The Stormous ransomware group is back, a ransomware gang adds a new backdoor, and more.
Welcome to Cyber Security Today. It’s Wednesday, July 19th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
This continues to be one of the worst years for ransomware. Here’s the latest news: the Stormous group, which had been under the radar for a while, is back in business. According to researchers at Kela, the gang’s extortion site has been updated with listings of new alleged victims. It also has a section selling data allegedly stolen from organizations, a job application page and a contact page. A year ago the group significantly reduced the number of additions to its site. But now it claims to have recently hit more than 30 organizations. Also this month Stormous announced a partnership with the GhostSec hacktivist group to target organizations in Cuba.
Meanwhile researchers at Symantec say the Syssphinx gang has added a reworked backdoor to deliver ransomware. Also known to researchers as FIN8 because it originally specialized in stealing financial information, the gang has reworked the Sardonic backdoor to deliver the Noberus/AlphV/BlackCat ransomware strain. The backdoor is indirectly embedded into a PowerShell script. This group has also been seen using the White Rabbit and Ragnar Locker ransomware strains.
Someone is selling threat actors access to an AI tool similar to ChatGPT for creating malware and convincing phishing messages. The tool is called WormGPT. Researchers at SlashNext say it’s based on an AI model created two years ago in Japan. The developer says it’s been trained on malicious code. But SlashNext tested it by creating a convincing email message that would trick an employee into paying a fraudulent invoice. As a result they warn infosec leaders to step up security awareness training of employees and enforce stringent email verification processes.
Employees continue to be careless with databases of sensitive information they create and leave open on the internet. The latest example is a database of what appeared to be subscribers to several dating apps. Security researcher Jeremy Fowler, who found the unprotected database, said it not only had people’s email addresses but also almost a million uploaded photos from dating app users, some of which were sexually explicit. Fowler sent a warning message to the developer of the China-based app with the largest collection of information in that database. It was soon secured. There are two lessons from this report: First, because access to the database was secured after one company was alerted, we can conclude it was created by an employee. That shows — again — employees have to be warned about security obligations when creating files and folders with sensitive information. Second, because privacy on the internet can never be assured, no one should send suggestive comments or explicit images to anyone else.
Security awareness training usually focuses on recognizing phishing attacks. Trainers should also spend a few minutes warning staff about spelling. Why? According to the Financial Times, Americans who have been mis-spelling email addresses have been sending sensitive emails to a small African country. Many emails that were supposed to go to U.S. military addresses ending in “@.mil” were going to Mali because the senders were typing “@.ml.” This has been going on for 10 years. The U.S. Defense Department told The Register that its email systems will now block outgoing messages addressed to the mis-spelled domain. However, people sending emails from their personal email service won’t be protected. The lesson: Remind staff that not only should they look for spelling mistakes in incoming emails, they also need to watch what they type when sending messages.
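A defender-side illustration of that lesson, added here and not part of the podcast: an outbound recipient check that blocks mail to the confusable top-level domain outright (the mitigation described above) and warns on one-character slips against protected domains. All domain names and addresses below are constructed for the example.

```python
# Added example (not from the podcast): outbound-mail recipient check that
# catches the ".mil" -> ".ml" style slip before a message leaves the gateway.
# PROTECTED_DOMAINS and BLOCKED_TLDS are constructed placeholders.

PROTECTED_DOMAINS = {"example.mil", "mail.example.mil"}  # constructed
BLOCKED_TLDS = {"ml"}  # block the confusable TLD outright, as the DoD described


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute one character)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_recipient(address: str) -> str:
    """Return 'ok', 'warn' or 'block' for a single recipient address."""
    if address.count("@") != 1:
        return "block"  # malformed address: never let it through silently
    domain = address.rsplit("@", 1)[1].lower().strip(".")
    if domain in PROTECTED_DOMAINS:
        return "ok"
    if domain.rsplit(".", 1)[-1] in BLOCKED_TLDS:
        return "block"
    # A one-character slip against a protected domain gets a warning so the
    # sender re-checks what they typed before the mail is released.
    for good in PROTECTED_DOMAINS:
        if levenshtein(domain, good) <= 1:
            return "warn"
    return "ok"


def triage(addresses):
    """Map each recipient to its verdict, e.g. for a gateway policy hook."""
    return {a: check_recipient(a) for a in addresses}
```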
Attention IT managers with Zimbra’s Collaboration Suite in their environments. The developer has warned a security vulnerability in version 8.8.15 could impact the confidentiality and integrity of your data. An automated fix will be available shortly. Those who can’t wait can install the patch manually on all mailbox nodes.
JumpCloud, a U.S.-based identity and access management solution, says what it calls “a small set of customers” were impacted by a breach of security controls by an unnamed sophisticated nation-state. The attacker was able to inject data into JumpCloud’s commands framework. As a result it has rotated all customer credentials and rebuilt its infrastructure. The incident started with spear phishing messages on June 22nd.
An IT security analyst who tried to extort money from the U.K. company he worked for was sentenced last week in Britain to three years and seven months in jail. The man, who pleaded guilty in May, took advantage of a 2018 cyber attack to create an email address similar to one used by the hackers and sent his own messages to the company demanding money. Days before his arrest the man deleted evidence from his computer and phone, but that didn’t impair a forensic audit.
Finally, crooks often take advantage of the release of hot digital games, streaming TV shows and movies to scam individuals. The latest examples discovered by Kaspersky are offers to stream the about-to-be-released Oppenheimer movie for a small fee. Another offers limited edition dolls related to the Barbie movie. The real goal is to steal credit and debit card information.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.