Ransomware is a global problem that needs a global solution • ZebethMedia

This time last year, we were optimistic. It seemed like the tide was turning on ransomware after the U.S. government scored a handful of wins against the cybercriminals carrying out these increasingly damaging attacks: the Justice Department seized $2.3 million in bitcoin that Colonial Pipeline had paid to the DarkSide ransomware gang to reclaim its data, and months later it played a part in bringing down the notorious REvil ransomware gang.

Our optimism was short-lived. Despite this action, 2022 looks set to top last year as the worst year on record for ransomware attacks; a recent report shows that attacks have increased by 80% year-over-year and that the cybercriminals responsible have easily dodged law enforcement action by taking advantage of ransomware as a service, or by simply rebranding.

“It’s clear that ransomware attacks are on the rise,” Matthew Prince, CEO of Cloudflare, tells ZebethMedia. “In September 2022, nearly one in every four respondents to our customer survey reported receiving a ransomware attack or threat, the highest month so far of 2022.”

2022 hasn’t just been the worst year for ransomware attacks statistically, it has also just been… the worst. While hackers last year focused on critical infrastructure and financial services, this year’s focus has been on organizations where they can inflict the most damage. An attack on the Los Angeles Unified School District saw Vice Society hackers leak a 500 gigabyte trove of sensitive data, including previous conviction reports and psychological assessments of students, while an attack on IT services provider Advanced left the U.K.’s NHS scrambling after it was forced to cancel appointments, with staff relying on pen and paper to take notes.
Perhaps the most devastating attack of 2022 came just weeks ago, after attackers breached Australian health insurance giant Medibank and accessed the personal details of roughly 9.7 million customers, along with health claims data for almost half a million of them. Data stolen during the attack included sensitive files related to abortions and alcohol-related illnesses.

These attacks don’t just demonstrate that ransomware is worsening. They also show that ransomware is a global problem and that global action is needed to fight back successfully. Earlier in November, the U.S. government started to take strides in the right direction, announcing that it will establish an International Counter Ransomware Task Force, or ICRTF, to promote information and capability sharing.

“This is a global issue, so governments need to come together,” Camellia Chan, CEO and founder at cybersecurity firm X-PHY, tells ZebethMedia. “That said, collaboration alone won’t provide a solution. It’s more than signing an agreement.”

This is a viewpoint shared among the cybersecurity community: signing agreements and sharing intelligence is all well and good, but it’s unlikely to deter financially motivated cybercriminals who continue to reap the rewards of these attacks. To gain ground on cybercriminals who continue to achieve a high rate of success, governments need a fresh approach.

[Image: Fuel tanks at Colonial Pipeline Baltimore Delivery in Baltimore, Maryland, on May 10, 2021. The U.S. government declared a regional emergency on May 9, 2021 as the largest U.S. fuel pipeline system remained largely shut down, two days after a ransomware attack. Image Credits: Jim Watson / AFP via Getty Images.]

“You can’t arrest your way out of the problem,” Morgan Wright, chief security advisor at SentinelOne, tells ZebethMedia. “There are numerous examples of both transnational criminal ransomware actors and nation-state actors being identified and indicted for various crimes. These offenders almost always live in countries with no extradition treaty with the country that has issued the indictments.”

“One area I would like to see an increased effort is in the area of human collection of intelligence,” Wright added. “We need more penetration of state actors and criminal organizations. Too often, ransomware is viewed as a technical issue. It’s not. It’s human greed that uses technology to achieve an end goal.”

This element of greed could also be targeted by increasing regulation of the cryptocurrency market, which many believe could be on the horizon following the recent collapse of FTX. Former CISA assistant director Bob Kolasky said that in order to discourage ransomware actors for good, governments need to reduce the financial instruments available for them to use.

“This includes using regulatory pressure on the cryptocurrency market to make tracking and recouping ransomware payments easier,” Kolasky tells ZebethMedia, a view shared by others.

“We need governments to take a bigger role in blocking cryptocurrencies, which is the enabler of attacker monetization strategies,” agrees David Warburton, director of networking company F5 Labs, telling ZebethMedia: “While decentralized currencies, such as bitcoin, aren’t inherently bad, nor solely responsible for the ransomware epidemic we’re facing, there’s no denying they are a huge factor.

“While control and regulation somewhat defeat the original intent of decentralized currencies, there’s no escaping the fact that without Bitcoin, ransomware simply wouldn’t exist,” said Warburton.

But legislation wouldn’t work unless it’s a global effort, he said: “Many ransomware groups operate from countries which have no motivation to help those that are being targeted.” This is a problem that, like ransomware itself, has been worsened by Russia’s invasion of Ukraine, which has ended any cooperation between Europe, the U.S. and Russia on ransomware operations inside Russia.
Jason Steer, chief information security officer at threat intelligence giant Recorded Future, said that this is an area that immediately needs more global government support. “The focus has significantly dropped off in 2022 due to Russia’s activities, where in fact many groups operate safely from,” said Steer.

Even if governments joined forces to collaboratively fight the growing ransomware problem, it’s unlikely to have any immediate effect. Security experts expect no respite from ransomware as we enter 2023, as increasingly savvy hackers exploit new attack vectors and continue to reap the financial rewards.

“There are governments that are working to provide more support and resources. But it will never be enough,” says Wright. “Bad actors will always have the advantage, but we should make them pay in a significant way every time an attack is launched.”

‘We know who you are’ • ZebethMedia

The Australian Federal Police claims to have identified the cybercriminals behind the Medibank ransomware attack, which compromised the personal data of 9.7 million customers.

AFP Commissioner Reece Kershaw said on Friday that the agency knows the identity of the individuals responsible for the attack on Australia’s largest private health insurer. He declined to name the individuals but said the AFP believes that those responsible for the breach are in Russia, though some affiliates may be in other countries.

In a tweet, Australian Prime Minister Anthony Albanese, whose own Medibank data was stolen, said the AFP knows where the hackers are and is working to bring them to justice.

“The Australian Federal Police have identified the hackers, revealing they’re located in Russia. We know where they are. And we are working hard to bring them to justice.” — Anthony Albanese (@AlboMP) November 11, 2022

Kershaw said that police intelligence points to a “group of loosely affiliated cyber criminals” who are likely responsible for previous significant data breaches around the world, but did not name victims. “These cyber criminals are operating like a business with affiliates and associates who are supporting the business,” he added, pointing to ransomware-as-a-service operations such as LockBit. On Thursday, a dual Russian-Canadian national linked to the LockBit operation was arrested in Canada.

The hackers behind the Medibank breach have previously been linked to the high-profile Russian cybercrime gang REvil, also known as Sodinokibi. REvil’s once-defunct dark web leak site now redirects traffic to a new site that hosts the stolen Medibank data, and the hackers behind the breach have also been observed using a variant of REvil’s file-encrypting malware.

The Russian Embassy in Canberra was quick to rebuff allegations that the Medibank hackers are based in Russia.
“For some reason, this announcement was made before the AFP even contacted the Russian side through the existing professional channels of communication,” the embassy said in a statement on Friday. “We encourage the AFP to duly get in touch with the respective Russian law enforcement agencies.”

Russia’s federal security service, the FSB (formerly the KGB), said in January that REvil “ceased to exist” after several arrests were made at the request of the U.S. government. In March, Ukrainian national Yaroslav Vasinskyi, an alleged key member of the REvil group linked to an attack on U.S. software vendor Kaseya, was extradited from Poland to the U.S. to face charges.

“Even after a series of law enforcement operations against REvil, the gang and its affiliates still seem to keep returning, based on the analysis of the latest REvil ransomware sample,” Roman Rezvukhin, head of the malware analysis and threat hunting team at Group-IB, tells ZebethMedia.

Kershaw said on Friday that the AFP, along with international partners such as Interpol, will “be holding talks with Russian law enforcement about these individuals.”

“It is important to note that Russia benefits from the intelligence-sharing and data shared through Interpol, and with that comes responsibilities and accountability,” Kershaw said. “To the criminals: We know who you are, and moreover, the AFP has some significant runs on the scoreboard when it comes to bringing overseas offenders back to Australia to face the justice system.”

While the AFP has successfully extradited people from Poland, Serbia, and the United Arab Emirates in recent years to face criminal charges in Australia, extraditing Russian hackers is likely to be challenging. In 2018, Russian President Vladimir Putin declared that “Russia does not extradite its citizens to anyone.”

Despite action by the AFP, the Medibank breach continues to worsen following the insurer’s decision to refuse to pay the cybercriminals’ ransom demand.
On Thursday, the attackers’ dark web blog posted more stolen data, including sensitive files related to abortions and alcohol-related illnesses. According to the blog, the cybercriminals initially sought $10 million in ransom from Medibank before reducing the sum to $9.7 million, or $1 per affected customer.

“Unfortunately, we expect the criminal to continue to release stolen customer data each day,” Medibank CEO David Koczkar said on Friday. “These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care.”

Crime group hijacks hundreds of US news websites to push malware • ZebethMedia

A cybercriminal group has compromised a media content provider to deploy malware on the websites of hundreds of news outlets in the U.S., according to cybersecurity company Proofpoint.

The threat actors, tracked by Proofpoint as “TA569,” compromised the media organization to spread SocGholish, a custom malware active since at least 2018. The media company in question is not named, but was notified and is said to be investigating. Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, tells ZebethMedia that the organization provides “both video content and advertising to major news outlets.”

DeGrippo added that 250 U.S. national newspaper sites and regional websites are affected, including media organizations serving Boston, Chicago, Cincinnati, Miami, New York, Palm Beach, and Washington, D.C. It’s unclear how the unnamed media company was compromised, but DeGrippo added that TA569 “has a demonstrated history of compromising content management systems and hosting accounts.”

The SocGholish malware is injected into a benign JavaScript file that is loaded by the news outlets’ websites; the injected code prompts the website visitor to download a fake software update. In this campaign, the prompt takes the form of a browser update for Chrome, Firefox, Internet Explorer, Edge, or Opera. “If the victim downloads and executes this ‘fakeupdate’ they will be infected by the SocGholish payload,” said DeGrippo. “This attack chain requires interaction from the end user at two points: accepting the download and executing the payload.”

SocGholish serves as an “initial access threat,” which, if successfully planted, has historically served as a precursor to ransomware, according to Proofpoint. The threat actors’ end goal, the company says, is financial gain. Proofpoint tells ZebethMedia that it “assesses with high confidence” that TA569 is associated with WastedLocker, a variant of ransomware developed by the U.S.-sanctioned Evil Corp group. The company added that it does not believe TA569 is Evil Corp, but rather acts as a broker of already-compromised devices for the hacking group.

It was revealed earlier this year that Evil Corp uses a ransomware-as-a-service model in an effort to skirt U.S. sanctions. The gang was sanctioned in December 2019 due to its extensive development of the Dridex malware, which it used to steal more than $100 million from hundreds of banks and financial institutions.
