As technology advances and we become ever more connected to the internet, cybercrime will only get worse. Ransomware had a big year in 2021, and 2022 is almost certain to be bigger. Information security staff will need to watch the attack vectors they already track more closely and widen their coverage to new targets this year.
This post looks at the most notable cybersecurity threats of the past week.
- Latest Ransomware in 2022: “Night Sky”
A new ransomware operation dubbed ‘Night Sky’ has emerged in 2022. It targets corporate networks and steals data for use in double-extortion attacks.
The Night Sky operation began on December 27th, according to MalwareHunterTeam, which was the first to identify the new ransomware; the gang has since published the data of two victims.
One of the victims received an initial ransom demand of $800,000 in exchange for a decryptor and the promise that the stolen data would not be made public.
How Night Sky Ransomware Encrypts Data
Each Night Sky ransomware sample is customized for its victim, with a bespoke ransom note and hardcoded login credentials for the victim’s negotiation page.
When launched, the ransomware will encrypt all files except those ending with the .dll or .exe file extensions.
In addition, the ransomware will not encrypt files or folders in the following locations: windows, windows.old, google, opera, Mozilla, Mozilla Firefox, recycle bin, all programs, and all users.
Night Sky appends the .nightsky extension to the names of the files it encrypts.
A ransom note named NightSkyReadMe.hta is included in each folder, and it contains information about what was stolen, contact emails, and hardcoded credentials to the victim’s negotiation page.
Instead of communicating with victims through a Tor site, Night Sky uses email addresses and a simple website powered by Rocket.Chat. The credentials in the ransom note are used to log in to the Rocket.Chat URL it specifies.
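The traits above (the .nightsky extension, the NightSkyReadMe.hta note dropped in every folder, and the skipped extensions and folders) are enough to write a first-pass triage script for an incident. The following is an added example, not code from the original post or from any vendor: it flags the two artifacts in a file listing, recovers the original file names, and uses the described exclusion rules to say which paths would be expected untouched. Folder names are taken exactly as the post lists them, and the sample listing is constructed.

```python
"""Defender-side triage for the Night Sky traits described in the post.

Added example, not from the original post. Flags .nightsky files and the
NightSkyReadMe.hta ransom note in a file listing and applies the post's
exclusion rules. The SAMPLE_LISTING below is constructed, not real data."""
import os
from pathlib import PureWindowsPath

ENCRYPTED_EXT = ".nightsky"
RANSOM_NOTE = "nightskyreadme.hta"
SKIPPED_EXTS = {".dll", ".exe"}
# Folder names the post says Night Sky skips, compared case-insensitively.
SKIPPED_DIRS = {"windows", "windows.old", "google", "opera", "mozilla",
                "mozilla firefox", "recycle bin", "all programs", "all users"}

# Constructed sample listing, e.g. from an EDR file inventory or a `dir /s` export.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.nightsky",
    r"C:\Users\alice\Documents\NightSkyReadMe.hta",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Shares\finance\q4.pdf.nightsky",
    r"C:\Shares\finance\NightSkyReadMe.hta",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Program Files\App\tool.exe",
]


def triage(paths):
    """Group Night Sky artifacts found in a list of paths.

    Returns a dict with the ransom notes, the encrypted files (paired with the
    original file name recovered by stripping the extension) and the set of
    directories that show any artifact."""
    report = {"ransom_notes": [], "encrypted_files": [], "affected_dirs": set()}
    for p in paths:
        path = PureWindowsPath(p)          # accepts both \ and / separators
        name = path.name.lower()
        if name == RANSOM_NOTE:
            report["ransom_notes"].append(p)
            report["affected_dirs"].add(str(path.parent))
        elif name.endswith(ENCRYPTED_EXT):
            original = path.name[: -len(ENCRYPTED_EXT)]
            report["encrypted_files"].append((p, original))
            report["affected_dirs"].add(str(path.parent))
    return report


def expected_untouched(p):
    """True if the post's exclusion rules mean Night Sky would leave this file alone."""
    path = PureWindowsPath(p)
    if path.suffix.lower() in SKIPPED_EXTS:
        return True
    return any(part.lower() in SKIPPED_DIRS for part in path.parts[:-1])


def scan_directory(root):
    """Walk a real directory tree and triage every file found."""
    found = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage(found)


if __name__ == "__main__":
    rep = triage(SAMPLE_LISTING)
    print(f"{len(rep['ransom_notes'])} ransom notes, "
          f"{len(rep['encrypted_files'])} encrypted files in "
          f"{len(rep['affected_dirs'])} directories")
    for p, original in rep["encrypted_files"]:
        print(f"  {p}  (was {original})")
```

The exclusion check is useful during scoping: a .nightsky file inside one of the listed folders, or a renamed .exe, would not match the described behaviour and points either at a different variant or at a different problem altogether.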
- Thousands of school websites were down due to the FinalSite ransomware attack.
A ransomware attack has disrupted access to websites for thousands of schools around the world, according to FinalSite, a renowned school website services provider.
FinalSite is a software as a service (SaaS) company that provides K-12 school districts and institutions with website design, hosting, and content management systems. FinalSite claims to have solutions in place for more than 8,000 institutions and universities in 115 countries.
How the FinalSite attack happened
On January 4th, school districts that used FinalSite to host their websites discovered that their sites were no longer accessible or were displaying errors.
At the time, FinalSite did not reveal that it had been attacked, stating instead that it was experiencing errors across several services, mostly affecting its Composer content management system.
According to a school IT administrator, who had to send letters to parents informing them of the outage, FinalSite gave no estimate of when services would be restored.
On January 6th, FinalSite revealed that a ransomware attack on its network was to blame for the disruption, which lasted three days.
- Facebook has launched a “Privacy Center” to educate users about data collection and privacy settings.
Meta Platforms, formerly known as Facebook, announced the launch of a centralized Privacy Center on Friday 7th, with the goal of “educating people” about how it gathers and handles personal information across its family of social media apps.
In a news statement, the social technology firm stated, “Privacy Center gives helpful information on five frequent privacy topics: sharing, security, data collecting, data use, and ads.”
Security will be the initial module, and it will provide quick access to basic features like account security settings and two-factor authentication. The Collection and Use modules will let users see what data Meta collects and understand how and why it is used. Sharing will reveal information on post visibility and options for archiving or deleting outdated posts. Finally, the Ads section will provide details about users’ ad preferences.
The learning hub is expected to be limited to a small group of people who use Facebook on the desktop in the United States at first, with plans to expand to a larger group of users and more of Facebook’s apps in the coming months. On the desktop version of Facebook, users participating in the test will visit Privacy Center by going to Settings and Privacy.
Privacy Center joins a slew of other tools previously available from the internet giant, such as Privacy Shortcuts and Privacy Checkup, which both walk users through some of the platform’s privacy and security settings and allow them to evaluate their selections. The new feature stands out because it aims to be a one-stop-shop for navigating the numerous privacy and security choices available across Facebook, Instagram, and WhatsApp.
The report singled out Facebook and Google for their “privacy-intrusive default settings, misleading wording, giving users the illusion of control, hiding away privacy-friendly choices, take-it-or-leave-it choices, and choice architectures where choosing the privacy-friendly option requires more effort for the users”, in effect punishing users for choosing privacy over sharing.
Over the years, Facebook’s privacy controls have sparked outrage for being incomprehensible to the point of being ineffective in protecting users’ data, thanks in part to labyrinthine menus and opaque terminology designed to discourage users from adopting privacy-friendly choices on the platform.
- Malware could use a new trick to spy on users by secretly faking an iPhone shutdown.
Researchers have revealed a new method by which malware on iOS could gain persistence on an infected device by imitating the shutdown process, making it impossible to tell by physical inspection whether an iPhone is on or off.
The finding, dubbed “NoReboot,” was made by mobile security firm ZecOps, which discovered that it is feasible to stop and then replicate an iOS rebooting operation, fooling the user into thinking the phone has been turned off when it has not.
How the NoReboot Malware works on iPhone
NoReboot works by interfering with iOS’s shutdown and restart procedures, effectively preventing them from ever occurring in the first place and allowing a trojan to gain persistence without really turning the device off.
This is done by injecting specially crafted code into three iOS daemons, namely InCallService, SpringBoard, and backboardd, to mimic a shutdown by suppressing all the audio-visual cues of a powered-on device, such as the screen, sounds, vibration, the camera indicator, and touch feedback.
NoReboot makes the device appear to have been turned off without actually powering it down, by hijacking the event that fires when the user presses and holds the side button together with one of the volume keys and then drags the “slide to power off” slider.
Even though all physical input has been disabled, the phone remains fully functional and can keep an active internet connection. Whether the phone was ‘switched off’ by the victim or by hostile actors using a ‘low battery’ pretext, the user believes it is off, so the malicious actor can remotely manipulate the phone without worrying about being detected.
If the user later chooses to turn the phone back on, the malware commands backboardd, the daemon that handles all touch and physical button events, to display the Apple logo boot animation while the malicious code remains in place.
Furthermore, the technique could in theory be extended to a forced restart of the iPhone: by making the Apple logo appear a few seconds earlier than normal when backboardd records such an event, the victim could be tricked into releasing the side button before the force restart is actually triggered.
Although no malware has been detected or publicly documented using a method similar to NoReboot, the findings show that once an adversary has gained access to a target device, even the iOS restart process can be hijacked, something that is well within reach of both nation-state groups and cyber mercenaries.
- Patchwork APT Hackers Score Own Goal in Recent Malware Attacks
Threat hunters have shed light on the tactics, techniques, and procedures used by Patchwork, an Indian-origin hacking group, as part of a renewed campaign that began in late November 2021 and targeted Pakistani government entities and individuals working in molecular medicine and biological science research.
Ironically, all of the information we gathered was made possible by the threat actor infecting themselves with their own [remote access trojan], which resulted in captured keystrokes and screenshots of their computer and virtual machines.
The latest campaign is similar in that the adversary entices potential victims with RTF documents posing as Pakistani authorities, which then serve as a conduit for the distribution of Ragnatela, a new variant of the BAD NEWS trojan that allows the operators to run arbitrary commands, capture keystrokes and screenshots, list and upload files, and download additional malware.
The new lures, ostensibly from the Pakistan Defence Officers Housing Authority (DHA) in Karachi, include a Microsoft Equation Editor exploit used to compromise the victim’s PC and execute the Ragnatela payload.
However, in a case of OpSec failure, the threat actor also infected their own development machine with the RAT, which allowed Malwarebytes to unmask a number of its tactics, including the use of dual keyboard layouts (English and Indian), as well as the use of virtual machines and VPNs like VPN Secure and CyberGhost to hide their IP address.
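The delivery mechanism in this campaign, an RTF lure carrying an Equation Editor object, is something a mail gateway or triage queue can screen for. The following is an added example, not code from the original post or from Malwarebytes’ research: a heuristic that reports whether an RTF file embeds an OLE object whose class refers to Equation Editor, by reading the clear-text `\objclass` control word and by decoding the hex-encoded `\objdata` blob. It does not identify any exploit; an Equation Editor object in a modern document is simply unusual enough to warrant a closer look. The marker strings ("Equation.3" is the ProgID, "Equation Native" the stream name) are standard, and the sample RTF bytes are constructed, not a real lure.

```python
"""Triage heuristic for RTF documents embedding an Equation Editor object.

Added example, not from the original post or from any vendor. Reports where
an Equation Editor object appears; it does not detect or handle any exploit.
SAMPLE_RTF and BENIGN_RTF are constructed inputs."""
import re

# Strings that identify an Equation Editor (Equation 3.0) OLE object:
# "Equation.3" is its ProgID, "Equation Native" the stream name inside the object.
EQUATION_MARKERS = (b"Equation.3", b"Equation Native")

OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\s{}\\]+)", re.IGNORECASE)
OBJDATA_RE = re.compile(rb"\\objdata\b([^{}]*)", re.IGNORECASE)
NON_HEX_RE = re.compile(rb"[^0-9a-fA-F]")

# Constructed RTF with one embedded object whose OLE1 header names Equation.3
# (version, format id, class-name length, "Equation.3\0", then padding).
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0 Lure text goes here.\n"
    b"{\\object\\objemb{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 01050000 02000000 0b000000 4571756174696f6e2e3300"
    b" 00000000 00000000}}}"
)
BENIGN_RTF = b"{\\rtf1\\ansi Just text, no embedded objects.}"


def decode_objdata(blob):
    """Drop whitespace and other non-hex bytes, then decode the hex OLE object."""
    hexdata = NON_HEX_RE.sub(b"", blob)
    if len(hexdata) % 2:            # tolerate a truncated trailing nibble
        hexdata = hexdata[:-1]
    return bytes.fromhex(hexdata.decode("ascii"))


def find_equation_objects(rtf):
    """Return a list of human-readable findings for Equation Editor objects.

    Word accepts a header truncated to "{\\rt", so that prefix is checked rather
    than the full "{\\rtf1"; non-RTF input yields no findings."""
    findings = []
    if not rtf.lstrip().startswith(b"{\\rt"):
        return findings
    for m in OBJCLASS_RE.finditer(rtf):
        cls = m.group(1)
        if cls.lower().startswith(b"equation"):
            findings.append(f"objclass {cls.decode('ascii', 'replace')}")
    for i, m in enumerate(OBJDATA_RE.finditer(rtf)):
        decoded = decode_objdata(m.group(1))
        for marker in EQUATION_MARKERS:
            if marker in decoded:
                findings.append(f"objdata #{i} contains {marker.decode()}")
    return findings


def scan_file(path):
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return find_equation_objects(fh.read())


if __name__ == "__main__":
    for label, data in (("sample lure", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        hits = find_equation_objects(data)
        print(f"{label}: {hits if hits else 'no Equation Editor object'}")
```

Because the `\objdata` check works on the decoded bytes, it still fires when the clear-text `\objclass` has been omitted; legitimately authored documents containing old equations will also match, so treat a hit as a reason to detonate or inspect the file, not as a verdict.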
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.