Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Scam
Cyber Attacks Data Safety Fintech Fraud Payment Scam

Payment Fraud Attack Rate Across Fintech Increased by 70% in 2021

 

The index based on a global network of over 34,000 sites and apps and a poll of over 1,000 consumers, reveals that payment fraud attacks across fintech increased by 70% in 2021, the greatest increase of any category in the network. 

Payment fraud has increased in tandem with a whopping 121 percent year-over-year increase in fintech transaction volumes on Sift's network, making this industry a tempting target for cybercriminals. These escalating attacks, as per this data, were mostly focused on alternative payments such as digital wallets, which witnessed a 200 percent increase in payment fraud, as well as payments service providers (+169 percent) and cryptocurrency exchanges (+140 percent). 

These approaches were targeted towards buy now/pay later (BNPL) providers, which showed a 54 percent increase in fraud attack rates year over year. Sift's Trust and Safety Architects discovered a rising number of fraud schemes on Telegram in late 2021, providing unlimited access to BNPL accounts via fake credit card numbers and compromised email addresses, demonstrating the wide range of methods fraudsters use to target the whole fintech sector.

Along with a 23 percent increase in blocked payment fraud assaults in 2021, Sift noticed a network-wide rise in daily transaction volumes across all industries. Similarly, 49 percent of poll respondents indicated they've been a victim of payment abuse in the last one to three years, with 41 percent of those who have been victims in the last year alone. Financial service websites were regarded as the sites that pose the most risk by 33% of the victims, which could have a detrimental impact on the customer’s trust. 

Jane Lee, Trust and Safety Architect at Sift. stated, “Many brands fail to realize that the damage of payment fraud goes beyond the initial financial impact. The vast majority of consumers report abandoning brands after they experience fraud on a business’s website or app, diminishing customer lifetime value and driving up acquisition costs. Further, potential customers who see unauthorized charges from a particular company on their bank statements will forever associate that brand with fraud. In order to combat these attacks and grow revenue, businesses should look to adopt a Digital Trust & Safety strategy—one that focuses on preventing fraud while streamlining the experience for their customers.”
Read more »
User Privacy
Crypto Firms Data Breach data security User Privacy

HubSpot Hack Results in Data Leak at Prominent Cryptocurrency Firms

 

HubSpot, a marketing and sales platform suffered a data breach over the weekend impacting multiple firms including Circle, BlockFi, Pantera Capital, and NYDIG.

In emails to clients, the companies revealed their operations were not impacted and their treasuries were not at risk. Although user information was leaked to hackers, passwords and other internal information were not stolen. 

The breach was the result of a hacker securing access to an employee account and using it to target our customers in the cryptocurrency industry. Threat actors stole data from 30 HubSpot portals, and the company has notified all affected firms, terminated the account, and reworked its account privileges to ensure something like this doesn’t repeat, HubSpot explained in a blog post. 

Although HubSpot did not publish a full list of impacted firms, some media managed to identify a few names. Decrypt, a crypto news platform revealed that Pantera Capital, an American Crypto venture capital firm, sent out a letter to its customers, which said "Pantera uses Hubspot as a client relationship management platform. The information that may have been accessed includes first and last names, email addresses, mailing addresses, phone numbers, and regulatory classifications." 

“While our investigation is ongoing, we wanted to share these initial findings even as we may learn additional facts through our investigation that cause the details above to change or evolve,” HubSpot concluded. At this time, a timeline of events is unknown as HubSpot has not revealed when its systems were compromised. 

“SaaS and managed service providers are enticing targets for cybercriminals as they know that if they successfully compromise the provider, they will likely gain access to the data or networks of hundreds or thousands of the providers’ downstream customers,” Chris Clements, vice president of solutions architecture at information technology service management firm Cerberus Cyber Sentinel Corp., stated. “It’s a shortcut to mass exploitation that could otherwise take the attacker months or even years to achieve independently.” 

