
Private Data of 7.5 million BoAt Users Leaked in Massive Data Breach

 

The personal data of more than 7.5 million boAt customers has surfaced on the dark web. Personally identifiable information (PII) such as name, address, contact number, email ID and customer ID is being offered for sale. The threat actor leaked around 2GB of data on the forum.

On April 5, a hacker dubbed ShopifyGUY claimed to have accessed the data of audio products and smartwatch maker boAt Lifestyle. The threat actor leaked data breach files comprising 7,550,000 (75,50,000 in Indian notation) entries of customer PII. Forbes India validated the report by speaking with a number of consumers who had recently purchased boAt products.

These data breaches have implications that extend beyond the immediate loss of private data. People are more susceptible to monetary fraud, phishing scams, and identity theft. Threat Intelligence Researcher Saumay Srivastava notes that sophisticated social engineering assaults could be carried out by threat actors who employ users' personal information to get access to bank accounts, carry out transactions, and fraudulently use credit cards.

“The consequences for companies include a loss of customer confidence, legal consequences and reputational harm. The major implications make it even more essential to implement adequate security practices,” Srivastava added.

The leaker's profile (ShopifyGUY) is rather new, with only this leak to its name. Because the data is genuine, the hacker will establish a good reputation in the forum community, making future data sales easier, explains Rakesh Krishnan, senior threat analyst at NetEnrich.

"Considering the timeline, we can assume that the hackers gained access to the boAt customer database at least one month ago and put the data on the forum yesterday.”

Ideally, the company should notify all users, conduct a thorough investigation into how the attackers gained access and what else they could access, and then overhaul their security measures to ensure this does not happen again, but realistically, it will deny and move on, explains Yash Kadakia, founder of Security Brigade. 

The data is available for eight credits on several forums, which works out to roughly two euros. It will most likely be available for free on Telegram within a few days. Many scammers will use this information to carry out various phone and email scams, Kadakia noted.

According to an IDC report, boAt, which was founded in 2016 by Aman Gupta, a judge on Shark Tank, and Sameer Mehta, is now the second most popular wearable brand as of the third quarter of 2023. The Gurugram-based business is well-regarded by Indian customers and is renowned for its affordable headphones and other audio equipment. In addition, it produces speakers and smartwatches.

Lazy Koala: New Cyber Threat Emerges in CIS Region

 

Cybersecurity researchers at Positive Technologies Expert Security Center (PT ESC) recently uncovered a new threat actor they've named Lazy Koala. Despite lacking sophistication, this group has managed to achieve significant results.

The report reveals that Lazy Koala is targeting enterprises primarily in Russia and six other Commonwealth of Independent States countries: Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia. Their victims belong to government agencies, financial institutions, and educational establishments. Their primary aim is to acquire login credentials for various services.

According to the researchers, nearly 900 accounts have been compromised so far. The purpose behind the stolen information remains unclear, but it's suspected that it may either be sold on the dark web or utilized in more severe subsequent attacks.

The modus operandi of Lazy Koala involves simple yet effective tactics. They employ convincing phishing attacks, often using native languages to lure victims into downloading and executing attachments. These attachments contain a basic password-stealing malware. The stolen files are then exfiltrated through Telegram bots, with the individual managing these bots being dubbed Koala, hence the group's name.

Denis Kuvshinov, Head of Threat Analysis at PT ESC, describes Lazy Koala's approach as "harder doesn't mean better." Despite their avoidance of complex tools and tactics, they manage to accomplish their objectives. Once the malware establishes itself on a device, it utilizes Telegram, a preferred tool among attackers, to exfiltrate stolen data.

PT ESC has notified the victims of these attacks, warning that the stolen information is likely to be sold on the dark web.

Here's Why Tracking Everything on the Dark Web Is Vital

 

Today, one of the standard cybersecurity practices is to constantly monitor the Dark Web - the global go-to destination for criminals - for any clues that trade secrets and other intellectual property belonging to the organisation have been compromised.

The issue lies in the fact that the majority of chief information security officers (CISOs) and security operations centre (SOC) managers generally assume that any discovery of sensitive company data indicates that their enterprise systems have been successfully compromised. That's what it might very well mean, but it could also mean a hundred different things. The data may have been stolen from a supply chain partner, a corporate cloud site, a shadow cloud site, an employee's home laptop, a corporate backup provider, a corporate disaster recovery firm, a smartphone, or even a thumb drive that was pilfered from a car.

When dealing with everyday sensitive data, such as consumer personally identifiable information (PII), healthcare data, credit card credentials, or designs for a military weapons system, knowing that some version of it has been acquired is useful. However, it is nearly impossible to know what to do unless the location, timing, and manner of the theft are known.

In some cases, the answer could be "nothing." Consider some of your system's most sensitive files, including API keys, access tokens, passwords, encryption/decryption keys, and access credentials. If everything is carefully recorded and logged, your team may find that the secrets discovered on the Dark Web have already been revoked or rotated. There would be no need for any further move.

Getting the info right

Most CISOs recognise that discovering secrets on the Dark Web indicates that they have been compromised. However, in the absence of correct details, they frequently overreact — or improperly react — and implement costly and disruptive modifications that may be entirely unnecessary. 

This could even include relying on wrong assumptions to make regulatory compliance disclosures, such as the European Union's General Data Protection Regulation (GDPR) and the Securities and Exchange Commission's (SEC) cybersecurity obligations. This has the potential to subject the organisation to stock drops and compliance fines that are avoidable. 

Establishing best practices

You must keep a tightly controlled inventory of all of your secrets, including a fingerprint (hash) of each one so that every use and every sighting of it can be traced without exposing the secret itself. This is the only way to keep track of all activity involving your machine credentials in real time. If you do this aggressively, you should be able to detect a stolen machine credential before it reaches the Dark Web and is sold to the highest bidder.

Another good strategy is to regularly seed the Dark Web — and other evil-doers' dens — with decoy files to add a lot of noise to the mix. Some discriminating bad guys may avoid your data entirely if they are unsure whether it is genuine.
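The two practices above (a fingerprint-keyed secrets inventory, and decoys seeded into the same channels) fit naturally in one tool, sketched here as an added example that is not code from the original post. The pepper value, the record layout, the "AKIA"-shaped canary format and the sample dump are all assumptions made for the illustration; a real deployment would keep the pepper in a KMS/HSM and feed the triage function from a dark-web monitoring service.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Assumed: a server-side pepper held in a KMS/HSM in real deployments. It keeps
# the fingerprint store from being a dictionary-attack target if it leaks.
PEPPER = b"example-pepper-keep-out-of-source-control"


def fingerprint(secret: str) -> str:
    """HMAC-SHA256 of a secret under the pepper. The inventory stores only this,
    so a leaked credential can be recognised without keeping its plaintext."""
    return hmac.new(PEPPER, secret.strip().encode(), hashlib.sha256).hexdigest()


@dataclass
class SecretRecord:
    name: str
    owner: str
    fp: str
    status: str = "active"          # active | rotated | canary
    rotated_at: Optional[str] = None


class SecretInventory:
    """Fingerprint-keyed inventory of machine credentials plus decoys."""

    def __init__(self) -> None:
        self._by_fp: dict = {}

    def register(self, name: str, owner: str, secret: str, status: str = "active") -> SecretRecord:
        rec = SecretRecord(name, owner, fingerprint(secret), status)
        self._by_fp[rec.fp] = rec
        return rec

    def rotate(self, name: str, new_secret: str) -> SecretRecord:
        """Mark every live copy of `name` as rotated and register the new value.
        The old fingerprint is kept so a later sighting is classified as stale."""
        owner = None
        now = datetime.now(timezone.utc).isoformat()
        for rec in self._by_fp.values():
            if rec.name == name and rec.status == "active":
                rec.status, rec.rotated_at, owner = "rotated", now, rec.owner
        if owner is None:
            raise KeyError(f"no active secret named {name!r}")
        return self.register(name, owner, new_secret)

    def mint_canary(self, name: str, owner: str) -> str:
        """Decoy credential that is never used anywhere legitimate. It is shaped
        like an access key ID only so it looks plausible in a dump; it is not valid."""
        token = "AKIA" + secrets.token_hex(8).upper()
        self.register(name, owner, token, status="canary")
        return token

    def triage(self, leaked: str) -> dict:
        """Classify a string pulled from a dark-web dump."""
        rec = self._by_fp.get(fingerprint(leaked))
        if rec is None:
            return {"verdict": "not-ours", "action": "ignore"}
        if rec.status == "canary":
            return {"verdict": "canary", "action": "trace-which-decoy-leaked", "name": rec.name}
        if rec.status == "rotated":
            return {"verdict": "ours-stale", "action": "none", "name": rec.name, "rotated_at": rec.rotated_at}
        return {"verdict": "ours-live", "action": "rotate-now", "name": rec.name, "owner": rec.owner}


def demo() -> dict:
    """Constructed walk-through: three inventory states, then a pretend dump."""
    inv = SecretInventory()
    inv.register("payments-api-key", "team-payments", "sk_live_OLD_0000")
    inv.rotate("payments-api-key", "sk_live_NEW_1111")
    inv.register("db-password", "team-data", "Winter2023!")
    canary = inv.mint_canary("decoy-s3-key", "secops")
    dump = ["sk_live_OLD_0000", "Winter2023! ", canary, "totally-unrelated"]
    return {s.strip(): inv.triage(s)["verdict"] for s in dump}
```

The point of keeping rotated fingerprints rather than deleting them is exactly the "the answer could be nothing" case above: a stale sighting is closed with no action, while a live one triggers rotation and a canary sighting tells you which decoy (and therefore which channel) leaked.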

Cybersecurity Specialists Caught Moonlighting as Dark Web Criminals

 

A recent study conducted by the Chartered Institute of Information Security (CIISec) has uncovered a concerning trend in the cybersecurity field. The study reveals that many cybersecurity professionals, facing low pay and high stress, are resorting to engaging in cybercrime activities on the dark web. This revelation adds to the challenges faced by security leaders who already feel ill-equipped to combat the increasing threat of AI-driven cybercrime.

The investigation, led by a former police officer turned cyber investigation specialist, involved six months of scouring dark web sites and job postings. The findings exposed numerous individuals offering their programming skills at remarkably low rates. For instance, one Python developer and Computer Science student advertised their services for as little as $48 (£25) per hour, offering to develop cybercrime tools such as VoIP chatbots, AI chatbots, and hacking frameworks.

In addition to programmers, the investigation uncovered various professionals willing to assist cybercriminals in their activities. These included voiceover artists for vishing campaigns, graphic designers, public relations professionals, and content writers. Despite the presence of these individuals, the investigator noted that it was relatively easy to distinguish between professionals and hardcore cybercriminals, with professionals often referencing their legitimate roles or using language similar to that found on platforms like LinkedIn.

The study's findings suggest that the allure of higher pay elsewhere and the stress and burnout experienced in cybersecurity roles are driving professionals towards criminal activities. Amanda Finch, CEO of CIISec, highlighted the impact of long hours and stress on this trend, noting that the industry must focus on attracting and retaining talent to prevent further defections to cybercrime.

For chief information security officers (CISOs) and executives responsible for safeguarding their companies against cyber threats, these revelations pose a significant challenge. Not only are they contending with escalating cybercriminal activity, including ransomware attacks, but they must also grapple with the possibility of insider threats from their own employees. According to the Office of the Australian Information Commissioner (OAIC), 11% of malicious attacks reported in the latter half of 2023 involved rogue employees.

The escalating threat of AI-augmented cyberattacks further compounds the challenges faced by security professionals. A global survey by Darktrace found that 89% of security professionals anticipate significant impacts from AI-augmented threats within the next two years. Despite this, 60% admit to being unprepared to defend against such attacks.

To combat these evolving threats, defensive AI systems are gaining traction. Initiatives such as the US FTC's push against AI impersonation, Google's AI Cyber Defence Initiative, and the European Union's AI Office demonstrate a concerted effort to develop robust cyber defense mechanisms. The proliferation of AI cyber threat detection-related patents and the entry of new companies into the market underscore the urgency of bolstering defensive capabilities against cyber threats.

Ransomware Group Stormous Takes Responsibility for Cyberattack on Belgian Brewery

 

Stormous, a ransomware group, has admitted to orchestrating the cyber assault on Duvel Moortgat Brewery last Wednesday. Fortunately for beer enthusiasts, the brewery has ample stock to withstand the disruption.

The ransom group announced their involvement via the dark web on March 7th, a day following the attack, listing Duvel as their latest target. Despite this, there is no indication that the Belgian brewery intends to comply with any ransom demands, the specifics of which remain undisclosed. 

Duvel Moortgat has shown resilience in the face of adversity, as their IT department detected the ransomware attack in the early hours of March 6th, prompting an immediate halt in production.

Ellen Aarts, a spokesperson, confirmed the incident, stating that production ceased upon detection of the ransomware, with uncertainty about when it could resume. However, she assured that the brewery possesses sufficient beer inventory to manage the production halt.

Located in Breendonk, Antwerp, Duvel Moortgat is renowned for its signature Duvel ale, alongside Vedett and Maredsous beers, which enjoy international popularity.

Belgian beer enthusiasts took to Reddit to jest about the situation, showcasing their typical humour. Meanwhile, it was revealed that despite the disruption, beer pumps remained operational, leading some employees (excluding IT staff) to enjoy drinks in the cafeteria—a fact perhaps lamented by the IT department.

At present, the timeline for Duvel Moortgat to resume full-scale production remains uncertain, and beyond Stormous's own claim, the perpetrators behind the cyberattack have not been confirmed.

Dark Web Sale Exposes 3.6 Crore Stolen AI Gaming Accounts


The widespread sale of credentials obtained from AI-based and gaming platforms and services is a worrying trend in the cyber underworld, as shown by a new analysis by antivirus company Kaspersky. An astounding 3.6 crore (36 million) credentials, including login and password information, have been stolen and sold on the dark web in the last three years. The increase in demand for online gaming and artificial intelligence (AI) services has unintentionally encouraged hackers to develop specialized malware known as info stealers to obtain user data.

Surge of info stealers: Threat to online security

Hackers aiming to take advantage of the growing demand for AI-driven services and online gaming platforms have turned to infostealers, a kind of malware that covertly steals user login credentials. These malicious applications infect personal and corporate devices through phishing attacks and other deceptive tactics.

Kaspersky reports that the majority of leaked credentials come from the popular gaming site Roblox, where almost 3.4 crore (34 million) user accounts have been exposed due to malware-related data breaches. The research also reveals an astounding 33-fold rise in credentials taken from OpenAI users, amounting to 6.64 lakh (664,000) records, some of which are connected to ChatGPT, a popular chatbot service.

AI services under threat

The range of hacked AI services, which includes chatbots, voice generators, picture editing, and translation, highlights how widespread the problem is. The head of Kaspersky Digital Footprint Intelligence, Yuliya Novikova, emphasizes how important it is to have strong cybersecurity safeguards in place to thwart infostealer attacks and prevent the unauthorized use of user credentials.

Online precautions against cyber threats

One of the biggest challenges to online security is the continued demand for stolen credentials, especially those related to artificial intelligence applications. The research notes that when GPT-4, the fourth-generation model behind ChatGPT, was released in March 2023, there was a noticeable increase in cybercriminals' attention to these accounts. The continued demand for AI-related credentials, even after things have stabilized, highlights the persistent attraction for bad actors looking to profit from the mass use of these services.

It is crucial that people and organizations strengthen their defenses against infostealer attacks in light of these advancements. Proactive measures, such as strong security protocols and constant attention, are essential to reducing the risks posed by hostile actors operating in the shadows of the dark web as cyber threats continue to adapt and multiply.


Binance Data Breach Sparks Concerns: Dark Web Sale Rumors Surface

 

In a surprising development, cryptocurrency giant Binance finds itself facing the looming threat of a potential data breach, as claims circulate on the dark web suggesting the sale of sensitive user information. This occurrence has sent shockwaves throughout the cryptocurrency community, prompting apprehension about the security of one of the world's leading digital currency exchanges. 

Renowned for its extensive selection of digital assets and user-friendly interface, Binance has not been impervious to the escalating menace of cyberattacks targeting the cryptocurrency sector. Reports indicate that an individual or a group of hackers is asserting possession of a significant amount of user data from Binance, purportedly offering it for sale on the dark web. 

The alleged data breach has cast a spotlight on Binance's security infrastructure, compelling the company to initiate a comprehensive investigation to verify the authenticity of the claims. Users anxiously await official statements from the exchange detailing the extent of the breach, identifying potential vulnerabilities, and outlining measures taken to mitigate the repercussions. 

Should the dark web sale prove to be true, it could expose sensitive information, including user account credentials, email addresses, and other personally identifiable details. This not only raises concerns about individual privacy but also the potential exploitation of this data for illicit activities, such as phishing attempts and identity theft. 

Despite Binance's proactive approach to security, incorporating measures such as two-factor authentication and cold wallet storage, the dynamic nature of cyber threats poses an ongoing challenge for even the most robust security protocols. 

Users are strongly advised to exercise vigilance and adopt precautionary measures, including password updates, enabling two-factor authentication, and regular monitoring of their accounts for any signs of suspicious activity. Binance has reassured users that it is treating the situation seriously and is diligently working to validate the extent of the alleged data breach. 

This potential breach at Binance also prompts broader inquiries into the overall security stance of cryptocurrency exchanges. As the digital asset landscape continues to expand, the imperative to secure user data and assets becomes increasingly paramount. Regulatory bodies and industry stakeholders are expected to scrutinize such incidents, emphasizing the necessity for stringent cybersecurity measures across the cryptocurrency ecosystem. 

In summary, the potential data breach at Binance and the accompanying dark web sale claims underscore the persistent challenges confronting cryptocurrency exchanges in safeguarding user information. This incident serves as a poignant reminder for users to prioritize security best practices, while exchanges must continually reassess and fortify their cybersecurity measures to counter evolving cyber threats. The cryptocurrency community awaits further updates from Binance regarding the investigation and any actions taken to address this disconcerting situation.

Hundreds of Network Operators' Credentials Compromised on Dark Web


Leaked creds of RIPE, APNIC, AFRINIC, and LACNIC are available on the Dark Web

After a comprehensive scan of the Dark Web, Resecurity discovered that info stealer infections had compromised 1,572 customers of RIPE, the Asia-Pacific Network Information Centre (APNIC), the African Network Information Centre (AFRINIC), and the Latin America and Caribbean Network Information Center (LACNIC).

Included in this number are new artifacts and historical records discovered in January 2024 as a result of an examination of underground marketplaces and Command and Control (C2) servers. In light of the highly disruptive hack that occurred recently against telecom provider Orange España, the cybersecurity community should reconsider how it protects the digital identities of employees who work in network engineering and IT infrastructure management.

Victims whose credentials were revealed on the Dark Web by info stealers such as Azorult, Redline, Vidar, Lumma, and Taurus have been alerted by Resecurity. 

Cybersecurity experts were able to compile the following data using the feedback that was gathered:

  • 16% of respondents were already aware that their accounts had been compromised due to a malicious code infection, and they had made the required password changes and enabled two-factor authentication. 
  • The remaining 45% were unaware that their credentials had been compromised and confirmed that they had changed their passwords after being notified.
  • 14% knew of the compromised credentials but did not activate 2FA until they were notified (statement received).
  • Twenty percent of respondents agreed that further investigation into the incident that compromised credentials was necessary.
  • Five percent of the recipients were unable to offer any comments.

Cyberespionage organizations active

It's noteworthy that the majority of the network administrators found to have been compromised used email addresses registered with free services like Gmail, GMX, and Yahoo for the networks they oversaw.

Cyberespionage groups that are intensely focused on particular targets, including network administrators and their social networks, may find great value in these facts. Knowing their private email addresses can enable more advanced campaigns and increase the chances of successful reconnaissance.
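The triage Resecurity describes (pulling RIR portal logins out of stealer dumps, then noting which belong to free-mail accounts) is the kind of task a SOC would script. The following is an added example, not Resecurity's tooling: the `host|login|password` layout, the sample dump and the watchlist of portal hostnames are all constructed for the illustration, and real Redline/Vidar/Lumma log files use their own layouts that a parser would have to handle separately.

```python
# Constructed sample in a simplified `host|login|password` layout. Real
# Redline/Vidar/Lumma dumps use their own file layouts; only this layout is parsed.
SAMPLE_LOG = """\
access.ripe.net|netops@example-isp.net|Winter2023!
access.ripe.net|john.doe@gmail.com|hunter2
my.apnic.net|noc@gmx.de|Passw0rd
accounts.google.com|john.doe@gmail.com|hunter2
afrinic.net|admin@yahoo.com|changeme
mail.example-isp.net|netops@example-isp.net|Winter2023!
www.example-shop.com|someone@example.org|shopping1
garbage line without separators
"""

# Assumed watchlist of RIR member portals; adjust to the portals your staff use.
WATCHLIST = {"access.ripe.net", "my.apnic.net", "afrinic.net", "lacnic.net"}
FREEMAIL = {"gmail.com", "gmx.de", "gmx.com", "gmx.net", "yahoo.com"}


def mask(password: str) -> str:
    """Keep only a hint so the finding can be matched without re-leaking the secret."""
    return password[:2] + "*" * (len(password) - 2) if len(password) > 2 else "*" * len(password)


def parse_entries(text: str) -> list:
    entries = []
    for line in text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the whole dump
        host, login, password = (p.strip() for p in parts)
        entries.append({"host": host.lower(), "login": login, "password": password})
    return entries


def host_matches(host: str, watchlist) -> bool:
    # exact host or any subdomain of a watchlisted host
    return any(host == w or host.endswith("." + w) for w in watchlist)


def triage(text: str, watchlist=WATCHLIST) -> list:
    """Return watchlist hits, flagging free-mail logins and password reuse."""
    entries = parse_entries(text)
    # which hosts each (login, password) pair was captured on, for reuse detection
    seen_on = {}
    for e in entries:
        seen_on.setdefault((e["login"], e["password"]), set()).add(e["host"])
    findings = []
    for e in entries:
        if not host_matches(e["host"], watchlist):
            continue
        domain = e["login"].rsplit("@", 1)[-1].lower() if "@" in e["login"] else ""
        findings.append({
            "host": e["host"],
            "login": e["login"],
            "freemail": domain in FREEMAIL,
            "reused_on": sorted(seen_on[(e["login"], e["password"])] - {e["host"]}),
            "password_hint": mask(e["password"]),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

The reuse check is what turns a single stealer hit into a wider incident: a portal password that also appears against the operator's own mail host means the infected machine's user recycled it, and the notification should cover both accounts. Passwords are masked in the output so the finding itself does not become another leak when it is pasted into a ticket.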

Malicious actors do more than just steal credentials. If they have access to network settings, they might change current setups or add dishonest components, which could seriously damage company infrastructure. 

Unauthorized changes of this nature have the potential to cause serious service interruptions and security breaches, which emphasizes how important it is to protect digital assets with strong security procedures and increased awareness.

The gathered data might verify that personnel engaged in mission-critical IT administration and network engineering tasks are similarly susceptible to malicious programming. If their accounts are compromised, they could serve as "low-hanging fruit" for significant cyberattacks.

What are experts saying?

Resecurity's cybersecurity specialists have drawn attention to the growing threats posed by the Dark Web, where nefarious actors could take advantage of credential compromises held by network engineers, data center technicians, ISP/Telco engineers, IT infrastructure managers, and outsourcing firms that oversee networks for their corporate customers. 

Therefore, for highly skilled threat actors, this employee category represents a high-value target. Resecurity's Dark Web study highlighted the danger landscape by identifying several compromised network engineer credentials that could allow threat actors to access gateways.

Zeppelin2 Ransomware: An Emerging Menace in the Dark Web Ecosystem

 

In a recent update from an underground online forum, a user is actively promoting the sale of Zeppelin2 ransomware, providing both its source code and a cracked version of its builder tool. This malicious software, known for its destructive capabilities, has garnered the attention of cybersecurity experts and law enforcement agencies globally.

The forum post asserts that the user successfully breached the security measures of the Zeppelin2 builder tool, originally designed for data encryption. The post includes screenshots of the source code, shedding light on the intricate details of the build process and revealing that the ransomware is programmed in Delphi.

The Zeppelin2 ransomware builder tool, being promoted by the threat actor, showcases various features, such as file settings, ransom notes, IP logging, startup commands, task killers, and auto-unlocking busy files. The threat actor underscores the ransomware's capability to comprehensively encrypt files, rendering data recovery impossible without a unique private key held by the attackers.

Upon completing the encryption process, victims are presented with a ransom note declaring the encryption of all their files. The note instructs victims to contact the attackers via email and offers a method for testing the legitimacy of the decryptor by sending a non-valuable file.

Reports indicate that Zeppelin2 ransomware demands ransom payments in Bitcoin, with extortion amounts ranging from several thousand dollars to over a million dollars. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have jointly issued a cybersecurity advisory to address the Zeppelin2 threat.

Zeppelin2, employed by threat actors since 2019 and continuing at least until June 2022, targets various sectors through its ransomware-as-a-service (RaaS) model. These sectors include defense contractors, educational institutions, manufacturers, technology companies, and notably, organizations in the healthcare and medical industries.

The ransomware's modus operandi involves gaining access to victim networks through remote desktop protocol (RDP) exploitation, SonicWall firewall vulnerabilities, and phishing campaigns. Before deploying the Zeppelin2 ransomware, threat actors meticulously map and enumerate the victim's network, identifying critical data enclaves, including cloud storage and network backups.

Consistent with ransomware groups, Zeppelin2 operators exfiltrate sensitive corporate data with the intention of making it accessible to buyers or the public if the victim resists complying with their demands.

Of significance, the FBI has observed instances where Zeppelin2 actors execute their malware multiple times within a victim's network, generating different IDs or file extensions for each attack instance, necessitating multiple unique decryption keys.

Hacked and Exposed: BSNL's Battle Against a Dark Web Data Breach

 



A hacker going by the name Ellis is selling thousands of internet and landline records from the telecom operator BSNL on the dark web following a recent data breach. BSNL users' sensitive information, including email addresses, billing details, and contact numbers, has been compromised, raising concerns of identity theft, financial fraud, and targeted phishing attacks against these individuals.

The hacker has posted an excerpt of the stolen data on the dark web. The sample contains email addresses, billing details, contact details and other private information about BSNL's fibre and landline customers.

Mobile outage records, network details, information about completed orders, and other personal customer information also appear to be compromised. In the dark web post, made under the alias "Perell," the hacker claims to have obtained critical data on users of BSNL's fibre and landline services in India.

Part of the stolen information has already been released: a sample of some 32,000 lines. More significantly, "Perell" claims to hold approximately 2.9 million lines of data covering all of BSNL's databases, with customer details down to the district level.

According to a source familiar with the situation, the compromised data also includes mobile outage reports, network information, completed orders, and client details. A media report quoted an unidentified individual raising concerns that a breach at Bharat Sanchar Nigam Limited (BSNL), a company considered a critical infrastructure entity, places the privacy and security of customers at risk.

Saket Modi, founder and CEO of the cyber risk management company Safe Security, believes the hack was carried out by an individual rather than an organisation. Since the hacker claims to hold around 2.9 million rows of data, Modi said there is a high probability that a single website was breached.

The structure of the sample data posted on the dark web suggests the attacker may have exploited a SQL (Structured Query Language) injection vulnerability. While BSNL has not officially acknowledged the data breach, cybersecurity expert Kanishk Gaur, founder and president of India Future Foundation, has described it as "deeply concerning."
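The report above only infers SQL injection from the shape of the sample; to make the inference concrete, here is an added example (not code from BSNL or from the article) of a customer-lookup endpoint written the vulnerable way beside its parameterised fix, with the two payloads an attacker would use first. The table layout, the sample rows and the phone-number lookup are assumptions for the illustration; the database is an in-memory SQLite so it runs offline.

```python
import sqlite3

# Constructed sample data; nothing here is BSNL's.
SAMPLE_ROWS = [
    ("011-5550101", "a.sharma@example.net", "Gurugram"),
    ("011-5550102", "r.iyer@example.net", "Chennai"),
    ("011-5550103", "m.khan@example.net", "Lucknow"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE subscribers (id INTEGER PRIMARY KEY, phone TEXT, email TEXT, district TEXT)"
    )
    conn.executemany(
        "INSERT INTO subscribers (phone, email, district) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_vulnerable(conn, phone: str) -> list:
    """Builds the query by string formatting: the caller's input is parsed as SQL."""
    sql = f"SELECT phone, email, district FROM subscribers WHERE phone = '{phone}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, phone: str) -> list:
    """Parameterised query: the input is bound as data and cannot alter the statement."""
    return conn.execute(
        "SELECT phone, email, district FROM subscribers WHERE phone = ?", (phone,)
    ).fetchall()


# Two classic payloads. The tautology dumps every row of the queried table; the
# UNION against sqlite_master enumerates the schema, which is how an attacker
# learns what other tables exist before extracting "all databases".
DUMP_ALL = "' OR '1'='1"
ENUM_SCHEMA = "' UNION SELECT name, sql, '' FROM sqlite_master --"


def demo() -> dict:
    conn = make_db()
    return {
        "vuln_dump_rows": len(lookup_vulnerable(conn, DUMP_ALL)),
        "vuln_schema": [r[0] for r in lookup_vulnerable(conn, ENUM_SCHEMA)],
        "safe_dump_rows": len(lookup_safe(conn, DUMP_ALL)),
        "safe_schema_rows": len(lookup_safe(conn, ENUM_SCHEMA)),
    }


if __name__ == "__main__":
    print(demo())
```

The UNION payload is the one worth remembering when reading a breach sample: dumps that contain whole-table rows with the original column order, including internal IDs and district codes, look like the output of this kind of enumerate-then-extract run rather than of a scraped web page.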

BSNL has not acknowledged the data breach, but the cybersecurity watchdog CERT-In has been informed. Gaur expressed deep concern over the breach, saying, "The recent data breach raises profound apprehensions. It presents a serious risk that has implications for both the company as a service provider as well as its users."

Gaur stressed that the compromise is not just harmful to user privacy but also puts customers at increased risk of identity theft, financial fraud, and targeted phishing attacks. He called for comprehensive measures to deal with the fallout from the security lapse and to protect the interests and security of BSNL's users.

The Dark Web: A Hidden Menace for Businesses

 

In recent months, Nuh, a district in Haryana close to the Indian capital, has garnered unwanted attention for its transformation into a cybercrime hub, mirroring the notorious Jamtara region. With over 28,000 cybercrime cases spearheaded by unemployed social engineers, Nuh has firmly entrenched itself in the dark web's criminal ecosystem.

Earlier this year, James Roland Jones, a SpaceX engineer operating under the alias "MillionaireMike," admitted to discreetly purchasing personal information and selling insider tips of an anonymous company on the dark web. This incident highlights the pervasiveness of illicit activities on the dark web, a concealed realm of the internet frequently linked to anonymous crimes.

Unlike the conventional web, the dark web evades search engine indexing and remains inaccessible to standard web browsers. Instead, users employ specialized software like Tor (The Onion Router) to navigate its encrypted pathways. Tor was originally developed by the U.S. Naval Research Laboratory for secure communication, but the dark web built on it has since morphed into a haven for criminal enterprises.

The 2019 study "Into the Web of Profit" by criminology professor Dr. Michael McGuire from the University of Surrey revealed that cybercrime has evolved into a thriving economy, generating an annual turnover of $1.5 trillion. Alarmingly, the study also uncovered a 20% surge in harmful dark web listings since 2016. Among these listings, a staggering 60% pose a direct threat to businesses. Dr. McGuire identified 12 domains where enterprises face the risk of compromised data or network breaches.

Common Threats Posed by the Dark Web

1. Illicit Data Trade: The dark web serves as a marketplace for stolen personal data, including login credentials, intellectual property, credit card details, and other confidential information. This stolen data fuels malicious activities and identity theft, often sold to the highest bidder.

2. Competitive Intelligence and Espionage: The clandestine nature of the dark web provides a fertile ground for competitors to gather intelligence on each other, often through industrial espionage, where trade secrets and confidential data are illicitly acquired.

3. Insider Threats: The dark web can entice insiders within organizations with financial rewards to reveal confidential information or aid in cyberattacks.

4. Hacking Services: The dark web offers a vast array of hacking services, ranging from customized malware to phishing kits, empowering attackers to execute sophisticated cyberattacks.

5. Operational Data, Network Access Tools, Tutorials, and Keyloggers: These resources are readily available on the dark web, enabling attackers to gather sensitive information, gain unauthorized access to networks, and monitor user activity.

Protecting Your Business from the Dark Web's Shadows

1. Stay Informed: Familiarize yourself with the latest dark web trends and threats to proactively identify potential risks.

2. Implement Robust Cybersecurity Measures: Employ strong passwords, multi-factor authentication, and network security solutions to safeguard your organization's data and systems.

3. Educate Employees: Train employees on cybersecurity best practices, including recognizing phishing attempts and handling sensitive data with care.

4. Engage Cybersecurity Experts: Collaborate with experienced IT professionals to assess your business requirements and develop tailored cybersecurity strategies.

5. Monitor Dark Web Activity: Utilize specialized tools and services to monitor the dark web for mentions of your organization or stolen data related to your business.

By staying vigilant, implementing robust cybersecurity measures, and educating employees, businesses can effectively mitigate the risks posed by the dark web and protect their valuable assets. Remember, knowledge is your shield in the digital realm.

From Concealed to Revealed: Dark Web Slip-Up Exposes Ransomware Mastermind

A group of researchers responded to an ad offering the opportunity to join up with a RaaS operation and found themselves attending a cybercriminal job interview held by an organization that is one of the most active threat actors in the affiliate market today. At least five strains of ransomware have been created by the same individual known as "farnetwork". 

Group-IB threat researchers were eventually able to unmask the criminal after farnetwork gave away too many specifics to a Group-IB researcher posing as a prospective Nokoyawa affiliate.

Aside from the alias jingo, the threat actor has also been identified as jsworm and farnetwork, along with razvrat and piparuka. Once the undercover researcher had demonstrated they could not only escalate privileges but also use the ransomware to encrypt files and then demand payment for the decryption key, farnetwork was ready to reveal more details. 

During his correspondence with farnetwork, the Group-IB researcher discovered that farnetwork already had a foothold in various enterprise networks and was simply looking for someone to take the next step: deploying the ransomware and collecting the money. 

The deal on offer: the recruit would extort money from victims and keep 65% of the proceeds as the Nokoyawa affiliate, with 20% going to the botnet owner and 15% to the ransomware owner. 

According to Group-IB's latest report, Nokoyawa was only the most recent of several ransomware operations farnetwork had been running. After a lengthy discussion with the threat actor, the team was able to assemble enough information about farnetwork's ransomware activities to trace them back to 2019. 

During their exchanges with farnetwork, the researchers were told that the actor had previously received ransomware payments totalling as much as $1 million, having earlier operated with the Nefilim and Karma ransomware. 

There is also evidence that the crook has experience working with NEMTY and Hive. Group-IB's report on the ransomware group states that farnetwork was behind the JSWORM, Karma, Nemty, and Nefilim ransomware strains between 2019 and 2021. 

In addition, the report states that the Nefilim RaaS program alone is responsible for over 40 victims. Farnetwork, who had been part of the Nokoyawa operation since 2022, had settled in with the group by last February and was actively recruiting affiliates for the program. 

In terms of the timeline of operations and the factors that have shaped this market, there is no doubt that farnetwork has made a significant contribution to the global RaaS market over the past couple of years. 

The RaaS operation at Nokoyawa has since been shuttered, and Farnetwork has announced it will retire soon. However, Group-IB researchers believe that he is going to appear again with another strain of ransomware shortly.

Medusa Ransomware Group Takes Ownership for Cyber-attack on Canadian Psychological Association


The Canadian Psychological Association (CPA), the main official body for psychologists in Canada, is said to have been the target of a cyberattack by the infamous Medusa ransomware group. 

The recent incident points out the rising risk posed by threat actors demanding confidential data from enterprises. The CPA, founded in 1939 and registered under the Canada Corporations Act in May 1950, is currently dealing with the fallout from this breach.

The cyberattack on the Canadian Psychological Association

Medusa, an infamous cyber threat actor, claimed involvement in the CPA attack. On its dark web channel, "MEDUSA BLOG," the gang released details of the Canadian Psychological Association data breach, adding a countdown timer to put pressure on the victim. 

The gang has issued deadlines, seeking $10,000 to postpone the release of the hacked data by another day, and a whopping $200,000 either to delete the data completely or to download it.

The CPA has yet to publish an official comment or statement in response to the Canadian Psychological Association data leak.

Victims of Medusa Ransomware group

This cyberattack on the CPA is not an isolated incident. The Minneapolis Public School (MPS) District also suffered a massive ransomware attack, in which highly sensitive data about children and teachers, including complaints of abuse and psychological reports, was posted on the internet.

MPS initially declined to pay a $1 million ransom, and their encrypted systems were successfully restored using backups. The Medusa hacker gang, on the other hand, had not only encrypted the data but also exfiltrated their own copy, which they then published on the web and promoted via links on a Telegram channel.

Let’s try to understand MedusaLocker ransomware

MedusaLocker ransomware was discovered in September 2019 and mostly attacks Windows devices via spam. The malware has unusual characteristics, such as rebooting into safe mode before encrypting files. Depending on the version, it uses BAT files or PowerShell. Because of changes made in the current edition, the infected machine may suffer issues at boot-up.

After initial access, MedusaLocker spreads across a network by launching a PowerShell script via a batch file. It deactivates security and forensic applications, restarts the machine in safe mode to evade detection, and then locks files with AES-256 encryption. In addition, it disables start-up recovery, disables local backups, and leaves a ransom note in every folder holding encrypted data.
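As an added example (not from the article), the following Python correlates the behaviours just described, recovery inhibition followed by a forced safe-mode reboot, in process-creation telemetry. The log lines are constructed, and the command lines it matches (vssadmin, wbadmin, bcdedit) are my assumption about how those behaviours typically show up; the article names the behaviours, not the commands.

```python
"""Correlate recovery-inhibition and safe-mode staging per host from
process-creation events (Sysmon event ID 1 style). Constructed sample data."""
import re
from collections import defaultdict
from dataclasses import dataclass

# One line per process start: timestamp, host, pid, image path, quoted command line.
_EVENT = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+'
    r'image=(?P<image>\S+)\s+cmdline="(?P<cmd>.*)"$'
)

# label -> pattern over the command line. The part before ':' is the tactic;
# these are the standard Windows built-ins for each behaviour (assumption).
RULES = [
    ("inhibit_recovery:shadow_copies", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("inhibit_recovery:shadow_copies", r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("inhibit_recovery:backup_catalog", r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)"),
    ("inhibit_recovery:startup_repair", r"bcdedit(\.exe)?\s.*\brecoveryenabled\s+(no|off)\b"),
    ("inhibit_recovery:startup_repair", r"bcdedit(\.exe)?\s.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    ("safe_mode_boot:bcdedit", r"bcdedit(\.exe)?\s.*\bsafeboot\s+(minimal|network)\b"),
    ("defense_evasion:service_stop", r"\b(net(\.exe)?\s+stop|sc(\.exe)?\s+stop)\s+"),
]
COMPILED = [(label, re.compile(pattern, re.I)) for label, pattern in RULES]


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    pid: int
    image: str
    cmd: str


def parse_event(line):
    """Parse one telemetry line; returns None for lines in another format."""
    m = _EVENT.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["host"], int(m["pid"]), m["image"], m["cmd"])


def match_rules(cmd):
    """Labels of every rule whose pattern occurs in the command line."""
    return {label for label, rx in COMPILED if rx.search(cmd)}


def correlate(lines):
    """Grade each host by how many distinct tactics were seen. Two or more
    tactics (e.g. shadow copies deleted AND safeboot set) is high; a single
    recovery-inhibiting command is medium; a lone service stop alone is noise."""
    per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            per_host[ev.host] |= match_rules(ev.cmd)
    report = {}
    for host, labels in per_host.items():
        tactics = {label.split(":")[0] for label in labels}
        if len(tactics) >= 2:
            severity = "high"
        elif tactics - {"defense_evasion"}:
            severity = "medium"
        else:
            continue
        report[host] = {"severity": severity, "labels": sorted(labels)}
    return report


# Constructed telemetry: WS01 shows the full staging chain, HELPDESK a single
# shadow-copy deletion, SRV02 a legitimate backup, ADMIN03 an unrelated service stop.
SAMPLE_LOG = r"""
2023-07-12T10:01:02Z host=WS01 pid=4412 image=C:\Windows\System32\net.exe cmdline="net stop EdrAgent"
2023-07-12T10:01:03Z host=WS01 pid=4420 image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe Delete Shadows /All /Quiet"
2023-07-12T10:01:04Z host=WS01 pid=4431 image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled No"
2023-07-12T10:01:05Z host=WS01 pid=4436 image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit /set {default} safeboot network"
2023-07-12T10:02:10Z host=SRV02 pid=1180 image=C:\Windows\System32\wbadmin.exe cmdline="wbadmin start backup -backupTarget:E: -quiet"
2023-07-12T10:03:44Z host=HELPDESK pid=2201 image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"
2023-07-12T10:04:00Z host=ADMIN03 pid=3300 image=C:\Windows\System32\net.exe cmdline="net stop Spooler"
""".strip().splitlines()

if __name__ == "__main__":
    for host, verdict in correlate(SAMPLE_LOG).items():
        print(host, verdict["severity"], ", ".join(verdict["labels"]))
```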

Hackers for Hire: Navigating the Dark Web, Penetration Tests, and More


As the digital landscape undergoes transformation, it is imperative for organizations to remain vigilant in the face of a persistent threat from for-hire hackers. 

To safeguard their networks, customers, and financial stability, organizations must comprehend the risks associated with cyber threats and take proactive measures. 

Sourcing Hackers for Hire:

Hackers for hire, malevolent individuals who offer their hacking services to carry out cyberattacks on behalf of others or as a paid service, provide a range of offerings. These services encompass malware as a service (MaaS), ransomware as a service (RaaS), phishing as a service (PhaaS), distributed denial of service (DDoS) as a service, and targeted attacks on specific systems or environments.

These nefarious hacker-for-hire services are widely available on the dark web, an unregulated corner of the internet beyond the reach of conventional search engines and standard browsers like Chrome™, Safari®, or Firefox™. The dark web serves as a notorious marketplace for hackers offering services such as MaaS, RaaS, PhaaS, and DDoS attacks. Potential clients can peruse various hackers' offerings on dark web marketplaces and select the services they require. 

Payment is typically made using cryptocurrencies, which offer a degree of anonymity to both parties involved. Privacy-centric digital currencies like Monero, Zcash, and AXEL provide the highest level of anonymity, although investigative techniques can still be employed to trace transaction origins.

However, hacker-for-hire services are not limited to the dark web. These services can also be found on social media platforms and messaging apps such as WhatsApp and Telegram, as these apps provide end-to-end encryption for all messages, making them attractive to both hackers and their customers.

Crowe cybersecurity experts conducted an investigation to assess the ease of hiring a hacker, both on the regular internet and the dark web. The study found that DDoS services are the most straightforward to access. A simple search using terms like "IP booter" or "IP stresser," along with advanced techniques for identifying forums and communities that offer these tools, yielded a wealth of information from active sites providing hacker-for-hire services.

DDoS services are often categorized into tiers based on resource usage, application programming interface (API) access, and attack duration. For instance, Tier 1 offers a 300-second attack duration, while Tier 4 extends to 3,600 seconds with access to the developer API (dev API) for use in other applications. DDoS services are accessible and affordable to individuals or groups with disposable income.

To explore more significant hacker-for-hire services such as malware and ransomware, the investigators turned to the dark web, utilizing a specialized browser to search for hubs offering these services. They identified marketplaces, vendors, and individual developers offering custom payloads for customer-specific scenarios. 

Some marketplaces provided guaranteed escrow, indicating a level of professionalism and significant resources allocated to market, sell, and purchase these services. The range of offerings included malware, adware, worms, keyloggers, and other custom-developed tools, many of which included developer support for setup and execution.

The researchers also encountered a market on the dark web selling stolen cryptocurrency wallets, offering access to the wallets' private keys in exchange for bitcoin (BTC).

Investigation Results:

The investigation unveiled the disconcerting reality that virtually anyone with internet access can engage the services of hackers, employ their skills, and purchase compromised credentials, wallets, and personal information. These threats demand serious attention, and organizations and individuals should take immediate action to mitigate these potential risks before they materialize.

The services identified in the investigation were tailored based on specific exploitation criteria, the hacker's skill set, and available toolkits. Most of these services were reasonably affordable for individuals with the financial means and motivation to acquire them. The scope of hacker-for-hire services is limited only by the online presence of potential targets, suggesting that anyone can become a target for the right price.

Typical Customers:

A report from the cyberthreat intelligence firm Mandiant identified government-sponsored groups like UNC2589 and APT28 as significant clients for hackers for hire. Government-sponsored groups leverage hackers for hire to carry out espionage, sabotage, or disruptive activities against their adversaries. Corporate entities also resort to hacker-for-hire services to access their competitors' trade secrets, customer financial data, or to launch attacks like DDoS on competitors' websites. Individuals use hacker-for-hire services for personal motives, including revenge or personal gain.

Potential customers do not need to possess an in-depth understanding of cyberattacks; they merely need to provide a target and payment. Hiring a hacker for DDoS services, for example, can be as straightforward as searching for relevant keywords.

Serious Consequences:

Cyberattacks orchestrated by hackers for hire can inflict severe damage on organizations and individuals. In addition to the direct financial costs associated with a breach, organizations experience reputational harm, potentially leading to a loss of revenue as customers lose trust in a compromised business. According to a 2022 report by IBM, 83% of organizations have faced multiple data breaches.

Hackers for hire themselves can also face severe consequences if caught. For instance, in December 2022, the Federal Bureau of Investigation (FBI) seized approximately 48 domains related to DDoS-for-hire services. These domains were operated by six individuals who were subsequently arrested and faced criminal charges. The FBI linked these domains to DDoS attacks on educational organizations, government agencies, and prominent gaming platforms between 2014 and 2022.

Consequences have also befallen hackers offering ransomware as a service (RaaS). In January 2023, the FBI dismantled Hive, a major Russian crime syndicate that had been selling ransomware tools and services to affiliates since spring 2021.

The Importance of Pen Tests:

One of the most effective means for organizations to mitigate the threat posed by hackers for hire is by employing penetration testers (pen testers). These experts evaluate an organization's security by assessing its external internet presence, internal network, websites, applications, and even simulating scenarios like ransomware, malware, and social engineering campaigns.

Pen tests identify vulnerabilities that could be exploited by malicious hackers, enabling organizations to address these issues before they are used against them. Pen tests often reveal specific areas where improvements can be made, including network segmentation, Microsoft Active Directory™ security, and missing security patches on various systems.

Pen tests are a valuable investment for organizations of all sizes, ranging from small businesses like restaurants and banks to large multinational corporations and government entities. Even seemingly insignificant businesses can be targeted by hackers for hire, and the costs associated with a successful breach can be devastating.

Pen Tests and Staying Ahead of Threats:

The proliferation of hackers for hire represents a significant threat to both organizations and individuals. These malicious actors offer an array of services, including malware, ransomware, phishing, and DDoS attacks, and their services are increasingly accessible. 

However, organizations can protect themselves by conducting regular pen tests, which identify vulnerabilities in their systems or networks before they can be exploited by malevolent hackers. It is crucial for businesses to regularly assess the security of their environments and services and take proactive steps to enhance their security posture.

Group Behind Ragnar Locker Ransomware Debunked

International law enforcement organizations have effectively dismantled the renowned Ragnar Locker ransomware gang, marking a huge win against cybercrime. This operation shows the value of international cooperation in the fight against digital criminal businesses and represents a turning point in the ongoing war against cyber threats.

The Ragnar Locker gang had been a formidable force in the realm of cyber extortion, targeting businesses worldwide with their sophisticated ransomware attacks. Their modus operandi involved encrypting sensitive data and demanding hefty ransoms for its release, often crippling the operations of affected organizations. 

The takedown operation was a joint effort between various agencies, including the European Union Agency for Law Enforcement Cooperation (Europol), the Federal Bureau of Investigation (FBI), and the UK's National Crime Agency (NCA). It was a testament to the power of international cooperation in combating cybercrime.

Europol, in a statement, emphasized the significance of this operation, stating, "The arrest of the alleged leader and the seizure of the infrastructure used by the group to conduct its malicious activities is a clear signal that Europol and its partners are actively targeting ransomware groups, their infrastructure, and the financial proceeds they extract from their victims."

One of the key achievements of this operation was the seizure of the Ragnar Locker gang's dark web portal, where they conducted their extortion activities. This move has disrupted their ability to continue their illegal operations and sends a powerful message to other cybercriminals.

The impact of this takedown is expected to be far-reaching. With the dismantling of Ragnar Locker's infrastructure, countless potential victims have been spared from falling prey to their malicious activities. This operation serves as a stark reminder to cybercriminals that the global community is united in its determination to combat cyber threats.

However, it is crucial to remain vigilant in the face of evolving cyber threats. As the digital landscape continues to evolve, criminals may adapt their tactics. Organizations and individuals alike must prioritize cybersecurity measures, including robust antivirus software, regular backups, and employee training to recognize and respond to potential threats.

An important step forward in the battle against cybercrime was made with the successful operation against the Ragnar Locker ransomware organization. It demonstrates the value of global cooperation and makes it quite obvious that cybercriminals will be hunted down and made to answer for their deeds. While this win deserves praise, it also highlights the necessity of ongoing watchfulness and investment in cybersecurity measures to guard against potential attacks.


Proxyjacking Threat: Exploited SSH Servers for Sale on the Dark Web

A new attack targeting Secure Shell (SSH) servers has surfaced in the constantly changing world of cybersecurity: compromised SSH servers are now being offered as proxy pools on the dark web. This trend seriously jeopardizes both the integrity of digital infrastructure worldwide and the security of sensitive data.

The Proxyjacking Menace

Proxyjacking, as it is now termed, involves cybercriminals compromising SSH servers and selling them on the dark web as part of proxy pools. These servers are then used as a gateway for malicious activities, bypassing traditional security measures and gaining unauthorized access to networks. This technique allows attackers to conceal their true identity and location, making it difficult for cybersecurity professionals to trace and mitigate the threat.

Cloudflare, a prominent cybersecurity firm, highlights the significance of SSH in secure networking. SSH tunneling is a powerful tool for encrypting connections and safeguarding sensitive data during transmission. However, when these tunnels are breached, they become a potential point of vulnerability. Cloudflare emphasizes the need for robust security measures to protect against SSH-related threats.

SSH Tunneling and its Vulnerabilities

SSH tunneling is widely used to establish secure connections over untrusted networks. However, when improperly configured or outdated, SSH servers become susceptible to exploitation. Cybercriminals are quick to capitalize on these vulnerabilities, using compromised servers to launch attacks that can lead to data breaches, unauthorized access, and network compromise.

The exploitation of SSH servers for proxyjacking poses a significant risk to organizations and individuals alike. By leveraging these compromised servers, attackers can gain access to sensitive information, compromise critical systems, and disrupt operations. The consequences of such breaches can be severe, ranging from financial losses to reputational damage.

To defend against this emerging threat, organizations must prioritize the security of their SSH servers. Regularly updating and patching systems, implementing strong access controls, and employing advanced intrusion detection systems are essential to fortifying defenses against proxyjacking attacks. Furthermore, organizations should consider monitoring the dark web for any indications of compromised servers associated with their domains.
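As an added example (not from the article or from Cloudflare), here is a small audit of the sshd_config directives that matter most for the scenario above: the forwarding and tunnelling options that let a compromised server be rented out as a proxy, and the authentication options that let it be compromised in the first place. The two configs are constructed; the defaults quoted are OpenSSH's documented ones.

```python
"""Audit an sshd_config for settings that let a compromised SSH server act as
a relay (forwarding/tunnelling) or be taken over (weak authentication)."""
import re
from dataclasses import dataclass

# OpenSSH keeps the FIRST value it reads for each keyword, so a hardened line
# appended at the bottom does not override an earlier weak one. Directives in a
# "Match" block apply only conditionally and are skipped here (assumption: the
# audit covers global policy only).
_DIRECTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(.+?)\s*$")

# keyword -> (OpenSSH default, accepted values or None for a numeric check, why it matters)
POLICY = {
    "AllowTcpForwarding": ("yes", {"no"}, "port forwarding (-L/-R/-D) turns the host into a relay"),
    "GatewayPorts": ("no", {"no"}, "remote forwards bound to all interfaces expose an open proxy"),
    "PermitTunnel": ("no", {"no"}, "tun/tap tunnels route arbitrary traffic through the host"),
    "PasswordAuthentication": ("yes", {"no"}, "guessed passwords are the usual way in"),
    "PermitRootLogin": ("prohibit-password", {"no"}, "root access removes the need to escalate"),
    "PermitEmptyPasswords": ("no", {"no"}, "empty passwords are trivially guessable"),
    "MaxAuthTries": ("6", None, "caps password guesses per connection; keep at 3 or fewer"),
}


@dataclass
class Finding:
    keyword: str
    value: str       # effective value, which may be the OpenSSH default
    explicit: bool   # False when the keyword is absent and the default applies
    reason: str


def effective_settings(text):
    """First global value per keyword (keys lower-cased); stops at the first Match."""
    settings = {}
    for raw in text.splitlines():
        m = _DIRECTIVE.match(raw.split("#", 1)[0])
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":  # everything from here on is conditional
            break
        settings.setdefault(key, value)
    return settings


def _acceptable(value, accepted):
    value = value.strip().lower()
    if accepted is None:  # numeric keyword (MaxAuthTries)
        return value.isdigit() and int(value) <= 3
    return value in accepted


def audit_sshd_config(text):
    """One Finding per policy keyword whose effective value is weak."""
    settings = effective_settings(text)
    findings = []
    for keyword, (default, accepted, reason) in POLICY.items():
        key = keyword.lower()
        value = settings.get(key, default)
        if not _acceptable(value, accepted):
            findings.append(Finding(keyword, value, key in settings, reason))
    return findings


# Constructed: an internet-facing host left close to stock defaults. Note the
# late "AllowTcpForwarding no" that sshd ignores because the first value wins.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
AllowTcpForwarding yes
X11Forwarding no
# added later in a hurry; has no effect
AllowTcpForwarding no
"""

# Constructed: the corrected form, with the one forwarding exception scoped by Match.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
Match User backup-relay
    AllowTcpForwarding local
    PermitOpen 10.0.5.20:22
"""

if __name__ == "__main__":
    for f in audit_sshd_config(WEAK_CONFIG):
        where = "set to" if f.explicit else "defaulting to"
        print(f"{f.keyword} {where} {f.value!r}: {f.reason}")
```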

Proxyjacking has become more prevalent because of vulnerable SSH servers, which underscores the constant need for cybersecurity awareness. Staying informed about new tactics and bolstering defenses is essential as cyber threats continue to evolve. By putting strong security measures in place and monitoring diligently for breaches, organizations can preserve their digital assets and shield themselves from the insidious threat of proxyjacking.


Sony Launches Investigation After Hackers Threaten to Sell Stolen Data on Dark Web


It's likely that you have seen the prominent headlines about the "Sony data breach 2023" and are wondering whether you are at risk or not. Sony, however, is likewise unaware of what is happening at the moment, but at least they have begun investigating it.

Sony has once again found itself in the crosshairs of a cyber attack, this time from the ruthless group known as 'Ransomed.vc' claiming to have successfully breached the tech giant's networks. The gang has stated its aim to sell the stolen data on the black market. 

Earlier in the week Ransomed.vc boldly claimed that it had accessed "all Sony systems" and was ready to dump the stolen data because the company was supposedly "unwilling to pay" a ransom. The group went a step further, warning that if no purchasers materialised by Thursday, September 28, they may start publicising the stolen information. 

Despite the gravity of these allegations, it is critical to recognise that they remain unverified. However, Ransomed.vc did provide some evidence in the form of posted files (about 6,000 in total). This pales in comparison to the broad claim that they corrupted "all Sony systems," including your beloved PlayStation. 

In response to these concerning developments, Sony said on September 26 that it had launched an investigation. The company's spokesperson replied, "We are currently investigating the situation, and we have no further comment at this time." 

Sony's measured response reflects the gravity of the problem and the importance of conducting an in-depth investigation into the suspected breach. 

There is still some ambiguity over the scope of the data that "Ransomed.vc" acquired access to and whether any consumer personal information has been stolen as the investigation into the Sony Data Breach 2023 progresses. The stakes are unquestionably high, and Sony will be meticulously investigating the situation and securing its networks with the assistance of cybersecurity professionals.

The current Sony cyber controversy is being closely watched across the globe. It serves as an alarming reminder of the constantly changing panorama of online risks and the crucial role that cybersecurity measures play in protecting private information in the interconnected world.

BitBrowser Hackers Launder 70.6% of Stolen Funds

Hackers were able to move a remarkable 70.6% of the stolen BitBrowser funds through the eXch crypto mixer in a recent cyber heist that startled the cryptocurrency world. This bold move has sparked concerns about the security of digital assets and the increasing sophistication of thieves.

The attack, which targeted BitBrowser, a decentralized finance (DeFi) platform, first came to light when users reported unauthorized transactions and missing funds. The hackers managed to siphon off a substantial amount of cryptocurrency before the breach was discovered. According to reports, the stolen funds included 236 ETH (Ethereum), which were promptly moved through the eXch crypto mixer to obfuscate their origins.

The eXch crypto mixer, known for its privacy-centric features, allows users to mix their cryptocurrencies with those of other users, making it difficult to trace the source of the funds. This tool has become increasingly popular among hackers looking to launder stolen digital assets.

The BitBrowser hack and subsequent use of the eXch crypto mixer highlight the ongoing battle between cybersecurity experts and cybercriminals. As blockchain technology and cryptocurrencies gain mainstream adoption, they also attract malicious actors seeking to exploit vulnerabilities.

Cybersecurity experts and law enforcement agencies are working tirelessly to track the stolen funds and identify the hackers responsible. However, the use of crypto mixers and other privacy-enhancing tools complicates these efforts. These tools are not inherently illegal, as they also serve legitimate purposes, such as protecting user privacy and enhancing fungibility in cryptocurrencies.

This incident underscores the importance of robust security measures for cryptocurrency platforms and the need for continued innovation in the field of blockchain forensics. Blockchain analysis companies are developing advanced techniques to trace the flow of cryptocurrencies through mixers and dark web marketplaces, but it remains a challenging endeavor.

Cryptocurrency exchanges and DeFi platforms must prioritize security and invest in state-of-the-art cybersecurity measures to protect their users' assets. Additionally, regulatory bodies around the world are tightening their grip on cryptocurrency-related activities to prevent money laundering and illegal financial activities.


Dark Web Grows Stronger. And So Does the Value of Monitoring


The Growing Threat of the Dark Web 

The Dark Web is growing rapidly along with the variety of cybercrime, and so is the value of monitoring it. The cybercrime ecosystem now not only includes private communication platforms like I2P and Tor but also reaches across clear-web sites and Telegram channels.

One of the most significant threats on the Dark Web is stealer logs containing corporate access. These logs are likely one of the most significant vectors for data breaches. Infostealer variants such as Raccoon, Vidar, Titan, and Aurora infect computers, then exfiltrate the browser's stored data, including its fingerprint and all the saved passwords. Threat actors then sell the results on the Dark Web.

The Value of Monitoring 

To detect malicious actors distributing stealer logs across the Dark Web and Telegram, companies can monitor for any logs that contain access to an internal corporate domain, such as sso.companyname.com.
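The monitoring check just described, as an added example that is not part of the original post: it parses a constructed stealer-log excerpt in the usual Passwords.txt layout, matches hosts against the domains the organisation owns on a subdomain boundary (so lookalikes such as companyname.com.evil.net do not count), and also flags corporate e-mail addresses reused on personal sites. companyname.com is the placeholder from the text; every log entry below is made up.

```python
"""Find stealer-log credentials that expose corporate access. Constructed data."""
import hashlib
from urllib.parse import urlsplit

# Domains the organisation owns (placeholder from the article).
CORPORATE_DOMAINS = {"companyname.com"}

# Infostealer dumps vary in field names; map the common ones onto three fields.
_KEY_ALIASES = {
    "url": "url", "host": "url", "hostname": "url",
    "username": "username", "user": "username", "login": "username", "email": "username",
    "password": "password", "pass": "password",
}


def parse_stealer_log(text):
    """Split a Passwords.txt-style dump into records; blocks are separated by
    blank lines or rules of '=', '-' or '*'. Only the first value of a field counts."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"=", "-", "*"}:
            if "url" in current:
                records.append(current)
            current = {}
            continue
        key, sep, value = line.partition(":")
        field = _KEY_ALIASES.get(key.strip().lower())
        if sep and field and field not in current:
            current[field] = value.strip()
    if "url" in current:
        records.append(current)
    return records


def normalise_host(url):
    """Lower-cased hostname from a URL, tolerating a missing scheme and a port."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def host_matches(host, domains):
    """True only for the domain itself or a real subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def find_corporate_exposures(text, domains=CORPORATE_DOMAINS):
    """Records tied to the organisation, with the password reduced to a hint
    (length plus truncated hash) so reuse across dumps can be spotted without
    retaining the secret itself."""
    exposures = []
    for rec in parse_stealer_log(text):
        host = normalise_host(rec["url"])
        user = rec.get("username", "")
        signals = []
        if host_matches(host, domains):
            signals.append("corporate_host")
        if "@" in user and host_matches(user.rsplit("@", 1)[1].lower(), domains):
            signals.append("corporate_identity")
        if not signals:
            continue
        pw = rec.get("password", "")
        digest = hashlib.sha256(pw.encode()).hexdigest()[:12]
        exposures.append({"host": host, "username": user, "signals": signals,
                          "password_hint": f"{len(pw)} chars, sha256:{digest}"})
    return exposures


# Constructed excerpt: two corporate hosts, one personal site with a corporate
# e-mail, one lookalike domain and one unrelated site.
SAMPLE_LOG = """\
URL: https://sso.companyname.com/idp/login
Username: j.doe@companyname.com
Password: Winter2023!
Application: Google Chrome
===============================
URL: vpn.companyname.com:443/remote/login
Username: jdoe
Password: Winter2023!
Application: Microsoft Edge
===============================
URL: https://www.facebook.com/
Username: j.doe@companyname.com
Password: Fluffy1234
Application: Google Chrome
===============================
URL: https://sso.companyname.com.evil.net/idp/login
Username: victim
Password: hunter2
Application: Google Chrome
===============================
URL: https://notcompanyname.com/login
Username: someone
Password: qwerty
Application: Google Chrome
"""

if __name__ == "__main__":
    for hit in find_corporate_exposures(SAMPLE_LOG):
        print(hit["host"], hit["username"], hit["signals"], hit["password_hint"])
```

The identical password hint on the sso and vpn records is the reuse signal worth acting on first.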

Another threat on the Dark Web is Initial Access Brokers (IABs). IABs are active across Dark Web forums, such as XSS and Exploit.in. They establish initial access to companies, which they resell in auction and forum threads, typically for $10,000 to $500,000 per listing, depending on the company and level of access. 

A listing usually contains information such as the number of devices and services compromised, industry of the victim company, antivirus or endpoint detection and response platform the company is using, geographic location of company, and compromised hosts or servers.

Threat actors can purchase this access and use it to deploy ransomware or steal sensitive data or financial resources. Monitoring IAB forums can provide early warning that malicious actors have compromised devices. IABs never list the exact company name but generally provide enough detail that if your organization is a victim, there is a reasonable chance you can identify it.

Clop Attacks: More Organizations Confirm to have Fallen Prey to MOVEit Mass-hack


As the ongoing MOVEit hack continues to unfold, new names have emerged among those that fell prey to the attack. These organizations include hotel chain Radisson, U.S.-based 1st Source Bank, real estate giant Jones Lang LaSalle and Dutch GPS company TomTom.

They join the numerous victims of the Clop ransomware gang, which is responsible for the widespread data raids targeting corporate customers of Progress Software's MOVEit file-transfer program.

Radisson Hotels Americas

One of the recently identified victim organizations is Radisson Hotels Americas. The international hotel chain, which has more than 1,100 locations, is now listed on Clop's dark web leak site following the attack.

Moe Rama, spokesperson for Choice Hotels (which acquired Radisson Hotels Group in 2022), said that a “limited number of guest records were accessed by hackers exploiting the MOVEit Transfer vulnerability,” but declined to say how many guests had been affected.

Jones Lang LaSalle

Jones Lang LaSalle, the U.S.-based real estate giant, also says it suffered a data breach as a result of the cyberattack. According to a source with knowledge of the incident, the company informed its employees about the attack via email. The emails said that all employee data had been compromised, except Social Security numbers. Apparently, the data breach affected all of the organization’s 43,000 employees.

“We were notified by MOVEit of a previously unknown security vulnerability in their software. Our immediate investigation detected unauthorized access to a limited number of files; we contained the malicious activity and patched our systems per vendor-provided instructions,” said JLL spokesperson Allison Heraty.

“Our priority has been to communicate directly with those impacted as well as all relevant authorities, which we have done,” she added. One of the first MOVEit victims to be identified by Clop, 1st Source Bank, disclosed in a regulatory filing on Monday that hackers gained access to "sensitive client data of commercial and individual clients, including personally identifiable information."

In a statement, the bank says, “The company has notified and is working with its commercial clients so impacted and is in the process now of identifying and directly notifying individual clients who have been impacted.”

UofL Health

After appearing on Clop's dark web leak site, UofL Health, an academic health system with headquarters in Kentucky, acknowledged that it had been the subject of the hacks. However, UofL Health did not confirm if data had been accessed.

“Recently, the United States government confirmed that multiple federal agencies had been affected by cyberattacks which exploited a security vulnerability in a popular file transfer tool called MOVEit[…]Unfortunately, a small number of UofL Health medical practices used this software to transfer files to third party vendors," said UofL Health spokesperson David McArthur. “Upon learning of this event, UofL Health immediately took action and is now working with a forensic IT agency to determine the scope of the matter. The security of normal operations at UofL Health hospitals, medical centers, and physician offices has not been jeopardized.”

TomTom

On Tuesday, Dutch navigation giant TomTom also confirmed that it had fallen victim to Clop. “We at TomTom were immediately aware of a data breach that occurred on our vendor’s platform, MOVEit, last month,” said TomTom spokesperson Ivo Bökkerink. “We have taken all necessary safety and security measures to protect the data, and we have informed the relevant authorities,” the company stated. However, it has not been made clear what data (if any) was stolen.

Following the recent disclosure, several other companies came forward confirming that they had fallen prey to the Clop cyberattacks. Some of them include German investment bank Deutsche Bank, the University of Colorado, the University of Illinois, diagnostics company Realm IDX, and New York-based biopharmaceutical firm Bristol Myers Squibb.

Moreover, there are many other organizations that appeared on Clop’s dark web leak site. However, they did not provide any official statement over the issue. These companies include an electronics maker, a global technology company, a corporate travel management giant and a human resources software maker.

With this, the MOVEit hackers have claimed almost 270 victim organizations so far, impacting no fewer than 17 million individuals, according to the latest report by Emsisoft threat analyst Brett Callow.