Select Page
Phony Call Centres Tricking Users Into Installing Ransomware and Data-Stealers

Phony Call Centres Tricking Users Into Installing Ransomware and Data-Stealers

An ongoing malicious campaign that employs phony call centres has been found to trick victims into downloading malware capable of data exfiltration as well as deploying ransomware on infected systems.

The attacks — dubbed “BazaCall” — eschew traditional social engineering techniques that rely on rogue URLs and malware-laced documents in favour of a vishing-like method wherein targeted users are sent email messages informing them of a forthcoming subscription charge unless they call a specific phone number.

By tricking the recipients into calling the number, the unsuspecting victims are connected with an actual human operator at a fraudulent call centre, who then provides them with instructions to download the BazaLoader malware.

BazaLoader (aka BazarBackdoor) is a C++-based downloader with the ability to install various types of malicious programs on infected computers, including deploying ransomware and other malware to steal sensitive data from victimized systems. First observed in April 2020, BazaLoader campaigns have been used by multiple threat actors and frequently serves as a loader for disruptive malware such as Ryuk and Conti ransomware.

images from Hacker News

Hackers Exploit Microsoft Browser Bug to Deploy VBA Malware on Targeted PCs

Hackers Exploit Microsoft Browser Bug to Deploy VBA Malware on Targeted PCs

An unidentified threat actor has been exploiting a now-patched zero-day flaw in Internet Explorer browser to deliver a fully-featured VBA-based remote access trojan (RAT) capable of accessing files stored in compromised Windows systems, and downloading and executing malicious payloads as part of an “unusual” campaign.

The backdoor is distributed via a decoy document named “Manifest.docx” that loads the exploit code for the vulnerability from an embedded template, which, in turn, executes shellcode to deploy the RAT, according to cybersecurity firm Malwarebytes, which spotted the suspicious Word file on July 21, 2021.

The malware-laced document claims to be a “Manifesto of the inhabitants of Crimea” calling on the citizens to oppose Russian President Vladimir Putin and “create a unified platform called ‘People’s Resistance.'”

The Internet Explorer flaw, tracked as CVE-2021-26411, is notable for the fact that it was abused by the North Korea-backed Lazarus Group to target security researchers working on vulnerability research and development.

Earlier this February, South Korean cybersecurity firm ENKI revealed the state-aligned hacking collective had made an unsuccessful attempt at targeting its security researchers with malicious MHTML files that, when opened, downloaded two payloads from a remote server, one of which contained a zero-day against Internet Explorer. Microsoft addressed the issue as part of its Patch Tuesday updates for March.

images from Hacker News

New Ransomware Gangs — Haron and BlackMatter — Emerge on Cybercrime Forums

New Ransomware Gangs — Haron and BlackMatter — Emerge on Cybercrime Forums

Two new ransomware-as-service (RaaS) programs have appeared on the threat radar this month, with one group professing to be a successor to DarkSide and REvil, the two infamous ransomware syndicates that went off the grid following major attacks on Colonial Pipeline and Kaseya over the past few months.

“The project has incorporated in itself the best features of DarkSide, REvil, and LockBit,” the operators behind the new BlackMatter group said in their darknet public blog, making promises to not strike organizations in several industries, including healthcare, critical infrastructure, oil and gas, defence, non-profit, and government sectors.

According to Flashpoint, the BlackMatter threat actor registered an account on Russian-language forums XSS and Exploit on July 19, quickly following it up with a post stating they are looking to purchase access to infected corporate networks comprising anywhere between 500 and 15,000 hosts in the U.S., Canada, Australia, and the U.K. and with revenues of over $100 million a year, potentially hinting at a large-scale ransomware operation.

“The actor deposited 4BTC (approximately $150,000 USD) into their escrow account. Large deposits on the forum indicate the seriousness of the threat actor,” Flashpoint researchers said in a report. “BlackMatter does not openly state that they are a ransomware collective operator, which technically doesn’t break the rules of the forums, though the language of their post, as well as their goals clearly indicate that they are a ransomware collective operator.”

images from Hacker News

Best Practices to Thwart Business Email Compromise (BEC) Attacks

Best Practices to Thwart Business Email Compromise (BEC) Attacks

Business email compromise (BEC) refers to all types of email attacks that do not have payloads. Although there are numerous types, there are essentially two main mechanisms through which attackers penetrate organizations utilizing BEC techniques, spoofing and account take-over attacks.

In a recent study, 71% of organizations acknowledged they had seen a business email compromise (BEC) attack during the past year. Forty-three percent of organizations experienced a security incident in the last 12 months, with 35% stating that BEC/phishing attacks account for more than 50% of the incidents.

The FBI’s Internet Crime Complaint Centre (IC3) reports that BEC scams were the most expensive of cyberattacks in 2020, with 19,369 complaints and adjusted losses of approximately $1.8 billion. Recent BEC attacks include spoofing attacks on Shark Tank Host Barbara Corcoran, who lost $380,000; the Puerto Rican government attacks that amounted to $4 million, and Japanese media giant, Nikkei, who transferred $29 million based on instructions in a fraudulent email.

To thwart a BEC attack, an organization must focus on the Golden Triangle: the alignment of people, process, and technology. Read on to discover best practices every organization should follow to mitigate BEC attacks.

images from Hacker News

New Android Malware Uses VNC to Spy and Steal Passwords from Victims

New Android Malware Uses VNC to Spy and Steal Passwords from Victims

A previously undocumented Android-based remote access trojan (RAT) has been found to use screen recording features to steal sensitive information on the device, including banking credentials, and open the door for on-device fraud.

Dubbed “Vultur” due to its use of Virtual Network Computing (VNC)’s remote screen-sharing technology to gain full visibility on targeted users, the mobile malware was distributed via the official Google Play Store and masqueraded as an app named “Protection Guard,” attracting over 5,000 installations. Banking and crypto-wallet apps from entities located in Italy, Australia, and Spain were the primary targets.

“For the first time we are seeing an Android banking trojan that has screen recording and keylogging as the main strategy to harvest login credentials in an automated and scalable way,” researchers from ThreatFabric said in a write-up shared with The Hacker News.

“The actors chose to steer away from the common HTML overlay development we usually see in other Android banking Trojans: this approach usually requires a larger time and effort investment from the actors to create multiple overlays capable of tricking the user. Instead, they chose to simply record what is shown on the screen, effectively obtaining the same end result.”

images from Hacker News

Top 30 Critical Security Vulnerabilities Most Exploited by Hackers

Top 30 Critical Security Vulnerabilities Most Exploited by Hackers

Intelligence agencies in Australia, the U.K., and the U.S. issued a joint advisory on Wednesday detailing the most exploited vulnerabilities in 2020 and 2021, once again demonstrating how threat actors are able to swiftly weaponize publicly disclosed flaws to their advantage.

“Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) noted.

“However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.”

The top 30 vulnerabilities span a wide range of software, including remote work, virtual private networks (VPNs), and cloud-based technologies, that cover a broad spectrum of products from Microsoft, VMware, Pulse Secure, Fortinet, Accellion, Citrix, F5 Big IP, Atlassian, and Drupal.

images from Hacker News