Malware News

Securityaffairs, 4d

Raccoon Infostealer operator sentenced to 60 months in prison

  • Mark Sokolovsky, operator of Raccoon Infostealer, has been sentenced to 60 months in US prison.
  • He has been ordered to pay over $910,000 in restitution.
  • Raccoon Infostealer is malware that steals credit card data, email credentials, and cryptocurrency wallets.
  • The malware infected over 100,000 users worldwide and resulted in the theft of millions of credentials and forms of identification.

Securityaffairs, 5d

Mirai botnet targets SSR devices, Juniper Networks warns

  • Juniper Networks warns that a Mirai botnet is targeting SSR devices that still use default passwords, after unusual activity was reported on December 11, 2024.
  • Multiple customers reported anomalous activity on their Session Smart Network (SSN) platforms on December 11, 2024. Threat actors first compromised the devices and then used them in DDoS attacks.
  • The Mirai bot compromises devices by logging in over SSH with default credentials, then executes commands remotely to carry out various malicious activities, including DDoS attacks.
  • To reduce exposure to these threats, users should change default credentials, use strong passwords, review access logs, deploy firewalls and IDS/IPS, and keep firmware up to date.

Securityintelligence, 5d

Black Friday Chaos: The Return of Gozi Malware

  • On Black Friday, Gozi malware targeted financial institutions across North America, with a significant surge in activity detected.
  • Gozi, also known as Ursnif and ISFB, is a modular banking Trojan that steals banking credentials.
  • The malware used sophisticated web-injects to compromise online banking sessions and steal sensitive information such as credentials and financial data.
  • Increased transaction volumes, weakened security measures, and consumers overlooking suspicious activity are among the reasons for the rise in Gozi attacks.
  • Advanced monitoring systems and robust security measures are necessary to detect and prevent such attacks.
  • IBM's system revealed a rise in compromised banking sessions, with Gozi operators focusing on North American banks during peak shopping hours.
  • The script shown in the article demonstrates a sophisticated web-inject attack used to manipulate online banking sessions and evade detection.
  • The Gozi campaign is expected to continue strongly, targeting Europe as well and employing more sophisticated tactics to widen its impact.
  • Recommendations for avoiding Gozi malware include being wary of email links, strengthening password security, remaining cautious when accessing websites, and staying informed about the latest cybersecurity threats.
  • IBM Security Trusteer Pinpoint Detect is a powerful tool for detecting Gozi malware and protecting digital channels.

Securelist, 5d

Lazarus group evolves its infection chain with old and new malware

  • The Lazarus group delivered archive files containing malicious components, using both new and old malware samples, to two employees associated with the same nuclear-related organization.
  • The group used multiple types of malware, such as a downloader, loader, and backdoor.
  • The DeathNote campaign is a series of cyber attacks by the Lazarus group that has been distributing its malicious software components by exploiting fake job opportunities to target employees in various sectors.
  • Lazarus group tends to pose as recruiters and contact targets on platforms like LinkedIn, Telegram, WhatsApp, etc.
  • They have been distributing trojanized remote access tools to convince the targets to connect to a specific server for skills assessment.
  • Their recently discovered attack adapted the same method of distributing trojanized remote access tools, but the infection chain has completely changed.
  • The group delivered malicious compressed ISO files to its victims to go undetected, since ZIP archives are easily detected by many services.
  • The malware-to-malware flowchart created by the group defines the cookies and payloads that were sent and received by its malware components.
  • CookiePlus is a new modular malware introduced by the Lazarus group that disguises itself as open-source plugins.
  • The group has been using compromised web servers running WordPress as C2s for most of their campaigns.

