Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Ransom Attack. Show all posts

Port of Seattle Faces $5.9 Million Ransom Demand in Rhysida Cyberattack

 

The Port of Seattle is confronting a severe cybersecurity crisis as the Rhysida ransomware group demands a ransom of 100 bitcoins (approximately $5.9 million). Rhysida, which has gained notoriety for targeting organizations worldwide, released screenshots of stolen documents, claiming they possess sensitive data such as scanned U.S. passports, Social Security numbers, and tax forms. The group has threatened to sell this data on the dark web if their ransom demands are not met within a week. 

In a joint statement with Seattle-Tacoma International Airport, the Port of Seattle has made it clear they will not pay the ransom, despite threats to publicly release the stolen data. A Port spokesperson emphasized that refusing to comply is part of their firm stance against negotiating with cybercriminals. The extent of the data breach is still under investigation, but Rhysida’s involvement suggests a sophisticated attack that exploited vulnerabilities in the port’s systems. The attack was initially detected on August 24, leading to widespread service disruptions. 

Critical systems were impacted, including baggage handling, check-in kiosks, ticketing, Wi-Fi, and digital display boards, creating significant inconvenience for travelers. The port responded swiftly, isolating affected systems to prevent further breaches. This disruption highlights the real-world consequences of ransomware attacks on essential infrastructure, raising concerns about cybersecurity preparedness in public sectors. Rhysida operates as a ransomware-as-a-service group, enabling other cybercriminals to use its platform for extortion. The group, active since June 2023, has a history of targeting multiple sectors, including government, healthcare, and critical infrastructure, with a focus on the U.S. 

According to cybercrime research platform eCrime.ch, Rhysida has claimed nearly 150 victims since its emergence, demonstrating its rapid growth and effectiveness in breaching high-value targets. The breach at the Port of Seattle emphasizes the growing threat of ransomware attacks on critical infrastructure and serves as a wake-up call for organizations to prioritize cybersecurity measures. Authorities, cybersecurity experts, and the port’s internal IT team are working together to assess the full impact of the attack and develop strategies to restore normal operations. Given the evolving tactics of ransomware groups like Rhysida, this incident underscores the urgent need for comprehensive security strategies and employee training to protect against future breaches. 

In light of this attack, cybersecurity agencies have warned other U.S. ports and critical infrastructure organizations to strengthen their defenses against similar threats. This breach represents a broader trend of ransomware groups targeting critical infrastructure, which, if left unchecked, could have far-reaching implications on national security and economic stability. The Port of Seattle’s refusal to pay the ransom aligns with federal guidelines discouraging negotiations with cybercriminals, but it remains to be seen whether this approach will mitigate the impact of the breach or provoke further retaliation from Rhysida. 

The incident serves as a stark reminder that cybersecurity threats are increasingly sophisticated, requiring organizations to adapt their defense strategies to safeguard sensitive data and operations.

North Korean Hacker Indicted for Cyber Attacks on U.S. Hospitals, NASA, and Military Bases

 

Federal prosecutors announced the indictment of Rim Jong Hyok, a North Korean military intelligence operative, for his role in a conspiracy to hack into American healthcare providers, NASA, U.S. military bases, and international entities. 

The indictment, unveiled on July 25, 2024, in Kansas City, Kansas, details Hyok’s involvement in stealing sensitive information and deploying ransomware to fund further cyberattacks. Rim Jong Hyok is accused of laundering money through a Chinese bank, using the proceeds to acquire computer servers and finance additional cyberattacks targeting defense, technology, and government entities globally. The indictment highlights his connection to the Andariel Unit of North Korea’s Reconnaissance General Bureau, a state-sponsored group responsible for these malicious activities. 

The cyberattacks on American hospitals and healthcare providers disrupted patient care, underscoring the severe impact of such crimes on public health. Prosecutors allege that Hyok targeted 17 entities across 11 U.S. states, including NASA and U.S. military bases. Defense and energy companies in China, Taiwan, and South Korea were also among the victims. Over three months, Hyok and his team infiltrated NASA’s computer systems, extracting over 17 gigabytes of unclassified data. They also accessed systems of defense companies in Michigan and California and breached Randolph Air Force Base in Texas and Robins Air Force Base in Georgia. 

