Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Security Experts. Show all posts

MUN President Confirms: Ransomware was Behind Cyberattack on Their Grenfell Campus


Canada-based Memorial University has confirmed that its Grenfell Campus in Corner Brook suffered a cyberattack in December. It has been noted that the attack involved ransomware. 

MUN president Neil Bose told CBC News on Wednesday that the hack on December 29 encrypted Grenfell's servers' data and prevented users from accessing it. The attack caused a week-long delay in classes.

An investigation by the university’s technology and external teams, in collaboration with the Canadian Centre for Cyber Security revealed that no data was compromised in the attack. 

"The affected damage was no one could access anything, and none of the data was accessible to us," Bose said Wednesday. "As soon as it was identified that it was a cyberattack and that data was unavailable … we then took direction from the cybersecurity experts to take us through how to respond, what we should do and so on and so forth. And it's been pretty intense since then, actually."

In an emailed statement, the university mentions that they cannot give details regarding the ransom, as this could impact the investigation. 

Following this MUN officials did not comment regarding the issue for a few days. On Wednesday, Bose noted that the university did not want to compromise any information in the initial days of the investigation. 

Before MUN agreed to an interview, Sheldon Handcock, an information technology expert located in Gander, spoke to CBC News and said that the university's initial response is standard procedure among affected parties as they investigate attacks and attempt to shore up possible flaws.

When a ransomware attack hit the province's healthcare system in 2021, then-health minister John Haggie stated that discussing the attack could jeopardize the investigation, the government of Newfoundland and Labrador took a similar stance.

Bose further informs that the affected Grenfell sever is slowly improving and some of its components are gradually returning online. He stated that email systems are operational, but it is taking longer than expected to have Internet connectivity restored in some laboratories.

"The new system at Grenfell will look somewhat different from the old system in some ways. It's not just a question of, you know, switching the switch and going back to what it was, partly because we have to take the advice of our cybersecurity experts to make sure that what we have going forward is … even more strong than it was," he added. "We have been planning a process of consolidation of [the three] networks, partly to improve the security aspects of our outreach."

FBI: HelloKitty Ransomware Adds DDoS to Extortion Techniques

 

The FBI has released a flash notice to private industry partners, alerting them that the HelloKitty ransomware gang (also known as FiveHands) has incorporated distributed denial-of-service (DDoS) attacks into its toolbox of extortion techniques. 

The FBI claimed in a notice coordinated with the Cybersecurity and Infrastructure Security Agency (CISA) that the ransomware group would use DDoS assaults to take down its victims' official websites if they didn't pay the ransom. 

HelloKitty is also notorious for collecting and encrypting sensitive data from victims' infected servers. Later, the stolen files are then used as leverage to compel the victims to pay the ransom under the fear of the stolen material being leaked publicly on a data leak site. 

The FBI stated, "In some cases, if the victim does not respond quickly or does not pay the ransom, the threat actors will launch a Distributed Denial of Service (DDoS) attack on the victim company's public-facing website. Hello Kitty/FiveHands actors demand varying ransom payments in Bitcoin (BTC) that appear tailored to each victim, commensurate with their assessed ability to pay it. If no ransom is paid, the threat actors will post victim data to the Babuk site payload.bin) or sell it to a third-party data broker." 

To breach the targets' networks, the group's ransomware operators would utilize a variety of tactics, including compromised credentials and newly fixed security flaws in SonicWall products (e.g., CVE-2021-20016, CVE-2021-20021, CVE-2021-20022, CVE-2021-2002). 

About HelloKitty 

HelloKity is a ransomware operation created by people operating since November 2020 and was first discovered by the FBI in January 2021. The group is well known for breaking into and encrypting CD Projekt Red's networks and claiming to have stolen the source code for Cyberpunk 2077, Witcher 3, Gwent, and other games in February. 

The ransomware gang has also been seen utilizing a Linux version that targets VMware's ESXi virtual machine infrastructure since at least July 2021. They're just one of several ransomware gangs targeting Linux systems after enterprises switched to virtual machines for more effective resource use and easier device management. Ransomware operators may now encrypt numerous servers concurrently with a single order by targeting their virtual machines, saving time and effort. 

HelloKitty rapidly expanded its activity in July and August, shortly after commencing to use the Linux variant in assaults, as per submissions made by their victims on the ID Ransomware site. The HelloKitty ransomware, or versions of it, has also gone by the names DeathRansom and Fivehands. 

