Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Verizon
Mobile Security Personal Information Phishing scam Spam SMS Verizon

Verizon Phishing Scam Uses Text Messages to Target Customers

 

Verizon subscribers had started to get malicious texts from unknown senders, according to a report published by Phone Arena on Saturday, October 9. Sending messages to a receiver using a suspicious phone number is a phishing technique. The precise contact number is 562-666-1159, and it informs users that their prior month's fee has already been paid. The exact message reads as follows: "Verizon Free Message: Sept bill is paid. Thanks, (first name of the customer)! Here's a little gift for you." 

According to Phone Arena, the majority of Verizon customers have already paid their September bills. As a result, the old invoice suggested that the hacker's message was entirely fictitious. In addition, Verizon is unlikely to deliver a gift to users who have paid their bills in advance. This current phishing attack could indicate that the user's personal information is about to be stolen. 

This attack was similar to what T-Mobile customers experienced previously. Phone Arena said it's conceivable that the phone numbers used to send the phoney messages came from T-Mobile's recent data hack, which affected 48 million members. The text pretended to be from T-Mobile and promised the recipients of the message a $100 free gift as compensation for an outage that occurred somewhere around that time. 

The way T-Mobile was spelled as Tmobile was one of the obvious clues that the whole affair was a hoax. The truth was hidden in the tiny print: the SMS was sent by a marketing firm with no ties to T-Mobile, and the firm was attempting to acquire information about T-Mobile consumers, presumably gathering confirmed phone numbers of the carrier's subscribers.

Coming back to Verizon, the cybercriminals behind the text message will request personal information from subscribers. If a subscriber falls for this ruse, his or her security number, bank account number, and other personal data will be stolen. The threat actor would have access to the required details of a subscriber's Verizon account if this happened. Once the scam is successful, the hackers will order a phone that the user will have to pay for. 

If customers are concerned whether a text or email is real, they should phone the carrier and inquire if someone from that company sent them the message in question, according to Phone Arena. They also recommended that anyone having a wireless account set up a password or PIN to keep their account safe from prying eyes.
Read more »
Vulnerabilities and Exploits
National Cyber Security Russia Russian Cyber Security Vulnerabilities and Exploits

Half of the Russian websites of small and medium-sized enterprises have vulnerabilities

According to Tinkoff, almost half (46%) of online resources for SMEs in Russia have cybersecurity issues.

The most critical of the most common errors is the weak protection of cloud storage, threatening data leakage (identified in more than a quarter of organizations).

These disappointing statistics are based on the analysis of more than 40 thousand sites and databases of small companies / individual entrepreneurs. The most vulnerable areas in terms of information security were areas such as consulting, retail, and IT (44% of the problems found).

Most often (in 33% of cases) SMEs make domain verification errors. Such mistakes provoke the capture of a resource through data substitution.

The second place in the rating is taken by the threat of confidential information leakage arising from open access to the database or from the use of a weak password (27%). The ability to obtain a key by a simple brute-force attack allows an attacker to obtain personal data of customers and company employees, trade secrets, source codes of programs, etc.

The third most frequent cybersecurity error, according to Tinkoff, is SSL Unknown subject (15%). Such a problem during SSL-certificate verification threatens with interception and disclosure of data (MITM attack).

The researchers also found that the resources of SMEs are poorly protected from attacks by cryptographers (9%).

The top five problems also included another common error — an expired SSL certificate (7%). When the browser shows that the certificate is invalid, the site may fall out of access; as a result, the company loses potential customers.

“Unfortunately, cybersecurity is poorly developed in Russia and business does not realize how important it is to protect data. Firstly, the services of good and competent specialists are very expensive; secondly, after the crisis, companies direct working capital primarily for the purchase of goods and current needs,” comments Pavel Segal, First Vice President of “OPORA Russia”.

Read more »
Vulnerabilities and Exploits
Old Bugs ransomware attacks Ransomware families Security Patch Vulnerabilities and Exploits

Threat Actors are Still Exploting Old Bugs to Target Organizations

 

Cybersecurity researchers at Qualys have published a free ransomware risk and assessment tool designed to scan systems, identify flaws and finally automate patching and remediation.

Researchers at Qualys analyzed 36 leading ransomware families and their attacks in recent years. It was found that unpatched flaws, device misconfigurations, internet-facing assets, and cracked software were consistently ranked among the top attack vectors.