The malware used by the Andariel Unit enabled them to transmit stolen information to North Korean military intelligence, aiding the country’s military and nuclear ambitions. The stolen data included details of fighter aircraft, missile defense systems, satellite communications, and radar systems, according to a senior FBI official. Stephen A. Cyrus, an FBI agent based in Kansas City, emphasized that North Korea uses cybercrimes to circumvent international sanctions and fund its political and military goals. The impact of these attacks is felt directly by citizens, as evidenced by the disruption of hospital operations in Kansas and other states. 

A reward of up to $10 million has been offered for information leading to his capture or that of other foreign operatives targeting U.S. infrastructure. The Justice Department has a history of prosecuting North Korean hackers. In 2021, three North Korean programmers were charged with a range of cybercrimes, including an attack on an American movie studio and the attempted theft and extortion of over $1.3 billion from banks and companies worldwide. The FBI’s involvement in this case began when a Kansas medical center reported a ransomware attack in May 2021. 

Hackers had encrypted the hospital’s files and servers, blocking access to patient records and critical equipment. A ransom note demanded Bitcoin payments, threatening to leak the files online if the demands were not met. Investigators traced the Bitcoin transactions to two Hong Kong residents, eventually converting the funds to Chinese currency and transferring them to a Chinese bank. The money was accessed from an ATM near the Sino-Korean Friendship Bridge. 

In 2022, the Justice Department announced the seizure of approximately $500,000 in ransom payments, including the entire ransom paid by the Kansas hospital. While Hyok’s arrest is unlikely, the indictment may lead to sanctions that could hinder North Korea’s ability to collect ransoms, potentially reducing the motivation for future attacks on critical infrastructure. 

Cybersecurity analyst Allan Liska from Recorded Future notes that although sanctions may not stop North Korea’s cyber activities entirely, they could deter attacks on hospitals by making ransom payments more difficult to collect. This incident also raises questions about China’s stance on being targeted by its ally, North Korea.

European Oil Port Hubs Hit by a Cyberattack

 

Hamburg, a major port part of northern Germany, was targeted by the cyberattack, as were at least six oil ports in Belgium and the Netherlands. Prosecutors in Belgium have opened an inquiry into the theft of oil supplies in the country's marine entryways, particlarly Antwerp which also happens to be Europe's second-largest port after Rotterdam.

Prosecutors in Germany are said to be looking into a cyberattack on oil facilities which are described as a probable ransomware attack, wherein hackers demand money in exchange for reopening captured networks. 

Last month, oil prices reached a seven-year high amid geopolitical tensions with Russia, and rising energy costs are fueling an increase in costs which has alarmed European authorities. 

"A cyberattack was launched against several terminals, causing significant disruption. The software has been taken over, which is unable to process barges. The operating system is basically down "Jelle Vreeman, a senior trader at Riverlake in Rotterdam, echoed this sentiment.

Europol, the EU's police agency, confirmed the information of the events in Germany had given assistance to authorities. "At this time, the investigation is underway and in a critical stage," said Claire Georges, a spokesman for Europol. 

Last week, the first signs of what looks to be a complex cyberattack were revealed in Germany; on January 29, Oiltranking Group and Mabanaft were found to be the victims of a cyber-attack. 

Belgian authorities were also looking into the incident, which impacted terminals in Ghent and Antwerp-Zeebrugge. In Amsterdam, Ghent, Antwerp, SEA-Tank, Oiltanking, and Evos are all reporting faults with the operating systems. 

Oiltanking Deutschland GmbH & Co. KG, a company that stores and delivers oil, motor fuels, and other petroleum products, announced its website was being hacked. According to the company, it was compelled to function at "restricted efficiency" and was conducting an investigation. The intrusion on Oiltanking was caused by ransomware, which encrypts data and renders computer systems is useless until a ransom is paid.

