Cyber Security Headlines – DoJ shuts RSOCKS Botnet, new eCh0raix target QNAP NAS, Russia’s Ukraine cyberwar

US DoJ announces shut down of Russian RSOCKS Botnet

An international police operation that involved law enforcement partners from Germany, the Netherlands, and the U.K. shut down the RSOCKS botnet which was composed of millions of compromised computers and other electronic devices around the world. This included industrial control systems, time clocks, routers, audio/video streaming devices, and smart garage door openers. It had also expanded into compromising additional types of devices, including Android devices and conventional computers. The operators behind the RSOCKS botnet offered their clients access to IP addresses assigned to the compromised devices to route internet traffic.

(Security Affairs)

Experts warn of a new eCh0raix ransomware campaign targeting QNAP NAS

The ransomware, tracked as “QNAPCrypt” and “eCh0raix,” is written in the Go programming language and uses AES encryption to encrypt files. The malicious code appends the .encrypt extension to the filenames of encrypted files. It has been active since at least 2019, and we reported on the previous wave of attacks back in December 2021. In May 2021, QNAP warned customers that threat actors were targeting its NAS devices with eCh0raix ransomware, exploiting a Roon Server zero-day vulnerability on devices using weak passwords. Experts are now reporting a surge in eCh0raix infections in industry forums.

(Security Affairs)

Mixed results for Russia’s aggressive Ukraine information war, experts say

A top Ukrainian cybersecurity official said this week that the Russian campaign to wrest control over internet and phone networks in occupied Ukraine continues to grow, even as Russian forces intensify their shelling of telecommunications infrastructure. A former senior leader of U.S. Cyber Command said the Russians are narrowing Ukraine’s cyberspace and physical terrain simultaneously. Russia is also replacing many media outlets with branches of Russian state media. But Russian information war objectives have been thwarted to a large degree by international private sector enterprises like the Starlink satellite internet constellation and by the fact that many Ukrainians use virtual private networks (VPNs), White said.

(Cyberscoop)

Matanbuchus infects devices with Cobalt Strike

A new malicious spam campaign is delivering the ‘Matanbuchus’ malware to drop Cobalt Strike beacons on compromised machines. Matanbuchus is a malware-as-a-service (MaaS) project first spotted in February 2021 in advertisements on the dark web promoting it as a $2,500 loader that launches executables directly into system memory. Palo Alto Networks’ Unit 42 analyzed it in June 2021 and mapped extensive parts of its operational infrastructure. The malware’s features include launching custom PowerShell commands, leveraging standalone executables to load DLL payloads, and establishing persistence by adding scheduled tasks.

(Bleeping Computer)

Thanks to today’s episode sponsor, Optiv

Modernizing your identity control plane from AD to the cloud is complex. Ralph Martino, who is leading the identity and access management (IAM) group for Optiv, discusses what challenges CISOs are facing in today’s ever-changing climate:
• Increasing security
• Decreasing risk
• Lowering cost
Learn more at www.optiv.com/IAM-Microsoft.

Chrome browser extension lets you remove specific sites from search results

The uBlackList browser extension lets you clean up search results by removing specific sites when searching on Google, DuckDuckGo, Bing, and other search engines. It is not new, having been around for about a year, but it has started to pick up extra traction. Users can enter specific domain names, using asterisks as wildcards, or use its built-in “block this site” option. It is available for Chrome and Firefox, and the source is available on its GitHub page.

(Bleeping Computer)

Android-wiping BRATA malware is evolving into a persistent threat

The threat actor behind the BRATA banking trojan has evolved their tactics and improved the malware with information-stealing capabilities. Italian mobile security company Cleafy, which is tracking BRATA activity, stated that the changes seen in recent campaigns now resemble an Advanced Persistent Threat (APT) activity pattern. The malware has also been updated with new phishing techniques, new classes to request additional permissions on the device, and it now also drops a second-stage payload from the command and control (C2) server.

(Bleeping Computer)

The crypto party is over

The Wall Street Journal has announced the end of the crypto era. It compared crypto to “a combination of Beanie Babies, dot-com stocks and the Velvet Underground: It is manic, it is money, and all the cool people are into it,” but the Journal points out it has also shared characteristics with other bubbles throughout history, marked by speculation bordering on delusion, disregard and disrespect for risk, and greed. The current crash is blamed on inflationary fears, with investors dumping risky portfolios for safer harbors. One of the most significant developments, the article says, was the collapse of the stablecoin terraUSD, which was meant to hold a steady $1 value. The article’s headline says the crypto party is over, but, perhaps hedging its own bets, it does not say that explicitly about crypto itself.

(Wall Street Journal)

And now, the week in ransomware

Last week saw a new extortion tactic introduced by the ALPHV gang, aka BlackCat, who created a searchable clearweb site containing the stolen data of employees and hotel guests of a particular victim. Using this website, employees of the company could search for their names to see if their data was stolen, including Social Security Numbers, phone numbers, etc. We also saw that AvosLocker and Cerber2021 are using recent Atlassian Confluence exploits to gain initial access to corporate networks, and that Hello XD ransomware is dropping a ‘MicroBackdoor’ on devices while encrypting. RansomHouse is extorting Africa’s largest supermarket chain, Shoprite, and a California school district was forced to pay a $400k ransom to Quantum.

(Bleeping Computer)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.