Maintaining email security remains a challenge, especially when threat actors are so particular about sustaining their malicious activities despite law enforcement penalizing them. Here are the latest cyber headlines this week to guide you through the never-ending hunt for cyber offenders.
Threat Actors Exploit the Vulnerabilities You Don’t Have a Patch For
A China-based threat actor group tracked as DEV-0322 has exploited a recently patched zero-day vulnerability in Zoho’s ManageEngine ADSelfService Plus. The bug gave them initial access to systems and allowed remote code execution, and CISA had already warned organizations about exactly this kind of activity from advanced persistent threat (APT) groups. The breach was first discovered by Palo Alto Networks, who found that an espionage campaign had exploited the flaw to reach the internal systems of organizations.
DEV-0322 was able to get into the networks of over nine entities across sectors such as technology, defense, healthcare, energy, and education. Cybersecurity experts revealed that the adversaries were using several malicious tools to steal sensitive information and harvest credentials. The exploited vulnerability is tracked as CVE-2021-40539. Reportedly, the adversaries were targeting some 370 Zoho ManageEngine servers in the US alone. They used the Godzilla webshell, uploading variants of it to the targeted servers, and some of the victims were also infected with the NGLite trojan.
The best way to avoid exploitation of bugs that already have a patch released is for organizations to deploy robust cybersecurity tools consistently and to run a patch management program that applies fixes promptly.
Ransomware Gang Actions Defined: Old Wine in New Bottle
With ransomware gangs, nothing ever goes out of style. For instance, the BlackMatter ransomware emerged when both REvil and DarkSide were out of sight. Since then, the BlackMatter gang has consistently attacked organizations and cost them hundreds of millions of dollars. But now, its operators have announced that the ransomware will no longer be operational. On its Ransomware-as-a-Service (RaaS) portal, the threat actor recently announced a forced shutdown, blaming pressure from law enforcement. This news comes after law enforcement recently arrested 12 adversaries associated with over 1,800 ransomware attacks. In its announcement, BlackMatter also asked victims to approach them in the organization’s chat for the decryptor.
The end of BlackMatter’s operations should ideally be good news, but its affiliates are now making a quick shift to the LockBit site, which makes LockBit one of the most powerful ransomware gangs in recent times. One might expect that the actions of law enforcement are making ransomware gangs shut down their operations, but the end of one ransomware operation is usually the beginning of another notorious gang. This is an ongoing cycle, hard to stop until cybersecurity experts and regulatory bodies come together to make all gangs stop operating simultaneously!
OpenText Acquiring Zix Marks a Significant Cybersecurity Merger
The email security enterprise Zix was recently acquired by the enterprise information management solutions provider OpenText at $8.50 per share. The acquisition is an all-cash deal, expected to close over the next three months, and comes to approximately $860 million. Zix shares had surged since mid-October, when the organization announced that it was exploring business expansion strategies, including a prospective sale. Zix expects that the acquisition by OpenText will increase its product and resource capabilities.
The sale seems to be working out fine, as Zix’s largest shareholder, an affiliate of True Wind Capital, LP, has also agreed to tender its Series A Preferred Shares, as common shares, in the tender offer. Similarly, its directors and executive officers have agreed to tender their common shares in the tender offer. Currently, Zix offers email security services, encryption, message privacy, backup and recovery, secure file sharing, information archiving, and Microsoft 365 products to over 21,000 customers.
DomainTools and Farsight Become One
California-based DNS intelligence and cybersecurity data solutions provider Farsight Security was recently acquired by the Washington-based DNS threat intelligence organization DomainTools. Both organizations have been active players in the battle against threat actors. Their coming together only increases the quality of the DNS intelligence and security solutions their global clients receive.
As it turns out, DomainTools and Farsight have collaborated on several occasions since 2017 to deliver Farsight’s passive DNS data through DomainTools’ Iris investigation platform. This merger acknowledges the robust security capabilities that can be built when these two DNS intelligence experts come together. They appear to be aiming at a safer internet for all and growth for both parties through this acquisition. Customers can now expect faster and more comprehensive threat protection solutions from the companies.
Beware of Google Ads Leading to Crypto Wallets
Cybersecurity researchers have recently noticed that adversaries are using Google Ads to target victims with fake wallets that steal credentials and account balances. By using Google Ads to redirect users of crypto wallets such as MetaMask and Phantom, the adversaries have stolen over $500,000 in just a week.
In a typical attack, clicking on the attackers’ malicious Google Ad redirects users to a fake site that resembles the MetaMask or Phantom wallet site. All users who entered these counterfeit sites and downloaded the fake wallets hoping to make a currency swap lost their money. The fake wallet further asks users to register a new account (the attackers obviously harvest these credentials), after which they are led to the genuine Phantom/MetaMask site. Even when users then get the wallet extension from the authorized website, logging in with the recovery phrase they were given for the new account on the fake website means that all funds they transfer actually end up in the adversaries’ accounts.
When users add the wallet extension to Chrome and enter the recovery phrase the attacker has just constructed, they are in reality logging into the attacker’s wallet rather than generating a new one. This implies that if they send money, the attacker receives it right away. This looks like the beginning of a new cybercrime trend, where scammers manipulate innocent Google searches to lead people to fake websites. Since cryptocurrency is being embraced by people worldwide, crypto enthusiasts must visit websites only after double-checking the URLs. Further, users must refrain from clicking on Google Ads leading to crypto wallets, as these might be malicious ones created by threat actors!
Chinese Airlines Become the Target of Foreign Threat Actor Groups
The Chinese Ministry of State Security (MSS) recently disclosed that many of the country’s airlines had been attacked in 2020 by international threat actor groups, who also stole databases containing passengers’ travel data. The breach was brought to the notice of the MSS in January 2020 by one of the Chinese airlines. Investigations into the breach revealed that the attackers had used a custom trojan to exfiltrate passenger and other data from the airline. The subsequent research confirmed that the adversaries used the same strategy to compromise the systems of several other Chinese airlines.
An overseas intelligence agency is said to have carefully planned and executed this attack on Chinese airlines. Unlike other nations, China seldom reveals details about foreign state-sponsored cyberattacks. Hence, this public notification is a rarity, but even so, the MSS was careful not to disclose the identity of the threat actors. According to unnamed sources, Chinese cybersecurity firms frequently detect cyberattacks from foreign threat actors.