Tag Archive for: extortion

New Ransomware Actor 8Base Rivals LockBit in Extortion


Cybercrime, Fraud Management & Cybercrime, Next-Generation Technologies & Secure Development

Group Has Listed Nearly 40 Victims on Its Dark Web Leak Site So Far This Month

Image: 8Base

The new ransomware group 8Base is fast becoming a big player in the underground market, amassing nearly 40 victims in June – second only to the notorious LockBit ransomware gang.


The group has hit nearly 80 organizations since March 2022 and uses the double-extortion tactics of encryption and “name and shame,” according to a new report from VMware.

8Base was responsible for 15% of the attacks in May, as the group began releasing data from victims breached between April 2022 and May 2023, said a report the NCC Group released last week. Ransomware attacks soared in May, hitting 436 victims. LockBit 3.0 remained the most active threat actor in 2023 and was responsible for 78 known victims and 18% of all incidents tracked in May.


The majority of 8Base targets are in the industrial sector, the NCC Group said. VMware said business services, finance, manufacturing and IT industries are also targets. The group so far has listed 38 victims in June. It uses a data leak site, a Twitter account and a Telegram channel to publicize its victims’ names.

The 8Base group’s activity is similar to the less-active RansomHouse ransomware gang, which buys leaked data, partners with data leak sites and then extorts companies for money.

The language on the…

Source…

Lessons From Clop: Combating Ransomware and Cyber Extortion Events


Lessons from Clop

It’s been one month since the Clop ransomware group began exploiting the MOVEit vulnerability (CVE-2023-34362; VulnDB ID: 322555) to claim nearly 100 victims across the globe, many of which have become public. This attack comes on the heels of Clop leveraging the GoAnywhere MFT vulnerability (CVE-2023-0669), which led them to claim they’d illegally obtained information for more than 100 companies.

When a ransomware or cyber extortion event occurs, security teams are racing against the clock:

  • What do we know about the cybercriminal group that’s claiming responsibility for an attack or double extortion?
  • Is our organization affected? If so, what is the extent of the breach and its impact on our systems, networks, people, and data?
  • How do we respond to and mitigate the situation?

These questions are of vital importance to organizations across the public and private sectors. And the recent Clop attacks—which affected organizations across the globe in nearly every vertical—are yet another example of why it’s vital to have proactive defense measures in place.

Targeting upstream data providers

First, it’s vital to have a deep understanding of the adversary, such as a RaaS (ransomware-as-a-service) group like Clop. Here are five ways that ransomware groups like Clop attack targets, as well as the threat vectors they seem to exploit:

  1. Supply chain attacks. As illustrated through MOVEit, Clop often targets upstream software vendors or service providers so that it can cast a wide net. A number of the known Clop victims are companies who were attacked via a third-party vendor. Attackers like Clop may exploit vulnerabilities in the communication or data exchange between these companies, or compromise the software or hardware components supplied by third-party providers to inject malicious code or backdoors.
  2. Cloud Service Providers (CSP). If a cloud service provider experiences a security breach, it can potentially impact third parties that utilize their cloud services in several ways. Clop successfully breached a cloud service…

Source…

Researchers Report First Instance of Automated SaaS Ransomware Extortion


The 0mega ransomware group has successfully pulled off an extortion attack against a company’s SharePoint Online environment without needing to use a compromised endpoint, which is how these attacks usually unfold. Instead, the threat group appears to have used a weakly secured administrator account to infiltrate the unnamed company’s environment, elevate permissions, and eventually exfiltrate sensitive data from the victim’s SharePoint libraries. The stolen data was then used to extort a ransom from the victim.

Likely First of its Kind Attack

The attack merits attention because most enterprise efforts to address the ransomware threat tend to focus on endpoint protection mechanisms, says Glenn Chisholm, cofounder and CPO at Obsidian, the security firm that discovered the attack.

“Companies have been trying to prevent or mitigate ransomware-group attacks entirely through endpoint security investments,” Chisholm says. “This attack shows that endpoint security isn’t enough, as many companies are now storing and accessing data in SaaS applications.”

The attack that Obsidian observed began with an 0mega group actor obtaining a poorly secured service account credential belonging to one of the victim organization’s Microsoft Global administrators. Not only was the breached account accessible from the public Internet, it also did not have multi-factor authentication (MFA) enabled — something that most security experts agree is a basic security necessity, especially for privileged accounts.

The threat actor used the compromised account to create an Active Directory user — somewhat brazenly — called “0mega” and then proceeded to grant the new account all the permissions needed to create havoc in the environment. These included permissions to be a Global Admin, SharePoint Admin, Exchange Admin, and Teams Administrator. For additional good measure, the threat actor used the compromised admin credential to grant the 0mega account so-called site collection administrator capabilities within the organization’s SharePoint Online environment and to remove all other existing administrators.

In SharePoint-speak, a site collection is a group of websites within a Web application that share administrative…

Source…

Extortion spree feared after breach of file-sharing software


NEW YORK CITY – Cybersecurity experts are bracing for a potential wave of extortion demands after a vulnerability was discovered in encrypted file-sharing software, a flaw that hackers have already used to target a string of high-profile victims, including British Airways and the BBC.

Several companies and a Canadian province said on Monday that they were dealing with breaches related to the secure file transfer product MOVEit from Progress Software Corp, according to statements from several of the affected entities. The vulnerability allowed hackers to steal files that companies had uploaded to MOVEit, according to Progress.

The flaw had prompted security alerts in recent days from the United States Department of Homeland Security, the United Kingdom National Cyber Security Centre, Microsoft Corp and Mandiant, a subsidiary of Alphabet’s Google Cloud.

Progress released a patch for the software last week.

“When we discovered the vulnerability, we promptly launched an investigation, alerted MOVEit customers about the issue and provided immediate mitigation steps,” its spokesman John Eddy said in a statement.

Microsoft said the hackers responsible for the attacks on MOVEit servers also run the Clop extortion website. Clop is the name of a ransomware variant that has been deployed against companies and organisations around the world, and it also sometimes refers to the hacking gang that uses it.

Hackers affiliated with the group also steal data and threaten to publish it on its website if a ransom is not paid. 

The group has primarily targeted the health care and financial sectors and has existed since February 2019, according to Trend Micro. The same attackers were responsible for previous hacks of two other secure file transfer products developed by Accellion and Fortra, said Mr Allan Liska, senior intelligence analyst at cyber security firm Recorded Future. 

Publicly available data sources show there are thousands of vulnerable MOVEit servers that could have been affected by the software flaw, Mr Liska said. The criminal hackers are expected to begin contacting companies and demanding payment in cryptocurrency in exchange for not uploading the company’s…

Source…