Updated: Sep 3, 2021
In this week's Cyber Weekly Digest, find out about all the latest cyber security stories from across the world, including a new zero-click iMessage exploit used to deploy NSO spyware and a ransomware gang that has shut down their operations and released a master decryptor. Keep reading to stay up to date with this week's cyber security stories.
SAC Wireless, a US-based Nokia subsidiary, disclosed a data breach this week following a Conti ransomware attack in June. The threat actor, Conti, gained access to the SAC systems, uploaded files to its cloud storage, and then deployed ransomware to encrypt the files on SAC systems. Following a forensic investigation, it was found that the personal information belonging to current and former employees had been stolen. The Conti ransomware gang revealed on their leak site that they stole over 250 GB of data and will soon leak the data if SAC does not pay the ransom demands.
Researchers have uncovered a new zero-click iMessage exploit used to deploy NSO Group's Pegasus spyware on devices belonging to Bahraini activists. In total, nine Bahraini activists had their iPhones hacked in the campaign. Researchers first observed NSO Group deploying the new zero-click iMessage exploit, FORCEDENTRY, which circumvents Apple's BlastDoor feature, in February 2021. Until Apple releases security updates, the only thing potential targets can do to protect themselves is to disable all apps the Israeli surveillance firm could potentially target.
A financially motivated cybercrime gang has breached and backdoored the network of a US financial organisation with a new malware dubbed Sardonic. FIN8, the threat actor behind this incident, has been active since at least January 2016 and is known for targeting the retail, restaurant, hospitality, healthcare, and entertainment industries with the end goal of stealing payment card data. Sardonic is a new C++-based backdoor that the FIN8 threat actors deployed on targets' systems, likely via social engineering or spear-phishing. In the attack against the US bank this week, the backdoor was deployed and executed on victims' systems in a three-part process using a PowerShell script, a .NET loader, and downloader shellcode.
It appears that Ragnarok ransomware has shut down its operation following the release of the master decryptor. Their leak site has been completely stripped down, and all that is left on the site is a brief text linking to an archive containing the master key and the accompanying binaries for using it. Ragnarok has not explained the reasoning behind the shutdown, which could mean that the gang had not actually intended to halt operations this week. Until this week, the Ragnarok ransomware leak site showed 12 victims from across the world, pressuring them into paying ransom demands.
Researchers have discovered a new phishing campaign that uses a clever technique to make the phishing efforts look more legitimate. An XSS vulnerability in UPS.com meant threat actors could modify the site's regular page to look like a legitimate download page. The flaw allowed the threat actor to distribute a malicious document through a remote Cloudflare worker while making it look like it was being downloaded directly from UPS.com.