Tag Archive for: October

2nd October – Threat Intelligence Report


For the latest discoveries in cyber research for the week of 2nd October, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Check Point researchers have detected a phishing campaign exploiting popular file-sharing program Dropbox. The threat actors use legitimate Dropbox pages to send official email messages to the victims, which will then redirect the recipients to credential stealing pages.
  • Japanese entertainment giant Sony, as well as major Japanese telecom provider NTT Docomo have been the victims of ransomware attacks during the past week. The ‘ransomed.vc’ threat group has assumed responsibility for both attacks and has demanded millions of dollars in ransom from the two companies. The group threatens to sell or leak data exfiltrated in the breaches if its demands are not met.
  • American conglomerate Johnson Controls has been hit by ransomware. Ransomware group Dark Angels is demanding $51M from the company in ransom and claims to have exfiltrated more than 25TB of data during the attack. The American Department of Homeland Security is reportedly investigating whether information regarding its facilities had been leaked in the attack, as Johnson Controls is a contractor for the department’s buildings.
  • Hong Kong cryptocurrency exchange firm Mixin has disclosed that $200M have been stolen in a breach of its network. According to the firm’s statement, the threat actors have gained access by attacking a database belonging to the company’s cloud provider in order to conduct the theft.
  • Russian flight booking vendor Leonardo’s services have been disrupted by a distributed-denial-of-service attack. As a result, multiple Russian airline companies, including the state-owned Aeroflot, were unable to process booking requests. Ukrainian hacktivist collective ‘IT Army of Ukraine’ has claimed responsibility for the attack.
  • Kuwait’s Ministry of Finance has acknowledged that its network had been breached in a cyber-attack. The ministry claims that financial data of its employees was not impacted in the attack. Ransomware group Rhysida has assumed responsibility and demands $400,000 in ransom.

Check Point Harmony Endpoint and Threat Emulation…

Source…

A sneak preview of the first ever international Nuclear Security Training and Demonstration Centre (NSTDC) and the training activities planned to start in October 2023 was given today during a side event held at the margins of the 67th IAEA General Conference



Lydie Evrard, IAEA Deputy Director General and Head of the Department of Nuclear Safety and Security, highlighted the unique nature of the new IAEA facility, noting that “the NSTDC is built to respond to growing requests by countries for capacity building in the field of nuclear security that could not be met elsewhere.”  

“The IAEA has developed a training programme that will complement the existing national and international mechanisms of nuclear security capacity building,” she said in her remarks.

The NSTDC is housed in a new multipurpose building (MPB) located at the IAEA’s laboratories in Seibersdorf, 30 km south of Vienna, Austria. The MPB construction work started in July 2021, after the Director General of the IAEA, Rafael Mariano Grossi, broke ground for the new facility.

Under the NSTDC training programme, there are currently 23 training courses and workshops. All of them address training needs in the area of physical protection of nuclear and other radioactive material and associated facilities; and in the area of detection and response to criminal or intentional unauthorized acts involving or directed at nuclear or other radioactive material, associated facilities or associated activities.  

In light of the IAEA’s work on cancer care, the NSTDC training programme includes a course for countries participating in or planning to join Rays of Hope, titled “Introduction to life cycle security of radioactive material and associated facilities in cancer care”. The course aims to familiarize participants with key considerations for ensuring the life cycle security and sustainability of radioactive material and associated facilities used for cancer care, including the information and computer security aspects of nuclear security.

“The NSTDC is a modern, specialized training facility, supported by state-of-the-art technical infrastructure,” said Marina Labyntseva, Head of the Education and…

Source…

2022 set to break hacking records as DeFi protocols lose $760m in October


2022 is on course to be a record year for crypto hacking as a record amount of digital assets were stolen via crypto hacks in October.

According to data from blockchain security firm PeckShield released on Monday, about $760 million worth of crypto value was looted by hackers and cybercriminals in 44 incidents that affected 53 protocols in October.

However, some of the exploited protocols recovered $100 million, a fraction of that sum, within the same period.

PeckShield reported that $2.98 billion of crypto assets had been stolen in 2022, almost double the $1.55 billion stolen in 2021.

The biggest exploit of this ‘Hacktober’ was the BNB Chain hack which resulted in a loss of $586 million alone. Earlier in October, the BNB chain executed a hard fork to restore security after an unknown hacker stole $100 million via a vulnerability in the platform’s cross-chain bridge.

Binance co-founder and CEO Changpeng Zhao (“CZ”) disclosed that hackers accessed a cross-chain bridge where users transfer digital assets from one blockchain to another. The hackers created 2 million BNB tokens out of thin air.

The PeckShield report listed the Mango Markets Defi protocol as the second biggest loser in October. However, the exploiter agreed to return some of the funds.


Before October, March had recorded the highest losses due to crypto hacks, with around $710 million stolen. Most of this was due to the Ronin Bridge hack, which resulted in $625 million in crypto assets being pilfered.

Causes of the hacks

There are several causes for the high volume of crypto hacks in October. The leading causes include wallets compromised via the Profanity vulnerability, blockchain bridge vulnerabilities, insecure smart contract code, unaccounted-for game theory behind protocol functionality, exploited cross-chain bridges, and oracle price manipulation.

In the case of the crypto lender Mango Markets, the attacker, Avraham Eisenberg, claimed that the actions behind the exploit, an oracle price manipulation, were legal. Following a community vote, an agreement was struck, and Eisenberg walked away with $47 million…

Source…

Ankura CTIX FLASH Update – October 2022 – 3


Ransomware/Malware Activity

Prestige Ransomware Emerges, Targets Ukraine and Poland

A new ransomware variant has emerged in the wild and is being used in targeted attacks against the logistics and transportation sectors in Ukraine and Poland. The variant has been dubbed ‘Prestige’, after the name displayed in the group’s ransom note as ‘Prestige ranusomeware’. Tactics, techniques, and procedures (TTPs) and indicators of compromise from this ransomware variant are being clustered by Microsoft under DEV-0960. Prior to deployment, DEV-0960 executes stage-one malicious scripts via RemoteExec and Impacket, followed by open-source collection tools used to obtain system administrator credentials. Once the threat actors have laid the groundwork for the ransomware attack, Prestige is deployed and spread throughout the victim’s infrastructure. The Prestige payload can be copied to remote systems and configured to run as a scheduled task, or launched via PowerShell, to establish persistence across several systems within the network. Prestige can also be copied to the Active Directory Domain Controller and distributed through Group Policy. The targeting of DEV-0960 appears aligned with Russian interests, focusing on Russia’s adversaries in the Russia-Ukraine conflict. CTIX analysts will continue to monitor the evolution of ransomware throughout the landscape and provide additional details accordingly.

Threat Actor Activity

Operation CuckooBees Revived, APT41 Targets Organizations in Hong Kong

APT41 threat actors have launched a campaign targeting organizations throughout Hong Kong. Based on known tactics, techniques, and procedures (TTPs), this is likely a continuation of Operation CuckooBees. The original espionage operation was a massive intellectual property theft campaign which allowed APT41 threat actors to exfiltrate hundreds of gigabytes worth of research documentation, source code, manufacturing data, formulas, and diagrams. The majority of these attacks occurred throughout Eastern Asia, North America, and Western Europe. Recent activity surrounding this operation was uncovered when security analysts from Symantec identified traces of the Spyder Loader…

Source…