Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Malware attacks. Show all posts
Microsoft
cybercriminals Hacking malware Malware attacks Microsoft

Hackers Exploit Visual Studio Code as a Remote Access Tool, Researchers Find

 

In a new wave of cyberattacks, hackers are using Microsoft’s Visual Studio Code (VSCode) as a remote access tool to gain unauthorized entry into computers, according to Cyble Research and Intelligence Labs. Visual Studio, a popular integrated development environment (IDE) for app development on the .NET framework, supports languages like C#, VB.NET, and C++. 

While the tool is widely used for legitimate purposes, cybercriminals have now found a way to exploit it for malicious activities. The attack begins with a seemingly harmless file, a malicious “.LNK” shortcut, which is likely spread through spam emails. Once opened, the file displays a fake “Installation Successful” message in Chinese. 

In the background, however, it secretly downloads a Python package named “python-3.12.5-embed-amd64.zip” and creates a directory on the target system. This malicious file then executes an obfuscated Python script (update.py) from the online source paste[.]ee, which was not detected by the VirusTotal scanning service. 

To maintain access, the malware sets up a scheduled task, “MicrosoftHealthcareMonitorNode,” which runs every four hours or when the computer starts, using SYSTEM-level privileges. If the system does not have VSCode already installed, the malware fetches the Visual Studio Code Command Line Interface (CLI) from Microsoft’s servers. 

This tool is then used to open a remote tunnel that enables the attackers to generate an 8-character activation code, giving them unauthorized remote access to the victim’s computer. Once access is established, the malware gathers sensitive system information, such as data from critical directories, running processes, user details, and even geographical locations. 

With this, hackers can fully control the victim’s machine, accessing files, directories, and the terminal. This discovery highlights the growing sophistication of cyberattacks and emphasizes the need for vigilance, especially with common developer tools like VSCode. Users are advised to be cautious of unexpected email attachments and ensure their systems are protected against such threats.
Read more »
Web Community
Cyber Attacks CyberCrime Cybersecurity efvt Malware attacks Microsoft Office Netskope Phishing Attacks QR code Quishing Quishing Campaign URL Web Community

Quishing Scams Exploit Microsoft Sway Platform

 


It has been discovered that a new phishing campaign is being run using Microsoft Sway, which has been found by researchers. A series of attacks have been called the "Quishing" campaign to describe what is happening. The practice of "squishing" is a form of phishing that uses QR codes to lead people to malicious websites. An example of Quishing is embedding malicious URLs into a QR code to commit phishing. 

A few groups of victims in Asia and North America are primarily focusing on the campaign. In late December, researchers noticed that an unexpected spike in traffic to unique Microsoft Sway phishing pages arose as a result of a campaign called "quishing," which targeted Microsoft Office credentials.  As defined by Netskope Threat Labs, quishing is essentially phishing to trick users into opening malicious pages by presenting them with QR codes, which are commonly used in many forms of phishing. 

According to a spokesperson for the campaign, the campaign mainly targets victims in Asia and North America, across multiple industries such as the technology, manufacturing, and finance sectors. A researcher from the University of California, Davis, reported that "attackers instruct their victims to scan QR codes with their mobile devices, in the hope that these portable devices do not possess the strict security measures found on corporate-issued devices," according to an article written by the researchers. 

This QR phishing campaign utilizes two techniques that have been discussed in previous articles: transparent phishing in conjunction with Cloudflare Turnstile" Those who operate phishing websites use Cloudflare Turnstile to ensure that their malicious websites are protected from static analysis tools so that they can hide their malicious payloads, prevent web filtering providers from blocking their domains, and maintain a clean reputation among the web community. 

This is known as an attack-in-the-middle phishing technique, which is more sophisticated than traditional phishing techniques. The attackers not only attempt to gain access to the victims' credentials but also attempt to log them into the legitimate service using those credentials, bypassing multi-factor authentication, so they can steal sensitive tokens or cookies which can be used to gain further unauthorized access to the system. 

This is a massive QR code phishing campaign, which abused Microsoft Sway, a cloud-based tool for creating presentations online, to create landing pages that scammed Microsoft 365 users into handing over their credentials in exchange for money. According to Netskope Threat Labs, these attacks were spotted in July 2024 after detecting an increase of 2,000-fold in attacks exploiting Microsoft Sway to host phishing pages that allegedly steal access credentials for Microsoft 365 accounts. 

Interestingly, this surge of activity dates back to the first half of the year when minimal activity was reported. So, it comes as no surprise that this campaign has been so widespread. Essentially, they were interested in targeting users in Asia and North America, concentrating primarily on the technology, manufacturing, and finance sectors, which were the most likely to present themselves to them. A free application, called Sway, is available in Microsoft 365 for anyone with a Microsoft account who has a Microsoft account. 

Attackers, however, utilize this open access as an opportunity to fool users by misrepresenting them as legitimate cloud applications, thus defrauding them of the money they are paid to use them. Furthermore, Sway is accessed once an individual logs into their Microsoft 365 account, adding a layer of legitimacy to the attack, since it is accessible once the victim has already logged into the account, thus increasing the chances of them opening malicious links. 

Netskope Threat Labs identified a new QR code phishing campaign in July 2024, marking a significant development in cyber threats. This campaign primarily targets victims in Asia and North America, affecting various sectors, including manufacturing, technology, and finance. Cybercriminals employ diverse sharing methods, such as email, links, and social media platforms like Twitter, to direct users to phishing pages hosted on the sway. cloud.Microsoft domain. 

Once on these pages, victims are prompted to scan QR codes that subsequently lead them to malicious websites. Microsoft Sway, a platform known for its versatility, has been exploited in the past for phishing activities. Notably, five years ago, the PerSwaysion phishing campaign leveraged Microsoft Sway to target Office 365 login credentials. This campaign, driven by a phishing kit offered through a malware-as-a-service (MaaS) operation, was uncovered by Group-IB security researchers.

The attacks deceived at least 156 high-ranking individuals within small and medium-sized financial services companies, law firms, and real estate groups. The compromised accounts included those of executives, presidents, and managing directors across the U.S., Canada, Germany, the U.K., the Netherlands, Hong Kong, and Singapore. This escalation in phishing tactics highlights the ongoing battle between cybercriminals and cybersecurity professionals, where each defensive measure is met with a corresponding offensive innovation. 

The need for a comprehensive approach to cybersecurity has never been more apparent, as malicious actors continue to exploit seemingly innocuous technologies for nefarious purposes. With the rising popularity of Unicode QR code phishing techniques, security experts emphasize the importance of enhancing detection capabilities to analyze not just images but also text-based codes and other unconventional formats used to deceive users and infiltrate systems. This sophisticated phishing method underscores the continuous vigilance required to safeguard digital environments against increasingly cunning cyber threats.
Read more »
US Healthcare
Cyber Security CyberCrime Cyberhackers Cyberstrealing CyberThreat Everest Gang Malware attacks NASA ransomware attacks US Healthcare

Everest Gang Poses New Cybersecurity Threat to US Healthcare

 


According to the Health Sector Cybersecurity Coordination Center, the Everest Ransomware group is a threat profile of the recent ransomware attack that took place at Gramercy Surgery Center in New York. The Everest Ransomware group is behind the recent attack. In addition to this, the group has also claimed responsibility for attacks on Horizon View Medical Center in Las Vegas, 2K Dental in Ohio, Prime Imaging in Tennessee, and Stages Pediatric Care in Florida, with more attacks targeted toward the healthcare and public health sectors since 2021. 

