Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label cyber threat. Show all posts
Wireless
Cyber Scammers cyber threat Cyberattacks CyberCrime FBI FCC Financial Loss Reddit SIM SIM swap Swap Scam T-Mobile Technology Verizon Wireless

Inside Job Exposed: T-Mobile US, Verizon Staff Solicited for SIM Swap Scam

 


T-Mobile and Verizon employees are being texted by criminals who are attempting to entice them into swapping SIM cards with cash. In their screenshots, the targeted employees are offering $300 as an incentive for those willing to assist the senders in their criminal endeavours, and they have shared them with us. 

The report indicates that this was part of a campaign that targets current and former mobile carrier workers who could be able to access the systems that would be necessary for the swapping of SIM cards. The message was also received by Reddit users claiming to be Verizon employees, which indicates that the scam isn't limited to T-Mobile US alone. 

It is known that SIM swapping is essentially a social engineering scam in which the perpetrator convinces the carrier that their number will be transferred to a SIM card that they own, which is then used to transfer the number to a new SIM card owned by the perpetrator. 

The scammer can use this information to gain access to a victim's cell phone number, allowing them to receive multi-factor authentication text messages to break into other accounts. If the scammer has complete access to the private information of the victim, then it is extremely lucrative. 

SIM swapping is a method cybercriminals utilize to breach multi-factor authentication (MFA) protected accounts. It is also known as simjacking. Wireless carriers will be able to send messages intended for a victim if they port the victim’s SIM card information from their legitimate SIM card to one controlled by a threat actor, which allows the threat actor to take control of their account if a message is sent to the victim. 

Cyber gangs are often able to trick carrier support staff into performing swaps by presenting fake information to them, but it can be far more efficient if they hire an insider to take care of it. In the past, both T-Mobile and Verizon have been impacted by breaches of employee information, including T-Mobile in 2020 and Verizon last year, despite it being unclear how the hackers obtained the mobile numbers of the workers who received the texts. 

The company stated at the time that there was no evidence that some of the information had been misused or shared outside the organization as a result of unauthorized access to the file, as well as in 2010 a Verizon employee had accessed a file containing details for about half of Verizon s 117,00-strong workforce without the employee's authorization.

It appears that the hackers behind the SIM swap campaign were working with outdated information, as opposed to recent data stolen from T-Mobile, according to the number of former T-Mobile employees who commented on Reddit that they received the SIM swap message. As the company confirmed the fact that there had not been any system breaches at T-Mobile in a statement, this was reinforced by the company. 

Using SIM swap attacks, criminals attempt to reroute a victim's wireless service to a device controlled by the fraudster by tricking their wireless carrier into rerouting their service to it. A successful attack can result in unauthorized access to personal information, identity theft, financial losses, emotional distress for the victim, and financial loss. Criminals started hijacking victims' phone numbers in February 2022 to steal millions of dollars by performing SIM swap attacks. 

The FBI warned about this in February 2022. Additionally, the IC3 reported that Americans reported 1,075 SIM-swapping complaints during the year 2023, with an adjusted loss of $48,798,103 for each SIM-swapping complaint. In addition to 2,026 complaints about SIM-swapping attacks in the past year, the FBI also received $72,652,571 worth of complaints about SIM-swapping attacks from January 2018 to December 2020. 

Between January 2018 and December 2020, however, only 320 complaints were filed regarding SIM-swapping incidents resulting in losses of around $12 million. Following this huge wave of consumer complaints, the Federal Communications Commission (FCC) announced new regulations that will protect Americans from SIM-swapping attacks to protect Americans from this sort of attack in the future.

It is required by the new regulations that carriers have a secure authentication procedure in place before they transfer the customer's phone numbers to a different device or service provider. Additionally, they need to warn them if their accounts are changed or they receive a SIM port out request.
Read more »
Vulnerabilities and Exploits
CISA cyber threat DLL hijacking North Korea North Korea Hackers Security Breach Vulnerabilities and Exploits

Navigating the Complex Landscape of Cyber Threats: Insights from the Sisense Breach and North Korean Tactics

 

In the intricate tapestry of cybersecurity, recent events have thrust vulnerabilities and threats into the spotlight once again. The breach of data analytics powerhouse Sisense, coupled with the emergence of novel sub-techniques utilized by North Korean threat actors, underscores the dynamic and relentless nature of cyber warfare. Let's delve deeper into these incidents and glean valuable insights for bolstering our defenses against evolving cyber threats. 

Sisense, a formidable player in the realm of business intelligence software, recently found itself ensnared in a security breach that rippled through critical infrastructure organizations. With offices sprawled across strategic locations such as New York City, London, and Tel Aviv, and a prestigious clientele including Nasdaq, ZoomInfo, Verizon, and Air Canada, Sisense's allure to cyber adversaries is palpable. 

The breach, currently under scrutiny by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), serves as a stark reminder of the precarious balance between innovation and security in today's digital landscape. At the heart of the Sisense breach lie two sub-techniques that have become favoured tools in the arsenal of North Korean threat actors. The first involves the manipulation of Transparency, Consent, and Control (TCC), a foundational security protocol governing application permissions on Apple's macOS. 

Despite the robustness of security measures such as Full Disk Access (FDA) and System Integrity Protection (SIP), attackers have exhibited a remarkable ability to circumvent these controls, gaining unfettered access to macOS environments. This tactic underscores the imperative of continuous monitoring and adaptive security strategies to thwart the nefarious designs of cyber adversaries. 

The second sub-technique, colloquially known as "phantom" Dynamic Link Library (DLL) hijacking, sets its sights on Windows environments, leveraging nonexistent DLL files referenced by the operating system. By capitalizing on this loophole, threat actors such as the Lazarus Group and APT 41 can inject malicious code undetected, posing a grave threat to system integrity. 

The clandestine nature of this tactic exemplifies the ingenuity and adaptability of cyber adversaries in navigating the labyrinthine landscape of cybersecurity defenses. Mitigating these sophisticated threats necessitates a multifaceted approach that encompasses both technical fortifications and user awareness initiatives. For macOS users, safeguarding the integrity of System Integrity Protection (SIP) and exercising caution with app permissions are imperative steps in mitigating the risk of TCC manipulation. 

In Windows environments, proactive monitoring, robust application controls, and preemptive measures to block remote DLL loading are indispensable in thwarting phantom DLL attacks. Moreover, fostering a culture of collaboration and information sharing between industry stakeholders and government agencies is paramount in confronting the ever-evolving threat landscape. 

By pooling resources, sharing threat intelligence, and adopting a unified front against cyber adversaries, organizations can amplify their collective resilience and fortify their defenses against emerging threats. 

In conclusion, the Sisense breach and the intricate tactics employed by North Korean threat actors serve as poignant reminders of the relentless onslaught of cyber threats. By remaining vigilant, proactive, and collaborative, organizations can navigate the turbulent waters of cybersecurity with resilience and fortitude, safeguarding their digital assets and preserving the integrity of our interconnected world.
Read more »
Ransomware
2024 cyber crimes Cyber Crime cyber threat Cyber-attacks in India India Kaspersky Ransomware

India's Businesses Under Huge Cyber Threats, Kaspersky Reported

Indian businesses are being warned about the looming threat of ransomware attacks by cybersecurity experts. These attacks not only jeopardize company data but also pose a serious risk to user information. To address this urgent issue, experts stress the importance of promptly implementing advanced threat intelligence and industrial cybersecurity solutions. 

