Overview of security incidents for the period from 24 to 30 July 2021
New attacks through the ProxyLogon vulnerabilities, a cyberattack on a transport company, the return of the notorious DoppelPaymer ransomware group and the appearance of an "heir" to the DarkSide and REvil groups are just a few of the events in the world of information security for the period from July 24 to July 30, 2021.
After two months of almost complete inactivity, the DoppelPaymer group has returned to the ransomware arena. The hackers rebranded, renaming the group Grief (also written as Pay or Grief). They allegedly stole data from 5 organizations, including one in Mexico. According to experts, DoppelPaymer and Grief use the same encrypted file format and the same distribution channel, the Dridex botnet. Despite the attackers' attempts to make Grief look like a standalone ransomware-as-a-service (RaaS) operation, the similarities with DoppelPaymer cannot be ignored.
In addition to DoppelPaymer, the LockBit group is also working on improving its ransomware. Researchers have discovered a new version of the ransomware that has received a number of improvements, including the ability to encrypt Windows domains using Active Directory Group Policies. The new version of LockBit also received a feature previously used by the ransomware Egregor – printing a ransom note on all printers connected to the network.
This week, a new ransomware group also entered the cybercriminal arena, claiming to be the successor to the much-talked-about and now-defunct DarkSide and REvil. BlackMatter is currently looking for partners and has already posted recruitment announcements on the Exploit and XSS hacker forums. According to the ad, the group is only interested in access to large companies with annual revenues of $100 million or more.
South Africa's state-owned Transnet, which manages the country's major ports, including Durban and Cape Town, became a victim of the Death Kitty ransomware. According to company representatives, the attack disrupted TPT business processes and functions and caused damage to equipment and data. In a ransom note left on infected systems, the hackers claimed to have encrypted company files, including 1TB of personal data, financial statements and other documents.
The cyberattack, which paralyzed a railroad in Iran earlier this month, was not carried out using ransomware, as previously thought, but a Meteor wiper that erases all data stored on the system. This incident is the first use of Meteor, and experts have not yet been able to associate it with any known cybercriminal group.
A Chinese cybercriminal group, known for its attacks on countries in Southeast Asia, is exploiting the ProxyLogon vulnerabilities in Microsoft Exchange Server to infect targeted systems with a previously unknown Remote Access Trojan (RAT). Unit 42, the threat research division of the information security company Palo Alto Networks, attributed the attacks to the PKPLUG group (also known as Mustang Panda and HoneyMyte). Experts identified a new variant of the PlugX modular malware, called Thor, which was delivered to one of the compromised servers as a post-exploitation tool.
Windows 11 has not yet been officially released but is already available for download and preview. This, of course, is being exploited by cybercriminals trying to slip malware past users under the guise of the new OS. Kaspersky Lab specialists detected malware in a file called 86307_windows 11 build 21996.1 x64 + activator.exe. It weighs 1.75 GB and is presented as an operating system installer, but when it is launched the malicious payload is unpacked, after which adware and other unwanted programs appear on the computer.
Iranian hackers posed as an aerobics instructor for 18 months in a cyber-espionage campaign targeting defence and aerospace employees and contractors. The attackers infected victims' systems with malware to steal credentials and other confidential information. During the campaign, which has been running since at least 2019, the attackers used the social networks Facebook and Instagram. Experts linked this campaign to the group TA456 (also known as Tortoiseshell), which is backed by the Iranian government and associated with the Islamic Revolutionary Guard Corps.
On Monday, July 26, five secret documents were released in the media, which allegedly laid out plans for Iran’s cyberattacks on the infrastructure of Western countries. While reports of attacks on infrastructure by Iran and other countries appear in the press quite often, this is the first time that the media has managed to get hold of internal documents of a cyber division of the Islamic Revolutionary Guard Corps outlining plans for cyberattacks. According to the documents, one of the cyberattacks was planned on a cargo ship’s ballast water system and could cause irreversible damage. Another attack was planned on the automatic gauges of some gas stations.
The cybercriminal group TG1021 (or Praying Mantis), allegedly linked to China, exploited a vulnerability in the popular Checkbox Survey tool to launch attacks on organizations in the United States. During the attacks, the criminals exploited a deserialization vulnerability (CVE-2021-27852) in Checkbox Survey. The vulnerability can be exploited remotely without authentication and affects the Checkbox Survey 6 application. It is not present in version 7.0 (released in 2019), but older versions are no longer supported and will not receive a fix.
Microsoft also warned its users about the spread of the LemonDuck malware. According to experts, once it lands on a computer, LemonDuck immediately enrols the machine in a botnet used to mine the Monero cryptocurrency. The malware enters computers through phishing emails, USB flash drives and security vulnerabilities. Microsoft warned that owners of devices running Windows and Linux operating systems are most often affected.
The personal data of the supporters of the Anti-Corruption Foundation (FBK, recognized as an extremist organization and an NGO-foreign agent in Russia), once again appeared in the public domain. More than 111 thousand e-mails of users registered in the Smart Voting project have leaked into the network.
On the RAID forum, one of the users posted a 751-gigabyte file which he claims is the source code for FIFA 21, stolen by a group of hackers in June 2021. Apparently, having failed to extort money from Electronic Arts and not finding a buyer for the source code, the extortionists released it for free.
Cybercriminals have compromised the credentials of ticket holders for the Tokyo 2020 Summer Olympics and Paralympics, as well as those of the event’s volunteers. The stolen credentials could be used to authorize volunteers and ticket holders on event websites, risking disclosure of information such as names, addresses and bank account numbers, Kyodo news agency reported.
A complete database of Clubhouse phone numbers was put up for sale on the darknet this week. The database contains information on 3.8 billion phone numbers of both Clubhouse members and users from their synchronized contact lists.
The Israeli company NSO Group has repeatedly denied that Pegasus spyware was used to hack the phones of many politicians. However, as WhatsApp CEO Will Cathcart told The Guardian, governments allegedly used Pegasus software to attack high-level government officials around the world in 2019, including national security officials who were allies of the United States. …
Security vendor Intezer has warned of cyberattacks in which attackers use the Argo Workflows engine to launch attacks on Kubernetes clusters and deploy crypto miners. Intezer experts have identified a number of vulnerable containers that have been used by organizations in the technology, financial and logistics sectors.