September 2022

New Wave of Espionage Activity Targets Asian Governments

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments

Excerpt:

“A distinct group of espionage attackers who were formerly associated with the ShadowPad remote access Trojan (RAT) has adopted a new, diverse toolset to mount an ongoing campaign against a range of government and state-owned organizations in a number of Asian countries. The attacks, which have been underway since at least early 2021, appear to have intelligence gathering as their main goal.”


Shape-shifting crypto miner savages Linux endpoints and IoT

Brandon Vigliarolo

https://www.theregister.com/2022/09/10/in_brief_security/

Excerpt:

“IN BRIEF AT&T cybersecurity researchers have discovered a sneaky piece of malware targeting Linux endpoints and IoT devices in the hopes of gaining persistent access and turning victims into crypto-mining drones.

The malware was dubbed "Shikitega" for its extensive use of the popular Shikata Ga Nai polymorphic encoder, which allows the malware to "mutate" its code to avoid detection. Shikitega alters its code each time it runs through one of several decoding loops that AT&T said each deliver multiple attacks, beginning with an ELF file that's just 370 bytes.”


Ransomware gangs switching to new intermittent encryption tactic

Bill Toulas

https://www.bleepingcomputer.com/news/security/ransomware-gangs-switching-to-new-intermittent-encryption-tactic/

Excerpt:

“A growing number of ransomware groups are adopting a new tactic that helps them encrypt their victims' systems faster while reducing the chances of being detected and stopped.

This tactic is called intermittent encryption, and it consists of encrypting only parts of the targeted files' content, which would still render the data unrecoverable without using a valid decryptor + key.”


MagicRAT: Lazarus’ latest gateway into victim networks

Asheer Malhotra, Vitor Ventura, Jungsoo An

https://blog.talosintelligence.com/lazarus-magicrat/

Excerpt:

“Cisco Talos has discovered a new remote access trojan (RAT), which we are calling "MagicRAT," that we are attributing with moderate to high confidence to the Lazarus threat actor, a state-sponsored APT attributed to North Korea by the U.S. Cyber Security & Infrastructure Agency (CISA). This new RAT was found on victims that had been initially compromised through the exploitation of publicly exposed VMware Horizon platforms. While being a relatively simple RAT capability-wise, it was built with recourse to the Qt Framework, with the sole intent of making human analysis harder, and automated detection through machine learning and heuristics less likely.”


Cisco won’t fix authentication bypass zero-day in EoL routers

Sergiu Gatlan

https://www.bleepingcomputer.com/news/security/cisco-won-t-fix-authentication-bypass-zero-day-in-eol-routers/

Excerpt:

“Cisco says that a new authentication bypass flaw affecting multiple small business VPN routers will not be patched because the devices have reached end-of-life (EoL). This zero-day bug (CVE-2022-20923) is caused by a faulty password validation algorithm that attackers could exploit to log into the VPN on vulnerable devices using what the company describes as "crafted credentials" if the IPsec VPN Server feature is enabled.”


#StopRansomware: Vice Society

Multi State Information Sharing Society

https://www.ic3.gov/Media/News/2022/220906.pdf

Excerpt:

“This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.”


Newly discovered cyber spy crew targets Asian governments and corporations

Jeff Burt

https://www.theregister.com/2022/09/06/worok_espionage_asia/

Excerpt:

“A cyberespionage group has targeted government agencies and big-name corporations throughout Asia since at least 2020, using the notorious ProxyShell vulnerabilities in Microsoft Exchange to gain initial access.”


FBI issues warning after crypto-crooks steal $1.3 billion in just three months

Graham Cluley

https://www.tripwire.com/state-of-security/fbi-issues-warning-after-crypto-crooks-steal-1-3-billion

Excerpt:

“Amid a wave of hacks that have cost investors billions of dollars worth of cryptocurrency, the FBI is calling on decentralised finance (DeFi) platforms to improve their security. In a warning posted on its website, the FBI said that cybercriminals are increasingly targeting DeFi platforms to steal cryptocurrency, often exploiting vulnerabilities in smart contracts to part investors from their money.”


Oh no, that James Webb Space Telescope snap might actually contain malware

Jeff Burt

https://www.theregister.com/2022/09/01/webb_telescrope_malware/

Excerpt:

“Scumbags are using a photo from the James Webb Space Telescope to smuggle Windows malware onto victims' computers – albeit in a roundabout way. The malicious code, written in Go, is hidden in a .jpeg of the stunning first proper image taken by the recently deployed spacecraft.”


New ransomware hits Windows, Linux servers of Chile govt agency

Bill Toulas

https://www.bleepingcomputer.com/news/security/new-ransomware-hits-windows-linux-servers-of-chile-govt-agency/

Excerpt:

“Chile's national computer security and incident response team (CSIRT) has announced that a ransomware attack has impacted operations and online services of a government agency in the country.”