Cyber Weekly Digest - 2022 Week #43

Take a look at this week’s cyber weekly digest to stay up to date on the latest cyber security news, including the threat group targeting Russian organisations with Linux ransomware, and the See Tickets data breach which lasted two and a half years. Keep reading to find out about the biggest cyber security news from this week.

1. OldGremlin group is utilising Linux Ransomware to attack Russian organisations.

OldGremlin, one of the few ransomware groups attacking Russian corporate networks, has expanded its toolkit with file-encrypting malware for Linux machines. The gang has Russian-speaking members and has been operating since at least March 2020 using self-made malware, focusing on Russian companies in the logistics, retail, real estate, software development, and banking sectors. Also known as TinyScouts, after the names of the functions in the malicious code it uses, OldGremlin is characterised by a small number of campaigns per year with million-dollar ransom demands. In 2022, OldGremlin launched just five campaigns, but it also demanded the highest ransom in its two and a half years of activity: $16.9 million. Because OldGremlin relies on a self-developed toolkit, it is evident that the group is highly skilled, and it carefully prepares attacks to leave its victims with no choice but to pay the ransom.

2. Chrome extensions with 1 million installs hijack targets’ browsers.

Researchers have discovered a new malvertising campaign pushing Google Chrome extensions that hijack searches and insert affiliate links into webpages. All of these extensions offer colour customisation options and arrive on the victim’s machine with no malicious code, which helps them evade detection. By mid-October, 30 variants of the browser extensions were available on both the Chrome and Edge web stores, with over a million installs in total. The victim is tricked into installing one of the malicious extensions by a forced tab popup that persuades the user to download it. Once the extension is installed, a random advertisement link opens, and the extension then switches the device into a malicious state in which it inserts affiliate links into the user’s browser. Whoever is behind the adware campaign earns a commission for every click or interaction with an inserted advert. The extensions and the websites listed in the report's IoCs section have been removed or taken offline, but the researchers warn that the operation is constantly renewed with new add-on names and domains.

3. Apple patches another actively exploited zero-day vulnerability.