Kaspersky, a prominent cybersecurity firm, sheds light on the severity of the situation through their research findings. They indicate that ransomware attacks expected in 2024 could result in significant financial losses similar to those experienced in 2023. This underscores the vulnerability of both IT and operational systems within Indian companies, urging them to take proactive steps to defend against potential cyber threats. 

India's vast user base and thriving enterprises have become prime targets for cybercriminals, as per insights from Kaspersky. The cybersecurity firm reveals that India consistently ranks among the top 12 targeted countries and territories for Advanced Persistent Threats (APTs) globally. 

Kaspersky's data underscores ransomware as the predominant cyber threat in 2024. The company points out that the increasing adoption of digital platforms within Indian organizations has stretched the local ICT supply chain, exposing visible vulnerabilities that attract cyberattacks. 

According to Kaspersky, following are Current Challenges Faced by Organizations in India: 

Escalation of Cyberthreats: The advent of the digital age has exposed organizations to heightened vulnerabilities, underscoring the critical importance of cybersecurity. India grapples with a wide array of cyber threats, spanning from financial fraud and data breaches to sophisticated cyber espionage campaigns. 

Varied Attack Methods: Given its expansive population, India serves as a fertile ground for cybercriminals who employ diverse tactics such as phishing, ransomware, and social engineering to infiltrate systems and networks. 

Sector-Specific Targets: Certain sectors, including financial institutions, e-commerce platforms, and government entities, find themselves particularly susceptible to cyberattacks due to the sensitive nature of the data they handle. 

Surge in Ransomware Attacks: The proliferation of ransomware incidents has witnessed a dramatic surge, resulting in significant disruptions to businesses that endure downtime ranging from several days to weeks. 

Furthermore, according to Kaspersky's report, more than 200,000 ransomware incidents were identified by their solutions in India during 2023. Notable ransomware groups such as Fonix and LockBit have actively targeted Indian organizations spanning various sectors including manufacturing, retail, agriculture, media, and healthcare. 

Additionally, findings from a CISCO study reveal a significant impact of cyber attacks on Indian startup businesses and SMBs. Approximately 62% of these entities have incurred costs amounting to ₹3.5 crore (equivalent to over US$430,000). Interestingly, the financial damages resulting from these cyber attacks surpass the investment required for implementing solutions aimed at mitigating such threats.
Read more »
Technology
AI CISO cyber threat Data protection LLM Machine learning Ransomware Technology

Enterprise AI Adoption Raises Cybersecurity Concerns

 




Enterprises are rapidly embracing Artificial Intelligence (AI) and Machine Learning (ML) tools, with transactions skyrocketing by almost 600% in less than a year, according to a recent report by Zscaler. The surge, from 521 million transactions in April 2023 to 3.1 billion monthly by January 2024, underscores a growing reliance on these technologies. However, heightened security concerns have led to a 577% increase in blocked AI/ML transactions, as organisations grapple with emerging cyber threats.

The report highlights the developing tactics of cyber attackers, who now exploit AI tools like Language Model-based Machine Learning (LLMs) to infiltrate organisations covertly. Adversarial AI, a form of AI designed to bypass traditional security measures, poses a particularly stealthy threat.

Concerns about data protection and privacy loom large as enterprises integrate AI/ML tools into their operations. Industries such as healthcare, finance, insurance, services, technology, and manufacturing are at risk, with manufacturing leading in AI traffic generation.

To mitigate risks, many Chief Information Security Officers (CISOs) opt to block a record number of AI/ML transactions, although this approach is seen as a short-term solution. The most commonly blocked AI tools include ChatGPT and OpenAI, while domains like Bing.com and Drift.com are among the most frequently blocked.

However, blocking transactions alone may not suffice in the face of evolving cyber threats. Leading cybersecurity vendors are exploring novel approaches to threat detection, leveraging telemetry data and AI capabilities to identify and respond to potential risks more effectively.

CISOs and security teams face a daunting task in defending against AI-driven attacks, necessitating a comprehensive cybersecurity strategy. Balancing productivity and security is crucial, as evidenced by recent incidents like vishing and smishing attacks targeting high-profile executives.

Attackers increasingly leverage AI in ransomware attacks, automating various stages of the attack chain for faster and more targeted strikes. Generative AI, in particular, enables attackers to identify vulnerabilities and exploit them with greater efficiency, posing significant challenges to enterprise security.

Taking into account these advancements, enterprises must prioritise risk management and enhance their cybersecurity posture to combat the dynamic AI threat landscape. Educating board members and implementing robust security measures are essential in safeguarding against AI-driven cyberattacks.

As institutions deal with the complexities of AI adoption, ensuring data privacy, protecting intellectual property, and mitigating the risks associated with AI tools become paramount. By staying vigilant and adopting proactive security measures, enterprises can better defend against the growing threat posed by these cyberattacks.

Read more »
Ransomware Threat
Cyber Security cyber threat Cyberattacks data security INC NHS Ransomware Threat

Data Breach Alert: 3TB of NHS Scotland Data Held Ransom by Cyber Threat

 


A ransomware group targeting a small group of patients has published clinical data related to a small number of those patients on the internet that the Dumfries and Galloway Health Board is aware of. In the meantime, three terabytes of data are also alleged to have been stolen thanks to a security breach that occurred at the National Health Service (NHS) in Scotland, by the INC Ransom extortion gang. 

 As a result of a ransomware attack in a regional branch, NHS Scotland says it has been able to contain the malware, preventing the infection from spreading to other branches and the entire organisation. A group of cybercriminals called INC Ransom claimed responsibility for the attack on NHS Scotland this week, claiming they stole three terabytes (TB) of data and leaked a limited number of sensitive documents as part of the attack. 

Earlier this month, NHS Dumfries and Galloway announced a serious cyberattack that resulted in their hospital being shut down. INC Ransom was offering samples of files that contained medical evaluations, psychological reports, and other sensitive information regarding patients and doctors in accompanying its warning posted on its extortion website. 

Despite the rumours that such a compromise had already been reached, the Scottish government made sure to emphasize that only the NHS Dumfries and Galloway regional health board was affected by this new agreement. Several days later, NHS Dumfries and Galloway officials revealed that during a breach of security two weeks ago, large quantities of personally identifiable information had been accessed, stolen, and exfiltrated, resulting in a large number of people's details being misused. 

As of July 2023, the INC Ransom operation has gained a lot of attention, targeting both government organizations as well as private businesses to extort their data for ransom. Education, healthcare and government institutions, as well as industrial entities like Yamaha Motor Corporation, are among those that suffer losses from this attack. As the attack was likely to have occurred around March 15, reports emerged that a cybersecurity incident was affecting NHS Scotland services. 

There were several sample documents published yesterday by the threat actor in a blog post, including medical assessments, analysis results, and psychological reports on doctors and patients with sensitive details. Throughout its history, INC has shown no restraint in its process of choosing the types of victims it is willing to target, either. 

There have been several incidents of ransomware spreading across the healthcare industry, education, as well as charities. This is something that has happened in its short time on the ransomware scene. The fact remains, though, that very few cybercriminals exercise that level of restraint in the current day and age. Due to the critical nature of healthcare and the fact that it provides several essential services, cybercriminals and ransomware baddies continue to target it. 

There is a chance that there will be a ransom paid if disruptions can be caused, allowing for patients to be cared for with full capability if a ransom is paid. ALPHV/BlackCat was credited by the media with blaming Change Healthcare for a potentially devastating attack spread across a period of weeks across February and March of this year, which knocked out services for weeks on end.

