Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Data Stolen. Show all posts

Port of Seattle Battles Ransomware Attack, Refuses to Pay

 



The Port of Seattle and Seattle-Tacoma International Airport have corroborated that the major system outages which took place late August were caused by a ransomware attack. On August 24, a cyberattack partially disrupted the critical operations at the airport with websites, emails, and phone services down and even affected some services at the airport. The attack was immediately detected and in response, the IT team decided to shut the entire system in order to prevent further damage.

Ransomware attack, by the criminal group, Rhysida, into the computer systems at the airport accessed unauthorised and encrypted some parts of their data. The spokesperson to the airport, Perry Cooper said that IT noticed some malicious activities in the system on the day of the attack and took immediate actions to stop the spread of malware. The Port of Seattle said the measures by its staff, including forensic experts and law enforcement, were effective in thwarting the attack since no further unauthorised activity was detected following the breach.

Operational Disruptions

Even with these measures being put into place, the attack had a great impact on the day-to-day running of Sea-Tac Airport. Passengers were denied the luxury of getting information on arrival and departure flight schedules from the reader boards for the past several days. The airlines at the airport could not use the digital systems and had to revert back to the old method of pen and paper for marking baggage. In addition to the others, critical services such as check-in kiosks, lost and found, Wi-Fi, and reserved parking were affected too, leaving many of both airline customers and employees greatly inconvenienced.

Its official website, portofseattle.org, is still unavailable, leaving travellers to rely on an alternate website, washingtonports.org, for information and updates. These services have been returning to normal gradually, but the attack affected a number of different parts of airport and port operations across the board.

Port of Seattle Refuses to Pay Ransom

Even at this advanced stage, the Port of Seattle has categorically rejected the ransom demands from the attackers. The executive director of the Port Steve Metruck stated in a public statement that to grant the ransom demand would go against the very purpose of the values of the Port and add nothing to its responsibility to protect the money that the taxpayer entrusts to the Port. The Port is alert to the fact that Rhysida may upload all the stolen data on the dark web in the name of retaliation, but it has been faithfully committed to not paying any ransom to criminals.

Although the nature and extent of the stolen data remain unknown, the Port has vowed to inform any employee or passenger whose personal data may have been compromised that their data was stolen.

Securing a Brighter Tomorrow

Over the past few months, other than trying to regain its systems following an attack, the Port of Seattle is also fortifying its defences against future attacks. On its part, the organisation has taken further actions to fortify its cybersecurity to prevent a future version of such attacks. Metruck says, "This has been a learning experience for us and lessons derived from this attack will be instrumental in building on a more resilient IT infrastructure." Apart from that, Port is working with partners to secure business and critical infrastructure.

Despite the hold-up caused by the attack, Port of Seattle officials assured the public that it is still safe to travel from Sea-Tac Airport and to make use of its maritime facilities. This shows commitment to maintaining the safety and the efficiency of its operations, including response and continued recovery.




Ransomware Group Brain Cipher Targets French Museums During Olympics

 

The ransomware group Brain Cipher has claimed responsibility for a cyberattack on several French National Museums that took place during the Olympic Games earlier this month. The attack, which targeted institutions managed by the Réunion des Musées Nationaux – Grand Palais (RMN-GP), allegedly compromised 300 GB of data from a system used to centralize financial information. 

Despite the group’s threat to leak the stolen data, they have not yet revealed the nature of the information. The French Cybersecurity Agency (ANSSI) confirmed it was alerted to the attacks and promptly provided assistance to RMN-GP. ANSSI assured the public that the incident did not affect any systems related to the Olympic Games. Events like taekwondo and fencing, hosted by the RMN-GP, continued without disruption. RMN-GP also confirmed that there were no operational impacts, encrypted systems, or extracted data detected in connection with the attack. 

Nevertheless, the situation remains closely monitored as the countdown to the data leak continues on Brain Cipher’s blog, set to occur at 20:00 UTC. Brain Cipher is a relatively new ransomware group that first emerged in June 2023. Since then, the group has been linked to various cyberattacks targeting different sectors, including medical, educational, and manufacturing organizations, along with Indonesian government servers. Despite their activities, the group has attempted to maintain a controversial public image. 

In one case, they apologized for a cyberattack on Indonesian government servers, claiming they were acting as penetration testers rather than criminals. They even released a decryptor to restore the locked files without being pressured by the government, presenting themselves as ethical hackers or white-hat operators, although their actions and motives remain dubious. The data allegedly stolen from RMN-GP is believed to involve sensitive financial information, but no further details have been disclosed by Brain Cipher. 

The threat of releasing such a large volume of data has sparked concerns over potential exposure of confidential details, which could affect both the organization and the individuals associated with it. As the clock ticks down to the group’s proposed leak, questions are raised about the nature of the stolen data and the potential fallout from its exposure. Cyberattacks like this highlight the growing threat posed by ransomware groups to both public and private institutions worldwide. 

The incident also underscores the importance of robust cybersecurity measures, particularly during high-profile events such as the Olympic Games. Although there has been no impact on the Olympic-related systems, the attack serves as a reminder of the constant vigilance required to protect critical infrastructure and data.

The Hidden Cost of Connected Cars: Your Driving Data and Insurance

 

Driving to a weekend getaway or a doctor's appointment leaves more than just a memory; it leaves a data trail. Modern cars equipped with internet capabilities, GPS tracking, or services like OnStar, capture your driving history. This data is not just stored—it can be sold to your insurance company. A recent report highlighted how ordinary driving activities generate a data footprint that can be sold to insurers. These data collections often occur through "safe driving" programs installed in your vehicle or connected car apps. Real-time tracking usually begins when you download an app or agree to terms on your car's dashboard screen. 

