Authorities Shut Down Russian RSOCKS Botnet That Hacked Millions of Devices

source: thehackernews.com  |  image:  pexels.com

The U.S. Department of Justice (DoJ) on Thursday disclosed that it took down the infrastructure associated with a Russian botnet known as RSOCKS in collaboration with law enforcement partners in Germany, the Netherlands, and the U.K.

The botnet, operated by a sophisticated cybercrime organization, is believed to have ensnared millions of internet-connected devices, including Internet of Things (IoT) devices, Android phones, and computers for use as a proxy service.

Botnets, a constantly evolving threat, are networks of hijacked computer devices that are under the control of a single attacking party and are used to facilitate a variety of large-scale cyber intrusions such as distributed denial-of-service (DDoS) attacks, email spam, and cryptojacking.

New ‘GoodWill’ Ransomware Forces Victims to Donate Money and Clothes to the Poor

source: thehackernews.com  |  image: Pixabay.com

Cybersecurity researchers have disclosed a new ransomware strain called GoodWill that compels victims to donate to social causes and provide financial assistance to people in need.

“The ransomware group propagates very unusual demands in exchange for the decryption key,” researchers from CloudSEK said in a report published last week. “The Robin Hood-like group claims to be interested in helping the less fortunate, rather than extorting victims for financial motivations.”

Written in .NET, the ransomware was first identified by the India-based cybersecurity firm in March 2022, with the infections blocking access to sensitive files by making use of the AES encryption algorithm. The malware is also notable for sleeping for 722.45 seconds to interfere with dynamic analysis.

The encryption process is followed by displaying a multiple-paged ransom note that requires the victims to carry out three socially-driven activities to be able to obtain the decryption kit.

This includes donating new clothes and blankets to the homeless, taking any five underprivileged children to Domino’s Pizza, Pizza Hut, or KFC for a treat, and offering financial support to patients who need urgent medical attention but do not have the means to pay for it.

Additionally, the victims are asked to record the activities in the form of screenshots and selfies and post them as evidence on their social media accounts.

“Once all three activities are completed, the victims should also write a note on social media (Facebook or Instagram) on ‘How you transformed yourself into a kind human being by becoming a victim of a ransomware called GoodWill,'” the researchers said.

There are no known victims of GoodWill and their exact tactics, techniques, and procedures (TTPs) used to facilitate the attacks are unclear as yet.

Also unrecognized is the identity of the threat actor, although an analysis of the email address and network artifacts suggests that the operators are from India and that they speak Hindi.

Further investigation into the ransomware sample has also revealed significant overlaps with another Windows-based strain called HiddenTear, the first ransomware to have been open-sourced as a proof-of-concept (PoC) back in 2015 by a Turkish programmer.

“GoodWill operators may have gained access to this allowing them to create a new ransomware with necessary modifications,” the researchers said.

 

view an example of the ransomware letter here

What is a cyber attack?

source: businessleader.co.uk  |  Image: Pixabay.com

In this guest article, written exclusively as part of Business Leader’s Cyber Security Month, Bleddyn-Aled Wyke, Cyber Operations Executive at PureCyber, outlines what a cyber attack is.

A cyber-attack can take many forms, though one common thread throughout these is the threat actor. Whether the attack is untargeted, such as a phishing campaign against thousands of users hoping a careless one takes the bait, or more targeted, such as a Denial of Service (DoS) style attack against a company site denying normal users access to its services, there is a human presence behind it somewhere who has set it in motion.

The National Cyber Security Centre (NCSC) presents a four-stage model mapping out the typical steps and processes carried out by threat actors in the process of an attack: Survey, Delivery, Breach, and Affect.

Firstly, the threat actor would look to survey an organisation’s infrastructure, in a bid to obtain as much information as possible. This could be through more technical means, scanning target networks to gain information about IT systems in place, or more physical methods such as social engineering to gain more private information such as internal processes or procedures.

With the knowledge gained here, the threat actor would look to move onto the delivery stage of the attack, where they attempt to put themselves into a position on a network where they can exploit a vulnerability they believe to exist within a target. An example of this would be gaining the format of a company’s e-mail address (e.g. first initial surname@target.com) and using this to send phishing e-mails containing a malicious file or link to employees, using this to either spread malware or steal credentials. It only takes one user to follow through with the file or link to compromise an organisation’s system.

Upon successful delivery of an exploit, the attacker would attempt to further breach the system. Whether this is via stolen credentials allowing them to achieve access to sensitive user or company information, or via the implementation of malware letting them take control of computers or networks, the attacker can either go straight for their target or can look to gain a more established presence.

From there they can move to the affect stage, using their established control to reach more privileged systems, allowing them to obtain more sensitive information, make changes to their benefit, or disrupt the business. The threat actor will then look either to leave, attempting to remove any indications of their presence, or to set up a more persistent threat, leaving a back door so they can come and go as they please.
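
The four stages above map naturally onto detection rules. The Python below is an added example, not code from NCSC, PureCyber or the Business Leader article. It correlates constructed telemetry into the four stages: a port sweep from one outside address (Survey), mail with an attachment from an external sender to addresses in the guessable first-initial-plus-surname format (Delivery), a successful login by a phished user from outside the internal range shortly afterwards (Breach), and a privilege change by that account (Affect). The `key=value` log format, the host and account names, the `target.com` domain, the 10.0.0.0/8 internal range and the thresholds are all assumptions, and the log lines are constructed for the demonstration.

```python
"""Correlate constructed log lines into the NCSC Survey / Delivery / Breach / Affect stages.

Added example; the log format, names, thresholds and the 10.0.0.0/8 internal
range are assumptions, and the sample lines below are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "target.com"
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address range
SCAN_PORT_THRESHOLD = 10                            # assumed: distinct ports that count as a sweep
LOGIN_WINDOW = timedelta(hours=2)                   # assumed: a login this soon after a phish is suspect
# The address format the article describes: first initial + surname @ domain
NAME_FORMAT = re.compile(r"^[a-z]{2,}@" + re.escape(INTERNAL_DOMAIN) + "$")

# Constructed sample telemetry: one event per line, space-free key=value fields
SAMPLE_LOG = """\
ts=2022-06-01T08:00:01 type=firewall src=203.0.113.7 dst=web01 dport=21 action=deny
ts=2022-06-01T08:00:01 type=firewall src=203.0.113.7 dst=web01 dport=22 action=deny
ts=2022-06-01T08:00:02 type=firewall src=203.0.113.7 dst=web01 dport=23 action=deny
ts=2022-06-01T08:00:02 type=firewall src=203.0.113.7 dst=web01 dport=25 action=deny
ts=2022-06-01T08:00:03 type=firewall src=203.0.113.7 dst=web01 dport=80 action=allow
ts=2022-06-01T08:00:03 type=firewall src=203.0.113.7 dst=web01 dport=110 action=deny
ts=2022-06-01T08:00:04 type=firewall src=203.0.113.7 dst=web01 dport=143 action=deny
ts=2022-06-01T08:00:04 type=firewall src=203.0.113.7 dst=web01 dport=443 action=allow
ts=2022-06-01T08:00:05 type=firewall src=203.0.113.7 dst=web01 dport=445 action=deny
ts=2022-06-01T08:00:05 type=firewall src=203.0.113.7 dst=web01 dport=3389 action=deny
ts=2022-06-01T08:30:00 type=firewall src=198.51.100.5 dst=web01 dport=443 action=allow
ts=2022-06-01T09:15:00 type=mail from=hr-team@example.org to=jsmith@target.com attachment=yes
ts=2022-06-01T09:15:05 type=mail from=hr-team@example.org to=ajones@target.com attachment=yes
ts=2022-06-01T09:16:00 type=mail from=news@vendor.example to=jsmith@target.com attachment=no
ts=2022-06-01T10:02:30 type=auth user=jsmith src=198.51.100.23 result=success
ts=2022-06-01T10:05:00 type=auth user=ajones src=10.0.4.12 result=success
ts=2022-06-01T10:40:00 type=priv user=jsmith action=added_to_group group=Domain_Admins
"""


def parse_line(line):
    """Turn one key=value log line into a dict; the 'ts' field becomes a datetime."""
    event = dict(field.split("=", 1) for field in line.split())
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def is_internal(ip):
    """True when the address falls inside the assumed internal range."""
    return ipaddress.ip_address(ip) in INTERNAL_NET


def classify(lines):
    """Return {stage: [finding, ...]} for the four NCSC stages, in time order."""
    events = sorted((parse_line(line) for line in lines if line.strip()), key=lambda e: e["ts"])
    findings = {"Survey": [], "Delivery": [], "Breach": [], "Affect": []}

    # Survey: one external source touching many distinct ports on our hosts
    ports_by_src = defaultdict(set)
    for e in events:
        if e["type"] == "firewall" and not is_internal(e["src"]):
            ports_by_src[e["src"]].add(int(e["dport"]))
    for src, ports in ports_by_src.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings["Survey"].append((src, len(ports)))

    # Delivery: external sender, attachment, recipient in the guessable address format
    phished_at = {}
    for e in events:
        if (e["type"] == "mail"
                and not e["from"].endswith("@" + INTERNAL_DOMAIN)
                and e.get("attachment") == "yes"
                and NAME_FORMAT.match(e["to"])):
            phished_at.setdefault(e["to"], e["ts"])
            findings["Delivery"].append((e["to"], e["from"]))

    # Breach: a phished user logs in successfully from outside, soon after the mail
    compromised = set()
    for e in events:
        if e["type"] == "auth" and e["result"] == "success" and not is_internal(e["src"]):
            t0 = phished_at.get(e["user"] + "@" + INTERNAL_DOMAIN)
            if t0 is not None and t0 <= e["ts"] <= t0 + LOGIN_WINDOW:
                compromised.add(e["user"])
                findings["Breach"].append((e["user"], e["src"]))

    # Affect: the compromised account then changes privileges
    for e in events:
        if e["type"] == "priv" and e["user"] in compromised:
            findings["Affect"].append((e["user"], e["action"] + ":" + e.get("group", "")))

    return findings


if __name__ == "__main__":
    for stage, items in classify(SAMPLE_LOG.splitlines()).items():
        print(f"{stage:9s} {items}")
```

Each later rule is gated on the earlier one (Breach only fires for a user who appeared in a Delivery finding; Affect only for an account already in Breach), which is what keeps the output to one chain per intrusion rather than a flood of isolated alerts; the thresholds and the two-hour window are the knobs a team would tune against its own baseline.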

Security News This Week: The NSA Swears It Has ‘No Backdoors’ in Next-Gen Encryption

source: wired.com  |  image: nsa.gov

The US is readying new encryption standards that will be so ironclad that even the nation’s top code-cracking agency says it won’t be able to bypass them.

The National Security Agency has been involved in parts of the process but insists it has no way of bypassing the new standards. 

“There are no backdoors,” said Rob Joyce, the NSA’s director of cybersecurity, in an interview. A backdoor enables someone to exploit a deliberate, hidden flaw to break encryption. A cryptographic random-number generator developed by the NSA, Dual_EC_DRBG, was dropped from the federal standards in 2014 amid concerns that it contained a backdoor.

The new standards are intended to withstand quantum computing, a developing technology that is expected to be able to solve math problems that today’s computers can’t. But it’s also one that the White House fears could allow the encrypted data that girds the U.S. economy – and national security secrets – to be hacked. 

CISA issues rare emergency directive as ‘critical’ cyber vulnerabilities emerge

source: federalnewsnetwork.com  |  image: pexels.com

Agencies have until Monday to mitigate vulnerabilities in five products from VMware that allow unauthenticated attackers to gain deep access to affected systems.

The Cybersecurity and Infrastructure Security Agency issued a new emergency directive today saying the vulnerabilities in VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager put federal networks and systems at immediate risk.

“These vulnerabilities pose an unacceptable risk to federal network security,” said CISA Director Jen Easterly in a release. “CISA has issued this Emergency Directive to ensure that federal civilian agencies take urgent action to protect their networks. We also strongly urge every organization — large and small — to follow the federal government’s lead and take similar steps to safeguard their networks.”

Cyber security: Global food supply chain at risk from malicious hackers

source: bbc.com  |  image: pexels.com

Modern “smart” farm machinery is vulnerable to malicious hackers, leaving global supply chains exposed to risk, experts are warning.

It is feared hackers could exploit flaws in agricultural hardware used to plant and harvest crops.

Agricultural manufacturing giant John Deere says it is now working to fix any weak spots in its software.

A recent University of Cambridge report said automatic crop sprayers, drones and robotic harvesters could be hacked.

The UK government and the FBI have warned that the threat of cyber-attacks is growing.

John Deere said protecting customers, their machines and their data was a “top priority”.

Smart technology is increasingly being used to make farms more efficient and productive – for example, until now the labour-intensive harvesting of delicate food crops such as asparagus has been beyond the reach of machines.

FBI, CISA, and NSA warn of hackers increasingly targeting MSPs

source: bleepingcomputer.com, contributed by FAN Steve Page  |  image:  pixabay.com

Members of the Five Eyes (FVEY) intelligence alliance today warned managed service providers (MSPs) and their customers that they’re increasingly targeted by supply chain attacks.

Multiple cybersecurity and law enforcement agencies from FVEY countries (NCSC-UK, ACSC, CCCS, NCSC-NZ, CISA, NSA, and the FBI) shared guidance for MSPs to secure networks and sensitive data against these rising cyber threats.

“The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities expect malicious cyber actors—including state-sponsored advanced persistent threat (APT) groups—to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships,” the joint advisory reads.

North Korean hackers targeting journalists with novel malware

source: bleepingcomputer.com  |  image: pixabay.com

North Korean state-sponsored hackers known as APT37 have been discovered targeting journalists specializing in the DPRK with a novel malware strain.

The malware is distributed through a phishing attack first discovered by NK News, an American news site dedicated to covering news and providing research and analysis about North Korea, using intelligence from within the country.

The APT37 hacking group, aka Ricochet Chollima, is believed to be sponsored by the North Korean government, which sees news reporting as a hostile operation, and attempted to use this attack to access highly-sensitive information and potentially identify journalists’ sources.

After NK News discovered the attack, they contacted the malware experts at Stairwell for further assistance, who took over the technical analysis.

FBI Warns of BlackCat Ransomware That Breached Over 60 Organizations Worldwide

source: thehackernews.com  |  image: pixabay.com

The U.S. Federal Bureau of Investigation (FBI) is sounding the alarm on the BlackCat ransomware-as-a-service (RaaS), which it said had victimized at least 60 entities worldwide as of March 2022 since its emergence last November.

Also called ALPHV and Noberus, the ransomware is notable as one of the first ransomware families written in the Rust programming language, which is designed for memory safety and offers good performance.

“Many of the developers and money launderers for BlackCat/ALPHV are linked to DarkSide/BlackMatter, indicating they have extensive networks and experience with ransomware operations,” the FBI said in an advisory published last week.

The disclosure comes weeks after twin reports from Cisco Talos and Kaspersky uncovered links between the BlackCat and BlackMatter ransomware families, including the use of a modified version of a data exfiltration tool dubbed Fendr that had previously only been observed in BlackMatter-related activity.

Cyber warfare gets real for satellite operators

source: spacenews.com  |  image: pixabay.com

Recent network attacks in Ukraine have been ‘an eye opener for everybody’

WASHINGTON — The U.S. government on March 17 advised satellite operators to put their guard up in the wake of a cyberattack that disrupted internet services in Europe provided by Viasat’s KA-SAT.

“Given the current geopolitical situation, the Cybersecurity and Infrastructure Security Agency requests that all organizations significantly lower their threshold for reporting and sharing indications of malicious cyber activity,” said CISA, an organization within the Department of Homeland Security. 

Following CISA’s advisory, the Satellite Industry Association on March 18 issued a statement of “commitment to cybersecurity best practices” and expressed concern about “evolving attacks by criminals, terrorists, and nation states.”
