Tag Archive for: targeting

Feds disrupt major ransomware group targeting schools, law firms, hospitals


The U.S. Department of Justice has disrupted a major ransomware group — and enabled some people to restore their systems — with South Florida playing a central role in the cybercrime investigation, authorities said.

The FBI this month seized several websites operated by the Blackcat ransomware group, launched a disruption campaign, and “gained visibility” into the group’s computer network, according to an affidavit supporting a search warrant unsealed Tuesday in the Southern District of Florida.

The FBI developed a decryption tool that allowed its field offices nationwide and international law enforcement partners to offer more than 500 affected victims the capability to restore their computer systems, the Justice Department said. To date, the FBI has saved victims from ransom demands totaling approximately $68 million.

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” said Deputy Attorney General Lisa Monaco in a statement Tuesday.

The FBI Miami Field Office is leading the investigation and the case involves federal prosecutors in Miami.

The Blackcat ransomware group is also known as ALPHV or Noberus. Ransomware is malicious software that denies individuals access to computer systems until one pays a ransom. Typically, cybercriminals encrypt an individual’s computer and then demand a ransom before decrypting it. Payment is usually requested in cryptocurrency and to addresses controlled by the criminals.

“With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online,” Monaco noted. “We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”

A message from a ransomware attack. The FBI disrupted a major ransomware group — Blackcat — with South Florida playing a central role in the cybercrime investigation, authorities said.

Over the past 18 months, ALPHV/Blackcat has become the second most prolific ransomware in the world based on the hundreds of millions of dollars in ransom paid by victims, the…

Source…

Cybercriminals expand targeting of Iranian bank customers with known mobile malware


Researchers have uncovered more than 200 fake mobile apps that mimic major Iranian banks to steal information from their customers.

The campaign was first discovered in July of this year, but since then, the cybercriminals have expanded their capabilities, according to U.S.-based cybersecurity firm Zimperium.

Initially, the threat actor behind the campaign created 40 credential-harvesting apps imitating four major Iranian banks, including Bank Mellat, Bank Saderat, Resalat Bank and Central Bank of Iran.

These apps mimicked legitimate versions found on the popular Iranian marketplace Cafe Bazaar and were distributed through several phishing websites. The first campaign lasted from December 2022 until May 2023.

In the ongoing campaign detected by Zimperium, the hackers created malicious apps that now imitate 12 Iranian banks. Once installed, these apps also scan victims’ phones to find cryptocurrency wallet apps — an indication that they could be targeted in the future, researchers said.

The earlier versions of fake apps could steal banking login credentials and credit card information, intercept SMS traffic to steal one-time passwords used for authentication, and hide app icons to prevent uninstallation.

In a new campaign, the hackers added more capabilities to their malware to make it easier to harvest credentials and steal data. The hackers also narrowed their focus to Xiaomi and Samsung devices to execute some of the malware features, according to the report.

Other evidence suggests that the attackers are now likely working on a malware variant that targets iOS devices, the researchers said.

In addition to malicious apps, the same threat actor is linked to phishing attacks targeting customers of the same banks. “The phishing campaigns used are sophisticated, trying to mimic original sites in the closest detail,” researchers said. The data stolen by the phishing sites is sent to Telegram channels controlled by hackers.

It is not yet clear which threat actor is behind this campaign and how many users were affected by it.

Last week, researchers at Microsoft uncovered a similar information-stealing campaign targeting customers of Indian banks with mobile malware. The…

Source…

Kazakhstan-based hackers targeting gov’t websites in Central Asia, Cisco says


Hackers believed to be based in Kazakhstan are targeting other members of the Commonwealth of Independent States in a wide-ranging espionage campaign, according to new research.

Cisco’s Talos group has spent months tracking YoroTrooper — a hacking group focused on espionage that first emerged in June 2022. Researchers said the group’s targets, use of Kazakh currency, and fluency in Kazakh and Russian are part of what led them to believe the hackers are based in Kazakhstan.

YoroTrooper appears to have performed defensive actions in protecting the Kazakhstani state-owned email service and to have only ever attacked one Kazakh government body, the Anti-Corruption Agency.

Asheer Malhotra, a Cisco Talos threat researcher, told Recorded Future News that the group has actively tried to disguise its operations to make it seem like the attacks are coming from Azerbaijan in an attempt to “generate false flags and mislead attribution.”

“In terms of their modus operandi, their tactics and tools aren’t very sophisticated, however YoroTrooper has still enjoyed a substantial amount of success compromising targets in CIS [Commonwealth of Independent States] countries over the past two years, owing to their aggressive attempts to target their victims. Further, the threat actor shows no signs of slowing down in spite of Cisco Talos’ initial disclosure detailing YoroTrooper’s activities earlier this year,” Malhotra said.

Cisco Talos tracked attacks involving institutions and officials in Azerbaijan, Tajikistan, Kyrgyzstan and Uzbekistan, with the hackers using VPN services to make it look like their attacks come from Azerbaijan.

The hackers compromised multiple state-owned websites and accounts belonging to government officials between May 2023 and August 2023.

Most of the attacks start with phishing emails and deploy custom-made malware that allows the group to steal data and credentials.

Countries attacked by YoroTrooper. Image: Cisco Talos

Researchers found the hackers using Russian in their attempts to debug their tools while also visiting numerous websites written in Kazakh. In June the hackers began using Uzbek in their code, another language spoken widely in Kazakhstan.

The hackers use cryptocurrency…

Source…

Rising Wave of Hacking Attempts Targeting Sensitive Data on NHIS Servers


The number of hacking attempts from abroad targeting the health insurance server, which contains personal, financial, and medical information, is on a steep rise. (Image courtesy of Yonhap)

SEOUL, Oct. 19 (Korea Bizwire) – The number of hacking attempts from abroad targeting the health insurance server, which contains personal, financial, and medical information, is on a steep rise.

According to data from the National Health Insurance Service (NHIS) on Wednesday, cyberattacks on NHIS servers have been on the rise since the NHIS implemented in-house security control in 2019.

The number of cyberattack attempts detected by the NHIS over the past five years amounted to 1,781 in 2019, 3,684 in 2020, 3,489 in 2021, 8,429 in 2022, and 8,448 cases so far this year.

At 98.3 percent, almost all of the cyberattack attempts are made from abroad. By country, China had the largest share, followed by the U.S., the Netherlands, and Germany. Data on cyberattack attempts from North Korea is not compiled, as North Korean IP addresses are blocked outright at the NHIS communication server.

Approximately 64.3 percent of the cyberattack attempts occurred outside official work hours. According to the NHIS, all detected cyberattack attempts were blocked, and no data breach has occurred to date.

The NHIS handles personal information, including ID numbers, financial information such as cards and accounts, and medical information, including medical checkups and recuperation allowances, for 57 million individuals.

To cope with the increase in cyberattacks and advancements in hacking techniques, the NHIS is working on several countermeasures, including expanding dedicated staff, mobilizing a multi-layered defense system, and operating a segregated Internet network.

Kevin Lee


Source…