Search This Blog

Showing posts with label RSA. Show all posts

North Korea: Maui Ransomware Attacks Healthcare Services

 

North Korean state-sponsored hackers are using Maui to encrypt computers and data for vital healthcare services, including electronic health records, diagnostics, imaging, and intranet. A joint advisory from the FBI, the Treasury Department, and the Cybersecurity and Infrastructure Security Agency (CISA) describes a ransomware campaign that Pyongyang has been executing at least since May 2021. 

Traits of threat actors

It is unknown how these threat actors enter organizations through the initial access vector. The less well-known ransomware family stands out, according to cybersecurity firm Stairwell, since it lacks numerous essential characteristics typically found in ransomware-as-a-service (RaaS) groups. Stairwell's findings served as the basis for the alert. 

The lack of an "embedded ransom letter to provide recovery instructions or automated means of transferring encryption keys to attackers" is one analogy of this, according to security expert Silas Cutler in a technical analysis of the ransomware.

Instead, Maui sample analysis indicates that the malware is made to be manually executed by a remote actor using a command-line interface, utilizing it to target particular files on the compromised machine for encryption, as recently seen in the case of Bronze Starlight.

Each of these keys is then encrypted with RSA using a key pair generated for the first time when Maui is launched, in addition to encrypting target files with AES 128-bit encryption with a new key. The RSA keys are encrypted using a hard-coded, particular-to-each-campaign RSA public key as a third-degree of security.

The fact that Maui is not provided as a service to other affiliates for use in exchange for a cut of the money earned is another thing that sets it apart from other conventional ransomware products. 

Why is DPRK targeting healthcare?

Ransomware is highly hazardous in the healthcare industry. Such businesses often don't provide cybersecurity much attention or funds. Hospitals and other similar organizations also own critical medical and health data prone to abuse. Furthermore, such facilities cannot afford to be shut down for an extended period, which increases the possibility that they might pay the ransom to resume services.

Although these North Korean-sponsored ransomware operations targeting healthcare companies have been occurring for a year, iboss claims that they have increased significantly and become more sophisticated since then. It's the most recent example of how North Korean enemies are changing their strategies to shadily produce an ongoing flow of income for the country's struggling economy. 

The ransomware attacks are alleged to have temporarily or permanently affected health services in several cases. It is currently uncertain what infection vector was first used to carry out the incursions. Only 2% of those who paid the ransom in 2021 received their whole data recovered, according to the Sophos' State of Ransomware in Healthcare 2022 report. This compares to the global average of 46%. 

PYSA Ransomware Group: Experts Share In-Depth Details

 

Since August 2020, the cybercrime group adopted a five-stage system design, with the malware developers prioritizing enhancements to boost the efficiency of its activities, according to an 18-month examination of the PYSA ransomware operation. The GSOC explores the PYSA ransomware inside this Threat Analysis Report. Once the Federal Bureau of Investigation (FBI) informed of the ransomware's increased activity and significant harmful impact early this year, it became known as the PYSA ransomware. 

This includes a user-friendly tool, such as a full-text search engine, to make metadata extraction easier and allow threat actors to easily locate and access victim information. "The group is notorious for thoroughly researching high-value targets before unleashing its operations, compromising business systems, and forcing researchers to pay significant ransoms to retrieve sensitive data," stated PRODAFT, a Swiss cybersecurity firm, in a comprehensive report released last week. 

PYSA, which stands for "Protect Your System, Amigo" and is a descendant of the Mespinoza ransomware, was initially discovered in December 2019 and has since risen to become the third most common ransomware strain reported in the fourth quarter of 2021. The cybercriminal cell is thought to have exfiltrated confidential info linked to as many as 747 individuals since September 2020, until its databases were taken down earlier this January. 

The majority of its victims are in the United States and Europe, and the gang primarily targets the federal, medical, and educational sectors. "The United States was the most-affected country, contributing for 59.2 percent of all PYSA occurrences documented," Intel 471 stated in a review of ransomware assaults observed from October to December 2021. PYSA, like all other malware attacks, is renowned for using the "big game hunting" method of double ransom, which involves making the stolen data public if the victim refuses to comply with the firm's demands. 

