
Homeland Security Alerts on Increasing Risks for Schools

Educators and other school professionals play an increasingly crucial role in providing a safe environment in which students can learn, in an era when children face a growing number of physical and online attacks, US Homeland Security Secretary Alejandro Mayorkas said in a statement on Wednesday.

In his remarks at the opening of the 2024 National Summit on K-12 Safety and Security, Mayorkas referred to the Sept. 4 school shooting in Georgia that killed two students and two teachers, as well as his son. Since the horrific attack on Sandy Hook Elementary School in Connecticut nearly 12 years ago, the number of instances of gunfire on school grounds has surpassed 1,300, one of thousands of incidents that have followed that attack.

Jeremy said that these attacks combined have caused at least 436 deaths and 936 injuries. Even when there is no credible plan to carry out an attack, threats of violence can massively disrupt learning at a school. Administrators must be able to investigate reports of threats, determine whether they are imminent, plan support for the students involved, and reassure parents that their children are in safe hands.

At least seven Houston Independent School District students have reportedly been arrested and charged amid an increase in school threats over the past few weeks. According to Houston ISD, many of the students arrested for making threats have been charged with felonies. Earlier this month, Bellaire High School went into lockdown after receiving a bomb threat, and officers arrested a student at the school, according to media reports.

The district has pointed out that laws prohibit hoax threats: "It's not a joke, and the consequences can be very serious." Schools around the country have been plagued by an influx of hoax threats in the last few years. At least thirty school threats were reported in August, the highest number in three years according to the FBI's Houston field division, and the trend is growing.

According to Connor Hagan, acting spokesman for the FBI's Houston division, hoax threats can have devastating consequences for both the public and the perpetrators, and they are taken seriously. Where an investigation shows that a false or hoax threat was made against a school or another public place, a federal charge carrying a maximum sentence of ten years in prison may be considered.

As Mayorkas noted, it is common for kids to experience a flood of emotions at the beginning of any school year, especially when many are facing challenges. He added, "It is a tragedy that too many schools across the country have seen terror as a result of an attack over the last few weeks, which is entirely unnecessary." Mayorkas also stressed that schools face challenges from online threats despite a lack of resources.

A cybercriminal group claiming responsibility for a recent ransomware attack against some Rhode Island school districts says the attack resulted in the theft of 200 gigabytes of personal information, including Social Security numbers, medical records, and counselling records. The group is allegedly demanding a ransom of $1 million to return the data and threatens to post it online if it is not paid.

Mayorkas also said that a group of men from Michigan, including a high school teacher, are to be charged under federal law with using social media to solicit explicit pictures from local children. Besides the bomb threats made against schools in Springfield, Ohio, Mayorkas pointed out that social media has been flooded with debunked but viral claims that the town's Haitian immigrant population has stolen and eaten pets.

City officials and the police insist there is no evidence that cats and dogs have been stolen and eaten. Nevertheless, during the Sept. 10 presidential debate, former President Donald Trump repeated the falsehood, bringing it to the centre of national attention. With schools facing increasing physical and online threats, comprehensive security measures and heightened vigilance are needed to protect students and staff.

During his speech, Secretary Mayorkas reiterated that the safety of students and educators is a top priority for his department, and that state, local, and federal authorities must work together as a team to ensure it. Despite the sharp rise in dangers to schools, administrators, law enforcement officials, and other stakeholders must remain proactive in keeping schools safe environments for children to learn in.

In light of these challenges, it has never been more urgent to protect the nation's most vulnerable members, its children.

U.S. Courts Under Cyberattack and the Impact on Justice

As cyber threats grow more sophisticated, cybercriminals are targeting judicial systems more often, exposing significant vulnerabilities. These attacks disrupt court operations and have broader implications, for instance for employers who rely on public court records for background checks. Understanding the nature and impact of these cyberattacks reveals an urgent need to strengthen cybersecurity measures within the courts, to safeguard sensitive information and maintain public trust in the system.

Fulton County, Georgia, which includes most of Atlanta, suffered a significant ransomware attack in late January, similar in scope and impact to the one in California. The attack, attributed to the ransomware group LockBit, is said to have suspended most government services, including the issuance of vehicle registrations and marriage licenses, as well as the courts' ability to process legal documents online.

The hackers threatened to release sensitive data, potentially including high-profile information related to ongoing criminal investigations, if their demands were not met. Despite these threats, Fulton County officials refused to pay the ransom and have been working continuously to restore services and systems across the county. More than a month after the attack, some services had still not been restored, showing the long-term impact that attacks like these have on the operations of local governments and courts.

In Georgia's largest county, hackers shut down office phone lines, left clerks unable to issue motor vehicle registrations or marriage licenses, and threatened to publicly release sensitive data they claimed to have stolen if officials did not pay a ransom. The county is still repairing the damage inflicted a month ago. The ransomware syndicate LockBit took credit for the cyberattack that crippled government services in Fulton County, Georgia's largest county, which includes much of Atlanta.

The attackers demanded payment and threatened to dump personal information online if it was not made. They also claimed to have stolen records relating to the pending criminal case against former President Donald Trump. Ransomware groups routinely steal data from victims before activating the malware that encrypts their networks, to maximize their chances of being paid.

According to some cybersecurity analysts, it does not appear that the Fulton County hackers actually had access to files related to Donald Trump.

Kansas Court System Breach

In October, the Kansas Office of Judicial Administration detected unauthorized activity on its computers and networks and immediately took action to protect its systems and data from further harm. The office and the cybersecurity experts involved in the investigation determined that some files had been stolen.

Because of the complexity of the data, it took until May to determine, through a manual review of the relevant data, which specific personal information was affected and to identify the impacted individuals. Kansas courts began notifying victims in May and offered credit monitoring and identity recovery services to those affected.

Although the breach was detected fairly quickly, recovery efforts have not yet been completed. Kansas courts have since enhanced their security measures to better protect their networks and information systems. The cyberattack knocked the Kansas judicial system offline for weeks in October and involved the theft of personal information from about 150,000 people.

On Monday, the Office of Judicial Administration announced that an independent investigation by a third party had confirmed the cyberattack. The information accessed during the attack came from documents held by the office, including records from litigation appealed to the Kansas appellate courts, applications to the Kansas bar, and other documents.

The information that may have been accessed includes Social Security numbers, driving licenses, government identification cards, credit card information, tax ID numbers, passport numbers, and health insurance policy information.

Cybersecurity Threats and the Federal Judiciary

Cyberattacks on the judicial system have become more common in recent years, and the issue is not new. It was recently disclosed that two federal judges have issued warnings before a committee of the U.S.

The committee noted that the judiciary's ageing database systems could be vulnerable to attack, making the case for upgrading them and increasing funding for security measures. U.S. Supreme Court Justice Amy St. Eve, who chairs the Judicial Conference of the United States budget committee, emphasized that years of under-investment have left the judiciary vulnerable.

U.S. District Judge Roslynn Mauskopf, serving as the director of the Administrative Office of the U.S. Courts, has brought to attention a significant escalation in cyberattacks targeting the judiciary. Judge Mauskopf emphasized that these rising threats not only jeopardize the functioning of the justice system but also pose a broader danger to the integrity of democracy itself. In response to this growing menace, the federal judiciary has sought $8.6 billion in discretionary funding for the fiscal year 2023, representing a 7.2% increase from the previous year. 

This budget request includes a substantial allocation of $403 million specifically designated for IT security and modernization, as well as $786 million earmarked for court security. These figures underscore the heightened concerns regarding the safety of federal judges and courthouses. As cyber threats continue to advance in sophistication and frequency, it is anticipated that funding requests will persistently rise, particularly in critical areas such as IT security and court protection, to address ongoing challenges and support essential modernization initiatives. 

While the federal judiciary can request significant funds to bolster its cybersecurity measures, state and local courts often operate under considerably tighter financial constraints. These courts, which are responsible for handling the majority of everyday legal proceedings, contain vast repositories of sensitive personal information. However, due to limited budgets, they may struggle to implement robust cybersecurity defences. This disparity highlights a critical issue: as cyber threats grow increasingly sophisticated, the need for cybersecurity investment is not confined to the federal level alone. 

State and local courts face substantial risks if they are unable to adequately protect their data, a vulnerability that could have far-reaching consequences for the justice system and undermine public trust. The judiciary's role as custodian of some of the nation's most sensitive information makes cybersecurity an essential and urgent priority. 

The testimonies of Judges St. Eve and Mauskopf underscore the critical need to modernize and safeguard vital judicial data. As cyberattacks continue to evolve, both federal and state judicial systems must prioritize cybersecurity measures to ensure the integrity of their operations and to maintain public confidence in the judicial process. Without adequate investment, particularly at the state and local levels, the judicial system may remain exposed to increasingly sophisticated cyber threats, thereby endangering not only individual court cases but also the broader principles of justice and democracy.

Espionage Concerns Arise from Newly Discovered Voldemort Malware

In August 2024, Proofpoint researchers discovered an unusual campaign in which custom malware was delivered through a novel attack chain. The malware was named "Voldemort" after internal file names and strings found in it. The attack chain employs multiple tactics, some currently popular in the threat landscape and others less common, such as using Google Sheets for command and control (C2).

Beyond its tactics, techniques, and procedures (TTPs), the campaign is notable for lure themes impersonating the government agencies of a variety of countries, and for odd file naming and passwords such as "test". Researchers initially suspected that the activity might be a red team exercise, but analysis of the malware and the volume of messages quickly indicated that it was a threat actor.

The "Voldemort" campaign has been launched aggressively against organizations all over the world, impersonating tax authorities in Europe, Asia, and the U.S. Since the malicious activity began on Aug. 5, Proofpoint has observed more than 20,000 phishing messages sent to dozens of organizations worldwide.

The custom backdoor is written in C and designed to exfiltrate data and deploy additional malicious payloads. The attack chain abuses Google Sheets as its C2 communication channel and uses files that invoke the Windows search protocol to carry out the infection.

Once the victim downloads the malware, a legitimate WebEx executable is used to load a DLL that communicates with the C2 server.

Proofpoint assesses with moderate confidence that this is likely the work of an advanced persistent threat (APT) actor seeking to gather intelligence. Although Proofpoint is well-versed in identifying named threat actors, it does not yet have enough data to attribute the activity to a specific threat actor with high certainty. Some aspects of the campaign, such as its widespread targeting, are more often associated with cybercrime, but the malware does not appear to be financially motivated; its purpose looks more like espionage.

Written in C, Voldemort is a custom backdoor built to gather information, and it can also drop additional payloads on the target. Proofpoint discovered Cobalt Strike hosted on the actor's infrastructure, which is likely one of the payloads being delivered. Beginning on August 17, the hackers sharply increased their daily phishing volume, with nearly 6,000 emails impersonating tax agencies, according to the researchers.

Besides the Internal Revenue Service (IRS) in the United States, the impersonated tax authorities included HM Revenue & Customs in the United Kingdom and the Direction Générale des Finances Publiques in France. The lures gained credibility by being written in the native language of the respective tax authority. The emails were sent from what appeared to be compromised domains and referenced the legitimate domain names of the tax agencies to appear more genuine.

The overall objective of the campaign is not known definitively, though Proofpoint researchers say it is likely espionage, given Voldemort's intelligence-gathering capabilities and its ability to deploy additional payloads. More than half of all targeted organizations fall into the insurance, aerospace, transportation, and education sectors.

The threat actor behind the campaign is unknown, but Proofpoint believes it may be conducting cyber espionage to obtain information. The messages contain Google AMP Cache URLs that redirect to a landing page on InfinityFree; later messages in the campaign include a direct link to the landing page. Towards the bottom of the landing page is a button that says "Click to view the document", which, when clicked, checks the browser's User Agent.

When the User Agent contains "Windows," the browser is automatically redirected to a search-ms URI, which points to a TryCloudflare-tunneled URI ending in .search-ms. This redirection prompts the victim to open Windows Explorer, although the specific query responsible for this action remains hidden from the victim, leaving only a popup visible. Concurrently, an image is loaded from a URL ending in /stage1 on an IP address that is managed by the logging service pingb.in. This service enables the threat actor to record a successful redirect and collect additional browser and network information about the victim. 

A distinguishing feature of the Voldemort malware is its use of Google Sheets as a command and control (C2) server. The malware pings Google Sheets to retrieve new commands to execute on the compromised device and to serve as a repository for exfiltrated data. Each infected machine writes its data to specific cells within the Google Sheet, which are often designated by unique identifiers, such as UUIDs. This method ensures that data from different breached systems remains isolated, allowing for more efficient management. 

Voldemort interacts with Google Sheets using Google's API, relying on an embedded client ID, secret, and refresh token, all of which are stored in its encrypted configuration. This strategy offers malware a dependable and widely available C2 channel while minimizing the chances of its network communications being detected by security tools. Given that Google Sheets is commonly used in enterprise environments, blocking this service could be impractical, further reducing the likelihood of detection. 

In 2023, the Chinese advanced persistent threat (APT) group APT41 was observed using Google Sheets as a C2 server, employing the red-teaming GC2 toolkit to facilitate this activity. To defend against such campaigns, security firm Proofpoint recommends several measures: restricting access to external file-sharing services to trusted servers only, blocking connections to TryCloudflare when not actively required, and closely monitoring for suspicious PowerShell executions. These steps are advised to mitigate the risks posed by the Voldemort malware and similar threats.
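The redirect chain and C2 channel described above leave traces a defender can look for in web proxy or endpoint telemetry: a search-ms: URI whose location crumb points at a TryCloudflare tunnel, a request to a path ending in /stage1, and Google Sheets API traffic from a process that is not a browser. The following Python is an added example written for this page, not Proofpoint's code or anything from the campaign; the log format, process names, hosts and IP addresses are constructed for illustration, and the search-ms "crumb=location:" parameter is the standard Windows search-ms URI syntax.

```python
"""Flag indicators of a Voldemort-style delivery chain in constructed log lines.

Example code added to this page; the log format and every host, IP and
process name below are constructed and are not indicators from the campaign.
"""
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed log format (one request per line):
# <timestamp> <client-ip> <originating-process> <url>
SAMPLE_LOG = r"""
2024-08-17T09:12:01Z 10.0.0.21 chrome.exe https://docs.google.com/spreadsheets/d/abc
2024-08-17T09:12:05Z 10.0.0.21 chrome.exe search-ms:query=tax&crumb=location:\\ex1.trycloudflare.com@SSL\DavWWWRoot&displayname=Documents
2024-08-17T09:12:06Z 10.0.0.21 chrome.exe http://203.0.113.7/stage1
2024-08-17T09:14:30Z 10.0.0.21 webex_host.exe https://sheets.googleapis.com/v4/spreadsheets/abc/values/A1
2024-08-17T09:15:00Z 10.0.0.22 firefox.exe https://sheets.googleapis.com/v4/spreadsheets/def/values/B2
"""

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
TUNNEL_SUFFIX = ".trycloudflare.com"   # TryCloudflare quick-tunnel hostnames
SHEETS_API_HOST = "sheets.googleapis.com"


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, client, process, url = line.split(" ", 3)
    return {"ts": ts, "client": client, "process": process, "url": url}


def search_ms_location(url):
    """Return the remote location a search-ms: URI points at, or None."""
    if not url.lower().startswith("search-ms:"):
        return None
    params = parse_qs(url[len("search-ms:"):], keep_blank_values=True)
    for crumb in params.get("crumb", []):
        if crumb.lower().startswith("location:"):
            return unquote(crumb[len("location:"):])
    return None


def host_of_location(location):
    """Extract the host from a UNC path (\\host@SSL\share) or an http(s) URL."""
    loc = location.strip()
    if loc.startswith("\\\\"):
        host = loc[2:].split("\\", 1)[0]
        return host.split("@", 1)[0].lower()
    if "://" in loc:
        return (urlsplit(loc).hostname or "").lower()
    return None


def classify(entry):
    """Return (severity, reason) findings for one parsed log entry."""
    findings = []
    url = entry["url"]
    loc = search_ms_location(url)
    if loc is not None:
        host = host_of_location(loc)
        if host and host.endswith(TUNNEL_SUFFIX):
            findings.append(("high", "search-ms URI pointing at a TryCloudflare tunnel"))
        elif host:
            findings.append(("medium", "search-ms URI pointing at a remote share"))
    parsed = urlsplit(url)
    if parsed.scheme in ("http", "https"):
        if parsed.path.rstrip("/").endswith("/stage1"):
            findings.append(("medium", "/stage1 beacon consistent with redirect logging"))
        if ((parsed.hostname or "").lower() == SHEETS_API_HOST
                and entry["process"].lower() not in BROWSERS):
            findings.append(("high", f"Google Sheets API reached by non-browser process {entry['process']}"))
    return findings


def scan(log_text):
    """Scan a whole log and return a list of (client, severity, reason) alerts."""
    alerts = []
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        for severity, reason in classify(entry):
            alerts.append((entry["client"], severity, reason))
    return alerts


if __name__ == "__main__":
    for client, severity, reason in scan(SAMPLE_LOG):
        print(f"{severity:6} {client:12} {reason}")
```

On the constructed sample the scan raises three alerts for host 10.0.0.21 (the tunnelled search-ms URI, the /stage1 beacon, and Sheets API traffic from a non-browser process) and none for 10.0.0.22, whose Sheets traffic comes from a browser. The process-based Sheets rule is what makes the check usable where blocking Google Sheets outright is impractical, as the text notes.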

Cybersecurity Nightmare Unfolds as Malawi's Immigration Systems Under Attack

Malawi has suffered a cyberattack that has forced the government to stop issuing passports, according to President Lazarus Chakwera, although some observers believe no such attack occurred. Chakwera told parliament on Wednesday that security measures were in place to identify and apprehend the attackers who compromised the country's security.

He said the attackers were demanding millions in ransom, which the administration was unwilling to pay, and that the hackers had caused the Department of Immigration and Citizenship Services' passport printing system to malfunction over the past three weeks. Demand for passports in Malawi is high, with many young people seeking to migrate to find employment.

At Mr Chakwera's request, the immigration department is expected to provide a temporary solution to resume passport issuance within three weeks of regaining control of the system. An additional security safeguard would be developed as part of the long-term solution, he said.

In his address on Wednesday, Chakwera said he had given the immigration department a three-week deadline to provide a temporary solution to the passport printing issue and to resume printing passports. At the same event he said he had made clear to the hackers that the Malawi government would not pay ransoms. Malawi has experienced passport problems since 2021, when the government terminated its contract with Techno Brain, which had supplied the country's passports since 2019.

Unable to find a replacement for the company in 2023, the government re-engaged it temporarily. Nevertheless, immigration officials had to scale back production several times because of shortages of materials or unpaid bills. Sylvester Namiwa, executive director of the Center for Democracy and Economic Development Initiatives, belongs to an organization that has threatened to hold protests within days if the problem is not resolved immediately.

Namiwa has questioned the claim that the system was hacked. In a local radio interview on Thursday, Malawi's Information Minister Moses Nkukuyu explained that the information Chakwera presented to parliament had been provided by immigration experts. VOA's calls and texts to Wellington Chiponde, a spokesperson for the immigration department, went unanswered.

CISA's Proactive Measures Averted Ransomware, Millions Preserved

The threat of ransomware has increased in recent years, causing significant disruptions across a wide range of industries nationwide: schools have closed, hospitals have diverted patients, and businesses have been forced into operational changes.

With mitigation and recovery costs running astronomically high, a robust defence has never been more pressing. The Cybersecurity and Infrastructure Security Agency (CISA) has made it its mission to combat this menace in a concerted manner.

Working with a wide range of stakeholders, CISA is committed to reducing both the frequency and the severity of ransomware attacks. As part of this initiative, it is also launching several programs designed to help organizations swiftly address the vulnerabilities frequently exploited by ransomware attackers, before they are compromised.

As a significant step forward in the anti-ransomware campaign, CISA has announced the Pre-Ransomware Notification Initiative, part of the interagency Joint Ransomware Task Force's efforts to mitigate ransomware damage. Using tips from cybersecurity researchers, infrastructure providers, and threat intelligence firms, CISA's Joint Cyber Defense Collaborative notifies organizations of early-stage ransomware activity before they suffer damage.

Federal cyber authorities sharply increased notifications of potential pre-ransomware intrusions across multiple critical infrastructure sectors during the first quarter of 2023, and notification activity continued to ramp up substantially for the remainder of the year. CISA's ransomware work does not stop at alerts.

In February, CISA assisted a Fortune 500 company that had been hit with a $60 million ransomware attack to establish a CISO position, as well as identify areas for improving its IT infrastructure and security controls. Additionally, the agency said it assisted a mass transit operator in preventing an attack of $350 million on critical infrastructure of the transit system. 

CISA's rundown of accomplishments for 2023 is impressive: over 1,700 alerts were sent out under its ransomware vulnerability warning program, and nearly 7,000 organizations vital to global trade and commerce were scanned for vulnerabilities. The Joint Cyber Defense Collaborative (JCDC) has played a central role in the initiative's success.

Cybersecurity researchers, infrastructure providers, and threat intelligence companies provide the JCDC with information on the earliest signs of ransomware activity. A field representative responds to each tip immediately and addresses the mitigation needs of the affected organization.

When a case involves an international component, CISA's global CERT partners work closely with CISA to ensure timely notification. Since the beginning of 2023, CISA has notified over 60 entities in critical sectors such as energy, healthcare, water/wastewater, and education of potential pre-ransomware intrusions.

The majority of these organizations identified and remediated the intrusions promptly, stopping further damage. Where data has already been encrypted, the JCDC works closely with the affected entities, gaining insight into the threat actors' tactics, techniques, and procedures (TTPs) and providing guidance on mitigating the vulnerability.

CISA also contributes to the broader cybersecurity community by developing advisories on ransomware actors and variants, improving network defences on a wider scale. Collaboration and information sharing are essential to strengthening collective cyber defences.

CISA urges organizations to report any ransomware-related activity, including indicators of compromise and techniques for removing ransomware, to their federal law enforcement partner, to CISA, or to their partner IT security company. Reporting supports an immediate response to the attack and complements the pool of intelligence available to prevent future attacks.