This week's cybersecurity bulletin covers a rise in malware attacks and the lengths to which threat actors are going to make their breach attempts succeed: new commodity stealers, credential dumps, ransomware delivered through exposed database servers, hacktivist DDoS campaigns, and mobile banking malware.


Europe and the U.S. Witness a Surge in EvilExtractor Malware Attacks

Use of the EvilExtractor data-theft tool against targets in Europe and the U.S. has surged.

EvilExtractor is sold by a company called Kodex for $59 per month, ships with seven attack modules and is advertised as able to bypass Windows Defender. Fortinet's researchers, who have been tracking the tool and its development, published a report showing that its deployment rose sharply in March 2023.

The attacks start with phishing emails posing as account confirmation requests. Each carries a gzip-compressed attachment that, when opened, runs a Python program; that program launches a .NET loader, which in turn drops and runs the EvilExtractor executables. The tool is regularly updated and currently offers the following capabilities:

  • Date and time checking
  • Anti-sandbox
  • Anti-VM
  • Anti-scanner
  • FTP server setting
  • Data theft
  • Upload of stolen data
  • Log clearing
  • Ransomware

Fortinet stresses that the tool is under constant development, so the most reliable defense is vigilance against phishing emails and their attachments.


Data Breach at American Bar Association Affects 1.4 Million Members

The ABA (American Bar Association) suffered a data breach in which threat actors obtained the old login credentials of 1,466,000 members.

The ABA observed suspicious activity on its network on 17 March 2023 and activated its incident response plan. The investigation found that unauthorized individuals had stolen usernames together with the hashed and salted passwords that members used to log in before 2018.

The ABA has stated that this was not a ransomware attack and that no corporate systems were targeted. Although the stolen passwords are hashed and salted, salting only prevents precomputed lookups; it does not stop an attacker from guessing each password offline. Over time, threat actors may crack the weak ones, and some of the exposed credentials were default passwords that members may never have changed, which could be used to access their accounts.

The ABA has recommended that members change their password on the ABA site and on any other site where they reused it, and that they watch for spear-phishing emails from threat actors impersonating the ABA.
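To show why "hashed and salted" does not make an old credential dump safe, here is an added example (not code from the bulletin or from the ABA) of the offline dictionary attack an attacker would run against such a dump. The ABA's actual hashing scheme is not public; the example assumes salted SHA-256 and uses a constructed account list and wordlist. It also shows the one thing salting does buy: users sharing a password no longer share a digest.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed account list standing in for a leaked credential set; these are not real
# ABA accounts. Salted SHA-256 is an ASSUMPTION used only to illustrate the attack.
ACCOUNTS = {
    "alice": "Password123",
    "bob": "Welcome1",
    "carol": "Password123",        # same weak password as alice
    "dave": "x!7Qz#9vLm2@wR",      # long random password, absent from any wordlist
}

# Small attacker wordlist (constructed). Real attacks use millions of entries and put any
# known default or site-issued passwords at the front of the list.
WORDLIST = ["123456", "password", "Welcome1", "Password123", "letmein"]


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256: H(salt || password). A fast hash like this is exactly what makes
    offline guessing cheap; a real service should use bcrypt, scrypt or Argon2 instead."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_dump(accounts: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Build the 'stolen' dump: username -> (salt_hex, digest_hex). Salts are derived
    deterministically from the username so the example is reproducible; a real system
    would draw each salt from os.urandom()."""
    dump = {}
    for user, password in accounts.items():
        salt = hashlib.sha256(("salt:" + user).encode("utf-8")).digest()[:16]
        dump[user] = (salt.hex(), hash_password(password, salt))
    return dump


def crack_dump(dump: Dict[str, Tuple[str, str]], wordlist: List[str]):
    """Offline dictionary attack. Each account has its own salt, so every guess must be
    rehashed per account (no shared precomputed table), yet every weak password still
    falls. Returns (recovered {user: password}, number of hash computations)."""
    recovered = {}
    ops = 0
    for user, (salt_hex, digest) in dump.items():
        salt = bytes.fromhex(salt_hex)
        for guess in wordlist:
            ops += 1
            if hash_password(guess, salt) == digest:
                recovered[user] = guess
                break
    return recovered, ops


def unsalted_groups(accounts: Dict[str, str]) -> List[List[str]]:
    """What salting prevents: with plain SHA-256, users sharing a password share a digest,
    so cracking one reveals all of them. Returns groups of users whose unsalted digests
    collide."""
    by_digest = defaultdict(list)
    for user, password in accounts.items():
        by_digest[hashlib.sha256(password.encode("utf-8")).hexdigest()].append(user)
    return sorted(sorted(users) for users in by_digest.values() if len(users) > 1)


if __name__ == "__main__":
    dump = make_dump(ACCOUNTS)
    found, ops = crack_dump(dump, WORDLIST)
    print(f"recovered {len(found)}/{len(dump)} passwords in {ops} hash computations: {found}")
    print("unsalted digest collisions:", unsalted_groups(ACCOUNTS))
```

With a five-word list, three of the four accounts fall in sixteen hash computations; only the long random password survives, and it would survive a list of billions just the same. That is the practical reason behind the ABA's advice: a reused or weak password is effectively exposed regardless of the hashing.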


Trigona Ransomware Spread Through Hacked Microsoft SQL Servers

Threat actors are breaking into Internet-exposed Microsoft SQL (MS-SQL) servers and deploying Trigona ransomware payloads on them.

[Figure: Ransomware lifecycle. Image sourced from velosio.com]

The servers are breached through brute-force or dictionary attacks against weak account credentials. Once connected, the attackers deploy a malware component dubbed CLR Shell, which they use to harvest system information, alter account configurations, and escalate privileges to LocalSystem before the ransomware itself is dropped.

Having established a foothold, the threat actors install and launch a dropper that, in turn, launches Trigona and registers the binary under a Windows autorun (Run) key so that it starts automatically on every reboot. Trigona then encrypts all files on the host.
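The chain above leaves two early signals in the SQL Server ERRORLOG before any file is encrypted: a burst of failed logins from one client address (the brute force) and the `clr enabled` configuration option being switched on (needed to load a CLR assembly such as CLR Shell). The following is an added detection example, not code from the bulletin or from the researchers who analysed Trigona; the log excerpt is constructed in the standard ERRORLOG layout with documentation IP addresses, and the five-failures-per-minute threshold is an assumption to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed SQL Server ERRORLOG excerpt (not a real capture). Layout follows the
# ERRORLOG format "<timestamp> <source> <message>"; IPs are documentation addresses.
SAMPLE_ERRORLOG = """\
2023-04-20 10:15:32.41 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-20 10:15:32.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-04-20 10:15:33.02 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-20 10:15:33.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-04-20 10:15:33.60 Logon       Error: 18456, Severity: 14, State: 5.
2023-04-20 10:15:33.60 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.45]
2023-04-20 10:15:34.15 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-20 10:15:34.15 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-04-20 10:15:34.77 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-20 10:15:34.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-04-20 10:15:35.30 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-20 10:15:35.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-04-20 10:16:05.12 spid57      Configuration option 'clr enabled' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-04-20 10:20:41.88 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-20 10:20:41.88 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})"
LOGIN_FAILED = re.compile(
    TS + r" Logon\s+Login failed for user '(?P<user>[^']*)'\. Reason: (?P<reason>.*?) \[CLIENT: (?P<ip>[^\]]+)\]$"
)
CONFIG_CHANGE = re.compile(
    TS + r" spid\d+\s+Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)


class LoginFailure(NamedTuple):
    ts: datetime
    user: str
    reason: str
    ip: str


def parse_login_failures(log_text: str) -> List[LoginFailure]:
    """Extract the 'Login failed for user ...' lines (error 18456) with their client IP."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append(LoginFailure(ts, m["user"], m["reason"], m["ip"]))
    return events


def detect_bruteforce(events: List[LoginFailure], threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> Dict[str, dict]:
    """Per client IP, find the largest number of failures inside any sliding window and
    alert when it reaches the threshold. A single typo from a legitimate client never trips it."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = {"failures": best, "users": sorted({e.user for e in evs})}
    return alerts


def detect_clr_enabled(log_text: str) -> List[str]:
    """Timestamps at which 'clr enabled' was switched on; CLR must be on to load a
    CLR assembly such as the CLR Shell used in the Trigona intrusions."""
    hits = []
    for line in log_text.splitlines():
        m = CONFIG_CHANGE.match(line)
        if m and m["opt"] == "clr enabled" and m["new"] != "0":
            hits.append(m["ts"])
    return hits


if __name__ == "__main__":
    failures = parse_login_failures(SAMPLE_ERRORLOG)
    print("brute-force sources:", detect_bruteforce(failures))
    print("clr enabled turned on at:", detect_clr_enabled(SAMPLE_ERRORLOG))
```

Run against the sample, the script flags 203.0.113.45 (six failures in four seconds, spraying both `sa` and a non-existent `admin` login) and the `clr enabled` change half a minute later, while the single failure from 198.51.100.7 stays quiet. The same two checks are worth running as a preventive audit: query `sp_configure 'clr enabled'` and `sys.assemblies` for user-defined assemblies on any MS-SQL instance that is reachable from the Internet.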

The Trigona operation has been an active and persistent threat since the start of the year.


U.K. Cybersecurity Agency Cautions About a New Breed of Russian Hackers

The U.K.’s NCSC (National Cyber Security Centre) has warned about increased risk from state-aligned Russian hacktivists and urged nationwide organizations to take security measures.

These state-aligned groups have emerged over the last year and a half. They are sympathetic to Russia's invasion of Ukraine and are ideologically rather than financially motivated.

The hacktivists mainly launch DDoS (Distributed Denial of Service) attacks that disrupt services in critical areas such as parliament, transport departments, and government websites. NCSC warns that some of these groups have stated an intent to cause more destructive impact, and it urges organizations to implement all of its recommended actions.

NCSC has published dedicated guidance on the steps businesses and organizations should take during periods of heightened cyber threat.


Australians' Scam Losses Reach an All-Time High of $3.1 Billion Last Year

The ACCC (Australian Competition & Consumer Commission) reports that Australians lost $3.1 billion to scams last year, a staggering 80% increase over 2021.

Investment scams accounted for the largest share at $1.5 billion, followed by $229 million lost to remote access scams and $224 million to payment redirection scams. The ACCC attributes the rise to increasingly effective fraud, with threat actors using a wide range of themes to make their scams appear genuine.

ACCC Deputy Chair Catriona Lowe added that these scams increasingly involve impersonation of official phone numbers, emails, and websites.

Stay informed about current scams, and verify any investment opportunity independently through the company's legitimate website or regulator listings rather than through links or numbers supplied by the person who contacted you.


New Chameleon Android Malware Imitating Bank, Government, and Cryptocurrency Applications

A new Android malware named “Chameleon” has emerged, targeting Australian and Polish citizens since the start of the year.

[Figure: Android malware]

The malware mimics the CoinSpot cryptocurrency exchange, Australian government agencies, and the Polish IKO bank. On execution it performs several checks to evade detection, then prompts the victim to enable the Accessibility Service; it abuses that service to grant itself additional permissions and to disable Google Play Protect.

Chameleon is highly capable: it reports the device's details to its operators and can steal cookies, log keystrokes, inject phishing pages over legitimate apps, capture lock screen patterns, and read SMS messages, which lets it intercept one-time codes.

Android users should be cautious when installing applications, download software only from the Google Play store, refuse Accessibility Service requests from apps that have no reason to need it, and keep Google Play Protect enabled.
