Magento Websites Targeted By New Ransomware, Kimcilware

This week, we cover the latest on the US government being under attack by a ‘group of malicious cyber actors’ for years, and on Magento websites being the target of new ransomware, Kimcilware.

Malware

Magento websites are the target of new ransomware, Kimcilware

Security experts have discovered a new ransomware variant, called Kimcilware, which has recently been targeting websites running the Magento ecommerce platform. Once installed on the web server, Kimcilware uses block ciphers to encrypt the website’s files and demands a Bitcoin payment of between $140 and $415. Magento was contacted regarding this malicious activity and claims that the attacks are not singling out Magento but are instead targeting “more general web server vulnerabilities.” It is still unknown who is behind these attacks, but MalwareHunterTeam has been working to uncover the cyber criminals and has found that the malware most likely stems from the open-source ransomware sample called Hidden Tear. Magento has applied all available patches to its software and encourages merchants to check its Security Center for news about any issues regarding the Magento platform.

References: New Ransomware Kimcilware Targets Magento Websites | “KimcilWare” Ransomware Targets Magento Websites | Magento becomes fresh target for KimcilWare ransomware

Mitigation Strategies:

Breach

US government has been under attack by a ‘group of malicious cyber actors’ for years

The FBI has issued a warning to US companies and agencies revealing that the US government’s networks have been compromised by a ‘group of malicious cyber actors’ since at least 2011. It has been confirmed that the group has stolen sensitive information from “various government and commercial networks,” and the FBI has released a list of the associated malicious domain names. Although the FBI has not confirmed the identity of the group, threat researchers from multiple organizations say that the activity aligns with a Chinese state-sponsored group called APT6. According to the FBI, the domains associated with the group were “suspended” as of December 2015, but the alarming fact is that the FBI is unclear whether the hackers are still present in the US government’s networks. Regardless, this alert, together with the recent admission of guilt by Chinese national Su Bin to hacking US defense contractors in 2014, should motivate the government to further secure its networks.

References: FBI Says a Mysterious Hacking Group Has Had Access to US Govt Files for Years | FBI issues alert on hacking campaign targeting federal networks | APT6 compromised the US government networks for years

Mitigation Strategies:

  • Intrusion detection system (IDS) signatures would detect intrusions and network anomalies.
  • A Security Operations Center team provides around-the-clock security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • Log management could detect suspicious user account activity.

Top 20 IP Addresses


*IP addresses provided by Recorded Future.