For a long time, ransomware incidents have followed a predictable pattern. An organization’s systems are locked, critical files become inaccessible, operations slow down or stop entirely, and leadership must decide whether to recover data from backups or pay a ransom.
That pattern still exists today, but recent findings show that the threat has evolved into multiple forms.
A recent industry report based on hundreds of real-world incident response cases reveals that attackers are increasingly moving toward a different strategy. Instead of encrypting data, many are now stealing it and using it for extortion. These “data-only” attacks have increased sharply, rising from just 2 percent of cases to 22 percent within a year, representing an elevenfold jump.
This trend is also reflected in broader industry data. The Verizon 2025 Data Breach Investigations Report treats both encrypted and non-encrypted ransomware incidents as part of a single extortion category. According to its findings, ransomware was involved in 44 percent of the breaches it studied.
Why resilience needs to be redefined
These developments highlight a critical issue. Many organizations still treat ransomware mainly as a problem of restoring operations. Their focus is often on how quickly systems can be brought back online, whether backups are secure, and how much downtime can be managed.
While these factors remain relevant, they are no longer enough to address the full scope of risk.
When attackers shift their focus from disabling systems to stealing sensitive information, the situation changes completely. The priority is no longer just restoring access to systems. Instead, organizations must immediately understand what data has been taken, who owns it, and how sensitive it is.
This includes identifying whether the exposed information involves customer records, regulated datasets, intellectual property, or internal communications. It also requires knowing where that data was stored, whether in primary systems, cloud services, third-party platforms, or legacy storage that may have been retained unnecessarily.
If leadership teams cannot quickly answer these questions, restoring systems will not prevent further damage, including regulatory consequences, reputational harm, or legal exposure.
Data theft is becoming the main objective
Additional reporting reinforces this shift. Data from Coveware shows that in the second quarter of 2025, data exfiltration occurred in 74 percent of ransomware incidents. The company noted that in many cases, stealing data has become the central objective rather than just a step before encryption.
Attackers are no longer focused only on disruption. Instead, they are aiming to maximize pressure by using stolen data as leverage.
Encryption still exists, but its role is changing
This does not mean that encryption-based attacks have disappeared. Many ransomware operations still use a “double extortion” approach, where they both lock systems and steal data.
However, the key change is that data theft alone can now be enough to force payment. This reduces the effectiveness of relying solely on backups as a defense strategy.
Organizations such as the Cybersecurity and Infrastructure Security Agency continue to stress the importance of maintaining secure, offline backups that are regularly tested. They also warn that backups which synchronize continuously, cloud storage included, are not immune: encrypted or deleted files can be replicated into the backup and overwrite the clean copies.
This underlines a broader reality: restoring systems is only one part of true resilience.
Moving beyond a recovery-focused mindset
The cybersecurity industry is gradually adjusting to these changes. There is a growing emphasis on protecting and understanding data, rather than focusing only on system recovery.
This is a meaningful shift. Resilience is no longer just about recovering from an attack; it is about reducing uncertainty about data exposure before an incident occurs.
However, many organizations still measure their preparedness using disaster recovery metrics such as recovery time objectives and backup testing. Even service providers often frame ransomware readiness in these terms.
In a data-driven threat environment, a more meaningful measure of security maturity is whether an organization truly understands its data. This includes knowing where sensitive information is stored, how it moves across systems, who has access to it, and whether it needs to be retained.
Guidance from the National Institute of Standards and Technology supports this approach. Its Cybersecurity Framework 2.0 recommends maintaining detailed inventories of data, including its type, ownership, origin, and location. It also emphasizes lifecycle management, such as securely deleting unnecessary data and reducing redundant systems that increase exposure.
NIST’s incident response guidance further highlights that organizations with clear data inventories are better equipped to determine what information may have been affected during a breach.
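The inventory NIST describes is easier to reason about once you see its fields populated. The following is an added example, not code from the article, NIST, or any vendor: a minimal inventory pass over a directory tree that records, for every file, the data type it holds (here a crude e-mail and Luhn-checked card-number classifier), the owner, the location and the age, and flags files older than a retention limit. The sample tree, the owner map (keyed by top-level directory) and the 365-day retention limit are all constructed for the demo; a real pass would take ownership from the file system or an asset register and use a proper classification engine.

```python
"""Added example (not from the article or NIST): a minimal data-inventory pass
over a directory tree in the spirit of the CSF 2.0 inventory fields.
For every file it records type (what sensitive content it holds), owner,
location and age, and flags files past a retention limit.
The sample tree, the owner map and the retention limit are constructed here."""
import os
import re
import tempfile
import time
from dataclasses import dataclass

# Crude content classifiers: an e-mail pattern and a card-number candidate
# (13-19 digits with optional spaces/dashes) that must also pass Luhn.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so random digit runs (ticket numbers, IDs) are not
    counted as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(data: bytes) -> tuple:
    """Sorted tuple of data types found in the content, e.g. ("card", "email")."""
    kinds = set()
    if EMAIL_RE.search(data):
        kinds.add("email")
    for m in CARD_RE.finditer(data):
        if luhn_ok(re.sub(rb"[ -]", b"", m.group(0)).decode()):
            kinds.add("card")
            break
    return tuple(sorted(kinds))


@dataclass(frozen=True)
class Record:
    path: str       # location, relative to the scanned root
    owner: str      # from the owner map keyed by top-level directory
    kinds: tuple    # data types found; () if none
    age_days: int
    stale: bool     # older than the retention limit


def inventory(root: str, owners: dict, retention_days: int, now: float) -> list:
    """Walk `root` and build one Record per file, sorted by path."""
    records = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                kinds = classify(fh.read())
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            age = max(0, round((now - os.path.getmtime(path)) / 86400))
            records.append(Record(rel, owners.get(rel.split("/")[0], "unassigned"),
                                  kinds, age, age > retention_days))
    return sorted(records, key=lambda r: r.path)


def build_sample(root: str, now: float) -> None:
    """Constructed sample tree: a current CRM export holding a Luhn-valid test
    card number, a 400-day-old export under legacy/ with only an e-mail
    address (its digit run fails Luhn), and a harmless notes file."""
    os.makedirs(os.path.join(root, "crm"))
    os.makedirs(os.path.join(root, "legacy"))
    with open(os.path.join(root, "crm", "export.csv"), "wb") as fh:
        fh.write(b"alice@example.com,4111 1111 1111 1111\n")
    with open(os.path.join(root, "crm", "notes.txt"), "wb") as fh:
        fh.write(b"meeting at 10:00, see ticket 20240101\n")
    stale = os.path.join(root, "legacy", "old_export.csv")
    with open(stale, "wb") as fh:
        fh.write(b"bob@example.com,1234567812345678\n")
    old = now - 400 * 86400
    os.utime(stale, (old, old))


def demo() -> list:
    """Scan the constructed tree with a 365-day retention limit."""
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        build_sample(root, now)
        return inventory(root, {"crm": "sales"}, 365, now)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

The useful output is not the card hit in the current export but the record for legacy/old_export.csv: an owner of "unassigned" and a stale flag together are exactly the "retained unnecessarily, nobody responsible" condition the article describes, and it is the record an incident responder would need when asked what an attacker could have taken.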
The hidden risk of data sprawl
A major challenge for many organizations is uncontrolled data growth. Sensitive information is often copied across multiple platforms, including cloud storage, collaboration tools, shared drives, employee devices, and third-party services.
At the same time, outdated data is rarely deleted, often because responsibility for doing so is unclear. Access permissions also tend to expand over time without proper review.
As a result, organizations may appear prepared due to strong backup systems, while actually carrying significant hidden risk due to poorly managed data.
The bigger strategic lesson
The key takeaway is not that backups are unimportant. They remain a critical part of cybersecurity. However, they solve a different problem.
Backups help restore systems after disruption. They do not protect against the consequences of stolen data, such as loss of confidentiality, reputational damage, or reduced negotiating power during an extortion attempt.
To address modern threats, resilience must become more focused on data. This includes better classification of sensitive information, stronger access controls, improved visibility across cloud and third-party systems, and stricter data retention practices to reduce unnecessary exposure.
Organizations also need to communicate more clearly with leadership and stakeholders about the difference between operational recovery and true resilience.
Ultimately, the organizations best prepared for modern ransomware are not just those that can recover quickly, but those that already understand their data well enough to respond immediately.
In today’s environment, the gap between having backups and truly understanding data is where attackers gain their advantage.
The ransomware group known as RansomHouse has recently enhanced the encryption mechanism used in its attacks, moving away from a basic, single-step process to a more advanced, multi-layered approach. This change reflects a deliberate effort to strengthen the effectiveness of its ransomware operations.
Earlier versions of the encryptor relied on a linear method, where data was transformed in one continuous pass. The updated version introduces multiple stages of processing, which results in stronger encryption, improved execution speed, and greater stability across modern systems. These improvements increase the pressure on victims by making encrypted data harder to recover and negotiations more favorable for attackers after systems are locked.
RansomHouse first appeared in late 2021 as a cybercrime group focused on data extortion, where stolen information was used as leverage rather than encryption alone. Over time, the group expanded its tactics and began deploying ransomware encryptors during attacks. It also developed an automated tool, known as MrAgent, designed to simultaneously encrypt multiple VMware ESXi hypervisors, a technique that allows attackers to disrupt large virtualized environments efficiently.
In more recent activity, security analysts observed RansomHouse using more than one ransomware strain during attacks on a major Japanese e-commerce company. This suggests a flexible operational strategy rather than reliance on a single malware family.
Further insight into the group’s evolving capabilities comes from a new analysis by cybersecurity researchers, who examined RansomHouse’s latest encryptor, internally referred to as “Mario.” This version introduces a two-stage data transformation process that relies on two different encryption keys, one substantially longer than the other. According to the researchers, the two-key scheme makes partial file recovery or reconstruction far more difficult.
The updated encryptor also changes how files are handled. Instead of treating every file the same way, it adjusts its behaviour to file size: large files are processed in dynamically sized chunks, with encryption applied intermittently rather than to every byte. Besides making the malware's behaviour less predictable for analysts, this pattern reduces the amount of data that has to be read and written, so encryption finishes faster and the resulting files do not show the uniformly high entropy that simple detection heuristics look for.
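To make the detection consequence concrete, here is an added example that is not RansomHouse's code and makes no claim about Mario's real cipher or chunk policy. It applies a toy size-dependent intermittent scheme (SHA-256 counter-mode keystream standing in for the real cipher; the chunk policy is invented) to a constructed text file, then runs two detectors over the result: a naive whole-file entropy check, and a windowed check that scores fixed-size blocks separately.

```python
"""Added example (not RansomHouse's code): how intermittent, size-dependent
encryption defeats a whole-file entropy check, and a chunk-level check that
still catches it. The cipher is a SHA-256 counter-mode keystream standing in
for the real one, the chunk policy is invented for the demo, and the input
file is constructed text."""
import hashlib
import math
from collections import Counter


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || counter) blocks, truncated to length."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def chunk_plan(size: int) -> tuple:
    """Invented size policy: small files fully, mid-size files 4 KiB
    encrypted then 12 KiB skipped, large files 4 KiB then 64 KiB skipped."""
    if size <= 64 * 1024:
        return size, 0
    if size <= 1024 * 1024:
        return 4096, 3 * 4096
    return 4096, 64 * 1024


def intermittent_encrypt(data: bytes, key: bytes, chunk: int, skip: int) -> bytes:
    """Encrypt `chunk` bytes, leave the next `skip` bytes as they are, repeat."""
    ks = keystream(key, len(data))
    out = bytearray(data)
    pos = 0
    while pos < len(data):
        end = min(pos + chunk, len(data))
        out[pos:end] = bytes(a ^ b for a, b in zip(data[pos:end], ks[pos:end]))
        pos = end + skip
    return bytes(out)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0 for empty input, at most 8)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def whole_file_flag(data: bytes, threshold: float = 7.0) -> bool:
    """Naive detector: one entropy value for the whole file."""
    return entropy(data) >= threshold


def chunk_flag(data: bytes, chunk: int = 1024, threshold: float = 7.5,
               min_hits: int = 2) -> bool:
    """Detector that scores fixed windows separately and fires when at least
    `min_hits` windows look like ciphertext."""
    hits = sum(1 for i in range(0, len(data), chunk)
               if entropy(data[i:i + chunk]) >= threshold)
    return hits >= min_hits


def demo() -> dict:
    """(whole_file_flag, chunk_flag) for plaintext, intermittently encrypted
    and fully encrypted versions of a constructed ~264 KiB text file."""
    key = b"constructed-demo-key"
    plain = b"Quarterly revenue report: region north, units 1204, margin 31.5%.\n" * 4096
    chunk, skip = chunk_plan(len(plain))
    partial = intermittent_encrypt(plain, key, chunk, skip)
    full = intermittent_encrypt(plain, key, len(plain), 0)
    return {name: (whole_file_flag(d), chunk_flag(d))
            for name, d in (("plain", plain), ("partial", partial), ("full", full))}


if __name__ == "__main__":
    for name, flags in demo().items():
        print(f"{name:8s} whole-file={flags[0]} chunked={flags[1]}")
```

With roughly a quarter of the file encrypted, the whole-file entropy lands around 6 bits per byte and the naive check stays silent, while the windowed check sees dozens of 1 KiB blocks that look like ciphertext. Production detectors add more than entropy (file-header checks, rename patterns, write-rate anomalies), but scoring windows rather than whole files is the minimum needed once encryptors go intermittent.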
Researchers also noted improvements in how the encryptor manages memory. The newer version separates tasks across multiple buffers, with each buffer assigned a specific role during encryption. This design increases operational complexity and reduces inefficiencies found in earlier variants.
Another visible change is the amount of internal information displayed during file processing. Unlike older versions, which only indicated when encryption was complete, the new encryptor provides more detailed status output as it operates.
Despite these changes, the ransomware continues to focus on virtual machine-related files, renaming encrypted data with a new extension and placing ransom instructions across affected directories.
Security researchers caution that these upgrades indicate a troubling direction in ransomware development. While RansomHouse does not carry out attacks at the scale of larger ransomware groups, its continued investment in advanced encryption techniques points to a strategy centered on precision, resilience, and evasion rather than volume.
Akira, one of the most active ransomware operations this year, has expanded its capabilities and increased the scale of its attacks, according to new threat intelligence shared by global security agencies. The group’s operators have upgraded their ransomware toolkit, continued to target a broad range of sectors, and sharply increased the financial impact of their attacks.
Data collected from public extortion portals shows that by the end of September 2025 the group had claimed roughly 244.17 million dollars in ransom proceeds. Analysts note that this figure represents a steep rise compared to estimates released in early 2024. Current tracking data places Akira second in overall activity among hundreds of monitored ransomware groups, with more than 620 victim organisations listed this year.
The growing number of incidents has prompted an updated joint advisory from international cyber authorities. The latest report outlines newly observed techniques, warns of the group’s expanded targeting, and urges all organisations to review their defensive posture.
Researchers confirm that Akira has introduced a new ransomware strain, commonly referenced as Akira v2. This version is designed to encrypt files at higher speeds and make data recovery significantly harder. Systems affected by the new variant often show one of several extensions, which include akira, powerranges, akiranew, and aki. Victims typically find ransom instructions stored as text files in both the main system directory and user folders.
Investigations show that Akira actors gain entry through several familiar but effective routes. These include exploiting security gaps in edge devices and backup servers, taking advantage of authentication bypass and scripting flaws, and using buffer overflow vulnerabilities to run malicious code. Stolen or brute forced credentials remain a common factor, especially when multi factor authentication is disabled.
Once inside a network, the attackers quickly establish long-term access. They generate new domain accounts, including administrative profiles, and have repeatedly created an account named itadm during intrusions. The group also uses legitimate system tools to explore networks and identify sensitive assets. This includes commands used for domain discovery and open-source frameworks designed for remote execution. In many cases, the attackers uninstall endpoint detection products, change firewall rules, and disable antivirus tools to remain unnoticed.
The group has also expanded its focus to virtual and cloud based environments. Security teams recently observed the encryption of virtual machine disk files on Nutanix AHV, in addition to previous activity on VMware ESXi and Hyper-V platforms. In one incident, operators temporarily powered down a domain controller, copied its virtual disk files and attached them to a new virtual machine so that the domain's credential store could be read offline, giving them access to privileged credentials.
Command and control activity is often routed through encrypted tunnels, and recent intrusions show the use of tunnelling services to mask traffic. Authorities warn that data theft can occur within hours of initial access.
Security agencies stress that the most effective defence remains prompt patching of known exploited vulnerabilities, enforcing multi factor authentication on all remote services, monitoring for unusual account creation, and ensuring that backup systems are fully secured and tested.
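The advisory's "monitor for unusual account creation" is easier to act on with the pattern spelled out: a new domain account, sometimes named itadm, followed shortly by its addition to a privileged group. The following is an added example, not code from the advisory or any agency: a triage pass over Windows Security events exported as JSON records. The records are constructed for the demo; the field names follow the event data of 4720 (user account created) and 4728/4732/4756 (member added to a security-enabled global/local/universal group), where TargetUserName is the new account for 4720 but the group for the group-add events, and MemberName carries the member's distinguished name.

```python
"""Added example (not from the advisory): triage of Windows Security events
for the account-creation pattern the Akira advisory describes. The records
below are constructed in the shape of a JSON export of the Security log."""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_IDS = {4728, 4732, 4756}
KNOWN_ACTOR_NAMES = {"itadm"}  # account name repeatedly created by Akira actors

# Constructed sample: a night-time 'itadm' creation promoted to Domain Admins a
# minute later by a service account, a routine onboarding, and a pre-existing
# account added to Domain Admins with no creation event nearby.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2025-09-14T02:14:07", "Computer": "DC01",
     "SubjectUserName": "svc_backup", "TargetUserName": "itadm"},
    {"EventID": 4728, "TimeCreated": "2025-09-14T02:15:30", "Computer": "DC01",
     "SubjectUserName": "svc_backup", "TargetUserName": "Domain Admins",
     "MemberName": "CN=itadm,CN=Users,DC=corp,DC=example"},
    {"EventID": 4720, "TimeCreated": "2025-09-14T09:05:00", "Computer": "DC01",
     "SubjectUserName": "hr.admin", "TargetUserName": "j.smith"},
    {"EventID": 4732, "TimeCreated": "2025-09-14T09:06:10", "Computer": "DC01",
     "SubjectUserName": "hr.admin", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=j.smith,CN=Users,DC=corp,DC=example"},
    {"EventID": 4728, "TimeCreated": "2025-09-14T11:00:00", "Computer": "DC01",
     "SubjectUserName": "p.karl", "TargetUserName": "Domain Admins",
     "MemberName": "CN=p.karl,CN=Users,DC=corp,DC=example"},
]


def member_cn(dn: str) -> str:
    """First CN= component of a MemberName DN: 'CN=itadm,CN=Users,...' -> 'itadm'."""
    for part in dn.split(","):
        if part.upper().startswith("CN="):
            return part[3:]
    return dn


def triage(events: list, window: timedelta = timedelta(minutes=30)) -> list:
    """Return (rule, account, detail) findings in time order.

    Rules: a created account whose name is on the known-actor list; a newly
    created account added to a privileged group within `window`; and any
    other privileged-group addition, which still deserves a review."""
    created = {}   # account -> creation time
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        t = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%S")
        eid = ev["EventID"]
        if eid == 4720:
            acct = ev["TargetUserName"].lower()
            created[acct] = t
            if acct in KNOWN_ACTOR_NAMES:
                findings.append(("known_actor_name", acct, ev["SubjectUserName"]))
        elif eid in GROUP_ADD_IDS:
            group = ev["TargetUserName"]
            if group not in PRIVILEGED_GROUPS:
                continue
            acct = member_cn(ev["MemberName"]).lower()
            if acct in created and t - created[acct] <= window:
                findings.append(("new_account_to_privileged_group", acct, group))
            else:
                findings.append(("privileged_group_change", acct, group))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The name match is the weakest rule, since actors can pick any name; the creation-to-privilege correlation is the one to keep, because it fires on the behaviour rather than the string. Fed from a domain controller's Security log (or a SIEM export in the same shape), it also catches the legitimate-but-unreviewed case in the last record.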
A security bulletin from Anthropic describes a recent cybercrime campaign in which a threat actor used the company’s Claude AI system to steal data and demand payment. According to Anthropic’s technical report, the attacker targeted at least 17 organizations across healthcare, emergency services, government and religious sectors.
This operation did not follow the familiar ransomware pattern of encrypting files. Instead, the intruder quietly removed sensitive information and threatened to publish it unless victims paid. Some demands were very large, with reported ransom asks reaching into the hundreds of thousands of dollars.
Anthropic says the attacker ran Claude inside a coding environment called Claude Code, and used it to automate many parts of the hack. The AI helped find weak points, harvest login credentials, move through victim networks and select which documents to take. The criminal also used the model to analyze stolen financial records and set tailored ransom amounts. The campaign generated alarming HTML ransom notices that were shown to victims.
Anthropic discovered the activity and took steps to stop it. The company suspended the accounts involved, expanded its detection tools and shared technical indicators with law enforcement and other defenders so similar attacks can be detected and blocked. News outlets and industry analysts say this case is a clear example of how AI tools can be misused to speed up and scale cybercrime operations.
Why this matters for organizations and the public
AI systems that can act automatically introduce new risks because they let attackers combine technical tasks with strategic choices, such as which data to expose and how much to demand. Experts warn defenders must upgrade monitoring, enforce strong authentication, segment networks and treat AI misuse as a real threat that can evolve quickly.
The incident shows threat actors are experimenting with agent-like AI to make attacks faster and more precise. Companies and public institutions should assume this capability exists and strengthen basic cyber hygiene while working with vendors and authorities to detect and respond to AI-assisted threats.
The Federal Bureau of Investigation (FBI) has warned corporate executives about a new scam designed to trick them into paying large sums of money. Criminals are sending threatening letters claiming to have stolen sensitive company data and demanding a ransom. They are falsely using the name of a well-known hacker group to appear more convincing. However, the FBI has found no actual link between the scammers and the group they claim to represent.
How the Scam Operates
According to an FBI alert issued on March 6, 2025, the scammers are mailing letters to company executives marked as urgent. These letters state that hackers have broken into their company's systems and taken confidential data. The scammers then demand a payment of anywhere between 250,000 and 500,000 dollars to prevent the data from being exposed online.
To pressure victims into paying, the letter includes a QR code that directs them to a Bitcoin wallet for the ransom payment. The message also warns that the criminals will not negotiate, adding to the urgency.
The letter claims to be from a group known for past cyberattacks, but investigators have found no evidence that the real organization is behind these threats. Instead, scammers are using the group's name to make their claims seem more credible and to scare victims into complying.
Why Executives Are Being Targeted
Top business leaders often have access to critical company information, making them valuable targets for cybercriminals. Attackers believe that these individuals will feel pressured to act quickly when they receive threats about stolen data. By creating a sense of urgency, the scammers hope their victims will pay the ransom without questioning its legitimacy.
The FBI has stressed that companies should not assume the threats are real just because they mention a well-known hacking group. Instead, businesses should focus on improving their cybersecurity defenses and educating employees about potential scams.
How to Protect Against This Scam
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have shared several important steps businesses can take to safeguard themselves against such scams:
1. Inform and Educate – Business executives and employees should be aware of this type of scam so they can identify suspicious threats and avoid panic.
2. Strengthen Security Systems – Companies should ensure that their firewalls, antivirus software, and security protocols are up to date and functioning effectively.
3. Establish a Response Plan – Organizations should have a clear strategy in place for handling extortion threats. They should not respond or pay the ransom but instead follow proper security procedures.
4. Report Suspicious Activity – If a business receives one of these extortion letters, it should immediately inform the FBI or report the incident through the Internet Crime Complaint Center (IC3). Reporting such cases helps authorities track cybercriminals and take action against them.
Why Awareness is Crucial
This scam highlights the growing trend of cybercriminals using fear to manipulate victims into handing over large amounts of money. While there is no confirmation that the real hacker group mentioned in the letter is involved, this situation serves as a reminder for businesses to stay cautious.
The best way to prevent falling victim to such scams is through strong security measures, employee awareness, and prompt reporting of suspicious activity. The FBI is closely monitoring the situation and urges companies to take cybersecurity seriously to avoid financial and reputational damage.
The recent ransomware attack on UnitedHealth Group serves as a stark reminder of the vulnerabilities that even the largest corporations face. The attack, which has resulted in costs soaring to at least $2.3 billion, underscores the severe financial and operational impacts of cyber threats.
The health insurer disclosed the estimate in its second-quarter earnings report on Tuesday. The figure builds on what UnitedHealth has already spent restoring its systems after the attack, which caused a severe outage in February.
UnitedHealth Group, a leading healthcare and insurance provider, was hit through its Change Healthcare subsidiary. The attackers encrypted critical data and demanded a ransom for its release, and the breach exposed gaps in the company’s defenses that the intruders were able to exploit.
In response to the attack, UnitedHealth made the difficult decision to pay a $22 million ransom. While this payment was significant, it represents only a fraction of the total costs incurred. The immediate priority was to restore systems and ensure the continuity of services for millions of customers who rely on UnitedHealth for their healthcare needs.
System Restoration: Restoring encrypted data and rebuilding IT infrastructure required substantial investment. This process involved not only technical recovery but also ensuring that systems were secure against future attacks.
Lost Revenue: During the period of disruption, UnitedHealth experienced significant revenue losses. The inability to process claims, manage patient data, and provide timely services had a direct impact on the company’s financial performance.
Operational Costs: Additional costs were incurred in the form of overtime pay for employees working to mitigate the attack’s effects, hiring external cybersecurity experts, and implementing enhanced security measures.
Legal and Regulatory Expenses: Navigating the legal and regulatory landscape post-attack added another layer of costs. Compliance with data protection regulations and managing potential lawsuits required extensive legal resources.
Customer Support Initiatives: To maintain customer trust, UnitedHealth launched several support initiatives. These included offering free credit monitoring services to affected individuals and setting up dedicated helplines to address customer concerns.
The disruption also prevented UnitedHealth from processing prescriptions, contributing to the revenue loss reported in its earnings release.
In Q1, UnitedHealth predicted that the attack would cost the company between $1 billion and $1.2 billion. In Tuesday's results release it raised that forecast to more than $2 billion, citing "financial support initiatives and consumer notification costs," which include loans and advances to affected hospitals and pharmacies.
In the second quarter alone, UnitedHealth incurred "$1.1 billion in unfavorable cyber attack effects," according to the business.
UnitedHealth is still recovering from the ransomware attack, while the "majority" of its IT systems have been restored. Furthermore, multiple class-action lawsuits have been brought against UnitedHealth for failing to protect patient information. As a result, the ransomware attack's costs to the organization may continue to rise.
A new wave of cyberattacks is targeting GitHub repositories, wiping their contents, and demanding ransom from victims. This alarming campaign, first identified on Wednesday by Germán Fernández, a security researcher at Chilean cybersecurity firm CronUp, is being orchestrated by a threat actor using the handle "Gitloker" on Telegram.
The attackers are reportedly compromising GitHub accounts using stolen credentials. Once they gain access, they delete the contents of the repositories and create a backup of the data, which they claim can restore the deleted information. The compromised repositories are then renamed, and a single README.me file is added, instructing victims to contact the attackers via Telegram for further details.
Victims receive a ransom note that reads, "I hope this message finds you well. This is an urgent notice to inform you that your data has been compromised, and we have secured a backup." This message is intended to coerce the victims into engaging with the attackers in hopes of recovering their lost data.
GitHub has yet to release an official statement regarding the Gitloker extortion campaign. However, the platform has previously advised users to take several precautionary measures to secure their accounts. These include changing passwords, enabling two-factor authentication, adding a passkey for secure, passwordless login, and reviewing account security logs to track any changes in the repositories.
Security Recommendations
To protect against such malicious activities, GitHub users are encouraged to:
Enable Two-Factor Authentication: This adds an extra layer of security to prevent unauthorised access.
Review and Revoke Unauthorised Access: Regularly check for and remove any unauthorised SSH keys, deploy keys, and integrations.
Verify Email Addresses: Ensure all email addresses associated with the account are verified.
Monitor Security Logs: Keep an eye on account security logs to detect any suspicious activities.
Manage Webhooks and Deploy Keys: Regularly review and manage webhooks and deploy keys on repositories.
Review Recent Commits and Collaborators: Continuously check recent commits and collaborators for each repository to identify any unauthorised changes.
Previous Attacks on GitHub
This is not the first time GitHub users have faced such threats. In March 2020, hackers compromised Microsoft's GitHub account, stealing over 500GB of files from private repositories. While the stolen data primarily consisted of code samples and test projects, there was concern that private API keys or passwords might have been exposed.
Phishing Campaigns
In September 2022, GitHub users were targeted by a phishing campaign that used fake CircleCI notifications to steal GitHub credentials and two-factor authentication codes. Once an account was compromised, attackers quickly exfiltrated data from private repositories and added new user accounts to maintain access.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint Cybersecurity Advisory (CSA) on Scattered Spider, a cybercriminal gang that targets commercial facilities and their subsectors. The advisory contains tactics, techniques, and procedures (TTPs) gathered from FBI investigations as recent as November 2023.
The FBI and CISA encourage network defenders and critical infrastructure companies to study the joint CSA for proposed mitigations to decrease the possibility and severity of a cyberattack by Scattered Spider actors.
Last year, the hacking collective called Scattered Spider made international headlines for its destructive cyberattacks on gambling behemoths MGM Resorts and Caesars Entertainment. Analysts identified the hackers in 2022, who employ social engineering to trick people into disclosing their login credentials or one-time password codes to defeat multifactor authentication.
Once inside, the group, which is also tracked as Star Fraud, UNC3944 and Octo Tempest, establishes persistence in networks, living off the land much as some state-sponsored actors do, before deploying ransomware, stealing data and demanding ransoms from victims.
Scattered Spider’s modus operandi revolves around data theft. They infiltrate systems, exfiltrate sensitive information, and then hold it hostage for ransom. Their victims include high-profile organizations, and the stakes are high. The group’s ability to extract valuable data without detection is a testament to their skill.
Scattered Spider doesn’t rely solely on traditional hacking methods. They’ve embraced ransomware, specifically the BlackCat/ALPHV variant. This malicious software encrypts victims’ files, rendering them inaccessible until a ransom is paid. The group’s proficiency in deploying ransomware underscores their adaptability.
What sets Scattered Spider apart is their mastery of social engineering. They exploit human psychology to gain access to systems. Whether through phishing emails, impersonation, or psychological manipulation, they find the weakest link—the human element—and exploit it. Their ability to deceive and manipulate individuals is their secret weapon.
Scattered Spider often targets employees directly. An unsuspecting employee may click a malicious link or share credentials with a convincing caller. The group’s understanding of human behavior lets it bypass technical defenses, so security teams must treat the help desk and the wider workforce as part of the attack surface and train them accordingly.
The Federal Bureau of Investigation (FBI) is actively pursuing Scattered Spider. Their dedicated cybercrime units are tracking down group members. However, the group remains elusive, operating across borders and leaving minimal traces. The FBI’s challenge lies in balancing resources to combat this agile adversary.
The FBI collaborates with international agencies, sharing intelligence and pooling resources. Scattered Spider’s attacks span continents, and global cooperation is essential. By working together, law enforcement agencies can build a comprehensive profile of the group and disrupt their operations.
Scattered Spider is a formidable adversary in the cybercrime landscape, and law enforcement agencies are actively working to counter their activities. For more information, check this advisory.
A well-known ransomware organization operating in Ukraine has been successfully taken down by an international team under the direction of Europol, marking a major win against cybercrime. In this operation, the criminal group behind several high-profile attacks was the target of multiple raids.
The joint effort, which included law enforcement agencies from various countries, highlights the growing need for global cooperation in combating cyber threats. The dismantled group had been a prominent player in the world of ransomware, utilizing sophisticated techniques to extort individuals and organizations.
The operation comes at a crucial time, with Ukraine already facing challenges due to ongoing geopolitical tensions. Europol's involvement underscores the commitment of the international community to address cyber threats regardless of the geopolitical landscape.
One of the key events leading to the takedown was a series of coordinated raids across Ukraine. These actions, supported by Europol, aimed at disrupting the ransomware gang's infrastructure and apprehending key individuals involved in the criminal activities. The raids not only targeted the group's operational base but also sought to gather crucial evidence for further investigations.
Europol, in a statement, emphasized the significance of international collaboration in combating cybercrime. "This successful operation demonstrates the power of coordinated efforts in tackling transnational threats. Cybercriminals operate globally, and law enforcement must respond with a united front," stated the Europol representative.
The dismantled ransomware gang was reportedly using the LockerGoga ransomware variant, known for its targeted attacks on high-profile victims. The group's activities had raised concerns globally, making its takedown a priority for law enforcement agencies.
In the aftermath of the operation, cybersecurity experts are optimistic about the potential impact on reducing ransomware threats. However, they also stress the importance of continued vigilance and collaboration to stay ahead of evolving cyber threats.
As the international community celebrates this successful operation, it serves as a reminder of the ongoing battle against cybercrime. The events leading to the dismantlement of the Ukrainian-based ransomware gang underscore the necessity for countries to pool their resources and expertise to protect individuals, businesses, and critical infrastructure from the ever-evolving landscape of cyber threats.
Japanese cycling-component manufacturer Shimano has apparently been targeted by the ransomware group LockBit, which is threatening to publish the data on November 5, 2023, at 18:34:13 UTC, according to a post on X (formerly Twitter) by the threat-intelligence company Falcon Feeds.
The attack, first reported by Escape Collective, is also recorded on the Ransom-db website's Live Ransomware Updates, with Shimano.com listed as a victim of LockBit 3.0 and the date November 2, 2023, as the attack date.
The full ransom note is also available on Ransomlook.io, an open-source initiative intended to help users track ransomware-related posts and activity across numerous sites, forums, and Telegram groups.
LockBit is a cybercriminal group that uses malware to compromise critical company data and then tries to extort money in exchange for withholding its public release.
According to the cybercrime prevention firm Flashpoint, it is the world's most active ransomware group, responsible for 27.93% of all known ransomware attacks in the year ending June 2023. Flashpoint put the group's total at 1,036 victims, more than double that of the second-placed group, known as BlackCat.
Shimano is the latest in a long line of high-profile LockBit victims. Trend Micro reports that the British postal service Royal Mail was attacked in January, virtually suspending its international export services. Dublin software firm Ion Group was targeted in February, while Taiwanese chipmaker TSMC was targeted in June with a US$70 million ransom demand.
Boeing, the world's largest aircraft manufacturer, is also being extorted by the group.
A Shimano spokeswoman told Cyclingnews, "This is an internal matter at Shimano that is being investigated, but we cannot comment on anything at this time."
It is unclear what ransom, if any, has been demanded by the group at this time, but the revelation is clearly another significant blow in an already difficult period for the Japanese brand.
The company recently announced a global recall of 2.8 million road cranksets due to a long-standing bonding separation issue, and a class-action lawsuit was filed in North America in the weeks that followed. According to its most recent quarterly report, overall sales of bicycle components declined by 24.8%, with operating profit decreasing by nearly half.
AI systems like Google's Bard and OpenAI's ChatGPT are designed to generate content by analyzing a huge amount of data, including human queries and responses. However, these systems have raised legitimate concerns about privacy. Google has emphasized that it will only use customer data with proper permission, but the question of trust is more complex than that.
The cybersecurity vendor's "2023 Global Threat Report," which summarizes CrowdStrike's research on cybercrime (or "e-crime") from the previous year, was released this week. The report's major sections address ongoing geopolitical disputes, cloud-related attacks, and extortion attacks carried out without ransomware.
One of the major findings from the CrowdStrike research is that the number of malicious actors who conducted data theft and extortion attacks without the use of ransomware increased by 20% in 2022 compared to the previous year. Data extortion is the practice of obtaining confidential information from target companies and then threatening to post the information online if the victim does not provide the ransom demanded by the attacker.
Data extortion has frequently been part of ransomware operations, with the threat of data exposure intended to give the victim an additional incentive to pay the demanded ransom. However, according to the CrowdStrike findings, more attackers are now moving toward data extortion and abandoning the ransomware element altogether.
Adam Meyers, head of intelligence at CrowdStrike, says: “We’re seeing more and more threat actors moving away from ransomware [...] Ransomware is noisy. It attracts attention. It’s detectable. Encryption is complex.”
According to Meyers, the rise in extortion reflects the adaptability of cyber adversaries. He adds that while ransom payments were down slightly in 2022, both extortion and ransomware-as-a-service (RaaS) saw a significant boost.
CrowdStrike also noted an overall waning interest in malware. The firm reported that malware-free activity accounted for 71% of its threat detections in 2022, up from 62% in 2021.
"This was partly related to adversaries' prolific abuse of valid credentials to facilitate access and persistence in victim environments [...] Another contributing factor was the rate at which new vulnerabilities were disclosed and the speed with which adversaries were able to operationalize exploits," the report said.
While also noting the improved resilience of the RaaS ecosystem, CrowdStrike stated that affiliated hackers will continue to be a major concern as they move from one victim network to the next, despite the shift away from conventional ransomware deployment.