Search This Blog

Showing posts with label cyber attack. Show all posts

Ukrainians DDoS Russian Vodka Supply Chains

 

According to the Russian news portal Vedomosti, Ukrainian cyber threat actors compromised Russia’s central alcohol distribution portal that is considered crucial for the distribution of alcoholic beverages in Russian regions called Unified State Automated Alcohol Accounting Information System or EGAIS.

EGAIS is a portal that plays important role in alcohol distribution in the nation. As per the law, for all alcohol producers and distributors, it is mandatory to register their shipments with EGAIS. Therefore, this attack caused extensive service blockage across Russia. 

The group hit the portal with DDoS attacks launched on May 2nd and 3rd. Through the DDoS or distributed denial of service attacks, the perpetrators overwhelm servers with superfluous requests in an attempt to overload systems and render some or all legitimate requests from being fulfilled. 

Also, according to the experts, sophisticated strategies have to be required against such types of attacks, as simply attempting to block a single source is insufficient. Three sites belonging to the platform have been hit by DDoS attacks. 

On May 4th, two EGAIS sites showed the error “the server stopped responding,” and the third didn’t work. The attacks took place on May 2nd and the next day system failures became more obvious about the attack. 

Wine trader Fort said that the site stopped working on May 4th, and the Union of Alcohol Producers, Igor Kosarev, and Ladoga representatives claimed the same. 

Fort further added that they had failed to upload about 70% of invoices to EGAIS due to the attack. Its supplies of wine to retail chains and restaurants in the region apparently failed to distribute on May 4 due to the incident. The outage impacted not only vodka distribution but wine companies faced disruption as well alongside purveyors of other types of alcohol. 

“Due to a large-scale failure, factories cannot accept tanks with alcohol, and customers, stores, and distributors cannot receive finished products that have already been delivered to them,” Vedomosti reported.

Ukrainian threat actors group, the Disbalancer took responsibility for the attack and announced their future plans to launch more attacks on the platform.

NIA Starts Probe into Malware Attacks on Social Media of Defense Personnels

NIA (National Investigation Agency) has started an inquiry into the use of fake Facebook profile through which various defense personnel was contacted and their devices hacked using malware for personally identifiable information. NIA suspects that the main account was being handled from Pakistan. Vijaywada Counter Intelligence Cell first found the spying campaign in 2020, after which it registered a case under several provisions of IPC, Official Secrets Act, Information Technology Act, and UAPA (Unlawful Activities Prevention Act). 

According to the allegation, confidential information related to national security was hacked via remotely deploying a hidden malware into electronic devices, which includes mobile phones and computers, belonging to defense personnels and other defense agencies via a FB account with the profile name "Shanti Patel." Actors handling the account added concerned personnel via private Facebook messenger chats on the web. 

The victims' devices were hacked using malware to get unauthorized access to confidential data of computer resources and steal sensitive information with an aim to carry out acts of terrorism and threaten the unity, integrity, and sovereignty of India. As per the report from Counter Intelligence Cell, the threat actors distributed the malware by sending a folder that contained photos of a woman to the defense personnels. The evidence suggests that malware originated somewhere from Islamabad. A similar case happened last year where the police arrested army personnel in Rajasthan, the accused was posted in Sikkim. 

The Hindu reports "on October 31, 2020, following a tip-off from the Military Intelligence, the Rajasthan police nabbed one Ramniwas Gaura, a civilian working with a Military Engineering Services (MES) unit. The accused had been contacted using a Facebook profile by someone using pseudonyms Ekta and Jasmeet Kour. They then remained in touch on Whatsapp. "In the recent years, multiple attacks targeting defense agencies using social media have surfaced." The handlers usually send money to the information providers through the ‘hawala’ channel. Several preventive measures have been taken by the agencies concerned,” an official said," says the Hindu.

Heroku Admits to Customer Database Hack after OAuth Token Theft

 

On Thursday Heroku disclosed that users’ passwords were stolen during a cyberattack that occurred a month ago, confirming that the attack also involved the code repository GitHub. Heroku revealed that the stolen GitHub integration OAuth tokens from last month further led to the compromise of an internal customer database. 

Following the attack, the organization has notified its customer that the company is going to reset their passwords on May 4 unless they change passwords beforehand. In this process, the company has also warned its users that the existing API access tokens will also be inactive and new ones have to be generated for future work. 

"We appreciate your collaboration and trust as we continue to make your success our top priority. The initial detection related to this campaign occurred on April 12 when GitHub Security identified unauthorized access to our npm production infrastructure using a compromised AWS API key," GitHub said.

"Based on subsequent analysis, we believe this API key was obtained by the attacker when they downloaded a set of private npm repositories using a stolen OAuth token from one of the two affected third-party OAuth applications described above." 

