Search This Blog

Showing posts with label Cyber Attacks. Show all posts

NCA Infiltrates Cybercrime Market With Fake DDoS Sites


UK’s National Crime Agency (NCA) has recently conducted a sting operation as a part of Operation Power Off, a collaboration of international law enforcement agencies to shut down DDoS (distributed denial of service) infrastructure. 

In order to sabotage the online black market, the NCA set up a number of fictitious DDoS websites and offered booter or DDoS-for-hire services. It is important to keep in mind that the UK's Computer Misuse Act of 1990 makes DDoS attacks illegal. 

All of these websites were created by the NCA to appear genuine, giving the visitor the idea that they could initiate DDoS attacks using the provided tools and services. 

According to the agency, many a thousand individuals have visited the sites, although, after registering on the site, visitors are instead presented with a splash screen telling them that their data has been captured and law enforcement authorities would contact them instead of receiving the services they had signed up for. 

In the most recent report, the NCA confirms to have identified one of the websites it was operating, with a message that the data of users has been collected and that they “will be contacted by law enforcement.” 

The individuals who are currently in the UK will be contacted by the NCA or police and are warned about engaging in any cybercrime-related activity, whereas, the details of those overseas are being handed out to international law enforcement. 

DDoS Attacks 

In a DDoS attack, compromised computer systems bombard a target (server or website), causing severe financial or reputational damage to the targeted organization. “DDoS-for-hire, or ‘booter’, services allow users to set up accounts and order DDoS attacks in a matter of minutes […] Such attacks have the potential to cause significant harm to businesses and critical national infrastructure, and often prevent people from accessing essential public services,” said the NCA. 

Alan Merrett, member of NCA’s National Cyber Crime Unit says “booter services” are a key enabler of cybercrime. “The perceived anonymity and ease of use afforded by these services means that DDoS has become an attractive entry-level crime, allowing individuals with little technical ability to commit cyber offences with ease,” he said. 

He added that traditional site takedowns and arrests are key components of law enforcement’s response to threats while adding, “We have extended our operational capability with this activity, at the same time as undermining trust in the criminal market.” 

The NCA says that it will not reveal how many sites it has or for how long they have been running. Therefore, they have urged individuals looking for these services to stay cautious as they might not know who is operating them. 

Schools' Files Leak Online Days After Ransomware Deadline

 


Many documents purported to have been stolen from Minneapolis Public Schools, and have now been posted online. In the days following the announcement of the breach, a cyber gang claimed that the district did not meet its deadline to pay a ransom demand of $1 million. 

It was evident that download links appeared on a website designed to look like a technology news blog in the middle of the night, a front for the attack, on Wednesday morning, and the next day, the links appeared on Telegram, an encrypted instant messaging service widely used by terrorists and far-right extremists.

There is still some doubt about the contents of the large 92-gigabyte file currently being sent to the 74. There is still a significant difference between the available download and what the Medusa ransomware gang claimed it stole from the district. This is 157 terabytes - 1,000 gigabytes in one terabyte. 

Earlier this month, a dark web blog belonging to the criminal group uploaded a file tree detailing the ownership of the files to its website. As the file tree shows on the left, it would appear that a large amount of sensitive information is contained in the records that are visible in the file tree. In addition to these questions, you will be able to obtain information about allegations of sexual violence by students, district finances, student discipline, special education, civil rights investigations, and notification of student maltreatment and sexual offenders, as well as information regarding district finances, student discipline, special education, and civil rights investigations.  

Even though the full scale of the breach is not known yet, cybersecurity experts say present and former Minneapolis residents and district employees should take steps to protect themselves as soon as possible.  

According to Doug Levin, the national director of the K-12 Security Information Exchange and an expert in K-12 cybersecurity incidents, now is a good time to implement two-factor authentication to accounts that can benefit from it as well as avoid reusing passwords across multiple services. 

However, experts said that there are no easy solutions for those who are now at risk of having sensitive personal information accessible to them, including personal information about incidents of student sexual misconduct. Levin is one of the most prominent mental health professionals in the country. He says that if you are the victim of harassment, you should strongly consider seeking mental health counseling or creating an action plan.  

As Levin explained, when a genie has been allowed out of its bottle, it is extremely difficult to re-inject it. As he continued, he stated that the school district had no idea what it could do to comfort these individuals or even to provide them with any recourse. Credit monitoring is not helpful. They would like their well-being and reputation to be protected.  

There have been several complaints about the Minnesota district's public communications about a ransomware attack, which it initially referred to as an "encryption event." This past Friday, the Minneapolis district announced that the ransomware group had released the stolen records on the dark web, a part of the internet accessible only with special software that can leave the user untraceable. 

In a Telegram message, the user identified himself as an 18-year-old Minneapolis high school student who was interested in downloading the data, because they were concerned it might contain sensitive information such as their Social Security number or other personal information, The 74 reported.  

The district has urged the community, as a part of its checklist of safety precautions, that downloads of the breached data should be avoided as much as possible. The paper argues that doing so could contribute to the work of cybercriminals because it would increase our community's fear of the information and increase the level of panic that they would cause.  

Additionally, the district has issued warnings to its residents urging them not to respond to suspicious emails or phone calls because they may be phishing scams. It has also urged them to change their passwords periodically. A statement from the district stated that the district was working to determine which records had been compromised on Friday. As a result of the ongoing process that is expected to take some time, the company planned to inform affected individuals when it was complete.  

Callow believed ransomware victims should take a proactive approach to notify those whose data was stolen in the first place. The investigation will be completed at the end of the investigation rather than waiting until it is completed.   

Okta Post-Exploitation Method Reveals User Passwords


Post-exploitation attack technique has been discovered that enables adversaries to read cleartext user passwords for Okta, the identity access, and management (IAM) provider, acquiring extensive access to the corporate environment. 

Mitiga researchers found that if users unintentionally type their passwords in the "username" field when logging in, the IAM system saves them to audit logs. Threat actors who have acquired access to a company's system can then quickly harvest them, lift privileges, and gain access to several corporate assets that make use of Okta. 

In a post, Doron Karmi, Okta senior security researcher and principal security researcher and developer wrote, "In our research, we could easily use the logs to match the password with the valid user, resulting in gaining credentials to the Okta user account." They added further when adversaries log in to Okta as those users, it "expands the blast radius of the attack to the many platforms that Okta secures, and gaining further access to systems." 

