Day One of Pwn2Own Ireland Unveils 52 Zero-Day Vulnerabilities
The first day of Pwn2Own Ireland saw participants uncover 52 zero-day vulnerabilities across a variety of connected devices, earning an impressive $486,250 in total rewards. Viettel Cyber Security set the pace, earning top scores with their zero-day exploits, including a notable buffer overflow in a Lorex 2K WiFi camera. Summoning Team’s Sina Kheirkhah impressed with a chain of nine vulnerabilities, taking control of devices from the QNAP router to the TrueNAS Mini X and securing $100,000. Additional exploits, like RET2 Systems’ out-of-bounds write on a Sonos smart speaker, awarded them $60,000 and full control over the device. Despite some setbacks and technical hurdles, teams effectively showcased the scale and impact of zero-day vulnerabilities, as they competed for the $1 million prize pool. With three days remaining, participants are set to tackle more vulnerabilities in fully patched SOHO devices.
New Qilin.B Ransomware Encryptor Introduces Advanced Evasion and Stronger Encryption
The latest version of Qilin ransomware, known as Qilin.B, presents enhanced encryption capabilities and sophisticated evasion tactics, posing a serious threat to cybersecurity. Written in Rust, this ransomware features AES-256-CTR encryption for faster processing on compatible hardware, while retaining ChaCha20 for less advanced systems. Qilin.B also integrates RSA-4096 for key protection, making decryption nearly impossible without access to private keys. Halcyon researchers have detected this strain, noting its potential to disrupt data recovery by disabling services like Veeam, SQL databases, and Sophos antivirus.
Qilin.B further hinders recovery efforts by deleting shadow copies, clearing event logs, and establishing persistence in the Windows Registry. With the ability to spread through network drives, it leaves ransom notes in each directory, targeting both local and network folders. Though not groundbreaking, these features enhance Qilin.B’s impact, contributing to sophisticated attacks by threat groups on critical systems worldwide.
Cisco Patches VPN DoS Vulnerability Linked to DDoS and Brute-Force Attacks
Cisco recently patched a critical denial-of-service (DoS) flaw in its ASA and Firepower Threat Defense (FTD) software, identified during large-scale brute-force and DDoS attacks targeting VPNs. Tracked as CVE-2024-20481, this vulnerability emerged when attackers flooded affected devices with numerous VPN login attempts, depleting resources and causing a DoS state. The flaw is a resource-exhaustion condition in Remote Access VPN (RAVPN) services; affected devices must be reloaded to restore service.
The vulnerability was discovered amid broad brute-force efforts aimed at obtaining VPN credentials, targeting devices from Cisco, Fortinet, Checkpoint, and others. These attacks often unintentionally led to DoS issues by straining resources. Cisco’s advisory classifies the bug as CWE-772, an improper-resource-management weakness during VPN authentication that leaves systems vulnerable to DDoS. Additionally, Cisco issued fixes for other critical flaws, emphasizing the importance of immediate updates to guard against further DDoS and brute-force attack risks.
Henry Schein Discloses Data Breach a Year After Major Ransomware Attack
Healthcare solutions provider Henry Schein has disclosed a data breach affecting over 160,000 individuals, stemming from a series of ransomware attacks in 2023 by the BlackCat (ALPHV) gang. The first attack in October forced Henry Schein to take systems offline to protect its manufacturing and distribution operations. Following this, BlackCat ransomware claimed responsibility, stating they had exfiltrated 35 TB of sensitive data. A second attack followed in November after failed ransom negotiations, with threats to re-encrypt the network.
A year later, Henry Schein confirmed in a notification to the Maine Attorney General that 166,432 individuals had their personal data compromised. Working with cybersecurity experts, the company reviewed affected files throughout early 2024. Now, as a precaution, Henry Schein is offering impacted individuals two years of complimentary identity monitoring with Experian’s IdentityWorksSM service to help protect against potential fraud and identity theft.
Russia Sentences REvil Ransomware Members to Prison for Cybercrime and Payment Fraud
In a significant crackdown on cybercrime, Russia has sentenced four members of the REvil ransomware gang to prison terms ranging from 4.5 to 6 years. Known for their high-profile ransomware operations, REvil, also called Sodinokibi, rose to prominence in 2019, quickly amassing over $100 million. Their large-scale 2021 Kaseya attack, which impacted over 1,500 businesses worldwide, led to pressure from U.S. authorities for Russia to address cybercriminal activity within its borders.
Following coordinated international law enforcement efforts, Russia’s Federal Security Service (FSB) dismantled the group in January 2022, arresting 14 members and seizing $6.6 million. Recently, a Russian court sentenced members Artem Zayets, Alexey Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov on charges of illegal circulation of payment means and malware distribution. The remaining four REvil members await separate trials for illegal computer access, marking a pivotal outcome in the fight against global ransomware operations.
Black Basta Ransomware Uses Microsoft Teams as Phishing Tool to Breach Networks
The Black Basta ransomware group has evolved its social engineering tactics, now leveraging Microsoft Teams to impersonate IT support and gain unauthorized access to corporate networks. Active since 2022, Black Basta initially targeted employees with a barrage of spam emails, followed by fake IT support calls to trick victims into installing remote access tools like AnyDesk. In recent campaigns observed by ReliaQuest, Black Basta affiliates have shifted to contacting employees directly through Teams, posing as corporate help desks and using Entra ID tenants designed to appear legitimate, such as “supportserviceadmin.onmicrosoft[.]com.”
The attackers send a series of messages to gain trust, sometimes also sharing QR codes whose purpose has not been determined. Once granted access, they install tools like “AntispamAccount.exe” and SystemBC (a proxy malware), eventually deploying Cobalt Strike to control devices and spread ransomware across the network. To mitigate this threat, experts advise limiting external Teams communications to trusted domains and enabling logging for suspicious activities.
Fog Ransomware Exploits SonicWall VPN Vulnerability to Breach Networks
The Fog ransomware operation, alongside Akira, has intensified attacks on corporate networks via SonicWall VPN vulnerabilities, particularly targeting the critical CVE-2024-40766 flaw. This SSL VPN access control flaw, patched by SonicWall in August 2024, has remained under active exploitation, with at least 30 breaches reported by Arctic Wolf, primarily involving Akira, while Fog accounts for the remainder. Researchers also note potential collaboration between the two ransomware groups, sharing infrastructure to scale attacks.
Once inside, threat actors move quickly—often achieving encryption within hours, especially on virtual machines and backups. A lack of multi-factor authentication and outdated software on SonicWall endpoints facilitates access, especially when endpoints run on the default port 4433. Intrusion logs typically reveal remote user login events, often masked via VPN/VPS to conceal attackers’ real IPs. With approximately 168,000 SonicWall endpoints still exposed, Fog ransomware’s impact underscores the critical need for immediate patching and security upgrades.
Conclusion
The escalating threats across connected devices and corporate networks underscore the pressing need for strengthened cybersecurity defenses. With vulnerabilities in VPNs, new ransomware strains, and sophisticated phishing campaigns, organizations face significant challenges in protecting their data and operations.
At BeforeCrypt, we specialize in helping companies navigate the aftermath of cyber incidents. Our expert Ransomware Recovery Services are designed to restore data and systems quickly, even in cases involving severe strains like Akira ransomware. For organizations needing support with strategic decisions, our Ransomware Negotiation Services and Ransomware Settlement Services provide comprehensive solutions to manage ransomware threats effectively. Contact us today to secure the expertise you need in ransomware recovery and cybersecurity.