In February, Romania experienced a significant ransomware incident affecting over 100 facilities, highlighting the persistent targeting of healthcare by cybercriminals. This incident is one of numerous examples underscoring the sector's vulnerability to such threats. The United States has responded to this challenge by introducing initiatives like the Advanced Research Projects Agency for Health (ARPA-H) within DARPA. 

This addition to a two-year cash-for-ideas competition aims to discover methods for securing code in critical infrastructure, including healthcare systems. Last summer, the announcement of the Artificial Intelligence Cyber Challenge (AICC) further demonstrated efforts to combat cyber threats. Teams participating in this challenge are tasked with developing autonomous tools to detect code issues in software used by vital organizations like hospitals and water treatment facilities—both prime targets for cybercrime.

ARPA-H has allocated $20 million towards the AIxCC, emphasizing its commitment to safeguarding healthcare from devastating attacks. Such attacks, exemplified by incidents like the one on Change Healthcare, underscore the urgent need for enhanced cybersecurity measures to prevent disruptions that could jeopardize patient care.
Read more »
school technology
American Schools Cyber Attacks cyber threat data security education sector Ransom Demand school technology

South St. Paul Public Schools Grapple with Ongoing Tech Disruption

 

South St. Paul Public Schools recently alerted families to ongoing technology disruption, shedding light on potential disruptions to online platforms, emails, and other digital services. In a note on Monday, the district acknowledged technical difficulties and later revealed the presence of "unauthorized activity" within its computer network. 

Upon discovering the unusual activity, the district swiftly took its systems offline to isolate the issue. To address the situation comprehensively, South St. Paul Public Schools enlisted the assistance of a third-party cybersecurity firm. This partnership aims not only to recover systems but also to investigate the cause and scope of the unauthorized activity. 

The district actively focuses on restoring all systems, emphasizing the importance of maintaining a productive learning environment for students and staff. Acknowledging the inevitability of cyber threats in today's interconnected world, South St. Paul Public Schools reassured families that proactive steps had been taken to create a secure online environment. 

This incident adds to a series of cybersecurity challenges faced by educational institutions in the region. In a previous case, the St. Paul school district notified over 43,000 families about a "data security incident" in February 2023. Fortunately, only student names and email addresses were compromised in the unauthorized access. 

The University of Minnesota also grappled with a data breach last year, exposing personal information spanning 30 years, from 1989 to August 2021. The breach targeted names, addresses, phone numbers, Social Security numbers, driver’s licenses, and passport information. Minneapolis Public Schools faced a ransomware attack in the same year, exposing confidential student documents online. 

The refusal to pay a $1 million ransom led to the compromise of sensitive data, including sexual assault cases, medical records, and discrimination complaints. South St. Paul Public Schools' proactive approach to addressing the ongoing technology disruption showcases the importance of swift action and collaboration with cybersecurity experts. 

As educational institutions continue to face digital threats, it becomes imperative for them to prioritize robust security measures, ongoing vigilance, and prompt response strategies. In an era where technology is deeply integrated into the educational landscape, the South St. Paul incident serves as a reminder of the ever-present challenges in safeguarding digital infrastructures. Educational institutions must remain vigilant, continually adapting to the evolving threat landscape to ensure a secure and uninterrupted learning experience for students and staff.
Read more »
PLCs
Cyber Security cyber threat Industrial control system Malware Threat PLCs

Web-Based PLC Malware: A New Frontier in Industrial Cybersecurity Threats

 

The increasing prevalence of programmable logic controllers (PLCs) featuring embedded web servers has opened avenues for potential catastrophic remote attacks on operational technology (OT) within industrial control systems (ICS) in critical infrastructure sectors. 

Researchers from the Georgia Institute of Technology have developed malware that could enable adversaries to remotely access embedded web servers in PLCs, potentially leading to manipulation of output signals, falsification of sensor readings, disabling safety systems, and other actions with severe consequences, including loss of life. PLCs are integral components of ICS, responsible for controlling physical processes and machinery in manufacturing, industrial, and critical infrastructure settings. 

Malware targeting PLCs typically aims to disrupt or sabotage the physical processes they control. The newly developed web-based PLC malware differs fundamentally from traditional PLC malware. Unlike previous versions that required prior physical or network access, the web-based malware attacks the front-end web layer in PLCs using malicious JavaScript. 

This approach eliminates some limitations faced by previous malicious code, providing advantages such as platform independence, ease of deployment, and higher levels of persistence. Historically, PLC malware-infected firmware or control logic, requires specific access or is easily erasable via factory resets. The web-based malware targets the web layer, making it fundamentally different and more challenging to mitigate. 

The outcomes of cyberattacks using this new strain of malware mirror those of previous successful PLC attacks, including the infamous Stuxnet campaign that targeted Siemens PLCs to dismantle high-speed centrifuges at Iran's Natanz uranium enrichment facility. While other attacks, such as BlackEnergy, Triton/Trisis, and INCONTROLLER, have demonstrated the potential damage to systems controlling physical processes, the Georgia Tech researchers' web-based PLC malware offers a more persistent and easier-to-deploy method. 

The researchers conducted a proof-of-concept cyberattack in a scenario resembling a Stuxnet-like attack on a widely used PLC controlling an industrial motor. The PLC featured a web-based interface for remote monitoring, programming, and configuration. In their test scenario, the researchers explored how an attacker could gain initial access to the PLC by remotely injecting malicious code into the web server. 

The web-based PLC malware allowed the attacker to physically damage the industrial motor, manipulate admin settings for further compromise, and steal data for industrial espionage. The unique aspect of this web-based PLC malware lies in its residence in PLC memory while being executed client-side by various browser-equipped devices across the ICS environment. The malware utilizes ambient browser-based credentials to interact with the PLC's legitimate web APIs, facilitating attacks on real-world machinery. 

This type of malware presents challenges for defenders due to its ease of deployment and platform-agnostic nature. As industrial systems continue to integrate web-based interfaces for remote access and monitoring, the security community must stay vigilant to address evolving threats like web-based PLC malware and ensure the resilience of critical infrastructure against potential cyber-physical attacks.
Read more »
ransomware attacks
Cyber Attacks cyber threat Cyberalert CyberCrime Cyberhackers Cybersecurity Immigratino System ransomware attacks

Cybersecurity Nightmare Unfolds as Malawi's Immigration Systems Under Attack

 


There has been a recent cyberattack on Malawi, according to President Lazarus Chakwera, which has caused the government to stop issuing passports. However, some observers believe such an attack did not occur. Chakwera informed parliament on Wednesday that security measures were in place to identify and apprehend the attackers who compromised the country's security. 

It was his statement that the attackers were demanding millions in ransom, but the administration was unwilling to pay it. The hacker has been causing the Department of Immigration and Citizenship Services' passport printing system to malfunction over the past three weeks, according to him. In Malawi, there is a high demand for passports with many young people seeking to migrate to find employment. 

As a result of Mr Chakwera's request, the immigration department is expected to provide a temporary solution within three weeks of regaining control of the system to resume passport issuance. There would be an additional security safeguard developed as part of the long-term solution, he said. 

In his address on Wednesday, Chakwera said that he had given the immigration department a three-week deadline to provide a temporary solution to the passport printing issue and to resume printing of passports. He further said at the same event that he had reassured hackers that the Malawi government would not pay ransoms. As a result of the government's termination of the contract with Techno Brain, which had supplied Malawi’s passports since 2019, Malawi has experienced passport issues since 2021. 

