Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Extortion. Show all posts
Vulnerabilities and Exploits
Cyberattacks CyberCrime Cybersecurity Data Extortion eSIM Mobile Cyber Attacks Phone Hijacks Vulnerabilities and Exploits

eSIM Vulnerabilities: SIM Swappers Exploit Flaws, Hijack Phone Numbers

 


According to a new report, SIM-swapping crimes are rising worldwide, mainly committed by eSIM (Embedded Subscriber Identity Modules) users. eSIMs are digitally stored SIM cards that are embedded using software into devices. As a result, hackers are now attempting to exploit vulnerabilities within this software to brute force their way into victims' phone accounts to port their mobile numbers to their own devices through brute force. 

A study also indicated that bad actors are primarily interested in victims' online banking accounts and other financial services, which explains why embedded Subscriber Identity Modules (eSIMs) function similarly to physical SIM cards. Still, they are digitally stored on mobile device chips and are similar to physical SIM cards. 

By scanning QR codes provided by service providers, these devices can be remotely reprogrammed and can also be activated and deactivated with various functionalities. In addition, according to this report, F.A.C.C.T., a Russian cybersecurity company, notes that SIM swappers are exploiting eSIM systems with a surge in exploitation. 

Criminals can manipulate eSIM functionalities to gain control of phone numbers, allowing them to gain unauthorized access to sensitive accounts by bypassing security measures. As opposed to social engineering and insider assistance, attackers have switched tactics to exploit vulnerabilities in mobile accounts by using stolen credentials instead of social engineering and insider assistance. 

As a result, they can gain control of the victim's phone number by generating QR codes within compromised accounts that are used to facilitate number porting, which is a method of gaining access to their compromised accounts. SIM swappers have previously relied on social engineering or insider assistance from mobile carriers to port the number of a target.

Cybercriminals, however, have turned their attention to emerging opportunities in new technologies as companies have implemented more protections to thwart these takeovers in the past few years. It has now become common for attackers to breach a victim's mobile account using stolen credentials, brute-forced credentials, or leaked credentials and then start porting the victim's number to another device without their help. 

Essentially, hijackers can activate a new eSIM through the hijacked mobile account by generating a QR code through the hijacked mobile account and scanning it with their device. At the same time, the legitimate owner's eSIM/SIM is deactivated, thus hijacking the number. 

Additionally, attackers who port their SIM numbers to their devices gain access to SIM-linked accounts in various messaging apps, which opens up more opportunities for them to scam other people, such as posing as the victim and tricking them into sending money, with additional advantages. 

Researchers recommend that cellular service providers use complex and unique passwords for their accounts and enable two-factor authentication if they can, to protect themselves from eSIM-swapping attacks. There are several reasons why users should consider protecting their more valuable accounts with physical keys or authenticator apps, such as e-banking and cryptocurrency wallets. 

Among the security measures that users may use to mitigate such risks are to create strong passwords, to enable two-factor authentication, and to consider physical keys or authenticator apps as additional security measures. 

Thus, SIM swappers have inadvertently created new avenues for exploitation as a result of the development of eSIM technology. Efforts must be made to protect users' digital assets and personal information from cyber threats as cyber attacks evolve, and users must maintain vigilance by implementing robust security practices.
Read more »
Ukraine Organization
Cyber Security Data Extortion Encryption EU EU Regulators European Union Europol Geopolitical Malicious actor Ransomware Attacks. Ransomware Gang Ukraine Organization

Europol Dismantles Ukrainian Ransomware Gang

A well-known ransomware organization operating in Ukraine has been successfully taken down by an international team under the direction of Europol, marking a major win against cybercrime. In this operation, the criminal group behind several high-profile attacks was the target of multiple raids.

The joint effort, which included law enforcement agencies from various countries, highlights the growing need for global cooperation in combating cyber threats. The dismantled group had been a prominent player in the world of ransomware, utilizing sophisticated techniques to extort individuals and organizations.

The operation comes at a crucial time, with Ukraine already facing challenges due to ongoing geopolitical tensions. Europol's involvement underscores the commitment of the international community to address cyber threats regardless of the geopolitical landscape.

One of the key events leading to the takedown was a series of coordinated raids across Ukraine. These actions, supported by Europol, aimed at disrupting the ransomware gang's infrastructure and apprehending key individuals involved in the criminal activities. The raids not only targeted the group's operational base but also sought to gather crucial evidence for further investigations.

