Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyberattack. Show all posts
Wayne County Michigan
Cyberattack Data Breach double-extortion encryptor FreeBSD servers Interlock ransomware ransomware attacks Trend Micro Wayne County Michigan

Interlock Ransomware: New Threat Targeting FreeBSD Servers and Critical Infrastructure Worldwide

 

The Interlock ransomware operation, launched in late September 2024, is increasingly targeting organizations around the globe. Distinctly, this new threat employs an encryptor specifically designed to attack FreeBSD servers, a relatively uncommon tactic among ransomware groups.

Interlock has already affected six organizations and publicly leaked stolen data after ransoms went unpaid. One prominent victim, Wayne County in Michigan, experienced a cyberattack early in October, adding to the list of affected entities.

Details about Interlock remain limited, with early reports emerging from cybersecurity responder Simo in October. Simo's analysis noted a new backdoor associated with the ransomware, discovered during an investigation on VirusTotal.

Shortly after, MalwareHunterTeam identified a Linux ELF encryptor related to Interlock. Upon further examination, BleepingComputer confirmed that this executable was built specifically for FreeBSD 10.4, though attempts to execute it in a FreeBSD environment failed.

Although ransomware targeting Linux-based VMware ESXi servers is common, an encryptor for FreeBSD is rare. The now-defunct Hive ransomware, disrupted by the FBI in 2023, was the only other known operation with a FreeBSD encryptor.

Trend Micro researchers shared additional samples of the Interlock FreeBSD ELF encryptor and a Windows variant, noting that FreeBSD is often used in critical infrastructure. This likely makes it a strategic target for Interlock, as attacks on these systems can lead to significant service disruptions.

Trend Micro emphasizes that Interlock’s focus on FreeBSD infrastructure allows attackers to disrupt essential services and demand high ransoms, as these systems are integral to many organizations’ operations.

It is important to note that Interlock ransomware is unrelated to any cryptocurrency token of the same name.

While BleepingComputer encountered issues with running the FreeBSD encryptor, they successfully tested the Windows version, which performed actions like clearing event logs and deleting the main binary using rundll32.exe if self-deletion is enabled.

When encrypting files, Interlock appends the .interlock extension and generates a ransom note titled "!README!.txt" in each affected folder. The note explains the encryption, threats, and includes links to a Tor-based negotiation site where victims can communicate with the attackers. Each victim receives a unique ID and email for registration on this negotiation platform.

During attacks, Interlock breaches networks, steals sensitive data, and then deploys the encryptor to lock down files. The data theft supports a double-extortion scheme, with threats to leak data if ransoms—ranging from hundreds of thousands to millions of dollars—are not paid.
Read more »
trending news
cyber attack news Cyberattack Technology Threats trending news

Cybersecurity and AI Challenges: How Companies Must Evolve to Stay Secure and Competitive

 

Cybersecurity remains a big concern, with a recent study from DataDome showing that 91% of websites are at risk from bot attacks. The study looked at over 14,000 sites in industries like healthcare, luxury goods, and e-commerce, revealing that many businesses with sensitive data are not well protected. Even large companies, though slightly better equipped, let through half of the basic bot threats. 

As cyberattacks become more advanced, companies need to improve their defenses to avoid being targeted. DataDome’s study used simple bots, but it’s a reminder that more sophisticated attacks could cause even more damage. On top of cybersecurity issues, many companies face challenges in managing their data, especially when it comes to using generative AI.
 
Lakshmikant (LK) Gundavarapu, Chief Innovation Officer at Tredence, points out that AI relies on clean, well-organized data to work effectively. Unfortunately, many businesses struggle to keep their data in order, making it hard to get the most out of AI tools. Gundavarapu emphasizes that having a clear picture of their data is key for companies to use AI successfully. 

Meanwhile, President Joe Biden has introduced a new policy that highlights the importance of AI in national security. This policy focuses on protecting AI development and addressing risks like biological, chemical, and nuclear threats, while encouraging collaboration with other countries to manage AI responsibly. 

This follows an earlier executive order aimed at setting rules for AI use in the U.S. As cybersecurity threats grow and AI regulations evolve, tech companies like Microsoft, Google, and Meta are also facing challenges. While all three reported strong earnings driven by cloud and AI services, investors are cautious about their future spending plans. 

In today’s fast-changing environment, businesses need to prioritize strong cybersecurity and proper data management to remain competitive and secure.
Read more »
TrickBot
Bumblebee Cyberattack Cybersecurity Europol malware MSI Netskope phishing Ransomware TrickBot

Bumblebee Malware Resurfaces in New Attacks Following Europol Crackdown

 

iThe Bumblebee malware loader, inactive since Europol's 'Operation Endgame' in May, has recently resurfaced in new cyberattacks. This malware, believed to have been developed by TrickBot creators, first appeared in 2022 as a successor to the BazarLoader backdoor, giving ransomware groups access to victim networks.

Bumblebee spreads through phishing campaigns, malvertising, and SEO poisoning, often disguised as legitimate software such as Zooom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. Among the dangerous payloads it delivers are Cobalt Strike beacons, data-stealing malware, and ransomware.

Operation Endgame was a large-scale law enforcement effort that targeted and dismantled over a hundred servers supporting various malware loaders, including IcedID, Pikabot, TrickBot, Bumblebee, and more. Following this, Bumblebee activity appeared to cease. However, cybersecurity experts at Netskope have recently detected new instances of the malware, hinting at a possible resurgence.

The latest Bumblebee attack involves a phishing email that tricks recipients into downloading a malicious ZIP file. Inside is a .LNK shortcut that activates PowerShell to download a harmful MSI file disguised as an NVIDIA driver update or Midjourney installer.

This MSI file is executed silently, and Bumblebee uses it to deploy itself in the system's memory. The malware uses a DLL unpacking process to establish itself, showing configuration extraction methods similar to previous versions. The encryption key "NEW_BLACK" was identified in recent attacks, along with two campaign IDs: "msi" and "lnk001."

