Posts

New AMBERSQUID Cryptojacking Operation Targets Uncommon AWS Services

A novel cloud-native cryptojacking operation has set its eyes on uncommon Amazon Web Services (AWS) offerings such as AWS Amplify, AWS Fargate, and Amazon SageMaker to illicitly mine cryptocurrency. The malicious cyber activity has been codenamed AMBERSQUID by cloud and container security firm Sysdig. "The AMBERSQUID operation was able to exploit cloud services without triggering the AWS requirement for approval of more resources, as would be the case if they only spammed EC2 instances," Sysdig security researcher Alessandro Brucato said in a report shared with The Hacker News. "Targeting multiple services also poses additional challenges, like incident response, since it requires finding and killing all miners in each exploited service." Sysdig said it discovered the campaign following an analysis of 1.7 million images on Docker Hub, attributing it with moderate confidence to Indonesian attackers based on the use of Indonesian language in scripts and use...

Free Download Manager Site Compromised to Distribute Linux Malware to Users for 3+ Years

A download manager site served Linux users malware that stealthily stole passwords and other sensitive information for more than three years as part of a supply chain attack. The modus operandi entailed establishing a reverse shell to an actor-controlled server and installing a Bash stealer on the compromised system. The campaign, which took place between 2020 and 2022, is no longer active. "This stealer collects data such as system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure)," Kaspersky researchers Georgy Kucherin and Leonid Bezvershenko said. The website in question is freedownloadmanager[.]org, which, according to the Russian cybersecurity firm, offers a legitimate Linux software called "Free Download Manager," but starting in January 2020, began redirecting some users who attempted to download it to another domain deb.fdmpkg[.]org th...

Microsoft Uncovers Flaws in ncurses Library Affecting Linux and macOS Systems

A set of memory corruption flaws have been discovered in the ncurses (short for new curses) programming library that could be exploited by threat actors to run malicious code on vulnerable Linux and macOS systems. "Using environment variable poisoning, attackers could chain these vulnerabilities to elevate privileges and run code in the targeted program's context or perform other malicious actions," Microsoft Threat Intelligence researchers Jonathan Bar Or, Emanuele Cozzi, and Michael Pearse said in a technical report published today. The vulnerabilities, collectively tracked as CVE-2023-29491 (CVSS score of 7.8), have been addressed as of April 2023. Microsoft said it also worked with Apple on remediating the macOS-specific issues related to these flaws. Environment variables are user-defined values that can be used by multiple programs on a system and can affect the manner in which they behave on the system. Man...

Phishing attacks: defending your organisation

How to defend your organization from email phishing attacks. Introduction to Phishing: "Phishing attacks: defending your organization" provides a multi-layered set of mitigations to improve your organization's resilience against phishing attacks, whilst minimizing disruption to user productivity. The defenses suggested in this guidance are also useful against other types of cyber attack, and will help your organization become more resilient overall. This guidance is aimed at technology, operations or security staff responsible for designing and implementing defenses for medium to large organizations. This includes staff responsible for phishing training. Staff within smaller organizations will also find this guidance useful, but should refer to the NCSC's Small Business Guide beforehand. This guidance concludes with a real-world example that illustrates how a multi-layered approach prevented a phishing attack from damaging a major financial-sector organiz...

MGM Grand Cyberattack Allegedly Caused by 10-Minute Phone Call

The ransomware group ALPHV, also known as BlackCat, is reportedly behind the cyber attack that shut down MGM Grand casinos on Monday, according to a report by malware archive vx-underground. The archive claims ALPHV was able to social-engineer their way into the company's systems in 10 minutes, effectively shutting down MGM Resorts International properties across the U.S. The ransomware group allegedly took hold of MGM's computer systems in three simple steps, according to vx-underground. "All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk," the organization wrote in a Twitter post. "A company valued at $33,900,000,000 was defeated by a 10-minute conversation," it added. Vx-underground suggested that MGM Grand has not met the ransomware gang's demands, writing: "In our opinion, MGM will not pay." MGM Grand said in a Twitter post on Monday that it had taken imm...

Protecting Your Microsoft IIS Servers Against Malware Attacks

Microsoft Internet Information Services (IIS) is a web server software package designed for Windows Server. Organizations commonly use Microsoft IIS servers to host websites, files, and other content on the web. Threat actors increasingly target these Internet-facing resources as low-hanging fruit for finding and exploiting vulnerabilities that facilitate access to IT environments. Recently, a slew of activity by the advanced persistent threat (APT) group Lazarus has focused on finding vulnerable Microsoft IIS servers and infecting them with malware or using them to distribute malicious code. This article describes the details of the malware attacks and offers actionable suggestions for protecting Microsoft IIS servers against them. An Overview on Microsoft IIS Servers: IIS was first introduced with Windows NT 3.51 as an optional package back in 1995. Since then, it has seen several iterations, improvements, and features added to align with the evolving Internet, including support for...