SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: BlackByte threat actor goes global with its ransomware
Description: The BlackByte ransomware group uses its software both for its own operations and as a ransomware-as-a-service offering to other criminals. The group and its affiliates have infected victims all over the world, from North America to Colombia, the Netherlands, China, Mexico and Vietnam. Cisco Talos has been monitoring BlackByte for several months and can confirm that the group remains active after the FBI released a joint cybersecurity advisory in February 2022. BlackByte is also considered one of the big game ransomware groups, which go after large, high-profile targets, exfiltrate internal data and threaten to publicly release it. Like similar groups, BlackByte runs its own leak site on the darknet, and the Tor address of that site changes frequently. The group has recently updated its leak site with a new design and new victims and is still actively compromising victims worldwide.
References: https://blog.talosintelligence.com/2022/05/the-blackbyte-ransomware-group-is.html
Snort SIDs: 58791 - 58794
Title: NVIDIA fixes 10 vulnerabilities in graphics cards drivers
Description: GPU maker NVIDIA released a round of security updates for several of its graphics cards last week, including fixes for four high-severity vulnerabilities. The updates cover all currently supported NVIDIA products and also extend to GTX 600 and GTX 700 Kepler-series cards, whose support ended in October 2021. Cisco Talos specifically discovered four vulnerabilities in the NVIDIA D3D10 driver for graphics cards that could allow an attacker to corrupt memory and perform arbitrary memory writes. An attacker could exploit these vulnerabilities by sending the target a specially crafted executable or shader file. Because the vulnerable code runs on the host, these issues could also allow an adversary to perform a guest-to-host escape when targeting a guest machine in a virtualization environment. We specifically tested these issues with a Hyper-V guest using the RemoteFX feature, leading to the execution of vulnerable code on the Hyper-V host.
References: https://blog.talosintelligence.com/2022/05/vuln-spotlight-nvidia-driver-memory.html
Snort SIDs: 58880 - 58883, 58885, 58886, 58910 and 58911