Search This Blog

Showing posts with label cyber attack. Show all posts

Empire Company Suffered Information Technology Systems Issue


The Empire Company announced on Monday that some of its brand stores across Canada including Sobeys, Lawtons, Safeway, Farm Boy, IGA, Foodland, and FreshCo are facing disruptions in service due to an information technology systems issue. The technical issues the company is currently facing prevented its pharmacies from filling prescriptions and some services have been delayed and functioned only intermittently. 

A press has been released from the company in which it assured its customers that they are working to patch the glitches, however, the company further added that they are not sure when all services will be restored. "At Sobeys, exceeding the needs of our customers is always our top priority. Our sole focus right now is on getting this problem rectified and we will provide further updates as relevant information becomes available," said chief operating officer Pierre St-Laurent in the news release. 

Additionally, pharmacy staff reported to the press that they could not access their systems. However, the staff supplied its customers with a few days' medications if customers came with their empty bottles. 

Meanwhile, Maple Leaf Foods announced on Sunday that the disruption has been caused by a "cybersecurity incident". 

The organization reported that the issues came to be known over the weekend and immediately the company with its researchers, recovery experts, information systems professionals, and third-party specialists started working to investigate the outage. 

Following the incident, Sylvain Charlebois, the director of the Agri-Food Analytics Lab at Dalhousie University, disclosed that he received a number of messages from people on Friday night about problems at Empire, including copies of internal company letters. 

"The entire food system works on the basis that computers will communicate with each other. So as soon as you have a cyberattack disrupting the efficiency of supply chains, costs could go up. Even worse, access to food could also become a problem. You could see many stores without supplies for days and you don't want that to happen," he further added.

Lockbit Ransomware Attacks German MNC, Threatens to Leak All Data

LockBit attacks Continental with a ransomware attack

The LockBit ransomware gang has taken responsibility for a cyberattack against the German MNC automotive group continental. 

LockBit also stole some data from Continental's systems, and they are blackmailing to leak it on their data leak site if the company doesn't agree with their demands within the next 22 hours. 

The gang hadn't disclosed any info on what info was extracted from Continental's network or when the compromise happened. 

Ransomware gangs usually post data on their leak websites as a strategy to frighten their targets into settling a deal or into getting back to the negotiation table. 

LockBit threatens to leak data

Since LockBit says that it will leak "all available" data, this hints that Continental is yet to negotiate with the ransomware campaign or it has already refused to agree with demands. 

Kathryn Blackwell, Continental's Vice President of Communications and Marketing, didn't acknowledge LockBit's claims and didn't disclose any information regarding the compromise, she said recently the statement the company has given in the press release regarding the issue. 

As per the press release, the company found a security compromise early in August when the hackers invaded parts of its IT systems. 

Continental's response

As soon as the attack surfaced, Continental took all vital security measures to restore the full integrity of its IT systems. 

With the assistance of external cybersecurity analysts, the organization has launched an inquiry into the incident. The investigation is currently under process. 

The automotive MNC is still to share its findings. Blackwell also refused to link the August cyberattack to LockBit's claims, according to her, she couldn't share any more information at the moment. 

Continental reported sales of €33.8 billion in 2021, and it has employed more than 190,000 people across 58 nations and markets. 

The press release said:

"Continental informed the relevant authorities of the incident and is in close contact with them, including the security authorities. The company is aware of its data protection obligations and – in consultation with the responsible data protection authorities – is taking the necessary steps to ensure they are completely fulfilled.

The security of its employees’, customers’, and partners’ information as well as of its own data is paramount to Continental. That is why Continental has taken and continues to take extensive measures to constantly strengthen cybersecurity at the company."

