Internet threat news

Israeli-made spyware is again in the headlines. The last fallout resulted from the NSO group’s use of Pegasus which was used to track politicians, journalists, political dissidents, and political rivals, as long as the customer could pay for the service. As to the vetting of customers, it could be argued that little was done in this regard and the only requirement was whether the customer be they a dictator or unscrupulous politician could afford the spyware services offered by NSO. Now another Israeli firm has been caught using spyware to spy on journalists.

Crypto miners, namely malware that is designed to mine cryptocurrency using a victim's machine and resources without their knowledge, often fly under the radar in terms of press coverage. They lack the fear ransomware can induce when you and all your work colleagues are locked out of a network or machine and need to pay millions of dollars just to get access back.

The last time Racoon Stealer made headlines was when its developers announced that they were ceasing operations following the war in Ukraine, more on this below. The last time this publication covered the malware was when its developers added features to target cryptocurrency wallets. Now, Racoon Stealer has emerged again with a completely new version built from the ground up in written in C/C++. Racoon Stealer 2.0 has officially emerged from dark web forums to steal your passwords.

For some time now major tech companies have offered monetary rewards to those who find flaws that lead to zero-day vulnerabilities within the company's product code. Often referred to as bug bounties they can net the finder thousands of dollars, more if the vulnerability is determined to be severe or critical to future security. Now the developers of the LockBit ransomware have instituted a similar program for their latest ransomware iteration LockBit 3.0.

Researchers have discovered a new spam email campaign dropping the Matabuchus malware which then drops Cobalt Strike beacons. This is by far not the first time we have seen other malware strains dropping Cobalt Strike beacons, previously we have seen Emotet doing almost the same thing.

Ransomware gangs are now targeting unpatched Confluence servers. This active targeting is due to a recently disclosed vulnerability that allows the attacker to execute code remotely if properly exploited. Following several proof-of-concept exploits of the vulnerability that were leaked to the public threat actors have jumped at the chance to target unpatched servers.

Malware targeting the Linux operating system often goes under-reported as the perception still prevails that Linux is one of the smaller players in the Operating System (OS) landscape behind Microsoft’s Windows and Apple's macOS. Such perceptions tend to ignore the fact that Linux makes up large portions of the Internet, power web servers, and proves to be the most popular choice in that regard, and the Internet of Things.

Towards the end of 2019 ransomware gangs began to apply a new tactic to further place pressure on corporate victims to pay the ransom. The tactic became known as double extortion due to ransomware operators threatening, and in many cases releasing, sensitive data stolen before files across the IT infrastructure of the victim are encrypted.

Over the past week, Interpol has announced two successful operations which resulted in the arrest of several individuals believed to be behind a string of cyberattacks as well as operations to disrupt criminal operations. Both operations resulted in the arrest of Nigerian citizens believed to be behind malware-assisted financial attacks and Business Email Compromise (BEC) scams.

Online card skimming, which abuses the code that runs checkout features on eCommerce websites, has been a problem for years. Arguably, it has been overshadowed by ransomware’s meteoric rise to popularity amongst the financially motivated cybercriminal underground, card skimming has still posed a genuine financial threat to both clients and owners of eCommerce platforms. Now, Microsoft has released new research showing that card skimming has reached a new stealthier level in its evolution cycle.

Both the kinetic war and the cyberwar in Ukraine have dominated both the traditional media and the InfoSec media. Unfortunately, hackers whether financially motivated or state-sponsored have not stopped on account of the war, and for many, it's just business as usual like the rest of us not involved in the war. In the realm of cyber espionage this rings doubly true, even for nations who claim to be allies or share a special relationship like China and Russia purport to have.

The US Department of Justice announced via the US Attorney’s Office of the Eastern District of New York that Moises Luis Zagala Gonzalez (Zagala), a 55-year-old cardiologist with French and Venezuelan citizenship residing in Ciudad Bolivar, Venezuela, created and rented Jigsaw and Thanos ransomware to cybercriminals.

Often security researchers will state rather bluntly that a ransomware attack can be financially devastating for an organization. So much in fact that the organization may be forced to shut its doors for good. These extreme cases are often met with the standard response of “it will never happen to me or my business.” Lincoln College is yet another of these extreme cases turned into reality.

Back in October 2021, this publication covered how Sodinokibi operations were ceased following Russian law enforcement seizing the ransomware gangs infrastructure. Now following the Russian invasion of Ukraine, Russian and US officials are no longer collaborating on fighting cybercrime. This has now left the door open for Sodinokibi, also tracked as REvil, to make a comeback.