Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Ransomware Threat. Show all posts
Ransomware Threat
Cyber Security cyber threat Cyberattacks data security INC NHS Ransomware Threat

Data Breach Alert: 3TB of NHS Scotland Data Held Ransom by Cyber Threat

 


A ransomware group targeting a small group of patients has published clinical data related to a small number of those patients on the internet that the Dumfries and Galloway Health Board is aware of. In the meantime, three terabytes of data are also alleged to have been stolen thanks to a security breach that occurred at the National Health Service (NHS) in Scotland, by the INC Ransom extortion gang. 

 As a result of a ransomware attack in a regional branch, NHS Scotland says it has been able to contain the malware, preventing the infection from spreading to other branches and the entire organisation. A group of cybercriminals called INC Ransom claimed responsibility for the attack on NHS Scotland this week, claiming they stole three terabytes (TB) of data and leaked a limited number of sensitive documents as part of the attack. 

Earlier this month, NHS Dumfries and Galloway announced a serious cyberattack that resulted in their hospital being shut down. INC Ransom was offering samples of files that contained medical evaluations, psychological reports, and other sensitive information regarding patients and doctors in accompanying its warning posted on its extortion website. 

Despite the rumours that such a compromise had already been reached, the Scottish government made sure to emphasize that only the NHS Dumfries and Galloway regional health board was affected by this new agreement. Several days later, NHS Dumfries and Galloway officials revealed that during a breach of security two weeks ago, large quantities of personally identifiable information had been accessed, stolen, and exfiltrated, resulting in a large number of people's details being misused. 

As of July 2023, the INC Ransom operation has gained a lot of attention, targeting both government organizations as well as private businesses to extort their data for ransom. Education, healthcare and government institutions, as well as industrial entities like Yamaha Motor Corporation, are among those that suffer losses from this attack. As the attack was likely to have occurred around March 15, reports emerged that a cybersecurity incident was affecting NHS Scotland services. 

There were several sample documents published yesterday by the threat actor in a blog post, including medical assessments, analysis results, and psychological reports on doctors and patients with sensitive details. Throughout its history, INC has shown no restraint in its process of choosing the types of victims it is willing to target, either. 

There have been several incidents of ransomware spreading across the healthcare industry, education, as well as charities. This is something that has happened in its short time on the ransomware scene. The fact remains, though, that very few cybercriminals exercise that level of restraint in the current day and age. Due to the critical nature of healthcare and the fact that it provides several essential services, cybercriminals and ransomware baddies continue to target it. 

There is a chance that there will be a ransom paid if disruptions can be caused, allowing for patients to be cared for with full capability if a ransom is paid. ALPHV/BlackCat was credited by the media with blaming Change Healthcare for a potentially devastating attack spread across a period of weeks across February and March of this year, which knocked out services for weeks on end.

In February, Romania experienced a significant ransomware incident affecting over 100 facilities, highlighting the persistent targeting of healthcare by cybercriminals. This incident is one of numerous examples underscoring the sector's vulnerability to such threats. The United States has responded to this challenge by introducing initiatives like the Advanced Research Projects Agency for Health (ARPA-H) within DARPA. 

This addition to a two-year cash-for-ideas competition aims to discover methods for securing code in critical infrastructure, including healthcare systems. Last summer, the announcement of the Artificial Intelligence Cyber Challenge (AICC) further demonstrated efforts to combat cyber threats. Teams participating in this challenge are tasked with developing autonomous tools to detect code issues in software used by vital organizations like hospitals and water treatment facilities—both prime targets for cybercrime.

ARPA-H has allocated $20 million towards the AIxCC, emphasizing its commitment to safeguarding healthcare from devastating attacks. Such attacks, exemplified by incidents like the one on Change Healthcare, underscore the urgent need for enhanced cybersecurity measures to prevent disruptions that could jeopardize patient care.
Read more »
Zeppelin2
CISA cybersecurity advisory Dark Web FBI malware Online Security Ransomware Threat Zeppelin2

Zeppelin2 Ransomware: An Emerging Menace in the Dark Web Ecosystem

 

In a recent update from an underground online forum, a user is actively promoting the sale of Zeppelin2 ransomware, providing both its source code and a cracked version of its builder tool. This malicious software, known for its destructive capabilities, has garnered the attention of cybersecurity experts and law enforcement agencies globally.

