Group-IB: Hackers hit hard SEA and Singapore in 2018




Singapore, 19.03.2019 – Group-IB, an international company that specializes in preventing cyberattacks, on Money2020 Asia presented the analysis of hi-tech crime landscape in Asia in 2018 and concluded that cybercriminals show an increased interest in Asia in general and Singapore in particular. Group-IB team discovered new tool used by the Lazarus gang and analyzed North Korean threat actor’s recent attacks in Asia. Group-IB specialists discovered 19 928 of Singaporean banks’ cards that have shown up for sale in the dark web in 2018 and found hundreds of compromised government portals’ credentials stolen by hackers throughout past 2 years. The number of leaked cards increased in 2018 by 56%. The total underground market value of Singaporean banks’ cards compromised in 2018 is estimated at nearly $640 000.

Lazarus go rogue in Asia. New malware in gang’s arsenal

According to Group-IB Hi-Tech Crime Trends 2018 report, Southeast Asia, and Singapore in particular, is one of the most actively attacked regions in the world. In just one year, 21 state-sponsored groups, which is more than in the United States and Europe combined, were detected in this area, among which Lazarus – a notorious North-Korean state-sponsored threat actor.

Group-IB established that Lazarus is responsible for a number of latest targeted attacks on financial organizations in Asia. Group-IB Threat Intelligence team detected and analyzed the gang’s most recent attack, detected by the company experts, on one of the Asian banks.

In January 2019, Group-IB specialists obtained information about previously unknown malware sample used in this attack, dubbed by Group-IB RATv3.ps (RAT - remote administration tool). The new Trojan was presumably downloaded to a victim’s computer as part of the second phase of a so-called watering hole attack, which, according to Group-IB report on Lazarus, the group has been actively using since 2016. During the first stage, cybercriminals supposedly infected a website, visited by a victim, with a Trojan Ratankba, a unique tool used by Lazarus. Group-IB specialists note that the new RATv3.ps might have been used by North Korean hackers in other recent attacks at the end of 2018. At least one of RATs was available via a legitimate Vietnamese resource, which might have been involved in other attacks.

“The newly discovered Lazarus’ malware is multifunctional: it is capable of data exfiltration from the victim’s computer, downloading and executing programs and commands via shell, acting as a keylogger to retrieve victim’s passwords, moving, creating and deleting files, injecting code into other processes and screencasting,” – comments Dmitry Volkov, Group-IB CTO and Head of Threat Intelligence. “So in case of Lazarus a stitch in time saves nine. It is very hard to contain their attacks as they happen. You have to be well prepared and know their tactics and tools. In particular, it is extremely important to have most up-to date indicators of compromise, unavailable publicly, that can only be gathered through automated machine learning-powered threat hunting solutions. Given the group’s increased activity in the region in 2018, we believe that Lazarus will continue to carry out attacks against banks, which will result in illicit SWIFT payments, and will likely experiment with attacks on card processing, primarily focusing on Asia and the Pacific.”

Several cybersecurity researchers note that also in 2018 Lazarus carried out global campaign known as “Rising sun”. The malicious campaign affected close to 100 organizations around the world, including Singapore. The gang’s new endeavor took its name from the implant downloaded to victims’ computers. It was found that Rising Sun was created on the basis of the Trojan Duuzer family, which also belongs to cybercriminals from the Lazarus group. The malware spreader as part of this campaign was primarily aimed at collecting information from the victim’s computer according to various commands

According to Group-IB Hi-Tech Crime Trends report 2018, Lazarus, unlike most of other state-sponsored threat actors, does not shy away from attacking crypto. “Singapore, being one of the most crypto-friendly countries in the world, attracts not only thousands of crypto and blockchain entrepreneurs every year, but also threat actors willing to grab a piece of the pie. We expect that that other APTs like Silence, MoneyTaker, and Cobalt will stage multiple attacks on cryptocurrency exchanges in the near future,” – says Dmitry Volkov.

Have you been pwned?

Group-IB Threat Intelligence team identified hundreds of compromised credentials from Singaporean government agencies and educational institutions over the course of 2017 and 2018. Users’ logins and passwords from the Government Technology Agency (https://www.tech[.]gov.sg/), Ministry of Education (https://www.moe[.]gov.sg/), Ministry of Health (https://www.moh[.]gov.sg/), Singapore Police Force website (https://polwel[.]org.sg/about/), National University of Singapore learning management system (ivle.nus[.]edu.sg) and many other resources were stolen by cybercriminals. CERT-GIB (Computer Emergency Response Team) reached out to Singaporean CERT upon identification of this information. “Users’ accounts from government resources are either sold on underground forums or used in targeted attacks on government agencies for the purpose of espionage or sabotage. Even one compromised account, unless detected at the right time, can lead to the disruption of internal operations or leak of government secrets,” – comments Dmitry Volkov. Cybercriminals steal user accounts’ data using special spyware aimed at obtaining users' authentication data. According to Group-IB data, PONY FORMGRABBER, QBot and AZORult became the TOP 3 most popular Trojan-stealers among cybercriminals.