Car technology has evolved significantly since General Motors introduced OnStar in 1996. From mobile data enhancing navigation to telematics in the 2010s, today’s cars are more connected than ever. This connectivity offers benefits like emergency alerts, maintenance notifications, and software updates. By 2030, it's predicted that over 95% of new cars will have some form of internet connectivity. Manufacturers like General Motors, Kia, Subaru, and Mitsubishi offer services that collect and share your driving data with insurance companies. Insurers purchase this data to analyze your driving habits, influencing your "risk score" and potentially increasing your premiums. 

One example is the OnStar Smart Driver program, which collects data and sends it to manufacturers who then sell it to data brokers. These brokers resell the data to various buyers, including insurance companies. Following a critical report, General Motors announced it would stop sharing data with these brokers. Consumers often unknowingly consent to this data collection. Salespeople at dealerships may enroll customers without clear consent, motivated by bonuses. The lengthy and complex “terms and conditions” disclosures further obscure the process, making it hard for consumers to understand what they're agreeing to. Even diligent readers struggle to grasp the full extent of data collection. 

This situation leaves consumers under constant surveillance, with their driving data monetized without their explicit consent. This extends beyond driving, impacting various aspects of daily life. To address these privacy concerns, the Electronic Frontier Foundation (EFF) advocates for comprehensive data privacy legislation with strong data minimization rules and clear, opt-in consent requirements. Such legislation would ensure that only necessary data is collected to provide requested services. For example, while location data might be needed for emergency assistance, additional data should not be collected or sold. 

Consumers need to be aware of how their data is processed and have control over it. Opt-in consent rules are crucial, requiring companies to obtain informed and voluntary permission before processing any data. This consent must be clear and not hidden in lengthy, jargon-filled terms. Currently, consumers often do not control or even know who accesses their data. This lack of transparency and control highlights the need for stronger privacy protections. By enforcing opt-in consent and data minimization, we can better safeguard personal data and maintain privacy.

Cybercriminals Threaten Release of Stolen World-Check Database, Exposing Millions to Financial Risk

 

A financially motivated criminal hacking group, self-identified as GhostR, has claimed responsibility for the theft of a confidential database containing millions of records from the renowned World-Check screening database. The stolen data, totaling 5.3 million records, includes sensitive information used by companies for screening potential customers and assessing their links to sanctions and financial crime.
 
World-Check, a vital tool for conducting "know your customer" (KYC) checks, enables companies to identify high-risk individuals with potential ties to money laundering, government sanctions, or other illicit activities. The hackers disclosed that they obtained the data from a Singapore-based firm with access to the World-Check database, though the specific company remains unnamed. 

A portion of the stolen data encompasses individuals sanctioned as recently as this year. The compromised records include details of current and former government officials, diplomats, politically exposed persons (PEPs), individuals associated with organized crime, suspected terrorists, intelligence operatives, and even a European spyware vendor. These individuals are deemed high-risk for involvement in corruption, bribery, or other illicit activities. 

The stolen data comprises a wealth of sensitive information, including names, passport numbers, Social Security numbers, online cryptocurrency account identifiers, bank account numbers, and more. Such a breach poses significant risks, as it could potentially expose innocent individuals to unwarranted scrutiny and financial harm. 

Simon Henrick, a spokesperson for the London Stock Exchange Group (LSEG), which oversees World-Check, clarified that the breach did not originate from LSEG's systems but involved a third party's data set. While LSEG did not disclose the identity of the third-party company, they emphasized their commitment to collaborating with the affected party to safeguard data integrity and notify relevant authorities. 

Privately operated databases like World-Check are not immune to errors, raising concerns about the accuracy and fairness of their content. Past incidents, such as the 2016 leak of an older World-Check database, underscore the potential repercussions of erroneous data, including wrongful accusations and financial repercussions for innocent individuals. 

The breach highlights the critical need for enhanced cybersecurity measures and regulatory oversight to protect sensitive personal information and mitigate the risks associated with data breaches. As investigations into the incident continue, stakeholders must prioritize transparency, accountability, and proactive measures to prevent future breaches and safeguard consumer data privacy.

Motel One Says Ransomware Gang Stole Customer Credit Card Information

Motel One, a prominent hotel chain in Europe, recently experienced a ransomware attack, resulting in unauthorized access to customer data. The hotel is recognized for its budget-friendly accommodations and operates a network of 90 hotels across Europe and the United States. The hotel has assured that the impact of the attack was kept to a bare minimum. 

Nevertheless, it has been confirmed that the attackers were able to access specific sensitive customer credentials, including address details and the information associated with 150 credit cards. Prior to the hotel's official statement concerning the attack, the company's name appeared on the dark web leak site associated with the ALPHV ransomware gang. 

The group has stated that they successfully obtained several terabytes of data from the company, notably encompassing portions of customer information. Additionally, TechCrunch company has gained access to a segment of this data, as claimed by the ransomware gang, which is purported to contain details of both employees and specific customers. 

What measures we can take against ransomware attacks? 

1. Extensive research underlines that a significant portion of cyberattacks find their roots in phishing emails. However, through ongoing education and training in social engineering tactics, we have the power to effectively decrease the likelihood of a data breach by as much as 70%. 

2. Insufficient software updates significantly contribute to cybersecurity breaches. It is imperative to uphold a thorough system inventory, conduct comprehensive vulnerability assessments, and apply patches promptly and consistently. 

3. Promote a practice of not reusing passwords and encourage regular password changes among employees. Employing browser-based password managers can be a beneficial tool. The implementation of MFA provides an additional level of user validation and authorization. 

4. Incorporating backups into your risk management and contingency strategies is paramount. Regularly testing and keeping backups isolated from the primary network are critical measures. It's worth noting that while backups are invaluable, they may not always provide complete protection against extortion attempts in the event of a ransomware attack. 

5. Being prepared for unexpected events is essential. A thoroughly rehearsed incident response plan, when coupled with the deployment of endpoint detection and response (EDR) tools, empowers businesses to adeptly handle cyberattacks, lessen the repercussions of a security incident, and accelerate recovery initiatives. 

