Ransomware eCh0raix Targeting NAS Machines
A new ransomware called eCh0raix is targeting NAS (network attached storage) machines produced by the vendor QNAP Systems. The eCh0raix ransomware uses brute-force attacks to infect QNAP NAS systems.
The eCh0raix ransomware is specifically targeting unpatched QNAP NAS systems. If eCh0raix successfully infects a system, it can decrypt files stored on QNAP NAS systems. eCh0raix will then deliver the ransomware by maliciously encrypting data.
Once successful, attackers will demand a ransom in order to decrypt data. Attackers using ransomware have been known to not decrypt data even after being paid. This could impact businesses with revenue loss, public image degradation, and temporary or permanent data loss.
It is recommended to check for updates and patch NAS systems from the vendor QNAP immediately. Administrators should review password policies for QNAP NAS systems. Specifically, failed password threshold and password strength should be reviewed due to the brute-force threat vector of eCh0raix. If possible, administrators should create backups and/or snapshots of QNAP NAS systems for redundancy.
Phishing Kit Targets Amazon Prime Day Shoppers
A new phishing kit called 16shop contains tools that can be used to easily kick off a phishing campaign. It has been designed to specifically target Amazon customers. 16shop is able to craft an email that looks like it comes from Amazon with a PDF attached. That PDF contains links to malicious sites that have been made to look like an Amazon login page.
16shop usage is expected to increase due to the arrival of Prime Day, with phishers creating Prime Day-themed phishing campaigns.
Anyone who enters their credentials on one of these malicious sites will be giving the attacker both the username and password for their Amazon account and for any other service that uses the same username and password.
We recommend that anyone who wants to view something on Amazon that they received via email or other sources go to Amazon.com directly and navigate from there rather than following suspicious links.
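For mail administrators who want to triage such attachments, the following added example (not part of the original advisory or of any vendor tool) pulls link targets out of a PDF and flags those that use the Amazon name without resolving to an amazon.com host. It assumes the link annotations are stored uncompressed, that only amazon.com and its subdomains count as genuine, and the sample PDF bytes and `.example` hosts are constructed.

```python
import re
from urllib.parse import urlsplit

TRUSTED = "amazon.com"   # assumption: only this domain and its subdomains are genuine
BRAND = "amazon"

# PDF link annotations store their target as "/URI (https://...)".
# Assumption: objects are uncompressed; compressed streams need a PDF parser first.
URI_RE = re.compile(rb"/URI\s*\((https?://[^)\s]+)\)")

# Constructed sample: the annotation objects of a PDF attachment.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /A << /S /URI /URI (https://www.amazon.com/gp/css/homepage.html) >> >> endobj
2 0 obj << /A << /S /URI /URI (https://amazon.com.account-verify.example/ap/signin) >> >> endobj
3 0 obj << /A << /S /URI /URI (https://www.amazon.com@login.example/signin) >> >> endobj
4 0 obj << /A << /S /URI /URI (https://prime-day-amazon.example/login) >> >> endobj
5 0 obj << /A << /S /URI /URI (https://docs.example/invoice.pdf) >> >> endobj
"""

def extract_links(pdf_bytes):
    """Return every http(s) link target found in /URI entries, in file order."""
    return [m.decode("ascii", "replace") for m in URI_RE.findall(pdf_bytes)]

def classify(url):
    """Return 'trusted', 'lookalike' or 'other' based on the real host."""
    # urlsplit().hostname drops any "user@" prefix, so "amazon.com@host" yields "host".
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # Require an exact match or a dot boundary so a longer name ending
    # in "amazon.com" is not accepted as a subdomain.
    if host == TRUSTED or host.endswith("." + TRUSTED):
        return "trusted"
    # The brand appears somewhere in the URL but the host is not Amazon's.
    if BRAND in url.lower():
        return "lookalike"
    return "other"

def suspicious_links(pdf_bytes):
    """Links that borrow the brand name without pointing at the trusted domain."""
    return [u for u in extract_links(pdf_bytes) if classify(u) == "lookalike"]

if __name__ == "__main__":
    for link in extract_links(SAMPLE_PDF):
        print(f"{classify(link):9} {link}")
```
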