Although Netskope hasn't shared details about the payloads Bumblebee is currently deploying, the new activity signals the malware’s possible return. A full list of indicators of compromise can be found on a related GitHub repository.
Read more »
TrickMo
Banking Security Banking Trojan C2 servers Cyberattack Data Breach device access malware Mobile Threats Security TrickMo

TrickMo Banking Trojan Unveils Advanced Threat Capabilities in Latest Variant

Malware Analyst at Zimperium, Aazim Yaswant, has released an in-depth report on the most recent TrickMo samples, highlighting worrisome new functionalities of this banking trojan. Initially reported by Cleafy in September, this new version of TrickMo employs various techniques to avoid detection and scrutiny, such as obfuscation and manipulating zip files. 

Yaswant’s team discovered 40 variants of TrickMo, consisting of 16 droppers and 22 active Command and Control (C2) servers, many of which remain hidden from the broader cybersecurity community.

Although TrickMo primarily focuses on stealing banking credentials, Yaswant's analysis has exposed more sophisticated abilities. "These features allow the malware to access virtually any data on the device," Yaswant stated. TrickMo is capable of intercepting OTPs, recording screens, remotely controlling the device, extracting data, and misusing accessibility services to gain permissions and perform actions without the user’s approval. Additionally, it can display misleading overlays designed to capture login credentials, enabling unauthorized financial transactions.

A particularly concerning discovery in Yaswant's findings is TrickMo’s ability to steal the device’s unlock pattern or PIN. This enables attackers to bypass security measures and access the device while it is locked. The malware achieves this by mimicking the legitimate unlock screen. “Once the user enters their unlock pattern or PIN, the page transmits the captured data, along with a unique device identifier,” Yaswant explained.

Zimperium’s researchers managed to gain entry to several C2 servers, identifying approximately 13,000 unique IP addresses linked to malware victims. The analysis revealed that TrickMo primarily targets regions such as Canada, the UAE, Turkey, and Germany. Yaswant’s investigation also uncovered millions of compromised records, with the stolen data including not only banking credentials but also access to corporate VPNs and internal websites, posing significant risks to organizations by potentially exposing them to larger-scale cyberattacks.
Read more »
Unauthorized
Breach Casio Cyber Attacks Cyberattack Cybersecurity Data Disruption losses restructuring services Unauthorized

Casio Hit by Cyberattack Causing Service Disruption Amid Financial Challenges

 

Japanese tech giant Casio recently experienced a cyberattack on October 5, when an unauthorized individual accessed its internal networks, leading to disruptions in some of its services.

The breach was confirmed by Casio Computer, the parent company behind the iconic Casio brand, recognized for its watches, calculators, musical instruments, cameras, and other electronic products.

"Casio Computer Co., Ltd. has confirmed that on October 5, its network was accessed by an unauthorized third party," the company revealed in a statement today. Following an internal review, the company discovered the unauthorized access led to system disruptions, which have caused some services to be temporarily unavailable. Casio mentioned it cannot provide further details at this stage, as investigations are still ongoing. The company is working closely with external specialists to assess whether personal data or confidential information was compromised during the attack.

Although the breach has disrupted services, Casio has yet to specify which services have been impacted.

The company reported the cyber incident to the relevant data protection authorities and quickly implemented measures to prevent further unauthorized access. BleepingComputer reached out to Casio for more information, but a response has not yet been provided.

So far, no ransomware group has claimed responsibility for the attack on Casio.

This attack comes nearly a year after a previous data breach involving Casio's ClassPad education platform, which exposed customer data from 149 countries, including names, email addresses, and other personal information.

The recent cyberattack adds to the company's challenges, as Casio recently informed shareholders of an expected $50 million financial loss due to significant personnel restructuring.
Read more »
Vulnerabilities
CPS critical Cyber Security Cyberattack Cybersecurity Digital Infrastructure National Security public safety Supply Chain Vulnerabilities

Cyberattacks on Critical Infrastructure: A Growing Threat to Global Security

 

During World War II, the U.S. Army Air Forces launched two attacks on ball bearing factories in Schweinfurt, aiming to disrupt Germany’s ability to produce machinery for war. The belief was that halting production would significantly affect Germany’s capacity to manufacture various war machines.

This approach has a modern parallel in the cybersecurity world. A cyberattack on a single industry can ripple across multiple sectors. For instance, the Colonial Pipeline attack affected American Airlines operations at Charlotte Douglas Airport. Similarly, the Russian NotPetya attack against Ukraine spilled onto the internet, impacting supply chains globally.

At the 2023 S4 Conference, Josh Corman discussed the potential for cascading failures due to cyberattacks. The creation of the Cybersecurity and Infrastructure Security Agency’s National Critical Functions was driven by the need to coordinate cybersecurity efforts across various critical sectors. Corman highlighted how the healthcare sector depends on several infrastructure sectors, such as water, energy, and transportation, to provide patient care.

The question arises: what if a cyber incident affected multiple segments of the economy at once? The consequences could be devastating.

What makes this more concerning is that it's not a new issue. The SQL Slammer virus, which appeared over two decades ago, compromised an estimated one in every 1,000 computers globally. Unlike the recent CrowdStrike bug, Slammer was an intentional exploit that remained unpatched for over six months. Despite differences between the events, both show that software vulnerabilities can be exploited, regardless of intent.

Digital technology now underpins everything from cars to medical devices. However, as technology becomes more integrated into daily life, it brings new risks. Research from Claroty’s Team82 reveals that insecure code and misconfigurations exist in software that controls physical systems, posing potential threats to national security, public safety, and economic stability.

Although the CrowdStrike incident was disruptive, businesses and governments must reflect on the event to prevent larger, more severe cyber incidents in the future.