Additionally, in the event of a ransomware attack, it's crucial not to give in to the extortionists' demands. Instead, we strongly advise reaching out to your local cybersecurity authority, Cyber Watch officers, or the Internet Crime Complaint Center. Remember, paying the ransom will only embolden further ransomware criminal activity.

North Korean Hackers Breach Russia’s Top Missile Maker’s Data


Reuters reported on Tuesday about a North Korea-based elite hacker group that is in a bid to steal technology by covertly breaching the computer networks of a Russian missile developer giant. Apparently, the hackers have been running the campaign for nearly five months in 2022. 

The North Korean cyberespionage group has targeted Mashinostroyeniya, a rocket design based in Reutov, Moscow. The hackers group, code-named ScarCruft and Lazarus installed covert digital backdoors into the system at NPO Mashinostroyeniya and was located by Reuters’ James Pearson and Christopher Bing.

However, it has not been made clear as to what data was acquired in the breach. In the following month, the digital break-in Pyongyang introduced several new developments in its banned ballistic missile program, while is not clear if this was in any regards to the breach.

Moreover, no official confirmation has been provided of the espionage by NPO Mashinostroyeniya officials.

About the Targeted Company

The company, commonly known as NPO Mash, specialized in developing hypersonic missiles, satellite technologies and new-generation ballistic armaments. The company was prominent in the Cold War as a premier satellite maker for Russia's space program and as a provider of cruise missiles.

According to experts, the hackers garnered interest in the company after it underlined its mission to develop an Intercontinental Ballistic Missile (ICBM), capable of bringing catastrophe to the mainland United States.

Apparently, the hackers acquired access to the company’s documents and leaked them between 2021, and May 2022. Following this, the IT engineers detected the cybercrime activities, the news agency reported. 

Hackers Read Email Traffic, Jumped Between Networks and Extracted Data from the Company 

According to Tom Hegel, a security researcher with U.S. cybersecurity firm SentinelOne, following the hack, the hackers gained access to the company’s IT environment, which enabled them to read email traffic, jump between networks, and extract data. "These findings provide rare insight into the clandestine cyber operations that traditionally remain concealed from public scrutiny or are simply never caught by such victims," Hegel said.

Digging further into the findings, Hegel’s team of security analysts discovered that one of the NPO Mash IT employees unintentionally exposed his company's internal communications while attempting to investigate the North Korean attack by uploading evidence to a secret portal used by cybersecurity researchers worldwide.

Experts speculate that the data stolen by the hacker group is of great importance, however, it will take a lot more information, effort and expertise for them to actually develop a missile. 

"That's movie stuff[…]Getting plans won't help you much in building these things, there is a lot more to it than some drawings," Hegel further added.

With 95% Accuracy, New Acoustic Attack can Steal from Keystrokes


UK universities’ researchers have recently developed a deep learning model, designed to extract information from keyboard keystrokes collected using a microphone, with 95% accuracy. 

The prediction accuracy decreased to 93% when Zoom was used to train the sound classification algorithm, still exceedingly good and a record for that medium.

Such an attack has a significantly adverse impact on the users’ data security since it is capable of exposing users' passwords, conversations, messages, and other sensitive information to nefarious outsiders.

When compared to the other side attacks that need specific circumstances and are susceptible to data rate and distance restrictions, these acoustic attacks are easier to operate because of the popularity of devices that are now equipped with high-end microphones. 

This makes sound-based side-channel attacks achievable and far more hazardous than previously thought, especially given the rapid advances in machine learning.

Listening to Keystrokes

The attack is initiated in order to acquire keystrokes on the victim’s keyboard, since the data is required for the prediction algorithm to work. This can be done via a nearby microphone or by accessing the microphone on the target's phone, which may have been compromised by malware.

Additionally, keystrokes can also be recorded via Zoom call, in which, rogue meeting attendee compares the messages entered by the target with the auditory recording of that person.

The researchers acquired training data by pressing 36 keys on a modern MacBook Pro, 25 times each, further recording the sounds produced on each press. 

The spectrogram images were used to train the image classifier "CoAtNet," and it took some trials and errors with the epoch, learning rate, and data splitting parameters to get the best prediction accuracy outcomes.

The same laptop, whose keyboard has been present in all Apple laptops over the past two years, an iPhone 13 mini positioned 17 cm from the target, and Zoom were utilized in the researchers' tests.

The CoatNet classifier gained 95% accuracy in the smartphone recordings and 93% from the content captured via Zoom. Skype, on the other, produced comparatively lower accuracy, i.e. 91.7%.

Possible Security Measures

In order to protect oneself from side-channel attacks, users are advised to try “altering typing styles,” or generating passwords with randomized keys. 

Another safety measure includes utilizing software in order to generate keystroke sounds, white noise, or software-based keystroke audio filters. 

Moreover, since the attack model proved highly efficient even against a very silent keyboard, installing sound dampeners to mechanical keyboards or shifting to membrane-based keyboards is unlikely to help in any way. 

Finally, using password managers to avoid manually entering sensitive information and using biometric authentication whenever possible also serve as mitigating factors.

Dragos Hacked: Cybersecurity Firm Reveals “Cybersecurity Event”, Extortion Attempt


Industrial cybersecurity company Dragos  recently revealed a “cybersecurity event,” where a notorious cybercrime gang attempted to breach Dragos' defenses and access the internal network to encrypt devices.

The firm disclosed the incident on its blog on May 10, alleging that it took place on May 8 where hackers acquired access to SharePoint and the Dragos contract management system by compromising a new sales employee's personal email address before the employee's start date. The hacker then impersonated the employee to complete the first steps of Dragos' employee-onboarding procedure using the stolen personal information from the hack.

After infiltrating Dragos’ SharePoint cloud platform, the hackers apparently downloaded “general use data” and access 25 intel reports, generally only made available to the customers.

