Internet threat news

In much the same way that GitHub has been used by malicious threat actors to distribute malware, it would not be long until Docker Hub would be abused for similar purposes. In a recent report published by Sysdig over 1,600 publicly available Docker Hub images are been used to hide malicious behavior, including cryptocurrency miners, embedded secret keys and other authenticators that can be used as backdoors, DNS hijackers, as well as website redirectors.

According to the Federal Bureau of Investigation (FBI), the Hive gang has successfully extorted over 100 million USD from approximately 1300 victims dating back to July 2021. Unfortunately, those that refuse to pay are likely to experience further ransomware payloads down the line, which is in line with recent Hive tactics and can be seen as an escalation in the famed double extortion tactic prominent in the ransomware space.

Robin Banks, the popular phishing-as-a-service (PaaS) platform amongst the cybercriminal underground, has resurfaced after previously having its backend and frontend rendered useless by Cloudflare. Now the platform has found a new hosting partner based in Russia that boasts distributed-denial-of-service (DDoS) protection for customers. The hosting partner, DDOS-GUARD, has also been linked to hosting QAnon, 8Chan, and Hamas web assets.

A sophisticated threat group designated as Cranefly by security firm Symantec is using new techniques and tools to bolster an already comprehensive threat package. Not only is Cranefly using new techniques to further attack campaigns but also a previously undiscovered malware dropper given the name Geppei by researchers.

Ransomware continues to be one of, if not the primary, threat faced by organizations, particularly large corporations. On October 21, UK car dealer Pendragon released a statement to the press saying,

Security researchers have recently discovered possible links between the relatively new Ransom Cartel and an old foe of many a researcher, Sodinokibi. The latter is also tracked as REvil, a pioneer in how ransomware gangs changed tactics to target large corporations and demand millions in ransom payments.

Based on research conducted by Team Cymru, threat actors distributing the IceID malware are experimenting with different delivery methods to find out which works best against different targets. Since Microsoft blocked Macros by default threat actors and malware developers have been forced to find new delivery methods for their malware and it seems IceID is no exception.

Lazarus Group, North Korea’s elite state-sponsored hacking group, has never been shy from adopting new techniques and tactics. In the past, the group has dabbled with ransomware blurring the lines between what was considered the realm of financially motivated hackers rather than their state-sponsored cousins. Now, according to a new report published by ESET, the group has adopted the Bring Your Own Vulnerable Driver (BYOVD) attack tactic to install Window’s based rootkits.

Security firm, Sentinel Labs, has discovered a new threat group that is intent on targeting telecommunications, internet service providers (ISP), and universities, primarily in Africa and the Middle East. Based on a report published the advanced threat group has been active for two years and focuses on long-term persistence for cyber espionage.

In an article published by Bleeping Computer, the cyber security news platform repealed that video games publisher 2K had their gaming support system hacked to spread malware to gamers. This follows news that Steam users were being targeted by unique Browser-in-the-Browser attacks looking to phish online credentials. Gamers across the globe need to be aware that they are now favored targets for specific financially motivated hackers and known threat actor groups.

Steam and its vast array of gaming enthusiasts who use the platform have long been a target for cybercriminals, either to frustrate users or make significant amounts of money hijacking accounts and selling them off. Now attacks are using a newly discovered phishing method, known as a Browser-in-Browser attack to go after the Steam accounts of well-known professional gamers. This is according to a new report by Group-IB.

Initially discovered in April 2022, Bumblebee activity rose as BazarLoader activity dropped off. This hinted at the Conti ransomware gang, and TrickBot had switched malware to grant backdoor access for the ransomware on targeted networks. Since Bumble Bee’s discovery, the developers behind the malware have continued to boost the feature set of the malware, with the latest feature being the capability to add a DLL payload into memory. This allows for more stealthy operations and infections.

Towards the end of August, an attack hit the systems of Italy's energy agency the Gestore dei Servizi Energetici SpA (GSE). The company is publicly owned and specializes in generating electricity from renewable resources across Italy. In a statement to Bloomberg, a spokesperson for the company at the time of the attack stated,

For some time now the penetration testing tool Cobalt Strike has long had its somewhat legitimate functions abused by hackers to compromise targeted machines. The creation of Cobalt Strike beacons was also a favored malware and ransomware delivery method for several threat actors, generally following an infection from TrickBot amongst others to signal a machine is compromised.