
Zero-Click Vulnerability in Popular NAS Devices Exposes Millions to Cyber Attacks

 

A widely used device and application for storing documents, trusted by millions of users and businesses globally, has been found to have a vulnerability. A team of Dutch researchers revealed that this zero-click flaw could potentially compromise many systems worldwide.

This flaw, termed "zero-click" because it requires no user interaction to trigger, affects Synology's photo application, a default program on network-attached storage (NAS) devices from the Taiwanese company. Through this vulnerability, attackers could gain unauthorized access to these devices, allowing them to steal files, plant malicious code, or install ransomware, which could lock users out of their data.

The Synology Photos app comes pre-installed on Synology’s BeeStation storage devices and is also popular among users of their DiskStation models. These NAS devices enable users to expand storage via add-on components. Since 2019, Synology and other NAS brands have frequently been targeted by ransomware groups. Recently, DiskStation users have reported specific ransomware attacks. The vulnerability was uncovered by Rick de Jager, a security researcher with Midnight Blue in the Netherlands, during the Pwn2Own hacking event in Ireland. De Jager and his team identified hundreds of thousands of vulnerable Synology NAS devices online, although they warn that the real number of at-risk devices is likely in the millions.

The researchers, alongside the Pwn2Own organizers, alerted Synology about the flaw last week.

Network-attached storage systems are attractive targets for cybercriminals due to the large volumes of data they store. Many users connect their NAS directly to the internet or utilize Synology’s cloud storage for backup. Although security credentials can be required to access the devices, this specific zero-click flaw in the photo app doesn’t require authentication. Attackers can exploit it remotely over the internet, granting them root access to execute malicious code on the device.

The photo app allows users to organize images and provides attackers easy access whether the NAS is connected directly to the internet or via Synology’s QuickConnect, which offers remote access. Once an attacker compromises one cloud-connected Synology NAS, it becomes easier to identify others, thanks to how the system registers and assigns IDs.

The researchers found several cloud-connected Synology NAS devices linked to U.S. and French police departments, as well as numerous law firms in North America and France. Other compromised devices were used by logistics and oil companies in Australia and South Korea, along with maintenance firms in South Korea, Italy, and Canada, serving industries like energy, pharmaceuticals, and chemicals.

“These organizations store a range of critical data, including management documents and sensitive case files,” Wetzels said.

Beyond ransomware, the researchers warn of other threats, such as botnets, which infected devices could join to assist in hiding broader hacking operations. The Chinese Volt Typhoon group, for example, previously used compromised home and office routers to mask espionage activities.

Synology has not responded publicly to requests for comment, but on October 25, the company issued two security advisories marking the vulnerability as “critical.” Synology confirmed the discovery was made during the Pwn2Own contest and released patches for the flaw. However, without automatic updates on NAS devices, it is unclear how many users are aware of or have implemented the patch. Releasing the patch also increases the risk that attackers could reverse-engineer it to exploit the vulnerability.

While finding the vulnerability independently is challenging, “it’s not hard to connect the dots from the patch,” Meijer explained.

Nidec Corporation Ransomware Attack: Data Leak on Dark Web

 

In a recent disclosure, Nidec Corporation, a global leader in precision motors and automotive components, confirmed a significant data breach from a ransomware attack that occurred earlier this year. Hackers, after failing to extort the company, leaked stolen data on the dark web. This breach did not involve file encryption, but the stolen information has raised concerns for employees, contractors, and associates regarding potential phishing attacks. Nidec operates in over 40 countries and has an annual revenue exceeding $11 billion. 

The affected division, Nidec Precision, is based in Vietnam and specializes in manufacturing optical, electronic, and mechanical equipment for the photography industry. An internal investigation revealed that hackers accessed a server using stolen VPN credentials of a Nidec employee. This server contained sensitive documents, including business letters, purchase orders, invoices, health policies, and contracts. Over 50,000 files were compromised in the breach. The company responded by closing the entry point and implementing additional security measures as advised by cybersecurity experts. 

Employees are undergoing further training to reduce future risks, with Nidec notifying business partners who may have been affected. The attack was initially claimed by the 8BASE ransomware group in June, who alleged they stole personal data and a large volume of confidential information from Nidec’s systems. In July, the Everest ransomware group also published stolen data on the dark web, suggesting a connection to 8BASE and initiating a secondary extortion attempt. While Nidec has confirmed the authenticity of the stolen data, it downplayed the potential for direct financial damage to the company or its contractors. 

However, the company remains vigilant and continues to monitor for any unauthorized use of the information. This attack underlines the vulnerability of even the largest corporations to cybercriminals and the importance of robust security measures. As ransomware groups continue to evolve their tactics, companies like Nidec must ensure they are prepared to mitigate threats and protect their sensitive data. 

The Nidec breach is a stark reminder of the ongoing risks in today’s interconnected business environment. In response to this breach, Nidec has implemented stronger security protocols and is actively educating its workforce on how to mitigate cybersecurity risks moving forward.

New Trinity Ransomware Strain Targets U.S. Healthcare, Federal Officials Warn

 

A new ransomware strain, known as Trinity, has reportedly compromised at least one healthcare organization in the U.S., according to a recent report from federal authorities.

The U.S. Department of Health and Human Services (HHS) issued a warning on Friday, alerting hospitals about the serious threat posed by the ransomware group. They highlighted that Trinity’s methods make it a "notable risk" to both the U.S. healthcare and public health sectors.

HHS's Health Sector Cybersecurity Coordination Center confirmed that one U.S. healthcare entity has recently fallen victim to the Trinity ransomware, which was first detected around May 2024.

To date, seven victims of Trinity ransomware have been identified, including two healthcare providers—one in the U.K. and another in the U.S. The latter, a gastroenterology services provider, lost 330 GB of data. While the facility remains unnamed, it has been listed on Trinity’s data leak site and is currently facing technical disruptions, including limited phone access.

Additionally, researchers have found another case involving a dental group based in New Jersey.

HHS noted similarities between Trinity and two other ransomware groups—2023Lock and Venus—hinting at potential collaboration between these cybercriminals.

Trinity ransomware mirrors other known operations by exploiting common vulnerabilities to extract data and extort victims.

After installation, the ransomware gathers system information, such as available processors and drives, to escalate its attack. Operators then scan for weaknesses to spread the ransomware within the network.

The files encrypted by the attack are marked with the “trinitylock” extension, and victims receive a ransom note demanding payment within 24 hours, with threats of data exposure if they fail to comply.

At present, there is no available decryption tool for Trinity, leaving victims with few options, according to the HHS advisory.

The attackers operate two websites: one to assist those who pay the ransom with decryption, and another that displays stolen data to extort victims further.
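Detection logic for the indicator described above, as an added example that is not part of the original post or the HHS advisory: it parses constructed file-audit log lines (the line format, hostnames, paths and timestamps are assumptions) and flags a host once several files are renamed or written with the trinitylock extension inside a short window, which is what a mass-encryption run looks like in file-system telemetry.

```python
# Added example (not from the original post or the HHS advisory): a small
# detector that reads file-audit log lines and flags a host once it sees a
# burst of files renamed or written with the ".trinitylock" extension that
# the post attributes to Trinity. The log format, hostnames, paths and
# timestamps below are constructed for illustration.
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed line shape:
#   "<ISO-8601 UTC> host=<name> user=<name> op=<WRITE|RENAME> src=<path> [dst=<path>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\w+) "
    r"src=(?P<src>\S+)(?: dst=(?P<dst>\S+))?$"
)
RANSOM_EXT = ".trinitylock"  # extension the post reports on encrypted files


def parse_line(line):
    """Return a dict for one audit line, or None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def is_lock_event(ev):
    """True when the event produces a path ending in the Trinity extension (case-insensitive)."""
    produced = ev["dst"] if ev["op"] == "RENAME" else ev["src"]
    return produced is not None and produced.lower().endswith(RANSOM_EXT)


def find_burst_hosts(lines, window_seconds=60, threshold=5):
    """Map host -> timestamp at which it was first flagged.

    A host is flagged when at least `threshold` lock events fall inside a sliding
    window of `window_seconds`. Lines are assumed to be in chronological order.
    """
    recent = defaultdict(deque)  # per-host timestamps of lock events still inside the window
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_lock_event(ev):
            continue  # unparseable or unrelated activity
        q = recent[ev["host"]]
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop events that have aged out of the window
        if len(q) >= threshold and ev["host"] not in flagged:
            flagged[ev["host"]] = ev["ts"]
    return flagged


# Constructed sample telemetry: WS-17 shows a rename burst; SRV-02 has only a
# rename *away* from the extension and one isolated hit much later.
CONSTRUCTED_LOG = [
    r"2024-05-14T10:02:01Z host=WS-17 user=jdoe op=WRITE src=C:\Users\jdoe\Documents\notes.txt",
    r"2024-05-14T10:02:05Z host=WS-17 user=jdoe op=RENAME src=C:\Users\jdoe\Documents\q1.xlsx dst=C:\Users\jdoe\Documents\q1.xlsx.trinitylock",
    r"2024-05-14T10:02:06Z host=WS-17 user=jdoe op=RENAME src=C:\Users\jdoe\Documents\q2.xlsx dst=C:\Users\jdoe\Documents\q2.xlsx.trinitylock",
    r"2024-05-14T10:02:08Z host=SRV-02 user=backup op=RENAME src=D:\Backups\old.trinitylock dst=D:\Backups\old.bak",
    r"2024-05-14T10:02:09Z host=WS-17 user=jdoe op=RENAME src=C:\Users\jdoe\Documents\report.docx dst=C:\Users\jdoe\Documents\report.docx.trinitylock",
    r"2024-05-14T10:02:12Z host=WS-17 user=jdoe op=RENAME src=C:\Users\jdoe\Documents\slides.pptx dst=C:\Users\jdoe\Documents\slides.pptx.TRINITYLOCK",
    r"2024-05-14T10:02:15Z host=WS-17 user=jdoe op=WRITE src=C:\Users\jdoe\Documents\README.txt",
    r"2024-05-14T10:02:20Z host=WS-17 user=jdoe op=RENAME src=C:\Users\jdoe\Documents\budget.csv dst=C:\Users\jdoe\Documents\budget.csv.trinitylock",
    r"2024-05-14T10:02:25Z host=WS-17 user=jdoe op=RENAME src=C:\Users\jdoe\Documents\plan.docx dst=C:\Users\jdoe\Documents\plan.docx.trinitylock",
    r"2024-05-14T10:05:00Z host=SRV-02 user=svc op=RENAME src=D:\share\a.pdf dst=D:\share\a.pdf.trinitylock",
]

if __name__ == "__main__":
    for host, when in find_burst_hosts(CONSTRUCTED_LOG).items():
        print(f"ALERT {host}: trinitylock rename burst first seen at {when.isoformat()}Z")
```

In practice the threshold and window are tuned against the normal rename rate of each file server; the example keeps them small so the constructed burst is visible.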

Federal officials have discovered code similarities between the Trinity and Venus ransomware strains, noting identical encryption methods and naming schemes, which suggest a close link between them. Trinity also shares features with 2023Lock, including identical ransom notes and code, implying it could be an updated variant.

Cybersecurity researchers have also pointed out that Trinity may be a rebranded version of both Venus and 2023Lock. According to Allan Liska of Recorded Future, Trinity is "not a highly advanced strain of ransomware," and the attackers do not appear particularly sophisticated.

HHS emphasized that the potential collaboration between these threat actors could enhance the complexity and impact of future ransomware attacks.

Previous HHS warnings have covered other ransomware groups such as Royal, Cuba, Venus, Lorenz, and Hive.

Despite heightened law enforcement efforts, ransomware attacks persist, with operations continuing to generate significant revenue—approximately $450 million in the first half of 2024 alone.

The healthcare sector has been particularly affected by these attacks, causing severe disruptions. Just last week, a Texas hospital, the only level 1 trauma center in a 400-mile radius, had to reduce services and turn away ambulances due to a ransomware incident.

As of Friday, the hospital reported restored phone services, with only a limited number of ambulances being redirected to other facilities.

Comcast Data Breach: Over 237,000 Customers’ Information Stolen in Cyberattack on Debt Collector

 

Comcast has confirmed that sensitive data on 237,703 of its customers was stolen in a cyberattack on Financial Business and Consumer Solutions (FBCS), a debt collection agency it previously worked with. The breach, which occurred in February 2024, involved unauthorized access to FBCS’s computer systems, resulting in the theft of customer data, including names, addresses, Social Security numbers, and Comcast account information. Although Comcast was initially assured that none of its customers were affected by the breach, FBCS later revealed that the data had indeed been compromised. 

The breach unfolded between February 14 and February 26, 2024. During this period, the attackers downloaded sensitive data and encrypted some systems as part of a ransomware attack. FBCS launched an investigation upon discovering the breach and involved third-party cybersecurity specialists to assess the damage. However, it wasn’t until July 2024 that FBCS contacted Comcast again, informing the company that its customer data had been part of the stolen records. Comcast acted promptly upon receiving this updated information, notifying its affected customers in August and offering support services such as identity and credit monitoring. This move came after FBCS informed Comcast that, due to its current financial difficulties, it could not provide the necessary protection services for those affected. 

Comcast has stepped in to offer these services directly to its customers. The breach exposed not just Comcast’s customers but also a broader group of individuals, with FBCS initially revealing that over 4 million records had been compromised. The exact method of the breach and how the attackers infiltrated FBCS’s systems remain unclear, as FBCS has not disclosed specific technical details. Additionally, no ransomware group has claimed responsibility for the attack, leaving the full scope of the incident somewhat shrouded in mystery. Comcast has made it clear that its own systems, including those of its broadband and television services, were not affected by the breach. The data stolen from FBCS pertains to customers who were registered around 2021, and Comcast had ceased using FBCS for debt collection services by 2020. 

Nevertheless, this breach highlights the risks that third-party service providers can pose to customer data security. In the aftermath, this incident serves as a reminder of the growing threat posed by cyberattacks, particularly ransomware, which has become a common tactic for malicious actors. As companies increasingly rely on third-party vendors for services such as debt collection, the need for stringent security measures and oversight becomes even more critical. Comcast’s experience shows how quickly situations can evolve and how third-party vulnerabilities can directly impact a company’s customers. While Comcast has taken steps to mitigate the damage from this breach, the case of FBCS raises important questions about the security practices of third-party service providers. 

As data breaches become more frequent, customers may find themselves at risk from vulnerabilities in systems beyond the companies with which they interact directly.

Delaware Libraries Hit by Ransomware Attack, Internet Services Disrupted

 

Last week, Delaware’s public libraries faced a cyberattack, causing widespread disruption to computer and internet access. Signs posted at libraries informed visitors that Wi-Fi and PCs were out of service, with officials confirming a ransomware attack took down all internet services. Despite the inconvenience, visitors can still check out books and use other library services. Ransomware attacks like this often start with phishing emails or social engineering, where users are tricked into actions that allow hackers access. 

Matt Barnett, CEO of cybersecurity firm Sevn-X, explained that attackers typically cast a wide net with phishing emails, waiting for a target to take the bait. He speculated that the hackers responsible for this attack are likely from Russia or Eastern Europe, suggesting they targeted Delaware not out of malice but simply because it was an easy opportunity. Hackers look for low-hanging fruit, making any vulnerable entity a potential target. Ransomware attacks usually demand payment in exchange for returning access to the compromised systems. 

In this instance, Delaware state officials have not confirmed if any personal information was stolen. However, the situation serves as a stark reminder of the importance of cybersecurity, even for community services like public libraries. Cybersecurity experts stress the need for vigilance and proactive measures to protect against such threats. Organizations should implement strong email security protocols, train employees to recognize phishing attempts, and regularly update software to patch vulnerabilities. Regular data backups are also essential, ensuring that in the event of an attack, systems can be restored without paying a ransom. 

While this attack has disrupted library services, it is also a learning opportunity. Public institutions, often seen as “soft targets,” must prioritize cybersecurity to protect their networks, systems, and the personal data of their users. By investing in robust cybersecurity measures, conducting employee training, and implementing multi-factor authentication, public services can better defend themselves against future attacks. 

This incident serves as a reminder that cyber threats are ever-present, and even seemingly small targets like public libraries are not immune. As ransomware attacks continue to rise, organizations of all sizes must take active steps to fortify their defenses and educate themselves about potential risks.

Preparing Healthcare for Ransomware Attacks: A 12-Step Approach by Dr. Eric Liederman


Dr. Eric Liederman, CEO of CyberSolutionsMD, emphasizes that healthcare organizations must be prepared for ransomware attacks with a structured approach, describing it as akin to a “12-step program.” He highlights that relying solely on protective measures is insufficient since all protections have the potential to fail. Instead, planning and creating a sense of urgency is key to successfully handling a cyberattack. 

According to Liederman, organizations should anticipate losing access to critical systems and have a strategic recovery plan in place. One of the most important components of such a plan is designating roles and responsibilities for the organization’s response. During an attack, the Chief Information Security Officer (CISO) essentially takes on the role of CEO, dictating the course of action for the entire organization. Liederman says the CISO must tell people which systems are still usable and what must be shut down. 

The CEO, in this situation, plays a supporting role, asking what’s possible and what needs to be done to protect operations. A significant misconception Liederman has observed is the assumption that analog systems like phones and fax machines will continue functioning during a ransomware attack. Often, these systems rely on the same infrastructure as other compromised technology. For example, phone systems that seem analog still resolve to an IP address, which means they could be rendered useless along with other internet-based systems. 

Even fax machines, commonly thought of as a fail-safe, may only function as copiers in these scenarios. Liederman strongly advises healthcare institutions to conduct thorough drills that simulate these kinds of disruptions, enabling clinical and IT staff to practice workarounds for potentially critical outages. This level of preparation ensures that teams can still deliver care and operate essential systems even when technological resources are down for days or weeks. 

In terms of system recovery, Liederman encourages organizations to plan for bringing devices back online securely. While the need to restore services quickly is essential to maintaining operations, the process must be carefully managed to avoid reinfection by the ransomware or other vulnerabilities. Given his extensive experience, which includes almost two decades at Kaiser Permanente, Liederman advocates for resilient healthcare IT infrastructures that focus on readiness. This proactive approach allows healthcare organizations to mitigate the potential impacts of cyberattacks, ensuring that patient care can continue even in worst-case scenarios.

Columbus Faces Scrutiny for Handling of Ransomware Attack and Lawsuit Against IT Consultant

 

In July, Columbus, Ohio, experienced a ransomware attack, which initially appeared to be a typical breach. However, the city’s unusual response sparked concern among cybersecurity experts and legal professionals. IT consultant David Leroy Ross, also known as Connor Goodwolf, uncovered a significant breach exposing sensitive data from various city databases, including arrest records, domestic violence cases, and personal information. 

This attack, carried out by the Rhysida Group, affected the city, police, and prosecutor’s office, with some databases going back to 1999. Goodwolf, whose expertise involves monitoring dark web activities, discovered that over three terabytes of data had been stolen. Among the exposed data were personally identifiable information, protected health information, and Social Security numbers. Goodwolf expressed particular concern over the exposure of sensitive information involving minors and domestic violence victims, emphasizing that they were now victimized a second time.

Despite the serious implications, the city’s response appeared to downplay the breach. At a press conference in mid-August, Columbus Mayor Andrew Ginther claimed that the stolen data was encrypted or corrupted, making it largely unusable. Goodwolf, however, contradicted this statement, revealing that the data he found was intact and usable. When he attempted to notify city officials, he was met with resistance and a lack of cooperation. As a result, Goodwolf turned to the media, which led the city of Columbus to file a lawsuit and secure a temporary restraining order against him. The lawsuit, intended to prevent the further dissemination of sensitive information, raised concerns in the cybersecurity community. 

Legal experts pointed out that such lawsuits against data security researchers are uncommon and could have broader implications. Raymond Ku, a professor of law, noted that lawsuits against researchers typically arise when the disclosure of a vulnerability puts others at risk. However, cybersecurity professionals, such as Kyle Hanslovan, CEO of Huntress, argued that Goodwolf was acting as a responsible researcher. Hanslovan warned that this approach could set a dangerous precedent, silencing individuals who work to expose breaches. The city defended its actions, stating that it sought to prevent the release of confidential information, including undercover police identities. Although the restraining order expired, Columbus continues its civil lawsuit against Goodwolf, seeking up to $25,000 in damages. 

As Columbus works to recover from the attack, the broader implications of its actions toward Goodwolf remain a point of contention. Experts argue that the case highlights the need for a legal framework that balances the protection of sensitive information with the role of security researchers in revealing vulnerabilities. As Columbus strives to position itself as a tech hub, this legal battle could affect its reputation and relationships within the tech industry.

Microchip Technology Confirms Private Data Stolen in Ransomware Attack

 

Microchip Technology has acknowledged that employee information was stolen from vulnerable systems in an August incident. The Play ransomware group later claimed responsibility. 

The chipmaker, headquartered in Chandler, Arizona, serves over 123,000 clients across a variety of industries, including industrial, automotive, consumer, aerospace and defence, communications, and computing. 

On August 20, Microchip Technology revealed that a cyberattack discovered on August 17 has disrupted operations across multiple production plants. The incident hampered the company's capacity to meet orders, forcing it to shut down parts of its systems and isolate those affected in order to manage the breach. 

In a Wednesday filing with the Securities and Exchange Commission, Microchip Technology stated that its operationally critical IT systems are now functioning and that operations are "substantially restored", with the firm having processed customer orders and shipped products for more than a week.

Microchip Technology also stated that the attackers acquired some staff data from its systems, but it has yet to find proof that customer information was also compromised during the intrusion. 

"While the investigation is continuing, the Company believes that the unauthorized party obtained information stored in certain Company IT systems, including, for example, employee contact information and some encrypted and hashed passwords. We have not identified any customer or supplier data that has been obtained by the unauthorized party," Microchip Technology stated. 

"The Company is aware that an unauthorized party claims to have acquired and posted online certain data from the Company's systems. The Company is investigating the validity of this claim with assistance from its outside cybersecurity and forensic experts,” the chipmaker added. 

Investigating Play ransomware claim 

Microchip Technology continues to assess the scope and consequences of the cyberattack with external cybersecurity consultants. Restoring IT systems affected by the incident is currently ongoing. The company claims that it has been processing customer orders and delivering products for more than a week, despite the fact that it is still working on recovery after the attack. 

Even though Microchip Technology is still investigating the origin and scope of the hack, the Play ransomware gang claimed credit on August 29 by including the American chipmaker on its dark web data dump website. 

The ransomware outfit claimed that it had stolen "private and personal confidential data, clients documents, budget, payroll, accounting, contracts, taxes, IDs, finance information," among other things, from the infiltrated systems of Microchip Technology. 

Since then, the ransomware group has disclosed some of the allegedly stolen material and threatens to release the remaining portion if the company does not respond to the leak.

Notable Play ransomware victims include cloud computing firm Rackspace, car merchant Arnold Clark, the Belgian city of Antwerp, the City of Oakland in California, and, most recently, Dallas County.

Ransomware Group Brain Cipher Targets French Museums During Olympics

 

The ransomware group Brain Cipher has claimed responsibility for a cyberattack on several French National Museums that took place during the Olympic Games earlier this month. The attack, which targeted institutions managed by the Réunion des Musées Nationaux – Grand Palais (RMN-GP), allegedly compromised 300 GB of data from a system used to centralize financial information. 

Despite the group’s threat to leak the stolen data, they have not yet revealed the nature of the information. The French Cybersecurity Agency (ANSSI) confirmed it was alerted to the attacks and promptly provided assistance to RMN-GP. ANSSI assured the public that the incident did not affect any systems related to the Olympic Games. Events like taekwondo and fencing, hosted by the RMN-GP, continued without disruption. RMN-GP also confirmed that there were no operational impacts, encrypted systems, or extracted data detected in connection with the attack. 

Nevertheless, the situation remains closely monitored as the countdown to the data leak continues on Brain Cipher’s blog, set to occur at 20:00 UTC. Brain Cipher is a relatively new ransomware group that first emerged in June 2023. Since then, the group has been linked to various cyberattacks targeting different sectors, including medical, educational, and manufacturing organizations, along with Indonesian government servers. Despite their activities, the group has attempted to maintain a controversial public image. 

In one case, they apologized for a cyberattack on Indonesian government servers, claiming they were acting as penetration testers rather than criminals. They even released a decryptor to restore the locked files without being pressured by the government, presenting themselves as ethical hackers or white-hat operators, although their actions and motives remain dubious. The data allegedly stolen from RMN-GP is believed to involve sensitive financial information, but no further details have been disclosed by Brain Cipher. 

The threat of releasing such a large volume of data has sparked concerns over potential exposure of confidential details, which could affect both the organization and the individuals associated with it. As the clock ticks down to the group’s proposed leak, questions are raised about the nature of the stolen data and the potential fallout from its exposure. Cyberattacks like this highlight the growing threat posed by ransomware groups to both public and private institutions worldwide. 

The incident also underscores the importance of robust cybersecurity measures, particularly during high-profile events such as the Olympic Games. Although there has been no impact on the Olympic-related systems, the attack serves as a reminder of the constant vigilance required to protect critical infrastructure and data.

Timeline of the Ransomware Attack on Change Healthcare: How It Unfolded

 

Earlier this year, a ransomware attack targeted Change Healthcare, a health tech company owned by UnitedHealth, marking one of the most significant breaches of U.S. health and medical data in history.

Months after the breach occurred in February, a large number of Americans are receiving notification letters stating that their personal and health information was compromised during the cyberattack on Change Healthcare.

Change Healthcare plays a critical role in processing billing and insurance for hundreds of thousands of hospitals, pharmacies, and medical practices across the U.S. healthcare sector. Consequently, the company stores an extensive amount of sensitive medical data on patients in the United States. Through a series of mergers and acquisitions, Change Healthcare has grown into one of the largest processors of U.S. health data, handling between one-third and one-half of all U.S. health transactions.

Key Events Following the Ransomware Attack:

  • February 21, 2024: The first signs of trouble emerged when outages began affecting doctors' offices and healthcare practices, disrupting billing systems and insurance claims processing. Change Healthcare’s status page was inundated with outage notifications impacting all aspects of its business. The company later confirmed a "network interruption related to a cybersecurity issue," indicating a serious problem. In response, Change Healthcare activated its security protocols, shutting down its entire network to contain the intruders. This led to widespread disruptions across the U.S. healthcare sector. It was later revealed that the hackers had initially infiltrated the company’s systems on or around February 12.
  • February 29, 2024: UnitedHealth disclosed that the cyberattack was carried out by a ransomware gang, rather than state-sponsored hackers as initially suspected. The ransomware group, identified as ALPHV/BlackCat, claimed responsibility for the attack, boasting that they had stolen sensitive health information from millions of Americans. ALPHV/BlackCat is a Russian-speaking ransomware-as-a-service gang, whose affiliates break into victim networks and deploy malware developed by the gang's leaders. These affiliates then share the profits from the ransoms paid by victims to regain access to their data.
  • March 3-5, 2024: In early March, the ALPHV ransomware gang disappeared after collecting a $22 million ransom from UnitedHealth. The gang’s dark web site, which had claimed responsibility for the attack, was replaced with a notice suggesting that U.K. and U.S. law enforcement had taken it down, although both the FBI and U.K. authorities denied this. Signs pointed to ALPHV fleeing with the ransom in what appeared to be an "exit scam." The affiliate who executed the hack claimed that the ALPHV leadership had stolen the ransom and provided proof of a bitcoin transaction as evidence. Despite the ransom payment, the stolen data remained in the possession of the hackers.
  • March 13, 2024: Weeks into the cyberattack, the healthcare sector continued to experience outages, causing significant disruption. Military health insurance provider TriCare reported that all military pharmacies worldwide were affected. The American Medical Association expressed concern over the lack of information from UnitedHealth and Change Healthcare regarding the ongoing issues. By March 13, Change Healthcare had secured a "safe" copy of the stolen data, enabling the company to begin identifying the individuals affected by the breach.
  • March 28, 2024: The U.S. government increased its reward to $10 million for information leading to the capture of ALPHV/BlackCat leaders. The move was seen as an attempt to encourage insiders within the gang to turn on their leaders, as well as a response to the threat of having a significant portion of Americans' health information potentially published online.
  • April 15, 2024: In mid-April, the affiliate responsible for the hack formed a new extortion group called RansomHub and demanded a second ransom from UnitedHealth. The group published a portion of the stolen health data to prove their threat. Ransomware gangs often use "double extortion," where they both encrypt and steal data, threatening to publish the data if the ransom is not paid. The situation raised concerns that UnitedHealth could face further extortion attempts.
  • April 22, 2024: UnitedHealth confirmed that the data breach affected a "substantial proportion of people in America," though the company did not specify the exact number of individuals impacted. UnitedHealth also acknowledged paying a ransom for the data but did not disclose the total number of ransoms paid. The stolen data included highly sensitive information such as medical records, health information, diagnoses, medications, test results, imaging, care plans, and other personal details. Given that Change Healthcare processes data for about one-third of Americans, the breach is likely to have affected over 100 million people.
  • May 1, 2024: UnitedHealth Group CEO Andrew Witty testified before lawmakers, revealing that the hackers gained access to Change Healthcare’s systems through a single user account that was not protected by multi-factor authentication, a basic security measure. The breach, which may have impacted one-third of Americans, was described as entirely preventable.
  • June 20, 2024: On June 20, Change Healthcare began notifying affected hospitals and medical providers about the data that was stolen, as required by HIPAA. The sheer size of the stolen dataset likely contributed to the delay in notifications. Change Healthcare also disclosed the breach on its website, noting that it may not have sufficient contact information for all affected individuals. The U.S. Department of Health and Human Services intervened, allowing affected healthcare providers to request UnitedHealth to notify affected patients on their behalf.
  • July 29, 2024: By late July, Change Healthcare had started sending letters to individuals whose healthcare data was compromised in the ransomware attack. These letters, sent by Change Healthcare or the specific healthcare provider affected by the breach, detailed the types of data that were stolen, including medical and health insurance information, as well as claims and payment details, which may include financial and banking information.

Here's What Businesses Can Learn From a $2 Million Ransomware Attack SEC Settlement

Business leaders and security teams can learn a lot from the recent $2.1 million settlement reached between the Securities and Exchange Commission and R.R. Donnelly & Sons Co. regarding a ransomware attack. The settlement brought RRD's negligence to light and emphasises how crucial it is for publicly listed firms to have robust security policies and procedures in place. 

Here are key takeaways that private and public organisations can use to improve their cybersecurity posture and comply with SEC standards. 

RRD ransomware attack overview 

RRD is a publicly listed international provider of marketing and corporate communication services. The organisation used a third-party managed security services provider (MSSP) to safeguard and monitor its infrastructure. In late November 2021, RRD's intrusion prevention systems identified anomalous behaviour and sent notifications to both RRD and its MSSP. After assessing these signals, the MSSP escalated three issues to RRD's security personnel. 

  • Similar behaviours were observed on multiple computers throughout the RRD network, indicating that a threat actor was either making lateral movements or had compromised multiple endpoints.
  • Activities had some connection to a larger phishing campaign. 
  • It was revealed by open-source intelligence that the malware could allow arbitrary code to be executed remotely. 

Unfortunately, RRD decided not to remove the compromised devices from the network and did not carry out its own investigation to prevent further compromise until nearly a month later. Between November and December, the MSSP identified at least 20 more security alerts connected to the same incident, including malware execution on the domain controller, but failed to escalate them to RRD. 

The attacker then installed encryption software on RRD machines and stole 70 gigabytes of data, including financial and personal data from 29 of RRD's 22,000 clients. RRD eventually launched its ransomware response actions on December 23, 2021, and filed their 8-K on December 27, 2021. 

Overview of SEC's findings and judgement 

The SEC's filing cites deficiencies at RRD in the following areas: 

  • RRD's policies and controls were not designed to ensure that all relevant information about security alerts and incidents was reported to RRD's disclosure decision makers on a timely basis. 
  • RRD failed to offer guidance to its internal and external personnel on reporting security incidents and responding to them.
  • Even though RRD received alerts and escalations from its systems and service provider about three weeks before the encryption, it failed to analyse them and take appropriate investigative and remedial action. 

Based on these findings, the SEC found that RRD violated the disclosure controls and procedures requirements of Exchange Act Rule 13a-15(a) and the internal accounting controls provisions of Exchange Act Section 13(b)(2)(B). The SEC imposed a $2.125 million penalty on RRD. 

Key takeaways for security teams

The RRD verdict highlights the SEC's tightening grasp on cybersecurity controls and laws. Here are some significant takeaways for security teams in publicly listed companies: 

Ensure close oversight of service providers: In your contracts and meetings with MSSPs, be clear about security requirements and adherence to security processes. Streamline the process for escalating notifications. All such contracts, protocols, and processes must be reviewed annually or on a regular basis to ensure that there are no gaps. 

Implement effective disclosure processes: RRD was fortunate that the new SEC disclosure rules were not yet in effect when this incident occurred. Had they been, the company might have faced far more severe fines. The present disclosure requirements compel organisations to file a disclosure (Form 8-K) within four days of determining that an incident is material. It is therefore vital that organisations adopt rigorous disclosure procedures. 

Train your staff: There is a direct correlation between phishing and ransomware. Phishing emails often succeed because busy users are distracted by multiple tasks and communication channels, making them less vigilant in spotting phishing attempts. The Conti ransomware group, suspected of being responsible for the RRD attack, is known to use standard phishing tactics as an entry point. 

Successful phishing is largely the result of poor security awareness and judgement among users. Organisations that run phishing simulation exercises and use gamification can significantly reduce successful phishing attacks. Employees should also receive training on security escalation and incident response procedures.

The settlement between the SEC and RRD is a big wake-up call for organisations that have failed to prioritise cybersecurity enforcement and regulatory compliance. It is critical for organisations to actively supervise security providers, periodically train personnel on security awareness practices, update escalation and incident management policies, and prioritise security alerts and notifications. By implementing these key best practices, businesses can assure compliance with the most recent SEC standards while also improving their overall security posture.

Ransomware Attack on the Washington Times Leads to a Dark Web Data Auction

The Rhysida cartel promoted an online auction of what it described as the Washington Times' unique data, with a countdown clock showing that the auction would begin seven days from the date of the notice. Separately, an unidentified criminal group has been observed deploying a new utility designed to terminate endpoint detection and response (EDR) tools, apparently as part of an attempt to attack an organization with RansomHub ransomware. 

This news raised concern among many security professionals because RansomHub has been used in many prominent hacks, including those against Change Healthcare, Frontier Communications, and Christie's auction house. The hacker group that attacked Columbus last week dumped over three terabytes of stolen data, including files belonging to employees, on the dark web early Thursday morning after its efforts to auction off the data failed to attract or satisfy buyers.

A few hours after the lengthy dark web auction ended, the Rhysida ransomware group began leaking the data, which had disappeared from its leak site, according to Ohio State assistant professor Carter Yagemann, CMIT Solutions' Daniel Maldet, and other cybersecurity experts who have observed the onion site. Although the hackers claimed to hold 6.5 terabytes of data, only a portion of it has been uploaded so far, including backed-up databases belonging to dozens of city employees and SQL backup files of entire databases containing personal information. 

Because the files are so large, it is difficult to determine exactly what they contain. NBC4 found, however, that Rhysida's leak included not only a list of employees' names from a company database but also a list of contractors and former employees who left in 2021, making it clear that the leak does not cover current employees alone.

The group claiming responsibility for the city ransomware attack is attempting to sell the massive amount of data it allegedly stole, and also claims that several bank accounts were compromised by the thieves. According to the Rhysida gang, which originally broke into the City of Columbus servers to steal sensitive information, it made off with 6.5 terabytes of data. Multiple cybersecurity watchdogs, including Dark Web Intelligence and Ransom Look, reported that Rhysida is offering the data on a site that can only be reached through the specialized Tor browser, which has become synonymous with the dark web. 

The fine details about this treasure trove of compromised data have emerged after Columbus Mayor Andrew Ginther announced some of the city's online services had been shut down due to a ransomware attack that occurred on July 18. It is fair to say that the mayor has given credit to the city's IT department for cutting off access before any data from the city was encrypted by the hackers. However, he added that they are investigating how much of the data was stolen. 

In addition to not naming Rhysida or any other suspected hacking group on Monday, Corbett said the attack had been carried out by an "established and sophisticated threat actor working from overseas." It is stated on the group's website that the price for the data is 5 bitcoins, which are currently worth $295,198.50 at the time of this writing. This group does not specify what the data supposedly consists of in the post, but a screenshot that is attached to the post appears to show many scans of official documents, including an identification card and a Texas driver's license. 

Previously, cybersecurity analyst Dominic Alvier told the Daily Dot that, based on the screenshot, the hackers did not appear to have accessed anything beyond personal information that could be linked to individuals at the organization. The Daily Dot contacted Rhysida for information regarding the alleged breach but has not received a response to the inquiry. It also remains unclear whether there have been any negotiations between the hacking group and the outlet itself. As of Wednesday afternoon, the Washington Times had not made any public statement regarding the alleged cyberattack on its systems. 

Despite attempts to seek clarification, the publication did not respond to an email inquiry from the Daily Dot at the time of their report. The incident drew attention to the Rhysida ransomware group, which has been recognized by U.S. government advisories as a significant cyber threat. Rhysida operates under a subscription-based model known as Ransomware as a Service (RaaS), where it leases its ransomware tools to cybercriminals. This model has facilitated attacks across various sectors, including education, healthcare, manufacturing, information technology, and government, since Rhysida's emergence in May 2023. 

Earlier this month, Rhysida gained widespread attention after successfully hacking a law enforcement agency in a Florida county. The group threatened to expose sensitive data, including scanned driver’s licenses and fingerprints, highlighting the severity of the breach. Cybersecurity experts have noted that while the identities of those behind Rhysida remain unknown, the group's operational patterns are reminiscent of cybercriminals based in Russia, Belarus, and Kazakhstan. 

Rafe Pilling, Director of Threat Research at Secureworks, has emphasized that Rhysida exhibits behaviours common to criminal organizations in these regions. Since its inception, the Rhysida group has claimed responsibility for 114 cyberattacks, a fact evidenced by the list of victims published on its dark web blog. This list underscores the group's approach of targeting "targets of opportunity," as it has infiltrated multiple sectors, including education, healthcare, manufacturing, and local government entities. 

An updated profile by the U.S. Defense Department in November 2023 corroborates these findings. Rhysida's operations are further characterized by their use of double extortion tactics. In this approach, even after victims have paid the initial ransom to receive a decryption key, the group threatens to leak the stolen data unless a second payment is made. This strategy adds another layer of pressure on the victims, exacerbating the impact of the attacks. This year, Rhysida took responsibility for breaches at the British Library, the world’s largest repository of historical knowledge, and the Anne & Robert H. Lurie Children’s Hospital in Chicago. 

These incidents further demonstrate the group’s willingness to target prestigious and vulnerable institutions. The growing list of Rhysida’s victims serves as a stark reminder of the pervasive and escalating nature of ransomware threats in today’s digital landscape. The recent incident involving The Washington Times is yet another example of the significant damage cyberattacks can inflict, particularly when they target well-known organizations. 

The audacity of Rhysida’s operations underscores the critical need for organizations to prioritize robust cyber defence mechanisms. Protecting sensitive data has become increasingly important as cyber threats continue to evolve and grow more sophisticated. Security analysts consistently recommend the adoption of strong data protection policies to effectively combat ransomware. As The Washington Times and other organizations navigate these complex threats, they must remain acutely aware of the high stakes involved, not only in their operations but also in their readership and the broader media environment. 

In summary, the ongoing activities of the Rhysida group illustrate the serious challenges posed by ransomware in the current cybersecurity climate. Each incident involving Rhysida offers invaluable lessons for organizations striving to develop effective strategies to counter and prevent future attacks.

Rhysida Ransomware Takes Responsibility for Bayhealth Hospital Breach

The Rhysida Ransomware outfit claims to have infiltrated Bayhealth Hospital in Delaware and is offering the allegedly stolen data for 25 BTC. Bayhealth Hospital is a technologically equipped not-for-profit healthcare facility with around 4,000 employees and a medical team of over 450 physicians and 200 advanced practice clinicians. 

Bayhealth Medical Centre, which covers central and southern Delaware, runs two hospitals, Bayhealth Hospital, Kent Campus in Dover and Bayhealth Hospital, Sussex Campus in Milford, as well as the Bayhealth Emergency Centre in Smyrna. The facility has 316 beds and offers inpatient services such as labour, cardiology, and cancer care.

It also offers outpatient care, support services, community outreach, and imaging. Both the Kent and Sussex campuses include 24-hour emergency departments with Level III trauma centres, as does the Smyrna centre. The Rhysida Ransomware organisation claims to have infiltrated Bayhealth Hospital and added it to the list of victims on their Tor leak website. The group claims to have stolen data from the hospital and is asking for 25 BTC to stop the leak. The hacking outfit released screenshots of stolen passports and ID cards as evidence of the hack. 

“With just 7 days on the clock, seize the opportunity to bid on exclusive, unique, and impressive data. Open your wallets and be ready to buy exclusive data. We sell only to one hand, no reselling, you will be the only owner!” announced the ransomware gang. 

This is not the first time that the Rhysida ransomware outfit has targeted a hospital. In December 2023, the group claimed to have hacked Abdali Hospital, a multi-specialty hospital in Jordan. At the end of November, the ransomware organisation claimed to have hacked the King Edward VII Hospital in London. The organisation also claimed to have hacked the British Library and the China Energy Engineering Corporation. 

The ransomware group has been active since May 2023. According to the gang's Tor leak site, the operation has affected at least 62 companies. The ransomware group targeted organisations across several industries, including education, healthcare, manufacturing, information technology, and government. The victims of the gang are considered "targets of opportunity.”

Massive Data Breach in Columbus Over 3TB Files Leaked by Rhysida Ransomware Group

Columbus is grappling with the fallout from a significant data breach, as the Rhysida ransomware group has begun leaking over three terabytes of stolen data on the dark web. The breach, which targeted the city's employees, comes after two failed auctions by the hackers to sell the data. 

The leak, which started early Thursday morning, includes a substantial portion of the 6.5 terabytes of data that Rhysida claims to have stolen. Among the leaked files are personal data from city employees’ computers and SQL backup files containing entire databases. 

Cybersecurity experts, including Ohio State Assistant Professor Carter Yagemann and CMIT Solutions' Daniel Maldet, have confirmed the data's release. While the complete extent of the breach remains unclear, NBC4 has verified that the leaked data contains files related to current city employees, as well as at least one contractor and a former staff member who left in 2021. 

The hackers initially demanded 30 bitcoin (approximately USD 1.7 million) as the starting bid for the auction, but this failed to attract buyers. However, cybersecurity expert Shawn Waldman has warned that the situation is dire, especially as the city has only just begun rolling out credit monitoring for affected individuals. 

"The fact that some of the personally identifiable information is already out and available means the damage could be irreversible," Waldman said. 

He also suggested that the data not yet released may have been sold privately, although this cannot be confirmed. Columbus Mayor Andrew Ginther acknowledged the breach in a statement, though he downplayed the severity of the leaked data, noting that the failure to sell the data could indicate it lacks value. 

However, Waldman and other experts caution that the situation is far from resolved. "If the city doesn’t continue negotiations, we could see the entire data set leaked in the near future," Waldman said. Right now, the city is working with the FBI and the Department of Homeland Security to look into the data breach that was first noticed on July 18. 

Even though the city's IT team stopped the hackers from locking down the city's systems, they still managed to steal a lot of important information. This has put Columbus officials and residents on high alert as the investigation continues.

Researcher Saves Six Companies from Ransomware by Exploiting Security Flaws in Ransomware Gangs’ Infrastructure

A security researcher has revealed that six companies were saved from potentially paying significant ransom demands due to security flaws found in the web infrastructure of the ransomware gangs targeting them. In a rare win for the victim organizations, two companies received decryption keys that allowed them to restore their data without paying a ransom, while four hacked cryptocurrency companies were alerted before the ransomware gang could begin encrypting their files.  

Stykas, a security researcher and chief technology officer at Atropos.ai, conducted a research project aimed at identifying the command and control servers behind more than 100 ransomware and extortion-focused groups and their data leak sites. His goal was to find vulnerabilities that could expose information about these gangs, including details about their victims. Stykas disclosed his findings to TechCrunch ahead of his presentation at the Black Hat security conference in Las Vegas. He identified several rookie security flaws in the web dashboards used by at least three ransomware gangs, which were sufficient to compromise the inner workings of their operations. 

Ransomware gangs typically conceal their identities and activities on the dark web, an anonymous section of the internet accessible through the Tor browser. This anonymity makes it difficult to trace the real-world servers used for cyberattacks and the storage of stolen data. However, coding errors and security vulnerabilities in the leak sites used by these gangs to extort victims by publishing stolen files allowed Stykas to access information about their operations without needing to log in. In some cases, the bugs exposed the IP addresses of the leak site’s servers, providing a way to trace their real-world locations. For instance, Stykas discovered that the Everest ransomware gang was using a default password to access its back-end SQL databases, exposing its file directories. 

Additionally, exposed API endpoints revealed the targets of the BlackCat ransomware gang’s attacks while they were still in progress. Stykas also identified an insecure direct object reference (IDOR) vulnerability, which he used to access and cycle through the chat messages of a Mallox ransomware administrator. Through this, he discovered two decryption keys that he shared with the affected companies. The researcher informed TechCrunch that the victims included two small businesses and four cryptocurrency companies, two of which were unicorns—startups with valuations exceeding $1 billion. However, he declined to name the companies involved. He also noted that none of the companies he notified have publicly disclosed the security incidents, though he did not rule out revealing their names in the future. 

The FBI and other government authorities have long advised victims of ransomware not to pay ransoms, as doing so only incentivizes cybercriminals. However, this advice often leaves companies with few options to regain access to their data or resume operations. Law enforcement agencies have occasionally succeeded in compromising ransomware gangs to obtain decryption keys and cut off their illegal revenue streams, though these efforts have had mixed results. 

Stykas’ research underscores that ransomware gangs can be vulnerable to the same basic security flaws that affect large companies. This presents a potential opportunity for law enforcement to target these criminal hackers, even when they operate outside of traditional jurisdictional reach.

New Ransomware Threat: Hunters International Deploys SharpRhino RAT

In a troubling development for cybersecurity professionals, the Hunters International ransomware group has introduced a sophisticated new remote access trojan (RAT) called SharpRhino. This C#-based malware is specifically designed to target IT workers and breach corporate networks through a multi-stage attack process. The malware’s primary functions include achieving initial infection, elevating privileges on compromised systems, executing PowerShell commands, and ultimately deploying a ransomware payload. 

Recent findings from Quorum Cyber researchers reveal that SharpRhino is distributed via a malicious site masquerading as Angry IP Scanner, a legitimate networking tool widely used by IT professionals. The deceptive website uses typosquatting techniques to lure unsuspecting users into downloading the malware. This approach highlights a new tactic by Hunters International, aiming to exploit the trust IT workers place in well-known tools. The SharpRhino RAT operates through a digitally signed 32-bit installer named ‘ipscan-3.9.1-setup.exe.’ 

This installer contains a self-extracting, password-protected 7z archive filled with additional files necessary for the malware’s execution. Upon installation, SharpRhino modifies the Windows registry to ensure persistence on the compromised system and creates a shortcut to Microsoft.AnyKey.exe, which is normally a Microsoft Visual Studio binary but is abused here for malicious purposes. Additionally, the installer drops a file named ‘LogUpdate.bat,’ which executes PowerShell scripts to run the malware stealthily. To facilitate command and control (C2) operations, SharpRhino creates two directories: ‘C:\ProgramData\Microsoft: WindowsUpdater24’ and ‘LogUpdateWindows.’ 

These directories are used to manage communication between the malware and its operators. SharpRhino also includes hardcoded commands such as ‘delay’ to set the timer for the next POST request and ‘exit’ to terminate communication. This enables the malware to execute various dangerous actions, including launching PowerShell commands. For instance, Quorum Cyber researchers demonstrated the malware’s capability by launching the Windows calculator. Hunters International, which began operations in late 2023, has been associated with several high-profile ransomware attacks. Notable victims include U.S. Navy contractor Austal USA, Japanese optics giant Hoya, Integris Health, and the Fred Hutch Cancer Center. 

In 2024 alone, the group has claimed responsibility for 134 ransomware attacks, ranking it among the top ten most active ransomware operators globally. The deployment of SharpRhino through a fake website underscores Hunters International’s strategic focus on IT professionals, leveraging their reliance on familiar software to infiltrate corporate networks. To protect against such threats, users should exercise caution with search results and sponsored links, use ad blockers, and verify the authenticity of download sources. Implementing robust backup plans, network segmentation, and keeping software up-to-date are essential measures to mitigate the risk of ransomware attacks.
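As an added, defensive example (not code from Quorum Cyber or from this post), the following PowerShell hunt checks a Windows host for the SharpRhino artefacts named above: the installer and batch file names, the two working directory names, Run-key persistence and shortcuts pointing at Microsoft.AnyKey.exe. The function name, the folders searched and the search depth are this example's own assumptions; the write-up gives no parent path for 'LogUpdateWindows' and prints the other directory with a colon, which NTFS does not allow in a name, so the hunt matches on the distinctive name tokens instead.

```powershell
# Added example: read-only hunt for SharpRhino host artefacts described in the
# Quorum Cyber write-up. It reports findings and changes nothing on the host.
# Function name, search roots and depth are this example's own choices.
function Find-SharpRhinoArtifacts {
    [CmdletBinding()]
    param(
        [int]$SearchDepth = 2   # how deep below each search root to descend
    )

    $findings = New-Object System.Collections.Generic.List[object]
    $add = {
        param($Kind, $Location, $Detail)
        $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
    }
    $programData = $env:ProgramData

    # 1. C2 working directories. The write-up prints 'C:\ProgramData\Microsoft: WindowsUpdater24'
    #    (the colon is not a valid NTFS name character) and the bare name 'LogUpdateWindows',
    #    so match on the distinctive tokens rather than the literal printed path.
    Get-ChildItem -Path $programData -Directory -Recurse -Depth $SearchDepth -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*WindowsUpdater24*' -or $_.Name -eq 'LogUpdateWindows' } |
        ForEach-Object { & $add 'Directory' $_.FullName 'C2 working directory name from the write-up' }

    # 2. Dropped files: the fake Angry IP Scanner installer and the PowerShell launcher batch file.
    $fileNames   = @('ipscan-3.9.1-setup.exe', 'LogUpdate.bat')
    $searchRoots = @($programData, $env:TEMP, "$env:USERPROFILE\Downloads")   # assumed locations
    foreach ($root in $searchRoots) {
        Get-ChildItem -Path $root -File -Recurse -Depth $SearchDepth -Force -ErrorAction SilentlyContinue |
            Where-Object { $fileNames -contains $_.Name } |
            ForEach-Object { & $add 'File' $_.FullName 'Dropped file name from the write-up' }
    }

    # 3. Registry Run keys: persistence values referencing the batch file, the abused
    #    AnyKey binary or either working directory.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive metadata
            if ("$($p.Value)" -match 'LogUpdate\.bat|Microsoft\.AnyKey\.exe|LogUpdateWindows|WindowsUpdater24') {
                & $add 'RegistryRun' "$key\$($p.Name)" $p.Value
            }
        }
    }

    # 4. Shortcuts whose target is Microsoft.AnyKey.exe (a Visual Studio binary abused for execution).
    $shell = New-Object -ComObject WScript.Shell
    $lnkRoots = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$programData\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:USERPROFILE\Desktop"
    )
    foreach ($root in $lnkRoots) {
        Get-ChildItem -Path $root -Filter *.lnk -File -ErrorAction SilentlyContinue | ForEach-Object {
            try {
                $target = $shell.CreateShortcut($_.FullName).TargetPath
                if ($target -match 'Microsoft\.AnyKey\.exe') {
                    & $add 'Shortcut' $_.FullName $target
                }
            } catch { }   # unreadable shortcut: skip it rather than abort the hunt
        }
    }

    return $findings
}

# Usage: run once as the interactive user (HKCU, profile folders) and once elevated
# (HKLM, ProgramData). Any hit warrants isolating the host and collecting the files.
$hits = Find-SharpRhinoArtifacts
if ($hits.Count -eq 0) {
    Write-Host 'No SharpRhino artefacts found.'
} else {
    $hits | Format-Table -AutoSize
}
```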

C-Edge Technologies: An In-Depth Look at the Indian Fintech Leader Impacted by a Major Cyberattack

C-Edge Technologies, a prominent IT solutions provider for India's banking and financial sector, has recently faced significant challenges following a major ransomware attack. This incident has severely impacted its systems, leading to disruptions in payment services for nearly 300 small banks across the country.

Established in 2010, C-Edge is a joint venture between State Bank of India (SBI), the nation’s largest public sector bank, and TCS, a global leader in IT services. The company was created to serve the specific technological needs of Indian banks, particularly those in the cooperative and regional sectors.

Over the years, C-Edge has become a key player in the Indian fintech industry, offering a wide range of products and services, including:

  • Core Banking Solutions: Their core banking platform, Finacle, is widely adopted by banks across India, supporting essential banking functions such as account management, transactions, and customer service.
  • Payment Solutions: C-Edge provides various payment gateway services, mobile banking solutions, and ATM management systems, facilitating smooth digital transactions for millions of users.
  • Cybersecurity Services: The company offers a comprehensive suite of cybersecurity solutions, including threat detection, vulnerability assessment, and incident response, aimed at protecting banks from cyber threats. This area has come under intense scrutiny following the recent attack.
  • Data Analytics and AI: Utilizing data analytics and AI, C-Edge delivers insights and solutions in areas such as risk management, fraud detection, and customer relationship management.

Commitment to Financial Inclusion

C-Edge has significantly contributed to advancing financial inclusion in India. By offering affordable and accessible technology solutions, the company has empowered smaller banks and financial institutions to reach a broader customer base, particularly in rural and semi-urban regions. Their solutions have enabled these institutions to:

  • Offer Modern Banking Services: Providing access to online banking, mobile banking, and ATM services, even in remote locations.
  • Expand Their Reach: Helping banks extend their customer base and promote financial literacy among underserved populations.
  • Reduce Operational Costs: Streamlining processes and enhancing efficiency through digital solutions.

Future Focus Areas

  • Enhanced Cybersecurity: Addressing the vulnerabilities exposed by the ransomware attack and improving cybersecurity measures.
  • Cloud-Based Solutions: Facilitating the transition of smaller banks to cloud-based platforms for greater scalability and flexibility.

C-Edge’s ability to navigate these challenges and reinforce its cybersecurity will be critical in maintaining its position in the fintech landscape and continuing its mission to drive financial inclusion across India.

New Jersey City University Targeted by Ransomware Outfit Demanding $700K

A ransomware outfit launched an assault on New Jersey City University's computer network, threatening to reveal sensitive private details of students and staff unless $700,000 in Bitcoin is paid by Saturday. The institution notified staff and students of the June 4-10 data breach on Friday, some seven weeks after the incident that resulted in the loss of social security numbers, driver's licence numbers, financial account information, and credit card details. 

The estimated number of potential victims had not been determined as of Monday afternoon, although the 100-year-old university enrols about 6,000 undergraduate and graduate students annually in addition to a small number of teachers and staff members. When asked how quickly they had found out about the data breach, school officials had no response. 

“In June 2024, our computer network was accessed without permission by an unknown actor,” the university stated in a post under its webpage’s data events. “In response, we immediately notified law enforcement authorities, took steps to secure our computer network, and conducted a thorough assessment of the matter to determine what happened and how it may affect information that was stored on the network.” 

A university spokesperson and a representative for the state Department of Homeland Security did not reply to requests for comment. Hack Manac, a cybersecurity business that monitors various cyber security risks across the country, stated the Rhysida Ransomware Group is responsible for the hack and is seeking 10 Bitcoins, or around $700,000, by August 3. 

SentinelOne, another cybersecurity company, stated that Rhysida believes it is doing "victims a favour" by raising security concerns. The institution, which did not name the hacker, stated that the "unknown actor" copied "certain files" between June 4 and June 10. 

The school will notify potentially affected individuals by email, and anyone who believes they may be affected can contact the institution. It will offer free identity monitoring to those potentially affected, and it emphasised that being contacted does not mean a person has been a victim of identity theft.

North Korean Hacker Indicted for Cyber Attacks on U.S. Hospitals, NASA, and Military Bases


Federal prosecutors announced the indictment of Rim Jong Hyok, a North Korean military intelligence operative, for his role in a conspiracy to hack American healthcare providers, NASA, U.S. military bases and other entities around the world.

The indictment, unveiled on July 25, 2024, in Kansas City, Kansas, details Rim's involvement in stealing sensitive information and deploying ransomware to fund further cyberattacks. Rim is accused of laundering ransom proceeds through a Chinese bank and using them to acquire computer servers and finance additional intrusions targeting defense, technology and government entities globally. The indictment ties him to the Andariel Unit of North Korea's Reconnaissance General Bureau, the state-sponsored group behind these activities.

The ransomware attacks on American hospitals and healthcare providers disrupted patient care, underscoring the direct impact of such crimes on public health. Prosecutors allege that Rim targeted 17 entities across 11 U.S. states, including NASA and U.S. military bases. Defense and energy companies in China, Taiwan and South Korea were also among the victims. Over three months, Rim and his team infiltrated NASA's computer systems and extracted more than 17 gigabytes of unclassified data. They also accessed systems belonging to defense companies in Michigan and California and breached networks at Randolph Air Force Base in Texas and Robins Air Force Base in Georgia.

The malware used by the Andariel Unit enabled them to transmit stolen information to North Korean military intelligence, aiding the country’s military and nuclear ambitions. The stolen data included details of fighter aircraft, missile defense systems, satellite communications, and radar systems, according to a senior FBI official. Stephen A. Cyrus, an FBI agent based in Kansas City, emphasized that North Korea uses cybercrimes to circumvent international sanctions and fund its political and military goals. The impact of these attacks is felt directly by citizens, as evidenced by the disruption of hospital operations in Kansas and other states. 

A reward of up to $10 million has been offered for information leading to his capture or that of other foreign operatives targeting U.S. infrastructure. The Justice Department has a history of prosecuting North Korean hackers. In 2021, three North Korean programmers were charged with a range of cybercrimes, including an attack on an American movie studio and the attempted theft and extortion of over $1.3 billion from banks and companies worldwide. The FBI’s involvement in this case began when a Kansas medical center reported a ransomware attack in May 2021. 

The attackers had encrypted the hospital's files and servers, blocking access to patient records and critical equipment. A ransom note demanded payment in Bitcoin and threatened to leak the files online if the demands were not met. Investigators traced the Bitcoin payments to two Hong Kong residents, who converted the funds to Chinese currency and transferred them to a Chinese bank; the money was then withdrawn from an ATM near the Sino-Korean Friendship Bridge.

In 2022, the Justice Department announced the seizure of approximately $500,000 in ransom payments, including the entire ransom paid by the Kansas hospital. While Rim's arrest is unlikely, the indictment may lead to sanctions that hinder North Korea's ability to collect ransoms, reducing the incentive for future attacks on critical infrastructure.

Cybersecurity analyst Allan Liska from Recorded Future notes that although sanctions may not stop North Korea’s cyber activities entirely, they could deter attacks on hospitals by making ransom payments more difficult to collect. This incident also raises questions about China’s stance on being targeted by its ally, North Korea.

LA County Superior Court Hit by Ransomware Attack

Early on July 19 the Superior Court of Los Angeles County was hit by a ransomware attack that forced it to take its network systems offline to contain the damage. Court officials said the network will remain down until at least Monday, giving IT staff time to investigate and remediate the incident.

Based on a preliminary investigation, officials say there is currently no evidence that the personal data of court users was compromised. Taking the network offline was intended to stop the ransomware spreading further and to protect that data; as with any early assessment, the finding may be revised as the investigation proceeds.

Support from Multiple Agencies

To aid the investigation and limit the impact of the attack, the California Governor's Office of Emergency Services, together with local, state and federal law enforcement agencies, has provided resources and support. The scale of the response reflects the severity of the incident and the importance of a swift, coordinated effort to restore services and contain any further damage.

Cybersecurity Investments

In recent years, the LA County Superior Court has invested significantly in its cybersecurity infrastructure. Despite those efforts, the attack shows that even well-prepared institutions remain exposed, and that defences have to be maintained and adapted as threats change.

Global Context

The attack on the LA County Superior Court coincided with the global IT outage caused by a faulty CrowdStrike software update on the same day. Court officials have clarified, however, that the two events are not believed to be connected. Keeping the incidents distinct avoids misinformation and keeps the response focused on the ransomware attack itself.

The ransomware attack on the Superior Court of Los Angeles County is a reminder that even well-defended systems remain vulnerable. The court's rapid response and the current lack of evidence of data compromise are positive signs, but the incident underscores the need for continuous vigilance and improvement in cybersecurity practice. As the investigation unfolds, support from the participating agencies will be crucial in restoring the court's systems and preventing a recurrence. For other institutions, it is a prompt to review their own preparedness and keep pace with evolving threats.