
Ursnif’s cyber attacks on Italian organizations increase

A recent report by Cynet, the Israeli cybersecurity company, shows that the Ursnif group has intensified its cyber attacks on Italy. Ursnif, a criminal group also known as Gozi, has a long history of cyber attacks behind it. The data are particularly alarming, as they highlight a widespread trend of attacks aimed exclusively at Italian customers.

Ursnif’s purpose appears to be primarily data exfiltration. However, variants have been observed in several attacks that add capabilities such as:

  • backdoor: code that lets an attacker access websites and computers with administrator privileges, without any authorized access.
  • spyware: software that collects information about a user’s online activity without their consent.

In particular, the attacks appear to be aimed at the health sector, the armed forces and e-commerce, but also at large-scale retail and industry.

Cyber attacks: how Ursnif works

In general, the attacks observed share a preliminary spear phishing activity. Spear phishing differs from phishing in the personalization of the message, which is built from information found online. The attack is then carried out using information about the victim, so that the email is personalized and linked to a service actually used by the target.

At this point the victim is asked to fill in an attached form – in this case an Excel file – which contains the malicious payload. The cybercriminals then only need to download and run a DLL by invoking regsvr32 – a Windows system file capable of manipulating other programs and monitoring applications – to activate a command-and-control channel to the victim’s environment.
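As an added example (not from Cynet’s report or from this article), a small Python check that a defender could run over process-creation logs to surface the chain described above: regsvr32 launched by Excel, or regsvr32 loading a DLL from a user-writable location. The pipe-separated log format and the sample lines are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Tuple


class ProcEvent(NamedTuple):
    ts: str
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample records: ts|pid|ppid|image|cmdline (not real telemetry).
SAMPLE_LOGS = [
    "2022-09-01T10:02:11|4120|3988|C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE|\"EXCEL.EXE\" C:\\Users\\mario\\Downloads\\modulo.xls",
    "2022-09-01T10:02:40|4456|4120|C:\\Windows\\System32\\regsvr32.exe|regsvr32 /s C:\\Users\\mario\\AppData\\Local\\Temp\\x.dll",
    "2022-09-01T10:05:00|5001|1200|C:\\Windows\\System32\\regsvr32.exe|regsvr32 /s \"C:\\Program Files\\Vendor\\lib.dll\"",
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Paths a phished user can write to: Downloads, AppData, or any Temp directory.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Downloads|AppData)|Temp)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed record; cmdline is the last field and may contain '|'."""
    ts, pid, ppid, image, cmdline = line.split("|", 4)
    return ProcEvent(ts, int(pid), int(ppid), image, cmdline)


def find_suspicious_regsvr32(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Flag regsvr32 processes spawned by an Office app or loading a DLL from a user-writable path."""
    events = [parse_line(l) for l in lines if l.strip()]
    by_pid = {e.pid: e for e in events}  # lets us resolve each child's parent image
    hits = []
    for e in events:
        if basename(e.image).lower() != "regsvr32.exe":
            continue
        reasons = []
        parent = by_pid.get(e.ppid)
        if parent and basename(parent.image).lower() in OFFICE_APPS:
            reasons.append(f"spawned by {basename(parent.image)}")
        if USER_WRITABLE.search(e.cmdline):
            reasons.append("DLL loaded from user-writable path")
        if reasons:
            hits.append((e.pid, reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in find_suspicious_regsvr32(SAMPLE_LOGS):
        print(f"pid {pid}: {'; '.join(reasons)}")
```

The benign regsvr32 launched by msiexec from Program Files is not flagged, which keeps the check usable on hosts where legitimate installers register DLLs.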

“The primary goal of the Ursnif group is data theft for the purpose of receiving unauthorized gains and other attacks using the information there,” says Marco Lucchina, Channel Manager Italy, Spain & Portugal at Cynet. “Ursnif has already been reported in several phishing campaigns in recent weeks, associated with messages such as ‘Receipt AgenziaEntrate’ or ‘DHL reminder’ but, thanks to the activity carried out by our Orion Group (Threat Intelligence), we have detected a much broader use of targeted attacks tailored to individual clients.

“Furthermore, the fact that Cynet detected and blocked the threat the moment the user double-clicked, triggering the first malicious payload, means that previous protection levels such as antispam and user training were not sufficiently effective: an alarm indicating the importance of adopting a ‘defense in depth’.”

Published by
Walker Ronnie
