
    CryWiper Data Wiper Targeting Russian Sites

    news.movim.eu / Schneier · Monday, 5 December - 22:38

Kaspersky is reporting on a data wiper masquerading as ransomware that is targeting local Russian government networks.

The Trojan corrupts any data that’s not vital for the functioning of the operating system. It doesn’t affect files with extensions .exe, .dll, .lnk, .sys or .msi, and ignores several system folders in the C:\Windows directory. The malware focuses on databases, archives, and user documents.

So far, our experts have seen only pinpoint attacks on targets in the Russian Federation. However, as usual, no one can guarantee that the same code won’t be used against other targets.

Nothing leading to an attribution.

News article.

Slashdot thread.

    Montenegro is the Victim of a Cyberattack

    news.movim.eu / Schneier · Tuesday, 6 September - 03:47

Details are few, but Montenegro has suffered a cyberattack:

A combination of ransomware and distributed denial-of-service attacks, the onslaught disrupted government services and prompted the country’s electrical utility to switch to manual control.

[…]

But the attack against Montenegro’s infrastructure seemed more sustained and extensive, with targets including water supply systems, transportation services and online government services, among many others.

Government officials in the country of just over 600,000 people said certain government services remained temporarily disabled for security reasons and that the data of citizens and businesses were not endangered.

The Director of the Directorate for Information Security, Dusan Polovic, said 150 computers were infected with malware at a dozen state institutions and that the data of the Ministry of Public Administration was not permanently damaged. Polovic said some retail tax collection was affected.

Russia is being blamed, but I haven’t seen any evidence other than “they’re the obvious perpetrator.”

    Zero-Day Vulnerabilities Are on the Rise

    news.movim.eu / Schneier · Wednesday, 27 April, 2022 - 18:40 · 1 minute

Both Google and Mandiant are reporting a significant increase in the number of zero-day vulnerabilities reported in 2021.

Google:

2021 included the detection and disclosure of 58 in-the-wild 0-days, the most ever recorded since Project Zero began tracking in mid-2014. That’s more than double the previous maximum of 28 detected in 2015 and especially stark when you consider that there were only 25 detected in 2020. We’ve tracked publicly known in-the-wild 0-day exploits in this spreadsheet since mid-2014.

While we often talk about the number of 0-day exploits used in-the-wild, what we’re actually discussing is the number of 0-day exploits detected and disclosed as in-the-wild. And that leads into our first conclusion: we believe the large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits.

Mandiant:

In 2021, Mandiant Threat Intelligence identified 80 zero-days exploited in the wild, which is more than double the previous record volume in 2019. State-sponsored groups continue to be the primary actors exploiting zero-day vulnerabilities, led by Chinese groups. The proportion of financially motivated actors — particularly ransomware groups — deploying zero-day exploits also grew significantly, and nearly 1 in 3 identified actors exploiting zero-days in 2021 was financially motivated. Threat actors exploited zero-days in Microsoft, Apple, and Google products most frequently, likely reflecting the popularity of these vendors. The vast increase in zero-day exploitation in 2021, as well as the diversification of actors using them, expands the risk portfolio for organizations in nearly every industry sector and geography, particularly those that rely on these popular systems.

News article.

    Why ransomware hackers love a holiday weekend

    news.movim.eu / ArsTechnica · Sunday, 5 September, 2021 - 11:00 · 1 minute

Gah, don't you miss unstressed travel? (credit: Klaus Vedfelt / Getty Images)

On the Friday heading into Memorial Day weekend this year, it was meat processing giant JBS. On the Friday before the Fourth of July, it was IT management software company Kaseya and, by extension, over a thousand businesses of varying size. It remains to be seen whether Labor Day will see a high-profile ransomware meltdown as well, but one thing is clear: Hackers love holidays.

Really, ransomware hackers love regular weekends, too. But a long one? When everyone’s off carousing with family and friends and studiously avoiding anything remotely office-related? That’s the good stuff. And while the trend isn’t new, a joint warning issued this week by the FBI and the Cybersecurity and Infrastructure Security Agency underscores how serious the threat has become.