According to researchers, the top five CVEs exploited by leading ransomware families to target organizations worldwide, have been known for almost a decade and had vendor patches available. But because many organizations still haven't applied the available security updates, they remain susceptible to ransomware attacks. 

CVE-2012-1723, is the oldest of the top five vulnerabilities, a flaw in the Java Runtime Environment (JRE) component in Oracle Java SE 7, detailed in 2012. According to researchers, it's been commonly used to distribute Urausy ransomware. 

The other two other common flaws detailed by researchers are from 2013; CVE-2013-0431 is a vulnerability in JRE leveraged by Reveton ransomware, while CVE-2013-1493 is a vulnerability in Oracle Java that is exploited by Exxroute ransomware. In both cases, security updates have been available for more than eight years.

CVE-2018-12808, on the other hand, is a three-year-old bug in Adobe Acrobat, which is used to deliver ransomware via phishing emails and malicious PDF files. Both Ryuk ransomware and Conti ransomware have been known to use this attack method. The latest bug on the list is Adobe CVE-2019-1458, a privilege escalation flaw in Windows that appeared in December 2019 and has been commonly used by the NetWalker ransomware group.

“For IT and information security teams, applying all the patches needed to keep a network secure is often an uphill battle. The rate at which vulnerabilities are rising is exponentially higher than the rate at which operations teams are patching. This is the number one driving factor for why vulnerabilities remain unpatched It is easy for operations teams to get overwhelmed when they do not have a prioritized list of patches or software listings provided from security teams," Shailesh Athalye, SVP of product management at Qualys, stated. 

Threat actors exploit these flaws because they know many organizations don’t pay attention to the security updates and so they are actively searching for flaws that allow them to lay down the foundations for ransomware attacks.

"There is no silver bullet to prevent ransomware and remediate vulnerabilities, but overall, driving processes for reducing an attack surface should be the goal. The important part of vulnerability management is the combination of vulnerability assessment, prioritization, and remediation," Athalye further told.
Read more »
USA
Cyber Attacks Healthcare IT system OSF Healthcare Outage USA

Cyber Attacker had Prior Access to the IT Systems of OSF Healthcare Before Outage

 

The Journal Star reported that OSF HealthCare's computer systems were back up on April 25 following a two-day outage that forced the Peoria, Ill.-based health institution to implement downtime processes and policies. The outage occurred around 3:45 a.m. on April 23, as per the report. 

OSF HealthCare, based in Peoria, Ill.- started informing patients on October 1 that their personal health information had been exposed for more than six weeks as a result of a cyberattack on its IT systems earlier this year. At numerous OSF HealthCare hospitals and sites, the computer systems included patient information and records.

OSF HealthCare is a non-profit Catholic healthcare organization based in Illinois and Michigan that administers a medical group, hospital system, and other healthcare facilities. OSF HealthCare is owned and run by the Sisters of the Third Order of St. Francis and is headquartered in Peoria, Illinois. 

"During the outage, downtime procedures and protocols were closely followed, which included rescheduling some appointments and procedures," an OSF HealthCare spokesperson informed. "Patient safety is at the forefront of everything we do, and any decision to delay an appointment or procedure was made with safety in mind." 

OSF HealthCare announced on its website on Oct. 1 that the outage was caused by a data security problem. After conducting an investigation, the health system learned that an unauthorized entity obtained access to its networks from March 7 to April 23. The hacker gained access to various files relating to OSF Little Company of Mary and OSF Saint Paul patients. 

The compromised data include personally identifiable information, name, birthdates, Social Security numbers, treatment information, medication information, and health insurance information. As per the warning, financial information from a "smaller subset of patients" was also compromised. 

Patients whose Social Security numbers or driver's license information were disclosed will receive free credit and identity monitoring services from the health system. OSF HealthCare further stated that new precautions and technical security procedures have been adopted to safeguard its network infrastructure. 

OSF HealthCare operates 14 hospitals and a variety of other institutions throughout Illinois and Michigan. All institutions and facilities continued to operate and also admitted new patients during the April outage.
Read more »
virus
Advance Tools Backdoors Business Linux Linux RootKit malware Proxy Server remote access virus

ESET: FontOnLake Rootkit Malware Targets Linux Systems

 

Researchers have detected a new campaign that is potentially targeting businesses in Southeast Asia using previously unknown Linux malware that is designed to allow remote access to its administrators, as well as collect credentials and operate as a proxy server. 

