Category: Windows Server

Which Altaro directories do I need to exclude from AntiVirus software?

If you are running an AntiVirus software or a file-scanning software, we do recommend excluding a couple of directories used by Altaro in order to ensure that it’s operation remains undisrupted.

We do recommend excluding the following:

  • all onsite backup drive directories
  • all offsite backup drive directories
  • C:\ProgramData\Altaro on the Altaro Management and on the Hyper-V hosts
  • C:\Program Files\Altaro on the Altaro Management and on the Hyper-V hosts

Also, if you relocated the Altaro temporary files ensure to exclude that directory as well.

Source :
https://help.altaro.com/hc/en-us/articles/4416905883409-Which

Altaro Dealing with “Windows Error 64” and “Windows Error 59”

PROBLEM

The backup fails with a one of the following errors:

  • “Windows Error 64: The specified network name is no longer available.”
  • “Windows Error 59: An unexpected network error occurred.”

CAUSE

There’s a number of reasons that can very easily cause networks issues which will result in a failed backup pointing to a Windows Error 64 or 59. Mainly it could be down to potential hardware failures/issues or even configuration of network devices for that matter.

Aside from that, firewalls, other traffic on the line or other software could be causing load on the network or even on the storage device itself, that might be going over timeouts or maximum retransmission limits.

Sending backups over an unreliable connection such as a VPN/WAN connection can also result in such a failure, unless using the Altaro Offsite Server tool for offsite copies.

Timeouts from specific NAS boxes when using domain credentials can also be causing such disconnections.

SOLUTION

There are numerous, distinct solutions applicable for backups failing with this error, seeing as it could be occurring for a number of reasons.

  • If you’re using a NAS as a backup location, it’s recommended that you utilise the credentials of the NAS box itself, even if it’s connected to Active Directory. The reason behind this, being that certain NAS’s have a timeout period associated for connections connected via domain credentials, so it could be the cause for the backup failure.
  • In addition to that this also doubles as a security measure in order to protect against Crypto-malware.
  • Another point to keep in mind if you’re using a NAS box, is to check whether the particular model you’re using has a sleep/standby option that could be causing such backup failure.
  • If you have other storage media available, try taking backups to this location, as the previous location may be experiencing hardware or software issues that may only present themselves during backup times. This will serve as a definite confirmation if the issue is with the previously configured location as well as a temporary solution.
  • If the backup location you have configured is going over an unreliable network, such a VPN/WAN connection, please note that this is not supported. This would only be supported if you’re making use of the Altaro Offsite Server which is only applicable for offsite copies and not primary backups.
  • If you’re using a backup device, such as a NAS which supports connections via iSCSI it’s recommended to set up the backup location this way. Devices connected via iSCSI usually perform better and in turn offer increased performance.
  • If the backup device is connected to a different switch to the backup server then it’s best to connect it to the same switch and re-test.
  • It’s recommended to change the network cables that the backup device and the backup server are connected with; additionally changing the ports on the switch would also be suggested.
  • Make sure Opportunity Locks (Oplocks) are disabled if the backup location is a NAS
  • If your backup location is a Windows machine, the equivalent to Oplocks is: Set-SmbServerConfiguration -EnableLeasing 0

    Run the above command via Powershell.
  • It’s also a good idea to reboot the backup device as well as the backup server to clear any open connections and refresh the devices.

    SessTimeout
    Key:HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\
    DWORD: SessTimeoutThe value entered here should be in seconds. You can try entering a value of 300 seconds (5 minutes) or 600 seconds (10 minutes). The default for this is 1 minute.
    This will increase the time the backup server waits for a response before the connection is aborted.

    TcpMaxDataRetransmissions
    Key:HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    DWORD: TcpMaxDataRetransmissions
    The value entered here will reflect the number of retries. The default number for this is 5.This will increase the number of tries the TCP retransmission mechanism will attempt to transmit data before the connection is aborted.
  • If the above does not help and you’re still experiencing issues, it’s recommended to temporarily disable any firewalls and antivirus products on the backup server, the hosts and the backup device. This applies for both software and hardware firewalls.

Source :
https://help.altaro.com/hc/en-us/articles/4416921704081-Dealing-w

Microsoft finds Raspberry Robin worm in hundreds of Windows networks

Microsoft says that a recently spotted Windows worm has been found on the networks of hundreds of organizations from various industry sectors.

