
FBI and Allies Dismantle Dispossessor Ransomware Network

 

The FBI announced on Monday that it has taken down the servers and websites used by the Radar/Dispossessor ransomware group. This action was part of a global investigation involving the U.K.'s National Crime Agency, the Bamberg Public Prosecutor's Office, and the Bavarian State Criminal Police Office (BLKA). Law enforcement agencies seized several servers and websites, including three in the U.S., three in the U.K., 18 in Germany, and nine domains, some of which included radar[.]tld, dispossessor[.]com, and cybertube[.]video. These sites were used by the group to carry out their attacks. 

Since August 2023, the Dispossessor group, led by a hacker known as "Brain," has been targeting small to mid-sized businesses around the world. The FBI identified 43 victims across various countries, including the U.S., Argentina, Australia, India, and Germany. 

The ransomware gang gained access to company networks by exploiting security weaknesses such as outdated software, weak passwords, and a lack of multi-factor authentication. Once inside, they stole data and then deployed ransomware to lock the companies out of their own systems by encrypting their files.
If a company did not contact them, the criminals would reach out to other people in the organization to pressure it into paying, sometimes sharing the stolen files through fake video platforms. The FBI is urging past victims, or anyone targeted by this group, to share any information they have by contacting the Internet Crime Complaint Center or calling 1-800-CALL-FBI.

When Dispossessor first appeared, they acted as an extortion group, reposting old data stolen during previous ransomware attacks by a group called LockBit. They claimed to be affiliates of LockBit and even tried to sell stolen data on hacking forums. 

As of June 2024, Dispossessor began using a ransomware tool leaked from LockBit 3.0 to carry out their own attacks. In the past year, law enforcement has been actively cracking down on various cybercrimes, including cryptocurrency scams, malware development, phishing attacks, and other ransomware operations. They have also targeted and disrupted other ransomware groups like ALPHV/Blackcat, LockerGoga, MegaCortex, and Hive.

Healthcare in Crosshairs: ALPHV/Blackcat Ransomware Threat Escalates, FBI Issues Warning

 

In a joint advisory, the FBI, CISA, and HHS have issued a stark warning to healthcare organizations in the United States about the heightened risk of targeted ALPHV/Blackcat ransomware attacks. This cautionary announcement follows a series of alerts dating back to April 2022 and underscores the severity of the threat posed by the BlackCat cybercrime gang, suspected to be a rebrand of infamous ransomware groups DarkSide and BlackMatter. 

The advisory highlights that ALPHV Blackcat affiliates have shown a notable focus on the healthcare sector. The FBI, in particular, has linked BlackCat to over 60 breaches within its first four months of activity, accumulating a staggering $300 million in ransoms from over 1,000 victims up until September 2023. Recent developments indicate a shift in BlackCat's targeting strategy, with the healthcare sector becoming a prime victim since mid-December 2023. This shift aligns with an administrator's call for affiliates to target hospitals following operational actions against the group and its infrastructure earlier that month. 

Notably, the warning coincides with a cyberattack on UnitedHealth Group subsidiary Optum, affecting Change Healthcare, a crucial payment exchange platform in the U.S. healthcare system. Although not confirmed, the attack has been linked to the BlackCat ransomware group, and sources suggest the threat actors exploited the ScreenConnect auth bypass vulnerability (CVE-2024-1709) for initial access. 

The joint advisory emphasizes the critical need for healthcare organizations, considered part of the nation's critical infrastructure, to implement robust mitigation measures against Blackcat ransomware and data extortion incidents. Authorities urge these entities to bolster cybersecurity safeguards, specifically tailored to counteract prevalent tactics, techniques, and procedures commonly employed in the Healthcare and Public Health (HPH) sector. This development underscores the evolving nature of cyber threats, especially within the healthcare landscape, and the necessity for proactive measures to safeguard sensitive patient data and critical infrastructure. 

The FBI, CISA, and HHS have shared indicators of compromise to assist organizations in identifying potential threats, emphasizing the importance of collaboration to combat the persistent and evolving threat posed by ransomware groups like BlackCat. As the healthcare sector grapples with escalating cyber risks, the advisory serves as a stark reminder of the urgent need for comprehensive cybersecurity measures, including timely patching of vulnerabilities and robust incident response plans. Organizations are encouraged to stay vigilant, collaborate with cybersecurity agencies, and prioritize the security of their networks and systems to mitigate the impact of ransomware attacks. 

The U.S. State Department's substantial rewards for information leading to the identification or location of BlackCat gang leaders underscore the severity of the threat and the government's commitment to dismantling these cybercriminal operations. In this high-stakes environment, the healthcare industry must remain resilient, continually adapting to emerging threats, and fortifying its defenses against ransomware attacks.

