The Black Basta ransomware-as-a-service (RaaS) syndicate has amassed nearly 50 victims in the U.S., Canada, the U.K., Australia, and New Zealand within two months of its emergence in the wild, making it a prominent threat in a short window.

“Black Basta has been observed targeting a range of industries, including manufacturing, construction, transportation, telcos, pharmaceuticals, cosmetics, plumbing and heating, automobile dealers, undergarments manufacturers, and more,” Cybereason said in a report.

Evidence indicates the ransomware strain was still in development as recently as February 2022, and only started to be used in attacks starting April after it was advertised on underground forums with an intent to buy and monetize corporate network access for a share of the profits.

Similar to other ransomware operations, Black Basta is known to employ the tried-and-tested tactic of double extortion to plunder sensitive information from the targets and threaten to publish the stolen data unless a digital payment is made.

A new entrant in the already crowded ransomware landscape, intrusions involving the threat have leveraged QBot (aka Qakbot) as a conduit to maintain persistence on the compromised hosts and harvest credentials, before moving laterally across the network and deploying the file-encrypting malware.

images from Hacker News

CODESYS has released patches to address as many as 11 security flaws that, if successfully exploited, could result in information disclosure and a denial-of-service (DoS) condition, among others.

“These vulnerabilities are simple to exploit, and they can be successfully exploited to cause consequences such as sensitive information leakage, PLCs entering a severe fault state, and arbitrary code execution,” Chinese cybersecurity firm NSFOCUS said. “In combination with industrial scenarios on the field, these vulnerabilities could expose industrial production to stagnation, equipment damage, etc.”

CODESYS is a software suite used by automation specialists as a development environment for programmable logic controller applications (PLCs).

Following responsible disclosure between September 2021 and January 2022, fixes were shipped by the German software company last week on June 23, 2022. Two of the bugs are rated as Critical, seven as High, and two as Medium in severity. The issues collectively affect the following products –

images from Hacker News

Just before last Christmas, in a first-of-a-kind case, JPMorgan was fined $200M for employees using non-sanctioned applications for communicating about financial strategy. No mention of insider trading, naked shorting, or any malevolence. Just employees circumventing regulation using, well, Shadow IT. Not because they tried to obfuscate or hide anything, simply because it was a convenient tool that they preferred over any other sanctioned products (which JPMorgan certainly has quite a few of.)

Visibility into unknown and unsanctioned applications has been required by regulators and also recommended by the Centre for Internet Security community for a long time. Yet it seems like new and better approaches are still in demand. Gartner has identified External Attack Surface Management, Digital Supply Chain Risk, and Identity Threat Detection as the top three trends to focus on in 2022, all of which are closely intertwined with Shadow IT.

“Shadow IDs,” or in other words, unmanaged employee identities and accounts in third-party services are often created using a simple email-and-password-based registration. CASBs and corporate SSO solutions are limited to a few sanctioned applications and are not widely adopted on most websites and services either. This means, that a large part of an organization’s external surface –as well as its user identities– may be completely invisible.

images from Hacker News

Following the footsteps of Austria and France, the Italian Data Protection Authority has become the latest regulator to find the use of Google Analytics to be non-compliant with E.U. data protection regulations.

The Garante per la Protezione dei Dati Personali, in a press release published last week, called out a local web publisher for using the widely used analytics tool in a manner that allowed key bits of users’ personal data to be illegally transferred to the U.S. without necessary safeguards.

This includes interactions of users with the websites, the individual pages visited, IP addresses of the devices used to access the websites, browser specifics, details related to the device’s operating system, screen resolution, and the selected language, as well as the date and time of the visits.

The Italian supervisory authority (SA) said that it arrived at this conclusion following a “complex fact-finding exercise” it commenced in collaboration with other E.U. data protection authorities.

The agency said the transfer of personal information violates the data protection legislation because the U.S. is a “country without an adequate level of protection,” while highlighting the “possibility for U.S. government authorities and intelligence agencies to access personal data transferred without due guarantees.”

images from Hacker News

A malware-as-a-service (Maas) dubbed Matanbuchus has been observed spreading through phishing campaigns, ultimately dropping the Cobalt Strike post-exploitation framework on compromised machines.

Matanbuchus, like other malware loaders such as BazarLoader, Bumblebee, and Colibri, is engineered to download and execute second-stage executables from command-and-control (C&C) servers on infected systems without detection.

Available on Russian-speaking cybercrime forums for a price of $2,500 since February 2021, the malware is equipped with capabilities to launch .EXE and .DLL files in memory and run arbitrary PowerShell commands.

The findings, released by threat intelligence firm Cyble last week, document the latest infection chain associated with the loader, which is linked to a threat actor who goes by the online moniker BelialDemon.

“If we look historically, BelialDemon has been involved in the development of malware loaders,” Unit 42 researchers Jeff White and Kyle Wilhoit noted in a June 2021 report. “BelialDemon is considered the primary developer of TriumphLoader, a loader previously posted about on several forums, and has experience with selling this type of malware.”

images from Hacker News