Internet threat news

According to research published by Microsoft, a new threat actor has been attacking developers by exploiting a vulnerability in MSHTML, tracked as CVE-2021-40444, which has been patched. Developers familiar with or use MSHTML should ensure that the patch has been installed. Microsoft describes that an attacker could “craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.

It was nearly Christmas 2015 when Juniper released a statement warning customers that it had discovered unauthorized code that allowed hackers to decipher encrypted communications and gain high-level access to customers’ machines that used a popular product developed by the company. The exact wording issued by Juniper stated,

At the start of this year, researchers looked back on 2020 and discovered it was a boom year for DDoS attacks. Now, Russian Internet giant Yandex is battling the biggest DDoS attack on record and a new Botnet may be the infrastructure powering this record-breaking attack.

Giving the attack method its full name of Distributed Denial of Service (DDoS), the attack involves attempts to maliciously disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. This can be done through the use of botnets, devices infected with specific malware that allows a hacker control over the device and can send HTTP requests via a device, typically Internet of Things devices and routers.

Also known as REvil, and sometimes referred to as the Crown Prince of Ransomware, Sodinokibi has long been the thorn in the side of large enterprises and a headline maker. This year alone those behind the ransomware were responsible for both the JBS incident and the Kaseya incident. The latter prompted direct statements of intent by both US President Joe Biden and US law enforcement agencies. This in turn was the likely motivator for the gang to take a holiday.

The bad news is it appears the gang is back in action after taking a summer holiday. When websites and infrastructure known to be used by the ransomware gang were taken offline, many in the InfoSec hoped that the group has thrown in the towel. Lawrence Abraham, of Bleeping Computer, took to Twitter to report that the group's leak site, Happy Blog, was back online with activity dating back to July.

Microsoft security researchers have recently published an article detailing a widespread phishing campaign looking to steal credentials by abusing redirector links. At first, the potential victim is baited by impersonations of well-known productivity tools. They are then redirected to multiple sites which include a CAPTCHA verification page before taking the victim to a fake login page.

Using redirection links has long been a favored technique of hackers, but it is also used by legitimate businesses even if it irritates some customers. Often redirects are used in emails sent by sales and marketing teams to lead customers to a desired landing web page and track click rates and other metrics.

FIN8 is a purely financially motivated cybercrime organization and since 2016, the group has successfully operated by targeting retail, restaurant, hospitality, healthcare, and entertainment industries. This is done to primarily steal payment information from Point of Sale (POS) devices those industries typically rely on to process payments from customers. These tactics were used towards the end of 2019 when Visa warned that the group was compromising POS devices used by fuel stations in North America. FIN8 attack campaigns are conducted sporadically but never fail to make an impact leaving victims questioning how best to shore up their defenses.

The LockBit ransomware gang has been operational since 2019. In June 2021, the gang deployed a newer version of the ransomware, dubbed LockBit 2.0 by its developers, was seen by researchers making a stir on underground forums. Now, a report published by Trend Micro details how the new version has been deployed in recent campaigns starting in July of this year.

The campaigns targeted organizations in Chile, Italy, Taiwan, and the U.K making use of the newer version.

Getting to peek behind the curtains of a ransomware operation is rare. Figuring out the inner workings of modern ransomware-as-a-service operations is an investigation that can take hours upon hours to glean the smallest bits of information. Sometimes discoveries are made that pull the curtain back a little further. Recent blog posts by Vitali Kremez’s Advanced Intelligence have helped expose large sections of the Conti gang’s operations and tactics.

One such blog post revealed how affiliates gain persistence on a victim’s network and avoid detection by security applications.

Microsoft’s ever-popular Office 365 has been a favored target for many hackers. This is partly due to the popular application enjoying widespread adoption in both the corporate and government spheres as employees use many of the bundled applications for daily work life and the ability to easily share documents. In the past, we have seen both ransomware campaigns and phishing actively target users of the product. Microsoft’s 365 Defender Threat Intelligence Team now warns of another phishing campaign using a novel, if somewhat dated, encryption method.

According to the article published by the security team, the attackers are leveraging morse code along with several other encryption techniques to obfuscate code and evade detection while the attackers harvest credentials.

Bloomberg reports that hackers have just successfully stolen roughly 600 million USD from a decentralized finance platform. The theft occurred on the Poly Network which allows users to swap tokens across several blockchains. Tens of thousands of users are believed to be impacted by the theft with a vulnerability within Poly Network being exploited by hackers.

The Poly Network team took to Twitter to address those responsible for the hack and open a line of communication in the hopes that funds can be retrieved. For those who are victims of the theft, there is a strong possibility that the funds cannot be recovered, and they will be significantly out of pocket even if some arrangement can be made with the Poly Network’s team.

While classified as a new strain of ransomware BlackMatter is strongly believed to be a rebranding of the DarkSide ransomware operation infamous for the Colonial Pipeline Incident that drew far too much attention to the gang. BlackMatter is more than a rebranding and does boast some unique features, including the capability of targeting Linux machines. This appears to be an ever-increasing trend amongst other ransomware gangs seeing the potential is not just targeting Windows machines.

According to a recently published report by Recorded Future, researchers have analyzed both Windows and Linux variants of the ransomware. The Windows variant appears to have been created by an experienced ransomware operator, the malware has several obfuscation and anti-analysis techniques within the code.

As info stealers go Racoon Stealer has to be one of the more prolific malware strains of its type in recent memory. This is due in part to the malware being offered as a service, similar to how ransomware-as-a-service or other malware-as-a-service business models have been adopted recently. This model relies on the malware’s developer constantly updating the malware to make it an attractive option to other hackers and so that it warrants the monthly subscription fee.

Racoon Stealer’s latest update enables the malware customers to steal crypto transactions through the use of a clipper. These malware strains operate by replacing the wallet addresses used in a transaction with a wallet address used by the attacker.

On July 9, 2021, the railway service used by Iranians for their daily transport needs suffered a cyber attack. New research published by Sentinel One reveals that the chaos caused during the attack was a result of a previously undiscovered form of wiper malware, called Meteor.

The attack resulted in both the Transport Ministry’s online services offered been shut down and to the frustration of passenger’s cancellations and delays of scheduled trains. Further, the electronic tracking system used to determine the locations of trains in service also failed. The government's response to the attack was at odds with what the Iranian media was saying.

According to a recently published report by the Sygnia Incident Response team, internet-facing Windows servers are being targeted by an advanced persistent threat group called Praying Mantis, or less glamorously TG1021. What makes their attack campaigns noteworthy is that they are almost exclusively conducted in memory.

These attacks, also referred to as Fileless attacks are pieces of malware that rather than been stored on a machine's storage are run from a machine's memory. This makes them harder to detect as no files are stored on the infected system or at least none that are easily detectable.