Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label cyber theft. Show all posts

Cybercriminals Steal $112 Million Worth of Ripple's XRP Cryptocurrency

 

On Tuesday, approximately $112 million worth of the XRP cryptocurrency, which is centered around Ripple, was pilfered by hackers from a crypto wallet, as revealed by Ripple's co-founder and executive chairman, Chris Larsen.

Larsen disclosed on Wednesday that the stolen cryptocurrency belonged to him. In a post on X (formerly Twitter), Larsen mentioned that unauthorized access occurred in some of his personal XRP accounts, distinct from Ripple. He assured that the problem was swiftly identified, and exchanges were notified to freeze the affected addresses. Law enforcement has also been engaged in the matter.

The announcement came less than an hour after crypto security researcher ZachXBT reported the hack on X. According to ZachXBT, the pilfered XRP funds had already been laundered through various crypto exchanges like Binance and Kraken. Binance acknowledged the incident, stating that they are actively supporting the investigation, and Kraken emphasized their proactive review to prevent their platform from being misused.

However, there is ambiguity regarding the ownership of the hacked wallet, whether it is linked to Ripple or not. XRPScan's on-chain data revealed that the compromised wallet was labeled "Ripple (50)" and was activated by another wallet called "~FundingWallet1" on November 5, 2018. Larsen's account activated ~FundingWallet1 on February 6, 2013, shortly after his own account, ~chrislarsen, was created.

When approached for comment, Ripple's spokesperson referred to Larsen's post and clarified that Ripple itself was not impacted. Ripple, established in 2012, aspires to be a payments and enterprise infrastructure provider, consisting of a network, protocol, and decentralized public ledger known as XRP Ledger. The value of XRP, the network's token, dropped by approximately 4% on the day of the hack.

In response to the incident, some XRP holders are urging the co-founders to disclose their crypto wallets and XRP holdings to enhance transparency. Meanwhile, others, including Thinking Crypto podcast host Tony Edward, are urging Larsen to distance himself from Ripple.

This cyber attack stands out as the most significant cryptocurrency theft in 2024 and ranks as the twentieth largest in recorded history, based on data compiled by Rekt, a website monitoring web3 and crypto breaches. In the previous year, hackers targeted approximately $2 billion in cryptocurrency, as reported by crypto security firms specializing in tracking such incidents.

North Korean Hacking Outfit Lazarus Siphons $1.2M of Bitcoin From Coin Mixer

 

Lazarus Group, a notorious hacker group from North Korea, reportedly moved almost $1.2 million worth of Bitcoin (BTC) from a coin mixer to a holding wallet. This move, which is the largest transaction they have made in the last month, has blockchain analysts and cybersecurity experts talking. 

Details of recent transactions

Two transactions totaling 27.371 BTC were made to the Lazarus Group's wallet, according to blockchain analysis firm Arkham. 3.34 BTC were subsequently moved to a separate wallet that the group had previously used. The identity of the coin mixer involved in these transactions remains unknown. Coin mixers are used to conceal the trail of cryptocurrency transactions, making it difficult to track down the ownership and flow of funds.

The Lazarus Group's latest effort adds to its long history of sophisticated cyber crimes, notably involving cryptocurrency. The US Treasury Department has linked them to a $600 million bitcoin theft from the Ronin bridge, which is linked to Axie Infinity, a famous online game. 

Growing cryptocurrency reservoir

According to Arkham, the Lazarus Group's combined wallet holdings are currently worth approximately $79 million. This includes around $73 million in Bitcoin and $3.4 million in Ether. This huge wealth accumulation through illicit techniques exemplifies the group's persistent and expanding cryptocurrency operations.

Furthermore, a recent TRM Labs study discovered that North Korean-affiliated hackers, notably the Lazarus Group, were responsible for one-third of all cryptocurrency attacks and thefts in 2023. These operations apparently earned them roughly $600 million. 

