Search This Blog

Showing posts with label Ransom. Show all posts

New Emotet Variant Capturing Users' Credit Card Data from Google Chrome

 

The Emotet botnet is now attempting to infect potential victims with a credit card stealer module designed to capture credit card information from Google Chrome user accounts. 

After obtaining credit card information (such as name, expiration month and year, and card numbers), the malware will transfer it to command-and-control (C2) servers that are not the same as those used by the Emotet card stealer module. 

The Proofpoint Threat Insights team said, "On June 6th, Proofpoint observed a new Emotet module being dropped by the E4 botnet. To our surprise, it was a credit card stealer that was solely targeting the Chrome browser. Once card details were collected they were exfiltrated to different C2 servers than the module loader." 

This shift in behaviour follows an increase in activity in April and a move to 64-bit modules, as discovered by the Cryptolaemus security research group. One week later, Emotet began using Windows shortcut files (.LNK) to run PowerShell instructions on victims' devices, abandoning Microsoft Office macros, which were disabled by default beginning in early April 2022. 

The re-emergence of Emotet malware:

In 2014, the Emotet malware was created and used in assaults as a banking trojan. It has developed into a botnet used by the TA542 threat group (also known as Mummy Spider) to deliver second-stage payloads. 

It also enables its operators to steal user data, conduct reconnaissance on compromised networks, and migrate laterally to susceptible devices. Emotet is renowned for deploying Qbot and Trickbot malware trojan payloads on infected PCs, which are then used to spread more malware, such as Cobalt Strike beacons and ransomware like Ryuk and Conti. Emotet's infrastructure was destroyed in early 2021 as part of an international law enforcement operation that also resulted in the arrest of two people.

When Emotet research organisation Cryptolaemus, computer security firm GData, and cybersecurity firm Advanced Intel all spotted the TrickBot malware being used to deliver an Emotet loader in November 2021, the botnet returned utilising TrickBot's previously established infrastructure.

According to ESET, Emotet's activity has increased more than 100-fold since the beginning of the year, with its activity rising more than 100-fold against T3 2021.

BlackCat Ransomware Group Demands $5Million to Unlock Austrian State

 

The BlackCat ransomware group, also known as ALPHV, has targeted the Austrian federal state Carinthia, demanding $5 million to open encrypted computer systems. The threat actor allegedly locked thousands of workstations during the attack on Tuesday, causing serious operational interruption to government services. 

The website and email service for Carinthia are temporarily down, and the government is unable to issue new passports or traffic penalties. Furthermore, the intrusion hampered the completion of COVID-19 testing and contact tracking through the region's administrative offices. 

For $5 million, the hackers offered to deliver a functioning decryption tool. Gerd Kurath, a state spokesperson, told Euractiv that the attacker's demands will not be fulfilled. 

According to the press spokesperson, there is presently no proof that BlackCat was able to take any data from the state's systems, and the aim is to restore the workstations using accessible backups. Kurath stated that the first of the 3,000 impacted systems are likely to be operational again soon. 

At the time of writing, there is no material from Carinthia on BlackCat's data leak site, where hackers post files taken from victims who did not pay a ransom. This might imply a recent incident or that discussion with the victim are still ongoing. 

In November 2021, the ALPHV/BlackCat ransomware group emerged as one of the more advanced ransomware attacks. They are a rebranded version of the DarkSide/BlackMatter gang, which is responsible for the Colonial Pipeline attack last year. 

BlackCat affiliates launched attacks on high-profile companies and brands such as the Moncler fashion firm and the Swissport airline freight handling services provider in early 2022. 

By the completion of the first quarter of the current year, the FBI issued a warning that BlackCat had breached at least 60 businesses globally, adopting the position that it was expected to achieve as one of the most active and dangerous ransomware projects out there. 

The attack on Carinthia and the hefty ransom demands demonstrate that the threat actor targets firms that can pay substantial sums of money to get their systems decrypted and prevent additional financial losses due to lengthy operational interruption.

Russian Group Attack on Bulgarian Refugee Agency

 

A ransomware group that shares strong ties with Russia warned on Wednesday that it will publicly post the files it has stolen from the Bulgarian government agency that is responsible for the refugee management.

LockBit 2.0 published a notice on the dark website saying it had files from the Bulgarian State Agency for Refugees under the Council of Ministers. “All available data will be published!” the notice read under the group’s trademark bright red countdown clock, which has a May 9 publication date. It's worth noting that there was no specific post for a ransom demand. 

According to the Sofia Globe, a news organization in the country’s capital, nearly 5.7 million Ukrainian refugees have fled their country since February and approximately 230,000 fled to Bulgaria, while 100,700 are remaining in the country. 

The official website of the agency remains active, however, a notice on the site’s home page reads, “due to network problems, the e-addresses of the State Agency for Refugees at the Council of Ministers are temporarily unavailable.”

Press contacted an official for a comment on the same matter but the agency didn’t immediately respond to the email. Later, a spokesperson at the Bulgarian embassy in Washington, D.C., said that he did not have information on the incident and would look into the matter. 

LockBit 2.0 is an updated version of LockBit, a ransomware variant that first was spotted in September 2019, as per the cybersecurity firm Emsisoft. Originally known as ABCD ransomware, LockBit is famous for the file extension appended to encrypted files, with the extension later updating to “LockBit”.  Moreover, in September, the group made headlines for launching its own leak website. 

“This is simply the latest in a very long list of hits on organizations which provide critical services...,” said Brett Callow, a threat analyst at Emsisoft. 