Another Singlet Subsidiary Faces Cyber Attack, Weeks after Optus Data Breach


Weeks after the data breach at the Australian telcom giant, Optus, Singapore Telecommunication Ltd, Singlet recently confirmed that its unit, Dialog has faced a cyber-attack. The attack has reportedly affected 1,000 of the company’s current and former employees and about 20 clients. 
A similar case of a data breach at Optus, the Australian subsidiary of Singlet took place late this September. The data breach reportedly compromised the personal data of up to 10 million customers, including present and former employees. 
Days after the breach, the threat actors withdrew a ransom demand of $1 million from the telecom company, describing there were “too many eyes” on the hacked data. The hackers nonetheless went ahead and leaked customer records of more than 10,000 customers, in order to prove that they actually have access to the data. 
“On Saturday 10 September 2022, we detected unauthorized access on our servers, which were then shut down as a preventive measure. Within two business days, our servers were restored and fully operational. We contracted a leading cyber security specialist to work within our IT Team to undertake a deep forensic investigation and continuous monitoring of the Dark Web. Our ongoing investigation showed no evidence of unauthorized downloading of the data[…]On Friday 7 October 2022 we became aware that a very small sample of Dialog’s data, including some employees’ personal information, was published on the Dark Web.” states Dialog regarding the data breach. 
Dialog mentioned how its systems were completely independent of Optus and IT unit NCS while assuring that there was in fact no evidence of any link between the data breaches at Dialog and Optus.  
"With this being the third large breach impacting the company in the last few years, it sounds like it is time to review the company's cybersecurity program because something is clearly not working," states O'Toole. 
"Everyone knows employees are the number one target for criminals looking to steal and compromise an organization's data, so addressing this risk must be the priority," she added. 
As per the CEO, one of the prominent solutions to tackle the risk is by deploying encrypted network access and segmentation tools, which encrypt employee credentials and other information so they cannot be hacked or stolen. "This closes doors on attackers, and it will significantly improve Singtel's security defenses against data breaches in the future," she added.

ADATA: RansomHouse Cyberattack Result of a Leak of 2021 Data

Taiwanese chip manufacturer ADATA denies all allegations of a RansomHouse cyberattack. This is following the announcement that threat actors began posting stolen data on a leak website belonging to the data leak group. 

Earlier this week, the RansomHouse gang added ADATA files to their data leak site. In this leak, they claimed they had taken 1TB worth of documents during a cyberattack in the year 2022. To demonstrate how much information the gang had staked, the threat actors posted samples of supposed stolen files that appear to be from ADATA. 

"Based on several technical methods of checking, we believe what Ransomhouse alleged was fake data and that it was stolen by Ragnar Locker in 2021, which is all confirmed by ADATA's spokesperson," said BleepingComputer in an email. 

ADATA implemented effective methods to provide strong security following the Ragnar Locker attack in 2021. Since then, no attack on ADATA has been successful, and no confidential information about ADATA was leaked. 

It can be stated that based on the comparison of the timestamps for the data shared by RansomHouse and the data that Ragnar Locker leaked in June 2021, both sets of stolen data had similar timestamps, which meant that both files were no older than May 2021 when compared to the timestamps for the data shared by RansomHouse. 

The company added that RansomHouse left no ransom notes on their servers that would demonstrate that an attack had been conducted against their servers. Ransom House maintains that they have taken advantage of ADATA recently through a data theft attack and that they have negotiated with the company regarding the stolen data. 

RansomHouse - who are they? 

After the release of SLGA's files in 2021, RansomHouse's extortion operation ended when it leaked the passwords of its first victim, the Saskatchewan Liquor and Gaming Authority (SLGA). Although the threat actors claim that they don't use any ransomware in their attacks, the White Rabbit ransom notes link the encryption attacks to Ransom House. 

This is a key part of the Ransom House attack. In the latest attack, RansomHouse appears to have claimed responsibility for attacks on eight Italian municipalities. A ransomware attack occurred as a result of this incident and the encryption of files with a .mario extension was appended and a ransom note leaving a greeting of, "Buongiorno to my lovely Italy" appeared on affected computers. 

The RansomHouse operation has also targeted other high-profile companies, such as AMD and Shoprite Holdings, one of Africa's largest supermarket chains, as well as large governments.

Ferrari Refutes Ransomware Attack Following RansomEXX’s Online Claims


Italian vehicle designer Ferrari S.p.A might have become the latest victim of a ransomware attack. As per a Reuters report, internal documents belonging to the brand were published on a dark web leak site owned by ransomware group RansomEXX. 

However, the car manufacturer thwarted such claims, stating that there was no evidence of a ransomware attack or of a breach of the company's system. The company said that it is investigating the leak of the internal documents and that appropriate actions would be taken as needed, adding that there has been no disruption to its business and operations. 

Earlier this week Monday, Corriere Della Sera newspaper, citing the Italian website the Red Hot Cyber, reported that the luxury car designer had been a victim of a ransomware attack. 

 According to Red Hot Cyber, a notorious hacking group called RansomEXX claimed on its Tor leak site that it has breached Ferrari stealing 6.99 GB of data, which not only included internal documents but also datasheets and repair manuals, etc. The source of the documents remains unclear.  

In December 2021, ransomware gang Everest indirectly targeted Ferrari, when Italian manufacturing firm Speroni was hit by the ransomware group. That time around, the hackers siphoned 900 GB of data containing sensitive details regarding the firm’s partners such as Ferrari, Lamborghini, Fiat Group, and other Italian car manufacturers. 

According to Cybernews, the malicious hackers also got involved with Ferrari’s entry into the NFT market, taking control of the company’s subdomain and exploiting it to host an NFT scam almost immediately after Ferrari disclosed it would mint tokens based on their cars, earlier this year. 

