In a significant move aimed at aiding victims of cyberattacks, the U.S. Federal Bureau of Investigation (FBI) has announced the distribution of more than 7,000 FBI decryption keys associated with the notorious LockBit ransomware decryption. This initiative comes as part of ongoing efforts to mitigate the devastating impact of ransomware attacks on businesses worldwide.   […]

The post 7000 LockBit Ransomware Decryption Keys Distributed By FBI appeared first on TuxCare.

The post 7000 LockBit Ransomware Decryption Keys Distributed By FBI appeared first on Security Boulevard.

Keytronic confirms that personal information was compromised after a ransomware group leaked allegedly stolen data.

The post Keytronic Says Personal Information Stolen in Ransomware Attack appeared first on SecurityWeek.

The content you are trying to access is private only to member users of the site. You must have a free membership at CISO2CISO.COM to access this content. You can register for free.       Thank you. The CISO2CISO Advisors Team.

La entrada How are Passwords Cracked ? by Hacker Combat. se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Read 11 remaining paragraphs | Comments

Ascension says patient information was stolen in an early-May ransomware attack that involved an employee downloading malware.

The post Ascension Says Personal, Health Information Stolen in Ransomware Attack appeared first on SecurityWeek.

The MGM Resorts breach is just one example demonstrating the crippling financial, legal and operational consequences of ransomware incidents.

The post A Deep Dive Into the Economics and Tactics of Modern Ransomware Threat Actors appeared first on Security Boulevard.

The financially motivated UNC3944 threat group has shifted focus to data theft extortion from software-as-a-service applications but without the use of ransomware variants, which it is historically known for. UNC3944, also known as 0ktapus, Octo Tempest, Scatter Swine and Scattered Spider, is a financially motivated threat group that has demonstrated significant adaptability in its tactics since its inception in May 2022. According to Google-owned cybersecurity company Mandiant, the threat group has now evolved its strategies to include data theft from SaaS applications. It leverages cloud synchronization tools for data exfiltration, persistence mechanisms against virtualization platforms and lateral movement via SaaS permissions abuse, Mandiant said.

Data Theft Extortion Without Ransomware

UNC3944 initially focused on credential harvesting and SIM swapping attacks but over the years has transitioned to ransomware. Mandiant has now found evidence that shows the threat group has taken a further leap and now shifted primarily to data theft extortion without any ransomware deployment. UNC3944’s latest attack lifecycle often begins with social engineering techniques aimed at corporate help desks. Mandiant said the threat group gained initial access exploiting privileged accounts in multiple instances. The UNC3944 group used personally identifiable information (PII) such as Social Security numbers, birth dates and employment details likely scraped from social media profiles of the victims to bypass identity verification processes of help desks. They often claimed the need for a multi-factor authentication (MFA) reset due to receiving a new phone, enabling them to reset passwords and bypass MFA protections on privileged accounts.

“Evidence also suggests UNC3944 has occasionally resorted to fear mongering tactics to gain access to victim credentials. These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material.” - Mandiant

Phase I of UNC3944’s Attack Lifecycle

The first phase of the threat group’s attack lifecycle includes:

• Social Engineering: UNC3944 conducted sophisticated social engineering attacks, leveraging extensive research on victims to gain help desk access.
• Credential Harvesting: Used SMS phishing campaigns to harvest credentials.
• Internal Reconnaissance: After gaining access, conducted reconnaissance on Microsoft applications like SharePoint to gather internal documentation on VPNs, VDI and remote work utilities.
• Privilege Escalation: Abused Okta permissions to self-assign roles and gain broader access to SaaS applications.

[caption id="attachment_77144" align="aligncenter" width="1024"] UNC3944 attack lifecycle (Source: Mandiant)[/caption]

Phase II of the Attack Lifecycle

In the second phase of UNC3944’s attack lifecycle, the threat group employed aggressive persistence methods through the creation of new virtual machines in environments like vSphere and Azure. They use administrative privileges to create these machines and configure them to disable security policies, such as Microsoft Defender, to avoid detection. A lack of endpoint monitoring allowed the group to download tools like Mimikatz, ADRecon, and various covert tunneling utilities like NGROK, RSOCX and Localtonet to maintain access to the compromised device without needing VPN or MFA. UNC3944 has previously deployed Alphv ransomware on virtual machine file systems but Mandiant said since the turn of 2024, it has not observed ransomware deployment by this threat group.

Focus Shifts to SaaS Applications

The novel shift in UNC3944’s targeting is its exploitation of SaaS applications to gain further access and conduct reconnaissance.

“Mandiant observed access to such applications as vCenter, CyberArk, SalesForce, Azure, CrowdStrike, AWS, and GCP.”

Once the threat group gained access to any of the SaaS applications, they then used endpoint detection and response tooling to test access to the environment and further used tools like Airbyte and Fivetran to exfiltrate data to attacker-owned cloud storage.

Advanced Techniques of Phase II

Some of the advanced techniques demonstrated by UNC3944 in phase two of the attack lifecycle includes: ADFS Targeting: Exporting Active Directory Federated Services certificates to perform Golden SAML attacks for persistent cloud access. Data Exfiltration: Using cloud synchronization utilities to move data from SaaS platforms to external cloud storage. Endpoint Detection and Response (EDR): Creation of API keys in CrowdStrike’s console for executing commands and further testing access. Anti-Forensic Measures: UNC3944 employed anti-forensic techniques to obscure their activities. They use publicly available utilities to reconfigure virtual machines, disable logging, and remove endpoint protections. The attackers also used ISO files like PCUnlocker to reset local administrator passwords and bypass domain controls.