The forum post asserts that the user successfully breached the security measures of the Zeppelin2 builder tool, originally designed for data encryption. The post includes screenshots of the source code, shedding light on the intricate details of the build process and revealing that the ransomware is programmed in Delphi.

The Zeppelin2 ransomware builder tool, being promoted by the threat actor, showcases various features, such as file settings, ransom notes, IP logging, startup commands, task killers, and auto-unlocking busy files. The threat actor underscores the ransomware's capability to comprehensively encrypt files, rendering data recovery impossible without a unique private key held by the attackers.

Upon completing the encryption process, victims are presented with a ransom note declaring the encryption of all their files. The note instructs victims to contact the attackers via email and offers a method for testing the legitimacy of the decryptor by sending a non-valuable file.

Reports indicate that Zeppelin2 ransomware demands ransom payments in Bitcoin, with extortion amounts ranging from several thousand dollars to over a million dollars. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have jointly issued a cybersecurity advisory to address the Zeppelin2 threat.

Zeppelin2, employed by threat actors since 2019 and continuing at least until June 2022, targets various sectors through its ransomware-as-a-service (RaaS) model. These sectors include defense contractors, educational institutions, manufacturers, technology companies, and notably, organizations in the healthcare and medical industries.

The ransomware's modus operandi involves exploiting vulnerabilities such as remote desktop protocol (RDP) exploitation, SonicWall firewall vulnerabilities, and phishing campaigns to gain access to victim networks. Before deploying the Zeppelin2 ransomware, threat actors meticulously map and enumerate the victim's network, identifying critical data enclaves, including cloud storage and network backups.

Consistent with ransomware groups, Zeppelin2 operators exfiltrate sensitive corporate data with the intention of making it accessible to buyers or the public if the victim resists complying with their demands.

Of significance, the FBI has observed instances where Zeppelin2 actors execute their malware multiple times within a victim's network, generating different IDs or file extensions for each attack instance, necessitating multiple unique decryption keys.
Read more »
Threat Intelligence
2023 Global Threat Report Cloud Data Cyber Security Ransomware Threat Threat Intelligence

Elastic Global Threat Report Discloses Rising Threat of Ransomware

 

The latest study has indicated that ransomware is becoming a more diverse and prevalent threat, making countering it a difficult and time-consuming process. Furthermore, practically every cloud infrastructure attack starts with credential theft.

"Highly prevalent" ransomware 

Having said that, the majority of malware identified is made up of a couple of "highly prevalent" ransomware families linked with off-the-shelf tools. BlackCat, Conti, Hive, Sodinokibi, and Stop have ascended to the top of the list as the most prominent ransomware families, accounting for more than four-fifths (81%) of all ransomware activity.

The majority of threat actors choose Cobalt Strike and Metasploit as off-the-shelf tools (5.7% of all signature events). These families account for over two thirds (68%) of all Windows infection attempts.

91% of malware signature incidents were found on Linux endpoints, with Windows accounting for the remaining 6%. Most threat actors hide in appliances, edge devices, and other extremely low visibility platforms in order to stay undetected. 

Cloud issues 

Elastic discovered that focusing on cloud-based solutions is a completely different beast. Businesses are increasingly moving from on-premises solutions, but they are sloppy, resulting in numerous misconfigurations, inadequate access restrictions, insecure credentials, and no functional principle of least privilege models. Threat actors are taking use of all of this to infiltrate environments and deploy malware. 

Security experts also detected defence evasion (38%), credential access (37%), and execution (21%), as the most common strategies linked to threat detection signals for Amazon Web Services. More than half (53%) of all credential access incidents involved compromised legitimate Microsoft Azure accounts. 