Pony Formgrabber retrieves login credentials from configuration files, databases, secret storages of more than 70 programs on the victim’s computer and then sends stolen information to cyber criminals’ C&C server. Another Trojan-stealer — AZORult, aside from stealing passwords from popular browsers, is capable of stealing crypto wallets data. Qbot worm gathers login credentials through use of keylogger, steals cookie files and certificates, active internet sessions, and forwards users to fake websites. All these Trojans are capable of compromising the credentials of crypto wallets and crypto exchanges users. More information on the most actively used Trojans and their targets can be accessed through Group-IB Threat Intelligence.

Public data leaks is another huge source of compromised user credentials from government websites. Group-IB team analyzed recent massive public data breaches and discovered 3689 unique records (email & passwords) related to Singaporean government websites accounts.

Underground market economy. Number of compromised cards of Singaporean banks on sale increases

In 2018, Group-IB detected the total of 19,928 compromised payment cards related to Singaporean banks on darknet cardshops. Singapore, as one of the major financial hubs in Southeast Asia is drawing more and more attention of financially motivated hackers every year. According to Group-IB data, compared to 2017, the number of leaked cards increased in 2018 by 56%. The total underground market value of Singaporean banks’ cards compromised in 2018 is estimated at nearly $640,000.

Group-IB Threat Intelligence team observed two abnormal spikes in Singaporean banks’ dumps, unauthorized digital copies of the information contained in magnetic stripe of a payment card, offered for sale on the dark web in 2018. The first one occurred on July 20th, when almost 500 dumps related to top Singaporean banks surfaced on one of the most popular underground hubs of stole card data, Joker’s Stash. On overage, the price per dump in this leak was relatively high and kept at 45$. The high price is due to the fact that most of the cards were premiums (e.g. Platinum, Signature etc.).

Another significant breach happened on November 23rd when the details of 1147 Singaporean banks dumps were set up for sale on cardshops. The seller wanted 50$ per item– 50% of stolen cards in batch were also marked as Premium.

Group-IB Threat Intelligence continuously detects and analyses data uploaded to cardshops all over the world. According to Group-IB’s annual Hi-Tech Crime Trends 2018 report, on average, from June 2017 to August 2018, the details of 1.8 million payment cards were uploaded to card shops monthly.

QR-codes on historical buildings of Russian city Astrakhan that led to Adult sites have been removed


Hacker reportedly changed website location of the QR-codes on historical buildings of Russian city Astrakhan and replaced them with adult website link. There was no technical detail provided how hacker was able to change the location of QR code.

When residents and guests of the city scanned QR-codes, their phones opened resources for adults, instead of sites with historical references.

Galina Goteeva, the Minister of Culture and Tourism of the region, said on March 15 that the signs with QR codes on the historical buildings of Astrakhan were changed.

QR-codes on historically significant buildings of Astrakhan were placed a few years ago. It was assumed that people can get a historical reference about the building after scanning the code with a mobile phone. Already in November last year, the Media reported about QR codes leading to porn sites and dating sites for quick sex.

In fact, the Regional Ministry of Culture for a long time struggled with the elimination of porn content, the signs were removed with great difficulty. And only at the end of the year sex traffic was stopped completely.

However, it is still a mystery why the signs with QR-codes hung for so long and why they were not promptly replaced. In total, there are at least 15 signs. QR-codes stopped working more than a year ago, but officials did not pay any attention to it: first, the pages gave an error, and later they began to lead to porn sites.

Group-IB : payment data of thousands of customers of UK and US online stores could have been compromised




Moscow, 14.03.2019 – Group-IB, an international company that specializes in preventing cyberattacks, has uncovered a malicious code designed to steal customers’ payment data on seven online stores in the UK and the US. The injected code has been identified as a new JavaScript Sniffer (JS Sniffer), dubbed by Group-IB as GMO.

Group-IB Threat Intelligence team first discovered the GMO JS Sniffer on the website of the international sporting goods company FILA UK, which could have led to the theft of payment details of at least 5,600 customers for the past 4 months.

Do your payments have the sniffles?

