Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label cybercriminals. Show all posts
Mobile Encryption
Cyber Security Cyberattacks CyberCrime cybercriminals CyberThreat Europol Mobile Encryption

Mobile Encryption Innovation Aids Criminals, Europol Reports

 


Europol has proposed solutions to address some of the challenges posed by privacy-enhancing technologies found in Home Routing, which pose a challenge for law enforcement agencies in intercepting communications during criminal investigations as a result of these technologies. There was a previous report by the agency in its Digital Challenges series in which it discussed the difficulty of gathering admissible evidence during investigations due to end-to-end encryption on communication platforms. 

This is the name given to an in-home routing system used by telecommunications companies to allow customers to send traffic to their home network, from calls, messages, and internet data, even when they are away from home. In a new report that was published by the EU Innovation Hub for Internal Security, it was examined how users can uphold citizens' privacy while simultaneously facilitating criminal investigations and prosecutions. 

There is no doubt that encryption is one of the most important means by which private communications may be protected. Meanwhile, it is also conducive to allowing threat actors to always remain hidden from the eyes of law enforcement to carry out their malicious activities. Companies must understand the needs, challenges, and priorities of their stakeholders within the Justice and Home Affairs (JHA) community to take the necessary measures to preserve the fundamental rights of the citizens of Europe while maintaining a safe environment. 

The privacy-enhancing technologies (PETs) that can be applied in Home Routing support data encryption at the service level, and the devices that are subscribed in the home network exchange session-based keys with the provider. In the case of the home network provider using PET technology, all traffic remains encrypted, as the key is inaccessible to both the home network's backend and the visiting network, which serves as a forwarder. It is due to this setup that authorities are prevented from obtaining evidence through the use of local Internet service providers (ISPs) as part of lawful interception activities. 

It explains that by implementing Home Routing, any suspect using a foreign SIM card cannot be intercepted after that device is deployed, says the European agency in a press release. If this is the case, then it may be necessary for police forces to rely on the cooperation of foreign service providers or issue a European Investigation Order (EIO), which can take significantly longer than it would normally take to complete an investigation, especially in cases where emergency interceptions are required; for example, replying to an EIO can take up to four months in most cases. 

There is no doubt that criminals are aware of this loophole in the law and are exploiting it to avoid being caught by law enforcement in their respective countries, as summarized by the European agency. The European Union's law enforcement agency Europol is appealing to stakeholders to consider two possible solutions that would effectively eliminate delays and procedural frictions associated with lawful communication interceptions. 

One of the first variants being considered is the enforcement of a regulation in the European Union that disables PE in the home routing protocol. It will be possible for domestic service providers to intercept calls made by individuals who are using foreign SIM cards but they will not have to share information about the person of interest with outside parties. A spokesperson for the agency said that by using this solution, both roaming subscribers, as well as subscribers in their local area, will be able to take advantage of the same level of encryption as communication through their national SIM card. 

However, subscribers abroad do not benefit from the added encryption of their home country, which is included in the subscription package. Furthermore, there is a second proposal where companies propose implementing a cross-border mechanism that allows law enforcement agencies within the European Union to issue interception requests that are promptly handled by the service providers to assist law enforcement agencies. Europol has identified two potential solutions to address the challenges posed by Home Routing and mobile encryption in criminal investigations. 

The first solution allows Privacy-Enhancing Technologies (PET) to be enabled for all users. However, this could result in a service provider in another EU member state learning about individuals of interest in an investigation, which may not be desirable. The second proposed solution involves establishing a mechanism for rapidly processing interception requests from service providers in other EU member states. Europol emphasizes that these two solutions are merely possible avenues for safeguarding and maintaining existing investigatory powers. 

The agency's goal is to highlight the impact that Home Routing encryption has on investigations, urging national authorities, legislatures, and telecommunications service providers to collaborate in finding a viable solution to this problem.
Read more »
Ransomware attack
Cyber Attacks cybercriminals data security healthcare sectors LockBit Malware attacks Ransom Demand Ransomware attack

Comparitech Report Reveals Average Ransom Demands of Over $5.2 Million in Early 2024

 

In the first half of 2024, the average ransom demand per ransomware attack reached over $5.2 million (£4.1 million), according to a new analysis by Comparitech. This figure is derived from 56 known ransom demands issued by cybercriminals from January to June 2024. 

The largest of these demands was a staggering $100 million (£78.9 million) following an attack on India’s Regional Cancer Center (RCC) in April 2024. The second-highest confirmed demand was issued to UK pathology provider Synnovis, with attackers demanding $50 million (£39.4 million). This incident led to the cancellation of thousands of operations and appointments at hospitals in South East England, with the Qilin group claiming to have stolen 400GB of sensitive NHS patient data. The third-highest ransom demand in the first half of 2024 targeted Canadian retailer London Drugs in May 2024, with the LockBit group demanding $25 million (£19.7 million). 

Overall, Comparitech’s researchers logged 421 confirmed ransomware attacks during this period, impacting around 35.3 million records. These figures mark a reduction compared to the same period in 2023, which saw 704 attacks affecting 155.7 million records. However, disclosures for the first half of 2024 are ongoing, so these figures may increase. Comparitech also noted an additional 1,920 attacks claimed by ransomware gangs but not acknowledged by the victims. Private businesses experienced the highest number of incidents, with 240 attacks affecting 29.7 million records. 

The government sector followed with 74 attacks impacting 52,390 records, and the healthcare sector reported 63 attacks affecting 5.4 million records. LockBit remains the most prolific ransomware group, responsible for 48 confirmed attacks in the first half of 2024, despite a significant law enforcement operation that temporarily disrupted its activities in February. Following a brief period of dormancy, LockBit resurfaced as the most prominent ransomware group in May 2024, according to an analysis by NCC Group. Other notable ransomware groups during this period include Medusa with 31 attacks, BlackBasta with 27, Akira with 20, 8Base with 17, and INC Ransom with 16. 

The researchers observed an increasing trend among ransomware groups to forego file encryption and instead rely solely on data theft for extortion. This shift in tactics highlights the evolving landscape of ransomware attacks and underscores the need for robust cybersecurity measures.
Read more »
IT Infrastructure
Australia Australian Businesses Cyberattack cybercriminals Data Breach Fortinet Hacker attack Hackers IT Infrastructure

The Growing Threat of Data Breaches to Australian Businesses

 

Data breaches are now a significant threat to Australian businesses, posing the risk of "irreversible brand damage." A cybersecurity expert from Fortinet, a global leader in the field, has raised alarms about cybercriminals increasingly targeting the nation’s critical infrastructure. Cybercriminals are continually finding new ways to infiltrate Australia’s infrastructure, making businesses highly vulnerable to attacks. 

The Australian federal government has identified 11 critical sectors under the Security of Critical Infrastructure Act, which was amended in 2018 to enforce stricter regulations. Businesses in these sectors are required to complete annual reporting to notify the federal government of any attempts to access their networks. Michael Murphy, Fortinet’s Head of Operational Technology and Critical Infrastructure, recently discussed the severity of cyber threats on Sky News Business Weekend. During the 2022-2023 financial year, 188 cybersecurity incidents were reported across critical sectors, highlighting ongoing risks to national networks like water and energy supplies. 

Additionally, the Australian Bureau of Statistics found that 34 percent of businesses experienced resource losses managing cybersecurity attacks in the 2021-2022 financial year, and 22 percent of Australian businesses faced a cybersecurity attack during that period—more than double the previous year’s figure. Even small businesses are now vulnerable to cybercrime. Murphy pointed out that among entities with mandatory reporting, 188 incidents were reported, with 142 incidents reported by entities outside of critical infrastructure, demonstrating the widespread nature of the threat. He explained that hackers are motivated by various factors beyond financial gain, including the desire for control. 

