Ransomware crooks are exploiting IBM file exchange bug with a 9.8 severity

news.movim.eu / ArsTechnica · Wednesday, 29 March - 00:24 · 1 minute

(credit: Getty Images)

Threat actors are exploiting a critical vulnerability in an IBM file-exchange application in hacks that install ransomware on servers, security researchers have warned.

The IBM Aspera Faspex is a centralized file-exchange application that large organizations use to transfer large files or large volumes of files at very high speeds. Rather than relying on TCP-based technologies such as FTP to move files, Aspera uses IBM’s proprietary FASP—short for Fast, Adaptive, and Secure Protocol—to better utilize available network bandwidth. The product also provides fine-grained management that makes it easy for users to send files to a list of recipients in distribution lists or shared inboxes or workgroups, giving transfers a workflow that’s similar to email.

In late January, IBM warned of a critical vulnerability in Aspera versions 4.4.2 Patch Level 1 and earlier and urged users to install an update to patch the flaw. Tracked as CVE-2022-47986, the vulnerability makes it possible for unauthenticated threat actors to remotely execute malicious code by sending specially crafted calls to an outdated programming interface. The ease of exploiting the vulnerability and the damage that could result earned CVE-2022-47986 a severity rating of 9.8 out of a possible 10.


Mass Ransomware Attack

news.movim.eu / Schneier · Thursday, 23 March - 02:56

A vulnerability in a popular data transfer tool has resulted in a mass ransomware attack:

TechCrunch has learned of dozens of organizations that used the affected GoAnywhere file transfer software at the time of the ransomware attack, suggesting more victims are likely to come forward.

However, while the number of victims of the mass-hack is widening, the known impact is murky at best.

Since the attack in late January or early February—the exact date is not known—Clop has disclosed less than half of the 130 organizations it claimed to have compromised via GoAnywhere, a system that can be hosted in the cloud or on an organization’s network that allows companies to securely transfer huge sets of data and other large files.

Ransomware attacks have entered a heinous new phase

news.movim.eu / ArsTechnica · Tuesday, 14 March - 17:00

(credit: Don Farrall/Getty Images)

In February, attackers from the Russia-based BlackCat ransomware group hit a physician practice in Lackawanna County, Pennsylvania, that's part of the Lehigh Valley Health Network (LVHN). At the time, LVHN said that the attack “involved” a patient photo system related to radiation oncology treatment. The health care group said that BlackCat had issued a ransom demand, “but LVHN refused to pay this criminal enterprise.”

After a couple of weeks, BlackCat threatened to publish data stolen from the system. “Our blog is followed by a lot of world media, the case will be widely publicized and will cause significant damage to your business,” BlackCat wrote on their dark-web extortion site. “Your time is running out. We are ready to unleash our full power on you!” The attackers then released three screenshots of cancer patients receiving radiation treatment and seven documents that included patient information.


CryWiper Data Wiper Targeting Russian Sites

news.movim.eu / Schneier · Monday, 5 December - 22:38

Kaspersky is reporting on a data wiper masquerading as ransomware that is targeting local Russian government networks.

The Trojan corrupts any data that’s not vital for the functioning of the operating system. It doesn’t affect files with extensions .exe, .dll, .lnk, .sys or .msi, and ignores several system folders in the C:\Windows directory. The malware focuses on databases, archives, and user documents.

So far, our experts have seen only pinpoint attacks on targets in the Russian Federation. However, as usual, no one can guarantee that the same code won’t be used against other targets.

Nothing leading to an attribution.

News article.

Slashdot thread.

Montenegro is the Victim of a Cyberattack

news.movim.eu / Schneier · Tuesday, 6 September, 2022 - 03:47

Details are few, but Montenegro has suffered a cyberattack:

A combination of ransomware and distributed denial-of-service attacks, the onslaught disrupted government services and prompted the country’s electrical utility to switch to manual control.

[…]

But the attack against Montenegro’s infrastructure seemed more sustained and extensive, with targets including water supply systems, transportation services and online government services, among many others.

Government officials in the country of just over 600,000 people said certain government services remained temporarily disabled for security reasons and that the data of citizens and businesses were not endangered.