“Today’s threat landscape is truly borderless, as adversaries morph into criminal enterprises focused on monetizing their attack strategies,” stated Jake King, head of security intelligence and director of engineering at Elastic. 

“Open source, commodity malware, and the use of AI have lowered the barrier to entry for attackers, but we’re also seeing the rise of automated detection and response systems that enable all engineers to better defend their infrastructures. It’s a cat-and-mouse game, and our strongest weapons are vigilance and the continued investment in new defence technologies and strategies.”
Read more »
User Security
Cyber Attacks Data Safety Ransomware Ransomware Threat SMB User Security

Ransomware Attacks on the Small and Medium Businesses are on the Rise

 

The risk of being victimised by ransomware has grown over time. The frequency and sophistication of these attacks, which affects every industry, have both steadily increased. Additionally, when these attacks become more well-known among businesses, they search for fresh defenses against them. 

61 percent of all cyberattacks targeted small firms, according to a survey by Checkpoint. The report also notes that few small and medium-sized enterprises (SMBs) are aware that they are vulnerable to these internet risks just like the larger corporations. SMEs may strengthen their internet security by using the three steps Checkpoint has provided. 

Maintain IT equipment, and make routine repairs

Keeping your systems updated with the most recent software and security updates can prove to be extremely beneficial when it comes to safeguarding your organisation against any cyber-attacks. 

According to a recent report, 80% of all BYODs (bring your own devices) at a firm are not monitored, which presents a chance for hackers to exploit these unattended systems. Updates for tablets, smartphones, laptops, and PCs used for office work should be installed as soon as they are made available. This is one of the most crucial steps you can take to increase security. By ensuring that their operating systems, software, phones, and apps are set to update automatically, users can also prevent gaps in their security posture. 

Monitor the usage of hard drives and USB sticks

For at least part of the week, 40% of SMB employees must work remotely. The security of these gadgets must be controlled properly at all times, and that is the top responsibility of the company. Using an external USB drive or memory stick, workers frequently transfer files between teams or to different businesses.

The fact that one unsecured device is all it takes to compromise an entire network should not be overlooked. It is exceedingly challenging to trace the files that are stored on storage devices because they are shared publicly. The likelihood of a breach can be decreased by using endpoint protection measures, restricting access to physical ports, and only permitting the use of authorised sticks or memory cards. 

Avoid backing up data on the main server 

If you keep all of your company's data on the same server, there is a potential that a hacker may access it all in the event of an assault. Organizations should determine the critical information that is necessary for their operations and establish an entirely separate, off-site network backup. Employees will be able to access crucial files, allowing them to carry on with daily operations, and this will assist the company in recovering from a ransomware assault. 
Read more »
Ransomware Threat
Conti Ransomware Cyber Security Cyble data security Ransomware Ransomware Threat

Experts Warn Against Ransomware Hitting Government Organizations

Cyble Research Labs noticed an increase in ransomware incidents in the second quarter of 2022, few of these led a deep impact on the victims, like attack against the Costa Rican government which led to the countrywide crisis. 

Experts warn of ransomware operations targeting government organizations, finding 48 government organizations across 21 countries that suffered 13 ransomware attacks this year. Researchers at Cyble say that hacking groups have modified their strategies, going from enterprises to small states threatening to destabilize government operations. 

Small states become easy targets because of the low levels of critical infrastructure security due to low finances to protect them. 

The notorious ransomware group Conti began targeting the Costa Rican government in April 2022. "A similar attack was seen in May 2021, when the gang targeted Ireland’s publicly funded health care system and demanded a ransom of USD20 million. 

The timing could be a pure coincidence; however, Conti was seemingly trying the same tactics with Costa Rica, but this time on a larger scale, shortly after a change in government in the country," reads a Cyble post. 

After the Costa Rica incident, the Conti ransomware gang also attacked Peru. Other incidents of ransomware attacks were reported in Latin America, which includes Brazil and Peru governmental organizations. 

