
What is "Sunburst"? A look into the Most Serious Cyberattack in American History

 

A number of organisations have been attacked in what has been chronicled as one of the most severe acts of cyber-espionage in history, named "Sunburst". The attackers breached the US Treasury, the departments of Homeland Security, State and Defence, and the National Nuclear Security Administration (NNSA), the part of the Department of Energy responsible for safeguarding national security through the military application of nuclear science. While four out of five victims were US organisations, other targets include the UK, the UAE, Mexico, Canada, Spain, Belgium and Israel.
 
The attack came in the wake of the recent state-sponsored attack on the US cybersecurity firm FireEye. The company's CEO, Kevin Mandia, said in his blog that the attackers primarily sought information pertaining to certain government customers.
 
FireEye classified the attack as 'highly sophisticated and customized'; on the basis of his 25 years of experience in cybersecurity, Mandia concluded that FireEye had been attacked by a nation with world-class offensive capabilities.

Similarly, last Sunday, the news of SolarWinds being hacked made headlines for what is being called one of the most successful cyberattacks yet seen. As the attack crippled SolarWinds, its customers were advised to disconnect the Orion Platform, one of the principal products of SolarWinds, which is used to monitor the health and performance of networks.
 
Gauging the magnitude of the attack, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) described the security incident as a "serious threat", while others, requesting anonymity, labelled it "the most serious hacking incident in the United States' history". The attack is ongoing and the number of affected organisations and nations will unquestionably rise. The espionage has been called "unusual", even in this digital age.
 
As experts were assessing how the perpetrator managed to bypass the defences of a networking software company like SolarWinds, Rick Holland offered a theory: "We do know that SolarWinds, in their filing to the Security and Exchange Commission this week, alluded to Microsoft, which makes me think that the initial access into the SolarWinds environment was through a phishing email. So someone clicked on something they thought was benign - turned out it was not benign."
 
Meanwhile, certain US government officials have alleged that Russia is behind these supply chain attacks, while Russia has consistently denied the allegations; the Russian Embassy wrote on Facebook, "Malicious activities in the information space contradict the principles of the Russian foreign policy, national interests and our understanding of interstate relations."
 
"Russia does not conduct offensive operations in the cyber domain," the embassy added in its post to the US.

UK Finance Body: Beware of Parcel Delivery Scam, Especially During Christmas Season

 


After months of lockdown, this Christmas season has become even more special to people, but fraudsters are also beginning to capitalize on the much-delayed excitement of users. The banking trade body UK Finance has warned the public against parcel delivery scams, which are becoming popular during the Christmas shopping season.

The banking trade body said that this Christmas, more people across the nation are expected to shop online than ever before, and there is a high chance that con men will take advantage of this.
 
According to intelligence from the UK Finance trade body, malicious actors are sending phishing emails purporting to be from genuine delivery companies, claiming that the company has been unable to deliver a parcel, large letter or package, and then requesting that recipients send personal and financial information such as their date of birth, address, bank details and mobile number, along with a fee, in order to rearrange the delivery.

It has also been observed that in certain cases, bank customers are receiving phone calls from fraudsters posing as their bank's fraud team, suggesting that they move their money to a safe account or reveal their passcodes.

Katy Worobec, managing director of economic crime at UK Finance, said: "We are urging people not to give gifts to fraudsters this Christmas and to follow the advice of the Take Five to Stop Fraud campaign. Criminals will stop at nothing to commit fraud and that includes exploiting the festive season to target their victims."

Steps from the Campaign to Prevent Fraud:

• According to the intelligence, people must be vigilant against phishing emails containing fake links, which lead to fake platforms that ask them to fill in important data, particularly personal and financial details. These emails may appear genuine and trustworthy, but a scam like this can cost you more than you expect.

• People are advised to check their delivery notifications attentively to ensure that they are genuine. Criminals copy the same pattern that genuine companies use for their customers.

• Customers should always keep track of what they are expecting to receive and should ask the company or authority questions before sending any information or money.

• If one feels that the company is not genuine, one is advised to contact the company directly before sending any form of information.

• Last and most important, report and register a complaint on a genuine platform if you are targeted by any fraud or scam.

US Cybersecurity Company FireEye Hacked by 'Nation-Backed' Threat Actors


On Tuesday, FireEye, one of the leading cybersecurity firms, said that it had been attacked by "highly sophisticated" state-sponsored hackers who stole the company's valuable hacking tools, which are used for testing customers' security and computer networks. The attack was heavily customized to breach FireEye's systems.
 
The breach underlined the biting reality that even the most advanced security vendors, whose primary job is to protect others from intrusions, can themselves be targeted and hacked. Notably, the attacker mainly sought data on some government customers, using an unprecedented combination of tactics, according to the firm. CEO Kevin Mandia, in his blog post, characterized the attack as a 'highly targeted cyberattack' of a kind never witnessed before. So far, no customer data appears to have been accessed by the attackers.
 
There is a good deal of speculation about who might have carried out the attack; however, the firm gave no clarity about the origins of the attackers and is investigating the matter along with the FBI. In the same vein, Mandia indicated in his blog post that the nation responsible is one with world-class offensive capabilities, as the unfamiliarity of the attack speaks volumes about the top-notch capabilities tailor-made to attack FireEye.
 
On the basis of his 25 years of experience in cybersecurity, Mr. Mandia further said in his blog post on Saturday that this attack was “different from the tens of thousands of incidents we have responded to throughout the years,” and “used a novel combination of techniques not witnessed by us or our partners in the past.”
 
“These tools mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers,” the company said in the filing. “Consistent with our goal to protect the community, we are proactively releasing methods and means to detect the use of our stolen Red Team tools.” 
 
A CISA spokesperson said: "As details are made available we are working to share and implement countermeasures across the federal networks and with our private sector partners."
 
Meanwhile, Mike Chapple, a former NSA official who now works at the University of Notre Dame as a cybersecurity expert, said FireEye has had a "ringside seat" for some of the most advanced intrusions carried out globally.

Massive BEC Phishing Ring Uncovered, 3 Nigerian Nationals Arrested

 

In the city of Lagos, three Nigerian nationals suspected of participating in an organized cybercrime group behind malware distribution, phishing attacks and a massive business email compromise (BEC) ring responsible for scams globally have been arrested under “Operation Falcon”, carried out jointly by the international police organization Interpol, the Nigeria Police Force and the Singapore-based cybersecurity firm Group-IB, according to reports by Interpol.
 
In a Business Email Compromise (BEC) attack, the threat actor hacks or spoofs an email account to impersonate an organization’s CEO, vendors or senior executives and gains the trust of employees and customers; that trust is then exploited as the attackers push for actions such as transferring funds to the criminals’ account or, in some cases, handing over confidential data.
 
The cybercriminals behind the operation ran a number of their phishing campaigns in disguise, masked as product inquiries, Coronavirus aid or purchase orders. According to Group-IB, the primary objective of these phishing attacks was to steal authentication data from emails, web browsers and FTP clients of organizations based in the UK, the US, Japan, Nigeria and Singapore.
 
As the ongoing investigation continues to uncover other suspects and the monetization methods employed by the ring, around 50,000 targeted victims have been identified so far. Allegedly, participants in the ring developed phishing links and domains before performing mass BEC campaigns in which they targeted corporations of all sizes. Reportedly, 26 different malware variants were deployed by the criminals, including remote access Trojans (RATs) and spyware.
 
"They then used these campaigns to disseminate 26 malware programmes, spyware, and remote access tools, including AgentTesla, Loki, Azorult, Spartan, and the NanoCore and Remcos Remote Access Trojans," Interpol said.
 
"This group was running a well-established criminal business model," Interpol's Cybercrime Director Craig Jones noted. "From infiltration to cashing in, they used a multitude of tools and techniques to generate maximum profits." 
 
“These programs were used to infiltrate and monitor the systems of victim organizations and individuals, before launching scams and siphoning funds,” Interpol said in an announcement. “According to Group-IB, the prolific gang is believed to have compromised government and private-sector companies in more than 150 countries since 2017.”

Chinese State-Sponsored Hackers Exploiting Zerologon Vulnerability

 

Chinese state-sponsored threat actors have been observed exploiting the Zerologon vulnerability in a global campaign targeting businesses from multiple industries in Japan and 17 other regions across the world, including the United States and Europe. The attacked industries include engineering, automotive, managed service providers and pharmaceuticals.

According to the information gathered by Symantec’s Broadcom division, these attacks have been attributed to the Cicada group also known as APT10, Cloud Hopper, or Stone Panda. 
 
The attackers are known for their sophistication; in certain cases they have concealed their activity effectively enough to remain undetected while operating for around a full year. Previously, the state-backed actors have stolen data from militaries, businesses and intelligence organizations, and Japanese subsidiaries appear to be their newly found target.
 
The links between the attacks and Cicada have been drawn from the obfuscation methods and the shellcode in the loader DLLs used to deliver malicious payloads, which match those seen in the past, along with other similarities such as the use of living-off-the-land tools and the QuasarRAT backdoor as the final payload, both commonly employed by the hacking group.
 
"The initial Cloud Analytics alert allowed our threat hunting team to identify further victims of this activity, build a more complete picture of this campaign, and attribute this activity to Cicada," Symantec said in their report. 
 
"The companies hit are, in the main, large, well-known organizations, many of which have links to Japan or Japanese companies, which is one of the main factors tying the victims together," the report further read. 
 
In September, the Iranian-sponsored hacking group MuddyWater (also known as MERCURY and SeedWorm) was seen actively exploiting the Zerologon vulnerability. Another hacking group that exploited Zerologon was the financially motivated TA505 threat group, also known as Chimborazo.
 
"The affected companies are from manufacturing, construction, and government-related industries, with top victims having around $143 billion, $33 billion and $2 billion yearly revenue," as per a report published by KELA, an Israel-based cybersecurity organization.

"[M]ore and more threat actors, Advanced APT group and nation-state actors are considering Japanese organizations as valuable targets and are actively attacking them via opportunistic and targeted attacks," KELA further added.

Manchester United Hit By a Cyber Attack on their Systems

 

Manchester United confirmed the attack on the club and said that the systems required for the match remained secure.

The club has been hit by a cyber-attack on its systems but states that it is not “currently aware of any breach of personal data associated with our fans and customers”.

In a statement, United said: “Manchester United can confirm that the club has experienced a cyber-attack on our systems. The club has taken swift action to contain the attack and is currently working with expert advisers to investigate the incident and minimize the ongoing IT disruption.

“Although this is a sophisticated operation by organized cybercriminals, the club has extensive protocols and procedures in place for such an event and had rehearsed for this eventuality.

Our cyber defenses identified the attack and shut down affected systems to contain the damage and protect data. Club media channels, including our website and app, are unaffected and we are not currently aware of any breach of personal data associated with our fans and customers. 

We are confident that all critical systems required for matches to take place at Old Trafford remain secure and operational and that tomorrow’s game against West Bromwich Albion will go ahead.”




The club told the British authorities about the incident, including the Information Commissioner's Office.

United has also launched a forensic investigation into the incident.

A spokesperson for the club added: “These types of attacks are becoming more and more common and are something you have to rehearse for.” 

United have informed the Information Commissioner's Office and added that forensic tracing is being carried out in an attempt to establish further details of the attack.


Managed.com Hosting Provider Hit by REvil Ransomware, $500K Ransom Demand


Managed hosting provider Managed.com has temporarily taken all of its servers and web hosting systems offline, including clients' websites, in response to a REvil ransomware attack that compromised its public-facing web hosting systems.
 
The threat actors behind the security incident, which took place on Monday, 16th November, are not yet known; however, the company said that it is working with law enforcement agencies to investigate the matter and to restore services as securely as possible. As of now, it remains unclear whether the attackers stole any data before encrypting devices.
 
Initially, the web hosting service refrained from revealing any details about the incident and posted an update citing 'unscheduled maintenance' as the reason for the service interruption. Later, however, the company disclosed that it had suffered a ransomware attack affecting its systems and files containing critical data.
 
In a status update, Managed.com said, "November 17, 2020 – On Nov.16, the Managed.com environment was attacked by a coordinated ransomware campaign. To ensure the integrity of our customers’ data, the limited number of impacted sites were immediately taken offline. Upon further investigation and out of an abundance of caution, we took down our entire system to ensure further customer sites were not compromised. Our Technology and Information Security teams are working diligently to eliminate the threat and restore our customers to full capacity. Our first priority is the safety and security of your data. We are working directly with law enforcement agencies to identify the entities involved in this attack. As more information is available, we will communicate directly with you." 
 
According to multiple sources, REvil, a ransomware-as-a-service operation infamous for carrying out large attacks, has demanded a $500,000 ransom in Monero in exchange for a decryption key. REvil has attacked big names such as Kenneth Cole, Travelex, Brown-Forman, GSMLaw and SeaChange in the past.

Also known as Sodinokibi, REvil was first spotted in April 2019. It attacks Windows PCs, encrypting all the files on local drives (except those listed in its configuration file) and leaving a ransom note on affected systems with instructions for getting the files decrypted in return for the demanded ransom.

Hackers Stole $2.3M, Wisconsin Republicans Claim

 

Wisconsin: Republican officials said that hackers stole $2.3m from a party account being used to support Donald Trump's re-election.

Following the discovery of the suspicious activity on 22nd October, the FBI was contacted to investigate the matter, according to statements by state party chairman Andrew Hitt. He also said that the state party had been warned about such cyberattacks in August, during the party's national convention.
 
Campaign invoices from four vendors were manipulated by the hackers to steal the funds, according to reports by the Associated Press. These vendors were being paid to send out direct mail and to hand out pro-Trump material such as hats in support of the Trump campaign.
 
Seemingly, the attackers began with a phishing scam and proceeded to alter the invoices so that payments meant for the vendors were directed to themselves, Mr. Hitt said. A party spokesman added that no data appeared to have been stolen. However, millions were stolen from the Wisconsin Republicans' federal account.
 
According to Joe Tidy, BBC cyber-security reporter, "The information security world is tense right now waiting and watching for cyberattacks that could affect the US election." 
 
"It sounds like an almost standard case of something called Business Email Compromise (BEC). Effectively the hackers have either gained access to or spoofed an email address to put themselves between the Wisconsin Republican party HQ and one of their suppliers. The party then transferred the money to the hackers instead of its campaign partner," he said. 
 
"The reported hack comes as Mr. Trump and Democratic rival Joe Biden are both making a final push this week to secure Wisconsin ahead of the 3 November election." 
 
"There have also been hundreds of attempted attacks on the Wisconsin Democratic campaign, a spokeswoman told the Associated Press." 
 
"The Midwestern state is one of a handful of core battleground states - areas which could realistically go to the Republicans or Democrats - this election season. Candidates will need to win in several states like Wisconsin in order to win the presidency," he added.


PoetRAT Targeting Public and Private Sector in Azerbaijan

 



APT groups have been targeting the public sector and other major organizations in Azerbaijan with recent versions of PoetRAT. Notably, the threat actor has moved from Python to Lua scripts and uses Word documents to deploy the malicious software.
 
PoetRAT was first discovered by Cisco Talos. It was being distributed using URLs that falsely appeared to be Azerbaijani government domains, giving researchers reason to believe that the adversaries intended to target citizens of the Eurasian country. The threat actors also attacked private organizations in the SCADA sector, such as wind turbine systems. However, the recent campaigns that unfolded in September and October were targeted at the public sector and VIPs. In later versions, the operators worked out a new exfiltration protocol to cover their activities and avoid being caught.
 
Written in Python and split into various parts, the malware gives the operator full control of the infected system. It gathers documents, pictures from the webcam and even passwords, employing additional tools. In an attempt to improve their operational security (OpSec), the attackers replaced the protocol and perform reconnaissance on infected machines.
 
Over the past months, the developers of the malware have continuously evolved their strategies to penetrate more sophisticated targets. The campaign demonstrates how the attackers manually pushed additional tools onto infected machines when required: keyloggers, camera control applications, generic password stealers and browser-focused password stealers. Besides the malware campaigns, the operators also used the same infrastructure for a phishing campaign in which the phishing website impersonated the webmail of Azerbaijan’s government.
 
Other instances in which Azerbaijan has grappled with cyberattacks include a data breach affecting sailors of the Azerbaijan Navy. The hacked data belonged to 18,872 sailors and included their full names, dates of birth, passport numbers and passport expiry dates. In another attack, a UK-based live flight tracking service suffered DDoS attacks that temporarily halted its services; the attack is alleged to have links with the ongoing geopolitical conflicts in Azerbaijan.

NZX Suffers Power Outage Caused by Multiple Cyberattacks, Trading Halted


New Zealand’s stock exchange came to an abrupt halt after being hit by cyberattacks multiple times over a week, blocking access to its website and resulting in a major power outage caused by a distributed denial of service (DDoS) attack from overseas, state-backed adversaries.

The unknown attackers commandeered a group of computers and used them to bombard the NZX website with connection requests, which overloaded the exchange’s servers and shut down its website.

The systems harnessed to carry out the attack probably belonged to innocent businesses that had been compromised by malware earlier. The owners of these compromised computers have most likely remained oblivious to the fact that their machines were hijacked to facilitate a cyberattack.

On Wednesday, the Wellington-based NZX exchange issued a statement wherein they explained how the Tuesday attack affected their websites and the market announcement platform. Blaming the attack on overseas adversaries, the NZX said that it had “experienced a volumetric DDoS attack from offshore via its network service provider, which impacted NZX network connectivity”.

“A DDOS attack aims to disrupt service by saturating a network with significant volumes of internet traffic. The attack was able to be mitigated and connectivity has now been restored for NZX,” the exchange further said.

Commenting on the matter, Dr. Rizwan Asghar, from the school of computer science at Auckland University, said that it was difficult to trace the source of such a cyberattack, as the threat actors tend to hide their IP addresses.

To combat the attacks, the NZX sought help from New Zealand’s spy agency, the Government Communications Security Bureau (GCSB); by Friday the GCSB had set up a group to investigate the matter, which concluded that the motivation for the DDoS attack appeared to be financial rather than political, as some had claimed.

The findings of the investigation denied the involvement of state-backed agents in the attacks by stating that, "The nature of this tends to be a criminal activity rather than state-backed. You can't rule it out but it's more likely than not to be criminal activity."

Over 500 SSH Servers being Breached by FritzFrog P2P Botnet


Cyberspace has seen an unprecedented rise in modified versions of peer-to-peer (P2P) threats. It might have appeared that P2P services were vanishing, but in reality they have re-emerged even stronger in new forms. BitTorrent and eMule are still known to be in use by attackers.

A peer-to-peer (P2P) network is an IT infrastructure in which two or more computers have agreed to share resources such as storage, bandwidth and processing power with one another. Besides file sharing, it also allows access to devices such as printers without going through separate server software. A P2P network is not to be confused with the client-server network that users have traditionally used, in which the client does not contribute resources to the network.

Researchers at Guardicore have recently discovered a sophisticated peer-to-peer (P2P) botnet called FritzFrog that has been actively operating since January 2020, breaching SSH servers. It is a modular, multi-threaded worm written in Golang that is completely volatile and fileless, leaving no trace on the infected system’s disk.

It has a decentralized infrastructure which distributes control among all its nodes. The network uses AES for symmetric encryption and the Diffie-Hellman protocol for key exchange in order to carry out P2P communication via an encrypted channel.

So far, more than 20 malware samples have been discovered by the researchers as FritzFrog attempted to brute-force over 500 SSH servers belonging to educational institutions, government institutions, telecom organizations, banks and medical centers worldwide. The campaign also targeted some well-known higher-education institutions in the United States and Europe, along with a railway firm.

Botnets are being leveraged by attackers for DDoS attacks and other malicious activities, as per the recent attack trend. Earlier in June this year, the Mozi malware was seen exploiting IoT devices, mainly DVRs and routers. Threat actors brought together various malware families, namely Mirai, Gafgyt and IoT Reaper, to build a botnet capable of DDoS attacks, command or payload execution and data exfiltration.

“FritzFrog’s binary is an advanced piece of malware written in Golang. It operates completely in-memory; each node running the malware stores in its memory the whole database of targets and peers,” according to Guardicore’s report.

“FritzFrog takes advantage of the fact that many network security solutions enforce traffic only by the port and protocol. To overcome this stealth technique, process-based segmentation rules can easily prevent such threats.”

“Weak passwords are the immediate enabler of FritzFrog’s attacks. We recommend choosing strong passwords and using public key authentication, which is much safer. In addition, it is crucial to remove FritzFrog’s public key from the authorized_keys file, preventing the attackers from accessing the machine. Routers and IoT devices often expose SSH and are thus vulnerable to FritzFrog; consider changing their SSH port or completely disabling SSH access to them if the service is not in use,” the report further read.
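The two recommendations quoted above (key-based authentication instead of passwords, and removing any key the botnet planted from authorized_keys) can be turned into a host audit. The script below is an added example, not Guardicore's or the report's code: it flags authorized_keys entries whose key material is not on an administrator-maintained allowlist (the allowlist approach is this example's assumption), and sshd_config settings that still permit password logins, using constructed sample files with placeholder key blobs.

```python
"""Audit an SSH host for what the FritzFrog report calls out. Added example,
not Guardicore's code: all input below is constructed sample data, and the
key blobs are placeholders, not real keys."""
import base64
import hashlib
import re
from typing import Dict, List

# Constructed placeholder key material (valid base64, not real keys).
OPS_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEOPSKEY" + "0" * 30
BUILD_KEY = "AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEBUILDKEY00"
UNKNOWN_KEY = "AAAAB3NzaC1yc2EAAAADAQABAAACAQEXAMPLEUNKNOWNKEY0"

# Constructed authorized_keys: two issued keys plus one nobody issued.
SAMPLE_AUTHORIZED_KEYS = f"""\
# ops team
ssh-ed25519 {OPS_KEY} alice@ops
ssh-rsa {BUILD_KEY} build@ci
command="/bin/true",no-pty ssh-rsa {UNKNOWN_KEY} nobody@nowhere
"""
ALLOWED_KEY_BLOBS = {OPS_KEY, BUILD_KEY}  # key material the admin issued

# Constructed sshd_config excerpt with the weak settings FritzFrog needs.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Key type, base64 blob, comment; search() skips options like no-pty.
KEY_RE = re.compile(
    r"(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)"
    r"|sk-[\w.-]+@openssh\.com)\s+(?P<blob>[A-Za-z0-9+/]+={0,2})"
    r"(?:\s+(?P<comment>.*))?$"
)

# (keyword, OpenSSH default, values that keep a password path open, fix)
WEAK_SETTINGS = [
    ("PasswordAuthentication", "yes", {"yes"},
     "set to no and use public key authentication"),
    ("PermitRootLogin", "prohibit-password", {"yes"},
     "set to prohibit-password or no"),
]


def fingerprint(blob: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    digest = base64.b64encode(hashlib.sha256(raw).digest()).decode()
    return "SHA256:" + digest.rstrip("=")


def audit_authorized_keys(text: str, allowed_blobs) -> List[dict]:
    """One finding per key line whose material is not on the allowlist."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        match = KEY_RE.search(entry)
        blob = match.group("blob") if match else None
        if blob in allowed_blobs:
            continue
        try:
            fp = fingerprint(blob) if blob else "unparseable"
        except ValueError:  # binascii.Error is a ValueError subclass
            fp = "malformed"
        comment = (match.group("comment") or "") if match else entry
        findings.append({"line": lineno, "fingerprint": fp, "comment": comment})
    return findings


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Global settings only: sshd keeps the first occurrence of a keyword,
    and everything after the first Match block is conditional."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        if parts[0].lower() == "match":
            break
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text: str) -> List[dict]:
    """Flag settings that leave password brute-forcing possible."""
    cfg = parse_sshd_config(text)
    findings = []
    for keyword, default, bad, fix in WEAK_SETTINGS:
        value = cfg.get(keyword.lower(), default)
        if value.lower() in bad:
            findings.append({"setting": keyword, "value": value, "fix": fix})
    return findings
```

Run against a real host by reading each user's authorized_keys and /etc/sshd_config into the two functions; the allowlist is whatever your key inventory says was issued.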

Canada Cybersecurity: Health Care Industry Battles Cyberattacks as Experts Call-in Federal Support


Canada's hospitals and clinics are facing massive cyber threats as cyberattacks targeting the Canadian healthcare industry have risen sharply in number.

Researchers reported that the health-care sector is the most targeted sector in Canada, accounting for 48% of all security breaches in the country. The digital security of Canadian hospitals is exposed to heavy risk, and the growing number of data-breach incidents shows how the healthcare industry has become the new favourite of cybercriminals.

The issue has gained widespread attention, leading to calls for national cybersecurity standards to be imposed on the healthcare industry. To tackle the problem effectively and protect the privacy of their patients, institutions need to update their cybersecurity arsenal, for which experts deem the federal government's involvement necessary.

While commenting on the matter, Paul-Émile Cloutier, the president and CEO of HealthcareCAN, said: "My biggest disappointment at this moment is that it seems that anything that has to do with the health sector and cybersecurity is falling between the cracks at the federal level."

Cybersecurity experts expressed their concern in this regard and put into perspective the current inability of the Canadian health system to cope with the increasing risk.

Experts believe that information about a person's health can be of more value to cybercriminals than credit card data, because an individual's health care identity contains unique values that remain the same over time, such as the individual's health number or date of birth; this makes identity theft smoother for hackers.

Over the past year, various Canadian health-care institutions have fallen victim to breaches, including LifeLabs, one of the country's largest medical laboratories for diagnostic testing, which was hit by a massive cyberattack compromising the health data of around 15 million Canadians. The private provider was forced to pay a ransom in order to retrieve the stolen customer data.

In another incident, attackers breached the computer networks of three hospitals in Ontario, which led to a temporary shutdown of diagnostic clinics; non-emergency cases were told to come back later.

Durham City, North Carolina Hit by Ransomware Attack



On Friday, the City of Durham, North Carolina suffered a cyberattack in which Ryuk ransomware crippled the city's IT systems and compromised its public safety phone networks. According to media reports, the city first experienced a phishing attack that eventually allowed the Ryuk ransomware to be deployed onto its IT systems. In an immediate response, Durham shut down its network to prevent the attack from spreading further across the entire network. All access to the DCI Network for the Durham Police Department, the Durham Sheriff’s Office and their communications center was temporarily disabled. Ryuk is well-planned, targeted ransomware that has been operated since 2018 by WIZARD SPIDER, a Russia-based operator of the TrickBot banking malware. After gaining access, Ryuk is programmed to spread to network servers as files are exchanged between systems.

As of now, there are no traces of data having been stolen; however, users are advised to stay wary of phishing emails purporting to be from city officials. Alongside this, the attack led to the shutdown of Durham's 911 call center and deprived its Fire Department of phone service. Ryuk's technical capabilities are relatively low; however, it has successfully targeted various small to large organizations across the world and encrypted hundreds of systems, storage devices and data centres. Usually, the malware is deployed onto networks after they have been infected by the TrickBot Trojan, a malware designed to illegally harvest users' private data via phishing.

TrickBot is distributed through malicious email attachments. Once it has harvested the data it wants from a network, it opens a shell back to the actors operating it; that access lets the Ryuk operators obtain administrator credentials, collect the harvested data and then push the ransomware out across the network.

"According to the SBI, the ransomware, named Ryuk, was started by a Russian hacker group and finds its way into a network once someone opens a malicious email attachment. Once it's inside, Ryuk can spread across network servers through file shares to individual computers," WRAL reported.

According to the findings of the city's investigation, the malware used in the attack is of Russian origin; however, the exact source of the attack remains unknown and the investigation is still underway.

Hackers Blackmail Patients of Surgical Company in a Cyber attack




The patients of a facial surgery practice in Florida that was recently hacked are now being threatened by the attackers, who demand that the patients pay them or have their personal information leaked online.

TCFRR (The Center for Facial Restoration), a facial surgery practice based in Miramar, was attacked by cybercriminals in November last year.

In an online statement published on the company's official website, plastic surgeon and company founder Dr. Richard Davis said: "On 8 November 2019, I got an anonymous e-mail from hackers claiming to have breached my company's server. The cybercriminals revealed that they had personal data of TCFRR's patients and threatened either to expose the data online or sell it to third parties."

Dr. Davis was then blackmailed: the hackers demanded an undisclosed ransom in return for not exposing the stolen data.

Not content with that, the hackers then contacted TCFRR's patients individually to extort money from them directly.

"The hackers were demanding a ransom negotiation, and after 29 November 2019, around 20 patients have reached our company having criticisms of individual ransom demands, accusing that these hackers are threatening to release their personal information (including personal photos) online unless their ransom demands are met," says Dr. Davis in a statement. 

He estimates that around 3,500 current and former patients may have been affected. The compromised data may include passport and driving licence details, residential addresses, email addresses, contact information, banking credentials and patients' photographs.

Following the incident, the FBI's cyber division was contacted on 12 November, and Dr. Davis met FBI agents on 14 November to discuss the ransom demands and the details of the attack.

To guard against a repeat, Dr. Davis has taken precautions including installing new hard disks, a new firewall and anti-malware software. The statement does not say how the server was breached, so it is not clear from it whether these measures address the original point of entry.

"I am disgusted by this criminal and selfish invasion, and I sincerely apologize to the patients for their crisis in this stupid and spiteful action," said Davis on his website.

The statement was published openly because the company's server did not provide a way to contact the patients individually.

Indian users third most affected by Formjacking attacks, after the US and Australia


According to a new report by cybersecurity firm Symantec, which blocked over 2.3 million formjacking attacks globally in the second quarter of 2019, Indian users were the third most exposed to formjacking, after users in the US and Australia.

In 2018, US users accounted for 33% of all formjacking detections; in the first half of 2019 their share rose to more than 50% of global detections. India, with 5.7% of global detections, ranks third, according to the Symantec report.

Formjacking is a relatively new threat in which attackers inject malicious code into websites, typically pages where users fill out job applications, government forms or payment card details. Symantec analysed formjacking in depth in its Internet Security Threat Report (ISTR), which highlights how users and websites were affected by the threat in 2018-19.

“We expect this formjacking trend to continue and expand further to steal all kinds of data from web forms, not just payment card data. This also means that we are likely to see more software supply chain attacks. Unfortunately, formjacking is showing no signs of disappearing any time soon. Therefore, operators of online stores need to be aware of the risk and protect their online presence,” reads the report.

How 'Formjacking' Works

To inject malicious JavaScript into a website, attackers modify one of the JavaScript files that the site loads. The injected code then changes the behaviour of the targeted form on the compromised site so that, when a user submits it, a copy of the credit card data and other sensitive fields is sent to the attackers while the form continues to work normally for the user.

Symantec found that websites compromised by formjacking remained infected for an average of 46 days. Publicly reported victims include major companies such as British Airways, Ticketmaster, Feedify and Newegg.

"Each month we discover thousands of formjacking infected websites, which generate millions of dollars for the cybercriminals," warned Candid Wueest, Principal Threat Researcher at Symantec.

"Consumers often don't notice that they have become a victim to a formjacking attack as it can happen on a trusted online store with the HTTPS padlock intact. Therefore, it is important to have a comprehensive security solution that can protect you against formjacking attacks," He added.

Hacker ordered to pay back £922k

A hacker who carried out cyber attacks on more than 100 companies has been ordered to pay back £922,978.14 of cryptocurrency.

Grant West had been jailed for fraud after carrying out attacks on brands such as Sainsbury's, Uber and Argos.

A police investigation, codename "Operation Draba", uncovered West's activity on the dark web under the moniker of "Courvoisier".

The confiscation order was made during a hearing at Southwark Crown Court.

West, from Sheerness, Kent, used phishing email scams to obtain the financial data of tens of thousands of customers.

He would then sell this personal data on dark-web marketplaces, convert the proceeds into cryptocurrency and store it across multiple accounts.

West, of Ashcroft Caravan Park, was jailed in May at Southwark Crown Court for 10 years and eight months.

Detectives had discovered evidence of West conducting cyber attacks on the websites of 17 major firms.

Following West's arrest, approximately £1m in cryptocurrency was seized from a number of his accounts. Taking currency fluctuations into account, it is today valued at £922,978.14.

The cryptocurrency will now be sold and the victims will receive compensation.

As well as financial data, he also sold cannabis which he shipped to customers, and "how to" guides instructing others how to carry out cyber attacks.

West also regularly used stolen credit card details to pay for items for himself, including holidays, food, shopping and household goods. West admitted conspiracy to defraud, possession of criminal property, unauthorised modification of computer material and various drugs offences.

A Security Researcher Discovers A Fully Unprotected Server On An Aerospace Company’s Network




Ruben Santamarta, a security researcher at the security firm IOActive, discovered a completely unprotected server on Boeing's network, apparently loaded with code designed to run on the company's 737 and 787 passenger jets, left openly accessible to anyone who found it.

A year later, Santamarta claims the leaked code led him to discover security flaws in one of the 787 Dreamliner's components, deep in the plane's multi-tiered network. He suggests that, for an attacker, exploiting those bugs could represent one stage in a multi-stage attack that starts in the plane's in-flight entertainment system and reaches the highly protected, safety-critical systems such as flight controls and sensors.

Boeing flatly denies that such an attack is even possible and rejects Santamarta's claim to have found a potential way to carry it out. Santamarta himself concedes that he does not have the evidence to confirm his claims, but he and several other avionics cybersecurity researchers who have reviewed his findings argue that, while a full cyberattack on a plane's most sensitive systems remains far from a practical threat, the flaws found in the 787's code nonetheless reflect a troubling lack of attention to cybersecurity on Boeing's part.


"We don't have a 787 to test, so we can't assess the impact. We're not saying it's doomsday, or that we can take a plane down. But we can say: this shouldn't happen," said Santamarta at the Black Hat security conference in Las Vegas on 8 August.

When Boeing investigated IOActive's claims, it concluded that there was no real danger of a cyberattack and issued a statement on the matter: "IOActive's scenarios cannot affect any critical or essential airplane system and do not describe a way for remote attackers to access important 787 systems like the avionics system," the statement reads.

"IOActive reviewed only one part of the 787 network using rudimentary tools, and had no access to the larger system or working environments. IOActive chose to ignore our verified results and limitations in its research, and instead made provocative statements as if they had access to and analyzed the working system. While we appreciate responsible engagement from independent cybersecurity researchers, we’re disappointed in IOActive’s irresponsible presentation."

A company spokesperson said that, while investigating IOActive's claims, Boeing had put an actual 787 into "flight mode" for testing and had its security engineers attempt to exploit the vulnerabilities Santamarta had found.

Boeing says it also consulted the Federal Aviation Administration and the Department of Homeland Security about Santamarta's findings. The DHS did not respond to a request for comment, while an FAA spokesperson wrote in a statement that it is "satisfied with the manufacturer's assessment of the issue."

Few, if any, of the security researchers consulted believe that, on the basis of Santamarta's findings alone, a hacker could pose any imminent threat to an aircraft or its passengers. They argue, however, that his research, despite Boeing's denials and assurances, should serve as a reminder that aircraft security is far from a solved area of cybersecurity research.

Forensic services firm pays ransom after cyber-attack

The UK's biggest provider of forensic services has paid a ransom to criminals after its IT systems were disrupted in a cyber-attack, BBC News has learned.

Eurofins Scientific was infected with a ransomware computer virus a month ago, which led British police to suspend work with the global testing company.

At the time, the firm described the attack as "highly sophisticated".

BBC News has not been told how much money was involved in the ransom payment or when it was paid.

The National Crime Agency (NCA) said it was a "matter for the victim" as to whether a ransom had been paid.

The agency, which is investigating the attack, said: "As there is an ongoing criminal investigation, it would be inappropriate to comment."

Eurofins previously said the attack was "well-resourced" but three weeks later said its operations were "returning to normal".


It said it would also not comment on whether a ransom had been paid or not.

It added it was "collaborating with law enforcement" in the UK and elsewhere.

The ransomware attack hit the company, which accounts for over half of forensic science provision in the UK, on the first weekend in June.

Ransomware is malware that prevents users from accessing their systems or files, typically by encrypting them. Messages left by the perpetrators demand a payment in return for restoring access.

Eurofins deals with over 70,000 criminal cases in the UK each year.

It carries out DNA testing, toxicology analysis, firearms testing and computer forensics for police forces across the UK.

Forensic science work has been carried out by private firms and police laboratories in England and Wales since the closure of the government's Forensic Science Service in 2012.

'Court hearings postponed'

An emergency police response to the cyber-attack was led by the National Police Chiefs' Council (NPCC) to manage the flow of forensic submissions so DNA and blood samples which needed urgent testing were sent to other suppliers.

Chinese Cyber-attack Hit Telegram Amidst Hong Kong Protests


Telegram, a secure messaging app, was recently bombarded with traffic from a network of computers in China, following protests against the Hong Kong government's plans to pass a new extradition law.

On Tuesday night, as protesters gathered near Hong Kong's Legislative Council building, the authorities arrested the administrator of a Telegram chat group with approximately 20,000 members, even though he was not at the protest site.

The law proposed by the Hong Kong government would allow people in the city to be extradited to mainland China, where the court system is closed to public scrutiny and tightly controlled by the Communist Party.

The unusual measures taken by the Hong Kong authorities suggest that the police have turned to constraining digital communication as a way of countering the protesters.

The protesters have been using today's networking tools to rally supporters, share safety tips and organise supplies of food and drink, even as they take steps to hide their identities. The authorities responded by tracking them where they plan their moves, suggesting that they are taking cues from the way China polices the internet.

Both protesters and police have brought a new technological savvy to the standoff.

Lokman Tsui, a professor at the School of Journalism and Mass Communication at the Chinese University of Hong Kong, described the situation this way: "We know the government is using all kinds of data and trails to charge people later on, this is why people are minimizing their footprints as much as possible, they are being much more conscious and savvy about it."

The police used tear gas as protesters came closer to the Legislative Council building in Hong Kong on Wednesday. Protesters used the app Telegram to organize, but the police were watching.

Telegram said on its Twitter account that it had been able to stabilise its services shortly after the attack began. It described the flood of traffic as a DDoS attack, in which servers are swamped with requests from a coordinated network of computers.

Many of the protesters appear to be college-aged and digitally adept. They went to great lengths to avoid being identified or digitally tracked. To travel to and from the protests, many queued to buy single-ride subway tickets rather than using their digital payment cards, which can be traced. Some, when confronting the police, covered their faces with hats and masks, gaining anonymity as well as some protection from the tear gas.

Beijing has been accused in the past of attacks that silence political speech outside mainland China's borders.

“The bottom line is whether to trust Beijing,” said Dr. Tsui, the communications professor. “This is a government that routinely lies to its own citizens, that censors information, that doesn’t trust its own citizens. You can’t ask us to trust you if you don’t trust us.”

“These kids that are out there, all the young people, they’re smart,” he added. “They know not to trust Beijing.”

The event presents no new challenge for Telegram, which has been used in large-scale protests before and has faced numerous government crackdowns; countries that have banned or blocked it include Russia and Iran.

Victoria health systems vulnerable to cyber attacks: Report

An audit by the office of the Auditor-General found patient data stored in Victoria's public health system is highly vulnerable to cyber-attacks, and many health agencies have low risk awareness of the security flaws.

During the audit, the auditors exploited weaknesses at the four audited agencies and accessed patient data, demonstrating the range of risks to the security of patient data and to hospital services.

The report found deficiencies in how health services manage user access to digital records, including unused and terminated employee accounts still enabled, and failure to keep user access forms as proof that users have had their access approved.

The work also uncovered the lack of any formal, regular user access review to ensure that only staff who need access have it; only one audited health service was found to provide mandatory cyber and data security training to all staff.

“Given that staff actions can undermine ICT and physical controls, it is vital that all staff—including clinical staff—can identify and manage the risks to patient data,” the audit reported.

The report stated that Victoria's public health system is "highly vulnerable" to the kind of cyberattack that recently hit a Melbourne-based cardiology provider, which resulted in stolen or unusable patient data and disrupted hospital services.

"The audited health services are not proactive enough, and do not take a whole-of-hospital approach to security that recognises that protecting patient data is not just a task for their IT staff," the report concluded.

The Auditor-General Andrew Greaves examined Barwon Health (BH), the Royal Children’s Hospital (RCH), and the Royal Victorian Eye and Ear Hospital (RVEEH), and also examined how two areas of the Department of Health and Human Services (DHHS), the Digital Health branch and Health Technology Solutions (HTS), are supporting health services.

“This weak security culture among government staff is a significant and present risk that must be urgently addressed,” the report said. “At one site, we accessed discarded, sensitive information too easily.