“...Hospitals, [search and rescue], fire departments, and charities for the disabled have all been targeted. The individuals involved with ransomware are conscienceless scumbags and the sooner we find a way to deal with the problem, the better.”

Hackers Expose 190GB of Alleged Samsung Data

 

Hackers that exposed secret information from Nvidia have now turned their attention to Samsung. The hacker group known as Lapsus$ is suspected of taking 190GB of data from Samsung, including encryption and source codes for many of the company's new devices. 

On Saturday, hackers launched an attack on Samsung, leaking critical data collected through the attack and making it accessible via torrent. The hackers shared the complete data in three sections in a note to their followers, as seen by Bleeping Computer, along with a text file that details the stuff available in the download. 

The exposed material includes "source code from every Trusted Applet" installed on every Samsung smartphone, as per the message. It also includes "confidential Qualcomm source code," algorithms for "all biometric unlock operations," bootloader source code for the devices, and source codes for Samsung's activation servers and Samsung account authentications, including APIs and services. 

In short, the Lapsus$ attack targets Samsung Github for critical data compromise: mobile defence engineering, Samsung account backend, Samsung pass backend/frontend, and SES, which includes Bixby, Smartthings, and store. 

The attack on Samsung comes after the cyber organisation attempted to extort money from Nvidia in a ransom scheme. It's worth noting that it's not a straightforward monetary request. Instead, the hackers have asked Nvidia to lift the restriction on Ethereum cryptocurrency mining that it has placed on its Nvidia 30-series GPUs. Nvidia's GPU drivers must be open-sourced forever, according to the hackers. 

The hackers are plainly looking for money from the disclosed data, as evidenced by the updates. For $1 million, one of them promised to sell anyone a bypass for the crypto nerf on Nvidia GPUs. Another communication from the group, according to The Verge, claimed that instead of making the data public, they are attempting to sell it straight to a buyer. 

Last Monday, Nvidia confirmed the breach, acknowledging a leak of "employee credentials" and "proprietary information." It, on the other hand, disputed that the attack was linked to the ongoing Russia-Ukraine crisis and claimed that the cyberattack would have no impact on its operations. 

As of currently, there are no reports of Lapsus$ demanding a similar ransom from Samsung. If they do, however, Samsung is likely to suffer a significant setback, especially given the type of data that the hacking group now claims to have access to.

Swissport Ransomware Attack Delays Flights, Disturbs Operations

 

Swissport International, a supplier of aviation services, was struck by a ransomware attack that disrupted its operations. 

Swissport International Ltd. is an aviation services firm controlled by an international group of investors that provides airport ground, lounge hospitality, and cargo handling services. On behalf of 850 aviation clients, the corporation manages over 282 million passengers and 4.8 million tonnes of cargo each year. Swissport employs over 66,000 people at 307 locations across 50 countries and has combined operating revenue of EUR 2.8 billion. 

Swissport International was the victim of a ransomware assault that disrupted company operations and prompted aircraft delays. As per the German website Spiegel, the ransomware attack only affected a minor section of the corporation's global IT infrastructure, and a company spokesperson verified that the security breach occurred at 6 a.m. on Thursday. 

The attack has been substantially contained, according to the company, which is attempting to rectify the situation as swiftly as possible. 

A spokeswoman for Zurich Airport added, “Due to system problems at our airport partner Swissport, 22 flights were delayed by 3 to 20 minutes yesterday.”

The company spokesman added, “The attack has now been contained and everything is being done to solve the problem as quickly as possible and limit the impact on flight operations. Swissport can continue to provide ground services for airlines safely, but there may be delays in some cases.” 

On Friday afternoon, the Swissport website was unavailable. The organisation has not yet revealed information regarding the attack, such as the ransomware family that attacked its systems or if the attack resulted in a data leak. The attack on their leak sites was not claimed by any ransomware group. 

Other recent attacks in Europe have affected key infrastructure, such as the one that crippled Oiltanking GmbH, a German petrol distributor that supplies Shell gas stations across the country. The oil provider Mabanaft GmbH was also impacted by the attack, according to the media. The Marquard & Bahls group owns both companies. As per local media, the attacks could have compromised the country's fuel supplies. 

A cyberattack was launched this week on some of the main oil terminals in Western Europe's largest ports. The Amsterdam-Rotterdam-Antwerp oil trading centre, as well as the SEA-Tank Terminal in Antwerp, are among the affected port infrastructure.

REvil Ransomware Operations Seem Unaffected by Recent Arrests

 

According to threat intelligence firm ReversingLabs, the REvil (Sodinokibi) ransomware cooperative's operation has not reduced despite Russia's recent arrest of numerous suspected members of the group. 

The Russian law enforcement agency FSB declared the takedown of the REvil organisation "at the request of US authorities" two weeks ago, yet the ransomware-as-a-service (RaaS) business is still running. 

After years of being accused of permitting malicious hackers to flourish within its borders as long as no Russian citizens or organisations are harmed, Russia appeared to be sending a distinct signal with the arrest of 14 members of the REvil group, even if some witnessed it as a political move amidst rising tensions along the Ukraine border. 

The high-profile arrests of affiliates, however, did not halt REvil operations, as ReversingLabs points out. In reality, the group is operating at the same speed as it was before the arrests. 

Europol reported the arrests of seven people engaged in the spread of REvil and GandCrab ransomware assaults in November 2021 (during seven months), at a time when ReversingLabs was seeing an average of 47 new REvil implants per day (326 per week). 