"Cyble Research Labs conducted research over vulnerable instances of the Peruvian government’s cyberinfrastructure and identified 21 instances from 11 ministerial websites with the most exploited CVEs from 2021," says Cyble. Experts also report sales on underground cybercrime platforms of data extraction from the server of government organizations. 

It includes the Federal Court of Malaysia, the Ministry of Energy and Natural Resources, the Department of Management Services under the Malaysian Ministry of Personnel and Organizational Development, the Civil Service Commission of the Republic of Philippines, and the National Bank of Angola. Experts have highlighted the need for smaller states to strengthen their threat-finding capabilities and to implement quick response mechanisms to cyberattacks. 

Cyble says the importance to spend in capacity building to promote skilled manpower, promote awareness among users, and lessen the technology gap to mitigate their risk impact.
Read more »
Social Security Number
Data Breach Healthcare Hacking LAPSUS$ Microsoft NVIDIA Ransomware Threat Samsung Social Security Number

LAPSUS$ Group Targets SuperCare Health

 


SuperCare Health, a California-based respiratory care provider, has revealed a data breach that exposed the personal details of over 300,000 patients. Someone had access to specific systems between July 23 and July 27, 2021. By February 4, the company had assessed the scope of the data breach, learning the attackers had also acquired patient files including sensitive personal information such as:
  • Names, addresses, and birth dates.
  • A medical group or a hospital.
  • Along with health insurance details, a patient's account number and a medical record number are required. 
  • Data about one's health, such as diagnostic and treatment information. 
  • A small number of people's Social Security numbers and driver's license information were also revealed. 

"We have no reason to suspect any information was published, shared, or misused," according to SuperCare Health, but all possibly impacted patients should take extra security precautions to avoid identity theft and fraud. 

On March 25, the company notified all affected customers and implemented extra security steps to prevent the following breaches. The breach has affected 318,379 people, according to the US Department of Health and Human Services. Based on the number of people affected, this is presently among the top 50 healthcare breaches disclosed in the last two years. SuperCare Health further told, "We have reported the event to a Federal Bureau of Investigation and it will cooperate to help us identify and prosecute those involved." 

In the last several months, several healthcare institutions have revealed massive data breaches. Monongalia Health System (400,000 people affected), South Denver Cardiology Associates (287,000 people affected), Norwood Clinic (228,000 people affected), and Broward Health (228,000 people affected) are among the organizations on the list (1.3 million). 

Last week, the Health Department issued an advisory to healthcare groups, warning companies about the impact of a major cybercrime attack by the Lapsus$ cybercrime group. In recent months, the hackers have targeted Samsung, NVIDIA, Vodafone, Ubisoft, Globant, Microsoft, and Okta, among others. The organization takes information, often source code, and threatens to release it unless they are paid.

LAPSUS$ steals confidential information from organizations which have been hacked, then threatens to disclose or publish the information if the requested amount is not paid. The LAPSUS$ extortion ring, on the other hand, has abandoned the typical ransomware strategies of file encryption and computer lockout. 

According to the notice, the Health Department is aware of healthcare institutions which have been hacked as a result of the Okta attack; Okta has verified that more than 300 of its clients have been affected by the breach. In the light of the incident, Police in the United Kingdom have identified and charged several accused members of the Lapsus$ gang.
Read more »
South African
Bitcoin Credit Card Theft cybercriminals Data Breach Password Hacking Ransomware Threat South African

Theft of 54 million SA Records, as per TransUnion Linked to the Current Breach

 

Recently one of South Africa's main credit bureaus, TransUnion has been hacked, and the hackers are demanding $15 million in ransom. 

The compromised credit bureau revealed on Friday it had been hacked and had received a ransom demand which "will not be paid." By exploiting an authorised client's credentials, the hackers, dubbed N4aughtysecTU, acquired access to an "isolated server holding restricted data from our South African firm."

