Cybersecurity News: VM Server problems, Google Translate BEC, DFIR burnout increases

February updates break some Windows Server 2022 VMs

According to Microsoft, some Windows Server 2022 virtual machines might not boot up following the installation of updates from this month’s Patch Tuesday. This apparently only impacts VMs with Secure Boot enabled and running on vSphere ESXi 6.7 U2/U3 or vSphere ESXi 7.0.x. VMware and Microsoft are investigating. Currently, there is no fix for impacted VMs, but VMware has temporary workarounds available until a permanent solution is available.

(Bleeping Computer)

BEC groups use Google Translate to target high value victims

While attacking targets in multiple languages is not new, in the past these attacks were perpetrated mainly by sophisticated organizations with big budgets and more advanced resources. A lower barrier to entry now allows threat actors to use Google Translate to instantly translate their malicious emails. Midnight Hedgehog engages in payment fraud, posing as a company CEO to deceive recipients into making payments for bogus services, while Mandarin Capybara executes payroll diversion attacks aimed at finance managers. This is according to research from the firm Abnormal Security. Both groups have launched BEC campaigns in at least 13 different European languages. BEC attacks accounted for more than one-third of all financial losses from cyberattacks in 2021, totaling nearly $2.4 billion in damage for the year. Between July and December 2022, there was an 81% increase in BEC attacks.

(CSO Online)

Evolving cyberattacks and alert fatigue creating DFIR burnout

“The evolution of cybercrime is weighing heavily on digital forensics and incident response (DFIR) teams, leading to significant burnout and potential regulatory risk.” This is according to the 2023 State of Enterprise DFIR Survey by Magnet Forensics, a developer of digital investigation solutions. The company surveyed almost 500 DFIR professionals in North America and Europe, the Middle East, and Africa from industries including technology, manufacturing, government, telecommunications, and healthcare. More than half (54%) said they feel burned out in their jobs, with 64% stating that alert and investigation fatigue is a likely contributing factor.

(CSO Online)

Hackers using Google Ads to spread FatalRAT malware disguised as popular apps

Chinese-speaking people in Southeast and East Asia are being targeted in a new Google Ads campaign that delivers remote access trojans such as FatalRAT to compromised machines. The attacks involve bogus ad slots that appear in Google search results and which point users who are in search of applications to rogue websites that host trojanized installers. This is according to a report from ESET published Tuesday. The ads have since been taken down. Some of the spoofed applications include Google Chrome, Firefox, Telegram, WhatsApp, LINE, Signal, and Skype.

(The Hacker News)

Thanks to this week’s episode sponsor, CISO Series

“If it is important it will likely be in the Cyber Security Headlines update in the morning… And it allows me and my team to dig in a little more on aspects that might affect our technology stack,” said Shawn Bowen, CISO for World Fuel Services. Security leaders listen and make decisions based on what they hear on this very show. Do you have a solution that just needs to find the attention of the right audience of cyber professionals? To learn more about pricing and audience, email us at info@ciso-dev.davidspark.dcgws.com.

MortalKombat ransomware employed in financially motivated campaign

Researchers at Cisco Talos have been observing an unidentified, financially motivated threat actor deploying two new malware types since December: the MortalKombat ransomware and a Go variant of the Laplas Clipper malware. The threat actor behind the campaign is scanning the internet for systems with an exposed remote desktop protocol (RDP) port 3389. The researchers point out that similarities in code, class names, and registry key strings led them to believe the ransomware belongs to the Xorist family. The malware targets individuals, small businesses, and large organizations with the end goal of stealing or demanding ransom payments in cryptocurrency.

(Security Affairs)

New Mirai botnet variant has been very busy, researchers say

V3G4 is a variant that exploits 13 known vulnerabilities, according to research by Palo Alto Networks Unit 42. “Mirai typically allows for full control of devices, adding them to its network of remotely controlled bots used to launch distributed denial-of-service (DDoS) attacks.” It goes after online consumer devices such as cameras and home routers. “The botnet was first found in August 2016 and has been used in some of the largest and most disruptive DDoS attacks, including the cyberattack on Brian Krebs’ website and an attack on French web host OVH.” It is believed that Paras Jha, owner of the DDoS mitigation service ProTraf Solutions, and the company’s co-founder, Josiah White, are behind the Mirai botnet.

(The Record)

Spanish, US authorities dismantle cybercrime ring

This group, which is based in Madrid, uses phishing, social engineering, smishing, and vishing to trick victims into sharing details about their bank accounts to steal money from them. Their activities included three-way calls which interacted with both the victim and their North American financial institution to access verification and authorization codes. Law enforcement agencies in Spain, Panama, and the US, along with Europol, participated in the investigation.

(Security Week)

Medibank class action launched after massive hack

A class action lawsuit has been launched against Medibank over the health insurer’s massive cyber attack last year. In what became the largest breach of its kind to date in Australia, the hack resulted in the leak of personal details and health claims of 9.7 million current and former customers, including 5.1 million Medibank customers. The lawsuit centers on the company’s alleged failure to protect customer privacy.

(The Guardian)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.