
Arnica raises $7M to improve software supply chain security

Everybody wants to talk about software supply chain risks these days, whether that’s security teams, developers or government officials. It’s no surprise, then, that VCs, despite the current economic climate, continue to fund startups in this space, too. One of the newest members of this club is Arnica, a startup that takes a somewhat broader view of supply chain security than most of its competitors and helps companies.

The company today announced that it has raised a $7 million seed round. The round was led by Joule Ventures and First Rays Venture Partners. A number of angel investors, including Avi Shua (co-founder & CEO of Orca Security), Dror Davidoff (co-founder & CEO of Aqua Security) and Baruch Sadogursky (head of Developer Relations at JFrog), also participated in this round.

Arnica founding team. Image Credits: Arnica

“As a former buyer of application security products, I tested more than a dozen solutions for securing my previous company’s software supply chain but reached a dead end. Most products were expensive visibility dashboards driven by varying definitions of ‘best practices,’” said Arnica CEO and co-founder Nir Valtman. “We decided to provide this visibility for free, for unlimited users, forever. We went further though and developed a comprehensive solution to not only identify risks based on historical and anomalous behavior but also to mitigate them. We do this by using automated workflows with single-click mitigations that empower developers to own security from within the tools they already use.”

The team argues that supply chain attacks succeed because of inefficient developer access management or the inability to detect anomalous identity or code behavior. So that’s where Arnica comes in. Its behavior-based approach combines access management with a service that can detect anomalous developer behavior that could be the result of a breach.

“Each of our machine learning algorithms has thousands of features that identify whether it was actually the developer who wrote the pushed code,” explained Valtman. “When an anomaly is detected, it kicks off an immediate workflow to validate it with the developer in a simple and secure way. It is not only good for the company, but also good for developers.”

There’s also secret detection to avoid leaking those, a service that continuously monitors security and compliance, and tools for identifying the open source libraries used across an organization, which can also compile a full software bill of materials (SBOM). The company plans to use the new funding to accelerate its go-to-market and R&D efforts, with a focus on expanding its automated workflows and mitigation capabilities.

“In a market full of security solutions adding only incremental value, Arnica’s instant resolution-oriented approach is a game changer for enterprise dev teams,” said Brian Rosenzweig, partner at Joule Ventures. “Arnica goes beyond just flagging security problems — every issue that is identified can be immediately addressed with a provided one-click fix. This allows businesses to quickly protect their software supply chain from attacks, while behavior-based detection ensures it remains secure in the long term. Arnica’s pragmatic approach and advanced technology enable companies to avoid costly breaches without compromising on agility.”

Twilio hack investigation reveals second breach, as the number of affected customers rises

U.S. messaging giant Twilio confirmed it was hit by a second breach in June that saw cybercriminals access customer contact information. Confirmation of the second breach — carried out by the same “0ktapus” hackers that compromised Twilio again in August — was buried in an update to a lengthy incident report that Twilio concluded on Thursday.

Twilio said the “brief security incident,” which occurred on June 29, saw the same attackers socially engineer an employee through voice phishing, a tactic whereby hackers make fraudulent phone calls impersonating the company’s IT department in an effort to trick employees into handing over sensitive information. In this case, the Twilio employee provided their corporate credentials, enabling the attacker to access customer contact information for a “limited number” of customers.

“The threat actor’s access was identified and eradicated within 12 hours,” Twilio said in its update, adding that customers whose information was impacted by the June incident were notified on July 2. When asked by ZebethMedia, Twilio spokesperson Laurelle Remzi declined to confirm the exact number of customers impacted by the June breach and declined to share a copy of the notice that the company claims to have sent to those affected. Remzi also declined to say why Twilio has only just disclosed the incident.

Twilio also confirmed in its update that the hackers behind the August breach accessed the data of 209 customers, an increase from the 163 customers it shared on August 24. Twilio has not named any of its impacted customers, but some — like encrypted messaging app Signal — have notified users that they were affected by Twilio’s breach. The attackers also compromised the accounts of 93 Authy users, Twilio’s two-factor authentication app it acquired in 2015.

“There is no evidence that the malicious actors accessed Twilio customers’ console account credentials, authentication tokens, or API keys,” Twilio said about the attackers, which maintained access to Twilio’s internal environment for two days between August 7 and August 9, the company confirmed.

The Twilio breach is part of a wider campaign from a threat actor tracked as “0ktapus,” which targeted at least 130 organizations, including Mailchimp and Cloudflare. But Cloudflare said the attackers failed to compromise its network after having their attempts blocked by phishing-resistant hardware security keys. As part of its efforts to mitigate the efficacy of similar attacks in the future, Twilio has announced that it will also roll out hardware security keys to all employees. Twilio declined to comment on its rollout timeline. The company says it also plans to implement additional layers of control within its VPN, remove and limit certain functionality within specific administrative tooling, and increase the refresh frequency of tokens for Okta-integrated applications.

Amazon accidentally exposed an internal server packed with Prime Video viewing habits

It feels like every other day another tech startup is caught red-faced spilling reams of data across the internet because of a lapse in security. But even for technology giants like Amazon, it’s easy to make mistakes.

Security researcher Anurag Sen found a database packed with Amazon Prime viewing habits stored on an internal Amazon server that was accessible from the internet. But because the database was not protected with a password, the data within could be accessed by anyone with a web browser just by knowing its IP address.

The Elasticsearch database — named “sauron” (make of that what you will) — contained about 215 million entries of pseudonymized viewing data, such as the name of the show or movie being streamed, what device it was streamed on, and other internal data, like the network quality, and details about the viewer’s subscription, such as whether they are an Amazon Prime customer. According to Shodan, a search engine for internet-connected things, the database was first detected as exposed to the internet on September 30.

While it is disconcerting that a company of Amazon’s size and wealth could leave such a huge cache of data on the internet for weeks without anyone noticing, based on our review, the data cannot be used to personally identify customers by name. But the lapse highlights a common problem that underpins many data exposures — misconfigured internet-facing servers that are left online without a password for anyone to access.

Sen provided details of the database in an effort to get the data secured, and ZebethMedia passed the information to Amazon out of an abundance of caution. The database was inaccessible a short time later.

“There was a deployment error with a Prime Video analytics server. This problem has been resolved and no account information (including login or payment details) were exposed. This was not an AWS issue; AWS is secure by default and performed as designed,” said Amazon spokesperson Adam Montgomery.
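The exposure pattern described above (an Elasticsearch node reachable from the internet with no authentication) comes down to a few settings in the node’s elasticsearch.yml. The two fragments below are an added illustration written for this page, not Amazon’s configuration or anything from the article: the first shows the shape of a node that answers to anyone who knows its IP, the second a hardened baseline. The cluster name, the private IP and the certificate paths are placeholders.

```yaml
# Added illustration, not Amazon's configuration. Placeholder values throughout.

# --- Weak: the "anyone with a browser" node ---
# Binding to every interface makes the node reachable by IP from outside,
# and with security disabled (the effective state of an Elasticsearch 7.x
# node that never turned it on) every request is answered without credentials.
cluster.name: analytics            # placeholder
network.host: 0.0.0.0
xpack.security.enabled: false
---
# --- Hardened: listener restricted, authentication and TLS required ---
cluster.name: analytics            # placeholder
# Listen only on a private interface; never on a public address.
network.host: 10.0.0.5             # placeholder private IP
http.port: 9200
# Reject every request that carries no valid user or API key.
xpack.security.enabled: true
# Encrypt client traffic so credentials do not cross the wire in clear text.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12          # placeholder path
# Encrypt node-to-node transport as well.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12   # placeholder path
xpack.security.transport.ssl.truststore.path: certs/transport.p12 # placeholder path
```

The check an operator wants is simple: an unauthenticated request to the node’s HTTP port (by default 9200) should come back with HTTP 401, not the cluster banner or index listings. Pair that with perimeter rules that never expose port 9200 publicly, and with a periodic review of what external scanners such as Shodan already report for the organization’s own address ranges, since in this case the exposure was visible to such a scanner for weeks before it was reported.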

Versa raises $120M for its software-defined networking and security stack

Networking and cybersecurity firm Versa today announced that it raised $120 million in a mix of equity and debt led by BlackRock, with participation from Silicon Valley Bank. CEO Kelly Ahuja tells ZebethMedia that the proceeds, which bring Versa’s total capital raised to $316 million, will be put toward go-to-market efforts and scaling the company. He demurred when asked what percentage of the financing was equity versus debt.

Versa’s large round suggests that, despite the market downturn, VCs haven’t lost faith in cybersecurity vendors yet. According to data from PitchBook, venture capital investments have reached about $13.66 billion so far this year, up from $11.47 billion in 2020 (albeit down from $26.52 billion in 2021). It helps that these vendors have customers — or at least potential customers — in droves. A December 2021 survey by CSO found that 44% of security leaders at large companies expected their budgets to increase in the upcoming 12 months. And Gartner estimates spending on information security and risk management will total $172 billion in 2022, up from $155 billion in 2021 and $137 billion the year prior.

“The pandemic drove enterprises to accelerate their transition to cloud and saw their workforce become fully distributed. This has led to a dramatic increase in cybersecurity issues — leading businesses to look for new ways to protect and connect their users, networks, and applications,” Ahuja told ZebethMedia in an email interview. “We find ourselves in an extremely good place to have the right solution that meets the market needs.”

Apurva Mehta and Kumar Mehta, two brothers, co-founded Versa in 2012. They came from Juniper Networks, where Apurva Mehta was the CTO and chief architect of the mobility business unit and Kumar Mehta was the VP of engineering. Kelly Ahuja, a Cisco alum, was tapped as Versa’s CEO in 2016.

Versa provides a vast range of subscription-based software services — too many to list here — but positions itself primarily as a secure access service edge (SASE) provider. As described by Gartner in 2019, SASE combines software-based wide area networking and security principles like zero trust into a single service model. Through partnerships with service providers, Versa connects users to apps in the cloud or data centers with security layered on top — like data loss prevention tools and gateway firewalls. Concretely, the company offers a hardware-agnostic software stack that provides a single interface — via the cloud, on-premises or both — to implement corporate security and networking policies.

“Versa’s portfolio in SASE converges security and networking,” Ahuja said, noting that Versa has a “sizable” team working on machine learning and AI-based malware detection. “Versa has developed a differentiated platform that combines AI and machine learning-powered security services edge and software-defined WAN (SD-WAN) solutions that helps customers reduce cybersecurity risk.”

When asked about current clientele, Ahuja said that 625-employee Versa’s solutions have been deployed by “tens of thousands” of enterprises globally. He declined to reveal revenue figures, instead pointing to San Jose-based Versa’s annual contract value, which he says grew 60% over the “past few years.”

“Every industry and business are facing similar macro challenges — high inflation, risk of recession, and supply chain and geopolitical challenges,” Ahuja said. “[But] Versa provides a clear value proposition and ROI of reducing cybersecurity risk.”

In a June 2021 piece covering Versa’s last funding round, CRN’s Gina Narcisi pointed out that the SD-WAN and SASE space has seen a great deal of consolidation in recent years. Cisco Systems acquired Viptela and VMware bought SD-WAN vendor VeloCloud, and more recently, HPE’s Aruba snapped up Silver Peak while Palo Alto Networks absorbed CloudGenix.

Last year, Ahuja told Fierce Telecom’s Linda Hardesty that Versa wasn’t shopping itself. Plans haven’t changed, he says — Ahuja sees the latest financing as setting the firm on a path toward an initial public offering.

Persona expands beyond identity verification with new suite of services

Persona, a four-year-old identity startup, has done pretty well for itself with its original identity verification idea, an API that lets companies capture various documents like a driver’s license or passport to prove who you are online. It went so well that the company announced today it has expanded into a full-blown platform of identity-related services.

In addition to the core verification product, the company now includes a set of services on the platform that customers can mix and match as they wish. These include a risk assessment engine, an identity workflow tool, a graph database aimed at link analysis and fraud detection and a marketplace, an app store of sorts, for external developers to help connect their business tools to Persona’s identity tools.

Persona co-founder and CEO Rick Song says that the company has been developing these tools over time, but this is the first time it’s presenting them as a platform. “It’s been a work in progress for two plus years as we continually have built out each of these components piece by piece, but none of these have ever really been formally launched. They were kind of hidden behind the scenes,” he said. “We’d have a blog post talking about how you could utilize something, but never really consolidated it into a single platform. So the actual ‘platformization’ has really been a lot of work for us over this past year.”

He says that while most customers are primarily using the identity verification service at this point, he is starting to see some expansion into the other products. “These days, we’re actually finding more customers who are adopting the Persona platform for nothing related to verifications at all. Instead they are using our suite of tools to run a manual [identity] review or use our graph product, which allows you to import data into our system and find fraud rings and suspect behavior within your population, or our automation orchestration tool and now the marketplace, which enables you to pull in a lot of different data and automate decisions.”

The company founders used to work at Square, and they have fintech customers like Square and Robinhood, but Song points to companies like Doordash, Coursera and Sonder Health as examples of broader customer use cases. In fact, he says that was the plan all along. “One of the earlier strategic goals for us was actually how can we not just build a FinTech identity platform, but rather a universal identity platform that could really work for any use case out there in the world.”

Along the way, Persona has raised over $200 million, including a $150 million investment last year at a healthy $1.5 billion valuation. Perhaps investors were willing to put so much capital into the company because it had this broader vision beyond identity verification.

New York Post says its site was hacked after posting offensive tweets

New York Post, one of the biggest New York City daily newspapers, said it was hacked on Thursday after several offensive articles and tweets were published to the newspaper’s website and Twitter account. The articles and tweets, which were racist and sexually violent in nature, were pulled a short time later. ZebethMedia is not publishing the contents of the tweets, several of which called for the assassination of politicians and public figures.

The New York Post has been hacked. We are currently investigating the cause. — New York Post (@nypost) October 27, 2022

It’s believed the New York Post’s content management system, used for publishing stories and articles, may have been breached. The offensive tweets were sent via SocialFlow, a popular website plugin used to push stories to social media sites. The tweets also contained links that pointed to web pages on the Post’s website, but which were no longer accessible at the time of writing.

A spokesperson for News Corp, which owns the New York Post, did not immediately respond to a request for comment.

The breach comes weeks after Fast Company’s content management system was breached to push offensive Apple News notifications to readers. Fast Company pulled its site down for more than a week to rebuild its systems following the compromise.

SGNL.ai secures $12M to expand its enterprise authorization platform

SGNL.ai, a company developing enterprise authorization software, today announced that it raised $12 million in seed funding led by Costanoa Ventures with participation from Fika Ventures, Moonshots Capital and Resolute Ventures. CEO Scott Kriz said the proceeds will be used to develop the company’s core products and hire the initial team, as well as work with design partners to refine SGNL’s solution.

In an interview with ZebethMedia, Kriz asserted that authorization is increasingly becoming a concern for management at every level. He’s not wrong. According to Gartner, organizations running cloud infrastructure services will suffer a minimum of 2,300 violations of least privilege policies — i.e. when a user is given privileges above what they need to do their job — per account each year by 2024. Meanwhile, the average global cost of a data breach reached a record $4.24 million in 2021, IBM recently reported, increasing by 10% from 2019 as more people transitioned to remote work.

Kriz and SGNL’s second co-founder, Erik Gustavson, spent roughly a decade developing identity solutions at Bitium, which they co-launched in 2011, before conceiving of SGNL. After Google acquired Bitium in 2017, Gustavson joined the tech giant as an engineering manager working on “next-generation” identity access management for G Suite (now Google Workspace). Kriz also spent several years at Google on the product, identity and authorization team.

“From our vantage point working in multiple, identity-focused areas at Google, it was clear to Gustavson and I that few companies had been able to effectively solve enterprise authorization at scale,” Kriz said. “Seeing a critical need to help companies keep user and customer data safe, we founded SGNL in 2021 to address the challenge. We quickly attracted a core team of identity industry experts who are passionate about pushing the boundaries of what is possible in enterprise authorization.”

SGNL aims to provide “just-in-time” access to enterprise data to a company’s employees based on business context, such as business needs or justifications. Rather than relying on relatively static roles or attributes, the startup’s platform only grants access to software resources and data when a user needs them.

A glance at SGNL.ai’s dashboard, which lets admins review authorizations across teams, divisions and individual employees. Image Credits: SGNL

Beyond this, SGNL attempts to unify existing systems-of-record such as corporate directories, HR directories, customer relationship management platforms and ticketing systems, building a graph of workforce and customer data that can be used to determine dynamic access rights. Access can be audited in real time, ostensibly making it easier for managers to produce compliance reports and analyze historical authorizations.

“The pandemic and broader shift in working patterns — hybrid, remote work, extended workforces, etc. — makes the problem of authorization and access management more urgent for the enterprise. The modern workforce is no longer operating from inside a corporate firewall using only on-premise applications,” Kriz added. “This creates ideal conditions for bad actors to exploit overly broad ambient access rights to attack the enterprise … SGNL’s platform helps contain the blast radius by reducing ambient access and determining access to sensitive data on a just-in-time basis.”

Kriz declined to reveal the size of SGNL’s customer base or the company’s current revenue. But he noted identity management has attracted much investment over the past few years as new hurdles emerge across the enterprise security landscape. According to Crunchbase, $3.2 billion in venture dollars went into the identity management space in 2021, about 2.5 times the amount of investment from 2020’s $1.3 billion, which was already a record.

SGNL’s challenge will be attracting customers away from rival vendors like Opal, whose software automatically discovers databases, servers, internal tools and apps to delegate access requests to employees. ConductorOne, another identity and access management automation platform, recently nabbed a $15 million investment. Identity and access management software provider ForgeRock filed for an IPO last September after raising over $700 million in VC cash.

Kriz says he’s confident, though, that the current slowdown in tech will be a tailwind for SGNL as companies face pressure to purchase solutions instead of building them in-house. To his point, there’s some evidence to suggest IT teams are overwhelmed with tasks related to managing identity and access. For example, in a 2020 poll conducted by 1Password, responding IT personnel said that they burn a full month of work — 21 days — resetting passwords and tracking app usage.

“The number and cost of data breaches is only increasing … SGNL is positioned well with the shift in most enterprise organizations to increase security, ensure compliance and reduce expenses,” Kriz said.

Palo Alto-based SGNL, which currently has 28 employees, expects to hire seven more people by the end of the year.

Inside TheTruthSpy, the stalkerware network spying on thousands

A massive cache of leaked data reveals the inner workings of a stalkerware operation that is spying on hundreds of thousands of people around the world, including Americans. The leaked data includes call logs, text messages, granular location data and other personal device data of unsuspecting victims whose Android phones and tablets were compromised by a fleet of near-identical stalkerware apps, including TheTruthSpy, Copy9, MxSpy and others. These Android apps are planted by someone with physical access to a person’s device and are designed to stay hidden on their home screens but will continuously and silently upload the phone’s contents without the owner’s knowledge.

You can check to see if your Android phone or tablet was compromised here.

Months after we published our investigation uncovering the stalkerware operation, a source provided ZebethMedia with tens of gigabytes of data dumped from the stalkerware’s servers. The cache contains the stalkerware operation’s core database, which includes detailed records on every Android device that was compromised by any of the stalkerware apps in TheTruthSpy’s network since early 2019 (though some records date earlier) and what device data was stolen.

Given that victims had no idea that their device data was stolen, ZebethMedia extracted every unique device identifier from the leaked database and built a lookup tool to allow anyone to check if their device was compromised by any of the stalkerware apps up to April 2022, which is when the data was dumped.

ZebethMedia has since analyzed the rest of the database. Using mapping software for geospatial analysis, we plotted hundreds of thousands of location data points from the database to understand its scale. Our analysis shows TheTruthSpy’s network is enormous, with victims on every continent and in almost every country. But stalkerware like TheTruthSpy operates in a legal gray area that makes it difficult for authorities around the world to combat, despite the growing threat it poses to victims.

First, a word about the data. The database is about 34 gigabytes in size and consists of metadata, such as times and dates, as well as text-based content, like call logs, text messages and location data — even names of Wi-Fi networks that a device connected to and what was copied and pasted from the phone’s clipboard, including passwords and two-factor authentication codes. The database did not contain media, images, videos or call recordings taken from victims’ devices, but instead logged information about each file, such as when a photo or video was taken, and when calls were recorded and for how long, allowing us to determine how much content was exfiltrated from victims’ devices and when.

Each compromised device uploaded a varying amount of data depending on how long it was compromised and on available network coverage. ZebethMedia examined the data spanning March 4 to April 14, 2022, or six weeks of the most recent data stored in the database at the time it was leaked. It’s possible that TheTruthSpy’s servers only retain some data, such as call logs and location data, for a few weeks, but other content, like photos and text messages, for longer.

This is what we found.

This map shows six weeks of cumulative location data plotted on a map of North America. The location data is extremely granular and shows victims in major cities, urban hubs and traveling on major transport lines. Image Credits: ZebethMedia

The database has about 360,000 unique device identifiers, including IMEI numbers for phones and advertising IDs for tablets. This number represents how many devices were compromised by the operation to date and about how many people are affected. The database also contains the email addresses of every person who signed up to use one of the many TheTruthSpy and clone stalkerware apps with the intention of planting them on a victim’s device, or about 337,000 users. That’s because some devices may have been compromised more than once (or by another app in the stalkerware network), and some users have more than one compromised device.

About 9,400 new devices were compromised during the six-week span, our analysis shows, amounting to hundreds of new devices each day. The database stored 608,966 location data points during that same six-week period. We plotted the data and created a time lapse to show the cumulative spread of known compromised devices around the world. We did this to understand how wide-scale TheTruthSpy’s operation is. The animation is zoomed out to the world level to protect individuals’ privacy, but the data is extremely granular and shows victims at transportation hubs, places of worship and other sensitive locations.

By breakdown, the United States ranked first with the most location data points (278,861) of any country during the six-week span. India had the second most location data points (77,425), Indonesia third (42,701), Argentina fourth (19,015) and the United Kingdom (12,801) fifth. Canada, Nepal, Israel, Ghana and Tanzania were also included in the top 10 countries by volume of location data.

This map shows the total number of locations ranked by country. The U.S. had the most location data points at 278,861 over the six-week span, followed by India, Indonesia, and Argentina, which makes sense given their huge geographic areas and populations. Image Credits: ZebethMedia

The database contained a total of 1.2 million text messages, including the recipient’s contact name, and 4.42 million call logs during the six-week span, including detailed records of who called whom, for how long, and their contact’s name and phone number. ZebethMedia has seen evidence that data was likely collected from the phones of children.

These stalkerware apps also recorded the contents of thousands of calls during the six weeks, the data shows. The database contains 179,055 entries of call recording files that are stored on another TheTruthSpy server. Our analysis correlated records with the dates and times of call recordings with location data stored elsewhere in the database to determine where the calls were recorded. We focused on U.S. states that have stricter phone call recording laws, which require that more than

US charges Ukrainian national over alleged role in Raccoon Infostealer malware operation

U.S. officials have charged a Ukrainian national over his alleged role in the Raccoon Infostealer malware-as-a-service operation that infected millions of computers worldwide. Mark Sokolovsky — also known online as “raccoonstealer,” according to an indictment unsealed on Tuesday — is currently being held in the Netherlands while waiting to be extradited to the United States.

The U.S. Department of Justice accused Sokolovsky of being one of the “key administrators” of the Raccoon Infostealer, a form of Windows malware that steals passwords, credit card numbers, saved username and password combinations, and granular location data. Raccoon Infostealer was leased to individuals for approximately $200 per month, the DOJ said, which was paid to the malware’s operators in cryptocurrency, typically Bitcoin. These individuals employed various tactics, such as COVID-19-themed phishing emails and malicious web pages, to install the malware onto the computers of unsuspecting victims. The malware then stole personal data from their computers, including login credentials, bank account details, cryptocurrency addresses, and other personal information, which were used to commit financial crimes or sold to others on cybercrime forums.

An example of one of the phishing emails sent by the crime group. Image Credits: U.S. Justice Department.

According to U.S. officials, the malware stole more than 50 million unique credentials and forms of identification from victims around the world since February 2019. These victims include a financial technology company based in Texas and an individual who had access to U.S. Army information systems, according to the unsealed indictment. Cybersecurity firm Group-IB said the malware may have been used to steal employee credentials during the recent Uber breach. But the DOJ said it “does not believe it is in possession of all the data stolen by Raccoon Infostealer and continues to investigate.”

The Justice Department said it worked with European law enforcement to dismantle the IT infrastructure powering Raccoon Infostealer in March 2022, when Dutch authorities arrested Sokolovsky. According to one report, the malware operation claimed it was suspending its operations after one of its lead developers was allegedly killed during Russia’s invasion of Ukraine. A new version of Raccoon Infostealer was reportedly launched in June this year.

The FBI also announced on Tuesday that it has created a website that allows anyone to check if their data is contained in the U.S. government’s archive of information stolen by Raccoon Infostealer.

“This case highlights the importance of the international cooperation that the Department of Justice and our partners use to dismantle modern cyber threats,” said Deputy Attorney General Lisa O. Monaco. “As reflected in the number of potential victims and global breadth of this attack, cyber threats do not respect borders, which makes international cooperation all the more critical. I urge anyone who thinks they could be a victim to follow the FBI’s guidance on how to report your potential exposure.”

Sokolovsky is charged with computer fraud, wire fraud, money laundering, and identity theft and faces up to 20 years in prison if found guilty. The DOJ said Sokolovsky is appealing a September 2022 decision by the Amsterdam District Court granting his extradition to the United States.

Hive ransomware gang leaks data stolen during Tata Power cyberattack

The Hive ransomware group has claimed responsibility for the recent cyberattack on Tata Power, a leading Indian energy company, and has started leaking stolen employee data.

Tata Power, which serves more than 12 million customers through its distributors, confirmed on October 14 that it had been hit by a cyberattack that impacted some of its IT systems. “The company has taken steps to retrieve and restore the systems. All critical operational systems are functioning,” Tata Power said at the time, but did not confirm any specific details about the attack or its impact.

Hive, the ransomware gang that recently hit the Costa Rican government, this week listed Tata Power on its dark web leak site, which it uses to publicize attacks and stolen data. The group claims it encrypted the company’s data on October 3, suggesting Tata Power may have known about the breach two weeks prior to its initial filing, according to the listing, which ZebethMedia has seen.

The listing of stolen data suggests any negotiations to pay a ransom failed. This data, reviewed by ZebethMedia, includes sensitive employee information, such as Aadhaar national identity card numbers, tax account numbers, salary information, home addresses and phone numbers. The leaked data, which was posted to Hive’s dark web leak site on October 24, also includes engineering drawings, financial and banking records, client records and some private keys.

“The leak has sensitive data but nothing that affects power grids,” Rahul Sasi, co-founder and CEO of threat intelligence firm CloudSEK, who also reviewed the leaked data, told ZebethMedia. Sasi said that the group’s motivation appears to be purely financial. ZebethMedia contacted Tata Power but had not received a response at the time of publication.

The Hive ransomware gang has been active since mid-2021. The gang and its affiliates started targeting organizations that experienced high downtime costs, such as healthcare providers, energy providers and retailers. The group is known for its aggressive tactics and has been observed using methods such as “triple extortion,” whereby the attackers seek money not only from the organization that was first targeted but also from anyone who might be impacted by the disclosure of that organization’s data.

The attack on Tata Power is the latest in a series of attacks carried out by Hive. Last month, the group claimed an attack on the New York Racing Association just a few days after leaking data stolen from Bell Canada-owned subsidiary Bell Technical Solutions.