Cyber attack patterns  

Multiple cybersecurity firms have carried out investigations into the Lazarus Group's operational tactics. Taylor Monahan, a Metamask developer, stated that the latest Orbit assault, which resulted in a loss of $81 million, was similar to prior Lazarus Group operations. Such patterns provide significant insights into their strategies and can assist in the development of more effective defensive measures for future attacks.

Over the last three years, the cybersecurity firm Recorded Future has attributed more than $3 billion in cryptocurrency breaches and vulnerabilities to the Lazarus Group. Their consistent and effective execution of high-profile cyber thefts highlights the advanced nature of their skills, as well as the challenges encountered in combatting such attacks.

Data Insights Exposes Ledger's Granular Tracking: Is Privacy at Stake?

 


An investigation by Rekt Builder has raised concerns about the extent of data collection by Ledger Live, the official software for managing Ledger hardware wallets. The developer claims that Ledger Live tracks every move users make, including the apps they install and the crypto they hold. A ledger in accounting can be described as a book of accounts. It is the second book of entry for all accounting transactions. 

A company records their classified financial information in a ledger. Transactions are recorded in the ledger in different accounts as debits and credits. The ledger is intended to provide a clear history of a business's financial health by providing an accurate account of all its transactions, both present and past. 

A ledger contains all the financial activities of a company in an orderly manner. When preparing financial statements, various active account records such as assets, liabilities, equity, income and expenses are provided as a record of the transactions or events that have occurred during a certain period. 

The ledger contains all of the accounts required to compile financial statements and is also necessary for audit purposes. The entire list of accounts is also called the chart of accounts. 

Taking to X on December 27, Rekt Builder claims that Ledger Live embeds the genuine check into the app’s listing procedure. As such, it means that whenever you plug in your Ledger device and open Ledger Live, the software checks whether the device is genuine and sends this information to Ledger’s servers. This data includes the device’s serial number, firmware version, and the list of apps installed. 

Rekt Builder also notes that Ledger Live tracks the crypto balances stored on the device. However, what’s concerning is that all this data is sent to Ledger’s servers. Accordingly, it means Ledger can access a detailed record of its clients’ crypto holdings.  

To determine whether Ledger was trailing user activity, the developer attempted to turn off the remote tracking feature in Ledger Live, but this was impossible. Any attempt to disable tracking resulted in the software breaking. This suggests that Ledger has intentionally designed Ledger Live to track user activity. Rekt Builder’s findings raise serious concerns about the privacy of Ledger hardware wallet users. 

If Ledger is tracking each move users make, then it is possible that this data could be used to identify users and track their crypto transactions. This can be dangerous because a hack into any of Ledger’s centralized servers can mean malicious agents can control critical data, which can then be used to target individuals with large holdings of Bitcoin and other coins.  


Rekt Builder also notes that Ledger Live tracks the crypto balances stored on the device. However, what’s concerning is that all this data is sent to Ledger’s servers. Accordingly, it means Ledger can access a detailed record of its clients’ crypto holdings.  

The Purpose Of A Ledger Account Business owners can focus their efforts on recording all business transactions. Such records facilitate easy tracking of income and expenses and keep client/customer accounts and records accurately maintained. These records can either be written or can be in an electronic format, i.e., accounting software.

One-off costs can have a significant impact on the projected budget for an upcoming year, which is why it is important to remove them from a budget before the correct figures are calculated. The most reasonable way to get an accurate picture of the budget is by reviewing the ledger in detail. Users can check what expenses were done and what income came through as a one-time thing. These can be overlooked at the budget preparation stage so they do not affect the upcoming budget. 

Current income and expenditure can be used to gain more precise figures. There has been a crucial debate in the cryptocurrency community regarding the delicate balance between convenience and data security as users grapple with the potential privacy risks that may be brought to light by Rekt Builder's investigation into Ledger Live. Considering all of these revelations, one must reevaluate user protections as well as transparency measures in this ever-evolving world of digital asset management.

