Security Digest 7E6-16

Here are this week’s highlights in cybersecurity:

A new strain of ransomware called Goodwill, has unusual demands in exchange for the decryption key. The malware is forcing its victims to donate to the poor and provide food and financial assistance to those in need. To prove task completion, the India-based hacker group asks victims to post videos and selfies on social media. More
Clop ransomware gang is back hitting 21 victims in one month. This made them the 4th most active group in April compared to being last in March. Until last year, when several of the group members were arrested, Clop laundered $500 million in ransoms. More
According to Verizon’s 2022 Data Breach Investigation Report 82% of breaches involved some kind of human error. 96% of breaches have financial motives, the other 4% covering protest, curiosity, pride, grudge or personal offence. Web applications are the main entry points for breaches (over 40%). Credentials and personal data are the favorite data type of criminal actors because they are so useful for masquerading as legitimate users on the system. 80% of the breaches can be attributed to stolen credentials. More
New Office vulnerability dubbed “Follina” allows code execution via Microsoft Diagnostic Tool without the need for macros. In RTF documents, the exploit works by just previewing the file. More
Vodafone is piloting carrier-level user tracking for targeted ads. The system is called TrustPid and is currently in a testing phase in Germany. Vodafone plans to assign each customer a tracking id and associate all traffic with it. More
An international law enforcement operation involving 11 countries has resulted in the takedown of one of the fastest-spreading mobile malware to date. Known as FluBot, this Android malware has been spreading aggressively through SMS, stealing passwords, online banking details and other sensitive information from infected smartphones across the world. More
Latest iteration of XLoader malware uses a probability based approach to camouflage its Command-and-Control (C2) infrastructure. The stealthiness comes from the fact the domain name for the real C2 is hidden in a list of 64 decoy domains. The first eight domains are overwritten with new random values before each communication cycle while taking steps to skip the real domain. The real C2 server is accessed in every communication cycle, or once in approximately 80-90 seconds. After one million malware launches, only in one case the malware might not access the real C&C server in a period of 2.5 hours of run-time. More
Former OpenSea Head of Product was charged with NFT insider trading. His position allowed him to sell NFTs at profits of two to five-times his initial purchase price. He is charged with one count of money laundering and one count of wire fraud, carrying a maximum of 20 years in prison each. More
New 0-day in Atlassian Confluence allows attackers to execute code on exploited servers. No fix available yet and the vulnerability is exploited in the wild. According to a report, attackers deploy JSP web shells to maintain access and perform additional reconnaissance. More
SideWinder also known as RattleSnake and T-APT-04, has been one of the most aggressive threat actors in the past couple of years. Main characteristics of this group, are the sheer number, high frequency and persistence of their attacks and the large collection of encrypted and obfuscated malicious components used in their operations. Kaspersky has detected over a thousand attacks by this APT actor since April 2020. More