The scale and complexity of cyberattacks continue to keep security researchers on guard. This week's cybersecurity incidents included ransomware delivered through TeamViewer, the Spica malware, and the Kansas State University outage.
Here are the details regarding the latest cybersecurity news:
Ransomware operators are once again abusing TeamViewer to gain initial access to organizational endpoints, attempting to deploy encryptors built from the leaked LockBit ransomware builder.
TeamViewer, a legitimate remote access tool widely used in enterprises for its simplicity and capabilities, is also favored by scammers and ransomware actors, who use it to reach remote desktops and to drop and execute malicious files unhindered.
A similar incident was first reported in March 2016, when numerous victims on forums confirmed that their devices had been accessed through TeamViewer and their files encrypted with the Surprise ransomware. At the time, TeamViewer attributed the unauthorized access to credential stuffing: attackers did not exploit a zero-day vulnerability but instead used users' leaked credentials.
A recent report from Huntress reveals that cybercriminals continue to employ these old techniques, persistently taking control of devices through TeamViewer in their attempts to deploy ransomware.
The specific methods employed by threat actors to gain control of TeamViewer instances remain unclear.
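The report above describes the pattern defenders can watch for: files dropped and executed from within a TeamViewer session. The following Python script, added here as an illustration and not taken from the article, Huntress, or TeamViewer, shows one way to flag that pattern over process-creation telemetry. The event fields, the sample events, the list of TeamViewer process names, and the "user-writable path" and "interpreter" heuristics are all constructed assumptions to be tuned against real telemetry.

```python
"""
Flag child processes of TeamViewer that look like dropped payloads.
Added example (not from the article or the vendors it names); the event
shape, sample events and heuristics below are constructed for illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str   # full path of the parent process (constructed field)
    image: str          # full path of the new process (constructed field)
    command_line: str


# Assumed TeamViewer process names; extend from your own inventory.
TEAMVIEWER_IMAGES = {"teamviewer.exe", "teamviewer_service.exe"}

# Directories a remote operator typically drops a file into before running it.
DROP_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\downloads\\")

# Script hosts and living-off-the-land binaries rarely launched interactively
# from a legitimate support session.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "mshta.exe"}


def is_teamviewer(image: str) -> bool:
    return PureWindowsPath(image).name.lower() in TEAMVIEWER_IMAGES


def suspicious_child(ev: ProcessEvent) -> Optional[str]:
    """Return a reason string when the event matches, else None."""
    if not is_teamviewer(ev.parent_image):
        return None
    child = PureWindowsPath(ev.image)
    name = child.name.lower()
    full = str(child).lower()
    if name in INTERPRETERS:
        return f"interpreter {name} launched from a TeamViewer session"
    if any(d in full for d in DROP_DIRS):
        return f"binary executed from user-writable path {child}"
    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Run the heuristic over a batch of events and collect (host, image, reason)."""
    alerts = []
    for ev in events:
        reason = suspicious_child(ev)
        if reason:
            alerts.append((ev.host, ev.image, reason))
    return alerts


# Constructed sample telemetry: two hits, two benign events.
SAMPLE_EVENTS = [
    ProcessEvent("ws-17", r"C:\Program Files\TeamViewer\TeamViewer.exe",
                 r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "update.exe"),
    ProcessEvent("ws-17", r"C:\Program Files\TeamViewer\TeamViewer.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("ws-04", r"C:\Program Files\TeamViewer\TeamViewer.exe",
                 r"C:\Program Files\Vendor\tool.exe", "tool.exe"),
    ProcessEvent("ws-04", r"C:\Windows\explorer.exe",
                 r"C:\Users\jdoe\Downloads\setup.exe", "setup.exe"),
]

if __name__ == "__main__":
    for host, image, reason in scan(SAMPLE_EVENTS):
        print(f"[{host}] {image}: {reason}")
```

The heuristic deliberately ignores what the dropped file is called, because the operator chooses that name; it keys on where the file runs from and on which parent launched it, which the attacker controls far less.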
Kansas State University (K-State) has announced that it is managing a cybersecurity incident that disrupted specific network systems, including VPN, K-State Today emails, and video services on Canvas and Mediasite.
K-State, a public land-grant research university that offers 65 master's and 45 doctoral programs, currently enrolls 20,000 students and employs 1,400 academic staff.
On Tuesday morning, the university communicated through its media portal that certain IT systems were experiencing disruptions. Later in the afternoon, it officially confirmed that a cyberattack was the cause.
The affected systems were promptly taken offline upon the detection of the attack, leading to the unavailability of VPN, emails, Canvas and Mediasite videos, printing, shared drives, and mailing list management services (Listservs).
Google has reported that the Russian-backed ColdRiver hacking group is employing a new tactic: previously unknown backdoor malware disguised as a PDF decryption tool.
The attackers open their campaign by sending phishing emails containing PDF documents that appear to be encrypted. These emails impersonate individuals affiliated with the targets, a tactic first observed in November 2022. When recipients reply that they cannot read the 'encrypted' documents, they are sent a link to download what appears to be a PDF decryptor executable (named Proton-decrypter.exe) to view the contents of the purportedly encrypted documents.
According to Google TAG (Threat Analysis Group), despite displaying a decoy PDF document, the fake decryption software acts as a backdoor, infecting victims' devices with a malware strain that TAG's researchers, who detected the attacks, have named Spica.
Although researchers suspect the existence of multiple Spica samples corresponding to various phishing lures, they were only able to capture a single sample during their investigation into this campaign.
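The lure chain above rests on two files: a PDF that only looks encrypted and an executable offered as its "decryptor". The Python triage helpers below, added here as an illustration and not taken from Google TAG or the article, show how a mail gateway or analyst tooling could sanity-check both by content rather than by name. The sample blobs are constructed (the "PE" is only a header stub, not a working program), and the heuristics, including the `/Encrypt`-marker check and the name-based decryptor rule, are assumptions to tune.

```python
"""
Content-based triage for the 'encrypted PDF + decryptor executable' lure.
Added example; not from Google TAG or the article. Sample inputs are constructed.
"""
import struct
from typing import List


def file_kind(data: bytes) -> str:
    """Classify a blob by its magic bytes instead of its filename or extension."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points to the PE signature in a Windows executable.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
        return "dos-executable"
    return "unknown"


def pdf_is_encrypted(data: bytes) -> bool:
    """A PDF protected with standard PDF encryption carries an /Encrypt entry
    in its trailer or cross-reference stream. A document that merely renders
    scrambled text does not, so no 'decryptor' could ever be needed for it.
    (Heuristic assumption: a substring scan, which is enough for triage.)"""
    return b"/Encrypt" in data


def triage(filename: str, data: bytes) -> List[str]:
    """Return human-readable findings for one delivered file."""
    findings = []
    kind = file_kind(data)
    name = filename.lower()
    if name.endswith(".pdf") and kind != "pdf":
        findings.append(f"{filename}: extension says PDF but content is {kind}")
    if kind == "pdf" and not pdf_is_encrypted(data):
        findings.append(f"{filename}: PDF carries no /Encrypt entry; a decryptor is unnecessary")
    if kind == "pe" and "decrypt" in name:
        findings.append(f"{filename}: executable offered as a decryptor; treat as untrusted")
    return findings


# Constructed samples.
LURE_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")
REAL_ENCRYPTED_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
                      b"trailer << /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n")
# Minimal MZ header whose e_lfanew points at a PE signature; not runnable code.
FAKE_PE = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0"

if __name__ == "__main__":
    for fname, blob in [("Encrypted_Document.pdf", LURE_PDF),
                        ("Proton-decrypter.exe", FAKE_PE),
                        ("contract.pdf", REAL_ENCRYPTED_PDF)]:
        for line in triage(fname, blob):
            print(line)
```

Neither check proves a file is malicious on its own; together they describe the social-engineering premise of the campaign (a document that is not really encrypted plus an executable to "fix" it), which is the part a defender can recognise before any backdoor runs.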