Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label DarkSide. Show all posts
Sensitive Information
ALPHV ransomware BlackCat gang BlackMatter Cyber Attacks DarkSide FBI warning First Judicial Circuit Florida state courts MGM Resorts Ransomware Operation Security Breach Sensitive Information

Florida Circuit Court Targeted in Attack by ALPHV Ransomware Group

 

The ALPHV, also known as BlackCat, ransomware group has asserted responsibility for a recent assault on state courts in Northwest Florida, falling under the jurisdiction of the First Judicial Circuit. 

The attackers claim to have obtained sensitive information such as Social Security numbers and CVs of employees, including judges. It's a common tactic for ransomware groups to threaten the public release of stolen data as leverage for negotiations.

The presence of the Florida First Judicial Circuit's data leak page on ALPHV's website suggests that the court has either not engaged in talks with the ransomware group or has firmly refused to meet their demands. 

The breach occurred last week, prompting the Florida circuit court to announce an ongoing investigation into the cyberattack, which disrupted operations on October 2nd. A statement released by the court stated that this incident would have a significant impact on court operations across the Circuit, affecting courts in Escambia, Okaloosa, Santa Rosa, and Walton counties for an extended period. 

The Circuit is prioritizing essential court proceedings but has decided to cancel and reschedule other proceedings, along with suspending related operations for several days starting from October 2, 2023.

In the midst of the investigation, judges in the affected counties have been in contact with litigants and attorneys regarding their regularly scheduled hearings. 

Additionally, the court authorities confirmed that all facilities are operating without any disruptions. As of now, the court has not independently verified the ransomware attack claims made by the ALPHV gang.

The ALPHV ransomware operation, originally known as DarkSide, emerged in November 2021 and is believed to be a rebranding of DarkSide/BlackMatter. 

This group gained international notoriety after the Colonial Pipeline breach, drawing the attention of law enforcement agencies worldwide. After a rebranding to BlackMatter in July 2021, their activities abruptly halted in November 2021 when authorities seized their servers and security firm Emsisoft developed a decryptor exploiting a ransomware vulnerability. 

This ransomware operation is known for consistently targeting global enterprises and continuously refining their tactics.

In a recent incident, an affiliate known as Scattered Spider claimed responsibility for an attack on MGM Resorts, asserting to have encrypted over 100 ESXi hypervisors after the company declined ransom negotiations following the shutdown of internal infrastructure. 

As reported by BleepingComputer, ALPHV's ransomware attack on MGM Resorts resulted in losses of approximately $100 million, as well as the theft of its customers' personal information. The FBI issued a warning in April, highlighting the group's involvement in successful breaches of over 60 entities worldwide between November 2021 and March 2022.
Read more »
Software
ALPHV BlackCat BlackMatter Constellation Network Cyber Attacks DarkSide Ransomware Software

Constellation Software Cyberattack Claimed by ALPHV

 


According to the ALPHV/BlackCat ransomware group's claims, Constellation Software's network was compromised as a result of a cyberattack, it was also mentioned in the recent posting on the ransomware gang's leak site. Essen Medical Associates, as well as a Canadian software company, were victimized by the ransomware gang. 

A statement by Constellation Software Inc., a Toronto-based company, revealed that on Wednesday, it had been affected by a cyber-security incident that affected only one of its IT infrastructure systems. 

As a result, some limited personal information was affected by this incident. Additionally, Constellation's businesses also impacted a limited number of business partners. Rather than directly contacting these individuals or business partners, Constellation's operating groups and businesses will now contact them.  

Those who had their data compromised and those who have business associates in the affected area have also been contacted for further information. 

A small number of individuals had their private information compromised in the incident. Some data belonged to a small number of business partners of various Constellation businesses that were potentially affected. 

The constellation software company is composed of six divisions dedicated to acquiring, managing, and growing software companies. These divisions are Volaris, Harris, Jonas, Vela Software, Perseus Group, and Topics. 

As a Canadian company that employs over 25,000 people in North America, Europe, Australia, South America, and Africa, and generates $4 billion in revenue every year, Vanguard has a global presence. It has also acquired more than 500 companies in the software industry since 1995 and provides services to more than 125,000 customers in more than 100 countries. 

