Toggle light / dark theme

The number of malware infections targeting Linux devices rose by 35% in 2021, most commonly to recruit IoT devices for DDoS (distributed denial of service) attacks.

IoTs are typically under-powered “smart” devices running various Linux distributions and are limited to specific functionality. However, when their resources are combined into large groups, they can deliver massive DDoS attacks to even well-protected infrastructure.

Besides DDoS, Linux IoT devices are recruited to mine cryptocurrency, facilitate spam mail campaigns, serve as relays, act as command and control servers, or even act as entry points into corporate networks.

Threat actors are actively incorporating public cloud services from Amazon and Microsoft into their malicious campaigns to deliver commodity remote access trojans (RATs) such as Nanocore, Netwire, and AsyncRAT to siphon sensitive information from compromised systems.

The spear-phishing attacks, which commenced in October 2021, have primarily targeted entities located in the U.S., Canada, Italy, and Singapore, researchers from Cisco Talos said in a report shared with The Hacker News.

Using existing legitimate infrastructure to facilitate intrusions is increasingly becoming part of an attacker’s playbook as it obviates the need to host their own servers, not to mention be used as a cloaking mechanism to evade detection by security solutions.

The use of trojanized USB devices for keystroke injection is not a new technique, even for FIN7. Typically the attack targets specific persons with access to the computer systems of the intended victim company. As FIN7 has recently ventured into ransomware, it makes sense for them to look for alternative avenues of infecting computers that are monitored by layers of protective systems, such as firewalls, email scanners, proxy servers, and endpoint security. The tactics and techniques involved in trojanized USB attacks enable FIN7 actors to avoid many of these network-level and endpoint protections by dispensing with malware transmission over the network, minimizing the use of files on disk and employing multiple layers of encoding of the malware’s scripts and executable code.

Pertinently, FIN7 recently created “Bastion Secure”, a fake information security company, and employed system administrators to unknowingly assist in system exploitation. It is possible that trojanized USBs are being constructed and used by these administrators for penetration testing. Alternatively, they might also be providing trojanized USBs to clients or prospective clients through some form of ruse (for example, telling the client it contains documentation on the fake company’s services). In either case, the clients or prospective clients could become victims of a trojanized USB attack, resulting in FIN7 gaining unauthorized remote access to systems within victims’ networks.

Gemini Advisory Mission Statement

Suspected Russian hackers left a message on the foreign ministry website, according to reports. It said: “Ukrainians! … All information about you has become public. Be afraid and expect worse. It’s your past, present and future.”

The message reproduced the Ukrainian flag and map crossed out. It mentioned the Ukrainian insurgent army, or UPA, which fought against the Soviet Union during the second world war. There was also a reference to “historical land”.

In a message to the Guardian, the foreign ministry’s spokesperson, Oleg Nikolenko, said: “As a result of a massive cyber-attack, the website of the ministry of foreign affairs and other government agencies are temporarily down.”

The malware establishes initial access on targeted machines, then waits for additional code to execute.

A brand-new multiplatform malware, likely distributed via malicious npm packages, is spreading under the radar with Linux and Mac versions going fully undetected in VirusTotal, researchers warned.

The Windows version, according to a Tuesday writeup from Intezer, has only six detections as of this writing. These were uploaded to VirusTotal with the suffix “.ts,” which is used for TypeScript files.

Chief information security officers’ (CISOs) greatest challenge going into 2022 is countering the speed and severity of cyberattacks. The latest real-time monitoring and detection technologies improve the odds of thwarting an attack but aren’t foolproof. CISOs tell VentureBeat that bad actors avoid detection with first-line monitoring systems by modifying attacks on the fly. That’s cause for concern, especially with CISOs in financial services and health care.

Enterprises are in react mode

Enterprises fail to get the most value from threat monitoring, detection, and response cybersecurity strategies because they’re too focused on data collection and security monitoring alone. CISOs tell VentureBeat they’re capturing more telemetry (i.e., remote) data than ever, yet are short-staffed when it comes to deciphering it, which means they’re often in react mode.

Such is the promise and peril of NFTs.

NFTs, or non-fungible tokens, offer many potential benefits to creators. They apply the mechanisms of scarcity to digital assets by allowing artists to render them as one-of-a-kind collectibles, like a painting or a baseball card. This means artists — especially digital artists — who have struggled to make their streamable, screenshot-able or reprintable work hold value — can price their items at rates appropriate for something in short supply.

However, the digital trading mechanism is still in nascent stages, and rife with scams, hacks and copyright issues. Beeple was hit by an organized hack, for example. While artists can sometimes find financial solvency with NFTs, other times, they lose millions.

Hackers used a cloud video hosting service to perform a supply chain attack on over one hundred real estate sites that injected malicious scripts to steal information inputted in website forms.

These scripts are known as skimmers or formjackers and are commonly injected into hacked websites to steal sensitive information entered into forms. Skimmers are commonly used on checkout pages for online stores to steal payment information.

In a new supply chain attack discovered by Palo Alto Networks Unit42, threat actors abused a cloud video hosting feature to inject skimmer code into a video player. When a website embeds that player, it embeds the malicious script, causing the site to become infected.