ConnectWise ScreenConnect Vulnerability: Navigating the Breach Risk

 

ConnectWise ScreenConnect, a widely used remote access product, is affected by a critical vulnerability that could expose sensitive data and allow the deployment of malicious code. Described as an authentication bypass flaw, the vulnerability poses a significant risk to the more than a million small to medium-sized businesses that rely on ConnectWise's remote access technology.

The flaw was initially reported to ConnectWise on February 13, with the company publicly disclosing details on February 19. The vulnerability enables attackers to bypass authentication, potentially leading to the remote theft of confidential data or the injection of malware into vulnerable servers. While ConnectWise initially stated there was no indication of public exploitation, recent updates confirm compromised accounts and active exploitation. 

ConnectWise has not disclosed the exact number of affected customers, but it has seen "limited reports" of suspected intrusions. Approximately 80% of customer environments are cloud-based and were automatically patched within 48 hours. However, concerns persist, with cybersecurity firm Huntress reporting active exploitation and signs of threat actors moving towards more targeted post-exploitation and persistence mechanisms. 

ConnectWise spokesperson Amanda Lee declined to comment on the number of affected customers but emphasized that there has been no reported data exfiltration. However, the situation is serious, with cybersecurity experts warning of potential widespread ransomware attacks given the extensive reach of ConnectWise's software. Florida-based ConnectWise provides remote access technology to more than a million small to medium-sized businesses. 

The vulnerability, actively exploited by threat actors, poses a significant risk to the security of these businesses. Cybersecurity company Huntress reported early signs of threat actors deploying Cobalt Strike beacons and installing a ScreenConnect client onto affected servers. ConnectWise has released patches for the actively exploited vulnerability and is urging on-premise ScreenConnect users to apply the fix immediately. 

Additionally, the company has addressed another vulnerability affecting its remote desktop software, for which there is no evidence of exploitation. The incident comes in the wake of warnings from U.S. government agencies. These agencies observed a "widespread cyber campaign" involving the malicious use of legitimate remote monitoring and management (RMM) software, including ConnectWise SecureConnect. 

The current vulnerability adds to concerns about the security of remote access solutions, following recent incidents involving AnyDesk, which had to reset passwords and revoke certificates due to evidence of compromised production systems. ConnectWise is actively working to address the vulnerability, but the situation remains critical. 

The potential for a large-scale ransomware free-for-all underscores the importance of swift action and heightened cybersecurity measures to protect businesses from the evolving threat landscape. Businesses relying on remote access solutions must prioritize security to mitigate the risks associated with vulnerabilities in widely-used software platforms.

Exploring the Spike in Data Breaches in 2023

 

In 2023, there has been a significant surge in data breaches, raising concerns globally. The upswing in cyber incidents can be attributed to various factors, reflecting the intricate dynamics of our digital age. 

Firstly, the rapid pace of digital transformation across industries has created an expansive attack surface. The interconnected systems, cloud services, and IoT devices have inadvertently provided cyber criminals with more opportunities to exploit vulnerabilities. 

Coupled with this, the sophistication of cyber threats has increased. Threat actors are now utilizing advanced techniques such as ransomware, zero-day exploits, and social engineering tactics, outpacing traditional cybersecurity measures. 

Many organizations still grapple with inadequate cybersecurity postures. The failure to implement robust security measures, conduct regular updates, and provide comprehensive employee training leaves entities vulnerable to a wide array of cyber attacks. 

The vulnerabilities within supply chains have also become apparent. Cybercriminals often exploit weak links in supply chains, targeting smaller partners or third-party vendors with less stringent cybersecurity measures as gateways to larger targets. 

Insider threats, whether intentional or unintentional, are significant contributors to data breaches. Employees with access to sensitive information may inadvertently compromise data security through human error, or malicious insiders may intentionally exploit their positions for personal gain. 

Despite the growing awareness of cybersecurity threats, some organizations continue to underinvest in cybersecurity measures. Limited budgets, competing priorities, and a lack of cybersecurity awareness at the executive level can result in insufficient resources being allocated to protect against evolving cyber threats. 

Ransomware attacks have become more prevalent and sophisticated. The profitability of ransomware attacks, coupled with the difficulty of tracing cryptocurrency payments, incentivizes cybercriminals to target a wide range of organizations, from small businesses to critical infrastructure. 

Global geopolitical tensions can spill over into cyberspace, leading to an increase in state-sponsored cyber attacks. Nation-state actors may engage in cyber espionage, targeting critical infrastructure, government institutions, or private businesses, contributing to the overall spike in data breaches. 

In some cases, lax regulatory compliance and enforcement contribute to the rise in data breaches. Organizations may neglect to implement necessary security measures or fail to report breaches promptly due to lenient regulatory frameworks. 

