Search This Blog

Showing posts with label Cyberattacks. Show all posts

Data Being Nuked by Malware Unseen Before in Russia's Courts and Mayors' Offices

 


According to Kaspersky and Russian news source Izvestia, mayors' offices and courts there are being attacked by never-before-seen malware masquerading as ransomware but wiping out data. 

It has been named CryWiper by Kaspersky researchers, which is a nod to the file extensions that are appended to deleted files after they are destroyed. Kaspersky says that its team has witnessed the malware deliver "pinpoint attacks" on Russian targets via a spyware program. On the other hand, the Izvestia newspaper reported that the targets of the attack were the office of the mayor and the court of the city. 

There was no immediate word on how many organizations were affected, how the malware managed to erase data, or whether data was successfully erased at this time. 

During the past decade, wiper malware has grown in popularity and become increasingly common. A virus called Shamoon was discovered in 2012 and caused havoc for companies named Saudi Aramco and RasGas of Qatar. In Saudi Arabia, Shamoon was again reworked four years later, and a version of the malware that was used to attack multiple organizations was introduced. There have been an approx. $10 billion of damage by the self-replicating malware dubbed NotPetya that spread across the globe within hours and has affected hundreds of thousands of computers worldwide. 

The past year has seen a slew of updated wiper blades emerge. Some examples include DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, Industroyer2, and ransom. 

It has been reported by Kaspersky that the company has discovered recent attacks carried out by CryWiper. A note was left after the malware had infected a target. The message reportedly demanded 0.5 bitcoin and included the wallet address for payment. 

The results from Kaspersky's analysis of a sample of malware indicate that although this Trojan disguises itself as ransomware and extorts money from the victims for 'decrypting' their data, it does not encrypt data, but destroys it on purpose on the affected computer, according to the report from Kaspersky. A study of the Trojan's code showed that this was not a mistake made by the developer, but something that he had planned to do originally.

There are some similarities between CryWiper and IsaacWiper, which targeted organizations in Ukraine as part of its campaign. These two types of wipers are composed of pseudo-random numbers that are then used to corrupt targeted files by overwriting the contents of these files. There is a set of algorithms known as the Mersenne Vortex PRNG, these algorithms are rarely used, so the commonalities within these algorithms are striking. 

A unique characteristic that CryWiper shares with other ransomware families is its close connection with Trojan-Ransom.Win32.Xorist and Trojan-Ransom.MSIL.Agent. In particular, all three ransom notes contain the same email address. 

While analyzing the sample of CryWiper, Kaspersky discovered that it was a 64-bit Windows executable file. A C++ version of the software was written and compiled with the MinGW-w64 toolkit and the GCC compiler using the MinGW-w64 data set. 

Using Microsoft Visual Studio for malware that is written in C++ is quite unusual. This is because it is more common for malware written in C++ to use Microsoft Visual Studio for that purpose. 

This could have resulted from a choice to allow developers to port their code from Windows to Linux without going through a third-party compiler. 

Due to the large number of API calls that CryWiper makes to the Windows programming interface, it seems unlikely that this is the cause of the problem. In most cases, the developer who wrote the code was probably using a non-Windows device while writing the code. 

An attack that succeeds in wiping out a network often exploits the poor security of the network. Network engineers are advised by Kaspersky to take precautions by using the following tools:

  • A behavioral analysis-based endpoint protection solution is based on the analysis of files. 
  • When an intrusion is detected, security operations centers are responsible for managing detection, response, and taking action to resolve the problem.
  • Detects malicious files and URLs in your email attachments and blocks them to ensure that your mail is safe. Using such a system will make it much more difficult for attack vectors such as email attacks, which are the most common. 
  • Ensure that regular penetration testing and RedTeam projects are conducted. Identifying vulnerabilities in infrastructure and protecting them will help to reduce the attack surface for intruders, which in turn reduces the attack surface of the organization. 
  • Analyzing and monitoring threat data. There is a need to maintain up-to-date knowledge about the tactics intruders employ, the tools they use, and the infrastructure they use to detect and stop malicious activity promptly. 

There is no doubt that wiper malware is likely to continue to spread over the coming months. This is given Russia's invasion of Ukraine and other geopolitical conflicts around the world. 

According to the report by Kaspersky on Friday, "in many cases, wiper attacks and ransomware incidents are caused by weak network security, and it is critical to make sure that these security measures are strengthened." The firm also stated that it could be assumed that the number of cyberattacks, as well as those using wipers, will grow, in large part because of the unstable situation around the world.

The Professionalization of Cybercrime: Exploits and Experts


Your adversaries are doing exactly, what you are doing in terms of keeping up with the latest news, tools, and thought leadership. This will enable them to defend your organization against cyber criminals. Their efforts mainly focus on networking on forums, evaluating the latest software tools, interacting with potential buyers, and searching for ways to outsmart your security systems. 

Considering their capabilities reveals that they can outmaneuver well-funded security teams and corporate security tools, especially when compared with legacy solutions such as signature-based antivirus solutions. As a result, several security operation centers (SOCs) fail to prioritize the real threats but instead waste their time and energy on solving problems that, realistically, they will never be able to address at scale. 

To effectively defend against cyberattacks, security experts need to move beyond the mental image they tend to associate with the lone hooded figure sitting in a dimly lit basement where cigarette smoke seeps from a filthy ashtray. Consider the state of cybercrime in the modern world as it stands today: strategic, commoditized, and collaborative (especially in a world where there is money to be made). 

Every attack is backed by strategic intent

Every time a piece of malware is released, there is a purpose for it. There is always a plan for what the malware will do. First and foremost, cybercriminals spy on your environment to gain access to it. They are looking for something they can steal and potentially re-sell to another person or organization. Once an attacker gains access to your environment, they quickly recognize the value that can be accessed as soon as they become aware of it. This is even if they do not know what they may do with it.

During reconnaissance, these attackers may exploit misconfigurations or open ports. This is often facilitated by the known CVE databases and free network scanners, which make this task easier. There is also a possibility that a breach can be facilitated at the beginning by stealing the credentials of a user to gain access to the environment. This process can sometimes be a lot simpler than identifying assets later. 

Cyber weapons' black market is maturing at a rapid pace


There is an underground marketplace managed by cybercriminals that have developed over the years. The evolution of tools from relatively inexpensive and low-tech products to more advanced capabilities that are delivered using business models familiar to legitimate consumers, such as software as a service (SaaS), has helped improve their accessibility to legitimate consumers. The commoditization of hacking tools is a phenomenon that threat hunters have been experiencing recently. 

