Search This Blog

Showing posts with label Backups. Show all posts

A New Decryptor by Bitdefender for Victims of LockerGoga Ransomware


As part of Bitdefender's official announcement, the company notified that it had released a free decryptor for ransomware called LockerGoga to recover the encrypted files without paying any ransom.
The Romania-based cybersecurity firm, Bitdefender released a universal LockGoga decryptor. The company stated in its published announcement, that the new decryptor is a combination of international law agencies, including Bitdefender, Europol, the NoMoreRansom project, the Zurich Public Prosecutor’s office, and the Zurich Cantonal Police. 
The new decryptor by Bitdefender is a helping tool for decrypting the files of the victims, free of cost. It uses the path containing pairs of clean-encrypted files and scans the entire system of files or file folders. This decryptor provides a feature called as “backup file”, which comes in handy in case of any problem during the decryption of the files.
LockerGoga is a program classified as ransomware, it came into notice in the 2019 cyber-attack against the U.S. and Norway-based companies, where the threat actors targeted high-profile organisations and individuals, including the world's greatest aluminum producer Norsk Hydro, and engineering firm Altran Technologies of France. They used it to encrypt the stored data on computers and blackmailed the users for ransom in exchange for decryption tools.
The National Cyber Security Centre (NCSC) reported that this computer infection was used in attacking over 1800 organizations all around the world. Cyberattacks involving various ransomware, one of them being LockerGoga, led to monetary damages of approximately 104 million US Dollars in 71 countries.
Around 12 of the attackers involved in the cyber-attack were arrested in October 2021 under an international law enforcement operation for spreading ransomware. In the wake of the arrest of its operator, LockerGoga was dismantled – which also led to the termination of all master private keys used in the encryption. As a result, those victims who did not pay the ransom to the threat actors were left with encrypted files waiting to recover them.

New Zero-day Flaw in BackupBuddy Plugin Leaves WordPress Users at Risk


Wordfence, a WordPress security company, has disclosed that a zero-day vulnerability in the BackupBuddy plugin is being actively exploited. 

"This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it stated.

Users can back up their entire WordPress installation from the dashboard, including theme files, pages, posts, widgets, users, and media files, among other things. The flaw (CVE-2022-31474, CVSS score: 7.5) affects versions to of the plugin, which has an estimated 140,000 active installations. It was fixed in version 8.7.5, which was released on September 2, 2022. 

The problem stems from the "Local Directory Copy" function, which is intended to keep a local copy of the backups. The vulnerability, according to Wordfence, is the consequence of an insecure implementation that allows an unauthenticated threat actor to download any arbitrary file on the server. Additional information about the vulnerability has been withheld due to active in-the-wild abuse and the ease with which it can be exploited.

The plugin's developer, iThemes, said, "This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation. This could include the WordPress wp-config.php file and, depending on your server setup, sensitive files like /etc/passwd."

Wordfence reported that the targeting of CVE-2022-31474 began on August 26, 2022, and that it has blocked nearly five million attacks since then. The majority of the intrusions attempted to read the files listed below -
  • /etc/passwd
  • /wp-config.php
  • .my.cnf
  • .accesshash
Users of the BackupBuddy plugin are encouraged to update to the most recent version. They should determine that they may have been compromised, it's recommended to reset the database password, change WordPress Salts, and rotate API keys stored in wp-config.php.

Albania's Government Networks Were Disabled Amid Cyberattack


According to a report from the Albanian National Agency for the Information Society, a cyberattack from an anonymous source led the Albanian government to shut down the websites of the prime minister's office and the parliament. 

Most Albanian nationals and tourists from other countries utilize the e-Albania website, which currently acts as a hub for several formerly operational civil state offices. 

According to the Albanian National Agency for the Information Society (AKSHI), "we have been compelled to shut down government systems to survive these unprecedented and dangerous strikes until the enemy attacks are neutralized."