More than 120 victims have been added to the site of this group, of which 34% are in the United States, and 27% of them are in the healthcare industry, according to information gathered from their data leak. At least 20 attacks have been carried out by the group between April 2021 and July 2024 on healthcare organizations, with disproportionately high rates of attacks on medical imaging organizations during that period.

As one of the most prevalent types of cybercrime experienced by the world today, ransomware has rapided over the last few years. As a result, criminals are luring victims with highly automated and easy-to-distribute crypto-locking malware to encrypt systems forcibly to demand Bitcoin ransoms in exchange for keys that would allow them to unlock the systems. There are several sources of information available on this Ransomware Resource Center, including information on emerging ransomware variants, threat intelligence on attackers, as well as best practices for detecting, responding, and remediating ransomware. 

A relatively new Russian-speaking ransomware group is looking for targets in the healthcare sector and claims to have stolen sensitive patient information in recent attacks on at least two medical care providers in New York and Nevada. The Everest ransomware group was first identified in December 2020. Following the attack on the Brazilian government and NASA in April 2012, it quickly became well-known within the cybercrime community after several high-profile targets were targeted. 

The group has used double extortion tactics to extort money and exfiltrate data by infecting files with ransomware and then encrypting them with a ransom payment to be paid to decrypt the files and prevent them from being uploaded to its dark web data dump site. According to researchers, there are similarities between the encryptor used by Everest, as well as other ransomware groups, such as Ransomed, which is known to work in collaboration with Everest. Everest has previously been associated with BlackByte ransomware. 

Ransomware is only a recent attack method that was used by the group, as they initially focused on data exfiltration to run malware. Everest, a company that's been around since late 2022, has become a market leader in the initial access broker (IAB) niche. IABs are a group of malicious hackers whose primary objective is to breach company networks, install malware to provide remote access to those networks, and then sell that access to other groups of malicious hackers who need that access to carry out their threats. 

When it comes to threat groups making money with ransomware attacks, this tactic is relatively uncommon. That is because if a threat group can breach company networks and has an encryption tool, it might be able to make more money if it conducts the attack itself rather than outsource access to another group. It is possible that this could be happening to keep a low profile and avoid any law enforcement scrutiny as the explanation. Among the many victims listed on Everest's dark web leak site is Gramercy Surgery Center, which was struck down in January of this year. 

According to the company, it has exfiltrated from the New York-based practice 450 gigabytes of data, including patient and doctor information, which it claims is all private and confidential. Gramercy announced in a statement published on its website on June 18 that it may have been the victim of a cyberattack and that it would be investigating the matter. From June 14 to June 17, Gramercy Medical Center determined that some documents were lost within its information technology environment and as part of the incident, copies of these documents were made and viewed within its systems. 

There is a report that Gramercy reported the hacking incident to federal regulators on Aug. 9 as a data breach by HIPAA regulations that affects nearly 51,000 people. In addition, Everest also listed the Nevada-based Horizon View Medical Center on its data leak site and alleged that the Medical Records Information, which included test results and other sensitive information about patients, had been stolen. The notice about the alleged incident was not posted on Horizon View's website as of Thursday, and the company did not immediately respond to an inquiry for comment from Information Security Media Group regarding Everest's statements regarding the alleged incident.

Following the HHS HC3 alert, the American Hospital Association on Wednesday issued a warning to hospitals regarding the threat of Everest that could pose a threat to patient safety. To move from one victim's network to another, the group employs compromised user accounts and remote desktop protocols to gain entry into the victim's computer networks. It is well known that Everest attacks are made possible by exploiting weak or stolen credentials. 

They can exploit the credentials of several systems that are within an organization. They use tools like ProcDump to make copies of the LSASS process which allows them to steal additional credentials. Following the recommendations of the AHA and HC3, hospitals and healthcare organizations should set up network monitoring systems so that alerts can be sent out for activations of the Cobalt Strike. The US authorities have advised organizations within the healthcare sector to undertake a thorough review of their cybersecurity infrastructure in response to emerging threats from the Everest Gang. 

Specifically, they have recommended the meticulous examination of domain controllers, servers, workstations, and active directories to identify and address any new or unrecognized user accounts. Additionally, it is advised that organizations regularly back up their data, implement air-gapping for data copies, and ensure that backup copies are stored offline and secured with strong passwords. Moreover, the Everest Gang's malicious activities are not confined solely to the healthcare industry. 

The group has also targeted a wide array of sectors, including construction and engineering, financial services, legal and professional services, manufacturing, and government institutions. The authorities have urged all organizations within these industries to remain vigilant and adopt stringent cybersecurity measures to safeguard against potential breaches.
Read more »
Stolen Credentials
Credential Theft Cyber Security Cyber Threats initial access breaches Malware attacks Password Security Stolen Credentials

Rising Threat of Stolen Credentials and Initial Access Breaches

 

Weak or reused passwords continue to pose significant risks for organizations, as criminals increasingly exploit stolen credentials to access user accounts. This trend has fueled a thriving market for stolen credentials and the initial access they provide. The ENISA Threat Landscape 2023 report highlights a year-over-year growth in the Initial Access Broker (IAB) market, with credentials being the primary commodity for sale.

Stealer malware frequently infiltrates victim machines through social engineering tactics, primarily phishing, and sometimes through paid distribution schemes using the Emotet and Qakbot botnets. Other campaigns entice users to download seemingly legitimate software via malvertising.

ENISA anticipates that future social engineering campaigns will adapt to new defensive measures aimed at protecting credentials from abuse.

Increasing Challenges with Stolen Credentials
Organizations face growing challenges with stolen credentials. The Verizon 2024 Data Breach Investigation Report (DBIR) reveals a 180% increase in attacks exploiting vulnerabilities to initiate breaches compared to the previous year. Stolen credentials were the leading initial action in breaches, accounting for 24%, just ahead of ransomware at 23%.

Fraudsters employ various methods to steal credentials, including malware that steals passwords and sells them on the dark web. Popular tools for this purpose include Redline, Vidar, and Raccoon Stealer. The FBI has warned of cybercriminals using search engine advertisements to impersonate brands and direct users to malicious sites that host ransomware to steal login credentials.

Credentials can also be compromised through brute force attacks, where cybercriminals use tools to test password combinations until the correct one is found. These methods range from simple trial and error to more sophisticated dictionary attacks, exploiting common password choices.

Potential for Major Breaches
The Solarwinds attack, described by Microsoft Corp President Brad Smith as "the largest and most sophisticated attack the world has ever seen," exemplifies the potential danger of stolen credentials. A compromised SolarWinds password was discovered on a private Github repository, where an intern had set the password "solarwinds123" on an account with access to the company's update server.

Other notable examples include the Dropbox breach, which impacted millions of users. A Dropbox employee reused a password from a LinkedIn breach, where millions of passwords were accessed by thieves.