The malware group, called "FontOnLake" by the Slovak cybersecurity firm ESET, is reported to entail "well-designed modules" that are constantly modified with a wide range of features, indicating an active development stage. 

According to samples uploaded to VirusTotal, the initial attacks employing this threat may have happened as early as May 2020. The same virus is being tracked by Avast and Lacework Labs under the name HCRootkit. 

ESET researcher Vladislav Hrčka stated, "The sneaky nature of FontOnLake's tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks." 

"To collect data or conduct other malicious activity, this malware family uses modified legitimate binaries that are adjusted to load further components. In fact, to conceal its existence, FontOnLake's presence is always accompanied by a rootkit. These binaries are commonly used on Linux systems and can additionally serve as a persistence mechanism." 

FontOnLake's toolkit consists of three components: trojanized copies of genuine Linux utilities utilized to load kernel-mode rootkits and user-mode backdoors, all of which interact through virtual files. The C++-based implants themselves are programmed to monitor systems, discreetly perform commands on networks, and steal account passwords. 

A second variation of the backdoor also function as a proxy, modify files, and download arbitrary files, while a third variant, in addition to combining characteristics from the other two backdoors, can run Python scripts and shell commands. 

ESET discovered two variants of the Linux rootkit that are based on an open-source project called Suterusu and share features like hiding processes, files, network connections, and itself, as well as being able to perform file operations and obtain and run the user-mode backdoor. 

Enterprise Password Management 

It is yet unknown how the attackers gained initial network access but the cybersecurity firm highlighted that the malicious actor behind the assaults is "overly cautious" to avoid leaving any traces by depending on multiple, unique command-and-control (C2) servers with different non-standard ports. All the C2 servers observed in the VirusTotal artifacts are no longer working. 

Hrčka stated, "Their scale and advanced design suggest that the authors are well versed in cybersecurity and that these tools might be reused in future campaigns." 

"As most of the features are designed just to hide its presence, relay communication, and provide backdoor access, we believe that these tools are used mostly to maintain an infrastructure which serves some other, unknown, malicious purposes."
Read more »
Threat actors
Cookies Credential stealing Crypto Wallets Cyber Security Threat actors

Vidar Stealer Abuses Mastodon to get C2 Configuration Without Raising Alarms

 

The Vidar stealer has reappeared in a new campaign that takes advantage of the Mastodon social media network to obtain C2 configuration without raising alerts. New campaigns of Vidar Stealer's more recent versions suggest a new venue where Vidar receives dynamic configurations and drop zone information for downloading and uploading files. Vidar Stealer previously used the Thumbler and Faceit gaming platforms to access dynamic configuration from threat actors.

Vidar, first spotted in October 2018, is a descendant of the former Arkei Stealer, which, due to its simplicity, dynamic configuration methods, and continued development, appears to be one of the most popular stealers at the present. Vidar developers refined and centralized the execution vector, making each stealer independent and eliminating the need for extra executables.

All popular browser information such as passwords, cookies, history, and credit card details, cryptocurrency wallets, files according to regex strings provided by the TA, Telegram credentials for Windows versions, file transfer application information (WINSCP, FTP, FileZilla), and mailing application information are among the data that Vidar attempts to steal from infected machines. 

Vidar's victimology is made up of private individuals, streamers, and social influencers from all over the world. Manufacturing enterprises and financial institutions are targeted in some situations, usually in spam campaigns.

Vidar's usage of Mastodon, a popular open-source social media network, to gain dynamic configuration and C2 connectivity is what makes this campaign unique. The threat actors create Mastodon accounts and then put the IP of the stealer's C2 to their profile's description section. 

The goal is to secure communications from the compromised machine to the configuration source, and because Mastodon is a trusted platform, security tools shouldn't red flag it. At the same time, Mastodon is a relatively unmoderated space, making it unlikely that these malicious profiles will be discovered, reported, and removed. According to Cyberint researchers that uncovered this campaign, each C2 they saw included between 500 and 1,500 separate campaign IDs, indicating Vidar's widespread deployment. 