This was greater than September (43 new implants per day - 307 per week) and October (22 new daily implants - 150 per week), but far lower than July (87 per day - 608 per week) when the group went offline. Following the arrests in Russia, the number of REvil implants observed jumped from 24 per day (169 per week) to an average of 26 per day (180 per week). 

“While it's true that more time may be needed to assess the full impact of the arrests on REvil’s activity, the data so far would suggest that it is ‘business as usual’ for the ransomware gang,” ReversingLabs noted. ReversingLabs senior threat researcher Andrew Yeates stated.

“Threat groups exploit regionalised regulation and distributed organizational structure with sovereign state safe housing, all while leveraging a ‘no-rule’ borderless attack strategy. That makes it ever harder for national and international criminal policing organizations to put an end to threat groups such as REvil.” 

While synchronised action against REvil infrastructure may have had short-term repercussions on the RaaS's prevalence, much stronger action is required to truly stop the cybercrime ring's operations, especially given the group's corporation-like structure, where affiliates launch attacks and receive payments. 

As a result, removing simply affiliates does not affect the core of the RaaS, allowing it to continue operating. Affiliates, on the other hand, can either rebuild the enterprise or relocate to a new RaaS if only the core is removed, and this is relevant for other comparable cybercriminal groups as well.

Defense Contractor Hensoldt Confirms Lorenz Ransomware Attack

 

Hensoldt, a multinational defence contractor, disclosed that Lorenz ransomware has infected part of its UK subsidiary's systems. A spokesman for Hensholdt acknowledged the security vulnerability to BleepingComputer this week. 

Hensoldt's Head of Public Relations, Lothar Belz, told BleepingComputer, "I can confirm that a small number of mobile devices in our UK subsidiary has been affected." 

Belz, on the other hand, refused to provide any other specifics on the incident, adding, "for obvious reasons, we do not reveal any more facts in such cases." 

Since April, the Lorenz ransomware group has targeted several institutions around the world, demanding hundreds of thousands of dollars in ransom. Lorenz operators, like other ransomware groups, use a double-extortion approach, acquiring data before encrypting it and threatening victims if they don't pay the ransom. Ransom demands have been quite high, between $500.000 and $700.000.

Hensoldt AG emphasizes sensor technology for security and surveillance missions in the defence, security, and aerospace sectors. Radar, optoelectronics, and avionics are the company's core product areas, and it is listed on the Frankfurt Stock Exchange. 

The defence multinational, which is listed on the Frankfurt Stock Exchange and with a revenue of 1.2 billion euros in 2020, offers sensor solutions for defence, aerospace, and security applications. The corporation works with the US government on classified and sensitive contracts, and its products include and equip tanks, helicopter platforms, submarines, and Littoral Combat Ships, among other things. 

The Lorenz ransomware group has already published the names of the firms that have been compromised on their Tor leak site. The ransomware group claims to have already transferred 95 percent of all stolen files to its leak site as of this time of writing. The gang named the archive file "Paid," implying that someone else paid to keep the Hensoldt files from being exposed. 

Tesorion, a cybersecurity firm, studied the Lorenz ransomware and produced a decryptor that may allow victims to decrypt their files for free in some situations.

The GootLoader Hackers are After Law Firms and Accounting Firms

 

GootLoader is a piece of initial access malware that allows its operators to install a variety of other malware families, including ransomware, on affected devices. It was first discovered in December 2020. The GootLoader hacking organization has been primarily targeting personnel at law and accounting firms in recent weeks, with the most recent attack occurring on January 6. So far, eSentire claims to have intercepted three such assaults. Potential victims are directed to hacked genuine websites that include hundreds of pages of business-related content, including free document samples for download, but they are instead infected with GootLoader. 

GootLoader is distributed using Drive-By-Download programmes, which are driven by SEO, specifically through Google. The hackers are enticing business professionals to authentic but compromised websites that they have packed with hundreds of pages of content, including multiple connections to business agreements, including legal and financial agreements, in these recent attacks.
 
The content claims to provide free downloads of these documents. eSentire's Threat Response Unit (TRU) discovered that the GootLoader hackers set up over 100,000 malicious webpages marketing various forms of commercial deals during an intensive GootLoader campaign that began last December. 

How are the GootLoader threat actors able to infiltrate reputable websites with hundreds of pages of malicious content? 

Tragically, it is just too simple. Hundreds of legitimate websites employing WordPress as the content management system have been detected by the GootLoader gang. WordPress, like many other content management systems, has several vulnerabilities, which hackers may simply exploit to load websites with as many harmful pages as all without the knowledge of the website owner. These websites, according to the TRU team, encompass a wide spectrum of industries, including hotel, high-end retail, education, healthcare, music, and visual arts. 

"The abundance of content that threat actors have pushed onto the web, when professional looks for a sample business agreement on Google, the hackers' malicious web pages appear in the top Google searches," said Keegan Keplinger, TRU's research and reporting lead. 

Three law businesses and an accounting firm were targeted by the cybersecurity services provider, which said it intercepted and demolished the attacks and the victims' identities have not been revealed. Organizations should implement a vetting process for business agreement samples, train staff to open documents only from reputable sources, and confirm that the content downloaded matches the content intended for download.

Night Sky: New Ransomware Targeting Corporate Networks

 

The new year has brought with it new ransomware named 'Night Sky,' which targets corporate networks and steals data in double-extortion attacks. 

