What's new around the internet


Src | Date (GMT) | Title | Description | Tags | Stories | Notes
SecurityAffairs | 2021-07-19 11:11:49 | Pegasus Project – how governments use Pegasus spyware against journalists | Pegasus Project investigation into the leak of 50,000 phone numbers of potential surveillance targets revealed the abuse of NSO Group's spyware. Pegasus Project is the name of a large-scale investigation into the leak of 50,000 phone numbers of potential surveillance targets that revealed the abuse of NSO Group's spyware. Pegasus is a surveillance malware developed by […] | Malware
Fortinet | 2021-07-19 00:00:00 | Fresh Malware Hunts for Crypto Wallet and Credentials | The FortiGuard Labs team recently discovered a new phishing campaign with a fresh malware delivered by a Word document which is designed to steal crypto wallet information and credentials from victims' infected devices. Learn more in our analysis. | Malware
Kaspersky | 2021-07-16 15:55:57 | Windows 0-Days Used Against Dissidents in Israeli Broker's Spyware | Candiru, aka Sourgum, allegedly sells the DevilsTongue surveillance malware to governments around the world. | Malware
SecurityWeek | 2021-07-16 15:53:16 | Google: New Chrome Zero-Day Being Exploited | For the seventh time this year, Google is dealing with zero-day attacks targeting users of its flagship Chrome web browser. The search advertising giant released a Chrome security refresh overnight with a warning that malicious hackers are actively exploiting a critical type confusion vulnerability to launch malware attacks. | Malware Vulnerability
cyberark | 2021-07-16 13:00:24 | 4 Risk-Based Steps for Securing Developers and Code | As software supply chain attacks surge in frequency and scale, it's become apparent that cyber criminals are looking for stealthy ways to make malicious changes or inject malware into software - before it's deployed -... | Malware
ZDNet | 2021-07-16 11:01:02 | Toddler mobile banking malware surges across Europe | The Android malware is a new and persistent threat to European citizens and banks alike. | Malware Threat
SecurityAffairs | 2021-07-16 09:21:08 | New enhanced Joker Malware samples appear in the threat landscape | The Joker malware is back; experts spotted multiple malicious apps on the official Google Play store that were able to evade scanners. Experts reported an uptick in malicious Android apps on the official Google Play store laced with the Joker mobile trojan. The Joker malware is a malicious code camouflaged as a system app and […] | Malware Threat
SecurityAffairs | 2021-07-15 17:07:34 | HelloKitty ransomware now targets VMware ESXi servers | The HelloKitty ransomware gang is using a Linux variant of their malware to target the VMware ESXi virtual machine platform. A Linux variant of the HelloKitty ransomware was employed in attacks against VMware ESXi systems. The move of the ransomware gang aims at expanding the operations targeting enterprises that are largely adopting virtualizing platforms. Targeting VMware ESXi […] | Ransomware Malware
SecurityAffairs | 2021-07-15 05:50:17 | macOS: Bashed Apples of Shlayer and Bundlore | The Uptycs threat research team analyzed the macOS malware threat landscape and discovered that Shlayer and Bundlore are the most predominant malware. The Uptycs threat research team has been observing over 90% of macOS malware in our daily analysis and customer telemetry alerts using shell scripts. Though these scripts have slight variations, they mostly belong to a […] | Malware Threat
Kaspersky | 2021-07-14 16:18:35 | Trickbot Malware Rebounds with Virtual-Desktop Espionage Module | The attackers have spruced up the 'vncDll' module used for spying on targets and stealing data. | Malware
bleepingcomputer | 2021-07-14 15:29:17 | BazarBackdoor sneaks in through nested RAR and ZIP archives | Security researchers caught a new phishing campaign that tried to deliver the BazarBackdoor malware by using the multi-compression technique and masking it as an image file. [...] | Malware
Kaspersky | 2021-07-14 12:23:56 | Updated Joker Malware Floods into Android Apps | The Joker premium billing-fraud malware is back on Google Play in a fresh onslaught, with an updated bag of tricks to evade scanners. | Malware
mcafee | 2021-07-14 04:01:11 | Small businesses save up to 60% in McAfee and Visa partnership | McAfee Security: Small business owners are getting a special deal on their online protection through a partnership between McAfee and Visa. With new ways of working creating online opportunities and risks for small business owners, McAfee and Visa have come together to offer comprehensive protection for a changed business landscape. Designed to help you minimize costs and unexpected interruptions to your business, McAfee® Security for Visa cardholders provides award-winning antivirus, ransomware, and malware […] | Malware
