Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Ransomware Gang. Show all posts
Ransomware Gang
Armenia Cyber Security Azure Azure Storage Data Theft Ransomware Gang

Ransomware Outfits Are Exploiting Microsoft Azure Tool For Data Theft

 

Ransomware gangs like BianLian and Rhysida are increasingly using Microsoft's Azure Storage Explorer and AzCopy to steal data from compromised networks and store it in Azure Blob Storage. Storage Explorer is a graphical management tool for Microsoft Azure, whereas AzCopy is a command-line utility for large-scale data transfers to and from Azure storage. 

The stolen data in these attacks is thereafter kept in an Azure Blob container in the cloud, where threat actors can subsequently move it to their own storage, according to cybersecurity firm modePUSH's observations. 

However, the researchers observed that the perpetrators had to do additional work to make Azure Storage Explorer operate, such as installing prerequisites and upgrading.NET to version 8. This reflects the growing emphasis on data theft in ransomware operations, which is the primary leverage for threat actors in the subsequent extortion phase. 

Why Azure?

Though each ransomware gang has a unique set of exfiltration tools, they often use Rclone for syncing data with various cloud providers and MEGAsync for syncing with the MEGA cloud. 

Furthermore, Azure's scalability and efficiency, which allow it to manage massive volumes of unstructured data, are extremely useful when attackers want to exfiltrate large numbers of files in the least amount of time. 

ModePUSH claims to have noticed ransomware attackers employing numerous instances of Azure Storage Explorer to upload data to a blob container, hence speeding up the process. 

Uncovering ransomware exfiltration

The researchers discovered that the threat actors set the default 'Info' level logging while using Storage Explorer and AzCopy, which generates a log file at%USERPROFILE%\.azcopy. 

This log file is especially useful for incident responders since it contains information on file actions, allowing investigators to rapidly determine which data was stolen (UPLOADSUCCESSFUL) and which payloads were potentially injected (DOWNLOADSUCCESSFUL). 

Defence strategies include establishing alarms for odd patterns in file copying or access on crucial systems, monitoring for AzCopy execution, and tracking outbound network traffic to Azure Blob Storage endpoints at ".blob.core.windows.net" or Azure IP ranges. 

If an organisation already uses Azure, it is advised to use the 'Logout on Exit' feature, which will log users out automatically when they close the program, to stop hackers from stealing files with an ongoing session.
Read more »
Ticketmaster data breach
BreachForums cybercriminal group Data Breach NC5537 Ransomware Gang Santander Bank data theft Scattered Spider ShinyHunters Ticketmaster data breach

Cybercriminal Group UNC5537 Strikes with Major Data Breaches

 

In recent weeks, the cybercriminal group UNC5537 has made significant waves. This ransomware gang, potentially linked to ShinyHunters or Scattered Spider, stole over 560 million customer records from Ticketmaster. On May 28, they listed this data for sale on their revamped leak site, BreachForums, with a price tag of $500,000. Just two days later, the group claimed to have obtained 30 million account records from Santander Bank in Spain, demanding $2 million for the data. Both companies confirmed the breaches after these announcements.

A June 10 analysis by Mandiant, an incident-response firm now part of Google, revealed that these data leaks, along with at least 163 other breaches, were not due to system vulnerabilities but rather the exploitation of stolen credentials and inadequate multifactor authentication (MFA) controls. According to Mandiant, no evidence indicates that the breaches stemmed from Snowflake's enterprise environment. Instead, all incidents are traced back to compromised customer credentials.

While implementing MFA could have prevented the data theft from Snowflake's systems, the companies involved have broader issues beyond this single control. Businesses must ensure visibility into their attack surfaces, promptly disable accounts of former employees and contractors, and minimize entry points for attackers. Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest, emphasizes that attackers often exploit basic security lapses. "Targeting the low-hanging fruit — in this case, insecure credentials — can be achieved with little effort from the threat actor but provides ample opportunities," he notes.

Key Lessons from Recent Cloud Breaches

1. Start With MFA and Then Go Beyond

There is significant room for improvement in MFA adoption. Despite reports showing that 64% of workers and 90% of administrators use MFA, over 60% of organizations still have at least one root user or administrator without MFA enabled. According to Ofer Maor, co-founder and CTO at Mitiga, achieving consistent and verifiable MFA implementation is crucial. He suggests that companies enforce and require MFA, disable non-SSO logins, and enhance security measures with device- or hardware-based authentication for sensitive infrastructure.

2. Use Access Control Lists to Limit Authorized IP Addresses

Organizations should implement access control lists (ACLs) to restrict user access to cloud services or at least review access logs daily for anomalies. Jake Williams, a faculty analyst at IANS Research, recommends restricting IP addresses for cloud infrastructure access and emphasizes the importance of access reviews to identify unexpected access points.

3. Maximize Visibility Into Cloud Services

Continuous monitoring of applications, log data, access activity, and data aggregation services is essential for detecting and preventing attacks. Organizations need to alert on specific behaviors or threats, which could have identified the cybercriminals' attempts to access cloud data, says Brian Soby, CTO and co-founder at AppOmni.

4. Don't Rely on Your Cloud Providers' Defaults

Cloud providers often prioritize usability over security, so relying solely on their default settings can be risky. For example, Snowflake's default settings do not require MFA, making it easier for attackers with compromised credentials to gain full access. Companies must go beyond these defaults and enforce higher security standards.

5. Check Your Third Parties

Even if a company does not directly use Snowflake or another cloud service, third-party providers might, exposing their data to risk. Ensuring that all service providers handling company data follow proper security measures is essential, as highlighted by IANS Research's Williams. Reaching out to service providers to confirm their security practices is crucial in protecting data in today's complex supply chain environment.
Read more »
US Department Of Justice
Cyber Crime LockBit Ransomware Gang US Court US Department Of Justice

US Authorities Charge LockBit Ransomware Ringleader

 

US officials have uncovered and indicted the ringleader of LockBit, a widespread ransomware operation that has extorted victims out of half a billion dollars. He is facing over two dozen criminal charges. 