In its advisory, the FBI also included an extensive list of indications of compromise (IOCs) to assist cybersecurity experts and system administrators in preventing attacks organized by the HelloKitty ransomware.

Lazarus Has Started to Target the IT Supply Chain

 

The Lazarus hacker gang, which is backed by North Korea, has shifted its emphasis to new targets and has been detected by Kaspersky security experts improving its supply chain assault capabilities. After breaching a Latvian IT provider in May, Lazarus utilized a new form of the BLINDINGCAN backdoor to attack a South Korean research tank in June.

Lazarus built an infection chain in the first case found by Kaspersky researchers, which began with legitimate South Korean security software distributing a malicious payload. The target in the second case was a Latvian company that develops asset monitoring solutions, an unusual victim for Lazarus. CISA and the FBI were the first to notice the backdoor utilized in these assaults. It can elude detection by removing itself from infiltrated computers, exfiltrate data, create and destroy processes, and tamper with file and folder timestamps, according to the researchers. 

The infection chain included the Racket downloader, which was signed with a stolen certificate. The hacker gang infiltrated weak web servers and installed scripts that gave them control over the dangerous implants. 

Lazarus has been targeting the defence industry using the MATA malware architecture for cyber-espionage purposes for some months, according to Kaspersky. MATA had previously been utilized by the gang for a variety of reasons, including data theft and ransomware transmission. A downloader was used to collect further malware from the command and control (C&C) server in the attacks, which leveraged a multi-stage infection chain. For this campaign, Lazarus upgraded the MATA framework and signed some of its components with a legitimate but stolen digital certificate. 

“Through this research, we discovered a stronger connection between MATA and the Lazarus group, including the fact that the downloader malware fetching MATA malware showed ties to TangoDaiwbo, which we had previously attributed to the Lazarus group,” Kaspersky said. 

Lazarus, also known as Hidden Cobra, has been active since at least 2009 and is suspected of orchestrating a number of high-profile strikes. In 2020, the group targeted COVID-19 research, as well as members of the security research community and vaccine maker Pfizer. 

"These recent developments highlight two things: Lazarus remains interested in the defense industry and is also looking to expand its capabilities with supply chain attacks," said Ariel Jungheit, a senior security researcher at Kaspersky. "When carried out successfully, supply chain attacks can cause devastating results, affecting much more than one organization – something we saw clearly with the SolarWinds attack last year."

Credit Scores of Americans were Exposed Through Experian API

 

According to a researcher, almost every American's credit score was leaked due to an API platform used by the Experian credit bureau that was left accessible on a lender's website without even basic security safeguards. Experian, for its part, dismissed security experts' fears that the problem could be structural. 

The Experian Connect API is a platform that helps lenders to simplify FICO-score queries. According to a published article, Bill Demirkapi, a sophomore at Rochester Institute of Technology, was looking for student loans when he came across a lender who would verify his eligibility with only his name, address, and date of birth. Demirkapi was taken aback and wanted to look into the code, which revealed that the tool was driven by an Experian API, he said.

“No one should be able to perform an Experian credit check with only publicly available information,” Demirkapi told Krebs On Security, which was the first to break the story of the leak. “Experian should mandate non-public information for promotional inquiries, otherwise an attacker who found a single vulnerability in a vendor could easily abuse Experian’s system.” 

Demirkapi said he was able to create a command-line tool called "Bill's Cool Credit Score Lookup Utility" that allowed him to automate lookups even after entering all zeros in the fields for date of birth. Krebs said he was able to use the API link to get “risk factors” from Experian that clarified possible vulnerabilities in a person's credit background, in addition to raw credit scores. He ran a credit check for his buddy "Bill," who had “Too many consumer-finance company accounts,” according to his mid-700s credit score.

Demirkapi refused to reveal the identity of the lender or the website where the API was revealed to Experian. He declined because he believes there are hundreds, if not thousands, of firms using the same API, and that all of those lenders are leaking Experian's customer data in the same way. “If we let them know about the specific endpoint, they can just ban/work with the loan vendor to block these requests on this one case, which doesn’t fix the systemic problem,” he explained. 