bleepingcomputer | 2021-07-14 03:32:00 | Trickbot updates its VNC module for high-value targets | The Trickbot botnet malware, which often distributes various ransomware strains, continues to be the most prevalent threat as its developers update the VNC module used for remote control over infected systems. [...] | Ransomware Malware Threat
Anomali | 2021-07-13 15:00:00 | Anomali Cyber Watch: Global Phishing Campaign, Magecart Data Theft, New APT Group, and More | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data Theft, Malicious Apps, Middle East, Phishing, Targeted Campaigns, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence. Global Phishing Campaign Targets Energy Sector and Its Suppliers (published: July 8, 2021): Researchers at Intezer have identified a year-long global phishing campaign targeting the energy, oil and gas, and electronics industry. The threat actors use spoofed or typosquatting emails to deliver an IMG, ISO or CAB file containing an infostealer, typically FormBook and Agent Tesla. The emails are made to look as if they are coming from another company in the same sector, with the IMG/ISO/CAB file attached, which when opened contains a malicious executable. Once executed, the malware is loaded into memory, helping to evade detection from anti-virus. The campaign appears to be targeting Germany, South Korea, the United States, and the United Arab Emirates (UAE). Analyst Comment: All employees should be educated on the risks of phishing, specifically how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments in favor of a cloud file hosting service. MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Process Injection - T1055. Tags: FormBook, AgentTesla, Phishing, Europe, Middle East. SideCopy Cybercriminals Use New Custom Trojans in Attacks Against India's Military (published: July 7, 2021): SideCopy, an advanced persistent threat (APT) group, has expanded its activities and new trojans are being used in campaigns across India, according to Talos Intelligence. This APT group has been active since at least 2019 and appears to focus on targets of value in cyberespionage. SideCopy has also taken cues from Transparent Tribe (also known as PROJECTM, APT36) in how it uses tools and techniques against the targets. These targets include multiple units of the Indian military and government officials. Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts. MITRE ATT&CK: [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Third-party Software - T1072 | Malware Threat | APT 36
AlienVault | 2021-07-13 10:00:00 | Best practices for a secure ecommerce website | This blog was written by an independent guest blogger. Ecommerce is a popular business model. Many people are getting into this business and looking for ways to secure early retirement from typical 9 to 5 jobs. With the right ideas and execution, there is a good chance that this will happen, but making it in eCommerce isn't as easy as it was in the past. Yes, there are more options than ever in terms of delivery, logistics, storage, and creating an online store. However, there is a lot more competition, and everyone is looking for new ways to enhance their services and bring in more customers. Online businesses are also dealing with increased cybersecurity threats. In fact, it's been argued that 29% of traffic on ecommerce sites comes from people with malicious intentions. It's an issue you must tackle if you want to achieve your business goals. Luckily, there are a lot of ways you can boost your security. Find a reliable ecommerce platform: When starting an ecommerce site, the first thing you notice is that there are many ecommerce platforms available. However, many people don't even consider security when choosing their platform or hosting provider. Both the platform and the host you choose have a significant impact on your site's security. They use a variety of security measures and features that make your store safer. In general, they should at least offer protection from SQL injections and malware since they are common attacks. Take the time to look at what different platforms and hosts have to offer. Choose HTTPS and SSL: HTTPS is short for "Hypertext Transfer Protocol Secure", and this protocol is designed for establishing secure communications online. HTTPS sites are considered secure and unique because they have certification. In other words, a site that has the "green lock" is authentic, and it isn't a fake page. For HTTPS to be enabled, a site needs an SSL certificate, or Secure Socket Layer. This system helps protect the data going between a buyer and your ecommerce store. Apart from improving security, SSL also brings in more customers as many people avoid stores without it. Do regular backups: Accidents and attacks are sometimes unavoidable, but backups help you get your site back online quickly. Whether an update has created an issue with your site or someone has used malicious software, you can't let your store stay offline. Even the best cybersecurity experts can't guarantee that your website will be 100% secure. That's why regular backups are necessary: backing up your site means downloading your whole site and creating a duplicate. If something happens, you can upload this duplicate and get your site back online. Ideally, your hosting provider should offer daily backups as well. Get PCI compliant: Lots of people are reluctant to give their bank or credit card details online. They have the right to be sceptical because there have been many cases of this information falling into the wrong hands. That's why ecommerce websites should attain PCI compliance. | Malware Vulnerability
