Russian Turla hackers hijack decade-old malware infrastructure to deploy new backdoors
Turla, a Russian cyberespionage group, has been observed taking advantage of an attack infrastructure used by a decade-old malware to install reconnaissance and backdoor tools on targets in Ukraine. Mandiant has identified the hijacked servers as corresponding to a variant of the malware ANDROMEDA (aka Gamarue) which had been uploaded to VirusTotal in 2013.
LastPass hit with lawsuit over August breach
Following the August data breach at LastPass, a lawsuit has now been filed by an unnamed individual who blames the theft of an unspecified amount of Bitcoin private keys, stored in a cryptowallet, on the company’s failures. The suit seeks a jury trial along with damages and restitution from LastPass on behalf of a nationwide class that includes any LastPass users whose data was stolen in the breach. In December, LastPass admitted that the attack was more serious than had first been suspected, with attackers gaining access to a cloud storage system to steal user password vaults.
Hackers abuse Windows error reporting tool to deploy malware
Hackers are taking advantage of the Windows Problem Reporting error reporting tool (WerFault.exe), using it to load malware into a compromised system’s memory via a DLL sideloading technique. The goal is to infect devices without raising alarms, since the malware is launched through a legitimate Windows executable. The campaign was spotted by K7 Security Labs, which believes the hackers to be based in China. It starts with the delivery of an email with an ISO attachment, which, when double-clicked, will “mount itself as a new drive letter containing a legitimate copy of the Windows WerFault.exe executable, a DLL file (‘faultrep.dll’), an XLS file (‘File.xls’), and a shortcut file.”
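A detection-side illustration of the sideloading pattern described above, added here as an example rather than anything from K7 Security Labs’ report: it scans Sysmon-style process-create and image-load records (the sample events and their field names are constructed) and flags WerFault.exe running from, or loading faultrep.dll from, anywhere other than the Windows system directories.

```python
from pathlib import PureWindowsPath

# Where a genuine WerFault.exe and its faultrep.dll normally live.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Constructed sample telemetry (Sysmon-like: id 1 = process create,
# id 7 = image load). Event 1 and 2 mimic the ISO-mounted drive letter.
SAMPLE_EVENTS = [
    {"id": 7, "Image": r"C:\Windows\System32\WerFault.exe",
     "ImageLoaded": r"C:\Windows\System32\faultrep.dll"},
    {"id": 7, "Image": r"E:\WerFault.exe",
     "ImageLoaded": r"E:\faultrep.dll"},
    {"id": 1, "Image": r"E:\WerFault.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"E:\WerFault.exe"},
    {"id": 7, "Image": r"C:\Windows\System32\WerFault.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"id": 7, "Image": r"C:\Windows\System32\WerFault.exe",
     "ImageLoaded": r"C:\Users\Public\faultrep.dll"},
]


def in_system_dir(path):
    """True if the file sits directly in System32 or SysWOW64 (case-insensitive)."""
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def flag_event(ev):
    """Return a reason string if the event matches WerFault sideloading, else None."""
    if PureWindowsPath(ev["Image"]).name.lower() != "werfault.exe":
        return None
    # Legitimate WerFault crashes run from the system directory; a copy on a
    # mounted ISO or any other path is the hallmark of this technique.
    if not in_system_dir(ev["Image"]):
        return "WerFault.exe executing outside the Windows system directories"
    loaded = PureWindowsPath(ev.get("ImageLoaded", ""))
    if ev["id"] == 7 and loaded.name.lower() == "faultrep.dll" \
            and not in_system_dir(ev["ImageLoaded"]):
        return "faultrep.dll loaded from a non-system path"
    return None


def scan(events):
    """Return (index, reason) pairs for every suspicious event."""
    hits = []
    for i, ev in enumerate(events):
        reason = flag_event(ev)
        if reason:
            hits.append((i, reason))
    return hits
```

The same two checks translate directly into an EDR or SIEM rule keyed on the image path and loaded-module path of WerFault.exe.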
Amazon S3 will now encrypt all new data with AES-256 by default
According to Bleeping Computer, “Amazon Simple Storage Service (S3) will now automatically encrypt all new objects added on buckets on the server side, using AES-256 by default. While the server-side encryption system has been available on AWS for over a decade, the tech giant has enabled it by default to bolster security.” Administrators will not have to take any actions for the new encryption system to affect their buckets, and Amazon promises it won’t have any negative performance impact. This addresses a security problem that included the leak of data from 123 million households in December 2017 and the leak of 540 million records of Facebook users in April 2019 where the data had not been encrypted.
Thanks to this week’s episode sponsor, AppOmni

Amazon to axe 18,000 jobs as it cuts costs
Spokespeople for the company, which employs 1.5 million people globally, did not say which countries the job cuts would hit, but did say they would include Europe. Most of the job losses will come from its consumer retail business and its human resources division. Amazon CEO Andy Jassy cited the “uncertain economy” for the cuts, saying it had “hired rapidly over several years.” Amazon has seen sales slow after business boomed during the pandemic when customers at home spent a lot online.
(BBC News)
SpyNote malware spies on Android users, steals banking credentials
Hackers are using “a new variant of SpyNote malware to secretly observe and modify infected Android smartphones, according to research published by ThreatFabric on Monday. SpyNote is a “powerful” spyware family designed to monitor, manage, and modify a device.” The spyware is distributed through fake mobile apps that infect Android smartphones. The new variant impersonates the apps of “reputable financial institutions” like HSBC and Deutsche Bank to exfiltrate the personal data of their customers. It also disguises itself as well-known mobile apps like WhatsApp, Facebook, and Google Play, as well as more generic apps such as wallpaper, productivity, or gaming apps.
Windows Server 2012 reaches end of support in October
Microsoft is reminding customers that extended support for all editions of Windows Server 2012 and Windows Server 2012 R2 will end on October 10. “Although Windows Server 2012 reached its mainstream support end date in October 2018, Microsoft pushed back the end date for extended support five years to allow customers to migrate to newer, under-support Windows Server versions.” Customers are advised to upgrade or migrate to Azure.
Last week in ransomware
This was a really busy week in ransomware, following a bad year for organizations: Emsisoft reports that 200 government, education, and healthcare entities were targeted by ransomware in 2022. As we reported, LockBit attacked Toronto’s SickKids children’s hospital, and then apologized, blaming a rogue affiliate and giving the hospital a free decryptor. As of Sunday the hospital was only 80% recovered from the attack. Rackspace has confirmed an attack by Play Ransomware, Queensland University of Technology was hit by Royal ransomware, and U.S. rail and locomotive company Wabtec was breached by LockBit. The UK newspaper The Guardian had to send its employees home while they sorted out an attacker from an unnamed source, and the LA Housing Authority got hit, also by LockBit. The BlackCat/ALPHV gang cloned a corporate victim’s website to post stolen data as an innovative extortion technique. In the good news file, BitDefender released a free decryptor for the MegaCortex ransomware. Any victims who saved their encrypted files in the hopes of a decryptor being released can recover their files for free.
(Bleeping Computer and CISO Series)