Europol, in a statement, emphasized the significance of international collaboration in combating cybercrime. "This successful operation demonstrates the power of coordinated efforts in tackling transnational threats. Cybercriminals operate globally, and law enforcement must respond with a united front," stated the Europol representative.

The dismantled ransomware gang was reportedly using the Lockergoga ransomware variant, known for its sophisticated encryption methods and targeted attacks on high-profile victims. The group's activities had raised concerns globally, making its takedown a priority for law enforcement agencies.

In the aftermath of the operation, cybersecurity experts are optimistic about the potential impact on reducing ransomware threats. However, they also stress the importance of continued vigilance and collaboration to stay ahead of evolving cyber threats.

As the international community celebrates this successful operation, it serves as a reminder of the ongoing battle against cybercrime. The events leading to the dismantlement of the Ukrainian-based ransomware gang underscore the necessity for countries to pool their resources and expertise to protect individuals, businesses, and critical infrastructure from the ever-evolving landscape of cyber threats.

Read more »
Shimano
cyber attack Data Extortion LockBit Ransomware Shimano

Shimano Suffers Cyberattack: 4.5 Terabytes Company Data Breached


Shimano, the market-leading cycling component manufacturer, has been the subject of a ransomware attack that has affected 4.5 terabytes of important company data. 

The Japanese manufacturing has apparently been targeted by ransomware organization LockBit, who are threatening to expose the data on November 5, 2023, at 18:34:13 UTC, according to a post on X (previously Twitter) by technology security company Falcon Feeds.

The attack, first reported by Escape Collective, is also recorded on the Ransom-db website's Live Ransomware Updates, with Shimano.com listed as a victim of LockBit 3.0 and the date November 2, 2023, as the attack date. 

The whole ransom note is also available on Ransomlook.io, which is known as an open-source initiative intended to support users in tracking ransomware-related posts and actions across numerous sites, forums, and Telegram groups. 

The gang breached highly sensitive data

  • Identification, social security numbers, residences, and passport scans of employees
  • Balance sheets, profit and loss statements, bank statements, and numerous tax forms and reports are examples of financial papers.
  • Addresses, internal documents, postal exchanges, confidential reports, legal documents, and factory inspection findings are examples of client data.
  • Non-disclosure agreements, contracts, confidential designs and drawings, development materials, and laboratory testing are among the other documents.

LockBit is a cybercriminal group that employs malware to compromise critical company data and then tries to extort money in exchange for preventing its public publication. 

Lockbit world's most active ransomware

According to the cyber-crime prevention firm Flashpoint, it is the world's most active ransomware organization, responsible for 27.93% of all known ransomware assaults in the year ending June 2023. It stated a total of 1,036 victims is more than double that of the second-placed organization known as BlackCat. 

Other victims of the cyberattack

Shimano is the latest in a long line of high-profile LockBit victims. Trendmicro reports that the British postal service Royal Mail was attacked in January, virtually suspending its international export services. Dublin software firm Ion Group was targeted in February, while Taiwanese chipmaker TSMC was targeted in June with a US$70 million ransom demand. 

Boeing, the world's largest aircraft manufacturer, is also being extorted by the organization. 

A Shimano spokeswoman told Cyclingnews, "This is an internal matter at Shimano that is being investigated, but we cannot comment on anything at this time."

Aftermath of the attack

It is unclear what ransom, if any, has been sought by the organization at this time, but it is apparent that the revelation will be another significant blow in an already difficult period for the Japanese brand. 

It just announced a global recall of 2.8 million road cranksets due to a long-standing bonding separation issue. As a result, a class-action lawsuit was filed in North America in the weeks that followed. According to its most recent quarterly report, overall sales of bicycle components declined by 24.8%, with operational profitability decreasing by nearly half. 

Read more »
victim statistics
Cyber Security Cyber Threats Data Extortion malware deployment ransomware attacks Secureworks threat report victim statistics

Cybercriminal Groups Unleashing Ransomware Within a Day of Target Breach

 

A recent threat report reveals a significant shift in cybercriminal tactics, indicating a noteworthy decline in the time it takes for them to deploy ransomware after initially infiltrating their targets. 

