Internet threat news

FIN8 seen using new Backdoor called Sardonic

FIN8 is a purely financially motivated cybercrime organization and since 2016, the group has successfully operated by targeting retail, restaurant, hospitality, healthcare, and entertainment industries. This is done to primarily steal payment information from Point of Sale (POS) devices those industries typically rely on to process payments from customers. These tactics were used towards the end of 2019 when Visa warned that the group was compromising POS devices used by fuel stations in North America. FIN8 attack campaigns are conducted sporadically but never fail to make an impact leaving victims questioning how best to shore up their defenses.

   
LockBit 2.0 has Chile in its Sights

The LockBit ransomware gang has been operational since 2019. In June 2021, the gang deployed a newer version of the ransomware, dubbed LockBit 2.0 by its developers, was seen by researchers making a stir on underground forums. Now, a report published by Trend Micro details how the new version has been deployed in recent campaigns starting in July of this year.

The campaigns targeted organizations in Chile, Italy, Taiwan, and the U.K making use of the newer version.

   
Conti Ransomware’s Secret Backdoor Discovered

Getting to peek behind the curtains of a ransomware operation is rare. Figuring out the inner workings of modern ransomware-as-a-service operations is an investigation that can take hours upon hours to glean the smallest bits of information. Sometimes discoveries are made that pull the curtain back a little further. Recent blog posts by Vitali Kremez’s Advanced Intelligence have helped expose large sections of the Conti gang’s operations and tactics.

One such blog post revealed how affiliates gain persistence on a victim’s network and avoid detection by security applications.

   
Attackers use Morse Code to Supplement Phishing Campaign

Microsoft’s ever-popular Office 365 has been a favored target for many hackers. This is partly due to the popular application enjoying widespread adoption in both the corporate and government spheres as employees use many of the bundled applications for daily work life and the ability to easily share documents. In the past, we have seen both ransomware campaigns and phishing actively target users of the product. Microsoft’s 365 Defender Threat Intelligence Team now warns of another phishing campaign using a novel, if somewhat dated, encryption method.

According to the article published by the security team, the attackers are leveraging morse code along with several other encryption techniques to obfuscate code and evade detection while the attackers harvest credentials.

   
Biggest Defi Theft results in 600 million USD going up in Smoke

Bloomberg reports that hackers have just successfully stolen roughly 600 million USD from a decentralized finance platform. The theft occurred on the Poly Network which allows users to swap tokens across several blockchains. Tens of thousands of users are believed to be impacted by the theft with a vulnerability within Poly Network being exploited by hackers.

The Poly Network team took to Twitter to address those responsible for the hack and open a line of communication in the hopes that funds can be retrieved. For those who are victims of the theft, there is a strong possibility that the funds cannot be recovered, and they will be significantly out of pocket even if some arrangement can be made with the Poly Network’s team.

   
BlackMatter Ransomware now has a Linux Version

While classified as a new strain of ransomware BlackMatter is strongly believed to be a rebranding of the DarkSide ransomware operation infamous for the Colonial Pipeline Incident that drew far too much attention to the gang. BlackMatter is more than a rebranding and does boast some unique features, including the capability of targeting Linux machines. This appears to be an ever-increasing trend amongst other ransomware gangs seeing the potential is not just targeting Windows machines.

According to a recently published report by Recorded Future, researchers have analyzed both Windows and Linux variants of the ransomware. The Windows variant appears to have been created by an experienced ransomware operator, the malware has several obfuscation and anti-analysis techniques within the code.

   
Racoon Stealer now going after your Crypto

As info stealers go Racoon Stealer has to be one of the more prolific malware strains of its type in recent memory. This is due in part to the malware being offered as a service, similar to how ransomware-as-a-service or other malware-as-a-service business models have been adopted recently. This model relies on the malware’s developer constantly updating the malware to make it an attractive option to other hackers and so that it warrants the monthly subscription fee.

Racoon Stealer’s latest update enables the malware customers to steal crypto transactions through the use of a clipper. These malware strains operate by replacing the wallet addresses used in a transaction with a wallet address used by the attacker.

   
New Wiper Malware Responsible for Attack on Iranian Railways

On July 9, 2021, the railway service used by Iranians for their daily transport needs suffered a cyber attack. New research published by Sentinel One reveals that the chaos caused during the attack was a result of a previously undiscovered form of wiper malware, called Meteor.

