Cyber Attack Defenders Up For Battle: Huge Uptick In Timely Detections

From gbhackers.com

Attackers are employing evasion techniques to bypass detection and extend dwell time on compromised systems. This is achieved by targeting unmonitored devices, leveraging legitimate tools, and exploiting zero-day vulnerabilities.

While defenders are improving detection speed (dwell time decreased from 16 to 10 days), this is partly due to faster identification of ransomware. Attackers, meanwhile, are using adversary-in-the-middle and social engineering tactics to bypass multi-factor authentication.

Cloud infrastructure is under attack, with attackers even leveraging cloud resources. Both red and purple teams are exploring AI for better security outcomes as they analyze these trends and offer mitigation strategies to the security community.

Read more…

Investment Scams vs Fraud Kill Chain

From threatfabric.com

This fourth episode covers one of the most diverse scams: those offering an online investment opportunity. Criminals use a wide variety of methods suiting their logistical capabilities and skills. Some investment scams start as romance scams before turning to “investment”.

The unflatteringly named “Pig Butchering” scams are an example of this. Others use some kind of “impersonation” of an official-sounding organisation. Many investment scams start as an advertisement or “clickbait article” on social media, with claims that seem too good to be true, such as “Let me tell you how I earn 20,000 dollars per month.” Some professionals believe social media scams and investment scams are synonymous.

Read more…

Researchers Detail Multistage Attack Hijacking Systems with SSLoad, Cobalt Strike

From thehackernews.com

Cybersecurity researchers have discovered an ongoing attack campaign that’s leveraging phishing emails to deliver malware called SSLoad.

The campaign, codenamed FROZEN#SHADOW by Securonix, also involves the deployment of Cobalt Strike and the ConnectWise ScreenConnect remote desktop software.

“SSLoad is designed to stealthily infiltrate systems, gather sensitive information and transmit its findings back to its operators,” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.

Read more…

Mandiant: Attacker dwell time down, ransomware up in 2023

From techtarget.com

Mandiant found that while attacker dwell time decreased in 2023, ransomware and other threats continued to rise.

The cybersecurity company published on Tuesday its ‘M-Trends 2024 Special Report,’ which offered some bright spots for organizations amid an increasingly complex and expansive threat landscape. According to the report, which is based on Mandiant Consulting investigations during 2023, the global median dwell time for attackers fell to its lowest point since the company began tracking the metric in 2011. Dwell time, which is the number of days that an attacker is present in an environment before being detected, decreased nearly a week — from 16 days in 2022 to 10 days last year.

Read more…

Hackers are carrying out ransomware experiments in developing countries

From arstechnica.com

Cyber attackers are experimenting with their latest ransomware on businesses in Africa, Asia, and South America before targeting richer countries that have more sophisticated security methods.

Hackers have adopted a “strategy” of infiltrating systems in the developing world before moving to higher-value targets such as in North America and Europe, according to a report published on Wednesday by cyber security firm Performanta.

“Adversaries are using developing countries as a platform where they can test their malicious programs before the more resourceful countries are targeted,” the company told Banking Risk and Regulation, a service from FT Specialist.

Recent ransomware targets include a Senegalese bank, a financial services company in Chile, a tax firm in Colombia, and a government economic agency in Argentina, which were hit as part of gangs’ dry runs in developing countries, the data showed.

Read more…

Nvidia acquires AI workload management startup Run:ai

From techcrunch.com

Nvidia is acquiring Run:ai, a Tel Aviv-based company that makes it easier for developers and operations teams to manage and optimize their AI hardware infrastructure, for an undisclosed sum.

Ctech reported earlier this morning the companies were in “advanced negotiations” that could see Nvidia pay upwards of $1 billion for Run:ai. Evidently, the negotiations went on without a hitch.

A source close to the matter tells TechCrunch that the exact price tag was $700 million.

Read more…

Hackers hijacked the eScan antivirus update mechanism in malware campaign

From securityaffairs.com

A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute backdoors and cryptocurrency miners.

Avast researchers discovered and analyzed a malware campaign that exploited the update mechanism of the eScan antivirus to distribute backdoors and crypto miners.

Threat actors employed two different types of backdoors and targeted large corporate networks.

The researchers believe the campaign could be attributed to the North Korea-linked APT Kimsuky. The final payload distributed by GuptiMiner, the malware behind the campaign, was the XMRig cryptocurrency miner.

“GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with a couple of techniques that include performing DNS requests to the attacker’s DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others,” reads the analysis published by Avast. “The main objective of GuptiMiner is to distribute backdoors within big corporate networks.”

Read more…