Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label cyber theft. Show all posts
Ransomware
CISO cyber theft Cyberattacks Cybersecurity Data Breach Deloitte Ransomware

Cyber Theft Hits Providence School District Data

 


On Friday, Providence Public School officials were on their way to finalizing an agreement about credit monitoring for the district's teachers and staff following a recent ransomware attack on the district's network that affected teachers and staff last Friday. Then, over the weekend, information about the theft of data from Providence Public School District (PPSD) was shown on a regular website with a video preview. 

A cybercriminal group called Medusa appears to have taken control of the dark web ransom page where the 201 gigabytes of data from the CIA were allegedly leaked by cybercriminals in September, simply because they can access it through any internet browser. The district hired an undisclosed "vendor with expertise in cyber-security" to conduct an ongoing analysis of the network and audit it on behalf of a third-party IT agency. 

This cyberattack was reported to the FBI, the Department of Homeland Security, and the Rhode Island State Police. It took the district until now to disclose the nature of the security breach, as there has been a tight-lipped stance on the matter. On Sept. 11, IT staff was instructed to shut down the entire network as a result of abnormal activity that was detected, and they wouldn't be able to provide any further details. More than a week has passed since teachers and students were unable to access online curriculum, email, or use computers. 

As the district works on forensics to determine what caused the breach, a credit monitoring agreement has been finalized with a vendor not yet identified and a letter containing information about how staff can access these services is being written for distribution to employees “very soon,” district spokesperson Jay G. Wégimont said in a letter to staff. According to BCC spokesperson Brian Hodge, the Rhode Island Attorney General’s office still has not been officially notified of the data breach and is awaiting formal notification from the company.

Upon confirmation of a breach of personal information, any municipal or government agency must notify the Attorney General's office, credit reporting agencies, and individuals affected by the breach within 30 days of the incident. In a letter from Superintendent Javier Montaez to the Providence School Board on Sept. 25, the PPSD first used the term "unauthorized access" to refer to the breach, though the term "breach" was also used in the public statement that the Providence School Board issued on September 18.

It is "encouraging" that the Providence school district is informing potentially affected employees and finalizing the credit monitoring contract as soon as possible, spokeswoman Anthony Vega said in an email sent to Rhode Island Current on Tuesday, that he received from the mayor. It was reported in an e-mail sent by a spokesperson for the Providence City Council that the council would not be able to comment. Despite requests for comment, the governor's office did not get back to the Guardian with a response. 

Despite repeated requests for comment from Rhode Island Current, Rogel has not responded to any of those requests. There seemed to be a discrepancy between the school board president's use of the term "breach" and that of the district's official language which avoided stating the exact nature of the problem. The PPSD community was informed on Sept. 12 that the district's network had experienced "irregular activity," which ultimately led computer staff to cut off internet access to the district's offices and schools across the district. 

There is still a large lack of broadband availability in Providence schools, aside from a fleet of WiFi hotspots that are being deployed to provide connectivity in the absence of a main network. There was a letter from PPSD to residents sent on Sept. 16 informing them that a forensic analysis was still being conducted and that no evidence had been found that PPSD data had been compromised.  

However, Medusa appeared to claim credit for the "irregular activity" on Monday by posting a message to their publicly accessible ransom blog claiming 41 watermarked, sometimes partially obscured screenshots that preview the contents of the 201 gigabytes of data that the hackers claim to have stolen. The hackers also included identifying information — including serial numbers of employee cell phones and parent contact information — that helped identify the content of the data.   

Medusa ransomware is an extremely dangerous malware that works quietly in the background after it has penetrated a system and accumulated exploitable data. Once the bounty has reached a sufficient amount, the database will encrypt the files to prevent users from accessing them. Ransom notes are then sent to victims demanding that they pay a ransom in exchange for the release of their files. There has also been a growing trend of "double extortion", where the hackers are not only stealing files but are also selling or releasing the data to the public if they do not receive payment.   

A ransom page indicates that, in exchange for a payment of $1 million, PPSD can retrieve or delete its data. An additional day would be added to the timer if $100,000 was paid. Based on the hackers' countdown timer, the deadline for submitting the hack will be Sept. 25 in the morning.  Deloitte, however, released a report on Monday showing that state-level IT officials and security officers are unsure about the budgets that will be allocated to their state's telecommunications network infrastructure due to the uncertainty around it. 

"The attack surface is increasing as state leaders become more reliant on information when it comes to operating government itself as the use of information is becoming more central," Srini Subramanian, a principal at Deloitte & Touche LLP, told States Newsroom in an interview. Chief information security officers (CISOs) face an increasing number of challenges, and they have to make sure that the IT infrastructure survives ever-increasing cyber threats posed by hackers. This difficulty was reflected in the survey results, which revealed that almost half of all respondents did not know their state's cybersecurity budget, which resulted from these challenges. Around 40% of state IT officers reported that they needed more money to comply with regulations or meet other legal requirements to comply with government regulations. 

Those findings were confirmed this year by a report published by Moody's Ratings in 2023, which scores and analyzes municipal bonds. Robust cybersecurity practices can reduce exposure to threats to the enterprise, but initiatives that are difficult to implement and take resources away from core business functions may pose a credit challenge, according to Gregory Sobel, a Moody analyst and assistant vice president.

One study by Moody's also revealed that 92% of local governments have cyber insurance, an unprecedented two-fold increase over the last five years, according to Moody's. It is important to note that the popularity of this system did come with higher rates: a county in South Carolina went from paying a $70,000 premium in 2021 to a $210,000 premium in 2022 for this system. Aside from the higher costs, there are also stricter stipulations on risk management practices that need to be followed before a policy can be paid, such as better firewalls, consistent data backups, and multi-factor authentication, all of which make it difficult to get it to pay out. 

During an email exchange with Rhode Island Current, Douglas W. Hubbard, CEO of Hubbard Decision Research, a consulting firm, and the author of “How to Measure Anything in Cybersecurity Risk,” informed the paper that schools should make use of the low-cost, free, or shared resources available to them to manage cyber risk more effectively.
Read more »
Passport System
Cyber Fraud Cyber Security cyber theft data misuse data security Data Theft Passport Passport System

Qantas Employee Data Misuse: Over 800 Bookings Affected by Rogue Staff

 

Qantas recently experienced a security breach involving employees of India SATS, its ground handler in India. These employees exploited their access to alter customer bookings and divert frequent flyer points into their own accounts. The fraud, which occurred in July and August 2024, impacted over 800 bookings and potentially exposed sensitive data, including passport information. 

However, Qantas has emphasized that there is no evidence that the passport data has been misused. This breach was not a result of a cyberattack but rather an instance of insider fraud. Employees of India SATS, using a partner airline’s system, changed frequent flyer details, funneling the earned points into an account they controlled. Following the breach, Qantas promptly suspended the contractors involved, restored customers’ points, and fixed the altered bookings. Qantas reassured its customers that it has implemented new restrictions on accessing bookings to prevent a similar incident in the future. It also clarified that this was not a technical hack, but rather a case of “rogue employees” abusing their position. 

A spokesperson for Qantas further stated that they are unaware of any current bookings being affected by this incident and that an ongoing police investigation is in place. The breach has raised concerns about other airlines in the Oneworld Alliance potentially being affected. However, Qantas has not confirmed any involvement of other airlines in the scandal. Despite the breach, the airline continues to assert that this was an isolated incident tied to two contractors abusing their access. This breach follows another Qantas security issue earlier in 2024, when a technical error in the MyQantas app gave customers access to other users’ accounts. 

While there was no cyberattack involved, the error allowed some customers to view booking information, frequent flyer points, and boarding passes of other users. Qantas promptly fixed the issue and reassured its customers that no financial information was compromised. In both cases, Qantas has emphasized the importance of security and quickly worked to remedy the problems. 

As cybersecurity threats continue to evolve, the airline is working to strengthen its internal systems and access controls, protecting customer data from potential breaches, whether caused by technical errors or human misconduct.
Read more »
XRP cryptocurrency
$112 million blockchain breach cryptocurrency security cyber theft Hackers Ripple Technology XRP cryptocurrency

Cybercriminals Steal $112 Million Worth of Ripple's XRP Cryptocurrency

 

On Tuesday, approximately $112 million worth of the XRP cryptocurrency, which is centered around Ripple, was pilfered by hackers from a crypto wallet, as revealed by Ripple's co-founder and executive chairman, Chris Larsen.

Larsen disclosed on Wednesday that the stolen cryptocurrency belonged to him. In a post on X (formerly Twitter), Larsen mentioned that unauthorized access occurred in some of his personal XRP accounts, distinct from Ripple. He assured that the problem was swiftly identified, and exchanges were notified to freeze the affected addresses. Law enforcement has also been engaged in the matter.

The announcement came less than an hour after crypto security researcher ZachXBT reported the hack on X. According to ZachXBT, the pilfered XRP funds had already been laundered through various crypto exchanges like Binance and Kraken. Binance acknowledged the incident, stating that they are actively supporting the investigation, and Kraken emphasized their proactive review to prevent their platform from being misused.

However, there is ambiguity regarding the ownership of the hacked wallet, whether it is linked to Ripple or not. XRPScan's on-chain data revealed that the compromised wallet was labeled "Ripple (50)" and was activated by another wallet called "~FundingWallet1" on November 5, 2018. Larsen's account activated ~FundingWallet1 on February 6, 2013, shortly after his own account, ~chrislarsen, was created.

