01-Sep-23: In Security News Today

MSSQL Databases Under Attack by FreeWorld Ransomware

A cyberattack campaign called DB#JAMMER has been targeting exposed Microsoft SQL Server (MSSQL) databases, using brute-force attacks to deliver ransomware and Cobalt Strike payloads. The attackers establish persistence on the host by running shell commands and deploy various tools, including remote-access Trojans (RATs) and a new ransomware variant called FreeWorld. The campaign exhibits a high level of sophistication and is still ongoing, posing a medium to high risk to organizations.

Key Group Ransomware Foiled by New Decryptor

Researchers at EclecticIQ have developed a free tool to decrypt data compromised by the Key Group ransomware. Key Group, a low-sophistication threat actor whose ransomware uses AES encryption, was cracked due to flaws in its cryptographic implementation. Security teams can protect against Key Group ransomware by disabling non-essential remote desktop protocols, restricting application execution, and establishing a secure backup strategy.

Russian State-Backed ‘Infamous Chisel’ Android Malware Targets Ukrainian Military

A Russian state-sponsored actor known as Sandworm has been identified as the source of mobile malware called ‘Infamous Chisel,’ which targets Android devices used by the Ukrainian military. The malware enables unauthorized access, file scanning, traffic monitoring, and periodic information theft. Sandworm is associated with the Russian Main Intelligence Directorate’s Main Centre for Special Technologies (GTsST) and has been active since at least 2014, known for its disruptive and destructive cyber campaigns.

Threat Actors Adopt, Modify Open Source ‘SapphireStealer’ Information Stealer

Multiple threat actors have adopted and modified the open-source information stealer known as ‘SapphireStealer’ after its source code was released on GitHub. The malware, written in .NET, can gather system data, take screenshots, target specific files, and collect cached browser credentials. Threat actors have been using and enhancing this malware in various attacks, with modifications focusing on improving data exfiltration capabilities and alerting the operators to new infections.

Sourcegraph Discloses Data Breach Following Access Token Leak

Code search and navigation platform Sourcegraph experienced a data breach after an engineer accidentally leaked an admin access token. The breach was identified after a surge in API usage prompted an investigation. While customer information such as names and email addresses may have been accessed, there is no evidence that the data was viewed, modified, or copied.

New SuperBear Trojan Emerges in Targeted Phishing Attack on South Korean Activists

A new phishing attack targeting civil society groups in South Korea has uncovered a remote access trojan called SuperBear. The attack involved sending a malicious LNK file to an activist, which launched a PowerShell command to execute a Visual Basic script that fetched the next-stage payloads from a compromised WordPress website. SuperBear establishes communication with a remote server to exfiltrate data and to download and run additional commands and DLLs.

Classiscam Scam-as-a-Service Raked In $64.5 Million During the COVID-19 Pandemic

The Classiscam scam-as-a-service program has generated $64.5 million in illicit earnings since 2019. The scam initially started on classified sites and has since become highly automated, targeting various online platforms. The majority of victims are based in Europe, with Germany, Poland, Spain, Italy, and Romania being the most affected countries.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.