Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Attacks. Show all posts
Windows
Cyber Attacks Fake Website Firefox RomCom Windows

Russian Hackers Use Firefox and Windows Vulnerabilities in Global Cyberattack

 



A sophisticated cyberattack carried out by the Russian cyber threat group RomCom APT has raised alarms within the global cybersecurity community. Exploiting two previously unknown zero-day vulnerabilities in Firefox and Windows, the attack, which took place in October, was able to infiltrate systems without any user interaction. This tactic marks a concerning escalation in cyberattack methods, highlighting the ever-growing sophistication of threat actors. 
 

How the Attack Unfolded 

 
RomCom APT used two critical vulnerabilities to carry out its campaign: 
 
1. Firefox Animation Timeline Vulnerability (CVE-2024-9680) 
 
A severe flaw in Firefox's animation timelines allowed the attackers to remotely execute malicious code. Rated 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS), the vulnerability was exploited through fake websites. Victims who visited these websites unknowingly downloaded malware disguised as the RomCom backdoor. Once installed, the malware silently redirected users to the legitimate websites they intended to visit, leaving them unaware of the compromise. This vulnerability also affected Tor, which shares a code base with Firefox, broadening its potential impact. 

2. Windows Task Scheduler Vulnerability (CVE-2024-49039) 
 
The second vulnerability resided in the Windows Task Scheduler, with a CVSS score of 8.8. This flaw allowed the attackers to bypass the security sandbox of the browser, escalating privileges and providing them with full access to the victim's system. With this level of control, RomCom hackers were able to execute further malicious activities undetected. 

 
Targets and Techniques 

 
RomCom APT deployed fake websites posing as well-known platforms, including ConnectWise, Devolutions, and Correctiv, to lure victims. The group targeted high-value sectors such as **insurance**, pharmaceuticals, defense, energy, and government institutions, with the majority of victims located in North America and Europe, particularly in Germany, France, and the United States. 
 
RomCom is notorious for combining cybercrime with politically motivated espionage. This attack is part of a broader pattern targeting politically and economically sensitive sectors. Prompt responses from cybersecurity teams, including collaboration with security experts, helped prevent the attack from spreading widely, limiting its impact. 
 

Swift Vulnerability Patching 
 

Fortunately, both vulnerabilities were addressed promptly. Mozilla released a patch for the Firefox flaw on October 9, just 25 hours after it was notified. Similarly, Microsoft issued a patch for the Windows vulnerability on November 12. These swift responses underscore the importance of keeping systems updated, as timely patches are often the first line of defense against zero-day vulnerabilities. 

 
Cybersecurity Takeaways 

 
This attack serves as a stark reminder of the necessity for robust software maintenance and a proactive patch management strategy. Zero-day vulnerabilities are often exploited rapidly, making regular updates crucial for minimizing the risk of exploitation. While the RomCom attack was relatively short-lived, it underscores the evolving nature of cyber threats. Organizations and individuals alike must stay vigilant, prioritize timely software updates, and adopt comprehensive cybersecurity measures to protect against increasingly sophisticated attacks.   
 

Key Points for Cybersecurity Practitioners: 

  • Maintain Updated Software: Regular updates and patches are essential to protecting against zero-day vulnerabilities. 
  • Awareness of Emerging Threats: Understand and mitigate the risks associated with zero-click attacks and other advanced persistent threats. 
  • Strengthen Incident Response: Timely detection and rapid response are critical to minimizing the impact of cyberattacks.
Read more »
RECOPE
Costa Rica cybercrime cyber attack Cyber Attacks Cyberattacks cyberattacks trending news News RECOPE

Costa Rica Faces Another Cyberattack, RECOPE Operations Shift to Manual Mode

 

Costa Rica’s state-owned oil company, RECOPE, suffered a ransomware attack on November 27, disrupting its digital operations and forcing a shift to manual procedures to maintain uninterrupted fuel distribution. 

This attack is the second major cyber incident targeting a government institution in the past month, following a similar assault on the General Directorate of Migration (DGME). 

Impact on Fuel Supply 


Despite the disruption, RECOPE assured citizens that the fuel supply remains unaffected, thanks to sufficient inventories. Manual operations, including extended working hours, have been implemented to meet demand, especially after a surge in fuel sales driven by public concerns. 

The ransomware temporarily disabled RECOPE’s digital payment systems, which are often compromised via phishing emails or malicious downloads. 

Efforts to Restore Systems 


RECOPE is working with Costa Rica’s Ministry of Science, Innovation, Technology, and Telecommunications (MICITT) and U.S. cybersecurity experts to restore the affected systems while ensuring safe operations. However, no timeline for full recovery has been provided. 

In comparison, the DGME attack earlier in November caused significant disruptions to online services, though essential operations like border control and passport issuance continued without interruption. 


Escalating Cyber Threats in Costa Rica 


These incidents highlight the increasing threat to Costa Rica’s public institutions and their digital infrastructure. 

  • 2022 Conti Gang Attack: A notorious attack by the Conti gang paralyzed several government services and prompted Costa Rica to declare a state of emergency. 
  • U.S. Aid: The U.S. provided USD 25 million to help strengthen Costa Rica’s cybersecurity. 

Despite these efforts, the recent breaches expose persistent vulnerabilities in the nation’s rapidly digitizing but under-secured systems.  

Global Implications 


Experts warn that attacks on Costa Rican institutions could serve as testing grounds for cybercriminals, helping refine tactics for larger assaults on critical infrastructure in nations like the United States. 

Ransomware has evolved from a nuisance to a sophisticated criminal enterprise, often leveraging zero-day exploits and ransomware-as-a-service platforms. 

International Response 


Globally, governments are intensifying efforts to combat ransomware. The U.S. has established an international counter-ransomware task force, and there is a growing push to classify ransomware attacks as national security threats. 

These measures aim to curb the escalating threat and protect critical infrastructure from increasingly sophisticated cyberattacks.
Read more »
Ransomware
Cyber Attacks Health Healthcare Hospital Patient Ransomware

Rise in Cyberattacks, Healthcare Industry Top Victim

Rise in Cyberattacks, Healthcare Industry Top Victim


Hospitals in Merseyside, including Arrowe Park Hospital in the Wirral, are facing significant disruptions following a cyber attack on the Wirral University Teaching Hospital Trust. Outpatient appointments have been canceled, and patients have been advised to avoid visiting the A&E department unless in a medical emergency. 

A spokesperson for the Trust confirmed, “A major incident was declared yesterday for cyber security reasons and remains ongoing. Our business continuity processes are in place, and our priority remains ensuring patient safety. We apologize for any inconvenience and will contact patients to reschedule canceled appointments.” 

Rising Cyber Threats to Healthcare   


The breach has also affected staff, who are struggling to access electronic records, highlighting the increasing frequency of cyber attacks on healthcare systems in the UK and globally. Research by KnowBe4 shows that the global healthcare sector faced an average of 1,613 attacks per week during the first three quarters of 2023 — four times higher than the global average.   

Earlier in 2024, a cyber attack on Kings College Hospital Foundation forced the shutdown of critical operations due to a breach at blood test supplier Synnovis.   