When approached for comment, Ripple's spokesperson referred to Larsen's post and clarified that Ripple itself was not impacted. Ripple, established in 2012, aspires to be a payments and enterprise infrastructure provider, consisting of a network, protocol, and decentralized public ledger known as XRP Ledger. The value of XRP, the network's token, dropped by approximately 4% on the day of the hack.

In response to the incident, some XRP holders are urging the co-founders to disclose their crypto wallets and XRP holdings to enhance transparency. Meanwhile, others, including Thinking Crypto podcast host Tony Edward, are urging Larsen to distance himself from Ripple.

This cyber attack stands out as the most significant cryptocurrency theft in 2024 and ranks as the twentieth largest in recorded history, based on data compiled by Rekt, a website monitoring web3 and crypto breaches. In the previous year, hackers targeted approximately $2 billion in cryptocurrency, as reported by crypto security firms specializing in tracking such incidents.
Read more »
North Korean Hackers
Coin Mixer Crypto Crime Cyber Crime cyber theft North Korean Hackers

North Korean Hacking Outfit Lazarus Siphons $1.2M of Bitcoin From Coin Mixer

 

Lazarus Group, a notorious hacker group from North Korea, reportedly moved almost $1.2 million worth of Bitcoin (BTC) from a coin mixer to a holding wallet. This move, which is the largest transaction they have made in the last month, has blockchain analysts and cybersecurity experts talking. 

Details of recent transactions

Two transactions totaling 27.371 BTC were made to the Lazarus Group's wallet, according to blockchain analysis firm Arkham. 3.34 BTC were subsequently moved to a separate wallet that the group had previously used. The identity of the coin mixer involved in these transactions remains unknown. Coin mixers are used to conceal the trail of cryptocurrency transactions, making it difficult to track down the ownership and flow of funds.

The Lazarus Group's latest effort adds to its long history of sophisticated cyber crimes, notably involving cryptocurrency. The US Treasury Department has linked them to a $600 million bitcoin theft from the Ronin bridge, which is linked to Axie Infinity, a famous online game. 

Growing cryptocurrency reservoir

According to Arkham, the Lazarus Group's combined wallet holdings are currently worth approximately $79 million. This includes around $73 million in Bitcoin and $3.4 million in Ether. This huge wealth accumulation through illicit techniques exemplifies the group's persistent and expanding cryptocurrency operations.

Furthermore, a recent TRM Labs study discovered that North Korean-affiliated hackers, notably the Lazarus Group, were responsible for one-third of all cryptocurrency attacks and thefts in 2023. These operations apparently earned them roughly $600 million. 

Cyber attack patterns  

Multiple cybersecurity firms have carried out investigations into the Lazarus Group's operational tactics. Taylor Monahan, a Metamask developer, stated that the latest Orbit assault, which resulted in a loss of $81 million, was similar to prior Lazarus Group operations. Such patterns provide significant insights into their strategies and can assist in the development of more effective defensive measures for future attacks.

Over the last three years, the cybersecurity firm Recorded Future has attributed more than $3 billion in cryptocurrency breaches and vulnerabilities to the Lazarus Group. Their consistent and effective execution of high-profile cyber thefts highlights the advanced nature of their skills, as well as the challenges encountered in combatting such attacks.
Read more »
Ledger
Cyber Crime cyber theft CyberCrime Cybersecurity Cyverattacks Data exposed Ledger

Data Insights Exposes Ledger's Granular Tracking: Is Privacy at Stake?

 


An investigation by Rekt Builder has raised concerns about the extent of data collection by Ledger Live, the official software for managing Ledger hardware wallets. The developer claims that Ledger Live tracks every move users make, including the apps they install and the crypto they hold. A ledger in accounting can be described as a book of accounts. It is the second book of entry for all accounting transactions. 

A company records their classified financial information in a ledger. Transactions are recorded in the ledger in different accounts as debits and credits. The ledger is intended to provide a clear history of a business's financial health by providing an accurate account of all its transactions, both present and past. 

A ledger contains all the financial activities of a company in an orderly manner. When preparing financial statements, various active account records such as assets, liabilities, equity, income and expenses are provided as a record of the transactions or events that have occurred during a certain period. 

The ledger contains all of the accounts required to compile financial statements and is also necessary for audit purposes. The entire list of accounts is also called the chart of accounts. 

Taking to X on December 27, Rekt Builder claims that Ledger Live embeds the genuine check into the app’s listing procedure. As such, it means that whenever you plug in your Ledger device and open Ledger Live, the software checks whether the device is genuine and sends this information to Ledger’s servers. This data includes the device’s serial number, firmware version, and the list of apps installed. 