ENISA notes that while abusing valid accounts for initial access is not a new technique, it remains effective for cybercriminals. Misconfigured accounts and those with weak passwords are particularly vulnerable. Although multi-factor authentication (MFA) can prevent many attacks, it is not foolproof, with actors intercepting MFA codes and harassing users with push notifications.

ENISA expects credentials to remain a focal point for cybercrime actors despite technical protective measures, as these actors continually find ways around them.

Cybersecurity experts recognize the danger of stolen credentials and the necessity of strong security measures. However, complacency is not an option. The threat posed by stolen credentials is constantly evolving, necessitating ongoing adaptation.

Organizations must enforce the creation of strong passwords resistant to brute force attacks and other forms of exploitation. Specops Password Policy can help build robust password policies by:

  • Generating personalized dictionary lists to prevent the use of commonly used words within the company.
  • Providing immediate and interactive updates to users when changing passwords.
  • Restricting the use of usernames, display names, certain words, consecutive characters, incremental passwords, and repeating parts of previous passwords.
  • Applying these features to any GPO level, computer, individual user, or group within the organization.
  • Continuously scanning for and blocking over 4 billion compromised passwords, ensuring that breached passwords are found daily.
Increasing overall password security, enforcing good password hygiene, and eliminating weak passwords enhance the security of Active Directory environments and privileged accounts. Organizations must prepare their defenses by scanning for password vulnerabilities in Active Directory to detect weak and compromised passwords.
Read more »
SMS Phishing
Android Malware Bank Accounts Cyber Attacks Italy Malware attacks Mobile Cyber Attacks SMS Phishing

New Android Malware BingoMod Targets Financial Data and Wipes Devices

 

Malware has long been a significant threat to online security, serving as a backdoor entry for cybercriminals. Despite Google’s efforts to keep the Play Store free of malicious apps and deliver timely Android security patches, some attackers manage to bypass these defenses, stealing money and personal information from unsuspecting victims. 

Recently, a new malware named BingoMod has been identified targeting Android devices, stealing financial data and wiping them clean. BingoMod, discovered by researchers at cybersecurity firm Cleafy, uses a technique called smishing (SMS phishing) to infiltrate devices. This method involves sending a malware-laden link to the victim’s device, which, when clicked, installs the BingoMod app (version 1.5.1) disguised as a legitimate mobile security tool like AVG AntiVirus & Security. 

Once installed, the app requests access to device accessibility services, allowing it to steal login credentials, take screenshots, and intercept SMS messages. This information is then sent to the threat actor, providing near real-time access to the device’s functions. BingoMod leverages Android’s media projection APIs, which handle screencasting requests, to gather displayed information and bypass security measures like two-factor authentication (2FA). The malware is currently targeting devices in Italy, stealing up to 15,000 Euros in each transaction. 

However, experts at Cleafy believe the malware could spread to other markets, as it is still in active development. The malware’s evasive techniques enable it to avoid detection by reputable security tools like VirusTotal. It conceals its activities using fake notifications and screen overlays while stealing money and data in the background. If the BingoMod app is granted device administrator privileges, the attackers can remotely wipe the device, although Cleafy notes this would only clear the external storage. 

To avoid falling victim to smishing attacks like BingoMod, it is crucial never to click on links from unverified sources, especially those claiming to be important. Install apps only from reputable sources like the Google Play Store and set up passkeys for an additional layer of biometric security. A Google spokesperson told Android Police that Play Protect already safeguards Android users from known versions of this malware by blocking the app or showing a warning, even if the malicious app wasn’t downloaded from the Play Store. Additionally, using a password manager can help keep your credentials safe and alert you to recent data breaches that could compromise your accounts. 

By staying vigilant and following these best practices, you can protect your device from BingoMod and other malicious threats, ensuring your financial data and personal information remain secure.
Read more »
ransomware tactics
Cyber Extortion Cyber Threats Cybersecurity data exfiltration. logistics industry LukaLocker ransomware Malware attacks manufacturing sector phone call intimidation Ransomware group ransomware tactics

This New Ransomware Group Uses Phone Calls to Pressure Victims

 



Researchers have identified a new ransomware group called Volcano Demon, responsible for at least two successful attacks in the past two weeks. Tim West, an analyst at cybersecurity firm Halcyon, revealed that the group targeted companies in the manufacturing and logistics industries. However, further details about the targets were not disclosed.

Unlike typical ransomware groups, Volcano Demon does not have a public leaks website. Instead, they use phone calls to intimidate and negotiate payments with leadership at the victim organizations. These calls, often threatening, originate from unidentified numbers.

Before making the calls, the hackers encrypt files on the victims' systems using previously unknown LukaLocker ransomware and leave a ransom note. The note threatens to inform clients and partners about the attack and sell data to scammers if the ransom is not paid.

Volcano Demon uses a double extortion technique, exfiltrating data to command-and-control (C2) services before encrypting it. They successfully locked Windows workstations and servers by exploiting common administrative credentials from the network. Tracking Volcano Demon has proven difficult due to their practice of clearing log files on targeted machines, which hampers comprehensive forensic evaluation.

West mentioned that the hackers, who spoke with a heavy accent, call very frequently, almost daily in some cases. However, the origin of the callers remains unclear as no recordings are available.

It is uncertain whether Volcano Demon operates independently or as an affiliate of a known ransomware group. Halcyon has not yet identified any such links.

Ransomware operators continue to evolve, with new threat actors emerging and targeting various industries. In May 2024, researchers identified a criminal gang named Arcus Media, operating a ransomware-as-a-service model and targeting victims in the U.S., U.K., India, and Brazil. Another group, Space Bears, appeared in April, quickly gaining notoriety for their corporate-themed data leak site and affiliations with the Phobos ransomware-as-a-service group. Researchers suggest that these groups may be more organized and funded than previously anticipated.
Read more »
Ransomware attack
Cyber Attacks cybercriminals data security healthcare sectors LockBit Malware attacks Ransom Demand Ransomware attack

Comparitech Report Reveals Average Ransom Demands of Over $5.2 Million in Early 2024

 

In the first half of 2024, the average ransom demand per ransomware attack reached over $5.2 million (£4.1 million), according to a new analysis by Comparitech. This figure is derived from 56 known ransom demands issued by cybercriminals from January to June 2024. 

The largest of these demands was a staggering $100 million (£78.9 million) following an attack on India’s Regional Cancer Center (RCC) in April 2024. The second-highest confirmed demand was issued to UK pathology provider Synnovis, with attackers demanding $50 million (£39.4 million). This incident led to the cancellation of thousands of operations and appointments at hospitals in South East England, with the Qilin group claiming to have stolen 400GB of sensitive NHS patient data. The third-highest ransom demand in the first half of 2024 targeted Canadian retailer London Drugs in May 2024, with the LockBit group demanding $25 million (£19.7 million). 

Overall, Comparitech’s researchers logged 421 confirmed ransomware attacks during this period, impacting around 35.3 million records. These figures mark a reduction compared to the same period in 2023, which saw 704 attacks affecting 155.7 million records. However, disclosures for the first half of 2024 are ongoing, so these figures may increase. Comparitech also noted an additional 1,920 attacks claimed by ransomware gangs but not acknowledged by the victims. Private businesses experienced the highest number of incidents, with 240 attacks affecting 29.7 million records. 