Demystifying the SEC's Enhanced Cybersecurity Disclosure Requirements

 


SEC (Securities and Exchange Commission) issued a regulation recently that imposes a greater level of transparency regarding cybersecurity risk management, governance, and incident reporting and response. There will be compliance requirements for public companies listed on U.S. stock exchanges starting mid-December 2023 (or early spring 2024 for small companies that meet the qualification criteria) regarding cyber risk management and incident disclosures under the rule. 

There will be an advantage to companies that proactively identify and fix vulnerabilities as a result of the new rule requiring companies to disclose features of their security programs to the public. By providing investors with information about public companies' cybersecurity risk management, the SEC aims to help them make informed investment decisions for their hard-earned money. 

A company's maturity in security can be used by investors as a market divider when it comes to its security as security becomes increasingly important to corporate governance. The regulatory authorities have taken a significant step towards improving cybersecurity disclosures for public companies by adopting new rules designed to give investors comprehensive and standardized information about how cybersecurity risks should be managed, strategies implemented, governance processes adopted, and incidents reported. 

The new rules were adopted in July 2023 following an extensive rule-making and public comment process that began back in January 2024. The rules represent an official recognition that cybersecurity threats are constantly present and impact investor decisions in several ways. 

It should be noted that the rules published by the US Securities and Exchange Commission apply only to American companies that are registrants of the SEC. The attack on the assets of US-registered companies is not restricted to assets located in the US - so incidental attacks that affect assets in other countries of SEC-registered companies are also included in the scope of this attack. 

The scope of this report excludes not only the government, but also non-SEC regulated companies (i.e. private companies who are not subject to SEC reporting requirements), and other types of organizations also. Various breach notification requirements will be implemented both within these categories as well as for others, to potentially harmonize and/or unified in some way with the SEC reporting requirements at some point in the future. 

To comply with the new rules, registrants will have to report any cybersecurity incident they determine to be material on Item 1.05 of Form 8-K and describe how the incident has materially affected the registrant and its material impact. They will also have to describe how the incident has materially affected the registrant, or whether it is reasonably likely to have materially affected the registrant.

When a registrant determines a cybersecurity incident as material, he or she will generally be required to file an Item 1.05 Form 8-K within four business days of determining that it is material. If the United States Attorney General determines that immediate disclosure poses a substantial risk to national security or public safety, and informs the Commission in writing, the disclosure may be delayed. 

In addition, Regulation S-K Item 106 has been added to the new rules, which requires that registrants explain their processes, if any, for assessing, identifying, and managing material risks resulting from cybersecurity threats, along with the material effects or reasonably likely material effects of risks resulting from cybersecurity threats and previous incidents affecting the company. 

A registrant's annual report on Form 10-K will also have to describe the board of directors' oversight of cybersecurity threats, as well as the management's role and expertise in assessing and managing material risks from cybersecurity threats. An annual report on Form 10-K will contain these disclosures, which will be required for all companies. 

Foreign private issuers are required to provide comparable disclosures for material cybersecurity incidents on Form 6-K and cyber risk management, strategy, and governance on Form 20-F by the regulations. It is always mandatory for the SEC to report material cybersecurity events that have occurred as part of general reporting requirements, however, it is only in the last few years that the timelines and nature of the reporting have become more so, and there is a ticking four-day clock on the reporting requirements. 

Taking a step back from all the rules, it is clear that the importance of visibility and continuous monitoring can’t be underestimated. Time to detection cannot be at the speed of your least experienced analyst. Platforms allow unified visibility instead of a wall of consoles. 

A robust array of telemetry must be available within the internal visibility system for breaches to be detected and stopped, as well as continuously monitored. It is clear from these new SEC rules that the risk of cyberattacks is a business risk for a great number of companies with operations outside of the US, and that means that visibility needs to extend beyond the US to other geographies as well. 

There are many ways in which companies can make proactive efforts to identify and mitigate security vulnerabilities, as well as bug bounties, that should encourage them to invest in proactive measures to ensure that vulnerabilities are identified and remedied as early as possible. 

It is documented that bug bounty can be a very effective means of preventing cyber incidents and demonstrating security maturity to investors when combined with comprehensive security safeguards. Companies that have placed a high priority on protecting their digital assets and sensitive data will stand out more and more as investors become more aware of cyber risks.