Cyber-Physical Systems: A Shifting Threat Landscape

Nearly every facility, from water treatment plants to hospitals, relies on digital systems known as cyber-physical systems (CPS) to function. These systems manage critical tasks, but they also introduce vulnerabilities. Today, billions of tiny computers are embedded in systems across all industries, offering great benefits but also exposing the soft underbelly of society to cyber threats.

The Stuxnet malware attack in 2014, which disrupted Iran's nuclear program, was the first major cyber assault on CPS. Since then, there have been several incidents, including the 2016 Russian Industroyer malware attack that disrupted part of Ukraine’s power grid, and the 2020 Iranian attempt to attack Israeli water utilities. Most recently, Chinese hackers have targeted U.S. critical infrastructure.

These incidents highlight how cybercriminals and nation states exploit vulnerabilities in critical infrastructure to understand weaknesses and the potential impact on security. China, for example, has expanded its objectives from espionage to compromising U.S. infrastructure to weaken its defense capabilities in case of a conflict.

The CrowdStrike Bug and Broader Implications

The CrowdStrike bug wasn’t a malicious attack but rather a mistake tied to a gap in quality assurance. Still, the incident serves as a reminder that our dependence on digital systems has grown significantly. Failures in cyber-physical systems—whether in oil pipelines, manufacturing plants, or hospitals—can have dangerous physical consequences.

Although attacks on CPS are relatively rare, many of these systems still rely on outdated technology, including Windows operating systems, which account for over 25% of vulnerabilities in the CISA Known Exploited Vulnerabilities Catalog. Coupled with long periods of technological obsolescence, these vulnerabilities pose significant risks.

What would happen if a nation-state deliberately targeted CPS in critical infrastructure? The potential consequences could be far worse than the CrowdStrike bug.

Addressing the vulnerabilities in CPS will take time, but there are several steps that can be taken immediately:

  • Operationalize compensating controls: Organizations must inventory assets and implement network segmentation and secure access to protect vulnerable systems.
  • Expand secure-by-design principles: CISA has emphasized the need to focus on secure-by-design in CPS, particularly for medical devices and automation systems.
  • Adopt secure-by-demand programs: Organizations should ask the right questions of software vendors during procurement to ensure higher security standards.
Although CPS drive innovation, they also introduce new risks. A failure in one link of the global supply chain could cascade across industries, disrupting critical services. The CrowdStrike bug wasn’t a malicious attack, but it underscores the fragility of modern infrastructure and the need for vigilance to prevent future incidents
Read more »
Salt Typhoon
China Cyber Attacks Cyberattack Cybersecurity Data Breach FBI Hacking internet providers Routers Salt Typhoon

Chinese Government-Linked Hackers Infiltrate U.S. Internet Providers in 'Salt Typhoon' Attack

 

Hackers linked to the Chinese government have reportedly breached several U.S. internet service providers, according to The Wall Street Journal. Investigators are calling the cyberattack "Salt Typhoon," which occurred just a week after the FBI dismantled another China-backed operation called "Flax Typhoon." That attack targeted 200,000 internet-connected devices such as cameras and routers.

In the Salt Typhoon incident, hackers infiltrated broadband networks to access sensitive information held by internet service providers. Sources close to the matter told WSJ that unlike past attacks focused on disrupting infrastructure, this one seems to be aimed at gathering intelligence. FBI Director Christopher Wray had warned at the Aspen Cyber Summit that China would persist in targeting U.S. organizations and critical infrastructure, either directly or through proxies.

Chinese cyberattacks have been ongoing, but their complexity and precision have escalated, intelligence officials told the WSJ. Earlier this year, Wray described China's hacking program as the largest in the world, surpassing all other major nations combined.

China has denied involvement in these attacks. Liu Pengyu, spokesperson for the Chinese embassy in Washington, accused U.S. intelligence agencies of fabricating evidence linking China to the Salt Typhoon breach.

The WSJ report revealed that investigators are focusing on Cisco Systems routers, though a Cisco spokesperson said there is no evidence of their involvement. Microsoft is also looking into the attack. Lumen Technologies, the parent company of CenturyLink and Quantum Fiber, recently detected malware in routers that could expose customers' passwords but did not specify which ISPs were affected.

Although there's no indication that individual customers’ data was the target, you can take basic precautions:

  • Change your passwords regularly—especially your Wi-Fi router's password.
  • Consider identity theft protection services, which monitor your credit and banking activity.
  • Review your credit reports regularly to catch any suspicious activity.
Read more »
ransomware attacks
Conti Ransomware Cyber Security Cyberattack Japan Japan Cyber attack Logs Malware Detection ransomware attacks

JPCERT Shares Tips for Detecting Ransomware Attacks Using Windows Event Logs

 

Japan’s Computer Emergency Response Center (JPCERT/CC) recently revealed strategies to detect ransomware attacks by analyzing Windows Event Logs, offering vital early detection before the attack spreads. JPCERT’s insights focus on identifying digital traces left behind by ransomware within four key types of event logs: Application, Security, System, and Setup logs. These logs reveal valuable clues about the entry points used by attackers and can assist in quicker mitigation. Ransomware attacks often target system vulnerabilities and attempt to encrypt files, delete backups, or modify network settings, leaving detectable traces within the event logs. 

For example, the notorious Conti ransomware can be recognized by multiple event logs connected to the Windows Restart Manager, showing event IDs 10000 and 10001. Other ransomware variants like Akira, Lockbit3.0, and HelloKitty, which share similar encryptor technology, leave comparable logs. Additionally, ransomware such as Phobos records when system backups are deleted, a key indicator of malicious activity. Detecting these logs promptly allows administrators to intervene before damage escalates. Midas ransomware, known for spreading infection via network changes, logs event ID 7040. Similarly, BadRabbit leaves event ID 7045 when installing its encryption component, while Bisamware logs events during the beginning and end of a Windows Installer transaction (event IDs 1040 and 1042). 

