GoDaddy malware installations, record-breaking DDoS attack and the new WhiskerSpy malware
GoDaddy reveals a security breach led to malware on customer sites, Cloudflare mitigates record-breaking HTTP DDoS attack and the WhiskerSpy backdoor. Catch all this and more in this week’s edition of Cybersecurity Weekly.
Should you pay the ransom?
1. GoDaddy reveals hackers installed malware and stole source code in a multi-year security incident
GoDaddy, the popular web hosting giant, recently disclosed a breach in which hackers stole its source code and installed malware on GoDaddy customer websites, following an intrusion in its cPanel shared hosting environment over multiple years. The company discovered the breach when customers reported their websites being redirected to unknown domains. GoDaddy has confirmed that earlier breaches reported in November 2021 and March 2020 are linked to the same multi-year campaign. As part of an ongoing investigation, the company is collaborating with external cybersecurity experts and law enforcement agencies worldwide.
2. Cloudflare blocked DDoS super attack exceeding 71 million rps
Cloudflare recently mitigated a record number of hyper-volumetric DDoS attacks during the weekend of Feb. 11, with more than a dozen attacks ranging from 50 million to 70 million requests per second. The largest attack detected was over 71 million rps, 35% higher than the previously reported record. The attacks were HTTP/2-based, originating from over 30,000 IP addresses of multiple cloud providers. The campaign targeted websites such as gaming providers, cryptocurrency companies, hosting providers, and cloud computing platforms. Cloudflare recommends that organizations use automated detection and mitigation tools and prepare for the next DDoS wave.
3. New WhiskerSpy malware targets individuals on a pro-North Korea website
A new backdoor dubbed WhiskerSpy has been identified by researchers at Trend Micro, who linked it to a malware campaign from the relatively new threat actor Earth Kitsune. The actor, known for targeting those interested in North Korea, carried out the attack using a watering hole tactic, compromising a pro-North Korea website and injecting a malicious script. The victim would then be prompted to install a fake codec that instead installed the backdoor. Researchers found that only visitors from Shenyang, China; Nagoya, Japan; and Brazil were targeted.
4. U.S. Windows systems targeted by new MortalKombat ransomware
Cybersecurity researchers from Cisco Talos have discovered a new ransomware variant that uses Mortal Kombat imagery to lure victims. The malware encrypts all files on an infected computer, leaving it inoperable, and then displays a ransom note demanding payment in Bitcoin. The ransomware is being distributed via phishing emails, which purport to come from the cryptocurrency payment platform CoinPayments, and contain a ZIP file with a malicious executable that can trigger the infection. The attack has targeted individuals, small businesses, and large organizations in the U.S. since January.
5. Large Adsense fraud campaign infects nearly 11,000 WordPress websites
A malicious attack targeting WordPress sites has infected nearly 11,000 websites, according to a report by cybersecurity company Sucuri. The campaign uses over 70 fake domains that mimic URL shorteners to artificially increase traffic to pages with Google AdSense IDs, generating revenue from ad fraud. Visitors to compromised WordPress sites are redirected to fake Q&A portals, artificially increasing the authority of spammy sites in search engine results. Researchers found the threat actors to use Twitter's link shortener, pseudo-short URL domains, and Bing search result links to expand their reach.
Phishing simulations & training