
Trust Wallet & MetaMask Crypto Wallets: Targeted by New Support Scam


Users of Trust Wallet and MetaMask wallets are the targets of ongoing malicious Twitter phishing attacks aimed at stealing cryptocurrency funds. MetaMask and Trust Wallet are mobile apps that enable users to create wallets to store, buy, send, and receive cryptocurrency and NFTs. 

When users first open the MetaMask or Trust Wallet apps, they are prompted to create a new wallet. As part of this procedure the app displays a 12-word recovery phrase and encourages users to save it somewhere safe. The apps use this recovery phrase to generate the private keys needed to access the wallet, so anyone who knows the recovery phrase can import the wallet and access the cryptocurrency funds it contains.

For the past two weeks, BleepingComputer has been monitoring a Twitter phishing scam that targets Trust Wallet and MetaMask users and steals their cryptocurrency wallets by spreading fake technical support forms. The scam begins with genuine MetaMask or Trust Wallet users tweeting about a problem with their wallets, such as stolen funds, trouble accessing the wallet, or trouble using the apps.

Scammers reply to these tweets posing as members of the app's support team, or as users claiming that "Instant support" fixed the same problem for them, and encourage the poster to fill out a support form via the included links.

Users who click on these links land on a page styled as a Trust Wallet or MetaMask help form. The form asks for the visitor's email address, name and a description of the problem, and then for the scam's crown jewel: the wallet's 12-word recovery phrase. With a Trust Wallet or MetaMask user's recovery phrase, the threat actors can import the victim's wallet on their own devices and drain all of the deposited cryptocurrency.

Unfortunately, once funds have been stolen by a threat actor there is nothing a user can do to recover them. Cryptocurrency phishing scams are nothing new: one MetaMask user previously lost over $30,000 in cryptocurrency after sharing their recovery phrase.

Trust Wallet and MetaMask users should never share their wallet's recovery phrase or type it into any app or website. Furthermore, a legitimate organization would not use Google Docs or online form-building sites to handle help requests. Seek assistance only through the official support pages of the app or service you are having trouble with.

When it comes to cryptocurrencies and financial assets, the user should always type the URL they wish to visit into their browser rather than relying on links in emails, as it is simple to build lookalike domains that impersonate legitimate sites. This way, users can avoid mistakenly clicking on phishing sites that impersonate a legitimate service.
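Added example, not from the original post or from either wallet vendor: a Python sketch of why the phrase is all that matters. `mnemonic_to_seed` implements the BIP39 derivation these wallets use (PBKDF2-HMAC-SHA512, 2048 rounds) and `seed_to_master_key` the BIP32 master-key step; every key in the wallet is computed from that seed, so whoever types the phrase into a form has handed over the wallet. `looks_like_recovery_phrase` is an assumed heuristic that a browser extension or DLP rule could use to warn before a 12- or 24-word phrase is submitted to a web form; it does not embed the BIP39 wordlist.

```python
import hashlib
import hmac
import re
import unicodedata

# BIP39 seed parameters: PBKDF2-HMAC-SHA512, salt "mnemonic" + optional
# passphrase, 2048 rounds, 64-byte output.
PBKDF2_ROUNDS = 2048
SEED_LEN = 64


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a recovery phrase.

    The wallet's master key and every account key are a deterministic function
    of this seed, so the phrase (plus the optional passphrase) is sufficient to
    re-create the wallet on any device.
    """
    sentence = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", sentence.encode("utf-8"), salt.encode("utf-8"), PBKDF2_ROUNDS, SEED_LEN
    )


def seed_to_master_key(seed: bytes) -> tuple:
    """BIP32 master key: HMAC-SHA512 keyed with b"Bitcoin seed" over the seed.

    Returns (master_private_key, chain_code), each 32 bytes. Account keys are
    derived from this pair, which is why the seed is all an importer needs.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


# Heuristic (assumed, not from the page): BIP39 phrases are 12, 15, 18, 21 or
# 24 lowercase words of 3 to 8 letters. Without the wordlist this cannot
# confirm a phrase, but it is enough to warn before such text leaves a form.
_WORD_RE = re.compile(r"^[a-z]{3,8}$")
_VALID_LENGTHS = {12, 15, 18, 21, 24}


def looks_like_recovery_phrase(text: str) -> bool:
    words = text.strip().split()
    if len(words) not in _VALID_LENGTHS:
        return False
    return all(_WORD_RE.match(w) for w in words)


if __name__ == "__main__":
    # BIP39 reference vector (all-zero entropy, passphrase "TREZOR").
    phrase = "abandon " * 11 + "about"
    seed = mnemonic_to_seed(phrase, "TREZOR")
    key, chain = seed_to_master_key(seed)
    print("seed      ", seed.hex())
    print("master key", key.hex())
    print("looks like phrase:", looks_like_recovery_phrase(phrase))
```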

Beware of Lorenz Ransomware Gang Targeting Organizations with Customized Attacks


Security researchers have unearthed a new ransomware operation known as Lorenz targeting organizations worldwide with customized attacks and demanding hundreds of thousands of dollars in ransoms. The Lorenz ransomware gang began operating last month and has since compiled a growing list of victims whose stolen data has been published on a data leak site.

According to BleepingComputer, Michael Gillespie of ID Ransomware found that the Lorenz ransomware encryptor is identical to that of a previous operation known as ThunderCrypt. It remains unclear, however, whether Lorenz is run by the same group or purchased the ransomware source code to build its own variant.

Like other ransomware operations, Lorenz breaches a network and moves laterally to other devices until it obtains Windows domain administrator credentials. While spreading through the network, the operators harvest unencrypted files from the victim's servers and upload them to remote servers under their control. This stolen data is then published on a dedicated data leak site to pressure victims into paying a ransom, or sold to other threat actors.

According to security experts, the Lorenz gang operates differently from other ransomware gangs. To pressure victims into paying, Lorenz first offers the data for sale to other threat actors or possible competitors. After a while, it starts releasing password-protected RAR archives containing the victim's data. Unlike other enterprise-targeting ransomware, the Lorenz sample that was analyzed did not kill processes or shut down Windows services before encrypting.

Each folder on the computer will contain a ransom note named HELP_SECURITY_EVENT.html that explains what happened to the victim's files. It also includes a link to the Lorenz data leak site and a link to a unique Tor payment site where the victim can see their ransom demand.

Finally, if the victim does not pay, Lorenz publishes the password for the leaked archives so that the data is publicly available to anyone who downloads the files. From ransom notes seen by BleepingComputer, Lorenz ransom demands range from $500,000 to $700,000.

Furthermore, the ransomware is currently being analyzed for weaknesses, and paying the ransom never guarantees you actually get your data back, as it might still end up for sale on the Dark Web.

Beware of eCh0raix Ransomware Attacks, QNAP Warns Customers


QNAP warned its users of an actively exploited Roon Server zero-day vulnerability and eCh0raix ransomware attacks that are targeting its Network Attached Storage (NAS). The Taiwanese vendor claimed that it has received reports of ongoing eCh0raix ransomware attacks that infected QNAP NAS devices using weak passwords.

"The eCh0raix ransomware has been reported to affect QNAP NAS devices. Devices using weak passwords may be susceptible to attack," the company said. QNAP urged customers to "act immediately" to protect their data from potential eCh0raix attacks by:

• Using stronger passwords for your administrator accounts. 

• Enabling IP Access Protection to protect accounts from brute force attacks. 

• Avoiding using default port numbers 443 and 8080. 

However, QNAP didn't mention how many reports it received from users directly affected by eCh0raix ransomware in the last weeks. QNAP also issued another security advisory to warn of an actively exploited zero-day vulnerability impacting Roon Labs’ Roon Server 2021-02-01 and earlier versions. 

“The QNAP security team has detected an attack campaign in the wild related to a vulnerability in Roon Server. QNAP NAS running the following versions of Roon Server may be susceptible to attack: Roon Server 2021-02-01 and earlier. We have already notified Roon Labs of the issue and are thoroughly investigating the case. We will release security updates and provide further information as soon as possible,” reads the advisory.

QNAP also provided the following steps for users who want to disable Roon Server on their NAS:

1. Log on to QTS as administrator, open App Center and then click the search icon. A search box appears.

2. Type "Roon Server" and then press ENTER. Roon Server appears in the search results.

3. Click the arrow below the Roon Server icon.

4. Select Stop. The application is disabled.

Unfortunately, QNAP has been on the target list of threat actors for quite some time. QNAP devices were previously targeted by eCh0raix ransomware (also known as QNAPCrypt) in June 2019 and June 2020. 

A massive Qlocker ransomware campaign also hit QNAP devices starting mid-April, with the threat actors behind the attacks making $260,000 in just five days by remotely encrypting data using the 7zip archive program.

Washington DC Police Hit by the Worst Ransomware Ever


In the U.S. capital, the police department experienced a major information leak after declining to satisfy the extortion demands of a Russian-speaking ransomware syndicate. As per the experts, the US police department has been hit by the worst ransomware ever. 

On Thursday, May 13, the gang, identified as Babuk, published thousands of confidential documents from the Washington Metropolitan Police Department on the dark web. Hundreds of police officer intelligence documents, containing feeds from other agencies such as the FBI and Secret Service, were found in a review by The Associated Press.

Ransomware attacks have reached epidemic proportions as international gangs paralyze the computer networks of local and state governments, police, hospitals and private companies. They demand substantial payments to decrypt the data or to prevent the online leakage of stolen information.

Colonial Pipeline, the nation's largest fuel pipeline, was shut down last week by a cyberattack, which caused gasoline stockpiling and panic buying across the southeastern United States.

This Police data leak is "perhaps the most significant ransomware incident to date," due to the risks it poses for officers and civilians, said Brett Callow, a threat analyst and ransomware specialist at the Emsisoft security company. 

Most documents contained security details from many other law enforcement authorities regarding the inauguration of President Joe Biden, along with a connection to a militia group "embedded source." 

One document describes the FBI's investigation of the two pipe bombs left near the Democratic National Committee and Republican National Committee offices before the riot at the U.S. Capitol on January 6. Another document details a "big data pull" from cell towers, as well as plans to "analyze purchases" of Nike shoes by an individual of concern.

In response to an AP request for comments, the police department didn't initially respond but has reported earlier that personal data was compromised. 

Some of the information was subsequently leaked, exposing personal data from background checks of some officials, including information on previous use of drugs, financial conditions, and — in at least one instance — regarding past sexual assault. 

“This is going to send a shock through the law enforcement community throughout the country,” Ted Williams, a former officer at the department who is now a lawyer, told The Associated Press. 

Williams added that it makes officers' work harder now that background checks and administrative files have been publicly disclosed.

“The more the crooks know about a law enforcement officer, the more the crooks try to use that for their advantage,” he said. 

Babuk had recently demanded $4 million not to publish the files, but only around $100,000 was reportedly offered. The department did not say whether it made that offer. Any such negotiations illustrate the dilemma ransomware poses, with police forces having to consider paying criminal gangs.

Toshiba Unit Hacked by DarkSide


The DarkSide criminal gang, which was also responsible for the assault on Colonial Pipeline, which triggered widespread gas shortages and panic buying across the Southeast, hacked a Toshiba business unit earlier this month. 

Toshiba Tec said in a statement that the cyberattack affected its European subsidiaries, and the company is investigating the extent of the damage. It stated that “some details and data could have been leaked by the criminal gang,” but it did not confirm that customer information was leaked. 

"There are around 30 groups within DarkSide that are attempting to hack companies all the time, and they succeeded this time with Toshiba," said Takashi Yoshikawa, a senior malware analyst at Mitsui Bussan Secure Directions. During pandemic lockdowns, employees accessing company computer systems from home have made businesses more susceptible to cyber-attacks, he said. 

According to a company representative who spoke to Reuters, the attack appears to have been carried out by the Russian criminal group DarkSide. A spokesperson confirmed to CNBC that the attack happened on May 4. According to the outlet, the hackers demanded a ransom, but the company refused to pay. Colonial Pipeline, on the other hand, is said to have paid a ransom of approximately $5 million within hours of last week's attack.

The assault, which resulted in gas shortages and panic buying at US gas stations across the Southeast, likely drew more attention to DarkSide than it had hoped for, with President Biden promising to go after the group. 

According to screenshots of DarkSide's post given by the cybersecurity company, more than 740 gigabytes of data, including passports and other personal details, was compromised. On Friday, Reuters was unable to reach DarkSide's public-facing website. DarkSide's numerous websites, according to security researchers, have become inaccessible. 

Ransomware attacks, in which hackers encrypt data and demand payment in cryptocurrency to decrypt it, are growing in both number and size. Increasingly, the attackers also steal data and release it, or threaten to release it, unless they are paid more.

According to investigators in the Colonial case, the attack software was distributed by DarkSide, a group made up of Russian speakers that avoids targets in the former Soviet Union. DarkSide lets "affiliates" break into targets in other countries, then handles the ransom negotiation and data release itself.

The White House believes that the attackers on the Colonial Pipeline are located in Russia

The Russian authorities should take action against the hacker group DarkSide, which, according to Washington, is located in Russia and is involved in the cyberattack on the U.S. pipeline company Colonial Pipeline. This opinion was expressed on Tuesday by the press secretary of the White House Jennifer Psaki at a regular briefing for journalists.

She was asked whether Russia has any responsibility in connection with the fact that DarkSide is on Russian territory. "U.S. President Joe Biden said his intelligence community has not yet completed a comprehensive analysis of the incident. Moreover, according to the FBI, the attack is attributed to the hacker group DarkSide, located in Russia, so this country must act responsibly," noted Psaki.

"But, again, we will wait for our intelligence community to conduct a comprehensive analysis before we can report anything else on this," she concluded.

On Monday, Biden suggested that the criminal elements who carried out the hacking attack on the Colonial Pipeline may be in Russia. Brandon Wales, the Acting Director of the Cybersecurity and Infrastructure Security Agency (CISA), said on Tuesday that FBI experts are confident that criminal elements, not authorities of any state, were responsible for the cyber attack.

Press Secretary of the Russian President Dmitry Peskov stressed that Russia had nothing to do with the cyber attack. He stressed that "the United States refuses to cooperate in countering cybercrime."

The Russian Embassy in Washington rejected "baseless fabrications by individual journalists" about Moscow's possible involvement in this attack.

Earlier, E Hacking News reported that the hackers who caused Colonial Pipeline to shut down the biggest US petrol pipeline last Friday began their blitz against the company a day earlier, stealing a large amount of data before locking computers with ransomware and demanding payment, as per the sources.

According to the two reports, the intruders, who are members of the DarkSide cybercrime group, took nearly 100 gigabytes of data from the Alpharetta, Georgia-based company's network in just two hours on Thursday.

Fake Chrome App is Being Used as Part of a Cyberattack Campaign


According to researchers at the cybersecurity company Pradeo, a new Android malware that impersonates the Google Chrome app has been discovered and has already infected hundreds of thousands of smartphones. The researchers have labeled the threat a "Smishing Trojan".

According to the researchers, the fake Google Chrome app is part of a smartphone attack campaign that uses phishing to steal credit card information. Once the fake app is installed, the device itself becomes part of the attack campaign.

“The malware uses victims’ devices as a vector to send thousands of phishing SMS. We evaluate that the speed at which it is spreading has enabled it to already target hundreds of thousands of people in the last weeks. ”, said the researchers in their ‘Security Alert’ post on their website. 

The attack begins with a simple "smishing" gambit, according to Pradeo researchers: targets receive an SMS text telling them to pay "custom fees" to release a package delivery. If they fall for it and tap the link, a message appears informing them that the Chrome app needs to be updated. If they accept the prompt, they are directed to a malicious website hosting the fake app, which is in reality ransomware that is downloaded onto their phones.

After the ostensible "update", victims are directed to a phishing page, which completes the social engineering: according to the study, they are asked to pay a small sum (usually $1 or $2) in a less-is-more strategy that is, of course, just a front to collect credit card details.

“Attackers know that we’re accustomed to receiving alerts of all types on our smartphones and tablets,” Hank Schless, senior manager of security solutions at Lookout said. “They take advantage of that familiarity to get mobile users to download malicious apps that are masked as legitimate ones.” 

The campaign is especially risky, according to Pradeo researchers, because it combines an effective phishing tactic, self-propagating malware, and multiple security-solution bypasses. “The attack could be the work of a regular level but very ingenious cybercriminal,” Pradeo’s Roxane Suau said. “All the techniques (code concealment, smishing, data theft, repackaging…) used separately are not advanced, but combined they create a campaign that is hard to detect, that spreads fast and tricks many users.”

Thousands of Cryptocurrency Users Targeted by Tor Network Exit Nodes


Cybersecurity researchers have said a threat actor has been adding malicious servers into the Tor network to intercept traffic heading to cryptocurrency websites and carry out SSL stripping attacks on users while accessing mixing websites.

Through its exit relays, the threat actor performed SSL stripping attacks on traffic headed to cryptocurrency websites, downgrading encrypted HTTPS connections to plaintext HTTP. The aim was to replace the addresses of legitimate wallets in the downgraded pages with addresses under the attacker's control, hijacking the victims' transactions.

The security researcher and Tor node operator Nusenu first highlighted this malicious behavior in August 2020 and has now shared more details in a follow-up post, which shows that the threat actor is still active.

“You can see the repeating pattern of new malicious relays getting added to the tor network and gaining significant traction before dropping sharply, when they got removed,” reads the study.

“In terms of scale of the attacker’s exit fraction, they managed to break their own record from May 2020 (>23% malicious exit fraction) twice:

• on 2020–10–30 the malicious entity operated more than 26% of the tor network’s exit relay capacity

• on 2021–02–02 they managed more than 27% of tor’s exit relay capacity. This is the largest malicious tor exit fraction I’ve ever observed by a single actor.”

According to the researcher, the threat actor managed to fly under the radar for more than a year because the malicious exit relays were added to the Tor network in small increments until they made up more than 23% of all exit nodes. Threat actors operated more than 26% of the tor network’s exit relay capacity two times in the last year, reaching 27% in February 2021. 

Once the scheme was discovered, the exit relays were removed from the Tor network, but the experts pointed out that the threat actor had been able to intercept traffic for months. Despite being outed, the threat actor continues to add new malicious nodes, and Nusenu estimates that between 4% and 6% of the Tor exit nodes are still under the threat actor's control.
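Added example, not from Nusenu's post or the Tor Project: a Python audit of a fetched page for the signs of the SSL stripping described above, where a request that should end on HTTPS is served over plain HTTP and the page's links or form targets pointing at known HTTPS-only hosts are rewritten to http://. The host names and the two sample responses are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts assumed (for this example) to serve HTTPS only. A real deployment would
# use the browser's HSTS preload list or the operator's own inventory.
HTTPS_ONLY_HOSTS = {"wallet.example", "mixer.example"}


class _LinkCollector(HTMLParser):
    """Collect every href, src and form action in the page body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)


def audit_response(requested_url, final_url, headers, body, https_only_hosts=HTTPS_ONLY_HOSTS):
    """Return (finding, detail) pairs describing SSL-stripping indicators.

    requested_url: what the client asked for; final_url: where the response
    actually came from after redirects; headers: response header dict.
    """
    findings = []
    req, fin = urlparse(requested_url), urlparse(final_url)
    hdrs = {k.lower(): v for k, v in headers.items()}

    # 1. An HTTPS request that ended on HTTP is the classic strip.
    if req.scheme == "https" and fin.scheme == "http":
        findings.append(("scheme-downgrade", f"{requested_url} -> {final_url}"))

    # 2. Plaintext from a host that is known to serve only HTTPS.
    if fin.scheme == "http" and fin.hostname in https_only_hosts:
        findings.append(("plaintext-https-only-host", fin.hostname))

    # 3. An HTTPS response without HSTS leaves the next visit strippable.
    if fin.scheme == "https" and "strict-transport-security" not in hdrs:
        findings.append(("missing-hsts", fin.hostname))

    # 4. Links and form targets rewritten from https:// to http://.
    collector = _LinkCollector()
    collector.feed(body)
    for link in collector.links:
        u = urlparse(link)
        if u.scheme == "http" and u.hostname in https_only_hosts:
            findings.append(("stripped-link", link))
    return findings


# Constructed samples: what a stripped page and a clean page look like.
STRIPPED_SAMPLE = {
    "requested_url": "https://mixer.example/deposit",
    "final_url": "http://mixer.example/deposit",
    "headers": {"Content-Type": "text/html"},
    "body": '<form action="http://mixer.example/send">'
            '<a href="http://wallet.example/login">login</a></form>',
}
CLEAN_SAMPLE = {
    "requested_url": "https://mixer.example/deposit",
    "final_url": "https://mixer.example/deposit",
    "headers": {"Content-Type": "text/html",
                "Strict-Transport-Security": "max-age=63072000; includeSubDomains"},
    "body": '<form action="https://mixer.example/send">'
            '<a href="https://wallet.example/login">login</a></form>',
}

if __name__ == "__main__":
    for name, sample in (("stripped", STRIPPED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, audit_response(**sample))
```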

US and Australia Warn of Rise in Avaddon Ransomware Attacks


The Federal Bureau of Investigation (FBI) and the Australian Cyber Security Centre (ACSC) have issued an alert about an ongoing Avaddon ransomware campaign that is affecting organizations across a wide range of industries in the United States and across the world. 

Avaddon ransomware associates are attempting to breach the networks of manufacturing, healthcare, and other private sector entities around the world, according to a TLP:GREEN flash warning issued by the FBI last week. 

The ACSC clarified the targeting details today, stating that the ransomware group's associates are targeting companies from a broad variety of industries, including government, banking, law enforcement, energy, information technology, and health. Although the FBI only cites ongoing attacks, the ACSC lists a number of countries that have been targeted, including the United States, the United Kingdom, Germany, China, Brazil, India, the United Arab Emirates, France, and Spain, to name a few.

"The Australian Cyber Security Centre (ACSC) is aware of an ongoing ransomware campaign utilizing the Avaddon Ransomware malware [..] actively targeting Australian organizations in a variety of sectors," the ACSC added. 

According to the ACSC, Avaddon threat actors also threaten victims with distributed denial-of-service (DDoS) attacks, in addition to leaking stolen data and encrypting their systems, to persuade them to pay the ransom. According to the FBI, however, no evidence of DDoS attacks has been found in connection with Avaddon ransomware attacks.

The Avaddon ransomware group first declared in January 2021 that they would use DDoS attacks to bring down victims' websites or networks before they reach out and negotiate a ransom payment. 

BleepingComputer first reported on this trend in October 2020, when ransomware groups started using DDoS attacks against their victims as an additional point of leverage. At the time, SunCrypt and RagnarLocker were the two ransomware operations using the tactic.

The first Avaddon ransomware samples were spotted in February 2019, and the operation began recruiting affiliates in June 2020 after launching a massive spam campaign targeting users around the world. Affiliates of the Avaddon RaaS operation must follow a set of rules, one of which is that no targets in the Commonwealth of Independent States (CIS) may be attacked.

Avaddon pays each affiliate 65 percent of the ransom money they bring in, with the operators keeping the remaining 35 percent. Avaddon affiliates are also known to steal data from victims' networks before encrypting systems, in order to run double-extortion schemes.

Almost all active ransomware operations have adopted this technique, with victims commonly informing their customers or employees of potential data breaches following ransomware attacks.

Chinese hackers attacked a Russian developer of military submarines

Chinese hackers reportedly attacked the Rubin Central Design Bureau for Marine Engineering (CKB Rubin), which designs submarines for the Russian Navy, by sending its CEO images of a submarine laced with malicious code. Experts believe the hackers are acting in the interests of the Chinese government.

According to the cybersecurity company Cybereason, Chinese hackers attacked CKB Rubin in April. The attack began with a fake letter that the hackers sent to the general director of CKB Rubin, purportedly on behalf of JSC "Concern 'Sea Underwater Weapon - Gidropribor'", a State Research Centre of the Russian Federation.

The letter contained a malicious attachment in a file with images of an autonomous unmanned underwater vehicle. "It is very likely that hackers attacked Gidropribor or some other institution before that," the author of the Telegram channel Secator believes.

The RoyalRoad malicious attachment used in the CKB Rubin attack is one of the tools that ensures delivery of malicious code to the target system, and it is most often used by groups of Asian origin, said Igor Zalevsky, head of the Solar JSOC CERT cyber incident investigation department at Rostelecom-Solar.

Cybereason pointed out that the attack on CKB Rubin has similarities to the work of Tonto and TA428 groups. Both have been previously seen in attacks on Russian organizations associated with science and defense.

It is worth noting that the CKB Rubin traces its history back to 1901. More than 85% of the submarines which were part of the Soviet and Russian Navy at various times were built according to its designs.

According to Igor Zalevsky, CKB Rubin's main customer is the Ministry of Defense, and the bureau handles critically important and unique information related to the Russian military-industrial complex, which explains the attackers' interest.

Experts believe that such attacks will gain momentum because specialized cyber centers are being created due to aggravation of information confrontation between states.

Information security expert Denis Batrankov noted that design bureaus are attacked mainly for industrial espionage by the special services of other states. "The problem is that we all use software that has many hacking methods that are not yet known. Intelligence agencies are buying new vulnerabilities from the black market for millions of dollars," he added.

Sloppiness of Student Allows Ryuk Ransomware to Target Bio Research Institute


Cybersecurity vendor Sophos has revealed how the use of a 'cracked' version of a data visualization tool led to a major ransomware attack that cost a European research institute a week's work and a lot of money.

A student working at a European biomolecular research institute had been allowed to use expensive data visualization software. The student went looking for a free version of the tool, since the license was most likely too expensive, and eventually elected to find a cracked version instead.

The crack triggered a malware warning from Microsoft Defender, which the student not only ignored but responded to by disabling the antivirus tool, along with the firewall. Thirteen days later, a remote desktop protocol (RDP) connection using the student's credentials was registered on the institute's network, and the Sophos incident response team learned that the crack was actually info-stealing malware.

“A feature of RDP is that a connection also triggers the automatic installation of a printer driver, enabling users to print documents remotely. This allowed the Rapid Response investigation team to see that the registered RDP connection involved a Russian language printer driver and was likely to be a rogue connection. Ten days after this connection was made, the Ryuk ransomware was launched,” Sophos explained. 

The malware was used by a malicious third party for a few days, harvesting keystrokes, browser cookies, clipboard data and the like. While Sophos did not disclose how much money the operators demanded, or whether the institute paid the ransom, it did say that the organization lost a week's worth of data because its backups were not up to date.

The institute also suffered operational impact: all computer and server files had to be rebuilt from the ground up before any data could be restored. Sophos also said that the group that placed the info-stealer probably was not the same one that deployed Ryuk. The most likely scenario is that, once access was established, it was sold on the dark web to the highest bidder.

As a precautionary measure, Sophos advised organizations to install multi-factor authentication (MFA) for access to any internal networks, especially from third parties, keep software regularly updated, segment networks and restrict account privileges. It also urged customers to lock down RDP access with static Local Area Network (LAN) rules, via a group policy or using access control lists.

Colonial Hackers Stole Data on Thursday Ahead of Shutdown


The hackers who caused Colonial Pipeline to shut down the biggest US petrol pipeline last Friday began their blitz against the company a day earlier, stealing a large amount of data before locking computers with ransomware and demanding payment, as per the sources.

According to the two reports, the intruders, who are members of the DarkSide cybercrime group, took nearly 100 gigabytes of data from the Alpharetta, Georgia-based company's network in just two hours on Thursday.

The step was part of a double-extortion scheme that has become a trademark of the group. According to the reports, Colonial was told that the stolen data will be released to the Internet, although information encrypted by the hackers on machines within the network will stay locked until it paid a ransom. The company didn't immediately respond to requests to comment on the investigation. It said earlier that it "proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems". 

Colonial's decision on Friday to shut down the main pipeline that supplies the US East Coast with gasoline, diesel, and jet fuel, without specifying when it would reopen, indicates a risky new escalation in the battle against ransomware, which President Joe Biden's administration identified as a priority. 

It's unclear how much the attackers requested or whether Colonial has agreed to pay. In cryptocurrency, ransomware demands can vary from a few hundred dollars to millions of dollars. Many businesses compensate, with the help of their insurers. 

According to the Associated Press, the insurance firm AXA announced last week that it will break with the trend and stop offering policies in France that reimburse customers for payments made to ransomware hackers. In recent years, cyberattacks have disrupted the operations of other energy assets in the US. Last year, the Department of Homeland Security announced that an unnamed natural gas compressor facility was shut down for two days due to an attack.

The theft of Colonial's records, combined with the installation of ransomware on the company's machines, demonstrates the power that hackers frequently hold over their victims in such situations. The investigation is being assisted by FireEye Inc's Mandiant digital forensics division, according to the company. 

Mr. Biden was briefed on the incident on Saturday morning, according to the White House.

Ransomware Attack Shuts Down Top U.S. Fuel Pipeline Network


The operator of a major gasoline pipeline in the U.S. shut down operations late Friday following a ransomware attack on the pipeline system that transports fuel across the East Coast. Experts said the attack is unlikely to affect gasoline supply and prices unless it leads to a prolonged shutdown of the pipeline.

Colonial Pipeline did not say what was demanded or who made the demand. Ransomware attacks are typically carried out by criminal hackers who seize data and demand a large payment in order to release it.

The company is the main source of gasoline, diesel, and jet fuel for the East Coast with a capacity of about 2.5 million barrels a day on its system from Houston as far as North Carolina, and another 900,000 barrels a day to New York. It presents a new challenge for an administration still dealing with its response to major hacks from months ago, including a massive breach of government agencies and corporations for which the U.S. sanctioned Russia last month.

President Joe Biden was briefed on the incident on Saturday morning, a White House spokesperson said, adding that the federal government is working with the company to assess the implications of the attack, restore operations and avoid disruptions to supply. The government is planning for various scenarios and working with state and local authorities on measures to mitigate any potential supply issues. 

“We’ve seen ransomware start hitting soft targets like hospitals and municipalities, where losing access has real-world consequences and makes victims more likely to pay. We are talking about the risk of injury or death, not just losing your email,” said Ulf Lindqvist, a director at SRI International who specializes in threats to industrial systems.

After the shutdown was first reported on Friday, gasoline and diesel futures edged slightly higher on the New York Mercantile Exchange. Gasoline gained 0.6% while diesel futures rose 1.1%, both outpacing gains in crude oil. Gulf Coast cash prices for gasoline and diesel edged lower on prospects that supplies could accumulate in the region.

Colonial previously shut down its gasoline and distillate lines during Hurricane Harvey, which hit the Gulf Coast in 2017. That contributed to tight supplies and gasoline price rises in the United States after the hurricane forced many Gulf refineries to shut down.

Threat Actors Use Several New Advanced Techniques To Exploit Windows Services


According to cybersecurity researchers, attackers are using several comparatively advanced new techniques to exploit legitimate Windows services and escalate low-level privileges into full control of the system. (Least privilege, the concept and practice of restricting the access rights of users, accounts and computing processes to only those resources required for routine, legitimate activities, is also a foundational component of zero trust strategies.) 

In these recent attacks, the threat actors take the same advantage of the same Windows services that were targeted in previous attacks. Meanwhile, they are also developing new techniques against the latest versions of the operating system, as reported by Antonio Cocomazzi, a system engineer at SentinelOne, who presented the findings at the Black Hat Asia virtual conference this week. 

For organizations, the biggest problem with these attacks is that they exploit services that are a core part of the system and exist by design in Windows. These services are enabled and available by default, and they play an essential part in web networking, mail servers, database servers, and other important services. 

An exploit named "JuicyPotato" has become a mainstream method for threat actors to break into Windows systems, said Cocomazzi. He added that SentinelOne has found specific evidence that the exploit is being used in multiple APT campaigns. 

“Microsoft has fixed the exploit in newer versions of its software. However, JuicyPotato still works on every updated Windows Server until version 2016 and on every updated Windows Client machine until version 10, build 1803. Additionally, newer versions of the so-called Potato family of exploits — such as RoguePotato and Juicy 2 — are now available that bypass the Microsoft fix that shut down JuicyPotato,” said Antonio Cocomazzi, a system engineer at SentinelOne. 

More Than 200 Belgian Organizations Knocked Offline in a Massive DDoS Attack


Belgium's national public sector network Belnet suffered a massive DDoS (distributed denial of service) attack on Tuesday that paralyzed internet access for all institutions linked to the Belnet network, including the federal government and parliament, universities, researchers, and reservations for the country's vaccination program.

The attackers specifically targeted Belnet, a government-funded ISP that provides internet connectivity for Belgian government organizations, such as its Parliament, educational institutions, ministries, and research centers.

According to local authorities, the incident has affected the activities of more than 200 Belgian government organizations, including My Minfin, the government's official tax and form-filing portal, as well as IT systems used by schools and universities for remote learning. In a tweet today, the Belgian Justice Department also reported disruptions but did not go into details. 

"The fact that the perpetrators of the attack constantly changed tactics made it even more difficult to neutralize it. We are fully aware of the impact on the organizations connected to our network and their users and we are aware that this has profoundly disrupted their functioning,” said Dirk Haex, technical director at Belnet.

Parliament and other government activities were also disrupted today because some meetings couldn’t take place as they couldn’t be streamed for remote participants due to the ongoing DDoS attack. The country’s COVID-19 vaccine reservation portal, which is hosted on Belnet’s infrastructure, was also knocked offline as a result of the attack. 

According to the official Twitter account of the Belgian Chamber of Representatives, only the Finance and Foreign Relations committee was able to hold a meeting on Tuesday before the others had to be canceled because of the ongoing DDoS attack. Several Belgian politicians and political observers noted today that the attack started around the same time the Belgian Parliament's Foreign Affairs Committee was due to meet and hear testimony from a survivor of China's Uyghur forced labor camps. 

Neither Belnet nor any other Belgian government organization has attributed the DDoS attack to any particular entity, and since the attack is still ongoing and has yet to be investigated, attribution is a long way off.

Unidentified Cyberattackers Have Put Alaska Court System Offline


A recent cyberattack has forced the Alaska Court System (ACS) to temporarily suspend its online services to the public, including electronic court filings, online payments, and hearings held via videoconference, until its cybersecurity unit removes malware from its network, including its public website. Because of the ongoing pandemic, court matters had been handled through online services; for now, they will be handled by phone. 

On Saturday, the court put out a statement saying that its website would be offline and that people would not be able to search cases while its technical unit removes the malware that was executed on its network, in order to prevent a further attack. 

"Today, we were advised that there did appear to be some attempts to infiltrate the court system's computer system. And so we figured out a way to disconnect from the internet to stop the problem to prevent anyone from continuing to try to tinker with our network," said Alaska Supreme Court Chief Justice Joel Bolger. 

Additionally, the court said that all currently scheduled cases and emergency hearings on critical matters will be heard at their scheduled times. 

“I think for a few days, there may be some inconveniences, there may be some hearings that are canceled or some judges who decide to shift from videoconference to teleconference proceedings or the like. We don’t have all of that figured out yet,” Alaska Supreme Court Chief Justice Joel Bolger, the court system’s top administrative officer, told the press. 

This cyberattack is just another example of the cyber threats facing government organizations. There is no doubt that cyberattacks against government organizations have increased during the pandemic. State and local governments, private firms, schools, and hospitals are also being heavily targeted. 

In light of this threat, the newly formed Ransomware Task Force, which includes experts from Microsoft and Amazon, aims to find solutions to combat ransomware attacks. 

In its latest report, the task force provided some alarming statistics on ransomware attacks: 

The average downtime due to ransomware attacks is 21 days, the average number of days it takes an organization to fully recover is 287, victims paid $350 million in ransom in 2020, a 311% increase from 2019, and the average ransom payment was $312,493, a 171% increase from 2019.

Scripps Health: The Non-Profit Healthcare Giant Hit by Cyberattack


According to the San Diego Union-Tribune and other press reports, San Diego-based Scripps Health is still working to piece its systems back together and safeguard sensitive patient data following a ransomware attack on the healthcare system's computers over the weekend. 

In a statement, Scripps acknowledged the intrusion but did not say whether it was a ransomware incident. Whether the adversaries accessed medical records or any other confidential data is also unclear. 

According to the report, an email from Jaime Pitner, coordinator of county emergency services, said that all four of Scripps' major hospitals, in Chula Vista, Encinitas, La Jolla, and San Diego, were diverting stroke, trauma, and heart attack patients to other emergency facilities. 

In September, Universal Health Services (UHS), a Fortune 500 owner of a national hospital network, reported extensive outages that led to delayed laboratory results, a fallback to pen and paper, and diverted patients. The suspect was the Ryuk ransomware group, which encrypted hospital systems over several days. 

“No patients died tonight in our [emergency room] but I can surely see how this could happen in large centers due to delay in patient care,” as stated by a nurse. 

A ransomware attack on Düsseldorf University Hospital in Germany led to emergency department diversions to several other hospitals. A report from the Ministry of Justice of the state of North Rhine-Westphalia indicated that a patient who had to be taken to a more distant hospital in Wuppertal because of the attack on the clinic's servers died. However, the original murder charges in the case were subsequently dismissed. 

“Showing just how low cybercriminals will go, the attack on a major healthcare facility like Scripps highlights the dark side of ransomware, disturbingly putting lives at risk,” said Edgard Capdevielle, CEO of Nozomi Networks, via email. 

Employees' everyday work has also been disrupted. The electronic health records network is down, and nurses, physicians, and other staff have turned to manual procedures and paper records, as also happened during the UHS attack. The "telemetry at most sites", which is used for electronic monitoring and alerting, has been unavailable for the time being, Scripps says, requiring routine manual patient checks. A source said that medical imaging and other "resources" were affected as well. 

However, Scripps has affirmed that while the systems are offline, “patient care continues to be delivered safely and effectively at our facilities, utilizing established back-up processes, including offline documentation methods.” 

These malicious actors are relentless in their efforts to exploit the most insecure networks, and health organizations are among them. According to Purandar Das, CEO and co-founder of Sotero, hospitals are a top target for attackers because their vital position in their communities makes them likely to pay quickly. 

He added, “Criminals are targeting organizations that have been slow to adopt a more robust and resilient architecture. Organizations have to move towards protecting data, via new encryption technologies, that keep them secure while enabling privileged access. This prevents a ‘data held hostage’ situation. Secondly, organizations have to move towards a resilient deployment architecture that enables them to bring up a failover system without risking long term outages.”

N3TW0RM Ransomware: Emerges in Wave of Cyberattacks in Israel


In a surge of cyberattacks that began last week, a new ransomware group known as 'N3TW0RM' is targeting Israeli companies. 

N3TW0RM, like other ransomware gangs, has set up a data leak site where it threatens to release stolen files in order to pressure victims into paying a ransom. At least four Israeli companies and one nonprofit organization were breached in this wave of attacks, according to the Israeli news outlet Haaretz. 

Two Israeli companies, H&M Israel and Veritas Logistic, have already been listed on the ransomware gang's data leak site, with the threat actors allegedly leaking data stolen during the Veritas attack. According to Israeli media and BleepingComputer, the ransomware gang has not demanded especially large ransoms compared with other enterprise-targeting attacks. Veritas' ransom demand was three bitcoins, or roughly $173,000, as per Haaretz, while another ransom note shared with BleepingComputer demands four bitcoins, or roughly $231,000. 

According to a WhatsApp message circulated among Israeli cybersecurity researchers, the N3TW0RM ransomware shares several characteristics with the Pay2Key attacks that took place in November 2020 and February 2021. 

Pay2Key has been linked to the Fox Kitten hacking group, an Iranian nation-state hacking group whose mission was to disrupt and damage Israeli interests rather than collect a ransom payment. At this time, no hacker groups have been linked to the N3TW0RM attacks. 

One source in the Israeli cybersecurity industry told BleepingComputer that, given the low ransom demands and the lack of response to negotiations, N3TW0RM is also being used to sow havoc for Israeli interests. However, according to Arik Nachmias, CEO of incident response firm Honey Badger Security, the N3TW0RM attacks are financially motivated. 

When encrypting a network, threat actors typically distribute a standalone ransomware executable to each system they want to encrypt, but N3TW0RM uses a client-server model. The N3TW0RM threat actors install a program on a victim's server that listens for connections from the workstations, according to samples [VirusTotal] of the ransomware seen by BleepingComputer and conversations with Nachmias. 

The threat actors then use PAExec to deploy and execute the 'slave.exe' client executable on every device that the ransomware will encrypt, according to Nachmias. When files are encrypted, the '.n3tw0rm' extension is appended to their names. 

According to Nachmias, the server component saves the keys in a file and then instructs the clients to start encrypting devices. This strategy lets the threat actor keep every part of the ransomware operation inside the victim's network without relying on a remote command and control server.

However, it increases the attack's complexity and can allow a victim to recover their decryption keys if those files are not deleted after the attack.
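The deployment pattern described above (a client pushed out with PAExec, then a burst of files renamed to the '.n3tw0rm' extension) is something an endpoint telemetry pipeline can flag. The following is an added example, not N3TW0RM code and not BleepingComputer's or Nachmias's tooling: it runs a simple detector over constructed, Sysmon-like event lines. The event field names, the hosts and paths, and the burst threshold and time window are assumptions made for the example; only the PAExec launcher, the 'slave.exe' name and the '.n3tw0rm' extension come from the article.

```python
"""Added example: flag the N3TW0RM deployment pattern in constructed endpoint telemetry."""
import json
from collections import defaultdict

# Indicators named in the article; the thresholds are assumptions for this example.
LAUNCHER = "paexec.exe"       # remote execution tool used to push the client
CLIENT_IMAGE = "slave.exe"    # client executable run on every workstation
ENCRYPTED_EXT = ".n3tw0rm"    # extension appended to encrypted files
RENAME_BURST = 3              # this many renames to the extension...
WINDOW_SECONDS = 60           # ...within this window counts as an encryption burst

# Constructed telemetry (not real logs): one JSON object per line, Sysmon-like but simplified.
SAMPLE_EVENTS = r"""
{"ts": 100, "host": "ws01", "type": "process", "parent": "C:\\Windows\\PAExec.exe", "image": "C:\\Windows\\Temp\\slave.exe"}
{"ts": 101, "host": "ws02", "type": "process", "parent": "C:\\Windows\\PAExec.exe", "image": "C:\\Windows\\Temp\\slave.exe"}
{"ts": 130, "host": "ws01", "type": "rename", "old": "C:\\Data\\q1.xlsx", "new": "C:\\Data\\q1.xlsx.n3tw0rm"}
{"ts": 131, "host": "ws01", "type": "rename", "old": "C:\\Data\\q2.xlsx", "new": "C:\\Data\\q2.xlsx.n3tw0rm"}
{"ts": 132, "host": "ws01", "type": "rename", "old": "C:\\Data\\notes.docx", "new": "C:\\Data\\notes.docx.n3tw0rm"}
{"ts": 140, "host": "ws03", "type": "process", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\App\\app.exe"}
{"ts": 150, "host": "ws03", "type": "rename", "old": "C:\\Data\\a.txt", "new": "C:\\Data\\a.bak"}
"""


def basename(path: str) -> str:
    """Last path component, lower-cased, for either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list) -> list:
    """Return (host, reason, first_ts) alerts for the two indicators above."""
    alerts = []
    rename_times = defaultdict(list)  # host -> timestamps of renames to ENCRYPTED_EXT

    for ev in events:
        if ev["type"] == "process":
            # Client dropped and started by the PAExec remote execution tool.
            if basename(ev["parent"]) == LAUNCHER and basename(ev["image"]) == CLIENT_IMAGE:
                alerts.append((ev["host"], "client deployed via PAExec", ev["ts"]))
        elif ev["type"] == "rename":
            if ev["new"].lower().endswith(ENCRYPTED_EXT):
                rename_times[ev["host"]].append(ev["ts"])

    # Sliding window over each host's renames: a burst of RENAME_BURST or more
    # within WINDOW_SECONDS is reported once per host, at the first timestamp.
    for host, stamps in rename_times.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            j = i
            while j < len(stamps) and stamps[j] - start <= WINDOW_SECONDS:
                j += 1
            if j - i >= RENAME_BURST:
                alerts.append((host, "encryption burst", start))
                break
    return alerts


def run_sample() -> list:
    """Detector over the constructed sample; returns the alert list."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for host, reason, ts in run_sample():
        print(f"{ts:>5}  {host}  {reason}")
```

The deployment alert fires before any file is touched, which is the moment that matters: a host that shows the PAExec-launched client but no renames yet is the one to isolate first. The article's point about the key file applies to the server side of this model, so an incident responder who sees these alerts should preserve, not wipe, the listening host's disk.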

Ransomware Hackers Target Popular Cloud Service Provider 'Swiss Cloud'


Swiss Cloud, a Switzerland-based cloud hosting provider, suffered a ransomware attack that seriously impacted its server infrastructure. The incident took place on Tuesday, April 27, according to Swiss Cloud’s status page. 

The company, which is one of Switzerland’s major hosting providers, said on Friday in an update posted on its website that it’s working to restore affected servers from existing backups. 

“After the cyber-attack on April 27, work is proceeding to clean up the systems and restore normal operations at swiss cloud computing ag. The backup systems can be used for recovery. Parts of the complex server network affected by the attack must first be cleaned up individually and reconfigured with the corresponding temporal effects. The work to clean up and restore the servers, for which swiss cloud computing ag is supported by specialists from the system partners of HPE and Microsoft, gives reason to be confident that the systems will be available again in the coming week. The work will also continue on weekends in 24-hour shifts.” reads a statement posted by the company on its website. 

More than 6,500 clients affected

While the incident did not affect the company's entire server infrastructure, which is spread among different data centers across Switzerland, the disruption has affected server availability for more than 6,500 customers. One of the most high-profile customers hit by Swiss Cloud's outage is Sage, a company that delivers payroll and HR software for German-speaking countries. 

However, while the company may be confident about the timeline of its recovery plan, similar ransomware attacks have hit other cloud and web hosting providers over the past few years, and in most cases recovery efforts lasted weeks, not days. These include incidents at Equinix, CyrusOne, Cognizant, X-Cart, A2 Hosting, SmarterASP.NET, iNSYNQ, and Internet Nayana, to name only the larger attacks. 

Web hosting and cloud infrastructure providers are not particularly targeted by the ransomware groups, but once they’re breached, they usually face some of the largest ransom demands. This is because even the smallest downtime they suffer trickles down to all their customers, and providers face immense pressure to restore services from all sides. This pressure is also why some companies choose to pay the ransom demand even if they have backups.

UNICC and Group-IB Shut Down 134 Scam Websites In a Major Crackdown

Cybersecurity firm Group-IB and the UN International Computing Centre (UNICC) carried out a joint operation that took down 134 websites operated by the scam group "DarkPath." According to the UN and Group-IB, these websites had been used to impersonate the WHO. The scammers built a network of 134 malicious domains posing as the WHO on 'Health Awareness Day,' asking visitors to fill out a fake survey with the promise of a reward. The scammers promised users €200 for completing the survey and sharing it with their WhatsApp contacts. 

The rewards were never sent, and the scam built a massive spam campaign that drove new traffic to the malicious websites. After notifying the UN's International Computing Centre, Group-IB worked with a range of service providers, network regulators, hosting providers, and domain registrars to take down the 134 scam websites. Once the websites were blocked, the scammers stopped using the WHO brand in their campaign, but DarkPath remains active despite the takedown of the WHO-themed sites. According to Group-IB's findings, the fake sites received around 200,000 visitors every day. 

Besides the multi-stage nature of the attack, which makes it harder for researchers to detect, visitors were shown personalized content depending on their geolocation, language settings, and user agent. For instance, the currency of the reward offered for completing the survey varied with the user's location. DarkPath-controlled scam websites are still active and continue to target millions of victims around the globe. The scammers promote their websites via paid ads, social media, and email blasts. 

According to UNICC, during the infrastructure analysis, "Group-IB researchers examined the domains and other digital indicators and concluded that the whole network is likely to be maintained and controlled by a scammer collective codenamed DarkPath Scammers. Most of the domains with phishing and scam content are using CDN’s (Content Delivery Networks) to hide IP addresses of the real servers. The scammers are using the same infrastructure configuration with its traits and misconfigurations across all their servers. Group-IB continues to monitor the scammers’ activity. Organizations should carry out seamless online monitoring to promptly detect any cases of illicit use of their brands."
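The closing advice, that organizations monitor for illicit use of their brands, is concrete enough to show in code. The following is an added example and is not Group-IB's or UNICC's tooling: it triages a feed of newly observed domains for names that carry a protected brand as a standalone label token (including digit-for-letter lookalikes) together with the lure vocabulary the campaign above used. The brand, the allowlist, the lure word list, the homoglyph map and the domain feed are all constructed for the example.

```python
"""Added example: triage newly observed domains for brand impersonation."""
import re

BRAND = "who"                      # protected brand token (constructed choice)
ALLOWLIST = {"who.int"}            # the brand's own domains, never flagged
# Lure vocabulary: "survey", "reward" and "awareness" come from the article,
# the rest are assumed generic scam words.
LURE_WORDS = {"survey", "reward", "awareness", "gift", "prize", "bonus"}

# Constructed sample feed (not real observed domains).
NEW_DOMAINS = [
    "who.int",
    "who-health-awareness-day.xyz",
    "who-survey-reward.com",
    "wh0-gift.top",
    "whoami.dev",
    "example.org",
    "healthday-who.net",
]

# Digit-for-letter swaps commonly used in lookalike names (assumed map).
HOMOGLYPHS = str.maketrans("013", "ole")


def labels(domain: str) -> list:
    """Split the name left of the TLD into tokens on '.', '-' and '_'.
    Assumes single-label TLDs; a public-suffix list would be used in production."""
    host = domain.lower().rstrip(".")
    sld = host.rsplit(".", 1)[0]
    return [t for t in re.split(r"[.\-_]", sld) if t]


def score(domain: str) -> tuple:
    """Return (score, reasons). Brand as a whole token counts, 'whoami' does not."""
    if domain.lower() in ALLOWLIST:
        return 0, []
    reasons = []
    toks = labels(domain)
    if any(t.translate(HOMOGLYPHS) == BRAND for t in toks):
        reasons.append("brand token")
    if any(t in LURE_WORDS for t in toks):
        reasons.append("lure word")
    return len(reasons), reasons


def triage(domains: list) -> list:
    """Flagged domains as (domain, score, reasons), highest score first."""
    scored = [(d, *score(d)) for d in domains]
    flagged = [row for row in scored if row[1] > 0]
    return sorted(flagged, key=lambda row: -row[1])   # stable: feed order kept within a score


if __name__ == "__main__":
    for domain, sc, why in triage(NEW_DOMAINS):
        print(f"{sc}  {domain:32}  {', '.join(why)}")
```

Token matching rather than substring matching is the deliberate choice here: "whoami.dev" is not flagged, while "wh0-gift.top" is, because the homoglyph map restores the brand token before comparison. A domain that only carries the brand token (here "healthday-who.net") is still surfaced, just with lower priority than one that also carries the lure vocabulary.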