Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label cybercriminals. Show all posts
Shadow AI
AI Deepfakes AI threats Cyber Security cybercriminals Cybersecurity measures IABs Open Source Ransomwares Shadow AI

Emerging Cybersecurity Threats in 2025: Shadow AI, Deepfakes, and Open-Source Risks

 

Cybersecurity continues to be a growing concern as organizations worldwide face an increasing number of sophisticated attacks. In early 2024, businesses encountered an alarming 1,308 cyberattacks per week—a sharp 28% rise from the previous year. This surge highlights the rapid evolution of cyber threats and the pressing need for stronger security strategies. As technology advances, cybercriminals are leveraging artificial intelligence, exploiting open-source vulnerabilities, and using advanced deception techniques to bypass security measures. 

One of the biggest cybersecurity risks in 2025 is ransomware, which remains a persistent and highly disruptive threat. Attackers use this method to encrypt critical data, demanding payment for its release. Many cybercriminals now employ double extortion tactics, where they not only lock an organization’s files but also threaten to leak sensitive information if their demands are not met. These attacks can cripple businesses, leading to financial losses and reputational damage. The growing sophistication of ransomware groups makes it imperative for companies to enhance their defensive measures, implement regular backups, and invest in proactive threat detection systems. 

Another significant concern is the rise of Initial Access Brokers (IABs), cybercriminals who specialize in selling stolen credentials to hackers. By gaining unauthorized access to corporate systems, these brokers enable large-scale cyberattacks, making it easier for threat actors to infiltrate networks. This trend has made stolen login credentials a valuable commodity on the dark web, increasing the risk of data breaches and financial fraud. Organizations must prioritize multi-factor authentication and continuous monitoring to mitigate these risks. 

A new and rapidly growing cybersecurity challenge is the use of unauthorized artificial intelligence tools, often referred to as Shadow AI. Employees frequently adopt AI-driven applications without proper security oversight, leading to potential data leaks and vulnerabilities. In some cases, AI-powered bots have unintentionally exposed sensitive financial information due to default settings that lack robust security measures. 

As AI becomes more integrated into workplaces, businesses must establish clear policies to regulate its use and ensure proper safeguards are in place. Deepfake technology has also emerged as a major cybersecurity threat. Cybercriminals are using AI-generated deepfake videos and audio recordings to impersonate high-ranking officials and deceive employees into transferring funds or sharing confidential data. 

A recent incident involved a Hong Kong-based company losing $25 million after an employee fell victim to a deepfake video call that convincingly mimicked their CFO. This alarming development underscores the need for advanced fraud detection systems and enhanced verification protocols to prevent such scams. Open-source software vulnerabilities are another critical concern. Many businesses and government institutions rely on open-source platforms, but these systems are increasingly being targeted by attackers. Cybercriminals have infiltrated open-source projects, gaining the trust of developers before injecting malicious code. 

A notable case involved a widely used Linux tool where a contributor inserted a backdoor after gradually establishing credibility within the project. If not for a vigilant security expert, the backdoor could have remained undetected, potentially compromising millions of systems. This incident highlights the importance of stricter security audits and increased funding for open-source security initiatives. 

To address these emerging threats, organizations and governments must take proactive measures. Strengthening regulatory frameworks, investing in AI-driven threat detection, and enhancing collaboration between cybersecurity experts and policymakers will be crucial in mitigating risks. The cybersecurity landscape is evolving at an unprecedented pace, and without a proactive approach, businesses and individuals alike will remain vulnerable to increasingly sophisticated attacks.
Read more »
kiberphant0m
BSNL data breach CERT-In Critical Data cyberattack on BSNL cybercriminals Dark web marketplace Data Breach Data protection data security kiberphant0m

U.S. soldier linked to BSNL data breach: Arrest reveals cybercrime

 

The arrest of Cameron John Wagenius, a U.S. Army communications specialist, has unveiled potential connections to a significant data breach targeting India’s state-owned telecom provider, BSNL. The breach highlights the global reach of cybercrime networks and raises concerns about the security of sensitive data across continents. 

Wagenius, stationed in South Korea, was apprehended on December 20, 2023, for allegedly selling hacked data from U.S. telecom companies. According to cybersecurity experts, he may also be the individual behind the alias “kiberphant0m” on a dark web marketplace. In May 2023, “kiberphant0m” reportedly attempted to sell 278 GB of BSNL’s critical data, including subscriber details, SIM numbers, and server snapshots, for $5,000. Indian authorities confirmed that one of BSNL’s servers was breached in May 2023. 

While the Indian Computer Emergency Response Team (CERT-In) reported the intrusion, the identity of the perpetrator remained elusive until Wagenius’s arrest. Efforts to verify the hacker’s access to BSNL servers through Telegram communication and sample data proved inconclusive. The breach exposes vulnerabilities in telecom providers’ security measures, as sensitive data such as health records, payment details, and government-issued identification was targeted. 

Additionally, Wagenius is accused of selling call records of prominent U.S. political figures and data from telecom providers across Asia. The arrest also sheds light on Wagenius’s links to a broader criminal network led by Connor Riley Moucka. Moucka and his associates reportedly breached multiple organizations, extorting millions of dollars and selling stolen data. Wagenius’s involvement with this network underscores the organized nature of cybercrime operations targeting telecom infrastructure. 

Cybersecurity researchers, including Allison Nixon of Unit 221B, identified Wagenius as the individual behind illicit sales of BSNL data. However, she clarified that these activities differ from state-sponsored cyberattacks by groups such as Salt Typhoon, a Chinese-linked advanced persistent threat actor known for targeting major U.S. telecom providers. The case has also exposed challenges in prosecuting international cybercriminals. Indian authorities have yet to file a First Information Report (FIR) or engage with U.S. counterparts on Wagenius’s case, limiting legal recourse. 

Experts suggest leveraging international treaties and cross-border collaboration to address such incidents. As the investigation unfolds, the breach serves as a stark reminder of the growing threat posed by insider actions and sophisticated cybercriminal networks. It underscores the urgent need for robust data protection measures and international cooperation to counter cybercrime.
Read more »
Smishing Scam
Cyber Security cybercriminals Data Theft Financial Theft Personal Data Shopping Scam Smishing Scam

Beware of Fake Delivery Text Scams During Holiday Shopping

 

As the holiday shopping season peaks, cybercriminals are taking advantage of the increased online activity through fake delivery text scams. Disguised as urgent notifications from couriers like USPS and FedEx, these scams aim to steal personal and financial information. USPS has issued a warning about these “smishing” attacks, highlighting their growing prevalence during this busy season.

How Fake Delivery Scams Work

A recent CNET survey shows that 66% of US adults are concerned about being scammed during the holidays, with fake delivery notifications ranking as a top threat. These fraudulent messages create urgency, urging recipients to act impulsively. According to Brian Cute of the Global Cyber Alliance, this sense of urgency is key to their success.

Victims typically receive texts claiming issues with their package and are directed to click a link to resolve them. These links lead to malicious websites designed to mimic legitimate courier services, tricking users into providing private information or downloading harmful software. The spike in online shopping makes both seasoned shoppers and those unfamiliar with these tactics potential targets.

Many scam messages stem from previous data breaches. Cybercriminals use personal information leaked on the dark web to craft convincing messages. Richard Bird of Traceable AI notes that breaches involving companies like National Public Data and Change Healthcare have exposed sensitive data of millions.

Additionally, advancements in artificial intelligence allow scammers to create highly realistic fake messages, making them harder to detect. Poor grammar, typos, and generic greetings are becoming less common in these scams, adding to their effectiveness.

