At a glance.
- Emotet was the biggest holiday threat.
- Earth Wendigo targets emails in Taiwan.
- Outcome of the data breach at the Hackney council.
- A cannabis producer's data breach buzz kill.
And the award for best holiday threat goes to...
The Emotet Trojan has returned to first place in Check Point Software Technologies’ Global Threat Index for December, after falling to fifth place in November. It took the lead after a spam campaign over the holidays that targeted 100,000 users daily and impacted 7% of organizations globally. Emotet likely owes its success to recent enhancements to the Trojan, which include improved detection-evasion features, new malicious payloads, and an upgraded email campaign. Runners-up for the top spot are Trickbot and Formbook, while Hiddad is the leading mobile malware and MVPower DVR Remote Code Execution is the most exploited vulnerability.
“Earth Wendigo” targets Taiwanese email system.
A new threat actor has been detected that appears unconnected to any known cybercriminal groups, reports Trend Micro. First appearing in May 2019, “Earth Wendigo” has been injecting JavaScript backdoors into a Taiwanese email system in order to extract emails from Taiwanese government organizations, research institutions, and universities. The attackers send a spear-phishing email disguised as a discount coupon for a shopping website, with obfuscated JavaScript embedded in it. The malware embeds itself in the user’s email signature so that it spreads to other contacts, and it also infects a feature of the system called the Service Worker. Earth Wendigo also exploits an XSS vulnerability in the webmail system that allows the attackers to replace part of the system with malicious code, reports SecurityWeek. Once the threat actors have access, a WebSocket connection is established so exfiltration can begin. The vulnerability was repaired by the webmail developers in January 2020, so it shouldn’t affect users running updated versions.
Hackers hack Hackney.
Hackers have released documents that appear to have been stolen during a recent ransomware attack on Hackney Council in London, reports Sky News. The incident, which occurred in October 2020, was investigated by the UK's National Cyber Security Centre and the Ministry of Housing. Now the Pysa/Mespinoza cybercriminal group has posted documents on the dark web that it claims belong to the Council, with file names like "passportsdump" and "staffdata." Though the Council has not stated whether it paid the requested ransom at the time of the attack, the publication of the data appears to be a threat. A Council spokesperson stated: “We understand and share the concern of residents about any risk to their personal data, and we are working as quickly as possible with our partners to assess the data and take action, including informing people who are affected.”
A snake in the grass.
After infiltrating the systems of leading Canadian cannabis producer Aurora Cannabis on Christmas Day, a hacker is selling the stolen data on an underground forum, BleepingComputer reports. Posting sample pictures of the stolen files, the hacker is asking for one bitcoin for the 50GB of data, which includes images of checks, passports, and business documents. The hacker claims he contacted Aurora to negotiate a ransom, and has even reached out to employees to let them know he still has access to their system, but his emails, he says, have gone unanswered.