The Night Sky operation began on December 27th, according to MalwareHunterTeam, which was the first to identify the new ransomware. The ransomware has since published the data of two victims. 

One of the victims got an initial ransom demand of $800,000 in exchange for a decryptor and the promise that the stolen material would not be made public. 

How Night Sky encrypts devices

A sample of the Night Sky ransomware seen by BleepingComputer has a personalised ransom note and hardcoded login credentials to access the victim's negotiation page. 

When the ransomware is activated, it encrypts all files except those with the.dll or.exe file extensions. The ransomware will not encrypt the following files or folders: 
AppData
Boot
Windows
Windows.old
Tor Browser
Internet Explorer
Google
Opera
Opera Software
Mozilla
Mozilla Firefox
$Recycle.Bin
ProgramData
All Users
autorun.inf
boot.ini
bootfont.bin
bootsect.bak
bootmgr
bootmgr.efi
bootmgfw.efi
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
Program Files
Program Files (x86)
#recycle

Night Sky appends the.nightsky extension to encrypted file names while encrypting them. A ransom letter named NightSkyReadMe.hta is included in each folder, and it provides details about what was stolen, contact emails, and hardcoded passwords to the victim's negotiation page. 

Instead of communicating with victims through a Tor site, Night Sky employs email addresses and a transparent website that runs Rocket.Chat. The credentials are used to access the Rocket.Chat URL specified in the ransom note. 

Double extortion tactic: 

Before encrypting devices on the network, ransomware operations frequently grab unencrypted data from victims. Threat actors then utilize the stolen data in a "double-extortion" scheme, threatening to leak the information unless a ransom is paid. 

Night Sky built a Tor data leak site to leak the data of victims, which now contains two victims, one from Bangladesh and the other from Japan. While there hasn't been much activity with the new Night Sky ransomware operation, one should keep a watch on it as we enter the new year.

Lapsus$ Ransomware Gang Hacked Portugal's Largest Media Conglomerate

 

The Lapsus$ ransomware group has compromised and is actively extorting Impresa, Portugal's largest media conglomerate and owner of SIC and Expresso, the country's leading TV channel and a weekly newspaper, respectively. The attack occurred during the New Year's holiday and targeted the company's online IT server infrastructure. Impresa, Expresso, and all SIC TV channels' websites are presently offline. National airwave and cable TV broadcasts are unaffected, however, the attack has disabled SIC's internet streaming capability. 

Both the Expresso newspaper and the SIC TV station stated that they had reported the incident to the PJ criminal investigation police agency and the National Cybersecurity Centre (CNCS) and would file a complaint. The claimed hackers posted a message on the websites threatening to reveal internal data if the media firm did not pay a ransom. The message includes contact information for e-mail and Telegram. 

The Lapsus$ group claimed responsibility for the attack by displaying a ransom letter on all of Impresa's websites. In addition to a ransom demand, the message says that the organization has gained access to Impresa's Amazon Web Services account. When all of the sites were put into maintenance mode on Monday, Impresa workers looked to have regained control of this account, but the attackers promptly tweeted using Expresso's verified Twitter account to demonstrate that they still had access to company resources. 

Lino Santos, CNCS's coordinator, informed the Observador newspaper that this was the group's first attack in the country. In the meantime, both media outlets are disseminating news pieces via their social media networks. It was an "unprecedented attack on press freedom in the digital age," they said. 

The Impresa hack is among the most significant cybersecurity events in Portugal's history. Impresa is by far the largest media group in the country. According to September 2021 TV ratings, SIC and all of its secondary channels lead the TV market, while Expresso has the highest weekly periodical circulation numbers. Nonetheless, Impresa owns a slew of other media organizations and periodicals, all of which are likely to be impacted by the attack.

Before the Impresa attack, the Lapsus$ group hacked and ransomed the Ministry of Health of Brazil, as well as Claro and Embratel, two South American telecommunications firms. This is the second ransom attack on a media conglomerate during the holiday season, following the Ryuk gang's December 2018 attack on Tribune Publishing, owner of the Los Angeles Times.

Report: PYSA Emerges as Top Ransomware Actor in November

 

As per NCC Group, a UK-based risk mitigation organisation, PYSA and Lockbit were the most significant ransomware attacks in November 2021.

Lockbit has been a leading ransomware threat since August of this year, with Conti dominating the landscape as well. Conti's popularity began to fade in November, and PYSA took its place. The total number of organisations infected with PYSA climbed by 50% last month. 

The number of hacked governmental institutions has also increased by 400 per cent, according to the NCC Group. PYSA is for 'Protect Your System Amigo,' and it has been active since late 2019, mostly targeting the education, healthcare, and government sectors.

In March 2021, the FBI issued a warning about PYSA. PYSA was thought to only target Windows systems until September 2021, but the evidence was discovered that the ransomware was getting prepared to target Linux PCs as well. 

NCC Group noted, “PYSA is a malware capable of exfiltrating data and encrypting users’ critical files and data, which typically targets large or high-value finance, government and healthcare organizations.” 

In November, the total number of ransomware assaults was 1.9 per cent higher than in October, with firms in North America and Europe being hit the hardest. According to the NCC Group, ransomware affected 154 companies in North America last month (140 in the United States and 14 in Canada). A total of 96 European victims have been identified, the majority of whom are from the United Kingdom (32), France (14), Italy, and Germany (11 each). 

“The industrial sector continued to be the most targeted sector in November. Meanwhile, automotive, housing, entertainment, and retail businesses overtook technology this month, with attacks targeting the sector decreasing by 38.1%,” NCC Group stated. 