How to Protect Yourself

Staying vigilant is essential to avoid falling victim to these scams. Here are some key tips:

  • Be cautious of texts or emails from unknown sources, especially those with urgent requests.
  • Verify suspicious links or messages directly on the courier’s official website.
  • Check for red flags like poor grammar, typos, or unexpected requests for payment.
  • Always confirm whether you’ve signed up for tracking notifications before clicking on links.

What to Do If You Suspect a Scam

If you believe you’ve encountered a scam, take immediate action:

  • Contact your financial institution to report potential fraud and secure your accounts.
  • Report the scam to relevant authorities such as the FCC, FTC, or FBI’s Internet Crime Complaint Center.
  • Use courier-specific contacts, like spam@uspis.gov for USPS or abuse@fedex.com for FedEx.

Consider freezing your credit to prevent unauthorized access to your financial data. Monitor your bank statements regularly for unusual activity. For added security, identity theft protection services bundled with cybersecurity tools can help detect and prevent misuse of your information.

Awareness and vigilance are your best defenses against fake delivery text scams. By following these tips and staying informed, you can shop with confidence and protect yourself from falling prey to cybercriminals this holiday season.

Read more »
spyware and malware
Cyber Attacks cybercriminals data security Data Theft NCC Group Ransomware attack Ransomwares Spyware spyware and malware

Ymir Ransomware: A Rising Threat in the Cybersecurity Landscape

 

The evolving threat landscape continues to present new challenges, with NCC Group’s latest Threat Pulse report uncovering the emergence of Ymir ransomware. This new ransomware strain showcases the growing collaboration among cybercriminals to execute highly sophisticated attacks.

First documented during the summer of 2024, Ymir initiates its attack cycle by deploying RustyStealer, an infostealer designed to extract credentials and serve as a spyware dropper. Ymir then enters its locker phase, executing swiftly to avoid detection. According to an analysis by Kaspersky, based on an attack in Colombia, Ymir’s ransomware locker employs a configurable, victim-tailored approach, focusing on a single-extortion model, where data is encrypted but not stolen.

Unlike many modern ransomware groups, Ymir’s operators lack a dedicated leak site for stolen data, further distinguishing them. Linguistic analysis of the code revealed Lingala language strings, suggesting a possible connection to Central Africa. However, experts remain divided on whether Ymir operates independently or collaborates with other threat actors.

Blurred Lines Between Criminal and State-Sponsored Activities

Matt Hull, NCC Group’s Head of Threat Intelligence, emphasized the challenges of attribution in modern cybercrime, noting that blurred lines between criminal groups and state-sponsored actors often complicate motivations. Geopolitical tensions are a driving factor behind these dynamic threat patterns, as highlighted by the UK’s National Cyber Security Centre (NCSC).

Ransomware Trends and Global Incidents

Recent incidents exemplify this evolving threat landscape:

  • The KillSec hacktivist group transitioned into ransomware operations.
  • Ukraine’s Cyber Anarchy Squad launched destructive attacks targeting Russian organizations.
  • North Korea’s Jumpy Pisces APT collaborated with the Play ransomware gang.
  • The Turk Hack Team attacked Philippine organizations using leaked LockBit 3.0 lockers.

NCC Group’s report indicates a 16% rise in ransomware incidents in November 2024, with 565 attacks recorded. The industrial sector remains the most targeted, followed by consumer discretionary and IT. Geographically, Europe and North America experienced the highest number of incidents. Akira ransomware overtook RansomHub as the most active group during this period.

State-Backed Threats and Infrastructure Risks

State-backed cyber groups continue to escalate their operations:

  • Sandworm, a Russian APT recently reclassified as APT44, has intensified attacks on Ukrainian and European energy infrastructure.
  • As winter deepens, threats to critical national infrastructure (CNI) heighten global concerns.

Ransomware is evolving into a multipurpose tool, used by hacktivists to fund operations or to obfuscate advanced persistent threats (APTs). With its trajectory pointing to continued growth and sophistication in 2025, heightened vigilance and proactive measures will be essential to mitigate these risks.

Read more »
Visual Studio Code
CyberCrime cybercriminals Cyberespionage Operation Cyberhackers CyberThreat Data Breach IT Service Operation Digital Eyes Visual Studio Code

Operation Digital Eye Reveals Cybersecurity Breach

 


It has been recently reported that a Chinese group of Advanced Persistent Threats (APTs) has carried out a sophisticated cyberespionage operation dubbed "Operation Digital Eye" against the United States.  Between the end of June and the middle of July 2030, a campaign targeting large business-to-business (B2B) IT service providers in southern Europe between late June and mid-July 2024 was reported by Aleksandar Milenkoski, Senior Threat Researcher at SentinelLabs, and Luigi Martire, Senior Malware Analyst at Tinexta Cyber. 

Several threats are targeting business-to-business IT service providers in southern Europe, according to Tinexta Cyber and SentinelLabs, both of which have been tracking these activities. As a result of assessing the malware, infrastructure, techniques used, victimology, and timing of the activities, it has been concluded that there is a high likelihood that a cyberespionage actor of the China nexus conducted these attacks. 

A group of Chinese hackers has been observed utilizing Visual Studio Code (VSCode) tunnels to maintain persistent remote access to compromised systems at large IT service providers in Southern Europe. There is no information regarding which hacker group aligned with China is behind the attacks at this time, which is complicated by the fact that many of those aligned with the East Asian nation share a multitude of toolsets and infrastructure. 

VS Code is the latest version of Microsoft's code editor that is optimized for building and debugging modern web and cloud applications that utilize modern web technologies. VS Code is a lightweight but feature-rich source code editor that runs on your desktop and is available for Windows, Mac OS X, and Linux clients. It is available on most major platforms. In addition to these built-in support technologies, it also comes with a rich ecosystem of extensions that can be used with other languages and runtimes, including JavaScript, TypeScript, and Node.js. According to companies, most breaching chains that firms observe entail using SQL injections as a first point of access for breaching systems connected to the internet, such as web applications and databases. 

To inject code into the target computer, a legitimate penetration testing tool called SQLmap was used. This tool made it possible to detect and exploit SQL injection flaws automatically. Following gaining access to the system, PHPsert was deployed, which was a PHP-based web shell that would allow them to execute commands remotely or to introduce additional payloads once they fully established access. To move laterally, the attackers used RDP and pass-the-hash attacks to migrate from one target to another, specifically using a custom version of Mimikatz ('bK2o.exe') in addition to RDP. 

Using the 'WINSW' tool, the hackers installed a portable, legitimate version of Visual Studio Code on the compromised computers ('code.exe') and set it up as a persistent Windows service to make sure it would run on every device. VSCode was configured with the tunnel parameter, enabling remote development access on the machine, and then the tunnel parameter was configured to be enabled by default. Visual Studio Code tunnels are a feature of Microsoft's Remote Development feature. 

This feature allows VSCode developers to select files on remote systems for editing and working via Visual Studio Code's remote servers. As a powerful development tool, RemoteDeveloper allows developers to run commands and access the file systems of remote devices, which makes it a viable option for developers. With the use of Microsoft Azure infrastructure for the tunnel creation and the signing of executables, trustworthy access to the network can be assured. 

"Operation Digital Eye" illustrates the concept of lateral movement using techniques linked to a single vendor or a "digital quartermaster" operating within the Chinese APT ecosystem in the form of lateral movement. During the study, the researchers discovered that the attackers used Visual Studio Code and Microsoft Azure for command-and-control (C2) to evade detection, which they considered to be a matter of good judgment. 

There has never been an observation of a suspected Chinese APT group using Visual Studio Code for C2 operations before, signalling a significant change in what China is doing about APTs. According to recent research conducted by Unit 42, it has been discovered that Stately Taurus has been abusing popular web development software Visual Studio Code in its espionage operations targeting government organizations in Southeast Asia. Defending the Chinese government from attacks by Stately Taurus, a group of advanced persistent threats (APTs) involved in cyber espionage. It seems that this threat actor relied on Microsoft's Visual Studio Code embedded reverse shell feature to gain an entry point into the target network. 

An expert in the field of security discovered this technique as recently as 2023, which is relatively new. Even though European countries and China have complex ties, there is also a great deal of cooperation, competition, and undercurrent tension in areas like trade, investment, and technology, due to the complex relationships between them. China-linked cyber espionage groups target public and private organizations across Europe sporadically to gather strategic intelligence, gain competitive advantages, as well as advance the geopolitical, economic, and technological interests of China. 

In the summer of 2024, a coordinated attack campaign dubbed Operation Digital Eye was carried out by Russian intelligence services, lasting approximately three weeks from late June to mid-July 2024. As a result of the targeted organizations' capabilities to manage data, infrastructure, and cybersecurity for a wide range of clients across various industries, they are prime targets for cyberespionage activities.

As part of Operation Digital Eye, researchers highlight how Chinese cyberespionage groups continue to pose an ongoing threat to European entities, with these actors continuing to use high-value targets as targets of espionage. Even though the campaign emphasizes the strategic nature of this threat, it is important to realize that when attackers breach organizations that provide data, infrastructure, and cybersecurity services to other industries, they gain access to the digital supply chain, allowing them to extend their influence to downstream companies. 

This exploit relies on SSH and Visual Studio Code Remote Tunnels, which were used by the attackers to execute remote commands on their compromised endpoints by using their GitHub accounts as authentication credentials and connections. By using the browser-based version of Visual Studio Code ("vscode[.]dev"), they were able to access the compromised endpoints. Despite this, it remains unclear whether the threat actors used freshly created GitHub accounts to authenticate their access to the tunnels or if they had already compromised GitHub accounts. 

In addition to mimicking, several other aspects point to a Chinese presence, including the presence of simplified Chinese comments within PHPsert, the fact that M247 provides the infrastructure for this server, and the fact that Visual Studio Code is being used as a backdoor, the last of which has been attributed to the actor who portrayed Mustang Panda. The investigation uncovered that the threat actors associated with Operation Digital Eye demonstrated a notable pattern of activity within the networks of targeted organizations. 

Their operations were predominantly aligned with conventional working hours in China, spanning from 9 a.m. to 9 p.m. CST. This consistent timing hints at a structured and deliberate approach, likely coordinated with broader operational schedules. One of the standout features of this campaign was the observed lateral movement within compromised environments. This capability was traced back to custom modifications of Mimikatz, a tool that has been leveraged in earlier cyberespionage activities. 

These tailored adjustments suggest the potential involvement of centralized entities, often referred to as digital quartermasters or shared vendors, within the ecosystem of Chinese Advanced Persistent Threats (APTs). These centralized facilitators play a pivotal role in sustaining and enhancing the effectiveness of cyberespionage campaigns. 

By providing a steady stream of updated tools and refined tactics, they ensure threat actors remain adaptable and ready to exploit vulnerabilities in new targets. Their involvement underscores the strategic sophistication and collaborative infrastructure underlying such operations, highlighting the continuous evolution of capabilities aimed at achieving espionage objectives.
Read more »
voice API
AI Security bank transfer fraud ChatGPT-4o Credential Theft cybercriminals Deepfake financial scams OpenAI Technology text-to-speech tools voice API

UIUC Researchers Expose Security Risks in OpenAI's Voice-Enabled ChatGPT-4o API, Revealing Potential for Financial Scams

 

Researchers recently revealed that OpenAI’s ChatGPT-4o voice API could be exploited by cybercriminals for financial scams, showing some success despite moderate limitations. This discovery has raised concerns about the misuse potential of this advanced language model.

ChatGPT-4o, OpenAI’s latest AI model, offers new capabilities, combining text, voice, and vision processing. These updates are supported by security features aimed at detecting and blocking malicious activity, including unauthorized voice replication.

Voice-based scams have become a significant threat, further exacerbated by deepfake technology and advanced text-to-speech tools. Despite OpenAI’s security measures, researchers from the University of Illinois Urbana-Champaign (UIUC) demonstrated how these protections could still be circumvented, highlighting risks of abuse by cybercriminals.

Researchers Richard Fang, Dylan Bowman, and Daniel Kang emphasized that current AI tools may lack sufficient restrictions to prevent misuse. They pointed out the risk of large-scale scams using automated voice generation, which reduces the need for human effort and keeps operational costs low.

Their study examined a variety of scams, including unauthorized bank transfers, gift card fraud, cryptocurrency theft, and social media credential theft. Using ChatGPT-4o’s voice capabilities, the researchers automated key actions like navigation, data input, two-factor authentication, and following specific scam instructions.

To bypass ChatGPT-4o’s data protection filters, the team used prompt “jailbreaking” techniques, allowing the AI to handle sensitive information. They simulated interactions with ChatGPT-4o by acting as gullible victims, testing the feasibility of different scams on real websites.

By manually verifying each transaction, such as those on Bank of America’s site, they found varying success rates. For example, Gmail credential theft was successful 60% of the time, while crypto-related scams succeeded in about 40% of attempts.

Cost analysis showed that carrying out these scams was relatively inexpensive, with successful cases averaging $0.75. More complex scams, like unauthorized bank transfers, cost around $2.51—still low compared to the potential profits such scams might yield.

OpenAI responded by emphasizing that their upcoming model, o1-preview, includes advanced safeguards to prevent this type of misuse. OpenAI claims that this model significantly outperforms GPT-4o in resisting unsafe content generation and handling adversarial prompts.

OpenAI also highlighted the importance of studies like UIUC’s for enhancing ChatGPT’s defenses. They noted that GPT-4o already restricts voice replication to pre-approved voices and that newer models are undergoing stringent evaluations to increase robustness against malicious use.
Read more »
Online Security
cookie theft Cookies Cyber Security cybercriminals FBI Hacking https MFA Bypass Online Security

FBI Warns of Cybercriminals Stealing Cookies to Bypass Security

 

Cybercriminals are now targeting cookies, specifically the “remember-me” type, to gain unauthorized access to email accounts. These small files store login information for ease of access, helping users bypass multi-factor authentication (MFA). However, when a hacker obtains these cookies, they can use them to circumvent security layers and take control of accounts. The FBI has alerted the public, noting that hackers often obtain these cookies through phishing links or malicious websites that embed harmful software on devices. Cookies allow websites to retain login details, avoiding repeated authentication. 

By exploiting them, hackers effectively skip the need for usernames, passwords, or MFA, thus streamlining the process for unauthorized entry. This is particularly concerning as MFA typically acts as a crucial security measure against unwanted access. But when hackers use the “remember-me” cookies, this layer becomes ineffective, making it an appealing route for cybercriminals. A primary concern is that many users unknowingly share these cookies by clicking phishing links or accessing unsecured sites. Cybercriminals then capitalize on these actions, capturing cookies from compromised devices to access email accounts and other sensitive areas. 

