Turla hackers return, LastPass faces lawsuit, Windows reporter hacked
Russian Turla hackers are hijacking decades-old malware infrastructure to deploy new backdoors
The Russian cyber espionage group known as Turla has been observed piggybacking on attack infrastructure used by a decade-old malware to deliver its own reconnaissance and backdoor tools to targets in Ukraine. Google-owned Mandiant said the hijacked servers correspond to a variant of a malware called ANDROMEDA (aka Gamarue) that was uploaded to VirusTotal in 2013. Since the beginning of Russia’s military invasion of Ukraine in February 2022, the group has been linked to a number of phishing and reconnaissance efforts targeting entities located in the country, as well as to SolarWinds.
(The Hacker News)
LastPass hit with a lawsuit over the August breach
The August data disaster at LastPass is only getting worse: the company is now going to court. A lawsuit has been filed by an unnamed individual who said LastPass’s flaw led to the theft of an unspecified number of private Bitcoin keys stored in the wallet, which the lawsuit said contained approximately $53,000 in the cryptocurrency. The suit seeks a jury trial to obtain damages and compensation from LastPass for a nationwide class that includes all LastPass users whose data was stolen in the breach. In December, LastPass admitted that the attack was more serious than first thought, with attackers gaining access to a cloud storage system to steal user password vaults.
Hackers misuse Windows error reporting tools to distribute malware
Hackers misuse the error reporting tool Windows Problem Reporting (WerFault.exe) to load malware into a compromised system’s memory using a DLL sideloading technique. Launching the malware through a legitimate Windows executable lets the attackers infect devices stealthily, without raising alarms on the breached system. The new campaign was discovered by K7 Security Labs, which believes the hackers are based in China. The malware campaign starts with the arrival of an email with an ISO attachment. When double-clicked, the ISO mounts itself as a new drive letter containing a legitimate copy of the Windows WerFault.exe executable, a DLL file (‘faultrep.dll’), an XLS file (‘File.xls’) and a shortcut file.
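A detection angle that follows from the description above: the genuine WerFault.exe and faultrep.dll live under the Windows system directories, so a copy of WerFault.exe executing from a freshly mounted drive letter, or loading faultrep.dll from anywhere else, is worth an alert. The script below is an added example written for this page, not code from K7 Security Labs or the story's source; the Sysmon-style event lines are constructed samples, and the `E:` drive letter is an assumed placeholder for the mounted ISO.

```python
# Flag WerFault.exe process-creation and DLL-load events whose paths fall outside
# the Windows system directories. Constructed example for this page.

# Directories where the genuine WerFault.exe and faultrep.dll are installed.
# Adjust if the system drive is not C:.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed Sysmon-style records (not real telemetry). EventID 1 = process
# creation, EventID 7 = image (DLL) load. Fields are key=value joined by " | ".
SAMPLE_EVENTS = [
    "EventID=1 | Image=C:\\Windows\\System32\\WerFault.exe | ParentImage=C:\\Windows\\System32\\svchost.exe",
    "EventID=7 | Image=C:\\Windows\\System32\\WerFault.exe | ImageLoaded=C:\\Windows\\System32\\faultrep.dll",
    "EventID=1 | Image=E:\\WerFault.exe | ParentImage=C:\\Windows\\explorer.exe",
    "EventID=7 | Image=E:\\WerFault.exe | ImageLoaded=E:\\faultrep.dll",
    "EventID=7 | Image=C:\\Windows\\SysWOW64\\WerFault.exe | ImageLoaded=C:\\Windows\\SysWOW64\\faultrep.dll",
]


def parse(line):
    """Split one 'key=value | key=value' record into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def _in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def classify(ev):
    """Return a finding string for a suspicious event, or None for benign ones."""
    image = ev.get("Image", "")
    if _basename(image) != "werfault.exe":
        return None
    # Rule 1: WerFault.exe started from somewhere other than the system directories
    # (e.g. the drive letter of a mounted ISO).
    if ev.get("EventID") == "1" and not _in_trusted_dir(image):
        parent = ev.get("ParentImage", "?")
        return f"WerFault.exe launched from untrusted location: {image} (parent {parent})"
    # Rule 2: WerFault.exe resolved faultrep.dll from a non-system directory,
    # the sideloading pattern described in the campaign.
    if ev.get("EventID") == "7":
        dll = ev.get("ImageLoaded", "")
        if _basename(dll) == "faultrep.dll" and not _in_trusted_dir(dll):
            return f"WerFault.exe loaded faultrep.dll from untrusted location: {dll}"
    return None


def scan(lines):
    """Run both rules over a sequence of event lines and collect findings."""
    findings = []
    for line in lines:
        finding = classify(parse(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print("ALERT:", f)
```

Both rules key purely on paths, which is enough for the case described (a system binary copied onto removable or mounted media). A stronger check, where your telemetry provides it, is the Authenticode signature status of the loaded faultrep.dll, since a sideloaded DLL will not carry Microsoft's signature even when it sits beside a genuine WerFault.exe.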
Amazon S3 will now encrypt all new data with AES-256 by default
Amazon Simple Storage Service (S3) will now automatically apply server-side encryption to all new objects added to buckets, using AES-256 by default. While server-side encryption has been available on AWS for over a decade, the tech giant has now enabled it by default to bolster security. Administrators don’t need to do anything for the new encryption default to take effect on their buckets, and Amazon promises it won’t have any negative performance impact. Two notable examples regarding Amazon S3 storage buckets are the leak of data from 123 million households in December 2017 and the leak of 540 million records from Facebook users in April 2019, where the data was not encrypted.
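One practical consequence of "new objects" is that objects uploaded before the change keep whatever encryption state they already had. The script below, an added example for this page rather than anything published by AWS, finds objects in a bucket whose HEAD response carries no `ServerSideEncryption` value and re-encrypts them in place with SSE-S3 (AES-256) by copying each object onto itself. The boto3 calls (`list_objects_v2`, `head_object`, `copy_object`) are real; `FakeS3` is a constructed stand-in so the logic can be exercised offline, and `example-bucket` is a placeholder name.

```python
# Find pre-existing unencrypted S3 objects and apply SSE-S3 via an in-place copy.
# Added example for this page; only the boto3 calls are AWS's real API.


def list_unencrypted(s3, bucket):
    """Yield keys whose HEAD response has no ServerSideEncryption field."""
    token = None
    while True:
        kwargs = {"Bucket": bucket}
        if token:
            kwargs["ContinuationToken"] = token
        page = s3.list_objects_v2(**kwargs)
        for obj in page.get("Contents", []):
            head = s3.head_object(Bucket=bucket, Key=obj["Key"])
            if "ServerSideEncryption" not in head:
                yield obj["Key"]
        if not page.get("IsTruncated"):
            return
        token = page["NextContinuationToken"]


def reencrypt(s3, bucket, key):
    """Copy the object onto itself requesting SSE-S3; user metadata is preserved.
    Changing the encryption setting is what makes a same-key copy acceptable to S3."""
    s3.copy_object(
        Bucket=bucket,
        Key=key,
        CopySource={"Bucket": bucket, "Key": key},
        ServerSideEncryption="AES256",
        MetadataDirective="COPY",
    )


def remediate(s3, bucket):
    """Re-encrypt every unencrypted object; return the keys that were changed."""
    keys = list(list_unencrypted(s3, bucket))  # collect first, then mutate
    for key in keys:
        reencrypt(s3, bucket, key)
    return keys


class FakeS3:
    """Constructed stand-in for a boto3 S3 client (not the real API). Holds
    key -> encryption algorithm (None = unencrypted) and serves two keys per page
    so the pagination loop is exercised."""

    def __init__(self, objects):
        self.objects = dict(objects)

    def list_objects_v2(self, Bucket, ContinuationToken=None, **_):
        keys = sorted(self.objects)
        start = int(ContinuationToken or 0)
        chunk = keys[start:start + 2]
        resp = {"Contents": [{"Key": k} for k in chunk], "IsTruncated": False}
        if start + 2 < len(keys):
            resp["IsTruncated"] = True
            resp["NextContinuationToken"] = str(start + 2)
        return resp

    def head_object(self, Bucket, Key):
        resp = {"ContentLength": 0}
        if self.objects[Key]:
            resp["ServerSideEncryption"] = self.objects[Key]
        return resp

    def copy_object(self, Bucket, Key, CopySource, ServerSideEncryption, **_):
        self.objects[Key] = ServerSideEncryption
        return {"ServerSideEncryption": ServerSideEncryption}


def main():
    """Run against a real bucket: python script.py <bucket-name>."""
    import sys
    import boto3  # only needed for a live run; imported lazily on purpose

    bucket = sys.argv[1] if len(sys.argv) > 1 else "example-bucket"  # placeholder
    for key in remediate(boto3.client("s3"), bucket):
        print("re-encrypted", key)


if __name__ == "__main__":
    main()
```

Two caveats for a live run: `copy_object` is limited to objects of 5 GB, so larger ones need a multipart copy, and a principal needs both read and write on the affected keys. Server-side encryption is transparent to anyone S3 authorizes to read the object, so it complements, rather than replaces, bucket access controls.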
Thanks to this week’s episode sponsor, AppOmni
Amazon to cut 18,000 jobs as it cuts costs
Spokesmen for the company, which employs 1.5 million people globally, did not say which countries the job cuts would affect, but said they would include Europe. Most of the job losses will come from the consumer store and the personnel department. Amazon CEO Andy Jassy cited the “uncertain economy” for the cuts, saying it had “hired rapidly over several years.” Amazon has seen sales slow after business boomed during the pandemic as customers at home spent heavily online.
SpyNote malware spies on Android users, steals banking credentials
Hackers are using a new variant of the SpyNote malware to secretly observe and modify infected Android smartphones, according to research published by ThreatFabric on Monday. SpyNote is a “powerful” spyware family designed to monitor, manage and modify a device. Hackers distribute the spyware through fake mobile apps that infect Android smartphones. The new variant mimics the apps of “reputable financial institutions” such as HSBC and Deutsche Bank to exfiltrate the personal data of their customers. It also disguises itself as well-known mobile apps such as WhatsApp, Facebook and Google Play, as well as more generic apps such as wallpapers, productivity or gaming apps.
Windows Server 2012 will end support in October
Microsoft reminds customers that extended support for all editions of Windows Server 2012 and Windows Server 2012 R2 will end on October 10. Although Windows Server 2012 reached the end of regular support in October 2018, Microsoft pushed back the end of extended support by five years to allow customers to migrate to newer, supported Windows Server versions. Customers are advised to upgrade or migrate to Azure.
Last week in ransomware
This was a very busy week in ransomware, following a bad year for organizations: Emsisoft reported that 200 government, education and healthcare organizations were targeted by ransomware in 2022. As we reported, LockBit attacked Toronto’s SickKids Children’s Hospital, then apologized, blamed a rogue affiliate and gave the hospital a free decryptor. On Sunday, the hospital was only 80% recovered from the attack. Rackspace has confirmed an attack by Play ransomware, Queensland University of Technology was hit by Royal ransomware, and US rail and locomotive company Wabtec was breached by LockBit. The British newspaper The Guardian had to send its employees home while it dealt with an attacker from an unnamed source, and the LA Housing Authority was hit, also by LockBit. The BlackCat/ALPHV gang cloned a victim company’s website to post stolen data, an innovative blackmail technique. In the good news file, Bitdefender released a free decryptor for MegaCortex ransomware. All victims who saved their encrypted files in the hope that a decryptor would be released can now recover their files for free.
(Bleeping Computer and CISO series)