Following a ransomware attack on US oil distributor Colonial Pipeline in May of last year, supplies were tightened across the US, prompting various states to declare an emergency. However, cyber-security experts warn against assuming many events are part of a coordinated campaign to destabilize the European energy industry. 

"Some varieties of malware harvest emails and contact information and use it to actively spam dangerous attachments or links," said Brett Callow, Threat Researcher at cyber-security firm Emsisoft. While investigating the degree of the infiltration, the organizations report taking steps to rectify the situation and strengthen the network.

Morley Businesses Provider Uncovered a Ransomware Attack

 

Morley, a business services company revealed this week , it had been the target of a ransomware assault which could have exposed the personal information of over 500,000 people. The incident was found in August 2021 when it observed certain files had become unavailable owing to a ransomware attack.

Morley Companies, Inc., based in Saginaw, Michigan, provides business operations to Fortune 500 and Global 100 companies, such as session management, back-office procedures, contact centers, and trade show showcases and displays. 

According to an investigation, for all individuals affected, Morley will cover the expenses of 2 years of IDX identity protection. Those who are affected will be alerted and given instructions on how to join IDX's program. The intruders may have had access to user and staff data, including confidential and sensitive health information. To be precise, the hack exposed the personal information of 521,046 people in total. The company did not explain why it took about 6 months after discovering the breach to begin alerting victims in its letters to victims. 

Morley's security incident notification noted, "As a result, Morley realized the data may have been stolen from its digital environment." "Morley then started collecting personal information needed to notify possibly affected persons, which he finished in early 2022." 

In order to determine why the files weren't accessible anymore, Morley said it had to engage a cybersecurity specialist. When the root of the incident was uncovered, which was revealed to have been a ransomware epidemic, the company engaged the assistance of local experts to analyze the information and identify all those who had been impacted. 

Although this looks to be optimistic, the cyber-intelligence platform claims to have only recently uncovered Morley's data on the dark web. This is often a caution, the data will be used in future attacks by other threat actors, such as specific phishing.

 Tennessee State University was Targeted by a Cyber Attack

 

Officials say a data security breach at a Tennessee community college might just have resulted in a sensitive data breach of previous and present students, instructors, and employees. 

In 2021, educational institutions are expected to experience a record number of ransomware attacks, with K-12 schools being the top targets. Productive one-device-per-student and learn-from-anywhere programs have increased the attack surface for numerous cyber risks while improving educational achievements. 

Ransomware is a type of destructive software created by coordinated cybercriminals, often known as "bad actors, "A hacker employs software, which is generally transmitted via phishing emails, to encrypt or prevent access to information systems and documents in a ransomware assault. The victim is told that the only option to regain access is to pay a ransom or a set amount of money.

Officials say a data security breach at a Tennessee community college might just have resulted in unauthorized private data of previous and present students, instructors, and employees being breached. The Tennessee Board of Regents said in a press release, “Pellissippi State Community College is issuing out notices regarding a ransomware attack aimed primarily at encrypting school data in order to extort a ransom payment.” According to the Knoxville college's website, Pellissippi State did not pay a ransom. 

According to the board, which governs the state's community colleges, the college's core database and online payment systems have not been infected, and no data from such networks was accessed by unauthorized individuals. Officials believe a data leak at a Tennessee community college may have exposed the personal information of former and current students, professors, and workers to the public. 

Schools have become increasingly subject to security concerns and potential assaults as a result of the buzz of new technology required to enable the move to remote learning as a reaction to the growing health issue. 

New applications, patching delays, and security measures falling short of mark have added complexity and risks to situations where security had previously been a last-minute consideration. These flaws constitute a serious risk if they are exploited. 

As per the experts, absolute research is significant because it evaluates how virtual learning disruption, particularly new technology adoption, has enabled new attack avenues for bad actors and hackers.

