Tag Archive for: Orgs

Dangerous New ICS Malware Targets Orgs in Russia and Ukraine


Two dangerous malware tools targeted at industrial control systems (ICS) and operational technology (OT) environments in Europe are the latest manifestations of the cyber fallout from the war in Ukraine.

One of the tools, dubbed “Kapeka,” appears linked to Sandworm, a prolific Russian state-backed threat actor that Google’s Mandiant security group this week described as the country’s primary cyberattack unit in Ukraine. Security researchers from Finland-based WithSecure spotted the backdoor featured in 2023 attacks against an Estonian logistics company and other targets in Eastern Europe and perceive it as an active and ongoing threat.

Destructive Malware

The other malware — somewhat colorfully dubbed Fuxnet — is a tool that Ukraine government-backed threat group Blackjack likely used in a recent, destructive attack against Moskollector, a company that maintains a large network of sensors for monitoring Moscow’s sewage system. The attackers used Fuxnet to successfully brick what they claimed was a total of 1,700 sensor-gateways on Moskollector’s network and in the process disabled some 87,000 sensors connected to these gateways.

“The main functionality of the Fuxnet ICS malware was corrupting and blocking access to sensor gateways, and trying to corrupt the physical sensors as well,” says Sharon Brizinov, director of vulnerability research at ICS security firm Claroty, which recently investigated Blackjack’s attack. As a result of the attack, Moskollector will likely have to physically reach each of the thousands of affected devices and replace them individually, Brizinov says. “To restore [Moskollector’s] ability of monitoring and operating the sewage system all around Moscow, they will need to procure and reset the entire system.”

Kapeka and Fuxnet are examples of the broader cyber fallout from the conflict between Russia and Ukraine. Since the war between the two countries started in February 2022 — and even well before that — hacker groups from both sides developed and used a range of malware tools against each other. Many of the tools, including wipers and ransomware, have been destructive or disruptive in nature and mainly targeted critical infrastructure, ICS, and OT…

Source…

Updated Truebot Malware Targeting Orgs in US, Canada


Cybercrime, Fraud Management & Cybercrime, Malware-as-a-Service

New Variant of Trojan Called Silence.Downloader Seen in May

North American cybersecurity agencies are warning about a new variant of the Truebot Trojan that collects and exfiltrates information from victims.

In an advisory published Thursday, the U.S. Cybersecurity and Infrastructure Security Agency, the FBI, the Multi-State Information Sharing and Analysis Center and the Canadian Centre for Cyber Security warned that cybercriminals were using the newly identified variant, tracked as Silence.Downloader, as recently as May 31.

Silence.Downloader exploits a known critical-severity vulnerability, CVE-2022-31199, a remote code execution flaw in Netwrix Auditor. Threat actors have leveraged this flaw to gain initial access and move laterally within the compromised network, CISA said. According to the advisory, the new variant is delivered both through phishing campaigns with malicious redirect hyperlinks and through exploitation of CVE-2022-31199.

“Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments, but these newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199, enabling deployment of the malware at scale within the compromised environment,” CISA said in the advisory.

The Netwrix audit tool is used for on-premises and cloud-based IT system auditing by over 13,000 organizations worldwide. It tracks activity across the IT environment to streamline IT…

Source…

Mass exploitation of critical MOVEit flaw is ransacking orgs big and small


Organizations big and small are falling prey to the mass exploitation of a critical vulnerability in a widely used file-transfer program. The exploitation started over the Memorial Day holiday—while the critical vulnerability was still a zero-day—and continues now, some nine days later.

As of Monday evening, payroll service Zellis, the Canadian province of Nova Scotia, British Airways, the BBC, and UK retailer Boots were all known to have had data stolen through the attacks, which are fueled by a recently patched vulnerability in MOVEit, a file-transfer provider that offers both cloud and on-premises services. Both Nova Scotia and Zellis had their own instances or cloud services breached. British Airways, the BBC, and Boots were customers of Zellis. All of the hacking activity has been attributed to the Russian-speaking Clop crime syndicate.

Widespread and rather substantial

Despite the relatively small number of confirmed breaches, researchers monitoring the ongoing attacks are describing the exploitation as widespread. They liken the hacks to smash-and-grab robberies, in which a window is broken and thieves grab whatever they can, and warn that the quick-moving heists are hitting banks, government agencies, and other targets in alarmingly high numbers.

“We have a handful of customers that were running MOVEit Transfer open to the Internet, and they were all compromised,” Steven Adair, president of security firm Volexity, wrote in an email. “Other folks we have talked to have seen similar.”

Adair continued:

I do not want to categorize our customers at this point since I do not know what all is out there in terms of who is running the software and give them away. With that said, though—it’s both massive and small organizations that have been hit. The cases we have looked into have all involved some level of data exfiltration. The attackers typically grabbed files from the MOVEit servers less than two hours after exploitation and shell access. We believe this was likely widespread and a rather substantial number of MOVEit Transfer servers that were running Internet-facing web services were…

Source…

0ktapus Hack Stole 10,000 Logins From 130 Different Orgs


Researchers say that a mysterious “threat actor” (a fancy term for a hacker or hacker group) has managed to steal nearly 10,000 login credentials from the employees of 130 organizations, in the latest far-reaching supply chain attack on corporate America. Many of the victims are prominent software companies, including firms like Twilio, MailChimp, and Cloudflare, among many others.

The news comes from research conducted by cybersecurity firm Group-IB, which began looking into the hacking campaign after a client was phished and reached out for help. The research shows that the threat actor behind the campaign, which researchers have dubbed “0ktapus,” used basic tactics to target staff from droves of well-known companies. The hacker(s) would use stolen login information to gain access to corporate networks before going on to steal data and then break into another company’s network.

“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations,” researchers wrote in their blog Thursday. “Furthermore, once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”

How the Hacking Campaign Worked

Unfortunately, this isn’t a wholly unfamiliar story. It’s been a pretty tough couple of years for corporate cybersecurity, tough enough to inspire the question: do blue-chip tech companies just totally suck at protecting themselves, or do hackers keep getting lucky, or both? While we can’t say for certain either way, what is clear is that the “0ktapus” campaign, like a lot of other recent hacking episodes, was remarkably successful at compromising a broad array of corporate networks using elementary intrusion techniques.

Researchers say that the hackers used a pretty standard tool, a phishing toolkit, to target employees of the companies that they wanted to breach. Such kits are prepackaged hacking tools that can be purchased—usually for pretty low prices—on the dark web. In this case, the hackers first went after companies that were users of

Source…