
Ransomware/Malware
Ransomware Gangs Run Phishing Attacks Through MS Teams
Ransomware gangs are increasingly pairing email bombing with fake tech-support calls on Microsoft Teams to trick employees into granting remote access and installing malware. The attack starts by flooding the target's inbox with thousands of spam emails in a short window; an external Teams call from an account posing as the company's IT help desk then offers to "fix" the problem and talks the employee into opening a remote-assistance session. Once the attacker has control of the desktop, they drop Java- and Python-based payloads that establish a command-and-control channel and can lead to ransomware deployment. Organizations are advised to block external Teams communication (or restrict it to an allow list of partner tenants) and to remove or disable Quick Assist so that a victim cannot hand a caller remote control even after being tricked.
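As an added example, not part of the original article, the PowerShell below puts a Microsoft 365 tenant and its Windows endpoints into the hardened state recommended above, with the weak setting shown beside the corrected one. It assumes the MicrosoftTeams module and an account holding the Teams Administrator role for the tenant steps, and an elevated session on each endpoint (for example via Intune or a scheduled task) for the Quick Assist steps. The cmdlet names are Microsoft's; the sequence and comments are added here.

```powershell
# Added example (not from the original article): harden a tenant and its
# endpoints against the Teams "fake IT support" vector described above.
# Assumptions: MicrosoftTeams module installed, Teams Administrator rights,
# and an elevated session on each endpoint for steps 3 and 4.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Inspect the weak default. AllowFederatedUsers / AllowTeamsConsumer
#    set to $true means any other tenant, and any personal Teams account,
#    can call or chat with your users, which is what the fake help-desk
#    accounts rely on.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains

# 2. Hardened state: no inbound chat or calls from other tenants or from
#    personal Teams accounts. If a few partner tenants are genuinely needed,
#    leave AllowFederatedUsers on and restrict AllowedDomains to them instead.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $false `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# 3. On the endpoint: remove the Quick Assist Windows capability so a
#    victim cannot grant a caller remote control even if talked into it.
Get-WindowsCapability -Online |
    Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' } |
    ForEach-Object { Remove-WindowsCapability -Online -Name $_.Name }

# 4. Newer Windows 11 builds also ship Quick Assist as a Store app;
#    remove that package for all users as well (wildcard avoids relying
#    on the exact package name).
Get-AppxPackage -AllUsers -Name '*QuickAssist*' |
    Remove-AppxPackage -AllUsers

# 5. Verify nothing is left installed on the endpoint.
Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' |
    Select-Object Name, State
Get-AppxPackage -AllUsers -Name '*QuickAssist*' |
    Select-Object Name, PackageFullName
```

Removing Quick Assist only closes the vector the article describes; if the help desk legitimately uses another remote tool, the same check should be applied to it, and inbound calls from domains outside the allow list should be logged and reviewed rather than silently dropped.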
Fake VPN Apps Are Targeting Devices with Malware
A recent investigation has raised concerns about the security of VPN services. The researchers found that several tunneling protocols (IP6IP6, GRE6, 4in6, and 6in4) accept tunneled packets without verifying who sent them, and that over 4 million internet-facing systems are affected, including VPN servers, home routers, mobile servers, and CDN nodes of major companies like Meta and Tencent. Because the protocols themselves carry no authentication, an attacker who can reach a vulnerable host can inject traffic into the networks behind it, use it to launch denial-of-service attacks, or intercept data.
To mitigate these risks, the vulnerable tunnels should be wrapped in a protocol that authenticates and encrypts traffic, such as IPsec or WireGuard, rather than run bare. Vulnerable hosts were concentrated in countries such as the US, Brazil, China, France, and Japan. When choosing a VPN, confirm that it uses authenticated, encrypted tunnels end to end, and rely on independent security testing rather than the vendor's own claims.
Hacker Targets Novice Cybercriminals
A hacker is targeting fellow cybercriminals by spreading a trojanized malware builder that infects the Windows PCs of whoever runs it. The builder silently installs a version of XWorm, a remote access Trojan that can steal data such as browser passwords and cookies, take screenshots, and even shut down the PC. The malware has been circulating on platforms like GitHub, Telegram, and file-sharing sites, aimed mainly at novice hackers following tutorials.
It's been reported that the malware has infected over 18,000 devices globally, with significant numbers in Russia, the USA, India, Ukraine, and Turkey. Although credentials were stolen from only a small portion of victims, the malware exfiltrates data to its creator through a Telegram bot. Researchers found that the malware can be deactivated by issuing its built-in uninstall command to infected machines, but this only reaches machines that are online at the time and is constrained by Telegram's rate limits.
Cyberattack/Data Breach
Hacker Claims to Steal HPE Source Code
Hewlett Packard Enterprise (HPE) is investigating claims by the group IntelBroker that it stole documents from the company's developer environments, including certificates, source code, and credentials. While HPE has found no evidence of a breach so far, it has activated its cyber response protocols and is examining the situation. IntelBroker, known for previous high-profile hacks, claims to have obtained access to HPE's APIs, GitHub repositories, and other sensitive data. HPE has faced several breaches in the past, including incidents in 2018 and 2021.
Massive Data Hack Claims 2.9 Billion Records
A hacking group called USDoD claims to have stolen personal records of 2.9 billion people from National Public Data, a Florida-based background check company. The breach, believed to have occurred in April, included sensitive information such as names, addresses, Social Security numbers, and family details spanning three decades. The data, reportedly 277.1 gigabytes in size, was initially put up for sale on the dark web for $3.5 million and later leaked for free. National Public Data has not confirmed the breach but is investigating the claims. Potential victims are advised to monitor their credit, update passwords, and take other precautions against identity theft.
Home Care Patients Affected by Data Breach
Allegheny Health Network (AHN) has reported a data breach affecting nearly 300,000 home care patients. Between October 11 and November 19, a third party accessed personal information including names, Social Security numbers, and health data. The breach was traced to AHN's vendor IntraSystems LLC, which managed servers for AHN's home medical equipment and infusion subsidiaries. AHN has begun notifying affected patients. The incident highlights the growing risk of cyberattacks against health system contractors, which have increasingly become a target for attackers because a single vendor often holds data for many providers.
Phishing and Scams
Star Blizzard Launches Spear-Phishing Campaign
Russian cyber group Star Blizzard has launched a spear-phishing campaign targeting individuals in government, diplomacy, defense, and Ukraine aid organizations. The attack begins with an email impersonating a U.S. government official that invites the recipient to join a WhatsApp group. The email carries a deliberately broken QR code so that the recipient replies asking for help, at which point the attacker sends a link to a fake WhatsApp invitation page. Scanning the code on that page performs a normal WhatsApp "link a device" flow, so the victim unknowingly pairs the attacker's device with their own WhatsApp account and the attacker can read their messages. The campaign relies entirely on social engineering rather than malware, and shows that Star Blizzard remains active despite recent disruptions to its operations.
Phishing and “Pig Butchering” Scams Hit SaaS Infrastructure
A recent study highlights how attackers are abusing Zendesk's SaaS infrastructure, using the platform's free trial to create phishing sites that impersonate legitimate brands. By registering brand-like subdomains, they send targets fake support tickets in order to steal data or commit financial fraud, including "pig butchering" investment scams. The report notes that Zendesk's lack of email verification and other safeguards at sign-up makes this abuse easy. It recommends deploying phishing detection tooling and training employees to verify that a support ticket really originates from the brand's own helpdesk before acting on it.
FBI: Be on the Lookout for Specific Language in Emails
The FBI has issued a warning about increasingly sophisticated phishing scams that exploit mass casualty events and disasters, such as the New Orleans attack and the Los Angeles wildfires. These scams typically use urgent language like "act fast" to pressure victims into acting before they think. The FBI, along with CISA, advises treating emails that create a sense of urgency with caution and avoiding unsolicited links. Experts also warn that AI is making phishing emails look more legitimate, so poor spelling and grammar can no longer be relied on as a tell. The best defense is to verify the sender's address, avoid clicking unknown links, and use two-factor authentication.
Artificial Intelligence
New Tech Executive Orders
Before leaving office, President Biden signed two executive orders aimed at enhancing cybersecurity and advancing U.S. leadership in artificial intelligence (AI). The cybersecurity order builds on previous efforts, focusing on software security, the use of AI for cyber defense, and preparation for post-quantum cryptography to defend against future threats. It also addresses threats from China and Russia, setting new standards for software development and lowering the threshold for sanctions against those behind cyberattacks on critical infrastructure. The AI order focuses on building infrastructure for AI data centers at federal sites, powered by clean energy and subject to national security requirements, while also promoting responsible development of AI technology. Biden emphasized the importance of safe, trustworthy AI and the U.S.'s role in leading its development.
Fortra's PhishLabs
Discover how Digital Risk Protection from PhishLabs can protect your organization’s critical digital assets and data from these online threats.