Since Okta audit logs include specific data pertaining to user activity, such as usernames, IP addresses, and login timestamps, the vulnerability exists. The logs also reveal whether login attempts were made using a web browser or a mobile app and whether they were successful or failed. 

In Defense of Okta Features 

The cloud-based enterprise-grade IAM service, Okta, which links business users across applications and devices is now utilized by more than 17,000 customers around the globe. Although it was designed for cloud-based systems, many on-premises apps can also use it. 

According to a statement from the company released by Mitiga, representatives from Okta agree that preserving cleartext passwords in audit logs is "expected behavior when users mistakenly enter their password in the username field." Furthermore, only platform administrators, who are the system's most privileged users, have access to audit logs that store cleartext passwords, and they "should be trusted not to engage in malicious activities." 

It is not the first time the business has had to defend a platform feature that governs how user passwords are handled. In response to a report by Authomize researchers, Okta's architecture for password syncing allows malicious actors signed in as an app administrator of a downstream app to access passwords in plaintext, including admin credentials, even over encrypted channels, the company published a blog post in July of last year. 

The news followed claims made by the threat organization Lapsus$, which posted screenshots they claimed were taken from internal systems and claimed to have breached Okta using "superuser" account credentials. Although Okta later claimed it only discovered two actual breaches, it was revealed that 366 Okta customers could have been negatively impacted by that incident.   

LockBit Attacks Oakland with Ransomware Twice in as Many Weeks

 

Following a ransomware attack on LockBit's network last month that caused information from its network to be leaked, the city of Oakland in the state of California has been uploaded to the dark web victim blog. In order to avoid further information from the city being released, the gang has given Oakland's city council until April 10 to begin negotiations. 

The tax office and several non-emergency phone lines are among the essential services that have been impacted by a network outage, according to a notification on the city services website, which is still accessible. 

Earlier today, LockBit published the city on its blog. It also includes a brief history of the city and states that "all available data shall be shared." The cutoff date looks to be April 10. 

Second ransomware attack in Oakland in recent weeks 

The purported attack occurs only a few weeks after Oakland's city council disclosed that the Play ransomware group attacked it in February. 

According to a council statement, "we are aware that some of the information obtained from our network has been released by an unauthorised party." 

The statement continued, referring to the breach as a "ransomware incident," and said that "the findings to date indicate that an unauthorised actor accessed computer systems where certain individuals' personal information was stored as part of their employment with the city."

It's possible that LockBit used this information to start today's attack. Cybercriminals frequently use stolen data in phishing attacks to get their victims to download malware that is hidden from view from what seems to be a reliable source. 

LockBit's expanding landscape

Russian ransomware gang LockBit has been operating since 2019. LockBit 3.0, also known as LockBit Black, is the most recent version, and it has been very aggressive, attacking over 850 businesses in 2022 alone. For the past 12 months, the gang has targeted US organisations the most frequently.

According to a report last week from the FBI and CISA, the gang's new malware is more modular and evasive than its earlier iterations and is comparable to those employed by the Blackmatter and Blackcat ransomware gangs from Russia. 

Companies are advised to take a number of precautions to protect themselves from LockBit 3.0 by both US government agencies. This includes using password managers that are acknowledged in the industry to save passwords in hashed format" and "needing administrator privileges to install applications.

An Arrested Administrator Shut Down the Notorious Hacking Forum

 


An FBI officer has arrested a former administrator and owner of an infamous hacker forum that exposed data on companies such as HDB Financial Services, Rail Yatri, Acer, WhatsApp, Truecaller India, Hyundai India, Skoda India, etc. 

According to the FBI, a man was arrested last week who is suspected of being "Pumpompurin", the administrator of the infamous and popular BreachForums website. As soon as the cybercrime website's new administrator was informed of the arrest and the arrest of its administrators, he announced plans to close the forum down permanently. 

According to the FBI, a New York man has been arrested on suspicion of being Pompompurin, the owner of the BreachForums hacking forum. Documents filed in court indicate that he is charged with conspiracy to solicit an individual to sell an unauthorized access device. 

A defendant, Connor Brian Fitzpatrick, was allegedly arrested on the charge of fraud and admitted to being Connor Brian Fitzpatrick during his arrest. It was also revealed that the person who owned the Breach Forums cybercrime forum was Pompourin, who is the owner of the forum. 

The suspect, Conon Brian Fitzpatrick, who is known to the public as "Pompompurin" or "Pom" has earned a high-profile status online for several years now. He has been a target of authorities for quite some time. Fitzpatrick claimed responsibility for the November 2021 attack on an FBI server under the pseudonym Pompompurin, before the breachforums.com website was founded in 2022 by him. 

A million fake cybersecurity emails were sent from the FBI's eims@is.fbi.gov address at the time of Fitzpatrick's alleged exploit in 2021 based on the false information they were provided by Fitzpatrick. A series of emails, containing the subject lines “threat actor in systems” and describing the attack as “a sophisticated chain attack” on your virtualized clusters, were sent out claiming that their intelligence monitoring reported the exfiltration of several of your virtualized clusters. 

There was an operation by U.S. and European law enforcement agencies in April 2022 that led to the takedown of RaidForums, one of the most popular regular internet forums for hackers at the time. Having been a regular member of Raid Forums, Fitzpatrick is known to have become the most popular successor site to Raid Forums after it was demolished. 

There are countless hacking stories linked to BreachForums since its creation because it quickly developed into one of the most popular sites for selling stolen data, especially among independent hackers and other groups that are not associated with ransomware gangs or other ransomware threats. 

In the cybercriminal underground, Pompompurin has gained a reputation of a very well-known player involved in a wide range of activities including hacking companies, and selling or leaking stolen data through forums and social media networks. 

The Raid Forum's cybercrime forum was also a well-known forum where he was active. 

It was an initiative of Pompourin to fill the void left by RaidForums' seizure by the FBI in 2022 by founding an independent forum called 'BreachForums.' 

In recent years, it has been one of the largest forums of its kind, used by malicious users of ransomware and hackers to leak stolen information to the public. 