Most recent breaches similar to this include British Airways and Ticketmaster which were first analyzed by RiskIQ research team, where cybercriminals managed to compromise personal information of thousands of travelers and concert goers with a few of lines of code. British Airways and Ticketmaster websites were infected with JS Sniffers, a type of malicious code injected into a victim’s website designed to steal a consumer’s personal data including payment card details, names, credentials etc.

FILA UK website (fila.co[.]uk) became cybercriminals’ new major target on the UK market . GMO JS Sniffer has also been discovered on 6 other websites of US-based companies. This type of attack is especially dangerous given that it can be applied to almost any e-commerce site around the world. Group-IB made multiple attempts to alert FILA, which was known to be impacted by GMO. Six other websites affected by this JS Sniffer were notified upon discovery as well. Group-IB team has also reached out to local authorities in the UK and the US to conduct outreach.

Group-IB’s Threat Intelligence team first discovered GMO on the FILA UK website. The malicious code was detected in early March 2019. In the course of further research it was revealed that GMO JS Sniffer has presumably been collecting customer payment data since November 2018. According to Alexa.com, the number of fila.co[.]uk unique monthly visitors is estimated at around 140k per month.

According to IRP, UK market research firm, a minimum conversion into purchase for fashion and clothing ecommerce is equal to 1%. Using very conservative estimates, payment and personal details of at least 5,600 customers could have been stolen by cybercriminals – everyone who has purchased items on fila.co.uk since November 2018 has potentially had their details compromised. Typically, after customer data is stolen, it is usually resold on underground cardshops. Another scheme of cashing out involves the use of compromised cards to buy valuable goods, e.g. electronics, for onward sale.


Mozilla Firefox Considers Blocking Cyber security Company Darkmatter; Reports Arise of Its Link to a Cyber Espionage Program




Firefox 'browser-maker' Mozilla is under talks about considering whether to block the cyber security organization DarkMatter from serving in as one of its internet security gatekeeper after a Reuters report connected the UAE-based firm to a cyber-espionage program.

The international news organization announced in January that the cyber-security company gave the staff the secret to a hacking operation with the codename Project Raven, on behalf of an Emirati intelligence agency. The unit there included previous U.S. intelligence officials who led hostile cyber operations for the UAE government.

The shrouded program, which operated from a converted Abu Dhabi house far from DarkMatter's headquarters, included hacking into the internet accounts of human rights activists, journalists and officials from rival governments.

Mozilla said the company is under talks to arrive at a decision on whether to deny the authority possessed by DarkMatter, however expects to decide within weeks. While two Mozilla officials said in a meeting a week ago that Reuters' report raised their worries about whether DarkMatter would abuse their position to certify sites as safe or not.

Selena Deckelmann, a senior director of engineering for Mozilla, said "We don't currently have technical evidence of misuse (by DarkMatter) but the reporting is strong evidence that misuse is likely to occur in the future if it hasn't already."

Likewise informing that Mozilla was thinking about stripping a few or the majority of the 400 certifications that DarkMatter has granted to sites under a limited authority since 2017.

In any case DarkMatter CEO Karim Sabbagh denied the Reuters report connecting his company in any way to Project Raven."We have never, nor will we ever, operate or manage non-defensive cyber activities against any nationality," he said in a letter to Mozilla on February 25th, posted online by the cyber security company.

While in the past Mozilla has depended heavily on technical issues when choosing whether to trust a company with certification authority or not, the Reuters investigation has driven it to re-evaluate its arrangement for affirming candidates.


Anonymous Threat Group Compromised 1 Million Web Pages of Popular Brands like Coca-Cola and McDonalds’s



Around 1 million Israeli based webpages owned by renowned brands like McDonalds’s and Coca-Cola have been compromised by an anonymous group of hackers who notably breached the websites of leading brands which were introduced for Israel natives with address ‘co.il’  – Cocacola.co.il and McDonalds.co.il and etcetera.  

The hacker group employed third-party accessibility plug-in known as ‘nagich.co.il’ which loaded infected JavaScript code that compromised the website and assisted the threat actors in exploiting and corrupting a million of web pages.

There’s a critical vulnerability which existed in the disabled page accessibility plug-in, Nagich, it permitted access to more than 1 million Israel based webpages and primarily assisted the attackers in corrupting the webpages.

Besides websites of renowned brands – Coca-Cola, McDonald’s and Toys"R"Us, other popular websites namely Ynet and Calcalist also fall prey to this breach. Reportedly, the attackers corrupted these websites and displayed political messages.

The Nagich website is not a usual site, it’s a website which contains an accessibility plugin - a Javascript which runs on a website which opts for this service and provides it a multitude of options. 

