Photo caption: A Ukrainian flag flies above the ruins of buildings destroyed during fighting between Ukrainian and Russian occupying forces on Oct. 24, 2022, in Kam'yanka, Kharkiv oblast, Ukraine. (Photo by Carl Court/Getty Images)

Researchers on Wednesday reported that the RomCom threat group has been running a new series of attacks that deliver a remote access trojan (RAT) by abusing the brands of SolarWinds, KeePass, and PDF Technologies.

In a blog post, BlackBerry researchers said that while RomCom has primarily targeted Ukraine, they believe some English-speaking countries have also been targeted, including the United Kingdom.

Given the geography of the targets and the current geopolitical situation, the BlackBerry researchers say it is unlikely that the RomCom RAT threat actor is motivated by cybercrime alone.
Given the targets and the nature of the attack, there's more than just a cybercriminal motivation in play, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said that with the current geopolitical situation, it's quite likely there's state-level involvement behind the scenes.

"At its core, though, this is an attack against human targets," Parkin said. "They are primarily relying on victims being social engineered through email to go to a malicious site disguised as a legitimate one. That makes the users the first line of defense, as well as the primary attack surface."

The RomCom attack looks like a direct copycat of some attacks investigated during the pandemic, where a number of vendors' product support tools were seen being mimicked or "wrapped" with malware, said Andrew Barratt, vice president at Coalfire.

"The 'wrapping' means that the underlying legitimate tool is still deployed, but as part of that deployment some malware is dropped into the target environment," Barratt said. "Major APTs like FIN7 have used these tactics in the past. Leveraging well-known brands that they have probably identified are in use gives an intruder a high possibility of a positive response by a user they mislead."