BreachForums, a notorious online criminal marketplace and stolen-data bazaar, has reportedly shut down for good following the arrest of its alleged chief administrator. The site rose quickly in popularity after a similar stolen-data bazaar, RaidForums, was taken down. The FBI and the Department of Homeland Security recently arrested Conor Brian Fitzpatrick, also known as "pompompurin", the administrator of BreachForums. In a recent court document, Fitzpatrick admitted to running the illicit market.

## Shut Down for Good

Following Fitzpatrick's arrest, the site's second admin, "baphomet", declared the forum unsafe and posted a message to the BreachForums Telegram channel on March 21. Initially, baphomet had indicated that they planned to migrate the forum to new infrastructure to keep it running. In a final update on Tuesday, however, the admins wrote that they had confirmed the government likely had access to Fitzpatrick's machine, and that shutting down the site was the only option.

## Uncertain Future

According to Flashpoint, a cybersecurity intelligence firm, the shutdown is a short-term disruption, but it remains unclear what a successor forum will look like. Baphomet's latest message indicated that the forum would likely relaunch in another format, but it is unclear whether it would continue in the spirit of Raid or Breach or be something new entirely. Threat actors will continue to have an appetite for breached databases, and it remains to be seen whether that demand is met through an existing alternative venue or requires a new forum entirely.

## The Rise of BreachForums

BreachForums appeared shortly after the demise of RaidForums. The site grew quickly, and its members traded in stolen data and hacking tools. BreachForums became known as a hub for cybercriminals looking to buy and sell stolen data, including usernames, passwords, credit card numbers, and social security numbers.
According to a recent blog post by Flashpoint, BreachForums played a significant role in the monetization of the Shanghai police database leak of July 2022, which put the personal data of roughly one billion Chinese citizens up for sale. The forum also hosted data from several other high-profile breaches, including the Zynga, Edmodo, and Comodo Forum breaches.

## The Arrest of Pompompurin

The arrest of Conor Brian Fitzpatrick, the alleged chief administrator of BreachForums, has shed new light on the inner workings of the cybercriminal underground. According to court documents, Fitzpatrick admitted to running the illicit market and boasted about his profits, claiming to have made over $1.5 million in Bitcoin from the site's operations. His arrest followed a joint operation by the FBI and the Department of Homeland Security, during which authorities seized several of his electronic devices and found evidence linking him to BreachForums. Fitzpatrick now faces several charges, including conspiracy to commit computer fraud and abuse, conspiracy to commit wire fraud, and aggravated identity theft.

## The Future of Cybercrime

The shutdown of BreachForums is a significant win for law enforcement, but it is unlikely to stop cybercriminals from finding new ways to monetize stolen data. As threat intelligence firms have noted, demand for breached databases will persist, and it remains to be seen whether a new forum will emerge to fill the void. Brett Callow, a threat analyst at Emsisoft, put it bluntly: "I have no idea what will replace BreachForums, but you can bet your bottom dollar that it will be replaced." Cybercrime is a lucrative business, and as defenses improve, criminals will keep looking for new ways to exploit vulnerabilities and turn a profit.
The shutdown is therefore only a temporary setback for cybercriminals, who will find new platforms on which to buy and sell stolen data. This is not the first time law enforcement has taken down an online criminal marketplace, and it will not be the last. As technology evolves and cybercriminals grow more sophisticated, it becomes harder for authorities to keep pace. Arrests such as Fitzpatrick's nonetheless show that law enforcement is making progress.

The case also underlines why security matters to businesses and individuals alike. The data sold on the site was obtained through phishing, malware infections, and breaches of poorly defended systems. Strong multi-factor authentication, prompt patching, and regular, tested backups remain the basic controls that blunt these threats.

The shutdown, and the likely emergence of successor platforms, also raises questions about the role of technology companies in preventing cybercrime. Google, Facebook, and Twitter have been criticized in the past for not doing enough to tackle online crime, but as more companies recognize the risks and consequences, they are strengthening their own security and working more closely with law enforcement.

In conclusion, the shutdown of BreachForums is a reminder of the ongoing threat posed by cybercriminals and of the need for robust security measures. It also highlights the need for closer collaboration between technology companies, law enforcement agencies, and security researchers to combat online crime. While the emergence of new platforms for cybercriminals
Italian luxury sports car maker Ferrari has disclosed a data breach after attackers gained access to some of its IT systems and demanded a ransom. The company has confirmed that customer contact data, including names, addresses, email addresses, and telephone numbers, was exposed. Ferrari has so far found no evidence that payment details or other sensitive payment information were accessed or stolen, but the incident is another reminder of the ongoing threat of extortion attacks.

## Attackers Demand Ransom After Accessing Ferrari's IT Systems

Ferrari [confirmed](https://www.ferrari.com/en-EN/corporate/articles/cyber-incident-in-ferrari) the cyberattack in a statement, saying that a threat actor had contacted its Italian subsidiary with a ransom demand relating to certain client contact details. On receiving the demand, the company launched an investigation in collaboration with a leading global third-party cybersecurity firm.

![Ferrari data breach notification.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Ferrari_data_breach_notification_f36839f296.jpg) ***Data Breach Notification***

Ferrari said the attackers were able to access a limited number of systems within its IT environment. The full extent of the intrusion is still unclear, but the attackers are believed to have obtained customer data stored on the compromised systems.

## Ferrari Takes Measures to Secure Compromised Systems

After discovering the breach, Ferrari took immediate steps to secure the affected systems. The company says the attack has had no impact on its operations, and it continues to work with cybersecurity experts to establish the scope of the incident. Ferrari has also reported the attack to the relevant authorities and is urging customers to remain vigilant and report any suspicious activity to the company.
As a matter of policy, Ferrari has stated that it will not be held to ransom, because paying such demands funds criminal activity and enables threat actors to perpetuate their attacks.

## Sensitive Customer Data Exposed

The exposure of customer data is a major concern for Ferrari and its customers. The company has confirmed that the information exposed includes names, addresses, email addresses, and telephone numbers. While no evidence has been found of payment details or other sensitive payment information being accessed or stolen, the incident highlights the importance of protecting customer data from cyber threats. Ferrari has apologized to its customers and assured them that it is taking all necessary measures to prevent a recurrence. The company is also offering affected customers free identity theft protection and credit monitoring for a limited period.

## The Ongoing Threat Posed by Hackers

The attack on Ferrari is a reminder of the ongoing threat posed by hackers and cybercriminals. As more businesses rely on digital technology and the internet to run their operations, the risk of cyberattacks keeps growing, and companies need to remain vigilant and take proactive measures to protect their IT systems and sensitive customer data.

Ferrari has faced other security incidents before, including an [NFT scam that targeted one of its subdomains](https://bit.ly/3slfnad). In May 2022, attackers hijacked the forms.ferrari.com subdomain to host a fake NFT collection. The scam claimed Ferrari had released "a collection of 4,458 horsepower NFTs on the Ethereum network" and persuaded visitors to buy the tokens. The attackers used an Adobe Experience Manager exploit to compromise the subdomain and collected over $800 in Ethereum before the page was taken down.
Security researchers have identified a new Emotet spam campaign that uses Microsoft OneNote email attachments to bypass macro-based security restrictions. The campaign follows [three months of inactivity](https://www.secureblink.com/cyber-security-news/emotet-resurrected-after-3-months-with-a-new-emails-phishing-campaign) before the botnet's return. Emotet began life as a banking Trojan that steals sensitive information and spreads through email spam; it has since become a malware delivery platform used to distribute ransomware, other banking Trojans, and further malicious payloads. This [Threatfeed](https://www.secureblink.com/cyber-security-news) analyzes the technical aspects of the campaign and how it uses OneNote attachments to compromise systems.

## Emotet Campaign Leveraging Malicious OneNote Attachments

Emotet was initially a [derivative](https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/dridex) of the [Cridex](https://securelist.com/dridex-a-history-of-evolution/78531/) [banking worm](https://services.global.ntt/en-au/insights/blog/dridex-and-emotet-infrastructure-overlaps), which was [replaced](https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-339a) by Dridex around the same time GameOver Zeus was disrupted in 2014. [Emotet](https://www.secureblink.com/cyber-security-news/emotet-reincarnated-through-trickbot's-infrastructure) has since evolved into a potent and resilient threat that has become a _"monetized platform for other threat actors to run malicious campaigns on a pay-per-install model."_ This enables both the theft of sensitive data and ransom extortion. Despite law-enforcement attempts to shut it down, Emotet has persisted, going quiet for stretches of each year and then returning.
![Emotet at OneNote.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Emotet_at_One_Note_d9fc556e31.jpg) ***Emotet Campaign***

Towards the end of 2021, Emotet, a dropper, resurfaced with help from the [TrickBot](https://www.secureblink.com/cyber-security-news/trickbot-is-going-through-a-transformational-transition-into-a-new-malware) malware. Emotet typically spreads through spam emails carrying malicious attachments, but Microsoft's default blocking of macros in Office files downloaded from the internet has forced the operators to find other delivery formats, and OneNote attachments have become an [attractive alternative](https://www.huntress.com/blog/addressing-initial-access).

Security researcher Abel [detected](https://twitter.com/abel1ma/status/1636121052526039040) a new Emotet spam campaign in which the attackers sent malicious emails with OneNote attachments disguised as guides, how-to documents, invoices, job references, and other files. The emails were styled as replies to earlier conversations, making them look legitimate and trustworthy.

![Emotet-phishing-email.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Emotet_phishing_email_d1f8e1ad57.jpg) ***Spam Email Sample of Emotet***

According to [Malwarebytes](https://www.malwarebytes.com/blog/threat-intelligence/2023/03/emotet-onenote), the OneNote file is simple but effective: it social-engineers the user with a fake notice that the document is password-protected and asks them to double-click a "View" button. Victims who do so are actually double-clicking an embedded script file hidden beneath the button.
![showing-embedded-file.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/showing_embedded_file_ac69a685db.jpg) ***Malicious OneNote Attachment***

## Hidden Malicious VBScript

OneNote lets a page contain design elements that overlay an embedded file, but double-clicking the location of the embedded file launches it even when a graphic covers it. The campaign exploits this by hiding a Windows Script File named 'click.wsf' beneath the fake "View" button.

![microsoft-onenote-attachment.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/microsoft_onenote_attachment_008c946688.jpg) ***Microsoft OneNote Attachment Conceals click.wsf***

OneNote then displays a warning that opening attachments could harm the computer. If the user clicks 'OK' to dismiss it, click.wsf is run by WScript.exe from OneNote's Temp folder, a path that differs for each user. The file contains heavily obfuscated VBScript that downloads a DLL from a remote, likely compromised website into the same Temp folder and then launches the randomly named DLL with regsvr32.exe; that DLL is the Emotet payload.

![click_wsf-vbscript.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/click_wsf_vbscript_87433259c3.jpg) ***click.wsf VBScript file***

![Microsoft OneNote Warning Prompt.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Microsoft_One_Note_Warning_Prompt_6f85d785c9.jpg) ***Alert Prompt of Microsoft OneNote***

Similar findings have been reported by Cyble, [IBM X-Force](https://exchange.xforce.ibmcloud.com/threats/guid:7ad7053de0ccf1eb06b272bd3deb0fa5), and [Palo Alto Networks Unit 42](https://twitter.com/Unit42_Intel/status/1636739251277647874).
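The concealment described above works because OneNote simply stores the attachment as a FileDataStoreObject record inside the .one file, whatever is drawn on top of it. The following Python is an added example written for this Threatfeed, not code from the original post or from any vendor cited here: it carves those records out of a .one file and classifies each by content rather than by the name or icon shown on the page. The record layout (header and footer GUIDs, 8-byte length, 12 bytes unused/reserved) follows Microsoft's MS-ONESTORE specification; the sample .one blob and the click.wsf body are constructed for the demonstration.

```python
"""Pull embedded files out of a OneNote (.one) document and flag script payloads.

Added example for this article; not code from the original post or any vendor.
OneNote stores attachments as FileDataStoreObject records (MS-ONESTORE): a
header GUID, an 8-byte length, 12 bytes unused/reserved, the raw file, and a
footer GUID. Carving those records finds click.wsf-style payloads no matter
what the page draws over them. The .one blob below is constructed, not a lure.
"""
import re
import struct
import uuid

ONE_FILE_MAGIC = uuid.UUID("{7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}").bytes_le
FILE_DATA_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FILE_DATA_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
# After the header GUID: cbLength (8 bytes, little-endian), unused (4), reserved (8).
RECORD_HEADER = struct.Struct("<Q4s8s")

# Classify by content, never by the name or icon OneNote displays.
SCRIPT_SIGNATURES = {
    "wsf": re.compile(rb"<\s*job\b|<\s*script\b[^>]*language\s*=", re.I),
    "hta": re.compile(rb"<\s*hta:application\b", re.I),
    "vbs": re.compile(rb"\bCreateObject\s*\(|\bWScript\.", re.I),
    "bat": re.compile(rb"^\s*@?echo\s+off\b|\bpowershell(\.exe)?\s", re.I | re.M),
    "exe": re.compile(rb"\AMZ"),
}


def extract_embedded_files(one_bytes):
    """Return [(offset, data)] for every well-formed FileDataStoreObject."""
    found, pos = [], 0
    while (idx := one_bytes.find(FILE_DATA_HEADER, pos)) >= 0:
        hdr_end = idx + len(FILE_DATA_HEADER)
        if hdr_end + RECORD_HEADER.size > len(one_bytes):
            break
        length, _unused, _reserved = RECORD_HEADER.unpack_from(one_bytes, hdr_end)
        start = hdr_end + RECORD_HEADER.size
        end = start + length
        # Trust the record only if the footer GUID sits exactly where cbLength says.
        if one_bytes[end:end + len(FILE_DATA_FOOTER)] == FILE_DATA_FOOTER:
            found.append((idx, one_bytes[start:end]))
            pos = end + len(FILE_DATA_FOOTER)
        else:
            pos = hdr_end  # malformed or truncated record: keep carving
    return found


def classify(data):
    for kind, pattern in SCRIPT_SIGNATURES.items():
        if pattern.search(data):
            return kind
    return "other"


def scan_onenote(one_bytes):
    """Return ([(offset, kind, size)], suspicious) for a gateway or sandbox verdict."""
    report = [(off, classify(d), len(d)) for off, d in extract_embedded_files(one_bytes)]
    return report, any(kind != "other" for _, kind, _ in report)


def build_fake_one(*payloads):
    """Constructed .one-like blob: magic, filler, then one record per payload."""
    blob = bytearray(ONE_FILE_MAGIC) + b"\x00" * 64
    for p in payloads:
        blob += FILE_DATA_HEADER + RECORD_HEADER.pack(len(p), b"\0" * 4, b"\0" * 8)
        blob += p + FILE_DATA_FOOTER + b"\x00" * 16
    return bytes(blob)


# Constructed sample: a PNG stub (the decoy graphic) plus a click.wsf-style script.
SAMPLE_WSF = (b'<job id="x"><script language="VBScript">\r\n'
              b'Set o = CreateObject("WScript.Shell")\r\n</script></job>')
SAMPLE_ONE = build_fake_one(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32, SAMPLE_WSF)

if __name__ == "__main__":
    report, suspicious = scan_onenote(SAMPLE_ONE)
    for off, kind, size in report:
        print(f"offset={off:#x} kind={kind} size={size}")
    print("SUSPICIOUS" if suspicious else "clean")
```

The carver deliberately validates the footer GUID against cbLength before accepting a record, so a truncated or corrupted record cannot cause a huge slice or a false hit; a real deployment would feed every extracted payload to the same scanners used for ordinary email attachments.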
Emotet has not abandoned its older lure, however: it still sends Office documents that coax users into enabling macros to start the attack chain. Those documents have been observed using binary padding, sometimes described as a decompression bomb, in which the file is inflated with junk bytes to over 550 MB so that the ZIP attachment stays small but the extracted document exceeds the size limits of many scanners, according to reports from [Cyble](https://blog.cyble.com/2023/03/17/recent-emotet-spam-campaign-utilizing-new-tactics/), [Deep Instinct](https://www.deepinstinct.com/blog/emotet-again-the-first-malspam-wave-of-2023), [Hornetsecurity](https://www.hornetsecurity.com/en/press-releases/dangerous-new-instance-of-emotet/), and [Trend Micro](https://www.trendmicro.com/en_us/research/23/c/emotet-returns-now-adopts-binary-padding-for-evasion.html).

## Threat Actors' Flexibility and Agility

The latest development is a sign of the operators' flexibility and agility in switching attachment types for initial delivery to evade detection signatures. The trend is not limited to Emotet: other threat actors are using OneNote documents to distribute a wide range of malware, including AsyncRAT, IcedID, RedLine Stealer, Qakbot, and XWorm.

## Impact of Emotet Malware

Once installed, Emotet harvests email and contact information and waits for further commands from its command-and-control server. The campaign is likely to drop additional payloads, such as Cobalt Strike or other malware, that give the operators access to the compromised device and let them spread further in the network. Emotet has been used extensively as a malware delivery tool to distribute ransomware, banking Trojans, and other malicious payloads.

## Protecting against Malicious OneNote Attachments

Microsoft OneNote has become a significant malware distribution problem, with multiple malware campaigns using these attachments.
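The padded-document trick described earlier (a small ZIP that inflates to a 550 MB document) is easy to catch at the mail gateway before any OneNote or Office parsing happens. The Python below is an added example, not code from the original post or from any vendor cited: it reads the ZIP central directory without extracting anything, flags implausible inflated sizes and compression ratios, and streams each member through a bounded buffer to test whether its tail is null padding. The thresholds and the sample archive are constructed for the demonstration.

```python
"""Catch null-padded "decompression bomb" documents inside ZIP attachments.

Added example for this article, not code from the original post. Reads the
ZIP central directory without extracting, flags members whose inflated size
or compression ratio is implausible for a document, and streams each member
to check whether its tail is null padding. Archive and limits are constructed
for the demo; tune the limits to your gateway's scan budget.
"""
import hashlib
import io
import zipfile

MAX_INFLATED = 100 * 1024 * 1024  # many scanners skip files larger than this
MAX_RATIO = 100.0                 # genuine Office documents rarely exceed ~50:1
TAIL_SAMPLE = 1024 * 1024         # bytes of tail examined for padding


def tail_null_fraction(zf, info, sample=TAIL_SAMPLE):
    """Stream one member through a bounded buffer; return the NUL share of its tail."""
    tail = bytearray()
    with zf.open(info) as fh:
        while chunk := fh.read(1 << 16):
            tail += chunk
            if len(tail) > sample:
                del tail[:-sample]
    return tail.count(0) / len(tail) if tail else 0.0


def scan_attachment(zip_bytes, max_inflated=MAX_INFLATED, max_ratio=MAX_RATIO):
    """Return ([(name, inflated, stored, reasons)], suspicious)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            ratio = info.file_size / max(info.compress_size, 1)
            if info.file_size > max_inflated:
                reasons.append("inflated size exceeds scan limit")
            if ratio > max_ratio:
                reasons.append(f"compression ratio {ratio:.0f}:1")
            if info.file_size and tail_null_fraction(zf, info) > 0.9:
                reasons.append("tail is null padding")
            findings.append((info.filename, info.file_size, info.compress_size, reasons))
    return findings, any(f[3] for f in findings)


def pseudo_random_bytes(n, seed=b"demo"):
    """Deterministic incompressible filler standing in for a real document body."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_zip():
    """Constructed sample: one ordinary document and one lure padded with NULs."""
    benign = pseudo_random_bytes(10 * 1024)
    padded = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"macro body" + b"\x00" * (5 * 1024 * 1024)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.docx", benign)
        zf.writestr("invoice_7731.doc", padded)
    return buf.getvalue()


if __name__ == "__main__":
    findings, suspicious = scan_attachment(build_sample_zip())
    for name, inflated, stored, reasons in findings:
        print(f"{name}: {inflated} bytes inflated, {stored} stored, {reasons or 'ok'}")
    print("SUSPICIOUS" if suspicious else "clean")
```

The size and ratio checks come straight from the central directory, so they cost nothing even for a multi-gigabyte bomb; the tail check is the one that actually inflates data, and the bounded buffer keeps its memory use constant regardless of how large the member claims to be.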
While Microsoft is adding [improved protections in OneNote against phishing documents](https://www.secureblink.com/cyber-security-news/one-note-attachments-hackers-new-weapon-to-spread-malware), Windows admins can configure group policies to protect against malicious OneNote files today.

![OneNote Attachment Blocked.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/One_Note_Attachment_Blocked_4b3d291065.jpg) ***Protection Added on Microsoft OneNote Documents***

The relevant policies live under User Configuration > Administrative Templates > Microsoft OneNote 2016 > OneNote Options > Embedded Files: "Disable embedded files" blocks embedded files in OneNote altogether, and "Embedded Files Blocked Extensions" blocks specific extensions (for example .wsf, .vbs, .js, .hta, and .exe) from being opened. Windows admins should use these options until Microsoft ships further protections for OneNote.

## Targeted Sectors & Geographies

Trellix [reports](https://www.trellix.com/en-us/about/newsroom/stories/research/qakbot-evolves-to-onenote-malware-distribution.html) that in recent years the United States, South Korea, Germany, Saudi Arabia, Poland, India, the United Kingdom, Italy, Japan, and Croatia have recorded the highest numbers of OneNote detections. The manufacturing, high-tech, telecom, finance, and energy industries are increasingly targeted by these attacks.

## Spam Email Campaigns Went Too Far!

Emotet campaigns are using Microsoft OneNote email attachments to bypass macro-based security restrictions, and they are likely to drop additional payloads that lead to significant damage and data breaches. Windows admins should protect their systems by configuring group policies to block embedded files in OneNote or to block specific file extensions from running. While Microsoft works on improving OneNote's own protections, admins must take action now to prevent these attacks.
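Group policy stops the embedded file from opening; host telemetry catches the cases where it did. The following Python is an added example, not code from the original post or from any vendor cited, and assumes Sysmon-style process-creation events (Event ID 1) exported as JSON lines with the standard ProcessGuid, ParentProcessGuid, Image and CommandLine fields. It reconstructs the process tree and raises alerts on the chain described in this article: onenote.exe launching a script host on a file in its Temp folder, and regsvr32.exe loading a file from that folder while descending from such a chain. The user name, GUIDs and paths in the sample log are constructed, and the exact Temp subpath is an assumption about where OneNote exports embedded files; adjust the ONENOTE_TEMP pattern to what your own telemetry shows.

```python
"""Spot the OneNote -> script host -> regsvr32 chain in process-creation telemetry.

Added example for this article; not code from the original post or any vendor.
Parses Sysmon-style Event ID 1 records (JSON lines) and walks ProcessGuid /
ParentProcessGuid rather than PIDs so PID reuse cannot break the tree. The log
lines, user name, GUIDs and the OneNote Temp subpath are constructed/assumed.
"""
import json
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
# Assumed location OneNote writes an embedded file to before launching it.
ONENOTE_TEMP = re.compile(r"\\AppData\\Local\\Temp\\OneNote\\", re.I)

# Constructed sample telemetry: a malicious chain (events 3-5) and two benign look-alikes.
SAMPLE_LOG = r"""
{"ProcessGuid": "{00-1}", "ParentProcessGuid": "{00-0}", "Image": "C:\\Windows\\explorer.exe", "CommandLine": "C:\\Windows\\Explorer.EXE"}
{"ProcessGuid": "{00-2}", "ParentProcessGuid": "{00-1}", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\""}
{"ProcessGuid": "{00-3}", "ParentProcessGuid": "{00-2}", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE\" /f \"C:\\Users\\jsmith\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\AB12CD34\\Invoice_2023.one\""}
{"ProcessGuid": "{00-4}", "ParentProcessGuid": "{00-3}", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\jsmith\\AppData\\Local\\Temp\\OneNote\\16.0\\Exported\\{9F3C0B1E-2D4A-4E7B-9C11-5A6B7C8D9E0F}\\NT\\0\\click.wsf\""}
{"ProcessGuid": "{00-5}", "ParentProcessGuid": "{00-4}", "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "\"C:\\Windows\\System32\\regsvr32.exe\" C:\\Users\\jsmith\\AppData\\Local\\Temp\\OneNote\\16.0\\Exported\\{9F3C0B1E-2D4A-4E7B-9C11-5A6B7C8D9E0F}\\NT\\0\\JkqTzx.dll"}
{"ProcessGuid": "{00-6}", "ParentProcessGuid": "{00-1}", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe \\\\corp.example\\netlogon\\mapdrives.vbs"}
{"ProcessGuid": "{00-7}", "ParentProcessGuid": "{00-0}", "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s \"C:\\Program Files\\Common Files\\Vendor\\control.ocx\""}
"""


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(event):
    return ntpath.basename(event.get("Image", "")).lower()


def ancestors(event, index):
    """Yield parent, grandparent, ... by walking ParentProcessGuid (cycle-safe)."""
    seen, guid = set(), event.get("ParentProcessGuid")
    while guid in index and guid not in seen:
        seen.add(guid)
        yield index[guid]
        guid = index[guid].get("ParentProcessGuid")


def detect(events):
    """Return [(severity, rule, ProcessGuid)] in log order."""
    index = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        name, cmd = image_name(e), e.get("CommandLine", "")
        parent = index.get(e.get("ParentProcessGuid"))
        # Rule 1: OneNote itself starts a script host on something in its Temp folder.
        if (name in SCRIPT_HOSTS and parent and image_name(parent) == "onenote.exe"
                and ONENOTE_TEMP.search(cmd)):
            alerts.append(("medium", "onenote_spawns_script_host", e["ProcessGuid"]))
        # Rule 2: regsvr32 loads a file from OneNote's Temp folder (the dropped DLL may
        # carry any extension) and has both a script host and onenote.exe above it.
        if name == "regsvr32.exe" and ONENOTE_TEMP.search(cmd):
            chain = {image_name(a) for a in ancestors(e, index)}
            if chain & SCRIPT_HOSTS and "onenote.exe" in chain:
                alerts.append(("high", "regsvr32_load_from_onenote_temp", e["ProcessGuid"]))
    return alerts


if __name__ == "__main__":
    for severity, rule, guid in detect(load_events(SAMPLE_LOG)):
        print(f"[{severity}] {rule} process={guid}")
```

Rule 2 walks the full ancestry rather than checking only the immediate parent, because the script can insert cmd.exe or powershell.exe between WScript.exe and regsvr32.exe without changing what it does; the two benign events in the sample (a logon script run from Explorer, a vendor OCX registered by a service) show why the Temp-path and ancestry conditions are both needed.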