Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Data Hacking. Show all posts

Disney Data Breach Exposes Sensitive Corporate and Personal Information

 

In July, Disney experienced a significant data breach that exposed far more than initially reported, compromising a wide array of sensitive information. While early reports focused on stolen Slack messages, it has since been revealed that the breach extended deep into the company’s critical corporate files. According to sources, hackers gained access to sensitive information, including financial projections, strategic plans, sales data, and streaming forecasts. 

The breach did not stop at corporate data. Hackers also accessed personal information of Disney Cruise Line members, including passport numbers, visa statuses, contact details, and birthplaces. In addition, data related to theme park pass sales was compromised, potentially impacting thousands of visitors. This breach has raised serious concerns about the security of personal data at Disney, one of the world’s most recognized entertainment companies. 

Initially, Disney reported that over a terabyte of data was leaked, but the full extent of the breach is still under investigation. In an August address to investors, the company acknowledged the severity of the attack, prompting questions about the cybersecurity measures in place not only at Disney but also at other major corporations. The incident has highlighted the growing need for robust and effective cybersecurity strategies to protect against increasingly sophisticated cyber threats. The hacking group Nullbulge has claimed responsibility for the attack. 

In a blog post, the group boasted of gaining access to internal data on upcoming projects as well as employee details stored in Disney’s Slack system. This claim has raised further alarms about the potential exposure of sensitive company plans and employee information. When asked to comment on the specifics of the breach, Disney declined to provide details. A spokesperson stated, “We decline to comment on unverified information that has purportedly been obtained as a result of illegal activity.” 

This response underscores the complexity and evolving challenges that companies face in safeguarding sensitive information from cyber threats. As cyber threats become more sophisticated, this breach serves as a stark reminder of the vulnerabilities even within prominent organizations. It emphasizes the urgent need for businesses to strengthen their cybersecurity measures to protect both corporate and personal data from being compromised in an increasingly digital world.

Understanding Qilin Ransomware: Threats, Origins, and Impacts on Healthcare

 

Qilin, also known as Agenda, is a ransomware-as-a-service operation that collaborates with affiliates to encrypt and exfiltrate data from hacked organizations, demanding a ransom in return. 

Despite its name deriving from a mythical Chinese creature that combines features of a dragon and a horned beast, the Qilin ransomware group is linked to Russia. Qilin has been active since October 2022, when it first posted about a victim on its darknet leak site. Since then, its activities have increased, affecting notable organizations such as the street newspaper The Big Issue, automotive parts giant Yanfeng, and the Australian court service. 

Recently, Qilin made headlines following a ransomware attack against Synnovis, a firm involved in blood testing and transfusions. This attack led to an emergency "critical incident" being declared at several London hospitals, with Qilin threatening to release stolen data unless a ransom is paid. Reports suggest that Qilin is demanding a substantial ransom of $50 million from Synnovis for the decryption tools and a promise not to publish the data. 

However, in media interviews, the group claimed that the attack was not financially motivated but a protest against the British government's involvement in an unspecified war. This claim is dubious given Qilin's history of targeting various businesses and healthcare organizations without prior political motivations. The high ransom demand likely reflects the significant disruption caused to the hospitals and their patients, rather than any genuine political agenda. 

Healthcare organizations and hospitals are frequent targets of ransomware attacks due to their complex IT systems and limited budgets. The consequences of such attacks are severe, as they can disrupt critical medical services. Ransomware groups view these entities as "soft targets," hoping to extract payments due to the urgent need to restore services. To protect against Qilin and similar ransomware threats, organizations should implement several key measures.

These include making secure offsite backups, using up-to-date security solutions, and applying the latest security patches to guard against vulnerabilities. Network segmentation can restrict an attacker's ability to move laterally within an organization. Using strong, unique passwords and enabling multi-factor authentication can protect sensitive data and accounts. Encrypting sensitive data and disabling unnecessary functionalities can further reduce the attack surface. 

Educating staff about cyber risks and attack methods is also crucial in maintaining organizational security. By taking these precautions, organizations can reduce the risk of falling victim to ransomware groups like Qilin, ensuring they are better prepared to defend against such malicious activities.

AT&T Denies Involvement in Massive Data Leak Impacting 71 Million People

 


AT&T has categorically denied any involvement in a significant data breach affecting approximately 71 million individuals. The leaked data, disseminated by a hacker on a cybercrime forum, allegedly originates from a 2021 breach of the company's systems. Despite assertions made by the hacker, known as ShinyHunters, and subsequent releases by another threat actor named MajorNelson, AT&T maintains its position, asserting that the leaked information did not originate from its infrastructure.