In preparation for data exfiltration, Vidar Stealer stores all acquired data in a working directory with a random 25-character name, including credentials from a variety of chat, email, FTP, and web-browsing applications, as well as cryptocurrency wallets, a desktop screenshot, and details of the system configuration.
Read more »
Hacking News
Cyber Security Incidents Group-IB Hacking News

Group-IB specialists confirmed the fact of hacking The Bell portal

On October 8, experts from the cybersecurity company Group-IB reported that the criminals on September 2 really hacked The Bell website and sent a newsletter on behalf of the publication.

The Group-IB Computer Forensics and Malware Research Laboratory found out that on the evening of August 29, hackers began sending requests in an attempt to exploit a vulnerability that allows remote code execution. The next day, the program for checking for a number of web application vulnerabilities Burp Suite started to scan the website.

On August 30, the attackers gained access to the administrative panel of the publication's website. This allowed hackers to send a fake newsletter on September 2.

On the morning of September 2, the editorial board of The Bell reported the hacking of the email account, before that subscribers received a newsletter calling for a boycott of the elections to the Duma of Russia and to go on pickets on election day. The text of the letter and the design were stylized for the daily newsletter of the publication. 

The general director of the publication Elizaveta Ossetinskaya called the newsletter a provocation, “the purpose of which is to accuse us of political activity, which we have not engaged in, are not engaged in and were not going to engage in.”

In addition, earlier, it was reported that unknown people tried to hack the phone of The Bell journalist Irina Pankratova. They ordered the details of her calls and SMS messages using a fake notarial power of attorney in the office of MegaFon.

It is worth noting that Group-IB cooperates with Interpol, Europol and the OSCE. The organization provides assistance to Russian special services and law enforcement agencies in operations against hacker groups.

Earlier, CySecurity News reported that on September 29, the head of Group-IB Ilya Sachkov was arrested for two months. The Investigative Committee charged him with high treason.

Read more »
User Security
Cyber Attacks Private Details Ransomware attack User Privacy User Security

Four Months Later, Cox Media Group Acknowledges Ransomware Attack

 

Cox Media Group (CMG), which owns 57 TV and radio stations across 20 American markets, has formally announced that it was hit by a ransomware attack that crippled live TV and radio broadcast streams in June 2021.

The firm confirmed the assault in data breach notification letters sent last week via U.S. Mail to over 800 affected individuals whose private details were exposed in the attack. The media firm first informed potentially impacted individuals of the incident via email on July 30. 

"On June 3, 2021, CMG experienced a ransomware incident in which a small percentage of servers in its network were encrypted by a malicious threat actor. CMG discovered the incident on the same day, when CMG observed that certain files were encrypted and inaccessible,” the broadcasting firm stated.

Private information leaked, but not stolen

Cox Media Group instantly took down programs offline after the attack was discovered and reported the incident to the FBI after launching an investigation with the help of exterior cybersecurity specialists. 

The media company discovered proof that threat actors exfiltrated private details stored on the breached systems. While they also tried to exfiltrate this data outside of CMG's network, there is no evidence that they were successful in their attempt. Additionally, there was no evidence of identity theft, fraud, or financial losses impacting potentially affected individuals.

According to the breach notification letter, private details leaked during the assault include names, addresses, Social Security numbers, financial account numbers, health insurance information, health insurance policy numbers, medical condition information, medical diagnosis information, and online user credentials, stored for human resource management purposes.

"CMG did not pay a ransom or provide any funds to the threat actor as a result of this incident. There has been no observed malicious activity in CMG's environment since June 3, 2021," CMG added.

The corporate has additionally taken a number of steps to enhance its programs’ safety. "These steps include multi-factor authentication protocols, performing an enterprise-wide password reset, deploying additional endpoint detection software, reimaging all end-user devices, and rebuilding clean networks," CMG explained. 

CMG is a broadcasting, publishing, and digital media services company created by the amalgamation of Cox Newspapers, Cox Radio, and Cox Television in 2008. Its operations embrace 33 tv stations (including main associates of ABC, CBS, FOX, NBC, and MyNetworkTV), 65 radio stations, as well as more than 100 news outlets.
Read more »
Threat Detection
Authentication Keys Cyber Security email security Google Journalists Russian APT Security Keys Threat Detection

Google: Russian APT Targeting Journalists and Politicians

 

On October 7, 14,000 Google customers were informed that they were potential targets of Russian government-backed threat actors. The next day, the internet giant released cybersecurity upgrades, focusing on high-profile users' email accounts, such as politicians and journalists. 