The consequences of cyber attacks can be severe, disrupting systems and causing significant downtime, which leads to revenue loss and irreversible brand damage. Critical infrastructure sectors face unique challenges compared to the IT enterprise. Quick restoration of systems is often not an option, and recovery can take considerable time. This extended downtime not only affects revenue but also damages the reputation and trustworthiness of the affected organizations. Murphy noted that many incidents are driven by motives such as financial profiteering, socio-political influence, or simply the desire of hackers and syndicates to boost their credibility. 

As cyber threats evolve, it is crucial for businesses, especially those in critical infrastructure sectors, to strengthen their cybersecurity measures. While annual reporting and adherence to federal regulations are essential, proactive strategies and advanced security technologies are necessary to mitigate risks effectively.
Read more »
UNC
CrowdStrike Cyber Security cybercriminals Financial Threat Google Cloud Google Mandiant Mandiant Threat Intelligence UNC

Protecting Your Business from Snowflake Platform Exploitation by UNC5537

 

A recent report from Mandiant, a subsidiary of Google Cloud, has uncovered a significant cyber threat involving the exploitation of the Snowflake platform. A financially motivated threat actor, identified as UNC5537, targeted around 165 organizations' Snowflake customer instances, aiming to steal and exfiltrate data for extortion and sale. Snowflake, a widely-used cloud data platform, enables the storage and analysis of vast amounts of data. The threat actor gained access to this data by using compromised credentials, which were obtained either through infostealer malware or purchased from other cybercriminals. 

UNC5537 is known for advertising stolen data on cybercrime forums and attempting to extort victims. The sold data can be used for various malicious purposes, including cyber espionage, competitive intelligence, and financial fraud. The joint statement from Snowflake, Mandiant, and cybersecurity firm CrowdStrike clarifies that there is no evidence of a vulnerability, misconfiguration, or breach within Snowflake’s platform itself. 

Additionally, there is no indication that current or former Snowflake employees' credentials were compromised. Instead, the attackers acquired credentials from infostealer malware campaigns that infected systems not owned by Snowflake. This allowed them to access and exfiltrate data from the affected Snowflake customer accounts. Mandiant's research revealed that UNC5537 primarily used credentials stolen by various infostealer malware families, such as Vidar, Risepro, Redline, Racoon Stealer, Lumma, and Metastealer. Many of these credentials dated back to November 2020 but remained usable. The majority of credentials exploited by UNC5537 were exposed through previous infostealer malware incidents. 

The initial compromise often occurred on contractor systems used for personal activities like gaming and downloading pirated software, which are common vectors for spreading infostealers. Once obtained, the threat actor used these credentials to access Snowflake accounts and extract valuable customer data. UNC5537 also purchased credentials from cybercriminal marketplaces, often through Initial Access Brokers who specialize in selling stolen corporate access. The underground market for infostealer-obtained credentials is robust, with large lists of stolen credentials available for free or for purchase on the dark web and other platforms. 

According to Mandiant, 10% of overall intrusions in 2023 began with stolen credentials, making it the fourth most common initial intrusion vector. To protect your business from similar threats, it is crucial to implement robust cybersecurity measures. This includes regular monitoring and updating of all systems to protect against infostealer malware, enforcing strong password policies, and ensuring that all software is kept up to date with the latest security patches. Employee training on cybersecurity best practices, especially regarding the dangers of downloading pirated software and engaging in risky online behavior, is also essential. 

Moreover, consider using multi-factor authentication (MFA) to add an extra layer of security to your accounts. Regularly audit your systems for any unusual activity or unauthorized access attempts. Engage with reputable cybersecurity firms to conduct thorough security assessments and implement advanced threat detection solutions. By staying vigilant and proactive, businesses can better protect themselves from the threats posed by cybercriminals like UNC5537 and ensure the security and integrity of their data.
Read more »
Telecom Sector
Cyber Fraud cybercriminals DoT Fake Calls Fraud Calls Identity Fraud India Indian Government Spoofing Telecom Sector

Combatting International Spoofed Calls: India's New Measures to Protect Citizens

 

In recent times, fraudsters have increasingly used international spoofed calls displaying Indian mobile numbers to commit cybercrime and financial fraud. These calls, which appear to originate within India, are actually made by criminals abroad who manipulate the calling line identity (CLI). 

Such spoofed calls have been used in various scams, including fake digital arrests, FedEx frauds, narcotics in courier schemes, and impersonation of government and police officials. To combat this growing threat, the Department of Telecommunications (DoT) and Telecom Service Providers (TSPs) in India have developed a system to identify and block incoming international spoofed calls. 

This initiative aims to prevent such calls from reaching any Indian telecom subscriber. The Ministry of Communications announced that TSPs have been directed to block these calls and are already taking steps to prevent calls with spoofed Indian landline numbers. In addition to this, the DoT has launched the Sanchar Saathi portal, a citizen-centric platform designed to enhance user safety and security amid the rising threat of fraud and international call scams. This portal includes a feature called "Chakshu," which allows individuals to report suspicious calls and messages. 

Chakshu simplifies the process of flagging fraudulent communications, providing an extra layer of protection against cybercriminals. Chakshu serves as a backend repository for citizen-initiated requests on the Sanchar Saathi platform, facilitating real-time intelligence sharing among various stakeholders. The platform also provides information on cases where telecom resources have been misused, helping to coordinate actions among stakeholders. 

Union Minister Ashwini Vaishnaw has highlighted additional measures, including creating a grievance redressal platform for reporting unintended disconnections and a mechanism for returning money frozen due to fraud. These efforts aim to address the concerns of citizens who may have been inadvertently affected by the anti-fraud measures. Since its launch in May last year, the Sanchar Saathi portal has been instrumental in enhancing the security of telecom users. It has helped track or block over 700,000 lost mobile phones and detect more than 6.7 million suspicious communication attempts. 

These efforts underscore the government's commitment to safeguarding citizens from cyber threats and ensuring the integrity of telecom services. The DoT and TSPs' proactive measures, along with the Sanchar Saathi portal, represent significant steps towards protecting Indian citizens from international spoofed calls and other forms of cybercrime. By leveraging advanced technology and fostering collaboration among stakeholders, these initiatives aim to create a safer digital environment for all.
Read more »
Vishing Campaign
Cyber Security cybercriminals Information Security Personal Data QR code Quishing Scams Vishing Vishing Campaign

Understanding Vishing and Quishing: Protecting Yourself Against Telephone and QR Code Scams

 

In our digitally interconnected world, cybercriminals continuously devise new methods to exploit technology for their malicious intents. Two prevalent schemes gaining traction are vishing and quishing scams. These fraudulent activities capitalize on telephone calls and QR codes to deceive unsuspecting individuals into revealing sensitive personal and financial information. 

Vishing, derived from "voice" and "phishing," entails perpetrators posing as trusted entities over the phone to trick individuals into sharing confidential data like bank account details or passwords. Employing tactics such as urgent requests or threats of repercussions, these scammers manipulate victims into compliance. For instance, a vishing scam might involve a caller impersonating a bank representative, claiming an account issue that necessitates immediate action from the victim. 

Alternatively, fraudsters may masquerade as technical support agents from reputable companies, coercing victims into paying for unnecessary services or software under false pretenses of fixing non-existent computer problems. Another vishing variant, the "police officer tactic," targets vulnerable individuals, particularly the elderly, by feigning as law enforcement officers. Fabricating stories about imminent criminal threats, these scammers persuade victims to surrender valuables or cash, ostensibly for protection. 

On the flip side, quishing represents a newer cybercrime form exploiting QR codes to entice victims to fraudulent websites for data compromise. With QR code prevalence in daily life, quishing has become an increasingly insidious threat. Cybercriminals send deceptive emails containing QR codes, enticing recipients to scan them with their smartphones under false pretenses. Once scanned, these QR codes redirect users to malicious websites designed to distribute malware-infected files or capture login credentials entered by unsuspecting victims. 

