Sophos Uncovered Connection Between Mount Locker and Astro Locker Team

Sophos has published a report on a newly identified link between the Mount Locker ransomware group and a group calling itself "Astro Locker Team." Sophos recently responded to ransomware on an organization's unprotected machines that had all the hallmarks of Mount Locker. When its incident responders followed the link in the ransom note to the attackers' chat and support site, however, they found a near-unknown group calling itself "AstroLocker Team" or "Astro Locker Team." Astro Locker looks like a new ransomware family, but appearances can deceive.

Comparing the Astro Locker leak site with the Mount Locker leak site, investigators noticed that all five organizations listed on the Astro Locker site were also listed as victims on the Mount Locker site. The size of the leaked data for each of the five matched, and the two sites shared some of the same links to it. Looking at the matching links more closely, Sophos found one more connection: some of the leaked data linked from the Mount Locker site was hosted on the Astro Locker onion site, http[:]//anewset****.onion.

“In recent incidents where Sophos experts investigated and neutralized an active Mount Locker attack, we noticed various techniques that suggest these attackers are not as sophisticated as other ransomware groups like Ryuk, REvil and DoppelPaymer,” said Peter Mackenzie, manager of Sophos’s Rapid Response team. “It is possible that the Mount Locker group wants to rebrand themselves to create a new and more professional image, or it could be an attempt to kickstart a true ransomware-as-a-service (RaaS) program. Regardless, if any organizations become a victim of Astro Locker in the future, they should investigate the TTPs of both Mount Locker and Astro Locker.” 

Mackenzie suggested that Mount Locker may be using the Astro name to pretend it has a significant new affiliate for its RaaS program, or that the arrangement may be a genuine deal intended to speed its transition into a RaaS operation.

“Branding is a powerful force for ransomware groups. Good branding can come from a single threat group being skilled at hitting high-value targets and avoiding detection — such as DoppelPaymer — or by running a successful RaaS network — like Sodinokibi or Egregor. Powerful branding with ransomware groups can strike fear in targets and lead to a higher likelihood of pay-outs,” he concluded.

Hackers Send Fake Census Form Alerts to UK Respondents

The United Kingdom, like many countries, runs a census every ten years. The census asks residents a number of questions about their address, age, name, nationality, employment, health, education and language. Participation is mandatory and respondents are obliged to answer.

The census is held in years ending in 1, with the exception of Scotland, where it was postponed to 2022 because of the Covid-19 pandemic. Because of the pandemic most respondents are completing the form online: the government posts each household a unique 16-digit access code, and the respondent enters it on the official census website instead of filling in a paper form and posting it back. A household that has not completed the form by Census Day, 21 March 2021, receives a series of reminder letters, each carrying a unique 16-digit code, and can be fined up to £1,000 for failing to respond.
 
Naked Security reports, "the criminals did make some grammatical mistakes in their forms that a native speaker of English might notice, and these would be another giveaway, along with the fake domain name, but the crooks have cloned the UK Office for National Statistics “look and feel” very believably."
 
Stay alert for forged forms

If you have not completed the form yet but intend to, be wary of fake "census reminders" sent by the attackers. If you have already completed it, be equally wary of messages claiming that your details need correcting. The attackers are exploiting the online census to lure respondents onto phishing pages and steal their personal data.

The fake form asks for your postcode rather than your 16-digit access code (the attackers could have mailed out fake 16-digit codes, but chose not to), and then walks you through questions much like those on the real form. The difference is where the answers go: to the attackers instead of to the Office for National Statistics.

 
How to stay safe?

1. Check the domain name in the address bar before entering anything: the form should be on the official government census site and nowhere else.

2. Do not follow links to the census that arrive by SMS or e-mail; type the official address yourself.

3. Read any text message carefully before acting on it. The wrong domain, odd grammar and pressure to act immediately are the giveaways noted above.
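The three checks above come down to one question: does the link really point at the official site? The script below is an added example, not code from the article or from the ONS. It assumes census.gov.uk is the legitimate host (an assumption of the example, not a statement from the page) and runs over constructed messages that use the tricks phishing kits rely on: the real name as a prefix of another domain, a hyphenated look-alike, and user-info before an "@" that hides the real host.

```python
"""Decide whether a link in a "census reminder" really points at the official site.

Added example, not code from the article or from the ONS. The legitimate host
(census.gov.uk) and the messages below are assumptions made for illustration.
"""
from urllib.parse import urlsplit

LEGIT_HOST = "census.gov.uk"   # assumed legitimate host for this example

# Constructed messages, not real texts from the campaign.
SAMPLES = [
    "Reminder: complete your census at https://census.gov.uk/",
    "URGENT: avoid a fine, fill in your census now https://census.gov.uk.verify-form.com/start",
    "Final notice http://census-gov.uk/fill",
    "Your code is ready: https://census.gov.uk@198.51.100.7/login",
    "Visit https://CENSUS.GOV.UK./form",
    "No link here, just a reminder.",
]


def extract_urls(text: str) -> list[str]:
    """Pull http(s) links out of free text (trailing punctuation stripped)."""
    return [tok.rstrip(".,;)") for tok in text.split()
            if tok.lower().startswith(("http://", "https://"))]


def classify_url(url: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'legit' or 'suspect'."""
    parts = urlsplit(url)
    # .hostname is lower-cased and has user-info and port removed; a trailing
    # dot (absolute DNS name) survives, so strip it as well.
    host = (parts.hostname or "").rstrip(".")
    if "@" in parts.netloc:
        return "suspect", f"text before '@' is user-info; the real host is {host!r}"
    if host == LEGIT_HOST or host.endswith("." + LEGIT_HOST):
        if parts.scheme != "https":
            return "suspect", "official site is served over HTTPS only"
        return "legit", f"host {host!r} is the official domain"
    squashed = host.replace(".", "").replace("-", "")
    if LEGIT_HOST.replace(".", "") in squashed:
        return "suspect", f"look-alike host {host!r} embeds the official name"
    return "suspect", f"host {host!r} is not the official domain"


def triage(messages: list[str]) -> list[tuple[str, str, str]]:
    """Classify every link in every message as (url, verdict, reason)."""
    out = []
    for msg in messages:
        for url in extract_urls(msg):
            verdict, reason = classify_url(url)
            out.append((url, verdict, reason))
    return out


if __name__ == "__main__":
    for url, verdict, reason in triage(SAMPLES):
        print(f"{verdict:7} {url}  ({reason})")
```

The point of the example is that a naive "does the link contain census.gov.uk" test passes three of the four forgeries; only parsing the URL and comparing the registrable host does the job.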
 

FBI & CISA Warns of Active Attacks on Fortinet FortiOS Servers

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a Joint Cybersecurity Advisory (CSA) warning users and administrators of active exploitation of three vulnerabilities in Fortinet FortiOS. FortiOS is the operating system that runs Fortinet's FortiGate firewalls and their SSL VPN portal, so a flaw in it sits directly on the network edge.

According to the advisory, APT actors are scanning for and exploiting unpatched FortiOS devices belonging to technology services companies, government agencies and other private-sector organizations. The vulnerabilities targeted are CVE-2018-13379, a path traversal in the SSL VPN web portal (CVSS base score 9.8); CVE-2020-12812, an improper authentication flaw (CVSS base score 9.8); and CVE-2019-5591, a default-configuration vulnerability (CVSS base score 7.5). All three were disclosed and patched in 2019 and 2020.

CVE-2018-13379 in particular has been exploited since shortly after its disclosure in 2019. That year the U.S. National Security Agency warned that nation-state actors were exploiting it alongside other VPN flaws, and a joint CISA/FBI advisory in October 2020 on attacks against federal, state and local U.S. government networks also named it.

“The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks. APT actors may use the other CVEs or common exploiting techniques – such as spear-phishing – to gain access to critical infrastructure networks to pre-position for follow-on attacks,” the advisory read.

Carl Windsor, Fortinet field chief technology officer responded to the joint advisory by stating that Fortinet has already patched the flaws and is educating the customers regarding the vulnerabilities.

“The security of our customers is our first priority. CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019 and July 2020 strongly recommending an upgrade. Upon resolution we have consistently communicated with customers, as recently as late as 2020,” he further stated.
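CVE-2018-13379 is a path traversal, the class of bug in which a crafted request walks out of the web root and reads a file it should not. The detector below is an added example, not code from the advisory or from Fortinet, and it is deliberately generic: it does not reproduce any request used against FortiOS, only the normalisation steps (repeated percent-decoding, collapsing repeated slashes, resolving "..") that a simple substring match for "../" misses. The log lines are constructed in common-log style.

```python
"""Flag requests whose path escapes the web root after full normalisation.

Added example, not from the advisory or Fortinet. Generic path-traversal
detection logic; the log lines below are constructed, not real traffic.
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.9 - - [07/Apr/2021:10:01:02 +0000] "GET /remote/login HTTP/1.1" 200
203.0.113.9 - - [07/Apr/2021:10:01:05 +0000] "GET /images/../../../../etc/passwd HTTP/1.1" 200
198.51.100.4 - - [07/Apr/2021:10:02:11 +0000] "GET /static/%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 404
198.51.100.4 - - [07/Apr/2021:10:02:12 +0000] "GET /static/%252e%252e/%252e%252e/x HTTP/1.1" 404
192.0.2.77 - - [07/Apr/2021:10:03:00 +0000] "GET /docs/a/../b/index.html HTTP/1.1" 200
192.0.2.77 - - [07/Apr/2021:10:03:01 +0000] "GET /a/..//////..////..//etc/hosts HTTP/1.1" 200
"""


def decode_fully(s: str, limit: int = 3) -> str:
    """Percent-decode until stable; attackers double-encode to slip past single decoders."""
    for _ in range(limit):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def escape_depth(target: str) -> int:
    """How many levels above the web root the path climbs; 0 means it stays inside."""
    path = decode_fully(target.split("?", 1)[0]).replace("\\", "/")
    depth = worst = 0
    for seg in path.split("/"):
        if seg in ("", "."):          # '//' and '.' segments do not move
            continue
        if seg == "..":
            depth -= 1
            worst = min(worst, depth)
        else:
            depth += 1
    return -worst


def find_traversal(log_text: str) -> list[dict]:
    """Return the requests that escape the root, with the response status for prioritising."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        depth = escape_depth(m["target"])
        if depth > 0:
            hits.append({"src": m["src"], "target": m["target"],
                         "status": int(m["status"]), "depth": depth})
    return hits


if __name__ == "__main__":
    for h in find_traversal(SAMPLE_LOG):
        print(f'{h["src"]:13} depth={h["depth"]} status={h["status"]} {h["target"]}')
```

Two details matter in practice. A request such as /docs/a/../b/index.html uses ".." but never leaves the root and is not flagged, which keeps the rule quiet on applications that emit relative paths. And the response status is kept with each hit: a traversal that came back 200 is the one to investigate first, because the server handed something over.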

Facebook Data Breach: How To Check If Your Details Were Leaked

By now you will have heard that Facebook has suffered a very large-scale data breach affecting more than 533 million users in over 100 countries.

The data, posted on an online forum, included phone numbers, Facebook IDs, locations, photos and other details and, in some cases, e-mail addresses. Ironically, the personal data of Facebook's founder and CEO, Mark Zuckerberg, was among it.

This article explains how to check whether your data was part of the breach, and how to check for other past leaks at the same time.

The first step is to visit Have I Been Pwned and enter your e-mail address or the phone number attached to your account. If that address or number appears in the Facebook data it will tell you, and it will also list any other known breaches in which your details have appeared.

Have I Been Pwned was created by security researcher Troy Hunt, who was initially reluctant to add phone-number search because of the privacy risks, but added it after this leak.

Another option is the site The News Each Day, where entering your phone number returns a plain answer on whether it appears in the leaked data.

Anyone whose details appear should change the passwords of any affected accounts, treat unsolicited calls and messages that quote the leaked details with suspicion, and consider identity-theft monitoring.

The data of potential borrowers of Bank Dom.RF are being sold on the Internet

The data were obtained through a leak. A representative of the bank attributed it to a vulnerability in the remote submission of initial applications for cash loans.

Data about people who applied for a loan from Bank Dom.RF were put up for sale on the Internet. The bank confirmed the leak. The Central Bank is conducting a check.

The data on Russian citizens was put up for sale on a specialised website. The listing was published on April 3. According to the sellers, they hold more than 100,000 records on people who applied for a bank loan. The records date from 2020-2021 and may include the requested loan amount, phone numbers, e-mail addresses, full names, dates of birth, passport details, TIN, SNILS, home and work addresses, job title, income and details of proxies. The full database is priced at 100 thousand rubles ($1,308) and individual lines at 7-15 rubles ($0.09-0.20).

Bank Dom.RF belongs to the state-controlled housing-sector development institution of the same name. It is in the top 20 Russian banks by capital and the top three by mortgage portfolio. It was formed in 2017 on the basis of the bank Rossiyskiy Kapital, which is being reorganized.

Dom.RF said the leak was due to a vulnerability in the remote submission of initial cash loan applications, and that the leaked data do not give access to customer accounts. "As part of operational work it was eliminated in a short time; at the moment all the bank's systems are functioning normally. For preventive purposes the security service of Dom.RF checked the integrity of all other systems of the bank and found no violations," the bank reported.

Russian media have already tested the database by contacting people in it. Six responded, and four of them confirmed that they had applied to the bank for a loan or were already its clients.

The Less Progressive but Consistent, Cycldek Threat Actors

Sharing tools and techniques across the nebula of Chinese-speaking threat actors is fairly common. The well-known "DLL side-loading triad" is one example. DLL side-loading is an effective technique that abuses the way Windows applications locate and load dynamic link libraries: a legitimate, signed executable, a malicious DLL bearing the name of one the executable expects, and an encrypted payload are typically dropped together by a self-extracting archive, and the executable loads the attacker's DLL instead of the real one. Initially regarded as a LuckyMouse signature, the triad has since been observed with other groups such as HoneyMyte. That means attacks relying on the technique alone cannot be attributed, but detecting the triads reliably still exposes a growing amount of malicious activity.

Researchers have identified a malware sample, known as the FoundCore loader, that was used against high-profile organizations in Vietnam. At a high level the infection chain begins with FINDER.exe (a legitimate Microsoft Outlook component), which side-loads outbill.dll (a malicious loader). The loader hijacks execution, then decrypts and runs shellcode stored in a companion file, rdmin.src.

The final payload, FoundCore, is a remote access tool that gives its operators full control of the victim machine. On execution it starts four threads. The first establishes persistence by creating a service. The second makes the service look innocuous by setting its 'Description', 'ImagePath', 'DisplayName' and other fields. The third sets an empty DACL (SDDL "D:P") on the image of the current process to block access to the underlying malicious file. The fourth, the worker thread, bootstraps execution and connects to the C2 server; depending on its configuration it can also inject a copy of itself into another process. FoundCore supports commands to manipulate the filesystem, manipulate processes, execute arbitrary commands and capture screenshots. Two further pieces of malware, DropPhone and CoreLoader, were delivered during the attacks.

Cycldek, also known as Goblin Panda and Conimes, has been active since 2013 and is known for targeting government bodies in Vietnam and elsewhere in South-East Asia. In June 2020 a report described custom malware the group used to exfiltrate data from air-gapped systems, a clear sign of development for a group considered less sophisticated. According to Kaspersky, the more recent attacks show even more sophistication.

In the attack on a high-profile Vietnamese organization, a legitimate Microsoft Outlook component was abused to load a DLL that ran shellcode acting as the loader for the FoundCore RAT. Cycldek has been regarded as one of the less advanced threat actors in the Chinese-speaking world, but its targeting is consistent.
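The triad described above leaves a recognisable trace in image-load telemetry: a signed executable loading an unsigned DLL from its own directory, somewhere outside the normal install roots. The hunt below is an added example, not Kaspersky's code and not data from the Cycldek campaign. Its records are constructed JSON lines shaped like Sysmon event 7 (ImageLoaded) fields for the loaded DLL, plus three assumed enrichment fields (ImageSigned, ImageSignature, ImageSignatureStatus) describing the loading executable, which a real pipeline would join from process-creation events; the trusted-root list and the list of often-impersonated DLL names are assumptions too.

```python
"""Hunt for the DLL side-loading triad in image-load telemetry.

Added example, not Kaspersky's code and not data from the Cycldek campaign.
Records are constructed JSON lines in Sysmon event 7 style for the loaded DLL,
plus assumed enrichment fields describing the loading executable.
"""
import json
import ntpath

# Assumed: directories where a signed EXE loading a sibling DLL is expected.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed short list of DLL names that side-loaders habitually impersonate.
OFTEN_IMPERSONATED = {"version.dll", "dwmapi.dll", "cryptbase.dll", "uxtheme.dll"}

EVENTS = r"""
{"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "ImageLoaded": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLLIB.DLL", "ImageSigned": "true", "ImageSignature": "Microsoft Corporation", "ImageSignatureStatus": "Valid", "Signed": "true", "Signature": "Microsoft Corporation", "SignatureStatus": "Valid"}
{"Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\pkg\\viewer.exe", "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\pkg\\util.dll", "ImageSigned": "true", "ImageSignature": "Microsoft Corporation", "ImageSignatureStatus": "Valid", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\pkg\\viewer.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "ImageSigned": "true", "ImageSignature": "Microsoft Corporation", "ImageSignatureStatus": "Valid", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"Image": "C:\\Users\\bob\\Downloads\\setup\\updater.exe", "ImageLoaded": "C:\\Users\\bob\\Downloads\\setup\\version.dll", "ImageSigned": "true", "ImageSignature": "Example Software Ltd", "ImageSignatureStatus": "Valid", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
{"Image": "C:\\Users\\bob\\tools\\build.exe", "ImageLoaded": "C:\\Users\\bob\\tools\\helper.dll", "ImageSigned": "false", "ImageSignature": "", "ImageSignatureStatus": "Unavailable", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
"""


def load_events(text: str) -> list[dict]:
    """One JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def in_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def side_load_candidates(events: list[dict]) -> list[dict]:
    """A signed EXE loading an unsigned DLL from its own directory, outside install roots."""
    hits = []
    for ev in events:
        exe, dll = ev["Image"], ev["ImageLoaded"]
        same_dir = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
        exe_trusted = ev["ImageSigned"] == "true" and ev["ImageSignatureStatus"] == "Valid"
        dll_untrusted = ev["Signed"] != "true" or ev["SignatureStatus"] != "Valid"
        if not (same_dir and exe_trusted and dll_untrusted and not in_trusted_root(dll)):
            continue
        reasons = ["signed executable loads unsigned sibling DLL outside install roots"]
        if ntpath.basename(dll).lower() in OFTEN_IMPERSONATED:
            reasons.append("DLL name collides with a system DLL")
        hits.append({"exe": exe, "dll": dll, "exe_signer": ev["ImageSignature"],
                     "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in side_load_candidates(load_events(EVENTS)):
        print(h["exe"], "->", h["dll"], "|", "; ".join(h["reasons"]))
```

The rule is narrow on purpose. An unsigned executable loading an unsigned DLL (build.exe above) is not flagged, because that is a much noisier signal and not the triad; a signed executable loading a signed system DLL from System32 is the normal case and is also left alone. What remains is exactly the pattern the text describes, and the extra reason for a DLL whose name collides with a well-known system library is what makes a hit worth opening first.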

Furniture Retailer Vhive's Data Breach: Customer Information Leaked Online, Under Investigation

The authorities are investigating a data breach at Singapore furniture retailer Vhive in which customers' personal information, including phone numbers and home addresses, was leaked online. Responding to questions from The Straits Times on Saturday, April 3, police confirmed that a report had been filed.

According to the company, information compromised in the hack includes customers' names, physical and e-mail addresses, and mobile numbers, but it did not include identification numbers or financial information.

In a Facebook post on March 29, Vhive announced that its server was hacked on March 23 and that it was working with police and other relevant agencies, as well as IT forensic investigators, to investigate the breach. 

"All financial records in relation to purchases made with Vhive are held on a separate system which was not hacked," said Vhive. 

"We are truly sorry for the incident and stand ready to assist you if you require immediate help," Vhive told customers. 

According to ST's checks on Saturday afternoon, Vhive's e-mail servers were also affected. Its website displayed only a notice about the cyberattack, while the company's stores on the Lazada and Shopee online marketplaces remained open for business.

The Altdos hacking group, which operates mainly in South-East Asia, has claimed responsibility. In an e-mail to affected customers on Saturday, Altdos said it had broken into Vhive three times in nine days and claimed to have stolen the records of more than 300,000 customers and nearly 600,000 transaction records.

The group announced that it will publish 20,000 customer records daily until its demands to Vhive’s management are met. In its Facebook statement, Vhive said it would be closely guided by the forensic investigator and authorities on the steps to protect its systems and ensure that customers can conduct transactions securely. 

In previous incidents Altdos has stolen customer data, blackmailed the victim company, leaked the data online when its demands were not met, and publicised the breaches. Its attacks have mainly targeted stock exchanges and financial institutions.

In January, Altdos claimed to have broken into the IT infrastructure of the Bangladeshi conglomerate Beximco Group and stole data from 34 of its databases. 

Last December it hacked a Thai securities trading firm and posted the stolen data online when the firm allegedly failed to acknowledge its e-mails and claims.

BCPS Hit by Conti Ransomware Gang, Hackers Demanded $40 Million Ransom

Several weeks ago the Conti ransomware gang encrypted systems at Broward County Public Schools and threatened to release sensitive personal information on students and staff unless the district paid a $40 million ransom. BCPS, the country's sixth-largest school district with an annual budget of about $4 billion, told parents on March 7 about a network outage that disrupted online teaching, but the new information shows the incident was far more serious.

As first reported by DataBreaches.net, the attackers threatened to publish a large trove of personal information, including the Social Security numbers of students, teachers and employees, addresses, dates of birth and school district financial contact information. "Upon learning of this incident, BCPS secured its network and commenced an internal investigation," the district's statement said. "A cybersecurity firm was engaged to assist. BCPS is approaching this incident with the utmost seriousness and is focused on securely restoring the affected systems as soon as possible, as well as enhancing the security of its systems."

The attackers published screenshots of a chat from mid-March between them and a district official, evidently a negotiation over the return of the stolen documents.

“The good news is that we are businessmen,” the text message from the hackers said. “We want to receive ransom for everything that needs to be kept secret, and don’t want to ruin your reputation. The amount at which we are ready to meet you and keep everything as collateral is $40,000,000.” 

After weeks of negotiation the attackers lowered their demand to $10 million. Under district policy, that sum is the most the district can pay without school board approval.

Broward County's was one of several ransomware attacks on educational institutions in the past two weeks. The Clop ransomware gang was especially active, with reported cases at the University of Maryland, Baltimore County (UMBC); the University of California, Merced; the University of Colorado; and the University of Miami. Jamie Hart, cyber threat intelligence analyst at Digital Shadows, noted that these were Clop extortion attempts using data taken in the Accellion FTA breach.

Hackers Exploit Windows BITS Feature To Launch Malware Attack

Microsoft introduced the Background Intelligent Transfer Service (BITS) in Windows XP to coordinate large file uploads and downloads with minimal impact on the user. System components and applications, Windows Update in particular, use it to deliver OS and application updates with as little disruption as possible. Applications interact with BITS by creating jobs that contain one or more files to download or upload. BITS runs as a service, so a transfer can proceed whenever the service is running, whether or not the requesting application still is; file, state and job information is kept in a local database.

How do attackers abuse BITS?

Like any other technology, BITS is used by legitimate applications and abused by attackers. When a malicious application creates a BITS job, the upload or download is performed in the context of the service host process (svchost.exe). That helps the attacker evade host firewalls and monitoring that would block or flag suspicious processes, because the application that requested the transfer is hidden behind the service. Transfers can also be scheduled for later, so they happen at chosen times without the attacker depending on the Task Scheduler or a long-running process of their own.

Because BITS transfers are asynchronous, the application that created a job may no longer be running when the requested transfer completes. To handle that, a job can be given a user-specified notification command that BITS runs when the job completes or fails. That command can be any executable or command line, and attackers have used it as a persistence mechanism to relaunch malicious programs.

Because job data, including the notification command, is stored in the BITS database rather than in the usual registry run keys or startup folders, tools that enumerate persistent executables or commands may overlook it. Jobs can be created with the bitsadmin command-line tool or through the BITS API. As security firm FireEye puts it, "the Background Intelligent Transfer Service continues to provide utility to applications and attackers alike. The BITS QMGR database can present a useful source of data in an investigation or hunting operation. BitsParser may be utilized with other forensic tools to develop a detailed view of attacker activity."
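A hunt over BITS jobs should look for precisely the features described above: a notification command line (persistence), transfers to or from hosts that are not update infrastructure (download of a payload, or upload of collected data), and files landing in user-writable locations. The script below is an added example, not FireEye's BitsParser and not code from the article. Its input is constructed to resemble the output of bitsadmin /list /allusers /verbose; the exact field labels, the allow-list of update hosts and the user-writable path markers are assumptions of the example, to be replaced with what your own listing and environment look like.

```python
"""Triage BITS jobs for the abuse patterns described above.

Added example, not FireEye's BitsParser and not code from the article. The
listing is constructed to resemble `bitsadmin /list /allusers /verbose`
output; field labels, the host allow-list and the path markers are assumptions.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

EXPECTED_HOSTS = {"download.windowsupdate.com", "msedge.b.tls.microsoft.com"}  # assumed allow-list
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")     # assumed markers

# Constructed listing: one benign update job, one download with a notify
# command, one upload of a user's document to an unknown host.
SAMPLE_LISTING = """\
GUID: {A1B2C3D4-0000-0000-0000-000000000001} DISPLAY: 'EdgeUpdate'
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: NT AUTHORITY\\SYSTEM
NOTIFICATION COMMAND LINE: none
FILE LIST:
 2048 / 2048 WORKING https://msedge.b.tls.microsoft.com/edge.cab -> C:\\Windows\\SoftwareDistribution\\Download\\edge.cab
GUID: {A1B2C3D4-0000-0000-0000-000000000002} DISPLAY: 'Updater'
TYPE: DOWNLOAD STATE: TRANSIENT_ERROR OWNER: DESKTOP-1\\alice
NOTIFICATION COMMAND LINE: C:\\Users\\alice\\AppData\\Roaming\\svc.exe -run
FILE LIST:
 0 / UNKNOWN WORKING http://198.51.100.7/a.bin -> C:\\Users\\alice\\AppData\\Roaming\\a.bin
GUID: {A1B2C3D4-0000-0000-0000-000000000003} DISPLAY: 'Backup'
TYPE: UPLOAD STATE: TRANSFERRING OWNER: DESKTOP-1\\alice
NOTIFICATION COMMAND LINE: none
FILE LIST:
 10 / 500 WORKING C:\\Users\\alice\\Documents\\q1.zip -> https://203.0.113.20/put
"""


@dataclass
class BitsJob:
    guid: str
    name: str
    type: str
    owner: str
    notify: str
    files: list = field(default_factory=list)   # (remote_url, local_path) pairs


FIELD_RES = {
    "name": re.compile(r"DISPLAY: '([^']*)'"),
    "type": re.compile(r"^TYPE: (\w+)", re.M),
    "owner": re.compile(r"OWNER: (.+)$", re.M),
    "notify": re.compile(r"^NOTIFICATION COMMAND LINE: (.+)$", re.M),
}
FILE_RE = re.compile(r"^\s*\S+ / \S+ \w+ (\S+) -> (\S+)$", re.M)


def parse_listing(text: str) -> list[BitsJob]:
    """Split the listing into jobs at each 'GUID:' line and pull the fields we need."""
    jobs = []
    for chunk in re.split(r"^(?=GUID: )", text, flags=re.M):
        if not chunk.startswith("GUID: "):
            continue
        fields = {}
        for key, rx in FIELD_RES.items():
            m = rx.search(chunk)
            fields[key] = m.group(1).strip() if m else ""
        job = BitsJob(chunk.split()[1], fields["name"], fields["type"], fields["owner"], fields["notify"])
        for a, b in FILE_RE.findall(chunk):
            remote, local = (a, b) if "://" in a else (b, a)   # uploads list the URL second
            job.files.append((remote, local))
        jobs.append(job)
    return jobs


def triage(job: BitsJob) -> list[str]:
    """Findings for one job; an empty list means nothing stood out."""
    findings = []
    if job.notify.lower() != "none":
        findings.append(f"notification command set: {job.notify}")
        if any(m in job.notify.lower() for m in USER_WRITABLE):
            findings.append("notification command runs from a user-writable path")
    for remote, local in job.files:
        host = urlsplit(remote).hostname or ""
        if host not in EXPECTED_HOSTS:
            findings.append(f"{job.type.lower()} to/from unexpected host {host}")
        if remote.lower().startswith("http://"):
            findings.append(f"cleartext transfer {remote}")
        if job.type == "DOWNLOAD" and any(m in local.lower() for m in USER_WRITABLE):
            findings.append(f"download lands in user-writable path {local}")
    return findings


def triage_listing(text: str) -> dict[str, list[str]]:
    return {job.name: triage(job) for job in parse_listing(text)}


if __name__ == "__main__":
    for name, findings in triage_listing(SAMPLE_LISTING).items():
        print(name, "->", findings or "ok")
```

Two of the three jobs stand out. The 'Updater' job shows the persistence trick from the text (a notification command pointing into the user's profile) on top of a cleartext download from an unlisted host, and the 'Backup' job shows why upload jobs deserve the same scrutiny: BITS moves data out as quietly as it brings payloads in. The job owner is kept on the record so that SYSTEM-owned jobs created outside patch windows can be filtered on next.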

Child Tweets Gibberish from US Nuclear Agency Account

An unintelligible tweet from the official account of U.S. Strategic Command, which oversees the nation's nuclear arsenal, caused a stir last weekend. Some joked that the cryptic ";l;;gmlxzssaw" was a nuclear launch code; others read it as a message to conspiracy theorists.

U.S. Strategic Command has now explained that a young child of the account's social media manager accidentally posted the tweet, which was deleted within minutes. Some saw the tweet as a possible compromise of the account, among them Mikael Thalen, a journalist with the Daily Dot, who filed a Freedom of Information Act (FOIA) request to find out what had happened.

“Filed a FOIA request with U.S. Strategic Command to see if I could learn anything about their gibberish tweet yesterday. Turns out their Twitter manager left his computer unattended, resulting in his ‘very young child’ commandeering the keyboard,” Thalen wrote on his Twitter account. 

“The command’s Twitter manager…momentarily left the command’s Twitter account open and unattended. His very young child took advantage of the situation and started playing with the keys and unfortunately, and unknowingly, posted the tweet. Absolutely nothing nefarious occurred, i.e., no hacking of our Twitter account. The post was discovered and notice to delete it occurred telephonically,” U.S. Strategic Command responded. 

The incident illustrates a point from Kaspersky research: remote workers are more exposed to lapses and outside attacks, and an unlocked, unattended session is one of the simplest. "Lockdown has been a stressful time for everyone…without additional support from young employers, young people and caregivers could continue to deviate further from pre-set and learned IT security rules, exposing their companies to further increased security risk," said Margaret Cunningham, principal researcher at Forcepoint.

Molson Coors "Cyberattack Incident" Could Cost Company $140 Million

Molson Coors, producer of well-known brands including Molson Canadian, Coors Light, Miller Lite, Carling, Blue Moon and Coors Banquet, has disclosed that a cyberattack severely affected its business, including brewery operations, production and shipments.

The brewing giant said the disruption to its brewery operations will cost it up to $140 million. Officials added that the company is working to return to normal, but production and shipping have yet to reach normal operating levels.

“Despite this progress led by the significant efforts of the Molson Coors team, along with the support of leading forensic information technology firms and other advisors, the Company has experienced and continues to experience some delays and disruptions in its business, including brewery operations, production, and shipments in the U.K., Canada, and the U.S.,” a March 26 statement reads. 

The company has not said what caused what it calls a "cybersecurity incident", but it comes amid a wave of malware and ransomware attacks affecting companies worldwide, including healthcare providers, computer maker Acer and IoT provider Sierra Wireless.

The company said the incident will affect its first quarter, and therefore its 2021 financial results, though it has not itemised the cost of the attack separately.

According to the company, “the cybersecurity incident and the February winter storms in Texas will shift between 1.8 and 2.0 million hectoliters of production and shipments from the first quarter 2021 to the balance of the fiscal year 2021 and will also shift between $120 million to $140 million of underlying EBITDA from the first quarter 2021 to the balance of the fiscal year 2021.” 

The company has yet to share technical details of the incident, but several experts speculate that ransomware was involved.

“We notified law enforcement and are cooperating in their investigation. We also have notified and are working with all of our relevant insurance companies,” the company said in a statement.