There was a time when phishing kits, pre-packaged exploits, and website cloning tools were very common and used by several people. This tool is designed to simulate the login pages used by many websites for authentication purposes. For example, Microsoft Office 365 or Netflix has been pretty effective at collecting passwords from the user for many years. There has been a considerable amount of response to this type of activity over the past 20 years. This response includes pattern recognition, URL crawling, and the sharing of threat intelligence tools. Through tools such as VirusTotal, it has become almost instantaneous for data on malicious files to be shared with the security community. This is within a few days of discovery. As a result, adversaries have adapted to these conditions and are well aware of their presence.

Phishing: A New Methodology 

By taking advantage of the rise of multi-factor authentication (MFA), today's adversaries have also been able to steal the verification process to benefit their activities. 

The EvilProxy phishing scam is a new type of phishing scam that has emerged. In the same way as previous kits, this kit mimics the login page on the user's website to trick them into providing their login credentials. In contrast to the one-off purchases of phishing kits of the past, these updated methodologies are sold by companies specializing in access compromise and operate via a rental model where the company rents out space on its server to conduct fraud campaigns. 

This company hosts a proxy server that works similarly to a SaaS model in terms of how it operates. To access the service for ten days, it costs about $250. It enables SaaS providers to earn more money, as well as gives them the possibility to analyze the information they collect. This will make them able to publish it on forums for hackers. In this way, they will be able to market their products and compete against other sellers who sell similar products. 

As part of the redesigned model, several built-in protections are included to protect the phishing environment against an uninvited visitor. To prevent web crawlers from indexing their sites, they implement bot protection to block crawlers. As well as using nuanced virtualization detection technology to ward off reconnaissance teams using virtual machines (VMs), the security operations team also relies on automation detection to avoid security researchers crawling their kit websites from different angles by using automation detection. 

A scenario is known as "Adversary in the Middle" 


Serving as a reverse proxy to authenticate login page content created by bypassing MFA presents several problems for detecting phishing attacks. Using the reverse proxy server, the adversary can acquire access to sensitive information such as the username, password, and session cookie. This information was previously set by MFA between the user and the target website. By replaying the session, the user can then access the website and assume the role of the user at the destination they are visiting. 

At first, everything appears normal to the user. A cybercriminal can create the impression that the website is authentic by using slight variations in the names in the URLs. This will disguise the fact that everything works as it should. As a result, they have gained unauthorized access through that user. After gaining unauthorized access to the website, they may be able to exploit it or sell it for profit to the highest bidder. 

What is the business model of the adversary? 

Malware is being sold illegally over the Internet, and new phishing techniques are also. The malware is sold in a gray area, near the line between legal and illegal. It is one of many companies offering security software like BreakingSecurity.net, which aims to provide enterprises with remote surveillance tools. 

The price point associated with each malware is intended to motivate it to achieve some results. The results of these attacks have a clear business intent in mind. This is whether it's stealing credentials, generating cryptocurrency, requesting a ransom, or gaining spy capabilities to snoop around a network's infrastructure to steal information. 

Today, developers of these tools have partnered with buyers through affiliate programs to create a connection between these two parties. The affiliate marketing scheme functions very similarly to a multi-level marketing scheme. The affiliate will be told to come to the affiliate company when they have an affiliate product that they wish to sell. They will even give them product guarantees and 24/7 customer support if they decide to split profits with them. By doing so, they can build a hierarchy and scale their business.

Trojan Apps Stole Facebook Credentials From Over 300,000 Android Users

 


In the aftermath of the chaos caused by Schoolyard Bully Trojan, a new malware program for Android phones, more than 300,000 people in 71 countries have been affected. 

This malware is mainly intended to steal Facebook credentials from unsuspecting users. It is disguised as legitimate educational applications designed to trick users into downloading the malware without realizing that they are doing so. 

This week, it was announced that the apps had been removed from the official Google Play Store, where they had been available for download. However, it is still possible to download them from third-party app stores. 

According to Zimperium researchers Nipun Gupta and Aazim Bill SE Yashwant, this trojan uses JavaScript injection to steal Facebook credentials. The method by which it achieves this is by launching the Facebook login page within a WebView, which also includes malicious JavaScript code that encrypts and exfiltrates the user's phone number, email address, and password, which are then forwarded to one of the command-and-control (C2) servers in just one click. 

It is important to note that the Schoolyard Bully Trojan also uses native libraries to avoid detection by antivirus software, such as "libabc. so", for example. 

Aside from Vietnamese-language apps, the malware has also been detected in several other apps from over 70 countries, underscoring the global scope and scale of the problem. 

In a campaign codenamed FlyTrap, Zimperium discovered similar activity in the past year. This involved rogue Android apps delivering spam messages that intended to compromise Facebook accounts through Twitter accounts and Instant Messages. 

In a recent report by Zimperium, Richard Melick, director of mobile threat intelligence at Zimperium, stated that hackers have the potential to wreak havoc if they steal Facebook passwords. It becomes effortless for phishers to exploit friends and other contacts if they can impersonate someone from their legitimate Facebook account. Consequently, they can be tricked into sending money or sensitive information to fraudsters. 

The users' tendency to reuse the same passwords makes them more vulnerable to being attacked by an attacker who can more easily acquire their Facebook password. 

This is to access banking or financial apps, corporate accounts, web browsing, etc. If someone steals one's Facebook password, there is a high likelihood that the same password will also work with other apps or services. 

Social media has become popular with each sector and age group. With a rapidly growing number of social media users, caution while using social media should also be increased. There are several cyber-attack cases where malicious actors attacked the victim’s social media to steal sensitive information. Social media is a necessity in current times, so to use it without being a victim, you need to protect your social media from such attacks. There are some points you can follow: 
  • Prefer using stronger passwords.
  • Use different passwords for different platforms.
  • Enable two-step authentication security.

Malware and Trojans on Android: How to Avoid Them

As a first step, you should avoid installing apps from unofficial app stores and unknown sources. This will prevent your Facebook and other credentials from being stolen by hackers. The ability to sideload apps is one of the perks of using an Android device, but if caution is not exercised, it may result in harm. 

It is also wise to ensure that Google Play Protect is enabled on your Android device. This app can scan newly downloaded apps and other installed apps for malware. Aside from this application, you can also consider using one of the most effective Android antivirus applications to provide additional protection. 

Additionally, before updating any apps on your device, you must be mindful. While Google ensures that the apps it uploads to the Play Store are free of malware and viruses, it is still possible for malicious apps to creep their way into the store. To avoid this, it is recommended to read external reviews of an app before you decide to install it. You can also look at the app's developer before downloading it. 

A Trojan horse, Schoolyard Bully, was prominent on the Internet over four years ago. During that time, it was successful in stealing over 300,000 user credentials from users who were infected with it. Therefore, it is probable that cybercriminals will continue to use Trojan computers to steal passwords and account information from unsuspecting users as long as they continue to exist. 

Researchers Updated Twitter Data Breach as “More Harmful” Than Reported


Last year, Twitter exposed more than five million phone numbers and email addresses following a massive data breach. The research team of 9TO5Mac has been provided with evidence that suggests the same security vulnerability was exploited by multiple threat actors at the same time. Additionally, several sources have advertised the availability of the hacked data on the dark web for sale as well. 

This vulnerability was first reported back in January by HackerOne. Using this tool, anyone could enter a phone number or e-mail address and then find the Twitter account associated with that number or email address. A Twitter handle can be easily converted into an internal identifier used by Twitter, even though it is an internal identifier utilized by Twitter. 

In reality, a threat actor would be able to construct a single database that would contain Twitter handles, email addresses, and phone numbers accumulated from the web. 

When Twitter released an announcement in May, it confirmed that the vulnerability existed and had been patched, but it did not mention that anyone had exploited it. 

According to the restoration privacy report, a hacker had indeed used the vulnerability to gain access to millions of accounts around the world. He had gotten access to personal information as a result. 

There has been a massive breach of Twitter data, and not just one

In a Twitter thread yesterday, there was a suggestion that some threat actors had accessed the same personal data in more than one way. Having seen evidence of multiple breaches, 9to5Mac can now verify that this is indeed the case. 

The security researchers explained that, in a previous report, they had seen a dataset that contained the same information in a different format, and the source told researchers that it was "definitely a different threat actor." This was just one of several files that they had seen. The researchers at 9TO5Mac found that the dataset was just one of several similar files. 

The majority of the data is based on Twitter users in the UK, most EU member countries, and several US states. 

Essentially, the setting the security researchers are referring to here refers to a setting that is quite deeply buried within the settings of Twitter. This setting appears to be on by default if you open Twitter's settings. 

An estimated 500k record was downloaded within one hour by the bad actors, it has been reported. On the dark web, multiple sources have offered this data for sale for a price between $5,000 and $10,000. 

It has been reported that a security expert's account has been suspended after tweeting about it. There was also another security specialist whose Twitter account was suspended the same day. Chad Loder, a well-recognized computer security expert, predicted Twitter's reaction within minutes of it being announced and it was confirmed by other experts. 

There is evidence that multiple hackers have obtained the same data and combined it with other data sourced from other breaches to steal the information.

German Citizen Suspected of Major Fraud Arrested by Greek Police

 


In a police announcement on Thursday, Greece police arrested a 35-year-old German citizen who has been charged with four cases of fraud and cybercrime, out of which three cases are from Germany and one International. The fraud was more than 1.4 million euros. 

On Wednesday, the man arrested for the fraud cases was stopped at Thessaloniki airport in Northern Greece. Later he was taken into custody in the afternoon on a European Arrest warrant and was arrested on Thursday, though police did not reveal his name. 

After further analysis, on Saturday, the organized division of crime and human trafficking of Thessaloniki police found 1,000 photos and videos of child pornography in the mobile of the suspect. The study also revealed that he was accused of leading a gang that included persuading the targeted people to invest large amounts of money. The fraudster made attractive promises of giving good returns. Later the invested amount was distributed to a Europe-wide network. 

The man was also charged with impersonating a police officer while checking into the hospital in a police uniform that was later found in his house. 

While investigating his house, his mother showed the police an ID of a German police officer. She claimed that he was associated with a specific unit investigating networks of pedophiles. After further analysis, the ID was found to be fake, and “the man” had to face a Greek prosecutor in next week for impersonating both a German and Greek police officer. 

On investigating his house and car, police found two license plates with numbers that belong to German state vehicles. Of those two license plates, one was fake, and along with it, fake payment statements of salary from German state authorities were also found. 

The report also mentioned that the fraud was not limited to only Germany, the gang has approached their targets through email and telephone from all across the globe. 

After analyzing the charges on the suspect, he has been convicted of 10 years in prison in Germany for the fraud of 1.4 million euros. According to authorities, the gang has defrauded at least 1,440.991 euros from its victims.

Ransomware Group DEV-0569 Exhibits Remarkable Innovation, Microsoft Issues a Warning

 


There are many types of ransomware and they generally start with spam and then move to infect the system with ransomware. 

As per a report published by the computing giant this week, the DEV-0569 cyberattack group, tracked by Microsoft Security Threat Intelligence, has been spotted enhancing its detection, detection evasion, and post-compromise payloads as it continues to advance its detection capabilities. 

A specific characteristic of DEV-0569 is that it uses malvertising and phishing links in spam emails and fake forum pages to convince the recipient to download a malware downloader masquerading as a software installer or update, the Microsoft researchers added. 

As a result of the group's innovations in just a few months, the Microsoft team was able to observe the group's actions. These included hiding malicious links in contact forms and burying fake installers on legitimate download sites. They also used Google ads to mask the group's malicious activity through their advertising campaigns. 

The Microsoft team explained that the malware payloads for DEV-0569 are encrypted and delivered as signed binaries, according to their report. In recent campaigns, the group has also been seen to use the open-source tool NSUDO in an attempt to disable antivirus solutions, as the group is well-known for relying heavily on defense evasion techniques to get around defenses. 

DEV-0569 has proven successful, and Microsoft Security described the group as a platform where other ransomware operations can use DEV-0569 as an access broker. 

Cyberattacks: How Ingenuity Can Counter Them 

Apart from the new tricks, Mike Parkin, senior technical engineer at Vulcan Cyber, notes that the threat group effectively adjusts its campaign tactics along the edges. Despite this, they depend on users making mistakes during the process. The key to ensuring a successful defense program is to educate the user, according to Mike Parkin. 

Dark Reading reports that the phishing and malvertising attacks reported here entirely depend on the user interacting with the lure to make the attacks successful. As a consequence, when the user does not interact with the system, there is no security threat. 

According to Mike, Security teams need to keep an eye on the latest exploits and malware being deployed in the wild to stay ahead of the game, alongside a certain level of user awareness and education is necessary for the user community to become a solid line of defense instead of being the main attack surface. 