N4aughtysecTU told IT Web it had 4 terabytes of client data and had accessed 54 million records, including information from more than 200 businesses. It allegedly threatened to attack TransUnion's corporate clients unless the credit bureau paid it $15 million in Bitcoin (about R223 million). 

The breach affects many South Africans who have entered into credit agreements, regardless of loan size. Users automatically consent to the credit bureaus disclosing about credit and payment history when they sign into agreements with banks or other financial institutions, credit card providers, vehicle lenders, utilities, or other creditors. The fact that your account information and payment history will be submitted to credit reporting agencies is outlined in these agreements.

According to a statement on the TransUnion website: 
  • An isolated server containing limited information from our South African operations was impacted by the attack.
  • The team is working closely with other specialists to figure out what data was impacted. 
  • Consumer information, such as phone numbers, email addresses, and identity information, may be affected. 
People should not give out personal information such as passwords and PINs to strangers over the phone or over email, according to Sabric, and demands for personal information should be confirmed first.

Experian, a credit bureau, had a data breach in 2020, potentially exposing the personal information of 24 million South Africans. Alongside, a ransomware attack hit Debt-IN Consultants, a debt recovery partner to various South African financial sector companies, in 2021. It is estimated that over 1.4 million South Africans' personal information was fraudulently accessed from its systems.

Moreover, banks have also been targeted. Absa revealed a data breach in November 2020, and over a year and a half later, it is still identifying more compromised customers. 
Read more »
Security Risk
Cyber Security Mid-market Organizations Ransomware Threat Security Risk

One in Three Mid-Market UK Organizations Suffered from Attacker Outages in 2021

 

A third of mid-market UK organizations hit by cyberattacks in 2021 suffered breakdowns that knocked them offline for more than a day, a new research from cybersecurity firm Censornet revealed.

The survey discloses that more than one in five (21%) were forced to pay attackers to put an end to the attack, with the average pay-out amounting to £144,000 and 7% handing over more than £500,000. As a result, the primary demand for cybersecurity in 2022 was to see security vendors open up traditionally closed point products to enable an automated response to cyberattacks.

The report, which surveyed 200 IT decision-makers across the UK, covering ten different industries, found that ransomware was particularly problematic, as more workers work from home.

“For the UK mid-market, the cybersecurity situation is serious. The financial and reputational cost of cybercrime is rising, putting more pressure on overwhelmed professionals, who are tackling hundreds of alerts a day from siloed point products,” said Ed Macnair, CEO at Censornet. Organizations must work smarter, not harder. Only when security systems work seamlessly together, faster than humanly possible, will we see the needle begin to move in the right direction.”

Nearly half of mid-market organizations participating in the survey said they hadn’t purchased cybersecurity products specifically manufactured to guard against threats for hybrid and remote workers. As a result, 76% of organizations said they plan to invest in a cloud-based security platform that allows their security products to autonomously share security event data to better protect their organization. 

In response to the challenges that organizations are facing, respondents indicated a clear need for fundamental change in the way cybersecurity is designed and run over the next year. 46% want security vendors to open up traditionally closed point products to enable an automated response to cyber threats.

Last week, Slovak cybersecurity firm ESET published a separate report revealing that London has the highest cybercrime rate in the UK, with 5,258 reports in total followed by the West Midlands at 1,242. Cumbria was the area with the lowest cybercrime, with only 174 reports, followed by Cleveland 194 and Dyfed-Powys 213. 

In its report, ESET researchers discovered an overall decline of 2.97% in cybercrime in 2021. The most common form of cybercrime for 2021 was social media and email hacking, which accounted for 53.1% of reports. This was followed by computer viruses, which accounted for 28% of reports.
Read more »
Windows
Antivirus Industrial control system LockBit malware Multi-factor authentication PowerShell Ransomware Threat Windows

Bridgestone USA Alleges to be Infiltrated by a LockBit Ransomware Cell

 

The LockBit ransomware gang claims to have infiltrated Bridgestone Americas' network and stolen data. It is an American subsidiary of Bridgestone Corporation, a Japanese tire, and automobile components manufacturer. It is a conglomerate of companies with more than 50 manufacturing locations and 55,000 people spread across America. If the corporation does not pay the ransom, Lock bit operators aim to reveal the private documents by March 15, 2022, 23:59. 

