Search This Blog

Showing posts with label Cyber Attacks. Show all posts

Threat Actors Use Google Drives and Docs to Host Novel Phishing Attacks


On Thursday, researchers at email and collaboration security firm Avanan revealed that attackers are using standard tools within Google Docs/Drive that delivers malicious links aimed at stealing victims’ credentials. 

In a blog post, Avanan said attackers are bypassing link scanners and are dodging common security protections that aim to verify the links sent via email. Jeremy Fuchs, marketing content manager at Avanan, said this is the first time they have seen hackers employing these types of attacks through a Google-hosted document service. Usually, attackers lure their victims to a legitimate website before exploiting a particular website. 

According to the report published by Trend Micro, phishing remains the top threat vector in today's cybercrime scene. Of the 62.6 billion cyber-threats analyzed by Trend Micro last year, over 91% were sent via email. Previously, attackers have used the attack vector in smaller services such as MailGun, FlipSnack, and Movable Ink, according to Avanan. 

According to researchers, once the hacker publishes the lure, “Google provides a link with embed tags that are meant to be used on forums to render custom content. The attacker does not need the iframe tags and only needs to copy the part with the Google Docs link. This link will now render the full HTML file as intended by the attacker and it will also contain the redirect hyperlink to the actual malicious website.”

The hackers then use the phishing lure to get the victim to “Click here to download the document.” Once the victim clicks, the page redirects to the actual malicious phishing website through a web page designed to mimic the Google Login portal. Friedrich said Avanan researchers also spotted this same attack method used to spoof a DocuSign phishing email. In this case, the “View Document” button was a published Google Docs link that actually was a fake DocuSign login page that would transmit the entered password to an attacker-controlled server via a “Log in” button.

 “Combining this tactic with social engineering could create a very convincing campaign where the attacker can swipe personal or corporate login credentials. Threat actors know that stealing legitimate login credentials is the best way to discreetly enter an organization’s infrastructure. Once the attacker has those login credentials and can log into the cloud platform, they’ve chosen to build their campaign around, there’s no limit to what data they could exfiltrate,” said Hank Schless, senior manager, security solutions at Lookout.

Supply Chain Attack Conducted by Darkside Operator


Mandiant researchers have identified a supply chain attack against a CCTV provider by a Darkside ransomware gang affiliate that has been distinguished as UNC2465. UNC2465 and other linked gangs identified by FireEye/Mandiant as UNC2628 and UNC2659 are regarded as one of the key affiliates of the DARKSIDE Group. 

The intrusion began on 18 May 2021, a day after the public suspension of the DARKSIDE general program (Mandiant Advantage background). Mandiant believes that although no ransomware has been discovered, membership groups that have performed DARKSIDE attacks could employ several ransomware affiliate programs and switch to each other at any time. 

Mandiant found that the installers were malicious at the commencement of June and informed the CCTV firm of a possible compromise on this website, making it possible for UNC2465 to substitute legitimate and Trojanised files.

Although Mandiant does not anticipate that many individuals have been affected, this strategy is reported to boost awareness. 

Software supply chain attacks can be very complex, from the recent attacks discovered by FireEye to attacks targeting smaller suppliers. A single infiltration of the software supply chain attack gives access to all businesses running the software of a victim company – in this situation, UNC2465 has modified the installer instead of the software itself.

Mandiant noted in mid-May 2021, that numerous threat players quoted a notice that the operators of the service seemed to share with the DARKSIDE RaaS members. That notification indicated that it had lost the access and would be closing its service to its infrastructure, including its blog, payment, and CDN servers. 

Since then, other underground members have claimed that they are unpaid DARKSIDE affiliates, and in certain cases privately gave forum admins with proof indicating their claims are legitimate. 

Mandiant consulting responded to an intrusion in June 2021; The first vector, which Mandiant found was a trojanized security camera PVR installer from a reputable website. As a result of ongoing infrastructure use and equipment use since October 2020, Mandiant has attributed the general intrusion to DARKSIDE affiliate UNC2465. 

On 18 May 2021, a person accessed the Trojanized link in the concerned organization and installed a ZIP. A chain of Downloads and Scripts was run when the software was installed which led to SMOKEDHAM and afterward NGROK on the computer of the victim. 

Further malware use like BEACON is also reported to have taken place. The trojan program was enabled in Mandiant's opinion between 18 May 2021, and 08 June 2021. 

Mandiant indicates that the majority of publicly identified victims of ransomware shaming websites have progressed steadily over the last month. Despite the recent restriction on posts concerning ransomware in underground forums, threat actors may still exploit private chats and links to find ransomware services.

Putin called the accusations of launching a cyber war against the United States unsubstantiated

 Russian President Vladimir Putin said that the US accusations against Russia, including cyber attacks and election interference, are groundless, the US side has never provided any evidence.

"We are accused of a variety of things: interference in elections, cyber attacks, and so on. And they [the accusers] did not bother to provide any evidence. Just baseless accusations," he said, calling statements about Russia's involvement in cyber attacks in the United States a farce.

"The issue of cybersecurity is one of the most important today because all sorts of shutdowns of entire systems lead to very serious consequences, and this is possible," the Russian leader said in an interview with the program "Moscow. The Kremlin. Putin" of the Russia-1 TV channel.

