Internet threat news

To say that the financially motivated, advanced persistent threat group FIN7 is notorious is an understatement. The Russian-speaking group of hackers has been active since 2013 and primarily focused on financial fraud and stealing credit card details. The group then moved to the ransomware game in a big way.

MuddyWater, also tracked as Earth Vetala, MERCURY, Static Kitten, and Seedworm, is an Iranian state-sponsored threat actor that has been active since 2017. In the past, we have seen the group extensively use zero-day exploits on several separate occasions.

The group has also proven highly capable of developing and deploying its custom malware strains to further its objectives and those of the Iranian state. The newly discovered BugSleep malware indicates this group's malware development capability.

On July 2, 2024, Ethereum disclosed that a threat actor compromised Ethereum's mailing list provider and sent to over 35,000 addresses a phishing email with a link to a malicious site running a crypto drainer.

A banking trojan first discovered in 2020 has made a comeback, according to threat intelligence firm Cleafy. Called Medusa, not to be confused by the ransomware gang or the botnet going by the same name, the malware targets Android devices and is offered as a Malware-as-a-Service to other threat actors for a fee.

In the most recent campaign discovered by security researchers, a new version of Medusa is being used to target Android users in France, Italy, the United States, Canada, Spain, the United Kingdom, and Turkey.

According to security researchers based at Trustwave, a sophisticated malware campaign has been detected. The attack campaign abuses the Windows search functionality embedded in HTML code to deploy malware.

Researchers found that the threat actors utilize a sophisticated understanding of system vulnerabilities and user behaviors to push malware onto unsuspecting victims who receive phishing emails as the first port of call.

England's NHS Blood and Transplant (NHSBT) has issued an urgent call to O Positive and O Negative blood donors to book appointments and donate.

This comes as major hospitals in the London area had to cancel operations and blood transfusions after a cyberattack on June 4, 2024. Hospitals were directly impacted when their pathology and diagnostic services provider, Synnovis, was hit by a ransomware attack.

The relatively new ransomware gang RansomHub has been quick to cause waves amongst ransomware researchers. With increased attention comes increased analysis by researchers, who have now discovered possible links to the somewhat out-of-action Knight ransomware.

In a recent press release by Europol, the details of the law enforcement agency's largest-ever operation against botnet infrastructure were released to the public.

The main goal of the operation was to target the infrastructure behind some of the Internet's most prolific dropper malware strains: IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and TrickBot. This publication has covered all of these strains and provided removal guides for those infected by these malware strains.

Security researchers at security firm Check Point Research have discovered a new version of the BiBi wiper malware that now includes destroying disk partition drives, making any recovery process far more complex.

Wiper malware is designed to cause permanent damage to both data and hardware, making continued use of a machine challenging to near impossible, depending on the extent of the damage.

These tools have been a favorite of Iranian state-sponsored groups looking to further the country's geopolitical aims. In recent years, their use has also increased in active war zones like Ukraine.

In a joint report published by the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), it was stated affiliates associated with the Black Basta have breached the networks of over 500 organizations worldwide.

The United Kingdom's National Crime Agency (NCA) announced it had unmasked one of the kingpins behind the LockBit ransomware operation. US, UK, and Australian authorities have sanctioned this.

Security researchers based at security firm Black Lotus Labs recently discovered a new type of malware infecting enterprise-grade and small office routers to monitor data that passes through them and steal authentication information.

To help facilitate this, the malware can perform DNS and HTTP hijacking within private IP spaces, interfering with internal communications, and possibly introducing more payloads.

According to a recent report by Avast, a new malware campaign was discovered by the security firm’s researchers hijacking an eScan antivirus update mechanism to distribute backdoors and cryptocurrency mining malware.

The malware is currently being tracked as GuptiMiner and has been seen dropping popular crypto-miner XMRig.

Banking trojan malware, namely malware designed to intercept a victim’s banking-related information, including login passwords, so that funds can be fraudulently stolen, is an ever-present danger for those using banking applications on mobile phones.

Reminding us of this danger is the recent discovery by security researchers at Kaspersky Labs, which discovered a new banking trojan called SoumniBot.