Tag Archive for: related

LockBit ransomware gang steals data related to security of UK military bases, due to unpatched Windows 7 PC • Graham Cluley



An attack by the notorious LockBit ransomware gang stole 10 GB of data from a company that provides high-security fencing for military bases.

Zaun says that on 5-6 August a “sophisticated cyber attack” saw hackers exploit an obsolete Windows 7 PC to gain access to the company’s servers, and exfiltrate data which has since been published on the dark web.

According to the firm, classified documents are not believed to have been included in the haul:

“LockBit will have potentially gained access to some historic emails, orders, drawings and project files; we do not believe that any classified documents were stored on the system or have been compromised. We are in contact with relevant agencies and will keep these updated as more information becomes available. This is an ongoing investigation and as such subject to further updates.”

In what appears to be an attempt to reduce concern about the security breach, Zaun says that its perimeter fencing is hardly top secret:

“Zaun is a manufacturer of fencing systems and not a Government approved security contractor. As a manufacturer of perimeter fencing, any member of the public can walk up to our fencing that has been installed at these sites and look at it.”

Well, maybe that’s the case. But I would still be alarmed if there was sensitive information contained in the emails and other documents that were stolen: for instance, the contact details of personnel at military sites, or the specifics of a highly sensitive site’s physical security.

I get the feeling that Zaun may know what it is doing when it comes to physical security, but may be lagging a little behind when it comes to digital security. Mainstream support for Windows 7 ended back in 2015.

Even if your organisation had managed to get itself on the list for extended Windows 7 security updates, those updates ended in January 2023.

Zaun says it has contacted the National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO) about the data breach.


Source…

Chambersburg School District’s network disruption related to ransomware



The Chambersburg Area School District in Franklin County says the network disruption it has been dealing with is related to ransomware.

Classes were back in session Thursday after being canceled for three days because of what the district called a “computer network issue.”

The district has brought in forensic experts to look into the problem.

In the latest message posted to its website, the district said, “We will continue to investigate to determine the full nature and scope of this event working alongside our subject matter specialists as well as law enforcement. We remain dedicated to the safety of our school community and the privacy of the personal and confidential information in our care and will continue to provide further updates as more information is confirmed. Thank you for your ongoing patience and support during this time.”

Source…

CT’s ECHN cyberattacks may not be related to FBI hacking probe


The FBI has taken down a massive automated hacking system that is responsible for infecting hundreds of thousands of computers throughout the world and for enabling ransomware attacks, but it doesn’t appear to be connected to the Prospect Medical Holdings attack impacting Connecticut hospitals.

The system named Qakbot did infiltrate computer systems on the East Coast, but those attacks targeted “financial institutions,” FBI Director Christopher Wray said when announcing the takedown.

It also attacked a medical device manufacturer on the West Coast, he said.

While Prospect is based in California, Wray did not identify any health care providers impacted by the malware system, nor did an FBI press release.

Prospect facilities in Connecticut, including Manchester, Rockville, and Waterbury hospitals, were the victims of a cyberattack on Aug. 3.

Last year, Wray said that the system was used to steal gigabytes from a health care provider, and that stolen data was later leaked on the dark web.

Source…

COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises


Mandiant identified novel operational technology (OT) / industrial control system (ICS)-oriented malware, which we track as COSMICENERGY, uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia. 

COSMICENERGY is the latest example of specialized OT malware capable of causing cyber-physical impacts, which are rarely discovered or disclosed. What makes COSMICENERGY unique is that, based on our analysis, a contractor may have developed it as a red teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar, a Russian cyber security company. Analysis of the malware and its functionality reveals that its capabilities are comparable to those employed in previous incidents and malware, such as INDUSTROYER and INDUSTROYER.V2, which were both malware variants deployed in the past to impact electricity transmission and distribution via IEC-104.

The discovery of COSMICENERGY illustrates that the barriers to entry for developing offensive OT capabilities are lowering as actors leverage knowledge from prior attacks to develop new malware. Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe COSMICENERGY poses a plausible threat to affected electric grid assets. OT asset owners leveraging IEC-104 compliant devices should take action to preempt potential in-the-wild deployment of COSMICENERGY.

COSMICENERGY Overview

COSMICENERGY’s capabilities and overall attack strategy appear reminiscent of the 2016 INDUSTROYER incident, which issued IEC-104 ON/OFF commands to interact with RTUs and, according to one analysis, may have made use of an MSSQL server as a conduit system to access OT. Leveraging this access, an attacker can send remote commands to affect the actuation of power line switches and circuit breakers to cause power disruption. COSMICENERGY accomplishes this via its two derivative…

Source…