Evil Corp. Used New Macaw Malware in Sinclair Broadcasting Attack, Sources

Macaw also reportedly used in an attack on Olympus, Russian hackers phished YouTube influencers, Acer admits Indian customer data was stolen in attack, GOP lawmakers question TSA security rules, more

Two sources say that last weekend's attack on Sinclair Broadcasting is linked to one of the most infamous Russian cybercrime gangs, Evil Corp. The attackers used Macaw, a variant of the WastedLocker ransomware; both strains are attributed to Evil Corp.

The Macaw ransomware strain was first spotted by cybersecurity analysts in the past week. (William Turton / Bloomberg)

Related: The Hill, TechCrunch, CISO MAG, Cyberscoop, The Insider, Slashdot, The Mac Observer, CNN

According to two sources, Macaw, the WastedLocker variant attributed to Evil Corp., was also used in a repeat cyberattack against the Japanese technology giant Olympus.

Olympus was hit last month by BlackMatter ransomware in its networks in Europe, the Middle East, and Africa. The Macaw attack took down Olympus’ systems in the U.S., Canada, and Latin America. (Zack Whittaker, Carly Page / TechCrunch)

Taiwanese PC maker Acer admitted servers it operates in India and Taiwan were compromised but says only those systems in India contained customer data.

The attackers, who call themselves the Desorden Group, boasted that they stole gigabytes of information from the servers and suggested other Acer operations worldwide are also vulnerable to information theft. In a video, the group says it has over 900,000 database records describing individual Acer customers plus "corporate, financial, [and] audit" data. (Simon Sharwood / The Register)

Related: Security Affairs, SecureNews, CNA ENGLISH NEWS, The Digital Hacker, Security Week

Google’s Threat Analysis Group (TAG) discovered a network of financially motivated Russian hackers phishing YouTube influencers with fake collaboration offers to hijack their accounts.

Once the influencers take the bait, the hackers take over their channels and sell them or use them to perpetuate crypto scams, including forging business emails and building fake websites to deliver malicious files via social engineering. TAG says it "decreased the volume of related phishing emails on Gmail by 99.6% since May 2021" and has referred the scheme to the FBI for further investigation. (Aisha Counts / Protocol)

Related: The Hill: Cybersecurity, Dark Reading, Reddit cybersecurity, Threatpost, Bleeping Computer, Security News | Tech Times, Google

Republican leaders and members of the Senate Commerce Committee sent a letter to Transportation Security Administration (TSA) Administrator David Pekoske detailing potential issues with upcoming security directives for the rail and aviation sector the Biden administration announced earlier this month.

The lawmakers are ostensibly concerned about the process of announcing and rolling out the rail and aviation directives, complaining that TSA announced the measures without allowing for a public comment process. They also question whether issuing the rules under an emergency authority was necessary and warn that more regulations could cause further delays when supply chains are already in crisis. (Maggie Miller / The Hill)

Related: SC Magazine, InsideCyberSecurity.com, Ranking Members Letter

DevOps security firm Sonatype discovered crypto-mining malware hidden inside three JavaScript libraries uploaded on the official npm package repository.

The malicious packages run at install time: the code detects the host operating system and then launches either a Windows batch (BAT) script or a shell script, depending on the victim's platform. (Catalin Cimpanu / The Record)

Related: Sonatype, The Hacker News
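The install-time, platform-dispatching behaviour described above is what a dependency audit should look for before `npm install` runs anything. The following is an added example, not Sonatype's tooling and not code from the malicious packages: it inspects a parsed `package.json` together with the contents of any script the lifecycle hooks invoke, and flags hooks that both branch on the OS and launch a `.bat`/`.sh` file or spawn a child process. The package objects and file contents are constructed samples; the regex lists are an assumption about what is worth a human look, not a signature of the real malware.

```javascript
// Added example: audit npm lifecycle hooks for OS-dispatch + script launch.
// Not Sonatype's scanner; the patterns below are illustrative assumptions.

// npm runs these hooks automatically during `npm install`.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Evidence that the hook branches on the host platform.
const PLATFORM_DISPATCH = [
  /process\.platform/, /os\.platform\(\)/, /\bos\.type\(\)/, /\bwin32\b/, /\bdarwin\b/,
];
// Evidence that the hook launches a second-stage script or child process.
const SCRIPT_LAUNCH = [
  /\.bat\b/i, /\.cmd\b/i, /\.sh\b/, /child_process/, /\bexec(Sync)?\(/, /\bspawn(Sync)?\(/,
];

// Return the source of every pattern that matches `text` (no /g flags, so no lastIndex state).
function matchAny(text, patterns) {
  return patterns.filter((p) => p.test(text)).map((p) => p.source);
}

// pkg:   parsed package.json object
// files: map of relative filename -> file content, for scripts the hooks invoke
// Returns one finding per lifecycle hook present, with a severity rating.
function auditPackage(pkg, files) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    const command = scripts[hook];
    // If the hook is `node <file>.js` and we have that file, inspect its body;
    // otherwise inspect the command line itself.
    const m = command.match(/\bnode\s+(\S+\.js)/);
    const body = m && files[m[1]] ? files[m[1]] : command;
    const platformDispatch = matchAny(body, PLATFORM_DISPATCH);
    const scriptLaunch = matchAny(body, SCRIPT_LAUNCH);
    let severity = 'info'; // a lifecycle hook alone is common (native builds, etc.)
    if (platformDispatch.length && scriptLaunch.length) severity = 'high';
    else if (scriptLaunch.length) severity = 'medium';
    findings.push({ package: pkg.name, hook, command, platformDispatch, scriptLaunch, severity });
  }
  return findings;
}

// Constructed samples (not real packages).
const SUSPECT_PKG = { name: 'example-lib', version: '1.0.0', scripts: { postinstall: 'node setup.js' } };
const SUSPECT_FILES = {
  'setup.js': [
    "const { execSync } = require('child_process');",
    "if (process.platform === 'win32') execSync('run.bat');",
    "else execSync('sh run.sh');",
  ].join('\n'),
};
const BUILD_PKG = { name: 'native-addon', version: '0.3.0', scripts: { install: 'node-gyp rebuild' } };
const BENIGN_PKG = { name: 'clean-lib', version: '2.1.0', scripts: { test: 'node test.js', build: 'tsc' } };

// Stand-alone run: print findings for each sample.
for (const [pkg, files] of [[SUSPECT_PKG, SUSPECT_FILES], [BUILD_PKG, {}], [BENIGN_PKG, {}]]) {
  console.log(pkg.name, JSON.stringify(auditPackage(pkg, files)));
}
```

In practice you would run this over every `package.json` under `node_modules` (or over the tarballs in a private registry mirror) before allowing installs, and treat `high` findings as a block rather than a warning; note that `npm install --ignore-scripts` sidesteps the hooks entirely but also breaks packages with legitimate native builds, which is why the `info` tier exists.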


The Centre for Computing History (CCH) in Cambridge, England, suffered a data breach that exposed its customers’ email addresses, which are now in the hands of spammers.

The website does not handle credit card details, financial information, and passwords, so these data were not caught up in the leak. (Paul Kunert / The Register)

Related: DataBreaches.net

Researchers at Cisco Talos say that an APT they describe as a “lone wolf” is exploiting a years-old Microsoft Office flaw to deliver a barrage of commodity RATs to organizations in India and Afghanistan.

The threat group hides behind a seemingly legitimate front, posing as a Pakistani IT firm called Bunse Technologies. The Office flaw is CVE-2017-11882, a memory corruption vulnerability in the Equation Editor component that had been present for 17 years before Microsoft patched it in 2017. According to the researchers, the group is likely to abandon its use of commodity malware and develop its own malicious tools. (Elizabeth Montalbano / Threatpost)

Related: Reddit - cybersecurity, Talos Intelligence

Google released its latest Chrome browser version, Chrome v95, which features several security fixes and contains changes that will cause problems for some of its users.

In particular, Google removed support for File Transfer Protocol (FTP) URLs (ftp://). It also began retiring the legacy Universal 2nd Factor (U2F) JavaScript API used by older web integrations with security keys; sites must move to the FIDO2/WebAuthn API, through which existing U2F keys continue to work. (Catalin Cimpanu / The Record)

Related: US-CERT Current Activity, The Register - Security, CSO Online, Security Week, TechTimes

Chief Judge Denise Page Hood of the U.S. District Court for the Eastern District of Michigan sentenced two Eastern European men, Pavel Stassi of Estonia and Aleksandr Skorodumov of Lithuania, to 48 months in prison for providing “bulletproof hosting” services. The services were used by cybercriminals between 2009 and 2015 to distribute malware and attack financial institutions and victims throughout the United States.

Malware hosted by the organization and used to attack victims included Zeus, SpyEye, Citadel, and the Blackhole Exploit Kit. (Sergiu Gatlan / Bleeping Computer)

Related: The Record by Recorded Future, ZDNet, The Hacker News, Justice.gov

The Justice Department announced that a SIM swapper, Kyell Bryan, who stole almost $17,000 with an accomplice, pleaded guilty to aggravated identity theft in a case of a criminal partnership gone wrong. 

Bryan and Jordan Milleson worked together to steal the password of an employee of an unidentified cellphone carrier using one of several phishing websites Bryan set up. They then used the stolen account access in a SIM swapping scheme that netted $16,847.47. Later, believing Milleson had cheated them, Bryan and other accomplices sent the Baltimore police department to Milleson’s house under false pretenses. (Lorenzo Franceschi-Bicchierai / Motherboard)

Related: The Verge, Department of Justice

The Cybersecurity and Infrastructure Security Agency (CISA) announced that it awarded $2 million to bring cybersecurity training programs to rural communities and diverse populations.

CISA awarded the funds to two nonprofit organizations, NPower and CyberWarrior, which will focus on training the unemployed and underemployed; underserved communities in urban and rural areas; and traditionally underserved populations, including veterans, military spouses, women, and people of color. (Kate Polit / Meritalk)

Related: Dark Reading, Homeland Security Today, WIBW, CISA

The Missouri Governor’s Office confirmed that assisting the 100,000 teachers whose Social Security numbers were made vulnerable in a massive state data breach could cost the state as much as $50 million.

The costs include credit monitoring and a call center to help affected teachers. (Summer Ballentine / Associated Press)

Related: Security Week, KBIA, Infosecurity Magazine

Former Russian state hackers who left the government are launching attacks “for their own personal enrichment,” Mieke Eoyang, deputy assistant defense secretary for cyber policy, said at a reporter’s roundtable.

In contrast, Eoyang said, U.S. government hackers would never leave the government and set up shop as malicious hackers. “[T]hat is something the United States would never do. Anyone at Cyber Command or NSA who thinks that they're going to go home and, like, conduct a ransomware attack against the city in Russia, the FBI would like to have words with them because that is just not something that we would view as acceptable in the United States,” Eoyang said. (Patrick Tucker / DefenseOne)

Related: The Record, Venture Beat

Threat and fraud detection company Resistant AI raised $16.6 million in a Series A venture funding round.

GV (formerly Google Ventures) led the round, with participation from existing investors Index Ventures, Credo Ventures, and Seedcamp, plus several unnamed angel investors specializing in financial technology and security. (Natasha Lomas / TechCrunch)

Related: Private Equity Wire

Belgian-based cyberattack protection company Sweepatic has raised around $3.3 million in a follow-up to its Series A round.

The investors in the round include TIIN Capital’s Dutch Security Tech Fund, existing investor eCAPITAL, and PMV. (Vishal Singh / Silicon Canals)

Photo by Chaozzy Lin on Unsplash