City Officials of Grass Valley Negotiate with the Handlers of Ransomware Attack

 

The city of Grass Valley is one of the latest victims of a ransomware attack. The operators of the ransomware attack informed the city officials that they had obtained data from city systems and threatened to post it on the web if the city doesn't pay a ransom. Surprisingly, the city officials decided to pay the ransom. 

“I think everyone’s a target. We’re not supposed to negotiate with terrorists – it emboldens them,” said Matthew Coulter, a Grass Valley resident who clearly wasn’t happy with the decision taken by the city officials.

According to Grass Valley police, they were left with no choice after the perpetrators contacted them in late June and threatened to publish the stolen data. The copied data allegedly included information on people or businesses that had conversations with various Grass Valley systems, including law enforcement.

“If we didn’t pay a small ransom and that data was dumped on the world wide web, then all of the people that we interacted with would be at risk of identity theft, loss of privacy, et cetera. One of the factors that weighed heavily for the city council was if this was something we could do to protect the people that we serve,” said Grass Valley attorney Michael Colatuono. 

City and emergency services were not greatly affected, and some discretionary outages were temporarily implemented. The cost of the incident is covered by the city’s insurance, according to an earlier press release and statements during the news conference.

Grass Valley isn’t the first city in the region to become a target, and likely won’t be the last. Sierra College was affected earlier this year, and others are dealing with similar issues. City officials said the Federal Bureau of Investigation was contacted and that various state agencies are still investigating to find the perpetrators behind the attack. Credit monitoring is available to anyone interested if their personal data may have been breached.

To counter cyberattacks, the most important thing to look out for is phishing emails, said Matt Bishop, a cybersecurity expert and UC Davis professor. They may appear to come from addresses you recognize, but the sender could be pretending to be someone you are familiar with. He said to always check email addresses and avoid clicking on links you don’t recognize, noting that a single click could lead to this kind of chaos.

Security Researchers Discovered Crimea Manifesto Buried in VBA RAT

 

On Thursday, Hossein Jazi and the Threat Intelligence team at Malwarebytes released a report revealing a new threat actor that may be targeting Russian and pro-Russian individuals. A manifesto regarding Crimea was included by the assailants, implying that the attack was politically motivated. A suspicious document called "Manifest.docx" is used in the attacks, and it downloads and runs two attack vectors: remote template injection and CVE-2021-26411, an Internet Explorer exploit. Malwarebytes' Threat Intelligence team discovered the "Манифест.docx" ("Manifest.docx") on July 21.

"Both techniques have been loaded by malicious documents using the template injection technique. The first template contains a url to download a remote template that has an embedded full-featured VBA Rat. This Rat has several different capabilities including downloading, uploading, and executing files," Jazi said. 

The second template is imported into the document and is included in Document.xml.rels. According to the threat research teams at Google and Microsoft, the loaded code contains an IE exploit (CVE-2021-26411) that was previously used by the Lazarus APT to target security researchers working on vulnerability disclosure. The shellcode used in this exploit loads the same VBA RAT as the remote template injection technique. 

The attack, according to Jazi, was motivated by the ongoing conflict between Russia and Ukraine, which includes Crimea. Cyberattacks on both sides have been on the rise, according to the report. The manifesto and Crimea information, however, might be utilized as a false flag by threat actors, according to Jazi. 

The attackers used a combination of social engineering and the exploit, according to the report, to boost their chances of infecting victims. Malwarebytes was unable to pin the assault on a single actor but said that victims were shown a decoy document with a statement from a group linked to a figure named Andrey Sergeevich Portyko, who supposedly opposes Russian President Vladimir Putin's Crimean Peninsula policies. 

The decoy document is loaded after the remote templates, according to Jazi. The document is written in Russian but also has an English translation. The VBA RAT included in the attack collects victim information, identifies the AV product installed on the victim's workstation, runs shellcode, deletes files, uploads and downloads files, and reads disk and file system information. Instead of using well-known API calls for shellcode execution, which can easily be flagged by AV products, the threat actor used EnumWindows to run its shellcode, according to Jazi.

Following a Ransomware Cyberattack, D-BOX Stated it is Gradually Restarting Operations

 

After a ransomware cyberattack on its internal information-technology systems, D-BOX Technologies Inc. says it is progressively resuming operations, with restoration work likely to be completed in the coming weeks. Production was never entirely disrupted by the cyberattack, according to the Montreal-based entertainment company, and rehabilitation of its different internal IT systems has begun. 

D-BOX creates and redefines realistic, immersive entertainment experiences by using elements such as motion, vibration, and texture to move the body and stimulate the imagination. D-BOX has partnered with some of the world's most innovative firms to provide new ways to improve amazing stories. 

The company has postponed the release of its interim financial statements and analysis for the three months ending June 30. The incident had a limited impact on internal systems, and services to studios and theatre operators were unaffected, according to the statement. The company expects a 40% increase in revenue in the first quarter, reaching roughly 3.1 million Canadian dollars ($2.5 million). It stated that its management was attempting to file the financial report as quickly as possible, but that a delay of two to four weeks was probable. 

Analysis suggests that the systems of its clients were neither hacked nor impacted during the cyberattack, according to a report by an external firm specializing in cyber incidents. As a result of the incident, D-BOX does not expect any security patches to its services or software updates to be necessary for its partners. In addition, as a precaution, the company has provided all of its employees and directors a 12-month subscription to Equifax's identity theft and fraud protection service. 

“Security is a top priority and D-BOX is committed to continuing to take all appropriate measures to ensure the highest integrity of all our systems,” said Sebastien Mailhot, President, and CEO of D-BOX. “I’m proud of the efforts of our IT team and external advisors, as they mitigated the attack and accomplished an enormous amount of work in order to resume activities. D-BOX is committed to continuing to communicate directly with all of its clients and partners, whom we thank for their patience as we resolve this situation. The Corporation believes that the financial impact of this cyberattack on the results should be negligible.”

BlackMatter & Haron Targeting Firms with Revenue of $100 Million and More

 

Cybersecurity researchers from South Korean security firm S2W Labs have unearthed two new ransomware groups. A sample of the first group's malware, which identifies itself as 'Haron', was first submitted to VirusTotal on July 19. 

According to S2W Lab, the layout, organization, and tactics used by Haron are almost identical to those for Avaddon, the ransomware group that went dark in June after sending a master decryption key to BleepingComputer that victims could use to recover their data.

Both groups are targeting high-profile organizations in order to maximize their profits. Haron also runs a “leak site” where it threatens to publish data stolen from companies who refuse to pay for decrypting their files. According to S2W Lab, the engine driving Haron ransomware is Thanos, a separate piece of ransomware that has been around since at least 2019.

Haron was developed using a recently published Thanos builder for the C# programming language. Avaddon, on the other hand, was written in C++. Jim Walter, a senior threat researcher at security firm SentinelOne, said in a text message that he spotted what appear to be similarities with Avaddon in a couple of samples he recently started analyzing. He said he would know more soon. 

The second ransomware newcomer goes by the name 'BlackMatter'. According to Flashpoint, the BlackMatter threat actor registered an account on the Russian forums XSS and Exploit on July 19 and immediately followed up with a post saying they were looking to buy access to infected corporate networks of 500 to 15,000 hosts. The targets sought were companies in the United States, Canada, Australia, and the United Kingdom with annual revenues of over $100 million, which may indicate a large-scale ransomware operation.

“Actors have deposited 4 BTC (about US $ 150,000) into their escrow accounts, which shows the seriousness of threat actors when they deposit large amounts in forums. Black Matter does not openly state that they are ransomware collective operators. The language and goals of their posts clearly indicate that they are ransomware collective operators. But technically it doesn’t violate the rules of the forum,” FlashPoint researchers said in the report. 

The emergence of BlackMatter coincides with the disappearance of DarkSide and REvil in the wake of highly publicized incidents of Colonial Pipeline, JBS, and Kaseya — raising speculations that the groups may eventually rebrand and resurface under a new identity.

Q2 2021 Report by Digital Shadows, Abridged

 

Q2 2021 was among the most important periods for ransomware, with several significant events taking place. The quarter saw one of the biggest pipelines in the United States targeted, new ransomware groups emerging and others disappearing. It also saw renowned cybercriminal forums denouncing ransomware and law enforcement activity radically changing some ransomware operations. 

According to the recent report by Digital Shadows, a cybersecurity firm, more than 700 firms were attacked with ransomware and their information was dumped on data leak websites in Q2 of 2021. Of the nearly 2,600 victims mentioned on the data leak websites of ransomware, 740 were identified in Q2 2021, depicting a 47% rise over Q1. 

Digital Shadows researchers found a 183% increase in ransomware activity against the retail sector between the first quarter of 2012 and the second quarter. 

Q1 2021 was driven by supply chain attacks, such as those involving Microsoft Exchange Server and SolarWinds, whereas the latest quarter defined the present and future ransomware threat landscape. 

The report covers the quarter's main events, including the DarkSide attack on Colonial Pipeline, the attack on JBS, the world's largest meat processor, and stepped-up US and European law enforcement actions. 

But the Photon Research Team from Digital Shadows noticed that other ransomware themes had emerged under the surface. Since the Maze ransomware gang helped to popularize the data leak site concept, double extortion methods have become widespread among groups that want to inflict maximum harm after attacks. 

According to the investigation, data from organizations in the commercial products and services industry commonly appeared on dark web leak sites. The list of affected organizations was likewise dominated by construction and materials, retail, technology, and healthcare organizations. 

The Conti group led the way, followed by Avaddon, PYSA, and REvil. 

"This is the second consecutive quarter that we have seen Conti as the most active in terms of victims named to their DLS. Conti, believed to be related to the Ryuk ransomware, has consistently and ruthlessly targeted organizations in critical sectors, including emergency services," the report said. 

However, the report warns that several groups have disappeared or emerged from nowhere in the global ransomware marketplace. According to Digital Shadows, the groups that halted operations in Q2 are Avaddon, Babuk Locker, DarkSide, and Astro Locker, whilst groups such as Vice Society, Hive, Prometheus, LV Ransomware, Xing, and Grief arose with their own dark web leak sites. 

In addition, 60% of victim firms are situated in the United States, with only Canada witnessing a decline in ransomware attacks from Q1 to Q2. Over 350 US-based organizations were affected by ransomware in Q2, compared to 46 in France, 39 in the UK, and 35 in Italy. 

Lastly, the report's researchers questioned whether Q3 would see other attacks similar to the Kaseya ransomware campaign, where REvil operators used a zero-day vulnerability to compromise more than forty managed service providers.

Misconfigured Argo Workflows Instances Employed for Attacking Kubernetes Clusters

 

Intezer has discovered a new attack vector against Kubernetes clusters that uses misconfigured instances of Argo Workflows. Threat actors are already taking advantage of this vector: researchers have observed operators using it in the wild to drop crypto miners. 

Argo Workflows is an open-source workflow engine for orchestrating parallel jobs on Kubernetes, which speeds up compute-intensive tasks such as machine learning and big data processing. It is also used more generally to simplify container deployments. 

Meanwhile, Kubernetes is a popular container orchestration engine. It is an open-source framework for automating the deployment, scaling, and management of containerized workloads, services, and applications across clusters of hosts. 

According to the investigation by Intezer, malware operators are dropping crypto miners into the cloud through Argo, because certain instances are publicly accessible through dashboards that require no authentication from outside users. Through these misconfigured permissions, threat actors can run unauthorized code within the target's environment. 

Intezer security researchers Ryan Robinson and Nicole Fishbein wrote a report documenting the intrusion and noted they had already detected infected nodes. Both indicated the attacks were serious, considering that hundreds of misconfigured deployments had been found and that crypto miners like the Kannix/Monero miner were being dropped through this attack vector. 

"We have detected exposed instances of Argo Workflows that belong to companies from different sectors including technology, finance, and logistics. Argo Workflows is an open-source, container-native workflow engine designed to run on K8s clusters. Argo Workflows instances with misconfigured permissions allow threat actors to run unauthorized code on the victim's environment," Robinson and Fishbein said. 

The exposed instances may contain confidential information such as code, credentials, and private container image names. Researchers also noticed that, in several instances, permissions are configured to allow any visiting user to deploy workflows. They have also discovered that threat actors are targeting some misconfigured nodes.

According to the researchers, the "Kannix/Monero-miner" demands very little skill to use, and the study notes that other security teams have identified major cryptocurrency mining operations against Kubernetes clusters. 

"In Docker Hub, there are still several options for Monero mining that attackers can use. A simple search shows that there are at least 45 other containers with millions of downloads," the study said. 

Fishbein and Robinson recommend that users open the Argo Workflows dashboard from an unauthenticated incognito browser outside the corporate environment to check for misconfigurations. Administrators can also query the API of an instance and inspect the status code.
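
The status-code check mentioned above, as an added example (not code from Intezer or the Argo project): it sends one unauthenticated GET to an Argo Workflows server you administer and classifies the answer. The `/api/v1/info` path, the verdict names and the local stub server are assumptions made for the example; the stub is constructed so the block runs offline.

```python
"""Added example: unauthenticated status-code check for an Argo Workflows server."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the Argo Server info endpoint. The page does not name a path.
INFO_PATH = "/api/v1/info"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx answers instead of following them to an SSO login page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify_status(code):
    """Map the HTTP status of an unauthenticated request to a verdict."""
    if code in (401, 403):
        return "protected"      # the server demanded credentials
    if 200 <= code < 300:
        return "exposed"        # an anonymous caller got a real answer
    if 300 <= code < 400:
        return "redirect"       # probably a login redirect; confirm by hand
    return "inconclusive"       # 404, 5xx, ...: cannot judge from this alone


def probe(base_url, timeout=5.0):
    """Send one GET without credentials and report status and verdict."""
    url = base_url.rstrip("/") + INFO_PATH
    # Direct connection, no proxy, no redirect following, no Authorization header.
    opener = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))
    request = urllib.request.Request(url, method="GET")
    try:
        with opener.open(request, timeout=timeout) as response:
            code = response.status
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx arrive here
        code = err.code
    except (urllib.error.URLError, OSError):
        return {"url": url, "status": None, "verdict": "unreachable"}
    return {"url": url, "status": code, "verdict": classify_status(code)}


def start_stub(status):
    """Constructed stand-in for an Argo server that always answers `status`."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(status)
            if 300 <= status < 400:
                self.send_header("Location", "/login")
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):   # keep the demo output quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Probe three constructed stubs: open, auth-enforcing, SSO-redirecting."""
    results = {}
    for status in (200, 401, 302):
        server = start_stub(status)
        try:
            base = "http://127.0.0.1:%d" % server.server_port
            results[status] = probe(base)["verdict"]
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for status, verdict in demo().items():
        print(status, verdict)
```

Against a real deployment, call `probe()` with the base URL of your own instance from a network location outside the corporate environment, matching the incognito-browser check.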

THORChain Suffers Another Major Hack Totaling $8M

 

Popular cross-chain liquidity exchange THORChain has been hit by another exploit, this time costing around $8 million, suffering a second security breach in two weeks. 

After the hack, THORChain tweeted that it suffered a “sophisticated attack” on its ETH router where nearly $8 million were stolen from them.

“THORChain has suffered a sophisticated attack on the ETH Router, around $8m. Hacker deliberately limited their impact, seemingly a Whitehat. ETH will be halted until it can be peer-reviewed with audit partners, as a priority. LPs in the ERC-20 pools will be subsidized,” THORChain tweeted.

The ETH router controls the movement of Ethereum-based tokens through THORChain cross-chain decentralized exchange.

“The Whitehat requested a 10% bounty – which will be awarded if they reach out, and they should be encouraged to do so.”

The threat actor warned that they had discovered “multiple critical issues” and could have caused much greater damage, such as stealing large amounts of Bitcoin, Binance Coin, Lycan coin, and many other cryptocurrencies.

Just seven days ago, THORChain suffered another multi-million-dollar security breach. The loss was estimated at about 13,000 ETH (around $25 million). Later, however, this was revised on Twitter, with the project claiming, “At this stage, the estimate is around ~4000 ETH worth of assets (ETH/ERC20) was taken, not 13k ETH. More detailed assessment and recovery steps will be announced soon. The users who suffered (LPs) will be made whole in the coming weeks.”

Following last week’s hack, THORChain said it had been audited by multiple blockchain security companies to discover vulnerabilities in a given network. The DeFi protocol promised that the treasury has the necessary funds to compensate all victims and asked for the hackers to get in touch. 

“While the treasury has the funds to cover the stolen amount, we request the attacker get in contact with the team to discuss the return of funds and a bounty commensurate with the discovery,” THORChain added.

THORChain, now with a market worth of $841 million, was founded in 2018 and is a decentralized liquidity protocol that allows for swapping native assets between different blockchains. The cross-chain decentralized exchange would restart its network, donate funds back into the ETH pool to restore the lost funds, release the automatic-solvency checker, and work with security firms to audit.

Hackers Employ Milanote App for Spreading Phishing Email

 

Collaborative applications have been one of the big winners of the pandemic. That includes Microsoft Teams, Google Meet, Zoom, and many others. Web-based software makes brainstorming, designing, and collaborating with team members easier for all kinds of projects. 

Milanote is among the most popular apps used in this period. It is an application for creators to take notes, compile material, and collaborate. It is used for sorting notes, gathering ideas, structuring activities and workflows, and much more. Companies such as Uber, Facebook, Google, and Nike, among many others, use it in their office routine. 

According to analysts, the Milanote app, also described by reviewers as "the Evernote for creatives," has gained the attention of cybercriminals, who abuse it to conduct credential-stealing campaigns that glide past secure email gateways (SEGs). 

The report compiled and published on Thursday by Avanan indicates that the hackers try to compromise victims using a simple email. The email has the subject line "Project Proposal Invoice". The email body is rather plain, only saying, “Hello. See attached invoice for the above-referenced project. Please contact me if you have questions or need additional information. Thank you.” There is no customization, branding, or other social engineering element in the email. 

“The email itself is pretty standard issue,” Gil Friedrich, CEO, and co-founder of Avanan stated. “It gets attention with the subject of ‘Invoice for Project Proposal.’ It’s certainly not the most sophisticated effort in the world, however, it understands what emails can get past static scanners, including, in this case, Milanote.” 

If the recipient opens the attachment link in the email, a single-line document opens ("I shared a file with you. Click on the "Download" link (see below)") with a clickable "Open Docs" button. 

Lately, the volume of these slippery phishing attacks has increased "dramatically," according to Avanan researchers. They analyzed 1,430 emails that contained a link to Milanote, and 1,367 of them were part of phishing campaigns (a whopping 95.5%). 

“[Most] use static scanners to scan attachments or links for malicious payloads,” according to the writeup. “In response, hackers are bypassing those detection mechanisms by nesting the payloads in deeper layers within legitimate services, fooling the static scanners. This is part of a larger trend of hackers utilizing legitimate services to host malicious content. Because the scanner doesn’t go that deep, hackers can leverage these services to host their content and easily send it to users.” 

Friedrich said that scammers have been increasingly employing this technique across a large number of services. Another part of the trend is that, with the advent of collaborative platforms, malicious hackers have turned to them to create new social engineering techniques and escape defenses. 

“We’re talking to people on Zoom, sharing thoughts on Slack, using whiteboards on Jamboard and thousands of other services. Email is still incredibly important, of course, but there are other places where information is transmitted,” he added. 

Cybercriminals can bring dangerous links to wherever users are, rather than just email, and hackers have easy access to many of these collaboration apps. Because users have not received the same phishing training for these platforms, they may have their guard down. It's an easy way for con men to achieve many of their malicious goals. Users are advised to stay alert to the Milanote attack and other similar fast-growing attacks by following the best safety practices available. 

USD 50 Million Ransom Demanded from Saudi Aramco Over Leaked Data

 

Saudi Arabia's state oil firm admitted on Wednesday that data from the corporation was leaked and that the files are now being used in a cyber-extortion effort including a USD 50 million ransom demand. The data was presumably leaked by one of the company's contractors. Saudi Aramco, the Saudi Arabian Oil Co., notified The Associated Press that it "recently became aware of the indirect release of a limited amount of company data which was held by third-party contractors."

Saudi Aramco is a public Saudi Arabian oil and gas enterprise headquartered in Dhahran. It is expected to be one of the world's most profitable corporations as of 2020. Saudi Aramco has the world's second-biggest proven crude oil reserves, with about 270 billion barrels (43 billion cubic metres), as well as the world's greatest daily oil production. 

The Master Gas System, operated by Saudi Aramco, is the world's biggest single hydrocarbon network. It handles about one hundred oil and gas fields in Saudi Arabia, including 288.4 trillion standard cubic feet (scf) of natural gas reserves, and its crude oil production totaled 3.4 billion barrels (540 million cubic metres) in 2013. The Ghawar Field, the world's largest onshore oil field, and the Safaniya Field, the world's largest offshore oil field, are both operated by Saudi Aramco. 

The oil company did not specify which contractor was affected, nor did it clarify whether the contractor was hacked or if the information was released in some other way. "We confirm that the release of data was not due to a breach of our systems, has no impact on our operations and the company continues to maintain a robust cybersecurity posture," Aramco said. 

The AP found a page on the darknet, a section of the internet kept behind an encrypted network and accessible only through specific anonymity-providing tools, that claimed the extortionist had 1 terabyte of Aramco data. The page offered Aramco the chance to have the data destroyed for USD 50 million in cryptocurrency, with a countdown counting down from USD 5 million, most likely to put pressure on the corporation. It's still unknown who's behind the ransom plot. 

Aramco has previously been the victim of cyber-attacks. The so-called Shamoon computer virus, which destroyed hard drives and then flashed a picture of a burning American flag on computer displays, affected the oil behemoth in 2012. Aramco was compelled to shut down its network and destroy over 30,000 machines as a result of the attack. Later, US officials blamed the strike on Iran, whose nuclear enrichment programme had just been targeted by the Stuxnet virus, which was most likely created by the US and Israel.

Cyber-Attack by Hackers Disrupt Iranian Railway System

 

On Saturday 10th of July, just after a cyber interruption in IRNA's computing devices, the official IRNA media outlet announced that Iran's Transport and Urbanization Ministry websites were out of operation. 

A day earlier, on Friday 9th of July, Iranian railways appeared to have been hit by a cyberattack, with messages posted on notice boards at stations around the country about supposed train delays and cancellations. Electronic tracking of trains throughout Iran reportedly failed. 

The attackers published "long-delayed because of cyberattack" and "canceled" notices on the display boards. They further urged passengers to call for information and listed the telephone number of Ayatollah Ali Khamenei, the country's supreme leader. 

The Fars media outlet claimed that the intrusion resulted in "unprecedented chaos" at railway stations. However, on Saturday 10th of July, Iran's national railway company denied the claims of being hit by a cyberattack.

It seems that the intruders had accessed the system at least a month earlier. According to the first report, hundreds of train services were delayed or canceled, with thousands of passengers left stranded. 

The Iranian national railroad website was not operational, although whether the administration or the hackers took it down is still unclear. 

Likewise, attackers had previously taken control of announcements at two airports and displayed anti-government messages. It was also not evident whether a message posted on the station notification board came from officials or was put there by hackers. 

According to Iran International, “The number might belong either to the office of President Hassan Rouhani or Supreme Leader Ali Khamenei. It is not clear if hackers have posted the information or the authorities.” 

Additionally, the newspaper comments that Iran “periodically becomes a target of hackers from other countries, particularly Israel.” 

Israel is widely held responsible for a blackout at Iran's Natanz atomic plant in April 2021, particularly in the Israeli media. Nothing has been done by Israel or Iran to combat such attacks on vital Middle East infrastructure. 

The possibility of state participation is suggested by the absence of any evident financial motive, which indicates either a state or an activist objective. 

Iran International revealed additional information on the rail attack on Sunday 16th of July 2021 from “an information security officer at the presidential administration.” The attackers entered the system at the beginning of June and had prepared the payload from late June. 

After gaining access, the attackers began altering the loading protocols and user passwords. This may have barred administrators from remotely accessing the system and disabled recovery systems. 

In recent times, Iran has been both the source and the target of cyber-attacks, some of which are probably state-sponsored and aimed at impeding its efforts to produce nuclear fuel.

Heartless Attackers Stole Identities of Surfside Condo Collapse Victims

 

Threat actors are targeting people who died in the June 24 collapse of Champlain Towers South in Surfside by ransacking their bank accounts and opening credit cards in their names. 

“It's terrible. I can't wait to put a face to these deeds right now, and I think all of South Florida is eager to see who would do something like this - what kind of person would do something like this. But I'm looking forward to our police department apprehending them, and they are out there looking. I wouldn't want to be that person right now,” Surfside Mayor Charles Burkett told 10 News.

The account of Antonio Lozano, 83, and his wife Gladys, 79, married nearly 59 years and found in their bed together, was compromised by a hacker the day of their funeral, their son Sergio Lozano told WSVN News. The hackers filled out a change of address form and opened up fraudulent credit cards and bank accounts for his parents’ account, then withdrew money via Zelle. 

“I find it totally devastating, after losing my parents, that I have to deal with all the estate issues, and now I’m having to deal with somebody stealing from my parents. After they’re dead and buried, they’re stealing from them?” Sergio Lozano stated. 

Authorities aren’t revealing details about how many of the victims have already been targeted but are urging family members of victims to check both recent credit history and contact the Social Security office. The death toll from the tragic condo collapse is currently hovering around 100. 

“It’s the revictimization of the victims that we’re sort of starting to experience right now with these hackers. They’ve seen the names in the paper, they’re going right to that and we’ve had to have discussions with the families and listen to them telling us the stories about all of a sudden credit cards appearing in their names and things being purchased in their name, so we’ve told ‘em, you’ve got to immediately shut down your credit,” Burkett added.

RansomEXX Ransomware Hits Ecuador’s State-Run CNT Telco

 

Ecuador's state-run Corporación Nacional de Telecomunicación (CNT) suffered a massive ransomware attack causing havoc in the business operations, the payment gateway, and the company's customer support portal.

The public telecommunications organization is a state-run telecommunication carrier that provides fixed-line phone service, mobile, satellite TV, and internet connectivity. Following a ransomware attack, CNT displayed an alert warning on its website about a ransomware attack they suffered and that the customer support and online payment are no longer accessible. 
 
"The National Telecommunications Corporation, CNT EP, filed a protest to the State Attorney General's Office regarding the ransomware attacks on company's computer systems. The initial investigation is going on and, the person behind this incident will be held responsible," read the alert notification translated into English. 

“This attack affected the care processes in our Integrated Service Centers and Contact Center; In this regard, we indicate to our users that their services will not be suspended for non-payment. We must inform our clients, massive and corporate, that their data is They are duly protected. We also inform that services such as calls, internet and television, operate normally," company further added.

CNT has not revealed any details regarding the attack timeline yet, but BleepingComputer reported that the attack was carried out by a ransomware operation called RansomEXX. The gang claims to have stolen 190 GB of data and shared screenshots of some of the documents on a hidden data leak page. Such pages are only accessible via links hidden in ransom notes.

The RansomEXX gang is responsible for numerous high-profile attacks, including Brazil's Rio Grande do Sul court system, Texas Department of Transportation (TxDOT), Konica Minolta, IPG Photonics, nuclear weapons contractor Sol Oriens, and JBS, the world's largest meat producer. 

The ransomware gang first started operating under the name Defray in 2018 but became more active in June 2020 when it changed its name to RansomEXX and began to target big organizations. Like other ransomware gangs, RansomEXX will breach a network via purchased credentials, brute-forced RDP servers, or exploits.

Once the attackers secure access to a network, they will silently spread throughout the network while stealing unencrypted files to be used for extortion attempts. After gaining access to an administrator password, they deploy the ransomware on the network and encrypt all of its devices.

APT Malicious Campaigns Target Asian Entities

 

Researchers from Kaspersky have reported that hundreds of individuals from South East Asia, including Myanmar and the government of the Philippines, are continuously and extensively targeted by advanced persistent threat (APT) activity.

In their analysis of the cyber-espionage attacks by LuminousMoth against a variety of Asian authorities, which began at least as early as October 2020, Kaspersky analysts found 100 victims in Myanmar and 1400 in the Philippines. This APT activity cluster, identified by Kaspersky as LuminousMoth, is associated with the Chinese-speaking HoneyMyte threat group with medium to high confidence.

The links discovered include network infrastructure connections, such as command-and-control servers used by the groups to deploy Cobalt Strike beacon payloads, and related tactics, techniques, and procedures (TTPs). The actors are also reported to launch large-scale attacks on a substantial population of targets, aiming to affect only a tiny subset of people that match their interests.

"The massive scale of the attack is quite rare. It's also interesting that we've seen far more attacks in the Philippines than in Myanmar," Kaspersky GReAT security researcher Aseel Kayal said. "This could be due to the use of USB drives as a spreading mechanism or there could be yet another infection vector that we're not yet aware of being used in the Philippines," he further added.

The threat actors are using spear-phishing emails with malicious Dropbox links that distribute RAR archives camouflaged as Word documents, which bundle the malware payloads used to access the targeted systems.

After it is executed on the victim's device, the malware attempts to spread to other systems through removable USB drives, carrying along files stolen from previously compromised PCs.

The LuminousMoth malware includes post-exploitation tools that operators may use on their victims' networks for further movement: one is disguised as a fake Zoom application, while the other is meant to steal browser cookies from Chrome.

Threat actors exfiltrate data from compromised devices to their command-and-control (C2) servers, which in some cases posed as news outlets to evade identification.

Once downloaded onto a system, the malware tries to infect other systems by spreading through removable USB drives. If a drive is discovered, the malware creates hidden folders on the drive, into which all victim data and harmful executables are moved.

"This new cluster of activity might once again point to a trend we've been witnessing over this year: Chinese-speaking threat actors re-tooling and producing new and unknown malware implants," Kaspersky GReAT senior security researcher Mark Lechtik added.

Stolen Credit Card Data Hidden in Images by Magecart Hackers for Vague Exfiltration

 

Magecart-affiliated cybercriminals have adopted a new approach for obfuscating malware code within comment blocks and embedding stolen credit card data into pictures and other files stored on the site, illustrating how attackers are always upgrading their infection chains to avoid detection. 

Sucuri Security Analyst, Ben Martin, stated in a write-up, "One tactic that some Magecart actors employ is the dumping of swiped credit card details into image files on the server [to] avoid raising suspicion. These can later be downloaded using a simple GET request at a later date." 

Magecart is an umbrella name for several gangs of hackers that attack e-commerce websites intending to steal credit card data and sell it on the black market by injecting malicious JavaScript skimmers.

Sucuri connected the attack to Magecart Group 7 based on similarities in the threat actor's tactics, techniques, and procedures (TTPs). In one instance of a Magento e-commerce website infection analyzed by the GoDaddy-owned security business, the skimmer was located in one of the PHP files involved in the checkout process, in the form of a Base64-encoded compressed string.

Furthermore, the attackers are said to have used a method known as concatenation, in which the code was merged with extra comment portions that "does not functionally do anything but adds a layer of obfuscation making it more difficult to detect."

The attacks' ultimate objective is to collect customers' payment card information in real time on the hacked website; the data is then stored in a fake style sheet file (.CSS) on the server and later downloaded by the threat actor via a GET request.

Martin added, "Magecart is an ever-growing threat to e-commerce websites. From the perspective of the attackers: the rewards are too large and consequences non-existent, why wouldn't they? Literal fortunes are made [by] stealing and selling stolen credit cards on the black market."

Chinese Hackers Target Taiwanese Telecom Firms

 

The Insikt Group, the intelligence research department of the US network security consulting firm Recorded Future, published a report on Thursday stating that a group suspected of being funded by the Chinese government is targeting telecommunications organizations in Taiwan, Nepal, and the Philippines.

The threat group, which researchers track as Threat Activity Group 22 (TAG-22), is targeting telecommunications, academic, research and development, and government organizations in the three countries. Some of the activity appears to be ongoing, researchers said.

The latest attacks play into a larger backdrop of apparent Chinese hackers snooping on global competition in the telecommunications space, which has become an arena of political and economic conflict between China and the United States.

“In particular, the targeting of the ITRI is notable due to its role as a technology research and development institution that has set up and incubated multiple Taiwanese technology firms,” researchers wrote. “The organization is focused on technology and sustainability projects that align with Chinese development interests. In recent years, Chinese groups have targeted multiple organizations across Taiwan’s semiconductor industry to obtain source code, software development kits, and chip designs.”

Last year, cybersecurity company CyCraft claimed that there was a two-year-long large-scale hacking operation focusing on Taiwan’s semiconductor industry, and this wave of operations is likely to be initiated by Chinese hackers. CrowdStrike, a US computer security technology company, also mentioned in a report last year that telecommunications is one of the areas most frequently targeted by Chinese hackers in the first half of 2020.

The researchers believe TAG-22 is using backdoors used by other Chinese state-sponsored groups, including Winnti Group and ShadowPad, for initial access. It also employs open-source security tools like Cobalt Strike. Outside of the telecommunication industry, the threat group has targeted academia, research and development, and government organizations in Nepal, the Philippines, Taiwan, and Hong Kong.

While researchers primarily identified the group as operating in Asia, its scope of targets is generally broader, they said. That, as per researchers, puts it in line with other major Chinese hacking groups including APT17 and APT41.

Oil & Gas Targeted in Year-Long Cyber-Espionage Campaign

 

A sophisticated campaign aimed at big multinational oil and gas firms has been running for more than a year, spreading common remote access trojans (RATs) for cyber-espionage objectives, as per researchers. 

According to Intezer analysis, spear-phishing emails with malicious links are used to deploy RATs such as Agent Tesla, AZORult, Formbook, Loki, and Snake Keylogger on infected computers, all with the goal of stealing confidential data, banking information, and browser information, as well as logging keyboard strokes.

While energy corporations are the primary targets, the campaign has also targeted a few companies in the IT, industrial, and media industries, as per researchers. Its targets are primarily based in South Korea, but include companies from the United States, United Arab Emirates, and Germany, too. 

The report states, “The attack also targets oil and gas suppliers, possibly indicating that this is only the first stage in a wider campaign. In the event of a successful breach, the attacker could use the compromised email account of the recipient to send spear-phishing emails to companies that work with the supplier, thus using the established reputation of the supplier to go after more targeted entities.” 

According to Intezer, “The company is FEBC, a religious Korean Christian radio broadcaster that reaches other countries outside of South Korea, many of these countries which downplay or ban religion. One of FEBC’s goals is to subvert the religion ban in North Korea.” 

Modus Operandi of the Attack:

According to analysts, the attackers launch the attack by sending emails customized to the staff at each of the companies targeted. The email addresses of the recipients range from basic (info@target company[.]com, sales@target company[.]com) to particular persons inside organizations, implying various levels of reconnaissance. 

The email addresses used in the "From" field are typosquatted or forged to give the impression of authenticity. They are designed to look like emails from real organizations that the targets are familiar with. Typosquatting fools email recipients into believing that an email has been sent from a trusted entity.

“The contents and sender of the emails are made to look like they are being sent from another company in the relevant industry offering a business partnership or opportunity,” according to Intezer. 

Other attempts to appear official include making references to executives and utilizing the physical addresses, logos, and emails of genuine organizations in the text of the emails. As per the posting, these also contain requests for quotes (RFQ), contracts, and referrals/tenders for genuine projects linked to the targeted company's business. 

The file name and icon of the attachment in the majority of these emails look like those of a PDF. Intezer experts stated the goal is to make the file appear less suspicious and entice the targeted user to open and read it. An information stealer is executed when the victim opens the attachment and clicks on the files it contains.

Intezer also highlighted that the malware's execution is fileless, meaning it is loaded into memory without generating a file on disc, in order to avoid detection by standard antivirus. 
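
The two delivery tricks described above, a typosquatted "From" domain and an attachment dressed up as a PDF, can be checked mechanically at the mail gateway. The following Python triage routine is an added example, not Intezer's or the original post's code; the partner domains, the look-alike character table, the distance threshold of 2, and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical allow-list of partner domains the organization really deals with.
KNOWN_PARTNERS = {"hypothetical-partner.example", "supplier-energy.example"}
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def skeleton(domain: str) -> str:
    """Fold common look-alike character swaps so '1' and 'l' compare equal."""
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain


def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts an adjacent transposition as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the partner domain this one imitates, or None."""
    domain = domain.lower()
    if domain in KNOWN_PARTNERS:
        return None
    for partner in sorted(KNOWN_PARTNERS):
        if skeleton(domain) == skeleton(partner) or osa_distance(domain, partner) <= 2:
            return partner
    return None


def triage(raw: bytes) -> list:
    """Return findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    partner = lookalike_of(domain)
    if partner:
        findings.append(("lookalike-sender", domain, partner))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        body = part.get_payload(decode=True) or b""
        # Presented as a PDF: ".pdf" appears somewhere in the file name.
        presented_as_pdf = ".pdf" in name
        # Really a PDF: final extension and leading bytes both agree.
        really_pdf = name.endswith(".pdf") and body.startswith(b"%PDF-")
        if presented_as_pdf and not really_pdf:
            findings.append(("fake-pdf", name))
    return findings


def sample_message() -> bytes:
    """Constructed sample message; the attachment bytes are inert."""
    msg = EmailMessage()
    msg["From"] = "Procurement Team <rfq@hypothetica1-partner.example>"
    msg["To"] = "sales@target.example"
    msg["Subject"] = "RFQ for power plant project (constructed sample)"
    msg.set_content("Requirements are in the attached file.")
    msg.add_attachment(b"constructed, inert bytes", maintype="application",
                       subtype="octet-stream", filename="RFQ_requirements.pdf.exe")
    return msg.as_bytes()
```

The file icon mentioned in the report cannot be seen from the message itself, so the attachment check relies on the name and the leading bytes only.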

A Social-Engineering Bonanza: 

According to experts, while the technical parts of the operation are pretty standard, the attackers excel when it comes to social engineering and doing their research on their targets.

One email, for example, claimed to be from Hyundai Engineering and mentioned an actual combined cycle power plant project in Panama. The email instructs the recipient to submit a bid for the project's equipment supply and includes more data and requirements "in the attached file" (containing the malware). In addition, the communication specifies a firm deadline for proposal submissions. 

Another email examined by Intezer researchers was sent to an employee of GS E&C, a Korean contractor involved in a number of worldwide power plant projects. The email requested both technical and commercial proposals for the goods listed in the attachment, which was ostensibly a material take-off (MTO) document.

Researchers stated, “The content of the emails demonstrates that the threat actor is well-versed in business-to-business (B2B) correspondence. This extra effort made by the attacker is likely to increase the credibility of the emails and lure victims into opening the malicious attachments.”

Job Seeking Engineers Have Become Lazarus Gang’s New Target

 

The well-known Lazarus advanced persistent threat (APT) group has been identified behind operations sending malicious documents to job seekers. In this case, the lures pose as job openings at defense companies.

According to a paper published online by AT&T Alien Labs, researchers monitored Lazarus activity aimed at technical targets in the United States and Europe for months.

According to the report's author, Fernando Martinez, the APT has sent potential engineering recruits emails purporting to come from prominent defense contractors Airbus, General Motors (GM), and Rheinmetall.

The emails include Word documents with macros that implant malicious code on a victim's PC and change the target computer's settings to avoid detection.

“The core techniques for the three malicious documents are the same, but the attackers attempted to reduce the potential detections and increase the faculties of the macros,” Martinez wrote. 

Lazarus's operation is the latest to target the defense sector. In February, researchers attributed a 2020 spear-phishing campaign to the APT, which aimed to acquire key data from defense organizations using advanced malware named ThreatNeedle.

Indeed, with Microsoft Office macros being used and third-party communications infrastructure being compromised, Lazarus is written all over the latest attacks, which remain "in line with the earlier Lazarus campaigns," as Martinez said.

“Attack lures, potentially targeting engineering professionals in government organizations, showcase the importance of tracking Lazarus and their evolution,” he wrote. “We continue to see Lazarus using the same tactic, techniques, and procedures that we have observed in the past.” 

Researchers from AT&T Alien Labs have previously seen Lazarus activity trying to lure victims with fake Boeing and BAE Systems jobs. Martinez noted that the current campaign came to light as Twitter users identified several Lazarus-linked documents using Rheinmetall, GM, and Airbus lures from May to June this year.

Researchers have discovered that the campaigns using the three new documents are similar in how they communicate with the command-and-control server but carry out malicious activity in distinct ways. Lazarus has circulated two malicious documents related to the German defense and automotive industry engineering firm Rheinmetall. The second had "more elaborate content," which made it more likely to go unnoticed by victims, noted Martinez.

One distinctive aspect of the macro in the original malicious document is that it renames the Microsoft command-line utility Certutil to try to disguise its actions.

“The macro executes the mentioned payload with an updated technique,” Martinez wrote. “The attackers are no longer using Mavinject, but directly executing the payload with explorer.exe, significantly modifying the resulting execution tree.” 

Owing to Lazarus' historically prolific behavior (Kaspersky called it the "most active" threat group in 2020), the recent attack on technicians "is not expected to be the last," Martinez said.

Attack tactics that may target technical experts in governmental organizations illustrate the relevance of Lazarus tracking and its progression, Martinez added.

Cobalt Strike Payloads: Hackers Capitalizing on Ongoing Kaseya Ransomware Attacks

 

Threat actors are trying to capitalize on the ongoing Kaseya ransomware incident by targeting potential victims with a spam campaign that pushes Cobalt Strike payloads disguised as Kaseya VSA security updates. Cobalt Strike is a legitimate penetration testing and threat detection tool that attackers also use for post-exploitation tasks and to plant beacons that let them gain remote access to compromised systems. The primary goal of such attacks is either harvesting and exfiltrating sensitive data or deploying second-stage malware payloads.

The Cisco Talos Incident Response (CTIR) team said in a September report that "interestingly, 66 percent of all ransomware attacks this quarter involved red-teaming framework Cobalt Strike, suggesting that ransomware actors are increasingly relying on the tool as they abandon commodity trojans." The malware spam campaign discovered by Malwarebytes Threat Intelligence experts uses two distinct approaches to plant the Cobalt Strike payloads. Emails sent as part of this spam campaign come with a malicious attachment and a link designed to look like a Microsoft patch for the Kaseya VSA zero-day exploited in the REvil ransomware attack.

The Malwarebytes Threat Intelligence team said that a malspam campaign is taking advantage of the Kaseya VSA ransomware attack to drop Cobalt Strike. It contains an attachment named 'SecurityUpdates.exe' as well as a link pretending to be a security update from Microsoft to patch the Kaseya vulnerability, the report said. The attackers gain persistent remote access to the targeted systems once victims run the malicious attachment or download and launch the fake Microsoft update on their devices.

BleepingComputer reports, "just as with this month's malspam campaign, the June phishing campaign was also pushing malicious payloads designed to deploy the Cobalt Strike penetration testing tool, which would have allowed the attackers to compromise the recipients' systems. The payload download pages were also customized using the target company's graphics to make them appear trustworthy." These two campaigns highlight that threat actors in the phishing business keep track of the latest news so they can push lures relevant to recent events and boost their campaigns' success rates, BleepingComputer said.

MageCart Group12 Employing New Technique to Target E-Commerce Websites

 

MageCart Group12 is known for targeting e-commerce websites with the goal of skimming payment information from online shoppers and selling it on the dark web. The credit-card skimmer group is using PHP web shells to secure remote administrative access to the sites under attack to steal credit-card data, rather than using their previously favored JavaScript code, which they simply injected into vulnerable sites to log the information keyed into online checkout pages.

Researchers from Sucuri have learned that the scammers are saving the stolen credit-card data in .JPG files until it can be exfiltrated from compromised e-commerce sites running Magento. Most users are stuck on an old version of Magento and are unable to upgrade because they do not have sufficient funds to hire the developer back once their site becomes out-of-date and vulnerable.

The cost to migrate a Magento 1 website (which had its end of life in 2020) to the more secure Magento 2 ranges from $5,000 to $50,000. Researchers believe that Magecart will continue to evolve and enhance its attacking techniques as long as its cybercrimes keep turning a profit. 

“The file named Magento.png attempts to pass itself as ‘image/png’ but does not have the proper .PNG format for a valid image file. The way it is injected in compromised sites is by replacing the legitimate shortcut icon tags with a path to the fake .PNG file,” researchers explained. 

But in this new methodology, the phony favicon is used to load a PHP web shell. The web shell is harder to detect and block because it injects the skimmer code on the server side, rather than the client side. “The creative use of the fake .JPG allows an attacker to conceal and store harvested credit-card details for future use without gaining too much attention from the website owner,” Luke Leal, a researcher at Sucuri, stated.

“The latest techniques observed in these recent Magecart attacks show how the groups themselves are staying innovative by using previous techniques with new coding and tactics. The most recent findings highlight how difficult it may be for defenders to detect skimming activity itself without employing additional code reviews or other types of blocking and inspection,” Sean Nikkel, senior cyber threat intel analyst at Digital Shadows, told Threatpost.

In September 2020, Magecart Group 12 hacked nearly 2,000 e-commerce sites in an automated campaign impacting tens of thousands of customers, who had their credit cards and other information stolen. Scammers employed the classic Magecart attack technique where e-commerce sites are injected with a web skimmer, which secretly exfiltrates personal and banking information entered by users during the online checkout process.
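
For defenders, the storage and obfuscation tricks described in the two Magecart reports above (card data parked in image or .CSS files, a fake .PNG that is not a valid image, and a Base64-encoded compressed skimmer padded with comments inside a checkout PHP file) can be hunted with a scan of the web root. The following Python scanner is an added example, not code from Sucuri or the original posts; the file names, the sample payload, and the assumption that the packed string inflates as DEFLATE, zlib or gzip are constructed for illustration.

```python
import base64
import re
import tempfile
import zlib
from pathlib import Path

# Leading bytes a genuine image of each type must start with.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}
CARD_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")      # card-length digit runs
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")      # long Base64 literals
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)           # PHP block comments
CONCAT_RE = re.compile(r"""['"]\s*\.\s*['"]""")       # 'a' . 'b' joins


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum, to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = (ch - 48) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def check_static_file(path: Path) -> list:
    """Flag a file served as an image or style sheet that is not one."""
    data = path.read_bytes()
    magic = MAGIC.get(path.suffix.lower())
    checks = {
        "bad-magic": magic is not None and not data.startswith(magic),
        "embedded-php": b"<?php" in data,
        "card-like-data": any(luhn_ok(m.group()) for m in CARD_RE.finditer(data)),
    }
    return [name for name, hit in checks.items() if hit]


def has_packed_blob(php_source: str) -> bool:
    """True if the source hides a Base64 string that inflates cleanly."""
    text = CONCAT_RE.sub("", COMMENT_RE.sub("", php_source))  # undo padding
    for m in B64_RE.finditer(text):
        for wbits in (-15, 47):             # raw DEFLATE, then zlib/gzip
            try:
                zlib.decompress(base64.b64decode(m.group(), validate=True), wbits)
                return True
            except (ValueError, zlib.error):
                continue
    return False


def scan(root: Path) -> dict:
    """Walk a web root and return {relative path: [findings]}."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        ext, hits = path.suffix.lower(), []
        if ext in MAGIC or ext == ".css":
            hits = check_static_file(path)
        elif ext == ".php" and has_packed_blob(path.read_text(errors="replace")):
            hits = ["packed-base64"]
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def obfuscated_sample() -> str:
    """Constructed PHP: harmless text, deflated, Base64'd, split, padded."""
    packer = zlib.compressobj(wbits=-15)
    raw = packer.compress(b"<?php /* constructed sample, not a skimmer */ ?>") + packer.flush()
    chunks = re.findall(".{1,12}", base64.b64encode(raw).decode())
    return "<?php $c = '%s';\n" % "' . /* x */ '".join(chunks)


def demo() -> dict:
    """Build a constructed web root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "checkout.php").write_text(obfuscated_sample())
        (root / "Magento.png").write_bytes(b"<?php /* constructed */ ?>")
        (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + bytes(16))
        (root / "theme.css").write_bytes(b"a{color:#000}\n4111111111111111|12/30\n")
        return scan(root)
```

Stripping the comments and re-joining the split literals before matching is what exposes the blob: a plain search for a long Base64 string over the unmodified sample finds nothing.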

Russia's 'Cozy Bear' Breached the Systems of the Republican National Committee

 

According to two people familiar with the situation, Russian government hackers broke into the Republican National Committee's computer systems last week, at the same time a Russia-linked criminal group launched a huge ransomware attack. According to the sources, the government hackers were members of a group known as APT 29 or Cozy Bear. 

That organization has previously been linked to Russia's foreign intelligence service and has been suspected of hacking the Democratic National Committee in 2016 and a supply-chain cyberattack involving SolarWinds Corp., which infiltrated nine US federal organizations and was revealed in December. It is unclear what data the hackers accessed or took, if any. The RNC has denied being hacked on many occasions. “There is no indication the RNC was hacked or any RNC information was stolen,” spokesman Mike Reed said. 

Chief of Staff Richard Walters claimed in a statement released after this story was posted that the RNC learned over the weekend that a third-party provider, Synnex Corp., had been breached. “We immediately blocked all access from Synnex accounts to our cloud environment,” he said. “Our team worked with Microsoft to conduct a review of our systems and after a thorough investigation, no RNC data was accessed. We will continue to work with Microsoft, as well as federal law enforcement officials, on this matter.”

Microsoft declined to disclose any additional information in a statement. A company spokeswoman responded, “We can’t talk about the specifics of any particular case without customer permission. We continue to track malicious activity from nation-state threat actors -- as we do routinely -- and notify impacted customers.” Dmitry Peskov, a spokesman for the Kremlin, denied that the Russian government was involved. “We can only repeat that whatever happened, and we don’t know specifically what took place here, this had no connection to official Moscow,” he said on a conference call. 

The RNC attack, combined with the recent ransomware incident, is a big provocation to President Joe Biden, who warned Russian President Vladimir Putin about cyberattacks at a summit on June 16. As agreed at the meeting, the two countries have been holding "some contacts" about cybersecurity, according to Peskov, who declined to disclose specifics or comment on whether the recent incident was discussed. 

It is unclear whether the RNC hack is linked to the ransomware strikes, which used a number of previously discovered flaws in software from Miami-based Kaseya Ltd.