Other ransomware strains, like Shade, GandCrab, and Vice Society, create errors related to accessing COM applications and deleting Volume Shadow Copies, which are pivotal for restoring encrypted data. JPCERT’s findings illustrate that monitoring for these specific event IDs in combination with a broader security framework could be a game-changer in ransomware defense. Though older ransomware variants like WannaCry and Petya left no such traces in Windows logs, modern ransomware often does. As a result, tracking these logs offers an effective layer of protection against new threats, helping to prevent encryption and data loss. 

It is important to note that no single method of detection is foolproof. A multi-layered approach that combines monitoring event logs with other security tools and protocols remains crucial for protecting systems from ransomware attacks. By using this event log analysis strategy, organizations can significantly reduce the chances of ransomware spreading undetected, giving them the edge in stopping an attack before it cripples their network.
Read more »
Financial Security
Ai Data AI technology Cortex-M Cyber Security Cyberattack data security Financial Security

Snowflake Faces Declining Growth Amid Cybersecurity Concerns and AI Expansion

 

Snowflake Inc. recently faced a challenging earnings period marked by slowing growth and concerns following multiple cyberattacks. Despite being an AI data company with innovative technology, these events have impacted investor confidence, causing the stock price to retest recent lows. The company’s latest financial results reflect a continuing trend of decelerating growth, which is compounded by a valuation that assumes far higher growth rates than currently achieved.  

Snowflake’s sales growth has slowed considerably, with its FQ2 revenue growing by just under 29%, down from nearly 33% in the previous quarter. Projections for FQ3 suggest an even sharper decline, with product revenue growth forecasted to rise by only 22% year-over-year. The slowdown in revenue is significant, with growth rates expected to dip to as low as 20% in FQ4. In past quarters, Snowflake experienced higher sequential growth on a much smaller base, indicating that the company’s growth challenges are becoming more pronounced as it scales. The deceleration in sales has not been mitigated by the company’s focus on AI. During the earnings call, Snowflake highlighted the adoption of AI technologies among its 2,500 customers. 

However, these new product features, such as those centered around AI products like Cortex, are not expected to materially impact revenues in the near term. Snowflake’s guidance for FY 2025 does not factor in any significant contributions from these AI initiatives, further dampening expectations for a quick turnaround. Snowflake’s recent performance is further complicated by lingering cybersecurity issues. The company faced a series of cyberattacks where customer data stored on their platforms was compromised, partly due to inadequate sign-on controls by customers. Additionally, the recent CrowdStrike (CRWD) cybersecurity incident has only added to investor concerns about the company’s data security posture. 

Despite the concerns, Snowflake points to growth in remaining performance obligations (RPOs), with commitments reaching $5.2 billion, a 48% increase. Yet, management admits that RPOs may not be the best leading indicator for growth, given that product revenue is declining. The company also contends with multiple top customers operating on flexible, month-to-month contracts, which creates uncertainty in long-term revenue projections. Snowflake remains priced for perfection, trading at 12 times its FY25 revenue target of $3.5 billion, with a fully diluted market cap of $41.4 billion. However, the stock price has already fallen nearly 50% this year, and non-GAAP gross margins are slim, sitting at just 5% in the most recent quarter. 

While Snowflake generates significant free cash flow due to upfront customer payments, it also carries future obligations, further straining its financial outlook. The key takeaway for investors is that while Snowflake continues to innovate in AI and data management, it faces substantial headwinds due to slowing growth, cybersecurity concerns, and a valuation that does not reflect current market realities. Given these factors, potential investors might be wise to stay on the sidelines until there is clearer evidence of a turnaround in the company’s growth trajectory.
Read more »
Personal Information
ADT data breach Customer Data Cyberattack Data Breach impact data privacy. Home Security Personal Information

ADT Data Breach: Millions of Customers Potentially Exposed

Home security behemoth ADT has confirmed a substantial data breach affecting an undisclosed number of its six million customers. The incident, which remains shrouded in mystery due to the company's reluctance to provide specifics, involved unauthorized access to sensitive customer information stored within ADT's databases.

Hackers successfully infiltrated the company's systems, exfiltrating data that included customers' home addresses, email addresses, and phone numbers. While ADT has categorically denied any compromise of home security systems, the company has been notably reticent about disclosing the methods used to reach this conclusion. The lack of transparency has raised concerns among customers and cybersecurity experts alike.

The breach came to light following allegations from an anonymous online figure who claimed to have acquired over 30,000 ADT customer records. Although the authenticity of these claims has yet to be independently verified, ADT's admission of a data breach lends credence to the hacker's assertions.

The incident underscores the growing vulnerability of even the most established companies to cyberattacks. As a major player in the home security industry, ADT's breach has far-reaching implications for the broader cybersecurity landscape. Customers are now left grappling with the potential misuse of their personal information, while the company faces mounting pressure to provide a comprehensive and transparent account of the incident.

The breach also highlights the complex web of corporate ownership in today's digital age. ADT's parent company, Apollo Global Management, is a significant player in the financial industry and also owns TechCrunch, a leading technology news outlet. This interconnectedness raises questions about potential conflicts of interest and the extent to which such relationships might influence the handling of cybersecurity incidents.

As the investigation unfolds, industry experts and consumers will be watching closely to see how ADT responds to the crisis. The company's ability to regain customer trust and strengthen its security posture will be crucial in determining the long-term impact of this breach.
Read more »
Vulnerability
Cyber Attacks Cyber space Cyberattack Intel CPU Vulnerability

New Intel CPU Vulnerability 'Indirector' Found

Researchers from the University of California, San Diego, have discovered a new vulnerability in modern Intel processors, specifically the Raptor Lake and Alder Lake generations. This vulnerability, named 'Indirector,' can be used to steal sensitive information from the CPU. 