RansomEXX has been operating since 2018, after updating its name in June 2020. The gang's modus operandi has become more potent and is targeting high-profile firms. 

Some of the high-profile organizations targeted by the RansomExx group in the past include the Texas Department of Transportation (TxDOT), Konica Minolta, Brazilian government networks, IPG Photonics, and Tyler Technologies. RansomExx has designed its own Linux version to make certain that they target all critical servers and data in a firm.

Rise in Cyber-Attacks Targeting U.S. Defense Security


In the context of a cyberattack campaign, which may be related to the act of cyber espionage itself, it is clear that cyber threats are becoming increasingly sophisticated with each passing. Threat actors are engineering the attacks to target defence contractors in the US and throughout the world. 

There have been several covert campaigns against weapons contractors in Europe over the last few months, which have been detected by researchers at Securonix. The campaign has adversely affected a supplier to the US program to build the F-35 Lightning II fighter plane, which has been identified as STEEP#MAVERICK by Securonix. 

According to the security vendor, the campaign is noteworthy for the overall attention the attacker has paid to operations security (OpSec) and in ensuring their malware is difficult to detect, remove, and analyse.  

The report from Securonix stated, the malware stager used in these attacks used an array of tactics, persistence methodology, counter-forensics, and layers upon layers of obfuscation to hide its code. 

As of late summer, it appears that the STEEP#MAVERICK campaign had started to attack two high-profile defence contractors in Europe as part of its attacks on their facilities. There is a similar trend in spear-phishing attacks that begin with an email that contains a compressed (.zip) file and a shortcut link (.lnk) to a PDF document that purports to describe company benefits, like many spear-phishing campaigns.  

According to SecurityTel, the sample email was sent this month via North Koreas APT37 threat group. 

APT37 (also known as Konni) is a North Korean threat group that was found sending emails earlier this month similar to a scam email they encountered earlier this month during another campaign that involved the North Korean threat group.  

The rising number of cyberattacks is indeed a matter of concern, especially for a department like defence which has access to secrets that require to be guarded with extra caution.  

The security research performed by Black Kite on the top 100 defence contractors, showed that 32% of them are having security flaws that can cause ransomware attacks. The major reasons for these defence contractors to be vulnerable to ransomware attacks include leaked credentials, lack of secure personal data management, etc, as per the research.

Evil Colon Attacks: A Quick Guide


The high-tech era has made the emergence of new cyber attacks more common than social media trends. One such case of a rapidly evolving threat is the Evil-Colon attack, which shares similarities with Poison-NULL-byte attacks. Despite the fact that poison-NULL-Byte attacks are now non-functioning, it has been suggested that they could have led to new versions of hacking and malware on your systems in case of inappropriate handling. 

In one of his articles, Leon Juranic, a security researcher at Mend, detailed his encounter with the Evil-colon attack. He mentioned that during auditing a source code he discovered a case where an Evil-Colon could be used to evade the path sanitization process. By using novel strategies, the threat actors were able to exploit the vulnerabilities in applications running on Windows operating systems. The analysis concluded that as Evil-Colon is a specific issue in windows-based services, it is more likely to affect any Windows servers. 

When applications or servers use path-based operations, such as using user input when forming the file path, the information stored in that file can be modified by external code flows, which can cause severe security issues like arbitrary data injection, etc. Leon illustrated the working of Evil-Colon with the example of the Java application WriterFile.jsp source code. 

He stated that the working of Evil-Colon includes creating a file in the directory whereas, with sanitization, the new files will append .txt. After passing a colon character at the end of the user’s input, the file gets created as an Altered Data Stream with an arbitrary file extension. 

Later the file is again created in the directory, but as a colon character was added at the end of the filename and it stripped off the rest of the filename string into Alternate Data Stream, the file is recreated with the .jsp extension. 

He furthermore described how the possibility of altering the files that are created earlier in the applicating workflow can lead to serious security threats. When malicious actors can edit the existing files later in code, it will also allow them to modify the .jsp file content into anything they want. On further searching of the modified file in-depth, you will find a string named EVIL-CONTENT. 

Leon concluded his example by warning that, in real-world scenarios, JSP webshell scripts can allow threat actors to remotely execute codes on vulnerable servers or applications. 

To protect your files and data from the Evil-Colon attacks, it is important to remove colon characters from any possible path operations. The elimination of colon characters can be done by using filters, string check operations, etc.

HomeLand Justice: Government of Albania attacked by Iranian Cyber Threat Actors


The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint Cybersecurity advisory on the recent cyber operations held by the Iranian state cyber actors against the Government of Albania in July and September. 