Rekt Builder also notes that Ledger Live tracks the crypto balances stored on the device. However, what’s concerning is that all this data is sent to Ledger’s servers. Accordingly, it means Ledger can access a detailed record of its clients’ crypto holdings.  

To determine whether Ledger was trailing user activity, the developer attempted to turn off the remote tracking feature in Ledger Live, but this was impossible. Any attempt to disable tracking resulted in the software breaking. This suggests that Ledger has intentionally designed Ledger Live to track user activity. Rekt Builder’s findings raise serious concerns about the privacy of Ledger hardware wallet users. 

If Ledger is tracking each move users make, then it is possible that this data could be used to identify users and track their crypto transactions. This can be dangerous because a hack into any of Ledger’s centralized servers can mean malicious agents can control critical data, which can then be used to target individuals with large holdings of Bitcoin and other coins.  


Rekt Builder also notes that Ledger Live tracks the crypto balances stored on the device. However, what’s concerning is that all this data is sent to Ledger’s servers. Accordingly, it means Ledger can access a detailed record of its clients’ crypto holdings.  

The Purpose Of A Ledger Account Business owners can focus their efforts on recording all business transactions. Such records facilitate easy tracking of income and expenses and keep client/customer accounts and records accurately maintained. These records can either be written or can be in an electronic format, i.e., accounting software.

One-off costs can have a significant impact on the projected budget for an upcoming year, which is why it is important to remove them from a budget before the correct figures are calculated. The most reasonable way to get an accurate picture of the budget is by reviewing the ledger in detail. Users can check what expenses were done and what income came through as a one-time thing. These can be overlooked at the budget preparation stage so they do not affect the upcoming budget. 

Current income and expenditure can be used to gain more precise figures. There has been a crucial debate in the cryptocurrency community regarding the delicate balance between convenience and data security as users grapple with the potential privacy risks that may be brought to light by Rekt Builder's investigation into Ledger Live. Considering all of these revelations, one must reevaluate user protections as well as transparency measures in this ever-evolving world of digital asset management.
Read more »
Securities and Exchange Commission
Cyber Security cyber theft Cyberattacks CyberCrime Securities and Exchange Commission

Demystifying the SEC's Enhanced Cybersecurity Disclosure Requirements

 


SEC (Securities and Exchange Commission) issued a regulation recently that imposes a greater level of transparency regarding cybersecurity risk management, governance, and incident reporting and response. There will be compliance requirements for public companies listed on U.S. stock exchanges starting mid-December 2023 (or early spring 2024 for small companies that meet the qualification criteria) regarding cyber risk management and incident disclosures under the rule. 

There will be an advantage to companies that proactively identify and fix vulnerabilities as a result of the new rule requiring companies to disclose features of their security programs to the public. By providing investors with information about public companies' cybersecurity risk management, the SEC aims to help them make informed investment decisions for their hard-earned money. 

A company's maturity in security can be used by investors as a market divider when it comes to its security as security becomes increasingly important to corporate governance. The regulatory authorities have taken a significant step towards improving cybersecurity disclosures for public companies by adopting new rules designed to give investors comprehensive and standardized information about how cybersecurity risks should be managed, strategies implemented, governance processes adopted, and incidents reported. 

The new rules were adopted in July 2023 following an extensive rule-making and public comment process that began back in January 2024. The rules represent an official recognition that cybersecurity threats are constantly present and impact investor decisions in several ways. 

It should be noted that the rules published by the US Securities and Exchange Commission apply only to American companies that are registrants of the SEC. The attack on the assets of US-registered companies is not restricted to assets located in the US - so incidental attacks that affect assets in other countries of SEC-registered companies are also included in the scope of this attack. 

The scope of this report excludes not only the government, but also non-SEC regulated companies (i.e. private companies who are not subject to SEC reporting requirements), and other types of organizations also. Various breach notification requirements will be implemented both within these categories as well as for others, to potentially harmonize and/or unified in some way with the SEC reporting requirements at some point in the future. 

To comply with the new rules, registrants will have to report any cybersecurity incident they determine to be material on Item 1.05 of Form 8-K and describe how the incident has materially affected the registrant and its material impact. They will also have to describe how the incident has materially affected the registrant, or whether it is reasonably likely to have materially affected the registrant.

When a registrant determines a cybersecurity incident as material, he or she will generally be required to file an Item 1.05 Form 8-K within four business days of determining that it is material. If the United States Attorney General determines that immediate disclosure poses a substantial risk to national security or public safety, and informs the Commission in writing, the disclosure may be delayed. 