“Dragos' swift response prevented the threat group from achieving its objective — the deployment of ransomware — or to engage in further activity, such as lateral movement, escalating privileges, establishing persistent access, or making changes to any Dragos infrastructure[…]No Dragos systems were breached, including anything related to the Dragos Platform,” the company noted. 

Due to role-based access control (RBAC) regulations, the threat actors were unable to access several Dragos systems during the 16 hours they had access to the employee's account, including its messaging, IT helpdesk, finance, request for proposal (RFP), employee recognition, and marketing systems.

Eleven hours into the attack, after failing to break into the company's internal network, they sent an email of extortion to Dragos executives. Because the message was sent after business hours, it was read five hours later.

Five minutes into reading the extortion message, Dragos disabled the compromised user account, terminated all open sessions, and prevented the hackers' infrastructure from accessing company resources.

The cybercriminal group also attempted to extort the firm by threatening to make the issue public in emails sent to CEOs, senior employees, and family members of Dragos who have public contacts.

One of the IP addresses specified in the IOCs is 144.202.42[.]216, earlier discovered hosting SystemBC malware and Cobalt Strike, both frequently used by ransomware gangs for remote access to compromised systems.

"While the external incident response firm and Dragos analysts feel the event is contained, this is an ongoing investigation. The data that was lost and likely to be made public because we chose not to pay the extortion is regrettable," Dragos said.   

Clearview AI Scraps 30 Billion Images Illicitly, Giving Them to Cops


Clearview’s CEO has recently acknowledged the notorious facial recognition database, used by the law enforcement agencies across the nation, that was apparently built in part using 30 billion photos that were illicitly scraped by the company from Facebook and other social media users without their consent. Critics have dubbed this practice as creating a "perpetual police line-up," even for individuals who did not do anything wrong. 

The company often boasts of its potential for identifying rioters involved in the January 6 attack on the Capitol, saving children from being abused or exploited, and assisting in the exoneration of those who have been falsely accused of crimes. Yet, critics cite two examples in Detroit and New Orleans where incorrect face recognition identifications led to unjustified arrests. 

Last month, the company CEO, Hoan Ton-That admitted in an interview with the BBC that Clearview utilized photos without users’ knowledge. This made it possible for the organization's enormous database, which is promoted to law enforcement on its website as a tool "to bring justice to victims." 

What Happens When Unauthorized Data is Scraped 

Privacy advocates and digital platforms have long criticized the technology for its intrusive aspects, with major social media giants like Facebook sending cease-and-desist letters to Clearview in 2020, accusing the company of violating their users’ privacy. 

"Clearview AI's actions invade people's privacy which is why we banned their founder from our services and sent them a legal demand to stop accessing any data, photos, or videos from our services," says a Meta spokesperson in an email Insider, following the revelation. 

The spokesperson continues by informing Insider that Meta, since then, has made “significant investments in technology and devotes substantial team resources to combating unauthorized scraping on Facebook products.”

When unauthorized scraping is discovered, the company may take action “such as sending cease and desist letters, disabling accounts, filing lawsuits, or requesting assistance from hosting providers to protect user data,” the spokesperson said. 

In spite of internal policies, biometric face prints are made and cross-referenced in the database once a photo has been scraped by Clearview AI, permanently linking the individuals to their social media profiles and other identifying information. Individuals in the photos have little recourse to try to remove themselves from the photos. 

Searching Clearview’s database is one of the many methods where police agencies can make use of social media content to aid in investigations, like making requests directly to the platform for user data. Although the use of Clearview AI or other facial recognition technologies by law enforcement is not monitored in most states and is not subject to federal regulation, some critics argue that it should even be banned.  

Latitude Financial Reveals Extent of Cyber Attack: 14 Million Customers Affected

 

Recently, Latitude Financial, a company listed on the Australian Securities Exchange (ASX), reported that it had suffered a cyber attack. The company stated that the attack was believed to have originated from a major vendor used by the company and that the attacker had obtained login credentials from an employee. The attacker then used these credentials to steal personal information that was held by two other service providers. 

Latitude Financial provides a range of financial services, including loans, credit cards, and insurance, in Australia, New Zealand, Canada, and Singapore. The company also offers interest-free installments for customers of retailers such as JB Hi-Fi, The Good Guys, and David Jones when they shop online. 

Following the attack, DXC Technology, a global technology services company, issued a statement on its website confirming that its global network and customer support networks were not compromised in the attack on Latitude Financial. 

Ten days after Latitude Financial revealed that it had suffered a cyber attack, the company discovered that the breach was much more severe than initially believed. Data from 14 million people had been accessed, rather than the 330,000 that was initially thought. 

The attacker had used the stolen employee credentials to access customer data stored by both service providers before the incident was patched. As of 27 March, Latitude Financial had identified that 7.9 million Australian and New Zealand driver license numbers were stolen, with approximately 3.2 million of them provided to the company in the last 10 years. Additionally, around 53,000 passport numbers were accessed, and fewer than 100 customers had a monthly financial statement stolen. 

The company further confirmed that 6.1 million records dating back to 2005 had been accessed, including customers' names, addresses, telephone numbers, and dates of birth. 

In response to the breach, Latitude Financial's Chief Security Officer, Ahmed Fahour, stated that the company was committed to working closely with affected customers and applicants to minimize risk and disruption, including compensating the cost of replacing ID documents. The company also urged its customers to be vigilant and report any suspicious behavior relating to their accounts and reminded them that the company would never contact them to request passwords.

Data Breach: Data of 168 Million Citizens Stolen and Sold, 7 Suspects Arrests


A new case of a massive data breach that would have had consequences over the national security has recently been exposed by Cyberabad Police. The investigation further led to the arrest of seven individuals hailing from a gang, allegedly involved in the theft and sale of the sensitive government data and some significant organizations, including credentials of defense personnel as well as the personal and confidential data of around 168 million citizens. 

