Showing posts with label Data Extortion.

The Financial Fallout of UnitedHealth’s Ransomware Attack

A $2.3 Billion Lesson

The recent ransomware attack on UnitedHealth Group serves as a stark reminder of the vulnerabilities that even the largest corporations face. The attack, which has resulted in costs soaring to at least $2.3 billion, underscores the severe financial and operational impacts of cyber threats. 

The health insurance company revealed the estimate in its second-quarter earnings report on Tuesday. The $2 billion cost estimate is based on the millions UnitedHealth has already spent to restore its systems following the attack, which caused a severe outage in February.

The Attack and Immediate Response

UnitedHealth Group, a leading healthcare and insurance provider, fell victim to a sophisticated ransomware attack. The attackers encrypted critical data and demanded a ransom for its release. Despite the company’s robust cybersecurity measures, the breach highlighted gaps that were exploited by the cybercriminals.

In response to the attack, UnitedHealth made the difficult decision to pay a $22 million ransom. While this payment was significant, it represents only a fraction of the total costs incurred. The immediate priority was to restore systems and ensure the continuity of services for millions of customers who rely on UnitedHealth for their healthcare needs.

The Broader Financial Impact

System Restoration: Restoring encrypted data and rebuilding IT infrastructure required substantial investment. This process involved not only technical recovery but also ensuring that systems were secure against future attacks.

Lost Revenue: During the period of disruption, UnitedHealth experienced significant revenue losses. The inability to process claims, manage patient data, and provide timely services had a direct impact on the company’s financial performance.

Operational Costs: Additional costs were incurred in the form of overtime pay for employees working to mitigate the attack’s effects, hiring external cybersecurity experts, and implementing enhanced security measures.

Legal and Regulatory Expenses: Navigating the legal and regulatory landscape post-attack added another layer of costs. Compliance with data protection regulations and managing potential lawsuits required extensive legal resources.

Customer Support Initiatives: To maintain customer trust, UnitedHealth launched several support initiatives. These included offering free credit monitoring services to affected individuals and setting up dedicated helplines to address customer concerns.

Lessons Learned and the Path Forward

The ensuing disruption also hindered UnitedHealth from completing medical prescriptions, resulting in a revenue loss, according to the company's earnings report. 

In Q1, UnitedHealth predicted that the ransomware attack would cost the company between $1 billion and $1.2 billion. However, in Tuesday's results release, the business raised its forecast to more than $2 billion, citing the need to pay for "financial support initiatives and consumer notification costs," which include providing loans and funds to affected hospitals and pharmacies.

In the second quarter alone, UnitedHealth incurred "$1.1 billion in unfavorable cyber attack effects," according to the business. 

UnitedHealth is still recovering from the ransomware attack, while the "majority" of its IT systems have been restored. Furthermore, multiple class-action lawsuits have been brought against UnitedHealth for failing to protect patient information. As a result, the ransomware attack's costs to the organization may continue to rise.

New Extortion Scheme Targets GitHub Repositories


A new wave of cyberattacks is targeting GitHub repositories, wiping their contents, and demanding ransom from victims. This alarming campaign, first identified on Wednesday by Germán Fernández, a security researcher at Chilean cybersecurity firm CronUp, is being orchestrated by a threat actor using the handle "Gitloker" on Telegram.

The attackers are reportedly compromising GitHub accounts using stolen credentials. Once they gain access, they delete the contents of the repositories and create a backup of the data, which they claim can restore the deleted information. The compromised repositories are then renamed, and a single README.me file is added, instructing victims to contact the attackers via Telegram for further details.

Victims receive a ransom note that reads, "I hope this message finds you well. This is an urgent notice to inform you that your data has been compromised, and we have secured a backup." This message is intended to coerce the victims into engaging with the attackers in hopes of recovering their lost data.

GitHub has yet to release an official statement regarding the Gitloker extortion campaign. However, the platform has previously advised users to take several precautionary measures to secure their accounts. These include changing passwords, enabling two-factor authentication, adding a passkey for secure, passwordless login, and reviewing account security logs to track any changes in the repositories.

Security Recommendations

To protect against such malicious activities, GitHub users are encouraged to:

Enable Two-Factor Authentication: This adds an extra layer of security to prevent unauthorised access.

Review and Revoke Unauthorised Access: Regularly check for and remove any unauthorised SSH keys, deploy keys, and integrations.

Verify Email Addresses: Ensure all email addresses associated with the account are verified.

Monitor Security Logs: Keep an eye on account security logs to detect any suspicious activities.

Manage Webhooks and Deploy Keys: Regularly review and manage webhooks and deploy keys on repositories.

Review Recent Commits and Collaborators: Continuously check recent commits and collaborators for each repository to identify any unauthorised changes.
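To make the checks above concrete, here is an added example (not GitHub's tooling and not from the original post) that audits what the GitHub API returns for a repository's deploy keys and webhooks and scans a user's security log for the sequence an account hijacker leaves behind: a new SSH key added, then repositories destroyed or renamed minutes later. The deploy-key and webhook records follow the shape of GitHub's REST responses for `GET /repos/{owner}/{repo}/keys` and `GET /repos/{owner}/{repo}/hooks`, and the log uses GitHub's documented audit-log action names (`public_key.create`, `repo.destroy`, `repo.rename`); the trusted-host list, the log entry layout (`actor`, `repo`, `created_at`), and every sample value are constructed assumptions.

```python
"""Audit GitHub deploy keys, webhooks and security-log events for the risks
the recommendations above describe.

Added example for this post, not GitHub's own tooling. Deploy-key and
webhook records follow the shape of GET /repos/{owner}/{repo}/keys and
GET /repos/{owner}/{repo}/hooks; the log uses GitHub's documented audit-log
action names, but its field layout and every value here are constructed.
"""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Assumption: the only hosts that should ever receive this repo's webhooks.
TRUSTED_HOOK_HOSTS = {"ci.example-corp.internal", "hooks.slack.com"}

# Constructed sample in the shape of GET /repos/{owner}/{repo}/keys
DEPLOY_KEYS = json.loads("""[
  {"id": 1, "title": "ci-readonly", "read_only": true,
   "created_at": "2024-01-10T09:00:00Z"},
  {"id": 2, "title": "backup", "read_only": false,
   "created_at": "2024-06-05T02:13:00Z"}
]""")

# Constructed sample in the shape of GET /repos/{owner}/{repo}/hooks
WEBHOOKS = json.loads("""[
  {"id": 10, "active": true, "events": ["push"],
   "config": {"url": "https://ci.example-corp.internal/hook"}},
  {"id": 11, "active": true, "events": ["push", "repository"],
   "config": {"url": "http://203.0.113.7/collect", "insecure_ssl": "1"}}
]""")

# Constructed security-log entries (action names as in GitHub's audit log;
# the actor/repo/created_at layout is an assumption for this example)
SECURITY_LOG = [
    {"action": "public_key.create", "actor": "alice", "repo": None,
     "created_at": "2024-06-05T02:11:00Z"},
    {"action": "repo.destroy", "actor": "alice", "repo": "acme/widgets",
     "created_at": "2024-06-05T02:12:00Z"},
    {"action": "repo.rename", "actor": "alice", "repo": "acme/widgets",
     "created_at": "2024-06-05T02:12:30Z"},
    {"action": "repo.rename", "actor": "bob", "repo": "acme/docs",
     "created_at": "2024-06-07T15:00:00Z"},
]


def _ts(entry):
    """Parse the ISO-8601 'Z' timestamps GitHub uses into aware datetimes."""
    return datetime.strptime(entry["created_at"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def risky_deploy_keys(keys):
    """IDs of deploy keys that can push; deploy keys should normally be read-only."""
    return [k["id"] for k in keys if not k.get("read_only", False)]


def suspicious_webhooks(hooks, trusted_hosts=TRUSTED_HOOK_HOSTS):
    """Active hooks posting to an unknown host, over plain HTTP, or with
    TLS verification disabled (config.insecure_ssl == "1")."""
    findings = []
    for hook in hooks:
        if not hook.get("active"):
            continue
        cfg = hook["config"]
        url = urlparse(cfg["url"])
        reasons = []
        if url.hostname not in trusted_hosts:
            reasons.append("untrusted host")
        if url.scheme != "https":
            reasons.append("plaintext http")
        if str(cfg.get("insecure_ssl", "0")) == "1":
            reasons.append("tls verification off")
        if reasons:
            findings.append((hook["id"], reasons))
    return findings


def takeover_pattern(log, window=timedelta(minutes=10)):
    """Repositories destroyed or renamed within `window` of a new SSH key
    being added to the account: the trace an account hijacker leaves."""
    key_times = [_ts(e) for e in log if e["action"] == "public_key.create"]
    hits = []
    for e in sorted(log, key=_ts):
        if e["action"] not in ("repo.destroy", "repo.rename"):
            continue
        t = _ts(e)
        if any(timedelta(0) <= t - k <= window for k in key_times):
            hits.append((e["action"], e["repo"]))
    return hits


if __name__ == "__main__":
    print("writable deploy keys:", risky_deploy_keys(DEPLOY_KEYS))
    print("suspicious webhooks:", suspicious_webhooks(WEBHOOKS))
    print("takeover pattern:", takeover_pattern(SECURITY_LOG))
```

Against real data, the three functions take the parsed JSON of the corresponding API calls (for example fetched with `gh api`); the ten-minute window and the trusted-host set are the knobs to tune for your own environment.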

Previous Attacks on GitHub

This is not the first time GitHub users have faced such threats. In March 2020, hackers compromised Microsoft's GitHub account, stealing over 500GB of files from private repositories. While the stolen data primarily consisted of code samples and test projects, there was concern that private API keys or passwords might have been exposed.

Phishing Campaigns

In September 2020, GitHub users were targeted by a phishing campaign that used fake CircleCI notifications to steal GitHub credentials and two-factor authentication codes. Once compromised, attackers quickly exfiltrated data from private repositories and added new user accounts to maintain access.

Scattered Spider: Hackers Attacking Commercial Sectors, Cops Troubled

Scattered Spider

Scattered Spider threat actors primarily steal data for extortion using a variety of social engineering approaches, and they have recently used BlackCat/ALPHV ransomware in addition to their usual TTPs.

According to a senior bureau official, who asked the public to be patient as law enforcement combats the criminal network, the FBI must "evolve" to effectively stop a group of hackers who have wreaked havoc on some of the largest firms in the United States.

CISA and FBI issue joint notice

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint Cybersecurity Advisory (CSA) on Scattered Spider, a cybercriminal gang that targets commercial facilities and subsectors. The advisory contains tactics, techniques, and procedures (TTPs) gathered from FBI investigations as recent as November 2023.

The FBI and CISA encourage network defenders and critical infrastructure companies to study the joint CSA for proposed mitigations to decrease the possibility and severity of a cyberattack by Scattered Spider actors. 

Last year, the hacking collective called Scattered Spider made international headlines for its destructive cyberattacks on gambling behemoths MGM Resorts and Caesars Entertainment. Analysts first identified the group in 2022; its members employ social engineering to trick people into disclosing their login credentials or one-time password codes in order to defeat multifactor authentication.

Once inside, the group, also tracked as Star Fraud, UNC3944, and Octo Tempest, builds persistence in networks, living off the land as some state-sponsored hackers do, before deploying ransomware, stealing data, and demanding ransoms from victims.

The Scattered Spider Phenomenon

1. Data Theft and Extortion

Scattered Spider’s modus operandi revolves around data theft. They infiltrate systems, exfiltrate sensitive information, and then hold it hostage for ransom. Their victims include high-profile organizations, and the stakes are high. The group’s ability to extract valuable data without detection is a testament to their skill.

2. BlackCat/ALPHV Ransomware

Scattered Spider doesn’t rely solely on traditional hacking methods. They’ve embraced ransomware, specifically the BlackCat/ALPHV variant. This malicious software encrypts victims’ files, rendering them inaccessible until a ransom is paid. The group’s proficiency in deploying ransomware underscores their adaptability.

The Social Engineering Twist

1. Human Manipulation

What sets Scattered Spider apart is their mastery of social engineering. They exploit human psychology to gain access to systems. Whether through phishing emails, impersonation, or psychological manipulation, they find the weakest link—the human element—and exploit it. Their ability to deceive and manipulate individuals is their secret weapon.

2. The Insider Threat

Scattered Spider often targets employees within organizations. An unsuspecting employee may unwittingly click a malicious link or share sensitive credentials. The group’s understanding of human behavior allows them to bypass technical defenses. Cybersecurity professionals must recognize this insider threat and educate employees accordingly.

The FBI’s Battle

1. Resource Allocation

The Federal Bureau of Investigation (FBI) is actively pursuing Scattered Spider. Their dedicated cybercrime units are tracking down group members. However, the group remains elusive, operating across borders and leaving minimal traces. The FBI’s challenge lies in balancing resources to combat this agile adversary.

2. Collaboration and Information Sharing

The FBI collaborates with international agencies, sharing intelligence and pooling resources. Scattered Spider’s attacks span continents, and global cooperation is essential. By working together, law enforcement agencies can build a comprehensive profile of the group and disrupt their operations.

Scattered Spider is a formidable adversary in the cybercrime landscape, and law enforcement agencies are actively working to counter their activities. For more information, check this advisory.

eSIM Vulnerabilities: SIM Swappers Exploit Flaws, Hijack Phone Numbers

According to a new report, SIM-swapping crimes are rising worldwide, mainly targeting eSIM (Embedded Subscriber Identity Module) users. eSIMs are SIM cards stored digitally in software on the device rather than on a removable card. As a result, hackers are now attempting to exploit weaknesses in this software, brute-forcing their way into victims' mobile accounts to port their phone numbers to their own devices.

A study also indicated that bad actors are primarily interested in victims' online banking accounts and other financial services. eSIMs function like physical SIM cards, but they are stored digitally on a chip in the mobile device.

By scanning QR codes provided by service providers, these eSIMs can be remotely provisioned, activated, and deactivated. According to the report, Russian cybersecurity company F.A.C.C.T. notes a surge in SIM swappers exploiting eSIM systems.

Criminals can manipulate eSIM functionality to take control of phone numbers, which lets them bypass security measures tied to the number and gain unauthorized access to sensitive accounts. Rather than relying on social engineering or insider assistance, attackers have switched tactics: they break into mobile accounts using stolen credentials.

Once inside, they generate a QR code from the compromised account that provisions the victim's number onto an eSIM in their own device, which is how the number is ported. Previously, SIM swappers relied on social engineering or insider help from mobile carriers to port a target's number.

Cybercriminals, however, have turned their attention to emerging opportunities in new technologies as companies have implemented more protections to thwart these takeovers in the past few years. It has now become common for attackers to breach a victim's mobile account using stolen credentials, brute-forced credentials, or leaked credentials and then start porting the victim's number to another device without their help. 

Essentially, hijackers activate a new eSIM by generating a QR code in the hijacked mobile account and scanning it with their own device. At the same time, the legitimate owner's eSIM or SIM is deactivated, and the number is hijacked.

Additionally, once attackers have ported the victim's number to their own device, they gain access to accounts in messaging apps that are linked to that number, opening further opportunities for fraud, such as posing as the victim to trick contacts into sending money.

Researchers recommend that customers of cellular service providers use complex and unique passwords for their carrier accounts and enable two-factor authentication where available, to protect themselves from eSIM-swapping attacks. Users should also consider protecting their most valuable accounts, such as e-banking and cryptocurrency wallets, with physical security keys or authenticator apps.

In short, the measures users can take to mitigate such risks are strong passwords, two-factor authentication, and physical keys or authenticator apps as additional factors.

Thus, the development of eSIM technology has inadvertently created new avenues for SIM swappers to exploit. As cyber attacks evolve, efforts must be made to protect users' digital assets and personal information, and users must stay vigilant by implementing robust security practices.

Europol Dismantles Ukrainian Ransomware Gang

A well-known ransomware organization operating in Ukraine has been successfully taken down by an international team under the direction of Europol, marking a major win against cybercrime. In this operation, the criminal group behind several high-profile attacks was the target of multiple raids.

The joint effort, which included law enforcement agencies from various countries, highlights the growing need for global cooperation in combating cyber threats. The dismantled group had been a prominent player in the world of ransomware, utilizing sophisticated techniques to extort individuals and organizations.

The operation comes at a crucial time, with Ukraine already facing challenges due to ongoing geopolitical tensions. Europol's involvement underscores the commitment of the international community to address cyber threats regardless of the geopolitical landscape.

One of the key events leading to the takedown was a series of coordinated raids across Ukraine. These actions, supported by Europol, aimed at disrupting the ransomware gang's infrastructure and apprehending key individuals involved in the criminal activities. The raids not only targeted the group's operational base but also sought to gather crucial evidence for further investigations.

Europol, in a statement, emphasized the significance of international collaboration in combating cybercrime. "This successful operation demonstrates the power of coordinated efforts in tackling transnational threats. Cybercriminals operate globally, and law enforcement must respond with a united front," stated the Europol representative.

The dismantled ransomware gang was reportedly using the LockerGoga ransomware variant, known for its sophisticated encryption methods and targeted attacks on high-profile victims. The group's activities had raised concerns globally, making its takedown a priority for law enforcement agencies.

In the aftermath of the operation, cybersecurity experts are optimistic about the potential impact on reducing ransomware threats. However, they also stress the importance of continued vigilance and collaboration to stay ahead of evolving cyber threats.

As the international community celebrates this successful operation, it serves as a reminder of the ongoing battle against cybercrime. The events leading to the dismantlement of the Ukrainian-based ransomware gang underscore the necessity for countries to pool their resources and expertise to protect individuals, businesses, and critical infrastructure from the ever-evolving landscape of cyber threats.

Shimano Suffers Cyberattack: 4.5 Terabytes Company Data Breached

Shimano, the market-leading cycling component manufacturer, has been the subject of a ransomware attack that has affected 4.5 terabytes of important company data. 

The Japanese manufacturer has apparently been targeted by the ransomware organization LockBit, which is threatening to expose the data on November 5, 2023, at 18:34:13 UTC, according to a post on X (previously Twitter) by technology security company Falcon Feeds.

The attack, first reported by Escape Collective, is also recorded on the Ransom-db website's Live Ransomware Updates, with Shimano.com listed as a victim of LockBit 3.0 and the date November 2, 2023, as the attack date. 

The whole ransom note is also available on Ransomlook.io, which is known as an open-source initiative intended to support users in tracking ransomware-related posts and actions across numerous sites, forums, and Telegram groups. 

The gang breached highly sensitive data

  • Employee data: identification documents, social security numbers, home addresses, and passport scans
  • Financial documents: balance sheets, profit and loss statements, bank statements, and numerous tax forms and reports
  • Client data: addresses, internal documents, postal exchanges, confidential reports, legal documents, and factory inspection findings
  • Other documents: non-disclosure agreements, contracts, confidential designs and drawings, development materials, and laboratory test results

LockBit is a cybercriminal group that employs malware to compromise critical company data and then tries to extort money in exchange for preventing its public publication. 

LockBit: the world's most active ransomware

According to the cyber-crime prevention firm Flashpoint, LockBit is the world's most active ransomware organization, responsible for 27.93% of all known ransomware attacks in the year ending June 2023. Its total of 1,036 victims is more than double that of the second-placed organization, BlackCat.

Other victims of the cyberattack

Shimano is the latest in a long line of high-profile LockBit victims. Trend Micro reports that the British postal service Royal Mail was attacked in January, virtually suspending its international export services. Dublin software firm Ion Group was targeted in February, while Taiwanese chipmaker TSMC was targeted in June with a US$70 million ransom demand.

Boeing, the world's largest aircraft manufacturer, is also being extorted by the organization. 

A Shimano spokeswoman told Cyclingnews, "This is an internal matter at Shimano that is being investigated, but we cannot comment on anything at this time."

Aftermath of the attack

It is unclear what ransom, if any, has been sought by the organization at this time, but it is apparent that the revelation will be another significant blow in an already difficult period for the Japanese brand. 

It just announced a global recall of 2.8 million road cranksets due to a long-standing bonding separation issue. As a result, a class-action lawsuit was filed in North America in the weeks that followed. According to its most recent quarterly report, overall sales of bicycle components declined by 24.8%, with operational profitability decreasing by nearly half. 

Cybercriminal Groups Unleashing Ransomware Within a Day of Target Breach


A recent threat report reveals a significant shift in cybercriminal tactics, indicating a noteworthy decline in the time it takes for them to deploy ransomware after initially infiltrating their targets. 

Last year's average of 4.5 days has plummeted, with cybercriminals now striking within the first 24 hours of gaining access, according to findings by cybersecurity firm Secureworks.

This alarming trend underscores the company's warning that 2023 may witness an unprecedented surge in ransomware attacks, with three times as many victims appearing on leak sites in May compared to the same period last year.

However, Secureworks highlights a caveat regarding leak sites as a metric for gauging the scale of the ransomware issue. Notably, the report emphasizes that leak sites may only represent around 10% of the total victims known to law enforcement. 

Consequently, it urges caution when interpreting leak site data. Despite this, the aggregate data undeniably underscores the enduring appeal of ransomware and data extortion as lucrative criminal enterprises, posing a substantial threat to businesses.

Secureworks further reveals a disturbing statistic: in over 50% of its incident response cases, hackers managed to unleash their malware within a mere 24 hours of infiltrating the victim's network. 

This marks a stark drop from the 4.5-day average observed last year. In 10% of cases, ransomware was deployed within a staggeringly short five-hour window from initial access.

Don Smith, VP Threat Intelligence at Secureworks Counter Threat Unit, sheds light on the driving force behind this reduction in dwell time. He posits that cybercriminals are motivated by a desire to minimize the chances of detection, as the cybersecurity industry has become more proficient at identifying precursors to ransomware attacks. 

Consequently, threat actors are shifting focus towards simpler and faster operations, forsaking larger-scale, complex encryption events that span multiple enterprise sites. However, the risk posed by these expedited attacks remains significantly high.

Smith adds a cautionary note, emphasizing that despite the prevalence of familiar threat actors, the emergence of new and highly active threat groups is contributing to a notable surge in both victims and data breaches. 

Even in the face of high-profile crackdowns and sanctions, cybercriminals exhibit a remarkable capacity for adaptation, ensuring that the threat continues to escalate at an alarming pace.

Are Your Google Docs Safe From AI Training?


AI systems like Google's Bard and OpenAI's ChatGPT are designed to generate content by analyzing a huge amount of data, including human queries and responses. However, these systems have sparked legitimate worries regarding privacy. Google has emphasized that it will solely utilize customer data with proper permission. However, the question of trust is complex. 

According to an article on Yahoo! News, Google's policy allows the company to utilize publicly available data for training its AI models. However, Google explicitly states that it does not use any of your personal content.  

Furthermore, there is a link provided in Google's documentation that leads to a privacy commitment piece. In that document, one particular paragraph captures attention: "In regards to the utilization of publicly available information, Google acknowledges its potential to improve AI models. However, it assures users that their personal content is not incorporated into these models. Google remains committed to upholding privacy standards and safeguarding user data throughout its operations." 

At first glance, one might be inclined to say, "Yes, we can trust them, because they explicitly state they won't utilize customer data without permission." Nevertheless, it's conceivable that we may have unintentionally granted them permission by agreeing to the ever-changing End User License Agreement (EULA) for Google Docs/Drive.

Additionally, even though privacy is a significant concern for users, there is no assurance that companies like Google, iCloud, OneDrive, or Dropbox will change their policies to ensure that any content stored on their platforms remains private and inaccessible to them. 

In other words, the current policies may not provide a guarantee of privacy for user data, and there is uncertainty about whether these companies will make changes to address this concern in the future. AI training involves educating an AI system to understand, interpret, and gain knowledge from data. 

This enables the AI to make decisions based on the information it receives, a process known as inferencing. To achieve successful AI training, three crucial elements are required. First, there needs to be a well-crafted AI model, which serves as the foundation for the system. Second, a significant volume of top-notch data is necessary, with accurate annotations to aid learning. Lastly, a robust computing platform is essential to handle the computational demands of the training process. 

If you have concerns about Google's updated privacy policy, there are actions you can take to safeguard your data and privacy: 

1. Be cautious about what you share: Only share information publicly that you're comfortable with Google or any other company accessing and using. 

2. Use Google's privacy controls: Take a look at your privacy settings within your Google account. You can choose to opt out of features like "Web & App Activity," "Location History," and "Voice & Audio Activity" to have more control over your data. 

3. Explore other services: Look into alternative providers that have stricter privacy policies. For example, you can try DuckDuckGo for search, ProtonMail for email, Vimeo for video sharing, and Brave for web browsing. 

4. Use private browsing: When using Google services, activate the incognito or private browsing mode. This helps limit the collection of your browsing history. 

5. Stay informed: Before using any website, mobile app, or service, make sure to read and understand their privacy policies. Be cautious with platforms that explicitly share your data with Google.

HinataBot: The Growing DDoS Threat


The emergence of the HinataBot botnet has the cybersecurity community on high alert, as it has the potential to launch massive DDoS attacks with a capacity of 3.3 Tbps. This new botnet, which is based on Golang and exploits vulnerable devices, was first discovered by cybersecurity researchers in March 2023.

According to experts, the HinataBot botnet is incredibly sophisticated and could be difficult to detect and remove. It is also highly scalable, which means that it can easily expand to include thousands or even millions of devices. This makes it a serious threat to businesses and organizations of all sizes.

The HinataBot botnet is able to exploit devices that have not been properly secured, such as those that still use default login credentials. Once it has gained access to a device, it can then be used to launch DDoS attacks, which can disrupt entire networks and cause significant financial and reputational damage to businesses.

As of now, it is not clear who is behind the HinataBot botnet, but it is suspected to be a criminal group with sophisticated skills and resources. It is believed that the botnet is being used for financial gain, such as through ransom demands or by using it to extort businesses and organizations.

To protect against the threat of the HinataBot botnet, it is important to ensure that all devices are properly secured with strong passwords and up-to-date security software. Additionally, businesses and organizations should regularly monitor their networks for any signs of suspicious activity and have a comprehensive incident response plan in place.

In conclusion, the emergence of the HinataBot botnet is a reminder of the ongoing threat posed by cybercriminals and the need for businesses and organizations to remain vigilant and take proactive steps to protect their networks and data. Failure to do so could result in devastating consequences, both financially and operationally.

CrowdStrike: Cybercriminals Are Choosing Data Extortion Over Ransomware Attacks

CrowdStrike’s threat intelligence recently reported that cybercriminals have been learning how data extortion attacks are more profitable than ransomware attacks, leading to a drastic shift in the behavior of cyber activities throughout 2022. 

The cybersecurity vendor's "2023 Global Threat Report," which summarizes CrowdStrike's research on cybercrime (or "e-Crime") from the previous year, was released this week. The report's major sections address ongoing geopolitical disputes, cloud-related attacks, and extortion attacks carried out without malware.

One of the major findings from the CrowdStrike research is that the number of malicious actors who conducted data theft and extortion attacks without the use of ransomware increased by 20% in 2022 compared to the previous year. Data extortion is the practice of obtaining confidential information from target companies and then threatening to post the information online if the victim does not provide the ransom demanded by the attacker. 

Data extortion has frequently been a part of ransomware operations, with the fear of data exposure intended to provide additional incentive for the victim to pay the demanded ransom. However, as per the CrowdStrike findings, more attackers are now inclining toward data extortion, while abandoning the ransomware element altogether. 

Adam Meyers, head of intelligence at CrowdStrike, says: "We're seeing more and more threat actors moving away from ransomware[…]Ransomware is noisy. It attracts attention. It's detectable. Encryption is complex."

According to Meyers, the rise in extortion addresses the adaptability of cyber adversaries. He further adds that while ransom payments were down slightly in 2022, both extortion and ransomware-as-a-service (RaaS) have witnessed a significant boost. 

CrowdStrike also noted an overall waning interest in malware. The firm reported that malware-free activity accounted for 71% of its threat detections in 2022, up from 62% in 2021.

"This was partly related to adversaries' prolific abuse of valid credentials to facilitate access and persistence in victim environments[…]Another contributing factor was the rate at which new vulnerabilities were disclosed and the speed with which adversaries were able to operationalize exploits," the report said. 

While also noting the improved resilience of the RaaS network, CrowdStrike stated that affiliated hackers will continue to be a major concern as they move from one network to another despite the move away from conventional ransomware deployment.  

U.S. Cyber Command Officially Links MuddyWater Gang to Iranian Intelligence


The US military's Cyber Command on Wednesday officially tied the Iranian-backed MuddyWater hacking group to Iran's Ministry of Intelligence and Security (MOIS).

According to Cyber Command, the hacking group was first identified in 2017 and is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS), which is involved in both domestic surveillance operations and the targeting of a wide spectrum of entities in governments, academia, cryptocurrency, telecommunications, and oil sectors in the Middle East.

"MuddyWater is an Iranian threat group; previously, the industry has reported that MuddyWater has primarily targeted Middle Eastern nations, and has also targeted European and North American nations," Cyber Command said in a statement.

On Twitter, Cyber Command said the malicious group was employing a suite of malware for espionage and malicious activity. "MOIS hacker group MuddyWater is using open-source code for malware," it said. "MuddyWater and other Iranian MOIS APTs are using DNS tunneling to communicate to its C2 infrastructure; if you see this on your network, look for suspicious outbound traffic."
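As an added defensive example (not part of the original report or of any Cyber Command tooling), the following Python scans a constructed DNS query log for the shape that tunneling traffic tends to have: many queries to one registered domain whose leftmost labels are long and high-entropy, unlike ordinary hostnames. The log lines, the thresholds and the crude two-label registered-domain split are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not from the page): "client fqdn" per line.
# The 10.0.0.7 client issues queries whose leftmost label looks like encoded data.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 a3f9c2e1b7d4f0a9c8e2b1d3f4a5c6e7.cdn-update.example.net
10.0.0.7 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.cdn-update.example.net
10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.cdn-update.example.net
10.0.0.7 aa11bb22cc33dd44ee55ff6677889900.cdn-update.example.net
10.0.0.7 deadbeefcafef00d0123456789abcdef.cdn-update.example.net
10.0.0.9 news.example.org
"""


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score higher than words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_tunneling_candidates(log_text, min_queries=5, min_label_len=20, min_entropy=3.5):
    """Group queries by (client, registered domain) and flag groups where most
    leftmost labels are long and high-entropy. Thresholds are assumptions to tune
    against your own baseline; a hit is a lead for analysis, not proof."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        client, fqdn = line.split()
        labels = fqdn.rstrip(".").split(".")
        if len(labels) <= 2:
            continue  # bare registered-domain lookup carries no subdomain data
        base = ".".join(labels[-2:])  # crude; use a public-suffix list in production
        groups[(client, base)].append(labels[0])
    flagged = {}
    for key, subs in groups.items():
        suspicious = [s for s in subs
                      if len(s) >= min_label_len and shannon_entropy(s) >= min_entropy]
        if len(subs) >= min_queries and len(suspicious) / len(subs) >= 0.8:
            flagged[key] = {"queries": len(subs), "suspicious": len(suspicious)}
    return flagged


if __name__ == "__main__":
    for (client, domain), stats in find_tunneling_candidates(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {domain}: {stats}")
```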

In partnership with the FBI, USCYBERCOM's Cyber National Mission Force (CNMF) has also shared multiple malware samples of PowGoop, a DLL loader designed to decrypt and run a PowerShell-based malware downloader. Five of the files that CYBERCOM has uploaded to VirusTotal this week aren’t identified as malicious by any of the antivirus engines in the scanning service, while six others have very low detection rates.

"If you see a combination of these tools, Iranian MOIS actor MuddyWater may be in your network. MuddyWater has been seen using a variety of techniques to maintain access to victim networks," the US military command added. "These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions."

In November of last year, cyber authorities across the US, UK, and Australia attributed attacks exploiting vulnerabilities in Fortinet and Microsoft Exchange products to Iranian-backed attackers. Rather than targeting a particular sector of the economy, the malicious actors simply exploited the vulnerabilities wherever possible; they then attempted to turn that initial access into data exfiltration, a ransomware attack, or extortion.

Night Sky: New Ransomware Targeting Corporate Networks


The new year has brought with it new ransomware named 'Night Sky,' which targets corporate networks and steals data in double-extortion attacks. 

The Night Sky operation began on December 27th, according to MalwareHunterTeam, which was the first to identify the new ransomware. The operation has since published the data of two victims.

One of the victims got an initial ransom demand of $800,000 in exchange for a decryptor and the promise that the stolen material would not be made public. 

How Night Sky encrypts devices

A sample of the Night Sky ransomware seen by BleepingComputer has a personalised ransom note and hardcoded login credentials to access the victim's negotiation page. 

When the ransomware is activated, it encrypts all files except those with the .dll or .exe file extensions. The ransomware will not encrypt the following files or folders:
AppData
Boot
Windows
Windows.old
Tor Browser
Internet Explorer
Google
Opera
Opera Software
Mozilla
Mozilla Firefox
$Recycle.Bin
ProgramData
All Users
autorun.inf
boot.ini
bootfont.bin
bootsect.bak
bootmgr
bootmgr.efi
bootmgfw.efi
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
Program Files
Program Files (x86)
#recycle

Night Sky appends the .nightsky extension to file names as it encrypts them. A ransom note named NightSkyReadMe.hta is dropped in each folder; it provides details about what was stolen, contact emails, and hardcoded passwords for the victim's negotiation page.

Instead of communicating with victims through a Tor site, Night Sky uses email addresses and a clear-web website running Rocket.Chat. The credentials in the note are used to access the Rocket.Chat URL it specifies.
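As an added triage example (not code from BleepingComputer or the original post), the following Python walks a constructed directory tree and reports indicators consistent with the behaviour described above: files ending in .nightsky, NightSkyReadMe.hta notes, and anything that contradicts the reported exclusions, such as an encrypted .exe or an encrypted file inside a folder the ransomware is said to skip. The sample tree and the subset of skipped folders checked are assumptions.

```python
import os
import tempfile

NIGHT_SKY_EXT = ".nightsky"
NIGHT_SKY_NOTE = "NightSkyReadMe.hta"
NEVER_ENCRYPTED_EXT = {".dll", ".exe"}
# Subset of the folder names the article lists as skipped (assumption: enough for triage).
SKIPPED_DIRS = {"Windows", "Program Files", "Program Files (x86)", "ProgramData", "AppData"}


def build_sample_tree():
    """Constructed sample tree mimicking a hit; not real victim data."""
    root = tempfile.mkdtemp(prefix="nightsky-triage-")
    files = {
        "Users/alice/Documents/q4-budget.xlsx.nightsky": b"ciphertext",
        "Users/alice/Documents/NightSkyReadMe.hta": b"<html>note</html>",
        "Users/alice/Documents/report.docx.nightsky": b"ciphertext",
        "Users/alice/NightSkyReadMe.hta": b"<html>note</html>",
        "Program Files/App/app.exe": b"MZ",          # must stay untouched
        "Windows/System32/kernel32.dll": b"MZ",      # must stay untouched
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def triage_night_sky(root):
    """Summarise Night Sky indicators under root and flag files whose state
    contradicts the reported exclusions (encrypted .dll/.exe or skipped folders)."""
    report = {"encrypted": [], "notes": [], "inconsistent": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        in_skipped = any(part in SKIPPED_DIRS for part in rel.split(os.sep))
        for name in filenames:
            path = os.path.join(rel, name)
            if name == NIGHT_SKY_NOTE:
                report["notes"].append(path)
            elif name.endswith(NIGHT_SKY_EXT):
                report["encrypted"].append(path)
                ext = os.path.splitext(name[: -len(NIGHT_SKY_EXT)])[1].lower()
                if ext in NEVER_ENCRYPTED_EXT or in_skipped:
                    report["inconsistent"].append(path)
    report["consistent_with_night_sky"] = (
        bool(report["encrypted"]) and bool(report["notes"]) and not report["inconsistent"])
    return report


if __name__ == "__main__":
    print(triage_night_sky(build_sample_tree()))
```

A tree with encrypted .exe files or encrypted data under Windows would be flagged as inconsistent, pointing the responder at a different family or a variant.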

Double extortion tactic: 

Before encrypting devices on the network, ransomware operations frequently steal unencrypted data from victims. Threat actors then use the stolen data in a "double-extortion" scheme, threatening to leak the information unless a ransom is paid.

Night Sky built a Tor data leak site to leak the data of victims, which now contains two victims, one from Bangladesh and the other from Japan. While there hasn't been much activity with the new Night Sky ransomware operation, one should keep a watch on it as we enter the new year.