According to a 26-count indictment released on Tuesday, Dmitry Khoroshev, 31, served as LockBit's "developer and administrator," overseeing code development and recruiting affiliates to execute the ransomware on its victims. The alleged cybercriminal got 20% of each ransom payment for his role in the operation, totaling $100 million in cryptocurrency over four years, the US Justice Department noted.

“Today’s indictment…continues the FBI’s ongoing disruption of the BlockBit criminal ecosystem,” FBI Director Christopher Wray noted in the statement. 

Since its founding in 2019, LockBit has allegedly defrauded at least 2,500 individuals across more than 120 countries of at least $500 million in extortion. The U.S. Justice Department noted in its statement that it is also accountable for several billions of dollars' worth of "broader losses" linked to lost profits, incident responses, and ransom recoveries. 

In the indictment, US investigators demanded that Khoroshev surrender his $100 million share of the ill-gotten gains. Meanwhile, the UK, United States, and Australia have sanctioned the mastermind, freezing his assets and prohibiting him from travelling. The US State Department is offering a $10 million prize for information that leads to Khoroshev's capture. The latest charge comes several months after authorities took steps to shut down the ransomware operation. In February, international law enforcement confiscated LockBit's infrastructure, thereby halting operations. Around the same time, US authorities prosecuted two Russian cybercriminals using Lockbit ransomware to target a number of businesses and organisations. 

LockBit's rebuild issue 

The group's attempt to rebuild over the last few months looks to be failing, with the gang still operating at a low capacity and its new leak site being used to publicise victims targeted prior to the takedown, as well as to claim credit for the crimes of others. 

According to the NCA's most recent data, the frequency of monthly LockBit assaults in the UK has decreased by 73% since late February, and those that do occur are carried out by less sophisticated attackers with far lower impact. 

“Since Operation Cronos took disruptive action, LockBit has been battling to reassert its dominance and, most importantly, its credibility within the cyber criminal community,” stated Don Smith, vice-president of SecureWorks’ Counter Threat Unit.
Read more »
United States
Cyber Attacks Data Privacy Healthcare Breach Ransomware Gang United States

BlackCat Ransomware Linked to UnitedHealth Subsidiary Optum Hack

 

A cyberattack against Optum, a UnitedHealth Group company, was linked to the BlackCat ransomware gang and resulted in an ongoing outage that impacted the Change Healthcare payment exchange platform. 

Customers were notified by Change Healthcare earlier this week that due to a cybersecurity incident, some of its services are unavailable. The cyberattack was orchestrated by alleged "nation-state" hackers who gained access to Change Healthcare's IT systems, according to a statement made by UnitedHealth Group in an SEC 8-K filing a day later. 

Since then, Optum has been posting daily incident updates on a dedicated status page, alerting users to the fact that most services are temporarily unavailable due to Change Healthcare's systems being offline to contain the breach and prevent future damage. 

"We have a high level of confidence that Optum, UnitedHealthcare and UnitedHealth Group systems have not been affected by this issue," Optum stated. "We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online.” 

Links to BlackCat 

Change Healthcare has been holding Zoom calls with partners in the healthcare sector to share information regarding the cyberattack since it affected its systems

One of the individuals involved in these calls informed a local media source that forensic experts participating in the incident response had linked the attack to the BlackCat (ALPHV) ransomware gang (Reuters first reported the Blackcat link on Monday).

Last week, another source informed BleepingComputer that one indicator of attack is a critical ScreenConnect auth bypass vulnerability (CVE-2024-1709), which is being actively used in ransomware attacks against unpatched servers. 

Tyler Mason, vice president of UnitedHealth Group, stated that 90% of the impacted pharmacies had put new electronic claim procedures in place to deal with Change Healthcare issues, but he did not confirm if BlackCat was the root of the attack. 

"We estimate more than 90% of the nation’s 70,000+ pharmacies have modified electronic claim processing to mitigate impacts from the Change Healthcare cyber security issue; the remainder have offline processing workarounds," Mason stated. "Both Optum Rx and UnitedHealthcare are seeing minimal reports, including less than 100 out of more than 65 million PBM members not being able to get their prescriptions. Those patients have been immediately escalated and we have no reports of continuity of care issues.” 

8,000 hospitals and other care facilities, as well as more than 1.6 million doctors and other healthcare professionals, are under contract with United Health Group (UHG), a health insurance provider with operations in all 50 states of the United States. With 440,000 employees globally, UHG is the largest healthcare corporation in the world by sales ($324.2 billion in 2022).
Read more »
Threat Intelligence
Cyber Security Global Operations Law Enforcement Agencies Ransomware Gang Threat Intelligence

UK Led Global Operations Disrupt LockBit's Criminal Network

 

One of the most notorious cybercrime organisations in the world has been hit by an unprecedented police operation involving the arrest and indictment of members of the Lockbit ransomware group by the FBI and Britain's National Crime Agency. 

The United States has charged two Russian citizens with deploying Lockbit ransomware against organisations and companies across the globe. Police in Poland and Ukraine made two arrests. 

The disruption of a criminal network, which has targeted over 2,000 victims globally, accepted over $120 million in ransom payments, and demanded hundreds of millions of dollars, was announced by the NCA, FBI, Europol, and U.S. Department of Justice at a meeting in London. 

Britain's National Crime Agency Cyber Division, in collaboration with the U.S. Department of Justice, the Federal Bureau of Investigation, and other law enforcement agencies seized control of websites used by Lockbit the gang and U.S. and British authorities said. The law enforcement agencies also went over and beyond by releasing internal data about the group through Lockbit's own website. 

“We have hacked the hackers," Graeme Biggar, director general of the National Crime Agency, told journalists. "We have taken control of their infrastructure, seized their source code and obtained keys that will help victims decrypt their systems.” 

The takedown, dubbed “Operation Cronos” was an international coalition of 10 countries, he added. “Together, we have arrested, indicted or sanctioned some of the perpetrators and we have gained unprecedented and comprehensive access to Lockbit’s systems”. 

Billions in damages 

Ransomware is malicious software that encrypts data; Lockbit and its affiliates profit by coercing victims into paying a ransom to decrypt or unlock that data using a digital key. In recent months, some of the world's largest organisations have been targeted by the gang's digital extortion tools.

Its affiliates are like-minded criminal groups that Lockbit recruits to carry out attacks with those tools. Those affiliates carry out the attacks and pay Lockbit a portion of the ransom, which is typically sought in cryptocurrency, making it difficult to track. 

Operation Cronos confiscated 34 of Lockbit's computers, detained two gang members, frozen 200 cryptocurrency accounts, and shuttered 14,000 "rouge accounts" used online to launch Lockbit's operations, the officials said. 

Lockbit has caused monetary losses totaling billions, the NCA's Biggar stated, to businesses who not only had to pay ransom payments, but also had to shoulder the cost of getting their systems back online. 

Before it was disrupted, Lockbit's website displayed an ever-growing gallery of victim organisations that was updated nearly daily. Next to their names were digital clocks that showed the number of days left to the deadline given to each organisation to provide ransom payment.
Read more »
Vulnerabilities and Exploits
Antivirus System BYOVD Attack Ransomware Ransomware Gang Vulnerabilities and Exploits

Kasseika Ransomware Employs AntiVirus Driver to Disarm Other Antiviruses

 

Kasseika, a ransomware gang, has become the latest to leverage the Bring Your Own Vulnerable Driver (BYOVD) assault to disable security-related processes on compromised Windows hosts, following groups such as Akira, AvosLocker, BlackByte, and RobbinHood. 

Trend Micro claimed in a research that the technique enables "threat actors to terminate antivirus processes and services in order to deploy ransomware." 

Kasseika, identified by the cybersecurity firm in mid-December 2023, shares similarities with the now-defunct BlackMatter, which formed following DarkSide's disintegration. 

Given that the source code of BlackMatter was never made public after its demise in November 2021, there is evidence to imply that the ransomware strain may have been created by an experienced threat actor who purchased or secured access to the code. 

Modus operandi 

Kasseika attack chains begin with phishing emails to gain access, then drop remote administration tools (RATs) to escalate privileges and propagate across the target network. 

The threat actors have been spotted employing Microsoft's Sysinternals PsExec command-line tool to run a malicious batch script. The script searches for a process called "Martini.exe" and ends it if it is located, thereby guaranteeing the process is only running on one machine. 

The executable's primary task is to disable 991 security tools by downloading and executing the "Martini.sys" driver from a remote server. It is important to note that "viragt64.sys," an authentic signed driver, has been placed on Microsoft's vulnerable driver blocklist and is known as "Martini.sys.” 

The researchers noted that "if Martini.sys does not exist, the malware will terminate itself and not proceed with its intended routine," highlighting the vital role that the driver plays in defence evasion.

After that, "Martini.exe" starts the ransomware payload ("smartscreen_protected.exe"), which uses the RSA and ChaCha20 algorithms to encrypt data. However, not before it terminates all services and processes that are attempting to reach Windows Restart Manager. 

The computer's wallpaper is subsequently modified to display a note requesting a 50 bitcoin payment to a wallet address within 72 hours, or risk paying an additional $500,000 every 24 hours once the deadline elapses. A ransom note is then dumped in every directory that has been encrypted. 

Furthermore, in order to acquire a decryptor, victims are required to send a screenshot of their successful payment to a Telegram channel that is managed by attackers. The Kasseika ransomware also has additional tricks up its sleeve, such as wiping traces of activity from the system's event logs using the wevtutil.exe component.

"The command wevutil.exe efficiently clears the Application, Security, and System event logs on the Windows system," the researchers concluded. "This technique is used to operate discreetly, making it more challenging for security tools to identify and respond to malicious activities.”
Read more »
Ransomware Gang
Cyber Crime Data Leak Extortion Threat Food Vendors LockBit Ransomware Gang

LockBit Ransomware Outfit Claims Subway as its Latest Victim

 

Due to an alleged ransomware attack by the notorious LockBit ransomware gang, the multinational fast-food restaurant giant Subway is facing a potential PR nightmare. Reports suggest Subway’s systems were exploited by the LockBit gang, known for its aggressive modus operandi. 

After the LockBit ransomware organisation claimed to have breached Subway's internal SUBS systems and stolen an abundance of data, the firm launched an investigation. The ransomware-as-a-service provider listed the company on its data leak website, claiming that one of its affiliates took gigabytes of critical details. 

LockBit indicated that they are allowing the company some time to preserve the data, "which includes hundreds of gigabytes of data and all financial of the franchise, including employee salaries, franchise royalty payments, master franchise commission payments, restaurant turnovers, etc." If they do not, the notorious outfit plans to sell it to competitors.

The message was posted on January 21, and the criminals gave Subway till February 2 to pay the extortion. However, Subway's spokesperson states that the company is still investigating the hackers' claims. 

For your information, LockBit is one of the most active ransomware groups, having targeted thousands of organisations. The US authorities claimed in June 2023 that the LockBit gang had targeted 1,700 companies in the US since 2020, collecting more than $90 million in ransom. 

Many people were surprised to learn that Subway was unaware of the ransomware attack. However, this is not surprising given that hackers are increasingly focusing on data theft rather than ransomware encryption, since developing, creating, maintaining, and delivering ransomware has become too difficult. Companies have significantly improved their data backup and defence systems; as a result, criminals steal data and demand payment for not releasing it publicly. 