The government sector followed with 74 attacks impacting 52,390 records, and the healthcare sector reported 63 attacks affecting 5.4 million records. LockBit remains the most prolific ransomware group, responsible for 48 confirmed attacks in the first half of 2024, despite a significant law enforcement operation that temporarily disrupted its activities in February. Following a brief period of dormancy, LockBit resurfaced as the most prominent ransomware group in May 2024, according to an analysis by NCC Group. Other notable ransomware groups during this period include Medusa with 31 attacks, BlackBasta with 27, Akira with 20, 8Base with 17, and INC Ransom with 16. 

The researchers observed an increasing trend among ransomware groups to forego file encryption and instead rely solely on data theft for extortion. This shift in tactics highlights the evolving landscape of ransomware attacks and underscores the need for robust cybersecurity measures.
Read more »
YouTube phishing
compromised Cybersecurity Threats deepfake videos fraudulent investment schemes Lumma Malicious Software Malware attacks RedLine scam landing pages Technology YouTube phishing

YouTube Emerging as a Hotspot for Cyber Threats: Avast Report

 

YouTube has become a new battleground for cybercriminals to launch phishing attacks, spread malware, and promote fraudulent investment schemes, according to a recent report by Avast, a leading security vendor.

Avast's researchers highlighted the use of tools like Lumma and RedLine in executing phishing attacks, creating scam landing pages, and distributing malicious software. YouTube functions as a traffic distribution network, guiding unsuspecting users to these harmful sites, thus facilitating various levels of scams.

The platform is also experiencing a surge in deepfake videos, which are used to mislead viewers with hyper-realistic but fake content, thereby spreading disinformation. Avast discovered multiple high-subscriber accounts, each with over 50 million followers, that were compromised and repurposed to disseminate cryptocurrency scams utilizing deepfake technology. These fraudulent videos often feature fake comments to deceive viewers further and include links to malicious sites.

Researchers identified five primary methods through which YouTube is exploited by cybercriminals. These include sending personalized phishing emails to YouTube creators, proposing fake collaboration opportunities to gain trust and eventually send malicious links. Additionally, attackers embed malicious links in video descriptions to trick users into downloading malware. They also hijack YouTube channels to spread other threats, such as cryptocurrency scams.

Moreover, cybercriminals exploit reputable software brands and legitimate-looking domains by creating fraudulent websites filled with malware. They produce videos that use social engineering tactics, guiding users to supposedly helpful tools that are actually malicious software in disguise.

Avast attributes its advanced scanning technology to protecting over 4 million YouTube users in 2023 and around 500,000 users in the first quarter of this year alone.

Trevor Collins, a network security engineer at WatchGuard, stresses the importance of educating employees and security teams about these threats. 

"Regular education is essential. Make people aware that there are scammers out there doing this," Collins says. "In addition, train and reassure them that it's OK to notify either their security team or other people within the company if they've gotten an unusual request — for instance, to provide login credentials, move money, or go buy a bunch of gift cards — before acting on it."
Read more »
Scams
malware Malware attacks Minecraft Source Packs online gaming scams online threats Scams

Malware Lurking in Minecraft Source Packs

In the world of gaming, customization is king. Players love tweaking their favourite games to make them even more exciting. But while mods and customizations can enhance your gaming experience, they can also hide dangerous threats. A new version of this malware (identified as d9d394cc2a743c0147f7c536cbb11d6ea070f2618a12e7cc0b15816307808b8a) was recently found concealed within a WinRAR self-extracting archive, cunningly masquerading as a Windows screensaver. Enter zEus, a sneaky malware that is making its way into Minecraft source packs. 


Let's Understand In Detail How It Works

Unsuspecting players download what seems like a harmless source pack, only to find themselves unknowingly installing zEus onto their systems. Once activated, the malware gets to work, stealing sensitive data and sending it off to a Discord webhook, where the perpetrators eagerly await their ill-gotten gains. But the trickery doesn't stop there. 

The self-extract file not only runs the malicious software but also opens an innocuous-looking image file, featuring the word "zEus." This simple image serves as a distraction while the malware does its dirty work in the background. It's a cautionary tale for gamers everywhere: be vigilant when downloading mods and source packs, especially from unverified sources. Stay safe by sticking to reputable platforms and avoiding suspicious links and downloads. After all, in the world of gaming, it is not just high scores you need to watch out for—it is also stealthy malware like zEus. 

When zEus malware is executed, it first checks if it's being analyzed. If not, it collects sensitive data and deploys script files for flexibility. It creates folders in C:\ProgramData to store stolen data and malicious scripts. To avoid detection, it compares computer names and running processes against blacklists. The malware steals various information, storing each piece in text files within corresponding folders. 

It grabs IP details using online tools and collects hardware info using command-line utilities and PowerShell. It also targets browsers like Chrome and Firefox, copying login data, cookies, history, and bookmarks. Additionally, zEus steals login data from software like Steam and Discord and searches for Discord backup codes. It copies .ldb files from Discord's Local Storage, extracting account details. It also gathers data from game-related folders to understand the victim's interests. 

After collecting data, it compresses it into a zip file and deletes the original folders. The malware sends the zip file and system information like execution date, username, processor, and antivirus software. It also checks for cryptocurrency wallets and searches for files with keywords related to login mechanisms and sensitive data.
Read more »
Ransomware
Citirix Account Cyber Security Cyberattacks CyberCrime CyberThreat Healthcare Hijacking Malware attacks MFA Ransomware

No MFA, No Defense: Change Healthcare Falls Victim to Citrix Account Hijacking

 


A UnitedHealth spokesperson confirmed that the black cat ransomware gang had breached Change Healthcare's network, using stolen credentials to get into the company's Citrix remote access service, which was not set up to support multi-factor authentication. It was revealed in a written statement issued by UnitedHealth's CEO Andrew Witty ahead of the hearing scheduled for tomorrow by a House Energy and Commerce subcommittee. 

This incident illustrates the significance of the healthcare giant failing to protect a critical system by failing to turn on multi-factor authentication, a consequential mistake the healthcare giant made in failing to identify the source of the intrusion into Change Healthcare's system that UnitedHealth Group previously confirmed on March 13. It is clear, according to Tom Kellerman, SVP of Cyber Strategy at Contrast Security, that UnitedHealth has shown pure negligence in this incident. 

According to the report, cybersecurity negligence resulted in systemic breaches throughout the U.S. healthcare industry. In his opinion, MFA would have likely prevented the attack chain that led to the breach, which will have long-term consequences. According to Casey Ellis, founder and chief strategy officer at Bugcrowd, the long-term effects of this massive breach will last for years. According to Ellis, at first glance, it appears that the software itself wasn't the issue that was causing the original access problem.

There was a threat of unauthorized access through remote access software without multi-factor authentication, and the credentials could have been leaked or guessed, leading to the most disruptive cyberattack on critical infrastructure in U.S. history. As a result of UnitedHealth Group's discovery and disclosure of the attack on Feb. 21, the medical claims and payment processing platform of Change Healthcare was paralyzed for more than one month, causing it to cease working completely. 