The surge in data breaches in 2023 is a complex issue with multiple contributing factors. Addressing this challenge requires a comprehensive and proactive approach to cybersecurity that considers technological, human, and systemic vulnerabilities. As organizations and governments grapple with these multifaceted issues, the need for strengthened cybersecurity measures, improved regulatory frameworks, and heightened global cooperation becomes increasingly evident.

Uncovered: Clop Ransomware's Lengthy Zero-Day Testing on the MOVEit Platform

 


Security experts have uncovered evidence that the notorious Clop ransomware group spent extensive time testing zero-day vulnerabilities on the popular MOVEit platform as far back as 2021, according to recent reports. The findings have raised serious concerns about how exposed organizations' systems are, and affected organizations and security agencies have taken urgent action to close these vulnerabilities. The discovery underscores that ransomware attacks are becoming increasingly sophisticated, and that robust defensive measures against a range of cyber threats are critical.

Authorities and the parties affected by the breach are now working closely together to investigate the incident and develop appropriate countermeasures.

An examination of a recent Clop data theft attack on vulnerable MOVEit Transfer instances found that the technique used by the group to deploy the recently revealed LemurLoot web shell matched the technique the gang had used earlier against vulnerable MOVEit Transfer instances. Using logs from some affected clients' networks, investigators determined which clients were affected.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory on the active exploitation of a recently discovered critical vulnerability in Progress Software's MOVEit Transfer application, which threat actors are using to drop ransomware.

Kroll researchers performed a forensic review of activity carried out by the Clop cybergang in July 2021 and determined that the group may have been experimenting with the now-patched file transfer vulnerability (CVE-2023-34362) as early as that month.

The BBC, British Airways, Boots (a UK drugstore chain), the Halifax provincial government and the payroll company Zellis are among the organizations that have reported their data was exfiltrated by the group at the end of last month. Three organizations that used Zellis' services to store employee data, Vodafone, the BBC, and Boots, suffered breaches of employee data.

The Russian-backed Clop organization, also known as Lace Tempest, TA505, and FIN11, has claimed responsibility for attacks that exploited a zero-day vulnerability in Fortra's GoAnywhere Managed File Transfer solution. Over 130 organizations were targeted and over one million patients' data was compromised as a result.

In a joint advisory issued by the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency, the exploitation of the MOVEit Transfer SQL injection vulnerability on Wednesday was reported to be similar to a 2020-21 campaign in which the group installed a DEWMODE web shell on Accellion FTA servers.

It has also been discovered that threat actors were testing methods for gathering and extracting sensitive data from compromised MOVEit Transfer servers as far back as April 2022. These methods probably relied on automated tools and may have been used to gain access to servers.

In addition to the 2022 activity, in the weeks leading up to last month's attacks the actors appear to have tested access to organizations by automated means and pulled information back from MOVEit Transfer servers. They also used the information obtained from those servers to determine which organizations they were accessing.

During the malicious activity, it appeared that specific MOVEit Transfer users' Organization IDs ("Org IDs") were being exfiltrated, which in turn would have allowed Clop to determine which organizations to access. 

Clop has claimed responsibility for the MOVEit attacks on its website and has invited victims to contact it by July 14 if they do not want their names posted on the site. Because paying a ransom would not guarantee that the stolen data remains secure, it is worth noting that the group has already published examples of exfiltrated data, including data released publicly when a ransom negotiation did not resolve.

In a LinkedIn post, Charles Carmakal, CEO of Mandiant Consulting, expressed surprise at the number of victims the MOVEit campaign has produced, characterizing it as "overwhelming."

Dish Network Blames Ransomware for Ongoing Outage

Dish, a satellite television provider in the United States, has confirmed that a ransomware attack is responsible for an ongoing service outage. The company also warned that the malicious actors have also exfiltrated data from its systems during the breach. 

The outage, which has persisted for several days and was initially attributed to "internal systems issues," affects Dish's primary website, mobile applications, customer support systems, as well as the firm's Sling TV streaming and wireless services. 

The threat actors behind the breach compromised the company’s internal systems. “It is possible the investigation will reveal that the extracted data includes personal information,” Dish says. 

In a public filing released on Tuesday, the company acknowledged that the cause of the outage was a cybersecurity incident. The company has informed law enforcement authorities about the situation. 

However, as of now, the company reported that the effects of the attack continue to disrupt its “internal communications, customer call centers, and internet sites.” 

Additionally, the company has provided some details on how they are managing the situation. They are working to manage and contain the effects of the attack, assess the extent of the damage, and address any issues caused by the attack.

The company is also worried about the attack's potential impact on its employees, customers, business, financials, and operations. Following the matter, the company further reported that the threat actors have stolen some data from their computer systems, which could include personal credentials. 

Presently, it remains uncertain whether this data belongs to Dish's customers, employees, or both, and the extent of the data theft is also unknown. Dish has a big network, it serves 10 million customers through its satellite TV, streaming, and other services. 

