A quick summary of what happened this week in the space of cyber security:

New Rorschach ransomware found, deemed one of the fastest-encrypting ransomware strains researchers have ever seen.
Malware researchers from Check Point discovered a new ransomware with "technically unique features" following a cyber attack on a US-based company. One of its most unique capabilities is its encryption speed, which researchers say makes it the fastest ransomware threat today. Furthermore, the ransomware is partly autonomous, carrying out tasks that are normally performed manually during enterprise-wide ransomware deployment.

My Cloud network breached, locking users out of their data.
A recent breach of the My Cloud network has resulted in users being locked out of their data. Some users report that their data has been entirely lost, while others are struggling to access their data because of the security measures put in place following the breach. Western Digital, the company behind My Cloud, has issued a statement acknowledging the breach and promising to take steps to improve security going forward. However, many users are expressing dissatisfaction with the company's response, and some are calling for compensation for the inconvenience caused.

Online university Open University of Cyprus (OUC) suffers a breach.
The Medusa ransomware gang has claimed a cyberattack on the OUC that severely disrupted the organization's operations, taking several of its central services and critical systems offline. The gang gave the institution 14 days to respond to its demand of $100,000. However, it is also willing to sell the data to any interested party for the exact same price.

Taiwanese PC vendor Micro-Star International (MSI) confirms a security breach following a ransomware attack.
The Money Message ransomware gang claims to have stolen sensitive information such as financial and personal data, which it says will be leaked online if the company refuses to pay a $4 million ransom. The company reported the intrusion to the police and cybersecurity agencies. MSI also reported that the cyber attack has had "no significant" operational and financial impact. However, it did not state whether customer data was compromised during the network breach. Users are strongly advised to obtain firmware/BIOS updates only from MSI's official website and to avoid using files from other sources.

Hackers release 16,000 Tasmanian education department documents on the dark web.
Hackers have leaked approximately 16,000 documents from the Tasmanian government on the dark web. The leaked documents are said to include sensitive information such as financial details, email correspondence, and personal data of school students and their parents. The data is believed to have been released by a Russian-linked hacker group called Cl0p. It has been stated that the data was accessed via a third-party file transfer service, and there is no evidence that Tasmanian government IT systems themselves were breached. The Tasmanian government has issued a statement acknowledging the breach and stating that it is working with cybersecurity experts to investigate and contain the incident. Individuals who may have been affected by the breach are advised to be vigilant and take steps to protect their personal information.

Capita, a British outsourcing services provider, suffers a cyberattack.
Capita announced that last Friday it suffered a cyberattack that prevented access to its internal Microsoft Office 365 applications. Its customers include critical infrastructure organizations in the UK, such as the UK military, the National Health Service, Vodafone and the Royal Bank of Scotland. The incident occurred at 4am and was discovered when staff attempted to log into the system. The company stated that it managed to isolate and contain the security issue. However, the attack limited parts of the network and disrupted some services provided to individual clients. The company also stated that there is no indication that any data was exposed during the attack.

STYX, a new dark web marketplace focused on financial fraud services.
Since its launch earlier this year, STYX has become a thriving hub for buying and selling illegal services and stolen data. Services offered include, but are not limited to, money laundering, identity theft, distributed denial of service (DDoS), bypassing two-factor authentication (2FA), fake or stolen IDs and other personal data, malware rental, cash-out services, email and telephone flooding, and identity lookup. The money laundering section in particular is significant on STYX, as "cleaning" stolen funds is an important part of cybercriminal activity. Resecurity highlighted some vendors offering money laundering services on STYX, such as "Verta", who requests a minimum of $15,000 for individuals and $75,000 for businesses and keeps 50% of the laundered amount. STYX also hosts a plethora of cash-out shops with global coverage, offering "clean" funds via PayPal business accounts, Apple Pay, and various financial institutions in the UK, US and Canada.

Updated info-stealing malware Typhon announced.
The developers of Typhon announced on a dark web forum that they have updated the malware. According to Cisco Talos, Typhon V2 has been modified to make the malicious code more robust, reliable and stable. V2 features additional anti-analysis and anti-virtual-machine capabilities to evade detection and make analysis of the malware more challenging. Its data collection capabilities have also been expanded: it now targets a larger number of apps, including gaming clients, as well as multiple email clients, messaging apps, cryptocurrency wallet apps, browser extensions, FTP clients, VPN clients, and information stored in web browsers. It can also capture screenshots from the compromised device. Another new feature allows operators to search for and exfiltrate specific files from the victim's environment. This lets threat actors harvest sensitive information and use the Telegram API to send the stolen data to the attackers.

Critical vulnerability found in the VM2 JavaScript sandbox library.
A critical vulnerability has been discovered in the VM2 JavaScript sandbox library that allows an attacker to execute arbitrary code remotely. The vulnerability is said to affect VM2 versions 3.7.0 and earlier and has been assigned a severity score of 9.8 out of 10. Furthermore, an exploit for the vulnerability has been made publicly available, increasing the risk of attacks. VM2 has more than 16 million monthly downloads via the NPM package repository and is used by integrated development environments (IDEs) and code editors, function-as-a-service (FaaS) solutions, pen-testing frameworks, security tools, and various JavaScript-related products. Users of the affected library are strongly advised to upgrade to the latest version (3.9.15) immediately and to take other security measures, such as limiting access to the library and monitoring for suspicious activity.

Balada Injector malware has been targeting WordPress sites since 2017.
A long-running attack campaign has been targeting WordPress sites with the Balada Injector malware since 2017. The campaign is estimated to have compromised over one million WordPress sites, with the attackers exploiting vulnerabilities in WordPress plugins to gain access. Once access is gained, the attackers inject malicious code into the site, which can be used for various purposes, such as stealing sensitive data or distributing further malware. The campaign is still ongoing, and WordPress site owners are advised to protect their sites by regularly updating plugins and using security plugins to scan for vulnerabilities.

A bug in Wi-Fi chips allows snooping.
A vulnerability that can allow threat actors to spy on victims' data has been found in at least 55 Wi-Fi router models. The shortcoming lies in the network processing units of Qualcomm and HiSilicon chips found in various wireless access points. The flaw prevents devices from blocking forged Internet Control Message Protocol (ICMP) messages, which allows threat actors connected to the same Wi-Fi network to hijack and observe a victim's wireless connectivity.

eFile.com, an IRS-authorized tax return software, caught serving JavaScript malware.
IRS-authorized eFile.com tax return software has been found to be serving malicious JavaScript (JS) code to its users. Security researchers state that this code existed on eFile.com for weeks. The malware gives threat actors full access to a device, providing initial access to a corporate network for further attacks. This allows them to deploy additional malware, steal credentials, spread laterally across the network, or steal data for extortion. However, the full extent of the damage caused by this malware is yet to be learned.

Links:
https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/
https://arstechnica.com/information-technology/2023/04/users-fume-after-my-cloud-network-breach-locks-them-out-of-their-data/
https://www.documentcloud.org/documents/23745834-msi-twse-filing-regarding-information-service-systems-affected-by-cyberattack
https://github.com/patriksimek/vm2
https://blog.sucuri.net/2023/04/balada-injector-synopsis-of-a-massive-ongoing-wordpress-malware-campaign.html
https://www.ouc.ac.cy/index.php/en/news-events/news/2847-cyberattack
https://www.bleepingcomputer.com/news/security/medusa-ransomware-claims-attack-on-open-university-of-cyprus/
https://www.begadistrictnews.com.au/story/8151728/hackers-leak-16000-tas-documents-on-dark-web/
https://www.theregister.com/2023/04/07/wifi_access_icmp/?&web_view=true
https://www.bleepingcomputer.com/news/security/irs-authorized-efilecom-tax-return-software-caught-serving-js-malware/
https://www.capita.com/news/capita-plc-update-cyber-incident
https://www.resecurity.com/blog/article/styx-marketplace-emerged-in-dark-web-focused-on-financial-fraud
https://blog.talosintelligence.com/typhon-reborn-v2-features-enhanced-anti-analysis/
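The VM2 item above advises upgrading to 3.9.15. As an added example, not code from the original post or from the vm2 project, the script below audits an npm package-lock.json and flags every copy of vm2 older than that release, including nested transitive copies that a dependency pulls in on its own; it assumes the lockfileVersion 2/3 layout (a top-level "packages" map) and runs on a constructed sample lockfile.

```javascript
// Added example (not from the original post or the vm2 project): audit an npm
// package-lock.json for copies of vm2 older than the fixed release named above.
// Assumes lockfileVersion 2 or 3, where every installed package (including
// nested transitive copies) appears under the top-level "packages" map.

const FIXED_VM2 = '3.9.15';

// Compare two dotted version strings numerically; returns -1, 0 or 1.
// A prerelease suffix such as "-beta" is ignored for the comparison.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every vm2 install path whose version predates FIXED_VM2. Matching on
// the path suffix catches nested copies a dependency brings in on its own.
function findVulnerableVm2(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/vm2') || !meta.version) continue;
    if (compareVersions(meta.version, FIXED_VM2) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the direct vm2 is already fixed, but an
// outdated copy is still nested under another dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.15' },
    'node_modules/some-plugin': { version: '2.1.0' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.9.14' },
  },
};

// Replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))
// to audit a real project.
for (const h of findVulnerableVm2(SAMPLE_LOCK)) {
  console.log(`outdated vm2 at ${h.path}: ${h.version} < ${FIXED_VM2}`);
}
```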
© 2021, TAFA HOLDINGS (S) PTE LTD. ALL RIGHTS RESERVED