It is worth mentioning that Subway has 20,000 stores worldwide and over 400,000 employees, so the data leak might have long-term consequences for its customers if it unfolds. To protect yourself from online risks, avoid clicking links or opening attachments, use strong passwords, enable two-factor authentication, maintain software and operating systems up to date, and invest in reliable antivirus and anti-malware software. Adequate cyber hygiene is the best approach to fight against cybercrime.
Read more »
Threat Intelligence
Cyber Security Dark Web leak sites Law Enforcement Ransomware Gang Threat Intelligence

International Authorities Take Down ALPHV ransomware Gang’s Dark Web Leak Site

 

An international group of law enforcement groups has taken down the dark web leak site of the notorious ransomware gang known as ALPHV, or BlackCat. 

"The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against ALPHV Blackcat Ransomware," a message currently reads on the gang's dark web leak site. 

According to the press release, law enforcement agencies from the United Kingdom, Denmark, Germany, Spain, and Australia were also involved in the takedown operation. 

The US Department of Justice later confirmed the disruption, stating that the global takedown effort, led by the FBI, allowed US officials to obtain visibility into the ransomware group's computer and seize "several websites" that ALPHV operated. 

Additionally, the FBI released a decryption tool that has already assisted over 500 victims of the ALPHV ransomware patch their systems. (The number of victims is 400 according to the government's search warrant.) The tool assisted several victims in the US and prevented them from having to pay ransom demands that came to around $68 million. 

According to the government's notification, ALPHV stole hundreds of millions of dollars by breaking into the networks of over a thousand victims worldwide. The gang has targeted vital infrastructure in the United States, including government structures, emergency services, defence industrial base companies, critical manufacturing, healthcare and public health facilities, and other businesses, educational institutions, and governmental entities. 

The FBI said it worked with a “confidential human source” linked to the ransomware gang, which granted agents access to the ALPHV/BlackCat affiliate panel that the gang used to manage its victims, according to the government's search warrant. The State Department previously stated that it will reward those who offer insights "about Blackcat, their affiliates, or activities.” 

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” stated U.S. deputy attorney general Lisa Monaco in remarks. “With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and healthcare and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.” 

In recent years, the ALPHV/BlackCat ransomware group has been one of the most active and devastating. ALPHV, which is believed to be a successor to the now-defunct sanctioned REvil hacking gang, claims to have infiltrated a number of high-profile victims, including news-sharing site Reddit, healthcare provider Norton, and the United Kingdom's Barts Health NHS Trust. 

The group's tactics have become more violent in recent months. The ALPHV filed a first-of-its-kind complaint with the U.S. Securities and Exchange Commission (SEC) in November, alleging that digital lending provider MeridianLink failed to disclose "a significant breach compromising customer data and operational information," which the gang claimed responsibility for.
Read more »
Tor Website
Cyber Security Hacking Group Ransomware Gang Threat Landscape Tor Website

LockBit is Recruiting Members of ALPHV/BlackCat and NoEscape Ransomware Outfit

 

Recruiting affiliates and developers from the troubled BlackCat/ALPHV and NoEscape ransomware operations is one of the calculated steps being taken by the LockBit ransomware group. An ideal opportunity emerged for LockBit to expand its network due to the recent disruptions and exit scams within NoEscape and BlackCat/ALPHV. 

Affiliates of NoEscape and BlackCat/ALPHV Tor organisations are in disarray due to the sudden inaccessibility of their websites, as well as reports of escape scams and ransom payments being stolen. While the exact reason of the disruptions is unknown, speculations include hardware malfunctions, internal issues, and law enforcement intervention. 

LockBitSupp, the manager of LockBit, has actively recruited affiliates on Russian-speaking hacking forums in response to the chaos surrounding BlackCat and NoEscape. LockBitSupp makes a tempting offer, stating that affiliates who have copies of stolen data can use LockBit's bargaining panel and data leak website to keep blackmailing victims. 

Additionally, LockBitSupp is trying to hire the coder who created the ALPHV encryptor. Although LockBit's relationship to the troubled ransomware gangs is still unknown, there have been reports of a victim who was BlackCat's previous target now showing up on LockBit's data leak website. 

The change emphasises how groups dealing with ransomware experience disruptions, rebranding, and sometimes even changing affiliations. The ransomware ecosystem continues to evolve, and outfits such as LockBit, by taking advantage of other people's vulnerabilities and interruptions, demonstrate the flexibility and intelligence that these nefarious activities possess.

In the always changing threat landscape, this particular situation may lead to additional rebranding and restructuring as it calls into doubt the reliability of ransomware groups such as BlackCat and NoEscape.
Read more »
Ukraine Organization
Cyber Security Data Extortion Encryption EU EU Regulators European Union Europol Geopolitical Malicious actor Ransomware Attacks. Ransomware Gang Ukraine Organization

Europol Dismantles Ukrainian Ransomware Gang

A well-known ransomware organization operating in Ukraine has been successfully taken down by an international team under the direction of Europol, marking a major win against cybercrime. In this operation, the criminal group behind several high-profile attacks was the target of multiple raids.

The joint effort, which included law enforcement agencies from various countries, highlights the growing need for global cooperation in combating cyber threats. The dismantled group had been a prominent player in the world of ransomware, utilizing sophisticated techniques to extort individuals and organizations.

The operation comes at a crucial time, with Ukraine already facing challenges due to ongoing geopolitical tensions. Europol's involvement underscores the commitment of the international community to address cyber threats regardless of the geopolitical landscape.

One of the key events leading to the takedown was a series of coordinated raids across Ukraine. These actions, supported by Europol, aimed at disrupting the ransomware gang's infrastructure and apprehending key individuals involved in the criminal activities. The raids not only targeted the group's operational base but also sought to gather crucial evidence for further investigations.

Europol, in a statement, emphasized the significance of international collaboration in combating cybercrime. "This successful operation demonstrates the power of coordinated efforts in tackling transnational threats. Cybercriminals operate globally, and law enforcement must respond with a united front," stated the Europol representative.