The advisory provides a detailed timeline pertaining to activities that were detected, from the initial software access to the execution of encryption and wiper attacks. The information also included the files that the actors used for the attacks. 
The hackers, referred to as HomeLand Justice, who are state-sponsored Iranian advanced persistent threat (ATP) actors, attempted to paralyse public services, delete and steal governmental data, and disrupted the government’s websites and services, wreaking havoc and panic on the state.  
As per the agencies, the threat actors had the access to the Albanian government servers for 14 months before executing the cyber attacks that included the execution of encryption and wiper attacks. 
A series of cyberattacks was then launched by the threat actors, on July 17th, 2022, after conducting lateral movements, network reconnaissance, and credential harvesting from the Albanian government network, leaving an anti-Mujahideen E- Khalq (MEK) messages on the desktops.  
After the network defenders detected and begin responding to the ransomware activities, HomeLand Justice employed a new family ransomware ROADSWEEP, along with a variant of wiper malware, ZEROCLEAR. 
While claiming to have carried out these cyber attacks, on July 23rd, HomeLand Justice took to social media, demonstrating a repeated pattern of advertising the Albanian Government about the leaks, and posting polls asking the viewers to select the information they want to be leaked. It was followed by the release of information in a .zip file or video of a screen recording with the documents. 
The cyber actors launched another thread of cyberattacks in September against the Albanian government, using similar TTPs and malware as the attacks made in July. The attacks were possibly done in retaliation for public attribution of the previous attack and severed diplomatic ties between the Albanian and Iranian governments. 
Although Albania lacks an efficient cyber defense, it is a member of NATO which can be confirmed by Appathurai's statement, “You can be sure of NATO’s continued political and practical support.” Thus, apparently, NATO will be supporting Albania with the incident to deal with immediate challenges and long-term requirements.

A New Decryptor by Bitdefender for Victims of LockerGoga Ransomware


As part of Bitdefender's official announcement, the company notified that it had released a free decryptor for ransomware called LockerGoga to recover the encrypted files without paying any ransom.
The Romania-based cybersecurity firm, Bitdefender released a universal LockGoga decryptor. The company stated in its published announcement, that the new decryptor is a combination of international law agencies, including Bitdefender, Europol, the NoMoreRansom project, the Zurich Public Prosecutor’s office, and the Zurich Cantonal Police. 
The new decryptor by Bitdefender is a helping tool for decrypting the files of the victims, free of cost. It uses the path containing pairs of clean-encrypted files and scans the entire system of files or file folders. This decryptor provides a feature called as “backup file”, which comes in handy in case of any problem during the decryption of the files.
LockerGoga is a program classified as ransomware, it came into notice in the 2019 cyber-attack against the U.S. and Norway-based companies, where the threat actors targeted high-profile organisations and individuals, including the world's greatest aluminum producer Norsk Hydro, and engineering firm Altran Technologies of France. They used it to encrypt the stored data on computers and blackmailed the users for ransom in exchange for decryption tools.
The National Cyber Security Centre (NCSC) reported that this computer infection was used in attacking over 1800 organizations all around the world. Cyberattacks involving various ransomware, one of them being LockerGoga, led to monetary damages of approximately 104 million US Dollars in 71 countries.
Around 12 of the attackers involved in the cyber-attack were arrested in October 2021 under an international law enforcement operation for spreading ransomware. In the wake of the arrest of its operator, LockerGoga was dismantled – which also led to the termination of all master private keys used in the encryption. As a result, those victims who did not pay the ransom to the threat actors were left with encrypted files waiting to recover them.

Watch Out For This Raccoon Stealer 2.0 With New Capabilities

Raccoon Stealer also named Legion, Mohazo, and Racealer, a high-risk trojan-type application that attacks the system and steals personal credentials is back with a second upgraded version circulating on cybercrime forums, offering hackers elevated password-stealing functionality and advanced operational capacity. 

The trojan whose services are being offered by various hacker groups on hacker forums, when installed on one's system can lead to various cyber issues. 

The Raccoon Stealer operation was taken down in march 2022 when its operators reported that one of the lead developers of the forum was killed during Russia’s invasion of Ukraine. Also, the team promised its come back with a second upgraded version with more capabilities. 

“We expect a resurgence of Raccoon Stealer v2, as developers implemented a version tailored to the needs of cybercriminals (efficiency, performance, stealing capabilities, etc.) and scaled their backbone servers to handle large loads,” Sekoia told in the report. 

According to the malware developers, the upgraded Raccoon version was built from scratch using C/C++, featuring a new back-end, front-end, and code to steal credentials and other data. 

Raccoon Stealer 2.0 uses a fake Malwarebytes website to steal personal information including Basic system fingerprinting info, browser passwords, cookies, autofill data, saved credit cards, browser passwords, cookies, and autofill data, and saved credit cards. 

Other information that Raccoon Stealer steals is given below:

• Cryptocurrency wallets and web browser extensions including MetaMask, TronLink, BinanceChain, and Ronin
• Exodus, Atomic, JaxxLiberty, Binance, Coinomi, Electrum, Electrum-LTC, and ElectronCash
• Individual files located on all disks
• Screenshot capturing
• Installed applications list

The data can be misused in various ways, such as transferring users' funds in crypto-wallets and other accounts (e.g., PayPal, bank accounts, etc.). Victims could, therefore, lose their savings. Moreover, hijacked accounts (e.g., Facebook, emails, etc.) can be misused to borrow money. 

The subscription cost of the Stealer which has already attacked over 100,000 devices, is $200 per month. It has become one of the most named viruses on the underground forums in 2019. 

Disneyland's Official Handles Hacked to Take Revenge


Disneyland Resort’s Instagram and Facebook pages have been compromised on Thursday by a self-proclaimed “super hacker” who posted a number of posts that included foul language and racist slurs. A Disneyland spokesperson said that the accounts “were compromised early this morning.” The posts have since been removed. 

“We worked quickly to remove the reprehensible content, secure our accounts, and our security teams are conducting an investigation,” the spokesperson said in a statement. 

Following the incident, The Los Angeles Times reported that the hacker named “David Do,” claimed that he was taking his “revenge” on Disneyland workers who had allegedly insulted him. 

“I am a super hacker that is here to bring revenge upon Disneyland [...] Who’s the tough guy now Jerome?” one of the posts read. The hacker also uploaded posts in which he was claiming to have “invented” COVID-19 and suggested he was working on a new variant of the “COVID20” virus. 

The culprit posted overall four posts on Disneyland’s Instagram account before 5 am PT, according to a post on the Disneyland blog

Disneyland's Facebook and Instagram handles were temporarily taken down shortly after the officials found out the posts on live and were brought back online after the cybersecurity team removed the posts. However, the park’s other social media handles and pages were not compromised. 

“It’s not known how this person managed to gain access to the Disneyland Instagram account. Was it a stranger hack or a previous employee with access to the logins? We worked quickly to remove the reprehensible content, secure our accounts and our security teams are conducting an investigation,” Disneyland said in an update to the post today.

No Backup: Why the Government in Brazil is at High Risk of Cyberattacks


According to a new report by the Brazilian Federal Audit Court (TCU), several federal government agencies in Brazil are at a high risk of cyberattacks. Federal government agencies need to reassess their approach to handling cybersecurity threats, the report reads. 

Report points out the number of areas at high risk but one of the biggest problems in the cybercrime section that the report has uncovered is the lack of backups while dealing with cyberattacks. 

A group of 29 areas that represent a high risk in terms of vulnerability, mismanagement, abuse of power, or need for drastic changes was discovered. 

Backups are very important and help against various forms of attack, as well as mistakes and mishaps. The most obvious one of those would be ransomware attacks. 
When systems are hacked and are locked up, a data backup could be the respite you’re looking for to restore the data stored on your devices. 

Additionally, the report cited the data

 • 74.6% of organizations (306 out of 410) do not have a formally approved backup policy—a basic document, negotiated between the business areas (“owners” of the data/systems) and the organization’s IT, with a view to disciplining issues and procedures related to the execution of backups. 

• 71.2% of organizations that host their systems on their own servers/machines (265 out of 372) do not have a specific backup plan for their main system. 

• 60.2% of organizations (247 out of 410) do not keep their copies in at least one non-remotely accessible destination, which carries a risk that, in a cyberattack, the backup files themselves end up being corrupted, deleted, and/or encrypted by the attacker or malware, rendering the organization’s backup/restore process equally ineffective. 

 • 66.6% of organizations that claim to perform backups (254 out of 385), despite implementing physical access control mechanisms to the storage location of these files, do not store them encrypted, which carries a risk of data leakage from the organization, which can cause enormous losses, especially if it involves sensitive and/or confidential information. 

Further, the researchers said that the federal government cannot respond to and treat cybersecurity attacks adequately. Also, there are several vulnerabilities in both information security and cybersecurity across most central bodies.

Hackers Using 'Brute Ratel C4' Red-Teaming Tool to Evade Detection


Palo Alto Networks’ Unit 42 security researchers have uncovered that Russian state-sponsored hackers are compromising the latest Brute Ratel C4 or BRc4 red-teaming and adversarial simulation/penetration software in their latest and active attacks in an attempt to stay under the radar and evade detection.