The attack in question relates to the theft of OAuth tokens that GitHub saw in April, which impacted four OAuth applications related to Heroku Dashboard and one from Travis CI. 

By stealing these OAuth tokens, malicious actors could access and download data from GitHub repositories belonging to those who authorized the compromised Heroku or Travis CI OAuth apps with their accounts. However, GitHub’s infrastructure, private repositories, and systems themselves were not impacted by the attack. 

While reporting that they had informed Heroku and Travis-CI of the incident on April 13 and 14, GitHub said, it "contacted Heroku and Travis-CI to request that they initiate their own security investigations, revoke all OAuth user tokens associated with the affected applications, and begin work to notify their own users."

Kellogg Community College Closes after Ransomware Attack

 

Kellogg Community College in Michigan has closed its campuses and canceled classes after falling victim to a cyber-attack. It's a Battle Creek-based community college and according to the recent data, it serves approximately 7000 students annually. 

On its official website on Sunday the community posted a statement in which it has shared basic information about the ransomware attack that took place over the weekend. Following the attack, the cancellation of all Monday classes and the closure of its five campuses in Battle Creek, Coldwater, Albion, and Hastings were announced.

Furthermore, as the website notified that the attack is causing continued technology problems in the systems, the college told, “the technology issues we have been experiencing were caused by a ransomware attack that continues to affect our systems.” 

All five Kellogg campuses will remain closed while the security vulnerabilities are under investigation, however, the college community is hoping to reopen the campuses later this week. The community is also working to launch a “forced password reset for all students, faculty, and staff” to better secure the network.

“We want to reassure our faculty and students that we will take any actions necessary for students to complete course work in a timely manner and appreciate your patience and support in the meantime,” the alert read. 

According to the data, since 2021, various community colleges have been the victims of ransomware attacks, including Butler County Community College in Pennsylvania, Sierra College in California Lewis, and Clark Community College in Illinois. 

“As we have previously informed you, we have been the victim of a ransomware attack on our systems and services. We are still working to understand the full extent of this incident, but since our last update, we have been working diligently with our IRT team and have made progress in our restoration process,” said the Kellogg Community College.

Russia-linked APT29 Targets Diplomatic World Wide

 

Security intelligence from Mandiant has discovered a spear-phishing campaign, launched by the Russia-linked APT29 group, designed to victimize diplomats and government entities worldwide including European, the Americas, and Asia. 

The group is believed to be sponsored by the Russian Foreign Intelligence Service (SVR) and to have orchestrated the 2020 SolarWinds attack which hit hundreds of organizations. 

According to the data, the Russia-linked APT29 group popularly known as SVR, Cozy Bear, and The Dukes is active since at least 2014, along with the APT28 cyber threat group which was involved in the Democratic National Committee hack, the wave of attacks aimed at the 2016 US Presidential Elections and a November 2018 attempt to infiltrate DNC. 

The phishing emails have been masqueraded as official notices related to various embassies. Nation-state actors used Atlassian Trello, DropBox, and cloud services, as part of their command and control (C2) infrastructure. 

“APT29 targeted large lists of recipients that Mandiant suspected were primarily publicly-listed points of contact of embassy personnel. These phishing emails utilized a malicious HTML dropper tracked as ROOTSAW, which makes use of a technique known as HTML smuggling to deliver an IMG or ISO file to a victim system.” reads the analysis published by Mandiant. 

The threat actors used the HTML smuggling technique to deliver an IMG or ISO file to the targets. The ISO image contains a Windows shortcut file (LNK) that installs a malicious DLL file when it is clicked. When the attachment file opens, the ROOTSAW HTML dropper will write an IMG or ISO file to disk. Following the steps, once the DLL file is executed, the BEATDROP downloader is delivered and installed in memory. 

“BEATDROP is a downloader written in C that makes use of Trello for C2. Once executed, BEATDROP first maps its own copy of ntdll.dll into memory for the purpose of executing shellcode in its own process. BEATDROP first creates a suspended thread with RtlCreateUserThread which points to NtCreateFile...” 

 “…Following this, BEATDROP will enumerate the system for the username, computer name, and IP address. This information is used to create a victim ID, which is used by BEATDROP to store and retrieve victim payloads from its C2. Once the victim ID is created, BEATDROP will make an initial request to Trello to identify whether the current victim has already been compromised”, the report read.

3 Hacking Teams Working Under the Umbrella of TA410 Group

 

Recently, a campaign has been discovered wherein threat actors are noted to be victimizing a variety of critical infrastructure sectors in different regions such as Africa, the Middle East, and the United States. The group that has been identified as TA410, has been using an improved version of a remote access trojan designed with information-stealing capabilities. 