In recent years, similar incidents have plagued the UK healthcare system:   

- A ransomware attack on Barts NHS Trust by the Russian BlackCat gang resulted in the theft of 7TB of sensitive data.   
- In February 2023, NHS Dumfries and Galloway faced a breach compromising patient and staff information.   

In response to these escalating threats, the National Data Guardian (NDG) and NHS England introduced a new cyber resilience framework in September 2023. Dr. Nicola Byrne, National Data Guardian, stated that the framework provides organizations with a "current and evolving approach to enhance data protection and cyber resilience."
Read more »
Ransomware attack
Bologna FC Cyber Attacks Extortion Gang Football Club Ransomware attack

Bologna FC Acknowledges Data Breach After RansomHub Ransomware Assault

 

Bologna Football Club 1909 has disclosed that it fell victim to a ransomware attack, following the RansomHub extortion gang’s publication of stolen data online. 
 
In an official statement, the club confirmed: “Bologna FC 1909 S.p.a. would like to communicate that a ransomware cyber attack recently targeted its internal security systems. The crime resulted in the theft of company data which may appear online. Please be warned that it is a serious criminal offence to be in possession of such data or facilitate its publication or diffusion.” 
 

RansomHub Claims Theft of Sensitive Data 

 
The announcement comes shortly after the RansomHub ransomware group claimed responsibility for the attack. The group alleges that it exfiltrated 200GB of data, including: 
- Financial documents 
- Player medical records 
- Personal information of customers and staff 
- Business plans 
 
RansomHub has issued multiple threats to Bologna FC, asserting that the leaked data could expose the club’s violations of European data protection regulations and other football-related compliance requirements set by FIFA and UEFA. 
 

Rising Cyber Threats in Football and Sports Organizations 
 

Football clubs and sports organizations have become frequent targets for financially motivated cybercriminals. 
 
- In 2022, the Dutch football governing body was hacked by the now-defunct LockBit ransomware group, which reportedly paid a ransom to secure sensitive data belonging to over 1.2 million employees and members. 
 
- A Premier League club fell victim to a business email compromise attack, where hackers infiltrated a team director’s email during a trade deal and nearly transferred $1.2 million into fraudulent accounts. 
 
- In 2018, an Italian Serie A club lost more than $1.75 million after hackers compromised a club official’s email and intercepted payments from a streaming service provider. Spanish authorities later arrested 11 individuals connected to the scheme in Barcelona. 

 

Cybersecurity Risks in Professional Sports 

 
In 2020, the United Kingdom's National Cyber Security Centre (NCSC) highlighted the growing risk of cyberattacks on sports organizations. A notable incident involved a ransomware attack on a Premier League team that: 
 
- Severely disrupted its corporate systems 
- Paralyzed the turnstile system 
- Nearly led to the cancellation of a scheduled game 

The Need for Strengthened Security 

 
The attack on Bologna FC underscores the urgent need for sports organizations to bolster their cybersecurity defenses. Financially motivated attacks continue to target sensitive information, posing risks not only to the organizations themselves but also to their players, staff, and fans. 
 
As investigations into the Bologna FC incident continue, the club’s response and future security measures will be closely watched by both cybersecurity experts and the football community. Maintaining robust digital defenses is now a critical requirement for ensuring the integrity and continuity of operations in the world of professional sports.
Read more »
Telnet
Cyber Attacks DDOS Attacks Matrix Telecom Telnet

Could Your Device Be Caught in the Matrix Cyber Attack?

 



A recent report has outlined a large-scale cyberattack widely referred to as the Matrix campaign. This attack has put in jeopardy an estimated 35 million internet-connected devices across the globe. "This attack contributes to slowing down internet connections to homes and exposes businesses to data breaches, operational interruptions, and reputational damage among others," said Aqua Security's threat intelligence team.

The Matrix campaign is a threat that has been orchestrated by an actor called Matrix. The attack leverages vulnerabilities and weak security practices in the devices like home routers, surveillance cameras, and enterprise systems. According to experts, this attack signifies an emerging trend of IoT device and enterprise infrastructure targeting in order to build botnets for DDoS attacks.


How the Matrix Attack Works

They take advantage of the openly available hacking tools, poor passwords, and misconfiguration to enter devices. Methods used are brute-force attacks and exploitation of hardcoded default credentials such as "admin:admin" or "root:camera." Once a device is compromised, it joins a botnet—a network of hijacked devices that can be used to carry out large-scale cyber attacks like DDoS, overwhelming targets with traffic.

Matrix is not only targeting the home router but also, for instance, the Telecom equipment and server infrastructure are under attack through common protocols and applications such as Telnet, SSH, and Hadoop. Even software development life cycle servers are vulnerable to attack; it has proven an evolution of cybercrime through the exploitation of corporate vulnerabilities. 


A Cybercrime Evolution: Low Skills, Big Impact

The scariest part of the Matrix attack is that it seems to be the handiwork of a lone, somewhat novice hacker known as a "script kiddie." This attacker, with the aid of widely available AI tools and ready-to-use hacking software, has mounted an unprecedented campaign around the globe.

According to Aqua Security, this attack highlights the ease with which low-skilled hackers can now execute sophisticated attacks, underscoring the growing danger of poorly secured devices.  


How to Protect Yourself

To safeguard your devices from becoming part of a botnet, it is essential to take the following precautions:  

1. Update Firmware: Ensure your router and other devices run the latest software updates.

2. Strengthen Passwords: Replace default credentials with strong, unique passwords. 

3. Secure Access: Where possible, use additional security measures such as two-factor authentication.


Having addressed these vulnerabilities, the users can secure their devices from further attacks. The Matrix campaign reminds everyone that in today's networked world, proper cybersecurity is essential.


Read more »
supply chain security
Cyber Attacks Ransomware attack Ransomwares Software Providers Supply Chain supply chain attacks supply chain security

Ransomware Attack on Blue Yonder Disrupts Global Supply Chains

 

Blue Yonder, a leading supply chain software provider, recently experienced a ransomware attack that disrupted its private cloud services. The incident, which occurred on November 21, 2024, has affected operations for several high-profile clients, including major grocery chains in the UK and Fortune 500 companies. While the company’s Azure public cloud services remained unaffected, the breach significantly impacted its managed services environment. The attack led to immediate operational challenges for key customers. UK supermarket chains Morrisons and Sainsbury’s were among the most affected. 

Morrisons, which operates nearly 500 stores, reported delays in the flow of goods due to the outage. The retailer activated backup systems but acknowledged that its operations were still disrupted. Sainsbury’s similarly implemented contingency plans to address the situation and minimize the impact on its supply chain. In the United States, Blue Yonder serves prominent grocery retailers such as Kroger and Albertsons, though these companies have not confirmed whether their systems were directly affected. 