Hackers Threatened to Leak 80GB of Data Allegedly Stolen From Reddit in February

 


An independent cybersecurity expert and CNN reviewed a post from the BlackCat ransomware gang, also known as ALPHV. The post said the group had stolen 80 gigabytes of confidential data from Reddit during a February breach and claimed to have accessed it. A cyber-security expert and CNN examined the dark web post, and the group claimed it had stolen 80 gigabytes. 

A hacker group in Russia is threatening to release Reddit data if it doesn't pay a ransom demand - as well as reverse the controversial API pricing increases. 

According to the hackers, they demand a ransom of $4.5 million and an API price hike from the company. This is if they hope to prevent data release, which was hacked. 

It appears that phishing attacks allow threat actors to gain access to the company's systems to steal internal documents, source code, employee data, and a limited amount of information about Reddit's advertising partners. 

Reddit spokesperson confirmed that "BlackCat's claims refer to a cyber incident that Reddit confirmed on February 9 as related to BlackCat's claims". During a high-targeted phishing attack carried out at the incident, hackers accessed information about employees and internal documents. 

Information about employees and internal documents was accessed through a targeted phishing attack. It is believed that the company was unaware that the passwords or accounts of customers had been stolen. 

Reddit provided no further information regarding the attack or the culprits. Nevertheless, over the weekend, BlackCat raised the stakes in the February cyber intrusion, claiming responsibility for it. It threatened to leak the "confidential" information obtained during the attack. BlackCat has not shared any evidence of data theft by the hackers, and it's unclear exactly what type of information the hackers have stolen.  

BlackCat has threatened to leak the "confidential" data but there is no sign of what it is supposed to be. They have neither provided evidence of data theft nor evidence to back up their claim. 

CTO of Reddit Chris Slowe recently talked about a security incident that happened in February, and he posted about the incident here. Throughout the post, Slowe said that, as a result of a highly targeted and sophisticated phishing attack, the company's "systems were hacked," with hackers gaining access to "some internal documents, code, and some internal business systems." The hackers only obtained employee information, according to Slowe.

In a statement to CNN on Monday, a Reddit spokesperson confirmed that BlackCat's post refers to the incident in February. No user data was accessed, according to the spokesperson, but he refused to elaborate further on the matter. 

Several Reddit forums remained dark last Monday during the planned two-day protest. This was intended to highlight the company's plan to charge steep fees for third-party apps to access the company's platform in the future. 

There are still more than 3,500 Reddit forums unresponsive a week after the attack happened. Some experts argue that BlackCat's actual motives are questionable while some are sympathetic to the protestors' cause based on the ransom note. 

This is the second Reddit data breach in six years. This time, the attackers could access Reddit data dating back to 2007. A user's username, hashed password, email address, and the content of public posts and private messages were included in that report. 

In February, hackers reportedly stole 80GB of data from Reddit and threatened to leak it in three days as part of their threat. In response to the breach, Reddit acknowledged the incident and is actively investigating the matter. A ransom demand has been made by the hackers, who have warned that if they are not paid, the thieves will release sensitive information about their victims.

As of right now, it is impossible to verify the authenticity of stolen data. There are persistent cyber threats that online platforms face daily. This incident reminds us of the importance of robust security measures against such threats. Reddit is striving to improve its privacy and security protocols, and users are advised to remain vigilant at all times.

Royal Ransomware Gang adds BlackSuit Encryptor to their Arsenal

A new encryptor named BlackSuit is currently being tested by the notorious Royal ransomware gang. This encryptor bears striking resemblances to their customary encryption tool, suggesting it may be an evolved version or a closely related variant. 

In January 2023, the Royal ransomware gang emerged as the direct successor to the infamous Conti operation, which ceased its activities in June 2022. This private ransomware group consists of skilled pentesters and affiliates hailing from 'Conti Team 1,' as well as individuals recruited from various other ransomware gangs that target enterprises. 