TA410 is an umbrella group comprising of three teams named FlowingFrog, LookingFrog, and JollyFrog. 

In regard to the incident, the Slovak cybersecurity firm ESET has reported that "these subgroups operate somewhat independently, but that they may share intelligence requirements, and access team that runs their spear-phishing campaigns, and also the team that deploys network infrastructure." 

Following the incident, it has been observed that the TA410 shares behavioral and tooling overlaps with APT10 (aka Stone Panda or TA429) which has a history of targeting U.S.-based organizations in the utility sector as well as diplomatic entities in the Middle East and Africa region. 

Moreover, the group has also targeted many firms in different regions all across the world including a manufacturing company in Japan, mining business in India, a charity foundation in Israel, and unnamed victims in the education and military verticals. 

Im 2019, TA410 was recorded by Proofpoint for the first  time when the members of the group executed phishing campaigns containing macro-laden documents to compromise utility providers across the U.S. with a modular malware called LookBack. 

The group made a comeback with a new backdoor codenamed FlowCloud, also delivered to U.S. utility providers that Proofpoint described as malware that gives attackers full remote control over targeted systems. 

"Its remote access trojan (RAT) functionality includes the ability to access installed applications, the keyboard, mouse, screen, files, services, and processes with the ability to exfiltrate information via command-and-control," the company reported in June 2020. 

Cybersecurity firm Dragos, which is investigating the activities of the group under the moniker TALONITE, said that the adversary has a penchant for blending techniques and tactics in order to ensure a successful intrusion. 

"TALONITE focuses on subverting and taking advantage of trust with phishing lures focusing on engineering-specific themes and concepts, malware that abuses otherwise legitimate binaries or modifies such binaries to include additional functionality, and a combination of owned and compromised network infrastructure," Dragos said in April 2021.

WhatsApp Voice Message Phishing Campaign

 

Recently Armorblox researchers have discovered that the new WhatsApp phishing campaign is targeting users by impersonating WhatsApp's voice message feature, in one of their latest researches.

At least 27,655 email addresses have been targeted by a phishing campaign spoofing WhatsApp's voice message attempting to spread information-stealing malware. This phishing campaign is designed to lead the users through a series of steps that will ultimately end with the installation of an information-stealing malware infection which further will open the way to credential theft. 

Following the incident, researchers released a statement in which they have explained the entire fraudulent process and also warned to identify signs of fraudulent activity for users to better protect themselves from phishing attempts. 

The researchers said that the malicious actors are using the "Whatsapp Notifier" service with an address owned by the Center for Road Safety of the Moscow Region, which notifies recipients regarding a new private message, with the email including a "Play" button, as well as the duration of the audio clip and details regarding the creation of the message. 

Clicking on the "Play" button will redirect recipients to a website that will trigger an allow/block prompt for JS/Kryptic trojan installation, with users lured to click "Allow" to confirm that they are not a robot. Selecting "Allow" would then prompt the installation of the information-stealing malware.

Looking into the issue for Digital Journal Josh Rickard, Security Automation Architect at Swimlane said “Phishing attacks are one of the most common methods of cyberattacks and, unfortunately, have become all too easy for cybercriminals to leverage.” In terms of how this form of attack works, he continues: “ These types of social engineering attacks that exploit human error are highly effective and well-masked. In this case, WhatsApps’s voice message feature was manipulated in an attempt to spread information-stealing malware to over 27,000 email addresses associated with the app.”

FBI Investigating More than 100 Ransomware Variants

 

Ransomware attacks spread more quickly than most organizations can respond. The United States Federal Bureau of Investigation (FBI) is on a mission to investigate more than 100 different variants of ransomware, many of which have been used extensively in various cyberattack campaigns. 

Bryan Vorndran, assistant director of the FBI’s Cyber Division has explained his team’s efforts against the malware threats to the United States House Committee on the Judiciary in Washington. 

Following the incident, Bryan Vorndran said that “There is not a day that goes by without multiple FBI field offices responding to ransomware attacks. The ransomware threat is not new, and it has been one of the FBI’s top cybercriminal investigative priorities for some time, but we have seen ransomware attack reporting increase significantly in the past two years, and the impact of these attacks has grown to dangerous proportions, threatening our economic and national security.” 

According to new data published by the FBI this week, cyberattackers wreaked havoc across the U.S., resulting in a record-high number of cyber threat complaints. Describing the rise in ransomware attacks, Vorndran said that from 2019 to 2021, the number of ransomware complaints reported to the FBI’s Internet Crime Complaint Center (IC3) increased by 82%, with a 449% rise in ransom payments and more than 847,000 total complaints that corresponded with crimes had cost victims an estimated sum exceeding $6.9 billion. 

