Cybersecurity Weekly: Favicon backdoor, triple extortion scheme, ransomware for sale

May 19, 2021 by Sam Fay

Magecart hackers hide a PHP-based backdoor in website favicons. Ransomware attackers are now demanding cash from the customers of victims. Ransomware is selling for $4,000 on the dark web. All this, and more, in this week’s edition of Cybersecurity Weekly.


1. Magecart hackers hide PHP-based backdoor in website favicons

Cybercrime groups are distributing malicious PHP web shells disguised as a favicon. This is done in an attempt to maintain remote access to the compromised servers and inject JavaScript skimmers into online shopping platforms, with the aim of stealing financial information from their users.


2. Ransomware attackers now demanding cash from the customers of victims

Experts are now warning against a new ransomware threat called triple extortion. Attackers are demanding payments from customers, partners and other third parties related to the initial breach to grab even more cash for their crimes. Researchers said the first case of triple extortion they observed in the wild was in October.


3. Ransomware selling for $4,000 on the dark web

In the cybercriminal underground, ransomware samples and builders are going for anywhere between $300 and $4,000, with ransomware-as-a-service rentals costing $120 to $1,900 per year. That’s according to an analysis by Kaspersky of the three main underground forums where ransomware is circulated.


4. Irish healthcare shuts down IT systems after Conti ransomware attack

Ireland’s publicly funded healthcare system shut down all IT systems after its network was breached in a ransomware attack. The responsible ransomware gang also hit the Scottish Environment Protection Agency on Christmas Eve, later publishing roughly 1.2 GB of stolen data on their dark web leak site.


5. QNAP warns of eCh0raix ransomware attacks, Roon Server zero-day

QNAP warns customers of an actively exploited Roon Server zero-day bug and eCh0raix ransomware attacks targeting their Network Attached Storage devices. This warning comes only two weeks after QNAP users were alerted of an ongoing AgeLocker ransomware outbreak.


6. Colonial pipeline paid nearly $5 million in ransom to cybercriminals

Last week, Colonial Pipeline restored operations to its entire pipeline system nearly a week after a ransomware infection targeting its IT systems. It was forced to shell out nearly $5 million to regain control of its computer networks. Following this restart, it will take several days for the product delivery supply chain to return to normal.


7. State-backed hackers added new Windows malware to their arsenal

Cybercriminals with suspected ties to Pakistan continue to rely on social engineering as a crucial component of their operations, as part of an evolving espionage campaign against Indian targets. The group created fraudulent domains mimicking legitimate Indian military and defense organizations.


8. Rapid7 source code, credentials accessed in Codecov supply-chain attack

Some Rapid7 source code repositories were accessed in a security incident linked to the supply-chain attack that recently impacted customers of the popular Codecov code coverage tool. The unknown threat actors behind this incident were only able to gain access to a small subset of repositories containing source code for internal tooling.


9. Chemical distributor pays $4.4 million to DarkSide ransomware

Chemical distribution company Brenntag paid a $4.4 million ransom in Bitcoin to the DarkSide ransomware gang to receive a decryptor for encrypted files and prevent the threat actors from publicly leaking stolen data. The DarkSide ransomware group claimed to have stolen 150GB of data during their attack.


10. Microsoft build tool abused to deliver password-stealing malware

Threat actors are abusing the Microsoft Build Engine to deploy remote access tools and information-stealing malware as part of an ongoing campaign. The malicious MSBuild project files delivered in this campaign injected the final payloads into the memory of newly spawned processes.
