Tag Archive for: Yearlong

German automakers targeted in year-long malware campaign


A years-long phishing campaign has targeted German companies in the automotive industry, attempting to infect their systems with password-stealing malware.

The targets include both car manufacturers and car dealerships in Germany, and the threat actors have registered multiple lookalike domains for use in their operation by cloning legitimate sites of various organizations in that sector.

These sites are used to send phishing emails written in German and host the malware payloads downloaded to targeted systems.

Various lookalike domains used in this campaign (Check Point)

Researchers at Check Point discovered this campaign and published a technical report where they presented the details of their findings. According to the report, the campaign started around July 2021 and is still ongoing.

Targeting the German auto industry

The infection chain begins with an email sent to specific targets containing an ISO disk image file that bypasses many internet security controls.

For example, the phishing email below pretends to contain an automobile transfer receipt sent to what appears to be a targeted dealership.

One of the malicious emails seen by Check Point

The ISO image, in turn, contains an .HTA file whose embedded JavaScript or VBScript is delivered and executed via HTML smuggling.

Generic infection chain (Check Point)

This is a common technique used by hackers of all skill tiers, from “script kiddies” that rely on automated kits to state-sponsored actors that deploy custom backdoors.

While the victim sees a decoy document that is opened by the HTA file, malicious code is executed in the background to fetch the malware payloads and launch them.

Decoy document (Check Point)

“We found several versions of these scripts, some triggering PowerShell code, some obfuscated, and others in plain text. All of them download and execute various MaaS (Malware as a Service) info-stealers.” – Check Point.

The MaaS info-stealers used in this campaign vary, including Raccoon Stealer, AZORult, and BitRAT. All three are available for purchase in cybercrime markets and darknet forums.

In later versions of the HTA file, PowerShell code runs to change registry values and enable content on the Microsoft Office…

Source…

Year-long spear-phishing campaign targets global energy industry


Working oil pumps are seen against a sunset sky. Intezer uncovered a year-long spear-phishing campaign against energy companies. (Getty Images)

An unknown group has been conducting a year-long spear-phishing campaign against energy companies and other industries around the world.

The campaign has been running for at least a year and targets companies and employees in the oil and gas, energy, information technology, media and electronics industries around the world, according to new research from Intezer, though many of the affected businesses are located in South Korea. The spear-phishing emails use both typosquatting and spoofing to make the incoming messages look like they come from established companies. They also reference executives from the impersonated company by name and include legitimate business addresses and company logos.

Many of the spear-phishing emails demonstrate how the threat actor appears to have done their homework, filled with procurement language jargon, referencing real ongoing projects the impersonated company is working on and inviting the target to bid for a portion of the work by clicking on an attachment.

That attachment, which is designed to mimic the appearance of a PDF but is usually an IMG, ISO or CAB file, contains information-stealing malware that steals banking data, logs keystrokes and collects browsing data. The actors don’t appear to rely on a single type or family of malware, instead using a variety of remote access tools and other malware-as-a-service, like Agent Tesla and Formbook. Like many successful phishing lures, they’re designed to give the victim a financial incentive to click on the link and to create a sense of urgency in responding.
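Both campaigns on this page share two triage signals a defender can act on before any payload runs: the sender domain imitates a company the recipient already deals with (lookalike registrations in the German campaign, typosquatting and spoofing in the energy campaign), and the attachment is a disk image or script container (ISO, IMG, CAB, HTA) dressed up as a document. The script below is an added example, not code from Check Point, Intezer or either article; the trusted-domain list, the sample messages and the function names are constructed for illustration, and the registrable-domain logic is a naive two-label split rather than a public-suffix lookup.

```python
"""Mail-gateway triage heuristics for lookalike senders and container attachments (added example)."""
from dataclasses import dataclass

# Domains this organisation genuinely corresponds with (constructed for the example).
TRUSTED_DOMAINS = {"example-autohaus.de", "hyundai-eng.example"}

# Carrier types named in the two reports: ISO, IMG and CAB images and HTA scripts.
CONTAINER_EXTS = {"iso", "img", "cab", "hta"}
# Document types a lure imitates with a double extension such as "receipt.pdf.iso".
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}

# Constructed sample messages standing in for the lures the reports describe.
SAMPLE_EMAILS = [
    {"id": "m1", "from": "buchhaltung@example-autohaus.de", "attachments": ["rechnung.pdf"]},
    {"id": "m2", "from": "verkauf@example-autohaus.com", "attachments": ["fahrzeug_uebergabe.pdf.iso"]},
    {"id": "m3", "from": "procurement@hyundal-eng.example", "attachments": ["tender_invitation.img"]},
    {"id": "m4", "from": "news@unrelated-corp.org", "attachments": []},
]


@dataclass
class Finding:
    rule: str
    detail: str


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Keep the last two labels so mail.example.de and example.de compare equal (naive split, no public-suffix list)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def split_name_tld(domain: str):
    """'example-autohaus.de' -> ('example-autohaus', 'de'); a bare label gets an empty TLD."""
    name, _, tld = domain.rpartition(".")
    return (name, tld) if name else (tld, "")


def check_sender(sender: str):
    """Flag a sender whose registrable domain imitates a trusted one but is not it."""
    domain = registrable(sender.rpartition("@")[2])
    if domain in TRUSTED_DOMAINS:
        return None
    name, tld = split_name_tld(domain)
    for trusted in TRUSTED_DOMAINS:
        t_name, t_tld = split_name_tld(trusted)
        if name == t_name and tld != t_tld:  # same brand, different TLD
            return Finding("lookalike-domain", f"{domain} reuses the name of {trusted} under another TLD")
        if levenshtein(name, t_name) <= 2:  # one- or two-character typosquat
            return Finding("lookalike-domain", f"{domain} is within edit distance 2 of {trusted}")
    return None


def check_attachment(filename: str):
    """Flag container/script carriers, especially those wearing a document double extension."""
    parts = filename.lower().split(".")
    ext = parts[-1]
    if ext not in CONTAINER_EXTS:
        return None
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
        return Finding("disguised-container", f"{filename} looks like a .{parts[-2]} but is a .{ext}")
    return Finding("container-attachment", f"{filename} is a .{ext} carrier")


def triage(emails):
    """Return {message id: [findings]} for every message that trips at least one rule."""
    results = {}
    for msg in emails:
        findings = []
        sender_finding = check_sender(msg["from"])
        if sender_finding:
            findings.append(sender_finding)
        for name in msg.get("attachments", []):
            att_finding = check_attachment(name)
            if att_finding:
                findings.append(att_finding)
        if findings:
            results[msg["id"]] = findings
    return results


if __name__ == "__main__":
    for mid, findings in triage(SAMPLE_EMAILS).items():
        for f in findings:
            print(f"{mid}: [{f.rule}] {f.detail}")
```

On the constructed sample, m1 (exact trusted domain, plain PDF) and m4 (unrelated domain, no attachment) pass, while m2 trips both rules (brand reused under .com, PDF-named ISO) and m3 trips both (one-character typosquat, IMG attachment). The edit-distance threshold of 2 is deliberately loose for short brand names and should be tuned against the organisation's real correspondent list; the container check is independent of the sender check so that a genuine partner sending an ISO is still surfaced for review.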

“It seems like part of the incentive was that the receiving component could think that there’s some money coming their way,” said Ryan Robinson, a security researcher at Intezer, in an interview.

In one example, a fake email account pretending to be from Hyundai Engineering Inc. mentions a real power plant project in Panama, is filled with procurement jargon and gives short turnaround deadlines for expressing interest in the project (48…

Source…

Report: April Attack on Israel’s Water Infrastructure Was Culmination of Year-Long Cyber-Warfare Campaign – Algemeiner


Uber Pays $148 Million Over Yearlong Cover-Up Of Data Breach

  1. Uber Pays $148 Million Over Yearlong Cover-Up Of Data Breach  NPR
  2. Uber pays $148m over data breach cover-up  BBC News
  3. Uber makes $148-million payment in connection with data breach  KWQC-TV6
  4. California Attorney General Becerra, San Francisco District Attorney Gascón Announce $148 Million Settlement with …  California Department of Justice – State of California
  5. Uber Co-Founder Travis Kalanick Resigns Under Pressure As CEO  NPR