It was in late February 2024 that Optum's Change Healthcare platform was severely disrupted by a ransomware attack, resulting in a severe disruption of Optum's Change Healthcare platform. In addition to affecting a wide range of critical services used by healthcare providers all over the country, this also caused financial damages of approximately $872 million as a result of the disruption. These services included payment processing, prescription writing, and insurance claims processing. 

An exit scam was used by the BlackCat ransomware gang to steal money from UnitedHealth, which was allegedly a $22 million ransom payment made by UnitedHealth's affiliate. The affiliate claimed to still have the data shortly thereafter and partnered with RansomHub to begin an additional extortion demand by leaking stolen information in an attempt to extort the company of the affiliate. Despite recently acknowledging that it paid a ransom for people's data protection following a data breach, the healthcare organization has not released any details of the attack or who carried it. 

The company has confirmed that it paid a ransom to the hackers who claimed responsibility for a cyberattack and the subsequent theft of terabytes of data due to this cyberattack, which occurred last week. As part of their ransom demand, the hackers, known as RansomHub, threatened to post part of the stolen data to the dark web, if they did not sell the information. This is the second gang to claim theft and threaten to make money from it. 

A company that makes close to $100 billion in revenue every year, UnitedHealth said earlier this month that the company has suffered a $800 million loss due to the ransomware attack, which took place in the first quarter of 2017
Read more »
Personal Data
Cyberattacks CyberCrime Cybersecrurity Data Breach DPRK Hackers hacking groups Malware attacks Personal Data

DPRK Hackers Compromise South Korean Defense Contractors

 


It was reported on Tuesday that the North Korean hacking groups have been mounting "all-out" cyberattacks against South Korean defence companies, infiltrating their internal networks and stealing their technical data over the past year, South Korean police said. 

According to the police, a group of hackers, known as Lazarus, Kimsuky, and Andariel, who work directly or through contractors, planted malicious codes directly in the data systems of the defence companies, according to the authorities.

During the hacking process, state-sponsored hackers exploited vulnerabilities in the targeted systems of defence companies and installed malware to compromise their subcontractors. Even though the campaign lasted over a year, local reports claim that they managed to steal sensitive information from 10 of the 83 defence contractors and subcontractors that they targeted between October 2022 and July 2023. 

According to KPNA, many of these companies were completely unaware that they were breached when they were contacted by the police, as it has been revealed that they were completely unaware that they were. A special inspection was conducted between January 15th and February 16th by the National Police Agency and the Defense Acquisition Program Administration, and protective measures were implemented to secure critical networks as a result of the inspection.

A special investigation of the company discovered that multiple companies had been compromised since late 2022, but they weren't aware until authorities informed them of the breach. Lazarus targeted a contractor, for example, in November 2022, who was cyber-aware enough to operate separate internal and external networks. 

However, the hackers took advantage of their negligence when it came to managing the system linking the two. The hackers were able to breach an external network server, which was then infected by the hackers. As the network connection system was down for a network test, they tunnelled through it and got inside the innards of the network while the defences were down. 

To steal important information from the six employee computers, they began harvesting and exfiltrating data. It was not until police came along during the investigation that the defence companies were aware that they had been hacked. While North Korea is a country that is isolated from the rest of the world, the country has extremely strong cybersecurity capabilities and has a history of launching successful attacks against global targets over the past few decades. 

An attack on a Bangladesh central bank caused the loss of £64.6 million ($81 million) in addition to the detailed designs for a supersonic jet and a submarine, both of which would weigh three tons. In several South Korean firms, weak cybersecurity practices have enabled North Koreans to succeed in attacking their employees’ systems, with employees using the same password to access both their professional and personal accounts. 

Additionally, Andariel obtained login information, starting around October 2022, from an employee of a company which was responsible for the remote maintenance of the defence contractor in question. Infecting the company's servers with malware and exfiltrating data regarding defence technology, infected the company's servers using the hijacked account.

A police investigation also revealed an incident that took place between April and July 2023, when Kimsuky exploited the groupware email server of a partner company of a defence firm. By exploiting a vulnerability, an attacker could download large files that were sent internally via email, allowing an unauthorized attacker to download them. 

 A security breach committed by subcontractor employees who used the same password for their official and personal email accounts, as well as the hacker's ability to gain access to defence business networks and extract sensitive technical data, was utilized by the hackers. Police officers have not disclosed the nature of the compromised data and the names of the companies responsible. 

Since the signing of contracts worth billions of dollars to supply mechanized howitzers, tanks, and fighter jets in the last few years, South Korea has gained a significant place as a leading global defence supplier. It has been reported that North Korean hacking gangs gained access to global defence corporations' networks, in addition to those of South Korean financial institutions, news outlets, as well as South Korea's nuclear power operator in 2014, as a result of a significant security breach. 

There has been widespread speculation that North Korean hackers have been responsible for large-scale thefts of Bitcoin, which subsequently allowed them to finance their weapons development with the proceeds. The North Korean government denies any involvement with cyberattacks or cryptocurrency thefts carried out by other countries.
Read more »
Malware attacks
Credential stealing Cyber Attacks Cyber Criminals Cyber Security Data data stealing Data stealing malware Kaspersky Malware attacks

Data-Stealing Malware Infections Surge by 600% in Three Years, Kaspersky Reports

 

The digital landscape has become increasingly treacherous, with a startling surge in data-stealing malware compromising millions of devices worldwide. According to cybersecurity firm Kaspersky, the number of devices infected with data-stealing malware has skyrocketed by over 600% in the past three years alone. This alarming trend underscores the urgent need for heightened vigilance and robust cybersecurity measures to safeguard personal and corporate data in an era plagued by relentless cyber threats. 

Kaspersky's Digital Footprint Intelligence data paints a grim picture, revealing that the number of compromised devices reached a staggering 10 million in 2023, marking a 643% increase since 2020. The threat posed by data-stealers has escalated exponentially, posing a significant risk to both consumers and businesses alike. What's particularly concerning is the sheer volume of log-in credentials pilfered by cybercriminals from infected devices. 

On average, each compromised device surrenders a staggering 50.9 log-in credentials, encompassing a wide array of sensitive accounts ranging from social media and online banking services to cryptocurrency wallets and email accounts. This abundance of stolen credentials fuels the illicit underground economy, where cybercriminals peddle stolen data for profit. The actual scope of the problem may be even more extensive than reported, as Kaspersky's data draws insights from infostealer malware log files traded on underground markets. 

The clandestine nature of these transactions makes it challenging to quantify the full extent of the threat landscape accurately. According to Sergey Shcherbel, a cybersecurity expert at Kaspersky Digital Footprint Intelligence, the dark-web value of log files containing login credentials varies depending on their appeal and the method of sale. These credentials may be sold through subscription services, aggregators catering to specific requests, or exclusive shops offering freshly acquired login credentials to select buyers. 

Prices typically start at $10 per log file, highlighting the lucrative nature of stolen data in the cyber underground. The impact of data-stealing malware extends beyond individual devices, with a staggering 443,000 websites worldwide falling victim to compromised credentials in the past five years alone. In the .in domain associated with India, compromised accounts surged to over 8 million in 2023, underscoring the global reach and pervasive nature of the threat. 

As the threat landscape continues to evolve, organizations and individuals must prioritize cybersecurity as a fundamental aspect of their digital hygiene practices. Proactive measures such as robust antivirus software, regular software updates, and user education can help mitigate the risk of data breaches and protect sensitive information from falling into the wrong hands. 

