Phishing with Chatbots

May 24, 2022

Phishing with Chatbots

Industry: N/A | Level: Strategic | Source: BleepingComputer

In the latest effort to make phishing scams more convincing, attackers are incorporating chatbots into credential-theft flows. As observed by Trustwave and reported by BleepingComputer, DHL shipping-themed phishing emails carry a link to a phishing URL. Once the victim opens the link, a web chat page loads with a scripted conversation that tries to build legitimacy: it posts a photo of the alleged package and claims the parcel could not be delivered because of a damaged label. The setup is designed to coerce the victim into handing over personal and payment information under the guise of agreeing to re-process the package. The victim supplies name, address, and phone number as shipping information, followed by payment card details for the cost of shipping. The payment page even requests a one-time passcode, which adds a further veneer of legitimacy and, in a phishing flow, typically indicates that the attacker is relaying the stolen card details to a real transaction in real time.

National Emergency Declared in Costa Rica

May 10, 2022

National Emergency Declared in Costa Rica

Industry: Government | Level: Strategic | Source: BleepingComputer

As cyber-attacks from the Conti ransomware group have targeted multiple Costa Rican government agencies, President Rodrigo Chaves declared a national emergency on May 8th, 2022. News outlet Amelia Rueda quoted the president: “The attack that Costa Rica is suffering from cybercriminals, cyberterrorists is declared a national emergency and we are signing this decree, precisely, to declare a state of national emergency in the entire public sector of the Costa Rican State and allow our society to respond to these attacks as criminal acts.” BleepingComputer identified the impact as a 672 GB data dump associated with Costa Rican government agencies; according to the group’s data leak site, 97% of the 672 GB of stolen data has been leaked. An initial review of the posted data indicates it consists of source code and SQL database information. A message from Conti on the leak site names “UNC1756” as the actor responsible for the attack. The actor’s objective is financial gain, and the message warns of more to come: “I will definitely carry out attacks of a more serious form.”

New REvil Malware

May 10, 2022

New REvil Malware

Industry: N/A | Level: Strategic | Source: BleepingComputer

Following reports on April 20th, 2022, by security researchers and BleepingComputer of a new Tor site suggesting a potential return, the sighting of new malware appears to confirm that REvil is back. The new REvil encryptor was identified by AVAST researcher Jakub Kroustek, and a review of its code found that it was compiled from the original source code with new modifications. Advanced Intel CEO Vitali Kremez found that the sample was compiled on April 26th, 2022, and that its version value had been incremented to 2.08, continuing the version numbering from when REvil supposedly shut down.

New Black Basta, Ransomware Gang

May 03, 2022

New Black Basta, Ransomware Gang

Industry: N/A | Level: Strategic | Source: BleepingComputer

Bursting into the cyber threat landscape in April 2022, the newly identified Black Basta ransomware group has compromised at least twelve organizations. As reported by BleepingComputer, the group employs a double-extortion tactic, exfiltrating data prior to launching the ransomware. The Black Basta leak site lists ten victim organizations, and it is likely that several impacted organizations that paid or negotiated with the threat actors have had their listings removed. Research from MalwareHunterTeam suggests that Black Basta is a potential rebrand of Conti, given Conti’s need to dodge law enforcement and recover from damaging leaks. Similarities identified include the leak and payment sites as well as the mannerisms of the group’s support personnel. The group does not appear to be recruiting or marketing its operations at this time.

Stormous Ransomware Breaches Coca-Cola

May 03, 2022

Stormous Ransomware Breaches Coca-Cola

Industry: Food & Beverage | Level: Strategic | Source: BleepingComputer

Beverage corporation Coca-Cola is investigating a claim by the Stormous threat group that it breached the company’s network and exfiltrated 161 GB of data. As reported by BleepingComputer, the group claims to have stolen “compressed documents, text files with admin, emails, and passwords, account and payment ZIP archives, and other type of sensitive information.” A Telegram post by Stormous announced that the group is selling the compromised data for 1.65 Bitcoin (approximately $64,000). Similar to Lapsus$, Stormous had run a poll the week prior listing candidate targets to breach; coca-cola.com received the most votes at 74%. Other listed targets included Mattel, Danaher, Blackboard, and GE Aviation.

MetaStealer Malware

April 19, 2022

The new information-stealing malware META has been gaining popularity amongst cybercriminals. Research from SANS, reported by BleepingComputer, shows the malware being distributed through malspam campaigns.

Miratorg Agribusiness Holding – Ransomware Attack

March 25, 2022

March 22nd, 2022: Miratorg Agribusiness Holding – Ransomware Attack

Industry: Producer & Supplier | Level: Strategic | Source: BleepingComputer

A ransomware attack that used Windows BitLocker to encrypt systems has hit Miratorg Agribusiness Holding, a meat supplier based in Moscow. BleepingComputer believes the attack was conducted for “sabotage and not financial” gain, with the attack focused on “VetIS, a state information system used by veterinary services and companies engaging in the field, making it likely a supply chain compromise.” Additionally, a machine-translated statement from the company frames the attack as Western hostility related to the Russia-Ukraine conflict: “Probably, this incident is a manifestation of the informational and economic “total war” that the collective West unleashed against Russia. We are pushed to this assumption by the fact that during the entire existence of VetIS (more than 10 years) and tens of thousands of Russian and foreign software systems integrated with it, this has never happened.” Miratorg Agribusiness is working to restore business services.
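Abuse of BitLocker as the encryption layer leaves the operating system's own volume inventory intact, so a defender can check for it with the built-in BitLocker module rather than waiting for a ransom note. The check below is an added example, not code from BleepingComputer, Miratorg, or the attackers; it assumes an elevated PowerShell session on a Windows host with the BitLocker module available, and the "suspicious" heuristic (a Password protector with no RecoveryPassword protector, or encryption still in progress) is an assumption for illustration, not a documented indicator from the article.

```powershell
# Added example: inventory BitLocker volumes and flag protector configurations
# that look attacker-set rather than deployed by IT. Assumes elevation and the
# BitLocker PowerShell module. The heuristic below is an assumption for
# illustration; tune it to your organisation's real BitLocker policy.

function Get-SuspiciousBitLockerVolume {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Collect the protector types present on this volume, e.g. Tpm,
        # TpmPin, RecoveryPassword, Password, ExternalKey.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        $hasRecovery = $types -contains 'RecoveryPassword'
        $hasPassword = $types -contains 'Password'
        $hasTpm      = ($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
        $inProgress  = $vol.VolumeStatus.ToString() -eq 'EncryptionInProgress'

        $reasons = @()
        # A managed deployment escrows a recovery password; a volume locked with
        # only a user-chosen password and no recovery protector is a red flag.
        if ($hasPassword -and -not $hasRecovery) { $reasons += 'Password protector without RecoveryPassword' }
        # OS volumes are normally TPM-bound; an OS volume without any TPM
        # protector was probably not set up by the standard build process.
        if ($vol.VolumeType.ToString() -eq 'OperatingSystem' -and -not $hasTpm) { $reasons += 'OS volume with no TPM protector' }
        # Encryption actively running on a host with no planned rollout is worth
        # an immediate look: BitLocker-based ransomware is caught mid-run here.
        if ($inProgress) { $reasons += 'Encryption currently in progress' }

        [PSCustomObject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType.ToString()
            VolumeStatus     = $vol.VolumeStatus.ToString()
            ProtectionStatus = $vol.ProtectionStatus.ToString()
            Protectors       = ($types -join ',')
            Suspicious       = ($reasons.Count -gt 0)
            Reasons          = ($reasons -join '; ')
        }
    }
}

# Usage: list every volume, then show only the ones the heuristic flagged.
$report = Get-SuspiciousBitLockerVolume
$report | Format-Table -AutoSize
$report | Where-Object Suspicious | Format-List
```

Run this from endpoint management across a fleet and alert on any host whose report changes between runs; the same object shape can be shipped to a SIEM so that a newly appearing Password protector, or a volume that flips into EncryptionInProgress outside a change window, raises a detection while the attacker is still encrypting.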

Conti Source Code Leak

March 22, 2022

Conti Source Code Leak

Industry: N/A | Level: Strategic | Source: BleepingComputer

Conti leaks continue from a Ukrainian security researcher posting under the Twitter handle @ContiLeaks. The latest leak, uploaded to VirusTotal on March 20th, 2022, contains the source code for “conti v3.” BleepingComputer reviewed the uploaded files and found the code dated January 25th, 2021, newer than the previously leaked code. BleepingComputer was able to compile the code without issue, which supports its authenticity.

German Government Warns Against Use of Kaspersky AV

March 22, 2022

German Government Warns Against Use of Kaspersky AV

Industry: N/A | Level: Strategic | Source: BleepingComputer

In a bulletin released by the German Federal Office for Information Security (BSI), the agency advises against the use of Kaspersky’s antivirus software in favor of “alternative products.” The product’s trustworthiness is called into question by the conflict between Russia and Ukraine and by any relationship the company may have with the Russian government. Because antivirus software runs with deep system privileges and keeps a standing, real-time connection to the vendor’s cloud infrastructure, the vendor itself becomes part of the attack surface. BSI notes that such software has “extensive system authorizations and, due to the system (at least for updates), must maintain a permanent, encrypted and non-verifiable connection to the manufacturer’s servers. Therefore, trust in the reliability and self-protection of a manufacturer as well as his authentic ability to act is crucial for the safe use of such systems. If there are doubts about the reliability of the manufacturer, virus protection software poses a particular risk for the IT infrastructure to be protected.”

Rostec Hit with Cyberattack

March 21, 2022

March 11th, 2022: Rostec Hit with Cyberattack

Industry: Aerospace, Defense | Level: Strategic | Source: BleepingComputer

Russian industrial conglomerate Rostec has been hit by a cyberattack that briefly took its website offline. As reported by BleepingComputer, the aerospace and defense firm states that it has faced continuous attack activity since late February. A statement from Rostec shared, “we had to briefly close the website. The attack has been repelled, and now the website is functioning again and all information about the corporation is available in full.” The attack appears attributable to the IT Army of Ukraine, as the group’s Telegram channel lists parts of Rostec’s internet-facing infrastructure as targets for DDoS attacks.