Here is the weekly cybersecurity bulletin highlighting the latest developments in phishing protection.


The City of Augusta Cyberattack Claimed by BlackByte Ransomware Gang

Augusta, Georgia, has fallen victim to a cyberattack that resulted in the city’s IT system outage

The unauthorized access to Augusta’s government network caused disruptions and technical difficulties starting on May 21. While city officials did not disclose the exact nature of the attack, the BlackByte ransomware gang claimed responsibility and listed Augusta as one of its targets.

As Georgia’s second-largest city with a population exceeding 611,000, Augusta is now working to investigate the incident’s full impact and restore the affected systems promptly. 

Augusta’s Information Technology Department is diligently examining the incident to assess the extent of the systems’ damage and restore full functionality.


Cyberattack on 30 Portuguese Banks’ Credentials Linked to ‘Operation Magalenha’

A group of threat actors from Brazil has been attacking thirty Portuguese government and private financial organizations since 2021. 

[Image: malicious campaign, sourced from jdsupra.com]

The malicious campaign, known as ‘Operation Magalenha,’ was exposed by a report from Sentinel Labs. The malicious actors initiated the attack by sending phishing emails pretending to be from Portuguese organizations like EDP (Energias de Portugal) and the AT (Tax and Customs Authority). They also created fake websites to trick victims.

Once a victim’s machine is infected, the threat actors gain control over it using malware called ‘PeepingTitle,’ which allows them to monitor the victim’s activity, steal credentials, and collect sensitive information.

Malicious actors have shown adaptability by switching tactics and using different cloud service providers to avoid detection. This new campaign is no exception.


Malicious RomCom Malware Spreads via Google Ads and Trojanized ChatGPT, GIMP, and More

A new campaign involving the RomCom malware has been discovered wherein the malicious attackers use fictitious websites to deceive users into downloading and launching malicious installers

Trend Micro has been monitoring RomCom since the summer of 2022 and reported that the threat actors behind the malware have stepped up their evasion techniques by encrypting and obfuscating payloads.

Alongside new and powerful commands that expand the malware’s capabilities, the adversaries use malicious websites in the campaign that imitate popular software applications such as GIMP, ChatGPT, WinDirStat, and more.

These fake websites are promoted through Google advertisements and targeted phishing emails and deliver a malware payload that can execute various commands. It enables the attackers to drop files, exfiltrate data, set up proxies, and install additional malware.


Trend Micro has detailed the severity of the novel threat and provided IoCs (Indicators of Compromise) you can use to defend against RomCom attacks.


Spyware Apps on Google Play Installed Over 421 Million Times 

A recently discovered Android malware, known as ‘SpinOk,’ has been found in multiple apps, some of which were previously available on Google Play and had a combined total of over 421 million downloads

The spyware module, identified by security researchers at Dr. Web, is designed to engage users with mini-games and rewards while secretly stealing and transmitting their private data to a remote server. To evade detection, the malware checks for sandboxed environments commonly used by researchers.

Once installed, it downloads a list of URLs for displaying the expected mini-games. The capabilities of this malware include listing and accessing files, uploading files from the device, and modifying the clipboard to steal sensitive information like passwords, credit card data, and cryptocurrency payments. 

Google has removed most of these malicious apps from the Play Store. Still, users are advised to update or uninstall any potentially compromised applications and scan their devices with mobile antivirus tools.


New Hacking Forum Leaks Data of 478,000 RaidForums Members

The online database of the notorious malicious forum RaidForums has been leaked, providing insights into its users. 

RaidForums was a portal popular among threat actors for hosting, selling, and leaking data stolen from breached organizations. Threat actors who frequented the forum obtained customer data by hacking websites or accessing exposed database servers, then sold or spread it to build their reputation.

After law enforcement seized RaidForums, users migrated to Breached, but it was shut down following the arrest of its founder. A new forum called Exposed emerged as a replacement. Recently, an admin nicknamed ‘Impotent’ leaked the RaidForums member database, containing registration details of 478,870 users, including usernames, email addresses, hashed passwords, and registration dates. 

Law enforcement likely already has the data, but the leak could be valuable for security researchers to profile malicious actors.


Lazarus Threat Actors Target Windows IIS Web Servers for Initial Access

The Lazarus Group, a well-known North Korean state-backed hacking group, has shifted its focus to target vulnerable Windows IIS (Internet Information Services) web servers to gain initial access to corporate networks. 

The Lazarus Group is primarily motivated by financial gain, with some experts believing that its activities help fund North Korea’s weapons development programs. The new tactic was discovered by South Korean researchers at ASEC (AhnLab Security Emergency response Center).

Lazarus employs various techniques, including exploiting vulnerabilities and misconfigurations, to create files on servers. They use legitimate executables, such as ‘Wordconv.exe,’ to load malicious DLLs such as ‘msvcr100.dll’, evading antivirus detection.

ASEC recommends monitoring for abnormal process execution to detect and prevent Lazarus Group activities.
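As an added illustration of the monitoring ASEC recommends (example code written for this bulletin, not ASEC’s or AhnLab’s tooling), the script below scans constructed process-creation and image-load events for two signs of the activity described above: the IIS worker process (w3wp.exe, which the bulletin does not name) spawning an unexpected child, and a process loading a ‘msvcr100.dll’ from outside the Windows system directories, which is how a malicious DLL placed next to a legitimate executable like ‘Wordconv.exe’ would show up. The log format, the allow-list of expected IIS children, and the sample events are all assumptions made for the example.

```python
"""Flag abnormal process execution on an IIS host from constructed
process-creation and image-load events (added example, not ASEC's code)."""
import re

# Directories from which a legitimate msvcr100.dll would normally be loaded.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

# Child processes an IIS worker is expected to launch; anything else is flagged.
# This allow-list is an assumption for the example; tune it per environment.
EXPECTED_IIS_CHILDREN = {"conhost.exe", "csc.exe", "cvtres.exe"}

# Constructed, Sysmon-like single-line event format (not a real product format).
PROC_RE = re.compile(r"event=ProcessCreate parent=(?P<parent>\S+) image=(?P<image>\S+)")
LOAD_RE = re.compile(r"event=ImageLoad process=(?P<process>\S+) image=(?P<image>\S+)")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def analyse(lines):
    """Return (rule, subject) tuples for every suspicious event in `lines`."""
    alerts = []
    for line in lines:
        m = PROC_RE.search(line)
        if m:
            parent, image = basename(m["parent"]), basename(m["image"])
            # w3wp.exe is the IIS worker process; a web shell or an exploited
            # request handler typically appears as an unusual child of it.
            if parent == "w3wp.exe" and image not in EXPECTED_IIS_CHILDREN:
                alerts.append(("iis_unusual_child", image))
            continue
        m = LOAD_RE.search(line)
        if m:
            proc, image = basename(m["process"]), m["image"].lower()
            # A system runtime DLL loaded from a writable, non-system directory
            # is the classic sign of a side-loaded malicious copy.
            if basename(image) == "msvcr100.dll" and not image.startswith(TRUSTED_DLL_DIRS):
                alerts.append(("sideload_msvcr100", proc))
    return alerts


# Constructed sample events: one benign IIS child, one suspicious child,
# one DLL side-load from ProgramData, and one legitimate system DLL load.
SAMPLE_LOG = [
    r"event=ProcessCreate parent=C:\Windows\System32\inetsrv\w3wp.exe image=C:\Windows\System32\conhost.exe",
    r"event=ProcessCreate parent=C:\Windows\System32\inetsrv\w3wp.exe image=C:\Windows\System32\cmd.exe",
    r"event=ProcessCreate parent=C:\Windows\System32\cmd.exe image=C:\ProgramData\Wordconv.exe",
    r"event=ImageLoad process=C:\ProgramData\Wordconv.exe image=C:\ProgramData\msvcr100.dll",
    r"event=ImageLoad process=C:\Apps\editor.exe image=C:\Windows\System32\msvcr100.dll",
]

if __name__ == "__main__":
    for rule, subject in analyse(SAMPLE_LOG):
        print(f"ALERT {rule}: {subject}")
```

Running the block prints one alert for cmd.exe spawned by w3wp.exe and one for Wordconv.exe loading msvcr100.dll from ProgramData; the conhost.exe child and the System32 copy of the DLL stay quiet. In a real deployment the same two rules map onto Sysmon event IDs 1 (process creation) and 7 (image load) or the equivalent EDR telemetry.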