The malware, dubbed Raspberry Robin, spreads via infected USB devices, and it was first spotted in September 2021 by Red Canary intelligence analysts.

Cybersecurity firm Sekoia also observed it using QNAP NAS devices as command and control servers (C2) servers in early November [PDF], while Microsoft said it found malicious artifacts linked to this worm created in 2019.

Redmond’s findings align with those of the Red Canary’s Detection Engineering team, which also detected this worm on the networks of multiple customers, some of them in the technology and manufacturing sectors.

Although Microsoft observed the malware connecting to addresses on the Tor network, the threat actors are yet to exploit the access they gained to their victims’ networks.

This is in spite of the fact that they could easily escalate their attacks given that the malware can bypass User Account Control (UAC) on infected systems using legitimate Windows tools.

Microsoft shared this info in a private threat intelligence advisory shared with Microsoft Defender for Endpoint subscribers and seen by BleepingComputer.

Raspberry Robin worm infection flow
Raspberry Robin worm infection flow (Red Canary)

Abuses Windows legitimate tools to infect new devices

As already mentioned, Raspberry Robin is spreading to new Windows systems via infected USB drives containing a malicious .LNK file.

Once the USB device is attached and the user clicks the link, the worm spawns a msiexec process using cmd.exe to launch a malicious file stored on the infected drive.

It infects new Windows devices, communicates with its command and control servers (C2), and executes malicious payloads using several legitimate Windows utilities:

  • fodhelper (a trusted binary for managing features in Windows settings),
  • msiexec (command line Windows Installer component),
  • and odbcconf (a tool for configuring ODBC drivers).

“While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware,” Red Canary researchers explained.

“Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes.”

Security researchers who spotted Raspberry Robin in the wild are yet to attribute the malware to a threat group and are still working on finding its operators’ end goal.

However, Microsoft has tagged this campaign as high-risk, given that the attackers could download and deploy additional malware within the victims’ networks and escalate their privileges at any time.

Source :
https://www.bleepingcomputer.com/news/security/microsoft-finds-raspberry-robin-worm-in-hundreds-of-windows-networks/

Microsoft Defender adds network protection for Android, iOS devices

Microsoft has introduced a new Microsoft Defender for Endpoint (MDE) feature in public preview to help organizations detect weaknesses affecting Android and iOS devices in their enterprise networks.

After enabling the new Mobile Network Protection feature on Android and iOS devices you want to monitor, the enterprise endpoint security platform will provide protection and notifications when it detects rogue Wi-Fi-related threats and rogue certificates (the primary attack vector for Wi-Fi networks).

Threats it can spot include rogue hardware such as Hak5 Wi-Fi Pineapple devices which both pen-testers and cybercriminals can use to capture data shared within the network.

MDE will also alert users to switch networks if it spots a suspicious or unsecured network and push notifications when it discovers open Wi-Fi networks.

While the feature is enabled by default on mobile devices, Microsoft also provides detailed info on configuring network protection on Android and iOS devices via the Microsoft Endpoint Manager Admin center.

“As the world continues to make sense of the digital transformation, networks are becoming increasingly complex and provide a unique avenue for nefarious activity if left unattended,” the company said this week.

“To combat this, Microsoft offers a mobile network protection feature in Defender for Endpoint that helps organizations identify, assess, and remediate endpoint weaknesses with the help of robust threat intelligence.”

Disable MDE Network Protection
Disabling MDE Network Protection (Microsoft)

Cross-platform endpoint security platform

This is part of a broader effort to expand Defender for Endpoint’s capabilities across all major platforms to allow security teams to defend network endpoints via a single, unified security solution.

In February, MDE on iOS was updated with zero-touch onboarding capability allowing admins to silently and automatically install Defender for Endpoint on enrolled devices.

One month later, Microsoft announced that threat and vulnerability management support for Android and iOS reached general availability in Microsoft Defender for Endpoint.

Android and iOS vulnerability management lets admins decrease mobile endpoints’ surface attack and, in the process, increase their organization’s resilience against incoming attacks.

“With this new cross-platform coverage, threat and vulnerability management capabilities now support all major device platforms across the organization – spanning workstations, servers, and mobile devices,” Microsoft said.

