Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyberattack. Show all posts
Scam
Cyber Fraud Cyberattack CyberCrime Hacking Pune Scam

Pune Company Falls Victim to ₹6.49 Crore Cyber Fraud in Major Man-in-the-Middle Attack

 

A 39-year-old director of a Mohammedwadi-based firm, which operates in IT services and dry fruit imports, was duped into transferring ₹6.49 crore following a sophisticated Man-in-the-Middle (MitM) cyberattack on March 27. In a MitM scam, cybercriminals secretly intercept communications between two parties, impersonating one to deceive the other, often stealing sensitive information or funds.

According to investigators, the company director was at his residence near NIBM Road when he received what appeared to be a legitimate payment request via email from a business associate. Trusting the authenticity, he initiated the payment and even instructed his bank to process it. However, when he later contacted the exporter to confirm receipt, they denied getting any money.

Upon closer inspection, the director discovered subtle changes in the sender's email ID and bank account details — just one letter altered in the email address and a different bank account number. These minor discrepancies went unnoticed initially, police said.

Senior Inspector Swapnali Shinde of the Cyber Police told TOI, "It has two divisions, one for IT services and another for importing dry fruits. The company director would import the dry fruits from different countries, including the United States and those in the Middle-East. On March 27, he received a payment request from an exporter of dry fruits based in the US. The email demanded payment of nearly Rs 6.5 crore. The victim, thinking it was for the almonds he'd recently imported, initiated the transaction."

Realizing the fraud only on April 17, the director registered an FIR with Pune's cyber police on April 23.

Shinde added, "Officials from his bank called him to verify the transaction, but he told them to proceed. The amount was across in five transactions," explaining that the online ledger displayed only the first few letters of the firm's name and bank details.

"The victim did not realise that the account number of the company, with whom he had regular business with, was changed. He just clicked on the button and initiated the transactions," Shinde said.

Cyber investigators are now tracing the trail of the siphoned funds. "The cash went to several accounts. We're still trying to establish a trail. As of now we can say that about Rs 3 crore is yet to reach the suspects. We will try our best to salvage the money," Shinde stated.
Read more »
Zoom
BlackSuit Cyberattack Encryption malware phishing Ransomware Zoom

Fake Zoom Download Sites Spreading BlackSuit Ransomware, Experts Warn

 

A new cyberattack campaign is targeting Zoom users by disguising ransomware as the popular video conferencing tool, according to Cybernews. Researchers from DFIR have uncovered a scheme by the BlackSuit ransomware gang, which uses deceptive websites to distribute malicious software.

Instead of downloading Zoom from the official site, unsuspecting users are being lured to fraudulent platforms that closely mimic the real thing. One such site, zoommanager[.]com, tricks users into installing malware. Once downloaded, the BlackSuit ransomware remains dormant for several days before launching its full attack.

The malware first scrapes and encrypts sensitive personal and financial data. Then, victims are presented with a ransom demand to regain access to their files.

BlackSuit has a history of targeting critical infrastructure, including schools, hospitals, law enforcement, and public service systems. The ransomware begins by downloading a malicious loader, which can bypass security tools and even disable Windows Defender.

Researchers found that the malware connects to a Steam Community page to fetch the next-stage server, downloading both the legitimate Zoom installer and malicious payload. It then injects itself into a MSBuild executable, staying inactive for eight days before initiating further actions.

On day nine, it executes Windows Commands to collect system data and deploys Cobalt Strike, a common hacker tool for lateral movement across networks. The malware also installs QDoor, allowing remote access through a domain controller. The final phase involves compressing and downloading key data before spreading the ransomware across all connected Windows systems. Victims’ files are locked with a password, and a ransom note is left behind.

Cybersecurity experts stress the importance of downloading software only from official sources. The genuine Zoom download page is located at zoom[.]us/download, which is significantly different from the deceptive site mentioned earlier.

"Zoom isn't nearly as popular with hackers now as it was a few years ago but given how widely used the service is, it's an easy way to target unsuspecting users online."

To protect against these kinds of attacks, users should remain vigilant about phishing tactics, use reputable antivirus software, and ensure it stays updated. Many modern antivirus tools now offer VPNs, password managers, and multi-device protection, adding extra layers of security.

