Security News

OldGremlin Ransomware Targeted Over a Dozen Russian Entities in Multi-Million Scheme
2022-10-20 16:31

A Russian-speaking ransomware group dubbed OldGremlin has been attributed to 16 malicious campaigns aimed at entities operating in the transcontinental Eurasian nation over the course of two and a half years. In what's a rarity in the ransomware landscape, OldGremlin is one of the very few financially motivated cybercrime gangs that primarily focuses on Russian companies.

New Royal Ransomware emerges in multi-million dollar attacks
2022-09-29 14:32

A new ransomware operation named Royal is quickly ramping up, targeting corporations with ransom demands ranging from $250,000 to over $2 million. Royal, aka Royal Zeon, is a relatively new operation that launched in June 2022 and consists of a group of vetted and experienced ransomware actors from previous operations.

Multi-platform Chaos malware threatens to live up to its name
2022-09-28 14:00

Chaos, a new multipurpose malware written in the Go programming language, is spreading across the world. The prevalence of malware written in Go has increased dramatically in recent years due to the language's flexibility, low antivirus detection rates and the difficulty of reverse-engineering it, Black Lotus Labs analysts noted.

Multi-million dollar credit card fraud operation uncovered
2022-09-23 10:00

A massive operation that has reportedly siphoned millions of USD from credit cards since its launch in 2019 has been exposed and is considered responsible for losses for tens of thousands of victims. The site operators, thought to originate from Russia, operate an extensive network of bogus dating and customer support websites and use them to charge credit cards bought on the dark web.

New Linux malware evades detection using multi-stage deployment
2022-09-06 15:34

A new stealthy Linux malware known as Shikitega has been discovered infecting computers and IoT devices with additional payloads. The malware exploits vulnerabilities to elevate its privileges, adds persistence on the host via crontab, and eventually launches a cryptocurrency miner on infected devices.

How a business email compromise attack exploited Microsoft’s multi-factor authentication
2022-08-25 20:06

To protect the victim's account, the organization had implemented Microsoft MFA through the Microsoft Authenticator app, which should have stopped any use of stolen credentials. However, Microsoft MFA doesn't always require a second form of authentication.

Cookie theft threat: When Multi-Factor authentication is not enough
2022-08-22 19:44

Once authenticated, a session cookie maintains the session state and the user's browsing session stays authenticated. Each cookie stored in the browser's database contains a list of parameters and values, including in some cases a unique token provided by the web service once authentication is validated.

Exploiting stolen session cookies to bypass multi-factor authentication (MFA)
2022-08-19 05:00

Active adversaries are increasingly exploiting stolen session cookies to bypass multi-factor authentication and gain access to corporate resources, according to Sophos. "Over the past year, we've seen attackers increasingly turn to cookie theft to work around the growing adoption of MFA. Attackers are turning to new and improved versions of information-stealing malware like Raccoon Stealer to simplify the process of obtaining authentication cookies, also known as access tokens," said Sean Gallagher, principal threat researcher, Sophos.

Researchers Link Multi-Year Mass Credential Theft Campaign to Chinese Hackers
2022-08-18 16:45

A Chinese state-sponsored threat activity group named RedAlpha has been attributed to a multi-year mass credential theft campaign aimed at global humanitarian, think tank, and government organizations. The adversary's consistent targeting of think tanks and humanitarian organizations over the past three years falls in line with the strategic interests of the Chinese government, the report added.

RubyGems Makes Multi-Factor Authentication Mandatory for Top Package Maintainers
2022-08-17 04:46

RubyGems, the official package manager for the Ruby programming language, has become the latest platform to mandate multi-factor authentication for popular package maintainers, following in the footsteps of NPM and PyPI. To that end, owners of gems with over 180 million total downloads are mandated to turn on MFA effective August 15, 2022. What's more, gem maintainers who cross 165 million cumulative downloads are expected to receive reminders to turn on MFA until the download count reaches the 180 million threshold, at which point it will be made mandatory.