In addition, Regulation S-K Item 106 has been added to the new rules, which requires that registrants explain their processes, if any, for assessing, identifying, and managing material risks resulting from cybersecurity threats, along with the material effects or reasonably likely material effects of risks resulting from cybersecurity threats and previous incidents affecting the company. 

A registrant's annual report on Form 10-K will also have to describe the board of directors' oversight of cybersecurity threats, as well as the management's role and expertise in assessing and managing material risks from cybersecurity threats. An annual report on Form 10-K will contain these disclosures, which will be required for all companies. 

Foreign private issuers are required to provide comparable disclosures for material cybersecurity incidents on Form 6-K and cyber risk management, strategy, and governance on Form 20-F by the regulations. It is always mandatory for the SEC to report material cybersecurity events that have occurred as part of general reporting requirements, however, it is only in the last few years that the timelines and nature of the reporting have become more so, and there is a ticking four-day clock on the reporting requirements. 

Taking a step back from all the rules, it is clear that the importance of visibility and continuous monitoring can’t be underestimated. Time to detection cannot be at the speed of your least experienced analyst. Platforms allow unified visibility instead of a wall of consoles. 

A robust array of telemetry must be available within the internal visibility system for breaches to be detected and stopped, as well as continuously monitored. It is clear from these new SEC rules that the risk of cyberattacks is a business risk for a great number of companies with operations outside of the US, and that means that visibility needs to extend beyond the US to other geographies as well. 

There are many ways in which companies can make proactive efforts to identify and mitigate security vulnerabilities, as well as bug bounties, that should encourage them to invest in proactive measures to ensure that vulnerabilities are identified and remedied as early as possible. 

It is documented that bug bounty can be a very effective means of preventing cyber incidents and demonstrating security maturity to investors when combined with comprehensive security safeguards. Companies that have placed a high priority on protecting their digital assets and sensitive data will stand out more and more as investors become more aware of cyber risks.
Read more »
Russia
API Artificial Intelligence BlackCat CNN cyber theft Cyberattacks CyberCrime Cybersecurity Data Breach Reddit Russia

Hackers Threatened to Leak 80GB of Data Allegedly Stolen From Reddit in February

 


An independent cybersecurity expert and CNN reviewed a post from the BlackCat ransomware gang, also known as ALPHV. The post said the group had stolen 80 gigabytes of confidential data from Reddit during a February breach and claimed to have accessed it. A cyber-security expert and CNN examined the dark web post, and the group claimed it had stolen 80 gigabytes. 

A hacker group in Russia is threatening to release Reddit data if it doesn't pay a ransom demand - as well as reverse the controversial API pricing increases. 

According to the hackers, they demand a ransom of $4.5 million and an API price hike from the company. This is if they hope to prevent data release, which was hacked. 

It appears that phishing attacks allow threat actors to gain access to the company's systems to steal internal documents, source code, employee data, and a limited amount of information about Reddit's advertising partners. 

Reddit spokesperson confirmed that "BlackCat's claims refer to a cyber incident that Reddit confirmed on February 9 as related to BlackCat's claims". During a high-targeted phishing attack carried out at the incident, hackers accessed information about employees and internal documents. 

Information about employees and internal documents was accessed through a targeted phishing attack. It is believed that the company was unaware that the passwords or accounts of customers had been stolen. 

Reddit provided no further information regarding the attack or the culprits. Nevertheless, over the weekend, BlackCat raised the stakes in the February cyber intrusion, claiming responsibility for it. It threatened to leak the "confidential" information obtained during the attack. BlackCat has not shared any evidence of data theft by the hackers, and it's unclear exactly what type of information the hackers have stolen.  

BlackCat has threatened to leak the "confidential" data but there is no sign of what it is supposed to be. They have neither provided evidence of data theft nor evidence to back up their claim. 

CTO of Reddit Chris Slowe recently talked about a security incident that happened in February, and he posted about the incident here. Throughout the post, Slowe said that, as a result of a highly targeted and sophisticated phishing attack, the company's "systems were hacked," with hackers gaining access to "some internal documents, code, and some internal business systems." The hackers only obtained employee information, according to Slowe.

In a statement to CNN on Monday, a Reddit spokesperson confirmed that BlackCat's post refers to the incident in February. No user data was accessed, according to the spokesperson, but he refused to elaborate further on the matter. 

Several Reddit forums remained dark last Monday during the planned two-day protest. This was intended to highlight the company's plan to charge steep fees for third-party apps to access the company's platform in the future. 

There are still more than 3,500 Reddit forums unresponsive a week after the attack happened. Some experts argue that BlackCat's actual motives are questionable while some are sympathetic to the protestors' cause based on the ransom note. 

