MuddyWater group officially linked to Iran by US Cyber Command
In early January, the US Cyber Command released details of multiple open-source tools used by the Iran-linked advanced persistent threat (APT) group “MuddyWater”. The group has reportedly used DLL side-loading to trick legitimate programs into running malware, and has obfuscated PowerShell scripts to hide malicious command-and-control functions. MuddyWater was found to be part of the Iranian Ministry of Intelligence and Security and conducts domestic and overseas surveillance in the oil, gas and telecommunications sectors.
Russia reacts to REvil ransomware
In early January, the FSB conducted a series of raids resulting in the arrest of several members of the Russia-based REvil ransomware gang. The FSB reported that the arrests were carried out at the request of the US, and that the detainees had been charged with “illegal turnover of means of payments.” According to the FSB, the following was seized: − More than RUB 426 million in fiat and cryptocurrency − More than USD 600,000 − More than EUR 500,000 − Cryptocurrency wallets − 20 cars − Computer equipment In addition, the FSB claimed to have “neutralized” REvil’s online infrastructure. Fourteen individuals were arrested initially, with an additional six arrested later.
ONUS Log4J Ransomware Attack
The Vietnamese trading platform ONUS was victim of a ransomware attack leveraging the Log4j flaw on its payment system. Cyber criminals demanded a $5 million ransom in a double extortion scheme. ONUS refused to pay, so threat actors published for sale records of 2 million ONUS customers.
New UEFI rootkit linked to Chinese APT group uncovered by researchers
A new UEFI firmware-level rootkit dubbed MoonBounce has been deployed by the Chinese-speaking group APT41, aka Winnti. Researchers found that the backdoor is used to enable the deployment of user-mode malware that will execute further payloads from the internet.