Controls in IAM are important 

IAM controls are an important part of RSA's identity and access management (IAM) team recommendations, according to Robert Hughes, RSA CISO. 

Despite the inability to prevent malware at the human and endpoint level, strong identity and access governance can assist in controlling the spread of malware. This can limit its impact. For instance, Hughes says that it is possible to stop authorized individuals from clicking a link or installing software that they are authorized to install. This is done by preventing them from clicking on a link. Having your data and identities protected from ransomware attacks will help to mitigate the damage that could be caused by such attacks in the future - and it will also make it easier to re-image your endpoints when it comes to resolving the issue. 

As Phil Neray of CardinalOps confirms, we are on the right track. According to him, security teams must also focus on minimizing the fallout after a hacker successfully downloads and executes a ransomware attack. This means that techniques like malicious Google Ads are tough to defend against.

"For instance, if this is the case, Neray recommends making sure the SoC is capable of detecting suspicious or unauthorized behavior, such as privilege escalation and the use of remote management and admin tools like PowerShell that live off the land," Neray says.

Medibank Data Breach: Hackers Threaten to Release Data Within 24 Hours


Australian health insurance company, Medibank announces that it would not be fulfilling the ransom demands of the threat group or individual involved in the mid-October data breach. The insurance company confirmed this less than a day after the breach. The threat actor, claiming to have possession of the data is now threatening the company to release it within 24 hours if the ransom demand is not made. 

A day before this announcement, on November 7, Medibank confirmed that its 9.7 million current and former customers had their basic personal data accessed by hackers. The victims include 5.1 million Medibank customers, 2.8 AHM and 1.8 million international customers. 

The accessed data involved victims’ names, date of birth, addresses, phone numbers and email addresses. 

Medibank adds that along with the personal information, the hackers had access to the health claims data for 16,000 of its customers, 300,000 AHM customers and 20,000 international customers.

For the first time, Medibank confirmed they believed that the data was not just accessed but could have been taken by the criminal or criminals involved. The health insurer yesterday said it would not pay any ransom to the hackers. Medibank made a public statement, refusing to be paying the ransom demand. 

In the message, the supposed hacker quotes Confuscious, implying Medibank is making a "mistake" by not paying the ransom. The malicious actor then said that they would release the data within the next 24 hours, and advised readers to "sell Medibank stock". 

Around midnight, the threat actor or group posted a ransom demand to its dark web blog, “data will be public [sic] in 24 hours.” “P.S. I recommend to sell Medibank [sic] stocks,” the post further read. 

By the close of trade on Tuesday, the insurance company’s shares went down by 21 percent from AU$3.51 to AU$2.78 in the last three weeks, following the announcement of the data breach. 

Medibank called the threat to release the data “distressing developments.” 

Following the data breach, David Koczkar, CEO of Medibank, apologized to those affected, saying that "We unreservedly apologize to our customers. We take seriously our responsibility to safeguard our customers and support them. The weaponization of their private information is malicious, and it is an attack on the most vulnerable members of our community."  

After the threat surfaced, Medibank contacted its customers, warning them of possible scam and direct phishing attacks. The company also urged all those who were victims of cybercrime or had been contacted by someone claiming to have their data to report it to the Australian Cyber Security Centre. 

Moreover, Medibank continues to work with the Australian Government, along with the Australian Cyber Security Centre and the Australian Federal Police to investigate the cyberattack and prevent the leak and selling of its customer's stolen data.  

Vulnerabilities in Software Supply Chains Must be Re-valuated

 


The year ended in fine style for many IT teams as 2021 came to a close. However, they were caught off guard just before the holiday season by an unpleasant surprise. 

Hundreds of servers around the globe are susceptible to a vulnerability in Log4Shell, which requires urgent remediation. Consequently, the experts froze their leaves and returned to the scene to check the position of the band-aid after freezing their leaves. 

In the wake of this vulnerability, many organizations are still working to gain peace of mind. The company wants to make sure that this vulnerability, which affects so many segments of today's modern information technology infrastructure, is not lurking somewhere in its systems. 

This is because it affects Java enterprise applications often used in small and medium-sized companies. Another surprise is just around the corner this holiday season when it comes to this vulnerability. 

Among the challenges is finding the most appropriate place to apply a patch or repair the loophole to fix the problem. It is estimated that more than 35,000 Java packages, or 8% of all Java packages in the Maven Central repository, may have been affected by the Log4Shell problem. This is based on some calculations. 

With the sheer volume of third-party code that modern IT systems rely upon today, even outside of Java, it is easy to imagine the kind of headaches that IT teams face in dealing with today's complex IT systems. The problem is that we have too much to sort through to come up with a solution. If you do not see the problem, you can not fix it. 

It is estimated that approximately 40% to 80% of the lines of code in software today come from third parties, such as libraries, components, and software development kits (SDKs) that are provided by third parties. Gartner's research determined that by 2025, 45% of organizations around the world will have experienced attacks on their software supply chains. This is a threefold increase over what was seen in 2021, according to a report by Gartner, a company specializing in information security research. 
 

The Need for More Automation and Visibility Must be Addressed 


Currently, an industry has been built around cyberattacks. Currently, this industry has numerous specialists waiting on the Dark Web. These specialists can play specific roles in a ransomware attack, from crafting the phishing message to collecting the ransom in the case of a ransomware attack. 

In a world where malicious actors have been developing such intricate supply chains and weaponizing malware as a tool for criminals, businesses should step up their game if they want to maintain a competitive edge in their software supply chains. 

A tool that can improve automation within their IT systems as well as provide them with visibility into their IT systems is what they need to provide the level of service they currently provide. Essentially, this means that they will be able to find vulnerabilities in their software supply chain more easily, instead of manually searching for such vulnerabilities. 

A software supply chain has so many parts that it can be quite intimidating. If we were to narrow it down to Java software specifically, here are some of the features to keep an eye out for: 

• An application-level vulnerability assessment can be performed continuously without the need to obtain source code to assess visibility at the application level. A Java-specific CVE database is used to compare code against the CVE database that is run against Java. 

• It is critical to ensure that false positives are avoided by monitoring code executed by the Java runtime (JVM) and building accurate results that are not detected by traditional tools. 

• Performance transparency: By adding additional agents to the production system, we avoid performance degradation caused by overheads that are added to the machine. There should be a way to run a solution without any agents being involved. 

• The tool must perform thorough checks to ensure that it works on all versions of Java software installed on users' computers. This is to avoid missing any loopholes that may exist. 