Seamless QR code scanning integration into daily activities makes it easy for individuals to fall prey to quishing attacks without recognizing the danger. Protecting against vishing and quishing necessitates heightened vigilance and adherence to cybersecurity best practices. When receiving unsolicited phone calls, it's crucial to verify the caller's identity by independently contacting the organization they claim to represent using official contact information. 

Refrain from divulging personal or financial information over the phone unless legitimacy is verified. To guard against quishing scams, exercise caution when scanning QR codes, especially from unfamiliar or suspicious sources. Verify the website URL before entering sensitive information and ensure it's encrypted (https). Additionally, consider enabling multi-factor authentication for online accounts to add an extra security layer against unauthorized access. 

By staying informed about vishing and quishing tactics and implementing proactive security measures, individuals can safeguard themselves from falling victim to these malicious schemes. Awareness and caution remain paramount in protecting personal and financial well-being in today's digital landscape.
Read more »
Two Factor Authentication
CrowdStrike Cyber Attacks cybercriminals Employee Data Employees IBM Identity Theft MFA phishing Two Factor Authentication

Safeguarding Your Employee Data From Identity Theft

 

In today's digital age, where data breaches and cyberattacks are increasingly common, safeguarding against identity-based attacks has become paramount for organizations worldwide. Identity-based attacks, which involve the unauthorized access to sensitive information through compromised user credentials, pose significant risks to businesses of all sizes and industries. 

As CrowdStrike reported, 80% of attacks involve identity and compromised credentials, highlighting the widespread nature of this threat. Additionally, an IBM report found that identity-related attacks are now the top vector impacting global cybercrime, with a staggering 71% yearly increase. 

Cybercriminals employ various tactics to carry out identity-based attacks, targeting organizations through phishing campaigns, credential stuffing, password spraying, pass-the-hash techniques, man-in-the-middle (MitM) attacks, and more. Phishing campaigns, for example, involve the mass distribution of deceptive emails designed to trick recipients into divulging their login credentials or other sensitive information. Spear-phishing campaigns, on the other hand, are highly targeted attacks that leverage personal information to tailor phishing messages to specific individuals, increasing their likelihood of success.  

Credential stuffing attacks exploit the widespread practice of password reuse, where individuals use the same passwords across multiple accounts. Cybercriminals obtain credentials from previous data breaches or password dump sites and use automated tools to test these credentials across various websites, exploiting the vulnerabilities of users who reuse passwords. Password spraying attacks capitalize on human behavior by targeting commonly used passwords that match the complexity policies of targeted domains. 

Instead of trying multiple passwords for one user, attackers use the same common password across many different accounts, making it more difficult for organizations to detect and mitigate these attacks. Pass-the-hash techniques involve obtaining hashed versions of user passwords from compromised systems and using them to authenticate into other systems without needing to crack the actual password. This method allows attackers to move laterally within a network, accessing sensitive data and executing further attacks. MitM attacks occur when attackers intercept network connections, often by setting up malicious Wi-Fi access points. 

By doing so, attackers can monitor users' inputs, including login credentials, and steal sensitive information to gain unauthorized access to accounts and networks. To mitigate the risk of identity-based attacks, organizations must adopt a multi-layered approach to security. This includes implementing strong password policies to prevent the use of weak or easily guessable passwords and regularly auditing user accounts for vulnerabilities. 

Multi-factor authentication (MFA) should be implemented across all applications to add an extra layer of security by requiring users to provide a second form of authentication, such as a one-time password or biometric data, in addition to their passwords. Furthermore, organizations should protect against social engineering attacks, which often target service desk staff to gain unauthorized access to sensitive information. Automated solutions can help verify user identification and reduce the risk of social engineering vulnerabilities. 

 Identity-based attacks pose significant risks to organizations, but by implementing robust security measures and remaining vigilant against evolving threats, businesses can effectively mitigate these risks and safeguard their sensitive information from cybercriminals.
Read more »
Spyware
Cyber Attacks CyberCrime cybercriminals Cybersecurity CyberThreat iPhone LightSpy Spyware

LightSpy Spyware: A Chinese Affair Targeting iPhone Users in South Asia

 


The LightSpy spyware has been used by cyberespionage groups to spy on users of iPhones, iPads, and other mobile devices in the South Asian region in a recent cyberespionage campaign. According to reports, the cybercriminals behind this cybercriminal campaign are China-based hackers that have been planning surveillance attacks against a specific area. 

As a bonus, this latest version of LightSpy, codenamed 'F_Warehouse,' features a modular structure which significantly enhances the spying abilities of the program. As a result of some of the most alleged infected individuals who are coming from India, initial investigations suggest a possible focus on the country. 

Researchers found that Apple iOS spyware, known as LightSpy, is being used in cyber espionage campaigns targeting South Asia. This sophisticated mobile spyware has resurfaced after a period of inactivity that dates back several months. In a report published by the Blackberry Threat Research and Intelligence Team, cyber security researchers have stated that the most recent version of the LightSpy campaign uses an extremely sophisticated spying framework in combination with a modular framework. 

To protect its command and control servers from being interception and detected, LightSpy employs a certificate-pinning strategy. It is believed that the campaign primarily targets iPhone users in India, although there have been reports of incidents taking place in Bangladesh, Sri Lanka, Afghanistan, Pakistan, Bhutan, the Maldives, and Iran in recent times as well. Hackers have been suspected of exploiting hacker websites to facilitate the deployment of LightSpy spyware, as previously observed in previous campaigns, by using hacked news websites that had Hong Kong-related stories, as they did in previous campaigns. 

In a BlackBerry report, the company uncovered that the loader enables the delivery of the core implant along with several plugins that enhance the capabilities of the primary backdoor. It is considered that LightSpy is an iOS backdoor attack that spreads via watering hole attacks, in which popular websites are infected and then targeted by attackers who attack them when they visit these infected websites and gain access to their systems or mobiles. 

According to the BlackBerry security agency, it has been discovered that the latest spyware attacks may have been coordinated by news websites that were infected and visited by targeted individuals who then installed LightSpy on their computers. A spyware program such as this usually gathers information such as phone numbers, SMS messages, exact location and voicemail from your computer, among other things. 

The report suggests that the attack was carried out by Chinese hackers, as its infrastructure and functionality were very similar to that of DragonEgg spyware, a Chinese nation-state hacker group which has been linked to the attack. Accordingly, Chinese hackers are suspected of conducting the attack. Specifically, the report claims that LightSpy is capable of analyzing location data, sound recordings, contacts, SMS messages, and data from apps such as WeChat and Telegram to extract sensitive information from your phone. 

There is a growing threat of mobile espionage threat campaigns that is highlighted by the re-emergence of the LightSpy spyware implants. Apple’s security updates are all the more important after the recent mercenary spyware attacks that affected iPhone users in 92 countries. The campaign is in line with the recent mercenary spyware attack that had impacted iPhone users all over the world. 

As the agency points out, the most recent version of LightSpy discovered this month is also capable of retrieving files and data from popular apps like Telegram, WeChat, and iCloud Keychain data as well as the history of your web browsers in Safari and Chrome. There is indication that state-sponsored involvement may have been involved in the development of LightSpy in the form of permission pinning which prevents communication interception with its C2 server, as well as the presence of Chinese language artefacts in the implant's source code. 

According to Apple's recent threat notifications, which have been sent to users in 92 countries, including India, the situation has become more severe. It is unsurprising that LightSpy, a mobile spy tool with attractive new capabilities, has made a resurgence and is now posing an alarming threat to individuals and organisations throughout Southern Asia, indicating an alarming escalation in mobile spying attacks.
Read more »
ransomware attacks
CDR CISA Cyber Attacks Cyber Defenses cybercriminals EDR endpoint detection and response LockBit Malicious Software Open Source Software ransomware attacks

The Rise of Weaponized Software: How Cyber Attackers Outsmart Traditional Defenses

 

As businesses navigate the digital landscape, the threat of ransomware looms larger than ever before. Each day brings new innovations in cybercriminal techniques, challenging traditional defense strategies and posing significant risks to organizations worldwide. Ransomware attacks have become increasingly pervasive, with 66% of companies falling victim in 2023 alone, and this number is expected to rise. In response, it has become imperative for businesses to reassess their security measures, particularly in the realm of identity security, to effectively combat attackers' evolving tactics.
 
Ransomware has evolved beyond merely infecting computers with sophisticated malicious software. Cybercriminals have now begun exploiting legitimate software used by organizations to conduct malicious activities and steal identities, all without creating custom malware. One prevalent method involves capitalizing on vulnerabilities in Open Source Software (OSS), seamlessly integrating malicious elements into OSS frameworks. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about this growing trend, citing examples like the Lockbit operation, where cyber attackers leverage legitimate, free software for nefarious purposes. Conventional endpoint security solutions often lack the necessary behavior analytics capabilities to detect subtle indicators of compromise. 

As a result, attackers can exploit tools already employed by organizations to acquire admin privileges more easily while evading detection. This underscores the need for organizations to stay abreast of evolving techniques and adapt their defense strategies accordingly. Throughout the ransomware attack lifecycle, cybercriminals employ a variety of tactics to advance their missions. 

From initial infection to data exfiltration, each stage presents unique challenges and opportunities for attackers. For example, attackers may exploit vulnerabilities, manipulate cookies, or employ phishing emails to gain initial access. Once inside a network, they utilize legitimate software for persistence, privilege escalation, lateral movement, encryption, and data exfiltration. 

One critical aspect of mitigating the risk posed by ransomware is embracing an identity-centric defense-in-depth approach. This approach places emphasis on important security controls such as endpoint detection and response (EDR), anti-virus (AV)/next-generation antivirus (NGAV), content disarm and reconstruction (CDR), email security, and patch management. By prioritizing least privilege and behavior analytics, organizations can strengthen their defenses and mitigate the risk of falling victim to ransomware attacks. 

As ransomware attacks continue to evolve and proliferate, organizations must prioritize identity security and adopt a proactive approach to defense. By recognizing and addressing the tactics employed throughout the ransomware attack lifecycle, businesses can bolster their defenses, enhance identity security, and safeguard against the ever-evolving threat of ransomware.
Read more »
Smishing Scam
Cyber Crime cybercriminals Cybersecurity SMiShing Smishing Campaign Smishing Scam

Smishing Surge: Tactics, Threats, and 'The Com'


Recently, what we are observed is that enterprises facing a persistent threat from social engineering tactics aimed at acquiring login credentials for crucial systems like Identity and Access Management (IAM), cloud resources, and Single Sign-On (SSO) platforms. Successful breaches through these entry points can lead to widespread access within an organization, paving the way for data theft and ransomware attacks. 

In 2024, there has been a notable surge in phishing attempts conducted over Short Message Service (SMS), commonly known as smishing. Attackers capitalize on the ease and directness of SMS communication to deceive targets into revealing sensitive information. 

Do You Know What Tactics Cybercriminals employ to steal sensitive data through smishing? Let's Understand 

First is Malware Distribution, through smishing, malicious attackers lure victims into clicking on URLs that lead to the download of malware, or malicious software, onto their devices. This malware often disguises itself as a legitimate application, deceiving users into inputting confidential information. Once installed, the malware can intercept and transmit this data to the cybercriminals, compromising the victim's security. 

Second is the Creation of Malicious Websites, another tactic that involves directing victims to fake websites via smishing messages. These malicious websites are meticulously crafted to resemble legitimate platforms, enticing users to enter sensitive personal information. Cybercriminals utilize these custom-made sites to harvest data, capitalizing on the trust users place in recognizable interfaces. 

Additionally, it often happens when a group of malicious actors or an attacker establish deceptive domains mimicking legitimate platforms, such as a company's HR system. This tactic adds an air of authenticity to their phishing attempts, increasing the likelihood of success. 

 Do We Know What Group is Behind This? Yes

The perpetrators behind these attacks are a diverse group of threat actors collectively known as "The Com" or "The Community." This is an umbrella term which involves a majority of attackers, primarily young, operating across Canada, the U.S., and the U.K. Additionally, the group engages in various cybercriminal activities, including SIM swapping, cryptocurrency theft, swatting, real-life violence commissioning, and corporate intrusions. 

Furthermore, "The Com" has been identified as the source behind several high-profile breaches in recent years. Moreover, this online community shares overlaps with other research clusters and intrusion groups like Scattered Spider, Muddled Libra, UNC3944, and Octo Tempest.
Read more »
Hacking
Cyber Crime cybercriminals data security Ethical Hacking Hackers Hacking

Unveiling the New Era of Hacking Ethics: Profit Over Principles

 

Hacking, once a realm of curiosity-driven exploration, has morphed into a complex ecosystem of profit-driven cybercrime. Originating in the 1960s, hacking was fueled by the insatiable curiosity of a brilliant community known as "hackers." These early pioneers sought to push the boundaries of computing and digital technology, driven by a passion for discovery rather than malicious intent. 

However, the perception of hacking has since undergone a dramatic transformation. Today, the term "hacking" often conjures images of lone individuals in hoodies, exploiting vulnerabilities to steal data or wreak havoc from the safety of dimly lit rooms. While this stereotype may be exaggerated, it reflects a disturbing reality: the rise of cybercriminals who exploit technology for personal gain. 

In recent years, there has been a notable shift in the attitudes and behaviours of hackers, particularly within criminal cyber rings. Once governed by unwritten codes of ethics, these groups are now redefining the rules of engagement, prioritizing profit above all else. What was once considered off-limits—such as targeting hospitals or critical infrastructure—is now fair game for profit-driven hackers, posing significant risks to public safety and national security. 

One of the most alarming trends is the rise of ransomware attacks, where hackers encrypt sensitive data and demand payment for its release. These attacks have become increasingly brazen and aggressive, targeting organizations of all sizes and industries. The Colonial Pipeline attack, while technically not disrupting deliveries, sent shockwaves through the cybersecurity community, highlighting the audacity and impunity of modern cybercriminals. 

Moreover, hackers are no longer content with targeting individuals or businesses just once. Exploiting vulnerabilities multiple times has become commonplace, reflecting a growing sophistication and ruthlessness among cyber criminals. Several factors have contributed to this evolution of hacking ethics. Global tensions, technological advancements, and the proliferation of online platforms have all played a role in shaping the behaviour of modern hackers. 

The accessibility of hacking tools and information has lowered the barrier to entry, attracting individuals of all ages and skill levels to the world of cybercrime. Despite efforts by law enforcement and cybersecurity professionals, the threat of cybercrime continues to loom large. 

Businesses and individuals must remain vigilant, investing in robust cybersecurity measures and staying informed about evolving threats. By understanding the changing landscape of hacking ethics, we can better defend against cyber attacks and protect our digital assets and identities in an increasingly connected world.
Read more »
Software Companies
Cyber Attacks Cyberattakcs cybercriminals Cybersecurity Cyberwarfare Digital Services Microsoft Software Companies

Microsoft Source Code Heist: Russian Hackers Escalate Cyberwarfare

 


There was an update on the hacking attempts by hackers linked to Russian foreign intelligence on Friday. They used data stolen from corporate emails in January to gain access to Microsoft's systems again, which were used by the foreign intelligence services to gain access to the tech giant's products, which are widely used in the national security establishment in the United States. 