"As well as making sure you're always downloading software from the correct source, make sure you are aware of common phishing techniques and tricks so you can recognize them when you see them."

It’s also recommended to manually navigate to software websites instead of clicking links in emails or search results, reducing the risk of accidentally landing on malicious clones.
Read more »
Stolen Data
Cyberattack Cybersecurity Data Breach health data medical records Personal Information Ransomware Social Security Stolen Data

Sunflower and CCA Suffer Data Breaches, Exposing Hundreds of Thousands of Records

 

Sunflower recently disclosed a cyberattack on its systems, revealing that hackers gained access on December 15 but remained undetected until January 7. 

During this time, sensitive personal and medical data — including names, addresses, dates of birth, Social Security numbers, driver’s license details, medical records, and health insurance information—were compromised. According to its filing with the Maine Attorney General’s Office, the breach impacted 220,968 individuals.

Meanwhile, CCA experienced a similar data breach in July last year. The organization reported that cybercriminals stole extensive patient information, including names, addresses, dates of birth, driver's license numbers, Social Security numbers, diagnoses, lab results, prescriptions, patient ID numbers, and provider details. The breach affected 114,945 individuals, as per its filing with Maine’s Attorney General’s Office.

The Rhysida ransomware group has claimed possession of 7.6TB of Sunflower’s data, including a 3TB SQL database, according to The Register. With the data still listed online, it suggests that either negotiations are ongoing or have collapsed. However, as of now, there is no confirmed evidence of the stolen data being misused on the dark web.

Following these incidents, both organizations have taken steps to strengthen cybersecurity measures to prevent future breaches.
Read more »
Threat Intelligence
APT37 Cyberattack Cybersecurity Data Breach Hacking North Korea phishing RokRat Threat Intelligence

North Korean Hackers Exploit ZIP Files in Sophisticated Cyber Attacks

 

State-sponsored hacking group APT37 (ScarCruft) is deploying advanced cyber-espionage tactics to infiltrate systems using malicious ZIP files containing LNK shortcuts. These files are typically disguised as documents related to North Korean affairs or trade agreements and are spread through phishing emails.

Once opened, the attack unfolds in multiple stages, leveraging PowerShell scripts and batch files to install the RokRat remote access Trojan (RAT) as the final payload.

The infection starts with carefully crafted phishing emails, often using real information from legitimate websites to enhance credibility. These emails contain malicious ZIP attachments housing LNK files. When executed, the LNK file verifies its directory path, relocating itself to %temp% if necessary.

It then extracts multiple components, including:

-A decoy HWPX document
-A batch script (shark.bat)

Additional payloads like caption.dat and elephant.dat
The shark.bat script executes PowerShell commands discreetly, launching the elephant.dat script, which decrypts caption.dat using an XOR key. The decrypted content is then executed in memory, ultimately deploying RokRat RAT.

Once active, RokRat collects detailed system information, such as:
  • Operating system version
  • Computer name
  • Logged-in user details
  • Running processes
  • Screenshots of the infected system
The stolen data is then exfiltrated to command-and-control (C2) servers via legitimate cloud services like pCloud, Yandex, and Dropbox, utilizing their APIs to send, download, and delete files while embedding OAuth tokens for stealthy communication.

RokRat also allows attackers to execute remote commands, conduct system reconnaissance, and terminate processes. To avoid detection, it implements anti-analysis techniques, including:
  • Detecting virtual environments via VMware Tools
  • Sandbox detection by creating and deleting temporary files
  • Debugger detection using IsDebuggerPresent
The malware ensures secure communication by encrypting data using XOR and RSA encryption, while C2 commands are received in AES-CBC encrypted form, decrypted locally, and executed on the compromised system. These commands facilitate data collection, file deletion, and malware termination.

By leveraging legitimate cloud services, RokRat seamlessly blends into normal network traffic, making detection more challenging.

“This sophisticated approach highlights the evolving tactics of APT37, as they continue to adapt and expand their operations beyond traditional targets, now focusing on both Windows and Android platforms through phishing campaigns.”