The exponential rise in data-stealing malware serves as a stark wake-up call for individuals and organizations worldwide. By staying vigilant, informed, and proactive in combating cyber threats, we can collectively fortify our defenses and safeguard against the perils of the digital age.
Read more »
WordPress
Cyber Assault Cyber Attacks CyberCrime Cybersecurity JavaScript Malware attacks Sucuri WordPress

Evasive Sign1 Malware Hits 39,000 WordPress Sites in Widespread Cyber Assault

 


In the past six months, a major malware campaign known as Sign1 has compromised over 39,000 WordPress sites, using malicious JavaScript injections to direct people to scams. In a report published this week by Sucuri, it is estimated that no less than 2,500 sites have been infected by this latest malware variant over the past two months. 

As part of the attack, rogue JavaScript is injected into legitimate HTML widgets or plugins, allowing attackers to insert arbitrary JavaScript, along with other code, which provides attackers with an opportunity for their malicious code to be inserted. It was discovered that a new malicious malware campaign called FakeUpdates was targeting WordPress websites with malware shortly after Check Point Software Technologies Ltd. revealed it. 

In addition to its stealthy nature, Sign1 malware has a perilous reputation due to its stealthy tactics. It generates dynamic URLs through time-based randomization, which is extremely difficult to detect and block with security software. The malware's code is also obfuscated, so it's more difficult to detect it. Sign1 is also able to target visitors to certain websites, including popular search engines and social media platforms. This might be one of the most concerning aspects of malware. 

Sucuri’s report estimates that over 39,000 WordPress websites have been infected with Sign1 so far, suggesting a level of sophistication that could enable attackers to focus on users deemed more susceptible to scams. Sucuri’s report indicates that this level of sophistication suggests an attacker's ability to focus on users who are more likely to be targeted by scammers. Sucuri's client has been breached due to a brute force attack, so website owners should take immediate measures to protect their websites and visitors. 

However, although specific details of how the attackers compromised other sites remain unclear, it is believed that the attackers utilized brute force assaults and plugin vulnerabilities to get into WordPress sites via brute force attacks. When the attackers get inside, they usually use the WordPress plugin Simple Custom CSS and JS to inject their malicious JavaScript through the custom HTML widgets, or they may even use the legitimate Simple Custom CSS and JS plugin as well. 

With its sophisticated evasion tactics, Sign1 can bypass conventional blocking measures by dynamically altering URLs every 10 minutes by utilizing time-based randomization; this allows it to circumvent conventional blocking strategies. Since these domains were registered just before the attacks they carried out, they remain off blocklists because of their fleeting nature. 

The attackers, initially hosted by Namecheap, have since moved their operations to HETZNER for web hosting. Cloudflare provides an additional layer of anonymity through IP address obfuscation for IP addresses. A significant challenge for security tools that attempt to detect the injected code is the intricacies of the injected code, which features XOR encoding and arbitrary variable names, which make it very difficult to detect them. 

The Sucuri insights revealed that the Sign1 malware has evolved to an increasingly sophisticated and stealthy stage, as well as being more resilient to steps taken to block it. Infections have dramatically increased over the past six months, especially with new malware versions unleashed on the market each week. Sign1, which has accelerated its sophistication and adaptability in recent months, has taken on an increasingly sophisticated and adaptive appearance since the campaign was initiated in January 2024. 

As a result of such developments, website administrators must immediately take extra precautions and implement robust protected measures to ensure that their websites remain secure. A HETZNER and Cloudflare server hosts the domains, obscuring both the hosting addresses as well as the IP addresses of the domains. 

Moreover, it may not be obvious that the injection code contains XOR encoding and random names for variables, so if you were to detect it, you would still have a hard time. Approximately six months have passed since the malware campaign started, the researchers concluded, adding that it has been developing actively since then. 

The campaign is still ongoing today. There are always spikes in infections whenever new versions are released by the developers. There has been an attack on about 2,500 websites so far on this latest attack that has been happening since the beginning of January 2024.

To keep a website secure, the researchers recommend that website owners implement a strong combination of usernames and passwords so that their website cannot be breached by brute-force attacks, which could be used against them. The attackers may also gain unrestricted access to your premises the moment you uninstall every plugin and theme that is unused or unnecessary on your website.
Read more »
user data security
Cyber Attacks Hacker attack Latin American Government Malicious PDF Attachment Malware attacks user data security

Colombian Government Impersonation Campaign Targets Latin American Individuals in Cyberattack

 

In a concerning development, a sophisticated cyberattack campaign has emerged, targeting individuals across Latin America by malicious actors who impersonate Colombian government agencies. These attackers have devised a cunning strategy, distributing emails containing PDF attachments that falsely accuse recipients of traffic violations or other legal infractions. 

The ultimate goal of these deceptive communications is to coerce unsuspecting victims into downloading an archive that conceals a VBS script, thereby initiating a multi-stage infection process. Initially, the script acquires the payload’s address from resources like textbin.net before proceeding to download and execute the payload from platforms such as cdn.discordapp(.)com, pasteio(.)com, hidrive.ionos.com, and wtools.io. 

This intricate execution chain progresses from PDF to ZIP, then to VBS and PowerShell, and finally to the executable file (EXE). The resulting payload is identified as one of several well-known remote access trojans (RATs), including AsyncRAT, njRAT, or Remcos. These malicious programs are notorious for their capability to provide unauthorized remote access to the infected systems, posing significant risks to victims’ privacy and data security. To combat this threat, cybersecurity professionals and researchers are urged to consult the TI Lookup tool for comprehensive information on these samples. 

This resource can greatly assist in identifying and mitigating threats associated with this campaign. It’s essential to note that while this campaign targets individuals in Latin America, the technique employed by the attackers is adaptable and could be utilized against targets in other regions as well. The cybersecurity community must remain vigilant and proactive in defending against such sophisticated threats. Employing robust security measures, including up-to-date antivirus software, intrusion detection systems, and regular security awareness training for employees, is crucial. 

Additionally, organizations should implement strict email security protocols to prevent malicious emails from reaching employees' inboxes. Furthermore, individuals should exercise caution when interacting with unsolicited emails, especially those containing attachments or links. Verifying the legitimacy of email senders and carefully scrutinizing email content can help prevent falling victim to phishing attacks. It’s also advisable to avoid downloading attachments or clicking on links from unknown or suspicious sources. 

In conclusion, the emergence of this cyberattack campaign underscores the ever-present threat posed by malicious actors seeking to exploit vulnerabilities for their gain. By staying informed, adopting proactive security measures, and fostering a culture of cybersecurity awareness, organizations and individuals can better protect themselves against such threats and safeguard their digital assets and personal information.
Read more »
Privacy
Cyberattacks CyberCrime DataBreaches Email Firefox Malware attacks Mozilla Privacy

Protecting User Privacy by Removing Personal Data from Data Broker Sites

 


As part of its new subscription service model, Mozilla Firefox is offering its users the possibility of finding and removing their personal and sensitive information from data brokers across the internet. This new subscription model is known as Mozilla Monitor Plus and will allow users to locate and remove their sensitive information. 

