  • Kathleen Maxted

Cyber Weekly Digest - 2022 Week #43

Take a look at this week’s cyber weekly digest to stay up to date on the latest cyber security news including the threat group targeting Russian organisations with Linux ransomware, and the See Tickets data breach which lasted 2 and a half years. Keep reading to find out about the biggest cyber security news from this week.

OldGremlin, one of the few ransomware groups attacking Russian corporate networks, has expanded its toolkit with file-encrypting malware for Linux machines. The gang has Russian-speaking members and has been operating since at least March 2020 using self-made malware, focusing on Russian companies in the logistics, retail, real estate, software development, and banking sectors. Also known as TinyScouts, after the names of the functions in the malicious code it uses, OldGremlin is characterised by a small number of campaigns per year with million-dollar ransom demands. In 2022 OldGremlin launched just five campaigns, but it also demanded the highest ransom in its two and a half years of activity: $16.9 million. Because OldGremlin relies on a self-developed toolkit, it is evidently highly skilled, and it carefully prepares its attacks to leave its victims with no choice but to pay the ransom.

Researchers have discovered a new malicious advertising campaign pushing Google Chrome extensions that hijack searches and insert affiliate links into webpages. All of these extensions offer colour customisation options and arrive on the victim’s machine with no malicious code, which helps them evade detection. By mid-October, 30 variants of the browser extensions were available on both the Chrome and Edge web stores, with over a million installs in total. The victim is tricked into downloading one of the malicious extensions by a forced tab popup that persuades the user to install it. Once the extension is installed, a random advertisement link opens, and the extension then puts the device into a malicious state by inserting affiliate links into pages in the user’s browser. Whoever is behind the adware campaign earns a commission per click or interaction with an inserted advert. The extensions and the websites listed in the report's IoCs section have been removed or taken offline, but the researchers warn that the operation is constantly renewed with new add-on names and domains.

Apple on Monday rolled out updates to remediate a zero-day flaw in iOS and iPadOS that it said has been actively exploited in the wild. The vulnerability, tracked as CVE-2022-42827, has been described as an out-of-bounds write issue in the Kernel, which could be abused by a rogue application to execute arbitrary code with the highest privileges. CVE-2022-42827 is the third consecutive Kernel-related out-of-bounds memory vulnerability to be patched by Apple after CVE-2022-32894 and CVE-2022-32917, which were also being exploited by threat actors in the wild. With the latest fix, Apple has patched eight actively exploited zero-day flaws and one publicly-known zero-day vulnerability since the start of the year.

The ticketing service provider See Tickets has disclosed a data breach, informing customers that cybercriminals may have accessed their payment details via a skimmer on its website. Skimmers are snippets of JavaScript code injected into order checkout pages to steal the payment card details customers type in, in this case people who bought a ticket to a live entertainment event. An investigation with a forensics team was started in April 2021; however, it was not until January 8, 2022, that the malicious code was fully removed from the site. The internal investigation also revealed that the infection began on June 25, 2019, so the total duration of the exposure was just over 2.5 years. The customer information likely stolen includes full names, physical addresses, all card details, ZIP codes, and more. See Tickets has not offered free identity protection to the affected customers, leaving them vulnerable to financial and impersonation fraud.

LinkedIn has introduced three new features to fight fake profiles and malicious use of the platform, including a new way to confirm whether a profile is authentic by showing whether it has a verified work email or phone number. Over the years LinkedIn has been used by threat actors to initiate communication with victims in order to distribute malware, perform cyberespionage, steal credentials, or conduct financial fraud. On 27 October 2022, LinkedIn introduced a new feature that displays more information about a profile and uses AI to find fake accounts and warn users when they receive a suspicious message. In most cases, threat actors trying to lure victims start the conversation on LinkedIn and then try to move it to modified versions of WhatsApp or WeChat, which the victim is persuaded to download.