XorDDoS, Mirai, and Mozi are Most Prominent Linux-targeted Malware

 

Linux-based computers are numerous and are an integral component of the internet backbone, but Linux malware has increasingly targeted low-power Internet of Things (IoT) devices. With billions of internet-connected devices such as vehicles, refrigerators, and network equipment online, IoT devices have become a prominent target for malware and distributed denial of service (DDoS) attacks, in which junk data is aimed at flooding a target and knocking it offline. 

Although ransomware is currently wreaking havoc on the malware scene in a deluge of high-profile attacks, a recent study on Linux security finds it only ranks third among the top threat kinds. Such shift in attitude stems in part from an increasing recognition among Linux hobbyists and system administrators that a compromised Linux system, such as a web server, presents attackers with a high return on investment.' In addition, malware research has improved visibility into the dangers that Linux systems face in recent years. 

In 2021, the XorDDoS, Mirai, and Mozi malware families and variants emerged to be the most prevalent, accounting for over 22% of all IoT Linux-targeting malware, according to an analysis of the current Linux threat landscape. 

XorDDoS is a Linux trojan that has been developed for a variety of Linux architectures, including ARM, x86, and x64. It gets its name from the fact that it uses XOR encryption in malware and network connection with the C2 infrastructure. XorDDoS variations on Linux PCs demonstrate that operators monitor and hunt for Docker servers with the 2375 port open. The port provides an unencrypted Docker socket and remote root passwordless access to the host, both of which can be exploited by attackers to get root access to the machine. 

Mozi is a P2P botnet network that uses the distributed hash table (DHT) architecture and implements its own expanded DHT. Mozi can mask C2 communication behind a significant volume of valid DHT traffic thanks to DHT's distributed and decentralized lookup method. By brute-forcing SSH and Telnet ports, Mozi attacks computers. It then blocks those ports to prevent additional malicious actors or viruses from overwriting them. 

Mirai virus has earned a name for itself in recent years, especially when its creator made the source code public. Mirai, like Mozi, employs brute-force assaults to infiltrate devices using weak protocols and passwords, such as Telnet.

Many business-critical applications use Linux as one of their core operating systems. Protecting Linux servers, which can be found on-premises as well as in private and public clouds, necessitates a solution that delivers runtime protection and visibility for all Linux hosts, independent of location.

 New Mexico Jail went on Lockdown due to Cyberattack

 

The Metropolitan Detention Center (MDC) in Bernalillo County, New Mexico, went on lockdown five days after the new year. In the wake of a ransomware attack, an Albuquerque jail lost access to its video feeds and its automatic door mechanisms were rendered ineffective. As a result, inmates have been confined to their cells as technicians work to restore service. The jail's internet connection has been knocked out by a ransomware attack, putting most of their data systems, security cameras, and automatic doors inoperable. While MDC personnel worked to get everything back up and running, inmates were confined to their cells. 
 
"Most county buildings are closed to the public," officials said shortly after the incident in a statement. "However, given the circumstances, county personnel are working remotely and will assist the public as much as possible. County system vendors are notified, and are working to resolve the problem and restore system functionality." 

The Metropolitan Detention Center in the state lost access to some of its most important security technologies, such as camera feeds and automated jail doors. For obvious reasons, the county was compelled to lock down the whole jail, confining all of the inmates to the cells for the time being. 

Ransomware is becoming one of the most serious dangers to both commercial companies and government institutions around the world. As more official and commercial businesses are conducted online, ransomware attacks, in which a hacker steals data from the victim or takes control of a computer system until a ransom is paid, are becoming more widespread. 

A township spokeswoman, Tia Bland, said workers had some luck getting MDC cameras to work over the weekend. Officials at the facility expressed optimism that additional progress would be made on Monday. Beginning Monday at 8 a.m., public access to the county headquarters at Alvarado Square will be restricted. Following this, companies and organizations are under a lot of pressure to pay up not only to get the company's data unlocked but also to avoid enraged clientele and authorities who issue severe warnings about giving money to criminals.