Last year's average of 4.5 days has now plummeted, with cybercriminals now striking within the first 24 hours of gaining access, according to findings by cybersecurity firm Secureworks. 

This alarming trend underscores the company's warning that 2023 may witness an unprecedented surge in ransomware attacks, with three times as many victims appearing on leak sites in May compared to the same period last year.

However, Secureworks highlights a caveat regarding leak sites as a metric for gauging the scale of the ransomware issue. Notably, the report emphasizes that leak sites may only represent around 10% of the total victims known to law enforcement. 

Consequently, it urges caution when interpreting leak site data. Despite this, the aggregate data undeniably underscores the enduring appeal of ransomware and data extortion as lucrative criminal enterprises, posing a substantial threat to businesses.

Secureworks further reveals a disturbing statistic: in over 50% of its incident response cases, hackers managed to unleash their malware within a mere 24 hours of infiltrating the victim's network. 

This marks a stark drop from the 4.5-day average observed last year. In 10% of cases, ransomware was deployed within a staggeringly short five-hour window from initial access.

Don Smith, VP Threat Intelligence at Secureworks Counter Threat Unit, sheds light on the driving force behind this reduction in dwell time. He posits that cybercriminals are motivated by a desire to minimize the chances of detection, as the cybersecurity industry has become more proficient at identifying precursors to ransomware attacks. 

Consequently, threat actors are shifting focus towards simpler and faster operations, forsaking larger-scale, complex encryption events that span multiple enterprise sites. However, the risk posed by these expedited attacks remains significantly high.

Smith adds a cautionary note, emphasizing that despite the prevalence of familiar threat actors, the emergence of new and highly active threat groups is contributing to a notable surge in both victims and data breaches. 

Even in the face of high-profile crackdowns and sanctions, cybercriminals exhibit a remarkable capacity for adaptation, ensuring that the threat continues to escalate at an alarming pace.
Read more »
Google Policies
AI Training Data Extortion Data Policies Data Theft Google Policies

Are Your Google Docs Safe From AI Training?

 

AI systems like Google's Bard and OpenAI's ChatGPT are designed to generate content by analyzing a huge amount of data, including human queries and responses. However, these systems have sparked legitimate worries regarding privacy. Google has emphasized that it will solely utilize customer data with proper permission. However, the question of trust is complex. 

According to an article on Yahoo! News, Google's policy allows the company to utilize publicly available data for training its AI models. However, Google explicitly states that it does not use any of your personal content.  

Furthermore, there is a link provided in Google's documentation that leads to a privacy commitment piece. In that document, one particular paragraph captures attention: "In regards to the utilization of publicly available information, Google acknowledges its potential to improve AI models. However, it assures users that their personal content is not incorporated into these models. Google remains committed to upholding privacy standards and safeguarding user data throughout its operations." 

At first glance, one might be inclined to say, Yes, we can trust them because they explicitly state “they won't utilize customer data without permission." Nevertheless, it's conceivable that we may have unintentionally granted them permission by agreeing to the ever-changing End User License Agreement (EULA) for Google Docs/Drive. 

Additionally, even though privacy is a significant concern for users, there is no assurance that companies like Google, iCloud, OneDrive, or Dropbox will change their policies to ensure that any content stored on their platforms remains private and inaccessible to them. 

In other words, the current policies may not provide a guarantee of privacy for user data, and there is uncertainty about whether these companies will make changes to address this concern in the future. AI training involves educating an AI system to understand, interpret, and gain knowledge from data. 

This enables the AI to make decisions based on the information it receives, a process known as inferencing. To achieve successful AI training, three crucial elements are required. First, there needs to be a well-crafted AI model, which serves as the foundation for the system. Second, a significant volume of top-notch data is necessary, with accurate annotations to aid learning. Lastly, a robust computing platform is essential to handle the computational demands of the training process. 

If you have concerns about Google's updated privacy policy, there are actions you can take to safeguard your data and privacy: 

1. Be cautious about what you share: Only share information publicly that you're comfortable with Google or any other company accessing and using. 

2. Use Google's privacy controls: Take a look at your privacy settings within your Google account. You can choose to opt out of features like "Web & App Activity," "Location History," and "Voice & Audio Activity" to have more control over your data. 

3. Explore other services: Look into alternative providers that have stricter privacy policies. For example, you can try DuckDuckGo for search, ProtonMail for email, Vimeo for video sharing, and Brave for web browsing. 