The attack resulted in both the Transport Ministry’s online services offered been shut down and to the frustration of passenger’s cancellations and delays of scheduled trains. Further, the electronic tracking system used to determine the locations of trains in service also failed. The government's response to the attack was at odds with what the Iranian media was saying.

   
Praying Mantis APT Targeting Windows Servers

According to a recently published report by the Sygnia Incident Response team, internet-facing Windows servers are being targeted by an advanced persistent threat group called Praying Mantis, or less glamorously TG1021. What makes their attack campaigns noteworthy is that they are almost exclusively conducted in memory.

These attacks, also referred to as Fileless attacks are pieces of malware that rather than been stored on a machine's storage are run from a machine's memory. This makes them harder to detect as no files are stored on the infected system or at least none that are easily detectable.

   
MosaicLoader Distributed via Ads in Search Results

Researchers at Bitdefender have discovered a new password-stealing malware that targets Windows users. The malware is delivered via ads that appear in the user's search results. This is not the first time we have seen this distribution method being used this year. At the beginning of June security firm, Morphisec revealed that several info-stealing malware strains were actively being distributed via Google pay per click (PPC) ads.

The malware discovered by Bitdefender has been named MosaicLoader and is more than just an info stealer targeting users’ passwords. The malware can also mine cryptocurrency and act as a dropper for other strains of malware in particular trojans. Based on the distribution method the threat actors are not targeting specific organizations or individuals.

   
US and Allies Insist the Chinese State Responsible for Exchange Server Attacks

Much of the world's attention regarding cybersecurity matters has been firmly affixed to the NSO saga resulting from the Pegasus Project. While Spyware has been abused by governments dominated headlines, the US Government and its allies placed responsibility for the Exchange Server hacks that occurred in March squarely at the feet of the Chinese Government.

Given the number of incidents and revelations that have happened in 2021 already, what happened in March already feels like eons ago, so a quick recap of events is probably necessary. On March 2, 2021, Microsoft warned of a Chinese state-sponsored hacking group, codenamed Hafnium, was using several zero-day vulnerabilities discovered in Exchange Server, a popular enterprise product to better facilitate email communications, to distribute malware including ransomware.

   
The Pegasus Project and the Political Fallout

Following the Washington Post’s expose regarding the spyware created by an Israeli firm, NSO, which had been used by the firm's clients in a questionable way, the political fallout is just beginning. Spyware can be defined as malware designed to track user activity on a device, not only can activity as in who the user communicates with or engages with the apps including browsers on the device but also location. Full-featured spyware can also log communications and grant the attacker privileged access to the user’s device and by extension the user’s life.

The spyware created by NSO, named Pegasus, has been active since 2016 and has made headlines in the past due to its questionable use by the firm's clients which include governments. The spyware is sold as a solution for tracking and monitoring terrorist activity but as the Washington Post, their media partners, and French investigative non-profit Forbidden Secrets show the spyware is used to track journalists, activists, and those deemed to pose a threat to authoritative regimes.

   
Sodinokibi Websites and Infrastructure are Mysteriously Offline

On the evening of Monday, July 13, 2021, various news outlets began reporting that websites and infrastructure were used by ransomware operators behind the Sodinokibi strain had been taken offline. This resulted in several theories being proposed as to why. Was it a result of legal action? Was it increased pressure by governments following both the JBS and Kaseya incidents?

The latter has been estimated to have resulted in an estimated 1,500 small to medium enterprises becoming victims. Or has the gang decided to call it quits, restructure its infrastructure, or has the gang split based on internal differences and squabbles?

   
Current Ransomware-as-a-Service Trends

Half of 2021 has already blown past and yet again ransomware has dominated infosec headlines. Petroleum distributor Colonial Pipeline, meat supplier JBS, and IT service provider Kaseya have all been in headlines not for stellar business performance but because they have been victims of crippling ransomware attacks. No longer is ransomware a one-man-band operation but given the profitability seen they have turned into a mutated software-as-a-service (SaaS) business model termed Ransomware-as-a-Service (RaaS).

In a recent report by security Kela titled “Ransomware Gangs are Starting to Look Like Ocean’s 11” written by Victoria Kivilevich the trends dominating this mutated business model are investigated. As ransomware moved away from one operator developing or buying, the ransomware’s source code, compromising a victim’s machine or network, then executing the malware over the years specialists have assumed those specific roles.

   

Page 2 of 43

<< Start < Prev 1 2 3 4 5 6 7 8 9 10 Next > End >>
About PCrisk

PCrisk logo

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal