Russia hammered by pro-Ukrainian hackers following invasion

For years, Dmitriy Sergeyevich Badin sat atop the FBI’s most wanted list. The Russian government-backed hacker has been suspected of cyber attacks on Germany’s Bundestag and the 2016 Olympics, held in Rio de Janeiro.

A few weeks into Russia’s invasion of Ukraine, his own personal information—including his email and Facebook accounts and passwords, mobile phone number and even passport details—was leaked online.

Another target since the war broke out two months ago has been the All-Russia State Television and Radio Broadcasting Company, known as a voice of the Kremlin and home to Vladimir Solovyov, whose daily TV show amplifies some of the most extreme Russian government propaganda.


Russia wages “relentless and destructive” cyberattacks to bolster Ukraine invasion

Image: Flag of Russia on a computer, binary code falling from the top and fading away. (credit: Getty Images)

On March 1, Russian forces invading Ukraine took out a TV tower in Kyiv after the Kremlin declared its intention to destroy “disinformation” in the neighboring country. That public act of kinetic destruction accompanied a much more hidden but no less damaging action: targeting a prominent Ukrainian broadcaster with malware to render its computers inoperable.

The dual action is one of many examples of the “hybrid war” Russia has waged against Ukraine since before the invasion began, according to a report published Wednesday by Microsoft. Starting shortly before the invasion, the company said, hackers in six groups aligned with the Kremlin have launched no fewer than 237 operations in concert with the physical attacks on the battlefield. Almost 40 of them, targeting hundreds of systems, used wiper malware, which deletes essential files stored on hard drives so the machines can’t boot.

“As today’s report details, Russia’s use of cyberattacks appears to be strongly correlated and sometimes directly timed with its kinetic military operations targeting services and institutions crucial for civilians,” Tom Burt, Microsoft corporate vice president for customer security, wrote. He said the “relentless and destructive Russian cyberattacks” were particularly concerning because many of them targeted critical infrastructure that could have cascading negative effects on the country.


Preparing for Armageddon: How Ukraine battles Russian hackers

For years, a small and disparate Ukrainian team including IT experts, intelligence officers, and a criminal prosecutor has kept a wary eye on a group of hackers nicknamed Armageddon.

The hackers were based in Crimea, shielded by the Russian government, which had seized the region in 2014, and out of the reach of the Security Service of Ukraine.

The Ukrainian team watched Armageddon from afar to learn the ways of its enemy. It quietly studied the hacking group’s cyber weapons, intercepted phone calls, and even outed its purported leaders.


Hackers stoke pandemonium amid Russia’s war in Ukraine

On Thursday, hackers defaced a Russian Space Research Institute website and leaked files that they allege are stolen from Roscosmos, the Russian space agency. Their message? “Leave Ukraine alone else Anonymous will f*ck you up even more.” Meanwhile a DDoS attack pummeled Russia’s .ru “top level domain,” with the aim of essentially cutting off access to all URLs that end in .ru. These are just the latest incidents in a surge of hacktivism in support of Ukraine.

Protests against Russia’s war of choice with Ukraine have been held around the world, including in 48 Russian cities. The global community has raised millions of dollars for Ukraine through cryptocurrency donations, and private companies from Shell and BP to Apple have temporarily or permanently pulled out of the Russian market. Amidst the havoc, hacktivists are joining the cacophony in an attempt to make a statement and advance their cause.


Nation-state espionage group breaches Alaska Department of Health

Image: A bear lumbers along a shore with pine trees in the background. If Alaska’s native Ursus arctos population could be enlisted for cyber defense patrols, attackers might need paws for reflection before committing a criminal breach. (credit: Jared Lloyd via Getty Images)

Last week, Alaska’s Department of Health and Social Services (DHSS) disclosed a security breach apparently made by a sophisticated nation-state level attacker.

According to DHSS—which contracted with well-known security firm Mandiant to investigate the breach—the attackers gained a foothold inside DHSS’ network via one of its public-facing websites, from which they pivoted to deeper resources.

A months-long saga

This is not the first report of the DHSS breach. The organization first publicly announced the intrusion on May 18, with a June update announcing a multipronged investigation, and one more in August on completion of the first of three investigatory steps.


Technology giant Olympus hit by BlackMatter ransomware

Olympus said in a brief statement Sunday that it is “currently investigating a potential cybersecurity incident” affecting its European, Middle East and Africa computer network.

“Upon detection of suspicious activity, we immediately mobilized a specialized response team including forensics experts, and we are currently working with the highest priority to resolve this issue. As part of the investigation, we have suspended data transfers in the affected systems and have informed the relevant external partners,” the statement said.

But according to a person with knowledge of the incident, Olympus is recovering from a ransomware attack that began in the early morning of September 8. The person shared details of the incident prior to Olympus acknowledging the incident on Sunday.

A ransom note left behind on infected computers claimed to be from the BlackMatter ransomware group. “Your network is encrypted, and not currently operational,” it reads. “If you pay, we will provide you the programs for decryption.” The ransom note also included a web address to a site accessible only through the Tor Browser that’s known to be used by BlackMatter to communicate with its victims.

Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch that the site in the ransom note is associated with the BlackMatter group.

BlackMatter is a ransomware-as-a-service group that was founded as a successor to several ransomware groups, including DarkSide, which recently bounced from the criminal world after the high-profile ransomware attack on Colonial Pipeline, and REvil, which went silent for months after the Kaseya attack flooded hundreds of companies with ransomware. Both attacks caught the attention of the U.S. government, which promised to take action if critical infrastructure was hit again.

Groups like BlackMatter rent access to their infrastructure, which affiliates use to launch attacks, while BlackMatter takes a cut of whatever ransoms are paid. Emsisoft has also found technical links and code overlaps between DarkSide and BlackMatter.

Since the group emerged in June, Emsisoft has recorded more than 40 ransomware attacks attributed to BlackMatter, but says the total number of victims is likely to be significantly higher.

Ransomware groups like BlackMatter typically steal data from a company’s network before encrypting it, and later threaten to publish the files online if the ransom to decrypt the files is not paid. Another site associated with BlackMatter, which the group uses to publicize its victims and tout stolen data, did not have an entry for Olympus at the time of publication.

Japan-headquartered Olympus manufactures optical and digital reprography technology for the medical and life sciences industries. The company also built digital cameras and other electronics until it sold its struggling camera division in January.

Olympus said it was “currently working to determine the extent of the issue and will continue to provide updates as new information becomes available.”

Christian Pott, a spokesperson for Olympus, did not respond to emails and text messages requesting comment.

Howard University cancels classes after ransomware attack

Washington, D.C.’s Howard University has canceled classes after becoming the latest educational institution to be hit by a ransomware attack.

The incident was discovered on September 3, just weeks after students returned to campus, when the University’s Enterprise Technology Services (ETS) detected “unusual activity” on the University’s network and intentionally shut it down in order to investigate.

“Based on the investigation and the information we have to date, we know the University has experienced a ransomware cyberattack,” the university said in a statement. While some details remain unclear — it’s unknown who is behind the attack or how much of a ransom was demanded — Howard University said that there is no evidence so far to suggest that personal data of its 9,500 undergraduate and graduate students has been accessed or exfiltrated.

“However, our investigation remains ongoing, and we continue to work toward clarifying the facts surrounding what happened and what information has been accessed,” the statement said.

In order to enable its IT team to fully assess the impact of the ransomware attack, Howard University has canceled Tuesday’s classes, opening its campus to essential employees only. Campus Wi-Fi will also be down while the investigation is underway, though cloud-based software will remain available to students and teachers. 

“This is a highly dynamic situation, and it is our priority to protect all sensitive personal, research and clinical data,” the university said. “We are in contact with the FBI and the D.C. city government, and we are installing additional safety measures to further protect the University’s and your personal data from any criminal ciphering.”

But the university warned that remediation will be “a long haul — not an overnight solution.”

Howard University is the latest in a long line of educational institutions to be hit by ransomware since the start of the pandemic, with the FBI’s Cyber Division recently warning that cybercriminals using this type of attack are focusing heavily on schools and universities due to the widespread shift to remote learning. Last year, the University of California paid $1.14 million to NetWalker hackers after they encrypted data within its School of Medicine’s servers, and the University of Utah paid hackers $457,000 to prevent them from releasing data stolen during an attack on its network. 

According to figures Emsisoft threat analyst Brett Callow published last month, ransomware attacks have disrupted 58 U.S. education organizations and school districts, including 830 individual schools, so far in 2021. Emsisoft estimates that in 2020, 84 incidents disrupted learning at 1,681 individual schools, colleges, and universities.

“We’ll likely see a significant increase in ed sector incidents in the coming weeks,” Callow tweeted on Tuesday.

Corelight secures $75M Series D to bolster its network defense offering

Corelight, a San Francisco-based startup that claims to offer the industry’s first open network detection and response (NDR) platform, has raised $75 million in Series D investment led by Energy Impact Partners. 

The round — which also includes a strategic investment from Capital One Ventures, Crowdstrike Falcon Fund and Gaingels — brings Corelight’s total raised to $160 million, following a $50 million Series C in October 2019, a $25 million Series B in September 2018, and a $9.2 million Series A in July 2017.

While it’s raised plenty of capital in the past few years, the startup isn’t planning its exit just yet. Brian Dye, CEO of Corelight, tells TechCrunch that given Corelight’s market opportunity and performance — the startup claims to be the fastest-growing NDR player at scale — it plans to invest in growth and expects to raise additional capital in the future. 

“Public listing timeframes are always hard to forecast, and we view the private markets as attractive in the short term, so we expect to remain private for the next couple years and will look at market conditions then to decide our next step,” Dye said, adding that Corelight plans to use its latest investment to fuel the acceleration of its global market presence and to develop new data and cloud-based offerings.