It’s essential that firms understand that the data they share with third-party vendors largely passes out of their control and with little recourse should it be stolen if the third party is compromised, Clements concluded.
Read more »
Ukraine
C&C Conti Ransomware malware RaaS Russian Hacker Ukraine

Ukrainian Security Researcher  Source Code for New Conti Malware Has Been Exposed

 

The source code of a fresh version of the Conti ransomware has been disclosed by a Ukrainian security researcher. This is the latest in a string of leaks sparked by the criminal group's support for Russia. Conti is a ransomware gang based in Russia which uses a ransomware-as-a-service (RaaS) business model. While some ransomware demands are in the millions of dollars, Coveware thinks the average Conti demand is just over $765,000. 

The renowned Conti ransomware organization published a statement soon after Russia launched its incursion of Ukraine, warning this was prepared to strike the key infrastructure of Russia's adversaries in revenge for any assaults on Russia. 

In response, an anonymous user created the "Conti Leaks" Twitter account and began distributing materials supposedly stolen from the cybercrime ring. The first set of disclosures included correspondence sent within the Conti organization in the preceding year. More chat logs, credentials, email addresses, C&C server information, and source code for the Conti ransomware and other malware were included in the second phase. 

After a period of inactivity of more than two weeks, the Twitter account resurfaced over the weekend, releasing what looks to be the source code for a newer version of Conti. Previously, some speculated that the leaker was a Ukrainian security researcher, while others speculated that he was a rogue employee of the Conti group. Messages were leaked and shared. 

The discharge of ransomware source code, particularly for advanced operations such as Conti, can have catastrophic consequences for corporate networks and consumers. This is due to the fact other threat actors frequently exploit the disclosed raw code to create their own ransomware attacks. In the past, a researcher released the source code for ransomware called 'Hidden Tear,' which was soon adopted by several threat actors to begin various operations.
Read more »
National cyber security strategy
Cyber Security Cybersecurity Indian Cyber Security Insider Threat National cyber security strategy

Imperva: Majority of Indian Organisations Don't Have a Strategy for Stopping Insider Threats Despite Growing Risk

 

New research from Forrester (commissioned by Imperva) has found that three-quarters (74%) of APAC organisations do not have an insider risk management strategy or policy. In India, it is 69%. 
 
This approach is at odds with today’s threat landscape where the risk of malicious insiders has never been higher due to the rapid shift to remote work and ‘The Great Resignation’. The research backs this up, with insider threats being the cause of the majority (58%) of incidents that negatively impacted sensitive data in the last 12 months. 
 
Other key findings of the report include: 
 
· The majority of APAC respondents blame lack of budget (41%) and internal expertise (38%) 
 
· The main strategies being used to protect against insider threats are encryption (54%) and periodical manual monitoring/auditing of employee activity (44%) 
 
New research, commissioned by Imperva and conducted by Forrester, found that the majority (58%) of incidents that negatively impacted sensitive data in the last 12 months was caused by insider threats, and yet more than half (59%) of APAC organisations do not prioritise insider threats the way they prioritise external threats. 
 
“This approach is at odds with today’s threat landscape where the risk of malicious insiders has never been higher,” says George Lee, Vice President, Asia Pacific and Japan, Imperva. “The rapid shift to remote working means many employees are now outside the typical security controls that organisations employ, making it harder to detect and prevent insider threats. 
 
“Further, ‘The Great Resignation’ is creating an environment where there is a higher risk of employees stealing data. This data could be stolen intentionally by people looking to help themselves in future employment, or it could be taken inadvertently when an employee leaves the organisation.” 
 
Why are organisations not prioritising insider threats? The majority of APAC respondents blame lack of budget (41%) and internal expertise (38%), but other problems abound. A third (33%) of firms do not perceive insiders as a substantial threat, and 24% say their organisational indifference to insider threats is due to internal blockers such as a lack of executive sponsorship. In fact, three-quarters (74%) of APAC organisations do not have an insider risk management strategy or policy, and 70% do not have a dedicated insider threat team. 
 
Previous analysis by Imperva into the biggest data breaches of the last five years found one quarter (24%) of these were caused by human error (defined as the accidental or malicious use of credentials for fraud, theft, ransom or data loss) or compromised credentials. 
 
APAC firms are prioritising external threats over insider threats, despite the fact that insider events occur more often, says Lee, “Insider threats are hard to detect because internal users have legitimate access to critical systems, making them invisible to traditional security solutions like firewalls and intrusion detection systems. This lack of visibility is a significant risk to the security of an organisation's data. That is why leaders need to focus on the potential threats lurking within their own network.” 
 
The main strategies currently being used by APAC organisations to protect against insider threats and unauthorised usage of credentials are encryption (54%) and periodical manual monitoring/auditing of employee activity (44%). Many are also training employees to ensure they comply with data protection/data loss prevention policies (57%). Despite these efforts, breaches and other data security incidents are still occurring and more than half (55%) of respondents said that end users have devised ways to circumvent their data protection policies. 
 
“If your organisation hasn’t created a focused strategy to adequately address insider risk, this needs to be a priority for 2022. An effective insider threat detection system needs to be diverse, combining several tools to not only monitor insider behaviour, but also filter through the large number of alerts and eliminate false positives. Also, as protection of a companies’ intellectual property begins at the data layer, a comprehensive data protection plan must include a security tool that protects the data layer,” says Lee. 
 
According to Imperva, organisations looking to better protect against insider threats should take the following steps: 
 
● Gain stakeholder buy-in to invest in an insider risk program. Insider risk is a human problem, not a technology issue, and must be treated as such. It is also a risk that cuts across all parts of the business. Therefore it is important to get senior executives from across the company to endorse and support the insider risk program for it to be successful. Start at the top to gain buy-in and sponsorship, then engage with leaders from HR, Legal, IT, and other parts of the organisation. 
 
● Follow Zero Trust principles to address insider risk. Following a Zero Trust approach helps protect data and users while limiting the ability of insiders to use sensitive resources not required by their function. 
 
● Build a dedicated function to address insider risk. Since insider risk is a human problem and very sensitive in nature, it requires dedicated resources. These may be part of the security team or, better yet, a separate dedicated function. Either way, this team needs a specific mandate for insider risk and training to recognize and respond to insider threats. 
 
● Create processes for your insider risk program and follow them. The sensitivity of insider risk and its associated privacy concerns require that strict policies are implemented and followed. Treat every investigation as if it will end up in court and apply policies consistently. 
 
● Implement a comprehensive data security solution. A complete solution goes beyond DLP to include monitoring, advanced analytics, and automated response to prevent unauthorised, accidental, or malicious data access. The technologies you deploy should support the processes you’ve created and the mandate for your insider risk function. Your organisation will see cost savings and a reduction of risk from business impacting security events. 
 
Read more »
User Security
Cyber Scam Malicious Campaign Mobile Security User Privacy User Security

Scammers are Using Novel Technique to Target iPhone and Android Users

 

Cybersecurity researchers have unearthed a new methodology employed by fraudsters to target iPhone and Android users by tricking them into installing malware via dubious apps and use it to swipe thousands of dollars.

According to researchers at cybersecurity firm Sophos, a scam campaign dubbed CryptoRom typically begins with social-engineering attack, in which a scammer befriends a victim through dating apps like Tinder, Bumble, or Facebook Dating.

The scammer then moves their conversation to messaging apps such as WhatsApp and asks the victim to install a cryptocurrency trading application that's designed to mimic popular brands and lock people out of their accounts and freeze their funds. In some cases, victims are forced to pay a “tax” to withdraw their money, which they learn by chatting with an in-app customer service representative who is part of the malicious campaign. 

