Tag Archive for: hosts

Guam Army National Guard hosts Guam Cybersecurity Summit

On Nov. 6-7, 2023, representatives from local and national agencies visited the University of Guam lecture hall and gymnasium to take part in the 2024 Central Pacific Cybersecurity Summit.

“Over the next two days, we are going to lean on one another, exchange ideas, and use our collective expertise to fortify our island and our regions’ ability to not only respond but to recover from a cybersecurity attack,” said Lou Leon Guerrero, governor of Guam. “Because to simply say it’s a priority is an understatement. It is mission-critical to our island’s defense and our nation’s defense that we get this done.”

The goal is to execute a whole-of-government and community approach by providing opportunities for several different local and national agencies to communicate, exchange and strengthen strategies and ideas that will bolster the different levels of cybersecurity, while also deterring adversaries and promoting integrated deterrence.

“We recognize the vulnerability and weaknesses of our cybersecurity program, so we came up with the Central Pacific Cybersecurity summit to gather all the experts that can help us solidify and prevent future cyber-attacks,” Leon Guerrero said. “We want to protect and make a solid plan of actions to strengthen our cybersecurity and cybersecurity deterrence.”

Agencies such as U.S. Indo-Pacific Command (USINDOPACOM), U.S. Cyber Command (USCC), the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, Guam Homeland and Civil Defense, the Guam Office of Technology (OTECH), public utilities, internet service providers, Joint Region Marianas (JRM), Andersen Air Force Base, Marine Corps Base Camp Blaz, the U.S. Coast Guard and more attended the summit, sharing the information and resources they had to offer.

Jennilyn LaBrunda, CISA cybersecurity advisor, discussed the resources available on the CISA website. Adam Dickinson and Robert Schuett of Google Mandiant discussed the practice of intelligence-led security.

“This is just one of many ways that we can combine the efforts of our friends to come up with a unified plan to address every evolving threat of cyber-attacks.” said…

Source…

RTM Locker’s First Linux Ransomware Strain Targeting NAS and ESXi Hosts

Apr 27, 2023 | Ravie Lakshmanan | Linux / Endpoint Security

The threat actors behind RTM Locker have developed a ransomware strain that’s capable of targeting Linux machines, marking the group’s first foray into the open source operating system.

“Its locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by Babuk ransomware’s leaked source code,” Uptycs said in a new report published Wednesday. “It uses a combination of ECDH on Curve25519 (asymmetric encryption) and Chacha20 (symmetric encryption) to encrypt files.”

RTM Locker was first documented by Trellix earlier this month, which described the adversary as a private ransomware-as-a-service (RaaS) provider. It has its roots in a cybercrime group called Read The Manual (RTM) that has been active since at least 2015.

The group is notable for deliberately avoiding high-profile targets such as critical infrastructure, law enforcement, and hospitals so as to draw as little attention as possible. It also leverages affiliates to ransom victims, in addition to leaking stolen data should they refuse to pay up.

The Linux flavor is specifically geared toward ESXi hosts: it terminates all virtual machines running on a compromised host before commencing the encryption process. The exact initial infection vector used to deliver the ransomware is currently unknown.

“It is statically compiled and stripped, making reverse engineering more difficult and allowing the binary to run on more systems,” Uptycs explained. “The encryption function also uses pthreads (aka POSIX threads) to speed up execution.”

Following successful encryption, victims are urged to contact the support team within 48 hours via Tox or risk having their data published. Decrypting a file locked with RTM Locker requires both the public key appended to the end of the encrypted file and the attacker’s private key.

The development comes as Microsoft revealed that vulnerable PaperCut servers are being actively targeted by threat…

Source…

Sinkholing May Not Spell the End for Malware Hosts and Botnets

Sinkholing has long been employed as an effective cybersecurity solution to curb the spread of dangerous malware. Remember the infamous WannaCry ransomware outbreak in 2019? Security teams put a stop to the threat through sinkholing.

More recently, Microsoft sinkholed the web properties associated with Strontium, a Russian threat actor group that has been targeting Ukrainian sites via various cyber attacks.

While the tactic undoubtedly works, some trends related to ongoing threats may remain unknown. We hope to change that with this analysis conducted by WhoisXML API threat researcher Dancho Danchev, which gives cybersecurity teams more insight into sinkholed domains. That know-how can point them to additional web properties that may also need to be taken offline.

Our in-depth analysis revealed:

  • More than 13,000 malware and botnet hosts were sinkholed recently
  • The large majority of the sinkholed domains appeared to have been created using domain generation algorithms (DGAs)
  • Most of the sinkholed domains used the .com top-level domain (TLD)
  • A majority of the sinkholed domains had existed for at least five years before being taken down

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated the pertinent data and made it available to anyone interested. You may download Danchev’s report and related threat research materials here.

Analysis and Findings

We began our investigation by obtaining 24 email addresses that are known to have been used to sinkhole domains connected to ongoing malware and botnet operations.

Sinkholed Domains

Using these email addresses as reverse WHOIS search terms led to the discovery of 13,265 domains.

The domain distribution per email address (which we partially redacted for privacy reasons) is shown below.

Several nonprofit organizations, big cybersecurity companies, and government agencies like the Shadowserver Foundation, the Federal Bureau of Investigation (FBI),…

Source…

GoDaddy Hack Spreads to 6 More Web Hosts

The hack that exposed the details of 1.2 million GoDaddy customers has spread to six more web hosts. As Search Engine Journal reports, the six additional web hosts are all resellers of GoDaddy’s WordPress hosting services and include 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple, and tsoHost.

Customers of at least two of these web hosting companies have been sent emails very similar to the one GoDaddy sent out regarding the security breach. The hack they experienced also targeted Managed WordPress accounts and leaked email addresses, customer numbers, WordPress admin passwords, sFTP database usernames and passwords for active customers, and in some cases SSL private keys.

WordPress security plugin maker Wordfence confirmed the hack has spread to these web hosts and published a quote from Dan Rice, VP of Corporate Communications at GoDaddy, as to the extent of the attack:

“The GoDaddy brands that resell GoDaddy Managed WordPress are 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple and tsoHost. A small number of active and inactive Managed WordPress users at those brands were impacted by the security incident. No other brands are impacted. Those brands have already contacted their respective customers with specific detail and recommended action.”

The intrusion began on Sept. 6, giving the attacker plenty of time to take advantage of the user data and account access. It is currently unknown how that access has been used. All customers affected by the breach at the web hosts listed above need to be vigilant and extra cautious with the emails they receive.

Hopefully each company has already contacted, or is in the process of contacting, affected customers with the measures taken to close the security hole. If you believe your account was compromised and have not been contacted, be proactive and contact your web host to confirm the status of your account.

Source…