To eliminate their phone numbers, e-mail, home addresses, and other information that is usually sold to data broker platforms for profit, the company offers a new subscription model called Mozilla Monitor-Plus. This is particularly interesting since Mozilla already offers a free service of privacy monitoring called Firefox Monitor which was previously known as Mozilla Monitor - which is now being revamped to strengthen privacy for users.

Previously, Mozilla Monitor was a free service that sent users notifications when their email accounts had been compromised. The new version is now called Monitor-Plus, and it is a subscription-based service. Approximately 10 million current Mozilla Monitor users will now have the opportunity to run scans to see if their personal information has been hacked by using the subscription-based service. 

Whenever a breach is detected, Monitor Plus provides the tools to make sure that a user's information remains private again if a breach is detected. Data broker websites have a convoluted and confusing process that individuals have to deal with when they try to remove their information from them. It is not uncommon for people to find themselves unsure of who is using their personal information or how to get rid of it once they find it online.

However, most sites have either an opt-out page or require them to contact the broker directly to request removal. This process can be simplified by Mozilla Monitor, which searches across 190 data broker sites known for selling private and personal information proactively.

Mozilla will initiate a request on behalf of the user for removal if any data provided to Mozilla is discovered on those sites, including name, location, and birthdate. The removal process can take anywhere from a day to a month, depending on how serious the problem is. There are two subscription options available for users of this feature, the Monitor Plus subscription costs $13.99 per month or $8.99 per month with an annual subscription, which includes this feature. 

The free option for users who do not wish to subscribe to Firefox is to scan data broker sites once. However, these users will have to manually go through the steps to remove their information from these websites. This may encourage them to upgrade to the Monitor Plus subscription, as it provides automatic removals for a process that can be very tedious otherwise.

In regards to data breaches, both free and paid users will continue to receive alerts and will have access to tools to learn how to fix high-risk breaches. By providing their email addresses, as well as a few personal details such as their first and last name, city, state, and date of birth, users can initiate a free one-time scan for their device.

There will then be the possibility to scan the tool for potential exposures and let users know about them and how they can be fixed. It is Mozilla's policy to initiate a data removal request on behalf of users who wish to have their data removed. The status of the requests of users can be viewed, as well as the progress of their requests can be tracked. 

Furthermore, Mozilla will perform a monthly scan after the removal of personal information to ensure that it is kept safe on 190+ data broker sites even after the removal. Users must submit their first and last name, current city and state, date of birth, and email address to initiate a scan. Mozilla has an extensive privacy policy that protects the privacy of this information and encrypts it.

With this kind of information in hand, Mozilla applies a scan to your personal information, showing you where your information has been exposed by data breaches, brokers, or websites that collect personal information. In 2023 alone, 233 million people will have been affected by data breaches, and it is for this reason that a tool such as this is vital in the current environment. The Mozilla Monitor Plus subscription will include monthly scans and automatic removal of any malware that is found on your computer.
Read more »
Purple Fox
Cyber Attacks data security Data Theft Malware attacks Purple Fox

Ukraine Faces PurpleFox Malware Crisis: Unraveling the Ongoing Battle and Countermeasures

 

In a disturbing turn of events, the insidious PurpleFox malware has recently unleashed a wave of cyber havoc in Ukraine, infiltrating and compromising thousands of computers. This highly adaptable and elusive malware variant has sent shockwaves through the cybersecurity community, posing a significant challenge to both individuals and organizations alike. 

PurpleFox, renowned for its sophisticated tactics, primarily targets Windows-based systems by exploiting vulnerabilities, granting unauthorized access, and establishing a persistent presence within the infected devices. Armed with multifaceted capabilities such as data theft, remote command execution, and the ability to download and deploy additional malicious payloads, PurpleFox has proven a formidable adversary. 

Reports of compromised systems experiencing data breaches and operational disruptions are emerging, highlighting the malware's destructive potential. Its ability to remain dormant within systems makes detection an arduous task, further complicating the efforts of cybersecurity professionals to neutralize its impact. 

Security researchers point to various infection vectors, including malicious websites, infected email attachments, and stealthy drive-by downloads, as the primary means by which PurpleFox spreads. Its polymorphic nature, constantly mutating its code, renders traditional signature-based detection methods less effective, underscoring the need for advanced, adaptive cybersecurity measures. 

Prompted by the severity of the situation, Ukrainian authorities, alongside cybersecurity agencies, have initiated a concerted effort to contain and eliminate PurpleFox. Emergency response teams have been dispatched to affected regions to assess the extent of the damage and devise strategies for neutralizing the malware's threat. 

The motives behind the PurpleFox campaign in Ukraine remain mysterious, as the malware is a versatile tool often utilized for various cybercriminal activities, including espionage, data theft, and ransomware attacks. Investigations are underway to identify the perpetrators and their overarching objectives. 

To fortify defences against PurpleFox and similar threats, cybersecurity experts stress the importance of timely software updates, robust antivirus solutions, and comprehensive user education. Additionally, organizations are urged to implement network segmentation and closely monitor network traffic for anomalies that could signify a malware infection. 

This incident serves as a poignant reminder of the ever-evolving landscape of cyber threats. As cyber adversaries continually refine their tactics, a proactive and collaborative approach is indispensable to fortify digital defences and ensure the resilience of critical infrastructure. 

In conclusion, the PurpleFox malware outbreak in Ukraine underscores the critical importance of cybersecurity vigilance in our interconnected world. As the investigation unfolds, individuals and organizations must remain vigilant, adopting proactive measures to bolster their cybersecurity defences against the relentless evolution of cyber threats.
Read more »
social media risks
data deception GitHub malware Malware attacks social media risks

Sneaky USB Hackers Pose Threat on Favorite Sites

 

In a recent revelation in the world of cybersecurity, a financially motivated hacker has been discovered utilizing USB devices as a means to infiltrate computer systems. This malicious group has chosen a cunning approach, hiding their harmful software in plain view on widely used platforms like GitHub, Vimeo, and Ars Technica. 

Their strategy involves embedding malicious codes within seemingly innocuous content, creating a challenging environment for detection and prevention. We strongly advise our readers to maintain a vigilant stance while navigating the online platforms. 

Reassuring our website visitors, we confirm that the peculiar text strings encountered on GitHub and Vimeo pose no harm upon clicking. However, there's a twist: these seemingly harmless strings serve as a key tool for hackers, discreetly facilitating the download and deployment of harmful software in their attacks. 

The cybersecurity watchdogs, Mandiant, are actively monitoring this group of hackers identified as UNC4990. Operating in the shadows since 2020, they have specifically targeted individuals in Italy. 

The cyber assault unfolds with an unsuspecting individual clicking on a deceptive file on a USB drive. The mystery lies in how these USB devices find their way into the hands of unsuspecting users. Once opened, the file initiates a digital script, explorer.ps1, downloading an intermediary code that reveals a web address. This address acts as the gateway for installing a malware downloader named 'EMPTYSPACE.' 

UNC4990 initially employed special files on GitHub and GitLab but later shifted their tactics to Vimeo and Ars Technica, embedding their secret codes in mundane areas on these sites to avoid suspicion. The harmful PowerShell script, decoded, decrypted, and executed from legitimate sites, leads to the activation of EMPTYSPACE. This payload establishes communication with the hackers' control server, subsequently downloading a sophisticated backdoor called 'QUIETBOARD.' 

