Welcome to TheCyberThrone's cybersecurity week in review, covering the important security happenings of the week ending Saturday, May 06, 2023.
1. Rapture Ransomware Dissection
Researchers have uncovered a new ransomware family, dubbed Rapture, that takes a minimalist approach and leaves very little footprint on infected hosts.
Rapture shares traits with the Paradise ransomware, such as its RSA key configuration file and its dependency on the .NET Framework 4.0 to run. It differs in that it was found injected into legitimate processes, and in some intrusions the attackers dropped it to disk disguised as a *.log file. Rapture appends a six-character extension to encrypted files and only executes properly when launched with specific command-line arguments, a detail analysts should keep in mind when detonating samples.
2. BouldSpy – Android Spyware Attributed to Iran
Researchers have discovered a new Android surveillance tool, dubbed BouldSpy, and attributed it to the Law Enforcement Command of the Islamic Republic of Iran (FARAJA). The spyware has been used to target minority groups and potentially people involved in illegal trafficking. BouldSpy has extensive surveillance capabilities, including recording calls, capturing photos, and harvesting account usernames across various platforms.
BouldSpy keeps itself running by disabling battery management for its process and holding CPU wake locks, while relying on Android's accessibility services to perform most of its surveillance actions. Abusing wake locks and battery-optimization exemptions stops the OS from suspending the spyware, at the cost of noticeably faster battery drain on the victim's device, which is one of the few user-visible symptoms.
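The two persistence tricks described above (a held CPU wake lock and a battery-optimization exemption) both leave traces that an analyst can pull from a device with `adb shell dumpsys power` and `adb shell dumpsys deviceidle whitelist`. The script below is an added triage example, not code from the original post or from the BouldSpy research: it parses the "Wake Locks" section of `dumpsys power` for uids holding a PARTIAL_WAKE_LOCK and cross-references them with user-added entries on the battery-optimization whitelist. The sample text embedded in it is constructed to resemble that output; the package names and uids are made up, and the exact field layout of the two dumps is an assumption to adjust against your device's Android version.

```shell
#!/bin/sh
# Added example, not from the original post. Flags apps that are both exempt
# from battery optimization and holding a CPU (partial) wake lock, the
# combination attributed to BouldSpy above.

# CONSTRUCTED sample in the shape of `adb shell dumpsys power` (assumed layout).
SAMPLE_POWER=$(printf '%s\n' \
  'Wake Locks: size=3' \
  "  PARTIAL_WAKE_LOCK              'AudioMix' ACQ=-1s43ms (uid=1041 pid=1234 ws=null)" \
  "  PARTIAL_WAKE_LOCK              'keepalive' ACQ=-2h13m4s992ms (uid=10231 pid=4321 ws=null)" \
  "  SCREEN_DIM_WAKE_LOCK           'WindowManager' ACQ=-10s0ms (uid=1000 pid=800 ws=null)" \
  'Suspend Blockers: size=1')

# CONSTRUCTED sample in the shape of `adb shell dumpsys deviceidle whitelist`:
# one "class,package,uid" per line (assumed layout); "user" entries are the
# ones an app obtained via a battery-optimization exemption request.
SAMPLE_WHITELIST=$(printf '%s\n' \
  'system-excidle,com.android.providers.downloads,10005' \
  'system,com.android.phone,1001' \
  'user,com.example.sysupdate,10231' \
  'user,com.example.musicplayer,10187')

# Print the uids that currently hold a PARTIAL_WAKE_LOCK (the kind that keeps
# the CPU awake with the screen off). $1 is the text of `dumpsys power`.
partial_wakelock_uids() {
  printf '%s\n' "$1" | awk '
    /^Wake Locks:/ { in_wl = 1; next }
    in_wl && !/^  / { in_wl = 0 }
    in_wl && /^  PARTIAL_WAKE_LOCK/ {
      if (match($0, /uid=[0-9]+/)) print substr($0, RSTART + 4, RLENGTH - 4)
    }' | sort -u
}

# Print packages on the exemption list that were added at the "user" level,
# i.e. not pre-approved system components. $1 is the whitelist dump text.
user_whitelisted_packages() {
  printf '%s\n' "$1" | awk -F, '$1 == "user" { print $2 }' | sort -u
}

# Print "package uid=N" for every user-whitelisted package whose uid also
# holds a partial wake lock. $1: dumpsys power text, $2: whitelist text.
flag_suspicious() {
  uids=$(partial_wakelock_uids "$1")
  printf '%s\n' "$2" | awk -F, '$1 == "user"' |
  while IFS=, read -r _cls pkg uid; do
    for u in $uids; do
      if [ "$u" = "$uid" ]; then
        printf '%s uid=%s\n' "$pkg" "$uid"
      fi
    done
  done
}

# On a real device, replace the constructed samples with:
#   flag_suspicious "$(adb shell dumpsys power)" "$(adb shell dumpsys deviceidle whitelist)"
flag_suspicious "$SAMPLE_POWER" "$SAMPLE_WHITELIST"
```

A hit is not proof of spyware (a music player legitimately holds a wake lock while playing), but an unfamiliar package that holds a wake lock for hours and has talked the user into a battery-optimization exemption is exactly the profile described above and is worth pulling for static analysis; the same session should also list apps granted accessibility-service access.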
3. FIN7 Exploiting Veeam Backup Vulnerability
The Russian threat group FIN7, active since at least 2015 and primarily focused on financially motivated crime such as stealing payment-card data, has been observed exploiting unpatched Veeam Backup & Replication instances.
The vulnerability, tracked as CVE-2023-27532 (CVSS 7.5), was disclosed and patched by Veeam in March 2023, and proof-of-concept exploit code was later published by researchers at Horizon3.ai. According to Veeam, an unauthenticated attacker who can reach the Veeam Backup Service can use the bug to obtain encrypted credentials stored in the configuration database, which may in turn grant access to the backup infrastructure hosts. Administrators who cannot apply the patch immediately should at least block external access to the backup service port (TCP 9401) as a temporary mitigation.
4. APT28 Uses Fake Windows Updates
CERT-UA has warned that the Russia-linked APT28 group (aka Fancy Bear), active since at least 2007 and known for spear-phishing campaigns against governments, militaries, and security organizations worldwide, is targeting Ukrainian government bodies with fake "Windows Update" guides.
CERT-UA observed the campaign in April 2023. The malicious e-mails, with the subject "Windows Update", were crafted to appear as if sent by system administrators of departments within several government bodies, and were sent from addresses created on the public @outlook.com service. The messages instructed recipients to run a PowerShell command that pretended to install an update while actually downloading and executing a script that collected basic system information and sent it to an attacker-controlled web API. Legitimate updates never arrive as an e-mailed PowerShell one-liner, so any such "guide" should be treated as phishing.