Grey Wolf Security
Grey Wolf Security specializes in cyber security solutions. We deliver subject matter experts to you
Threat Actors Pivot Around Microsoft’s Macro-Blocking in Office
Cybercriminals turn to container files and other tactics to get around the company’s attempt to thwart a popular way to deliver malicious phishing payloads.
Threat actors are finding their way around Microsoft’s default blocking of macros in its Office suite, using alternative files to host malicious payloads now that a primary channel for threat delivery is being cut off, researchers have found.
By Elizabeth Montalbano - threatpost
LockBit ransomware abuses Windows Defender to load Cobalt Strike
A threat actor associated with the LockBit 3.0 ransomware operation is abusing the Windows Defender command line tool to load Cobalt Strike beacons on compromised systems and evade detection by security software.
Cobalt Strike is a legitimate penetration testing suite with extensive features popular among threat actors to perform stealthy network reconnaissance and lateral movement before stealing data and encrypting it.
Security analysts have observed an affiliate of the LockBit 3.0 ransomware operation abusing a Windows Defender command line tool to decrypt and load Cobalt Strike beacons on the target systems.
By Bill Toulas - Bleeping Computer
CISA warns of critical Confluence bug exploited in attacks
CISA has added a critical Confluence vulnerability tracked as CVE-2022-26138 to its list of bugs abused in the wild, a flaw that can provide remote attackers with hardcoded credentials following successful exploitation.
As Australian software firm Atlassian revealed last week, unpatched versions of the Questions for Confluence app (installed on more than 8,000 servers) create an account with hardcoded credentials.
By Sergiu Gatlan - Bleeping Computer
Akamai blocked largest DDoS in Europe against one of its customers
The largest distributed denial-of-service (DDoS) attack that Europe has ever seen occurred earlier this month and hit an organization in Eastern Europe.
The target, a customer of cybersecurity and cloud service company Akamai, has been under constant assault, facing dozens of DDoS rounds over the past 30 days.
By Bill Toulas - Bleeping Computer
No More Ransom helps millions of ransomware victims in 6 years
The No More Ransom project celebrates its sixth anniversary today after helping millions of ransomware victims recover their files for free.
Launched in July 2016, No More Ransom is an online portal and a public-private partnership created by law enforcement (Europol and the Dutch National Police) and IT security companies (Kaspersky and McAfee).
By Sergiu Gatlan - Bleeping Computer
Hackers scan for vulnerabilities within 15 minutes of disclosure
System administrators have even less time to patch disclosed security vulnerabilities than previously thought, as a new report shows threat actors scanning for vulnerable endpoints within 15 minutes of a new CVE being publicly disclosed.
According to Palo Alto's 2022 Unit 42 Incident Response Report, hackers are constantly monitoring software vendor bulletin boards for new vulnerability announcements they can leverage for initial access to a corporate network or to perform remote code execution.
By Bill Toulas - Bleeping Computer
Source code for Rust-based info-stealer released on hacker forums
The source code for an information-stealing malware coded in Rust has been released for free on hacking forums, with security analysts already reporting that the malware is actively used in attacks.
The malware, which the author claims to have developed in just six hours, is quite stealthy, with VirusTotal returning a detection rate of around 22%.
A malware author released the source code of their info-stealer for free on hacking forums earlier this month, and security analysts already report observing several samples being deployed in the wild.
By Bill Toulas - Bleeping Computer
North Korean hackers attack EU targets with Konni RAT malware
Threat analysts have uncovered a new campaign attributed to APT37, a North Korean group of hackers, targeting high-value organizations in the Czech Republic, Poland, and other European countries.
In this campaign, the hackers use malware known as Konni, a remote access trojan (RAT) capable of establishing persistence and performing privilege escalation on the host.
By Bill Toulas - Bleeping Computer
Amadey malware pushed via software cracks in SmokeLoader campaign
A new version of the Amadey Bot malware is distributed through the SmokeLoader malware, using software cracks and keygen sites as lures.
Amadey Bot is a malware strain discovered four years ago, capable of performing system reconnaissance, stealing information, and loading additional payloads.
By Bill Toulas - Bleeping Computer
New CloudMensis malware backdoors Macs to steal victims’ data
Unknown threat actors are using previously undetected malware to backdoor macOS devices and exfiltrate information in a highly targeted series of attacks.
ESET researchers first spotted the new malware in April 2022 and named it CloudMensis because it uses pCloud, Yandex Disk, and Dropbox public cloud storage services for command-and-control (C2) communication.
By Sergiu Gatlan - Bleeping Computer
Russian hackers use fake DDoS app to infect pro-Ukrainian activists
Google's Threat Analysis Group (TAG), whose primary goal is to defend Google users from state-sponsored attacks, said today that Russian-backed threat groups are still focusing their attacks on Ukrainian organizations.
In a report regarding recent cyber activity in Eastern Europe, Google TAG security engineer Billy Leonard revealed that hackers part of the Turla Russian APT group have also been spotted deploying their first Android malware.
By Sergiu Gatlan - Bleeping Computer
Google Boots Multiple Malware-laced Android Apps from Marketplace
Google removed eight Android apps, with 3M cumulative downloads, from its marketplace for being infected with a Joker spyware variant.
Google has removed eight apps from its Google Play store that were propagating a new variant of the Joker spyware, but not before they already had garnered more than 3 million downloads.
