
More than 10 million Android users installed fraud apps, and the number of ransomware attacks in the UK doubled | global network security hotspot

2022-06-24 02:39:00 Tencent security

Security news report

Attackers hijack Craigslist email to spread malware

Craigslist's internal e-mail system was hijacked by attackers this month to deliver convincing messages, with the ultimate goal of evading Microsoft Office security controls to deliver malware.

These emails were sent from real Craigslist IP addresses. They informed users that their advertisements contained inappropriate content and violated Craigslist's terms and conditions, and provided false instructions on how to avoid having their accounts deleted.

INKY researchers found that the attacker manipulated the email's HTML into a custom document and uploaded the malware download link to a Microsoft OneDrive page. The page impersonated DocuSign, Norton, Microsoft and other major brands. This also enabled the campaign to bypass standard e-mail authentication.

The researchers pointed out in a post this week: “Because the problem-solving URL was hosted on a custom document in Microsoft OneDrive, it did not appear in any threat intelligence sources, enabling it to bypass most security providers.”

News source:

https://threatpost.com/attackers-hijack-craigslist-email-malware/175754/

The number of ransomware attacks in the UK has doubled in a year

The head of the British spy agency GCHQ revealed that the number of ransomware attacks against British institutions has doubled in the past year.

GCHQ's head, Jeremy Fleming, said that locking the files and data on a user's computer and demanding a fee for their release is becoming more and more popular among criminals because it is “basically uncontested” and lucrative.

His comments, made on Monday at the Cipher Brief annual threat conference, came after warnings that Russia and China are harbouring criminal gangs that have successfully targeted Western governments or companies.

GCHQ declined to provide the exact number of ransomware attacks recorded in the UK this year or last year. However, a report released this month by the US Treasury Department shows that in the first six months of this year the value of suspicious transactions related to ransomware in the United States was about 5.9 billion dollars. According to the report, the 10 major hacker groups considered to be behind the crimes have transferred about 52 billion dollars of bitcoin in the past three years.

Lindy Cameron, CEO of the National Cyber Security Centre (NCSC), said in a speech this month at the Chatham Institute think tank that ransomware is “the most immediate danger” of all the cyber threats facing the UK.

News source:

https://www.theguardian.com/uk-news/2021/oct/25/ransomware-attacks-in-uk-have-doubled-in-a-year-says-gchq-boss

Enterprises will face more phishing attacks

Cyber protection organization Acronis has released its annual Cyber Readiness Report, which comprehensively summarizes the modern cybersecurity landscape and the main pain points faced by global enterprises and remote employees during the global pandemic.

Based on the results of this year's independent survey of 3,600 IT managers and remote employees at small and medium-sized companies in 18 countries/regions, the report states that 53% of global companies have a false sense of security regarding supply chain attacks.

The number and complexity of attacks are increasing

Three out of ten companies say they face cyber attacks at least once a day, similar to last year. This year, only 20% of companies reported no attacks, down from 32% in 2020, which means that the number of attacks is increasing.

The most common types of attack reached an all-time high this year. Phishing attacks are increasingly frequent and, at 58%, are now the most common type of attack. Malware attacks also increased in 2021: 36.5% of companies detected malware attacks this year, up from 22.2% in 2020.

However, this year is the year of phishing: since 2020, the demand for URL filtering solutions has increased 10 times, and 20% of global companies are now aware of the dangers that phishing poses to their business.

Despite awareness of multi-factor authentication (MFA), nearly half of IT managers (47%) have not adopted an MFA solution, which leaves their businesses vulnerable to phishing attacks. Based on these findings, they either think it is worthless or think it is too complex to implement. According to Acronis, on average one in five remote employees becomes a key target of phishing attacks, receiving more than 20 phishing emails per month.

News source:

https://www.mybusiness.com.au/technology/8469-businesses-face-increasing-risk-of-phishing-attacks-report

Ransomware group launches phishing campaign against financial services companies

The ransomware group known as TA505 has existed for at least six years, carrying out large-scale e-mail attacks on various industries around the world. Now it is targeting the financial industry.