Other notable clients, including Procter & Gamble and Anheuser-Busch, also declined to comment on any disruptions they might have faced as a result of the attack. In response to the breach, Blue Yonder has enlisted the help of external cybersecurity firms to investigate the incident and implement stronger defenses. The company has initiated forensic protocols to safeguard its systems and prevent further breaches. While recovery efforts are reportedly making steady progress, Blue Yonder has not provided a timeline for full restoration. The company continues to emphasize its commitment to transparency and security as it works to resolve the issue. 

This attack highlights the growing risks faced by supply chain companies in an era of increasing cyber threats. Disruptions like these can have widespread consequences, affecting both businesses and consumers. A recent survey revealed that 62% of organizations experienced ransomware attacks originating from software supply chain vulnerabilities within the past year. Such findings underscore the critical importance of implementing robust cybersecurity measures to protect against similar incidents. 

As Blue Yonder continues its recovery efforts, the incident serves as a reminder of the potential vulnerabilities in supply chain operations. For affected businesses, the focus remains on mitigating disruptions and ensuring continuity, while industry stakeholders are left grappling with the broader implications of this growing threat.
Read more »
Rootkit
Avast BYOVD Attack Cyber Attacks Rootkit

Hackers Use Avast Bug to Shut Down Security Tools




A recently discovered campaign of cyberattacks makes use of a vulnerable Avast Anti-Rootkit driver to disable system security mechanisms and gain full control over target machines. With this, hackers can successfully avoid detection by security tools and thus pose a severe threat to users and organizations.


Exploiting a Vulnerable Driver

It is leveraging the so-called "bring-your-own-vulnerable-driver" (BYOVD) technique, where an old version of Avast's Anti-Rootkit driver is used. This kernel-mode driver allows hackers to gain access to essential parts of the system and also disable security defenses. The discovery was made by Trellix cybersecurity researchers.

The malware launching the attack, which is described as a variant of an AV Killer, drops a driver named ntfs.bin in the Windows user folder. It subsequently creates a service named aswArPot.sys using the Service Control tool (sc.exe) for registration and activation of the vulnerable driver.  


Targeting Security Processes

After installing the driver, the malware scans the system based on a hardcoded list of 142 processes associated with popular security tools. Such a list includes software from major vendors like McAfee, Sophos, Trend Micro, Microsoft Defender, and ESET. If it finds a match, the malware issues commands to the driver to terminate such security processes, thus effectively disabling system defenses.


Track of Previous Attacks

This abuse technique of the Avast driver has been seen in past attacks. In 2021, researchers found the same driver being used by Cuba ransomware to enable security tools disabling on victim systems. Trend Micro had discovered this technique while studying AvosLocker ransomware in early 2022.

Adding to the risks, SentinelLabs identified two severe vulnerabilities (CVE-2022-26522 and CVE-2022-26523) in the Avast Anti-Rootkit driver. These flaws, present since 2016, allowed attackers to escalate privileges and disable security measures. Avast addressed these vulnerabilities in 2021 through security updates, but outdated versions of the driver remain exploitable.  


What Should One Do?

To protect against such attacks, security professionals advise that blocking rules based on the digital signatures or hashes of malicious components should be in place. To this end, Microsoft also provides solutions, such as the vulnerable driver blocklist policy, which is enabled automatically on Windows 11 2022 and later devices. Organizations can further bolster protection by using Microsoft's App Control for Business to ensure systems are protected from driver-based exploits.


This campaign is a persistent threat in which the outdated drivers pose the risks, and proactive security measures are emphasized to fight advanced cyberattacks.


Read more »
Ransomwares
ALPHV ALPHV Blackcat Ransomware Change Healthcare Cyber Attacks cybersecurity in healthcare Information Security Ransomware attack Ransomwares

Change Healthcare Restores Clearinghouse Services After Nine-Month Recovery From Ransomware Attack

 

Change Healthcare has announced the restoration of its clearinghouse services, marking a significant milestone in its recovery from a debilitating ransomware attack by the ALPHV/Blackcat group in February. 

The attack caused unprecedented disruption to one of the U.S.’s most critical healthcare transaction systems, which processes over 15 billion transactions annually and supports payments and communications for hospitals, healthcare providers, and patients. The breach led to widespread financial and operational issues, with the American Hospital Association (AHA) reporting that 94% of U.S. hospitals relying on Change Healthcare were affected. Many hospitals experienced severe cash flow challenges, with nearly 60% reporting daily revenue losses of $1 million or more. These difficulties persisted for months as Change Healthcare scrambled to restore its services and mitigate the attack’s impact. 

In response to the financial strain on healthcare providers, UnitedHealth-owned Optum launched a Temporary Funding Assistance Program in March. This initiative provided over $6 billion in interest-free loans to healthcare providers to address cash flow shortages. As of October, $3.2 billion of the funds had been repaid, reflecting progress in stabilizing the industry. However, some services, such as Clinical Exchange, MedRX, and the Payer Print Communication System, are still undergoing restoration, leaving providers to navigate ongoing challenges. 

The breach also exposed sensitive information of approximately 100 million individuals, making it one of the most significant healthcare data breaches in history. Victims’ full names, email addresses, banking details, and medical claims records were among the data compromised. Change Healthcare’s parent company, UnitedHealth, confirmed that the attackers gained access through stolen credentials used to log into a Citrix portal that lacked multi-factor authentication (MFA). UnitedHealth CEO Andrew Witty testified before Congress, admitting to authorizing a $22 million ransom payment to the attackers. He described the decision as one of the hardest he had ever made, emphasizing the urgent need to minimize further harm to the healthcare system. 

Cybersecurity experts have criticized Change Healthcare for failing to implement basic security protocols, including MFA and robust network segmentation, prior to the attack. The attack’s aftermath has been costly, with remediation expenses exceeding $2 billion as of the most recent UnitedHealth earnings report. Critics have described the company’s lack of preventive measures as “egregious negligence.” Tom Kellermann, SVP of cyber strategy at Contrast Security, highlighted that the company failed to conduct adequate threat hunting or prepare for potential vulnerabilities, despite its critical role in the healthcare ecosystem. 

Beyond the immediate financial impact, the incident has raised broader concerns about the resilience of U.S. healthcare infrastructure to cyberattacks. Experts warn that the sector must adopt stronger cybersecurity measures, including advanced threat detection and incident response planning, to prevent similar disruptions in the future. The restoration of Change Healthcare’s clearinghouse services represents a major step forward, but it also serves as a reminder of the severe consequences of insufficient cybersecurity measures in an increasingly digital healthcare landscape. 

The attack has underscored the urgent need for organizations to prioritize data security, invest in robust safeguards, and build resilience against evolving cyber threats.
Read more »
Uttarakhand
Cyber Attacks Policy Sensitive Information Uttarakhand

Cyberattacks Expose Critical Vulnerabilities in Government Systems

 



Cyberattacks are becoming as consequential a threat as physical insurgencies, targeting government systems and vital businesses with growing frequency. A ransomware attack on the Uttarakhand government on October 2, 2024, brought over 90 key state-run websites to a grinding halt, including important platforms such as the CM Helpline, Chardham registration portal, and land registry systems. This breach brought the state's entire IT infrastructure to a standstill, where attackers gained control of sensitive information and demanded ransom, thereby paralyzing all state operations. 


