
Disney Data Breach Exposes Sensitive Corporate and Personal Information


In July, Disney experienced a significant data breach that exposed far more than initially reported, compromising a wide array of sensitive information. While early reports focused on stolen Slack messages, it has since been revealed that the breach extended deep into the company’s critical corporate files. According to sources, hackers gained access to sensitive information, including financial projections, strategic plans, sales data, and streaming forecasts. 

The breach did not stop at corporate data. Hackers also accessed personal information of Disney Cruise Line members, including passport numbers, visa statuses, contact details, and birthplaces. In addition, data related to theme park pass sales was compromised, potentially impacting thousands of visitors. This breach has raised serious concerns about the security of personal data at Disney, one of the world’s most recognized entertainment companies. 

Initially, Disney reported that over a terabyte of data was leaked, but the full extent of the breach is still under investigation. In an August address to investors, the company acknowledged the severity of the attack, prompting questions about the cybersecurity measures in place not only at Disney but also at other major corporations. The incident has highlighted the growing need for robust and effective cybersecurity strategies to protect against increasingly sophisticated cyber threats. The hacking group Nullbulge has claimed responsibility for the attack. 

In a blog post, the group boasted of gaining access to internal data on upcoming projects as well as employee details stored in Disney’s Slack system. This claim has raised further alarms about the potential exposure of sensitive company plans and employee information. When asked to comment on the specifics of the breach, Disney declined to provide details. A spokesperson stated, “We decline to comment on unverified information that has purportedly been obtained as a result of illegal activity.” 

This response underscores the complexity and evolving challenges that companies face in safeguarding sensitive information from cyber threats. As cyber threats become more sophisticated, this breach serves as a stark reminder of the vulnerabilities even within prominent organizations. It emphasizes the urgent need for businesses to strengthen their cybersecurity measures to protect both corporate and personal data from being compromised in an increasingly digital world.

North Korea Exploited Windows Zero-Day Vulnerability to Install Fudmodule


North Korea's Lazarus hacking group has once again exploited a zero-day vulnerability in Microsoft Windows to deploy malware on targeted devices. On August 13, Microsoft addressed this issue with its monthly Patch Tuesday updates, fixing a flaw in the Windows Ancillary Function Driver (Afd.sys) for WinSock, identified as CVE-2024-38193. Security experts strongly recommend applying this update promptly, as Microsoft has confirmed that the vulnerability is actively being exploited.

The flaw allows attackers to escalate system privileges through a use-after-free memory management issue, potentially granting them elevated system access, according to Rapid7. The advisory underscores the urgency of this patch, highlighting the low complexity of attacks, lack of required user interaction, and minimal privileges needed for exploitation.

The warning proved accurate, as Avast researchers Luigino Camastra and Martin Milanek, who initially discovered and reported the flaw to Microsoft in June, revealed that Lazarus had been exploiting this vulnerability before the fix was issued. Their primary aim was to install a rootkit named Fudmodule on the affected systems, utilizing the zero-day vulnerability to remain undetected by security software.

Details on the specific organizations targeted and their industries have not been disclosed. However, Lazarus is known for its focus on stealing cryptocurrency to support North Korea’s financially strained regime. The regime also uses its hacking teams to gather intelligence on Western nuclear facilities and defense systems.

This incident is part of a broader pattern of North Korean hacking activities targeting Windows drivers. In February, Microsoft patched another vulnerability, CVE-2024-21338, which Lazarus had used to gain system-level access. This flaw was in the appid.sys AppLocker driver, crucial for controlling application execution on Windows systems. Avast had previously reported this vulnerability, which was actively being exploited by Lazarus to install Fudmodule. The updated version of Fudmodule included enhancements, such as disabling antivirus protections like Microsoft Defender and CrowdStrike Falcon.

