
Hackers Sneak 'More_Eggs' Malware Into Resumes Sent to Corporate Hiring Managers

 

A year after candidates looking for work on LinkedIn were tempted with weaponized job offers, a new series of phishing attacks carrying the more_eggs malware has been detected targeting corporate hiring managers, using fake resumes as the infection vector.

Keegan Keplinger, eSentire's research and reporting lead, said in a statement, "This year the more_eggs operation has flipped the social engineering script, targeting hiring managers with fake resumes instead of targeting job seekers with fake job offers."
 
Four separate security incidents were identified and disrupted, according to the Canadian cybersecurity firm, three of which happened towards the end of March. The targets included a U.S.-based aerospace company, a U.K.-based accounting firm, and a legal firm and a hiring agency, both based in Canada.

The malware, which is thought to have been created by a threat actor known as Golden Chickens (aka Venom Spider), is a stealthy, modular backdoor suite capable of stealing sensitive data and moving laterally across a compromised network.

Keplinger stated, "More_eggs achieves execution by passing malicious code to legitimate windows processes and letting those windows processes do the work for them."
 
The goal is to use the resumes as a decoy to launch the malware and sidestep detection. Apart from the role reversal in the mode of operation, it is unclear what the attackers were after, since the attacks were stopped before they could carry out their intentions. It is worth noting, however, that once deployed, more_eggs can serve as a launchpad for follow-on attacks such as data theft and ransomware.

"The threat actors behind more_eggs use a scalable, spear-phishing approach that weaponizes expected communications, such as resumes, that match a hiring manager's expectations or job offers, targeting hopeful candidates that match their current or past job titles," Keplinger stated.

Cyber Attack on Bridgestone Leads to Plant Closures Across North America & Latin America

 

After sending workers home for several days, Bridgestone-Firestone tyre plants across North America and Latin America are still struggling to recover from a cyberattack.

Despite numerous requests for comment, the corporation has remained silent. However, the plant's union, USW 1155L, used Facebook to inform employees that the company was still dealing with the cyberattack and that nobody needed to come in.

The union wrote on Monday, "Warren hourly teammates who are scheduled to work day shift, March 1st, will not be required to report to work (no-hit, no pay, or you have the option to take a vacation)". 

The outages were first reported on Sunday, when the union posted on Facebook that Bridgestone Americas was investigating a potential information security incident. The notice appeared to have been written by the firm itself rather than by the union.

The company explained, "Since learning of the potential incident in the early morning hours of February 27, we have launched a comprehensive investigation to quickly gather facts while working to ensure the security of our IT systems. Out of an abundance of caution, we disconnected many of our manufacturing and retreading facilities in Latin America and North America from our network to contain and prevent any potential impact, including those at Warren TBR Plant. First shift operations were shut down, so those employees were sent home." 

"Until we learn more from this investigation, we cannot determine with certainty the scope or nature of any potential incident, but we will continue to work diligently to address any potential issues that may affect our operations, our data, our teammates, and our customers." 

The firm reiterated on Tuesday evening that hourly staff scheduled to work on Wednesday would not be required to report to work. Bridgestone Americas employs nearly 50,000 people in dozens of locations across North America, Central America, and the Caribbean. Local news outlets across the United States reported outages affecting plants in Iowa, Illinois, North Carolina, South Carolina, Tennessee, and Canada.

Houdini Malware is Back, and Amazon Sidewalk has Affected Enterprise Risk Assessments

 

By its nature, a secure access service edge (SASE) platform sees a large share of its customers' internet traffic, and the larger the platform, the more data flows can be evaluated. A review of over 263 billion network flows from Q2 2021 reveals rising threats, new uses for old malware, and the expanding presence of consumer devices in the workplace.

According to the Cato Networks SASE Threat Research Report, a new version of the old Houdini malware is now being used to steal device information in order to circumvent access rules that look at both the device and the user. Attackers have prioritized spoofing device IDs as device-identity checks have evolved from simple point solutions to cloud-based services. As a result, verifying device identity has become critical for strong user authentication.

The report also shows how Amazon Sidewalk and other consumer services run on many enterprise networks, making risk assessment difficult. “Cybersecurity risk assessment is based on visibility to threats as much as visibility to what is happening in the organization’s network,” says Etay Maor, senior director of security strategy at Cato Networks. 

Maor doubts that many firms would be comfortable with on-site networks that include a variety of home gadgets, including devices that are automatically signed in by Sidewalk and belong to employees' neighbours. Just as concerning, he said, "How many companies are even aware that home devices have been brought into the corporate network and are sharing the corporate infrastructure."

“With lines blurring between the home office and the corporate network – more devices and applications find their way to the organization’s network but not necessarily to the organization’s risk assessment,” Maor added. 

Cato's platform observed 9.5 billion network scans in Q2. Maor is confident that the company's combination of AI-based threat identification and human review ensures that these are not researcher scans. Cato also recorded about 817 million security events caused by malware, as well as over 475 million events caused by inbound or outbound contact with domains of poor reputation.

There were nearly 400 million policy violations, including 241 million vulnerability scans from scanners such as OpenVAS, Nessus, and others that violated Cato's security policy or common network security best practices. The most common exploit attempt (7,957,186 attempts) targeted CVE-2020-29047, a vulnerability in the WordPress wp-hotel-booking plugin.

Babuk Ransomware Gang is Back Into Action

 

Although they declared their retirement from the business, the Babuk ransomware operators appear to have reverted to old habits with a new attack on corporate networks.

Following the Babuk operators' announcement that their affiliate program had closed and that they were moving to data-theft extortion, the group appears to have returned to its old practice of encrypting corporate systems.

The attackers are currently using a fresh version of their file-encrypting malware and have moved operations to a new leak website that lists a handful of victims.

The Babuk ransomware group came to prominence at the beginning of the year, although the gang claimed that its attacks began in mid-October 2020, targeting businesses worldwide and demanding ransoms of between $60,000 and $85,000 in Bitcoin. In certain instances, victims were required to pay hundreds of thousands to decrypt their data.

The Washington DC Metropolitan Police Department (MPD) is one of their most prominent victims. This attack probably led the threat actor to announce its withdrawal from the ransomware business and embrace another extortion model that did not involve encryption.

The group also declared plans to share its malware so that other cybercriminals could begin a ransomware-as-a-service operation. The threat actors kept their promise and published their builder, a tool that creates customized ransomware.

Kevin Beaumont, a security researcher, discovered it on VirusTotal and shared the information with the infosec community for detection and decryption work. The gang took the name PayLoad Bin after its shutdown in April, although that leak site displays minimal activity.

Meanwhile, a new leak site bearing Babuk Ransomware branding surfaced on the dark web. It lists fewer than five victims, who refused to pay the ransom and were targeted with a second variant of the malware. Babuk does not seem to have abandoned the encryption-based extortion game: they published the older malware version and built a new one to re-enter the ransomware business.

Pieter Arntz, a security researcher at Malwarebytes, said, "Another fact that may be of consequence, somehow, is that researchers found several defects in Babuk's encryption and decryption code. These flaws show up when an attack involves ESXi servers and they are severe enough to result in a total loss of data for the victim."