Earlier this month, Redmond also said that a new MDE feature allows admins to “contain” unmanaged Windows devices on their network if they were compromised or are suspected to be compromised to block malware and attackers from abusing them to move laterally through the network.

Source :
https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-adds-network-protection-for-android-ios-devices/

Google patches new Chrome zero-day flaw exploited in attacks

Google has released Chrome 103.0.5060.114 for Windows users to address a high-severity zero-day vulnerability exploited by attackers in the wild, the fourth Chrome zero-day patched in 2022.

“Google is aware that an exploit for CVE-2022-2294 exists in the wild.,” the browser vendor explained in a security advisory published on Monday.

The 103.0.5060.114 version is rolling out worldwide in the Stable Desktop channel, with Google saying that it’s a matter of days or weeks until it reaches the entire userbase.

This update was available immediately when BleepingComputer checked for new updates by going into Chrome menu > Help > About Google Chrome.

The web browser will also auto-check for new updates and automatically install them after the next launch.

Google Chrome 103.0.5060.114

Attack details not revealed

The zero-day bug fixed today (tracked as CVE-2022-2294) is a high severity heap-based buffer overflow weakness in the WebRTC (Web Real-Time Communications) component, reported by Jan Vojtesek of the Avast Threat Intelligence team on Friday, July 1.

The impact of successful heap overflow exploitation can range from program crashes and arbitrary code execution to bypassing security solutions if code execution is achieved during the attack.

Although Google says this zero-day vulnerability was exploited in the wild, the company is yet to share technical details or a any info regarding these incidents.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said.

“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

With this delayed release of more info on the attacks, Chrome users should have enough time to update and prevent exploitation attempts until Google provides additional details.

Fourth Chome zero-day fixed this year

With this update, Google has addressed the fourth Chrome zero-day since the start of the year.

The previous three zero-day vulnerabilities found and patched in 2022 are:

The one fixed in February, CVE-2022-0609, was exploited by North Korean-backed state hackers weeks before the February patch, according to the Google Threat Analysis Group (TAG). The earliest signs of in the wild exploitation was found on January 4, 2022.

It was abused by two North Korean-sponsored threat groups in campaigns pushing malware via phishing emails using fake job lures and compromised websites hosting hidden iframes to serve exploit kits.

Because the zero-day patched today is known to have been used by attackers in the wild, is it strongly recommended to install today’s Google Chrome update as soon as possible.

Source :
https://www.bleepingcomputer.com/news/security/google-patches-new-chrome-zero-day-flaw-exploited-in-attacks/

Microsoft: Windows Server 2012 reaches end of support in October 2023

Microsoft has reminded customers that Windows Server 2012/2012 R2 will reach its extended end-of-support (EOS) date next year, on October 10, 2023.

Released in October 2012, Windows Server 2012 has entered its tenth year of service and has already reached the mainstream end date over three years ago, on October 9, 2018.

Redmond also revealed today that Microsoft SQL Server 2012, the company’s relational database management system, will be retired on July 12, 2022, ten years after its release in May 2012.

Once EOS reached, Microsoft will stop providing technical support and bug fixes for newly discovered issues that may impact the usability or stability of servers running the two products.

“Microsoft recommends customers migrate applications and workloads to Azure to run securely. Azure SQL Managed Instance is fully managed and always updated (PaaS),” the company said.

“Customers can also lift-and-shift to Azure Virtual Machines, including Azure Dedicated Host, Azure VMware Solution, and Azure Stack (Hub, HCI, Edge), to get three additional years of extended security updates at no cost.”

What are the options?

Microsoft advises admins who want to keep their servers running and still receiving bug fixes and security updates to upgrade to Windows Server 2019 and SQL Server 2019.

Redmond also reminded admins in July 2021 that Windows Server 2012 and SQL Server 2012 will reach their extended support end dates in two years, urging them to upgrade as soon as possible to avoid compliance and security gaps.

“We understand that SQL Server and Windows Server run many business-critical applications that may take more time to modernize,” Microsoft said.

“Customers that cannot meet the end of support deadline and have Software Assurance or subscription licenses under an enterprise agreement enrollment will have the option to buy Extended Security Updates to get three more years of security updates for SQL Server 2012, and Windows Server 2012 and 2012 R2.”