Extent of the Attack 

This attack compromised the central data center of the Uttarakhand government and compromised not only sensitive information regarding citizens and other important departments but also compromised the Chief Minister's office.

Though the government said on October 10 that no data had been lost, the incident highlighted glaringly the lack of preparedness in mitigating such threats. This incident also represents a trend, as India suffered 388 data breaches, 107 data leaks, and close to 5 billion cyberattacks in 2023. Such attack gravity was previously witnessed in 2022, when AIIMS Delhi remained closed for two weeks following a ransomware attack that crippled healthcare services. 


Scrutiny over Preparedness and Accountability

The question on the preparedness and accountability of Uttarakhand government in terms of cybersecurity has now been raised.

An initiative two years ago even assigned ITI Limited in Bengaluru to design a disaster recovery plan, which still did not come into existence.

Experts are now wondering why this state did not have the basic cybersecurity protocols in place such as data backup systems and security audits that would have minimized damage, and that there is still no dedicated cybersecurity task force or enough technical experts within the Information Technology Development Agency (ITDA). 


Urgency for Policy Overhauls


The attack puts a primer on the need for overhaul in Uttarakhand and, by extension, other states across the nation. It calls for hiring subject matter experts, carrying regular audits, and placing cybersecurity nodal officers in each department. A comprehensive program to train officials along with collabingotals with cybersecurity professionals is the need of the hour to structure an effective system for future assault. 


Learning from the Crisis  

What has been called Uttarakhand's "Cyber Security Cloud Burst," this is a wake-up call. Rather than waiting for the restoration of the state's infrastructure, by putting in place stringent protocols and opening channels for frank dialogues with cybersecurity experts, steps can be taken to create precedence for other states as well. Cybersecurity cannot and should not be considered something to be done on the back burner but something integral to governance.



Read more »
Threat actors
beIN Sports Cloud Security Cyber Attacks data analysis FFmpeg Hackers Jupyter Notebooks live streaming sports piracy stream ripping Threat actors

Hackers Exploit Jupyter Notebooks for Sports Piracy Through Stream Ripping Tools

 

Malicious hackers are taking advantage of misconfigured JupyterLab and Jupyter Notebooks to facilitate sports piracy through live stream capture tools, according to a report by Aqua Security shared with The Hacker News.

The attack involves hijacking unauthenticated Jupyter Notebooks to gain initial access and execute a series of steps aimed at illegally streaming sports events. This activity was uncovered during an investigation into attacks on Aqua's honeypots.

"First, the attacker updated the server, then downloaded the tool FFmpeg," explained Assaf Morag, director of threat intelligence at Aqua Security. "This action alone is not a strong enough indicator for security tools to flag malicious activity."

Morag noted that the attackers then executed FFmpeg to capture live sports streams, redirecting them to their server. The campaign’s ultimate objective is to download FFmpeg from MediaFire, capture live feeds from Qatari network beIN Sports, and rebroadcast the content illegally via ustream[.]tv. This tactic allows the attackers to misuse compromised Jupyter Notebook servers as intermediaries while profiting from advertising revenues linked to the unauthorized streams.

Although the identity of the hackers remains unclear, one of the IP addresses used (41.200.191[.]23) suggests they may originate from an Arabic-speaking region.

"However, it's crucial to remember that the attackers gained access to a server intended for data analysis, which could have serious consequences for any organization's operations," Morag added.

He warned that the risks extend beyond piracy, potentially leading to denial-of-service attacks, data manipulation, theft, corruption of AI and ML processes, lateral movement within critical systems, and severe financial and reputational harm.
Read more »
Ransomwares
Cyber Attacks Defense Hacker attack Inc ransomware IT Systems IT systems breach Military Data NATO Ransomwares

Hungarian Defence Agency Hacked: Foreign Hackers Breach IT Systems

 

Foreign hackers recently infiltrated the IT systems of Hungary’s Defence Procurement Agency, a government body responsible for managing the country’s military acquisitions. According to Gergely Gulyas, the chief of staff to Hungarian Prime Minister Viktor Orban, no sensitive military data related to Hungary’s national security or its military structure was compromised during the breach. Speaking at a press briefing, Gulyas confirmed that while some plans and procurement data may have been accessed, nothing that could significantly harm Hungary’s security was made public. The attackers, described as a “hostile foreign, non-state hacker group,” have not been officially identified by name. 

However, Hungarian news outlet Magyar Hang reported that a group known as INC Ransomware claimed responsibility for the breach. According to the outlet, the group accessed, encrypted, and reportedly published some files online, along with screenshots to demonstrate their access. The Hungarian government has refrained from confirming these details, citing an ongoing investigation to assess the breach’s scope and potential impact fully. Hungary, a NATO member state sharing a border with Ukraine, has been increasing its military investments since 2017 under a modernization and rearmament initiative. 

This program has seen the purchase of tanks, helicopters, air defense systems, and the establishment of a domestic military manufacturing industry. Among the notable projects is the production of Lynx infantry fighting vehicles by Germany’s Rheinmetall in Zalaegerszeg, a region in western Hungary. The ongoing conflict in Ukraine, which began with Russia’s 2022 invasion, has further driven Hungary to increase its defense spending. The government recently announced plans to allocate at least 2% of its GDP to military expenditures in 2024. Gulyas assured reporters that Hungary’s most critical military data remains secure. 

The Defence Procurement Agency itself does not handle sensitive information related to military operations or structural details, limiting the potential impact of the breach. The investigation aims to clarify whether the compromised files include any material that could pose broader risks to the nation’s defense strategy. The breach raises concerns about the cybersecurity measures protecting Hungary’s defense systems, particularly given the escalating reliance on advanced technology in modern military infrastructure. With ransomware attacks becoming increasingly sophisticated, governments and agencies globally are facing heightened pressure to bolster their cybersecurity defenses. 

Hungary’s response to this incident will likely involve a combination of intensified cybersecurity protocols and ongoing collaboration with NATO allies to mitigate similar threats in the future. As the investigation continues, the government is expected to release further updates about the breach’s scope and any additional preventive measures being implemented.
Read more »
Rhadamanthys malware
Check Point Cyber Attacks data security Gmail Gmail Hack Gmail-Accounts Personal Data Phishing scam Rhadamanthys malware

Gmail Alert: Massive Phishing Campaign Spreads Rhadamanthys Malware

 

Cybersecurity experts have issued a new warning about a large-scale phishing attack targeting Gmail users worldwide. Researchers at Check Point have uncovered the threat, which uses fake Gmail accounts to send emails impersonating well-known companies. These fraudulent messages claim recipients have violated copyright laws on their social media accounts, urging them to take immediate action. 

The goal of these emails is to trick victims into downloading attachments laced with the Rhadamanthys Stealer malware. Once installed, this malware infiltrates systems to steal sensitive personal data. The attackers’ strategy is both sophisticated and alarming. They create convincing fake Gmail accounts and customize emails to appear as if they are from legitimate organizations. Victims are informed of supposed copyright violations and pressured to resolve the issue by downloading attached files. 