“Ransomware-as-a-service’ (when a developer sells or leases ransomware tools to criminal customers) has decreased the barrier to entry and technological savviness needed to carry out and benefit from these compromises and increased the number of criminals conducting ransomware campaigns,” noted Vorndran. 

Further, FBI Deputy Director Paul Abbate has said that the bureau’s cyber division is investigating and working harder than before against the surging cyber threats to protect people. 

He further said, “We can put a cyber-trained FBI agent on nearly any doorstep in this country within one hour, and we can accomplish the same in more than 70 countries in one day through our network of legal attachés and cyber assistants legal attachés.”

Cyber-Attack on New York Ethics Watchdog



Databases maintained by New York’s public watchdog agency have to shut down their systems after state information technology researchers discovered a malicious cyber-attack on its web servers. 

The ethics watchdog, which regulates lobbying at the State Capitol reported last Friday evening that an investigation has been launched to determine the scope of the attack and the perpetrators behind the attack after it received an alert regarding suspicious activity on JCOPE’s network.

Following the attack, the Commission has shut down the systems as a precaution, including its lobbying application and financial disclosure statement online filing system.

JCOPE reported that the systems will remain shut down until the agency resume normal operations safely. As of the present, the Agency officials did not report anything regarding who was responsible for the attack. However, the agency said that they are planning to work with state law enforcement officials to investigate the attack.

“Our first and highest priority is the safety and integrity of the data entrusted to the Commission by the regulated community,” said JCOPE Executive Director Sanford Berland in a statement.

Following the attack, the public was not able to access the data about lobbyist expenditures. Lobbyists were kept from submitting their required records. JCOPE said that it will grant automatic extensions to the people who missed a deadline because of the outage. 

Walter McClure, a JCOPE spokesperson added that "the outage also affects searches using the agency’s legacy lobbyist filing system, which was in use until 2019".

Cyber Attacks Targeted on Websites Using Wordpress

Thirty Ukrainian Universities were hacked as a result of the targeted cyberattack supporting Russia's attack on Ukraine. In the latest report, experts from Wordfence said that the cyber attack had massive repercussions on Ukrainian Education organizations by hackers known as Monday Group. The threat actor has openly supported Russia's invasion of Ukraine. The members of the hacking group identify themselves as 'the Mxonday' has attacked the websites using WordPress hosting more than in the past two weeks, since the start of the Russian invasion of Ukraine. 


As per the Wordfence blog, the firm protects more than 8,000 Ukranian websites, around 300 of these belong to education websites. Wordfence also offers assistance to government agencies, police, and military websites. The security firm also mentioned that it experienced a rise of 144,000 cyber attacks on February 25, the second day of the Kinetic attack. The rise is three times the number of regular attacks compared to the starting of the month across the Ukranian websites that Wordfence protects. According to founder and CEO Mark Maunder, a threat actor was continuously trying to attack Ukranian websites, immediately after the Ukranian invasion. 

An inquiry into the issue found four IP addresses associated with the campaign, these are distributed through a VPN service from Sweden. The hacking group also has ties with Brazil, Wordfence is supposed to be operating from here. But the threat actors behind the cyber attack are yet to be known. The report comes after ESET's new research, which mentioned various malware families that are used in targeted cyber attacks against organizations in Ukraine. An ESET blog reported a destructive campaign that used HermeticWiper that targets different organizations. 

The cyberattacks comprised of three elements; HermeticWiper, which corrupts a system making it inoperable, HermeticWizard, which spreads HermeticWiper across the local network via WMI and SMB, and lastly, HermeticRansom. According to the blog, the cyberattack was preceded by a few hours from the start of the Russian invasion of Ukraine. The malware used in these attacks suggests that the planning of the campaign was done months ago. HermeticWiper has been found in hundreds of systems in the last five Ukrainian organizations, says ESET. It also mentioned that no tangible connection with a known threat actor has been found yet.

CNN Learned About the Preparation of the US Authorities to Repel Cyber Attacks from Russia

 

CNN reported citing US administration sources that representatives of the White House, US intelligence, the US Department of Homeland Security (DHS), and other agencies have discussed preparations to repel cyber attacks that could be carried out in the United States and Ukraine. 

According to the interlocutors of the TV channel, the meeting at the interdepartmental level took place on Friday, February 11, in the format of a videoconference. It discussed the measures that the U.S. leadership in cooperation with private companies could take in various areas of the economy in case of "a potential attack by cybercriminals or government-linked" hackers. 

