RansomHub-Related EDR-Killing Malware Spotted in the Wild • The Register

In short: Malware has been spotted that blocks endpoint detection and response (EDR) software. Given that it is being used in RansomHub attacks, this malware could soon be everywhere.

The malware, dubbed EDRKillShifter, was discovered by Sophos analysts after a failed attack. It abuses legitimate but vulnerable drivers on Windows machines to push ransomware to targets.

Both variants tested by Sophos analysts leverage known vulnerable drivers with publicly available proofs of concept, with the ultimate goal of disabling endpoint detection and response software and taking the victim’s machine hostage. The tactic of leveraging publicly known driver vulnerabilities is common to EDR-killing malware, Sophos said.

Its association with RansomHub, which emerged earlier this year and has quickly become one of the most widely used tools among ransomware actors, indicates that EDRKillShifter is already on the verge of becoming a serious threat. However, a look inside the malware reveals that it is not as dangerous as it first appears, provided the right precautions are taken.

Sophos’ research doesn’t say how attackers gain the initial access needed to use EDRKillShifter, but it does note that “this attack is only possible if the attacker escalates the privileges they have control over or can gain administrative privileges.”

Once attackers have the necessary privileges, they must execute the malware from the command line and supply a password to launch it. This is where things get a bit more complicated: EDRKillShifter obfuscates its activity with self-modifying code and carries various EDR killers, which are written in Go and also obfuscated.

If its initial attempts to unpack itself into memory succeed, EDRKillShifter deploys one of two payloads, which creates a new service for the vulnerable driver and forces the driver into an endless loop that terminates every process on its target list.

Since a threat actor must first gain access to the target machine with elevated privileges in order to execute EDRKillShifter and deploy ransomware, Sophos recommends practicing good Windows security role hygiene as the best prevention. This means clearly separating users from administrators, ensuring that EDR software has tamper protection enabled, and keeping systems and drivers up to date.
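The driver-as-a-service step described above leaves a footprint defenders can hunt for: a new kernel-mode driver service registered from somewhere other than the Windows driver store. The following detection logic is an added example, not code from Sophos or The Register; it runs over constructed, flattened "new service installed" records (Windows System log, Event ID 7045) and the event field names, service names and paths are all constructed for illustration.

```python
# Added example (not from the Sophos report): flag Event ID 7045 records that
# register a kernel-mode driver from outside the normal driver directories, the
# trace an EDR killer leaves when it installs a vulnerable driver as a new service.
import re
from dataclasses import dataclass
from typing import List, Optional

# Directories from which kernel drivers are normally installed; a driver service
# whose binary lives anywhere else (user profile, temp, public folders) is worth a look.
TRUSTED_DRIVER_DIRS = (
    "\\systemroot\\system32\\drivers\\",
    "c:\\windows\\system32\\drivers\\",
)

@dataclass
class ServiceEvent:
    name: str
    image_path: str
    service_type: str
    start_type: str

# Matches the constructed, semicolon-separated flattening of a 7045 message.
EVENT_RE = re.compile(
    r"Service Name:\s*(?P<name>.+?);\s*Service File Name:\s*(?P<path>.+?);"
    r"\s*Service Type:\s*(?P<stype>.+?);\s*Service Start Type:\s*(?P<start>.+)$"
)

def parse_7045(line: str) -> Optional[ServiceEvent]:
    """Parse one flattened 7045 record; return None for lines that do not match."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return ServiceEvent(m["name"].strip(), m["path"].strip(),
                        m["stype"].strip(), m["start"].strip())

def is_suspicious_driver_service(ev: ServiceEvent) -> bool:
    """True for a kernel-mode driver service whose binary is outside the driver store."""
    if ev.service_type.lower() != "kernel mode driver":
        return False
    path = ev.image_path.lower().strip('"')
    path = re.sub(r"^\\\?\?\\", "", path)  # drop the \??\ NT object-manager prefix
    return not path.startswith(TRUSTED_DRIVER_DIRS)

def find_suspicious(lines: List[str]) -> List[str]:
    """Return the names of driver services that merit triage."""
    return [ev.name for ev in map(parse_7045, lines)
            if ev is not None and is_suspicious_driver_service(ev)]

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    "7045 Service Name: examplefilter; Service File Name: \\SystemRoot\\system32\\drivers\\examplefilter.sys; Service Type: kernel mode driver; Service Start Type: auto start",
    "7045 Service Name: svc_upd; Service File Name: \\??\\C:\\Users\\Public\\upd.sys; Service Type: kernel mode driver; Service Start Type: demand start",
    "7045 Service Name: UpdaterSvc; Service File Name: C:\\Program Files\\Vendor\\updater.exe; Service Type: user mode service; Service Start Type: auto start",
]
```

Legitimate installers occasionally register drivers from their own program directories, so treat a hit as a triage lead to be checked against the driver's signer and hash rather than as a confirmed EDR killer.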

However, it is wise to remain alert to this threat, as it is closely related to a common form of ransomware.

Critical Vulnerabilities of the Week: SolarWinds Again?

Now that we’ve just come through a Patch Tuesday week, there aren’t many vulnerabilities to report that haven’t already been discussed.

That said, there was one major bug to report: a SolarWinds vulnerability (CVE-2024-28986) that the enterprise software vendor disclosed last week and that is now believed to be actively exploited.

The critical vulnerability, which carries a CVSS severity score of 9.8, affects SolarWinds Web Help Desk. It is a Java deserialization remote code execution vulnerability that, if exploited, could allow an attacker to execute commands on the host machine.

“Although it was reported as an unauthenticated vulnerability, SolarWinds was unable to reproduce it without authentication after thorough testing,” the vendor said. “As a precaution, however, we recommend all Web Help Desk customers apply the patch, which is available now.”

Public NetSuite sites may leak data

Organizations using NetSuite SuiteCommerce or SiteBuilder are urged to review their settings as thousands of externally facing sites have been discovered that can be abused to leak customer PII.

Aaron Costello, head of SaaS security research at AppOmni, wrote in a blog post last week that poor access control configuration, combined with improper use of record and search APIs, can allow an unauthenticated user to extract data.

There are numerous caveats here, such as the attacker needing to know which custom record types (CRTs) are in use, but the advice remains the same: check your NetSuite settings, tighten access controls on CRTs, and lock down public sites.

“I would highly recommend that administrators start by reviewing field-level access controls and determining which fields, if any, should be exposed,” Costello added.

Ransomware Miners Strike Gold (Mining Company)

An Australian gold mining company has admitted it was the victim of a ransomware attack. However, the company has shared little other information beyond acknowledging that the incident actually occurred.

Evolution Mining issued a warning (PDF) about the incident last week, stating that the company believed the incident was under control and that there would be no material impact on its operations.

“The incident was proactively addressed with a focus on protecting people’s health, safety and privacy, along with the company’s systems and data,” Evolution said.

Other than mentioning the impact on IT systems, no details were shared.

Evolution’s disclosure is far less detailed than that of an attack on another Australian mining operation in March. Northern Minerals Limited suffered a “cyber incident” that led to the theft of its employees’ personal data, including scans of their passports.

During the attack on Northern Minerals, data related to exploration, mining projects and other company information was also stolen and published online in June by the BianLian ransomware gang.

Half a million patient records stolen from Idaho health care company

Kootenai Health, based in Idaho, has announced that an unknown incident occurred in late February that resulted in the personal information of nearly half a million patients being stolen.

Kootenai wrote in a letter to victims that names, dates of birth, social security numbers, IDs and medical records may have been stolen, but there was no mention of ransomware.

That said, multiple sources have reported that the 3AM ransomware gang was behind the attack. The Russian-speaking 3AM crew, which first emerged last year, reportedly published around 22GB of stolen Kootenai data on its leak site.

If you work in healthcare, consider this an extra warning to keep your systems up to date and your defenders alert.

Five Malware Variants That Stood Out in Q2

ReliaQuest has published a list of five malware variants that it believes had a major impact in the second quarter of 2024. Surprisingly, infostealers remain popular.

Windows infostealer LummaC2 topped the list after what ReliaQuest described as a quarter of significant growth: compared with the first quarter of 2024, mentions of LummaC2 on Russian-language markets rose 51.9 percent.

Next on the list are Rust-based infostealers in general. According to ReliaQuest, these are becoming increasingly popular because Rust is fast, makes it easy to write code that bypasses antivirus, and is cross-platform.

The SocGholish remote access trojan has long been a popular tool, and it remains so thanks to a new infection variant that uses Python to establish persistence. AsyncRAT is also gaining popularity.

The Oyster backdoor, which is distributed through websites that purport to host legitimate software but serve malware-laced copies, rounds out the list. ReliaQuest noted that Oyster – also known as Broomstick and CleanUpLoader – has been linked to some of Russia’s largest malware gangs, including Wizard Spider.

Make sure your security systems are protected against the various tricks these malware families use, which are discussed in the ReliaQuest report. ®