According to reports, after fine-tuning its signature malware and scripting language, the group has since last month included North American banks, credit unions and other financial services companies among its targets. The e-mail phishing campaign, named “MirrorBlast”, targets a variety of institutions and directs users to fraudulent sites, where FSI employees may accidentally download malware to their company computers or other devices.

Ivan Tsarynny, CEO and co-founder of client-side security provider Feroot, pointed out that although financial services institutions have long been “besieged by cyber criminals”, these companies usually have the most “advanced network security plans, practices and deployed teams.”

Even so, TA505, which has been silent for some time, is a sleeping giant that cannot be underestimated. According to the US Treasury, it has caused more than 1 billion dollars in losses in the past few years. Its targets are not only American financial services institutions but also financial companies in Canada, Europe and Asia.

However, according to Tsarynny, to really make an impact, ransomware attacks must hit the server, and attacks like this often enter through the client. “Cybercriminals find it easy to deploy malicious third-party JavaScript on FSI web applications and web pages, and can browse user data,” he said. “Criminals do not have to use traditional server-side attacks to collect FSI customer data. They can browse the information in bank websites and web applications.”

Moreover, however the ransomware threat is addressed, for financial services institutions in particular, concerns about such security hazards also include compliance and privacy issues.

News source:

https://www.scmagazine.com/analysis/phishing/ransomware-group-targets-financial-service-firms-with-phishing-campaign

More than 10 million Android users installed “premium SMS” fraud applications

A global fraud campaign was discovered that used 151 malicious Android applications, downloaded 10.5 million times, to sign users up for premium subscription services without their consent or knowledge.

The premium SMS fraud, known as “UltimaSMS”, is believed to have begun in May 2021. The applications involved cover a wide range of categories, including keyboards, QR code scanners, video and photo editors, spam blockers, camera filters and games. Most of these fraud applications were downloaded by users in Egypt, Saudi Arabia, Pakistan, the United Arab Emirates, Turkey, Oman, Qatar, Kuwait, the United States and Poland.

Although most of the problematic applications have since been removed from the Google Play store, as of October 19, 2021, 82 applications were still available in the online market.

It all starts when the application prompts the user to enter their phone number and e-mail address and asks the victim to subscribe to a premium SMS service. Depending on the country and mobile operator, the monthly charge can exceed $40.

Another notable feature of the UltimaSMS adware scam is that it is promoted through advertising channels on popular social media sites such as Facebook, Instagram and TikTok, using what the researchers call “fascinating video advertising” to attract unsuspecting users.

In addition to uninstalling the above applications, users are advised to disable their operator's premium SMS option to prevent subscription abuse.

News source:

https://thehackernews.com/2021/10/over-10-million-android-users-targeted.html

FBI: Ranzy Locker ransomware attacked at least 30 American companies this year

“By July 2021, unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 American companies,” the FBI said on Monday in a TLP:WHITE flash alert.

“The victims include the construction subsector of the critical manufacturing sector, the academia subsector of the government facilities sector, the information technology sector and the transportation sector.” The flash alert was released in coordination with CISA and aims to provide information to help security professionals detect and prevent such ransomware attack attempts.

Most Ranzy Locker victims told the FBI that the attackers compromised their networks by brute-forcing weak Remote Desktop Protocol (RDP) passwords. More recently, others reported that the attackers also exploited vulnerable Microsoft Exchange servers or used login credentials stolen in phishing attacks.

Once inside the victim's network, Ranzy Locker operators also steal unencrypted files before encrypting systems on the victim's corporate network, a strategy used by most other ransomware gangs. These exfiltrated files contain sensitive information, including customer information, personally identifiable information (PII) and financial records, and are used as leverage to force victims to pay the ransom to get their files back rather than have the data leaked online.

