Tag: research | SpinSafe

Research reveals a resurfaced botnet targeting end-of-life devices

April 4, 2024/in Internet Security

Research from the Black Lotus Labs team at Lumen Technologies has identified multi-year efforts to target end-of-life (EoL) and IoT devices. Small home and small office routers are a particular target of this campaign, which is associated with an updated version of malware known as TheMoon.

“As we’ve expanded the types of devices that have operating systems in them, we haven’t kept up with the lessons learned from desktop and server computing, namely that automatic updates are the norm. This problem is exacerbated by consumers using devices for much longer periods of time than manufacturers want,” says John Bambenek, President at Bambenek Consulting. “By using security updates as leverage for buying new products, the net result is infected devices that are used in cybercrime. Criminals have all the time in the world to be patient, they are already netting a strong cash flow and there are more infectable devices than they have time to exploit.”

TheMoon emerged in 2014 and has been operating quietly ever since. Between January and February of 2024, it has grown to more than 40,000 bots across 88 countries. Many of these bots are deployed as the foundation of a cybercriminal-focused proxy service called Faceless.

Faceless is a malicious service, offering anonymity services to cybercriminals for a negligible price. Malicious actors utilizing Faceless services can divert their traffic to hide their origins.

Jason Soroko, the Senior Vice President of Product at Sectigo, says, “Routers and other networking equipment that use passwords have been easy victims to pray and spray attacks for years. It is unfortunate that stronger forms of authentication are not common. What’s new here is the usage of proxy networks for C2 traffic obfuscation. It shows that de-anonymizing Tor and VPN traffic is not only happening, but has been successfully used against attackers.”

Source…

Delinea Research Reveals that Ransomware Is Back on the Rise As Cybercriminals’ Motivation Shifts to Data Exfiltration

February 1, 2024/in Internet Security

PRESS RELEASE

SAN FRANCISCO, Jan. 30, 2024 /PRNewswire/ — Delinea, a leading provider of solutions that seamlessly extend Privileged Access Management (PAM), today published its annual “State of Ransomware” report which shows that ransomware attacks are increasing again and reveals a change in strategy among cybercriminals. The familiar tactics of crippling a company and holding it hostage have been replaced by new strategies that use stealth to exfiltrate private and sensitive data. Cybercriminals then frequently threaten to sell it to the highest bidder on the darknet or leverage it to reap a handsome cyber insurance payment.

Titled, “State of Ransomware 2024: Anticipating the Battle and Strengthening Your Defenses,” the report analyzed data from a Censuswide survey of over 300 US IT and Security decision-makers to identify significant changes compared to data from the previous year’s report and uncover new possible trends. First and foremost, ransomware is back on the rise. Although not back at the levels of 2021, the number of organizations claiming to have been a victim of ransomware in the past 12 months more than doubled since last year, from 25% to 53%. Mid-sized companies appeared to be in cybercriminals’ crosshairs the most, with 65% stating they’ve been a ransomware victim over the past 12 months. Organizations are also paying ransoms more frequently, up to 76% from 68% the prior year.

More striking, however, are the emerging trends in motivations, strategies, and tactics that the survey revealed. Data exfiltration registered a surge of 39% (reported by 64% of respondents, up from 46%) and became a preferred goal for the attackers, who are now gaining control of a company’s network to download sensitive data to sell on the darknet. This trend is also evidenced by the significant downturn of traditional money grabs as the main motivation (34%, down from 69% the year before).

“Ransomware certainly appears to have reached a critical sea change – it’s no longer just about the quick and easy payout,” said Rick Hanson, President at Delinea. “Even as organizations are investing more in safety nets like cyber insurance which often have ransomware payouts included in…

Source…

Ukrainian hackers take out hundreds of Russian space research servers and supercomputers

January 25, 2024/in Internet Security

The cyber warfare between Russia and Ukraine continues as hackers from the latter launch an attack and destroy the database and infrastructure of Russia’s Far Eastern Research Center of Space Hydrometeorology, “Planeta”.

According to Ukraine’s military intelligence agency, the attack resulted in two petabytes of data and 280 servers being destroyed. Additionally, a digital array valued at US$10 million was also lost in the attack, as well as disabling the research centre’s supercomputers beyond repair through the destruction of software.

“One such computing device together with software costs US$350,000. In the conditions of strict sanctions against Russia, to get such a software again it is impossible,” wrote Ukrainian Defence.

Data included satellite and meteorological data used by the Roscosmos space agency, Russian Defence, emergency situations ministries and other government departments.

Adding salt to the wound, airconditioning, emergency power, and humidification systems were also disabled.

“In total, dozens of strategic companies of the Russian Federation, which work on ‘defense’ and play a key role in supporting Russian occupation troops, will remain without critically important information and services for a long time,” the agency added.

“Glory to Ukraine!”

The attack is the latest in a series between Ukraine and Russia, with the latter recently disabling Ukraine’s largest telco, Kyivstar.

The attack, which occurred in December last year, resulted in service outages the telco originally said were the fault of a technical failure, before confirming a cyber attack.

The attack left Kyivstar’s over 25 million customer base, over half the country’s population, without mobile and home internet services.

A day after the incident, the attack was claimed by Russian hackers from the Solntsepek group, which said they wiped thousands of servers and 10,000 computers.

“We, the Solntsepek hackers, take full responsibility for the cyber attack on Kyivstar. We destroyed 10 thousand computers, more than 4 thousand servers, all cloud storage and backup systems,” said the group on Telegram.

“We attacked Kyivstar because the…

Source…