The accused were discovered selling data on more than 140 distinct groups of individuals, including military personnel, bank clients, energy sector consumers, NEET students, government employees, gas agencies, high net worth individuals, and demat account holders. 

Another category of victims include Bengaluru women’s consumer data, data of people who have applied for loans and insurance, credit card and debit card holders (of AXIS, HSBC and other banks), WhatsApp users, Facebook users, employees of IT companies and frequent flyers. 

"When an individual calls the toll-free numbers of JustDial and asks for any sector or category related confidential data of individuals, their query is listed and sent to that category of the service provider. Then these fraudsters call those clients/ fraudsters and send them samples. If the client agrees to purchase, they make payment and provide the data. This data is further used for committing crime," stated the commissioner. 

The accused gang apparently operated via registered and unregistered organizations: Data Mart, Infotech, Global Data Arts and MS Digital Grow. 

The accused were found to have access to 2.5 lakh defense personnel's sensitive data, including their ranks, email addresses, places of posting, etc. The thieves gained access to the data of 35,000 Delhi government employees, 12 million WhatsApp users, 17 lakh Facebook users, and 11 million customers of six banks. Also, the defendants had access to information on 98 lakh applicants for credit cards. 

Main suspect Kumar in Noida, Nitish Bhushan had created a call center and obtained credit card records from Muskan Hassan, another defendant. The other suspects, Pooja Pal and Susheel Thomar were reportedly operating as tele-callers at Bhushan’s call center. While, Atul Pratap Singh's business, "Inspiree Digital," gathered credit cardholder data and profitably marketed it. Atul's workplace had employed Muskan as a telemarketer before she started her own business, "MS Digital Grow." She served as a middleman, selling data. She organized the data that Atul had provided and sold it to Bhushan. 

Sandeep Pal founded Global Data Arts and sold private consumer information to fraudsters engaging in online crimes through Justdial services and social media platforms. The seventh defendant, Zia Ur Rehman, shared the database with Atul and Bhushan and offered bulk message services for advertising.  

Home Security: Breaches and Ransomware Making it Impossible to Review Firms and Their Security


The recent Ring home security ransomware incident and Eufy's insecure network has left numerous researchers and users wondering about the cyber safety these home security and surveillance firms possess. 

Product reviewers and tech journalists are even left with a sense of perplexity on what security camera, or security product must they recommend to potential users, knowing for a fact that the backend could or could not be secure. 

According to Michael Hicks, senior editor at Android Central “When I review a product, I try to be as nitpicky as possible. Not because I want to give a bad review, but because it's my job to go past the idealized press releases and spec sheets to see the cracks beneath the surface.” 

While it is possible to cite certain problems pertaining to a security camera, like the video quality or an unreliable AI detection. However, there is always the possibility of some undiscovered breach, even with the some of the best cameras around, that are tested and appreciated. 

Hicks says, this is not something most tech journalists are qualified to detect. With a smartphone, one can examine most software and security for themselves, and users too have almost complete control to block or enable apps from tracking them. The entire data security for a security camera is managed remotely, therefore we can only trust the company to protect ones data safely. 

The issue is that, if ever, we really can trust a security business to provide an honest assessment of its cybersecurity. 

Companies like LastPass or Eufy, whether they specialize in hardware or software, frequently conceal any ongoing breaches for months until they become public, at which point they play down their seriousness with technical jargons and mitigating factors. 

Some Recent Unsettling Incidents 

According to a report Vice published this past week regarding a third-party associated with Ring being infected by BlackCat ransomware, Ring employees have been instructed to “anything about this,” and that they are unsure yet what user data is at risk if Amazon does not pay. 

Prior to this incident, security researcher Paul Moore found that Eufy cameras were sending users' images and facial recognition data to the cloud without them knowing or consent, that one could stream anyone's private camera feeds from a web browser, and that Eufy's AES 128 encryption was easily cracked due to the use of simple keys. 

In response, Eufy patched some issues and edited its privacy guidelines to provide fewer protections for its users. 

Accepting the Unknown 

The bottom line is: even the renowned security firms with encryption that seems impenetrable can make choices that expose your personal information or home feeds, or they can recruit someone who unethically abuses their position of authority. And even if someone blows the whistle or a security expert notices the error, there is absolutely no guarantee that you will learn about it after that corporation learns about it. 

In an environment like this, casually reviewing any company's security camera on the basis of its merits and recommending online readers seems like an irresponsible take. Michael Hicks in his article wrote “It's my job to do so, and I will write about the Blink Indoor and Blink Mini once it's clear how its parent company handles the Ring ransomware attack.” 

However, in doing so, Michael Hicks adds he will have to include certain big disclaimers that he “just don't know what Blink's (or any company's) weakest link is.” There is a possibility that it could be a dishonest employee, an unreliable third-party team, shoddy encryption, or something else. 

In the meantime, he advises individuals to use security cams with local storage in order to avoid storing their private footages and information on company servers. However, there is no guarantee of security, considering the fact that firms like Eufy was well received and trusted as a local storage option before its numerous problems were revealed.  

Ring Data Breach: What you Need to Know About the Home Security Company Attack


With innovative doorbells and security cameras making a huge breakthrough for home security across the world, Ring now stores a great amount of data. Although the company has recently been facing ransomware gang threats to expose the data online. 

About Ring LLC 

Ring LLC is a home security and smart home company owned by Tech-giant Amazon. The firm creates home security systems with exterior cameras, such as the Ring Video Doorbell smart doorbell, and runs the Neighbors app, which allows users to share video footage with each other online in a communal setting. 

Ring Data Breach 

According to a report by Motherboard, the ALPHV ransomware gang has claimed to have acquired access to Amazon-owned Ring’s systems and its data. Despite the fact that there is no proof of a system breach, Ring did indicate as much in a statement to the news organization. But, it is well known to them that a ransomware assault has affected one of its third-party providers. 

