New undetected backdoor runs across three OS platforms
According to researchers at Intezer, a new backdoor malware is making the rounds, and it is able to work across Windows, Mac and Linux. Some versions of it are currently undetected in VirusTotal. The researchers named it SysJoker after discovering it as part of the investigation into an attack on a Linux web server running within an education sector organization. They stated, “SysJoker masquerades as a system update and generates its command and control by decoding a string retrieved from a text file hosted on Google Drive. During our analysis the C2 changed three times, indicating the attacker is active and monitoring for infected machines. Based on victimology and malware’s behavior, we assess that SysJoker is after specific targets.”
Microsoft RDP bug enables data theft, smart-card hijacking
Researchers from CyberArk are warning of a vulnerability in the Remote Desktop Services protocol that impacts Microsoft Windows systems going back to Windows Server 2012, which may provide attackers who are connected to a remote system via RDP a route to gain file system access on the machines of other connected users. According to Dark Reading, “Threat actors that exploit the flaw can view and modify clipboard data or impersonate the identities of other users logged in to the machine in order to escalate privileges or to move laterally on the network, researchers from CyberArk discovered recently. They reported the issue to Microsoft, which issued a patch for the flaw (CVE-2022-21893) in its security update for January this Tuesday.”
Ukrainian police arrests ransomware gang that hit over 50 firms
Estimates of total losses resulting from these attacks are in excess of $1 million USD. According to Ukrainian police, the group involved includes a 36-year-old resident of Kiev along with his wife and three other acquaintances. The type of ransomware used by the gang to encrypt data on victims’ computers has not been identified, but it is evident that it was delivered through spam emails. The police added that three members of the gang did receive ransom payments in cryptocurrency, and in exchange, they provided the decryption tool to restore data.
FBI arrests social engineer who allegedly stole unpublished manuscripts from authors
Italian citizen Filippo Bernardini was arrested at JFK on January 5 for wire fraud and aggravated identity theft. This is in regard to a grand jury indictment dated July 14, 2021, that revealed his “multi-year scheme to impersonate individuals involved in the publishing industry in order to fraudulently obtain hundreds of prepublication manuscripts of novels and other forthcoming books. A review of Bernardini’s employment history, who worked at Simon & Schuster up until his arrest, shows he launched his caper simultaneously with the launch of his career in the publishing world, following his receiving a master’s degree in publishing in 2016 from University College London.”
Admins report Hyper-V and domain controller issues after first Patch Tuesday of 2022
“Microsoft’s first Patch Tuesday of 2022 has, for some people, broken Hyper-V and sent domain controllers into boot loops.” This is according to The Register, and is specifically about KB5009624, which they said “breaks hypervisors running on WS2012R2. As well as the broken Hyper-V, there have been reports of problems with boot loops on domain controllers, with other versions of Windows Server affected. Posters in a Reddit thread complained that KB5009546 (for Windows Server 2016) and KB5009557 (for Windows Server 2019) were probably also to blame and recommended a swift uninstall of the patches for those affected.”
Ransomware locks down prison, knocks system offline
According to independent media outlet SourceNM, and quoted by ZDNet, “the Metropolitan Detention Center in Bernalillo County, New Mexico, went into lockdown on January 5, 2022, after cyberattackers infiltrated Bernalillo County systems and deployed malware. Local government systems were impacted by the cyberattack, including those used to manage the prison.” The prison went into lockdown due to the ransomware reportedly severing its internet connection and also locking staff out of data management servers and security camera networks. “In addition to interrupting communications for prison employees and inmates, a number of databases are suspected of being corrupted by the cyberattack, including an incident tracker which records inmate fights and attacks. Prison guards were left unable to manage automatic doors, however, physical keys could still be used.”
(ZDNet)
New GootLoader campaign targets accounting, law firms
According to the security firm eSentire, the GootLoader malware gang has moved from REvil ransomware to “actively targeting employees of law and accounting firms with malicious downloads.” The gang exploits WordPress vulnerabilities in order to hijack sites offering sample business agreements for professionals. “Law firm employees tricked by the malicious agreements were searching for common legal filings including “Post Nuptial Agreement,” “Model IP Agreement” and “Olympus Plea Agreement,” according to the report. By gaming Google’s Search Engine Optimization algorithm Gootloader was able to get to the top of keyword search results.”
Cybersecurity training isn’t working. And hacking attacks are only getting worse
Stuart E. Madnick, professor of information technology and engineering systems at MIT Sloan Executive Education, told ZDNet Security Update recently, “The 30-minute video you’re obligated to watch once a year doesn’t do the job.” According to Madnick — who has been at MIT since 1972 and has served as the head of MIT’s Information Technologies Group for more than 20 years — organizations need to build a culture of cybersecurity that actively involves everyone. He stated that even now, despite the risk posed by cyberattacks, many businesses and their boardrooms still don’t fully understand the threats they’re facing from cybercriminals and how to best defend their networks against them.
(ZDNet)