Analysts were alarmed by the disclosure as they expressed concerns about whether the U.S. government could use Microsoft's digital services and infrastructure safely. Microsoft is one of the world's largest software companies which provides systems and services to the government, including cloud computing. 

It has been alleged that the hackers have in recent weeks gained access to Microsoft's internal systems and source code repositories using information stolen from the company's corporate email system. The tech firm said that the hackers had used this information to access the company's corporate email systems. It is the nuts and bolts of a software program which make it work. 

Therefore, source code is of great importance to corporations - as well as spies trying to penetrate it. With access to the source code, hackers may be able to carry out follow-on attacks against other systems if they have access. During the first days of January, Microsoft announced that its cloud-based email system had been breached by the same hackers, days before another big tech company, Hewlett Packard Enterprise, announced that its cloud-based email system was breached. 

Although the full scope and purpose of the hacking activity is unclear, experts say the group responsible for the hack has a history of conducting extensive intelligence-gathering campaigns for the Kremlin. According to Redmond, which is examining the extent of the breach, the Russian state-sponsored threat actor may be trying to take advantage of the different types of secrets that it found in its investigation, including emails that were shared between Microsoft and its customers. 

Even though they have contacted the affected customers directly, the company didn't reveal what the secrets were nor what the extent of the compromise was. It is unclear what source code was accessed in this case. According to Microsoft, as well as stating that it has increased its security investments, the adversary ramped up its password spray attacks more than tenfold in February, in comparison to the "amount of activity" that was observed earlier in the year. 

Several analysts who track Midnight Blizzard report that they target governments, diplomatic agencies, non-governmental organizations, and other non-governmental organizations. Because of Microsoft's extensive research into Midnight Blizzard's operations, the company believes the hacker group might have targeted it in its January statement. 

Ever since at least 2021, when the group was found to have been behind a series of cyberattacks that compromised a wide range of U.S. government agencies, Microsoft's threat intelligence team has been conducting research on Nobleium and sharing it with the public. According to Microsoft, persistent attempts to breach the company are a sign that the threat actor has committed significant resources, coordination, and focus to the breach effort. 

As part of their espionage campaigns, Russian hackers have continued to hack into widely used tech companies in the years since the 2020 hack. US officials and private experts agree that this is indicative of their persistent, significant commitments to the breach. An official blog post that accompanied the SEC filing on Friday said that the hackers may have gathered an inventory of potential targets and are now planning to attack them, and may have enhanced their ability to do so by using the information they stole from Microsoft. 

Several high-profile cyberattacks have occurred against Microsoft due to its lax cybersecurity operations, including the compromise of Microsoft 365 (M365) cloud environment by Chinese threat actors Storm-0558, as well as a series of PrintNightmare vulnerabilities, ProxyShell bugs, two zero-day exchange server vulnerabilities known as ProxyNotShell that have been reported as well. 

Microsoft released the February Patch Tuesday update which addressed the admin-to-kernel exploit in the AppLocker driver that was disclosed by Avast six months after Microsoft accepted Avast's report about the exploit. The North Korean adversary Lazarus Group, which is known for exploiting the Windows kernel's read/write primitive to establish a read/write primitive on the operating system, used the vulnerability to install a rootkit on the system. The company replaced its long-time chief information security officer, Bret Arsenault, with Igor Tsyganskiy in December 2023 to alleviate security concerns.
Read more »
Technology
Cyber Haunting Cyberattacks CyberCrime cybercriminals Cyberhackers CyberThreat Ghost Locker Ransomware Technology

GhostLocker 2.0 Unleashes Cyber Haunting Spree in the Middle East, Africa, and Asia

 


A new version of the infamous GhostLocker ransomware has been developed by cyber criminals, and they are now targeting users across the Middle East, Africa, and Asia with this ransomware. With the help of the new GhostLocker 2.0 ransomware, two ransomware groups have joined forces in attacking organizations in Lebanon, Israel, South Africa, Turkey, Egypt, India, Vietnam, and Thailand in double-extortion ransomware attacks, which have been conducted by two groups of ransomware groups, GhostSec and Stormous. 

The attack targets technology companies, universities, companies that manufacture, transport, and government organizations that have been rendered inaccessible by the file-encrypting malware. These are the main targets of these attacks, which attempt to scam victims into paying for decryption keys that would allow them to retrieve the data that was encrypted and render it inaccessible. 

According to researchers at Cisco Talos, who discovered the new malware campaign and cyberattack campaign being run by the criminals, the attackers had also threatened to release exposed victims' sensitive data unless they paid hush money to keep the information hidden. As a result of both GhostLocker and Stormous ransomware groups revamping their RaaS programs, they have introduced a new one called STMX_GhostLocker, which offers their affiliates several options for the distribution of ransomware. 

As well as on the Stormous ransomware data-leak site, the GhostSec and Stormous groups also announced they had been tampering with data on their Telegram channels. A Cisco Talos blog post released this week suggested that GhostSec was targeting Israel's industrial systems, critical infrastructure, and technology companies, according to the blog post. It is believed that there are victims, including the Israeli Ministry of Defense, but the motive of the group does not seem to be one of kinetic sabotage so much as it is one of profit-driven objectives. 

Telegram chats suggest that at least part of the motivation of the group (at least initially) is to raise funds for hacktivists and threat actors, as indicated by conversations in the group's Telegram channel. As a curious note, GhostSec has adopted the same name as Ghost Security Group, well-known as a hacktivist organization known for targeting ‘pro-Islamic State group’ websites and making other cyberattacks, though there remains no confirmation that the two organizations are linked. 

As a result of successful joint operations between the Stormous gang and Cuban ministries last July, the Stormous gang added the GhostLocker ransomware program to its existing StormousX program. A group of hackers calling themselves GhostSec has been carrying out attacks on corporate websites, including a national railway company in Indonesia as well as a corporate energy supplier in Canada. 

Cisco Talos has reported that the group could be using the GhostPresser tool as a means to conduct cross-site scripting (XSS) attacks against vulnerable websites when it launches attacks against them. This week, the kingpins of ransomware are also offering the GhostSec deep-scan tool suite that was created by them, which would allow potential attackers to sweep websites of potential targets to find ransomware implants. 

With the Python-based utility, users will be able to perform specific functions, such as scanning for specific vulnerabilities on targeted websites (by referring to specific CVE numbers) using placeholders. In Cisco Talos' opinion, "the promise of functionality demonstrates a continuous evolution, which goes hand in hand with GhostSec's continuous development of tools for their arsenal." In the chats that the malware's developers are having in their chats, they seem to refer to "ongoing work" on "GhostLocker v3", according to security researchers. 

In addition to encrypting files on the victim's computer with the extension .ghost, GhostLocker 2.0 drops a ransom note on the victim's machine and asks for a ransom to unlock it. Potential targets are being issued warnings that their compromised data will be publicly disclosed unless they reach out to ransomware operators within a strict seven-day timeframe. Affiliates of the GhostLocker ransomware-as-a-service are equipped with a sophisticated control panel enabling real-time monitoring of their attacks, all seamlessly registered on the dashboard. 

The command-and-control server for GhostLocker 2.0 is geolocated in Moscow, resembling the setup of earlier ransomware versions. Affiliates who opt to pay gain entry to a customizable ransomware builder, allowing the configuration of various options, including the target directory for encryption. The ransomware, designed by developers, is adept at exfiltrating and encrypting files with extensions such as .doc, .docx, .xls, and .xlsx, encompassing Word-created documents and spreadsheets. 