On giving necessary permissions, the severe vulnerability can run code on the website which means it can make any changes in our site and do whatever it wants. Hackers exploited it to replace the malicious code with an embedded link with the motives of corrupting webpages.

Due to the delay in taking remedial measures to patch the vulnerability, Nagich officials, in a way led hackers to compromise hundreds of webpages.  



The First-Ever Millionaire Hacker on HackerOne




At a tender age of 19, Santiago Lopez is earning a handsome sum of money via bug bounty program HackerOne and discovering security flaws through vulnerability coordination. He is said to be the first one to make more than USD 1 million through the aforementioned channels and he ranks second on HackerOne.
Lopez is self-taught on how to quash layers of security protections as he resorted to tutorial videos and content on the internet for his hacking and information security classes which he started taking in 2015 at the age of 16.
He has worked and reported vulnerabilities for renowned organizations such as Twitter, Automattic, Verizon, HackerOne among others. As of now, he has successfully reported 1676 different vulnerabilities for online assets. Additionally, he has worked for the US government and other private organizations.
It was a year later when he was awarded a $50 pay for a CSRF vulnerability, the inflow of rewards began; the largest bounty being $9,000, which he received for a SSRF.
Santiago invested his initial bug bounty earnings on a brand new PC and as the money multiplied, the young IT enthusiast considered buying cars.
At HackerOne, the goal of their program is to touch the mark of $100 million by the end of 2020 and on the way of realizing this goal, in 2018, the security researchers at HackerOne have made more than $19 million in bounties which is significantly larger than over $24 million paid in the past five years.
It has been reported that the majority of the hackers dedicate around 10 hours per week searching for bugs, while one-fourth of them are found to be working 10-20 hours every week.
Referencing from a survey, the security researchers with extensive experience in the corresponding field forms the smallest percentage, whereas the majority which is 72.3% carries experiences ranging from one to five years.
It is the joys of accumulating money and dealing with challenges which are among the top driving factors for the researchers to submit bugs through HackerOne.





The Australian Parliament’s Anti –Encryption Law Opening Doors to Potential Cyber Attacks




The Australian Parliament recently gave a green light to an "anti-encryption" law i.e. the Assistance and Access Bill, broadly recognized by numerous U.S. tech giants, to give the nation's intelligence and law enforcement agencies access to end-to-end encrypted communications.

The bill passed, regardless of vocal opposition from cyber security and technology groups far and wide who cautioned that even secondary passages structured solely for law implementation will without a doubt is exploited by those keen to make way to potential cyber-attacks.

Portrayed as a "secondary passage" or "backdoor" the move is said to, in a general sense debilitate Australia's cyber security and perhaps the other users of these innovations as well.

There is additionally a "far reaching concern" that this law will eventually have a negative impact on the employment status from the Australian technology firms as the global network will never again trust these products.

Lawmakers, who in the present digital economy ought to work to close the "cyber exposure gap", not augment it are rather debilitating Australia's overall cyber security posture, with causing a major impact to the economic outcomes also.

There is no denying the fact that law implementation organizations around the world face reasonable difficulties, however laws that debilitate encryption are the wrong solution.

Therefore, as opposed to following Australia's hazardous point of reference, other nations must work to guarantee open wellbeing while likewise shutting the "cyber exposure gap" and reinforcing cyber security standards for all devices. The dangers related with Australia's activity ought not to be downplayed because cyber security is as much important as national security.


Hackers Delivering New Muncy Malware Worldwide through DHL Phishing Campaign



With malicious intentions of targeting the users across the globe, attackers are reported to be disseminating new dubbed Muncy malware in the form of EXE file through DHL phishing campaigns.

Resorting to malspam emails, DHL phishing is amongst the most far-reaching campaigns which distributed several sophisticated malware. They made it appear legitimate by exploiting the deplorable configuration of SMTP servers and by employing email spoofing techniques.

DHL is a company of global repute which specializes in providing express mail services, international couriers and parcels. The reputation of the well-established company took some hits by the cybercriminals as they abused it to distribute malware. 

They did so by configuring the malicious emails to appear to be coming from DHL express. The email comprised of an infected attachment in PDF format.

How the malware is executed?

As soon as the targeted user accesses the PDF attachment, Muncy Trojan file sneaks into the system. Then the packed malware is unpacked and once unpacked it scans the whole C:\ drive for the files containing sensitive data. 

Expert takes

Commenting on the matter, Pedro Tavares, Founder, and Pentester at CSIRT.UBI told the GBHackers, “The phishing campaign is trying to impersonate DHL shipment notification and the malware is attached in the email.”

“This malware is on the rise and is affecting user’s in-the-wild while stealing sensitive information from their devices.”