4. Use private browsing: When using Google services, activate the incognito or private browsing mode. This helps limit the collection of your browsing history. 

5. Stay informed: Before using any website, mobile app, or service, make sure to read and understand their privacy policies. Be cautious with platforms that explicitly share your data with Google.
Read more »
Software
Botnet Data Breach Data Extortion DDOS Attacks. Ransomware Attacks. Software

HinataBot: The Growing DDoS Threat

 

The emergence of the HinataBot botnet has the cybersecurity community on high alert, as it has the potential to launch massive DDoS attacks with a capacity of 3.3 Tbps. This new botnet, which is based on Golang and exploits vulnerable devices, was first discovered by cybersecurity researchers in March 2023.

According to experts, the HinataBot botnet is incredibly sophisticated and could be difficult to detect and remove. It is also highly scalable, which means that it can easily expand to include thousands or even millions of devices. This makes it a serious threat to businesses and organizations of all sizes.

The HinataBot botnet is able to exploit devices that have not been properly secured, such as those that still use default login credentials. Once it has gained access to a device, it can then be used to launch DDoS attacks, which can disrupt entire networks and cause significant financial and reputational damage to businesses.

As of now, it is not clear who is behind the HinataBot botnet, but it is suspected to be a criminal group with sophisticated skills and resources. It is believed that the botnet is being used for financial gain, such as through ransom demands or by using it to extort businesses and organizations.

To protect against the threat of the HinataBot botnet, it is important to ensure that all devices are properly secured with strong passwords and up-to-date security software. Additionally, businesses and organizations should regularly monitor their networks for any signs of suspicious activity and have a comprehensive incident response plan in place.

In conclusion, the emergence of the HinataBot botnet is a reminder of the ongoing threat posed by cybercriminals and the need for businesses and organizations to remain vigilant and take proactive steps to protect their networks and data. Failure to do so could result in devastating consequences, both financially and operationally.
Read more »
Threat Detection
2023 Global Threat Report CrowdStrike Cyber Crime Data Extortion Ransomware ransomware attacks Threat Detection

CrowdSrike: Cybercriminals Are Choosing Data Extortion Over Ransomware Attacks


CrowdStrike’s threat intelligence recently reported that cybercriminals have been learning how data extortion attacks are more profitable than ransomware attacks, leading to a drastic shift in the behavior of cyber activities throughout 2022. 

The cybersecurity vendor's "2023 Global Threat Report," which summarizes CrowdStrike's research on cybercrime (or "e-Crime") from the previous year, was released this week. The report's major sections address ongoing geopolitical disputes, cloud-related attacks, and extortion attacks without the use of software. 

One of the major findings from the CrowdStrike research is that the number of malicious actors who conducted data theft and extortion attacks without the use of ransomware increased by 20% in 2022 compared to the previous year. Data extortion is the practice of obtaining confidential information from target companies and then threatening to post the information online if the victim does not provide the ransom demanded by the attacker. 

Data extortion has frequently been a part of ransomware operations, with the fear of data exposure intended to provide additional incentive for the victim to pay the demanded ransom. However, as per the CrowdStrike findings, more attackers are now inclining toward data extortion, while abandoning the ransomware element altogether. 

Adam Meyers, head of intelligence at CrowdStrike says that “We’re seeing more and more threat actors moving away from ransomware[…]Ransomware is noisy. It attracts attention. It’s detectable. Encryption is complex.” 

According to Meyers, the rise in extortion addresses the adaptability of cyber adversaries. He further adds that while ransom payments were down slightly in 2022, both extortion and ransomware-as-a-service (RaaS) have witnessed a significant boost. 

CrowdStrike observed and noted the overall waning interest in malware. The firm reported that in 2022, up from 62% in 2021, malware-free activity accounted for 71% of its threat detections. 

"This was partly related to adversaries' prolific abuse of valid credentials to facilitate access and persistence in victim environments[…]Another contributing factor was the rate at which new vulnerabilities were disclosed and the speed with which adversaries were able to operationalize exploits," the report said. 

While also noting the improved resilience of the RaaS network, CrowdStrike stated that affiliated hackers will continue to be a major concern as they move from one network to another despite the move away from conventional ransomware deployment.  