In a response to Ring, ALPHV shares a post on Twitter saying “There’s always an option to let us leak your data”. The ransomware group has not yet made any of the data it is said to have stolen from the business available. But, there is still cause for alarm when Motherboard discovered a Ring listing on ALPHV's data dump website. 

Ransomware groups like ALPHV have evolved into using data dump sites to entice victims into paying ransoms in order to regain access to their data. In an effort to persuade businesses to cooperate with the hackers holding their data hostage, a tiny percentage of the stolen data from those businesses is frequently posted publicly. 

ALPHV Ransomware Gang 

The ALPHV ransomware gang has attacked companies in the US, Europe, and Asia. The group has also been referred to as BlackCat, named after the malware it deploys. In the past, ALPHV has taken credit for hacking hospitality firms like the Westmont Hospitality Group, which manages IHG and Hilton hotels around the world, as well as leaking medical data from the Lehigh Valley Health Network. 

ALPHV's data dump site, where it posts stolen data in collections referred to as "Collections," is another feature that sets it distinct from other ransomware organizations. Other ransomware organizations may have comparable websites, but ALPHV's is renowned for being indexed and simpler to search. 

Should you be Worried About Your Ring Data? 

Currently, Amazon is looking into a third-party vendor's data breach that ALPHV has claimed responsibility for. We are unlikely to hear anything more until this investigation is over. Ring's products are widely utilized in homes all over the world since they are among the best video doorbells and home security cameras today. 

However, the firm employs end-to-end encryption (E2EE) in the majority of nations to prevent governments and other parties from accessing the data from your cameras and snooping on them. If the ALPHV ransomware gang did end up infiltrating Ring’s third-party vendors, it is possible that the group has also managed to steal corporate or customer data in the attack. 

If you are concerned about your Ring data or even the fact that the firm is charging for features that were previously free, it is a good time to consider some alternatives instead. In any case, we will probably soon learn whether or not the ALPHV ransomware gang managed to steal client data.  

No Evidence: Twitter Denies Hacking Claims and The Stolen Data Being Sold Online


Twitter has denied the claim of getting hacked and the stolen data being sold online. 

According to a LinkedIn post last week by Alon Gal, co-founder of the Israeli cybersecurity monitoring company Hudson Rock, stolen data has been discovered, that contained email addresses of more than 200 million twitter users. 

The breach would probably result in "hacking, targeted phishing, and doxxing," according to Gal, who labeled it as a "significant leak" and said that the information had been uploaded on an internet hacker forum. 

He claimed that despite alerting the firm, Twitter, he had not received a response. 

"I urge security researchers to conduct a thorough examination of the leaked data and rule out Twitter's conclusion of the data being an enrichment of some sort which did not originate from their own servers," says Alon Gal. 

Although, Twitter has denied all claims of the emails, allegedly linked to the users’ accounts, being obtained through a hack. 

In regards to the issue Twitter responded by stating “in response to recent media reports of Twitter users’ data being sold online, we conducted a thorough investigation and there is no evidence that data recently being sold was obtained by exploiting a vulnerability of Twitter systems.” 

According to Twitter, the stolen records in question was instead probably a collection of data “already publicly available online.” While it still warns online users to be wary of suspicious emails. 

Gal, meanwhile, disapproved of Twitter's answer in a fresh post on LinkedIn. In contrast to instances of data enrichments, he noted, “The authenticity of the leak is evident in the lack of false positives between Twitter usernames and emails found in the database, opposite to cases of data enrichments.” 

The disclosure came to light following the multiple reports that Twitter data of millions of users – 5.4 million in November 2022, 400 million in December 2022, and 200 million last week – have been exposed online for sale on cybercrime forums. 

The Breach Could Not Be Correlated to Previous or New Incidents 

Twitter, in its latest post says that the latest dataset breach of 200 million users “could not be correlated with the previously reported incident, nor with any new incident or any data originating from an exploitation of Twitter systems.” 

It added that, “None of the datasets analyzed contained passwords or information that could lead to passwords being compromised.” 

Moreover, in December 2022, another set of reports claimed that 400 million email addresses and phone numbers were stolen from Twitter – which the company denied as well.  

Military Device Comprising of Thousands of Peoples' Biometric Data Sold on eBay


The last time the U.S. military used its Secure Electronic Enrollment Kit (SEEK II) devices was more than ten years ago, close to Kandahar, Afghanistan. The bulky black rectangle piece of technology, which was used to scan fingerprints and irises, was switched off and put away.

That is, until Matthias Marx, a German security researcher, purchased the device for $68 off of eBay in August 2022 (a steal, at about half the listed price). Marx had unintentionally acquired sensitive, identifying information on thousands of people for the cheap, low price of less than $70. The biometric fingerprint and iris scans of 2,632 people were accompanied by names, nationalities, photographs, and extensive descriptions, according to a story by The New York Times. 

From the war zone areas to the government equipment sale to the eBay delivery, it seems that not a single Pentagon official had the foresight to remove the memory card out of the specific SEEK II that Marx ended up with. The researcher told the Times, “The irresponsible handling of this high-risk technology is unbelievable […] It is incomprehensible to us that the manufacturer and former military users do not care that used devices with sensitive data are being hawked online.”  

According to the Times, the majority of the data in the SEEK II was gathered on people who the American military has designated as terrorists or wanted people. Others, however, were only ordinary citizens who had been detained at Middle Eastern checkpoints or even people who had aided the American administration. 

Additionally, all of that information might be utilized to locate someone, making the devices and related data exceedingly hazardous, if they ended up in the wrong hands. For instance, the Taliban may have a personal motive for tracking down and punishing anyone who cooperated with U.S. forces in the area. 