While the authenticity of the entire dataset remains unconfirmed, the verification of some entries suggests potential accuracy. This includes personal data that is not readily accessible for scraping, such as names, addresses, mobile phone numbers, encrypted dates of birth, encrypted social security numbers, and other internal details.

Despite refuting claims of a breach within its systems, AT&T has not provided definitive evidence to support its stance. Speculation persists regarding the involvement of third-party service providers or vendors, with AT&T yet to respond to inquiries seeking clarification on this matter.

While the leaked data purportedly includes sensitive personal information, such as social security numbers and dates of birth, decryption efforts by threat actors have rendered this data accessible. However, the precise origin of the leaked information remains elusive, fueling speculation and concern among affected individuals and cybersecurity experts alike.

For individuals who were AT&T customers before and during 2021, caution is advised, as the leaked data could potentially be exploited in various forms of targeted attacks, including SMS and email phishing, as well as SIM swapping schemes. Users are urged to exercise heightened caution and verify the authenticity of any communications purportedly from AT&T, refraining from disclosing sensitive information without direct confirmation from the company.

As investigations into the origins of the leaked data continue, the implications for affected individuals underscore the importance of robust cybersecurity measures and heightened awareness of potential threats. The incident serves as a telling marker of the ever-present risks associated with the digital realm and the imperative for proactive measures to safeguard personal information.

While AT&T denies any involvement in the data leak, concerns regarding the security and privacy of affected individuals persist. The unprecedented nature of cyber threats necessitates ongoing vigilance and collaborative efforts to combat risks and ensure the protection of personal data in an increasingly interconnected world.


HPE Cybersecurity Challenge: Data Breach Sparks Investigation

 

Hewlett Packard Enterprise (HPE), a leading technology company, is currently grappling with a potential security breach as reports emerge of sensitive data being offered for sale on a prominent hacking forum. This latest incident underscores the persistent challenges faced by major corporations in safeguarding their digital assets and protecting user information. 

The breach, which is currently under investigation by HPE's cybersecurity teams, comes amid a wave of increased cyber threats targeting organizations across various industries. The data purportedly for sale on the hacking forum includes information that, if exploited, could pose serious risks to the company and its clients. 

HPE, known for its extensive range of enterprise solutions and IT services, is taking the reported breach seriously. The company has initiated a comprehensive internal investigation to assess the scope of the incident, identify potential vulnerabilities, and implement necessary measures to mitigate the impact. 

The data on the hacking forum is said to contain a variety of sensitive information, including user credentials, proprietary software details, and potentially confidential client data. The potential exposure of such data raises concerns not only about the privacy of individuals associated with HPE but also about the potential misuse of corporate information. 

This incident highlights the evolving tactics employed by cybercriminals, who are becoming increasingly sophisticated in their approach. As organizations fortify their cybersecurity defences, threat actors adapt, finding new avenues to exploit vulnerabilities and gain unauthorized access to sensitive data. 

The timing of this breach is particularly noteworthy, given the global increase in remote work and reliance on digital infrastructure. With a growing attack surface, companies must remain vigilant in implementing robust cybersecurity measures to counteract the heightened risk of cyber threats. 

HPE is urging its clients and stakeholders to exercise caution and implement additional security measures. This includes advising users to update passwords, enable multi-factor authentication, and monitor their accounts for any suspicious activity. The company is also liaising with law enforcement agencies to track down the perpetrators and hold them accountable. The potential fallout from this breach extends beyond the immediate concerns of HPE and its clients. It raises broader questions about the cybersecurity landscape and the need for a collective effort to address the escalating threats faced by organizations globally. 

As the investigation unfolds, HPE will likely face increased scrutiny from industry regulators and cybersecurity experts. The incident serves as a stark reminder that no organization is immune to cyber threats, and constant vigilance and adaptation are imperative in safeguarding digital assets. 

In the wake of the reported breach at HPE and the emergence of sensitive data on a hacking forum, the incident serves as a poignant reminder of the perpetual challenges organisations face in safeguarding their digital assets. As HPE undertakes a thorough investigation and implements measures to mitigate potential repercussions, the broader cybersecurity landscape calls for renewed vigilance, adaptability, and collaborative efforts. The evolving tactics of cybercriminals underscore the necessity for constant innovation in cybersecurity strategies. 