According to Constellation, the incident involved a small number of systems involved in internal financial reports and data storage related to them. There was a requirement for Constellation's operating groups and businesses to comply with this. There was no impact on the operations and businesses of Constellation's autonomous IT systems that were within its control. In addition, the company's business operations have not been adversely affected by the incident. 

Listed on ALPHV/BlackCat's leak site was the list of attachments the ransomware group had gathered from two data breaches that had been compromised. 

Following the Essen Medical Associates cyberattack, 24 attachments were breached as a result, although 25 attachments were breached following the Constellation Software cyberattack.   

Statement from the company regarding the cyberattack on Constellation Software 

As a result of the ALPHV/BlackCat leak site post released shortly after the announcement of the cyberattack, Constellation Software issued a press release confirming the attack. On April 3, a limited number of the company's IT systems were compromised due to a cyber incident reported by the company. 

It is understood that only a few business and operating groups within the organization utilize the organization's financial reporting and data storage systems. These groups provide internal financial reporting to the organization.   

Constellation's independent IT systems are not impacted by this incident in any shape or form, so it is not an issue with any of its operating groups or businesses. According to the press release issued, Constellation's business operations have not been impacted by the incident.   

ALPHV has already leaked some documents containing business information online to prove they were accessing and exfiltrating files from Constellation's network. This information can be found in the documents they leaked.  

In November 2021, the DarkSide/BlackMatter gang launched a ransomware operation that has been hacked to get the keys to the country. This was believed to be a rebranding of them. First becoming aware of the group as DarkSide, they attacked the Colonial Pipeline in 2012 and immediately found themselves in the crosshairs of international law enforcement. 

As a result of the servers being seized in November, they were forced to shut down operations one month later in July 2021. This was even though they rebranded themselves as BlackMatter one month later. The Emsisoft decryptor exploits a vulnerability in ransomware to exploit a weakness in the encryption algorithm.   

To demonstrate the access that ALPHV gained and the exfiltration of files from Constellation's network, ALPHV has already posted many documents online that contain business information about Constellation. 

A lot of people are currently aware of the ALPHV group as one of the biggest ransomware threats threatening corporations all around the globe. It was also named as the most likely attacker by the FBI in April, after they hacked over 60 companies between November 2021 and March 2022 as part of a ransomware operation. According to the FBI, ALPHV has "extensive networks and extensive experience with ransomware operations."
Read more »
REvil
Cyber Attacks DarkSide Data Data Privacy Data Safety LockBit Ransomware REvil

FIN7 Cybercrime Syndicate: Emerges as a Major Player in Ransomware Ecosystem

 

A thorough investigation of FIN7 has revealed the organisational structure of the cybercrime group as well as its function as an associate for launching ransomware assaults. Additionally, it has revealed deeper connections between the group and the larger threat ecosystem, which includes the now-defunct DarkSide, REvil, and LockBit families of ransomware. 

The extremely active threat group Carbanak is known for using a wide range of instruments and strategies to broaden its "cybercrime horizons," including adding ransomware to its playbook and setting up fictitious security companies to entice researchers into performing ransomware attacks under the pretext of penetration testing. The financially motivated adversary has compromised more than 8,147 victims worldwide, with the majority of the affected businesses being based in the United States. Other notable nations include China, Germany, Canada, Italy, and the U.K.

Over the years, FIN7's invasion techniques have extended beyond conventional social engineering to include infected USB drives, compromised software supply chains, and the exploitation of stolen credentials obtained from dark web markets.

"Nowadays, its initial approach is to carefully pick high-value companies from the pool of already compromised enterprise systems and force them to pay large ransoms to restore their data or seek unique ways to monetize the data and remote access," PRODAFT said in a report shared with The Hacker News.

The Russian-speaking hacking group has also reportedly been seen using a number of Microsoft Exchange security weaknesses, including CVE-2020-0688, CVE-2021-42321, ProxyLogon, and ProxyShell, as weapons to infiltrate target environments. Even in situations where the victim has previously paid a ransom, the organization has launched operations that have installed SSH backdoors on the compromised systems. This is despite the use of double extortion tactics.

As part of its illegal money-making scheme, the plan is to resell access to other ransomware organizations and retarget the victims, underlining its attempts to minimize effort and maximize profits. In addition, it prioritizes businesses based on their annual revenues, dates of founding, and the number of employees. According to the researchers, this "demonstrates a certain form of feasibility study regarded a distinctive habit among cybercrime gangs."