According to Putin, the Russian Federation will be ready to extradite cybercriminals to the United States if the American side also extradites criminals to Russia.

He stressed that such agreements are expressed in the relevant interstate agreements, where the parties undertake certain obligations.

"And they are in the vast majority of cases equivalent. Both sides assume the same obligations," Putin explained.

On June 4, Putin called the accusations of cyber attacks on American companies made against Moscow ridiculous and suggested that the situation could have been provoked to increase disagreements in connection with the upcoming meeting with US President Joe Biden. The press secretary of the Russian leader Dmitry Peskov assured that Moscow will promptly consider the appeals of the American side in connection with the hacker attack on the JBS enterprises if such requests are received. He also stressed that Russia does not have data on the organizers of cyber attacks on JBS.

Putin did not rule out that Western intelligence services, including American ones, may conduct activities against Russia in the cyber sphere.

"I am not afraid of this, but I do not rule out that it may be so," the Russian leader said.

“What the US is afraid of may pose a threat to us. NATO has declared cyberspace a war zone. They are planning something, and this cannot but worry us," the Russian president added.

Cyber Attackers Faced a Denial After Fujifilm Refused to Pay Ransom


Japanese conglomerate Fujifilm, earlier this month on Wednesday 2nd June published a short statement to reveal the illegitimate infiltration of its server by foreign parties. The unauthorized entry on 01 June was recognized by Fujifilm – which is formerly known for selling photographic films but today develops biotechnology, chemical, and other digital imaging devices. 

It re-established operations with backups and its PR systems now are fully operating in the United States, Europe, the Middle East, and Africa and are back to business as usual, according to a Fujifilm-spokesperson. 

However,  information such as strains of ransomware, delivery channels, damage scale, and the ransom requested by the cyber gang has not been disclosed. The corporation has not responded to the request for comments from the Information Security Media Group. 

Chloe Messdaghi, an independent cybersecurity disruption consultant and researcher, says Fujifilm apparently “took the first responsible steps of recognizing the situation and systematically shutting all systems down to examine the attack. There may have been some hiccups and bumps, but because they had done the solid work of ensuring their data backups and restoration processes were current, they were able to decline to pay extortion and their disruption to business was minimal.” 

S-RM Cyber Security, Risk, and Intelligence Consultancy anticipate that 46% of all cyber attacks were ransomware attacks between January 1, 2021, and March 31, 2021. 

The Colonial Pipeline and JBS meat processing company, and the D.C. Metro Police Department, have been the victims of some of the largest recent attacks in the U.S. 

In the wake of the attacks, the White House called on companies to enhance their cybersecurity. As per the reports, president Joe Biden ordered a federal probe ransomware task committee. 

Other businesses that were recently attacked by Ransomware but declined to pay ransom included CD Projekt Red, Ireland's State Health Service Provider, Health Service Executive; Canon, and Bose. Meanwhile, the Colonial Pipeline Co., which paid $4.3 million to DarkSide in May for a flawed decryptor, was one of the ransomware victims who decided to pay their attackers. The U.S. Department of Justice then recovered the number of bitcoins paid at 2.3 million dollars. 

The U.S. subsidiaries of the biggest meat processor in the world, JBS in Brazil, have lately given REvil's attackers an 11 million dollar ransom for their assurance that a decryption tool and a "guarantee" will not be released by them. 

The FBI has urged the victims to not pay the ransom and said, “Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.” 

The senior consultant of the risk management research organization, Shared Assessments, Charlie Miller, states the key elements for a risk management ransomware program involve upgrading the risk response plan, establishing a data boot to enable malware-free data recovery, offering corporate managers cyber-attack simulation programs to help evaluate and respond to risk, and purchasing cyber insurance.

Israeli Chief-of-Staff was Hacked by an Iranian State-Sponsored Cybercriminal


According to the Times of Israel, an Iranian cybercriminal targeted the computer of a former IDF chief of staff and acquired access to his complete computer database. Yaser Balaghi was identified as the hacker by Channel 10. After the hack, he allegedly brags about it, while also unwittingly leaving a trail of his identity. Iran was compelled to stop a cyber operation that had targeted 1,800 persons around the world, including Israeli army generals, Persian Gulf human rights campaigners, and academics, due to this oversight. 

After Check Point, an Israeli cybersecurity firm, confirmed the Iranian hacking operation's existence two weeks ago, the Times of Israel was the first to report on it. The information from Check Point was also shown in a Channel 10 report on Tuesday. The attack began two months prior, according to Gil Shwed, CEO of Check Point Software Technologies, who told Israel Radio in late January that targets received email messages aimed at installing malware on their computers. More than a quarter of those who received the emails clicked them, unknowingly downloading spyware and allowing the hackers to steal data from their hard drives. 

Hezbollah and the Iranian regime have attacked Israel multiple times in the last two years. In the previous two years, Israel has been the target of several cyberattacks. Some of the infiltration attempts, according to officials, were carried out by hackers linked to Hezbollah and the Iranian government. 

