SAN MATEO, CA, March 20, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- LA Housing Authority breached for an entire year, LockBit claims to have 15TB of data
- ALPHV ransomware gang claims to have hacked Amazon’s Ring
- New Golang-based GoBruteforcer observed in the wild
- Fraudulent ChatGPT extension infecting Chrome users to make malicious Facebook ads
- Dangerous “Medusa” ransomware gaining momentum in 2023
- AI-generated YouTube videos are being used to spread malware
- Clop ransomware gang extorting companies with zero-day Fortra GoAnywhere bug
LA Housing Authority breached for an entire year, LockBit claims to have 15TB of data
The Housing Authority of the City of Los Angeles (HACLA), in a statement that follows up on a ransomware attack disclosed earlier this year, says that it suffered “unauthorized access to certain servers between January 15 2022 through December 31 2022.” The servers reportedly contained personal data including names, Social Security numbers, dates of birth, passport numbers, driver’s license numbers or state identification numbers, tax identification numbers, military identification numbers, and more. Ransomware gang LockBit is taking credit for the breach and claims to have collected over 15TB of information they plan to publish or sell on the dark web. Read more.
ALPHV ransomware gang claims to have hacked Amazon’s Ring
The ALPHV cybercrime gang has claimed it hacked Amazon’s Ring, a popular security and doorbell camera manufacturer, with their BlackCat ransomware. The gang is threatening to leak the company’s data on its site, even though Ring has said there is no evidence that any of its systems have been breached. The company stated that a third-party vendor they work with recently experienced a “ransomware incident,” clarifying that no customer data is in their possession and that they’re awaiting more details on the breach. Read more.
New Golang-based GoBruteforcer observed in the wild
GoBruteforcer is a new Golang-based malware that has been observed attacking “web servers running phpMyAdmin, MySQL, FTP, and Postgres to corral the devices into a botnet.” The vector by which GoBruteforcer is delivered has yet to be determined, and the malware appears to be built specifically to attack “Unix-like platforms running x86, x64 and ARM architectures.” According to Palo Alto Networks Unit 42 researchers, the malware uses a “Classless Inter-Domain Routing (CIDR) block for scanning the network during the attack,” and the developers responsible for it “chose CIDR block scanning as a way to get access to a wide range of target hosts on different IPs within a network instead of using a single IP address as a target.” Read more.
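The CIDR-block scanning Unit 42 describes has a simple network-side signature: one source address touching many distinct hosts inside the same block, often on the database and file-transfer ports named above. The following is an added defender-side example (not code from the page, from Unit 42, or from the malware) that runs that check over a constructed connection log; the log format, the sample addresses, and the threshold are assumptions chosen for the illustration.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample connection log (not from the page). One line per
# connection attempt: "<timestamp> <src_ip> -> <dst_ip>:<dst_port>".
# 198.51.100.7 walks a /24 hitting MySQL (3306), FTP (21) and Postgres
# (5432); 203.0.113.9 is an ordinary client talking to one or two hosts.
SAMPLE_LOG = """\
2023-03-14T10:00:01 198.51.100.7 -> 10.0.5.1:3306
2023-03-14T10:00:01 198.51.100.7 -> 10.0.5.2:3306
2023-03-14T10:00:02 198.51.100.7 -> 10.0.5.3:21
2023-03-14T10:00:02 198.51.100.7 -> 10.0.5.4:5432
2023-03-14T10:00:03 198.51.100.7 -> 10.0.5.5:3306
2023-03-14T10:00:03 198.51.100.7 -> 10.0.5.6:3306
2023-03-14T10:00:04 198.51.100.7 -> 10.0.5.7:21
2023-03-14T10:00:05 203.0.113.9 -> 10.0.5.20:443
2023-03-14T10:00:06 203.0.113.9 -> 10.0.5.20:443
2023-03-14T10:00:07 203.0.113.9 -> 10.0.5.21:443
2023-03-14T10:00:08 198.51.100.7 -> 10.0.6.1:3306
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)$")


def parse_line(line):
    """Parse one assumed-format log line; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port = m.groups()
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
    except ValueError:
        return None


def detect_cidr_sweeps(log_text, prefix_len=24, min_hosts=5):
    """Flag sources that contact at least min_hosts distinct hosts in one block.

    Each destination is mapped to its enclosing /prefix_len network, and the
    distinct hosts and ports seen per (source, network) pair are counted.
    Returns a sorted list of (src, network, distinct_hosts, sorted_ports).
    """
    hosts = defaultdict(set)
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        _, src, dst, port = rec
        block = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        key = (str(src), str(block))
        hosts[key].add(str(dst))
        ports[key].add(port)

    alerts = []
    for key, seen in hosts.items():
        if len(seen) >= min_hosts:
            alerts.append((key[0], key[1], len(seen), sorted(ports[key])))
    return sorted(alerts)


if __name__ == "__main__":
    for src, net, n, p in detect_cidr_sweeps(SAMPLE_LOG):
        print(f"possible sweep: {src} touched {n} hosts in {net} on ports {p}")
```

The block size and host threshold are tuning knobs: a /24 with a threshold of five catches a tight sweep like the constructed one, while widening to a /16 groups a scanner that hops between adjacent subnets. Real deployments would also whitelist known scanners (vulnerability management, monitoring) to keep the false-positive rate down.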
Fraudulent ChatGPT extension infecting Chrome users to make malicious Facebook ads
A fake ChatGPT extension for users of Google’s Chrome web browser can hijack a victim’s Facebook account and use it to create fake ads for the malware at the account holder’s expense. Threat actors have been employing this tactic to create an “army of Facebook bots.” The extension, called “Quick access to ChatGPT,” has been pulled from the Google Play store, but not before gaining around 2,000 downloads a day since its appearance on March 9. Fake browser extensions are one of the many ways that threat actors have capitalized on the popularity of ChatGPT. Read more.
Dangerous “Medusa” ransomware gaining momentum in 2023
A ransomware outfit called Medusa has been increasingly active in 2023, demanding millions of dollars from victims worldwide. While it is unknown whether Medusa has a Linux encryptor, its attacks on Windows systems let the threat actor choose how targeted data is encrypted. To make recovery even more challenging, Medusa ransomware also runs a command to “delete locally stored files associated with backup programs, like Windows Backup. This command will also delete virtual disk hard drives (VHD) used by virtual machines.” There is currently no way to decrypt affected files for free. Read more.
AI-generated YouTube videos are being used to spread malware
Threat actors have been using AI-generated YouTube videos to lead victims into downloading infostealer malware including Raccoon, RedLine, and Vidar. The videos appear to offer viewers cracks for software such as Photoshop or Office, and they are being uploaded at an alarming rate. After hijacking a legitimate account, attackers point viewers to malicious download links and even populate the videos with fake comments to make them appear legitimate. While account recovery can take as little as a few hours, accounts with large followings could see hundreds of clicks in that short window. Read more.
Clop ransomware gang extorting companies with zero-day Fortra GoAnywhere bug
Last month, developers working on the GoAnywhere MFT file transfer solution disclosed that a zero-day remote code execution vulnerability had been found and exploited. The Clop ransomware gang has claimed credit for the attacks, telling BleepingComputer that they exploited the flaw over the course of 10 days, targeting 130 companies. Reports of ransom demands have been coming in, lending credence to Clop’s claims. While ransom amounts have not yet been disclosed, Clop has previously demanded as much as $10 million for similar attacks. Read more.