
Cookware giant's employee data leaked in cyberattack, Iran's state broadcaster hit by wiper malware | February 22 global cybersecurity hotspots

2022-06-21 15:05:00 Tencent security


Security news roundup

Expeditors shuts down global operations after ransomware attack

Seattle-based logistics and freight forwarding company Expeditors International suffered a cyberattack over the weekend, forcing the organization to shut down most of its global operations.

The company did not state what type of cyberattack it was, but from its description and from anonymous tips received by BleepingComputer, it appears to be a large-scale ransomware incident.

In a subsequent press release, the company reiterated that the cyberattack forced it to shut down most of its systems worldwide in order to preserve the "security of the entire global system environment". The impact is significant: Expeditors' operations, including freight, customs and distribution activities, are limited, which may leave its customers' shipments stalled.

The company noted that the systems will remain offline until they can be safely restored from backups. Meanwhile, the company is working with its carriers and service providers to find solutions that minimize the impact on customers. However, there is no estimate of when operations will resume.

News source:

https://www.bleepingcomputer....

Pirated software sites spread CryptBot malware

A new version of the CryptBot information stealer is being distributed through multiple websites that offer free downloads of games and cracked professional software.

Security analysts report that the threat actors constantly refresh their C2 servers, dropper sites and the malware itself, making CryptBot one of the most frequently changing malicious operations at present.

According to the report, the CryptBot operators distribute the malware through websites that pretend to offer software cracks, key generators or other utilities. To reach a wide audience, they use search engine optimization to push the distribution sites to the top of Google search results, which provides a steady stream of potential victims.

According to screenshots of the malware distribution sites shared in the report, the threat actors use custom domains or sites hosted on Amazon AWS. The malicious sites are constantly updated, so there is an ever-changing set of lures to draw users to them. Visitors go through a series of redirects before reaching the delivery page, so the landing page may sit on a compromised legitimate website that is being abused as part of the SEO poisoning campaign.

The new CryptBot samples show that its authors aim to simplify its functionality to make the malware lighter, leaner and less likely to be detected. To that end, the anti-sandbox routine has been removed, and of the anti-virtual-machine checks only the CPU core count check remains in the latest version. In addition, the redundant second C2 connection and the second exfiltration folder have been removed; the new variant has only a single information-theft C2.

News source:

https://www.bleepingcomputer....

Cookware giant Meyer discloses cyberattack that leaked employee data

Meyer Corporation, the largest cookware distributor in the United States and the second largest in the world, has notified state attorney general's offices of a data breach affecting thousands of its employees.

According to the notification letters shared with the attorney general's offices of Maine and California, Meyer became the victim of a cyberattack on October 25, 2021.

Meyer's notice gave no details on the cyberattack that led to the data exposure, but a related listing dated November 7, 2021 was found on the Conti ransomware gang's leak site. The Meyer entry on the Conti portal provides a ZIP file that contains 2% of the data the ransomware gang allegedly stole during the cyberattack.

News source:

https://www.bleepingcomputer....

New Xenomorph Android malware targets customers of 56 banks

A new malware called Xenomorph, distributed through the Google Play store, has infected more than 50,000 Android devices in order to steal banking information.

Xenomorph got into the Google Play store by posing as a generic performance-boosting app (for example "FastCleaner"), which reached 50,000 installs.

This kind of utility is the classic lure used by banking trojans (including Alien), because people are always interested in tools that promise to improve the performance of their Android devices.

Xenomorph's functionality is not yet fully mature, as the trojan is under heavy development. However, it remains a major threat, because it can already achieve its information-stealing goal, and it targets no fewer than 56 different European banks.

The malware can intercept notifications, log SMS messages and use injections to perform overlay attacks, so it is already able to steal credentials and the one-time passwords used to protect bank accounts. Examples of commands that are present in the code but not yet implemented refer to keylogging functionality and behavioural data collection.
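The capabilities described above (overlays, notification interception, SMS capture) each require specific Android permissions or service bindings, which makes a static manifest triage a cheap first filter. The script below is an added example written for this roundup, not code from the researchers, Google or the malware: it parses a constructed AndroidManifest.xml that imitates a "cleaner" app (not FastCleaner's real manifest) and flags the permissions and service binds that a banking trojan needs. Legitimate apps may request some of these, so the output is a reason to look closer, not a verdict.

```python
"""Triage an Android manifest for overlay / notification / SMS capabilities.

Added example for this roundup; not code from the page's sources or the
malware. The sample manifest is constructed and is not any real app's.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions requested by the app, mapped to the abuse they enable.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay attack)",
    "android.permission.RECEIVE_SMS": "intercept incoming OTP SMS",
    "android.permission.READ_SMS": "read stored OTP SMS",
    "android.permission.REQUEST_INSTALL_PACKAGES": "drop further payloads",
}
# Bind-permissions on <service> elements: these expose system services
# that let an app read notifications or observe and inject UI events.
RISKY_SERVICE_BINDS = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE":
        "read every notification (OTP codes, bank alerts)",
    "android.permission.BIND_ACCESSIBILITY_SERVICE":
        "read and inject UI (keylogging, auto-granting permissions)",
}


def triage_manifest(xml_text: str) -> dict[str, list[str]]:
    """Return the risky permissions and service binds found in a manifest."""
    root = ET.fromstring(xml_text)
    findings: dict[str, list[str]] = {"permissions": [], "services": []}
    for perm in root.iter("uses-permission"):
        name = perm.get(NAME, "")
        if name in RISKY_PERMISSIONS:
            findings["permissions"].append(f"{name}: {RISKY_PERMISSIONS[name]}")
    for svc in root.iter("service"):
        bind = svc.get(PERMISSION, "")
        if bind in RISKY_SERVICE_BINDS:
            findings["services"].append(
                f"{svc.get(NAME)} binds {bind}: {RISKY_SERVICE_BINDS[bind]}")
    return findings


def is_suspicious(findings: dict[str, list[str]], threshold: int = 2) -> bool:
    """Heuristic: two or more risky capabilities in a 'cleaner' app warrant review."""
    return len(findings["permissions"]) + len(findings["services"]) >= threshold


# Constructed manifest resembling a performance-booster lure (not a real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Fast Cleaner">
    <activity android:name=".MainActivity"/>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison: network access only.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, text in (("cleaner", SAMPLE_MANIFEST), ("notes", BENIGN_MANIFEST)):
        f = triage_manifest(text)
        print(label, "suspicious" if is_suspicious(f) else "ok")
        for line in f["permissions"] + f["services"]:
            print("  -", line)
```

The accessibility bind is the one to weigh most heavily: on current Android versions it is the usual route to both overlays and the not-yet-implemented keylogging the article mentions, because it lets the app observe and synthesize UI events without any further runtime prompt.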

News source:

https://www.bleepingcomputer....

Iran's national broadcaster IRIB hit by destructive wiper malware

The cyberattack on Iran's state media company, the Islamic Republic of Iran Broadcasting (IRIB), in late January 2022 deployed wiper malware and other implants to erase data, as the country's national infrastructure continues to face a wave of targeted attacks.

The intrusion also deployed custom malware capable of taking screenshots of victims, as well as backdoors used to install and configure malicious executables, batch scripts and configuration files.

Check Point said there is not enough evidence to formally attribute the attack to a specific threat actor, and it is unclear how the attackers gained initial access to the target network. The attack chain uncovered so far includes:

  • establishing backdoors and their persistence,
  • launching the "malicious" video and audio files, and
  • installing wiper malware in an attempt to destroy the compromised network's data. The wiper's main purpose is to destroy the files stored on the machine, which includes wiping the master boot record (MBR), clearing the Windows event logs, deleting backups, terminating processes and changing user passwords.

Behind the scenes, the attack interrupted the video stream using a batch script that deleted the executables associated with TFI Arista Playout Server, the broadcast software used by IRIB, and played the video file ("TSE_90E11.mp4") in a loop.

The attackers used four backdoors: WinScreeny, HttpCallbackService, HttpService and ServerLaunch, the last being a dropper launched via HttpService. Combined, the different malware components allow the attackers to capture screenshots, receive commands from a remote server and carry out other malicious activity.
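The wiper behaviours listed above (clearing event logs, deleting backups, killing processes, changing passwords) are usually carried out with built-in Windows tools, so they show up in process-creation telemetry before the damage is complete. The script below is an added example written for this roundup, not code from Check Point or the page's other sources: it runs a small set of behaviour rules over constructed process-creation records and correlates hits per host, so that a single host exhibiting several of these behaviours in sequence is surfaced. The command lines in the sample log are generic and illustrative; they are not the IRIB wiper's actual commands, and the pipe-separated log format is an assumption made for the example.

```python
"""Correlate wiper-style behaviours in process-creation logs.

Added example for this roundup, not code from the page's sources. The
rules cover the behaviours the article lists; the log format and the
command lines are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Behaviour label -> regex over the lower-cased command line. The tools
# are standard Windows binaries commonly seen in destructive attacks;
# the list is illustrative, not a complete signature set. MBR wiping
# does not appear here: it is a raw write to \\.\PhysicalDrive0 and
# needs file/device-access telemetry, not process creation.
WIPER_RULES = {
    "clear_event_logs": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b"),
    "delete_backups": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"
        r"|\bwbadmin(\.exe)?\s+delete\s+(catalog|backup)\b"
        r"|\bbcdedit(\.exe)?\b.*recoveryenabled\s+no\b"),
    "kill_processes": re.compile(r"\btaskkill(\.exe)?\b.*/im\s+\S+"),
    # 'net user <name> <password>' sets a password; 'net user <name>' only
    # lists the account and '/delete' removes it, so require a non-switch token.
    "change_password": re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+(?!/)\S+"),
}


@dataclass
class Event:
    ts: str
    host: str
    user: str
    cmdline: str


def parse_line(line: str) -> Event:
    """Parse one 'ts|host|user|cmdline' record (constructed format)."""
    ts, host, user, cmdline = line.rstrip("\n").split("|", 3)
    return Event(ts, host, user, cmdline)


def classify(cmdline: str) -> list[str]:
    """Return the wiper behaviours a single command line matches."""
    text = cmdline.lower()
    return [name for name, rx in WIPER_RULES.items() if rx.search(text)]


def correlate(lines, min_behaviours: int = 2) -> dict[str, dict[str, list[str]]]:
    """Group hits per host and keep hosts with >= min_behaviours distinct behaviours.

    One matching command is weak evidence (admins clear logs and delete
    old shadow copies); several different behaviours on one host is the
    wiper pattern the article describes.
    """
    per_host: dict[str, dict[str, list[str]]] = {}
    for line in lines:
        ev = parse_line(line)
        for name in classify(ev.cmdline):
            per_host.setdefault(ev.host, {}).setdefault(name, []).append(ev.cmdline)
    return {h: b for h, b in per_host.items() if len(b) >= min_behaviours}


# Constructed sample: one host showing the full pattern, two benign hosts.
SAMPLE_LOG = [
    "2022-01-27T09:00:01|playout-01|SYSTEM|C:\\Windows\\System32\\cmd.exe /c wevtutil cl System",
    "2022-01-27T09:00:02|playout-01|SYSTEM|vssadmin delete shadows /all /quiet",
    "2022-01-27T09:00:03|playout-01|SYSTEM|taskkill /F /IM playout.exe",
    "2022-01-27T09:00:04|playout-01|SYSTEM|net user operator Xk9#pL2q",
    "2022-01-27T09:00:05|playout-01|SYSTEM|wbadmin delete catalog -quiet",
    "2022-01-27T09:05:00|hr-ws-07|alice|net user alice",
    "2022-01-27T09:06:00|hr-ws-07|alice|C:\\Program Files\\Git\\bin\\git.exe status",
    "2022-01-27T09:07:00|backup-02|svc_backup|vssadmin list shadows",
]

if __name__ == "__main__":
    for host, behaviours in correlate(SAMPLE_LOG).items():
        print(f"{host}: {len(behaviours)} wiper behaviours")
        for name, cmds in behaviours.items():
            for cmd in cmds:
                print(f"  [{name}] {cmd}")
```

The per-host threshold is what keeps this usable: each rule alone fires on routine administration, but the combination, especially within a short window on a broadcast or playout host, is worth an immediate page regardless of which family is behind it.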

News source:

https://thehackernews.com/202...


Copyright notice
This article was written by [Tencent security]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/02/202202221319091729.html