Only a few crucial services, like online tax filing, are still operating since they are provided by servers that were not targeted in the attack, while the majority of desk services for the public were disrupted.

Both the duration of the government systems' downtime and the identity of the cyberattack's perpetrator are unknown. According to Albanian media, the attack was comparable to those targeting critical systems in Ukraine, Belgium, Malta, Netherland, Germany, Lithuania, and Belgium.

While there have been instances of 'independent hacker groups' attacking countries in the past, Oliver Pinson-Roxburgh, CEO of cybersecurity platform, said it is unlikely that such a group would be able to operate on this scale.

The report states that due to the early detection, the government's essential systems were able to shut down safely and they are all "backed-up and safe."

It said that to resolve the issue and 'restore normalcy,' Albanian officials were working with Microsoft and Jones Group International experts.

Bogus Backup Message from WhatsApp Delivers Malware to Spanish Users


Authorities in Spain have issued a warning about a phishing campaign that impersonates WhatsApp to deceive consumers into installing a trojan. The recipients are advised to get copies of their chats and call records from a website that only sells the NoPiques virus. 

The NoPiques (“Do not chop”) malware is packaged in an archive that infects vulnerable devices on execution. The Spanish language subject line for dangerous emails is often ‘Copia de seguridad de mensajes de WhatsApp *913071605 No (xxxxx)', however, this may not be the case always as it can vary. Unlike many malware-peddling phishing messages in English and other languages, the emails are written in grammatically correct Spanish, or at least with few faults. 

The Spanish National Cybersecurity Institute's (INCIBE) Oficina de Seguridad del Internauta (OSI) has issued a warning regarding the malware campaign. “If you haven't run the downloaded file, your device may not have been infected. All you have to do is delete the file that you will find in the download folder. You should also send the mail you have received to the trash,” said INCIBE. 

“If you have downloaded and run the malicious file, your device may have been infected. To protect your device, you must scan it with an updated antivirus or follow the steps that you will find in the device disinfection section. If you need support or assistance to eliminate the Trojan, INCIBE offers you its response and support service for security incidents,” they added. 

INCIBE said that they remind consumers: in case of doubt about the legitimacy of an email, they should not click on any link or download any attached file. To check the veracity, consumers can contact the company or the service that supposedly sent them the email, always through their official customer service channels. 

They also said that in addition, for greater security, it is advisable to periodically back up all the information that consumers consider important so that, if their computer is affected by a security incident, they do not lose it. They further added that it is also advisable to keep their devices updated and always protected with an antivirus.

A2 Hosting finds 'restore' the hardest word as Windows outage slips into May

The great A2 Hosting Windows TITSUP has entered its second week as the company continues to struggle to recover from a security breach that forced its System Operations team to shut down all its Windows services.

To recap, things went south on 23 April as malware spread over the company's Windows operation, causing a problem so severe that the A2 Hosting team decided the only way to recover was to restore data from backups. The company told furious customers last week that "Restores continue to progress at a steady pace".

Except, alas, things have not gone smoothly.

As some services gradually tottered into life, users made the horrifying discovery that the backups being restored from were less than minty fresh.

A "day or two" is bad enough for an ecommerce site, but the loss of several months' worth of data is an altogether angrier bag of monkeys. To make matters worse, the company has left it to users to work out just how whiffy those backups are.

Register reader David Sapery, who was lucky enough to see his services stagger back to life after a five-day liedown, was then somewhat embarrassed when his customers, finally able to access his sites, told him things looked a tad outdated.

Sapery told us: "Anything on any of my websites that was updated over the past 2+ months is gone."

Still, Sapery was at least able to recover. Another reader was not so lucky, describing his experience as "an unmitigated disaster."

Having spent eight months and "thousands of dollars", the unfortunate A2 Hosting customer told us that "my business and all my hard work has been gutted within seven days by a hosting company that clearly did not have robust security in place."

A2 Hosting will, of course, point to its Terms of Service where it makes it quite clear that it is not responsible for any data loss and that users are responsible for their own backups.