Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data theft extortion. Show all posts
UEFI Bootkit
Bookitty Data theft extortion Linux Systems malware Malware Attack News trending news UEFI Bootkit

Bootkitty: The Game-Changing Malware Targeting Linux Systems

 

This malware, named Bootkitty, introduces a new method of attacking Linux, which has traditionally been considered safer from such stealthy threats compared to Windows. Bootkits are highly dangerous because they infect a computer’s boot process, loading before the operating system starts. 

This allows them to take deep control of a system while avoiding detection by traditional security tools.   

Bootkitty specifically targets certain versions of Ubuntu Linux by bypassing critical security checks during system boot.   

How Bootkitty Works  


ESET discovered Bootkitty in November 2024 when a suspicious file, bootkit.efi, was uploaded to VirusTotal. The malware uses advanced techniques to bypass kernel signature verification and inject malicious components during the system boot process.   

It relies on a self-signed certificate, meaning it won’t function on systems with Secure Boot enabled.   The malware hooks into UEFI security protocols and GRUB bootloader functions, disabling key security checks and loading malicious modules into the Linux kernel.  Bootkitty also forces a malicious library to load into system processes upon startup.   

However, the malware is not without flaws.  It only works on specific GRUB and kernel versions, which limits its effectiveness.  It can cause system crashes due to compatibility issues.   

During their investigation, researchers also found another suspicious file, BCDropper, likely associated with Bootkitty. BCDropper installs a rootkit named BCObserver, which provides stealthy control by hiding files, processes, and open ports on the infected system.   

Growing Threat to Linux   


Although Bootkitty is not yet fully developed or actively deployed in real-world attacks, its discovery is concerning. It signals that cybercriminals are increasingly targeting Linux as more businesses rely on it for critical operations.  

To help organizations defend against Bootkitty, ESET has published indicators of compromise (IoCs) on GitHub.   

Recommendations for Protection   


  • Enable Secure Boot: Since Bootkitty cannot operate with Secure Boot enabled, this is a crucial defense. 
  • Update Security Tools: Keeping antivirus and other security software up to date can help detect and block new threats.  

This discovery underscores the growing sophistication of Linux-targeted malware and the need for robust security practices to safeguard critical systems.
Read more »
User Privacy
Black Cat Data Breach Data theft extortion Ransomware Attacks. Spoofing User Privacy

Cybercriminals Stole Data by Spoofing Victim's Webpage

The BlackCat ransomware group is experimenting with a new method of threatening victims into paying extortion building a fake website on the open internet that displays the personal information that was stolen from the victim. 

ALPHV, commonly known as BlackCat ransomware, is notorious for experimenting with unique forms of extortion in an effort to coerce and shame its victims into making a payment. All of the information appears to be accessible on the fake website, which redirects to a domain name that is slightly misspelled compared to the domain of the consulting business.

Hackers Infiltrate a firm 

On December 26, the malicious actors disclosed to have infiltrated a financial services company on their data leak website, which was concealed on the Tor network.

BlackCat publicized all the obtained files as punishment because the victim did not comply with the threat actor's demands, being a common practice for ransomware operators. Instead of following the typical procedure, the hackers chose to publish the data on a website that closely resembles the victims in terms of both design and domain name.

A variety of materials are located on the cloned website, including payment forms, asset and expense information, employment information, notes to staff, financial information for partners, and passport scans. A file-sharing service was also used to distribute the 3.5GB of documents.

According to Brett Callow, a threat researcher at the security firm Emsisoft, published data on a typosquatting site might cause the target company more concern than disseminating it via a webpage on the Tor network, which is primarily used by the infosec community.

This approach might signify the beginning of a new trend that other ransomware gangs may embrace, notably since the costs to execute it are negligible. It includes disclosing the identity of the infiltrated firm, taking data, and threatening to disclose it unless a ransom is paid, as well as the DDoS threat.


Read more »
Vulnerabilities and Exploits
Cyber flaws cyber incident Cyber Vulnerabilities Data theft extortion Flaws Matrix Vulnerabilities and Exploits

A Matrix Update Patches Serious End-to-End Encryption Flaws

Recently the open source Matrix messenger protocol published security warnings on its platform about two critical-severity vulnerabilities that affect the end-to-end encryption in the software development kit (SDK). 

As per the warning statement, the groups of malicious actors are exploiting these vulnerabilities that could break the confidentiality of Matrix communications. The vulnerabilities also allow the threat actors to run man-in-the-middle attacks that expose message contents in a readable form. 