Bridgestone began an investigation into "a potential information security incident" on February 27, which was discovered in the morning hours of the same day. The incident remained unknown until recently when the LockBit ransomware gang claimed responsibility for the attack by adding Bridgestone Americas to its list of victims.

LockBit is one of the most active ransomware groups today, demanding significant sums of money in exchange for stolen data. According to a Kaspersky investigation, the ransomware gang utilizes LockBit, a self-spreading malware that uses tools like Windows Powershell and Server Message Block to proliferate throughout an enterprise. 

As per Dragos' study, the transportation and food and beverage industries were the second and third most targeted industries, respectively. LockBit is currently threatening Bridgestone with the release of their data.

The examination by the tire company indicated the attacker followed a "pattern of behavior" which is usual in ransomware assaults. Bridgestone went on to say the attacker had taken information from a small number of its systems and had threatened to make the stolen data public.

In a statement, the company said they are "committed to conducting a rapid and definitive inquiry to identify as swiftly as possible what precise data was obtained" from their environment. "The security of our teammates, customers, and partners' information is extremely important to Bridgestone."

Despite the fact that the LockBit ransomware gang has primarily targeted the industrial and manufacturing sectors, ransomware like the one utilized by the gang can still infect your PC.

To prevent ransomware criminals from getting into users' accounts, Kaspersky recommends using strong passwords and enabling multi-factor authentication. The antivirus firm also advised having system-wide backups in case data was lost due to malware infection. Additionally, keeping your system configurations up to date and following all security measures will help you avoid being a ransomware victim, saving you a lot of time and aggravation.
Read more »
WordPress
Acunetix vulnerability Cyber Attacks Cyber flaws FBI Iranian hackers Ransomware Threat SQL VPNS WordPress

FBI Issued a Warning to U.S Firms Concerning Iranian Hackers

 

The FBI issues a warning concerning Iranian hackers, posing as radical right organization Proud Boys during the 2020 presidential election, have now broadened operations, launching cyberattacks against a variety of industry divisions and spreading propaganda hostile to Saudi Arabia. 

"Over time, as Iranian operators have evolved both the strategic priorities and tradecraft, the hackers have matured into more proficient malicious attackers being capable of performing a whole spectrum of operations," read a Microsoft report.

Ransomware works by encrypting a device's data and making it inaccessible until the hacker receives a ransom payment. 

In a recent alert, the FBI stated, in addition to its election-related operation, the Emennet malicious attacker has been engaged in "conventional cyber exploitation activity," targeting industries such as news, transportation, tourism, oil and petrochemicals, telecoms, and financial services. It has been using VPNs to launch attacks on websites operated by certain software applications, such as WordPress, which cybercriminals can exploit to launch hacks in countries other than the United States, Europe, and the Middle East. 

The hackers employed multiple free source and commercial tools in activities, including SQLmap, Acunetix, DefenseCode, Wappalyzer, Dnsdumpster, Netsparker, wpscan, and Shodan, to mask location. The threat actor picked possible victims during the discovery phase of the hacking operations by browsing the web for prominent corporations representing various sectors. For initial access, the hackers would try to locate flaws in the program. 

"In certain cases, the goal may have been to target a large assortment of networks/websites inside a specific sector rather than a specific target company. Emennet would also attempt to discover hosting/shared hosting services in other scenarios," according to the FBI. 

Users must keep personal anti-virus and anti-malware products up to date, patch obsolete software, and make use of reliable web hosting companies, according to the authorities. In any case, Iran's state-sponsored hacker organizations aren't the only ones who have exploited the BIG-IP flaw.
Read more »
Windows
Antivirus domains Malware Detection Microsoft Ransomware Threat Vulnerabilities and Exploits Windows

Endpoint Antivirus Detection Has Reached its Apex

 

Endpoint security is a term used to describe cybersecurity services provided to network endpoints, it included providing  Antivirus, email filtering, online filtering, and firewall services. Businesses rely on endpoint security to protect vital systems, intellectual property, customer details, employees, and visitors from ransomware, phishing, malware, and other threats. 

"While the total volume of cyberattacks decreased slightly, malware per device increased for the first period since the pandemic began," said Corey Nachreiner, CSO at WatchGuard. "Zero-day malware increased by only 3% to 67.2 percent in Q3 2021, and malware delivered via Transport Layer Security (TLS) increased from 31.6 percent to 47 percent." 

As consumers update to newer versions of Microsoft Windows and Office, cybercriminals are focused on fresh vulnerabilities — versions of Microsoft's widely used programs. CVE-2018-0802, which exploits a weakness in Microsoft Office's Equation Editor, cracked WatchGuard's top 10 entryway antivirus malware list in Q3, reaching number 6 after appearing on the widespread malware list.

In addition, two Windows software injectors (Win32/Heim.D and Win32/Heri) ranked first and sixth, on the most detected list. In Q3, the Americans were the focus of 64.5 percent of network attacks, compared to 15.5 percent for Europe and 15.5 percent for APAC (20 percent ). 

Following three-quarters of more than 20% increase, a reduction of 21% brought volumes back to Q1 levels. The top ten network attack signatures are responsible for the majority of attacks – The top 10 signatures were responsible for 81 percent of the 4,095,320 hits discovered by IPS in Q3. In fact, 'WEB Remote File Inclusion /etc/passwd' (1054837), which targets older, commonly used Microsoft Internet Information Services (IIS) web servers, was the only new signature in the top ten in Q3. One signature (1059160), a SQL injection, has remained at the top of the list since the second quarter of 2019. 

From application flaws to script-based living-off-the-land attacks, even those with modest skills may use scripting tools like PowerSploit and PowerWare, there were also 10% additional attack scripts than there were in all of 2020, a 666 percent raise over the previous year. 

In total, 5.6 million harmful domains were blocked in the third quarter, including many new malware domains attempting to install crypto mining software, key loggers, and wireless access trojans (RATs), as well as SharePoint sites harvesting Office365 login information. The number of blacklisted domains is down 23% from the past quarter, it is still several times greater than the level seen in Q4 2020.

Ransomware attacks reached 105 percent of 2020 output by the end of September, as expected after the previous quarter, and are on track to exceed 150 percent after the entire year of 2021 data is analyzed. 

According to WatchGuard's investigation, attackers operating with the REvil ransomware-as-a-service (RaaS) operation exploited three zero-day vulnerabilities in Kaseya VSA Remote Monitoring and Management (RMM) applications to deliver ransomware to more than 1,500 organizations and potentially millions of endpoints.
Read more »
Zyxel
Akamai cybercriminals Log4Shell Microsoft Mirai botnet Ransomware Threat Remote Code Execution SolarWinds Vulnerabilities and Exploit Zyxel

Log4j Attack Target SolarWinds and ZyXEL

 

According to reports published by Microsoft and Akamai, cybercriminals are targeting SolarWinds devices with the Log4Shell vulnerability, and ZyXEL is known to use the Log4j library in their software.

Attacks have been reported on SolarWinds and ZyXEL devices using the log4j library, according to Microsoft and Akamai reports. CVE-2021-35247 has been assigned to the vulnerability, which has been paired with a zero-day in the SolarWinds Serv-U file-sharing service.

According to Microsoft's Threat Intelligence Center (MSTIC), the SolarWinds vulnerability, dubbed CVE-2021-35247, is a data validation hole that might allow attackers to compose a query based on some data and send it across the network without sanitizing. 

Jonathan Bar-Or, a Microsoft security researcher, is credited with identifying the flaw, which affects Serv-U versions 15.2.5 and earlier. In Serv-U version 15.3, SolarWinds patched the vulnerability. "A closer look helped discover the feed Serv-U data and it generates an LDAP query using the user unsanitized input!" he claimed. Not only might this be included in log4j attacks but it also is used for LDAP injection. 