Marx and his co-researchers from Chaos Computer Club, which claims to be the largest hacker group in Europe, purchased the SSEK II and five other biometric capture devices- all from eBay. The group then went on with analyzing the devices for potential flaws, following a 2021 report by The Intercept, regarding military tech seize by the Taliban. 

Marx was nonetheless concerned by the extent of what he discovered, despite the fact that he had set out from the start to assess the risks connected with biometric devices. The Times reports that a second SEEK II purchased by CCC and last used in Jordan in 2013 contained data on U.S. troops—likely gathered during training—in addition to the thousands of individuals identified on the single SEEK II device last used in Afghanistan.  

Darknet Markets: Millions in Revenue Generated by Selling Stolen Personal Data

 

A recent research report by The Conversation demonstrates that, much like many legal commodities, stolen products are distributed via a supply chain that includes producers, wholesalers, and consumers. However, this supply chain entails links of several criminal organizations, operating in an illicit underground marketplace. 

Producers, Wholesalers, and Distributors

This supply chain of compromised data begins with the inclusion of a producer, i.e. a hacker or a threat group, who gains unauthorized access to vulnerable systems and steals sensitive information. The stolen data may include credit card numbers, bank account information, social security number, etc. 

The stolen data is then advertised by wholesalers and distributors, in order to trade the data. 

In the end, a consumer may purchase the stolen data. This data is utilized in order to commit cybercrime activities, or scams like fraudulent credit card transactions, identity thefts, or phishing attacks. 

This trade of stolen data between producers, wholesalers, and consumers is reportedly carried out in the darknet markets, which are illicit websites, imposing as legitimate e-commerce websites, except they are accessible only when operated through a special browser or authorization codes. 

According to reports, several thousand sellers were found selling tens of thousands of stolen data products, on just 30 darknet markets. Over an eight-month period, these data retailers have generated a whopping sum of $140 million or more in sales. 

Darknet Markets: 

Darknet markets offer a platform for sellers to get in touch with potential customers to aid transactions, much like any conventional e-commerce website. However, darknet markets are well-recognized for selling illegal products. Another significant distinction is the need for specialized software, such as the Onion Router, or TOR browser, which offers security and anonymity to the user, to access darknet markets. 

Renowned darknet market, Silk Road came to light in the year 2011 by apparently combining TOR and bitcoin. Later, in 2013, the market was eventually seized, with the founder, Ross Ulbricht being sentenced to two life sentences plus an additional 40 years of imprisonment without the chance of parole. The severe prison term given to Ulbricht did not have the anticipated deterrent impact. To fill the void, numerous markets developed, which led to the development of a robust ecosystem that profited from stolen personal data. 

Taking into consideration how major a role the darknet market plays in trafficking stolen data, the study conducted the largest systematic examination of stolen data markets, in order to better comprehend the extent of the illegal darknet ecosystem. The study first examined 30 darknet markets, which advertised stolen products. 

Further information was deciphered about the stolen products of the market in the course of a week for eight months, from September 1, 2020, through April 30, 2021. The information extracted from this scrutiny was utilized to determine the number of vendors trading the stolen products, the number of stolen data products advertised, the number of products sold and the amount of revenue generated. 

The study, after evaluating the ecosystem's overall characteristics, analyzed each market separately. In doing so, it was discovered that a small number of markets were in charge of selling the majority of the stolen data items. Apollon, WhiteHouse, and Agartha were the three biggest markets, accounting for 58% of all sellers. The total number of sales ranged from 0 to 237,512, and the number of listings ranged from 38 to 16,296. During the 35-week period, there were significant variations in each market's total revenue, which ranged from $0 to $91,582,216 for Agartha, the most successful of all markets mentioned.  

Darknet Stolen Data Marketplaces

The research done by The Conversation sheds like on the booming underground economy and illicit supply chains of stolen data, that are being operated in the darknet markets. For as long as the data continues to be stolen, there is a possibility of an upsurge of marketplaces to trade the stolen information. 

While the darknet markets could not be possibly taken down directly, efforts to prevent the customers from utilizing the stolen data offer some hope in the picture. One way to do this is, by utilizing the advancement of A.I. technology, which can provide law enforcement agencies, financial institutions, and others with the information required to prevent data from being stolen, or stolen data utilized for cybercrime activities. 

This would further halt the flow of stolen data in supply chains, eventually disrupting the underground economy that is largely benefitting from your personal information.   

A New SolidBit Ransomware Variant Hit Famous Games

Cybersecurity researchers reported a new advanced SolidBit ransomware variant that is victimizing the audience of famous games and social media platforms. “The malware was uploaded to GitHub, where it is disguised as different applications and an Instagram follower bot to lure in victims,” cybersecurity solutions firm Trend Micro reported. 

Nathaniel Morales, Monte de Jesus, Ivan Nicole Chavez, Lala Manly, and Nathaniel Gregory Ragasa published technical details of their analysis of the new ransomware variant. “When an unsuspecting victim runs the application, it automatically executes malicious PowerShell codes that drop the ransomware into the system,” the analysis reads. 

Solidbit ransomware is a type of computer virus that executes malicious code into Windows to encrypt all personal files located on it and locks all personal files. “It’s possible that SolidBit’s ransomware actors are currently working with the original developer of Yashma ransomware and likely modified some features from the Chaos builder, rebranding it as SolidBit,” experts observed. 

The League of Legends account checker on GitHub uploaded a file that contains instruction tools, however, it does not include a graphic user interface (GUI) or any other behavior related to its supposed function it is only a lure to the users, Experts at Trend Micro claimed. 

Among the files bundled with the account checker, experts have discovered an executable file Rust LoL Accounts Checker.exe which is protected by Safengine Shielden, once the file is executed in the system, an error window appears and claims that debugging tools have been detected which could be of the malware’s anti-debugging capabilities and anti-virtualization. 

“If users click on this executable file, it will drop and execute a program with malicious codes that drop and execute the SolidBit ransomware. It will begin disabling Windows Defender’s scheduled scans and any real-time scanning of some folders,” Trend Micro said. 

