We Are Monitoring Current Cyber Threats
Recent Ransomware Attacks:
April 28th, 2021
New stealthy Linux malware used to backdoor systems for years
A recently discovered Linux malware with backdoor capabilities has flown under the radar for years, allowing attackers to harvest and exfiltrate sensitive information from compromised devices.
The backdoor, dubbed RotaJakiro by researchers at Qihoo 360’s Network Security Research Lab (360 Netlab), remains undetected by VirusTotal’s anti-malware engines, although a sample was first uploaded in 2018.
RotaJakiro is designed to operate as stealthily as possible, compressing its command-and-control traffic with ZLIB and encrypting it with AES, XOR and ROTATE before it leaves the host.
It also does its best to hinder malware analysts: the resource information embedded in the sample spotted by 360 Netlab’s BotMon system is itself encrypted with AES, so configuration and strings are not readable straight from the binary.
“At the functional level, RotaJakiro first determines whether the user is root or non-root at run time, with different execution policies for different accounts, then decrypts the relevant sensitive resources using AES & ROTATE for subsequent persistence, process guarding and single instance use, and finally establishes communication with C2 and waits for the execution of commands issued by C2,” 360 Netlab said.
Attackers can use RotaJakiro to exfiltrate system info and sensitive data, manage plugins and files, and execute various plugins on compromised 64-bit Linux devices.
However, 360 Netlab is yet to discover the malware creators’ true intent for their malicious tool due to lack of visibility when it comes to the plugins it deploys on infected systems.
“RotaJakiro supports a total of 12 functions, three of which are related to the execution of specific Plugins,” the researchers added. “Unfortunately, we have no visibility to the plugins, and therefore do not know its true purpose.”
Since the first RotaJakiro sample landed on VirusTotal in 2018, 360 Netlab has found four distinct samples uploaded between May 2018 and January 2021, every one of them with zero detections.
360 Netlab researchers also discovered links to the Torii IoT botnet first spotted by malware expert Vesselin Bontchev and analyzed by Avast’s Threat Intelligence Team in September 2018.
The two malware strains use the same commands once deployed on compromised systems, and their developers relied on similar construction methods and constants.
RotaJakiro and Torii also share multiple functional similarities, including “the use of encryption algorithms to hide sensitive resources, the implementation of a rather old-school style of persistence, structured network traffic.”
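The detail that matters to a defender here is that RotaJakiro chooses different behaviour for root and non-root users and relies on a conventional style of persistence, so a backdoor with zero AV detections can still be surfaced by auditing autostart locations. The script below is an added example, not code from 360 Netlab’s report or from the malware itself. It walks a list of generic Linux persistence points (an assumed list of common locations, not a claim about where RotaJakiro actually persists) under a given root directory, separates system-level findings from per-user ones, and flags any entry whose launch target lives outside the usual system prefixes. The sample filesystem it builds is constructed for the demo.

```python
"""Audit generic Linux persistence locations, split by root vs per-user scope.

Added example. The location lists and the demo filesystem are assumptions
made for illustration; nothing here is taken from the RotaJakiro sample.
"""
import os
import tempfile
from typing import List, Tuple

# System-wide locations only root can normally write to (assumed list).
ROOT_LOCATIONS = ["etc/cron.d", "etc/init.d", "etc/systemd/system", "etc/rc.local"]
# Per-user locations, relative to each home directory (assumed list).
USER_LOCATIONS = [".config/autostart", ".config/systemd/user", ".bashrc", ".profile"]
# Launch targets under these prefixes are treated as ordinary system binaries.
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/", "/opt/")


def _expand(path: str) -> List[str]:
    """A file counts as itself; a directory yields its direct children."""
    if os.path.isfile(path):
        return [path]
    if os.path.isdir(path):
        return [os.path.join(path, name) for name in sorted(os.listdir(path))]
    return []


def audit_persistence(root: str) -> List[Tuple[str, str]]:
    """Return (scope, path) for every entry found in a persistence location.

    scope is "root" for system-wide locations and "user:<name>" for entries
    under /root or /home/<name>, mirroring the root/non-root split the
    report describes.
    """
    findings: List[Tuple[str, str]] = []
    for rel in ROOT_LOCATIONS:
        findings += [("root", p) for p in _expand(os.path.join(root, rel))]
    homes = [("root", os.path.join(root, "root"))]
    home_base = os.path.join(root, "home")
    if os.path.isdir(home_base):
        homes += [(u, os.path.join(home_base, u)) for u in sorted(os.listdir(home_base))]
    for user, home in homes:
        for rel in USER_LOCATIONS:
            findings += [(f"user:{user}", p) for p in _expand(os.path.join(home, rel))]
    return findings


def launch_targets(path: str) -> List[str]:
    """Extract executable paths from .desktop (Exec=), systemd (ExecStart=)
    and cron.d (seventh field) entries; other formats yield nothing."""
    targets: List[str] = []
    in_cron_d = os.path.basename(os.path.dirname(path)) == "cron.d"
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                line = line.strip()
                if line.startswith(("Exec=", "ExecStart=")):
                    value = line.split("=", 1)[1].split()
                    if value:
                        targets.append(value[0])
                elif in_cron_d and line and not line.startswith("#"):
                    fields = line.split()  # m h dom mon dow user command
                    if len(fields) >= 7:
                        targets.append(fields[6])
    except OSError:
        pass
    return targets


def flag_suspicious(findings: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Keep entries whose launch target is outside the trusted prefixes or
    passes through a hidden directory (a common place to stash a dropper)."""
    flagged = []
    for scope, path in findings:
        for target in launch_targets(path):
            if not target.startswith(TRUSTED_PREFIXES) or "/." in target:
                flagged.append((scope, path, target))
    return flagged


def build_demo_tree() -> str:
    """Constructed sample filesystem for the demo; not a real infection."""
    root = tempfile.mkdtemp(prefix="persist-audit-")

    def put(rel: str, text: str) -> None:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)

    put("etc/cron.d/sysstat", "5-55/10 * * * * root /usr/lib64/sa/sa1 1 1\n")
    put("home/alice/.config/autostart/gnome-keyring-pkcs11.desktop",
        "[Desktop Entry]\nType=Application\nExec=/usr/bin/gnome-keyring-daemon --start\n")
    # Hypothetical user-level autostart entry pointing into a hidden directory.
    put("home/alice/.config/autostart/system-update.desktop",
        "[Desktop Entry]\nType=Application\nExec=/home/alice/.cache/.update/syshelper\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for scope, path, target in flag_suspicious(audit_persistence(demo_root)):
        print(f"[{scope}] {path} -> {target}")
```

Point `audit_persistence` at `/` on a live host or at the mount point of a disk image; the root/user split is what lets you compare a non-root foothold (only the per-user lists populated) against a full root compromise.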
April 23, 2021
Phishing Impersonates Global Recruitment Firm to Push Malware
An ongoing phishing campaign is impersonating Michael Page consultants to push Ursnif data-stealing malware capable of harvesting credentials and sensitive data from infected computers.
Michael Page is a world-leading employment agency focused on recruiting at the qualified professional and management level for permanent, temporary, contract, or interim positions.
The agency is part of the British-based PageGroup recruitment business with operations in the Americas, UK, Continental Europe, Asia-Pacific, and Africa.
We are continuing to experience a global phishing campaign where our employees are being impersonated. Our systems have not been breached. Emails are being sent by scammers who have impersonated our consultants using publicly available data. (1/3)
— Michael Page UK (@MichaelPageUK) April 22, 2021
“We are continuing to experience a global phishing campaign where our employees are being impersonated,” Michael Page UK said.
“These phishing emails are being generated from publicly available information not linked to our business and are being then sent on to random email recipients,” PageGroup revealed.
PageGroup urges those who have received one of these phishing emails or any email coming from Michael Page that looks suspicious “not to reply or click” on any of the embedded links.
In phishing emails sent as part of this campaign seen by BleepingComputer, attackers posing as Michael Page UK headhunters are luring targets with executive positions.
— March 27th, 2021 —
FatFace sends controversial data breach email after ransomware attack
British clothing brand FatFace has sent a controversial ‘confidential’ data breach notification to customers after suffering a ransomware attack earlier this year.
— March 28th, 2021 —
CompuCom MSP expects over $20 million in losses after ransomware attack
American managed service provider CompuCom is expecting losses of over $20 million following this month’s DarkSide ransomware attack that took down most of its systems.
— March 29th, 2021 —
Harris Federation hit by ransomware attack affecting 50 schools
The IT systems and email servers of London-based nonprofit multi-academy trust Harris Federation were taken down by a ransomware attack on Saturday.
— April 1st, 2021 —
New Dharma ransomware variants
Jakub Kroustek found new Dharma ransomware variants that append the .4o4 and .ctpl extensions to encrypted files.
— April 2nd, 2021 —
Asteelflash electronics maker hit by REvil ransomware attack
Asteelflash, a leading French electronics manufacturing services company, has suffered a cyberattack by the REvil ransomware gang, which is demanding a $24 million ransom.
Ransomware gang wanted $40 million in Florida schools cyberattack
Fueled by large payments from victims, ransomware gangs have started to demand exorbitant ransoms from organizations that cannot afford to pay them. An example of this is a recently revealed ransomware attack on the Broward County Public Schools district, where threat actors demanded a $40,000,000 payment.
New Makop ransomware variant
A new Makop ransomware variant has been spotted that appends the .dark extension to encrypted files and drops a ransom note named readme-warning.txt.
New WhiteBlackGroup ransomware
A new ransomware called WhiteBlackGroup has been spotted that appends the .encrpt3d extension to encrypted files.
— April 3rd, 2021 —
Malware attack is preventing car inspections in eight US states
A malware cyberattack on emissions testing company Applus Technologies is preventing vehicle inspections in eight states, including Connecticut, Georgia, Idaho, Illinois, Massachusetts, Utah, and Wisconsin.
Ransomware gang leaks data from Stanford, Maryland universities
Personal and financial information stolen from Stanford Medicine, University of Maryland Baltimore (UMB), and the University of California was leaked online by the Clop ransomware group.
— April 6th, 2021 —
Ransomware hits TU Dublin and National College of Ireland
The National College of Ireland (NCI) and the Technological University of Dublin have announced that ransomware attacks hit their IT systems.
— April 7th, 2021 —
New Cring ransomware hits unpatched Fortinet VPN devices
A vulnerability impacting Fortinet VPNs is being exploited by a new human-operated ransomware strain known as Cring to breach and encrypt industrial sector companies’ networks.
— April 9th, 2021 —
Leading cosmetics group Pierre Fabre hit with $25 million ransomware attack
Leading French pharmaceutical group Pierre Fabre suffered a REvil ransomware attack where the threat actors initially demanded a $25 million ransom, BleepingComputer learned today.
Maze/Egregor ransomware cartel estimated to have made $75 million
The group behind the Maze and Egregor ransomware operations is believed to have earned at least $75 million worth of Bitcoin from ransom payments following intrusions at companies all over the world.