Did you know that Discord attachments are publicly accessible? Did you know that even after deleting an attachment, the link to download the file is still active? In this edition of our leaky app series, we cover how sharing attachment links in Discord can cause accidental public exposure of data. We will also look into the malware abuse case of threat actors using Discord as a malware-hosting platform.
A cybersecurity bulletin was released by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) on October 28, 2020. The three agencies have issued a high-level warning about an increased, imminent threat of ransomware attacks in the healthcare sector. The cybercriminal group behind the TrickBot, Ryuk, and BazarLoader malware is now targeting U.S. hospitals and healthcare providers.
Cybersecurity Infrastructure Security Agency (CISA) released Alert (AA20-302A) on October 28th called “Ransomware Activity Targeting the Healthcare and Public Health Sector.” This alert details TTPs associated with ongoing and possible imminent attacks against the Healthcare sector, and is a joint advisory in coordination with other U.S. Government agencies.
Several weeks ago, my good friend Katie Nickels (Director of Intelligence at Red Canary extraordinaire) and I were chatting about Ransomware. She was super interested and passionate about some new uses of a ransomware variant named “Ryuk” (first detected in 2018 and named after a manga/anime character) [1]. I was, to be honest, much less interested. It turns out, as usual, Katie was right; this was a big deal (although as you will see, I’m right too… still dull stuff!).
The Cybersecurity and Infrastructure Agency (CISA) of the U.S. Department of Homeland Security recently announced that activity in LokiBot, a form of aggressive malware, has increased dramatically over the last two months. The activity increase was discovered by an automated intrusion detection system referred to as EINSTEIN, which the Department of Homeland Security uses for collecting and analyzing security information across numerous government agencies.
First identified as active in November 2012, 'njRAT', also known as 'Bladabindi' or 'Njw0rm', is a well established and prevalent remote access trojan (RAT) threat that was initially created by a cybercriminal threat group known as 'Sparclyheason' and used to target victims located in the Middle East. Undoubtedly following the source code leak, reportedly in May 2013, njRAT has become widely available on the cybercriminal underground with numerous variants being released over the years.
Kovter is a fileless malware that attempts to remain invisible and targets the Windows operating system. Kovter avoids detection as it relies on the host registry to store its configuration data, thus avoids traditional endpoint protection (anti-virus) file scanning.
Cybersecurity is in the news again with the disclosure that Tesla, working in conjunction with the FBI, prevented a ransomware attack from being launched at its Gigafactory in Nevada. The cybercriminals targeted Tesla through one of its employees, whom they allegedly promised to pay $1 million in order to help them infect the company’s system with malware.
Historically targeting the financial sector, and first observed in 2014 as a banking trojan, Emotet remains an active and credible threat to organizations across all industries worldwide and, whilst retaining some core data stealing capabilities, has evolved to act as a downloader for secondary malicious payloads.
