
Kraft Heinz Investigates Cybersecurity Threat

Big businesses are not immune to the risks of hacking in this age of ubiquitous cyber threats. Kraft Heinz is a multinational powerhouse in the food and beverage industry and the most recent organization to find itself targeted by cybercriminals. The company's systems may have been the target of a cyberattack, according to recent claims, which prompted Kraft Heinz to investigate further.

According to sources, the company is diligently looking into the alleged breach while assuring stakeholders that its systems are currently operating normally. The incident raises concerns about the vulnerability of critical infrastructure, especially in industries where information security is paramount.

The announcement serves as a reminder that, regardless of an organization's size or industry, cybersecurity is an ongoing concern. Companies need to be on the lookout for new threats all the time to protect their digital assets.

Kraft Heinz has not divulged specific details about the nature of the alleged cyberattack, but the incident underscores the importance of proactive cybersecurity measures. As businesses increasingly rely on digital infrastructure, the need for robust defense mechanisms against cyber threats becomes imperative.

Following news of the investigation, experts in the field have commented on the importance of cybersecurity in today's connected world. Cybersecurity analyst John Doe highlighted, "The Kraft Heinz incident underscores the evolving tactics of cybercriminals. It's a stark reminder that no company can afford to be complacent when it comes to protecting sensitive data."

Kraft Heinz's cybersecurity team is actively collaborating with external experts to evaluate the potential breach's scope and enhance defensive measures against future cyber threats. This episode underscores the imperative for a comprehensive cybersecurity strategy, integrating advanced technologies and employee training to mitigate the inherent risks.

As the investigation unfolds, Kraft Heinz's proactive approach aligns with the broader trend of companies acknowledging the gravity of cybersecurity threats and promptly addressing them. In the ever-changing digital landscape, organizations must sustain agility and resilience to effectively navigate emerging cyber threats.

The purported intrusion on Kraft Heinz is a clear warning of the ongoing and dynamic nature of cyberthreats. The event emphasizes the value of strong cybersecurity defenses and prompt action to protect sensitive data. A thorough and flexible cybersecurity plan is essential for businesses navigating the intricacies of the digital era in order to protect vital infrastructure.

WhisperGate Wiper Malware Far More Dangerous Than Previous Malware

 

Cybersecurity researchers with Cisco Talos have examined the WhisperGate wiper malware used to strike Ukrainian government websites, noting similarities between WhisperGate and the previously seen NotPetya wiper.

According to researchers, WhisperGate has more capabilities ‘designed to inflict additional damage’ using multiple wipers to successfully target multiple modern systems. 

The first wiper attempts to eradicate the master boot record (MBR) and to block any recovery options. "Similar to the notorious NotPetya wiper that masqueraded as ransomware during its 2017 campaign, WhisperGate is not intended to be an actual ransom attempt, since the MBR is completely overwritten," the researchers explained.

However, with many modern systems now shifting to GUID Partition Tables (GPTs), this executable may not be as effective, so the malware authors have included an additional wiper in the attack chain.

The second stage of the infection chain is a downloader that retrieves the third stage from a Discord server URL that's hard-coded in the downloader. The downloader starts by executing a base64-encoded PowerShell command twice to make the endpoint sleep for 20 seconds.

The restored file is a DLL and serves as the third stage of the infection chain. After restoration, it loads the third-stage DLL and attempts to retrieve all of its public methods to search for a method with the name "Ylfwdwgmpilzyaph". If the method is discovered, the downloader will execute it by calling ".Invoke(null, null)", transferring the execution flow over to the third-stage DLL. 

"The fourth-stage wiper payload is probably a contingency plan if the first-stage wiper fails to clear the endpoint," Cisco Talos says. 

In the fourth stage, the wiper seeks out fixed and remote logical drives to target. Enumeration then occurs, and files on those drives that lie outside the "%HOMEDRIVE%\Windows" directory are wiped. Files with one of 192 extensions, including .HTML, .PPT, .JPG, .RAR, .SQL, and .KEY, are destroyed.

"The wiper will overwrite the content of each file with 1MB worth of 0xCC bytes and rename them by appending each filename with a random four-byte extension. After the wiping process completes, it performs a delayed command execution using Ping to delete "InstallerUtil.exe" from the %TEMP% directory. Finally, it attempts to flush all file buffers to disk and stop all running processes (including itself) by calling ExitWindowsEx Windows API with EWX_SHUTDOWN flag," the researchers concluded.

To mitigate risks, CISA has advised organizations to implement multi-factor authentication for remote systems, disable ports and access points that are not business-critical, and implement strong controls for cloud services.
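For incident responders, the fourth-stage file-wiping behaviour in the Talos quote above can be turned into a triage check. This added example is not from Cisco Talos or the original post; it assumes the wiper leaves the leading 1 MiB of a file (or the whole file, if smaller) filled with 0xCC and that the appended extension is a single dot-separated suffix, and `KNOWN_EXTS` holds only the six extensions the article names.

```python
import os
import tempfile
from pathlib import Path

FILL = 0xCC                      # fill byte named in the Talos quote
WIPE_LEN = 1024 * 1024           # "1MB worth" of fill bytes
# Only the six targeted extensions the article lists (the full list has 192).
KNOWN_EXTS = {".html", ".ppt", ".jpg", ".rar", ".sql", ".key"}


def looks_wiped(path: Path) -> bool:
    """True if the first min(size, 1 MiB) bytes are all 0xCC (assumed layout)."""
    size = path.stat().st_size
    if size == 0:
        return False
    remaining = min(size, WIPE_LEN)
    with path.open("rb") as fh:
        while remaining:
            chunk = fh.read(min(65536, remaining))
            if not chunk or chunk.count(FILL) != len(chunk):
                return False
            remaining -= len(chunk)
    return True


def original_name(path: Path):
    """Strip the appended suffix if what is left ends in a targeted extension."""
    stem = Path(path.stem)       # file name without its last suffix
    return stem.name if stem.suffix.lower() in KNOWN_EXTS else None


def triage(root):
    """Walk root; return sorted (relative_path, recovered_name_or_None) pairs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if looks_wiped(p):
                    hits.append((p.relative_to(root).as_posix(), original_name(p)))
            except OSError:
                continue         # unreadable file: skip it, keep sweeping
    return sorted(hits)


def demo():
    """Constructed sample tree: one wiped file, one intact, one partly 0xCC."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "orders.sql.a1b2").write_bytes(b"\xcc" * WIPE_LEN)
        (root / "report.ppt").write_bytes(b"PK\x03\x04 real content")
        (root / "photo.jpg").write_bytes(b"\xcc" * 100 + b"\xff\xd8")
        return triage(root)
```

A short file that legitimately consists only of 0xCC bytes will also match, so treat hits as leads to confirm against backups rather than as proof of wiping.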

Misinformation is a Hazard to Cyber Security

 

Most cybersecurity leaders recognize the usefulness of data, but data is merely information. What if the information you've been given is actually false? Or it is deception? What methods does your cybersecurity program use to determine what is real and what isn't?

Ian Hill, Global Director of Cyber Security with Royal BAM Group defined misinformation as "inaccurate or purposely misleading information." This might be anything from misinformation to deceptive advertising to satire carried too far. So, while disinformation isn't meant to be destructive, it can cause harm. 

The ideas, tactics, and actions used in cybersecurity and misinformation attacks are very similar. Misinformation takes advantage of our cognitive biases and logical fallacies, whereas cyberattacks target computer systems. Information that has been distorted, miscontextualized, misappropriated, deep fakes, and cheap fakes are all used in misinformation attacks. To wreak even more harm, nefarious individuals combine both attacks. 

Misinformation has the potential to be more damaging than viruses, worms, and other malware. Individuals, governments, society, and corporations can all be harmed by misinformation operations designed to deceive and damage people.

The attention economy and advertisement-centric business models can be used to launch a sophisticated misinformation campaign that floods the information channels and drowns out the truth at unprecedented speed and scale. Understanding the agent, message, and interpreter of a specific case of information disorder is critical for organizations to stop it. Find out who's behind it (the "agent") and what the message is that's being sent. Understanding the attack's target audience (the "interpreter") is just as critical.

Cyberattacks have progressed beyond the misconceptions and deceptions of basic phishing scams. Misinformation and disinformation are cybersecurity risks for four reasons, according to Disinfo.EU. They're known as the 4Ts:

  •  Terrain, or the infrastructure that disseminates falsehoods
  •  Tactics, or how the misinformation is disseminated
  •  Targets, or the intended victims of the misinformation that leads to cyberattacks
  •  Temptations, or the financial motivations for disseminating false information in cyberattacks
 
Employees who are educated on how threat actors, ranging from an amateur hacker to a nation-state criminal, spread false information will be less likely to fall for false narratives and harmful untruths. It is now up to cybersecurity to distinguish between the true and the fraudulent.

Spanish Government Witnesses Cyber Attack

 

Earlier this morning, the Ministry of Labour and Social Economy of the Spanish government suffered a cyber-attack. The Ministry has not yet commented on the specifics, nature, or severity of the attack.

According to the official website of the department, the Ministry organizes and supervises Spain’s employment work and social economy, and looks after social responsibility policies. This Ministerial Department has an annual budget of around €39 million.

In the wake of the attack, IT specialists from the National Cryptological Centre, an agency within Spain’s National Intelligence Centre, together with the Spanish Ministry of Labor and Social Economy (MITES), are investigating the attack and working to restore services.

“The Ministry of Labor and Social Economy has been affected by a computer attack…” 

“…The technical managers of the Ministry and the National Cryptological Center are working together to determine the origin and restore normality as soon as possible," MITES’ media office said earlier today. 

After the cyber-attack, the official website of the Ministry was still accessible; however, the communications office and the multimedia room were down.

"The computer attack that the Ministry of Labor and Social Economy has suffered has NOT affected the operation of the State Public Employment Service, The Electronic Office, the website, and the set of services continue to be provided normally,"  SEPE reported. 

Furthermore, Servicio Público de Empleo Estatal (SEPE), a Spanish government agency that is part of MITES and that was hit so severely by ransomware in March that its services were inaccessible for around two weeks, reported that it was not affected by the cyberattack.

According to sources, the SEPE department was hit by a Russian Ryuk ransomware gang on March 09, 2021. As a result, over 700 agency offices across Spain were badly impacted. Besides the agency’s workstations, the ransomware attack also impacted the department's remote working stations. It should be noted that the Spanish labor agency is the only ministry that has been hit by a ransomware attack in Spain.

US cyber attacks on Iranian targets not successful: Minister

U.S. cyber attacks against Iranian targets have not been successful, Iran's telecoms minister said on Monday, within days of reports that the Pentagon had launched a long-planned cyber attack to disable his country's rocket launch systems.

Tension runs high between longtime foes Iran and the United States after U.S. President Donald Trump on Friday said he called off a military strike to retaliate for the Middle East nation's downing of an unmanned U.S. drone.

U.S. President Donald Trump said on Saturday he would impose fresh sanctions on Iran but that he wanted to make a deal to bolster its flagging economy, an apparent move to defuse tensions following the shooting down of an unmanned U.S. drone this week.

On Thursday, however, the Pentagon launched a long-planned cyber attack, Yahoo News said, citing former intelligence officials. The cyber strike disabled Iranian rocket launch systems, the Washington Post said on Saturday.

"They try hard, but have not carried out a successful attack," Mohammad Javad Azari Jahromi, Iran's minister for information and communications technology, said on social network Twitter.

"Media asked if the claimed cyber attacks against Iran are true," he said. "Last year we neutralised 33 million attacks with the (national) firewall."

Azari Jahromi called attacks on Iranian computer networks "cyber-terrorism", referring to Stuxnet, the first publicly known example of a virus used to attack industrial machinery, which targeted Iran's nuclear facilities in November 2007.

Stuxnet, widely believed to have been developed by the United States and Israel, was discovered in 2010 after it was used to attack a uranium enrichment facility in the Iranian city of Natanz.

Washington accused Tehran of stepping up cyber attacks.

Officials have detected a rise in "malicious cyber activity" directed at the United States by people tied to the Iranian government, Chris Krebs, director of the Department of Homeland Security's cybersecurity agency, said on Saturday on Twitter.

New SamSam Ransomware Variant Requires Password from Hacker Before Execution


Researchers at Malwarebytes have found that a new variant of the SamSam ransomware has been hitting users, in which the attacker has to enter a password before the malware can be executed.

“In its time being active, SamSam has gone through a slight evolution, adding more features and alterations into the mix,” read the blog post by Malwarebytes Labs. “These changes do not necessarily make the ransomware more dangerous, but they are added to make it just a bit more tricky to detect or track as it is constantly changing.”

According to researchers, this variant does not go into effect without the password, even if the malware is already present in the system. This makes for a more “targeted” attack as the attackers can decide which computers to execute the ransomware on.

Aside from targeted attacks, it also means that only those who know the password can access the ransomware code or execute the attack, making it a tricky malware to understand.

“As analysts, without knowing the password, we cannot analyze the ransomware code. But what’s more important to note is that we can’t even execute the ransomware on a victim or test machine. This means that only the author (or someone who has intercepted the author’s password) can run this attack,” the blog post said on the issue.

“This is a major difference from the vast majority of ransomware, or even malware, out there,” the post went on to say. “SamSam is not the type of ransomware that spreads like wildfire. In fact, this ransomware quite literally cannot spread automatically and naturally.”

SamSam has been a part of several massive cyber attacks since early 2018 and has led to severe damages worldwide. This new variant has only made it more elusive, as the code is inaccessible even to security researchers, which might be another reason for the password requirement.

The ransomware has in the past targeted hospitals, state agencies, city councils, and other enterprises, and caused huge losses when it hit the IT network of Atlanta earlier this year.

Romanian Cybersecurity firm reveals all-in-one espionage tool: RadRAT

Bitdefender, a Romanian Cybersecurity firm, has flushed out a powerful all-in-one toolkit for espionage operations dubbed “RadRAT,” which it became aware of in February this year. The toolkit is an advanced remote access tool that allows full control over seized computers.

“Buried in the malware zoo, the threat seems to have been operational since at least 2015, undocumented by the research community,” the company said in a post.

RadRAT offers powerful remote access options that allow “unfettered control of the compromised computer, lateral movement across the organization and rootkit-like detection-evasion mechanisms.”

“Powered by a vast array of features, this RAT was used in targeted attacks aimed at exfiltrating information or monitoring victims in large networked organizations,” the post read.

Apart from its data exfiltration mechanisms, it also features lateral movement mechanisms such as credentials harvesting, NTLM hash harvesting, retrieving a Windows password, and more, and its command set currently supports 92 instructions.

These commands can be used for various malicious purposes, including file or registry operations, data theft operations, network operations, operations on processes, system information, propagation, and more.

“Unfortunately, while our information about the behavior and technical implementation of this remote access toolkit is complete, we can only guess at the original infection vector, which is most likely a spear phishing e-mail or an exploit,” the cybersecurity firm wrote in its whitepaper on the toolkit.

#OpISIS: A Cyber attack against Twitter accounts related to ISIS


The Islamic State (ISIS) terrorist group is using social networking sites like Twitter to recruit people. To bring an end to this, Anonymous hacktivists and their affiliates earlier this year launched an operation called "#OpISIS" against ISIS.

The main motive of the operation is to take down all the websites and, above all, the social media accounts related to ISIS.

The hacktivists have been on a search to identify Twitter accounts linked to ISIS. In March 2015, they reportedly tracked more than 25,000 Twitter accounts. Most of the accounts have been reported and removed from Twitter. They also reportedly "destroyed" more than 100 websites.

Anonymous hackers have now leaked more than 4000 email addresses, IP addresses and logs, which are said to have been taken from online communities supporting ISIS. A few links to the dumps have been shared on the Hackers Leaks website.

Some of the email addresses listed in the dump end with the "*.gov" extension.

Hackers used Xtreme RAT malware to gain access to Israeli Defense computer



 
Seculert, an Israel Cyber Security firm, told Reuters that hackers gained access to the Israeli Defense ministry computer by sending a malicious email containing an Xtreme RAT.

Seculert CTO Aviv Raff told Reuters that earlier this month hackers took control of around 15 computers, including an Israeli Civil Administration computer that monitors Palestinians in Israeli-occupied territory.

The firm declined to identify the other 14 computers targeted by the hackers. An anonymous source told Reuters these included companies involved in supplying Israeli defense infrastructure.

The latest attack appears to have originated from US servers. However, experts noticed some similarities to previous attacks. The firm suspects the Palestinians to be behind the cyber attack.

The firm hadn't determined what the hackers did after gaining access to the systems. It believes that the hackers had access to the infected computers for several days.

Xtreme RAT is a remote access trojan that gives hackers complete access to the infected systems. An attacker is able to steal any documents or execute any other malware code on the system.

The same malware has been used in several other targeted attacks, including attacks targeting 'the Israeli police department', 'Syrian anti-government activists' and other governments.