The cybersecurity firm also saw the Everest ransomware group providing paid access to their victims' infrastructure in November. Other groups are also anticipated to forego a ransom demand in the future and instead grant access to the compromised infrastructure.

MediaMarkt Struck by Hive Ransomware, Initial $240 Million Ransom Demand

 

A Hive ransomware operation hit MediaMarkt, a German multinational chain of consumer electronics stores, with the threat actors initially demanding a ransom of $240 million. IT systems in the Netherlands and Germany were closed down as a result of the incident and store operations were hampered. 

With over 1,000 stores in 13 countries, MediaMarkt is Europe's largest consumer electronics retailer. It employs around 53,000 people and has total sales of €20.8 billion. At the start of this week, a ransomware attack targeted MediaMarkt, encrypting servers, workstations and creating an outage of IT services to stop the attack from propagating. 

The ransomware attack, according to BleepingComputer, affected several retail stores across Europe, particularly in the Netherlands. While online sales are unaffected, affected stores' cash registers are unable to accept credit cards or generate receipts. The system shutdown is also restricting returns due to the inability to search for previous purchases. Employees are instructed to avoid encrypted systems and to turn off networked cash registers on the network. 

As per screenshots of alleged internal communications posted on Twitter, the hack compromised 3,100 servers. However, at this moment, BleepingComputer has been unable to verify those claims. The Hive Ransomware organization is behind the attack, according to BleepingComputer, and requested a huge, but unrealistic, $240 million ransom to acquire a decryptor for encrypted files. 

Ransomware groups frequently demand high ransoms at first to allow for negotiation, and they generally only get a portion of what they demand. However, BleepingComputer has been told that during the attack on MediaMarkt, it was almost automatically dropped to a significantly smaller amount. 

While it is unclear whether unencrypted data was captured in the attack, Hive ransomware is known to steal files and post them on its 'HiveLeaks' data breach site if a ransom is not paid. When BleepingComputer contacted MediaMarkt about the hack, they received the following response: 

“The MediaMarktSaturn Retail Group and its national organizations became the target of a cyberattack. The company immediately informed the relevant authorities and is working at full speed to identify the affected systems and repair any damage caused as quickly as possible. In the stationary stores, there may currently be limited access to some services. MediaMarktSaturn continues to be available to its customers via all sales channels and is working intensively to ensure that all services will be available again without restriction as soon as possible. The company will provide information on further developments on the topic. - MediaMarkt.”

About the Hive ransomware 
Hive ransomware was first discovered in June 2021 and has already hit over 30 companies, counting just those who did not pay the demanded ransom. The Hive group, according to the FBI, uses a range of tactics, methods, and processes to breach targeted networks. 

Hive ransomware was first discovered in June 2021 and has already hit over 30 companies, counting just those who did not pay the demanded ransom. The Hive group, according to the FBI, uses a range of tactics, methods, and processes to breach targeted networks. 

Hive ransomware is a data encryption malware that has gained notoriety as a result of strikes against the Memorial Health System, where employees were made to work with paper charts as their computers were encrypted. Altus Group was another victim, with hackers stealing corporate information and data from the software supplier, which were then made public on HiveLeaks. 

Hive has also created variants to encrypt Linux and FreeBSD servers, which are often used to host virtual machines.

PNG's Finance Ministry Suffers a Ransomware Attack

 

According to Bloomberg News, a ransomware cyberattack has targeted Papua New Guinea's government finance office, and the hackers are demanding bitcoin. While many details of the attack are still unknown, it's becoming clear that ransomware attacks will no longer be limited to the world's wealthiest countries and organizations. 

The attack on the Department of Finance's Integrated Financial Management System began a week ago, according to John Pundari, the finance minister and interim treasurer. Attackers disabled the system, which controls access to hundreds of millions of dollars in international aid funds, and demanded Bitcoin as ransom from PNG. The government did not pay a ransom to any hacker or third party, according to Pundari, who also stated that the system had been "completely restored."

"The government and the people of Papua New Guinea can be assured that the government financial services will continue as usual," Pundari said in a statement. "The Department (of Finance) is conscious of the security and integrity of its data. Therefore restoration of services to all government agencies, including the sub-national level, will be done gradually, so as not to compromise or allow any further spread of this malware or other virus." 

PNG's cyber security settings are susceptible, therefore it had to rely on its development partners for help. However, a data center established in PNG by Chinese telecommunications giant Huawei exposed classified government papers to theft, according to an Australian-funded investigation commissioned by PNG's National Cyber Security Centre in 2020. 

According to Jonathan Pryke, director of the Lowy Institute's Pacific Islands Program in Sydney, PNG's financial constraints have precluded it from developing a viable cybersecurity environment. He said the government's systems were so vulnerable that it would have to start again with a secure network, which would cost a lot of money. He also stated that cyber security was not on the top of the PNG priority list. 

To top it off, Papua New Guinea has been dealing with some of its worst covid-19 surges to date in recent weeks. According to Australia's ABC News, the country is presently averaging roughly 388 cases each day, which is largely regarded to be an undercount of the true number due to poor testing. Covid-19 vaccines have also been a challenge for the Pacific nation, with a poor 1.2 percent immunization rate so far.

Shipping Giant Forward Air Reports Ransomware Data Breach

 

Forward Air, a shipping company, has revealed a data breach as a result of a ransomware attack that enabled threat actors to acquire employees' personal information.