According to the technical data, the users who were using the matrix-js-sdk, matrix-android-sdk2, and matrix-ios-sdk, like Element, Cinny, SchildiChat, Beeper, Circuli, and Synod.im have been hit by the bugs. However, the platform clarified that clients using a different encryption implementation such as Hydrogen, Nheko, ElementX, FluffyChat, Timmy, Syphon, Gomuks, Pantalaimon) are safe from the attacks. 

The vulnerabilities were reported to Matrix by the researchers of Brave Software, the University of Sheffield, and the Royal Holloway University in London. The group published the technical details of the research findings. 

List of the critical severity flaws discovered by the team

 
  • CVE-2022-39255: Same as CVE-2022-39251 but impacting matrix-ios-sdk (iOS clients). 
  • CVE-2022-39251: Protocol-confusion bug in matrix-js-sdk, leading to incorrectly accepting messages from a spoofed sender, possibly impersonating a trusted sender. 

The same flaw makes it possible for malicious home server admins to add backup keys to the target's account. 

  • CVE-2022-39250: Key/Device identifier confusion in SAS verification on matrix-js-sdk, enabling a malicious server administrator to break emoji-based verification when cross-signing is used, authenticating themselves instead of the target user.
  • CVE-2022-39257: Same as CVE-2022-39249 but impacting matrix-ios-sdk (iOS clients).
  • CVE-2022-39248: Same as CVE-2022-39251 but impacting matrix-android-sdk2 (Android clients). 
  • CVE-2022-39249: Semi-trusted impersonation problem in matrix-js-sdk leading to accepting keys forwarded without request, making impersonation of other users in the server possible. Clients mark these messages as suspicious on the recipient's end,  thus dropping the severity of the bug. 
  • CVE-2022-39246: Same as CVE-2022-39249 but impacting matrix-android-sdk2 (Android clients). 
Furthermore, the report detailing listed two problems that are yet to receive an identification number. One of these problems allows malicious actors access to the home server and the second refers to using AES-CTR. 

Read more »
Ransomware
Babuk Data theft extortion malware Ransom Ransomware

Babuk Quits Ransomware Encryption, Focuses on Data-Theft Extortion

 

The Babuk ransomware group has decided to close the affiliate program and switch to an extortion model that does not rely on encrypting victim computers, according to a new message sent out today by the gang. The clarification comes after the group posted and then deleted two announcements yesterday about their intention to close the project and release the malware's source code. 

The group seems to have taken a different path than the ransomware-as-a-service (RaaS) model, in which the hackers steal data before deploying the encryption stage to use as leverage in ransom payment negotiations. 

Babak's newly announced model is nearly identical except for the data encryption part, according to a third "Hello World" message posted on their leak site. In other words, the cybercriminals will run an extortion-without-encryption operation, demanding a ransom for data stolen from compromised networks. 

“Babuk changes direction, we no longer encrypt information on networks, we will get to you and take your data, we will notify you about it if you do not get in touch we make an announcement,” stated Babuk ransomware. 

Maze ransomware began exfiltrating data in November 2019 in order to boost ransom demands. All big ransomware operations quickly adopted it. In starting of 2021, Clop ransomware exploited zero-day vulnerabilities in Accellion's File Transfer Appliance to ran a series of data-theft attacks on high-value companies without encrypting systems. The group stole a large number of files and demanded large sums of money in exchange for not leaking or trading the information. 

Several victims paid tens of millions of dollars in ransom. Babuk ransomware claims that despite being a new team on the ransomware scene, they are already well-known in the industry because they have “the best darknet pentesters.” 

The benefits of this extortion business for Babuk are currently unclear, but the group will have to exfiltrate greater amounts of data than with encryption. Babuk reports one victim from whom they claim to have copied 10 terabytes of data on their leak site. The group claims to have stolen 250GB of data from the Metropolitan Police Department (MPD) in their most recent attack. It's also possible that this will increase the group's benefit, either by requiring higher ransoms or by selling the data to competitors or other parties. 

RaaS operations have become so large in terms of affiliates that it's difficult to keep track of anything. This has recently translated into technological and management changes that have resulted in victims losing data due to faulty decryption tools or having to deal with multiple attacks by the same group.

This happened with Conti, Lockbit, and REvil and these issues affected many ransomware gangs that were dependent on their reputation of a party that respects their end of the deal to demand higher ransoms.
Read more »
Subscribe to: Posts (Atom)