Since its inception, Royal Ransomware has quickly gained notoriety as one of the most active and prolific operations, carrying out numerous high-profile attacks on enterprises. Furthermore, starting from late April, there have been growing indications that the Royal ransomware operation has been contemplating a rebranding effort under a fresh identity. 

This notion gained significant momentum when the group encountered intensified scrutiny from law enforcement following their targeted attack on the City of Dallas, Texas. Feeling the mounting pressure from authorities, the ransomware group has seemingly considered the necessity of adopting a new name, potentially as part of their strategy to evade detection and evade the repercussions of their illicit activities. 

In May, a distinct ransomware operation known as BlackSuit emerged, employing its unique encryptor and Tor negotiation sites. Speculation arose suggesting that this could be the rebranded version of the Royal ransomware group as initially anticipated. However, contrary to expectations, the Royal ransomware gang has not undergone a rebranding process and continues its active assault on enterprise targets. 

While BlackSuit has been employed in a limited number of attacks, the overall identity and operations of the Royal ransomware group remain unchanged. The notion of a rebranding for the Royal ransomware group appears to have lost its viability, given the recent findings presented in a report by Trend Micro. 

The report highlights significant resemblances between the encryptors used by BlackSuit and the Royal Ransomware, rendering it challenging to persuade anyone that they are distinct and unrelated entities. Consequently, attempting to present themselves as a new ransomware operation would likely face considerable skepticism due to these noticeable similarities. 

The resemblances between BlackSuit and Royal Ransomware go beyond surface-level similarities. In-depth analysis, as outlined in the Trend Micro report, reveals a range of shared characteristics. These include similarities in command line arguments, code structures, file exclusion patterns, and even intermittent encryption techniques. 

Such consistent parallels across various aspects make it increasingly difficult to present BlackSuit as a genuinely distinct ransomware operation separate from the Royal group. These findings strongly suggest a strong connection or shared origin between the two entities.

Google Receives Sensitive Data From Abortion Pill Websites

 


Several online pharmacies are selling abortion pills online and sharing their customers' personal information, such as their search history and geolocation, with Google and other third parties. ProPublica has learned that by using this information, one can identify the users of these websites, which could be used to track them down. 

In post-Roe America, where there is no abortion, this type of private information could prove to be downright dangerous when law enforcement subpoenas such sensitive information to prosecute women who wish to end their pregnancies, even though data privacy advocates may be concerned about it. It could prove even more dangerous for women who wish to end their pregnancies in this country. 

It is not uncommon for police to not even have to use the courts if they wish to compel businesses to hand over this data. This is because executives often hand it over willingly and without a court order. 

In the aftermath of the Supreme Court's ruling in Dobbs, which overturned Roe v. Wade and ended the right to abortion, there have been more than a dozen states in the country that are now prohibiting surgical and medical abortions - aka abortion pills - across their borders. 

ProPublica analyzed the pharmacies' websites through The Markup's website privacy inspector to find out which types of trackers they are using and why they are using them. There was a report that found a minimum of nine websites selling abortion medication also collected and shared records regarding their customers. This includes other websites they visited, search terms entered, general location, and general device information. 

It is essentially the website's actual visitor data that is shared with online tools that enable websites to track visitor numbers and traffic patterns. These tools enable websites to provide live chat support and do other helpful things with the information. 

According to ProPublica's investigation, nine of the sites are sending Google data that could potentially identify users, including random numbers associated with the browser of each user, which then could be matched with other information acquired through the sites, the investigative non-profit documented.  

In total, there are nine pharmacies available for abortion-related services, including Abortion Ease, BestAbortionPill.com, PrivacyPillRX, PillsOnlineRX, Secure Abortion Pills, AbortionRx, Generic Abortion Pills, Abortion Privacy, and Online Abortion Pill Rx. 

The Register contacted several pharmacies about the issue, but no one responded. Companies dealing with abortion pills must stop sharing data with Google and Facebook immediately, said Cooper Quintin, Senior Staff Technologist at the Electronic Frontier Foundation (EFF).  

