Ukraine says hackers abuse SyncThing tool to steal data

From bleepingcomputer.com

The Computer Emergency Response Team of Ukraine (CERT-UA) reports a new campaign dubbed “SickSync,” launched by the UAC-0020 (Vermin) hacking group in attacks on the Ukrainian defense forces.

The threat group is linked to the Luhansk People’s Republic (LPR) region, which Russia has occupied almost in its entirety since October 2022. The group’s activities commonly align with Russia’s interests.

The attack utilizes the legitimate file-syncing software SyncThing in combination with malware called SPECTR.

Vermin’s apparent motive is to steal sensitive information from military organizations.

Read more…

SPECTR Malware Targets Ukraine Defense Forces in SickSync Campaign

From thehackernews.com

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks targeting defense forces in the country with a malware called SPECTR as part of an espionage campaign dubbed SickSync.

The agency attributed the attacks to a threat actor it tracks under the moniker UAC-0020, which is also called Vermin and is assessed to be associated with security agencies of the Luhansk People’s Republic (LPR). LPR was declared a sovereign state by Russia days prior to its military invasion of Ukraine in February 2022.

Attack chains commence with spear-phishing emails carrying a RAR self-extracting archive that contains a decoy PDF file, a trojanized version of the SyncThing application that incorporates the SPECTR payload, and a batch script that activates the infection by launching the executable.

Read more…

FBI Distributes 7,000 LockBit Ransomware Decryption Keys to Help Victims

From thehackernews.com

The U.S. Federal Bureau of Investigation (FBI) has disclosed that it’s in possession of more than 7,000 decryption keys associated with the LockBit ransomware operation to help victims get their data back at no cost.

“We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov,” FBI Cyber Division Assistant Director Bryan Vorndran said in a keynote address at the 2024 Boston Conference on Cyber Security (BCCS).

LockBit, which was once a prolific ransomware gang, has been linked to over 2,400 attacks globally, with no less than 1,800 impacting entities in the U.S. Earlier this February, an international law enforcement operation dubbed Cronos led by the U.K. National Crime Agency (NCA) dismantled its online infrastructure.

Read more…

Microsoft OneDrive cheat sheet: Using OneDrive for Web

From computerworld.com

OneDrive for Web lets you save, access, share, and manage your files in the cloud using your favorite browser. Learn how to use its new interface for a big productivity boost.

Microsoft’s cloud storage, OneDrive, works both as a web app that you use through a browser and as a storage drive integrated into File Explorer in Windows 10 and 11. When you upload a file or folder to the OneDrive web app, it becomes available on your Windows PC through File Explorer, and vice versa. You can also access it on your smartphone or tablet (via the OneDrive app for Android, iPhone, or iPad) and even on a Mac (via the OneDrive Mac app) if any of these devices are signed in with the same Microsoft account.

Read more…

Linux version of TargetCompany ransomware focuses on VMware ESXi

From bleepingcomputer.com

Researchers observed a new Linux variant of the TargetCompany ransomware family that targets VMware ESXi environments using a custom shell script to deliver and execute payloads.

Also known as Mallox, FARGO, and Tohnichi, the TargetCompany ransomware operation emerged in June 2021 and has been focusing on database attacks (MySQL, Oracle, SQL Server) against organizations mostly in Taiwan, South Korea, Thailand, and India.

In February 2022, antivirus firm Avast announced the availability of a free decryption tool that covered variants released up to that date. By September, though, the gang bounced back into regular activity targeting vulnerable Microsoft SQL servers and threatened victims with leaking stolen data over Telegram.

Read more…

Warning Against Phishing Emails Prompting Execution of Commands via Paste (CTRL+V)

From asec.ahnlab.com

AhnLab SEcurity intelligence Center (ASEC) recently discovered that phishing files are being distributed via emails. The phishing files (HTML) attached to the emails prompt users to directly paste (CTRL+V) and run the commands. The threat actor sent emails about fee processing, operation instruction reviews, etc. to prompt recipients to open the attachments. When a user opens the HTML file, a background and a message disguised as MS Word appear. The message tells the user to click the “How to fix” button to view the Word document offline.

Read more…

Threat Actors’ Systems Can Also Be Exposed and Used by Other Threat Actors

From asec.ahnlab.com

Types of cyberattacks include not only Advanced Persistent Threat (APT) attacks targeting a few specific companies or organizations but also scan attacks targeting multiple random servers connected to the Internet. This means that the infrastructure of threat actors can become the target of cyberattacks alongside companies, organizations, and personal users.

AhnLab SEcurity intelligence Center (ASEC) has confirmed a case in which a CoinMiner attacker’s proxy server became a target of a ransomware threat actor’s Remote Desktop Protocol (RDP) scan attack. The CoinMiner threat actor used a proxy server to access an infected botnet, and the port they opened to connect with the proxy server was exposed to another threat actor’s RDP scan attack. As a result, the RDP scan attack was launched against the CoinMiner’s botnet, infecting it with ransomware.

Read more…