"This style of cyber-fraud, known as sha zhu pan — literally 'pig butchering plate' — is a well-organized, syndicated scam operation that uses a combination of often romance-centered social engineering and fraudulent financial applications and websites to ensnare victims and steal their savings after gaining their confidence," stated Sophos analyst Jagadeesh Chandraiah. 

The malicious campaign exploits iOS TestFlight and Apple WebClip to deploy fake mobile apps and websites onto victims’ phones without being subject to the rigorous app store approval process. The malicious campaign was initially used in Asia but has hit the U.S. and European victims since October 2021. 

TestFlight is used for testing the beta version of apps before they head to the App Store. It is used for small internal tests, sent out to 100 users by email, and public beta tests distributed to up to 10,000 users. But the scammers exploit the TestFlight feature, which provides a way for users to download bogus apps outside of the App Store, researchers explained. 

Sophos researchers said some victims installed malicious versions of the legitimate BTCBOX Japanese crypto exchange app that were made available through the TestFlight feature. 

The fraudsters also employed iOS WebClips to trick iPhone users, as they were sent malicious URLs via the service. WebClips offers fast access to favorite webpages or links, as Apple highlights, with researchers stating that it can be employed to design fake apps to appear more authentic.
Read more »
Phishing and Spam
Cyber Security Data Theft Fake news Meta Phishing and Spam

According to Arkose Labs, the Bots Target Financial Organizations

 

Children as young as five use internet channels for a variety of activities, so it isn't just adults who are essentially living online. The epidemic hastened the adoption of the internet by children for online lessons, entertainment, and socializing.

In the preface to a company's study paper, 2022 State of Fraud & Account Security Report, Kevin Gosschalk, founder and CEO of Arkose Labs, writes, "A familiar term heard in the last few years is 'data is the new oil." "Data is the precious resource who feeds the digital world, which today permeates so much of our daily lives. Work, socializing, education, and a variety of other activities all take place primarily in the digital realm."

Bloomberg Intelligence estimates the online "metaverse" might be worth $800 billion by 2024, according to the cybersecurity firm. "Fraudsters will have an immensely broader attack surface to target as a result of this." Threat actors can corrupt smart appliances, connected autos, and virtual reality gadgets in addition to PCs and mobile devices." 

According to the Arkose research, fraud assaults on financial institutions are increasing in frequency "as well as sophistication." Internet fraud has increased by 85 percent in recent months, and much more than a fifth of all internet traffic is a cyberattack. Not only fraudsters, but Master Fraudsters - the worst type of fraudster – are coming after gaming, internet streaming, and social media sites with all guns blazing. These are the most prominent and, as a result, the most harmful internet pastimes for youngsters. 

Although children are more comfortable with the internet and can navigate it like a pro, but are not always aware of the dangers which lurk there. They might not be able to spot situations where cybercrooks are attempting to take advantage of human gullibility. 

The Arkose Labs analysis also highlighted an 85 percent increase in login or registration stage attacks year over year. "Once an existing account has been hijacked, attackers can monetize it in a variety of ways," according to Gosschalk, "including stealing bank information, reselling credentials, redeeming collected loyalty points, and more." "Fake new accounts are employed in assaults like stock hoarding, content harvesting, and spam and phishing messaging," says the report.

Indeed, according to the Arkose Labs analysis, the average individual now has over 100 passwords. Abuse of financial information and credentials drove an 85 percent increase in login and registration invasions last year compared to 2020. 

The Arkose Labs analysis indicated such automated services assist in targeting more enterprises: bots utilizing "scraping" assaults helped compromise at least 45 percent of the traffic on travel sites. Meanwhile, phishing, fraud, and the promise of a free trial were used to increase the number of bogus accounts last year compared to 2020. Financial firms and financial institutions have been major targets for attacks.
Read more »
Targets
attackers Bot Traffic Bots Cyber Attacks Targets

Attackers UtilizingDefault Credentials to Target Businesses, Raspberry Pi and Linux Top Targets

 

While automated attacks remain a major security concern to enterprises, findings from a Bulletproof analysis highlight the challenge created by inadequate security hygiene. According to research conducted in 2021, bot traffic currently accounts for 70% of total web activity.

