Search This Blog

Showing posts with label ransomware attacks. Show all posts

Wawa Paying $9 Million in Cash, Gift Cards in Data Breach Settlement


The Wawa convenience store chain is paying out up to $9 million in cash and gift cards to customers who were affected by a previous data breach, as reimbursements for their loss and inconvenience. 

The affected customers can request gift cards or cash that Wawa is paying out to settle a lawsuit over the security incident. Here's everything you need to learn about the proposed class action settlement – who's eligible, how to submit a claim for cash or a gift card, and how to object to the deal. 

Customers who used their payments cards at any Wawa store or gas pump during the data breach, but were not impacted by the fraud, qualifies to receive a $5 gift card, as compensation. These claimants are referred to as 'Tier One Claimants'. 

However, the claimants will be required to submit proof of the purchase they conducted at a Wawa store or fuel pump between March 04, 2019, and December 12, 2019 – when the data breach occurred – in order to claim the gift card. Customers would essentially be required to provide proof of the transaction date, preferably a store receipt of a statement by the bank, or a screenshot from the concerned bank or credit card company website or app. 

The next category of claimants, referred to as 'Tier Two Claimants' could receive a gift card worth $15 if they show reasonable proof of an actual or attempted fraudulent charge on their debit or credit card post-transaction. 

The last category of claimants, referred to as 'Tier Three Claimants' qualify to receive a cash reimbursement of upto $500, if they provide reasonably documented proof of money they spent in connection with the actual or attempted fraudulent transaction on their payment card. It must be reasonably attributed to the data breach incident. 

During the 9 month span of the data breach, around 22 million class members made a financial transaction at one of the Wawa stores. Customers have been given a deadline of November 29, 2021, to submit a claim for recompensation. By doing so, they are giving up their right to sue Wawa over the 2019 security incident. 

Those who wish to retain their right to sue the company over the security incident and do not wish to receive the payment will be required to exclude themselves from the class. The deadline given for the same is November 12, 2021. 
 

What is this settlement for?


In 2019, the Wawa convenience store chain experienced a data breach wherein cybercriminals hacked their point-of-sale systems to install malware and steal customers' card info. As the fraud impacted Wawa's 850 locations along the East Coast, the U.S based convenience store company found itself buried in a series of lawsuits. One of which – filed by the law firm Chimicles Schwartz Kriner & Donaldson-Smith, of Haverford – claimed that the data breach “was the inevitable result of Wawa's inadequate data security measures and cavalier approach to data security.”

The massive data breach that lasted for nine months,
affected in-store payments and payments at fuel pumps, including “credit and debit card numbers, expiration dates, and cardholder names on payment cards.” Meanwhile, hackers also attempted to sell the stolen financial data on the dark web. 

As a result, a police investigation was called in for and the organization also conducted an internal investigation by appointing a forensics firm for the same.

Ransomware Attacks Increased Exponentially in 2021

 

The growing threat of ransomware has been highlighted by NCC Group's Research Intelligence and Fusion Team (RIFT) analysis. Between January-March 2021 and April-June 2021, the number of ransomware assaults studied by the team climbed by 288%, indicating that enterprises are still facing waves of digital extortion in the form of targeted ransomware. 

The rise of the "triple extortion" ransomware technique whereby attackers, in addition to stealing sensitive data and threatening to release it publicly unless a payment is made, also target the organization's customers, vendors, or business partners in the same way, has fuelled the increase in attacks. 

Conti ransomware, which commonly employs email phishing to remote into a network via an employee's device, was responsible for 22% of ransomware data leaks studied between April and June. The Avaddon ransomware, which was linked to 17% of ransomware data leaks, was just behind it. While victims of this ransomware strain faced data encryption, the potential of data breaches, and the larger risk of DDoS attacks disrupting operations, the ransomware strain is now thought to be dormant. 

In addition to the substantial increase in ransomware assaults, organizations have seen a 29% of cyber-attacks worldwide, with the largest growth rates in the Europe Middle East and Africa (EMEA) area and America, at 36% and 24%, respectively. While the Asia-Pacific (APAC) region witnessed only a 13% increase in attacks, it had the highest number of weekly cyber intrusions at 1,338. The weekly number for EMEA was 777, while the weekly number for America was 688. 

This issue is hurting organizations all over the world, with the United States accounting for 49% of victims with known locations in the last three months, followed by France at 7% and Germany at 4%. The Colonial Pipeline ransomware attack in June, which was carried out by DarkSide ransomware affiliates, is one significant case. Oil supplies were disrupted, and there were fuel shortages across the United States as a result of the strike. 

Christo Butcher, global lead for threat intelligence at NCC Group, said: “Over the years, ransomware has become a significant threat to organizations and governments alike. We’ve seen targets range from IT companies and suppliers to financial institutions and critical national infrastructure providers, with ransomware-as-a-service increasingly being sold by ransomware gangs in a subscription model.” 

“It’s therefore crucial for organizations to be proactive about their resilience. This should include proactive remediation of security issues, and operating a least-privilege model, which means that if a user’s account is compromised, the attacker will only be able to access and/or destroy a limited amount of information,” he added.

Ahead of the Labor Day Holiday, the FBI and CISA Warn of Ransomware Risk Over Weekends and Holidays



Ahead of the Labour Day holiday coming about this weekend, CISA and the FBI have released joint advisory warning organizations of increased ransomware attack risk on weekends and holidays. 