Websites Including Ixigo Hacked, Leaving 127 Million Accounts Exposed For Sale






Over 127 million accounts were broken into from around 8 separate websites. This is the doing of a hacker who’d stolen records of 620 million people before.

The travel booking site “Ixigo” seems to be one of the major victims from which records were stolen.

Allegedly, these infamous records include the users’ names, email addresses, passwords and other personal details.

According to a research, 18 million user records were wrested from Ixigo and around 40 million were stolen from YouNow which is a live-video streaming site.

1.8 million accounts were wrested from Ge.tt and 57 million records were snatched off from Houzz.

Hakcer’s listings showed that an antiquated “MD5” hashing algorithm was applied to “scramble” passwords which are otherwise easy to “unscramble”.

It was claimed by the hacker themselves that they had user records from mainstream sites like MyFitnessPal and Animoto with declaring number of records to be 151 million and 25 million respectively.

Bitcoin currency of $20,000 could now be used in exchange for databases which make life easier for hackers, from the Dream Market cyber-souk in the Tor network.

The price is pretty hacker-pocket friendly. The major target audience for the deal seem to be spammers and credential stuffers.

These credentials could further be used to hack into other sites and wrest other user details.

The victimized websites have started alerting their users about the hazard and it would only be fit for the users to stay vigilant about it all.


Bank details of Bernard Matthews employees stolen

A suspected cyber-attack "potentially compromised" the bank account details of 200 workers at Bernard Matthews.

The turkey producer has made staff aware of the suspected hack.

The Norfolk-based company said it was alerted by its bank on 22 January, as first reported in the EDP.

A spokesman said: “After being first alerted by our bank, we reported the incident to the relevant authorities and put in place extra security measures, as well as offering additional security advice to those affected.” "We continue to monitor the situation but we are not aware colleagues have been affected any further," he added.

The person or group behind the hack is unknown.

Bernard Matthews employs 3,000 people across East Anglia. The company is a major employer in Norfolk and Suffolk, including at its plant at Holton, near Halesworth, and its headquarters at Great Witchingham.
The business has been through a difficult time in recent years, coming close to collapse in 2013.

Last year, it was one of two interested parties bidding to take over Banham Poultry, in Attleborough, which was eventually sold to Chesterfield Poultry.

In 2016 the Boparan Private Office, owned by food tycoon and 2 Sisters Food Group entrepreneur Ranjit Boparan, known as the “Chicken King”, bought the firm in a pre-pack deal in 2016 from Rutland Partners, saving 2,000 jobs after the firm posted pre-tax losses of £5.2m.

A Malware Program That Hobbled Newspapers Nationwide Makes a Comeback


Ryuk Malware has made a rebound once more and this time it focused on the Tribune publishing Newspaper operations. The Malware program, a refined curve on an extortionate exemplary, is believed to have been utilized in an attack that has maimed newspapers across the nation.

The Malware is such that it automatically spreads from one computer to another, enciphering essential documents en route with an unbreakable code. Endeavors to gain access to the enciphered information, and the malware displays a ransom note, to deposit bitcoin into an unidentified wallet and receive a  key to decode the user's entire system , the refusal for which will result in the documents remaining 'locked for good'.

The issue notwithstanding, surfaced near midnight Thursday and spread quickly over the next day, when sports editors at the Union-Tribune attempted to transmit the completed pages to the printing office. Thusly hindering the distribution of the Saturday editions of The Times and Union-Tribune papers in Florida, Chicago and Connecticut, as well as the West Coast editions of the Wall Street Journal along with the New York Times.

Ryuk showed up on the radar of cybersecurity specialists in August, when the security scientists MalwareHunterTeam rumored five unfortunate casualties. An investigation with Check Point Research was published soon thereafter, assessing that it had officially gotten the attackers more than $640,000, and that much of its code coordinated with that of a ransomware program called Hermes, which has been connected with the North Korean hacking group that was behind the famous WannaCry attack.

Ben Herzog, a security specialist with Check Point says that Ryuk is different as it is a relatively  'artisanal' malware, used to target explicit organizations with little resilience for disturbance, such like hospitals and other healing facilities, ports and now obviously, the newspapers.

Despite the fact that their analysis till now has not prevailed with regards to determining if Ryuk had a technique for consequently spreading among a system or not, which Itay Cohen, another security analyst with Check Point, said may specify "prior, manual work that was done by the attackers in order to take these networks as a hostage.”


BT and Europol sign agreement to share cybersecurity intelligence data


The European Union Agency for Law Enforcement Cooperation (Europol) and communications company BT have joined forces in an agreement to exchange threat intelligence data.

