FluBot malware poses as Flash Player app
FluBot is Android banking malware that attempts to steal banking credentials. It does this by overlaying fake login forms that imitate many banks worldwide. It is distributed by smishing (SMS phishing) lures, including fake security updates, fake Adobe Flash Player installers, voicemail notifications, and impersonated parcel delivery notices.
Once on the device, FluBot steals online banking credentials, sends or intercepts SMS messages (including one-time passwords), and captures screenshots. The malware also sends new smishing messages to all of the victim's contacts. Note that in many cases a link to download FluBot will arrive on your device from one of your contacts, possibly even a friend or family member. As such, if you receive an unusual SMS that contains a URL and urges you to tap it, it is likely a message generated by FluBot. Finally, avoid installing APK files from unusual sources, regularly check that Google Play Protect is enabled on your Android device, and use a mobile security solution from a reputable vendor.
FinalSite ransomware attack shuts down thousands of school websites
FinalSite, a leading school website services provider, has suffered a ransomware attack disrupting access to websites for thousands of schools worldwide, including in Australia. FinalSite provides website design, hosting, and content management solutions for K-12 school districts and universities, serving over 8,000 schools and universities across 115 different countries. Schools that hosted their websites with FinalSite found that they were no longer reachable or were displaying errors.
A school IT administrator said that FinalSite did not provide them with a time frame for when services would be restored, and that they were forced to send emails to parents alerting them of the outage. “Our website is currently down due to an issue that our service provider is experiencing. We apologize for any inconvenience this may cause you.”
In addition to the website outages, a system administrator shared on Reddit that the attack prevented schools from sending closure notifications due to weather or COVID-19. “Many districts are complaining that they are unable to use their emergency notification system to warn their communities about closures due to weather or COVID-19 protocol.”
Outages caused by a ransomware attack
After three days of disruption, FinalSite confirmed today that a ransomware attack on their network is causing the outages. “We are incredibly sorry for this prolonged outage and fully realize the stress it is causing your organizations. While we have made progress overnight to get all websites up and running, full restoration has taken us longer than anticipated,” FinalSite apologized in a status update today.
Night Sky is the latest ransomware targeting corporate networks
It’s a new year, and with it comes a new ransomware to keep an eye on called ‘Night Sky’ that targets corporate networks and steals data in double-extortion attacks.
One of the victims has received an initial ransom demand of $800,000 to obtain a decryptor and for stolen data not to be published.
When launched, the ransomware encrypts all files except those with the .dll or .exe file extensions. The ransomware also does not encrypt the following files and folders:
AppData
Boot
Windows
Windows.old
Tor Browser
Internet Explorer
Google
Opera
Opera Software
Mozilla
Mozilla Firefox
$Recycle.Bin
ProgramData
All Users
autorun.inf
boot.ini
bootfont.bin
bootsect.bak
bootmgr
bootmgr.efi
bootmgfw.efi
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
Program Files
Program Files (x86)
#recycle
When encrypting files, Night Sky will append the .nightsky extension to encrypted file names, as shown in the image below.
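The two behaviours described above (the appended .nightsky extension and the skipped extensions, files and folders) are enough to build a quick impact-triage helper for responders. The script below is an added example written for this digest, not code from the article or from any vendor; the file inventory it runs over is constructed sample data.

```python
"""Night Sky impact triage (added example). Given an inventory of file
paths from an affected host, it separates files already renamed with
.nightsky from files the ransomware's own rules would have skipped and
files that were exposed to encryption."""
from pathlib import PureWindowsPath

# Exclusion list and extension behaviour as described in the article.
NIGHT_SKY_EXCLUSIONS = {
    "AppData", "Boot", "Windows", "Windows.old", "Tor Browser",
    "Internet Explorer", "Google", "Opera", "Opera Software", "Mozilla",
    "Mozilla Firefox", "$Recycle.Bin", "ProgramData", "All Users",
    "autorun.inf", "boot.ini", "bootfont.bin", "bootsect.bak", "bootmgr",
    "bootmgr.efi", "bootmgfw.efi", "desktop.ini", "iconcache.db", "ntldr",
    "ntuser.dat", "ntuser.dat.log", "ntuser.ini", "thumbs.db",
    "Program Files", "Program Files (x86)", "#recycle",
}
SKIPPED_EXTENSIONS = {".dll", ".exe"}
ENCRYPTED_EXTENSION = ".nightsky"
_EXCLUDED_LOWER = {name.lower() for name in NIGHT_SKY_EXCLUSIONS}

def is_encrypted_name(path: str) -> bool:
    """True if the file name carries the appended .nightsky extension."""
    return PureWindowsPath(path).suffix.lower() == ENCRYPTED_EXTENSION

def would_be_skipped(path: str) -> bool:
    """True if Night Sky's rules leave the path untouched: a .dll/.exe
    file, or any path component matching the exclusion list (Windows
    names are case-insensitive, so the comparison is lowercased)."""
    p = PureWindowsPath(path)
    if p.suffix.lower() in SKIPPED_EXTENSIONS:
        return True
    return any(part.lower() in _EXCLUDED_LOWER for part in p.parts)

def triage(paths):
    """Bucket an inventory into encrypted / expected-untouched / at-risk."""
    buckets = {"encrypted": [], "expected_untouched": [], "at_risk": []}
    for path in paths:
        if is_encrypted_name(path):
            buckets["encrypted"].append(path)
        elif would_be_skipped(path):
            buckets["expected_untouched"].append(path)
        else:
            buckets["at_risk"].append(path)
    return buckets

# Constructed sample inventory (not real incident data).
SAMPLE_INVENTORY = [
    r"C:\Users\alice\Documents\budget.xlsx.nightsky",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Program Files (x86)\App\readme.txt",
    r"C:\Users\alice\AppData\Local\cache.bin",
    r"D:\shares\finance\q4.pdf",
    r"C:\Users\alice\Desktop\desktop.ini",
]
```

Files in the at_risk bucket that still open normally deserve a closer look, since the rules above predict they should have been encrypted.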
A common tactic used by ransomware operations is to steal unencrypted data from victims before encrypting devices on the network.
The threat actors then use this stolen data in a “double-extortion” strategy, where they threaten to leak the data if a ransom is not paid.
To leak victims' data, Night Sky has created a Tor data leak site that currently lists two victims, one from Bangladesh and another from Japan.