Hackers Hide Backdoor Malware in Old Windows Logo
Oct03

A hacking group known as Witchetty (aka LookingFrog) is using steganography to hide backdoor malware within a Windows logo. The campaign is ongoing and has so far seen targeted attacks on governments in the Middle East and a stock exchange in Africa, according to a recent report from Symantec. The threat actor has strong links with the Chinese state-sponsored threat group APT10 and the TA410 operatives behind attacks on...

Microsoft Confirms Two Exchange Server Zero-Day Vulnerabilities Being Actively Exploited
Sep30

Microsoft has confirmed that two zero-day vulnerabilities in Microsoft Exchange Server are being actively exploited in the wild and that patches are currently being developed to address the flaws. The vulnerabilities affect Microsoft Exchange Server 2013, 2016, and 2019, one of which is a Server-Side Request Forgery (SSRF) vulnerability, tracked as CVE-2022-41040, and the second, tracked as CVE-2022-41082, is a remote code execution...

IRS Warns of Exponential Increase in IRS-Themed Smishing Attacks
Sep29

The U.S. Internal Revenue Service (IRS) has issued a warning following a massive increase in SMS-based phishing (smishing) attacks over the past few weeks. The IRS-themed messages include links to malicious websites that attempt to steal sensitive personal and financial information. The IRS says it observed an increase in smishing attacks on taxpayers in the fall of 2020, with the attacks continuing throughout the pandemic, but this...

Cybersecurity Awareness Month 2022 Focuses on People
Sep28

Cybersecurity Awareness Month 2022 runs from October 1 to October 31, with the month of October having been dedicated to improving awareness about cybersecurity since 2004. Throughout October, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) will lead a collaborative effort between government and industry to improve cybersecurity awareness in the United States and beyond. The...

Erbium Information Stealer Distributed via Fake Software Cracks
Sep27

A new malware-as-a-service (MaaS) operation – Erbium – is gaining popularity in the cybercrime community. The MaaS provides strong customer support, the malware is competitively priced, and it has extensive functionality. According to a recent report from Cyfirma, the MaaS operation has been advertising on Russian language hacking forums since at least July. Initially, the malware was offered for just $9 per week, although due...

The Emotet Botnet Is Being Used to Deliver Quantum and BlackCat Ransomware
Sep21

Security researchers at AdvIntel have recently confirmed that the Emotet botnet is currently being used to deliver ransomware payloads, with the operators of the botnet teaming up with the Quantum and BlackCat ransomware operations. Emotet started life as a banking Trojan and was first detected in 2014. Over the years the malware has received several upgrades to add further capabilities, with the malware-infected devices now serving...

LastPass Says Hackers Accessed Systems for 4 Days
Sep20

The world’s most popular password manager, LastPass, has provided more information on its August 2022 cyberattack and data breach. The forensic investigation has confirmed that an unauthorized individual gained access to its internal systems for a period of four days; however, no evidence was found to indicate that an individual or individuals had access to any parts of its network before or after that timeline. LastPass CEO, Karim...

Phishing Campaign Uses a Queen Elizabeth II Lure to Steal Credentials
Sep16

Whenever there is a major news story that is attracting considerable public interest, phishers are quick to respond, so it is no surprise that they have responded to the death of Queen Elizabeth II. A campaign has recently been identified that masquerades as a notification from Microsoft about an initiative to commemorate her reign. If you live in the United Kingdom, you will almost certainly have received notifications in your inbox...

September 2022 Patch Tuesday: Microsoft Patches 5 Critical Vulnerabilities and Actively Exploited 0Day
Sep14

Microsoft released patches to fix 63 vulnerabilities on September 2022 Patch Tuesday, 5 of which have been rated critical, including one zero-day vulnerability affecting Windows that is being actively exploited in the wild. A second zero-day vulnerability has been publicly disclosed but has been rated important with Microsoft believing exploitation is less likely. The actively exploited zero-day is tracked as CVE-2022-37969, has a...

Ransomware Gangs Adopt Stealthier Technique That Accelerates Encryption Process
Sep13

Several ransomware gangs have changed their file encryption techniques, and instead of encrypting entire files they are now opting for intermittent encryption, with files only partially encrypted. This technique allows files to be encrypted far more quickly and helps the attackers evade security solutions, which often fail to detect the encryption due to the lower intensity of file IO operations and the greater similarity between...
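
To make the evasion concrete, here is an added example (not code from the source report or from any ransomware family) that measures what a file-level detector sees under full versus intermittent encryption. It uses a toy SHA-256 counter-mode keystream and a constructed sample document; the block sizes, key and sample text are assumptions, and the 4 KiB-encrypted / 8 KiB-skipped pattern stands in for the "encrypt N bytes, skip M bytes" schemes described above.

```python
import hashlib
import math


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a deterministic keystream.
    Toy stand-in for the stream cipher a real encryptor would use; it exists
    only so the measurements below are reproducible offline."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_intermittent(data: bytes, key: bytes, encrypt_len: int, skip_len: int):
    """Encrypt `encrypt_len` bytes, leave the next `skip_len` bytes untouched, repeat.
    skip_len == 0 is ordinary full-file encryption. Returns (ciphertext, bytes_written)."""
    out = bytearray(data)
    written = 0
    pos = 0
    while pos < len(data):
        chunk = data[pos:pos + encrypt_len]
        ks = keystream(key + pos.to_bytes(8, "big"), len(chunk))
        out[pos:pos + len(chunk)] = bytes(a ^ b for a, b in zip(chunk, ks))
        written += len(chunk)
        pos += encrypt_len + skip_len
    return bytes(out), written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, roughly 4 to 5 for English text."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def similarity(a: bytes, b: bytes) -> float:
    """Fraction of byte positions left unchanged (a and b have equal length)."""
    return sum(x == y for x, y in zip(a, b)) / len(a)


def profile(plain: bytes, key: bytes, encrypt_len: int, skip_len: int) -> dict:
    """The three signals a file-level detector typically keys on, for one encryption pattern."""
    cipher, written = encrypt_intermittent(plain, key, encrypt_len, skip_len)
    return {
        "entropy": shannon_entropy(cipher),
        "similarity": similarity(plain, cipher),
        "write_fraction": written / len(plain),  # share of the file's bytes actually rewritten
    }


# Constructed sample: ~96 KiB of repetitive English text standing in for a document (assumption).
SAMPLE = b"Quarterly revenue figures, confidential. Do not distribute outside finance. " * 1300
KEY = b"toy-key-for-demo-only"  # assumption; a real encryptor would use a random per-file key

FULL = profile(SAMPLE, KEY, 4096, 0)             # every byte encrypted
INTERMITTENT = profile(SAMPLE, KEY, 4096, 8192)  # 4 KiB encrypted, 8 KiB skipped: one block in three

if __name__ == "__main__":
    for name, p in (("full", FULL), ("intermittent", INTERMITTENT)):
        print(f"{name:12s} entropy={p['entropy']:.2f} bits/byte "
              f"similarity={p['similarity']:.3f} write_fraction={p['write_fraction']:.2f}")
```

Against the constructed sample the full pass rewrites every byte, leaves under 1% of positions unchanged and lands at about 8.0 bits/byte, while the intermittent pass rewrites roughly a third of the file, leaves two-thirds of the bytes identical to the original and stays well below 8 bits/byte. A detector that measures write volume, entropy or original-versus-new similarity per file therefore misses it; the measurement has to be taken per block.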

12% of Enterprise IT Assets Lack Endpoint Protection
Sep12

A recent study has revealed 12% of enterprise IT assets do not have endpoint protection installed, and 5% are not covered by patch management processes. The lack of protection and unpatched vulnerabilities could be exploited by threat actors to gain access to enterprise networks. Sevco Security conducted the study using data from 500,000 IT assets and published the findings of the study in its State of Cybersecurity Attack Surface...

Ransomware Warning Issued to U.S. School Districts Following Major Attack on 2nd Largest U.S. School District
Sep07

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), have issued a joint security alert warning U.S. school districts about the Vice Society ransomware gang, days after the second-largest school district in the United States was crippled by a ransomware attack. Major Ransomware Attack Reported by Los Angeles Unified...

TikTok Denies Theft of 2 Billion Data Records and Source Code
Sep06

On September 3, 2022, a hacker operating under the name of AgainstTheWest claimed on a hacking forum that TikTok and WeChat had been breached and a database had been stolen from an Alibaba cloud repository that contained the personal information of users of the platforms. TikTok and WeChat are both Chinese companies; however, the companies are not owned by the same parent company, which suggests that the hacking claim may not be...

Luca Stealer Malware Targets Cryptocurrency Wallets and Password Managers
Sep05

A new malware variant dubbed Luca Stealer is growing in popularity following the release of its source code for free in July. At present, it appears that attacks are at a relatively low level, but the number of variants detected has increased in recent weeks and there is concern that Luca Stealer could become a significant threat. Luca Stealer is suspected of being used in an attack on the Solana blockchain network (SOL) in early...

Mid-Year Threat Report Suggests Ransomware Losses Likely to Exceed $30 Billion by 2023
Aug30

Ransomware is the most serious threat to large and medium-sized businesses, and global ransomware damages have been predicted to exceed $30 billion by 2023, according to the Mid-Year Cyber Protection Operation Centers Report from Acronis. Attacks are showing no sign of slowing as cybercriminal gangs continue to make huge profits from their attacks. According to the report, the Conti ransomware gang was paid $2.7 billion in...

Residential Proxies Increasingly Used to Hide Credential Stuffing Attacks
Aug24

Cyber threat actors are increasingly using hacked residential routers to hide their credential stuffing attacks, according to a recent alert from the Federal Bureau of Investigation (FBI). Credential stuffing is a type of brute force attack where a threat actor uses a large list of usernames and passwords that have been compromised in previous data breaches to access accounts on unrelated websites. The attack relies on the reuse of...
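
The proxy trick defeats the usual per-IP lockout because each residential address contributes only one or two attempts. The added example below is not from the FBI alert: the log format, field names and thresholds are assumptions. It runs a classic per-IP threshold and a distributed-pattern detector over a constructed authentication log in which 30 leaked credential pairs are each tried once from a different address, all with the same tool User-Agent.

```python
import re
from collections import defaultdict

# Constructed log format (assumption, not any real product's):
# <timestamp> ip=<addr> user=<name> ua="<user agent>" result=<ok|fail>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) ua="(?P<ua>[^"]*)" result=(?P<result>ok|fail)$'
)

STUFFING_UA = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/104.0 Safari/537.36"


def build_sample_log() -> str:
    """Constructed sample: two ordinary users plus one credential stuffing run."""
    lines = [
        # alice mistypes twice then succeeds; bob logs in cleanly
        '2022-08-20T10:00:03Z ip=203.0.113.5 user=alice ua="Mozilla/5.0 (X11; Linux) Firefox/103.0" result=fail',
        '2022-08-20T10:00:09Z ip=203.0.113.5 user=alice ua="Mozilla/5.0 (X11; Linux) Firefox/103.0" result=fail',
        '2022-08-20T10:00:15Z ip=203.0.113.5 user=alice ua="Mozilla/5.0 (X11; Linux) Firefox/103.0" result=ok',
        '2022-08-20T10:00:20Z ip=203.0.113.9 user=bob ua="Mozilla/5.0 (Macintosh) Safari/605.1" result=ok',
    ]
    # the stuffing run: 30 leaked username/password pairs, each tried once from a
    # different residential-looking address, all carrying the identical tool User-Agent
    for i in range(30):
        lines.append(
            f'2022-08-20T10:01:{i:02d}Z ip=198.51.100.{10 + i} user=user{i:02d} '
            f'ua="{STUFFING_UA}" result=fail'
        )
    return "\n".join(lines)


def parse(log: str) -> list:
    """Parse log lines into dicts, silently skipping lines that do not match the format."""
    events = []
    for line in log.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def per_ip_alerts(events, threshold=5) -> set:
    """The classic control: flag an address after `threshold` failed logins."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] == "fail":
            fails[e["ip"]] += 1
    return {ip for ip, n in fails.items() if n >= threshold}


def distributed_stuffing_alerts(events, min_failures=20, max_fails_per_ip=2.0, min_user_ratio=0.8) -> list:
    """Group failures by User-Agent and look for the stuffing signature: many failures,
    about one per source address, and almost every attempt against a different account."""
    groups = defaultdict(lambda: {"failures": 0, "ips": set(), "users": set()})
    for e in events:
        if e["result"] != "fail":
            continue
        g = groups[e["ua"]]
        g["failures"] += 1
        g["ips"].add(e["ip"])
        g["users"].add(e["user"])
    alerts = []
    for ua, g in groups.items():
        fails_per_ip = g["failures"] / len(g["ips"])
        user_ratio = len(g["users"]) / g["failures"]
        if g["failures"] >= min_failures and fails_per_ip <= max_fails_per_ip and user_ratio >= min_user_ratio:
            alerts.append({"ua": ua, "failures": g["failures"],
                           "distinct_ips": len(g["ips"]), "distinct_users": len(g["users"])})
    return alerts


EVENTS = parse(build_sample_log())

if __name__ == "__main__":
    print("per-IP threshold alerts:", per_ip_alerts(EVENTS) or "none")
    for a in distributed_stuffing_alerts(EVENTS):
        print(f"stuffing run: {a['failures']} failures from {a['distinct_ips']} IPs "
              f"against {a['distinct_users']} accounts, UA={a['ua']!r}")
```

On the constructed log the per-IP threshold raises nothing, since no address fails more than twice, while the distributed detector flags the 30-failure run. Grouping on User-Agent is only a stand-in for whatever stays constant across the proxy pool (TLS fingerprint, request path, timing); tooling that rotates User-Agents needs one of those instead.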

2 ‘Actively Exploited’ RCE Vulnerabilities Patched in iPhones, iPads, iPods, and Macs
Aug19

Two critical zero-day vulnerabilities have been patched by Apple that may have been actively exploited in the wild. Exploitation of the flaws allows threat actors to remotely execute code on vulnerable iPhone, iPad, and Mac devices. The vulnerabilities affect the iPhone 6S and later models, 6th generation iPads and later, iPad Air 2 and later, iPad mini 4 and later, all iPad Pro models, the 7th generation iPod touch, Mac computer with...

IBM X-Force Provides Insights into the Rapidly Changing OT Threat Landscape
Aug19

IBM X-Force has analyzed data from its incident response and managed security services (MSS) and has provided valuable insights into the rapidly expanding operational technology (OT) cyber threat landscape. This year, cybersecurity agencies have issued multiple alerts about threats to OT and the potential for attacks on critical infrastructure, new malware threats have been identified that target OT, and many new vulnerabilities have...

Hackers are Actively Exploiting 5 Vulnerabilities in the Zimbra Collaboration Suite
Aug18

Five vulnerabilities have been identified in the Zimbra Collaboration Suite (ZCS) that are being actively exploited in the wild. The U.S. Cybersecurity and Infrastructure Security Agency has recently issued a security advisory to raise awareness of the flaws and to share mitigations to reduce the risk of compromise. ZCS is used by more than 200,000 businesses worldwide. The first vulnerability – tracked as CVE-2022-27924 (CVSS...

2022 Sees Major Increase in Malicious Browser Downloads
Aug17

According to Kaspersky, in H1 2022 there were 1,300,000 attempts to install malicious browser extensions, already more than 70% of the 1,823,263 attempts recorded for the whole of 2021, putting 2022 on course to be a record year. From January 1, 2020, to June 30, 2022, 6,795,056 such attempts were recorded across 4.3 million users of Kaspersky software. There are many legitimate browser extensions, such as ad blockers, spell...

Ransomware Gangs are Weaponizing Their Stolen Data and Making BEC Attacks Easier
Aug12

Business email compromise (BEC) attacks have been increasing. According to the Federal Bureau of Investigation (FBI), BEC attacks are the costliest type of cybercrime and resulted in $43 billion in losses between June 2016 and December 2021. In 2021 alone, 19,954 complaints were received by the FBI’s Internet Crime Complaint Center (IC3) and almost $2.4 billion was lost to the scams. Abnormal Security reports an 84% annual...

Ransomware Attack on Cisco Used an Employee’s Compromised Personal Google Account
Aug11

Cisco has confirmed that the initial access vector in an attempted May 2022 ransomware attack on its network was a compromised employee’s personal Google account. The account contained corporate credentials that had been synced from the employee’s browser. The attack involved multiple voice phishing calls in which the attacker impersonated trusted support organizations, and used the MFA fatigue tactic, where multiple push notifications are sent in the hope that...

Microsoft Patches 121 Vulnerabilities Including an Actively Exploited 0-Day Bug
Aug10

Microsoft released updates to fix 121 CVEs on August 2022 Patch Tuesday, including two zero-day flaws, one of which is being actively exploited in the wild. The actively exploited zero-day flaw has been dubbed DogWalk and is a vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). If exploited, an attacker could remotely execute arbitrary code on vulnerable systems. The flaw is tracked as CVE-2022-34713 and an exploit for the...

Sophisticated Twilio Smishing Attack Sees Accounts and Customer Data Compromised
Aug09

The digital communication platform provider Twilio has confirmed that multiple employees have been tricked into disclosing their account credentials in a smishing attack. Smishing is the use of SMS messages for conducting a phishing attack to steal employee credentials. Those credentials can be used to access employee accounts and any sensitive data accessible through those accounts. Twilio provides programmable communication tools...

NHS 111 Services Disrupted by Cyberattack on Managed Service Provider
Aug08

The National Health Service (NHS) in the United Kingdom is currently dealing with a cyberattack on one of its managed service providers, Advanced. Birmingham-based Advanced helps operate NHS 111 services. NHS 111 is a web and telephone service where patients can get quick health and mental health information on non-urgent medical matters. Advanced detected the cyberattack on Thursday, August 4, 2022, and has confirmed it has affected...

97% of Top Universities Failing to Adequately Protect Against Email Impersonation Attacks
Aug04

Domain spoofing is a common tactic used by phishers to trick victims into believing they have received an official email from a trusted business or contact. Technologies have been developed to detect domain spoofing and protect individuals from email impersonation attacks, yet many organizations have not implemented email validation protocols that can detect spoofing, and as such, their employees and other stakeholders are subjected...
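
The email validation protocols referred to are SPF and DMARC (with DKIM for signing). The added example below, not code from the report, evaluates the DNS TXT records a domain publishes and flags the gaps that leave a domain spoofable: p=none (monitor-only, so spoofed mail is still delivered), a partial pct, unprotected subdomains, missing aggregate reporting, and a soft-fail or open SPF. The record strings are constructed for two hypothetical domains and no DNS lookups are performed.

```python
from typing import Optional


def parse_tags(txt: str) -> dict:
    """Split a 'k=v; k=v' TXT record into a lowercase-keyed dict."""
    tags = {}
    for part in txt.split(";"):
        k, sep, v = part.strip().partition("=")
        if sep:
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_dmarc(record: Optional[str]):
    """Return (verdict, findings) for a domain's _dmarc TXT record.
    verdict is one of 'none', 'monitor', 'partial', 'enforced'."""
    if record is None:
        return "none", ["no DMARC record: receivers have no policy to apply when SPF/DKIM alignment fails"]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "none", ["malformed record: missing v=DMARC1, receivers will ignore it"]
    p = tags.get("p", "none").lower()
    sp = tags.get("sp", p).lower()          # subdomain policy defaults to p
    pct = int(tags.get("pct", "100"))       # share of failing mail the policy applies to
    findings = []
    if p == "none":
        findings.append("p=none: failing mail is still delivered, so spoofed messages reach inboxes (monitoring only)")
    if sp == "none" and p != "none":
        findings.append("sp=none: subdomains can be spoofed even though the organisational domain is enforced")
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing attempts go unseen")
    if p == "none":
        verdict = "monitor"
    elif sp == "none" or pct < 100:
        verdict = "partial"
    else:
        verdict = "enforced"
    return verdict, findings


def assess_spf(record: Optional[str]):
    """Return (verdict, finding) for a domain's SPF record based on its terminal 'all' qualifier."""
    if record is None:
        return "none", "no SPF record: any host may claim to send for this domain"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", "malformed record: missing v=spf1"
    qualifier = None
    for term in terms[1:]:
        if term.lower().lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"   # bare 'all' means '+all'
    if qualifier == "-":
        return "hardfail", "-all: unlisted senders fail SPF"
    if qualifier == "~":
        return "softfail", "~all: unlisted senders only softfail; without DMARC enforcement most receivers deliver anyway"
    if qualifier == "?":
        return "neutral", "?all: neutral result, no protection"
    if qualifier == "+":
        return "open", "+all: every host on the internet passes SPF for this domain"
    return "neutral", "no 'all' mechanism: unlisted senders get a neutral result (RFC 7208 default)"


# Constructed records for two hypothetical domains (assumptions, not any real university's DNS).
MONITOR_ONLY_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@university-a.example"
ENFORCED_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@university-b.example"
SOFT_SPF = "v=spf1 include:_spf.university-a.example ~all"
HARD_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.university-b.example -all"

if __name__ == "__main__":
    for name, dmarc, spf in (("university-a.example", MONITOR_ONLY_DMARC, SOFT_SPF),
                             ("university-b.example", ENFORCED_DMARC, HARD_SPF)):
        verdict, findings = assess_dmarc(dmarc)
        print(f"{name}: DMARC={verdict} SPF={assess_spf(spf)[0]}")
        for f in findings:
            print("  -", f)
```

Note that a domain with a published DMARC record can still count as unprotected: p=none tells receivers to deliver failing mail, which is the state most organisations stall in after the initial monitoring phase.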

87% of Ransomware Uses Malicious Macros to Infect Devices
Aug03

Microsoft recently rolled out a new security feature that blocks VBA macros by default in Office files downloaded from the Internet. There was a hiccup in that process, as Microsoft had to make a temporary U-turn in response to negative feedback from users. Microsoft has now taken the feedback on board, improved the usability of the feature, and rolled it out again. An investigation by the cybersecurity firm Venafi and the criminal intelligence provider,...

Network of 11,000 Websites Used in Industrial Scale Fake Investment Scam
Aug01

A network of more than 11,000 websites being used for industrial-scale investment fraud has been uncovered by security researchers at Group-IB. The scammers use advertisements on social media networks such as Facebook and YouTube, which direct users to websites offering fake investment schemes. The posts, adverts, and websites often appear to have been endorsed by well-known local celebrities, and the websites themselves are well...

LinkedIn Remains the Most Impersonated Brand in Phishing Attacks
Jul27

The Q2, 2022 Brand Phishing Report from cybersecurity firm Check Point shows LinkedIn is still the most impersonated brand in phishing attempts, having first entered into the Top 10 Most Impersonated Brands list in Q1, 2022. There has also been a surge in phishing attempts impersonating Microsoft, which have more than doubled from the previous quarter. The increase has seen Microsoft catapulted into position 2 in the list, accounting...

Amadey Bot Malware Distributed via SmokeLoader Disguised as Software Cracks
Jul25

A malware distribution campaign has been detected by researchers at AhnLab that ultimately delivers Amadey Bot malware. Amadey Bot malware can steal information from infected systems, perform reconnaissance, and drop additional malware payloads on infected devices. Amadey Bot malware is a relatively old malware, first identified four years ago. The latest campaign delivers a new version of the malware via SmokeLoader malware....

Flaws in Vehicle GPS Tracker Could be Exploited Remotely to Track and Disable Vehicles
Jul21

A popular GPS tracking device – MiCODUS MV720 GPS tracker – that is installed in vehicles to protect against theft and for vehicle fleet management has been found to contain six severe vulnerabilities that could be remotely exploited by threat actors to gain control of the device. The MiCODUS MV720 GPS tracker is hardwired into vehicles and allows vehicles to be tracked for fleet management, and also incorporates several...

North Korean Hackers Behind HolyGhost Ransomware Attacks on SMBs
Jul18

A ransomware family called HolyGhost that is being used in attacks on SMBs has been linked to a suspected North Korean state-sponsored hacking group by researchers at Microsoft. The ransomware was first detected in September 2021 and has been predominantly used to attack small and mid-sized businesses, including schools, banks, manufacturers, and event and meeting planning companies. Microsoft has tracked the attacks to a threat group...

Security Vendors Impersonated in Callback Phishing Campaign
Jul14

The cybersecurity vendor CrowdStrike has issued a warning about a callback phishing campaign that attempts to trick employees at businesses into visiting a malicious website. Initial contact is made via email, which instructs recipients to make a phone call as part of a security audit. According to one of the emails obtained by researchers at CrowdStrike, contact is made due to an alleged data breach at the cybersecurity firm. The...

Massive Phishing Campaign Bypasses MFA to Gain Access to Office 365 Accounts for BEC Attacks
Jul13

This week, Microsoft shared details of a massive phishing campaign that has targeted more than 10,000 organizations since September 2021. The campaign targets organizations that use Office 365 and allows the attackers to hijack accounts, even if they have multi-factor authentication (MFA) enabled. The compromised accounts are then used to conduct business email compromise attacks on external companies to get them to make fraudulent...

Microsoft Rollback of VBA Macro Blocking is Only a Temporary Measure
Jul12

Last week, Windows users started noticing that Microsoft had stopped blocking Internet-delivered VBA macros by default without making an announcement. Microsoft has now confirmed that the rollback is only a temporary measure. Back in February, Microsoft announced that it would be taking steps to improve security by blocking Visual Basic for Applications (VBA) macros by default in certain Office apps. The security measure would apply...

Threat Groups Observed Substituting Cobalt Strike for Stealthier Post-Exploitation Framework
Jul08

Cyber threat actors are frequently observed deploying a legitimate penetration testing and post-exploitation framework known as Cobalt Strike on victims’ systems. Cobalt Strike is used by pen testers and cybersecurity red teams in simulated attacks on a company to probe for and exploit vulnerabilities. Cobalt Strike is used to deploy beacons on compromised parts of the network, which can be used for surveillance and running commands....

U.S. Healthcare Sector Warned About Maui Ransomware Attacks by North Korean Hackers
Jul07

North Korean state-sponsored hackers are targeting organizations in the U.S. healthcare and public health sector (HPH) and are using Maui ransomware for extortion, according to a recent joint cybersecurity advisory from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury. Ransomware attacks on healthcare providers can prevent access to electronic...

New IIS Backdoor Identified in Microsoft Exchange Servers
Jul04

Security researchers at Kaspersky have sounded the alarm about a new malware threat that is being used to gain persistent, stealthy access to corporate Microsoft Exchange servers. The malware allows the threat actor to steal email data and gain full control of the victims’ infrastructure. Currently, detection rates by antivirus software engines are poor. Despite the malware having been in use for several months, many of the infections...

New AstroLocker Ransomware Variant Detected Being Distributed Directly Through Email Attachments
Jun30

A new version of AstroLocker ransomware has been detected which is being delivered directly via email attachments. AstroLocker is a relatively new ransomware threat that is based on Babuk ransomware, the source code for which was leaked in September last year. In contrast to most malspam campaigns, which use VBA macros for downloading the first-stage payload, this campaign uses a Word document attachment with an embedded OLE object –...

FBI Warns Employers About Use of Deepfakes to Land Remote Working Positions
Jun29

The Federal Bureau of Investigation has issued a warning to businesses due to an increasing number of complaints received by its Internet Crime Complaint Center (IC3) about the use of deepfakes in applications for remote working and work-from-home positions. Deepfakes of images, video, and audio files can be very convincing and difficult to distinguish from genuine content. Deepfakes are often created using AI/machine learning...

Cybersecurity Agencies Recommend Using PowerShell to Improve Forensics and Incident Response
Jun23

Windows PowerShell is a useful and powerful scripting language and configuration management tool that Windows system administrators use to write scripts that automate tasks. PowerShell is also extremely useful to cyber threat actors, who often abuse it after gaining access to victims’ networks: because it is already present on every Windows host, they do not have to download their own toolsets, and their activity blends in with legitimate administration. The...

SharePoint and OneDrive Files Could be Vulnerable to Ransomware Attacks
Jun22

A potential vulnerability has been identified in Office 365 and Microsoft 365 that could be exploited by ransomware gangs to encrypt files stored on SharePoint and OneDrive, rendering the files unrecoverable without paying the ransom if the files have not been separately backed up. According to Proofpoint, which recently published a report on the issue, the issue relates to the auto-save feature that saves SharePoint and OneDrive...

Microsoft Issues Out-of-Band Update to Fix Patch Tuesday-Related Issue on Arm Devices
Jun21

Microsoft has issued an out-of-band update to fix an issue with Windows devices with Arm chips that was caused when users applied their June 2022 Patch Tuesday updates. The issue caused problems signing into Azure Active Directory and Microsoft 365 on Arm devices, and also affected applications and services that use Azure Active Directory for signing in, such as Microsoft Outlook, OneDrive for Business, and Microsoft Teams Microsoft...

Thousands Arrested in Interpol-Led Operation Targeting Social Engineering Scammers
Jun16

An international law enforcement operation led by Interpol that involved police forces in 76 countries has seen more than $50 million seized and thousands of people have been arrested in connection with social engineering scams such as telecommunication fraud, business email compromise scams, and the money laundering activities in relation to those operations. The operation – called First Light 2022 – ran for two months between...

Emotet Malware Infections Increased by 2,700% from Q4, 2021 to Q1, 2022
Jun13

Security researchers have identified new variants of Emotet malware that are capable of collecting and using stolen credentials, which are then weaponized and used to distribute the malware, and security solutions are failing to block the malware. Emotet is widely regarded as the most dangerous malware threat. While action was taken by a coalition of law enforcement agencies, which shut down the infrastructure of Emotet in January...

Local Governments Targeted in Phishing Campaign Exploiting Windows Follina Vulnerability
Jun07

The critical Windows ‘Follina’ zero-day vulnerability is being exploited in phishing attacks on local governments in the United States and government entities throughout Europe, according to Proofpoint. The phishing campaign uses Rich Text Format (RTF) attachments, which exploit the Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution bug – CVE-2022-30190 – if opened. Exploitation of the vulnerability does not...

Zero-day Atlassian Confluence Vulnerability Being Actively Exploited by Multiple Threat Actors
Jun03

A critical Atlassian Confluence zero-day vulnerability is being actively exploited by multiple threat actors. At present, there is no patch available to fix the flaw. The vulnerability is tracked as CVE-2022-26134 and is a remote code execution vulnerability that affects all versions of Confluence Server and Data Center. The vulnerability does not affect Atlassian Cloud. Atlassian said it is aware that the vulnerability is being...

3.6 Million MySQL Servers are Exposed to the Internet and Responding to Queries
Jun02

The cybersecurity research group, The Shadowserver Foundation, has identified 3.6 million MySQL servers that are using the default TCP port 3306 and are exposed to the Internet. Almost 2.3 million of those MySQL servers responded to queries on IPv4, and over 1.3 million responded to queries over IPv6. 67% of all MySQL servers were discovered to be accessible over the Internet. The researchers did not investigate the level of access...

Zero-Day Vulnerability Affecting Microsoft Office Being Actively Exploited
Jun01

A zero-day remote code execution vulnerability has been identified in the Microsoft Windows Support Diagnostic Tool (MSDT) which is being actively exploited in the wild. The vulnerability affects all versions of Microsoft Office from 2003 and has been dubbed Follina. The vulnerability can be exploited by sending a specially crafted Word document, which will exploit the flaw if the document is opened. The vulnerability works without...

General Motors Customers Targeted in Credential Stuffing Attack
May27

General Motors has announced that certain customer accounts have been accessed by unauthorized individuals. Between April 11 and April 29, 2022, suspicious logins were detected in customer accounts. The investigation revealed unauthorized individuals accessed certain customer accounts and redeemed their reward points for gift vouchers. The compromised accounts contained information such as names, addresses, dates of birth, personal...

Ransomware Attacks Increased 13% in a Year
May26

The 2022 Verizon Data Breach Investigations Report has been published, which shows the extent to which ransomware is being used in cyberattacks on businesses. Ransomware has proven to be a highly successful tool for monetizing system compromises. Threat actors gain initial access to the network, exfiltrate data, then encrypt files. Payment is demanded to prevent the sale or exposure of sensitive data and for the keys to decrypt files....

CISA Adds 41 Vulnerabilities to the Known Exploited Vulnerabilities Catalog
May25

On May 23 and May 24, 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a further 41 vulnerabilities to its Known Exploited Vulnerabilities Catalog, bringing the number of vulnerabilities in the list up to 703. The latest additions are based on evidence that the vulnerabilities are being actively exploited by threat actors in the wild. When new vulnerabilities...

Conti Ransomware Operation Shuts Down and Restructures
May23

The prolific Conti ransomware-as-a-service operation appears to have shut down. According to Advanced Intel, the internal infrastructure of the gang has been shut down, including the Tor admin panels that are used to negotiate with victims and to publish data on the leak site; however, the actual data leak and ransom negotiation sites remain online. The operation looks like it is splitting up and will operate as a collection of much...

Read More
Top Attack Vectors Used to Breach Corporate Networks
May18

Top Attack Vectors Used to Breach Corporate Networks

The Five Eyes cybersecurity agencies from the United States, United Kingdom, Canada, Australia, and New Zealand have issued a security alert sharing the top five techniques used by cyber threat actors to gain initial access to corporate networks. The agencies also list 10 weak security controls and poor security practices that are commonly exploited in cyberattacks and provide suggested mitigations for hardening security to prevent...

Read More
Critical F5 BIG-IP Flaw is Being Widely Exploited
May11

Critical F5 BIG-IP Flaw is Being Widely Exploited

A critical flaw in F5 BIG-IP systems is being actively exploited by threat actors. BIG-IP systems are software/hardware solutions that are used for access control, application availability, and security. The flaw, tracked as CVE-2022-1388, was disclosed last week by F5 and was assigned a CVSS severity score of 9.8 out of 10. The flaw affects the iControl REST authentication component which is used for communication between the F5...

Read More
3 Zero-Days Among 95 Flaws Patched by Microsoft on May 2022 Patch Tuesday
May10

3 Zero-Days Among 95 Flaws Patched by Microsoft on May 2022 Patch Tuesday

Microsoft has released patches to correct 75 flaws in its products on May 2022 Patch Tuesday, including 3 zero-days, one of which is being actively exploited in MitM attacks. The actively exploited zero-day is tracked as CVE-2022-26925 and is a Windows LSA spoofing vulnerability, which allows attackers to authenticate to domain controllers. According to Microsoft, “An unauthenticated attacker could call a method on the LSARPC...

Read More
Phishing Campaign Pushing Jester Malware Targets Ukrainian Citizens Warning of Chemical Attacks
May10

Phishing Campaign Pushing Jester Malware Targets Ukrainian Citizens Warning of Chemical Attacks

A phishing campaign has been identified that warns of chemical weapon attacks on Ukrainian citizens in an attempt to infect devices with Jester malware. The Computer Emergency Response Team of Ukraine (CERT-UA) has recently issued a security advisory about the mass distribution of these malicious emails targeting Ukrainian citizens. The emails have the subject line “chemical attack” and warn in Ukrainian that information has been...

Read More
U.S. Offers $15 Million in Rewards for Information About Conti Ransomware Leaders & Affiliates
May09

U.S. Offers $15 Million in Rewards for Information About Conti Ransomware Leaders & Affiliates

The U.S. Department of State is offering up to $15 million in rewards for information on the Conti ransomware leadership and its affiliates, as was the case in November where similar rewards were offered for information on the Sodinokibi (REvil) and Darkside ransomware groups. The Conti ransomware-as-a-service (RaaS) operation has been highly prolific and is currently the leading RaaS operation. The gang has conducted more than 1,000...

Read More
FBI: More than $43 Billion has been Lost to BEC Scams Since 2016
May06

FBI: More than $43 Billion has been Lost to BEC Scams Since 2016

Business email compromise (BEC) scams are the leading cause of losses to cybercrime. According to the U.S. Federal Bureau of Investigation (FBI), reported losses between June 2016 and December 2021 exceeded $43.3 billion. These scams, also known as email account compromise (EAC), involve compromising a business email account and using it to send emails to individuals responsible for making wire transfers and tricking them into making...

Read More
Campaign Identified Delivering Fileless Malware using Shellcode in Windows Event Logs
May05

Campaign Identified Delivering Fileless Malware using Shellcode in Windows Event Logs

A new technique has been observed in the wild for delivering fileless malware on targeted devices and evading detection. According to researchers at Kaspersky, the attack involves injecting shellcode into Windows event logs, which sees the attacker hiding in plain sight and delivering fileless Trojans. The encrypted shellcode that includes the payload is embedded into Windows event logs in 8KB blocks and is saved in the binary part of...

Read More
REvil Ransomware Operation Returns
May02

REvil Ransomware Operation Returns

Evidence is mounting that the notorious REvil ransomware operation is back up and running, despite multiple arrests and loss of control of its infrastructure. The notorious and prolific REvil ransomware gang ceased operations in October 2021, following a law enforcement operation that saw the Tor servers that hosted their payment portal hijacked, along with the data leak blog where victims were named. In January this year, the Federal...

Read More
Bumblebee is the Malware Loader of Choice for Delivering Malicious Payloads
Apr29

Bumblebee is the Malware Loader of Choice for Delivering Malicious Payloads

A new malware loader dubbed Bumblebee is being used by multiple threat actors to deliver malicious payloads to victims’ devices. According to cybersecurity firm Proofpoint, which analyzed the Bumblebee loader, its sole purpose appears to be to download malicious payloads onto infected devices and has been observed being used to deliver the Cobalt Strike, Sliver, and Meterpreter red team frameworks. The researchers identified three...

Read More
Emotet is Once Again the Biggest Malware Threat
Apr26

Emotet is Once Again the Biggest Malware Threat

In January 2021, the infamous Emotet botnet was shut down following an international law enforcement operation coordinated by Europol and Eurojust. Emotet started life as a banking Trojan and was first detected in 2014. Over the years the malware evolved into a powerful tool that was offered under the malware-as-a-service model to provide other threat actors with access to the devices infected with Emotet, including ransomware gangs...

Read More
Cybersecurity Agencies Issue Warning About Cyberattacks by State Sponsored and Pro-Russian Hacking Groups
Apr21

Cybersecurity Agencies Issue Warning About Cyberattacks by State Sponsored and Pro-Russian Hacking Groups

A joint threat assessment has been published by cybersecurity agencies in the United States, Australia, Canada, New Zealand, and the United Kingdom warning about the threat of cyberattacks by Russian state-sponsored hacking groups and pro-Russian hacking groups. Russian hacking groups are currently engaged in cyberattacks in Ukraine; however, there is concern that cyberattacks could be conducted beyond the Ukraine region in response...

Read More
CISA: Hackers Actively Exploiting Windows Print Spooler Privilege Escalation Flaw
Apr20

CISA: Hackers Actively Exploiting Windows Print Spooler Privilege Escalation Flaw

On February 2022 Patch Tuesday, Microsoft released a patch to fix a high severity Windows Print Spooler privilege escalation vulnerability, tracked as CVE-2022-22718, which was one of four privilege escalation vulnerabilities in the Windows Print Spooler component to be patched on February 8. The vulnerability was assigned a CVSS severity score of 7.8 out of 10 and was marked as ‘exploitation more likely’. Hackers can...

Read More
LinkedIn is the Most Impersonated Brand in Phishing Attacks
Apr19

LinkedIn is the Most Impersonated Brand in Phishing Attacks

The professional social networking site LinkedIn is now the most impersonated brand in phishing attacks according to Check Point Research. In Q1, 2022, 52% of phishing attacks spoofed LinkedIn, which is a 550% increase from the previous quarter when LinkedIn was the 5th most impersonated brand. This is part of an emerging trend in phishing that has seen phishers switch to campaigns seeking corporate social media credentials, which can...

Read More
Microsoft Takes Control of ZLoader Botnet Infrastructure
Apr15

Microsoft Takes Control of ZLoader Botnet Infrastructure

Microsoft’s Digital Crimes Unit (DCU) has taken control of 65 domains that were being used as the command-and-control mechanism for the ZLoader botnet. The botnet consisted of Windows devices infected with malware from the ZeuS family, such as Zloader and Zbot. Originally, Zloader malware was used for financial theft, credential theft, and stealing money from personal accounts; however, the threat actors behind the malware started...

Read More
APT Actors Have Demonstrated the Capability to Attack ICS/SCADA Systems
Apr14

APT Actors Have Demonstrated the Capability to Attack ICS/SCADA Systems

Certain Advanced Persistent Threat (APT) actors have demonstrated they have the capability to gain access to industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices, including Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers, according to a joint cybersecurity alert issued by the U.S....

Read More
Microsoft Fixes 128 Vulnerabilities Including 2 Zero Day Bugs
Apr13

Microsoft Fixes 128 Vulnerabilities Including 2 Zero Day Bugs

Microsoft has released patches to fix 128 vulnerabilities across its product range on April 2022 Patch Tuesday, including 10 flaws rated critical, and two zero-day bugs, one of which is being actively exploited in the wild. Three of the critical flaws are wormable and can be exploited remotely with no user action to achieve code execution. The two zero-day bugs have been rated important, even though one is being actively exploited in...

Read More
FBI Disrupts the Russia-Linked Cyclops Blink Botnet
Apr07

FBI Disrupts the Russia-Linked Cyclops Blink Botnet

The massive Cyclops Blink botnet that was being used to target firewall appliances and SOHO networking devices has been neutralized by the U.S. Federal Bureau of Investigation (FBI). The botnet consisted of an army of devices that had been infected by Cyclops Blink malware, which infects Internet-connected devices through malicious firmware updates. The botnet was first identified by the US and UK governments in February this year and...

Read More
New Borat RAT Makes Ransomware and DDoS Attacks Simple
Apr06

New Borat RAT Makes Ransomware and DDoS Attacks Simple

A new Remote Access Trojan (RAT) has been identified that makes it easy for threat actors to conduct ransomware and DDoS attacks. The malware – dubbed Borat – takes its name from the character created by Sacha Baron Cohen and was discovered by researchers at the cybersecurity firm Cyble following attacks in the wild using the malware. Their analysis of the Borat RAT revealed it has extensive features. Those features are delivered...

Read More
Over 5 Dozen Software Flaws Added to CISA’s Known Exploited Vulnerabilities List
Mar28

Over 5 Dozen Software Flaws Added to CISA’s Known Exploited Vulnerabilities List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 66 vulnerabilities to its Known Exploited Vulnerabilities Catalog that should be given priority when patching, which brings the total number of vulnerabilities on the list to 570. The Known Exploited Vulnerabilities Catalog was first published by CISA in November 2021 as part of its efforts to reduce the significant risk of vulnerabilities being exploited by...

Read More
Losses to Cybercrime Increased 64% in 2021 to $6.9 Billion
Mar25

Losses to Cybercrime Increased 64% in 2021 to $6.9 Billion

The 2021 Internet Crime Report from the FBI’s Internet Crime Complaint Center (IC3) shows there was a 64% increase in losses to cybercrime in 2021, rising from $4.2 billion in reported losses in 2020 to $6.9 billion in 2021. 2021 broke the previous record in submitted complaints, with IC3 receiving 847,376 complaints from victims of cybercrime – a 7% increase from 2020. 2021 saw significant rises in phishing, ransomware,...

Read More
Critical Infrastructure Organizations Warned About AvosLocker Ransomware Attacks
Mar21

Critical Infrastructure Organizations Warned About AvosLocker Ransomware Attacks

AvosLocker ransomware is being used in attacks on U.S. critical infrastructure organizations, according to a recent joint cybersecurity advisory issued by the Federal Bureau of Investigation (FBI), U.S. Department of the Treasury, and the U.S. Treasury Financial Crimes Enforcement Network (FinCEN). AvosLocker is a relatively new ransomware group that first appeared in June 2021. Initially, the ransomware was used in attacks on Windows...

Read More
Feds Issue Security Alert About MFA Bypass and Vulnerability Exploitation
Mar18

Feds Issue Security Alert About MFA Bypass and Vulnerability Exploitation

State-sponsored Russian hackers have bypassed multi-factor authentication and exploited the PrintNightmare vulnerability in an attack on a non-governmental organization (NGO), according to a recent security alert from the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA). The attack in question occurred in May 2021. The hackers gained a foothold in the network in a brute force attack and...

Read More
Feds Issue Update on Conti Ransomware
Mar10

Feds Issue Update on Conti Ransomware

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have issued an update on Conti Ransomware as attacks on U.S. businesses pass the 1,000 mark. The update includes information gathered from the recent leak of internal private messages between gang members by a Ukrainian researcher, who also released the source code for the ransomware and...

Read More
Microsoft Issues Patches for 71 Vulnerabilities Including 3 Critical Bugs and 3 Zero-days
Mar09

Microsoft Issues Patches for 71 Vulnerabilities Including 3 Critical Bugs and 3 Zero-days

Microsoft has provided patches to fix 71 vulnerabilities on March 2022 Patch Tuesday, including 3 critical bugs, 68 important issues, and 3 flaws that had been publicly disclosed before a patch was released. None of the vulnerabilities are believed to have been exploited in the wild at the time the patches were released. The critical flaws affect HEVC Video Extensions – CVE-2022-22006 (CVSS 7.8), VP9 Video Extensions (CVSS 7.8),...

Read More
FBI Issues Security Alert About Ongoing RagnarLocker Ransomware Attacks
Mar08

FBI Issues Security Alert About Ongoing RagnarLocker Ransomware Attacks

The Federal Bureau of Investigation (FBI), in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA), has issued a TLP: White flash alert warning organizations in critical infrastructure sectors about RagnarLocker ransomware attacks. Ragnar Locker ransomware started to be used in attacks in December 2019, with the FBI first learning of the ransomware in April 2020. The FBI says RagnarLocker ransomware actors work...

Read More
Lapsus Ransomware Gang Continues with High Profile Attacks
Mar04

Lapsus Ransomware Gang Continues with High Profile Attacks

The Lapsus ransomware gang is a new threat group that first appeared in December 2021 but has already started building a name for itself with several high-profile attacks already conducted, the latest being the ransomware attack on GPU giant NVIDIA.

Sensitive Employee Data and Source Code Stolen from NVIDIA

NVIDIA said it detected the attack on February 23, 2021, and announced on February 25 that it was investigating a security...

Read More
Warnings Issued About Hermetic Wiper with Worm-like Capabilities
Mar01

Warnings Issued About Hermetic Wiper with Worm-like Capabilities

A destructive new malware dubbed Hermetic Wiper is being used in cyberattacks in Ukraine and there are fears that there could be spillover into other countries akin to the NotPetya wiper malware attacks in 2017. According to a recent report by cybersecurity firm ESET, Hermetic Wiper has been used in several attacks in Ukraine starting on February 24, 2022. The malware masquerades as ransomware and victims are told that their files...

Read More
TrickBot Trojan Retired as Developers Switch to Stealthier Malware
Feb28

TrickBot Trojan Retired as Developers Switch to Stealthier Malware

The TrickBot Trojan has been a major malware threat for the past 6 years but appears to have now been retired. The main developers of the TrickBot Trojan are believed to have joined the Conti ransomware gang to work on stealthier malware such as the BazarBackdoor and Anchor malware families. The TrickBot Trojan is a modular malware that first emerged in 2016. The malware was initially a banking Trojan but has had several capabilities...

Read More
U.S. Organizations Warned About Elevated Risk of Cyberattacks as New Wiper Malware Used in Attacks in Ukraine
Feb24

U.S. Organizations Warned About Elevated Risk of Cyberattacks as New Wiper Malware Used in Attacks in Ukraine

Cyberattacks in Ukraine have recommenced following the Russian invasion of Ukrainian territory. Ukrainian government agencies have also been hit with DDoS attacks that took their websites offline, in what appears to be an attempt to destabilize the country, and a new wiper malware has been identified that has been used on hundreds of targets in the country. In contrast to ransomware, wiper malware’s sole purpose is the destruction of...

Read More
CISA Warns Critical Infrastructure Entities About the Risk of Foreign Influence Operations
Feb22

CISA Warns Critical Infrastructure Entities About the Risk of Foreign Influence Operations

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to critical infrastructure organizations about the threat of foreign influence operations. Malicious actors use a range of tactics to shape public opinion in targeted countries and undermine trust in critical infrastructure. These tactics can amplify division and sow discord, and typically involve the distribution of misinformation, disinformation,...

Read More
Free Cybersecurity Tools to Adopt to Improve Your Security Capabilities
Feb21

Free Cybersecurity Tools to Adopt to Improve Your Security Capabilities

Cybersecurity budgets are usually limited, so it is not possible to purchase multiple best-in-class cybersecurity solutions, but the good news is there are many free cybersecurity tools that can be adopted to improve security capabilities at zero cost. There is no silver bullet when it comes to cybersecurity. Several cybersecurity solutions must be used to protect against intrusions and detect and block attacks in progress, which can...

Read More
These Critical Vulnerabilities in SAP Business Applications Require Immediate Patching
Feb10

These Critical Vulnerabilities in SAP Business Applications Require Immediate Patching

SAP has released patches to fix a set of critical vulnerabilities in the SAP Internet Communication Manager (ICM), which is used by SAP business applications such as SAP NetWeaver, S/4HANA, and SAP Web Dispatcher. One of the vulnerabilities has been given the highest possible CVSS severity score of 10. The vulnerabilities were identified by security researchers at Onapsis Research Labs, who reported them to SAP. The researchers have...

Read More
51 Patches Released by Microsoft on February 2022 Patch Tuesday
Feb09

51 Patches Released by Microsoft on February 2022 Patch Tuesday

Microsoft has released 51 patches on February 2022 Patch Tuesday to fix vulnerabilities, including one zero-day bug. There are considerably fewer patches than in recent months, when over 100 patches a month has been the norm; that said, Microsoft did release around 20 patches to fix vulnerabilities in the Chromium-based Microsoft Edge browser earlier this month. None of this month’s patches are critical issues – all have been rated...

Read More
California Attorney General Shares Tips for Avoiding Identity Theft
Feb04

California Attorney General Shares Tips for Avoiding Identity Theft

California Attorney General Rob Bonta has provided Californians with tips for avoiding identity theft and fraud in recognition of Identity Theft Awareness Week 2022. Identity theft is where someone steals an individual’s personal data and uses the information to impersonate that individual in order to commit fraud, such as opening lines of credit in the victim’s name. As more people now rely on online services for work and personal...

Read More
Cisco Releases Patches to Fix Multiple Critical Vulnerabilities in its Small Business Routers
Feb03

Cisco Releases Patches to Fix Multiple Critical Vulnerabilities in its Small Business Routers

Cisco has released patches to fix 15 vulnerabilities in its Small Business V160, RV260, RV340, and RV345 Series Routers, several of which are critical flaws, and three have the maximum CVSS severity score of 10/10. The vulnerabilities could be exploited to execute arbitrary code with root privileges, elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, and...

Read More
SEO Poisoning to Distribute Malware Disguised as Legitimate Software Installers
Feb02

SEO Poisoning to Distribute Malware Disguised as Legitimate Software Installers

Mandiant has identified a campaign that uses fake software installers for free productivity apps such as Zoom, TeamViewer, and Visual Studio to distribute Batloader, Ursnif, and Atera Agent malware. The campaign uses search engine optimization (SEO) poisoning to get web pages listed high in the search engine listings for certain search terms to drive traffic to the pages offering the software downloads. The researchers report that...

Read More
Banking Trojan Masquerades as Android Password Security App
Feb01

Banking Trojan Masquerades as Android Password Security App

A password security app that is available through the Google Play Store and has been downloaded more than 10,000 times is actually a malware dropper that delivers a banking Trojan. The malicious app – 2FA Authenticator – was identified by security researchers at Pradeo and was discovered to deliver a banking Trojan called Vultur that targets financial services and steals banking information and other sensitive data. 2FA...

Read More
8 Vulnerabilities Added to CISA’s Known Exploited Vulnerabilities Catalog
Feb01

8 Vulnerabilities Added to CISA’s Known Exploited Vulnerabilities Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has added a further 8 actively exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog. These 8 vulnerabilities are known to have been exploited by threat actors in real-world attacks, and as such these vulnerabilities pose a significant risk to organizations. The vulnerabilities are a mix of old and new, with the earliest vulnerabilities dating back to 2014...

Read More
January 28, 2022 is Data Privacy Day – A Day to Take Steps to Improve the Privacy of Personal Data
Jan28

January 28, 2022 is Data Privacy Day – A Day to Take Steps to Improve the Privacy of Personal Data

Today is Data Privacy Day – an annual day with a focus on raising awareness of best practices for keeping personal data private and confidential, along with the techniques and tools that can be adopted by all individuals to better protect them against data theft, identity theft, and other types of fraud. Data Privacy Day – January 28 – started as Data Protection Day in 2006 and was initiated by the Council of Europe. Two years later,...

Read More
QNAP: Immediate Action Required to Prevent Deadbolt Ransomware Attacks on NAS Devices
Jan27

QNAP: Immediate Action Required to Prevent Deadbolt Ransomware Attacks on NAS Devices

QNAP, a Taiwanese manufacturer of network-attached storage (NAS) devices, has issued a warning to all customers to ensure they are running the latest software and to reconfigure their systems to improve resilience to ransomware attacks. A campaign has been identified involving a new ransomware variant called Deadbolt, which is being used in attacks on QNAP NAS devices that are exposed to the Internet. The campaign has only recently...

Read More
ITRC Says Record-breaking Numbers of Data Compromises Were Reported in 2021
Jan25

ITRC Says Record-breaking Numbers of Data Compromises Were Reported in 2021

New data from the Identity Theft Resource Center (ITRC) shows record numbers of data breaches were reported in 2021, beating the previous record of 1,506 data breaches set in 2017 by 23%. 1,862 data compromises were reported in 2021, which is a 68% increase from 2020. There was also a slight increase in the number of reported breaches involving sensitive information such as Social Security numbers, which jumped from 80% in 2020 to 83%...

Read More
F5 Releases Patches to Fix 25 Vulnerabilities in its BIG-IP, BIG-IQ, and NGINX Solutions
Jan24

F5 Releases Patches to Fix 25 Vulnerabilities in its BIG-IP, BIG-IQ, and NGINX Solutions

F5, the multi-cloud management and application delivery and security solution provider, has released 25 patches to address vulnerabilities in its BIG-IP, BIG-IQ, and NGINX Controller API Management solutions in its January 2022 quarterly security notification. 15 of the vulnerabilities are high-severity issues, with 9 medium-severity flaws, and one low-severity issue. The vulnerabilities could be exploited by an attacker in a...

Read More
FBI Shares IoCs Associated with Diavol Ransomware Attacks
Jan21

FBI Shares IoCs Associated with Diavol Ransomware Attacks

The Federal Bureau of Investigation (FBI) has issued a TLP:WHITE Flash Alert sharing indicators of compromise (IoCs) associated with Diavol ransomware attacks and recommended mitigations. Diavol ransomware is believed to be used by the operators of the TrickBot banking Trojan and botnet, who are also believed to operate Conti and Ryuk ransomware. The new ransomware family was first detected in July 2021 and came to the attention of the FBI...

Read More
Prepare for Wiper Malware Attacks, Warns CISA
Jan20

Prepare for Wiper Malware Attacks, Warns CISA

A warning has been issued by the Cybersecurity and Infrastructure Security Agency (CISA) to organizations in the United States to take steps to strengthen their defenses against wiper malware attacks following the recent cyberattacks in Ukraine. The attacks in Ukraine involved a new wiper malware – dubbed Whispergate by Microsoft – that was used in attacks on multiple government, non-profit, and information technology...

Read More
New Wiper Malware Was Used in Recent Cyberattacks in Ukraine
Jan17

New Wiper Malware Was Used in Recent Cyberattacks in Ukraine

Last week, Ukraine experienced a massive cyberattack that affected around 70 government websites, including those of the Ministry of Foreign Affairs and the education ministry. A post on one of the attacked websites read, “Ukrainians! … All information about you has become public. Be afraid and expect worse. It’s your past, present and future.” The attack was mitigated quickly, with Ukraine now reporting that most of the affected...

Read More
New York Attorney General Issues Business Guide for Credential Stuffing Attacks
Jan14

New York Attorney General Issues Business Guide for Credential Stuffing Attacks

The Bureau of Internet and Technology at the Office of the New York State Attorney General (OAG) has issued a Business Guide for Credential Stuffing Attacks to raise awareness of the threat and offer advice on steps that can be taken to prevent and mitigate attacks. Credential stuffing is a type of brute force attack where credentials stolen in previous data breaches are used to gain access to other online accounts. Bots are used to...

Read More
Purple Fox Malware Being Delivered Disguised as a Telegram Installer
Jan11

Purple Fox Malware Being Delivered Disguised as a Telegram Installer

Threat actors often add malware to software installers, so it is no surprise that researchers at Minerva Labs have discovered installers for legitimate software being used to deliver the Purple Fox rootkit, but what makes this campaign different is that the techniques used allow the threat actors to evade most AV engines. Most of the attack is kept under the radar and it has low detection rates by AV engines. The Purple Fox rootkit was...

Read More