Earlier this week, a threat actor attempted to use BreachForums to sell the personally identifiable information of U.S. politicians that had been breached in a breach in Washington. 

The Washington Health Link is a healthcare provider for U.S. congressmen and women. Members of the House, their staff, and their families will be affected by the legislation. 

Pompompurin has also been involved in various high-profile breaches of high-profile companies over the years, as BreachForums has become a force in cybercrime. 

Several breaches have been reported, including sending bogus cyberattack emails through a vulnerability in the FBI's Law Enforcement Enterprise Portal (LEEP), stealing customer data from Robinhood, and allegedly confirming the email addresses of 5.4 million Twitter users using a bug.

The DEA Portal Hack was Perpetrated by Two Cybercriminals Last Year


During the investigation into the hacking of the DEA portal in 2022, one of the young American men was accused of breaking in and stealing data from the site. The portal breach provided criminals with access to sensitive information because it was connected to 16 data repositories of federal law enforcement organizations.  

In addition to Nicholas Ceraolo, 25, also known as "Convict" or "Ominus," the suspects are Sagar Steven Singh, 19, commonly known as "Weep." According to the Justice Department, Singh and Ceraolo pretended to be police officers to gain access to Bangladeshi police officials' email accounts. 

Ceraolo is also accused of accessing Bangladeshi police officials' emails. As a result, he got his fake identity used to contact various US-based social networking platforms, claiming members were either in danger or committing crimes to get their personal information. 

In a press release issued by the Justice Department, it was noted that Ceraolo and Singh face five years in prison for conspiring to infiltrate computers. Moreover, they could be sentenced to up to 20 years in prison for conspiring to commit wire fraud, which would represent a significant punishment. 

Because the complaint only contains allegations, the defendants will always be considered innocent until proven guilty. “ViLE,” a notorious cybercrime organization, was occupying the apartment, where doxing experts kept gathering and using personal information for intimidation, harassment, or extortion. The group is infamous for providing shelter to doxing experts who specialize in gathering personal information for illegal purposes and collecting personal information from people. Currently, at large, Ceraolo could be sentenced to up to 20 years in prison for wire fraud and computer crimes for which he is facing multiple charges. He faces up to five years in prison if convicted of the charges against him, which he was charged with in Rhode Island this week. 

In this case, Singh was taken into custody due to an error by an official, which allowed authorities to connect him to the incident, wherein the suspect accessed a social media account using the same email address as the login to access the portal. According to reports, an investigator from Homeland Security verified that Singh had utilized the portal through a raid at his home. 

There is a report that the compromised DEA portal granted access to 16 different law enforcement databases which contain sensitive information on Ceraolo, Singh and their cybercriminal group called "ViLE" which they were a part of.  

Singh in one case claimed to have access to a victim's Social Security number, home address, and driver's license information by utilizing data gathered from the hack. In response, the victim complained that he had been scammed. When they refused to comply with Singh's demands, Singh told them if they did not comply he would "harm" their families. 

A Bangladeshi police officer's email account was used by Ceraolo to gain an official account on social media platforms for his social media operations. In this case, personal information was requested about one of its subscribers. A company employee claimed Ceraolo had allegedly received threats from Bangladeshi officials and had accused them of "child extortion" and blackmailing the subscriber. 

Earlier today, United States Attorney Breon Peace announced the charges against Singh and Ceraolo. The prosecutor noted that Singh and Ceraolo belonged to a group called 'Vile' because of their crime or conduct. As alleged in the complaint, the defendants shamed, intimidated, and extorted others online as a form of harassment. To protect citizens,  the  Office said that it will not tolerate those who misappropriate the public safety infrastructure by impersonating law enforcement officers.

Furthermore, Ivan J. Arvelo, a Homeland Security Investigations official, stated: “These charges highlight how serious these offenses are, and criminals who perpetrate these schemes will be held accountable for their crimes,” in response to the allegations of unauthorized access to and impersonation of a US federal law enforcement system.

EV Charging Stations Prone to Cyber Attacks : Indian Govt to Parliament

 

Electric vehicle charging stations, like any other technological application, are vulnerable to cyber attacks and cyber security incidents, Indian Parliament was informed on Thursday. 

Union Minister Nitin Gadkari stated in a written reply to the Lok Sabha that the Indian Computer Emergency Response Team (CERT-In), which is tasked with tracking and monitoring cyber security incidents in India, obtained reports of security flaws in products and applications pertaining to electric vehicle charging stations. 

"The government is fully cognizant and aware of various cyber security threats and is actively taking steps to combat the issue of hacking," Gadkari said. 

According to the information reported to and tracked by CERT-In, the number of cyber security incidents reported in 2018, 2019, 2020, 2021, and 2022 is 2,08,456; 3,94,499; 11,58,208; 14,02,809 and 13,91,457, respectively.

In response to a separate question, the road transport and highways minister stated that Rs 147 lakh was paid out in compensation to victims of hit-and-run accidents during the current fiscal year until February.

The ministry  has announced the 2022 Compensation to Victims of Hit-and-Run Motor Accidents Scheme. It increases compensation for victims of hit-and-run accidents to Rs 50,000 (for serious injury) and Rs 2,00,000 (for death), with a detailed procedure for obtaining this compensation.

In reply to another question, Gadkari stated that the ministry has set a higher target of 12,200 km for National Highway construction in the current fiscal year than in the previous three fiscal years.

"The target of construction of NHs for financial year 2023-24 has not yet been finalized," he added.

The minister stated that 19 projects totaling Rs 21,864 crore have been delayed as a result of  land acquisition.

Lender Latitude Customer Records Were Hacked in a Cyberattack

 


Cyber-attacks on a finance company belonging to Latitude Financial that could have compromised the privacy of more than 300,000 people may have led to the breach of more than 300,000 people's data in New Zealand and Australia. 

With Genoapay, Gem Visa, and GO Mastercard, the company also provides 28° Global credit cards, Infinity Rewards credit cards, and Low Rate credit cards. It also provides personal loans and vehicle loans through Latitude. 

Meanwhile, two Latitude service providers had been compromised and some of their personal information had been stolen. According to an announcement published by the company on the Australian share market, this affected customers across Australia and New Zealand. 

A sophisticated cyberattack has resulted in the theft of more than 100,000 identification documents including customer information. This includes 225,000 records relating to the customers of consumer lender Latitude Financial. 