A Memorandum of Understanding (MoU) was signed by both parties at Europol’s in The Hague in the Netherlands, which along with the creation of a framework to share knowledge of cybersecurity threats and attacks, will also help in facilitating sharing of information relating to cybersecurity trends, measures, technical expertise, and industry practices to reinforce cybersecurity in Europe.

To this end, BT will work alongside Europol’s European Cybercrime Centre (EC3), helping in identifying cyber threats and strengthening law enforcement response to cyber crimes.

“The signing of this Memorandum of Understanding between Europol and BT will improve our capabilities and increase our effectiveness in preventing, prosecuting and disrupting cybercrime,” said Steve Wilson, Head of Business at EC3. “Working co-operation of this type between Europol and industry is the most effective way in which we can hope to secure cyberspace for European citizens and businesses. I am confident that the high level of expertise that BT bring will result in a significant benefit to our Europe wide investigations.”

BT became, earlier in the year, the first telecom provider to share information on malicious websites and softwares with other internet service providers (ISPs) via a free online portal, called the Malware Information Sharing Platform (MISP), to help them in tackling cyber threats.

The company will now share that information with Europol to aid in cybercrime investigations.

“We at BT have long held the view that coordinated, cross border collaboration is key to stemming the global cyber-crime epidemic,” Kevin Brown, VP, BT Security Threat Intelligence, said. “We’re working with other law enforcement agencies in a similar vein to better share cybersecurity intelligence, expertise and best practice to help them expose and take action against the organised gangs of cybercriminals lurking in the dark corners of the web.”

BT currently has a team of more than 2,500 cybersecurity experts who have so far helped to identify and share information on more than 200,000 malicious domains.


Britain's National Cyber Security Centre Issues a Warning of a Global Campaign for the Possibility of Some Kind of Russian Activity


Britain's National Cyber Security Centre (NCSC) is on high caution for the likelihood of some kind of Russian movement. More people and resources have been dedicated towards the examination and investigation.

 The FBI and the US Department of Homeland Security issued a joint alarm cautioning of a global campaign with the foremost targets being internet service providers, firms running critical infrastructure, government departments and large companies.

White House cyber security co-ordinator Rob Joyce in a press conference session about the alert said that the US and its allies had "high confidence" that Russia was behind this "broad campaign".

He additionally said that, a huge number of machines coordinating information and data around the net were being targeted, as suggested by the insight gathered by the US and UK.

Despite the fact that it is conceivable that Russian intrusions might increment in the coming future, yet, it is too soon to be sure without a doubt if so. Up until this point, there has been moderately minimal indication of this in the US or UK, in spite of the fact that Russia is blamed for propelling ruinous attacks against Ukraine.

It merits saying that Britain and the US will do relatively indistinguishable activities in Russia, pre-positioning in Russian networks to have the capacity to react.

What nobody is very certain of is whether this makes an impediment somewhat like commonly assured nuclear destruction in the Cold War.
Furthermore, Mr. Joyce said that:
 “Many different organisations had come under attack for months at a time in a bid to scoop up valuable intellectual property, business information or to get at their customers and when we see malicious cyber-activity, whether Kremlin or other nation state actors, we are going to push back.

Ciaran Martin, head of the UK's NCSC, said that the issuing of the alert denoted a "significant moment" as the two forces had at no other time given joint exhortation on the most proficient method to manage attacks.

The worldwide crusade contained nitty gritty data about attack techniques, including the signs left when hardware has been compromised , and how networks arranges change when they have been broken.

Mr Martin said GCHQ, NCSC's parent association, had followed the risk postured by Russian cyber-gangs for over 20 years. Further intelligence about the attacks had been included by "multiple" cyber security associations and organizations, he added.

Nevertheless the guidance given to firms incorporates approaches to design their systems accurately and also gives an insight on how to apply patches to address hardware vulnerabilities


Japan Cryptocurrency Exchange Coincheck starts refunds for $530m hack

The cryptocurrency exchange that fell to a hack of about $534 million in January this year has now started reimbursing the affected customers that lost fund in the hack.

In its blog post, Coincheck said that it will refund users as per its original compensation plan at the rate of 88.549JPY ($0.83) per NEM stolen and that to qualify for reparations, users must have held that amount of NEM on their platform at 23:59:59 JST on 26 January, 2018.

The total amount reimbursed will equal to about $420 million.

After the hack, Coincheck had imposed restrictions on trading and withdrawal of some cryptocurrencies on the exchange. The company is now going to lift some of these restrictions to allow for withdrawals and sales, according to another blog post.

