Staying a step ahead of threat actors requires understanding how they attack individuals online. Here we are with this week’s top cybersecurity news from around the world. From malware hidden in images to royal ransoms, from surging SMS phishing to crypto job applications delivering Mac malware, and from Russian cyberattacks to cybercriminals apologizing for a data breach, let us see what the cybersecurity world has been up to.

Witchetty Gang Uses Windows Logo for Malware Delivery

Witchetty, a hacking group, is running a malware campaign in which the malicious payload is delivered hidden inside a Windows logo image. The cybercriminal group is believed to be tied to APT10/Cicada, a state-backed Chinese threat actor, and to TA410 operatives.

Security researchers at Symantec discovered this novel malware campaign, in which the threat actors used steganography to hide the malicious content and evade antivirus software. An XOR-encrypted backdoor was hidden inside an old Windows logo bitmap image, and the file was hosted on cloud services, minimizing security alerts and detections. Because the payload was fetched from trusted hosts rather than from an attacker-run C2 (Command and Control) server, it avoided raising red flags.

The threat actors gained network access by exploiting Microsoft Exchange ProxyShell to drop web shells onto servers. The backdoor hidden in the Windows logo image allowed the threat actors to perform file and directory actions, manipulate processes, download further payloads, modify the registry, and exfiltrate files. The campaign also distinguished itself by installing a custom proxy that reverses the usual roles: the infected system behaves as the C2 server while the attackers’ server acts as the client.

The campaign targeted Middle Eastern governments, and the threat actors gained network entry by exploiting vulnerabilities discovered last year, as per Symantec’s report. With cybersecurity being such a delicate issue needing attention, why were the vulnerabilities still unpatched after such a long time?
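A defender’s first question about an image that carries a hidden payload is whether the file holds more bytes than its headers account for. The following script is an added example, not code from the article or from Symantec: it parses the BMP file and DIB headers, computes where the pixel array must end, and reports any trailing bytes together with their Shannon entropy. The thresholds and the sample images are constructed here; the appended blob is pseudo-random data standing in for an encrypted payload, and a single-byte XOR key (as in the campaign described above) would not lower a real payload’s entropy either.

```python
import math
import random
import struct
from dataclasses import dataclass


@dataclass
class BmpFinding:
    declared_size: int       # file size claimed in the BITMAPFILEHEADER
    actual_size: int         # bytes actually present
    expected_size: int       # pixel-data offset + computed pixel-array length
    trailing_bytes: int      # bytes that sit after the pixel array ends
    trailing_entropy: float  # Shannon entropy (bits/byte) of those trailing bytes
    suspicious: bool


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 is the maximum."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def inspect_bmp(data: bytes, entropy_threshold: float = 6.0) -> BmpFinding:
    """Parse the BMP headers and report any bytes lying beyond the pixel array."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file with a BITMAPINFOHEADER")
    # BITMAPFILEHEADER after the 'BM' tag: bfSize, bfReserved1, bfReserved2, bfOffBits
    declared_size, _r1, _r2, pixel_offset = struct.unpack_from("<IHHI", data, 2)
    # BITMAPINFOHEADER: biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression, biSizeImage
    dib_size, width, height, _planes, bpp, compression, size_image = struct.unpack_from("<IiiHHII", data, 14)
    if dib_size < 40:
        raise ValueError("unsupported DIB header size %d" % dib_size)
    # Uncompressed rows are padded to 4-byte boundaries and biSizeImage may be 0 for
    # BI_RGB, so compute the pixel-array length ourselves; compressed images must state it.
    if compression == 0:
        row_size = ((bpp * width + 31) // 32) * 4
        pixel_bytes = row_size * abs(height)
    else:
        pixel_bytes = size_image
    expected_size = pixel_offset + pixel_bytes
    trailing = data[expected_size:]
    entropy = shannon_entropy(trailing)
    # Appended data usually leaves the declared size untouched, so a size mismatch is
    # the strongest signal; entropy is a secondary hint (assumed threshold of 6.0 bits).
    suspicious = len(trailing) > 0 and (declared_size != len(data) or entropy >= entropy_threshold)
    return BmpFinding(declared_size, len(data), expected_size, len(trailing), entropy, suspicious)


def build_bmp(width: int, height: int) -> bytes:
    """Construct a minimal all-black 24-bit BMP (a test fixture, not a real logo file)."""
    row_size = ((24 * width + 31) // 32) * 4
    pixel_bytes = row_size * height
    file_header = b"BM" + struct.pack("<IHHI", 54 + pixel_bytes, 0, 0, 54)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, pixel_bytes, 2835, 2835, 0, 0)
    return file_header + dib_header + bytes(pixel_bytes)


# Constructed samples: a clean 2x2 image, and the same image with 512 pseudo-random
# bytes appended to stand in for an encrypted blob hidden after the pixel data.
CLEAN_BMP = build_bmp(2, 2)
_rng = random.Random(1234)
HIDDEN_BLOB = bytes(_rng.getrandbits(8) for _ in range(512))
STEGO_BMP = CLEAN_BMP + HIDDEN_BLOB

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_BMP), ("appended", STEGO_BMP)):
        print(label, inspect_bmp(sample))
```

The size check is deliberately independent of the entropy check: a payload hidden by overwriting pixel bits rather than by appending would pass the size test, and a low-entropy payload would pass the entropy test, so the two signals are combined rather than relied on singly.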


Royal Ransoms for Royal Ransomware

Royal, a ransomware operation launched in January 2022, has been making headlines with its campaign.

The group began its reign of cybercrime by using the Zeon and Conti ransomware encryptors. In September, however, it rebranded to “Royal” after adopting its own encryptor. It breaches systems using callback phishing attacks, impersonating software providers and delivery partners for subscriptions.


The phishing emails contain subscription-cancellation phone numbers that connect the victim to the threat actors, who use social engineering to convince targets to install remote access software. With initial access to the organizational network, the threat actors deploy Cobalt Strike for persistence and lateral movement, then encrypt files, appending the “.royal” file extension.

The ransomware encrypts virtual hard disk files and leaves a readme file containing a link to a private Tor negotiation page, where ransoms ranging from $250,000 to $2 million are demanded.

Royal claims that it steals critical data so it can strike once more in a double-extortion attack, but the data has not yet appeared on any leak site. Admins are advised to monitor their networks and Windows systems to detect Royal attacks.
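The two behaviours this section describes, files renamed with a “.royal” extension and a readme ransom note dropped alongside them, are exactly what a file-activity monitor can key on. The detector below is an added example, not code from the article or from any vendor: it parses constructed file-event log lines, keeps a sliding one-minute window of “.royal” renames per host, and raises one alert when a burst crosses a threshold and another when a readme appears on a host that has already seen such renames. The log format, the 60-second window, the threshold of five renames and the sample events are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

RANSOM_EXT = ".royal"                   # extension appended by the Royal encryptor
NOTE_NAMES = {"readme", "readme.txt"}   # the readme ransom note mentioned in the article
RENAME_THRESHOLD = 5                    # assumed tuning value: .royal renames per host in WINDOW
WINDOW = timedelta(seconds=60)

# Constructed log format: '<ISO-8601 ts> host=<name> op=<CREATE|RENAME> path="<path>"'
EVENT_RE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+op=(?P<op>\S+)\s+path="(?P<path>[^"]*)"$')


def parse_event(line: str) -> Optional[dict]:
    """Parse one event line; malformed lines are skipped rather than trusted."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "host": m["host"], "op": m["op"], "path": m["path"]}


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def detect_royal(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (host, reason) alerts: 'mass_rename' for a burst of .royal renames,
    'ransom_note' for a readme created on a host that has already seen such renames."""
    renames: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, str]] = []
    fired = set()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        host, name = ev["host"], basename(ev["path"]).lower()
        if ev["op"] == "RENAME" and name.endswith(RANSOM_EXT):
            q = renames[host]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:      # slide the window forward
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and (host, "mass_rename") not in fired:
                alerts.append((host, "mass_rename"))
                fired.add((host, "mass_rename"))
        elif ev["op"] == "CREATE" and name in NOTE_NAMES and renames.get(host):
            if (host, "ransom_note") not in fired:
                alerts.append((host, "ransom_note"))
                fired.add((host, "ransom_note"))
    return alerts


# Constructed sample events: FS01 shows the encryption pattern, WS07 a lone rename.
SAMPLE_EVENTS = [
    '2022-09-28T10:00:00Z host=FS01 op=CREATE path="C:\\Shares\\finance\\budget.xlsx"',
    '2022-09-28T10:00:05Z host=FS01 op=RENAME path="C:\\Shares\\finance\\budget.xlsx.royal"',
    '2022-09-28T10:00:10Z host=FS01 op=RENAME path="C:\\Shares\\finance\\q3.docx.royal"',
    '2022-09-28T10:00:15Z host=FS01 op=RENAME path="C:\\Shares\\finance\\payroll.csv.royal"',
    '2022-09-28T10:00:20Z host=FS01 op=RENAME path="C:\\VMs\\fileserver.vhdx.royal"',
    '2022-09-28T10:00:25Z host=FS01 op=RENAME path="C:\\VMs\\dc01.vhd.royal"',
    '2022-09-28T10:00:30Z host=FS01 op=CREATE path="C:\\Shares\\finance\\README.TXT"',
    '2022-09-28T10:00:40Z host=WS07 op=RENAME path="C:\\Users\\alice\\notes.txt.royal"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for alert in detect_royal(SAMPLE_EVENTS):
        print("ALERT", *alert)
```

The single rename on WS07 stays below the threshold on purpose: a lone “.royal” file can be a user renaming something by hand, whereas a burst across virtual disk files and shares within a minute is the encryptor at work. Real deployments would read these events from an EDR or file-server audit feed rather than from a list.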


Taxpayers Must Remain Vigilant for SMS Phishing, Says IRS

The IRS (Internal Revenue Service) has issued a new warning to Americans about the surge in IRS-themed SMS phishing, or smishing, campaigns. The IRS has identified an exponential increase in SMS phishing targeting taxpayers this year.

Phishing is a cybercrime that lures individuals to fake websites designed to impersonate genuine ones in order to collect personal information, harvest credentials, or steal money. The IRS pointed out that the last few weeks have seen a growth in IRS impersonation in phishing campaigns aimed at stealing money and personal information.

With MMS, SMS, and text scams rising, phishing is now operating on an industrial scale, with hundreds of thousands of malicious IRS-themed phishing messages being delivered. Phishing has been on the rise since the fall of 2020 and continued through the COVID-19 pandemic, baiting individuals and harming their digital lives.

The IRS has urged individuals to report all phishing scams and has explained steps to keep SMS phishing artists at bay, even posting a video on YouTube. Americans should remain vigilant about phishing texts, especially those that impersonate the IRS, and always cross-check information on the authentic IRS portal.


Crypto.com Jobs Dropping Malware on Mac Devices

Fake “Crypto.com” job offers have been circulating on the web, duping crypto enthusiasts and unsuspecting victims. Lazarus, a North Korean cybercriminal group, is behind the malware campaign, which tricks targets in order to breach internal networks and steal substantial crypto and NFT holdings.

Lazarus uses LinkedIn to reach targets, offering lucrative job opportunities and sending victims a macOS binary disguised as a PDF. The PDF is a 26-page document with a fake list of Crypto.com vacancies, named “Crypto.com_Job_Opportunities_2022_confidential.pdf.” Once downloaded, the file creates a folder called “Wifi Preference” in the Library directory and deploys “WifiAnalyticsServ.app.”


The application loads a persistence agent that connects to the C2 server and downloads a “Wifi Cloud Widget” for malicious activity. The threat actors do not encrypt the files, and they sign them with ad hoc signatures to dupe Apple Gatekeeper checks and execute. Lazarus has been targeting top crypto businesses and organizations and was also responsible for the $617 million crypto theft from the P2E (Play to Earn) game Axie Infinity in the past.

With cryptocurrency, NFTs, and P2E games gaining popularity and growing tremendously, it would be best to stay away from phony crypto job offers for the time being.
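The lure in this campaign works because the file is judged by its name rather than its contents: a Mach-O executable carrying a “.pdf” extension. The check below is an added example, not code from the article or from any researcher who analysed the Lazarus sample: it classifies a file by its magic bytes, reads the Mach-O header far enough to report the CPU type and file type, and flags any “.pdf”-named file whose content is not a PDF. The file name is the one quoted above; the byte fixtures are constructed here (a tiny genuine PDF and a bare 64-bit x86_64 Mach-O header with no load commands). It does not inspect code signatures, so the ad hoc signing mentioned above is outside what it can catch; that needs codesign or equivalent tooling.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Raw magic bytes as they appear at offset 0, mapped to (kind, struct byte-order prefix).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": ("macho32", ">"),
    b"\xce\xfa\xed\xfe": ("macho32", "<"),
    b"\xfe\xed\xfa\xcf": ("macho64", ">"),
    b"\xcf\xfa\xed\xfe": ("macho64", "<"),
    b"\xca\xfe\xba\xbe": ("macho-fat", ">"),  # shared with Java class files; fat headers are big-endian
}
CPU_TYPES = {0x7: "i386", 0x01000007: "x86_64", 0xC: "arm", 0x0100000C: "arm64"}
FILETYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}


@dataclass
class Verdict:
    claimed: str             # type implied by the file name extension
    detected: str            # type implied by the content
    cpu: Optional[str]
    filetype: Optional[str]
    mismatch: bool           # True when a ".pdf" name does not carry PDF content


def detect_type(data: bytes) -> Tuple[str, Optional[str], Optional[str]]:
    """Classify by content, never by name. Returns (kind, cpu, Mach-O filetype)."""
    if data.startswith(b"%PDF-"):
        return ("pdf", None, None)
    kind_endian = MACHO_MAGICS.get(data[:4])
    if kind_endian is None:
        return ("unknown", None, None)
    kind, endian = kind_endian
    if kind == "macho-fat" or len(data) < 16:
        return (kind, None, None)
    # mach_header and mach_header_64 both begin: magic, cputype, cpusubtype, filetype, ...
    cputype, _cpusubtype, filetype = struct.unpack_from(endian + "III", data, 4)
    return (kind, CPU_TYPES.get(cputype, hex(cputype)), FILETYPES.get(filetype, str(filetype)))


def check_claimed_pdf(filename: str, data: bytes) -> Verdict:
    """Compare what the extension claims with what the bytes say."""
    claimed = "pdf" if filename.lower().endswith(".pdf") else "other"
    detected, cpu, filetype = detect_type(data)
    return Verdict(claimed, detected, cpu, filetype, mismatch=(claimed == "pdf" and detected != "pdf"))


# Constructed fixtures: the name from the article, a minimal real PDF, and a bare
# little-endian 64-bit Mach-O header for x86_64 marked MH_EXECUTE (not the Lazarus sample).
SAMPLE_NAME = "Crypto.com_Job_Opportunities_2022_confidential.pdf"
REAL_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
FAKE_PDF = struct.pack("<IIIIIIII", 0xFEEDFACF, 0x01000007, 0x3, 0x2, 0, 0, 0, 0)

if __name__ == "__main__":
    print(check_claimed_pdf(SAMPLE_NAME, REAL_PDF))
    print(check_claimed_pdf(SAMPLE_NAME, FAKE_PDF))
```

A mail gateway or download scanner would run the same comparison on every attachment; the point of reading the Mach-O header rather than stopping at the magic is that an `MH_EXECUTE` x86_64 or arm64 image behind a document extension is a far stronger signal than an unrecognised blob.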


Hacker Deletes Stolen Data, Issues Apology

In a rare case, the threat actors who breached Optus, stealing the customer data of 11 million clients, withdrew their extortion demands due to increased pressure from law enforcement and public attention.

Australia’s second-largest mobile operator, Optus, disclosed a security breach on September 22 in which the threat actor gained access to customer data, including customer names, dates of birth, phone numbers, residential addresses, driver’s licenses, email addresses, and passport numbers. The following day, the threat actor issued a demand of $1 million, threatening to leak the data they had stolen through unsecured API endpoints.

When the demand was not met, the threat actors released a sample of 10,000 records and reached out to victims, asking them to pay $1,300 within two days to stop the sale of their data to other cybercriminals. On September 27, the threat actor posted a message on the Breached forum explaining that the data would not be sold or leaked. With too much attention on the data breach, the threat actor apologized to Optus and its clientele and claimed to have deleted all the stolen data.

The news certainly came as a shock, as there are not many cybercriminals who would succumb to pressure and disappear without causing harm. Optus continues to update its customers and has offered Equifax’s free credit monitoring and identity protection for a year.


Ukraine Warning Allies of Increase in Russian Cyberattacks

The Ukrainian military intelligence service has highlighted that Russia is planning to target the critical infrastructure of Ukraine and its allies using massive cyberattacks.

Amidst the war between Russia and Ukraine, the Main Directorate of Intelligence of the Ukrainian Defence Ministry says that massive cyberattacks intended to disrupt and take down the energy sectors of Ukraine and its allies are the next stage of Russia’s cyberattack campaign.

The cyberattacks are intended to slow the Ukrainian military’s offensive. Furthermore, Russia is expected to increase missile strikes on electricity supply facilities in eastern and southern Ukraine and to intensify DDoS attacks on Ukraine’s closest allies, Poland and the Baltic states.


The entire world is already on high alert and in increased tension, with US President Joe Biden even highlighting that severe cyberattacks could trigger a shooting war, following NATO’s comparison of cyberattacks to armed ones in specific circumstances.
