Latest Cyberthreats and Advisories - July 15, 2022
Callback scams, ransomware, Windows attacks and phishing … here are the latest cybersecurity threats and advisories for the week of July 15, 2022.
Threat Advisories and Alerts
North Korea State-Sponsored Cybercriminals Target U.S. Healthcare Organizations
North Korea state-sponsored cyber actors are infecting the systems of U.S. healthcare organizations with Maui ransomware. The malware encrypts the servers of healthcare services—which can freeze up their electronic health care records, diagnostic services, imaging services and other critical functions—disrupting their operations for prolonged periods. Why are healthcare organizations targets? They are more likely to pay ransoms. According to Sophos’ State of Ransomware in Healthcare 2022 report, 61% of healthcare organizations agreed to pay, which is a rate 15% higher than the global average.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-187a
MedusaLocker ransomware strikes again
The MedusaLocker ransomware, first seen in September 2019, was observed again this past May. The ransomware predominantly infects victims’ networks through vulnerabilities in Remote Desktop Protocol, but it may also gain entry via phishing campaigns in which the malware is attached to emails. Like typical ransomware, files are encrypted upon infection and a note provides instructions to pay the ransom. MedusaLocker appears to operate as a Ransomware-as-a-Service, as the ransom payments appear to be split between the developer and the affiliate.
Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-181a
Emerging Threats and Research
Cybercriminals Masquerade as Security Companies in Sophisticated Phishing Campaign
Last Friday, the American cybersecurity company CrowdStrike detected a callback phishing campaign that impersonates legitimate security companies. How does it work? Victims receive an email that says a potential compromise has been found on their network and they should call a phone number to resolve the situation. If victims call, they’ll likely be asked to install malware, which poses as a security update, in their system. While callback phishing is an old scam, the impersonation of a security company adds credibility to the attack.
Source: https://www.crowdstrike.com/blog/callback-malware-campaigns-impersonate-crowdstrike-and-other-cybersecurity-companies/
BlackCat Unleashes New, Aggressive Ransomware Attack
The notorious BlackCat gang has a new, more aggressive ransomware extortion method. While many ransomware attacks encrypt victims’ files and threaten to release sensitive stolen information, BlackCat’s new extortion model combines both of these tactics with two more: a distributed denial of service and a harassment campaign designed to damage the company’s reputation—informing the victims’ business partners, employees, customers and the media that the company was attacked.
Cybercriminals Exploit Follina Vulnerability to Attack Windows Users
A new phishing campaign leverages the recent Follina security vulnerability to distribute the Rozena backdoor on Windows systems. The malware uses shellcode to infect users’ machines. Once it has penetrated a victim’s device, the cybercriminal can take full control of the system. The malware is distributed via email through a weaponized Office document that, once opened, begins the attack.
Source: https://thehackernews.com/2022/07/hackers-exploiting-follina-bug-to.html
Luna Moth Uses Fake Subscription Renewal to Breach Organizations
Subscribers from Duolingo, Masterclass and Zoho services have been targeted by the Luna Moth cybercriminal gang in yet another callback phishing campaign. Victims are notified via email that their subscription is ending and will be automatically renewed within 24 hours—unless they call a phone number. Once dialed, they are instructed to download a remote access tool on their system, which the bad actors then use to steal confidential information and threaten to publicly expose it unless the ransom is paid.
Windows Users Targeted by Raspberry Robin Worm
A Windows worm known as Raspberry Robin has penetrated the cyberdefenses of hundreds of organizations. The worm spreads through infected USB devices that contain a malicious .LNK file, which infects the device when clicked. While Raspberry Robin was first detected in September of last year, security researchers have yet to identify the bad actor’s origins and purpose. Join the thread on the (ISC)² Community.
Source: https://thehackernews.com/2022/07/researchers-warn-of-raspberry-robins.html
To stay updated on the latest cybersecurity threats and advisories, look for weekly updates on the (ISC)² blog. Please share other alerts and threat discoveries you’ve encountered and join the conversation on the (ISC)² Community Industry News board.