In addition, there was a discussion of the "possible increase in ransomware attacks on U.S. companies" that "Russian-speaking hackers" allegedly might carry out. The issue of providing cybersecurity support to Ukraine was also raised, where, according to sources, there is a "concrete, credible threat" of attacks on infrastructure facilities. No such threat currently exists in the United States. A CNN source stressed that the administration was working on steps in case the situation changed for the worse. 

In mid-January, unknown hackers attacked at least 70 state websites of Ukraine, including portals of the Cabinet of Ministers, the Ministry of Education, the Ministry of Foreign Affairs, the Ministry of Sports, and other departments An appeal in Ukrainian, Russian and Polish appeared on them, the authors of which urged Ukrainian citizens "to fear and wait for the worst. In Ukraine, they believe that Russia is involved in the incident. The US said that the attack was carried out "according to the Russian scheme." On January 16, Russian presidential spokesman Dmitry Peskov said that Moscow had nothing to do with the incidents. He noted that no evidence of Moscow's culpability has been provided. 

White House Press Secretary Jen Psaki noted that the United States is in contact with Ukraine regarding the incident, and also offered its assistance in the investigation. According to her, Washington, their allies, and partners are "concerned about this cyberattack." 

Western media and officials have been speculating about an impending Russian invasion of Ukraine since the fall of 2021. Washington and Brussels threaten Moscow with new sanctions in case of an invasion. On February 9, Politico newspaper reported that U.S. senators suggested adding to the bill on sanctions against Russia the possibility of imposing restrictions "for cyberattacks" on Ukraine.

Swissport Ransomware Attack Delays Flights, Disturbs Operations

 

Swissport International, a supplier of aviation services, was struck by a ransomware attack that disrupted its operations. 

Swissport International Ltd. is an aviation services firm controlled by an international group of investors that provides airport ground, lounge hospitality, and cargo handling services. On behalf of 850 aviation clients, the corporation manages over 282 million passengers and 4.8 million tonnes of cargo each year. Swissport employs over 66,000 people at 307 locations across 50 countries and has combined operating revenue of EUR 2.8 billion. 

Swissport International was the victim of a ransomware assault that disrupted company operations and prompted aircraft delays. As per the German website Spiegel, the ransomware attack only affected a minor section of the corporation's global IT infrastructure, and a company spokesperson verified that the security breach occurred at 6 a.m. on Thursday. 

The attack has been substantially contained, according to the company, which is attempting to rectify the situation as swiftly as possible. 

A spokeswoman for Zurich Airport added, “Due to system problems at our airport partner Swissport, 22 flights were delayed by 3 to 20 minutes yesterday.”

The company spokesman added, “The attack has now been contained and everything is being done to solve the problem as quickly as possible and limit the impact on flight operations. Swissport can continue to provide ground services for airlines safely, but there may be delays in some cases.” 

On Friday afternoon, the Swissport website was unavailable. The organisation has not yet revealed information regarding the attack, such as the ransomware family that attacked its systems or if the attack resulted in a data leak. The attack on their leak sites was not claimed by any ransomware group. 

Other recent attacks in Europe have affected key infrastructure, such as the one that crippled Oiltanking GmbH, a German petrol distributor that supplies Shell gas stations across the country. The oil provider Mabanaft GmbH was also impacted by the attack, according to the media. The Marquard & Bahls group owns both companies. As per local media, the attacks could have compromised the country's fuel supplies. 

A cyberattack was launched this week on some of the main oil terminals in Western Europe's largest ports. The Amsterdam-Rotterdam-Antwerp oil trading centre, as well as the SEA-Tank Terminal in Antwerp, are among the affected port infrastructure.

Cyber Attack: North Korea Suffers Internet Outage

North Korea faced an internet shutdown, and experts suspect cyber-attacks are the main reason. The internet outage remained for six hours in the country on Wednesday last week during local morning time. It is the second incident causing internet outages in North Korea in the past two weeks. Cybersecurity expert Junaid Ali from Britain says the recent outage may be due to a denial-of-service (DDoS) attack. 

If a user in North Korea tried to connect to an IP address, the internet could not route the data into the country. The servers were back to normal within a few hours after the DDoS attack. Individual servers, however, could not function normally because of the disruption, these servers include-Naenara, the North Korean government official portal, Air Koryo Airlines, and the North Korea Ministry of Affairs. 

News website NK Pro reports network records and log files suggest that websites hosted in North Korean domains that end with ".kp" could not be accessed. A similar incident happened in North Korea earlier on January 24, 2022. In simple terms, network disturbance, not power cut, caused the internet outage. Experts observed that no internet traffic went in and out of North Korea during the attack. 

According to Junaid ", it is common for one server to go offline for some periods, but these incidents have seen all web properties go offline concurrently. It is not common to see their entire internet dropped offline. 

During the incidents, operational degradation would build up first with network timeouts, then individual servers going offline and then their key routers dropping off the internet." Internet access is restricted in North Korea, we don't know how many people have direct access to it, but the data suggests that around 25 million people have access to the internet, which is only 1% of the total population.

Google Docs Comment Flaw Exploited by Hackers

 

A flaw has been deducted in the comment feature of Google Docs which is allowing cybercriminals to compromise users with phishing emails. 

A unit of cyber threats has reported that the hackers are using the “Comments” feature of Google Docs to send malicious links in a phishing campaign. Researchers also unveiled in their findings that the group primarily targeted Outlook users. 

Researchers from email collaboration and security firm Avanan, a CheckPoint company have discovered what they call “a new, massive wave of hackers’’ leveraging the comment feature in Google Docs during December 2021 to execute attacks, Avanan Cybersecurity Researcher/Analyst Jeremy Fuchs mentioned in a report that has been published on Thursday. 

The team said that the hackers mentioned the target with an @ in the comment box of the users and by doing so an email was automatically sent to that person's inbox. The email includes malicious links and texts. Furthermore, researchers said that the email address of the commenter was not shown, just the name of the attacker. 

The attackers who have already hit more than 500 users across 30 different locations, employing more than 100 different Gmail accounts, are difficult to be caught as of now, according to the researchers at Avanan.

"In this attack, hackers are adding a comment to a Google Doc. The comment mentions the target with an @. By doing so, an email is automatically sent to that person’s inbox. In that email, which comes from Google, the full comment, including the bad links and text, is included. Further, the email address isn’t shown, just the attackers’ name, making this ripe for impersonators," reinstates Jeremy Fuchs, cybersecurity researcher/analyst at Avanan.

Following the incident, Jeremy Fuchs shared an example in which he explained the whole incident, "let’s say the intended target has a work address of vic.tim@company.com. The end-user will have no idea whether the comment came from bad.actor@gmail.com or bad.actor@company.com. It will just say 'Bad Actor' mentioned you in a comment in the following document," Fuchs says. "If Bad Actor is a colleague, it will appear trusted. Further, the email contains the full comment, along with links and text."

Israeli Media Outlets Hacked on Soleimani Killing Anniversary

 

On the anniversary of the killing of a prominent Iranian general, malicious actors attacked two major Israeli media outlets with a threatening message. Hackers replaced websites’ content with an image that threatened a site associated with Israel's undeclared nuclear weapons program. 

The websites that have been taken over by the hackers are Jerusalem Post and the Twitter account of Maariv. As of now, no group has taken the responsibility for the attack. While the image posted on the Jerusalem Post's website included a fist firing a shell out of a ring with a red stone towards Israel’s Dimona nuclear facility. 

"We are close to you where you do not think about it", read the text in English and Hebrew below the fist. 

We are aware of the apparent hacking of our website, alongside a direct threat to Israel. We are working to resolve the issue & thank readers for your patience and understanding. For now, you can continue reading us on our app: https://t.co/UrEXIpatDPhttps://t.co/veBDuWgucp — The Jerusalem Post (@Jerusalem_Post) January 3, 2022.  

Qassem Soleimani was the head of the Quds Force, the foreign operations arm of Iran's Revolutionary Guards -- hailed as a hero in Iran -- brave, charismatic, and beloved by the troops. He, who was the most important figure in the Iranian administration, was killed 2 years ago by a US drone strike at Baghdad International Airport, Iraq. Since then this incident incites hatred in Iraq towards USA and Israel.

Chinese Threat Actors Spy On Windows 10 Users, Reports Kaspersky

 

An unknown anonymous Chinese speaking hacker has been associated with a long term evasive campaign targeted towards South East Asian victims, the campaign dates back to July 2020, deploying a kernel-mode rootkit on breached Windows devices. Attacks carried out by the group (Hackers) is termed GhostEmperor by Kaspersky cybersecurity, the group is said to have deployed a "sophisticated multi-stage malware framework" which enables persistence help and remote control over the victim host.

Kaspersky has termed the rootkit as Demodex, findings indicate infections has been spread out throughout various high-profile organizations in Malaysia, Vietnam, Indonesia, and Thailand, besides this Egypt, Afghanistan and Ethiopia outliers are also in the list. Threat actors use Demodex toolkit to cover up malware artefacts (user mode) from experts and cybersecurity agencies, meanwhile showing a surprisingly good undocumented loading program which involves kernel mode component of an open source project called Cheat Engine to evade Windows Driver Signature Enforcement feature.

Experts have observed that GhostEmperor infections leverage multiple access paths that end in the deployment of malware in memory, exploiting known vulnerabilities in open source servers like Apache, Oracle, Microsoft Exchange and Windows IIS, which includes ProxyLogon exploits that surfaced in March 2021. The purpose was to have an upper hand and then move out to other parts of target's network, including machines that run on earlier versions of Windows 10 OS. 

Aftern a successful breach, the selected infection chains which deployed toolkits were carried out remotely via different system in the same network using genuine software like PsExec or WMI, resulting in the execution of implant (in-memory) that could install additional payloads during run time. The Hacker News reports "disclosure comes as a China-linked threat actor codenamed TAG-28 has been discovered as being behind intrusions against Indian media and government agencies such as The Times Group, the Unique Identification Authority of India (UIDAI), and the police department of the state of Madhya Pradesh."

World’s Biggest Meat Supplier JBS Suffered a Cyber Attack

 

An advanced cyber attack was carried out at the largest meat processing enterprise in the world. 

JBS, the largest beef supplier in the world, stated that its systems returned online late on Tuesday, following a severe cyberattack that took down certain activities of the USA and Australia. 

The attack damaged servers in North America and Australia that were supporting their IT systems, the corporation said in a press release. 

"The company is not aware of any evidence at this time that any customer, supplier, or employee data has been compromised or misused as a result of the situation," JBS said. "Resolution of the incident will take time, which may delay certain transactions with customers and suppliers." 

JBS USA, the food giant, is part of JBS Foods. According to its website, it operates in 15 countries and has clients in around 100 nations. Pilgrim's, Great Southern, and Aberdeen Black are among its brands. JBS said that it is working with an incident response company to restore its systems as quickly as possible. 

During a press conference on Tuesday, the White House acknowledged the attack. Principal Deputy Secretary of Press, Karine Jean-Pierre, briefed reporters that JBS has been a victim of a ransomware attack "from a criminal organization likely based in Russia." The FBI investigates the attack, the White House confirms. 

President Biden has also instructed his government, to assess the impact on the supplies of beef in the country that may be mitigated, alongside the United States Dollars. 

According to Union officials, JBS stopped slaughtering cattle in every U.S. plant on Tuesday. The incident on Monday brought Australian activities to a halt. JBS controls approximately 20% of the US livestock slaughter capability with North American operations based in Greeley, Colorado. 

Australia's Agriculture, Drought, and Emergency Management Minister David Littleproud tweeted regarding the JBS cyber-attack on Tuesday, stating that the company works tightly with law enforcement authorities and in Australia and abroad, to get operational activities back and forth and "to bring those responsible to account." 

The attack happened a few weeks after a cyberattack that prompted a six-day shutdown from one of the largest gas pipelines in the United States: Colonial Pipeline. Since then, the pipeline has returned to normal working. 

"If the Colonial Pipeline cyberattack didn't impact enough consumers to spur response by the international community, the JBS meat supplier incident likely will," Meg King, the director of the science and technology innovation program at The Wilson Center, told CNN Business. "Now is the time for a global agreement to break the business model of ransomware," she added. 

However, "The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals," Jean-Pierre said. 

In the past, the US government has suggested that firms do not compensate offenders for ransomware attacks if they encourage such hacking in the future.

FBI – CISA Published a Joint Advisory as Colonial Pipeline Suffers a Catastrophic Ransomware Attack

 

Following a catastrophic ransomware assault on a Colonial Pipeline, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory. The notice, issued on Tuesday 11th May, contains information on DarkSide, malware operators running a Ransomware-as-a-Service (RaaS) network. 

DarkSide is in charge of the latest Colonial Pipeline cyber assault. Past Friday - 7th May, the fuel giant has said that a Cyberattack had obliged the company, which was found to be an intrusion of DarkSide affiliates, to stop pipeline activities and to pull the IT systems offline. 

Cybercriminal gangs use DarkSide for data encryption and to gain entry to a victim's server. These groups attempt to disclose the information if the victim is not paying the ransom. DarkSide leverage groups have recently targeted organizations, including production, legal, insurance, healthcare, and energy, through various sectors of CI. 

Colonial pipeline is yet to be recovered, and the FBI is engaged with them as a key infrastructure supplier – one of which provides 45% of the fuel of the East Coast and typically provides up to 100 million gallons of fuel per day. 

"Cybercriminal groups use DarkSide to gain access to a victim's network to encrypt and exfiltrate data," the alert says. "These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy." 

The ransomware from DarkSide is available to RaaS clients. This cybercriminal template has become prominent because only a core team needs to create malware that can be transmitted to other people. 

RaaS can also be offered on a subscription basis as a ransomware partner, and/or the developers may earn cuts in income when a ransom is paid. In exchange, developers continue to enhance their 'product' malware. 

Furthermore the FBI - CISA advisory also provides tips and best practices to avoid or mitigate ransomware threats. 