The aftermath of this breach will likely resonate across industries, prompting a collective reflection on the imperative of proactive measures and the ongoing commitment required to stay ahead of ever-evolving cyber threats in our digitally interconnected world.

Social Engineering Attacks Resulted in Compromise of Morgan Stanley Client Accounts

 

Morgan Stanley's wealth and asset management division, Morgan Stanley Wealth Management, says that social engineering attacks have compromised some of its customers' accounts. 

Vishing (also known as voice phishing) is a social engineering attack in which scammers impersonate a reputable business (in this case Morgan Stanley) over the phone to persuade their targets to expose or pass over sensitive information such as banking or login credentials. 

According to a notice sent to impacted clients, a threat actor portraying Morgan Stanley acquired access to their accounts "on or around February 11, 2022" after deceiving them into submitting their Morgan Stanley Online account information. The attacker also electronically transferred money to their accounts after successfully compromising their own accounts. 

The alert reads, "As you are aware, on or around February 11, 2022, you were contacted by a bad actor claiming to be with Morgan Stanley. The bad actor was able to obtain information relating to your Morgan Stanley Online account, subsequently accessing this account and initiating unauthorized Zelle payments." 

A Morgan Stanley spokesperson told BleepingComputer that "there was no data breach or information leak from Morgan Stanley." The Morgan Stanley division also stated that all affected customers' accounts had been disabled, adding that its systems "remain secure." 

The company explained, "This compromise was not a result of any action of Morgan Stanley Wealth Management and our systems remain secure. Your Morgan Stanley Wealth Management account has been flagged to our Customer Call Center so that any callers into the Call Center will be prompted with additional verification. Your previous Morgan Stanley Online account was also disabled." 

Morgan Stanley advises customers not to answer calls from numbers they don't recognise as a way to protect themselves from vishing attacks and other sorts of social engineering frauds. 

"Also, be guarded when providing your personal data by phone. Make sure the person asking for the information is from a legitimate organization and is who they claim to be. You can always hang up and call the organization back using a phone number found through a trusted source – such as the company’s official website or perhaps a financial statement," the company further recommended. 

Morgan Stanley announced a data breach in July 2021 when the Clop ransomware group hacked into the Accellion FTA server of Guidehouse, one of Morgan Stanley's third-party providers, and stole personal information belonging to its clients. 

Morgan Stanley is a significant investment banking and global financial services corporation based in the United States that offers investment banking, securities, wealth management, and investment management services around the world.  

Caketap: A New Unix Rootkit Used to Steal ATM Banking Data

 

Following the activities of LightBasin, a financially motivated group of hackers, threat analysts have discovered a previously undisclosed Unix rootkit that is utilized to capture ATM banking data and execute fraudulent transactions. 

The specific group of adversaries has lately been seen targeting telecom businesses with tailored implants, as well as hacking managed service providers and victimising their clients back in 2020. Researchers present more proof of LightBasin activities in a new paper from Mandiant, focused on bank card fraud and the compromise of critical infrastructure. The new rootkit from LightBasin is a Unix kernel module called "Caketap" that is installed on servers running Oracle Solaris systems. 

Caketap hides network connections, processes, and files when it is loaded; it installs various hooks into system services so that remote commands and configurations can be received. The various commands observed by the analysts are as follows: 

• Add the CAKETAP module back to the loaded modules list 
• Change the signal string for the getdents64 hook 
• Add a network filter (format p) 
• Remove a network filter 
• Set the current thread TTY to not to be filtered by the getdents64 hook 
• Set all TTYs to be filtered by the getdents64 hook \
• Displays the current configuration Caketap's ultimate purpose is to steal financial card and PIN verification data from compromised ATM switch servers and utilise it to enable fraudulent transactions. 

Caketap intercepts data on their way to the Payment Hardware Security Module (HSM), a tamper-resistant hardware device used in the banking industry to generate, manage and validate cryptographic keys for PINs, magnetic stripes, and EMV chips. 

Caketap tampers with card verification messages, blocking those that match fraudulent bank cards instead of generating a genuine response. In a second phase, it saves valid messages that match non-fraudulent PANs (Primary Account Numbers) internally and delivers them to the HSM, ensuring that normal customer transactions are not disrupted and implant operations remain undetected. 