“We have been able to confirm a single instance of where this situation has occurred and have taken steps to alert our partner and resolve the matter,” Experian said in a written statement. “While the situation did not implicate or compromise any of Experian’s systems, we take this matter very seriously. Data security has always been, and always will be, our highest priority.”

Security experts recorded more than 500,000 attacks on smart devices in 2 hours


Avast experts conducted an experiment installing in Russia (in Moscow and Khabarovsk) and in other countries of the world more than 500 trap servers (Honeypots), posing as IoT devices, such as streaming devices, webcams or routers. With this, the experts wanted to prove how many potential attacks smart home devices face.

More than 500 traps were scanned by potential attackers 561,003 times in two hours, and five devices located in Russia were scanned 5,370 times in two hours. Honeypots traps were located in Russia, Mexico, France, Germany, South Korea, Australia, the United Kingdom, Australia, Japan, Spain, Ireland, Singapore, the United States, and India. According to the research, the three main countries from which the attacks came were the US, the Netherlands and Japan.

It is worth noting that Avast researchers chose typical connected devices with open ports to make attackers believe they were connecting to real routers, smart TVs, Webcams, or other smart devices.

The purpose of the trap was to calculate the activity of cyber criminals and study the methods of attackers who believe they attack real devices with real data. Avast traps were programmed with open ports such as TCP: 23 (telnet Protocol), TCP: 22 (ssh Protocol), TCP: 80 (HTTP Protocol), which are usually found in Internet-connected devices such as routers, security cameras and smart TVs.

According to Avast research, streaming devices are among the top 5 most vulnerable in the home, and two-thirds of routers in Russia have weak credentials or software vulnerabilities.

According to Michal Salat, Director of the Avast Threat Analysis Department, most people do not pay much intention to the vulnerabilities of home devices such as smart speakers, TVs or light bulbs, as they believe that they can not become a target of cybercriminals.

"For many people, it probably doesn't matter if their devices are used to attack other people, but they should know that hackers can also target them".

An attacker needs only one hacked device to take control of the entire home network. A vulnerable coffee maker can become the front door for a hacker to spy on households with a smart speaker and a security camera. In addition, connected devices may contain GPS data, so that an attacker will receive information about the exact location of the device.

Expert warns cyber threats to worsen with tech advances


Technological advances like Artificial Intelligence, Internet of Things, Automatic Cards and others will throw up new challenges for cyber security and all countries must unite to foresee and combat them, a leading Israeli cyber security expert said on Monday.

"The Internet was not designed for security, hence it is inherently insecure since everything is hackable. It is more difficult to be a cyber security personnel than a hacker. The hacker has to succeed only once, where the the cyber security personnel has to succeed always to remain safe, within many rules and regulations," Menny Barzilay, the CEO, Cyber Research Centre of Tel Aviv University and CEO of Cytactic, said.

He pointed out how "smart people" from different countries are joining hands to commit cyber crimes and hence there is "a need for super-smart people" from around the world to join as cyber security experts.

"Cyber threats don't create a sense of urgency, unlike a bomb threat, and we cannot feel it in our senses. It is therefore more difficult to convince people that the 'cyber' threat is real," said Barzilay, addressing a panel discussion on cyber security at Nehru Science Centre (NSC) via videoconference.

The discussion was also attended by Israeli Consul-General in Mumbai, Yaakov Finkelstein, security experts from the Mumbai Police and students.

Recalling an incident of cyber attack on Sony Corporation after the release of its film, "The Interview", Barzilay said that corporates are not prepared to face cyber crimes and the government must support them during such cyber hits.

"Billions of devices, part of Internet of Things implies they are prone to hacking, a smart device means being vulnerable, it will also affect our privacy. Big companies have lot of data about users and can manipulate them for private gains, something which allegedly happened in the US elections," he said.

Apple Mac Book vulnerable to hack using Battery

Ethical Hacker Charlie Miller has find a way to hack the MacBook using the battery.

"Laptop battery contains its own monitoring circuit which reports the status of the battery to the OS. It also ensure that the battery does not overcharge even when the laptop is turned off." Digitizor report reads.


He identified the battery chips are shipped with default password.  It means the hacker who finds the default password and learns to control the firmware is able to control them to do anything he wants.

 "You could put a whole hard drive in, reinstall the software, flash the BIOS, and every time it would reattack and screw you over. There would be no way to eradicate or detect it other than removing the battery." Digitizor quoted as Miller saying.