The problem lies in two components of the CPU: the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB). These components help the CPU make quick decisions, but they have flaws that attackers can exploit. The researchers identified three main techniques used in Indirector attacks: 

1. iBranch Locator: A tool that helps attackers find specific parts of the CPU's decision-making process by identifying the indices and tags of victim branches. 

2. IBP/BTB Injections: Tricks to manipulate the CPU's predictions, causing it to run unauthorized code through targeted injections. 

3. ASLR Bypass: A method to break security measures that protect the memory layout, making it easier to predict and control the CPU. 

By using these techniques, attackers can trick the CPU into running their own code and accessing sensitive data like passwords or encryption keys. This is accomplished by combining the speculative execution achieved through targeted injections with cache side-channel techniques, such as measuring access times, to infer the accessed data. 

To protect against Indirector attacks, the researchers suggest two main defenses: 

1. Use IBPB More: The Indirect Branch Predictor Barrier (IBPB) can prevent certain types of speculative execution, but it can slow down the CPU by up to 50%. 

2. Improve CPU Design: Making the CPU's prediction systems more complex and secure by adding encryption and randomization, which could involve incorporating more complex tags. 

Intel was informed about the Indirector vulnerability in February 2024 and has shared the information with other affected companies. Intel reviewed the findings and believes that existing protections, such as IBRS, eIBRS, and BHI, are effective against this new attack, so no new mitigations or guidance are required. 

The researchers will present their full findings at the USENIX Security Symposium in August 2024. They have also published more detailed information, proof-of-concept code, and tools related to Indirector on GitHub for further study and understanding. 

These publications provide a deeper dive into the attack methodologies, potential data leak mechanisms, and suggested mitigations. Modern CPUs from Intel are vital for many applications, and discovering such vulnerabilities highlights the importance of continually improving hardware security. 

By addressing these flaws and implementing the recommended defenses, the problem security of these processors can be significantly enhanced, protecting users from potential data leaks and other malicious activities.
Read more »
Ransomware
brain cipher Cyber Attacks Cyberattack data attacks Indonesia Ransomware

Brain Cipher Ransomware Targets Indonesia's National Data Center in Major Cyberattack

 

A new ransomware operation known as Brain Cipher has emerged, targeting organizations worldwide. This operation recently gained media attention due to an attack on Indonesia's temporary National Data Center.

Indonesia is developing National Data Centers to securely store servers used by the government for online services and data hosting. On June 20th, one of these temporary centers was attacked, leading to the encryption of government servers. This disruption affected immigration services, passport control, event permit issuance, and other online services.

The Indonesian government confirmed that Brain Cipher, a new ransomware operation, was responsible for the attack, impacting over 200 government agencies. The attackers demanded $8 million in Monero cryptocurrency for a decryptor and to prevent the leak of allegedly stolen data.

BleepingComputer has learned from negotiation chats that the threat actors claimed they would issue a "press release" about the "quality of personal data protection" in the attack, implying that data was stolen.

Brain Cipher is a new ransomware operation that began earlier this month and has been conducting attacks on organizations worldwide. Initially, the ransomware gang did not have a data leak site, but their latest ransom notes now include links to one, indicating their use of double-extortion tactics. BleepingComputer has found numerous samples of Brain Cipher ransomware on various malware-sharing sites over the past two weeks.

These samples [1, 2, 3] were created using the leaked LockBit 3.0 builder, which has been widely used by other threat actors to launch their own ransomware operations. However, Brain Cipher has made minor modifications to the encryptor.

One change is that it not only appends an extension to encrypted files but also encrypts the file names. The encryptor also creates ransom notes named in the format of [extension].README.txt, which briefly describe the attack, make threats, and provide links to the Tor negotiation and data leak sites. In one instance seen by BleepingComputer, the ransom note deviated from the template and was named 'How To Restore Your Files.txt.'

Each victim receives a unique encryption ID to enter into the threat actor's Tor negotiation site. Similar to other recent ransomware operations, the negotiation site is straightforward, featuring a chat system for communication with the ransomware gang.

Brain Cipher has also launched a new data leak site, although it currently does not list any victims. In negotiations observed by BleepingComputer, the ransomware gang has demanded ransoms ranging from $20,000 to $8 million.

The encryptor, based on the leaked LockBit 3 encryptor, has been thoroughly analyzed. Unless Brain Cipher has modified the encryption algorithm, there are no known methods to recover files for free.
Read more »
Ransowmare
BlackSuit CDK Global Cyber Attacks Cyberattack Data Theft Kadokawa Ransowmare

Cyberattack by BlackSuit Targets Kadokawa and CDK Global

In early June, Kadokawa's video-sharing platform Niconico experienced a server outage, which has now been claimed by the Russia-linked hacker group BlackSuit. This group, a rebrand of the Royal ransomware operation and linked to the defunct Conti cybercrime syndicate, has issued a threat on the dark web to release 1.5 terabytes of sensitive data, including signed documents, contracts, legal statements, and emails, unless a ransom is paid by July 1, 2024. 

Details of the Attack on Kadokawa: 

Kadokawa first acknowledged the cyberattack in early June, which disrupted multiple websites and services. Despite efforts by Kadokawa's IT department, BlackSuit reportedly managed to steal 1.5 terabytes of sensitive data, including business plans, user data, contracts, and financial records. The hackers exploited vulnerabilities in Kadokawa’s network, gaining access to a control center that allowed them to encrypt the entire network, affecting subsidiaries like Dwango and NicoNico. Kadokawa has assured customers that no credit card information was compromised, as it was not stored on their system. 

The company is prioritizing the restoration of accounting functions and normalizing manufacturing and distribution in its publication business, with expected results by early July. Although the production of new publications remains steady, the shipment of existing publications is currently at one-third of normal levels. Kadokawa is implementing alternative arrangements, including increasing human resources, to mitigate the impact. 

