New undetected backdoor runs across three OS platforms
Security experts are warning of new backdoor malware designed to work across Windows, Mac and Linux, some versions of which are currently undetected in Virus Total. Dubbed “SysJoker” by researchers at Intezer, the malware was discovered during an attack on a Linux web server running in an education sector organization. It’s believed to date back to the second half of 2021. They stated, “SysJoker masquerades as a system update and generates its command and control by decoding a string retrieved from a text file hosted on Google Drive. During our analysis the C2 changed three times, indicating the attacker is active and monitoring for infected machines. Based on victimology and malware’s behavior, we assess that SysJoker is after specific targets.”
Microsoft RDP bug enables data theft, smart-card hijacking
Microsoft Windows systems going back to at least Windows Server 2012 R2 are affected by a vulnerability in the Remote Desktop Services protocol that gives attackers, connected to a remote system via RDP, a way to gain file system access on the machines of other connected users. Threat actors that exploit the flaw can view and modify clipboard data or impersonate the identities of other users logged in to the machine in order to escalate privileges or to move laterally on the network, researchers from CyberArk discovered recently. They reported the issue to Microsoft, which issued a patch for the flaw (CVE-2022-21893) in its security update for January this Tuesday.
Ukrainian police arrests ransomware gang that hit over 50 firms
It is estimated that the total losses resulting from the attacks is in excess of one million U.S. dollars. A 36-year-old resident of Ukraine’s capital Kiev was identified as the leader of the group, which included his wife and three other acquaintances, the police states. It is unclear what ransomware strain the gang used to encrypt data on victim computers, but they delivered the malware through spam emails. Three members of the gang received the ransoms from paying victims in cryptocurrency. In exchange, they provided the decryption tool to restore data, the Ukrainian police said in an announcement yesterday.
FBI arrests social engineer who allegedly stole unpublished manuscripts from authors
Italian citizen Filippo Bernardini was arrested at JFK on January 5 for wire fraud and aggravated identity theft. This is in regard to a grand jury indictment dated July 14, 2021, that revealed his “multi-year scheme to impersonate individuals involved in the publishing industry in order to fraudulently obtain hundreds of prepublication manuscripts of novels and other forthcoming books.” A review of Bernardini’s employment history, who worked at Simon & Schuster up until his arrest, shows he launched his caper simultaneously with the launch of his career in the publishing world, following his receiving a master’s degree in publishing in 2016 from University College London.
Thanks to our episode sponsor, BlackBerry
Admins report Hyper-V and domain controller issues after first Patch Tuesday of 2022
Microsoft’s first Patch Tuesday of 2022 has, for some people, broken Hyper-V and sent domain controllers into boot loops. According to The Register, this is specifically about KB5009624, which they said “breaks hypervisors running on WS2012R2. As well as the broken Hyper-V, there have been reports of problems with boot loops on domain controllers, with other versions of Windows Server affected. Posters in a Reddit thread complained that KB5009546 (for Windows Server 2016) and KB5009557 (for Windows Server 2019) were probably also to blame and recommended a swift uninstall of the patches for those affected.
Ransomware locks down prison, knocks system offline
The Metropolitan Detention Center in Bernalillo County, New Mexico, went into lockdown on January 5, 2022, after cyberattackers infiltrated Bernalillo County systems and deployed malware. Local government systems were impacted by the cyberattack, including those used to manage the prison. Inmates were made to stay in their cells as the ransomware outbreak reportedly not only knocked out the establishment’s internet but also locked staff out of data management servers and security camera networks. In addition to interrupting communications for prison employees and inmates, a number of databases are suspected of being corrupted by the cyberattack, including an incident tracker which records inmate fights and attacks. Prison guards were left unable to manage automatic doors, however, physical keys could still be used.
New GootLoader campaign targets accounting, law firms
Once prolific spreaders of REvil ransomware, the GootLoader malware gang has pivoted to actively targeting employees of law and accounting firms with malicious downloads. WordPress vulnerabilities let the attackers easily hijack sites offering sample business agreements for professionals, according to the security firm eSentire. Law firm employees tricked by the malicious agreements were searching for common legal filings including “Post Nuptial Agreement,” “Model IP Agreement” and “Olympus Plea Agreement,” according to the report. By gaming Google’s Search Engine Optimization algorithm Gootloader was able to get to the top of keyword search results.
Cybersecurity training isn’t working. And hacking attacks are only getting worse
Stuart E. Madnick, professor of information technology and engineering systems at MIT Sloan Executive Education told ZDNet Security Update recently, “The 30-minute video you’re obligated to watch once a year doesn’t do the job”. According to Madnick — who has been at MIT. since 1972 and has served as the head of MIT’s Information Technologies Group for more than 20 years — organizations need to build a culture of cybersecurity that actively involves everyone. He stated that even now, despite the risk posed by cyberattacks, many businesses and their boardrooms still don’t fully understand the threats they’re facing from cybercriminals and how to best defend their networks against them.