WordPress Sites Hacked in Fake Ransomware Attacks

 

A new wave of cyberattacks began late last week, hacking over 300 WordPress sites and displaying fraudulent encryption notifications in an attempt to mislead site owners into paying 0.1 bitcoin for recovery. 

These ransom requests include a countdown timer in order to create a feeling of urgency and perhaps terrify a web administrator into paying the ransom. While the 0.1 bitcoin ($6,069.23) ransom demand is little in contrast to what is seen in high-profile ransomware operations, it may still be a significant sum for many website owners. 

Sucuri, a cybersecurity firm hired by one of the victims to conduct incident response, identified these attacks. The researchers revealed that the websites had not been encrypted, but rather that the threat actors had altered an installed WordPress plugin to show a ransom message and countdown when the page was accessed. 

In addition to presenting a ransom note, the plugin would change the 'post status' of all WordPress blog entries to 'null,' leading them to become unpublished. As a result, the cyber actors developed a simple but strong illusion that gave the impression that the site had been encrypted. 

The site was restored to its usual state after deleting the plugin and running a command to republish the posts and pages. Sucuri discovered that the first place where the actor's IP address showed in the network traffic records was the wp-admin panel. This suggests that the infiltrators gained access to the site as administrators, either by brute-forcing the password or by obtaining stolen credentials from dark web markets. 

This was not an isolated attack, but rather part of a larger campaign, giving legitimacy to the second scenario. Sucuri discovered a plugin called Directorist, which is a tool for creating online company directory listings on websites. 

Sucuri has identified around 291 websites hit by this attack, with a Google search revealing a mix of cleaned-up and still-displaying ransom letters. All of the sites BleepingComputer found in search results utilise the same Bitcoin address, 3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc, which has not received any ransom payments. 

Safeguarding against website encryptions

Sucuri recommends the following security procedures to keep WordPress sites safe from hackers: • Review the site's admin users, delete any fraudulent accounts, and update/change any wp-admin passwords. 
  • Protect the wp-admin administrator page. 
  • Modify the passwords for all other access points (database, FTP, cPanel, etc). 
  • Protect your website using a firewall. 
  • Adhere to dependable backup techniques that will make restoration simple in the event of a genuine encryption incident. 
Because WordPress is frequently targeted by threat actors, it is also critical to ensure that all of your installed plugins are up to date. 

BleepingComputer was notified about a recent fix for the Directorist plugin, which addressed an issue that enabled low-privilege users to run arbitrary code. While Sucuri's analysis does not identify the plugin as an infiltration point, the presence of this vulnerability makes sense in the context of the specific assault. 

This also implies that eradicating the virus and restoring the site would not prevent the attackers from striking again as long as the Directorist plugin is still in an older, vulnerable version.

Ransomware Attacks At An All Time High, Reports Palo Alto

 

Presently, RaaS (ransom as a service) and ransomware attacks are at an all time high, topping the list in cybersecurity community since the last few months, threat actors and hackers are constantly attacking businesses, corporate and emails for personal monetory gains. The BEC (Business Email Compromise), EAC (personal email account compromise) , scams have caused the most threat and impact, as per the cybersecurity reports. 

FBI in its enquiry found that BEC and EAC accounts for a minimum $1.86 billion losses in 2020, that too in the US region only, a 5% jump in losses compared to 2019. EAC and BEC amount for 45% of total reported cybersecurity incidents in the US and 11% of users are over the age of 60. 

A roughly estimate suggests that largest reported ransomware payment till date has been $40 million. Unit 42 reports "when scammers use this tactic, it usually starts with a baited email enticing the recipient to open the attachment or click on the link to a webpage. 

The emails usually focus on some segment of business operations (including finance, human resources, logistics and general office operations) and point to an attachment or link related to topics requiring user action." Experts say that average ransomware demands in 2020 were $847,344, meanwhile, the average ransom that victims paid was $312,493. 

In 2021, the ransom amount paid has risen upto 82% to $570,000. The amount mentioned for average ransom clients paid only includes direct financial losses given in ransoms. They do not include losses related with organization which lost revenue while being compelled to work in a compromised state during a cyberattack, and do not consist resources cost during the incident breach, but only include attacks that are known. The company decides not to report a cybersecurity incident depending upon nature and impact of the ransomware attack. 