Following the attack, Palo Alto Networks Unit  42 reported that a malware sample was uploaded to the VirusTotal database on May 19, 2022, in which they found a payload associated with Brute Ratel C4, a relatively new advanced toolkit that is designed to avoid detection and response (EDR) and antivirus (AV) capabilities. 

“The sample contained a malicious payload associated with Brute Ratel C4 (BRc4), the newest red-teaming and adversarial attack simulation tool to hit the market. While this capability has managed to stay out of the spotlight and remains less commonly known than its Cobalt Strike brethren, it is no less sophisticated. Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal,” said the network in their blog. 

Cyber intelligence at the network believes that malicious actors are targeting entities worldwide, however, they are making their primary targets in South and North America. 

The researchers issued a warning in which they urged the cybersecurity fraternity to investigate the attack and look in-depth for any sign of malware, including the BRc4 tool. 

Researchers have found that the malicious payloads indicate the involvement of the Advanced Persistent Threat group 29,  The Dukes, or Cozy Bear as the tactics employed were similar to this group. CozyBear is a Russian state-sponsored malicious group that was previously involved in the devastating Solar Winds attacks in 2020.

This commercial software was released in 2020 and has since gained over 480 licenses across 350 customers. BRc4 is equipped with a wide variety of features, it provides process injection, capturing screenshots, automating adversary TTPs, uploading and downloading files, support for multiple command-and-control channels, and it also has the ability to keep memory artifacts concealed from anti-malware engines.

Crypto Scam to be Investigated by British Army


On Sunday, the UK Ministry of Defence confirmed that the British Army’s YouTube and Twitter accounts were hacked. The hackers were using both handles for their cryptocurrency promotion scams. However, at present Ministry department has not confirmed the exact dates of the takeover, and both accounts appear to be back to normal now. 

“We are aware of a breach of the Army’s Twitter and YouTube accounts and an investigation is underway. The Army takes information security extremely seriously and is resolving the issue. Until the investigation is complete it would be inappropriate to comment further,” The Ministry of Defence Press Office said on Twitter. 

Malicious actors took control of the British Army’s Twitter page, swapping out the organization’s profile picture, bio, and cover photo to make it appear genuine like it was associated with The Possessed NFT collection, and promote crypto giveaway schemes. Meanwhile, its YouTube handle aired livestreams with clips of Elon Musk, Jack Dorsey, and Ark CEO Katie Wood discussing cryptocurrency-directed users to crypto scam websites. 

The clips feature the promotion of “double your money” Bitcoin and Ethereum scams. According to Web3 is Going Great, a similar scheme took place in May. However, it is unclear which group is behind this campaign. 

The malicious actors changed the army’s verified Twitter account name to The Possessed, a project involving a collection of 10,000 animated NFTs with a price floor of 0.58 Ethereum (approximately $1,063). 

According to the Department of Ministry, it is possible that the hack is part of a broader campaign to leverage the recent popularity of The Possessed. On Saturday, the project’s official Twitter handle notified its followers of another verified account that was also hacked to promote an NFT scam using The Possessed brand. 

“The breach of the Army’s Twitter and YouTube accounts that occurred earlier today has been resolved and an investigation is underway. The Army takes information security extremely seriously and until their investigation is complete it would be inappropriate to comment further,” the UK Ministry of Defence Press Office tweeted later.

Free Smartphone Stalkerware Detection Tool Gets Dedicated Hub

Kaspersky, Russian multinational cybersecurity and anti-virus provider has come up with a new information hub for their open-source stalkerware detection tool named TinyCheck which was created in 2019 to help people detect if their devices are being monitored. 

‘Stalkerware’ is software programs, apps, and devices – that enables people to secretly monitor others' private life via their devices. The term came into existence when people started using commercial spyware to monitor their spouses or intimate partners. 

Stalkerware has been criticized because of its use by attackers, abusers, stalkers, and employers. With the use of Stalkware abusers can remotely get access to victims’ devices including web searches, locations, photos, text messages, voice calls, and much more. Such programs are easy to buy and install, hence it leads to more cyber risks for the public. 

These tools exploit vulnerabilities in the security of modern mobile operating systems. These programs run hidden in the background, without the consent of the victim. Kaspersky's TinyCheck is a program that can identify activity associated with stalkerware in a non-invasive way by running on an external device (Raspberry Pi) and monitoring its outgoing traffic via WiFi. 

How TinyCheck Work? 

TinyCheck scans a device’s outgoing traffic, using a regular Wi-Fi connection, and identifies interactions with known sources, such as stalkerware-related servers, it can be used to check any device and on any platform, including iOS, Android, or any other OS.

Also, users don’t have to install it on their devices because it works separately (on a Raspberry Pi) to avoid being detected by a stalker. Additionally, TinyCheck is available for everyone, it does not charge a fee. 

