Tag Archive for: sectors

Experts Warn of Hacking Group Targeting Aviation and Defense Sectors


Entities in the aviation, aerospace, transportation, manufacturing, and defense industries have been targeted by a persistent threat group since at least 2017 as part of a string of spear-phishing campaigns mounted to deliver a variety of remote access trojans (RATs) on compromised systems.

The use of commodity malware such as AsyncRAT and NetWire, among others, has led enterprise security firm Proofpoint to attribute the activity to a “cybercriminal threat actor” it tracks as TA2541, one that employs “broad targeting with high volume messages.” The ultimate objective of the intrusions is not yet known.

The social engineering lures used by the group do not rely on topical themes but rather on decoy messages related to aviation, logistics, transportation, and travel. That said, TA2541 did briefly pivot to COVID-19-themed lures in the spring of 2020, distributing emails concerning cargo shipments of personal protective equipment (PPE) or testing kits.


“While TA2541 is consistent in some behaviors, such as using emails masquerading as aviation companies to distribute remote access trojans, other tactics such as delivery method, attachments, URLs, infrastructure, and malware type have changed,” Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, told The Hacker News.

While earlier versions of the campaign utilized macro-laden Microsoft Word attachments to drop the RAT payload, recent attacks include links to cloud services hosting the malware. The phishing attacks are said to strike hundreds of organizations globally, with recurring targets observed in North America, Europe, and the Middle East.

Beyond the recurring themes, some infection chains have also used Discord app URLs pointing to compressed files that contain AgentTesla or Imminent Monitor, an example of a legitimate content delivery network being abused to distribute information-stealing implants that give the operators remote control of compromised machines.

“Mitigating threats hosted on legitimate services continues to be a difficult vector to defend against as it likely involves implementation of a robust detection stack or policy-based blocking of services which might be business-relevant,”…
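One way to turn the delivery pattern described above (links to cloud-hosted or Discord-CDN archives rather than macro documents) into a mail-gateway check. This is an added example, not Proofpoint's or the article's code; the hosting-domain list, the payload-extension list and the sample email body are constructed for illustration and would be tuned to what is actually business-relevant in a given environment:

```python
"""Added example: classify URLs found in an email body by whether they point
at a file-hosting/CDN service and whether they end in an archive or
executable. Domain list, extension list and sample message are constructed
assumptions, not data from the article."""
import re
from urllib.parse import urlparse

# Assumed list of services that are legitimately used by staff but also abused
# to host payloads. cdn.discordapp.com is Discord's real CDN hostname; the
# rest would be filled in per environment.
HOSTING_DOMAINS = {
    "cdn.discordapp.com",
    "discordapp.com",
    "media.discordapp.net",
}

# Extensions that should never arrive as a bare download link from a CDN.
PAYLOAD_EXTS = {".zip", ".rar", ".7z", ".iso", ".img", ".exe", ".scr", ".js", ".vbs"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _extension(path):
    """Last extension of the URL path (handles 'Invoice.pdf.exe' -> '.exe')."""
    m = re.search(r"(\.[a-z0-9]{1,4})$", path.lower())
    return m.group(1) if m else ""


def classify_url(url):
    """Return 'block', 'review' or 'allow' for one URL.

    block  : CDN/file-host link whose path ends in an archive or executable
    review : CDN/file-host link to something else, or an archive/executable
             hosted anywhere else
    allow  : neither condition holds
    """
    p = urlparse(url.rstrip(".,;)"))
    host = (p.hostname or "").lower()
    ext = _extension(p.path)  # query string is excluded by urlparse
    on_cdn = host in HOSTING_DOMAINS or any(
        host.endswith("." + d) for d in HOSTING_DOMAINS
    )
    if on_cdn and ext in PAYLOAD_EXTS:
        return "block"
    if on_cdn or ext in PAYLOAD_EXTS:
        return "review"
    return "allow"


def scan_email(body):
    """Return [(url, verdict), ...] for every URL in the message body."""
    return [(u, classify_url(u)) for u in URL_RE.findall(body)]


# Constructed sample message (not a real TA2541 lure).
SAMPLE_BODY = (
    "Please confirm the attached flight manifest.\n"
    "Documents: https://cdn.discordapp.com/attachments/1111/2222/Flight_Details.zip\n"
    "Tracking: https://www.example-airline.com/track?ref=AV1234\n"
    "Invoice: https://files.example-host.net/shared/Invoice_0221.rar\n"
)

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_BODY):
        print(f"{verdict:7} {url}")
```

The point of the three-way verdict is the trade-off the quote alludes to: a flat block of Discord or a file-sharing service breaks legitimate use, while blocking only the combination of "hosted on a CDN" and "ends in an archive or executable" catches the observed delivery chain with far less collateral damage.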


FBI Warns That Cuba Ransomware Gang Made $44 Million After Compromising 49 Critical Infrastructure Entities in Five Sectors


The Federal Bureau of Investigation (FBI) warned that the Cuba ransomware gang earned more than $43.9 million in ransom after compromising at least 49 critical infrastructure entities.

Despite its name, cyber forensic experts believe that the Cuba ransomware gang is based in Russia, a country widely suspected of harboring many cybercriminal groups.

According to the FBI, Cuba ransomware gang victims include (but are not limited to) organizations in the financial, government, healthcare, manufacturing, and information technology sectors.

The FBI noted that Cuba ransomware actors had demanded up to $74 million in ransom payments.

Cuba ransomware gang partners with Hancitor malware operators

The FBI traced Cuba ransomware infections to Hancitor malware, which gains initial access through phishing campaigns, Microsoft Exchange vulnerabilities, compromised credentials, and brute-forced remote desktop protocol (RDP) logins.

The Hancitor operators add compromised devices to a botnet, run it as malware-as-a-service (MaaS) infrastructure, and share access with other ransomware groups.

“Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims’ networks,” the FBI wrote.

In April, McAfee had noted there was no evidence connecting the two groups, which suggests the collaboration is a new partnership.

FBI publishes the indicators of compromise and TTPs employed by the Cuba ransomware gang

The FBI released the indicators of compromise (IoCs) and the tactics, techniques, and procedures (TTPs) employed by the ransomware gang to assist organizations to defend against Cuba ransomware attacks.

According to the FBI flash alert, the Cuba ransomware gang uses legitimate Windows tools such as PowerShell and PsExec, together with Windows administrative privileges, to execute its malware before dropping a Cobalt Strike beacon.

Additionally, the malware drops two further payloads: “pones.exe”, used to steal passwords, and “krots.exe”, which writes to a temporary (TMP) file. That TMP file contains API calls related to memory injection.

“One of the initial PowerShell script functions…
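The tradecraft the FBI describes (RDP brute-forcing for access, then PsExec and PowerShell under admin rights before the Cobalt Strike beacon) is largely visible in standard Windows event logs. The following is an added example, not code from the FBI alert or the article: simple detection logic run over a handful of constructed event records (not real telemetry). The event IDs are the standard Windows ones (4625/4624 logon failure/success, 7045 service installed, 4688 process creation); the failure threshold and flag list are assumptions to tune:

```python
"""Added example: detections for the Cuba/Hancitor tradecraft described
above, run over constructed Windows event records. Event IDs are standard
Windows ones; threshold and flag list are assumptions."""
from collections import defaultdict

RDP_LOGON_TYPE = 10   # RemoteInteractive. Note: with NLA, failures may be logged as type 3.
FAIL_THRESHOLD = 5    # assumed: failed logons per (source, user) before alerting

# Constructed sample events, ordered by time (ts). Not real log data.
EVENTS = [
    *[{"ts": t, "id": 4625, "host": "FS01", "src": "203.0.113.7",
       "user": "admin", "logon_type": 10} for t in range(1, 7)],
    {"ts": 7, "id": 4624, "host": "FS01", "src": "203.0.113.7",
     "user": "admin", "logon_type": 10},
    {"ts": 8, "id": 7045, "host": "FS01", "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": 9, "id": 4688, "host": "FS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ts": 10, "id": 4688, "host": "WS22",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},
]


def rdp_bruteforce(events, threshold=FAIL_THRESHOLD):
    """Password guessing over RDP: at least `threshold` failures for one
    (source, user) pair followed by a success for that same pair.
    Returns [(src, user, failure_count), ...]."""
    fails = defaultdict(int)
    last_fail_ts = {}
    hits = []
    for e in events:  # assumed time-ordered
        if e.get("logon_type") != RDP_LOGON_TYPE:
            continue
        key = (e["src"], e["user"])
        if e["id"] == 4625:
            fails[key] += 1
            last_fail_ts[key] = e["ts"]
        elif e["id"] == 4624 and fails[key] >= threshold and e["ts"] > last_fail_ts.get(key, -1):
            hits.append((e["src"], e["user"], fails[key]))
    return hits


def psexec_installs(events):
    """Hosts where PsExec's remote service (PSEXESVC) was installed (ID 7045)."""
    return [e["host"] for e in events
            if e["id"] == 7045 and (e.get("service", "").upper() == "PSEXESVC"
                                    or "psexesvc" in e.get("image", "").lower())]


# Assumed flag list: encoded commands and hidden windows are the usual tells.
SUSPICIOUS_PS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "-nop")


def suspicious_powershell(events):
    """Process creations (ID 4688) of powershell.exe with suspicious flags."""
    out = []
    for e in events:
        if e["id"] != 4688 or not e.get("image", "").lower().endswith("powershell.exe"):
            continue
        cmd = e.get("cmdline", "").lower()
        if any(flag in cmd for flag in SUSPICIOUS_PS_FLAGS):
            out.append(e)
    return out


def detect(events):
    """Run all three detections and return human-readable alert strings."""
    alerts = []
    for src, user, n in rdp_bruteforce(events):
        alerts.append(f"RDP brute force: {n} failures then success for {user} from {src}")
    for host in psexec_installs(events):
        alerts.append(f"PsExec service installed on {host}")
    for e in suspicious_powershell(events):
        alerts.append(f"Suspicious PowerShell on {e['host']}: {e['cmdline'][:60]}")
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The three detections are deliberately independent, but what makes the Cuba chain distinctive is their order on one host: an RDP success after a run of failures, then a PSEXESVC install, then encoded PowerShell. Correlating them by host and time window is the obvious next step for a SIEM rule.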


Hackers have breached organizations in defense and other sensitive sectors, security firm says



(CNN) — Suspected foreign hackers have breached nine organizations in the defense, energy, health care, technology and education sectors — and at least one of those organizations is in the US, according to findings that security firm Palo Alto Networks shared exclusively with CNN.

With the help of the National Security Agency, cybersecurity researchers are exposing an ongoing effort by these unidentified hackers to steal key data from US defense contractors and other sensitive targets.

It’s the type of cyber espionage that security agencies in both the Biden and Trump administrations have aggressively sought to expose before it does too much damage. The goal in going public with the information is to warn other corporations that might be targeted and to burn the hackers’ tools in the process.

Officials from the NSA and the US Cybersecurity and Infrastructure Security Agency (CISA) are tracking the threat. A division of the NSA responsible for mitigating foreign cyber threats to the US defense industrial base contributed analysis to the Palo Alto Networks report.

In this case, the hackers have stolen passwords from some targeted organizations with a goal of maintaining long-term access to those networks, Ryan Olson, a senior Palo Alto Networks executive, told CNN. The intruders could then be well placed to intercept sensitive data sent over email or stored on computer systems until they are kicked out of the network.

Olson said that the nine confirmed victims are the “tip of the spear” of the apparent spying campaign, and that he expects more victims to emerge. It’s unclear who is responsible for the activity, but Palo Alto Networks said some of the attackers’ tactics and tools overlap with those used by a suspected Chinese hacking…


Security Watch: Interconnected sectors raise need for robust cyber defence strategy


Even as contradictory claims emerge from the Centre and the Maharashtra government over the involvement of Chinese actors in the Mumbai power outage of October last year, the allegations have put focus on the need for India to be better prepared to protect its critical infrastructure against the globally rising number of cyber-attack attempts on key infrastructure. Cybersecurity experts pointed out that this is particularly significant given the increasing interconnectedness of sectors and the proliferation of entry points into the internet, which could grow further with the adoption of 5G.

A National Cyber Security Strategy is being formulated by the Office of National Cyber Security Coordinator at the National Security Council Secretariat. A strategy document prepared by an inter-ministerial task force involving representatives from different central government ministries and departments has now been forwarded to an Empowered Technology Group for consultation. Once the process is through, the document will be placed before the Cabinet Committee on Security for deliberations and approval.

Hackers targeting critical infrastructure is not a new trend, but experts believe the potential for damage is greater than ever, especially with countries investing in offensive cyber capabilities. In 2015, in what was the first known successful cyber attack on a power grid, hackers compromised the systems of three energy distribution companies in Ukraine, disrupting electricity supply.

“Critical infrastructure is getting digitised in a very fast way — this includes financial services, banks, power, manufacturing, nuclear power plants, etc. Because of these a lot of security issues arise. We just saw the SolarWinds hack, which impacted national critical infrastructure in the US. Most countries are not prepared for combating the sophistication of attacks that are happening,” Saket Modi, co-founder & CEO of cybersecurity firm Safe Security told The Indian Express.

“A lot of countries have started taking advantage of this. They’re spending unprecedented amounts of money and are building armies. Israel is a good example, they say that there is a fourth unit in the defence system, which is for…
