Internet threat news

Online card skimming, which abuses the code that runs checkout features on eCommerce websites, has been a problem for years. Arguably, it has been overshadowed by ransomware’s meteoric rise to popularity amongst the financially motivated cybercriminal underground, card skimming has still posed a genuine financial threat to both clients and owners of eCommerce platforms. Now, Microsoft has released new research showing that card skimming has reached a new stealthier level in its evolution cycle.

Both the kinetic war and the cyberwar in Ukraine have dominated both the traditional media and the InfoSec media. Unfortunately, hackers whether financially motivated or state-sponsored have not stopped on account of the war, and for many, it's just business as usual like the rest of us not involved in the war. In the realm of cyber espionage this rings doubly true, even for nations who claim to be allies or share a special relationship like China and Russia purport to have.

The US Department of Justice announced via the US Attorney’s Office of the Eastern District of New York that Moises Luis Zagala Gonzalez (Zagala), a 55-year-old cardiologist with French and Venezuelan citizenship residing in Ciudad Bolivar, Venezuela, created and rented Jigsaw and Thanos ransomware to cybercriminals.

Often security researchers will state rather bluntly that a ransomware attack can be financially devastating for an organization. So much in fact that the organization may be forced to shut its doors for good. These extreme cases are often met with the standard response of “it will never happen to me or my business.” Lincoln College is yet another of these extreme cases turned into reality.

Back in October 2021, this publication covered how Sodinokibi operations were ceased following Russian law enforcement seizing the ransomware gangs infrastructure. Now following the Russian invasion of Ukraine, Russian and US officials are no longer collaborating on fighting cybercrime. This has now left the door open for Sodinokibi, also tracked as REvil, to make a comeback.

In what can only be described as a meteoric rise to prominence, the Black Basta ransomware gang is believed to be behind 12 separate attacks in only a matter of weeks. The first known Black Basta attacks seemed to have occurred in the second week of April 2022. Further, it appears as if the gang is not focussing its efforts on one single region as victims are reporting instances worldwide.

Qakbot, also tracked as QBot, is well known for its botnet distributing the credential-stealing trojan component of the malware via malicious Microsoft Office documents. In many instances, Office documents, especially Word documents, would abuse the application’s macros feature to run malicious code.

The last set of vulnerabilities that had everyone talking was the reveal of the Log4j2 flaw that impacted a Java framework for collecting logs in Apache webservers. As is now the case the vulnerability draw comparison to the Spectre and Meltdown flaws  seen a few years prior.

This publication has covered how malicious malware called wipers have seen an uptick in use following the start of the Ukrainian war. Several new wipers have been discovered since the outbreak of war. Following these discoveries, the FBI warned that satellite communication infrastructure was coming under increased attack. The warning was not without incident as Viasat routers were rendered practically useless following a cyber incident.

Mars Stealer appears to be rising in popularity among hackers looking to steal information without spending extended periods developing their malware. Mars Stealer first announced its presence on the malware scene in 2021 on underground hacker forums marketed as a malware-as-a-service (MaaS). A quick look at the malware’s past shows its development has taken advantage of the rise and fall of other malware strains.

Eset researchers have discovered an ongoing campaign using a previously undiscovered version of the Korplug malware. Korplug was previously seen in a campaign targeting Australian government departments and businesses in the middle of 2020. Korplug, also going by PlugX, Thor, and the latest variant by Hodur is a remote access trojan (RAT) capable of granting remote access to infected machines and executing commands. Ultimately the functionality of the RAT is dependent on the requirements of the threat actor has changed from Korplug variant to variant.

When this publication last covered Conti, the ransomware used by a highly skilled gang infamous for targeting large corporations, it covered how the gang had brought some of TrickBot’s experienced malware developers into the fold to work on making BazarBackdoor more efficient at distributing the ransomware. At the time it was speculated this would propel Conti into the ransomware hall of fame. The recent upheaval Europe seems to have placed a dedicated number of security researchers against the ransomware gang.

In a joint alert issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) the private and public spheres have been warned about increased instances of threat actors targeting satellite communications (SATCOM) companies. Along with the warning the alert has listed several mitigations that can be applied to help protect both the SATCOM provider and their customers.

What was once called AbereBot, an Android banking trojan, has returned with a new version going by the name Escobar. The new variant is capable of stealing Google AUthenticator Multi-Factor Authentication (MFA) codes meaning the attacker could bypass this layer of security when looking to steal credentials that could aid in the committing of bank fraud.