“We believe that CAKETAP was leveraged by UNC2891 (LightBasin) as part of a larger operation to successfully use fraudulent bank cards to perform unauthorized cash withdrawals from ATM terminals at several banks,” explains Mandiant’s report. 

Slapstick, Tinyshell, Steelhound, Steelcorgi, Wingjook, Wingcrack, Binbash, Wiperight, and the Mignogcleaner are further tools related to the actor in prior assaults, all of which Mandiant confirmed are still used in LightBasin attacks. 

LightBasin is a highly skilled threat actor that exploits weak security in mission-critical Unix and Linux systems, which are frequently viewed as intrinsically secure or are mostly ignored due to their obscurity. 

LightBasin and other attackers thrive in this environment, and Mandiant expects them to continue to use the same operating model. In terms of attribution, the analysts noticed some overlaps with the UNC1945 threat cluster, but they don't have enough clear evidence to draw any judgments.

Ukraine’s “IT Army” Struck with Info-stealing Malware

 

Pro-Ukrainian actors should be cautious of downloading DDoS tools to attack Russia, according to security experts, because they could be booby-trapped with data-stealing malware. 

Mykhailo Fedorov, Ukraine's vice prime minister, called for a volunteer "IT army" of hackers to DDoS Russian targets in late February. Cisco Talos, on the other hand, claims that opportunistic cyber-criminals are attempting to take advantage of the subsequent outpouring of support for the Eastern European country. It specifically detected Telegram posts offering DDoS tools that were actually malware-loaded. An organisation calling itself "disBalancer" offers one such tool, named "Liberator,". Although authentic, has been spoofed by others, according to Cisco. 

It explained, “The file offered on the Telegram page ended up being malware, specifically an infostealer designed to compromise unwitting users. The malware, in this case, dumps a variety of credentials and a large amount of cryptocurrency-related information, including wallets and metamask information, which is commonly associated with non-fungible tokens (NFTs).” 

Since none of the malicious spoofs is digitally signed, there is no way to distinguish them apart from the real DDoS tool, according to the vendor. Because the perpetrators of this harmful behaviour have been disseminating infostealers since November, Cisco concluded that it is not the work of fresh people, but rather those aiming to profit from the Ukraine conflict. 

However, Cisco warned that if Russia is subjected to a continuous DDoS attack, such techniques could proliferate. 

It concluded, “In this case, we found some cyber-criminals distributing an infostealer, but it could have just as easily been a more sophisticated state-sponsored actor or privateer group doing work on behalf of a nation-state. We remind users to be wary of installing software whose origins are unknown, especially software that is being dropped into random chat rooms on the internet.” 

The discovery comes as the Russian government revealed this week that hackers targeted an externally loaded widget used to collect visitor statistics and caused temporary disruptions on numerous agency websites. 

Pro-Ukrainian hacktivists have also been seen searching for and deleting Russian cloud databases, according to security researchers.

Microsoft Accounts Attacked by Russian-Themed Credential Theft

 

The Ukrainian conflict is being capitalized by malicious emails notifying Microsoft users of "unusual sign-in activity" from Russia. While there are valid concerns that the Russian-Ukrainian conflict would launch a global cyber warfare conflagration, small-time cybercriminals are stepping up their efforts amid the crisis. 

According to Malwarebytes, which discovered a slew of spam emails referencing Russian hacking activities. Phishing emails to Microsoft users have begun to circulate, warning of Moscow-led account hacking and attempting to steal credentials and other personal information. The messages' subject line reads, "Microsoft account unusual sign-in activity." The text in the body is as follows:  

“Unusual sign-in activity
We detected something unusual about a recent sign-in to the Microsoft account
Sign-in details
Country/region: Russia/Moscow
IP address:
Date: Sat, 26 Feb 2022 02:31:23 +0100
Platform: Kali Linux
Browser: Firefox
A user from Russia/Moscow just logged into your account from a new device, If this wasn’t you, please report the user. If this was you, we’ll trust similar activity in the future.
Report the user
Thanks,
The Microsoft account team”

According to Malwarebytes' Tuesday research, the emails then include a button to "report the user" as well as an unsubscribe option. When you click the button, a new message is created with the short subject line "Report the user." Microsoft account protection is referenced in the recipient's email address. Using email to answer could expose users to a variety of threats. 