Over the past few months, the government agencies have noticed a relative increase in 'highly destructive' ransomware attacks being launched by attackers on long weekends and holidays. Reportedly, these time frames – holidays, especially long weekends – are viewed as attractive time slots by cybercriminals to deploy ransomware due to a lower level of defense during weekends which maximizes the impact of infiltration. The physical absence of the personnel plays a significant role when the offices are normally closed. 

The FBI and CISA noted that the recent cyberattacks that crippled high-profile US entities were all scheduled by hackers over weekends. The cited case studies include recent attacks against JBS, Kaseya, and Colonial Pipeline. 

In May 2021, the DarkSide ransomware operators launched the Colonial Pipeline attack, around Mother's Day weekend. The data was stolen on May 06, 2021, and the malware attack occurred on May 07, 2021. 

In May 2021, the world's largest meat processing organization, JBS, experienced a cyberattack by the REvil ransomware group that disabled its beef and pork slaughterhouses. This attack took place on May 30, 2021 – leading into the Memorial Day public holiday. 

In July 2021 –  building on the weekend attack trend – Kaseya, a leading software provided to over 40,000 organizations, suffered a sophisticated cyberattack yet again by REvil ransomware. The attack was carried out on July 2nd, 2021 ahead of the Independence Day holiday in the United States on July 4th.  

"The FBI's Internet Crime Complaint Center, which provides the public with a trustworthy source for reporting information on cyber incidents, received 791,790 complaints about all types of internet crime -- a record number -- from the American public in 2020, with reported losses exceeding $4.1 billion," the advisory read.

The two agencies clarify that as of now there are no clear indications of a cyberattack that will take place around the oncoming 'Labour Day holiday', however, the alert warns that the threat actors have carried out increasingly damaging cyberattacks around holidays and weekends over the past several months. Therefore, the FBI and CISA urge the organizations to not lower their defenses while providing information on how to effectively combat the increasingly worsening threat of cyberattacks. They advised organizations to strengthen their security, minimize their exposure, and potentially "engage in preemptive threat hunting on their networks to search for signs of threat actors." 

“Threat actors can be present on a victim network long before they lock down a system, alerting the victim to the ransomware attack. Threat actors often search through a network to find and compromise the most critical or lucrative targets. Many will exfiltrate large amounts of data. Threat hunting encompasses the following elements of understanding the IT environment by developing a baseline through a behavior-based analytics approach, evaluating data logs, and installing automated alerting systems.” The joint advisory further said.

Ransomware on a Charge: Another Wake-Up Call for U.S. Shipping Industry

 

As the threat of ransomware attacks increases, the U.S. shipping industry is facing a particularly high resistance in safeguarding its global supply chain. 

The U.S. shipping industry is on the hit list of ransomware attackers — specifically the heavily computerized ports that receive cargo ships, as well as the actual crafts, security experts warned. The other major factor is the increasing strain on the global supply chain due to the Covid-19 pandemic with U.S. citizens ordering more goods to their homes than ever before. The White House has issued an executive order mandating organizations to strengthen cybersecurity protocols. 

Data analytical firms are keeping a close eye on the surge of ransomware attacks. Here are the recent reports highlighting the ransomware trends and implications: 

• Security researchers at Trend Micro discovered that 84% of the US firms have filed a complaint regarding phishing or ransomware threats in the last 12 months.

 • In the first half of 2021, the average ransomware payment surged 82% to a record $570,000 from $312,000 in 2020, according to a report from Palo Alto Networks’ Unit 42 security consulting group. 

• By 2031, the ransomware costs are expected to reach $265 billion, and that there will be a new attack every 2 seconds as ransomware attackers are continuously upgrading their malware payloads and related extortion activities, a report from Cybersecurity Ventures predicted.

Shipping ports are the ripe targets for ransomware attackers due to their heavy reliance on robotic operations and digitized inventory rather than human labor. “It keeps me up at night. Most of those systems weren’t designed with the notion that somebody was going to try to mess with them. Wasn’t part of the calculus,” Nina Kollars, associate professor of strategic and operational research at the U.S. Naval War College said. 

In 2018, ransomware attackers targeted shipping ports in San Diego and Barcelona, Spain with minor ones. In July, hackers locked up Transnet, a South Africa-owned company that oversees operations for the country’s major seaports. A ransomware attack halted operations at four of the eight ports. While many of the company’s computer networks were quickly restored, it led to rolling delays that pushed back some shipments by weeks. 

Earlier this year, the European Union Agency for Cybersecurity predicted there will be four times more software supply chain attacks in 2021 than there were in 2020, as ransomware attackers shift to larger, cross-border targets.

Researchers analyzed 24 supply chain attacks between January 2020 and July 2021 and stated that 66% of supply chain attacks were committed by exploiting an unknown flaw, while 16% leveraged known software vulnerabilities. 

When it came to supplier assets, most attacks during the specified timeline aimed to compromise code (66%), followed by data (20%) and processes (12%). As for customer assets, supply chain attacks most commonly targeted customer data (58%), followed by key people (16%) and financial resources (8%).