The most important defense act against ransomware is prevention. It is crucial to follow good practices to defend against attacks by ransomware, that can be damaging to a person or an organization. 

"CISA and FBI urge CI [critical infrastructure] asset owners and operators to adopt a heightened state of awareness and implement recommendations [...] including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections," the agencies say. "These mitigations will help CI owners and operators improve their entity's functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware."

Twilio Impacted by The Recent Codecov Supply-Chain Attack

 





Cloud Communications Company ‘Twilio’ has posted a blog on Tuesday and unfolded that its small number of users' emails have been penetrated by the Codecov supply chain attack by unidentified threat actors. 

As per some of last month's reports, the most simplified code coverage tool Codecov was a victim of a supply-chain attack that lasted for two months. Twilio said that the security of its users and products is the first priority but as of now, they are seeing this cyberattack as a piece of disturbing news for the organization and as well as for their customers. Additionally, they wanted to inform us briefly about the Codecov vulnerability that they have experienced and about the impact that it leftover on them, and lastly how they had managed it. 

"On April 22, 2021, we received a notification from GitHub.com that suspicious activity had been detected related to the Codecov event and a Twilio user token that had been exposed…”

"…GitHub.com had identified a set of GitHub repositories that had been cloned by the attacker in the time before we were notified by Codecov," as per the company.

In a recent post, Twilio disclosed that the firm uses Codecov code coverage tools, including the compromised Bash Uploader script, in a number of its projects. As soon as the company got to know about the incident and found out that some of its customers have been targeted, they reviewed their security measures while warning the impacted customers and rotating all "potentially exposed credentials and secrets." 

Additionally, the company concluded its blog post by saying that there are no signals of any other customer data been accessed or at risk. 

"This process ensures our technology supply chain always meets our standards for security. When we become aware of an incident or vulnerability within that supply chain, we move quickly to remediate the issue or remove the software from our environment," the post reads. 

Twilio has become the second known organization that has witnessed a security attack related to the supply chain attack involving Codecov. Cloud Cyber Security person HashiCorp had disclosed a breach publically on April 22. Interestingly, like Twilio, a key action that the company took was rotating attacked information.

Microsoft Finds Critical Code Execution Bugs In IoT, OT Devices

 

Recently, world-leading giant Microsoft security unit has reported that around 24 critical remote code execution (RCE) vulnerabilities have been found in Operational Technology (OT) industrial systems and Internet of Things (IoT) appliances. The research unit said that this security flaw in the system is collectively known as BadAlloc and because of the memory allocation Integer Overflow or Wraparound bugs, the attack occurred. 

The unit reported that the cybercriminal could utilize this access into the system to crash and execute malicious code remotely into the system. The vulnerabilities have been discovered by Microsoft's researchers into standard memory allocation systems that come into use in multiple real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations. 

"Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations…”, the research team noted. 

"…Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device, the Microsoft security research team has reported”, they further added.

There is a long list of appliance that get affected by the BadAlloc vulnerabilities: 

• Amazon FreeRTOS, Version 10.4.1 
• ARM Mbed OS, Version 6.3.0 
• eCosCentric eCosPro RTOS, Versions 2.0.1 through 4.5.3 
• ARM mbed-uallaoc, Version 1.3.0 
• Cesanta Software Mongoose OS, v2.17.0 
• ARM CMSIS-RTOS2, versions prior to 2.1.3 
• Apache Nuttx OS, Version 9.1.0 
• Media Tek LinkIt SDK, versions prior to 4.6.1 
• Google Cloud IoT Device SDK, Version 1.0.2 
• Micrium OS, Versions 5.10.1 and prior 
• Micrium uCOS II/uCOS III Versions 1.39.0 and prior 
• Linux Zephyr RTOS, versions prior to 2.4.0 
• NXP MCUXpresso SDK, versions prior to 2.8.2 
• NXP MQX, Versions 5.1 and prior 
• RIOT OS, Version 2020.01.1 
• Samsung Tizen RT RTOS, versions prior 3.0.GBB 
• Redhat newlib, versions prior to 4.0.0 
• Texas Instruments SimpleLink MSP432E4XX 
• Texas Instruments CC32XX, versions prior to 4.40.00.07 
• Texas Instruments SimpleLink-CC13XX, versions prior to 4.40.00 
• Texas Instruments SimpleLink-CC32XX, versions prior to 4.10.03 
• Texas Instruments SimpleLink-CC26XX, versions prior to 4.40.00 
• Windriver VxWorks, prior to 7.0 
• Uclibc-NG, versions prior to 1.0.36 
• TencentOS-tiny, Version 3.1.0 

Reportedly, as soon as the security flaw was found out into the system the research unit reported it to the CISA and the vendors.