The Director of the Directorate for Information Security, Dusan Polovic, said 150 computers were infected with malware at a dozen state institutions and that the data of the Ministry of Public Administration was not permanently damaged. Polovic said some retail tax collection was affected.

Russia is being blamed, but I haven’t seen any evidence other than “they’re the obvious perpetrator.”

Zero-Day Vulnerabilities Are on the Rise

news.movim.eu / Schneier · Wednesday, 27 April, 2022 - 18:40 · 1 minute

Both Google and Mandiant are reporting a significant increase in the number of zero-day vulnerabilities reported in 2021.

Google:

2021 included the detection and disclosure of 58 in-the-wild 0-days, the most ever recorded since Project Zero began tracking in mid-2014. That’s more than double the previous maximum of 28 detected in 2015 and especially stark when you consider that there were only 25 detected in 2020. We’ve tracked publicly known in-the-wild 0-day exploits in this spreadsheet since mid-2014.

While we often talk about the number of 0-day exploits used in-the-wild, what we’re actually discussing is the number of 0-day exploits detected and disclosed as in-the-wild. And that leads into our first conclusion: we believe the large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits.

Mandiant:

In 2021, Mandiant Threat Intelligence identified 80 zero-days exploited in the wild, which is more than double the previous record volume in 2019. State-sponsored groups continue to be the primary actors exploiting zero-day vulnerabilities, led by Chinese groups. The proportion of financially motivated actors — particularly ransomware groups — deploying zero-day exploits also grew significantly, and nearly 1 in 3 identified actors exploiting zero-days in 2021 was financially motivated. Threat actors exploited zero-days in Microsoft, Apple, and Google products most frequently, likely reflecting the popularity of these vendors. The vast increase in zero-day exploitation in 2021, as well as the diversification of actors using them, expands the risk portfolio for organizations in nearly every industry sector and geography, particularly those that rely on these popular systems.

News article.

Why ransomware hackers love a holiday weekend

news.movim.eu / ArsTechnica · Sunday, 5 September, 2021 - 11:00 · 1 minute

Gah, don't you miss unstressed travel? (credit: Klaus Vedfelt / Getty Images)

On the Friday heading into Memorial Day weekend this year, it was meat processing giant JBS. On the Friday before the Fourth of July, it was IT management software company Kaseya and, by extension, over a thousand businesses of varying size. It remains to be seen whether Labor Day will see a high-profile ransomware meltdown as well, but one thing is clear: Hackers love holidays.

Really, ransomware hackers love regular weekends, too. But a long one? When everyone’s off carousing with family and friends and studiously avoiding anything remotely office-related? That’s the good stuff. And while the trend isn’t new, a joint warning issued this week by the FBI and the Cybersecurity and Infrastructure Security Agency underscores how serious the threat has become.


The appeal to attackers is pretty straightforward. Ransomware can take time to propagate throughout a network, as hackers work to escalate privileges for maximum control over the most systems. The longer it takes for anyone to notice, the more damage they can do. “Generally speaking, the threat actors deploy their ransomware when there is less likelihood of people being around to start pulling plugs,” says Brett Callow, threat analyst at antivirus company Emsisoft. “The less chance of the attack being detected and interrupted.”

Colonial Pipeline paid a $5 million ransom—and kept a vicious cycle turning

news.movim.eu / ArsTechnica · Saturday, 15 May, 2021 - 10:00

(credit: Sean Rayford | Getty Images)

Nearly a week after a ransomware attack led Colonial Pipeline to halt fuel distribution on the East Coast, reports emerged on Friday that the company paid a 75 bitcoin ransom—worth as much as $5 million, depending on the time of payment—in an attempt to restore service more quickly. And while the company was able to restart operations Wednesday night, the decision to give in to hackers' demands will only embolden other groups going forward. Real progress against the ransomware epidemic, experts say, will require more companies to say no.

Not to say that doing so is easy. The FBI and other law enforcement groups have long discouraged ransomware victims from paying digital extortion fees, but in practice many organizations resort to paying. They either don't have the backups and other infrastructure necessary to recover otherwise, can't or don't want to take the time to recover on their own, or decide that it's cheaper to just quietly pay the ransom and move on. Ransomware groups increasingly vet their victims' financials before springing their traps, allowing them to set the highest possible price that their victims can still potentially afford.