Experts in conclusion have recommended that users use multifactor authentication (MFA) to prevent hacker groups from performing lateral movement inside a network.

New DawDropper Malware Targeting Android Devices via Play Store

Trend Micro security team has discovered a brand new phishing campaign that is distributing banking trojans on the Google Play Store. This malicious software is called DawDropper. These “Droppers” impersonate trusted apps to gain access to victims’ mobile devices and make it very legit to detect threat actors and are highly effective for malware distribution. 

Additionally, Trend Micro security researchers reported that over a dozen fake and malicious Android dropper apps are present on the Google Play store containing banking malware. 

The software (DawDropper) is very famous and, it is also offered for sale as DaaS (dropper-as-a-service) by some threat actors on the malicious web. Additionally, it used a third-party cloud service Firebase Realtime Database to evade detection and obtain a payload download address. It also hosts payloads on GitHub. 

This malicious campaign aims to gain access to users’ banking data to steal money from their banking apps including PIN codes, passwords, banking credentials, etc. Hackers can intercept text and gain complete command over affected devices through malware. 

“We found a malicious campaign that uses a new dropper variant that we have dubbed as DawDropper. Under the guise of several Android apps such as Just In Video Motion, Document Scanner Pro, Conquer Darkness, simpli Cleaner, and Unicc QR Scanner,” Trend Micro security team reported. 

The following are the names of the malicious dropper apps discovered on the Google Play Store: • Fix Cleaner, Crypto Utils, Rooster VPN, Lucky Cleaner, Extra Cleaner, Simple Cleaner, Conquer Darkness, Call Recorder APK, Unicc QR Scanner, Eagle photo editor, Call recorder pro+, Universal Saver Pro, Just In: Video Motion, Document Scanner – PDF Creator, Super Cleaner- hyper & smart. 

These apps are masqueraded as utility and productivity apps, including VPN services, QR code readers, call recorders, and document scanners. With the pretense of general utility apps, dropper apps bypass Play Store security checks. Besides DawDropper, these apps are used to download more capable and intrusive malware on a device, such as Octo (Coper), Hydra, Ermac, and TeaBot. 

Trend Micro’s blog post listed some points to help from infecting mobile devices: 

• Don’t download an app to your device without checking the user reviews in the app store. 
• Before downloading the app first research the developers and publishers of the app. 
• And, Avoid downloading apps from unknown sources.

Watch Out For This Raccoon Stealer 2.0 With New Capabilities


Raccoon Stealer also named Legion, Mohazo, and Racealer, a high-risk trojan-type application that attacks the system and steals personal credentials is back with a second upgraded version circulating on cybercrime forums, offering hackers elevated password-stealing functionality and advanced operational capacity. 

The trojan whose services are being offered by various hacker groups on hacker forums, when installed on one's system can lead to various cyber issues. 

The Raccoon Stealer operation was taken down in march 2022 when its operators reported that one of the lead developers of the forum was killed during Russia’s invasion of Ukraine. Also, the team promised its come back with a second upgraded version with more capabilities. 

“We expect a resurgence of Raccoon Stealer v2, as developers implemented a version tailored to the needs of cybercriminals (efficiency, performance, stealing capabilities, etc.) and scaled their backbone servers to handle large loads,” Sekoia told in the report. 

According to the malware developers, the upgraded Raccoon version was built from scratch using C/C++, featuring a new back-end, front-end, and code to steal credentials and other data. 

Raccoon Stealer 2.0 uses a fake Malwarebytes website to steal personal information including Basic system fingerprinting info, browser passwords, cookies, autofill data, saved credit cards, browser passwords, cookies, and autofill data, and saved credit cards. 

Other information that Raccoon Stealer steals is given below:

• Cryptocurrency wallets and web browser extensions including MetaMask, TronLink, BinanceChain, and Ronin
• Exodus, Atomic, JaxxLiberty, Binance, Coinomi, Electrum, Electrum-LTC, and ElectronCash
• Individual files located on all disks
• Screenshot capturing
• Installed applications list

The data can be misused in various ways, such as transferring users' funds in crypto-wallets and other accounts (e.g., PayPal, bank accounts, etc.). Victims could, therefore, lose their savings. Moreover, hijacked accounts (e.g., Facebook, emails, etc.) can be misused to borrow money. 

The subscription cost of the Stealer which has already attacked over 100,000 devices, is $200 per month. It has become one of the most named viruses on the underground forums in 2019. 

North Orange County Community College District Suffered Ransomware Attack

 

According to an official filing by the District, on Monday, January 10, 2022, the North Orange County Community College District (NOCCCD or the District) noticed malicious activity on both of the District’s college servers including Cypress College and Fullerton College. 

In response to the attack, the District launched an investigation with the assistance of outside computer forensic specialists to learn more about the attack and determine if any employee or student data was breached. The notifications in which the attack has been reported on their component campus sites revealed that this was a ransomware incident. 

On March 25, 2022, following the attack, the NOCCCD reportedly notified more than 19,000 people about a data security incident. It has begun sending out data breach notification letters to all employees and students whose information was breached due to the data security incident. The District furthermore said that it will send additional security letters if it notices other parties were impacted by the attack. 

The investigation has confirmed that files containing sensitive credential data of employees and students may have been compromised or removed from the District’s network. A copy of the notice was also posted on Fullerton College for International Students. 

While disclosing what types of data might have been compromised, the notice read, “name, and passport number or other unique identification number issued on a government document (such as Social Security number or driver’s license number); financial account information; and/or medical information.” 

The district said that they are also coordinating with the colleges to review and enhance existing policies related to data protection. Besides, they have successfully implemented multi-factor authentication as well as an advanced threat protection and monitoring tool to better security and safeguard data. Additionally, new and advanced cybersecurity training for employees is being implemented throughout the District.