Cyber security week in review: July 22, 2022


North Korean hackers target small businesses with H0lyGh0st malware

A North Korea-linked hacker group, tracked as DEV-0530, has been attacking small businesses in various countries with a ransomware strain called H0lyGh0st since at least September 2021.

Like other ransomware gangs, DEV-0530 encrypts all files on the target device and uses the file extension .h0lyenc. It then sends the victim a sample of the files as proof and demands payment in Bitcoin in exchange for restoring access to the files. Usually, the threat actor demanded a payment of between 1.2 and 5 bitcoins and was willing to lower the price (in some cases to less than one-third of the initial ransom demand).

Russian hackers use Dropbox and Google Drive to evade detection

APT29 (aka Cloaked Ursa, Nobelium or Cozy Bear), a Russia-linked state-sponsored hacker group, is using legitimate cloud services like Google Drive and Dropbox in order to deliver malicious payloads on compromised systems undetected.

The observed attacks involved phishing emails addressed to embassies in Portugal and Brazil containing a link to a malicious HTML file (EnvyScout) that served as a dropper for additional malicious files in the target network, including a Cobalt Strike payload.

Pegasus malware used to spy on Thai democracy activists

At least 30 activists in Thailand involved in pro-democracy protests calling for reforms to the monarchy in 2020 and 2021 had their cell phones infected with the infamous Pegasus software, a spying tool developed by the Israel-based cyber-intelligence firm NSO Group. The investigation began after several Thai civil society members received notifications from Apple, sent to their iPhones in November 2021, that they may have been the target of a state-backed spyware attack. The recipients included individuals whom Apple believes were targeted with NSO Group’s FORCEDENTRY exploit.

According to the results of a technical analysis of forensic artifacts, the infections occurred between October 2020 and November 2021.

Hackers use password recovery tool to infect industrial systems with Sality malware

A malicious campaign was discovered that targeted industrial engineers and operators and involved password “cracking” software for programmable logic controllers (PLCs) which infects systems with the Sality malware in order to ensnare them in a cryptomining botnet.

The investigation found that this password recovery tool was exploiting a known vulnerability (CVE-2022-2003) in Automation Direct DirectLogic PLC to extract the password.

Russia-linked Turla APT targets pro-Ukrainian activists with fake DDoS apps

Turla, an advanced persistent threat (APT) group believed to be working on behalf of Russia’s Federal Security Service (FSB), has been observed distributing Android apps masqueraded as tools for performing Denial of Service (DoS) attacks from a domain spoofing the Ukrainian Azov Regiment.

According to the researchers, the campaign had no major impact on Android users, as the number of installs was minuscule.

New SATAn attack allows attackers to steal data from air-gapped systems

Security researchers found a new way to steal information from air-gapped systems. The new technique, dubbed “SATAn,” uses Serial ATA (SATA) cables as a wireless antenna to transmit data from a breached system to a nearby receiver.

US seizes $500,000 in ransom paid to North Korean hackers

The US Department of Justice said it seized nearly half a million dollars in cryptocurrency paid last year as ransom by a hospital in Kansas and a medical provider in Colorado to hackers linked to North Korea.

In May 2021, North Korean hackers targeted servers of a medical center in Kansas with a ransomware strain called Maui. The healthcare provider then paid the attackers around $100,000 in Bitcoin to regain access to the encrypted servers. The organization reported the incident to law enforcement authorities, and the FBI was able to identify a new ransomware strain used by North Koreans and ultimately track and seize ransom payments along with cryptocurrency from China-based money launderers working for the North Korean cyber actors.

US Cyber Command shares samples of malware used in attacks on Ukrainian networks

US Cyber Command has shared technical information about what the agency describes as different types of malware that have been used in attacks targeting networks of government bodies and other entities in Ukraine, including 20 previously unreported samples of malicious code.

Cyber Command has not attributed the malware to any specific threat actor. However, the cybersecurity firm Mandiant has released its own report regarding malicious activity in Ukraine, which describes cyber operations conducted by cyber-espionage groups tracked as UNC2589 and UNC1151.

German manufacturing giant Knauf Group hit by a Black Basta ransomware attack

Knauf Group, a German manufacturer of modern insulation materials, has suffered a ransomware attack that forced the company to shut down its services. The attack, which took place on June 29, appears to have been carried out by the Black Basta ransomware gang, which added Knauf Group to the list of victims on its data leak website.

The group has also published 20% of the files allegedly stolen from the manufacturer, including sensitive information about the company’s employees, ID scans and product documents.

Hackers target large Ukrainian software company with GoMet backdoor

A large Ukrainian software company whose software is used in various state organizations within Ukraine has been targeted in what appears to be a supply chain attack.

The campaign, believed to be conducted by hackers affiliated with the Russian government, attempted to infect the company’s networks with a modified version of the open-source backdoor known as GoMet, designed to provide additional persistent access. According to Cisco’s Talos threat intelligence team, the infiltration attempt was unsuccessful.

Cyber criminals hacked Ukrainian radio network to spread fake messages about Zelensky’s health

Hackers attacked servers of TAVR Media, a Ukrainian company that operates nine “major” radio stations, to spread a fake message that Ukrainian President Volodymyr Zelensky was in critical condition in intensive care and that his duties were being carried out by Ruslan Stefanchuk, Chairman of the Verkhovna Rada of Ukraine.

TAVR Media wrote on its Facebook page that the information was untrue and that the company was working to address the issue. Ukrainian authorities have not yet said who was behind the attack.

Candiru spyware linked to Chrome zero-day used in attacks targeting journalists

The DevilsTongue malware, developed by the Israel-based spyware vendor most commonly known as Candiru or Saito Tech, was used in attacks targeting journalists in the Middle East that exploited a recently patched zero-day vulnerability (CVE-2022-2294) in the Google Chrome browser.

The cybersecurity firm Avast said in its new report that it observed Candiru in March using the Chrome zero-day exploit to target individuals in Turkey, Yemen and Palestine, as well as journalists in Lebanon, where Candiru compromised a website used by employees of an unnamed news agency.

The Chrome zero-day exploit was designed to collect about 50 data points from a victim’s browser, including the victim’s language, timezone, screen information, device type, browser plugins, referrer, device memory, cookie functionality, and more.

The zero-day was chained with a sandbox escape exploit, but the researchers said they were not able to recover it due to the protections implemented by the malware.

TA4563 threat actor uses EvilNum malware in attacks against European financial and investment entities

Security researchers at Proofpoint have shared the details of a malware campaign aimed at European financial and investment entities, especially those with operations supporting foreign exchanges, cryptocurrency, and decentralized finance (DeFi). The researchers have linked this campaign, which has been active since 2021, to a hacker group tracked as TA4563.

The observed campaign delivered an updated version of the EvilNum backdoor using a varied mix of ISO, Microsoft Word and Shortcut (LNK) files in late 2021 and early 2022, presumably as a way of testing the efficacy of the delivery methods. The EvilNum malware can be used for reconnaissance, data theft, and to deploy additional payloads.

How the Conti ransomware gang hacked the Costa Rican government

The cyber intelligence firm Advanced Intelligence (AdvIntel) has published an interesting report detailing the Conti ransomware attack against government entities in Costa Rica and how the hackers were able to breach the government computer systems. The report describes the stages of the attack, starting from gaining access to a system belonging to Costa Rica’s Ministry of Finance over a VPN connection using compromised credentials, through to exfiltrating hundreds of gigabytes of data and executing the ransomware.