In the end, the decision complicates it for federal and cybersecurity agencies to calculate the full impact of these attacks. The EAC and BEC ransomware attacks have one thing in common, they need access privilege to victim's account and networks. 

"The lucrative nature of BEC/EAC scams drives criminals to continually modify and upgrade their tactics to defeat protections. One of the newer techniques integrates spear phishing, custom webpages and the complex cloud single sign-on ecosystem to trick users into unwittingly divulging their credentials," reports Unit 42 of palo alto networks.

Ransomware Attack On Major European Bookseller

 

Recently a ransomware attack targeted a leading book supplier software, the attack interrupted regular functions of thousands of bookstores in Europe including France, Belgium, and the Netherlands. The data stolen may have included not only personally identifiable information but also payment details. 
The ransomware group targeted TiteLive, a French company that provides cloud-based software for book sales and inventory management. Bookstores that have been affected by the ransomware attack included Libris, Aquarius, Donner, Malperthuis, and Atheneum Boekhandels. Additionally, some other clients have also been listed on the company’s website including Paris Libraries, Gallimard, Furet du Nord SciencesPo, and La Pro-Cure. 

In order to prevent the ransomware attack from spreading, TiteLive shut down its IT infrastructure, which resulted in a days-long downtime of MediaLog. Media Log includes processing online orders and shipping, cash sales, and customer relationship functions such as loyalty cards, direct mail, and financial information. 

According to the company’s website, the company offers its primary product to more than 1,000 bookstores. Owing to the disruption, around 130 independent bookshops in the Netherlands, Belgium, and France are largely shut down. Currently, these stores do not have access to billing and inventory data. For now, the form of ransomware that was used in the attack has not been disclosed. 

The group of attackers asked for a huge ransom payment for the encryption which targeted Windows servers run by TiteLive, forcing the company’s products offline. Furthermore, at present, what data may have been stolen is also unclear. However, the company has clarified that it is not going to pay ransom to the malicious actors.

McAfee: Hacking Team Babuk Has Flaws In It's Business Models

 

Recently, ransomware hacking groups have been mostly focusing on Microsoft Windows OS. McAfee researched dedicated Linux and Unix based ransomware, but cross platform ransomware didn't happen. But, hackers are always on the go, McAfee experts recently discovered that from the past few months, many hackers are experimenting with the binary writings in cross-platform script Golang (Go). The worst case scenario was confirmed when Babuk on an underground platform said that it was building a cross-platform focused on ESXi or VMware and Linux/Unix systems. 

Various core backend operating systems in organizations are using the nix operating systems. Besides this, in case of virtualization, wonder about ESXi hosting virtual desktop environment or various servers. McAfee previously wrote a brief blog covering many coding mess ups that Babuk team did while building. McAfee reports "Initially, in our research the entry vector and the complete tactics, techniques and procedures (TTPs) used by the criminals behind Babuk remained unclear. However, when its affiliate recruitment advertisement came online, and given the specific underground meeting place where Babuk posts, defenders can expect similar TTPs with Babuk as with other Ransomware-as-a-Service families." 

Despite Babuk being new to the scene, the group is continuously hacking high profile targets , even though various issues related to binary leading to a stage where files can't be retrieved, even if the transaction was successful. In the end, the problems faced by Babuk developers while creating the ESXi ransomware could've led to change of business model, from extortion to encryption and data theft. To summarise it all, the built and coding of decryption softwares is poorly done, which means that if an organisation is to pay a ransom, the process of files decryption can be delayed without the guarantee that stolen files will be completely retrieved. 