The dismantled ransomware gang was reportedly using the Lockergoga ransomware variant, known for its sophisticated encryption methods and targeted attacks on high-profile victims. The group's activities had raised concerns globally, making its takedown a priority for law enforcement agencies.

In the aftermath of the operation, cybersecurity experts are optimistic about the potential impact on reducing ransomware threats. However, they also stress the importance of continued vigilance and collaboration to stay ahead of evolving cyber threats.

As the international community celebrates this successful operation, it serves as a reminder of the ongoing battle against cybercrime. The events leading to the dismantlement of the Ukrainian-based ransomware gang underscore the necessity for countries to pool their resources and expertise to protect individuals, businesses, and critical infrastructure from the ever-evolving landscape of cyber threats.

Read more »
Security Breach
Automakers Cyber Attacks Data Leak Ransomware Gang Security Breach

Toyota Acknowledges Security Breach After Medusa Ransomware Threatens to Leak Data

 

Toyota Financial Services (TFS) announced that unauthorised access was detected on some of its systems in Europe and Africa after the Medusa ransomware claimed responsibility for the attack. 

Toyota Financial Services, a subsidiary of Toyota Motor Corporation, is a global entity that provides auto financing to customers in 90% of the markets where Toyota sells its vehicles. 

The Medusa ransomware gang added TFS to its data leak site on the dark web earlier this week, demanding $8,000,000 to delete data allegedly stolen from the Japanese company. Toyota was given ten days by the threat actors to respond, with the option to extend for an additional $10,000 per day. 

Toyota Finance did not confirm whether data was taken in the attack, but the threat actors say they have files exfiltrated and threaten to release data if the ransom is not paid.

The hackers published sample data, such as spreadsheets, purchase invoices, agreements, passport scans, financial performance reports, internal organisation charts, hashed account passwords, cleartext user IDs and passwords, and more, as proof of the intrusion. 

The file tree structure of all the data that Medusa claims to have taken from Toyota's systems is also included in a.TXT file that they supply. The majority of the documents are written in German, suggesting that the hackers were able to gain access to the systems supporting Toyota's activities in Central Europe.

The Japanese automaker was contacted by BleepingComputer for a comment regarding the leaked data, and a company representative gave the following statement: 

“Toyota Financial Services Europe & Africa recently identified unauthorized activity on systems in a limited number of its locations. We took certain systems offline to investigate this activity and to reduce risk and have also begun working with law enforcement. As of now, this incident is limited to Toyota Financial Services Europe & Africa.” 

The spokesperson informed us that most countries are currently in the process of bringing their systems back online. This information pertains to the status of the affected systems and when they are expected to resume regular operations.

One more breach of Citrix Bleed?

Security analyst Kevin Beaumont brought attention to the fact that the company's German office had an internet-exposed Citrix Gateway endpoint that had not been updated since August 2023, making it susceptible to the critical Citrix Bleed (CVE-2023-4966) security vulnerability earlier today, in response to Medusa's revelation that TFS was their victim. 

It was confirmed a few days ago that the hackers behind the Lockbit ransomware were breaching the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing by means of publicly accessible Citrix Bleed exploits.

It's likely that added ransomware groups have begun to utilise Citrix Bleed, capitalising on the extensive attack surface that is believed to encompass thousands of endpoints.
Read more »
User Privacy
Dark Web Data Breach Data Leak PlayStation Ransomware Gang Sony User Privacy

Sony Launches Investigation After Hackers Threaten to Sell Stolen Data on Dark Web

 

It's likely that you have seen the prominent headlines about the "Sony data breach 2023" and are wondering whether you are at risk or not. Sony, however, is likewise unaware of what is happening at the moment, but at least they have begun investigating it.

Sony has once again found itself in the crosshairs of a cyber attack, this time from the ruthless group known as 'Ransomed.vc' claiming to have successfully breached the tech giant's networks. The gang has stated its aim to sell the stolen data on the black market. 

Earlier in the week Ransomed.vc boldly claimed that it had accessed "all Sony systems" and was ready to dump the stolen data because the company was supposedly "unwilling to pay" a ransom. The group went a step further, warning that if no purchasers materialised by Thursday, September 28, they may start publicising the stolen information. 

Despite the gravity of these allegations, it is critical to recognise that they remain unverified. However, Ransomed.vc did provide some evidence in the form of posted files (about 6,000 in total). This pales in comparison to the broad claim that they corrupted "all Sony systems," including your beloved PlayStation. 

In response to these concerning developments, Sony said on September 26 that it had launched an investigation. The company's spokesperson replied, "We are currently investigating the situation, and we have no further comment at this time." 

Sony's measured response reflects the gravity of the problem and the importance of conducting an in-depth investigation into the suspected breach. 

There is still some ambiguity over the scope of the data that "Ransomed.vc" acquired access to and whether any consumer personal information has been stolen as the investigation into the Sony Data Breach 2023 progresses. The stakes are unquestionably high, and Sony will be meticulously investigating the situation and securing its networks with the assistance of cybersecurity professionals.

The current Sony cyber controversy is being closely watched across the globe. It serves as an alarming reminder of the constantly changing panorama of online risks and the crucial role that cybersecurity measures play in protecting private information in the interconnected world.
Read more »
User Safety
Charity Organisation Cyber Attacks Data Leak Ransomware Gang User Safety

BianLian Ransomware Gang Siphons 6.8TB of Data from Save The Children

 

One of the biggest and oldest charities in the world, Save the Children, has admitted it was a victim of a ransomware attack by the BianLian operation. The attack first came to light on Monday, September 11, when details concerning the assault were posted to the gang's leak site. 

The attack was originally tracked by VX Underground and Brett Callow of Emsisoft. VX Underground declared that the gang needed "to be punched in the face," which is a statement that is difficult to dispute. 

Save the Children was not specifically mentioned at first by BianLian, who instead claimed to have struck "the world's leading non-profit organisation, employing around 25,000 staff and operating in 116 countries" with $2.8 billion in revenue. 

