March 23, 2020, by David Bisson

Last week in security news, researchers observed the Nefilim ransomware family threatening to publish its victims’ data if they did not pay their ransoms within a week. Nefilim wasn’t the only malware that made headlines last week. Ursnif also drew some attention with a new campaign targeting Italy. Additionally, researchers spotted Cookiethief attempting to steal access to its victims’ social media accounts.

Top Story of the Week: Nefilim Threatens to Publish Victims’ Data After 7 Days

Security researchers informed Bleeping Computer that Nefilim first started up in February 2020. Their analysis of the threat determined that Nefilim shared some code with Nemty, another ransomware family. Even so, Nefilim differed from Nemty in that it lacked a ransomware-as-a-service (RaaS) component and told its victims they could receive payment instructions by contacting an email address, not visiting a Tor portal, according to the researchers.

Upon successful infection, Nefilim used AES-128 encryption to render its victims’ data inaccessible. It then dropped a note in which it informed its victims that it would publish their stolen data unless they paid their ransom within a week.


Also in Security News

  • New Campaign Launched by Ursnif Targets Italy: Researchers at Cybaze-Yoroi Zlab detected a new phishing campaign that leveraged a compromised Italian law-themed website as a DropURL to download a self-extracting archive. The archive’s contents ultimately executed a JavaScript module that carried the executable responsible for running Ursnif malware.
  • Website for Manufacturer Infected by Magecart Skimmer: Near the end of February, RiskIQ observed that Magecart Group 8 had injected a JavaScript-based skimmer onto the website of a blender manufacturer. The security firm ultimately stopped the attack by taking down the exfiltration domain employed by the threat actors.
  • All Other Stalkerware Dwarfed by MonitorMinor: Kaspersky Lab discovered that MonitorMinor arrived with the ability to run the SuperUser (SU) utility on an infected Android device for the purpose of gaining access to numerous social networking apps and functionality. Running the SU utility also gave MonitorMinor the ability to steal a victim’s screen lock credentials.
  • Social Media Accounts Targeted by Cookiethief Infostealer: Just a day prior to its discovery of MonitorMinor, Kaspersky Lab disclosed its discovery of a new cookie-stealing Android Trojan called Cookiethief. This malware used root privileges to transfer cookies for social networking accounts and browsers, all for the purpose of distributing spam.
  • Security of Intel CPUs Threatened by Snoop Attacks: According to Intel, a software engineer demonstrated that a susceptibility in its processors could enable attackers to insert malicious code after a change in the L1D cache, causing the CPU to update all cache levels. Bad actors could then leverage that technique to produce errors that would leak data from a CPU’s inner memory.
  • Most Ransomware Executed Three Days After First Signs of Malicious Activity: In its analysis of ransomware response investigations between 2017 and 2019, FireEye found that most ransomware infections had occurred at least three days after the first signs of malicious activity appeared. The security firm also found that approximately three-quarters of ransomware infections had occurred outside of normal working hours.

Security Tip of the Week: Strengthen Your Anti-Ransomware Measures

Security professionals can help strengthen their organizations’ anti-ransomware measures by ensuring that they have access to the latest threat intelligence. Doing so will help organizations stay abreast of the latest techniques and attacks employed by ransomware actors. Additionally, infosec personnel should endeavor to inventory the locations of the organization’s critical business assets so they can craft defensive strategies accordingly.