Traceability history: Establish a history of the components and code used so forensics efforts can concentrate on finding vulnerable code that led to exploits so that forensic efforts can focus on determining what caused the exploit. 

Adapting to an uncertain environment 


As IT environments become more complex, businesses need to be able to observe more of what is going on and increase automation as required. There is no possibility of using manual labor in the future. During production, a piece of software that is running in production daily needs to be closely monitored and observed at a high level. As the supply chain of software becomes more and more complex, malicious actors are increasingly seeking a way to gain access to victims' systems by digging deeper into them. 

Cyberattackers have come up with new ways to penetrate software supply chains, not just through the Log4Shell issue. This vulnerability was classified as one of the most serious software vulnerabilities in history by the United States Department of Homeland Security, but also through various other creative approaches. Their attacks are also somewhat more brazen in the way they do so, as well as in the way they mount them. 

Users of MiMi, a Chinese messaging app whose version was spiked with malicious code earlier this year, have seen a fake version of it being served to them. Depending on how the software is configured, this could allow an attacker to remotely control the program. As a result, the spies could see what the users were chatting about during their chat sessions. 

One of the most remarkable things about this attack was the fact that the attackers somehow managed to gain control over the servers on which the app was delivered to the users. As a result, the attackers added code to the app, removed the original version, and tricked victims into downloading and installing it without their knowledge. 

There is no doubt that this was not a Java-based issue, however, it demonstrates how dangerous software supply chain vulnerabilities have become in the past few years, as well as just how challenging it is to stem the tide of attacks such as this. 

The issue of trust is also one that needs to be taken into account. The majority of digital services today rely on several third parties to provide them with services, ranging from open-source repositories, where attackers can plant malicious code, to packaged apps that are installed by enterprises on their devices. 

This is the background against which businesses have to adopt a smarter approach if they wish to ensure that their digital communications efforts do not go astray. They must also be careful not to encumber themselves with excessive security measures that are too onerous and do not benefit the customer's experience at all. 

To become more agile, companies must look for streamlined solutions that can detect threats automatically as it will enable them to maintain the competitiveness they need.

7 Minutes a Day, Malicious Cyber Criminals Strike, Here's How to Defend

 


There has been an increase in malicious cyberattacks targeting Australian businesses over the last few years. As a result, these businesses are being advised to raise their standards when protecting customer information. 

In a new report published by the Australian Cyber Security Centre (ASCS), it has been found sophisticated state and criminal actors are striking more frequently, with a cyber crime being reported every seven minutes, according to the paper. 

In the wake of the "concerning" report that was released by the Department of Homeland Security, Cyber Security Minister Clare O'Neil put businesses on notice that they will need to handle the cyber data of their customers more securely and effectively. 

During the past financial year, the Cyber Security Agency received over 76,000 reports from the community about cyber-related issues, which was a 13 percent increase from last year's number. 

The number of publicly reported security holes also increased by 25 percent over the previous year. 

An estimated $100 million has been lost by Australians with compromised email systems. This amounts to an average of $64,000 in compromised emails reported to the authorities, each time.

Fraudulent emails are sent by scammers who send emails purporting to be businesses to solicit payments. For example, a real estate agent will ask for a deposit on a property. 

Richard Marles, the Deputy Prime Minister, has said that everyone needs to be more alert to possible threats. 

"In comparison to cyberspace, the environment in which we live is much more challenging. Although there are many pickpockets around, this appears to be happening at an unprecedented level," he told ABC radio station. 

Keeping yourself safe does not have to be complicated. There are several simple steps anyone can take to do so. 

The measures include not clicking on links in text messages or emails that are not marked as such, ensuring that their software is up-to-date, and taking additional care when dealing with their data. 

In a recent interview, Marles said the government was investing heavily in the cybersecurity sector. In response to this, the company updated its systems and considered a public education campaign. 

There has been a study that suggests small businesses lose on average $39,000 as a result of cyberattacks, and the figure reaches $88,000 for medium-sized businesses as a result of these attacks. 

It has been reported that the average loss was $112,000 in Western Australia and $26,000 in the Northern Territory, according to the Australian Bureau of Statistics. 

As per the NSW government, the average loss was almost $70,000, and the losses in all other states and territories were between $50,000 and $50,000 on average. 

Cyber incidents affect about a third of the total number of computers in the state and Commonwealth of Australia, with the Commonwealth and state governments at risk. 

As a result, the next big target was healthcare systems. This is mainly because cybercriminals are targeting vulnerable businesses that are more likely to pay a ransom when they want their data back. Therefore, health systems are the ideal next target. 

Abigail Bradshaw, the agency's director, said that cyber threats are continually evolving and that they are more frequently targeting the country's critical infrastructure, which is becoming more widespread. 

As a result of the program, more than 24 million malicious domain requests have been blocked. In addition, 29,000 attacks on Australian services have been taken down. Furthermore, 185 ransomware movements have been stopped, which represents an increase of 75 percent. 

Besides this, the agency was also involved in five successful operations, which included the shutdown of online criminal marketplaces as well as foreign scam networks. 

How to protect yourself 


As part of its recommendations, the ACSC urges individuals to take steps to protect themselves from cybercrime. 

  • Information that is critical to the organization should be protected by updated devices 
  • Turn on multi-factor authentication to make the system more secure 
  • Make sure that you regularly back up your devices 
  • Passphrases should be set up to ensure their security 
  • You should report scams and keep an eye out for threats if you come across them

Australian Department of Defense Hit by Cyberattack


Department of Defense Suspects Cyberattack

The Department of Defence is afraid that the personal information of personnel, like DoB, may have been breached after a communications platform used by the military suffered a ransomware attack. 

Hackers attacked the ForceNet service, which is operated by an external information and communications technology (ICT) provider. 

The organisation in the beginning told the Defense Department no data of former or current personnel was breached.

Defense says personal info not stolen 

However, the Department of Defense believes that personal details like the date of enlisting and DoB may have been stolen, despite initial hints being contrary to what the external provider is saying. 

In a message notification to the staff, the defence chief and secretary said the issue is being taken "very seriously."

There has been a series of cyberattacks in recent times, from health insurance companies to telecommunications.

Cyberattacks on rise in recent time

Medibank earlier this week confirmed a criminal organization behind a cyber attack on its company had access to the data of around 4 million customers, some of these consist of health claims. 

In September, Optus said a cyberattack had leaked the data of around 10 Million Australian users, with a considerable amount of information stolen from around 2.8 million people.