Late in January, Israel's Electric Authority was the target of a significant cyberattack, according to Energy Minister Yuval Steinitz. He didn't say where the attack was coming from, though. ClearSky, an Israeli cybersecurity firm, said in June that it has detected a continuous wave of cyberattacks emanating from Iran against targets in Israel and the Middle East, with Israeli generals once again being among the targets. The company claims that the goal is espionage or other nation-state goals. 

According to ClearSky, the hackers utilize targeted phishing techniques to gather user identity data by creating phoney websites that appear legitimate and trustworthy. They were successful in penetrating 40 targets in Israel and 500 sites worldwide. Retired generals, employees of security consultancy organizations, and academic experts were among the targets in Israel.

The US has linked major cyber attacks against Russia with Chinese hackers

 Solar JSOC spoke about a series of cyber attacks on Russian government systems in 2020. According to the American Company Sentinel Labs, the ThunderCats group, which is associated with China, is behind the attacks

Sentinel Labs, an American cybersecurity company, said that China is involved in a series of targeted hacker attacks on Russian government systems in 2020.

The report was prepared on the basis of a study by Rostelecom-Solar JSOC (a subsidiary of Rostelecom responsible for cybersecurity), conducted jointly with the National Coordination Center for Computer Incidents (NCCCI, established by the FSB). It said that in the past year, attackers attacked the federal executive authorities (FOIV) several times, using phishing and vulnerability of web applications published on the Internet, as well as hacking the infrastructure of contractors.

According to Rostelecom-Solar and the NCCCI, hackers developed malicious software called Mail-O, which used the cloud storages of Yandex and Group to download the collected data. Attackers disguised network activity under the legitimate Yandex Disk and Disk-O utilities. Experts said that they acted in the interests of a foreign state, but did not specify which one.

Analysts at Sentinel Labs studied how Mail-O works, as described by Russian experts, and concluded that ThunderCats hackers (part of the larger hacker group TA428, which is associated with China) were behind the attacks. They suggested that Mail-O is a variant of the more well-known malware PhantomNet or SManager. It was used by attackers from TA428 during cyber attacks on resources in Southeast Asia, including Vietnam.

According to Anastasia Tikhonova, head of the sophisticated cyber threat research department of the Threat Intelligence department of Group-IB, Russian organizations are regularly attacked by pro-government groups from different countries, "including China." It should be noted that the largest number of active pro-government groups (23) are concentrated in China.

In early May, E Hacking News reported that Chinese hackers attacked the Rubin Central Design Bureau for Marine Engineering (СKB Rubin), which designs submarines for the Russian Navy, by sending images of a submarine with malicious code to its CEO. 

341% Surge in DDoS Attacks During the Epidemic


The epidemic resulted in a 341 percent spike year-over-year in distributed denial of services (DDoS) attacks as per Nexusguard's Annual Threat Report 2020, which is targeting sectors that provided connection, services, and entertainment to populated populations that were compelled for shelter. 

The enormous change in online behavior and dependence on connectivity has stretched communications service providers (CSPs) and ISPs that have supplied the backbone for such remote operation, including DDoS (RDDoS) ransom attacks on the extorted payment companies in exchange for being online. 

Juniman Kasman, CTO for Nexusguard said, “During 2020, the pandemic forced a complete shift in how the world lived and worked, and attackers were ready to take full advantage of the situation, adeptly targeting connectivity and entertainment providers.” 

With lockdown and worldwide social distancing measures, online gaming and Internet dependency have flourished in 2020, which have also been tempting targets for attackers. Attack motivations include economic and political gains, retaliation, cyberwar, and even personal pleasure. 

Analysts expect the RDDoS attacks to grow by 30 percent over the next year, particularly because of cryptocurrencies' prominence. In contrast, smaller attacks (less than 10 Gbps in size) will contribute shortly to 99% of all DDoS attacks, as they remain hard to detect and cost-effective to deploy. 

“With attackers using stealthier, smaller attacks increasing in complexity, CSPs and enterprises will need deep learning, multidimensional DDoS detection, and other advanced techniques to avoid outages,” Kasman added.  

The research has explicated that CSPs – and in particular ISPs – continue to be affected by sophisticated bit-and-piece attacks that drip trash through a huge IP pool. 301 of the CSPs were struck by bit-and-piece attacks in 23 countries in the year 2020. 

Researchers warn that the newer evasive DDoS attacks will lead to catastrophic disruptions from CSPs and other businesses which rely on thresholds and symbolic detection methods.

A denial of service attack is a cyber-attack, wherein the attacker aims to disrupt the operations of a host connected to the Internet temporarily or permanently, by making a computer or network resource unavailable to its intended users. 

Cisco Smart Install Protocol is Still Being Exploited in Cyber-Attacks


Five years after Cisco issued its first warning, the Smart Install protocol is still being utilized in assaults, and there are around 18,000 internet-exposed devices that might be targeted by hackers. Smart Install is a plug-and-play configuration and image-management technology from Cisco that allows new switches to be deployed with zero-touch. Smart Install can be extremely important to organizations, but it can also be a significant security concern. 

A Smart Install network consists of a group of networking devices known as clients that are served by a common Layer 3 switch or router that serves as a director. You can use the Zero-Touch Installation process in a Smart Install network to install new access layer switches without the help of the network administrator. The director acts as a central management point for client switch images and configuration. When a new client switch is added to the network, the director immediately recognizes it and determines which Cisco IOS image and configuration file should be downloaded. 

The function remains enabled and can be accessed without authentication once a device has been set up via Smart Install. Malicious actors have been able to remotely target devices with Smart Install enabled, including reloading devices, loading a new operating system image, and running arbitrary commands with elevated privileges. 

After an exploitation tool was made public in 2016, Cisco issued a warning on the misuse of Smart Install. In 2017 and 2018, the company sent more alerts, identifying hundreds of thousands of vulnerable devices, including those in critical infrastructure organizations. In 2018, it was revealed that hacktivists targeted the Smart Install function in assaults on Cisco switches in Iran and Russia as part of an ostensibly pro-US attack, as well as a state-sponsored cyberespionage group affiliated to Russia. 

In 2016, the number of networking equipment vulnerable to Smart Install assaults surpassed 250,000, but by 2018 it had reduced to 168,000. The Shadowserver Foundation is still keeping track of the number of potentially susceptible devices, reporting that almost 18,000 are currently online, including many in North America, South Korea, the United Kingdom, India, and Russia. 

Last month, Lumen Technologies' Black Lotus Labs cybersecurity unit discovered that a hacktivist group had compromised at least 100 internet-exposed routers belonging to both public and private sector entities, most of which were based in the United States.

Objectives for Ransomware Attack Against Nuclear Contractor Sol Oriens Remain Unknown


New Mexico-based government contractor Sol Oriens was attacked by the Russian REvil ransomware group that sparked worries in the national security community, because of the company's work with the Department of Energy's National Nuclear Security Administration.

However, the motives for the attack remain unknown. Sol Oriens confirmed it was targeted in May, according to CNBC's Eamon Javers, and the corporation stated no sensitive or important security-related material was compromised. The company's website remained down as of Friday, and Mother Jones reported that it had been down since June 3. Sol Oriens has yet not confirmed if the attack was ransomware. 

According to Michael DeBolt, senior vice president of intelligence at Intel 471, Sol Oriens was targeted by REvil, the same group that was accused of targeting meat manufacturer JBS. 

“From the REvil blog, all indications are that Sol Oriens was a target of opportunity, and not of design tied to some state-sponsored entity,” DeBolt stated. 

“However the sensitive nature of this particular victim did not elude the REvil operators and affiliates responsible for the attack. In fact, they explicitly threatened to reveal ‘documentation and data to military agencies of our choice [sic]’ and shared proof by way of screenshots on their name and shame blog. Even so, these actors primarily remain financially motivated.” 

According to Gary Kinghorn, senior director of marketing and alliances at Tempered Networks, the vulnerability of the information in this breach appears to be less than catastrophic if it was restricted to personal information and contacts, but there's no way of knowing if it went further than that. The goals of this attack, according to Kinghorn, are clearly useful to geopolitical opponents, and enterprises must be aware of the immense sophistication and resources behind these operations, regardless of purpose. 

Kinghorn added, “Organizations, particularly those holding DoE-class information and secrets, have to realize that yesterday’s security tools are no longer enough and are too error-prone to justify.” 

“The National Security Agency has already strongly suggested that government agencies move to zero trusts and even ensure encryption of all data in motion. These advanced steps can effectively make networks unhackable. However, right now, organizations are still weighing the costs and ROI until they get exposed like this to make changes.”

CD Projekt Red Confirmed that its Data is Disseminated Online


The company alleges the hacked information stolen from the CD project is being distributed online. The company behind Cyberpunk 2077 and The Witcher 3 claim that they cannot verify the actual details of the information shared but they believe that the stolen data relates to their games, contractors, and both current and past employees. 

Earlier in this year, it faced a ransomware attack, which “gained access to our internal network, collected certain data belonging to CD PROJEKT Capital Group and left a ransom note,” by a threat group (which was considered to be the HelloKitty Gang), the company said. 

The ransomware encrypted the system for the organization too, but CD Projekt Red managed to restore all the data from the backup — making stolen data the actual problem. 

The threat of "double extortion" has been increased by Ransomware groups, with a warning that if the victims do not pay, they will Auction stolen data. Many also maintain sites with "name and shame" title that operators use to publish leaked victims' information who was not able to pay the ransom. 

And the cybercriminals stated that they had "dumped full copies" of Cyberpunk 2077's, Gwent's, Witcher 3's and Witcher's "unreleased version;" and acquired the sensitive company information about bookkeeping, administration, HR, investor relations, law, and more. 

“Source codes will be sold or leaked online, and your documents will be sent to our contacts in gaming journalism,” according to a note. 

In a late Thursday statement, CD Projekt Red stated that its security staff “now have reason to believe that internal data illegally obtained during the attack is currently being circulated on the internet.” 

The report further states, “though we believe it may include current/former employee and contractor details in addition to data related to our games. Furthermore, we cannot confirm whether or not the data involved may have been manipulated or tampered with following the breach.” 

