Search This Blog

Showing posts with label Sophos. Show all posts

India’s Finance Software Powerhouse NSE Blown By EpsilonRed Ransomware


Nucleus Software Exports, an Indian financial software company has witnessed a major ransomware attack. The company that facilitates Indian banks and retail stores with software has suffered severely in regard to its internal networks and encrypted essential business data. 

As per the latest data, Nucleus Software Company is a leading provider of Banking and Financial Services and is also known for lending and transaction banking consultancy services to the global financial services industry. 

In the wake of the security incident, the company reported that they filed a report on Tuesday with the Indian National Stock Exchange authority, which said that the incident occurred on May 30, and the group that has attacked the system is known as ‘EpsilonRed’. 

Alongside, the NSE published its quarterly report in which it wrote that the company’s cyber-security researchers' team is working hard to get back its sensitive business credential, and towards fixing the damaged part of the system. Meanwhile, the company’s spokesperson assured their customers and said, “So far as sensitive data is concerned, we’d like to assure our customers that there is NO financial data of any customer available/stored with us and therefore the question of any leakage or loss of client data does not arise’’. 

The researchers' team from the cybersecurity community has disclosed that the ransomware that caused damage to the NSE’s network which is colloquially known as EpsilonRed, is also known as BlackCocaine. EpsilonRed/BlackCocaine is a different type of ransomware that has been discovered very recently. 

UK security firm Sophos had first reported on this new strain, last month. According to the Sophos report, the EpsilonRed gang makes its victims from unpatched Microsoft Exchange email servers, target the ProxyLogon exploit, after getting full command into the system, hackers install a collection of PowerShell scripts that gives access to hackers into the inside of a victim’s network. 

Furthermore, Sophos told that the ransomware gang got success in some of its attacks, and made payments of around $210,000 from its previous attacks. 

NSE has not disclosed the exact details of the breach nor if it followed the demand of the hackers. However, it is widely accepted that the attack was caused by an Exchange server. 

167 Fake iOS & Android Trading Apps Brought to Light by Researchers


Sophos, a worldwide leader in cybersecurity, has found 167 fake Android and iOS apps that criminals have been using to rob people who still believe they have a very well, trustworthy financial trading, banking, or cryptocurrency application. A research article titled, ‘Fake Android and iOS apps disguised as trading and cryptocurrency apps,’ illustrates how criminals utilized social technology, fake web pages like a fake iOS App Slot, and an iOS app tester to deliver the fake apps to unsuspecting customers. 

Fake applications were investigated and the results showed that all were very similar to each other, as stated by Sophos researchers. Many have included the "chat" option to integrate customer service. When researchers attempt to communicate by using chat with support teams, answers were almost alike. They also discovered a single server loaded with 167 counterfeit trading and cryptocurrency applications. In combination, this indicates that, according to Sophos, all fraud might be carried out by the same party. 

In one of the scenarios examined, the scammers approached the customers through a dating app by creating a profile and exchanging messages with specific objectives before attempting to encourage them to download and add money and cryptocurrency to a counterfeit application. The attackers blocked access when their targets later tried to withdraw funds or close the account. 

In other instances, websites built to resemble a reputable company, such as a bank, have been able to attract the targets. To persuade the users to install an app from the genuine App Store, they have even developed a fake "iOS App Store" download page with fabricated customer reviews. 

When the visitors pressed upon the links to install fake apps for Android or iOS, something like a smartphone web app was obtained but was only a shortcut icon connected to a fake website. 

Technicians have also delivered fake iOS applications via third-party websites to encourage developers towards testing new applications with a small number of Apple device users before applying to the official App Store. 

“People trust the brands and people they know – or think they know – and the operators behind these fake trading and cryptocurrency scams ruthlessly take advantage of that,” said Jagadeesh Chandraiah, a senior threat researcher at Sophos. “The fake applications we uncovered impersonate popular and trusted financial apps from all over the world, while the dating site sting begins with a friendly exchange of messages to build trust before the target is asked to install a fake app. Such tactics make the fraud seem very believable.”

“To avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play and Apple’s app store. Developers of popular apps often have a website, which directs users to the genuine app and, if they have the skills to do so, users should verify if the app they are about to install was created by its actual developer. Last, but not least, if something seems risky or too good to be true – high returns on investment or someone from a dating site asking you to transfer money or cryptocurrency assets into some ‘great’ account – then sadly it probably is,” he further added.

Sophos also recommends the user install an anti-virus program on the mobile device to defend Android and iOS devices from cyber attacks, like the Intercept X for Mobile.

Sloppiness of Student Allows Ryuk Ransomware to Target Bio Research Institute


Cybersecurity vendor Sophos has revealed how using a 'crack' version of a data visualization tool was the cause of a major ransomware attack that cost the European research institute a week’s work and a lot of money. 

A student working at a European biomolecular research institute was allowed to use expensive data visualization software. The student was on the hunt for a free version of a data visualization software tool, but the license was most likely too expensive– so as a workaround, the student eventually elected to find a cracked version instead.

The crack triggered a malware warning from Microsoft Defender, which he not only ignored but also decided to disable the antivirus tool, as well as the firewall. Thirteen days later a remote desktop protocol (RDP) connection was registered on the institute’s network using the student’s credentials and the incident response team from Sophos learned that the crack was actually info-stealing malware. 

“A feature of RDP is that a connection also triggers the automatic installation of a printer driver, enabling users to print documents remotely. This allowed the Rapid Response investigation team to see that the registered RDP connection involved a Russian language printer driver and was likely to be a rogue connection. Ten days after this connection was made, the Ryuk ransomware was launched,” Sophos explained. 

The malware was in use by a malicious third-party for a few days, harvesting keystrokes, stealing browser cookies, clipboard data, and such. While Sophos did not go into details: how much money the operators asked for, or whether or not the institute paid the ransom, it did say that the organization lost a week’s worth of data, given that its backup wasn’t up to date.

The institute also suffered the operational impact, like all computer and server files needed to be rebuilt from the ground up, before any data could be restored. It also said that the group that placed the info-stealer probably wasn’t the same one that installed Ryuk. The most likely scenario is, once access was established, that it got sold on the dark web to the highest bidder.

As a precautionary measure, Sophos advised organizations to install multi-factor authentication (MFA) for access to any internal networks, especially from third parties, keep software regularly updated, segment networks and restrict account privileges. It also urged customers to lock down RDP access with static Local Area Network (LAN) rules, via a group policy or using access control lists.

Sophos Uncovered Connection Between Mount Locker and Astro Locker Team


Sophos published another report on a recently revealed association between the Mount Locker ransomware group and a new group, called "Astro Locker Team." Sophos as of late recognized ransomware targeting an organization’s unprotected machines that had all the hallmarks of Mount Locker ransomware. However, when they followed the link in the ransom note to the attacker's chat/support site, Sophos incident responders found themselves faced with a near-unknown group calling themselves "AstroLocker Team" or "Astro Locker Team." Astro Locker has all the earmarks of being a new ransomware family – however, appearances can be beguiling. 

When comparing the Astro Locker leak site with the Mount Locker leak site, investigators noticed that all five of the organizations listed on the Astro Locker site were likewise listed as victims on the Mount Locker site. Delving in further, the size of the information leaks on each of the five matched and shared some of the same links to the spilled information. Taking a gander at the matching links all the more intently, Sophos experts saw one final association: a portion of the spilled information linked on the Mount Locker site was being facilitated on the Astro Locker onion site: http[:]//anewset****.onion.  

“In recent incidents where Sophos experts investigated and neutralized an active Mount Locker attack, we noticed various techniques that suggest these attackers are not as sophisticated as other ransomware groups like Ryuk, REvil and DoppelPaymer,” said Peter Mackenzie, manager of Sophos’s Rapid Response team. “It is possible that the Mount Locker group wants to rebrand themselves to create a new and more professional image, or it could be an attempt to kickstart a true ransomware-as-a-service (RaaS) program. Regardless, if any organizations become a victim of Astro Locker in the future, they should investigate the TTPs of both Mount Locker and Astro Locker.” 

Mackenzie contended that Mount Locker could be utilizing the Astro name to pretend the group has a significant new associate for its new RaaS program, or it very well might be a legitimate deal intended to speed up its change to turning into a RaaS operation. 

“Branding is a powerful force for ransomware groups. Good branding can come from a single threat group being skilled at hitting high-value targets and avoiding detection — such as DoppelPaymer — or by running a successful RaaS network — like Sodinokibi or Egregor. Powerful branding with ransomware groups can strike fear in targets and lead to a higher likelihood of pay-outs,” he concluded.

Deceased User's Accounts used by Nefilim Ransomware Actors


Recently we are witnessing that the Ransomware operators are teaming up to exchange software and infrastructure to further accelerate the operation of leakage and extortion that harms the victims of such attacks. One such ransomware is Nefilim. 

Nefilim also known as Nemty has emerged in 2020 as a new category onto the list of ransomware strains, here if the victims do not pay the ransom, Nefilim threatens to reveal information to the public; it has its own leaks platform called Corporate Leaks and is located in the TOR node. 

As stated by Michael Heller, a researcher at Sophos, the Rapid Response is a 24/7 service provided by Sophos that helps organizations to detect and neutralize the active threat by actors as soon as possible. Lately, a company that has been attacked with the Nefilim ransomware, reached out to the Rapid Responses by Sophos for help. In the incident reported by the company, a ransomware attack from Nefilim locked up more than 100 systems stemmed from the unregulated account compromised of an employee who died three months ago. The attackers traveled silently through the network, stole the domain admin keys, then located and filtered hundreds of GB of data prior to unleashing any malware that exposes the existence of such data. The account was obviously held deliberately as it was used for utilities, so the Rapid Response team had to determine which acts were legit and which were deceptive from that account. 

Nefilim ransomware replaces the initial files with encrypted copies, nearly all the big ransomware, making recovery difficult without either a decryption key or a recent backup. As soon as the Customer contracted Sophos, the Rapid Response Team took steps to load security into any applications that they might use, to guarantee that all the security measured required were added to systems that had already been implemented by Sophos and to find evidence about how and where the invading processes started and what could have been stolen. 

 As stated by Michael Heller, the latest victim of the attack was compromised by exploiting vulnerable versions of the Citrix Software, after which the actors gained access to the domain key or the domain admin account using Mimikatz. Well in general the actor can gain access either by Citrix Software or by Remote Desktop Protocol. 

“Ransomware is the final payload in a longer attack. It is the attacker telling you they already have control of your network and have finished the bulk of the attack. It is the attacker declaring victory,” stated, Peter Mackenzie, manager of Rapid Response. “Identifying you are under a ransomware attack is easy, identifying the attacker was on your network a week earlier is what counts.”

Cybersecurity Company Sophos Hit By Data Breach Attack, Company Informs Customers


A data breach attack recently hit Sophos, a Uk based cybersecurity company. The company currently has notified its customers regarding the data attack via mail, which the company suffered last week. The leaked information includes user names, emails, and contact numbers. According to Sophos, only a small number of customers were affected by the data breach. The spokesperson says that a "small subset" of customers was affected; however, not providing any further details. 

Earlier this week, the company was informed of an access permission problem in a tool. The tool contains customers' information who contact Sophos support. The company said this in an email sent to its customers. 

The company says that it came to know about the issue through an expert and had fixed the misconfiguration as soon as it was reported. According to Sophos, customer privacy and safety is their topmost priority. It is currently contacting all impacted customers. 

Besides this, the company has implemented preventive measures to ensure that permission settings are not exploited. The data breach is the second cybersecurity incident that Sophos suffered this year. 

In April, a quite similar incident happened where hackers found and exploited a zero-day XG Firewall in Sophos and attacked companies worldwide. The hackers used Asnarok malware, but when the vulnerability was exposed, they shifted to ransomware and failed eventually. 

The email reads, "On November 24, 2020, Sophos was advised of an access permission issue in a tool used to store information on customers who have contacted Sophos Support. As a result, some data from a small subset of Sophos customers was exposed. We quickly fixed the issue. Your information was exposed, but due to remediation measures we have taken, your data is no longer exposed. Specifically, first name, last name, email address, and, where provided, a contact phone number. 

There is no action that you need to take at this time. At Sophos, customer privacy and security are always our top priority. We are contacting all affected customers. Additionally, we are implementing additional measures to ensure access permission settings are continuously secure. "

Hackers abuse Sophos Firewall Zero Day Vulnerability

Sophos, a UK cybersecurity company famous for its anti-virus products has released an emergency security update this Saturday to combat a Zero-Day vulnerability exploited by hackers in its XG enterprise firewall product.

They became aware of the vulnerability on Wednesday after one of their customers reported "a suspicious field value visible in the management interface." And they released an update containing the patch for the vulnerability.

The Vulnerability- SQL INJECTION BUG

"The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices," Sophos said.

The miscreant hackers attacked Sophos XG Firewall devices whose administration or user portal control panel were exposed on the internet. The hackers used the SQL Injection Vulnerability in XG firewall devices and downloaded a play-load on the device to steal data like passwords and usernames for the firewall device admin, portal admins, and user accounts for remote access, the firewall's license and serial number.

Sophos says that during its investigation, it did not find any proof that the hackers accessed anything beyond the firewall as well as no devices were accessed by the malware. They named the malware Asnarok.

 Patches already updated in user devices 

The company already pushed the patches in an automatic update in all XG Firewall devices that had the auto-update feature enabled. "This hotfix eliminated the SQL injection vulnerability which prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack," it said. The update also shows a message to the user if their device was compromised or not in their Firewall control panel.

Sophos recommends some steps to take for the companies who had their device hacked mainly focused on resetting passwords and reboots:

  1.   Reset portal and device administrator accounts.
  2.   Reboot the infected firewall device. 
  3.   Reset all passwords of user accounts.

"Sophos also recommends that companies disable the firewall's administration interfaces on the internet-facing ports if they don't need the feature", writes zdnet.