February updates break some Windows Server 2022 VMs
Microsoft says some Windows Server 2022 virtual machines might not boot up after installing updates released during this month’s Patch Tuesday. This known issue only impacts VMs with Secure Boot enabled and running on vSphere ESXi 6.7 U2/U3 or vSphere ESXi 7.0.x. VMware and Redmond are investigating the issue and will provide more information as soon as it’s available. While currently, there is no fix for impacted VMs, VMware provides admins with affected hosts with multiple temporary workarounds until a permanent solution is available.
BEC groups use Google Translate to target high value victims
While attacking targets using multiple languages is not new, in the past, these attacks were perpetrated mainly by sophisticated organizations with big budgets and more advanced resources, however a lower barrier to entry now allows threat actors to use Google Translate to instantly translate their malicious emails. Midnight Hedgehog, engages in payment fraud, posing as a company CEO to deceive recipients into making payments for bogus services, while Mandarin Capybara, executes payroll diversion attacks aimed at finance managers. This according to research from the firm Abnormal Security said. Both groups have launched BEC campaigns in at least 13 different European languages. BEC attacks accounted for more than one-third of all financial losses from cyberattacks in 2021, totaling nearly $2.4 billion in damage for the year. Between July and December 2022, there was an 81% increase in BEC attacks.
Evolving cyberattacks and alert fatigue creating DFIR burnout
The evolution of cybercrime is weighing heavily on digital forensics and incident response (DFIR) teams, leading to significant burnout and potential regulatory risk. That’s according to the 2023 State of Enterprise DFIR Survey by Magnet Forensics, a developer of digital investigation solutions. The firm surveyed 492 DFIR professionals in North America and Europe, the Middle East, and Africa working in organizations in industries such as technology, manufacturing, government, telecommunications, and healthcare. More than half (54%) of DFIR professionals surveyed said they feel burned out in their jobs, with 64% stating that alert and investigation fatigue is a likely contributing factor.
Hackers using Google Ads to spread FatalRAT malware disguised as popular apps
Chinese-speaking individuals in Southeast and East Asia are the targets of a new rogue Google Ads campaign that delivers remote access trojans such as FatalRAT to compromised machines. The attacks involve purchasing ad slots to appear in Google search results that direct users searching for popular applications to rogue websites hosting trojanized installers, ESET said in a report published Tuesday. The ads have since been taken down. Some of the spoofed applications include Google Chrome, Firefox, Telegram, WhatsApp, LINE, Signal, and Skype.
Thanks to this week’s episode sponsor, CISO Series
MortalKombat ransomware employed in financially motivated campaign
Since December 2022, Cisco Talos researchers have been observing an unidentified financially motivated threat actor deploying two new malware types, one entitled MortalKombat and a GO variant of the Laplas Clipper malware. The threat actor is scanning the internet for systems with an exposed remote desktop protocol (RDP) port 3389. The similarities in code, class name, and registry key strings led the experts into assessing with high confidence that the MortalKombat ransomware belongs to the Xorist family. The malware campaign is targeting individuals, small businesses, and large organizations with the end goal of stealing or demanding ransom payments in cryptocurrency.
New Mirai botnet variant has been very busy, researchers say
Called V3G4, the variant exploits 13 known vulnerabilities, according to research by Palo Alto Networks Unit 42. Mirai typically allows for full control of devices, adding them to its network of remotely controlled bots used to launch distributed denial-of-service (DDoS) attacks. Mirai primarily targets online consumer devices such as internet protocol cameras and home routers. The botnet was first found in August 2016 and has been used in some of the largest and most disruptive DDoS attacks, including the cyberattack on Brian Krebs’ website and an attack on French web host OVH. Paras Jha, owner of a DDoS mitigation service ProTraf Solutions and the company’s co-founder, Josiah White, are believed to be behind the Mirai botnet.
Spanish, US authorities dismantle cybercrime ring that defrauded victims of $5.3 million
Based in Madrid, the international criminal organization employed a sophisticated scam that involved phishing, social engineering, smishing, and vishing to trick victims into sharing details about their bank accounts to steal money from them. In some instances, the attackers engaged in three-way calls, interacting with both the victim and their North American financial institution, to obtain verification and authorization codes to complete the fraudulent transactions. Law enforcement agencies in Spain, Panama, and the US, along with Europol, participated in the investigation.
Medibank class action launched after massive hack
A class action lawsuit has been launched against Medibank over the health insurer’s massive cyber attack last year. In what became the largest breach of its kind to date in Australia, the hack resulted in the personal details and health claims of 9.7 million current and former customers, including 5.1 million Medibank customers being leaked. The lawsuit centers on the company’s alleged failure to protect customer privacy.