A ransomware group is spam bombing victims and then calling to help. Europol suffers another security breach. Google fixes its fifth Chrome zero-day this year. And the US Navy will build a unified cyber defence network. This is Risky Business News, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 13th of May and this podcast episode is brought to you by Okta.
In today's top story, the Black Basta ransomware gang is using a new social engineering tactic to access corporate networks. According to security firm Rapid7, Black Basta operators are flooding the email inboxes of employees of a targeted company. The group then calls affected employees posing as their IT help desk and offering assistance. The campaign has been taking place for a month and its goal has been to install remote access software on the targeted networks.
Rapid7 says Black Basta uses the software to collect credentials and move laterally inside a victim's network.
In other news, Europol has taken its EPE platform offline in the aftermath of a security breach. The agency started an investigation into the breach hours after a threat actor listed alleged Europol classified documents on a hacking forum. The data was leaked by a hacker named IntelBroker. The same individual previously claimed to have breached the US ICE, the US DOD, HPE and security firm Zscaler.
This marks Europol's second data breach after a first incident in March of last year. The US government has awarded Accenture a $789 million contract to build a unified cyber security platform for the US Navy. The platform will be named Shark Cage and will allow the Navy to better defend its networks. The contract runs for five years with an option to renew for another five.
Threat actors are exploiting three vulnerabilities in the Arcserve Unified Data Protection Backup and Disaster Recovery server to gain access to victim networks. Attacks were detected in the wild by the UK's National Health System. The NHS says attacks started after a cyber security firm published proof-of-concept exploit code online.
Google has released an update for its Chrome browser to fix a zero-day exploited in the wild. The zero-day is a vulnerability in Chrome's visuals component, a collection of libraries for interacting with the GPU. This is the fifth Chrome zero-day Google patched this year.
The Christie's auction house shut down its website last week in the aftermath of a cyber attack. The attack took place ahead of a week of major auctions expected to bring in around $840 million in sales. The company's website was supposed to allow remote customers to place bids for its auctions. Christie's officials didn't share any details and described the incident as a technology security issue.
The Ohio Lottery says the personal data of almost 540,000 customers was stolen in a ransomware attack last December. A ransomware group named DragonForce took credit for the incident. The group leaked more than 94 gigabytes of files in late January after the Ohio Lottery refused to pay the ransom.
South Korean authorities have sentenced a security expert to four years in prison. The individual hacked apartment video intercoms, secretly recorded footage from inside people's homes and sold intimate videos online. Authorities say the individual hacked over 400,000 smart home intercoms installed across 638 apartment complexes.
Police discovered over 200 videos and over 400,000 images on his PC after they arrested the suspect in December 2022.
Europol has arrested six Austrians suspected of orchestrating an initial coin offering scam. Officials claim the group pretended to operate an online trading company, issued a cryptocurrency token and then absconded with its customers' money. The six were arrested in Cyprus last week. The alleged scam took place in late 2017 and early 2018. Officials didn't share the name of their platform.
British authorities have fumbled the arrest of a suspected Israeli man who acted as a hacker-for-hire for a US PR company. Authorities arrested Amit Forlit at the London airport earlier this month but failed to arraign him in court in due time. Reuters reports that Forlit was set free last week and his current whereabouts are unknown.
Iranian APT group MuddyWater is increasingly adopting residential proxies to hide its operations. Security firm Obsidian says the group relies on residential proxies when accessing previously phished accounts. Operators will employ a residential IP from a victim's local area to bypass enterprise geographic restriction policies and access accounts without triggering security alerts.
A botnet named Kinsing is exploiting vulnerabilities in over 75 different applications to breach systems and deploy a crypto miner. 90% of the targets are open source applications. According to Aqua Security, the botnet has been active since 2019 and receives updates almost on a weekly basis. The Activator macOS malware gang ramped up operations in March this year in a campaign that's still active.
The malware works by replacing legitimate versions of the Exodus and Bitcoin-Qt cryptocurrency wallets with malicious ones that steal a user's funds. According to Microsoft's security team, the malware is distributed via pirated versions of legitimate macOS apps. Once installed, Activator turns off macOS Gatekeeper and disables the Notification Center to hide its presence on infected systems.
Kaspersky researchers have found critical vulnerabilities in Cinterion cellular modems. The vulnerabilities allow threat actors to take over modems using a malicious SMS message. Telit Cinterion cellular modems are typically embedded in industrial and IoT equipment to allow remote management. Telit released firmware updates for all bugs at the end of last year.
And finally, Mozilla is adding a new privacy feature named Bounce Tracking Protection to its Firefox web browser. Bounce tracking is a new tracking technique that became popular after major browsers started phasing out third-party cookies. It works by redirecting users through intermediary URLs before allowing them to access a desired site.
Bounce Tracking Protection will try to detect these redirects and only take users to their final destination. The new feature is currently being tested in Firefox Nightly releases. And that is all for this podcast edition. Today's show was brought to you by our sponsor, Okta. Find them at okta.com. Thanks for your company.
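The bounce-tracking technique from the Firefox item, as an added example that is not part of the podcast script and is not Mozilla's own implementation. It models a navigation chain as a list of hop records, flags intermediary sites that the user only passed through (brief stay, no interaction) while they touched storage, and plans a storage purge for flagged sites the user never later interacted with. The hop record shape, the dwell-time threshold, the naive site key and the sample chains are all constructed assumptions for illustration.

```javascript
// Added example (not Mozilla's code): a simplified bounce-tracking heuristic.
// Each hop is an assumed record: { site, dwellMs, userInteracted, accessedStorage }.

const MAX_BOUNCE_DWELL_MS = 1500; // assumption: shorter stays count as a pass-through redirect hop

function siteKey(hostname) {
  // Assumption: naive "last two labels" site key; real browsers use the Public Suffix List.
  return hostname.split('.').slice(-2).join('.');
}

// Returns the chain's final destination plus the intermediaries that look like bounce trackers:
// third-party sites the user passed through briefly, without interacting, that accessed storage.
function analyzeNavigationChain(hops) {
  if (hops.length === 0) throw new Error('empty navigation chain');
  const origin = siteKey(hops[0].site);
  const destination = siteKey(hops[hops.length - 1].site);
  const flagged = [];
  for (const hop of hops.slice(1, -1)) { // only intermediaries can be bounce trackers
    const site = siteKey(hop.site);
    if (site === origin || site === destination) continue; // same-site hops are ordinary redirects
    const passThrough = hop.dwellMs <= MAX_BOUNCE_DWELL_MS && !hop.userInteracted;
    if (passThrough && hop.accessedStorage && !flagged.includes(site)) flagged.push(site);
  }
  return { destination, flagged };
}

// Storage purge plan: flagged candidates are cleared unless the user has since
// interacted with that site directly (interaction is the usual "keep" signal).
function planStoragePurge(candidateSites, interactedSites) {
  return candidateSites.filter((site) => !interactedSites.has(site));
}

// Constructed sample chains (not real traffic).
const trackedChain = [
  { site: 'news.example', dwellMs: 30000, userInteracted: true, accessedStorage: true },
  { site: 'track.adnet.example', dwellMs: 120, userInteracted: false, accessedStorage: true },
  { site: 'shop.example', dwellMs: 45000, userInteracted: true, accessedStorage: true },
];

const benignChain = [
  { site: 'news.example', dwellMs: 30000, userInteracted: true, accessedStorage: true },
  { site: 'sso.idp.example', dwellMs: 8000, userInteracted: true, accessedStorage: true }, // user logged in here
  { site: 'shop.example', dwellMs: 45000, userInteracted: true, accessedStorage: true },
];

function demo() {
  const tracked = analyzeNavigationChain(trackedChain);
  const benign = analyzeNavigationChain(benignChain);
  const purge = planStoragePurge(tracked.flagged, new Set(['shop.example']));
  return { tracked, benign, purge };
}

console.log(JSON.stringify(demo(), null, 2));
```

The benign chain shows the edge case the heuristic must get right: a sign-on redirect also sits between origin and destination and also sets storage, but the user interacted with it, so it is not treated as a tracker. A browser-grade version would additionally rate-limit candidates over time and use the Public Suffix List rather than the two-label site key assumed here.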