Tag Archive for: Leverage

Hamas, Iranian hackers seek to leverage Israeli people’s stress


Tel Aviv [Israel], December 19 (ANI/TPS): The Israel National Cyber Directorate announced on Monday that Iran and Hezbollah were behind an attempted cyberattack on the Ziv Medical Centre in Safed in late November. “The attack was thwarted before it could successfully disrupt hospital operations and impact citizens’ medical treatment,” the INCD stated. “However, the attackers managed to extract private data stored in the hospital’s systems.”

While the INCD defends Israeli civilian and government cyberspace, including hospitals, and Internet and phone service providers, military cybersecurity is a very different matter, according to Alon Arvatz, CEO and co-founder of Stealth Startup. Most computers with any sensitive information are not connected to the Internet, and Israeli soldiers operating in Gaza aren’t allowed to carry cell phones for fear of exposing their locations or other sensitive data, Arvatz told the Tazpit Press Service in an interview last month.

“We read the frustrations from their families, saying, ‘I don’t know what’s going on with my son, or wife or child.’ So it’s heartbreaking,” he said. “But from a security perspective, it means very good things about the army and how it handles it. The worst thing that can happen is that a soldier would accidentally expose his location and the plans of the army.” On Oct. 7 and since, there has been widespread speculation about how Hamas terrorists infiltrated Israel in such large numbers, as well as how they were able to murder, torture and kidnap so many Israelis and others. Despite Israel’s reputation as one of the world’s cyberspace superpowers, Hamas appears to have sought to sabotage Israel’s vaunted rocket-alert system and siphon off donations intended for Oct. 7 victims, Arvatz told TPS.

Hackers Leveraging People’s Stress

Parallel to Hamas’s ground invasion, the terrorists also launched “attacks into cyberspace, targeting various civilian and governmental targets,” said Arvatz, a veteran of the Israel Defense Forces’ elite cyber Unit 8200 and author of The Battle for Your Computer: Israel and the Growth of the Global Cyber-Security Industry. Hamas’s multi-pronged attack–from land, sea, air and cyberspace–sought to…


New Royal ransomware attacks leverage BlackSuit encryptor – SC Media



Attackers Continue to Leverage Signed Microsoft Drivers


In December of last year, Microsoft worked with SentinelOne, Mandiant, and Sophos to respond to an issue in which drivers certified by Microsoft’s Windows Hardware Developer Program were being used to validate malware.

Unfortunately, the problem hasn’t gone away.

In a recent Mastodon post, security expert Kevin Beaumont observed, “Microsoft are still digitally signing malware kernel drivers, as they can’t identify malware (this comes up over and over again).”

Beaumont provided three examples of remote access trojans that had been verified by Microsoft as legitimate software, adding, “If you have Google’s VirusTotal (Microsoft do) you can run something like this to find them: signature:"Microsoft Windows Hardware Compatibility Publisher" p:5+ tag:signed name:.sys”

In response to an email inquiry from eSecurity Planet, a Microsoft spokesperson acknowledged the ongoing issue, stating, “We have suspended the partners’ seller accounts. In addition, Microsoft Defender Antivirus provides blocking detection for these files.”

The essential challenge remains – and Microsoft has only been able to suspend individual offenders.

Microsoft’s Initial Response

In guidance first published on December 13, 2022, the company stated, “Microsoft was informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity. In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers.”

Microsoft was notified of the issue by SentinelOne, Mandiant, and Sophos in October 2022, and began an investigation. “This investigation revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature,” the company added. “A new attempt at submitting a malicious driver for signing on September 29th, 2022, led to the suspension of the sellers’ accounts in early October.”

Matching the Microsoft spokesperson’s more recent explanation above, the company stated at the time that Windows Security Updates were released revoking the…


Ransom Gangs Emailing Victim Customers for Leverage – Krebs on Security


Some of the top ransomware gangs are deploying a new pressure tactic to push more victim organizations into paying an extortion demand: Emailing the victim’s customers and partners directly, warning that their data will be leaked to the dark web unless they can convince the victim firm to pay up.

This letter is from the Clop ransomware gang, putting pressure on a recent victim named on Clop’s dark web shaming site.

“Good day! If you received this letter, you are a customer, buyer, partner or employee of [victim],” the missive reads. “The company has been hacked, data has been stolen and will soon be released as the company refuses to protect its peoples’ data.”

“We inform you that information about you will be published on the darknet [link to dark web victim shaming page] if the company does not contact us,” the message concludes. “Call or write to this store and ask to protect your privacy!!!!”

The message above was sent to a customer of RaceTrac Petroleum, an Atlanta company that operates more than 650 retail gasoline convenience stores in 12 southeastern states. The person who shared that screenshot above isn’t a distributor or partner of RaceTrac, but they said they are a RaceTrac rewards member, so the company definitely has their email address and other information.

Several gigabytes of the company’s files — including employee tax and financial records — have been posted to the victim shaming site for the Clop ransomware gang.

In response to questions from KrebsOnSecurity, RaceTrac said it was recently impacted by a security incident affecting one of its third-party service providers, Accellion Inc.

For the past few months, attackers have been exploiting a zero-day vulnerability in Accellion File Transfer Appliance (FTA) software, a flaw that has been seized upon by Clop to break into dozens of other major companies like oil giant Shell and security firm Qualys.

“By exploiting a previously undetected software vulnerability, unauthorized parties were able to access a subset of RaceTrac data stored in the Accellion File Transfer Service, including email addresses and first names of some of our RaceTrac Rewards Loyalty users,”…