bleepingcomputer | 2021-07-13 03:29:00 | New BIOPASS malware live streams victim's computer screen | Hackers compromised gambling sites to deliver a new remote access trojan (RAT) called BIOPASS that enables watching the victim's computer screen in real time by abusing popular live-streaming software. [...] | Malware
The_Hackers_News | 2021-07-13 00:06:59 | Trickbot Malware Returns with a new VNC Module to Spy on its Victims | Cybersecurity researchers have opened the lid on the continued resurgence of the insidious TrickBot malware, making it clear that the Russia-based transnational cybercrime group is working behind the scenes to revamp its attack infrastructure in response to recent counter efforts from law enforcement. "The new capabilities discovered are used to monitor and gather intelligence on victims, using | Malware
The_Hackers_News | 2021-07-12 21:52:02 | Critical RCE Flaw in ForgeRock Access Manager Under Active Attack | Cybersecurity agencies in Australia and the U.S. are warning of an actively exploited vulnerability impacting ForgeRock's OpenAM access management solution that could be leveraged to execute arbitrary code on an affected system remotely. "The [Australian Cyber Security Centre] has observed actors exploiting this vulnerability to compromise multiple hosts and deploy additional malware and tools," | Malware Vulnerability | | ★★★
Kaspersky | 2021-07-12 20:30:15 | BIOPASS RAT Uses Live Streaming to Steal Victims' Data | The malware has targeted Chinese gambling sites with fake app installers. | Malware
SecurityAffairs | 2021-07-12 14:15:12 | BIOPASS malware abuses OBS Studio to spy on victims | Researchers spotted a new malware, dubbed BIOPASS, that sniffs the victim's screen by abusing the framework of Open Broadcaster Software (OBS) Studio. Researchers from Trend Micro spotted a new malware, dubbed BIOPASS, that sniffs the victim's screen by abusing the framework of Open Broadcaster Software (OBS) Studio. Threat actors behind the new malware planted a malicious JavaScript code on support […] | Malware Threat
securityintelligence | 2021-07-12 14:00:00 | RoboSki and Global Recovery: Automation to Combat Evolving Obfuscation | In a recent collaboration to investigate a rise in malware infections featuring a commercial remote access trojan (RAT), IBM Security X-Force and Cipher Tech Solutions (CT), a defense and intelligence security firm, investigated malicious activity that spiked in the first quarter of 2021. With over 1,300 malware samples collected, the teams analyzed the delivery of […] | Malware
AlienVault | 2021-07-12 10:00:00 | Back to the office… | As the world is starting to move out of lockdown, businesses are moving some of their workforce back into the office environment. Whilst their focus may be on the logistics of this and making the office environment 'Covid-Safe' for their employees, they also need to be cognisant of the potential security challenges facing them. Some areas that businesses should start to focus on are: currency of critical security patches; any relaxation of endpoint administrative rights; identification of unauthorised network scans. The problem: During the pandemic, most corporate assets (laptops) have in effect been residing on home office networks, those being home or public Wi-Fi, with only their EDR solution and VPN protecting them from attack. For the last 18 months or so, these assets have been sharing their local network with potentially un-patched devices, being operated by individuals who may have been more concerned with the latency of MineCraft and downloading the latest gaming 'feature packs' from non-salubrious websites, than good cybersecurity hygiene. Combine this with the necessity of some IT Depts having had to relax their Corporate Policy on Remote Patching (due to bandwidth limitations of VPN) and Administration Rights on local assets (in order to install 'that home printer driver'), and, if not revisited and reverted, this can leave a significant exposure. Early stakeholder buy-in: This is essential, as without stakeholder support, any efforts to address these challenges will stall very quickly. The pandemic has put constraints on operating budgets for many businesses, so it is essential to be able to articulate these security challenges, and ways in which to mitigate them, clearly to stakeholders. Without this insight, it will be an uphill struggle to focus on these