Unlike its predecessor developed in Python, the latest iteration of GhostLocker is coded in the GoLang programming language. Despite this shift, the functionality remains akin to the previous version, with a notable enhancement: the encryption key length has been doubled from 128 to 256 bits. In response to this menacing campaign, organizations are advised by Cisco Talos to fortify their defences through a comprehensive security approach, facilitating prompt attack detection. 

This involves studying the tactics, techniques, and procedures (TTPs) employed by the GhostLocker group, as well as ensuring up-to-date detection signatures for the newest GhostLocker ransomware version. Cisco further recommends that organizations fortify their web servers with layered defence mechanisms, incorporating demilitarized zones (DMZs) to isolate public-facing systems. This is particularly pertinent given the GhostSec group's track record of conducting denial-of-service (DoS) attacks on victim websites. 

Despite these precautionary measures, the true impact of the recent GhostLocker attacks remains elusive. Cisco has underscored the uncertainty surrounding the number of potential victims affected. While some data has surfaced on the leak site, it remains challenging to ascertain its accuracy, including the extent of financial transactions, if any. As the cybersecurity landscape evolves, GhostLocker ransomware emerges as a persistent threat, underscoring the critical need for organizations to continuously enhance their security measures. 

The adoption of a defence-in-depth strategy, meticulous analysis of threat actors' TTPs, and regular updates to detection mechanisms are imperative in safeguarding against the ever-evolving tactics of malicious entities. The call for layered defence, including the implementation of DMZs for web servers, reinforces the proactive approach required to mitigate the risks associated with this sophisticated ransomware campaign.
Read more »
cybercriminals
Bank Details Bank fraud BIN Attack Credit Card Fraud Cyber Fraud cybercriminals

‘BIN’ Attacks: Cybercriminals are Using Stolen ‘BIN’ Details for Card Fraud


While cybersecurity networks might be boosting themselves with newer technologies, cybercrime groups are also augmenting their tactics with more sophisticated tools. 

The latest example in cyberspace is the “BIN attacks,” that targeted small businesses. The tactic involved manipulation of the Bank Identification Number (BIN) of credit cards that allowed threat actors to put the stolen card details through trial and error on unsuspecting e-commerce websites. 

Behind the Scenes of the 'BIN' Attacks

In 2023 alone, the payment card fraud amounted to a whopping $577 million, which was 16.5% more than in 2022. Among its victims, the Commonwealth Bank was the one that experienced the fraud when a Melbourne wholesaler faced a barrage of 13,500 declined e-commerce transactions in a month. 

The incident, previously noted as a clerical error, turned out to be an event of cybercrime that impacted both businesses and consumers. 

The cybercriminals initially obtained the first six digits of a credit card, called the Bank Identification Number (BIN). This information was then used for trial and error to determine what combinations of card numbers, expiration dates, and security codes work. Subsequently, the card data that were taken are verified through inconspicuous transactions to ascertain their authenticity. Once verified, card numbers that have been compromised are either sold by fraudsters or used in larger-scale fraudulent transactions.

Customer Accounts Compromised

Commonwealth Bank account holders, Bob Barrow and John Goodall, discovered that they were the targets of fraudulent activities. Despite having no online activity with their cards, they were astonished when they found out about the transactions made on their accounts. This made them question the security of their financial information.

Credit card numbers are more random and limitless than one might believe. Out of the sixteen digits on a card, the six-digit BIN leaves just ten that follow a pattern. Because there are comparatively fewer options, cybercriminals can leverage automated methods to quickly guess valid combinations, which presents a serious threat to conventional security measures. 

While the affected entities are expected to come up with more stringent safety measures, the responsibility does not solely lay on the banks. Financial institutions do not always conduct the transactions; they are often the victims themselves who issue the cards. The attacks emphasize the necessity of a multi-layered safeguard, with companies utilizing strong fraud prevention systems and online shop security-focused payment processors like Stripe and Square. This is necessary since a BIN attack's aftermath might cause firms to go bankrupt.

Read more »
Sophos report
Cyber Attacks cybercriminals Cybersecurity Ransom Payment Ransomware recovery cost Retail Industry security measures Sophos report

Report: Retailers Face Challenges in Coping with Ransomware Attacks

 

In a disconcerting revelation, a recently released report suggests that retailers are finding themselves increasingly outmatched in the ongoing battle against ransomware operators. Conducted by cybersecurity experts Sophos, the survey enlisted the perspectives of 3,000 IT and cybersecurity leaders from small and medium-sized businesses (SMBs) and enterprises worldwide, with a particular focus on 355 respondents hailing from the retail sector. 

The findings are rather sobering, indicating that a mere 26% of retailers were successful in thwarting a ransomware attack before succumbing to having their valuable data encrypted. This figure represents a noticeable decline from the preceding year's 28%, and even more starkly from the 34% recorded two years prior.

Chester Wisniewski, the Director of Global Field CTO at Sophos, sounds a cautionary note, deeming the survey a resounding wake-up call for organizations within the retail industry. His message is clear: retailers must urgently fortify their security measures in the face of the escalating ransomware threat.

The report also sheds light on the protracted recovery process faced by victims who opt to meet the ransom demand. Among those who acquiesced, the median recovery cost, excluding the ransom payment itself, surged to four times that of those with a functional backup, reaching a staggering $3 million compared to $750,000. 

Approximately 43% of victims opted to pay the ransom, prompting Wisniewski to caution against shortcuts, underscoring the imperative of rebuilding systems to prevent cybercriminals from reaping the rewards of their malicious activities.

While there is a glimmer of optimism for retailers in the report - the percentage of firms targeted by ransomware threats dropped from 77% to 69% compared to the previous year - the recovery times have taken a hit. The proportion of companies able to recover in less than a day dwindled from 15% to a mere 9%, while those grappling with recovery periods exceeding a month increased from 17% to 21%.

Ransomware, as the report highlights, typically gains entry through the actions of unwitting employees, such as downloading malware or inadvertently providing attackers access to crucial endpoints. 

Consequently, the report underscores the critical importance of comprehensive employee education regarding the perils of cyberattacks. In addition to fostering employee awareness, safeguarding against ransomware necessitates strategic measures such as regular backups of critical systems and data, coupled with the implementation of robust endpoint protection services. The call to action is clear - retailers must fortify their cybersecurity defenses comprehensively to navigate the evolving threat landscape successfully.
Read more »
Quishing
Cyber Security Cyberattacks CyberCrime cybercriminals Emails QR code Quishing

Quishing Emerges as a Leading Cybersecurity Challenge

 


Researchers are predicting that cybercriminals will employ email-based quashing attacks as a means of stealing data from users. Several quishing campaigns are known to have been large, long-running, and dynamic, based on attack cadence and variations within the lures and domains featured in the messages used by the campaigns. 

A study released by the Global State of Mobile Phishing Report recently raises some sobering insights into the widespread use of mobile phishing attacks. The report noted that over 50% of the personal devices used by employees of a company had been hacked every quarter, which is an astounding number. 

Technology is constantly evolving to make users' personal and professional lives more convenient in the era of digital technology, as the usage of technology gradually increased over the years. One of the advancements that have made life easier for consumers has been the Quick Response (QR) code. The user can either share the URLs of websites and contact information, or they can pay with this two-dimensional barcode which is easy to read. 

In addition to improving our daily lives, QR codes have also created new avenues for cybercriminals to exploit, which has made it easier for them to steal information. This method of phishing is also known as quishing and poses a significant threat to individuals and organizations alike. QR codes are phishing attacks that have been on the rise for years. 

Even though "squishing" sounds all cute and squishy, it's a serious practice that has to be taken seriously. A QR code can be obtained by generating a fake email that contains a QR code that is inserted into the email, and then sending it to a person as a phishing email. 

In an attempt to trick the recipients of an email attack into visiting malicious websites or downloading malware onto their devices, hackers use QR codes embedded in the email to trick them. Social engineering tactics are usually used in these kinds of attacks to exploit the trust that people place in emails because they often put their trust in them. 

