A New Wiper Malware Was Behind Recent Cyberattack On Iranian Train System

A cyber attack that derailed websites of Iran’s transport ministry and its national railway system earlier this month, causing widespread disruptions in train services, was the result of a never-before-seen reusable wiper malware called “Meteor.”

The campaign — dubbed “MeteorExpress” — has not been linked to any previously identified threat group or to additional attacks, making it the first incident involving the deployment of this malware, according to researchers from Iranian antivirus firm Amn Pardaz and SentinelOne. Meteor is believed to have been in the works over the past three years.

“Despite a lack of specific indicators of compromise, we were able to recover most of the attack components,” SentinelOne’s Principal Threat Researcher, Juan Andres Guerrero-Saade, noted. “Behind this outlandish tale of stopped trains and glib trolls, we found the fingerprints of an unfamiliar attacker.” He added that the offensive is “designed to cripple the victim’s systems, leaving no recourse to simple remediation via domain administration or recovery of shadow copies.”

On July 9, the Iranian train system was left paralyzed in the wake of a major attack, with the hackers defacing electronic displays to instruct passengers to direct their complaints to the phone number of the Iranian Supreme Leader Ayatollah Ali Khamenei’s office. The incident reportedly caused “unprecedented chaos” at stations, with hundreds of trains delayed or cancelled.

Now, according to SentinelOne, the infection chain commenced with the abuse of Group Policy to deploy a toolkit consisting of batch files that orchestrate different components. These components are extracted from multiple RAR archives and chained together to encrypt the filesystem, corrupt the master boot record (MBR), and lock the system in question.

images from Hacker News

Phony Call Centres Tricking Users Into Installing Ransomware and Data-Stealers

An ongoing malicious campaign that employs phony call centres has been found to trick victims into downloading malware capable of data exfiltration as well as deploying ransomware on infected systems.

The attacks — dubbed “BazaCall” — eschew traditional social engineering techniques that rely on rogue URLs and malware-laced documents in favour of a vishing-like method wherein targeted users are sent email messages informing them of a forthcoming subscription charge unless they call a specific phone number.

By tricking the recipients into calling the number, the unsuspecting victims are connected with an actual human operator at a fraudulent call centre, who then provides them with instructions to download the BazaLoader malware.

BazaLoader (aka BazarBackdoor) is a C++-based downloader with the ability to install various types of malicious programs on infected computers, including deploying ransomware and other malware that steals sensitive data from victimized systems. First observed in April 2020, BazaLoader campaigns have been used by multiple threat actors, and the malware frequently serves as a loader for disruptive malware such as Ryuk and Conti ransomware.


Hackers Exploit Microsoft Browser Bug to Deploy VBA Malware on Targeted PCs

An unidentified threat actor has been exploiting a now-patched zero-day flaw in the Internet Explorer browser to deliver a fully-featured VBA-based remote access trojan (RAT) capable of accessing files stored on compromised Windows systems and downloading and executing malicious payloads, as part of an “unusual” campaign.

The backdoor is distributed via a decoy document named “Manifest.docx” that loads the exploit code for the vulnerability from an embedded template, which, in turn, executes shellcode to deploy the RAT, according to cybersecurity firm Malwarebytes, which spotted the suspicious Word file on July 21, 2021.

The malware-laced document claims to be a “Manifesto of the inhabitants of Crimea” calling on the citizens to oppose Russian President Vladimir Putin and “create a unified platform called ‘People’s Resistance.’”

The Internet Explorer flaw, tracked as CVE-2021-26411, is notable for the fact that it was abused by the North Korea-backed Lazarus Group to target security researchers working on vulnerability research and development.

Earlier this February, South Korean cybersecurity firm ENKI revealed the state-aligned hacking collective had made an unsuccessful attempt at targeting its security researchers with malicious MHTML files that, when opened, downloaded two payloads from a remote server, one of which contained a zero-day against Internet Explorer. Microsoft addressed the issue as part of its Patch Tuesday updates for March.


New Ransomware Gangs — Haron and BlackMatter — Emerge on Cybercrime Forums

Two new ransomware-as-a-service (RaaS) programs have appeared on the threat radar this month, with one group professing to be a successor to DarkSide and REvil, the two infamous ransomware syndicates that went off the grid following major attacks on Colonial Pipeline and Kaseya over the past few months.

“The project has incorporated in itself the best features of DarkSide, REvil, and LockBit,” the operators behind the new BlackMatter group said in their darknet public blog, making promises to not strike organizations in several industries, including healthcare, critical infrastructure, oil and gas, defence, non-profit, and government sectors.

According to Flashpoint, the BlackMatter threat actor registered an account on the Russian-language forums XSS and Exploit on July 19, quickly following it up with a post stating they are looking to purchase access to infected corporate networks comprising anywhere between 500 and 15,000 hosts in the U.S., Canada, Australia, and the U.K., with revenues of over $100 million a year, potentially hinting at a large-scale ransomware operation.

“The actor deposited 4BTC (approximately $150,000 USD) into their escrow account. Large deposits on the forum indicate the seriousness of the threat actor,” Flashpoint researchers said in a report. “BlackMatter does not openly state that they are a ransomware collective operator, which technically doesn’t break the rules of the forums, though the language of their post, as well as their goals clearly indicate that they are a ransomware collective operator.”


Best Practices to Thwart Business Email Compromise (BEC) Attacks

Business email compromise (BEC) refers to all types of email attacks that do not carry payloads. Although there are numerous variants, there are essentially two main mechanisms through which attackers penetrate organizations using BEC techniques: spoofing and account takeover attacks.

In a recent study, 71% of organizations acknowledged they had seen a business email compromise (BEC) attack during the past year. Forty-three percent of organizations experienced a security incident in the last 12 months, with 35% stating that BEC/phishing attacks account for more than 50% of the incidents.

The FBI’s Internet Crime Complaint Centre (IC3) reports that BEC scams were the most expensive of cyberattacks in 2020, with 19,369 complaints and adjusted losses of approximately $1.8 billion. Recent BEC attacks include spoofing attacks on Shark Tank host Barbara Corcoran, who lost $380,000; the Puerto Rican government attacks that amounted to $4 million; and Japanese media giant Nikkei, which transferred $29 million based on instructions in a fraudulent email.

To thwart a BEC attack, an organization must focus on the Golden Triangle: the alignment of people, process, and technology. Read on to discover best practices every organization should follow to mitigate BEC attacks.