This is the second Reddit data breach in six years. This time, the attackers could access Reddit data dating back to 2007. A user's username, hashed password, email address, and the content of public posts and private messages were included in that report. 

In February, hackers reportedly stole 80GB of data from Reddit and threatened to leak it in three days as part of their threat. In response to the breach, Reddit acknowledged the incident and is actively investigating the matter. A ransom demand has been made by the hackers, who have warned that if they are not paid, the thieves will release sensitive information about their victims.

As of right now, it is impossible to verify the authenticity of stolen data. There are persistent cyber threats that online platforms face daily. This incident reminds us of the importance of robust security measures against such threats. Reddit is striving to improve its privacy and security protocols, and users are advised to remain vigilant at all times.
Read more »
Royal Ransomware
BlackSuit Cyber Security cyber theft Ransomware Gang Royal Ransomware

Royal Ransomware Gang adds BlackSuit Encryptor to their Arsenal

A new encryptor named BlackSuit is currently being tested by the notorious Royal ransomware gang. This encryptor bears striking resemblances to their customary encryption tool, suggesting it may be an evolved version or a closely related variant. 

In January 2023, the Royal ransomware gang emerged as the direct successor to the infamous Conti operation, which ceased its activities in June 2022. This private ransomware group consists of skilled pentesters and affiliates hailing from 'Conti Team 1,' as well as individuals recruited from various other ransomware gangs that target enterprises. 

Since its inception, Royal Ransomware has quickly gained notoriety as one of the most active and prolific operations, carrying out numerous high-profile attacks on enterprises. Furthermore, starting from late April, there have been growing indications that the Royal ransomware operation has been contemplating a rebranding effort under a fresh identity. 

This notion gained significant momentum when the group encountered intensified scrutiny from law enforcement following their targeted attack on the City of Dallas, Texas. Feeling the mounting pressure from authorities, the ransomware group has seemingly considered the necessity of adopting a new name, potentially as part of their strategy to evade detection and evade the repercussions of their illicit activities. 

In May, a distinct ransomware operation known as BlackSuit emerged, employing its unique encryptor and Tor negotiation sites. Speculation arose suggesting that this could be the rebranded version of the Royal ransomware group as initially anticipated. However, contrary to expectations, the Royal ransomware gang has not undergone a rebranding process and continues its active assault on enterprise targets. 

While BlackSuit has been employed in a limited number of attacks, the overall identity and operations of the Royal ransomware group remain unchanged. The notion of a rebranding for the Royal ransomware group appears to have lost its viability, given the recent findings presented in a report by Trend Micro. 

The report highlights significant resemblances between the encryptors used by BlackSuit and the Royal Ransomware, rendering it challenging to persuade anyone that they are distinct and unrelated entities. Consequently, attempting to present themselves as a new ransomware operation would likely face considerable skepticism due to these noticeable similarities. 

The resemblances between BlackSuit and Royal Ransomware go beyond surface-level similarities. In-depth analysis, as outlined in the Trend Micro report, reveals a range of shared characteristics. These include similarities in command line arguments, code structures, file exclusion patterns, and even intermittent encryption techniques. 

Such consistent parallels across various aspects make it increasingly difficult to present BlackSuit as a genuinely distinct ransomware operation separate from the Royal group. These findings strongly suggest a strong connection or shared origin between the two entities.
Read more »
ProPublica
Abortion Pills cyber theft Data Breach Google Investigation ProPublica

Google Receives Sensitive Data From Abortion Pill Websites

 


Several online pharmacies are selling abortion pills online and sharing their customers' personal information, such as their search history and geolocation, with Google and other third parties. ProPublica has learned that by using this information, one can identify the users of these websites, which could be used to track them down. 

In post-Roe America, where there is no abortion, this type of private information could prove to be downright dangerous when law enforcement subpoenas such sensitive information to prosecute women who wish to end their pregnancies, even though data privacy advocates may be concerned about it. It could prove even more dangerous for women who wish to end their pregnancies in this country. 

It is not uncommon for police to not even have to use the courts if they wish to compel businesses to hand over this data. This is because executives often hand it over willingly and without a court order. 

In the aftermath of the Supreme Court's ruling in Dobbs, which overturned Roe v. Wade and ended the right to abortion, there have been more than a dozen states in the country that are now prohibiting surgical and medical abortions - aka abortion pills - across their borders. 

ProPublica analyzed the pharmacies' websites through The Markup's website privacy inspector to find out which types of trackers they are using and why they are using them. There was a report that found a minimum of nine websites selling abortion medication also collected and shared records regarding their customers. This includes other websites they visited, search terms entered, general location, and general device information. 