Recent findings regarding the effectiveness of mobile phishing attacks have been released in the Global State of Mobile Phishing Report. Over half of a company's employees' devices are exposed to phishing every few weeks, and at least one-third of those are not even aware that it is happening. 

Additionally, there was a seven-fold increase in the number of QR code phishing reports in Q2 of 2022. Many industries are targeted by these types of attacks, including insurance, legal, financial, and healthcare. A high level of regulation is enforced in these industries as a result of the sensitive and valuable nature of their data. As a result, they are a good target for cybercriminals as they are easy to reach. 

Increasingly, QR codes are appearing everywhere: they are in restaurants, mass vehicles, commercials, signs, walls, bathrooms, advertisements on billboards and posters; and even companies are shipping their products with QR codes so that consumers can access the manual via their phones. 

There are two main ways that criminals are attempting to quench attacks at the moment: they send targets a QR code via email and then try to crack it. In many cases, those emails are simply a call to action for users to verify their accounts and to act within a specific time frame otherwise their accounts will be locked or closed. A QR code would be inserted into an email on a desktop computer by the user, and once scanned, it would cause havoc on the computer.  

Using traditional email filtering methods, it is hard to detect QR code attacks since there are no embedded links or malicious attachments to scan. In addition, email filtering is not designed to follow a QR code to its destination to look for malicious content. The threat is also moved to another device which is more likely not to be protected by corporate security software, as well as shifting the actual threat to another device. 

Detecting these attacks can be done using artificial intelligence and image recognition technology. Fake QR codes are usually not the only sign that a malicious email is being sent. In addition, AI-based detection will take into account other signals as well - such as the sender's name, the content, the size, and the placement of images – to determine whether a message is malicious. To detect and prevent QR code scams, Barracuda Impersonation Protection will employ several techniques, as well as others. 

Currently, there are many quashing attacks targeting individual consumers, but enterprises, as well as their employees, are also at risk of squishing attacks. Researchers from HP and Abnormal Security discovered, in particular, that email-based QR phishing campaigns, like those uncovered by the researchers, could be used to steal credentials or spread malicious software to business accounts. 

Fraudulent QR Code Signs


Receivers need to pay close attention to the labels on the quashing codes to see that these codes are marked. These include: 

  • There are several errors on destination websites, including spelling errors, poor-quality images, and inadequate design. 
  • Rather than beginning with HTTPS, a URL starts with HTTP.
  • The true destination site is hidden by short URLs that are unreadable. 
Read more »
Topgolf Callaway
Cyberattacks CyberCrime cybercriminals Cybersecurity Precautions Data Breach Golf Gear Manufacturer Passwords Reset Sports. Topgolf Callaway

Golfing Community Shaken as Calloway Data Breach Hits One Million Fans

 


At the start of August, Topgolf Callaway (Callaway) was hacked by hackers, exposing the sensitive account and personal information of over 1 million customers to the dangers of identity theft. There are many manufacturers and retailers of various types of sports equipment in the US, however, Callaway is the leading brand of golf gear and accessories, including clubs, balls, bags, gloves, and hats.

Amounted to approximately $1.2 billion in revenue in the past year, the company has a presence in more than 70 countries globally. A total of roughly 25,000 people are employed at this company. In the company's product line, there is a variety of golf gear that is made by Callaway. 

Over 1 million people were affected by a data breach reported by the company. As part of an "IT system incident" that began on August 1 and involved some users of Topgolf Callaway Brands Corp.'s e-commerce websites, Topgolf Callaway Brands Corp. has been alerting customers that certain users' information had been exposed. 

A notification email was sent by the company to the victims last week, explaining what had happened and what steps were being taken by the company to address the issue. According to the email, there was an intrusion by an unknown malicious external party into the company's e-commerce system on August 1, impacting the availability of some of the company's e-commerce services as a result. 

The cyber intrusion occurred on an unknown date in the past. A security breach has affected users of several Callaway Golf sites, including Callaway Golf Preowned, Odyssey, Ogio, and Odyssey. As a result of the attack, sensitive user data, such as full names, shipping addresses, e-mail addresses, phone numbers, order history, account passwords, and security questions, were stolen by the attackers. 

As per the notice, no sensitive information such as payment information, ID information, or Social Security Numbers (SSNs) were collected. Upon investigation into this matter, it has been found that data about users of the website, including their names, mailing addresses, email addresses, phone numbers, order history, passwords for their accounts, and answers to their security questions are impacted. 

A police report has been filed and the police have been notified immediately. Approximately 1,114,954 pieces of private information were exposed in total during the data breach. Because the attackers stole passwords and answered security questions, 

A public notice about the breach was made on August 29th by the Maine Attorney General's office. Maine has strict rules concerning cyberattacks that compromise the privacy of any of its residents, of whom 2,219 were affected by the hack. 

There have been no breaches of payment card and government identification numbers, such as Social Security numbers, that have affected credit and debit cards. A company representative confirmed that the company does not store any of this information. 

There was a lot of time when the security questions had to be disabled, and the passwords had to be reset by force almost a month later. Callaway reset everyone's log-in credentials and compelled everyone to change their password at the next login time until a new password could be created. The Maine Division of Environmental Protection notified all residents affected by this action by email on the same day that this action was completed. 

Upon resetting their passwords, customers will be able to access their accounts once they have regained access to them. There is a strong recommendation that users should also change the passwords on other websites where they use the same login information. 

Topgolf Callaway has set up a special toll-free incident response line, which is available to answer any questions or concerns that individuals may have. Detailed instructions can be found on the company's website, as well as a dedicated, toll-free incident response line. 

Although it is unclear whether the incident is a ransomware attack, as many of the company's e-commerce services have been affected by the incident, it is a strong possibility that it is indeed a ransomware attack. 

The attack, if it was indeed a ransomware attack, has so far not been claimed by any ransomware groups, nor has it been attempted to be sold through the dark web. It is unlikely, however, that this information won't surface somewhere on the dark web someday. 

There is a possibility that the data collected could be used for identity theft and phishing attacks. However, the company is taking measures to protect its customers' data through proactive measures. To regain access to the system, users are automatically directed to the “callawaygolf.com/reset-password” page where they can find instructions on how to proceed with resetting their password. 

Following the data theft, the company worked fast to reset passwords for all users who had their passwords stolen. The use of the same passwords for other websites or online services should be avoided if you are already consistently using the same password for multiple websites or online services. 

Passwords should be made up of alphanumeric and symbol characters only. Credential-stuffed attacks can be minimized by adopting this precautionary measure. Callaway customers need to stay cautious when communicating with unknown senders regarding the possibility of sharing additional data, and they should treat them as potentially malicious messages.
Read more »
Rhysida
Cyberattack CyberCrime cybercriminals Health HHS malware PMH Ransomware Vendetta Rhysida

Ransomware Vendetta: Rhysida Group Strikes Prospect Medical, Warns of Auctioning Stolen Data

 


It has been claimed that Rhysida, an ever-evolving ransomware group, is responsible for the recent cyberattack on Prospect Medical Holdings during which hospitals and medical facilities in four states have been attacked. As a result, Prospect Medical Holdings was forced to take its systems down earlier this month. 

The Prospect Health Group operates 16 hospitals in California, Connecticut, Pennsylvania, and Rhode Island, as well as more than 165 clinics and outpatient facilities throughout these states. According to Callow, many US healthcare systems have been affected by ransomware this year, infecting at least 53 hospitals under their control, and at least 20 of these organizations have had their data stolen as a result of the attack. 