It is a safe and open-source tool that can be used by NGOs and police units to help support victims of cyberstalking. At present many NGOs use this program, however, it should be noted that this program is not recommended for independent individual use. The organization recommended users get in touch with a local support institution before starting the scan to get advice and support if stalkerware is running on their devices. 

Ukrainians DDoS Russian Vodka Supply Chains


According to the Russian news portal Vedomosti, Ukrainian cyber threat actors compromised Russia’s central alcohol distribution portal that is considered crucial for the distribution of alcoholic beverages in Russian regions called Unified State Automated Alcohol Accounting Information System or EGAIS.

EGAIS is a portal that plays important role in alcohol distribution in the nation. As per the law, for all alcohol producers and distributors, it is mandatory to register their shipments with EGAIS. Therefore, this attack caused extensive service blockage across Russia. 

The group hit the portal with DDoS attacks launched on May 2nd and 3rd. Through the DDoS or distributed denial of service attacks, the perpetrators overwhelm servers with superfluous requests in an attempt to overload systems and render some or all legitimate requests from being fulfilled. 

Also, according to the experts, sophisticated strategies have to be required against such types of attacks, as simply attempting to block a single source is insufficient. Three sites belonging to the platform have been hit by DDoS attacks. 

On May 4th, two EGAIS sites showed the error “the server stopped responding,” and the third didn’t work. The attacks took place on May 2nd and the next day system failures became more obvious about the attack. 

Wine trader Fort said that the site stopped working on May 4th, and the Union of Alcohol Producers, Igor Kosarev, and Ladoga representatives claimed the same. 

Fort further added that they had failed to upload about 70% of invoices to EGAIS due to the attack. Its supplies of wine to retail chains and restaurants in the region apparently failed to distribute on May 4 due to the incident. The outage impacted not only vodka distribution but wine companies faced disruption as well alongside purveyors of other types of alcohol. 

“Due to a large-scale failure, factories cannot accept tanks with alcohol, and customers, stores, and distributors cannot receive finished products that have already been delivered to them,” Vedomosti reported.

Ukrainian threat actors group, the Disbalancer took responsibility for the attack and announced their future plans to launch more attacks on the platform.

NIA Starts Probe into Malware Attacks on Social Media of Defense Personnels

NIA (National Investigation Agency) has started an inquiry into the use of fake Facebook profile through which various defense personnel was contacted and their devices hacked using malware for personally identifiable information. NIA suspects that the main account was being handled from Pakistan. Vijaywada Counter Intelligence Cell first found the spying campaign in 2020, after which it registered a case under several provisions of IPC, Official Secrets Act, Information Technology Act, and UAPA (Unlawful Activities Prevention Act). 

According to the allegation, confidential information related to national security was hacked via remotely deploying a hidden malware into electronic devices, which includes mobile phones and computers, belonging to defense personnels and other defense agencies via a FB account with the profile name "Shanti Patel." Actors handling the account added concerned personnel via private Facebook messenger chats on the web. 

The victims' devices were hacked using malware to get unauthorized access to confidential data of computer resources and steal sensitive information with an aim to carry out acts of terrorism and threaten the unity, integrity, and sovereignty of India. As per the report from Counter Intelligence Cell, the threat actors distributed the malware by sending a folder that contained photos of a woman to the defense personnels. The evidence suggests that malware originated somewhere from Islamabad. A similar case happened last year where the police arrested army personnel in Rajasthan, the accused was posted in Sikkim. 

The Hindu reports "on October 31, 2020, following a tip-off from the Military Intelligence, the Rajasthan police nabbed one Ramniwas Gaura, a civilian working with a Military Engineering Services (MES) unit. The accused had been contacted using a Facebook profile by someone using pseudonyms Ekta and Jasmeet Kour. They then remained in touch on Whatsapp. "In the recent years, multiple attacks targeting defense agencies using social media have surfaced." The handlers usually send money to the information providers through the ‘hawala’ channel. Several preventive measures have been taken by the agencies concerned,” an official said," says the Hindu.

Heroku Admits to Customer Database Hack after OAuth Token Theft


On Thursday Heroku disclosed that users’ passwords were stolen during a cyberattack that occurred a month ago, confirming that the attack also involved the code repository GitHub. Heroku revealed that the stolen GitHub integration OAuth tokens from last month further led to the compromise of an internal customer database. 

Following the attack, the organization has notified its customer that the company is going to reset their passwords on May 4 unless they change passwords beforehand. In this process, the company has also warned its users that the existing API access tokens will also be inactive and new ones have to be generated for future work. 

