
Posts

Showing posts with the label Cyber


Pipeline cyberattack was likely the work of a ransomware gang

Details of the industry-hobbling Colonial Pipeline cyberattack are starting to emerge. Reuters and Bloomberg say the hack was likely the work of a cybercriminal group, and that the ransomware gang DarkSide appears to be the primary suspect. Bloomberg claims DarkSide stole almost 100GB of data in two hours on May 6th as part of a "double-extortion scheme" where intruders threatened to both leak company data and lock Colonial out of its information. It's not certain if Colonial agreed to pay a ransom. The oil and gas giant reportedly asked FireEye's Mandiant forensics team to help investigate the breach. The attack was important enough to get the US government's involvement, regardless of who was responsible. Officials were scrambling to help Colonial restore its fuel supply business, while Reuters understood that a government investigation was in the "early stages." President Biden received a briefing on May 8th. If DarkSide or a similar gro

It's already possible to hack an AirTag

You knew it was just a matter of time before someone hacked Apple's AirTags, but it might have happened sooner than you expected. 9to5Mac reports that security researcher Thomas Roth has already cracked the microcontroller for Apple's item tracker, dumping its firmware and discovering that you can re-flash it for your own purposes. Roth demonstrated the possibilities by modifying the NFC web address (the one that appears when you tap an AirTag) to his personal site. As you might guess, that raises the potential for hacked AirTags that send users to malware and phishing sites. The practical threat to users is likely small. An attacker would have to obtain someone's existing AirTag, modify it and place it such that an unsuspecting victim would find it and want to tap it. That's also presuming that Apple doesn't have a way to block modified AirTags, as 9to5 suggested. Still, this suggests you'll want to have an up-to-date phone and a reasonable degree of

Google to Automatically Enable Two-Step Verification for Some Accounts

Google is marking World Password Day with a blog post summarizing the password management features it offers, and the company announced that it will automatically enroll some accounts in two-step verification (2SV). The tech giant has been offering 2SV for Google accounts for years. Users who enable 2SV for their account — after entering their password — are asked to enter a code received via a text message or a voice call. In many cases, users can simply confirm their identity by tapping a prompt on their smartphone when they log in, and Google also offers the option to use security key devices that are connected via a physical port (USB) or wirelessly (NFC). Google announced on Thursday that it will soon start automatically enabling 2SV for users, if their accounts are “appropriately configured.” Jonathan Skelker, product manager of account security at Google, told SecurityWeek that “appropriately configured” refers to accounts that already include recovery information, such

Insurer AXA Halts Ransomware Crime Reimbursement in France

In an apparent industry first, the global insurance company AXA said Thursday it will stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals. AXA, among Europe’s top five insurers, said it was suspending the option in response to concerns aired by French justice and cybersecurity officials during a Senate roundtable in Paris last month about the devastating global epidemic of ransomware. “The word to get out today is that, regarding ransomware, we don’t pay and we won’t pay,” cybercrime prosecutor Johanna Brousse said at the hearing. Only the U.S. surpassed France last year in damage from ransomware to businesses, hospitals, schools and local governments, according to the cybersecurity firm Emsisoft, estimating France’s related overall losses at more than $5.5 billion. The suspension only applies to France and does not affect existing policies, said Christine Weirsky, a spokeswoman for the U.S. AXA subsidiary

New Pingback Malware Using ICMP Tunneling to Evade C&C Detection

Researchers on Tuesday disclosed a novel malware that uses a variety of tricks to stay under the radar and evade detection, while stealthily capable of executing arbitrary commands on infected systems. Called 'Pingback,' the Windows malware leverages Internet Control Message Protocol (ICMP) tunneling for covert bot communications, allowing the adversary to utilize ICMP packets to piggyback attack code, according to an analysis published today by Trustwave. Pingback ("oci.dll") achieves this by getting loaded through a legitimate service called MSDTC (Microsoft Distributed Transaction Coordinator) — a component responsible for handling database operations that are distributed over multiple machines — by taking advantage of a method called DLL search order hijacking, which involves using a genuine application to preload a malicious DLL file. Naming the malware as one of the plugins required for supporting Oracle ODBC interface in MSDTC is key to the at

Acronis raises $250M at a $2.5B+ valuation to double down on cyber protection services

As cybersecurity continues to grow in profile amid an increasingly complex and dangerous landscape of malicious activity, a cyber security vendor that specializes in "all-in-one" services covering the many aspects of security IT has closed a big round of funding to grow. Acronis has raised $250 million, money that co-founder and CEO Serguei Beloussov said in an interview the company plans to use both to grow organically, as well as for acquisitions to bring more "proactive" technology into its portfolio. The funding is being led by CVC and values Acronis at over $2.5 billion. Originally a spinoff from the parent company of virtualization giant Parallels, Acronis initially made its name in data recovery and backup but has over time expanded to provide an all-in-one package of services, a business that is now profitable, with some 10,000 managed service providers and 500,000 businesses (SMBs and bigger) among its customers. "We didn’t need the money, but no

Hackers Exploit SonicWall Zero-Day Bug in FiveHands Ransomware Attacks

An "aggressive" financially motivated threat group tapped into a zero-day flaw in SonicWall VPN appliances prior to it being patched by the company to deploy a new strain of ransomware called FIVEHANDS. The group, tracked by cybersecurity firm Mandiant as UNC2447, took advantage of an "improper SQL command neutralization" flaw in the SSL-VPN SMA100 product (CVE-2021-20016, CVSS score 9.8) that allows an unauthenticated attacker to achieve remote code execution. "UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums," Mandiant researchers said. "UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics." CVE-2021-20016 is the same zero-day that

New Chinese Malware Targeted Russia's Largest Nuclear Submarine Designer

A threat actor believed to be working on behalf of Chinese state-sponsored interests was recently observed targeting a Russia-based defense contractor involved in designing nuclear submarines for the naval arm of the Russian Armed Forces. The phishing attack, which singled out a general director working at the Rubin Design Bureau, leveraged the infamous "Royal Road" Rich Text Format (RTF) weaponizer to deliver a previously undocumented Windows backdoor dubbed "PortDoor," according to Cybereason's Nocturnus threat intelligence team. "Portdoor has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more," the researchers said in a write-up on Friday. Rubin Design Bureau is a submarine design center located in Saint Petersburg, accounti

Researchers Uncover Iranian State-Sponsored Ransomware Operation

Iran has been linked to yet another state-sponsored ransomware operation through a contracting company based in the country, according to new analysis. "Iran's Islamic Revolutionary Guard Corps (IRGC) was operating a state-sponsored ransomware campaign through an Iranian contracting company called 'Emen Net Pasargard' (ENP)," cybersecurity firm Flashpoint said in its findings summarizing three documents leaked by an anonymous entity named Read My Lips or Lab Dookhtegan between March 19 and April 1 via its Telegram channel. Dubbed "Project Signal," the initiative is said to have kickstarted sometime between late July 2020 and early September 2020, with ENP's internal research organization, named the "Studies Center," putting together a list of unspecified target websites. A second spreadsheet validated by Flashpoint explicitly spelled out the project's financial motivations, with plans to launch the ransomware operations in lat

Microsoft Warns of 25 Critical Vulnerabilities in IoT, Industrial Devices

Azure Defender security team discovers that memory allocation is a systemic problem that can allow threat actors to execute malicious code remotely or cause entire systems to crash. Security researchers at Microsoft are warning the industry about 25 as-yet undocumented critical memory-allocation vulnerabilities across a number of vendors’ IoT and industrial devices that threat actors could exploit to execute malicious code across a network or cause an entire system to crash. Dubbing the newly discovered family of vulnerabilities “BadAlloc,” Microsoft’s Section 52 — which is the Azure Defender for IoT security research group — said the flaws have the potential to affect a wide range of domains, from consumer and medical IoT devices to industry IoT, operational technology, and industrial control systems, according to a report published online Thursday by the Microsoft Security Response Center (MSRC). “Our research shows that memory allocation implementations written throughout the ye

Chinese Hackers Attacking Military Organizations With New Backdoor

Bad actors with suspected ties to China have been behind a wide-ranging cyberespionage campaign targeting military organizations in Southeast Asia for nearly two years, according to new research. Attributing the attacks to a threat actor dubbed "Naikon APT," cybersecurity firm Bitdefender laid out the ever-changing tactics, techniques, and procedures adopted by the group, including weaving new backdoors named "Nebulae" and "RainyDay" into their data-stealing missions. The malicious activity is said to have been conducted between June 2019 and March 2021. "In the beginning of the operation the threat actors used Aria-Body loader and Nebulae as the first stage of the attack," the researchers said. "Starting with September 2020, the threat actors included the RainyDay backdoor in their toolkit. The purpose of this operation was cyberespionage and data theft." Naikon (aka Override Panda, Lotus Panda, or Hellsing) has a track re

Passwordstate Warns of Ongoing Phishing Assaults Following Information Breach

Click Studios, the Australian software firm which confirmed a supply chain attack affecting its Passwordstate password management application, has warned customers of an ongoing phishing attack by an unknown threat actor. "We have been advised a bad actor has commenced a phishing attack with a small number of customers having received emails requesting urgent action," the company said in an updated advisory released on Wednesday. "These emails are not sent by Click Studios." Last week, Click Studios said attackers had employed sophisticated techniques to compromise Passwordstate's update mechanism, using it to drop malware on user computers. Only customers who performed In-Place Upgrades between April 20, 8:33 PM UTC, and April 22, 0:30 AM UTC are said to be affected. While Passwordstate serves about 29,000 customers, the Adelaide-based firm maintained that the total number of impacted customers is very low. It's also urging users to refrain from

Threat detection startup Vectra AI raises $130M on unicorn valuation of $1.2B

Cybersecurity nightmares like the SolarWinds hack highlight how malicious hackers continue to exploit vulnerabilities in software and apps to do their dirty work. Today a startup that’s built a platform to help organizations protect themselves from this by running threat detection and response at the network level is announcing a big round of funding to continue its growth. Vectra AI, which provides a cloud-based service that uses artificial intelligence technology to monitor both on-premise and cloud-based networks for intrusions, has closed a round of $130 million at a post-money valuation of $1.2 billion. The challenge that Vectra is looking to address is that applications — and the people who use them — will continue to be weak links in a company’s security set-up, not least because malicious hackers are continually finding new ways to piece together small movements within them to build, lay and finally use their traps. While there will continue to be an interesting, and mostly