Search This Blog

Showing posts with label servers. Show all posts

Lake County government shuts down servers after ransomware attack

After the massive cyberattack in Texas, officials from Lake County, Illinois revealed on Friday, August 23 that the county has been hit by a cyberattack that forced the shutdown of email service and several internal applications.

The officials also mentioned that the breach came in the form of ransomware, which is a type of malware that prevents users from accessing their system or personal files and demands a ransom payment in order to regain access.

Mark Pearman, director of county's information technology office said that on Thursday, August 22, the IT staff was installing cybersecurity software on 3,000 individual employee laptops and working on the process to remove the ransomware malware from 40 county servers.

The ransomware attack was first noticed by systems administrators on Thursday and to prevent it the IT staff started taking encrypted and unencrypted servers off the network.

However, the official clarified that there was no evidence of data theft from county servers and restoring the systems will take the entire week and more information about the attack will be known by Monday, August 26.

As reported, the IT department is working with the county's cybersecurity contractor, Crowdstrike to conduct a damage assessment. This process includes scanning of all the servers, almost 3,000 computers to determine those infected by the ransomware.

Almost a month ago, LaPorte County, Indiana also suffered a similar breach and the authorities paid a ransom of $132,000 worth of Bitcoins to the hackers to restore the access to affected systems.

Another ransomware hit 22 Texas town governments and recently Louisiana was also forced to declare a state of emergency after some of its school districts' networks were hacked. Now, Texas' 22 town government has become the victim of ransomware.

After all these events, National Guard Chief Gen Joseph Lengyel called the events a "cyber storm." He also mentioned that these multi-state cyber attack reiterates the need for more standardized policies and training for cyber units across the force.

More than 17,000 Domains Affected with Code which Steals Card Data



Cybercriminals running Magecart operations have added payment card skimming code to more than 17,000 domains with JavaScript files in misconfigured Amazon S3 buckets.

Cybercriminals exploited the lack of access control in Amazon's cloud storage services and affected over 17,000 domains via automated attacks which reconstructed JavaScript code randomly, without monitoring if the code could load a payment page.

The exploit came as a part of Megacart operations, originated in the month of April; attackers injected payment card skimming code to a high number of domains with JavaScript files in poorly configured Amazon S3 buckets which granted writing permissions to the person finding them.

According to the security researchers at RiskIQ, the discovery of these S3 buckets had been automated by the authors of the campaign.

Referencing from the findings made by Yonathan Klijnsma, RiskIQ's head of threat research, "Once the attackers find a misconfigured bucket, they scan it for any JavaScript file (ending in .js). They then download these JavaScript files, append their skimming code to the bottom, and overwrite the script on the bucket."

"Even if your bucket has information that anyone can access, it does not mean everyone should be able to modify the content," he added.

The fact that a large number of websites employing Amazon's cloud storage services fell short in fortifying access to the corresponding assets played a major role for Magecart campaign in realizing its malicious objectives.