Cyber Bites by Edwin Kwan
Cyber Bites - 17th January 2025

  • Ransomware Gang Exploits AWS Feature to Encrypt and Hold Data Hostage

  • Phishing Texts Trick iMessage Users into Disabling Security

  • Fake CrowdStrike Job Offers Used to Distribute Cryptominer

  • Stealthy WordPress Skimmers Infiltrate Database Tables

  • A New AI-Driven Ransomware Group Blurs the Lines Between Hacktivism and Cybercrime


Ransomware Gang Exploits AWS Feature to Encrypt and Hold Data Hostage

https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c

A new ransomware campaign leverages Amazon Web Services' (AWS) Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt victims' data stored in S3 buckets. This tactic, discovered by cybersecurity firm Halcyon, sees threat actors, such as the group dubbed "Codefinger," infiltrate AWS accounts and utilize the SSE-C feature with their own encryption keys.

The campaign hinges on the fact that AWS does not store these customer-provided keys. This makes data recovery impossible for victims even if they report the incident to Amazon. After encrypting the data, attackers set a seven-day file deletion policy and leave ransom notes demanding Bitcoin payments in exchange for the decryption key.

Halcyon advises AWS customers to implement strict security protocols, including disabling unused keys, regularly rotating active keys, and minimizing account permissions. They also recommend setting policies that restrict the use of SSE-C on S3 buckets where possible.

This incident highlights the critical need for robust security measures within cloud environments, emphasizing the importance of secure key management and vigilant monitoring for unauthorized activity.
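As an added illustration of the monitoring Halcyon recommends (this is example code, not from Halcyon or AWS), the script below scans constructed CloudTrail-style S3 data events for object writes that used SSE-C and raises the severity when the same principal also changed the bucket lifecycle, matching the seven-day deletion step described above. It assumes the `additionalEventData.SSEApplied` field carries the encryption mode S3 applied; treat that field name as an assumption to verify against your own logs.

```python
from collections import Counter

# Constructed sample CloudTrail S3 data events (not real log data). The
# additionalEventData.SSEApplied field is assumed to record the server-side
# encryption mode S3 applied ("SSE_C" = customer-provided key).
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "finance-reports", "key": "q4/ledger.csv"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "CopyObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "finance-reports", "key": "q4/ledger.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "CopyObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "finance-reports", "key": "q4/payroll.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutBucketLifecycle", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "finance-reports"}},
    {"eventName": "GetObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/reporting"},
     "requestParameters": {"bucketName": "finance-reports", "key": "q4/ledger.csv"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
]

# Operations that write object data; SSE-C is only relevant on these.
WRITE_OPS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart"}


def flag_ssec_activity(events):
    """Group SSE-C writes per (principal, bucket); escalate to 'high' when that
    principal also rewrote the bucket lifecycle (the deletion-timer step)."""
    ssec_writes = Counter()
    lifecycle_changes = set()
    for ev in events:
        name = ev.get("eventName")
        principal = ev.get("userIdentity", {}).get("arn", "unknown")
        bucket = ev.get("requestParameters", {}).get("bucketName", "unknown")
        sse = ev.get("additionalEventData", {}).get("SSEApplied")
        if name in WRITE_OPS and sse == "SSE_C":
            ssec_writes[(principal, bucket)] += 1
        elif name == "PutBucketLifecycle":
            lifecycle_changes.add((principal, bucket))

    findings = []
    for (principal, bucket), count in sorted(ssec_writes.items()):
        touched_lifecycle = (principal, bucket) in lifecycle_changes
        findings.append({"principal": principal, "bucket": bucket,
                         "ssec_writes": count, "lifecycle_changed": touched_lifecycle,
                         "severity": "high" if touched_lifecycle else "medium"})
    return findings


if __name__ == "__main__":
    for finding in flag_ssec_activity(SAMPLE_EVENTS):
        print(finding)
```

In-place CopyObject calls that switch an existing key to SSE-C are the pattern worth alerting on, since a legitimate workload rarely re-encrypts objects under keys the account does not hold.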


Phishing Texts Trick iMessage Users into Disabling Security

https://www.bleepingcomputer.com/news/security/phishing-texts-trick-apple-imessage-users-into-disabling-protection/

Cybercriminals are employing a new tactic in their smishing (SMS phishing) campaigns: tricking Apple iMessage users into replying to texts, thereby disabling the platform's built-in phishing protection.

iMessage automatically disables links in messages from unknown senders as a security measure. However, replying to such a message or adding the sender to your contacts list will enable these links.

  Recent smishing attacks, such as those mimicking USPS shipping issues or unpaid road tolls, instruct recipients to reply with "Y" to enable a disabled link. This plays on the common user behavior of replying to texts to confirm appointments or opt out of services.

By replying, users inadvertently disable iMessage's security for that specific text, potentially exposing themselves to malicious links and scams. Even if the user doesn't click the enabled link, their response signals to attackers that they are susceptible to phishing attempts.

Security experts advise against replying to texts with disabled links from unknown senders. Instead, users should contact the purported sender directly to verify the message's legitimacy.


Fake CrowdStrike Job Offers Used to Distribute Cryptominer

https://www.crowdstrike.com/en-us/blog/recruitment-phishing-scam-imitates-crowdstrike-hiring-process/

Cybercriminals are targeting developers with a new phishing campaign that impersonates CrowdStrike, a cybersecurity company. The campaign tricks victims into downloading a malicious application that installs a cryptominer on their devices.

Here's how the scam works:

  1. Phishing Email: The attacker sends a phishing email that appears to be from a CrowdStrike recruiter. The email congratulates the recipient on being shortlisted for a junior developer position and asks them to schedule an interview.

  2. Malicious Link: The email contains a link that takes the victim to a fake website that looks like a legitimate CrowdStrike domain.

  3. Fake CRM Application: The website prompts the victim to download a "customer relationship management (CRM)" application to schedule the interview. However, this application is actually malware.

  4. Cryptominer Download: Once downloaded and installed, the malware downloads and installs a cryptominer on the victim's device. Cryptominers use the victim's device to mine cryptocurrency for the attacker.

This is a sophisticated phishing campaign that leverages the credibility of a well-known company. Here are some tips to avoid falling victim to this scam:

  • Be wary of unsolicited emails: Don't click on links or download attachments from emails from unknown senders.

  • Verify the sender's email address: If you receive an email from a recruiter, carefully check the email address to make sure it's legitimate.

  • Don't download software from untrusted sources: Only download software from the official website of the company.

  • Be suspicious of urgent requests: If an email asks you to take immediate action, it's probably a scam.


Stealthy WordPress Skimmers Infiltrate Database Tables

https://blog.sucuri.net/2025/01/stealthy-credit-card-skimmer-targets-wordpress-checkout-pages-via-database-injection.html

Cybersecurity researchers have uncovered a new wave of credit card skimmers targeting WordPress e-commerce sites. This campaign injects malicious JavaScript into the wp_options table of the WordPress database, making it difficult to detect with traditional scanning tools.

How the Skimmer Works

  1. Database Injection: The skimmer code is injected into the wp_options table disguised as a widget block.

  2. Checkout Page Activation: The malicious code springs into action only on checkout pages.

  3. Fake Payment Form: The skimmer either hijacks existing payment fields or injects a fraudulent payment form that mimics legitimate processors like Stripe.

  4. Data Theft: The form captures credit card details, including numbers, expiration dates, CVV codes, and billing information. The stolen data is then encoded to evade detection and sent to attacker-controlled servers.
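Because the skimmer lives in the database rather than in theme or plugin files, a file-based scanner misses it. The added example below (not Sucuri's code) scores constructed wp_options rows for the traits described above: a script tag inside a block widget, a checkout-page gate, and a decoder call that unpacks encoded content. The option names and indicator weights are assumptions chosen for illustration.

```python
import re

# Constructed sample rows from a WordPress wp_options table (not from a real
# site). Block widgets store their HTML in the widget_block option.
SAMPLE_WP_OPTIONS = [
    {"option_id": 1, "option_name": "siteurl",
     "option_value": "https://shop.example.test"},
    {"option_id": 2, "option_name": "widget_block",
     "option_value": '{"2":{"content":"<!-- wp:paragraph --><p>Free shipping over $50</p><!-- /wp:paragraph -->"}}'},
    {"option_id": 3, "option_name": "widget_block",
     "option_value": '{"3":{"content":"<script>if(location.href.indexOf(\\"checkout\\")>-1){var p=atob(\\"ZmFrZQ==\\");}</script>"}}'},
]

# (name, pattern, weight): traits a block widget's content should not carry.
INDICATORS = [
    ("script_tag", re.compile(r"<script\b", re.I), 3),
    ("checkout_gate", re.compile(r"checkout", re.I), 2),
    ("decoder_call", re.compile(r"\b(atob|unescape|String\.fromCharCode)\s*\(", re.I), 2),
    ("long_base64", re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"), 1),
]

# Options that legitimately hold HTML and are therefore where injected JS hides.
WATCHED_OPTIONS = {"widget_block", "widget_custom_html", "widget_text"}


def scan_wp_options(rows, min_score=3):
    """Return watched rows whose indicator score reaches min_score, with the
    indicator names that fired so an analyst can review the row by option_id."""
    findings = []
    for row in rows:
        if row["option_name"] not in WATCHED_OPTIONS:
            continue
        hits = [name for name, rx, _ in INDICATORS if rx.search(row["option_value"])]
        score = sum(weight for name, _, weight in INDICATORS if name in hits)
        if score >= min_score:
            findings.append({"option_id": row["option_id"],
                             "option_name": row["option_name"],
                             "score": score, "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_wp_options(SAMPLE_WP_OPTIONS):
        print(finding)
```

Run the same logic over a `wp_options` export after each deployment and diff the results; a widget row that newly scores is a stronger signal than any single indicator.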

Campaign Similarities to Previous Attacks

This campaign shares similarities with a previous attack discovered by Sucuri in December 2024. That attack also used JavaScript to create fake payment forms or steal data from legitimate forms on checkout pages. However, the stolen data was obfuscated differently, using a combination of JSON encoding, XOR encryption, and Base64 encoding.

These recent discoveries highlight the evolving tactics of cybercriminals. E-commerce website owners should stay updated on the latest threats and implement robust security measures, including regular vulnerability scanning and database backups. Users should also be cautious about entering payment information on unfamiliar websites and look for signs of a secure connection (HTTPS).


A New AI-Driven Ransomware Group Blurs the Lines Between Hacktivism and Cybercrime

https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/

FunkSec, a recently emerged ransomware group, has taken the cybersecurity world by storm with its aggressive tactics and claims of over 85 victims in just a month. However, a closer look reveals a more complex story.

Key Points:

  • Rapid Rise: FunkSec emerged in late 2024 and quickly gained notoriety for its high number of claimed victims.

  • Low Expertise: Despite their claims, FunkSec appears to be run by inexperienced actors, with the malware riddled with redundancies and the group recycling leaked data from other sources.

  • AI-Assisted Development: The group leverages AI tools to enhance their capabilities, including generating code comments and potentially aiding in ransomware development.

  • Hacktivist Leanings: FunkSec aligns itself with hacktivist causes and targets specific countries, but the legitimacy of these connections remains unclear.

  • Blurred Lines: FunkSec's activities blur the line between hacktivism and cybercrime, raising questions about their true motivations.

Motives and Methods

FunkSec uses a combination of data theft and encryption (double extortion) to pressure victims into paying ransoms. They offer their custom ransomware, DDoS tools, and password generation utilities. Interestingly, their ransomware demands are unusually low, sometimes as little as $10,000, and they also sell stolen data to third parties.

Technical Analysis

The FunkSec ransomware is written in Rust and exhibits several peculiarities. The code contains redundancies, with functions being called repeatedly. Additionally, the malware leverages AI-generated comments, suggesting a reliance on AI tools for development.

Uncertainties and Challenges

FunkSec's true expertise and motivations remain unclear. Their use of recycled data casts doubt on the authenticity of their leaks, and their connection to hacktivism is questionable. This case highlights the evolving threat landscape where even less-skilled actors can leverage AI and readily available tools to cause significant disruption.

The Future

FunkSec serves as a wake-up call for the cybersecurity community. We need to develop better methods for assessing ransomware threats and be wary of groups that rely on self-promotion and manipulation. As AI becomes more accessible, it's crucial to stay ahead of its potential misuse by malicious actors.
