Tag Archive for: Ransomware

Prevent Ransomware with Proper Policy Hygiene


Ransomware attacks typically begin with phishing, stolen credentials, or exploitation of unpatched vulnerabilities. Once inside, the attacker moves laterally in search of the crown jewels, a concentration of data worth holding hostage. Good policy hygiene and tight access control are paramount in stopping the intruder before that data is ever reached.

Remember the Target breach of 2013? Attackers stole the credentials of an HVAC contractor, used them to get onto Target's network, moved laterally until they found the payment (PCI) network, and installed malware on point-of-sale devices across Target's U.S. stores. Overly permissive network access made this possible. A clean set of firewall policies and a segmented network would have confined the intruder to exactly the access the original victim, the HVAC contractor, actually required.


Access within an organization should be limited to what the business actually needs: nothing more, nothing less. That is good policy hygiene. Unnecessary complexity, caused by things like duplicate or redundant rules and shadowed rules (rules that an earlier, broader rule prevents from ever matching), increases the probability of misconfiguration, human error, and risk. Attackers count on humans making these mistakes, which open paths to use as attack vectors, and they are rarely disappointed.

Unnecessary complexity is often a byproduct of day-to-day operations. A port is opened for RDP (Remote Desktop Protocol) for troubleshooting but is never closed. Access is granted for temporary communication between two devices but is left open as meetings and other priorities fill the day. A rule is created for a resource and is not removed once that resource is decommissioned. The scenarios are endless but the result is the same: rules are created, then forgotten, and the resulting policy clutter grants inadvertent access and leaves gaps for criminals to exploit. With thousands of rules spread across hundreds of devices and platforms, managing these policies by hand is nearly impossible.
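As an added illustration (this is not FireMon's code and was not part of the original post), the following Python script audits a small, constructed, first-match rulebase for exactly the kinds of clutter described above: a rule fully covered by an earlier rule with the same action (redundant), a rule fully covered by an earlier rule with the opposite action (shadowed, so it never matches anything), rules whose ticket-driven expiry date has passed, rules with zero hits, and allow rules open to any source on any protocol. The rule names, addresses, hit counts and audit date are all made up for the example.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Tuple

ANY_PORTS = (0, 65535)  # inclusive port range meaning "any port"


@dataclass(frozen=True)
class Rule:
    """One entry of an ordered, first-match firewall rulebase (constructed format)."""
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str                      # "tcp", "udp" or "any"
    ports: Tuple[int, int]          # inclusive destination port range
    action: str                     # "allow" or "deny"
    hits: int = 0                   # hit counter exported by the enforcement point
    expires: Optional[date] = None  # set for ticket-driven temporary access


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet that matches `inner` also matches `outer`."""
    return (
        inner.src.subnet_of(outer.src)
        and inner.dst.subnet_of(outer.dst)
        and (outer.proto == "any" or outer.proto == inner.proto)
        and outer.ports[0] <= inner.ports[0]
        and inner.ports[1] <= outer.ports[1]
    )


def audit(rules: List[Rule], today: date) -> Dict[str, List[str]]:
    """Return {rule name: [hygiene issues]} for every rule with at least one issue.

    In a first-match rulebase a rule completely covered by an earlier rule is dead:
    redundant if the actions agree, shadowed if they differ. A shadowed deny is the
    dangerous case, because the earlier, broader allow always wins.
    """
    findings: Dict[str, List[str]] = {}
    for position, rule in enumerate(rules):
        issues: List[str] = []
        for earlier in rules[:position]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                issues.append(f"{kind} by {earlier.name}")
                break
        if rule.action == "allow" and rule.src.prefixlen == 0 and rule.proto == "any":
            issues.append("overly permissive")
        if rule.expires is not None and rule.expires < today:
            issues.append("expired")
        if rule.hits == 0:
            issues.append("unused")
        if issues:
            findings[rule.name] = issues
    return findings


# Constructed sample rulebase, listed in enforcement order.
SAMPLE_RULES = [
    Rule("rdp-troubleshoot", ip_network("10.0.0.0/8"), ip_network("10.20.0.0/16"),
         "tcp", (3389, 3389), "allow", hits=0, expires=date(2022, 6, 30)),
    Rule("rdp-jumphost", ip_network("10.10.0.0/16"), ip_network("10.20.5.0/24"),
         "tcp", (3389, 3389), "allow", hits=0),
    Rule("vendor-any", ip_network("0.0.0.0/0"), ip_network("10.30.0.0/16"),
         "any", ANY_PORTS, "allow", hits=5120),
    Rule("block-smb-vendor", ip_network("172.16.0.0/12"), ip_network("10.30.9.0/24"),
         "tcp", (445, 445), "deny", hits=0),
    Rule("web-to-api", ip_network("192.168.1.0/24"), ip_network("10.40.0.10/32"),
         "tcp", (443, 443), "allow", hits=120),
]
AUDIT_DATE = date(2022, 9, 1)  # assumed "today" for the expiry check


def run_demo() -> Dict[str, List[str]]:
    """Audit the constructed rulebase; only the clean rule web-to-api is absent."""
    return audit(SAMPLE_RULES, AUDIT_DATE)


if __name__ == "__main__":
    for name, issues in run_demo().items():
        print(f"{name}: {', '.join(issues)}")
```

Running the script reports the forgotten troubleshooting rule as expired and unused, the narrower RDP rule as redundant, the wide-open vendor rule as overly permissive, and the SMB block as shadowed by that vendor rule: the deny is on the books but never takes effect, which is precisely the kind of gap the paragraph above warns about. Real rulebases also need object-group expansion, IPv6, and per-interface/zone scoping, which this example leaves out.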

FireMon provides a solution to this problem. By centralizing all of your security policy enforcement data into a single pane, a rule repository, FireMon allows you to manage policies across all of…

Source…

Emotet Resurfacing as Power Player in Ransomware Wars, Avertium Warns


Avertium, a Top 250 MSSP, releases report that dives deep into the notorious Emotet botnet and warns of its criminal intent.

Avertium, a Top 250 MSSP, has released a new threat intelligence report that takes a deep dive on the notorious Emotet botnet and warns organizations of its criminal capabilities.

Emotet has a history of disappearing and re-emerging, most notably going underground after a coordinated takedown across eight countries in January 2021 dismantled what was then regarded as the world's most dangerous malware operation. International law enforcement, including the Federal Bureau of Investigation (FBI), gained control of Emotet's infrastructure. The effort involved hundreds of servers located around the world; investigators took the botnet down from the inside and redirected victims' infected machines to law-enforcement-controlled infrastructure.

Emotet has been linked to many destructive ransomware infections and associated with TrickBot, Dridex, QakBot, Conti/Ryuk, BitPaymer and REvil-associated attacks. The malware, first discovered as a banking trojan in 2014, evolved over time to become the kingpin platform for cyber hijackers.

Emotet was sold as a service to smaller operators and criminal groups as an access key to compromised systems ripe for data theft and ransomware extortion. Following the law enforcement action, the syndicate vanished for roughly 10 months, then resurfaced, and by Q1 2022 was active again with new tactics and targets.

A Deeper Dive Into Emotet

Here’s what’s new with Emotet:

  • In March 2022, during U.S. tax season, Emotet operators impersonated the IRS, sending fake tax forms and bogus federal tax returns to victims.
  • By July 2022, researchers were reporting Emotet as the top malware threat.
  • Threat intelligence firm AdvIntel observed a total of 1,267,598 Emotet infections worldwide so far this year. Emotet activity peaked between February and March 2022, coinciding with the start of the Russia-Ukraine war. On August 8, 2022, AdvIntel confirmed that two education entities in Kansas City were infected with the botnet. Additionally, on August 12,…

Source…

Iranian nationals charged in alleged ransomware conspiracy | WKHM-AM



(NEWARK, N.J.) — Three Iranian nationals attempted to hack into hundreds of computers in the U.S. and around the world, demanding, and sometimes getting, a ransom, according to an indictment unsealed Wednesday.

The four-count grand jury indictment returned in Newark federal court charged the trio with hacking conspiracy, two counts of computer hacking and a count of computer extortion over an alleged ransomware conspiracy that targeted a range of organizations and critical infrastructure sectors such as healthcare centers, power companies and transportation services inside the U.S. and abroad.

Mansour Ahmadi, Ahmad Khatibi Aghda, and Amir Ravari hacked into hundreds of computers inside the U.S. and around the world, often by exploiting known vulnerabilities in network devices or software programs, the indictment said.

Once they gained access to an organization's systems, they would use BitLocker, the disk-encryption feature built into Windows, to encrypt data on their victims' machines and demand a ransom, either threatening to release stolen data or leaving the data encrypted unless they were paid, at times demanding hundreds of thousands of dollars, according to the court filing.

The three men would often send their demands to victims' office printers. Prosecutors detailed some of the correspondence they had with their victims. Those targeted include a domestic violence center, from which Khatibi is alleged to have extorted $13,000; a housing authority, from which he demanded a $500,000 ransom; and the computer systems of a U.S. township and county, the indictment said.

The indictment did not allege involvement by the government of Iran. Instead, the three demanded that the money be paid to themselves, it said, although a U.S. official told reporters that the Iranian government's lax laws could share the blame for failing to go after actors who engage in this type of alleged conspiracy. The official said all three men are still believed to be in Iran and have not been arrested, and acknowledged it is unlikely any of them will see the inside of a U.S. courtroom.

Accompanying the announcement of the indictment, the FBI will release a new joint cybersecurity bulletin…

Source…

Suffolk cyber intrusion has hallmarks of ransomware attack, Bellone says


Suffolk officials said they have detected malware in their probe of a cyber intrusion of county government systems, but had no timeline for when applications will be restored, County Executive Steve Bellone said Tuesday.

The incident, which was discovered last Thursday, had the hallmarks of a ransomware attack, although no monetary amount has been demanded, Bellone said during a news conference in Hauppauge.

Officials did not disclose a possible motive for the attack or say how it began.

“We’re doing everything in our power to ensure as little disruption as possible,” Bellone said. “One of our top priorities is maintaining continuity of operations while our team of experts investigate and determine the full scope and nature of this incident.”

There was no indication the data of county residents has been compromised, Bellone said.

The county immediately shut down its systems after the discovery to contain and eradicate the threat, Bellone said.

Bellone said all county agencies were functioning, although internal operations may be working differently.

The county will soon launch a temporary “landing website” with frequently requested information, he said.

Suffolk had a contract in place with a cybersecurity vendor, had previously conducted staff training, and had a contingency plan in place, Bellone said.

“In Suffolk, we’ve been working to harden our infrastructure over the years,” he said. “We have continued to provide our employees with tools to help … mitigate these types of incidents.”

Source…