However, clicking on these files triggers the malware’s installation, granting hackers access to a victim’s computer. The malware operates silently, collecting private information such as login credentials and other sensitive data without the user’s knowledge. The phishing campaign has already reached a global audience, targeting users in Europe, Asia, and the United States. Check Point highlights the staggering scale of the operation, noting that nearly 70% of the impersonated companies belong to the entertainment, media, technology, and software industries. This wide range of targets makes the attack more challenging to detect and stop. 

The campaign leverages people’s trust in established companies and creates urgency, making victims more likely to fall for the scam. One of the most concerning aspects of the attack is the advanced capabilities of the Rhadamanthys Stealer malware. This sophisticated program is specifically designed to evade detection by traditional security measures. Once installed, it can extract a variety of data from the infected system, including passwords, financial information, and personal files. The malware’s ability to operate covertly increases the risk for users who are unaware that their devices have been compromised. 

Experts stress the importance of vigilance in protecting against this type of phishing attack. Email users should carefully verify the sender’s identity and be cautious of messages that create a sense of urgency or demand immediate action. Legitimate organizations rarely use generic Gmail accounts to contact users, and they typically do not send unsolicited attachments or links. Users should also avoid downloading files or clicking on links from unknown sources, as these actions can initiate malware installation. 

Keeping antivirus software up to date is another critical step in preventing infections. Modern security programs are designed to detect and block malicious files like those associated with Rhadamanthys Stealer. Additionally, users are encouraged to report any suspicious emails to their email providers, which can help prevent further spread of such attacks. By staying informed and adopting safe online practices, individuals can reduce their vulnerability to these increasingly sophisticated phishing campaigns.
Read more »
ransomware attacks
Critical Infrastructure Cyber Attacks CyberCrime Cybersecurity CyberThreat Oilfield Supplier ransomware attacks

Texas Oilfield Supplier Operations Impacted by Ransomware Incident

 


About two months before the Newpark Resources attack, oilfield services giant Halliburton had been afflicted with a cyberattack that it then disclosed in a regulatory filing, which occurred about two months earlier.  Last week, Halliburton, the world's largest energy services provider, announced that about $35 million in expenses were incurred because of the attack. Still, the impact on the company's finances is relatively small, especially considering Halliburton is one of the world's largest energy services providers.  

There was an incident in August when Halliburton, a global provider of services for the energy industry, had to shut down the systems of some of its subsidiaries due to a cyber attack. In most cases, this type of breach involves unauthorized access by third parties; oftentimes, this leads to operations being disrupted, systems being shut down, and incident response plans being activated as a result of the breach. A cyber-response plan was activated at that time and a comprehensive investigation was conducted internally with the assistance of external advisors to assess and remedy any unauthorized activity that the company was aware of at that time.  

Halliburton announced last week that in its third-quarter results it incurred a pretax charge of $116 million as a result of severity costs, impairment of assets held for sale, expenses related to cybersecurity incidents, gains on equity investments, and other items. The company said in the release that it recorded a pretax charge of $116 million in the third quarter of 2024. In a report released on Tuesday, Halliburton's chairman, president, and CEO, Jeff Miller, said that Halliburton "experienced a $0.02 per share impact on its adjusted earnings from storms in the Gulf of Mexico and in the Gulf of Mexico due to the August cybersecurity event." 

While the update is not in any way noteworthy, Andy Watkin-Child, founding partner at Veritas GRC told LinkedIn it shows cyber incidents are moving to the top of the corporate agenda, in a post on the social media platform. The board of directors is more transparent, as required by the Securities and Exchange Commission when it comes to the impact of cyber incidents. Following the attack on Halliburton, the company had to postpone billing and collection activities, as well as put a halt on its share buyback program. 

According to the company, the full impact will not be material for the company's operations in the long run.   The Newpark Resources Group announced this week that access to certain information systems and business applications has been disrupted due to a ransomware attack that has hit their network. According to a filing with the Securities and Exchange Commission (SEC), the incident was discovered on October 29 and a cybersecurity response plan was activated immediately, the Texas-based company that provides drilling fluids systems and composite matting systems for the oilfield sector, said in its statement. 

In his statement, Newpark stated that "the incident has caused disruptions and limitations in access to certain of the company's information systems and business applications that support aspects of the company's operations and corporate functions, including financial and operational reporting systems", and the company is still paying the price. To continue operating uninterruptedly, the company reverted to downtime procedures, allowing it to safely continue manufacturing and field operations during the downtime period.  

Based on the company's current understanding of the facts and circumstances regarding this incident, this incident appears not to have a reasonably likely impact on the company's financial situation or its results of operations, the company said in a statement. Newpark declined to provide information about how the attackers accessed its network, as well as who might have been responsible for the incident, nor did it explain how they gained access. No ransomware group is known to be claiming responsibility for the attack, according to SecurityWeek. 

About two months before the Newpark Resources breach, there was also a cyberattack on oilfield services giant Halliburton that was also announced in a regulatory filing by that company.  The company has just reported that as a result of the attack, Halliburton has incurred approximately $35 million in expenses. However, given that the company is one of the leading energy service companies in the world, the financial impact is relatively small.  

The incident at Newpark Resources highlighted the importance of network segmentation in protecting networks, according to Chris Grove, director of cybersecurity strategy at Nozomi Networks. He says that when networks are under attack, network segmentation can ensure their security.  According to Grove, separating OT from IT is one way to minimize the risk of a security breach and possibly hurt key operations if there is a breach. However, organizations are facing an increasingly pressing challenge: securing the advantages of segmentation while enabling controlled connectivity, which is becoming increasingly difficult to maintain. 

Cybersecurity Dive has been informed by researchers from NCC Group via email that there has been no public leak of data from the Newpark Resources attack and that there has been no claim made regarding the leak.  Neither the company nor the company's shareholders have been able to determine what costs and financial impacts will be associated with this incident, but about the company's financial condition and results of operations, they believe that the attack "is not reasonably likely to have a material impact."

As a manufacturer, seller, and rental company, Newpark Resources is dedicated to serving the petroleum industry and various other sectors related to energy, such as pipelines, renewable energy, petrochemicals, construction, and oilfields. In its Thursday earnings report, the Woodlands, Texas-based company disclosed quarterly revenue exceeding $44 million and projected an annual revenue reaching up to $223 million. This performance underscores the company's strong market presence despite recent challenges, though it remains under pressure following a recent ransomware attack by unidentified cyber actors. 

As of Thursday, no specific hacking group had taken responsibility for the attack. The oil and gas sector recognized as a globally essential industry, has increasingly become a focal point for ransomware attacks. Due to the industry’s high financial stakes and critical role in infrastructure, it is often targeted by cybercriminals who expect ransom payments to restore access to compromised systems. Notably, ransomware incidents have affected major players in the sector. Over the past four years, corporations such as Shell, Halliburton, Colonial Pipeline, Encino Energy, Oiltanking, and Mabanaft have experienced cybersecurity breaches that have disrupted operations and prompted significant financial and reputational impacts.