This activity reflects the broader rise of "Bring Your Own Vulnerable Driver" (BYOVD) attacks, in which attackers load legitimate but vulnerable drivers to bypass security controls. Lazarus has employed this tactic since at least October 2021, infiltrating systems by loading drivers with known vulnerabilities. Other groups use similar methods: Sophos, for example, has reported RansomHub abusing outdated drivers to disable endpoint detection and response tools before deploying ransomware.

Overall, as Lazarus and similar groups continue to adapt their strategies, the need for vigilance and timely updates is crucial to protect systems from these sophisticated attacks.

LockBit is Recruiting Members of ALPHV/BlackCat and NoEscape Ransomware Outfit


Recruiting affiliates and developers from the troubled BlackCat/ALPHV and NoEscape ransomware operations is one of the calculated steps being taken by the LockBit ransomware group. The recent disruptions and exit scams within NoEscape and BlackCat/ALPHV have created an ideal opportunity for LockBit to expand its network.

Affiliates of NoEscape and BlackCat/ALPHV are in disarray after the operations' Tor websites suddenly became inaccessible, amid reports of exit scams and stolen ransom payments. While the exact reason for the disruptions is unknown, speculation includes hardware malfunctions, internal issues, and law enforcement intervention.

LockBitSupp, the manager of LockBit, has actively recruited affiliates on Russian-speaking hacking forums in response to the chaos surrounding BlackCat and NoEscape. LockBitSupp makes a tempting offer, stating that affiliates who have copies of stolen data can use LockBit's bargaining panel and data leak website to keep blackmailing victims. 

Additionally, LockBitSupp is trying to hire the coder who created the ALPHV encryptor. Although LockBit's relationship to the troubled ransomware gangs is still unknown, there have been reports of a victim who was BlackCat's previous target now showing up on LockBit's data leak website. 

The shift illustrates how ransomware groups go through disruptions, rebranding, and sometimes changes of affiliation. The ransomware ecosystem continues to evolve, and outfits such as LockBit, by capitalising on rivals' weaknesses and interruptions, show how adaptable and opportunistic these criminal operations are.

In an ever-changing threat landscape, this situation may lead to further rebranding and restructuring, as it calls into doubt the reliability of ransomware groups such as BlackCat and NoEscape.

Boeing Evaluates Cyber Group's Data Dump Threat


Boeing Co announced on Friday that it is currently evaluating a claim made by the Lockbit cybercrime group, which asserts that it has obtained a significant volume of sensitive data from the aerospace giant. The group has threatened to release this information online unless Boeing pays a ransom by November 2.

To emphasize their ultimatum, the hackers displayed a countdown timer on their data leak website, accompanied by a message stating, "Sensitive data was exfiltrated and ready to be published if Boeing do not contact within the deadline!"

The group conveyed that, for now, they will refrain from providing lists or samples of the data in order to safeguard the company. However, they asserted that this stance may change before the deadline arrives.

Lockbit typically deploys ransomware on an organization's system to encrypt it and also pilfers sensitive information as a means of extortion.

A Boeing spokesperson stated via email, "We are assessing this claim."

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Lockbit was the most active ransomware group globally last year, based on the number of victims it claimed on its data leak blog.

The gang, known for its eponymous ransomware, which emerged on Russian-language cybercrime forums in January 2020, has reportedly conducted 1,700 attacks on U.S. organizations since then, as per CISA's report in June.

Lockbit did not disclose the volume of data it purportedly acquired from Boeing, nor did they reveal the ransom amount they are demanding. Boeing declined to provide further comments.

The hacking group has yet to respond to a request for comment sent to the address mentioned on their data leak site.

AtlasCross Hackers Target Organizations with Red Cross Phishing Lures

A new hacking group called AtlasCross is targeting organizations with phishing lures impersonating the American Red Cross. The group uses macro-enabled Word documents to deliver backdoor malware to victims' devices.

The phishing emails typically contain a link to a malicious website or an attachment containing a macro-enabled Word document. If the victim opens the attachment and enables macros, the malware will be installed on their device.