By Elizabeth Montalbano - threatpost
Hackers pose as journalists to breach news media org’s networks
Researchers following the activities of advanced persistent threat (APT) groups originating from China, North Korea, Iran, and Turkey say that journalists and media organizations have remained a constant target for state-aligned actors.
The adversaries are either masquerading as or attacking these targets because they have unique access to non-public information that could help expand a cyberespionage operation.
By Bill Toulas - Bleeping Computer
FBI warns of fake cryptocurrency apps used to defraud investors
The FBI has warned today that cybercriminals use fraudulent cryptocurrency investment applications to steal funds from US investors.
So far, the US federal law enforcement agency estimates that cyber criminals have already successfully stolen roughly $42.7 million from 244 victims.
The FBI warned that cybercriminals are creating and using fraudulent cryptocurrency investment applications to steal funds from US cryptocurrency investors.
By Sergiu Gatlan - Bleeping Computer
Russia fines Google $358 million for not removing banned info
A court in Moscow has imposed a fine of $358 million (21 billion rubles) on Google LLC for failing to restrict access to information considered prohibited in the country.
More specifically, according to an announcement by Roskomnadzor, Russia's internet watchdog, Google and its subsidiary YouTube have failed to remove the following materials even after multiple requests from the Russian IT controller:
By Bill Toulas - Bleeping Computer
Large-Scale Phishing Campaign Bypasses MFA
Attackers used adversary-in-the-middle attacks to steal passwords, hijack sign-in sessions and skip authentication and then use victim mailboxes to launch BEC attacks against other targets.
Microsoft researchers have uncovered a massive phishing campaign that can steal credentials even if a user has multi-factor authentication (MFA) enabled and has so far attempted to compromise more than 10,000 organizations.
By Elizabeth Montalbano - threatpost
Journalists Emerge as Favored Attack Target for APTs
Since 2021, various state-aligned threat groups have turned up their targeting of journalists to siphon data and credentials and also track them.
Targeted phishing attacks are traced to multiple threat actors who have each independently focused on stealing credentials and sensitive data and tracking the geolocation of journalists.
By Elizabeth Montalbano - threatpost
New Lilith ransomware emerges with extortion site, lists first victim
A new ransomware operation has been launched under the name 'Lilith,' and it has already posted its first victim on a data leak site created to support double-extortion attacks.
Lilith is a C/C++ console-based ransomware discovered by JAMESWT and designed for 64-bit versions of Windows. Like most ransomware operations launching today, Lilith performs double-extortion attacks, in which the threat actors steal data before encrypting devices.
By Bill Toulas - Bleeping Computer
Mantis botnet behind the record-breaking DDoS attack in June
The record-breaking distributed denial-of-service (DDoS) attack that Cloudflare mitigated last month originated from a new botnet called Mantis, which is currently described as "the most powerful botnet to date."
The attack peaked at 26 million requests per second that came from 5,067 devices. The previous record was held by Mēris botnet, which launched an attack that spiked at 21.8 million requests per second.
By Bill Toulas - Bleeping Computer
Microsoft: Phishing bypassed MFA in attacks against 10,000 orgs
Microsoft says a massive series of phishing attacks has targeted more than 10,000 organizations starting with September 2021, using the gained access to victims' mailboxes in follow-on business email compromise (BEC) attacks.
The threat actors used landing pages designed to hijack the Office 365 authentication process (even on accounts protected by multifactor authentication (MFA)) by spoofing the Office online authentication page.
By Sergiu Gatlan - Bleeping Computer
New ‘Luna Moth’ hackers breach orgs via fake subscription renewals
A new data extortion group has been breaching companies to steal confidential information, threatening victims to make the files publicly available unless they pay a ransom.
The gang received the name Luna Moth and has been active since at least March in phishing campaigns that delivered remote access tools (RATs) that enable the corporate data theft.
By Bill Toulas - Bleeping Computer
Hackers impersonate cybersecurity firms in callback phishing attacks
Hackers are impersonating well-known cybersecurity companies, such as CrowdStrike, in callback phishing emails to gain initial access to corporate networks.
Most phishing campaigns embed links to landing pages that steal login credentials or emails that include malicious attachments to install malware.
By Bill Toulas - Bleeping Computer
Microsoft rolls back decision to block Office macros by default
While Microsoft announced earlier this year that it would block VBA macros on downloaded documents by default, Redmond said on Thursday that it will roll back this change based on "feedback" until further notice.
The company has also failed to explain the reason behind this decision and is yet to publicly inform customers that VBA macros embedded in malicious Office documents will no longer be blocked automatically in Access, Excel, PowerPoint, Visio, and Word.
By Sergiu Gatlan - Bleeping Computer
New 0mega ransomware targets businesses in double-extortion attacks
A new ransomware operation named ‘0mega’ targets organizations worldwide in double-extortion attacks and demands millions of dollars in ransoms.
0mega (spelled with a zero) is a new ransomware operation launched in May 2022 and has attacked numerous victims since then.
By Lawrence Abrams - Bleeping Computer
Address
201 N Union Street Suite 110, 19977
Alexandria, VA
22314
Opening Hours
Monday: 9am - 5pm
Tuesday: 9am - 5pm
Wednesday: 9am - 5pm
Thursday: 9am - 5pm
Friday: 9am - 5pm