These incidents have drawn heightened attention from government entities, prompting federal authorities to pursue enhanced cybersecurity measures across critical infrastructure sectors. The rise in ransomware attacks has spurred the government to implement stricter cybersecurity regulations, with mandates designed to bolster defense mechanisms within vulnerable industries.
Read more »
ransomware attacks
Critical Infrastructure Cyber Attacks cybersecurity in healthcare data security Healthcare Data Healthcare Industry ransomware attacks

WHO and Global Leaders Warn Against Rise of Ransomware Attacks Targeting Hospitals

 

On November 8, the World Health Organization (WHO) joined over 50 countries in issuing an urgent warning at the United Nations about the increase in ransomware attacks on healthcare systems worldwide. WHO Director-General Tedros Adhanom Ghebreyesus addressed the UN Security Council, emphasizing the critical risks these cyberattacks pose to public health and safety. He highlighted the growing frequency of attacks on hospitals, which could delay urgent care, disrupt essential services, and lead to life-threatening consequences. Calling for global cooperation, he described ransomware as an international security threat that demands a coordinated response. 

Ransomware is a form of cyberattack where hackers lock or encrypt a victim’s data and demand payment in exchange for releasing it. This form of digital extortion has escalated globally, affecting healthcare providers, institutions, and governments alike. In the healthcare sector, such attacks can be particularly devastating, compromising the safety of patients and healthcare workers. The joint statement, endorsed by nations such as Japan, South Korea, Argentina, France, Germany, and the United Kingdom, outlined the immediate dangers these attacks pose to public health and international security, calling on all governments to take stronger cybersecurity measures. The U.S., represented by Deputy National Security Adviser Anne Neuberger, directly blamed Russia for allowing ransomware groups to operate freely within its borders. 

According to Neuberger, some countries knowingly permit these actors to execute attacks that impact critical infrastructure globally. She called out Moscow for not addressing cybercriminals targeting foreign healthcare systems, implying that Russia’s inaction may indirectly support these malicious groups. Additional accusations were made against North Korea by delegates from France and South Korea, who highlighted the country’s alleged complicity in facilitating ransomware attacks. Russia’s UN representative, Ambassador Vassily Nebenzia, defended against these claims, arguing that the Security Council was not the right forum to address such issues. He asserted that Western nations were wasting valuable council time and resources by focusing on ransomware, suggesting instead that they address other pressing matters, including alleged attacks on hospitals in Gaza.  

WHO and the supporting nations warn that cybercrime, particularly ransomware, requires a global response to strengthen defenses in vulnerable sectors like healthcare. Dr. Ghebreyesus underscored that without collaboration, cybercriminals will continue to exploit critical systems, putting lives at risk. The joint statement also condemned nations that knowingly enable cybercriminals by allowing them to operate within their jurisdictions. This complicity, they argue, not only endangers healthcare systems but also threatens peace and security globally. 

As ransomware attacks continue to rise, healthcare systems worldwide face increasing pressure to strengthen cybersecurity defenses. The WHO’s call to action emphasizes that nations need to take ransomware threats as seriously as traditional security issues, working together to protect both patient safety and public health infrastructure.
Read more »
Ransomwares
Company Breach Cyber Attacks Cybersecurity awareness Data Theft Financial Data Breach Hackers ransomware attacks Ransomwares

How to Prevent a Ransomware Attack and Secure Your Business

 

In today’s world, the threat of cyberattacks is an ever-present concern for businesses of all sizes. The scenario of receiving a call at 4 a.m. informing you that your company has been hit by a ransomware attack is no longer a mere fiction; it’s a reality that has affected several major companies globally. In one such instance, Norsk Hydro, a leading aluminum and renewable energy company, suffered a devastating ransomware attack in 2019, costing the company an estimated $70 million. This incident highlights the vulnerabilities companies face in the digital age and the immense financial and reputational toll a cyberattack can cause. 

Ransomware attacks typically involve hackers encrypting sensitive company data and demanding a hefty sum in exchange for decryption keys. Norsk Hydro chose not to pay the ransom, opting instead to rebuild their systems from scratch. Although this route avoided funding cybercriminals, it proved costly in both time and resources. The question remains, what can be done to prevent such attacks from occurring in the first place? The key to preventing ransomware and other cyber threats lies in building a robust security infrastructure. First and foremost, organizations should implement strict role-based access controls. By defining specific roles for employees and limiting access to sensitive systems based on their responsibilities, businesses can reduce the attack surface. 

For example, financial analysts should not have access to software development repositories, and developers shouldn’t be able to access the HR systems. This limits the number of users who can inadvertently expose critical systems to threats. When employees change roles or leave the company, it’s essential to adjust their access rights to prevent potential exploitation. Additionally, organizations should periodically ask employees whether they still require access to certain systems. If access hasn’t been used for a prolonged period, it should be removed, reducing the risk of attack. Another critical aspect of cybersecurity is the implementation of a zero-trust model. A zero-trust security approach assumes that no one, whether inside or outside the organization, should be trusted by default. 

Every request, whether it comes from a device on the corporate network or a remote one, must be verified. This means using tools like single sign-on (SSO) to authenticate users, as well as device management systems to assess the security of devices trying to access company resources. By making trust contingent on verification, companies can significantly mitigate the chances of a successful attack. Moreover, adopting a zero-trust strategy requires monitoring and controlling which applications employees can run on their devices. Unauthorized software, such as penetration testing tools like Metasploit, should be restricted to only those employees whose roles require them. 

This practice not only improves security but also ensures that employees are using the tools necessary for their tasks, without unnecessary exposure to cyber risks. Finally, no security strategy is complete without regular fire drills and incident response exercises. Preparing for the worst-case scenario means having well-documented procedures and ensuring that every employee knows their role during a crisis. Panic and confusion can worsen the impact of an attack, so rehearsing responses and creating a calm, effective plan can make all the difference. 

 Preventing cyberattacks requires a combination of technical measures, strategic planning, and a proactive security mindset across the entire organization. Business leaders must prioritize cybersecurity just as they would profitability, growth, and other business metrics. By doing so, they will not only protect their data but also ensure a safer future for their company, employees, and customers. The impact of a well-prepared security system is immeasurable and could be the difference between an incident being a minor inconvenience or a catastrophic event.
Read more »
ransomware attacks
Cyber Attacks CyberCrime Cyberhackers Cybersecurity Cyberthreats Hospitals ransomware attacks

Cyberattack Impacts Georgia Hospital, Colorado Pathology Services

 


The number of hospitals that have been affected by ransomware, business email compromise, and other cyber threats is increasing across all sectors, from small community hospitals such as Memorial Hospital and Manor in Bainbridge, Georgia, to those with a large number of beds.  In his opening keynote address at the HIMSS Healthcare Cybersecurity Forum last week in Washington, D.C., Greg Garcia, executive director of the Health Sector Coordinating Council Cybersecurity Working Group, indicated that there is now an average of two data breaches conducted every day within the American health care system. 