As web developers may not have thought that they were placing their users at risk when they used Google Analytics and third-party tracking, they now have to consider the risk of putting their users at risk. In the current political climate, all websites, but especially those that serve at-risk users, must consider whether assisting Google, Facebook, and others in building user profiles could lead to an extremely horrific outcome, Quintin told in a report. They can not continue acting as though Roe's decision is still the law of the land. 

It is worth noting that the EFF has not yet witnessed any instances where law enforcement agencies have used this type of information to prosecute abortion seekers or providers. According to Quintin, he is concerned that someday, the data stored on big tech platforms such as Google, Facebook, and even Facebook themselves may be used as a dragnet tool to search for women seeking abortions or other reproductive care services and prosecute them. 

If a court order is served on a tech company, they will typically turn over their users' private information and messages to the police. This is if served with a court order. It has been revealed that Google received more than 87,000 search warrants and subpoenas in 2021. 

'Purely Hypothetical and Technically Impossible,' States Google

Google does not specify whether any of these requests were related to health information in its report. The major search engine company is not afraid to take action against government demands to turn over customer data to the government. This is according to a spokesperson for the company. 

It is also prohibited for Google Analytics customers to upload any information that might give away a person's identity to Google during the process of analyzing their data. Moreover, Google has strongly disputed the conclusions of the non-profit organization. 

According to Google Analytics Product Director Steve Ganem, the allegations described in ProPublica's latest article regarding Google Analytics are purely hypothetical. They are technically impossible in the real world. 

As Ganem noted, "Google Analytics was designed specifically so that we and other third parties, including law enforcement, would be unable to identify users through Google, possibly under some circumstances." As well as that, Google also has strict policies against advertising to people who provide sensitive information on their website. 

Last year, Google promised to update the system used to track where users are located. This will ensure that trips to medical clinics and other sensitive places are automatically excluded.   

Mobile App Users API Exposed

 

It was recently disclosed that thousands of social media apps are actively leaking Algolia API keys, and various other applications with hardcoded admin secrets, which allows threat actors to steal the important credentials of millions of users. 

The research analysed 600 applications on the Google Play store and it was found that 50% were leaking application programming interface (API) keys of three popular transactional and marketing email service providers. 

According to the data, 1,550 applications have been listed that disclosed Algolia API keys, of which 32 applications had hardcoded admin secrets, providing malicious actors access to pre-defined Algolia API keys. 

Malicious actors could exploit the data to read important user information, such as IP addresses, analytics data, and access details, they could also delete user information. 

As per the recent study by Salt Security, “malicious API attack traffic surged 117% over the past year, from an average of 12.22 million malicious calls per month to an average of 26.46 million calls.” 

On Monday, three famous transactional and marketing email service providers – Mailgun, Sendgrid, and MailChimp disclosed that more than 54 million mobile app users are at potential risk worldwide, including from India. 

Users from the United States have downloaded these apps the most, followed by the UK, Spain, Russia, and India, leaving over 54 million mobile app users vulnerable. 


Hackers Leaked Stolen Data of 5.7M Gemini Users

Gemini crypto exchange recently made an announcement this week that its customers have been victimized in a phishing campaign after a group of malicious actors collected their personal credentials by breaching a third-party vendor. 

The notification of the attack came to light after multiple posts on hacker forums observed by BleepingComputer offered to sell a database reportedly from the Gemini crypto exchange containing email addresses and phone numbers of 5.7 million customers. 

 “Some Gemini customers have recently been the target of phishing campaigns that we believe are the result of an incident at a third-party vendor. This incident led to the collection of Gemini customer email addresses and partial phone numbers...,” reads the advisory published by the crypto exchange. “…No Gemini account information or systems were impacted as a result of this third-party incident, and all funds and customer accounts remain secure.” 

The Gemini security team released a short notice in which it described the attack but did not disclose the name of a third-party vendor who suffered an "incident" that allowed unauthorized access to malicious actors. Because of the breach, customers of the company received phishing emails. 

However, as per the analysis of the attack, it has been observed that the mission of the threat actors is unknown. In the short report, the company wrote that the account information and its systems are safe from the attack and that fund and customer accounts "remain secure." 

