Tag Archive for: Victims

Scattered Spider traps 100+ victims in its web as it moves into ransomware • The Register


Scattered Spider, the crew behind at least one of the recent Las Vegas casino IT security breaches, has already hit some 100 organizations during its so-far brief tenure in the cybercrime scene, according to Mandiant.

Further, as also witnessed in the ongoing MGM Resorts network outage, the gang, known for its social-engineering-based attacks, is now throwing data-stealing ransomware at victims, too.

In its analysis this week into Scattered Spider’s evolving tactics, Mandiant says the “expansion in the group’s monetization strategies” began in mid-2023. That write-up should be useful for IT defenders: it details mitigations, advice, and indicators of compromise to look out for.

The Google-owned threat intel firm tracks Scattered Spider as UNC3944. Its comments on the crime gang are significant because Mandiant is one of the top incident response teams called in to clean up the messes made by such high-profile intruders.

“These changes in their end goals signal that the industries targeted by UNC3944 will continue to expand,” the analysis says. “Mandiant has already directly observed their targeting broaden beyond telecommunication and business process outsourcer (BPO) companies to a wide range of industries including hospitality, retail, media and entertainment, and financial services.”

Scattered Spider, which has been around for about two years, is a US-UK-based Lapsus$-like gang that specializes in SMS phishing and phone-based social engineering. It uses these techniques to steal login credentials belonging to employees of targeted organizations, or otherwise to sneak into its targets’ IT networks without permission.

In one of the group’s first major phishing campaigns in 2022, dubbed Oktapus, the criminals initially went after employees of Okta customers, targeting as many as 135 orgs — IT, software development and cloud services providers based in the US.

First, Scattered Spider sent text messages to the employees with malicious links to sites spoofing their company’s authentication page. This allowed the gang to steal some 9,931 user credentials and 5,441 multi-factor authentication codes, we’re told.

Just last month, the crew targeted more Okta customers, this…


Homeland Security identifies 311 child victims of sexual exploitation in ‘cold cases’


More than a dozen international law enforcement organizations worked together under U.S. leadership to identify and locate victims of child sexual exploitation in a just-completed operation that officials say is likely the most successful of its kind.

In the three-week “surge” known as Operation Renewed Hope, which began July 17, investigators combing through sexually graphic internet material involving children, much of it on the dark web and some of it decades old, made probable identifications of 311 child victims and confirmed the rescue of several victims from active abuse.

Homeland Security Investigations (HSI), part of Immigration and Customs Enforcement, took the lead in the operation, which included representatives from the Justice Department, the FBI, the U.S. Marshals, Interpol and Europol, as well as 13 law enforcement agencies from Australia, Canada and countries in Europe and South America.

In many of the cases in which victims have been identified, HSI officials told NBC News that the material had existed for many years, but investigators were previously unable to identify the child victims or the adult abusers. Thanks to new facial recognition and artificial intelligence technology, there are now fresh leads in these formerly cold cases.

After they narrowed down a location or tentatively identified a victim, the investigators sent their new leads to the appropriate local law enforcement agency. The operation sent more than 100 leads to HSI field offices and 25 partnering countries. Some suspects in Canada and the United States have already been arrested.

The announcement comes a week after the FBI revealed it had identified dozens of victims of child sex trafficking and more than 100 suspects in a separate sweep called Operation Cross Country.

Mike Prado, deputy assistant director of the HSI Cyber Crimes Center, said the results of Operation Renewed Hope “exceeded our wildest expectations in the sense of being able to identify children who have been abused for, in many cases, years.”

He gave NBC News a tour of the operation while it was in progress, being careful to avoid showing any of the highly graphic material under review.

In one room, more than 20…


Ransomware Victims Surge as Threat Actors Pivot to Zero-Day Exploits


The number of organizations that became victims of ransomware attacks surged 143% between the first quarter of 2022 and first quarter of this year, as attackers increasingly leveraged zero-day vulnerabilities and one-day flaws to break into target networks.

In many of these attacks, threat actors did not even bother to encrypt data belonging to victim organizations. Instead, they focused solely on stealing sensitive data and extorting victims by threatening to sell or leak it to others. The tactic left even those with otherwise robust backup and restoration processes backed into a corner.

A Surge in Victims

Researchers at Akamai discovered the trends when they recently analyzed data gathered from leak sites belonging to 90 ransomware groups. Leak sites are locations where ransomware groups typically release details about their attacks, victims, and any data that they might have encrypted or exfiltrated.

Akamai’s analysis showed that several popular notions about ransomware attacks are no longer fully true. One of the most significant, according to the company, is a shift from phishing as an initial access vector to vulnerability exploitation. Akamai found that several major ransomware operators are focused on acquiring zero-day vulnerabilities — either through in-house research or by procuring them from gray-market sources — to use in their attacks.

One notable example is the Cl0p ransomware group, which abused a zero-day SQL-injection vulnerability in Fortra’s GoAnywhere software (CVE-2023-0669) earlier this year to break into numerous high-profile companies. In May, the same threat actor abused another zero-day bug it discovered — this time in Progress Software’s MOVEit file transfer application (CVE-2023-34362) — to infiltrate dozens of major organizations globally. Akamai found Cl0p’s victim count surged ninefold between the first quarter of 2022 and the first quarter of this year after it started exploiting zero-day bugs.

Although leveraging zero-day vulnerabilities is not particularly new, the emerging trend among ransomware actors to use them in large-scale attacks is significant, Akamai said.

“Particularly concerning is the in-house development of zero-day…


Florida patients among victims of spate of data hacking


TAMPA — A criminal group now being pursued by the FBI had access to Tampa General Hospital’s computer system for three weeks.

Its attempt to encrypt and ransom the hospital’s data — which could have significantly impeded care of patients — was thwarted by internal security measures. Nonetheless, hackers were still able to download personal data on 1.2 million patients.

The crime is among a spate of recent data breaches affecting Florida patients. HCA Healthcare in July reported that an unauthorized user stole data on about 11 million patients in 20 states, including Florida, and posted it on an online forum. And this week, Johns Hopkins Health System, which runs All Children’s Hospital in St. Petersburg, reported the theft of personal information on 310,000 patients, including almost 10,000 from Florida.

Nationwide, more than 50 million patient records were compromised in 2022, according to analysis by cybersecurity firm Critical Insight. The records of more than 3.4 million Florida patients have been compromised this year and 36 data breaches are still under investigation, according to the Department of Health and Human Services, suggesting that health care firms will remain a favorite target of hackers.

The health care sector is perceived as being more vulnerable than those in the finance, defense or aerospace sectors, said Joe Partlow, chief technology officer at ReliaQuest, a firm that provides computer security guidance to banks, utility companies and health care providers among others. Finance firms tend to invest more in security measures, in part because of regulations, he said. Health data also typically includes Social Security numbers and insurance details prized by hackers.

“They are a good target,” he said. “They know it’s a good trove of personal data.”

The damage is not just to patient confidentiality. The average cost of a health care breach rose to $11 million this year, a 53% increase since 2020, according to an IBM report.

Phishing emails that entice employees to enter log-ons and passwords are still the primary means used by hackers to gain access to computer systems, Partlow said.

Once they have broken in, one tactic is…