Regarding the pricing scheme for Extended Security Updates, Microsoft says that they will only cost for on-premises deployments:

  • In Azure: Customers running SQL Server 2012 and Windows Server 2012 and 2012 R2 in Azure will get Extended Security Updates for free.
  • On-premises: Customers with active Software Assurance or subscription licenses can purchase Extended Security Updates annually for 75 percent of the license cost of the latest version of SQL Server or Windows Server for the first year, 100 percent of the license cost for the second year, and 125 percent of the license cost for the third year.

Additional information regarding eligibility requirements and onboarding details is available on the Extended Security Updates frequently asked questions page.

SQL Server 2008/R2 and Windows Server 2008/R2 Extended Security Updates (ESUs) will also reach their end support on July 12, 2022, and January 10, 2023, respectively.

Customers who will require additional time to upgrade servers may re-host them on Azure for an additional year of free Extended Security Updates (ESUs).

Source :
https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-server-2012-reaches-end-of-support-in-october-2023/

What is Shadow IT and why is it so risky?

Shadow IT refers to the practice of users deploying unauthorized technology resources in order to circumvent their IT department. Users may resort to using shadow IT practices when they feel that existing IT policies are too restrictive or get in the way of them being able to do their jobs effectively.

An old school phenomenon

Shadow IT is not new. There have been countless examples of widespread shadow IT use over the years. In the early 2000s, for example, many organizations were reluctant to adopt Wi-Fi for fear that it could undermine their security efforts. However, users wanted the convenience of wireless device usage and often deployed wireless access points without the IT department’s knowledge or consent.

The same thing happened when the iPad first became popular. IT departments largely prohibited iPads from being used with business data because of the inability to apply group policy settings and other security controls to the devices. Even so, users often ignored IT and used iPads anyway.

Of course, IT pros eventually figured out how to secure iPads and Wi-Fi and eventually embraced the technology. However, shadow IT use does not always come with a happy ending. Users who engage in shadow IT use can unknowingly do irreparable harm to an organization.

Even so, the problem of shadow IT use continues to this day. If anything, shadow IT use has increased over the last several years. In 2021 for example, Gartner found that between 30% and 40% of all IT spending (in a large enterprise) goes toward funding shadow IT.

Shadow IT is on the rise in 2022

Remote work post-pandemic

One reason for the rise in shadow IT use is remote work. When users are working from home, it is easier for them to escape the notice if the IT department than it might be if they were to try using unauthorized technology from within the corporate office. A study by Core found that remote work stemming from COVID requirements increased shadow IT use by 59%.

Tech is getting simpler for end-users

Another reason for the increase in shadow IT is the fact that it is easier than ever for a user to circumvent the IT department. Suppose for a moment that a user wants to deploy a particular workload, but the IT department denies the request.

A determined user can simply use their corporate credit card to set up a cloud account. Because this account exists as an independent tenant, IT will have no visibility into the account and may not even know that it exists. This allows the user to run their unauthorized workload with total impunity.

In fact, a 2020 study found that 80% of workers admitted to using unauthorized SaaS applications. This same study also found that the average company’s shadow IT cloud could be 10X larger than the company’s sanctioned cloud usage.

Know your own network

Given the ease with which a user can deploy shadow IT resources, it is unrealistic for IT to assume that shadow IT isn’t happening or that they will be able to detect shadow IT use. As such, the best strategy may be to educate users about the risks posed by shadow IT. A user who has a limited IT background may inadvertently introduce security risks by engaging in shadow IT. According to a Forbes Insights report 60% of companies do not include shadow IT in their threat assessments.

Similarly, shadow IT use can expose an organization to regulatory penalties. In fact, it is often compliance auditors – not the IT department – who end up being the ones to discover shadow IT use.

Of course, educating users alone is not sufficient to stopping shadow IT use. There will always be users who choose to ignore the warnings. Likewise, giving in to user’s demands for using particular technologies might not always be in the organization’s best interests either. After all, there is no shortage of poorly written or outdated applications that could pose a significant threat to your organization. Never mind applications that are known for spying on users.

