Tag Archive for: Targets

Ransomware gang targets nonprofit providing clean water to world’s poorest

Water for People, a nonprofit that aims to improve access to clean water for people whose health is threatened by a lack of it for drinking and sanitation, is the latest organization to have been hit by ransomware criminals.

The ransomware-as-a-service gang Medusa listed Water for People on its darknet site Thursday night, threatening to publish stolen information unless the nonprofit pays a $300,000 extortion fee.

A Water for People spokesperson told Recorded Future News: “The accessed data predates 2021, did not compromise our financial systems and no business operations were impacted. We’re working with top incident response firms, as well as our insurance company and hardening our systems with our security team to prevent future incidents.”

The attack follows the nonprofit receiving a $15 million grant from MacKenzie Scott, the billionaire ex-wife of Amazon founder Jeff Bezos. There is no evidence that Water for People was specifically targeted because of this donation.

The organization operates in nine countries, from Guatemala and Honduras in Latin America to Mozambique in Africa and India, and aims to improve water access for more than 200 million people over the next eight years.

“While the recent cyber attack from Medusa Locker Ransomware has not impacted our important work fighting the global water crisis and equipping communities with lasting access to clean water and sanitation services, it does reflect that even non-profits like ours are in the cross-hairs of these threat actors. We attempted good-faith negotiations that led nowhere,” the spokesperson added.

It is not the first time the Medusa gang’s activities have impacted an organization associated with water provision, although the gang and its affiliates appear to work opportunistically, according to new analysis by Palo Alto Networks’ Unit 42.

Last year, an Italian company that provides drinking water to nearly half a million people was hit by the gang.

Back in 2021, U.S. law enforcement agencies said ransomware gangs in general had hit five water and wastewater treatment facilities in the country — not including three other widely reported cyberattacks on water utilities.

Despite…


Stealthy new botnet targets VPN devices and routers while staying disguised

The US Government, together with several other countries, has issued a joint Cybersecurity Advisory warning of malicious activity carried out by a state-sponsored Chinese cyber actor known as Volt Typhoon.

The Chinese group has been observed targeting US critical infrastructure sectors, and other countries are believed to be at risk.


UAC-0099 Targets Ukrainian Companies With Lonepage Malware – Gridinsoft Blog

Ukrainian cyberwarfare sees further action as the UAC-0099 threat actor escalates its cyber espionage campaign against Ukrainian firms. Leveraging a severe vulnerability in the popular WinRAR software, the group orchestrates sophisticated attacks to deploy the Lonepage malware, a VBS malware capable of remote command execution and data theft.

UAC-0099 Exploits WinRAR Vulnerability

In its most recent attacks, UAC-0099’s focus on exploiting the WinRAR vulnerability (CVE-2023-38831, CVSS score: 7.8) signifies a more sophisticated approach to its operations. This high-severity flaw in WinRAR, a widely used file compression tool, gives attackers a way to run malicious code on unsuspecting systems. The exploitation also involves rigged self-extracting (SFX) archives and specially crafted ZIP files, designed to bypass traditional security measures and deliver the Lonepage malware directly onto target systems.

Attack Vectors Using WinRAR:

  1. Self-Extracting Archives Deception: Attackers distribute SFX files, which house malicious LNK shortcuts camouflaged as innocuous DOCX documents. These files, using familiar icons like Microsoft WordPad, entice victims into unwittingly executing malicious PowerShell scripts that install Lonepage.
  2. Manipulated ZIP Files: UAC-0099 also employs ZIP archives specifically crafted to exploit the WinRAR flaw. These files are engineered to trigger the vulnerability, illustrating the group’s adeptness at leveraging software weaknesses to their advantage.
Figure: WinRAR vulnerability chain

What is UAC-0099?

The UAC-0099 group, first identified by Ukraine’s Computer Emergency Response Team (CERT-UA) in June 2023, primarily targets Ukrainian employees working for international companies. Their tactics, while not technologically groundbreaking, prove effective in compromising critical information from a wide range of state organizations and media entities. Deep Instinct’s recent analysis reveals a disturbing trend: the group’s consistent focus on espionage, endangering not just the organizations, but also the individuals involved.

What is Lonepage Malware?

Lonepage Malware is a sophisticated Visual Basic Script (VBS) based malware used by…


InfectedSlurs botnet targets QNAP VioStor NVR vulnerability


Pierluigi Paganini
December 17, 2023

The Mirai-based botnet InfectedSlurs was spotted targeting QNAP VioStor NVR (Network Video Recorder) devices.

In November, Akamai warned of a new Mirai-based DDoS botnet, named InfectedSlurs, actively exploiting two zero-day vulnerabilities to infect routers and video recorder (NVR) devices.

The researchers discovered the botnet in October 2023, but they believe it has been active since at least 2022. The experts reported the two vulnerabilities to the respective vendors, which planned to release fixes in December 2023.

At the time, the company did not reveal the names of the impacted vendors. The researchers also determined that the bot used default admin credentials to install the Mirai variants.

A close look at the ongoing campaign revealed that the bot also targets wireless LAN routers built for hotels and residential applications.

On December 6, the Akamai Security Intelligence Response Team (SIRT) published the first update to the InfectedSlurs advisory series. The security firm revealed that threat actors were exploiting a vulnerability, tracked as CVE-2023-49897 (CVSS score 8.0), that impacted several routers, including Future X Communications (FXC) AE1021 and AE1021PE wall routers running firmware versions 2.0.9 and earlier.

The Akamai SIRT this week published an additional update after one of the affected vendors, QNAP, released advisory information and guidance.

The experts reported that the InfectedSlurs botnet is exploiting a remote code execution (RCE) vulnerability, tracked as CVE-2023-47565 (CVSS score 8.0), in QNAP VioStor NVR (Network Video Recorder) devices.

The vulnerability affects VioStor NVR Versions 5.0.0 and earlier (5.0.0 released June 21, 2014).

“QNAP considers these devices discontinued for support; however, the vendor recommends upgrading VioStor firmware on existing devices to the latest available version. This issue had previously been patched, although it was never publicly reported/disclosed,” reads the advisory published by Akamai.

The Akamai SIRT discovered that the bot was running an exploit targeting QNAP VioStor NVR devices…