It is essentially the website's actual visitor data that is shared with online tools that enable websites to track visitor numbers and traffic patterns. These tools enable websites to provide live chat support and do other helpful things with the information. 

According to ProPublica's investigation, nine of the sites are sending Google data that could potentially identify users, including random numbers associated with the browser of each user, which then could be matched with other information acquired through the sites, the investigative non-profit documented.  

In total, there are nine pharmacies available for abortion-related services, including Abortion Ease, BestAbortionPill.com, PrivacyPillRX, PillsOnlineRX, Secure Abortion Pills, AbortionRx, Generic Abortion Pills, Abortion Privacy, and Online Abortion Pill Rx. 

The Register contacted several pharmacies about the issue, but no one responded. Companies dealing with abortion pills must stop sharing data with Google and Facebook immediately, said Cooper Quintin, Senior Staff Technologist at the Electronic Frontier Foundation (EFF).  

As web developers may not have thought that they were placing their users at risk when they used Google Analytics and third-party tracking, they now have to consider the risk of putting their users at risk. In the current political climate, all websites, but especially those that serve at-risk users, must consider whether assisting Google, Facebook, and others in building user profiles could lead to an extremely horrific outcome, Quintin told in a report. They can not continue acting as though Roe's decision is still the law of the land. 

It is worth noting that the EFF has not yet witnessed any instances where law enforcement agencies have used this type of information to prosecute abortion seekers or providers. According to Quintin, he is concerned that someday, the data stored on big tech platforms such as Google, Facebook, and even Facebook themselves may be used as a dragnet tool to search for women seeking abortions or other reproductive care services and prosecute them. 

If a court order is served on a tech company, they will typically turn over their users' private information and messages to the police. This is if served with a court order. It has been revealed that Google received more than 87,000 search warrants and subpoenas in 2021. 

'Purely Hypothetical and Technically Impossible,' States Google

Google does not specify whether any of these requests were related to health information in its report. The major search engine company is not afraid to take action against government demands to turn over customer data to the government. This is according to a spokesperson for the company. 

It is also prohibited for Google Analytics customers to upload any information that might give away a person's identity to Google during the process of analyzing their data. Moreover, Google has strongly disputed the conclusions of the non-profit organization. 

According to Google Analytics Product Director Steve Ganem, the allegations described in ProPublica's latest article regarding Google Analytics are purely hypothetical. They are technically impossible in the real world. 

As Ganem noted, "Google Analytics was designed specifically so that we and other third parties, including law enforcement, would be unable to identify users through Google, possibly under some circumstances." As well as that, Google also has strict policies against advertising to people who provide sensitive information on their website. 

Last year, Google promised to update the system used to track where users are located. This will ensure that trips to medical clinics and other sensitive places are automatically excluded.   
Read more »
Social Media threats
Cyber Secuirty Cyber Security cyber theft New Technology Social Media threats

Mobile App Users API Exposed

 

It was recently disclosed that thousands of social media apps are actively leaking Algolia API keys, and various other applications with hardcoded admin secrets, which allows threat actors to steal the important credentials of millions of users. 

The research analysed 600 applications on the Google Play store and it was found that 50% were leaking application programming interface (API) keys of three popular transactional and marketing email service providers. 

According to the data, 1,550 applications have been listed that disclosed Algolia API keys, of which 32 applications had hardcoded admin secrets, providing malicious actors access to pre-defined Algolia API keys. 

Malicious actors could exploit the data to read important user information, such as IP addresses, analytics data, and access details, they could also delete user information. 

As per the recent study by Salt Security, “malicious API attack traffic surged 117% over the past year, from an average of 12.22 million malicious calls per month to an average of 26.46 million calls.” 

On Monday, three famous transactional and marketing email service providers – Mailgun, Sendgrid, and MailChimp disclosed that more than 54 million mobile app users are at potential risk worldwide, including from India. 

Users from the United States have downloaded these apps the most, followed by the UK, Spain, Russia, and India, leaving over 54 million mobile app users vulnerable. 


Read more »
Technology Threats
Crypto Crime cyber theft Data Breach Gemini Users Technology Threats

Hackers Leaked Stolen Data of 5.7M Gemini Users

Gemini crypto exchange recently made an announcement this week that its customers have been victimized in a phishing campaign after a group of malicious actors collected their personal credentials by breaching a third-party vendor. 

The notification of the attack came to light after multiple posts on hacker forums observed by BleepingComputer offered to sell a database reportedly from the Gemini crypto exchange containing email addresses and phone numbers of 5.7 million customers. 

 “Some Gemini customers have recently been the target of phishing campaigns that we believe are the result of an incident at a third-party vendor. This incident led to the collection of Gemini customer email addresses and partial phone numbers...,” reads the advisory published by the crypto exchange. “…No Gemini account information or systems were impacted as a result of this third-party incident, and all funds and customer accounts remain secure.” 