As APT37 refines its cyberattack strategies, organizations must remain vigilant against such persistent threats and enhance their cybersecurity defenses.
Read more »
Ransomware attack. Cyber Attacks
Cyberattack Polish Space Agency POLSA hack Ransomware attack. Cyber Attacks

Polish Space Agency Faces Cyberattack, Takes IT Systems Offline

 

The Polish Space Agency (POLSA) recently experienced a cybersecurity breach, prompting the organization to disconnect its IT infrastructure from the internet. POLSA confirmed the incident through a post on X, stating that relevant authorities had been notified.

“There has been a cybersecurity incident at POLSA,” the machine-translated X post reads. “The relevant services and institutions have been informed. The situation is being analyzed. In order to secure data after the hack, the POLSA network was immediately disconnected from the Internet. We will keep you updated.”

The brief statement led to speculation about the nature of the attack, with some reports suggesting it could be a ransomware incident. Typically, organizations hit by ransomware isolate their systems to prevent further damage and block unauthorized access.

An anonymous source disclosed to The Register that POLSA’s email systems had been compromised. As a precaution, employees were instructed to switch to phone-based communication instead of email.

Poland’s digitalization minister, Krzysztof Gawkowski, later confirmed the breach, stating that the government had launched "intensive operational activities" to identify the perpetrators. He also noted that POLSA was receiving support from the country’s cybersecurity teams, CSIRT NASK and CSIRT MON.

At this stage, the attackers' identities and motives remain unclear. However, Reuters reports that Warsaw has “repeatedly” accused Moscow of attempts to destabilize Poland, particularly due to its military assistance to Ukraine amid the ongoing conflict.
Read more »
U.S. Social Security Administration
Cyber Security Cyberattack Remote Access Tool Sophisticated Phishing Attack U.S. Social Security Administration

Phishing Campaign Impersonating SSA Deploys Remote Access Tool

Hackers have launched a sophisticated phishing campaign impersonating the United States Social Security Administration (SSA) to deliver the ConnectWise Remote Access Tool (RAT), according to a report by Cofense Intelligence. This operation, active since September 2024 and intensifying by November, employs advanced evasion techniques to compromise devices and extract sensitive information.

The phishing emails mimic official SSA communications, promising updated benefits statements to lure victims. Embedded links, disguised as legitimate SSA web pages, lead to the installation of the ConnectWise RAT, granting attackers control over compromised systems. The campaign incorporates enhanced email spoofing and credential phishing strategies, leveraging SSA logos and branding to heighten credibility.

One unique technique involves one-time use payloads. Victims who access the malicious link are directed to the RAT installer, while subsequent visits redirect to legitimate SSA pages. This method utilizes browser cookies to bypass automated defenses and security research tools.

Exploitation and Goals

After installing the malware, attackers exploit victims further by redirecting them to phishing pages designed to capture sensitive personal and financial data, including:

  • Social Security Numbers
  • Credit card details
  • Mother’s maiden name
  • Phone carrier PINs

The focus on phone carrier PINs indicates an intent to facilitate account takeovers and unauthorized transfers. Early versions of the campaign used ConnectWise’s infrastructure for command-and-control operations, but recent iterations rely on dynamic DNS services and attacker-owned domains to evade detection.

Evolving Threats

Follow-up phishing emails prompt victims to confirm actions via buttons labelled “I Have Opened the File,” directing them to further credential-harvesting sites. These tactics expand the scope of the breach and demonstrate the attackers’ ability to adapt and refine their methods.

The Cofense report emphasizes the ongoing risk posed by such campaigns, urging organizations and individuals to adopt robust cybersecurity practices to counter these threats effectively.

Read more »
Threats from Technology
Britain Cyberattack cyberattacks trending news Data Theft NCSC News Technology Threats from Technology

UK Faces Growing Cyber Threats from Russia and China, Warns NCSC Head

The UK is facing an increasing number of cyberattacks from Russia and China, with serious cases tripling in the past year, according to a new report by the National Cyber Security Centre (NCSC). On Tuesday, Richard Horne, the new NCSC chief, stated that the country is at a critical point in safeguarding its essential systems and services from these threats.

