Posts

GoDaddy Hack Spreads to 6 More Web Hosts


The hack that exposed the details of 1.2 million GoDaddy customers has spread to six more web hosts. As Search Engine Journal reports, the six additional web hosts are all resellers of GoDaddy’s WordPress hosting services and include 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple, and tsoHost.

Customers of at least two of these web hosting companies have been sent emails very similar to the one GoDaddy sent out regarding the security breach. The hack they experienced also targeted Managed WordPress accounts and managed to leak email addresses, customer numbers, WordPress Admin passwords, sFTP database usernames and passwords for active customers, and in some cases SSL private keys.

WordPress security plugin maker Wordfence confirmed the hack has spread to these web hosts and published a quote from Dan Rice, VP of Corporate Communications at GoDaddy, as to the extent of the attack:

“The GoDaddy brands that resell GoDaddy Managed WordPress are 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple and tsoHost. A small number of active and inactive Managed WordPress users at those brands were impacted by the security incident. No other brands are impacted. Those brands have already contacted their respective customers with specific detail and recommended action.”

The intrusion began on Sept. 6, giving the attacker plenty of time to take advantage of the user data and access to accounts. It’s currently unknown how that access to the data has been used. All customers affected by the breach at the web hosts listed above need to be vigilant and extra cautious with the emails they receive.

Hopefully each company has either contacted or is in the process of contacting affected customers with the measures taken to close the security hole. If you believe your account was compromised and haven’t been contacted, be proactive and contact your web host to confirm the status/health of your account.

Source…

Android Flubot virus now spreads via fake security updates


The Flubot malware has switched to a new and likely more effective lure to compromise Android devices, now trying to trick its victims into infecting themselves with the help of fake security updates warning them of Flubot infections.

“Your device is infected with the FluBot® malware. Android has detected that your device has been infected,” the new Flubot installation page says. The Week in Ransomware – October 1st 2021 – “This was preventable” “FluBot is an Android spyware that aims to steal financial login and password data from your device. You must install an Android security update to remove FluBot.”

As New Zealand’s computer emergency response team (CERT NZ) warned earlier today, the message on Flubot’s new installation page is only a lure designed to instill a sense of urgency and pushing potential targets to install malicious apps.

Potential victims are also instructed to enable the installation of unknown apps if they’re warned that the malicious app cannot be installed on their device. “If you are seeing this page, it does not mean you are infected with Flubot however if you follow the false instructions from this page, it WILL infect your device,” CERT NZ explained.

This banking malware (also known as Cabassous and Fedex Banker) has been active since late 2020, and has been used to steal banking credentials, payment information, text messages, and contacts from compromised devices.

The SMS messages used to redirect targets to this installation page are about pending or missed parcel deliveries or stolen photos uploaded online.

Until now, Flubot spread to other Android phones by spamming text messages to contacts stolen from already infected devices and instructing the targets to install malware-ridden apps in the form of APKs delivered via attacker-controlled servers.

Once deployed via SMS and phishing, the malware will try to trick the victims into giving additional permissions on the phone and grant access to the Android Accessibility service, which allows it to hide and execute malicious tasks in the background.

Flubot will effectively take over the infected device, gaining access to the victims’ payment and banking info in the process via…

Source…

Flubot Android malware now spreads via fake security updates


Flubot Android malware now spreads via fake security updates

The Flubot malware has switched to a new and likely more effective lure to compromise Android devices, now trying to trick its victims into infecting themselves with the help of fake security updates warning them of Flubot infections.

As New Zealand’s computer emergency response team (CERT NZ) warned earlier today, the message on Flubot’s new installation page is only a lure designed to instill a sense of urgency and pushing potential targets to install malicious apps.

“Your device is infected with the FluBot® malware. Android has detected that your device has been infected,” the new Flubot installation page says.

“FluBot is an Android spyware that aims to steal financial login and password data from your device. You must install an Android security update to remove FluBot.”

Potential victims are also instructed to enable the installation of unknown apps if they’re warned that the malicious app cannot be installed on their device.

“If you are seeing this page, it does not mean you are infected with Flubot however if you follow the false instructions from this page, it WILL infect your device,” CERT NZ explained.

The SMS messages used to redirect targets to this installation page are about pending or missed parcel deliveries or stolen photos uploaded online.

CERTNZ Flubot warning

This banking malware (also known as Cabassous and Fedex Banker) has been active since late 2020, and has been used to steal banking credentials, payment information, text messages, and contacts from compromised devices.

Until now, Flubot spread to other Android phones by spamming text messages to contacts stolen from already infected devices and instructing the targets to install malware-ridden apps in the form of APKs delivered via attacker-controlled servers.

Once deployed via SMS and phishing, the malware will try to trick the victims into giving additional permissions on the phone and grant access to the Android Accessibility service, which allows it to hide and execute malicious tasks in the background.

Flubot will effectively take over the infected device, gaining access to the victims’ payment and banking info in the process via downloaded webview phishing page overlayed on top of legitimate mobile banking and…

Source…

COVID-19 themed malware and credential theft campaigns make a resurgence as Delta variant spreads


Proofpoint finds COVID-19 themed email threats make a resurgence as the Delta variant spreads.

Since late June 2021, Proofpoint has observed high volumes of COVID-19 themed threats distributing malware and credential theft campaigns, including a Microsoft credential theft campaign targeting thousands of organisations globally. Proofpoint researchers also identified an increase in business email compromise, with threat actors posing as human resource professionals to gain an individual’s trust.  

The new attacks follow a lull in COVID-19-themed threat campaigns through the Spring and early Summer of 2021. Now, multiple types of high-volume threats have pivoted back to using COVID-19 social engineering themes as global concern about the Delta variant rises. 

Proofpoint has been tracking ongoing threats using COVID-19 and related coronavirus themes since the beginning of the pandemic. TA452, known to distribute Emotet, first began using COVID-19 in email threats in January 2020. Although the virus has remained an ongoing theme, researchers have observed a significant increase in messages leveraging COVID-19 in recent months. 

Since late June 2021, Proofpoint has observed high a volume COVID-19 themed campaigns distributing RustyBuer, Formbook, and Ave Maria malware, in addition to multiple corporate phishing attempts to steal Microsoft and O365 credentials. The researchers also found an increase in business email compromise threats using COVID-19 themes during this timeframe.

“The increase in COVID-19 themes in our data aligns with public interest in the highly contagious COVID-19 Delta variant,” says Proofpoint.

“According to global Google Trend data, worldwide searches for “Delta variant” first peaked the last week in June 2021 and have continued through August 2021 so far. The increase in COVID-19 related threats is global. We observed tens of thousands of messages intended for customers in various industries worldwide.” 

Open-source data also supports a greater threat actor adoption of COVID-19 themes. South Korea, for example, recently raised its cyber threat warning level in response to an increase of threats related to its COVID-19 relief programs. 

Threat actors…

Source…