Every relevant key is encrypted and assigned the ".pysa" extension, which can only be decoded with the RSA private key given after paying the fee. PYSA victims are claimed to have paid about 58 percent in digital payments to get access to protected data. PRODAFT was able to find a publicly accessible. git folder owned by PYSA operators and designated one of the project's writers as "dodo@mail.pcc," a danger actor based on the commit history thought to be situated in a country that observes daylight savings time.

As per the study, at least 11 accounts are in control of the whole operation, the mass of which was formed on January 8, 2021. However, four of these accounts — t1, t3, t4, and t5 — account for approximately 90% of activity on the management panel of the company. Other operational security failures committed by the group's members allowed a concealed system running on the TOR secrecy network — a server provider (Snel.com B.V.) based in the Netherlands — to be identified, providing insight into the actor's techniques. PYSA's infrastructure also includes dockerized containers for global leak servers, database servers, administrative servers, and an Amazon S3 cloud for storing the files, which total 31.47TB.

The panel is written in PHP 7.3.12 by using the Laravel framework and uses the Git version monitoring system to oversee the development process. Furthermore, the admin panel exposes several API endpoints that allow the system to display files, auto-generate GIFs, and scan data, which is used to group stolen victim data into broad categories for simple retrieval. Several or more potential threat groups spent nearly five months within the system of an undisclosed regional US government agency before delivering the LockBit ransomware malware at the start of the year, as per research from cybersecurity firm Sophos.

The Emotet Malware is Alive and Using TrickBot to Rebuild its Botnet

 

The malicious Emotet botnet, which made a comeback in November 2021 after a 10-month break, is showing indications of steady expansion once again, collecting a colony of over 100,000 infected hosts to carry out its destructive actions. 

In a new round of attacks, Emotet, a Banking Trojan which has evolved into a formidable modular threat, has reappeared with improved features. It has infected devices to carry out additional spam campaigns and install various payloads like the QakBot (Qbot) and Trickbot malware. These payloads would subsequently be utilized to give threat actors, such as Ryuk, Conti, ProLock, Egregor, and others, early access to deploy ransomware. 

"While Emotet has not yet reached the same magnitude as before, the botnet is displaying a strong resurrection with a total of around 130,000 unique bots scattered over 179 countries since November 2021," Lumen's Black Lotus Labs researchers wrote in a report. On April 25th, 2021, German law enforcement used the network to send an Emotet module that removed the malware from afflicted devices. 

The TrickBot malware has begun to dump an Emotet loader on affected devices, according to Emotet research group Cryptolaemus, GData, and Advanced Intel. While Emotet used to deploy TrickBot, the threat actors now use a mechanism called "Operation Reacharound" by the Cryptolaemus group, which rebuilds the botnet utilizing TrickBot's current infrastructure. 

Apart from command-and-control (C2) lists and RSA keys, which change from version to version, Emotet's main payload hasn't changed much, but the list of phrases used to establish a process name for its bot has been renewed. Along with new binaries, words like engine, finish, magnify, resapi, query, skip, and many more are utilized and modified. Researchers may be able to construct signatures to detect Emotet infections on machines once these lists have been secured, but signature-based detection is more challenging if the list changes. 

Abuse.ch has published a list of the new Emotet botnet's command and control servers and strongly advises network administrators to ban the linked IP addresses. Another new feature is the ability to collect extra system information from compromised workstations in addition to a list of running processes. The number of bots and associated dispersion are crucial indicators of Emotet's success in reconstructing its once-vast infrastructure.

SEGA's Europe Security : AWS S3 Bucket Exposed Provides Steam API Access

 


During a cloud-security assessment, SEGA Europe discovered that critical data was being kept in an unsecured Amazon Web Services (AWS) S3 bucket, and it's sharing the story to encourage other companies to double-check their own systems. VPN Overview researcher Aaron Phillips collaborated with SEGA Europe to protect the leaked data. SEGA's revelation, according to Phillips, is designed to assist the broader cybersecurity community in improving their own defenses.

