Over the last few weeks, Cyberint has witnessed an ongoing attack campaign targeting social media influencers, attempting to infect them with malware by impersonating large clothing retailers. The campaign targets influencers across multiple social media platforms but currently appears to mostly focus on influencers operating on YouTube. Further, although the infection process is not sophisticated, it is notable and appears to be evolving.
In the last couple of decades, the retail industry has seen dramatic changes, both on the business and on the consumer side. Perhaps the most notable one is buyers’ ever-increasing shift from physical “brick-and-mortar” retailers to online e-commerce platforms. Unfortunately, this has also been accompanied by more and more fraudulent activities, which in turn required for more digital checks and balances.
Hot on the heels of 'Dearcry'[1], yet another ransomware threat has been observed as targeting Microsoft Exchange servers vulnerable to recently reported critical vulnerabilities[2]. Dubbed 'Black KingDom', this ransomware threat has reportedly been deployed through a web-shell that is installed on vulnerable Microsoft Exchange servers following the exploitation of the vulnerability chain that results in both remote code execution (RCE) and elevated privileges.
Extinction Rebellion (XR) is a London-based environmental group aiming at disruptive and nonviolent civil resistance. Launching their first public campaign in October 2018, XR centers their motives on resisting structures that dismiss climate change and degradation of natural resources[1]. XR has been notable in eliciting mass arrest, a Ghandian tactic that garnered them press coverage, funding, and attention from government agencies and policy bodies.
Following high profile headlines of critical vulnerabilities affecting Microsoft Exchange servers, as detailed in our previous blog/bulletin[1], proof-of-concept exploits have become publicly available and appear to have been utilized by a financially-motivated threat actor in the seemingly manual deployment of a new ransomware threat dubbed 'Dearcry'.
Microsoft have recently shared [1][2] details of active threats targeting on-premise Microsoft Exchange servers worldwide by exploiting chained vulnerabilities that lead to the threat actor gaining full control of the affected email server.
It is common and intuitive to think that a security manager is responsible for the protection of their own team and organization. Spending the company’s resources on the security of another organization may sound unreasonable. However, recent events in the retail industry teach us otherwise. Today more than ever, as 3rd-party risk is gaining speed, executives are exposed to threats from unexpected directions and involving new weak points.
In the past few months, Cyberint has observed a series of suspicious PDF files mentioning different retail brands, scanned to an anti-virus repository. Seeing as the files were flagged as malicious by the repository, Cyberint’s working assumption is that the retailers were mentioned in order to lure their employees or customers into opening the files.
On January 28, 2021 the dark web community was informed that “ValidCC”, one of the leading marketplaces for compromised payment card details, was unexpectedly closing its services for good. This happened less than a month after “Joker’s Stash”, another popular dark web payment card marketplace, announced its retirement.
