SAN MATEO, CA, February 13, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Trickbot ransomware gang members sanctioned by US and UK
- Reddit hacked, user accounts and passwords safe “so far”
- Hackers abusing Google Ads to steal AWS creds via phishing sites
- Dozens of security flaws found in wireless IIoT devices put critical infrastructure at risk
- Pharmaceutical distributor AmerisourceBergen hacked by Lorenz ransomware group
- Medusa botnet returns with new, albeit broken, ransomware feature
- CISA assists ESXiArgs ransomware victims with free recovery script
- GuLoader malware campaign adapting in response to Microsoft’s macro blocking
- Flaw in Clop Linux ransomware allowed victims to recover their files quietly
- Ransomware campaign exploiting 2021 VMware bug
Trickbot ransomware gang members sanctioned by US and UK
A joint effort by the US and UK has sanctioned seven individuals that have been determined to be involved in Russia’s Trickbot ransomware gang. The group members, known to have close links to Russia’s intelligence operations, have had their assets frozen and have received a travel ban from the two nations. Trickbot is known for targeting medical facilities, resulting in system outages and ambulance service disruptions. In a statement on the sanctions, the US State Department said that Russia is “a safe haven for cybercriminals, where groups such as Trickbot freely perpetrate malicious cyber activities against the United States, the United Kingdom, and our allies and partners.” Read more.
Reddit hacked, user accounts and passwords safe “so far”
In a thread on the site, Reddit has reported that it was hacked in a “highly targeted” phishing attack that allowed an unauthorized user to access business systems, code and internal documents. Based on the post, it appears as though a Reddit employee was tricked into clicking a link that sent them to a site that “cloned the behavior” of the company’s gateway. The statement says there is no evidence that user data or passwords had been exposed in the incident, although the investigation remains “ongoing.” Read more.
Hackers abusing Google Ads to steal AWS creds via phishing sites
A phishing campaign targeting Amazon Web Services (AWS) logins by pushing lookalike sites into Google Search results via Google Ads has been discovered by SentinelLabs. The fraudulent ads send victims to a website that mimics a legitimate vegan food blog but is actually under the control of the threat actors. That site then automatically redirects visitors to a fake AWS login page designed to harvest their credentials. It is one of many recent instances in which attackers abuse Google Ads to put their scams in front of potential victims. Read more.
Dozens of security flaws found in wireless IIoT devices put critical infrastructure at risk
Thirty-eight security vulnerabilities have been found in wireless industrial internet of things (IIoT) devices from four different vendors, according to industrial cybersecurity firm Otorio. Threat actors can leverage the flaws as a remote entry point into industrial networks. Ranging from remote code execution and total control of vulnerable devices to data theft, the findings highlight the risk of exposing IIoT devices directly to the internet. Most of the flaws are easy to exploit, and the potential damage from a successful attack could be catastrophic. Read more.
Pharmaceutical distributor AmerisourceBergen hacked by Lorenz ransomware group
AmerisourceBergen, a drug distributor and major entity in the healthcare sector, has suffered a data breach at the hands of the Lorenz cybercrime gang. Data purported to come from the company and its subsidiary, MWI Animal Health, has been leaked online. While AmerisourceBergen has reported the attack and IT compromise, they have yet to confirm officially that the leaked data is genuine. Researchers have noted that the “post date” on the data is November 1st, although it has just been released. This indicates that the hack happened months ago. Lorenz has a history of targeting large companies. Read more.
Medusa botnet returns with new, albeit broken, ransomware feature
A new variant of the Medusa DDoS botnet has been observed in the wild. Medusa has been around since 2015, but this variant adds a ransomware module and a Telnet brute-forcer and is being advertised as malware-as-a-service (MaaS) for crypto mining and DDoS attacks. Medusa’s ransomware feature does not appear to work at this time, however: the malware deletes files before dropping a ransom note, and the way it wipes system drives makes it impossible for a victim to view the note. This leads researchers to believe the ransomware functionality is still under development and not yet ready for successful deployment. Read more.
CISA assists ESXiArgs ransomware victims with free recovery script
A widespread ransomware campaign targeting VMware ESXi servers has been prolific but largely unsuccessful, as the threat actors failed to encrypt the flat files that hold the virtual disk data, leaving the door open for recovery. The recovery process is not simple, however. To assist victims, CISA has released a script on GitHub that automates it. CISA urges administrators to review carefully how the script works before running it: “While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit,” the agency warns. Read more.
GuLoader malware campaign adapting in response to Microsoft’s macro blocking
Researchers have uncovered a malware campaign targeting e-commerce companies worldwide, including those in the US, Korea, Germany and Japan. The campaign displays a trend in the cybercrime world that sees criminals responding to Microsoft blocking downloaded macros in Office by exploring new avenues of attack. Hackers continue to flex their muscles and adapt to new security features, and “the new phishing wave employs NSIS files embedded within ZIP or ISO images to activate the infection” instead of Word files packed with macros. Read more.
Flaw in Clop Linux ransomware allowed victims to recover their files quietly
Victims of Clop ransomware running Linux servers have been able to decrypt their files without dealing with the cybercriminals, thanks to several flaws in the Linux variant that let researchers peel back its layers. Clop’s Linux version is reportedly still in development, and the deployed instances are loaded with bugs that make it far easier to circumvent than the Windows version. As Clop refines the malware, researchers expect it to mature into a more effective form. Clop’s use of such a flawed tool shows that the group values the ability to target Linux systems, even if the weapon it currently wields is not its strongest. Read more.
Ransomware campaign exploiting 2021 VMware bug
A ransomware campaign targeting firms in the US, Canada, France, Finland and Italy is taking advantage of a bug within VMware ESXi hypervisors that was initially disclosed in 2021. The flaw “enables attackers to perform remote code execution by triggering a heap-overflow issue in OpenSLP.” The scale of the campaign has not yet been determined, but dozens of instances have been reported in Italy and security vendor DarkFeed has revealed over 300 victims. Users of affected products are urged to update to the latest versions immediately. Read more.