The charity's own boilerplate matches some of this description, but BianLian's assessment of Save the Children's financial situation seems to be wildly off; the organisation's entire revenue in 2022 was £294m. 

It claimed to have stolen 6.8TB of data, including 800GB of the charity's financial data, along with data on its human resources department, as well as individual users' personal information, including their health and medical records and email texts.

The BianLian ransomware gang is largely unknown, and although its name refers to a type of Chinese opera from Sichuan Province, it is far more likely that the group is a Russian-speaking one. It was one of many crews that appeared during 2022, ascending around the same time as groups like Black Basta, Hive, and Alphv/BlackCat and establishing themselves as a successful criminal organisation. 

It joined the group of ransomware groups that, as of 2023, have shifted away from encrypting the data of their victims and instead prefer to just grab it and demand payment in exchange for a promise not to disclose it. 

The US Cybersecurity and Infrastructure Security Agency (CISA) claims that BianLian generally uses legitimate Remote Desktop Protocol (RDP) credentials to access its victims' systems and makes use of a number of open source tools and command-line scripting for credential harvesting. 

It uses a variety of techniques to steal their data, most commonly using File Transfer Protocol (FTP) and legal cloud storage and file transfer services like Rclone and Mega. It makes a show of printing its ransom note on printers on its networks to put pressure on its victims, and staff of victimised companies have reported receiving threatening phone calls from individuals posing as group members.
Read more »
Ransomware Gang
Clop Ransomware Clop Ransomware Gang Cyber Attacks MOVEit NCC Group Ransomware Gang

MOVEit Attacks Makes Clop the Most-active Ransomware Threat Actor This Summer


According to numerous threat intelligence reports, this July, Clop had been the reason for about one-third, executing financially-motivated, placing the financially driven threat actor to emerge as the most active ransomware threat actor this summer.

The ransomware gang’s mass exploit of a zero-day vulnerability in the MOVEit file transfer service has now made it to the top of the ransomware threat actor hierarchy.

Emsisoft and KonBriefing Research traceked Clop’s activities, noting that till now, the threat actor has compromised more than 730 organizations in the course of its campaign.

In July, Clop had been responsible for 171 out of the 502 ransomware attacks reported by NCC Group, the firm confirmed. NCC Group added, Clop's actions are most likely to blame for a 16% overall rise in ransomware assaults from the preceding month. NCC and Flashpoint further noted that clop was the threat actor behind for at least twice as many attacks as Lockbit, its next-closest rival, in illegal ransomware activity in July.

“Many organizations are still contending with the impact of Clop’s MOVEit attack, which goes to show just how far-reaching and long-lasting ransomware attacks can be — no organization or individual is safe[…]This campaign is particularly significant given that Clop has been able to extort hundreds of organizations by compromising one environment,” Hull said. “Not only do you need to be vigilant in protecting your own environment, but you must also pay close attention to the security protocols of the organizations you work with as part of your supply chain,” Matt Hull, global head of threat intelligence at NCC Group, said in a statement.

These instances eventually indicate that the impact of Clop's attacks against companies in highly sensitive and regulated industries is enormous, as is the possible exposure. It is still not clear as of how many victims are actually downstream. 

Some other instances of Clop’s threat activities include Colorado State University, which was hit six times, in six different ways. Also, the ransomware’s target include three of the big four accounting firms – Deloitte, Ernst & Young and PwC – consequently putting their sensitive customer data in high risk.  

Read more »
Varian
Data Breach Exposed Patient Records Healthcare Data LockBit LockBit ransomware group Ransomware Gang Siemens Healthineers Varian

LockBit Attack: Ransomware Gang Threatens to Leak Cancer Patients’ Medical Data


LockBit ransomware group recently revealed its intent to leak private medical data of cancer patients, stolen in the breach on Varian Medical Systems.

Varian, a subsidiary of Siemens Healthineeres, provides software for the oncology department's applications and specializes in offering therapeutic and diagnostic oncology services. The California-based corporation has more than 10,000 employees as of 2021 and had an annual profit of £269 million. 

While it is still unclear how LockBit got access to Varian's systems or how much data was stolen, the ransomware gang warned readers of its "victim blog" that if the company did not meet their demands within two weeks, soon, its private databases and patient medical data would be made public. Apparently, Varian has until 17 August to meet the negotiation demands in order to restore their stolen data, if they wish to avoid ‘all databases and patient data’ from being exposed in LockBit’s blog. 

The attack is most likely to be a part of ‘triple extortion,’ a strategy usually used by ransomware actors. The strategy involves a three-part attack on an organization that starts with the theft of data that appears to be sensitive before it is encrypted. The corporate victim of the breach can only get their data back and keep it private if they pay a ransom, following which they will receive – in theory – a decryption key from the hackers. 

In regards to the breach, Siemens Healthineers – Varian’s parent company confirmed that an internal investigation is ongoing. However, they did not provide any further details of the breach. 

“Siemens Healthineers is aware that a segment of our business is allegedly affected by the Lockbit ransomware group[…]Cybersecurity is of utmost importance to Siemens Healthineers, and we are making every effort to continually improve our security and data privacy,” said a spokesperson.

Growing Cases of LockBit

Recent months have witnessed a good many cyberattacks conducted by LockBit against some major companies. According to a report by the US Cybersecurity and Infrastructure Security Agency, in the first quarter of 2023, the ransomware gang has already targeted 1,653 companies. They frequently repurposed freeware and open-source tools for use in network reconnaissance, remote access, tunnelling, credential dumping, and file exfiltration. 

Some examples of the LockBit hit companies would be their recent campaign against the port of Nagoya, which ossified supply chains for Japanese automobile company Toyota, and SpaceX in which the ransomware gang claims to have led to a haul of 3,000 proprietary schematics, and an attempt to extort $70 million from Taiwanese chip maker TSMC.  