It was disclosed in a statement to the market on Thursday that the majority of identification documents used by the lender were copies of motorist licenses, which are issued by companies such as JB Hi-Fi and Harvey Norman who offer personal loans and credit to their customers. 

During the last few days, the company detected unusual activity on its systems, which it said led to the investigation. 

Even though Latitude took immediate action, the attacker was able to obtain access to the login credentials of Latitude employees before it was possible to isolate the incident, the company explained. 

It appears that the attacker obtained personal information from two other providers of services by using employee login credentials provided by employees of the third company. 

A series of hacks have occurred on Australian companies over the past few months, including hacks on Optus and Medibank, among others. This is the latest in this series of attacks. 

The all too common case of massive data breaches that exposed the personal details of their customers has led to legal action being taken, or at least being considered, by several law firms against the telcos and health insurers. 

According to a recent study by Professor Alex Frino of the University of Wollongong, many Australian listed companies weren't alerting their shareholders to serious cyber-attacks when they were facing serious cyber-attacks.   

During the ten years covered by the study, 11 of the 36 cyber-attacks that were reported by the media against listed companies remained unreported to the market initially, according to the study released last month. 

Since the mandatory data breach notification scheme was implemented in late 2014, it has received 853 notifications as the scheme has been in place for four years. Many cases are never publicly announced. 

There have been suspensions of Latitude's share trading sessions as the lender attempts to contain the incident as much as possible. 

According to Latitude, the company is taking immediate action to notify the affected customers and apologizes to those customers. 

In response to this attack, Latitude continues to respond and is doing everything it can to contain it and prevent further data theft from taking place, including isolating and blocking access to some of the systems and data that are directly used by customers and internal employees.

A former CEO of Australia Post, Ahmed Fahour leads Latitude. In August, he will be retiring from the company as he will be stepping down at the end of the year. 

As a result of the alleged promotion of no-deposit and interest-free payments for goods in the lender's advertisements, Harvey Norman and the corporate regulator are currently facing a lawsuit from the corporate regulator.

As a result of the ads allegedly failing to disclose that Latitude credit cards were required for purchases and that fees would apply, the Australian Securities and Investment Commission believes them to be misleading. As part of its cooperation with the regulator, Latitude announced in a statement.   

Stay Alert Against Messages Like 'Account Suspended, Update PAN'



Banking fraud has increased in recent years. There has been an increase in digital phishing attacks claimed by HDFC Bank customers as the social media outcry has mounted in recent days. Several HDFC Bank customers reported to the authorities that many of the incidents involved phishing SMSes that they received in February. 

There are indications that they have adopted a revised method of operation to step up their efforts to protect others which may have been the case. To strengthen cybersecurity measures, phishing links masquerade as verification processes as part of their phishing campaign. 

There has been a significant number of customers who have been receiving false text messages in the last few days, which claim that they have been blocked or suspended because they have not updated their Permanent Account Numbers (PAN) because their PAN has not been updated. The message you are receiving is a fake one, so keep an eye out and be aware of it. 

The Public Information Bureau (PIB) has recently issued a warning to the customers of the State Bank of India (SBI) regarding fake messages purporting to be from SBI officials that claim the recipient's YONO account has been disabled as a result of a power cut. 

One of the most common ways scammers use to trick people is through phishing SMS messages, which is one of the methods they use to steal their money in different ways. Cyber fraudsters use phishing bank SMS as a means of scaring people away by telling them their bank account has been suspended by cyber thieves. 

A link is attached to the SMS and it asks the users to click on it to update their KYC or PAN details. The problem arises, however, when someone is tricked into believing that the SMS is legitimate and clicks on the link, and their phone is hacked and money is lost. 

Often more common than you might think is phishing SMS fraud. Most banks have issued an advisory informing customers not to be fooled by them. Earlier this month, HDFC alerted its customers that these types of frauds have been taking place. 

There was a viral HDFC bank SMS sent to some of its users that they received on their mobile phones. Some of their users tagged the bank with the message. There has been an attempt by fraudsters to create a fake HDFC Bank website, giving the false appearance that there is a verification process when it is not. HDFC customers have now received a link with the details of the offer.  

An alert was sent by Manoj Nagpal, the CEO of Outlook Asia Capital, who posted a picture of the infected email to Twitter with a description of what he had seen. The same message has also been received by many other customers as well. It has been recommended by Nagpal that people should refrain from clicking on links that have been sent via email or SMS.  

What Are the Methods Used by Fraudsters?

To use fraudsters to commit fraud. Here is how HDFC bank explains how this happens. 

First step: The fraudsters create bogus emails impersonating bank employees that ask consumers to activate a link in the email that instructs them to verify or update the account information in their accounts as soon as possible. 

Second step: When a customer clicks on the link provided by the email, the victim is taken to a fake site that appears to be the official website of the Bank. There is a web form on this site that allows the customer to enter their personal information so that we can communicate with them. 

If you doubt any SMS request, report any suspicious SMSes, or confirm a bank alert with a bank manager to avoid having your account hacked, make sure to check the sender's identity before acting on it.   

 A two-factor authentication system should be implemented for online banking to keep personal information secure. The OTP and password that you used to access your account must be entered every time you want to access it. Using your fingerprints as a second password is even possible if you have a secure device. The message you receive should not be clicked on and any unidentified links should be deleted.    

Targeting Businesses Globally, the Medusa Ransomware Gang Gains Momentum

 

In 2023, a ransomware operation by the name of Medusa began to gain momentum. It targets corporate targets globally and demands a million-dollar ransom.

Starting in June 2021, the Medusa operation saw just a small number of victims and a low level of activity. However, the ransomware gang ramped up its operations in 2023 and established a "Medusa Blog" that allowed victims who declined to pay a ransom to have their data released. 

Last week, Medusa came under public scrutiny after claiming responsibility for an attack on the Minneapolis Public Schools (MPS) district and sharing a video of the data that was taken. 

Will the genuine Medusa rise up? 

Medusa is the name of several malware families, including the well-known MedusaLocker ransomware operation, an Android malware family, and a Mirai-based botnet with ransomware capabilities.

Owing to the family's popularly used name, there has been some ambiguous information about it, leading many people to believe it is the same as MedusaLocker. Yet, there are significant operational differences between the Medusa and MedusaLocker malware.