In the Web Services business, all Niconico family services are still suspended, but provisional services like Niconico Video (Re: tmp) and Niconico Live Streaming (Re: tmp) have been provided. Existing services such as Niconico Manga smartphone version and NicoFT have resumed. The Merchandise business has seen limited impact, with shipping functions operating normally. However, the failure of Kadokawa’s account authentication function has prevented users from logging into certain online shops. Temporary pages have been created for affected users, and Kadokawa will keep providing updates regarding this issue. 

Impact on CDK Global: 

BlackSuit is also believed to be behind ongoing outages at CDK Global, a software provider for approximately 15,000 North American car dealerships. Several major U.S. auto dealers, including AutoNation, Group 1 Automotive, Penske Automotive Group, Sonic Automotive, and Lithia Motors, have reported disruptions in their services due to the cyberattack. As a result, many dealerships have had to revert to pen and paper for managing auto repairs, closing new car sales, and conducting other business. 

CDK attempted to restore its systems but was hit with a second cyberattack, causing them to shut down all systems again. The company has yet to acknowledge that the attack is a result of ransomware, but an incident like this could take weeks to recover from. Even after operations return to normal, CDK will have to investigate what data was stolen, how the attack happened, and the impact on its customers. 

Allan Liska, a ransomware analyst at Recorded Future, mentioned that the CDK attack has been attributed to BlackSuit in hacker forums and private chat channels. Malicious cybercriminal gangs are known to boast about their schemes on these platforms. While CDK is not yet listed on BlackSuit's dark web site, indicating ongoing negotiations, Bloomberg reported that the hackers are asking for a ransom in the tens of millions of dollars.
Read more »
TeamViewer breach
Advanced Persistent Threat APT group attack corporate network hack Cyberattack Cybersecurity Data Breach Remote Access Software TeamViewer breach

TeamViewer's Corporate Network Compromised in Suspected APT Hack

 

iTeamViewer, a remote access software company, has announced that its corporate environment was compromised in a cyberattack. According to the company, the breach was detected on Wednesday, June 26, 2024, and is believed to have been carried out by an advanced persistent threat (APT) hacking group.

"On Wednesday, June 26, 2024, our security team detected an irregularity in TeamViewer’s internal corporate IT environment," TeamViewer stated in a post on its Trust Center. "We immediately activated our response team and procedures, started investigations together with a team of globally renowned cybersecurity experts, and implemented necessary remediation measures."

TeamViewer assured that its internal corporate IT environment is entirely separate from its product environment. They emphasized that there is no evidence suggesting that the product environment or customer data has been affected. The company continues to investigate and is focused on maintaining the integrity of its systems.

Despite their commitment to transparency, the "TeamViewer IT security update" page includes a <meta name="robots" content="noindex"> HTML tag, preventing search engines from indexing the document and making it harder to find.

TeamViewer is widely used for remote access, allowing users to control computers remotely as if they were physically present. The software is currently used by over 640,000 customers worldwide and has been installed on over 2.5 billion devices since its launch.

While TeamViewer has stated there is no evidence of a breach in its product environment or customer data, the extensive use of their software in both consumer and corporate settings makes any breach a significant concern, potentially granting full access to internal networks.

In 2019, TeamViewer confirmed a 2016 breach linked to Chinese threat actors through the Winnti backdoor. At the time, the company did not disclose the breach as no data was stolen.

News of the latest breach was first reported on Mastodon by IT security professional Jeffrey, who shared parts of an alert from the Dutch Digital Trust Center. This web portal is used by the government, security experts, and Dutch corporations to share information about cybersecurity threats.

"The NCC Group Global Threat Intelligence team has been made aware of significant compromise of the TeamViewer remote access and support platform by an APT group," warned an alert from cybersecurity firm NCC Group. "Due to the widespread usage of this software, the following alert is being circulated securely to our customers."

Another alert from Health-ISAC, a community for healthcare professionals to share threat intelligence, warned that TeamViewer services were allegedly being targeted by the Russian hacking group APT29, also known as Cozy Bear, NOBELIUM, and Midnight Blizzard.

"On June 27, 2024, Health-ISAC received information from a trusted intelligence partner that APT29 is actively exploiting TeamViewer," reads the Health-ISAC alert shared by Jeffrey. "Health-ISAC recommends reviewing logs for any unusual remote desktop traffic. Threat actors have been observed leveraging remote access tools. TeamViewer has been observed being exploited by threat actors associated with APT29."

APT29 is a Russian advanced persistent threat group linked to Russia's Foreign Intelligence Service (SVR). The group is known for its cyberespionage capabilities and has been involved in numerous attacks, including breaches of Western diplomats and a recent compromise of Microsoft's corporate email environment.

Although TeamViewer disclosed the incident at the same time as the alerts from NCC Group and Health-ISAC, it is unclear if they are directly related. TeamViewer's and NCC's alerts address the corporate breach, while the Health-ISAC alert focuses on targeting TeamViewer connections.

BleepingComputer reached out to TeamViewer for comments on the attack but was informed that no further information would be provided during the ongoing investigation. NCC Group also told BleepingComputer that they had nothing further to add beyond the alert issued to their clients.

On June 28, 2024, TeamViewer informed BleepingComputer that they had removed the noindex tag from their Trust Center, and the page should soon be indexed by search engines.
Read more »
IT Infrastructure
Australia Australian Businesses Cyberattack cybercriminals Data Breach Fortinet Hacker attack Hackers IT Infrastructure

The Growing Threat of Data Breaches to Australian Businesses

 

Data breaches are now a significant threat to Australian businesses, posing the risk of "irreversible brand damage." A cybersecurity expert from Fortinet, a global leader in the field, has raised alarms about cybercriminals increasingly targeting the nation’s critical infrastructure. Cybercriminals are continually finding new ways to infiltrate Australia’s infrastructure, making businesses highly vulnerable to attacks. 

