
Ongoing Autom Cryptomining Malware Attacks Using Upgraded Evasion Tactics



An ongoing crypto mining campaign has upgraded its arsenal while adding new defense evasion tactics that enable the threat actors to conceal the intrusions and fly under the radar, new research published today has revealed.

Since first detecting the campaign in 2019, researchers from DevSecOps and cloud security firm Aqua Security, who have tracked the malware operation for the past three years, have recorded a total of 84 attacks against their honeypot servers, four of which took place in 2021. Separately, 125 attacks were spotted in the wild in the third quarter of 2021 alone, signaling that the attacks have not slowed down.

Initial attacks involved executing a malicious command upon running a vanilla image named “alpine:latest” that resulted in the download of a shell script named “autom.sh.”

“Adversaries commonly use vanilla images along with malicious commands to perform their attacks, because most organizations trust the official images and allow their use,” the researchers said in a report shared with The Hacker News. “Over the years, the malicious command that was added to the official image to carry out the attack has barely changed. The main difference is the server from which the shell script autom.sh was downloaded.”


The shell script initiates the attack sequence: it creates a new user account named “akay” and elevates it to root privileges, after which arbitrary commands are run on the compromised machine with the goal of mining cryptocurrency.

While the early stages of the campaign in 2019 featured no special techniques to hide the mining activity, later versions show the lengths its developers have gone to in order to keep it invisible to detection and inspection. Chief among these measures are the ability to disable security mechanisms and the retrieval of an obfuscated mining shell script that was Base64-encoded five times to get around security tools.
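As an added example (not code from Aqua's report or from this page), the following Python routine peels nested Base64 layers so an analyst can inspect a payload like the five-times-encoded script described above; the sample script, the `wrap_layers` helper and the layer threshold are constructed for illustration.

```python
import base64
import binascii

# Constructed benign sample standing in for a downloaded shell script.
SAMPLE_SCRIPT = b"#!/bin/sh\necho 'constructed sample script'\n"


def _try_b64(blob: bytes):
    """Return the decoded bytes if blob is one valid Base64 layer, else None."""
    compact = b"".join(blob.split())  # tolerate line-wrapped encodings
    if len(compact) < 8 or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error:
        return None


def peel_base64(blob: bytes, max_layers: int = 16):
    """Decode Base64 repeatedly until the content is no longer valid Base64.

    Returns (innermost_bytes, number_of_layers_removed). The max_layers bound
    guards against pathological inputs that keep decoding forever.
    """
    layers = 0
    while layers < max_layers:
        inner = _try_b64(blob)
        if inner is None:
            break
        blob, layers = inner, layers + 1
    return blob, layers


def wrap_layers(data: bytes, times: int) -> bytes:
    """Helper used only to build the constructed sample: encode `times` layers."""
    for _ in range(times):
        data = base64.b64encode(data)
    return data


def summarize(blob: bytes, threshold: int = 2) -> dict:
    """Triage summary: a payload hidden behind two or more Base64 layers is
    flagged as suspicious, since legitimate scripts are rarely double-encoded."""
    inner, layers = peel_base64(blob)
    return {
        "nested_layers": layers,
        "inner_size": len(inner),
        "starts_with_shebang": inner.startswith(b"#!"),
        "suspicious": layers >= threshold,
    }
```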


Malware campaigns carried out to hijack computers to mine cryptocurrencies have been dominated by multiple threat actors such as Kinsing, which has been found scanning the internet for misconfigured Docker servers to break into the unprotected hosts and install a previously…

Source…

The Acronis cyberthreats report 2022 reveals ongoing malware pandemic – Middle East & Gulf News


Acronis, a global leader in cyber protection, recently released its annual Acronis Cyberthreats Report, the 2022 version, providing an in-depth review of cybersecurity trends and threats worldwide.

The report warns that managed service providers (MSPs) are particularly at risk, with more of their own management tools, such as PSA or RMM, used against them by cybercriminals, and thus are becoming increasingly vulnerable to supply chain attacks.

Supply-chain attacks on MSPs are particularly devastating since attackers gain access to both their business and clients, as seen in the SolarWinds breach last year and the Kaseya VSA attack earlier in 2021.

The report also shows that during the second half of 2021, only 20% of companies reported not having been attacked, as opposed to 32% last year.

Key trends of 2021 and predictions for 2022

Beyond the growing efficiency of cybercriminals and the impact on MSPs and small businesses, the Acronis Cyberthreats Report 2022 shows:

  • Phishing remains the main attack vector. 94% of malware is delivered by email, using social engineering techniques to trick users into opening malicious attachments or links. Just this year, Acronis reported blocking 23% more phishing emails and 40% more malware emails in Q3 compared with Q2 of the same year.
  • Phishing actors develop new tricks and move to messengers. Now targeting OAuth and multifactor authentication (MFA) tools, these new tricks allow criminals to take over accounts. To bypass common anti-phishing tools, they use text messages, Slack, Teams chats and other channels for attacks such as business email compromise (BEC).
  • Ransomware is still the #1 threat. High-value targets include the public sector, healthcare, manufacturing, and other critical organizations. Ransomware continues to be one of the most profitable cyber attacks these days. Acronis predicts ransomware damages will exceed $20 billion before the end of 2021.
  • Cryptocurrency among the attackers’ favorite playing cards. Info stealers and malware that swaps digital wallet addresses are the reality today. We can expect more such attacks waged directly against smart contracts in 2022. Attacks against Web 3.0 apps will also occur more…

Source…

FBI Cyber Crime Division Warns Tribal Casinos About Ongoing Threats


Posted on: November 6, 2021, 05:54h.

Last updated on: November 6, 2021, 05:54h.

The FBI Cyber Crime Division says casinos owned by Native Americans should remain on high alert for ransomware attacks.

FBI Director Christopher Wray says cybercrime is only intensifying in frequency. Tribal casinos, the federal intelligence and security agency says, are at high risk of a criminal online attack. (Image: Getty)

Numerous cyber attacks on tribal casino resorts have been reported in recent years, and federal officials say such crime is on the rise. In an industry notification distributed to tribal casino properties last week, the FBI says cyber gangs find such businesses attractive targets because of an array of perceived security shortcomings.

Bleeping Computer, an information security and technology media outlet that first reported on the FBI intelligence, explains that since the tribal casinos are located on sovereign land, their IT infrastructure networks are at greater risk of attack.

“Limited cyber investigative capabilities and law enforcement resources are likely some of the reasons behind ransomware groups seeing US tribes as desirable targets,” wrote Sergiu Gatlan for Bleeping Computer.

The FBI Cyber Crime Division adds that while many tribal casinos are IT savvy with world-class computer networks and gaming systems, many others remain limited to basic internet security safeguards.

Bounties Growing

In mid-September of 2020, the Cache Creek Casino Resort in Northern California confirmed it was forced to shutter its gaming and resort operations due to a cyber attack. The tribal casino complex initially told guests that it was closing due to a “systems infrastructure failure.” The Yocha Dehe Wintun Nation, owners of the resort, later revealed that internet criminals were behind the IT intrusion. The attack kept the casino closed for three weeks.

This year, a cyber attack in Oklahoma resulted in all six Lucky Star Casinos shuttering operations. Tribal officials said they were working with the FBI to resolve the matter…

Source…

Russian hackers target US networks in ‘ongoing’ cyberattack


Russian-linked hackers blamed for the massive cyberattack on the US last year have been targeting hundreds of companies and organizations in their latest wave of attacks on US-based computer networks — even as the White House dismisses the incident as “unsophisticated, run-of-the-mill operations.”

In a blog post Sunday, Microsoft said Nobelium — the Russian-based agency behind last year’s widespread SolarWinds attack — has been targeting cloud service providers and technology service organizations in a bid to obtain data.

The attacks have targeted organizations in the US and Europe since May, Microsoft said.

One of Microsoft’s top security officers, Tom Burt, told the New York Times, which first reported the breach, that the latest attack was “very large and ongoing.”

“Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain. This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers,” Microsoft said in its blog post.

Top Microsoft security officer Tom Burt claims Russian agency Nobelium is trying to disrupt the “global IT supply chain.” (Image: Reuters)

“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.” 

Microsoft said it had notified 609 customers between July 1 and Oct. 19 that they had been attacked.

The company insisted only a small percentage of the latest attempts were successful.

President Biden greets Russian President Vladimir Putin during a US-Russia summit in Geneva, Switzerland, on June 16, 2021. (Image: Getty Images)

“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling — now or in the future — targets of interest to the Russian…

Source…