APT28, also known as Fancy Bear, a Russian-linked threat organisation, has allegedly increased its efforts to target high-profile people. According to MITRE ATT&CK, APT28 has been operating on behalf of Russia's General Staff Main Intelligence Directorate 85th Main Special Service Center military unit 26165 since at least 2004. 

This particular operation, discovered in September, prompted a Government-Backed Attack alert to Google users this week, according to Shane Huntley, head of Google's Threat Analysis Group, or TAG, which handles state-sponsored attacks. 

Huntley verified that Gmail stopped and categorised the Fancy Bear phishing operation as spam. Google has advised targeted users to sign up for its Advanced Protection Program for all accounts. 

Erich Kron, a former security manager for the U.S. Army’s 2nd Regional Cyber Center, told ISMG: "Nation-state-backed APTs are nothing new and will continue to be a significant menace … as cyber warfare is simply a part of modern geopolitics."

Huntley said on Thursday in his Twitter thread, "TAG sent an above-average batch of government-backed security warnings. … Firstly these warnings indicate targeting NOT compromise. … The increased numbers this month come from a small number of widely targeted campaigns which were blocked." 

"The warning really mostly tells people you are a potential target for the next attack so, now may be a good time to take some security actions. … If you are an activist/journalist/government official or work in NatSec, this warning honestly shouldn't be a surprise. At some point some govt. backed entity probably will try to send you something."

Google's Security Keys 

Following the news of Fancy Bear's supposed targeting of high-profile individuals, Google stated in a blog post that cybersecurity functionalities in its APP programme will safeguard against certain attacks and that it was collaborating with organisations to distribute 10,000 free security keys to higher-profile individuals. The keys are two-factor authentication devices tapped by users during suspicious logins. 

According to Grace Hoyt, Google's partnerships manager, and Nafis Zebarjadi, its product manager for account security, Google's APP programme is updated to adapt to evolving threats - it is accessible to users, but is suggested for elected officials, political campaigns, activists, and journalists. It protects from phishing, malware, harmful downloads, and unwanted access. 

Alvarado, currently the threat intelligence team lead at the security firm Digital Shadows stated, "Although Google's actions are certainly a step in the right direction … the old saying, 'Where there is a will, there is a way,' still applies. … These [security] keys will undoubtedly make an attacker's job more difficult, but there are plenty of other options and vulnerabilities for [threat actors] to achieve their goals. 

KnowBe4's Kron alerted, "These security keys, while useful in their own limited scope, do not stop phishing emails from being successful. They only help when an attacker already has access to, or a way to bypass, the username and password for the email account being targeted." 

Global Partnerships 

Google stated it has partnered with the International Foundation for Electoral Systems, the UN Women Generation Equality Action Coalition for Technology and Innovation; and the nonprofit, nonpartisan organisation Defending Digital Campaigns in its initiatives to distribute 10,000 security keys. Google claims that as part of its partnership with the IFES, it has sent free security keys to journalists in the Middle East and female activists throughout Asia. 

Google stated it is giving security training through UN Women for UN chapters and groups that assist women in media, politics, and activism, as well as those in the C-suite. 

2FA Auto-Enrollment 

In a blog post on October 5, Google's group product manager for Chrome, AbdelKarim Mardini, and Guemmy Kim, Google's director of account security and safety, wrote that by the end of 2021, Google also aims to auto-enrol 150 million additional users in two-factor authentication - and require 2 million YouTubers to do the same. 

"We know that having a second form of authentication dramatically decreases an attacker's chance of gaining access to an account," Mardini and Kim wrote. 

"Two-step verification [is] one of the most reliable ways to prevent unauthorized access," Google said in May that it will soon begin automatically enrolling customers in 2-Step Verification if their accounts were configured correctly. 

This week, Google announced that it is auto-enrolling Google accounts with "proper backup mechanisms in place" to move to 2SV.
Read more »
Vulnerabilities
BrewDog Exploits Mobile Application Hacking Mobile Security Vulnerabilities

Data of 200,000 Shareholders Exposed due to a Vulnerability in the BrewDog App

 

BrewDog allegedly leaked the personal identifying information (PII) of around 200,000 shareholders for the better part of 18 months, according to experts. BrewDog "declined to inform their shareholders and asked not to be named" in the investigation that revealed the system vulnerabilities, according to PenTestPartners. 

