Cybersecurity Weekly: Favicon backdoor, triple extortion scheme, ransomware for sale
Magecart hackers hide a PHP-based backdoor in website favicons. Ransomware attackers are now demanding cash from the customers of victims. Ransomware is selling for $4,000 on the dark web. All this, and more, in this week’s edition of Cybersecurity Weekly.
1. Magecart hackers hide PHP-based backdoor in website favicons
Cybercrime groups are distributing malicious PHP web shells disguised as a favicon. This is done in an attempt to maintain remote access to the compromised servers and inject JavaScript skimmers into online shopping platforms with an aim to steal financial information from their users.
2. Ransomware attackers now demanding cash from the customers of victims
Experts are now warning against a new ransomware threat called triple extortion. Attackers are demanding payments from customers, partners and other third parties related to the initial breach to grab even more cash for their crimes. Researchers said the first case of triple extortion they observed in the wild was in October.
3. Ransomware selling for $4,000 on the dark web
In the cybercriminal underground, ransomware samples and builders are going for anywhere between $300 to $4,000, with ransomware-as-a-service rentals costing $120 to $1,900 per year. That’s according to an analysis by Kaspersky of the three main underground forums where ransomware is circulated.
4. Irish healthcare shuts down IT systems after Conti ransomware attack
Ireland's publicly funded healthcare system shut down all IT systems after its network was breached in a ransomware attack. The responsible ransomware gang also hit the Scottish Environment Protection Agency on Christmas Eve, later publishing roughly 1.2 GB of stolen data on their dark web leak site.
5. QNAP warns of eCh0raix ransomware attacks, Roon Server zero-day
QNAP warns customers of an actively exploited Roon Server zero-day bug and eCh0raix ransomware attacks targeting their Network Attached Storage devices. This warning comes only two weeks after QNAP users were alerted of an ongoing AgeLocker ransomware outbreak.
6. Colonial pipeline paid nearly $5 million in ransom to cybercriminals
Last week, Colonial Pipeline restored operations to its entire pipeline system nearly a week after a ransomware infection targeting its IT systems. It was forced to shell out nearly $5 million to regain control of its computer networks. Following this restart, it will take several days for the product delivery supply chain to return to normal.
7. State-backed hackers added new Windows malware to its arsenal
Cybercriminals with suspected ties to Pakistan continue to rely on social engineering as a crucial component of its operations as part of an evolving espionage campaign against Indian targets. The group created fraudulent domains mimicking legitimate Indian military and defense organizations.
8. Rapid7 source code, credentials accessed in Codecov supply-chain attack
Some Rapid7 source code repositories were accessed in a security incident linked to the supply-chain attack that recently impacted customers of the popular Codecov code coverage tool. The unknown threat actors behind this incident were only able to gain access to a small subset of repositories containing source code for internal tooling.
9. Chemical distributor pays $4.4 million to DarkSide ransomware
Chemical distribution company Brenntag paid a $4.4 million ransom in Bitcoin to the DarkSide ransomware gang to receive a decryptor for encrypted files and prevent the threat actors from publicly leaking stolen data. The DarkSide ransomware group claimed to have stolen 150GB of data during their attack.
10. Microsoft build tool abused to deliver password-stealing malware
Threat actors are abusing the Microsoft Build Engine to deploy remote access tools and information-stealing malware as part of an ongoing campaign. The malicious MSBuild project files delivered in this campaign injected the final payloads into the memory of newly spawned processes.
In this Series
- Cybersecurity Weekly: Favicon backdoor, triple extortion scheme, ransomware for sale
- Canada Flipper Zero ban and new RustDoor macOS malware
- AnyDesk hack and iPhone patched kernel flaw
- Tesla Pwn2Own hacks and iOS push alerts abuse
- TeamViewer breach and Atlassian Jira outage
- Moscow ISP revenge hack and Microsoft Sharepoint bug warning
- X verified accounts hack and SpectralBlur macOS malware
- CISA default password alert and SOHO KV-botnet campaign
- New 5G modem flaws and Apple’s data breach report
- Staples cyberattack, Agent Racoon backdoor and other news
- British Library ransomware attack, Windows fingerprint authentication bypass
- Samsung UK data breach and ransomware actor’s SEC complaint
- ICBC ransomware attack and ChatGPT outage
- Boeing Lockbit ransomware attack, Apple’s vulnerability and WhatsApp mods spyware
- Octo Tempest hacking group and new iLeakage attack
- Okta support system breach and Google Ads fake KeePass campaign
- Skype DarkGate malware, Shadow PC breach and AvosLocker ransomware warning
- 23andMe data theft, MGM’s $100M ransomware loss and the Azure VM breach
- Malicious Bing Chat ads and FBI’s dual ransomware warning
- T-Mobile app glitch and fake Booking.com pages
- Airbus data leak, Cisco Webex ad malware and €345 million TikTok fine
- New Apple iMessage exploit and CISA’s Apache RocketMQ warning
- Forever 21 data breach and Android BadBazaar espionage
- Duolingo data leak and the Met Police IT hack
- Discord.io data breach and Ivanti Avalanche vulnerabilities
- UK Electoral Commission hack and Microsoft’s role in China email breach
- Salesforce email zero-day exploit and Microsoft Power Platform criticism
- Airlines disclose pilot data breach and the Microsoft Teams bug
- GravityRAT Android Trojan and new MOVEit Transfer flaw
- University of Manchester hack and Honda API flaws
- MOVEit zero-day exploit and the U.S. iPhone hack accusation
- Daam Android virus and Barracuda zero-day flaw
- TP-Link router exploit and 18-year-old charged with hacking DraftKings accounts
- Discord support hack and Toyota location data leak
- Twitter private tweets bug and Cisco phone router vulnerabilities
- Cisco XSS zero-day flaw and PaperCut vulnerabilities
- 3CX hackers hit critical infrastructure and secondhand routers cause security concerns
- Hyundai data breach and Microsoft’s warning to accountants
- Western Digital cloud breach and the MSI ransomware hack
- TMX loan data breach, Italy bans ChatGPT and WordPress Elementor Pro exploit
- ChatGPT data leak and Gmail message theft by North Korean hackers
- U.S. federal agency hack and the return of FakeCalls Android malware
- Massive AT&T data breach and fake jobs targeting security researchers
- U.S. Marshals service breach and TPM 2.0 security flaws
- Dangerous ChatGPT apps and food giant Dole ransomware attack
- GoDaddy malware installations, record-breaking DDoS attack and the new WhiskerSpy malware
- Reddit’s employees phished, healthcare firms targeted and the new Screenshotter malware
- JD Sports data breached, VMware ESXi servers attacked and the HeadCrab malware
- Yandex source code leaked, 4500+ WordPress sites hacked and the new SwiftSlicer malware
- PayPal accounts breached, Fortinet VPN flaw exploited, and the new Hook malware
- Twitter users’ emails leaked, ChatGPT used to write malware and Slack’s repository breach
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