Abuse of M365 Delve Feature

Mandiant observed advanced M365 features like Microsoft Office Delve being used for data reconnaissance by UNC3944 for uncovering accessible data sources. Delve offers quick access to files based on group membership or direct sharing and shows personalized content recommendations from M365 sources and mapping organizational relationships. While this feature is useful for collaboration, UNC3944 exploited Delve for rapid reconnaissance, identifying active projects and sensitive information by recent modification. These resources typically lack sufficient security monitoring and logging. Traditional security controls, like firewalls and network flow sensors, are ineffective for detecting large data transfers from SaaS platforms. Identifying data theft with traditional logs is challenging, and real-time detection remains difficult with historical log analysis. The storage of sensitive data in SaaS applications poses significant risks that is often overlooked due to the perceived security of SaaS models. UNC3944 exploited these weaknesses and took advantage of inadequate logging and monitoring to perform data theft undetected.

Recommended Mitigation Steps

Mandiant researchers recommended a number of controls to protect against the threat group's tactics:

• Implement host-based certificates and MFA for VPN access to ensure secure connections.
• Have stricter conditional access policies and limit visibility and access within cloud tenants.
• Have enhanced monitoring through centralized logs from SaaS applications and virtual machine infrastructures to detect suspicious activities.
• Ensure comprehensive logging for SaaS applications to detect signs of malicious intent.

The Toronto District School Board is investigating a recent ransomware attack that affected its testing environment. The Toronto board is Canada's largest school board, serving approximately 238,000 students across 600 schools in the city of Toronto. The board stated that it had taken immediate action and launched an investigation upon becoming aware of possible intrusion.

Toronto District School Board's Investigation Underway

The school board stated that the incident had affected its testing environment, which had been used to evaluate new technology and programs before being deployed on systems. The board's cybersecurity team had taken immediate action upon discovering the incident, securing systems and preserving data. The Toronto District School Board had notified details of the incident to the Toronto police and the Information and Privacy Commissioner of Ontario. [caption id="attachment_77136" align="alignnone" width="2800"] Source: www.tdsb.on.ca[/caption] In its letter of notification sent to parents and guardians, the Toronto District School Board stated that it had launched an investigation with the aid of third-party experts to fully assess the nature and scope of the incident. This includes potential compromise of its networks or breach of sensitive personal information. [caption id="attachment_77137" align="alignnone" width="1770"] Source: www.tdsb.on.ca[/caption] The letter added, "If it is determined that any personal information has been impacted, we will provide notice to all affected individuals. We understand that news of a cyber incident is concerning, but please know that we are doing everything possible to learn more about what occurred and address this situation.

Impact Unknown; More Details Expected Soon

Despite the attack, the district school board's systems remained fully operational and functional. While only the school's testing environment had been affected, Humber College cybersecurity expert Francis Syms remained concerned over the incident, as personal information is sometimes used on test environments. He added that test environments are usually not secured by multifactor authentication, potentially making data easier to access. However, he admitted that he was not aware of the testing system being used, as he was not part of the investigation team. The Toronto District School Board did not clarify whether the testing environment or its data contained any personal information. Ryan Bird, a spokesperson from the school district board, disclosed to CityNews Toronto that the full extent of the breach was unknown, or if any personal data had been compromised in the attack, but further details would be revealed by the end of the day. The Cyber Express team has reached out to the Toronto District School Board for further details and investigation results, but no responses have been received as of yet. Toronto's cybersecurity defenders have observed an uptick in cyberattacks in recent years, from both financially-motivated hackers and 'hacktivists' disrupting public systems. Some attacks occur during sensitive times such as elections, global conflicts, or visits by foreign leaders. However, ransomware attacks remain the most common form of attacks. City officials have been working with several agencies to rebuild trust in the safety of public systems and services. Charles Finlay, Toronto resident and executive director at Rogers Cybersecure Catalyst, had earlier stated to the Toronto Star, “I think the city has to be more forthcoming about what it is doing to ensure that those services are secure from cyber-attacks.” The City had witnessed several attacks on its public institutions such a Cl0p ransomware intrusion into the  City of Toronto's computer systems as well as an attack last year on the Toronto Public Library's computer systems. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Additional contributors to this report: Grayson North, Jason Baker May 2024 closed with an increase in overall victim volume, though […]

The post GRIT Ransomware Report: May 2024 appeared first on Security Boulevard.

Source: www.databreachtoday.com – Author: 1 Fraud Management & Cybercrime , Healthcare , Industry Specific Researchers Rahi Abouk and David Powell on Study Findings, Need for Better Planning Marianne Kolbasuk McGee (HealthInfoSec) • June 12, 2024     13 Minutes    Researchers Rahi Abouk, William Paterson University, and David Powell, RAND A study investigating the impact […]

La entrada Ransomware: Disruption of Hospitals and Nearby Facilities – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

If your organization hasn’t taken these steps to prevent a ransomware attack, it’s time to act now to protect your company, its data, employees and most importantly, customers.

The post 5 Ways to Thwart Ransomware With an Identity-First Zero Trust Model appeared first on Security Boulevard.

The notorious Monti ransomware has been sold to new owners. According to the actor's latest update, "This project was bought. It was bought because it suited our goals perfectly and did not have a bad reputation." The change in ownership and a shift in focus towards Western countries highlights a new approach towards ransomware. According to recent statements, the project has been acquired, with new owners expressing their intentions to revamp its infrastructure for future endeavors. In a cryptic post on their platform, the group hinted at upcoming developments, rallying for a collaborative effort to "build the future of the USA and Europe together."

Monti Ransomware Group and Change in Ownership

[caption id="attachment_76870" align="alignnone" width="938"] Source: Dark Web[/caption] This announcement follows a string of cyberattacks perpetrated by the Monti ransomware gang. Notably, a recent incident in the South of France targeted three prominent institutions simultaneously: the Pau-Pyrénées airport, the Pau business school, and the city's digital campus. These attacks, occurring overnight from May 12 to May 13, 2024, disrupted operations and raised concerns regarding cybersecurity vulnerabilities in critical sectors. While the affected institutions scrambled to mitigate the fallout, journalists uncovered insights from the Chamber of Commerce and Industry (CCI) shedding light on the situation. Despite assurances of minimal disruption to activities, the compromised digital infrastructure left a trail of compromised data, including sensitive documents and personal information of employees and students. The modus operandi of the Monti ransomware group draws parallels to its predecessors, notably the Conti ransomware, which ceased operations in May 2022. The emergence of Monti, with its similar tactics and techniques, suggests a strategic emulation aimed at exploiting the void left by Conti's absence.

A Deeper Dive into Monti Ransomware Group

A deeper dive into the Monti ransomware incident reveals a sophisticated operation orchestrated through the exploitation of vulnerabilities like the notorious Log4Shell. The attackers infiltrated networks, encrypted user desktops, and disrupted critical server clusters, leaving organizations grappling with the aftermath. Despite its relative obscurity, the Monti ransomware group has garnered attention within the cybersecurity community. Analysts speculate that the group's emulation of Conti's strategies may stem from the leaked trove of Conti's internal data, providing a blueprint for nefarious activities. As cybersecurity threats evolve, it becomes imperative for organizations to fortify their defenses and stay vigilant against threat actors like the Monti ransomware. Collaborative efforts between cybersecurity experts and stakeholders are essential to mitigate risks and safeguard critical infrastructures from malicious actors. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Black Basta ransomware gang may have exploited a Windows privilege escalation vulnerability as a zero-day before it was patched, new evidence suggests. Symantec researchers have revealed details that the Black Basta ransomware group linked to the Cardinal cybercriminal syndicate (also known as Storm-1811 or UNC4393) may have exploited a flaw in the Windows error reporting service as a zero-day prior to its March Patch Tuesday fix. Tracked as CVE-2024-26169, the vulnerability in question exists in the Windows Error Reporting Service. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said at the time of patching. The Redmond-based tech giant at the time reported no evidence of the bug being exploited in the wild. However, analysis of an exploit tool used in recent attacks indicated that it may have been compiled months before the official patch was released, indicating potential zero-day exploitation.

Black Basta’s Privilege Escalation Bug Exploitation

The Symantec team first uncovered the possible zero-day exploitation while investigating a recent ransomware attack attempt in which an exploit tool for CVE-2024-26169 was used. “Although the attackers did not succeed in deploying a ransomware payload in this attack, the tactics, techniques, and procedures (TTPs) used were highly similar to those described in a recent Microsoft report detailing Black Basta activity,” Symantec said. These TTPs included the use of batch scripts disguised as software updates, the researchers added.

Black Basta Exploit Tool Analysis

The exploit tool leverages a flaw where the Windows file “werkernel.sys” uses a null security descriptor for creating registry keys. The tool exploits this by creating a “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe” registry key, setting its “Debugger” value to its own executable pathname. This allows the attacker to start a shell with administrative privileges, Symantec explained. Two variants of the tool analyzed:

• Variant 1 (SHA256: 4aae231fb5357c0647483181aeae47956ac66e42b6b134f5b90da76d8ec0ac63): Compiled on February 27, before the vulnerability was patched.
• Variant 2 (SHA256: b73a7e25d224778172e394426c98b86215087d815296c71a3f76f738c720c1b0): Compiled on December 18, 2023, nearly three months before an official fix was released.

While time stamp values in executables can be modified, in this case the attackers likely had little motivation to alter them, suggesting genuine pre-patch compilation.

Indicators of Compromise

Symantec shared the following IoCs: 4aae231fb5357c0647483181aeae47956ac66e42b6b134f5b90da76d8ec0ac63 – Exploit tool b73a7e25d224778172e394426c98b86215087d815296c71a3f76f738c720c1b0 – Exploit tool a31e075bd5a2652917f91714fea4d272816c028d7734b36c84899cd583181b3d – Batch script 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d – Batch script 2408be22f6184cdccec7a34e2e79711ff4957e42f1ed7b7ad63f914d37dba625 – Batch script b0903921e666ca3ffd45100a38c11d7e5c53ab38646715eafc6d1851ad41b92e – ScreenConnect

About Black Basta Ransomware

The latest attempts of exploiting a Windows privilege escalation bug comes a month after Microsoft revealed details of Black Basta ransomware operators abusing its Quick Assist application that enables a user to share their Windows or macOS device with another person over a remote connection. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI in a May advisory said Black Basta's affiliates have targeted over 500 private industry and critical infrastructure entities, including healthcare organizations, in North America, Europe, and Australia since its launch in April 2022. An analysis from blockchain analytics firm Elliptic indicates that Black Basta has accumulated at least $107 million in ransom payments since early 2022, targeting more than 90 victims. The largest ransom payment received was $9 million, and at least 18 of the ransoms exceeded $1 million each. The average ransom payment was $1.2 million.

Ukraine National Police have arrested a man they say helped disguise ransomware used by Russia-based threat groups. The 28-year-old cryptor developer was unnamed in Ukraine and Netherlands announcements of the arrest, but the Dutch statement said he was arrested on April 18, 2024 in a lead-up to May’s massive “Operation Endgame” botnet takedown.

Cryptor Developer Worked with Conti, LockBit

Ukraine cyber ​​police and National Police investigators say they established that the man was involved in the LockBit and Conti ransomware groups. The Kyiv man infected a company in the Netherlands with Conti ransomware in 2021, demanded a ransom and threatened to release confidential company information if payment wasn’t made, according to the Dutch announcement, which cited work by the Netherlands’ High Tech Crime Team of the National Operations and Interventions Unit and the National Public Prosecution Service. They requested Ukraine’s assistance in the case as part of their investigation. As part of the arrest, Ukrainian police conducted house searches in the city of Kyiv and the Kharkiv region on April 18 and seized computer equipment, mobile phones and documents for further investigation (pictured below). [caption id="attachment_76895" align="alignnone" width="300"] Items seized in Ukraine ransomware arrest[/caption] The Ukraine cyber police said the man “specialized in the development of cryptors,” or “special software for masking computer viruses under the guise of safe files” (quotes translated from the Ukraine statement). “Thanks to his programming skills, the person involved was able to hide malicious software from the most popular antiviruses,” the Ukraine statement added.

LockBit Remains Active Despite Repeated Enforcement Activities

The Conti ransomware group reportedly dissolved in 2022 after a Ukrainian researcher leaked the group's source code in retaliation for the group's support of Russia's invasion of Ukraine, but LockBit has remained persistent. Despite the Ukraine arrest and law enforcement successes like Operation Endgame, Operation Cronos, and the unmasking of formerly anonymous LockBit leader Dmitry Khoroshev, LockBit has shown an ability to continually regroup and reestablish threat activities, recently launching high-profile ransomware attacks such as one that the city of Wichita is finally recovering from. Ukraine officials said the investigation is ongoing. The suspect is being charged under part 5 of Article 361, Unauthorized interference in the work of information (automated), electronic communication, information and communication systems, electronic communication networks, of the Criminal Code of Ukraine. The article provides for publishment of up to 15 years of imprisonment, and additional charges are possible. Netherlands officials thanked the Ukrainian investigators for their assistance and said they “are very pleased with the arrest in Ukraine and are grateful for the space that the Ukrainian police have found for this in times of war.”

The Black Basta ransomware gang may have exploited the Windows privilege escalation flaw CVE-2024-26169 before it was patched.

The post Ransomware Group May Have Exploited Windows Vulnerability as Zero-Day appeared first on SecurityWeek.

A long-running ransomware campaign that has been targeting Windows and Linux systems since 2019 is the latest example of how closely threat groups track public disclosures of vulnerabilities and proofs-of-concept (PoCs) and how quickly they move in to exploit them. The PHP Group last week disclosed a high-severity flaw – tracked as CVE-2024-4577 and with..

The post Ransomware Group Jumps on PHP Vulnerability appeared first on Security Boulevard.

Source: www.databreachtoday.com – Author: 1 Fraud Management & Cybercrime , Governance & Risk Management , Patch Management Flaw Allows Unauthenticated Attackers to Execute Arbitrary Code Prajeet Nair (@prajeetspeaks) • June 11, 2024     The TellYouThePass ransomware pass was quick to exploit a critical flaw in PHP. (Image: Shutterstock) A ransomware operation with a history […]

La entrada Ransomware Gang TellYouThePass Exploits PHP Vulnerability – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

The TellYouThePass ransomware gang started exploiting a recent code execution flaw in PHP days after public disclosure.

The post Ransomware Group Exploits PHP Vulnerability Days After Disclosure appeared first on SecurityWeek.

The City of Cleveland, Ohio, has been hit by a cyberattack that has closed City Hall and other offices, but the city says essential services remain operational. The city hasn’t revealed the nature of the incident, but the Cleveland cyberattack is one of the highest-profile ones to date affecting a major U.S. municipality. In a recent update on X, the city said it is “still investigating the nature and scope of the incident. The City is collaborating with several key partners who provide expert knowledge and deep experience in this work.”

Cleveland Essential Services Functioning

City Hall and offices at Erieview Plaza are closed to the public and non-essential employees, but the city sought to reassure residents that key services and data remain safe. Emergency services, such as 911, Police, Fire, and EMS are operational, along with other essential services such as water, pollution control, power services, ports and airports. The update said that “certain City data is confirmed to be unaffected, including: - Taxpayer information held by the CCA. - Customer information held by Public Utilities.” That still leaves other data sources that could be affected, however, such as city employees’ personal data. In its initial announcement on X, the city said, “We have shut down affected systems to secure and restore services. Emergency services and utilities are not affected. Updates will be provided as available.” The city hasn’t said whether the incident is ransomware or another cyber attack type, but that will presumably be revealed in later updates. Cleveland itself is home to 362,000 residents, while the surrounding metropolitan area has a population of more than 2 million.

Cleveland Cyberattack Follows Wichita Ransomware; Healthcare Network Hit

Cleveland isn’t the biggest U.S. city to be hobbled by a cyber attack, as at least a few bigger cities have been hit by cyber incidents. The 394,000-resident city of Wichita, Kansas was hit by a ransomware attack last month in an attack linked to the LockBit ransomware group, but Baltimore was perhaps the biggest U.S. city hit by a cyberattack in a crippling 2019 incident that closely followed an Atlanta cyberattack. All of that pales in comparison to the U.S. government, which got hit by more than 32,000 cybersecurity incidents in fiscal 2023, up 10% from fiscal 2022, according to a new White House report on federal cybersecurity readiness. Threat actors seemingly have no end of targets, as a healthcare network in Texas, Arkansas and Florida is also reporting recent cyber troubles that the BlackSuit ransomware group is claiming responsibility for. The Special Health Resources network posted a notice on its website (copied below) that states, “We are currently experiencing a network incident that has caused a temporary disruption to our phones and computer systems. During this time, we are STILL OPEN and ready to serve our patients and community!” [caption id="attachment_76662" align="alignnone" width="750"] Special Health Resources website notice[/caption] If Special Health’s troubles are linked to a cyberattack, they seem to have fared better than the damage sustained by NHS London recently, as cyber attackers seemingly have abandoned long-standing pledges to avoid attacking healthcare systems.

Read 22 remaining paragraphs | Comments

The NoName ransomware group has claimed responsibility for yet another cyberattack targeting government websites in Germany. The proclamation of the attack comes just 11 days after the group is said to have targeted German entities such as Energie Baden-Württemberg AG, Leistritz AG, and Aareal Bank AG. In this latest attack, the group allegedly targeted the Federal Office for Logistics and Mobility and the Federal Ministry of the Interior and Community. NoName allegedly carried out a DDos (Distributed Denial-of-Service) attack, preventing other users from accessing the websites. In the message posted on a dark web forum on Tuesday, NoName claimed that the attack on German websites was to condemn the visit of Ukrainian President Volodymyr Zelenskiy to the country to participate in a conference on Ukraine’s post-war recovery. “Ukrainian President Volodymyr Zelenskyy arrived in Germany late in the evening on Monday, June 10, to take part in an international conference on Ukraine's reconstruction. In his message in Telegram, Zelenskyy said that during his visit he had meetings with German Federal President Frank-Walter Steinmeier, Chancellor Olaf Scholz and Bundestag chairwoman Berbel Bas,” NoName said. “We decided to visit the conference too, and crush some websites,” it added. Despite the hack, NoName has not provided elaborate evidence or context of the cyberattack nor has it provided any details of how the German websites would be affected. While many experts had previously warned people not to underestimate thread actors who take out DDoS attacks, their effectiveness remains a big question, as most of the targets suffer only a few hours of downtime before returning to normal operations. As of the writing of this report, there has been no response from officials of the alleged target websites, leaving the claims unverified.

Previous Instances of NoName Ransomware Attacks

Since first emerging on dark web in March 2022, the pro-Russian hacker group NoName has been increasingly active, shortly after Russia’s invasion of Ukraine. The group has taken responsibility for a series of cyberattacks targeting government agencies, media outlets, and private companies across Ukraine, the United States, and Europe. Before making the claim of targeting German websites, NoName had a history of targeting prominent organizations in other countries. In April 2024, the group allegedly launched a cyberattack on Moldova, affecting key government websites such as the Presidency, Ministry of Foreign Affairs, Ministry of Internal Affairs, and the State Registry. These websites were rendered inaccessible, displaying the message, “This Site Can’t be Reached.” The attack hinted at a politically motivated agenda, though NoName did not explicitly disclose their motives. In March 2024, NoName targeted multiple websites in Denmark, including significant entities like Movia, Din Offentlige Transport, the Ministry of Transport, Copenhagen Airports, and Danish Shipping. Similarly, in January 2024, the group attacked high-profile websites in the Netherlands, including OV-chipkaart, the Municipality of Vlaardingen, the Dutch Tax Office (Belastingdienst), and GVB. More recently, NoName’s cyber onslaught on Finland raised further alarms. Finnish government organizations, including Traficom, the National Cyber Security Centre Finland (NCSC-FI), The Railways, and the Agency for Regulation and Development of Transport and Communications Infrastructure, faced temporary inaccessibility due to DDoS attacks. The ongoing cyberattacks by NoName across several countries serve as a reminder of the perils of the digital landscape. The operations of NoName ransomware, combined with their alleged political motives, highlight the urgent need for enhanced cybersecurity measures and international cooperation. The cybersecurity community must remain vigilant and proactive in protecting digital infrastructure from such malicious actors. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Microsoft and Google will provide free or low-cost cybersecurity tools and services to rural hospitals in the United States at a time when health care facilities are coming under increasing attack by ransomware gangs and other threat groups. For independent rural and critical access hospitals, Microsoft will provide grants and as much as 75% discounts..

The post Microsoft, Google Come to the Aid of Rural Hospitals appeared first on Security Boulevard.

Not our fault, says CISO: “UNC5537” breached at least 165 Snowflake instances, including Ticketmaster, LendingTree and, allegedly, Advance Auto Parts.

The post Ticketmaster is Tip of Iceberg: 165+ Snowflake Customers Hacked appeared first on Security Boulevard.

The Underground Team ransomware group has allegedly claimed a cyberattack on Central Securities Corporation, asserting access to a staggering 42.8 GB of sensitive data compromised, spanning decades of company history and containing a trove of confidential information. The scope of the Central Securities Corporation cyberattack is staggering, reportedly encompassing a range of data from historical reports to personal correspondence and even passports of employees and their relatives. Such a comprehensive breach not only threatens the integrity of Central Securities Corporation but also poses a significant risk to the privacy and security of its employees and stakeholders.

Underground Team Ransomware Claims Central Securities Corporation Cyberattack

[caption id="attachment_76481" align="alignnone" width="1319"] Source: Dark Web[/caption] The aftermath of the Central Securities Corporation cyberattack is evident as the company's website remains inaccessible, leaving concerned parties in the dark about the extent of the damage and the company's response. Efforts to reach out to Central Securities Corporation have been impeded by the website's downtime, exacerbating the sense of urgency surrounding the situation. The cybercriminals behind the Central Securities Corporation cyberattack have brazenly demanded nearly $3 million in ransom, further compounding the company's woes. This incident highlights the ransomware strain like the Underground Team leverages novel approaches to extort money and exploit sensitive data.

Researchers Highlight Underground Team Ransomware Group

Security experts from Cyble have previously warned of the growing prevalence of targeted attacks, where hackers tailor their strategies to infiltrate specific targets with devastating consequences. The emergence of new ransomware variants highlights the constant battle organizations face in safeguarding their digital assets against evolving threats. One such variant, the Underground Team ransomware, has caught the attention of researchers for its unique ransom note and sophisticated techniques. Offering more than just decryption services, the ransom note promises insights into network vulnerabilities and data recovery assistance, signaling a new level of sophistication in ransomware operations. Technical analysis of the ransomware reveals intricate mechanisms employed to identify and encrypt system files, demonstrating the attackers' proficiency in exploiting vulnerabilities. By selectively targeting files and directories while bypassing certain extensions and folders, the ransomware achieves its malicious objectives with alarming efficiency. As for the cyberattack on Central Securities Corporation, this is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged Central Securities Corporation cyberattack or any official confirmation from the organization.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Microsoft and Google have announced plans to offer free or highly discounted cybersecurity services to rural hospitals across the United States. These initiatives come as the U.S. healthcare sector faces a surge in ransomware attacks that more than doubled last year, posing a serious threat to patient care and hospital operations. The program - developed in collaboration with the White House, the American Hospital Association, and the National Rural Health Association - aims to make rural hospitals less defenseless by providing them with free security updates, security assessments, and training for hospital staff.

Microsoft and Google Cybersecurity Plans for Rural Hospitals

Microsoft has launched a full-fledged cybersecurity program to meet the needs of rural hospitals, which are often more vulnerable to cyberattacks due to more limited IT security resources, staff and training than their urban peers. The program will deliver free and low-cost technology services, including:

• Nonprofit pricing and discounts of up to 75% on Microsoft's security products for independent Critical Access Hospitals and Rural Emergency Hospitals.
• Larger rural hospitals already equipped with eligible Microsoft solutions will receive free advanced security suites for free.
• Free Windows 10 security updates for participating rural hospitals for at least one year.
• Cybersecurity assessments and training are being made free to hospital employees to help them better manage system security.

Justin Spelhaug, corporate vice president of Microsoft Philanthropies, said in a statement, “Healthcare should be available no matter where you call home, and the rise in cyberattacks threatens the viability of rural hospitals and impact communities across the U.S. “Microsoft is committed to delivering vital technology security and support at a time when these rural hospitals need them most.” Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies, said in a statement:

“Cyber-attacks against the U.S. healthcare systems rose 130% in 2023, forcing hospitals to cancel procedures and impacting Americans’ access to critical care. Rural hospitals are particularly hard hit as they are often the sole source of care for the communities they serve and lack trained cyber staff and modern cyber defenses. President Biden is committed to every American having access to the care they need, and effective cybersecurity is a part of that. So, we’re excited to work with Microsoft to launch cybersecurity programs that will provide training, advice and technology to help America’s rural hospitals be safe online.”

Alongside Microsoft's efforts, Google also announced that it will provide free cybersecurity advice to rural hospitals and non-profit organizations while also launching a pilot program to match its cybersecurity services with the specific needs of rural healthcare facilities.

Plans Are Part of Broader National Effort

Rural hospitals remain one of the most common targets for cyberattacks, according to data from the National Rural Health Association. Rural hospitals in the U.S. serve over 60 million people living in rural areas, who sometimes have to travel considerable distance for care even without the inconvenience of a cyberattack. Neuberger stated, “We’re in new territory as we see ... this wave of attacks against hospitals.” Rick Pollack, president of the American Hospital Association, said, “Rural hospitals are often the primary source of healthcare in their communities, so keeping them open and safe from cyberattacks is critical. We appreciate Microsoft stepping forward to offer its expertise and resources to help secure part of America’s healthcare safety net.” The plans are a part of a broader effort by the United States government to direct private partners and tech giants such as Microsoft and Google to use their expertise to plug significant gaps in the defense of the healthcare sector. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Auction house Christie's says the data breach caused by the recent ransomware attack impacts the information of 45,000 individuals.

The post Christie’s Says Ransomware Attack Impacts 45,000 People appeared first on SecurityWeek.

U.S. Senator Ron Wyden, who late last month asked federal agencies to investigate flaws in UnitedHealth Group’s cybersecurity measures that led to the massive ransomware attack that disrupted hundreds of hospital and pharmacy operations, now is pushing the Health and Human Services (HHS) Department to require such large health care organizations to immediately implement protections...

The post Senator: HHS Needs to Require Security Measures for Health Sector appeared first on Security Boulevard.

The Akira ransomware group claims on its dark web leak site to have compromised data from Panasonic Australia. Shortly after that announcement, Singapore authorities issued an advisory advising affected companies to not heed the ransomware group's demands, in response to local law firm Shook Lin & Bok confirming that it had been struck by the group. Panasonic Australia is a regional subsidiary of Panasonic Holdings Corporation headquartered in Japan. It manufactures electronic equipment and devices such as cameras, home equipment, sound equipment, personal care devices, power tools, and air conditioning. The Akira ransomware group has previously targeted several high-profile organizations while netting millions in ransom payments from affected victims.

Akira Ransomware Group Attack on Panasonic Australia

The ransomware group alleged that it had exfiltrated sensitive project information and business agreements from the electronics manufacturer Panasonic Australia. No sample documents were posted to verify the authenticity of the breach claims. The potential impact of the breach on Panasonic Australia is unknown but could present a serious liability for the confidentiality of the company's stolen documents.

Cyber Security Agency of Singapore Issues Advisory

Singapore's Cyber Security Agency (CSA) along with the country's Personal Data Protection Commission (PDPC) issued an advisory to organizations instructing them to report Akira ransomware attacks to respective authorities rather than paying ransom demands. The advisory was released shortly after an Akira ransomware group attack on the Shook Lin & Bok law firm. While the firm still continued to operate as normal, it had reportedly paid a ransom of US$1.4 million in Bitcoin to the group. The Akira ransomware group had demanded a ransom of US$2 million from the law firm earlier, which was then negotiated down after a week, according to the SuspectFile article. The Cyber Security Agency of Singapore (CSA) stated that it was aware of the incident and offered assistance to the law firm. However, it cautioned against similar payments from other affected victims. "Paying the ransom does not guarantee that the data will be decrypted or that threat actors will not publish your data," the agency stated. "Furthermore, threat actors may see your organisation as a soft target and strike again in the future. This may also encourage them to continue their criminal activities and target more victims." The Singaporean authorities offered a number of recommendations to organizations:

• Enforce strong password policies with at least 12 characters, using a mix of upper and lower case letters, numbers, and special characters.
• Implement multi-factor authentication for all internet-facing services, such as VPNs and critical system accounts.
• Use reputable antivirus or anti-malware software to detect ransomware through real-time monitoring of system processes, network traffic, and file activity. Configure the software to block suspicious files, prevent unauthorized remote connections, and restrict access to sensitive files.
• Periodically scan systems and networks for vulnerabilities and apply the latest security patches promptly, especially for critical functions.
• Migrate from unsupported applications to newer alternatives.
• Segregate networks to control traffic flow between sub-networks to limit ransomware spread. Monitor logs for suspicious activities and carry out remediation measures as needed.
• Conduct routine backups following the 3-2-1 rule: keep three copies of backups, store them in two different media formats, and store one set off-site.
• Conduct incident response exercises and develop business continuity plans to improve readiness for ransomware attacks.
• Retain only essential data and minimize the collection of personal data to reduce the impact of data breaches.

"Organisations should periodically scan their systems and networks for vulnerabilities and regularly update all operating systems, applications, and software by applying the latest security patches promptly, especially for functions critical to the business," the police, CSA and PDPC said in a joint statement. The criminal group had previously also come under the attention of various other governments and security agencies, with the FBI and CISA releasing a joint cybersecurity advisory as part of the #StopRansomware effort. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Spy warez: Assistant director of the FBI’s Cyber Division Bryan Vorndran (pictured) might have the key to unscramble your files.

The post LockBit Victim? Ask FBI for Your Ransomware Key appeared first on Security Boulevard.

Frontier Communications is notifying over 750,000 individuals that their personal information was stolen in a recent data breach.

The post 750k Impacted by Frontier Communications Data Breach appeared first on SecurityWeek.

Read 8 remaining paragraphs | Comments

Senator Ron Wyden (D-Ore.) is pressing the U.S. government to accelerate cybersecurity enhancements within the healthcare sector following the devastating Change Healthcare ransomware attack that exposed the protected health information of nearly a third of Americans. In a letter to Xavier Becerra, secretary of the U.S. Department of Health and Human Services, Wyden urged HHS to implement immediate, enforceable steps to improve “lax cybersecurity practices” of large healthcare organizations.

“It is clear that HHS’ current approach to healthcare cybersecurity — self-regulation and voluntary best practices — is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers.” - Wyden.

He stated that the sub-par cybersecurity standards have allowed hackers to steal patient information and disrupt healthcare services, which has caused “actual harm to patient health.”

MFA Could Have Stopped Change Healthcare Attack

The call from Wyden comes on the back of the ransomware attack on Change Healthcare — a subsidiary of UnitedHealth Group — which, according to its Chief Executive Officer Andrew Witty, could have been prevented with the basic cybersecurity measure of Multi-Factor Authentication (MFA). The lack of MFA on a Citrix remote access portal account that Change Healthcare used proved to be a key vulnerability that allowed attackers to gain initial access using compromised credentials, Witty told the Senate Committee on Finance in a May 1 hearing.

“HHS’ failure to regulate the cybersecurity practices of major health care providers like UHG resulted in what the American Hospital Association has described as the worst cyberattack against the healthcare sector in U.S. history.” - Wyden

The use of MFA is a fundamental cybersecurity practice that HHS should mandate for all healthcare organizations, Wyden argued. He called for the implementation of broader minimum and mandatory technical cybersecurity standards, particularly for critical infrastructure entities that are designated as "systemically important entities" (SIE) by the U.S. Cybersecurity and Infrastructure Security Agency. “These technical standards should address how organizations protect electronic information and ensure the healthcare system’s resiliency by maintaining critical functions, including access to medical records and the provision of medical care,” Wyden noted. He suggested that HHS enforce these standards by requiring Medicare program participants to comply.

Wyden’s Proposed Cybersecurity Measures for HHS

Wyden said HHS should mandate a range of cybersecurity measures as a result of the attack. “HHS must follow the lead of other federal regulators in mandating cybersecurity best practices necessary to protect the healthcare sector from further, devastating, easily-preventable cyberattacks,” Wyden argued. The Democratic senator proposed several measures to enhance cybersecurity in the healthcare sector, including:

• Mandatory Minimum Standards: Establish mandatory cybersecurity standards, including MFA, for critical healthcare infrastructure.
• Rapid Recovery Capabilities: Ensure that organizations can rebuild their IT infrastructure within 48 to 72 hours following an attack.
• Regular Audits: Conduct regular audits of healthcare organizations to assess and improve their cybersecurity practices.
• Technical Assistance: Provide technical security support to healthcare providers.

Wyden criticized HHS for its current insufficient regulatory oversight, which he believes contributes to the ongoing cyberattacks harming patients and national security. “The current epidemic of successful cyberattacks against the health care sector is a direct result of HHS’s failure to appropriately regulate and oversee this industry, harming patients, providers, and our national security,” Wyden said. He urged HHS to use all of its authorities to protect U.S. healthcare providers and patients from mounting cybersecurity risks.

The State of Ransomware in Healthcare

The healthcare sector was the most common ransomware target among all critical infrastructure sectors, according to FBI’s Internet Crime Report 2023. The number of attacks and individuals impacted have grown exponentially over the last three years. [caption id="attachment_75474" align="aligncenter" width="1024"] Ransomware attacks on healthcare in last three years. (Source: Emsisoft)[/caption]

“In 2023, 46 hospital systems with a total of 141 hospitals were impacted by ransomware, and at least 32 of the 46 had information, including protected health information, stolen.” - Emsisoft

A study from McGlave, Neprash, and Nikpay from the University of Minnesota School of Public Health found that in a five-year period starting in 2016, ransomware attacks likely killed between 42 and 67 Medicare patients. Their study further observed a decrease in hospital volume and services by 17-25% during the week following a ransomware attack that not only hit revenue but also increased in-hospital mortality among patients who were already admitted at the time of attack.

HHS Cybersecurity Response

HHS announced in December plans to update its cybersecurity regulations for the healthcare sector for the first time in 21 years. These updates would include voluntary cybersecurity performance goals and efforts to improve accountability and coordination. The Healthcare and Public Health Sector Coordinating Council also unveiled a five-year Health Industry Cybersecurity Strategic Plan in April, which recommends 10 cybersecurity goals to be implemented by 2029. Wyden acknowledged and credited the latest reform initiatives from HHS and the HSCC, but remains concerned about the lengthy implementation timeline, which he said requires urgency when it comes to the healthcare sector. The latest letter follows Wyden’s request last week to the SEC and FTC to investigate for any negligence in cybersecurity practices of UnitedHealth Group. HHS is currently investigating the potential UHG breach that resulted in the exposure of protected health information of hundreds of thousands of Americans.

It remembers everything you do on your PC. Security experts are raging at Redmond to recall Recall.

The post Microsoft Recall is a Privacy Disaster appeared first on Security Boulevard.

A Russian cyber gang is believed to be behind a ransomware attack that disrupted London hospitals and led to operations and appointments being canceled.

The post A Russian Cyber Gang Is Thought to Be Behind a Ransomware Attack That Hit London Hospitals appeared first on SecurityWeek.

The FBI has obtained more than 7,000 LockBit ransomware decryption keys and is urging victims to get in touch with its IC3.

The post FBI Says It Has 7,000 LockBit Ransomware Decryption Keys appeared first on SecurityWeek.

RansomHub, which has become among the most prolific ransomware groups over the past few months, likely got its start with the source code from the Knight malware and a boost from a one-time BlackCat affiliate.

The post RansomHub Rides High on Knight Ransomware Source Code appeared first on Security Boulevard.

Mandiant saw an increase in ransomware activity in 2023 compared to 2022, including a 75% increase in posts on data leak sites.

The post Resurgence of Ransomware: Mandiant Observes Sharp Rise in Criminal Extortion Tactics appeared first on SecurityWeek.

Several hospitals in London have canceled operations and appointments after being hit in a ransomware attack.

The post London Hospitals Cancel Operations and Appointments After Being Hit in Ransomware Attack appeared first on SecurityWeek.

The BianLian ransomware gang has leaked data allegedly stolen from Australian mining company Northern Minerals.

The post Ransomware Gang Leaks Data From Australian Mining Company appeared first on SecurityWeek.

The newly-released Apple cybersecurity threat study reveals interesting data points and demonstrates how the threat landscape is evolving.

The post 8 Takeaways from Apple 2023 Threat Research appeared first on Security Boulevard.

Several major hospitals in London have faced service disruptions following a ransomware attack on a third-party responsible for providing pathology services. As a result, the Synnovis ransomware attack has been assigned a critical incident emergency status by the authorities. On Monday, a ransomware attack targeted Synnovis, a company offering pathology services such as blood tests for transfusions to various healthcare organizations. A spokesperson for NHS England London confirmed the incident, stating that the hospital network was currently disconnected from Synnovis IT servers. The Synnovis ransomware attack was having a "significant impact" on the delivery of services at Guy’s and St Thomas’ hospitals, King’s College Hospital NHS Foundation Trusts, and primary care services in southeast London, the spokesperson added. Royal Brompton and Harefield hospitals, renowned heart and lung centers in the UK, have also reportedly been impacted. As a result of the attack, some appointments have been canceled and patients redirected with short notice, placing additional strain on other hospitals.

"We are currently experiencing disruption to our pathology services, particularly blood tests."

"This is following a cyber attack affecting our pathology service provider Synnovis," said the NHS statement. "Very regrettably we have had to cancel some procedures and operations. We apologise unreservedly to all patients who are affected." The disruption in the blood transfusion IT system poses a risk to trauma cases, with only urgent blood components being transfused when critically necessary for patients. Efforts are underway by the Department of Health and Social Care, NHS England, and the National Cyber Security Centre to address the cyber incident and support affected organizations while prioritizing patient safety. The uncertainty surrounding the duration of the disruption raises concerns about resource availability and potential further critical incidents. The attack follows a similar one that hit NHS services in Scotland in March.

CEO's Statement on Synnovis Ransomware Attack

Mark Dollar, the CEO of Synnovis, acknowledged the severity of the situation, emphasizing the collaborative efforts between IT experts from Synnovis and the NHS to assess the extent of the damage and implement necessary measures. Patient care has been disrupted, leading to some activities being canceled or redirected to alternative providers to prioritize urgent needs, Dollar said.

"It is still early days and we are trying to understand exactly what has happened."

A taskforce of IT experts from Synnovis and the NHS is working to fully assess the impact this has had, and to take the appropriate action needed. We are working closely with NHS Trust partners to minimise the impact on patients and other service users."

"Regrettably this is affecting patients, with some activity already cancelled or redirected to other providers as urgent work is prioritised."

"We are incredibly sorry for the inconvenience and upset this is causing to patients, service users and anyone else affected. We are doing our best to minimise the impact and will stay in touch with local NHS services to keep people up to date with developments," Dollar added. Synnovis has invested heavily in ensuring that IT arrangements are of the highest order of safety but Dollar, citing the ransomware attack, said, "This is a harsh reminder that this sort of attack can happen to anyone at any time and that, dispiritingly, the individuals behind it have no scruples about who their actions might affect." As the healthcare sector continues to navigate the evolving landscape of cyber threats, stakeholders must remain vigilant, prioritize cybersecurity protocols, and collaborate to fortify defenses against ransomware attacks. Safeguarding patient data and preserving the trust of individuals relying on healthcare services are critical imperatives in the ongoing battle against cybercrime in the healthcare industry.

Read 7 remaining paragraphs | Comments

Snowflake, Inc. says NO, threatening legal action against those who say it was. But reports are coming in of several more massive leaks from other Snowflake customers.

The post Was the Ticketmaster Leak Snowflake’s Fault? appeared first on Security Boulevard.

The RansomHub ransomware group claims to have stolen the information of over 2 million Frontier Communications customers.

The post Ransomware Group Claims Cyberattack on Frontier Communications appeared first on SecurityWeek.

The UPGRADE program seeks to enhance and automate cybersecurity for healthcare facilities, focused on protecting operations and ensuring continuity of patient care.

The post Cybersecurity Automation in Healthcare Program Launched by HHS Agency appeared first on Security Boulevard.

Three-quarters of SMBs fear that a cyberattack could put them out of business. For good reason: 96% of them have already been the victims of a cyberattack.

The post Cyberattack Risks Keep Small Business Security Teams on Edge appeared first on Security Boulevard.

Credential phishing is a type of cyberattack where attackers attempt to deceive your employees into providing their sensitive information, such as their Microsoft usernames and passwords. What is not obvious is credential phishing is the root cause of many breaches, including the recent ransomware breach at UnitedHealth subsidiary Change Healthcare. According to UnitedHealth Group CEO […]

The post Understanding Credential Phishing first appeared on SlashNext.

The post Understanding Credential Phishing appeared first on Security Boulevard.

Senator Ron Wyden wants the FTC and SEC to investigate the ransomware attack on UnitedHealth's Change subsidiary to see if there was criminal negligence by the CEO or board.

The post Senator Calls for FTC, SEC Probe Into UnitedHealth’s ‘Negligence’ in Breach appeared first on Security Boulevard.

Daft name, serious risk: Kit from ActionTec and Sagemcom remotely ruined and required replacement.

The post ‘Pumpkin Eclipse’ — 600,000+ Rural ISP Routers Bricked Beyond Repair appeared first on Security Boulevard.