TechCrunch, 6d

How the ransomware attack at Change Healthcare went down: A timeline

  • A ransomware attack in February on US health tech company Change Healthcare affected at least 100m people, making it one of the largest data breaches of US health and medical data in history.
  • The company processes billing and insurance for hundreds of thousands of medical practices, pharmacies, and hospitals in the US healthcare sector, handling between one-third and one-half of all US health transactions.
  • The hackers broke into the company's system on or around February 12, with Change Healthcare only confirming that a cyber attack was the cause of the outage eight days later.
  • UnitedHealth later confirmed that a Russian-speaking ransomware gang, ALPHV/BlackCat, was behind the attack, with the gang itself also publishing evidence on the dark web.
  • In early March, the gang vanished after a $22m ransom payment; the stolen data later resurfaced with a new extortion operation called RansomHub in April.
  • As of October 24, UnitedHealth confirmed the breach affected over 100m people, while a lawsuit by Nebraska revealed new details of the hack, suggesting the number could rise further.
  • CEO Andrew Witty later admitted that the attackers got in through a user account protected by a single password, with no multi-factor authentication in place.
  • Change Healthcare began notifying affected individuals in late June, as required by law, while the US government raised its bounty to $10m for information on the gang's location.
  • Affected healthcare providers can also request UnitedHealth notify their patients, while the incident remains one of the biggest data breaches of sensitive US health data.
  • UnitedHealth said the hackers stole sensitive information, including medical data, health information, diagnoses, payment information, test results, imaging, care plans, treatment plans and other personal information.

TechCrunch, 6d

Nebraska sues Change Healthcare over security failings that led to medical data breach of over 100 million Americans

  • The state of Nebraska has sued Change Healthcare over alleged security failings that led to a data breach affecting over 100 million Americans.
  • Nebraska's attorney general claims that Change Healthcare failed to implement proper security measures, resulting in a historic and significant breach of sensitive health information.
  • The breach, linked to the ALPHV ransomware gang, exposed personal, health, and financial data of affected individuals.
  • Nebraska is seeking damages and accountability from Change Healthcare for the harm caused to residents, healthcare providers, and operational disruptions.

Qualys, 6d

NotLockBit: A Deep Dive Into the New Ransomware Threat

  • NotLockBit, a recently identified ransomware family that encrypts macOS and Windows systems, has mimicked some tactics of the LockBit gang, while also adding new features.
  • The ransomware demonstrates advanced capabilities, such as targeted file encryption, data exfiltration, and self-deletion mechanisms.
  • It uses the go-sysinfo module to gather detailed data about the victim's system and decodes the attackers' public key from a PEM (Privacy Enhanced Mail) file, a widely used encoding.
  • The malware generates a random value and encrypts it with the RSA public key extracted from the PEM file. It writes the collected information to a text file and exfiltrates the data to the attackers, giving them continued access to sensitive information.
  • NotLockBit encrypts files with AES and uses RSA to protect the encryption key, and it targets specific file types based on their extensions.
  • After encryption, the ransomware replaces the infected system's desktop wallpaper with a custom LockBit ransom banner, then deletes shadow copies and removes itself, a mechanism designed to eliminate traces from the victim's system.
  • This finding highlights the need for proactive endpoint detection, threat hunting, and incident response capabilities to combat such advanced ransomware attacks effectively.

Socprime, 6d

UAC-0125 Attack Detection: Hackers Use Fake Websites on Cloudflare Workers to Exploit the “Army+” Application

  • Another hacking collective has evolved in the cyber threat arena to target Ukrainian organizations.
  • CERT-UA notifies defenders about the discovery of fake websites that mimic the official page of the “Army+” application and are hosted using the Cloudflare Workers service.
  • The UAC-0125 group is highly likely associated with the nefarious russia-backed hacking collective tracked as UAC-0002 (aka APT44 aka Sandworm).
  • The increasing number of cyber attacks targeting government bodies, military and defense agencies and critical infrastructure sector has been causing a stir on the cyber front line since russia’s full-fledged war against Ukraine.
  • SOC Prime Platform for collective cyber defense equips security teams with a relevant detection stack to proactively thwart attacks covered in the CERT-UA#12559 alert.
  • UAC-0125 Attack Analysis: Users are prompted to download the executable file “ArmyPlusInstaller-v.0.10.23722.exe” when visiting fake websites.
  • The executable runs a PowerShell script that installs OpenSSH on the compromised system and generates an RSA key pair.
  • The adversary activity is tracked under the UAC-0125 identifier and is highly likely associated with the russia-linked UAC-0002 cluster (aka Sandworm).
  • The notorious Sandworm APT group has been targeting Ukrainian state bodies and critical infrastructure organizations for over a decade.
  • MITRE ATT&CK Context: Security teams can gain valuable insights into the UAC-0125 TTPs involved in the latest malicious campaign against Ukraine.

