET researchers on Nov. 21, the RansomBoggs attacks used a PowerShell script to distribute the ransomware, a mechanism nearly identical to the one used in April's Industroyer2 attacks, in which the POWERGAP PowerShell script delivered the CaddyWiper malware through the ArguePatch loader.
RansomBoggs generates random keys, leverages AES-256 in CBC mode for file encryption, and adds the ".chsch" extension to encrypted files, according to ESET.
Microsoft recently attributed last month's Prestige ransomware attacks against Ukrainian and Polish transportation and logistics firms to Iridium, a threat operation it links to Sandworm. Sandworm has also been associated with the 2017 NotPetya cyberattacks against healthcare providers, as well as the 2015 and 2016 cyberattacks against Ukraine's power grid.
Operations of California's Solano Partner Libraries and St. Helena, or SPLASH, continue to be interrupted weeks after the county's library network was targeted by a ransomware attack earlier this month, StateScoop reports.
Threat actors could gain several rootkit-like capabilities, including concealing files and processes and tampering with prefetch file analysis, by exploiting vulnerabilities in Windows' DOS-to-NT path conversion process, reports The Hacker News.
Open-source DevOps software project GitLab is also affected by the same security issue in GitHub comments that threat actors have exploited through Microsoft repository-linked URLs to distribute malware that appeared to originate from credible entities' official source code repositories, according to BleepingComputer.