Read more »
Ransomware Gang
Asset Manager Cyber Attacks Italian Firm Ransomware attack Ransomware Gang

BlackCat Attackers Target Italian Asset Manager Azimut

 

Azimut Group, an Italian asset management firm that oversees over $87.2 billion in assets, declared in a public statement that it will "not comply by any means" with a ransomware demand from the notorious hacking organisation BlackCat. 

Israeli hacking monitoring start-up DarkFeed said the same ransomware group in September stole large amounts of data from state-owned Italian energy services firm GSE. It revealed on its website that Azimut was one of BlackCat's 477 victims on July 21. Azimut did not respond immediately. 

BlackCat, also known as ALPHV, first appeared in late 2021 and is notorious for carrying out sophisticated assaults on a number of firms in the United States and Europe. 

"The attack did not affect data or information that might allow access to the personal position of clients and financial advisors or the execution of unauthorised transactions," Azimut said in a press release. 

Palo Alto Networks, a cybersecurity firm based in California, also confirmed that BlackCat was behind the hack. 

According to the firm, Azimut was one of 23 enterprises targeted in July alone. The hackers claimed to have taken more than 500GB (Gigabytes) of private data from Azimut. 

Security experts at Unit 42 claimed that BlackCat is the second most active multi-extortion ransomware organisation behind LockBit, based on leak site tracking. 

"We've seen a wide range of industries [as targets], including law firms, engineering firms, health care systems, manufacturing, and more," the researchers stated.

Azimut, which handles 85 billion euros in assets, nearly half of which are in Italy, claimed it discovered an unauthorised entry to its IT systems as part of its usual monitoring activity. 

It had notified the appropriate authorities and had implemented an internal safety procedure that "successfully limited the impact of the criminal action," the company added.
Read more »
TSMC cyberattack
Cyber Attacks Kinmax LockBit LockBit ransomware group National Hazard Agency Ransomware attack Ransomware Gang Royal Mail TSMC TSMC cyberattack

TSMC Cyberattack: LockBit Demands a Ransom of $70m


Taiwan Semiconductor Manufacturing Company (TSMC) accused one of its equipment suppliers for its LockBit breach that, that has emerged in the on the gang’s dark web victim blog. Apparently, the ransomware has demanded a whopping $70 million ransom demand./ Without disclosing the type of data hacked, the corporation has named the affected third-party supplier as Kinmax Technology, a system integrator with offices in Taiwan.

TSMC stated on the issue, saying "TSMC has recently been aware that one of our IT hardware suppliers experienced a cybersecurity incident, which led to the leak of information pertinent to server initial setup and configuration." The company confirms that no customer data has been exposed in the breach.

“After the incident, TSMC has immediately terminated its data exchange with this concerned supplier in accordance with the company’s security protocols and standard operating procedures,” the statement added.

One of the affiliates of LockBit, National Hazard Agency shared screenshots of directory listings of stolen TSMC files on their leak website on Thursday, giving them a deadline of August 6 to pay the ransom amount. However, the ransomware gang did not reveal details of the amount of data it stole from the company.

The blog also gave the company an option to extend the said deadline by 24 hours for $5,000, or to delete all stolen content or download it immediately for $70 million.

Kinmax Issues an Apology

Kinmax Technology expertise in networking, cloud computing, storage, security and database management. The company claims to have experienced a breach on 29 June, stating “internal specific testing environment was attacked, and some information was leaked.” The leaked information included “system installation preparation that the company provided to our customers,” Kinmax said.

LockBit Emerges Again

LockBit is a Russian ransomware gang that first came to light in year 2019. As of the first quarter of 2023, it has a total of 1,653 alleged victims, as per a report released by US cybersecurity firm CISA.

According to the report, since its first known attack in January 2020, the cybercrime group has gathered nearly $91m in ransoms from US victims.

LockBit has also been a reason for a number of high-profile cyberattacks in the UK. This year, the gang has been responsible for the popular Royal Mail attacks, where it demanded a ransom of $80m in Bitcoin. The company however did not pay the ransom, deeming the demand as “ridiculous.” The ransomware gang then responded by exposing the data online, along with the copies of the negotiations held between LockBit and the Royal Mail representatives.

The ransomware gang was also responsible for stealing data from WH Smith, a high-end retailer in the UK. The attack was directed at present and former employees' personal information. Since then, there has been no information indicating whether the business has paid the ransom.

Read more »
Zero-day vulnerability
CIOp MOVEit Attacks Cyber Attacks GoAnywhere MFT MoveIt Hack Ransomware Gang Zero-day vulnerability

CIOp Attacks: Ransomware Group Reveal Names of the MOVEit Zero-Day Attack Victims


CIOp ransomware group has revealed names of more than two dozen organizations that are apparently attacked in their campaign via a zero-day vulnerability in the MOVEit managed file transfer (MFT) software.

The ransomware group utilized the MOVEit transfer vulnerability, CVE-2023-34362, to steal data from firms that had been using the product. Despite some evidence indicating that the hackers tested the vulnerability as early as 2021, broad exploitation appears to have begun in late May 2023.

In no time, the attacked were proved to be connected to the CIOp group, that had earlier utilized a zero-day in the GoAnywhere MFT products, stealing data of several firms. The MOVEit zero-day campaign's perpetrators have acknowledged their involvement, and they have given victims until June 14 to contact them in order to stop the release of data taken from their systems. They say they have struck hundreds of targets.

The victims of the attacks include energy giant Shell, as well as firms from various sectors like financial, healthcare, manufacturing, IT, pharmaceutical, and education sectors. A large number of victims include US-based banks and other financial institutions, followed by healthcare organizations. The hackers declared they would not target pediatric healthcare facilities after the breach was discovered.

The first known victims of the attacks included UK-based payroll and HR company Zellis (and its clients British Airways, Aer Lingus, the BBC, and the Boots), the Canadian province of Nova Scotia, the University of Rochester, the Illinois Department of Innovation & Technology (DoIT), and the Minnesota Department of Education (MDE).

