Internet threat news

In a recent article published by Emisoft, it was revealed how researchers discovered a bug in the BlackMatter ransomware’s code.  This bug was exploited by researchers to create decryption keys that were secretly handed out to victims of the ransomware gang, potentially losing the gang millions of dollars worth of ransom payments.

DarkSide, the threat group strongly believed to be behind BlackMatter and previously behind the DarkSide ransomware, was initially best known for committing other financially motivated cybercrimes, seeing the profit margins ransomware, and the ransomware-as-a-service business model could unlock they quickly pivoted.

The infamous financially motivated threat group FIN7 has been discovered to be posing as a legitimate company to hire penetration testers and other cybersecurity professionals to do the heavy lifting of the preliminary steps a typical ransomware attack would follow. FIN7 also tracked as Carbanak, is perhaps best known for attacks on Saks Fith Avenue and Lord & Taylor stores. Those attacks resulted in the subsequent sale of over 5 million payment cards on the dark web.

In what is writing itself into its own Netflix Original movie at this point, it appears Sodinokibi, also tracked as REvil, infrastructure has been taken offline for the second time this year. The news comes following statements made on the popular hacking forum XSS. The forum posts have been shared to Twitter by Dmitry Smilyanets, a security researcher for Recorded Future. Another post was also shared by Smilyanets which further explained the decision to take the infamous ransomware’s infrastructure offline.

With ransomware attacks now becoming an almost daily phenomenon governments are actively looking at new ways to combat the scourge and protect both individuals, organizations, and national interests. The Australian Minister for Home Affairs, Karen Andrews, has recently published a plan titled the “Ransomware Action Plan.”

The Japanese tech giant, Olympus, announced that its IT systems in the US, Canada, and Latin America had suffered a cybersecurity incident. Details of the attack are thin on the ground, but the attack follows another incident that occurred in September 2021. The first attack was announced on September 11, which according to the company affected the IT systems for Europe, the MIddle-East, and Africa. Again details of the attack were sparse but according to Bleeping Computer, the attack involved the now-infamous BlackMatter ransomware.

According to a recently published blog by Cybereason Nocturnus, researchers for the security firm have discovered a cyber espionage campaign making use of previously undiscovered malware. Researchers have, further, attributed the new espionage campaign to an also previously undisclosed threat group they have codenamed MalKamak. The group is currently targeting organizations in the aerospace and telecoms sectors.

Kaspersky Labs just recently published a report detailing a link between the Tomiris backdoor and the threat actors behind the SolarWinds attack that occurred towards the end of 2020. In summary, the backdoor closely resembles another piece of malware deployed by DarkHalo, SunShuttle, as well as similar tactics used in finding targets and deploying malware.

This week has seen the announcement of two separate campaigns infecting Android users with some form trojan malware. The first incident involves the discovery of a new trojan, called GriftHorse, while the second trojan distribution campaign involves an offshoot of the infamous Cerberus banking trojan. This latest Cerberus-based trojan has been called ERMAC by researchers.

Security firm eSentire published an article detailing an odd ransomware incident. In summary, the incident is odd as it used advanced techniques to gain initial access and compromise the target’s network. However, the ransomware dropped, Hello, is regarded as fairly unsophisticated. This provided researchers with a few head-scratching moments.

The victim in the instance observed was a testing company that evaluates hundreds of products from around the globe. This implies that during testing the company has access to a ton of intellectual property, making the company a high-profile target for attackers. The attack was also determined by researchers to be a hands-on-keyboard attack.

The Cybersecurity and Infrastructure Security Agency (CISA) recently published an advisory regarding the Conti ransomware. The advisory provides a comprehensive analysis of techniques used by the ransomware gang in the past and present. The advisory also noted that the Federal Bureau of Investigation (FBI) has observed more than 400 incidents involving ransomware internationally and in the US. The advisory also includes mitigation strategies to protect against falling victim to a Conti attack, measures that CISA, the FBI, and the NSA have adopted to secure their infrastructure.

According to research published by Microsoft, a new threat actor has been attacking developers by exploiting a vulnerability in MSHTML, tracked as CVE-2021-40444, which has been patched. Developers familiar with or use MSHTML should ensure that the patch has been installed. Microsoft describes that an attacker could “craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.

It was nearly Christmas 2015 when Juniper released a statement warning customers that it had discovered unauthorized code that allowed hackers to decipher encrypted communications and gain high-level access to customers’ machines that used a popular product developed by the company. The exact wording issued by Juniper stated,

At the start of this year, researchers looked back on 2020 and discovered it was a boom year for DDoS attacks. Now, Russian Internet giant Yandex is battling the biggest DDoS attack on record and a new Botnet may be the infrastructure powering this record-breaking attack.

Giving the attack method its full name of Distributed Denial of Service (DDoS), the attack involves attempts to maliciously disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. This can be done through the use of botnets, devices infected with specific malware that allows a hacker control over the device and can send HTTP requests via a device, typically Internet of Things devices and routers.

Also known as REvil, and sometimes referred to as the Crown Prince of Ransomware, Sodinokibi has long been the thorn in the side of large enterprises and a headline maker. This year alone those behind the ransomware were responsible for both the JBS incident and the Kaseya incident. The latter prompted direct statements of intent by both US President Joe Biden and US law enforcement agencies. This in turn was the likely motivator for the gang to take a holiday.

The bad news is it appears the gang is back in action after taking a summer holiday. When websites and infrastructure known to be used by the ransomware gang were taken offline, many in the InfoSec hoped that the group has thrown in the towel. Lawrence Abraham, of Bleeping Computer, took to Twitter to report that the group's leak site, Happy Blog, was back online with activity dating back to July.