The Australian federal government has identified 11 critical sectors under the Security of Critical Infrastructure Act, which was amended in 2018 to enforce stricter regulations. Businesses in these sectors are required to complete annual reporting to notify the federal government of any attempts to access their networks. Michael Murphy, Fortinet’s Head of Operational Technology and Critical Infrastructure, recently discussed the severity of cyber threats on Sky News Business Weekend. During the 2022-2023 financial year, 188 cybersecurity incidents were reported across critical sectors, highlighting ongoing risks to national networks like water and energy supplies. 

Additionally, the Australian Bureau of Statistics found that 34 percent of businesses experienced resource losses managing cybersecurity attacks in the 2021-2022 financial year, and 22 percent of Australian businesses faced a cybersecurity attack during that period—more than double the previous year’s figure. Even small businesses are now vulnerable to cybercrime. Murphy pointed out that among entities with mandatory reporting, 188 incidents were reported, with 142 incidents reported by entities outside of critical infrastructure, demonstrating the widespread nature of the threat. He explained that hackers are motivated by various factors beyond financial gain, including the desire for control. 

The consequences of cyber attacks can be severe, disrupting systems and causing significant downtime, which leads to revenue loss and irreversible brand damage. Critical infrastructure sectors face unique challenges compared to the IT enterprise. Quick restoration of systems is often not an option, and recovery can take considerable time. This extended downtime not only affects revenue but also damages the reputation and trustworthiness of the affected organizations. Murphy noted that many incidents are driven by motives such as financial profiteering, socio-political influence, or simply the desire of hackers and syndicates to boost their credibility. 

As cyber threats evolve, it is crucial for businesses, especially those in critical infrastructure sectors, to strengthen their cybersecurity measures. While annual reporting and adherence to federal regulations are essential, proactive strategies and advanced security technologies are necessary to mitigate risks effectively.
Read more »
SEC filing cyber incident
credit monitoring services Cyber Attacks Cyberattack December cyberattack impact First American Financial breach personal information accessed SEC filing cyber incident

First American Reveals Impact of December Cyberattack

 

 















The cyberattack that disrupted First American Financial's systems in late December impacted 44,000 individuals, according to regulatory filings on Friday.

In an 8K disclosure to the Securities and Exchange Commission (SEC), the title insurance company stated that its investigation of the incident is complete, though it provided few additional details.

"Based on our investigation, the Company has determined that personal information of approximately 44,000 individuals may have been accessed without authorization due to the incident," First American reported. "The Company will notify potentially affected individuals and offer them credit monitoring and identity protection services at no cost."

HousingWire initially reported on December 21, 2023, that the company had been hacked. First American took about a week to restore its systems and contain the threat.

The breach significantly affected the company's fourth-quarter operations, leading to a 15% revenue drop compared to the same period in 2022.

The attack occurred less than a month after First American was fined $1 million by the New York Department of Financial Services (DFS) for a cybersecurity violation settlement.

First American was the second major title insurance company hit by a cybersecurity incident within a month. In late November, Fidelity National Financial experienced a ransomware attack that took its systems offline for a few days, with the ransomware group AlphV/BlackCat claiming responsibility.

Mortgage lenders and servicers Mr. Cooper and loanDepot also faced significant cyberattacks that resulted in substantial financial losses.
Read more »
Middle East
CR4T backdoor Cyber Attacks Cyberattack Cybersecurity evasive governments Hackers Middle East

Cyberattackers Employ Elusive "CR4T" Backdoor to Target Middle Eastern Governments

 

A recent revelation by Russian cybersecurity firm Kaspersky sheds light on a covert cyber campaign dubbed DuneQuixote, which has been clandestinely targeting government bodies in the Middle East. This campaign involves the deployment of a newly identified backdoor called CR4T.

Kaspersky's investigation, initiated in February 2024, suggests that the operation might have been underway for at least a year prior. The perpetrators have taken sophisticated measures to evade detection, employing intricate methods to shield their implants from scrutiny and analysis.

The attack commences with a dropper, available in two versions: a standard executable or a DLL file, and a manipulated installer for a legitimate software tool called Total Commander. Regardless of the variant, the dropper's main task is to extract a concealed command-and-control (C2) address, utilizing a unique decryption technique to obfuscate the server's location and thwart automated malware analysis tools.

The decryption process involves combining the dropper's filename with snippets of Spanish poetry embedded in its code, followed by calculating an MD5 hash to decode the C2 server address. Upon successful decryption, the dropper establishes connections with the C2 server and fetches a subsequent payload, employing a hardcoded ID as the User-Agent string in HTTP requests.

Kaspersky notes that the payload remains inaccessible unless the correct user agent is provided, indicating a deliberate effort to restrict access. Additionally, the payload may only be downloaded once per victim or for a limited time following the malware's release.

Meanwhile, the trojanized Total Commander installer exhibits some variations while retaining the core functionality of the original dropper. It omits the Spanish poem strings and incorporates additional anti-analysis checks to detect debugging or monitoring tools, monitor cursor activity, check system RAM and disk capacity, among other measures.

CR4T, the central component of the campaign, is a memory-only implant written in C/C++, facilitating command-line execution, file operations, and data transfers between the infected system and the C2 server. Kaspersky also identified a Golang version of CR4T with similar capabilities, including executing arbitrary commands and creating scheduled tasks using the Go-ole library. The Golang variant employs COM objects hijacking for persistence and utilizes the Telegram API for C2 communication, indicating a cross-platform approach by the threat actors.