The zero-trust solution to Shadow IT

One of the best options for dealing with shadow IT threats may be to adopt zero trust. Zero-trust is a philosophy in which nothing in your organization is automatically assumed to be trustworthy. User and device identities must be proven each time that they are used to access a resource.

There are many different aspects to a zero-trust architecture, and each organization implements zero-trust differently. Some organizations for instance, use conditional access policies to control access to resources. That way, an organization isn’t just granting a user unrestricted access to a resource, but rather is considering how the user is trying to access the resource. This may involve setting up restrictions around the user’s geographic location, device type, time of day, or other factors.

Zero-trust at the helpdesk

One of the most important things that an organization can do with regard to implementing zero trust is to better secure its helpdesk. Most organizations’ help desks are vulnerable to social engineering attacks.

When a user calls and requests a password reset, the helpdesk technician assumes that the user is who they claim to be, when in reality, the caller could actually be a hacker who is trying to use a password reset request as a way of gaining access to the network. Granting password reset requests without verifying user identities goes against everything that zero trust stands for.

Specops Software’s Secure Service Desk can eliminate this vulnerability by making it impossible for a helpdesk technician to reset a user’s password until that user’s identity has been proven. You can test it out for free to reduce the risks of shadow IT in your network.

Source :
https://thehackernews.com/2022/06/what-is-shadow-it-and-why-is-it-so-risky.html

Staying safe online with our updated Google Password Manager

Strong, unique passwords are key to helping keep your personal information secure online. That’s why Google Password Manager can help you create, remember and autofill passwords on your computer or phone: on the web in Chrome, and in your favorite Android and iOS apps.

Video showing how Google Password Manager is built into Chrome and Android, and how you can set it up as your passwords' provider on your iPhone.

Today we’ve started rolling out a number of updates that help make the experience easier to use, with even stronger protections built in.

A consistent look and feel, across web and apps

We’re always grateful for feedback, and many of you have shared that managing passwords between Chrome and Android has been confusing at times: “It’s the same info in both places, so why does it look so different?” With this release, we’re rolling out a simplified and unified management experience that’s the same in Chrome and Android settings. If you have multiple passwords for the same sites or apps, we’ll automatically group them. And for your convenience, you can create a shortcut on your Android home screen to access your passwords with a single tap.

GIF showing new Google Password Manager shortcut on an Android homescreen.

You can now add a shortcut to Google Password Manager to your Android homescreen.

More powerful password protections

Google Password Manager can create unique, strong passwords for you across platforms, and helps ensure your passwords aren’t compromised as you browse the web. We’re constantly working to expand these capabilities, which is why we’re giving you the ability to generate passwords for your iOS apps when you set Chrome as your autofill provider.

Image showing how Chrome can automatically generate strong passwords on iOS

You can now create strong passwords on your computer or mobile, on any operating system.

Chrome can automatically check your passwords when you enter them into a site, but you can have an added layer of confidence by checking them in bulk with Password Checkup. We’ll now flag not only compromised credentials, but also weak and re-used passwords on Android. If Google warns you about a password, you can now fix them without hassle with our automated password change feature on Android.

Image showing how the Password Checkup feature flags compromised passwords on Android

For your peace of mind, Password Checkup on Android can flag compromised, weak and reused passwords.

To help protect even more people, we’re expanding our compromised password warnings to all Chrome users on Android, Chrome OS, iOS, Windows, MacOS and Linux.

Simplified access and password management

Google built its password manager to stay out of your way — letting you save passwords when you log in, filling them when you need them and ensuring they aren’t compromised. However, you might want to add your passwords to the app directly, too. That’s why, due to popular demand, we’re adding this functionality to Google Password Manager on all platforms.

GIF showing how you can add your passwords directly on all platforms.

Adding your passwords directly is now possible on all platforms.

In 2020, we announced Touch-to-Fill to help you fill your passwords in a convenient and recognizable way. We’re now bringing Touch-to-Login to Chrome on Android to make logging in even quicker by allowing you to securely log in to sites directly from the overlay at the bottom of your screen.

GIF showing new touch-to-login feature

Touch-to-Login signs you in directly from a recognizable overlay.

Many of these features were developed at the Google Safety Engineering Center (GSEC), a hub of privacy and security experts based in Munich, so Guten Tag from the team! Of course, our efforts to create a safer web are a truly global effort – from our early work on 2-step verification, to our future investments in technologies like passkeys – and these updates that we are rolling out over the next months are an important part of that work.