Minister for Defense Personnel Matt Keogh ForceNet kept upto 40,000 records, saying "I think all Australians, and rightly the Australian government, is quite concerned about this sort of cyber activity that's occurring, people seeking through nefarious means to get access to others' personal data."

ForceNet involved, however IT department safe

In the email to the staff, the Defense Department was confident that the hack of ForceNet was not targeted at the IT systems of the department. 

It said "we are taking this matter very seriously and working with the provider to determine the extent of the attack and if the data of current and former APS [Australian public service] staff and ADF personnel has been impacted. If you had a ForceNet account in 2018, we urge you to be vigilant but not alarmed."

Earlier talks with the service provider hint that there is no substantial proof that data of former and current ADF Personnel and APS staff personnel have been breached. 

It said, "we are nevertheless examining the contents of the 2018 ForceNet dataset and what personal information it contains."




The TommyLeaks and SchoolBoys Ransomware Gangs Share a Common Enemy

 



New extortion gangs, TommyLeaks and SchoolBoys, have emerged out of China attacking companies around the world with dangerous extortion threats. Even though they are both connected, there is one catch - both are part of the same ransomware gang. 

Earlier this month, security researcher MalwareHunterTeam warned of a new extortion gang called TommyLeaks that was trying to extort companies. 

As a result of the hacking group's activity, companies claim it has breached their networks, stolen data, and demanded a ransom not to leak this data. In a recent report, BleepingComputer reported that ransom demands ranged from $400,000 to $700,000. 

MalwareHunterTeam discovered yet another ransomware extortion gang in October, dubbed 'SchoolBoys Ransomware Gang'. They claim to use ransomware to steal data from victims and encrypt their devices as part of their attacks as part of their ransomware extortion campaigns.

Threat actors steal data during their attacks. However, as of yet, no site with public data leaks is known to have been used by threat actors to leak that data. 

Even though there was nothing that connected the two groups at the time, they both used the same Tor chat system to negotiate over the privacy of their members.

What is even more suspicious about the use of this particular chat system is that it had only ever before been used by the Karakurt extortion group.

BleepingComputer reported this week that TommyLeaks and SchoolBoys Ransomware Gang are both part of the same extortion group called the SchoolBoys Ransomware Gang, also called TommyLeaks.

During a SchoolBoys negotiation chat that BleepingComputer saw, the threat actors appeared to address their victim as TommyLeaks in their attempt to coerce a ransom payment from him. 

Even though it is not entirely clear why they are using two different names as part of their operation, they may be trying to take a similar approach to Konti and Karakurt in terms of the operation. 

As previously reported by BleepingComputer, AdvIntel CEO Vitali Kremez has revealed that Karakurt is a member of the Conti cybercrime syndicate and a member of the DefConti crime family. 

During attacks on Conti's ransomware encryptor, the malware's hackers blocked Conti's encryptor. They then extorted the victim using data that was already stolen under the Karakurt name rather than the Conti brand to gain access to the data. 

To take it one step further, as the TommyLeaks/SchoolBoys group uses the chat system as Karakurt, we may be seeing a rebrand of the Conti offshoot into these newer brands.

While it is too soon to tell if this is what is occurring, the extortion group is one that enterprises need to keep an eye on as they are targeting entities of all sizes.

Mewat: The New Cybercrime Hub in India

 

The Mewat region, situated between the Rajasthan and Haryana states of India is emerging as the new cyber fraud hub in India. 
 
After Jamtara, the infamous hotspot for cyber fraud cases where the young fraudsters involved in the racket would acquire SIM cards, open bank accounts, and dupe victims by posing as bank officials or representatives of telecom service providers, Mewat fraudsters have turned up with more malicious ways to dupe the online victims. 
 
Apparently, the Mewat fraudsters leverage sextortion, a blackmail category of cybercrime, as a weapon in order to deceive victims. 
 
The scammers target online victims while posing as young women, engaging them in conversations, and enticing the targets into sharing sexually explicit images. The scam is then followed by victims being threatened to leak the shared images unless paid.  
 
On being asked about the case's method of operation, Yusuf, one of the suspects held for the charges of sextortion revealed his gang's modus operandi. 
 
“It starts by writing a ‘hi’. He (the target) would usually ask about a video call. I’d do the video call. He’d be lured into going explicit. The woman on the phone does the same,” Yusuf says. 
 
On being asked about the ‘woman', Yusuf tells the investigating officer “It’s (actually the video) on the other phone. That device is placed right under the back camera of my phone, with a video of a woman playing over. It’s like a web call.” 
 
Reportedly, a phone on the other side uses screen recording software in order to capture the events. The victims are then threatened, and if they comply, the money is typically credited into a third party's account. 

In another cyber fraud case, a suspect was held for duping online victims via digital marketplaces.  
 
The scammer, Rahul Khan explains his fraud tactics as: Advertising expensive products for sale at deep discounts on online marketplaces such as OLX, claiming to be certain defence personnel, and fabricating a plausible story about distress. 
 
With the stats going higher in recent years, India recorded a total of 52,974 cases of cybercrime in 2021, up from 50,035 in 2020, 44,735 in 2019, and 27,248 in 2018.  
 
As per a report by the National Crime Records Bureau, nearly 60 percent of similar cybercrime cases were witnessed, pertaining to fraud followed by sexual exploitation (8.6 percent) and extortion (5.4 percent) in 2021.

Phishing Scam Targeting American Express Customers

Armorblox security researchers discovered a brand new phishing campaign targeting American Express customers. Threat actors sent emails to lure American Express cardholders into opening an attachment and trying to get access to their confidential data and their accounts. Also, the hackers created a fake setup process for an “American Express Personal Safe Key” attack. 

The emails sent by hackers to customers urged them to create this account to protect their system from phishing attacks. Once you click the given link, it takes you to a fake page that asks for private data such as social security number, mother's maiden name, date of birth, email, and all American Express card details, including codes and expiration date. 

Additionally, the group of threat actors crafted the counterfeit webpage smartly to resemble the original American Express login page, including a logo, a link to download the American Express app, and navigational links. 

“The victims of this targeted email attack were prompted to open the attachment in order to view the secure message. Upon opening the attachment, victims were greeted with a message announcing additional verification requirements for the associated account. The urgency was instilled within the victims through the inclusion of the language, “This is your last chance to confirm it before we suspend it”, and a prompt for victims to complete a one-time verification process that was needed as part of a global update from the American Express team,” Armorblox security blog reads. 