People who work in hospitals and health systems are often targeted by cyber threat actors exploiting the basic vulnerabilities of their systems and taking advantage of the vulnerabilities. To illustrate these types of breaches, Kaiser Permanente, one of the country's largest health systems, said it had sent a notice Sunday to those in Southern California whose personal health data had been compromised as a result of unauthorized access to two email accounts of employees. 

The bad guys can also be skilled at exploiting their victim's vulnerability, with sophisticated social engineering techniques coupled with phishing attacks that focus on bots. As part of a cyber exploit, originally discovered earlier this month, Summit Pathology, an independent pathology service provider based in Colorado, had patient data associated with more than 1.8 million people exfiltrated from its system. 

In a report issued by Kaiser Permanente, it was reported that an unauthorised third party gained access to the email accounts of two employees and was able to view the health information of patients. As the U.S. grows and grows, ransomware, business email compromise, and other cyber threats are causing disruptions to care for millions of people across the nation, including small community hospitals such as Memorial Hospital and Manor in Bainbridge, Georgia, as well as the largest providers. 

A recent study conducted by the Health Sector Coordinating Council Cybersecurity Working Group found that the United States amounted to two data breaches per day on average, Greg Garcia, executive director of the ASHC Cybersecurity Working Group, said in his opening address at the HIMSS Healthcare Cybersecurity Forum, held in Washington, DC, last week. In many cases, cybercriminals target people who work in hospitals and health systems to exploit weaknesses in the system. A health system in Southern California posted a notice informing its members on Friday there was an issue about the security of health information that was discovered on September 3. 

A notice on the company's website advised that two of its employees' email accounts had been accessed by an unauthorized party, according to the notice. "Immediately following the discovery of this incident, Kaiser Permanente terminated the unauthorized access and immediately began investigating to determine the scope of the access." this statement was made by Kaiser Permanente. It was found that some protected health information about some patients were included in the email's contents after we validated them." 

According to the health system, although Social Security numbers and financial information were not involved, protected health information, such as first and last names, dates of birth, medical records numbers, and medical information, had the potential to be accessed and/or viewed by third parties. As part of Kaiser Permanente's maintenance of health system operations, affected individuals were contacted directly by the company, Kaiser Permanente said. There is evidence out there that on October 18, Summit Pathology of Loveland, Colorado, reported to the Department of HHS that there are 1,813,538, whose data had been breached in a hacking incident, in which their data has been compromised. 

 As outlined in the pathology services company's notice on its website, the impacted systems contained data such as names, addresses, medical billing and insurance information, certain medical information such as diagnosis, demographic information such as dates of birth, social security numbers, and financial information. There was an incident that occurred on or around April 18 when Summit announced it had noticed suspicious activity on its computer network and that it had taken the necessary steps to secure it, including contacting third parties to assist in the investigation. 

The affected healthcare entities have reported that they successfully identified files that unauthorized individuals may have accessed or acquired during the ransomware attack. In response to the incident, Summit conducted a thorough review of its internal policies and procedures. Following this review, they implemented additional administrative and technical safeguards to strengthen security and mitigate the risk of future attacks. 

On October 31, the Murphy Law Firm, based in Oklahoma City, stated its involvement in the case. The firm announced that it is pursuing a class action lawsuit and actively investigating claims related to the breach. According to Murphy Law Firm, Summit’s forensic investigation revealed that cybercriminals were able to infiltrate the organization's inadequately secured network, leading to unauthorized access to sensitive data files. The law firm is now seeking to hold Summit accountable for the potential data security lapses that may have enabled the breach.
Read more »
Microsoft
cyber attack Cyber Attacks data information Data Theft Microsoft

Chinese Botnet Quad7 Targets Global Organizations in Espionage Campaign



Microsoft has unveiled a sweeping cyber threat posed by a sophisticated Chinese botnet, Quad7, targeting organizations worldwide through advanced password spray attacks. Operated by a group identified as Storm-0940, this campaign primarily aims at high-value entities, including think tanks, government organizations, NGOs, law firms, and the defense industry, with espionage as its primary objective. 

Microsoft researchers report that Storm-0940 employs stolen credentials to establish persistent access, facilitating deeper intrusions and more extensive cyber espionage. The botnet’s initial actions include harvesting credentials and deploying remote access trojans (RATs) and proxies to maintain long-term access, enhancing the group’s ability to conduct disruptive attacks. 

The infiltration tactics of Quad7 stand out for their precision and stealth. According to Microsoft, Storm-0940 relies on a separate covert network, CovertNetwork-1658, to submit a limited number of sign-in attempts across multiple accounts within targeted organizations. 

In most cases — around 80 percent — CovertNetwork-1658 limits attempts to just one per account per day, minimizing the likelihood of detection. Once a password is successfully guessed, Storm-0940 quickly moves to compromise the system further, sometimes completing the breach within the same day. Quad7’s operational scope has recently expanded beyond its initial focus on TP-Link routers, now encompassing ASUS routers, Zyxel VPN endpoints, Ruckus wireless routers, and Axentra media servers. 

Researchers first identified Quad7 in late September 2024, noting its targeted attacks on specific device ports, particularly port 7777. Cybersecurity experts, including those from Sekoia and a researcher known as Gi7w0rm, initially linked the botnet to TP-Link devices. However, it has since broadened its scope, targeting new clusters labeled based on device type, such as “rlogin” for Ruckus and “zylogin” for Zyxel. 

Each variant, including clusters named xlogin, alogin, axlogin, and others, showcases Quad7’s adaptability. Some of these clusters comprise thousands of compromised devices, while others involve as few as two infections, reflecting the botnet’s flexibility in scaling its operations. 

This escalating threat underlines the urgent need for enhanced cybersecurity vigilance across potentially vulnerable devices worldwide. As Quad7’s reach expands, securing routers and other entry points is essential in protecting against ongoing cyber espionage and disruption.
Read more »
Threat Landscape
APT36 Cyber Attacks Indian Organizations Pakistan Hacker Threat Landscape

Check Point Uncover Pakistan-Linked APT36’s New Malware Targeting Indian Systems

 

Pakistan's APT36 threat outfit has been deploying a new and upgraded version of its core ElizaRAT custom implant in what looks to be an increasing number of successful assaults on Indian government agencies, military entities, and diplomatic missions over the last year. 

Cybersecurity researchers at Check Point Research (CPR) identified that the latest ElizaRAT variant includes new evasion strategies, enhanced command-and-control (C2) capabilities, and an additional dropper component that makes it more difficult for defenders to spot the malware.

A new stealer payload known as ApoloStealer has been used by APT36 to collect specified file types from compromised systems, retain their metadata, and transport the data to the attacker's C2 server, therefore increasing the risk. 

"With the introduction of their new stealer, the group can now implement a 'step-by-step' approach, deploying malware tailored to specific targets," stated Sergey Shykevich, threat intelligence group manager at Check Point Software. "This ensures that even if defenders detect their activities, they primarily find only a segment of the overall malware arsenal.”

The threat group's use of legitimate software, living off the land binaries (LoLBins), and lawful C2 communication services such as Telegram, Slack, and Google Drive complicates the situation. According to Shykevich, the adoption of these services has made it much more difficult to monitor malware transmissions in network traffic. 

APT36, also known as Transparent Tribe, Operation C-Major, Earth Karkaddan, and Mythic Leopard by security vendors, is a Pakistani threat group that has predominantly targeted Indian government and military entities in intelligence gathering operations from about 2013. Like many other tightly focused threat groups, APT36's attacks have occasionally targeted organisations in other nations, such as Europe, Australia, and the United States.

The malware that the threat actor now possesses comprises tools for infiltrating Android, Windows, and increasingly Linux devices. BlackBerry revealed earlier this year that in an APT36 campaign, ELF binaries (Linkable Executable and Linkable Format) accounted for 65% of the group's attacks against Maya OS, a Unix-like operating system created by India's defence ministry as a Windows substitute. Additionally, SentinelOne reported last year that APT36 was spreading the CopraRAT malware on Android devices owned by Indian military and diplomatic personnel by using romantic lures. 

ElizaRAT is malware that the threat actor included in their attack kit last September. The malware has been propagated using phishing emails that include links to malicious Control Panel files (CPL) hosted on Google Storage. When a user opens the CPL file, code is executed that starts the malware infection on their device, potentially granting the attacker remote access or control of the system. 

Over the last year, Check Point analysts detected APT36 operators using at least three different versions of ElizaRAT in three consecutive campaigns, all of which targeted Indian businesses. The first was an ElizaRAT variation that utilised Slack channels for C2 infrastructure. APT36 began employing that variation late last year, and approximately a month later began deploying ApoloStealer with it. 

Starting early this year, the threat group began using a dropper component to discreetly drop and unpack a compressed file carrying a new and enhanced version of ElizaRAT. The new variation, like its predecessor, initially checked to see if the machine's time zone was configured to Indian Standard Time before executing and engaging in malicious behaviour.

"Introducing new payloads such as ApolloStealer marks a significant expansion of APT36’s malware arsenal and suggests the group is adopting a more flexible, modular approach to payload deployment," CPR noted in its report. "These methods primarily focus on data collection and exfiltration, underscoring their sustained emphasis on intelligence gathering and espionage.”
Read more »
TLS
C2 Chinese Hackers Chinese Threat Actors Cyber Attacks Malware Attack NCSC Sophos TLS

NCSC Unveils “Pigmy Goat” Malware Targeting Sophos Firewalls in Advanced Chinese Cyberattack

 

The National Cyber Security Centre (NCSC) recently disclosed the presence of a Linux malware, “Pigmy Goat,” specifically designed to breach Sophos XG firewall devices. This malware, allegedly developed by Chinese cyber actors, represents a significant evolution in network infiltration tactics due to its complexity and advanced evasion methods. 

This revelation follows Sophos’ recent “Pacific Rim” reports, which detail a five-year campaign involving Chinese threat actors targeting network devices at an unprecedented scale. Among the identified tools, “Pigmy Goat” stands out as a rootkit crafted to resemble legitimate Sophos product files, making it challenging to detect. This strategy is known to use stealth by masking its identity within commonly named system files to evade basic detection protocols. “Pigmy Goat” enables threat actors to establish persistent, unauthorized access to the target’s network. Using the LD_PRELOAD environment variable, it embeds itself in the SSH daemon (sshd), allowing it to intercept and alter incoming connections. 

The malware seeks specific sequences called “magic bytes” to identify backdoor sessions, which it redirects through a Unix socket, thereby concealing its presence from standard security monitoring. Once a connection is established, it communicates with command and control (C2) servers over TLS. The malware cleverly mimics Fortinet’s FortiGate certificate, blending into networks where Fortinet devices are prevalent, to avoid suspicion. This backdoor offers threat actors multiple capabilities to monitor, control, and manipulate the network environment. Through commands from the C2, attackers can remotely open shell access, track network activity, adjust scheduled tasks, or even set up a SOCKS5 proxy, which helps them remain undetected while maintaining control over the network. These actions could allow unauthorized data access or further exploitation, posing significant threats to organizational cybersecurity. 

The NCSC report aligns “Pigmy Goat” with tactics used in “Castletap” malware, which cybersecurity firm Mandiant has linked to Chinese nation-state actors. The report’s insights reinforce concerns over the evolving sophistication in state-sponsored cyber tools aimed at infiltrating critical network infrastructure worldwide. Detection and prevention of “Pigmy Goat” are crucial to mitigating its impact. The NCSC report provides tools for identifying infection, including file hashes, YARA rules, and Snort rules, which can detect specific sequences and fake SSH handshakes associated with the malware. 

Additionally, monitoring for unusual files and behaviours, such as encrypted payloads in ICMP packets or the use of ‘LD_PRELOAD’ within the sshd process, can be effective. These insights empower network defenders to recognize early signs of compromise and respond swiftly, reinforcing defences against this sophisticated threat.
Read more »
Sextortion Scam
Cyber Attacks Cyber Awareness Email Fraud Email Phishing Email Spoofing Online Security Personal Data Phishing Scams Sextortion Scam

How to Protect Yourself Against Phishing Extortion Scams Involving Personal Data

 

Imagine receiving an email with a photo of your house, address, and a threatening message that seems ripped from a horror movie. Unfortunately, this is the reality of modern phishing scams, where attackers use personal information to intimidate victims into paying money, often in cryptocurrency like Bitcoin. One victim, Jamie Beckland, chief product officer at APIContext, received a message claiming to have embarrassing video footage of him, demanding payment to keep it private. 

While such emails appear terrifying, there are ways to verify and protect yourself. Many images in these scams, such as photos of homes, are copied from Google Maps or other online sources, so confirming this can quickly expose the scam. To check if an image is pulled from the internet, compare it to Google Maps street views. Additionally, always scrutinize email addresses for legitimacy. Cybersecurity expert Al Iverson from Valimail advises checking for any small variations in the sender’s email domain and examining SPF, DKIM, and DMARC authentication results to determine if the email domain is real. 

Be cautious if a message appears to come from your own email address, as it’s often just a spoofed sender. Links in phishing emails can lead to dangerous sites. Founder of Loop8, Zarik Megerdichian, recommends extreme caution and encourages reporting such scams to the Federal Trade Commission (FTC). Monitoring your financial accounts, disputing unauthorized charges, and updating or canceling compromised payment methods are other essential steps. To reduce vulnerability, it’s wise to change your passwords, set up a VPN, and isolate your network. Yashin Manraj, CEO of Pvotal Technologies, suggests transferring critical accounts to a new email, informing your family about the scam, and reporting it to law enforcement, such as the FBI, if necessary. 

One of the best defenses against these types of scams is to control your data proactively. Only share essential information with businesses, and avoid giving excessive details to online services. Megerdichian emphasizes the importance of asking whether every piece of data is truly necessary, as oversharing can open the door to future scams. 

With these strategies, individuals can better protect themselves from extortion phishing scams. It’s crucial to stay vigilant and avoid interacting with suspicious emails, as this will help shield you from falling victim to increasingly sophisticated cyber threats.
Read more »
Subscribe to: Posts (Atom)