Internet threat news
Although classified as a new strain of ransomware, BlackMatter is strongly believed to be a rebranding of the DarkSide operation, infamous for the Colonial Pipeline incident that drew far too much attention to the gang. BlackMatter is more than a rebranding, however, and boasts some unique features, including the capability of targeting Linux machines. This reflects an ever-increasing trend among ransomware gangs, which see potential in targeting more than just Windows machines.
According to a recently published report by Recorded Future, researchers have analyzed both the Windows and Linux variants of the ransomware. The Windows variant appears to have been created by an experienced ransomware operator; the malware contains several obfuscation and anti-analysis techniques.
As info stealers go, Raccoon Stealer has to be one of the more prolific malware strains of its type in recent memory. This is due in part to the malware being offered as a service, similar to how ransomware-as-a-service and other malware-as-a-service business models have been adopted recently. This model relies on the malware's developer constantly updating the malware so that it remains an attractive option to other criminals and warrants the monthly subscription fee.
Raccoon Stealer's latest update lets the malware's customers hijack cryptocurrency transactions through the use of a clipper. Clippers work by monitoring the clipboard: when the victim copies a wallet address to paste into a transaction, the malware silently replaces it with a wallet address controlled by the attacker, so the funds are sent to the attacker instead of the intended recipient.
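The behaviour a clipper leaves behind is an address-to-address change of the clipboard within a fraction of a second, far faster than a person copies two different addresses. The following is an added example of detection logic for that pattern, written for this page and not Raccoon Stealer code or any vendor's tooling. The address patterns are deliberately loose, the clipboard event stream is constructed sample data, and the one-second window is an assumed threshold.

```python
"""Detect clipper-style clipboard substitution from a clipboard history.

Added example (not code from the page or from any malware family).
Assumptions: a clipboard monitor hands us (timestamp, text) pairs; an
address replaced by a different address of the same kind within
SWAP_WINDOW seconds is treated as a substitution.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Loose, illustrative patterns; a real tool would also verify checksums.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

SWAP_WINDOW = 1.0  # seconds; assumed threshold, tune for your environment


@dataclass(frozen=True)
class ClipEvent:
    t: float    # seconds since monitoring started
    text: str   # clipboard contents after the change


def address_kind(text: str) -> Optional[str]:
    """Return the address family the text looks like, or None."""
    stripped = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(stripped):
            return name
    return None


def find_substitutions(events: List[ClipEvent],
                       window: float = SWAP_WINDOW) -> List[Tuple[str, str]]:
    """Return (original, replacement) pairs for suspicious clipboard swaps.

    A swap is flagged when an address is replaced by a *different* address
    of the same kind within `window` seconds of the original copy.
    """
    hits = []
    prev: Optional[ClipEvent] = None
    for ev in sorted(events, key=lambda e: e.t):
        if prev is not None:
            old, new = prev.text.strip(), ev.text.strip()
            kind = address_kind(new)
            if (kind is not None and kind == address_kind(old)
                    and old != new and ev.t - prev.t <= window):
                hits.append((old, new))
        prev = ev
    return hits


# Constructed sample clipboard history: the user copies a Bitcoin address
# and 200 ms later the clipboard holds a different, equally valid-looking one.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "meeting notes"),
    ClipEvent(5.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    ClipEvent(5.2, "1Kz7PAr9hYSeTmVpRgfDt4EBxJ2Cn5QW3M"),   # swapped in
    ClipEvent(20.0, "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe"),
    ClipEvent(60.0, "0x1111111111111111111111111111111111111111"),  # legitimate, 40 s later
]

if __name__ == "__main__":
    for original, replacement in find_substitutions(SAMPLE_EVENTS):
        print(f"clipboard swap: {original} -> {replacement}")
```

The detector only needs the clipboard history, not the malware, which makes it suitable for an endpoint agent; the practical user-side defence remains the same regardless: compare the pasted address against the intended one, character by character, before sending.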
On July 9, 2021, the railway service used by Iranians for their daily transport needs suffered a cyber attack. New research published by SentinelOne reveals that the chaos caused during the attack was the result of a previously undiscovered wiper malware, called Meteor.
The attack resulted in the Transport Ministry's online services being shut down and, to the frustration of passengers, the cancellation and delay of scheduled trains. Further, the electronic tracking system used to determine the locations of trains in service also failed. The government's response to the attack was at odds with what the Iranian media was reporting.
According to a recently published report by the Sygnia Incident Response team, internet-facing Windows servers are being targeted by an advanced persistent threat group called Praying Mantis, or less glamorously TG1021. What makes their campaigns noteworthy is that they are conducted almost exclusively in memory.
These attacks, also referred to as fileless attacks, involve malware that runs from a machine's memory rather than being written to its storage. This makes them harder to detect, as no files are stored on the infected system, or at least none that are easily found; an infection may not survive a reboot, but the attackers can simply re-exploit the server to regain access.
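One way defenders hunt for memory-only implants is to enumerate a process's memory regions and flag executable memory that is not backed by an image file on disk. The following is an added example of that heuristic, written for this page; it is not Sygnia's tooling and not code from the report. The region records are constructed to resemble what a Windows memory scanner would enumerate for an IIS worker process, and the field names are assumptions.

```python
"""Flag executable memory regions with no backing image on disk.

Added example (not code from the page or from Sygnia). Region records are
constructed sample data shaped like the output of a Windows memory
enumeration (base, size, protection, region type, backing path).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

EXECUTABLE_PROTECTIONS = {
    "PAGE_EXECUTE",
    "PAGE_EXECUTE_READ",
    "PAGE_EXECUTE_READWRITE",
    "PAGE_EXECUTE_WRITECOPY",
}


@dataclass(frozen=True)
class Region:
    base: int
    size: int
    protect: str   # e.g. "PAGE_EXECUTE_READ"
    kind: str      # "MEM_IMAGE", "MEM_MAPPED" or "MEM_PRIVATE"
    path: str      # backing file for image/mapped regions, "" if none


def classify(region: Region) -> Optional[str]:
    """Return a reason string if the region looks like injected code, else None."""
    if region.protect not in EXECUTABLE_PROTECTIONS:
        return None                       # data only; not of interest here
    if region.kind == "MEM_IMAGE" and region.path:
        return None                       # code mapped from a PE on disk
    if region.protect == "PAGE_EXECUTE_READWRITE":
        return "RWX region with no backing image (typical of reflectively loaded code)"
    return "executable region with no backing image"


def suspicious_regions(regions: List[Region]) -> List[Tuple[Region, str]]:
    """Return every region classify() considers suspicious, with its reason."""
    findings = []
    for region in regions:
        reason = classify(region)
        if reason is not None:
            findings.append((region, reason))
    return findings


# Constructed sample: an IIS worker process with two normal DLL mappings,
# a heap, a mapped data file, and two executable regions backed by nothing.
SAMPLE_REGIONS = [
    Region(0x7FF800000000, 0x1F0000, "PAGE_EXECUTE_READ", "MEM_IMAGE",
           r"C:\Windows\System32\ntdll.dll"),
    Region(0x7FF7A0000000, 0x9A0000, "PAGE_EXECUTE_READ", "MEM_IMAGE",
           r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"),
    Region(0x000001D2C0000000, 0x100000, "PAGE_READWRITE", "MEM_PRIVATE", ""),
    Region(0x000001D2D0000000, 0x20000, "PAGE_READONLY", "MEM_MAPPED",
           r"C:\inetpub\wwwroot\web.config"),
    Region(0x000001D2E0000000, 0x3000, "PAGE_EXECUTE_READWRITE", "MEM_PRIVATE", ""),
    Region(0x000001D2F0000000, 0x8000, "PAGE_EXECUTE_READ", "MEM_PRIVATE", ""),
]

if __name__ == "__main__":
    for region, reason in suspicious_regions(SAMPLE_REGIONS):
        print(f"{region.base:#018x} {region.protect:<24} {reason}")
```

The heuristic is a starting point, not a verdict: .NET's JIT legitimately emits private executable regions inside w3wp.exe, so in practice the flagged regions are dumped and inspected (for PE headers, known shellcode stubs, or managed assemblies loaded from memory) rather than treated as conclusive on their own.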
Researchers at Bitdefender have discovered new password-stealing malware that targets Windows users. The malware is delivered via ads that appear in the user's search results. This is not the first time this distribution method has been seen this year: at the beginning of June, security firm Morphisec revealed that several info-stealing malware strains were being actively distributed via Google pay-per-click (PPC) ads.
The malware discovered by Bitdefender has been named MosaicLoader and is more than just an info stealer targeting users' passwords. It can also mine cryptocurrency and act as a dropper for other malware, particularly trojans. Given the distribution method, the threat actors are not targeting specific organizations or individuals.
Much of the world's attention regarding cybersecurity matters has been firmly fixed on the NSO saga resulting from the Pegasus Project. While spyware abused by governments has dominated headlines, the US Government and its allies placed responsibility for the Exchange Server hacks that occurred in March squarely at the feet of the Chinese Government.
Given the number of incidents and revelations that have happened in 2021 already, what happened in March already feels like eons ago, so a quick recap of events is probably necessary. On March 2, 2021, Microsoft warned that a Chinese state-sponsored hacking group, codenamed Hafnium, was using several zero-day vulnerabilities in Exchange Server, a popular enterprise email product, to compromise servers and plant web shells; other groups, including ransomware operators, quickly began exploiting the same flaws.
Following the Washington Post's exposé regarding the spyware created by the Israeli firm NSO, which has been used by the firm's clients in questionable ways, the political fallout is just beginning. Spyware can be defined as malware designed to track user activity on a device: not only who the user communicates with and which apps, including browsers, they use, but also their location. Full-featured spyware can also log communications and grant the attacker privileged access to the user's device and, by extension, the user's life.
The spyware created by NSO, named Pegasus, was first publicly documented in 2016 and has made headlines in the past due to its questionable use by the firm's clients, which include governments. The spyware is sold as a solution for tracking and monitoring terrorist activity, but as the Washington Post, its media partners, and the French investigative non-profit Forbidden Stories show, the spyware is used to track journalists, activists, and those deemed to pose a threat to authoritarian regimes.
On the evening of Tuesday, July 13, 2021, various news outlets began reporting that the websites and infrastructure used by the ransomware operators behind the Sodinokibi strain had been taken offline. This resulted in several theories being proposed as to why. Was it a result of legal action? Was it increased pressure from governments following both the JBS and Kaseya incidents?
The latter is estimated to have resulted in 1,500 small and medium enterprises becoming victims. Or has the gang decided to call it quits, restructure its infrastructure, or split because of internal differences and squabbles?
Half of 2021 has already blown past, and yet again ransomware has dominated infosec headlines. Petroleum distributor Colonial Pipeline, meat supplier JBS, and IT service provider Kaseya have all been in the headlines not for stellar business performance but because they were victims of crippling ransomware attacks. Ransomware is no longer a one-man-band operation; given the profits on offer, it has turned into a mutated software-as-a-service (SaaS) business model termed Ransomware-as-a-Service (RaaS).
A recent report by security firm KELA, titled "Ransomware Gangs are Starting to Look Like Ocean's 11" and written by Victoria Kivilevich, investigates the trends dominating this mutated business model. Over the years ransomware has moved away from a single operator who develops or buys the ransomware's source code, compromises a victim's machine or network, and then executes the malware; instead, specialists have assumed each of those specific roles.
Just as some were, rather hopefully, predicting that ransomware had peaked given the increased response by the US and other governments to both the Colonial Pipeline and JBS incidents, the ransomware operators behind Sodinokibi, who have also been blamed for the JBS incident, seem not to have received that memo and carried out possibly the largest ransomware incident to date.
It is believed that an affiliate of the Sodinokibi ransomware gang carried out an attack that possibly impacted thousands of organizations, according to the Associated Press. The affiliate is believed to have also been behind the recent JBS attack, in which a ransom of 11 million USD was paid.
The most recent attack is believed to have been conducted by first compromising a firm that remotely manages IT infrastructure for its clients, and then pushing the ransomware downstream to those clients. The attack has impacted organizations in at least 17 different countries.
The good work done by No More Ransom may be difficult to quantify, but it is safe to say that releasing free decryptors for victims of ransomware has likely saved millions of dollars' worth of damages and ransom payments that would otherwise have funded criminal activity.
No More Ransom is a partnership between public, private, and law enforcement organizations, of which this publication is a partner, to help educate the public and assist victims.
Recent high-profile attacks, including the Colonial Pipeline incident, and the subsequent responses by governments across the globe attest to how necessary that work is.
Given the threat posed by ransomware and cyber incidents in general, it is little wonder that cyber insurance offerings have been developed to try to mitigate the risk somewhat. This has led experts to ask whether such insurance packages are, to some extent, enabling ransomware attacks.
Cyber insurance, or cyber-liability insurance, is a type of insurance policy designed specifically to help mitigate the financial impact of cyber attacks. These policies are designed to protect organizations against the fallout of an attack; they do not prevent an attack.
For any scholar of cybersecurity trends, ransomware provides a unique study. The threat has seen several key evolutions since modern ransomware began appearing around 2010. The latest evolution, seen and documented by two separate security firms, involves ransomware operators using virtual machines (VMs) to hide their activity from security tools running on the host.
VMs are often used for the emulation or virtualization of traditional hardware. A virtual machine can be defined as,
“A Virtual Machine (VM) is a compute resource that uses software instead of a physical computer to run programs and deploy apps. One or more virtual “guest” machines run on a physical “host” machine. Each virtual machine runs its own operating system and functions separately from the other VMs, even when they are all running on the same host. This means that, for example, a virtual MacOS virtual machine can run on a physical PC.”
Hackers are increasingly looking to abuse developers and their tools to conduct attack campaigns. Recently this trend has involved uploading malicious packages to popular repositories. In April 2021, it was found that hackers had uploaded malicious code that installed the Mac Shlayer malware.
In the same month a new malware strain, named web-browserify, was distributed via the popular npm repository. Both instances targeted Node.js developers; now a malware strain has been seen targeting Python developers.