Default credentials are the most popular passwords used by malicious attackers, acting as a 'skeleton key' for criminal access. With attackers increasingly deploying automated attack methods 

Brian Wagner, CTO at Bulletproof stated, “On the list are the default Raspberry Pi credentials (un:pi/pwd:raspberry). There are more than 200,000 machines on the internet running the standard Raspberry Pi OS, making it a reasonable target for bad actors. We also can see what looks like credentials used on Linux machines (un:nproc/pwd:nproc). This highlights a key issue – default credentials are still not being changed.”

“Using default credentials provides one of the easiest entry points for attackers, acting as a ‘skeleton key’ for multiple hacks. Using legitimate credentials can allow attackers to avoid detection and makes investigating and monitoring attacks much harder.” 

According to the findings, attackers are continuously utilising the same typical passwords to gain access to systems. Some are default passwords that haven't been updated since the company started using them. The RockYou database leak from December 2009 is accountable for a quarter of all passwords used by attackers today. This degree of activity suggests that these passwords are still valid. 

During the period of the research, threat actors started almost 240,000 sessions. The top IP address, which came from a German server, started 915 sessions and stayed on the Bulletproof honeypot for a total of five hours. Another attacker spent 15 hours on the honeypot, successfully logging in 29 times with more than 30 different passwords. In sum, 54 per cent of the more than 5,000 distinct IP addresses had intelligence indicating they were bad actor IP addresses.

Wagner continued, “Within milliseconds of a server being put on the internet, it is already being scanned by all manner of entities. Botnets will be targeting it and a host of malicious traffic is then being driven to the server.” 

“Although some of our data shows legitimate research companies scanning the internet, the greatest proportion of traffic we encountered to our honeypot came from threat actors and compromised hosts. These insights, combined with our data, highlight the importance of proactive monitoring to ensure you are aware of the threats to your business on a daily basis, as well as a tried and tested incident response plan.”
Read more »
Vulnerabilities
CVE CVE vulnerability Cyber Attacks Hacking Internet Data SolarWinds Vulnerabilities

SolarWinds Alerted About Attacks Targeting Web Help Desk Instances

 

SolarWinds alerted customers about attacks on Web Help Desk (WHD) instances that were exposed to the Internet and recommended they remove those from publicly accessible infrastructure (likely to prevent the exploitation of a potential security flaw). WHD is a helpdesk ticketing and IT inventory management software for businesses that aim to automate ticketing and IT asset management operations. 

SolarWinds stated, "A SolarWinds customer reported an external attempted attack on their instance of Web Help Desk (WHD) 12.7.5. The customer's endpoint detection and response (EDR) system blocked the attack and alerted the customer to the issue. In an abundance of caution, SolarWinds recommends all Web Help Desk customers whose WHD implementation is externally facing to remove it from your public (internet-facing) infrastructure until we know more." 

Customers who are unable to remove WHD instances from servers that are accessible to the Internet should install EDR software and monitor them for attack attempts. SolarWinds hasn't been able to replicate the scenario, the business is working with the customer to analyse the report. 

A SolarWinds spokesperson told BleepingComputer, "We received a report from one customer about an attempted attack that was not successful. While we are investigating this matter, we have also alerted other customers about this potential issue out of an abundance of caution. At this point, we have no reason to believe other customers were impacted." 