The presence of the Golang variant underscores the threat actors' ongoing efforts to refine their techniques and develop more resilient malware. Kaspersky emphasizes that the DuneQuixote campaign poses a significant threat to entities in the Middle East, showcasing advanced evasion tactics and persistence mechanisms through the use of memory-only implants and disguised droppers masquerading as legitimate software.
Read more »
patient information
affected patients Cyberattack Data Breach Data Privacy data security notification letters Ontario hospitals patient information

Ontario Hospitals Dispatch 326,000 Letters to Patients Affected by Cyberattack Data Breach

 

Five hospitals in Ontario, which fell victim to a ransomware attack last autumn, are initiating a mass notification effort to inform over 326,000 patients whose personal data was compromised.

The cyber breach on October 23, targeted Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, and Windsor Regional Hospital.

While electronic medical records at all affected hospitals, except Bluewater Health, remained unscathed, personal health information stored within their systems was unlawfully accessed. Subsequently, some of this pilfered data surfaced on the dark web.

A collective statement released by the hospitals highlights that approximately 326,800 patients were impacted, though this figure might include duplications for individuals seeking medical care at multiple sites.

The hospitals have undertaken a meticulous data analysis process spanning several months to ensure comprehensive notification of affected patients. For those whose social insurance numbers were compromised, arrangements for credit monitoring will also be provided.

The hospitals confirm that their notification strategy was devised in consultation with Ontario’s Information and Privacy Commissioner. Expressing regret for the disruption caused by the cyber incident, the hospitals extend their apologies to patients, communities, and healthcare professionals affected.

Apart from the hospitals, TransForm, a non-profit organization overseeing the hospitals’ IT infrastructure, was also affected by the ransomware attack. Despite the disruption to hospital operations and data breach affecting certain patient and staff information, the group opted not to meet ransom demands, based on expert advice.
Read more »
Ransomware attack
aerospace research firm Cyber Attacks Cyberattack Cybersecurity NIA investigation Ransomware attack

NIA Investigates Cyberattack on Aerospace Research Firm

 

The National Investigation Agency (NIA) is examining a ransomware attack on the National Aerospace Laboratories (NAL), India’s leading aerospace research institution, which occurred on November 15 last year. Suspected to be a cyberterrorist attack, the NIA has initiated an investigation into the incident. People familiar with the matter, speaking on the condition of anonymity, disclosed that the federal anti-terror agency has filed a case regarding the ransomware attack, believed to have been orchestrated by the notorious cybercrime group LockBit.

NAL Bengaluru, an affiliate of the government’s Council of Scientific and Industrial Research, stands as the sole government aerospace R&D laboratory in India's civilian sector. It fell victim to a ransomware attack on November 15, with LockBit threatening to expose stolen data, including classified documents, unless an unspecified ransom was paid. "We have registered a case to investigate the ransomware attack at the NAL from the cyberterrorism angle," stated an NIA officer.

The NIA operates a specialized anti-cyberterrorism unit tasked with investigating cyber attacks perpetrated by state or non-state actors targeting government and private entities in India. In the past, it has collaborated with other agencies, including CERT-In, during the ransomware attack at the All India Institute of Medical Sciences in November 2022. Tarun Wig, an information security expert and co-founder of Innefu Labs, described LockBit as "one of the most prolific cybercriminal groups," noting that ransomware attacks, typically driven by financial motives, frequently target Indian establishments.

LockBit, recognized as one of the world's most active ransomware-as-a-service operations, engages in data theft, encryption, extortion, and data leakage. Initially known as ABCD when it surfaced in 2019, LockBit has targeted thousands of businesses, schools, medical facilities, and government entities worldwide. Following a multinational law enforcement operation led by British authorities and involving agencies from 10 countries, including the US, France, Germany, and Japan, the UK's National Crime Agency announced last month that it had disrupted LockBit's services, compromising their criminal operations.

Graeme Biggar, director-general of the British agency, stated, "Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems." This action has effectively crippled LockBit's capabilities and credibility, according to Biggar, who labeled LockBit as the world's most harmful cybercrime group. Additionally, the US Department of Justice revealed that it had partnered with the Federal Bureau of Investigation to disrupt LockBit's activities, highlighting its extensive ransom demands and the significant ransom payments it has received.
Read more »
ransomware-as-a-service
BlackByte ransomware Critical Infrastructure Cyberattack Cybersecurity Cybersecurity Agencies Data Breach Encina Wastewater Authority ransomware-as-a-service

Encina Wastewater Authority Reportedly Targeted by BlackByte Ransomware

Carlsbad, California – Encina Wastewater Authority (EWA) has become the latest target of the notorious BlackByte ransomware group. The group, known for its aggressive tactics, has hinted at a cyberattack on EWA's platform, suggesting the potential sale of sensitive company documents obtained during the intrusion.

Despite BlackByte's claims, EWA's website, http://encinajpa.com, remains operational without immediate signs of intrusion. However, cybersecurity experts speculate that the threat actor may have infiltrated the organization's backend systems or databases rather than launching a visible front-end attack like a distributed denial-of-service (DDoS) assault.

Encina Wastewater Authority serves over 379,000 residents and businesses across North San Diego County, playing a crucial role in wastewater treatment, resource recovery, and environmental protection for public health and regional water sustainability.

The Cyber Express has reached out to Encina Wastewater Authority for clarification on the alleged cyberattack. As of writing, no official statement or response has been issued by the organization, leaving the claims unconfirmed. The BlackByte ransomware group has also shared sample documents, indicating the attack and offering their sale or removal via email.

BlackByte has been a concern for cybersecurity agencies since its emergence in July 2021, targeting critical infrastructure and gaining attention from the Federal Bureau of Investigation (FBI) and the US Secret Service (USS). Despite mitigation efforts, such as the release of a decrypter by Trustwave in October 2021, BlackByte continues to evolve its tactics and persists in targeting organizations worldwide through a ransomware-as-a-service (RaaS) model.

The situation regarding the alleged cyberattack on Encina Wastewater Authority will be closely monitored by The Cyber Express, and updates will be provided as more information becomes available or any official statement from the organization is issued.
Read more »
Subscribe to: Posts (Atom)