The MedusaLocker operation debuted in 2019 as a Ransomware-as-a-Service, with a large number of affiliates, a ransom note typically called How_to_back_files.html, and a wide range of file extensions for encrypted files. 

For negotiation, the MedusaLocker operation uses a Tor website at qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion. 

However, the.MEDUSA static encrypted file extension and the !!!READ_ME_MEDUSA!!!.txt ransom notes have been used by the Medusa ransomware operation since its launch in June 2021. 

Using Windows devices to encrypt data 

Currently, it is unknown if BleepingComputer has a Medusa encryption programme for Linux; they have only been able to analyse the Windows version. The Windows encryptor will accept command-line arguments that let a threat actor control the encryption settings for files on the system. For instance, the ransomware will display a console and display status messages as it encrypts a device if the -v command line argument is used.

The Medusa ransomware terminates over 280 Windows services and processes for programmes that might stop files from being encrypted on a regular basis, without command line parameters. Windows services for database servers, backup servers, and security applications are among them. Then, in order to impede file recovery, the ransomware will erase Windows Shadow Volume Copies. 

Michael Gillespie, a ransomware expert, examined the encryptor as well and revealed to BleepingComputer that it encrypts files using AES-256 + RSA-2048 encryption with the BCrypt library. 

Like the majority of ransomware operations that target businesses, Medusa features a website called "Medusa Blog" that leaks data. The usage of this website is a part of the gang's double-extortion scheme, in which victims who decline to pay a ransom are given access to their data. 

A victim's data is not instantly made public when they are joined to the data leak. As an alternative, the threat actors offer the victims payment choices to delay the release of data, erase the data, or download the entire set of data. The cost of each of these choices varies. 

The ransom is demanded to increase the victim's stress and frighten them into paying a ransom. Regrettably, there are no documented flaws in the Medusa Ransomware encryption that allow victims to recover their files without paying.

Expert Suggested Ban on TikTok for Government-issued Phones in Australia

The Australian government recently decided to stop their employees from using TikTok, which is an app that lets people make and share short videos. The government is worried that the company that owns TikTok has connections to the Chinese government and that the Chinese government could get access to information about TikTok users. 

Following the action, some experts think that it is a good idea to ban TikTok, and they also think other social media apps should be banned too. Furthermore, an increasing number of government agencies in Australia are taking action to prohibit the use of the widely-used ByteDance app. 

This is due to heightened security concerns surrounding the app's connection to China, prompting worries about potential risks and threats to national security. 

“I don’t think it’s as simple as TikTok – bad; American companies – good, I think they’re all bad,” Professor Vanessa Teague, a cybersecurity researcher at the Australian National University reported. 

The Canberra Times newspaper has reported that almost half of the government agencies in Australia have stopped their employees from using TikTok on devices owned by the government. 

Teague mentioned that although Apple and Google offer users more control over what data they share with social media apps, these apps can still gather a significant amount of information on their users.

“It’s all well and good to turn off location permission, but if you then upload a photo or a video that has your GPS coordinates … then you told them where you are, so it’s better but it doesn’t completely solve the problem…,” Teague told. “…I don’t actually think they’re really solving the problem unless they’re solving the problem of Australians’ privacy and security, which would mean strong privacy laws, better education, encouragement of end-to-end encryption, and an end to this nonsense that encryption is only for paedophiles.”

Although many people are mainly worried about TikTok, the Department of Home Affairs is looking at all social media apps to see if they are safe to use or not. The home affairs minister has asked for this review, and the report will be ready in the first three months of this year. 

Flutterwave Hit by Unknow Hackers Lost Millions of Dollars

Flutterwave, Africa's largest startup, suffered a cyberattack resulting in the disappearance of over ₦2.9 billion (~$4.2 million) from its accounts last month. According to the reports, the missing funds were transferred across 28 accounts in 63 transactions in early February by unknown threat actors.
 
Flutterwave is currently investigating the attack with law enforcement agencies to freeze accounts across 27 financial institutions that were involved in the transactions. Following the news about the case, several tweets surfaced regarding the alleged hack, some providing information while others complained about frozen accounts possibly linked to the incident. 

Meanwhile, Flutterwave has denied hacking by saying that “at Flutterwave, we understand that our customer’s personal and financial information is of the utmost importance. We take this responsibility seriously and understand that any potential security breach can cause anxiety and concern among our customers. We want to reassure you that Flutterwave has not been hacked”. 

Following the investigation, a legal request has been made to freeze 107 accounts, including the fifth beneficiary of those accounts, which has been placed on lien/Post-No-Debit (PND) to prevent the account owners from withdrawing any funds. 

These measures have been taken to ensure that the money remains in those accounts until the investigation into the hack is completed and the issue is resolved. The term "fifth beneficiaries" refers to the individuals who received the funds from those 107 accounts. 

“As a financial institution, we monitor transactions through our transaction monitoring systems and 24-hour fraud desk and review any suspicious activity. We collaborate with other financial institutions and law enforcement agencies to keep our ecosystem safe and secure...” 

“…During a routine check of our transaction monitoring system, we identified an unusual trend of transactions on some users’ profiles. Our team immediately launched a review (in line with our standard operating procedure), which revealed that some users who had not activated some of our recommended security settings might have been susceptible", Flutterwave further added to the statement. 

However, as of now, it is unclear how the threat actors were able to carry out the attack, but some people online are suggesting that the hackers might have tricked the merchants into giving away their security keys. This could have given the threat actors access to the money in the merchants' Flutterwave accounts.

Despite the Risk of Ransomware Attacks, Businesses Continue to Pay

 

Most companies in four Asia-Pacific countries have had to protect against phishing and ransomware attacks, with those infected in Australia being the most willing to pay ransomware demands. Australians are also the most likely to be victims of such attacks, with 92% reporting phishing incidents and 90% reporting business email compromise attacks.

 As per Proofpoint's State of the Phish report, another 86% and 80% have had to deal with ransomware and supply chain attacks, respectively. In Singapore, South Korea, Japan, and Australia, 2,000 employees and 200 security professionals were polled. Singaporeans experienced the next highest number of attacks, with 85% dealing with phishing incidents and 78% dealing with ransomware attacks. Another 72% reported business email compromise, with 46% reporting direct financial loss.

