Cybersecurity is a significant issue facing all small and large businesses across the globe. This week’s cyber news headlines highlight the major cybersecurity incidents that have occurred recently.

FBI Warns Private Industries to Stay Wary of Emennet Pasargad

The FBI recently issued a warning notification for private industries cautioning them of the malicious activities of the Iranian cyber company – Emennet Pasargad. In its notification, the FBI mentions the threat actor’s tactics, techniques, and procedures (TTPs) and some cybersecurity recommendations to detect and prevent their attacks.

This is the same Iranian threat actor group that attempted to interfere with the 2020 U.S. presidential election and was placed under U.S. Treasury Department sanctions in November 2021. The group has rebranded itself frequently in the past to evade U.S. sanctions; some of its earlier names include Net Peygard Samavat and Eeleyanet Gostar. The FBI notes that Emennet Pasargad usually targets hosting services and websites or networks in specific sectors. Beyond the U.S. presidential election, Emennet has also targeted popular content management systems such as Drupal and WordPress.


UpdateAgent: Infostealer Turned Malware

Cybersecurity experts have uncovered an info stealer called UpdateAgent that has been operating as macOS malware for over 14 months. It first emerged as a simple info stealer sometime in November or December 2020, but it has been evolving constantly and is becoming more malicious. It now has advanced capabilities, including a second-stage adware payload that installs a backdoor. The adware also facilitates man-in-the-middle attacks, enabling adversaries to steal ad revenue from legitimate website owners. In addition, UpdateAgent can gather system profile data, including SPHardwareDataType output, which reveals the serial number of the victim's system.

UpdateAgent is a threat to cybersecurity because it tricks victims by impersonating legitimate software and abusing Mac device functionality. The malware abuses existing user permissions and then deletes all evidence of its malicious activity. Since modern work environments rely heavily on a mix of operating systems, it is imperative to ensure ransomware protection across all of these platforms.


NCSC-FI Warns of Phishing Campaign Exploiting Facebook Accounts

Have you ever received a text from a friend on Facebook asking for your phone number and an OTP? Have you complied with such random requests? Finland's National Cyber Security Centre (NCSC-FI) warns citizens against sharing personal details with such "friends" on Facebook, as the requests could be part of this new phishing campaign. Adversaries impersonate victims' friends on Facebook Messenger and ask for their phone numbers and a verification code delivered to their mobile phones. Any unsuspecting user who shares these details with the adversaries will lose control of their Facebook account, as the malicious actors can immediately change the password. The hijacked Facebook account is then used to spread the attack further among the victim's friends.

The NCSC-FI advises users to treat all such messages with suspicion, irrespective of how well they know the sender in person. Another way to verify the authenticity of such texts is to contact the sender outside of Facebook (via a call or SMS) and ask whether they are aware of the messages. Scammers have used Messenger, WhatsApp and Instagram extensively in the past to run their phishing campaigns; therefore, staying alert and using cybersecurity tools while chatting on these platforms is essential.


Hacker Exploits Vulnerability in Wormhole Cryptocurrency

Hackers recently exploited a vulnerability in Wormhole, a web-based application that allows users to convert one cryptocurrency into another. The adversaries reportedly stole over $322.8 million worth of Ether from the platform. While Wormhole hasn't confirmed the breach yet, it is likely to be the largest attack on a crypto platform so far in 2022. The value of the stolen cryptocurrency has since dropped to $294 million.

The crypto network has put its website into maintenance mode while investigations continue. In addition, Wormhole has launched a bug bounty program worth $10 million, offering the adversaries a $10 million bounty in exchange for returning the stolen funds. More comments from Wormhole are due after its email security experts finish the initial investigation.


Trend Micro Patches Two High-Severity Vulnerabilities

Trend Micro recently fixed two high-severity vulnerabilities, tracked as CVE-2022-23119 and CVE-2022-23120, affecting its Deep Security and Cloud One workload security solutions. Cybersecurity researchers at Modzero first discovered the vulnerabilities in September. Trend Micro quickly announced patches for the flaws and released them between October and December. Modzero released an advisory and PoC exploits on 19th January 2022.

As per Modzero's report, a directory traversal vulnerability in the Deep Security Agent for Linux enables adversaries to read arbitrary files. It also allows them to execute remote code and escalate privileges. However, the attacker needs access to the targeted system, and exploitation is only possible if the agent has not been activated or configured. This is not the first time that flaws in Trend Micro products have been highlighted. Only last week, Trend Micro informed customers of a flaw in its Worry-Free Business Security small business product, though that one was categorized as a low-severity vulnerability.


Watch Out For The New Ransomware Sugar

Cybersecurity experts at the retail giant Walmart have discovered a new ransomware called Sugar, which is available to attackers as ransomware-as-a-service (RaaS). First observed in November 2021, Sugar borrows objects from other ransomware families and is written in Delphi.

Sugar differs from other ransomware families, which usually target enterprise networks: it attacks individual computers, but is in no way less dangerous. Its crypter employs a modified version of RC4 encryption, and code from this crypter is also used in the ransomware itself, which could mean one of two things – either the ransomware and its crypter were created by the same developer, or the crypter is offered to affiliates as part of the RaaS. Walmart researchers found similarities between the ransom notes used by the REvil, Cl0p and Sugar ransomware gangs. They also found similarities between Sugar and GPLib, which suggest that Sugar uses the SCOP encryption algorithm for its file encryption.