Cybersecurity-Insiders, 7d

Ransomware attacks on Texas University and Namibia Telecom

  • Interlock ransomware group targets Texas Tech University Health Sciences Center, exposing sensitive data of 1.46 million patients.
  • Texas Tech has notified affected patients and advises them to remain vigilant against potential identity theft and phishing attacks.
  • Telecom Namibia has become the latest victim of the Hunters International ransomware gang, exposing personal information of government officials.
  • Attackers leaked stolen data on the dark web and encrypted messaging platforms to apply pressure and profit from the sale.

Siliconangle, 7d

1.4M records stolen in Texas Tech University Health Sciences Center ransomware attack

  • Approximately 1.4 million records related to students, staff, and patients at Texas Tech University Health Sciences Center were stolen in a ransomware attack.
  • The attack occurred in September, but the university only recently disclosed the incident.
  • The stolen data includes personally identifiable information such as names, dates of birth, addresses, Social Security numbers, and medical records.
  • Texas Tech University is offering complimentary credit monitoring services to affected individuals.

Securityaffairs, 7d

Texas Tech University data breach impacted 1.4 million individuals

  • Texas Tech University disclosed a data breach that impacted over 1.4 million individuals following a cyber attack.
  • The incident took place in September 2024 and temporarily impacted computer systems and applications.
  • Compromised information includes personal, health, and financial data such as Social Security numbers, driver's license numbers, and medical records.
  • The Interlock ransomware gang claimed responsibility for the security breach and allegedly stole 2.6 terabytes of data.

Socprime, 7d

DarkGate Malware Attack Detection: Voice Phishing via Microsoft Teams Leads to Malware Distribution

  • Researchers have uncovered a new malicious campaign using voice phishing (vishing) to spread the DarkGate malware.
  • Adversaries masqueraded as a known client on a Microsoft Teams call, tricking victims into downloading AnyDesk for remote access and deploying malware.
  • The DarkGate malware facilitated remote control, offensive commands, data collection, and connection to a C2 server.
  • Mitigation measures include careful vetting of third-party technical support providers, cloud vetting processes, and implementation of multi-factor authentication (MFA).

Cybersecurity-Insiders, 7d

Clop Ransomware circumvents Cleo file transfer software for data steal

  • The Clop ransomware gang exploited a vulnerability in Cleo file transfer software, compromising Harmony, VLTrader, and LexiCom.
  • Numerous businesses relying on Cleo's products are at risk of data theft.
  • Cleo has patched the vulnerability, but many customers remain unaware and still vulnerable.
  • The Clop gang revealed its identity and claims to have deleted the stolen data after media reports credited the attack to another group.

Securityaffairs, 7d

The FBI warns of HiatusRAT scanning campaigns against Chinese-branded web cameras and DVRs

  • The FBI warns of HiatusRAT scanning campaigns against Chinese-branded web cameras and DVRs.
  • The FBI released a Private Industry Notification (PIN) highlighting HiatusRAT malware campaigns targeting these devices.
  • The malware has been active since July 2022 and is being used for reconnaissance and intelligence gathering.
  • The FBI recommends mitigation measures including patching, strong passwords, and network segmentation.

TechCrunch, 7d

Texas medical school says hackers stole sensitive health data of 1.4 million individuals

  • Hackers stole sensitive health data of 1.4 million individuals from Texas Tech University Health Sciences Center during a September cyberattack.
  • The attackers accessed personal information such as Social Security numbers, financial account details, government-issued ID information, and medical records.
  • TTUHSC's security incident website has been made more difficult to find in search results through 'noindex' code.
  • The Interlock ransomware group has claimed responsibility for the cyberattack and published 2.1 million stolen files, totaling 2.6 terabytes of data.