"We appreciate your collaboration and trust as we continue to make your success our top priority. The initial detection related to this campaign occurred on April 12 when GitHub Security identified unauthorized access to our npm production infrastructure using a compromised AWS API key," GitHub said.

"Based on subsequent analysis, we believe this API key was obtained by the attacker when they downloaded a set of private npm repositories using a stolen OAuth token from one of the two affected third-party OAuth applications described above." 

The attack in question relates to the theft of OAuth tokens that GitHub saw in April, which impacted four OAuth applications related to Heroku Dashboard and one from Travis CI. 

By stealing these OAuth tokens, malicious actors could access and download data from GitHub repositories belonging to those who authorized the compromised Heroku or Travis CI OAuth apps with their accounts. However, GitHub’s infrastructure, private repositories, and systems themselves were not impacted by the attack. 

While reporting that they had informed Heroku and Travis-CI of the incident on April 13 and 14, GitHub said, it "contacted Heroku and Travis-CI to request that they initiate their own security investigations, revoke all OAuth user tokens associated with the affected applications, and begin work to notify their own users."

Kellogg Community College Closes after Ransomware Attack


Kellogg Community College in Michigan has closed its campuses and canceled classes after falling victim to a cyber-attack. It's a Battle Creek-based community college and according to the recent data, it serves approximately 7000 students annually. 

On its official website on Sunday the community posted a statement in which it has shared basic information about the ransomware attack that took place over the weekend. Following the attack, the cancellation of all Monday classes and the closure of its five campuses in Battle Creek, Coldwater, Albion, and Hastings were announced.

Furthermore, as the website notified that the attack is causing continued technology problems in the systems, the college told, “the technology issues we have been experiencing were caused by a ransomware attack that continues to affect our systems.” 

All five Kellogg campuses will remain closed while the security vulnerabilities are under investigation, however, the college community is hoping to reopen the campuses later this week. The community is also working to launch a “forced password reset for all students, faculty, and staff” to better secure the network.

“We want to reassure our faculty and students that we will take any actions necessary for students to complete course work in a timely manner and appreciate your patience and support in the meantime,” the alert read. 

According to the data, since 2021, various community colleges have been the victims of ransomware attacks, including Butler County Community College in Pennsylvania, Sierra College in California Lewis, and Clark Community College in Illinois. 

“As we have previously informed you, we have been the victim of a ransomware attack on our systems and services. We are still working to understand the full extent of this incident, but since our last update, we have been working diligently with our IRT team and have made progress in our restoration process,” said the Kellogg Community College.

Russia-linked APT29 Targets Diplomatic World Wide


Security intelligence from Mandiant has discovered a spear-phishing campaign, launched by the Russia-linked APT29 group, designed to victimize diplomats and government entities worldwide including European, the Americas, and Asia. 

The group is believed to be sponsored by the Russian Foreign Intelligence Service (SVR) and to have orchestrated the 2020 SolarWinds attack which hit hundreds of organizations. 

According to the data, the Russia-linked APT29 group popularly known as SVR, Cozy Bear, and The Dukes is active since at least 2014, along with the APT28 cyber threat group which was involved in the Democratic National Committee hack, the wave of attacks aimed at the 2016 US Presidential Elections and a November 2018 attempt to infiltrate DNC. 

The phishing emails have been masqueraded as official notices related to various embassies. Nation-state actors used Atlassian Trello, DropBox, and cloud services, as part of their command and control (C2) infrastructure. 

“APT29 targeted large lists of recipients that Mandiant suspected were primarily publicly-listed points of contact of embassy personnel. These phishing emails utilized a malicious HTML dropper tracked as ROOTSAW, which makes use of a technique known as HTML smuggling to deliver an IMG or ISO file to a victim system.” reads the analysis published by Mandiant. 

The threat actors used the HTML smuggling technique to deliver an IMG or ISO file to the targets. The ISO image contains a Windows shortcut file (LNK) that installs a malicious DLL file when it is clicked. When the attachment file opens, the ROOTSAW HTML dropper will write an IMG or ISO file to disk. Following the steps, once the DLL file is executed, the BEATDROP downloader is delivered and installed in memory. 

“BEATDROP is a downloader written in C that makes use of Trello for C2. Once executed, BEATDROP first maps its own copy of ntdll.dll into memory for the purpose of executing shellcode in its own process. BEATDROP first creates a suspended thread with RtlCreateUserThread which points to NtCreateFile...” 

 “…Following this, BEATDROP will enumerate the system for the username, computer name, and IP address. This information is used to create a victim ID, which is used by BEATDROP to store and retrieve victim payloads from its C2. Once the victim ID is created, BEATDROP will make an initial request to Trello to identify whether the current victim has already been compromised”, the report read.