Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Global Attacks. Show all posts

BBC, British Airways Among High Profile Victims in Global Supply-Chain Hack

 

A rising number of organisations, including the BBC, British Airways, Boots, and Aer Lingus, are being impacted by a widespread attack.

Staff members have received warnings that personal information, including social security numbers and, in some circumstances, bank information, may have been stolen.

The hackers used a well-known piece of software as a gateway to access numerous businesses simultaneously. There are no reports of money being taken or requests for ransom.

One of the impacted businesses in the UK is the payroll services provider Zellis, which reported that data from eight of its customer organisations had been stolen. 

Organisations are notifying employees on their own, though it wouldn't give names. The BBC informed the staff via email that the stolen data contained staff ID numbers, dates of birth, residential addresses, and national insurance numbers. 

British Airways employees have been told that some of their bank information may have been stolen. The National Cyber Security Centre of the UK stated that it was keeping an eye on the situation and recommended businesses using the affected software to apply security updates.

The attack was initially made public last week when US business Progress Software said that hackers had discovered a way to access its MOVEit Transfer application. The majority of MOVEit's users are in the US, although the programme is well-known throughout the world for safely moving sensitive files.

When the exploit was found, according to Progress Software, it immediately informed its clients and made a security update available for download. 

A company spokeswoman stated that the company is collaborating with the police to "combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products".

Businesses using MOVEit were advised to download a security patch on Thursday by the US Cybersecurity and Infrastructure Security Agency to prevent further breaches. 

However, security researcher Kevin Beaumont claimed that because many impacted companies had not yet installed the remedy, internet scans revealed that thousands of company datasets may still be exposed.

Experts predicted that instead of extorting money from individuals, cybercriminals would try to do so from businesses. Although no public ransom demands have been made as of yet, it is anticipated that cybercriminals will start emailing impacted firms to demand payment. They'll probably threaten to release the info online for other hackers to browse. 

Victim organisations caution personnel to be alert for any dubious communications that could result in additional cyberattacks. Microsoft stated that it felt the perpetrators were connected to the infamous Cl0p ransomware organisation, which is thought to have its base of operations in Russia, despite the fact that no official attribution had been established.

The US tech giant claimed in a blog post that it was attributing assaults to Lace Tempest, a ransomware operator and owner of the Cl0p extortion website where victim data is exposed. According to the business, the hackers who were behind the attack have previously used similar methods to extort victims and steal data. 

"This latest round of attacks is another reminder of the importance of supply chain security," stated John Shier, from cyber security company Sophos. "While Cl0p has been linked to this active exploitation it is probable that other threat groups are prepared to use this vulnerability as well."

IRS Sends Cyber Attachés Abroad to Combat Cybercrime

 

The Criminal Investigation (CI) of the Internal Revenue Service (IRS) is taking a courageous initiative in the fight against cybercrime by sending cyber attachés across four continents. Earlier on Thursday, the regulator provided this update.

The most recent plan focuses on preventing tax and financial crimes involving cryptocurrencies, decentralised finance, peer-to-peer payments, and mixing services; the CI hopes to improve global cooperation in the struggle against these illegal practises. 

The effort highlights the IRS's dedication to always being one step ahead of cybercriminals in the rapidly changing digital environment. 

Beginning of the global cyber showdown

A pilot programme run by the IRS CI will begin in June and place cyber attachés in key sites throughout the world. Sydney, Singapore, Bogota, and Frankfurt were selected as the cities for deployment, representing Australia, Asia, South America, and Europe, respectively. 

These attachés will use their specialised expertise in close cooperation with regional law enforcement organisations to combat tax evasion, financial fraud, and other illegal actions made possible by digital currency. 

The IRS CI seeks to foster a seamless interchange of knowledge, information, and resources with foreign counterparts by stationing cyber attachés abroad. This proactive strategy is aware that a unified worldwide front is necessary to effectively battle cybercrime.

Jim Lee, Chief of the CI, emphasises the significance of providing international partners with the same level of expertise and resources as those available within the United States. To address the global scope of cyber threats, this programme will need to forge powerful multinational coalitions. 

The use of cyber attachés expands on the CI's prior international cooperation initiatives. A permanent cyber attaché from the CI has been based at the Europol headquarters in The Hague, Netherlands, since 2020. 

To promote collaboration and coordination with European law enforcement authorities, this role was created. With the expansion of the attaché programme, the CI is now able to reach more people and have a greater influence in areas that are known to be hubs for cybercriminal activity. 

An emphasis on crypto-inspired crimes 

Cybercriminals are using cryptocurrency for different illegal activities as the world becomes more digitised. The IRS's decision to give tax and financial crimes involving cryptocurrencies top priority shows how determined it is to confront these new dangers head-on. 

The CI attempts to safeguard people, businesses, and the economy by focusing on criminal activity such as tax fraud, drug trafficking, money laundering, public corruption, and healthcare fraud.

U.S. authorities are increasingly going after cybercriminals, especially those who use cryptocurrencies or decentralised finance (DeFi) to do their crimes. In a recent development, the IRS seized two domains connected to the notorious mixing service, ChipMixer, which is notorious for its involvement in hacking schemes, fraud, cryptocurrency heists, and ransomware operations. 

