Security News
The new PayloadBIN ransomware has been attributed to the Evil Corp cybercrime gang, rebranding to evade sanctions imposed by the US Treasury Department's Office of Foreign Assets Control. As cybergangs started to transition to highly profitable ransomware attacks, Evil Corp launched a ransomware operation called BitPaymer, which was delivered via the Dridex malware in compromised corporate networks.
The US Department of Justice announced today that a Latvian national was charged over her alleged role as a malware developer in the Trickbot transnational cybercrime organization. As a Trickbot malware developer, Witte wrote the code the malware used to control, deploy, and manage payments of ransomware, the DOJ said in a press release published today.
The memo, from deputy national security advisor for Cyber and Emerging Technology Anne Neuberger, said the private sector has a "critical responsibility" to protect its businesses against ransomware. "Much as our homes have locks and alarm systems and our office buildings have guards and security to meet the threat of theft, we urge you to take ransomware crime seriously and ensure your corporate cyber defenses match the threat."
The group, identified as the Sodinokibi REvil ransomware gang, also said it was not afraid of being labeled a cyber-terrorist group. The validity of the REvil source cannot be independently confirmed by Threatpost; however, the REvil ransomware gang has used the Russian OSINT channel several times to discuss criminal activities such as future targets, alliances and revenue.
A Nigerian national was arrested recently in the United States on charges related to hacking into user accounts at a payroll processing company, to steal payroll deposits. The man, Charles Onus, 34, who was arrested in San Francisco on April 14, is accused of participating in a scheme that resulted in the compromise of approximately 5,500 user accounts at an unnamed human resources and payroll services company in the U.S. In 2017 and 2018, Onus allegedly employed a credential stuffing attack to gain unauthorized access to user accounts at the targeted company.
Today, the US Supreme Court restricted the scope of the federal Computer Fraud and Abuse Act after overturning the conviction of a Georgia police officer who searched a police database in exchange for money. The CFAA is a cybersecurity law created in 1986 that prohibits unauthorized access to computer systems and networks, or acts that "exceed authorized access." Due to the vague wording of the law, the CFAA can be broadly interpreted to cover harmless actions such as violating a website's terms of service or violating corporate policies by using work devices to access personal accounts on social sites.
A new White House memo to business leaders underscores the threat of ransomware and offers advice on how to protect their companies. Following recent cyberattacks against key operations in the U.S., the White House is pushing companies to take ransomware seriously and beef up their defenses against it.
As Secureworks and Volexity shed light on a new spear-phishing campaign unleashed by the Russian hackers who breached the SolarWinds IT management software, the U.S. Department of Justice said Tuesday it had intervened to take control of two command-and-control and malware distribution domains used in the campaign. Com - were used to communicate with and control a Cobalt Strike beacon called NativeZone that the actors implanted on the victim networks.
The Justice Department said Tuesday that it has seized two domain names used in a cyberespionage campaign that targeted U.S. and foreign government agencies, think tanks and humanitarian groups. The campaign was disclosed last week by Microsoft, which linked it to the same group of Russian intelligence operatives responsible for the massive SolarWinds intrusion that breached federal agencies and private corporations.
The US Department of Justice has seized two Internet domains used in recent phishing attacks impersonating the U.S. Agency for International Development to distribute malware and gain access to internal networks. Com and were used to receive data exfiltrated from victims of the targeted phishing attacks and to send further commands for the malware to execute on infected machines.