
New Intel CPU Vulnerability 'Indirector' Found

Researchers from the University of California, San Diego, have discovered a new vulnerability in modern Intel processors, specifically the Raptor Lake and Alder Lake generations. This vulnerability, named 'Indirector,' can be used to steal sensitive information from the CPU. 

The problem lies in two components of the CPU: the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB). These components help the CPU make quick decisions, but they have flaws that attackers can exploit. The researchers identified three main techniques used in Indirector attacks: 

1. iBranch Locator: A tool that helps attackers find specific parts of the CPU's decision-making process by identifying the indices and tags of victim branches. 

2. IBP/BTB Injections: Tricks to manipulate the CPU's predictions, causing it to run unauthorized code through targeted injections. 

3. ASLR Bypass: A method to break security measures that protect the memory layout, making it easier to predict and control the CPU. 

By using these techniques, attackers can trick the CPU into running their own code and accessing sensitive data like passwords or encryption keys. This is accomplished by combining the speculative execution achieved through targeted injections with cache side-channel techniques, such as measuring access times, to infer the accessed data. 

To protect against Indirector attacks, the researchers suggest two main defenses: 

1. Use IBPB More: The Indirect Branch Predictor Barrier (IBPB) can prevent certain types of speculative execution, but it can slow down the CPU by up to 50%. 

2. Improve CPU Design: Making the CPU's prediction systems more complex and secure by adding encryption and randomization, which could involve incorporating more complex tags. 

Intel was informed about the Indirector vulnerability in February 2024 and has shared the information with other affected companies. Intel reviewed the findings and believes that existing protections, such as IBRS, eIBRS, and BHI, are effective against this new attack, so no new mitigations or guidance are required. 
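A defender's first question after reading Intel's statement is whether the host actually reports those protections. The following script is an added example, not code from the researchers or from Intel: it parses the Linux kernel's Spectre v2 mitigation report (the `spectre_v2` file under `/sys/devices/system/cpu/vulnerabilities/`) and checks for the three protections named in this article: eIBRS, IBPB (in either "conditional" or "always-on" mode) and a BHI mitigation. The sample status line is constructed to match the kernel's report format and is used only when the sysfs file is not readable.

```shell
#!/bin/sh
# Added example (not from the article): read the kernel's Spectre v2 report and
# say whether the protections Intel cites for Indirector are reported as active.

SPECTRE_V2_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# Constructed sample in the kernel's report format (newer kernels separate
# fields with ';', older ones with ','); used when the sysfs file is absent.
SAMPLE_STATUS='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence; BHI: BHI_DIS_S'

# spectre_v2_status: print the report line from sysfs, or the sample otherwise.
spectre_v2_status() {
    if [ -r "$SPECTRE_V2_FILE" ]; then
        cat "$SPECTRE_V2_FILE"
    else
        printf '%s\n' "$SAMPLE_STATUS"
    fi
}

# field_value STATUS NAME: print the value of "NAME: value" inside STATUS
# (e.g. "conditional" for IBPB), or nothing if the field is absent.
field_value() {
    printf '%s\n' "$1" | tr ',;' '\n\n' \
        | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# has_eibrs STATUS: succeed when the primary mitigation is enhanced/automatic IBRS.
has_eibrs() {
    case "$1" in
        *"Enhanced IBRS"*|*"Enhanced / Automatic IBRS"*) return 0 ;;
        *) return 1 ;;
    esac
}

# has_ibpb STATUS: succeed when IBPB is enabled in any mode; "disabled" or a
# missing field fails. The researchers recommend using IBPB more widely.
has_ibpb() {
    case "$(field_value "$1" IBPB)" in
        conditional|always-on) return 0 ;;
        *) return 1 ;;
    esac
}

# has_bhi_mitigation STATUS: succeed when a BHI field is present and is not
# "Vulnerable". Kernels that predate the BHI field print nothing, which fails.
has_bhi_mitigation() {
    bhi=$(field_value "$1" BHI)
    [ -n "$bhi" ] && [ "$bhi" != "Vulnerable" ]
}

# indirector_verdict STATUS: print "ok" when all three protections are
# reported, "review" when any of them is missing.
indirector_verdict() {
    verdict=ok
    for check in has_eibrs has_ibpb has_bhi_mitigation; do
        "$check" "$1" || verdict=review
    done
    echo "$verdict"
}

# indirector_report STATUS: one line per protection, then the verdict.
indirector_report() {
    for check in has_eibrs has_ibpb has_bhi_mitigation; do
        if "$check" "$1"; then
            echo "$check: present"
        else
            echo "$check: missing"
        fi
    done
    echo "verdict: $(indirector_verdict "$1")"
}

# Report for this host (or for the constructed sample when sysfs is unavailable).
indirector_report "$(spectre_v2_status)"
```

A "review" verdict does not by itself mean the host is exposed; it means the kernel does not report one of the named protections and the microcode and kernel versions deserve a closer look.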

The researchers will present their full findings at the USENIX Security Symposium in August 2024. They have also published more detailed information, proof-of-concept code, and tools related to Indirector on GitHub for further study and understanding. 

These publications provide a deeper dive into the attack methodologies, potential data leak mechanisms, and suggested mitigations. Modern CPUs from Intel are vital for many applications, and discovering such vulnerabilities highlights the importance of continually improving hardware security. 

By addressing these flaws and implementing the recommended defenses, the security of these processors can be significantly enhanced, protecting users from potential data leaks and other malicious activities.

Brain Cipher Ransomware Targets Indonesia's National Data Center in Major Cyberattack

A new ransomware operation known as Brain Cipher has emerged, targeting organizations worldwide. This operation recently gained media attention due to an attack on Indonesia's temporary National Data Center.

Indonesia is developing National Data Centers to securely store servers used by the government for online services and data hosting. On June 20th, one of these temporary centers was attacked, leading to the encryption of government servers. This disruption affected immigration services, passport control, event permit issuance, and other online services.

The Indonesian government confirmed that Brain Cipher, a new ransomware operation, was responsible for the attack, impacting over 200 government agencies. The attackers demanded $8 million in Monero cryptocurrency for a decryptor and to prevent the leak of allegedly stolen data.

BleepingComputer has learned from negotiation chats that the threat actors claimed they would issue a "press release" about the "quality of personal data protection" in the attack, implying that data was stolen.

Brain Cipher is a new ransomware operation that began earlier this month and has been conducting attacks on organizations worldwide. Initially, the ransomware gang did not have a data leak site, but their latest ransom notes now include links to one, indicating their use of double-extortion tactics. BleepingComputer has found numerous samples of Brain Cipher ransomware on various malware-sharing sites over the past two weeks.

These samples [1, 2, 3] were created using the leaked LockBit 3.0 builder, which has been widely used by other threat actors to launch their own ransomware operations. However, Brain Cipher has made minor modifications to the encryptor.

One change is that it not only appends an extension to encrypted files but also encrypts the file names. The encryptor also creates ransom notes named in the format of [extension].README.txt, which briefly describe the attack, make threats, and provide links to the Tor negotiation and data leak sites. In one instance seen by BleepingComputer, the ransom note deviated from the template and was named 'How To Restore Your Files.txt.'

Each victim receives a unique encryption ID to enter into the threat actor's Tor negotiation site. Similar to other recent ransomware operations, the negotiation site is straightforward, featuring a chat system for communication with the ransomware gang.

Brain Cipher has also launched a new data leak site, although it currently does not list any victims. In negotiations observed by BleepingComputer, the ransomware gang has demanded ransoms ranging from $20,000 to $8 million.

The encryptor, based on the leaked LockBit 3 encryptor, has been thoroughly analyzed. Unless Brain Cipher has modified the encryption algorithm, there are no known methods to recover files for free.

Cyberattack by BlackSuit Targets Kadokawa and CDK Global

In early June, Kadokawa's video-sharing platform Niconico experienced a server outage, which has now been claimed by the Russia-linked hacker group BlackSuit. This group, a rebrand of the Royal ransomware operation and linked to the defunct Conti cybercrime syndicate, has issued a threat on the dark web to release 1.5 terabytes of sensitive data, including signed documents, contracts, legal statements, and emails, unless a ransom is paid by July 1, 2024. 

Details of the Attack on Kadokawa: 

Kadokawa first acknowledged the cyberattack in early June, which disrupted multiple websites and services. Despite efforts by Kadokawa's IT department, BlackSuit reportedly managed to steal 1.5 terabytes of sensitive data, including business plans, user data, contracts, and financial records. The hackers exploited vulnerabilities in Kadokawa’s network, gaining access to a control center that allowed them to encrypt the entire network, affecting subsidiaries like Dwango and NicoNico. Kadokawa has assured customers that no credit card information was compromised, as it was not stored on their system. 

The company is prioritizing the restoration of accounting functions and normalizing manufacturing and distribution in its publication business, with expected results by early July. Although the production of new publications remains steady, the shipment of existing publications is currently at one-third of normal levels. Kadokawa is implementing alternative arrangements, including increasing human resources, to mitigate the impact. 

In the Web Services business, all Niconico family services are still suspended, but provisional services like Niconico Video (Re: tmp) and Niconico Live Streaming (Re: tmp) have been provided. Existing services such as Niconico Manga smartphone version and NicoFT have resumed. The Merchandise business has seen limited impact, with shipping functions operating normally. However, the failure of Kadokawa’s account authentication function has prevented users from logging into certain online shops. Temporary pages have been created for affected users, and Kadokawa will keep providing updates regarding this issue. 

Impact on CDK Global: 

BlackSuit is also believed to be behind ongoing outages at CDK Global, a software provider for approximately 15,000 North American car dealerships. Several major U.S. auto dealers, including AutoNation, Group 1 Automotive, Penske Automotive Group, Sonic Automotive, and Lithia Motors, have reported disruptions in their services due to the cyberattack. As a result, many dealerships have had to revert to pen and paper for managing auto repairs, closing new car sales, and conducting other business. 

CDK attempted to restore its systems but was hit with a second cyberattack, causing them to shut down all systems again. The company has yet to acknowledge that the attack is a result of ransomware, but an incident like this could take weeks to recover from. Even after operations return to normal, CDK will have to investigate what data was stolen, how the attack happened, and the impact on its customers. 

Allan Liska, a ransomware analyst at Recorded Future, mentioned that the CDK attack has been attributed to BlackSuit in hacker forums and private chat channels. Malicious cybercriminal gangs are known to boast about their schemes on these platforms. While CDK is not yet listed on BlackSuit's dark web site, indicating ongoing negotiations, Bloomberg reported that the hackers are asking for a ransom in the tens of millions of dollars.

TeamViewer's Corporate Network Compromised in Suspected APT Hack

TeamViewer, a remote access software company, has announced that its corporate environment was compromised in a cyberattack. According to the company, the breach was detected on Wednesday, June 26, 2024, and is believed to have been carried out by an advanced persistent threat (APT) hacking group.

"On Wednesday, June 26, 2024, our security team detected an irregularity in TeamViewer’s internal corporate IT environment," TeamViewer stated in a post on its Trust Center. "We immediately activated our response team and procedures, started investigations together with a team of globally renowned cybersecurity experts, and implemented necessary remediation measures."

TeamViewer assured that its internal corporate IT environment is entirely separate from its product environment. They emphasized that there is no evidence suggesting that the product environment or customer data has been affected. The company continues to investigate and is focused on maintaining the integrity of its systems.

Despite their commitment to transparency, the "TeamViewer IT security update" page includes a <meta name="robots" content="noindex"> HTML tag, preventing search engines from indexing the document and making it harder to find.

TeamViewer is widely used for remote access, allowing users to control computers remotely as if they were physically present. The software is currently used by over 640,000 customers worldwide and has been installed on over 2.5 billion devices since its launch.

While TeamViewer has stated there is no evidence of a breach in its product environment or customer data, the extensive use of their software in both consumer and corporate settings makes any breach a significant concern, potentially granting full access to internal networks.

In 2019, TeamViewer confirmed a 2016 breach linked to Chinese threat actors through the Winnti backdoor. At the time, the company did not disclose the breach as no data was stolen.

News of the latest breach was first reported on Mastodon by IT security professional Jeffrey, who shared parts of an alert from the Dutch Digital Trust Center. This web portal is used by the government, security experts, and Dutch corporations to share information about cybersecurity threats.

"The NCC Group Global Threat Intelligence team has been made aware of significant compromise of the TeamViewer remote access and support platform by an APT group," warned an alert from cybersecurity firm NCC Group. "Due to the widespread usage of this software, the following alert is being circulated securely to our customers."

Another alert from Health-ISAC, a community for healthcare professionals to share threat intelligence, warned that TeamViewer services were allegedly being targeted by the Russian hacking group APT29, also known as Cozy Bear, NOBELIUM, and Midnight Blizzard.

"On June 27, 2024, Health-ISAC received information from a trusted intelligence partner that APT29 is actively exploiting TeamViewer," reads the Health-ISAC alert shared by Jeffrey. "Health-ISAC recommends reviewing logs for any unusual remote desktop traffic. Threat actors have been observed leveraging remote access tools. TeamViewer has been observed being exploited by threat actors associated with APT29."

APT29 is a Russian advanced persistent threat group linked to Russia's Foreign Intelligence Service (SVR). The group is known for its cyberespionage capabilities and has been involved in numerous attacks, including breaches of Western diplomats and a recent compromise of Microsoft's corporate email environment.

Although TeamViewer disclosed the incident at the same time as the alerts from NCC Group and Health-ISAC, it is unclear if they are directly related. TeamViewer's and NCC's alerts address the corporate breach, while the Health-ISAC alert focuses on targeting TeamViewer connections.

BleepingComputer reached out to TeamViewer for comments on the attack but was informed that no further information would be provided during the ongoing investigation. NCC Group also told BleepingComputer that they had nothing further to add beyond the alert issued to their clients.

On June 28, 2024, TeamViewer informed BleepingComputer that they had removed the noindex tag from their Trust Center, and the page should soon be indexed by search engines.

The Growing Threat of Data Breaches to Australian Businesses

Data breaches are now a significant threat to Australian businesses, posing the risk of "irreversible brand damage." A cybersecurity expert from Fortinet, a global leader in the field, has raised alarms about cybercriminals increasingly targeting the nation’s critical infrastructure. Cybercriminals are continually finding new ways to infiltrate Australia’s infrastructure, making businesses highly vulnerable to attacks. 

The Australian federal government has identified 11 critical sectors under the Security of Critical Infrastructure Act, which was amended in 2018 to enforce stricter regulations. Businesses in these sectors are required to complete annual reporting to notify the federal government of any attempts to access their networks. Michael Murphy, Fortinet’s Head of Operational Technology and Critical Infrastructure, recently discussed the severity of cyber threats on Sky News Business Weekend. During the 2022-2023 financial year, 188 cybersecurity incidents were reported across critical sectors, highlighting ongoing risks to national networks like water and energy supplies. 

Additionally, the Australian Bureau of Statistics found that 34 percent of businesses experienced resource losses managing cybersecurity attacks in the 2021-2022 financial year, and 22 percent of Australian businesses faced a cybersecurity attack during that period—more than double the previous year’s figure. Even small businesses are now vulnerable to cybercrime. Murphy pointed out that among entities with mandatory reporting, 188 incidents were reported, with 142 incidents reported by entities outside of critical infrastructure, demonstrating the widespread nature of the threat. He explained that hackers are motivated by various factors beyond financial gain, including the desire for control. 

The consequences of cyber attacks can be severe, disrupting systems and causing significant downtime, which leads to revenue loss and irreversible brand damage. Critical infrastructure sectors face unique challenges compared to the IT enterprise. Quick restoration of systems is often not an option, and recovery can take considerable time. This extended downtime not only affects revenue but also damages the reputation and trustworthiness of the affected organizations. Murphy noted that many incidents are driven by motives such as financial profiteering, socio-political influence, or simply the desire of hackers and syndicates to boost their credibility. 

As cyber threats evolve, it is crucial for businesses, especially those in critical infrastructure sectors, to strengthen their cybersecurity measures. While annual reporting and adherence to federal regulations are essential, proactive strategies and advanced security technologies are necessary to mitigate risks effectively.

First American Reveals Impact of December Cyberattack

The cyberattack that disrupted First American Financial's systems in late December impacted 44,000 individuals, according to regulatory filings on Friday.

In an 8-K disclosure to the Securities and Exchange Commission (SEC), the title insurance company stated that its investigation of the incident is complete, though it provided few additional details.

"Based on our investigation, the Company has determined that personal information of approximately 44,000 individuals may have been accessed without authorization due to the incident," First American reported. "The Company will notify potentially affected individuals and offer them credit monitoring and identity protection services at no cost."

HousingWire initially reported on December 21, 2023, that the company had been hacked. First American took about a week to restore its systems and contain the threat.

The breach significantly affected the company's fourth-quarter operations, leading to a 15% revenue drop compared to the same period in 2022.

The attack occurred less than a month after First American was fined $1 million by the New York Department of Financial Services (DFS) to settle a cybersecurity violation.

First American was the second major title insurance company hit by a cybersecurity incident within a month. In late November, Fidelity National Financial experienced a ransomware attack that took its systems offline for a few days, with the ransomware group AlphV/BlackCat claiming responsibility.

Mortgage lenders and servicers Mr. Cooper and loanDepot also faced significant cyberattacks that resulted in substantial financial losses.

Cyberattackers Employ Elusive "CR4T" Backdoor to Target Middle Eastern Governments

A recent revelation by Russian cybersecurity firm Kaspersky sheds light on a covert cyber campaign dubbed DuneQuixote, which has been clandestinely targeting government bodies in the Middle East. This campaign involves the deployment of a newly identified backdoor called CR4T.

Kaspersky's investigation, initiated in February 2024, suggests that the operation might have been underway for at least a year prior. The perpetrators have taken sophisticated measures to evade detection, employing intricate methods to shield their implants from scrutiny and analysis.

The attack commences with a dropper, available in two versions: a standard executable or a DLL file, and a manipulated installer for a legitimate software tool called Total Commander. Regardless of the variant, the dropper's main task is to extract a concealed command-and-control (C2) address, utilizing a unique decryption technique to obfuscate the server's location and thwart automated malware analysis tools.

The decryption process involves combining the dropper's filename with snippets of Spanish poetry embedded in its code, followed by calculating an MD5 hash to decode the C2 server address. Upon successful decryption, the dropper establishes connections with the C2 server and fetches a subsequent payload, employing a hardcoded ID as the User-Agent string in HTTP requests.

Kaspersky notes that the payload remains inaccessible unless the correct user agent is provided, indicating a deliberate effort to restrict access. Additionally, the payload may only be downloaded once per victim or for a limited time following the malware's release.

Meanwhile, the trojanized Total Commander installer exhibits some variations while retaining the core functionality of the original dropper. It omits the Spanish poem strings and incorporates additional anti-analysis checks to detect debugging or monitoring tools, monitor cursor activity, check system RAM and disk capacity, among other measures.

CR4T, the central component of the campaign, is a memory-only implant written in C/C++, facilitating command-line execution, file operations, and data transfers between the infected system and the C2 server. Kaspersky also identified a Golang version of CR4T with similar capabilities, including executing arbitrary commands and creating scheduled tasks using the Go-ole library. The Golang variant employs COM objects hijacking for persistence and utilizes the Telegram API for C2 communication, indicating a cross-platform approach by the threat actors.

The presence of the Golang variant underscores the threat actors' ongoing efforts to refine their techniques and develop more resilient malware. Kaspersky emphasizes that the DuneQuixote campaign poses a significant threat to entities in the Middle East, showcasing advanced evasion tactics and persistence mechanisms through the use of memory-only implants and disguised droppers masquerading as legitimate software.

Ontario Hospitals Dispatch 326,000 Letters to Patients Affected by Cyberattack Data Breach

Five hospitals in Ontario, which fell victim to a ransomware attack last autumn, are initiating a mass notification effort to inform over 326,000 patients whose personal data was compromised.

The cyber breach on October 23 targeted Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, and Windsor Regional Hospital.

While electronic medical records at all affected hospitals, except Bluewater Health, remained unscathed, personal health information stored within their systems was unlawfully accessed. Subsequently, some of this pilfered data surfaced on the dark web.

A collective statement released by the hospitals highlights that approximately 326,800 patients were impacted, though this figure might include duplications for individuals seeking medical care at multiple sites.

The hospitals have undertaken a meticulous data analysis process spanning several months to ensure comprehensive notification of affected patients. For those whose social insurance numbers were compromised, arrangements for credit monitoring will also be provided.

The hospitals confirm that their notification strategy was devised in consultation with Ontario’s Information and Privacy Commissioner. Expressing regret for the disruption caused by the cyber incident, the hospitals extend their apologies to patients, communities, and healthcare professionals affected.

Apart from the hospitals, TransForm, a non-profit organization overseeing the hospitals’ IT infrastructure, was also affected by the ransomware attack. Despite the disruption to hospital operations and data breach affecting certain patient and staff information, the group opted not to meet ransom demands, based on expert advice.

NIA Investigates Cyberattack on Aerospace Research Firm

The National Investigation Agency (NIA) is examining a ransomware attack on the National Aerospace Laboratories (NAL), India's leading aerospace research institution, which occurred on November 15 last year. Suspecting a cyberterrorist attack, the NIA has initiated an investigation into the incident. People familiar with the matter, speaking on the condition of anonymity, disclosed that the federal anti-terror agency has filed a case regarding the ransomware attack, believed to have been orchestrated by the notorious cybercrime group LockBit.

NAL Bengaluru, an affiliate of the government’s Council of Scientific and Industrial Research, stands as the sole government aerospace R&D laboratory in India's civilian sector. It fell victim to a ransomware attack on November 15, with LockBit threatening to expose stolen data, including classified documents, unless an unspecified ransom was paid. "We have registered a case to investigate the ransomware attack at the NAL from the cyberterrorism angle," stated an NIA officer.

The NIA operates a specialized anti-cyberterrorism unit tasked with investigating cyber attacks perpetrated by state or non-state actors targeting government and private entities in India. In the past, it has collaborated with other agencies, including CERT-In, during the ransomware attack at the All India Institute of Medical Sciences in November 2022. Tarun Wig, an information security expert and co-founder of Innefu Labs, described LockBit as "one of the most prolific cybercriminal groups," noting that ransomware attacks, typically driven by financial motives, frequently target Indian establishments.

LockBit, recognized as one of the world's most active ransomware-as-a-service operations, engages in data theft, encryption, extortion, and data leakage. Initially known as ABCD when it surfaced in 2019, LockBit has targeted thousands of businesses, schools, medical facilities, and government entities worldwide. Following a multinational law enforcement operation led by British authorities and involving agencies from 10 countries, including the US, France, Germany, and Japan, the UK's National Crime Agency announced last month that it had disrupted LockBit's services, compromising their criminal operations.

Graeme Biggar, director-general of the British agency, stated, "Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems." This action has effectively crippled LockBit's capabilities and credibility, according to Biggar, who labeled LockBit as the world's most harmful cybercrime group. Additionally, the US Department of Justice revealed that it had partnered with the Federal Bureau of Investigation to disrupt LockBit's activities, highlighting its extensive ransom demands and the significant ransom payments it has received.

Encina Wastewater Authority Reportedly Targeted by BlackByte Ransomware

Carlsbad, California – Encina Wastewater Authority (EWA) has become the latest target of the notorious BlackByte ransomware group. The group, known for its aggressive tactics, has hinted at a cyberattack on EWA's platform, suggesting the potential sale of sensitive company documents obtained during the intrusion.

Despite BlackByte's claims, EWA's website, http://encinajpa.com, remains operational without immediate signs of intrusion. However, cybersecurity experts speculate that the threat actor may have infiltrated the organization's backend systems or databases rather than launching a visible front-end attack like a distributed denial-of-service (DDoS) assault.

Encina Wastewater Authority serves over 379,000 residents and businesses across North San Diego County, playing a crucial role in wastewater treatment, resource recovery, and environmental protection for public health and regional water sustainability.

The Cyber Express has reached out to Encina Wastewater Authority for clarification on the alleged cyberattack. As of writing, no official statement or response has been issued by the organization, leaving the claims unconfirmed. The BlackByte ransomware group has also shared sample documents, indicating the attack and offering their sale or removal via email.

BlackByte has been a concern for cybersecurity agencies since its emergence in July 2021, targeting critical infrastructure and gaining attention from the Federal Bureau of Investigation (FBI) and the US Secret Service (USS). Despite mitigation efforts, such as the release of a decrypter by Trustwave in October 2021, BlackByte continues to evolve its tactics and persists in targeting organizations worldwide through a ransomware-as-a-service (RaaS) model.

The situation regarding the alleged cyberattack on Encina Wastewater Authority will be closely monitored by The Cyber Express, and updates will be provided as more information becomes available or any official statement from the organization is issued.

Ransomware Group Stormous Takes Responsibility for Cyberattack on Belgian Brewery

Stormous, a ransomware group, has admitted to orchestrating the cyber assault on Duvel Moortgat Brewery last Wednesday. Fortunately for beer enthusiasts, the brewery has ample stock to withstand the disruption.

The ransom group announced their involvement via the dark web on March 7th, a day following the attack, listing Duvel as their latest target. Despite this, there is no indication that the Belgian brewery intends to comply with any ransom demands, the specifics of which remain undisclosed. 

Duvel Moortgat has shown resilience in the face of adversity, as their IT department detected the ransomware attack in the early hours of March 6th, prompting an immediate halt in production.

Ellen Aarts, a spokesperson, confirmed the incident, stating that production ceased upon detection of the ransomware, with uncertainty about when it could resume. However, she assured that the brewery possesses sufficient beer inventory to manage the production halt.

Located in Breendonk, Antwerp, Duvel Moortgat is renowned for its signature Duvel ale, alongside Vedett and Maredsous beers, which enjoy international popularity.

Belgian beer enthusiasts took to Reddit to jest about the situation, showcasing their typical humour. Meanwhile, it was revealed that despite the disruption, beer pumps remained operational, leading some employees (excluding IT staff) to enjoy drinks in the cafeteria—a fact perhaps lamented by the IT department.

At present, the timeline for Duvel Moortgat to resume full-scale production remains uncertain, and the perpetrators behind the cyberattack remain unidentified.

Lazarus Group Exploits Microsoft Zero-Day in a Covert Rootkit Assault

North Korean government-backed hackers gained a major advantage when Microsoft left a zero-day vulnerability unpatched for six months after learning it was being actively exploited. As a result, the attackers were able to take advantage of the flaw and gain access to sensitive information. Although Microsoft has since patched the vulnerability, the damage had already been done. 

Researchers from the Czech cybersecurity firm Avast discovered a zero-day vulnerability in AppLocker earlier this month, and Microsoft patched the flaw at the beginning of this month. AppLocker is a service that allows administrators to control which applications are allowed to run on their systems. 

APT38, the Lazarus group, is a state-run hacking team operated by the North Korean government. It's tasked with cyberespionage, sabotage, and sometimes even cybercrime to raise money for the regime. Although Lazarus has operated for many years, some researchers believe it is essentially a group of subgroups operating their campaigns and developing specific types of malware for specific targets that they use to accomplish their objectives. 

FudModule, part of Lazarus's toolset, was analyzed by other cybersecurity firms back in 2022 and is not new to the group. Essentially, it is a data-only rootkit that runs in user space and uses a kernel read/write primitive obtained through a driver to alter Windows security mechanisms and hinder the detection of other malicious components by security products. 

In August 2023, the security company Avast developed a proof-of-concept exploit for this vulnerability after observing the Lazarus attack and sent it to Microsoft. The vulnerability is tracked as CVE-2024-21338 and was identified in the Lazarus attack last year. According to Avast, Lazarus exploited CVE-2024-21338 to create a read/write kernel primitive in an updated version of its FudModule rootkit, which ESET first documented in late 2022. 

Previously, the rootkit established its kernel access through BYOVD (Bring Your Own Vulnerable Driver) attacks using a Dell driver. Avast reported that the threat actors had previously built the admin-to-kernel primitive with BYOVD techniques, which are noisy. The new zero-day exploit, however, clearly made establishing a kernel-level read/write primitive easier and quieter. 

The root cause is a long-standing grey area in Windows security. Since "administrator-to-kernel vulnerabilities are not a security boundary", Microsoft only retains the right to patch them. It is also important to remember that threat actors with administrative privileges already have access to the Windows kernel. 

Since this is an open space that attackers can exploit, they take advantage of any vulnerabilities they find to reach the kernel. Once threat actors have kernel-level access to the OS, they can disrupt security software, conceal infection indicators, and disable kernel-mode telemetry, among other malicious activities. 

In an announcement, Avast, the cybersecurity vendor that discovered the admin-to-kernel exploit for the bug, noted that by weaponizing the kernel flaw, the Lazarus Group could manipulate kernel objects directly in an updated version of its data-only rootkit FudModule. 

The FudModule rootkit has been tracked by ESET and AhnLab since October 2022 and is capable of disabling the monitoring of all security solutions on infected hosts. The Bring Your Own Vulnerable Driver (BYOVD) attack, in which an attacker loads a driver with known or unknown flaws to escalate privileges, leaves security solutions unable to monitor the system. 

What makes the latest attack notable is that it goes "beyond BYOVD by exploiting a zero-day vulnerability in a driver that is already installed on the target machine, which is known to be a zero-day vulnerability." That driver is appid.sys, which plays a crucial role in AppLocker, the application control feature in Windows. 

In a study published earlier this week, researchers found that Lazarus was uploading malicious packages to the repository that hosts open-source Python software, targeting software developers directly. The researchers report that the malicious packages have been downloaded hundreds of times. 

The South Korean judicial system was also targeted by Lazarus. A large hack at the Supreme Court of South Korea last year was allegedly carried out by the group. Police confiscated servers from the court in February, and it is still being investigated whether the servers were compromised. 

North Korean hackers, including Lazarus, hacked more crypto platforms last year than ever before, according to a report by crypto analytics firm Chainalysis. The value of stolen assets reached $1 billion, more than in any other year.

Optum CEO Stresses Communication's Vital Role in Cyberattack Management

 

UnitedHealth Group's subsidiary, Change Healthcare, is anticipated to provide a significant update possibly by Tuesday, following a severe ransomware attack that has persisted for five consecutive days, causing disruptions in healthcare services nationwide.

Change Healthcare plays a pivotal role in handling claims and payments for various healthcare entities, including hospitals and pharmacies.

Dr. Amar Desai, CEO of Optum Health, a division of UnitedHealthcare, stated that the company is actively addressing the issue. Desai, along with other Optum executives, has been in constant communication with affected companies' top executives, particularly those in charge of security, information, and technology.

Desai emphasized the importance of robust communication channels among stakeholders during such incidents to ensure a coordinated response. He made these remarks during the Vive healthcare conference in Los Angeles, where he was part of a panel discussion alongside Huntington Health CEO Dr. Lori Morgan, moderated by Yahoo Finance.

UnitedHealth initially reported the cyberattack to the Securities and Exchange Commission (SEC) on Thursday, revealing that the attack commenced on February 21. The filing indicated that the company suspected the involvement of a nation-state-linked cyber threat actor.

According to Optum, the perpetrator behind the attack has been identified as Blackcat, a ransomware group with Russian sponsorship. Despite the FBI's efforts to dismantle Blackcat late last year, the group has persisted in its malicious activities, targeting healthcare entities and government agencies.

In response to the ongoing threat, the American Hospital Association (AHA) advised healthcare systems to disconnect from Change Healthcare and develop contingency plans should the attack prolong.

As of the latest update on Monday, Change Healthcare stated that it promptly disconnected its systems upon detecting the threat. Notably, Optum, UnitedHealthcare, and UnitedHealth Group systems remain unaffected.

Change Healthcare reiterated its commitment not to compromise on security measures during the recovery process, emphasizing a proactive approach to addressing any potential issues promptly.

The full extent of the impact on Change Healthcare's partners remains unclear, and it may take some time before a comprehensive assessment is possible.

Privacy Watchdog Issues Warning

 

Information about over 33 million individuals in France, roughly half of the nation's population, was compromised in a cyberattack after January, according to the country's data protection authority.

The Commission Nationale Informatique et Libertés (CNIL) disclosed this development recently after being notified by two healthcare insurance firms, Viamedis and Almerys.

The agency cautioned that the breached data, impacting policyholders and their families, encompasses details such as "marital status, date of birth, social security number, the name of the health insurer, as well as the guarantees of the contract."

Thankfully, unlike the situation involving Australian health insurer Medibank, sensitive medical records and treatment histories were not accessed.

CNIL emphasized that the responsibility lies with the health insurance firms to inform the affected parties. However, individuals are advised to remain vigilant against potential phishing schemes aiming to defraud them.

While the contact information of policyholders remained untouched, CNIL highlighted the possibility of combining the breached data with other previously compromised information for further malicious activities.

In light of the magnitude of the breach, CNIL swiftly initiated investigations to assess the adequacy of security measures implemented both before and after the incident, in alignment with GDPR obligations.

Failure of the implicated companies to adhere to cybersecurity protocols mandated by the EU's GDPR could result in penalties of up to €20 million or 4% of their global revenue, whichever is greater.

The ransomware attack on Medibank stirred considerable distress in Australia when the perpetrators began disclosing sensitive healthcare claims data for approximately 480,000 individuals, including details on drug addiction treatments and abortions, for extortion purposes.

Last month, Australia, the United Kingdom, and the United States publicly attributed the attack to Russian hacker Aleksandr Ermakov, imposing financial sanctions and travel restrictions on him.

Orrick Data Breach: Law Firm Dealing with Data Breaches Hit by One


An international law firm that assists businesses impacted by security incidents has itself experienced a cyberattack, which compromised the sensitive health information of hundreds of thousands of data breach victims. 

Orrick, Herrington & Sutcliffe, the San Francisco-based firm, revealed last week that during an attack in March 2023, threat actors stole personal information and sensitive health data of more than 637,000 data breach victims.

In a series of letters notifying those affected, Orrick said that the hackers had taken large amounts of data from its systems relating to security incidents at other organizations for which it had provided legal assistance.

Orrick says the breach involved its clients' data, including that of people with dental policies from Delta Dental, a major healthcare insurance network that covers millions of Americans' dental needs, and people with vision plans from the insurance company EyeMed Vision Care.

The company further added that it had notified the U.S. Small Business Administration, the behavioral health giant Beacon Health Options (now Carelon), and the health insurance provider MultiPlan that their data was also exposed in the breach.

The stolen data reportedly includes victims' names, dates of birth, postal and email addresses, and government-issued identification numbers such as Social Security numbers, passport and driver's license numbers, and tax identification numbers. Information about patients' medical treatment and diagnoses, insurance claim details such as dates and service charges, and health insurance numbers and provider details was also compromised. 

Orrick further says that credit or debit card details as well as online account credentials were also involved in the breach. 

Since the initial announcement of the breach, the number of affected individuals has kept rising. In its most recent breach notice, Orrick states that it “does not anticipate providing notifications on behalf of additional businesses,” but the company did not specify how it came to this conclusion. 

Orrick told a federal court in San Francisco in December that it had reached a preliminary settlement to end four class action lawsuits, which claimed Orrick failed to disclose the breach to victims for months after it had occurred.

“We are pleased to reach a settlement well within a year of the incident, which brings this matter to a close, and will continue our ongoing focus on protecting our systems and the information of our clients and our firm,” added Orrick’s spokesperson.  

Cybersecurity Incident Causes Outage at Lesotho's Central Bank

 

Lesotho's central bank is grappling with widespread disruptions following a cyberattack detected earlier this week. The landlocked country, surrounded by South Africa and home to over 2 million people, has issued multiple statements acknowledging the impact of the incident on various systems.

In an official announcement on Tuesday, the Central Bank of Lesotho revealed, "The Central Bank of Lesotho advises the public that, on Monday 11th December 2023, it experienced a cybersecurity incident on its systems. The Bank has investigated the matter and is working around the clock to restore the systems."

Despite assuring the public that no financial losses occurred, the bank has suspended certain systems to prevent further intrusion by the attackers. Consequently, the suspension may lead to delayed payments as the institution focuses on restoring normalcy to its systems.

In a subsequent statement on Wednesday, in conjunction with the Bankers Association of Lesotho, it was revealed that the National Payments System's continued downtime is hindering inter-bank transactions across the country. Although technical teams are actively addressing the issue, officials have agreed to implement business continuity processes and measures to facilitate payments and transactions among banks. However, the specifics of these alternatives were not detailed in the statement.

Local news sources reported concerns about the potential impact on the exchange rate, given that Lesotho's currency, the Loti, is pegged to South Africa's rand. This cyber incident adds to a series of cybersecurity challenges faced by South Africa, including ransomware attacks on the state-owned Development Bank of Southern Africa in June and the Defense Department in September, which almost caused an international incident during the BRICS Summit in Johannesburg.

Earlier this week, cybersecurity company Zimperium reported an increase in cyber threats, with 29 malware families targeting 1,800 banking applications across 61 countries over the past year. This marks a significant escalation compared to 2022, where researchers identified 10 prolific malware families targeting 600 banking apps.

Rhysida: The New Ransomware Group Behind British Library Cyberattack


This week, the ransomware group Rhysida claimed responsibility for last month's attack on the British Library, in which personal data held by the library was compromised and later offered for sale on online forums. 

While the threat actor's name is new to the list, the tactic remains conventional. Ransomware gangs use malware to infect computers within an organization and render their contents unreadable. They then demand payment, usually in Bitcoin, to unlock the files.

In recent years, however, ‘double extortion’ has become the prevailing tactic: most ransomware groups also steal the data and threaten to leak it online.

This week, Rhysida posted low-quality images of personal data obtained during the attack. On its leak site, Rhysida threatened to sell the stolen information for a starting price of 20 bitcoin, or almost £590,000.

According to Rafe Pilling, director of threat research at cybersecurity firm Secureworks, this is “a classic example of a double extortion ransomware attack and they are using the threat of leaking or selling stolen data as leverage to extort a payment.”

While the British Library is the current high-profile victim of the ransomware gang, Rhysida has also notably attacked government institutions in Portugal, Chile and Kuwait. In August, the group also claimed responsibility for attacking the US hospital group Prospect Medical Holdings.

In response to these emerging cases, US government agencies have released an advisory on Rhysida, stating that “threat actors leveraging Rhysida ransomware are known to impact 'targets of opportunity,' including victims in the education, healthcare, manufacturing, information technology, and government sectors.”

The advisory noted that the Rhysida gang runs a “ransomware as a service” (RaaS) operation, in which it provides its malware to other threat actors and shares in any ransom proceeds. 

Rhysida Ransomware Group

Although Rhysida’s name is relatively new to the public, according to US cybersecurity firm Secureworks, the group first came to light in 2021. Secureworks refers to the group as Gold Victor, noting that it runs a ransomware scheme called Vice Society. 

While the Rhysida gang's precise identity is unknown, Pilling assumes that it adheres to a pattern of comparable operators who are typically from Russia or the Commonwealth of Independent States, which is made up of Kazakhstan, Belarus, and Russia.

“I would assume that they are probably Russian-speaking but we don’t have any hard evidence,” said Pilling.

The US agencies state that groups using the Rhysida ransomware have gained access to systems through virtual private networks (VPNs), which staff generally use to reach their employers' systems from remote locations. They have also used the well-known tactic of phishing, in which victims are duped, typically through email, into clicking a link that downloads malicious software or into divulging personal information such as passwords.

After gaining access, the gang lurks in the system for a while to evade detection. According to Secureworks, this dwell time for cybercrime groups has been significantly reduced compared to 2022, to less than 24 hours. 

The US agencies further note that, like other members of the criminal hacking community, Rhysida attackers frequently seek cryptocurrencies as payment for their extortion. Ransomware gangs are drawn to digital assets like Bitcoin because they are decentralized, meaning they operate outside of traditional financial systems and avoid routine checks. Additionally, transactions can be hidden, making them more challenging to follow.  

Privacy Act Compliance Staggered, NASSCOM Seeks Collaboration

 


In its representation to the government, Nasscom, the leading industry body in the sector, suggested that the Ministry of Electronics and Information Technology needs to consider different deadlines for compliance with the upcoming rules on the protection of personal data. 

Following discussions with the industry, Nasscom stated that organizations with no prior experience of data security, including governments, logistics companies, professionals, offline retailers, research institutes, and schools, would need to start from scratch to implement a compliance program. These will be the most time-consuming tasks. 

According to industry organizations NASSCOM and the Data Security Council of India (DSCI), there needs to be a minimum compliance period of 24 months from the date of notification of any obligation, standard, code of practice or rule. 

As part of their submissions to the Joint Parliamentary Committee on the Personal Data Protection Bill, both organizations pointed out that such a period will be required. It was reported that Nasscom has partnered with companies in the e-commerce, financial, healthcare, and other industry sectors. The report explained that the compliance programmes would need to be adapted to account for the new obligations (e.g., rights as to personal data) that will apply to all types of digital personal data. 

As the Ministry of Electronics and Information Technology (MeitY) said on Friday, it is likely that organisations without any experience in privacy-related legislation, such as the Digital Personal Data Protection Act (DPDPA), will have the most difficulty complying with the new law. 

The observation made by Nasscom came as a part of a representation made to MeitY describing how the DPDPA can be effectively implemented. There were questions about the full scope of the Act, and the agency requested clarification and guidance on it. 

The Data Protection Authority (DPA) will also need to be formed within a set period that must also be defined in the legislation. There must be additional time given to those companies that are handling the data of foreign nationals so that they may renegotiate their international contracts when the bill is passed. To clarify the extent to which the proposal could be applied extraterritorially, examples must be provided. 

NASSCOM is one of the key industry groups in the Indian regulatory landscape, and the DSCI is a data protection body set up in India to focus on the protection of data. Ashwini Vaishnaw, India's IT minister, recently stated that the government does not intend to give companies 12-18 months to comply with the Act. “Is it reasonable to expect the protection of personal data to take so much time? Since the introduction of the GDPR and the Singapore Data Protection Act, the entire industry is already accustomed to it as a result of [the European Union's] GDPR and others, in effect, since they were enacted,” he said. He also mentioned that the 25 sets of rules to be adopted to implement the DPDP Act would be released in one shot, with everyone notified at the same time. 

Vaishnaw had also commented that the draft rules would be made public for 45 days for public consultation. In their request, Nasscom pointed out that generally, 30 days are allotted for the public to comment on each set of rules. As a result, Nasscom requested MeitY to give a period that is sufficiently long for the public to comment. 

The idea, as mentioned by Nasscom, is not merely to indirectly create new rules, but rather to provide comprehensive clarification on how the central government is interpreting these sections. This clarification aims to identify the best practices and international reference points that can confidently be applied to the Indian context. 

By doing so, it will not only avoid redefining statutory provisions or constraining the (Data Protection) Board or the Telecom Disputes Settlement and Appellate Tribunal, but also ensure that the interpretation of key terms and concepts, such as "purposes of employment", "voluntary provision of personal data", "technical and organisational measures", "security safeguards", "detrimental effect on the well-being of a child", and "erasure" under the Act, are clearly defined and understood. This guidance will enable stakeholders to navigate the complexities of data protection with greater clarity and confidence.

Unravelling the 23andMe Data Leak: A Deep Dive into the Extent of the Breach

 


Hackers have claimed to have accessed "millions" of profiles of users of 23andMe.com, a popular genetic testing service that has been around for several years. The hackers claim to hold the names, photos, birth details, and ethnicities of potentially millions of 23andMe customers and are offering the information for sale for thousands of dollars. 

According to the company, there is no indication that 23andMe's own security systems were breached; data from previous breaches appears to have been used to gather the information. In recent days, millions more user records have been leaked, including by the same hacker who leaked information about 23andMe's genetic tests two weeks ago. 

An individual using the name Golem has posted to BreachForums, a forum known to be used by cybercriminals, a new dataset containing the personal information of four million 23andMe users. The dataset is believed to have been released on Tuesday. 

Even without compromising their accounts, the attacker was able to access the data of many users who had opted in to the DNA Relatives feature, because that information was visible from the accounts that were compromised. 

This amplifies the impact of the attack: if a compromised account and an uncompromised account have both opted in to DNA Relatives, information from the uncompromised account is visible through the compromised one. 

Consequently, a single compromised account can leak a much wider range of information. The passwords of those other users remain uncompromised, although reports indicate that some of the newly leaked data matched genetic information and user IDs of known 23andMe users that were already publicly available. 

The dataset is said to include "the most wealthy people in the U.S. and Western Europe on this list, as well as information about people who have immigrated from Great Britain." 

23andMe said today that it has been made aware of the new leak; company spokesperson Andy Kill said the company is examining the data to determine whether it is legitimate. On October 6th, 23andMe disclosed that hackers had obtained some user data through credential stuffing, a technique in which attackers try combinations of usernames or email addresses and passwords that are already public from previous data breaches. 
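The credential-stuffing pattern described above has a recognisable shape in authentication logs, which is what defenders look for. The following is an added example, not code from 23andMe or the original article: it runs a simple heuristic over constructed sample log lines (the format, IPs and account names are invented) and separates a stuffing source from brute force and normal logins, then lists the accounts whose reused passwords matched and therefore need a reset.

```python
"""Heuristic detection of credential stuffing in an authentication log.

Stuffing replays username/password pairs leaked from earlier breaches, so
one source shows many distinct accounts, one or two tries each, mostly
failures, and the odd success where a victim reused a password. Brute force
(one account, many tries) and normal use (mostly successes) look different.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines for this example; not real users or traffic.
SAMPLE_LOG = """\
2023-10-01T10:00:01Z ip=203.0.113.7 user=alice@example.test result=FAIL
2023-10-01T10:00:02Z ip=203.0.113.7 user=bob@example.test result=FAIL
2023-10-01T10:00:03Z ip=203.0.113.7 user=carol@example.test result=FAIL
2023-10-01T10:00:04Z ip=203.0.113.7 user=dave@example.test result=OK
2023-10-01T10:00:05Z ip=203.0.113.7 user=erin@example.test result=FAIL
2023-10-01T10:00:06Z ip=203.0.113.7 user=frank@example.test result=FAIL
2023-10-01T10:00:07Z ip=203.0.113.7 user=grace@example.test result=FAIL
2023-10-01T10:00:08Z ip=203.0.113.7 user=heidi@example.test result=FAIL
2023-10-01T10:01:00Z ip=198.51.100.5 user=alice@example.test result=FAIL
2023-10-01T10:01:01Z ip=198.51.100.5 user=alice@example.test result=FAIL
2023-10-01T10:01:02Z ip=198.51.100.5 user=alice@example.test result=FAIL
2023-10-01T10:02:00Z ip=192.0.2.10 user=carol@example.test result=OK
2023-10-01T10:02:30Z ip=192.0.2.10 user=carol@example.test result=FAIL
2023-10-01T10:02:35Z ip=192.0.2.10 user=carol@example.test result=OK
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    ok_users: set[str] = field(default_factory=set)
    per_user: dict[str, int] = field(default_factory=lambda: defaultdict(int))

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_log(text: str) -> list[tuple[str, str, str, str]]:
    """Return (timestamp, ip, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def aggregate_by_source(events) -> dict[str, SourceStats]:
    """Roll the events up per source IP."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for _ts, ip, user, result in events:
        s = stats[ip]
        s.attempts += 1
        s.per_user[user] += 1
        if result == "OK":
            s.ok_users.add(user)
        else:
            s.failures += 1
    return dict(stats)


def detect_credential_stuffing(events, min_distinct_users: int = 5,
                               min_fail_ratio: float = 0.6,
                               max_per_user: int = 2) -> dict[str, SourceStats]:
    """Flag sources that spray many distinct accounts with few tries each."""
    flagged = {}
    for ip, s in aggregate_by_source(events).items():
        if (len(s.per_user) >= min_distinct_users
                and s.fail_ratio >= min_fail_ratio
                and max(s.per_user.values(), default=0) <= max_per_user):
            flagged[ip] = s
    return flagged


def compromised_accounts(flagged: dict[str, SourceStats]) -> set[str]:
    """Accounts that logged in from a flagged source: reused password matched."""
    return set().union(*(s.ok_users for s in flagged.values()))


if __name__ == "__main__":
    hits = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    print("suspected stuffing sources:", sorted(hits))
    print("accounts to reset:", sorted(compromised_accounts(hits)))
```

The thresholds are starting points, not tuned values; shared egress IPs (NAT, VPN concentrators) legitimately show many distinct users and need a lower false-positive rate, for example by also weighting the failure ratio.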

The company believes the hackers accessed a much smaller number of user accounts, based on the preliminary investigation it has conducted, but managed to scrape the data of several other 23andMe users through a feature called DNA Relatives, which was designed to let people share their DNA results. 

With this feature, users can connect with other users with whom they share a recent common ancestor (defined on the website as nine generations or fewer back), view their information, and share details with them. 23andMe has not confirmed whether the attack was directed at any specific ethnic group. 

A data sample of "1 million Ashkenazi individuals" was reportedly posted on BreachForums earlier this week. However, the company claims that it is safe to assume that an individual with just 1% Jewish ancestry can be regarded as Ashkenazi. As 23andMe also notes on its website, individuals with European or Ashkenazi ancestry are more likely to have many matches through the DNA Relatives feature than those with Asian or Middle Eastern ancestry. 

A major security breach has compromised 23andMe user profiles and genetic information, including the names, photos, birthdates, and ethnicities of more than six million 23andMe users. The breach is reportedly a result of the DNA Relatives feature. While 23andMe has yet to confirm whether a specific ethnic group was targeted, concerns remain as the company investigates the legitimacy of the data in order to secure user information. Users should keep a watchful eye on their account security settings and remain vigilant. 

Automation Giant Johnson Controls Hit by Ransomware Attack

A major cyberattack has hit Johnson Controls International, encrypting many of its devices, including VMware ESXi servers, and disrupting operations for both the company and its subsidiaries. 

Johnson Controls is a significant global company that designs and manufactures industrial control systems, security equipment, air conditioners, and fire safety equipment. Together with its subsidiaries, including York, Tyco, Luxaire, Coleman, Ruskin, Grinnel, and Simplex, the company has a workforce of 100,000 people. 

"We are currently experiencing IT outages that may limit some customer applications such as the Simplex Customer Portal. We are actively mitigating any potential impacts to our services and will remain in communication with customers as these outages are resolved," reads a message on the Simplex website. 

Some customers of York, a subsidiary of Johnson Controls, have mentioned that they're being informed about the company's systems being offline. A few have even mentioned being told that this is because of a cyberattack. 

"Their computer system crashed over the weekend. Manufacturing and everything is down. I talked to our rep and he said someone hacked them," a York customer posted to Reddit. Earlier today, Gameel Ali, a threat researcher at Nextron Systems, shared a sample of a Dark Angels VMware ESXi encryptor on Twitter. 

This encryptor included a ransom note claiming it was deployed in an attack against Johnson Controls. Dark Angels, a ransomware group that emerged in May 2022, has been actively targeting organizations worldwide. Like other human-operated ransomware groups, Dark Angels infiltrates corporate networks and then moves laterally, stealing data from file servers for use in double-extortion tactics. 

Once they gain entry to the Windows domain controller, the threat actors set loose the ransomware to encrypt all devices connected to the network. Initially, the threat actors utilized encryptors for Windows and VMware ESXi, which were derived from the source code leak of the Babuk ransomware. 

The perpetrators assert that during the attack they not only encrypted the company's VMware ESXi virtual machines but also made off with more than 27 terabytes of corporate data. As of now, the extortion site lists nine victims, among them Sabre and Sysco, both of which have recently reported cyberattacks.