The malware used by AtlasCross is called DangerAds and AtlasAgent. DangerAds is a system profiler and malware loader, while AtlasAgent is a backdoor that allows attackers to remotely control the victim's device.

Once the attackers have control of the victim's device, they can steal sensitive data, such as login credentials, financial information, and trade secrets. They can also use the device to launch further attacks against other organizations.

Bill Toulas, CEO of NSS Labs, aptly notes, "The AtlasCross phishing campaign is a reminder that even the most sophisticated organizations can be targeted by cybercriminals. It is important to be vigilant and take steps to protect yourself from these attacks."

How to protect your organization from AtlasCross phishing attacks:

  • Exercise Caution with Unsolicited Emails: Especially those bearing attachments or links.
  • Scrutinize Known Senders: Verify email addresses to confirm legitimacy.
  • Exercise Restraint with Unknown Emails: Refrain from opening attachments or clicking links if authenticity is in doubt.
  • Disable Macros in Microsoft Office: Unless they are absolutely essential, it's prudent to keep macros disabled to thwart potential malware delivery.
  • Maintain Updated Software: Ensure your operating system, web browser, and antivirus software are up-to-date, as these updates frequently contain vital security patches.

Organizations can take the following steps to augment their defense against AtlasCross phishing campaigns:

  • Employee Education: Provide thorough training on recognizing and evading phishing attempts, as employees are the first line of defense.
  • Utilize a Robust Security Solution: Employ a solution adept at detecting and thwarting phishing emails based on various indicators.
  • Segment Your Network: Isolate devices to prevent easy lateral movement in case of a compromise.
  • Enforce Stringent Password Policies: Implement multi-factor authentication to bolster device and account security.

Global organizations and individuals are seriously threatened by the AtlasCross hacking group. The advice above can help you safeguard yourself from phishing attempts. It is important to remember that you could still fall victim to a phishing attack even if you take all necessary precautions, as cybercriminals continually create new phishing methods as they become more proficient.

This Hacker Outfit has Targeted Thousands of Companies Across the Globe


ESET's cybersecurity researchers have recently uncovered a relatively new hacker outfit that has had great success targeting organisations all around the world. 

The group goes by the name Asylum Ambuscade, and the researchers are still unsure of its eventual goal. According to BleepingComputer, it has been active worldwide over the past three years, but primarily in the West.

It makes use of many different tools, such as the Sunseed malware, Akhbot, and Nodebot, which enable the team to carry out a wide range of malicious operations: capturing screenshots, stealing passwords stored in well-known web browsers, deploying Cobalt Strike loaders, running a keylogger, and more. In short, the group's capabilities span everything from espionage to cybercrime.

They have a wide range of targets, including small and medium-sized businesses (SMB), government officials and organisations, bank customers, cryptocurrency speculators, and traders. 

Modus operandi 

An attack typically begins with a phishing email that carries a malicious script. Once the Sunseed malware has been downloaded, the group selects which additional payloads to deliver depending on the target's endpoints.

The researchers discovered that in certain cases the group generated Google Ads that drove consumers to websites that included malicious JavaScript code.

Additionally, the organisation appears to be very successful. Researchers at ESET began monitoring the gang's activity in January of last year and have since discovered almost 4,500 victims, which suggests the group targeted 265 businesses and organisations each month.

The group's intentions remain the biggest mystery. Because the group has access to a wide variety of tools that can be used for all types of cybercrime, and its list of victims is so diverse, the researchers cannot precisely identify what it is trying to achieve. One explanation holds that the group is simply selling information and access to other threat actors, which would explain its varied approach.

Here is How Toronto-area Police Force Helped Take Down a Russian-linked Hacking Group


The Toronto-area police force has recently explained how it became involved in the international effort to lawfully hack Hive, one of the most ruthless ransomware groups in the world.

The contributions made by the Peel Regional Police are one of the reasons why the Canadian flag is among the icons displayed on what was the dark website of the Russian-linked ransomware group Hive, alongside the logos of the U.S. Department of Justice, the FBI, and a variety of police forces around the globe.

