New Rust-based Ransomware Family Targets Windows, Linux, and ESXi Systems

Kaspersky security researchers have disclosed details of a brand-new ransomware family written in Rust, making it the third strain after BlackCat and Hive to use the programming language.

Luna, as it’s called, is “fairly simple” and can run on Windows, Linux, and ESXi systems, with the malware banking on a combination of Curve25519 and AES for encryption.

“Both the Linux and ESXi samples are compiled using the same source code with some minor changes from the Windows version,” the Russian firm noted in a report published today.

Advertisements for Luna on darknet forums suggest that the ransomware is intended for use only by Russian-speaking affiliates. Its core developers are also believed to be of Russian origin owing to spelling mistakes in the ransom note hard-coded within the binary.

“Luna confirms the trend for cross-platform ransomware,” the researchers stated, adding that the platform-agnostic nature of languages like Golang and Rust is giving operators the ability to target and attack at scale and to evade static analysis.

images from Hacker News

This Cloud Botnet Has Hijacked 30,000 Systems to Mine Cryptocurrencies

The 8220 cryptomining group has expanded in size to encompass as many as 30,000 infected hosts, up from 2,000 hosts globally in mid-2021.

“8220 Gang is one of the many low-skill crimeware gangs we continually observe infecting cloud hosts and operating a botnet and cryptocurrency miners through known vulnerabilities and remote access brute forcing infection vectors,” Tom Hegel of SentinelOne said in a Monday report.

The growth is said to have been fuelled through the use of Linux and common cloud application vulnerabilities and poorly secured configurations for services such as Docker, Apache WebLogic, and Redis.

Active since early 2017, the Chinese-speaking, Monero-mining threat actor was most recently seen targeting i686 and x86_64 Linux systems by means of weaponizing a recent remote code execution exploit for Atlassian Confluence Server (CVE-2022-26134) to drop the PwnRig miner payload.

“Victims are not targeted geographically, but simply identified by their internet accessibility,” Hegel pointed out.

images from Hacker News

Unpatched GPS Tracker Bugs Could Let Attackers Disrupt Vehicles Remotely

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of a handful of unpatched security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers outfitted in over 1.5 million vehicles that could lead to remote disruption of critical operations.

“Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control of the global positioning system tracker,” CISA said. “These vulnerabilities could impact access to a vehicle fuel supply, vehicle control, or allow locational surveillance of vehicles in which the device is installed.”

Sold for $20 and manufactured by China-based MiCODUS, the tracking devices are employed by major organizations in 169 countries spanning the aerospace, energy, engineering, government, manufacturing, nuclear power plant, and shipping sectors.

The top countries with the most users include Chile, Australia, Mexico, Ukraine, Russia, Morocco, Venezuela, Brazil, Poland, Italy, Indonesia, Uzbekistan, and South Africa.

images from Hacker News

Dealing With Alert Overload? There’s a Guide For That

The Great Resignation – or the Great Reshuffle, as some are calling it – and the growing skills gap have been dominating headlines lately. But these issues aren’t new to the cybersecurity industry. While many are just now hearing about employee burnout, security teams have faced the reality and serious consequences of burnout for years.

One of the biggest culprits? Alert overload.

The average security team gets tens of thousands of alerts each day. Many analysts feel like they can’t get their heads above water, and some are starting to give up. This manifests as physical burnout and even apathy: surveys found that some security analysts feel so overwhelmed that they ignore alerts and even walk away from their computers.

In fact, these surveys found that 70% of security teams feel emotionally overwhelmed by alerts, and more than 55% of security professionals don’t feel fully confident that they can prioritize and respond to every alert that really does need attention.

Sadly, there isn’t a moment to waste when a threat is legitimate. The threat landscape is changing so quickly that you need a security team that is not only on top of its game but also has the foresight to anticipate emerging threats. Alert overload is therefore one of the main ingredients in a recipe for disaster when it comes to business risk, and the risks are only growing (think supply chain compromises and ransomware attacks on critical industries like healthcare).

images from Hacker News

Russian Hackers Tricked Ukrainians with Fake “DoS Android Apps to Target Russia”

Russian threat actors capitalized on the ongoing conflict against Ukraine to distribute Android malware camouflaged as an app for pro-Ukrainian hacktivists to launch distributed denial-of-service (DDoS) attacks against Russian sites.

Google Threat Analysis Group (TAG) attributed the malware to Turla, an advanced persistent threat also known as Krypton, Venomous Bear, Waterbug, and Uroburos, and linked to Russia’s Federal Security Service (FSB).

“This is the first known instance of Turla distributing Android-related malware,” TAG researcher Billy Leonard said. “The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third-party messaging services.”

It’s worth noting that the onslaught of cyberattacks in the immediate aftermath of Russia’s unprovoked invasion of Ukraine prompted the latter to form an IT Army to stage counter-DDoS attacks against Russian websites. The goal of the Turla operation, it appears, is to turn this volunteer-run effort to the actor’s own advantage.

The decoy app was hosted on a domain masquerading as the Azov Regiment, a unit of the National Guard of Ukraine, calling on people from around the world to fight “Russia’s aggression” by initiating a denial-of-service attack on the web servers belonging to “Russian websites to overwhelm their resources.”

images from Hacker News