Original release date: August 4, 2022
Immediate Actions You Can Take Now to Protect Against Malware:
• Patch all systems and prioritize patching known exploited vulnerabilities.
• Enforce multifactor authentication (MFA).
• Secure Remote Desktop Protocol (RDP) and other risky services.
• Make offline backups of your data.
• Provide end-user awareness and training about social engineering and phishing.
This joint Cybersecurity Advisory (CSA) was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC). This advisory provides details on the top malware strains observed in 2021. Malware, short for “malicious software,” can compromise a system by performing an unauthorized function or process. Malicious cyber actors often use malware to covertly compromise and then gain access to a computer or mobile device. Some examples of malware include viruses, worms, Trojans, ransomware, spyware, and rootkits.
In 2021, the top malware strains included remote access Trojans (RATs), banking Trojans, information stealers, and ransomware. Most of the top malware strains have been in use for more than five years with their respective code bases evolving into multiple variations. The most prolific malware users are cyber criminals, who use malware to deliver ransomware or facilitate theft of personal and financial information.
CISA and ACSC encourage organizations to apply the recommendations in the Mitigations sections of this joint CSA. These mitigations include applying timely patches to systems, implementing user training, securing Remote Desktop Protocol (RDP), patching all systems especially for known exploited vulnerabilities, making offline backups of data, and enforcing multifactor authentication (MFA).
If you spew projects laced with hidden malware into an open source repository, don’t waste your time telling us “no harm done” afterwards.
Just over a year ago, we wrote about a “cybersecurity researcher” who posted almost 4000 pointlessly poisoned Python packages to the popular repository PyPI.
This person went by the curious nickname of Remind Supply Chain Risks, and the packages had project names that were generally similar to well-known projects, presumably in the hope that some of them would get installed by mistake, thanks to users using slightly incorrect search terms or making minor typing mistakes when typing in PyPI URLs.
These pointless packages weren’t overtly malicious, but they did call home to a server hosted in Japan, presumably so that the perpetrator could collect statistics on this “experiment” and write it up while pretending it counted as science. More...
A complex and ambitious investment scam has used more than 10,000 domains to induce speculators to give up not just funds, but personal information as well. Researchers at security firm Group-IB describe the campaign as one that proceeds through several distinct stages. It begins with ads placed in social media, or with pages displayed in compromised Facebook or YouTube accounts.
The come-on invites prospects to learn more about an investment opportunity, enticing them with bogus celebrity endorsements and (always a warning sign) promises of guaranteed returns. More…
The cybercriminal gang, dubbed “Luna Moth” uses a sophisticated mix of phishing, vishing, remote support sessions and remote access trojans to gain control of victim endpoints.
This latest attack example comes to us via the security researchers at security vendor Sygnia. Last month, they documented a series of phishing attacks by a ransom group they’ve named “Luna Moth”. This gang focuses on exfiltrating data and extorting a ransom from the victim, threatening to publish the data.
The phishing attack uses a few different methods to both get the attention of, and throw off, the potential victim. It starts with an email sent to the victim using a from address of the victim’s “first.last” name, prepended to either “.zohomasterclass[AT]gmail.com” or “.duolingo[AT]gmail.com”. More…
The Russian invasion of Ukraine began on February 20, 2022. By mid-March it was clear the cyber-war had begun, and the attacks have been consistent ever since. Prior to this, on March 1, 2022, Wordfence reported on an attack campaign on Ukrainian university websites. In response, we deployed our real-time threat intelligence to all sites running Wordfence with a .ua top-level domain (TLD). In the following months, we have continued to monitor the situation, and to block attack attempts aimed at Ukrainian websites.
Based on the data we have tracked, it has become clear that most of the attacks being levied against Ukrainian entities since the initial campaign are fairly routine, though regularly increasing in quantity. While there are some more sophisticated attacks, the vast majority of what we are seeing is routine spam content and defacements. These types of attacks are often perpetrated by lesser-skilled actors probing for easily exploitable random web targets with simple scripts. What we are seeing does not indicate the highly skilled and coordinated attacks that would be seen from larger criminal organizations or nation-state attackers. More…