Moneybird ransomware sweeping the nation.

May 26 2023


Welcome to Gone Phishing, your daily cybersecurity newsletter that will never get woke and go broke 😂 Looking at you Target, Bud Light… Sam Smith, sort of.

Welcome to our weekly segment. It goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it. This week it’s Apple. Again.

Now, the previously covered iOS 16.4 update was a pretty major one, so you'd have been forgiven for thinking that was it for iOS 16; roll on iOS 17.

But nope, Apple’s got unfinished business with iOS 16. And not only that, it’s another HUGE update.

Here are some of our highlights:

Concert Discovery on Apple Music and Maps: Apple Music will now show upcoming concerts by your favourite artists near you (available in selected regions).

New Sports section: Listen up, sports fans! Previously, you had ‘Sports’ in the Today tab of Apple News. But considering the rising popularity of sports, Apple brought a dedicated tab for it on the Navigation bar. Game on!

Beta profiles are no longer required: Until iOS 16.4, if you wanted to enrol yourself for iOS Dev Beta updates, you had to pay $99 a year, then download and install the beta profile on your device.

Now all you gotta do is learn to code, out-of-work steelworkers of America.

Lol, thanks and have a good weekend!

For the full list of updates, check this out.

Now on to today’s hottest cyber security stories:

  • Enter Agrius: Iranian hackers target Israeli groups with Moneybird ransomware

  • ‘Volt Typhoon’ unleashes wave of stealth attacks on critical U.S. infrastructure

  • 1.5 MILLION WordPress sites hit with cookie consent plugin exploit

Note: we generated the above image with Midjourney and Adobe AI Generative Fill. How cool is that? Has anyone tried these tools yet? Reply with any cool images you’ve made.

IS THIS THE DAWNING OF THE AGE OF AGRIUS? 🎶

To answer the question posed by the headline above: Let’s f*cking hope not. Still, as always with cybercrime, you gotta admire the creativity of the names…

Is it a bird, is it a plane? No, oh wait, actually it is a bird: Moneybird, to be exact. The new antisemitic ransomware that’s sweeping the nation. The Israeli nation, that is.

From what we can gather, at least some of these cyberattacks are ransomware in name only in that their primary objective is straight sabotage, not financial gain.

The infections walk, talk, and act like ransomware until the time comes to negotiate, when the attackers simply open the dump valves on all that sensitive information or, failing that, wipe the whole lot. Ruthless.

Needless to say, these are politically motivated, and in many cases state-sponsored, acts of espionage-tinged sabotage.

You’ve gotta Americium to believe ‘em 😂 

Indeed, Agrius, also known as Pink Sandstorm (formerly Americium), has a track record of staging destructive data-wiping attacks aimed at Israel under the guise of ransomware infections.

Iran keeps muddying the waters…

Microsoft has attributed the threat actor to Iran's Ministry of Intelligence and Security (MOIS), which also operates MuddyWater. It has been active since at least December 2020 and is giving its victims a soulful case of the deep Mississippi delta blues. Geddit? Any blues fans? Muddy Waters? Bueller? Nevermind.

But yeah, this has been going on for a while now and doesn’t appear to be letting up. But don’t just take our word for it, folks…

Here’s what the experts say:

"The use of a new ransomware, written in C++, is noteworthy, as it demonstrates the group's expanding capabilities and ongoing effort in developing new tools," Check Point researchers Marc Salinas Fernandez and Jiri Vinopal said.

"The use of a new ransomware demonstrates the actor's additional efforts to enhance capabilities, as well as hardening attribution and detection efforts.

"Despite these new 'covers,' the group continues to follow its usual behaviour and utilize similar tools and techniques as before."

You know what they say, you can’t teach an old scammer new scams. That’s how it goes, right?

Me so sneaky, I hack you LONG TIME

When it comes to hacking critical infrastructure in the U.S. and Guam, China’s mantra seems to be: softly, softly, catchee monkey.

They’re creeping around like dentists and it appears they’re getting away with it, the sly communist bastards.

Microsoft and the "Five Eyes" nations revealed that an elusive group originating from China (read: Chy-na in Trump’s voice lol) successfully infiltrated vital infrastructure organisations in the United States and Guam without detection.

Microsoft's threat intelligence team, which tracks the group as Volt Typhoon, is closely monitoring its operations, which involve obtaining compromised credentials and exploring network systems. This state-sponsored actor, primarily focused on espionage and gathering information, has been active since June 2021.

To conceal its presence, the group leans on tools that are already present on the compromised machines or built into the operating system, rather than dropping its own.

"In addition, Volt Typhoon tries to blend into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware," Microsoft said.

Who left the Backdoor open?

The digital offensive is suspected to have been carried out by BackdoorDiplomacy (aka APT15, Playful Taurus, or Vixen Panda), which is known to have targeted government and diplomatic entities across North America, South America, Africa, and the Middle East since at least 2010.

By the way, did you hear about the Chinese Godfather? He made them an offer they couldn't understand. We’ll show ourselves out.

WAS THE WORDPRESS WORTH THE SQUEEZE?

Man, WordPress can’t seem to catch a break lately. Here’s the latest for the poor, put-upon Pressians.

A series of ongoing attacks is currently focused on exploiting an unauthenticated stored cross-site scripting (XSS) vulnerability found in a popular WordPress cookie consent plugin called Beautiful Cookie Consent Banner. This plugin boasts over 40,000 active installations.

In a stored XSS attack, malicious JavaScript is injected into the vulnerable website’s own data, so it is served to and executed in the web browsers of everyone who visits.

The consequences of such attacks can be severe, including unauthorised access to sensitive data, session hijacking, malware infections resulting from redirects to malicious websites, or even the complete compromise of the targeted system.

The attacks were first detected by Defiant, a WordPress security company. According to their findings, the identified vulnerability allows unauthenticated attackers to create unauthorised administrator accounts on WordPress websites that are using outdated versions of the plugin, including versions up to and including 2.10.1.

To address this security flaw, a patch was released in January under version 2.10.2 of the plugin, which successfully mitigates the vulnerability.
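For the curious, here’s an added illustration of how an unauthenticated stored XSS of this sort sneaks into a cookie-banner plugin and what the same handler looks like once it’s locked down. It is not Beautiful Cookie Consent Banner’s actual code (we haven’t seen it); the hook names, option name and function names are made up for the example.

```php
<?php
// Hypothetical cookie-banner plugin (illustration only, not the real plugin's code).
// Versions A and B are alternatives: a site would load one or the other.

// --- Version A: vulnerable (unauthenticated stored XSS) ----------------------
// wp_ajax_nopriv_* handlers run for logged-out visitors. Saving a setting from
// here with no capability check, no nonce and no sanitisation means anyone can
// persist arbitrary HTML, which the footer hook then prints raw on every page.
add_action( 'wp_ajax_nopriv_cb_save_text', 'cb_save_text_vulnerable' );
function cb_save_text_vulnerable() {
    update_option( 'cb_banner_text', wp_unslash( $_POST['text'] ?? '' ) );
    wp_send_json_success();
}
add_action( 'wp_footer', function () {
    echo '<div class="cb-banner">' . get_option( 'cb_banner_text', '' ) . '</div>';
} );

// --- Version B: hardened -----------------------------------------------------
// 1. authenticated hook only, 2. capability check, 3. nonce (the admin page
// creates it with wp_create_nonce( 'cb_save_text' )), 4. allow-list
// sanitisation on write, 5. escaping on output.
add_action( 'wp_ajax_cb_save_text', 'cb_save_text_hardened' );
function cb_save_text_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'cb_save_text' ); // dies on a missing or bad nonce

    // A cookie banner legitimately needs a little markup (a privacy-policy
    // link, some emphasis); everything else, including <script>, is stripped.
    $allowed = array(
        'a'      => array( 'href' => array() ),
        'strong' => array(),
        'em'     => array(),
    );
    $clean = wp_kses( wp_unslash( $_POST['text'] ?? '' ), $allowed );
    update_option( 'cb_banner_text', $clean );
    wp_send_json_success();
}
add_action( 'wp_footer', function () {
    // Escaping on output is the second line of defence: it also neutralises a
    // value that an older, unsanitised code path may already have stored.
    echo '<div class="cb-banner">' . wp_kses_post( get_option( 'cb_banner_text', '' ) ) . '</div>';
} );
```

The "unauthenticated" part of the advisory is the nopriv hook plus the missing capability check; the "stored" part is that the payload lives in the options table and is served to every visitor until the setting is cleaned.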

As always, our advice is: quit hesitating; get to updating!

So long and thanks for reading all the phish!

Cyber Dawg’s top picks from the week. He’s your Dawg, he’s got you.

MONDAY: Blunder reveals identity of cybercrime mastermind

TUESDAY: ‘iSpoof’ scammer jailed for 13 years

WEDNESDAY: Facebook fined record-breaking $1.3 BILLION

THURSDAY: Suzuki motorcycle shutdown by cyberattack