additional security requirements and obtain the budget to support them. Hopefully this article will provide the narrative to assist with that dialogue and highlight some of the concerns that pose a real threat to businesses. The human element: Moving away from technology for a moment, an area that is often overlooked by businesses is how the employee has been managing their security hygiene in the absence of localised IT support. In effect, they could have been making security decisions for over a year as a remote workforce. They have lacked the ability to discuss potential 'odd behaviour on endpoints' with peers. That 'security pop-up' message that they just clicked 'yes' to, or the attachment they opened that appeared to 'do nothing', all of which can be the precursor activity of an attack. Threat actors have taken full advantage of this exposure, and there has been a marked increase in attacks focussed on Business Email Compromise (BEC) and phishing scams, to name a few. A recent report by Gartner talks about how these threat actors have taken advantage of the changing working environments, both during and post pandemic, targeting the remote workforce with email and SMS campaigns purporting to be from their local IT Support. Any breach in endpoint security of your remote workforce may be amplified exponentially once they return to the office and the threat actors are then able to get a foothold on the corporate network and start profiling internal architecture, in advance of, for example, ransomware deployment. Businesses can start to address these risks as part of their return to office planning by taking a number of tactical steps. Controlled introduction: Just like the way a business would rollout a new technology, it is always advisable to address any outstand | Ransomware Malware Vulnerability Threat Patching Guideline
SecurityAffairs | 2021-07-12 07:15:03 | Magecart hackers hide stolen credit card data into images and bogus CSS files | Magecart hackers continuously improve their exfiltration techniques to evade detection; they are hiding stolen credit card data into images. Magecart hackers have devised a new technique to obfuscate the malware within comment blocks and hide stolen credit card data into images, evading detection. Hacker groups under the Magecart umbrella continue to target e-stores to steal payment card data with […] | Malware
The_Hackers_News | 2021-07-12 04:04:33 | Hackers Spread BIOPASS Malware via Chinese Online Gambling Sites | Cybersecurity researchers are warning about a new malware that's striking online gambling companies in China via a watering hole attack to deploy either Cobalt Strike beacons or a previously undocumented Python-based backdoor called BIOPASS RAT that takes advantage of Open Broadcaster Software (OBS) Studio's live-streaming app to capture the screen of its victims to attackers. The attack | Malware
SecurityAffairs | 2021-07-10 05:09:35 | Kaseya warns customers of ongoing malspam campaign posing as security updates | Threat actors are conducting a spam campaign aimed at infecting Kaseya customers, posing as legitimate VSA security updates. Kaseya is warning customers of threat actors attempting to exploit the recent massive supply chain ransomware attack suffered by the company. The software provider is warning of an ongoing malspam campaign aimed at delivering malware into their […] | Ransomware Spam Malware Threat
Kaspersky | 2021-07-09 17:42:45 | Microsoft Office Users Warned on New Malware-Protection Bypass | Word and Excel documents are enlisted to disable Office macro warnings, so the Zloader banking malware can be downloaded onto systems without security tools flagging it. | Malware
SecurityWeek | 2021-07-09 14:58:51 | ZLoader Adopts New Macro-Related Delivery Technique in Recent Attacks | The ZLoader malware family has switched to a new delivery mechanism in recent spam campaigns, fetching malicious code only after the initial attachment has been opened, McAfee reports. | Spam Malware
01net | 2021-07-09 10:46:00 | The ransomware that hit nearly 1,500 companies was programmed to spare Russian computers | The computer code behind the cyberattack was reportedly written so that the malware avoids systems using the Russian language. | Malware
ZDNet | 2021-07-09 10:15:13 | Scam artists exploit Kaseya security woes to deploy malware | The company is being impersonated in the fallout of a recent ransomware attack. | Ransomware Malware
SecureMac | 2021-07-09 09:48:25 | WildPressure Mac malware discovered by security researchers | WildPressure Mac malware variant found by security researchers. In this article: What it is | How it works | Who's behind it | Staying Safe | Malware
The_Hackers_News | 2021-07-09 07:23:44 | Magecart Hackers Hide Stolen Credit Card Data Into Images for Evasive Exfiltration | Cybercrime actors part of the Magecart group have latched on to a new technique of obfuscating the malware code within comment blocks and encoding stolen credit card data into images and other files hosted on the server, once again demonstrating how the attackers are continuously improving their infection chains to escape detection. "One tactic that some Magecart actors employ is the dumping of | Malware
