By Jon Munshaw.
- As of right now, Sept. 22, there is no real or formal application to have a portion of your student debt forgiven. Don’t believe anything that says otherwise.
- There is no way to get early access to this program. Anyone offering this for a fee is very likely a scam.
- The U.S. Department of Education will not reach out with a phone call to communicate regarding this program, do not provide any requested information over the phone.
- Just because something shows up in the mail doesn’t mean it’s legit. Attackers are also likely to send phishing letters via traditional USPS delivery methods.
- And, as always: If it seems too good to be true, it probably is.
The one big thing
Why do I care?Gamaredon is actively targeting Ukrainian entities, specifically government organizations and critical infrastructure. These are all crucial industries to protect during Russia’s invasion of Ukraine, as they’ll likely be targeted regularly by state-sponsored actors. And as we outlined in last week’s Talos Takes, Gamaredon’s activities are not likely to remain isolated to Ukraine.
So now what?
There are new Cisco Secure product protections in place to protect against this actor’s activities. Additionally, if you fear you could be targeted by this campaign, there are two artifcats to scan for on the system that can indicate a compromise:
- A registry key is created under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the name "Windows Task" for persistence.
- A mutex is created with the name Global\flashupdate_r.
Top security headlines from the week
Rideshare app Uber blamed the Lapsus$ ransomware group for a recent data breach. The company said the actor gained access to multiple internal Uber systems after stealing a third-party contractor's credentials and then tricking that user into approving a multi-factor authentication request. Uber engaged the U.S. Department of Justice and the FBI shortly after learning about the breach and is still investigating it. However, it does not appear that attackers accessed any customer or user data stored by its cloud providers, though they did download some internal messages and information from an internal finance team. (ZDNet, Washington Post)
New York’s Suffolk County is still recovering from a cyber attack that’s affected multiple areas of the local government. The county’s 911 system was still offline as of Tuesday, with responders forced to switch to pen and paper for tracking emergency calls. They’ve also had to enlist the help of the New York City Police Department to assist with background checks. The attackers may have also stolen and leaked some residents’ personal information and have allegedly posted images of stolen documents on the dark web. The adversaries say they’ve demanded an unspecified “small amount” of money for the return of access to its computers. (NBC 4 New York, Newsday)
The ChromeLoader malware is more dangerous than ever, according to new research from VMWare and Microsoft. Security researchers at the companies say the malware — which started as a browser-hijacking credential stealer — is now being used as a tool to deliver ransomware and steal sensitive information. The updated version of ChromeLoader has been used in hundreds of attacks over the past few weeks targeting enterprise networks in the education, government, health care and business services industries. Attackers are disguising ChromeLoader as legitimate Chrome browser services and plugins, such as OpenSubtitles, a site designed to help users to find subtitles for popular TV shows and movies. (Dark Reading, The Register)
Can’t get enough Talos?
- Russian Gamaredon Hackers Target Ukrainian Government Using Info-Stealing Malware
- Novel infostealer leveraged in Gamaredon attacks against Ukraine
- Talos Takes Ep. #113: Digging into Gamaredon's cave and its recent campaign against Ukraine
- Our current world, health care apps and your personal data
- Threat Roundup for Sept. 9 - 16
Upcoming events where you can find Talos
Most prevalent malware files from Talos telemetry over the past week
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg