Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Cyber Victim. Show all posts

California's Major Trial Court Falls Victim to Ransomware Attack

 


It has been reported that the computer system at the largest trial court in this country has been infected by ransomware, causing the system to crash. Superior Court officials said they were investigating the incident. As soon as the court learned that the computer network systems had been hacked, the systems were disabled, and they are expected to remain down until the weekend at the very least. 

Following the statement, a preliminary investigation revealed no evidence that the user's data had been compromised in any way. According to officials with the Superior Court of Los Angeles County, the nation's largest trial court was closed Monday as a ransomware attack shut down its computer system late last week, resulting in a shutdown of its library and many other departments. 

As soon as the court became aware of the cyberattack early Friday morning, its computer network was disabled, and the system remained offline throughout the weekend due to the attack. There will be no courthouse operations on Monday, despite reports that the county's 36 courthouses will all remain open to the public on Friday. According to a statement released by the FBI on Friday morning, officials do not believe the cyberattack related to the faulty CrowdStrike software update that has disrupted airlines, hospitals, and governments worldwide is related to the security breach. 

Once the court was made aware of the attack, all computer systems connected to its computer network were disabled. An initial investigation has revealed no evidence that the data of users has been compromised, according to the statement released by the company. KCAL, the CNN affiliate based in Los Angeles, reported Monday that the judicial system continues to be closed as it tries to recover. 

As the largest court system in the United States that serves a broad range of services to more than 10 million residents in 36 courthouses, the Superior Court of Los Angeles County is the largest unified court system in the country. The number of cases filed in 2022 is expected to reach nearly 1.2 million, and there will be almost 2,200 jury trials. According to the Presiding Judge Samantha P. Jessner, "The Court has been experiencing a cyber-attack which has resulted in almost all of our network systems being shut down. 

Companies have contained the damage to their network, ensured data integrity and confidentiality, and ensured future network stability and security" during an unprecedented cyber-attack on Friday. The court has reopened all 36 courthouses tomorrow, July 23, following the tireless dedication of the staff and security experts required to assist in restoring the court to full operation," according to a statement published on the court's website. Court users need to be aware that there will be delays and potential impacts due to limitations in functionality.

Fintech Frenzy as Affirm and Others Emerge as Victims in Evolve Breach

 


The recent attack on one of the largest financial services providers has led to a problem for many companies that work with the provider, two of which have already alluded to possible negative implications for customer data due to the attack. There has been a strong rumour that the LockBit group successfully hacked the US Federal Reserve earlier last week, which has caused the group to receive some undue attention. A breach had also occurred at the far lesser Evolve Bank & Trust, a far less serious breach. Memphis-based Evolve has released a statement regarding the incident. 

According to the statement, the attack was triggered by an Evolve employee clicking on a malicious phishing link sent to him in late May. Even though the attackers did not access most of the cash that customers had in their accounts, the hackers had access to and downloaded their personal information from databases and a file share. Furthermore, the company encrypted some of its data, but since backups were made, the company had to deal with limited loss of data and impact on its operations. Several days ago, the Federal Reserve Board announced that it would enforce the anti-money laundering, risk management, and consumer compliance programs of Evolve Bank & Trust. It accused the company of deficiencies in these areas, as well as other areas. 

In a statement the Federal Reserve published in February 2023, the Fed noted that examinations conducted in 2023 found that Evolve had a risk-management program and controls that were not adequate to comply with anti-money laundering laws and consumer protection laws. According to Stephen Gates, principal security SME for Horizon3.AI, the biggest decision any organization needs to make once they have experienced a breach is what to do about what they are going to do next once the smoke begins to clear. 

A regulated bank, Evolve Bank & Trust, provided USD account details, between 2020 and 2023 as part of the contract with the bank. Recently, Wise has been the victim of a data breach involving the personal information of perhaps some of the company's customers. Wise customers need identifying information for Evolve Bank & Trust to provide USD account details. Information that the company shared with Evolve Bank & Trust to provide USD account details, such as names, addresses, dates of birth, contact info, SSNs or EINs for US customers, or another document number for non-US customers. Neither Evolve nor the company has confirmed what data was affected. 

The LockBit ransomware group recently attacked Evolve Bank, an Arkansas-based financial institution. The attack resulted in data leaks on the Dark Web. After claiming to have hacked the US Fed earlier this week, LockBit got a lot of attention. When LockBit posted a threat to release "33 terabytes of juicy banking information containing Americans' banking secrets" if a ransom was not paid, it released some of the stolen data. At the end of the month, LockBit was kicked out of Evolve's system. 

As soon as the victim wouldn't pay the ransom, the group leaked the information. It's also a payments processor, and it offers business-to-business (B2B) banking-as-a-service (BaaS) and business-to-consumer (B2C) banking-as-a-service. More victims are coming forward of the breach, which has affected more than just its direct customers. The multibillion-dollar London-based fintech company Wise, according to a statement released last week, disclosed its partnership with Evolve Bank & Trust from 2020 to 2023. 

During this period, Wise collaborated with Evolve to "provide USD account details" to its customers. To facilitate this service, Wise shared sensitive customer information with Evolve, including names, addresses, dates of birth, contact details, and identification numbers, such as employer identification numbers and Social Security numbers. Wise indicated that this data "may have been involved" in Evolve's recent security breach. Similarly, the buy now, pay later (BNPL) company Affirm, which utilizes Evolve for the issuance and servicing of its Affirm Cards, reported potential exposure of customer information. 

Although Affirm clarified that customers' cards remained unaffected, the personal data shared with Evolve posed a significant concern. In an 8-K filing with the Securities and Exchange Commission (SEC), Affirm stated, "The full scope, nature, and impact of the incident on the Company and Affirm Card users, including the extent to which there has been unauthorized access to Affirm Card user Personal Information, are not yet known." Evolve's breach has prompted many of its other prominent partners in the financial services industry, including Stripe and Shopify, to investigate the potential impact on their customers' data. The situation remains under scrutiny as these companies assess whether their customers' sensitive information has been compromised.

Behind the LockBit Takedown: Strategies and Significance

 


It was widely hailed as a major victory for law enforcement to take down LockBit in the sprawling war against ransomware and was considered one of the most important victories for law enforcement. However, after law enforcement takes down ransomware groups, they usually reemerge, albeit with less power to continue their criminal activity. 

There was a back-and-forth tussle between law enforcement and the AlphV ransomware group in December when the group resurfaced on the dark web hours after being taken down by the police. As of today, AlphaV has been active for over ten years and lists new victims on its data leak site. 

Over the past decade, ransomware has become an increasingly prevalent problem worldwide, with modern ransomware gangs running complex businesses, and governments and private companies working together to stop these gangs have been working together for the past year. As a part of Operation Cronos, LockBit's infrastructure was used by the coordinating organizations involved with the operation to publish information about the gang's activities. 

There is no doubt that this activity against LockBit is an important victory, but ransomware continues to be a major threat, even from LockBit. To combat ransomware better, cybersecurity communities need to reflect on some lessons learned to improve the fight against ransomware. There have been instances where a victim has paid LockBit but has yet to receive the data that they promised was deleted from their servers, according to the UK's National Crime Agency (NCA). 

As a result of this, a victim trusts that the criminal will keep their end of the bargain after paying the ransom. This is one of the top risks associated with paying a ransom. The disclosure that LockBit failed to delete the data as promised severely tarnished its reputation. If a ransomware group appears trustworthy, its victims will not be willing to pay. 

Organizations need to be prepared for such eventualities and have plans in place in case of such an event. When a company's data is compromised, it needs to prioritize the creation of a thorough disaster recovery plan and procedure in case of data loss or damage, rather than relying on decryption for the sake of recovery. In response to a law enforcement takedown last week, which resulted in police seizing both LockBit's cyber extortion operations and its darknet site, as well as receiving significant intelligence, the criminals are attempting to relaunch their cyber extortion operation. 

The group's administrator, LockbitSupp, launched a new extortion site on Saturday that contains the names and contact information of five victim companies they are threatening to leak stolen documents. Even so, the site is no longer showing any of the old listings from before the law enforcement operation occurred.

Since its launch four years ago, this prolific ransomware-as-a-service outfit has hosted more than 2,000 documents that have been stolen from its victims. Last Monday, police posted a splash page to the dark web that said that they were in control, the most of any of the several extortion gangs operating on it. A week after LockBit's .onion website was hijacked by the U.K. National Crime Agency (NCA), the gang parodied LockBit's infrastructure in a series of posts about how the police had possessed “unprecedented technological access” to the company's infrastructure. 

To downplay the extent of the access, the ransomware service attempted to downplay it. The arrests of alleged affiliates as well as the shutting down of 14,000 accounts on third-party services have come as a result of the ransomware gang's failure to destroy the data of victims, even after it promised to. In an attempt to minimize the reputational damage caused by police action, a new LockBit post attempts to minimize the damage caused by the action. 

The criminals repeat what they claim in the beginning that police had compromised outdated PHP servers. To counter ransomware-as-a-service (RaaS), agencies will resort to a two-fold attack: first, to disrupt the administrative staff of the gang, and then to disrupt its affiliates. It is generally the task of the administrative staff to manage the data leak site, and the task of the affiliates to deploy the ransomware and encrypt networks is the task of the affiliates. 

There is a significant part of the administration staff that enables criminals, and without them being removed, there will be many more criminals assisting them. A disruption of the administration staff will result in the affiliates of the ransomware gangs working for other ransomware gangs. Infrastructure is used by affiliates themselves, either by purchasing it or by illegally accessing it. 

The tools, network connections, and behaviours of this infrastructure provide a considerable amount of information about this infrastructure. The ransom process exposes some details about the administrators: For the ransom process to proceed, the administrator must provide a method of communication and a method of payment for the ransom to be paid. 

The significance of these details may not seem useful to an organization immediately, but law enforcement and researchers will be able to leverage these details to uncover more about the individuals who committed these crimes. Using details from past incidents, law enforcement was able to disrupt LockBit's infrastructure as well as some affiliates of the group by using information from past incidents. 

Likely, Operation Cronos could not have been undertaken without that information, which was gathered with the assistance of attack victims and the allied agencies of the governmental organizations. The fact that an organization does not need to be a victim to help is an important thing to remember. Private organizations are eager to work with governments and are eager to collaborate with them. 

By partnering with CISA, the US government division that formed the Joint Cyber Defense Collaborative (JCDC) to create a global partnership platform to share critical and timely information to fight ransomware, organizations in the US can contribute to the effort to fight ransomware. Government agencies and public organizations can share information through the JCDC in a bidirectional manner. 

To stay on top of emerging trends as well as identify the infrastructure being used by attackers, CISA and organizations work together. There are several ways in which law enforcement can take advantage of collaboration and information sharing to gain a critical advantage against even the most powerful attacker groups, as the LockBit takedown demonstrated.

GitHub Issues Alert on Lazarus Group's Social Engineering Attack on Developers

 


According to a security alert issued by GitHub, this social engineering campaign is designed to compromise developers' accounts in the blockchain, cryptocurrency, online gambling, and cybersecurity industries. This is done through social engineering techniques. 

The campaign was reportedly linked to the Lazarus hacking group sponsored by the North Korean state. It was also linked to the groups Jade Sleet and TraderTraitor (both tools of Microsoft Threat Intelligence). There was a report released by the United States government in 2022 which detailed threat actors' tactics. 

Hacking group targets cryptocurrency companies and cybersecurity researchers to eavesdrop on them and steal their coins. The Lazarus Group is a cybercrime organization that targets cryptocurrency companies and cyber researchers using various names, such as Jade Sleet and TraderTraitor. Cyberespionage and cryptocurrency theft are two of the group's activities. According to GitHub, no GitHub accounts were compromised in this campaign, nor were any npm systems accounts.  

Lazarus Group reportedly uses legitimate GitHub or social media accounts that have been compromised or fake personas to pose as developers or recruiters on the platforms where they operate. This includes GitHub or social media. There is a wide range of personas designed to engage individuals in targeted industries. Ultimately, these personas will lead individuals to another platform, such as WhatsApp, through conversation. 

