Emotet botnet makes comeback with help from TrickBot
The notorious Emotet botnet has made a comeback nearly 10 months after a coordinated law enforcement operation dismantled its command-and-control infrastructure. According to researcher Luca Ebach, the infamous TrickBot malware is being leveraged as an entry point to distribute a new version of Emotet which takes the shape of a DLL file. Europol dubbed Emotet the “world’s most dangerous malware” because of its use by threat actors as a precursor to many critical data theft and ransomware attacks. The first deployment was detected this past Sunday and nine Emotet command-and-control servers are currently online.
Leaked Robinhood customer data now up for sale
Following up on a story we brought you last week, the data of approximately 7 million Robinhood customers, stolen in a data breach that began by social engineering a customer service rep, is now being sold by the hacker for at least $10,000. Two days after Robinhood disclosed the attack, and after a failed extortion attempt, a threat actor named ‘pompompurin’ announced on a hacking forum that they were selling the data, including email addresses and full names of millions of customers and more extensive details for a small subset of individuals. Pompompurin is the same threat actor responsible for abusing FBI email servers to send threatening emails over the weekend.
WordPress sites defaced in fake ransomware attacks
Hundreds of WordPress sites were defaced over the weekend with a message claiming that the site’s data was encrypted. In a message on the updated page, the attackers requested 0.1 bitcoin (~$6,100) to unlock the affected websites. But upon further analysis, the ransom message only appears on a few selected site pages with no signs of encryption, which likely explains why nobody has paid the ransom demand so far. Security firm Sucuri said that the “fake ransomware” campaign exploited a vulnerability in a WordPress plugin named Directorist which was installed on the affected sites. At least 300 sites have been affected so far but site owners appear to have had little difficulty restoring affected pages.
MosesStaff locks up targets without ransom demand
Researchers at Check Point Research (CPR) have warned that the MosesStaff hacking group is aiming politically motivated, destructive attacks at Israeli targets with the goal of inflicting maximum damage. MosesStaff is exploiting known vulnerabilities in Microsoft Exchange Server and then leveraging a webshell to deploy a Python script which moves laterally across the network and then downloads and installs the custom payload. But unlike other anti-Zionist hacktivists, which look to extort their victims and cause embarrassment, MosesStaff has no intention of demanding a ransom or handing over decryption keys. MosesStaff explained via social media that their purpose is to “fight against the resistance and expose the crimes of the Zionists in the occupied territories.” The good news is that the researchers found the hackers’ encryption method to be flawed, making it possible to decrypt victim systems using a simple program that issues the proper input/output control (IOCTL) requests to the DiskCryptor driver.
Thanks to our episode sponsor, Vulcan Cyber
GitHub fixes vulnerability in NPM service
Belarus now linked to Ghostwriter campaign
According to threat intelligence firm Mandiant, operation “Ghostwriter,” a propaganda campaign that has pushed fabricated narratives on a number of topics including North Atlantic Treaty Organization (NATO) and COVID-19, is the work of people in Belarus, including the country’s military. Ghostwriter is accused of harvesting stolen passwords and leaking hacked data to pollute political discourse and collect intelligence. According to research from back in April, Ghostwriter dumped stolen social media account info from Polish officials which was used by the state-sponsored group UNC1151 with the apparent goal of destabilizing the internal politics of several NATO countries. Mandiant has now determined that UNC1151 is operating out of Minsk and the bulk of their activity targets Ukraine, Latvia, Lithuania, Poland and Germany in addition to Belarusian dissidents, media entities and journalists.
Data of millions of hotel booking site customers leaked
The personal data of nearly 5.9 million Singaporean and South-east Asian customers of hotel booking site RedDoorz was found to have been leaked, in what the Government has called Singapore’s largest data breach. Leaked data includes customer name, contact number, e-mail address, date of birth, encrypted account passwords and booking information. Local firm Commeasure, which operates the website, has been fined $74,000 by the Personal Data Protection Commission (PDPC). The fine is disproportionately lower than the $1 million fine imposed on SingHealth and Integrated Health Information Systems in a 2018 data breach affecting 1.5 million people. The commission said, with respect to the fine it levied, that it had considered the hardship on the hospitality sector caused by the Covid-19 pandemic.
Adult site’s customers and employees stripped of their privacy
One of the internet’s top 5 adult cam sites, StripChat, has suffered a security breach and has leaked the personal data of millions of users and adult models. The leak, discovered by security researcher Bob Diachenko, occurred after StripChat exposed its ElasticSearch database cluster on the internet between November 4 and November 7. Leaked data includes username, email, IP address, ISP details, tip balance, and account info for 65 million site users as well as username, gender, studio ID, live status, tip info and ratings belonging to 421,000 models broadcasting on the site. A trove of site transaction data and chat messages was also leaked during the incident.