As a result of the government's inability to find a replacement for the company in 2023, the company was re-engaged temporarily. Nevertheless, immigration officials often had to scale back production due to shortages of materials or unpaid bills, which resulted in them having to scale down production several times. In addition to being the executive director of the Center for Democracy and Economic Development Initiatives, Sylvester Namiwa is also a member of the organization that has threatened to hold protests within the coming days if it does not receive an immediate resolution. 

According to Chakwera, he has questioned the integrity of the claim that the system had been hacked by someone else. During a radio interview with a local radio station on Thursday, Malawi's Information Minister Moses Nkukuyu explained that the information Chakwera presented in parliament had been provided by immigration experts. VOA's calls and texts to Wellington Chiponde, a spokesperson for the immigration department, were not responded to.
Read more »
ransomware attacks
ALPHV Cyber Crime cyber threat Cyberattacks CyberCrime Cybersecurity Financial Fraud LoanDepot ransomware attacks

ALPHV Ransomware Strikes: LoanDepot and Prudential Financial Targeted

 


Recently, Prudential Financial and loanDepot, two Fortune 500 companies were attacked by the ALPHV/Blackcat ransomware gang, which claims responsibility for the breaches. Despite the threat actors still having to prove their claims, the two companies were added to ALPHV's dark web leak site today, which is the first time the threat actors have added them to the dark web leak site. As a result of failed negotiations, ALPHV will be selling the stolen data from loanDepot's network and releasing Prudential's data for free as well. 

There was a data leak on the site of the infamous ALPHV ransomware operator - the BlackCat group - that revealed Prudential Financial and loanDepot as being the targets of the attacks on both firms, as an apparent admission by the group that it had been behind the attacks on these firms. Currently, the group has only added the names to its site, while the actual data has not yet been available. Because negotiations with Prudential Financial broke down, the group will be publishing its database for free for all to see. 

A company representative stated that the company would provide free credit monitoring and identity protection to those affected by the data breach. With roughly 6,000 employees and more than $140 billion in loan servicing in the United States, loanDepot is among the largest nonbank retail mortgage lenders in the U.S. A suspected cybercrime group breached Prudential Financial's network on February 4 and stole employee and contractor data. 

Prudential Financial also revealed on Tuesday that this breach occurred on February 4. Despite Prudential's ongoing investigation of the incident, it has not been determined if the attackers also exfiltrated customer or client data, even though the incident is being assessed in its full scope and impact. With revenue expected to exceed $50 billion in 2023, this Fortune 500 company will rank second in the world for life insurance companies in the U.S. 

They employ more than 40,000 people around the world. As part of the State Department's announcement, rewards of up to $10 million are being offered for tips that could lead to the identification or location of ALPHV gang leaders. 

During the first four months of this gang's activity between November 2021 and March 2022, it was linked to more than 60 breaches around the world, and an additional $5 million reward was offered for information on individuals who were either involved or attempted to be involved in ALPHV ransomware attacks. 

Law enforcement agencies estimate that ALPHV will have received at least $300 million through ransom payments from over 1,000 victims by the end of September 2023, as per the law enforcement agency. The Prudential Financial Corporation (Prudential Financial) filed an 8-K form with the Financial Industry Regulatory Authority (FINRA) last week detailing the incident that occurred. 

Although the company is still investigating the incident, its latest findings were that no sensitive information concerning its customers or clients was compromised. More than 40,000 people work for Prudential every year, and as a result, the company has more than $50 billion in revenues each year, making it one of the world's largest financial services companies. 

As a result of the new information, which comes shortly after the U.S. Upon receiving information that could help identify or locate ALPHV leaders, the State Department offered up to $10 million, with an additional $5 million for information on those who participated (or attempted to participate) in the ALPHV ransomware attack, for information that could lead to that identification. 

One of the most popular and active ransomware groups, next to LockBit, or Cl0p, is ALPHV. It has made headlines across the globe for its activism and popularity. In the latter half of 2021, it became apparent that DarkSide and BlackMatter had merged, possibly after these two companies merged. ALPHV and its affiliates are believed to have extorted hundreds of millions of dollars from its victims during its lifetime.
Read more »
Digital Privacy
AI technology Cyber Security cyber threat Data protection Digital Privacy

Indian SMEs Lead in Cybersecurity Preparedness and AI Adoption

 

In an era where the digital landscape is rapidly evolving, Small and Medium Enterprises (SMEs) in India are emerging as resilient players, showcasing robust preparedness for cyber threats and embracing the transformative power of Artificial Intelligence (AI). 

As the global business environment becomes increasingly digital, the proactive stance of Indian SMEs reflects their commitment to harnessing technology for growth while prioritizing cybersecurity. Indian SMEs have traditionally been perceived as vulnerable targets for cyber attacks due to perceived resource constraints. However, recent trends indicate a paradigm shift, with SMEs becoming more proactive and strategic in fortifying their digital defenses. 

This shift is partly driven by a growing awareness of the potential risks associated with cyber threats and a recognition of the critical importance of securing sensitive business and customer data. One of the key factors contributing to enhanced cybersecurity in Indian SMEs is the acknowledgment that no business is immune to cyber threats. 

With high-profile cyber attacks making headlines globally, SMEs in India are increasingly investing in robust cybersecurity measures. This includes the implementation of advanced security protocols, employee training programs, and the adoption of cutting-edge cybersecurity technologies to mitigate risks effectively. Collaborative efforts between industry associations, government initiatives, and private cybersecurity firms have also played a pivotal role in enhancing the cybersecurity posture of Indian SMEs. Awareness campaigns, workshops, and knowledge-sharing platforms have empowered SMEs to stay informed about the latest cybersecurity threats and best practices. 

In tandem with their cybersecurity preparedness, Indian SMEs are seizing the opportunities presented by Artificial Intelligence (AI) to drive innovation, efficiency, and competitiveness. AI, once considered the domain of large enterprises, is now increasingly accessible to SMEs, thanks to advancements in technology and the availability of cost-effective AI solutions. Indian SMEs are leveraging AI across various business functions, including customer service, supply chain management, and data analytics. AI-driven tools are enabling these businesses to automate repetitive tasks, gain actionable insights from vast datasets, and enhance the overall decision-making process. 

This not only improves operational efficiency but also positions SMEs to respond more effectively to market dynamics and changing customer preferences. One notable area of AI adoption among Indian SMEs is cybersecurity itself. AI-powered threat detection systems and predictive analytics are proving instrumental in identifying and mitigating potential cyber threats before they escalate. This proactive approach not only enhances the overall security posture of SMEs but also minimizes the impact of potential breaches. 

The Indian government's focus on promoting a digital ecosystem has also contributed to the enhanced preparedness of SMEs. Initiatives such as Digital India and Make in India have incentivized the adoption of digital technologies, providing SMEs with the necessary impetus to embrace cybersecurity measures and AI solutions. Government-led skill development programs and subsidies for adopting cybersecurity technologies have further empowered SMEs to strengthen their defenses. The availability of resources and expertise through government-backed initiatives has bridged the knowledge gap, enabling SMEs to make informed decisions about cybersecurity investments and AI integration. 