This type of attack is less detectable because it bypasses traditional security notifications or alerts for suspicious login attempts, providing hackers with direct, uninterrupted access to accounts. To combat this, the FBI recommends practical steps, including regularly clearing browser cookies, which removes saved login data and can interrupt unauthorized access. Another strong precaution is to avoid questionable links and sites, as they often disguise harmful software. Additionally, users should confirm that the websites they visit are secure, checking for HTTPS in the URL, which signals a more protected connection. 

Monitoring login histories on email and other sensitive accounts is another defensive action. Keeping an eye on recent activity can help users identify unusual login patterns or locations, alerting them to possible breaches. If unexpected entries appear, changing passwords and re-enabling MFA is advisable. Taking these actions collectively strengthens an account’s defenses, reducing the chance of cookie-based intrusions. While “remember-me” cookies bring convenience, their risks in today’s cyber landscape are notable. 

The FBI’s warning underlines the importance of digital hygiene—frequently clearing cookies, avoiding dubious sites, and practicing careful online behavior are essential habits to safeguard personal information.
Read more »
Technology
Cyberattacks cybercriminals Cybersecurity CyberThreat Federal Agencies Lazarus Groups North Korean Technology

Federal Agencies Move Against North Korea’s Cybercrime Profits

 


The media have reported that the US government has filed yet another lawsuit to recover nearly $2.69 million worth of stolen digital assets from North Korea's notorious Lazarus hacking group. It was filed on October 4, 2024, and concerns funds taken from two of the largest cryptocurrency heists in 2022 and 2023: the Deribit hack and the Stake.com hack. 

Court documents indicate that the police are pursuing about $1.7 million from the options exchange Deribit in an incident that resulted in a loss of $28 million, which is the amount of Tether (USDT) that was stolen. First of all, we have to deal with a lawsuit filed by a North Korean criminal group relating to the 2022 Deribit hack that saw nearly $28 million drained from the hot wallet of the cryptocurrency exchange. 

For covert purposes, the crooks attempted to launder the money through a combination of virtual currency exchanges, the Tornado Cash mixer, and virtual currency bridges as a means of obscuring their identity. It was thought that the hackers were concealing their actions and laundering the stolen money by using the Tornado Cash mixer and multiple Ethereum addresses that were used by the hackers. 

Avalanche-bridged-Bitcoins (BTC.b) are also being sought by the government as compensation for the loss of revenues from a $4.1 million hacking of the Stake.com gambling platform, which led to a loss of 970,000 Avalanche-bridged-Bitcoins (BTC.b). In these cases, we have only seen a few examples of the alleged activities of the Lazarus Group when it comes to cybercrime. Several blockchain analysts have also implicated this group in the hacking of WazirX in July 2024, which ultimately led to victims losing an estimated $235 million to the hacker group. 

According to a report published by ZackXBT, a blockchain research and investigative team in August, North Korean developers were suspected of hacking into at least 25 cryptocurrencies using fake identities, modifying the code, and taking directly from their Treasury accounts with the use of fake identities. Recently, the FBI has been stepping up its warnings regarding the activities of the Lazarus Group in a bid to alert citizens. 

A report by The Electronic Frontier Foundation on September 20, 2024, exposed some of the highly sophisticated social engineering techniques used by the cybercrime group. These techniques may include cunningly constructed fake job offers, which have been designed to trick users into downloading malicious software masquerading as employment documents to steal data from their computers. 

Approximately a year after the Lazarus Group, an online gambling and casino site, was alleged to have stolen $41 million from Stake.com, it has again been reported. As a result of that heist, a second lawsuit has been filed against the thief. It was discovered that North Koreans and their money laundering co-conspirators stole roughly tens of millions of dollars worth of virtual currency by hacking into Stake.com's computer systems. 

It is explained in the forfeiture action notes [PDF] that the stolen funds were transferred through virtual currency bridges, multiple BTC addresses, and virtual currency mixers before consolidation and depositing at various virtual currency exchanges were conducted. The Lazarus Group moved this stolen cryptocurrency through Bitcoin mixers Sinbad and Yonmix, which were used to handle the move. In the aftermath of the North Korean heist, Sinbad has been sanctioned by the US government because he laundered millions of dollars in return for the money. 

According to court documents, law enforcement was able to freeze assets from seven transactions. However, the North Koreans were able to transfer a majority of the stolen funds to the Bitcoin blockchain to avoid being tracked, the documents say. The FBI recovered another .099 BTC, or approximately $6,270, from another exchange in a further investigation.
Read more »
Microsoft
cybercriminals Hacking malware Malware attacks Microsoft

Hackers Exploit Visual Studio Code as a Remote Access Tool, Researchers Find

 

In a new wave of cyberattacks, hackers are using Microsoft’s Visual Studio Code (VSCode) as a remote access tool to gain unauthorized entry into computers, according to Cyble Research and Intelligence Labs. Visual Studio, a popular integrated development environment (IDE) for app development on the .NET framework, supports languages like C#, VB.NET, and C++. 

While the tool is widely used for legitimate purposes, cybercriminals have now found a way to exploit it for malicious activities. The attack begins with a seemingly harmless file, a malicious “.LNK” shortcut, which is likely spread through spam emails. Once opened, the file displays a fake “Installation Successful” message in Chinese. 

In the background, however, it secretly downloads a Python package named “python-3.12.5-embed-amd64.zip” and creates a directory on the target system. This malicious file then executes an obfuscated Python script (update.py) from the online source paste[.]ee, which was not detected by the VirusTotal scanning service. 

To maintain access, the malware sets up a scheduled task, “MicrosoftHealthcareMonitorNode,” which runs every four hours or when the computer starts, using SYSTEM-level privileges. If the system does not have VSCode already installed, the malware fetches the Visual Studio Code Command Line Interface (CLI) from Microsoft’s servers. 

This tool is then used to open a remote tunnel that enables the attackers to generate an 8-character activation code, giving them unauthorized remote access to the victim’s computer. Once access is established, the malware gathers sensitive system information, such as data from critical directories, running processes, user details, and even geographical locations. 

With this, hackers can fully control the victim’s machine, accessing files, directories, and the terminal. This discovery highlights the growing sophistication of cyberattacks and emphasizes the need for vigilance, especially with common developer tools like VSCode. Users are advised to be cautious of unexpected email attachments and ensure their systems are protected against such threats.
Read more »
Technology
Checkmarx Crypto Crypto Wallets cryptocurrency CyberCrime cybercriminals Cyberthreats PyPI Technology

PyPI Hosts Malicious Tools Targeting Crypto Wallets

 


During an investigation conducted recently, it was discovered that several malicious packages masquerading as services for recovering cryptocurrency wallets were found in the Python Package Index repository, revealing that they were spying on sensitive personal information and helping to steal cryptocurrency. A Checkmarx researcher described the attack as targeting Atomic, Trust Wallet, Metamask, Ronin, TronLink, Exodus, and many other prominent wallets within the crypto ecosystem in a report released on Tuesday. 

It was found that the packages presented themselves as tools that could extract mnemonic phrases and decrypt wallet data, suggesting that they could provide value to cryptocurrency users who are looking to recover or manage wallets" As long as cryptocurrencies remain a prime target for cybercriminals, they will continue to thrive in the ecosystem. 

The recent discovery of malicious packages located on the Python Package Index (PyPI) repository in the Python distribution has led to several tools that masquerade as tools that can help recover and manage crypto wallets. It is a fake tool that is used to steal sensitive information from users and facilitate the theft of valuable digital assets, among other things. 

