Tag Archive for: MONTHS

New QakBot phishing campaign appears, months after FBI takedown


Months after an international law enforcement operation dismantled the notorious QakBot botnet, a new phishing campaign distributing the same malicious payload has been discovered.

QakBot (also known as “QBot,” “QuackBot” and “Pinkslipbot”) was one of the most deployed malware loaders in 2023 until an FBI-led takedown in August took the operation offline and untethered 700,000 compromised machines from the botnet.

In a Dec. 15 post on X (previously Twitter), Microsoft’s Threat Intelligence team said they had identified a new QakBot phishing campaign.

“The campaign began on December 11, was low in volume, and targeted the hospitality industry,” the researchers said.

Targets of the new campaign received an email purporting to be from a U.S. Internal Revenue Service (IRS) employee. The email included a PDF attachment containing a URL that downloaded a digitally signed Windows Installer (.MSI) file.

If victims executed the MSI file, it launched QakBot malware. The payload was configured with a previously unseen version of the malware, 0x500, the Microsoft researchers said.

While the unique versioning suggested updates may have been introduced over the past few months, another researcher said on X: “All in all, this new Qbot version feels basically the same as the old stuff just with some minor tweaks.”

The ‘duck hunt’ is set to resume

As well as dismantling the botnet in August – in what was dubbed “Operation Duck Hunt” – authorities also seized infrastructure and $8.6 million in cryptocurrency belonging to the gang responsible for QakBot.

While taking out such a major botnet that had taken years to build was considered a significant victory, researchers warned at the time that because arrests were not made, there was a possibility the threat actors responsible for QakBot could regroup.

In October, Cisco Talos said it believed the same gang had been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails in the weeks prior to the QakBot takedown. Talos researchers said while the August raid took down the group’s command-and-control servers, it had not impacted their spam delivery infrastructure.

QakBot was first observed in 2008…

Source…

FBI-led takedown keeps crims at bay for just 3 months • The Register


Multiple sources are confirming the resurgence of Qakbot malware mere months after the FBI and other law enforcement agencies shuttered the Windows botnet.

Microsoft Threat Intelligence reckons a new Qakbot phishing campaign is active as of December 11 but attack attempts are currently low in volume.

The gang targets the hospitality sector, initially using phishing emails containing malicious PDF attachments that they’ve doctored to look like they come from the US Internal Revenue Service (IRS).

When opened, the PDF presents the target with an error screen indicating a preview of the document isn’t available, alongside a button to download the document from “AdobeCloud.”

Germán Fernández, security researcher at CronUp, said the same PDF template was used by Pikabot operators just days earlier – Windows malware that shares many similarities with Qakbot. Both are being associated with attacks from the group Proofpoint tracks as TA577.

Clicking the button in the PDF led to the download and installation of Qakbot, which Microsoft said may have been an updated payload. The previously unseen version, 0x500, was generated on December 11, according to its analysis.

The team at Zscaler ThreatLabz confirmed that the payload was updated, and the new version has a 64-bit architecture, uses AES for network encryption, and sends POST requests to path /teorema505.
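The one network-level detail the reporting gives is that the new build beacons with HTTP POST requests to the path /teorema505. Below is an added detection example (not code from Microsoft, Zscaler, Proofpoint or the Qakbot operators) that scans access-log lines for that pattern. It assumes an Apache/Squid "combined"-style log format; the sample lines, the function names and the 203.0.113.5 address are constructed for illustration and are not real campaign infrastructure.

```python
import re
from urllib.parse import urlsplit

# Path reported by Zscaler ThreatLabz for the new Qakbot build's POST beacons.
QAKBOT_C2_PATH = "/teorema505"

# Apache/Squid "combined"-style access log line (assumed format). The request
# target may be an absolute URL (forward-proxy logs) or a bare path (web-server logs).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Parse one log line into a dict (src, ts, method, host, path, status); None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # urlsplit already separates the query string; also collapse a trailing
    # slash so "/teorema505/" and "/teorema505?x=1" normalise to "/teorema505".
    path = parts.path.rstrip("/") or "/"
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "host": parts.netloc,          # empty for web-server (path-only) logs
        "path": path,
        "status": int(m.group("status")),
    }


def is_qakbot_beacon(rec) -> bool:
    """POST to /teorema505, regardless of host or status code.

    The host is deliberately ignored because C2 infrastructure rotates; the
    comparison is case-insensitive as a detection choice (a miss is costlier
    than an extra alert to triage).
    """
    return rec["method"] == "POST" and rec["path"].casefold() == QAKBOT_C2_PATH.casefold()


def scan(log_text: str):
    """Return the parsed records in log_text that match the beacon pattern; unparsable lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_qakbot_beacon(rec):
            hits.append(rec)
    return hits


# Constructed sample traffic (not real logs). 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
10.1.2.3 - - [12/Dec/2023:09:14:02 +0000] "POST http://203.0.113.5/teorema505 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.1.2.3 - - [12/Dec/2023:09:14:05 +0000] "GET http://example.com/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.1.2.7 - - [12/Dec/2023:09:15:11 +0000] "POST http://203.0.113.5/teorema505?x=1 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
10.1.2.9 - - [12/Dec/2023:09:16:40 +0000] "GET http://203.0.113.5/teorema505 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
10.1.2.9 - - [12/Dec/2023:09:17:00 +0000] "POST /TEOREMA505/ HTTP/1.1" 200 300 "-" "curl/8.0"
this line is corrupt and must be skipped, not crash the scan
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} -> {h['host'] or '(local)'}{h['path']} status={h['status']}")
```

Of the constructed lines, three are flagged (the plain POST, the POST with a query string, and the path-only POST with different casing and a trailing slash); the GET to the same path and the corrupt line are not. A short fixed path is a weak indicator on its own, so in production this would be paired with the source host's reputation and with the endpoint telemetry from the delivery chain described above (PDF opened, MSI downloaded and executed) rather than used as a sole alert.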

Two researchers at Proofpoint, Tommy Madjar and Pim Trouerbach, also confirmed they had spotted updated Qakbot activity, but the new features only amount to “minor tweaks.” 

They added that the new Qakbot activity goes back to November 28, roughly two weeks earlier than December 11 – the date Microsoft first spotted it.

Qakbot’s takedown

August saw the conclusion of Operation Duck Hunt with what authorities said at the time was a takedown of Qakbot, seizing its infrastructure and 20 of its operators’ crypto wallets.

The FBI, which oversaw Op Duck Hunt, said it was “the most significant technological and financial operation ever led by the Department of Justice against a botnet.” 

The operation was also supported by authorities in the UK, France, Germany, the Netherlands, and Latvia, but didn’t result in any…

Source…

Hong Kong Ballet reports data breach from ransomware attack, becomes third well-established city organisation to be hacked in 2 months


Hong Kong Ballet has reported a data breach caused by a ransomware attack on its computer systems, becoming the third well-established organisation in the city to be hacked in two months.

In an official statement released on Monday night, the renowned cultural institution said it had recently discovered its network systems had been infected with ransomware, allowing intruders to illegally access files stored on computers.

Data including personal user details and the organisation’s internal information had been viewed by the intruders, while it was still working to determine the full scope of data accessed, it said in the statement.


But the organisation added that, because the ransomware had encrypted files, it was unable to determine the contents of all the files that were illegally accessed.

“We take this matter seriously and are diligently working to address the issue promptly and responsibly,” the institution, founded in 1979, said, expressing regret over the matter.

It also added it had not received any ransom demands or threats of data leak so far.

The company said it had immediately launched an internal investigation upon detecting the incident and hired external cybersecurity experts to assess the extent of the breach and implement measures.


The ballet institution, financially backed by the government, also notified police and the Office of the Privacy Commissioner for Personal Data.

It urged partners to remain vigilant and take precautionary measures such as regularly changing passwords, monitoring financial statements, and exercising caution when handling suspicious messages.

Users should also be wary of potential phishing attempts and should only share personal information through official channels, it warned, adding that efforts had been made to contain the incident and prevent further unauthorised access to internal systems.


Early last month, international hackers demanded a ransom of HK$2.35 million (US$300,500) after hacking into tech hub Cyberport’s computers and stealing…

Source…

Mobile internet services to be restored after over four months


Manipur Chief Minister N Biren Singh said that mobile internet services will be restored across the state from Saturday, PTI reported.

The Bharatiya Janata Party government in the state had shut down both broadband and mobile internet services in the wake of ethnic violence between the Meiteis and the Kukis that broke out on May 3. Over 200 people have been killed in the state since the conflict broke out.

The government had said that it took the decision to prevent people from spreading disinformation and rumours on social media.

On July 25, the government had conditionally lifted the ban on broadband internet services. It had allowed internet to be provided through Internet Leased Lines, typically used by businesses, and Fibre to the Home connections, which are more expensive to install than traditional broadband ones.

However, the July order did not allow internet connections through WiFi hotspots. Social media websites and virtual private networks also remained blocked.

On Saturday, Singh told reporters that as the situation in Manipur had improved, the government had decided to restore mobile internet services.

The chief minister also said that the Free Movement Regime that allows people from India and Myanmar to travel up to 16 kilometers inside each other’s territory has been suspended. He added that the Manipur government has requested the Centre to permanently close the agreement.

The BJP government has alleged on a number of occasions that the violence in Manipur was due to the influx of Kukis from Myanmar following the military coup in 2021 in the Southeast Asian country.

Union Home Minister Amit Shah had claimed in Parliament in August that the increase of Kukis from Myanmar into Manipur had led to anxieties among the majority Meitei community.

Surrender illegal weapons within 15 days: Manipur government

On Friday, the Manipur government told citizens to surrender illegal weapons within 15 days, after which comprehensive search operations will be carried out by central and state security forces.

Since the violence broke out in the state, there have been several reports of mobs attempting to loot state armouries. On several occasions, mobs have also clashed with central…

Source…