Forward Air was struck with a ransomware attack in December 2020 by what was thought to be a new cybercrime group known as Hades. Forward Air's network was shut down as a consequence of the assault, causing commercial interruption and the inability to release freight for transport. 

Forward Air stated in an SEC filing that it lost $7.5 million of less than load (LTL) freight revenue mainly due to the Company's requirement to momentarily halt its electronic data interfaces with its clients. 

Researchers later discovered that this assault was most likely carried out by members of the Evil Corp cybercrime group, who frequently carry out operations under different ransomware identities, such as Hades, to avoid US penalties. 

Multiple Forward Air workers contacted BleepingComputer at the time, concerned that the hack had revealed their personal information. As part of the attack, the threat actors built up a Twitter account that they stated would be utilized to leak Forward Air data. However, no data was ever found to be released by threat actors. 

After almost a year, Forward Air has revealed that the current and ransomware attacks exposed the data of previous workers. 

A data breach notification sent to Forward Air employees stated, "On December 15, 2020, Forward Air learned of suspicious activity occurring within certain company computer systems. Forward Air immediately launched an investigation to determine the nature and scope of the incident." 

"The investigation determined that certain Forward Air systems were accessible in November and early December 2020 and that certain data, which may have included your personal information, was potentially viewed or taken by an unknown actor." 

Employee names, addresses, dates of birth, Social Security numbers, driver's licence numbers, passport numbers, and bank account numbers are among the data that the Evil Corp threat actors may have obtained. 

While Forward Air claims there is no evidence that the data was misused, they are providing impacted individuals with a complimentary one-year membership to the myTrueIdentity credit monitoring service. 

Since there is no way to detect if a threat actor utilised stolen data, even if they promise not to after receiving a ransom payment, all impacted workers should presume that their data has been compromised. This implies that individuals should keep track of their credit reports, bank records, and other financial information.

Ransomware Attacks At An All Time High, Reports Palo Alto

 

Presently, RaaS (ransom as a service) and ransomware attacks are at an all time high, topping the list in cybersecurity community since the last few months, threat actors and hackers are constantly attacking businesses, corporate and emails for personal monetory gains. The BEC (Business Email Compromise), EAC (personal email account compromise) , scams have caused the most threat and impact, as per the cybersecurity reports. 

FBI in its enquiry found that BEC and EAC accounts for a minimum $1.86 billion losses in 2020, that too in the US region only, a 5% jump in losses compared to 2019. EAC and BEC amount for 45% of total reported cybersecurity incidents in the US and 11% of users are over the age of 60. 

A roughly estimate suggests that largest reported ransomware payment till date has been $40 million. Unit 42 reports "when scammers use this tactic, it usually starts with a baited email enticing the recipient to open the attachment or click on the link to a webpage. 

The emails usually focus on some segment of business operations (including finance, human resources, logistics and general office operations) and point to an attachment or link related to topics requiring user action." Experts say that average ransomware demands in 2020 were $847,344, meanwhile, the average ransom that victims paid was $312,493. 

In 2021, the ransom amount paid has risen upto 82% to $570,000. The amount mentioned for average ransom clients paid only includes direct financial losses given in ransoms. They do not include losses related with organization which lost revenue while being compelled to work in a compromised state during a cyberattack, and do not consist resources cost during the incident breach, but only include attacks that are known. The company decides not to report a cybersecurity incident depending upon nature and impact of the ransomware attack. 

In the end, the decision complicates it for federal and cybersecurity agencies to calculate the full impact of these attacks. The EAC and BEC ransomware attacks have one thing in common, they need access privilege to victim's account and networks. 

"The lucrative nature of BEC/EAC scams drives criminals to continually modify and upgrade their tactics to defeat protections. One of the newer techniques integrates spear phishing, custom webpages and the complex cloud single sign-on ecosystem to trick users into unwittingly divulging their credentials," reports Unit 42 of palo alto networks.

JVCKenwood Company Suffers Ransomware Attacks, Hackers Demand $7 Million Ransom

 

JVCKenwood was hit by a Conti ransomware attack, the attackers claim that 1.7 TB of data has been stolen and are asking for a $7 million ransom. JVCKenwood is an electronics multinational company from Japan having around 17000 employees and total revenue of $2.45 Billion in 2021. The company is famous for its brands Victor, Kenwood, and JVC which builds cat and home sound equipments, healthcare and radio equipments, portable power stations, and professional and in-vehicle cameras. 
Earlier this week, JVCKenwood revealed that its servers belonging to sales companies from Europe were compromised on 22 September and the hackers might have had access to data while the attack was ongoing. The company noticed unauthorized access in September 2021 to the servers handled by  JVCKenwood Group's sales organizations in Europe. The company in a press conference revealed that there might be a potential of data leak by third parties that made unauthorized entry attempts. 

As of now, a thorough inquiry is being done by external specialized firms of the company teamed up with associated authorities. Experts haven't confirmed any data leak, to date. Other details related to the breach would be given on the company website after they are available. According to experts, a source shared a ransom note for the Conti ransomware sample used in the JVCKenwood data breach. While negotiating, the hacking group claims to have stolen 1.5 TB of files and is asking $7 million for ransom for not leaking the data in return for providing the decryption key. To make sure that the attack was legit, the hackers shared a file that contained scanned passport copies of employees, as proof. 