Although SolarWinds did not specify what tools or tactics were utilised in the attack, there are at least four security flaws that an attacker may use to target t an unpatched WHD instance: 
• Access Restriction Bypass Via Referrer Spoof - Business Logic Bypass Vulnerability (CVE-2021-32076) - Fixed in WHD 12.7.6 
• Enabled HTTP PUT & DELETE Methods (CVE-2021-35243) - Fixed in WHD 12.7.7 Hotfix 1 
• Hard-coded credentials allowing arbitrary HSQL queries execution (CVE-2021-35232) - Fixed in WHD 12.7.7 Hotfix 1 
• Sensitive Data Disclosure Vulnerability (CVE-2021-35251) - Fixed in WHD 12.7.8 

According to the CVE-2021-35251 advisory, attackers might use unsecured WHD instances to gain access to environmental details about the Web Help Desk installation, making the other three security flaws easier to exploit.
Read more »
Ukraine-Russia Conflict
Chinese Hackers Cyber Attacks Ukraine Government Ukraine-Russia Conflict

China-Sponsored Hacking Groups are Targeting Ukrainian government

 

Google's Threat Analysis Group (TAG) has unearthed a cyberespionage operation sponsored by the Chinese People's Liberation Army (PLA) and other Chinese intelligence agencies targeting Ukrainian government to gather information on the ongoing conflict.

Billy Leonard, a security engineer at Google TAG, said Google has informed that Ukrainian government agencies are targeted by China-sponsored hacking groups. 

"Over the last few weeks Google TAG has identified a govt backed actor from CN targeting Ukrainian govt orgs, and we provided notifications to impacted parties,"  Billy Leonard said. “While our priority is providing notifications to impacted parties, we've provided related IOCs to community partners, and we will publish more details for the security community in the near future." 

Group leader Shane Huntley also confirmed Leonard’s assessment, saying that “the Ukrainian war has not only attracted the attention of European threatening players, but China is working hard here too.”

Last week, the hacktivist collective group Intrusion Truth stated that the campaign was directly sponsored by the Chinese government. The group announced that it is sharing IOCs with community partners and plan to provide additional details on the ongoing attacks in the future. 

Google TAG’s report on China’s ongoing cyber activity in Ukraine follows another warning issued a week ago regarding a Chinese-sponsored hacking group tracked as APT31 targeting Gmail users linked with the U.S. government. A day ago, Google security researchers disclosed that Russia and Belarus targeted Ukrainian and European government and military organizations in extensive phishing and DDoS assaults. 

"In the last 12 months, TAG has issued hundreds of government-backed attack warnings to Ukrainian users alerting them that they have been the target of government-backed hacking, largely emanating from Russia," stated Shane Huntley.

Google also reported China-backed Mustang Panda cyberespionage group (also known as Temp.Hex and TA416) have also switched to phishing assaults on European entities using lures linked with the invasion of Ukraine. 

In some attacks identified by Google, hackers employed malicious attachments with file names such as ‘Situation at the EU borders with Ukraine.zip’. On the same day, Proofpoint revealed that Mustang Panda was found phishing “European diplomatic organizations, including refugees and individuals involved in migrant services.”
Read more »
WastedLocker
Cyber Attacks DoppelPaymer Dridex Evil Corp Microsoft Excel Phoenix CryptoLocker User Data Leak WastedLocker

NRA Reacts to Allegations of a Ransomware Campaign

 

Last year, the National Rifle Association — champion of gun-toting maniacs worldwide, admitted it was hacked by cybercriminals. The organization's political action committee (PAC) confirmed the attack in a filing to the Federal Election Commission on Friday. 

Last October, a ransomware group known as "Grief" boasted to the digital underworld about hacking into the gun lobby's networks and stealing critical internal papers. It released screenshots of documents it claimed to be stolen during the event. The NRA did not confirm or deny it had been hacked at the time. 

"The National Rifle Association does not talk about its physical or electronic security. The NRA, on the other hand, takes exceptional precautions to safeguard information about its members, funders, and operations, and is extremely cautious in doing so." Andrew Arulanandam, managing director of NRA Public Affairs. 

The NRA was added as a new victim on the ransomware gang's data site today, along with pictures of Excel spreadsheets revealing US tax information and transaction amounts. The threat actors also published a 2.7 MB archive called 'National Grants.zip,' which comprises bogus NRA grant applications. After Grief claimed it obtained 13 files supposedly from the NRA's databases, security researchers began posting about the breach on Wednesday. According to an analysis of the documents supplied, it included records from a recent NRA board meeting as well as grant documents. If the NRA did not pay an undisclosed ransom, it threatened to release more files. 