Source :
https://blog.google/products/chrome/password-manager-update/

Google Workspace Now Warns Admins of Sensitive Changes

Google this week announced that new warnings added in the Google Workspace Alert Center will keep administrators notified of critical and sensitive configuration changes.

Previously known as G Suite, Google Workspace provides secure collaboration and productivity tools for enterprises of all sizes. Accessible from anywhere in Google Workspace, the Alert Center delivers real-time security alerts and insights, to help admins mitigate threats such as phishing and malware.

With the new alerts in place, admins will also receive notifications whenever select changes are made to their Google Workspace configurations.

Specifically, warnings will be displayed when the primary admin is changed, when the password for a super admin account has been reset, and when changes are made to SSO profiles – when a third-party SSO profile has been added, updated, or deleted for the organization.

“These additional intelligent alerts will closely monitor several sensitive actions, making it easier for admins to stay on top of high-risk changes to their environment and potentially malicious actions being taken by bad actors,” Google explains.

An email notification containing key details on the event will be delivered to admins and super admins for each alert. The security investigation tool will allow admins to further investigate the reported incident.

The alerts and their associated email notifications are enabled by default and cannot be turned off.

The new capability is rolling out to all Google Workspace customers, including legacy G Suite Basic and Business customers, and is expected to become visible for everyone in the next couple of weeks.

Earlier this year, Google boosted malware and phishing protections in Workspace with updated comment notifications that now also include the commenter’s email address, so that users can better assess the legitimacy of the message.

Source :
https://www.securityweek.com/google-workspace-now-warns-admins-sensitive-changes

AstraLocker 2.0 infects users directly from Word attachments

A lesser-known ransomware strain called AstraLocker has recently released its second major version, and according to threat analysts, its operators engage in rapid attacks that drop its payload directly from email attachments.

This approach is quite unusual as all the intermediate steps that typically characterize email attacks are there to help evade detection and minimize the chances of raising red flags on email security products.

According to ReversingLabs, which has been following AstraLocker operations, the adversaries don’t seem to care about reconnaissance, evaluation of valuable files, and lateral network movement.

Instead, they are performing “smash-n-grab” attacks to his immediately hit with maximum force aiming for a quick payout.

From document to encryption

The lure used by the operators of AstraLocker 2.0 is a Microsoft Word document that hides an OLE object with the ransomware payload. The embedded executable uses the filename “WordDocumentDOC.exe”.

To execute the payload, the user needs to click “Run” on the warning dialog that appears upon opening the document, further reducing the chances of success for the threat actors.

Unknown publisher warning
Unknown publisher warning (ReversingLabs)

This bulk approach is in line with Astra’s overall “smash-n-grab” tactic, choosing OLE objects instead of VBA macros that are more common in malware distribution.

Another peculiar choice is the use of SafeEngine Shielder v2.4.0.0 to pack the executable, which is such an old and outdated packer that reverse engineering is almost impossible.

After an anti-analysis check to ensure that the ransomware isn’t running in a virtual machine and that no debuggers are loaded in other active processes, the malware prepares the system for encryption using the Curve25519 algorithm.

The preparation includes killing processes that could jeopardize the encryption, deleting volume shadow copies that could make restoration easier for the victim, and stopping a list of backup and AV services. The Recycle Bin is simply emptied instead of encrypting its contents.

AstroLocker 2.0 ransom note
AstraLocker 2.0 ransom note (ReversingLabs)

AstraLocker background

According to the code analysis of ReversingLabs, AstraLocker is based on the leaked source code of Babuk, a buggy yet still dangerous ransomware strain that exited the space in September 2021.

Additionally, one of the Monero wallet addresses listed in the ransom note is linked to the operators of Chaos ransomware

This could mean that the same operators are behind both malware or that the same hackers are affiliates on both ransomware projects, which is not uncommon.

Judging from the tactics that underpin the latest campaign, this doesn’t seem to be the work of a sophisticated actor but rather one who is determined to deliver as many destructive attacks as possible.

Source :
https://www.bleepingcomputer.com/news/security/astralocker-20-infects-users-directly-from-word-attachments/