Australia's Cyber Strategy: No Ransomware Payment Ban

Australia has recently unveiled its new Cyber Security Strategy for 2023-2030, and amidst the comprehensive plan, one notable aspect stands out – the absence of a ban on ransomware payments. In a world grappling with increasing cyber threats, this decision has sparked discussions about the efficacy of such a strategy and its potential implications.

The strategy, detailed by the Australian government, outlines a sweeping resilience plan aimed at bolstering the nation's defenses against cyber threats. However, the decision not to ban ransomware payments raises eyebrows and prompts a closer examination of the government's rationale.

According to reports, the Australian government aims to adopt a pragmatic approach to ransomware, acknowledging the complex nature of these attacks. Instead of an outright ban, the strategy focuses on improving cybersecurity, enhancing incident response capabilities, and fostering collaboration between government agencies, businesses, and the wider community.

Critics argue that allowing ransom payments may incentivize cybercriminals, fueling a vicious cycle of attacks. The concern is that paying ransoms may encourage hackers to continue their activities, targeting organizations with the expectation of financial gain. In contrast, proponents of the strategy contend that banning payments may leave victims with limited options, especially in cases where critical data is at stake.

Australia's decision aligns with a growing trend in some parts of the world where governments are grappling with finding a balance between protecting national security and providing victims with avenues for recovery. The approach reflects an understanding that rigid and one-size-fits-all policies may not be effective in the ever-evolving landscape of cyber threats.

The new Cyber Security Strategy also emphasizes the importance of international cooperation to combat cyber threats. Australia aims to actively engage with international partners to share threat intelligence, collaborate on investigations, and collectively strengthen global cybersecurity.

Australia's experiment with a more nuanced approach to ransomware payments is being watched by the whole world, and the results will probably have an impact on how other countries formulate their cybersecurity laws. The continuous fight against cyber dangers will depend on finding the ideal balance between deterring illegal activity and helping victims.

In contrast to other nations that have taken more restrictive measures, Australia has decided not to outlaw ransomware payments in its new Cyber Security Strategy. In light of the always-changing cybersecurity landscapes, it underscores the significance of a comprehensive, cooperative, and flexible approach and demonstrates a practical recognition of the difficulties presented by cyber attacks. The future course of international cybersecurity regulations will surely be influenced by this strategy's success.

Idaho National Laboratory Suffers Data Breach, Employee Data Compromised


Idaho National Laboratory, the nuclear energy testing lab that employs an estimated 5,700 experts, has recently suffered a major data breach in its systems.

The data breach took place last Sunday, on November 19. The stolen data consist of the laboratory's employees' critical data, which was later leaked on online forums.

The investigation into the breach is being carried out by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, working in collaboration with INL, a spokesperson said. Physical addresses, bank account details, and Social Security numbers are among the data affected.

In an interview regarding the incident, the spokesperson told local news outlet EastIdahoNews.com that the attack impacted INL's Oracle HCM system, a cloud-based workforce management platform that provides payroll and other HR services.

SiegedSec, a self-described hacktivist group, has since claimed responsibility for the attack and published a sample of the stolen employee data on its data breach forum, including full names, dates of birth, email addresses, contact details and other identity information of INL employees.

The group, which seems to have political motivations, was also accused in the past of stealing information from the Communities of Interest Cooperation Portal, an unclassified information-sharing portal run by NATO.

However, INL has not indicated that the breach affected any of its classified information or nuclear research, and CISA did not immediately respond to a request for comment.

Regardless of whether the classified nuclear details were accessed by the threat actors, Colin Little, security engineer at the cybersecurity firm Centripetal, said it is "highly disconcerting that the staff generating that intellectual property and participating in the most advanced nuclear energy research and development have had their information leaked online."

"Now those who are politically motivated and would very much like to know the names and addresses of the top nuclear energy researchers in the U.S. have that data," he said. 

INL supports large-scale initiatives from the Department of Energy and the Department of Defense. The laboratory bills itself as "a world leader in securing critical infrastructure systems and improving the resiliency of vital national security and defense assets."

Investigating Chainalysis Data Reliability in Cryptocurrency Cases


Chainalysis has been a key player in bitcoin investigations in recent years, giving financial institutions and law enforcement authorities vital information and insights. But as its impact expands, concerns regarding the veracity and reliability of the information it offers have surfaced.

The scrutiny over Chainalysis data was thrust into the spotlight by the recent 'Bitcoin Fog' case, which raised concerns about the reliance on Chainalysis in criminal investigations. Critics argue that the reliance on a single source for such critical information may lead to potential biases or inaccuracies. Bloomberg's report on the case highlights the complexities surrounding the use of Chainalysis in legal proceedings, emphasizing the need for a nuanced understanding of the data it provides.

One of the primary concerns regarding Chainalysis data is its potential impact on privacy and civil liberties. As blockchain analysis becomes more prevalent, there are fears that innocent individuals may be caught in the crossfire of investigations. The delicate balance between effective law enforcement and protecting individual rights remains a key challenge.

Chainalysis, however, defends its practices and emphasizes its commitment to transparency and accuracy. In a recent blog post, the company provided insights into its methodology and highlighted its efforts to continuously improve the quality of the data it delivers. Michael Gronager, CEO of Chainalysis, affirmed, "We understand the weight of responsibility that comes with providing data for legal proceedings, and we take every measure to ensure its reliability."

Experts in the field also weigh in on the matter. Dr. Sarah Hopkins, a leading blockchain analyst, commented, "While Chainalysis has undoubtedly been a game-changer in tracking illicit activities, it's essential to remember that it's just one piece of the puzzle. It should be used in conjunction with other investigative techniques to ensure a comprehensive understanding of the situation."

The controversy about Chainalysis data's dependability serves as a reminder of how bitcoin research is changing. Despite the fact that it has frequently been useful, it is crucial to view its conclusions critically. The techniques and equipment used to research cryptocurrencies must change as technology improves and the market itself develops. In this quickly evolving industry, a multifaceted strategy that balances privacy concerns with the requirement for efficient law enforcement is still crucial.

Johnson & Johnson Reveals: IBM Data Breach Compromised Customer Data


Johnson & Johnson Health Care Systems (Janssen) recently informed its CarePath customers of a third-party data breach involving IBM, which has resulted in the compromise of their sensitive information.

IBM is a technology service provider for Janssen. In particular, it oversees the administration of the CarePath application and database.

CarePath is a software program created to assist patients in obtaining Janssen medications, provide discounts and cost-saving tips on prescriptions, explain insurance eligibility, and provide drug refilling and administration reminders.

The pharmaceutical company learned about an undocumented technique that could provide unauthorized individuals access to the CarePath database, according to the notification on Janssen's website.

The company then reported the issue to IBM, which swiftly patched the security gap and conducted an internal investigation to determine whether the bug had been exploited by anyone.

The investigation concluded on August 2nd, 2023, and revealed that unauthorized persons had access to the following CarePath user details:

  • Full name 
  • Contact information 
  • Date of birth 
  • Health insurance information 
  • Medication information 
  • Medical condition information 

Users of CarePath who signed up for Janssen's online services before July 2nd, 2023, are affected by the exposure, which may be a sign that the breach happened on that date or that the compromised database was a backup.

Since Social Security numbers and financial account data were not held in the breached database, those critical details have not been exposed.

The company further revealed that the breach did not affect Janssen's Pulmonary Hypertension patients.

Given the significance of medical data, there is a strong likelihood that the leaked data will be sold for a premium on darknet markets. The compromised data could support very effective phishing, scamming, and social engineering attacks.

IBM also published an announcement regarding the incident, stating that there are no signs that the stolen data has been misused. However, it advises Janssen CarePath users to keep a sharp eye out for any unusual activity on their account statements. The tech giant is now providing affected people with one year of free credit monitoring to help shield them against fraud.

Both announcements include toll-free phone numbers that customers and providers can use to ask questions about the incident or get assistance signing up for credit monitoring services.

IBM is one of the hundreds of companies that were compromised by the Clop ransomware gang earlier this year, when the notorious threat actors exploited a zero-day vulnerability in the MOVEit Transfer software used by various organizations globally.

However, when asked whether the recent attack is related to the MOVEit campaign, an IBM spokesperson confirmed that the two are separate incidents caused by different threat actors.

ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access


An ALPHV/BlackCat ransomware affiliate was spotted gaining early access to the target network by abusing three flaws in the Veritas Backup product. The ALPHV ransomware operation first appeared in December 2021, and it is thought to be controlled by former members of the Darkside and Blackmatter programs, which shut down abruptly to avoid law enforcement scrutiny. 

Mandiant identifies the ALPHV affiliate as 'UNC4466,' noting that the method differs from the conventional breach, which depends on stolen credentials. Mandiant reports that on October 22, 2022, it spotted the first occurrences of Veritas flaw exploitation in the field. UNC4466 focuses on the following high-severity flaws:

  • CVE-2021-27876: Arbitrary file access flaw caused by an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints. (CVSS score: 8.1)
  • CVE-2021-27877: Remote unauthorized access and privileged command execution to the BE Agent via SHA authentication. (CVSS score: 8.2)
  • CVE-2021-27878: Arbitrary command execution flaw resulting from an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints. (CVSS score: 8.8)

All three issues affect the Veritas Backup software. They were disclosed by the vendor in March 2021, and a fix was published with version 21.2. Although more than two years have passed, many endpoints remain vulnerable because they have not been updated to a safe version.

According to Mandiant, a commercial scanning service discovered more than 8,500 IP addresses on the public web advertising the "Symantec/Veritas Backup Exec ndmp" service on the default port 10000 as well as ports 9000 and 10001.

"While this search result does not directly identify vulnerable systems, as the application versions were not identifiable, it demonstrates the prevalence of Internet exposed instances that could potentially be probed by attackers" - Mandiant

On September 23, 2022, a Metasploit module to exploit these flaws was made available to the public. The code enables attackers to establish a session and interact with the compromised endpoints. According to Mandiant, UNC4466 began using the specific module a month after it was released.

Specifics of the attack

According to Mandiant's findings, UNC4466 compromises an internet-exposed Windows server running Veritas Backup Exec by utilizing the publicly accessible Metasploit module and gains persistent access to the host.

Following the initial compromise, the threat actor gathered information on the victim's environment using the Advanced IP Scanner and ADRecon utilities. Next, they downloaded more tools onto the host, such as LAZAGNE, LIGOLO, WINSW, RCLONE, and ultimately the ALPHV ransomware encryptor, through the Background Intelligent Transfer Service (BITS).

To interact with the command and control (C2) server, the threat actor employed SOCKS5 tunneling. According to the researchers, UNC4466 used BITS transfers to download SOCKS5 tunneling tools before deploying the ransomware payload by adding immediate tasks to the default domain policy, disabling the security software, and executing the encryptors.

UNC4466 uses Mimikatz, LaZagne, and Nanodump to steal valid user credentials in order to escalate privileges. Finally, the threat actor avoids discovery by erasing event logs and turning off Microsoft Defender's real-time monitoring capability.

Mandiant's report gives recommendations for defenders to take in order to detect and prevent UNC4466 assaults before the ALPHV payload is executed on their systems.
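As an added example (not from Mandiant's report or the original post), the following Python correlates the post-exploitation steps described above on a constructed export of Windows event records: a BITS transfer job, a scheduled task created on the host, Defender real-time protection disabled, and an event log cleared. The host names, timestamps and JSON-lines format are constructed for the example, and the BITS-Client event ID used is an assumption to confirm against your own telemetry.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows event records exported as JSON lines; this is
# not real telemetry. Event IDs: Security 4698 (scheduled task created),
# Security 1102 (audit log cleared), System 104 (event log cleared), Windows
# Defender 5001 (real-time protection disabled). BITS-Client event 3 (new
# transfer job) is an assumed mapping; confirm it against your own logs.
SAMPLE_EVENTS = """
{"ts": "2022-10-22T09:02:11", "host": "BKUP01", "channel": "Microsoft-Windows-Bits-Client/Operational", "event_id": 3, "message": "The BITS service created a new job."}
{"ts": "2022-10-22T09:14:40", "host": "BKUP01", "channel": "Security", "event_id": 4698, "message": "A scheduled task was created. Task Name: deploy"}
{"ts": "2022-10-22T09:15:02", "host": "BKUP01", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001, "message": "Real-time protection is disabled."}
{"ts": "2022-10-22T09:20:55", "host": "BKUP01", "channel": "Security", "event_id": 1102, "message": "The audit log was cleared."}
{"ts": "2022-10-22T11:00:00", "host": "WS042", "channel": "Microsoft-Windows-Bits-Client/Operational", "event_id": 3, "message": "The BITS service created a new job."}
{"ts": "2022-10-23T08:00:00", "host": "WS042", "channel": "Security", "event_id": 1102, "message": "The audit log was cleared."}
"""

# Stage name -> (channel, event_id) pairs that signal that stage of the chain.
STAGES = {
    "bits_download": {("Microsoft-Windows-Bits-Client/Operational", 3)},
    "task_created": {("Security", 4698)},
    "defender_rtp_off": {("Microsoft-Windows-Windows Defender/Operational", 5001)},
    "log_cleared": {("Security", 1102), ("System", 104)},
}
STAGE_ORDER = list(STAGES)


def parse_events(text):
    """Parse a JSON-lines export into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def stage_of(event):
    """Map one event to a chain stage, or None if it is not of interest."""
    key = (event["channel"], event["event_id"])
    for name, signatures in STAGES.items():
        if key in signatures:
            return name
    return None


def detect_unc4466_chain(text, window_minutes=60, min_stages=3):
    """Return one alert per host on which at least min_stages distinct stages
    occur within window_minutes of some triggering stage event. A lone BITS
    job or a lone log clear (as on WS042 in the sample) does not alert."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for ev in parse_events(text):
        name = stage_of(ev)
        if name:
            by_host[ev["host"]].append((ev["ts"], name))
    alerts = []
    for host, hits in by_host.items():
        for i, (start, _) in enumerate(hits):
            seen = {n for ts, n in hits[i:] if ts - start <= window}
            if len(seen) >= min_stages:
                alerts.append({"host": host, "first_ts": start.isoformat(),
                               "stages": [s for s in STAGE_ORDER if s in seen]})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_unc4466_chain(SAMPLE_EVENTS), indent=2))
```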

Singapore Ups Investment in Quantum Technology, to Stay Ahead of Security Risks


Singapore focuses on enhancing its quantum computing capabilities through new initiatives to build necessary skill sets and quantum equipment. It emphasises the importance of doing so in order to keep encryption technology resilient and capable of withstanding "brute force" attacks. 

The Singapore government announced on Tuesday that it will set aside SG$23.5 million (17.09 million) to support three national platforms under its Quantum Engineering Programme (QEP) for up to 3.5 years. The initiative is a component of the country's Research, Innovation, and Enterprise 2020 (RIE2020) strategy. 

Two of these platforms were announced on 31st May, including the National Quantum Computing Hub, which will pool knowledge and resources from the Centre for Quantum Technologies (CQT), local universities, and research institutes to strengthen key skill sets. The hub, together with A*STAR's Institute of High Performance Computing (IHPC) and the National Supercomputing Centre (NSCC), would seek to establish international collaborations and train new talent in order to address a skill shortage in the emerging industry. CQT and IHPC researchers would also create quantum computing hardware and middleware, with potential applications in finance, supply chain, and chemistry.

The National Supercomputing Center (NSCC) would offer the supercomputing capacity required to design and train algorithms for usage on quantum computers. A second programme, National Quantum Fabless Foundry, was launched to facilitate the micro and nano-fabrication of quantum devices in cleanrooms run by industrial partners. 

Both efforts would boost local talent and allow academics to investigate how quantum computing may help diverse businesses as well as build quantum gadgets. The Quantum Engineering Programme also included a quantum-safe network that was billed as demonstrating "crypto-agile connectivity" and supporting experiments with both public and commercial entities. 

The initiative, which was announced earlier in February, intended to improve network security for vital infrastructures and had 15 partners at the time of introduction, including ST Telemedia Global Data Centres, Cyber Security Agency, and Amazon Web Services. 

Singapore's Deputy Prime Minister and Coordinating Minister for Economic Policies, Heng Swee Keat, stated in his address announcing the new efforts that the country needs to stay alert in the face of growing dangers. Heng likened cyber threats to a "cat and mouse game," adding that efforts were made to keep ahead of hostile actors who were always looking for new loopholes to attack. With the cyber world rapidly developing, he believes quantum technology has the potential to be a "game changer." "Strong encryption is key to the security of digital networks. The current encryption standard, AES 256, has held up, as few have the computing power to use brute force to break the encryption. But this could change with quantum computing," he cautioned. 

"For some cryptographic functions, the fastest quantum computer is more than 150 million times faster than the fastest supercomputer. Quantum computers can solve in minutes a problem which takes a supercomputer 10,000 years." According to the minister, this highlights the significance of quantum technology research. 

He added, "Our investment in quantum computing and quantum engineering is part of our approach of trying to anticipate the future and proactively shaping the future that we want." 

He noted that as digitalisation grew, so did cyber concerns and that Singapore must continue to invest to keep ahead of possible threats. He went on to say that the fabless foundry will use the country's manufacturing skills to create quantum devices that would tackle "real-world challenges" in collaboration with industry partners.

APT27 Hackers are Backdooring Business Networks in Germany


The German domestic intelligence service BfV issued a warning about ongoing operations orchestrated by the Chinese-backed hacker group APT27. In this active campaign, the attackers are utilising the HyperBro remote access trojan (RAT) to backdoor the networks of German commercial enterprises. By operating as an in-memory backdoor with remote administration capabilities, HyperBro helps the threat actors maintain persistence on the victims' networks.

HyperBro is a RAT that has been seen predominantly in the gambling industry, though it has also been observed elsewhere. The malware is typically composed of three or more components: a) a genuine loader signed with a valid certificate, b) a malicious DLL loader loaded by the former component via DLL hijacking, and c) an encrypted and compressed blob that decrypts to a PE-based payload with its C2 information hardcoded within.

APT27 (also known as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse) is a Chinese-sponsored threat group that has been active since at least 2010 and is noted for its emphasis on data theft and cyber espionage efforts. 

Since March 2021, APT27 has been exploiting flaws in Zoho ADSelfService Plus software, an enterprise password management solution for Active Directory and cloud apps, according to the German intelligence agency. This is consistent with prior reports that Zoho ManageEngine installations were the target of multiple campaigns in 2021, coordinated by nation-state hackers employing techniques and tooling similar to APT27's.

According to the agency, the threat group's objective is to steal critical information, and it may also seek to target its victims' customers in supply chain attacks.

"The Federal Office for the Protection of the Constitution has information about an ongoing cyber espionage campaign by the cyber-attack group APT27 using the malware variant HYPERBRO against German commercial companies," the BfV said. "It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, also try to infiltrate the networks of customers or service providers." 

In addition, the BfV issued indicators of compromise (IOCs) and YARA rules to assist targeted German organisations in detecting HyperBro infections and connections to APT27 command-and-control (C2) servers. 

APT27 initially exploited an ADSelfService zero-day exploit until mid-September, then transitioned to an n-day AdSelfService vulnerability before beginning to exploit a ServiceDesk flaw on October 25. According to Palo Alto Networks researchers, they effectively infiltrated at least nine organisations from vital industries around the world, including defence, healthcare, energy, technology, and education.

'Tropic Trooper' Makes a Comeback to Target Transportation Organizations


Trend Micro reports that a Chinese state-sponsored threat actor known as 'Tropic Trooper' has been targeting transportation firms and government bodies associated with the transportation sector since the middle of 2020. The advanced persistent threat (APT), also known as Earth Centaur and KeyBoy, has been active since 2011, conducting espionage attacks targeting organizations in the government, healthcare, high-tech, and transportation sectors in Hong Kong, the Philippines, and Taiwan. 

Trend Micro warned that the group attempted to access flight schedules, financial plans, and other internal documents at the target organizations, as well as any personal information available on the compromised hosts, including search histories, as part of the attacks carried out over the last year and a half.

According to the report, the analysts were able to tie the new Earth Centaur activity to Tropic Trooper after discovering comparable code in configuration decoding. “Currently, we have not discovered substantial damage to these victims as caused by the threat group,” Trend Micro’s analysts explained. “However, we believe that it will continue collecting internal information from the compromised victims and that it is simply waiting for an opportunity to use this data.” 

The researchers noted that one of the group's signature tactics, techniques, and procedures (TTPs) is red team-style tradecraft. According to the research, Earth Centaur is skilled at evading security controls and remaining unnoticed. “Depending on the target, it uses backdoors with different protocols, and it can also use the reverse proxy to bypass the monitoring of network security systems. The usage of the open-source frameworks also allows the group to develop new backdoor variants efficiently,” the report said.

According to the research, the threat group typically penetrates target computers via a weak Exchange or Internet Information Services (IIS) server, then drops backdoors such as ChiserClient and SmileSvr. According to the researchers, a customized version of Gh0st RAT then sets out to collect data from active sessions on the host. The attackers then go across the infiltrated organization's network and exfiltrate valuable data. 

The rise in the threat actor's interest in transportation and government coincides with the November passage of the Infrastructure Deal, which promises massive investments across the transportation sector, including $39 billion for transit modernization, $89.9 billion for public transit, $25 billion for airports, $66 billion in rail funding, and much more. The government is set to pour billions of dollars into the transportation sector, and Earth Centaur appears to be perfectly positioned to profit.

Alert Android Users: These 23 Apps Found Spying via Mobile Camera


A new malware, PhoneSpy, that eavesdrops on Android users was recently detected in 23 applications. At present, none of these applications are available on the Google Play Store.

The malware, which has primarily been active in the United Kingdom and Korea, is capable of stealing critical data such as images, call logs, contacts, and messages, obtaining the full list of installed apps, and recording audio and video in real time using the phone's cameras and microphone. It can also extract device information such as the IMEI number, device name, and brand, and even grant remote access to the device.

Zimperium stated in a statement, “The application is capable of uninstalling any user-installed applications, including mobile security apps. The device’s precise location is available in real-time to the malicious actors, all without the victim knowing. The spyware also enables the threat actor to use phishing pages for harvesting credentials of Facebook, Instagram, Google, and Kakao Talk." 

“PhoneSpy hides in plain sight, disguising itself as a regular application with purposes ranging from learning Yoga to watching TV and videos, or browsing photos," the mobile security agency Zimperium added. 

Since neither the spyware nor any of its shadow applications were listed on the Play Store, experts believe the attackers may have used online traffic redirection or social engineering to spread the malware. The latter is used by cyber thieves to trick device owners into performing voluntary actions.

If users carefully examine their online traffic habits, they may be able to discover the malware infection. The PhoneSpy software begins by requesting on-device permissions. Once the user has granted them, the attackers can control the app and hide it from the main menu.

According to Zimperium, Android users should avoid installing apps from third-party app stores. It’s recommended that users only download applications from the Google Play Store. Also, users are suggested to avoid clicking on questionable links or downloading any applications sent by text message or email.