While the strides made by Indian SMEs in cybersecurity and AI adoption are commendable, challenges persist. Limited awareness, budget constraints, and a shortage of skilled cybersecurity professionals remain hurdles that SMEs need to overcome. Collaborative efforts between the government, industry stakeholders, and educational institutions can play a crucial role in addressing these challenges by providing tailored support, training programs, and fostering an ecosystem conducive to innovation and growth. 
 
The proactive approach of Indian SMEs towards cybersecurity preparedness and AI adoption reflects a transformative mindset. By embracing digital technologies, SMEs are not only safeguarding their operations but also positioning themselves as agile, competitive entities in the global marketplace. As the digital landscape continues to evolve, the resilience and adaptability displayed by Indian SMEs bode well for their sustained growth and contribution to the nation's economic vitality.
Read more »
Vulnerabilities and Exploits
cyber threat Device Security Linux Malware Attack Vulnerabilities and Exploits

Shim Bug Uncovered: A Ten-Year Security Breach in Linux Boot Loaders

 

In the dynamic realm of cybersecurity, discovering a significant flaw in every Linux boot loader signed in the past decade has underscored the pervasive nature of potential threats. This blog explores the intricacies of the Shim bug, its implications for Linux systems, and the urgent response required to mitigate its impact. 

The Shim bug, a critical vulnerability affecting Linux boot loaders, has sent security experts into a heightened state of alert. The flaw lies in the code of the Shim bootloader, a crucial component in the Secure Boot process designed to ensure the integrity of the boot sequence. The bug itself has silently persisted for an astounding ten years, evading detection until now. 

The far-reaching impact of the Shim bug cannot be overstated, as it compromises the security of every Linux boot loader signed over the past decade. Secure Boot, a fundamental security feature, is designed to prevent the loading of unsigned or malicious code during the boot process. However, this vulnerability allows threat actors to bypass these protections, opening the door to unauthorized access, malware injection, and other malicious activities. 

The longevity of the Shim bug's existence without detection raises questions about the efficacy of current security measures and the challenges inherent in identifying hidden vulnerabilities. Its discovery highlights the need for ongoing scrutiny, even of well-established and seemingly secure components within the Linux ecosystem. 

Addressing the Shim bug requires a swift and coordinated response from the Linux community. Developers and maintainers work diligently to release patches and updates addressing the vulnerability. Additionally, Linux users are urged to update their systems promptly, applying the necessary patches to safeguard their devices from potential exploitation. 

The Shim bug emphasizes the collaborative nature of the open-source community, where rapid identification and response to vulnerabilities are paramount. Developers, security experts, and Linux users alike must work in unison to fortify the security infrastructure of the operating system and ensure a resilient defence against emerging threats. 

The discovery of the Shim bug serves as a poignant reminder of the ever-evolving threat landscape and the importance of continuous vigilance in cybersecurity. It prompts a reevaluation of existing security practices, encouraging the adoption of proactive measures to detect and address vulnerabilities before they become decade-long silent menaces. 

As the Linux community grapples with the repercussions of the Shim bug, the broader cybersecurity landscape is reminded of the persistent challenges in securing complex systems. The discovery and swift response to such critical vulnerabilities are integral to maintaining the integrity and trustworthiness of open-source platforms like Linux. The lessons learned from the Shim bug should fuel ongoing efforts to fortify security measures, ensuring a resilient defence against future threats in the ever-changing realm of cybersecurity.
Read more »
Technology
cyber threat CyberCrime Data Breach Healthcare cybersecurity Technology

Patient Privacy in Focus: Healthcare's Cyber Challenges





Amidst the rapid evolution of technology in healthcare, a crucial focus has come to light: the security of medical devices. Let's explore the intricacies of this issue together, understanding its importance and finding the right balance between advancing technology and strengthening our healthcare foundation. 

The Growing Threat 

Healthcare systems are prime targets for hackers looking to snag valuable patient data. This isn't just a disruption in patient care – there's a twist involving our medical gadgets. Beyond compromising records, even medical devices like MRIs and ventilators face potential risks, especially those running on outdated software. 

Government Recommendations 

A recent government watchdog recommended increased collaboration between the Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) to enhance the security of medical devices. Although these devices haven't been the primary focus of cyber threats, their vulnerabilities pose risks to both hospital networks and patient well-being. 

Expert Insights 

Toby Gouker from First Health Advisory emphasises the critical nature of this issue, describing it as a significant vulnerability for health systems. Recognizing this weakness, healthcare providers must prioritise cybersecurity efforts, particularly concerning medical devices, to ensure the safety of patient data and uninterrupted healthcare services. 

Challenges in Legacy Devices 

Looking ahead, the focus on device security is not just a theoretical concern; according to Gouker, these devices will likely become more attractive targets as health systems improve their defences against hacking attempts targeting health records. Gouker emphasises the financial impact, pointing out that high-value devices like MRIs are often the backbone of hospital revenue. Disrupting these multimillion-dollar machines could potentially cripple entire health systems. 

Regulatory Measures and Connectivity Concerns 

A crucial detail is that, since March of the previous year, a new law mandates manufacturers to submit cybersecurity plans for new medical devices to the FDA. However, this regulation doesn't extend to the plethora of already-existing connected devices. Chelsea Arnone from the College of Healthcare Information Management Executives highlights the widespread connectivity, noting that everything from hospital beds to infusion pumps and vital-sign monitors is online and thus susceptible to hacking. Many of these devices use off-the-shelf software vulnerable to threats like viruses and worms. 

Urgent Need for a Comprehensive Approach 

Despite recent requirements for new devices, manufacturers have historically not been obligated to provide patches or solutions for vulnerabilities in ageing devices, although some have done so for a limited period. This information underscores the urgent need for a comprehensive approach to address cybersecurity risks in the evolving landscape of medical devices. 

Real-world Incident and Awareness Gap 

In a recent incident, a hospital discovered unauthorised access to a medical device from Russia, stressing on the challenges in addressing cybersecurity threats. An FDA report suggests managing cybersecurity risks for legacy devices, but only a fraction of health systems implement such measures due to cost and awareness issues. There's a pressing need for heightened awareness and cost-effective solutions to fortify medical device cybersecurity across healthcare organisations. 

In addressing healthcare cybersecurity challenges, bureaucratic obstacles appear to be of great concern, causing delays and inefficiencies in responding to hacking threats. Streamlining these processes is paramount. Be attentive, advocate transparency, and support efficient protocols to secure our healthcare systems against burgeoning cyber threats.



Read more »
threats
Cyber Data Cyber Security cyber threat Data Data Safety Safety threats

Securing Wearable Devices: Potential Risks and Precautions

 

In the rapidly evolving landscape of digital security, individuals are increasingly vulnerable to cyber threats, not only on conventional computers and smartphones but also on wearable devices. The surge in smartwatches and advanced fitness trackers presents a new frontier for potential security breaches.

Just like traditional devices, wearables store and transmit valuable data, making them attractive targets for hackers. If successfully compromised, these devices could become conduits for unauthorized prescription orders or even allow the tracking of an individual's location through the embedded GPS feature. The threat extends beyond personal wearables, with concerns arising about vulnerabilities in medical offices and equipment. The FDA has issued warnings about potential loopholes that hackers could exploit to target critical medical devices such as pacemakers and insulin pumps.

The risk isn't confined to personal privacy; there's a growing concern about the impact a hacked wearable could have on corporate networks. With the proliferation of connected devices, a compromised smartwatch might provide an easier entry point for hackers seeking to infiltrate company systems, especially if the wearable syncs with multiple networks.