In other words, FIN7's method of operation is to shortlist businesses and organizations with the largest income by using tools like Dun & Bradstreet (DNB), Crunchbase, Owler, and Zoominfo. In order to track visitor traffic to the victims' websites, it also makes use of other website analytics tools like MuStat and Similarweb.

One of the various intrusion vectors is used to gain initial access, after which data is exfiltrated, files are encrypted, and finally the ransom price is calculated based on the company's income.
The remote access trojans Carbanak, Lizar (also known as Tirion), and IceBot are likewise intended to be loaded using these infection sequences. IceBot was initially identified by Recorded Future-owned Gemini Advisory in January 2022.

Other tools created and provided by FIN7 include the Cobalt Strike post-exploitation tool and the Checkmarks module, which automates mass scans for vulnerable Microsoft Exchange servers and other public-facing online applications.

Another example of how criminal organizations behave like legitimate businesses is FIN7, which has a team structure with top-level management, development, pentesting, affiliate, and marketing teams, all of which have specific tasks to do.

While Alex and Rash are the main drivers of the operation, Sergey-Oleg, the third management member, assigns tasks to the other members of the group and supervises their completion. A review of the group's Jabber communication history, however, has shown that operators in administrator roles use coercion and extortion to force team members to put in more effort and issue threats to "harm their family members in case of resigning or escaping from duties."

The information was uncovered more than a month after cybersecurity firm SentinelOne suspected FIN7 may have connections to the Black Basta ransomware operation.

PRODAFT concluded, "FIN7 has established itself as an extraordinarily versatile and well-known APT group that targets enterprise companies. Their signature move is to thoroughly research the companies based on their revenue, employee count, headquarters and website information to pinpoint the most profitable targets."

"Although they have internal issues related to the unequal distribution of obtained monetary resources and somewhat questionable practices towards their members, they have managed to establish a strong presence in the cybercrime sphere."
Read more »
Tools
Affiliate Hackers Arcane Babuk DarkSide malware Ransomware sabbath Tools

Hack 'Sabbath': Evasive New Ransomware Discovered

 

Due to its small size and unique approaches, a small yet strong ransomware group has been executing attacks largely undiscovered. 

According to Mandiant, the operation, named UNC2190 or "Sabbath," began in September and started attacks in October. Since then, the gang claims to have infected several firms and has threatened to reveal the stolen data if their ransom demand is not met. 

As per a Mandiant blog post, the Sabbath ransomware group has attacked and extorted at least one school system in the United States. Sabbath, like other ransomware operations, is thought to depend heavily on the ransomware-as-a-service model, in which the operators engage individual "affiliate" hackers to execute the on-the-ground labour of infiltrating networks and installing the ransomware.

One of the risks posed by the Sabbath ransomware operation is that the group has managed to avoid detection owing to a number of variables. To begin, the organisation has altered its tools, including the including the Cobalt Strike Beacon remote control tool, to avoid detection. The scale of the operation in comparison to other ransomware brands also helped keep the operations under the radar. 

Sabbath, according to Mandiant, has its origins in a prior ransomware attack known as Arcane. Both are believed to be managed by the same UNC2190 group. However, unlike larger, more well-known ransomware groups, UNC2190's transition from Arcane to Sabbath was not quickly noticed. 

While it's not uncommon for huge ransomware gangs to rebrand their activities, Tyler McLellan, a principal analyst at Mandiant and co-author of the blog post, told SearchSecurity that a tiny, relatively unknown team like Arcane doesn't generally alter its brand. 

McLellan explained, "We've seen some of the larger groups like DarkSide and Babuk rebrand when public and government pressure was too great. In the case of the smaller groups like Sabbath, it could be rebranded over much more mundane reasons such as a payment dispute between group members and a rebranding is an attempt to start fresh minus the problem group members." 

Sabbath may have some influence over the ransomware scene, even if it is not as large as DarkSide or Babuk. As per McLellan, some of Sabbath's approaches, notably their use of several customised malware payloads, might be exploited by other ransomware crews attempting to avoid detection by security providers and law authorities. 