The company on its website reported that "as a result of this incident, many of our customers are having trouble reaching our service desks, accessing their accounts, and making payments. We're making progress on the customer service front every day, including ramping up our call capacity, but it will take a little time before things are fully restored."

The company stated that they are still evaluating the damage caused by the cyber-attack. However, their services, including Dish, Sling, and wireless and data networks, are running without issues.

Finland’s Most-Wanted Hacker Nabbed in France

Julius "Zeekill" Kivimäki, a 25-year-old Finnish man who was apprehended on Friday by French police, is suspected of breaching the patient records of more than 33,000 psychotherapy clients and leaking the therapy notes of more than 22,000 patients online in Finland.

Zeekill is a well-known cybercriminal who has been convicted of tens of thousands of cybercrimes. According to Finland's National Bureau of Investigation, he had been running from police since October 2022, when he failed to show up in court and Finland issued an international arrest warrant for him.

According to the officials, in late October 2022, Kivimäki was charged and arrested in absentia for attempting to extort money from the Vastaamo Psychotherapy Center. The NBI announced in November that the Helsinki District Court remanded Kivimäki in absentia last October and he was also added to Europol's "most wanted" list.  

However, he denied being involved in Vastaamo's data breach. Additionally, the National Bureau of Investigation (NBI) said that the Finnish officials are working and investigating closely with their French counterparts about Kivimäki's extradition.  

Vastaamo suffered major data breaches in November 2018 and March 2019, in which the sensitive information of around 30,000 patients was compromised; money was then extorted from the victim organization as well as its clients.

When Vastaamo refused to pay the ransom, the threat actor started sending threatening emails to targeted individuals, offering to withhold publication of their therapy notes unless a ransom of 500 euros was paid. Nevertheless, the hacker had little success with this scheme.

“Among those who grabbed a copy of the database was Antti Kurittu, a team lead at Nixu Corporation and a former criminal investigator. In 2013, Kurittu worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP)...,” Kurittu said. “…It was a huge opsec [operational security] fail, because they had a lot of stuff in there — including the user’s private SSH folder and a lot of known hosts that we could take a very good look at declining to discuss specifics of the evidence investigators seized. There were also other projects and databases.” 

MegaCortex Ransomware Attack: Victims Can Now Restore Stolen Files For Free


Cybersecurity company, Bitdefender, has launched a new tool that would help victims of MegaCortex ransomware unlock their files, offering a sigh of relief to those whose files had been locked for years following the cyberattack.  

MegaCortex Ransomware

The MegaCortex ransomware first came to light in January 2019. It had several notable characteristics, such as the use of signed executables as part of the payload, and its developer additionally offered security consulting services.

The ransomware used both automated and manual components in order to attack as many targeted victims as possible. 

Moreover, MegaCortex ransomware may be employing networks that have already been infiltrated in an initial attack using Emotet and Qakbot malware to target businesses rather than individual consumers. 

According to The Malware Wiki, MegaCortex used AES encryption to encrypt user files. The only way to regain access to protected data is through a private key, which victims would need to buy from the hackers, according to a readme file that came with infections. 

The MegaCortex ransomware was capable of information theft and file encryption as well as rendering systems unusable. According to an estimate by TechCrunch, MegaCortex may have infected as many as 1,800 companies around the globe, including a number of "high profile" targets, although it has been indicated that the true figure is likely far higher.

Later, in October 2021, law enforcement detained 12 suspects believed to be involved in more than 1,800 ransomware attacks across 71 different nations. According to TechCrunch, police spent months searching through the data gathered during the arrests and ultimately discovered individual decryption keys, which were used to produce and distribute a tool in September of last year to decrypt files encrypted by the LockerGoga ransomware.

Free Decryptor Built by Bitdefender 

The free decryptor is being deployed by Bitdefender and the EU’s initiative ‘No More Ransom’ in cooperation with the Zürich Cantonal Police, the Zürich Public Prosecutor’s Office, and Europol. 

The authorities announced in September that 12 culprits have been detained in connection with the Dharma, LockerGoga, and MegaCortex ransomware families. 

The arrests at the time, according to a statement from Zürich's prosecutor, enabled investigators to collect numerous private keys used by the ransomware gang, which would allow victims to restore data that had previously been encrypted by the LockerGoga or MegaCortex malware. A decryptor for LockerGoga was made available by Bitdefender last year.

The cybersecurity company has recently confirmed that the free MegaCortex decryptor is now being made available. The tool will work to unlock files that were encrypted by MegaCortex ransomware and all its variants. It is available to download from Bitdefender and through No More Ransom’s decryption tools portal, which is, in fact, home to 136 other free tools for 165 ransomware variants such as Babuk, DarkSide, Gandcrab, and REvil.