
Twitter Returns After Two-Hour Outage Affecting Tweets

On Wednesday, Twitter experienced a service disruption that resulted in users being unable to access certain parts of the platform, specifically the "Following" and "For you" feed. These feeds displayed an error message rather than the expected content. 

The problem was widespread and affected users globally. The issue persisted for approximately two hours before being resolved by Twitter's engineering team. 

DownDetector, a website that tracks service outages, reported issues with Twitter at 10:00 GMT, but the problem was resolved by 12:00. In the UK alone, over 5,000 users reported problems to DownDetector within half an hour of the Twitter service outage. 

The root cause of the outage is still unknown, and it is unclear if Twitter's recent 200 staff layoffs on Monday played any role in the incident. Further investigation is needed to identify the underlying cause of the outage and prevent similar incidents from occurring in the future. 

Even though some parts of Twitter, like the feeds, were not working, users could still send tweets as usual. However, no one could see or interact with those tweets. This pushed hashtags including "#TwitterDown" and "Welcome To Twitter" to the top of the trending list.

Twitter has had several temporary problems in the past few months. During a short outage in early February, some users were mistakenly told they had reached the daily limit for sending tweets.

"It started shortly before the Musk takeover itself. The main spike has happened after the takeover, with four to five incidents in a month - which was comparable to what used to happen in a year," said Alp Toker, director of internet outage tracker NetBlocks, adding that Twitter had started experiencing more issues under Mr. Musk's tenure as CEO.

Why do social media platforms suffer service disruptions and sudden outages? There are several common causes:

Social media networks can suffer shutdowns for a variety of reasons, including technical issues, cyber-attacks, policy violations, and government censorship. Technical issues such as server errors or bugs can cause social media networks to crash and become unavailable to users. 

In some cases, these issues can be quickly resolved, and the platform can be restored. However, if the issue is more severe, it may take longer to fix, and the platform may be down for an extended period. 

Cyber attacks such as Distributed Denial of Service (DDoS) attacks can also cause social media networks to go down. These attacks overwhelm a network with traffic, causing it to become unavailable to users. Cyber attackers may launch DDoS attacks for various reasons, such as to disrupt a particular organization or to extort money.

Dish Network Blames Ransomware for Ongoing Outage

Dish, a satellite television provider in the United States, has confirmed that a ransomware attack is responsible for an ongoing service outage. The company also warned that the malicious actors exfiltrated data from its systems during the breach.

The outage, which has persisted for several days and was initially attributed to "internal systems issues," affects Dish's primary website, mobile applications, customer support systems, as well as the firm's Sling TV streaming and wireless services. 

The threat actors behind the breach compromised the company’s internal systems. “It is possible the investigation will reveal that the extracted data includes personal information,” Dish says. 

In a public filing released on Tuesday, the company acknowledged that the cause of the outage was a cybersecurity incident. The company has informed law enforcement authorities about the situation. 

However, as of now, the company reported that the effects of the attack continue to disrupt its “internal communications, customer call centers, and internet sites.” 

Additionally, the company has provided some details on how they are managing the situation. They are working to manage and contain the effects of the attack, assess the extent of the damage, and address any issues caused by the attack.

The company is also worried about the attack's potential impact on its employees, customers, business, financials, and operations. Following the matter, the company further reported that the threat actors have stolen some data from their computer systems, which could include personal credentials. 

Presently, it remains uncertain whether this data belongs to Dish's customers, employees, or both, and the extent of the data theft is also unknown. Dish has a large footprint: it serves 10 million customers through its satellite TV, streaming, and other services.

The company reported on its website that "as a result of this incident, many of our customers are having trouble reaching our service desks, accessing their accounts, and making payments. We're making progress on the customer service front every day, including ramping up our call capacity, but it will take a little time before things are fully restored."

The company stated that they are still evaluating the damage caused by the cyber-attack. However, their services, including Dish, Sling, and wireless and data networks, are running without issues.

The LockBit Ransomware Takes Responsibility for the Royal Mail Cyberattack

 

The LockBit ransomware operation has asserted responsibility for the cyberattack on Royal Mail, the UK's leading mail delivery service, which forced the company to stop its international shipping services due to "severe service disruption." 

This emerges after LockBitSupp, the public-facing representative of the ransomware group, earlier told BleepingComputer that the LockBit cybercrime group did not target Royal Mail. They instead blamed the attack on other threat actors who used the LockBit 3.0 ransomware builder, which was leaked on Twitter in September 2022. LockBitSupp did not clarify why printed Royal Mail ransom notes seen by BleepingComputer included links to LockBit's Tor negotiation and data leak sites rather than those operated by a different threat actor.

However, LockBitSupp validated LockBit's involvement in the attack in a post on a Russian-language hacking forum after discovering that one of their affiliates deployed the gang's ransomware payloads on Royal Mail's systems.

The representative of the ransomware gang also stated that they would only provide a decryptor and delete data stolen from Royal Mail's network after a ransom was paid. The entry for the Royal Mail attack on LockBit's data leak site currently states that stolen data will be published online on Thursday, February 9, at 03:42 AM UTC.

The attack was termed a "cyber incident"

On January 10, Royal Mail discovered the attack and hired outside forensic experts to assist with the investigation.

A Royal Mail spokesperson told BleepingComputer on January 11, when we reached out for more details: "Incident was detected yesterday, UK/domestic mail remains unaffected."

"We're experiencing disruption to our international export services and are temporarily unable to despatch items to overseas destinations. Please do not post any export items while we work to resolve the issue. Sorry for any disruption this may cause," the company tweeted.

The incident was also reported to UK security agencies, and the company is investigating it alongside the National Crime Agency and the UK National Cyber Security Centre (NCSC).

However, Royal Mail has yet to acknowledge that it is the victim of a ransomware attack, which could result in a data breach because LockBit ransomware operators are known for stealing data and leaking it online if their ransom demands are not met.

For the time being, the company is still referring to the attack as a "cyber incident" and claims to have restored some of the services that were impacted by the attack. The incident last month follows a November 2022 outage that caused the Royal Mail's tracking services to be unavailable for more than 24 hours.

The Royal Mail's recurring IT problems come at a time when its mailing services are already under strain due to planned national strikes and ongoing talks with the Communication Workers Union.     

Hackers can Hijack Antivirus Software to Erase Data

 


In a report released this week, a top cybersecurity researcher revealed that many popular antivirus products can be exploited to erase data, including those from Microsoft, SentinelOne, TrendMicro, Avast, and AVG.

Yair Or, a security researcher at the cybersecurity firm SafeBreach, explained how the exploit, a time-of-check to time-of-use (TOCTOU) attack, works in a proof-of-concept presentation titled "Aikido" that outlines the method for exploiting this vulnerability.

Aikido is one of the most renowned martial arts forms. It is a Japanese art that turns the opponent's own movement and force against them to gain an advantage.

What does this process entail? 


According to Yair, it is possible to exploit this vulnerability to facilitate the class of cyberattacks known as "wipers," which are commonly deployed in offensive cyber warfare.

A wiper is a type of malware designed to delete all the data and programs on the hard drive of the computer it infects, so that the machine can no longer function properly.

As stated in the slide deck, the exploit redirects the "superpower" of endpoint detection software into the capability to "delete any file regardless of its permission levels". 

This entire process was achieved by creating a malicious file at "C:\temp\Windows\System32\drivers\ndis.sys".

Next, the malicious file's handle was held open, forcing the AV/EDR to defer deleting the file until after the next reboot.

Following that, the "C:\temp" directory is deleted, a junction is created from C:\temp to C:\, and the computer is restarted.

It has been confirmed that roughly half of the most popular antivirus brands are affected.

According to the researcher's slide deck, Microsoft Defender, Defender for Endpoint, SentinelOne EDR, TrendMicro Apex One, Avast Antivirus, and AVG Antivirus were among the products affected by this vulnerability.

Meanwhile, some products survived the attack intact. These include Palo Alto XDR, Cylance, CrowdStrike, McAfee, and BitDefender.

AirAsia Ransomware Attack Affected 5 Million People, Investigated in Malaysia

 



It was announced last month that approximately five million AirAsia passengers, as well as all of the company's employees, were affected by a ransomware attack. Malaysian authorities have yet to find the source of the attack and determine the overall impact but have gathered few leads so far. 

A spokesman from the ministry said it viewed the data breach by the malicious group as a serious violation of the privacy of the budget airline's passengers and staff. This follows the hacker group Daixin Team gaining access to the personal information of its passengers and staff.

On 1st December, an investigation team from the ministry, composed of the Personal Data Protection Department and CyberSecurity Malaysia, commenced its investigation by having discussions with Capital A Bhd, the company that runs AirAsia. 

"Early investigations" revealed that the cyberattack on the AirAsia server, which took place on Nov 12, involved unauthorized access to the system.

In a statement released on Saturday, Mr. Fahmi said that this led to the ransomware attack, which could result in a data leak. 

As a consequence of the discussion with Capital A, the company has been ordered to provide relevant documentation and evidence about the incident. This is to aid the investigation into the incident. 

Mr. Fahmi said further investigation is being conducted to determine what triggered the attack as well as what impact it may have had. It is their policy not to reveal details of the case to the public while the investigation is still ongoing. This is to avoid any legal complications in the future. 

As stated by the minister, all data users should always be aware of cybersecurity threats and should enhance their security from time to time. As a result, their databases and infrastructure will remain safe and secure for a long time. 

The Minister also said that data users should set out cybersecurity policies and ensure these precautions are followed, to prevent data from falling into the hands of irresponsible parties.

There was a report on Nov 23, which stated that the Daixin Team had compromised the personal information of about five million AirAsia passengers and all of its employees. Ransomware was released by a group that claimed responsibility for the attack. 

Reports suggested that the information included the names and identifiers of the passengers, as well as details of their bookings. Additionally, employee details such as photos, secret questions and answers, nationalities, and dates of birth were reportedly included.

Earlier, AirAsia announced on the Bursa Malaysia website that it had taken all reasonable precautions to resolve the data incident. The announcement stated that the cyberattack affected redundant systems and did not affect its critical systems, and that all measures had been taken to resolve the data incident as soon as possible and prevent similar incidents in the future.

Latest Cyberattack on LJ Hooker by a Ransomware Gang

 


It is reported that a ransomware gang has stolen at least 375 gigabytes of personal data from a franchise of the Australian real estate giant LJ Hooker in a ransomware attack. The stolen data includes passport scans, credit card information, and loan information.

In a blog post published on the dark web on November 30, which previewed some of the data stolen in the cyber-attack, the Russia-linked ransomware gang ALPHV, also known as "BlackCat," named LJ Hooker as a victim.

As VICE has already reported, the group began publishing personal information including employees' passports. Numerous social media login credentials, profit-loss statements, and a contract for the sale of a property have also been posted by the group.

The group claimed to have even more “internal company data,” including employees' personal information, such as IDs, and client data, including “financial information” and “credit card information.” 

Using independent verification, VICE corroborates part of the preview, which pertains to an office of LJ Hooker, located in New South Wales. 

A spokesperson for LJ Hooker confirmed in a statement to VICE that at least one of its offices had become the victim of a data breach. LJ Hooker is still working to determine the scope of the breach and is taking steps to protect its customers' data from a further breach. The company has "informed the relevant government cyber and data bodies."

According to Australian authorities, ALPHV was first identified by the security community in late 2021 as a "ransomware-as-a-service" program associated with "Russian-speaking cybercriminals". There is growing concern that the group will pose an "increased threat" to Australia's "government" and "critical infrastructure" in 2022.

There is widespread understanding that this collective was one of those responsible for last year's breach of the Colonial Pipeline, the largest fuel pipeline in the United States, which carries about 45 percent of the gasoline consumed in the eastern part of the country.

Approximately 10,000 gas stations in the country were left without gas as a result of the hackers' actions, which led to a panic buying spree. Colonial bowed to the group's demands and paid a ransom of approximately US$5 million, equal to 75 Bitcoins at the time.

LJ Hooker is the third Australian company in the last three months to suffer a large-scale data breach resulting in substantial data leakage.

Optus was hit first, on September 22, when it was reported that the telecommunications giant had been attacked by hackers who compromised the data of up to 9.8 million Australians. The hack would become one of the largest ever recorded in Australian history.

A similar attack on Medibank was reported on October 13, and it emerged shortly afterwards that the personal information of approximately 3.9 million Australians had been compromised.

During November, the dark web was flooded with patient records of more than 1,500 individuals. Last week, the hackers posted a new 5GB dump of data announcing that the case had been closed.

Empire Company Suffered Information Technology Systems Issue

 

The Empire Company announced on Monday that some of its brand stores across Canada, including Sobeys, Lawtons, Safeway, Farm Boy, IGA, Foodland, and FreshCo, are facing service disruptions due to an information technology systems issue. The technical issues prevented its pharmacies from filling prescriptions, and some services were delayed or functioned only intermittently.

In a press release, the company assured its customers that it is working to fix the problems, but added that it is not sure when all services will be restored. "At Sobeys, exceeding the needs of our customers is always our top priority. Our sole focus right now is on getting this problem rectified and we will provide further updates as relevant information becomes available," said chief operating officer Pierre St-Laurent in the news release.

Additionally, pharmacy staff reported to the press that they could not access their systems. However, the staff supplied its customers with a few days' medications if customers came with their empty bottles. 

Meanwhile, Maple Leaf Foods announced on Sunday that its disruption was caused by a "cybersecurity incident".

The organization reported that the issues became known over the weekend, and that the company, together with its recovery experts, information systems professionals, and third-party specialists, immediately started investigating the outage.

Following the incident, Sylvain Charlebois, the director of the Agri-Food Analytics Lab at Dalhousie University, disclosed that he received a number of messages from people on Friday night about problems at Empire, including copies of internal company letters. 

"The entire food system works on the basis that computers will communicate with each other. So as soon as you have a cyberattack disrupting the efficiency of supply chains, costs could go up. Even worse, access to food could also become a problem. You could see many stores without supplies for days and you don't want that to happen," he further added.

Lockbit Ransomware Attacks German MNC, Threatens to Leak All Data


LockBit claims ransomware attack on Continental

The LockBit ransomware gang has claimed responsibility for a cyberattack against the German multinational automotive group Continental.

LockBit also stole data from Continental's systems and is threatening to publish it on its data leak site if the company does not meet its demands within the next 22 hours.

The gang has not disclosed what data was extracted from Continental's network or when the compromise happened.

Ransomware gangs usually post data on their leak websites as a strategy to frighten their targets into settling a deal or into getting back to the negotiation table. 

LockBit threatens to leak data

Since LockBit says that it will leak "all available" data, this hints that Continental is yet to negotiate with the ransomware campaign or it has already refused to agree with demands. 

Kathryn Blackwell, Continental's Vice President of Communications and Marketing, did not acknowledge LockBit's claims or disclose any information regarding the compromise, and instead referred to the statement the company had issued in a press release about the incident.

As per the press release, the company found a security compromise early in August when the hackers invaded parts of its IT systems. 

Continental's response

As soon as the attack surfaced, Continental took all vital security measures to restore the full integrity of its IT systems. 

With the assistance of external cybersecurity analysts, the organization has launched an inquiry into the incident. The investigation is currently under process. 

The automotive MNC has yet to share its findings. Blackwell also declined to link the August cyberattack to LockBit's claims, saying she could not share any more information at the moment.

Continental reported sales of €33.8 billion in 2021, and it has employed more than 190,000 people across 58 nations and markets. 

The press release said:

"Continental informed the relevant authorities of the incident and is in close contact with them, including the security authorities. The company is aware of its data protection obligations and – in consultation with the responsible data protection authorities – is taking the necessary steps to ensure they are completely fulfilled.

The security of its employees’, customers’, and partners’ information as well as of its own data is paramount to Continental. That is why Continental has taken and continues to take extensive measures to constantly strengthen cybersecurity at the company."

Another Singtel Subsidiary Faces Cyber Attack, Weeks after Optus Data Breach

 

Weeks after the data breach at the Australian telecom giant Optus, Singapore Telecommunications Ltd (Singtel) confirmed that its unit Dialog has suffered a cyber-attack. The attack reportedly affected 1,000 of the company's current and former employees and about 20 clients.
 
A similar data breach at Optus, Singtel's Australian subsidiary, took place in late September. That breach reportedly compromised the personal data of up to 10 million customers, including present and former employees.
 
Days after the breach, the threat actors withdrew a ransom demand of $1 million from the telecom company, saying there were "too many eyes" on the hacked data. The hackers nonetheless leaked the records of more than 10,000 customers to prove that they actually had access to the data.
 
"On Saturday 10 September 2022, we detected unauthorized access on our servers, which were then shut down as a preventive measure. Within two business days, our servers were restored and fully operational. We contracted a leading cyber security specialist to work within our IT Team to undertake a deep forensic investigation and continuous monitoring of the Dark Web. Our ongoing investigation showed no evidence of unauthorized downloading of the data [...] On Friday 7 October 2022 we became aware that a very small sample of Dialog's data, including some employees' personal information, was published on the Dark Web," Dialog states regarding the data breach.
 
Dialog mentioned how its systems were completely independent of Optus and IT unit NCS while assuring that there was in fact no evidence of any link between the data breaches at Dialog and Optus.  
 
"With this being the third large breach impacting the company in the last few years, it sounds like it is time to review the company's cybersecurity program because something is clearly not working," states O'Toole. 
 
"Everyone knows employees are the number one target for criminals looking to steal and compromise an organization's data, so addressing this risk must be the priority," she added. 
 
As per the CEO, one of the prominent solutions to tackle the risk is by deploying encrypted network access and segmentation tools, which encrypt employee credentials and other information so they cannot be hacked or stolen. "This closes doors on attackers, and it will significantly improve Singtel's security defenses against data breaches in the future," she added.

ADATA: RansomHouse Cyberattack Result of a Leak of 2021 Data


Taiwanese chip manufacturer ADATA denies all allegations of a RansomHouse cyberattack, after the threat actors began posting allegedly stolen data on the extortion group's leak website.

Earlier this week, the RansomHouse gang added an ADATA entry to its data leak site, claiming it had taken 1TB worth of documents during a cyberattack in 2022. To demonstrate how much information the gang had taken, the threat actors posted samples of supposedly stolen files that appear to be from ADATA.

"Based on several technical methods of checking, we believe what Ransomhouse alleged was fake data and that it was stolen by Ragnar Locker in 2021, which is all confirmed by ADATA's spokesperson," the company said in an email to BleepingComputer.

ADATA implemented effective methods to provide strong security following the Ragnar Locker attack in 2021. Since then, no attack on ADATA has been successful, and no confidential information about ADATA was leaked. 

A comparison of the timestamps on the data shared by RansomHouse with those on the data Ragnar Locker leaked in June 2021 showed that both sets carry similar timestamps, and that neither contains files newer than May 2021.

The company added that RansomHouse left no ransom notes on its servers that would demonstrate an attack had been conducted. RansomHouse maintains that it recently breached ADATA in a data theft attack and has negotiated with the company regarding the stolen data.

RansomHouse - who are they? 


RansomHouse's extortion operation came to light in 2021 when it leaked the files of its first victim, the Saskatchewan Liquor and Gaming Authority (SLGA). Although the threat actors claim not to use any ransomware in their attacks, White Rabbit ransom notes link that group's encryption attacks to RansomHouse.

More recently, RansomHouse appears to have claimed responsibility for attacks on eight Italian municipalities. In that incident files were encrypted with a .mario extension appended, and a ransom note greeting "Buongiorno to my lovely Italy" appeared on affected computers.

The RansomHouse operation has also targeted other high-profile companies, such as AMD and Shoprite Holdings, one of Africa's largest supermarket chains, as well as large governments.

Ferrari Refutes Ransomware Attack Following RansomEXX’s Online Claims

 

Italian vehicle designer Ferrari S.p.A might have become the latest victim of a ransomware attack. As per a Reuters report, internal documents belonging to the brand were published on a dark web leak site owned by ransomware group RansomEXX. 

However, the car manufacturer rejected such claims, stating that there was no evidence of a ransomware attack or of a breach of the company's systems. The company said it is investigating the leak of the internal documents and that appropriate action would be taken as needed, adding that there has been no disruption to its business and operations.

On Monday, the newspaper Corriere Della Sera, citing the Italian website Red Hot Cyber, reported that the luxury car designer had been the victim of a ransomware attack.

According to Red Hot Cyber, the hacking group RansomEXX claimed on its Tor leak site that it had breached Ferrari and stolen 6.99 GB of data, including internal documents, datasheets, and repair manuals. The source of the documents remains unclear.

In December 2021, the ransomware gang Everest indirectly targeted Ferrari when it hit the Italian manufacturing firm Speroni. At that time, the hackers siphoned 900 GB of data containing sensitive details about the firm's partners, including Ferrari, Lamborghini, Fiat Group, and other Italian car manufacturers.

According to Cybernews, the malicious hackers also got involved with Ferrari’s entry into the NFT market, taking control of the company’s subdomain and exploiting it to host an NFT scam almost immediately after Ferrari disclosed it would mint tokens based on their cars, earlier this year. 

RansomEXX has been operating since 2018 and adopted its current name in June 2020. The gang's modus operandi has become more potent, and it is targeting high-profile firms.

High-profile organizations targeted by the RansomEXX group in the past include the Texas Department of Transportation (TxDOT), Konica Minolta, Brazilian government networks, IPG Photonics, and Tyler Technologies. RansomEXX has also built its own Linux version to ensure it can reach all critical servers and data in a firm.

Rise in Cyber-Attacks Targeting U.S. Defense Security

 

In the context of a cyberattack campaign that may be linked to cyber espionage, it is clear that cyber threats are becoming more sophisticated with each passing day. Threat actors are engineering attacks that target defence contractors in the US and throughout the world.

Researchers at Securonix have detected several covert campaigns against weapons contractors in Europe over the last few months. The campaign, which Securonix tracks as STEEP#MAVERICK, has affected a supplier to the US program that builds the F-35 Lightning II fighter plane.

According to the security vendor, the campaign is noteworthy for the overall attention the attacker has paid to operations security (OpSec) and in ensuring their malware is difficult to detect, remove, and analyse.  

According to the Securonix report, the malware stager used in these attacks employed an array of tactics, persistence methods, counter-forensics, and layers upon layers of obfuscation to hide its code.

As of late summer, the STEEP#MAVERICK campaign appears to have begun attacking two high-profile defence contractors in Europe. Like many spear-phishing campaigns, the attacks begin with an email containing a compressed (.zip) file holding a shortcut (.lnk) that poses as a PDF document describing company benefits.

According to SecurityTel, the sample email was sent this month by North Korea's APT37 threat group.

APT37 (also known as Konni) is a North Korean threat group that was found earlier this month sending emails similar to a scam email observed in another of the group's campaigns.

The rising number of cyberattacks is indeed a matter of concern, especially for a department like defence which has access to secrets that require to be guarded with extra caution.  

Security research performed by Black Kite on the top 100 defence contractors showed that 32% of them have security flaws that could enable ransomware attacks. According to the research, the main reasons these contractors are vulnerable to ransomware include leaked credentials and a lack of secure personal data management.

Evil Colon Attacks: A Quick Guide

 

New cyber attacks now emerge about as often as social media trends. One such rapidly evolving threat is the Evil-Colon attack, which shares similarities with Poison-NULL-byte attacks. Although Poison-NULL-byte attacks no longer work on current platforms, the same class of path-handling mistake can still open the door to new kinds of compromise when input is handled improperly. 

In one of his articles, Leon Juranic, a security researcher at Mend, described his encounter with the Evil-Colon attack. While auditing source code he found a case where a colon character could be used to evade path sanitization. The trick abuses how Windows interprets the colon in file names, so it is specific to Windows-based services and is most likely to affect applications running on Windows servers. 

When applications or servers perform path-based operations that build a file path from user input, the file that gets written, and the data it holds, can end up under the control of an external party, which leads to severe security issues such as arbitrary data injection. Leon illustrated how Evil-Colon works using the source code of a Java application, WriterFile.jsp. 

In his walkthrough the application creates a file in a directory, and its sanitization consists of appending .txt to the user-supplied name. If the user's input ends with a colon, NTFS treats everything after the colon as the name of an Alternate Data Stream: the appended .txt becomes the stream name, and the file itself is created with whatever extension the attacker chose. 

When the file is subsequently created in the directory, the colon at the end of the supplied name has pushed the rest of the string into the Alternate Data Stream, so the file lands on disk with the .jsp extension. 

He went on to describe how the ability to alter files created earlier in the application workflow can lead to serious security threats. If an attacker can later edit existing files through the application, they can set the content of that .jsp file to anything they want; in his example, inspecting the modified file reveals the string EVIL-CONTENT. 

Leon concluded his example by warning that, in real-world scenarios, a JSP webshell planted this way lets threat actors execute code remotely on the vulnerable server or application. 

To protect files and data from Evil-Colon attacks, strip or reject colon characters in any user input that feeds a path operation, for example with input filters and string checks, and validate the name the filesystem will actually create rather than the string the application built.
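To make the mechanism concrete, here is an added example in Python; it is not Leon Juranic's or Mend's code and not the WriterFile.jsp sample. It contains a small model of how NTFS interprets the final path component as name:stream:type, the vulnerable concatenate-then-check pattern beside a hardened version, and a demo showing the string-level extension check passing while the file that would land on disk is shell.jsp with the forced .txt pushed into an Alternate Data Stream. It runs on any OS because it models the path parsing instead of touching NTFS; the base directory C:\app\uploads and the allowed-name pattern are assumptions.

```python
import ntpath
import re

FORCED_EXT = ".txt"
# Windows device names resolve anywhere in the namespace: "CON.txt" opens the console, not a file.
RESERVED = {"con", "prn", "aux", "nul"} | {f"com{i}" for i in range(1, 10)} | {f"lpt{i}" for i in range(1, 10)}
# Allow-list for user-supplied names (assumption): no separators, no colon, no leading dot.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


def ntfs_effective_target(path: str) -> tuple:
    """Model NTFS parsing of the last path component as name[:stream[:type]].
    Returns (file actually created, stream name, stream type)."""
    head, last = ntpath.split(path)
    parts = last.split(":")
    name = parts[0]
    stream = parts[1] if len(parts) > 1 else ""
    stype = parts[2] if len(parts) > 2 else "$DATA"
    return ntpath.join(head, name), stream, stype


def build_path_vulnerable(base_dir: str, user_name: str) -> str:
    """The pattern from the write-up: force a suffix by concatenation and check the string, not the file."""
    candidate = user_name + FORCED_EXT
    if not candidate.lower().endswith(FORCED_EXT):   # always true: the check looks at the string only
        raise ValueError("bad extension")
    return ntpath.join(base_dir, candidate)


def build_path_hardened(base_dir: str, user_name: str) -> str:
    """Allow-list the name, then verify what the filesystem would really create."""
    if not SAFE_NAME.fullmatch(user_name) or user_name.split(".")[0].lower() in RESERVED:
        raise ValueError(f"rejected file name: {user_name!r}")
    full = ntpath.normpath(ntpath.join(base_dir, user_name + FORCED_EXT))
    effective, stream, stype = ntfs_effective_target(full)
    if (stream or stype != "$DATA"
            or not effective.lower().endswith(FORCED_EXT)
            or ntpath.dirname(effective) != ntpath.normpath(base_dir)):
        raise ValueError(f"path escaped its sandbox: {full!r}")
    return full


def demo(base_dir: str = r"C:\app\uploads") -> dict:
    """Run the attacker's input through both builders and report what would happen."""
    attacker_input = "shell.jsp:"          # trailing colon: the forced ".txt" becomes the stream name
    string_path = build_path_vulnerable(base_dir, attacker_input)
    file_on_disk, stream, _ = ntfs_effective_target(string_path)
    try:
        build_path_hardened(base_dir, attacker_input)
        hardened = "accepted"
    except ValueError as exc:
        hardened = str(exc)
    return {"string_path": string_path, "file_on_disk": file_on_disk, "ads": stream, "hardened": hardened}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>13}: {value}")
```

The important design choice is the second check in build_path_hardened: even with an allow-list in front of it, the code re-derives the name the filesystem will create and compares its directory and extension against what was intended. That catches the colon case, directory traversal, and a later developer loosening the regex, which a string-only check never would.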

HomeLand Justice: Government of Albania attacked by Iranian Cyber Threat Actors

 

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint Cybersecurity Advisory on recent cyber operations by Iranian state cyber actors against the Government of Albania in July and September. 

The advisory provides a detailed timeline of the detected activity, from initial access to the execution of encryption and wiper attacks, and lists the files the actors used. 
 
The hackers, who call themselves HomeLand Justice and are assessed to be state-sponsored Iranian advanced persistent threat (APT) actors, attempted to paralyse public services, deleted and stole government data, and disrupted government websites and services, causing havoc and panic in the country.  
 
According to the agencies, the threat actors had access to Albanian government servers for about 14 months before executing the encryption and wiper attacks. 
 
On July 17th, 2022, after lateral movement, network reconnaissance, and credential harvesting across the Albanian government network, the threat actors launched a series of cyberattacks that left anti-Mujahideen-e-Khalq (MEK) messages on desktops.  
 
After network defenders detected and began responding to the ransomware activity, HomeLand Justice deployed a new ransomware family, ROADSWEEP, along with a variant of the ZEROCLEARE wiper malware. 
 
On July 23rd, HomeLand Justice took to social media to claim the attacks, following a repeated pattern: announcing leaks to the Albanian government, posting polls asking viewers which information should be leaked next, and then releasing the data as a .zip file or as a screen-recorded video of the documents. 
 
In September the actors launched another wave of cyberattacks against the Albanian government, using TTPs and malware similar to those of the July attacks, likely in retaliation for the public attribution of the earlier attack and for Albania's severing of diplomatic ties with Iran. 
 
Although Albania's cyber defences are limited, it is a NATO member, and NATO's Appathurai stated, "You can be sure of NATO's continued political and practical support." NATO is therefore expected to help Albania with both the immediate response and its longer-term requirements.

A New Decryptor by Bitdefender for Victims of LockerGoga Ransomware

 

In an official announcement, Bitdefender said it had released a free decryptor for the LockerGoga ransomware, allowing victims to recover their encrypted files without paying a ransom.
 
The Romania-based cybersecurity firm released a universal LockerGoga decryptor which, according to its announcement, was developed in cooperation with Europol, the NoMoreRansom project, the Zurich Public Prosecutor's Office, and the Zurich Cantonal Police. 
  
The decryptor restores victims' files free of charge. It takes a path containing pairs of clean and encrypted files and can scan either the entire system or a chosen folder. It also offers a "backup files" option, which is useful if something goes wrong during decryption.
 
LockerGoga is ransomware that came to notice in 2019 attacks against US- and Norway-based companies, in which the threat actors targeted high-profile organisations including Norsk Hydro, one of the world's largest aluminium producers, and the French engineering firm Altran Technologies. The attackers used it to encrypt data stored on computers and extorted the victims for a ransom in exchange for decryption tools.
 
The National Cyber Security Centre (NCSC) reported that this malware was used in attacks on over 1,800 organisations worldwide. Attacks involving various ransomware families, LockerGoga among them, caused monetary damages of approximately 104 million US dollars across 71 countries.
 
Around 12 people involved in the attacks were arrested in October 2021 in an international law enforcement operation targeting the ransomware operation. With its operators arrested, LockerGoga was dismantled, and the master private keys used for encryption became unavailable with it. As a result, victims who had not paid the ransom were left with encrypted files and no way to recover them.
 

Watch Out For This Raccoon Stealer 2.0 With New Capabilities


Raccoon Stealer, also known as Legion, Mohazo, and Racealer, is a high-risk trojan that infects systems and steals credentials. It is back in a second, upgraded version circulating on cybercrime forums, offering criminals improved password-stealing functionality and greater operational capacity. 

The trojan is sold as a service by various groups on hacker forums, and once installed on a system it can cause a range of problems for the victim. 

The Raccoon Stealer operation shut down in March 2022, when its operators reported that one of its lead developers had been killed during Russia's invasion of Ukraine. At the time, the team promised to return with an upgraded second version offering more capabilities. 

“We expect a resurgence of Raccoon Stealer v2, as developers implemented a version tailored to the needs of cybercriminals (efficiency, performance, stealing capabilities, etc.) and scaled their backbone servers to handle large loads,” Sekoia said in its report. 

According to the malware's developers, the upgraded version was built from scratch in C/C++, with a new back end, front end, and code for stealing credentials and other data. 

Raccoon Stealer 2.0 has been distributed through a fake Malwarebytes website and steals personal information including basic system fingerprinting data, browser passwords, cookies, autofill data, and saved credit cards. 

Other data that Raccoon Stealer steals includes:

• Cryptocurrency wallet browser extensions including MetaMask, TronLink, BinanceChain, and Ronin
• Desktop cryptocurrency wallets including Exodus, Atomic, JaxxLiberty, Binance, Coinomi, Electrum, Electrum-LTC, and ElectronCash
• Individual files located on all disks
• Screenshots of the victim's desktop
• The list of installed applications

The data can be misused in various ways, such as transferring funds out of victims' crypto wallets and other accounts (e.g., PayPal or bank accounts), so victims could lose their savings. Hijacked accounts (e.g., Facebook or email) can also be abused to borrow money in the victim's name. 

The stealer, which has already infected over 100,000 devices, is sold for $200 per month. It was one of the most frequently mentioned malware families on underground forums in 2019. 

Disneyland's Official Handles Hacked to Take Revenge

 

Disneyland Resort’s Instagram and Facebook pages were compromised on Thursday by a self-proclaimed “super hacker” who published a number of posts containing foul language and racist slurs. A Disneyland spokesperson said that the accounts “were compromised early this morning.” The posts have since been removed. 

“We worked quickly to remove the reprehensible content, secure our accounts, and our security teams are conducting an investigation,” the spokesperson said in a statement. 

Following the incident, the Los Angeles Times reported that the hacker, calling himself “David Do,” claimed he was taking his “revenge” on Disneyland workers who had allegedly insulted him. 

“I am a super hacker that is here to bring revenge upon Disneyland [...] Who’s the tough guy now Jerome?” one of the posts read. In other posts the hacker claimed to have “invented” COVID-19 and suggested he was working on a new “COVID20” variant of the virus. 

The culprit published four posts in total on Disneyland’s Instagram account before 5 am PT, according to a post on the Disneyland blog. 

Disneyland's Facebook and Instagram accounts were temporarily taken down shortly after officials noticed the posts, and were brought back online once the cybersecurity team had removed them. The park’s other social media accounts and pages were not compromised. 

“It’s not known how this person managed to gain access to the Disneyland Instagram account. Was it a stranger hack or a previous employee with access to the logins? We worked quickly to remove the reprehensible content, secure our accounts and our security teams are conducting an investigation,” Disneyland said in an update to the post today.

No Backup: Why the Government in Brazil is at High Risk of Cyberattacks

 

According to a new report by the Brazilian Federal Audit Court (TCU), several federal government agencies in Brazil are at high risk of cyberattacks, and the report says those agencies need to reassess how they handle cybersecurity threats. 

The report points out a number of areas at high risk, but one of the biggest problems it uncovered in the cybersecurity section is the lack of backups to fall back on when dealing with a cyberattack. 

The report identified 29 areas that represent a high risk in terms of vulnerability, mismanagement, abuse of power, or need for drastic change. 

Backups are very important and help against various forms of attack, as well as mistakes and mishaps; the most obvious case is ransomware. When systems are compromised and locked up, a data backup may be the only way to restore the data stored on them. 

Additionally, the report cited the following data:

• 74.6% of organizations (306 out of 410) do not have a formally approved backup policy, a basic document negotiated between the business areas (the "owners" of the data and systems) and the organization's IT department that governs the issues and procedures related to performing backups. 

• 71.2% of organizations that host their systems on their own servers/machines (265 out of 372) do not have a specific backup plan for their main system. 

• 60.2% of organizations (247 out of 410) do not keep their copies in at least one destination that is not remotely accessible, which carries the risk that, in a cyberattack, the backup files themselves are corrupted, deleted, and/or encrypted by the attacker or malware, rendering the organization's backup and restore process equally ineffective. 

• 66.6% of organizations that claim to perform backups (254 out of 385), despite implementing physical access controls on the storage location of these files, do not store them encrypted, which carries a risk of data leakage that can cause enormous losses, especially where sensitive and/or confidential information is involved. 
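The four findings above translate directly into checks an organization can run against its own backup inventory. The script below is an added example, not a tool from the TCU or from the report: it encodes each finding as a rule over a plan description (approved policy, documented plan, at least one copy an attacker on the network cannot reach or alter, encryption at rest), plus one extra rule the report does not list, a recent restore test, because an untested backup is not a backup. The two plans it evaluates are constructed samples, and the 90-day restore-test window is an assumption.

```python
from dataclasses import dataclass, field
from typing import List, Optional

RESTORE_TEST_MAX_DAYS = 90   # assumption: a restore older than this is treated as untested


@dataclass
class BackupCopy:
    location: str
    network_reachable: bool      # can a host inside the network open and overwrite it?
    encrypted_at_rest: bool
    immutable: bool = False      # WORM media, object lock, or offline tape


@dataclass
class SystemBackupPlan:
    system: str
    policy_approved: bool        # TCU finding 1: formally approved backup policy
    plan_documented: bool        # TCU finding 2: specific plan for the main system
    last_restore_test_days: Optional[int]
    copies: List[BackupCopy] = field(default_factory=list)


def audit_backup_plan(plan: SystemBackupPlan) -> list:
    """Return the findings a plan triggers; an empty list means it passes every check."""
    findings = []
    if not plan.policy_approved:
        findings.append("no formally approved backup policy")
    if not plan.plan_documented:
        findings.append("no specific backup plan for the main system")
    if not plan.copies:
        findings.append("no backup copies at all")
    # TCU finding 3: a copy that ransomware running inside the network cannot reach or rewrite.
    if plan.copies and not any(c.immutable or not c.network_reachable for c in plan.copies):
        findings.append("no copy that an attacker on the network cannot reach or alter")
    # TCU finding 4: physical access control is not a substitute for encryption.
    unencrypted = [c.location for c in plan.copies if not c.encrypted_at_rest]
    if unencrypted:
        findings.append("unencrypted copies: " + ", ".join(unencrypted))
    if plan.last_restore_test_days is None or plan.last_restore_test_days > RESTORE_TEST_MAX_DAYS:
        findings.append(f"no successful restore test in the last {RESTORE_TEST_MAX_DAYS} days")
    return findings


def weak_plan() -> SystemBackupPlan:
    """Constructed sample: nightly copy to a writable share, never restored, no approved policy."""
    return SystemBackupPlan(
        system="payroll-db", policy_approved=False, plan_documented=True, last_restore_test_days=None,
        copies=[BackupCopy(r"\\fileserver\backups\payroll", network_reachable=True, encrypted_at_rest=False)],
    )


def corrected_plan() -> SystemBackupPlan:
    """Constructed sample: same system with an approved policy, an immutable off-network copy, and a recent restore."""
    return SystemBackupPlan(
        system="payroll-db", policy_approved=True, plan_documented=True, last_restore_test_days=30,
        copies=[
            BackupCopy("nas01:/backups/payroll", network_reachable=True, encrypted_at_rest=True),
            BackupCopy("s3://backups-payroll (object lock)", network_reachable=True,
                       encrypted_at_rest=True, immutable=True),
            BackupCopy("offsite tape set T-0417", network_reachable=False, encrypted_at_rest=True),
        ],
    )


if __name__ == "__main__":
    for plan in (weak_plan(), corrected_plan()):
        print(plan.system, "->", audit_backup_plan(plan) or ["OK"])
```

Note that the third rule accepts an immutable copy even when it is network-reachable: object lock or WORM storage that the attacker can read but not rewrite satisfies the report's intent, which is that the backup survives the compromise, even though it is not literally "non-remotely accessible".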

The auditors further concluded that the federal government cannot respond to and handle cybersecurity attacks adequately, and that there are several vulnerabilities in both information security and cybersecurity across most central bodies.

Hackers Using 'Brute Ratel C4' Red-Teaming Tool to Evade Detection

 

Palo Alto Networks’ Unit 42 security researchers have found that suspected Russian state-sponsored hackers are abusing Brute Ratel C4 (BRc4), a recent red-teaming and adversary simulation tool, in active attacks in an attempt to stay under the radar and evade detection.

Unit 42 reported that a malware sample uploaded to VirusTotal on May 19, 2022, contained a payload associated with Brute Ratel C4, a relatively new toolkit designed to evade endpoint detection and response (EDR) and antivirus (AV) products. 

“The sample contained a malicious payload associated with Brute Ratel C4 (BRc4), the newest red-teaming and adversarial attack simulation tool to hit the market. While this capability has managed to stay out of the spotlight and remains less commonly known than its Cobalt Strike brethren, it is no less sophisticated. Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal,” Unit 42 wrote in its blog post. 

Unit 42's threat intelligence team believes the malicious actors are targeting entities worldwide, with their primary targets in North and South America. 

The researchers urged the security community to investigate this activity and to look carefully for any sign of the BRc4 tool in their environments. 

The researchers found that the tactics behind the malicious payloads resemble those of APT29, also known as The Dukes or Cozy Bear, a Russian state-sponsored group previously involved in the SolarWinds supply-chain attack of 2020.

The commercial software was released in 2020 and has since sold over 480 licenses to 350 customers. BRc4 offers a wide range of features: process injection, screenshot capture, automation of adversary TTPs, file upload and download, support for multiple command-and-control channels, and the ability to conceal memory artifacts from anti-malware engines.

Crypto Scam to be Investigated by British Army

 

On Sunday, the UK Ministry of Defence confirmed that the British Army’s YouTube and Twitter accounts had been hacked, with both used to promote cryptocurrency scams. The Ministry has not confirmed exactly when the takeover occurred, and both accounts now appear to be back to normal. 

“We are aware of a breach of the Army’s Twitter and YouTube accounts and an investigation is underway. The Army takes information security extremely seriously and is resolving the issue. Until the investigation is complete it would be inappropriate to comment further,” The Ministry of Defence Press Office said on Twitter. 

The attackers took control of the British Army’s Twitter page, swapping out the profile picture, bio, and cover photo to make it look like it belonged to The Possessed NFT collection, and used it to promote crypto giveaway schemes. Its YouTube channel, meanwhile, aired livestreams of clips of Elon Musk, Jack Dorsey, and Ark CEO Cathie Wood discussing cryptocurrency, directing viewers to crypto scam websites. 

The clips promoted “double your money” Bitcoin and Ethereum scams. According to Web3 is Going Great, a similar scheme took place in May. It is unclear which group is behind this campaign. 

The attackers changed the army’s verified Twitter account name to The Possessed, a project built around a collection of 10,000 animated NFTs with a price floor of 0.58 Ethereum (approximately $1,063). 

According to the Ministry of Defence, the hack may be part of a broader campaign exploiting the recent popularity of The Possessed. On Saturday, the project’s official Twitter account warned its followers that another verified account had also been hacked to promote an NFT scam using The Possessed brand. 

“The breach of the Army’s Twitter and YouTube accounts that occurred earlier today has been resolved and an investigation is underway. The Army takes information security extremely seriously and until their investigation is complete it would be inappropriate to comment further,” the UK Ministry of Defence Press Office tweeted later.