It is normally threat actors who initiate collaboration on a project. They invite targets to clone a GitHub repository related to media players and cryptocurrency trading tools after establishing trust between them. There are, however, malicious NPM dependencies on these projects that can download additional malware onto the devices of their targets. 

In June 2022, Phylum published a report on NPM packages that have been based on malicious code, with details about how they behave despite GitHub not providing details about the malware's specific behavior. Phylum reports that these packages function as malware downloaders that connect to remote websites via a browser. The download of additional payloads onto the infected machine. Several limitations in the payload reception process meant that researchers were unable to analyze the final malware delivered. 

As a consequence of this campaign, all NPM accounts and GitHub accounts associated with it have been suspended by GitHub. Additionally, they have published a list of indicators that can be used to identify whether a campaign is successful, including domains, GitHub accounts, and NPM packages. GitHub says the campaign was not intended to damage their systems. 

Lazarus has run previous social engineering campaigns similar to this one in the past. A few of these attacks included the targeting of security researchers in January 2021, a fake company website that was created in March 2021, and a fake email campaign in July 2021. As a result of these attacks, threat actors were effective at creating elaborate personas and distributing malware disguised as exploits for vulnerabilities. 

Lazarus is a group that targets cryptocurrency companies and developers to fund initiatives for the North Korean government. Several million dollars worth of cryptocurrency was stolen from them due to their involvement in the crime. It is worth noting that the theft of over 617 million dollars worth of Ethereum and USDC tokens was reported in an attack recently on Axie Infinity. 

Aside from fund theft and phishing scams, Lazarus has allegedly employed other tactics as well, including sending malicious PDF files disguised as job offers to targets that could compromise their bank accounts. In this case, the group has successfully delivered malware using false employment opportunities as a method of delivering their malware. 

Those in the target industries and developers should remain vigilant against the various types of social engineering attacks that are out there. Generally, individuals can protect themselves and their devices from malicious software and potentially compromised devices if they are aware of the tactics used by threat actors and adopt good cybersecurity practices, such as verifying the authenticity of requests and avoiding links and downloads that appear suspicious or unknown. 

Attack Process by the Lazarus Group


To begin with, the threat actor claims to be a developer or recruiter. He poses as them on GitHub and other social media websites related to the developer or recruiter niche. For contacting victims, they use their accounts as well as compromised accounts by Jade Sleet exploited by the group. 

There may be instances when the actor initiates contact on one platform and switches to another platform after a few minutes. When a threat actor connects with a victim he or she invites the victim to collaborate on a GitHub repository and uses the target as a means of cloning and executing the contents of the repository. The attacker may send the malicious software directly through a messaging service or file-sharing service, without inviting people to the repository and cloning it, in some cases. 

A malicious npm dependency has been included in the GitHub repository for the software. In addition to media players, the threat actor uses tools for selling cryptocurrencies in some of the software he builds. In addition to the malicious npm packages, these malicious npm packages also download secondary malware onto the victim's machine. A malicious package will normally not be published until a fake repository invitation is sent to you by an unknown threat actor.  

IOC details have been shared on the GitHub blog along with the suspension of npm and GitHub accounts associated with the campaign. As a practice, the most effective method of avoiding this campaign is to be cautious of social media solicitations for collaboration on or the installation of software that relies on NPM packages or dependencies. 

Lazarus Attacks in The Past 


Cryptocurrency companies and developers have been the target of North Korean hackers for a long time to steal assets needed to fund their country's initiatives. To steal cryptocurrency wallets and funds, Lazarus spreads Trojanized cryptocurrency wallets and exchange apps to target cryptocurrency users. 

It has been revealed that the U.S. Secret Service and the FBI have linked the Lazarus group to the theft of USDC and Ethereum tokens worth over $617 million from the blockchain-based game Axie Infinity by members of the Lazarus group. A malicious laced PDF file was later revealed to have been sent to one of the blockchain engineers by the threat actors, claiming to be a lucrative job offer disguised as a malicious PDF file. In this case, the attack was a result of this. 

Additionally, in 2020, a campaign called "Operation Dream Job" was used to deliver malware to employees at prominent aerospace and defense companies in the US through fake employment opportunities used to spread malware to them.