Tag Archive for: Wave

UK battles hacking wave as ransomware gang claims ‘biggest ever’ NHS breach

/in


The U.K.’s largest NHS trust has confirmed it’s investigating a ransomware incident as the country’s public sector continues to battle a rising wave of cyberattacks.

Barts Health NHS Trust, which runs five London-based hospitals and serves more than 2.5 million patients, was recently added to the dark web leak site of the ALPHV ransomware gang. The gang, also known as BlackCat, says it has stolen 70 terabytes of sensitive data in what it claims is the biggest breach of healthcare data in the United Kingdom.

Samples of the allegedly stolen data, seen by TechCrunch, include employee identification documents, including passports and driver licenses, and internal emails labeled “confidential.”

When asked by TechCrunch, a Barts Health spokesperson did not dispute that it was affected by a security incident that involved the exfiltration of data, nor did they dispute the legitimacy of the stolen data samples shared by ALPHV. “We are aware of claims of a ransomware attack and are urgently investigating,” the spokesperson, who did not provide their name, told TechCrunch.

ALPHV, which first listed Barts Health on June 30, wrote that the NHS Trust had three days to contact the gang to prevent the publication of data, “most of it citizens [sic] confidential documents.” At the time of writing, the full trove of allegedly stolen data has not been published.

This incident is the second breach of NHS data in recent weeks. As first reported by the Independent, a June ransomware attack on the U.K.’s University of Manchester saw hackers access an NHS dataset that holds information on 1.1 million patients across 200 hospitals. The compromised data — gathered by the university for research purposes — includes NHS numbers and the first three letters of patients’ postcodes, according to reports.

When asked by TechCrunch, University of Manchester spokesperson Ben Robinson declined to comment on the reported theft of NHS data, but confirmed that the university had experienced a security incident that led to the exfiltration of data from its systems.

“We confirmed on 23 June that our systems have been accessed and student and alumni data has been copied. Individuals have…

Source…

Notorious Cyber Gang FIN7 Returns With Cl0p Ransomware in New Wave of Attacks

/in


May 20, 2023Ravie LakshmananCyber Crime / Ransomware

Cl0p Ransomware

The notorious cybercrime group known as FIN7 has been observed deploying Cl0p (aka Clop) ransomware, marking the threat actor’s first ransomware campaign since late 2021.

Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy Sangria Tempest.

“In these recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to load the Lizar post-exploitation tool and get a foothold into a target network,” the company’s threat intelligence team said. “They then use OpenSSH and Impacket to move laterally and deploy Clop ransomware.”

FIN7 (aka Carbanak, ELBRUS, and ITG14) has been linked to other ransomware families such as Black Basta, DarkSide, REvil, and LockBit, with the threat actor acting as a precursor for Maze and Ryuk ransomware attacks.

Active since at least 2012, the group has a track record of targeting a broad spectrum of organizations spanning software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities.

Another notable tactic in its playbook is its pattern of setting up fake security companies – Combi Security and Bastion Secure – to recruit employees for conducting ransomware attacks and other operations.

UPCOMING WEBINAR

Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

Last month, IBM Security X-Force revealed that members of the now-defunct Conti ransomware gang are using a new malware called Domino that’s developed by the cybercrime cartel.

FIN7’s use of POWERTRASH to deliver Lizar (aka DICELOADER or Tirion) was also highlighted by WithSecure a few weeks ago in connection with attacks exploiting a high-severity flaw in Veeam Backup & Replication software (CVE-2023-27532) to gain initial access.

The latest development signifies FIN7’s continued reliance on various ransomware families to target victims as part of a shift in its monetization strategy by pivoting away from payment card data theft to…

Source…

Leaked Babuk Code Fuels New Wave of VMware ESXi Ransomware

/in


Cybersecurity firm SentinelOne warns of an increase in the number of new ransomware families designed to target VMware ESXi that are based on the leaked Babuk source code.

Targeting both Windows and Linux systems, the Babuk ransomware family was initially detailed in January 2021 and was used in attacks against numerous organizations.

In September 2021, the malware’s source code was leaked online by one of its operators, which allowed security researchers to release a free decryption tool for it roughly two months later.

The leaked source code has been used to create new ransomware variants, including RTM Locker and Rook, and was also used in the Rorschach ransomware. Both RTM Locker and Rorschach (aka BabLock) target ESXi servers too.

Over the past year, SentinelOne says in a new technical report, the source code was used to create at least 10 ransomware families specifically targeting VMware ESXi servers.

Other smaller ESXi ransomware operations also adopted the code, including House’s Mario, Play, Cylance (unrelated to the security firm with the same name), Dataf Locker, Lock4, and XVGV.

Infamous ransomware gangs such as Alphv/BlackCat, Black Basta, Conti, Lockbit, and REvil have been observed targeting ESXi deployments as well.

Advertisement. Scroll to continue reading.

However, SentinelOne’s analysis of these malware families has revealed that only Conti and REvil ESXi lockers show overlaps with the leaked Babuk code.

The ESXiArgs locker that caused havoc earlier this year, however, showed very few similarities with Babuk, aside from the use of the same open-source Sosemanuk encryption implementation, the cybersecurity firm says.

“While ties to REvil remain tentative, the possibility exists that these groups – Babuk, Conti, and REvil – potentially outsourced an ESXi locker project to the same developer,” SentinelOne notes.

The identified links suggest that the two ransomware operations may have experienced small leaks or that they share code to collaborate, SentinelOne says.

Overall, the cybersecurity firm stresses on the fact that threat actors are increasingly using the Babuk code to build ESXi and Linux lockers and that they might also adopt the group’s…

Source…

Security Roundup: Leak of Top-Secret US Intel Risks a New Wave of Mass Surveillance

/in


US defense secretary Lloyd Austin on Thursday said he was considering “additional measures necessary to safeguard our nation’s secrets,” and he ordered a review of “our intelligence access, accountability, and control procedures within the department to inform our efforts to prevent this kind of incident from happening again.”

Hackers who claim to have breached data storage company Western Digital earlier this month say they are holding 10 terabytes of stolen data hostage and are ready to publish it unless the company pays a “minimum 8 figure” ransom, TechCrunch reports. 

An individual who says they carried out the hack spoke to TechCrunch on Thursday, claiming to have reams of customer information. While the hacker showed TechCrunch screenshots of internal emails and contact information of Western Digital’s employees, it’s still unclear exactly what data has been stolen.

“Cut the crap, get the money, and let’s both go our separate ways,” the hackers wrote in an email to several company executives. “Simply put, let us put our egos aside and work to find a resolution to this chaotic scenario.” 

A secretive Israeli spyware company’s hacking tools have been used to target politicians and journalists in at least 10 countries, according to research by Microsoft and the University of Toronto’s Citizen Lab made public Tuesday. 

The company, QuaDream, is a small, low-profile Israeli firm that develops smartphone hacking tools intended for government clients. The firm was established in 2016 by former employees of NSO Group, the maker of the Pegasus spyware.

The QuaDream spyware targeted older versions of Apple’s iOS phone software, and it worked by sending malicious calendar invites that would not be seen by the targets, researchers say.

According to the report, Citizen Lab has located QuaDream servers in Bulgaria, the Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, the United Arab Emirates, and Uzbekistan. 

WhatsApp has introduced a new security feature that makes it harder for scammers to steal users’ accounts. The feature will require individuals who download WhatsApp to a new device to use their old device to confirm their account….

Source…