Rising Threats and Attacks

The report reveals a disturbing rise in sophisticated cyber threats targeting Britain’s public services, businesses, and critical infrastructure. Over the past year, the agency responded to 430 cyber incidents, a significant increase from 371 the previous year. Horne highlighted notable incidents such as the ransomware attack on pathology provider Synnovis in June, which disrupted blood supplies, and the October cyberattack on the British Library. These incidents underscore the severe consequences these cyber threats have on the UK.

Challenges and Alliances

Similar challenges are being faced by the UK’s close allies, including the U.S., with whom the country shares intelligence and collaborates on law enforcement. Horne emphasized the UK’s deep reliance on its digital infrastructure, which supports everything from powering homes to running businesses. This dependency has made the UK an appealing target for hostile actors aiming to disrupt operations, steal data, and cause destruction.

“Our critical systems are the backbone of our daily lives—keeping the lights on, the water running, and our businesses growing. But this reliance also creates vulnerabilities that our adversaries are eager to exploit,” Horne stated.

Cybersecurity Challenges from Russia and China

According to the report, Russia and China remain at the forefront of the UK’s cybersecurity challenges. Russian hackers, described as “reckless and capable,” continue to target NATO states, while China’s highly advanced cyber operations aim to extend its influence and steal critical data. Horne called for swift and decisive action, urging both the government and private sector to enhance their defenses.

Recommendations for Strengthening Cybersecurity

Horne emphasized the need for more robust regulations and mandatory reporting of cyber incidents to better prepare for future threats. He stressed that a coordinated effort is necessary to improve the UK’s overall cybersecurity posture and defend against adversaries’ growing capabilities.

Read more »
Wayne County Michigan
Cyberattack Data Breach double-extortion encryptor FreeBSD servers Interlock ransomware ransomware attacks Trend Micro Wayne County Michigan

Interlock Ransomware: New Threat Targeting FreeBSD Servers and Critical Infrastructure Worldwide

 

The Interlock ransomware operation, launched in late September 2024, is increasingly targeting organizations around the globe. Distinctly, this new threat employs an encryptor specifically designed to attack FreeBSD servers, a relatively uncommon tactic among ransomware groups.

Interlock has already affected six organizations and publicly leaked stolen data after ransoms went unpaid. One prominent victim, Wayne County in Michigan, experienced a cyberattack early in October, adding to the list of affected entities.

Details about Interlock remain limited, with early reports emerging from cybersecurity responder Simo in October. Simo's analysis noted a new backdoor associated with the ransomware, discovered during an investigation on VirusTotal.

Shortly after, MalwareHunterTeam identified a Linux ELF encryptor related to Interlock. Upon further examination, BleepingComputer confirmed that this executable was built specifically for FreeBSD 10.4, though attempts to execute it in a FreeBSD environment failed.

Although ransomware targeting Linux-based VMware ESXi servers is common, an encryptor for FreeBSD is rare. The now-defunct Hive ransomware, disrupted by the FBI in 2023, was the only other known operation with a FreeBSD encryptor.

Trend Micro researchers shared additional samples of the Interlock FreeBSD ELF encryptor and a Windows variant, noting that FreeBSD is often used in critical infrastructure. This likely makes it a strategic target for Interlock, as attacks on these systems can lead to significant service disruptions.

Trend Micro emphasizes that Interlock’s focus on FreeBSD infrastructure allows attackers to disrupt essential services and demand high ransoms, as these systems are integral to many organizations’ operations.

It is important to note that Interlock ransomware is unrelated to any cryptocurrency token of the same name.

While BleepingComputer encountered issues with running the FreeBSD encryptor, they successfully tested the Windows version, which performed actions like clearing event logs and deleting the main binary using rundll32.exe if self-deletion is enabled.

When encrypting files, Interlock appends the .interlock extension and generates a ransom note titled "!README!.txt" in each affected folder. The note explains the encryption, threats, and includes links to a Tor-based negotiation site where victims can communicate with the attackers. Each victim receives a unique ID and email for registration on this negotiation platform.

During attacks, Interlock breaches networks, steals sensitive data, and then deploys the encryptor to lock down files. The data theft supports a double-extortion scheme, with threats to leak data if ransoms—ranging from hundreds of thousands to millions of dollars—are not paid.
Read more »
Subscribe to: Posts (Atom)