Such measures strongly suggest that law enforcement organisations are aggressively going after persons who use digital currencies for illegal purposes. Nevertheless, despite the ongoing cybercrimes in the sector, the cryptocurrency market has remained calm. With a valuation firmly above $1 trillion, the global cryptocurrency market has lost 1.1% during the last 24 hours.

Targeting Businesses Globally, the Medusa Ransomware Gang Gains Momentum

 

In 2023, a ransomware operation by the name of Medusa began to gain momentum. It targets corporate targets globally and demands a million-dollar ransom.

Starting in June 2021, the Medusa operation saw just a small number of victims and a low level of activity. However, the ransomware gang ramped up its operations in 2023 and established a "Medusa Blog" that allowed victims who declined to pay a ransom to have their data released. 

Last week, Medusa came under public scrutiny after claiming responsibility for an attack on the Minneapolis Public Schools (MPS) district and sharing a video of the data that was taken. 

Will the genuine Medusa rise up? 

Medusa is the name of several malware families, including the well-known MedusaLocker ransomware operation, an Android malware family, and a Mirai-based botnet with ransomware capabilities.

Owing to the family's popularly used name, there has been some ambiguous information about it, leading many people to believe it is the same as MedusaLocker. Yet, there are significant operational differences between the Medusa and MedusaLocker malware.

The MedusaLocker operation debuted in 2019 as a Ransomware-as-a-Service, with a large number of affiliates, a ransom note typically called How_to_back_files.html, and a wide range of file extensions for encrypted files. 

For negotiation, the MedusaLocker operation uses a Tor website at qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion. 

However, the.MEDUSA static encrypted file extension and the !!!READ_ME_MEDUSA!!!.txt ransom notes have been used by the Medusa ransomware operation since its launch in June 2021. 

Using Windows devices to encrypt data 

Currently, it is unknown if BleepingComputer has a Medusa encryption programme for Linux; they have only been able to analyse the Windows version. The Windows encryptor will accept command-line arguments that let a threat actor control the encryption settings for files on the system. For instance, the ransomware will display a console and display status messages as it encrypts a device if the -v command line argument is used.

The Medusa ransomware terminates over 280 Windows services and processes for programmes that might stop files from being encrypted on a regular basis, without command line parameters. Windows services for database servers, backup servers, and security applications are among them. Then, in order to impede file recovery, the ransomware will erase Windows Shadow Volume Copies. 

Michael Gillespie, a ransomware expert, examined the encryptor as well and revealed to BleepingComputer that it encrypts files using AES-256 + RSA-2048 encryption with the BCrypt library. 

Like the majority of ransomware operations that target businesses, Medusa features a website called "Medusa Blog" that leaks data. The usage of this website is a part of the gang's double-extortion scheme, in which victims who decline to pay a ransom are given access to their data. 

A victim's data is not instantly made public when they are joined to the data leak. As an alternative, the threat actors offer the victims payment choices to delay the release of data, erase the data, or download the entire set of data. The cost of each of these choices varies. 

The ransom is demanded to increase the victim's stress and frighten them into paying a ransom. Regrettably, there are no documented flaws in the Medusa Ransomware encryption that allow victims to recover their files without paying.

Significant Rise in Cyberattacks Against Healthcare Facilities, 68 Attacks in Q3 2021

 

Cyberattacks against healthcare facilities increased alarmingly last month, around 68 healthcare providers were locked out of their networks by ransomware attacks in the third quarter of this year, putting patient security and privacy at risk. 

Without a holistic whole-facility cybersecurity approach, specialists fear that patients would be unable to get essential care at a targeted facility. The Hillel Yaffe Medical Center in Hadera, Israel, and Johnson Memorial Health Hospital in Franklin, Indiana, are just two examples of the medical facilities targeted. 

The early-October cyberattack at Johnson Memorial Hospital locked databases and compromised patient data. A ransom amount was surprisingly not demanded. Hillel Yaffe Medical Center was attacked by Black Shadow, a reportedly Iran-backed group, in early November. Investigators believed it would take many weeks to recover and grasp the full scope of what had happened because 290,000 people's personal data had been leaked. 

Healthcare facilities' legacy OT equipment becomes exposed to hackers as they upgrade. Water, HVAC, oxygen, electrical, and other key systems are all connected, yet they may not be properly monitored or protected in terms of cybersecurity. Any of these utilities being compromised will have a detrimental influence on patient care, perhaps putting the lives of individuals being treated at risk. 

Ilan Barda, CEO of Radiflow stated, “Accessing patient data is worrisome, but the idea of hackers gaining access to components in a specific ward or even a single operating room is alarming.” 

“CISOs at facilities should focus on both IT systems and OT environments, starting from risk assessment to threat monitoring. There should be continuous holistic risk management for more mature organizations that combine both IT and OT systems. With Radiflow, teams can monitor the full range of a healthcare OT security from one central location.” 

With 68 global attacks on healthcare facilities in Q3 of this year alone, the US Department of Health and Human Services (HHS) had warned of worrisome trends in 2021.