It also said that it is working on evaluating the risks associated with each currency and will “confirm the technical security of our systems regarding these currencies in order to resume normal operations.”

The exchange also plans to resume deposits and purchases of all currencies, and open for new registrations once security and management systems have been updated.

“Once again, we would like to apologize for the inconveniences that the illicit transfer of NEM from out platform and the resulting suspension in services has caused our customers and anyone else affected by this incident. Thank you for your patience,” the company said in its blog post.

New report says IoT adoption heightens cybersecurity threat

A new report by Navigant Research says that due to the increasing adoption of Internet of Things (IoT) devices and systems, threats to cybersecurity are also increasing as attackers are given more numbers of “vectors and surfaces” to target.

The report looks at the state of IoT as a whole, not just its utilities, and addresses questions such as common vulnerabilities present in IoT settings, strategies for cybersecurity, global revenue forecast on IoT security, etc. It also examines regulatory frameworks shaping the market and steps that can be taken to minimize risk.

Oracle Chairman, Larry Ellison, says that companies are losing this cyber war and that, “Make no mistake, it’s a war.”

“The mushrooming number of IoT devices being deployed by utilities and other enterprises carries an obvious and growing security risk,” said Neil Strother, principal research analyst with Navigant Research. “Smart managers need a comprehensive strategy to stay ahead of potentially devastating threats to IoT assets.”

He added that managers can no longer rely on the “old-school reactive” approach but must instead adopt “latest proactive and predictive tools and methodologies to keep devices and systems safe.”

The report itself is aimed at utility security managers, enterprises, IoT cybersecurity solution vendors, investor groups, regulators, and other stakeholders.

Russian Hacking Group Targets The German Government’s Internal Communications Network


An infamous Russian hacking group known as Fancy Bear, or APT28, is by and large broadly considered responsible on account of a security breach in Germany's defence and interior ministries' private networks as affirmed by a government spokesman.

It is said to be behind the reprehensible breaches in the 2016 US election likewise including various cyber-attacks on the West. The group is accounted for to have targeted on the government's internal communications network with malware.

As per the reports by the DPA news agency the hack was first acknowledged in December and there may have been a probability of it lasting up to a year.

"We can confirm that the Federal Office for Information Security (BSI) and intelligence services are investigating a cyber-security incident concerning the federal government's information technology and networks," a German interior ministry spokesman said on Wednesday.




The group apparently hacked into a government computer system particularly intended to operate separately from other open systems i.e. public networks to guarantee additional security known as the "Informationsverbund Berlin-Bonn" (IVBB) network. The framework is utilized by the German Chancellery, parliament, federal ministries and a few security institutions.

Fancy Bear, also called Pawn Storm, is believed to run a global hacking campaign that is ", as far-reaching as it is ambitious" as indicated by a report by computer security firm Trend Micro.
Palo Alto Systems, a cyber-security firm, on Wednesday released a report saying that Fancy Bear now gives off an impression of being utilizing malevolent emails to target North American and European foreign affairs officials, incorporating a European embassy in Moscow.

"Pawn Storm” was even reprimanded for a similar attack on the lower house of the German parliament in 2015 and is likewise thought to have targeted on the Christian Democratic Union party of Chancellor Angela Merkel.

Authorities in the nation issued rehashed notices about the capability of "outside manipulation" in a last year's German election.

The hacking bunch has been linked to the Russian state by various security experts investigating its international hacks and is additionally known by certain different names including CozyDuke, Sofacy, Sednit and Tsar Group.


Chinese Hacking Groups target UK Think Tanks

Cybersecurity firm, Crowdstrike, says that UK think tanks are being repeatedly targeted by Chinese hacking groups. Crowdstrike says that beginning in April 2017, it saw repeated targeting of British think tanks specialising in international security and defense issues.

The firm said it has investigated the breaches and attributes these attacks to groups they call “Panda,” which Crowdstrike said are China-based and linked to the Chinese state.

Crowdstrike was reportedly called in by some of the think tanks to investigate the attacks, help in clean-up, and protect their security. According to a report by BBC, not all attacks were successful.

The company also said that in 2017, Chinese cyber activity increased all over the world, targets including universities, law firms, technology companies across the world.

According to Dmitri Alperovitch, Crowdstrike’s co-founder and CTO, think tanks that work on Chinese policy were targeted “very aggressively” in an attempt to steal reports and information relating to connections with the government.

He said that this was because they believe the think tanks are influential in US and UK, saying "they believe that they may have access to information which is not public.”

According to Alperovitch, the hackers would persist and try to get back in even after they had been kicked out.