According to Checkmarx researchers, there have been several malicious Python packages found on PyPI that attack users of leading cryptocurrency wallets like Atomic, Trust Wallet, MetaMask, Ronin, TronLink, and Exodus, as well as other popular apps. According to Checkmarx, the names of the packages in the Cryptocurrency ecosystem packages are deliberate efforts aimed at luring developers who are active in cryptocurrency ecosystems. 

The package descriptions on PyPI also came with links to installation instructions, examples on how to use them, and in one case, even an explanation of the "best practices" for virtual environments for installation. Again, this was meant to lend legitimacy to the libraries. Furthermore, the threat actor behind the campaign did more than simply deceive users about the popularity of the packages within the campaign, as they also displayed false download statistics, creating the impression that the packages were trustworthy and popular. 

In the identified PyPI packages, there was a dependency called cipherbcryptors that was required for the malicious code to be executed while in a few other cases, the Malware relied on ccl_leveldbases, which seemed to be an attempt to obfuscate the functionality by using another package. This is an important point to note in the case of the malicious functionality in the packages since the malicious functionality is only activated when certain functions are called, which is a departure from the typical pattern where such behaviour would be activated automatically by the installed package upon installation. 

An end-to-end process is then used to exfiltrate the data from the remote server into the hinterland. As Gelb explains, the attacker deployed an additional layer of security as he did not hard-code the address of their command-and-control server into any of the packages that were distributed. They had to rely on external sources to retrieve the information in a dynamic way rather than using internal resources. A technique commonly referred to as a dead drop resolver provides attackers with the flexibility to update the server information without having to update the packages themselves to take advantage of this type of attack. 

Furthermore, should the servers have to be taken down, it will make the process of switching between server infrastructures as simple as possible. This information has been collected to determine whether the attackers as part of their strategy to lure developers and end users will be successful. The author provides a great deal of information about the packages, including detailed descriptions, installation instructions, usage examples, and even best practices for running virtual machines at home. The hackers also manipulated download statistics to mislead the users into believing that the program was popular and trustworthy. 

It is noteworthy that the attackers used a technique known as a dead drop resolver to retrieve the addresses of their command and control servers efficiently. As a result of not hard-coding the server addresses within the packages, they will be able to update information about the servers without having to push new package versions, so security measures will be unable to detect and block the server updates. There was a recent discovery of fake crypto wallet recovery tools on PyPI. This underlines how cybercriminals are continuously evolving their tactics to target cryptocurrency and the crypto sector as a whole. 

The developers and users are equally responsible for safeguarding their digital assets, ensuring they are vigilant, practising due diligence when installing software packages, and utilizing security solutions such as Vulert to protect their assets. According to details revealed in August 2024, CryptoCore, an elaborate cryptocurrency scam that uses fake videos or hijacked accounts on social media platforms such as Facebook, Twitch, X, and YouTube as a method of tying users into selling their crypto assets under the guise of fast and easy profits, has been operating since August 2024. 

"This scam group and its giveaway campaigns will deceive users into sending their cryptocurrencies to the scammers' wallets by using deepfake technology, hijacked YouTube accounts, and professionally designed websites to deceive them into sending their cryptocurrencies to the scammers' wallets," Avast researcher Martin Chlumecký said. The most common way for scammers to convince potential victims that messages or events published online are official communications from trusted social media accounts or event pages is to persuade them to believe what is being posted online can be trusted. As a result, they can profit from the trust attached to the chosen brand, person, or event. 

Last week, a rogue Android app was impersonating the genuine WalletConnect protocol, which was used by the malware to steal around $70,00 in cryptocurrency by initiating fraudulent transactions from infected devices, as revealed by Check Point.
Read more »
MoneyGram
Cyber Security Cyberattacks cybercriminals Cyberhackers Cyberthreats Data Leak Threat MoneyGram

MoneyGram Faces Service Disruption Amid Cybersecurity Threat

 


A cyberattack that began on September 20 impacted MoneyGram International Inc.'s services significantly, likely due to a ransomware attack, causing significant disruptions to its services. There were reports of outages affecting company networks, and by September 23, the company was able to confirm that the problem had come from a cybersecurity vulnerability. 

It took MoneyGram's systems offline to prevent further damage, consulted with cybersecurity experts, and informed law enforcement authorities about its efforts as it worked to restore normal operations as soon as possible. After widespread outages, MoneyGram's website and several of its services were restored after widespread outages that impeded millions of people from sending money to families around the world due to widespread outages. As MoneyGram announced on X, it immediately launched an investigation. 

It took preventative steps to address the situation, including working with leading cybersecurity experts and coordinating with law enforcement agencies to address it. As a follow-up to Wednesday's note from MoneyGram, the company explained on Wednesday that several of its partners were now "available for sending and receiving money, as well as fulfilling pending transactions as part of MoneyGram's restoration process." 

MoneyGram's app and several MoneyGram locations remain inaccessible for millions of customers and businesses across the globe, preventing them from transferring funds or processing transactions. To ensure safety, several systems of the company were taken offline as a precaution, causing many countries to experience extended service disruptions. 

As MoneyGram processes over 120 million transactions a year, the company's enormous customer base has been significantly impacted by the incident, however, the full extent of the damage has yet to be determined. There has not been any official confirmation as to whether ransomware was involved in the attack, despite the company working closely with cybersecurity experts and law enforcement. 

There was still no news on Tuesday as to when MoneyGram's website might be up and running, and there was no update on when it would be fully operational again. There are more than $200 billion in transactions processed by MoneyGram each year, serving thousands of individuals and businesses around the world. 

In addition to disrupting financial services, a cyberattack of this scale also risks exposing sensitive customer information that can be used to identify customers. There have been increasingly frequent ransomware attacks against financial institutions, and these incidents highlight the vulnerability of digital payment networks, along with their potential for causing significant economic disruption when some of these attacks are successful. 

Modern businesses are often faced with several immediate threats that can disrupt their operations, such as ransomware attacks, that can disrupt operations to the point of total failure. Whenever sensitive data and critical system components are taken over, an organization will find that its operations are crippled as a result.   ‍As a result, the impact of the incident goes beyond the direct disruption to the company's operations only. 

The revenue loss, opportunities missed, and damage to the company's reputation are only a few of the consequences.   Despite the warnings from experts, MoneyGram is likely to sustain serious financial and reputational damage as a result of this disruption. It is estimated that over 120 million transactions are processed each year, making even a few days of downtime damaging the company's reputation, customer trust, and even the company's reputation for security. 

The impact of downtime can be seen as significant, according to cybersecurity experts. The chief product officer at Aryaka Networks Inc.'s integrated secure access service edge company, Renuka Nadkarni, said, "Breach into critical infrastructure such as this can have devastating effects on both organizations and their users."

There are some cases where MoneyGram processes up to 120 million transactions annually from tens of millions of users, according to Nadkarni. MoneyGram is the world's second-largest money transfer company. As there are millions of users and transactions involved, even a few days of downtime can have severe consequences in terms of financial losses and damage to the company's reputation as well as customer trust." 

Research conducted by the International Monetary Fund (IMF) has indicated that, since the onset of the Pandemic a decade ago, the frequency of cyberattacks has more than doubled. It should be noted that despite modest direct losses from these incidents in the past, the overall financial impact that they have had has been significant. 

An example of such a breach is the breach involving Equifax, one of the largest credit reporting agencies in the United States in 2017 that resulted in the payment of over $1 billion in penalties. It is becoming increasingly clear that cyber incidents come with several potential risks. Since 2017, the International Monetary Fund has reported that extreme losses from cyberattacks have quadrupled, reaching an estimated $2.5 billion in damages. 

