
Russian Electronic Voting System Struck by 19 DDoS Attacks in One Day


Yandex, the Russian technology and search engine powerhouse, disclosed last week that it had been hit by one of the world's biggest DDoS attacks ever recorded. 

A distributed denial-of-service (DDoS) attack involves flooding a website or service with a large amount of internet traffic until it stops working and eventually goes down. Cybercriminals have been known to create botnets and launch DDoS attacks using hacked systems or vulnerable/exposed Internet of Things (IoT) devices. 

Russia's remote electronic voting system has now become the next victim, in what appears to be a continuation of the targeted DDoS campaign.

According to reports, the 8th Russian State Duma (lower house) elections took place between September 17 and September 19. Voters had to head to the polls to cast their vote for the heads of nine Russian regions and 39 regional parliaments. 

According to Russian news agency Tass, remote electronic voting took place in six locations, including Sevastopol and the regions of Kursk, Murmansk, Nizhny Novgorod, Rostov, and Yaroslavl. 

Around 19 DDoS attempts were thwarted, according to Mikhail Oseevsky, president of Rostelecom, the country's major digital service provider. Speaking to reporters at the Central Election Commission's information centre, he said that some of the DDoS assaults were very short, lasting only a few minutes, while the longest lasted 5 hours and 32 minutes.

“It (the DDoS attack) began early in the morning and ended in the middle of the day,” Oseevsky disclosed. 

Many of the country's digital resources, including the elections, state services websites, and the CEC's portal, were attacked, according to Oseevsky. 

He added that there had been several attempts to launch large-scale attacks on these resources, but that the department was well prepared to combat and minimise the threat.

The assaults originated from a number of different countries, including:
  • India 
  • China 
  • Brazil 
  • Russia 
  • Germany 
  • Thailand 
  • Lithuania 
  • Bangladesh 
  • United States 
According to the elections commission, three targeted cyberattacks were documented from abroad, two of which targeted the centre's main website and the third was a DDoS attack.

35 yrs Of Imprisonment for the Administrator of 200,000 DDoS Attacks


After a nine-day trial, a California jury found the administrator of two distributed denial-of-service (DDoS) operations guilty. Matthew Gatrel, a 32-year-old man from Saint Charles, Illinois, operated two websites that let paying users launch over 200,000 DDoS attacks on private and public targets.

Court filings disclose that Gatrel had operated DDoS services since October 2014 through two sites, DownThem and AmpNode. DownThem sold subscriptions to DDoS-for-hire services (often referred to as "booters" or "stressers"), while AmpNode supplied customers with pre-configured servers carrying DDoS attack software and lists of vulnerable systems that could be used to amplify the attacks.

Investigators found more than 2,000 registered customers in the databases of the DownThem booter portal. According to the documents, those users launched more than 200,000 DDoS attacks. The targets included homes, schools, universities, municipal and local government websites, and financial organizations around the world.

“Often called a “booting” service, DownThem itself relied upon powerful servers associated with Gatrel’s AmpNode bulletproof hosting service. Many AmpNode customers were themselves operating for-profit DDoS services” - the U.S. Department of Justice.

Customers could choose from several subscription tiers, each with different attack capabilities, such as duration, intensity, or the number of attacks that could be run at the same time.

Once a victim was confirmed to be reachable, the service would launch "reflected amplification attacks" from AmpNode attack servers, employing "hundreds or thousands of other servers connected to the Internet."

Gatrel did not act alone: in 2018, Juan Martinez of Pasadena helped him operate the DownThem website.

Gatrel faces a statutory maximum of 35 years in federal prison at his sentencing, scheduled for January 27, 2022, for the three crimes of which he was found guilty:

  • one count of conspiracy to commit unauthorized impairment of a protected computer.
  • one count of conspiracy to commit wire fraud.
  • one count of unauthorized impairment of a protected computer.

Martinez, unlike Gatrel, has already pleaded guilty; at his sentencing hearing on 2 December he faces a statutory maximum term of 10 years in prison.

City of Yonkers Refuses to Pay Ransom After Attackers Demand $10 million


The City of Yonkers has refused to pay after ransomware attackers demanded $10 million to restore the various systems that serve the city's different departments.

Earlier this month, government employees at the City of Yonkers were cut off from their laptops and computers after the city suffered a ransomware intrusion. In the meantime, employees were told to restore as much data as possible manually from backups, which often means keeping pen-and-paper records that are later transferred into databases.

The ransomware outbreak 

Ransomware attacks against local governments are rising with each passing day. Last year, at least 2,354 governments, healthcare facilities, and schools were targeted by ransomware attackers. Local governments are lucrative targets because they are less well equipped in terms of resources and capabilities.

A 2020 survey of state chief information security officers found that 70 percent listed ransomware as a top concern, citing funding hurdles and a lack of confidence in localities' ability to guard state information assets. And after a ransomware event occurs, only 45 percent of local law enforcement agencies felt that they "had access to the resources" to analyze digital evidence linked to the crime. This lets attackers operate with more confidence: the think tank Third Way found that only 3 out of every 1,000 cybercrimes reported to the FBI result in an arrest.

In 2019, the City of Baltimore was crippled for more than two weeks before the government’s systems were restored, in a delay that cost the city more than $18 million. Although Baltimore followed the instructions given by cyber security experts and the FBI to not pay the ransom, many people questioned the city’s strategy, given the extent of the damage.

“If we paid the ransom, there is no guarantee [the attackers] can or will unlock our system. There’s no way of tracking the payment or even being able to confirm who we are paying the money to. Because of the way they requested payment, there’s no way of knowing if they are leaving other malware on our system to hold us for ransom again in the future,” Mayor Bernard C. “Jack” Young said in response to the critics.

“Ultimately, we would still have to take all the steps we have taken to ensure a safe and secure environment. I’m confident we have taken the best course of action,” he added. 

No more ransom payments

When three more local governments were attacked within a few months, it prompted a meeting of the United States Conference of Mayors, which resulted in a unanimous decision to stop paying ransom demands.

“Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit. The United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm,” the mayors wrote.

In the case of the City of Yonkers, the city confirmed that the malware was quarantined on the network, that no ransom was paid, and that the Department of Homeland Security was notified.

German Election Authority Confirms Probable Cyber Attack


Suspected hackers momentarily impacted the website of the authority managing Germany's September 26 federal election, a spokesperson for the agency told AFP on Wednesday. 

The news was originally reported by Business Insider, and it comes as German federal prosecutors investigate suspected cyber assaults on legislators during the election campaign for a new parliament and a successor to Chancellor Angela Merkel.

In the context of the hacking report, the spokesperson stated, "At the end of August the website of the Federal Returning Officer only had limited accessibility for a few minutes due to a malfunction." 

"The problem was analysed and the technical concepts were further developed accordingly. The information for the public through the website of the Federal Returning Officer was and is ensured." 

According to Business Insider, the website that publishes the official election results was swamped with data requests in a so-called distributed denial of service assault, causing the servers to collapse. 

As per the official sources, IT systems essential for the smooth running of the election were unaffected, presumably due to enhanced safeguards in place. 

Last week, the German government accused Russian intelligence of conducting "phishing" assaults against German lawmakers, prompting the federal prosecutor's office to start an investigation on suspicion of espionage. 

Berlin has blamed Russian hackers from the "Ghostwriter" group, which is said to specialize in spreading disinformation. German intelligence believes they were attempting to gain access to the private email accounts of federal and regional MPs, and that the attacks were carried out by Russia's military intelligence agency, the GRU.

The European Union and the United States have frequently accused Moscow of interfering in democratic elections, a charge that Moscow rejects. 

Russian Foreign Ministry spokeswoman Maria Zakharova stated at a briefing on Thursday, "Despite our repeated appeals through diplomatic channels, our partners in Germany have not provided any evidence of Russia's involvement in these attacks".

Germany’s Foreign Ministry spokesperson Andrea Sasse said on Wednesday, “The German government regards this unacceptable action as a threat to the security of the Federal Republic of Germany and to the democratic decision-making process, and as a serious burden on bilateral relations. The federal government strongly urges the Russian government to cease these unlawful cyber activities with immediate effect."

New Malware Variant Employs Windows Subsystem for Linux for Attacks


Security experts have found a new malware variant that uses the Windows Subsystem for Linux (WSL) to infect systems covertly. The research highlights that malicious actors are exploring new attack tactics and turning to WSL to avoid detection.

Black Lotus Labs, the threat research arm of Lumen Technologies, reported on Thursday, September 16, that it had detected several malicious Python files compiled in the ELF (Executable and Linkable Format) binary format for Debian Linux.

The first samples, built for the WSL environment, appeared at the beginning of May, and new ones surfaced every two to three weeks until August 22. They function as WSL loaders and have very poor detection rates on public file-scanning services. The next stage injects the malware into a running process using Windows API calls, a method that is neither new nor advanced.

Of the few samples discovered, only one contained a publicly routable IP address, indicating that the attackers are still testing WSL as a way to install malware on Windows. The malicious files rely mostly on Python 3 to do their work and are packaged with PyInstaller as ELF binaries for Debian.

“As the negligible detection rate on VirusTotal suggests, most endpoint agents designed for Windows systems don’t have signatures built to analyze ELF files, though they frequently detect non-WSL agents with similar functionality,” Black Lotus Labs said.

Just over a month ago, only one VirusTotal antivirus engine flagged one of the malicious Linux files. Re-scanning another sample showed that the service's engines still did not fully detect it.

One of the variants, written entirely in Python 3, does not use Windows APIs at all and appears to be the first attempt at a WSL loader. It works on both Windows and Linux using only standard Python libraries.

Microsoft released the Windows Subsystem for Linux in April 2016. Shortly after WSL left beta in September, researchers from Check Point disclosed a technique called Bashware, showing how WSL could be abused to hide malicious code from security products.

Based on inconsistencies found while analyzing multiple samples, the researchers believe the code is still under development, even in its latest version. The limited public IP exposure points to activity against targets in Ecuador and France at the end of June and the beginning of July.

Black Lotus Labs also recommends that anyone with WSL enabled make sure logging is activated so that such intrusions can be detected.
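Because Windows endpoint agents often have no signatures for ELF files, a defender can at least triage a WSL distribution's filesystem for the artefact described above: ELF binaries packaged with PyInstaller. The script below is an added example, not code from Black Lotus Labs or the original post; the rootfs path, the size limit and the sample bytes it builds are assumptions.

```python
"""Triage helper: find PyInstaller-packed ELF binaries inside a WSL rootfs.

Added example (not from the original post). It flags ELF files that carry
the PyInstaller archive cookie, which is the shape of the WSL loaders the
article describes. A hit is a lead for analysis, not proof of malice:
legitimate PyInstaller-built tools will match too.
"""
import struct
from dataclasses import dataclass
from pathlib import Path
from typing import List

ELF_MAGIC = b"\x7fELF"
# PyInstaller appends an archive trailer ("cookie") that begins with this
# fixed 8-byte signature; finding it inside an ELF is a strong packing hint.
PYINSTALLER_COOKIE = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Assumed location of a Store-installed WSL1 distro's root filesystem on the
# Windows host (WSL2 keeps its rootfs in an ext4.vhdx instead, which you
# would mount or scan from inside the distro).
DEFAULT_ROOTFS = r"%LOCALAPPDATA%\Packages\<DistroPackage>\LocalState\rootfs"


@dataclass
class Finding:
    path: str
    is_elf: bool
    pyinstaller: bool
    python_markers: int  # count of libpython / PyInstaller strings seen


def is_elf(data: bytes) -> bool:
    """True if the buffer starts with the ELF magic number."""
    return data[:4] == ELF_MAGIC


def has_pyinstaller_cookie(data: bytes) -> bool:
    """The cookie normally sits near the end of the file; scanning the whole
    buffer keeps the check simple and robust to appended overlays."""
    return PYINSTALLER_COOKIE in data


def count_python_markers(data: bytes) -> int:
    """Secondary indicator: strings a bundled Python runtime usually leaves."""
    return data.count(b"libpython") + data.count(b"PyInstaller")


def classify(path: str, data: bytes) -> Finding:
    elf = is_elf(data)
    return Finding(
        path=path,
        is_elf=elf,
        pyinstaller=elf and has_pyinstaller_cookie(data),
        python_markers=count_python_markers(data),
    )


def scan_tree(root: str, max_bytes: int = 64 * 1024 * 1024) -> List[Finding]:
    """Walk a directory tree and classify every ELF file up to max_bytes."""
    results: List[Finding] = []
    for p in Path(root).rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        try:
            if p.stat().st_size > max_bytes:
                continue
            data = p.read_bytes()
        except OSError:
            continue  # unreadable or vanished while scanning
        if not is_elf(data):
            continue  # cheap early exit for the vast majority of files
        results.append(classify(str(p), data))
    return results


def suspicious(findings: List[Finding]) -> List[Finding]:
    """Keep only ELF files that carry the PyInstaller cookie."""
    return [f for f in findings if f.is_elf and f.pyinstaller]


def build_sample(packed: bool) -> bytes:
    """Constructed sample bytes (not a real file): a fake 64-byte ELF header
    plus, when packed=True, the strings a PyInstaller build typically has."""
    body = bytearray(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57)
    body += b"\x00" * 128
    if packed:
        body += b"libpython3.9.so.1.0\x00"
        # Cookie followed by four placeholder length/offset fields.
        body += PYINSTALLER_COOKIE + struct.pack(">IIII", 0, 0, 0, 0)
    return bytes(body)


if __name__ == "__main__":
    # Demonstrate on constructed buffers; swap in scan_tree(<rootfs>) on a host.
    demo = [classify("packed.bin", build_sample(True)),
            classify("plain.bin", build_sample(False))]
    for f in suspicious(demo):
        print(f"PyInstaller-packed ELF: {f.path} (markers={f.python_markers})")
```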

South Africa’s Department of Justice hit by a Ransomware Attack


South Africa's Justice Department was hit earlier this month by a major ransomware attack and has been struggling to return to normal ever since. The attack took place on 6 September 2021, when ransomware compromised the department's entire information systems.

It left internal staff and the public unable to access any IT services, including email and websites. According to a Bleeping Computer report, the department responded by immediately activating a contingency plan designed for exactly such situations, to ensure that not all of its activities across the country were interrupted.

The Justice and Constitutional Development Department declared that child support payments are now suspended until systems return online. 

The report quoted Justice and Constitutional Development spokesperson Steve Mahlangu, who said, “[The attack] has led to all information systems being encrypted and unavailable to both internal employees as well as members of the public. As a result, all electronic services provided by the department are affected, including the issuing of letters of authority, bail services, e-mail, and the departmental website”.

Mahlangu noted that although it is not possible to anticipate the exact day when systems will be restored, the department will “ensure all child maintenance money is kept secure for payment to the rightful beneficiaries when the systems are back online.” 

He further stated that some departmental functions continued despite the attack. For example, court sittings went on after the recording of hearings was switched to manual mode, and various legal documents were issued through manual procedures.

The department has also moved to a new email system, to which some employees have already been migrated. It has not been able to identify the cybercriminals behind the attack. Although network recovery is taking a while, the attackers were not paid.

Ransomware groups frequently steal data before encrypting an information system, pressuring victims to pay an enormous ransom for fear that the information will be leaked publicly. So far, however, the department's IT experts have found "no indication of data compromise".

A Look at the Triple Extortion Ransomware


Ransomware has traditionally centred on encryption, but one of the most common recent additions is the exfiltration of critical data and the threat to publish it, known as a "double extortion" attack. Because the financial incentives are so high, threat actors must continually develop new ways to increase the impact of a successful attack. One of the latest methods is "triple extortion," which adds yet another way to extort money from targets.

The prospect of stolen data being released online has become a standard point of leverage for criminals seeking further ransom payments, in what is known as double extortion. More than 70% of ransomware attacks now involve data exfiltration, showing how quickly this tactic has become the norm.

Building on this approach, threat actors have recently added another layer: a ransomware attack no longer stops at the first victim. Under triple extortion, ransom demands may be directed at a victim's clients or suppliers, while further pressure points such as DDoS attacks or direct leaks to the media are added to the mix.

The more leverage the perpetrators have in a ransomware attack, the more likely the victim is to pay. If the gang succeeds not only in encrypting vital systems but also in stealing sensitive data and threatening to leak it, it holds the upper hand and can demand payment, particularly if the victim lacks adequate backup procedures.

According to Brian Linder, a cybersecurity evangelist at Check Point Software, triple extortion has become more common in the past six months, with ransomware gangs making robocalls to customers, shareholders, partners, the press, and financial analysts if the victimised organisation does not give in to the first two extortion attempts.

“So, imagine if you don’t pay the ransom, we’re going to let all the stock analysts know that you’ve been attacked and likely drive some percentage of your market value out of the market,” Linder says. “We do expect this to be highly exploited. It’s fairly easy to do.” 

Depending on how deeply the attackers penetrated the network initially, they may obtain information about the victim's clients, including names and phone numbers, and have automated messages ready to send.

Companies and organizations that hold client or customer data, as well as their own, are the most obvious targets for ransomware operations that go beyond single or double extortion, and healthcare organizations stand out in this regard. Indeed, the first known instance of triple extortion occurred late last year, when hackers gained access to Vastaamo, a Finnish physiotherapy provider. Rather than demanding a ransom from the provider alone, the threat actors demanded money directly from the thousands of Vastaamo clients whose records they had exfiltrated.

Years-Long Attack by Chinese-Linked APT Groups Discovered by McAfee


A cyber-attack that had been lurking on the target organization's network for years, stealing data, was discovered during a McAfee investigation into a suspected malware infection. In the operation, dubbed Operation Harvest, the sophisticated threat actors used a mix of known and novel malware tools to infiltrate the victim's IT infrastructure, exfiltrate data, and avoid detection, according to the investigators. Over the course of the two-month investigation, McAfee researchers narrowed the list of suspects down to two advanced persistent threat (APT) nation-state groups with ties to China.

“Operation Harvest has been a long-term operation whereby an adversary maintained access for multiple years to exfiltrate data,” Christiaan Beek, lead scientist and senior principal engineer for the Enterprise Office of the CTO at McAfee, wrote in a report. 

“The exfiltrated data would have either been part of an intellectual property theft for economic purposes and/or would have provided insights that would be beneficial in case of military interventions. The adversaries made use of techniques very often observed in this kind of attack but also used distinctive new backdoors or variants of existing malware families,” Beek added. 

According to the forensic investigation, the actor gained initial access by compromising the victim's web server, which was then used to maintain persistence and to store the tools needed to gather information about the victim's network and to move laterally and execute files.

The adversaries used techniques commonly seen in this type of attack, but they also deployed distinctive new backdoors and variants of existing malware families: the unique encryption function in the custom backdoor and the code used in its DLL were almost identical to methods attributed to the Winnti malware family. According to the findings, the adversary was looking to steal proprietary knowledge for military or intellectual property/manufacturing purposes.

To identify the perpetrators, McAfee investigators mapped the attack to MITRE ATT&CK Enterprise techniques, added the tools used, and compared the result with data on previously observed techniques. They found four groups sharing the same techniques and sub-techniques, then used a chart to narrow the suspects down to APT27 and APT41.

“After mapping out all data, TTP’s [tactics, techniques, and procedures] etc., we discovered a very strong overlap with a campaign observed in 2019/2020,” Beek wrote. “A lot of the (in-depth) technical indicators and techniques match. Also putting it into perspective, and over time, it demonstrates the adversary is adapting skills and evolving the tools and techniques being used.”

16.17 GB of User Data Stored in Fitness Bands, Exposed


The rapid growth of IoT equipment in the healthcare sector has brought with it a surge in cyber attacks. Wearable devices such as health trackers and fitness bands have recently become common. The security of these fitness trackers is an ongoing concern, since they hold a great deal of sensitive information about the user.

Recently, an unencrypted database of 16.18 GB, exposing more than 61 million records from users' fitness wearables, was identified in a security analysis by WebsitePlanet. A substantial share of the exposed records related to IoT fitness and health-monitoring devices.

Further investigation turned up several references to "GetHealth," a New York City-based firm that offers a unified solution for accessing health and wellness data from hundreds of wearables, healthcare devices, and apps. The GetHealth database was not encrypted by default and was easily accessible to anyone. After the researchers notified GetHealth, the database is now encrypted.

The GetHealth platform can synchronize health-related information from a multitude of sources, such as Fitbit, Misfit Wearables, Microsoft Band, Strava, Google Fit, 23andMe, Daily Mile, FatSecret, Jawbone UP, Life Fitness, MapMyFitness, MapMyWalk, Moves App, PredictBGL, Runkeeper, Sony Lifelog, VitaDock, Withings, Apple HealthKit, Android Sensor, and S Health.

Much of the leaked information included users' first and last names, dates of birth, body weight, height, sex, geolocation, and so on. “This information was in plain text while there was an ID that appeared to be encrypted. The geolocation was structured as in America/New_York, Europe/Dublin and revealed that users were located all over the world,” WebsitePlanet said.

In a sample of 20,000 records analyzed by the researchers, most of the leaked data came from Fitbit (2,766 records) and Apple HealthKit (17,764). The exposure is especially serious for Apple HealthKit users, because HealthKit collects more detailed health information than other devices or applications, such as blood pressure, body weight, sleep levels, and blood glucose.

Fitness trackers hold vital information for monitoring the user's health, which unfortunately also raises a number of privacy problems. Users' confidential data is a source of profit for threat actors: cybercriminals can abuse it in tailored phishing attacks, identity theft, or social engineering attacks.

“This case sets an example of how lack of care with sensitive data can make risks escalate indefinitely, as millions of people were exposed simply by wearing tracking devices during their workout sessions,” WebsitePlanet added.

Kumsong 121 North Korean Hacker Group Conducts Cyber Attacks via Social Media


Kumsong 121, the North Korean hacker group, has launched a cyberattack that relies on social media. North Korean hacking attempts are a concern for computer users and mobile phone users alike.

Given the frequency of cyber threats from North Korea, smartphone and computer users should remain cautious, security experts advise.

Kumsong 121 is conducting "smishing" attacks against Android mobile phone users, according to EST Security. When victims install an infected Android package created by the hackers, most of their private information, including address books, text messages, call records, location, sound recordings, and images stored on the phone, is exposed.

EST Security reported in a news release on Tuesday that it had discovered a potential "advanced persistent threat" (APT) attack by Kumsong 121. The attack used a sophisticated technique: instead of e-mail, the attackers used social media to approach the target and deliver a malicious attachment.

After hijacking an individual's social media account, the hackers selected additional targets from among that person's friends. They then lowered the targets' guard and built rapport by sending chat messages with friendly greetings and everyday topics or gossip.

The hackers then e-mailed the malicious document file to the target, asking for feedback on a recent article on North Korean affairs. The attached document contains a macro virus that compromises the computer when the recipient opens the file. In effect, the hackers grafted social media onto conventional "spear phishing" attacks against specific individuals.

Indeed, a North Korean hacker group recently tried to spread a malicious file by hijacking the social media account of a North Korean defector and chatting with their friends.

Kumsong 121 has infiltrated the mobile phones of well-known figures, including certain South Korean legislators, to obtain their personal information, said Mun Chong Hyun, head of the EST Security Response Center (ESRC). He said the hackers continually attack the websites of organizations dealing with North Korea or create fake Facebook accounts posing as people who work in the North Korea field.

“In particular, they often use mobile phones or email to contact you, pretending to be an acquaintance or industry expert,” he said. “When sent .apk or .doc files, the safest thing is to directly call the sender and confirm whether they are legit.”

Hackers switched to combined cyber attacks on the Russian financial sector

Experts began to note cybercriminals' particular interest in the Russian banking sector as early as mid-summer 2021. In July, the Bank of Russia warned of the risk of financial institutions being "infected" through members of their ecosystems.

In August, FinCERT noted a series of large-scale DDoS attacks on at least 12 major Russian banks, processing companies and Internet service providers. The requests came from the USA, Latin America and Asia.

In early September, the Russian financial sector was attacked again; this time large banks and the telecom operators that provide their communication services were hit.

Since August 9, the Russian Cyber Threat Monitoring Center (SOC) of the international service provider Orange Business Services has recorded a sharp increase in the number of requests. The attackers combine well-known attack types such as TCP SYN flood, DNS amplification, UDP flood and HTTPS flood with only recently discovered ones, for example DTLS amplification.

In total, more than 150 attacks were recorded during the month from August 9 to September 9, 2021, and their intensity keeps growing. The criminals are constantly trying to increase the power of the attacks in the hope that telecom providers will be unable to scrub traffic in such large volumes.

In addition, the attackers used large international botnets. The Orange Business Services SOC identified one such network, based in Vietnam and South America, with more than 60,000 unique IP addresses, which was used to run HTTPS flood attacks on the 3D Secure payment verification service.

The attackers also used HTTPS floods to render the banks' applications unusable; in that case the attack came from IP addresses in Russia, Ukraine and France.

“Based on how persistently and ingeniously cybercriminals act, we can say that we are dealing with a complex planned action aimed at destabilizing at least the Russian financial market,” said Olga Baranova, COO of Orange Business Services in Russia and the CIS.


Thousands of Organizations Targeted Via 'Operation Chimaera'


The TeamTNT hacking group has expanded its capabilities with a set of tools that allow it to target multiple operating systems.

Earlier this week, cybersecurity experts from AT&T Alien Labs published a report on a new campaign, tracked as Chimaera. According to the AT&T researchers, infection statistics from the command-and-control (C2) server used in Chimaera suggest that the campaign began on July 25, 2021.

TeamTNT was first identified last year, when it was linked to the installation of cryptocurrency-mining malware on vulnerable Docker containers. Its operations have been closely monitored by security firm Trend Micro, and in August 2020 researchers from Cado Security reported the more recent discovery of TeamTNT targeting Kubernetes installations.

Now, the researchers at Alien Labs believe the hacking group is targeting Windows, AWS, Docker, Kubernetes, and various Linux installations, including Alpine. Despite the short time period, the latest campaign is responsible for "thousands of infections globally," the researchers say. 

In its latest campaign, TeamTNT is using open-source tools such as the Masscan port scanner, libprocesshider for running the TeamTNT bot from memory, 7z for file decompression, the b374k PHP shell panel for system control, and LaZagne.

LaZagne is an open-source application that retrieves passwords stored on local devices by software such as Chrome, Firefox, Wi-Fi, OpenSSH, and various database programs. According to Palo Alto Networks, the group has also added Peirates, a cloud penetration testing toolset, to its arsenal in order to target cloud-based apps.

“With these techniques available, TeamTNT actors are increasingly more capable of gathering enough information in target AWS and Google Cloud environments to perform additional post-exploitation operations. This could lead to more cases of lateral movement and potential privilege-escalation attacks that could ultimately allow TeamTNT actors to acquire administrative access to an organization’s entire cloud environment,” according to Palo Alto’s June report.

Although now equipped to target a wide range of operating systems, TeamTNT still focuses on cryptocurrency mining. On Windows systems, for example, it deploys the XMRig miner, creating a service and adding a batch file to the startup folder to maintain persistence, whereas on vulnerable Kubernetes systems it uses a root payload component.

Ransomware Groups are Escalating Their Attacks on Healthcare Organizations


Ransomware groups show no sign of letting up on hospitals and appear to be intensifying their attacks on healthcare institutions as countries around the world cope with a new wave of COVID-19.

Two healthcare institutions, in California and Arizona, have begun sending breach notification letters to thousands of people after both disclosed that sensitive information, including Social Security numbers, treatment information and diagnosis data, was taken during recent intrusions. 

LifeLong Medical Care, a California health facility, is mailing letters to about 115,000 people informing them of a ransomware attack on November 24, 2020. The letter does not name the ransomware gang responsible, but it does state that Netgain, a third-party vendor providing services to LifeLong Medical Care, "discovered anomalous network activity" and had concluded by February 25, 2021 that it was a ransomware attack. 

Netgain and LifeLong Medical Care completed their investigation by August 9, 2021, finding that full names, Social Security numbers, dates of birth, patient cardholder numbers, and treatment and diagnosis information had been accessed and/or taken during the attack. 

LifeLong Medical Care advises those affected to consider credit monitoring services, fraud alerts or security freezes on their credit files, to review their credit reports, and to stay alert to "financial account statements, credit reports, and explanation of benefits statements for fraudulent or unusual behavior." 

For further information, anyone with questions can call (855) 851-1278, which is a toll-free number. 

Arizona-based Desert Wells Family Medicine was compelled to send a similar letter to 35,000 patients after a ransomware attack exposed confidential patient information. 

On May 21, Desert Wells Family Medicine learned it had been hit by ransomware and promptly engaged an incident response team to assist with the recovery. The incident was also reported to law enforcement. 

According to the healthcare institution, the ransomware gang "corrupted the data and patient electronic health records in Desert Wells' possession before May 21". Because the attackers also reached the facility's database backups, the data was unrecoverable. 

Desert Wells Family Medicine stated in its letter, "This information in the involved patient electronic health records may have included patients' names in combination with their address, date of birth, Social Security number, driver's license number, patient account number, billing account number, health insurance plan member ID, medical record number, dates of service, provider names, and medical and clinical treatment information." 

The organization stated that it is presently reconstructing its patient electronic health record system and will provide free credit monitoring and identity theft prevention services to victims. 

"Patients should also check statements from their healthcare providers or health insurers and contact them right away if they notice any medical services they did not get," the letter continued. 

These recent attacks, according to Sascha Fahrbach, a cybersecurity evangelist at Fudo Security, show that the healthcare sector, with its valuable personal data, remains an attractive and profitable target for hackers and insiders. 

"There were more than 600 healthcare data breaches last year, with more than 22 million people affected, and unfortunately, this trend shows no sign of slowing down. Healthcare operators need to reassess their security posture, as well as shifting their mindset when it comes to safeguarding their data," Fahrbach added. 

"In particular, third parties remain a security liability which needs to be urgently addressed. Many in the healthcare industry are not taking the proper steps to mitigate third-party remote access and third-party vendor risk." 

After Hive ransomware took down a hospital system in Ohio and West Virginia last month, the FBI issued an alert two weeks ago noting that the gang also routinely corrupts backups.

Hive has targeted at least 28 companies so far, including Memorial Health System, which was struck by ransomware on August 15.

Mēris Botnet is the Perpetrator Behind the DDoS Attack that Hit Yandex


A new botnet dubbed Mēris has launched a record-breaking distributed denial-of-service (DDoS) attack on Russian internet company Yandex. The botnet is thought to have hammered the company's web infrastructure with millions of HTTP requests, peaking at 21.8 million requests per second (RPS) and surpassing the botnet-powered attack that hit an unnamed Cloudflare customer in the financial industry with 17.2 million RPS last month. 

Mēris, which means "plague" in Latvian, is a "botnet of a new kind," according to Russian DDoS mitigation provider Qrator Labs, which published details of the attack on Thursday. The attacks used HTTP pipelining, a feature of HTTP/1.1 that lets a client (such as a web browser) open one connection to a server and send many requests on it without waiting for each response, so a single connection can deliver a far higher request rate than strict request-response lockstep would allow. 

The malicious traffic came from more than 250,000 compromised hosts, mostly MikroTik network devices, with evidence pointing to a range of RouterOS versions weaponised through as-yet-unidentified vulnerabilities. 

"It is also clear that this particular botnet is still growing. There is a suggestion that the botnet could grow in force through password brute-forcing, although we tend to neglect that as a slight possibility. That looks like some vulnerability that was either kept secret before the massive campaign's start or sold on the black market," the researchers noted. “Mēris can overwhelm almost any infrastructure, including some highly robust networks due to the enormous RPS power that it brings along.”

According to the researchers, Mēris launches its attacks through a SOCKS4 proxy on each infected device, using the HTTP pipelining technique, and the bots share an open port 5678. The hacked devices are linked to MikroTik, a Latvian manufacturer of networking equipment for organisations of all sizes. Ports 2000 and 5678 were open on most of the attacking devices. Port 5678 is used by MikroTik equipment for neighbour discovery (MikroTik Neighbor Discovery Protocol); the legitimate service runs over UDP, whereas the compromised devices additionally had TCP port 5678 open. 

According to Qrator Labs, hiding the listener behind a port already associated with a legitimate MikroTik service may be one reason devices were compromised without their owners noticing. More than 328,000 hosts on the public internet responded to a scan for open TCP port 5678, though that figure is not a count of MikroTik devices, since Linksys equipment also uses TCP on the same port.
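The two technical points in this post, HTTP pipelining as the request multiplier and an unexpected TCP listener on port 5678 as a device indicator, are easiest to see in code. The example below is added here and is not code from Qrator Labs or from Mēris: it spins up a throwaway HTTP/1.1 server on the loopback interface (constructed for the demo), writes fifty GET requests into one TCP connection before reading a single reply, and then parses the responses back out of the byte stream. A small tcp_port_open() helper at the end is the kind of check a network owner can run against their own MikroTik addresses; the hostnames you pass to it are your own.

```python
"""HTTP/1.1 pipelining demo against a local server, plus a TCP-5678 indicator
check. Added example; the server is a stand-in, not Yandex's or anyone's."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

BODY = b"ok\n"


class _Handler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # keep-alive, so one connection carries many requests

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()
        self.wfile.write(BODY)

    def log_message(self, *args):  # keep the demo's stdout quiet
        pass


def build_pipelined_requests(host, path, count):
    """count GET requests back-to-back on the wire, none waiting for a reply."""
    one = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
           "Connection: keep-alive\r\n\r\n").encode()
    return one * count


def split_responses(buf):
    """Return (status codes of the complete responses in buf, unparsed rest).
    Assumes Content-Length framing, which is what the local server sends."""
    statuses = []
    while True:
        end = buf.find(b"\r\n\r\n")
        if end < 0:
            return statuses, buf
        head, rest = buf[:end], buf[end + 4:]
        lines = head.split(b"\r\n")
        length = 0
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        if len(rest) < length:
            return statuses, buf  # body not fully received yet
        statuses.append(int(lines[0].split()[1]))
        buf = rest[length:]


def pipeline(host, port, path="/", count=50, timeout=5.0):
    """Open one connection, send every request at once, then collect replies."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_pipelined_requests(host, path, count))
        buf, statuses = b"", []
        while len(statuses) < count:
            chunk = sock.recv(65536)
            if not chunk:
                break
            buf += chunk
            got, buf = split_responses(buf)
            statuses.extend(got)
    return statuses


def run_local_demo(count=50):
    """Start a loopback server on an ephemeral port, pipeline against it, stop it."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return pipeline("127.0.0.1", server.server_address[1], count=count)
    finally:
        server.shutdown()
        server.server_close()


def tcp_port_open(host, port=5678, timeout=2.0):
    """A healthy MikroTik speaks MNDP on UDP 5678 only; a TCP listener on 5678
    was one of Qrator's indicators for a compromised device."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    statuses = run_local_demo()
    print(f"{len(statuses)} responses from one connection, all 200: "
          f"{all(s == 200 for s in statuses)}")
```

The point for defenders is that per-connection rate limits and SYN-based counters miss this: the attacker pays one handshake and the server still has to parse and answer every pipelined request in order, so request counts per connection and per source are the metric to watch.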

Virginia Defense Force Email Accounts Hit by a Cyber Attack


A representative of the Virginia National Guard said that in July an attacker compromised email accounts belonging to the Virginia Department of Military Affairs and the Virginia Defense Force. 

The attack "impacted" email accounts of the Virginia Department of Military Affairs (DMA) and the Virginia Defense Force (VDF), but no evidence has been found that internal systems were breached, according to a joint investigation with state and federal cyber-security and law enforcement officials. 

The Virginia National Guard's Chief of Public Affairs, A. A. Puryear, stated that the organisation was alerted in July to a potential cyber threat to the Virginia Defense Force and immediately began investigating, in coordination with state and federal cyber-security officials and law enforcement, to determine what had been affected. 

The Virginia National Guard comprises the Virginia Army National Guard and the Virginia Air National Guard. It is part of the Virginia state government, although, like National Guards across the United States, it is largely funded by the federal government; the National Guard is unique among US military organisations in serving both a state and a federal role. The Virginia Defense Force is the Virginia National Guard's all-volunteer reserve and "serves as a force multiplier" in the National Guard's domestic operations. 

"The investigation determined the threat impacted VDF and Virginia Department of Military Affairs email accounts maintained by a contracted third party, and there are no indications either VDF or DMA internal IT infrastructure or data servers were breached or had data taken," Puryear said. 

"There are no impacts on the Virginia Army National Guard or Virginia Air National Guard IT infrastructure. The investigation is ongoing with continued coordination with state and federal partners to determine the full impact of the threat and what appropriate follow-up actions should be taken." 

However, on August 20 a dataset said to have been obtained from the Virginia military department was listed on Marketo, a marketplace for stolen data; the sellers claimed to have 1 GB of data available for sale. 

Although Marketo's administrators present themselves as brokers rather than the original thieves, some of the data advertised on the site is believed to have been stolen in ransomware attacks in which victims were pressed to pay. 

Marketo previously made headlines for selling data from the Japanese technology firm Fujitsu. In July, Digital Shadows published an analysis of the group, which was established in April 2021 and regularly advertises its stolen data through a Twitter account. The group has repeatedly insisted that it is an "informational marketplace" and not a ransomware group. 

"They have taken the same route that Babuk did and are all 'data leaks.' To the best of our knowledge, they don't claim to steal the data themselves and instead, they offer a public outlet to groups who do, whether they are ransomware or not," Allan Liska, member of the computer security incident response team at Recorded Future said. 

Brett Callow, a threat analyst and ransomware specialist at Emsisoft, said it is still not clear how Marketo obtains the data it sells, nor whether its operators carry out intrusions themselves or simply act as commission-based brokers. He noted that some victims listed on Marketo's leak site were recently hit by ransomware, such as X-Fab, attacked by Maze in July 2020, and Luxottica, attacked by Nefilim in September. 

"That said, at least some of the data the gang has attempted to sell may be linked to ransomware attacks, some of which date back to last year. Leaked emails can represent a real security risk, not only to the organization from which they were stolen but also to its customers and business partners," Callow said. 

The group has so far listed hundreds of organisations, including the US Department of Defense; it typically adds a new victim roughly weekly and mostly sells data from companies in the US and Europe.

Hackers Steal Data of 40,000 Patients From a Kidney Hospital in Thailand


On Wednesday Thirachai Chantharotsiri, director of Bhumirajanagarindra Kidney Institute Hospital, filed a police complaint stating that the personal information of more than 40,000 patients had been stolen by a hacker. The compromised data included personal details and, reportedly, patients' medical histories. 

Speaking to local media at Phaya Thai police station, Dr. Thirachai said that on Monday the patient database at the hospital, in Bangkok's Ratchathewi district, became inaccessible to staff. A subsequent system check revealed that the data had been stolen. The breach also damaged the hospital's data systems, leaving the X-ray archive inaccessible. 

According to the commissioner of the Cyber Crime Investigation Bureau (CCIB), Pol Lt Gen Kornchai Kalyklueng, the investigating agency will seek support from American authorities and other international organisations to track down the hackers, since their identity remains unclear. 

Dr. Thirachai said the facility later received a call from a foreigner claiming to have hacked the system; the English-speaking man tried to negotiate payment in exchange for the hospital's data. 

The director filed a police complaint along with a recording of the call. Reportedly he has not heard from the anonymous caller since. 

To allay concerns, hospital officials maintained that the compromised data comprised only basic patient details, stressing that diagnostic and medical records were untouched. 

According to the CCIB's investigation, the group behind the hack is probably the same one that breached Krungthai Bank, exposing customer information, and a hospital in the Northeast. Although the group initially appeared to be of Indian origin and used a server in Singapore, the most recent findings indicate the threat actors were operating from the US.

Yandex was subjected to the largest DDoS attack in the history of the Runet

Last weekend Yandex's servers were hit by the largest DDoS attack in the history of the Runet. The record scale of the attack was confirmed by the American company Cloudflare, which specialises in DDoS mitigation and works with Yandex.

Yandex repelled the attack only with difficulty, and it continued into this week. Yandex has not disclosed specifics of the attack, citing an internal investigation.

"We are conducting an investigation. We are talking about a threat to infrastructure on a national scale," the source said. He could not say whether the representatives of Yandex had filed a statement with the police or the FSB.

As the Yandex representative stressed, despite the scale of the attack and the difficulty of repelling it, it did not affect the operation of the company's services or compromise user data.

Alexander Lyamin, CEO of Qrator Labs, said that in August and September 2021 there has been a rise in DDoS attacks on companies across the economy, from small businesses to the largest corporations.

“The Mirai botnet, which made a sensation five years ago and was built on the basis of video cameras, has returned to us. Having spent the last few weeks studying the new botnet, we can say that a completely new botnet has appeared, and it is built on the network equipment of a very popular vendor from the Baltic States. It spreads through a vulnerability in the firmware and already counts up to hundreds of thousands of infected devices," Mr. Lyamin noted.

In recent days, several massive DDoS attacks on Russian companies have been reported.

Earlier, E Hacking News reported that Russia's largest banks had been hit by a large-scale DDoS attack that for a time disrupted their payment and card services.

On September 3, failures in the VKontakte social network were reported; according to Downdetector, complaints about access problems began on the evening of September 2.


Experts Find Kurdish Espionage Campaign Active on Facebook


ESET researchers have investigated a targeted mobile espionage campaign against the Kurdish ethnic group that has been active since March 2020. Through dedicated Facebook profiles it distributes two Android backdoors, 888 RAT and SpyNote, disguised as legitimate apps. The profiles posed as sources of Android news in Kurdish and pro-Kurdish news, and some also posted the spyware apps to public Facebook groups with pro-Kurdish content. Download-site data indicates that the links promoted through these posts were downloaded about 1,481 times.

WeLiveSecurity said, "we identified 28 unique posts as part of this BladeHawk campaign. Each of these posts contained fake app descriptions and links to download an app, and we were able to download 17 unique APKs from these links." Besides BladeHawk, the Kasablanka group has also used Android 888 RAT; the two groups refer to the same RAT under different names, Gaza007 and LodaRAT respectively. 

The campaign is directly linked to two publicly disclosed cases that surfaced in 2020. QiAnXin Threat Intelligence Center named the group behind it BladeHawk, a name ESET has adopted. 

The two earlier cases and this campaign were all spread via Facebook using commercially available malware, share samples that use the same C&C servers, and rely on the same off-the-shelf tools (888 RAT and SpyNote). ESET found six Facebook profiles connected to the BladeHawk campaign distributing the Android spyware; these were reported to Facebook and taken down. 

Two of the profiles targeted technology users and the other four posed as pro-Kurdish accounts. All were created in 2020 and began distributing the fake apps soon after. Apart from one account, the profiles posted nothing but the Android RATs disguised as legitimate applications.

"These profiles are also responsible for sharing espionage apps to Facebook public groups, most of which were supporters of Masoud Barzani, former President of the Kurdistan Region; an example can be seen in Figure 1. Altogether, the targeted groups have over 11,000 followers," WeLiveSecurity reports.

Microsoft Office Users Targeted in a New Zero-Day Attack


On Tuesday Microsoft warned Windows users that attackers are actively exploiting an unpatched remote code execution zero-day in MSHTML, the browser engine of the now-discontinued Internet Explorer, using weaponised Microsoft Office documents. 

Tracked as CVE-2021-40444, the vulnerability affects Windows Server 2008 through 2019 and Windows 8.1 through 10 and carries a CVSS severity score of 8.8 out of a maximum 10.

"Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents," the company said in a security advisory. 

"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," it added.

ActiveX is a software framework from Microsoft that adapts its earlier Component Object Model and Object Linking and Embedding technologies for content downloaded from a network. 

Microsoft credited researchers from EXPMON and Mandiant with reporting the flaw, but did not give further details about the nature of the attacks, the identity of the adversaries exploiting the zero-day, or their targets. 

Researchers at EXPMON said they discovered the issue after detecting a "highly sophisticated zero-day attack" aimed at Microsoft Office users, and that they shared their findings with Microsoft on Sunday. "The exploit uses logical flaws so the exploitation is perfectly reliable (& dangerous)," EXPMON said. 

The risk is reduced when Office runs with its default configuration, in which documents downloaded from the web open in Protected View or Application Guard for Office, both designed to keep untrusted files from accessing trusted resources on the system. 

Once its investigation is complete, Microsoft is expected to release a fix either in its monthly Patch Tuesday cycle or as an out-of-band update, "depending on customer needs." In the interim, Microsoft advises users and organisations to disable all ActiveX controls in Internet Explorer to mitigate the threat.
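Microsoft's published workaround for the ActiveX vector is a registry change: in the Group Policy hive, URL actions 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls) are set to 3 (Disable) for Internet Explorer zones 0 to 3, which MSHTML honours even when it is hosted inside Office. The script below is an added example, not Microsoft's own tooling: it renders that change as a .reg file you can review and push through your deployment system, checks whether a machine already has all eight values set, and, on Windows only, writes them directly through winreg. The zone labels and the helper names are mine; the key path and value names are the ones from the advisory.

```python
"""Render, verify and apply the CVE-2021-40444 interim workaround
(disable ActiveX downloads in IE zones 0-3 via policy). Added example."""
import sys

ZONES_KEY = r"SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites", 3: "Internet"}
# URL-action IDs are stored as string value names under each zone key.
ACTIVEX_ACTIONS = {"1001": "Download signed ActiveX controls",
                   "1004": "Download unsigned ActiveX controls"}
DISABLE = 3  # 0 = Enable, 1 = Prompt, 3 = Disable


def render_reg_file():
    """The workaround as a .reg file (semicolon lines are comments)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for zone, label in ZONES.items():
        lines.append(f"; zone {zone}: {label}")
        lines.append(f"[HKEY_LOCAL_MACHINE\\{ZONES_KEY}\\{zone}]")
        for action, description in ACTIVEX_ACTIONS.items():
            lines.append(f"; {description}")
            lines.append(f'"{action}"=dword:{DISABLE:08x}')
        lines.append("")
    return "\r\n".join(lines)


def missing_settings(read_value):
    """read_value(zone, action) -> int or None. Returns the (zone, action)
    pairs not yet forced to Disable; an empty list means fully applied."""
    return [(zone, action)
            for zone in ZONES
            for action in ACTIVEX_ACTIONS
            if read_value(zone, action) != DISABLE]


def _winreg_reader(zone, action):
    """Live reader for missing_settings() on Windows."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, f"{ZONES_KEY}\\{zone}") as key:
            value, _ = winreg.QueryValueEx(key, action)
            return value
    except OSError:
        return None


def apply_workaround():
    """Write the policy values (run from an elevated prompt; Windows only).
    Returns whatever is still missing afterwards, which should be []."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("apply_workaround() only runs on Windows")
    import winreg
    for zone in ZONES:
        with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, f"{ZONES_KEY}\\{zone}") as key:
            for action in ACTIVEX_ACTIONS:
                winreg.SetValueEx(key, action, 0, winreg.REG_DWORD, DISABLE)
    return missing_settings(_winreg_reader)


if __name__ == "__main__":
    if sys.platform.startswith("win"):
        print("still missing:", missing_settings(_winreg_reader))
    else:
        print(render_reg_file())
```

Because the values live under HKLM\SOFTWARE\Policies they override per-user zone settings and survive an IE "reset"; they also block every ActiveX control in those zones, so intranet applications that depend on ActiveX will break until you remove the values after the patch ships. A reboot is required for existing processes to pick up the change.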

New Zealand Banks and Post Offices Hit by a Cyber Attack


On Wednesday the websites of several New Zealand financial institutions, as well as the country's national postal service, were temporarily unavailable because of a cyber-attack, officials said. The country's Computer Emergency Response Team (CERT NZ) reported a distributed denial-of-service (DDoS) attack targeting a number of organisations in the country. 

Minister David Clark, who is responsible for the digital economy and communications, said CERT had informed him that "a number" of organisations had been affected. "At this time, efforts to ascertain the impact of this incident are ongoing. I won't get ahead of this process," Clark said in a statement. "CERT assures me it is actively engaging with affected parties to understand and monitor the situation." 

CERT's role is to advise businesses and government agencies on responding to and preventing cyber-attacks. It also works with other government institutions and law enforcement, such as the National Cyber Security Centre (NCSC). 

According to local media sources, Australia and New Zealand Banking Group's (ANZ.AX) New Zealand site and NZ Post were among the websites hit by the attack. ANZ informed clients through Facebook that it was aware that some of them were unable to use online banking services. "Our tech team are working hard to get this fixed, we apologize for any inconvenience this may cause," the post said. 

NZ Post said the "intermittent interruptions" on its website were caused by a problem at one of its third-party suppliers. Several Kiwibank customers took to social media to complain about outages at the smaller bank, which is partly owned by New Zealand Post. In a Twitter post, Kiwibank apologised to customers and said it was working to resolve "intermittent access" to its app, online banking, phone banking and website. 

A DDoS attack overloads a website with more traffic than it can handle, causing it to fail. While the attacker's identity and motive are unknown in this case, the goal is often to extort a ransom from the victim in exchange for stopping the attack. During the earlier attack on the NZX stock exchange, Minister for Intelligence Agencies Andrew Little gave the government's advice: don't pay the ransom.