After the hackers gave proof, the JVCKenwood representative hasn't made any contact with the hacker which means that the company isn't willing to pay the ransom. "Conti is a ransomware family believed to be operated by the TrickBot threat actor group and is commonly installed after networks are compromised by the TrickBot, BazarBackdoor, and Anchor trojans. The ransomware gang has been responsible for a wide range of attacks over the years, including high-profile attacks against the City of Tulsa, Ireland's Health Service Executive (HSE), Advantech, and numerous health care organizations," reports Bleeping Computers.

US House Homeland Leaders Introduce Bipartisan Cyber Incident Reporting Legislation

 

Representative Yvette D. Clarke (D-NY), Chairwoman of the Cybersecurity, Infrastructure Protection & Innovation Subcommittee, along with other representatives and with other ranking officers of the Cybersecurity, Infrastructure Protection & Innovation Subcommittee, presented the Cyber Incident Reporting for Critical Infrastructure Act of 2021. Meanwhile, the Biden administration expressed public support during congressional testimony for such requirements. 

If this legislation is to come to fruition, it would require the DHS Cybersecurity and Infrastructure Security Agency (CISA) to organize requirements and procedures for critical infrastructure owners and operators to report cyber-attack incidents under this law. Additionally, under this legislation, critical infrastructure organizations and operators have to report cyber-attacks to the cybersecurity and Infrastructure Security agencies within 72 hours. 

The bill will also mandate it to organizations, including businesses with more than 50 employees, state and governments, and non-profits organizations, to report CISA of any ransomware payments they make within 24 hours. Along with this, the law reads that any organization when infected by ransomware should use recovery tactics instead of paying ransom to the attackers. 

According to the act, a new office will come into existence under CISA and it will be named “Review new Cyber Incident Office”. The office will be responsible for receiving, aggregating, and analyzing the reported cyberattack incidents. 

The introduced law is partly in response to a surge of major cyber-attacks particularly from ransomware that has hit the government agencies and private sectors which own and operate 85% of critical infrastructure. 

“As our nation continues to be faced with more frequent and increasingly sophisticated cyberattacks, authorizing mandatory cyber incident reporting is a key cybersecurity and national security priority,” said Chairman Thompson. 

“I applaud Chairwoman Clarke, as well as Ranking Member Katko and Ranking Member Garbarino, for their months of dedicated work to put together this legislation to require covered critical infrastructure entities to report certain cyber incidents to CISA. Once enacted, CISA will be on the path to getting the information it needs to identify malicious cyber campaigns early, gain a greater understanding of the cyber threat landscape, and be a better security partner to its critical infrastructure partners.” He added. 

A Look at the Triple Extortion Ransomware

 

Ransomware has traditionally concentrated on encryption, but one of the most common recent additions is the exfiltration and threatening disclosure of critical data in a "double extortion" assault. Threat actors, on the other hand, must continually develop new ways to enhance the effect of a successful assault since the financial incentives are so high. One of the most recent methods is known as "triple extortion," which adds another way to extort money from targets. 

The prospect of stolen data being released online has been a typical point of leverage for criminals seeking further ransom payments in what is known as double extortion. More than 70% of ransomware assaults now include exfiltrate data, demonstrating how quickly this type of attack tactic has become the norm.

Threat actors have lately introduced another layer to ransomware assaults based on this approach. In other words, this latest ransomware advancement means that a ransomware assault no longer stops at the first victim. Ransom demands may now be directed towards a victim's clients or suppliers under triple extortion. At the same time, other pressure points such as DDoS attacks or direct media leaks are added to the mix. 

The more leverage the perpetrators have in a ransomware assault, the more likely the victim is to pay. If the gang is successful in not just encrypting vital systems but also downloading sensitive data and threatening to leak it, they will have the upper hand and will be able to demand payment if the victim does not have sufficient backup procedures. 

According to Brian Linder, a cybersecurity evangelist at Check Point Software, triple extortion has become more common in the previous six months, with ransomware gangs making robocalls to customers, shareholders, partners, the press, and financial analysts if the victimised organisation fails to fall victim to the first two extortion efforts. 

“So, imagine if you don’t pay the ransom, we’re going to let all the stock analysts know that you’ve been attacked and likely drive some percentage of your market value out of the market,” Linder says. “We do expect this to be highly exploited. It’s fairly easy to do.” 

Depending on the attacker's initial effectiveness in infiltrating the network, they can get access to information about the victim's clients, including names and phone numbers, and have automated messages ready to go. 

Companies and organizations that retain client or customer data, as well as their own, are the most apparent targets for ransomware operations that go beyond single or double extortion. Healthcare organizations are obvious targets in this regard. As a result, the first known instance of triple extortion occurred late last year when hackers obtained access to Vastaamo, a Finnish physiotherapy provider. Threat actors demanded money directly from the thousands of Vastaamo clients whose records they were able to exfiltrate, rather than contacting the provider for a ransom.

New Zealand Banks and Post Offices Hit by a Cyber Attack

 

On Wednesday, the websites of a number of financial institutions in New Zealand, as well as the country's national postal service, were momentarily unavailable due to a cyber-attack, according to officials. A DDoS (distributed denial of service) attack targeting a number of organizations in the nation has been reported, according to the country's Computer Emergency Response Team (CERT). 

Minister David Clark, who is in charge of the digital economy and communications, said CERT has informed him that "a number" of organizations have been compromised. “At this time, efforts to ascertain the impact of this incident are ongoing. I won’t get ahead of this process,” Clark said, in a statement. “CERT assures me it is actively engaging with affected parties to understand and monitor the situation.” 