In the absence of effective cybersecurity management, indirect costs can far exceed those of direct financial losses, such as reputational damage and the need for additional security measures. This demonstrates the importance of managing cybersecurity efficiently at all costs. As a result, cyber attacks against financial institutions account for nearly 20% of all incidents in the financial sector, making them one of the most vulnerable sectors to cybercrime. 

It is often found that banks are the most frequently targeted group due to the sensitive nature of their operations which makes them a prime target. In the event of a successful cyberattack, public confidence in the financial system could be undermined, essential services may be disrupted, and additional consequences may be experienced by other institutions as a consequence. 

It was reported by Security Week that Zscaler, in its ThreatLabz 2024 Ransomware Report, is aware of a company that is known to have paid a record-breaking $75 million ransom to Dark Angels, an organized ransomware group reputed to be based in Russia. According to the company's report, between April 2023 and April 2024, the company collected data demonstrating an 18% increase year-over-year in the number of ransomware attacks recorded. 

There has been a record-breaking ransom payment made in early 2024, according to Wyse Cyber, according to the company, and the victim has not been identified. A report released by Zscaler estimates that $75 million is nearly double the highest publicly known ransom payment that has ever been paid. With thousands of millions of users in over 200 countries having been affected by MoneyGram's outage, this has caused significant disruptions for the company's vast customer base. 

MoneyGram is the world's second-largest money transfer company, coming in second only to Western Union in total money transfers each year, with over 120 million transactions processed. Customers have been experiencing issues sending or receiving payments in recent days, which has raised concerns about the prospect of a data breach, and the impact this may have on the company's reputation long-term. 

MoneyGram has assured its customers that restoring services is its top priority. However, the company has not provided a specific timeline for when full functionality will be restored. In the interim, users are left in a state of uncertainty, awaiting updates regarding when they will be able to regain access to their funds and finalize any pending transactions. 

Despite MoneyGram's efforts to resolve the issue, the lack of a clear timeframe continues to affect customers, many of whom rely on the platform for essential financial transfers.
Read more »
RansomHub
Cyber campaign Cyberattackers CyberCrime cybercriminals Cybersecurity CyberThreat NoName Hackers Ransomaware RansomHub

NoName Hackers Use RansomHub in Recent Cyber Campaigns

 


Despite active attacks by gangs such as the NoName ransomware group, which has targeted small and medium-sized businesses worldwide for the past three years, the group has continued to grow by using custom malware and evolving its attack methods. A recent link pointing to NoName has led to the conclusion that the group is no longer independent, but is now affiliated with RansomHub. As a result of this development, cyber security levels worldwide are in danger, especially for small and medium-sized businesses. 

A new affiliate has now joined extortion group RansomHub, an up-and-coming online criminal extortion group, and its main claim to fame so far has been impersonating LockBit ransomware-as-a-service, which is based out of the Netherlands. It has been well-documented that NoName exploits vulnerabilities that date back many years. 

Over the last three years, it has been well documented that the NoName ransomware gang, also known as CosmicBeetle, has been creating waves worldwide by targeting small and medium-sized businesses. Recent observations have shown that the gang is making use of a new type of malware called RansomHub to carry out its crimes. For gaining access to networks, the gang uses a variety of custom tools, including those from the Spacecolon malware family, which it acquired from cybercriminals. 

A number of the tools that are used to distribute these tools use brute force methods to deploy them and exploit known vulnerabilities such as EternalBlue (CVE-2017-0144) and ZeroLogon (CVE-2020-1473). In recent attacks, the NoName gang has been using the ScRansom ransomware to encrypt documents and digital files, replacing the Scarab encryptor that it had previously used. Additionally, the gang has already begun experimenting with the leaked LockBit 3.0 ransomware builder, creating a similar site for leaking data and issuing similar ransom notes based on the design of the released code. 

A cybersecurity company called ESET has been tracking the activities of the NoName gang since 2023, which is almost four years ago. Even though ScRansom is less sophisticated than other ransomware threats, but still poses a significant threat to the operating system, it has been observed to develop and become more sophisticated over time. Several aspects of ScRansom are complex, including AES-CTR-128 encryption and RSA-1024 decryption, causing problems when decrypting the files sometimes. It has been reported that victims received multiple decryption keys but are still unable to recover all the files they lost. ScRansom allows attackers to take advantage of different speed modes for partial encryption, allowing them flexibility. 

A 'ERASE' mode can be also operated to replace the contents of the file with a constant value, thereby ensuring that the contents cannot be recovered. With ScRansom, file encryption is possible across all drives and the operator can decide what file extensions to encrypt, and what folders they want to encrypt. ScRansom kills several processes and services on the Windows host before the encryptor fires. These include Windows Defender, the Volume Shadow Copy service, SVCHost, RDPclip, and LSASS, as well as processes related to VMware tools. There are several encryption schemes used by ScRansom to protect the public key, and one of them is AES-CTR-128 which is combined with RSA-1024 to generate an extra AES key for security reasons. 

As a result of the multi-step process, there are times when errors occur in this process that can lead to the failure of the decryption process. As a result of executing the ransomware on the same device a second time, or in a network with multiple systems running different versions of the virus, new sets of unique keys will be generated for every victim, making the entire decryption process rather difficult to perform. Furthermore, in addition to brute force attacks that are used by the NoName gang to gain access to networks, several other vulnerabilities are exploited by them that are common in SMB environments. CVE-2017-0144 (also known as EternalBlue), CVE-2023-27532 (a vulnerability in Veeam Backup & Replication), CVE-2021-42278 and CVE-2021-42287 (AD privilege escalation vulnerabilities) through noPac, CVE-2022-42475 (a vulnerability in FortiOS SSL-VPN), and CVE-2020-1472 (also known as Zerologon) are some of the vulnerabilities. 

With ScRansom's file encryption capabilities, it can encrypt files on all types of drives, including fixed, remote, removable, and cloud storage, and allows users to personalize the list of file extensions they wish to encrypt. When ESET researchers were investigating a ransomware attack that began with a failed ScRansom deployment in early June, they discovered that the threat actor executed on the same machine less than a week later. 

The EDR killer tool, which provides privilege escalation and the ability to disable security agents by deploying legitimate and vulnerable drivers on targeted computers, was a tool that was released by RansomHub shortly after. The compromised computer was ransomware-encrypted two days later, on June 10, by the hackers who used the RansomHub ransomware. There was an interesting way of extracting the EDR killer described by the researchers, one that was characteristic of CosmicBeetle rather than RansomHub's affiliates. 
 
It was noted that there has been no leak in the past of the RansomHub code and its builder, so ESET researchers were "pretty confident" that CosmicBeetle was enrolled as a new RansomHub affiliate. Even though ESET does not claim to have any affiliation with RansomHub, they do state that the Ransom Encrypter is being actively developed by their engineers.
Read more »
Senior Citizen Scam
₹6 Crore Scam 85-Year-Old Woman Cyber Fraud CyberCrime cybercriminals Digital Arrest Financial Fraud Hyderabad Fraud Senior Citizen Scam

Cybercriminals Place 85-Year-Old Woman Under 'Digital Arrest' in Hyderabad, Cheat Her of ₹5.9 Crore

 

Cybercriminals recently targeted an 85-year-old woman from the city, subjecting her to what can be described as a 'digital arrest' and extorting a staggering ₹5.9 crore from her. This elaborate scam involved convincing the elderly woman that her Aadhaar details were allegedly linked to serious money laundering cases involving Bollywood actress Shilpa Shetty and Jet Airways founder Naresh Goyal. 