One notable vulnerability lies in the Bluetooth connection that wearables commonly share with smartphones. While any internet-connected device carries inherent risks, wearables often use smartphones as intermediaries rather than operating as standalone devices. Presently, security compromises have mainly originated from devices connected to wearables or compromised external databases, making wearables a theoretical but legitimate concern.

To mitigate these risks, users are advised to exercise caution when installing apps on their wearables. Verifying the legitimacy of sources, checking user reviews, and researching app safety are essential steps to ensure the security of wearable devices. This advice extends to smartphones, where users should scrutinize app permissions, restricting access to unnecessary information and promptly deleting suspicious apps.

In this era of pervasive connectivity, safeguarding personal and corporate data requires a proactive approach, extending beyond conventional devices to include the emerging frontier of wearable technology.
Read more »
SMBs
Australian Businesses Australian Government Cyber Security cyber threat Small Businesses SMBs

Australian SMBs Faces Challenges in Cyber Security


The internet has turned into a challenge for small to midsize businesses based in Australia. In addition to the difficulty of implementing innovative technology quickly and with limited resources because of the rate of invention, they also face the same cyberthreats that affect other organizations. Then, as 60% of SMBs close following a breach, companies that are breached are likely to fail later.

This has raised concerns of the regulators. 

According to a recent report by ASIC, ‘medium to large’ business firms are recently been reporting severe cyber security capabilities in comparison to other organizations, including supply chain risk management, data security, and consequence management.

In response to the aforementioned threats, the Australian government has announced an AU $20 million package to boost small businesses. An optional cyber "health check" program is being established as part of this to assist small business owners in assessing the maturity of their cyber security. A Small Business Cyber Resilience Service, which will offer a one-on-one service to assist small firms in recovering from a cyber assault, will also receive $11 million of the package. 

This initiative will focus on areas where SMBs are the most vulnerable. However, small firms will also need to take it upon themselves to place a lot greater emphasis on resilience than they have been doing in the face of growing cyber threats. 

The Risk in Numbers 

The ASIC research analysis found that small businesses are only slightly more effective than half of their medium and big counterparts in several areas, such as identifying threats and overcoming them.

The significant percentages of small businesses are as follows:

  • Do not follow or benchmark against any cyber security standard (34%).
  • Do not perform risk assessments of third parties and vendors (44%).
  • Have no or limited capability in using multi-factor authentication (33%)./ Do not patch applications (41%).
  • Do not perform vulnerability scans (45%). Do not have backups in place (30%).

The Cost to Small Business

The Annual Cyber Threat Report 2022-23 published by the Australian Signals Directorate reveals that the average cost of cybercrime has increased by 14% over the past year. Small firms paid $46,000, medium-sized organizations paid $97,200, and bigger enterprises paid $71,600.

Of course, that is a financial burden for any business, but it seems to be especially harmful for SMBs. Approximately 60% of small firms that experience a breach ultimately go out of business as a direct result of it.

These organizations face a real existential threat from cyber security. Even those who manage to escape the breach's direct costs still have to deal with the harm to their reputation, which can cost them partners and customers as well as short-term cash flow. In the best-case scenario, a cyberattack "just" prevents the small business from expanding and growing.

What can Small Businesses do? 

After identifying the restrictions on resources available to small businesses, the ASD and Australian Cyber Security Centre have designed the Essential Eight, a set of best practices for security and small enterprises. These are as follows:

  • Creating, implementing and managing a whitelist of approved applications. 
  • Implementing a process to regularly update and patch systems, software and applications.
  • Disabling macros in Microsoft Office applications unless specifically required, and training employees not to deploy macros in unsolicited email attachments or documents. 
  • Securing the configuration of web browsers to prevent harmful content, hence hardening user applications. Keeping browser extensions up to date and only using those that are required.
  • Restricting administrative privileges to those who need them. 
  • Configuring operating system patching through automatic updates.
  • Using strong, unique passwords and enabling multi-factor authentication. 
  • Isolating backups from the network and performing daily backups of important data.  

Read more »
SEKOIA
BEC Cyber Security cyber threat Finance Sector Phishing Campaigns SEKOIA

Sekoia Reports: Latest in the Financial Sector Cyber Threat Landscape


France-based cybersecurity company Sekoia published a new report regarding the evolution in the financial sector threat landscape. 

Among the many cybersecurity issues, phishing attacks like QR code phishing were the ones that have seen a massive surge in the sector.

Also, the report noted that the finance sector is subject to attacks on the software supply chain. 

Phishing as a Service Massively Hits the Sector

Sekoia claims that in 2023, the phishing-as-a-service paradigm reached widespread use. Cybercriminals are selling phishing kits that comprise phishing pages that mimic various financial institutions, as well as kits designed to take over Microsoft and obtain login credentials for Microsoft 365, which businesses utilize to authenticate to multiple services.

One instance of such a threat is NakedPages PhaaS, that offers phishing pages for varied targets, among which are the financial institutions. With over 3,500 individuals, the threat actor maintains licenses and frequently posts updates on its Telegram channel.

In regards to the aforementioned number, Sekoia based strategic threat intelligence analyst, Livia Tibirna says “generally speaking, cybercrime actors tend to increase their audience, and so their visibility, by inviting users to join their public resources. Therefore, the users are potential (future) customers of the threat actors’ services. Yet, other type of users joining threat actors’ Telegram resources are cybersecurity experts monitoring the related threats.”

QR Code Phishing Campaigns are on the Rise/ Sekoia reports an upsurge in the quantity of QR code phishing, or quishing, activities. Attacks known as "quishing" include using QR codes to trick people into divulging personal information—like login passwords or bank account details.

The cybersecurity firm notes that QR code phishing will eventually increase due to its “effectiveness in evading detection and circumventing email protection solutions.”

According to Sekoia, the most popular kit in Q3 of 2023 is the Dadsec OTT phishing as a service platform, which includes quishing features. It has been noted in a number of extensive attack campaigns, specifically posing as financial institutions.

Multiple Supply Chain Risks

Attacks against the supply chain of open-source software increased by 200% between 2022 and 2023. Since open-source components are used in digital products or services by 94% of firms in the financial sector, the industry is susceptible to attacks that take advantage of supply chain compromises involving open-source software.

One of the examples is the Log4Shell vulnerability and its exploitation, that has targeted thousands of companies globally for financial benefits and espionage. 

There have also been reports of supply chain attacks that particularly target the banking industry, demonstrating the potential of certain threat actors to create complex attacks against the industry.

"It is highly likely that advanced threat actors will persist in explicitly targeting the software supply chain in the banking sector," according to Sekoia.

Financially Oriented Malware 

Sekoia also mentioned some of the financially oriented malware that are predominantly designed to steal financial data, like credit card information, banking credentials, crypto wallets and other critical data, like: 

Mobile Banking Trojans: Sekoia has expressed special concern about the growing number of Trojans associated with mobile banking, which more than doubled in 2022 compared to the previous year and is still growing in 2023. According to Sekoia, this is probably because more mobile devices are being used for financial services, and that malware makes it easier to get around two-factor authentication.

Spyware: According to Sekoia, the usage of spyware, which are malicious programs made to gather passwords, sensitive data, and keystrokes, has increased in bank fraud in 2023. One kind of Android malware is called SpyNote, and it has added targeting of banking applications to its list of features.

Ransomware: The finance industry is a prime target for ransomware; in the third quarter of 2023, it was the sector most affected. Ransom demands ranged from $180,000 to $40 million, and in many instances, they had severe physical repercussions.