The researchers explained, “People sending a reply will almost certainly receive a request for login details, and possibly payment information, most likely via a bogus phishing page. It’s also entirely possible the scammers will keep everything exclusively to communication via email. Either way, people are at risk of losing control of their accounts to the phishers. The best thing to do is not reply, and delete the email.” 

As usual, the spam contains red flags in the form of grammatical problems, such as misspellings like "acount." To put it another way, it's not a highly sophisticated attempt, but it's clever. Climbing curiosity (or terror) is a catnip for social engineers, as it is with any significant world event. 

“Given current world events, seeing ‘unusual sign-in activity from Russia’ is going to make most people do a double, and it’s perfect spam bait material for that very reason. [The emails] (deliberately or not) could get people thinking about the current international crisis. Being on your guard will pay dividends over the coming days and weeks, as more of the below is sure to follow,” stated researchers. 

The email is targeted just at Microsoft account holders, but the good news is that Outlook is sending it directly to spam.. However, the firm pointed out that, “depending on personal circumstance and/or what’s happening in the world at any given moment, one person’s ‘big deal’ is another one’s ‘oh no, my stuff.’ That’s all it may take for some folks to lose their login, and this mail is perhaps more salient than most for the time being.”

Live XSS Flaw Exists in DMCA-dot-com

 

The user interface of the takedowns website DMCA-dot-com has an active cross-site scripting (XSS) vulnerability. It's been there for almost a year and has not been addressed. 

After more than a year of attempting and failing to convince DMCA-dot-com to take the XSS seriously, Infosec researcher Joel Ossi, founder of Dutch security firm Websec, disclosed his findings. "I registered at DMCA at first with an intention to protect my own website," he blogged, explaining that he found unescaped free-text entry boxes in the DMCA user interface that allowed him to create an XSS. 

A copyright takedown service is DMCA-dot-com. Users pay the site to conduct the time-consuming task of obtaining an alleged copyright infringer's work to be removed from the Internet utilising the infamous US Digital Millennium Copyright Act. The cost of a takedown could be as high as $199. 

On a video conference with The Register, Ossi shared his findings in real-time. The typical XSS tell-tale — a popup with a personalized message – displayed every time he navigated to a new webpage in the DMCA-dot-com user area. The script for doing so was actually fairly straightforward: When he originally discovered the flaw in late 2020, he spent a year attempting and failed to obtain the attention of the operators of DMCA-dot-com. 

DMCA-dot-last com's message to Ossi stated, "Our development team will be reaching out if / when they need to. Our support department cannot help you on this," as he tried to persuade helpdesk staff to forward his vulnerability report. When he asked for a bug bounty, El Reg confirmed that Ossi had made complete confidential disclosure of his discoveries before addressing the issue of payment.

Both Ossi and The Register attempted to contact DMCA-dot-com several times and in The Register's instance, the company didn't even respond to the attempts to reach them. While Ossi was the first to discover the XSS flaws in DMCA-dot-com, he isn't the only one. Two different entries on the Open Bug Bounty site, one from April and the other from June, indicate XSS vulnerabilities in DMCA. 

Cross-site scripting vulnerabilities, let a malicious person run scripts on another person's website. The problem often exists because free text entry forms do not sanitize user inputs, as per MITRE. An attacker could gain access to a DMCA-dot-com account by extracting active login tokens from cookies. According to Ossi, it wouldn't take much to falsely bill for services, remove DMCA-dot-com's security features from a webpage, or delete an account. 

Jake Moore, a global cybersecurity advisor to infosec firm ESET, told The Register: "Cross-site scripting vulnerabilities can allow an attacker to masquerade as a standard user and carry out any actions that the user is able to perform such as access the user's data. User accounts can then ultimately be compromised and credentials or other information could be stolen with great ease." 

Immersive Labs' app security specialist Sean Wright further added: "Despite the fact they have been a part of the attacker toolkit for some time, many still underestimate the risks from XSS vulnerabilities. However, they are effectively client-side remote code execution vulnerabilities. In the right circumstances, and combined with tools such as the Browser Exploitation Framework, XSS vulnerabilities give an attacker almost complete control of a browser. Ultimately, this could lead to redirects to malicious sites and even performing actions on behalf of the user."

It's anticipated that someone at DMCA-dot-com pays attention to the flaw disclosure from a year and a half ago.

This Android Malware Wipes Your Device After Stealing Data

 

The BRATA Android malware has been updated to include additional functions such as GPS tracking and the ability to execute a factory reset on the device. 