Armorblox security researchers further added in their blog that, the hackers try to create a sense of urgency within the victim's mind that the sent email is essential and should be opened at once. Once the customer opens the link, the email appears as a legitimate email communication from American Express. 

“The language used within this attachment evoked a sense of trust in the victim, with the inclusion of the American Express logo in the top left and a signature that made the message seem to have come from the American Express Customer Service Team,” Armorblox security blog reads. 

Armorblox co-founder and CEO DJ Sampath said that financial institutions are often targeted with credential phishing scams. The main targets of this phishing scam are American Express charge card holders.

The Fodcha DDoS Botnet Hits Over 100 Victims

 

Qihoo 360 researchers have found a rapidly spreading new botnet called Fodcha which is capable of performing over 100 attacks every day. Employing this new malware, the threat actor is attacking routers, DVRs, and servers. The actors were able to infect nearly 62,000 machines with the Fodcha virus in less than a month, as per the researchers. 

360 Netlab reports that the number of unique IP addresses affiliated with the botnet fluctuates, as they are monitoring a 10,000-strong Fodcha army of bots utilizing Chinese IP addresses every day, with the majority of them using China Unicom (59.9%) and China Telecom (59.9%) services (39.4 percent ). 

Researchers alleged that "Based on firsthand data from the security industry with whom we collaborated, the frequency of live bots is more than 56000." "The global infection appears to be quite large, as there are over 10,000 daily active bots (IPs) in China, as well as over 100 DDoS victims are targeted daily." 

The Fodcha infects devices by exploiting n-day vulnerabilities in many devices and employing the Crazyfia brute-force cracking tool. The botnet targets a variety of devices and services, including but not limited to: 

RCE for Android ADB Debug Server 
CVE-2021-22205 on GitLab 
CVE-2021-35394 in the Realtek Jungle SDK 
JAWS Webserver unverified shell command execution on MVPower DVR 
LILIN DVR RCE: LILIN DVR
TOTOLINK Routers: Backdoor TOTOLINK Routers
ZHONE Router: Web RCE ZHONE Router 

After successfully acquiring access to susceptible Internet-exposed devices samples, Fodcha attackers use Crazyfia result data to deploy malware payload. The botnet samples, according to 360 Netlab, target MIPS, MPSL, ARM, x86, and other CPU platforms. 

The botnet used the folded[.]in command-and-control (C2) domain from January 2022 until March 19, when it switched to fridgexperts[.]cc when the cloud vendor took down the essential C2 domain. 

"The switch from v1 to v2 is due to a cloud vendor shutting down the C2 servers corresponding to the v1 version, leaving Fodcha's operators with no alternative but to re-launch v2 and upgrade C2," the researchers reported. "The new C2 is mapped to over a dozen IP addresses and is scattered across different countries, including the United States, Korea, Japan, and India." It also includes more cloud providers, including Amazon, DediPath, DigitalOcean, Linode, and others. 


Emotet : The Infamous Botnet Has Returned

 

Kaspersky researchers were able to retrieve and analyze 10 out of 16 modules, with most having been used by Emotet in the past in one form or another. Kaspersky Lab was created in 1997 as multinational cybersecurity and digital privacy organization. Kaspersky's deep risk intelligence and security expertise are continually evolving into new security solutions and services to safeguard enterprises, vital infrastructure, governments, and consumers all around the world. 

Emotet was discovered in the wild for the first time in 2014. Its major purpose back then was to steal user's financial credentials. Since then, it has gone through several modifications, began transmitting other viruses, and eventually evolved into a strong botnet. Emotet is a type of malware classified as banking Trojans. Malspam, or spam emails with malware, is the most common way for it to propagate. To persuade users, these communications frequently contain familiar branding, imitating the email structure of well-known and trustworthy companies such as PayPal or DHL. 

As per Kaspersky telemetry, the number of victims increased from 2,843 in February 2022 to 9,086 in March 2022, indicating the attackers targeted more than three times the number of users. As a result, the number of threats detected by Kaspersky solutions has increased, from 16,897 in February 2022 to 48,597 in March 2022. 

A typical Emotet infection starts with spam e-mails containing malicious macros in Microsoft Office attachments. The actor can use this macro to launch a malicious PowerShell command which will drop and start a module loader, which will then talk with a command and control server to download and start modules. In the percent Windows percent SysWOW64 or percent User percent AppDataLocal directory, Emotet creates a subfolder with a random name and replicates itself under a completely random name and extension. The exported Control RunDLL method is used to launch the Emotet DLL's primary activity. These modules can be used to carry out a range of actions on the infected computer. Kaspersky researchers were able to extract and evaluate 10 of the 16 modules, the majority of which had previously been utilized by Emotet. 

Researchers now state that the Emotet can download 16 modules judging by the recent Emotet protocol and C2 answers. They were able to recover ten of them (including two separate copies of the Spam module), which were utilized by Emotet to steal credentials, passwords, accounts, and e-mail addresses, as well as spam. We present a brief examination of these modules and also statistics on current Emotet attacks in this post. 

To gather the account details of various email clients, the current version of Emotet can create automated spam campaigns which are further spread down the network from infected devices, retrieving emails and email addresses from Thunderbird and Outlook apps and accumulating passwords from popular web browsers like Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera. 

Emotet infects computers in businesses and homes all around the world. As per our telemetry, Emotet most frequently targeted users from the following countries in Q1 2022: Italy (10.04%), Russia (9.87%), Japan (8.55%), Mexico (8.36%), Brazil (6.88%), Indonesia (4.92%), India (3.21%), Vietnam (2.70%), China (2.62), Germany (2.19%) and Malaysia (2.13%). 

The present set of components is capable of a wide range of malicious activities, including stealing e-mails, passwords, and login data from a variety of sources, as well as spamming. Except for the Thunderbird components, Emotet has utilized all of these modules in some form or another before. However, there are still a few modules that we haven't been able to get our hands-on.

Nvidia Confirms Company Data Was Stolen in a Breach

 

Last week Chipmaker company Nvidia witnessed a cyberattack that breached its network. The company has confirmed that the intruders got access to proprietary information data and employee login data. 
As the breach came to light last week, the organization attributed the security breach to a threat group called "Lapsus$".

“We are aware that the threat actor took employee credentials and some Nvidia proprietary information from our systems and has begun leaking it online,” the company said in a statement. 