The Scottish brewery incorporated a hard-coded Bearer authentication token associated with API endpoints targeted for BrewDog's mobile applications, according to the cybersecurity company. 

These tokens were delivered, however, this verification step was skipped because it was hardcoded to be activated after a user entered their credentials, providing access to an endpoint. 

Members of PenTestPartners, who also happened to be BrewDog stockholders, added one another's customer IDs to API endpoint URLs. During testing, they discovered that without an appropriate identification issue, they could access the PII of Equity for Punks stockholders. 

Identities, birth dates, email addresses, gender identities, contact information, prior delivery addresses, shareholder numbers, shares owned, referrals, and other information were all available in the leak. The customer IDs, however, were not regarded as "sequential." 

"An attacker could brute force the customer IDs and download the entire database of customers," the researchers said. "Not only could this identify shareholders with the largest holdings along with their home address, but it could also be used to generate a lifetimes supply of discount QR codes!" Hard-coding authentication tokens, according to PenTestPartners, are a failure to fulfill these criteria since some of the PII exposed falls within the GDPR security banner. 

The bug has been there since March 2020, since BrewDog's app version 2.5.5 introduced hard-coded tokens. However, BrewDog's team was unaware of the vulnerability for a long time and failed to protect their token system in later releases.

The problem was eventually resolved in version 2.5.13, which has been released on September 27, 2021. BrewDog, on the other hand, elected not to reveal anything significant in the release's changelog announcement. 

"The vulnerability is fixed," the researcher says. "As far as I know, BrewDog has not alerted their customers and shareholders that their details were left unprotected on the internet. I worked with BrewDog for a month and tested six different versions of their app for free. I'm left a bit disappointed by BrewDog both as a customer, a shareholder, and the way they responded to the security disclosure." 

BrewDog also told that: "BrewDog was notified of a vulnerability and the potential for data to be compromised. Investigations found no evidence that it was. Therefore there is no requirement to inform the ICO. An independent party documented the case as is required by the ICO." 

However, the corporation will also have to notify the UK's data protection officer due to the type of personal information exposed, as PII falls under GDPR, which is still in effect in the country.
Read more »
VMware
Cyber Attacks Linux Systems python Ransomware VMware

Attackers use Python Ransomware to Encrypt VMware ESXi Servers

 

Researchers uncovered a new Python ransomware from an unnamed gang that attacks ESXi servers and virtual machines (VMs) with "sniper-like" speed. Sophos stated on Tuesday that the ransomware is being used to infiltrate and encrypt virtual machines housed on an ESXi hypervisor in operations that take less than three hours from start to finish. 

In a press release accompanying his in-depth report, Andrew Brandt, principal researcher at Sophos, said, “This is one of the fastest ransomware attacks Sophos has ever investigated, and it appeared to precision-target the ESXi platform.” 

The Python coding language is rarely used for ransomware, according to Brandt. But, he continued, its use makes sense because Python comes pre-installed on Linux-based systems like ESXi, allowing Python-based attacks on these systems. 

The assault used a custom Python script that, when run on the target organization's virtual machine hypervisor, put all virtual machines offline. According to Sophos' security analysts, the attackers were swift to deploy the ransomware, the encryption process began about three hours after the initial intrusion. 

The attackers gained initial access using a TeamViewer account that did not have multi-factor authentication enabled and was running in the background on a computer owned by a user with Domain Administrator credentials. According to Sophos, the attackers logged in 30 minutes after midnight in the organization's time zone, then downloaded and used a tool to discover targets on the network, which led them to a VMware ESXi server. 

At roughly 2 a.m., the attackers used the built-in SSH service ESXi Shell to get into the server, which can be enabled on ESXi servers for administration purposes. The attackers logged into the ESXi Shell three hours after the network was first scanned, copied the Python script, and then ran it for each datastore disc volume, encrypting the virtual disc and settings files for virtual machines. 

“The script contains variables that the attacker can configure with multiple encryption keys, email addresses, and where they can customize the file suffix that gets appended to encrypted files,” Brandt wrote.

Sophos investigators discovered several, hardcoded encryption keys as well as a method for creating even more encryption key pairs when traversing through the code. Normally, an attacker would just need to insert the attacker's own 'public key,' which would be used to encrypt files on the targeted computer(s), according to Brandt. However, it appears that each time this ransomware is launched, it generates a new key.
Read more »
Subscribe to: Comments (Atom)