Take a look at the latest Cyber Weekly Digest to get a rundown of some of the biggest cyber security news from the week, including the threat actors who breached the US Government by utilising the Log4Shell exploit. Keep reading to stay up to date on the latest cyber security stories.
An ongoing phishing campaign has infected thousands of home and corporate users with a new version of the ‘IceXLoader’ malware. The authors of IceXLoader, a malware loader first spotted in the wild this summer, have released version 3.3.3, which enhances the tool’s functionality and introduces a multi-stage delivery chain. The delivery chain starts with the arrival of a ZIP file via a phishing email containing the first-stage extractor. The extractor drops an executable into a hidden temp folder. The executable then downloads a PNG file, which is converted into an obfuscated DLL file: the IceXLoader payload. The process then checks whether it is running in a sandbox before starting process hollowing. The security researchers have informed the affected companies of the exposure, but the database is still being updated with new entries daily.
Russian hacktivists have infected multiple organisations in Ukraine with a new ransomware strain called ‘Somnia,’ encrypting their systems and causing operational problems. The Computer Emergency Response Team of Ukraine (CERT-UA) has confirmed the outbreak via an announcement on its portal, attributing the attacks to ‘From Russia with Love’ (FRwL), also known as ‘Z-Team,’ which it tracks as UAC-0118. The group previously disclosed its Somnia ransomware on Telegram and even posted evidence of attacks against tank producers in Ukraine. According to CERT-UA, the hacking group uses fake sites that serve fake tools such as the “Advanced IP Scanner” software to trick employees of Ukrainian organisations into downloading an installer. Somnia does not ask victims to pay a ransom in exchange for a working decryptor to recover their files, as its operators are more interested in causing disruption to their targets than in generating revenue. This means the malware should be considered a data wiper rather than traditional ransomware.
Whoosh, the Russian scooter-sharing service, has confirmed a data breach after hackers started to sell a database containing the details of 7.2 million customers on a hacking forum. Whoosh is Russia’s leading urban mobility service platform, operating in 40 cities with over 75,000 scooters. The company confirmed the cyberattack via statements in Russian media earlier this month but claimed that its IT experts had managed to remove the threat successfully. In a new statement shared with RIA Novosti, Whoosh admitted that there was a data leak and informed its user base that it is working with law enforcement authorities to take measures to stop the distribution of the data. A user on the “Breached” hacking forum posted a database containing about 7.2 million Whoosh customer records, including email addresses, phone numbers, and first names, for $4,200 in Bitcoin. However, it seems that no one has bought it yet.
The FBI and CISA revealed in a joint advisory published today that an unnamed Iranian-backed threat group hacked a Federal Civilian Executive Branch (FCEB) organisation to deploy XMRig cryptomining malware. The attackers compromised the federal network after hacking into an unpatched VMware Horizon server using an exploit targeting the Log4Shell (CVE-2021-44228) remote code execution vulnerability. After deploying the cryptocurrency miner, the Iranian threat actors also set up reverse proxies on compromised servers to maintain persistence within the FCEB agency’s network. Log4Shell can be exploited remotely against vulnerable servers reachable locally or from the Internet, and the resulting foothold can be used to move laterally across breached networks to reach internal systems that store sensitive data. Almost immediately after Log4Shell was disclosed in December 2021, threat actors were scanning for unpatched systems in the wild. CISA warned that VMware Horizon and Unified Access Gateway (UAG) servers are still being preyed upon by multiple threat actors.
A ransomware family called “ARCrypter” that compromised key organisations in Latin America is now expanding its attacks worldwide. The threat actors behind the new ransomware family attacked a government agency in Chile last August, targeting both Linux and Windows systems and appending the “.crypt” extension to encrypted files. Researchers at BlackBerry have correlated this with a second attack against the Colombia National Food and Drug Surveillance Institute (Invima) in October. In some cases, the ransom request can be as low as $5,000, so ARCrypter operates as a mid-tier ransomware actor. The ransomware gains persistence and tries to delete volume shadow copies to prevent data restoration; it then modifies network settings to secure stable connectivity, and finally encrypts all files except those with certain whitelisted extensions. At this time, little is known about the operators of ARCrypter, their origin, language, and potential links to other ransomware gangs.