However, while Singapore reported the highest number of ransomware infections (68%), their Australian counterparts (58% of whom were infected) were more likely to cave to ransom demands when breached. In Australia, 90% admitted to making a payment at least once, compared to 71% in Singapore and 63% in South Korea. Only 18% of Japanese businesses paid at least one ransom, the lowest overall, while the global average was 64%.

In accordance with the report, Japanese law forbids local businesses from transferring funds to organized crime, which may include cybercrime. According to Proofpoint, 64% of Japanese respondents reported a successful phishing attack, compared to the global average of 84%. According to the security vendor, this could be due to cybercriminals' lack of fluency in the local language, which makes it easier for Japanese employees to identify poorly worded phishing lures.

"Around the world, English is the language most used in phishing attacks, so businesses that don't conduct activities in English may receive some protection," the report noted. However, it highlighted that it might be less culturally acceptable in some countries to acknowledge they suffered a security breach, resulting in under-reporting. 

In South Korea, 48% of the 72% who experienced ransomware attacks became infected. In Australia, 83% of the 96% who had cyber insurance said their insurer paid the ransom in full or in part. In Singapore, 90% of respondents reported having cyber insurance, with 95% reporting that their insurers paid the ransom in full or in part.

In South Korea, 82% had cyber insurance, while 74% and 72%, respectively, said their insurers covered the ransom payment in full or in part. Globally, 76% of organizations were targeted by ransomware, with 64% becoming infected. 82% of insurers stepped up to pay the ransom in full or in part for those who had a cyber insurance policy for ransomware attacks.

"While conventional phishing remains successful, many threat actors have shifted to newer techniques, such as telephone-oriented attack delivery and adversary-in-the-middle (AitM) phishing proxies that bypass multi-factor authentication," said Ryan Kalember, Proofpoint's executive vice president of cybersecurity strategy. "These techniques have been used in targeted attacks for years, but 2022 saw them deployed at scale. We have also seen a marked increase in sophisticated, multi-touch phishing campaigns, engaging in longer conversations across multiple personas. Whether it's a nation state-aligned group or a business email compromise actor, there are plenty of adversaries willing to play the long game."

The security vendor emphasized the significance of employee training and security awareness, especially as phishing attempts become more sophisticated.

"The awareness gaps and lax security behaviours demonstrated by employees create substantial risk for organisations and their data," said Jennifer Cheng, Proofpoint's Asia-Pacific Japan director of cybersecurity strategy. "While email remains the favoured attack method for cybercriminals, we've also seen them become more creative--using techniques much less familiar such as smishing and vishing. Since the human element continues to play a crucial role in safeguarding companies, there is clear value in building a culture of security that spans the entire organisation." 

Air Fryers are Offered by Scammers as a 'Free' Kitchen Gadget

 


The deputy chief executive officer of Sainsbury's and Argos has warned shoppers to be vigilant against an air fryer scam targeting them at the moment. 

Taking part in an online survey is the only way to receive a free Ninja Air Fryer, which is the subject of the air fryer scam. To receive the free item, they will need to enter their credit card details as well as their shipping address. 

There is a convincing scam out there, as reported by secure card payment provider Dojo, in which fraudsters pose as Argos to entice you into making a payment. 

Due to the ongoing cost of living crisis, many people are still keen to buy air fryers, mostly at the cheapest possible price, to get the most bang for their buck. Unfortunately, the scam came at an unfortunate time. You can reduce your energy bills and cooking time by using this handy kitchen gadget.

There is a phishing email going around now that claims to offer a free Ninja Air Fryer, but Dojo is warning people to be wary of it. To qualify for the free item, users must complete an online survey and submit their card payment details along with the survey to receive it. In many ways, this is quite similar to the scam that has been going around with Curry's Smeg kettle in recent weeks, 

A link to the survey is provided on the Argos UK website, which appears to be an official Argos survey page. There are, however, several red flags that consumers should be aware of when it comes to online shopping. It is important to note that the website address and email address are not from Argos or its parent company, Sainsbury's. 

As far as the currency is concerned, it is the dollar. The payment offers will disappear after a certain time, which adds to the pressure on victims by adding another dimension to the scam. It is also intended to encourage anyone who has not completed the survey to fill it out and input their personal information. 

A concept known as a survey scam is a form of communication through email, text messages, and social media that mostly looks legitimate and tries to entice consumers to enter a survey to get free stuff. Usually, once fraudsters gain access to the consumer's credit card details, they will use those details to make lavish online purchases or empty the victim's bank account with the money they stole. 

According to Dojo's chief security officer Naveed Islam, one of the most common warning signs of a scam is to entice consumers with free items that seem too good to be true, thereby enticing them to become victims. As is visible in the Argos scam, these offers are usually time-limited to pressure victims into entering their bank details without any double-checking as to whether the transaction is legitimate, which is what many people do when they are scammed by these offers. 

The recent Currys scam, which has now spread to other retailers like Argos, has made consumers aware that they must remain vigilant about any offers they are presented with via their inboxes or social media accounts. If you are a victim of a scam, you should contact your bank immediately so that your credit card and account be suspended. Once that has taken place, your bank or building society's scam unit will provide you with specialized support.   

Twitter Returns After Two-Hour Outage Affecting Tweets

On Wednesday, Twitter experienced a service disruption that resulted in users being unable to access certain parts of the platform, specifically the "Following" and "For you" feed. These feeds displayed an error message rather than the expected content. 

The problem was widespread and affected users globally. The issue persisted for approximately two hours before being resolved by Twitter's engineering team. 

DownDetector, a website that tracks service outages, reported issues with Twitter at 10:00 GMT, but the problem was resolved by 12:00. In the UK alone, over 5,000 users reported problems to DownDetector within half an hour of the Twitter service outage. 

The root cause of the outage is still unknown, and it is unclear if Twitter's recent 200 staff layoffs on Monday played any role in the incident. Further investigation is needed to identify the underlying cause of the outage and prevent similar incidents from occurring in the future. 

Even though some parts of Twitter, like the feeds, were not working, users could still send tweets as usual. However, no one could see or interact with those tweets. This caused top trending hashtags including "#TwitterDown" and "Welcome To Twitter".