CERT's objective is to assist businesses and government agencies on how to respond to and prevent cyber-attacks. It also collaborates with other government institutions and law enforcement, such as the National Cyber Security Centre (NCSC). 

According to local media sources, Australia and New Zealand Banking Group's (ANZ.AX) New Zealand site and NZ Post were among the websites hit by the attack. ANZ informed clients through Facebook that it was aware that some of them were unable to use online banking services. "Our tech team are working hard to get this fixed, we apologize for any inconvenience this may cause," the post said. 

The "intermittent interruptions" on NZ Post's website were caused by a problem with one of its third-party suppliers, according to the company. Several Kiwibank clients took to social media to complain outages at the little institution, which is partially controlled by the New Zealand Post. In a Twitter post, Kiwibank apologized to clients and said it was trying to resolve "intermittent access" to its app, online banking, phone banking, and website. 

A DDoS assault overloads a website with more traffic than it can manage, causing it to fail. While the identity of the attacker and their motivation are unknown in this case, the goal might be to extract a ransom from the victim in order for the assault to be stopped. During the NZX assault, Minister for Intelligence Agencies Andrew Little expressed the government's advice: Don't pay the ransom.

Cyber Firm: Ransomware Group Demanding $50M in Accenture Security Breach

 

The hacking group behind a ransomware attack on global solution provider powerhouse Accenture has demanded $50 million in ransom, as per the cybersecurity firm that saw the demand. 

According to a tweet from Cyble, a dark web and cybercrime monitoring company, the threat actor is seeking $50 million in return for more than 6 TB of data. 

On Thursday, Accenture responded it had no additional information to add to its statement, pointing CRN to a statement issued on Wednesday that claimed it had "contained the matter and isolated the affected servers" and that "there was no impact on Accenture's operations, or on our clients' systems." 

The hacking group apparently used LockBit ransomware to target Accenture, which is ranked No. 1 on CRN's Solution Provider 500 for 2021, in the attack revealed on Wednesday. 

As per Emsisoft, a cybersecurity firm located in New Zealand, LockBit is a ransomware strain that stops users from accessing infected devices until a ransom payment is completed. The incident arises after a ransomware assault on Kaseya in July, which involved a $70 million ransom demand to decrypt victim files. Kaseya later stated that it had acquired a decryptor for the REvil ransomware, but it had not paid the ransom. 

“At the end of the day, paying the ransom is never a good idea,” stated Douglas Grosfield, founder and CEO of Kitchener, Ontario-based Five Nines IT Solutions, in an interview with CRN. 

“The majority of folks that do end up paying the ransom don’t necessarily get all of their data back. And what you do get back, you can’t trust. There could be a payload there—a ticking time bomb—that will make it easier for the perpetrators to get in again.” 

He stated that ransomware groups targeting IT service companies such as Accenture is unsurprising. “The only surprise is that it took the bad guys this long to figure out that service providers are a pretty juicy target,” he added. 

According to Grosfield, the Accenture incident serves as a reminder of the proverb, "physician, heal thyself," which states that IT service providers must verify their own systems are safe to propose security solutions to their own clients. 

Accenture claims to have contained the assault, however, this is a questionable assertion. The firm confirmed the ransomware assault in an emailed response to a request for information from CRN but stated it had no impact on the organization. 

“Through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers. We fully restored our affected servers from back up. There was no impact on Accenture’s operations, or on our clients’ systems,” Accenture wrote. 

However, a CNBC reporter spoke on Wednesday that the hackers behind the Accenture attack uploaded over 2,000 files to the dark web, including PowerPoint presentations and case studies. 

On Wednesday, VX Underground, which claims to possess the Internet's largest collection of malware source code, tweeted a timer allegedly from the hacking group, indicating how the time until the attack on Accenture's data would begin. The timer's timer ultimately ran out. The LockBit ransomware gang published 2,384 files for a short period, according to VX-Underground, however, those files were unavailable due to Tor domain issues, most likely due to excessive traffic. 

The LockBit attack clock was restarted with a new date of Aug. 12, 2021, 20:43 UTC, or 4:43 p.m. ET Thursday, according to the group. 

The Accenture incident, according to Ron Bradley, vice president of third-party risk management firm Shared Assessments, is "a perfect example of the distinction between business resiliency and business continuity," he told Threatpost on Wednesday. 

“This particular example with Accenture is interesting in the fact that it was a known/published vulnerability,” Bradley continued. “It highlights the importance of making sure systems are properly patched in a timely manner. The ability for Accenture to manage the repercussions of potentially stolen data will be an important lesson for many organizations going forward.” 

According to Hitesh Sheth, president, and CEO of cybersecurity firm Vectra, all organizations should expect such assaults, but especially a global consultancy firm with many links. 

“First reports suggest Accenture had data backup protocols in place and moved quickly to isolate affected servers,” he informed Threatpost on Wednesday. “It’s too soon for an outside observer to assess the damage. However, this is yet another reminder to businesses to scrutinize security standards at their vendors, partners, and providers. Every enterprise should expect attacks like this – perhaps especially a global consulting firm with links to so many other companies. It’s how you anticipate, plan for and recover from attacks that counts.” 

LockBit encrypts files with AES encryption and generally asks a high-five-figure ransom to decrypt the data. LockBit's procedures are mostly automated, allowing it to operate with little human monitoring once a victim has been hacked, according to Emsisoft. It may be used as the foundation for a ransomware-as-a-service business model, in which ransomware authors can utilize it in exchange for a share of the ransom payments.