This incidence is not different after updated ransomware playbook 'breach, extract, encrypt, offer,' "Dirk Schrader, global security research Vice President at New Net Technologies (NNT), has remarked. However, he added, “It was some sort of luck on CD Projekt Red’s side that – as far as we know – no customer data was involved, because if so the story would have evolved in very different ways. ”

It is worth noting that ransomware gang has fulfilled its pledge to auction off the company's data beforehand, where in February on the well-known Russian-language underground forum 'Exploit' the source code for Cyberpunk 2077 and its previously unreleased version of Witcher 3 were allegedly on sale. 

The lot was sold one day later, and though cyber investigators established the presence of the auction, they could not check for the quantity or veracity of what was sold. The auction demanded an opening offer of $1 million.

Lately, threat actors posted approximately 300GB of data that reportedly belongs to the CD Projekt Red on the Payload.bin data leak site. 

“Digital Shadows has seen several attempts to either sell or expose data related to CD Projekt Red since February, with unconfirmed actors first trying to auction game and other internal company data on a well-known Russian language forum,” Sean Nikkel, senior cyber-threat intel analyst at Digital Shadows said. 

The company added, “regardless of the authenticity of the data being circulated — we will do everything in our power to protect the privacy of our employees, as well as all other involved parties. We are committed and prepared to take action against parties sharing the data in question.”

Iranian Hackers Attacked Websites of an African Bank and US Federal Library


According to Iran Briefing, hackers posing as Iranians targeted the websites of the Sierra Leone Commercial African Bank and the United States Federal Depository Library Program, by posting pro-Iranian remarks and graphics. 

The website of Sierra Leone Commercial Bank was found to be "H4ck3D IRANIAN HACKER" in Google search results. 

The words "hacked by Iranian hacker, hacked by shield Iran" were written in Twitter screenshots on a drawing of former IRGC Quds Force commander Qasem Soleimani, who was killed in a US airstrike. 

According to CBC News, the library program's website was updated with a bloodied picture of US President Donald Trump being punched in the face, as well as a message is written in Farsi and English that read "martyrdom was Soleimani's... reward for years of implacable efforts," and another caption that read "this is only a small part of Iran's cyber ability!" 

A spokesman from the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency verified the incident. Though the hack has still proven to be the activity of Iranian state-sponsored actors. 

The representative stated, “We are aware the website of the Federal Depository Library Program [FDLP] was defaced with pro-Iranian, anti-US messaging”. 

“At this time, there is no confirmation that this was the action of Iranian state-sponsored actors”. 

The website has been removed from the internet and is no longer accessible. In coordination with the FDLP and other government partners, the Cybersecurity and Infrastructure Security Agency (CISA) is keeping an eye on the situation. 

According to another senior US official, the defacement was a minor event carried out by Iranian sympathizers. Former US Secretary of State Mike Pompeo indicated at the time that a cyberattack by Iran against the US could be a possible retaliation. 

It's unclear whether the hackers had a government position or had any connection to Iran. The hack occurs at a time when tensions between the US and Iran are still high following the assassination of Qasem Soleimani, the chief of Iran's Revolutionary Guards Corps Quds Force, by a US strike in Baghdad on Jan. 2. 

Iran has already threatened retaliation for the assassination, implying that US assets and interests in the Middle East, as well as US allies, may be targeted.

Russian hackers attacked the systems of the Dutch police during the investigation of the Boeing crash

 The Dutch newspaper Volkskrant on the day of the start of the hearing on the crash of the Malaysian Boeing in Ukraine published a material in which, citing anonymous sources, it claims that hackers allegedly connected with the Russian Foreign Intelligence Service (SVR) gained access to the Dutch police system in 2017 when the investigation into the crash of Flight MH17 was conducted.

According to the newspaper, the hacking was not noticed by the police, but it was the information of the Security Service (AIVD) that helped to detect it.

The hack led to a "great panic" over the MH17 investigation. The information was provided to the newspaper by people with knowledge of the incident, but the police and the AIVD refused to confirm or deny the hacking.

Sources told the newspaper that the hack detected by the AIVD came from the Dutch IP address of the police academy's server. "Traces of hackers were found in several places," Volkskrant reports, citing four sources. It is unclear if the hackers were able to gain access to any information relevant to the MH17 investigation, or what information they might have obtained.

Recall, a Malaysian Boeing flying from Amsterdam to Kuala Lumpur on flight MH17 crashed near Donetsk in 2014. All 298 people on board were killed. Kiev blamed the militia for the crash, but they said they did not have the means to shoot down an aircraft at such a height.

During the investigation of the joint investigation group (JIT) under the leadership of the Prosecutor General of the Netherlands, the investigation concluded that the Boeing was shot down from the Buk anti-aircraft missile system belonging to the Russian Armed Forces.

The Russian Foreign Ministry said that the accusations of Russia's involvement in the crash of the Malaysian Boeing are unfounded and regrettable, the investigation is biased and one-sided. President Vladimir Putin noted that Russia is not allowed to investigate the crash of the airliner in eastern Ukraine, and Moscow can recognize the results of the investigation if it takes a full part in it.

FBI Alerts: BEC Scammers are Posing as Construction Companies


The FBI has issued a warning to private sector enterprises about scammers masquerading construction companies in business email compromise (BEC) cyberattacks targeting firms in a variety of critical infrastructure sectors across the United States. 