After the attack, the company came back online after seven hours due to scheduled maintenance. "The Gemini Spaceship will undergo scheduled Exchange maintenance on Thursday, December 15th from approximately 10:00 p.m. until Friday, December 16th at 12:30 a.m. ET, and all user interfaces and trading will be unavailable during that time”, a notice on the exchange's status page read. 

Gemini advised its customers to use strong authentication methods and two-factor authentication (2FA) and/ or the hardware security keys to protect their networks and systems.

Ransomware Hit European Pipeline & Energy Supplier Encevo Linked to BlackCat

 

BlackCat ransomware gang claimed responsibility for the attack that occurred last week on Creos Luxembourg S.A., a company that owns and provides electricity networks and natural gas pipelines in the Grand Duchy of Luxembourg. 

In the wake of the news, cyber security researchers reported that they are currently investigating the extent of the damage done. 

Encevo, the parent company of Creos and energy that facilitates five EU countries confirmed on July 25 that the firm suffered a cyberattack over the weekend of July 22–23. The cyberattack had rendered Encevo and Creos’ customer portals inaccessible however, the services themselves remained unaffected. 

According to the reports, the BlackCat ransomware group uploaded 150GB of data on its exaction site stolen from Encevo, including contracts, bills, passports, and emails. The gang is now threatening to release and sell the data within hours if the ransom isn't paid. 

The attack majorly affected the natural gas pipeline and the energy supplier Enovos, however, Encevo assured its users that the supply would not be disrupted. The firm recommended its users update their login credentials as soon as possible, alongside, customers should also change their passwords on other websites if they are the same. 

"For now, the Encevo Group does not yet have all the information necessary to inform personally each potentially affected person. This is why we ask our customers not to contact us at the moment. Once again we apologize to our customers for the inconvenience and we do our best to restore full service as soon as possible. Creos and Enovos emphasize once again that the supply of electricity and gas are not affected and that the breakdown service is guaranteed’’, the company added. 

Reportedly, Creos has been contacted by many cyber news portals enquiring about more technical details and the consequences of the cyberattack, however, the representatives of the company did not share any information on the matter.

Hackers Using 'Brute Ratel C4' Red-Teaming Tool to Evade Detection

 

Palo Alto Networks’ Unit 42 security researchers have uncovered that Russian state-sponsored hackers are compromising the latest Brute Ratel C4 or BRc4 red-teaming and adversarial simulation/penetration software in their latest and active attacks in an attempt to stay under the radar and evade detection.

Following the attack, Palo Alto Networks Unit  42 reported that a malware sample was uploaded to the VirusTotal database on May 19, 2022, in which they found a payload associated with Brute Ratel C4, a relatively new advanced toolkit that is designed to avoid detection and response (EDR) and antivirus (AV) capabilities. 

“The sample contained a malicious payload associated with Brute Ratel C4 (BRc4), the newest red-teaming and adversarial attack simulation tool to hit the market. While this capability has managed to stay out of the spotlight and remains less commonly known than its Cobalt Strike brethren, it is no less sophisticated. Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal,” said the network in their blog. 

Cyber intelligence at the network believes that malicious actors are targeting entities worldwide, however, they are making their primary targets in South and North America. 

The researchers issued a warning in which they urged the cybersecurity fraternity to investigate the attack and look in-depth for any sign of malware, including the BRc4 tool. 

Researchers have found that the malicious payloads indicate the involvement of the Advanced Persistent Threat group 29,  The Dukes, or Cozy Bear as the tactics employed were similar to this group. CozyBear is a Russian state-sponsored malicious group that was previously involved in the devastating Solar Winds attacks in 2020.

This commercial software was released in 2020 and has since gained over 480 licenses across 350 customers. BRc4 is equipped with a wide variety of features, it provides process injection, capturing screenshots, automating adversary TTPs, uploading and downloading files, support for multiple command-and-control channels, and it also has the ability to keep memory artifacts concealed from anti-malware engines.