In today’s edition: SkidMap, NFT, Impersonation Scams, Yashma Variant, McAfee, New Zealand, OpenBullet, 8BASE, MindX, ThreatSec, Israel, ALPHV/BlackCat, ScarCruft, Russia, Spain National Police, White House, Cl0p Ransomware, Torrents, Keystrokes.
Trustwave security researcher Radoslaw Zdonczyk has detailed a new, more capable variant of SkidMap, a Linux malware that gains its initial foothold through exposed, vulnerable Redis services. The malware adapts to the host it lands on, picking components for the specific distribution and system configuration it finds, which makes it harder to detect and remove. With Alibaba Cloud Linux, CentOS, RedHat and other distributions on its target list, SkidMap runs a multi-step chain: payloads disguised as GIF image files, enabling SSH access to the host, establishing reverse shells, and deploying botnet components. The variant is a serious threat to Linux server fleets, and the practical defence starts where the chain does: keeping Redis off the internet, authenticated, and unable to write files where an attacker wants them.
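Two checks a defender would run against the SkidMap chain just described, as an added example written for this page rather than Trustwave's code: an audit of a redis.conf for the settings that let a remote, unauthenticated client talk to Redis and reconfigure where it writes (the classic way to drop an SSH key into authorized_keys), and a header check for payloads that carry a .gif name but are really an ELF binary or a script. The two sample configs and the byte strings are constructed; the finding codes and the function names are this example's own, and the directives checked (bind, protected-mode, requirepass, user, rename-command) are real redis.conf directives.

```python
# Constructed sample configs (not from any real host). WEAK_CONF mirrors the
# exposure an attacker needs: reachable from anywhere, no password, CONFIG SET
# available to change "dir"/"dbfilename" and SAVE a key file into ~/.ssh.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
dir /var/lib/redis
requirepass replace-with-a-long-random-secret   # placeholder, not a real secret
rename-command CONFIG ""
rename-command DEBUG ""
"""


def parse_redis_conf(text):
    """Minimal redis.conf parser: directive name -> list of argument strings."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, args = line.partition(" ")
        conf.setdefault(key.lower(), []).append(args.strip())
    return conf


def audit_redis_conf(text):
    """Return finding codes (names chosen for this example) for settings that
    leave Redis open to SkidMap-style abuse. An empty list means no finding."""
    conf = parse_redis_conf(text)
    findings = []
    # No bind line means "listen on every interface"; wildcards do the same.
    bind_args = " ".join(conf.get("bind", [])).split()
    if not bind_args or any(a in ("0.0.0.0", "*", "::", "-::*") for a in bind_args):
        findings.append("bind-all-interfaces")
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode-off")
    # requirepass (pre-6 style) or ACL "user" lines; the ACL rules themselves
    # are not evaluated here.
    if "requirepass" not in conf and "user" not in conf:
        findings.append("no-authentication")
    # CONFIG is what lets a client redirect the RDB dump; renaming it to ""
    # disables it. (ACLs with -@dangerous are the Redis 6+ alternative.)
    renamed = {a.split()[0].upper() for a in conf.get("rename-command", []) if a.split()}
    if "CONFIG" not in renamed:
        findings.append("config-command-reachable")
    return findings


GIF_MAGICS = (b"GIF87a", b"GIF89a")


def masquerading_as_gif(name, head):
    """True when a file named *.gif lacks a GIF header but starts like an
    executable (ELF magic or a #! interpreter line). `head` is the first bytes."""
    if not name.lower().endswith(".gif"):
        return False
    if head.startswith(GIF_MAGICS):
        return False
    return head.startswith(b"\x7fELF") or head.startswith(b"#!")


if __name__ == "__main__":
    print("weak:    ", audit_redis_conf(WEAK_CONF))
    print("hardened:", audit_redis_conf(HARDENED_CONF))
    print("bin.gif is ELF:", masquerading_as_gif("bin.gif", b"\x7fELF\x02\x01\x01"))
```

Run it against a copy of the live redis.conf (and any `CONFIG GET` output, since runtime changes never reach the file) and against whatever `.gif` files turn up in /tmp or a Redis user's home; a "GIF" that begins with `\x7fELF` or `#!` is the download stage, not an image.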
The FBI has cautioned individuals about the rise of cyber criminals who are assuming the identities of genuine NFT developers to orchestrate fraudulent schemes aimed at NFT community members. These scams involve the creation of counterfeit social media accounts or the hijacking of legitimate ones to promote fake NFT releases, often exploiting a sense of urgency or limited supply. Unsuspecting victims are then directed to phishing websites that trick them into connecting their cryptocurrency wallets, ultimately leading to the theft of digital assets and cryptocurrencies. The FBI advises users to diligently verify the legitimacy of NFT projects, cross-check social media accounts, and scrutinize websites before sharing wallet information.
Cisco Talos has identified a new ransomware strain, believed to be operated out of Vietnam, used in a spree of attacks on targets in China, Vietnam, Bulgaria and English-speaking countries. A variant of Yashma (itself a descendant of the Chaos builder), it departs from the usual pattern by fetching its ransom note from a threat actor-controlled GitHub repository rather than embedding it in the binary, which keeps the note out of reach of static detection. It also carries extensive anti-recovery features and a ransom note styled after WannaCry's, another sign of how quickly commodity ransomware keeps evolving.
Scammers are hitting New Zealand residents with a text message phishing scheme in which they pose as a family member whose phone has been damaged. The message asks the recipient to get in touch on a new mobile number; the conversation then turns to requests for bank and credit card details, supposedly to pay for a replacement phone. Receiving the message is harmless in itself, but replying is where the risk begins, so recipients should confirm with the family member through a number they already know and report suspicious texts to the authorities.
Discovered by McAfee’s Mobile Research Team, a sophisticated adware campaign aimed at Korean Android users has been exposed. This insidious trend involves certain apps from Google Play secretly loading ads even when the user’s device screen is off, violating Google Play Developer policies and defrauding advertisers. This campaign, encompassing 43 rogue apps with a combined download count of 2.5 million, employs technically advanced tactics to avoid detection and can remotely modify fraudulent behavior, posing a significant challenge in detection and mitigation. McAfee’s intervention prompted swift action from Google, resulting in app removals and updates to adhere to Google’s policies.
A novel malware campaign has surfaced, exploiting unsuspecting aspiring cyber criminals through the use of malicious OpenBullet configuration files, enabling the distribution of a potent remote access trojan (RAT) designed for data theft. Kasada’s analysis reveals that this campaign capitalizes on beginner hackers within trusted criminal networks, highlighting the alarming trend of advanced threat actors preying on less experienced individuals. By harnessing platforms like Telegram and GitHub repositories, the campaign orchestrates a sequence involving a Rust-based dropper called Ocean and a Python-based RAT named Patent, ultimately leading to unauthorized access and data exfiltration.
The 8BASE ransomware group claims to have breached Delaney Browne Recruitment, an England-based recruitment agency, and to have taken sensitive personal data. Recruitment firms hold detailed personal information on candidates, so a breach of this kind puts individuals' privacy at risk and gives attackers material for targeted scams and social engineering.
MindX Technology School (formerly Techkids) in Vietnam was allegedly targeted by the hacktivist group ThreatSec, which claims to have accessed a substantial amount of data, including personal information of students and other stakeholders. The incident is another reminder of how exposed educational institutions are to cyber attacks; in the United States, the same concern has prompted the Biden-Harris Administration to renew its push on cyber defences for schools.
A significant cyber attack on Mayanei Hayeshua Medical Center in Bnei Brak has disrupted the facility’s record-keeping systems, leading to the suspension of new patient admissions to outpatient clinics and imaging centers. While ongoing patient care remains unaffected, the hospital’s operations have been severely hampered due to the breach. Although the identity of the attackers has yet to be confirmed by the Israel National Cyber Directorate, previous incidents have highlighted the vulnerability of medical centers to cyber threats, urging institutions to strengthen their cyber defenses and adopt swift response protocols.
ALPHV/BlackCat ransomware group has reportedly targeted IBL Healthcare, a Pakistan-based organization, and claimed responsibility for the cyber attack. The attackers have asserted their involvement on their dark web portal, alleging that they possess a significant amount of data exfiltrated from the IBL Healthcare cyber attack. While IBL Healthcare has not yet confirmed the attack, the healthcare sector’s vulnerability to cyber threats is underscored by this incident, as healthcare organizations become increasingly targeted by hackers seeking valuable personal and financial information.
The North Korea-linked state-sponsored group ScarCruft (also known as APT37) has been identified as the intruder behind a breach of NPO Mashinostroyeniya, a prominent Russian designer of space rockets and intercontinental ballistic missiles. The attackers planted a Windows backdoor named 'OpenCarrot' inside the organisation's IT systems, giving them remote access to its network. The motive has not been confirmed, but ScarCruft is known for cyber espionage, so theft of sensitive engineering data is the likely aim.
Spanish police have arrested three people over a bank card fraud operation that targeted ATMs of national banks and netted nearly 196,000 euros. The suspects combined physical and online techniques, including skimmers and micro-cameras fitted to ATMs, phishing emails and fake online profiles, to harvest card data from unsuspecting users. The arrests were made in Valencia in an operation led by the police's internet crime and financial fraud units.
The White House is taking proactive measures to enhance cybersecurity defense for K-12 schools as students prepare to return to classrooms. Recognizing the surge in ransomware attacks on under-resourced educational institutions, particularly during the pandemic’s remote learning shift, the Biden administration aims to prevent disruptions in the upcoming academic year. Plans include establishing a government cybersecurity council led by the Department of Education, extensive training for K-12 entities, and the release of guidance documents promoting multifactor authentication, strong passwords, phishing recognition, and software updates. These initiatives are set to be highlighted in a cybersecurity summit hosted by key officials, emphasizing the administration’s commitment to safeguarding the education sector from cyber threats.
The Cl0p ransomware group has started offering data stolen in the MOVEit attacks through torrents, as revealed by security researcher Dominic Alvieri. Screenshots show instructions for using torrent clients alongside data from about 20 compromised organisations, including investment firm Putnam, Iron Bow Technologies and Delaware Life. The shift is most likely meant to get around the slow downloads of large dumps from the group's leak site, and it has a side effect defenders should note: once seeded, the data is spread across peers rather than held on a single server the group controls, so it is harder to take down. The move shows ransomware groups adapting their distribution to protect their reputation and their revenue.
Researchers Joshua Harrison, Ehsan Toreini and Maryam Mehrnezhad have demonstrated a "deep learning-based acoustic side-channel attack" that classifies laptop keystrokes from audio recorded on a nearby phone with 95% accuracy, and with 93% accuracy when trained on keystrokes captured through Zoom video conferencing software. In the experiments, recordings of an Apple MacBook Pro keyboard were segmented into individual keystrokes, each converted to a mel-spectrogram and fed to a deep learning model named CoAtNet for classification. Side-channel attacks exploit physical effects of data processing, here the sound of the keys rather than any software flaw, so they sidestep conventional patching and call for countermeasures that change the signal itself, such as altering typing style or masking keyboard sounds.
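The first two stages of the pipeline described above, as an added example written for this page and not the researchers' code: keystrokes are isolated from a recording by an energy threshold, and each isolated keystroke is turned into a log-mel spectrogram, the image-like input a classifier such as CoAtNet would consume. The classifier itself is not reproduced. The audio is constructed (silence with decaying noise bursts standing in for key clicks), and the 44.1 kHz rate, 10 ms energy frames, 40 ms keystroke window, 256-point DFT and 16 mel bands are this example's assumptions, not figures from the paper. Everything is pure Python so it runs without numpy or librosa.

```python
import math
import random

SAMPLE_RATE = 44100  # assumed recording rate in Hz


def synth_keystrokes(n_keys, spacing_s=0.5, sr=SAMPLE_RATE, burst_ms=40, seed=7):
    """Constructed audio: silence with n_keys short, decaying noise bursts (key clicks)."""
    rng = random.Random(seed)
    total = int(sr * spacing_s * (n_keys + 1))
    samples = [0.0] * total
    burst_len = int(sr * burst_ms / 1000)
    for k in range(n_keys):
        start = int(sr * spacing_s * (k + 1))
        for i in range(burst_len):
            samples[start + i] = math.exp(-5.0 * i / burst_len) * (2 * rng.random() - 1)
    return samples


def isolate_keystrokes(samples, sr=SAMPLE_RATE, frame_ms=10, threshold=0.05, min_gap_ms=100):
    """Energy-threshold segmentation: sample offsets at which a keystroke begins.
    min_gap keeps the tail of one click from being counted as a second one."""
    frame = int(sr * frame_ms / 1000)
    min_gap = int(sr * min_gap_ms / 1000)
    starts, last = [], -min_gap
    for off in range(0, len(samples) - frame + 1, frame):
        energy = sum(x * x for x in samples[off:off + frame]) / frame
        if energy > threshold and off - last >= min_gap:
            starts.append(off)
            last = off
    return starts


def hz_to_mel(f):
    return 2595.0 * math.log10(1.0 + f / 700.0)


def mel_to_hz(m):
    return 700.0 * (10.0 ** (m / 2595.0) - 1.0)


def dft_power(frame):
    """Power spectrum (bins 0..n/2) of a real frame; plain O(n^2) DFT."""
    n = len(frame)
    out = []
    for k in range(n // 2 + 1):
        re = sum(x * math.cos(2 * math.pi * k * i / n) for i, x in enumerate(frame))
        im = sum(x * math.sin(2 * math.pi * k * i / n) for i, x in enumerate(frame))
        out.append(re * re + im * im)
    return out


def mel_filterbank(n_mels, n_fft, sr):
    """Triangular filters equally spaced on the mel scale between 0 Hz and sr/2."""
    lo_mel, hi_mel = hz_to_mel(0.0), hz_to_mel(sr / 2.0)
    edges = [mel_to_hz(lo_mel + i * (hi_mel - lo_mel) / (n_mels + 1)) for i in range(n_mels + 2)]
    bins = [int(math.floor((n_fft + 1) * f / sr)) for f in edges]
    n_bins = n_fft // 2 + 1
    filters = []
    for m in range(1, n_mels + 1):
        lo, c, hi = bins[m - 1], bins[m], bins[m + 1]
        f = [0.0] * n_bins
        for k in range(lo, c):
            f[k] = (k - lo) / (c - lo)
        for k in range(c, hi):
            f[k] = (hi - k) / (hi - c)
        filters.append(f)
    return filters


def mel_spectrogram(samples, start, sr=SAMPLE_RATE, length_ms=40, n_fft=256, hop=128, n_mels=16):
    """Log-mel spectrogram (list of frames, each n_mels values) of one isolated keystroke."""
    seg = samples[start:start + int(sr * length_ms / 1000)]
    filters = mel_filterbank(n_mels, n_fft, sr)
    window = [0.5 - 0.5 * math.cos(2 * math.pi * i / (n_fft - 1)) for i in range(n_fft)]  # Hann
    frames = []
    for off in range(0, len(seg) - n_fft + 1, hop):
        power = dft_power([w * x for w, x in zip(window, seg[off:off + n_fft])])
        frames.append([math.log(sum(f * p for f, p in zip(filt, power)) + 1e-10) for filt in filters])
    return frames


if __name__ == "__main__":
    audio = synth_keystrokes(3)
    for s in isolate_keystrokes(audio):
        spec = mel_spectrogram(audio, s)
        print(f"keystroke at {s / SAMPLE_RATE:.3f}s -> {len(spec)}x{len(spec[0])} log-mel frames")
```

The energy threshold and gap are what make the isolation step fragile in practice: background noise raises the floor, and fast typing shrinks the gap, which is why the attack works best on clean recordings of deliberate typing. The spectrogram step is where the key identity lives; the per-key differences in resonance show up as different band intensities across the 16 mel channels, and the classifier learns those.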