According to Sekoia, well-known ransomware actors that use extortion to affect the financial industry, like BianLian, have changed to an exfiltration-based extortion strategy that does not encrypt the victims' systems or data. This action is probably taken to prevent widespread encryption issues during large-scale hacking operations.

Reduce Cyber Threat Risks

The financial sector is vulnerable to several security risks. Although BEC and phishing have been around for a while, they have become more sophisticated over time to continue to impact the industry and stay up with emerging technologies. Every employee of financial institutions needs to be trained to recognize potential fraud or phishing efforts. Additionally, they want to have a simple method for informing their IT staff of any unusual activities.

However, more indirect attacks have recently entered the chart, since threat actors have been targeting organizations through supply chain attacks. Specifically, before being implemented, open-source software utilized in goods or services needs to be thoroughly examined.  

Read more »
Social Media
cyber threat Cyberattacks CyberCrime Cybersecurity Data Theft data threat IAK IT Service Social Media

Guarding the Gate: How to Thwart Initial Access Brokers' Intrusions

 


The term "Access-as-a-service" (AaaS) refers to a new business model in the underground world of cybercrime in which threat actors sell one-time methods to gain access to networks to infiltrate networks for as little as one dollar. 

One group of criminals, which are known as access brokers, initial access brokers, and initial access traders (IABs), are stealing credentials of enterprise users and selling them to other groups of attackers. There are also encryption tools that can be used by these buyers to secretly exfiltrate your personal information from the target organization using malware-as-a-service (MaaS) or ransomware-as-a-service (RaaS). 

Cybercrime-as-a-service (CaaS) is a growing trend that is increasingly being used as a platform for committing crimes. A significant portion of the evolution of ransomware attacks over the last decade has taken place at both the technological level and organizational level as threat actors have attempted to expand the scope and profitability of their operations. 

A pivotal factor behind the widespread increase in the frequency and complexity of ransomware attacks can be attributed to the provision of ransomware as a service (RaaS). RaaS, which operates much like SaaS, and involves the creation of ransomware capabilities and selling or leasing them to buyers, has lowered the barrier to entry for the extortion business and provided a simpler and more accessible model. 

There are now a number of operators working together in unison to orchestrate the attacks in order to achieve the goal, including Users, Affiliates, and Initial Access Brokers, who act as a cohesive team. According to the recent report, "Rise of Initial Access Brokers", these intermediaries, which are the first to get access to cyberattack victims, are playing a key role at the top of the kill-chain funnel of cyberattacks. 

An independent analysis bureau (IAB) can be defined as a de facto intermediary whose business model is exactly what their name suggests: they breach the networks of as many companies as they are able to. Upon accessing victims, they then sell to the highest bidders at the highest prices. There is a tendency for ransomware groups to buy the ransomware from the buyers. 

A growing number of independent advisory boards have been formed recently mainly as a result of the pandemic and the ensuing migration to work from home. As a result of workers log in remotely and connecting to untrustworthy Wi-Fi networks, untrustworthy Wi-Fi networks can be exploited to allow attackers to gain access to systems.

There is a growing trend among cybercriminals of scanning at scale for vulnerabilities that will allow them to access remote systems, such as virtual private networks (VPNs) and selling this access to their victims. Once the details of a vulnerability are made public, the Information Assurance Business deploys info stealers to gather keystrokes, session cookies, credentials, screenshots and video recordings, local information, browser history, bookmarks, and clipboard material from the compromised device as soon as the details are made public. 

As soon as an information stealer is installed in an organization or system, a remote access Trojan (RAT) will begin to collect raw log files to log information. As a result, these logs are manually reviewed to identify usernames and passwords that may be used to sell or monetize identities on the Dark Web. This means that IABs are seeking login credentials to access virtual private networks (VPNs), remote desktop protocols (RDPs), Web applications, and email servers that will aid in the recruitment of spear phishing scammers and potential business email compromise schemes. Occasionally, some brokers have direct contact with system administrators or end users who may be willing to sell access to their systems directly through them. 

Threat groups have been advertising (on the Dark Web) in recent months for administrators and end users who are willing to share their credentials with them in exchange for large amounts of cryptocurrency in exchange for sharing credentials for a few minutes. 

Threat groups have contacted employees from specific organizations to obtain access to their systems in exchange for larger payments. It is safe to say that initial access brokers have taken the spotlight in the past year because they have demonstrated a significant ability to facilitate network intrusions by ransomware affiliates and operators, and they have been very successful at it. As the cybercrime underground ecosystem becomes more active and popular, these initial access brokers ("IABs") will continue to gain popularity as the cybercrime underground ecosystem grows. 

A Guide to Defending Against Access Brokers 


Users should identify their attack surface and develop a plan to address it, to close security gaps, security teams must gain an outside-in perspective on their entire enterprise attack surface. Empower user security teams to map their assets, visualize attack paths, and define plans to address them so that they can close the gaps.  

Identity protection should be considered a priority, today, plenty of malware-free attacks, social engineering, and similar attempts have been made to steal and use credentials, making it crucial that strong identity protection is implemented. Employees need to be taught about social media, not just how to use it. 

Avoid announcing department closures or IT service changes on social media, and remind them to refrain from sharing private information on social media. Users should train their staff not to share credentials over support calls, emails, or support tickets. 

Finally, users should avoid publishing executive or IT contact information on their company's website — it might facilitate impersonation attempts on their behalf. 

To protect the cloud, a strong cloud protection strategy is required. There have been increasing attacks on cloud infrastructure and attackers have been employing a variety of tactics, techniques, and procedures to compromise cloud-based data and applications that are critical to businesses. 

The role of IABs in the realm of RaaS (Ransomware-as-a-Service) is continuously evolving. By understanding and keeping up with their shifting tactics, methods, and trends, organizations can better prepare themselves to effectively mitigate the risk and impact of ransomware attacks. As IABs continually remodel and refine their strategies, it becomes increasingly crucial for organizations to adopt and implement robust security measures. 

Strengthening the security of the supply chain, implementing multi-factor authentication across all systems and platforms, deploying advanced threat-hunting solutions to proactively detect and prevent attacks, and conducting regular and comprehensive training sessions for employees are key steps that organizations should take to effectively mitigate the growing threat posed by IABs.
Read more »
Ransomware
Cyber Security cyber threat Cyberattacks CyberCrime FBI Ragnar Locker Ransomware

Ransomware Kingpin Behind Ragnar Locker Arrested in Paris

 


An international law enforcement action coordinated by European Interpol and officials of foreign law enforcement agencies led to the removal of the Ragnar Locker ransomware group on October 20, 2023. Various law enforcement agencies including the French, American, and Japanese law enforcement agencies were involved in the operation, which was conducted by Eurojust and Europol jointly. A notice stating that the group had seized the websites was posted on the group's Tor negotiation and data leak websites indicating that the websites had been taken down. 

As part of a joint international operation, law enforcement agencies arrested a malware developer linked to the Ragnar Locker ransomware gang and seized their dark websites that were previously used to distribute the malware. 168 international companies are believed to have been hit by attacks by the Ragnar Locker ransomware gang since 2020, and throughout that time, they have made over $1 million in profits. 

In a related operation, which was conducted on October 18 and 19 in Paris, a "key target" said to have been involved in the Ragnar Locker ransomware group was arrested as part of this operation. A report on one of the EU's official news outlets, Europa, claims that the developer of the ransomware has also been arrested, in addition to the victim of the ransomware. Law enforcement agencies from around the world have collaborated to make these arrests possible. 