The fraudsters, posing as officials from the Mumbai Cybercrime Wing, manipulated the woman into believing that her bank accounts and fixed deposits were under investigation and needed immediate verification by the Reserve Bank of India (RBI). Under this false pretext, they coerced her into transferring significant sums of money into specific accounts that they claimed were set up by the RBI for verification purposes.

When the woman attempted to contact her son for advice, the criminals threatened her, insisting that the matter was of utmost confidentiality. They warned that any attempt to inform her family would lead to severe consequences, including potential legal trouble for her son and the entire family. 

The incident came to light when her son, a software professional based in Bengaluru, visited her after about a week. He noticed her distress and learned of the fraudulent activities. Realizing his mother was in a state of psychological manipulation and fear, he immediately contacted the Telarigarra Cyber Security Bureau (TGCSB) to report the crime.

Fearful for her family's safety, the woman complied with their demands, transferring large sums into various accounts. It was only when her son arrived and intervened that the ongoing fraud was halted. He quickly reassured his mother, explaining that she had been deceived, and together, they reported the incident to the authorities. The police are now investigating the case, and efforts are underway to trace the criminals responsible for this heinous act.
Read more »
Mobile Encryption
Cyber Security Cyberattacks CyberCrime cybercriminals CyberThreat Europol Mobile Encryption

Mobile Encryption Innovation Aids Criminals, Europol Reports

 


Europol has proposed solutions to address some of the challenges posed by privacy-enhancing technologies found in Home Routing, which pose a challenge for law enforcement agencies in intercepting communications during criminal investigations as a result of these technologies. There was a previous report by the agency in its Digital Challenges series in which it discussed the difficulty of gathering admissible evidence during investigations due to end-to-end encryption on communication platforms. 

This is the name given to an in-home routing system used by telecommunications companies to allow customers to send traffic to their home network, from calls, messages, and internet data, even when they are away from home. In a new report that was published by the EU Innovation Hub for Internal Security, it was examined how users can uphold citizens' privacy while simultaneously facilitating criminal investigations and prosecutions. 

There is no doubt that encryption is one of the most important means by which private communications may be protected. Meanwhile, it is also conducive to allowing threat actors to always remain hidden from the eyes of law enforcement to carry out their malicious activities. Companies must understand the needs, challenges, and priorities of their stakeholders within the Justice and Home Affairs (JHA) community to take the necessary measures to preserve the fundamental rights of the citizens of Europe while maintaining a safe environment. 

The privacy-enhancing technologies (PETs) that can be applied in Home Routing support data encryption at the service level, and the devices that are subscribed in the home network exchange session-based keys with the provider. In the case of the home network provider using PET technology, all traffic remains encrypted, as the key is inaccessible to both the home network's backend and the visiting network, which serves as a forwarder. It is due to this setup that authorities are prevented from obtaining evidence through the use of local Internet service providers (ISPs) as part of lawful interception activities. 

It explains that by implementing Home Routing, any suspect using a foreign SIM card cannot be intercepted after that device is deployed, says the European agency in a press release. If this is the case, then it may be necessary for police forces to rely on the cooperation of foreign service providers or issue a European Investigation Order (EIO), which can take significantly longer than it would normally take to complete an investigation, especially in cases where emergency interceptions are required; for example, replying to an EIO can take up to four months in most cases. 

There is no doubt that criminals are aware of this loophole in the law and are exploiting it to avoid being caught by law enforcement in their respective countries, as summarized by the European agency. The European Union's law enforcement agency Europol is appealing to stakeholders to consider two possible solutions that would effectively eliminate delays and procedural frictions associated with lawful communication interceptions. 

One of the first variants being considered is the enforcement of a regulation in the European Union that disables PE in the home routing protocol. It will be possible for domestic service providers to intercept calls made by individuals who are using foreign SIM cards but they will not have to share information about the person of interest with outside parties. A spokesperson for the agency said that by using this solution, both roaming subscribers, as well as subscribers in their local area, will be able to take advantage of the same level of encryption as communication through their national SIM card. 

However, subscribers abroad do not benefit from the added encryption of their home country, which is included in the subscription package. Furthermore, there is a second proposal where companies propose implementing a cross-border mechanism that allows law enforcement agencies within the European Union to issue interception requests that are promptly handled by the service providers to assist law enforcement agencies. Europol has identified two potential solutions to address the challenges posed by Home Routing and mobile encryption in criminal investigations. 

The first solution allows Privacy-Enhancing Technologies (PET) to be enabled for all users. However, this could result in a service provider in another EU member state learning about individuals of interest in an investigation, which may not be desirable. The second proposed solution involves establishing a mechanism for rapidly processing interception requests from service providers in other EU member states. Europol emphasizes that these two solutions are merely possible avenues for safeguarding and maintaining existing investigatory powers. 

The agency's goal is to highlight the impact that Home Routing encryption has on investigations, urging national authorities, legislatures, and telecommunications service providers to collaborate in finding a viable solution to this problem.
Read more »
Ransomware attack
Cyber Attacks cybercriminals data security healthcare sectors LockBit Malware attacks Ransom Demand Ransomware attack

Comparitech Report Reveals Average Ransom Demands of Over $5.2 Million in Early 2024

 

In the first half of 2024, the average ransom demand per ransomware attack reached over $5.2 million (£4.1 million), according to a new analysis by Comparitech. This figure is derived from 56 known ransom demands issued by cybercriminals from January to June 2024. 

The largest of these demands was a staggering $100 million (£78.9 million) following an attack on India’s Regional Cancer Center (RCC) in April 2024. The second-highest confirmed demand was issued to UK pathology provider Synnovis, with attackers demanding $50 million (£39.4 million). This incident led to the cancellation of thousands of operations and appointments at hospitals in South East England, with the Qilin group claiming to have stolen 400GB of sensitive NHS patient data. The third-highest ransom demand in the first half of 2024 targeted Canadian retailer London Drugs in May 2024, with the LockBit group demanding $25 million (£19.7 million). 

Overall, Comparitech’s researchers logged 421 confirmed ransomware attacks during this period, impacting around 35.3 million records. These figures mark a reduction compared to the same period in 2023, which saw 704 attacks affecting 155.7 million records. However, disclosures for the first half of 2024 are ongoing, so these figures may increase. Comparitech also noted an additional 1,920 attacks claimed by ransomware gangs but not acknowledged by the victims. Private businesses experienced the highest number of incidents, with 240 attacks affecting 29.7 million records. 

The government sector followed with 74 attacks impacting 52,390 records, and the healthcare sector reported 63 attacks affecting 5.4 million records. LockBit remains the most prolific ransomware group, responsible for 48 confirmed attacks in the first half of 2024, despite a significant law enforcement operation that temporarily disrupted its activities in February. Following a brief period of dormancy, LockBit resurfaced as the most prominent ransomware group in May 2024, according to an analysis by NCC Group. Other notable ransomware groups during this period include Medusa with 31 attacks, BlackBasta with 27, Akira with 20, 8Base with 17, and INC Ransom with 16. 

The researchers observed an increasing trend among ransomware groups to forego file encryption and instead rely solely on data theft for extortion. This shift in tactics highlights the evolving landscape of ransomware attacks and underscores the need for robust cybersecurity measures.
Read more »
IT Infrastructure
Australia Australian Businesses Cyberattack cybercriminals Data Breach Fortinet Hacker attack Hackers IT Infrastructure

The Growing Threat of Data Breaches to Australian Businesses

 

Data breaches are now a significant threat to Australian businesses, posing the risk of "irreversible brand damage." A cybersecurity expert from Fortinet, a global leader in the field, has raised alarms about cybercriminals increasingly targeting the nation’s critical infrastructure. Cybercriminals are continually finding new ways to infiltrate Australia’s infrastructure, making businesses highly vulnerable to attacks. 