Russia hacks Winter Olympics, shifts blame on North Korea

According to a report in Washington Post on Sunday, U.S. Intelligence has found that Russian military spies hacked several hundred computers used by authorities during the 2018 Winter Olympic Games in South Korea.

Over 300 Olympic-related computers were hacked early in February, continuing a string of cyber attacks in the Winter Olympics.

U.S. officials say that this was a “false-flag” operation, where they carried out the attack while making it appear as though North Korea was behind it by using North Korean IP addresses. Olympics confirmed at the beginning of the games that an attack had taken place but did not reveal who the attackers were.

The attack took down internet and WiFi access during the opening ceremonies on February 9th, as well the event’s website, and also case the failure of several other Olympic-liked websites and broadcast systems.

Due to the attack, many attendees were unable to print their tickets, leading to empty seats.

Some analysts believe that the attack was in retribution to Russia’s ban in the Winter Olympics after an investigation into doping violations by Russia.

However, Russia’s foreign ministry has denied Russia’s involvement in the attacks. "We know that Western media are planning pseudo-investigations on the theme of ‘Russian fingerprints’ in hacking attacks on information resources related to the hosting of the Winter Olympic Games in the Republic of Korea," it said.

Lee County Tax Collector’s email hacked

On Thursday, an email went out from the office of Lee County Tax Collector Larry Hart, sent by hackers having gained access to his email.





It has been reported that Hart was using a device out of his office and the device was compromised.

Lee County taxpayers are now worried that their information might have been compromised in the hack. However, Noelle Branning, Deputy Chief Tax Collector, said that because Larry Hart rarely emails taxpayers directly, they aren’t likely to have received the email.

"We don't think our taxpayers need to have any concern," Branning said. "Additionally, it doesn't appear that any taxpayer information has been compromised in any way."

While the office maintains that it does not seem that any information has been compromised, Branning cautions anyone opening an email from Hart to be careful.

"If it's an email coming from Mr. Hart containing an attachment or a link, no one should open the attachment, nor should they try to click on the link," said Branning.

Hart’s account has been disabled as a security measure and is undergoing a forensic exam. A cybersecurity professional is helping them get to the bottom of the hack. Meanwhile, an organisation-wide advisory has been sent to make them aware of the risk.

Other counties have also been warned of the possibility of a hack.

Advancing Ransomware Attacks and Creation of New Cyber Security Strategies

As ransomware is on the rise, the organisations are focusing too much on the anti-virus softwares rather than proactively forming strategies to deal with cyber-attacks which could pose as an indefinite threat to the users. Nevertheless one of the good advices to deal with this issue is the creation of the air-gaps, as through these it becomes quite easy to store and protect critical data. It even allows the offline storage of data. So, when a ransomware attack occurs, it should be possible to restore your data without much downtime – if any at all.

But it usually happens so that organisations more often than not find themselves taking one step forward and then one step back. As traditionally, the ransomware is more focused on backup programs and their associated storage but on the other hand it seems very keen on perpetually targeting the storage subsystems which has spurred organisations into having robust backup procedures in place to counter the attack if it gets through.

So in order for the organisations to be proactive it is recommended that they should resort to different ways to protecting data that allows it to be readily recovered whenever a ransomware attack, or some other cyber security issue, threatens to disrupt day-to-day business operations and activities.

Clive Longbottom, client services director at analyst firm Quocirca explains: “If your backup software can see the back-up, so can the ransomware. Therefore, it is a waste of time arguing about on-site v off-site – it comes down to how well air locked the source and target data locations are.”

However, to defend against any cyber-attack there needs to be several layers of defence which may or may not consist of a firewall, anti-virus software or backup. The last layer of defence that is to be used by the user though, must be the most robust of them all to stop any potential costly disruption in its track before it’s too late. So, anti-virus software must still play a key defensive role.

A ransomware attack is pretty brutal, warns Longbottom, “It requires a lot of CPU and disk activity. It should be possible for a system to pick up this type of activity and either block it completely, throttles it, or prevents it from accessing any storage system other than ones that are directly connected physically to the system.”

Now coming down to the traditional approach, it is often observed that data centres are in position in close proximity to each other in order to easily tackle the impact of latency, but for the fact they are all too often situated within the same circles of disruption increases the financial, operational and reputational risks associated with downtime.

Therefore there are a few certain tips that could allow the user to successfully migrate data to prevent ransomware attacks:
• The more layers you can add the better.
• User education.
• Update your Back-up regularly - it can be the last layer of defence.
• Have a copy off site – tape or cloud but don’t leave the drawbridge down.
• Planning of your backup process for your recovery requirement.

By following these one could successfully prevent cyber-attacks with ease and precision.