Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    CONSPRCY    |    How big is your tinfoil hat?    |    2,445 messages    |
[   << oldest   |   < older   |   list   |   newer >   |   newest >>   ]
|    Message 2,044 of 2,445    |
|    Mike Powell to All    |
|    Threats to watch this yea    |
|    08 Dec 25 10:18:01    |
TZUTC: -0500
MSGID: 1801.consprcy@1:2320/105 2d9c2932
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed

Threats to watch this year: from data theft and extortion to EDR killers

Date: Sun, 07 Dec 2025 15:00:00 +0000

Description: Threat actors have shifted behaviors, refined their tooling and adapted tactics; here's what you need to know.

FULL STORY

As cybersecurity threats continue to grow in scale, sophistication and intent, it's vital for organizations to understand the top actors, emerging risks and evolving techniques shaping the landscape to help strengthen cyber defenses.

A recent report by Bridewell highlights just how dynamic the adversarial environment has become over the past year.

Threat actors have shifted behaviors, refined their tooling and adapted their tactics.

Here are some key takeaways organizations need to know to contend with imminent threats.

The Rise of Data Theft and Extortion

Historically, ransomware tactics were primarily centered around encrypting victim data and demanding payment for decryption keys. However, recent attacks highlight a shift in tactics, with threat actors now prioritizing data theft and extortion by threatening to publish stolen information unless ransoms are paid.

This was witnessed in an attack on UK telecom provider Colt Technology Services, where the Warlock ransomware group exploited a vulnerability in Microsoft SharePoint to infiltrate the company's systems.

The attackers stole several hundred gigabytes of sensitive data, including employee salary information, financial records, customer contracts and network architecture details. As a result of not paying the ransom, the group subsequently posted a file list on a Russian Tor forum, offering over a million documents for sale.

Similarly, the Clop ransomware group demonstrated this shift in May 2023 by exploiting a zero-day vulnerability in the MOVEit file transfer software (CVE-2023-34362) to exfiltrate large volumes of data from hundreds of organizations, including high-profile companies such as the BBC and Boots. Rather than just encrypting systems, Clop threatened to publicly publish the stolen information via its leak site.

This evolution exploits the growing regulatory and reputational pressures organizations face, particularly in jurisdictions with strict privacy laws. While encryption-based attacks often result in larger individual ransom demands due to the urgency of restoring critical services, improvements in data recovery and backup controls have inadvertently made data theft and extortion a more effective alternative for attackers.

The recent major data theft operations performed by hacker groups such as Scattered Spider and Shiny Hunters, who are related to a collective known as the Com or the Community, have targeted large software service providers such as Salesforce and other companies that integrate with their platform. This has highlighted again the appetite to use data theft and extortion over deploying ransomware to encrypt the victim's files.

Exploitation of Vulnerabilities and Edge Devices

Unpatched vulnerabilities in internet-facing systems and edge devices remain a primary attack vector for ransomware groups. Attackers are exploiting flaws in widely deployed technologies, including VPNs, remote monitoring tools and network appliances, to gain initial access into company systems. These vulnerabilities allow mass compromise at scale and are a major contributor to successful ransomware campaigns.

In 2024, infamous ransomware groups Clop and Termite emerged as highly proficient actors in carrying out attacks against managed file transfer services. Additionally, earlier this year, Clop targeted Cleo, the enterprise integration and managed file transfer software provider, by exploiting a zero-day vulnerability (CVE-2024-50623) in its integration software.

This attack affected over 80 organizations, primarily in the telecommunications and healthcare sectors, resulting in significant data exposure and operational disruption. More recently, we have seen several threat actors conducting widespread attacks targeting unpatched Fortinet, Cisco and Ivanti devices. This includes access brokers and affiliates associated with the Qilin, Akira and Ransomhub ransomware groups.

VMware Targeting, EDR Killers and Offensive Tooling

Ransomware actors continue to target hypervisors such as VMware ESXi environments, with the intention of disrupting critical IT infrastructure quickly. Groups such as VanHelsing and DragonForce have been linked to recent attacks, actively employing this tactic in ongoing campaigns.

Meanwhile, the adversaries are shifting their efforts towards developing capabilities to evade Endpoint Detection and Response (EDR) systems, known as EDR killers, which is often achieved by the abuse of vulnerable drivers or native software features.

The success of these attacks has been amplified by the increased use of Living-Off-the-Land Binaries (LOLBINs) and Remote Monitoring and Management (RMM) tools, another method used to evade EDR tools by enabling threat actors to blend in with normal system or environment operations to remain unnoticed, making detection and mitigation significantly more difficult for organizations.

Offensive security tools remain central to ransomware operations. Despite combined efforts by Microsoft's Digital Crimes Unit (DCU), Fortra, and the Health Information Sharing and Analysis Center (Health-ISAC) in recent years to combat the use of unauthorized, legacy copies of Cobalt Strike, it remains the most widely used offensive security tool among ransomware operators.

While Fortra has reported an 80% reduction in unauthorized copies observed in the wild over the past two years, in reality the situation remains a cat-and-mouse game: as malicious C2 infrastructure is removed from more reputable hosting providers, operators simply relocate it to less reputable ones.

Even so, this shift still presents some tactical advantages for defenders, as infrastructure hosted on lower-tier providers is more likely to be blocked by security products such as next-generation firewalls and web proxies.

Meanwhile, other offensive tools such as Metasploit, Sliver, Brute Ratel and, more recently, variants such as Pyramid C2, a Python-based command and control (C2) framework, and Adaptix C2 are steadily gaining popularity.

Final thoughts

As we move into 2026, it's clear that cybercriminals are becoming more agile, more opportunistic and more determined to exploit both technical weaknesses and organizational blind spots. With data-theft-first extortion models on the rise, increased targeting of edge devices, and the continued refinement of EDR-evading tools, defenders face a rapidly evolving challenge that demands equal adaptability.

Organizations must prioritize proactive patching, strengthen monitoring across hybrid environments and invest in threat intelligence that keeps pace with adversaries' shifting tactics. Those that build resilience now, through preparedness, visibility and robust incident response, will be best positioned to withstand the threats that lie ahead.

======================================================================
Link to news story:
https://www.techradar.com/pro/threats-to-watch-this-year-from-data-theft-and-extortion-to-edr-killers

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 134 206 300 307 317 400 426 428 470
SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426
[   << oldest   |   < older   |   list   |   newer >   |   newest >>   ]
(c) 1994, bbs@darkrealms.ca