SolarWinds claimed in its advisory, the Serv-U online log-in screen for LDAP authentication is  permitting symbols that are not appropriately sanitized and it had modified the input method "to do further validation and sanitization." The attacker cannot log in to Serv-U, according to a SolarWinds official, and the Microsoft researcher is referring to failed attempts because Serv-U doesn't use Log4J code. 

The unverified remote code execution (RCE) vulnerability in Log4j – identified as CVE-2021-44228 – has also been repurposed to infect and assist in the dissemination of malware used for the Mirai botnet by targeting Zyxel networking equipment, according to Akamai researchers. When researchers intended to access the Java payload class, the LDAP server in which the exploit was located was no longer active. It's claimed that Zyxel was particularly singled out since published an article claiming to have been hit by the log4j flaw. 

The scenario surrounding the Log4Shell breach has remained unchanged since last month, and threat actors looking to get access to corporate networks continue to target and exploit the vulnerability. Threat actors including ransomware gangs, nation-state cyber-espionage groups, crypto-mining gangs, initial access brokers, and DDoS botnets have all been reported to have exploited the vulnerability in the past. Although the Apache Software Foundation has issued patches for the Log4j library, threats against applications using it are likely to persist because not all of these apps have published a set of security updates, abandoning many systems vulnerable and creating a breeding soil for exploitation that will last for years.
Read more »
threats
Cyber Security Ransomware Ransomware Threat Report Research Safety threats

Security Professionals View Ransomware and Terrorism as Equal Threats

 

Venafi published the results of a global poll of over 1,500 IT security decision-makers, which showed that 60% of security professionals believe ransomware threats should be treated on par with terrorism. 

Following the attack on the Colonial Pipeline earlier this year, the US Department of Justice upgraded the threat level of ransomware. According to the report, just about a third of respondents have put in place basic security protections to break the ransomware kill chain. 

Other significant findings:
  • Over the last 12 months, 67 per cent of respondents from companies with more than 500 employees have suffered a ransomware assault, rising to 80 per cent for companies with 3,000-4,999 employees. 
  • Although 37% of respondents said they would pay the ransom, 57% said they would reconsider if they had to publicly publish the payment, as required by the Ransomware Disclosure Act, a bill introduced in the US Senate that would require corporations to reveal ransomware payments within 48 hours.
  • Despite the increased frequency of ransomware assaults, 77 percent of respondents are optimistic that the mechanisms they have in place would keep them safe from ransomware. IT decision makers in Australia have the most faith in their tools (88 percent), compared to 71 percent in the United States and 70 percent in Germany.
  • Paying a ransom is considered "morally wrong" by 22% of respondents. 
  • Seventeen per cent of those hacked admitted to paying the ransom, with Americans paying the highest (25 per cent) and Australian businesses paying the least (9 per cent). 

Many depend on traditional security controls to tackle ransomware threats 

Kevin Bocek, VP ecosystem and threat intelligence at Venafi stated, “The fact that most IT security professionals consider terrorism and ransomware to be comparable threats tells you everything you need to know; these attacks are indiscriminate, debilitating, and embarrassing.” 

“Unfortunately, our research shows that while most organizations are extremely concerned about ransomware, they also have a false sense of security about their ability to prevent these devastating attacks. Too many organizations say they rely on traditional security controls like VPNs and vulnerability scanning instead of modern security controls, like code signing, that are built-in to security and development processes.” 

According to the survey, most businesses do not employ security controls that disrupt the ransomware kill chain early in the attack cycle. Many ransomware attacks begin with phishing emails including a malicious attachment, yet only 21% of ransomware assaults restrict all macros in Microsoft Office documents. 

Only 28% of firms require all software to be digitally signed by their organization before employees are permitted to execute it, and only 18% utilize group policy to limit the usage of PowerShell. 
Read more »
Subscribe to: Posts (Atom)