Cloud Hosting

Lumen Technologies' Black Lotus Labs this morning announced their discovery of a watering hole campaign that compromised a number of Ukrainian websites and at least one Canadian site. The campaign affected a range of sectors including manufacturing, oil, media, sport, and investment banking. The unidentified attackers used malicious JavaScript on the sites to induce the victims to send their New Technology LAN Manager (NTLM) hashes to an attacker-controlled server via Server Message Block (SMB) protocol.

Avanan reports that a phishing campaign has been active, in some cases successfully, against users of WeTransfer, another popular file transfer app. The attackers are phishing, as one might expect, for user credentials, and their phishbait is a bogus message telling recipients, "You have received some files."

Elsewhere in the criminal-to-criminal souks, Intel471 has been observing EtterSilent, a tool for building malicious documents that's achieving significant marketshare. EtterSilent, first available on Russophone hacking fora, typically creates a bogus DocuSign template. It's been used to spread Trickbot, the Bazar loader, and three banking Trojans: BokBot, Gozi ISFB and QBot.

The big, and old, Facebook breach remains in the news. Business News points out that Mr. Zuckerberg himself was among the five-hundred-thirty-three-million users affected.Ireland's Data Protection Commission has, the BBC reports, opened an investigation into the incident. The Commission is looking into whether the data recently made freely available are in fact identical to those compromised in 2019. So far the Commission says the data seem to be from the older leak, as Facebook has maintained.

Read more:
Watering hole campaign described. WeTransfer phishing. EtterSilent used to build maldocs. Updates on the old Facebook breach. - The CyberWire