Catch of the Day: RansomHub Phish
Chef’s Special: Coding Test Phish
Examples of clever phish that made it past my anti-spam nets and into my inbox. Some are contributed by clients or readers like you, and other reliable sources on the Internet.
You can send phishing samples to me at phish@wyzguys.com.
My intention is to provide a warning and show current examples of phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your inbox. If the pictures are too small or extend off the page, double clicking the image will display them in a photo viewer app.
New Ransomware Threat Group, RansomHub, is so Effective, the NSA is Already Warning You About Them
From Knowbe4
The latest evolution of the ransomware service model, RansomHub, has only been around since February of this year, but its affiliates are already successfully exfiltrating data.
You know you’re a problem when the U.S. government puts out a notice about you. That’s the case for RansomHub — the latest iteration of a ransomware as a service group formerly working under the names Cyclops and Knight.
It appears that their latest service model is pulling ransomware affiliate actors away from big names in the ransomware world like LockBit and ALPHV.
According to the CISA/NSA cybersecurity advisory, the group and its affiliates have successfully exfiltrated data from over 210 organizations since February of this year across a wide range of industries that include “water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure.”
In addition to a longer list of mitigations at the end of the advisory, the NSA makes a few summary recommendations at the beginning to help organizations focus on some of the most effective ways to stop ransomware:
- Install updates for operating systems, applications and firmware
- Use phishing-resistant MFA
- Implement security awareness training and include an ability for users to report phishing attacks
Blog post with links:
https://blog.knowbe4.com/new-ransomware-threat-group-ransomhub-is-so-effective-the-nsa-is-already-warning-you-about-them
North Korean Hackers Target Software Developers With Phony Coding Tests
Researchers at ReversingLabs warn that North Korea’s Lazarus Group is targeting software developers with phony job interviews.
The threat actors are posing as employees of major financial services firms and send coding assessment tests as part of the interview process. Our team recently recorded a webinar that covers this exact topic, as our cybersecurity experts discuss how we spotted the red flags and stopped it before any damage was done.
The coding tests are designed to trick the job applicant into installing malware concealed in Python packages.
“The content of nearly identical README files included with the packages provides more insight into what the victim encountered,” ReversingLabs says.
“They contain instructions for the job candidates to find and fix a bug in a password manager application, republishing their fix and taking screenshots to document their coding work. The README files tell would-be candidates to make sure the project is running successfully on their system before making modifications. That instruction is intended to make sure that the malware execution is triggered regardless of whether the job candidate (aka ‘the target’) completes the assigned coding assignment.”
The threat actors attempt to instill a sense of urgency by setting a short deadline for the assignment. This is a common social engineering tactic that makes the victim less likely to slow down and think rationally before acting.
“Specifically, the instructions set a timeframe for completing the assignment (finding a coding flaw in the package and fixing it),” the researchers write.
“It is clearly intended to create a sense of urgency for the would-be job seeker, thus making it more likely that he or she would execute the package without performing any type of security or even source code review first. That ensures the malicious actors behind this campaign that the embedded malware would be executed on the developer’s system.”
Blog post with links:
https://blog.knowbe4.com/north-korean-hackers-target-software-developers-with-phony-coding-tests
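The ReversingLabs quote above makes the defensive point directly: the README is written so the candidate runs the package before reading it. The cheapest counter is a quick automated source review before anything executes. The script below is an added example written for this post, not code from KnowBe4, ReversingLabs, or the campaign itself; the function names (`scan_source`, `scan_tree`) and the list of flagged calls are my own choices, and the two sample files are constructed inline (the "encoded payload" is just the word PLACEHOLDER in base64). It parses each Python file with the standard `ast` module and reports calls that have no business in a password-manager coding test: dynamic execution, decode-then-execute chains, shelling out, network access, and unusually long string literals that often hide an encoded second stage.

```python
import ast
from dataclasses import dataclass
from pathlib import Path

# Calls worth a human look before running an unknown "coding assignment".
# Constructed list for this example; extend it for your own environment.
EXEC_CALLS = {"exec", "eval", "compile", "__import__"}
DECODE_CALLS = {"base64.b64decode", "marshal.loads", "zlib.decompress", "codecs.decode"}
SHELL_NET_CALLS = {
    "subprocess.Popen", "subprocess.run", "subprocess.call", "os.system", "os.popen",
    "urllib.request.urlopen", "requests.get", "requests.post", "socket.socket",
    "ctypes.CDLL", "pickle.loads",
}
SUSPICIOUS_CALLS = EXEC_CALLS | DECODE_CALLS | SHELL_NET_CALLS
LONG_LITERAL = 200  # characters; long blobs in a small app are a red flag


@dataclass
class Finding:
    path: str
    line: int
    call: str
    reason: str


def _dotted_name(node):
    """Render a Name or Attribute chain as 'a.b.c'; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _is_decode_call(node):
    return isinstance(node, ast.Call) and _dotted_name(node.func) in DECODE_CALLS


def scan_source(path: str, source: str) -> list[Finding]:
    """Static review of one file: returns findings, empty list if nothing stood out."""
    findings = []
    try:
        tree = ast.parse(source, filename=path)
    except SyntaxError as e:
        # A file that will not even parse still deserves a manual look.
        return [Finding(path, e.lineno or 0, "<parse>", "file does not parse; review by hand")]
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in EXEC_CALLS and any(_is_decode_call(a) for a in node.args):
                findings.append(Finding(path, node.lineno, name, "decode-then-execute loader pattern"))
            elif name in SUSPICIOUS_CALLS:
                findings.append(Finding(path, node.lineno, name, "dynamic execution / decoding / shell / network call"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) and len(node.value) >= LONG_LITERAL:
            findings.append(Finding(path, node.lineno, "<string>",
                                    f"long string literal ({len(node.value)} chars), possible encoded payload"))
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk a checked-out assignment and scan every .py file in it."""
    out = []
    for p in sorted(Path(root).rglob("*.py")):
        out.extend(scan_source(str(p), p.read_text(encoding="utf-8", errors="replace")))
    return out


# Constructed sample inputs (not real files from the campaign).
BENIGN = '''
import json

def load_vault(path):
    with open(path) as f:
        return json.load(f)
'''

SUSPICIOUS = f'''
import base64

PAYLOAD = "{"x" * 240}"

def _init():
    # "UExBQ0VIT0xERVI=" is just the word PLACEHOLDER in base64
    exec(base64.b64decode("UExBQ0VIT0xERVI="))

_init()
'''

if __name__ == "__main__":
    for f in scan_source("vault.py", BENIGN) + scan_source("__init__.py", SUSPICIOUS):
        print(f"{f.path}:{f.line}: {f.call}: {f.reason}")
```

Run it against the unpacked assignment with `scan_tree("path/to/assignment")` before installing dependencies or starting the app. A clean result does not prove the code is safe, and an alert does not prove it is malicious, but a legitimate take-home test for a password manager should not need `exec`, base64 decoding, or outbound network calls, and seeing them is the moment to stop and ask the "recruiter" some questions instead of hitting the deadline.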
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com