By Jon Munshaw.
The one big thing
Why do I care?
Although the scope of this attack is so far limited, the attackers appear fairly sophisticated, and their use of off-the-shelf tools makes them hard to track or attribute to a known APT. The infostealers ModernLoader drops can harvest users’ login credentials and details about the targeted machine, both of which could be reused in future attacks. And any cryptominer saps the target machine’s processing power and electricity, costing the victim time and money.
So now what?
Talos has released new Snort rules and OSQuery queries to detect activity from this campaign; deploy them immediately. This actor mainly relies on fake Amazon gift card offers as a lure, so be extra vigilant for that type of scam, on top of the general rule that any deal that seems too good to be true probably is.
Top security headlines from the week
A widespread cyberattack is affecting government services in Montenegro, including water supply systems, transportation services and online government services. Montenegrin officials were quick to blame Russian state-sponsored actors for the attack earlier this week, calling it the largest attack of this type the country has ever faced. The FBI sent a dedicated cybersecurity team to the country to help restore services as quickly as possible. The Cuba ransomware group took credit for the attack, claiming to have stolen financial documents and more. Cuba collected $43.9 million in ransom payments last year, according to the FBI. (CBS News, Recorded Future)
A new warning from the FBI highlighted several recent attacks against decentralized finance (DeFi) platforms that have led to the loss of millions of dollars’ worth of cryptocurrency. The advisory says attackers are exploiting individual vulnerabilities in popular DeFi platforms’ smart contracts and signature verification systems to break into users’ wallets, or chaining several flaws together to manipulate digital currency pricing. Though the FBI told these platforms to analyze and patch their code, users should also investigate a platform’s security before choosing to store or invest their cryptocurrency there. (ZDNet, Gizmodo)
The U.S. Federal Trade Commission is suing a large data broker for selling location data on millions of mobile devices that could be used to track individuals directly. The suit alleges the company did not anonymize the precise location data it collected from cell phones before selling it to third parties, so anyone holding the data could reconstruct a person’s movements. The suit specifically highlights that this could reveal whether someone is homeless, recently visited an abortion clinic, or where they worship. (Ars Technica, Reuters)
Can’t get enough Talos?
- Threat Roundup for Aug. 19 - 26
- Beers with Talos Ep. #125: A(nother) new host approaches!
- Talos Takes Ep. #110: The kinetic and cyber threats Ukrainian agriculture faces
- Three campaigns delivering multiple malware, including ModernLoader and XMRig miner
- Talos Renews Cybersecurity Support For Ukraine on Independence Day
Upcoming events where you can find Talos
Most prevalent malware files from Talos telemetry over the past week
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
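A hash like the one above is only useful if you actually sweep for it. The script below is an added example, not Talos tooling or code from the ModernLoader research: it walks a directory, hashes every regular file in chunks, and reports any file whose digest appears in an IOC set. The first MD5 in the set is the Wextract hash from the telemetry table; the second is md5(b"abc"), a constructed value so the sweep can be exercised offline against a constructed sample directory (the `make_sample_dir` helper and its file names are assumptions for the demonstration).

```python
"""Sweep a directory for files whose hash matches a known IOC.

Added example, not Talos's own tooling. The first MD5 below is the one
listed in the newsletter's telemetry table; the second (md5 of the bytes
b"abc") is a constructed test value so the example runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# IOC list: algorithm -> set of lowercase hex digests.
IOCS = {
    "md5": {
        "93fefc3e88ffb78abb36365fa5cf857c",  # Wextract sample from the telemetry table
        "900150983cd24fb0d6963f7d28e17f72",  # constructed: md5(b"abc"), for offline testing
    },
}

CHUNK = 1 << 20  # hash in 1 MiB chunks so large files need not fit in memory


def hash_file(path, algorithms):
    """Return {algorithm: hexdigest} for one file, reading it only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def sweep(root, iocs=IOCS):
    """Walk `root` and return a list of (path, algorithm, digest) hits.

    Symlinks are neither followed nor hashed, so a crafted link cannot pull
    the sweep outside `root` or into a device file that never returns EOF.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            try:
                digests = hash_file(path, list(iocs.keys()))
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole sweep
            for algo, digest in digests.items():
                if digest in iocs[algo]:
                    hits.append((str(path), algo, digest))
    return hits


def make_sample_dir():
    """Constructed sample input: one file matching the test IOC, one clean file."""
    d = tempfile.mkdtemp(prefix="ioc_sweep_")
    (Path(d) / "evil.bin").write_bytes(b"abc")   # md5 = 900150983cd24fb0d6963f7d28e17f72
    (Path(d) / "clean.bin").write_bytes(b"xyz")  # not in the IOC set
    return d


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_dir()
    for path, algo, digest in sweep(target):
        print(f"IOC HIT {algo}={digest} {path}")
```

Run it against a real path (`python sweep.py /path/to/scan`) or with no argument to sweep the constructed sample. Keep in mind that an MD5 match is exact: a repacked or slightly modified sample produces a different digest, so a hash sweep confirms presence of a known file but never proves absence of the family. Pair it with the content-based Snort and OSQuery detections Talos published for the campaign.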