Tremble, schools and universities: Rhysida takes on the Oyster Backdoor

The education sector is becoming a favorite target of cybercriminals.

On July 10, an unnamed private school was attacked by the ransomware group Rhysida, which uses a new version of Oyster Backdoor, also known as Broomstick. This updated version of Oyster was first discovered by Rapid7 at the end of June this year and uses the SEO Poisoning method to trick users into downloading malicious installers masquerading as legitimate software such as Google Chrome and Microsoft Teams.

During the above-mentioned attack, Oyster Backdoor was deployed on the user's endpoint, probably through a malicious IP scanner distributed through malvertising. The malicious DLL associated with this attack interacts with the domain "codeforprofessionalusers[.]com", which ThreatDown researchers identified as the Oyster command and control server.
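An added example, not part of the post or of the ThreatDown and Rapid7 research it cites, showing how a defender could sweep DNS or proxy logs for the C2 domain named above. The log line format and the entries are constructed for the example; the domain is refanged from the "[.]" notation used in the post, and subdomains of the indicator are flagged as well.

```python
import re
from dataclasses import dataclass

# C2 domain named in the post, in the defanged "[.]" form threat reports use.
DEFANGED_C2 = "codeforprofessionalusers[.]com"


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower().strip(".")


def host_matches(host: str, indicator: str) -> bool:
    """True if host equals the indicator or is a subdomain of it."""
    host = host.lower().strip(".")
    return host == indicator or host.endswith("." + indicator)


# Constructed sample resolver log lines (not taken from the incident).
SAMPLE_LOG = """\
2024-07-10T09:12:01Z src=10.0.5.23 query=www.google.com
2024-07-10T09:13:44Z src=10.0.5.23 query=codeforprofessionalusers.com
2024-07-10T09:13:45Z src=10.0.5.23 query=cdn.codeforprofessionalusers.com
2024-07-10T09:14:02Z src=10.0.5.40 query=notcodeforprofessionalusers.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) query=(?P<host>\S+)$")


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    host: str


def find_c2_hits(log_text: str, indicators=(DEFANGED_C2,)) -> list:
    """Return every log entry whose queried host matches a refanged indicator."""
    refanged = [refang(i) for i in indicators]
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        if any(host_matches(m["host"], ind) for ind in refanged):
            hits.append(Hit(m["ts"], m["src"], m["host"]))
    return hits


if __name__ == "__main__":
    for h in find_c2_hits(SAMPLE_LOG):
        print(f"{h.ts} {h.src} -> {h.host}")
```

The look-alike host `notcodeforprofessionalusers.com` is deliberately not matched, because suffix matching requires a dot boundary before the indicator.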

One of the notable methods used in this attack was input hijacking, which allowed the administrative credentials of client hypervisors to be stolen. Certain tasks and malicious directories identified in this incident were added to the ThreatDown detection database.

The attackers used stolen SSH credentials to access the NAS devices and VMware hypervisors, bypassing the real-time ThreatDown Endpoint Protection (EP) layer, which allowed them to deploy Rhysida. Since the client only relied on EP instead of EDR or MDR, the suspicious activity went unnoticed.

The ransomware encrypted VMDK files on the hypervisor and possibly other critical data on NAS devices. In addition, local backups were also encrypted, which required the use of additional backups for data recovery.

Since its introduction in June 2023, the Rhysida group has conducted more than 107 confirmed attacks, with about 30% of victims coming from the education sector. To prevent attacks and minimize their consequences, we recommend the following practices:
  • Delete all traces of the attack. After isolating and stopping the first attack, remove all traces of the intruders, their malware and their methods of entry.
  • Block common forms of intrusion. Develop a plan to quickly eliminate vulnerabilities in systems accessible from the Internet; strengthen remote access protection (RDP and VPN); use software to protect endpoints.
  • Detect intrusions. Segment networks, restrict access rights, and use EDR or MDR to detect unusual activity.
  • Create additional backups stored offline. Keep backups out of the reach of intruders and regularly verify that they can be restored.

Constant vigilance, regular staff training, and a multi-layered security strategy are also key factors in preventing and mitigating the consequences of cyberattacks. Ultimately, investing in cybersecurity is an investment in the future and stability of any organization.
