
Showing posts with label Data Stolen.

A New SolidBit Ransomware Variant Hit Famous Games

Cybersecurity researchers have reported a new SolidBit ransomware variant that targets users of popular games and social media platforms. “The malware was uploaded to GitHub, where it is disguised as different applications and an Instagram follower bot to lure in victims,” cybersecurity solutions firm Trend Micro reported. 

Nathaniel Morales, Monte de Jesus, Ivan Nicole Chavez, Lala Manly, and Nathaniel Gregory Ragasa published technical details of their analysis of the new ransomware variant. “When an unsuspecting victim runs the application, it automatically executes malicious PowerShell codes that drop the ransomware into the system,” the analysis reads. 

SolidBit is ransomware that runs on Windows and encrypts the personal files on the infected system. “It’s possible that SolidBit’s ransomware actors are currently working with the original developer of Yashma ransomware and likely modified some features from the Chaos builder, rebranding it as SolidBit,” the researchers observed. 

The League of Legends account checker uploaded to GitHub contains instruction files, but no graphical user interface (GUI) or any other behavior related to its supposed function; it is only a lure, Trend Micro's researchers said. 

Among the files bundled with the account checker, the researchers found an executable, Rust LoL Accounts Checker.exe, protected with Safengine Shielden. When it runs, an error window appears claiming that debugging tools have been detected, which the researchers attribute to the malware's anti-debugging and anti-virtualization capabilities. 

“If users click on this executable file, it will drop and execute a program with malicious codes that drop and execute the SolidBit ransomware. It will begin disabling Windows Defender’s scheduled scans and any real-time scanning of some folders,” Trend Micro said. 
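The Defender-tampering step Trend Micro describes is exactly the kind of behaviour a defender should alert on. The following is an added example, not code from Trend Micro or from the original post: a small Python detector that runs Defender-tampering rules over PowerShell script-block (Event ID 4104) and process-creation (Event ID 4688) text, decoding any -EncodedCommand argument first so that base64-wrapped commands cannot slip past the rules. The cmdlets and parameters (Set-MpPreference, Add-MpPreference -ExclusionPath, Disable-ScheduledTask) are real; the rule names, the log-line shape and the sample lines are constructed for this example and are not telemetry from the SolidBit campaign.

```python
import base64
import re

# Detection rules for the Defender-tampering behaviour described above. Cmdlet and
# parameter names are real PowerShell/Defender ones; the rule names are assumptions
# made up for this example.
RULES = [
    ("defender_realtime_off",
     re.compile(r"Set-MpPreference\b.*-Disable\w*Monitoring\s+\$true", re.I)),
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Extension|Process)\b", re.I)),
    ("defender_scheduled_scan_disabled",
     re.compile(r"Disable-ScheduledTask\b.*Windows Defender", re.I)),
    ("defender_other_feature_off",
     re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$true", re.I)),
]

# powershell -e / -enc / -EncodedCommand takes base64 of UTF-16LE text; decode it
# before matching so an encoded Set-MpPreference is seen in plaintext.
ENCODED_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def expand_encoded(text: str) -> str:
    """Append the decoded form of any -EncodedCommand argument to the line."""
    out = text
    for m in ENCODED_ARG.finditer(text):
        try:
            out += " " + base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
        except ValueError:
            continue
    return out


def scan_lines(lines):
    """Return one finding per line that matches a rule (first matching rule wins)."""
    findings = []
    for line in lines:
        text = expand_encoded(line)
        for name, rx in RULES:
            if rx.search(text):
                findings.append({"rule": name, "line": line})
                break
    return findings


# Constructed sample log lines in the shape of PowerShell script-block (4104) and
# process-creation (4688) text. These are not real telemetry from the campaign.
ENC_SAMPLE = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16le")).decode()
SAMPLE_LOG = [
    "4104 ScriptBlockText: Get-ChildItem C:\\Users\\victim\\Documents",
    "4104 ScriptBlockText: Set-MpPreference -DisableRealtimeMonitoring $true",
    "4104 ScriptBlockText: Add-MpPreference -ExclusionPath 'C:\\Users\\victim\\AppData\\Local\\Temp'",
    "4104 ScriptBlockText: Disable-ScheduledTask -TaskPath '\\Microsoft\\Windows\\Windows Defender\\' "
    "-TaskName 'Windows Defender Scheduled Scan'",
    "4688 CommandLine: powershell.exe -NoP -W Hidden -EncodedCommand " + ENC_SAMPLE,
    "4104 ScriptBlockText: Set-MpPreference -DisableIOAVProtection $true",
    "4104 ScriptBlockText: Write-Host 'done'",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f["rule"], "<-", f["line"][:80])
```

The ordering of RULES matters: the specific real-time-monitoring rule sits before the generic "any -Disable* $true" rule so that a finding carries the most precise name. Script-block logging (4104) is the richer source, because it records the de-obfuscated script text even when the process command line only shows an encoded blob.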

The researchers recommend multifactor authentication (MFA) to limit attackers' ability to move laterally inside a network.

New DawDropper Malware Targeting Android Devices via Play Store

Trend Micro's security team has discovered a new campaign distributing banking trojans through the Google Play Store using a dropper it calls DawDropper. Droppers impersonate trusted apps to get onto victims' devices, are hard to tell apart from legitimate apps, and are highly effective for malware distribution. 

Trend Micro researchers reported that over a dozen malicious Android dropper apps carrying banking malware were found on the Google Play Store. 

DawDropper is also offered for sale as dropper-as-a-service (DaaS) by threat actors on underground forums. It uses a third-party cloud service, Firebase Realtime Database, to evade detection and to obtain the payload download address, and it hosts payloads on GitHub. 

The campaign aims to steal users' banking data, including PIN codes, passwords, and banking credentials, in order to steal money from their banking apps. The malware can also intercept text messages and give the attackers complete control over affected devices. 

“We found a malicious campaign that uses a new dropper variant that we have dubbed as DawDropper. Under the guise of several Android apps such as Just In Video Motion, Document Scanner Pro, Conquer Darkness, simpli Cleaner, and Unicc QR Scanner,” Trend Micro security team reported. 

The following are the names of the malicious dropper apps discovered on the Google Play Store: 

• Fix Cleaner
• Crypto Utils
• Rooster VPN
• Lucky Cleaner
• Extra Cleaner
• Simple Cleaner
• Conquer Darkness
• Call Recorder APK
• Unicc QR Scanner
• Eagle photo editor
• Call recorder pro+
• Universal Saver Pro
• Just In: Video Motion
• Document Scanner – PDF Creator
• Super Cleaner- hyper & smart 

These apps masquerade as utility and productivity apps, including VPN services, QR code readers, call recorders, and document scanners. By posing as general-purpose utilities, the droppers slip past Play Store security checks. Once installed, they download more capable and intrusive malware onto the device, such as Octo (Coper), Hydra, Ermac, and TeaBot. 

Trend Micro's blog post lists some steps that help keep mobile devices from being infected: 

• Don't install an app without checking its user reviews in the app store. 
• Research the app's developer and publisher before installing it. 
• Avoid installing apps from unknown sources.

Watch Out For This Raccoon Stealer 2.0 With New Capabilities


Raccoon Stealer, also known as Legion, Mohazo, and Racealer, is a high-risk trojan that steals credentials from infected systems. It is back with an upgraded second version circulating on cybercrime forums, offering its users improved password-stealing functionality and operational capacity. 

The trojan, which various groups offer as a service on hacker forums, can cause a range of problems once installed on a system. 

The Raccoon Stealer operation shut down in March 2022, when its operators reported that one of the lead developers had been killed during Russia's invasion of Ukraine. The team also promised to return with an upgraded second version with more capabilities. 

“We expect a resurgence of Raccoon Stealer v2, as developers implemented a version tailored to the needs of cybercriminals (efficiency, performance, stealing capabilities, etc.) and scaled their backbone servers to handle large loads,” Sekoia said in its report. 

According to the malware developers, the upgraded Raccoon version was built from scratch using C/C++, featuring a new back-end, front-end, and code to steal credentials and other data. 

Raccoon Stealer 2.0 has been distributed via a fake Malwarebytes website and steals personal information including basic system fingerprinting data, browser passwords, cookies, autofill data, and saved credit cards. 

Other data Raccoon Stealer collects:

• Cryptocurrency wallets and web browser extensions including MetaMask, TronLink, BinanceChain, and Ronin
• Exodus, Atomic, JaxxLiberty, Binance, Coinomi, Electrum, Electrum-LTC, and ElectronCash
• Individual files located on all disks
• Screenshot capturing
• Installed applications list

The stolen data can be misused in various ways, such as transferring funds out of victims' crypto wallets and other accounts (e.g., PayPal, bank accounts), so victims could lose their savings. Hijacked accounts (e.g., Facebook, email) can also be misused to borrow money. 

The stealer, which has already infected over 100,000 devices, is rented for $200 per month. It was one of the most frequently mentioned malware families on underground forums in 2019. 

North Orange County Community College District Suffered Ransomware Attack

 

According to an official filing by the District, on Monday, January 10, 2022, the North Orange County Community College District (NOCCCD or the District) noticed malicious activity on servers at both of the District's colleges, Cypress College and Fullerton College. 

In response, the District launched an investigation with the assistance of outside computer forensic specialists to learn more about the attack and determine whether any employee or student data was breached. Notices posted on the campus websites revealed that this was a ransomware incident. 

On March 25, 2022, the NOCCCD reportedly notified more than 19,000 people of the data security incident. It has begun sending data breach notification letters to all employees and students whose information was affected, and said it will send additional letters if it finds that other parties were impacted. 

The investigation confirmed that files containing sensitive personal data of employees and students may have been accessed or removed from the District's network. A copy of the notice was also posted on the Fullerton College page for international students. 

While disclosing what types of data might have been compromised, the notice read, “name, and passport number or other unique identification number issued on a government document (such as Social Security number or driver’s license number); financial account information; and/or medical information.” 

The District said it is also coordinating with the colleges to review and enhance existing data protection policies. It has implemented multi-factor authentication as well as an advanced threat protection and monitoring tool to improve security and safeguard data, and is rolling out new cybersecurity training for employees throughout the District.

Heroku Admits to Customer Database Hack after OAuth Token Theft

 

On Thursday Heroku disclosed that customer passwords were stolen in the cyberattack that occurred a month earlier, confirming that the incident also involved the code repository GitHub. Heroku revealed that the GitHub integration OAuth tokens stolen last month led to the compromise of an internal customer database. 

Following the attack, the company notified customers that it will reset their passwords on May 4 unless they change them beforehand. It also warned that existing API access tokens will be invalidated and new ones will have to be generated. 

"We appreciate your collaboration and trust as we continue to make your success our top priority. The initial detection related to this campaign occurred on April 12 when GitHub Security identified unauthorized access to our npm production infrastructure using a compromised AWS API key," GitHub said.

"Based on subsequent analysis, we believe this API key was obtained by the attacker when they downloaded a set of private npm repositories using a stolen OAuth token from one of the two affected third-party OAuth applications described above." 

The attack relates to the OAuth token theft that GitHub observed in April, which involved four OAuth applications belonging to Heroku Dashboard and one belonging to Travis CI. 

By stealing these OAuth tokens, malicious actors could access and download data from GitHub repositories belonging to those who authorized the compromised Heroku or Travis CI OAuth apps with their accounts. However, GitHub’s infrastructure, private repositories, and systems themselves were not impacted by the attack. 

GitHub said it informed Heroku and Travis CI of the incident on April 13 and 14 and "contacted Heroku and Travis-CI to request that they initiate their own security investigations, revoke all OAuth user tokens associated with the affected applications, and begin work to notify their own users."

Russia-linked APT29 Targets Diplomats Worldwide

 

Mandiant has discovered a spear-phishing campaign by the Russia-linked APT29 group targeting diplomats and government entities worldwide, including in Europe, the Americas, and Asia. 

The group is believed to be sponsored by the Russian Foreign Intelligence Service (SVR) and to have orchestrated the 2020 SolarWinds attack which hit hundreds of organizations. 

APT29, also known as Cozy Bear and The Dukes, has been active since at least 2014. Together with APT28 it was involved in the Democratic National Committee hack, the wave of attacks aimed at the 2016 US presidential election, and a November 2018 attempt to infiltrate the DNC. 

The phishing emails masqueraded as official notices from various embassies. The actors used Atlassian Trello, Dropbox, and other cloud services as part of their command-and-control (C2) infrastructure. 

“APT29 targeted large lists of recipients that Mandiant suspected were primarily publicly-listed points of contact of embassy personnel. These phishing emails utilized a malicious HTML dropper tracked as ROOTSAW, which makes use of a technique known as HTML smuggling to deliver an IMG or ISO file to a victim system.” reads the analysis published by Mandiant. 

When the attachment is opened, the ROOTSAW HTML dropper uses HTML smuggling to write an IMG or ISO file to disk. The image contains a Windows shortcut (LNK) file that loads a malicious DLL when clicked. Once the DLL executes, it delivers the BEATDROP downloader, which runs in memory. 
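The delivery chain above (HTML smuggling that writes an ISO carrying an LNK) can be spotted statically before the attachment ever runs. As an added example, not Mandiant's tooling or anything from the original report, here is a Python triage script that looks for the JavaScript constructs smuggling droppers combine (atob, Blob, createObjectURL, a download attribute), decodes any long base64 literal, sniffs the result for PE, ZIP or ISO 9660 magic, and checks whether the image carries a Shell Link header. The indicator list, the file name in the sample and the stand-in ISO bytes are constructed for this example; nothing here is taken from ROOTSAW itself.

```python
import base64
import re

# JavaScript constructs that HTML smuggling droppers typically combine to turn an
# embedded base64 string into a file download. Constructed indicator list, not a
# signature from Mandiant's report.
JS_INDICATORS = [
    r"\batob\s*\(",
    r"new\s+Blob\s*\(",
    r"URL\.createObjectURL\s*\(",
    r"msSaveOrOpenBlob",
    r"\.download\s*=",
    r"Uint8Array",
]

# Long quoted base64 literals; the length floor ignores small inline data URIs.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")

# Shell Link (.lnk) header: HeaderSize 0x4C followed by the start of the LinkCLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"


def sniff_payload(blob: bytes) -> str:
    """Classify a decoded payload by magic bytes (ISO 9660 puts 'CD001' at 0x8001)."""
    if blob[:2] == b"MZ":
        return "pe"
    if blob[:4] == b"PK\x03\x04":
        return "zip"
    if len(blob) >= 0x8006 and blob[0x8001:0x8006] == b"CD001":
        return "iso"
    if blob.startswith(LNK_MAGIC):
        return "lnk"
    return "unknown"


def analyze_html(html: str) -> dict:
    """Flag HTML that both carries smuggling JavaScript and embeds a decodable payload."""
    indicators = [p for p in JS_INDICATORS if re.search(p, html)]
    payloads = []
    for m in B64_LITERAL.finditer(html):
        try:
            data = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue
        payloads.append({
            "size": len(data),
            "type": sniff_payload(data),
            # an image carrying a shortcut, as in the ROOTSAW chain described above
            "contains_lnk": LNK_MAGIC in data,
        })
    return {
        "indicators": indicators,
        "payloads": payloads,
        "suspicious": len(indicators) >= 3 and bool(payloads),
    }


# Constructed stand-in for a smuggled ISO: a mostly empty image with the ISO 9660
# identifier at 0x8001 and an LNK header further in. Not a real artifact.
FAKE_ISO = b"\x00" * 0x8001 + b"CD001" + b"\x00" * 64 + LNK_MAGIC + b"\x00" * 32

# Constructed smuggling page in the usual shape: decode, wrap in a Blob, force a download.
SAMPLE_HTML = """<html><body><script>
var b64 = "%s";
var bin = atob(b64);
var arr = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);
var blob = new Blob([arr], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Embassy_Notice.iso";
a.click();
</script></body></html>""" % base64.b64encode(FAKE_ISO).decode()

BENIGN_HTML = "<html><body><p>Embassy opening hours</p></body></html>"

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(name, analyze_html(doc))
```

The three-indicator threshold combined with a decodable payload is a deliberate trade-off: legitimate pages use atob or Blob on their own, but rarely pair them with a base64 literal of tens of kilobytes that decodes to a disk image or an executable.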

“BEATDROP is a downloader written in C that makes use of Trello for C2. Once executed, BEATDROP first maps its own copy of ntdll.dll into memory for the purpose of executing shellcode in its own process. BEATDROP first creates a suspended thread with RtlCreateUserThread which points to NtCreateFile...” 

 “…Following this, BEATDROP will enumerate the system for the username, computer name, and IP address. This information is used to create a victim ID, which is used by BEATDROP to store and retrieve victim payloads from its C2. Once the victim ID is created, BEATDROP will make an initial request to Trello to identify whether the current victim has already been compromised”, the report read.

1.3 million Iberdrola Customers Hit In Cyberattack

 

A few days ago, the Iberdrola group was hit by a cyberattack that exposed personal data of 1.3 million customers, the company confirmed. 

The company added that the breach was stopped within a few hours and the matter was resolved the same day, but the attack nonetheless affected 1.3 million users. The attackers reportedly could only access names, surnames, and national ID numbers; they did not reach bank, tax, or electricity consumption data. The next day, after the breach had been closed, the company detected further large-scale attacks that did not achieve their objective. 

Iberdrola then released a statement to customers assuring them that all necessary steps had been taken to mitigate the impact of the attack and that no financial data such as bank details, account numbers, or credit card details had been compromised. It also recommended that customers be cautious of any emails or communications impersonating Iberdrola. 

"If you have received the statement issued by the company, you must be vigilant and regularly monitor what information circulates on the Internet to detect if your private data is being used without your consent," the representatives added. 

Iberdrola's chairman, Ignacio Galán, likened the incident to the attacks on the Cercanías commuter rail service in Madrid, the Congress of Deputies, and other European institutions, but said the attackers had not had access to critical data. Iberdrola also revealed that “we were warned by the United States government about the possibility of a cyber-attack after the invasion of Ukraine.”

Iberdrola is a Spanish multinational electric utility with more than 34,000 employees serving around 31.67 million customers. According to a 2013 report, its largest shareholders were Qatar Investment Holding, Norges Bank, Kutxabank, and CaixaBank.

Microsoft Fixes Critical Azure Bug That Exposed Customer Data

Microsoft has fixed a vulnerability in the Azure Automation service, dubbed ‘AutoWarp’ by the researchers who found it, that could have allowed malicious actors to take over other Azure customers' credentials. 

Azure Automation provides process automation, configuration management, and update management, with each scheduled job running inside an isolated sandbox for each Azure customer. 

According to Orca Security cloud security researcher Yanir Tsarimi, the vulnerability allowed an attacker to obtain other Azure customers' Managed Identity authentication tokens from an internal server that manages the sandboxes.

"Someone with malicious intentions could've continuously grabbed tokens, and with each token, widen the attack to more Azure customers. This attack could mean full control over resources and data belonging to the targeted account, depending on the permissions assigned by the customer. We discovered large companies at risk (including a global telecommunications company, two car manufacturers, a banking conglomerate, big four accounting firms, and more)." Yanir Tsarimi said. 

Microsoft said the flaw was fixed by blocking access to authentication tokens from every sandbox except the one legitimately entitled to them. 

Following the incident, the company informed all its affected Azure users and recommended the best security practices for further protection of the system.

1.5 Billion Facebook Users Data Breach or a Scam?

 

Facebook, Messenger, Instagram, and WhatsApp were all down for about seven hours worldwide; meanwhile, unknown hackers allegedly stole the data of 1.5 billion Facebook users and offered it for sale on the dark web, according to findings published by Privacy Affairs (RPA). The data reportedly includes user names, email addresses, physical addresses, locations, and phone numbers. 

“It’s the biggest and most significant Facebook data dump to date– about three times greater than the April leak of 533 million phone numbers,” the publication noted. 

However, responding to the report, Facebook said that “this was old data and the security vulnerability responsible had been patched back in 2019”. 

At present, it has not been confirmed whether the RPA's findings are legitimate. Some people reported that they tried to buy the data and, after paying the hackers $5,000, received nothing, so a scam is a real possibility. 

The fact that buyers who paid the hackers got nothing could indicate that the group's claims are baseless. Security experts nevertheless suggest that all Facebook users stay vigilant for unusual activity on their accounts. 

At a Senate subcommittee hearing with a Facebook whistle-blower on Tuesday, Senator Marsha Blackburn from Tennessee said, “News broke yesterday that the private data of over 1.5 billion — that’s right, 1.5 billion — Facebook users are being sold on a hacking forum.” “That’s its biggest data breach to date,”  the subcommittee’s ranking Republican member further added. 

Although many believe the data has been breached, there is no solid proof yet. Aric Toler, a researcher with the investigative journalism group Bellingcat, noted that someone who claimed to have paid for the data found it was a scam, so the breach remains unconfirmed. 

Ursnif Trojan Steals Personal User Data, Proofpoint Report Says

 

Researchers at Proofpoint have found a new Ursnif banking malware campaign by a threat actor tracked as TA544 targeting organizations in Italy. The researchers identified 20 major campaigns delivering malicious messages to Italian organizations. 

TA544 is a financially motivated threat actor active since 2017 that targets banking users, delivering banking trojans and other payloads to compromise companies worldwide, primarily in Italy and Japan. The researchers observed that between January and August 2021 the number of Ursnif campaigns targeting Italian organizations was almost equal to the total for all of 2020. 

"Today’s threats – like TA544’s campaigns targeting Italian organizations – target people, not infrastructure. That’s why you must take a people-centric approach to cybersecurity. That includes user-level visibility into vulnerability, attacks and privilege and tailored controls that account for individual user risk," Proofpoint concludes. 

TA544 uses social engineering and phishing to lure victims into enabling macros in weaponized documents. Once the macro is enabled, the infection chain starts. In recent attacks against Italian companies, the actor impersonated an energy company or an Italian courier and used payment-themed lures. 

These spam emails use weaponized Office documents to deploy the Ursnif banking malware in the final stage. TA544 used geofencing to check whether targets were in the intended geographic area before delivering the malware; if the user was not in the target area, the C2 server redirected them to an adult site. So far in 2021, the researchers have found around 500,000 messages associated with these campaigns. The actor used web injects to steal personal data such as login credentials and banking details. 

Analysis of the web injects revealed that the attackers were also trying to steal credentials for the websites of major retailers. 

Proofpoint reports "recent TA544 Ursnif campaigns included activity that targeted multiple sites with web injects and redirections once the Ursnif payload was installed on the target machine. Web injects refer to malicious code injected to a user’s web browser that attempts to steal data from certain targeted websites. The list included dozens of targeted sites."

LockBit 2.0 Ransomware Hit Israeli Defense Firm E.M.I.T. Aviation Consulting

 

LockBit 2.0 ransomware operators have reportedly hit the Israeli aerospace and defense firm E.M.I.T. Aviation Consulting Ltd. The attackers claim to have accessed the company's internal systems and stolen data. 

The group is threatening to publish the stolen data, which it says includes sensitive information, invoices, employee records, and possibly payment data, on its dark web leak site unless the company pays the ransom. The attackers have not yet leaked any data as proof of the attack; the countdown ends on 07 October 2021. 

It has not been disclosed how the attackers gained access to the company's systems or when the incident took place. Like other ransomware operations, LockBit 2.0 runs a ransomware-as-a-service model and maintains a network of affiliates. 

LockBit ransomware has been active since September 2019, and in June the group announced the LockBit 2.0 RaaS. After ransomware advertisements were banned on hacking forums, the LockBit operators set up their own leak site, where they promote the new model and advertise the LockBit 2.0 affiliate program. 

At present, the LockBit gang is highly active, targeting numerous organizations worldwide including Riviana, Anasia Group, Wormington & Bollinger, Vlastuin Group, DATA SPEED SRL, SCIS Air Security, Peabody Properties, Island Independent Buying Group, Buffington Law Firm, Day Lewis, and many others. 

A few months ago, the Australian Cyber Security Centre (ACSC) warned Australian organizations about LockBit 2.0 ransomware attacks. E.M.I.T. Aviation Consulting Ltd was established in 1986 and designs and assembles complete aircraft, tactical and sub-tactical UAV systems, and mobile integrated reconnaissance systems.

Marcus & Millichap Hit With Potential BlackMatter Ransomware

 

Marcus & Millichap, a publicly traded real estate investment company, became the victim of a recent cyberattack that may have been the work of the BlackMatter ransomware group, according to a malware sample discovered on Hatching Triage.

In an 8-K filing with the SEC on Monday, the company said that it "had been subject to a cybersecurity attack on its information technology systems." Marcus & Millichap said there was no indication of a data leak and did not characterize the attack as ransomware. 

The filing stated, "[Marcus & Millichap] immediately engaged cybersecurity experts to secure and restore all essential systems and was able to do so with no material disruption to its business." 

"The Company's investigation of the attack is ongoing; however, at this time there is no evidence of any material risk or misuse relating to personal information." 

However, a BlackMatter ransomware sample found on Hatching Triage by Valéry Marchive of TechTarget sister site LeMagIT displayed a ransom message linking the sample to Marcus & Millichap. 

Although the ransom note does not mention Marcus & Millichap by name, it does mention systems connected to the domain "mmreibc.prv," which closely resembles a domain owned by the firm, mmreibc.com. 

A 2010 Malwarebytes forum post from a user includes a list of documents containing both the mmreibc.prv domain and two clear references to Marcus & Millichap. Last year, a Microsoft community post also clearly referenced both the company and mmreibc.prv. 

The note reads, "If you are not going to contact us in the next 3 days, we will prepare your data for the publications. Your personal company info will be leaked and will be in the news. This will lead to a fall of your stock." 

The ransom note further claimed that 500 GB of data had been stolen. Since the ransom negotiation chat site has been locked, the status of any negotiations between the victim and BlackMatter is unclear. 

According to the 8-K filing, Marcus & Millichap carries cyber insurance, which it believes will cover most of the costs related to the attack. 

SearchSecurity asked Marcus & Millichap whether the event was a BlackMatter ransomware attack and whether the firm paid a ransom. A spokesperson issued the following statement: 

"Marcus & Millichap's 8-K filing stands on its own and best provides the context of what occurred and how we responded to a cyberattack. In keeping with our tradition of placing the highest priority on corporate systems, client service and agent and originator support, we immediately deployed all necessary resources to respond to the incident. As mentioned in the filing, we were able to restore all essential systems and at present, there is no interruption to our business." 

The BlackMatter ransomware group first surfaced in July. At that point, security intelligence provider Flashpoint stated that the threat actor resembled ransomware giants REvil and DarkSide and was aiming for large-scale victims.

Hackers Steal Data of 40,000 Patients From a Kidney Hospital in Thailand


On Wednesday, Thirachai Chantharotsiri, director of Bhumirajanagarindra Kidney Institute Hospital, lodged a complaint that the personal information of over 40,000 patients had been stolen by a hacker. The compromised data included personal details and allegedly the patients' medical histories. 

Speaking to local media at Phaya Thai police station, Dr. Chantharotsiri said that on Monday the patient database of the hospital, in the Ratchathewi district of Bangkok, became inaccessible to staff. A subsequent system check revealed that data had been stolen. The breach damaged the hospital's data system, leaving the X-ray archive inaccessible. 

According to the commissioner of the CCIB, Pol Lt Gen Kornchai Kalyklueng, owing to the uncertainty about the perpetrators, the investigating agency will seek support from US authorities and other international organizations to track down the hackers. 

Dr. Thirachai said that the facility later received a call from a foreigner claiming to have hacked the system; the English-speaking man tried to negotiate a payment in exchange for the hospital's data. 

The director filed a police complaint along with a recording of the call; reportedly, he did not hear from the anonymous caller again. 

To allay concerns, hospital officials said the compromised data included only basic patient data, emphasizing that diagnostic and medical records were untouched. 

According to the CCIB's investigation, the group behind the hack is probably the same one that breached Krungthai Bank, exposing client information, and a hospital in the Northeast. Although the group appears to be of Indian origin and used a server in Singapore, the most recent findings indicate that the threat actors were operating from the US.

Beaumont Health: The Latest Victim of Accellion Breach

 

Beaumont Health, headquartered in Michigan, is the latest victim of the Accellion data breach, which began in December 2020 and has so far claimed around 100 victims. Threat actors exploited zero-day vulnerabilities in Accellion's File Transfer Appliance (FTA), compromising the data of millions of patients. 

Beaumont Health has alerted approximately 1,500 patients that their personal information may have been compromised as a result of the December cyberattack on the Accellion software. Beaumont had engaged the law firm Goodwin Procter LLP for legal services, and the firm used Accellion's FTA to make large file transfers on behalf of its clients. 

Goodwin notified the healthcare provider on February 5 that patient data had been breached. Following the announcement of the Accellion breach, Goodwin conducted a digital forensics investigation and discovered that an unknown person had exploited a vulnerability in the application to obtain specific documents. 

“The potentially impacted information included a listing of roughly 1500 patients who had one of two procedures performed at a Beaumont Hospital,” mentioned in a statement issued on August 27 by Beaumont Health. 

“The list included the patient name, procedure name, physician name, the internal medical record number and the date of service. This incident is limited to these patients and does not affect all patients of Beaumont.” 

The healthcare provider also stated that the breach had no financial implications and neither Beaumont nor Goodwin had discovered any indication of the exposed data being exploited. 

On behalf of Beaumont, Goodwin contacted impacted people via mail on August 27 at their last known address to inform them about the data breach. The letter advises patients on the actions they should take to protect themselves from identity theft. 

“The notice letter specifies steps impacted individuals may take to protect themselves against identity fraud, including enrolling in complimentary credit monitoring services (if eligible), placing a fraud alert/security freeze on their credit files, obtaining free credit reports, remaining vigilant in reviewing financial account statements and credit reports for fraudulent or irregular activity on a regular basis and taking steps to safeguard themselves against medical identity theft,” stated Beaumont. 

“At Beaumont, protecting the privacy of personal information is a top priority,” the statement concluded. 

Goodwin is examining its data security policies and protocols in the aftermath of the incident. 

Accellion is now facing lawsuits

As the number of disclosed breaches grows, Accellion is facing more than a dozen lawsuits. In February, the Cybersecurity and Infrastructure Security Agency (CISA), together with security agencies in the United Kingdom, New Zealand, Singapore, and Australia, issued a warning to companies about the Accellion hack. 

The Clop ransomware gang claimed responsibility for the attack, which exploited four previously unknown vulnerabilities. Some of the group's most recent victims include Kroger, Bombardier, Southern Illinois University School of Medicine, and Trillium Community Health Plan. 

In April, Trinity Health, located in Michigan, alerted over 580,000 patients that their information had been compromised. Demographic data, names, medical record numbers, and medical tests were among the information stolen. 

Centene also alerted over 1.3 million patients of the Accellion data leak in April. Contact information, birthdates, insurance ID numbers, and treatment information were all acquired by the hackers. 

In a large-scale extortion campaign, the Clop gang published stolen data online, and some of the affected companies received emails from the intruders seeking to increase the pressure to pay. The number of victims continues to rise months after the initial attack.

Hackers Publish Classified Documents Stolen from Lithuanian Ministry of Foreign Affairs

 

The Lithuanian Ministry of Foreign Affairs has refused to comment on the credibility of e-mail files allegedly stolen from its systems and offered for sale on the RaidForums hacking platform. The archive reportedly consists of 1.6 million emails, including correspondence and documents marked as sensitive and highly sensitive.

To lure potential purchasers, the hacker published several documents and pieces of correspondence belonging to Lithuanian diplomats as proof of the authenticity of the data. In a post yesterday, the hacker shared two files, claiming they were email archives of conversations involving senior representatives of Lithuania’s embassy in Georgia.

The hacker claims to hold a 300GB cache of 102 Outlook Data Files (PST), which supposedly include discussions of secret negotiations against U.S. President Biden and of preparations for war with Belarus, including a “nuclear strike”.

The leaked documents are marked as secret, top secret, and cosmic. The seller also shared a list of names of people who presumably work for the Lithuanian Ministry of Foreign Affairs.

On Thursday the Lithuanian Ministry of Foreign Affairs posted a short statement declining to comment on the potential leak or on whether it is genuine.

“The Ministry of Foreign Affairs is unable to confirm the veracity of the information disseminated to the public and will not comment. We see this as an information attack by unfriendly countries,” the Lithuanian Ministry of Foreign Affairs stated. 

The ministry was targeted in November 2020 in an attack attributed to Russian actors, but the incident was not disclosed at the time. It remains unclear how much the seller is asking for the cache, but some forum users expressed interest in purchasing the leak. According to them, some inboxes contain about 10 years of documents.

Gitanas Nausėda, the president of Lithuania, said this week that there is evidence suggesting that information was stolen in the November attack and that some of it is deemed classified.

"An investigation is ongoing, with no doubt, we will assess the damage done during this cyber-attack. But there are certain signs showing that certain information leaked. And that information is deemed classified," the president said in an interview with the Delfi.lt news website.

SpearTip: New Diavol Ransomware Does Steal Data

 

The Wizard Spider threat group, which is behind the Trickbot botnet, has been linked to a new ransomware operation called Diavol, according to security experts. 

According to BleepingComputer, the two ransomware families use nearly identical command-line parameters for the same functionality and use the same I/O operations for queuing files for encryption. 

Although there are some commonalities, as BleepingComputer has indicated and SpearTip has confirmed, there are two key distinctions that make a direct link unlikely. Diavol does not perform the location check that would prevent its payload from executing on Russian targets. This is significant, since most malware of this kind avoids Russian systems. 

Data Exfiltration

FortiGuard Labs explains in its analysis of Diavol that, “According to the note, the authors claim they stole data from the victim’s machine, though we did not find a sample that was capable of performing that. This is either a bluff or a placeholder for future capabilities.” 

Following additional analysis by SpearTip's engineers, the Diavol ransomware gang does appear to be stealing data. Although the ransomware executable itself lacks this capability, the group employs techniques that allow data to be exfiltrated in a particularly evasive manner. 

The Diavol gang uses a Cobalt Strike HTTP beacon, which appears to assist data exfiltration. The beacon was named sysr.dll and was stored in a folder created by the threat actors. Both its network connectivity and the mechanism it uses to inject into memory are hard to trace. 

SpearTip has confirmed that the beacon both exfiltrated files and deleted them. Its engineers established that the Diavol gang stole data and, through interaction with the threat actors, obtained evidence of data exfiltrated from several organizations. When SpearTip's engineers investigated, they found that the evasive Cobalt Strike HTTPS Beacon, which can be used to exfiltrate data, had been deployed. 

Over the past few years the former Trickbot operators have been targeted by law enforcement actions, yet have proven resilient and have integrated themselves into different ransomware groups. It is not unexpected to see signs of their activities and tactics in another ransomware gang. When evaluating data exfiltration, it is critical to perform a thorough investigation and to understand how the group's techniques have evolved; only then is forensic reporting accurate.

Cyber Criminals Leak Hackney Council Files on the Darknet Website

 

The cybercriminal group known as Pysa/Mespinoza has leaked sensitive information stolen from Hackney Council on its darknet website. The attackers claim the documents were taken from Hackney Council in a ransomware attack last year. The council, in East London, stated that it is working with the Ministry of Housing and the UK’s National Cyber Security Centre (NCSC) to investigate and understand the impact of the incident.

The stolen data published on the dark web contains personal information of council staff and residents; the files reportedly include photo IDs, staff data and passport dumps. The group is using the stolen data as leverage to extort payment from Hackney Council.

Cybersecurity expert Brett Callow stated that “It’s an increasingly commonplace for ransomware groups to steal data and use the threat of its release as additional leverage to extort payment. Organizations in this position are without a good option. Whether they pay or not, they’ve had a data breach and the criminals have their information. The most they can hope for is a pinky-promise that it will be destroyed”.

In this regard, National Cyber Security Centre (NCSC) guidance states that there is no assurance that organizations, companies, or councils will regain access to their stolen data even if the extorters' ransom demand is met. Hence law enforcement ‘does not encourage, endorse, nor condone the payment of ransom demands’.

A Hackney Council spokesperson said that the initial investigation found no indication that the majority of residents' sensitive personal information had been published or affected, and no sign of this information being visible via Internet search engines.

He added that the necessary precautionary measures have been taken and that the council is closely monitoring the incident. It is working with the Information Commissioner’s Office, the Metropolitan Police, and the National Crime Agency to investigate the incident.

Data Breach: Stolen User Records from 26 Companies Being Sold Online

 

A data broker is allegedly selling stolen user data from twenty-six companies on a hacker forum. The seller has reportedly set prices for some of the stolen databases and has yet to decide the pricing for the rest. 

The records on offer total 368.8 million and come mostly from companies that had previously disclosed a data breach; seven companies new to the list are Sitepoint.com, Anyvan.com, MyON.com, Teespring.com, Eventials.com, ClickIndia.com, and Wahoofitness.com.

Dark web and hacking forums regularly make headlines for their role in enabling data brokers and hackers to leak or sell databases of user information, credentials and records taken in data breaches of companies worldwide, which later confirm the breaches. In this case, however, only MyON and Chqbook have responded to the claims; the other six newly listed companies have made no statement confirming that they experienced a data breach.

In a conversation with BleepingComputer, while confirming that their networks were compromised, MyON.com said, "In July 2020 we were made aware of a bad actor trying to sell portions of our data on the dark web. We immediately began investigating to shut down any continued threats to our data or the data of our customers. We were then able to confirm that according to federal and state privacy laws, no confidential student or customer data was compromised, and this incident did not rise to the level of an actual breach of student private data."  

Chqbook.com, on the other hand, denied the claims of a data breach in an email to BleepingComputer, saying, "There has been no data breach and no information belonging to our customers has been compromised. Data security is a key priority area for us and we conduct periodic security audits to ensure the safety of our customers’ information."  

The companies whose data is being offered, with the number of records for each, are as follows: MyON.com (13 million), Singlesnet.com (16 million), Teespring.com (8.2 million), ModaOperandi.com (1.2 million), Chqbook.com (1 million), Pizap.com (60 million), Anyvan.com (4.1 million), Fotolog.com (33 million), Eventials.com (1.4 million), Wahoofitness.com (1.7 million), Reverbnation.com (7.8 million), Sitepoint.com (1 million), Netlog.com (53 million), Clickindia.com (8 million), Cermati.com (2.9 million), Juspay.in (100 million), Everything5pounds.com (2.9 million), Knockcrm.com (6 million), Accuradio.com (2.2 million), Mindful.org (1.7 million), Geekie.com.br (8.1 million), Bigbasket.com (20 million), Wognai.com (4.3 million), Reddoorz.com (5.8 million), Wedmegood.com (1.3 million), Hybris.com (4 million). 

Users with accounts on any of the above websites are strongly advised to change their passwords, choosing a strong, unique password that cannot be guessed by a brute-force attack.

DeviceLock: data from 115 thousand Russians was put up for sale on the Web


A database containing the data of Russians who were stranded abroad because of the coronavirus and returned to their homeland has been put up for sale, although its authenticity has not been confirmed, said Ashot Hovhannisyan, Technical Director of DeviceLock.

According to him, the first announcement of the sale appeared in late April. The seller asked for 240 thousand dollars for the database and claimed that it contained 79.6 thousand lines.

The seller did not provide any evidence that the database exists or that it is authentic, and removed the advertisement a few days later.

In June, a similar offer appeared from another seller, who claims that the database is current as of this month and contains about 115 thousand lines. The price was set at 66.6 bitcoins (about 627 thousand dollars).

"Based on the samples provided by the seller, we can say that the database contains 58 columns, including full name, date of birth, passport data, address, phone number, e-mail, date of entry and exit from Russia, date of application on the public services portal, as well as bank card and account data, passport data and country of location," said Hovhannisyan.

He explained that the database was most likely copied while it was being transferred from one department to another over electronic communication channels.

The expert added that the offer may also be a fake, since the seller set an unusually high price and did not confirm the authenticity of the data beyond screenshots showing 34 lines.

The expert warned that if the database does exist, victims may receive phishing emails about supposedly accrued compensation and calls from fraudsters asking them to read out a code from their online banking service.

According to Hovhannisyan, the seller writes that he uses the database for carding, buying App Store & iTunes gift cards with the card details it contains and then reselling them.

Conduent's European Operations Hit by Maze Ransomware, Data Stolen


Conduent, a business process outsourcing company, has confirmed that its European operations were crippled by a ransomware attack on Friday. In its immediate response, the IT services giant restored most of the affected systems within eight hours of the incident.

The security software company Emsisoft and the threat intelligence firm Bad Packets both assessed it as highly probable that Conduent was attacked by Maze ransomware.

What is a Maze ransomware attack?

Maze is a sophisticated strain of Windows ransomware that not only encrypts individual systems but also spreads across the whole network, infecting each machine. Maze typically targets organizations around the globe and demands a ransom in cryptocurrency for recovery of the encrypted data.

It is the same ransomware variant that hit the IT services company Cognizant on April 18. Although the New Jersey-headquartered company chose not to share many details about the security incident, it said that its services were disrupted and that internal security teams were taking active measures to contain the impact. Reportedly, some of the company's employees were locked out of the mail systems as a result of the attack.

In Conduent's case, the threat actors have posted online two zip files that appear to contain data relating to the company's services in Germany, according to Emsisoft's assessment. The files were published on the website where the Maze group leaks data from its attacks.

The company's operations were disrupted at around 12:45 AM CET on Friday, May 29th, and by 10:00 AM CET that morning the systems had been restored and were functional again. Conduent said its systems identified the ransomware, which was then addressed by its cybersecurity protocols.

Commenting on Cognizant's incident, CFO Karen McLoughlin said, "While we have restored the majority of our services and we are moving quickly to complete the investigation, it is likely that costs related to the ransomware attack will continue to negatively impact our financial results beyond Q2."

In a statement confirming last week's attack, Conduent said: “Conduent's European operations experienced a service interruption on Friday, May 29, 2020."

"Our system identified ransomware, which was then addressed by our cybersecurity protocols. This interruption began at 12.45 AM CET on May 29th with systems mostly back in production again by 10.00 AM CET that morning, and all systems have since then been restored. This resulted in a partial interruption to the services that we provide to some clients. As our investigation continues, we have on-going internal and external security forensics and anti-virus teams reviewing and monitoring our European infrastructure."

Conduent did not, however, answer questions about the theft of data or about the findings of the two cybersecurity companies indicating that data was stolen.