Read more »
United States
Cyber Security Data Extortion data security Extortion Iran hackers Threat Intel United States

U.S. Cyber Command Officially Links MuddyWater Gang to Iranian Intelligence

 

The US military's Cyber Command on Wednesday officially tied the Iranian-backed MuddyWatter hacking group to Iran's Ministry of Intelligence and Security (MOIS).

According to Cyber Command, the hacking group was first identified in 2017 and is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS), which is involved in both domestic surveillance operations and the targeting of a wide spectrum of entities in governments, academia, cryptocurrency, telecommunications, and oil sectors in the Middle East.

"MuddyWater is an Iranian threat group; previously, the industry has reported that MuddyWater has primarily targeted Middle Eastern nations, and has also targeted European and North American nations," Cyber Command said in a statement.

On Twitter, Cyber Command said the malicious group was employing a suite of malware for espionage and malicious activity. "MOIS hacker group MuddyWater is using open-source code for malware," it said. "MuddyWater and other Iranian MOIS APTs are using DNS tunneling to communicate to its C2 infrastructure; if you see this on your network, look for suspicious outbound traffic."

In partnership with the FBI, USCYBERCOM's Cyber National Mission Force (CNMF) has also shared multiple malware samples of PowGoop, a DLL loader designed to decrypt and run a PowerShell-based malware downloader. Five of the files that CYBERCOM has uploaded to VirusTotal this week aren’t identified as malicious by any of the antivirus engines in the scanning service, while six others have very low detection rates.

"If you see a combination of these tools, Iranian MOIS actor MuddyWater may be in your network. MuddyWater has been seen using a variety of techniques to maintain access to victim networks," the US military command added. "These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions."

Last year in November, cyber authorities across the US, UK, and Australia attributed attacks exploiting loopholes in Fortinet and Exchanges to Iranian-backed attackers. Rather than targeting a particular sector of the economy, the malicious actors were simply focused on exploiting the vulnerabilities wherever possible; following the operation, they then attempted to turn that initial access into data exfiltration, a ransomware attack, or extortion.
Read more »
Websites
Corporate Data Exfiltration Data Extortion Data Hacking Double extortion malware Night Sky Ransom Ransom note Ransomware Tor Site Websites

Night Sky: New Ransomware Targeting Corporate Networks

 

The new year has brought with it new ransomware named 'Night Sky,' which targets corporate networks and steals data in double-extortion attacks. 

The Night Sky operation began on December 27th, according to MalwareHunterTeam, which was the first to identify the new ransomware. The ransomware has since published the data of two victims. 

One of the victims got an initial ransom demand of $800,000 in exchange for a decryptor and the promise that the stolen material would not be made public. 

How Night Sky encrypts devices

A sample of the Night Sky ransomware seen by BleepingComputer has a personalised ransom note and hardcoded login credentials to access the victim's negotiation page. 

When the ransomware is activated, it encrypts all files except those with the.dll or.exe file extensions. The ransomware will not encrypt the following files or folders: 
AppData
Boot
Windows
Windows.old
Tor Browser
Internet Explorer
Google
Opera
Opera Software
Mozilla
Mozilla Firefox
$Recycle.Bin
ProgramData
All Users
autorun.inf
boot.ini
bootfont.bin
bootsect.bak
bootmgr
bootmgr.efi
bootmgfw.efi
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
Program Files
Program Files (x86)
#recycle

Night Sky appends the.nightsky extension to encrypted file names while encrypting them. A ransom letter named NightSkyReadMe.hta is included in each folder, and it provides details about what was stolen, contact emails, and hardcoded passwords to the victim's negotiation page. 

Instead of communicating with victims through a Tor site, Night Sky employs email addresses and a transparent website that runs Rocket.Chat. The credentials are used to access the Rocket.Chat URL specified in the ransom note. 

Double extortion tactic: 

Before encrypting devices on the network, ransomware operations frequently grab unencrypted data from victims. Threat actors then utilize the stolen data in a "double-extortion" scheme, threatening to leak the information unless a ransom is paid. 

Night Sky built a Tor data leak site to leak the data of victims, which now contains two victims, one from Bangladesh and the other from Japan. While there hasn't been much activity with the new Night Sky ransomware operation, one should keep a watch on it as we enter the new year.
Read more »
Subscribe to: Posts (Atom)