The Department of Health and Human Services issued an alert earlier this month to warn people about Rhysida, a ransomware-as-a-service group that first arose in mid-May. The group is currently in its infancy and does not have some advanced features such as plaintext strings that reveal registry modification commands as well as some advanced features such as plaintext strings that display registry management commands. 

There have been major attacks on organizations in several sectors including education, government, manufacturing, technology, and managed service providers by Rhysida. As part of its ongoing data leak investigation, the Federal Bureau of Investigation has revealed that most of the data stolen from eleven victims have been uploaded to the threat actor's data leak site between June and the beginning of August. 

As a result of a cyberattack launched by the Rhysida ransomware group on Prospect Medical Holdings, the group claims to have gained access to 500,000 social security numbers, confidential corporate records, and patient records from the company. 

A ransom note was reportedly displayed on employee screens the day after the attack, warning that their network had been compromised and their devices had been encrypted as a result of the attack, which was believed to have occurred on August 3rd. 

There is a claim that Rhysida has more than one terabyte of stolen data on her hands, along with an SQL database containing more than 1.3 terabytes of data. In the listing on the dark web, the group offered to sell the data for 50 bitcoin, which would equate to roughly $1.3 million, based on the listing that was made available. 

BleepingComputer later found out that the Rhysida ransomware gang was behind the attack even though PMH did not respond to questions about the security incident. According to current reports, PMH hospital networks, including CharterCare, have been able to successfully restore the functionality of the hospital networks' systems. However, efforts remain ongoing to make sure that patient records are reinstated as soon as possible. 

Earlier this month, the Department of Health and Human Services (HHS) warned that the hacker group Rhysida seemed to be responsible for recent attacks against healthcare organizations, with a claim of responsibility for the attack on Prospect Medical. Described by the Department of Health and Human Services (HHS) as a new ransomware-as-a-service (RaaS) group, Rhysida has emerged since May 2023. 

An HHS official said the group encrypts a target's networks through Cobalt Strike and phishing attacks to breach their targets' networks and plant their malicious payloads on those networks. Once the victim has not paid the ransom, the group threatens the victim by releasing all of the data that has been exfiltrated. HHS has indicated that Rhysida is still in its infancy and there are limited advanced features that it has developed, as evidenced by its name Rhysida-0.1, and the lack of advanced features. 

According to the report, the ransomware also leaves PDF notes in the affected folders instructing victims to contact the group through their portal and pay in Bitcoin. There are numerous countries across Western Europe, North and South America, as well as Australia that have been affected by Rhysida and its victims. 

It is primarily focused on the education, government, manufacturing technology, and managed services industries that are attacked by these cyber criminals. As exemplified by the attack on PMH, they have recently attacked the healthcare and public health sectors, and this has had a significant impact on the healthcare industry. There have been several ransomware gangs who have claimed credit for attacks in the past, including Rhysida, said Emily Phelps, director at Cyware.
Read more »
ransomware attacks
Cyber Hacker Cyber Security Cyberattacks CyberCrime cybercriminals Ransom Demands ransomware attacks

Behind Closed Cyber Doors: 50 Ransomware Negotiations' Unexpected Insights

 


A cybersecurity expert will usually recommend that negotiators should be avoided when trying to resolve the issue of ransomware hackers. A victim recently defied conventional wisdom and attempted to negotiate with their attackers on December 30, 2020, despite their attackers attempting to kill them. 

As the victim typed the words "Help?" At one point during the compromise of the computers, a response was received from one of the hackers offering to negotiate with the victim. During the interview, the hackers admitted that they had encrypted the victim's network and data in addition to downloading internal documents and files from the victim's network. As a ransom, they requested a payment of $8,500,000 for the key to unlock the encrypted files. 

Unexpectedly, there was a misunderstanding in the negotiation that led to the breakdown of the deal. As a result, the hackers mistook the victim's wishes for the destruction of files and did not provide the decryption key to do so. In the end, the ransom demand was markedly reduced, resulting in a final amount of only $450,000 being agreed upon, thereby resulting in a 94.7% reduction from the original demand of $1 million. 

In the case of ransomware incidents, the details are usually shrouded in secrecy and made to remain out of the public domain as long as possible. Despite the secrecy, Valéry Marchive, a French journalist who specializes in cybersecurity, does not like it. This can be used as a weapon in the fight against ransomware gangs, as all these cloak-and-dagger conversations he has had with these criminal gangs provide valuable insight into how they operate and can be used by them to attack.

Marchive has been compiling a database of ransomware negotiation chats over the past few years, and as of recent made the database available to the public as part of its effort to reduce ransomware attacks. The recent research report on the data used by Cyber Threat Intelligence Analyst Calvin So focuses on how stylometric analysis (essentially, the study of writing styles) can help identify patterns and individuals based on the text dialogue they use within the report. 

The results of an analysis of negotiation transcripts of 50 trial cases from Marchive's archives show that victims who negotiate tend to pay much less than the initial ransom demand, resulting in a significant reduction in the amount asked. There has been a fair amount of negotiation between the victims and the pirates, and on average only half of the original demand was paid (52.7%). It is important to note that only one victim among the sample paid the full amount without negotiating with the con artist. 

In some interesting cases, ransomware hackers have adopted a very professional, congenial approach to communicating with victims when faced with ransomware threats. As a security vulnerability exposer, they will bill victims for their service and present themselves as a threat to your computer system. In addition to victimizing, victims sometimes engage in friendly banter with their attackers, which may suggest that their relationship with their attackers is unusual. 

There is No Set Deadline


The most common thing that victims negotiate with their lawyers is an extended deadline. When a victim appears willing to pay for the hack, it is free for the hackers, as long as they are willing to negotiate and take the victim to the table. The fact that hackers proposed reducing the ransom so long as the payment was posted as quickly as possible was a big clue that they were hacking.  

When hackers start negotiations, they often use this response as their first gesture as they want to initiate transactions as soon as possible, however, they are willing to extend this deadline as long as they feel progress is being made, or they think the victim is in the process of obtaining funds. 

A facade of civility conceals the fact that there are threats hidden both within and without the facade. When negotiations are at an impasse, hackers challenge their victims, taunt them, and issue ultimatums to end the negotiations. Even though negotiating with ransomware hackers is generally not recommended, a better understanding of how these negotiations happen can provide valuable insights into how to combat ransomware attacks in the future. 

Avoid Dealing With the Devil 


Even though anonymous company representatives may have come away relatively unscathed, this should not be taken as a sign that you should negotiate with ransomware groups – quite the opposite. 

It is important to remember that even though the company's sample set of transcripts did not show hackers reneging on their commitment to release the hostage data as soon as the victim paid for it, there is no guarantee that even if they release the data, they will not make a copy of it to sell it to others.   

Cybercriminal activity comes with a variety of risks, and this is just one of them. According to Max, there is no reason for the bad guys to carry out their plans since they have no incentive to do so. The money has been delivered, and that is a task completed for them, so they feel satisfied with their work.

One way to stick it to ransomware groups is to make sure you never fall prey to their ruse in the first place, but that should go without saying. As a result, most of the time, it is possible to prevent the vulnerability of individuals and companies to hackers by implementing some best practices. 

According to PCMag, the first step you should take is to implement a password policy that requires all passwords to be unique with at least 20 characters. There is an easy and essential policy that each employee with a work account should adhere to.

Furthermore, there should be a similar policy in place for all personal accounts of employees. Keeping that in mind, we strongly recommend you use a reliable password manager for managing your passwords across multiple accounts so that you can create and manage them easily. 

In addition, it is critical to ensure that all the devices installed on the work premises, such as smartphones and tablets, have security features enabled in their configurations. Ensure that you patch and update your operating system and software regularly, and be sure to perform regular backups of your data as well. For those users who are looking to protect themselves from ransomware, there is a wide variety of apps that can assist you.
Read more »
Subscribe to: Posts (Atom)