Cybersecurity Weekly: Favicon backdoor, triple extortion scheme, ransomware for sale
Magecart hackers hide a PHP-based backdoor in website favicons. Ransomware attackers are now demanding cash from the customers of victims. Ransomware is selling for $4,000 on the dark web. All this, and more, in this week’s edition of Cybersecurity Weekly.
1. Magecart hackers hide PHP-based backdoor in website favicons
2. Ransomware attackers now demanding cash from the customers of victims
Experts are now warning against a new ransomware threat called triple extortion. Attackers are demanding payments from customers, partners and other third parties related to the initial breach to grab even more cash for their crimes. Researchers said the first case of triple extortion they observed in the wild was in October.
3. Ransomware selling for $4,000 on the dark web
In the cybercriminal underground, ransomware samples and builders are going for anywhere from $300 to $4,000, with ransomware-as-a-service rentals costing $120 to $1,900 per year. That’s according to an analysis by Kaspersky of the three main underground forums where ransomware is circulated.
4. Irish healthcare shuts down IT systems after Conti ransomware attack
Ireland's publicly funded healthcare system shut down all IT systems after its network was breached in a ransomware attack. The responsible ransomware gang also hit the Scottish Environment Protection Agency on Christmas Eve, later publishing roughly 1.2 GB of stolen data on their dark web leak site.
5. QNAP warns of eCh0raix ransomware attacks, Roon Server zero-day
QNAP warns customers of an actively exploited Roon Server zero-day bug and eCh0raix ransomware attacks targeting its Network Attached Storage devices. This warning comes only two weeks after QNAP users were alerted to an ongoing AgeLocker ransomware outbreak.
6. Colonial Pipeline paid nearly $5 million in ransom to cybercriminals
Last week, Colonial Pipeline restored operations to its entire pipeline system nearly a week after a ransomware infection targeting its IT systems. It was forced to shell out nearly $5 million to regain control of its computer networks. Following this restart, it will take several days for the product delivery supply chain to return to normal.
7. State-backed hackers added new Windows malware to their arsenal
Cybercriminals with suspected ties to Pakistan continue to rely on social engineering as a crucial component of their operations as part of an evolving espionage campaign against Indian targets. The group created fraudulent domains mimicking legitimate Indian military and defense organizations.
8. Rapid7 source code, credentials accessed in Codecov supply-chain attack
Some Rapid7 source code repositories were accessed in a security incident linked to the supply-chain attack that recently impacted customers of the popular Codecov code coverage tool. The unknown threat actors behind this incident were only able to gain access to a small subset of repositories containing source code for internal tooling.
9. Chemical distributor pays $4.4 million to DarkSide ransomware
Chemical distribution company Brenntag paid a $4.4 million ransom in Bitcoin to the DarkSide ransomware gang to receive a decryptor for encrypted files and prevent the threat actors from publicly leaking stolen data. The DarkSide ransomware group claimed to have stolen 150 GB of data during their attack.
10. Microsoft build tool abused to deliver password-stealing malware
Threat actors are abusing the Microsoft Build Engine to deploy remote access tools and information-stealing malware as part of an ongoing campaign. The malicious MSBuild project files delivered in this campaign injected the final payloads into the memory of newly spawned processes.