Tag Archive for: Surge

Ransomware attacks on Linux to surge


Trend Micro predicted that ransomware groups will increasingly target Linux servers and embedded systems over the coming years. It recorded a double-digit year-on-year (YoY) increase in attacks on these systems in 1H 2022.


Jon Clay, VP of threat intelligence for Trend Micro, said: “New and emerging threat groups continue to evolve their business model, focusing their attacks with even greater precision. That’s why it’s essential that organizations get better at mapping, understanding, and protecting their expanding digital attack surface. A single, unified cybersecurity platform is the best place to start.”

According to the data:

  • 63 billion threats blocked by Trend Micro in 1H 2022
  • 52% more threats in the first half of the year than the same period in 2021
  • Government, manufacturing and healthcare are the top three sectors targeted with malware

Detections of ransomware-as-a-service attacks surged in the first half of 2022. Among the major players, LockBit detections rose 500% YoY, while Conti detections nearly doubled in six months. The ransomware-as-a-service model has generated significant profits for ransomware developers and their affiliates.

New ransomware groups are emerging all the time

The most notable one in the first half of 2022 is Black Basta. The group hit 50 organizations in just two months. Many groups persist with the “big-game hunting” of large enterprises, although SMBs are an increasingly popular target.

One of the primary attack vectors for ransomware is vulnerability exploitation. Trend Micro’s Zero Day Initiative published advisories on 944 vulnerabilities in the period, a 23% YoY increase. The number of critical bug advisories published soared by 400% YoY.

APT groups continue to evolve their methods by employing expansive infrastructure and combining multiple malware tools. A ten-fold increase in Emotet detections is another proof point that threat actors are increasingly integrating Emotet into their elaborate cybercrime operations.

The concern is that threat actors are able to weaponize these flaws faster than vendors can release patch updates and/or customers can patch…

Source…

Lax Security Fuels Massive 8220 Gang Botnet Army Surge


Leveraging little more than Linux bugs, common cloud application vulnerabilities, and misconfigurations, the 8220 Gang has been able to use its latest IRC botnet to infect more than 30,000 hosts with its PwnRig cryptominer.

Researchers with SentinelOne reported observing this noteworthy increase in the number of infected hosts over the course of just the past month. In mid-2021, the analysts said the malicious botnet was running on just 2,000 hosts worldwide.

The 8220 Gang gets its name from its original command-and-control communications port choice: 8220.

“Over the past few years, 8220 Gang has slowly evolved their simple, yet effective, Linux infection scripts to expand a botnet and illicit cryptocurrency miner,” the cloud botnet security warning explained. “From our observations, the group has made changes over the recent weeks to expand the botnet to nearly 30,000 victims globally.”

Patching and better password hygiene would prevent most infections, researchers noted.

The report includes indicators of compromise (IoCs).


Source…

Car thieves face curbs on online sales of key hacking technology fuelling surge in crime


Criminal gangs of car thieves face new legal curbs to prevent them buying DIY devices online to hack keyless technology and steal vehicles.


Ministers and police chiefs are considering legislation to close loopholes that allow the devices to be bought online on sites including eBay and Amazon.

Amid a surge in thefts, the Telegraph found firms freely selling electronic equipment to hack keyless cars, jammers to disable trackers and modern “skeleton” keys to open and drive away vehicles.

Police chiefs and motor manufacturers are concerned that the ready availability of the technology is fuelling a rise in car thefts, which increased by 14 per cent last year to more than 105,000.

Criminals are getting the equipment online and then “productionizing” it for cheap mass use by gangs of thieves, according to Thatcham Research, the motor insurers’ automotive research centre.

Kit Malthouse, the policing minister, held a summit of police and car industry chiefs last week to consider countermeasures and is understood to be “open” to new laws to close the loopholes.

Assistant chief constable Jenny Sims, the National Police Chiefs’ Council’s (NPCC) lead on vehicle crime, said she was engaged in a “big piece of work” with the online firms to prevent sales of the devices to criminals and restrict them to legitimate businesses such as garages, car dealers and locksmiths.

“We are looking at whether or not there are any legislative changes we can make, but at the same time we are working with sellers as legislation takes time. We’d rather do it voluntarily through the sellers who are cooperating,” she said.


It is not illegal to sell, buy or possess the technology but police can arrest prospective thieves if they have the equipment with them and can be shown to be “going equipped” to steal a vehicle.

One company based in Bulgaria offered an off-the-shelf “car relay attack unit.” This enables one member of a gang to scan and capture the signal from a keyless fob in a house before “relaying” it to a colleague by the car to open it and drive it…

Source…

New ChromeLoader malware surge threatens browsers worldwide



The ChromeLoader malware is seeing an uptick in detections this month after a relatively stable volume since the start of the year, making this browser hijacker a widespread threat.

ChromeLoader is a browser hijacker that can modify the victim’s web browser settings to show search results that promote unwanted software, fake giveaways and surveys, and adult games and dating sites. 

The malware’s operators receive financial gains through a system of marketing affiliation by redirecting user traffic to advertising sites.

There are many hijackers of this kind, but ChromeLoader stands out for its persistence, volume, and infection route, which involves the aggressive use of PowerShell.

Abusing PowerShell

According to Red Canary researchers, who have been following the activity of ChromeLoader since February this year, the operators of the hijacker use a malicious ISO archive file to infect their victims.

The ISO masquerades as a cracked executable for a game or commercial software, so the victims likely download it themselves from torrent or malicious sites.

The researchers have also noticed Twitter posts promoting cracked Android games and offering QR codes that lead to malware-hosting sites.

When a person double-clicks on the ISO file in Windows 10 or later, the ISO file will be mounted as a virtual CD-ROM drive. This ISO file contains an executable that pretends to be a game crack or keygen, using names like “CS_Installer.exe.”

Contents of ISO file (Red Canary)

Finally, ChromeLoader decodes and executes a PowerShell command that fetches an archive from a remote resource and loads it as a Google Chrome extension.

Once this is done, the PowerShell script removes the scheduled task, leaving Chrome infected with a silently injected extension that hijacks the browser and manipulates search engine results.

The PowerShell used against Chrome on Windows (Red Canary)

macOS targeted too

The operators of ChromeLoader also target macOS systems, looking to manipulate both Chrome and Apple’s Safari web browsers.

The infection chain on macOS is similar, but instead of ISO, the threat actors use DMG (Apple Disk Image) files, a more common format on that…

Source…