"As detection of ransomware intrusions improves at the early pre-ransomware stages, we expect the threat actors will continue to adapt to stay ahead of the detection curve and increase the pace to deploy ransomware faster after an initial intrusion," McLellan added.
Read more »
Threat actors
Cyber Security DarkSide LockBit Ransomware REvil Russia Russian Firm Threat actors

Russian Organizations Targeted By Outdated Threat Actors

 

Currently, European and American organizations top the list in ransomware from Russian state sponsored hackers, however, organizations from these countries are not ready for managing file encryption and double extortion problems on their own. Threat actors troubling CIS and Russian based companies are generally LockBit, REvil, DarkSide and many more criminal groups that target high profile victims with critical infrastructure cyberattacks. According to Kaspersky's report on first half of 2021, the Commonwealth of Independent States (CIS) was also targeted by threat actors which attack Russian organizations monthly, meanwhile no such attacks are reported. 

These groups, under unnoticed subcategory of ransomware actors are generally less sophisticated, and mostly use leaked malware or outdated strains, and build their own hacking access instead of buying access to the victims. Some of these famous ransomware families that were used earlier this year against the Russian targets are as followed: XMRLocker, Thanos/Hakbit, Limbozar/VoidCrypt, Fonix/XINOF, CryptConsole, Cryakl/CryLock, Phobos/Eking, Crysis/Dharma, /BigBobRoss. The most effective older strains include Phobos and Dharma. 

Phobos first surfaced in 2017 and reached its final stage in 2020. The threat actors had unauthorised RDP access as the main entry point. It consists of a C++/C malware having similar contextual technicalities to Dharma strain, but has no relation. Dharma came out in the open in 2016 by the name of Crysis, even though outdated, it has one of the most effective encryption schemes. Like Phobos, Dharma has similar unauthorised RDP access following brute-force of credentials and manual planting of malware. 

As per Kaspersky, such attacks come and go, however, they can't be left unnoticed. Kaspersky says these strains are still under development, with threat actors constantly making their strains effective, therefore, they are not without firepower. "Russian companies can prevent many of these threats by simply blocking RDP access, using strong passwords for domain accounts that are changed regularly, and accessing corporate networks through VPN," reports Bleeping Computers.
Read more »
REvil
Cyber Security DarkSide Grief Ransomware REvil

Ransomware Groups Never Perish, They Reincarnate

 

It is no longer a matter of shock that ransomware attacks have surged over the past few years,  the technological advancements have proved to be a boon for them. Ransomware is indeed a malware type that encodes the files of the victim. The offender subsequently asks the victim to make payment in order to regain access to the encrypted information as he explains the directions to make payment and receive the decryption key. 

Several ransomware organizations are now in the phase of their third incarnation. In the cybercrime sphere, reinvention is a key survival technique. The earliest techniques include the fake death or retirement and then subsequently the invention of a new identity. A fundamental objective of such a ruse is to make researchers focus their attention temporarily elsewhere. 

The DarkSide, which collected a $5 million payment from the Colonial Pipeline earlier last year, is only one of the most intriguing and newest reinventions to see much of this crushed by the U.S. Department of Justice. Once someone noticed that their Internet servers had indeed been seized, DarkSide stated that it was collapsing. However, just over a couple of months later, BlackMatter was created, a new affiliate ransomware operation, and specialists immediately found out that BlackMatter was using the same unique form of encryption used by DarkSide. 

The downfall of DarkSide occurred closely with that of REvil, a long-term ransomware gang claiming more than 100 million dollars from victims. Kaseya, a Miami-based corporation, was REvil's last major victim. This exploit allowed REvil to disseminate ransomware to as many as 1500 Kaseya using organizations. REvil called upon all victims of Kaseya's attack to pay a $70 million amount for decryption. 

REvil too is commonly regarded as a boost-up for GandCrab, a prominent ransomware group with over $2 billion in extortion for 12 months before it shut down in June 2019. 

The latest ransomware start-up "Grief" was only the current DoppelPaymer paintwork, which matched most of its code with a previous iteration named BitPaymer in 2016. All three were created by a renowned cybercriminal organization, known as TA505, 'Indrik Spider' and Evil Corp.

Mark Arena, CEO of cyber threat intelligence company Intel 471, stated that whether BlackMatter is a new name for the REvil group, or merely a rebirth of DarkSide, is uncertain. “Likely we will see them again unless they’ve been arrested,” Arena further added. 
Read more »
UNC
CCTV Cyber Attacks DarkSide Ransomware Supply Chain UNC

Supply Chain Attack Conducted by Darkside Operator

 

Mandiant researchers have identified a supply chain attack against a CCTV provider by a Darkside ransomware gang affiliate that has been distinguished as UNC2465. UNC2465 and other linked gangs identified by FireEye/Mandiant as UNC2628 and UNC2659 are regarded as one of the key affiliates of the DARKSIDE Group. 

