Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Data Security Breach. Show all posts

Protecting Against Fog Ransomware: Key Strategies and Insights

 

In August 2024, a mid-sized financial firm was targeted by a ransomware attack using compromised VPN credentials to deploy a variant called “Fog” on both Windows and Linux systems. Fortunately, the attack was detected and neutralized by Adlumin’s innovative technology, which uses decoy files as sensors to detect ransomware activity. Fog, a variant of the STOP/DJVU ransomware family first observed in 2021, exploits compromised VPN credentials to breach networks and often targets sectors like education and recreation. 

Once inside, the ransomware uses techniques such as pass-the-hash attacks to escalate privileges, disable security mechanisms, encrypt critical files like Virtual Machine Disks (VMDKs), and delete backup data. Victims are usually directed to a negotiation platform on the Tor network through a ransom note. The lack of direct ties to known threat groups suggests that Fog may originate from a new, highly skilled actor. The attackers initiated their operation by pinging endpoints and using tools like “Advanced Port Scanner” for network reconnaissance. 

They then moved laterally through the network using compromised service accounts, mapped network drives, and harvested credentials. For execution, they used the open-source tool ‘Rclone’ to transfer data and deployed ‘locker.exe’ to encrypt files. Additionally, they deleted system backups to prevent victims from restoring their data. Adlumin’s Ransomware Prevention feature played a critical role in neutralizing the attack. This technology, launched in April 2024, uses decoy files that lie dormant until ransomware activity is detected, triggering the automatic isolation of affected machines and blocking further data theft. 

The feature alerts security teams for a deeper investigation, representing a significant advancement in the fight against ransomware. After isolating compromised systems, security engineers conducted a thorough analysis to identify vulnerabilities and restore the affected systems. In the aftermath of the attack, several key measures were recommended to prevent future incidents: ensuring all VPN connections require Multi-Factor Authentication (MFA), keeping VPN software up to date, monitoring VPN access for unusual activity, and deploying automated isolation procedures when ransomware is detected. 

It is also important to protect endpoints with comprehensive security platforms capable of real-time threat monitoring and response, limit administrative privileges, conduct regular security audits, and establish effective incident response plans. Additionally, organizations should regularly back up critical data in secure environments and monitor network traffic for signs of unusual or malicious activity. These proactive steps help organizations prepare for and mitigate the impact of sophisticated ransomware threats like Fog.

Hackers Exploit Snowflake Data, Targeting Major Firms

 

Hackers who stole terabytes of data from Ticketmaster and other customers of the cloud storage firm Snowflake claim they gained access to some Snowflake accounts by breaching a Belarusian-founded contractor working with those customers. Approximately 165 customer accounts were potentially affected in this hacking campaign targeting Snowflake’s clients, with a few identified so far. 

It was a Snowflake account, with stolen data including bank details for 30 million customers and other sensitive information. Lending Tree and Advance Auto Parts might also be victims. Snowflake has not detailed how the hackers accessed the accounts, only noting that its network was not directly breached. Google-owned security firm Mandiant, involved in investigating the breaches, revealed that hackers sometimes gained access through third-party contractors but did not name these contractors or explain how this facilitated the breaches. 

A hacker from the group ShinyHunters said they used data from an EPAM Systems employee to access some Snowflake accounts. EPAM, a software engineering firm founded by Belarus-born Arkadiy Dobkin, denies involvement, suggesting the hacker’s claims were fabricated. ShinyHunters has been active since 2020, responsible for multiple data breaches involving the theft and sale of large data troves. EPAM assists customers with using Snowflake's data analytics tools. The hacker said an EPAM employee’s computer in Ukraine was infected with info-stealer malware, allowing them to install a remote-access Trojan and access the employee’s system. 

They found unencrypted usernames and passwords stored in a project management tool called Jira, which were used to access and manage Snowflake accounts, including Ticketmaster’s. The lack of multifactor authentication (MFA) on these accounts facilitated the breaches. Although EPAM denies involvement, hackers did steal data from Snowflake accounts, including Ticketmaster's, and demanded large sums to destroy the data or threatened to sell it. The hacker claimed they directly accessed some Snowflake accounts using the stolen credentials from EPAM’s employee. The incident underscores the growing security risks from third-party contractors and the importance of advanced security measures like MFA. 

Mandiant noted that many credentials used in the breaches were harvested by infostealer malware from previous cyber incidents. Snowflake’s CISO, Brad Jones, acknowledged the breaches were enabled by the lack of MFA and mentioned plans to mandate MFA for Snowflake accounts. This incident highlights the need for robust cybersecurity practices and vigilance, particularly when dealing with third-party contractors, to safeguard sensitive data and prevent similar breaches in the future.

