ConnectWise warns of ongoing ransomware attacks targeting its customers Ravensdale Digital

Image Source: ZDNet

Hackers are trying to break into on-premises ConnectWise Automate systems and use them to install ransomware on customer networks.

ConnectWise, a Florida-based company that provides remote IT management solutions, is warning customers that hackers are targeting its software to gain access to client networks and install ransomware.

ConnectWise Automate is a software package that lets IT admins manage a company’s computer fleet and other IT assets from a central location. It’s a classic remote access/management solution that many large companies use when they have assets spread across a large number of locations.

The software is available as a cloud-based offering, but also as on-premises servers for customers who want a more tightly controlled setup.

Phishing campaign delivers data-stealing malware via fake court summons emails Ravensdale Digital

A newly uncovered hacking campaign is targeting employees in the insurance and retail industries with phishing emails, claiming to be from the Ministry of Justice, that infect the victim with information-stealing malware.

Uncovered by researchers at cybersecurity company Cofense, the phishing emails have the subject ‘Court’ and feature UK Ministry of Justice logos. They claim to provide information about ‘Your Subpoena’ and ask the victim to click a link because they’ve been ordered to attend a law court and have 14 days to comply. There’s no information about what the court case supposedly relates to.

If victims click through to the link, they’re directed to a cloud hosting provider which redirects them to a document containing Predator the Thief, a form of malware that’s commonly up for sale on underground hacking forums.

Predator the Thief can steal usernames, passwords, browser data and the contents of cryptocurrency wallets, as well as take photos using a webcam. The malware first emerged in July 2018.

The phishing emails use a number of layers to hide the malicious intention of the message from security software. The email contains a Google Docs link which, if clicked, automatically redirects the user to Microsoft OneDrive, which delivers a Microsoft Word document to the victim. As in many other phishing campaigns, the document asks users to enable macros; if they do, the malware is downloaded via PowerShell.

The malware then connects to a command-and-control server and provides the attacker with a gateway to the infected system and the ability to secretly steal data. When the cybercriminals decide they have gathered all the data they need, Predator the Thief self-destructs, cleaning up any evidence that it was there in the first place.

Legal technicality

Shock tactics, such as telling a potential victim they have a court date, are a regular trick used by cybercriminals, designed to scare people into clicking phishing links and downloading malware. However, there is a prominent clue that all is not right with this message, and it is not just the strange sender address.

The message refers to a subpoena. The term is regularly used in the United States, but the UK court system hasn’t used ‘subpoena’ since 1999 when the relevant term was changed to ‘witness summons’.

The email’s phrasing, therefore, suggests that while the cybercriminals are using UK imagery in an attempt to dupe victims, they’re not familiar with the details of the local system.

To help protect against these kinds of attacks, researchers recommend that macros are disabled by default and that users are educated about the dangers of enabling them.
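The recommendation above can be enforced through Office's policy registry values. The following PowerShell is an added example, not code from Cofense or from the article; it assumes Office 2016/2019/Microsoft 365 (policy path version "16.0") and shows the weak per-user state beside the hardened one.

```powershell
# Added hardening example (assumed Office policy path version "16.0"); in
# production, deliver the same values via GPO or Intune rather than per-user.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Get-MacroPolicy {
    param([string]$App)
    $Key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        App          = $App
        VBAWarnings  = $Props.VBAWarnings                       # $null = app default
        BlockFromWeb = $Props.blockcontentexecutionfrominternet # $null = not enforced
    }
}

foreach ($App in $Apps) {
    $Key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }

    $Before = Get-MacroPolicy -App $App
    # Weak state: VBAWarnings unset or 2 ("disable with notification") shows the
    # yellow "Enable Content" bar that this lure depends on the user clicking.
    if ($null -eq $Before.VBAWarnings -or $Before.VBAWarnings -eq 2) {
        Write-Warning "$App`: macros only disabled with notification (user can enable)"
    }

    # Hardened: 4 = disable all macros without notification. Use 3 instead if
    # digitally signed macros from trusted publishers are required.
    Set-ItemProperty -Path $Key -Name 'VBAWarnings' -Value 4 -Type DWord

    # Block macros in any file carrying the Mark-of-the-Web, i.e. one downloaded
    # through a OneDrive or Google Docs link as in this campaign, regardless of
    # what the user chooses in the prompt.
    Set-ItemProperty -Path $Key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}

# Report the resulting policy for each application.
$Apps | ForEach-Object { Get-MacroPolicy -App $_ } | Format-Table -AutoSize
```

Run it in the user's context, then re-open a downloaded .docm to confirm the "Enable Content" bar no longer appears.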

Malware infection disrupts production at defence contractor plants in three countries Ravensdale Digital

One of the biggest defence contractors in the world is having a very bad week after malware infected the company’s network and caused “significant disruption” at plants in three countries, the company said on Thursday.

The infection took root on Tuesday, September 24, and affected Rheinmetall AG, a German corporation based in Düsseldorf and one of the biggest manufacturers of armoured fighting vehicles, tanks, ammunition, and various electronic systems.

Plants in Brazil, Mexico, and the US have been impacted, Rheinmetall said in a press release.

The company did not reveal any details about the incidents, or what type of malware was involved.

RHEINMETALL EXPECTS LOSSES IN THE TENS OF MILLIONS OF EUROS

Rheinmetall said it expects the malware incident to have an impact on its bottom line in the long run, with losses in the tens of millions of euros.

“While deliverability is assured in the short term, the length of the disruption cannot be predicted at this time. The most likely scenarios suggest a period lasting between two and four weeks,” it said. “As things stand, the Group expects the malware event to have an adverse impact on operating results of between €3 million and €4 million per week starting with week two.”

A spokesperson was not available for comment and additional details.

Rheinmetall is not the only major company to suffer a serious malware infection in the past year. Most of the earlier incidents were ransomware attacks, such as those at aeroplane parts manufacturer Asco, aluminium provider Norsk Hydro, cyber-security firm Verint, the UK Police Federation, utility vehicles manufacturer Aebi Schmidt, Arizona Beverages, engineering firm Altran, the Cleveland international airport, and chemicals producers Hexion and Momentive.

Earlier this week, French TV station France24 revealed that Chinese state-sponsored hackers breached multiple Airbus suppliers by using unpatched VPN systems to enter their internal networks. The same hackers are said to have also targeted British engine-maker Rolls-Royce and the French technology consultancy and supplier Expleo.
