Plus, Flubot gets beat, DogWalk gets curbed, and Evil Corp tries to hide.
In a joint Cybersecurity Advisory by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Treasury, and the Financial Crimes Enforcement Network (FinCEN), the four U.S. agencies warned businesses about the tactics, techniques, and procedures (TTPs) of the Karakurt data extortion group. Unlike ransomware groups, Karakurt does not encrypt data, it simply steals it. The group then threatens the victimized business with auctioning the sensitive data if the company does not pay the extortion fee. The alert says the fee typically ranges between $25,000 to $13,000,000 in Bitcoin.
“This is an interesting plot twist,” commented Avast Security Evangelist Luis Corrons. “Ransomware gangs started stealing data and using extortion to enforce payment when victims refused to pay as they had their own backups. Now this group has figured out that they can skip the encryption process altogether. They do not have to invest in ransomware, providing keys, etc. It has yet to be seen if this ‘business model’ will be more successful than the traditional ransomware one, where victims tend to lose access to all their data.” Karakurt typically gives the business a week to pay, and it piles on the pressure by harassing the company’s employees and clients with phone calls urging them to get the business to comply with the demands. For more, see ZDNet.
Europol takes down Flubot…maybe
This week, Europol announced that an operation involving authorities from 11 countries has succeeded in disrupting the fast-spreading Android mobile malware known as Flubot. The botnet’s aggressive attack tactics are due to its ability to access contacts on whatever device it infects, sending out phishing messages that continue its spread. Flubot has been known to steal passwords, online banking details, and other sensitive information. Dutch police say they managed to deactivate the malware strain, but the investigation is ongoing as Europol tries to identify the criminals behind it. While Flubot may be down for now, history has shown that botnets are exceedingly difficult to eradicate completely. For more, see Cyberscoop.
Free unofficial patch released for Windows “DogWalk” flaw
Because Microsoft has not deemed the “DogWalk” flaw a security issue, the opatch platform has taken it upon itself to release free patches for users. DogWalk is a 0-day exploit that uses a path traversal flaw to copy an executable to the Windows Startup folder. Then, the next time the user starts Windows, the malicious executable is executed. In order for a user to become a victim, they must unwittingly click on a malicious .diagcab file. Microsoft says Outlook users are not at risk from this exploit because .diagcab files are automatically blocked. Some security researchers believe the bug is still a valid attack vector, so opatch created free patches for any user. For more on this story, see Bleeping Computer.
Next version of Apple CarPlay integrates deeper
At Apple’s Worldwide Developers Conference (WWDC) this week, the company teased some details about the next generation of the CarPlay platform, the Apple feature that allows iPhone uses to control and view certain apps on their dashboard display. The next version of the feature will more deeply integrate with the car’s hardware, allowing the user to adjust climate controls, seat heaters, radio stations, and more. It will also take over the car’s instrument cluster, displaying the current speed, fuel and battery levels, RPMs, navigation details, and other information, all through Apple’s own UI. To learn more, see Ars Technica.
Evil Corp cybercrime group shifts to LockBit ransomware
Cybersecurity researchers believe the Russia-based cybercrime group Evil Corp may be reinventing themselves as a threat cluster known as UNC2165, which uses LockBit ransomware instead of Evil Corp’s usual Hades ransomware. In an analysis on the issue, researchers noted “These actors have shifted away from using exclusive ransomware variants to LockBit – a well-known ransomware as a service (RaaS) – in their operations, likely to hinder attribution efforts in order to evade sanctions.” Some law enforcement agencies have imposed ransomware sanctions that bar victims from negotiating with the threat actors. For more on this story, see The Hacker News.
This week’s must-read on the Avast blog
How we interact with social media has profound effects on how we navigate the real world. That's why it's important to foresee and prevent digital burnout.