\nSecurity analysts first spotted the malware in 2018 as the malware related to the Ticketmaster UK exploit<\/a>, and threat actors are still using it in current attacks.
\nThe malware is used to steal credit card information that is later sold to cybercriminals in bulk across the dark web. It takes its name from Magento, an open-source shopping cart application. Hackers will replace the code in the genuine cart software with Magecart code or gain control of abandoned GitHub projects that are then shared across the internet.
\nExperts say that Magecart is an excellent example of the challenges behind keeping vigilant against cyber threats. Most e-commerce storefronts rely on a dozen or so bits of code that include databases, advertising servers, back office systems, and a shopping cart system typically used to collect customer payments.
\nSince shopping carts are commonly the weakest part of any e-commerce site, cybercriminals typically target them as easy prey. Besides, finding the many IOCs used by these shopping carts is challenging.
\nThe cybercriminals behind Magecart use what is commonly known as bulletproof hosting providers, which means law enforcement can't easily terminate their accounts after identifying them. Moreover, criminal gangs known as skimmers employ threat actors who help them collect credit card information from compromised ATMs internationally.
\nMore recently, the malware infected the WooCommerce WordPress plugin and affected websites around the world. Aside from WooCommerce, Magecart has affected the Google Tag manager and has launched a bunch of new attack modes, according to MalwareBytes.
\nTo help protect their e-commerce sites, businesses should scan the code of all third-party plugins for changes and ensure that suppliers also track these changes. Any such code should also be audited frequently to keep it malware-free.<\/p>\n
The asset pack includes:<\/p>\n
- \n
- Cybersecurity training videos<\/li>\n
- 3 white-label presentations<\/li>\n<\/ul>\n<\/div>\n
![\"CTA\"](\"https:\/\/no-cache.hubspot.com\/cta\/default\/5442029\/3b90dfed-10a2-4fae-a7c7-b33eabb374e8.png\")
<\/a><\/span><\/span>\n<\/div>\n![\"Free](\"\/wp-content\/uploads\/2023\/05\/Free-Assets.png\")
<\/div>\n<\/div>\nNew Cactus Ransomware Has a Unique Twist<\/h2>\n
Security analysts report that a new ransomware group is making waves and targeting vulnerabilities in VPN hardware with a unique twist. To avoid detection, the ransomware encrypts itself.
\nKroll LLC security researchers discovered the ransomware, which they have named Cactus, and say it was first spotted in March. It explicitly targets VPN hardware from Fortinet Inc.
\nAfter running the typical ransomware routine, such as spreading itself throughout the network, encrypting and stealing files along its path, it begins its unique obfuscation method, which spectators say is very interesting.
\nMore details are becoming available as researchers examine Cactus ransomware. Bleeping Computer reported<\/a> that the ransomware is using encryption to protect its ransomware binary. The threat actors behind Cactus also use a batch script that accesses the encryptor binary with 7-Zip, thus protecting it from detection by antivirus programs and other security tools.
\nSo far, Cactus has not set up a leak site. The ransom note instructs victims to contact them via either email or a backup chat service to prevent the information from getting leaked and to recover the stolen data.<\/p>\nCisa Adds Linux Vulnerabilities to Its Catalog With Warnings<\/h2>\n
Seven Linux-related vulnerabilities were added to the US Cybersecurity and Infrastructure Agency's catalog with the warning that they are being actively exploited.
\nThese vulnerabilities pose a significant risk to federal enterprises and are described as prevalent attack vectors used by malicious cyber actors.
\nAdded Linux Vulnerabilities
\nAlthough these vulnerabilities are new to CISA's database, they are a mix of old and new CVEs, with one going back to 2010.<\/p>\n- \n
- CVE-2023-25717<\/a> - Vulnerability in multiple Ruckus wireless products cross-site forgery request and RCE<\/li>\n
- CVE-2021-3560<\/a> - Vulnerability in Red Hat Polkit incorrect authorization<\/li>\n
- CVE-2014-0196<\/a> - Race condition of Linux kernel vulnerability<\/li>\n
- CVE-2010-3904<\/a> - Improper input validation for Linux kernel vulnerability<\/li>\n
- CVE-2015-5317<\/a> - Jenkins UI information disclosure vulnerability<\/li>\n
- CVE-2016-3427<\/a> - Unspecified Oracle Java SE and JRockit vulnerability<\/li>\n
- CVE-2016-8735<\/a> - Vulnerability in Apache Tomcat RCE<\/li>\n<\/ul>\n
These were added to CISA's Known Exploited Vulnerabilities<\/a> catalog, referred to as a \"living list\" of known common vulnerabilities and exposures that carry significant risks to federal enterprises.
\nCISA recommends that all organizations take steps to reduce their exposure to cyberattacks, such as prioritizing timely remediation of all vulnerabilities listed in the catalog.
\nBud Broomhead, Chief Executive at Viakoo Inc., says the seven vulnerabilities added focus on open-source software components and the recent inclusion of 15 vulnerabilities related to industrial control systems that are much more challenging to remediate than traditional IT vulnerabilities.