SANS | 2021-07-09 01:44:31 | Hancitor tries XLL as initial malware file, (Fri, Jul 9th) | Introduction | Malware
The_Hackers_News | 2021-07-08 22:39:48 | Hackers Use New Trick to Disable Macro Security Warnings in Malicious Office Files | While it's a norm for phishing campaigns that distribute weaponized Microsoft Office documents to prompt victims to enable macros in order to trigger the infection chain in the background, new findings indicate that macro security warnings can be disabled entirely without requiring any user interaction. In yet another instance of malware authors continuing to evolve their techniques to evade | Malware
mcafee | 2021-07-08 21:44:57 | Zloader With a New Infection Technique | This blog was written by Kiran Raj & Kishan N. Introduction: In the last few years, Microsoft Office macro malware using social engineering as a means for malware infection has been a dominant part of the threat landscape. Malware authors continue to evolve their techniques to evade detection. These techniques involve utilizing macro obfuscation, DDE, […] | Malware Threat
InfoSecurityMag | 2021-07-08 19:25:00 | Marvel Movie Malware Detected | Black Widow malware masquerades as new movie to steal money and credentials. | Malware | | ★★★★
Chercheur | 2021-07-08 15:06:31 | Details of the REvil Ransomware Attack | ArsTechnica has a good story on the REvil ransomware attack of last weekend, with technical details: This weekend's attack was carried out with almost surgical precision. According to Cybereason, the REvil affiliates first gained access to targeted environments and then used the zero-day in the Kaseya Agent Monitor to gain administrative control over the target's network. After writing a base-64-encoded payload to a file named agent.crt, the dropper executed it. […] The ransomware dropper Agent.exe is signed with a Windows-trusted certificate that uses the registrant name "PB03 TRANSPORT LTD." By digitally signing their malware, attackers are able to suppress many security warnings that would otherwise appear when it's being installed. Cybereason said that the certificate appears to have been used exclusively by REvil malware that was deployed during this attack... | Ransomware Malware
TechRepublic | 2021-07-08 15:05:25 | "Black Widow" digital premiere a cover for malware and scams, says Kaspersky | Phishing, malicious files and other forms of fraud have followed the highly awaited movie since it was first delayed due to COVID-19. On the eve of its actual release, the scams have begun anew. | Malware
SecurityWeek | 2021-07-08 14:20:43 | Use of Common Malware in Operation Targeting Energy Sector Makes Attribution Difficult | Researchers at cybersecurity firm Intezer have been monitoring a campaign that appears to be mainly aimed at the energy sector, but attribution to a known threat group is made difficult by the fact that the operation involves several common malware families. | Malware Threat
SecurityWeek | 2021-07-08 13:01:17 | Mac Malware Used in Attacks Targeting Industrial Organizations in Middle East | A malicious campaign focused on the industrial sector in the Middle East has been expanded to also target Mac computers, security researchers at Kaspersky have discovered. | Malware
SecurityWeek | 2021-07-08 11:24:50 | Emails Offering Kaseya Patches Deliver Malware | IT management software maker Kaseya is still working on patching the vulnerabilities exploited in the recent ransomware attack, but some cybercriminals are sending out emails offering the patches in an effort to distribute their malware. | Ransomware Malware Patching
The_Hackers_News | 2021-07-08 02:58:54 | Experts Uncover Malware Attacks Targeting Corporate Networks in Latin America | Cybersecurity researchers on Thursday took the wraps off a new, ongoing espionage campaign targeting corporate networks in Spanish-speaking countries, specifically Venezuela, to spy on its victims. Dubbed "Bandidos" by ESET owing to the use of an upgraded variant of Bandook malware, the primary targets of the threat actor are corporate networks in the South American country spanning across | Malware Threat
The_Hackers_News | 2021-07-08 02:31:04 | SideCopy Hackers Target Indian Government Officials With New Malware | A cyber-espionage group has been observed increasingly targeting Indian government personnel as part of a broad campaign to infect victims with as many as four new custom remote access trojans (RATs), signaling a "boost in their development operations." Attributed to a group tracked as SideCopy, the intrusions culminate in the deployment of a variety of modular plugins, ranging from file | Malware
