Tag Archive for: victim

Taiwanese PC Company MSI Falls Victim to Ransomware Attack


Apr 08, 2023 | Ravie Lakshmanan | Malware / Cyber Attack


Taiwanese PC company MSI (short for Micro-Star International) officially confirmed it was the victim of a cyber attack on its systems.

The company said it “promptly” initiated incident response and recovery measures after detecting “network anomalies.” It also said it alerted law enforcement agencies of the matter.

That said, MSI did not disclose when the attack took place or whether it involved the exfiltration of any proprietary information, including source code.

“Currently, the affected systems have gradually resumed normal operations, with no significant impact on financial business,” the company said in a brief notice shared on Friday.

In a regulatory filing with the Taiwan Stock Exchange, it said that it’s setting up enhanced controls of its network and infrastructure to ensure the security of data.

MSI is further urging users to obtain firmware/BIOS updates only from its official website, and refrain from downloading files from other sources.

The disclosure comes as a new ransomware gang known as Money Message added the company to its list of victims. The threat actor was spotlighted by Zscaler late last month.


“The group utilizes a double extortion technique to target its victims, which involves exfiltrating the victim’s data before encrypting it,” Cyble noted in an analysis published this week. “The group uploads the data on their leak site if the ransom is unpaid.”

The development comes a month after Acer confirmed a breach of its own that resulted in the theft of 160 GB of confidential data. The stolen data was advertised for sale on March 6, 2023, on the now-defunct BreachForums.


Source…



Copper Mountain Mine victim of ransomware attack in Princeton


Copper Mountain Mine, Princeton’s largest employer, is the victim of a ransomware attack according to a release on the company’s website.

There have been no safety or environmental incidents resulting from the attack, which occurred late on Dec. 27, the release states.

The mill has been proactively shut down while officials determine the attack's effect on its control systems.

“The company quickly implemented its risk management systems and protocols in response to the attack. The company has isolated operations, switched to manual processes, where possible.”

The mine is working with authorities to investigate the source of the attack.

According to the province's Information Security Branch (ISB), ransomware is a form of malicious code, or malware, that infects a computer or network and spreads rapidly to encrypt data. The malware makes the data inaccessible to its users, and the criminals responsible demand payment in exchange for decrypting the files. The payment is often requested in Bitcoin or another cryptocurrency.

The ISB says there are three ways computers are commonly attacked:

• Email – the individual clicks on a malicious link or attachment in a phishing email.

• Malvertising – the individual visits a site that displays infected advertisements.

• Drive-by downloading – the individual visits a legitimate or malicious website that hosts an exploit for an unpatched vulnerability in the browser or one of its plugins. Simply opening the website is enough to run the ransomware without the user noticing.

Copper Mountain Mine has more than 400 employees.


Source…

Bumblebee Malware Loader’s Payloads Significantly Vary by Victim System


A new analysis of Bumblebee, a particularly pernicious malware loader that first surfaced this March, shows that its payload for systems that are part of an enterprise network is very different from its payload for standalone systems.

On systems that appear to be part of a domain — for example, systems that might share the same Active Directory server — the malware is programmed to drop sophisticated post-exploitation tools such as Cobalt Strike. On the other hand, when Bumblebee determines it has landed on a machine that is part of a workgroup — or peer-to-peer LAN — the payload generally tends to be banking and information stealers.

Different Malware

“While the victim’s geographical location didn’t seem to have any effect on the malware behavior, we observed a very stark difference between the way Bumblebee behaves after infecting machines,” Check Point said in a report this week based on a recent analysis of the malware.

“If the victim is connected to WORKGROUP, in most cases it receives the DEX command (Download and Execute), which causes it to drop and run a file from the disk,” Check Point said. However, if the system is connected to an AD domain, the malware uses the Download and Inject (DIJ) or Download shellcode and Inject (SHI) commands to fetch advanced payloads such as Cobalt Strike, Meterpreter, and Sliver.

Check Point’s analysis adds to the growing volume of research around Bumblebee in the six months or so since researchers first observed the malware in the wild. The malware has garnered attention for several reasons, one of them being its relatively widespread use among multiple threat groups. In an April 2022 analysis, researchers from Proofpoint said they had observed at least three distinct threat groups distributing Bumblebee to deliver different second-stage payloads on infected systems, including ransomware such as Conti and Diavol. Google’s Threat Analysis Group identified one of the actors distributing Bumblebee as an initial access broker it tracks as “Exotic Lily.”

Proofpoint and other security researchers have described Bumblebee as being used by threat actors previously associated with BazaLoader, a prolific malware loader that among other…

Source…

New Golang-based ‘Agenda Ransomware’ Can Be Customized For Each Victim



A new ransomware strain written in Golang dubbed “Agenda” has been spotted in the wild, targeting healthcare and education entities in Indonesia, Saudi Arabia, South Africa, and Thailand.

“Agenda can reboot systems in safe mode, attempts to stop many server-specific processes and services, and has multiple modes to run,” Trend Micro researchers said in an analysis last week.

Qilin, the threat actor advertising the ransomware on the dark web, is said to provide affiliates with options to tailor the binary payloads for each victim, enabling the operators to decide the ransom note, encryption extension, as well as the list of processes and services to terminate before commencing the encryption process.


Additionally, the ransomware incorporates techniques for detection evasion by taking advantage of the ‘safe mode’ feature of a device to proceed with its file encryption routine unnoticed, but not before changing the default user’s password and enabling automatic login.

Upon successful encryption, Agenda renames the files with the configured extension, drops the ransom note in each encrypted directory, and reboots the machine in normal mode. The ransom demanded varies from company to company, ranging anywhere from $50,000 to $800,000.


Besides using local account credentials to execute the ransomware binary, Agenda also has the capability to spread across an entire network and its shared drives.

In one of the observed attack chains involving the ransomware, a public-facing Citrix server served as an entry point to ultimately deploy the ransomware in less than two days.

Trend Micro said it observed source code similarities between Agenda and the Black Basta, BlackMatter, and REvil (aka Sodinokibi) ransomware families.


Black Basta, which first emerged in April 2022, is known to employ the double extortion technique of encrypting files on the systems of targeted organizations and demanding ransom to make decryption possible, while also threatening to post the stolen sensitive information should a victim choose not to pay the ransom.


As of last week, the Black Basta group has compromised over 75 organizations, according to Palo Alto Networks Unit 42, up from 50 in…

Source…