
Why Mid-Sized Businesses Are Attractive Targets for Cyber Criminals


An increase in cybersecurity incidents among mid-market firms has been observed in recent years. For example, a survey in the UK revealed that 45% of medium-sized businesses experienced cybercrimes, with phishing attacks being the most common. Despite this, many mid-sized companies struggle with being prepared for such threats, with only 55% having formal incident response plans in place.

Ransomware attacks, in particular, have caused significant financial and operational damage to businesses. A report found that recovery from these attacks took an average of 22 days, with costs often surpassing the ransom demand by fiftyfold.

Mid-sized companies are vulnerable to cyber threats due to limited budgets and resources for cybersecurity measures. With valuable data at stake, these businesses are attractive targets for cybercriminals seeking to profit from selling stolen information. Additionally, mid-sized firms serving as suppliers to larger corporations can make global supply chains more vulnerable to cyber attacks.

The increasing regulatory pressures surrounding data protection also pose challenges for mid-sized businesses in complying with standards such as GDPR and HIPAA. Non-compliance can lead to hefty fines and legal repercussions, making it crucial for these companies to enhance their cybersecurity measures.

To address these challenges, mid-sized firms should take proactive steps to improve their cybersecurity posture. Adopting Public Cloud ERP solutions can significantly enhance security by providing built-in features, regular updates, compliance support, scalability, and advanced threat detection.

By investing in cybersecurity and leveraging cloud-based solutions, mid-market companies can protect their valuable assets, comply with regulations, and maintain trust with customers and partners. This proactive approach can help mitigate the risks posed by evolving cyber threats and ensure the security of business operations in a cost-effective manner.

British Library Hit by Cyber Incident, Disrupting Services


The British Library in London, known for its serene study environment and vast collection of 170 million items, has been disrupted by a "cyber incident." This event has led to the shutdown of its website, impeding access to the online catalog, and the cessation of Wi-Fi services. 

Staff members are unable to use computers, creating a pre-digital atmosphere within the library. Ordering books now involves consulting hardback catalogs or external websites, writing down catalog numbers, and handing them to librarians for verification. The incident has affected various users, including authors and academics, who rely on the library for their work.

Despite the significance of the British Library, the institution has provided minimal information about the incident on social media. The library stated that it is facing a major technology outage due to the cyber incident, impacting both online and on-site services. 

The staff is collaborating with Britain's National Cyber Security Centre to investigate the matter. Speculation about the cause of the shutdown abounds among users, with many having to adjust their work plans to accommodate the disruption.

While details remain scarce, other European libraries presume the British Library was deliberately targeted. The National Library of Scotland, for instance, has intensified its monitoring and protection in response to the attack. 

This incident underscores a shift in cybercriminals targeting libraries, which traditionally flew under the radar. Tasmina Islam, a cybersecurity education lecturer, suggests that financial motives may be driving such attacks, as libraries house valuable information, including personal data and intellectual property. She emphasizes the need for libraries and institutions to enhance their security measures.

Within the British Library, employees are puzzled by the event, describing it as a "nightmare." However, not all users are dismayed by the interruption. Eric Langley, a Shakespeare scholar, finds the blackout oddly liberating, allowing him to focus solely on the bard's work. Nevertheless, he acknowledges that an extended disruption would pose challenges.

Europe's Shipping Industry Grapples with Widespread Cyberattack


A significant cyberattack has impacted shipping companies across Europe, commencing on Thursday afternoon. The attack, believed to be a Distributed Denial of Service (DDoS) incident, has led to the widespread unavailability of numerous websites. IT teams are currently hard at work, actively addressing and resolving the situation.

Johanna Boijer-Svahnström, the Senior Vice President of Viking Line, discussed the extensive cyberattack that occurred on Thursday. In a statement to HBL, she emphasized that the cyber assault had a notable impact on major shipping companies operating throughout Europe.

"It appears to be a DDOS cyber attack targeting shipping companies across Europe. Our webpages are currently inaccessible, and our IT department is actively working to resolve the issue," Johanna conveyed to HBL.

The Cyber Express reached out to the company to verify the security incident and gather additional information following the cyberattack. Regrettably, at the time of preparing this report, no confirmation has been received from Viking Line.

According to media reports, the Viking Line cyberattack appears to have been a DDoS attack stemming from an overload on the company's website. This cyber assault had a widespread impact, affecting nearly all major shipping companies in the region.

About Viking Line

Viking Line, established in 1959, is a prominent shipping company specializing in cruise, cargo, and passenger services primarily within the Baltic Sea region. The company maintains a fleet of more than 50 vessels offering services in all three categories, with a current workforce of over 2,000 employees.

A recent report citing research conducted by the law firm HFW suggests that the shipping industry is considered an "easy target" for cybercriminals. The same report indicates a notable increase in ransomware attacks, with ransom demands rising by an astounding 350% over the past year.

"Our findings reveal that despite improvements in maritime cybersecurity, the industry remains vulnerable. Shipping organizations are facing a surge in cyberattacks, along with a substantial increase in ransom payment demands. As technology continues to play a larger role across all aspects of shipping, encompassing ship networks, offshore installations, and onshore control centers, the potential for cybersecurity breaches also escalates," reported Heavylift PFI, quoting Tom Walters, a partner at Holman Fenwick Willan, a global law firm.

Incidents like the Viking Line Cyberattack underscore the critical importance of robust cybersecurity measures within the shipping industry. It serves as a reminder that a proactive approach to cybersecurity across various sectors is imperative to prevent escalating challenges.

Rival Cybercrime Groups Offer Conflicting Accounts of Casino Attack


In the latest development, members of the hacking group Scattered Spider have asserted that they were the initial perpetrators of the MGM network breach last week. 

However, the ransomware gang Alphv, also known as Black Cat, countered this claim with a detailed statement on their dark-web platform, insisting that they were the true culprits.

Alphv's statement, while claiming responsibility, left a crucial question unanswered: whether Scattered Spider was acting as an affiliate of Alphv or an independent group utilizing Alphv-developed ransomware. This conflicting narrative is further muddying an already tumultuous news cycle, marked by speculative discussions on social media.

Definitive confirmation regarding the identity of the MGM attacker remains elusive until either the company or law enforcement authorities release public details about the incident. 

Both Scattered Spider and Alphv represent significant cyber threats in their own right, according to experts. Scattered Spider, believed to be comprised of young adults in the U.S. and the U.K., is notorious for employing social engineering tactics in their attacks. 

Charles Carmakal, CTO at Google Cloud's Mandiant, noted their recent use of Alphv's encryption. Their past exploits include a high-profile attack affecting over 130 organizations, resulting in the theft of more than 10,000 employees' login credentials.

Meanwhile, Alphv, thought to be based in Russia, has earned a reputation for conducting ruthless and widespread attacks. Their tactics have included releasing sensitive images from breast cancer patients' examinations while extorting the Lehigh Valley Health Network earlier this year. Notable victims have also included Western Digital and Sun Pharmaceuticals.

In the realm of ransomware, identities are intentionally obscured to hinder law enforcement's efforts to trace attacks back to their source. It's not uncommon for a major ransomware operator to claim credit for an attack initiated by an affiliate. Additionally, a larger group like Alphv could independently carry out an entire attack internally.

Ultimately, MGM, in conjunction with the FBI and third-party cyber incident response firms, will possess the most reliable information regarding the assailant's identity and the specifics of how the breach occurred.

Espionage Group Suspected of Intruding Asian Nation's Power Grid


Earlier this year, cyber attackers targeted an undisclosed Asian country's national power grid using ShadowPad malware, commonly associated with entities linked to the Chinese government, according to cybersecurity experts. 

While Symantec did not explicitly attribute the incident to China, they identified the group as RedFly, who infiltrated the network for up to six months, siphoning credentials and targeting multiple computers. 

ShadowPad, which first emerged in 2017, has also been linked to the APT41 hacking group, which researchers have connected to China's Ministry of State Security and the People's Liberation Army. In recent years, various China-linked groups have employed ShadowPad for cyber-espionage activities.

The attack's initial signs emerged on February 28, when ShadowPad was deployed on a single computer, Symantec reported. The malware reappeared in the network on May 17, indicating that the hackers had maintained access for over three months.

Over the following week, the attackers worked to broaden their access to storage devices, collect system credentials, and conceal their tracks. They utilized the legitimate Windows application oleview.exe to gain insights into the victim's network and move laterally.

Dick O'Brien, principal intelligence analyst at Symantec's Threat Hunter Team, expressed concern about the escalating trend of hackers targeting critical national infrastructure (CNI) with malware. He highlighted that attacks on CNI are particularly worrisome due to the potential for serious disruption, and emphasized that this incident is part of a broader pattern.

Experts warn that the frequency of attacks on CNI organizations has risen over the past year, posing a heightened risk of disruptions to power supplies and essential services during times of heightened political tension.

While Symantec has not observed disruptive actions from RedFly, they acknowledge that such actions have occurred in other regions, underscoring the potential threat.

ShadowPad has been identified in cyberattacks on seven electricity grid management facilities in Northern India, as well as Pakistani government agencies, a state bank, and a telecommunications provider. Critical industries in various countries across Asia and Europe have also been targeted with ShadowPad and other malicious tools.

Designed as a successor to Korplug/PlugX, another popular strain among some Chinese espionage groups, ShadowPad briefly appeared on underground forums, making it challenging for researchers to attribute all instances of its use directly to China-based actors.

LockBit Ransomware Falters, Attackers Deploy New '3AM' Malware


In a recent cyberattack targeting a construction company, hackers attempted to deploy the LockBit ransomware on a target network but were thwarted. In an unexpected twist, they resorted to a previously unknown ransomware variant called 3AM, successfully infiltrating the system.

The newly discovered ransomware, 3AM, follows a fairly typical pattern by disabling various cybersecurity and backup-related software before encrypting files on the compromised computer. However, it stands out with an unusual theme: the name 3AM, a reference to the eerie hour when only insomniacs, night owls, and malicious hackers are typically active.

Researchers from Symantec highlighted this double-pronged attack in their recent report. It marked the first documented instance of 3AM being used alongside the LockBit ransomware in a single compromised machine.

Dick O'Brien, the principal intelligence analyst for Symantec's Threat Hunter Team, cautioned, "This isn't the first time we've seen attackers employ multiple ransomware families simultaneously, and organizations should be prepared for such scenarios."

Upon gaining access to the target network, the threat actors wasted no time gathering user information and deploying tools for data extraction. They utilized tools like Cobalt Strike and PsExec to escalate privileges and performed reconnaissance tasks such as identifying users and network status. They also sought out other servers for lateral movement and established a new user for persistence. Subsequently, they employed the Wput utility to transfer the victim's files to their FTP server.

Their initial plan was to deploy LockBit ransomware, but the target's robust cybersecurity defenses prevented its execution. Unfortunately for the victim, the attackers had an alternative weapon at their disposal: 3AM ransomware. This malware is characterized by its encryption of files with the ".threeamtime" suffix and references to the time of day in its ransom note.

The ransom note began with an ominous message: "Hello, '3 am' The time of mysticism, isn't it? All your files are mysteriously encrypted, and the systems 'show no signs of life,' the backups disappeared. But we can correct this very quickly and return all your files and operation of the systems to [sic] original state."

In contrast to the creative ransom note, the authors displayed less innovation in the design of the malware itself. 3AM is a 64-bit executable coded in Rust, a language favored by both hackers and defenders. It attempts to terminate various security and backup-related software on the infected machine before proceeding with its primary tasks: scanning the disk, identifying specific file types, encrypting them, delivering the ransom note, and erasing any Volume Shadow Copy Service (VSS) backup copies of files that could offer a potential lifeline to the victim.

In this particular attack, the hackers only succeeded in deploying 3AM on three machines, with two of them subsequently blocking the malware. However, the third machine was compromised successfully, where LockBit had failed. While the attackers claimed to have stolen sensitive data from this machine, Symantec couldn't independently verify this claim.

When it comes to defending against ransomware attacks, especially multi-faceted ones like this, O'Brien recommends a defense-in-depth strategy. He emphasizes that organizations should focus on addressing all stages of a potential attack rather than solely concentrating on blocking the ransomware payloads. He underscores the importance of early intervention in thwarting cyberattacks, stating that "the earlier you stop an attack, the better."
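The defense-in-depth point above can be made concrete with detection that covers each stage of the chain this post describes, not just the final payload. The following is an added example, not Symantec's code or anything from the report: it runs simple stage rules over a handful of constructed endpoint events (PsExec lateral movement, a new local user for persistence, a Wput transfer to FTP, shadow-copy deletion, and file renames with the ".threeamtime" suffix) and escalates a host as soon as two distinct stages fire. The host names, command lines and the use of vssadmin as the shadow-copy deletion mechanism are this example's assumptions; only the ".threeamtime" suffix and the tool names come from the post.

```python
"""Stage-by-stage ransomware-chain detection over constructed endpoint telemetry.

Added example, not Symantec's code. Each rule covers one stage of the chain
described in the post so a host is escalated on the earlier stages rather
than only when encryption is already under way.
"""
import re
from collections import defaultdict

# Constructed sample events (Sysmon-style process and file telemetry).
# Host names, user names, paths and addresses are invented; the vssadmin
# command is an assumed (common) way of deleting shadow copies.
SAMPLE_EVENTS = [
    {"ts": "2023-09-01T02:55:10", "host": "ws-17", "type": "process",
     "cmdline": r"PsExec.exe \\fs-02 -s cmd.exe"},
    {"ts": "2023-09-01T02:57:42", "host": "fs-02", "type": "process",
     "cmdline": "net user svc_backup P@ss /add"},
    {"ts": "2023-09-01T03:01:05", "host": "fs-02", "type": "process",
     "cmdline": "wput.exe D:\\Finance ftp://198.51.100.7/"},
    {"ts": "2023-09-01T03:04:30", "host": "fs-02", "type": "process",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": "2023-09-01T03:05:01", "host": "fs-02", "type": "file",
     "path": r"D:\Finance\Q3.xlsx.threeamtime"},
    {"ts": "2023-09-01T03:05:02", "host": "fs-02", "type": "file",
     "path": r"D:\Finance\payroll.docx.threeamtime"},
    # Plain user enumeration with no /add: reconnaissance, but not persistence.
    {"ts": "2023-09-01T09:12:00", "host": "ws-03", "type": "process",
     "cmdline": "net user"},
]


def _proc(event, pattern):
    """True when the event is a process start whose command line matches pattern."""
    return event["type"] == "process" and re.search(pattern, event.get("cmdline", ""), re.I) is not None


# One rule per stage of the chain; names are this example's own labels.
STAGE_RULES = {
    "lateral_movement_psexec": lambda e: _proc(e, r"\bpsexec(64)?\.exe\b"),
    "persistence_new_user": lambda e: _proc(e, r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b"),
    "exfil_wput_ftp": lambda e: _proc(e, r"\bwput(\.exe)?\b.*\bftp://"),
    "impact_shadow_copy_deletion": lambda e: _proc(e, r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"),
    "impact_threeamtime_rename": lambda e: e["type"] == "file"
    and e.get("path", "").lower().endswith(".threeamtime"),
}


def detect_stages(events):
    """Return {host: {stage: [timestamps]}} for every event that matches a rule."""
    hits = defaultdict(lambda: defaultdict(list))
    for event in events:
        for stage, rule in STAGE_RULES.items():
            if rule(event):
                hits[event["host"]][stage].append(event["ts"])
    return {host: dict(stages) for host, stages in hits.items()}


def hosts_to_escalate(events, min_stages=2):
    """Hosts on which at least min_stages distinct stages fired, sorted by name."""
    return sorted(host for host, stages in detect_stages(events).items() if len(stages) >= min_stages)


if __name__ == "__main__":
    for host, stages in detect_stages(SAMPLE_EVENTS).items():
        print(host, {stage: len(ts) for stage, ts in stages.items()})
    print("escalate:", hosts_to_escalate(SAMPLE_EVENTS))
```

The two-stage threshold is the design choice worth noting: a single PsExec launch is ambiguous on many networks, but PsExec followed by a new local account or an outbound FTP transfer is the shape O'Brien's "stop it earlier" advice is about, and both fire before the first ".threeamtime" rename.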

EvilProxy Phishing Campaign Targets Microsoft 365 Executives Worldwide


Cybercriminals have launched an EvilProxy phishing campaign with the aim of infiltrating thousands of Microsoft 365 user accounts across the globe. 

Over a span of three months from March to June, the attackers distributed a barrage of 120,000 phishing emails targeting more than 100 organizations worldwide. The primary objective of this operation was to compromise high-ranking executive accounts, paving the way for subsequent, deeper attacks within these enterprises.

Researchers from Proofpoint have shed light on the ongoing campaign, revealing that it employs a range of phishing strategies, including brand impersonation, scan blocking, and a multi-step infection process. 

These tactics have enabled the attackers to successfully seize control of cloud accounts belonging to top-level executives. Notably, over the past half-year, there has been an alarming surge of over 100% in these takeover incidents. These breaches occurred within organizations that collectively represent 1.5 million employees globally.

The attackers leveraged the EvilProxy phishing-as-a-service platform, utilizing reverse proxy and cookie-injection methods. These techniques allowed them to bypass multi-factor authentication (MFA), which is often touted as a defense mechanism against phishing attacks. The use of tools like EvilProxy, which operate as reverse-proxy hacker tools, is making it increasingly feasible for malicious actors to overcome MFA.

Upon obtaining credentials, the attackers wasted no time in accessing executives' cloud accounts, achieving entry in mere seconds. Subsequently, they maintained control by employing a native Microsoft 365 application to incorporate their own MFA into the "My Sign-Ins" section. The favored method for this action was the "Authenticator App with Notification and Code."

Surprisingly, the researchers noted that there has been a rise in account takeovers among tenants with MFA protection. Their data suggests that at least 35% of all compromised users over the past year had MFA enabled.

The EvilProxy attack typically commences with attackers masquerading as trusted services such as Concur, DocuSign, and Adobe. They send phishing emails from spoofed addresses, purportedly originating from these services, containing links to malicious Microsoft 365 phishing sites.

Clicking on these links initiates a multi-step infection process involving redirects to legitimate sources like YouTube, followed by further redirects utilizing malicious cookies and 404 errors. This convoluted approach is designed to scatter the traffic, minimizing the chances of detection.

Ultimately, the user traffic arrives at an EvilProxy phishing framework—a landing page functioning as a reverse proxy. This page imitates recipient branding and third-party identity providers.

Despite the large number of attacks, the cybercriminals exhibited precision, specifically targeting top-tier executives. C-level executives were the focus in approximately 39% of the attacks, with 17% targeting CFOs and 9% aimed at presidents and CEOs.

The success of this campaign in breaching MFA and its extensive scale underscore the advancing sophistication of phishing attacks. This necessitates organizations to bolster their security measures and adopt proactive cybersecurity intelligence to detect anomalous activities, emerging threats, and potential vulnerabilities.

While the effectiveness of EvilProxy as a phishing tool is acknowledged, there remains a significant gap in public awareness regarding its risks and implications. 

Proofpoint recommends a series of steps to mitigate phishing risks, including blocking and monitoring malicious email threats, identifying account takeovers, detecting unauthorized access to sensitive cloud resources, and isolating potentially malicious sessions initiated through email links.
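One of the takeover signals this post gives is specific enough to detect: a sign-in from an address the executive has never used, followed within seconds by a new MFA method being registered under "My Sign-Ins". The following is an added example, not Proofpoint's code, pairing those two events over constructed Microsoft 365 sign-in and audit records. The field names and the "mfa_method_added" activity label are this example's own normalisation rather than Microsoft's log schema, and the users, addresses and timestamps are constructed.

```python
"""Pair a sign-in from an unfamiliar address with a prompt MFA-method registration.

Added example, not Proofpoint's code. Field names are this example's own
normalised form of tenant sign-in and audit records, not Microsoft's schema.
"""
from datetime import datetime, timedelta


def _t(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


# Known-good source addresses per user, e.g. learned from prior sign-in history.
# All addresses and users are constructed.
BASELINE_IPS = {
    "cfo@example.test": {"203.0.113.10"},
    "ceo@example.test": {"203.0.113.11"},
    "analyst@example.test": {"203.0.113.12"},
}

SIGNINS = [
    {"user": "cfo@example.test", "ts": "2023-06-05T08:02:11", "ip": "198.51.100.23", "result": "success"},
    {"user": "ceo@example.test", "ts": "2023-06-05T09:15:40", "ip": "203.0.113.11", "result": "success"},
    {"user": "analyst@example.test", "ts": "2023-06-05T10:00:02", "ip": "198.51.100.77", "result": "success"},
    {"user": "cfo@example.test", "ts": "2023-06-05T12:00:00", "ip": "198.51.100.23", "result": "failure"},
]

AUDITS = [
    # Authenticator registered 38 seconds after the unfamiliar sign-in.
    {"user": "cfo@example.test", "ts": "2023-06-05T08:02:49", "activity": "mfa_method_added",
     "method": "Authenticator App with Notification and Code"},
    # CEO registers a new phone from a known address: not flagged.
    {"user": "ceo@example.test", "ts": "2023-06-05T09:20:00", "activity": "mfa_method_added",
     "method": "Authenticator App with Notification and Code"},
    # Unfamiliar address but no MFA change: not flagged by this rule alone.
    {"user": "analyst@example.test", "ts": "2023-06-05T10:05:00", "activity": "password_changed"},
]


def find_takeovers(signins, audits, baseline, window=timedelta(minutes=30)):
    """Return one finding per (unfamiliar successful sign-in, MFA method added within window)."""
    findings = []
    for signin in signins:
        if signin["result"] != "success":
            continue
        if signin["ip"] in baseline.get(signin["user"], set()):
            continue
        start = _t(signin["ts"])
        for audit in audits:
            if audit["user"] != signin["user"] or audit["activity"] != "mfa_method_added":
                continue
            delay = _t(audit["ts"]) - start
            if timedelta(0) <= delay <= window:
                findings.append({
                    "user": signin["user"],
                    "ip": signin["ip"],
                    "signin": signin["ts"],
                    "method": audit["method"],
                    "seconds_to_mfa_change": int(delay.total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for finding in find_takeovers(SIGNINS, AUDITS, BASELINE_IPS):
        print(finding)
```

The rule deliberately requires both halves. A new address on its own is noisy for travelling executives, and MFA registrations happen legitimately when phones are replaced; it is the combination, with the registration landing seconds after the first sign-in, that matches the behaviour described above and is worth an automatic session revoke and review.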

SolarWinds Hackers Dangle BMWs to Eavesdrop on Diplomats


The Russia-backed group responsible for the SolarWinds attack, known as Cloaked Ursa or Nobelium/APT29, has shifted its tactics and is now targeting foreign diplomats working at embassies in Ukraine. Instead of using traditional political lures, the group is employing more personalized approaches to entice victims into clicking on malicious links.

Researchers from Palo Alto Networks' Unit 42 have been monitoring the activities of Cloaked Ursa and discovered that the initial lure in the campaign involved a legitimate flyer advertising the sale of a used BMW sedan in Kyiv. The flyer, which was originally shared by a diplomat within the Polish Ministry of Foreign Affairs, caught the attention of potential victims, particularly new arrivals to the region. 

Exploiting this opportunity, Cloaked Ursa created a counterfeit version of the flyer and sent it to multiple diplomatic missions as a bait for their malware campaign. The malicious message contained a link that promised additional photos of the car, but instead, it executed malware in the background when clicked.

The malware payload used by Cloaked Ursa is JavaScript-based and provides the attackers with a backdoor into the victim's system, enabling them to load further malicious code through a command-and-control connection. 

The group meticulously compiled its target list, using publicly available embassy email addresses for 80% of the victims and unpublished email addresses for the remaining 20%. This deliberate selection aimed to maximize their access to desired networks.

While the researchers observed the campaign being conducted against 22 out of the 80 foreign missions in Ukraine, they suspect that the actual number of targets is higher. The extensive scope of the attacks is remarkable for operations that are typically secretive and narrowly focused.

In a strategic shift, Cloaked Ursa has moved away from using job-related topics as bait and instead crafted lures that appeal to recipients' personal interests and desires. This change aims to increase the campaign's success rate by compromising not only the initial targets but also others within the same organization, extending its reach. 

The researchers noted that these unconventional lures have broad applicability across the diplomatic community and are more likely to be forwarded to other individuals within and outside the organization.

Cloaked Ursa, also known as Nobelium/APT29, is a state-sponsored group associated with Russia's Foreign Intelligence Service (SVR). The group gained notoriety for the SolarWinds attack, which involved a backdoor discovered in December 2020 and affected approximately 18,000 organizations through infected software updates.

Since then, the group has remained active, targeting foreign ministries, diplomats, and the US government, exhibiting sophistication in both tactics and custom malware development.

To mitigate APT cyberattacks like those conducted by Cloaked Ursa, the researchers provided some recommendations for diplomatic personnel. They advised administrators to educate newly assigned diplomats about cybersecurity threats specific to the region before their arrival. 

Additionally, individuals should exercise caution when downloading files, even from seemingly legitimate sources, and be vigilant about URL redirection when using URL-shortening services, as this could be indicative of a phishing attack. Verifying file extension types and avoiding files with mismatched or obfuscated extensions is crucial to prevent falling victim to phishing attempts. 

Finally, the researchers suggested that diplomatic employees disable JavaScript as a preventive measure, rendering JavaScript-based malware unable to execute.
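The advice to verify extension types and reject mismatched or obfuscated extensions can be turned into a mail-gateway or endpoint check. The following is an added example, not Unit 42's code: it compares an attachment's declared extension with its leading bytes, and flags names that hide a script or executable extension behind a document extension, a right-to-left override character, or padding spaces. The attachment names and byte strings are constructed; the JPEG, PNG, PDF and ZIP signatures are the standard ones, and the lists of document and script extensions are this example's choices.

```python
"""Attachment name and content checks, as an added example (not Unit 42's code).

Flags the mismatched and obfuscated extensions the recommendations describe:
content that does not match the declared type, document extensions used to
disguise script or executable extensions, right-to-left override characters,
and padding spaces that push the real extension out of view.
"""
import re

# Leading-byte signatures for a few common attachment types.
MAGIC = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"%PDF-": ".pdf",
    b"PK\x03\x04": ".zip",
}
ALIASES = {".jpeg": ".jpg"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr", ".lnk", ".bat", ".cmd", ".ps1"}
DOC_EXTS = {".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".zip"}
RLO = "\u202e"  # Unicode right-to-left override, which reverses the displayed tail of a name


def check_attachment(name, head):
    """Return a list of reasons to hold the attachment; an empty list means nothing was found."""
    reasons = []
    if RLO in name:
        reasons.append("right-to-left override character in name")
    exts = ["." + part for part in name.lower().split(".")[1:]]
    declared = ALIASES.get(exts[-1], exts[-1]) if exts else ""
    if declared in SCRIPT_EXTS:
        reasons.append(f"executable or script extension {declared}")
        if len(exts) >= 2 and exts[-2] in DOC_EXTS:
            reasons.append(f"document extension {exts[-2]} used to disguise {declared}")
    if re.search(r" {3,}\.[a-z0-9]+$", name, re.I):
        reasons.append("padding spaces before the real extension")
    actual = next((ext for magic, ext in MAGIC.items() if head.startswith(magic)), None)
    if actual is not None and declared != actual:
        reasons.append(f"content is {actual} but name declares {declared or 'no extension'}")
    if actual is None and declared in MAGIC.values():
        reasons.append(f"name declares {declared} but content lacks its signature")
    return reasons


def triage(attachments):
    """Map each flagged attachment name to its reasons; clean attachments are omitted."""
    flagged = {}
    for name, head in attachments:
        reasons = check_attachment(name, head)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample attachments: (name, first bytes of content).
SAMPLE_ATTACHMENTS = [
    ("BMW_sedan_photos.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),   # genuine JPEG
    ("BMW_more_photos.jpg", b"function run() {}"),               # script content, image name
    ("BMW_more_photos.jpg.js", b"function run() {}"),            # double extension
    ("BMW_photos" + RLO + "gpj.js", b"function run() {}"),       # RLO hides the .js ending
    ("price_list                   .exe", b"MZ\x90\x00"),        # padding spaces
    ("embassy_notice.pdf", b"%PDF-1.7\n"),                       # genuine PDF
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ATTACHMENTS).items():
        print(repr(name), "->", "; ".join(reasons))
```

The content check is the half that is easy to forget: a name that ends in ".jpg" is only worth trusting when the bytes start with a JPEG signature, and a file whose name is clean but whose content is script is exactly the mismatch the recommendations warn about.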