The Gemini security team released a short notice in which it described the attack but did not disclose the name of a third-party vendor who suffered an "incident" that allowed unauthorized access to malicious actors. Because of the breach, customers of the company received phishing emails. 

However, as per the analysis of the attack, it has been observed that the mission of the threat actors is unknown. In the short report, the company wrote that the account information and its systems are safe from the attack and that fund and customer accounts "remain secure." 

After the attack, the company came back online after seven hours due to scheduled maintenance. "The Gemini Spaceship will undergo scheduled Exchange maintenance on Thursday, December 15th from approximately 10:00 p.m. until Friday, December 16th at 12:30 a.m. ET, and all user interfaces and trading will be unavailable during that time”, a notice on the exchange's status page read. 

Gemini advised its customers to use strong authentication methods and two-factor authentication (2FA) and/ or the hardware security keys to protect their networks and systems.
Read more »
ransomware attacks
BlackCat Cyber Attacks cyber theft Europe ransomware attacks

Ransomware Hit European Pipeline & Energy Supplier Encevo Linked to BlackCat

 

BlackCat ransomware gang claimed responsibility for the attack that occurred last week on Creos Luxembourg S.A., a company that owns and provides electricity networks and natural gas pipelines in the Grand Duchy of Luxembourg. 

In the wake of the news, cyber security researchers reported that they are currently investigating the extent of the damage done. 

Encevo, the parent company of Creos and energy that facilitates five EU countries confirmed on July 25 that the firm suffered a cyberattack over the weekend of July 22–23. The cyberattack had rendered Encevo and Creos’ customer portals inaccessible however, the services themselves remained unaffected. 

According to the reports, the BlackCat ransomware group uploaded 150GB of data on its exaction site stolen from Encevo, including contracts, bills, passports, and emails. The gang is now threatening to release and sell the data within hours if the ransom isn't paid. 

The attack majorly affected the natural gas pipeline and the energy supplier Enovos, however, Encevo assured its users that the supply would not be disrupted. The firm recommended its users update their login credentials as soon as possible, alongside, customers should also change their passwords on other websites if they are the same. 

"For now, the Encevo Group does not yet have all the information necessary to inform personally each potentially affected person. This is why we ask our customers not to contact us at the moment. Once again we apologize to our customers for the inconvenience and we do our best to restore full service as soon as possible. Creos and Enovos emphasize once again that the supply of electricity and gas are not affected and that the breakdown service is guaranteed’’, the company added. 

Reportedly, Creos has been contacted by many cyber news portals enquiring about more technical details and the consequences of the cyberattack, however, the representatives of the company did not share any information on the matter.
Read more »
data security
cyber attack Cyber Attack Exploit Cyber Attacks cyber theft data security

Hackers Using 'Brute Ratel C4' Red-Teaming Tool to Evade Detection

 

Palo Alto Networks’ Unit 42 security researchers have uncovered that Russian state-sponsored hackers are compromising the latest Brute Ratel C4 or BRc4 red-teaming and adversarial simulation/penetration software in their latest and active attacks in an attempt to stay under the radar and evade detection.

Following the attack, Palo Alto Networks Unit  42 reported that a malware sample was uploaded to the VirusTotal database on May 19, 2022, in which they found a payload associated with Brute Ratel C4, a relatively new advanced toolkit that is designed to avoid detection and response (EDR) and antivirus (AV) capabilities. 

“The sample contained a malicious payload associated with Brute Ratel C4 (BRc4), the newest red-teaming and adversarial attack simulation tool to hit the market. While this capability has managed to stay out of the spotlight and remains less commonly known than its Cobalt Strike brethren, it is no less sophisticated. Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal,” said the network in their blog. 

Cyber intelligence at the network believes that malicious actors are targeting entities worldwide, however, they are making their primary targets in South and North America. 

The researchers issued a warning in which they urged the cybersecurity fraternity to investigate the attack and look in-depth for any sign of malware, including the BRc4 tool. 

Researchers have found that the malicious payloads indicate the involvement of the Advanced Persistent Threat group 29,  The Dukes, or Cozy Bear as the tactics employed were similar to this group. CozyBear is a Russian state-sponsored malicious group that was previously involved in the devastating Solar Winds attacks in 2020.

This commercial software was released in 2020 and has since gained over 480 licenses across 350 customers. BRc4 is equipped with a wide variety of features, it provides process injection, capturing screenshots, automating adversary TTPs, uploading and downloading files, support for multiple command-and-control channels, and it also has the ability to keep memory artifacts concealed from anti-malware engines.
Read more »
Subscribe to: Posts (Atom)