However, as of now, Nvidia didn’t produce any specific details of the stolen data. Meanwhile, LAPSUS$, the alleged culprit, has claimed that it has looted 1TB of data, including files related to the hardware and software belonging to the organization. Following the incident, Lapsus$ started demanding ransom in cryptocurrency in order to prevent the data from being published online. However, Nvidia has not confirmed its stance or response to the demands made by the hackers. 

The primary purpose of a ransomware attack is to encrypt the victim's credentials and threaten to permanently delete it unless a ransom is paid, often in Bitcoin due to the relative anonymity that cryptocurrency provides. Additionally, the threat groups use Ransomware attacks to steal the victim’s data and then threaten to release sensitive details in public unless certain demands are met. Either way, it amounts to extortion. 

According to the sources, the organization did not confirm technical details yet, therefore, it is difficult to confirm anything as of present. However, as a matter of concern, the information related to the attack continues to trickle out. For instance, some of the leaked data contain references to future GPU architectures, including Blackwell. Also, an anonymous source has apparently sent what they claim is proof of stolen DLSS source code to the folks at TechPowerUp. 

"We are investigating an incident. Our business and commercial activities continue uninterrupted. We are still working to evaluate the nature and scope of the event and don’t have any additional information to share at this time," NVIDIA initially said.

Cyber Attackers Exploiting Microsoft Excel add-in Files

 


Recently a unit of researchers delivered a detailed study on a new phishing campaign at HP Wolf Security. As per the report, threat actors are exploiting Microsoft Excel add-in files in order to send various forms of malware into the systems that could leave businesses vulnerable to data theft, ransomware, and other cybercrime. 

Researchers said that threat actors are excessively using malicious Microsoft Excel add-in (XLL) files to damage the systems and it has been observed that there was an almost six-fold (588%) increment in attacks using this technique during the final quarter of 2021 compared to the previous three months.

XLL add-in files are very famous among people because they provide users to execute a wide range of extra tools and functions in Microsoft Excel. But like macros, they're a tool that can be exploited by threat actors. 

According to the report, threat actors distributed malicious links via phishing emails related to payment references, quotes, invoices, shipping documents, and orders that come with malicious Excel documents with XLL add-in files. The recipient is then tricked into clicking a malicious link, which can lead to the installation and activate the add-in of malware, freezing of the system as part of a ransomware attack, or the revelation of sensitive information. 

Malware families that have been used in attacks leveraging XLL files include Dridex, BazaLoader, IcedID, Agent Tesla, Stealer, Raccoon Formbook, and Bitrat. Some of these forms of malware also create backdoors onto infected Windows systems, which gives attackers remote access to the system. 

Additionally, Some XLL Excel Dropper services are advertised as costing over $2,000, which is expensive for community malware but criminal forum users seem willing to pay the price. 

Alex Holland, senior malware analyst at HP Wolf Security said, "Abusing legitimate features in the software to hide from detection tools is a common tactic for attackers, as is using uncommon file types that may be allowed past email gateways. Security teams need to ensure they are not relying on detection alone and that they are keeping up with the latest threats and updating their defenses accordingly…” 

"…Attackers are continually innovating to find new techniques to evade detection, so it's vital that enterprises plan and adjust their defenses based on the threat landscape and the business needs of their users. Threat actors have invested in techniques such as email thread hijacking, making it harder than ever for users to tell friend from foe," he added.

SPAR Stores Hit by Cyberattacks In UK

 

The SPAR retail has been compelled to shut down a few of its convenience stores in Britain after a cybersecurity breach on its IT systems. The cyberattack happened on Sunday, currently being investigated by Lancashire Police. SPAR consists of around 2600 stores placed across the UK. Due to the incident, 330 SPAR stores in England (North) couldn't finalize the payments, made using debit or credit cards. The attack also stopped the shops from using their stock control systems and their accounting. 

Meanwhile, some of the stores remained closed due impact of the attack, few of the stores have started running but currently taking only cash payments. "There has been an online attack on our IT systems which is affecting stores' ability to process card payments, meaning that a number of SPAR stores are currently closed. We apologize for any inconvenience, we are working as quickly as possible to resolve the situation," SPAR said in a tweet. A SPAR store located in Hull University campus in Yorkshire was one of the targets affected by the attack and had to be closed. 

Stores presented at other locations in Yorkshire and Lancashire were also affected by the attack. SPAR disclosed on social media that the company suffer an online attack on the IT systems of its main wholesaler, James Hall, and Co. Ltd, of Preston in Lancashire. BBC reports "question for James Hall is now the one all cyber attack victims dread - shall we pay criminals to get our shops back online? But of course, for the hundreds of thousands of Spar customers affected by the hack, the more pressing question is when will their local stores open again." 

The James Hall company site was closed during the time of publication. "Due to a major & widespread IT failure across the entire Northern SPAR network, all Northern SPAR stores will be closed for an unknown period of time," said SPAR Ribchester.

Dell and AWS Partner to Prevent Customer Data from Cyberattacks

 

Dell Technology has partnered with AWS (Amazon Web Services) to safeguard customer data from cyberattacks by incorporating Dell's cyber recovery solution to the AWS Marketplace with the release of Dell EMC PowerProtect Cyber Recovery for AWS. Outdated cybersecurity firms are finding it difficult to prevent against malware and cyberattacks. With an increase in with from home culture and remote work since past two years, cybersecurity throughout the internet and cloud platforms has become more sophisticated. 

During the same time, the number of ransomware, malware, and hacking attacks has risen drastically, with more than 33% of organizations suffering ransomware breaches. Even amateur threat actors use RaaS (ransomware as a service) platforms to execute efficient and sophisticated cyber attacks. Via the AWS Marketplace, consumers can easily buy and use air tight cyber vault from Dell, to help safeguard and separate data away from a ransomware attack. 

Dell EMC PowerProtect Cyber Recovery for AWS offers multiple levels of protection with a unique approach that helps AWS customers to start normal business task easily and without any fear after a ransomware attack. In a statement, Dell said "the solution moves a customer’s critical data away from the attack surface, physically and logically isolating it with a secure, automated operational air gap. Unlike standard backup solutions, this air gap locks down management interfaces, requiring separate security credentials and multi-factor authentication for access." 

Nowadays, organizations are adopting various IT infrastructures across the on-premises environment and public cloud, data safety solutions can help in robust data security. Dell EMC PowerProtect Cyber Recovery for AWS offers customers help via addressing the rising risks of ransomware and different cyberattacks. Dell VP of data protection product management, David Noy said "data is a strategic asset and protecting it against ransomware and other cyberattacks is critical for organizations to make informed decisions about their business and thrive in today’s digital economy."