Texas Oilfield Supplier Operations Impacted by Ransomware Incident

 


About two months before the Newpark Resources attack, oilfield services giant Halliburton suffered a cyberattack, which it disclosed in a regulatory filing. Last week, Halliburton, the world's largest energy services provider, announced that it incurred about $35 million in expenses because of the attack. Still, the impact on the company's finances is relatively small, considering Halliburton is one of the world's largest energy services providers.

In August, Halliburton, a global provider of services for the energy industry, had to shut down the systems of some of its subsidiaries due to a cyberattack. This type of breach usually involves unauthorized access by third parties and often leads to disrupted operations, system shutdowns, and the activation of incident response plans. The company activated its cyber-response plan at that time and conducted a comprehensive internal investigation, with the assistance of external advisors, to assess and remediate the unauthorized activity it was aware of.

Halliburton announced last week that it recorded a pretax charge of $116 million in the third quarter of 2024 as a result of severance costs, impairment of assets held for sale, expenses related to cybersecurity incidents, gains on equity investments, and other items. In a report released on Tuesday, Halliburton's chairman, president, and CEO, Jeff Miller, said that Halliburton "experienced a $0.02 per share impact on its adjusted earnings from storms in the Gulf of Mexico and in the Gulf of Mexico due to the August cybersecurity event."

While the update is not in itself noteworthy, Andy Watkin-Child, founding partner at Veritas GRC, said in a LinkedIn post that it shows cyber incidents are moving to the top of the corporate agenda. Boards of directors are becoming more transparent about the impact of cyber incidents, as required by the Securities and Exchange Commission. Following the attack, Halliburton had to postpone billing and collection activities and halt its share buyback program.

According to the company, the full impact will not be material for its operations in the long run.

Newpark Resources announced this week that access to certain information systems and business applications has been disrupted by a ransomware attack on its network. According to a filing with the Securities and Exchange Commission (SEC), the incident was discovered on October 29 and a cybersecurity response plan was activated immediately, said the Texas-based company, which provides drilling fluids systems and composite matting systems for the oilfield sector.

In its statement, Newpark said that "the incident has caused disruptions and limitations in access to certain of the company's information systems and business applications that support aspects of the company's operations and corporate functions, including financial and operational reporting systems", and the company is still paying the price. To keep operating without interruption, the company reverted to downtime procedures, allowing it to safely continue manufacturing and field operations during the downtime period.

Based on its current understanding of the facts and circumstances, the company said in a statement, the incident does not appear reasonably likely to have an impact on its financial situation or its results of operations. Newpark declined to provide information about how the attackers gained access to its network or who might have been responsible for the incident. No ransomware group is known to be claiming responsibility for the attack, according to SecurityWeek.

About two months before the Newpark Resources breach, oilfield services giant Halliburton also suffered a cyberattack, which it likewise announced in a regulatory filing. The company has just reported that it incurred approximately $35 million in expenses as a result of the attack. However, given that the company is one of the leading energy service companies in the world, the financial impact is relatively small.

The incident at Newpark Resources highlighted the importance of network segmentation, according to Chris Grove, director of cybersecurity strategy at Nozomi Networks. He says that when networks are under attack, network segmentation can ensure their security. According to Grove, separating OT from IT is one way to minimize the risk that a security breach hurts key operations. However, organizations face an increasingly pressing challenge: keeping the advantages of segmentation while enabling controlled connectivity, a balance that is becoming harder to maintain.

Researchers from NCC Group told Cybersecurity Dive via email that there has been no public leak of data from the Newpark Resources attack and that no claim has been made regarding a leak. Neither the company nor its shareholders have been able to determine what costs and financial impacts will be associated with this incident, but as for the company's financial condition and results of operations, they believe that the attack "is not reasonably likely to have a material impact."

As a manufacturer, seller, and rental company, Newpark Resources is dedicated to serving the petroleum industry and various other sectors related to energy, such as pipelines, renewable energy, petrochemicals, construction, and oilfields. In its Thursday earnings report, the Woodlands, Texas-based company disclosed quarterly revenue exceeding $44 million and projected an annual revenue reaching up to $223 million. This performance underscores the company's strong market presence despite recent challenges, though it remains under pressure following a recent ransomware attack by unidentified cyber actors. 

As of Thursday, no specific hacking group had taken responsibility for the attack. The oil and gas sector, recognized as a globally essential industry, has increasingly become a focal point for ransomware attacks. Due to the industry’s high financial stakes and critical role in infrastructure, it is often targeted by cybercriminals who expect ransom payments to restore access to compromised systems. Notably, ransomware incidents have affected major players in the sector. Over the past four years, corporations such as Shell, Halliburton, Colonial Pipeline, Encino Energy, Oiltanking, and Mabanaft have experienced cybersecurity breaches that disrupted operations and had significant financial and reputational impacts.

These incidents have drawn heightened attention from government entities, prompting federal authorities to pursue enhanced cybersecurity measures across critical infrastructure sectors. The rise in ransomware attacks has spurred the government to implement stricter cybersecurity regulations, with mandates designed to bolster defense mechanisms within vulnerable industries.

WHO and Global Leaders Warn Against Rise of Ransomware Attacks Targeting Hospitals

 

On November 8, the World Health Organization (WHO) joined over 50 countries in issuing an urgent warning at the United Nations about the increase in ransomware attacks on healthcare systems worldwide. WHO Director-General Tedros Adhanom Ghebreyesus addressed the UN Security Council, emphasizing the critical risks these cyberattacks pose to public health and safety. He highlighted the growing frequency of attacks on hospitals, which could delay urgent care, disrupt essential services, and lead to life-threatening consequences. Calling for global cooperation, he described ransomware as an international security threat that demands a coordinated response. 

Ransomware is a form of cyberattack where hackers lock or encrypt a victim’s data and demand payment in exchange for releasing it. This form of digital extortion has escalated globally, affecting healthcare providers, institutions, and governments alike. In the healthcare sector, such attacks can be particularly devastating, compromising the safety of patients and healthcare workers. The joint statement, endorsed by nations such as Japan, South Korea, Argentina, France, Germany, and the United Kingdom, outlined the immediate dangers these attacks pose to public health and international security, calling on all governments to take stronger cybersecurity measures. The U.S., represented by Deputy National Security Adviser Anne Neuberger, directly blamed Russia for allowing ransomware groups to operate freely within its borders. 

According to Neuberger, some countries knowingly permit these actors to execute attacks that impact critical infrastructure globally. She called out Moscow for not addressing cybercriminals targeting foreign healthcare systems, implying that Russia’s inaction may indirectly support these malicious groups. Additional accusations were made against North Korea by delegates from France and South Korea, who highlighted the country’s alleged complicity in facilitating ransomware attacks. Russia’s UN representative, Ambassador Vassily Nebenzia, defended against these claims, arguing that the Security Council was not the right forum to address such issues. He asserted that Western nations were wasting valuable council time and resources by focusing on ransomware, suggesting instead that they address other pressing matters, including alleged attacks on hospitals in Gaza.  

WHO and the supporting nations warn that cybercrime, particularly ransomware, requires a global response to strengthen defenses in vulnerable sectors like healthcare. Dr. Ghebreyesus underscored that without collaboration, cybercriminals will continue to exploit critical systems, putting lives at risk. The joint statement also condemned nations that knowingly enable cybercriminals by allowing them to operate within their jurisdictions. This complicity, they argue, not only endangers healthcare systems but also threatens peace and security globally. 

As ransomware attacks continue to rise, healthcare systems worldwide face increasing pressure to strengthen cybersecurity defenses. The WHO’s call to action emphasizes that nations need to take ransomware threats as seriously as traditional security issues, working together to protect both patient safety and public health infrastructure.

How to Prevent a Ransomware Attack and Secure Your Business

 

In today’s world, the threat of cyberattacks is an ever-present concern for businesses of all sizes. The scenario of receiving a call at 4 a.m. informing you that your company has been hit by a ransomware attack is no longer a mere fiction; it’s a reality that has affected several major companies globally. In one such instance, Norsk Hydro, a leading aluminum and renewable energy company, suffered a devastating ransomware attack in 2019, costing the company an estimated $70 million. This incident highlights the vulnerabilities companies face in the digital age and the immense financial and reputational toll a cyberattack can cause. 

Ransomware attacks typically involve hackers encrypting sensitive company data and demanding a hefty sum in exchange for decryption keys. Norsk Hydro chose not to pay the ransom, opting instead to rebuild their systems from scratch. Although this route avoided funding cybercriminals, it proved costly in both time and resources. The question remains, what can be done to prevent such attacks from occurring in the first place?

The key to preventing ransomware and other cyber threats lies in building a robust security infrastructure. First and foremost, organizations should implement strict role-based access controls. By defining specific roles for employees and limiting access to sensitive systems based on their responsibilities, businesses can reduce the attack surface. For example, financial analysts should not have access to software development repositories, and developers shouldn’t be able to access the HR systems. This limits the number of users who can inadvertently expose critical systems to threats. When employees change roles or leave the company, it’s essential to adjust their access rights to prevent potential exploitation. Additionally, organizations should periodically ask employees whether they still require access to certain systems. If access hasn’t been used for a prolonged period, it should be removed, reducing the risk of attack.

Another critical aspect of cybersecurity is the implementation of a zero-trust model. A zero-trust security approach assumes that no one, whether inside or outside the organization, should be trusted by default. Every request, whether it comes from a device on the corporate network or a remote one, must be verified. This means using tools like single sign-on (SSO) to authenticate users, as well as device management systems to assess the security of devices trying to access company resources. By making trust contingent on verification, companies can significantly mitigate the chances of a successful attack.

Moreover, adopting a zero-trust strategy requires monitoring and controlling which applications employees can run on their devices. Unauthorized software, such as penetration testing tools like Metasploit, should be restricted to only those employees whose roles require them. This practice not only improves security but also ensures that employees are using the tools necessary for their tasks, without unnecessary exposure to cyber risks.

Finally, no security strategy is complete without regular fire drills and incident response exercises. Preparing for the worst-case scenario means having well-documented procedures and ensuring that every employee knows their role during a crisis. Panic and confusion can worsen the impact of an attack, so rehearsing responses and creating a calm, effective plan can make all the difference.

Preventing cyberattacks requires a combination of technical measures, strategic planning, and a proactive security mindset across the entire organization. Business leaders must prioritize cybersecurity just as they would profitability, growth, and other business metrics. By doing so, they will not only protect their data but also ensure a safer future for their company, employees, and customers. The impact of a well-prepared security system is immeasurable and could be the difference between an incident being a minor inconvenience or a catastrophic event.
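The access review described in this article (role-based limits, adjustments when people change roles or leave, and removal of unused access) can be automated. The following is an added example, not code from the article; the role map, the 90-day idle cut-off, and all user and system names are constructed assumptions.

```python
from datetime import date

# Constructed role model (assumption): the systems each role is entitled to.
ROLE_SYSTEMS = {
    "financial_analyst": {"erp", "bi_dashboards"},
    "developer": {"source_repos", "ci"},
    "hr_partner": {"hr_system"},
}

MAX_IDLE_DAYS = 90  # assumed cut-off for "a prolonged period"; set per policy


def review_access(employees, grants, today, max_idle_days=MAX_IDLE_DAYS):
    """Return sorted (user, system, reason) tuples for grants to revoke.

    employees: {user: current role, or None once the person has left}
    grants:    [(user, system, last_used date or None)]
    """
    findings = []
    for user, system, last_used in grants:
        role = employees.get(user)
        if role is None:
            # Leaver (or unknown account): every remaining grant goes.
            reason = "offboarded"
        elif system not in ROLE_SYSTEMS.get(role, set()):
            # Covers role changes: old entitlements no longer match the role.
            reason = f"outside role {role}"
        elif last_used is None:
            reason = "never used"
        elif (today - last_used).days > max_idle_days:
            reason = f"unused for {(today - last_used).days} days"
        else:
            continue  # in role and recently used: keep
        findings.append((user, system, reason))
    return sorted(findings)


# Constructed sample data, not taken from any real directory or audit log.
SAMPLE_EMPLOYEES = {
    "alice": "financial_analyst",
    "bob": "developer",
    "carol": None,          # left the company
    "dana": "hr_partner",   # moved from development to HR
}
SAMPLE_GRANTS = [
    ("alice", "erp", date(2024, 11, 1)),
    ("alice", "bi_dashboards", None),
    ("alice", "source_repos", date(2024, 10, 30)),
    ("bob", "source_repos", date(2024, 11, 5)),
    ("bob", "ci", date(2024, 3, 1)),
    ("bob", "hr_system", None),
    ("carol", "hr_system", date(2024, 9, 15)),
    ("dana", "hr_system", date(2024, 11, 8)),
    ("dana", "source_repos", date(2024, 11, 8)),
]


def demo():
    """Run the review over the constructed sample as of 2024-11-10."""
    return review_access(SAMPLE_EMPLOYEES, SAMPLE_GRANTS, today=date(2024, 11, 10))


if __name__ == "__main__":
    for user, system, reason in demo():
        print(f"revoke {user:<6} {system:<14} {reason}")
```

In a real deployment the grant list and last-used dates would come from the identity provider or SSO logs rather than literals.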

Cyberattack Impacts Georgia Hospital, Colorado Pathology Services

 


The number of hospitals affected by ransomware, business email compromise, and other cyber threats is increasing across the sector, from small community hospitals such as Memorial Hospital and Manor in Bainbridge, Georgia, to those with a large number of beds. In his opening keynote address at the HIMSS Healthcare Cybersecurity Forum last week in Washington, D.C., Greg Garcia, executive director of the Health Sector Coordinating Council Cybersecurity Working Group, said that there is now an average of two data breaches every day within the American health care system.

Cyber threat actors often target people who work in hospitals and health systems, exploiting basic vulnerabilities in their systems. As an illustration of this type of breach, Kaiser Permanente, one of the country's largest health systems, said it had sent a notice Sunday to people in Southern California whose personal health data had been compromised as a result of unauthorized access to two employee email accounts.

Attackers can also be skilled at exploiting their victims' vulnerabilities, combining sophisticated social engineering techniques with phishing attacks that focus on bots. In a cyber exploit originally discovered earlier this month, Summit Pathology, an independent pathology service provider based in Colorado, had patient data associated with more than 1.8 million people exfiltrated from its systems.

Kaiser Permanente reported that an unauthorised third party gained access to the email accounts of two employees and was able to view patients' health information. Across the nation, ransomware, business email compromise, and other cyber threats are disrupting care for millions of people, at small community hospitals such as Memorial Hospital and Manor in Bainbridge, Georgia, as well as at the largest providers.

A recent study conducted by the Health Sector Coordinating Council Cybersecurity Working Group found that the United States averages two data breaches per day, Greg Garcia, executive director of the ASHC Cybersecurity Working Group, said in his opening address at the HIMSS Healthcare Cybersecurity Forum, held in Washington, DC, last week. In many cases, cybercriminals target people who work in hospitals and health systems to exploit weaknesses in the system. A health system in Southern California posted a notice on Friday informing its members of a health information security issue that was discovered on September 3.

The notice on the company's website advised that two of its employees' email accounts had been accessed by an unauthorized party. "Immediately following the discovery of this incident, Kaiser Permanente terminated the unauthorized access and immediately began investigating to determine the scope of the access," Kaiser Permanente said. "It was found that some protected health information about some patients were included in the email's contents after we validated them."

According to the health system, although Social Security numbers and financial information were not involved, protected health information, such as first and last names, dates of birth, medical record numbers, and medical information, had the potential to be accessed and/or viewed by third parties. As part of Kaiser Permanente's maintenance of health system operations, affected individuals were contacted directly by the company, Kaiser Permanente said. On October 18, Summit Pathology of Loveland, Colorado, reported to the U.S. Department of Health and Human Services (HHS) that the data of 1,813,538 individuals had been compromised in a hacking incident.

As outlined in the pathology services company's notice on its website, the impacted systems contained data such as names, addresses, medical billing and insurance information, certain medical information such as diagnosis, demographic information such as dates of birth, Social Security numbers, and financial information. Summit said that on or around April 18 it noticed suspicious activity on its computer network and took the necessary steps to secure it, including contacting third parties to assist in the investigation.

The affected healthcare entities have reported that they successfully identified files that unauthorized individuals may have accessed or acquired during the ransomware attack. In response to the incident, Summit conducted a thorough review of its internal policies and procedures. Following this review, they implemented additional administrative and technical safeguards to strengthen security and mitigate the risk of future attacks. 

On October 31, the Murphy Law Firm, based in Oklahoma City, stated its involvement in the case. The firm announced that it is pursuing a class action lawsuit and actively investigating claims related to the breach. According to Murphy Law Firm, Summit’s forensic investigation revealed that cybercriminals were able to infiltrate the organization's inadequately secured network, leading to unauthorized access to sensitive data files. The law firm is now seeking to hold Summit accountable for the potential data security lapses that may have enabled the breach.

Interlock Ransomware: New Threat Targeting FreeBSD Servers and Critical Infrastructure Worldwide

 

The Interlock ransomware operation, launched in late September 2024, is increasingly targeting organizations around the globe. Distinctly, this new threat employs an encryptor specifically designed to attack FreeBSD servers, a relatively uncommon tactic among ransomware groups.

Interlock has already affected six organizations and publicly leaked stolen data after ransoms went unpaid. One prominent victim, Wayne County in Michigan, experienced a cyberattack early in October, adding to the list of affected entities.

Details about Interlock remain limited, with early reports emerging from cybersecurity responder Simo in October. Simo's analysis noted a new backdoor associated with the ransomware, discovered during an investigation on VirusTotal.

Shortly after, MalwareHunterTeam identified a Linux ELF encryptor related to Interlock. Upon further examination, BleepingComputer confirmed that this executable was built specifically for FreeBSD 10.4, though attempts to execute it in a FreeBSD environment failed.

Although ransomware targeting Linux-based VMware ESXi servers is common, an encryptor for FreeBSD is rare. The now-defunct Hive ransomware, disrupted by the FBI in 2023, was the only other known operation with a FreeBSD encryptor.

Trend Micro researchers shared additional samples of the Interlock FreeBSD ELF encryptor and a Windows variant, noting that FreeBSD is often used in critical infrastructure. This likely makes it a strategic target for Interlock, as attacks on these systems can lead to significant service disruptions.

Trend Micro emphasizes that Interlock’s focus on FreeBSD infrastructure allows attackers to disrupt essential services and demand high ransoms, as these systems are integral to many organizations’ operations.

It is important to note that Interlock ransomware is unrelated to any cryptocurrency token of the same name.

While BleepingComputer encountered issues with running the FreeBSD encryptor, they successfully tested the Windows version, which performed actions like clearing event logs and deleting the main binary using rundll32.exe if self-deletion is enabled.

When encrypting files, Interlock appends the .interlock extension and generates a ransom note titled "!README!.txt" in each affected folder. The note explains the encryption, threats, and includes links to a Tor-based negotiation site where victims can communicate with the attackers. Each victim receives a unique ID and email for registration on this negotiation platform.

During attacks, Interlock breaches networks, steals sensitive data, and then deploys the encryptor to lock down files. The data theft supports a double-extortion scheme, with threats to leak data if ransoms—ranging from hundreds of thousands to millions of dollars—are not paid.
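For responders, the two file-system artifacts named above (the `.interlock` extension and the `!README!.txt` note) are enough to map which folders were hit and to bound when encryption ran. The following triage sketch is an added example, not code from BleepingComputer or Trend Micro; the folder states, function names and sample tree are constructed assumptions, and the "partial" state is a heuristic.

```python
import os
import tempfile
from datetime import datetime, timezone

ENCRYPTED_SUFFIX = ".interlock"    # extension appended to encrypted files (per the article)
RANSOM_NOTE_NAME = "!README!.txt"  # note dropped in each affected folder (per the article)


def _iso(ts):
    """Format an epoch timestamp as UTC ISO 8601, or None if no files matched."""
    return None if ts is None else datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def scan_tree(root):
    """Return per-folder findings and the mtime window of the encrypted files."""
    folders = {}
    first = last = None
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinked directories
        encrypted, intact, note = [], 0, False
        for name in files:
            if name.casefold() == RANSOM_NOTE_NAME.casefold():
                note = True
            elif name.casefold().endswith(ENCRYPTED_SUFFIX):
                encrypted.append(name)
                try:
                    mtime = os.lstat(os.path.join(dirpath, name)).st_mtime
                except OSError:
                    continue  # file vanished or unreadable: listed, but not timed
                first = mtime if first is None else min(first, mtime)
                last = mtime if last is None else max(last, mtime)
            else:
                intact += 1
        if not (note or encrypted):
            continue  # no indicator in this folder
        if encrypted and intact:
            state = "partial"    # heuristic: untouched files remain, encryption may have stopped early
        elif encrypted:
            state = "encrypted"
        else:
            state = "note-only"  # note without renamed files: check manually
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        folders[rel] = {"state": state, "note": note,
                        "encrypted": sorted(encrypted), "intact": intact}
    return {"folders": folders, "window": (_iso(first), _iso(last))}


def build_constructed_sample(root):
    """Create a small constructed tree (not real victim data) with fixed mtimes."""
    layout = {
        "finance/q3.xlsx.interlock": 1_700_000_000,
        "finance/!README!.txt": 1_700_000_050,
        "hr/roster.csv.interlock": 1_700_000_600,
        "hr/policy.pdf": 1_600_000_000,
        "hr/!README!.txt": 1_700_000_610,
        "public/index.html": 1_600_000_000,
    }
    for rel, mtime in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample\n")
        os.utime(path, (mtime, mtime))


def demo():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_sample(root)
        return scan_tree(root)


def scan_empty():
    """Scan an empty directory: no findings and no time window."""
    with tempfile.TemporaryDirectory() as root:
        return scan_tree(root)


if __name__ == "__main__":
    result = demo()
    for folder, info in sorted(result["folders"].items()):
        print(folder, info["state"], info["encrypted"], f"intact={info['intact']}")
    print("encrypted-file mtime window (UTC):", result["window"])
```

The mtime window is only a starting point for a timeline, since timestamps on a compromised host can be altered.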

Columbus Data Breach Affects 500,000 in Recent Cyberattack

 


In July, a ransomware attack on Columbus, Ohio, compromised the personal information of an estimated 500,000 residents, marking one of the largest cyber incidents to affect a city in the United States in recent years. There has been great interest in the attack linked to the Rhysida ransomware group due to the extent of the data stolen as well as the controversy surrounding the city's response. 

The City of Columbus, the state capital of Ohio, has confirmed that hackers stole the data of 500,000 residents during a ransomware attack in July. In a filing with the state attorney general, the city confirmed that a "foreign cyber threat actor" had infiltrated its network to access information about residents, including their names, dates of birth, addresses, ID documents, Social Security numbers, and bank accounts.

With a population of 900,000 people, Columbus is the largest municipality in the state. Around half a million people are affected, but the exact number of victims has yet to be determined. In a regulatory filing, the city revealed that it had "thwarted" a ransomware attack on July 18 of this year by disconnecting its network from the internet. The attack has been claimed by the Rhysida ransomware group, which specializes in crypto-ransomware attacks.

The cybercriminals, believed to be connected to Russian threat actors, sought a ransom from Columbus in the initial stages of the attack, claiming to have stolen 6.5 TB of data. Rhysida allegedly published 3.1 TB of that data on its dark web leak site after negotiations with the city failed. The exposure ranks as a significant public-sector data breach of the last two years.

According to Rhysida, the ransomware gang, the attack occurred the same day. The group claims to have stolen databases containing 6.5 TB of data, including staff credentials, video feeds from the city camera system, and server dumps, along with other sensitive data. The amount of stolen data on the gang's dark web leak portal, published after it failed to extort the City, has not increased: some 45% of the stolen data, or 260,000 documents (3.1 TB), is on the portal.

Columbus Mayor Andrew Ginther told Columbus media that there was no need to be concerned about the leak because the data was "encrypted or corrupted". David Leroy Ross (aka Connor Goodwolf) of the Security Research Group, a British security research company, refuted the Mayor's claim by sharing samples of the leaked data with press outlets, which showed that it contained unencrypted personal information belonging to city employees, residents, and visitors.

As of early August, Columbus had filed a lawsuit against security researcher David Leroy Ross, escalating the situation. Ross, who goes by the username "Connor Goodwolf", had told local media that residents' personal information had been uploaded to the dark web. Columbus officials had earlier claimed that only unusable, corrupted data had been stolen, which the new disclosure contradicted.

In the aftermath of Ross's revelations, the first cyber analysts to investigate the stolen data discovered a significant volume of sensitive files, among them databases, password logs, cloud management files, employee payroll records, and even footage from city traffic cameras. In response to the attack, the city said it has committed to improving its cybersecurity protocols to prevent similar attacks from happening again.

Columbus, a city of approximately 915,000 people, informed the Maine Attorney General's Office in a report that the breach may affect approximately 55% of its citizens. Those affected will receive two years of free credit monitoring and identity protection services as a gesture of goodwill from the city. Columbus has come under increasing public pressure to ensure that data is protected and that it communicates transparently about the extent of the breach. The City's lawsuit alleges that Goodwolf spread stolen data illegally and negligently.

The suit requested monetary damages along with a temporary restraining order and a permanent injunction to stop the researcher from further disseminating the leaked data. It was decided in December 2011 that a temporary restraining order would be issued in Franklin County prohibiting Goodwolf from downloading and disseminating the data stolen from the City.

The City had previously claimed that the leaked data was useless. Yet, as shown in breach notification letter samples filed with the Maine Attorney General's Office, it informed 500,000 people in early October that some of their financial and personal information had been stolen and published on the dark web. According to the breach notification letters, the breach of the City's information systems involved recipients' personal information, including first and last name, date of birth, address, bank account information, driver's license number, Social Security number, and other identifying information.

Although the City has yet to find evidence of the misuse of its data, it warns those affected by the breach to keep a close eye on their credit reports and financial accounts for suspicious activity. It is also offering 24 months of free credit and identity monitoring through Experian IdentityWorks, as well as identity restoration services provided by Experian.

Microsoft: Healthcare Sector Sees 300% Surge in Ransomware Assaults

 

A Microsoft investigation published earlier this week revealed that ransomware attacks on the healthcare sector are rising and threatening lives. 

The report, which uses both internal corporate data and external data, shows a 300% spike in ransomware attacks on the health sector since 2015, as well as an increase in stroke and cardiac arrest cases at hospitals receiving patients from nearby facilities that have been paralysed by similar assaults.

It all amounts to a worrisome pattern that began during the peak of the COVID-19 pandemic, when certain ransomware gangs pledged not to attack the healthcare industry. 

“That [pledge has] been shoved off the table, unfortunately, and we are seeing a broader targeting of everything that has to do with health care, from hospital systems to clinics to doctors’ offices — really, anything where patient care can be impacted,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, stated. “Threat actors know people’s lives are at stake, and therefore the organization is more likely to pay.” 

According to Microsoft's second-quarter 2024 data, health care is one of the top ten most targeted sectors, with an average payment of $4.4 million reported in a survey of health care organisations. Additionally, Microsoft analysts believe Iranian gangs are mostly targeting healthcare organisations. 

Research published last year found that ransomware attacks on hospitals have a spillover effect, with unaffected institutions seeing an increase in patients, resulting in stroke cases soaring by 113% and cardiac arrest cases rising by 81%. Those cardiac arrest cases also had lower survival rates.

“We know that these types of incidents have impacts on many of the technologies, such as CT scanners or laboratory machines that are used to take care of patients suffering from things like heart attack, stroke or sepsis,” Jeff Tully, co-director of the University of California San Diego Center for Healthcare Cybersecurity and co-author of that study, noted. “And we know that there are delays in our ability to care for these patients during these types of down times.”

Tully stated that the centre was working on developing a ransomware response playbook for health care organisations, but DeGrippo emphasised the need to build the resilience to survive an assault when it occurs.

How to Protect Your PC from Ransomware with Windows Defender

 

Ransomware is a significant threat that can lock users out of their own files until a ransom is paid to recover the data. CBS News recently highlighted the devastating impact of ransomware, focusing on the Scattered Spider group, which caused millions in damage by targeting Las Vegas casinos. While personal computers are less common targets, it’s still crucial to take precautions. 

The best way to protect your system from ransomware is by avoiding sites or downloads likely to contain malware. However, using additional measures like modern antivirus software or built-in protections in Windows can enhance security. Microsoft Defender, integrated into Windows, offers ransomware protection, but users need to enable it manually. To activate ransomware protection in Windows, you must access the Windows Security app. This can be done by searching for “Windows Security” via the Start Menu or settings. Once inside the app, go to “Virus & threat protection” and activate Controlled folder access. 

This feature limits which applications can alter files in crucial folders, such as Documents, Pictures, and others. While trusted programs like Microsoft Office automatically retain access, unauthorized apps cannot modify or even see these folders until granted permission. This restriction is vital for stopping ransomware from encrypting sensitive files. An essential step to further enhance security is backing up your data. Windows Security facilitates this through integration with OneDrive. By logging into your OneDrive account, either through the Windows PC itself or directly in the OneDrive app, you can ensure automatic backups of your important files. 

This provides an additional layer of security, helping to recover encrypted data without paying a ransom. While OneDrive offers convenient cloud backup, it’s also recommended to keep offline backups. These backups are immune to ransomware that might affect your online accounts. Without an offline backup, relying solely on cloud services still leaves a vulnerability. Turning on ransomware protection comes with minor inconveniences, especially for those who save files in common folders. 

For instance, gamers might experience issues with save files being restricted, but this can be remedied by adding specific apps to the access list or adjusting where files are saved. Overall, securing your PC against ransomware involves enabling the built-in features in Windows, setting up OneDrive backups, and keeping an offline backup for extra safety. Taking these steps ensures you’re prepared in case your files are ever threatened by ransomware attacks.
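The same settings can be applied from an elevated PowerShell prompt with the Defender cmdlets. The script below is an added example, not part of the original article: it stages the rollout (audit, review, enforce) so that blocked programs such as game launchers are found before enforcement, and the application and folder paths in it are hypothetical placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: staged rollout of Controlled folder access (CFA).
# Paths marked HYPOTHETICAL are placeholders to replace with your own.

$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'

function Get-CfaState {
    # Get-MpPreference reports the mode as a number: 0 = off, 1 = on, 2 = audit.
    $names = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
    $value = [int](Get-MpPreference).EnableControlledFolderAccess
    if ($names.ContainsKey($value)) { $names[$value] } else { "Other ($value)" }
}

function Get-CfaEvent {
    # Event 1124: a write that audit mode would have blocked.
    # Event 1123: a write that enforcement actually blocked.
    param([int] $Days = 7)
    $filter = @{
        LogName   = $DefenderLog
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, Message
}

function Set-CfaStage {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Audit', 'Review', 'Enforce')]
        [string] $Stage,
        [string[]] $AllowedApps  = @(),   # programs that must keep write access
        [string[]] $ExtraFolders = @()    # folders to protect beyond the defaults
    )
    switch ($Stage) {
        'Audit' {
            # Log what would be blocked without blocking anything yet.
            Set-MpPreference -EnableControlledFolderAccess AuditMode
        }
        'Review' {
            # After a few days of normal use, list what would have been blocked.
            Get-CfaEvent -Days 7
        }
        'Enforce' {
            foreach ($app in $AllowedApps) {
                if (Test-Path -LiteralPath $app) {
                    Add-MpPreference -ControlledFolderAccessAllowedApplications $app
                } else {
                    Write-Warning "Skipping missing program: $app"
                }
            }
            foreach ($folder in $ExtraFolders) {
                if (Test-Path -LiteralPath $folder) {
                    Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
                } else {
                    Write-Warning "Skipping missing folder: $folder"
                }
            }
            Set-MpPreference -EnableControlledFolderAccess Enabled
        }
    }
    "Controlled folder access: $(Get-CfaState)"
}

# Typical sequence, run on separate days:
#   Set-CfaStage -Stage Audit
#   Set-CfaStage -Stage Review | Format-List
#   Set-CfaStage -Stage Enforce `
#       -AllowedApps  'C:\Games\ExampleGame\game.exe' `   # HYPOTHETICAL path
#       -ExtraFolders 'D:\Projects'                       # HYPOTHETICAL path
```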

Law Enforcement From Thirty Nine Nations Team Up to Tackle Ransomware Attacks

 

Ransomware continues to pose significant issues for businesses and organisations around the world, and with attacks on the rise, the UK and 38 other nations have joined forces with international cyber insurance authorities to create new guidelines aimed at bolstering resilience and providing help to victims.

The new guidance will advise ransomware victims to carefully evaluate all options before making payments, as data restoration and malware eradication are not guaranteed even if the ransom is paid, and payment only encourages hackers to continue. 

Instead, firms are advised to create a thorough response architecture in case of an attack that includes regulations and contingency plans. If an organisation is targeted, the policy suggests reporting the attack to law enforcement and consulting with security professionals. 

Global crackdown 

With an expected $1 billion lost to ransomware attacks in 2023, ransomware is a lucrative business for criminals. But the new regulations aim to undercut the ransomware playbook and, if at all possible, stop future attacks by removing the incentive for attackers. 

“Cyber criminality does not recognize borders. That is why international co-operation is vital to tackle the shared threat of ransomware attacks. This guidance will hit the wallets of cyber criminals, and ultimately help to protect businesses in the UK and around the world”, stated Security Minister Dan Jarvis.

The United Kingdom is eager to lead the collaborative approach to combating cybercrime, so three major UK insurance bodies (the Association of British Insurers, the British Insurance Brokers' Association, and the International Underwriting Association) have joined forces to launch co-sponsored guidance for businesses. 

The UK National Crime Agency recently sanctioned 16 members of the 'Evil Corp' cybercriminal outfit, which is responsible for stealing more than $300 million from critical infrastructure, healthcare, and government organisations worldwide.

“Ransomware remains an urgent threat and organisations should act now to boost resilience,” noted Jonathon Ellison, NCSC Director for National Resilience. “The endorsement of this best practice guidance by both nations and international cyber insurance bodies represents a powerful push for organisations to upgrade their defences and enhance their cyber readiness.”

“This collective approach, guided by last year’s CRI statement denouncing ransomware and built on guidelines from the NCSC and UK insurance associations earlier this year, reflects a growing global commitment to tackling the ransomware threat.”

Global Governments Address Ransomware Threat with New Guidelines

 


In response to the recent publication of the Counter Ransomware Initiative (CRI), members of the initiative have provided new guidance to organizations so they can consider other possibilities before paying cyber criminals a ransom. The new guidelines aim to reduce the overall impact of ransomware incidents and help reduce the number of ransoms paid by victims and the size of the ransoms when victims decide to pay them. 

A new voluntary ransomware guide released in conjunction with the International Counter Ransomware Initiative meeting this week recommends that victims report ransomware attacks more promptly and that they involve as many advisers as possible when deciding whether to pay a ransom. 

On Wednesday, the governments of the United Kingdom and Singapore, which are leading discussions as to how to increase the resilience of the country's network against ransomware attacks, published a voluntary guidance document aimed at helping victims respond to ransomware attacks in the best way possible. The guidance encourages victims to report attack information, and any ransom demands or payments, to law enforcement agencies, cyber insurance companies, and other outside agencies that may be able to assist.

The guidance discourages paying ransoms. If a victim nevertheless decides to pay, payment should be made only after establishing that it has a strong chance of changing the outcome of the incident and that it complies with any local regulations. While the guidance strongly discourages firms from making payments, it acknowledges that there may be times when victims decide to pay. 

Regardless, it should be noted that, for instance, the UK government does not endorse or condone the act of paying ransom for any reason. A Chainalysis study published earlier in the year reported that ransomware actors collected more than 1 billion dollars in payments in 2023. Since 2019, when Chainalysis began recording the market for ransomware payments, the general trend has been that payment amounts have been on the rise. 

In this commentary, the CRI emphasizes that even if the decryption key has been obtained, that may not be sufficient to bring an end to the incident. Payment does not guarantee access to data and devices. A welcome statement was made by Jonathon Ellison, NCSC Director for National Resilience, when he stated, "Ransomware remains an urgent threat, and organizations need to act now to enhance their resilience." 38 countries, including the United Kingdom, Australia, Canada, Japan, the United States, and New Zealand, have joined the International Cyber Insurance Federation (ICIF) to back the guidance outlined in the CRI. 

According to Ellison, the endorsement of these best practice guidelines, both by nations and international cyber insurance bodies, represents an enormous push for organizations to upgrade their defence systems and enhance their cyber readiness in the coming year. As a part of the event, participants tackled several initiatives, more specifically the completion of a project to ensure secure software and labelling principles are in place by both the U.K. Government and the United States Government.

It was announced that Australia had launched the 'Member Portal' to share information with members and that a new U.S. Government fund has been established to strengthen the cybersecurity capabilities of its members. It was in response to an announcement made one day earlier by the U.S., U.K., and European governments announcing arrests, indictments, sanctions, and the downing of servers related to the Russian cybercrime network, all aimed at targeting Russian hackers.

JPCERT Shares Tips for Detecting Ransomware Attacks Using Windows Event Logs

 

Japan’s Computer Emergency Response Center (JPCERT/CC) recently revealed strategies to detect ransomware attacks by analyzing Windows Event Logs, offering vital early detection before the attack spreads. JPCERT’s insights focus on identifying digital traces left behind by ransomware within four key types of event logs: Application, Security, System, and Setup logs. These logs reveal valuable clues about the entry points used by attackers and can assist in quicker mitigation. Ransomware attacks often target system vulnerabilities and attempt to encrypt files, delete backups, or modify network settings, leaving detectable traces within the event logs. 

For example, the notorious Conti ransomware can be recognized by multiple event logs connected to the Windows Restart Manager, showing event IDs 10000 and 10001. Other ransomware variants like Akira, Lockbit3.0, and HelloKitty, which share similar encryptor technology, leave comparable logs. Additionally, ransomware such as Phobos records when system backups are deleted, a key indicator of malicious activity. Detecting these logs promptly allows administrators to intervene before damage escalates. Midas ransomware, known for spreading infection via network changes, logs event ID 7040. Similarly, BadRabbit leaves event ID 7045 when installing its encryption component, while Bisamware logs events during the beginning and end of a Windows Installer transaction (event IDs 1040 and 1042). 

Other ransomware strains, like Shade, GandCrab, and Vice Society, create errors related to accessing COM applications and deleting Volume Shadow Copies, which are pivotal for restoring encrypted data. JPCERT’s findings illustrate that monitoring for these specific event IDs in combination with a broader security framework could be a game-changer in ransomware defense. Though older ransomware variants like WannaCry and Petya left no such traces in Windows logs, modern ransomware often does. As a result, tracking these logs offers an effective layer of protection against new threats, helping to prevent encryption and data loss. 

It is important to note that no single method of detection is foolproof. A multi-layered approach that combines monitoring event logs with other security tools and protocols remains crucial for protecting systems from ransomware attacks. By using this event log analysis strategy, organizations can significantly reduce the chances of ransomware spreading undetected, giving them the edge in stopping an attack before it cripples their network.
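The event IDs listed above can be turned into a first-pass triage query. The script below is an added example, not JPCERT/CC's own tooling: the log and provider mapping, the burst threshold and the sample events are assumptions made here, and because installers and service installs also write these IDs, the results are leads to investigate rather than verdicts.

```powershell
# Added example. Event IDs come from the article; the provider that normally
# writes each one is filled in here so unrelated events with the same ID are ignored.
$Indicators = @(
    [pscustomobject]@{ Provider = 'Microsoft-Windows-RestartManager'; Id = 10000; What = 'Restart Manager session start';      Family = 'Conti, Akira, Lockbit3.0, HelloKitty' }
    [pscustomobject]@{ Provider = 'Microsoft-Windows-RestartManager'; Id = 10001; What = 'Restart Manager session end';        Family = 'Conti, Akira, Lockbit3.0, HelloKitty' }
    [pscustomobject]@{ Provider = 'Service Control Manager';          Id = 7040;  What = 'Service start type changed';         Family = 'Midas' }
    [pscustomobject]@{ Provider = 'Service Control Manager';          Id = 7045;  What = 'New service installed';              Family = 'BadRabbit' }
    [pscustomobject]@{ Provider = 'MsiInstaller';                     Id = 1040;  What = 'Windows Installer transaction begin'; Family = 'Bisamware' }
    [pscustomobject]@{ Provider = 'MsiInstaller';                     Id = 1042;  What = 'Windows Installer transaction end';   Family = 'Bisamware' }
)

function Find-RansomwareLogTrace {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $BurstCount    = 20,   # ASSUMPTION: tune to your own baseline
        [int] $WindowSeconds = 60    # ASSUMPTION
    )
    # Keep only records that match an indicator on provider AND event ID.
    $hits = foreach ($r in $Records) {
        $m = $Indicators |
            Where-Object { $_.Provider -eq $r.ProviderName -and $_.Id -eq $r.Id } |
            Select-Object -First 1
        if ($m) {
            [pscustomobject]@{ Time = $r.TimeCreated; Computer = $r.MachineName
                               Id = $r.Id; What = $m.What; Family = $m.Family }
        }
    }

    # Restart Manager events are routine one at a time; an encryptor walking the
    # disk produces many in a short window. Report only bursts, per computer.
    $rm = @($hits | Where-Object { $_.Id -in 10000, 10001 })
    foreach ($g in ($rm | Group-Object Computer)) {
        $times = @($g.Group | Sort-Object Time | ForEach-Object { $_.Time })
        $start = 0; $peak = 0; $peakAt = $null
        for ($end = 0; $end -lt $times.Count; $end++) {
            while (($times[$end] - $times[$start]).TotalSeconds -gt $WindowSeconds) { $start++ }
            $n = $end - $start + 1
            if ($n -gt $peak) { $peak = $n; $peakAt = $times[$start] }
        }
        if ($peak -ge $BurstCount) {
            [pscustomobject]@{ Time = $peakAt; Computer = $g.Name
                               Finding = "Restart Manager burst: $peak events in $WindowSeconds s"
                               Family = $g.Group[0].Family }
        }
    }

    # The remaining indicators are reported individually for manual review.
    foreach ($h in ($hits | Where-Object { $_.Id -notin 10000, 10001 })) {
        [pscustomobject]@{ Time = $h.Time; Computer = $h.Computer
                           Finding = "Event $($h.Id): $($h.What)"; Family = $h.Family }
    }
}

# CONSTRUCTED sample records with the same property names Get-WinEvent returns.
$t0 = Get-Date '2024-10-01T02:00:00'
function New-SampleRecord($Seconds, $Computer, $Provider, $Id) {
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds($Seconds); MachineName = $Computer
                       ProviderName = $Provider; Id = $Id }
}
$sample = @(
    0..29 | ForEach-Object {   # 30 sessions in 15 seconds on one host
        New-SampleRecord ($_ / 2) 'HOST-A' 'Microsoft-Windows-RestartManager' (10000 + ($_ % 2))
    }
    New-SampleRecord 0    'HOST-B' 'Microsoft-Windows-RestartManager' 10000   # ordinary installer
    New-SampleRecord 40   'HOST-B' 'Microsoft-Windows-RestartManager' 10001
    New-SampleRecord -120 'HOST-A' 'Service Control Manager' 7045
)

Find-RansomwareLogTrace -Records $sample | Sort-Object Time | Format-Table -AutoSize

# On a live system, feed real events instead of the sample:
# $live = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
#     LogName = 'Application', 'System'; Id = 10000, 10001, 7040, 7045, 1040, 1042
#     StartTime = (Get-Date).AddDays(-1) }
# Find-RansomwareLogTrace -Records $live
```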

Microsoft Warns of Storm-0501 Ransomware Attacks on U.S. Cloud Systems

 

Microsoft has uncovered a multi-stage cyberattack by the financially motivated group Storm-0501, targeting sectors in the U.S., including government, manufacturing, transportation, and law enforcement. 

The attackers compromised hybrid cloud environments, stealing credentials, tampering with data, and deploying ransomware. Storm-0501, active since 2021, first gained attention for using the Sabbath ransomware against U.S. school districts. 

The group later evolved into a ransomware-as-a-service (RaaS) affiliate, deploying ransomware variants like Hive, BlackCat, and the newer Embargo ransomware. 

In its latest attacks, Storm-0501 exploited weak credentials and over-privileged accounts to move from on-premises systems to cloud environments, gaining persistent backdoor access. Microsoft reported that the group used several known vulnerabilities, including those in Zoho ManageEngine and Citrix NetScaler, to gain initial access. 

The group then leveraged admin privileges to compromise further devices and collect sensitive data, using tools like Impacket and Cobalt Strike for lateral movement and to evade detection. Storm-0501 also deployed open-source tools, such as Rclone, to exfiltrate data. 

They masked these tools by renaming them to familiar Windows binary names. Their ability to exploit weak credentials and gain access to Microsoft Entra ID accounts enabled the group to establish persistent cloud access, further increasing the risk to organizations. 

In response to these attacks, Microsoft highlighted the growing security challenges posed by hybrid cloud environments. The company stressed the need for organizations to adopt stronger security measures, including multi-factor authentication (MFA) and regular software updates to fix known vulnerabilities. 

To help mitigate future attacks, Microsoft has enhanced its security protocols, particularly around Microsoft Entra ID, to prevent the abuse of Directory Synchronization Accounts. Storm-0501's activities underscore the increasing sophistication of cyber threats and the urgent need for businesses to bolster their defenses across both on-premises and cloud infrastructures.

CosmicBeetle Exploits Vulnerabilities in Small Businesses Globally

 

CosmicBeetle is a cybercriminal group exploiting vulnerabilities in software commonly used by small and medium-sized businesses (SMBs) across Turkey, Spain, India, and South Africa. Their main tool, a custom ransomware called ScRansom, is still under development, leading to various issues in the encryption process. This sometimes leaves victims unable to recover their data, making the ransomware not only dangerous but also unpredictable. 

Based on analysis by Slovakian cybersecurity firm ESET, CosmicBeetle’s skills as malware developers are relatively immature. This inexperience has led to chaotic encryption schemes, with one victim’s machines being encrypted multiple times. Such issues complicate the decryption process, making it unreliable for victims to restore their data, even if they comply with ransom demands. Unlike well-established ransomware groups that focus on making the decryption process smoother to encourage payment, CosmicBeetle’s flawed approach undermines its effectiveness, leaving victims in a state of uncertainty. 

Interestingly, the group has attempted to boost its reputation by implying ties to the infamous LockBit group, a well-known and more sophisticated ransomware operation. However, these claims seem to be a tactic to appear more credible to their victims. CosmicBeetle has also joined the RansomHub affiliate program, which allows them to distribute third-party ransomware, likely as an attempt to strengthen their attack strategies. The group primarily targets outdated and unpatched software, especially in SMBs with limited cybersecurity infrastructure. They exploit known vulnerabilities in Veeam Backup & Replication and Microsoft Active Directory. 

While CosmicBeetle doesn’t specifically focus on SMBs, their choice of software vulnerabilities makes smaller organizations, which often lack robust patch management, easy targets. According to ESET, businesses in sectors such as manufacturing, pharmaceuticals, education, healthcare, and legal industries are particularly vulnerable. CosmicBeetle’s attacks are opportunistic, scanning for weak spots in various sectors where companies might not have stringent security measures in place. Turkey, in particular, has seen a high concentration of CosmicBeetle’s attacks, suggesting that the group may be operating from within the region. 

However, organizations in Spain, India, and South Africa have also been affected, illustrating the group’s global reach. CosmicBeetle’s focus on exploiting older vulnerabilities demonstrates the need for businesses to prioritize patching and updating their systems regularly. One key issue with CosmicBeetle’s operations is the immaturity of their ransomware development. Unlike more experienced cybercriminals, CosmicBeetle’s encryption tool is in a constant state of flux, making it unreliable for victims. While ESET has been able to verify that the decryption tool technically works, its rapid and frequent updates leave victims uncertain whether they can fully recover their data. To reduce the risk of falling victim to such attacks, SMBs must prioritize several cybersecurity measures. 

First and foremost, regular software updates and patch management are essential. Vulnerabilities in widely used platforms like Veeam Backup and Microsoft Active Directory must be addressed promptly. Businesses should also invest in employee cybersecurity training, emphasizing the importance of recognizing phishing attacks and suspicious links. In addition to these basic cybersecurity practices, companies should back up their data regularly and have robust incident response plans. Having a reliable backup strategy can mitigate the damage in the event of a ransomware attack, ensuring that data can be restored without paying the ransom. Companies should also invest in cybersecurity solutions that monitor for unusual network activity, providing early warning signs of potential breaches.

Continuous Threat Exposure Management: A Proactive Cybersecurity Approach

 

Continuous Threat Exposure Management (CTEM) represents a significant shift in cybersecurity strategy, moving beyond the limitations of traditional vulnerability management. In an era where data breaches and ransomware attacks remain prevalent despite substantial cybersecurity investments, CTEM offers a comprehensive approach to proactively identify, prioritize, and mitigate risks while ensuring alignment with business goals and compliance requirements. 

Introduced by Gartner in July 2022, CTEM is a continuous program that evaluates the accessibility, exposure, and exploitability of an organization’s digital and physical assets. Unlike reactive vulnerability management, which focuses on patching known vulnerabilities, CTEM addresses potential threats before they escalate into major security incidents. It employs various tools, such as Penetration Testing as a Service (PTaaS), attack surface management (ASM), automated pen-testing, and red-teaming, to maintain a proactive defense posture. 

At the core of CTEM is its iterative approach, emphasizing integration, continuous improvement, and communication between security personnel and executives. This alignment ensures that threat mitigation strategies support organizational goals, thereby enhancing the effectiveness of security programs and fostering a culture of cybersecurity awareness across the organization. The CTEM process, as defined by Gartner, involves several stages: scoping, discovery, prioritization, validation, and mobilization. Scoping identifies the organization’s total attack surface, including internal and external vulnerabilities. 

Discovery uses ASM tools to detect potential threats and vulnerabilities, while prioritization focuses on assessing risks based on their likelihood of exploitation and potential impact. Validation confirms the existence and severity of identified threats through techniques like red-teaming and automated breach-and-attack simulations. Mobilization then implements remediation measures for validated high-priority threats, ensuring that they are aligned with business objectives and effectively communicated across departments. 

Exposure management, a critical aspect of CTEM, involves determining the attack surface, assessing exploitability, and validating threats in a continuous cycle, thereby minimizing vulnerabilities and enhancing security resilience. CTEM and exposure management are crucial for fostering a proactive security culture and addressing cybersecurity challenges before they escalate. By leveraging existing security tools and processes, organizations can integrate CTEM into their operations more efficiently, optimizing resource usage and complying with regulatory requirements. CTEM focuses on outcome-driven, business-aligned metrics that facilitate informed decision-making at the executive level. 

It recognizes that while complete risk elimination is impossible, strategic risk reduction aligned with organizational objectives is essential. By prioritizing vulnerabilities based on their impact and feasibility, CTEM enables organizations to navigate the complex cybersecurity landscape effectively. CTEM offers a pragmatic and systematic framework to continuously refine priorities and mitigate threats. By adopting CTEM, organizations can proactively protect their assets, improve resilience against evolving cyber threats, and ensure that their security initiatives align with broader business imperatives.

Protecting Against Fog Ransomware: Key Strategies and Insights

 

In August 2024, a mid-sized financial firm was targeted by a ransomware attack using compromised VPN credentials to deploy a variant called “Fog” on both Windows and Linux systems. Fortunately, the attack was detected and neutralized by Adlumin’s innovative technology, which uses decoy files as sensors to detect ransomware activity. Fog, a variant of the STOP/DJVU ransomware family first observed in 2021, exploits compromised VPN credentials to breach networks and often targets sectors like education and recreation. 

Once inside, the ransomware uses techniques such as pass-the-hash attacks to escalate privileges, disable security mechanisms, encrypt critical files like Virtual Machine Disks (VMDKs), and delete backup data. Victims are usually directed to a negotiation platform on the Tor network through a ransom note. The lack of direct ties to known threat groups suggests that Fog may originate from a new, highly skilled actor. The attackers initiated their operation by pinging endpoints and using tools like “Advanced Port Scanner” for network reconnaissance. 

They then moved laterally through the network using compromised service accounts, mapped network drives, and harvested credentials. For execution, they used the open-source tool ‘Rclone’ to transfer data and deployed ‘locker.exe’ to encrypt files. Additionally, they deleted system backups to prevent victims from restoring their data. Adlumin’s Ransomware Prevention feature played a critical role in neutralizing the attack. This technology, launched in April 2024, uses decoy files that lie dormant until ransomware activity is detected, triggering the automatic isolation of affected machines and blocking further data theft. 

The feature alerts security teams for a deeper investigation, representing a significant advancement in the fight against ransomware. After isolating compromised systems, security engineers conducted a thorough analysis to identify vulnerabilities and restore the affected systems. In the aftermath of the attack, several key measures were recommended to prevent future incidents: ensuring all VPN connections require Multi-Factor Authentication (MFA), keeping VPN software up to date, monitoring VPN access for unusual activity, and deploying automated isolation procedures when ransomware is detected. 

It is also important to protect endpoints with comprehensive security platforms capable of real-time threat monitoring and response, limit administrative privileges, conduct regular security audits, and establish effective incident response plans. Additionally, organizations should regularly back up critical data in secure environments and monitor network traffic for signs of unusual or malicious activity. These proactive steps help organizations prepare for and mitigate the impact of sophisticated ransomware threats like Fog.

Citrine Sleet APT Exploits Chrome Zero-Day Vulnerability for Rootkit Infiltration

 


It is believed that North Korean hackers used a then-unpatched zero-day in Google Chrome (CVE-2024-7971) to install a rootkit called FudModule after gaining admin privileges by exploiting a kernel vulnerability in Microsoft Windows. An investigation by Microsoft has revealed that a North Korean threat actor exploited the zero-day vulnerability in the Chromium browser, tracked as CVE-2024-7971, to conduct a sophisticated cyber operation.  

According to the report, Citrine Sleet, a notorious group that targets the cryptocurrency sector in particular, is responsible for the attack. CVE-2024-7971 is reported to be a type confusion vulnerability in the V8 JavaScript and WebAssembly engine, affecting versions of Chrome before 128.0.6613.84. By exploiting this vulnerability, threat actors could gain remote code execution (RCE) in the sandboxed Chromium renderer process. 

Google fixed the vulnerability on August 21, 2024, and users should ensure that they are running the most recent version of Chrome. This development shows that the nation-state adversary has been increasing its use of Windows zero-day exploits in recent months and is persistent in its efforts to acquire and deploy numerous zero-day exploits. 

A Microsoft security researcher found evidence that Citrine Sleet (formerly DEV-0139 and DEV-1222) was responsible for the activity. Citrine Sleet is also known as AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736. It is assessed to be a sub-cluster of the Lazarus Group (a.k.a. Diamond Sleet and Hidden Cobra). 

Several analysts have previously credited the use of AppleJeus malware to a Lazarus subgroup called BlueNoroff (also known as APT38, Nickel Gladstone, and Stardust Chollima), indicating that the threat actors share both toolsets and infrastructure from one subgroup to another. Some cybersecurity vendors track this North Korean threat group under different names, such as AppleJeus, Labyrinth Chollima, and UNC4736, among others. 

Hidden Cobra is a term used by the U.S. government to describe, collectively, malicious actors sponsored by the North Korean government. It mostly targets financial institutions, with a special focus on cryptocurrency organizations and individuals who are closely associated with the cryptocurrency industry. 

In the past, it has been linked to Bureau 121 of the Reconnaissance General Bureau of North Korea, where it practices intelligence gathering. Moreover, North Korean hackers are also known for using malicious websites that appear to be legitimate cryptocurrency trading platforms to infect prospective victims with fake job applications, weaponized cryptocurrency wallets, and cryptocurrency trading apps designed to steal sensitive information. 

This is the first time UNC4736 malware has been identified in a supply chain attack, for example in March 2023 it attacked the Electron-based desktop client of video conferencing software provider 3CX. Further, they were able to breach the website of Trading Technologies, an automation company for stock market trading, to sneakily push trojanized versions of the X_TRADER software into the system. In a March 2022 report, Google's Threat Analysis Group (TAG) also linked AppleJeus to the compromise of Trading Technologies' website, highlighting AppleJeus as being behind the attack. 

For years, the U.S. government has repeatedly issued warnings about state-sponsored cyberattacks targeting cryptocurrency-related businesses and individuals with AppleJeus malware that is backed by the North Korean government. In response to CVE-2024-7971, which was discovered last week, Google patched Chrome's V8 JavaScript engine and reported the flaw as a type confusion vulnerability. 

In a recent cybersecurity incident report, it was revealed that victims were directed to a domain controlled by the threat group Citrine Sleet, identified as voyagorclub[.]space. The exact method by which victims were lured to this domain remains undetermined, though it is suspected that social engineering tactics were employed. This is consistent with Citrine Sleet’s established modus operandi, which frequently involves manipulating individuals through social engineering to initiate attacks. 

Upon successful redirection to the malicious domain, attackers leveraged a zero-day remote code execution (RCE) vulnerability, identified as CVE-2024-7971. This vulnerability is a type confusion flaw in Chrome’s V8 JavaScript engine. Google addressed this security issue in a recent patch, highlighting that it allowed attackers to achieve RCE within the sandboxed Chromium renderer process of the victim's browser. Once inside this sandboxed environment, the attackers further escalated their access by exploiting a secondary vulnerability in the Windows kernel. 

The additional vulnerability, CVE-2024-38106, was exploited to escape the browser’s sandbox environment. This kernel vulnerability, which Microsoft had patched in their latest Patch Tuesday release, allowed attackers to gain SYSTEM-level privileges on the compromised system. Following this, the attackers downloaded and activated a highly sophisticated rootkit known as FudModule. This malware, when loaded into memory, enabled direct kernel object manipulation (DKOM), providing attackers with the capability to bypass critical kernel security measures.

The FudModule rootkit is particularly concerning, as it is designed to manipulate kernel-level processes, enabling attackers to establish persistent backdoor access to the compromised system. Through DKOM, the rootkit effectively tampers with core system functions, allowing attackers to evade detection, steal sensitive information, and potentially deploy additional malicious software. Interestingly, the FudModule rootkit has been linked to another North Korean state-sponsored group known as Diamond Sleet, which has utilized this malware since its discovery in October 2022. 

This suggests a potential collaboration between Citrine Sleet and Diamond Sleet or, at the very least, shared access to malicious tools and infrastructure. Furthermore, the rootkit bears similarities to tools used by another notorious hacking group, the Lazarus Group, indicating that FudModule may be part of a broader North Korean cyber-espionage toolkit. Citrine Sleet's attack demonstrates a highly coordinated and multi-faceted approach, beginning with social engineering techniques to lure victims to a compromised domain and culminating in the exploitation of critical vulnerabilities to gain deep control over target systems. 

By leveraging both CVE-2024-7971 and CVE-2024-38106, the attackers were able to bypass multiple layers of security, from browser sandboxing to Windows kernel defences. Microsoft has issued a series of recommendations to help organizations mitigate the risk of such attacks. They stress the importance of maintaining up-to-date software and operating systems, as timely patching is critical to closing vulnerabilities before they can be exploited. 

Additionally, Microsoft advocates for the deployment of security solutions that provide unified visibility across the entire cyberattack chain. Such tools can detect and block attacker tools and post-compromise malicious activity. Lastly, strengthening the configuration of the operating environment is recommended to minimize the likelihood of successful exploitation and post-compromise activity. This incident underscores the evolving nature of cyber threats and highlights the importance of proactive cybersecurity measures to detect, block, and mitigate advanced persistent threats (APTs).

Rise in Ransomware Attacks in Southeast Asia Driven by Rapid Digitalization and Security Gaps

 

A wave of ransomware attacks across Southeast Asia during the first half of this year marks just the beginning of a larger trend. Companies and government agencies, particularly in countries like Thailand, Japan, South Korea, Singapore, Taiwan, and Indonesia, have experienced a dramatic rise in cyberattacks, outpacing the rate of ransomware growth in Europe, as shown by data from Trend Micro. 

With incidents like the June attack by the ransomware group Brain Cipher, which disrupted more than 160 Indonesian government agencies, the frequency of such attacks is expected to increase as the region’s economies expand. Many organizations in Southeast Asia are rapidly digitizing their infrastructure, often prioritizing speed over security. Ryan Flores, a senior manager at Trend Micro, points out that the rush to launch digital services often sidelines security measures. 

This rush, combined with a lack of stringent cybersecurity practices, makes organizations in Asia prime targets for cybercriminals. Recent incidents, such as the ransomware attack on a major Vietnamese brokerage in March and malicious code injections in Japan, indicate that cyber attackers are increasingly focusing on this region. Although North America and Europe remain the primary targets for ransomware, the Asia-Pacific region is experiencing a significant surge in attacks. In 2023, ransomware incidents in Asia grew by 85%, according to cybersecurity firm Comparitech. 

Countries like India and Singapore have become major targets, ranking among the top six countries affected by ransomware, based on Sophos’ “State of Ransomware 2024” report. Ransomware groups are especially targeting critical sectors in the Asia-Pacific region. Manufacturing saw the highest number of attacks, followed by government and healthcare sectors. Rebecca Moody of Comparitech suggests that the absence of strict breach notification laws in many Asian countries contributes to underreporting, which in turn reduces the focus on cybersecurity. While ransomware attacks in Asia are increasing, experts like Trend Micro’s Flores believe this rise is not due to targeted efforts but rather the sheer number of potential victims as companies in the region adopt digital tools without adequately upgrading their security. 

Cybercriminals are opportunistic, targeting any vulnerable infrastructure, regardless of its location. National governments in Asia are beginning to take steps to enhance their cybersecurity regulations. For instance, Singapore updated its Cybersecurity Act in May, and Malaysia introduced new legislation requiring cybersecurity service providers to be licensed. However, experts stress that organizations must prioritize basic security practices, such as regular software patching, strong password policies, and multifactor authentication, to mitigate risks effectively.

Cicada3301 Ransomware Operation Impersonates Legitimate Organization, Targets Global Firms

 

A new ransomware-as-a-service (RaaS) operation named Cicada3301 has emerged, impersonating the legitimate Cicada 3301 organization, which was known for its cryptographic puzzles in the early 2010s. The cybercriminal group has already listed 19 victims on its extortion portal and has rapidly targeted companies worldwide. 

Despite using the same name and logo as the original online/real-world game, there is no connection between the two. The legitimate Cicada 3301 organization has publicly condemned the ransomware group's actions, distancing itself from the cybercriminals. 

The ransomware operation began recruiting affiliates on the RAMP forum in June 2024, but attacks were observed as early as June 6. Cicada3301 employs double-extortion tactics, breaching corporate networks to steal data before encrypting devices. The stolen data is used as leverage to demand ransom payments. 

Research by cybersecurity firm Truesec reveals striking similarities between Cicada3301 and the ALPHV/BlackCat ransomware, including shared encryption methods and system shutdown commands, suggesting a possible rebrand by former ALPHV members. Notably, both operations utilize the Rust programming language and the ChaCha20 encryption algorithm. 

Cicada3301 is also linked to the Brutus botnet, known for brute-forcing VPN appliances to gain access to networks, a method seen after ALPHV ceased operations. Targeting VMware ESXi environments, the ransomware is designed to maximize damage by encrypting virtual machines and removing recovery options. 

Its sophisticated methods suggest an experienced group, possibly affiliated with ALPHV, aiming to cause widespread disruption and force victims into paying substantial ransoms.

Everest Gang Poses New Cybersecurity Threat to US Healthcare

 


The Health Sector Cybersecurity Coordination Center has published a threat profile of the Everest ransomware group, which is behind the recent ransomware attack on Gramercy Surgery Center in New York. The group has also claimed responsibility for attacks on Horizon View Medical Center in Las Vegas, 2K Dental in Ohio, Prime Imaging in Tennessee, and Stages Pediatric Care in Florida, and has directed more of its attacks at the healthcare and public health sectors since 2021.

According to information gathered from the group's data leak site, more than 120 victims have been listed there; 34% are in the United States and 27% are in the healthcare industry. The group carried out at least 20 attacks on healthcare organizations between April 2021 and July 2024, with a disproportionately high rate of attacks on medical imaging organizations during that period.

Ransomware, one of the most prevalent types of cybercrime in the world today, has grown rapidly over the last few years. Criminals use highly automated and easy-to-distribute crypto-locking malware to forcibly encrypt systems and demand Bitcoin ransoms in exchange for the keys that unlock them. This Ransomware Resource Center offers information on emerging ransomware variants, threat intelligence on attackers, and best practices for detecting, responding to, and remediating ransomware.

A relatively new Russian-speaking ransomware group is looking for targets in the healthcare sector and claims to have stolen sensitive patient information in recent attacks on at least two medical care providers in New York and Nevada. The Everest ransomware group was first identified in December 2020. Following the attack on the Brazilian government and NASA in April 2012, it quickly became well known within the cybercrime community for hitting several high-profile targets.

The group uses double extortion tactics: it exfiltrates data and encrypts files with ransomware, then demands a ransom payment both to decrypt the files and to prevent the stolen data from being uploaded to its dark web data dump site. According to researchers, the encryptor used by Everest resembles those of other ransomware groups, such as Ransomed, which is known to work in collaboration with Everest. Everest has previously been associated with BlackByte ransomware.

Ransomware is only a recent attack method for the group, which initially focused on data exfiltration. Everest, which has been around since late 2022, has become a market leader in the initial access broker (IAB) niche. IABs are malicious hackers whose primary objective is to breach company networks, install malware that provides remote access to those networks, and then sell that access to other groups that need it to carry out their own attacks.

This tactic is relatively uncommon among threat groups that make money from ransomware attacks. A group that can breach company networks and has an encryption tool might make more money by conducting the attack itself than by selling access to another group. One possible explanation is that the group wants to keep a low profile and avoid law enforcement scrutiny. Among the many victims listed on Everest's dark web leak site is Gramercy Surgery Center, which was struck in January of this year.

According to the group, it has exfiltrated 450 gigabytes of data from the New York-based practice, including patient and doctor information, which it claims is all private and confidential. Gramercy announced in a statement published on its website on June 18 that it may have been the victim of a cyberattack and that it would be investigating the matter. Gramercy Medical Center determined that, from June 14 to June 17, some documents were lost within its information technology environment and that, as part of the incident, copies of these documents were made and viewed within its systems.

Gramercy reportedly notified federal regulators of the hacking incident on Aug. 9 as a HIPAA data breach affecting nearly 51,000 people. Everest also listed the Nevada-based Horizon View Medical Center on its data leak site and alleged that medical records information, including test results and other sensitive information about patients, had been stolen. No notice about the alleged incident had been posted on Horizon View's website as of Thursday, and the company did not immediately respond to a request for comment from Information Security Media Group about Everest's claims.

Following the HHS HC3 alert, the American Hospital Association on Wednesday issued a warning to hospitals that Everest could pose a threat to patient safety. The group uses compromised user accounts and Remote Desktop Protocol (RDP) to gain entry into victims' networks and to move across them. Everest attacks are known to rely on exploiting weak or stolen credentials.

The attackers can exploit the credentials of several systems within an organization. They use tools like ProcDump to make copies of the LSASS process memory, which allows them to steal additional credentials. Following the recommendations of the AHA and HC3, hospitals and healthcare organizations should set up network monitoring so that alerts are raised on Cobalt Strike activations. The US authorities have advised organizations within the healthcare sector to undertake a thorough review of their cybersecurity infrastructure in response to emerging threats from the Everest Gang.

Specifically, they have recommended the meticulous examination of domain controllers, servers, workstations, and active directories to identify and address any new or unrecognized user accounts. Additionally, it is advised that organizations regularly back up their data, implement air-gapping for data copies, and ensure that backup copies are stored offline and secured with strong passwords. Moreover, the Everest Gang's malicious activities are not confined solely to the healthcare industry. 

The group has also targeted a wide array of sectors, including construction and engineering, financial services, legal and professional services, manufacturing, and government institutions. The authorities have urged all organizations within these industries to remain vigilant and adopt stringent cybersecurity measures to safeguard against potential breaches.
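The two host-level checks implied by the guidance above (ProcDump run against LSASS, and new or unrecognized user accounts), as an added example that is not part of the original article or of the HC3/AHA advisories. It is a Python triage pass over constructed events whose field names are modeled on Sysmon Event ID 1 and Windows Security Event ID 4720; the `approved_provisioners` allow-list and all host and account names are assumptions made for illustration.

```python
import re

# Constructed sample events, not from a real incident. Field names are modeled on
# Sysmon Event ID 1 (process creation) and Security Event ID 4720 (account created).
EVENTS = [
    {"EventID": 1, "Host": "ws-014", "Image": r"C:\Tools\procdump64.exe",
     "OriginalFileName": "procdump",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\Temp\l.dmp"},
    {"EventID": 1, "Host": "ws-022", "Image": r"C:\Users\Public\svc.exe",
     "OriginalFileName": "procdump", "CommandLine": "svc.exe -ma 624 out.dmp"},
    {"EventID": 1, "Host": "ws-031", "Image": r"C:\Tools\procdump.exe",
     "OriginalFileName": "procdump", "CommandLine": "procdump.exe -ma w3wp.exe crash.dmp"},
    {"EventID": 4720, "Host": "dc-01", "TargetUserName": "svc_backup2",
     "SubjectUserName": "jdoe"},
    {"EventID": 4720, "Host": "dc-01", "TargetUserName": "new.hire",
     "SubjectUserName": "hr-provision"},
]

PROCDUMP_NAMES = {"procdump.exe", "procdump64.exe", "procdump64a.exe"}
LSASS_RE = re.compile(r"\blsass(\.exe)?\b", re.I)
FULL_DUMP_RE = re.compile(r"(?:^|\s)[-/]ma\b", re.I)  # ProcDump full-memory dump switch


def triage(events, approved_provisioners):
    """Return (host, severity, reason) alerts for credential-dump and new-account events."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            file_name = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
            # OriginalFileName is read from the binary's version resource,
            # so it still identifies the tool after a rename on disk.
            original = ev.get("OriginalFileName", "").lower()
            if original != "procdump" and file_name not in PROCDUMP_NAMES:
                continue
            cmd = ev.get("CommandLine", "")
            if LSASS_RE.search(cmd):
                alerts.append((ev["Host"], "high", "ProcDump targeting LSASS"))
            elif file_name not in PROCDUMP_NAMES and FULL_DUMP_RE.search(cmd):
                # Target given as a PID: cannot confirm LSASS, but the rename is suspect.
                alerts.append((ev["Host"], "medium", "renamed ProcDump writing full dump"))
        elif ev["EventID"] == 4720:
            creator = ev.get("SubjectUserName", "").lower()
            if creator not in approved_provisioners:
                reason = f"account {ev['TargetUserName']} created by {creator}"
                alerts.append((ev["Host"], "review", reason))
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS, approved_provisioners={"hr-provision"}):
        print(alert)
```

The legitimate crash dump of `w3wp.exe` and the account created by the approved provisioning identity produce no alert, which keeps the output limited to the cases an analyst needs to review.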