Russian Turla hackers hijack decade-old malware infrastructure to deploy new backdoors
The Russian cyberespionage group known as Turla has been observed piggybacking on attack infrastructure used by a decade-old malware to deliver its own reconnaissance and backdoor tools to targets in Ukraine. Google-owned Mandiant said the hijacked servers correspond to a variant of a commodity malware called ANDROMEDA (aka Gamarue) that was uploaded to VirusTotal in 2013. Since the onset of Russia’s military invasion of Ukraine in February 2022, the group has been linked to a string of credential phishing and reconnaissance efforts aimed at entities located in the country, as well as SolarWinds.
LastPass hit with lawsuit over August breach
The August data disaster at LastPass just keeps getting worse for the company, and it is now going to the courts. A lawsuit has been filed by an unnamed individual who said LastPass’ failures led to the theft of an unspecified amount of Bitcoin private keys stored in the wallet, which the suit said contained roughly $53,000 in the cryptocurrency. The suit is seeking a jury trial to squeeze damages and restitution out of LastPass for a nationwide class that includes any LastPass users who had data stolen in the breach. In December, LastPass admitted that the attack was more serious than had first been suspected, with attackers gaining access to a cloud storage system to steal user password vaults.
Hackers abuse Windows error reporting tool to deploy malware
Hackers are abusing the Windows Problem Reporting (WerFault.exe) error reporting tool to load malware into a compromised system’s memory using a DLL sideloading technique. The point of using this Windows executable is to stealthily infect devices without raising any alarms on the breached system, since the malware is launched through a legitimate Windows executable. The new campaign was spotted by K7 Security Labs, who believes the hackers to be based in China. The malware campaign starts with the arrival of an email with an ISO attachment. When double-clicked, the ISO will mount itself as a new drive letter containing a legitimate copy of the Windows WerFault.exe executable, a DLL file (‘faultrep.dll’), an XLS file (‘File.xls’), and a shortcut file.
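As an added defender-side illustration that is not part of the original story: a small Python check over constructed Sysmon-style image-load records that flags WerFault.exe loading faultrep.dll when either file sits outside the Windows system directories, which is exactly what the ISO-mounted copy described above would look like. The log field names and record format are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample records modelled on Sysmon Event ID 7 (ImageLoad),
# flattened to key=value pairs; not real telemetry from the campaign.
SAMPLE_EVENTS = [
    "EventID=7 Image=C:\\Windows\\System32\\WerFault.exe ImageLoaded=C:\\Windows\\System32\\faultrep.dll",
    "EventID=7 Image=E:\\WerFault.exe ImageLoaded=E:\\faultrep.dll",
    "EventID=7 Image=C:\\Windows\\SysWOW64\\WerFault.exe ImageLoaded=C:\\Windows\\SysWOW64\\faultrep.dll",
    "EventID=7 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\WerFault.exe ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\faultrep.dll",
    "EventID=7 Image=C:\\Windows\\System32\\WerFault.exe ImageLoaded=C:\\Users\\alice\\Downloads\\faultrep.dll",
    "EventID=7 Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\Windows\\System32\\ntdll.dll",
]

# Directories where the genuine WerFault.exe and faultrep.dll live.
TRUSTED_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


def parse_event(line):
    """Turn 'Key=Value Key2=Value2' into a dict (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def parent_dir(path):
    return str(PureWindowsPath(path).parent).lower()


def is_sideload_candidate(event):
    """True when WerFault.exe loads faultrep.dll and either file is outside System32/SysWOW64."""
    if event.get("EventID") != "7":
        return False
    image = PureWindowsPath(event.get("Image", ""))
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    if image.name.lower() != "werfault.exe" or loaded.name.lower() != "faultrep.dll":
        return False
    # A copy of WerFault.exe on a mounted ISO, a removable drive or a temp directory,
    # or a faultrep.dll picked up from anywhere but the system directory, is the sideload pattern.
    return parent_dir(image) not in TRUSTED_DIRS or parent_dir(loaded) not in TRUSTED_DIRS


def find_sideloads(lines):
    """Return (Image, ImageLoaded) pairs for every record matching the sideload pattern."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_sideload_candidate(event):
            hits.append((event["Image"], event["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for image, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"suspicious WerFault.exe sideload: {image} -> {dll}")
```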
Amazon S3 will now encrypt all new data with AES-256 by default
Amazon Simple Storage Service (S3) will now automatically encrypt all new objects added to buckets on the server side, using AES-256 by default. While the server-side encryption system has been available on AWS for over a decade, the tech giant has enabled it by default to bolster security. Administrators will not have to take any actions for the new encryption system to affect their buckets, and Amazon promises it won’t have any negative performance impact. Two notable examples concerning Amazon S3 storage buckets are the leak of data from 123 million households in December 2017 and the leak of 540 million records of Facebook users in April 2019, in both of which the data had not been encrypted.
Thanks to this week’s episode sponsor, AppOmni
Amazon to axe 18,000 jobs as it cuts costs
Spokespeople for the company, which employs 1.5 million people globally, did not say which countries the job cuts would hit, but did say they would include Europe. Most of the job losses will come from its consumer retail business and its human resources division. Amazon CEO Andy Jassy cited the “uncertain economy” for the cuts, saying it had “hired rapidly over several years.” Amazon has seen sales slow after business boomed during the pandemic when customers at home spent a lot online.
SpyNote malware spies on Android users, steals banking credentials
Hackers are using a new variant of SpyNote malware to secretly observe and modify infected Android smartphones, according to research published by ThreatFabric on Monday. SpyNote is a “powerful” spyware family designed to monitor, manage, and modify a device. Hackers distribute the spyware through fake mobile apps which infect Android smartphones. The new variant impersonates the apps of “reputable financial institutions” like HSBC and Deutsche Bank to exfiltrate the personal data of their customers. It also disguises itself as well-known mobile apps like WhatsApp, Facebook, and Google Play, as well as more generic apps such as wallpaper, productivity, or gaming apps.
Windows Server 2012 reaches end of support in October
Microsoft is reminding customers that extended support for all editions of Windows Server 2012 and Windows Server 2012 R2 will end on October 10. Although Windows Server 2012 reached its mainstream support end date in October 2018, Microsoft pushed back the end date for extended support five years to allow customers to migrate to newer, still-supported Windows Server versions. Customers are advised to upgrade or migrate to Azure.
Last week in ransomware
This was a really busy week in ransomware. It followed a bad year for organizations, with Emsisoft reporting that 200 government, education, and healthcare entities were targeted by ransomware in 2022. As we reported, LockBit attacked Toronto’s SickKids children’s hospital, and then apologized, blaming a rogue affiliate and giving the hospital a free decryptor. As of Sunday the hospital was only 80% recovered from the attack. Rackspace has confirmed an attack by Play ransomware, Queensland University of Technology was hit by Royal ransomware, and U.S. rail and locomotive company Wabtec was breached by LockBit. The UK newspaper The Guardian had to send its employees home while they sorted out an attacker from an unnamed source, and the LA Housing Authority got hit, also by LockBit. The BlackCat/ALPHV gang cloned a corporate victim’s website to post stolen data as an innovative extortion technique. In the good news file, BitDefender released a free decryptor for the MegaCortex ransomware. Any victims who saved their encrypted files in the hope of a decryptor being released can recover their files for free.