\nIt is imperative to have complete visibility into all digitally connected assets, their software components, and how they can be remediated and restored back to full operation.<\/p>\nInfostealer-Class Malware Is Evolving to Become More Dangerous<\/h2>\n
Infostealers are a malware class that security researchers say is morphing into a more insidious threat.
\nAccording to security researchers, these menacing threats are well known for their ability to steal sensitive personal information from a target's computer, including browser cookies, login information, saved debit and credit cards, or other financial data.
\nSiliconAngle has shared details on the role of infostealers in ransomware and other cyberattacks. These reports more recently included Eventbot in April 2020, and LockBit and Stealc in February 2023.
\nCybercriminals continue developing and improving this malware class; recently, new reports have documented current updates.
\nYael Kishon from the KELA Cybercrime Prevention<\/a> research group says cybercriminals are working intently to develop and sell new data stealers on botnet marketplaces. They list them at very affordable prices, making them more appealing to a broader customer base.
\nNew versions of infostealers continue to arrive and depart from the marketplace as some cybercriminals land behind bars; this makes it very chaotic. The Ukrainian developer of the Raccoon Stealer, who disappeared after being arrested, is one example and facing criminal charges. Yet, after a few months, an updated version appeared.
\nInfostealers are typically a foundation for other cybercriminals launching campaigns that deploy ransomware with data extortion components that require credentials such as stolen logins. This class of malware has grown over time to integrate better with more malware resources that can analyze the swiped data and arrange it for explicit targets.
\nSome malware versions offer subscription service pricing similar to other SaaS products with tier pricing models for specific features, such as obfuscation and traffic analysis. It's frequently called \u201cmalware as a service\u201d under this scenario.
\nOne alarming trend is state-sponsored malware groups embracing infostealers for cyber espionage campaigns. Russian groups, for example, have deployed the Graphiron stealer against Ukrainian targets, and Chinese groups have used them against many enemies throughout Asia.
\nSecurity researchers say that information stealers are becoming more sophisticated, which makes them challenging to locate and remove.<\/p>\nThreat Actors Use SIM-Swapping to Access Azure Virtual Machines<\/h2>\n
A cybercriminal known to target Microsoft products such as Azure VMs is now using a mix of SIM-swapping and phishing tactics to take over Azure admin accounts that provide access to Azure Virtual Machines.
\nMandiant (a Google LLC-owned company) security researchers shared details<\/a> this month about the threat actor called UNC3944 installing third-party remote management apps within client networks through the Serial Console on Azure VMs. While they're not the first hacker gaining access to Azure Virtual Machines, the technique used stands out because it bypasses many of the typical detection methods in Azure and gives the attacker full admin privileges to the Virtual Machine.
\nThe researchers say that the UNC3944 threat group is driven financially and that Mandiant started tracking them in May 2022. Their tactics include SIM-swapping and email and establishing persistence by using compromised accounts. Once in the door, UNC3944 swipes files and data from within the victim organization's infrastructure.
\nThe researchers observed the attacker leveraging Azure Extensions for reconnaissance purposes using a high-level privileged Azure account. The attacker used extensions such as CollectGuestLogs, and built-in Azure diagnostic extensions. They also noted that the attacker used the Guest Agent Automatic Log Collection, Azure Network Watcher VMSnapshot, and Guest Configuration extensions.
\nThe UNC3944 installs commercially available remote admin tools to maintain a presence on the VM through PowerShell. The researchers say these tools have the advantage of legitimately signed apps and provide remote access without triggering alerts in most EDR platforms<\/a>.
\nMandiant researchers say organizations should restrict access to remote admin channels and disable SMS as an MFA method where possible.
\nAccording to Amit Shaked from Laminar Technologies, employing a zero-trust approach that leverages in-depth controls at the data and infrastructure layers is the best defense.<\/p>\nThat's a Wrap for News You Might've Missed<\/h2>\n
I hope this update has been helpful. MSP360 is your resource for MSP news. Stay safe and healthy, and remember to check back next month for more highlights.<\/p>\n","protected":false},"excerpt":{"rendered":"
What’s new this month in the news for MSPs? Cofense’s Q1 Phishing Intelligence report shows a 527% increase in credential phishing; Magecart malware is hitting e-commerce sites again; and more.<\/p>\n","protected":false},"author":84,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[877,885],"tags":[],"class_list":["post-55760","post","type-post","status-publish","format-standard","hentry","category-blog-articles","category-other"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/55760","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/users\/84"}],"replies":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/comments?post=55760"}],"version-history":[{"count":4,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/55760\/revisions"}],"predecessor-version":[{"id":61425,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/55760\/revisions\/61425"}],"wp:attachment":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media?parent=55760"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/categories?post=55760"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/tags?post=55760"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- CVE-2021-3560<\/a> - Vulnerability in Red Hat Polkit incorrect authorization<\/li>\n
- CVE-2023-25717<\/a> - Vulnerability in multiple Ruckus wireless products cross-site forgery request and RCE<\/li>\n