The appeal to attackers is pretty straightforward. Ransomware can take time to propagate throughout a network, as hackers work to escalate privileges for maximum control over the most systems. The longer it takes for anyone to notice, the more damage they can do. “Generally speaking, the threat actors deploy their ransomware when there is less likelihood of people being around to start pulling plugs,” says Brett Callow, threat analyst at antivirus company Emsisoft. “The less chance of the attack being detected and interrupted.”

    Colonial Pipeline paid a $5 million ransom—and kept a vicious cycle turning

    news.movim.eu / ArsTechnica · Saturday, 15 May, 2021 - 10:00

(credit: Sean Rayford | Getty Images)

Nearly a week after a ransomware attack led Colonial Pipeline to halt fuel distribution on the East Coast, reports emerged on Friday that the company paid a 75 bitcoin ransom—worth as much as $5 million, depending on the time of payment—in an attempt to restore service more quickly. And while the company was able to restart operations Wednesday night, the decision to give in to hackers' demands will only embolden other groups going forward. Real progress against the ransomware epidemic, experts say, will require more companies to say no.

Not to say that doing so is easy. The FBI and other law enforcement groups have long discouraged ransomware victims from paying digital extortion fees, but in practice many organizations resort to paying. They either don't have the backups and other infrastructure necessary to recover otherwise, can't or don't want to take the time to recover on their own, or decide that it's cheaper to just quietly pay the ransom and move on. Ransomware groups increasingly vet their victims' financials before springing their traps, allowing them to set the highest possible price that their victims can still potentially afford.

    Pipeline attacker Darkside suddenly goes dark—here’s what we know

    news.movim.eu / ArsTechnica · Friday, 14 May, 2021 - 21:25

Darkside—the ransomware group that disrupted gasoline distribution across a wide swath of the US this week—has gone dark, leaving it unclear if the group is ceasing, suspending, or altering its operations or is simply orchestrating an exit scam.

On Thursday, all eight of the dark web sites Darkside used to communicate with the public went down, and they remain down as of publication time. Overnight, a post attributed to Darkside claimed, without providing any evidence, that the group’s website and content distribution infrastructure had been seized by law enforcement, along with the cryptocurrency it had received from victims.

The dog ate our funds

“At the moment, these servers cannot be accessed via SSH, and the hosting panels have been blocked,” the post stated, according to a translation of the Russian-language post published Friday by security firm Intel471. “The hosting support service doesn't provide any information except ‘at the request of law enforcement authorities.’ In addition, a couple of hours after the seizure, funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account.”

    Ireland’s healthcare system taken down after ransomware attack

    news.movim.eu / ArsTechnica · Friday, 14 May, 2021 - 16:17

St. Vincent's University Hospital in Dublin, Ireland. (credit: Bloomberg | Getty Images)

Ireland has shut down most of the major IT systems running its national healthcare service, leaving doctors unable to access patient records and people unsure of whether they should show up for appointments, following a “very sophisticated” ransomware attack.

Paul Reid, chief executive of Ireland’s Health Service Executive, told a morning radio show that the decision to shut down the systems was a “precautionary” measure after a cyber attack that impacted national and local systems “involved in all of our core services.”

Some elements of the Irish health service remain operational, such as clinical systems and its Covid-19 vaccination program, which is powered by separate infrastructure. Covid tests already booked are also going ahead.

    Colonial Pipeline resumes operations after ransomware prompted closure

    news.movim.eu / ArsTechnica · Thursday, 13 May, 2021 - 00:21

A paper sign reading "no gas" in both English and Spanish has been taped to a gasoline pump. (credit: Getty Images)

Colonial Pipeline said it restarted operations on Wednesday afternoon after a five-day outage brought on by a ransomware attack caused gasoline shortages and panic buying in East Coast states.

“Following this restart, it will take several days for the product delivery supply chain to return to normal,” the operator of the 5,500-mile pipeline said on its website. “Some markets served by Colonial Pipeline may experience, or continue to experience, intermittent service interruptions during the start-up period. Colonial will move as much gasoline, diesel, and jet fuel as is safely possible and will continue to do so until markets return to normal.”

Colonial temporarily halted operations on Saturday, after determining that it was the victim of a ransomware attack. The pipeline runs through 11 states, from New Jersey to Texas.
