Ukrainian Researcher Released Source Code for Conti Ransomware


Conti, the notorious ransomware gang, has become the target of cyberattacks following its proclamation early last week that it wholeheartedly supports Russia's continuing invasion of neighboring Ukraine. The most recent blow is the public release of its source code.

This comes only days after an archive comprising well over a year's worth of instant conversations between members of Conti, believed to be based in Russia, was leaked: some 400 files and tens of thousands of lines of Russian-language internal chat logs. The internal communication files contain messages from January 2021 to February 27 of this year.

The analysis cited a cybersecurity bulletin issued jointly by the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI over the weekend, which warned that Russia's attack on Ukraine, which also included cyberattacks on the Ukrainian government and key infrastructure organizations, could spill over Ukraine's borders, especially in the wake of US and allied sanctions.

Throughout the night, ContiLeaks published more information, including the source code for the gang's administration panel, the BazarBackdoor API, storage server screenshots, and more. One component of the release that drew particular interest was a password-protected archive containing the source code for the Conti ransomware encryptor, decryptor, and constructor. While the leaker did not reveal the password publicly, another researcher cracked it soon after, giving everyone access to the source code of the Conti ransomware files.

If you are a reverse engineer, the code may not tell you much you did not already know. For those who can program in C but cannot reverse engineer, however, the source code contains a wealth of information about how the malware operates. While this is beneficial for security research, having the code publicly available has its pitfalls: threat actors quickly co-opt such code to establish their own operations, as we observed when the HiddenTear (released for "educational purposes") and Babuk malware source code was leaked.

In May, the FBI issued a five-page warning (PDF) to American firms about Conti ransomware attacks on healthcare and first-responder networks, citing at least 16 such attacks by Conti in the previous year and ransom demands as high as $25 million.

"As a result of Russia's invasion, cybercrime organizations such as Conti have taken sides, with the assumption that many of these organizations are linked to Russia and perhaps to Russian intelligence", Brett Callow, a vulnerability analyst at Emsisoft, a cybersecurity firm based in New Zealand, stated.

Cyber Attack on Bridgestone Leads to Plant Closures Across North America & Latin America


After sending workers home for several days, Bridgestone-Firestone tyre plants across North America and Latin America are still struggling to recover from a cyberattack.

Despite numerous requests for comment, the corporation has remained silent. However, the factory's union, USW 1155L, used Facebook to inform employees that the company was still dealing with the cyberattack and that nobody needed to come in.

The union wrote on Monday, "Warren hourly teammates who are scheduled to work day shift, March 1st, will not be required to report to work (no-hit, no pay, or you have the option to take a vacation)". 

The outages were first reported on Sunday, when the union posted on Facebook that Bridgestone Americas was investigating a potential information security incident. The notice appeared to come directly from the company rather than from the union.

The company explained, "Since learning of the potential incident in the early morning hours of February 27, we have launched a comprehensive investigation to quickly gather facts while working to ensure the security of our IT systems. Out of an abundance of caution, we disconnected many of our manufacturing and retreading facilities in Latin America and North America from our network to contain and prevent any potential impact, including those at Warren TBR Plant. First shift operations were shut down, so those employees were sent home." 

"Until we learn more from this investigation, we cannot determine with certainty the scope or nature of any potential incident, but we will continue to work diligently to address any potential issues that may affect our operations, our data, our teammates, and our customers." 

The firm reiterated on Tuesday evening that hourly staff scheduled to work on Wednesday will not be required to report to work. Bridgestone Americas employs nearly 50,000 people in dozens of locations across North America, Central America, and the Caribbean. Outages affecting factories in Iowa, Illinois, North Carolina, South Carolina, Tennessee, and Canada were reported by local news outlets across the United States.

Europol Dismantles Criminal Network Distributing Forged EU Travel Documents on Dark Web


The Spanish National Police and the French Border Police, in a joint operation coordinated by Europol, have busted an organized cybercrime gang involved in the procurement and distribution of forged travel and ID documents for migrant smugglers. 

During the raids, in which three house searches were carried out and a total of 17 people were arrested, police seized computers, smartphones, storage devices, counterfeit and genuine ID documents and photocopies of ID documents, labor certificates, administrative documents, payment cards, and cash. 

According to a press release published by the European Union's law enforcement agency, the organized crime network distributed forged ID and travel documents in France, Germany, Italy, and Spain.

“The documents were used by other criminals involved in the smuggling of migrants to the US, the UK and Ireland and other criminal activities (such as property crimes, trafficking in human beings, drug trafficking). The criminal network was directly involved in migrant smuggling activities and logistical arrangements in return for payments starting at €8000 ($9000) per person,” the Europol statement reads.

The members of the criminal gang, mainly originating from Eastern European countries, apparently also operated in Georgia and Lithuania. According to Europol, the criminals mainly used dark web channels to distribute forged documents, including residence permits, vehicle registration documents, driver’s licenses, and travel documents, focusing on French, Romanian, Georgian, Lithuanian, and Polish IDs.

Additionally, the suspects used instant messaging apps and postal services to send the documents to their intended recipients. Messaging apps, presumably encrypted ones, were used by the group to collaborate and exchange images of documents, vehicles, and money transfer slips. Europol analysts said they linked some of this information to other ongoing investigations. 

Last year saw a gradual shift in the methods migrant smugglers use in the trafficking of human beings. Digital technology is playing a major role in their operations, and they have expanded their use of social media platforms and mobile applications to offer their illegal services.

Human traffickers have exploited the anonymity of the internet environment to target vulnerable individuals and then exploit them via both escort websites and even dating platforms. To counter this new threat, Europol signed a working agreement with the UK’s National Crime Agency (NCA) designed to formalize cooperation on this and other serious and organized crimes.

Moscow Exchange Downed by Cyber-Attack


On Monday morning, the website of the Moscow Stock Exchange went down and became inaccessible. Ukraine's crowdsourced community of volunteer hackers, coordinated by Kyiv officials, claimed responsibility for the outage in a message posted to Telegram.

Early on Monday, Kyiv officials had called on IT Army members to launch attacks on the website. Following the attack, the IT Army claimed on Telegram that it took only five minutes to knock the site down. As of now, its claims could not be verified.

NetBlocks, a global internet connectivity tracking company, reported that the site went offline early on Monday. The root cause of the incident is still unknown. Mykhailo Fedorov, Ukraine’s deputy prime minister, made a formal public statement on the incident and celebrated the formation of the IT Army on Facebook. “The mission has been accomplished! Thank you!” the statement read.

Last week, Mykhailo Fedorov had announced the formation of the IT Army and listed prominent Russian websites that the state-sponsored hackers could look to attack.

By mid-afternoon on Monday, the website of Sberbank, Russia’s largest lender, had also gone offline. The outage was reported by NetBlocks and celebrated by Fedorov, who declared “Sberbank fell!” on social media.

Further, Bloomberg reports that depositary receipts for Sberbank of Russia PJSC sank as much as 77%, while Gazprom PJSC dropped by 62%. 

Against the backdrop of Russia's ongoing war in Ukraine, cyber threat intelligence reports have warned that the outcome of this conflict in cyberspace will affect every nation in the coming days, not just Ukraine. The current situation changes the cybersecurity picture, and nations are worried by the latest developments in cyberspace.

Ultimately, critical infrastructure such as power, banking, military infrastructure, and telecom is being targeted by state actors, and the assets of several countries are increasingly at risk. The US and UK have already issued warnings of potential cyber-attacks against the backdrop of the Russian military invasion of Ukraine.

Viasat Blames Service Disruption on a "Cyber Event"


Viasat Inc., an American communications provider, claims its satellite internet services in Ukraine and Europe are being disrupted by a "cyber incident." 

Based in Carlsbad, California, Viasat offers high-speed satellite broadband access and secure networking systems to military and commercial customers throughout the United States and around the world. The affected service runs on the Ka-SAT satellite, which Viasat purchased from the satellite's former owner, Eutelsat, in April 2021.

"While we attempt to restore service to affected consumers, we're also looking into and evaluating our European network and systems to figure out what's causing the problem. We're also putting further network safeguards in place to avoid any further consequences," the company stated.

According to the firm, the interruption began on February 24, the day Russia invaded Ukraine. It has contacted "law enforcement and government partners," adding that it had "no indication" that consumer data was affected. In a statement to PaxEx.Aero, another ISP, Germany-based EUSANET, said it was suffering problems as well.

An insider told British news channel Sky News that the interruptions were triggered by a distributed denial of service (DDoS) attack. The number of Viasat users in Ukraine is unknown, and the firm has declined to specify how many are affected. Viasat's stock was nonetheless up 3.5 percent in lunchtime trading on Monday, at around $45.

To maximize service area, Viasat operates huge satellites in geosynchronous orbit, which means they appear stationary from the ground at an altitude of roughly 35,000 kilometers.

This is the conventional method of providing broadband access from space, but a number of businesses, including SpaceX's Starlink, are investing in constructing networks in low-Earth orbit which use hundreds or thousands of satellites.

The Russian Hacker Group Killnet Took Down the Anonymous Website


The Russian hacker group Killnet said that they took down the Anonymous website "anonymoushackers[.]net" and called on Russians not to believe the Internet fakes and to stay calm. Killnet's appeal was published on one of its Telegram channels on Tuesday, March 1. 

According to the hacker group, "the Internet is full of fake information about hacking Russian banks, attacks on the servers of Russian media and much more. All this has no danger to people. This "information bomb" carries only text. And no more harm. Don't give in to fake information on the Internet. Do not doubt your country". 

The hackers blamed the events in Ukraine on the country's president, Vladimir Zelensky, as well as on American leader Joe Biden. The leaders of the EU countries, according to the appeal, are following the lead of the United States.

According to independent verification done by CySecurity News, there is no official website for the Anonymous group.

The Russian hackers said that they had already disabled the website of the Anonymous group, along with the website of the Right Sector, which is banned in the Russian Federation. The Anonymous hacker group has declared a cyberwar on Russia and claimed responsibility for attacks such as the one on the RT website.

On February 28, the websites of Izvestia, TASS, Kommersant, Forbes, Fontanka, Mela, E1, Buro 24/7, RBC, Znak.Com and other Russian media were hacked. On the same day, massive DDoS attacks were launched against websites of the Crimean government and authorities. Hackers used a botnet with IP addresses mostly located in North and South America, Taiwan, and a number of other countries. 

On February 26, the Ministry of Information reported that users of the public services portal may face difficulties when working with the services of the site due to cyberattacks. At the same time, the department clarified that the personal data and information of citizens are reliably protected. On the same day, the administration of the President of the Russian Federation reported regular cyberattacks on the Kremlin's website. Moreover, Russian Railways reported that the company's website is subject to regular serious DDoS attacks. 

Earlier, information security expert Nenakhov described the danger Anonymous hackers pose to Russia. According to him, DDoS attacks are the simplest thing that can happen. Government websites, government online services such as Gosuslugi, email and social media accounts of politicians, and the websites and IT infrastructure of state banks and defense companies are relatively more vulnerable to attacks.

Cyberattack on NATO Can Trigger Collective Defense Issue


A cyberattack on a NATO member state can trigger Article 5, the collective defense clause, a NATO official said on Monday, amid concerns that disruption in cyberspace related to Russia's invasion of Ukraine could spread to other countries. The military alliance has made clear from the beginning that a cyberattack could invoke the clause, though such a scenario is mostly considered hypothetical. Allies also acknowledge that the effect of certain malicious cyber activity could in some situations be considered an armed attack.

"These are things that have been in hypothetical discussion for a decade, but because we've not come to any universal conclusion on what those standards should be, what level of attribution is needed, we're kind of in a very grey area," said U.S. Senate Intelligence Committee Chairman Mark Warner. Officials would not say how serious a cyberattack would have to be to trigger a collective response. Possible responses include economic and diplomatic sanctions, conventional forces, and cyber measures.

It all depends on the seriousness of the attack. Whether a cyberattack meets the threshold of an attack large enough to trigger Article 5 is decided by the NATO allies. The US and Britain have warned of possible cyberattacks on Ukraine that could have global consequences. For instance, a harmful virus designed to attack Ukrainian networks later spread to other areas.

Another concern among cybersecurity experts is that Russia could work together with ransomware gangs, as in the infamous Colonial Pipeline incident in the US last year. According to Reuters, Warner "posed the hypothetical case of a Russian cyberattack on Ukraine that impacts NATO member Poland, triggering power outages that result in hospital patients dying or knocking out traffic lights, causing fatal road accidents involving U.S. troops deployed there."

Microsoft Accounts Attacked by Russian-Themed Credential Theft


Malicious emails are capitalizing on the Ukrainian conflict by notifying Microsoft users of "unusual sign-in activity" from Russia. While there are valid concerns that the Russian-Ukrainian conflict could ignite a global cyber warfare conflagration, small-time cybercriminals are stepping up their efforts amid the crisis.

According to Malwarebytes, which discovered a slew of spam emails referencing Russian hacking activity, phishing emails to Microsoft users have begun to circulate, warning of Moscow-led account hacking and attempting to steal credentials and other personal information. The messages' subject line reads, "Microsoft account unusual sign-in activity." The text in the body is as follows:

“Unusual sign-in activity
We detected something unusual about a recent sign-in to the Microsoft account
Sign-in details
Country/region: Russia/Moscow
IP address:
Date: Sat, 26 Feb 2022 02:31:23 +0100
Platform: Kali Linux
Browser: Firefox
A user from Russia/Moscow just logged into your account from a new device, If this wasn’t you, please report the user. If this was you, we’ll trust similar activity in the future.
Report the user
Thanks,
The Microsoft account team”

According to Malwarebytes' research published Tuesday, the emails then include a button to "report the user" as well as an unsubscribe option. Clicking the button creates a new email message with the short subject line "Report the user," addressed to a recipient whose email address references Microsoft account protection. Replying by email could expose users to a variety of threats.

The researchers explained, “People sending a reply will almost certainly receive a request for login details, and possibly payment information, most likely via a bogus phishing page. It’s also entirely possible the scammers will keep everything exclusively to communication via email. Either way, people are at risk of losing control of their accounts to the phishers. The best thing to do is not reply, and delete the email.” 

As usual, the spam contains red flags in the form of grammatical problems, such as the misspelling "acount." In other words, it is not a highly sophisticated attempt, but it is clever. Heightened curiosity (or fear) is catnip for social engineers, as it is with any significant world event.

“Given current world events, seeing ‘unusual sign-in activity from Russia’ is going to make most people do a double, and it’s perfect spam bait material for that very reason. [The emails] (deliberately or not) could get people thinking about the current international crisis. Being on your guard will pay dividends over the coming days and weeks, as more of the below is sure to follow,” stated researchers. 

The email targets Microsoft account holders only, and the good news is that Outlook is sending it straight to spam. However, the firm pointed out that, “depending on personal circumstance and/or what’s happening in the world at any given moment, one person’s ‘big deal’ is another one’s ‘oh no, my stuff.’ That’s all it may take for some folks to lose their login, and this mail is perhaps more salient than most for the time being.”
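The red flags the report lists (a Microsoft-branded subject from a non-Microsoft sender, the "acount" misspelling, "Kali Linux" as the sign-in platform, and a "Report the user" button that is really a mailto: link to the scammer) can be checked mechanically at the mail gateway. The following screening function is an added example, not code from Malwarebytes or from the original post; the two sample messages and their domain names are constructed placeholders.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse, parse_qs

# Domain Microsoft genuinely sends account-security mail from (assumption:
# a real deployment would load this allow-list from configuration).
MICROSOFT_DOMAINS = ("microsoft.com",)

# Wording lifted from the lure as reported by Malwarebytes.
LURE_SUBJECT = "microsoft account unusual sign-in activity"
KNOWN_MISSPELLINGS = ("acount",)
MAILTO_RE = re.compile(r"mailto:[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample messages (not copies of the real spam).
PHISH_SAMPLE = """\
From: Microsoft account team <account-protection@mail-placeholder.invalid>
To: victim@example.com
Subject: Microsoft account unusual sign-in activity
Content-Type: text/html

<p>We detected something unusual about a recent sign-in to the Microsoft acount</p>
<p>Country/region: Russia/Moscow<br>Platform: Kali Linux<br>Browser: Firefox</p>
<a href="mailto:msaccountprotection@reply-placeholder.invalid?subject=Report%20the%20user">Report the user</a>
"""

LEGIT_SAMPLE = """\
From: Microsoft account team <account-security-noreply@accountprotection.microsoft.com>
To: user@example.com
Subject: Microsoft account unusual sign-in activity
Content-Type: text/plain

We detected something unusual about a recent sign-in to your Microsoft account.
Review recent activity in your account security settings.
"""


def _is_microsoft(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in MICROSOFT_DOMAINS)


def _sender_domain(msg: Message) -> str:
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def _body_text(msg: Message) -> str:
    parts = [p for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html")]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace") for p in parts)


def screen_signin_notice(raw: str) -> list[str]:
    """Return the red flags found in one raw RFC 822 message (empty list = none)."""
    msg = message_from_string(raw)
    domain = _sender_domain(msg)
    subject = msg.get("Subject", "").strip().lower()
    body = _body_text(msg)
    low = body.lower()
    flags: list[str] = []

    if subject == LURE_SUBJECT and not _is_microsoft(domain):
        flags.append(f"Microsoft-branded subject sent from non-Microsoft domain {domain!r}")
    for word in KNOWN_MISSPELLINGS:
        if word in low:
            flags.append(f"misspelling {word!r} in body")
    if "kali linux" in low:
        flags.append("notice lists 'Kali Linux' as the sign-in platform")
    # A genuine notice never asks for a reply by e-mail; the lure's button is a
    # mailto: link whose target address merely mentions Microsoft account protection.
    for link in MAILTO_RE.findall(body):
        parsed = urlparse(link)
        address = parsed.path
        if not _is_microsoft(address.split("@")[-1].lower()):
            subj = parse_qs(parsed.query).get("subject", [""])[0]
            flags.append(f"reply button is a mailto: to {address} with subject {subj!r}")
    return flags


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, screen_signin_notice(sample))
```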

Iranian Hackers Employ Telegram Malware to Target Middle East Government Organization


An Iran-linked hacking group, UNC3313, has been discovered deploying two new targeted malware families, tracked as GRAMDOOR and STARWHALE. These backdoors were employed as part of an attack against an unnamed Middle East government entity in November 2021.

According to cybersecurity firm Mandiant, the UNC3313 hacking group is associated with the MuddyWater state-sponsored group. "UNC3313 conducts surveillance and collects strategic information to support Iranian interests and decision-making," researchers stated. "Targeting patterns and related lures demonstrate a strong focus on targets with a geopolitical nexus." 

In January, U.S. intelligence agencies publicly categorized MuddyWater as a subordinate element of the Iranian Ministry of Intelligence and Security (MOIS) that has been active since at least 2018. UNC3313 initially gained access via spear-phishing messages, followed by the use of publicly available offensive security tools and remote access software for lateral movement and for maintaining access to the environment.
 
The phishing emails tricked multiple victims into clicking a URL to download a RAR archive hosted on OneHub, which paved the way for installing ScreenConnect, a legitimate remote access program, to gain a foothold.

"UNC3313 moved rapidly to establish remote access by using ScreenConnect to infiltrate systems within an hour of initial compromise," the researchers explained, adding the security incident was quickly contained and remediated. 
 
In the successive phases, threat actors escalated privileges, carried out internal reconnaissance, and attempted to download additional tools and payloads on remote systems by running obfuscated PowerShell commands. 
 
Researchers at Mandiant also spotted a previously undocumented backdoor called STARWHALE, a Windows Script File (.WSF) that executes commands received over HTTP from a hardcoded command-and-control (C2) server.
 
The second implant unearthed by the researchers was GRAMDOOR, notable for using the Telegram Bot API for network communication with the attacker-controlled server in order to evade detection, once again underlining the use of legitimate communication platforms to facilitate data exfiltration.
 
Mandiant's findings correlate with the latest joint advisory published by cybersecurity firms from the U.K. and the U.S., accusing the MuddyWater group of espionage campaigns aimed at the defense, local government, oil and natural gas, and telecommunications industries worldwide.

State Bar of California's Confidential Details Leaked by a Website


The State Bar of California is investigating a data breach after learning that a website was publishing sensitive information about 260,000 attorney discipline cases from California and other jurisdictions. State Bar officials learned of the posted records on Feb 24, on Saturday night. The sensitive details posted on the site judyrecords.com, which included case numbers, information about the cases and their statuses, respondents, filing dates, and witness names, have since been removed.

State Bar executive Leah Wilson said in a statement that the bar apologizes for the site's unauthorized display of personal data. The bar takes its responsibility for protecting confidential data seriously, and it is currently doing everything it can to resolve the issue quickly and protect respondents from further harm.

According to reports, full case records were not leaked, and officials say they do not yet know whether the published information was the result of a hacking attack. Judyrecords.com is a site that covers court case records nationwide.

The State Bar website lets the public search for case details, but the attorney discipline case details published by judyrecords.com are not meant for public access. The information was stored in the State Bar's Odyssey case management system, which is provided by the vendor Tyler Technologies.

Under the California Business and Professions Code, disciplinary investigations are confidential until formal charges are filed. In response to the data breach, the State Bar notified law enforcement and asked forensic experts to investigate the issue. Tyler Technologies is assisting in the inquiry.

The State Bar has also asked the website's hosting provider to take down the published information. The Judyrecords website says, "Judyrecords is a 100% free nationwide search engine that lets you instantly search hundreds of millions of United States court cases and lawsuits. Judy records have over 100x more cases than Google Scholar and 10x more cases than PACER, the official case management system of the United States federal judiciary. As of Dec 2021, Judy records now features the free full-text search of all United States patents from 1/1/1976 to 11/10/2021 — over 7.9 million patents in total."

Swedish Camera Giant Axis Still Recovering From Cyberattack


Camera maker Axis has told the public that it is still recovering from a cyberattack that severely disrupted its IT systems on February 20th.

In a statement on its official website, the Swedish camera giant said it was alerted by its cybersecurity and intrusion detection systems on Sunday, after which it shut down all of its public-facing services globally in response to the cyberattack.

Following the incident, the organization reported that its ongoing investigation has so far found no indication that customer or partner data was affected.

"Our ongoing investigation of the attack has come a long way but is not entirely finalized. So far, we have no indication that any customer and partner data whatsoever has been affected. As far as the investigation currently shows, we were able to stop the attack before it was completed, limiting the potential damage," Axis said on Thursday. 

Furthermore, the company added that its most important external services have been restored, and that it is working towards restoring the remaining services.

“Most prioritized external services have now been restored. Restoring the remaining services is our highest priority, together with doing it in a way that does not jeopardize security. The time of disconnected services and limited possibilities to communicate with Axis has been an unfortunate but necessary consequence. Our gradual entry into a post-attack normal is based on changes that help us avoid similar future situations,” the company added. 

The company announced the outages on its Twitter account but did not respond to requests for further comment. On its status page on Friday afternoon, the company said its Case Insight tool in the US and the Camera Station License System were experiencing partial outages.