Anonymous : 900,000 Emails From Russian State Media Were Leaked

Anonymous, which has been targeting Russia since the invasion of Ukraine, has claimed more attacks against critical infrastructure sectors, including one that used an "improved" version of the Russian Conti ransomware, and has called for the targeting of companies that continue to do business in Russia after the slaughter of Ukrainian civilians in Bucha.

More than 900,000 emails from the All-State Television and Radio Broadcasting Company (VGTRK) were purportedly leaked by NB65, or Network Battalion 65, a group linked to the well-known hacker collective Anonymous.

DDoSecrets, a non-profit whistleblower site for news leaks, has made the 786.2 GB cache available to the public as a torrent after NB65 shared the hacked emails with it on Monday. Emma Best, a co-founder of DDoSecrets, described the leak as "an unprecedented expose of state-owned media and propaganda which the Russian government views as crucial to state security."

A hacker group called NB65 has been infiltrating Russian entities, collecting private data, and exposing it online for the past month, claiming the attacks are a response to Russia's invasion of Ukraine. According to the Everyday Dot, the emails span more than 20 years of correspondence and include discussions about daily operations as well as the sanctions imposed on Russia by other countries in reaction to its invasion of Ukraine.

Tensor, the Russian space agency Roscosmos, and VGTRK, the state-owned Russian television and radio broadcaster, are among the Russian organizations said to have been targeted by the group. Following the attack on VGTRK, the claimed haul of 786.2 GB of data, comprising 900,000 emails and 4,000 files, was released on the DDoSecrets website. Since the end of March, the NB65 hackers have adopted a new tactic: attacking Russian institutions with ransomware.

Conti's source code was leaked after the gang sided with Russia in the invasion of Ukraine: a security researcher obtained 170,000 internal chat messages and the source code for the gang's operation.

Threat analyst Tom Malka was the first to draw attention to NB65's activities, but he was unable to locate a ransomware sample and the group declined to provide one. This changed when a sample of NB65's modified Conti ransomware executable was uploaded to VirusTotal, letting us see how it functions.

On VirusTotal, almost all antivirus vendors identify this sample as Conti, and Intezer Analyze found that it shares 66% of its code with other Conti ransomware samples. When it comes to encrypting files, NB65's malware is a close match for Conti.

The All-Russian State Television and Radio Broadcaster (VGTRK) is Russia's largest media conglomerate, with five national television channels, two major international networks, five radio stations, and over 80 regional television and radio networks under its umbrella. The ransomware leaves R3ADM3.txt ransom notes across the encrypted device, in which the threat actors blame the attacks on President Vladimir Putin's invasion of Ukraine.

JupyterLab Web Notebooks Targeted by Unique Python-Based Ransomware

Researchers have revealed the first-ever Python-based ransomware specifically tailored to target exposed Jupyter notebooks. Jupyter is a web-based interactive computing platform that allows editing and running code through a browser. Python isn't widely used for malware development; attackers notably prefer languages like Go, DLang, Nim, and Rust. Nonetheless, this isn't the first time Python has been used in ransomware: in October 2021, Sophos disclosed Python ransomware specifically targeting VMware ESXi systems.

Jupyter Notebook is an open-source, web-based data visualization platform used in data science, computing, machine learning, and modular software to model data. The project supports over 40 programming languages and is used by Microsoft, IBM, and Google, as well as universities. According to Assaf Morag, a data analyst at Aqua Security, "the attackers got early access via misconfigured environments, then executed a ransomware script that encrypts every file on a particular path on the server and eliminates itself after execution to disguise the operation."

The Python ransomware is aimed at those who have unintentionally left their systems exposed. To observe the malware's activity, the researchers set up a honeypot with an exposed Jupyter notebook application. The ransomware operator logged in to the server, opened a terminal, downloaded a set of malicious tools, including encryptors, and then manually generated a Python script. While the attack halted before completing its mission, Team Nautilus was able to gather enough data to reproduce the remainder of the attack in a lab setting. The encryptor would copy and encrypt files, then remove the unencrypted data before deleting itself.

"There are over 11,000 servers with Jupyter Notebooks which are internet-facing," Aqua researcher Assaf Morag stated. "Users can execute a brute force attack and perhaps obtain access to some of them — one would be amazed how easy it can be to predict these passwords. We believe the attack either timed out on the honeypot or the ransomware is still being evaluated before being used in real-world attacks." Unlike conventional ransomware-as-a-service (RaaS) schemes, Aqua Security described the attack as "simple and straightforward," adding that since no ransom note was displayed during the process, it raises the possibility that the threat actor was experimenting with the modus operandi or that the honeypot timed out before the attack could be completed.

Regardless, the researchers believe it is ransomware rather than a wiper based on what they have seen. "Wipers typically exfiltrate data and delete it or simply wipe it," Morag continued. "We haven't observed any attempts to move the data outside the server, and the data wasn't just erased, it was encrypted with a password. This is additional evidence that this is a ransomware attack instead of a wiper."

Although evidence discovered during the incident investigation points to a Russian actor, citing similarities with prior cryptomining attacks focused on Jupyter notebooks, the attacker's identity remains unknown.

Indian Banks Failing to Protect Their Cyber Security
In Thane, Maharashtra, unidentified fraudsters hacked the server of a cooperative bank and tampered with its data. According to police, the hackers siphoned off Rs. 1.51 crore to various accounts from the Dombivli Nagarik Sahkari (DNS) Bank on March 12.
 
Following the attack, a case was registered against unidentified persons under section 420 (cheating and dishonestly inducing delivery of property) of the Indian Penal Code (IPC) and section 65 of the Information Technology Act at Manpada police station in the Kalyan division, which has started a probe into the incident in collaboration with the Thane cyber police.
 
The incident highlights the problem of bank fraud, which has become deep-seated in the Indian financial system. In just over seven years, Indian banks have witnessed frauds surpassing $5 trillion, with total fraudulent loans amounting to Rs. 1.37 lakh crore in the last year alone.
 
Shocking scams like the Punjab National Bank (PNB) scam (2018), the Cosmos Bank cyberattack (2018), and the Canara Bank ATM hack (2018), along with many vishing, phishing, ATM skimming, and spamming attacks, have continued to plague Indian banks in recent years. With the increase in digital transactions, cases of financial fraud have also risen sharply. The techniques and countermeasures banks employ to safeguard their customers' financial data and money have been met with increasingly sophisticated hacking techniques used by fraudsters in India.
 
John Maynard Keynes, after examining the state of banking in India, said that banking in India should be conducted on the safest possible principles, calling India a "dangerous country for banking". The apprehension has proven prophetic in the modern era, as financial institutions that fail to conduct prudent banking have become the center of monetary scams. Reportedly, the State Bank of India (SBI), HDFC Bank, and ICICI Bank accounted for the majority of the more than 50,000 fraud incidents recorded in the last 11 fiscal years.
 
Digitalization in India has led to the rise of 'digital money', and cashless transactions have been on a continual rise. Consequently, the protection of data and privacy becomes more important, as a fragile cybersecurity posture can have serious repercussions for any bank's customer base.
 
Data breaches have emerged as a serious threat in the banking sector, which further amplifies the need for an impenetrable banking system, as recovering from a breach and regaining control of a compromised server can be extremely stressful and time-consuming. To strengthen the banking system as it evolves, banks need to identify and plug the gaps in their security. Part of the problem can be attributed to the accelerated pace of digitization, which increasingly demands the same kind of investment on the cyber hygiene side as well.
 
Some of the viable measures that banks can undertake include proactive security techniques like 'whitelisting' (which blocks unapproved programs and allows only a limited set of programs to run) and BIOS passwords (which prevent external access to systems and servers). Employee awareness, stringent filtering, and regular communication with regional offices are among the other preventive measures advised by security experts.

Carpet Bombing DDoS Attacks Increased in 2021

In a carpet-bombing DDoS attack, the attacker targets many different IP addresses of a company within a short span of time. Such attacks accounted for 44% of all attacks last year, but the difference between the first and second halves of 2021 is striking: carpet bombing accounted for 34% of the attacks resolved in Q1 and Q2, then rose to 60% and 56% of attacks in Q3 and Q4 respectively. The longest attack lasted 9 days, 22 hours, and 42 minutes, but most attacks were over within minutes. Around 40% of the attacks observed by the SOC in 2021 occurred in the first quarter.

The figures dropped in the second and third quarters before rising again in the fourth. "The domain name system (DNS) has long been a popular target for DDoS attacks, both as an amplification vector and as a direct target, as well as for other types of exploits," reports Helpnet Security. Attacks also varied in nature compared to previous years. Single-vector attacks accounted for 54% of attacks in 2021, compared to 5% in 2020, reflecting greater attacker activity. The number of attacks using more than four vectors also increased, accounting for a record 4% of total attacks; when an attacker gets serious, it becomes difficult for victims to protect themselves.

Botnets continued to be the main component of DDoS attacks in 2021, and security experts are discovering new botnets and command-and-control (C2) servers every day. The highest-profile botnet of 2021 was Meris, which uses HTTP pipelining to flood web applications, bombarding websites and apps with large numbers of requests per second. The SOC also observed high-intensity amplification DDoS attacks, which use familiar vectors like DNS and Remote Desktop Protocol (RDP) as well as new variants.

The report also covers how web apps are exposed on multiple fronts: threats against web services have risen with the increased use of web applications, making web apps the top attack vector. "While the vast majority of attacks fell into the 25 gigabits per second (Gbps) and undersize category, and the average attack was just 4.9 Gbps last year, 2021 saw many large-scale attacks as well. The largest measured 1.3 terabits per second (Tbps) and the most intense was 369 million packets per second (Mpps)," reports Helpnet Security.
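A defender-side check for the blind spot that makes carpet bombing effective, as an added example that is not part of the original post or the cited report: a per-destination threshold misses the attack because each address only receives a trickle, so the same flow records are also summed per /24. The flow records, addresses and both thresholds are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow summaries for one 10-second window: (destination, bytes).
# 203.0.113.0/24 gets a little traffic on each of 200 hosts (carpet bombing);
# 198.51.100.10 alone receives a conventional single-target flood.
FLOWS = (
    [(f"203.0.113.{h}", 4_000_000) for h in range(1, 201)]   # 200 hosts x 4 MB
    + [("198.51.100.10", 900_000_000)]                        # one host, 900 MB
    + [("198.51.100.20", 1_000_000)]                          # ordinary traffic
)

WINDOW_SECONDS = 10
PER_IP_MBPS = 100.0      # classic per-destination alert threshold (assumed)
PER_PREFIX_MBPS = 200.0  # aggregate threshold applied per /24 (assumed)


def to_mbps(byte_count, seconds):
    """Convert a byte count over a window into megabits per second."""
    return byte_count * 8 / seconds / 1_000_000


def bytes_per_ip(flows):
    """Sum bytes per destination address (IPv4 only in this example)."""
    per_ip = defaultdict(int)
    for dst, nbytes in flows:
        per_ip[ip_address(dst)] += nbytes
    return per_ip


def per_ip_alerts(flows, window=WINDOW_SECONDS, ip_thr=PER_IP_MBPS):
    """The conventional detector: alert on any single destination over ip_thr."""
    return sorted(
        str(ip) for ip, nbytes in bytes_per_ip(flows).items()
        if to_mbps(nbytes, window) >= ip_thr
    )


def classify_prefixes(flows, window=WINDOW_SECONDS,
                      ip_thr=PER_IP_MBPS, prefix_thr=PER_PREFIX_MBPS):
    """Aggregate per /24 and label each prefix that exceeds prefix_thr.

    A prefix whose total is high while no single address crosses ip_thr is
    the carpet-bombing signature; one hot address is an ordinary flood.
    """
    per_prefix = defaultdict(int)
    hottest_ip = defaultdict(float)
    for ip, nbytes in bytes_per_ip(flows).items():
        net = ip_network(f"{ip}/24", strict=False)
        per_prefix[net] += nbytes
        hottest_ip[net] = max(hottest_ip[net], to_mbps(nbytes, window))

    verdicts = {}
    for net, nbytes in per_prefix.items():
        if to_mbps(nbytes, window) < prefix_thr:
            continue
        kind = "single-target flood" if hottest_ip[net] >= ip_thr else "carpet bombing"
        verdicts[str(net)] = kind
    return verdicts


if __name__ == "__main__":
    print("per-IP alerts:", per_ip_alerts(FLOWS))        # only the single-target flood
    print("per-/24 verdicts:", classify_prefixes(FLOWS))  # both prefixes, labelled
```

Production detectors aggregate at whatever prefix sizes match the customer's allocations, and the window and thresholds are tuned per network; the point is that the two views disagree on the 203.0.113.0/24 traffic.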

The USA will Continue to Support Ukraine in Ensuring Cybersecurity

The U.S. authorities will continue to support Ukraine in improving its cybersecurity, U.S. Undersecretary of Homeland Security Robert Silvers said on Thursday.

He said at an online cybersecurity conference that the U.S. has been warning publicly and privately for months that cyberattacks could be part of a large-scale Russian effort to destabilize and invade Ukraine. "Of course, we offer support to Ukraine to help Ukraine strengthen its cyber defenses. We will continue to do so in the days ahead."

According to Silvers, the American side also works closely with other international partners and strengthens its own security. "At the moment, there are no specific and credible threats [from the Russian Federation] to the United States [in cyberspace], however, we, of course, are attentive to the fact that Russia may consider [options] for escalation in ways that may have an impact on other [countries] outside Ukraine. So we are actively working here in the US with industry representatives, with owners and operators of critical infrastructure to strengthen protection," he added. 

The Washington Post, citing American intelligence data, reported on hackers associated with Russia who could bring down many Ukrainian networks if required. "We don't know if they intend to do this. But we are working with Ukraine to strengthen their cyber defense," the article quotes an unnamed official as saying.

On Tuesday, the Information Security Center of Ukraine announced a DDoS attack on the websites of the Ministry of Defense, the Armed Forces, and the state-owned Privatbank and Oschadbank. White House Press Secretary Jen Psaki noted at a briefing on Wednesday that Washington is not yet ready to say whom the US authorities consider responsible for these cyberattacks. The press secretary of the President of the Russian Federation, Dmitry Peskov, said earlier that Russia has nothing to do with cyberattacks in Ukraine.

EU Ready to Send a Mission to Kiev to Fight Cyberattacks

The EU countries, while discussing the situation around Ukraine, expressed their readiness, if necessary, to adopt a set of sanctions against Russia. French Foreign Minister Jean-Yves Le Drian said this on Monday after the EU Council meeting in Brussels. 

"This meeting showed a great degree of agreement between the Europeans and the United States. This cohesion is very important," he said, adding that diplomatic efforts are underway in connection with the escalation along the Ukrainian border. 

"I was greatly impressed by the firmness of the Europeans and their willingness to jointly present a set of sanctions, measures to contain Russia in order to prevent an offensive - military or otherwise - in Ukraine," Le Drian said. 

On the night of January 14, the websites of the Ministry of Foreign Affairs of Ukraine, the Ministry of Education, the Ministry of Agrarian Policy and Food were subjected to massive cyberattacks. Hackers posted messages warning residents to "fear and expect the worst." In addition, Ukrainians were warned that the allegedly personal information of residents of the country, which was uploaded to the "common network," would be destroyed without the possibility of recovery. 

According to Deputy Secretary of the National Security and Defense Council of Ukraine Sergei Demedyuk, hackers associated with the intelligence services of Belarus are behind the cyberattack on Ukrainian ministries. A criminal case was later opened over the cyberattack.

White House Press Secretary Jen Psaki noted that the United States is in contact with Ukraine regarding the incident, and also offered its assistance in the investigation. According to her, the United States, its allies, and partners are "concerned about this cyberattack." 

NATO Secretary-General Jens Stoltenberg announced that the organization will sign an agreement with Ukraine on strengthening cyber cooperation. He condemned cyberattacks on the government of Ukraine. 
 
On December 21, the American newspaper the New York Times reported that the United States and Great Britain had secretly sent a group of cybersecurity specialists to Ukraine. Reportedly, the West wants to help Kiev prepare for cyberattacks that are allegedly being planned.

Saltzer Health Says Patient Data Exposed in Cyberattack

Saltzer Health, an Intermountain Healthcare company, has recently suffered a cyberattack. The company has begun alerting its employees and patients about the breach, sending notices informing them that their protected health information might have been compromised following a hack on a connected third party.

According to available data, the company operates 12 clinics and urgent care facilities in Boise, Caldwell, Meridian, and Nampa, Idaho. After investigating the attack, the company issued a statement saying that the attackers had access to an employee email account between May 25 and June 1, 2021.

The investigation also found that the email account contained personal data that was compromised during the period of unauthorized access. The compromised data includes names, contact details, driver's license numbers, state identification numbers, and, in some cases, social security numbers and financial account details.

Additionally, the compromised medical information includes medical history, diagnoses, treatment details, physician information, and prescription medication information, along with health insurance information. All impacted individuals will receive two years of identity theft detection and resolution services.

While the company has not issued a statement on the number of people affected, it told the U.S. Department of Health and Human Services that 15,650 individuals' data was potentially compromised in the hack.

The company said that it has taken steps to mitigate the risk of data theft, including resetting the passwords of the affected email accounts and monitoring its systems for suspicious activity.

“Saltzer Health encourages all individuals to remain vigilant against incidents of identity theft and fraud by reviewing account statements and explanation of benefits, and monitoring free credit reports for suspicious activity,” the organization says.

Novel Fileless Malware Uses Windows Registry as Storage to Bypass Detection

Cybersecurity researchers from the Prevailion Adversarial Counterintelligence Team (PACT) have unearthed a new fileless malware, dubbed DarkWatchman, that is propagated via a social engineering campaign.

The RAT is designed to evade detection and analysis almost entirely, and so could easily be employed in ransomware operations. DarkWatchman uses a complex domain generation algorithm (DGA) to locate its command-and-control (C2) infrastructure and abuses the Windows Registry for storage.

The malware "utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation," researchers Matt Stafford and Sherman Smith stated. 

“It represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools." 

According to the researchers, the RAT began its operations in November and made use of multiple known TLS certificates. Given its backdoor and persistence features, the researchers believe that DarkWatchman could be an 'initial access and reconnaissance tool' used by ransomware groups.

Typically, ransomware operators rely on other attackers to manage the persistence and wide distribution of their programs. The use of fileless malware with such detection-evading techniques gives the ransomware developers better oversight of the operation beyond negotiating ransoms.

The novel RAT consists of a fileless JavaScript RAT and a C#-based keylogger, the latter stored in the registry to avoid detection. Both components are extremely lightweight: the malicious JavaScript code takes up only about 32 KB, while the keylogger barely registers at 8.5 KB.

"The storage of the binary in the registry as encoded text means that DarkWatchman is persistent yet its executable is never (permanently) written to disk; it also means that DarkWatchman's operators can update (or replace) the malware every time it's executed," the researchers said. 

Once installed, the malware can execute arbitrary binaries, load DLL files, run JavaScript code and PowerShell commands, upload files to a remote server, update itself, and even uninstall the RAT and keylogger from the compromised device. The JavaScript routine is also responsible for establishing persistence by creating a scheduled task that runs the malware at every user logon.

"It would appear that the authors of DarkWatchman identified and took advantage of the complexity and opacity of the Windows Registry to work underneath or around the detection threshold of security tools and analysts alike," the researchers concluded. "Registry changes are commonplace, and it can be difficult to identify which changes are anomalous or outside the scope of normal OS and software functions."
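A hunt for the storage technique the researchers describe, as an added example that is neither Prevailion's tooling nor DarkWatchman code: it parses a registry export and flags string values that look like large encoded blobs, since a script or binary kept "as encoded text" in a value is exactly what a file-based scanner never sees. The export text, key and value names, and the 2 KB cut-off are constructed assumptions; a real export written by `reg export` is UTF-16LE and should be opened with `encoding="utf-16"` before being passed in.

```python
import base64
import re
from dataclasses import dataclass

# Constructed stand-in for an encoded payload: 3 KB of arbitrary bytes as base64.
FAKE_BLOB = base64.b64encode(bytes(range(256)) * 12).decode()

# Constructed .reg export. Key and value names are assumptions, not indicators.
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"OneDrive"="C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\OneDrive\\\\OneDrive.exe /background"

[HKEY_CURRENT_USER\\Software\\ExampleVendor\\Cache]
"Token"="ZXhhbXBsZQ=="
"Stage2"="{FAKE_BLOB}"
"""

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="data" with .reg escaping (\\ and \") allowed inside either string
STR_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
BASE64_TEXT = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
HEX_TEXT = re.compile(r"^[0-9A-Fa-f]+$")


@dataclass
class RegValue:
    key: str
    name: str
    data: str


def unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return the string (REG_SZ) values in .reg text; other value types are skipped."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key")
            continue
        m = STR_VALUE.match(line)
        if m and key is not None:
            entries.append(RegValue(key, unescape(m.group("name")), unescape(m.group("data"))))
    return entries


def looks_like_blob(data, min_len):
    """True for values at least min_len long made only of base64 or hex characters."""
    return len(data) >= min_len and bool(BASE64_TEXT.match(data) or HEX_TEXT.match(data))


def find_blobs(entries, min_len=2048):
    """Values big enough to hold code and stored as encoded text: review candidates."""
    return [e for e in entries if looks_like_blob(e.data, min_len)]


if __name__ == "__main__":
    for hit in find_blobs(parse_reg(SAMPLE_REG)):
        print(f"{hit.key}\\{hit.name}: {len(hit.data)} chars of encoded text")
```

Legitimate software also caches encoded state in the registry, so the output is a triage list to pair with the scheduled-task and logon-time activity the post describes, not a verdict on its own.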

'The Community' Has Been Sentenced For a Multimillion-dollar SIM Swapping Conspiracy

The U.S. Department of Justice (DoJ) has sentenced a sixth member of the international hacking group known as ‘The Community’ in association with a multimillion-dollar SIM swapping conspiracy. 

Garrett Endicott, 22, of Warrensburg, Missouri, is the last of the six defendants to be sentenced in connection with a multi-million-dollar SIM-swapping conspiracy that targeted victims across the country, including in California, Michigan, Missouri, Utah, New York, Texas, and Illinois. He was sentenced to 10 months in prison and ordered to pay $121,549.37 in restitution.

Before delving into more details, let's first understand what exactly happened: what SIM swapping is and how it usually plays out.

SIM swapping, or SIM hijacking, is a type of identity theft fraud in which the perpetrator persuades phone carriers to port their victims' cell service to SIM cards under the perpetrator's control.

This usually begins with gathering the victims' data from numerous sources, including data breach leaks, social media profiles, phishing, and other types of social engineering. Once the number is ported, the hackers gain access to the victim's accounts that are linked to their phone number, including email, cloud storage, and cryptocurrency exchange accounts.

The main reason cybercriminals do this is to intercept two-factor authentication (2FA) texts that grant access to secure services such as banks and crypto wallets.
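The 2FA-interception step described above, turned into a defender-side check as an added example that is not from the DoJ material: a service that receives SIM-change notifications for a subscriber's number holds SMS-OTP-based account recoveries for a cooling-off period after the change, because the code has already gone to whoever now holds the SIM. The event feed, phone numbers, account ids and 48-hour window are constructed assumptions; carrier SIM-change signals exist in practice but their real format is not shown here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event stream: carrier SIM-change notices plus the service's own
# SMS-OTP-based account recoveries. Timestamps are ISO 8601; phone numbers
# and account ids are fictional.
EVENTS = [
    {"t": "2019-03-04T10:00:00", "type": "sim_change", "phone": "+15550100001"},
    {"t": "2019-03-04T10:12:00", "type": "sms_otp_reset", "phone": "+15550100001",
     "account": "acct-alice"},
    {"t": "2019-03-01T09:00:00", "type": "sim_change", "phone": "+15550100002"},
    {"t": "2019-03-04T09:00:00", "type": "sms_otp_reset", "phone": "+15550100002",
     "account": "acct-bob"},
    {"t": "2019-03-04T11:00:00", "type": "sms_otp_reset", "phone": "+15550100003",
     "account": "acct-carol"},
]

DEFAULT_COOLING_OFF_HOURS = 48  # assumed policy: no SMS-OTP recovery this soon after a SIM change


def _when(event):
    return datetime.fromisoformat(event["t"])


def sim_change_index(events):
    """Map each phone number to the sorted times its SIM was changed."""
    changes = defaultdict(list)
    for e in events:
        if e["type"] == "sim_change":
            changes[e["phone"]].append(_when(e))
    return {phone: sorted(times) for phone, times in changes.items()}


def decide_reset(reset, changes, cooling_off):
    """'hold' if the number's SIM changed within cooling_off before this reset, else 'allow'.

    The SMS code has already been delivered to whoever holds the SIM, so the
    only safe response is to pause and verify the user through another channel.
    """
    when = _when(reset)
    recent = [c for c in changes.get(reset["phone"], ())
              if timedelta(0) <= when - c <= cooling_off]
    return ("hold", max(recent)) if recent else ("allow", None)


def review_resets(events, cooling_off_hours=DEFAULT_COOLING_OFF_HOURS):
    """Decide every SMS-OTP reset in the stream; returns {account: 'hold' | 'allow'}."""
    changes = sim_change_index(events)
    cooling_off = timedelta(hours=cooling_off_hours)
    return {e["account"]: decide_reset(e, changes, cooling_off)[0]
            for e in events if e["type"] == "sms_otp_reset"}


if __name__ == "__main__":
    for account, decision in review_resets(EVENTS).items():
        print(f"{account}: {decision}")
```

The same hold applies to logins that rely on an SMS code; the longer-term fix the incident points to is moving high-value accounts off SMS as a second factor altogether.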

"Members of The Community engaged in Sim Hijacking to steal cryptocurrency from victims across the country, including California, Missouri, Michigan, Utah, Texas, New York, and Illinois, resulting in the theft of cryptocurrency valued, at the time of the theft, ranging anywhere between $2,000 to more than $5 million, from different affected parties," the justice department said.

"The actions of these defendants resulted in the loss of millions of dollars to the victims, some of whom lost their entire retirement savings. This case should serve as a reminder to all of us to protect our personal and financial information from those who seek to steal it," said Acting U.S. Attorney Saima Mohsin for the Eastern District of Michigan.

WIRTE Hacker Group Constantly Targeting Middle East Countries

Cyberattacks in the Middle East have typically been carried out by cybercriminals targeting the primary sectors of governments, such as oil and gas and other key industries. Since 2019, however, a covert malware campaign has been targeting the region using malicious Microsoft Excel and Word documents to victimize governments and their important organs, such as military groups, diplomatic agencies, law firms, and financial institutions, mainly based in the Middle East.

Russian cybersecurity company Kaspersky has investigated and concluded that the state-sponsored hacking group 'WIRTE' is behind the attacks. Earlier investigation by Kaspersky researchers disclosed the group's method of targeting: "MS Excel droppers that use hidden spreadsheets and VBA macros to drop their first stage implant", a Visual Basic Script (VBS) with functionality to gather system information and execute malicious code sent by the attackers to the compromised system.

After analyzing the campaign as well as the adversary's toolset and methodology, Kaspersky's researchers have pointed to the possibility that the WIRTE group has links with another state-sponsored cyber group known as the Gaza Cyber gang. Armenia, Cyprus, Egypt, Jordan, Palestine, Syria, Lebanon, and Turkey are among the countries affected.

"WIRTE operators use simple and rather common TTPs that have allowed them to remain undetected for a long period of time. This suspected subgroup of the Gaza Cyber gang used simple yet effective methods to compromise its victims with better OpSec than its suspected counterparts," Kaspersky researcher Maher Yamout said.

"WIRTE modified their toolset and how they operate to remain stealthy for a longer period of time. Living-off-the-land (LotL) techniques are an interesting new addition to their TTPs. Using interpreted language malware such as VBS and PowerShell scripts, unlike the other Gaza Cyber gang subgroups, adds flexibility to update their toolset and avoid static detection controls," Yamout added.

Threat Actors Targeting Vaccine Manufacturing Facility with Tardigrade Malware

Biomanufacturing facilities in the US are being actively targeted by an anonymous hacking group leveraging a new custom malware called ‘Tardigrade’. 

In a new threat advisory, the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) claimed this week that the first attack was launched using this new malware in spring 2021, followed by the second assault in October.

New malware strain

According to BIO-ISAC, Tardigrade possesses advanced features and is believed to be the work of an advanced threat group or a nation-state intelligence service. The malware is primarily used for espionage, though it can also cause other problems, including network outages. The recent attacks are also believed to be linked to Covid-19 research, as the pandemic has shown just how crucial biomanufacturing research is when creating vaccines and other drugs.

Tardigrade's functionality includes a Trojan, a keylogger, and data theft, and it also establishes a backdoor into targeted systems. There is some debate regarding the origins of the code used in Tardigrade: BIO-ISAC believes the malware is based on Smoke Loader, a Windows-based backdoor operated by a hacking group called Smoky Spider, whereas security researchers who spoke with Bleeping Computer believe it is a form of the Cobalt Strike HTTP.

“The biomanufacturing industry along with other verticals are so far behind in cybersecurity, making them a prime target for bad actors. Cyberattacks mostly happen to those that provide easy access or least path of resistance,” George Gerchow, chief security officer of machine data analytics company Sumo Logic Inc., told SiliconANGLE. 

“This is a blatant example of how attackers are focusing on human health during a time of high anxiety, and bioscience is an easy target. The industry is going to have to move quickly to put proper cyber security controls in place. It is going to be a huge mountain for them to climb as some of the companies in the industry have antiquated technology, lacked the proper skill sets, and relied too much on legacy security tools,” Gerchow added. 

The BIO-ISAC report recommends the following steps for biomanufacturing sites to enhance their security and response postures: (i) scan your biomanufacturing network segmentation, (ii) collaborate with biologists and automation experts to design a foolproof analysis for your firm, (iii) employ antivirus with behavioral analysis capabilities, (iv) participate in phishing detection training, and (v) stay vigilant.

UK Man Arrested for Cryptocurrency Fraud, Sentenced 20 Years

A United Kingdom man who was earlier charged in the US over the hacking of celebrities' and politicians' Twitter accounts was recently arrested for stealing cryptocurrency worth $784,000. Prosecutors in Manhattan said that Joseph James O'Connor, 22, along with his partners stole Bitcoin, Litecoin, and Ethereum after taking control of the targets' cellphone numbers by linking them to SIM cards in their possession.

O'Connor, aka PlugwalkJoe, and his partners orchestrated a SIM swapping attack targeting three executives of a Manhattan cryptocurrency company, stealing cryptocurrency from two of its clients and laundering it. O'Connor's lawyer is not yet known. According to prosecutors, the campaign ran from March 2019 to May 2019. O'Connor awaits possible extradition from Spain following his arrest in July in connection with last year's July hack, which compromised several Twitter accounts and netted around $118,000 worth of Bitcoin.

"It named the British man as Joseph James O'Connor and said he faced multiple charges. He was also accused in a criminal complaint of computer intrusions related to takeovers of TikTok and Snapchat accounts, including one incident involving sextortion, as well as cyberstalking a 16-year-old juvenile," Reuters reported earlier in July. The hacked accounts included those of current US president Joe Biden, former president Barack Obama, former Amazon CEO Jeff Bezos, Bill Gates, Warren Buffett, Kim Kardashian, Elon Musk, and rapper Kanye West (now known as Ye).

The teenager Graham Ivan Clark, the mastermind behind the Twitter hack, pleaded guilty in March in a Florida state court and is currently serving three years in a juvenile prison. The latest charges against O'Connor consist of money laundering and conspiracy to commit wire fraud, carrying a minimum of 20 years in prison, along with aggravated identity theft and computer hacking conspiracy.

Reuters reports, "the alleged hacker used the accounts to solicit digital currency, prompting Twitter to take the extraordinary step of preventing some verified accounts from publishing messages for several hours until security to the accounts could be restored."

UMass Memorial Health Suffers Data Breach, 209,000 Users Affected

UMass Memorial Health, a health care network based in Massachusetts, has reported a phishing incident that might have leaked the personal information of hundreds of thousands of people. Unauthorised access to restricted employee mail accounts lasted around seven months, from June 2020 to January 2021, before the attack was identified, UMass Memorial said in a statement on its official website. UMass Memorial Health, which comprises a medical center, three other healthcare institutions and a medical group, reported to the Department of Health and Human Services an email incident affecting around 209,000 individuals.

According to UMass Memorial Health, it confirmed the breach on 7 January, when some employees' mail accounts were found to have been accessed by an unauthorised user. The information was posted on the HIPAA Breach Reporting Tool website belonging to HHS' Office for Civil Rights. Generally known as the "wall of shame," the website lists health data breaches impacting 500 or more people. The healthcare institute finished identifying the affected users whose information might have been leaked on 25 August.

For the patients affected by the breach, the exposed data includes names, ID numbers, and subscriber and beneficiary election information; for a few individuals, driver's license numbers and Social Security numbers were also present. For affected health plan participants, the exposed data includes names, dates of birth, health insurance information, medical record numbers and treatment information such as dates of service, diagnoses, prescription information, procedure information and provider names. According to UMass, it has no evidence that any of this information was actually viewed or accessed, only that it was contained within a compromised email account.

UMass also says there is no evidence of data misuse; nevertheless, the affected individuals will be offered one year of complimentary credit and identity monitoring. "UMass Memorial Health says that to prevent similar incidents in the future, it has reinforced education with its staff regarding how to identify and avoid suspicious emails and the organization is also making additional security enhancements to its email environment, including enabling multifactor authentication," reports Gov Info Security.

RDP Attacks On A Massive Increase, Warns ESET Threat Report

Cybersecurity firm ESET has released a report warning of a sudden rise in attacks on RDP (Remote Desktop Protocol) endpoints; the report also notes that the Nobelium gang has been active against European government organisations. ESET's data shows that attacks on RDP servers rose by 103.9% in its T1 June report (ESET publishes these reports three times a year). The report puts the total number of detected brute-force attacks at 55 billion, largely owing to a campaign targeting Spanish victims. Going by the T1 2021 ESET report, one would have assumed that RDP attacks would decline.

However, RDP-related attacks rose again, which came as a surprise. The pattern suggests a further increase in hacking attempts, with a particularly stark one expected in T3, the busiest period of 2021. RDP attacks rose only slightly in some regions, but there was a huge uptick against Spanish targets: ESET's data suggests that attacks against Spanish targets in August accounted for one third of the global total. Besides Spain, the US, Germany and Italy were also on the list. A similar pattern was seen in SQL password-guessing incidents. While RDP-related attacks rose by 200%, cryptocurrency-related attacks saw a slight decline.
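The RDP and SQL password-guessing activity ESET describes shows up on a Windows host as bursts of failed-logon events. The following detector is an added example, not code from the ESET report: it runs over constructed Windows Security records shaped like Event ID 4625 (failed logon) and 4624 (successful logon), counts failures per source address in a sliding window, separates a single account being hammered (brute force) from one guess against many accounts (password spray), and notes whether a flagged source later logged on successfully. The event tuples, thresholds and RFC 5737 addresses are all assumptions made for the example.

```python
"""Sliding-window detection of RDP / network logon guessing (added example, not ESET code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

EVENT_LOGON_FAILED = 4625
EVENT_LOGON_OK = 4624
LOGON_RDP = 10        # RemoteInteractive: RDP / Terminal Services
LOGON_NETWORK = 3     # network logon: SMB, SQL Server Windows auth, etc.

# Constructed sample records: (timestamp, event_id, logon_type, account, source_ip).
# Addresses come from RFC 5737 documentation ranges; none of this is real telemetry.
SAMPLE_EVENTS = [
    # one account hammered from a single source: classic brute force, then a success
    ("2021-08-02T10:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2021-08-02T10:00:04", 4625, 10, "administrator", "203.0.113.7"),
    ("2021-08-02T10:00:07", 4625, 10, "administrator", "203.0.113.7"),
    ("2021-08-02T10:00:11", 4625, 10, "administrator", "203.0.113.7"),
    ("2021-08-02T10:00:15", 4625, 10, "administrator", "203.0.113.7"),
    ("2021-08-02T10:00:19", 4625, 10, "administrator", "203.0.113.7"),
    ("2021-08-02T10:00:25", 4624, 10, "administrator", "203.0.113.7"),
    # many accounts, one guess each: password spray
    ("2021-08-02T10:05:00", 4625, 10, "jsmith", "198.51.100.23"),
    ("2021-08-02T10:05:08", 4625, 10, "mgarcia", "198.51.100.23"),
    ("2021-08-02T10:05:16", 4625, 10, "alee", "198.51.100.23"),
    ("2021-08-02T10:05:24", 4625, 10, "rpatel", "198.51.100.23"),
    ("2021-08-02T10:05:32", 4625, 10, "svc_backup", "198.51.100.23"),
    # a user mistyping a password twice: below threshold, not flagged
    ("2021-08-02T10:10:00", 4625, 10, "alee", "10.20.30.40"),
    ("2021-08-02T10:10:30", 4625, 10, "alee", "10.20.30.40"),
    ("2021-08-02T10:11:00", 4624, 10, "alee", "10.20.30.40"),
    # six failures spread over ten minutes: never five inside one window, not flagged
    *[("2021-08-02T11:%02d:00" % (2 * i), 4625, 10, "backup", "203.0.113.99") for i in range(6)],
    # SQL-style network logon guessing: logon type 3, only seen when asked for
    *[("2021-08-02T12:00:%02d" % (5 * i), 4625, 3, "sa", "203.0.113.50") for i in range(6)],
]


def detect_logon_guessing(events, threshold=5, window_seconds=60, logon_type=LOGON_RDP):
    """Return {source_ip: alert} for sources producing >= threshold failed logons of
    the given logon type inside any window_seconds-long sliding window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # source_ip -> failure timestamps still inside the window
    failures = defaultdict(int)   # source_ip -> total failures of this logon type
    accounts = defaultdict(set)   # source_ip -> distinct accounts tried
    flagged = {}                  # source_ip -> timestamp at which the threshold was crossed
    got_in = set()                # flagged sources that later logged on successfully

    for ts_str, event_id, ltype, account, src in sorted(events, key=lambda e: e[0]):
        if ltype != logon_type:
            continue
        ts = datetime.fromisoformat(ts_str)
        if event_id == EVENT_LOGON_OK:
            if src in flagged:          # a success after a flagged burst is the urgent case
                got_in.add(src)
            continue
        if event_id != EVENT_LOGON_FAILED:
            continue
        failures[src] += 1
        accounts[src].add(account)
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:       # drop failures that have fallen out of the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts

    alerts = {}
    for src, first_seen in flagged.items():
        tried = sorted(accounts[src])
        # many distinct accounts with few tries each is a spray; one account hammered is brute force
        kind = "password-spray" if len(tried) * 2 > failures[src] else "brute-force"
        alerts[src] = {
            "flagged_at": first_seen.isoformat(),
            "failures": failures[src],
            "accounts": tried,
            "kind": kind,
            "success_after_failures": src in got_in,
        }
    return alerts


if __name__ == "__main__":
    for src, alert in detect_logon_guessing(SAMPLE_EVENTS).items():
        print("RDP", src, alert)
    for src, alert in detect_logon_guessing(SAMPLE_EVENTS, logon_type=LOGON_NETWORK).items():
        print("network", src, alert)
```

Running it flags 203.0.113.7 as a brute-force source that subsequently logged on (the event worth paging someone for), 198.51.100.23 as a spray, and leaves the mistyping user and the slow guesser alone; passing `logon_type=LOGON_NETWORK` surfaces the SQL-style guessing instead. The same window logic applies to the RDP endpoint itself, but on an exposed host the better mitigation is to put RDP behind a VPN or gateway with multi-factor authentication and a lockout policy rather than to rely on detection alone.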

ESET's experts believe there may be a relationship between cryptocurrency-related attacks and cryptocurrency prices, particularly for cryptomining. ESET says, "our report even mentions PayPal's and Twitter's announcements which sent the prices of major cryptocurrencies up following this increase (visible in the trend toward the end of T2). If there are more high-profile adoptions/announcements supporting cryptocurrencies in the coming months, we expect their prices to grow and cryptomining to follow."

Although ransomware attacks saw a single-digit percentage decline (which ESET also linked to the fall in cryptocurrency prices), the company is certain that the problem persists. T2 was too busy to give a full account of ransomware attacks, but some incidents could not be ignored. "The attack shutting down the operations of Colonial Pipeline – the largest pipeline company in the US – and the supply-chain attack leveraging a vulnerability in the Kaseya IT management software, sent shockwaves that were felt not only in the cybersecurity industry," says ESET.

US House Homeland Leaders Introduce Bipartisan Cyber Incident Reporting Legislation

Representative Yvette D. Clarke (D-NY), Chairwoman of the Cybersecurity, Infrastructure Protection & Innovation Subcommittee, together with other ranking members of the subcommittee, introduced the Cyber Incident Reporting for Critical Infrastructure Act of 2021. Meanwhile, the Biden administration has expressed public support for such requirements in congressional testimony.

If enacted, the legislation would require the DHS Cybersecurity and Infrastructure Security Agency (CISA) to establish requirements and procedures for critical infrastructure owners and operators to report cyber-attack incidents. Under the bill, critical infrastructure owners and operators would have to report cyber-attacks to CISA within 72 hours.

The bill would also require organizations, including businesses with more than 50 employees, state and local governments, and non-profit organizations, to report any ransomware payments they make to CISA within 24 hours. In addition, the bill says that an organization infected by ransomware should pursue recovery rather than pay the ransom to the attackers.

Under the act, a new office, the “Cyber Incident Review Office”, would be created within CISA. The office would be responsible for receiving, aggregating, and analyzing reported cyberattack incidents.

The bill is partly a response to a surge of major cyber-attacks, particularly ransomware, that has hit government agencies and the private sector, which owns and operates 85% of critical infrastructure.

“As our nation continues to be faced with more frequent and increasingly sophisticated cyberattacks, authorizing mandatory cyber incident reporting is a key cybersecurity and national security priority,” said Chairman Thompson. 

“I applaud Chairwoman Clarke, as well as Ranking Member Katko and Ranking Member Garbarino, for their months of dedicated work to put together this legislation to require covered critical infrastructure entities to report certain cyber incidents to CISA. Once enacted, CISA will be on the path to getting the information it needs to identify malicious cyber campaigns early, gain a greater understanding of the cyber threat landscape, and be a better security partner to its critical infrastructure partners,” he added.

Hackers Hit President Putin and Citizens at a TV show

Recently, a massive cyberattack took place while Russian president Vladimir Putin was answering citizens' questions on the state broadcaster Rossiya 24. The televised phone-in is an annual session in which the president answers questions submitted by citizens.

However, this year's phone-in on Wednesday, which ran for four hours, suffered connectivity problems, particularly when the president was taking calls from remote regions.

"Our digital systems are right now facing attacks, powerful DDoS attacks," a Rossiya-24 presenter informed the Russian President after a caller from the Kuzbass region in southwestern Siberia experienced connection problems repeatedly. 

President Putin responded by saying “Are you joking? Seriously? Turns out we have hackers in Kuzbass.”

Russia’s telecommunications giant Rostelecom confirmed the massive cyberattacks and said that the network was adopting advanced countermeasures to prevent such attacks. It currently remains unclear who was behind the attack, and the channel has shared no further technical details.

Putin’s spokesman Dmitry Peskov told the RIA Novosti news agency that “the origin of the attacks was unclear”. 

In June 2021, the world witnessed an important summit between Putin and US president Joe Biden wherein cybersecurity was one of the main topics on the agenda.

Furthermore, in April 2021, Biden's administration slapped sanctions on the Russian government over the SolarWinds cyberattack that targeted several US federal organizations and more than 100 US private companies.

What is "Sunburst"? A look into the Most Serious Cyberattack in American History

A number of organisations have been compromised by what has been described as one of the most severe acts of cyber-espionage in history, named "Sunburst". The attackers breached the US Treasury, the departments of Homeland Security, State and Defense, and the National Nuclear Security Administration (NNSA), the part of the Department of Energy responsible for safeguarding national security through the military application of nuclear science. While four out of five victims were US organisations, other targets include the UK, the UAE, Mexico, Canada, Spain, Belgium, and Israel.
 
The attack came in the wake of the recent state-sponsored attack on the US cybersecurity firm FireEye. The company's CEO, Kevin Mandia, said in his blog post that the attackers primarily sought information pertaining to certain government customers.
 
FireEye classified the attack as "highly sophisticated and customized"; on the basis of his 25 years of experience in cybersecurity, Mandia concluded that FireEye had been attacked by a nation with world-class offensive capabilities.

Similarly, last Sunday, news that SolarWinds had been hacked made headlines for what is being called one of the most successful cyber attacks yet seen. As the attack crippled SolarWinds, its customers were advised to disconnect the Orion Platform, one of SolarWinds' principal products, which is used to monitor the health and performance of networks.
 
Gauging the scale of the attack, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) described the incident as a "serious threat", while others, speaking on condition of anonymity, labelled it "the most serious hacking incident in the United States' history". The attack is ongoing, and the number of affected organisations and nations will unquestionably rise. The espionage has been called "unusual", even in this digital age.
 
As experts were assessing how the perpetrator managed to bypass the defences of a networking software company like SolarWinds, Rick Holland came up with a theory, "We do know that SolarWinds, in their filing to the Security and Exchange Commission this week, alluded to Microsoft, which makes me think that the initial access into the SolarWinds environment was through a phishing email. So someone clicked on something they thought was benign - turned out it was not benign." 
 
Meanwhile, certain US government officials have accused Russia of being behind these supply chain attacks, while Russia has consistently denied the allegations; the Russian Embassy wrote on Facebook, "Malicious activities in the information space contradicts the principles of the Russian foreign policy, national interests and our understanding of interstate relations."
 
"Russia does not conduct offensive operations in the cyber domain," the embassy added in its post.

UK Finance Body: Beware of Parcel Delivery Scam, Especially During Christmas Season

After months of lockdown, this Christmas season has become even more special, but fraudsters are also beginning to capitalise on shoppers' much-delayed excitement. The banking trade body UK Finance has warned the public about parcel delivery scams, which are becoming more common during the Christmas shopping season.

The trade body said that this Christmas more people across the nation are expected to shop online than ever before, and there is a high chance that con men will take advantage of this.
 
According to intelligence from UK Finance, fraudsters are sending phishing emails purporting to come from genuine delivery companies, claiming that the company has been unable to deliver a parcel, large letter or package, and asking recipients to supply personal and financial information such as their date of birth, address, bank details and mobile number, along with a fee, in order to rearrange the delivery.

It has also been observed that in some cases bank customers then receive a phone call from the fraudsters, posing as their bank’s fraud team, suggesting that they move their money to a "safe account" or reveal their passcodes.

Katy Worobec, managing director of economic crime at UK Finance, said, "We are urging people not to give a gift to fraudsters this Christmas and to follow the advice of the Take Five to Stop Fraud campaign. Criminals will stop at nothing to commit fraud and that includes exploiting the festive season to target their victims".

Steps to Prevent Fraud Campaign:

• People must be vigilant against phishing emails containing fake links, which lead to fake websites that ask them to fill in personal and financial data. These emails may look genuine and trustworthy, but falling for such a scam can cost you far more than you expect.

• People are advised to check delivery notifications carefully to ensure that they are genuine. Criminals copy the patterns that genuine companies use with their customers.

• Customers should always be clear about what they are claiming and should ask the company questions before sending any information or money.

• If one suspects that the company is not genuine, one should contact the company directly before sending any information.

• Last and most important: report the incident and register a complaint on a genuine platform if you have been targeted by any fraud or scam.

US Cybersecurity Company FireEye Hacked by 'Nation-Backed' Threat Actors


On Tuesday, FireEye, one of the leading cybersecurity firms, said that it had been attacked by "highly sophisticated" state-sponsored hackers who stole the company's Red Team tools, which it uses to test customers' security and computer networks. The attack was heavily customised to breach FireEye's systems.
 
The breach underlined the biting reality that even the most advanced security vendors, whose primary business is protecting others from intrusions, can be targeted and hacked. Notably, the attacker mainly sought data relating to certain government customers, using an unprecedented combination of tactics, according to the firm. CEO Kevin Mandia, in his blog post, characterised the attack as highly targeted and of a kind never witnessed before. So far, no customer data appears to have been accessed by the attackers.
 
There has been much speculation about who carried out the attack; the firm has given no clarity about the attackers' origins and is investigating the matter together with the FBI. Mandia did indicate in his blog post that the nation responsible is one with world-class offensive capabilities, as the novelty of the attack speaks volumes about the top-tier capabilities tailored to attacking FireEye.
 
Drawing on his 25 years of experience in cybersecurity, Mr. Mandia further said in Saturday's blog post that this attack was “different from the tens of thousands of incidents we have responded to throughout the years,” and “used a novel combination of techniques not witnessed by us or our partners in the past.”
 
“These tools mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers,” the company said in the filing. “Consistent with our goal to protect the community, we are proactively releasing methods and means to detect the use of our stolen Red Team tools.” 
 
A CISA spokesperson said, "As details are made available we are working to share and implement countermeasures across the federal networks and with our private sector partners."
 
Meanwhile, Mike Chapple, a former NSA official now working as a cybersecurity expert at the University of Notre Dame, said FireEye has had a "ringside seat" for some of the most advanced intrusions carried out globally.

Massive BEC Phishing Ring Uncovered, 3 Nigerian Nationals Arrested

In Lagos, three Nigerian nationals suspected of participating in an organised cybercrime group behind malware distribution, phishing attacks and a massive business email compromise (BEC) ring responsible for scams worldwide have been arrested under “Operation Falcon”, carried out jointly by Interpol, the Nigeria Police Force and the Singapore-based cybersecurity firm Group-IB, according to Interpol.
 
In a business email compromise (BEC) attack, the threat actor hijacks or spoofs email to impersonate an organisation’s CEO, vendors or senior executives, winning the trust of employees and customers and then exploiting it to induce transfers of funds to accounts the criminals control or, in some cases, the transfer of confidential data.
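The impersonation described above leaves traces in the message headers that a mail gateway or SOC script can check before a finance employee ever sees the message. The following is an added example written for this page, not code from Group-IB or Interpol: it parses constructed inbound messages and flags three common BEC patterns, a display name that matches a protected executive but a sending address that does not, a sender domain that is a lookalike of the organisation's own, and a Reply-To that silently redirects replies elsewhere. The company domain `example.com`, the executive directory and the sample messages are all assumptions made for the example.

```python
"""Header checks for BEC-style impersonation (added example, not Group-IB or Interpol code)."""
from email import message_from_string
from email.utils import getaddresses, parseaddr

COMPANY_DOMAIN = "example.com"                             # assumed: our own mail domain
EXECUTIVES = {"dana reyes": "dana.reyes@example.com"}      # constructed directory of protected senders
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]

# Constructed sample messages, one per scenario.
SAMPLES = {
    "legit": 'From: "Dana Reyes" <dana.reyes@example.com>\nTo: ap@example.com\n'
             'Subject: Q3 budget\n\nSee attached.\n',
    "display_name_spoof": 'From: "Dana Reyes" <dana.reyes.ceo@gmail.com>\nTo: ap@example.com\n'
                          'Subject: Urgent wire\n\nPlease process today, I am in a meeting.\n',
    "lookalike_domain": 'From: "Accounts Payable" <ap@examp1e.com>\nTo: vendor@example.com\n'
                        'Subject: Updated bank details\n\nPlease use the new account below.\n',
    "reply_to_hijack": 'From: "Dana Reyes" <dana.reyes@example.com>\nReply-To: <dana.reyes@exarnple.com>\n'
                       'To: ap@example.com\nSubject: Quick favour\n\nAre you at your desk?\n',
}


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character domain typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(domain):
    """Collapse common look-alike character sequences so 'exarnple.com' reads as 'example.com'."""
    d = domain.lower()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def domain_of(address):
    return address.lower().rsplit("@", 1)[-1] if "@" in address else ""


def analyse_headers(raw_message):
    """Return a list of BEC indicators found in the message headers (empty list = clean)."""
    msg = message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    sender_domain = domain_of(addr)

    # 1. display name of a protected executive, but the address is not theirs
    name_key = " ".join(display.lower().replace(".", " ").split())
    if name_key in EXECUTIVES and addr != EXECUTIVES[name_key]:
        findings.append("display-name-impersonation")

    # 2. external domain that is a near-copy of ours (typosquat or homoglyph)
    if sender_domain and sender_domain != COMPANY_DOMAIN:
        if fold_homoglyphs(sender_domain) == COMPANY_DOMAIN or edit_distance(sender_domain, COMPANY_DOMAIN) <= 2:
            findings.append("lookalike-domain")

    # 3. Reply-To pointing at a different domain than From: replies go to the criminal
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        if "@" in reply and domain_of(reply) != sender_domain:
            findings.append("reply-to-mismatch")
            break
    return findings


def analyse_all(samples=SAMPLES):
    return {name: analyse_headers(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in analyse_all().items():
        print(f"{name:20s} {findings or 'clean'}")
```

These checks complement, rather than replace, SPF, DKIM and DMARC enforcement: the display-name and Reply-To cases pass authentication perfectly well because the attacker sends from a mailbox they genuinely control, which is why header-content rules and a second-channel confirmation for any change of payment details are the controls that actually stop the transfer.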
 
The cybercriminals behind the operation ran many of their phishing campaigns under cover stories such as product inquiries, coronavirus aid or purchase orders. According to Group-IB, the primary objective of these phishing attacks was to steal authentication data from email clients, web browsers and FTP clients at organisations based in the UK, the US, Japan, Nigeria and Singapore.
 
As the ongoing investigation continues to uncover other suspects and the monetisation methods employed by the ring, around 50,000 targeted victims have been identified so far. The ring's members allegedly developed phishing links and domains before running mass BEC campaigns that targeted corporations of all sizes. Reportedly, the criminals deployed 26 different malware variants, including remote access Trojans (RATs) and spyware.
 
"They then used these campaigns to disseminate 26 malware programmes, spyware, and remote access tools, including AgentTesla, Loki, Azorult, Spartan, and the nanocore and Remcos Remote Access Trojans," INTERPOL said.
 
"This group was running a well-established criminal business model," Interpol's Cybercrime Director Craig Jones noted. "From infiltration to cashing in, they used a multitude of tools and techniques to generate maximum profits." 
 
“These programs were used to infiltrate and monitor the systems of victim organizations and individuals, before launching scams and siphoning funds,” as per an announcement by INTERPOL. “According to Group-IB, the prolific gang is believed to have compromised government and private-sector companies in more than 150 countries since 2017.”