TechRepublic | 2021-07-07 20:02:05 | Scammers exploiting Kaseya ransomware attack to deploy malware | A new phishing campaign claims to offer a security update for Kaseya's VSA software but actually tries to install malware, says Malwarebytes. | Ransomware Malware
SecurityAffairs | 2021-07-07 18:28:35 | WildPressure APT expands operations targeting the macOS platform | The WildPressure APT has been targeting industrial organizations in the Middle East since 2019 and was now spotted using new malware that targets both Windows and macOS. Researchers from Kaspersky have spotted a new malware used by the WildPressure APT group to target both Windows and macOS systems. WildPressure was spotted for the first time […] | Malware
Kaspersky | 2021-07-07 17:46:07 | MacOS Targeted in WildPressure APT Malware Campaign | Threat actors enlist compromised WordPress websites in campaign targeting macOS users. | Malware Threat
grahamcluley | 2021-07-07 10:45:51 | Malware campaign targets companies waiting for Kaseya security patch | While the world continues to wait for Kaseya to issue an update to patch VSA installations against a vulnerability exploited by the REvil ransomware gang, security researchers spotted a malware campaign which is taking advantage of the vacuum. | Ransomware Malware Vulnerability
SecureList | 2021-07-07 10:00:45 | Wildpressure targets the macOS platform | We found new malware samples used in WildPressure campaigns: a newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS. | Malware
The_Hackers_News | 2021-07-07 06:18:33 | WildPressure APT Emerges With New Malware Targeting Windows and macOS | A malicious campaign that has set its sights on industrial-related entities in the Middle East since 2019 has resurfaced with an upgraded malware toolset to strike both Windows and macOS operating systems, symbolizing an expansion in both its targets and its strategy around distributing threats. Russian cybersecurity firm attributed the attacks to an advanced persistent threat (APT) it tracks as | Malware Threat
Anomali | 2021-07-06 15:05:00 | Anomali Cyber Watch: Thousands attacked as REvil ransomware hijacks Kaseya VSA, Leaked Babuk Locker Ransomware Builder Used In New Attacks and More | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Babuk, IndigoZebra, Ransomware, REvil, Skimmer, Zero-day and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence. Shutdown Kaseya VSA Servers Now Amidst Cascading REvil Attack Against MSPs, Clients (published: July 4, 2021): A severe ransomware attack reportedly took place against the popular remote monitoring and management (RMM) software tool Kaseya VSA. On July 2, 2021, Kaseya urged users to shut down their VSA servers to prevent them from being compromised. The company estimated that fewer than 40 of their customers worldwide were affected, but as some of them were managed service providers (MSPs), over 1,000 businesses were infected. The majority of known victims are in the US with some in Europe (Sweden) and New Zealand. The attackers exploited a zero-day vulnerability in Kaseya's systems that the company was in the process of fixing. It was part of the administrative interface vulnerabilities in tools for system administration previously identified by Wietse Boonstra, a DIVD researcher. The REvil payload was delivered via Kaseya software using a custom dropper that dropped two files. The dropper opens an old but legitimate copy of Windows Defender (MsMpEng.exe) that then side-loads and executes the custom malicious loader's export. The attack coincided with the start of the US Independence Day weekend, and has several politically-charged strings, such as a "BlackLivesMatter" Windows registry key and "DTrump4ever" as a password. Analyst Comment: Kaseya VSA clients should safely follow the company's recommendations, as it advised shutting Kaseya VSA servers down and is making new security updates available. Every organization should have a ransomware disaster recovery plan even if it is serviced by a managed service provider (MSP). MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] DLL Side-Loading - T1073. Tags: REvil, Sodinokibi, Gandcrab, Leafroller, Kaseya VSA, ransomware, Ransomware-as-a-Service, zero-day, CVE-2021-30116, supply-chain, North America, USA, Sweden, New Zealand, MSP, RMM, schools. IndigoZebra APT Continues To Attack Central Asia With Evolving Tools (published: July 1, 2021): Researchers from Check Point have identified the Afghan Government as the latest victim in a cyber espionage campaign by the suspected Chinese group 'IndigoZebra'. This attack began in April when Afghan National Security Council (NSC) officials began to receive lure emails claiming to be from the President's secretariat. These emails included a decoy file that would install the backdoor 'BoxCaon' on the system before reaching out to the Dropbox API to act as a C&C server. The attacker would then be able to fingerprint the machine and begin accessing files. I | Ransomware Spam Malware Tool Vulnerability Threat Guideline | APT 19 APT 10
Last update at: 2024-07-18 17:08:32