Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Safety. Show all posts
Safety
Cyber Security Data Data Safety data security Google Safety

Google Report Warns Cybercrime Poses a National Security Threat

 

When discussing national security threats in the digital landscape, attention often shifts to suspected state-backed hackers, such as those affiliated with China targeting the U.S. Treasury or Russian ransomware groups claiming to hold sensitive FBI data. However, a recent report from the Google Threat Intelligence Group highlights that financially motivated cybercrime, even when unlinked to state actors, can pose equally severe risks to national security.

“A single incident can be impactful enough on its own to have a severe consequence on the victim and disrupt citizens' access to critical goods and services,” Google warns, emphasizing the need to categorize cybercrime as a national security priority requiring global cooperation.

Despite cybercriminal activity comprising the vast majority of malicious online behavior, national security experts predominantly focus on state-sponsored hacking groups, according to the February 12 Google Threat Intelligence Group report. While state-backed attacks undoubtedly pose a critical threat, Google argues that cybercrime and state-sponsored cyber warfare cannot be evaluated in isolation.

“A hospital disrupted by a state-backed group using a wiper and a hospital disrupted by a financially motivated group using ransomware have the same impact on patient care,” Google analysts assert. “Likewise, sensitive data stolen from an organization and posted on a data leak site can be exploited by an adversary in the same way data exfiltrated in an espionage operation can be.”

The escalation of cyberattacks on healthcare providers underscores the severity of this threat. Millions of patient records have been stolen, and even blood donor supply chains have been affected. “Healthcare's share of posts on data leak sites has doubled over the past three years,” Google notes, “even as the number of data leak sites tracked by Google Threat Intelligence Group has increased by nearly 50% year over year.”

The report highlights how Russia has integrated cybercriminal capabilities into warfare, citing the military intelligence-linked Sandworm unit (APT44), which leverages cybercrime-sourced malware for espionage and disruption in Ukraine. Iran-based threat actors similarly deploy ransomware to generate revenue while conducting espionage. Chinese spy groups supplement their operations with cybercrime, and North Korean state-backed hackers engage in cyber theft to fund the regime. “North Korea has heavily targeted cryptocurrencies, compromising exchanges and individual victims’ crypto wallets,” Google states.

These findings illustrate how nation-states increasingly procure cyber capabilities through criminal networks, leveraging cybercrime to facilitate espionage, data theft, and financial gain. Addressing this challenge requires acknowledging cybercrime as a fundamental national security issue.

“Cybercrime involves collaboration between disparate groups often across borders and without respect to sovereignty,” Google explains. Therefore, any solution must involve international cooperation between law enforcement and intelligence agencies to track, arrest, and prosecute cybercriminals effectively.
Read more »
Vidar infostealer
Cybersecurity Threats malware Safety Steam game malware Vidar infostealer

Steam Removes Malware-Infested Game PirateFi

 

Valve recently removed a game from its online platform, Steam, after it was discovered to contain malware. The game, PirateFi, was analyzed by cybersecurity researchers who found that it had been modified to deceive players into installing the Vidar info-stealer.

Marius Genheimer, a researcher from SECUINFRA Falcon Team, told TechCrunch that based on the malware’s command and control servers and configuration, “we suspect that PirateFi was just one of multiple tactics used to distribute Vidar payloads en masse.”

“It is highly likely that it never was a legitimate, running game that was altered after first publication,” Genheimer added.

Investigations revealed that PirateFi was created by modifying an existing game template called Easy Survival RPG. This tool, designed for game development, costs between $399 and $1,099 for licensing. By leveraging this template, hackers were able to distribute a fully functional game embedded with malicious software with minimal effort.

Vidar, the malware found in PirateFi, is an infostealer designed to extract sensitive data from infected computers. According to Genheimer, the malware can steal passwords saved in web browsers, session cookies, browsing history, cryptocurrency wallet credentials, screenshots, two-factor authentication codes, and various other personal files.

Vidar has been linked to multiple cybercriminal campaigns, including attempts to steal Booking.com credentials, deploy ransomware, and insert malicious advertisements into Google search results. The Health Sector Cybersecurity Coordination Center (HC3) reported that since its discovery in 2018, Vidar has become one of the most prolific infostealers in circulation.

Infostealers are commonly distributed through a malware-as-a-service (MaaS) model, making them accessible to even low-skilled hackers. This model complicates efforts to trace the origins of attacks. Genheimer noted that identifying those behind PirateFi is particularly challenging because Vidar “is widely adopted by many cybercriminals.”

Researchers analyzed multiple samples of the malware, including one uploaded to VirusTotal by a Russian gamer and another identified through SteamDB, a database tracking Steam-hosted games. A third sample was found in a threat intelligence repository, and all three exhibited the same malicious functionality. Valve has not issued a response regarding the incident.

The supposed developer of PirateFi, Seaworth Interactive, has no online presence. Until recently, the game had an X (formerly Twitter) account linking to its Steam page, but the account has since been deleted. Attempts to contact the owners via direct messages went unanswered before the account was removed.
Read more »
Yutaka Sejiyama
Cyber Security Data Japanese security researcher Safety Sonic Wall Yutaka Sejiyama

Ransomware Groups Exploiting SonicWall VPN Vulnerability for Network Breaches

 

Ransomware operators Akira and Fog are increasingly gaining unauthorized access to corporate networks by exploiting SonicWall VPN vulnerabilities. The attackers are believed to be targeting CVE-2024-40766, a critical flaw in SonicWall's SSL VPN access control, to breach networks and deploy ransomware.

SonicWall addressed this vulnerability in August 2024. However, within a week, reports indicated that it was already being actively exploited. According to Arctic Wolf security researchers, Akira ransomware affiliates have been observed using this flaw to establish an initial foothold in victim networks. In their latest findings, Arctic Wolf disclosed that at least 30 network intrusions involving Akira and Fog ransomware began with unauthorized VPN access through SonicWall accounts.

Of the incidents reported, Akira affiliates accounted for 75% of breaches, with the remainder linked to Fog ransomware. Notably, the two groups appear to use shared infrastructure, suggesting ongoing collaboration, a trend previously noted by cybersecurity firm Sophos.

Although researchers can't confirm the vulnerability was exploited in every case, all breached systems were running unpatched versions susceptible to the flaw. In most attacks, ransomware encryption followed initial access within about ten hours, with some cases taking as little as 1.5 to 2 hours. The attackers often connected through VPNs or VPSs to mask their IP addresses.

Arctic Wolf highlights that many targeted organizations had unpatched endpoints, lacked multi-factor authentication for their VPN accounts, and were running services on default port 4433. In cases where firewall logs were available, events indicating remote user logins (message IDs 238 or 1080) were observed, followed by SSL VPN logins and IP assignments.

The ransomware groups moved swiftly, targeting virtual machines and backups for encryption. Stolen data mainly included documents and proprietary software, though files older than six months were often disregarded, with more sensitive files retained up to 30 months.

Fog ransomware, active since May 2024, typically uses compromised VPN credentials for initial network access. Meanwhile, the more established Akira ransomware has recently faced some downtime with its Tor site, though access has been gradually restored.

Japanese security researcher Yutaka Sejiyama reports approximately 168,000 SonicWall endpoints remain vulnerable to CVE-2024-40766. Sejiyama also suggested that the Black Basta ransomware group might be exploiting this flaw in recent attacks.
Read more »
Security
Cyber Attacks Data Data Safety data security perso Safety Security

Cyberattack on Maui's Community Clinic Affects 123,000 Individuals in May

 

The Community Clinic of Maui, also known as Mālama, recently notified over 123,000 individuals that their personal data had been compromised during a cyberattack in May. Hackers gained access to sensitive information between May 4 and May 7, including Social Security numbers, passport details, financial account information (such as CVV codes and expiration dates), and extensive medical records.

In addition to this, hackers obtained routing numbers, bank names, financial account details, and some biometric data. A total of 123,882 people were affected by the breach, which resulted in the clinic taking its servers offline.

Local reports suggested the incident was a ransomware attack, sparking public frustration as Mālama was forced to close for nearly two weeks. Upon reopening at the end of May, the clinic operated with limited services, and nurses had to rely on paper charts due to system-wide computer outages.

Following the attack, Mālama worked with law enforcement and cybersecurity experts to investigate the breach, with the findings confirmed on August 7. 

In a statement on its website, the clinic offered complimentary credit monitoring to those whose Social Security numbers may have been exposed, although a regulatory filing in Maine indicated that identity theft protection services were not provided. The organization has not responded to requests for clarification, and a law firm is reportedly exploring potential lawsuits against Mālama related to the breach.

The ransomware group LockBit, which was taken down by law enforcement earlier this year, claimed responsibility for the attack in June. On Tuesday, Europol and other agencies announced a coordinated effort to target the gang, resulting in four arrests and the seizure of servers critical to LockBit's operations in France, the U.K., and Spain.

In 2024, healthcare providers across the U.S. have been increasingly targeted by cyberattacks, disrupting services and threatening public safety. Notably, McLaren Health Care and Ascension, two major health systems, have faced severe ransomware incidents, and last week, one of the region's only Level 1 trauma centers had to turn away ambulances following a cyberattack.

Read more »
Security
Data Breach Data Safety data security Safety Security

Seattle Port Suffers Data Breach, Rhysida Ransomware Suspected

 

The ransomware attack has significantly disrupted the port's operations, highlighting the challenges that critical infrastructure providers face in the immediate aftermath of a cybersecurity breach. While recovery efforts are ongoing, the impact continues for some areas.

Most affected systems have been restored, but the port's website, internal portals, and the airport's mobile app remain offline. Despite this, officials reported that the majority of flights have adhered to their schedules, and cruise ship operations have remained unaffected.

The port made it clear that it refused to meet the attackers' demands, warning that the hackers may attempt to post stolen data on the dark web. In an update on Friday, the port stated, "The Port of Seattle does not plan to pay the criminals responsible for this cyberattack," said Steve Metruck, the port’s executive director. "Paying them would go against the values of the port and our responsibility to wisely manage taxpayer funds."

Port authorities have confirmed that some data was compromised by the Rhysida group in mid-to-late August. An investigation is ongoing to determine the specific nature of the stolen information, and those affected will be informed as soon as the analysis is complete.

In November 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint advisory regarding the Rhysida group.

Metruck emphasized the port's efforts not only to restore operations but to use the experience to strengthen future security. "We remain committed to building a more resilient port and will share insights from this incident to help safeguard other businesses, critical infrastructure, and the public," he said.
Read more »
Security
Cybersecurity Data Data Breach Data Safety data security Safety Security

Fortinet Confirms Data Breach Involving Limited Number of Customers, Linked to Hacker "Fortibitch"

 

Fortinet has disclosed a data breach impacting a "small number" of its clients after a hacker, using the alias "Fortibitch," leaked 440GB of customer information on BreachForums. The hacker claimed to have accessed the data from an Azure SharePoint site, following the company's refusal to meet a ransom demand. This incident emphasizes the need for companies to secure data stored in third-party cloud services, cybersecurity experts have noted.

In a statement released on September 12, Fortinet reported that the breach involved unauthorized access to files stored on its cloud-based shared file drive. The company did not confirm the exact source of the breach but reassured that the affected data represented less than 0.3% of its over 775,000 customers—approximately 2,300 organizations. Fortinet also stated that no malicious activity had been detected around the compromised data, and no ransomware or data encryption was involved. The company has since implemented protective measures and directly communicated with impacted customers.

Dark Reading noted that the hacker also leaked financial and marketing documents, product information, HR data from India, and some employee records. After unsuccessful attempts to extort the company, the hacker released the data. There was also a mention of Fortinet’s acquisitions of Lacework and NextDLP, as well as references to a Ukrainian threat group, though no direct connections were identified.

This breach highlights the growing risk of cloud data exposure. A recent analysis by Metomic revealed that more than 40% of sensitive files on Google Drive were vulnerable, with many shared publicly or with external email addresses. Experts stress the importance of using multifactor authentication (MFA), limiting employee access, and regularly monitoring cloud environments to detect and mitigate potential security lapses. They also recommend encrypting sensitive data both in transit and at rest, and enforcing zero-trust principles to reduce the risk of unauthorized access.
Read more »
User Safety
Data Breach Leak Personal Data Safety Security User Data User Safety

ICBC London Branch Hit by Ransomware Attack, Hackers Steal 6.6TB of Sensitive Data

 

The London branch of the Industrial and Commercial Bank of China (ICBC) recently fell victim to a ransomware attack, resulting in the theft of sensitive data. According to a report by The Register, which references information posted on the hackers' data leak site, the bank has until September 13 to meet the ransom demand or risk the stolen data being publicly leaked.

The attack was orchestrated by a group called Hunters International, who claim to have exfiltrated 5.2 million files, amounting to 6.6 terabytes of sensitive information. Despite being a relatively new name in the ransomware scene, some experts believe Hunters International is a rebranded version of Hive, a notorious ransomware group that was dismantled by the FBI in July 2022. At that time, the FBI successfully infiltrated the Hive group, seizing decryption keys and halting its operations.

Emerging approximately a year ago, Hunters International has shifted its focus toward data theft rather than system encryption. Some cybersecurity researchers suggest that developing and deploying encryption tools is complex and time-consuming, making data theft alone an equally profitable, yet simpler, approach for the group.

ICBC, the world’s largest bank by total assets and market capitalization, is a state-owned financial institution in China. It provides a variety of banking services, including corporate and personal banking, wealth management, and investment banking. With an extensive global presence, ICBC plays a significant role in funding infrastructure projects both domestically and abroad.

As of now, ICBC has not made any public statements regarding the attack or responded to requests for comment.
Read more »
Vulnerabilities and Exploits
Data Flaws Patch Safety Security flaw Vulnerabilities and Exploits

CISA Issues Warning on Critical Vulnerabilities in Vonets WiFi Bridge Devices, No Patch Released

 

The Cybersecurity and Infrastructure Security Agency (CISA) has released a security advisory highlighting several critical vulnerabilities discovered in Vonets WiFi Bridge devices. These vulnerabilities present significant risks, including the potential for attackers to execute arbitrary code, access sensitive data, or disrupt device operations.

This poses a serious threat to the security of industrial and commercial networks that depend on these devices. Despite the gravity of these issues, Vonets has not responded to CISA’s outreach for collaboration on mitigation efforts, leaving users at risk.

Key Vulnerabilities and Their Impacts:

The vulnerabilities identified in the Vonets devices vary in severity and include:

  • CVE-2024-41161 (CVSSv4 8.7): This flaw involves the use of hard-coded credentials, allowing unauthorized users to bypass authentication and gain full device access using pre-set administrator credentials that cannot be disabled. This makes it a particularly dangerous vulnerability.
  • CVE-2024-29082 (CVSSv4 8.8): An issue with improper access control permits attackers to bypass authentication and perform a factory reset on the device through unprotected endpoints, leading to potential service disruptions and loss of configuration data.
  • CVE-2024-41936 (CVSSv4 8.7): A directory traversal vulnerability that enables attackers to read arbitrary files on the device, bypassing authentication and exposing sensitive information.
  • CVE-2024-37023 (CVSSv4 9.4): OS command injection vulnerabilities allow authenticated attackers to execute arbitrary operating system commands on the device, potentially giving them control over its operation.
  • CVE-2024-39815 (CVSSv4 8.7): A flaw in the handling of exceptional conditions could lead to a denial-of-service (DoS) scenario when attackers send specially crafted HTTP requests to the device.
  • CVE-2024-39791 (CVSSv4 10): The most severe vulnerability, a stack-based buffer overflow, allows remote attackers to execute arbitrary code, potentially gaining full control of the device without needing authentication.
  • CVE-2024-42001 (CVSSv4 6.1): An issue with improper authentication enables attackers to bypass authentication by sending specially crafted requests during an active user session.

CISA’s Recommendations

In light of Vonets' lack of response, CISA has issued several recommendations to help organizations mitigate the risks associated with these vulnerabilities:

  • Minimize Network Exposure: Ensure that control system devices and networks are not directly accessible from the internet to reduce the risk of unauthorized access.
  • Isolate Control Systems: Position control system networks and remote devices behind firewalls and separate them from business networks to prevent cross-network attacks.
  • Secure Remote Access: When remote access is necessary, use secure methods like Virtual Private Networks (VPNs). However, it's crucial to keep VPNs updated and ensure the security of connected devices.
CISA stresses the importance of conducting thorough impact analysis and risk assessments before implementing any defensive measures to avoid unintended operational disruptions.

While no public exploitation of these vulnerabilities has been reported yet, the critical nature of these issues demands immediate attention. Organizations and individuals must act swiftly to safeguard their networks and reduce the risk of potential attacks
Read more »
Subscribe to: Posts (Atom)