Cybersecurity News – April 11, 2022

New Meta information stealer distributed in malspam campaign

META is a new information stealer that appears to be gaining popularity among cybercriminals. Like the operators of Mars Stealer and BlackGuard, its sellers appear to be capitalising on Raccoon Stealer’s exit from the market, which left many criminals looking for a replacement. META is sold for $125 a month or $1,000 for unlimited lifetime use and is promoted as an improved version of RedLine. It arrives in the now-standard way, as a macro-laced Excel spreadsheet attached to a spam email, and is being used to steal passwords stored in Chrome, Edge and Firefox, as well as cryptocurrency wallets.

(Bleeping Computer)
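The delivery vector above, a macro-laced Excel attachment, is easy to screen for at the mail gateway because Office 2007+ documents are ZIP containers and any VBA they carry lives in a well-known member file. The check below is an added example written for this digest, not code from the article or from any vendor; the sample attachments it triages are constructed in memory, and the file names are hypothetical.

```python
"""Flag macro-bearing OOXML attachments (added example; not from the article).

Office 2007+ files (.xlsx/.xlsm/.docx/.docm ...) are ZIP containers. A
workbook that carries VBA stores it in xl/vbaProject.bin (Word: word/,
PowerPoint: ppt/). Checking the container contents, rather than the file
extension, catches a macro-laced workbook regardless of how it is named.
Legacy binary .xls/.doc (OLE2) files are a different format and are not
covered here. The sample attachments below are constructed in memory.
"""

import io
import zipfile

VBA_MEMBERS = {"xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin"}
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def has_vba_project(data: bytes) -> bool:
    """True if the OOXML container declares or contains a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if names & VBA_MEMBERS:
                return True
            # A package can also announce VBA via [Content_Types].xml
            if "[Content_Types].xml" in names:
                return VBA_CONTENT_TYPE in zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        pass  # not an OOXML container (could be OLE2, PDF, or junk)
    return False


def triage_attachments(attachments: dict) -> list:
    """Return the names of attachments that should be quarantined."""
    return sorted(name for name, blob in attachments.items() if has_vba_project(blob))


def _build_workbook(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML-style zip for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # First bytes of the OLE2 header that a real vbaProject.bin starts with
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0")
    return buf.getvalue()


# Constructed sample mail: the names are hypothetical, the contents are built above
SAMPLE_MAIL = {
    "invoice.xlsx": _build_workbook(with_macro=True),   # macro despite the .xlsx name
    "report.xlsx": _build_workbook(with_macro=False),
    "notes.txt": b"plain text, not a zip",
}

if __name__ == "__main__":
    print("quarantine:", triage_attachments(SAMPLE_MAIL))
```

The point of inspecting the container rather than the extension is that a sender can name a macro-enabled workbook `.xlsx`; whether Excel will then run the macro depends on the client, but the attachment is still worth stopping. Pair this with a rule on the legacy OLE2 magic (`D0 CF 11 E0 A1 B1 1A E1`) if your users still receive `.xls` files.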

NB65 group targets Russia with a modified version of Conti’s ransomware

According to BleepingComputer, the NB65 hacking group has been targeting Russian organizations with ransomware built from the leaked Conti source code. Apparently working alongside Anonymous, the group has hit multiple Russian targets, including the All-Russia State Television and Radio Broadcasting Company (VGTRK) and the Russian space agency Roscosmos, and since the end of March it has been deploying its own ransomware against Russian entities. The group has also modified the encryption process so that its Russian victims cannot use the decryptor provided by the Conti gang, which has declared its support for Russia in the conflict.

(Security Affairs)

Elon Musk unveils vision for Twitter after joining board

After buying a 9.2% stake in the company, Musk has, in a series of Twitter posts, expressed concern over the company’s moderation policies. In late March, after he had acquired his stake but before he had disclosed it publicly, he tweeted a poll asking users whether Twitter adhered to the principle of free speech. “Given that Twitter serves as the de facto public town square, failing to adhere to free speech principles fundamentally undermines democracy,” he added. “What should be done?” Other ruminations focus on an edit button and whether Twitter Blue members should all get a checkmark.

(The Guardian)

New Android banking malware remotely takes control of your device

Octo is an evolved Android banking trojan based on ExoCompact that lets the threat actors commit on-device fraud (ODF) by remotely controlling the compromised phone. Remote viewing comes from a live screen-streaming module, refreshed every second, built on Android’s MediaProjection API; remote input comes from the Accessibility Service. To hide what it is doing, Octo draws a black overlay over the screen, sets the brightness to zero and silences notifications by enabling Do Not Disturb (“no interruption”) mode, so the device appears to be switched off while the malware works. The actions it can perform include screen taps, gestures, typing text, modifying the clipboard, pasting data, and scrolling up and down.

(Bleeping Computer)
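Two of the privileges described above are persisted in Android’s secure settings and can be audited over `adb`: which packages are enabled as accessibility services, and which hold notification-policy (Do Not Disturb) access. The triage helper below is an added example for this digest, not code from the article or from any Octo analysis; it parses constructed sample output of `adb shell settings get secure ...`, and the package names in the samples and the allowlist are hypothetical.

```python
"""Triage helper: spot apps holding the two Android privileges Octo abuses.

Added example, not code from the original article or from any vendor
report. It parses the output of two `adb shell settings get secure` calls:

  enabled_accessibility_services              (colon-separated pkg/ServiceClass)
  enabled_notification_policy_access_packages (colon-separated pkg; DND control)

The sample strings below are constructed; the package names in them are
hypothetical and not taken from any Octo sample.
"""

# Constructed sample output; on a real device you would capture e.g.
#   adb shell settings get secure enabled_accessibility_services
ACCESSIBILITY_SETTING = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.freeapp/.svc.RemoteHelper"
)
DND_SETTING = "com.example.freeapp:com.android.settings"

# Packages you expect to hold these privileges (assumption: populate this from
# a known-good device in your fleet). Anything else deserves a look.
KNOWN_GOOD = {"com.android.talkback", "com.android.settings"}


def parse_colon_list(value: str) -> list:
    """Split a `settings get secure` value; 'null' means nothing is set."""
    value = value.strip()
    if not value or value == "null":
        return []
    return [item for item in value.split(":") if item]


def accessibility_packages(setting: str) -> set:
    """Return the package part of each 'pkg/ServiceClass' entry."""
    return {entry.split("/", 1)[0] for entry in parse_colon_list(setting)}


def dnd_packages(setting: str) -> set:
    """Packages granted notification-policy (Do Not Disturb) access."""
    return set(parse_colon_list(setting))


def suspicious_packages(acc_setting: str, dnd_setting: str, known_good: set) -> dict:
    """Map each non-allowlisted package to the privileges it holds.

    A package holding BOTH accessibility and notification-policy access
    matches the combination described in the article, so it sorts first.
    """
    acc = accessibility_packages(acc_setting) - known_good
    dnd = dnd_packages(dnd_setting) - known_good
    result = {}
    for pkg in acc | dnd:
        privs = []
        if pkg in acc:
            privs.append("accessibility")
        if pkg in dnd:
            privs.append("notification_policy")
        result[pkg] = privs
    return dict(sorted(result.items(), key=lambda kv: (-len(kv[1]), kv[0])))


if __name__ == "__main__":
    for pkg, privs in suspicious_packages(ACCESSIBILITY_SETTING, DND_SETTING, KNOWN_GOOD).items():
        print(f"{pkg}: {', '.join(privs)}")
```

The MediaProjection grant is not covered here: it is a per-session consent the user clicks through in a system dialog (or that the malware clicks through for them via accessibility), so there is no persisted setting to read. Accessibility and DND access, by contrast, survive reboots and show up in the two settings above, which makes them the cheaper signal to collect across a fleet.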

Thanks to our episode sponsor, Code42

Have you been thinking about launching an Insider Risk Management program? You don’t need to be Big Brother to effectively address Insider Risk. 
 
Code42 believes that the Three Ts should define any IRM program: transparency, training, and technology. Shift your security culture from “watchdog” to “guide dog” and everyone wins. Learn more at Code42.com/showme.

Germany shuts down Russian Hydra darknet market; seizes $25 million in Bitcoin

Germany’s Federal Criminal Police Office announced on Tuesday the takedown of Hydra, the world’s largest illegal dark web marketplace, which had facilitated more than $5 billion in Bitcoin transactions over its lifetime. The agency attributed the shutdown to an extensive investigation by its Central Office for Combating Cybercrime, conducted in partnership with U.S. law enforcement and underway since August 2021. Launched in 2015, Hydra was a Russian-language darknet marketplace used to sell stolen credit cards, SIM cards, and counterfeit documents and IDs, among other offerings, and, according to a May 2021 Flashpoint report, to obscure its users’ own transactions through regional exchanges and extended money-laundering tactics.

(The Hacker News)

Hackers are increasingly targeting UK small businesses 

According to the UK government’s latest annual Cyber Security Breaches Survey, 48% of British small businesses identified a cyberattack in the past 12 months, and 31% say they are now attacked at least once a week. The report also finds that only 37% of small businesses have a formal cybersecurity strategy in place, and that one in five attacks has direct negative consequences, ranging from financial cost to loss of data; the average bill for each such attack was £3,080 for small businesses. The report was published in part to draw attention to Cyber Essentials, a government-run cybersecurity scheme for small businesses.

(MoneyWeek)

Microsoft: Windows Autopatch steals the ‘fun’ from Patch Tuesdays

Microsoft has announced that Windows Autopatch, a managed service that automatically keeps Windows and Office software up to date, will be released in July 2022. It is offered at no extra cost to customers who already hold a Windows 10/11 Enterprise E3 or higher license. According to Lior Bela, a Senior Product Marketing Manager at Microsoft, “This service will keep Windows and Office software on enrolled endpoints up-to-date automatically, at no additional cost. The second Tuesday of every month will be ‘just another Tuesday’.” The change shifts update orchestration from the organization to Microsoft, so that planning the rollout and sequencing of updates no longer falls on the organizations’ IT teams.

(Bleeping Computer)

Indian bank with no firewall license, intrusion or phishing protection – gets robbed

The Andhra Pradesh Mahesh Co-Operative Urban Bank has 45 branches and just under $400 million in deposits, making it one of India’s smaller banks. Over three days in November 2021, more than 200 phishing emails were sent to its staff, one of which let the attackers deploy a Remote Access Trojan (RAT). Because the bank had not segmented its network with VLANs, the attackers were able to roam widely through its systems and into its core banking application; it had also allowed its super-users to share identical passwords. The attackers created new bank accounts, moved more than $1 million of customers’ funds into them, and made withdrawals at 938 ATMs across India. The money was funnelled to Nigeria and the UK.

(The Register)


Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.