There was an arrest in Paris, France, on October 16, of the "main leader" of the malicious ransomware that was circulating on the Internet. It was also reported that his home in the Czech Republic had been raided by the police. It was found that the alleged leaders of the Ragnar Group developers were brought before the examining magistrate of the Paris Justice Court at the end of a weeklong action. 

It also turned out that the ransomware infrastructure had been confiscated in the Netherlands, Germany, and Sweden. The data leak website associated with the ransomware had also been taken offline in Sweden as well. 

The Ragnar Locker ransomware group was one of the first big game-hunting ransomware groups to steal data in addition to encrypting files and threatening victims with ransom. The Ragnar Locker ransomware operation was not a ransomware-as-a-service (RaaS) operation, but rather an operation in collaboration with external penetration testers to gain first access to victims' networks, as opposed to many other ransomware groups. 

There was an announcement on Friday that at least one arrest had been made after the dark website was seized on Thursday, with at least one arrest being reported on Friday. As a result of the seized negotiation site now being seized by law enforcement, ransomware victims will now receive a message indicating that they are being assisted by law enforcement, even though no assistance has yet been provided for them. 

There was news that a 35-year-old Czech national who was arrested in France on October 16 under suspicion of being the group leader had been detained, and police in his country had searched his residence on suspicion of protecting his activities.

According to Ukrainian authorities, there was a search of a suspect's home in Kyiv and several devices and electronic media were taken from the residence of the suspect. The name of the suspect has not yet been released publicly.  

In late 2019, Ragnar Locker began operating as an affiliate of Maze or MountLocker. The company has been operating since then. There was no doubt that this group was one of the biggest groups in terms of attack volumes or money collected, but it was a significant threat and several critical infrastructure entities in several countries were penetrated by the group as a major threat, making it a priority for law enforcement. 

A central theme that emerges from the groups that are targeted by these major law enforcement campaigns is their tendency to become overly audacious in their attacks on sensitive critical infrastructure, such as power grids, water supply systems, and hospitals. While Ragnar Locker gained notoriety for its high-profile attacks on gaming company Capcom and liquor giant Campari, it is the attacks on entities like Energias de Portugal that truly propelled it up the priority ladder.  

A flash warning issued by the FBI in early 2022 revealed that Ragnar Locker had already breached the defences of 52 critical infrastructure companies across 10 different sectors in the United States up until that point in time. This alarming revelation highlights the scale and impact of Ragnar Locker's activities. 

This investigation was conducted by agents from the US FBI and the French Secret Service, along with representatives of Europol and INTERPOL. As a result of this investigation, two senior Ragnar Locker operatives were arrested, along with eight other officers from French and US intelligence agencies. 

There have been arrests and disruptions this week due to the investigation that has been ongoing for the past few days. Europol had supported the investigation from the very beginning, bringing together all the concerned nations to coordinate a coordinated action. 

During the preparation of the current steps, its cybercrime experts conducted 15 coordination meetings along with two week-long sprints. As a consequence of Europol's decision last week to establish a virtual command post for smooth cooperation among all entities involved in cybercrime, the company is also providing analysis, malware, forensic, and crypto-tracing assistance.  

This move by the government to bring down the Ragnar Locker ransomware group underlines the importance of international cooperation to combat cybercrimes. Law enforcement officials from different countries worked together to dismantle the infrastructure of the group and arrest its key members as part of this operation. 

The Ragnar Locker ransomware group was brought to an end by a remarkable display of international collaboration among law enforcement agencies. International cooperation has proven to be an effective method of safeguarding our digital environment in this particular operation.
Read more »
Ransomware
Cyber Crime cyber threat Cyberattacks Cybersecurity Ransomware

The Insider Threat: Everest Cybercriminals Offering Cash for Remote Access

 


In a transition researchers consider to be a major improvement for cybercriminals who operate in the dark web, Everest ransomware has stepped up its efforts to direct employees into purchasing access to corporate networks directly from them. 

Earlier this week, Everest said in a post at the top of its dark web victim blog that it would pay a "good percentage" of the profits generated from successful attacks to anyone who assisted in assisting in Everest's initial hack. 

As a result of these commitments, the group is making an extra effort to be transparent regarding the nature of every operation, as well as maintaining confidentiality about the role each partner played in these operations. Specifically, Everest is interested in providing access to organizations located in the US, Canada, and Europe. 

The company would accept remote access to these organizations using a variety of methods, such as TeamViewer, AnyDesk, and RDP. Upon looking at the message, it is similar to the one it published in July. Around the same time, researchers suggested that the ransomware game might be dead in the water and the company was dropping the ransomware altogether. 

The IAB first became active in 2021, but activity has been rising since November 2022 with a greater level of IAB activity than that of previous years. It has become very commonplace for internationally coordinated gangs of ransomware gangs to be busted to avoid being the next target. Everest could aim to avoid becoming the next victim. 

Researchers say that BreachForums, which was closed earlier this year, may be trying to sell its access as part of a new business model, to take advantage of its fame as an established ransomware force as part of its campaign. According to researchers, around the same time it published its first message, it seemed to be indicating it might be exiting the ransomware game entirely. 

The message appears to be the same as the one it posted back in July. According to Searchlight Cyber, over the past few months, there have been several signs that the ransomware group was moving toward being an initial access broker (IAB), which is an "extremely rare" move. 

As of November 2022, it has shown increased IAB activity compared to the initial act of acting as an IAB that occurred in 2021. Ransomware criminals often hire IAB groups as a means of transferring access to organizations' networks, sometimes to more than one group at the same time, which makes it simpler for ransomware to be deployed. 

It's not completely understood why a ransomware group might move to the IAB rather than a ransomware group, resulting in a less lucrative business, and the reasons for this are not fully understood but have been speculated to include evading law enforcement in addition to losing members of the team. 

There is an increasing trend of international coordinated attacks by ransomware gangs that are becoming more and more common, and Everest may be trying to avoid becoming the next Hive or REvil. Researchers have indicated that BreachForums could also be trying to sell its access as part of a new business model to take advantage of its reputation as an established ransomware force. 

In the past few years, cybercriminal groups, such as LockBit, have adopted the tactic of exploiting disgruntled employees or otherwise rebellious employees, which is not new. In a survey conducted by Pulse and Bravura Security in 2022, 65 per cent of corporate executives were interviewed directly by ransomware criminals to help facilitate access to their employers' networks, according to a report by Pulse and Bravura Security. 

Promises of large payouts are frequently made to professionals who are willing to facilitate access for the thieves or even go as far as deploying the ransomware themselves. This tactic is used to entice individuals into participating in cybercrime activities. 

Interestingly, an investigation conducted by Abnormal Security in 2021 shed light on one specific case involving the Demonware gang. It was discovered that this group offered a staggering 40 per cent of the total proceeds from a successful attack as compensation for anyone who would deploy their ransomware. 

In an intriguing turn of events, the researchers at Abnormal Security were approached by someone claiming to be a member of the Demonware gang. This individual, who had adopted a fake persona, made an enticing offer of $1 million in Bitcoin. The catch? The researchers were expected to successfully ransom an organization for a whopping $2.5 million. It's fascinating to see how cybercriminals are willing to go to such lengths to entice others into their illegal activities.
Read more »
Subscribe to: Posts (Atom)