BEC scammers utilize a variety of techniques (such as social engineering and phishing) to hijack or spoof business email accounts in order to redirect pending or future payments to bank accounts under their control. 

The alert was delivered to enterprises today via a TLP:GREEN Private Industry Notification (PIN) to assist cybersecurity professionals in defending against these ongoing threats. 

The instances are part of a BEC campaign that began in March 2021 and has already resulted in monetary losses ranging from hundreds of thousands of dollars to millions of dollars. 

The scammers use data collected from web services about the construction companies they spoof and the customers they're targeting to successfully carry out these BEC attacks. Local and state government budget data portals, as well as subscription-based construction sector data aggregators, are used to gather valuable data (e.g., contact information, bid data, and project prices). 

The attackers can modify emails to undermine the victim's business relationship with the construction contractors using the information they've gathered. The scammers send emails urging the victims to update their direct deposit account and automated clearing house (ACH) information to make the emails more convincing. The new account information leads to bank accounts controlled by criminals. 

To make sure the victims won’t be able to tell that the messages are fraudulent, they are sent using names that impersonate the contractors' actual sites and real corporate logos and visuals. 

Around $2 billion lost in 2020 BEC scams:

Between November 2018 and September 2020, the FBI warned of a new wave of BEC attacks increasingly targeting US state, local, tribal, and territorial (SLTT) government bodies, with losses ranging from $10,000 to $4 million. 

Microsoft discovered a large-scale BEC operation targeting over 120 companies last month that used typo-squatted domains registered just days before the attacks began. 

The FBI stated, "The FBI's Internet Crime Complaint Center (IC3) notes BEC is an increasing and constantly evolving threat as criminal actors become more sophisticated and adapt to current events. There was a 5 percent increase in adjusted losses from 2019 to 2020, with over $1.7 billion adjusted losses reported to IC3 in 2019 and over $1.8 billion adjusted losses reported in 2020." 

The FBI also warned last year that BEC scammers were using email auto-forwarding and cloud email platforms like Microsoft Office 365 and Google G Suite in their attacks.  

Kubeflow: The Target of Cryptomining Attacks


Microsoft has discovered a new, widespread, ongoing threat that aims to infect Kubernetes clusters running Kubeflow instances with malicious TensorFlow pods that mine cryptocurrencies. Kubeflow is a popular open-source framework for conducting machine learning (ML) tasks in Kubernetes, while TensorFlow is an end-to-end, open-source ML platform. 

Microsoft security experts cautioned on Tuesday that they noticed a rise in TensorFlow pod deployments on Kubernetes clusters at the end of May — pods that were running legal TensorFlow images from the official Docker Hub account. However, a closer examination of the pods' entry point revealed that they are used to mine cryptocurrency. 

In a post on Tuesday, Yossi Weizman, a senior security research software engineer at Microsoft's Azure Security Center, said that the "burst" of malicious TensorFlow deployments was "simultaneous," implying that the attackers scanned the clusters first, kept a list of potential targets, and then fired on all of them at the same time. The attackers used two distinct images, according to Weizman. The first is the most recent version of TensorFlow (tensorflow/tensorflow:latest), and the second is the most recent version with GPU support (tensorflow/tensorflow:latest-gpu). 

According to Weizman, using TensorFlow images in the network "makes a lot of sense," because “if the images in the cluster are monitored, usage of a legitimate image can prevent attackers from being discovered.” Another rationale for the attackers' decision is that the TensorFlow image they chose is an easy way to conduct GPU activities using CUDA, which "allows the attacker to optimize the mining gains from the host," according to him. 

The newly found vulnerability is comparable to a cryptocurrency mining attack revealed by Microsoft in June. That previous campaign also targeted Kubeflow workloads, launching a broad XMRIG Monero-mining campaign by exploiting misconfigured dashboards. The most recent campaign includes the following changes: According to Weizman, the attackers abused their access to the Kubeflow centralized dashboard to establish a new pipeline this time.

Kubeflow Pipelines is a framework for creating machine learning pipelines based on Argo Workflow, an open-source, container-native workflow engine for coordinating parallel jobs. A pipeline is a collection of steps, each of which functions as its own container, that together creates an ML workflow. 

Users of Kubeflow should ensure that the centralized dashboard is not insecurely exposed to the internet, according to Microsoft.

Chip Maker ADATA Attacked by Ragnar Locker Ransomware Group


ADATA, a Taiwan-based leading memory and storage manufacturer, was forced to take its systems offline after a ransomware attack crippled its network in late May. 

ADATA is known for manufacturing superior DRAM memory modules, NAND nonvolatile storage cards, mobile accessories, gaming products, diversion products, wattage trains, and industrial solutions.

ADATA admitted in an email to Bleeping Computer that it was hit by a ransomware attack on May 23, 2021, and responded by shutting down the impacted systems and notifying all relevant international authorities of the ransomware attack. However, the firm claims that its business operations are no longer disrupted and that it is busy restoring the affected devices. 

ADATA didn’t offer info on the ransomware operation behind the incident or any ransom demands. However, Bleeping Computer says that the Ragnar Locker ransomware gang has already taken the responsibility for the ADATA attack. In fact, Ragnar Locker says that they have allegedly taken one 1.5TB of sensitive information from ADATA’s computers before deploying the ransomware. 

