
Banco Pichincha: Ecuador's Largest Bank Hit by a Cyber Attack


Banco Pichincha, Ecuador's largest private bank by capitalization and number of depositors, has been struck by a cyberattack that has crippled its operations and left its ATMs and online banking website unavailable to customers.

The intrusion happened over the weekend, and the bank had to lock down parts of its network to prevent the attack from spreading to other systems. The bank's systems have been taken down, causing considerable inconvenience, with ATMs no longer functioning and service notifications appearing on internet banking websites. 

The bank has 1.8 million customers, $4.5 billion in assets, and $4 billion in deposits, along with over 200 offices. Banco Pichincha has subsidiaries in Peru (Banco Financiero Perú), Colombia (Banco Pichincha) and Panama (Banco Pichincha Panamá). It also has a representative office in Miami and eight offices in Spain, two each in Madrid, Barcelona, Murcia, and Comunidad Valenciana.

Employees were informed, in an internal notification addressed to the bank's departments, that bank applications, email, digital channels, and self-service would be unavailable due to a technological issue. According to the memo, self-service customers should be directed to bank teller windows for assistance during the downtime.

Banco Pichincha published a statement on Tuesday afternoon, following two days of silence over its technological troubles, acknowledging that its systems had been disrupted by a cyberattack.

The statement read: "In the last few hours, we have identified a cybersecurity incident in our computer systems that have partially disabled our services. We have taken immediate actions such as isolating the systems potentially affected from the rest of our network and have cybersecurity experts assist in the investigation. 

At the moment, our network of agencies, ATMs for cash withdrawals and payments with debit and credit cards are operational. 

This technological incident did not affect the financial performance of the bank. We reiterate our commitment to safeguard the interests of our clients and restore normal care through our digital channels in the shortest possible time. 

We call for calm to avoid generating congestion and to stay informed through the official channels of Banco Pichincha to avoid the spread of false rumors." - Banco Pichincha. 

Although the bank has not publicly revealed the origin of the attack, insiders in the cybersecurity field say it was a ransomware attack in which the attackers placed a Cobalt Strike beacon on the network.

Cobalt Strike is often used by ransomware gangs and other threat actors to establish persistence and gain access to additional systems on a network.

Elon Musk Backed Floki Turns Rs 1000 Into Rs 34 Lakh


Everyone knows that at the start of this year, Musk was one of the most vocal proponents of Dogecoin; his regular pronouncements and tweets propelled the cryptocurrency to new heights. In June, the Tesla CEO also stated that he would shortly be getting a Shiba Inu dog (the face of Dogecoin) as a pet, and that it would be named 'Floki.'

In September of this year, Musk shared a photo of Floki, which sparked another surge in Dogecoin. This benefited all the linked or inspired coins, such as Baby Doge and Shiba Inu. Floki Inu, however, has been the largest gainer, with significant returns to its investors. Surprisingly, the coin didn't even exist until recently.

The digital token has risen 3,40,150% in just two months, from $0.00000002 on August 8 to $0.00006805 on October 8. In rupee terms, this implies it turned a Rs 1,000 investment into Rs 34 lakh in less than two months. As of Sunday, Floki Inu had a market capitalization of $700 million (Rs 5,250 crore), which was higher than that of listed companies such as Sequent Scientific, Strides Pharma, Inox Leisure, Cochin Shipyard, Sudarshan Chemicals, MTAR Technologies, and others. 

Floki Inu is also the only crypto project officially affiliated with Elon Musk's brother Kimbal Musk's 'Million Gardens Movement,' which aims to empower people to choose, grow, prepare, and consume healthy food. In a contribution drive for this movement last week, Floki Inu raised $1.4 million in just 35 minutes. Floki Inu issued 10,000 Flokitars to the general public on September 18, 2021. 

According to Sharat Chandra, Blockchain & Emerging Tech Evangelist, Floki Inu is riding high on the play-to-earn revolution, which resonates with millions around the world. This explains the coin's unprecedented pricing.

"It’s going to head north in the days and months to come. Team behind Floki is focussed on developing an ecosystem of use cases powered by NFTs, games, decentralized banking and creating new monetization models," Sharat said. 

According to Darshan Bathija, Co-Founder and CEO of Vauld, "the way this meme coin is being regarded has radically changed over the last six months as they have grown more mainstream." If a coin's price movements are driven by a large external influence, it poses a greater concern and investment risk, Darshan added.

New 'SnapMC' Hacker Group Breaches Networks in Under 30 Minutes


Cybersecurity researchers have unearthed a new threat group, known as SnapMC, that gains access to a company's files, steals sensitive data and demands a ransom to keep it from being leaked.

According to NCC Group's Threat Intelligence team, SnapMC has not yet been linked to any known threat actors. The name is derived from the actor's lightning-fast intrusions, typically completed in under 30 minutes, and the exfiltration tool mc.exe it uses.

To perform the attack, SnapMC scans for multiple vulnerabilities in both web servers and virtual private networking solutions. In particular, the threat group utilizes the so-called Blue Mockingbird vulnerability that affects older versions of the Telerik UI for ASP.NET applications. 

Once inside, the group sends extortion emails to victims. Typically, a victim is given 24 hours to respond to the email and another 72 hours to negotiate a ransom payment; the actors include a list of stolen data as evidence that they have gained access to the victim's infrastructure.

To intimidate victims into beginning negotiations, the threat group releases small portions of the data, threatens to leak the files online, and threatens to tell media outlets about the breach or notify the victim's customers about the hack.

“There are multiple reasons for the success of these attacks: First, regulation and public awareness make victims more inclined to have the certainty of containing the incident by paying,” said Christo Butcher, global head for threat intelligence at the NCC Group Research and Intelligence Fusion Team. “Second, the threat actors behind various data breach extortion attacks are gaining more experience with every breach and subsequent extortion negotiation, which allows them to improve their skills in both negotiating as well as understanding the mindset of their victims.”

SnapMC does not deploy ransomware, despite having access to a victim's internal network; the group focuses solely on data exfiltration and the subsequent extortion, the researchers observed while tracking the group.

Earlier this week, the researchers published a technical report detailing the tools and methodologies employed by SnapMC in its intrusions, in the hope that organizations will deploy proper defenses.

NCC Group recommends that organizations keep all their web-facing assets up to date, which will help mitigate the risk. Gaining visibility into vulnerable software and putting effective detection and response capabilities in place can also help in combating these attacks.

‘mitmproxy2’ Removed by PyPI due to Code Execution Issues


A Python package called 'mitmproxy2' has been pulled from the PyPI repository because it was a replica of the official 'mitmproxy' library, but with an "artificially introduced" code execution flaw.

The official Python library 'mitmproxy' is a free and open-source interactive HTTPS proxy that gets over 40,000 weekly downloads.

Mitmproxy is an open-source proxy program that uses a man-in-the-middle (MITM) technique to monitor HTTP and HTTPS connections between any HTTP(S) client (such as a mobile or desktop browser) and a web server.

Maximilian Hils, one of the developers of the 'mitmproxy' Python library, drew attention on October 11 to a fake 'mitmproxy2' package submitted to PyPI. "mitmproxy2" is nearly "the same as regular mitmproxy, but with an artificial RCE vulnerability included."

As Hils told BleepingComputer, his biggest worry was that some software developers would mistake 'mitmproxy2' for a newer version of 'mitmproxy,' resulting in vulnerable code being accidentally included in their products. Hils came across the imitation package by a "happy little accident" while investigating an unrelated PyPI warehouse problem.

"When you run mitmproxy's web interface, we expose an HTTP API for that. If you remove all safeguards from that API, everyone on the same network can execute code on your machine with a single HTTP request," Hils told Bleeping Computer in an email interview. 

It is also unclear whether the person who released the copycat 'mitmproxy2' package did so with malicious intent or simply out of poor coding practice. It would have been much easier to just insert some harmful code that executes immediately upon installation.

The issue, however, is that if someone uploads it to PyPI as 'mitmproxy2' with a version number that suggests it is newer or supersedes the original, users will download it without realizing what has changed.

While investigating 'mitmproxy2,' BleepingComputer noticed that a new package called 'mitmproxy-iframe' had also arrived on the PyPI repository less than a day after 'mitmproxy2' was deleted. 

Since anyone can upload packages to open-source ecosystems, supply-chain threats and attacks such as malware injection, typosquatting, brandjacking, and dependency confusion have increased significantly in recent years.

Such "whack-a-mole" problems will keep repeating unless open-source registries implement real validation.
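A defender-side check in the spirit of this story, added here and not part of the article or the mitmproxy project: it scans a requirements file for names that borrow a trusted package's name (a bare suffix like "2", a "-iframe" extension, or a one- or two-character typo) and flags them for review before they are installed. The allow-list and the requirements text are constructed sample data.

```python
"""Flag look-alike package names in a requirements list (added example, not
from the article or the mitmproxy project). The allow-list and the
requirements text below are constructed sample data."""
import re

# Constructed allow-list: packages the project has already reviewed and trusts.
TRUSTED = {"mitmproxy", "requests", "cryptography", "flask"}

# Constructed requirements file, including the look-alikes named in the article.
REQUIREMENTS = """\
mitmproxy2==7.0.4
requests>=2.25
mitmproxy-iframe
flask==2.0.1
cryptography
"""


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of -, _ and . to one dash."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; package names are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, trusted=TRUSTED, max_distance: int = 2):
    """Return the trusted name this package imitates, or None.

    A name is a look-alike when it is not itself on the allow-list and either
    (a) it starts or ends with a trusted name (mitmproxy2, mitmproxy-iframe), or
    (b) it is within max_distance edits of a trusted name (a typo-squat).
    Rule (a) is deliberately noisy: a legitimate extension such as flask-login
    is flagged until someone reviews it and adds it to TRUSTED.
    """
    n = normalize(name)
    if n in trusted:
        return None
    for t in trusted:
        if n.startswith(t) or n.endswith(t):
            return t
        if edit_distance(n, t) <= max_distance:
            return t
    return None


def scan_requirements(text: str):
    """Return [(requested_name, imitated_trusted_name), ...] for suspicious lines."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # The requirement name ends at the first version, extras or marker character.
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if not m:
            continue
        target = lookalike_of(m.group(0))
        if target:
            findings.append((m.group(0), target))
    return findings


if __name__ == "__main__":
    for requested, imitated in scan_requirements(REQUIREMENTS):
        print(f"suspicious: {requested!r} looks like {imitated!r}; review before installing")
```

The check is name-based only; pinning exact versions and hashes in the requirements file is the complementary control against a look-alike that advertises a "newer" version.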

Olympus Suffers Second Cyberattack in 2021


Olympus, a Japanese tech giant, disclosed that it was hit by a cyberattack that forced it to take down its IT systems in the United States, Canada, and Latin America. 

Olympus, founded in 1919, is a technology leader in the medical sector that develops cutting-edge opto-digital products, life science products, and consumer electronics. On October 12, Olympus announced on its website that it is investigating a potential cybersecurity incident discovered on October 10 and is currently working with the utmost priority to resolve the issue.

The company stated, "Upon detection of suspicious activity, we immediately mobilized a specialized response team including forensics experts, and we are currently working with the highest priority to resolve this issue." 

"As part of the investigation and containment, we have suspended affected systems and have informed the relevant external partners. The current results of our investigation indicate the incident was contained to the Americas with no known impact to other regions." 

The firm did not state whether customer or corporate data was accessed or stolen as a result of the "potential cybersecurity incident," but added that it would share updated information on the attack as soon as it becomes available.

Olympus added, "We are working with appropriate third parties on this situation and will continue to take all necessary measures to serve our customers and business partners in a secure way. Protecting our customers and partners and maintaining their trust in us is our highest priority." 

According to an Olympus spokesman, the firm has found no indication of data loss during its ongoing investigation into the incident.

This incident comes after the ransomware attack on Olympus' EMEA (Europe, Middle East, and Africa) IT infrastructure in early September. Although Olympus did not disclose the identities of the attackers, ransom notes discovered on affected computers showed that BlackMatter ransomware operators orchestrated the attack.

Those ransom notes directed victims to a Tor website previously used by the BlackMatter group to communicate with its victims. Although Olympus did not provide many specifics about the nature of the attack that impacted its Americas IT systems, ransomware groups are notorious for carrying out their operations on weekends and holidays in order to minimize detection.

In an August joint alert, the FBI and CISA stated that they had "observed an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed—in the United States, as recently as the Fourth of July holiday in 2021."

InHand Networks Routers Could Expose Many Organizations to Remote Attacks


Researchers have uncovered several major vulnerabilities in InHand Networks industrial routers that could expose numerous enterprises to remote attacks, and no patches appear to be available. Researchers from industrial cybersecurity firm OTORIO identified the issues in IR615 LTE routers made by industrial IoT solutions supplier InHand Networks over a year ago. The company has offices in China, the United States, and Germany, and its products are sold worldwide. Siemens, GE Healthcare, Coca-Cola, Philips Healthcare, and other large corporations are among InHand's customers, according to the company.

OTORIO researchers detected 13 vulnerabilities in the IR615 router, according to a report issued last week by the US Cybersecurity and Infrastructure Security Agency (CISA). The list contains high-severity improper authorization and cross-site scripting (XSS) vulnerabilities, as well as critical cross-site request forgery (CSRF), remote code execution, command injection, and weak password policy issues. 

Cisco also addressed dozens of vulnerabilities in its IOS software in 2020, including a dozen security vulnerabilities affecting its industrial routers and switches. Cisco released its semi-annual security advisory bundle for IOS and IOS XE software. The warnings included 25 vulnerabilities that were classified as critical or high severity. Hundreds of other advisories for high- and medium-severity problems affecting IOS and other software were also published by the firm. 

Coming back to InHand Networks, CISA warned that threat actors might use the flaws to gain complete control of the devices and intercept communications in order to acquire sensitive data. 

Thousands of internet-exposed InHand routers have been found vulnerable to attack, according to OTORIO; however, exploitation over the internet requires authentication to the router's web management portal. An attacker could use default credentials to log into the device, or brute-force attacks to obtain login credentials. The router's weak password policy and a vulnerability that can be used to enumerate all valid user accounts make brute-force attacks easier.

“The attacker may abuse the Remote Code Execution vulnerability to get a first foothold on the device via running CLI commands; implant a first backdoor on the device as a persistence stage; and start scanning the internal organization network in order to elevate the attacker privileges and move on to sensitive assets on the network,” explained Hay Mizrachi, a penetration tester at OTORIO.

“The final objective is to achieve Domain Admin privileges on the organization. Of course, if there are additional sensitive networks such as OT networks, the attacker can try to get a foothold and disrupt the day-to-day functioning of the product line floor to cause additional damage and financial costs.”

The US did not invite Russia and China to an online conference on combating cybercrime

The US National Security Council organized virtual meetings this week to discuss countering ransomware operators. In total, 30 countries were invited to the conference, including Ukraine, Mexico, Israel, Germany, and the UK; however, Russia and China were not invited.

The cyber threat posed by ransomware is increasingly worrying people at the highest level. Ransom payments already exceeded $400 million in 2020 and reached $81 million in the first quarter of 2021.

US President Joe Biden announced in early October that representatives from more than 30 countries will work together to fight back against cybercriminals distributing ransomware. This initiative was the result of very dangerous and large-scale attacks by ransomware operators that recently hit Colonial Pipeline and Kaseya.

It is interesting to note that recently Russian Deputy Foreign Minister Sergei Ryabkov made it clear that Moscow is interested in discussing the problem of ransomware viruses with Washington, but does not want contacts to be limited only to this topic. “American colleagues are still trying to focus all their work on what interests them,” he complained at the time.

Despite the previously announced cooperation in the field of cybersecurity between Moscow and Washington, no one expected Russian official representatives at the meetings. The organizers of the meetings did not invite China and Russia.

Perhaps the reason lies in a misunderstanding that arose at a certain stage. The United States has repeatedly asked Russia to take measures against ransomware operators located in the country. White House Press Secretary Jen Psaki even promised that Washington itself would deal with these cyber groups if the Kremlin could not.

Kaspersky Lab estimated the losses of Russian business from cyberattacks

After a targeted attack, large businesses lost an average of $695,000, while small and medium businesses lost almost $32,000.

Kaspersky Lab experts have studied the cyberattacks that Russian companies have been subjected to since the beginning of the year. The collected statistics helped identify the most dangerous type of attack for businesses: the greatest damage was caused by targeted attacks.

The experts explained that these are pre-planned attacks, when attackers “purposefully attack a specific company”, having previously conducted reconnaissance and selected tools for the attack. On average, after such an attack, large businesses lost $695,000, while small and medium businesses lost $32,000 this year.

In addition, the damage to Russian business in 2021 was caused by “the illegal use of IT resources by employees.” Kaspersky Lab experts also attributed such cases to cyber incidents. The losses caused by them reached nearly $510 thousand for large companies and $30 thousand for small ones.

Businesses suffered slightly less in cases where employees did not comply with the internal information security policy. In such incidents, according to the study, the damage for a large organization was $465 thousand, and for a small one almost $30 thousand.

DDoS attacks, according to Kaspersky Lab, in turn cost large businesses $463 thousand and owners of small companies more than $28 thousand.

At the end of May, Kaspersky Lab announced that a new wave of attacks differs from attacks using encrypting malware in that the scammers do not use specially created malware, but the standard BitLocker Drive Encryption feature included in the Windows operating system. Several Russian companies have been hit by such ransomware attacks, which blocked access to corporate data and demanded a ransom.

US District Court Shuts Down an International Psychic Mail Fraud Scheme


The US District Court for the Southern District of Florida has shut down an international psychic mail fraud scheme operated by three individuals and two companies. The scammers took in millions of dollars by selling the promise of good fortune to tens of thousands of US residents.

Last week, the United States District Court permanently barred three France residents and two corporate defendants from participating in mass mailing campaigns. The complaint alleges that Robert Lhez, Mireille Dayer, and Julie Poulleau, using Arcana Center, a company in Delaware, and a Swiss corporation named Partners VAD International Sàrl, sent hundreds of thousands of mailers across the United States. 

According to the Department of Justice Office of Public Affairs, the letters were purportedly sent on behalf of companies or individuals offering unwary consumers psychic, clairvoyant, or astrological services. Recipients targeted by the scheme were told that they would come into money as soon as they paid an upfront fee.

Furthermore, the Justice Department alleged that the scammers took in millions of dollars from tens of thousands of victims, primarily the elderly. Victims sent the scammers more than 34,000 payments totaling over $1.4 million from March 2017 to June 2018 alone. However, none of the victims who handed over their cash received any of the promised good fortune.

“These solicitations were riddled with false and misleading statements that gave the false impression that in exchange for payment of a small fee, typically of $45 or $50, the individual recipient would come into good fortune resulting in an imminent financial windfall through the lottery, inheritance or other game of chance,” said the Department of Justice Office of Public Affairs in a statement. 

The defendants “have been known to Postal Inspectors for years, constantly changing their fraudulent schemes in the attempt to stay one step ahead of the law,” stated Eric Shen, inspector in charge of the US Postal Inspection Service’s Criminal Investigations Group. 

Juan Antonio Gonzalez, acting US Attorney for the Southern District of Florida, urged US residents to remain vigilant, question promotions that seem too good to be true, and report suspected fraud to law enforcement.

“Beyond financial losses, predatory fraud schemes like this one lead to immense emotional suffering for victims. We urge the public to question promotions that seem too good to be true and immediately report suspected fraud to law enforcement,” Gonzalez advised.

NSA: Risks Linked with Wildcard TLS Certificates and ALPACA Techniques


The National Security Agency has issued a technical alert cautioning organizations about the risks of wildcard TLS certificates and the new ALPACA TLS attack.

The NSA advised companies to follow the technical recommendations in its alert and safeguard servers against scenarios in which attackers could gain access to and decrypt encrypted web traffic.

While several scenarios and techniques could help attackers decrypt TLS-encrypted data, the NSA specifically singled out the use of wildcard TLS certificates, which many researchers have also warned against in the past.

A wildcard certificate is a TLS certificate obtained by a company from a certificate authority that allows the owner to apply it to a domain and all of its subdomains simultaneously (*.example.com). Companies have used wildcard certificates for years because they are less expensive and easier to administer: administrators apply the same certificate to all servers instead of having to manage several certificates.

The NSA stated, “A malicious cyber actor who gains control of the private key associated with a wildcard certificate will provide them the ability to impersonate any of the sites represented, and gain access to valid user credentials and protected information.” 

The agency is now advising administrators of both public and private networks to evaluate the necessity for a wildcard certificate inside their networks and prepare to install individual certificates to isolate and restrict potential breaches. 

About ALPACA attack 

Furthermore, the NSA's alert cautions about the new Application Layer Protocol Content Confusion Attack (ALPACA), which was revealed earlier this summer and is likewise enabled by the use of wildcard certificates.

The problem was not taken seriously when it was revealed in June, because carrying out an ALPACA attack requires threat actors to be able to intercept web traffic, which is challenging in some circumstances.

However, the research team that identified the attack stated that over 119,000 web servers were exposed to ALPACA attacks, a significant number. Four months later, the NSA is encouraging companies to take the matter seriously, determine whether their servers are susceptible, and reduce the risk, particularly if they handle sensitive information or are connected to US government networks.

On October 7, the NSA stated, “NSA recommends NSS, DoD, and DIB administrators ensure their organization’s wildcard certificate usage does not create unmitigated risks, making their web servers vulnerable to ALPACA techniques.”
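To make the NSA's "evaluate the necessity" advice concrete for both points above (the scope of a wildcard certificate and the ALPACA precondition of several protocols sharing one certificate), here is an added inventory check that is not from the NSA alert or the article. It applies RFC 6125 wildcard matching to a constructed host inventory and reports, per certificate, how many hosts a leaked key could impersonate and whether more than one protocol is served under it.

```python
"""Estimate the blast radius of wildcard TLS certificates across a host
inventory (added example; not from the NSA alert or the article). The
inventory and certificate SANs below are constructed sample data."""
from collections import defaultdict

# Constructed inventory: (hostname, protocol served, certificate id actually deployed).
INVENTORY = [
    ("www.example.com",     "https", "cert-wild"),
    ("api.example.com",     "https", "cert-wild"),
    ("mail.example.com",    "smtp",  "cert-wild"),
    ("ftp.example.com",     "ftp",   "cert-wild"),
    ("sso.example.com",     "https", "cert-sso"),   # own cert, but still covered by the wildcard
    ("dev.lab.example.com", "https", "cert-wild"),  # not covered: two labels below example.com
]

# Constructed certificates: id -> subjectAltName DNS entries.
CERTS = {
    "cert-wild": ["*.example.com", "example.com"],
    "cert-sso":  ["sso.example.com"],
}


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: a wildcard covers exactly one leftmost label,
    so *.example.com matches api.example.com but neither example.com nor
    dev.lab.example.com. Comparison is case-insensitive."""
    p, h = pattern.lower(), hostname.lower()
    if not p.startswith("*."):
        return p == h
    suffix = p[1:]  # ".example.com"
    if not h.endswith(suffix):
        return False
    leftmost = h[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def cert_exposure(cert_id: str, inventory=INVENTORY, certs=CERTS):
    """Hosts whose names the certificate is valid for, grouped by protocol.

    The check ignores which certificate a host actually deploys: if the
    wildcard key leaks, an attacker can impersonate every name it covers.
    More than one protocol under one certificate is the precondition for
    ALPACA-style cross-protocol confusion."""
    covered = defaultdict(set)
    for host, proto, _ in inventory:
        if any(name_matches(san, host) for san in certs[cert_id]):
            covered[proto].add(host)
    return {proto: sorted(hosts) for proto, hosts in sorted(covered.items())}


def report(inventory=INVENTORY, certs=CERTS):
    """One finding per certificate: wildcard or not, hosts covered, protocols sharing it."""
    findings = {}
    for cert_id, sans in certs.items():
        exposure = cert_exposure(cert_id, inventory, certs)
        findings[cert_id] = {
            "wildcard": any(s.startswith("*.") for s in sans),
            "hosts_covered": sum(len(h) for h in exposure.values()),
            "protocols": sorted(exposure),
            "cross_protocol": len(exposure) > 1,
        }
    return findings


if __name__ == "__main__":
    for cert_id, finding in report().items():
        print(cert_id, finding)
```

A certificate that comes back with cross_protocol set is the case where the alert's suggestion of individual certificates per service removes the shared-name condition ALPACA relies on.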

Pacific City Bank hit by a Ransomware Attack


Pacific City Bank (PCB) is sending notices to inform its customers about a security incident discovered on August 30, 2021, which it says was quickly contained.

Pacific City Bank (PCB), one of America's leading Korean-American community financial service providers, has revealed a ransomware attack that occurred last month. 

“PCB responded promptly to disable the activity, investigate its source, and monitor PCB’s network. PCB subsequently became aware of claims that it had been the target of a ransomware attack. On September 7, 2021, PCB determined that an external actor had illegally accessed and/or acquired certain data on its network,” the bank said in a statement. 

PCB's internal investigation concluded on September 7, 2021, and found that attackers had stolen customer data from its systems, including loan application forms, tax return documents, W-2 information and payroll records of client firms, full names, addresses, Social Security numbers, and wage and tax details.

According to PCB, not every customer was affected in the same way, because each customer submitted different documents and information that were kept in the compromised systems. Furthermore, it is unknown whether the incident affects the bank's entire clientele or only a small percentage.

The recipients of these notices were encouraged to be wary of unsolicited mail and to monitor their bank statements and credit reports for indications of fraud. In addition, the bank has arranged a one-year free credit monitoring and identity theft protection program through Equifax, with instructions on how to sign up included in the letters.

While the bank did not name the ransomware gang responsible for the September attack, AvosLocker has claimed it and posted an entry on its data leak website. The entry is dated September 4, 2021, so the five-day gap could simply be the "grace" period of the opening negotiation round, during which ransomware operators avoid making public statements.

The data subsequently posted on the extortion portal shows no discrepancies with what PCB has now conceded was breached. AvosLocker is among the newest ransomware operators, having emerged in the wild this summer and solicited affiliates to join its RaaS on numerous underground sites.

The group employs a multi-threaded malware strain that allows attackers to encrypt files quickly, while the attacker deploys the payloads individually. Although AvosLocker uses text and API obfuscation to evade static detection, it is otherwise "naked," meaning it lacks a cryptographic layer.

Established in California, PCB is an American community bank that concentrates on the Korean-American community and provides commercial banking services. It is the third-largest Korean-American bank after Bank of Hope and Hanmi Bank, with branches in eight states.