Search This Blog

Showing posts with label Ransom Attack. Show all posts

McAfee: Hacking Team Babuk Has Flaws In It's Business Models

 

Recently, ransomware hacking groups have been mostly focusing on Microsoft Windows OS. McAfee researched dedicated Linux and Unix based ransomware, but cross platform ransomware didn't happen. But, hackers are always on the go, McAfee experts recently discovered that from the past few months, many hackers are experimenting with the binary writings in cross-platform script Golang (Go). The worst case scenario was confirmed when Babuk on an underground platform said that it was building a cross-platform focused on ESXi or VMware and Linux/Unix systems. 

Various core backend operating systems in organizations are using the nix operating systems. Besides this, in case of virtualization, wonder about ESXi hosting virtual desktop environment or various servers. McAfee previously wrote a brief blog covering many coding mess ups that Babuk team did while building. McAfee reports "Initially, in our research the entry vector and the complete tactics, techniques and procedures (TTPs) used by the criminals behind Babuk remained unclear. However, when its affiliate recruitment advertisement came online, and given the specific underground meeting place where Babuk posts, defenders can expect similar TTPs with Babuk as with other Ransomware-as-a-Service families." 

Despite Babuk being new to the scene, the group is continuously hacking high profile targets , even though various issues related to binary leading to a stage where files can't be retrieved, even if the transaction was successful. In the end, the problems faced by Babuk developers while creating the ESXi ransomware could've led to change of business model, from extortion to encryption and data theft. To summarise it all, the built and coding of decryption softwares is poorly done, which means that if an organisation is to pay a ransom, the process of files decryption can be delayed without the guarantee that stolen files will be completely retrieved. 

"In its recruitment posting Babuk specifically asks for individuals with pentest skills, so defenders should be on the lookout for traces and behaviors that correlate to open source penetration testing tools like winPEAS, Bloodhound and SharpHound, or hacking frameworks such as CobaltStrike, Metasploit, Empire or Covenant. Also be on the lookout for abnormal behavior of non-malicious tools that have a dual use, such as those that can be used for things like enumeration and execution, (e.g., ADfind, PSExec, PowerShell, etc.) We advise everyone to read our blogs on evidence indicators for a targeted ransomware attack" said McAfee in its blog.

Canadian IoT Solutions Provider, Sierra Wireless Hit by a Ransomware Attack


Sierra Wireless, a Canadian IoT solutions provider said that it has reopened its manufacturing site's production after the company suffered a ransomware attack that breached its internal infrastructure and official website on March 20. When the company came to know about the attack, it called one of the world's best cybersecurity firms "KPMG," to help Sierra Wireless in the investigation and inquiry of the incident.

According to Sierra Wireless, "security is a top priority, and Sierra Wireless is committed to taking all appropriate measures to ensure the highest integrity of all of our systems. As the investigation continues, Sierra Wireless commits to communicating directly to any impacted customers or partners, whom we thank for their patience as we work through this situation." 

Currently, the staff at Sierra Wireless is working on re-installing the company's internal infrastructure, after the corporate website was brought back online. Besides this, the Canadian MNC said that ransomware attacks couldn't breach services and customer-oriented products as the internal systems that were attacked were separated. The company believes that the scope of the attack was limited to Sierra Wireless' corporate website and internal systems, it is confident that the connectivity services and products weren't affected, and the breach couldn't penetrate the systems during the incident. 

As of now, the company isn't expected to issue any firmware or software security updates or product security patches, which are generally required after the ransomware attack. The company hasn't disclosed the ransomware operator behind the attack, it has also not specified what data was stolen from the incident before the encryption could happen. 

The attack happened in March, after that the company took back its Q1 guidance. A company spokesperson said that Sierra wireless won't reveal any further information regarding the attack as per the company protocol, because the data involved is highly confidential and sensitive. Bleeping Computer reports, "Siera Wireless' products (including wireless modems, routers, and gateways) sold directly to OEMs are being used in IoT devices and other electronic devices such as smartphones, and an extensive array of industries." Stay updated for more news.

Data Analytics Agency Polecat Held To Ransom After Server Exposed 30TB Of Records

 


On October 29, 2020, the Wizcase CyberResearch Team which was lead by Ata Hakcil has discovered that the server ‘Elasticsearch’ which is being owned by Polecat company, displayed about 30TB of record data on the website without any authentication required to access the records or any other form of encryption in place. 

A UK-based data agency ‘Polecat’ that provides “a combination of advanced data analytics and human expertise, [to help] the world’s largest organizations achieve reputation, risk, and ESG (environmental, social, and governance) management success” its official website reads. 

Researchers team had found records dating back to 2007 containing important information including employees’ usernames and passwords, social media records, around 6.5 billion tweets, and around one billion posts that generated from independent websites and blogs. 

Polecat’s cyber research team ‘Chase Williams’ has reported its discovery in a blog post which has been published on First March of 2021. 

The public information collected by the Polecat organization is gleaned on a foundation of daily happening events including subjects such as Covid-19, politicians, firearms, racism, and healthcare. Polecat was warned by the Wizcase research team about the data ransom on October 30 and the first of November 2020. Nevertheless, it just takes some seconds for an open unsecured server or bucket to be traced and exploited by malicious actors – and this took place a day after the researcher’s findings. 

“On October 30, a Meow attack was launched against the database. Meow attacks replace database indexes with the suffix ‘gg-meow’, leading to the destruction of swathes of data” Wizcase said. 

Additionally, it added “approximately half of the firm’s records were wiped, and then in a second wave a further few terabytes of information were deleted. At this point, roughly 4TB remained in the server. Most of these records were then destroyed and a ransom note was spotted by the researchers that demanded 0.04 Bitcoin (BTC) – roughly $550 at the time – in return for the files’ recovery”. 

Wizcase research team has warned against these types of scams by saying that it is very essential to note that these types of cyberattacks are usually automated and sent to many unprotected open databases.