Showing posts with label Russian Hacker.

Ransomware Attackers Launch New Cyberattacks Against NHS Hospitals

Ransomware hackers have disrupted emergency services, compromised several hospitals, and exposed private patient data in an ongoing cyberattack targeting National Health Service (NHS) trusts across the United Kingdom. The attacks, which have raised serious concerns about cybersecurity in critical infrastructure, highlight vulnerabilities in the healthcare sector.

Alder Hey Children's Hospital Targeted

After claiming responsibility for an earlier attack on NHS Scotland, the ransomware gang Inc Ransom, known for its alleged ties to Russia, now claims to have infiltrated the Alder Hey Children's Hospital Trust, one of Europe’s largest children’s hospitals. In a post on its dark web leak site, the gang claimed to have stolen donor reports, procurement data, and patient records spanning from 2018 to 2024.

The stolen records reportedly include sensitive health information and personally identifiable data such as patient addresses and dates of birth. Samples of the data have allegedly been shared to substantiate the breach, increasing concerns over the privacy of vulnerable patients.

Hospital Statement and Scope of the Breach

Alder Hey acknowledged the cybersecurity incident on November 28, confirming that hackers had infiltrated a "digital gateway service" used by multiple hospitals. This breach affected Alder Hey Children’s Hospital, Liverpool Heart and Chest Hospital, and Royal Liverpool University Hospital. The hospital issued a statement, noting:

"The attacker has claimed to have extracted data from impacted systems. We are continuing to take this issue very seriously while investigations continue into whether the attacker has obtained confidential data."

While Alder Hey gave assurances that hospital services remain operational, it cautioned that the perpetrators might publish the stolen data before the investigation concludes. This underscores the need for immediate cybersecurity measures to prevent further fallout.

Wirral University Teaching Hospital Also Attacked

Just miles from Alder Hey, the Wirral University Teaching Hospital faced a separate ransomware attack, prompting it to declare a "major incident" after shutting down its systems. The network, which oversees Arrowe Park Hospital, Clatterbridge Hospital, and Wirral Women and Children’s Hospital, is working to restore clinical systems while acknowledging that some services remain disrupted.

In a statement issued on Wednesday, the Wirral Hospital Trust said:

"Emergency treatment is being prioritized but there are still likely to be longer than usual waiting times in our Emergency Department and assessment areas. We urge all members of the public to attend the Emergency Department only for genuine emergencies."

Broader Implications of Healthcare Cyberattacks

The incidents affecting Alder Hey and Wirral University Teaching Hospital highlight the broader risks of ransomware attacks in healthcare. The potential exposure of private patient data and operational disruptions can have life-threatening consequences, particularly in emergency care settings.

While Alder Hey continues to investigate, it remains unclear whether data extracted from affected systems has been leaked or sold. The situation underscores the urgency for robust cybersecurity frameworks to safeguard critical healthcare infrastructure. Hospitals must adopt advanced threat detection and mitigation strategies to protect sensitive patient data and maintain operational integrity.

Next Steps for Affected Hospitals

In response to the attacks, hospitals are advised to:

  1. Strengthen Cybersecurity Protocols
    Implement robust access controls, monitor for unusual network activity, and update vulnerable systems promptly.
  2. Engage Incident Response Teams
    Collaborate with cybersecurity experts to mitigate damage and secure compromised systems.
  3. Maintain Transparent Communication
    Regularly update patients and stakeholders on the status of investigations and the steps taken to secure their data.
  4. Prioritize Emergency Services
    Ensure minimal disruption to critical services while restoring operational systems.

The Growing Threat of Ransomware in Healthcare

As ransomware attacks on healthcare organizations increase in frequency and sophistication, it is imperative for hospitals to invest in robust cybersecurity measures. Governments and regulatory bodies must also introduce stricter policies and provide support to enhance the resilience of healthcare systems.

The attacks on Alder Hey and Wirral Teaching Hospital serve as a stark reminder of the devastating impact cyber threats can have on healthcare services. Proactive measures and collaborative efforts are essential to prevent similar incidents and protect patient trust in the digital age.

Microsoft Warns of Russian Spear-Phishing Campaign Targeting Multiple Organizations

Microsoft Threat Intelligence has discovered a new attack campaign by Russian hacker group Midnight Blizzard, targeted at thousands of users from over 100 organisations. The attack uses spear-phishing emails that contain RDP configuration files, allowing perpetrators to connect to and potentially compromise the targeted systems. 

The malicious campaign targeted thousands of users from higher education, defence, non-governmental organisations, and government institutions. Dozens of nations have been impacted, mainly in the United Kingdom, Europe, Australia, and Japan, consistent with previous Midnight Blizzard phishing attacks. 

In the most recent Midnight Blizzard assault campaign, victims received meticulously targeted emails including social engineering lures related to Microsoft, Amazon Web Services, and the concept of Zero Trust. 

According to Microsoft Threat Intelligence, the emails were sent from email addresses belonging to legitimate organisations that the threat actor had obtained during earlier breaches. Every email included an RDP configuration file signed with a free Let's Encrypt certificate and containing multiple sensitive parameters. When the user opened the file, an RDP connection was established to an attacker-controlled system.

The threat actor could then use the established RDP connection to acquire information regarding the targeted device, such as files and folders, connected network drives, and peripherals such as printers, microphones, and smart cards. 

It would also allow for the collection of clipboard data, web authentication via Windows Hello, passkeys and security keys, and even point-of-sale devices. Such a link may also enable the threat actor to install malware on the targeted device or mapped network share(s). 

Outbound RDP connections were established to domains constructed to deceive the victim into thinking they were AWS domains. Amazon, which is collaborating with the Ukrainian CERT-UA to combat the threat, immediately began seizing the affected domains in order to stop the operation. Meanwhile, Microsoft alerted all impacted customers who had been targeted or compromised.

Amazon Identifies Internet Domains Exploited by Russian APT29

The leading advanced persistent threat group in Russia has been phishing thousands of targets in businesses, government agencies, and military institutions. 

APT29 (also known as Midnight Blizzard, Nobelium, and Cozy Bear) is one of the world's most prominent threat actors. It is well known for the historic breaches of SolarWinds and the Democratic National Committee (DNC), which were carried out by the Russian Federation's Foreign Intelligence Service (SVR). It has recently breached Microsoft's codebase and political targets in Europe, Africa, and beyond.

"APT29 embodies the 'persistent' part of 'advanced persistent threat,'" notes Satnam Narang, senior staff research engineer at Tenable. "It has persistently targeted organizations in the United States and Europe for years, utilizing various techniques, including spear-phishing and exploitation of vulnerabilities to gain initial access and elevate privileges. Its modus operandi is the collection of foreign intelligence, as well as maintaining persistence in compromised organizations in order to conduct future operations."

In the same vein, the Computer Emergency Response Team of Ukraine (CERT-UA) recently found APT29 phishing Windows credentials from government, military, and commercial sector targets in Ukraine. After comparing notes with authorities in other nations, CERT-UA discovered that the campaign had expanded across "a wide geography."

It is not surprising that APT29 would target sensitive credentials from geopolitically influential and diversified organisations, according to Narang. However, "the one thing that does kind of stray from the path would be its broad targeting, versus [its typical more] narrowly focused attacks."

AWS and Microsoft

Malicious domain names that were intended to appear linked to Amazon Web Services (AWS) were used in the August campaign. The emails sent from these domains purported to give recipients advice on how to set up a zero trust architecture and integrate AWS with Microsoft services. Despite the charade, AWS stated that neither Amazon nor its customers' AWS credentials were the target of the attackers.

The attachments to those emails revealed what APT29 was really looking for: configuration files for Remote Desktop, Microsoft's application for implementing the Remote Desktop Protocol. RDP is a common remote access technique used by regular consumers and hackers. 

"Normally, attackers will try to brute force their way into your system or exploit vulnerabilities, then have RDP configured. In this case, they're basically saying: 'We want to establish that connection [upfront],'" Narang added. 

Launching one of these malicious attachments would have resulted in an immediate outbound RDP connection to an APT29 server. But that wasn't all: the files contained a number of other malicious parameters, such that when a connection was established, the perpetrator gained access to the target computer's storage, clipboard, audio devices, network resources, printers, communication (COM) ports, and more, as well as the ability to execute custom malicious scripts.
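The danger of the RDP files described in this post (and in the Microsoft post above) lives in plain-text settings, so a mail gateway or endpoint control can inspect a .rdp attachment before a user opens it. The following Python script is an added example written for this page, not code from Microsoft, Amazon or the researchers quoted: it parses the `name:type:value` lines of an .rdp file, lists the device-redirection and RemoteApp settings that would hand local storage, clipboard, smart cards, COM ports, microphone and Windows Hello authentication to the remote host, and compares the target against an allowlist of the organisation's own RDP hosts. The allowlist suffix `corp.example`, both sample files and the signature value are constructed for the example.

```python
"""Triage .rdp files: which local resources would they redirect, and to whom?

Added example for this page; the allowlist, sample files and signature value
below are constructed, not taken from any real campaign.
"""
from dataclasses import dataclass, field

# Documented RDP file settings that expose local resources or let the remote
# side choose what runs. Value semantics: 'i' settings are on when non-zero,
# 's' settings (drive/device lists) are on when non-empty.
RISKY_SETTINGS = {
    "drivestoredirect": "local drives (files and folders) shared with the remote host",
    "devicestoredirect": "plug-and-play devices shared with the remote host",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectprinters": "local printers redirected",
    "redirectsmartcards": "smart cards redirected",
    "redirectcomports": "COM ports redirected",
    "redirectwebauthn": "Windows Hello / security-key authentication forwarded",
    "audiocapturemode": "microphone forwarded",
    "remoteapplicationmode": "RemoteApp mode: remote side picks the program shown",
}

# Assumption: the organisation's own RDP hosts live under these DNS suffixes.
INTERNAL_RDP_SUFFIXES = ("corp.example",)


@dataclass
class RdpAssessment:
    target_host: str
    trusted_host: bool
    signed: bool
    risky: list = field(default_factory=list)  # (setting, value, description)

    @property
    def verdict(self) -> str:
        if self.trusted_host:
            return "allow"
        return "block" if self.risky else "review"


def parse_rdp(text: str) -> dict:
    """Parse 'name:type:value' lines; keys are lower-cased, values keep any ':'."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # malformed line: ignore rather than fail the whole file
        key, typ, value = parts
        settings[key.strip().lower()] = (typ.strip().lower(), value.strip())
    return settings


def host_of(address: str) -> str:
    """Strip an optional port from 'host:port' or '[ipv6]:port'."""
    address = address.strip()
    if address.startswith("["):
        return address[1:].split("]", 1)[0].lower()
    return address.split(":", 1)[0].lower()


def is_internal(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in INTERNAL_RDP_SUFFIXES)


def assess_rdp(text: str) -> RdpAssessment:
    settings = parse_rdp(text)
    host = host_of(settings.get("full address", ("s", ""))[1])
    result = RdpAssessment(
        target_host=host,
        trusted_host=is_internal(host),
        # A signature only proves the file was signed by *someone*; it is
        # reported, not trusted, because attackers can sign files too.
        signed="signature" in settings and "signscope" in settings,
    )
    for key, description in RISKY_SETTINGS.items():
        if key not in settings:
            continue
        typ, value = settings[key]
        enabled = value != "0" if typ == "i" else value != ""
        if enabled:
            result.risky.append((key, value, description))
    return result


# Constructed sample: the shape of a lure file as described in the post
# (every redirection on, RemoteApp mode, external host, signed).
CONSTRUCTED_LURE = """\
full address:s:zero-trust-portal.example:3389
remoteapplicationmode:i:1
drivestoredirect:s:*
devicestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectcomports:i:1
redirectwebauthn:i:1
audiocapturemode:i:1
signscope:s:Full Address,Remote Application Mode
signature:s:PLACEHOLDER-NOT-A-REAL-SIGNATURE
"""

# Constructed sample: a typical internal file, clipboard on, no drive sharing.
CONSTRUCTED_INTERNAL = """\
full address:s:ts01.corp.example
redirectclipboard:i:1
redirectprinters:i:0
drivestoredirect:s:
"""

if __name__ == "__main__":
    for name, text in (("lure", CONSTRUCTED_LURE), ("internal", CONSTRUCTED_INTERNAL)):
        a = assess_rdp(text)
        print(f"{name}: host={a.target_host} signed={a.signed} verdict={a.verdict}")
        for key, value, description in a.risky:
            print(f"  {key}={value!r}: {description}")
```

The verdict deliberately keys on the destination rather than on the signature: as the posts note, the lure files were signed with a free certificate, so the presence of `signature`/`signscope` says nothing about who the remote host is. A file pointing outside the allowlist with any redirection enabled is blocked; one pointing outside with no redirection still goes to review, since an outbound RDP session to an unknown host is itself worth a look.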

APT29 Strikes: WinRAR Exploits in Embassy Cyber Attacks

During the latest wave of cyberattacks, foreign embassies have been the target of a malicious group known as APT29. They have employed a highly complex attack method that takes advantage of weaknesses in WinRAR, a widely used file compression program. This worrisome disclosure has sent shockwaves through the cybersecurity world, prompting immediate action to strengthen digital defenses.

According to reports from cybersecurity experts, APT29 has ingeniously combined the NGROK service with a WinRAR exploit to infiltrate embassy networks. The NGROK service, designed for secure tunneling to localhost, has been repurposed by the hackers to conceal their malicious activity, making detection and attribution a formidable challenge.

WinRAR, a widely used application for compressing and decompressing files, has been targeted due to a specific vulnerability, identified as CVE-2023-38831. This flaw allows the attackers to execute arbitrary code on the targeted systems, giving them unfettered access to sensitive information stored within embassy networks.

The attacks, initially discovered by cybersecurity researchers, have been corroborated by the Ukrainian National Security and Defense Council (RNBO). Their November report outlines the APT29 campaigns, shedding light on the extent of the damage inflicted by these cyber intruders.

The fact that foreign embassies are specifically being targeted by this onslaught is very disturbing. Because these organizations handle so much private, political, and diplomatic data, they are often the focus of state-sponsored cyber espionage. The attackers' capacity to take advantage of flaws in popular software, such as WinRAR, emphasizes the necessity of constant watchfulness and timely software updates to reduce any threats.

Cybersecurity professionals advise companies, particularly those in delicate industries like diplomacy, to conduct extensive security assessments, quickly fix holes, and strengthen their defenses against ever-evolving cyber attacks in reaction to these disclosures. The APT29 attacks highlight the significance of a multi-pronged cybersecurity strategy that incorporates advanced threat detection methods, personnel awareness training, and strong software security procedures.

International cybersecurity organizations must work together as governments struggle with the ever-changing world of cyber threats. The APT29 attacks are a sobering reminder that the digital sphere has turned into a combat zone and that, in order to preserve diplomatic relations and maintain national interests, defense against such threats necessitates a united front.

Preventing a USB Killer Threat

A USB Killer is a modified USB flash drive that emits an electrical surge capable of damaging or destroying hardware when it is plugged into a computer's USB port.

The concept for USB Killers was created by a Russian researcher known as Dark Purple, with the stated objective of destroying delicate computer parts. When a USB Killer device is inserted into a USB port, it draws power from the device's USB power supply and stores it in its own capacitors. It repeats this until a high voltage is reached. It then discharges the accumulated negative 220 volts onto the USB data pins. An estimated 215–220 volts can be produced by the USB Killers now on the market. The host device's circuitry is damaged or destroyed as a result.

Its capacitors rapidly accumulate this enormous voltage. As long as the gadget is connected and hasn't been damaged to the point that it can no longer charge itself, the charge/discharge cycle also continues numerous times per second.

This approach makes nearly any unprotected equipment susceptible to high voltage attack. For years, malicious software has been spread via USB sticks, including viruses that can infect computers. This is probably because they are easy and affordable to design and buy. Unaware users frequently utilize them to store and transport data.


A USB Killer Attack: How to Prevent It

1. Do Not Plug In Unknown Drives

Social engineering, or using deceptive techniques to persuade people to connect a malicious device, is at the heart of many USB risks.

2. When possible, turn off USB ports

If it is possible, disabling USB ports is a great way to stop USB attacks, including USB Killer attacks.

3. Use a Virtual Environment

A virtual machine is an environment that hosts a replica of your computer inside your computer. If you connect the drive and open it in the virtual environment, it will not have an impact on your data or network.

A USB Killer swiftly ruins a PC once it is plugged into a USB port. Refraining from using unknown USB devices on computers is therefore the best way to stop USB Killers from causing PC damage. The majority of USB-related attacks can be effectively prevented by following basic cybersecurity best practices. For complete security, you can physically cap and disable the USB ports in your business.

Even measures implemented to guard against USB assaults are not 100% secure. Never trust unknown disks, periodically examine those you do use, and utilize security features like passwords, PIN codes, and data encryption. Ideally, being informed of the strategies that hackers employ as well as having strong hardware and software security can keep you safe from any unpleasant digital illnesses.

Following a Breach at ION Group, LockBit Hackers Received a Ransom

LockBit hackers who took credit for a severe hack at financial data company ION claim that a ransom was paid, although they would not specify the sum or provide any proof that the payment had been transferred. Meanwhile, the ION Group chose not to comment on the situation. 

The National Cyber Security Centre, part of the British intelligence agency GCHQ, told Reuters there was nothing further to add. If a ransom is paid, the hacking gang should provide a key to access the files. As cybersecurity experts note, recovering from ransomware often requires file-by-file decryption of computer servers, which can take days or weeks. Additionally, a machine that has had its data decrypted cannot be trusted after that point and must be wiped clean and rebuilt from scratch. PCs often speed up the process.

After a business pays a ransom, additional ransomware gangs might try to extort it again by using the same flaws in the company's IT systems. To be completely secure, ransomware victims may need to redesign their technical infrastructure.

In addition, LockBit, the group behind the ION attack, holds victims' files hostage and is demanding payment by February 4 to prevent their disclosure.

The UK's National Cyber Security Centre advises that ransoms should not be paid. 42 of ION's clients were impacted by the early-morning Tuesday attack, which eventually forced several banks and brokers in Europe and the US to conduct some trades manually, setting them back decades. The FBI has contacted ION management about the attack.

LockBit Ransomware Group

In certain cases, the affiliate of LockBit 3.0 is required to start the ransomware binary using a 32-character password. The typical assault procedure consists of infecting the device, encrypting files, removing specific services, and changing the device's background image.

The stolen information can be offered for sale on the dark web if the ransom is not paid. LockBit 3.0 has also been linked to the abuse of Windows Defender to deploy Cobalt Strike, a security testing tool, in a series of malware attacks.

Operating with affiliates who may lack the means to develop and launch attacks, LockBit uses a ransomware-as-a-service (RaaS) business model. The associated hacker in this case receives a percentage of the ransom, based on a December 2022 warning from the U.S. Department of Health & Human Services.

Among the most expensive and disruptive concerns for businesses globally in recent years has been ransomware. Several ransomware groups not only encrypt a victim's files in exchange for a ransom payment, but they also steal data and threaten to expose it online as an added inducement to pay up.

Numerous brokers have experienced difficulties as the ransomware attack on ION disrupted the trading and clearing of exchange-traded financial derivatives. Reuters reports that among the numerous ION customers whose operations have been interrupted are ABN Amro Clearing and Intesa Sanpaolo, the largest bank in Italy.

Russian Scam Industry Expands as a Result of Mobilization

After experiencing setbacks on the Ukrainian front, Russian President Vladimir Putin ordered a partial mobilization. Russian men who are eligible for enlistment have turned to illegal channels that grant them fabricated exemptions, whereas those fleeing the country to neighboring regions have turned to using identity masking tools.

In these circumstances, selling illegal services has become highly profitable. In a similar vein, scammers and hackers see a good opportunity to take advantage of anxious people in a hurry.

Cybercriminals selling fake documents on the dark web, Telegram, and other encrypted channels were the first scams to attempt to profit from the situation.

The scammers have even gone to the point of actively publicizing their phony services on social media and making direct contact with individuals through channels that preach about mobilization. The hackers allegedly offer people certificates of ineligibility for military duty, which they claim will enable them to avoid enlistment, according to a report by RIA Novosti.

So that recruitment officers will never come looking for the buyer, the deal also includes updating the regional enlistment office's database within 48 hours. In exchange, the scammers demand 27,000 rubles ($470) as well as a copy of the client's passport.

Once the funds are paid, the con artists cut off contact with the victim and probably utilize the identity they have stolen to commit more fraud or sell it on the dark web. These advertisements claim to be able to produce fake HIV and hepatitis certificates for 33,000 and 38,000 rubles ($630), respectively.

According to Russian news site Kommersant, there is a 50% increase in demand for so-called 'gray' SIM cards as a result of the widespread migration of Russians. These SIM cards support 'pay-as-you-use' plans and thus are compatible with the networks of MTS, MegaFon, Beeline, Tele2, and Yota. Since the government can use regular SIMs to trace young men liable for military duty and potentially halt them at the border, Russians are eagerly looking for these cards.

IMEI (International Mobile Equipment Identity), is a special 15-digit number that is connected to the device's hardware instead of the SIM card. Roskomsvoboda, a Russian internet rights group, says there have been numerous cases of people being forced by FSB officers to divulge their IMEI numbers while entering Georgia, Kazakhstan, and Finland. IMEI monitoring is aided by using telecommunication stations for approximate location triangulation. 

Law enforcement has used IMEI for several years, and tracking software that promises to find your lost or stolen device also employs it. Except for a few Huawei, Xiaomi, and ZTE models that store the IMEI in a rewritable memory region in violation of the technology's rules and allow users to flash it with specific tools, assigned IMEIs are not interchangeable or editable.

As an alternative, Roskomsvoboda advises Russians leaving the country to either present a burner phone at the border or purchase a new device once they have left the nation.


ESXi, Linux, and Windows Systems at Risk From New Luna Ransomware

Luna is a brand-new ransomware family written in Rust, making it the third strain to do so after BlackCat and Hive, according to Kaspersky security researchers.

The experts who examined the ransomware's command-line options believe that Luna is a reasonably straightforward ransomware program. 

Luna ransomware

This interesting encryption method combines x25519 with AES. The researchers discovered that the Linux and ESXi samples, which are compiled using the identical source code, differ only slightly from the Windows version.

Darknet forum advertisements for Luna imply that the ransomware is only meant to be used by affiliates who speak Russian. Due to spelling errors in the ransom note that are hard-coded into the malware, its main creators are also thought to be of Russian descent.

The Luna ransomware is also able to avoid automated static code analysis attempts by utilizing a cross-platform language.

"The source code used to compile the Windows version and the Linux and ESXi samples are identical. The remaining code is almost unchanged from the Windows version," the researchers added. Luna "confirms the trend for cross-platform ransomware," the researchers wrote, pointing out how hackers are able to target and strike at scale while avoiding static analysis, thanks to the platform flexibility of languages like Golang and Rust.

Nevertheless, considering that Luna is a recently identified criminal organization and its activities are still being constantly monitored, there is very little knowledge available regarding the victimology trends.

Black Basta

Researchers have also revealed information about the Black Basta ransomware group, which modified its software to target ESXi systems. By adding compatibility for VMware ESXi, various ransomware families, including LockBit, HelloKitty, BlackMatter, and REvil, hope to increase their potential targets.

The double-extortion attack model is used by Black Basta, a ransomware operation that has been operational since April 2022.

Researchers from Kaspersky said that operators had introduced a new feature that relies on launching the computer in safe mode before encrypting data and imitating Windows Services in order to maintain persistence.

Black Basta can avoid detection from a variety of endpoint security solutions by starting Windows in safe mode.
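The safe-mode technique described above leaves two observable steps before any file is encrypted: the boot configuration is changed so the next start is Safe Mode, and a service is registered under the SafeBoot control key so that Windows still starts it in that mode. The following Python script is an added example written for this page (not code from Kaspersky or any vendor): it runs two detection rules over process-creation events and escalates only hosts where both steps fired, since either command alone is routine administrator work. The log format, host names and sample lines are constructed for the example.

```python
"""Detect safe-mode persistence staging in process-creation logs.

Added example for this page; the log format and sample lines are constructed.
"""
import re
from dataclasses import dataclass

# Two observable steps of the safe-mode technique:
#  1. the boot configuration is changed so the next start is Safe Mode, and
#  2. a service is registered under the SafeBoot control key so that it is
#     one of the few services Windows still starts in that mode.
SAFE_MODE_RULES = (
    ("safe-boot reconfiguration",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I)),
    ("safe-mode service registration",
     re.compile(r"\\SafeBoot\\(?:Minimal|Network)\\", re.I)),
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    rule: str
    command: str


def parse_event(line: str):
    """Constructed format: ts | host | user | image | command line."""
    parts = [p.strip() for p in line.split("|", 4)]
    if len(parts) != 5:
        return None  # not an event we understand; skip rather than crash
    return dict(zip(("ts", "host", "user", "image", "cmd"), parts))


def scan(lines):
    """Return one Alert per (event, rule) match."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule, pattern in SAFE_MODE_RULES:
            if pattern.search(ev["cmd"]):
                alerts.append(Alert(ev["ts"], ev["host"], ev["user"], rule, ev["cmd"]))
    return alerts


def hosts_with_both_steps(alerts):
    """Escalate hosts where every rule fired: one step alone is often admin work."""
    rules_by_host = {}
    for a in alerts:
        rules_by_host.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, rules in rules_by_host.items()
                  if len(rules) == len(SAFE_MODE_RULES))


# Constructed sample events: one workstation stages both steps and reboots,
# one server only enumerates boot entries, one admin removes a safeboot flag.
CONSTRUCTED_LOG = [
    r"2022-07-20T02:14:05Z | WS-0042 | CORP\jdoe | C:\Windows\System32\bcdedit.exe | bcdedit /set {default} safeboot network",
    r"2022-07-20T02:14:09Z | WS-0042 | CORP\jdoe | C:\Windows\System32\reg.exe | reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UpdSvc /ve /t REG_SZ /d Service /f",
    r"2022-07-20T02:14:31Z | WS-0042 | CORP\jdoe | C:\Windows\System32\shutdown.exe | shutdown /r /t 0",
    r"2022-07-20T09:01:12Z | SRV-01  | CORP\admin | C:\Windows\System32\bcdedit.exe | bcdedit /enum",
    r"2022-07-20T09:05:44Z | WS-0099 | CORP\admin | C:\Windows\System32\bcdedit.exe | bcdedit /deletevalue {current} safeboot",
    "malformed line with no separators",
]

if __name__ == "__main__":
    found = scan(CONSTRUCTED_LOG)
    for a in found:
        print(f"{a.ts} {a.host} {a.user}: [{a.rule}] {a.command}")
    print("escalate:", hosts_with_both_steps(found))
```

Run over the sample, the scan raises three alerts (two on WS-0042, one for the administrator's cleanup on WS-0099) and escalates only WS-0042. In a real deployment the correlation window should be bounded in time and the reboot that follows the two steps is a useful third signal.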