Windows JavaScript zero-day, Iran-based hack-and-leak, METRO retailer attack

Exploited Windows zero-day lets JavaScript files bypass Mark of the Web security warnings

According to Bleeping Computer, this has already been seen in ransomware attacks. Windows includes a security feature called Mark-of-the-Web (MoTW) that flags a file as having been downloaded from the Internet, meaning it should be treated with caution because it could be malicious. The MoTW flag is added to a downloaded file or email attachment as a special Alternate Data Stream called ‘Zone.Identifier’, and opening a flagged file triggers a warning pop-up window. HP’s threat intelligence team recently reported that threat actors are infecting devices with Magniber ransomware using JavaScript files that bypass this warning window and deliver the malware.

(Bleeping Computer)
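As an added example (not code from the article or its sources), a PowerShell function that reads the Zone.Identifier stream the article describes and reports which script files in a folder carry MoTW and from which zone; the folder path and the extension list are assumptions for the demo.

```powershell
# Added example, not from the article. Windows stores Mark-of-the-Web as an
# alternate data stream named Zone.Identifier holding an INI-style
# [ZoneTransfer] section with a ZoneId (3 = Internet, 4 = Restricted sites).
# Extension list and the Downloads path below are assumptions for this demo.
function Get-MotwStatus {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Extensions = @('.js', '.jse', '.wsf', '.vbs')  # script types run by Windows Script Host
    )
    Get-ChildItem -Path $Path -File -Recurse |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $file = $_
            $zone = $null; $referrer = $null
            try {
                # -Stream reads the alternate data stream; a file without
                # Zone.Identifier throws, which is reported as "no MoTW".
                $content = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction Stop
                foreach ($line in $content) {
                    if ($line -match '^ZoneId=(\d+)')     { $zone = [int]$Matches[1] }
                    if ($line -match '^ReferrerUrl=(.+)') { $referrer = $Matches[1] }
                }
            } catch { }
            [pscustomobject]@{
                File        = $file.FullName
                HasMotw     = ($null -ne $zone)
                ZoneId      = $zone
                ReferrerUrl = $referrer
                # Heuristic: a script in a download folder with no MoTW stream
                # would open without the warning window the article describes.
                Review      = ($null -eq $zone)
            }
        }
}

# Usage (path is an assumption): list script files in Downloads and flag any lacking the MoTW stream.
Get-MotwStatus -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

Files copied from removable media or extracted by some archive tools also lack the stream, so a `Review` hit is a prompt to look closer, not proof of tampering.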

FBI warns of ‘hack-and-leak’ operations from group based in Iran

The alert centers on Emennet Pasargad — an Iranian company U.S. law enforcement agencies have previously spotlighted for its role in efforts to interfere with the 2020 U.S. presidential election. On Thursday, the FBI said the company — which has changed its name several times to avoid sanctions — has targeted entities in Israel since 2020 with attacks that involved the theft and leak of stolen data. The group would then amplify the stolen data on social media and online forums. The FBI judges these techniques may be used to target US entities.

(The Record)

Wholesale giant METRO confirmed to have suffered a cyberattack

The European retail giant has been hit by a cyberattack that has caused IT infrastructure outages. Metro employs more than 95,000 people in 681 stores around the world, most of them in Germany, and the outages have impacted stores worldwide. In response to the outage, the teams in the stores set up offline systems to process payments. The company has not provided technical details about the attack, but the problems faced by Metro suggest it was the victim of ransomware.

(Security Affairs)

NSA cyber chief says Ukraine war is compelling more intelligence sharing with industry

Rob Joyce, director of the NSA Cybersecurity Directorate, speaking Wednesday at the Trellix Cybersecurity Summit in Washington, stated that rapidly and proactively sharing intelligence on cyberthreats with industry and critical infrastructure providers “can really make a big and decisive difference,” adding that this was one of his main “lessons learned” from the ongoing war in Ukraine. He stressed that greater knowledge sharing, despite the competitive nature of business, is possible and necessary for mutual benefit and safety. “We can make available the insights about what we know without putting at risk how we know it,” he said.

(Cyberscoop)

Thanks to this week’s episode sponsor, Votiro


URSNIF no longer a banking trojan. It’s now a backdoor

URSNIF, the malware also known as Gozi that attempts to steal online banking credentials from victims’ Windows PCs, is evolving to support extortionware. As one of the oldest banking trojans – dating back to the mid-2000s – the software has a number of variants including URSNIF, Gozi, and ISFB. Although its original developers have been arrested, extradited and/or tried in court, URSNIF is now following the path of malware families such as Emotet, TrickBot, and Qakbot, which shed their banking-info-stealing pasts to become backdoors on infected machines that can be used by miscreants to deliver ransomware and data-stealing payloads.

(The Register)

Musk plans to lay off 75% of Twitter staff

Twitter’s workforce is likely to be hit with massive cuts in the coming months, no matter who owns the company, interviews and documents obtained by The Washington Post show, a change likely to have major impact on its ability to control harmful content and prevent data security crises. Elon Musk told prospective investors in his deal to buy the company that he planned to get rid of nearly 75 percent of Twitter’s 7,500 workers, whittling the company down to a skeleton staff of just over 2,000. Even if Musk’s Twitter deal falls through, cuts are also planned for its infrastructure, including data centers. Edwin Chen, a data scientist formerly in charge of Twitter’s spam and health metrics, believes this will put Twitter’s users at risk of hacks and exposure to offensive material.

(Washington Post)

Ed Sheeran music hacker jailed

A 23-year-old, Adrian Kwiatkowski, from Ipswich, a town north-east of London, traded the music by Sheeran and 12 songs by rapper Lil Uzi Vert in exchange for cryptocurrency. He managed to get hold of them after hacking the performers’ digital accounts, the Crown Prosecution Service said, and made £131,000 from sales of the music, according to City of London Police. This case started in 2019 after the management of several musicians reported to the New York District Attorney that someone known online as Spirdark had hacked a number of accounts and was selling the content. A police investigation tracked the email address used to set up Kwiatkowski’s cryptocurrency account and soon discovered his home address linked to an IP address used to hack one of the devices. According to police, seven devices were seized, including a hard drive that contained 1,263 unreleased songs by 89 artists.

(BBC News)

Last week in ransomware

Last week was a busy week in the ransomware business, with reports linking RansomCartel to REvil, OldGremlin hackers targeting Russia with ransomware, a new data exfiltration tool used by BlackByte, a warning that ransomware actors are exploiting VMware vulnerabilities, and new activity with Venus Ransomware. The FBI released an advisory warning that the Daixin ransomware gang is targeting the U.S. Healthcare and Public Health (HPH) sector in multiple attacks. Medibank finally confirmed it was ransomware behind its recent cyberattack. We also saw an attack on the Stimme Mediengruppe media group that prevented the printing and distribution of German newspapers.

(Bleeping Computer)