Taiwanese Computer Hardware Company Gigabyte Suffers Ransomware Attack

 

Gigabyte, a motherboard developing company from Taiwan and also a hardware giant was attacked by the RansomExx ransomware hacking group, who has blackmailed to leak 112 GB of hack data if the organization doesn't pay the ransom. Gigabyte is famous for making motherboards, but also builds other computer hardware and components, like laptops, monitors, graphic cards, and data center servers. The ransomware attack happened earlier this week which compelled the company to close down its systems in Taiwan. 

Besides this, the attack compromised multiple websites of Gigabyte, which includes support systems and website portions of the company. Customers have complained of having issues while accessing support docs or getting updated information on Ram's. The reason is most probably due to the ransomware attack. "The RansomEXX ransomware operation originally started under the name Defray in 2018 but rebranded as RansomEXX in June 2020 when they became more active. RansomEXX does not only target Windows devices but has also created a Linux encryptor to encrypt virtual machines running VMware ESXi servers," said Bleeping Computers. 

As per United Daily News (a Chinese news organization), Gigabyte revealed about the company suffering cyberattack which affected its servers. After finding unusual activity on its company network, Gigabyte closed down its IT systems and informed law agencies. However, Gigabyte itself has not officially confirmed which organization is behind the attack, but Bleeping Computers believe that it was carried out by the RansomExx gang. RansomExx hackers while encrypting a network attach ransom notes to each encrypted system. 

The ransom notes include a link to a private page accessible only to the victims to check the decryption of a file and to provide an email address for doing ransom negotiations. Bleeping Computer reports "like other ransomware operations, RansomEXX will breach a network through Remote Desktop Protocol, exploits, or stolen credentials. Once they gain access to the network, they will harvest more credentials as they slowly gain control of the Windows domain controller. During this lateral spread through the network, the ransomware gang will steal data from unencrypted devices used as leverage in ransom extortion."

Ransomware Attempt Volume Touching Over 300 Million, Sets Record




A new investigation report has been published by SonicWall network security organization in which it stated that ransomware attacks have been increased rampantly in the first half of 2021, with 304.7 million attempted attacks observed by the organization. 

SonicWall researchers' team has discovered several attempted ransomware attacks in both April and May, however, the record of these two months was knockdown by June, which recorded 78.4 million attempted ransomware attacks. 

According to the study, the total figure of ransomware attacks that has been observed by SonicWall in the first half of 2021 has broken the record of 2020's total attempts. 

"Even if we don't record a single ransomware attempt in the entire second half (which is irrationally optimistic), 2021 will already go down as the worst year for ransomware SonicWall has ever recorded," the report read.

According to the 2021 SonicWall Cyber Threat Report, some world's developed counties including the US, the UK, Germany, South Africa, and Brazil topped the list of countries most hard hit by ransomware in the first half of 2021. 

This report has also mentioned the names of some of the US districts that have been impacted more was Florida, which saw 111.1 million ransomware attempts, New York had 26.4 million, Idaho saw 20.5 million, and Rhode Island, as well as Louisiana, has to face nearly 9 million ransomware attacks attempts. 

Furthermore, the report touched upon what these ransomware attacks are doing with organizations' systems. The network collects malware and IP-sensitive credentials from tens of thousands of firewalls and email security devices from all over the world. 

As per the report, in 2021, the most common targets are important governmental organizations such as financial institutions, defense, and information broadcasting institutions; Governments face more attacks than any other industry each month. By the month of June, government customers saw 10 times as many ransomware attempts and an overall spike of 917%. 

Customers in the education field have been found to be largely targeted by ransomware attempts, with an increase of 615%. SonicWall Capture Labs threat researchers have found an increased risk of ransomware attacks across healthcare (594%), as well as retail (264%) organizations.

According to data from SonicWall's Capture Labs, the three ransomware groups including Ryuk, Cerber, and SamSam are alone responsible for 64% of all attempted ransomware attacks. Ryuk attempted 93.9 million attacks, however, a new hype has been seen in 2020, tripling Ryuk attempts. 

On the other hand, Cerber attempted 52.5 million ransomware attacks in 2021 while SamSam group has increased its attempts by 49.7 in 2021, from last year's 15.7 million attempts. 



Industrial Facilities are at Risk of Data Theft and Ransomware Attacks

 

Recently, multinational cybersecurity software company ‘Trend Micro’ has published a new report on cybersecurity in which it has highlighted the growing threats of downtime and sensitive credential theft from ransomware attacks targeting industrial facilities. 

“Industrial Control Systems are incredibly challenging to secure, leaving plenty of gaps in protection that threat actors are exploiting with growing determination,” said Ryan Flores, senior manager of forward-looking threat research for Trend Micro...” 

“…Given the US government is now treating ransomware attacks with the same gravity as terrorism, we hope our latest research will help industrial plant owners to prioritize and refocus their security efforts."

What happens when a threat actor targets your facility? 

In factories and other facilities, there are crucial elements of utility plants that help in monitoring and controlling industrial processes across IT-OT networks called Industrial Control Systems (ICS). However, in any case, when ransomware gets into these systems; it can stop all operations for several days and can heighten the risk of vulnerabilities. 

As per the published report, several different revised versions have been accounted for more than half of the ICS ransomware attacks in 2020 including Ryuk (20%), Nefilim (14.6%), Sodinokibi (13.5%), and LockBit (10.4%). 

Cybersecurity And Infrasture Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), jointly published a report titled ‘The Guide’, which aims at informing and enhancing network defense and reducing exposure to a ransomware attack. The two measures offered are Ransomware Prevention Best Practices and a Ransomware Response Checklist. Moreover, CISA provides various scanning and testing services to help organizations assess, identify and mitigate their exposure to threats, including ransomware, at no expense. 

The National Institute of Standards and Technology (NIST) also provides help against ransomware attacks. It offers help in detecting and responding. It is worth noting that lately, several cybersecurity agencies are coming forward for industries so that they can detect and mitigate future ransomware attacks and numerous guide reports are also being published on ransomware threats.

After Ransomware Attack AJG US Reported Data Breach

 

US-based global insurance brokerage and risk management firm, Arthur J. Gallagher (AJG) has reported a cyberattack on the company’s infrastructure. The company has started mailing about the breach to its potentially impacted individuals. It is worth noting that earlier, in September 2020, the company made headlines for a ransomware attack that crippled its systems. 

"Working with the cybersecurity and forensic specialists to determine what may have happened and what information may have been affected, we determined that an unknown party accessed or acquired data contained within certain segments of our network between June 3, 2020, and September 26, 2020," AJG reported to the press. 

As per the latest statistic, AJG stands as one of the largest insurance brokers in the world, it has more than 33,300 employees and the firm works in 49 countries remotely. Alongside, in Fortune 500 list, AJG ranked 429, and as per the information on its website this insurance company provides insurance-related services to more than 150 countries. 

Regarding the breach, the company has not given technical details, it remains unclear whether customers' or employees' credentials were accessed or stolen. However, during the investigation, the company found that sensitive information stored on systems in various forms have been breached during the attack including usernames, passwords, social security number or tax identification number, date of birth, passport details, driver's license, employee identification number, credit card information, medical records, electronic signature, claim, diagnosis, health insurance information, and biometric information.

Following the incident, the company has notified data regulatory authorities and all affected people (7,376 according to the information provided to the Office of Maine's Attorney General) as per the law. Additionally, the company has recommended affected individuals keep an eye on their bank, credit cards for any fraud cases.  

“While Gallagher is not aware of any attempted or actual misuse of the impacted information, Gallagher is providing access to credit monitoring services for twenty-four months through Kroll to individuals whose personal information was affected by this incident, at no cost to these individuals,” AJG added.

Cyber Attackers Faced a Denial After Fujifilm Refused to Pay Ransom

 

Image Source: https://thebeachmuse.com/

Japanese conglomerate Fujifilm, earlier this month on Wednesday 2nd June published a short statement to reveal the illegitimate infiltration of its server by foreign parties. The unauthorized entry on 01 June was recognized by Fujifilm – which is formerly known for selling photographic films but today develops biotechnology, chemical, and other digital imaging devices. 

It re-established operations with backups and its PR systems now are fully operating in the United States, Europe, the Middle East, and Africa and are back to business as usual, according to a Fujifilm-spokesperson. 

However,  information such as strains of ransomware, delivery channels, damage scale, and the ransom requested by the cyber gang has not been disclosed. The corporation has not responded to the request for comments from the Information Security Media Group. 

Chloe Messdaghi, an independent cybersecurity disruption consultant and researcher, says Fujifilm apparently “took the first responsible steps of recognizing the situation and systematically shutting all systems down to examine the attack. There may have been some hiccups and bumps, but because they had done the solid work of ensuring their data backups and restoration processes were current, they were able to decline to pay extortion and their disruption to business was minimal.” 

S-RM Cyber Security, Risk, and Intelligence Consultancy anticipate that 46% of all cyber attacks were ransomware attacks between January 1, 2021, and March 31, 2021. 

The Colonial Pipeline and JBS meat processing company, and the D.C. Metro Police Department, have been the victims of some of the largest recent attacks in the U.S. 

In the wake of the attacks, the White House called on companies to enhance their cybersecurity. As per the reports, president Joe Biden ordered a federal probe ransomware task committee. 

Other businesses that were recently attacked by Ransomware but declined to pay ransom included CD Projekt Red, Ireland's State Health Service Provider, Health Service Executive; Canon, and Bose. Meanwhile, the Colonial Pipeline Co., which paid $4.3 million to DarkSide in May for a flawed decryptor, was one of the ransomware victims who decided to pay their attackers. The U.S. Department of Justice then recovered the number of bitcoins paid at 2.3 million dollars. 

The U.S. subsidiaries of the biggest meat processor in the world, JBS in Brazil, have lately given REvil's attackers an 11 million dollar ransom for their assurance that a decryption tool and a "guarantee" will not be released by them. 

The FBI has urged the victims to not pay the ransom and said, “Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.” 

The senior consultant of the risk management research organization, Shared Assessments, Charlie Miller, states the key elements for a risk management ransomware program involve upgrading the risk response plan, establishing a data boot to enable malware-free data recovery, offering corporate managers cyber-attack simulation programs to help evaluate and respond to risk, and purchasing cyber insurance.

Prometheus: Emerging Ransomware Group That Has Published Mexican Government Data For Sale

 

Emerging technology has changed the way we make money or hoard wealth, indeed as in the 21st century, information and data means money, and the spy groups that are compromising systems of large tech companies around the world including public and private organizations, have reached some sort of a pinnacle of sophistication. 

The last few years have witnessed a rapid surge in cyberattacks around the world and the consistency of these attacks has been growing dramatically. 

Recently, a new ransomware cyber gang identified as ‘Prometheus’ is making headlines, the group has become a threat to the Mexican Government as the threat actors published illegally compromised data on the dark web which was available for sale today itself. 

Following the aforementioned security incident, the group also became the first cyber-hacking group that has assailed the big state of Latin American at this level. 

Resecurity, a cybersecurity company out of Los Angeles while reporting about the attack said, the leaked data was compromised from the multiple e-mails handles as a result of ATO/BEC and leveraging network resources that belong to several Mexican government firms. The company also added that as of now, it is not easy to determine the extent of consequences and the end impact of the leaks. However, one thing is ascertained: it is an extortion game that has been played by malicious actors. 

As per the available data, Mexico is known as the big trading partner of the United States, the second-largest economy in Latin America, and the 17th-largest exporter around the world. In the past few years, the number of cybercrimes reported in the state has skyrocketed and in 2020, Mexico has become one of the countries with the most cybercrimes in Latin America. 

The data that has been leaked today on the website by the Prometheus group belongs to 27 victims. Some victims are from Hotel Nyack (New York, USA) Ghana National Gas, enterprises in France, and Tulsa Cardiovascular Center of Excellence (Oklahoma, USA), and others are from Switzerland, Norway, Netherlands, UAE, Brazil, and Malaysia. For the time being, The Institute for Security and Technology-coordinated Ransomware Task Force is conducting its research on the issue. 

Ransomware Attacks Growing at a Fast Rate

 

Ransomware has become a burning concern to every office in the world which wasn't even existing 30 years before. Probably there was never a danger of this kind. The fact that the ransomware gets stronger day by day, is the most profound concern. 

Current revelations show how diabolical the threat of ransomware is. In 2020, attacks rose by 715%, as opponents rejected the Covid-19 epidemic disruption to trap victims down with their guard. In addition to being more offensive, threat actors were much more reluctant to threaten the following: A patient was killed by a ransomware attack in the equipment gear that kept him alive in a German hospital and a California university was paying over $1 million to get back the IT online. In contrast to the unnamed impact on the country's economy, the Colonial Pipeline attack showed various weaknesses in US energy infrastructure. 

The whole strategy seems to work since the ransomware payments increased by 100% in 2020. There are no signs of ransomware attacks being curbed, as an Apple supplier also became a victim of a $50 million ransom demand. If ransomware was known to be alarming, it now took on a genuinely frightening character. And none of the organizations can find themselves as immune against it. 

This does not imply, that everyone has the same chance of a successful intrusion with ransomware. Indeed, that is what makes businesses most vulnerable – one that sees ransomware as unavoidable and unstoppable, one believes that the situation is bleak, instead of upgrading their security plan to keep up with developments in ransomware. 

At least throughout their early phases, the surge of attacks in 2020 seemed to be more like the attacks in the past years. Attackers would then use a phishing attempt to access an IT network and exploit certain known/unknown vulnerabilities. 

Following this initial violation, the automatic propagation methods were introduced gradually. Currently, however, a single goal is no longer enough. Ultimately, a change to operative human ransomware will occur that does not take small networks into account. 

Today's ransomware attacks travel across organizations by seeking information with high privileges. It aims at hitting the largest number of machines – i.e. maximizing damage. The safety department needs to prioritize the prevention of these lateral movements - and not just to spot them. Any ransomware attack might otherwise be cut so thoroughly that it is difficult to reverse. 

Instead of being dependent on malware to push the attack, ransomware managed by humankind is equipped with an operator to guide it towards the most effective goal possible through resistance mechanisms and protection. These attacks are more persistent, much more powerful, and more damaging. 

Spear phishing attacks are now the preferred method for the distribution of ransomware. Opponents choose a target and then tailor the email to sound as credible as possible. This dramatically contrasts with daily phishing, which means that large-scale e-mails are sent to vast lists of native contacts. Disputed users instead click on a connection or download an accessory that causes the infection of malware. 

Spear phishing operations are also becoming advanced: cybercriminals are sending spear-phishing email addresses that look just like licensed senders with domain spoofing techniques. 

In the face of this challenge, AV and EDR are destined to fail a cybersecurity plan. It may already be too late whenever these defenses kick in. This is the best advice: evolve or die. The only protection that succeeds is prevention. This means that one must follow a proactive cyber safety approach that focuses on zero trusts, reduces the attack surface, and, of course, moves goal protection.

Cring Ransomware Attacks Exploited Fortinet Flaw

 

Ransomware operators shut down two production facilities having a place with a European manufacturer in the wake of conveying a relatively new strain that encrypted servers that control a manufacturer's industrial processes, a researcher from Kaspersky Lab said on Wednesday. Threat actors are abusing a Fortinet vulnerability flagged by the feds a week ago that conveys a new ransomware strain, named Cring, that is targeting industrial enterprises across Europe. 

Researchers say the attackers are misusing an unpatched path-reversal flaw, followed as CVE-2018-13379, in Fortinet's FortiOS. The objective is to access the victim's enterprise networks and eventually convey ransomware, as indicated by a report by Kaspersky Lab. “In at least in one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted,” Kaspersky senior security researcher Vyacheslav Kopeytsev wrote in the report. 

Cring is relatively new to the ransomware threat scene—which as of now incorporates prevailing strains REvil, Ryuk, Maze, and Conti. Cring was first noticed and revealed by the analyst who goes by Amigo_A and Swisscom's CSIRT team in January. The ransomware is one of a kind in that it utilizes two types of encryption and annihilates backup files to threaten victims and keep them from retrieving backup files without paying the ransom. A week ago, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) cautioned that nation-state advanced persistent threat (APT) groups were effectively abusing known security vulnerabilities in the Fortinet FortiOS operating system, influencing the organization's SSL VPN items. 

In its report, Kaspersky echoed the feds cautioning adding attackers are first scanning connections with Fortinet VPNs to check whether the software utilized on the gadget is the vulnerable version. The objective is to crack open affected hardware, give adversaries admittance to network credentials, and build up traction in the targeted network, Kopeytsev clarified. “A directory-traversal attack allows an attacker to access system files on the Fortigate SSL VPN appliance,” he wrote. “Specifically, an unauthenticated attacker can connect to the appliance through the internet and remotely access the file ‘sslvpn_websession,’ which contains the username and password stored in cleartext.”

Canadian IoT Solutions Provider, Sierra Wireless Hit by a Ransomware Attack


Sierra Wireless, a Canadian IoT solutions provider said that it has reopened its manufacturing site's production after the company suffered a ransomware attack that breached its internal infrastructure and official website on March 20. When the company came to know about the attack, it called one of the world's best cybersecurity firms "KPMG," to help Sierra Wireless in the investigation and inquiry of the incident.

According to Sierra Wireless, "security is a top priority, and Sierra Wireless is committed to taking all appropriate measures to ensure the highest integrity of all of our systems. As the investigation continues, Sierra Wireless commits to communicating directly to any impacted customers or partners, whom we thank for their patience as we work through this situation." 

Currently, the staff at Sierra Wireless is working on re-installing the company's internal infrastructure, after the corporate website was brought back online. Besides this, the Canadian MNC said that ransomware attacks couldn't breach services and customer-oriented products as the internal systems that were attacked were separated. The company believes that the scope of the attack was limited to Sierra Wireless' corporate website and internal systems, it is confident that the connectivity services and products weren't affected, and the breach couldn't penetrate the systems during the incident. 

As of now, the company isn't expected to issue any firmware or software security updates or product security patches, which are generally required after the ransomware attack. The company hasn't disclosed the ransomware operator behind the attack, it has also not specified what data was stolen from the incident before the encryption could happen. 

The attack happened in March, after that the company took back its Q1 guidance. A company spokesperson said that Sierra wireless won't reveal any further information regarding the attack as per the company protocol, because the data involved is highly confidential and sensitive. Bleeping Computer reports, "Siera Wireless' products (including wireless modems, routers, and gateways) sold directly to OEMs are being used in IoT devices and other electronic devices such as smartphones, and an extensive array of industries." Stay updated for more news.

MIDC’s Server Hacked, Threat to Destroy Data

 

The server of Maharashtra Industrial Development Corporation was hacked as of late. The ransomware 'SYNack' affected the applications and database servers facilitated at the MIDC headquarters in Mumbai by encrypting the information put away in these servers. Hackers have demanded Rs 500 crore, they have mailed a demand of Rs 500 crore on MIDC's official mail ID, sources said. 

The malware additionally tainted some desktop PCs across various office areas of the MIDC. The assailants had attached a ransom note giving details of the assault and the steps needed to be taken to approach them for decryption of information. Nonetheless, no sum was directly referenced in the ransom note, a statement given by the MIDC expressed. After the hack, every one of the 16 regional workplaces in the state, including the head office in Mumbai, has been shut down. 

The total data of all the industrial estates, entrepreneurs, government elements, and different plans identified with MIDC is accessible on an online system. The whole work has come to a halt since last Monday after the hack. The MIDC approached the police after which the Cyber Crime Police started their probe into the hacking incident, joint commissioner of police, crime, Milind Bharambe affirmed to the FPJ. 

 A statement issued by the MIDC read, "On Sunday, March 21, at around 2:30 AM, we received automated alerts that our applications were down. On further analysis during the day, the ransomware attack was confirmed. MIDC’s applications are hosted on ESDS cloud (services managed by ESDS, Cloud Service Provider) and local servers (managed by MIDC internal team). We have Trend Micro anti-virus license for end-point security monitoring. The details of the ransomware were shared with Trend Micro for further analysis." 

"As an immediate measure, the MIDC systems were disconnected from the network to contain the spread of the virus. The backup files for different application servers were stored on a different network segment on Cloud DC and were not infected. As per the recommendations from Cyber Security experts, several steps are being taken to control the spread of virus and minimize the impact," the statement read further.

LockBit Ransomware Emerging as a Dangerous Threat to Corporate Networks


LockBit, a relatively new Ransomware that was first identified performing targeted attacks by Northwave Security in September 2019 veiled as.ABCD virus. The threat actors behind the ransomware were observed to be leveraging brute-force tactics and evasion-based techniques to infect computers and encrypt files until the victim pays the ransom.

LockBit enables attackers to move around a network after compromising it quickly; it exploits SMB, ARP tables, and PowerShell to proliferate the malware through an infected network.

The developers rely on third parties to spread the malware via any means the third party devises. After successfully infecting the network, the attacker redirects the victim to a payment site operated by them. The victim is then subjected to threats of data leak until the ransom is paid to the attackers.

Modus operandi of the attack

The attackers drop the payload that is hidden under the '.text' sections, evading conventional AV's mechanism from catching the file while running a scan in the disk, the file is compressed by the attackers with a unique format.

Upon being executed, the file runs a scan on the entire LAN network and attempts to establish a connection to the hosts via SMB port (445) to spread the infected file across the entire internal network.

Then in order to bypass the need for User Control, the command "C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" is run by an instance of SVCHOST.exe which is running by the process DLLhost.exe.

After that, the 'backup.exe' file executes the payload and encrypts most of the victim's files, changing their extensions to 'lockbit'. In the end, leaving a ransom note under the name 'Restore-My-Files.txt' in various folders on the host.

As per sources, the top targets of LockBit were located in the U.S., the U.K, China, India, Germany, France, and Indonesia. Experts suggest that users worldwide should strengthen their security defenses. It is also recommended to store the backups of important files separately so that it's hard to be accessed through a network.

Giving insights into a particular case, Patrick Van Looy, a cybersecurity specialist for Northwave, told BleepingComputer, "In this specific case it was a classic hit and run. After gaining access through brute-forcing the VPN, the attacker almost immediately launched the ransomware (which he could with the administrator account that he had access to). It was around 1:00 AM that the initial access took place, after which the ransomware was launched, and at around 4:00 AM the attacker logged off. This was the only interaction that we have observed."

Orange Confirms Ransomware Attack Compromising Data of 20 Enterprise Customers


Orange, the fourth-largest mobile operator in Europe has confirmed that it fell prey to a ransomware attack wherein hackers accessed the data of 20 enterprise customers. The attack targeted the 'Orange Business Services' division and was said to have taken place on the night of 4th July and was continued into the next day, ie., 5th July.

Orange is a France based multinational telecommunications corporation having 266 million customers worldwide and a total of 1,48,000 employees. It is a leading provider of global IT and telecommunications services to residential, professional, and large business clients. It includes fixed-line telephone, mobile communications, Internet and wireless applications, data transmission, broadcasting services, and leased line, etc.

The attack was brought to light by Nefilim Ransomware who announced on their data leak site that they acquired access to Orange's data through their business solutions division.

In a conversation with Bleeping Computer, the company said, "Orange teams were immediately mobilized to identify the origin of this attack and has put in place all necessary solutions required to ensure the security of our systems." Orange further told that the attack that occurred on the night of 4th July affected an internal IT platform known as, "Le Forfait Informatique", it was hosting data belonging to 20 SME customers that were breached by attackers, however, there were no traces of any other internal server being affected as a result of the attack. Giving insights, Tarik Saleh, a senior security engineer at DomainTools, said, "Orange certainly followed best practices by promptly disclosing the breach to its business customers, who will need to take all the possible precautions to make their data unusable in future attacks: changing the password of their accounts and looking out for potential phishing or spear-phishing emails."

While commenting on the security incident, Javvad Malik, Security Awareness Advocate at KnowBe4, said that in these times, it is essential, "that organizations put in place controls to prevent the attack from being successful, as even if they have backups from which they can restore, this won't bring back data that has been stolen."

"As part of this, organizations should implement a layered defensive strategy, in particular against credential stuffing, exploitation of unpatched systems, and phishing emails which are the main source of ransomware. This includes having technical controls, the right procedures, and ensuring staff has relevant and timely security awareness and training," he further added.

CNY Works Data Breach: Personal Details of 56,000 Customers Exposed


Social Security numbers, names, and other personal details of around 56,000 individuals were exposed as CNY Works faced a data breach. The data breach potentially affected people who sought employment via the company's services.

CNY Works is a New York-based non-profit corporation working to help businesses and job-seeking individuals with the objective of providing skilled workers to businesses and employment for those seeking a job within Central New York – providing a single entry point for Workforce Information.

The agency started sending letters to all its affected customers, warning them about the security breach – the officials told that files compromised during the attack (likely to be a ransomware attack) on their servers consisted of their names and Security numbers. However, the agency did not spot signs of any data being accessed, viewed, or taken down by the threat actors.

Social Security number is a nine-digit number used to record a person's earnings and verify his identity whenever he starts a new job; having your social security number compromised can lead to identity theft in various ways, cybercriminals can sell people's identities on the dark web marketplaces to highest bidders. In a way, it's like getting your bank account info. stolen, only that you can always get a new bank account number, while new Social Security numbers are rarely issued by the concerned administration.

While addressing the security issue, Lenore Sealy, executive director for CNY Works, said in an email to media outlets, “We are sending notification letters to approximately 56,000 individuals.”

“However, we are notifying individuals out of an abundance of caution. CNY Works has no evidence that any of the personal information for these individuals has been misused, or even that any of the personal information in its possession was accessed or stolen as a result of this incident.” The email further read.

ProLock Ransomware Operators Join Hands with QakBot Trojan to Infect Victims' Networks


'Human-operated ransomware' has been on a rise with the emergence of ProLock in the month of March, the new ransomware came as a successor to 'PwndLocker', another variant of malware targeting all the major industries from finance, retail to healthcare and governmental organizations as well. Notably, in late April, the attack targeting the largest ATM provider in the United States, Diebold Nixdorf was the first major attack carried by ProLock where the attackers only compromised the company's corporate network while their ATMs and customer networks were left untouched, according to the media reports.

In order to acquire access to targets' networks, ProLock has joined hands with financial malware primarily targeting businesses, QakBot. Since its initial online fraud attacks, the banking trojan has constantly evolved to specialize in SOCKS proxy, anti-research capabilities and to effectively steal victims' online banking credentials. The malware has been upgraded so much so that one of its present variants can even incapacitate securing software functioning at the endpoints. Interestingly, the assistance of QakBot that distinguishes the malware from other ransomware operators further strengthens the operations of ProLock as it helps the malware with credential dumping and anti-detection techniques.

ProLock makes use of RDP and QakBot to set the attack into motion, it assists the threat actors in evading detection and with persistence. Researchers told QBot specializes in bypassing detection as it is programmed to check out for its latest version and replace its current version with the newest one. Meanwhile, in order to acquire persistence in the network, the attackers use authentic accounts for RDP. RDP allows the malware to move laterally across networks and accumulate data, which later is exfiltrated through a command-line tool. Side by side, the files are being encrypted by ProLock that adds a .proLock, .pr0Lock or .proL0ck extension to all the encrypted files and leaves a ransom note demanding a ransom in turn for their data. However, as of now, ProLock doesn't have a website to publish victims' stolen data in case they are denied ransom.

“ProLock uses many similar techniques as other ransomware operators to achieve their goals,” said Oleg Skulkin, senior digital forensics analyst at Group-IB in a recent analysis. “At the same time, however, the group does have its own unique approach. With more and more cybercrime groups showing interest in enterprise ransomware deployment campaigns, some operators may be involved in deploying different ransomware families, so we’ll likely see more overlaps in tactics, techniques, and procedures.”

SeaChange, Video Delivery Software Solutions Provider Hit By Sodinokibi Ransomware


SeaChange, a leading supplier of video delivery software solutions has been attacked by the authors of Sodinokibi ransomware. Reportedly, the operators have published images of the data they claim to have obtained after encrypting the systems and are threatening the Waltham, Massachusets based company to leak the stolen data.

SeaChange International has offices in Poland and Brazil, it is a remotely managed video solution provider with around 50 million subscribers across the globe. BBC, DISH, COX, DNA, Quickline, RCN, and Starhub are a few names amongst their 200+ video provider customers.

The cybercriminals behind Sodinokibi ransomware have been actively involved in posting illegally obtained data of victims onto their leak website since 2019 and then demanding a ransom for the release of the same. Lately, attackers have increasingly employed this strategy of building pressure on non-paying victims and converting them into a paying one by releasing the stolen data bit by bit, starting from smaller parts.

In this particular case, the attackers created a webpage by the company's name and published the images of the allegedly stolen data on that page, it contained a screenshot of folders on one of the SeaChange's servers targeted by the attackers, a driver's license, insurance certificates and a cover letter for a proposal sent to Pentagon for video-on-demand service. However, the operators did not specify the ransom amount at that time.

While denying to provide further data, Sodinokibi operators said, "Thank you for your interest and your questions, but I really can't answer. We publish confidential information about companies if they ignore us for a long time or decide not to pay. Otherwise, we are not ready to share any information about them in their own interests, including share which companies we have encrypted, how much data we have stolen, etc."

New Orleans: Mayor Declares State of Emergency after a Cyberattack


The city of New Orleans after being hit by a cyberattack, declared a state of emergency wherein the employees and officials were asked to shut down the computers, power down devices by unplugging and take down all servers as a cautionary measure. As a part of the incident, The Nola.gov website was also down.

Officials suspect the involvement of ransomware as the attacks demanding ransom has become increasingly common in the recent past and ransomware was detected as per Mayor LaToya Cantrell, however, there is no confirmatory lead on the matter as the city has not received any ransom demand from the attackers.

Earlier this year, in November, The State of Louisiana was hit by a ransomware attack which prompted officials to shut down government websites and deactivate other digital services and consequently, a state of emergency was being declared by the governor. As per the sources, it is the gravest cyber attack the state had witnessed till date, it took about two weeks for the authorities to restore all the systems and make them functional again. The attack was followed by aggressive measures being taken by the security officers who classified the attack being a "sophisticated and coordinated" one. As per the latest findings, it remains unclear whether the two attacks are linked to each other or not.

While drawing other correlations, New Orleans Mayor LaToya Cantrell referenced the attack back to one where several school systems in Louisiana were attacked by malware. The compromised school systems were from Sabine, Morehouse, and Ouachita, according to the reports by CNN.

“Out of an abundance of caution, all employees were immediately alerted to power down computers, unplug devices & disconnect from WiFi. All servers have been powered down as well,” stated a tweet from New Orleans’ Office of Homeland Security & Emergency Preparedness.

During a press conference in regard of the matter, Mayor LaToya Cantrell said, “We have a unified command, we’re here with not only our local partners but our state and federal partners as well, which includes our national guard, Louisiana state police, FBI, the state fusion center and secret service."