Following the ransomware attacks, the group has not yet leaked any data stolen from these organizations.

The number of businesses that have reported being impacted keeps expanding. In recent days, statements about the incident have been released by Johns Hopkins University and Johns Hopkins Health System, UK media authority Ofcom, and a Missouri state agency.

Moreover, in a report published on Thursday, CNN noted that a number of US federal government organizations were also impacted with the attacks, as per Eric Goldstein who is the executive director for CISA. These agencies include Department of Energy, which is now working on the issue to control the impact of the attack.

However, the ransomware gang claims that their prime motive behind these attacks is to acquire ransoms from businesses and confirms that all the state-related data they may have acquired in the attacks has been deleted.

Read more »
Royal Ransomware
BlackSuit Cyber Security cyber theft Ransomware Gang Royal Ransomware

Royal Ransomware Gang adds BlackSuit Encryptor to their Arsenal

A new encryptor named BlackSuit is currently being tested by the notorious Royal ransomware gang. This encryptor bears striking resemblances to their customary encryption tool, suggesting it may be an evolved version or a closely related variant. 

In January 2023, the Royal ransomware gang emerged as the direct successor to the infamous Conti operation, which ceased its activities in June 2022. This private ransomware group consists of skilled pentesters and affiliates hailing from 'Conti Team 1,' as well as individuals recruited from various other ransomware gangs that target enterprises. 

Since its inception, Royal Ransomware has quickly gained notoriety as one of the most active and prolific operations, carrying out numerous high-profile attacks on enterprises. Furthermore, starting from late April, there have been growing indications that the Royal ransomware operation has been contemplating a rebranding effort under a fresh identity. 

This notion gained significant momentum when the group encountered intensified scrutiny from law enforcement following their targeted attack on the City of Dallas, Texas. Feeling the mounting pressure from authorities, the ransomware group has seemingly considered the necessity of adopting a new name, potentially as part of their strategy to evade detection and evade the repercussions of their illicit activities. 

In May, a distinct ransomware operation known as BlackSuit emerged, employing its unique encryptor and Tor negotiation sites. Speculation arose suggesting that this could be the rebranded version of the Royal ransomware group as initially anticipated. However, contrary to expectations, the Royal ransomware gang has not undergone a rebranding process and continues its active assault on enterprise targets. 

While BlackSuit has been employed in a limited number of attacks, the overall identity and operations of the Royal ransomware group remain unchanged. The notion of a rebranding for the Royal ransomware group appears to have lost its viability, given the recent findings presented in a report by Trend Micro. 

The report highlights significant resemblances between the encryptors used by BlackSuit and the Royal Ransomware, rendering it challenging to persuade anyone that they are distinct and unrelated entities. Consequently, attempting to present themselves as a new ransomware operation would likely face considerable skepticism due to these noticeable similarities. 

The resemblances between BlackSuit and Royal Ransomware go beyond surface-level similarities. In-depth analysis, as outlined in the Trend Micro report, reveals a range of shared characteristics. These include similarities in command line arguments, code structures, file exclusion patterns, and even intermittent encryption techniques. 

Such consistent parallels across various aspects make it increasingly difficult to present BlackSuit as a genuinely distinct ransomware operation separate from the Royal group. These findings strongly suggest a strong connection or shared origin between the two entities.
Read more »
Ransomware Gang
Cyber Attacks Data exposed Fujitsu Kyocera avx LockBit LockBit ransomware MalwareBytes ransomware attacks Ransomware Gang

Kyocera AVX: Electronic Manufacturer Company the Current Target of LockBit


Kyocera, a global electronics manufacturer, has apparently experienced what seems like a data breach, wherein their data was exposed by ransomware gang LockBit on their dark web blog. The company was one of several who felt the aftershocks of a breach at Japanese tech firm Fujitsu last year.

The group has set a June 9 deadline for the payment of an undetermined ransom. According to the blog, "all available data will be published" if the company does not collaborate with the cybercriminals before then.

Kyocera AVX

Kyocera AVX’s clients involves military, industrial and automotive industries, for whom the company manufactures electronic products. It was established in the 1970s, and since 1990, it has been a part of Kyocera, a Japanese electronics business best known for its printers. Over 10,000 individuals are employed by it globally.

On May 26th, security researchers revealed that selected data of the company has been leaked and posted to LockBit’s dark web victim blog.

Apparently, the company’s data was breached following a cyberattack that took place on Fujitsu last year. The attack might have been the reason why LockBit was able to launch a supply chain attack on Kyocera AVX, and other companies that are partnered with Fujitsu via cyber or other social engineering attacks.

According to a Financial Times report, Fujitsu confirmed the attacks in December following a heads-up given by police agency of a potential intrusion. The intrusion further gave outsiders access to emails sent through an email system powered by Fujitsu.

It was later revealed that at least ten Japan-based companies, along with Kyocera AVX were victims of the attack.

LockBit Continues Cyber Activities Against Russia’s Enemy 

Ransomware gang LockBit, which is assumed to have originated in Russia has been on news highlights pertaining to its interest on targeting organizations based in US and allied countries. 

According to a report by security firm Malwarebytes, 126 victims have been posted by the ransomware gang in February alone.

This year, the gang targeted the UK Royal Mail, demanding ransom of $80 million in bitcoin. When the business refused to pay up, labeling the demands "ridiculous," the gang retaliated by sharing the information along with copies of the conversations between LockBit and Royal Mail's officials.

Later, it stole client information from WH Smith, a high-end street retailer in the UK. The hacker used current and previous employees' personal information. Since then, there has been no information indicating whether the business has paid the ransom.

In its recent case, this month, an individual named Mikhail Pavlovich Matveev who claims to have been involved with LockBit, has a bounty of $10 million on his head placed by the FBI. With connections to both the Hive and Babuk organizations, Matveev is believed to be a major participant in the Russian ransomware ecosystem.  

Read more »
Subscribe to: Posts (Atom)