Australia's Premier Non-Bank Lender Suffers Data Security Breach

 


One of Australia's largest non-bank mortgage lenders, Firstmac, has suffered a cyberattack, which resulted in customer information such as credit card and passport numbers, Medicare numbers and driver's licence numbers being stolen and published on the dark web. In a letter sent to its customers, the Brisbane-based lender informed them that one of its information technology systems had been successfully breached by an unauthorised third party, making it one of Australia's largest non-bank lenders. 

According to the non-bank lender, hackers have taken possession of nearly ten thousand driver's licenses and two hundred and fifty thousand "customer records" over the last few days. The company notified the Australian Stock Exchange of the incident. As a result of the unusual activity it has detected on its systems "in the last few days," the company has suspended trading until Monday. The hackers were said to be very sophisticated.

There is no indication that the hackers gained access to Latitude information held at two separate service providers by using employee login credentials - whether they have been stolen or if this was a credential stuffing attack - which they were not aware of. A consortium of investors, including KKR and Deutsche Bank, acquired Latitude from GE in 2015 to sell its credit cards and instalment payment plans to retailers. In 2021, the company became public. 

Firstmac Limited, one of the largest firms in the country, has informed its customers that it has suffered a data breach the day after an alleged theft of 500GB of data from the company by the new Embargo cyber-extortion group was uncovered. In the financial services industry of Australia, Firstmac is primarily known for its mortgage lending, investment management, and securitization services, which it provides to its clients. 

Based in Brisbane, Queensland, the company employs 460 people and has issued 100,000 home loans. At the moment, the firm manages around $15 billion in mortgage loans. Troy Hunt, the creator of Have I Been Pwned, published on X yesterday a sample of the notice letter sent to Firstmac's customers informing them of a major data breach. 

Cyberdaily, the technology industry publication, reported that a large amount of data was posted on the dark web by the hackers behind the attack. EMBARGO, a ransomware gang with roots in the Netherlands, is credited with the hack – which was carried out sometime in April, according to the publication. As a report points out, Firstmac was given a ransom deadline of May 8 by the gang, a deadline that seems to have lapsed since the gang did not appear to have met that deadline. 

Cyberdaily posted screenshots of the dark website EMBARGO, which provided customer information such as their loan and financial information, as well as their email addresses. Several FirstMac executives and IT departments were also published by the gang. It is unclear how many customers and employees have been affected by the breach. 

FirstMac has been contacted for further information. While Firstmac's security systems have been strengthened in recent months, it still assured its beneficiaries that their funds and accounts are safe, and the firm's systems have been bolstered to ensure this. There has been a new requirement that everyone who wants to change an account or add a card to an account will need to provide their two-factor authentication code or biometric information to verify their identity as one of the measures that increased security.

IDCare is offering free identity theft protection services for recipients of the notices. Users are advised to be cautious when responding to unsolicited correspondence and to regularly check their account statements for any unusual activity or transactions. As a resOn the newly formed threat group's extortion page, it appears that only two victims have been identified, and it is unclear whether or not the new threat group is doing their own data breaches, or if they have been buying stolen data from others intending to blackmail the owners. 

A sample of Embargo encryption has still not been found, so it is unknown if this is a ransomware group, or if they are simply aiming to profit by extorting funds. A large number of hacks against Australian servers were recorded in the 2022-23 financial year, which is an increase of more than 300 per cent compared to the previous financial year, according to the Australian Signals Directorate, an agency under the federal government responsible for security and information. 

A data breach was discovered late last year affecting Melbourne travel agency Inspiring Vacations, in which approximately 112,000 records, totalling 26.8 gigabytes of data, were exposed online as a result of an insecure database that couldn't be password protected. The recent data breach of Optus, HWL Ebsworth, Latitude Financial, Medibank, DP World, and Dymocks has been labelled a "new normal" of constant attacks and breaches which have affected millions of Australians including customers of Optus, HWL Ebsworth, Latitude Financial, Medibank, DP World, and Dymocks among others. 

There have now been significant increases in penalties for serious or repeated breaches of customer data, largely due to the Optus breach in particular. As a result of the Embargo extortion group having announced the attack online on its site, there was extensive coverage by Australian media outlets about the attack on Firstmac which occurred at the end of April. Earlier this week, Embargo published all of the data they claimed to have stolen from Firstmac's systems, including documents, source code, email addresses, phone numbers, and database backups, one day after they made a claim it had been stolen.