The Android RAT BRATA (the term originates from 'Brazilian RAT Android') was founded in 2019 by Kaspersky security professionals and was used to eavesdrop on Brazilian users. In January 2019, the BRATA RAT was discovered circulating over WhatsApp and SMS communications. 

The RAT was distributed both through Google's official Play Store and through alternative Android app marketplaces. The majority of the infected apps masquerade as an update to the popular instant messaging service WhatsApp, claiming to fix the CVE-2019-3568 vulnerability in the app. The malware will begin keylogging after it has infected the victim's device, adding real-time streaming features to it. 

To connect with other apps on the victim's device, the malware makes use of the Android Accessibility Service function. Many instructions are supported by BRATA, including unlocking the victims' devices, gathering device information, shutting off the device's screen to run tasks in the background, executing any specific application, uninstalling itself, and removing any infection traces. 

Researchers from security firm Cleafy discovered a new variation affecting Android banking users in Europe in December 2021, with the goal of stealing their passwords. The same researchers have now discovered a new version that has the new features mentioned above. 

The Android RAT's current version is aimed at e-banking users in the United Kingdom, Poland, Italy, Spain, China, and Latin America. It uses custom overlay pages to target specific banking applications and steal users’ PINs. All the versions employ the same obfuscation strategies, allowing the danger to remain undetected. 

The following is a list of new features in the most recent BRATA releases: 

• Capability to perform the device factory reset: it appears that TAs are leveraging this feature to erase any trace, right after an unauthorized wire transfer attempt. 
• GPS tracking capability 
• Capability to use multiple communication channels (HTTP and TCP) between the device and the C2 server to keep a persistent connection. 
• Capability to continuously monitor the victim’s bank application through VNC and keylogging techniques. 

Researchers believe that the factory reset option enables threat actors to erase all signs of a hack once it has been completed or when the application detects that it is running in a virtual environment for analysis. 

The report stated, “this mechanism represents a kill switch for this malware. In fact, it was also observed that this function is executed in two cases: 
• A bank fraud has been completed successfully. In this way, the victim is going to lose even more time before understanding that a malicious action happened. 
• The application is installed in a virtual environment. BRATA tries to prevent dynamic analysis through the execution of this feature.” 

The BRATA RAT's recent evolution implies that threat actors are working to improve it in order to broaden its target demographic.

Night Sky: New Ransomware Targeting Corporate Networks

 

The new year has brought with it new ransomware named 'Night Sky,' which targets corporate networks and steals data in double-extortion attacks. 

The Night Sky operation began on December 27th, according to MalwareHunterTeam, which was the first to identify the new ransomware. The ransomware has since published the data of two victims. 

One of the victims got an initial ransom demand of $800,000 in exchange for a decryptor and the promise that the stolen material would not be made public. 

How Night Sky encrypts devices

A sample of the Night Sky ransomware seen by BleepingComputer has a personalised ransom note and hardcoded login credentials to access the victim's negotiation page. 

When the ransomware is activated, it encrypts all files except those with the.dll or.exe file extensions. The ransomware will not encrypt the following files or folders: 
AppData
Boot
Windows
Windows.old
Tor Browser
Internet Explorer
Google
Opera
Opera Software
Mozilla
Mozilla Firefox
$Recycle.Bin
ProgramData
All Users
autorun.inf
boot.ini
bootfont.bin
bootsect.bak
bootmgr
bootmgr.efi
bootmgfw.efi
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
Program Files
Program Files (x86)
#recycle

Night Sky appends the.nightsky extension to encrypted file names while encrypting them. A ransom letter named NightSkyReadMe.hta is included in each folder, and it provides details about what was stolen, contact emails, and hardcoded passwords to the victim's negotiation page. 

Instead of communicating with victims through a Tor site, Night Sky employs email addresses and a transparent website that runs Rocket.Chat. The credentials are used to access the Rocket.Chat URL specified in the ransom note. 

Double extortion tactic: 

Before encrypting devices on the network, ransomware operations frequently grab unencrypted data from victims. Threat actors then utilize the stolen data in a "double-extortion" scheme, threatening to leak the information unless a ransom is paid. 

Night Sky built a Tor data leak site to leak the data of victims, which now contains two victims, one from Bangladesh and the other from Japan. While there hasn't been much activity with the new Night Sky ransomware operation, one should keep a watch on it as we enter the new year.