In this week’s Cyber Weekly Digest, find out more about the return of one of the most widely spread malware strains and how the FBI’s email systems were breached. Keep reading to stay up to date on the latest cyber security news from around the world.
The FBI confirmed that on Saturday, unidentified threat actors had breached one of its email servers. The threat actors sent out a fake security alert with the subject line “Urgent: Threat actor in systems” originating from a legitimate FBI email address “firstname.lastname@example.org[.]gov”. In the email, the attackers pin the attack on Vinny Troia, a security researcher and founder of dark web intelligence firms Night Lion Security and Shadowbyte, claiming he had links to a threat group.
Fake ransomware messages are being shown on hundreds of WordPress sites, warning that they’ve been encrypted. The message includes a countdown warning site owners that they’ve got seven days and 10 hours to pay over 0.1 Bitcoin before their files are encrypted. Researchers were hired by one of the victims to provide incident response. The researchers discovered that the websites had not actually been encrypted, but rather the threat actors modified an installed WordPress plugin to display the ransom note and countdown. By removing the plugin and running a command to republish the posts and pages, the site returned to its normal status.
Emotet was once considered the most widely spread malware, distributed through spam campaigns and malicious attachments. Earlier this year, law enforcement took over the Emotet infrastructure. However, this week researchers spotted that the TrickBot malware has been dropping a loader for Emotet on infected devices. Later this week, the Emotet botnet kicked off with multiple spam campaigns delivering malicious documents to mailboxes worldwide.
A joint advisory was published this week by CISA about an ongoing threat carried out by Iranian-backed threat actors. The threat had been tracked by law enforcement across the globe, including the UK’s National Cyber Security Centre, the FBI and the Australian Cyber Security Centre. All of the security bodies have traced the attacks to an Iranian government-sponsored advanced persistent threat. The Iranian APT has been exploiting Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since October 2021. The vulnerabilities grant the attackers initial access to systems, which leads to follow-on operations, including ransomware, data exfiltration or encryption, and extortion.
Researchers have warned that the MosesStaff hacking group is aiming politically motivated, destructive attacks at Israeli targets, looking to inflict the most damage possible. According to researchers, MosesStaff encrypts networks and steals information with no intention of demanding a ransom or rectifying the damage. MosesStaff appears to be using publicly available exploits for known vulnerabilities that remain unpatched on public-facing infrastructure. Although the actor is new by name, it may have links to ‘Pay2Key’ or ‘BlackShadow’, which have the same political motivation and targeting scope.