“Aside from go-to-market expansion, we are investing to ensure that the insight we provide both continues to lead the industry and can be readily used by customers of all types,” he added. 

Corelight, which competes with the likes of FireEye and STG-owned McAfee, was founded in 2013 when Dr. Vern Paxson, a professor of computer science at the University of California, Berkeley, joined forces with Robin Sommer and Seth Hall to build a network visibility solution on top of an open-source framework called Zeek (formerly Bro). 

Paxson began developing Zeek in 1995 when he was working at Lawrence Berkeley National Laboratory (LBNL). The software is now widely regarded as the gold standard for both network security monitoring and network traffic analysis and has been deployed by thousands of organizations around the world, including the U.S. Department of Energy, various agencies in the U.S. government, and research universities like Indiana University, Ohio State, and Stanford.

Ransomware recovery can be costly, and not just because of the ransom

Ransomware is rarely out of the headlines. Just last week, IT consulting giant Accenture was hit by the LockBit ransomware gang, days after Taiwan-based laptop maker Gigabyte also fell victim to an apparent ransomware attack, leading the hackers to leak gigabytes of confidential AMD and Intel data.

Unsurprisingly, ransomware — which has rocketed in activity during the pandemic — remains among the most costly threats to businesses, with large U.S. companies losing an average of $5.66 million each year to ransomware. But new findings show that is not for the reason you might think.

While we often hear of multimillion-dollar ransom payments made by hackers, research from Proofpoint and the Ponemon Institute found that ransom payments typically account for less than 20% of the total cost of a ransomware attack. Of that $5.66 million figure each year, just $790,000 accounts for ransom payments. Rather, the research shows businesses suffer the majority of their losses through lost productivity and the time-consuming task of containing and cleaning up after a ransomware attack.

Proofpoint says that the remediation process for an average-sized organization takes on average 32,258 hours, which when multiplied by the average $63.50 IT hourly wage totals more than $2 million. Downtime and lost productivity are another costly consequence of ransomware attacks; the research shows that phishing attacks, for example, which were determined to be the root cause of almost one-fifth of ransomware attacks last year, have led to employee productivity losses of $3.2 million in 2021, up from $1.8 million in 2015.

“In the wake of a ransomware attack, communication and interaction between employees and any affected external parties must increase massively, causing many teams to have to drop all existing work as part of their ‘day job’ immediately and focus on this urgent matter, for potentially days, weeks or even months,” Proofpoint’s Andrew Rose told TechCrunch.

“They automatically face more scrutiny from customers, regulators and have to increase reliance on third parties. This may include a significant increase in external audits by customers and regulators, which again increases workload cost. There’s also the potential of regulatory fines, or class action lawsuits from customers,” said Rose.

This isn’t all businesses have to contend with from a financial point of view; organizations hit by ransomware are also likely to face an increase in cyber insurance costs, hefty IT expenditure and likely will have to cough up for PR teams, legal staff, customer services and external specialists. There’s also the brand and reputational fallout from such attacks: recent research from Cybereason shows that more than half of U.S. companies reported their brand was tarnished as a result of a ransomware attack. 

“For public organizations, there is also the potential for the share price to fall,” Rose adds. “Customers can also lose trust in a business once they know their data may have been at risk, which may in turn cause them to jump ship to a competitor, costing revenue.”

US blames China for Exchange server hacks and ransomware attacks

The Biden administration has formally accused China of the mass-hacking of Microsoft Exchange servers earlier this year, which prompted the FBI to intervene as concerns rose that the hacks could lead to widespread destruction.

The mass-hacking campaign targeted Microsoft Exchange email servers with four previously undiscovered vulnerabilities that allowed the hackers — which Microsoft already attributed to a China-backed group of hackers called Hafnium — to steal email mailboxes and address books from tens of thousands of organizations around the United States.

Microsoft released patches to fix the vulnerabilities, but the patches did not remove any backdoor code left behind by the hackers that might be used again for easy access to a hacked server. That prompted the FBI to secure a first-of-its-kind court order to effectively hack into the remaining hundreds of U.S.-based Exchange servers to remove the backdoor code. Computer incident response teams in countries around the world responded similarly by trying to notify organizations in their countries that were also affected by the attack.

In a statement out Monday, the Biden administration said the attack, launched by hackers backed by China’s Ministry of State Security, resulted in “significant remediation costs for its mostly private sector victims.”

“We have raised our concerns about both this incident and the [People’s Republic of China’s] broader malicious cyber activity with senior PRC Government officials, making clear that the PRC’s actions threaten security, confidence, and stability in cyberspace,” the statement read.

The National Security Agency also released details of the attacks to help network defenders identify potential routes of compromise. The Chinese government has repeatedly denied claims of state-backed or sponsored hacking.

The Biden administration also blamed China’s Ministry of State Security for contracting with criminal hackers to conduct unsanctioned operations, like ransomware attacks, “for their own personal profit.” The government said it was aware that China-backed hackers have demanded millions of dollars in ransom from hacked companies. Last year, the Justice Department charged two Chinese spies for their role in a global hacking campaign that saw prosecutors accuse the hackers of operating for personal gain.

Although the U.S. has publicly pressed the Kremlin to stop giving ransomware gangs safe harbor to operate from within Russia’s borders, the U.S. has not previously accused Beijing of launching or being involved with ransomware attacks.

“The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts,” said Monday’s statement.

The statement also said that the China-backed hackers engaged in extortion and cryptojacking, a way of forcing a computer to run code that uses its computing resources to mine cryptocurrency, for financial gain.

The Justice Department also announced fresh charges against four China-backed hackers working for the Ministry of State Security, which U.S. prosecutors said were engaged in efforts to steal intellectual property and infectious disease research into Ebola, HIV and AIDS, and MERS from victims based in the U.S., Norway, Switzerland and the United Kingdom, using a front company to hide their operations.

“The breadth and duration of China’s hacking campaigns, including these efforts targeting a dozen countries across sectors ranging from healthcare and biomedical research to aviation and defense, remind us that no country or industry is safe. Today’s international condemnation shows that the world wants fair rules, where countries invest in innovation, not theft,” said deputy attorney general Lisa Monaco.

This crowdsourced payments tracker wants to solve the ransomware visibility problem

Ransomware attacks, fueled by COVID-19 pandemic turbulence, have become a major money earner for cybercriminals, with the number of attacks rising in 2020.

These file-encrypting attacks have continued largely unabated this year, too. In the last few months alone we’ve witnessed the attack on Colonial Pipeline that forced the company to shut down its systems — and the gasoline supply — to much of the eastern seaboard, the hack on meat supplier JBS that abruptly halted its slaughterhouse operations around the world, and just this month a supply chain attack on IT vendor Kaseya that saw hundreds of downstream victims locked out of their systems.

However, while ransomware attacks continue to make headlines, it’s near-impossible to understand their full impact, nor is it known whether taking certain decisions — such as paying the cybercriminals’ ransom demands — makes a difference.

Jack Cable, a security architect at Krebs Stamos Group who previously worked for the U.S. Cybersecurity and Infrastructure Security Agency (CISA), is looking to solve that problem with the launch of a crowdsourced ransom payments tracking website, Ransomwhere.

“I was inspired to start Ransomwhere by Katie Nickels’s tweet that no one really knows the full impact of cybercrime, and especially ransomware,” Cable told TechCrunch. “After seeing that there’s currently no single place for public data on ransomware payments, and given that it’s not hard to track bitcoin transactions, I started hacking it together.”

The website keeps a running tally of ransoms paid out to cybercriminals in bitcoin, made possible thanks to the public record-keeping of transactions on the blockchain. As the site is crowdsourced, it incorporates data from self-reported incidents of ransomware attacks, which anyone can submit. However, in order to make sure all reports are legitimate, each submission must include a screenshot of the ransomware payment demand, and every case is reviewed manually by Cable himself before being made publicly available. If an approved report’s authenticity is later called into question, it will be removed from the database.

The already-burgeoning database, which doesn’t include any personal or victim-identifying information, is available as a free download for the cybersecurity community and law enforcement officials, which Cable hopes will help give some much-needed public transparency about the current state of the problem.

“As we consider policy proposals to change the state of ransomware economics, we will need data to assess whether these actions are successful,” Cable said. “For law enforcement, as we saw with the Colonial Pipeline hack, law enforcement does have the ability to recover some payments, so it would be great if this can further aid their efforts.”

At the time of writing, the site is tracking a total of more than $32 million in ransom payments for 2021. The bulk of these payments have been made to REvil, the Russia-linked ransomware gang that took credit for the JBS and Kaseya hacks. The group has racked up more than $11 million in ransom payments this year, according to Ransomwhere, an amount that could increase dramatically if its recent demands for $70 million as part of the Kaseya attack are met.

Netwalker, one of the most popular ransomware-as-a-service offerings on the dark web, comes in second with more than $6.3 million in payments for 2021, though Ransomwhere’s tally shows that the group has racked up the most ransom payments in total, with roughly $28 million to its name based on the site’s data.

RagnarLocker, DarkSide, and Egregor round out Ransomwhere’s top five list — for now at least — having amassed sums of $4.6 million, $4.4 million, and $3.2 million, respectively.

Cable says that going forward, he’s exploring ways of partnering with companies in the security and blockchain analysis spaces in order to integrate data that they already have on ransomware actions. He’s also looking at ways to support other traceable cryptocurrencies, such as Ethereum, as well as at the potential to track downstream bitcoin addresses. 

“It’ll never be possible to get the full picture — criminals who are using Monero will be near-impossible to track”, Cable says. “But I would like to get as complete of a picture as possible.”


Fujifilm becomes the latest victim of a network-crippling ransomware attack

Japanese multinational conglomerate Fujifilm has been forced to shut down parts of its global network after falling victim to a suspected ransomware attack.

The company, which is best known for its digital imaging products but also produces high-tech medical equipment including devices for rapid processing of COVID-19 tests, confirmed that its Tokyo headquarters was hit by a cyberattack on Tuesday evening.

“Fujifilm Corporation is currently carrying out an investigation into possible unauthorized access to its server from outside of the company. As part of this investigation, the network is partially shut down and disconnected from external correspondence,” the company said in a statement posted to its website.

“We want to state what we understand as of now and the measures that the company has taken. In the late evening of June 1, 2021, we became aware of the possibility of a ransomware attack. As a result, we have taken measures to suspend all affected systems in coordination with our various global entities.

“We are currently working to determine the extent and the scale of the issue. We sincerely apologize to our customers and business partners for the inconvenience this has caused.”

As a result of the partial network shutdown, Fujifilm USA added a notice to its website stating that it is currently experiencing problems affecting all forms of communications, including emails and incoming calls. In an earlier statement, Fujifilm confirmed that the cyberattack is also preventing the company from accepting and processing orders. 

Fujifilm has yet to respond to our request for comment.

While Fujifilm is keeping tight-lipped on further details, such as the identity of the ransomware used in the attack, Bleeping Computer reports that the company’s servers have been infected by Qbot. Advanced Intel CEO Vitali Kremez told the publication that the company’s systems were hit by the 13-year-old Trojan, typically initiated by phishing, last month.

The creators of Qbot, also known as QakBot or QuakBot, have a long history of partnering with ransomware operators. They previously worked with the ProLock and Egregor ransomware gangs, but are currently said to be linked with the notorious REvil group.

“Initial forensic analysis suggests that the ransomware attack on Fujifilm started with a Qbot trojan infection last month, which gave hackers a foothold in the company’s systems with which to deliver the secondary ransomware payload,” Ray Walsh, digital privacy expert at ProPrivacy, told TechCrunch. “Most recently, the Qbot trojan has been actively exploited by the REvil hacking collective, and it seems highly plausible that the Russian-based hackers are behind this cyberattack.”

REvil, also known as Sodinokibi, not only encrypts a victim’s files but also exfiltrates data from their network. The hackers typically threaten to publish the victim’s files if their ransom isn’t paid. But a site on the dark web used by REvil to publicize stolen data appeared offline at the time of writing.

Ransomware attacks have been on the rise since the start of the COVID-19 pandemic, so much so that they have become the biggest single money earner for cybercriminals. Threat hunting and cyber intelligence firm Group-IB estimates that the number of ransomware attacks grew by more than 150% in 2020, and that the average ransom demand increased more than twofold to $170,000.

At the time of writing, it’s unclear whether Fujifilm has paid any ransom to the hackers responsible for the attack on its systems.

SolarWinds hackers targeted NASA, Federal Aviation Administration networks

Hackers are said to have broken into the networks of U.S. space agency NASA and the Federal Aviation Administration as part of a wider espionage campaign targeting U.S. government agencies and private companies.

The two agencies were named by the Washington Post on Tuesday, hours ahead of a Senate Intelligence Committee hearing tasked with investigating the widespread cyberattack, which the previous Trump administration said was “likely Russian in origin.”

Spokespeople for the agencies did not immediately respond to a request for comment, but did not deny the breach in remarks to the Post.

It’s believed NASA and the FAA are the two remaining unnamed agencies of the nine government agencies confirmed to have been breached by the attack. The other seven include the Departments of Commerce, Energy, Homeland Security, Justice, and State, the Treasury, and the National Institutes of Health, though it’s not believed the attackers breached their classified networks.

FireEye, Microsoft, and Malwarebytes were among a number of cybersecurity companies also breached as part of the attacks.

The Biden administration is reportedly preparing sanctions against Russia, in large part because of the hacking campaign, the Post also reported.

The attacks were discovered last year after FireEye raised the alarm about the hacking campaign after its own network was breached. Each victim was a customer of the U.S. software firm SolarWinds, whose network management tools are used across the federal government and Fortune 500 companies. The hackers broke into SolarWinds’ network, planted a backdoor in its software, and pushed the backdoor to customer networks with a tainted software update.

It wasn’t the only way in. The hackers are also said to have targeted other companies by breaking into other devices and appliances on their victims’ networks, as well as targeting Microsoft vendors to breach other customers’ networks.

Last week, Anne Neuberger, the former NSA cybersecurity director who last month was elevated to the White House’s National Security Council to serve as the deputy national security adviser for cyber and emerging technology, said that the attack took “months to plan and execute,” and will “take us some time to uncover this layer by layer.”


CD Projekt hit by ransomware attack, refuses to pay ransom

Polish video game maker CD Projekt, which makes Cyberpunk 2077 and The Witcher, has confirmed it was hit by a ransomware attack.

In a statement posted to its Twitter account, the company said it will “not give in nor negotiate” with the hackers, saying it has backups in place. “We have already secured our IT infrastructure and begun restoring data,” the company said.

According to the ransom note, the hackers said they would release the company’s stolen source code and other internal files if it did not pay the ransom, since the company would “most likely recover from backups.”

But the company said for now that no personal data was taken. “We are still investigating the incident, however at this time we can confirm that — to our best knowledge — the compromised systems did not contain any personal data of our players or users of our services.”

It’s an increasingly hostile tactic used by ransomware actors: Hackers target high-value businesses and companies with file-encrypting malware and hold the files for a ransom. But since many companies have backups, some ransomware groups threaten to publish the stolen files unless the ransom is paid.

CD Projekt Red did not immediately respond to TechCrunch’s questions, including what kind of ransomware was used to attack its systems.

It’s thought to be the second time in recent years that the company has been hit by ransomware. The game maker confirmed in 2017 that a hack resulted in the compromise of early work related to Cyberpunk 2077. In the weeks following the game’s launch, Sony and Microsoft offered gamers refunds, citing bugs and poor performance on older consoles.


2020 was a disaster, but the pandemic put security in the spotlight

Let’s preface this year’s predictions by acknowledging and admitting how hilariously wrong we were when this time last year we said that 2020 “showed promise.”

In fairness (almost) nobody saw a pandemic coming.


The pandemic is, and remains, a global disaster of epic proportions that has forced billions of people into lockdown and left economies in tatters, with companies (including startups) struggling to stay afloat. The mass shift to working from home brought security challenges with it, like how to protect your workforce when employees are working outside the security perimeter of their offices. But it has also forced us to find solutions to some of the most complex challenges, like pulling off a secure election and securing the supply chain for the vaccines that will bring our lives back to some semblance of normality.

With 2020 wrapping up, much of the security headaches exposed by the pandemic will linger into the new year. This is what to expect.

Working from home has given hackers new avenues for attacks

The sudden lockdowns in March drove millions to work from home. But hackers quickly found new and interesting ways to target big companies by targeting the employees themselves. VPNs were a big target because of outstanding vulnerabilities that many companies didn’t bother to fix. Bugs in enterprise software left corporate networks open to attack. The flood of personal devices logging onto the network — and the influx of malware with it — introduced fresh havoc.

Sophos says that this mass decentralizing of the workforce has turned us all into our own IT departments. We have to patch our own computers, install security updates, and there’s no IT just down the hallway to ask if that’s a phishing email.

Companies are having to adjust to the cybersecurity challenges, since working from home is probably here to stay. Managed service providers, or outsourced IT departments, have a “huge opportunity to benefit from the work-from-home shift,” said Grayson Milbourne, security intelligence director at cybersecurity firm Webroot.

Ransomware has become more targeted and more difficult to escape

File-encrypting malware, or ransomware, is getting craftier and sneakier. Where traditional ransomware would encrypt and hold a victim’s files hostage in exchange for a ransom payout, the newer and more advanced strains first steal a victim’s files, encrypt the network and then threaten to publish the stolen files if the ransom isn’t paid.

This data-stealing ransomware makes escaping an attack far more difficult because a victim can’t just restore their systems from a backup (if there is one). CrowdStrike’s chief technology officer Michael Sentonas calls this new wave of ransomware “double extortion” because victims are forced to respond to the data breach as well.

The healthcare sector is under the closest guard because of the pandemic. Despite promises from some (but not all) ransomware groups that hospitals would not be deliberately targeted during the pandemic, medical practices were far from immune. 2020 saw several high-profile attacks. A ransomware attack at Universal Health Services, one of the largest healthcare providers in the U.S., caused widespread disruption to its systems. Just last month U.S. Fertility confirmed a ransomware attack on its network.

These high-profile incidents are becoming more common because hackers are targeting their victims very carefully. These hyperfocused attacks require a lot more skill and effort but improve the hackers’ odds of landing a larger ransom — in some cases earning the hackers millions of dollars from a single attack.

“This coming year, these sophisticated cyberattacks will put enormous stress on the availability of services — in everything from rerouted healthcare services impacting patient care, to availability of online and mobile banking and finance platforms,” said Sentonas.


Decrypted: Google finds a devastating iPhone security flaw, FireEye hack sends alarm bells ringing

In case you missed it: A ransomware attack saw patient data stolen from one of the largest U.S. fertility networks; the Supreme Court began hearing a case that may change how millions of Americans use computers and the internet; and lawmakers in Massachusetts have voted to ban police from using facial recognition across the state.

In this week’s Decrypted, we’re deep-diving into two stories beyond the headlines, including why the breach at cybersecurity giant FireEye has the cybersecurity industry in shock.


THE BIG PICTURE

Google researcher finds a major iPhone security bug, now fixed

What happens when you leave one of the best security researchers alone for six months? You get one of the most devastating vulnerabilities ever found in an iPhone — a bug so damaging that it can be exploited over-the-air and requires no interaction on the user’s part.

The AWDL bug under attack using a proof-of-concept exploit developed by a Google researcher. Image Credits: Ian Beer/Google Project Zero

The vulnerability was found in Apple Wireless Direct Link (AWDL), an important part of the iPhone’s software that among other things allows users to share files and photos over Wi-Fi through Apple’s AirDrop feature.

“AWDL is enabled by default, exposing a large and complex attack surface to everyone in radio proximity,” wrote Google’s Ian Beer in a tweet. Beer found the vulnerability in November and disclosed it to Apple, which pushed out a fix for iPhones and Macs in January.

But exploiting the bug allowed Beer to take control of a vulnerable device over Wi-Fi, gaining access to the underlying iPhone software — including messages, emails and photos, as well as the camera and microphone — without alerting the user. Beer said that the bug could be exploited over “hundreds of meters or more,” depending on the hardware used to carry out the attack. The good news is that there’s no evidence that malicious hackers have actively tried to exploit the bug.

News of the bug drew immediate attention, though Apple didn’t comment. NSA’s Rob Joyce said the bug find is “quite an accomplishment,” given that most iOS bugs require chaining multiple vulnerabilities together in order to get access to the underlying software.

FireEye hacked by a nation-state, but the aftermath is unclear


Cyber threat startup Cygilant hit by ransomware

Cygilant, a threat detection cybersecurity company, has confirmed a ransomware attack.

Christina Lattuca, Cygilant’s chief financial officer, said in a statement that the company was “aware of a ransomware attack impacting a portion of Cygilant’s technology environment.”

“Our Cyber Defense and Response Center team took immediate and decisive action to stop the progression of the attack. We are working closely with third-party forensic investigators and law enforcement to understand the full nature and impact of the attack. Cygilant is committed to the ongoing security of our network and to continuously strengthening all aspects of our security program,” the statement said.

Cygilant is believed to be the latest victim of NetWalker, a ransomware-as-a-service group that lets threat groups rent access to its infrastructure to launch their own attacks, according to Brett Callow, a ransomware expert and threat analyst at security firm Emsisoft.

The file-encrypting malware itself not only scrambles a victim’s files but also exfiltrates the data to the hacker’s servers. The hackers typically threaten to publish the victim’s files if the ransom isn’t paid.

A site on the dark web associated with the NetWalker ransomware group posted screenshots of internal network files and directories believed to be associated with Cygilant.

Cygilant did not say if it paid the ransom. But at the time of writing, the dark web listing with Cygilant’s data had disappeared.

“Groups permanently delist companies when they’ve paid or, in some cases, temporarily delist them once they’ve agreed to come to the negotiating table,” said Callow. “NetWalker has temporarily delisted pending negotiations in at least one other case.”


Booze and cruise providers are the latest to be hit by ransomware scourge

A stylized ransom note asks for bitcoin in exchange for stolen data. (credit: Aurich Lawson)

Ransomware operators are continuing their blitz on corporations with deep pockets, with Jack Daniel’s distiller Brown-Forman and cruise line behemoth Carnival being two of the latest to be hit.

In a statement, Brown-Forman officials wrote:

Brown-Forman was the victim of a cybersecurity attack. Our quick actions upon discovering the attack prevented our systems from being encrypted. Unfortunately, we believe some information, including employee data, was impacted. We are working closely with law enforcement, as well as world class third-party data security experts, to mitigate and resolve this situation as soon as possible. There are no active negotiations.

The statement came after Bloomberg News reported that it had received an anonymous tip of a ransomware attack. A Dark Web site that claims to be run by members of the REvil strain of ransomware says it has obtained 1 terabyte of data from Louisville, Kentucky-based Brown-Forman. (In addition to producing Jack Daniel’s, Brown-Forman also owns Finlandia vodka and other spirits.)



Homeland Security warns over ‘wormable’ Windows 10 bug

Homeland Security’s cybersecurity advisory unit is warning Windows 10 users to make sure that their systems are fully patched, after exploit code for a “wormable” bug was published online last week.

The code takes advantage of a security vulnerability patched by Microsoft back in March. The vulnerability caused confusion and concern after details of the “critical”-rated bug were initially published but quickly pulled offline.

The exploit code, known as SMBGhost, exploits a bug in the server message block — or SMB — component that lets Windows talk with other devices, like printers and file servers. Once exploited, the bug gives the attacker unfettered access to a Windows computer to run malicious code, like malware or ransomware, remotely from the internet.

Worse, because the code is “wormable” it can spread across networks, similar to how the NotPetya and WannaCry ransomware attacks spread across the world, causing billions of dollars in damage.

Even though Microsoft published a patch months ago, tens of thousands of internet-facing computers are still vulnerable, prompting the advisory.

In the advisory, Homeland Security’s Cybersecurity and Infrastructure Security Agency said hackers are “targeting unpatched systems” using the new code and advised users to install updates immediately.

The researcher who published the code, a GitHub user who goes by the handle Chompie1337, admitted that their proof-of-concept code was “written quickly and needs some work to be more reliable,” but warned that the code, if used maliciously, could cause considerable damage.

“Using this for any purpose other than self education is an extremely bad idea. Your computer will burst in flames. Puppies will die,” said the researcher.

If you haven’t updated Windows recently, now would be a good time.


A new Java-based ransomware targets Windows and Linux

Security researchers have discovered a new kind of ransomware that uses a little-known Java file format to make it more difficult to detect before it detonates its file-encrypting payload.

Consulting giant KPMG’s incident response unit was called in to run the recovery effort at an unnamed European educational institute hit by a ransomware attack. BlackBerry’s security research unit, which partners with KPMG, analyzed the malware and published its findings Thursday.

BlackBerry’s researchers said that a hacker broke into the institute’s network using a remote desktop server connected to the internet and deployed a persistent backdoor in order to regain easy access to the network after leaving. After a few days of inactivity to avoid detection, the hacker re-entered the network through the backdoor, disabled any running anti-malware service, spread the ransomware module across the network, and detonated the payload, encrypting each computer’s files and holding them hostage for a ransom.

The researchers said it was the first time they’ve seen a ransomware module compiled into a Java image file format, or JIMAGE. These files contain all the components needed for the code to run — a bit like a Java application — but are rarely scanned by anti-malware engines and can go largely undetected.

BlackBerry named the ransomware “Tycoon,” referencing a folder name found in the decompiled code. The researchers said the module had code that allows the ransomware to run on both Windows and Linux computers.

Ransomware operators typically use strong, off-the-shelf encryption algorithms to scramble victims’ files in exchange for a ransom, often demanded in cryptocurrency. For most victims, their only options are to hope they have a backup or pay the ransom. (The FBI has long discouraged victims from paying the ransom.)

But the researchers said there was hope that some victims could recover their encrypted files without paying the ransom. Early versions of the Tycoon ransomware used the same encryption keys to scramble their victims’ files. That means one decryption tool could be used to recover files for multiple victims, the researchers said. But newer versions of Tycoon seem to have fixed this weakness.

BlackBerry’s Eric Milam and Claudiu Teodorescu told TechCrunch that they have observed about a dozen “highly targeted” Tycoon infections in the past six months, suggesting the hackers carefully select their victims, including educational institutions and software houses.

But, as is often the case, the researchers said that the actual number of infections is likely far higher.


Decrypted: No warrants for web data, UK grid cyberattack, CyberArk buys Idaptive

One vote.

That’s all it needed for a bipartisan Senate amendment to pass that would have stopped federal authorities from further accessing millions of Americans’ browsing records. But it didn’t. One Republican was in quarantine, another was AWOL. Two Democratic senators — including former presidential hopeful Bernie Sanders — were nowhere to be seen and neither returned a request for comment.

It was one of several amendments offered up in the effort to reform and reauthorize the Foreign Intelligence Surveillance Act, the basis of U.S. spying laws. The law, signed in 1978, put restrictions on who intelligence agencies could target with their vast listening and collection stations. But after the Edward Snowden revelations in 2013, lawmakers champed at the bit to change the system to better protect Americans, who are largely protected from the spies within its borders.

One privacy-focused amendment, brought by Sens. Mike Lee and Patrick Leahy, passed; it permits more independent oversight of the secretive and typically one-sided Washington, D.C. court that authorizes government surveillance programs, the Foreign Intelligence Surveillance Court. That amendment all but guarantees the bill will bounce back to the House for further scrutiny.

Here’s more from the week.


THE BIG PICTURE

Three years after WannaCry, U.S. still on North Korea’s tail

A feature-length profile in Wired magazine looks at the life of Marcus Hutchins, one of the heroes who helped stop the world’s biggest cyberattack three years to the day.

The profile — a 14,000-word cover story — examines his part in halting the spread of the global WannaCry ransomware attack and how his early days led him into a criminal world that prompted him to plead guilty to felony hacking charges. Thanks in part to his efforts in saving the internet, he was sentenced to time served and walked free.


Hackers target oil producers as they struggle with a record glut of crude

(credit: Department of Energy and Climate Change (UK))

As the world’s top oil producers prepared for a weeklong meeting earlier this month to plan a response to slumping prices of crude, espionage hackers commenced a sophisticated spearphishing campaign that was concentrated on US-based energy companies. The goal: install a notorious trojan that siphoned their most sensitive communications and data.

Setting the campaign apart, the emails were mostly free of the typos, broken grammar, and other sloppiness that are typical of phishes. The emails also reflected a sender who was well-acquainted with the business of energy production. A barrage of emails that started on March 31, for instance, purported to come from Engineering for Petroleum and Process Industries, a real Egyptian state oil company.

Not your father’s spear-phishing

The sender invited the recipient to submit a bid for equipment and materials as part of a real ongoing project, known as the Rosetta Sharing Facilities Project, on behalf of Burullus, a gas joint venture that’s half-owned by another Egyptian state oil company. The email, which was sent to about 150 oil and gas companies over a week starting on March 31, attached two files that masqueraded as bidding conditions, forms, and a request for proposal. The relatively small number of emails demonstrates the narrow targeting of the carefully crafted campaign. By contrast, many phishing campaigns indiscriminately send tens of thousands of emails.

