Cyber threats are on the rise, and no organization is immune to their impact, regardless of their industry or size. In light of the ever-growing volume of sensitive information stored online, the repercussions of a cyber attack can be grave for both individuals and businesses.
To counter the threat of phishing attacks, companies can implement robust phishing protection measures that leverage advanced technologies. Here are this week’s most important phishing and data breach-related headlines to ensure that you stay current on the latest security incidents and data breaches.
‘Digital Smoke’ Launches An Investment Scam Network Impersonating Fortune 100 Corporations
Resecurity recently identified a large investment fraud network, measured both by volume and by size, targeting Internet users in the U.S., Canada, Australia, China, Colombia, the European Union, Singapore, Malaysia, India, the United Arab Emirates, Saudi Arabia, and Mexico.
The threat actors operate as an organized crime syndicate with massive infrastructure. They impersonate Fortune 100 corporations from the UK and the US, trading on their market reputation and brand value to defraud consumers. After collecting victims’ payments, they erase the resources they created and set up the next campaign, which is why the investigators named the group “Digital Smoke.”
The security researchers found that most of the fraudulent projects were tied to financial institutions (FIs), renewable energy, EV batteries, electric vehicles, oil and gas, semiconductors, healthcare, investment corporations, and world-recognized funds.
The researchers shared information about Digital Smoke and the identities of its key actors with US law enforcement and the Indian Cybercrime Coordination Center in Q4 2022. Following numerous domain takedowns and coordinated action, the majority of the scam projects were terminated.
Cyberattack on a Boston Labor Union Results in $6.4M Loss
Cybercriminals targeted a Boston-based labor union’s health fund, causing a loss of $6.4 million. However, union officials said that the attackers do not appear to have stolen or compromised members’ personal information.
Daniel O’Brien, the union’s financial secretary-treasurer and business manager, said that federal and local law enforcement were notified about the attack on Pipefitters Local 537, which the union discovered on Feb 7.
“It is unfortunate news, but please rest assured that our health fund remains well-funded and nothing regarding your benefits with Local 537 has changed,” O’Brien wrote. He added that law enforcement agencies are “optimistic” that they will return most of the stolen funds, and the fund is also insured.
O’Brien described the attack as social engineering and said private investigators had completed a review of the fund office’s email server and concluded there was no breach or hack.
Thousands of Cloud Servers Targeted by the Mysterious Nevada Group
A group of still-unidentified hackers (dubbed the Nevada Group by security researchers) is rapidly hitting SMEs across Europe and the US with encryption-based (ransomware) attacks. The threat actors are exploiting an easy-to-fix vulnerability commonly found on cloud servers.
According to a report, the group aims to compromise over 5,000 victims across Europe and the US. Most targeted organizations were running VMware products hosted with the European low-cost hosting provider OVHcloud. The VMware products were deployed on bare-metal servers that had not been patched for several years.
The targeted businesses include universities in the US and Hungary, manufacturers in Germany, and shipping and construction groups in Italy.
Publicly visible ransom notes
Malicious actors demanded two Bitcoins (around $50,000), a relatively small ransom compared to those of prominent ransomware groups. Another peculiar feature of the attacks is that the hackers left their Bitcoin wallet addresses in publicly visible ransom notes, making it possible to trace the payments.
‘Anonymous Sudan’ Launches DDoS Attacks on 9 Danish Hospitals
Threat actors calling themselves ‘Anonymous Sudan’ launched distributed denial-of-service (DDoS) attacks on nine Danish hospitals, knocking their websites offline. Copenhagen’s health authority said on Twitter that although the websites were down, medical care at the affected facilities was unaffected by the attacks. After “a couple of hours,” the websites came back online.
Anonymous Sudan stated on Telegram that they launched the attacks “due to Quran burnings,” referring to an incident in Stockholm where Rasmus Paludan, a dual Danish-Swedish national, set the holy book on fire in front of the Turkish embassy. The Guardian describes the Danish-Swedish national as a “far-right politician and anti-Islam provocateur.”
Truesec noted in its threat intelligence report that Anonymous Sudan’s Telegram account lists its user location as Russia. Furthermore, the report said that the group’s DDoS traffic was not generated by an illegal botnet but by a “61 paid server cluster hosted at IBM/Softlayer in Germany.” Unusually for a hacktivist group, they “routed the traffic through open proxies to disguise the attacks’ real origin.”
Hackers Impersonate ChatGPT’s Official Website To Launch Phishing Attacks Distributing Windows and Android Malware
The ChatGPT chatbot, which sparked a sudden surge of interest in AI and its use cases, has become a go-to lure for cybercriminals looking to distribute malware. Attackers are using social media pages, phishing websites, and fake apps impersonating ChatGPT to spread malware and steal credit card information.
Typosquatting and phishing attempts
Cyble researchers discovered attackers using typosquatting domains to launch phishing attacks. The websites mimicked the official ChatGPT website and showed a “TRY CHATGPT” button whose link led to downloads of various malicious files.
The files contained executables for notorious malware families, including the information stealers Lumma Stealer and Aurora Stealer as well as clipper malware. Furthermore, the attackers created fake ChatGPT-related payment pages offering a portal for purchasing ChatGPT Plus, tricking visitors into handing over money and credit card details.
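The typosquatting lure above is easy to triage programmatically once a brand’s real domains are known. The script below is an added example written for this roundup, not Cyble’s tooling or code from the page: it normalizes a hostname (folding digit-for-letter homoglyphs such as 0 for o), then decides whether it is the real brand, a brand domain smuggled in as a subdomain, an exact brand label under the wrong domain, a name that embeds the brand, a one-edit typo of it, or unrelated. The protected domains, brand tokens, homoglyph table and observed hostnames (including the reserved .test TLD) are assumptions constructed for the example.

```python
"""Lookalike-domain triage for a brand (added example; not Cyble's tooling).

Classifies hostnames seen in proxy logs or new-domain feeds as the real brand,
a lookalike of it, or unrelated.  The protected domains, brand tokens,
homoglyph table and sample hostnames are all constructed for this example.
"""
import unicodedata

PROTECTED = {"openai.com", "chat.openai.com"}   # assumed legitimate brand domains
BRAND_TOKENS = ("chatgpt", "openai")             # strings squatters imitate

# ASCII substitutions squatters use so a name reads correctly at a glance.
# Applied only to the comparison copy, never to the name we report.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def normalize(host):
    """Lower-case, fold Unicode compatibility forms, undo ASCII homoglyphs."""
    h = unicodedata.normalize("NFKC", host.strip().rstrip(".").lower())
    for bad, good in HOMOGLYPHS.items():
        h = h.replace(bad, good)
    return h


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(host):
    """Return (verdict, reason) for one hostname."""
    h = normalize(host)
    labels = h.split(".")
    registrable = ".".join(labels[-2:])   # crude eTLD+1; fine for .com/.app, not co.uk
    if registrable in PROTECTED:
        return "legit", f"{registrable} is a protected brand domain"
    for p in PROTECTED:                    # e.g. openai.com.evil.test
        if ("." + p + ".") in ("." + h + "."):
            return "subdomain-spoof", f"{p} appears as a subdomain of {registrable}"
    sld = labels[-2] if len(labels) >= 2 else h
    squashed = sld.replace("-", "")
    for token in BRAND_TOKENS:
        if squashed == token:
            return "brand-impersonation", f"brand label '{token}' under unapproved domain {registrable}"
        if token in squashed:
            return "combosquat", f"'{sld}' embeds brand token '{token}'"
        dist = damerau_levenshtein(squashed, token)
        if dist <= 1:
            return "typosquat", f"'{sld}' is {dist} edit(s) from '{token}'"
    return "unrelated", "no brand match"


def triage(hosts):
    """Map each observed hostname to its verdict."""
    return {host: classify(host)[0] for host in hosts}


# Constructed sample of observed hostnames (the .test TLD is reserved for examples).
OBSERVED = [
    "chat.openai.com", "api.openai.com", "chatgtp.app", "0penai.net",
    "chat-gpt-pc.online", "openai.com.evil.test", "example.org",
]

if __name__ == "__main__":
    for host in OBSERVED:
        verdict, reason = classify(host)
        print(f"{host:24} {verdict:20} {reason}")
```

The edit-distance threshold of one and the two-label registrable-domain heuristic are deliberate simplifications; in production you would use a public-suffix list for the registrable domain and tune the threshold per brand length, since a loose threshold on a short token produces false positives.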
Additionally, security researchers identified about 50 malicious and fake apps posing as ChatGPT, targeting unsuspecting users with a SpyNote malware variant, adware, spyware, and billing-fraud apps.
Australian Retailer The Good Guys’ Customer Data Compromised In A Third-Party Breach
Data of The Good Guys customers was recently compromised in a security breach at My Rewards, a former third-party supplier to the Australian retailer.
My Rewards, formerly called Pegasus Group Australia, confirmed the breach in a statement, revealing that preliminary investigations showed “unauthorized access” to its systems in August 2021, which led to the data compromise.
The company said this means that personally identifiable information (PII), including names, phone numbers, and email addresses, has likely been made publicly available.
It further noted that it stored all its data in Australia. My Rewards said there was no evidence that its IT systems had suffered any breach. It is working with the relevant authorities, including the Australian Federal Police, to investigate the breach. In its statement, The Good Guys said it got notified regarding the breach this month, and its IT systems were not involved.
Pirated Video Editing Software for macOS Leads To Stealthy Malware Delivery
Think Apple’s macOS is safe from state-of-the-art malware? That may have been the assumption of the many users who downloaded a pirated version of Final Cut Pro onto their Macs and got more than they bargained for.
For several months, an unknown threat actor has been using a pirated version of the macOS video editing software to install the XMRig cryptocurrency miner on systems that downloaded the app.
Researchers from Jamf recently spotted the operation but could not determine how many users installed the weaponized software and currently have XMRig running on their systems. The researchers say the extent to which the software has been shared suggests it could be hundreds.
The researchers said the threat actor had modified the main binary in the pirated Final Cut Pro bundle, so when a user double-clicked the application bundle, macOS launched the main executable, which was a malware dropper.
The dropper carries out all of the malicious activity on the system, including displaying the pirated application to the user and launching the crypto-miner in the background.
New S1deload Stealer Malware Hijacking YouTube and Facebook Accounts
An ongoing malware campaign targets YouTube and Facebook users, infecting their systems with a new information stealer that hijacks their social media accounts and uses their systems to mine cryptocurrency.
Bitdefender’s Advanced Threat Control (ATC) team identified the new malware and named it S1deload Stealer because it extensively uses DLL sideloading to evade detection.
Bitdefender researcher Dávid Ács said, “From July to December 2022, Bitdefender products discovered over 600 unique users infected with the S1deload Stealer malware.” Victims are tricked through social engineering: comments on Facebook pages push archives with adult themes (for example, AlbumGirlSexy.zip, HDSexyGirl.zip, SexyGirlAlbum.zip, etc.).
If a user downloads one of the linked archives, it contains an executable carrying a valid Western Digital signature alongside a malicious DLL (WDSync.dll) that holds the final payload; the legitimately signed executable loads the attacker’s DLL, which is the sideloading step. Once installed on a victim’s device, S1deload Stealer connects to its command-and-control (C2) server, from which the operators instruct it to perform malicious tasks.
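The detection angle on this technique is that the host process is validly signed, so allow-listing by signature alone misses it; what stands out is where the DLL comes from and who signed it. The script below is an added example written for this roundup, not Bitdefender’s code or anything from the page: it scores Sysmon ImageLoad (Event ID 7) style records that have been enriched with the host process’s own signer, raising an alert when a signed binary in a user-writable folder loads an unsigned DLL from its own directory. All paths, PIDs, signer strings and the event records themselves are constructed for the example, and the executable name used beside WDSync.dll is an assumption.

```python
"""DLL sideloading heuristic over image-load telemetry (added example, not Bitdefender's).

Records are Sysmon ImageLoad (Event ID 7) style, enriched with the host
process's own signer, and are constructed for this example; paths, PIDs and
signer strings are made up.  The pattern of interest: a validly signed host
binary sitting in a user-writable folder loads a DLL from its own directory
that is unsigned (or signed by someone else), as in the WDSync.dll case.
"""
from pathlib import PureWindowsPath

# Directories where an application loading its own DLLs is expected.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
ALERT_THRESHOLD = 3

EVENTS = [
    {   # signed host binary dropped into a user folder loads an unsigned DLL beside it
        "ProcessId": 4812,
        "Image": r"C:\Users\ana\Downloads\HDSexyGirl\WDSync.exe",   # assumed name
        "ImageSigned": "true", "ImageSignature": "Western Digital Technologies, Inc.",
        "ImageLoaded": r"C:\Users\ana\Downloads\HDSexyGirl\WDSync.dll",
        "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable",
    },
    {   # the same vendor binary installed normally, loading its own signed DLL
        "ProcessId": 2240,
        "Image": r"C:\Program Files\Western Digital\WD Sync\WDSync.exe",
        "ImageSigned": "true", "ImageSignature": "Western Digital Technologies, Inc.",
        "ImageLoaded": r"C:\Program Files\Western Digital\WD Sync\WDSync.dll",
        "Signed": "true", "Signature": "Western Digital Technologies, Inc.",
        "SignatureStatus": "Valid",
    },
    {   # the dropped binary loading a system DLL: different signer, but from System32
        "ProcessId": 4812,
        "Image": r"C:\Users\ana\Downloads\HDSexyGirl\WDSync.exe",
        "ImageSigned": "true", "ImageSignature": "Western Digital Technologies, Inc.",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {   # unsigned tool loading an unsigned DLL from Temp: suspicious, but not sideloading
        "ProcessId": 5100,
        "Image": r"C:\Users\ana\AppData\Local\Temp\tool.exe",
        "ImageSigned": "false", "ImageSignature": "-",
        "ImageLoaded": r"C:\Users\ana\AppData\Local\Temp\helper.dll",
        "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable",
    },
]


def in_trusted_root(path):
    """True when the path lies under a directory that needs admin rights to write."""
    return path.lower().startswith(TRUSTED_ROOTS)


def same_directory(a, b):
    # PureWindowsPath compares case-insensitively, matching NTFS semantics.
    return PureWindowsPath(a).parent == PureWindowsPath(b).parent


def score_event(ev):
    """Return (score, reasons) for one image-load record."""
    score, reasons = 0, []
    host, dll = ev["Image"], ev["ImageLoaded"]
    host_signed = ev["ImageSigned"] == "true"
    dll_valid = ev["Signed"] == "true" and ev["SignatureStatus"] == "Valid"
    if same_directory(host, dll) and not in_trusted_root(dll):
        score += 2
        reasons.append("DLL loaded from the host's own directory outside trusted roots")
    if host_signed and not dll_valid:
        score += 2
        reasons.append("validly signed host loaded an unsigned or invalid DLL")
    if host_signed and dll_valid and ev["Signature"] != ev["ImageSignature"]:
        score += 1
        reasons.append("DLL signer differs from host signer")
    return score, reasons


def analyze(events):
    """Return alert records for every event at or above the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"pid": ev["ProcessId"], "host": ev["Image"],
                           "dll": ev["ImageLoaded"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in analyze(EVENTS):
        print(f"ALERT pid={a['pid']} score={a['score']} {a['dll']}: {'; '.join(a['reasons'])}")
```

Only the first record crosses the threshold: the legitimate install scores zero, the System32 load scores one for the signer mismatch alone, and the fully unsigned tool in Temp scores two, which is worth a lower-severity rule but is not the sideloading pattern. Sysmon’s own Event ID 7 does not carry the host process’s signer, so the ImageSigned/ImageSignature fields here assume a join against process-creation data or a signature lookup done at ingest.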