Black Basta Ransomware Hits American Dental Association

A new ransomware operation dubbed Black Basta exfiltrates corporate data and documents before encrypting a victim's devices. It came into operation this month and has already hit more than a dozen firms in a few weeks.

The operators then use the stolen data for double extortion, demanding large payments both to decrypt files and to keep the victim's data from being published.

According to BleepingComputer, the American Dental Association was hit by Black Basta last weekend, forcing it to shut down parts of its network. The ADA emailed members to say that several of its systems, including ADA email and Aptify, as well as its webchat and telephone lines, had been disrupted by the attack.

Affected systems were taken offline immediately, and the ADA has fallen back to Gmail addresses while its own email systems are down. State dental associations, including those in Florida, New York, and Virginia, have also been affected by the ADA outage.

The attackers have published 2.8 GB of data, which they claim is about 30% of what was stolen in the attack. The leaked files include non-disclosure agreements, W-2 forms, accounting spreadsheets, and ADA member data.

Researchers first observed Black Basta attacks in the second week of April, as the operation quickly began targeting firms worldwide. Little else is known about the group, which has not yet begun marketing its operation or recruiting affiliates on hacking forums.

Black Basta modus operandi 

The ransomware hijacks an existing Windows service and uses it to launch the ransomware encryptor executable. It then changes the desktop wallpaper to display the message "Your network is encrypted by the Black Basta group. Instructions in the file readme.txt" and reboots the computer into Safe Mode with Networking. Rebooting into Safe Mode is a common ransomware tactic because many endpoint security products do not run in that mode, leaving the encryptor unhindered.

According to security expert Michael Gillespie, Black Basta uses the ChaCha20 algorithm to encrypt files. Each folder on an encrypted device contains a readme.txt file with information about the attack, a link to the negotiation site, and a unique ID used to log in to the chat session with the threat actors.

The operators then demand a ransom, threaten to leak the data if payment is not made within seven days, and promise not to publish it once the ransom is paid. The encryption has no known weakness, so there is currently no way to recover files for free. The data-extortion side of the operation runs on the 'Black Basta Blog' or 'Basta News' Tor site, which lists victims who have not paid.
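The two host-side behaviours described above, a forced reboot into Safe Mode with Networking and a readme.txt note dropped into every folder, are things a defender can hunt for in endpoint telemetry. The following is an added example, not code from the article, from BleepingComputer or from Black Basta itself: it scans constructed Sysmon-style records (event 1, process creation; event 11, file creation) for those two behaviours and correlates them by the process responsible. The article does not say which mechanism Black Basta uses to force the safe-mode boot, so the bcdedit command line in the sample is an assumption about the usual way that is done on Windows, not an observed indicator.

```python
"""Added example: hunt constructed Sysmon-style events for a forced safe-mode
boot and a ransom-note spray, then correlate the two by process.
Not the article's or Black Basta's code; the telemetry below is made up."""
import re
from collections import defaultdict

# Constructed telemetry. The bcdedit safeboot command is an assumption about
# how a safe-mode reboot is usually forced on Windows, not an observed IOC.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\bcdedit.exe",
     "ParentImage": r"C:\Windows\Temp\svc.exe",
     "CommandLine": r"bcdedit /set {default} safeboot network"},
    {"EventID": 1, "Image": r"C:\Windows\System32\bcdedit.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"bcdedit /enum"},                       # benign admin use
    {"EventID": 1, "Image": r"C:\Windows\System32\shutdown.exe",
     "ParentImage": r"C:\Windows\Temp\svc.exe",
     "CommandLine": r"shutdown /r /t 0"},
] + [
    {"EventID": 11, "Image": r"C:\Windows\Temp\svc.exe",
     "TargetFilename": "C:\\Users\\alice\\" + folder + "\\readme.txt"}
    for folder in ("Documents", "Pictures", "Desktop", "Downloads", "Music", "Videos")
] + [
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\notes\readme.txt"},    # one note, no spray
]

SAFEBOOT_RE = re.compile(r"\bsafeboot\s+(minimal|network)\b", re.IGNORECASE)


def find_safeboot_changes(events):
    """Process-creation records where bcdedit switches the default boot entry
    into Safe Mode; each hit records the parent that launched bcdedit."""
    hits = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        if not e.get("Image", "").lower().endswith("\\bcdedit.exe"):
            continue
        m = SAFEBOOT_RE.search(e.get("CommandLine", ""))
        if m:
            hits.append({"parent": e.get("ParentImage", ""),
                         "mode": m.group(1).lower(),
                         "cmdline": e["CommandLine"]})
    return hits


def find_note_spray(events, note_name="readme.txt", min_folders=5):
    """Writers that dropped `note_name` into at least `min_folders` distinct
    folders. One readme.txt is normal; one per folder is a ransom note."""
    folders = defaultdict(set)
    for e in events:
        if e.get("EventID") != 11:
            continue
        folder, _, name = e.get("TargetFilename", "").rpartition("\\")
        if name.lower() == note_name:
            folders[e.get("Image", "")].add(folder.lower())
    return {img: sorted(f) for img, f in folders.items() if len(f) >= min_folders}


def suspicious_processes(events):
    """Processes that both forced a safe-mode boot and sprayed notes."""
    boot = {h["parent"] for h in find_safeboot_changes(events)}
    spray = set(find_note_spray(events))
    return sorted(boot & spray)


if __name__ == "__main__":
    for h in find_safeboot_changes(SAMPLE_EVENTS):
        print(f"safe-mode boot ({h['mode']}) set by {h['parent']}: {h['cmdline']}")
    for img, fs in find_note_spray(SAMPLE_EVENTS).items():
        print(f"{img} wrote readme.txt into {len(fs)} folders")
    print("correlated:", suspicious_processes(SAMPLE_EVENTS))
```

In a real deployment the note name, folder threshold and safeboot pattern would be tuned per environment, and the correlation key would be the process GUID rather than the image path.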

Cloudflare Blocks a DDoS Attack with 15 Million Requests Per Second

On Wednesday, internet infrastructure company Cloudflare said it had mitigated one of the largest volumetric distributed denial-of-service (DDoS) attacks on record: an HTTPS flood peaking at 15.3 million requests per second (rps), detected and mitigated earlier this month, and one of the largest HTTPS DDoS attacks ever reported.

According to Cloudflare's Omer Yoachimik and Julien Desgats, "HTTPS DDoS attacks are more expensive in terms of the computational resources required, because of the higher cost of establishing a secure TLS-encrypted connection. As a result, the attacker pays more to launch the attack, and the victim pays more to mitigate it. Volumetric DDoS attacks are different from traditional bandwidth DDoS attacks, in which attackers seek to exhaust and jam the victim's Internet connection bandwidth. Instead, attackers concentrate on sending as many spam HTTP requests as possible to a victim's server to consume valuable server CPU and RAM and prevent legitimate visitors from accessing targeted sites."

In August 2021 Cloudflare reported mitigating a 17.2 million rps HTTP attack, which it described at the time as nearly three times larger than any previously disclosed volumetric DDoS attack; the new attack is smaller in raw request count but was carried over HTTPS, where each request costs far more to serve. According to Cloudflare, the latest attack was launched from a botnet of about 6,000 unique infected devices, with Indonesia accounting for 15% of the attack traffic, followed by Russia, Brazil, India, Colombia, and the United States.

"What's intriguing is that the majority of the attack came from data centers," Yoachimik and Desgats pointed out. "We're seeing a significant shift away from residential network Internet Service Providers (ISPs) and towards cloud compute ISPs." According to Cloudflare, the attack targeted a "crypto launchpad," a site "used to showcase Decentralized Finance projects to potential investors."

Amazon Web Services recorded the largest bandwidth DDoS attack on record, at 2.3 terabits per second (Tbps), in February 2020. Separately, cybersecurity firm Kaspersky reported this week that the number of DDoS attacks rose 4.5-fold year over year in the first quarter of 2022, owing partly to Russia's invasion of Ukraine.
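The attack described above is a request flood rather than a bandwidth flood, so the first thing a defender looks at is requests per second, per client and in aggregate, and where the sources sit. The following is an added example, not Cloudflare's code or data: it parses constructed access-log lines in the common log format, reports the peak aggregate rps, lists the clients whose per-second rate exceeds a threshold, and breaks the traffic down by a source-class map. The IP addresses are documentation ranges and the mapping of those ranges to "datacenter" and "residential" is an assumption made for the example.

```python
"""Added example: per-second request-rate analysis over constructed
access-log lines. Not Cloudflare's code; the log and the prefix map are
made up for illustration."""
import re
from collections import Counter
from datetime import datetime

# Common/combined log format prefix: ip ident user [ts] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed classification of source ranges (documentation prefixes, not real ASNs).
PREFIX_CLASS = {"203.0.113.": "datacenter", "198.51.100.": "residential"}


def constructed_log():
    """Two steady clients at 1 rps each over three seconds, plus three bots
    that each fire 8 requests inside the second second."""
    lines = []
    for sec in range(3):
        ts = f"27/Apr/2022:10:00:0{sec} +0000"
        for ip in ("198.51.100.7", "198.51.100.8"):
            lines.append(f'{ip} - - [{ts}] "GET / HTTP/2.0" 200 1024')
        if sec == 1:
            for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
                for i in range(8):
                    lines.append(f'{ip} - - [{ts}] "GET /launchpad?r={i} HTTP/2.0" 200 512')
    return lines


def parse(lines):
    """Return (ip, epoch_second) pairs; lines that don't match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        events.append((m.group("ip"), int(ts.timestamp())))
    return events


def peak_rps(events):
    """Highest aggregate request count seen in any one-second bucket."""
    per_second = Counter(sec for _, sec in events)
    return max(per_second.values(), default=0)


def flooding_clients(events, threshold):
    """IPs that exceed `threshold` requests within any single second."""
    per_ip_second = Counter(events)
    return sorted({ip for (ip, _), n in per_ip_second.items() if n > threshold})


def share_by_class(events, prefix_map):
    """Request counts by source class according to `prefix_map`."""
    out = Counter()
    for ip, _ in events:
        label = next((lbl for pfx, lbl in prefix_map.items() if ip.startswith(pfx)), "unknown")
        out[label] += 1
    return dict(out)


if __name__ == "__main__":
    ev = parse(constructed_log())
    print("peak rps:", peak_rps(ev))
    print("flooding clients:", flooding_clients(ev, threshold=5))
    print("requests by source class:", share_by_class(ev, PREFIX_CLASS))
```

On real traffic the per-client threshold would be set from a baseline, and the source-class map would come from ASN or IP-reputation data rather than a fixed dictionary; the structure of the analysis is the same.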

VirusTotal Reveals Claims of Critical Flaws in Google’s Antivirus Service

Questions have been raised about the credibility of research that claims to reveal a severe vulnerability in VirusTotal, the Google-owned file-scanning and threat intelligence service.

VirusTotal (VT) lets security researchers, system administrators, and others check suspicious files, domains, IP addresses, and URLs against an aggregated service that includes close to 70 antivirus vendors and scan engines. Samples submitted through the service are automatically shared with the security community, including, but not limited to, the vendors that maintain the scanning engines VT uses.

In a blog post published on Tuesday, Israel-based cybersecurity education platform provider Cysource claimed its researchers were able to “execute commands remotely within [the] VirusTotal platform and gain access to its various scans capabilities”.

The attack uses a doctored DjVu file with a malicious payload embedded in its metadata. The payload exploits CVE-2021-22204, an arbitrary code execution flaw in ExifTool, a widely used metadata extraction tool, to obtain remote code execution (RCE) and a remote shell on whichever host parses the file. The flaw was fixed in ExifTool 12.24, so any scanning pipeline that still runs an older ExifTool against submitted files is exposed regardless of where the sample came from.

Cysource reported its findings to Google's Vulnerability Reward Program in April 2021, and they were addressed a month later. VirusTotal's position is that Cysource did not demonstrate a way to weaponize VirusTotal, only a way to exploit an unpatched third-party antivirus toolset that consumes samples from it.

Responding to the findings in a Twitter thread, VirusTotal founder Bernardo Quintero said the code execution occurred on third-party scanning systems that receive and analyse samples obtained from VT, not on VirusTotal itself.

“None [of the] reported machines were from VT and the ‘researchers’ knew it,” Quintero added.

Conti Ransomware Assault Continues Despite the Recent Breach

The notorious Conti ransomware group has continued its attacks on businesses despite the exposure of its internal operations earlier this year.

Researchers from Secureworks, which tracks the Russia-based group behind Conti as Gold Ulrick, say it was the second most prevalent group in the ransomware landscape, responsible for 19% of all attacks in the three months from October to December 2021.

Conti is one of the most prolific ransomware groups of the past year, alongside LockBit 2.0, PYSA, and Hive; it has locked up hospital, corporate, and government agency networks, demanding a ransom for the decryption key and publishing the data of those who do not pay as part of its name-and-shame scheme.

After the gang sided with Russia in its February invasion of Ukraine, an anonymous pro-Ukraine hacktivist using the Twitter handle ContiLeaks released the malware's source code, credentials, chat logs, and operational workflows.

"The chats reveal a mature cybercrime ecosystem with multiple threat groups that often collaborate and support each other," Secureworks said in a report published in March. Groups include Gold Blackburn (TrickBot and Diavol), Gold Crestwood (Emotet), Gold Mystic (LockBit), and Gold Swathmore (IcedID). 

According to Secureworks, Conti targeted more than 100 organizations in March; the gang has claimed that about half of its victims pay, with ransoms averaging $700,000. More than 30 new victims had already been posted on the Conti leak site in April.

Recent attacks have targeted wind turbine maker Nordex, industrial components supplier Parker Hannifin, and cookware and bakeware distributor Meyer Corporation. The group has also claimed responsibility for a highly disruptive attack on Costa Rican government systems.

"If GOLD ULRICK operations continue at that pace, the group will continue to pose one of the most significant cybercrime threats to organizations globally," said Secureworks.

Meanwhile, Intel 471's technical monitoring of Emotet campaigns between December 25, 2021, and March 25, 2022, found that more than a dozen Conti ransomware victims had first been hit by Emotet malspam, showing how closely the two operations are intertwined.

"While not every instance of Emotet means that a ransomware attack is imminent, our research shows that there is a heightened chance of an attack if Emotet is spotted on organizations' systems," said Intel 471.

US has Offered a $10 Million Bounty on Data About Russian Sandworm Hackers

The United States has announced a reward of up to $10 million for information on six hackers from Russia's military intelligence service. According to the State Department's Rewards for Justice program, "these people engaged in hostile cyber actions on behalf of the Russian government against U.S. vital infrastructure in violation of the Computer Fraud and Abuse Act."

The State Department is seeking information on six officers of the Main Intelligence Directorate of the General Staff of the Russian Armed Forces (GRU), members of the unit tracked as Sandworm (also known as Voodoo Bear or Iron Viking), over their alleged involvement in malicious cyberattacks against critical infrastructure in the United States. The allegations are as follows:

  • Artem Valeryevich Ochichenko is linked to technical reconnaissance and spear-phishing campaigns aimed at gaining unauthorized access to the IT networks of critical infrastructure sites around the world. 
  • Petr Nikolayevich Pliskin, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, and Yuriy Sergeyevich Andrienko are accused of developing components of the NotPetya malware, which the Russian government used to infect computer systems worldwide on June 27, 2017, and of the Olympic Destroyer malware.
  • Anatoliy Sergeyevich Kovalev is accused of developing spear-phishing techniques and messages used by the Russian government to break into critical infrastructure computer systems. 

On October 15, 2020, the US Justice Department charged the six officers with conspiracy to commit wire fraud and aggravated identity theft, among other counts, for deploying destructive malware to disrupt and destabilize other countries and cause financial losses.

According to the indictment, the GRU officers took part in attacks on Ukraine, including the BlackEnergy- and Industroyer-based attacks on the country's power grid in 2015 and 2016. The Department of Justice charged them with damaging protected computers, conspiracy to commit computer fraud and abuse, wire fraud, conspiracy to commit wire fraud, and aggravated identity theft. According to the State Department, the group's operations caused roughly $1 billion in losses for US firms.

As part of the program, Rewards for Justice has set up a Tor site at "he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad[.]onion" through which tips on these actors can be submitted anonymously; information can also be passed on via Signal, Telegram, or WhatsApp.

Sandworm was recently linked to Cyclops Blink, a sophisticated botnet malware that infected WatchGuard firewall appliances and ASUS routers. Other recent operations attributed to the group include the use of an updated version of the Industroyer malware against high-voltage electrical substations in Ukraine during Russia's ongoing invasion.

New Nimbuspwn Linux Flaws Could Provide Attackers Root Access

Microsoft has disclosed vulnerabilities in a Linux component that, when chained together, let a local attacker gain root access.

The flaws, collectively dubbed "Nimbuspwn" and tracked as CVE-2022-29799 and CVE-2022-29800, are in networkd-dispatcher, a daemon that runs scripts in response to systemd-networkd connection state changes. Microsoft found them while listening to messages on the system D-Bus as part of a code review and dynamic analysis effort.

Microsoft’s Jonathan Bar Or explained, “Reviewing the code flow for networkd-dispatcher revealed multiple security concerns, including directory traversal, symlink race, and time-of-check-time-of-use race condition issues, which could be leveraged to elevate privileges and deploy malware or carry out other malicious activities.”
 
“The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution.” 

He added that ransomware operators could use Nimbuspwn as a route to root in order to maximise their impact on affected machines. Clayton Craft, the maintainer of networkd-dispatcher, promptly fixed the flaws after Microsoft responsibly disclosed them.

Affected Linux users are advised to apply patches as soon as their distribution ships them. Although Nimbuspwn could affect a large number of systems, an attacker first needs local access to the target in order to exploit the flaws.

Mike Parkin, senior technical engineer at Vulcan Cyber argued, “Any vulnerability that potentially gives an attacker root-level access is problematic. Fortunately, as is common with many open-source projects, patches for this new vulnerability were quickly released.” 

“While susceptible configurations aren’t uncommon, exploiting these vulnerabilities appears to require a local account and there are multiple ways to mitigate them beyond the recommended patching. There is currently no indication that these vulnerabilities have been exploited in the wild.”
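The three bug classes Microsoft names above (directory traversal, symlink race, and time-of-check-time-of-use) all come from one pattern: a privileged daemon takes a string off the bus, builds a path from it, checks the file at that path, and later runs the file by path. The following is an added example, not networkd-dispatcher's source and not Microsoft's proof of concept: a minimal script-dispatching daemon written twice, once with the vulnerable pattern and once hardened. The directory layout, the state names and the hook file names are assumptions made for the example; the fixture it builds is a temporary directory, not real system files.

```python
"""Added example: vulnerable vs. hardened hook dispatch. Not the
networkd-dispatcher code; layout and state names are assumptions."""
import os
import stat
import tempfile

# Assumed subset of systemd-networkd operational states.
ALLOWED_STATES = {"off", "no-carrier", "dormant", "carrier", "degraded", "routable"}


def hook_dir_vulnerable(root, state):
    """Traversal: the state string arrives over the bus and is spliced into
    the path unchecked, so a state of '../x' leaves `root`."""
    return os.path.join(root, f"{state}.d")


def hook_dir_hardened(root, state):
    """Allow-list the state, then verify the resolved path stays under root."""
    if state not in ALLOWED_STATES:
        raise ValueError(f"unknown state {state!r}")
    base = os.path.realpath(root)
    path = os.path.realpath(os.path.join(base, f"{state}.d"))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("hook directory escapes root")
    return path


def _trusted(st, uid):
    """Regular file, owned by `uid`, not writable by group or others."""
    return (stat.S_ISREG(st.st_mode) and st.st_uid == uid
            and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def hooks_vulnerable(root, state, uid=None):
    """TOCTOU / symlink race: os.stat follows symlinks and the returned *path*
    is executed later, so the file can be swapped between check and use."""
    uid = os.getuid() if uid is None else uid
    d = hook_dir_vulnerable(root, state)
    return [os.path.join(d, n) for n in sorted(os.listdir(d))
            if _trusted(os.stat(os.path.join(d, n)), uid)]


def hooks_hardened(root, state, uid=None):
    """Open relative to a directory fd with O_NOFOLLOW, fstat the *open*
    descriptor, and return descriptors so the caller executes exactly the
    object that was checked (fexecve or /proc/self/fd/N)."""
    uid = os.getuid() if uid is None else uid
    dfd = os.open(hook_dir_hardened(root, state), os.O_RDONLY | os.O_DIRECTORY)
    accepted = {}
    try:
        for name in sorted(os.listdir(dfd)):
            try:
                fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=dfd)
            except OSError:            # symlink (ELOOP), vanished, or no access
                continue
            if _trusted(os.fstat(fd), uid):
                accepted[name] = fd
            else:
                os.close(fd)
    finally:
        os.close(dfd)
    return accepted


def build_fixture():
    """Constructed tree: <tmp>/dispatcher/routable.d/10-good.sh (regular),
    .../routable.d/20-link.sh -> <tmp>/outside.d/evil.sh (symlink),
    <tmp>/outside.d/evil.sh (outside the hook root)."""
    tmp = tempfile.mkdtemp()
    root = os.path.join(tmp, "dispatcher")
    good, outside = os.path.join(root, "routable.d"), os.path.join(tmp, "outside.d")
    os.makedirs(good)
    os.makedirs(outside)
    evil = os.path.join(outside, "evil.sh")
    for p in (os.path.join(good, "10-good.sh"), evil):
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho hook\n")
        os.chmod(p, 0o755)
    os.symlink(evil, os.path.join(good, "20-link.sh"))
    return root


def vulnerable_hook_names(root, state):
    return [os.path.basename(p) for p in hooks_vulnerable(root, state)]


def hardened_hook_names(root, state):
    fds = hooks_hardened(root, state)
    for fd in fds.values():
        os.close(fd)
    return sorted(fds)


def hardened_rejects(root, state):
    try:
        fds = hooks_hardened(root, state)
    except ValueError:
        return True
    for fd in fds.values():
        os.close(fd)
    return False
```

Run against the fixture, the vulnerable dispatcher happily lists evil.sh for the state "../outside" and accepts the symlink 20-link.sh because stat() reports the target's ownership; the hardened one refuses the state outright and skips the symlink because the O_NOFOLLOW open fails. The fixture checks ownership against the current user so the example runs unprivileged; a real daemon would check for root ownership and execute from the descriptor it fstat'ed.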

CNIL Imposes a Fine of 1.5 million Euros Against Software Publisher Dedalus

The French data protection authority (CNIL) has imposed one of its largest General Data Protection Regulation (GDPR) fines to date on Dedalus Biologie SAS ("Dedalus"), a software vendor that sells and supports solutions for medical laboratories.

Following a massive health data breach, disclosed in the press in February last year and affecting nearly 500,000 individuals, CNIL fined Dedalus Biologie 1.5 million euros, mainly for failing to meet its data security obligations.

CNIL Findings 

The amount of the fine reflects the seriousness of the breaches, in particular the fact that health data was disclosed. CNIL found Dedalus Biologie in breach of Article 28(3) of the GDPR, because the contracts between Dedalus Biologie and its customers did not contain the information that provision requires.

As part of a data migration from one tool to another, requested by two laboratories that used Dedalus Biologie's services, CNIL found that the company extracted a larger volume of data than required, including health data (e.g., health issues, infertility), and therefore processed data beyond the instructions given by the data controllers, in breach of Article 29 of the GDPR.

Additionally, CNIL found a breach of the obligation to ensure the security of personal data (Article 32 GDPR), on account of technical failings such as:

• lack of specific procedure for data migration operations; 
• lack of encryption of personal data stored on the server in question; 
• absence of automatic deletion of data after migration to the other software; 
• lack of authentication required to access the public area of the server; 
• use of user accounts shared between several employees on the private zone of the server; and 
• absence of supervision procedure and security alert escalation on the server. 

To prevent future breaches, Dedalus Biologie said it intends to reach the highest level of security and GDPR compliance by strengthening its IT infrastructure, improving its internal and external procedures, and appointing an additional DPO and IT information-services managers.

Emotet is Evolving with Different Delivery Methods

Emotet is a well-known botnet and loader that delivers follow-on malware to Windows systems. After a 10-month pause following a coordinated law-enforcement operation that took down its infrastructure, Emotet, run by the group tracked as TA542 (also known as Mummy Spider or Gold Crestwood), returned late last year.

Since then, Emotet campaigns have sent tens of thousands of messages to thousands of customers across many regions, with message volumes exceeding one million in some cases. Analysts say TA542 is experimenting with new attack methods on a small scale before incorporating them into larger spam campaigns, possibly in response to Microsoft's decision to block Visual Basic for Applications (VBA) macros by default in Office files downloaded from the internet. The latest wave ran between April 4 and April 19, 2022, while the group's usual large-scale campaigns were paused.

Proofpoint researchers noted several distinguishing features of the campaign, including the use of OneDrive URLs instead of Emotet's usual Office attachments or links to Office files. In place of Excel or Word documents carrying VBA or XL4 macros, the campaign delivered XLL files: Excel add-ins that are native dynamic link libraries (DLLs), so they execute code when Excel loads them without any macro being involved.

Alternatively, these new TTPs could mean TA542 is now running more targeted, limited-scale attacks alongside its traditional mass-scale email operations. The absence of macro-enabled Excel or Word attachments is a notable departure from prior Emotet campaigns and suggests the group is abandoning the tactic ahead of Microsoft's move to block VBA macros by default in files from the internet, beginning in April 2022.

The development follows a fix last week by the malware's authors for a bug that had prevented victims from being infected when they opened weaponized email attachments.
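The two delivery traits described above, an XLL attachment and a OneDrive share link, are both straightforward to flag at the mail gateway. The following is an added example, not Proofpoint's detection logic: it builds a constructed message with Python's email package and triages it for an XLL add-in (a native DLL, so its content starts with the PE "MZ" header), for a PE file hiding under a non-executable name, and for a OneDrive link in the body. The list of OneDrive hosts is an assumption about which hosts such share links use, and the detection is deliberately narrow.

```python
"""Added example: mail-gateway triage for the XLL-attachment and OneDrive-link
delivery traits. Not Proofpoint's logic; the message is constructed."""
import email
import re
from email import policy
from email.message import EmailMessage

ONEDRIVE_HOSTS = {"onedrive.live.com", "1drv.ms"}   # assumed share-link hosts
EXEC_EXTS = (".exe", ".dll", ".xll")                 # names where a PE header is expected
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s\"'<>]*", re.IGNORECASE)


def constructed_message(attach_xll=True, onedrive_link=True):
    """Build a sample message. The 'MZ' bytes are a constructed PE header
    only, not a working add-in."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.test"
    msg["To"] = "finance@example.test"
    msg["Subject"] = "Re: Invoice 2022-04"
    body = "Hello,\nPlease review the attached invoice."
    if onedrive_link:
        body += "\nThe signed copy is here: https://1drv.ms/u/s!constructed-share-id"
    msg.set_content(body)
    if attach_xll:
        msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                           subtype="octet-stream", filename="Invoice_2022-04.xll")
    else:
        msg.add_attachment(b"%PDF-1.4\n%constructed", maintype="application",
                           subtype="pdf", filename="Invoice_2022-04.pdf")
    return msg.as_bytes()


def triage(raw):
    """Return a sorted list of (category, detail) findings for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = set()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(".xll"):
            findings.add(("attachment", f"{name}: Excel add-in (XLL)"))
        if data.startswith(b"MZ") and not name.endswith(EXEC_EXTS):
            findings.add(("attachment", f"{name}: PE header under a non-executable name"))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for m in URL_RE.finditer(text):
        host = m.group(1).lower()
        if host in ONEDRIVE_HOSTS:
            findings.add(("url", f"OneDrive share link on {host}"))
    return sorted(findings)


def verdict(raw):
    """Gateway decision: quarantine anything with a finding."""
    return "quarantine" if triage(raw) else "deliver"


if __name__ == "__main__":
    for kind, detail in triage(constructed_message()):
        print(f"{kind}: {detail}")
    print(verdict(constructed_message()), "/", verdict(constructed_message(False, False)))
```

A production rule would also look inside archives, follow the OneDrive link in a sandbox to see what it serves, and score rather than hard-quarantine, since legitimate OneDrive links are common; the point here is that neither trait depends on macros, so macro-blocking alone does not cover it.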

Hackers Steal NFTs Worth $3M in Bored Ape Yacht Club Heist

Hackers stole non-fungible tokens (NFTs) estimated to be worth $3 million after taking over the Bored Ape Yacht Club's Instagram account and posting a link to a phishing site that mimicked the project's own and was built to capture victims' assets.

The fake post offered a free airdrop, essentially a promotional token giveaway, to users who clicked the link and connected their MetaMask crypto-asset wallets to the site. Rather than receiving free items, victims had their wallets drained into the scammer's wallet.

Bored Ape Yacht Club warned on Twitter on Monday morning, too late for some of its members: "It looks like BAYC Instagram was hacked. Do not mint anything, click links, or link your wallet to anything."

The Bored Ape Yacht Club, or BAYC, is a collection of cartoon images of bored apes in various poses and outfits, used as online profile avatars and selling for hundreds of thousands of dollars' worth of cryptocurrency.

Miscreants stole four Bored Apes, six Mutant Apes, and three Bored Ape Kennel Club NFTs, as well as "assorted additional NFTs estimated at a total value of $3 million," according to Yuga Labs, the company that launched Bored Ape Yacht Club. 

"We are actively working to establish contact with affected users," a Yuga Labs spokesperson said, adding that its hijacked Instagram account did have two-factor authentication enabled, "and the security practices surrounding the IG account were tight." 

"Yuga Labs and Instagram are currently investigating how the hacker was able to gain access to the account," the spokesperson stated. 

This is the second time in less than a month that the project's accounts have been compromised. Bored Ape Yacht Club said on March 31 that its Discord server had been hijacked; in that incident, according to security firm PeckShield, one NFT, Mutant Ape Yacht Club #8662, was stolen.

In March, following the launch of the ApeCoin cryptocurrency by the Bored Ape Yacht Club, fraudsters made off with around $1.5 million by using flash loans to temporarily hold NFTs they did not own and claiming the tokens allocated to those NFTs. Flash loans are borrowed and repaid within a single blockchain transaction, so the funds may be held for only seconds. These and other recent hacks have raised security concerns about NFT and cryptocurrency technologies.

Medical Device Cybersecurity: What Next in 2022?

Cybellum has published a survey report on medical device cybersecurity, along with trends and predictions for 2022. It is worth noting that securing medical devices has become a very challenging task.

With medical devices increasingly software-driven, and with cybersecurity risk arising rapidly from new vulnerabilities, complex supply chains, new suppliers, and new product lines, keeping an entire product portfolio secure and compliant at all times can seem impossible. Learning from peers and identifying the best path forward is now more important than ever.

In the survey, security experts from hundreds of medical device manufacturers were asked what their biggest challenges are and how they plan to tackle them in 2022 and beyond. Among the notable findings about manufacturers' security readiness:
  • The top security difficulty for respondents is managing an expanding number of tools and technologies, which is partially explained by a lack of high-level ownership. 
  • Seventy-five percent of respondents said they don't have a dedicated senior manager in charge of device security. 
  • Almost 90% of respondents acknowledged that companies need to improve in critical areas including SBOM analysis and compliance readiness. 
  • In 2022, nearly half of companies increased their cybersecurity spending by more than 25%. 
  • More than 55% of medical device makers have no dedicated product security incident response team (PSIRT).

David Leichner, CMO at Cybellum, said, “We embarked on this survey to gain a more comprehensive understanding of the main challenges facing product security teams at medical device manufacturers, as part of our effort to help to better secure the devices. Some of our findings were quite surprising and highlight serious gaps that exist both in processes for securing medical devices and in regulation compliance.”

Critical Vulnerability Identified in Ever Surf Blockchain Wallet

A vulnerability in the browser version of the Ever Surf blockchain wallet could have given attackers full control over a victim's wallet and the funds in it, according to threat analysts at Check Point Research.

Available on Google Play and Apple's App Store, Ever Surf is described as a cross-platform messenger, blockchain browser, and crypto wallet for the Everscale blockchain network. It currently has nearly 670,000 active accounts worldwide and claims to have facilitated at least 31.6 million transactions.

According to Check Point researchers, the web version of the Ever Surf wallet suffered from a relatively simple bug that allowed attackers to recover private keys and seed phrases stored in the browser's local storage. To do so, an attacker first had to obtain the encrypted keystore from that storage, which is typically done via a malicious browser extension, infostealer malware, or plain old phishing.

With the keystore in hand, the attacker could decrypt it with a simple script; the weakness made decryption possible in "just a couple of minutes, on consumer-grade hardware," the researchers said. In other words, once the stored keystore was copied it could be cracked offline, so the protection it offered depended entirely on the attacker never getting a copy.

Check Point Research (CPR) reported the vulnerability to the Ever Surf developers, who then published a desktop version that mitigates the flaw, the company said in a press release. The web version is now deprecated and should only be used for development. Seed phrases for accounts that hold real value should not be entered into the web version of Ever Surf, the researchers warned.

“Everscale is still in the early stages of development. We assumed that there might be vulnerabilities in such a young product,” said Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Software.

“When working with cryptocurrencies, you always need to be careful, ensure your device is free of malware, do not open suspicious links, and keep OS and antivirus software updated. Despite the fact that the vulnerability we found has been patched in the new desktop version of the Ever Surf wallet, users may encounter other threats such as vulnerabilities in decentralized applications, or general threats like fraud, phishing,” Chailytko added. 

To reduce the risk, the researchers recommended that users not follow suspicious links, particularly those from unknown sources, keep their OS and antivirus software up to date, and avoid installing any software or browser extension before verifying the identity of its source.