When victims visit the group's Tor payment site, they see a “Locked by Ranzy Locker” message and a live chat screen for negotiating with the threat actors. As part of this “service”, the ransomware operators also allow victims to decrypt three files for free to prove that the decryptor can recover their files.

Victims who do not pay the ransom will have their stolen documents published on the Ranzy Locker data leak site (called Ranzy Leak). It was disclosed that the domain name used by the site was previously used by Ako Ransomware, as part of the gang's rebranding from Ako to ThunderX and then to Ranzy Locker.

News source:

https://www.bleepingcomputer.com/news/security/fbi-ranzy-locker-ransomware-hit-at-least-30-us-companies-this-year/

Security vulnerability threats

New York Times reporter repeatedly hacked with Pegasus after reporting on Saudi Arabia

The iPhone of New York Times reporter Ben Hubbard was repeatedly targeted with NSO Group's Pegasus spyware tool over the three years from June 2018 to June 2021, resulting in two infections, in July 2020 and June 2021.

The University of Toronto's Citizen Lab, which released its findings on Sunday, said, “The targeting took place while he was reporting on Saudi Arabia and writing a book about Saudi Crown Prince Mohammed bin Salman.” The institute did not attribute the infiltration to a specific government.

In a statement shared with Hubbard, the Israeli company denied involvement in the hacking and dismissed the findings as “speculation”, while noting that the reporter was not “a target of Pegasus by any of NSO's customers”.

So far, NSO Group is believed to have used at least three different iOS exploits: an iMessage zero-click exploit in December 2019, the KISMET exploit targeting iOS 13.5.1 and iOS 13.7 starting in July 2020, and the FORCEDENTRY exploit targeting iOS 14.x up to 14.7.1 since February 2021.

It is worth pointing out that Apple's iOS 14 update included the BlastDoor framework, which aims to make zero-click exploitation more difficult, even though FORCEDENTRY explicitly undermines that very security feature built into the operating system, prompting Apple to release an update in September 2021 to fix the defect.

The forensic investigation shows that Hubbard's iPhone was successfully compromised by the spyware twice, on July 12, 2020 and June 13, 2021, once each via the KISMET and FORCEDENTRY zero-click iMessage exploits, after two earlier attempts via text message and WhatsApp in 2018 failed.

News source:

https://thehackernews.com/2021/10/nyt-journalist-repeatedly-hacked-with.html

Trickbot banking Trojan develops new techniques

The notorious Trickbot banking Trojan has developed a more advanced set of attack tools. It used to be a tool for stealing online banking data, but it has developed into multi-module malware whose activities range from data theft to distributing other malware, including ransomware.

Kaspersky researchers analyzed 61 existing Trickbot modules, determined how Trickbot is updated, and tracked its evolution.

In total, the researchers analyzed 61 modules of the Trojan and found that it has acquired dozens of auxiliary modules for stealing credentials and sensitive information.

It uses stolen credentials and vulnerabilities to spread over the local network, provide remote access, proxy network traffic, perform brute-force attacks and download other malware.

Trickbot targets corporate and individual users worldwide. Although its activity is not geographically restricted, most of the affected users are located in the United States (13.21%), Australia (10.25%) and China (9.77%), followed by Mexico (6.61%) and France (6.30%).

Security experts say that attackers constantly update and refresh their toolsets. Trickbot has developed into one of the most powerful and dangerous samples of its malware type. As cyber criminals evolve, protection technology should do the same. Most attacks are preventable, which is why it is important to have the latest security solutions.

To protect against Trojans and other financial threats, security experts advise users not to click on links in spam, not to open attached documents, and to use online banking only with multi-factor authentication solutions. They also recommend keeping all software updated, including the operating system and all software applications, because attackers often exploit vulnerabilities in widely used programs to gain access.

News source:

https://www.itweb.co.za/content/rxP3jqBme19MA2ye


Copyright notice
This article was created by [Tencent security]. Please include the original link when reprinting. Thank you.
https://yzsam.com/2021/10/20211027173428510p.html