The unsecured S3 bucket may be used to access user data, including information on thousands of members of the Football Manager forums at community.sigames.com. The following are the issues that have been detected in SEGA Europe's Amazon cloud: 

  • Developer key for Steam 
  • RSA keys are a type of cryptography. 
  • PII and passwords that have been hashed 
  • API key for MailChimp 
  • Credentials for Amazon Web Services 

Sensitive data in hands of a malicious actor could be disastrous for any company, but as Lookout's Hank Schless explained to Threatpost, gaming companies continue to be of particular interest to attackers. To threat actors, gaming firms hold a gold mine of personal data, development information, proprietary code, and payment information. Gaming firms must ensure that their data is protected while consumers from all over the world play their games, thanks to data privacy rules like the CCPA and GDPR.

Indeed, well-known brands like Steam, Among Us, Riot Games, and others have been hacked and utilized to deceive innocent gamers. There is no evidence that malevolent third parties had previously accessed sensitive data or exploited any of the disclosed vulnerabilities, according to the security firm. Researchers were able to upload files, run scripts, edit existing web pages, and change the settings of critically susceptible SEGA domains, according to the researchers. Downloads.sega.com, cdn.sega.com, careers.sega.co.uk, sega.com, and bayonetta.com are among the affected sites. The domain authority scores of several of the afflicted domains are high. 

This cybersecurity research should serve as a wake-up call for enterprises to evaluate their cloud security procedures. The researchers are hoping that more companies follow SEGA's lead in researching and addressing known vulnerabilities before fraudsters use them. There is no evidence that malevolent third parties had previously accessed sensitive data or exploited any of the disclosed vulnerabilities, according to the security firm.

Cyberattacks can even take human lives

Cyberattacks by nation-states will soon kill people, either deliberately or unintentionally, a senior security researcher told attendees at the RSA Conference this week.

The May 2017 WannaCry attacks by North Korea and the NotPetya attacks by the Russian military in June 2017 shut down hospitals, disrupted shipping and cost hundreds of millions of dollars in losses — much of it in the form of collateral damage.

It is inevitable, she said during her RSA presentation yesterday (March 5), that future nation-state attacks on such scale will cause loss of life.

"I rarely get to stand up in front of groups and tell them that the news is getting better," Joyce told the crowd. "But if you have purely destructive malware backed by a nation-state, then where does that leave us?"

NotPetya, which targeted tax-collection software that every business in Ukraine was obliged to run, masqueraded as ransomware, Joyce explained. But it was impossible to decrypt the affected data even if a ransom was paid. The goal of NotPetya was purely destructive, and the destruction streamed outward from Ukraine to infect companies and other institutions in 65 other countries.
Part of the collateral damage was at U.S. hospitals, Joyce said, where some patients could not be immediately treated as a result.

"A friend of mine who was suffering from throat cancer was turned away and told to come back next week," Joyce said.

"If you have purely destructive malware backed by a nation-state, then where does that leave us?"
—Sandra Joyce, FireEye senior vice president


Had anyone died as a result of NotPetya, that would have been an unintended consequence of a specific attack on Ukraine's economy. But nation-state malware already exists that is designed to deliberately kill people, according to Joyce.

NSA paid $10 million to RSA for making flawed algorithm to weaken encryption


The US National Security Agency(NSA) has secretly paid $10 million for one of the major & respected security firm RSA, to make a flawed algorithm in order to weaken the encryption, according to exclusive report from Reuters.

In September, New York Times reported a story based on documents leaked by former NSA contractor Edward Snowden that NSA created a flawed formula for generating random numbers to create "backdoor" in encryption software.

Reuters later reported RSA became the lead distributor of the formula by using it into an encryption tool known as Bsafe that is used by software developers to improve security in their products.

Two sources disclosed a new information to Reuters that RSA had received the money in exchange for making the NSA's formula as the default method for number generation in the BSafe software.

In a statement to Reuters, RSA denied the allegations saying "RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own."

Source: Reuters