
No Backup: Why the Government in Brazil is at High Risk of Cyberattacks

 

According to a new report by the Brazilian Federal Audit Court (TCU), several federal government agencies in Brazil are at high risk of cyberattacks and need to reassess their approach to handling cybersecurity threats.

The report points out a number of areas at high risk, but one of the biggest problems uncovered in its cybersecurity section is the lack of backups to fall back on when a cyberattack hits.

In total, the audit identified 29 areas that represent a high risk because of vulnerability, mismanagement, abuse of power, or the need for drastic change.

Backups are a defence against many forms of attack, as well as against mistakes and mishaps; the most obvious case is ransomware. When systems are compromised and locked up, a data backup is often the only way to restore what was stored on them, and a backup that the attacker can reach and encrypt along with everything else is no backup at all.

Additionally, the report cites the following figures:

• 74.6% of organizations (306 out of 410) do not have a formally approved backup policy, a basic document negotiated between the business areas (the "owners" of the data and systems) and the organization's IT function, to govern the issues and procedures related to performing backups.

• 71.2% of organizations that host their systems on their own servers (265 out of 372) do not have a specific backup plan for their main system.

• 60.2% of organizations (247 out of 410) do not keep their copies in at least one destination that is not remotely accessible. This carries the risk that, in a cyberattack, the backup files themselves end up corrupted, deleted, and/or encrypted by the attacker or malware, rendering the organization's backup/restore process equally ineffective.

• 66.6% of organizations that claim to perform backups (254 out of 385), despite implementing physical access controls on the storage location of these files, do not store them encrypted. This carries the risk of data leakage, which can cause enormous losses, especially if sensitive and/or confidential information is involved.
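As an added example (not from the TCU report or this post), the following Python script shows the check that the findings above make necessary: a backup is only useful if it can actually be restored and verified. It writes a tar.gz of a constructed directory, records a SHA-256 manifest, restores the archive into a clean directory while rejecting path-traversal entries, and compares hashes; the tampered-manifest case shows the check failing. It does not itself encrypt the archive or place it offline; the manifest and the archive are assumed to be stored separately, on an encrypted, non-remotely-accessible destination, as the report recommends. All file names and contents are constructed.

```python
"""Backup integrity and restore test (added illustrative example)."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir: Path, archive: Path) -> dict:
    """Write a .tar.gz of src_dir and return a manifest {relative path: sha256}.
    Keep the manifest apart from the archive: a copy that an attacker can
    reach and rewrite together with the archive proves nothing."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest


def _safe_member(name: str) -> bool:
    """Reject absolute paths and '..' traversal so a hostile archive cannot
    write outside the restore directory (classic tar slip)."""
    norm = os.path.normpath(name)
    return not (os.path.isabs(name) or norm == ".." or norm.startswith("../")
                or norm.startswith("..\\"))


def verify_restore(archive: Path, manifest: dict, restore_dir: Path) -> list:
    """Restore archive into restore_dir and compare every file against the
    manifest. Returns a list of problems; an empty list means the restore
    test passed."""
    problems = []
    seen = set()
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            if not _safe_member(m.name):
                problems.append(f"unsafe path in archive: {m.name}")
                continue
            dest = restore_dir / m.name
            dest.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(m) as src, dest.open("wb") as out:
                out.write(src.read())
            seen.add(m.name)
            expected = manifest.get(m.name)
            if expected is None:
                problems.append(f"unexpected file: {m.name}")
            elif sha256_file(dest) != expected:
                problems.append(f"hash mismatch: {m.name}")
    for rel in manifest:
        if rel not in seen:
            problems.append(f"missing from archive: {rel}")
    return problems


def demo() -> tuple:
    """Constructed data set: back it up, run the restore test, then show the
    test failing when the recorded hash no longer matches the content."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "data"
        (src / "sub").mkdir(parents=True)
        (src / "patients.csv").write_bytes(b"id,name\n1,constructed\n")
        (src / "sub" / "config.json").write_bytes(b'{"k": 1}\n')
        archive = root / "backup.tar.gz"
        manifest = make_backup(src, archive)
        ok = verify_restore(archive, manifest, root / "restore1")
        tampered = dict(manifest)
        tampered["patients.csv"] = "0" * 64   # simulates altered content
        bad = verify_restore(archive, tampered, root / "restore2")
        return ok, bad


if __name__ == "__main__":
    print(demo())
```

Run the restore test on a schedule against the offline copy, not against the live archive: if the comparison only ever runs where the attacker already has write access, a rewritten manifest will pass it.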

Further, the auditors found that the federal government cannot respond to and handle cyberattacks adequately, and that most central bodies have several weaknesses in both information security and cybersecurity.

Brazil's Ministry of Health has been Subjected to a Second Cyberattack in Less than a Week

 

Brazil's Ministry of Health has been subjected to a second cyberattack in less than a week, compromising a number of internal systems, including the platform that stores COVID-19 vaccination data. The announcement came three days after the department had suffered its first big ransomware attack, from which it was still recuperating. On Monday evening, health minister Marcelo Queiroga confirmed the second attack, saying the latest incident, which occurred in the early hours of the same day, was smaller than the first.

The initial cyberattack, which was discovered on Friday, rendered all Ministry of Health websites inaccessible. According to a message left by the Lapsus$ Group, which has claimed responsibility for the attack, 50TB of data was extracted and then erased from the MoH's systems. Queiroga later stated that the department has a backup of the data that was allegedly obtained during the cyberattack. 

According to the Federal Police, which is investigating the issue, the first attack exposed data on COVID-19 case notifications as well as the broader national vaccination programme, in addition to ConecteSUS. 

According to Queiroga, the department is currently attempting to restore the systems as soon as possible. However, he stated that the second attack meant that ConecteSUS, the platform that issues COVID-19 vaccination certificates, will not be accessible as scheduled. Queiroga stated that while the attempt was unsuccessful and no data was lost, the second incident "caused turmoil" and "got in the way" of restoring systems. The minister did not say when the impacted systems would be operational again. 

The government's confirmation of the second cyberattack was followed by a statement from the Ministry of Health saying that Datasus, the department's IT function, had carried out preventive systems maintenance on Monday, leaving systems temporarily unavailable. Because of the second attack, civil servants were sent home that day: it was impossible to access the ministry's core systems, such as the platforms that produce COVID-19 pandemic reports.

The Brazilian government's Institutional Security Office (GSI) issued a statement confirming new attacks on cloud-based systems managed by government agencies had taken place. It did not, however, disclose which departments or services were targeted. It went on to say that teams are being instructed to keep evidence and that best practices for incident management are being followed. 

An attack on the Brazilian Health Regulatory Agency (Anvisa) occurred in September; the hack targeted the healthcare declaration for travelers, which is required for visitors entering Brazil through airports. The attack occurred shortly after the cancellation of a World Cup qualification match between Brazil and Argentina, which Anvisa called off after four Argentine players were accused of violating COVID-19 travel guidelines.

Brazilian E-commerce Giant Hariexpress Leaks 1.75 billion Records

 

Cybersecurity researchers at SafetyDetectives found that the Brazilian marketplace integrator platform Hariexpress exposed nearly 1.8 billion records of private customer and seller data after misconfiguring an Elasticsearch server.

Earlier this year in June, SafetyDetectives researchers unearthed exposed data and were able to trace the leak back to Hariexpress. Hariexpress is a firm that allows vendors to manage and automate their activity across several marketplaces such as Facebook, Amazon, Magazine Luiza, and Mercado Livre.

According to the researchers, the company's Elasticsearch server was left reachable without any password protection, and its contents were unencrypted. It held 610GB of data, including users' full names, home and delivery addresses, contact numbers, and billing details including billing addresses. Also exposed were vendors' full names, CPF numbers (Brazilian individual taxpayer IDs), billing details, contact numbers, email addresses, business and home addresses, and CNPJ numbers (Brazil's national register of businesses).
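The exposure described above (an Elasticsearch HTTP API bound to the network with security disabled) is a configuration problem, so the following added example, not from SafetyDetectives or Hariexpress, shows the weak settings beside the corrected ones and a small Python audit that flags the combination. The `network.host` and `xpack.security.*` keys are real Elasticsearch settings; the two config texts, the cluster name and the private address are constructed, and a production deployment also needs users and roles plus a firewall in front of port 9200, which the script does not check.

```python
"""Audit a flat elasticsearch.yml for the failure mode behind the Hariexpress
leak: an HTTP API reachable from the network with no authentication.
Added illustrative example; the two configs below are constructed."""

# Elasticsearch binds loopback only when network.host is unset (_local_).
LOOPBACK = {"_local_", "127.0.0.1", "::1", "localhost"}

WEAK_CONFIG = """
cluster.name: hariexpress-like
network.host: 0.0.0.0          # listens on every interface
http.port: 9200
xpack.security.enabled: false  # no users, no roles: anonymous read/write
"""

HARDENED_CONFIG = """
cluster.name: hariexpress-like
network.host: 10.0.1.20        # private interface only; still needs auth+TLS
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""


def parse_flat_yaml(text: str) -> dict:
    """Parse `key: value` lines; ignores comments and blank lines. Enough for
    the dotted-key style elasticsearch.yml normally uses (no nesting/lists)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        cfg[key.strip()] = value.strip().strip("\"'")
    return cfg


def _on(value) -> bool:
    return str(value).lower() in {"true", "yes", "1"}


def audit(cfg: dict) -> list:
    """Return findings, most severe first. An absent xpack.security.enabled is
    treated as off, matching pre-8.x defaults (8.x defaults to on; adjust)."""
    findings = []
    host = cfg.get("network.host", "_local_")
    exposed = host not in LOOPBACK
    auth_on = _on(cfg.get("xpack.security.enabled", "false"))
    tls_on = _on(cfg.get("xpack.security.http.ssl.enabled", "false"))
    if not auth_on:
        sev = "CRITICAL" if exposed else "WARN"
        findings.append(f"{sev}: xpack.security.enabled is off; REST API on "
                        f"{host}:{cfg.get('http.port', '9200')} answers anonymous "
                        f"read/write requests (GET /_cat/indices, GET /<index>/_search)")
    if exposed and not tls_on:
        findings.append("WARN: xpack.security.http.ssl.enabled is off; credentials "
                        "and documents cross the network in cleartext")
    return findings


def demo() -> tuple:
    return audit(parse_flat_yaml(WEAK_CONFIG)), audit(parse_flat_yaml(HARDENED_CONFIG))


if __name__ == "__main__":
    for name, result in zip(("weak", "hardened"), demo()):
        print(name, result or ["OK"])
```

The audit deliberately treats network exposure as a multiplier rather than a finding on its own: a node on a private interface with authentication and TLS is acceptable, while the weak config's combination of `0.0.0.0` and security off is exactly the state that lets anyone on the internet list indices and dump documents.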

However, SafetyDetectives could not estimate the total number of victims due to the size of the trove and the potential for fake email addresses.

“A data breach of this magnitude could easily affect hundreds of thousands, if not millions of Brazilian Hariexpress users and e-commerce shoppers. Hariexpress’ leaked server’s content could also affect its own business,” SafetyDetectives stated. 

It is also not possible to know whether another party accessed the data, the researchers said. Datasets that directly identify customers of the marketplaces the firm integrates with could be used in phishing and social engineering attacks. Because the records include purchases of intimate products alongside home and business addresses, blackmail and physical crimes such as robbery are also possible.

“We cannot know whether unethical hackers have discovered Hariexpress’ unsecured Elasticsearch server. Users, couriers, consumers, and Hariexpress itself should understand the risks they could face from this data breach,” researchers added. 

According to security experts, victims may be able to recover damages under Brazil's data protection law, the Lei Geral de Proteção de Dados (LGPD), which also gives regulators the power to fine companies up to 2% of the previous year's revenue, capped at 50 million Brazilian reais (about $10m). Given the scale of the problem, SafetyDetectives also recommends that e-commerce users stay alert to phishing attempts and, in particular, social engineering fraud.

Numando: a Banking Trojan Targeting Brazil Abuses YouTube for Spreading

 

ESET researchers have continued their series on Latin American banking trojans with Numando, a family that targets Brazil almost exclusively, with rare campaigns against Mexico and Spain. Numando resembles the other families in its use of fake overlay windows, its backdoor capability, and its abuse of public services such as YouTube to hold remote configuration. Unlike several of the other Latin American banking trojans, however, it shows no signs of continual evolution.

Numando has been active since 2018. It focuses almost entirely on Brazil, although rare attacks on users in Mexico and Spain have been reported. The malware, written in Delphi, displays fake overlay windows to trick victims into entering sensitive data, including online banking details.

It spreads exclusively via spam and phishing campaigns. These are not especially sophisticated, and only a few hundred victims had been identified at the time of writing. Numando therefore appears to be "considerably less successful" than families such as Mekotio and Grandoreiro across Latin America.

The operators' lack of sophistication probably explains the low infection rate. Recent Numando campaigns consist of spam emails carrying a phishing message and a .ZIP attachment.

“Some Numando variants store these images in an encrypted ZIP archive inside their .rsrc sections, while others utilize a separate Delphi DLL just for this storage. Backdoor capabilities allow Numando to simulate mouse and keyboard actions, restart and shut down the machine, display overlay windows, take screenshots and kill browser processes.” reads the analysis published by ESET. “Unlike other Latin American banking trojans, however, the commands are defined as numbers rather than strings, which inspired our naming of this malware family.” 

A decoy .ZIP file and the real .ZIP archive are downloaded; the latter contains a .CAB archive with a legitimate software application, an injector, and the trojan. The trojan itself is hidden inside a large .BMP image file. The legitimate application side-loads the injector, which decrypts the payload from the image using an XOR routine with a key and runs it.

Once installed on a target system, Numando displays fake overlays whenever the victim visits a financial services site. If the user enters credentials, they are captured and forwarded to the malware's C2 server. To manage its remote configuration, Numando abuses public services, particularly Pastebin and YouTube. It can also simulate mouse clicks and keystrokes, and hijack shutdown and restart of the PC.
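The BMP-plus-XOR step described above is worth seeing as code. The following Python is an added example written for this page, not ESET's tooling and not Numando's actual file format: it builds a valid BMP, appends an XOR-encrypted stand-in payload behind the pixel data using a constructed trailer layout, and carves it back by reading the BMP headers rather than searching for bytes. The `recover_xor_key` function goes beyond the page: it recovers an unknown repeating XOR key from the zero-filled reserved fields of a PE's DOS header, the known-plaintext trick an analyst reaches for when the injector and its key are not at hand. The marker `PLD!`, the key, and the payload bytes are all constructed.

```python
"""Carve an XOR-encrypted payload hidden in a BMP, and recover the XOR key
from the PE header's known zero bytes. Added illustrative example with a
constructed container layout; this is NOT Numando's real file format:
[BMP file header][DIB header][pixels][b"PLD!"][key 4B][len u32 LE][payload XOR key]"""
import struct
from typing import Optional

MAGIC = b"PLD!"                      # constructed trailer marker
KEY = b"\x5a\xa5\x3c\xc3"            # constructed 4-byte XOR key


def make_bmp(width: int, height: int) -> bytes:
    """Minimal valid 24-bit uncompressed BMP (BITMAPINFOHEADER), black pixels."""
    row = width * 3
    pad = (4 - row % 4) % 4
    pixels = (b"\x00" * (row + pad)) * height
    offset = 14 + 40
    file_hdr = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def fake_pe(body: bytes) -> bytes:
    """Stand-in for a PE: 64-byte DOS header with 'MZ', zeroed reserved fields
    (e_res at 0x1c, e_res2 at 0x28) and e_lfanew at 0x3c, then a body."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    return bytes(dos) + body


def embed_payload(bmp: bytes, payload: bytes, key: bytes) -> bytes:
    """Append the encrypted payload after the pixel data; image viewers ignore it."""
    return bmp + MAGIC + key + struct.pack("<I", len(payload)) + xor_bytes(payload, key)


def carve_payload(blob: bytes) -> Optional[bytes]:
    """Use the BMP headers (not a byte search) to find where image data ends,
    then parse the trailer and decrypt. Accepts only an MZ-prefixed result."""
    if len(blob) < 54 or blob[:2] != b"BM":
        return None
    file_size, = struct.unpack_from("<I", blob, 2)
    pix_off, = struct.unpack_from("<I", blob, 10)
    img_size, = struct.unpack_from("<I", blob, 34)
    end = pix_off + img_size if img_size else file_size
    trailer = blob[end:]
    if len(trailer) < 12 or not trailer.startswith(MAGIC):
        return None
    key = trailer[4:8]
    plen, = struct.unpack_from("<I", trailer, 8)
    enc = trailer[12:12 + plen]
    if len(enc) != plen:
        return None
    dec = xor_bytes(enc, key)
    return dec if dec[:2] == b"MZ" else None


def recover_xor_key(enc: bytes, keylen: int) -> bytes:
    """Known plaintext: the DOS header's e_res2 field (offset 0x28, 20 bytes)
    is zero in real PEs, so ciphertext there equals the key stream. Works for
    any repeating key of up to 20 bytes, even when the key is not stored."""
    if not 1 <= keylen <= 20:
        raise ValueError("keylen must be 1..20 for the e_res2 zero run")
    key = bytearray(keylen)
    for i in range(keylen):
        idx = 0x28 + i
        key[idx % keylen] = enc[idx]
    return bytes(key)


def demo() -> tuple:
    payload = fake_pe(b"constructed payload body, not real malware")
    sample = embed_payload(make_bmp(64, 64), payload, KEY)
    carved = carve_payload(sample)
    enc = sample[sample.index(MAGIC) + 12:]      # ciphertext only
    return (carved == payload,
            recover_xor_key(enc, len(KEY)) == KEY,
            carve_payload(make_bmp(8, 8)) is None)


if __name__ == "__main__":
    print(demo())
```

Reading the pixel-data size from the DIB header is what makes the carver robust: a payload that happens to contain the marker bytes, or a BMP with a trailing palette, would mislead a plain substring search. The key-recovery function is also the detection angle: a large image whose bytes past the declared pixel area decrypt to `MZ` under a short repeating key is a strong indicator regardless of the family.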

REvil Hits Brazilian Healthcare Giant Grupo Fleury

 

São Paulo-based medical diagnostic firm Grupo Fleury has suffered a ransomware attack that has impaired business operations after the company shut down its systems. On the 22nd of June, the company website began displaying an alert message, alerting to the fact that its systems were suffering an attack and are no longer accessible.

The Brazilian healthcare giant provides medical laboratory services across the country through more than 200 service centers and over 10,000 employees, performing approximately 75 million clinical exams a year.

"Please be advised that our systems are currently unavailable and that we are prioritizing the restoration of services. The causes of this unavailability originated from the attempted external attack on our systems, which are having operations reestablished with all the resources and technical efforts for the rapid standardization of our services," read the message translated into English. 

With its systems down, patients cannot book appointments for lab tests and other medical examinations online. Since the announcement, multiple cybersecurity sources have confirmed that Grupo Fleury was hit by the ransomware operation known as REvil, also called Sodinokibi.

“The Healthcare industry and healthcare supply chain are both one of the top three targeted sectors worldwide. Additionally, REvil are launching a lot of attacks at the moment, having hit a maritime organization in Brazil earlier this month,” Andy Norton, European cyber risk officer at Armis, stated.

Grupo Fleury's data is of particular concern because it contains enormous amounts of patients' personal and medical information. REvil is demanding $5 million for the decryption key and an assurance that no sensitive information will be leaked online. The group is known for exfiltrating data before encrypting devices and then using the stolen information as leverage to extort the victim.

“In a previous statement made to the Russian-OSINT Telegram channel, a REvil representative stated that they were targeting Brazil for revenge. However, it is not known what that revenge is for. REvil is known for exfiltrating data and the data could include personally identifiable information and sensitive medical information of their patients and staff, which could be detrimental for the organization,” Jamie Hart, cyber threat intelligence analyst at digital risk protection company Digital Shadows Ltd, said.

Before this attack, JBS Foods, the world's largest meat producer, fell victim to a REvil ransomware attack and paid an $11 million ransom to keep its stolen information from being leaked online. REvil has targeted numerous high-profile organizations, including the Rio Grande do Sul court system in Brazil and nuclear weapons contractor Sol Oriens.

Brazilian Cybercriminals Created Fake Accounts for Uber, Lyft and DoorDash

 

According to a recent report by the Federal Bureau of Investigation (FBI), a Brazilian group set out to defraud gig-economy platforms such as Uber, Lyft, and DoorDash. According to the authorities, the group used fake identities to create driver and delivery accounts on these platforms and then rented them to people who did not qualify under the companies' policies.

The scheme also reportedly involved GPS spoofing tools to make trips appear longer than they were and so earn more per trip. The Department of Justice (DOJ) states that the group began operating in 2019 and expanded after the pandemic paralyzed many restaurants and supermarkets.

The gang, which worked mainly in Massachusetts but also in California, Florida, and Illinois, communicated through a WhatsApp group called "Mafia," where they allegedly agreed on similar pricing strategies to avoid undercutting each other's income, according to the FBI. 

The group rented out driver accounts on a weekly basis, according to court records: a ride-hailing driver account cost between $250 and $300 per week, and a food delivery account $150 per week. The FBI said it tracked more than 2,000 accounts created by gang members during the investigation.

According to the agents in charge of the investigation, the suspects made hundreds of thousands of dollars from this scheme, depositing their earnings in bank accounts under their control and withdrawing small sums of money on a regular basis to avoid attracting the attention of the authorities. Thousands of dollars were also made by criminals due to referral incentives for new accounts. One of the gang members received USD 194,800 through DoorDash's user referral system for 487 accounts they had on the website, according to a screenshot posted on the group's WhatsApp page. 

The DOJ has charged 19 Brazilian people so far, as well as revealing that six members of the fraudulent party are still on the run. The Department of Justice reported the second round of charges against five Brazilian citizens last week. Four were apprehended and charged in a San Diego court, while a fifth is still on the run and assumed to be in Brazil.

Court of Justice of the State of Rio Grande do Sul, Brazil Hit by REvil Ransomware

 

On 28 April 2021 the REvil ransomware group attacked the Tribunal de Justiça do Estado do Rio Grande do Sul (Court of Justice of the State of Rio Grande do Sul) in Brazil, compromising staff data and forcing the court to take its network offline. Also known as Sodinokibi, REvil is a private ransomware-as-a-service operation that emerged in 2019.

The Tribunal de Justiça do Estado do Rio Grande do Sul (TJRS) is the judiciary of the Brazilian state of Rio Grande do Sul. The attack began on April 28th, when staff unexpectedly found that they could no longer open their documents and images, and that ransom notes were being displayed on Windows machines.

Soon after the intrusion began, the verified TJRS Twitter account warned staff not to sign into local or remote TJ network systems.

“The TJRS reports that it faces instability in computer systems. The systems security team advises internal users not to access computers remotely, nor to log into computers within TJ’s network,” tweeted the TJRS judicial system. 

A Brazilian security analyst known as Brute Bee shared screenshots of the ransom notes with Bleeping Computer and discussed the attack. The ransom notes are REvil's, identifying that operation as responsible, which Bleeping Computer independently verified.

“Files of TJRS could've been lost forever unless backups are available! DDoS attacks are yet to come if its victims refuse to cooperate”, added Brute Bee. 

Bleeping Computer further reported that the threat actors demanded a $5,000,000 ransom to decrypt the files and refrain from leaking the stolen data.

In a translated audio recording shared with Bleeping Computer, one individual described the incident as "horrible" and "the worst thing that happened there," and said IT staff suffered a "hysterical stress attack" as they scrambled to restore thousands of computers.

The Superior Court of Justice of Brazil was also hit by RansomEXX ransomware last November, when the malware began encrypting computers in the middle of court sessions held by video conference. At the same time the websites of several other federal government departments in Brazil went down, though whether they had been taken offline deliberately or were under attack was not clear.

Janeleiro a New Banking Trojan Targeting Corporate, Government Targets

 

Cybersecurity researchers have uncovered a banking trojan that has targeted many organizations across Brazil. ESET published its analysis of the malware, which has been in development since 2018, on Tuesday.

According to the researchers, the trojan, named Janeleiro, focuses primarily on Brazil and has attacked corporate targets in sectors such as engineering, healthcare, finance, retail, and manufacturing. Notably, the threat actors behind it have also attempted to use the malware to gain access to government systems.

The researchers say the trojan is similar to other banking trojans currently operating in the region, specifically Grandoreiro, Casbaneiro, and Mekotio, to name a few.

Janeleiro's infection chain resembles that of most such malware, with a few differences. Phishing emails are sent in small batches, disguised as unpaid invoices from the targeted firm. They contain links to a compromised server, from which a .zip archive hosted in the cloud is downloaded. If the target opens the archive, a Windows MSI installer loads the main trojan DLL onto the system.

"In some cases, these URLs have distributed both Janeleiro and other Delphi bankers at different times," ESET says. 

“…This suggests that either the various criminal groups share the same provider for sending spam emails and for hosting their malware, or that they are the same group. We have not yet determined which hypothesis is correct." 

Interestingly, the trojan first checks the geolocation of the target system's IP address. If the country code is Brazil, it stays and runs; otherwise it exits automatically, which also keeps it out of foreign sandboxes and analysis environments.

Janeleiro displays fake pop-up windows "on demand", for example when the operators detect banking-related keywords on the victim's machine. Once the operators have access to the system, these windows ask the victim for sensitive credentials and banking details.

Bitcoin Fraud Worth $359M Busted by Brazilian Police


The Brazilian police have uncovered an alleged Bitcoin fraud that stole $359M from its victims. "The Brazilian state police have been able to counter the anonymous operation and have caught 9 criminals," says the Parana state government in a statement. "Growing concern in cryptocurrency businesses has been followed by an increase in scams," the report states. "The absence of supervision and attention, along with large levels of distraction, unfamiliarity, cross-perimeter activities, and other characteristics crucial to the cryptocurrency business, reveals possible dangers to users," says Brazilian Congressman Aureo Ribeiro.

The four-month inquiry identified five hundred people from more than six states who fell prey to the Bitcoin investment fraud, though the figure could reach 5,000. "It was obvious that the plan was a fraud when the victims got a notification from the organization, informing them that investors would not be able to withdraw their money for 6 months," says the Parana state government's statement.

The company responded by claiming that it had itself been the victim of a scam estimated at $5 million. But investors' withdrawals were still delayed after the six months had passed, and that is how the company was caught. According to one of the victims, the scheme had promised daily returns of up to 4% on investments. Those arrested are accused of money laundering, fraud, forgery and criminal association.

Other recent cryptocurrency frauds

Sadly, this is not the first time people have fallen prey to a cryptocurrency scam. "In May, a cryptocurrency fraud gang was shut down for the theft of $200M from over 50,000 victims," reports Hard Fork. The criminals offered fake cryptocurrency investments promising people 15% returns on their money. "At the time, the firm had collected about $215M through February 2019; however, police concluded the figure could be around $250M," says the Federal Revenue Service.

In April, police arrested an individual suspected of running a drug trafficking gang and laundering money through Bitcoin. In Porto Alegre, southern Brazil, police discovered a secret drug lab that also housed Bitcoin mining equipment.