North Korean Hacking Group H0lyGh0st Has Been Targeting Small Businesses for Nearly a Year
Powerful Mantis botnet has targeted nearly 1,000 Cloudflare customers, Illicit addresses account for nearly a quarter of funds sent to mixers, Lawmakers seek to curb VPN abuses, much more
Check out my latest CSO column, which delves into the details of the Cyber Safety Review Board’s first report focusing on the log4j vulnerability.
Researchers at Microsoft Threat Intelligence Center (MTIC) say that an emerging threat cluster that calls itself H0lyGh0st, tracked by Microsoft as DEV-0530, has connections to a North Korean-based group known as Plutonium and has been linked to developing and using ransomware in cyberattacks targeting small businesses since September 2021.
Targeted entities primarily include small-to-midsize businesses such as manufacturing organizations, banks, schools, and event and meeting planning companies. "The group's standard methodology is to encrypt all files on the target device and use the file extension .h0lyenc, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange for restoring access to the files,” MTIC says.
Ransom amounts demanded by DEV-0530 range between 1.2 and 5 bitcoins, although an analysis of the attacker's cryptocurrency wallet shows no successful ransom payments from its victims as of early July 2022. The group’s dark web portal claims it aims to "close the gap between the rich and poor" and "help the poor and starving people," in a tactic that mirrors another ransomware family called GoodWill that compels victims into donating to social causes and providing financial assistance to people in need. (Ravie Lakshmanan / The Hacker News)
Researchers at Cloudflare say that the botnet they call Mantis, which was behind the largest HTTPS distributed denial-of-service (DDoS) attack in June 2022, has been linked to a spate of attacks aimed at nearly 1,000 Cloudflare customers.
Mantis targets entities in the IT and telecom (36%), news, media, and publications (15%), finance (10%), and gaming (12%) sectors. Over the past 30 days, Mantis launched 3,000 DDoS attacks against almost a thousand Cloudflare customers. Most targets are organizations in the United States (20%) and the Russian Federation (15%), while victims in Turkey, France, Poland, Ukraine, the UK, Germany, Netherlands, and Canada account for between 2.5% and 5%. (Bill Toulas / Bleeping Computer)
Researchers at Chainalysis say that the amount of cryptocurrency flowing into privacy-enhancing mixer services has reached an all-time high this year as funds from wallets belonging to government-sanctioned groups and criminal activity almost doubled.
Mixers, also known as tumblers, obfuscate cryptocurrency transactions by creating a disconnect between the funds a user deposits and the funds the user withdraws. The 30-day moving average of funds received by mixers hit $51.8 million in mid-April, an all-time high and almost double the incoming volumes at the same point last year. Illicit wallet addresses accounted for 23% of funds sent to mixers this year, up from 12% in 2021. (Dan Goodin / Ars Technica)
Representative Anna Eshoo (D-CA) and Senator Ron Wyden (D-OR) have called on Federal Trade Commission Chair Lina Khan to take enforcement actions against abusive practices by virtual private networks (VPNs).
The legislators tied that call for action to concerns in the wake of the overturning of Roe v. Wade about protecting the personal information of women seeking abortions. They said they were particularly concerned about "deceptive advertising and data collection practices." In addition to taking enforcement actions against bad actors, the lawmakers want the FTC to develop a handbook for abortion-seekers on protecting their data, including the benefits/risks of VPNs. (John Eggerton / NextTV)
A Texas man, Troy Contreras, has filed a class-action lawsuit against Dallas-based Tenet Healthcare and its affiliate Baptist Health System after the companies experienced a data breach that affected more than a million patients this year.
The lawsuit was filed in Dallas County on behalf of Contreras, one of about 1.2 million patients affected by the breach. It alleges the companies failed to properly notify patients of the breach or take proper precautions to prevent it. It seeks more than $1 million in damages. (Catherine Marfin / Dallas Morning News)
Researchers from the New Jersey Institute of Technology warn about a novel technique that attackers could use to de-anonymize website visitors and potentially connect the dots on many components of targets’ digital lives.
Their research shows how an attacker who tricks someone into loading a malicious website can determine whether that visitor controls a particular public identifier, like an email address or social media account, thus linking the visitor to a piece of potentially personal data. The hack analyzes subtle features of a potential target’s browser activity to determine whether they are logged into an account for an array of services, from YouTube and Dropbox to Twitter, Facebook, TikTok, and more. The attacks work against every major browser, including the anonymity-focused Tor Browser. (Lily Hay Newman / Wired)
HP Wolf Security isolated an unusually stealthy malware campaign that used OpenDocument text (.odt) files to distribute malware. OpenDocument is an open, vendor-neutral file format compatible with several popular office productivity suites, including Microsoft Office, LibreOffice, and Apache OpenOffice.
The campaign targets hotels: the attackers contact them by email with fake booking requests and attach documents that purport to be guest registrations. Malware in the wild rarely uses OpenDocument files, and the campaign is poorly detected by anti-virus scanners, with a 0% detection rate on VirusTotal as of 7 July. (Patrick Schläpfer / HP Wolf Security)
The Virginia Commonwealth University Health System (VCU) has warned almost 4,500 transplant participants about a privacy breach affecting their healthcare information.
The health system warned that some transplant recipients’ medical records contained their donor’s information, while recipient information also showed up in some donors’ records. It has been inappropriately exposing this information since 2006 in some cases. The information available included names, Social Security numbers, lab results, medical record numbers, medical procedure dates, and birth dates. In total, 4,441 people were affected, it stated. (Danny Bradbury / Infosecurity Magazine)
Multi-signature wallet and secure digital asset protocol Gnosis Safe has raised $100 million in a funding round and will rebrand as “Safe.”
1kx led the round, which included 60+ investors, including Tiger Global, A&T Capital, Blockchain Capital, Digital Currency Group, Greenfield One, Rockaway Blockchain Fund, ParaFi, Lightspeed, Polymorphic Capital, Superscrypt, and 50 other strategic partners and industry experts. (Aleksandar Gilbert / The Defiant)
Dynamic application security testing (DAST) provider Bishop Fox raised $75 million in a Series B venture funding round.
Carrick Capital Partners led the round. (Tim Keary / Venture Beat)
Metacurity is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.