According to Detective Const. Karim Hussain in an interview with CTV News Toronto, Peel's detectives got engaged early when a local firm contacted them in 2021 claiming that their systems were down and a text message on their desktops revealed a ransom note. 

“We had one of the first cases in Canada of Hive ransomware[…]It was the first to market. At the time we started gathering evidence, Hive was a fairly new ransomware group. Everything we brought to the table was interesting because no one had seen it before,” he says. 

The Hive case shared attributes with numerous other high-profile incidents, such as a hospital in Louisiana where threat actors accessed the data of around 270,000 patients, and an Ohio hospital whose attack left it unable to accept new patients even during the massive surge of COVID-19.

Those were only a few of the more than 1,500 attacks throughout the globe that had the digital traces of Hive, an organization whose associates, according to authorities, have made $150 million since 2021 as they demand money from companies in exchange for access to their data or system. 

The attacks are carried out via a "ransomware as a service" (RaaS) model, in which a small group of individuals create malicious software and then distribute it to numerous users, allowing them to quickly scale up their attacks before the security flaws they exploit are addressed. 

“You have an overarching group that provides everything down to the infrastructure, to lesser-capable cyber criminals, and they provide them the tools to conduct the hack,” Hussain said. 

The case brought the RCMP, the FBI, the police from France, Germany, Norway, and Lithuania together with Peel Police and other agencies dealing with Hive's impact. 

In retaliation, the group took over Hive's website earlier this year and replaced it with a landing page with the logos of numerous investigative agencies. “Simply put, using lawful means, we hacked the hackers,” said U.S. Deputy Attorney General Lisa Monaco in a press conference in January. 

She added that investigators had found and then publicly released decryption keys that could help anyone who had been attacked recover their data or free their systems on their own.

According to Christopher Wray, director of the FBI, these actions have prevented around $130 million in ransom from being paid. “This cut off the gas that is fueling Hive’s fire,” Wray said. 

According to Hussain, the inquiry is still ongoing as the prevalence of ransomware grows. Ransomware assaults made up 11% of all cyber security incidents in 2021, according to Statistics Canada. 

“There’s no end in sight to cybercrime right now,” Hussain said.  

Hacking Group Takes Down "Antwerp" from Website


The City of Antwerp is no longer listed on the hacker group Play's website as one of the organizations it has compromised. What this means is unclear. Geert Baudewijns, a cyber security specialist, says it is possible that talks between the hackers and the City of Antwerp are in progress, or that a deal is already in place, in which case a ransom payment may have been made.

A week and a half ago, the City of Antwerp was the target of a significant cyber-attack, which has since caused the suspension of several of the city's public services. An appointment at City Hall is not always easy to get at present, and the hack also affects libraries, museums, and schools.

The Play hacker collective claimed responsibility for the attack on its website on the so-called "dark web" not long after the City of Antwerp's websites were compromised. City officials had until Monday, December 19 to comply with the collective's ransom demand.

If not, the gang threatens to upload more than 500 gigabytes of information on the city and its residents, including all personal information, to the internet. 

Negotiation or ransomware? 

Only two possible explanations exist for the city's disappearance from the Play website. Geert Baudewijns of Secutec, a cyber-security specialist, told VRT News, a local media outlet, "Either the talks are proceeding apace, or the city has made the payment. Despite the fact that I am not taking part in the negotiations, I can speak from negotiation experience."

"A firm may occasionally be required to pay a ransom equal to up to 10% of its annual revenue. For municipal or city officials, however, things may be very different. I am unable to remark on that."

According to Tim Verheyden of VRT NWS, Play is well-known in the hacker community. The group was responsible for significant cyberattacks against targets in the United States, Canada, Bulgaria, and Switzerland, and now the City of Antwerp. The City of Antwerp has not yet addressed why it is no longer visible on Play's website.