Play ransomware continues to be a formidable cybersecurity threat, with over 300 successful attacks reported globally since its first detection in 2022. Named for the “.PLAY” extension it appends to encrypted files, this ransomware has been linked to Andariel, a North Korean state-sponsored hacking group operating under the Reconnaissance General Bureau.
This connection highlights the increasing involvement of state-backed actors in sophisticated cybercrime campaigns targeting both public and private sector organizations worldwide.
Recent analysis by AhnLab sheds light on how Play ransomware gains access to its victims’ networks. The attackers exploit vulnerabilities in widely used software systems or misuse valid user accounts.
Known flaws in Microsoft Exchange Server’s ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082) and Fortinet’s FortiOS (CVE-2020-12812 and CVE-2018-13379) have been frequently abused by these attackers. After infiltrating a network, they use port scanning techniques to gather information about active systems and services, collect Active Directory data, and identify paths for privilege escalation. These escalated privileges allow the attackers to obtain administrator-level access, steal credentials, and ultimately gain control over the domain environment.
One of the key challenges in detecting Play ransomware lies in its ability to blend malicious activities with legitimate operations
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: