Tag: hits | Page 3

Ransomware Dwell Time Hits Low Of 24 Hours

October 5, 2023/in Internet Security

(MENAFN– PR Newswire)
Analysis from Secureworks annual State of The Threat Report shows ransomware median dwell time has dropped from 4.5 days to less than 24 hours in a year

ATLANTA, Oct. 5, 2023 /PRNewswire/ — Ransomware is being deployed within one day of initial access in more than 50% of engagements, says Secureworks® (NASDAQ: SCWX ) Counter Threat UnitTM (CTUTM). In just 12 months the median dwell time identified in the annual Secureworks State of the Threat Report has freefallen from 4.5 days to less than one day. In 10% of cases, ransomware was even deployed within five hours of initial access.

“The driver for the reduction in median dwell time is likely due to the cybercriminals’ desire for a lower chance of detection. The cybersecurity industry has become much more adept at detecting activity that is a precursor to ransomware. As a result, threat actors are focusing on simpler and quicker to implement operations, rather than big, multi-site enterprise-wide encryption events that are significantly more complex. But the risk from those attacks is still high,” said Don Smith, VP Threat Intelligence, Secureworks Counter Threat Unit.

“While we still see familiar names as the most active threat actors, the emergence of several new and very active threat groups is fuelling a significant rise in victim and data leaks. Despite high profile takedowns and sanctions, cybercriminals are masters of adaptation, and so the threat continues to gather pace,” Smith continued.

The annual State of the Threat report examines the cybersecurity landscape from June 2022 to July 2023. Key findings include:

While some familiar names including GOLD MYSTIC (LockBit), GOLD BLAZER (BlackCat/ALPV), and GOLD TAHOE (Cl0p) still dominate the ransomware landscape, new groups are emerging and listing significant victim counts on ” name and shame” leak sites . The past four months of this reporting period have been the most prolific for victim numbers since name-and-shame attacks started in 2019.

The three largest initial access vectors (IAV) observed in ransomware engagements where customers engaged Secureworks incident responders were: scan-and-exploit,…

Source…

Clop Hacking Rampage Hits US Agencies and Exposes Data of Millions

July 4, 2023/in Computer Security

United States cybersecurity officials said yesterday that a “small number” of government agencies have suffered data breaches as part of a broad hacking campaign that is likely being carried out by the Russia-based ransomware gang Clop. The cybercriminal group has been on a tear in exploiting a vulnerability in the file transfer service MOVEit to grab valuable data from victims including Shell, British Airways, and the BBC. But hitting US government targets will only increase global law enforcement’s scrutiny of the cybercriminals in the already high-profile hacking spree.

Progress Software, which owns MOVEit, patched the vulnerability at the end of May, and the US Cybersecurity and Infrastructure Security Agency released an advisory with the Federal Bureau of Investigation on June 7 warning about Clop’s exploitation and the urgent need for all organizations, both public and private, to patch the flaw. A senior CISA official told reporters yesterday that all US government MOVEit instances have now been updated.

CISA officials declined to say which US agencies are victims of the spree, but they confirmed that the Department of Energy notified CISA that it is among them. CNN, which first reported the attacks on US government agencies, further reported today that the hacking spree impacted Louisiana and Oregon state driver’s license and identification data for millions of residents. Clop has previously also claimed credit for attacks on the state governments of Minnesota and Illinois.

“We are currently providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” CISA director Jen Easterly told reporters on Thursday. “Based on discussions we have had with industry partners in the Joint Cyber Defense Collaborative, these intrusions are not being leveraged to gain broader access, to gain persistence into targeted systems, or to steal specific high-value information—in sum, as we understand it, this attack is largely an opportunistic one.”

Easterly added that CISA has not seen Clop threaten to release any data stolen from the US government. And the senior CISA official, who spoke to reporters on the condition that they…

Source…

Hackers Claim $70 Million Ransomware Attack on TSMC, Hits Supplier Instead

July 2, 2023/in Internet Security

The LockBit ransomware group claims it has hacked TSMC, with TSMC stating that one of its suppliers has been breached. The cybercriminals are demanding a ransom of $70 million by August 6 and threaten to leak considerable amount of sensitive data. TSMC told SecurityWeek that its network had not been breached, but one of its IT hardware suppliers had indeed been hacked.

“TSMC has recently been [made] aware that one of our IT hardware suppliers experienced a cybersecurity incident, which led to the leak of information pertinent to server initial setup and configuration,” a statement by TSMC sent to Tom’s Hardware reads. “At TSMC, every hardware component undergoes a series of extensive checks and adjustments, including security configurations, before being installed into TSMC’s system. Upon review, this incident has not affected TSMC’s business operations, nor did it compromise any [of] TSMC’s customer information.”

In response to the security breach and in accordance with its security guidelines, TSMC immediately ceased data sharing with the affected supplier. TSMC indicated that this is a routine procedure given the breach. At present, a law enforcement agency is investigating this cybersecurity occurrence.

“After the incident, TSMC has immediately terminated its data exchange with this supplier in accordance with the Company’s security protocols and standard operating procedures,” the foundry stated. “TSMC remains committed to enhancing the security awareness among its suppliers and making sure they comply with security standards. This cybersecurity incident is currently under investigation [and] involves a law enforcement agency.”

The notorious ransomware group published its initial threat on June 29 and gave TSMC seven days to respond; otherwise, a vast amount of sensitive information would be published. It then extended the ‘deadline’ to August 6. The group published a screenshot containing an @tsmc.com email.

TSMC claims that it did not fall victim to the cyberattack. The supplier affected by the attack is Kinmax Technology, a Taiwan-based systems integrator specializing on networking, storage, database management and, ironically, security. Kinmax…

Source…

Advanced Espionage Malware “Stealth Soldier” Hits Libyan Firms

June 8, 2023/in Computer Security

The Stealth Soldier campaign marks the possible reappearance of a threat actor known as “The Eye on the Nile” since its last operation in 2019.

Check Point Research has recently uncovered a series of highly-targeted espionage attacks in Libya, shedding light on a previously undisclosed backdoor called Stealth Soldier. This sophisticated malware operates as a custom modular backdoor with surveillance functionalities, including file exfiltration, screen and microphone recording, keystroke logging, and stealing browser information.

The campaign, which appears to be targeting Libyan organizations, marks the possible re-appearance of a threat actor known as “The Eye on the Nile” since its last operation in 2019.

Advanced Espionage Malware "Stealth Soldier" Hits Libyan Firms

Stealth Soldier, an implant used in limited and targeted attacks, has shown active maintenance with the latest version, Version 9, compiled in February 2023. Check Point Research’s investigation began with the discovery of multiple files submitted to VirusTotal between November 2022 and January 2023 from Libya.

These files, named in Arabic, such as “هام وعاجل.exe” (Important and Urgent.exe) and “برقية 401.exe” (Telegram 401.exe), turned out to be downloaders for different versions of the Stealth Soldier malware.

The execution flow of Stealth Soldier starts with the downloader, which triggers the infection chain. Although the delivery mechanism of the downloader remains unknown, social engineering is suspected.

The malware’s infection process involves downloading multiple files from the Command and Control (C&C) server, including the loader, watchdog, and payload. These components work together to establish persistence and execute the surveillance functionalities.

First, the loader downloads an internal module called PowerPlus to enable PowerShell commands and create persistence. Then, the watchdog periodically checks for updated versions of the loader and runs it accordingly. Finally, the payload collects data, receives commands from the C&C server, and executes various modules based on the attacker’s instructions.

The victim’s information collected by the Stealth Soldier’s payload includes the…

Source…

Tag Archive for: hits