The Australian federal government has identified 11 critical sectors under the Security of Critical Infrastructure Act, which was amended in 2018 to enforce stricter regulations. Businesses in these sectors are required to complete annual reporting to notify the federal government of any attempts to access their networks. Michael Murphy, Fortinet’s Head of Operational Technology and Critical Infrastructure, recently discussed the severity of cyber threats on Sky News Business Weekend. During the 2022-2023 financial year, 188 cybersecurity incidents were reported across critical sectors, highlighting ongoing risks to national networks like water and energy supplies. 

Additionally, the Australian Bureau of Statistics found that 34 percent of businesses experienced resource losses managing cybersecurity attacks in the 2021-2022 financial year, and 22 percent of Australian businesses faced a cybersecurity attack during that period—more than double the previous year’s figure. Even small businesses are now vulnerable to cybercrime. Murphy pointed out that among entities with mandatory reporting, 188 incidents were reported, with 142 incidents reported by entities outside of critical infrastructure, demonstrating the widespread nature of the threat. He explained that hackers are motivated by various factors beyond financial gain, including the desire for control. 

The consequences of cyber attacks can be severe, disrupting systems and causing significant downtime, which leads to revenue loss and irreversible brand damage. Critical infrastructure sectors face unique challenges compared to the IT enterprise. Quick restoration of systems is often not an option, and recovery can take considerable time. This extended downtime not only affects revenue but also damages the reputation and trustworthiness of the affected organizations. Murphy noted that many incidents are driven by motives such as financial profiteering, socio-political influence, or simply the desire of hackers and syndicates to boost their credibility. 

As cyber threats evolve, it is crucial for businesses, especially those in critical infrastructure sectors, to strengthen their cybersecurity measures. While annual reporting and adherence to federal regulations are essential, proactive strategies and advanced security technologies are necessary to mitigate risks effectively.
Read more »
UNC
CrowdStrike Cyber Security cybercriminals Financial Threat Google Cloud Google Mandiant Mandiant Threat Intelligence UNC

Protecting Your Business from Snowflake Platform Exploitation by UNC5537

 

A recent report from Mandiant, a subsidiary of Google Cloud, has uncovered a significant cyber threat involving the exploitation of the Snowflake platform. A financially motivated threat actor, identified as UNC5537, targeted around 165 organizations' Snowflake customer instances, aiming to steal and exfiltrate data for extortion and sale. Snowflake, a widely-used cloud data platform, enables the storage and analysis of vast amounts of data. The threat actor gained access to this data by using compromised credentials, which were obtained either through infostealer malware or purchased from other cybercriminals. 

UNC5537 is known for advertising stolen data on cybercrime forums and attempting to extort victims. The sold data can be used for various malicious purposes, including cyber espionage, competitive intelligence, and financial fraud. The joint statement from Snowflake, Mandiant, and cybersecurity firm CrowdStrike clarifies that there is no evidence of a vulnerability, misconfiguration, or breach within Snowflake’s platform itself. 

Additionally, there is no indication that current or former Snowflake employees' credentials were compromised. Instead, the attackers acquired credentials from infostealer malware campaigns that infected systems not owned by Snowflake. This allowed them to access and exfiltrate data from the affected Snowflake customer accounts. Mandiant's research revealed that UNC5537 primarily used credentials stolen by various infostealer malware families, such as Vidar, Risepro, Redline, Racoon Stealer, Lumma, and Metastealer. Many of these credentials dated back to November 2020 but remained usable. The majority of credentials exploited by UNC5537 were exposed through previous infostealer malware incidents. 

The initial compromise often occurred on contractor systems used for personal activities like gaming and downloading pirated software, which are common vectors for spreading infostealers. Once obtained, the threat actor used these credentials to access Snowflake accounts and extract valuable customer data. UNC5537 also purchased credentials from cybercriminal marketplaces, often through Initial Access Brokers who specialize in selling stolen corporate access. The underground market for infostealer-obtained credentials is robust, with large lists of stolen credentials available for free or for purchase on the dark web and other platforms. 

According to Mandiant, 10% of overall intrusions in 2023 began with stolen credentials, making it the fourth most common initial intrusion vector. To protect your business from similar threats, it is crucial to implement robust cybersecurity measures. This includes regular monitoring and updating of all systems to protect against infostealer malware, enforcing strong password policies, and ensuring that all software is kept up to date with the latest security patches. Employee training on cybersecurity best practices, especially regarding the dangers of downloading pirated software and engaging in risky online behavior, is also essential. 

Moreover, consider using multi-factor authentication (MFA) to add an extra layer of security to your accounts. Regularly audit your systems for any unusual activity or unauthorized access attempts. Engage with reputable cybersecurity firms to conduct thorough security assessments and implement advanced threat detection solutions. By staying vigilant and proactive, businesses can better protect themselves from the threats posed by cybercriminals like UNC5537 and ensure the security and integrity of their data.
Read more »
Telecom Sector
Cyber Fraud cybercriminals DoT Fake Calls Fraud Calls Identity Fraud India Indian Government Spoofing Telecom Sector

Combatting International Spoofed Calls: India's New Measures to Protect Citizens

 

In recent times, fraudsters have increasingly used international spoofed calls displaying Indian mobile numbers to commit cybercrime and financial fraud. These calls, which appear to originate within India, are actually made by criminals abroad who manipulate the calling line identity (CLI). 

Such spoofed calls have been used in various scams, including fake digital arrests, FedEx frauds, narcotics in courier schemes, and impersonation of government and police officials. To combat this growing threat, the Department of Telecommunications (DoT) and Telecom Service Providers (TSPs) in India have developed a system to identify and block incoming international spoofed calls. 

This initiative aims to prevent such calls from reaching any Indian telecom subscriber. The Ministry of Communications announced that TSPs have been directed to block these calls and are already taking steps to prevent calls with spoofed Indian landline numbers. In addition to this, the DoT has launched the Sanchar Saathi portal, a citizen-centric platform designed to enhance user safety and security amid the rising threat of fraud and international call scams. This portal includes a feature called "Chakshu," which allows individuals to report suspicious calls and messages. 

Chakshu simplifies the process of flagging fraudulent communications, providing an extra layer of protection against cybercriminals. Chakshu serves as a backend repository for citizen-initiated requests on the Sanchar Saathi platform, facilitating real-time intelligence sharing among various stakeholders. The platform also provides information on cases where telecom resources have been misused, helping to coordinate actions among stakeholders. 

Union Minister Ashwini Vaishnaw has highlighted additional measures, including creating a grievance redressal platform for reporting unintended disconnections and a mechanism for returning money frozen due to fraud. These efforts aim to address the concerns of citizens who may have been inadvertently affected by the anti-fraud measures. Since its launch in May last year, the Sanchar Saathi portal has been instrumental in enhancing the security of telecom users. It has helped track or block over 700,000 lost mobile phones and detect more than 6.7 million suspicious communication attempts. 

These efforts underscore the government's commitment to safeguarding citizens from cyber threats and ensuring the integrity of telecom services. The DoT and TSPs' proactive measures, along with the Sanchar Saathi portal, represent significant steps towards protecting Indian citizens from international spoofed calls and other forms of cybercrime. By leveraging advanced technology and fostering collaboration among stakeholders, these initiatives aim to create a safer digital environment for all.
Read more »
Subscribe to: Posts (Atom)