Nevertheless, Twitter has had some temporary problems in the past few months. During a short outage in early February, some users were mistakenly told they had reached the daily limit for sending tweets. 

"It started shortly before the Musk takeover itself. The main spike has happened after the takeover, with four to five incidents in a month - which was comparable to what used to happen in a year,” Alp Toker, director of internet outage tracker NetBlocks, said Twitter has started experiencing more issues under Mr. Musk's tenure as CEO. 

Now we will learn why social media platforms generally suffer service disruptions and sudden outrage:

Social media networks can suffer shutdowns for a variety of reasons, including technical issues, cyber-attacks, policy violations, and government censorship. Technical issues such as server errors or bugs can cause social media networks to crash and become unavailable to users. 

In some cases, these issues can be quickly resolved, and the platform can be restored. However, if the issue is more severe, it may take longer to fix, and the platform may be down for an extended period. 

Cyber attacks such as Distributed Denial of Service (DDoS) attacks can also cause social media networks to go down. These attacks overwhelm a network with traffic, causing it to become unavailable to users. Cyber attackers may launch DDoS attacks for various reasons, such as to disrupt a particular organization or to extort money.

Blind Eagle: Hackers Targets Prominent Industries in Columbia


BlackBerry has recently published a report on a malicious actor, Blind Eagle. It is a cyberespionage campaign based in South America that has been targeting systems in Ecuador, Chile, Spain, and Colombia since the year 2019. 

The most recent threat activities conducted were primarily targeted at organizations in Colombia, involving sectors like “health, finance, law enforcement, immigration, and an agency in charge of peace negotiation in the country.” 

Check Point researchers, who recently examined the Blind Eagle, also known as APT-C-36, noted the adversary and its advanced toolset that includes Meterpreter payloads, distributes through spear-phishing emails. 

How Does APT-C-36 Operate? 

Blind Eagle’s phishing emails lure its victims over the false impression of fear and urgency. The email notifies its recipients that they have "obligaciones pendentes," or "outstanding obligations," with some letters informing them that their tax payments are forty-five days overdue. 

The cleverly-crafted emails are being provided with a link, navigating users to a PDF file that appears to be hosted on DIAN’s website but actually installs malware to the targeted systems, effectively launching the infection cycle. 

The BlackBerry researchers explain it further: 

"The fake DIAN website page contains a button that encourages the victim to download a PDF to view what the site claims to be pending tax invoices," says the BlackBerry researchers. "Clicking the blue button initiates the download of a malicious file from the Discord content delivery network (CDN), which the attackers are abusing in this phishing scam." 

"A malicious [remote access trojan] installed on a victim's machine enables the threat actor to connect to the infected endpoint any time they like, and to perform any operations they desire," they further add. 

The researchers also noted that the threat actors utilize dynamic DNS services such as DuckDNS in order to take control of the compromised hosts. 

Blind Eagle’s Operators are Supposedly Spanish 

Owing to the use of Spanish in its spear-phishing emails, Blind Eagle is believed to be a group of Spanish-speaking hackers. However, the headquarters from where the attacks are conducted and whether the attacks are carried out for espionage or financial gain are both currently undetermined. 

"The modus operandi used has mostly stayed the same as the group's previous efforts – it is very simple, which may mean that this group is comfortable with its way of launching campaigns via phishing emails, and feels confident in using them because they continue to work," BlackBerry said.  

Dish Network Blames Ransomware for Ongoing Outage

Dish, a satellite television provider in the United States, has confirmed that a ransomware attack is responsible for an ongoing service outage. The company also warned that the malicious actors have also exfiltrated data from its systems during the breach. 

The outage, which has persisted for several days and was initially attributed to "internal systems issues," affects Dish's primary website, mobile applications, customer support systems, as well as the firm's Sling TV streaming and wireless services. 

The threat actors behind the breach compromised the company’s internal systems. “It is possible the investigation will reveal that the extracted data includes personal information,” Dish says. 

In a public filing released on Tuesday, the company acknowledged that the cause of the outage was a cybersecurity incident. The company has informed law enforcement authorities about the situation. 

However, as of now, the company reported that the effects of the attack continue to disrupt its “internal communications, customer call centers, and internet sites.” 

Additionally, the company has provided some details on how they are managing the situation. They are working to manage and contain the effects of the attack, assess the extent of the damage, and address any issues caused by the attack.

The company is also worried about the attack's potential impact on its employees, customers, business, financials, and operations. Following the matter, the company further reported that the threat actors have stolen some data from their computer systems, which could include personal credentials. 

Presently, it remains uncertain whether this data belongs to Dish's customers, employees, or both, and the extent of the data theft is also unknown. Dish has a big network, it serves 10 million customers through its satellite TV, streaming, and other services. 

The company on its website reported that “as a result of this incident, many of our customers are having trouble reaching our service desks, accessing their accounts, and making payments we’re making progress on the customer service front every day, including ramping up our call capacity, but it will take a little time before things are fully restored." 

The company stated that they are still evaluating the damage caused by the cyber-attack. However, their services, including Dish, Sling, and wireless and data networks, are running without issues.

U.S Marshals Service Suffers Data Breach, Hackers Steal Personal Data



The U.S. Marshals Service, one the oldest law enforcement agencies in the US, was hit by a major breach in which threat actors stole sensitive data. The attack highlights the rising problems of cyber attacks on government agencies and the necessity for robust cybersecurity actions.

Hackers steal sensitive data

The incident happened when threat actors got into the U.S. Marshals Service's internal systems, which stored confidential data on federal fugitives, as well as details of people involved in witness protection programs. The cybercriminals were able to get these details by abusing a flaw in the federal agency’s systems.

"The affected system contains law enforcement sensitive information, including returns from legal process, administrative information and personally identifiable information pertaining to subjects of USMS investigations, third parties and certain USMS employees," said Drew Wade, the chief of the Marshals’ public affairs office, to Reuters

About U.S. Marshals Service

The U.S. Marshals Service is an important law enforcement agency that plays a crucial role in hunting down criminals and making sure the protection of witnesses. The agency's capability to carry out these functions depends greatly on the functioning of its internal computer systems. The attack has impacted the U.S. Marshals Service's ability to do its operations.

