
SMB Cyber Threats: Information-Stealing Malware, Ransomware, and BEC

 

In today's digital landscape, small and medium-sized businesses (SMBs) are increasingly becoming prime targets for cybercriminals looking to exploit vulnerabilities for financial gain. A recent report from cybersecurity firm Sophos sheds light on the top cyber threats facing SMBs, highlighting information-stealing malware, ransomware, and business email compromise (BEC) as the most prevalent dangers. 

These malicious programs are designed to clandestinely gather sensitive data and login credentials, posing significant risks to businesses that may not have robust cybersecurity measures in place. The insidious nature of infostealers lies in their ability to operate discreetly, often evading detection until substantial damage has been done. 

Christopher Budd, director of Sophos X-Ops, underscores the escalating value of stolen data among cybercriminals, particularly concerning SMBs. He elucidates a hypothetical scenario where attackers exploit infostealers to compromise a business's accounting software, thereby gaining access to critical financial information and potentially siphoning funds into their own accounts. 

This underscores the dire consequences of falling victim to information-stealing malware, which can have far-reaching financial and reputational implications for SMBs. Despite the prevalence of infostealers, ransomware remains the most significant threat to SMBs' cybersecurity. While Sophos reports that the number of ransomware attacks has stabilized, the evolution of ransomware tactics continues unabated. 

One alarming trend highlighted in the report is the rise of remote encryption attacks, wherein threat actors leverage unmanaged devices within a victim organization to encrypt files on other systems. This sophisticated approach underscores the adaptability and persistence of ransomware operators in their quest to extort businesses for financial gain. 

Following closely behind ransomware, BEC attacks represent another formidable threat to SMBs. These attacks involve cybercriminals engaging in deceptive email correspondence or even phone calls with victims to gather sensitive information or manipulate them into transferring funds. The increasing sophistication of BEC tactics poses significant challenges for SMBs, as attackers leverage social engineering techniques to bypass traditional cybersecurity defenses. 

To mitigate these cyber threats effectively, SMBs must adopt a multi-faceted approach to cybersecurity. This includes implementing robust endpoint protection solutions, regularly updating software to patch known vulnerabilities, and providing comprehensive employee training on cybersecurity best practices. 

Additionally, adopting measures such as multi-factor authentication and encryption can add layers of security to sensitive data and communications, making it more challenging for cybercriminals to exploit vulnerabilities.

SMBs must remain vigilant in the face of evolving cyber threats and prioritize cybersecurity as a fundamental aspect of their business operations. By staying informed about emerging threats and investing in proactive cybersecurity measures, SMBs can fortify their defenses and safeguard their digital assets against malicious actors. With cyber threats continuing to evolve in sophistication and scale, proactive cybersecurity measures are essential for protecting the interests and integrity of SMBs in today's digital landscape.

Is Your Android Device Tracking You? Understanding its Monitoring Methods

 

In general discussions about how Android phones might collect location and personal data, the focus often falls on third-party apps rather than Google's built-in apps. This awareness has grown due to numerous apps gathering significant information about users, leading to concerns, especially when targeted ads start appearing. The worry persists about whether apps, despite OS permissions, eavesdrop on private in-person conversations, a concern even addressed by Instagram's head in a 2019 CBS News interview.

However, attention to third-party apps tends to overshadow the fact that Android and its integrated apps track users extensively. While much of this tracking aligns with user preferences, it results in a substantial accumulation of sensitive personal data on phones. Even for those trusting Google with their information, understanding the collected data and its usage remains crucial, especially considering the limited options available to opt out of this data collection.

For instance, a lesser-known feature involves Google Assistant's ability to identify a parked car and send a notification regarding its location. This functionality, primarily guesswork, varies in accuracy and isn't widely publicized by Google, reflecting how tech companies leverage personal data for results that might raise concerns about potential eavesdropping.

The ways Android phones track users were highlighted in an October 2021 Kaspersky blog post referencing a study by researchers from the University of Edinburgh and Trinity College. While seemingly innocuous, the compilation of installed apps, when coupled with other personal data, can reveal intimate details about users, such as their religion or mental health status. This fusion of app presence with location data exposes highly personal information through AI-based assumptions.

Another focal point was the extensive collection of unique identifiers by Google and OEMs, tying users to specific handsets. While standard data collection aids app troubleshooting, these unique identifiers, including Google Advertising IDs, device serial numbers, and SIM card details, can potentially associate users even after phone number changes, factory resets, or ROM installations.

The study also emphasized the potential invasiveness of data collection methods, such as Xiaomi uploading app window histories and Huawei's keyboard logging app usage. Details like call durations and keyboard activity could lead to inferences about users' activities and health, reflecting the extensive and often unnoticed data collection practices by smartphones, as highlighted by Trinity College's Prof. Doug Leith.

Vietnamese Cybercriminals Exploit Malvertising to Target Facebook Business Accounts

Cybercriminals associated with the Vietnamese cybercrime ecosystem are exploiting social media platforms, including Meta-owned Facebook, as a means to distribute malware. 

According to Mohammad Kazem Hassan Nejad, a researcher from WithSecure, malicious actors have been utilizing deceptive ads to target victims with various scams and malvertising schemes. This tactic has become even more lucrative with businesses increasingly using social media for advertising, providing attackers with a new type of attack vector – hijacking business accounts.

Over the past year, cyber attacks against Meta Business and Facebook accounts have gained popularity, primarily driven by activity clusters like Ducktail and NodeStealer, known for targeting businesses and individuals operating on Facebook. 

Social engineering plays a crucial role in gaining unauthorized access to user accounts, with victims being approached through platforms such as Facebook, LinkedIn, WhatsApp, and freelance job portals like Upwork. Search engine poisoning is another method employed to promote fake software, including CapCut, Notepad++, OpenAI ChatGPT, Google Bard, and Meta Threads.

Common tactics among these cybercrime groups include the misuse of URL shorteners, the use of Telegram for command-and-control (C2), and legitimate cloud services like Trello, Discord, Dropbox, iCloud, OneDrive, and Mediafire to host malicious payloads.

Ducktail, for instance, employs lures related to branding and marketing projects to infiltrate individuals and businesses on Meta's Business platform. In recent attacks, job and recruitment-related themes have been used to activate infections. 

Potential targets are directed to fraudulent job postings on platforms like Upwork and Freelancer through Facebook ads or LinkedIn InMail. These postings contain links to compromised job description files hosted on cloud storage providers, leading to the deployment of the Ducktail stealer malware.

The Ducktail malware is designed to steal saved session cookies from browsers, with specific code tailored to take over Facebook business accounts. These compromised accounts are sold on underground marketplaces, fetching prices ranging from $15 to $340.

Recent attack sequences observed between February and March 2023 involve the use of shortcut and PowerShell files to download and launch the final malware. The malware has evolved to harvest personal information from various platforms, including X (formerly Twitter), TikTok Business, and Google Ads. It also uses stolen Facebook session cookies to create fraudulent ads and gain elevated privileges.

One of the primary methods used to take over a victim's compromised account involves adding the attacker's email address, changing the password, and locking the victim out of their Facebook account.

The malware has incorporated new features, such as using RestartManager (RM) to kill processes that lock browser databases, a technique commonly found in ransomware. Additionally, the final payload is obfuscated using a loader to dynamically decrypt and execute it, making analysis and detection more challenging.

To hinder analysis efforts, the threat actors use uniquely generated assembly names and rely on SmartAssembly, bloating, and compression to obfuscate the malware.

Researchers from Zscaler also observed instances where the threat actors initiated contact using compromised LinkedIn accounts belonging to users in the digital marketing field, leveraging the authenticity of these accounts to aid in social engineering tactics. This highlights the worm-like propagation of Ducktail, where stolen LinkedIn credentials and cookies are used to log in to victims' accounts and expand their reach.

Ducktail is just one of many Vietnamese threat actors employing shared tools and tactics for fraudulent schemes. A Ducktail copycat known as Duckport, which emerged in late March 2023, engages in information stealing and Meta Business account hijacking. Notably, Duckport differs from Ducktail in terms of Telegram channels used for command and control, source code implementation, and distribution, making them distinct threats.

Duckport employs a unique technique of sending victims links to branded sites related to the impersonated brand or company, redirecting them to download malicious archives from file hosting services. Unlike Ducktail, Duckport replaces Telegram as a channel for passing commands to victims' machines and incorporates additional information stealing and account hijacking capabilities, along with taking screenshots and abusing online note-taking services as part of its command and control chain.

"The Vietnamese-centric element of these threats and high degree of overlaps in terms of capabilities, infrastructure, and victimology suggests active working relationships between various threat actors, shared tooling and TTPs across these threat groups, or a fractured and service-oriented Vietnamese cybercriminal ecosystem (akin to ransomware-as-a-service model) centered around social media platforms such as Facebook," WithSecure said.

BlackRock's Bitcoin ETF Reveals the Future of Cryptocurrency Surveillance

 


Surveillance is about to reach a new level as BlackRock awaits the SEC's decision on its Bitcoin ETF application. BlackRock, reportedly the world's largest asset manager, filed for an ETF tied to Bitcoin on June 15. The timing of the announcement was notable, coming in an era when the Securities and Exchange Commission (SEC) and other regulatory agencies are cracking down on the financial sector.

When BlackRock filed to establish a spot bitcoin exchange-traded fund in the U.S., some market observers wondered whether the world's largest asset manager would have a better chance of securing approval than the competitors the U.S. Securities and Exchange Commission had already rejected. A closer look at the application quickly revealed a feature that would allow authorities to be made aware of questionable trades.

The Surveillance-Sharing Agreement (SSA) was introduced after BlackRock's application was submitted. The information-sharing agreement shifts the balance of power by giving regulators the authority to request details related to the application, and it will weigh heavily in the U.S. Securities and Exchange Commission's (SEC) decision.

After regulators expressed misgivings about its first filing for an exchange-traded fund focused on Bitcoin spot markets, BlackRock submitted an amended application to the SEC.

The Nasdaq exchange recently announced, in a filing made on BlackRock's behalf, that BlackRock intends to finalize a surveillance agreement with Coinbase (COIN). This addresses one of the main issues the Securities and Exchange Commission has raised when rejecting Bitcoin spot ETF applications in the past.

The Bitcoin ETF is expected to be approved more quickly because of the strong financial background of the world's largest asset manager. The application also triggered a series of follow-up filings concerning the Surveillance-Sharing Agreement (SSA). The Securities and Exchange Commission may approve the application if the information-sharing agreement is crafted to give the regulator increased control over it.

A client of the agency claims there is a protocol in place that uses information sharing and surveillance to prevent manipulation of the cryptocurrency market. When the Winklevoss twins applied for a Bitcoin ETF in 2017, they were the first to bring these requirements to light. Details of the exchange of information between Coinbase and NASDAQ were also required as part of the request.

There appears to be a tug-of-war between spot exchanges, regulators, ETF providers, and listing exchanges over how the data surveillance carried out by spot exchanges will be administered. Reassuringly, the information-sharing agreement also allows the exchange to share this data with ETF providers and regulators.

The agreement would allow a spotlight to be placed on specific trades or traders and information about them to be shared. It would also compel cryptocurrency exchanges to share data, including personally identifiable information (PII), with each other: the names, addresses, and other details of customers. According to Bitcoin ETF filings, no agreements currently allow such information sharing, although a similar structure exists in other markets and resembles what is visible in the US.

There is also the significant matter of specificity: the difference between a specific request for information sharing and a subpoena. An individual familiar with the matter told a reporter that the proposed scenario might be more like a fishing expedition, with trade information communicated between two points at the same time rather than across a wide spectrum.

Cryptocurrency traders prefer to remain anonymous and keep their information private to avoid identification; for many, that is why they came into the world of crypto trading. Nevertheless, if the exchange-traded fund strategy is to succeed, this will have to be addressed.

There are some things to improve regarding the recent Bitcoin ETF applications submitted to the Securities and Exchange Commission, and the Commission has asked applicants to resubmit their applications. Whether or not this scenario will benefit the crypto industry, and for what reason, only time will tell.

What Are The Benefits of Sharing Information? 


Brokers and exchanges in equity markets are familiar with the combination of information and surveillance sharing; they have been doing it for a long time. There, the regulatory authority can ask for extra information regarding a client's trading history, and they have to oblige.

Suppose a broker has a client, and NASDAQ receives an order from the broker on the client's behalf. The exchange's SMARTS surveillance system flags this order as suspicious to prevent execution. A suspicious activity report (SAR) must then be filed by the broker and the exchange.

Regulators can investigate the SAR and ask for private information about a person. To do so, it is necessary to determine whether the same beneficial owner is behind all of the trades. Depending on the facts of the case, a consolidated audit trail might be an appropriate course of action.

The SEC may also approve all other filings submitted on the same day if it approves BlackRock's Bitcoin ETF. While there has been a lot of speculation regarding its functioning and sharing of information, one thing is certain: it will expose users to crypto assets, thus inadvertently increasing cryptocurrency adoption rates.  

According to BlackRock's revised application for a Bitcoin ETF, a new level of regulatory oversight is being implemented on digital currency markets. There is a possibility that regulatory dynamics will shift and a stronger focus on trade oversight. This will be done through a Surveillance-Sharing Agreement and partnerships with exchanges such as Coinbase.

LastPass Experiences its Second Major Data Breach in 4 Months

 

LastPass's data breach in August permitted a hacker to infiltrate the company again and steal customer data. LastPass announced on Wednesday that it was investigating the breach, which involved a third-party cloud storage service linked to company systems.

“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information,” the company wrote in a blog post.

It is unknown what data was stolen. LastPass, on the other hand, has stated that customers' passwords should be safe because the company does not store information on the "Master Password" that customers use to access the encrypted password vaults on the platform.
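The claim that the master password is never stored rests on the zero-knowledge pattern used by vault-style password managers: the client derives an encryption key from the master password locally and sends the server only a further one-way derivation for login. The model below is an added illustration of that pattern, not LastPass's code or its actual parameters; the iteration counts, salts and the `enroll`/`login` API are constructed for this example. It shows what a stolen copy of the server's authentication record does and does not contain.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this illustration; they are not LastPass's settings.
CLIENT_ITERATIONS = 300_000   # client-side PBKDF2 rounds on the master password
SERVER_ITERATIONS = 100_000   # server-side rounds applied to the received auth hash
KEY_LEN = 32


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side only. This key encrypts the vault and never leaves the device."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(),
        CLIENT_ITERATIONS, dklen=KEY_LEN)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side. One more one-way step produces the value sent for login, so the
    server sees neither the master password nor the vault key."""
    return hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode(), 1, dklen=KEY_LEN)


def server_enroll(auth_hash: bytes) -> dict:
    """Server side. The auth hash is salted and stretched again before storage, so a
    stolen record is not directly replayable as a login credential."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS, dklen=KEY_LEN)
    return {"salt": salt, "verifier": verifier}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], SERVER_ITERATIONS, dklen=KEY_LEN)
    return hmac.compare_digest(candidate, record["verifier"])


def enroll(email: str, master_password: str) -> dict:
    """Registration: the client computes both derivations and uploads only the auth hash."""
    vault_key = derive_vault_key(master_password, email)
    return server_enroll(derive_auth_hash(vault_key, master_password))


def login(record: dict, email: str, master_password: str) -> Optional[bytes]:
    """Login: returns the vault key (kept in client memory) on success, None otherwise."""
    vault_key = derive_vault_key(master_password, email)
    if server_verify(record, derive_auth_hash(vault_key, master_password)):
        return vault_key
    return None


def breach_exposes(record: dict, email: str, master_password: str) -> dict:
    """What an attacker holding a copy of the server record does and does not obtain."""
    vault_key = derive_vault_key(master_password, email)
    return {
        "vault_key_in_record": vault_key in record.values(),
        "password_in_record": master_password.encode() in record.values(),
        # Each offline guess against the stolen record costs the full client and server KDF work.
        "kdf_rounds_per_guess": CLIENT_ITERATIONS + 1 + SERVER_ITERATIONS,
    }


if __name__ == "__main__":
    rec = enroll("user@example.com", "correct horse battery staple")
    print("login ok:", login(rec, "user@example.com", "correct horse battery staple") is not None)
    print("breach exposes:", breach_exposes(rec, "user@example.com", "correct horse battery staple"))
```

The design point is the separation of the two derivations: a stolen verifier lets an attacker test guesses offline at the full KDF cost, but it contains neither the vault key nor anything that decrypts the vault, which is why a strong master password and a high iteration count matter after a server-side breach.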

“We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional,” the company said.  

Nonetheless, the incident demonstrates that the August breach at LastPass was more serious than previously thought. At the time, the company confirmed that the August breach only affected internal software development systems and did not include any customer password information. Despite this, the hacker was able to steal portions of the company's source code as well as some proprietary LastPass technical information, which likely paved the way for the subsequent intrusion.

LastPass also announced in September that it had completed its investigation into the breach with the assistance of cybersecurity firm Mandiant. According to the findings, the hacker only had access to the internal systems for four days. 

There was also no evidence of tampering. However, it appears that LastPass did not uncover all of the possible ways the hacker could use the access to breach the company again. LastPass did not identify the third-party cloud storage service used by the hacker to breach the company a second time. LastPass, on the other hand, has been sharing the cloud storage service with its affiliate GoTo. Private equity firms currently own both companies.

In response to the new breach, LastPass has implemented additional security measures and increased monitoring of its IT infrastructure. It has also engaged Mandiant and notified law enforcement about the hack.

Is it Safe to Use Virtual Credit Cards?

 

People all over the world use the internet to pay their bills, buy goods and services, and transfer money. This has many benefits, but one major disadvantage is security: millions of people fall victim to fraud and identity theft each year. 

Staying safe online necessitates constant vigilance, secure software, and a variety of skills required to navigate the World Wide Web. However, when it comes to online payments, virtual credit cards can add an extra layer of security. Virtual credit cards are primarily short-term digital cards intended for one-day or even one-time use. A virtual card is linked to a physical credit card or bank account.

It generates a card number, expiration date, and security code at random. As a result, your true information is not visible to or shared with anyone. Consider the following scenario to better understand how virtual credit cards work. You've logged into your preferred e-commerce platform, added various items to your cart, entered your information, and are about to pay. Instead of entering your credit card number, you create a new virtual credit card and enter all of the required information from it.

You learn several weeks later that this e-commerce platform was compromised by an unknown threat actor. The cybercriminal gained access to the company's systems, injected malicious code into the website, and stole user data, including credit card numbers. Your information and bank account, however, are safe because you used a virtual credit card rather than a real, physical card. 

Because the virtual credit card you used has already expired, you can proceed without concern about the breach. This is essentially the purpose of virtual credit cards. They conceal your true identity from threat actors and safeguard you from cybercrime. They obviously provide more privacy than physical credit cards, which is an added bonus.
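The scenario above turns on what the issuer checks at authorization time: a randomly generated number, a short expiry and a single-use flag mean that the details a breached merchant leaks are worthless weeks later. The following is an added example modeling that issuer-side logic, not code from any card provider; the `VirtualCardIssuer` class, the test-range BIN prefix, the dates and the one-day validity are all constructed for illustration. It generates Luhn-valid numbers, then replays the article's breach-and-reuse scenario against the authorization checks.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Tuple


def luhn_check_digit(partial: str) -> str:
    """Compute the trailing Luhn check digit for the digits issued so far."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """Standard Luhn validation over a complete card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class VirtualCard:
    pan: str
    expiry: date
    cvv: str
    funding_source: str  # the real account behind the card; never sent to a merchant
    single_use: bool
    limit_cents: int
    used: bool = False


class VirtualCardIssuer:
    BIN = "400000"  # constructed test-range prefix, not a real issuer BIN

    def __init__(self) -> None:
        self.cards: Dict[str, VirtualCard] = {}

    def issue(self, funding_source: str, today: date, *, single_use: bool = True,
              valid_days: int = 1, limit_cents: int = 10_000) -> VirtualCard:
        # Number, expiry and CVV are generated at random; none of them reveal the funding source.
        partial = self.BIN + "".join(secrets.choice("0123456789") for _ in range(9))
        card = VirtualCard(
            pan=partial + luhn_check_digit(partial),
            expiry=today + timedelta(days=valid_days),
            cvv=f"{secrets.randbelow(1000):03d}",
            funding_source=funding_source,
            single_use=single_use,
            limit_cents=limit_cents,
        )
        self.cards[card.pan] = card
        return card

    def authorize(self, pan: str, cvv: str, amount_cents: int, when: date) -> Tuple[bool, str]:
        """Issuer-side authorization; these checks are what make a leaked number useless later."""
        card = self.cards.get(pan)
        if card is None or not luhn_valid(pan):
            return False, "unknown card"
        if not hmac.compare_digest(card.cvv, cvv):
            return False, "cvv mismatch"
        if when > card.expiry:
            return False, "expired"
        if card.single_use and card.used:
            return False, "already used"
        if amount_cents > card.limit_cents:
            return False, "over limit"
        card.used = True
        card.limit_cents -= amount_cents
        return True, "approved"


def breach_scenario() -> dict:
    """The article's scenario: pay with a one-day card, merchant is breached weeks later."""
    issuer = VirtualCardIssuer()
    day0 = date(2023, 3, 1)  # constructed date
    card = issuer.issue("real-account-4242", day0)
    # What the merchant stores, and therefore what later leaks: only the virtual card details.
    merchant_record = {"pan": card.pan, "cvv": card.cvv, "expiry": card.expiry}
    purchase = issuer.authorize(card.pan, card.cvv, 4_999, day0)
    # Weeks later the merchant database leaks and someone replays the stored card.
    replay = issuer.authorize(merchant_record["pan"], merchant_record["cvv"], 4_999,
                              day0 + timedelta(days=21))
    # Even a same-day replay fails, because the card was issued as single-use.
    same_day_replay = issuer.authorize(card.pan, card.cvv, 100, day0)
    return {
        "purchase": purchase,
        "replay_after_breach": replay,
        "same_day_replay": same_day_replay,
        "funding_source_leaked": card.funding_source in merchant_record.values(),
        "pan_luhn_valid": luhn_valid(card.pan),
        "pan_length": len(card.pan),
    }


if __name__ == "__main__":
    for k, v in breach_scenario().items():
        print(f"{k}: {v}")
```

The refund and hotel-booking drawbacks discussed further down follow directly from the same `expired` and `already used` checks: the issuer cannot tell a legitimate later charge from a replayed one, so a card that has lapsed is declined for both.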

Virtual credit cards are clearly something that everyone who values their security (and their hard-earned money) should consider. So, how does one go about obtaining one? The answer may be disappointing, but your best option is to contact your bank and inquire about virtual credit cards. Many people nowadays do.

However, if your bank or card issuer is unable to provide you with a virtual credit card for whatever reason, there is another service called Privacy that you could utilize. It is a simple and easy-to-understand online platform for creating virtual credit cards. Essentially, all you need to do is add a funding source, create a card, and you're ready to go.

Of course, Privacy provides much more. Setting spending limits, creating an online wallet with multiple cards, setting recurring payments (great for subscription services), tracking your spending, and more are all possible with the platform. Privacy also has a mobile app and a Chrome extension, enabling you to access the service from almost any device.

More notably, Privacy is extremely safe. It is PCI-DSS compliant, which means it is held to the same standards as US banks. Internet Protocol Security (IPsec) with AES-256 encryption protects all data center communications, while Transport Layer Security (TLS) protects web traffic. Customers' passwords are hashed, and their data is stored on servers spread across the globe.

Privacy has three different plans: personal, professional, and team. Personal is free, but you can only create 12 virtual credit cards each month. You can make up to 36 cards with Pro and up to 60 with Teams. These two plans charge $10 and $25 per month, respectively.

However, there is one major drawback to Privacy: it is only available to US citizens and legal residents, as well as residents of Puerto Rico, Guam, the Virgin Islands, the Northern Mariana Islands, and American Samoa. According to the company's official website, it is striving to make its services available globally, so keep an ear to the ground if you are not based in the US but require a virtual credit card.

The fact that virtual credit cards cannot be used in person is an evident disadvantage. You can, however, add some virtual credit cards to a safe and dependable mobile wallet and pay that way whenever possible.
 
The main disadvantage of virtual credit cards compared with physical ones is that they are intended for one-time or one-day use. Even when a virtual card is not limited to temporary use, you would need to generate new ones regularly to ensure maximum security. The issue is that if you pay for something online with your virtual credit card and then demand a refund because the goods do not arrive or arrive damaged, you will have no way of getting your money back if the card number has already expired.

Another potential disadvantage is that you sometimes need to utilize the same card to pay for a service. For example, if you make a hotel reservation online using your virtual credit card but do not pay the full amount in advance, the hotel may ask you to pay for your room with the same card you used to book it—which you will be unable to do if your virtual credit card has already expired.

Virtual credit cards are secure, simple to use, free (or, at the very least, inexpensive), and will improve your security and privacy. Most importantly, they will safeguard you against fraud, theft, and other forms of cybercrime.

There is always the potential of having problems getting a refund or something similar, but that is probably a reasonable compromise for most people. And, until you get a virtual credit card, make sure you are familiar with the most common online shopping security threats and how to avoid them.

Shangri-La Reports Major Data Breach at Eight Hotels, Guests Data Leaked

 

A database breach at Shangri-La Group has potentially exposed the personal information of guests who stayed at its hotels in Singapore, Hong Kong, Chiang Mai, Taipei, and Tokyo. 

Mr. Brian Yu, the group's senior vice-president for operations and process transformation, stated in an e-mail to affected guests on Friday: "A sophisticated threat actor managed to bypass Shangri-La's IT security monitoring systems undetected and illegally accessed the guest databases." The breach occurred between May and July 2022, according to its investigation.

Around the same time, Asia's top security summit, the Shangri-La Dialogue, returned to Singapore after a two-year hiatus due to the pandemic. From June 10 to 12, the event was held at the eponymous Shangri-La hotel on Orange Grove Road near Orchard Road. In the e-mail sent to the affected guests, Mr. Yu confirmed that certain data files had been stolen from the breached databases.

"Although we were not able to confirm the content of the exfiltrated data files, it is likely that they contained guest data," he added.

Upon being asked whether the Shangri-La Dialogue was specifically targeted, a hotel spokesman said, “There is no evidence to suggest any specific hotel or event was singled out. As a matter of policy, we do not disclose information about our guests.” 

"Data related to the Shangri-La Dialogue was stored on a separate secure server and was not affected in this incident," stated a spokesman for the event's organiser, the International Institute for Strategic Studies (IISS).

The Singapore Cyber Security Agency mentioned that it is aware of the incident and urged organisations to regularly monitor and check their IT networks for signs of suspicious activity. The properties affected are listed below:

• Shangri-La Apartments, Singapore
• Shangri-La Singapore
• Island Shangri-La, Hong Kong
• Kerry Hotel, Hong Kong
• Kowloon Shangri-La, Hong Kong
• Shangri-La Chiang Mai
• Shangri-La Far Eastern, Taipei
• Shangri-La Tokyo

Following the discovery of unauthorised network activity, the hotel group said it hired cyber forensic experts to investigate the discrepancies. The databases of the hotels affected by this incident contained a combination of the following data sets: guest names, e-mail addresses, phone numbers, postal addresses, Shangri-La Circle membership numbers, reservation dates, and company names, according to the statement.

The hotel chain assured guests that there is currently no evidence that their personal information has been released or misused by third parties. As a precaution, in destinations where local regulations allow, it is providing affected guests with a one-year complimentary identity monitoring service provided by Experian, a third-party cyber security service provider.

"We deeply regret this has occurred and wish to assure you that all necessary steps have been taken to investigate and contain this incident. This notice provides information about what happened and how we can assist you," wrote Mr. Yu in the e-mail.

He assured guests that data such as passport numbers, ID numbers, dates of birth, and credit card numbers with expiry dates are encrypted. "Protecting our guests' information is very important to us and we wish to assure you that all necessary steps have been taken to further strengthen the security of our networks, systems, and databases. Once again, we deeply regret any inconvenience or concerns this incident may cause."

Watchdog Finds, Over Half of Operating Systems at VA Medical Center in Texas are Outdated

 

According to an IT security assessment released on Tuesday by the Department of Veterans Affairs' Office of Inspector General, more than half of the network switches at the Harlingen VA Health Care Center in Harlingen, Texas, were running outdated operating systems and did not meet the department's baseline configurations. 

The audit was conducted to evaluate whether Harlingen was complying with the Federal Information Security Management Act, or FISMA, information security safeguards. The OIG stated that it chose Harlingen for an assessment because it had not previously been reviewed during the annual FISMA audit. 

Harlingen is part of the Texas Valley Coastal Bend Healthcare System, which receives approximately 300,000 outpatient visits per year. The OIG discovered flaws in three of the four security control areas at Harlingen, including configuration management, contingency planning and access controls. OIG’s inspection team did not document any issues with the center’s security management.

The audit found significant flaws in Harlingen's configuration management controls, which were used to identify and track the centre's hardware and software components. These flaws included an inaccurate component inventory list, unaddressed security flaws, and an inability to identify all critical and high-risk vulnerabilities across the centre's network.

Most concerning was OIG’s finding that “almost 53 per cent of the Harlingen centre’s network switches used operating systems that no longer receive maintenance or vulnerability support from the vendor.” And the outdated devices did not meet the baseline configurations for network equipment mandated by the VA Office of Information and Technology Configuration Control Board, which reflect “agreed-on specifications for systems or configuration items within those systems." 

“Network devices and IT systems are an organization’s most critical infrastructure,” OIG said in its assessment. “Upgrading is not just a defensive strategy but a proactive one that protects network stability.”

Despite VA's use of an automated inventory system, the OIG assessment revealed varying tallies of IT components at Harlingen. The VA discovered 1,568 devices at the centre, while the OIG assessment team discovered 1,544 devices on the Harlingen network. However, according to the audit, VA's Enterprise Mission Assurance Support Services system, or eMASS, which "allows for FISMA systems inventory tracking and reporting activities," only identified 942 devices.

“Because VA’s eMASS is used for developing system security and privacy plans, without an accurate inventory of network devices in eMASS, VA has no assurance that these plans implement security controls for all the components within the system,” the audit said. 

OIG's inspection team also compared on-site vulnerability scans from Jan. 10 to Jan. 13, 2022, with those conducted remotely by VA's Office of Information and Technology, and discovered 16 serious vulnerabilities on the Harlingen network that had not been mitigated within VA's established timeframe for addressing vulnerabilities. These included "five critical vulnerabilities on less than 1% of the computers and 11 high-risk vulnerabilities."

The OIG's inspection team also discovered that database managers were not adequately maintaining log data; that computer rooms and communications closets throughout the facility lacked fire detection systems; and that the computer room housing the center's police servers lacked a visitor access log. Furthermore, the OIG discovered that Harlingen's contingency plan "did not fully address reconstituting all systems to restore IT operations to a fully operational state following a disaster."

The OIG made four recommendations to the VA's assistant secretary for information and technology and chief information officer "due to enterprise-wide IT security issues similar to those identified during previous FISMA audits and IT security reviews." The OIG also made another recommendation to Harlingen's director to “validate that appropriate physical and environmental security measures are implemented and functioning as intended.” VA concurred with all five recommendations. 

VA has long struggled to meet FISMA requirements, with the Government Accountability Office stating in a November 2019 report that VA was one of the federal agencies with inadequate information security protections, including when it came to implementing effective security controls and mitigating vulnerabilities.

On Sept. 22, the OIG released a separate IT security assessment of the Alexandria VA Medical Center in Pineville, Louisiana, documenting deficiencies in three of the facility's four security control areas and discovering "critical and high-risk vulnerabilities on 37% of the devices."

The FISMA audit of VA's agencywide compliance for fiscal year 2021, released in April, found that the department as a whole "continues to face significant challenges in complying with FISMA due to the nature and maturity of its information security program.” OIG noted in Tuesday’s assessment of Harlingen that the FY2021 FISMA audit made 26 recommendations to VA, and that “all 26 recommendations were repeated from the prior year.”

In-Depth Look at Ragnar Locker Ransomware Targeting Vital Industries

 

The Ragnar group, responsible for the Ragnar Locker ransomware, has been active since 2019, targeting critical industries and using double extortion. The FBI warned in March 2022 that at least 52 entities from ten critical industry sectors had been affected. 

In August 2022, the group launched an attack on Greek gas supplier Desfa, claiming to have stolen sensitive data. Cybereason researchers examined Ragnar Locker's encryption process. Ragnar Locker performs a location check during execution. Execution is stopped if the location is any country in the Commonwealth of Independent States (CIS).

It then gathers host information such as the computer and user names, the machine GUID and the Windows version. This data is concatenated and obscured with a custom hashing function, and the combined hashes are used to name a new event. Ragnar Locker then attempts to locate existing file volumes using the Windows API CreateFileW.

Next, the malware decrypts a list of services embedded in encrypted form in its code: VSS, sql, memtas, mepocs, sophos, veeam, backup, pulseway, logme, logmein, connectwise, splashtop, kaseya, vmcompute, Hyper-v, vmms and Dfs. Any of these found running is terminated.

The malware then decrypts and prepares an embedded RSA public key for use. It decrypts the ransom note and then proceeds to delete any shadow copies of the host via vssadmin.exe and Wmic.exe.

The ransom note in the analysed sample also states, "Also, all of your sensitive and private information was gathered, and if you decide NOT to pay, we will upload it for public view!" Ragnar Locker's Tor data leak site (http [://] rgleaktxuey67yrgspmhvtnrqtgogur35lwdrup4d3igtbm3pupc4lyd [.] onion/) currently lists approximately 70 claimed victims.

The note demands a ransom of 25 bitcoins, but suggests that if contact is made within two days, this can be negotiated. However, it warns that if no contact is made within 14 days, the ransom will double, and the decryption key will be destroyed if no payment agreement is reached within 21 days. It also states that the attackers customised the ransom amount based on the victim's "network size, number of employees, annual revenue."

Once the ransom note is ready, Ragnar Locker begins the encryption process. Excluded from encryption are files such as autoruns.inf, boot.ini, bootfront.bin, bootsect.bak, bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini and thumbs.db; specific folders and objects such as Windows.old, Tor Browser, Internet Explorer, Google, Opera, Opera Software, Mozilla, Mozilla Firefox, $Recycle.bin, ProgramData and All Users; and files with the extensions .db, .sys, .dll, .lnk, .msi, .drv and .exe.

Other files' filenames are sent to the encryption function, which encrypts them and appends the suffix '.ragnar [hashed computer name]'. Ragnar Locker creates a notepad.exe process after encryption and displays the ransom note on the user's screen.
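The host behaviours described above (termination of the listed services, shadow-copy deletion via vssadmin.exe and Wmic.exe, and the '.ragnar' rename) can be turned into a hunting check. This is an added example, not Cybereason's or the original post's code; the record format, the sample events and the separator after '.ragnar' are assumptions.

```python
"""Hunt for the Ragnar Locker host behaviours described above in constructed telemetry."""
import re
from collections import Counter

# Services the analysed sample stops before encrypting (list from the write-up above).
RAGNAR_TARGET_SERVICES = {s.lower() for s in (
    "VSS", "sql", "memtas", "mepocs", "sophos", "veeam", "backup", "pulseway", "logme",
    "logmein", "connectwise", "splashtop", "kaseya", "vmcompute", "Hyper-v", "vmms", "Dfs")}

# Shadow-copy deletion through the two Windows utilities the write-up names.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
# Encrypted files get '.ragnar' plus a hashed computer name; the separator is an assumption.
RAGNAR_EXT = re.compile(r"\.ragnar[_ -]?[0-9a-f]{6,}$", re.I)

def parse(line):
    """Records are constructed 'timestamp|kind|payload' strings, not a real EDR export."""
    ts, kind, payload = line.split("|", 2)
    return {"ts": ts, "kind": kind, "payload": payload}

def hunt(lines, service_threshold=3):
    """Return findings: each shadow-copy deletion, a burst of stopped target services,
    and the number of renames to the Ragnar extension."""
    findings, stopped, renamed = [], Counter(), 0
    for ev in map(parse, lines):
        payload = ev["payload"]
        if ev["kind"] == "proc" and SHADOW_DELETE.search(payload):
            findings.append(("shadow_copy_deletion", ev["ts"], payload))
        elif ev["kind"] == "svc_stop":
            name = payload.lower()
            # Substring match so 'VeeamBackupSvc' is caught by 'veeam' and 'backup'.
            if any(t in name for t in RAGNAR_TARGET_SERVICES):
                stopped[name] += 1
        elif ev["kind"] == "file_rename" and RAGNAR_EXT.search(payload):
            renamed += 1
    if len(stopped) >= service_threshold:
        findings.append(("backup_security_services_stopped", sorted(stopped)))
    if renamed:
        findings.append(("ragnar_extension_renames", renamed))
    return findings

# Constructed sample telemetry from a hypothetical host, in the order the write-up describes.
SAMPLE = [
    "2022-08-20T01:02:03Z|svc_stop|VSS",
    "2022-08-20T01:02:04Z|svc_stop|VeeamBackupSvc",
    "2022-08-20T01:02:04Z|svc_stop|SophosEndpoint",
    "2022-08-20T01:02:05Z|svc_stop|Spooler",
    r"2022-08-20T01:02:07Z|proc|C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    "2022-08-20T01:02:08Z|proc|wmic.exe shadowcopy delete",
    r"2022-08-20T01:03:10Z|file_rename|C:\Users\fin\Q3.xlsx -> C:\Users\fin\Q3.xlsx.ragnar_0a1b2c3d",
    r"2022-08-20T01:03:11Z|file_rename|C:\Users\fin\notes.txt -> C:\Users\fin\notes.txt.ragnar_0a1b2c3d",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```

The service-stop threshold is deliberately low because the write-up describes the stops happening together just before encryption; tune it to your environment's normal maintenance noise.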

Data for the double-extortion stage is exfiltrated continuously up to the point of encryption. According to Loic Castel, a principal security analyst at Cybereason's Global SOC, “In general, ransomware operatives doing double extortion always require full privileges on the network they are looking to encrypt. Between the initial access phase (when they take control of an asset, for instance through spearphishing) and the encryption phase, they have access to many machines, which they can extract data from and send through exfiltration services / external domains.”

As per the FBI alert, data exfiltration occurred nearly six weeks after the initial access and continued for about ten days before the encryption process began. Ragnar Locker primarily targets critical industry companies. 

“Ragnar Locker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention,” warned the FBI in its March 2022 alert.

Massive China-Linked Disinformation Campaign Taps PR Firm for Help

 

Security experts have discovered another Chinese information operation that is attempting to improve the country's image overseas by utilising a large number of fake news sites and social media assets. 

The content, which is available in 11 languages, tries to win hearts and minds over to Beijing's way of thinking by undermining criticism of the Xinjiang genocide and the deterioration of democracy in Hong Kong. 

According to Mandiant, among the Communist Party opponents targeted in the campaign are Chinese billionaire Guo Wengui and German anthropologist Adrian Zenz, who is known for his study on Uyghur oppression. The campaign's most striking feature is that it appears to leverage infrastructure owned by local public relations business Shanghai Haixun Technology, a company that promotes "positive thinking." 

According to Mandiant in a blog post, the word "positive energy" is particularly loaded in China since it is frequently used by the Xi Jinping government to refer to communications that reflect Beijing positively. As a result, Mandiant dubbed the information operations effort "HaiEnergy." 

“While we do not currently have sufficient evidence to determine the extent to which Haixun is involved in, or even aware of HaiEnergy, our analysis indicates that the campaign has at least leveraged services and infrastructure belonging to Haixun to host and distribute content,” the firm explained. 

“In total, we identified 72 websites (59 domains and 14 subdomains) hosted by Haixun, which were used to target audiences in North America, Europe, the Middle East and Asia.” 

The campaign has relied solely on Haixun's internet infrastructure to post content and host websites. Those sites share significant commonalities that indicate a coordinated strategy, including: 
  • Nearly all the English language sites are built with a Chinese-language HTML template
  • Several of the sites that include a domain and subdomain are disguised to appear as different, independent sites
  • Many of the sites link directly to other sites in the network
  • The same articles are often published across multiple sites
If Haixun is actively involved in this effort, it would be a continuation of a pattern in which threat actors utilise "info ops for hire" organisations to perform their dirty work, according to Mandiant. The one advantage is that it does not appear to have paid off on this occasion.

“We note that despite the capabilities and global reach advertised by Haixun, there is at least some evidence to suggest HaiEnergy failed to generate substantial engagement,” the report concluded.

“Most notably, despite a significantly large number of followers, the political posts promoted by inauthentic accounts we attribute to this campaign failed to gain much traction outside of the campaign itself.”

Hackers Target National Portal of India Via ‘Unprecedented’ Phishing Method

 

On Thursday, cyber-security experts announced the discovery of an "unprecedented, sophisticated" phishing method that has been used to extort people through impersonations of official websites worldwide, including the Indian government's portal https://india.gov.in. 

According to AI-driven cyber-security startup CloudSEK, threat actors have been targeting the Indian government's webpage by using a fake URL to deceive users into entering sensitive information such as credit card numbers, expiration months, and CVV codes. 

In the Browser-in-the-Browser (BitB) attack, an advanced phishing technique, hackers imitate the browser window of the Indian government website, most typically its SSO (single sign-on) pages, complete with a unique login. BitB attacks impersonate reputable websites in order to steal user passwords and other sensitive data such as personally identifiable information (PII). The URL shown in the fake window produced by the BitB attack appears to be legitimate. 

"The bad actors have also replicated the original page's user interface. Once their victims click into the phishing page, a pop-up appears on the phoney window claiming that their systems have been blocked, posing as a notification from the Home Affairs Enforcement and Police," the researchers asserted. 

The users are then alerted that their excessive usage of pornographic websites is banned under Indian law, and they are asked to pay a Rs 30,000 fee in order to unlock their computers.

"They are given a form to fill out in order to pay the fine, which asks them to divulge personal information, including their credit card information. The victims become panicked because the warning has a sense of urgency and appears to be time-bound," the researchers stated. 

The information entered by the victims into the form is sent to the attacker's server. Once the attackers have obtained the card information, it may be sold to other purchasers in a bigger network of cyber criminals, or the victim may be extorted for more funds. 

When users attempt to connect to a website, they may click on a malicious link that presents what appears to be an SSO login pop-up window. When they visit the provided URL, users are asked to sign in to the website with their SSO credentials and are then sent to a fraudulent page that looks just like the real SSO page. The attack typically triggers single sign-on windows and presents bogus web pages that are identical to the legitimate page. 

"Combine SSO with MFA (multi-factor authentication) for secure login across accounts, check for suspicious logins and account takeovers and avoid clicking on email links from unknown sources," the researchers suggested.

Japanese City Worker Loses USB Containing Resident's Personal Data

 

A Japanese city has been compelled to apologise after a contractor admitted to losing a USB memory stick holding the personal data of over 500,000 inhabitants following an alcohol-fueled night out. 

Amagasaki, western Japan, officials claimed the man – an unidentified employee of a private contractor hired to administer Covid-19 compensation payments to local homes – had taken the flash drive from the city's offices to transfer the data to a contact centre in neighbouring Osaka. 

After spending Tuesday evening drinking at a restaurant, he realised on his way home that the bag holding the drive, as well as the personal information of all 460,000 Amagasaki residents, had gone missing. The next morning, he reported the loss to the police. 

According to the Asahi Shimbun, the information contained the residents' names, residences, and dates of birth, as well as data on their residence tax payments and the bank account numbers of those receiving child benefits and other welfare payments. There have been no complaints of data leaks because all of the information is encrypted and password secured. 

“We deeply regret that we have profoundly harmed the public’s trust in the administration of the city,” an Amagasaki official told reporters. The city said in a statement that it would “ensure security management when handling electronic data. We will work to regain our residents’ trust by heightening awareness of the importance of protecting personal information.” 

Not a new affair 

Last month, a man in Abu was handed £279,000/US$343,000 in Covid-19 relief payments meant for 463 low-income people. Local officials said this week that they had recovered all of the money via internet payment services after the individual claimed he had gambled it all away. 

The Amagasaki event highlights worries about some Japanese organisations' ongoing usage of obsolete technologies. According to media reports last week, dozens of businesses and government agencies were rushing to transition away from Internet Explorer before Microsoft retired the browser at midnight on Wednesday. 

According to Nikkei Asia, a sense of "panic" seized businesses and government organisations who were slow to abandon their dependency on IE before Microsoft formally ceased support services, leaving surviving users susceptible to flaws and hacks.