Welcome to our weekly roundup, where we share what you need to know about cybersecurity news and events that happened over the past few days. This week, learn about a new backdoor from PurpleFox that utilizes WebSockets for more secure communication. Also, read on the link between the Sinclair ransomware attack and the cybercrime group Evil Corp.
Read on:
PurpleFox Adds New Backdoor That Uses WebSockets
In September 2021, Trend Micro‘s Managed XDR (MDR) team looked into suspicious activity related to a PurpleFox operator and resulted in an investigation of an updated PurpleFox arsenal.Trend Micro found a new backdoor written in .NET implanted during the intrusion, which we believe is highly associated with PurpleFox. This backdoor leverages WebSockets to communicate with its command-and-control (C&C) servers, resulting in a more robust and secure means of communication compared to regular HTTP traffic.
Hacking Tool Linked with Russian Crime Ring Used in Sinclair Ransomware Attack, Analysts Say
The hacking tool used in a ransomware attack that disrupted programming at Sinclair Broadcast Group is similar to malicious code previously used by a Russian crime group sanctioned by the US government. The crime group, known as Evil Corp, is believed to be primarily motivated by money, and known for flaunting its ill-gotten wealth. US authorities have previously accused it of stealing $100 million from victims around the world in part by accessing the victims' bank account login information.
Vulnerabilities serve as entry points for threats, and even relatively new ones have swarms of exploit campaigns that target them. In this research, Trend Micro looks into how malware campaigns target server vulnerabilities such as the Atlassian Confluence Server Webwork Object-Graph Navigation Language (OGNL) injection vulnerability, CVE-2021-26084, and three Oracle WebLogic Server vulnerabilities, CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883. This blog also includes recommendations on how security teams can safeguard their workloads.
US Judge Sentences Duo for Roles in Running Bulletproof Hosting Service
On Wednesday, the US Department of Justice (DoJ) said that Pavel Stassi and Aleksandr Skorodumov, of Estonia and Lithuania, have now been jailed for 24 months and 48 months, respectively. The 30 and 33-year-old duo were accused of providing online hosting services that are known as bulletproof -- a popular option for cybercriminals who need a host that will turn a blind eye to criminal activity.
Modern Ransomware Shake Up Banking, Government, Transportation Sectors in 1H 2021
In this report, read about the impact of ransomware to critical industries like banking, government and transportation in 1H 2021, how modern ransomware operators gain initial access to organizations, and what decision-makers can do to defend against the threat of ransomware.
VPN Exposes Data for 1M Users, Leading to Researcher Questioning
Free virtual private network (VPN) service Quickfox, which provides access to Chinese websites from outside the country, exposed the personally identifiable information (PII) of more than a million users in just the latest high-profile VPN security failure. The incident has some security practitioners questioning whether VPNs are an outdated technology.
Forced Entry: A Security Test for Automatic Garage Doors
The first line of defense for most homes is a version of the classic lock-and-key system used to secure all possible passages inside. These mechanisms are often dependable, encouraging residents to take for granted that this will always be the case. In this blog entry, Trend Micro takes a closer look at one of these mechanisms, the common garage door remote, to test two threat scenarios and show their security implications.
Commerce Department Announces New Rule Aimed at Stemming Sale of Hacking Tools to Russia and China
The Commerce Department on Wednesday announced a long-awaited rule that officials hope will help stem the export or resale of hacking tools to China and Russia while still enabling cybersecurity collaboration across borders. The rule, which will take effect in 90 days, would cover software such as Pegasus, a potent spyware product sold by the Israeli firm NSO Group to governments that have used it to spy on dissidents and journalists.
New Attack ‘Clones’ and Abuses Your Unique Online ID via Browser Fingerprinting
Researchers have developed a method to copy the characteristics of a victim’s web browser using browser fingerprinting techniques, and thereafter ‘impersonate’ the victim. The technique has multiple security implications: the attacker can carry out damaging or even illegal online activities, with the ‘record’ of those activities attributed to the user; and two-factor authentication defenses can be compromised, because an authenticating site believes that the user has been successfully recognized, based on the stolen browser fingerprint profile.
What do you think about the new rule aimed at stemming the sale of hacking tools to Russia and China? Share in the comments below or follow me on Twitter to continue the conversation: @JonLClay.