So far, the ransomware gang has posted screenshots of the stolen files in order to prove their claims. However, they’re threatening to leak the rest of the data if the memory manufacturer does not pay the ransom. Chip manufacturers have become a lucrative target for ransomware operators, who can use the threat of downtime, which can prove to be a lot more costly in these turbulent times than the ransom, as another bargaining chip.

Security researchers discovered the Ragnar Locker ransomware in late December 2019. The gang operates by targeting enterprise endpoints and terminating remote management computer code (such as ConnectWise and Kaseya) installed by managed service suppliers (MSPs) to manage clients’ systems remotely.

In November 2020, the FBI said that Ragnar Locker Ransomware targeted "cloud service providers, communication, construction, travel, and enterprise software companies." The attack on ADATA is significant also because of its timing, as it comes in the midst of the ongoing chip shortage. With manufacturers struggling to keep pace with the demands, any downtime could further delay the industry's recovery. 

ADATA stated to BleepingComputer that it is "determined to devote ourselves making the system protected than ever, and yes, this will be our endless practice while the company is moving forward to its future growth and achievements."

Spanish Government Witnesses Cyber Attack


Earlier this morning, the Ministry of Labour and Social Economy of the Spanish government witnessed a cyber-attack. At the moment, Ministry did not comment on the specifications, nature, and severity of the attack. 

According to the official website of the department, the Ministry organizes and supervises Spain’s employment work, social economy, and look after social responsibility policies. This Ministerial Department has an annual budget of around €39 million. 

In the wake of the attack, the IT cyber-researchers at the department – an agency within Spain’s National Intelligence Centre from the National Cryptological Centre together with the Spanish Ministry of Labor and Social Economy (MITES) are investigating the attack and working to restore services. 

“The Ministry of Labor and Social Economy has been affected by a computer attack…” 

“…The technical managers of the Ministry and the National Cryptological Center are working together to determine the origin and restore normality as soon as possible," MITES’ media office said earlier today. 

After the cyber-attack the official website of the Ministry was still accessible, however, the communications office and the multimedia room were down. 

"The computer attack that the Ministry of Labor and Social Economy has suffered has NOT affected the operation of the State Public Employment Service, The Electronic Office, the website, and the set of services continue to be provided normally,"  SEPE reported. 

Furthermore, a government agency of the Spanish, Servicio Público de Empleo Estatal (SEPE) – a part of MITES that took a severe hit by ransomware in March due to which the services of the department were inaccessible for around two weeks – reported that it was not affected by the cyberattack. 

According to the resources, the SEPE department was hit by a Russian Ryuk ransomware gang on March 09, 2021.  As a result, over 700 agency offices across Spain were badly impacted. Besides, the agency’s workstations, the ransomware attack had impacted remote working stations of the department. It should be noted that the Spanish labor agency is the only ministry that has been hit by a ransomware attack in Spain.

Navistar International Corporation Hit by Cyberattack

Navistar International Corporation, a maker of United States trucks and military vehicles confirmed that it was hit by a cyberattack recently which resulted in data theft. In form 8-K filing with SEC (Security and Exchange Commission) this Monday, the company said that the company came to know about an attack on its IT systems on May 20, 2021. Navistar took immediate actions to limit the impact of the cyberattack and has launched an investigation with various cybersecurity and foreign agencies. Due to the attack, Navistar has strengthened its cybersecurity infrastructure and data protection, saying all of its systems are fully functional. 

On May 31, the company got a mail saying it was hit by a cyberattack and some data had been stolen.  As of now, the company is enquiring about and finding the impact of the attack. It has already called law enforcement agencies for help. Navistar didn't disclose any technical details about the attack but it might be a possibility that it was a ransomware attack. The claim is based on the recent rise of ransomware incidents in the US. In all these incidents, major US organizations were attacked and crucial data was stolen. Navistar was established in 1986, it makes trucks, diesel engines, and buses. 

Besides this, the Navistar Defense subsidiary makes military automobiles. After the attack that made US Colonial Pipeline to close its operations and distribution systems at the start of May, JBS USA, the world's largest meat processing company of US subsidiary also announced recently that it had closed down its plants in America and Australia.  Besides this, recently, Steamship Authority, the largest ferry service to the Massachusetts Islands of Martha’s Vineyard and Nantucket from Cape Cod, was hit by a cyberattack of a similar kind. 

At the start of this year, Molson Coors Beverage company was also hit by a ransomware attack. "White House this week urged corporate executives and business leaders to take the appropriate measures to protect their organizations against ransomware attacks. The  memo, signed by Anne Neuberger, deputy national security advisor for cyber and emerging technology, mentions the recent increase in the number of ransomware incidents, as well as the Biden administration’s response to such attacks targeting government and private sector organizations," reports Security Wee

The Russian expert assessed the demand of the State Department to stop cyberattacks on the United States

 "Moscow should not react to such statements until the United States is ready to seriously discuss the rules of conduct in cyberspace," said Dmitry Drobnitsky, an American political scientist, commenting on the statement of the head of the State Department Anthony Blinken that Russia allegedly has a duty to ensure an end to cyber attacks across the United States

"Mr. Blinken's words are a private statement. It is difficult to somehow assess it since the sphere of cybersecurity is not regulated in any way at the moment. At the same time, Moscow in general and the Russian president, in particular, have repeatedly offered the United States to consider this issue in a comprehensive manner, putting forward a number of initiatives, including at the UN level”, said political scientist-Americanist Dmitry Drobnitsky.

According to him, the world community needs an international agreement that establishes new rules of conduct in cyberspace, because it permeates absolutely all areas of life, and the consequences of hacker attacks on civilian and military infrastructure can be very serious. "But the Americans left our proposals unanswered", the expert added.

"Moscow should not react to such statements until the United States is ready to seriously discuss the rules of conduct in cyberspace and consider this issue as an international problem. Because in the absence of regulation, each country is forced to deal with cyber threats alone," Drobnitsky concluded.

Earlier, United States Secretary of State Anthony Blinken demanded that Russia stop cyberattacks on the territory of the United States. "I think it's the obligation of any country to do whatever it can to find these enterprises and to bring them to justice, including in the case of the attack on the Colonial Pipeline. The enterprise that was responsible [for] that attack, its leaders were in Russia, are in Russia, so I think there's an obligation on Russia's part to make sure that that doesn't continue," Blinken said.

Meanwhile, government sources on NBC have reported that United States President Joe Biden may instruct the US military to prepare "offensive cyber operations" against Russian-based hackers.

Private Details Compromised After Cyber Attack on NSW Health


The New South Wales Ministry of Health (NSW Health) has confirmed that it was impacted by a cyberattack involving the Accellion file transfer system. The system was widely used to share and store files by organizations across the globe, including NSW Health. 

NSW Health has been working with NSW Police and Cyber Security NSW and to date, and so far, there is no evidence any of the information has been misused. Strike Force Martine has been set up to determine the impact on NSW government agencies that were caught up in the attack on Accellion.

It is estimated that some 100 organizations across the globe were affected by the Accellion hack, including global corporations, financial institutions, government departments, hospitals, and universities. Within this group, the company said that fewer than 25 appeared to have suffered significant data theft. 

"Following the NSW government's advice earlier this year around a worldwide cyber-attack that included NSW government agencies, NSW Health is notifying people whose data may have been accessed in the global Accellion cyber-attack. Different types of information, including identity information and in some cases, health-related personal information, were included in the attack," NSW Health spokesperson stated.

The local authorities said medical records in public hospitals were not stolen and the software involved is no longer in use by NSW Health.

 “A cyber incident help line has been set up to provide further information and support to those people NSW Health is contacting. If you are contacted by NSW Health, you will be given the cyber incident help line details; if you are not contacted by NSW Health, no action is required. The privacy of individuals is of the utmost importance to NSW Health, and we are making impacted people aware of the attack so that they can take appropriate precautions and access our support services," the spokesperson added. 

In April 2020, the NSW government suffered a cyberattack compromising the private records of 186,000 customers. After an investigation that lasted four months, Service NSW said it discovered that 738GB of data (over 3.8 million documents), was stolen from 47 staff email accounts. 

The Australian Securities and Investments Commission (ASIC) confirmed in January that one of its servers was breached in relation to Accellion software used by the agency to transfer files and attachments.

South Korea Under Major Cyber Attacks in Pandemic Era


As per Ciso, ransomware attacks have proliferated in South Korea over the last year, impacting hospitals and shopping malls as the coronavirus pandemic has increased Internet usage. 

A major plastic surgery clinic in southern Seoul disclosed on Thursday that its servers had been the target of a ransomware attack on its website. Personal data about their patients seem to have been obtained by the hackers. This is the most recent in a string of ransomware assaults recorded in the city.

According to the Ministry of Science and ICT, the number of ransomware assaults reported in the country increased by more than thrice to 127 last year, up from 39 in 2019. According to the Yonhap news agency, there have been around 65 cases so far this year. A wide spectrum of businesses has been attacked by ransomware attacks. 

Last month, Super Hero's operations were interrupted for hours due to a ransomware attack that affected 15,000 delivery employees around the world. Hackers broke into the local fashion and retail behemoth E-Land Group last November, forcing the shutdown of 23 of its 50 NC Department Store and NewCore outlet sites. 

Cyber-attacks have increased in both number and profile as the epidemic has led to more Internet usage. According to Kim Seung-joo, a cybersecurity specialist at Korea University, ransomware assaults might pose more problems than just destroying a company's complete work system because enterprises are relying more on remote work during the epidemic. 

As an outcome, a growing number of companies are paying the ransom. This technique supports the spread of ransomware. It's a vicious circle, Kim said, urging more investment in cybersecurity to avoid the crisis in the first place. 

Regrettably, the attacks appear to be part of a bigger global pattern. The hack of Colonial Pipeline, a major oil pipeline operator in the United States, was a notable recent incident. The corporation was compelled to pay a $4.4 million ransom. 

As ransomware assaults continue in South Korea, the ICT ministry established a 24-hour monitoring team last month to help businesses harmed by the attacks. Companies that have been targeted by the attacks are currently receiving assistance from the government, including the restoration of their systems.