Besides the potential damage to the agency, the cyber attack has also risked the security of victims whose data was stolen. The compromised data in the federal agency's computer system includes important personal data, like home addresses and social security numbers. Threat actors can misuse the stolen to perpetrate identity theft or other types of scams.

The rising threat of cyberattacks on government agencies

To prevent future breaches, the U.S. Marshals Service must take steps to strengthen its cybersecurity measures. This includes implementing stronger access controls, conducting regular security assessments, and providing ongoing training to staff on how to detect and respond to cyber threats.

The attack also raises questions about the urgent need for implementing strong cybersecurity measures throughout all levels of government. With the increase in numbers and the threat of cyber-attacks, it is important that government agencies prioritize cybersecurity and take preventive measures to safeguard their sensitive data.

The U.S. Marshals Service breach is a grave warning of the growing threat of cyber attacks on government and federal agencies. It is a sign that threat actors are becoming more sophisticated as each day passes. Therefore cybersecurity experts should be vigilant in finding and responding to cyber threats. If we follow these steps, it can help government agencies to perform their duties and protect the personal data of the individuals they serve.



GoDaddy, a Web Hosting Provider Hit Multiple Times by the Same Group

 

This month, GoDaddy, a leading web hosting provider, revealed that it had experienced a major security breach over several years, resulting in the theft of company source code, customer and employee login credentials, and the introduction of malware onto customer websites. 

It means that the hackers were able to access and modify certain websites hosted by GoDaddy, in a way that allowed them to install malicious software (malware) onto these websites. This malware could then potentially harm visitors to these sites by stealing their personal information, infecting their devices, or performing other malicious actions. 

While much of the media attention has focused on the fact that GoDaddy was targeted by the same group of hackers in three separate attacks. The threat actors typically employ social engineering tactics such as calling employees and luring them to a phishing website. 

While reporting the matter to the U.S. Securities and Exchange Commission (SEC) the company said that the same group of hackers was responsible for three separate security breaches, including: 

In March 2020, a phishing attack on an employee resulted in compromised login credentials for around 28,000 GoDaddy customers and a few employees. 

In November 2021, attackers stole source code and information related to 1.2 million customers by using a compromised GoDaddy password, including website administrator passwords, sFTP credentials, and private SSL keys. 

In December 2022, hackers accessed GoDaddy's cPanel hosting servers and installed malware that redirected some customer websites to malicious sites intermittently. 

We don't have much information about the cause of the November 2021 incident, except that GoDaddy has said it involved a compromised password and took two months to discover. For the December 2022 malware breach, GoDaddy has not disclosed how it occurred. 

However, we do know that the March 2020 attack was initiated through a spear-phishing attack on a GoDaddy employee. While GoDaddy had initially described the incident as a social engineering attack, one of their affected customers actually spoke directly to one of the hackers involved. 

GoDaddy is a company with around 7,000 employees and an additional 3,000 workers through outsourcing firms in India, the Philippines, and Colombia. 

When employees log in to company resources online, many companies require them to use a one-time password along with their regular username and password. This password can be sent via SMS or generated by an app. But this type of security measure can be easily bypassed by phishing attacks that ask for a one-time password along with the regular password. 

However, using physical security keys is a multi-factor option that is resistant to advanced phishing scams. These keys are inexpensive USB devices that implement Universal 2nd Factor (U2F) multi-factor authentication. 

Physical security keys are small devices that can help protect your online accounts from being hacked. When you log in to your account, you have to insert the key and press a button on it to complete the login process. This makes it hard for hackers to steal your password or trick you into giving it away. Even if you accidentally go to a fake website, the security key won't work and your account will stay safe.

Here is How Toronto-area Police Force Helped Take Down a Russian-linked Hacking Group


The Toronto police force has recently been explanatory on how it ended up getting involved with the international attempt on legally hack Hive, one of most ruthless ransomware groups in the world. 

The contributions made by the Peel Regional Police are one of the reasons why Canadian flag is among the icons displayed on what was the dark website for the Russian-linked ransomware group Hive, along with the logos of the U.S. Department of Justice, the FBI, and a variety of police forces around the globe. 

According to Detective Const. Karim Hussain in an interview with CTV News Toronto, Peel's detectives got engaged early when a local firm contacted them in 2021 claiming that their systems were down and a text message on their desktops revealed a ransom note. 

“We had one of the first cases in Canada of Hive ransomware[…]It was the first to market. At the time we started gathering evidence, Hive was a fairly new ransomware group. Everything we brought to the table was interesting because no one had seen it before,” he says. 

The attributes of the Hive case were similar to numerous other high-profile incidents, like a hospital in Louisiana where threat actors had accessed data of around 270,000 patients, and a Ohio hospital that was attacked and made them incapable of accepting new patients even during the massive surge of COVID-19. 

Those were only a few of the more than 1,500 attacks throughout the globe that had the digital traces of Hive, an organization whose associates, according to authorities, have made $150 million since 2021 as they demand money from companies in exchange for access to their data or system. 

The attacks are carried out via a "ransomware as a service" (RaaS) model, in which a small group of individuals create malicious software and then distribute it to numerous users, allowing them to quickly scale up their attacks before the security flaws they exploit are addressed. 

“You have an overarching group that provides everything down to the infrastructure, to lesser-capable cyber criminals, and they provide them the tools to conduct the hack,” Hussain said. 

The case brought the RCMP, the FBI, the police from France, Germany, Norway, and Lithuania together with Peel Police and other agencies dealing with Hive's impact. 

In retaliation, the group took over Hive's website earlier this year and replaced it with a landing page with the logos of numerous investigative agencies. “Simply put, using lawful means, we hacked the hackers,” said U.S. Deputy Attorney General Lisa Monaco in a press conference in January. 

Adding to this, she says that the police had found and then openly disseminated decryptor keys that may aid anyone who had been assaulted in independently recovering their data or liberating their systems. 

According to Christopher Wray, director of the FBI, these actions have prevented around $130 million in ransom from being paid. “This cut off the gas that is fueling Hive’s fire,” Wray said. 

According to Hussain, the inquiry is still ongoing as the prevalence of ransomware grows. Ransomware assaults made up 11% of all cyber security incidents in 2021, according to Statistics Canada. 

“There’s no end in sight to cybercrime right now,” Hussain said.