"In its recruitment posting Babuk specifically asks for individuals with pentest skills, so defenders should be on the lookout for traces and behaviors that correlate to open source penetration testing tools like winPEAS, Bloodhound and SharpHound, or hacking frameworks such as CobaltStrike, Metasploit, Empire or Covenant. Also be on the lookout for abnormal behavior of non-malicious tools that have a dual use, such as those that can be used for things like enumeration and execution, (e.g., ADfind, PSExec, PowerShell, etc.) We advise everyone to read our blogs on evidence indicators for a targeted ransomware attack" said McAfee in its blog.

Canadian IoT Solutions Provider, Sierra Wireless Hit by a Ransomware Attack


Sierra Wireless, a Canadian IoT solutions provider said that it has reopened its manufacturing site's production after the company suffered a ransomware attack that breached its internal infrastructure and official website on March 20. When the company came to know about the attack, it called one of the world's best cybersecurity firms "KPMG," to help Sierra Wireless in the investigation and inquiry of the incident.

According to Sierra Wireless, "security is a top priority, and Sierra Wireless is committed to taking all appropriate measures to ensure the highest integrity of all of our systems. As the investigation continues, Sierra Wireless commits to communicating directly to any impacted customers or partners, whom we thank for their patience as we work through this situation." 

Currently, the staff at Sierra Wireless is working on re-installing the company's internal infrastructure, after the corporate website was brought back online. Besides this, the Canadian MNC said that ransomware attacks couldn't breach services and customer-oriented products as the internal systems that were attacked were separated. The company believes that the scope of the attack was limited to Sierra Wireless' corporate website and internal systems, it is confident that the connectivity services and products weren't affected, and the breach couldn't penetrate the systems during the incident. 

As of now, the company isn't expected to issue any firmware or software security updates or product security patches, which are generally required after the ransomware attack. The company hasn't disclosed the ransomware operator behind the attack, it has also not specified what data was stolen from the incident before the encryption could happen. 

The attack happened in March, after that the company took back its Q1 guidance. A company spokesperson said that Sierra wireless won't reveal any further information regarding the attack as per the company protocol, because the data involved is highly confidential and sensitive. Bleeping Computer reports, "Siera Wireless' products (including wireless modems, routers, and gateways) sold directly to OEMs are being used in IoT devices and other electronic devices such as smartphones, and an extensive array of industries." Stay updated for more news.

Data Analytics Agency Polecat Held To Ransom After Server Exposed 30TB Of Records

 


On October 29, 2020, the Wizcase CyberResearch Team which was lead by Ata Hakcil has discovered that the server ‘Elasticsearch’ which is being owned by Polecat company, displayed about 30TB of record data on the website without any authentication required to access the records or any other form of encryption in place. 

A UK-based data agency ‘Polecat’ that provides “a combination of advanced data analytics and human expertise, [to help] the world’s largest organizations achieve reputation, risk, and ESG (environmental, social, and governance) management success” its official website reads. 

Researchers team had found records dating back to 2007 containing important information including employees’ usernames and passwords, social media records, around 6.5 billion tweets, and around one billion posts that generated from independent websites and blogs. 

Polecat’s cyber research team ‘Chase Williams’ has reported its discovery in a blog post which has been published on First March of 2021. 

The public information collected by the Polecat organization is gleaned on a foundation of daily happening events including subjects such as Covid-19, politicians, firearms, racism, and healthcare. Polecat was warned by the Wizcase research team about the data ransom on October 30 and the first of November 2020. Nevertheless, it just takes some seconds for an open unsecured server or bucket to be traced and exploited by malicious actors – and this took place a day after the researcher’s findings. 

“On October 30, a Meow attack was launched against the database. Meow attacks replace database indexes with the suffix ‘gg-meow’, leading to the destruction of swathes of data” Wizcase said. 

Additionally, it added “approximately half of the firm’s records were wiped, and then in a second wave a further few terabytes of information were deleted. At this point, roughly 4TB remained in the server. Most of these records were then destroyed and a ransom note was spotted by the researchers that demanded 0.04 Bitcoin (BTC) – roughly $550 at the time – in return for the files’ recovery”. 

Wizcase research team has warned against these types of scams by saying that it is very essential to note that these types of cyberattacks are usually automated and sent to many unprotected open databases.