Cloud Atlas Unleashes VBCloud Malware: Over 80% of Affected Targets in Russia

Dec 27, 2024
Cyber Attack / Data Theft

The cyber threat group known as Cloud Atlas has been detected utilizing a newly identified malware named VBCloud in its attack campaigns throughout 2024. According to Kaspersky researcher Oleg Kupreev, victims are infected through phishing emails containing a malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and run malware code. Notably, over 80% of the targets are based in Russia, with additional victims reported in Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam. Cloud Atlas, also known as Clean Ursa, Inception, Oxygen, and Red October, is an unidentified threat actor group that has been operational since 2014. In December 2022, the group was tied to cyber attacks on Russia, Belarus, and Transnistria, deploying a PowerShell-based backdoor called PowerShower.

Cloud Atlas Unleashes VBCloud Malware: Majority of Targets Located in Russia

December 27, 2024
Cyber Attack / Data Theft

Recent observations have revealed that the cyber threat group known as Cloud Atlas has deployed an emerging malware variant referred to as VBCloud in a series of targeted attacks throughout 2024. According to Kaspersky researcher Oleg Kupreev, these sophisticated operations have focused on several dozen users, with more than 80% of the affected parties based in Russia. The compromised systems are primarily infiltrated through deceptive phishing emails that contain malicious documents. These documents exploit an existing vulnerability within the formula editor (CVE-2018-0802) to download and execute the malicious code on the victims’ devices.

In addition to the significant number of Russian victims, reports indicate that a smaller collection of targets have been identified in countries such as Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam. Cloud Atlas, which has also been dubbed Clean Ursa, Inception, Oxygen, and Red October, is an unattributed cluster of threat activity that has been operational since 2014. This background suggests a level of sophistication and persistence that poses a serious risk to businesses globally.

In December 2022, the group was implicated in cyber operations targeting entities in Russia, Belarus, and Transnistria, employing a PowerShell-based backdoor named PowerShower. This history of aggressive tactics highlights their ongoing commitment to developing and deploying advanced malware strategies that bypass traditional security measures.

As organizations strive to enhance their cybersecurity posture, understanding the methods used by threat actors like Cloud Atlas is critical. The tactics associated with this recent attack correspond to several categories outlined in the MITRE ATT&CK framework. Initial access through phishing is a prominent tactic employed in this instance, facilitated by exploiting software vulnerabilities. Furthermore, the use of VBCloud may indicate potential methods for establishing persistence within networks, enabling attackers to maintain access and control over compromised systems.

The implications of this attack are significant for business owners, particularly those operating in regions with a high prevalence of such cyber threats. Organizations are advised to prioritize training employees on recognizing and responding to phishing attempts, as well as ensuring their software is regularly updated to patch known vulnerabilities.

Cybersecurity professionals must remain vigilant to the evolution of threats like VBCloud and apply frameworks such as MITRE ATT&CK when assessing their defenses. The ongoing activities of Cloud Atlas serve as a reminder that the landscape of cyber threats is ever-changing, necessitating a proactive approach to risk management and incident response.

Source link

Related Posts

⚡ THN Weekly Update: Key Cybersecurity Threats, Tools, and Tips

Dec 23, 2024
Cybersecurity / Weekly Update

The digital landscape is relentless, as this week has shown. From the apprehension of ransomware developers to state-sponsored hackers unveiling novel tactics, it’s evident that cybercriminals are continually evolving their methods. They exploit everyday tools for malicious purposes, embed spyware in trusted applications, and uncover new vulnerabilities in outdated security systems. These incidents are not mere coincidences—they highlight the ingenuity and adaptability of cyber threats. In this edition, we’ll explore the most significant cybersecurity events from the past week and provide essential insights to help you stay protected and proactive. Let’s dive in.

⚡ Threat of the Week

Charges Filed Against LockBit Developer Rostislav Panev — Rostislav Panev, a 51-year-old dual Russian and Israeli citizen, has been charged in the U.S. for allegedly serving as a developer for the now-disrupted LockBit ransomware-as-a-service (RaaS) operation, which is believed to have generated approximately $230,000 between June 2022 and February 2024. Panev was…

Old D-Link Vulnerabilities Fuel Global Attacks by FICORA and Kaiten Botnets

Dec 27, 2024
Botnet / DDoS Attack

Cybersecurity experts are alerting to a rise in malicious activity that leverages outdated D-Link routers, involving two distinct botnets: a Mirai variant known as FICORA and a Kaiten variant referred to as CAPSAICIN. “These botnets are often propagated through well-documented vulnerabilities in D-Link devices, enabling remote attackers to execute harmful commands via GetDeviceSettings on the HNAP (Home Network Administration Protocol) interface,” noted Vincent Li, a researcher at Fortinet FortiGuard Labs, in a Thursday analysis. “This HNAP flaw was first revealed nearly ten years ago, affecting multiple devices across various CVE identifiers, including CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112.” According to telemetry data from the cybersecurity firm, attacks linked to FICORA have been globally dispersed, while those involving CAPSAICIN have predominantly targeted East Asian countries like Japan and Taiwan.