Tag Archive for: Suspected

Missouri county declares state of emergency amid suspected ransomware attack


Downtown Kansas City, Missouri, which is part of Jackson County.

Jackson County, Missouri, has declared a state of emergency and closed key offices indefinitely as it responds to what officials believe is a ransomware attack that has made some of its IT systems inoperable.

“Jackson County has identified significant disruptions within its IT systems, potentially attributable to a ransomware attack,” officials wrote Tuesday. “Early indications suggest operational inconsistencies across its digital infrastructure and certain systems have been rendered inoperative while others continue to function as normal.”

The systems confirmed inoperable include tax and online property payments, issuance of marriage licenses, and inmate searches. In response, the Assessment, Collection and Recorder of Deeds offices at all county locations are closed until further notice.

The closure occurred on the same day the county was holding a special election on a proposed sales tax to fund a stadium for MLB’s Kansas City Royals and the NFL’s Kansas City Chiefs. Neither the Jackson County Board of Elections nor the Kansas City Board of Elections has been affected by the attack; both remain open.

To date, ransomware attacks have hit 28 county, municipal, or tribal governments this year, according to Brett Callow, a threat analyst with security firm Emsisoft. Last year, there were 95; 106 occurred in 2022.

The Jackson County website says there are 654,000 residents in the 607-square-mile county, which includes most of Kansas City, the biggest city in Missouri.

The response to the attack and the investigation into it have just begun, but so far, officials said they had no evidence that data had been compromised.

“We are currently in the early stages of our diagnostic procedures, working closely with our cybersecurity partners to thoroughly explore all possibilities and identify the root cause of the situation,” officials wrote. “While the investigation considers ransomware as a…

Source…

Maltese suspected hacker to be extradited to United States for computer malware crimes


A Maltese man is waiting to be extradited to the United States after an operation by the Maltese police assisting the FBI in investigations led to his arrest.

Daniel Joe Meli, who is 27 years old, is believed to have worked with non-Maltese individuals in connection with the sale of illegal malware on the dark web. The accused, who is from Żabbar, was also said to have offered mentoring services on a hack forum, an internet forum for hacker culture and computer security.

The malware, a remote access trojan or RAT, is used by criminals to gain access to computers and servers and control their operation. The police said there were several victims in the United States who had fallen prey to this RAT, with no reported victims in Malta so far.

Meli’s social media profiles suggest that he used to work for Air Malta as a check-in agent and that he now works for Aviaserve.

The investigations in Malta, overseen by the police cybercrime unit, were initiated following a request for assistance from the United States, which indicated that the prime suspect in the sale of this RAT is Maltese.

The investigations led to the identification of the Maltese suspect and revealed his association with other criminals who are not Maltese and do not reside in Malta.

The suspect was arrested at his workplace in Gudja on 7 February, and during searches conducted at various locations related to the suspect, numerous items linked to this investigation were seized.

The 27-year-old man appeared in court on Thursday afternoon before Magistrate Dr. Giannella Camilleri Busuttil LL.D, to begin extradition proceedings to the United States, where he will face charges before the American court.

He has consented to extradition and is being held in custody at the Correctional Facility in Kordin.

In connection with this investigation, a Nigerian accomplice, residing in Nigeria, was also arrested.

Operations in various countries related to the same illegal malware trade on the dark web were being coordinated by Europol, involving several other states, including the Australian Federal Police, the Canadian Police, Croatian Police, Finnish Police, Dutch Police, Romanian Police, German Police, and Nigerian…

Source…

Suspected Akira ransomware attack against Tietoevry disrupts Sweden


Massachusetts-based Anna Jaques Hospital has admitted that it was compromised by the Money Message ransomware gang in a Christmas Day attack, which the gang claims resulted in the exfiltration of 600GB of data, as well as information from Beth Israel Lahey Health, which manages AJH, reports The Record, a news site run by cybersecurity firm Recorded Future.

Source…

Ivanti VPN vulnerabilities exploited by suspected espionage group UNC5221


New details have emerged surrounding two zero-day vulnerabilities affecting Ivanti Connect Secure VPN (formerly known as Pulse Secure) and Ivanti Policy Secure appliances. Details of these vulnerabilities were published by cybersecurity firm Mandiant. The reported vulnerabilities have been actively exploited in the wild, beginning as early as December 2023.

Threat actor UNC5221, a suspected espionage group currently being monitored by Mandiant, is believed to be behind the exploitation of these vulnerabilities. As highlighted by Mandiant Consulting CTO Charles Carmakal, these CVEs, when chained together, result in unauthenticated remote code execution.

UNC5221 reportedly employed multiple custom malware families to conduct post-exploitation espionage activity after successfully exploiting the zero-day vulnerabilities. This includes establishing footholds for continued access to the Connect Secure (CS) appliances.

According to Mandiant’s researchers, the group’s preparation for maintaining persistent access to the CS appliances suggests that these are not merely opportunistic attacks. It appears UNC5221 planned to maintain its presence on a subset of high-priority targets it had compromised, even after an eventual patch release.

Mandiant’s researchers added that, similar to UNC5221, they had previously noted multiple suspected APT actors resorting to appliance-specific malware to facilitate post-exploitation and evade detection. These cases, coupled with findings related to targeting, have led Mandiant to believe that this could be an espionage-motivated APT campaign.

While Mandiant continues to investigate these attacks in detail, early findings also note that UNC5221 primarily utilised compromised, out-of-support Cyberoam VPN appliances for its command and control. The compromised devices were located in the victims’ own countries, likely further aiding the threat actor in evading detection.

Patches are currently being developed, with Ivanti customers advised to stay updated on release timelines. At present, Mandiant has not linked this activity to a previously known group. It also doesn’t currently have enough data to ascertain the origin of UNC5221.

The custom malware families used by…

Source…