The intrusion began on 18 May 2021, a day after the public suspension of the DARKSIDE general program (Mandiant Advantage background). Mandiant believes that although no ransomware has been discovered, membership groups that have performed DARKSIDE attacks could employ several ransomware affiliate programs and switch to each other at any time. 

Mandiant found that the installers were malicious at the commencement of June and informed the CCTV firm of a possible compromise on this website, making it possible for UNC2465 to substitute legitimate and Trojanised files.

Although Mandiant does not anticipate that many individuals have been affected, this strategy is reported to boost awareness. 

Software supply chain attacks can be very complex, from the recent attacks discovered by FireEye to attacks targeting smaller suppliers. A single infiltration of the software supply chain attack gives access to all businesses running the software of a victim company – in this situation, UNC2465 has modified the installer instead of the software itself.

Mandiant noted in mid-May 2021, that numerous threat players quoted a notice that the operators of the service seemed to share with the DARKSIDE RaaS members. That notification indicated that it had lost the access and would be closing its service to its infrastructure, including its blog, payment, and CDN servers. 

Since then, other underground members have claimed that they are unpaid DARKSIDE affiliates, and in certain cases privately gave forum admins with proof indicating their claims are legitimate. 

Mandiant consulting responded to an intrusion in June 2021; The first vector, which Mandiant found was a trojanized security camera PVR installer from a reputable website. As a result of ongoing infrastructure use and equipment use since October 2020, Mandiant has attributed the general intrusion to DARKSIDE affiliate UNC2465. 

On 18 May 2021, a person accessed the Trojanized link in the concerned organization and installed a ZIP. A chain of Downloads and Scripts was run when the software was installed which led to SMOKEDHAM and afterward NGROK on the computer of the victim. 

Further malware use like BEACON is also reported to have taken place. The trojan program was enabled in Mandiant's opinion between 18 May 2021, and 08 June 2021. 

Mandiant indicates that the majority of publicly identified victims of ransomware shaming websites have progressed steadily over the last month. Despite the recent restriction on posts concerning ransomware in underground forums, threat actors may still exploit private chats and links to find ransomware services.
Read more »
Darkside Ransomware
Cyber Security DarkSide Darkside Ransomware

Hacking Group DarkSide Attacks Colonial Pipeline With a Ransomware

Hacking group DarkSide, which was behind the recent ransomware attack on Colonial Pipeline, operates in a much common way than people assume. It works in a franchise manner, in a way that independent hackers would get to use ransomware software, along with the name of DarkSide, as the aim was to steal money from the victims, which are based in the US mostly. 

"Cybereason reports that DarkSide has a perverse desire to appear ethical, even posting its own code of conduct for its customers telling them who and what targets are acceptable to attack. Protected organizations not to be harmed include hospitals, hospices, schools, universities, nonprofit organizations, and government agencies. Also apparently protected are entities based in former Soviet countries," says CNBC. Ransomware is a kind of harmful software that stops access to a computer when planted. In return for providing the access, hackers demand hefty ransom. 

Reports suggest that Colonial paid a sum of $5 million as a ransom to DarkSide. The business model upon which DarkSide operates, allows a hacker to carry out an attack without much computer knowledge, unlike earlier scenarios where it was much needed. It is because the hackers are provided readymade ransomware software from DarkSide. The hacker only has to perform a small task and the software takes care of the rest of it. As per the experts, DarkSide appears to be a new hacking group, but the experts know enough about it to get an idea about how dangerous it is. Experts say DarkSide provides a 'Ransomware as a service' business model. 

In simple terms, DarkSide hackers make ransomware tools and put them up in the market, where cybercriminals buy them and use them for their attacks. You may say it is an evil replica of silicon valley software startup. The FBI earlier this week confirmed that DarkSide was behind the Colonial Pipeline attack. CNBC says "DarkSide also maintains that it will donate a portion of its profits to charities, although some of the charities have turned down the contributions. Hackers continue to expand: Cybereason reports they recently released a new version of their malware: DarkSide 2.0."

Read more »
Subscribe to: Posts (Atom)