Iranian Hackers Are Targeting Israeli Officials, Military Officers, Others Using Spearphishing
Sandworm may be exploiting Follina, Gallium has new stealth RAT, BlackCat actors target Microsoft Exchange servers, AZ medical center exposed 700K patients' data, Man sentenced for DDoS attack, more
My latest CSO column looks at the main takeaways on ransomware from the RSA conference. Despite some perceptions, ransomware is on the upswing with possible BEC-ransomware hybrids ahead.
Researchers at Check Point say that hackers possibly affiliated with Iran have been running a spearphishing campaign targeting former Israeli officials, high-ranking military personnel, the head of a leading security think tank, and the former U.S. ambassador to Israel.
The hackers conduct the spearphishing campaign through both hijacked legitimate and phony email accounts, a fake URL shortener, a credential-harvesting Yahoo-themed phishing page, and the use of a legitimate document verification service to obtain targets’ ID or passport scans. Check Point speculates that the campaign could be the work of Phosphorus, a prolific Iranian government-connected cyber-espionage group also known as APT35, Newscaster Team, Charming Kitten, or Magic Hound. (AJ Vicens / Cyberscoop)
Ukraine's Computer Emergency Response Team (CERT) is warning that the Russian hacking group Sandworm may be exploiting Follina, a remote code execution vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT) currently tracked as CVE-2022-30190.
Follina is triggered when a victim opens, or in some cases merely previews or selects, a specially crafted document; threat actors have been using it in attacks since at least April 2022. CERT-UA says that Russian hackers launched a new malicious email campaign leveraging Follina and targeted more than 500 recipients at various media organizations in Ukraine, including radio stations and newspapers. (Bill Toulas / Bleeping Computer)
Researchers at Palo Alto Networks say that an established Chinese hacking group known as Gallium that has targeted telecommunications, finance, and government organizations worldwide has developed a “new, difficult-to-detect” remote access trojan (RAT) as part of its espionage activities.
The RAT, dubbed PingPull, can make it more difficult to detect its command and control communications by leveraging the ICMP protocol, typically used by devices on a network to diagnose communication issues and send error reports. Researchers say that Gallium remains an active threat to telecommunications, finance, and government organizations across Southeast Asia, Europe, and Africa. (AJ Vicens / Cyberscoop)
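As an added illustration of how a channel like this can be spotted on the defender's side (example code written for this post, not the researchers' or the RAT's code; the host addresses, payloads and timings are constructed), the following scores ICMP echo traffic per source host on three signals that a covert channel tends to produce and ordinary ping traffic does not: high payload entropy, oversized payloads, and a regular beacon cadence.

```python
# Added example, not from the article or Palo Alto Networks: heuristic scoring
# of ICMP echo traffic per source host for PingPull-style covert C2 channels.
import hashlib
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the payload; encrypted or compressed data nears 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def score_host(pkts):
    """pkts: time-sorted (timestamp_s, payload) pairs from one source host."""
    reasons = []
    if len(pkts) < 4:                        # too few packets to judge cadence
        return reasons
    ent = mean(shannon_entropy(p) for _, p in pkts)
    if ent > 6.0:                            # a normal ping pattern scores ~5.4
        reasons.append(f"high payload entropy ({ent:.2f} bits/byte)")
    biggest = max(len(p) for _, p in pkts)
    if biggest > 64:                         # Windows ping 32 B, Linux ping 56 B
        reasons.append(f"oversized ICMP payload ({biggest} bytes)")
    gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
    if pstdev(gaps) < 0.05 * mean(gaps):     # near-constant interval = beacon
        reasons.append(f"regular beacon interval (~{mean(gaps):.0f}s)")
    return reasons

def detect(records, min_signals=2):
    """records: iterable of (timestamp_s, src_ip, icmp_echo_payload) tuples."""
    by_host = defaultdict(list)
    for ts, src, payload in records:
        by_host[src].append((ts, payload))
    alerts = {}
    for src, pkts in by_host.items():
        reasons = score_host(sorted(pkts, key=lambda x: x[0]))
        if len(reasons) >= min_signals:
            alerts[src] = reasons
    return alerts

# Constructed sample: 10.0.0.5 runs an ordinary Linux ping (8-byte timestamp +
# 0x10..0x3f pattern); 10.0.0.23 sends 256-byte pseudo-random payloads every
# 30 s, standing in for an encrypted command channel.
LINUX_PING = b"\x00" * 8 + bytes(range(0x10, 0x40))
def _noise(i):
    return b"".join(hashlib.sha256(f"c2-{i}-{j}".encode()).digest() for j in range(8))
SAMPLE_RECORDS = [(t, "10.0.0.5", LINUX_PING) for t in (0.0, 1.0, 7.3, 20.1)]
SAMPLE_RECORDS += [(30.0 * i, "10.0.0.23", _noise(i)) for i in range(6)]
```

Calling `detect(SAMPLE_RECORDS)` flags only 10.0.0.23, with all three signals; in practice the records would come from a packet capture or a Zeek-style flow export, and the thresholds should be tuned against the network's own baseline.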
The Microsoft 365 Defender Threat Intelligence Team says BlackCat ransomware affiliates are now attacking Microsoft Exchange servers using exploits targeting unpatched vulnerabilities.
In at least one instance, the attackers slowly moved through the victim's network, stealing credentials and exfiltrating information for double extortion. Two weeks after the initial compromise using an Exchange server, the threat actor deployed BlackCat ransomware payloads across the network via PsExec. To defend against BlackCat ransomware attacks, Microsoft advises organizations to review their identity posture, monitor external access to their networks, and update all vulnerable Exchange servers in their environment as soon as possible. (Sergiu Gatlan / Bleeping Computer)
Matthew Gatrel of St. Charles, Illinois, was sentenced to two years in prison following his conviction last year for operating services that allowed paying customers to launch powerful distributed denial-of-service (DDoS) attacks against hundreds of thousands of Internet users and websites.
He was found guilty of violations of the Computer Fraud and Abuse Act (CFAA) related to his operation of downthem[.]org and ampnode[.]com, two DDoS-for-hire services with thousands of customers who paid to launch more than 200,000 attacks. Prosecutors said Downthem sold subscriptions allowing customers to launch DDoS attacks, while AmpNode provided “bulletproof” server hosting to customers, with an emphasis on “spoofing” servers that could be pre-configured with DDoS attack scripts and lists of vulnerable “attack amplifiers” used to launch simultaneous cyberattacks on victims. (Brian Krebs / Krebs on Security)
The Yuma Regional Medical Center (YRMC) in Arizona is sending breach notification letters to more than 700,000 patients after a ransomware attack in April led to a data breach involving Social Security numbers.
The Center said the attacker stole a subset of files containing certain patient information, including names, Social Security numbers, health insurance information, and limited medical information relating to care as a YRMC patient. The organization is offering free credit monitoring and identity theft protection services “to those who are eligible.” (Jonathan Greig / The Record)
Kaiser Permanente, a leading not-for-profit health plan and health care provider, disclosed a data breach that exposed the health information of more than 69,000 individuals.
The company said an attacker accessed an employee's email account containing patients' protected health information (PHI) on April 5, 2022, without authorization. The information exposed in the attack includes the patients' first and last names, medical record numbers, dates of service, and laboratory test result information. (Sergiu Gatlan / Bleeping Computer)
The Justice Department is increasingly seeking and receiving permission to secretly reach into Americans’ computers to delete malware as part of new aggressive and creative tactics for combating a surge in cyberattacks.
In the past year, federal prosecutors and FBI agents have increased their efforts to defeat botnets and contain malware outbreaks by directly removing malicious code from infected computers without the knowledge or authorization of those computers’ owners. Adam Hickey, a deputy assistant attorney general for national security, said at the RSA conference last week, “We have gotten more comfortable, as a government, taking that step.” (Eric Geller / Politico)
Cybersecurity researchers at Zscaler have detailed the workings of a fully-featured malware loader dubbed PureCrypter, which cybercriminals purchase to deliver remote access trojans (RATs) and information stealers.
The loader is a .NET executable obfuscated with SmartAssembly and uses compression, encryption, and obfuscation to evade antivirus software products. Some of the malware families distributed using PureCrypter include Agent Tesla, Arkei, AsyncRAT, AZORult, DarkCrystal RAT (DCRat), LokiBot, NanoCore, RedLine Stealer, Remcos, Snake Keylogger, and Warzone RAT. (Ravie Lakshmanan / The Hacker News)