The Grief ransomware group is believed to be linked to Evil Corp, a Russian hacking group. Evil Corp has been active since 2009 and has been involved in a variety of destructive cyber activities, including the spread of the Dridex trojan, which was used to steal online banking credentials and money. 

In 2017, the hacking gang published BitPaymer, ransomware which was later renamed DoppelPaymer in 2019. The US Department of Justice charged members of the Evil Corp with stealing more than $100 million and adding the cyber group to the Office of Foreign Assets Control (OFAC) sanction list after years of attacking US interests. 

Soon after, the US Treasury cautioned ransomware negotiators may face civil penalties if anyone helped gangs on the blacklisted list get ransom payments. To avoid US sanctions, Evil Corp has been spreading new ransomware strains under different identities on a regular basis since then.WastedLocker, Hades, Phoenix CryptoLocker, PayLoadBin, and, quite recently, the Macaw Locker are among the ransomware families.

NRA members should take precautions to protect themselves from any penalties which may occur as a result of this breach, according to Paul Bischoff, a privacy advocate at Comparitech. With the Grief ransomware group emerging, security researchers believe it is another version of DoppelPaymer due to the code similarities. Because Grief is related to Evil Corp, ransomware negotiators are unlikely to allow ransom payments unless the victim first obtains OFAC certification.
Read more »
User Security
Cyber Security Ransomware group U.S. Firms User Security

Multiple Similarities Identified in BlackMatter And BlackCat Ransomware

 

Cisco Talos researchers have spotted overlaps in the tactics, techniques, and procedures (TTPs) between BlackCat and BlackMatter, indicating a robust link strong connection between the two ransomware groups. 

According to the Cisco Talos findings, BlackCat first emerged on the ransomware-as-a-service (RaaS) scene in November 2021 and has since targeted several companies by exploiting vulnerabilities in the Windows system. It has been called out for being similar to BlackMatter, a short-lived ransomware family that originated from DarkSide, which made news by infiltrating the Colonial Pipeline system last year in a ransomware assault. 

In an interview with the cybersecurity firm Recorded Future last month, a BlackCat spokesperson dismissed rumors that it's a rebranding of BlackMatter while noting that it's made up of affiliates linked with other RaaS groups.

"In part, we are all connected to gandrevil [GandCrab / REvil], blackside [BlackMatter / DarkSide], mazegreggor [Maze / Egregor], lockbit, etc., because we are adverts (aka affiliates)," the unnamed representative stated.

"We borrowed their advantages and eliminated their disadvantages." "BlackCat seems to be a case of vertical business expansion," Cisco Talos researchers Tiago Pereira and Caitlin Huey said. "In essence, it's a way to control the upstream supply chain by making a service that is key to their business (the RaaS operator) better suited for their needs and adding another source of revenue."

In addition, researchers uncovered multiple similarities between a BlackMatter attack in September 2021 and that of a BlackCat attack in December 2021, including the tools and file names employed, as well as a domain used to provide persistent access to the target network.

This overlapping use of the same command-and-control address suggests that a BlackMatter affiliate was likely an early adopter — possibly in the first month of operation of BlackCat, with both the attacks taking more than two weeks to reach the encryption stage.

"As we have seen several times before, RaaS services come and go. Their affiliates, however, are likely to simply move on to a new service. And with them, many of the TTPs are likely to persist," the researchers added.

The best way to mitigate risks is by investing in the best antivirus software, allowing for peace of mind when conducting business or sending private information. So far, the BlackCat group has targeted U.S.-based companies more than 30% of the time, so enterprises in North America are advised to be ready in case they are the next subject of attack for the ransomware group.
Read more »
Subscribe to: Comments (Atom)