Additionally, UNC4990 employs this backdoor for crypto mining activities targeting Monero, Ethereum, Dogecoin, and Bitcoin. The financial gains from this cyber scheme exceed $55,000, not including the hidden Monero. 

QUIETBOARD, UNC4990's advanced backdoor, exhibits a wide range of capabilities, including executing commands, cryptocurrency theft, USB drive propagation, screenshot capture, system information collection, and geographical location determination. Mandiant highlights UNC4990's penchant for experimentation to refine their attack strategies. 

Despite ongoing efforts to mitigate USB-based malware threats, they persist as a significant danger. The tactic of concealing within reputable sites challenges traditional security measures, underscoring the need for enhanced online safety practices. In the evolving digital landscape, staying informed and vigilant is paramount. Cyber threats may emerge from unexpected quarters, demanding a proactive approach to cybersecurity.
Read more »
Trend Micro
cryptomining Cyber Threats DarkGate malware malware Malware attacks malware-as-a-service (MaaS). Microsoft Teams Phishing Campaigns QakBot Botnet Ransomware Trend Micro

Compromised Skype Accounts Facilitate DarkGate Malware Spread

 

Cyber attackers wielding the DarkGate malware have utilized compromised Skype accounts as a vector to infiltrate targets between July and September. They accomplished this by dispatching messages with VBA loader script attachments. 

Trend Micro's security researchers, who detected these attacks, noted that this script is responsible for fetching a second-stage AutoIT script. This script, in turn, is tailored to deploy the final DarkGate malware payload.

Trend Micro explained that gaining access to the victim's Skype account provided the attacker with the ability to take control of an ongoing messaging thread. This allowed them to manipulate the naming of files to align with the context of the conversation. 

Although the means by which the initial accounts of instant messaging applications were compromised remains unclear, it is theorized to have occurred either through leaked login credentials available on underground forums or as a consequence of a prior breach of the parent organization.

Furthermore, Trend Micro observed instances where DarkGate operators attempted to deliver their malware payload through Microsoft Teams. This occurred in organizations where the service was set up to accept messages from external users. 

Previously, Truesec and MalwareBytes had identified phishing campaigns targeting Microsoft Teams users. These campaigns utilized malicious VBScript to deploy the DarkGate malware. The attackers targeted users via compromised Office 365 accounts outside their respective organizations and leveraged a tool named TeamsPhisher. 

This tool enabled the bypassing of restrictions on incoming files from external sources, enabling the transmission of phishing attachments to Teams users. The ultimate objective remained infiltrating the entire environment. Depending on the specific threat group employing the DarkGate variant, the threats ranged from ransomware to cryptomining.

Trend Micro's telemetry data indicated that DarkGate frequently led to the detection of tools commonly associated with the Black Basta ransomware group.

The proliferation of the DarkGate malware loader for initial access into corporate networks has been on the rise, especially following the dismantling of the Qakbot botnet in August. This was due to international collaborative efforts. 

Prior to the disruption of Qakbot, an individual claiming to be the developer of DarkGate sought to sell subscriptions on a hacking forum, pricing them at up to $100,000 annually. The malware was marketed with an array of features, including a concealed VNC, capabilities to evade Windows Defender, a tool for pilfering browser history, an integrated reverse proxy, a file manager, and a Discord token snatcher.

Subsequent to this announcement, there has been a noticeable surge in reported DarkGate infections via various delivery methods like phishing and malvertising.

This recent upswing in DarkGate activity highlights the escalating influence of this malware-as-a-service (MaaS) operation within the realm of cybercrime. It underscores the unwavering determination of threat actors to persist in their attacks, demonstrating adaptability in tactics and methods despite disruptions and obstacles.
Read more »
Ransomware
Cyber Attacks Cyberattacks Cybersecurity Government Malware attacks PureCrypter Ransomware

Info-stealer Ransomware hit Government Organisations

 


Threat actors have targeted government entities with the PureCrypter malware downloader, which is used to deliver several information stealers and ransomware variants to targeted entities.  

According to a study conducted by researchers at Menlo Security, the initial payload of this attack was hosted on Discord by the threat actor. A non-profit organization was compromised to store more hosts for the campaign. 

Several different types of malware were delivered via the campaign, including Redline Stealer, Agent Tesla, Eternity, Black Moon, and Philadelphia Ransomware, researchers said in a statement. 

Several government organizations in the Asia Pacific (APAC) and North American regions have been targeted by PureCrypter's marketing campaign, according to researchers. 

Steps Involved in an Attack 

Firstly, the attacker sends an email with a Discord app link pointing to a password-protected ZIP archive containing a PureCrypter sample, which is then used to launch the attack. 

As of March 2021, PureCrypter began to become popular in the wild as a .NET malware downloader. Various types of malware are distributed by its operator on behalf of other cybercriminals through the use of the software. 

There is no content within this file, so when it is executed, it will deliver the next-stage payload from the compromised server of a non-profit organization, which in this case is a compromised command and control server.  

Researchers from Menlo Security examined Agent Tesla as the sample in their study. A Pakistan-based FTP server is connected to the Trojan as soon as it is launched, which receives all the stolen information on its server. 

The researchers discovered that when using leaked credentials in a breach, the threat actor took control of a particular FTP server and did not set it up themselves but rather used leaks of credentials to do so. As a result, the risk of identification was reduced and traceability was minimized. 

The Use of Agent Tesla Continues 

Cybercriminals use a malware family called Agent Tesla in their efforts to compromise Windows systems. In October 2020 and January 2021, it reached its peak in terms of usage. 

In a recent report released by Cofense, the company highlights the fact that Agent Tesla remains one of the most cost-effective and highly-capable backdoors in the market, and it has undergone continuous improvements and development during its lifespan.

Defense Intelligence recorded roughly one-third of all keylogger reports recorded by Defense Intelligence in the year 2022, which may be indicative of Tesla's keylogging activities. 

As a result of malware, the following capabilities can be observed: 

  • To gather sensitive information about the victim such as her password, all keystrokes the victim makes are recorded. 
  • A hacker can break into a web browser, email client, or file transfer application to steal passwords. 
  • The most effective way to protect confidential information on your desktop is to take screenshots of it as you use it. 
  • Obtain user names, passwords, and credit card numbers from the clipboard, as well as access clipboard contents. 
  • Send the stolen data to C2 via any of the following methods: FTP, SMTP, etc.
A feature of the attacks examined by Menlo Labs was that the threat actors managed to avoid detection by antivirus tools by injecting the AgentTesla payload into a legitimate process ("cvtres.exe") using process hollowing. 

Agent Tesla's communications with the C2 server, as well as its configuration files, are also encrypted with XOR. This is to protect them from network traffic monitoring tools used to monitor network traffic. 

According to Menlo Security, the threat actor behind PureCrypter is not one of the big players in the threat landscape. Nevertheless, it is worth taking note of its activities to determine whether or not it is targeting government agencies. 

As a result, it would be expected that the attacker would continue to use the compromised infrastructure for as long as possible before seeking out a new one. 
Read more »
Subscribe to: Posts (Atom)