Data Breaches Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/data-breaches/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed updated: Mon, 29 Jan 2024 23:27:36 +0000

Comcast’s Xfinity Breach Exposes Data of 35.8 Million Users
https://gridinsoft.com/blogs/xfinity-breach-exposes-data/
Published: Wed, 20 Dec 2023 14:55:37 +0000

The post Comcast’s Xfinity Breach Exposes Data of 35.8 Million Users appeared first on Gridinsoft Blog.

Comcast confirms a massive security breach impacting its Xfinity division. Nearly 36 million customers of the world’s largest telecom provider were exposed as the result of CitrixBleed exploitation.

The breach details and impact on customers

The CitrixBleed vulnerability, which resides in widely used Citrix networking devices, has been under mass exploitation by hackers since at least late August. Despite Citrix releasing patches in early October, many organizations, including Comcast, did not apply them in time. This oversight led to unauthorized access to Comcast’s internal systems between October 16th and 19th, though the company only detected the activity on October 25th. The damage is mainly concentrated within Xfinity, one of the company’s biggest divisions.

By November 16th, Xfinity confirmed that customer data had likely been acquired by hackers. This data includes usernames, hashed passwords, names, contact information, dates of birth, partial Social Security numbers, and answers to secret questions. Comcast’s data analysis is ongoing, and further disclosures of compromised data types may emerge.

[Figure: Email to main account warning that information was changed]

The breach’s scale is monumental. Comcast’s filing with Maine’s attorney general revealed that almost 35.8 million customers are affected. Considering Comcast’s over 32 million broadband customers, the breach potentially impacts most, if not all, Xfinity customers.

What is the CitrixBleed vulnerability?

CitrixBleed is a critical-rated security flaw affecting Citrix devices favored by large corporations. Hackers leveraging this vulnerability have targeted notable entities, including Boeing and the Industrial and Commercial Bank of China. As Citrix products are widely used, the mere existence of such a vulnerability is critical.

The CitrixBleed vulnerability allows hackers to leverage improper input validation to bypass security controls, resulting in unauthorized access to internal systems. Moreover, the vulnerability allows attackers to inject malicious code or commands, potentially leading to malware injection.

As of now, it is unclear whether Xfinity received a ransom demand or how the incident affected the company’s operations. Also uncertain is whether the incident has been filed with the U.S. Securities and Exchange Commission under the new data breach reporting rules. Comcast’s response has been tight-lipped regarding these aspects.

Avoiding data loss

Customers affected by the breach should take immediate steps to secure their personal information. This includes monitoring credit reports, being vigilant for phishing attempts, and ensuring all online accounts are secured with strong, unique passwords and, where available, multi-factor authentication.

It’s crucial to stay informed about cybersecurity threats and safe practices, as human error often leads to security breaches. Implementing strong access controls and network segmentation can limit the extent of a breach if one occurs. Additionally, regular backups and encrypted data storage are essential to recover from data loss incidents.

Mr. Cooper’s Data Breach Affects Millions
https://gridinsoft.com/blogs/mr-coopers-data-breach/
Published: Wed, 20 Dec 2023 09:52:28 +0000

Hackers have infiltrated the secure databases of Mr. Cooper, a prominent mortgage and loan company, resulting in a massive data breach. Over 14.6 million customers have been affected, making it one of the most significant breaches in recent times.

Mr. Cooper Hacked, Huge Amounts of Data Exposed

Hackers have breached Mr. Cooper’s databases, impacting 14.6 million customers in one of the most significant recent data breaches. The breach was first noticed on October 31, when Mr. Cooper’s systems unexpectedly went offline, initially attributed to an outage. However, it was later revealed to be the result of a cyberattack. The incident raised concerns about the company’s security measures and its transparency in handling such issues. Customers experienced significant disruptions, unable to access their accounts or process mortgage payments.

In a detailed report to Maine’s attorney general’s office, Mr. Cooper disclosed the extent of the breach. Hackers managed to access a wealth of personal information, including customer names, addresses, dates of birth, phone numbers, SSNs, and bank account details. This breach is far more extensive than initially reported, with the number of victims surpassing the company’s current customer base, indicating that historical data of mortgage holders was also compromised.

Uncertainties And Consequences

Despite the scale of the attack, Mr. Cooper has been reticent about the specifics of the cyberattack. The attack’s nature, the perpetrators’ identity, and whether any ransom was demanded remain unclear. As a result, the company has faced criticism for its lack of transparency and delayed response to customer concerns. The financial implications of the attack are severe: Mr. Cooper estimates the cost of this cyberattack to be at least $25 million, a significant increase from initial estimates of $5 to $10 million. This cost includes expenses related to providing identity protection services to affected customers for two years.

In addition, this breach has far-reaching implications for the affected individuals. The exposure of sensitive personal information raises the risk of identity theft and financial fraud. Customers whose mortgages were previously handled by Nationstar Mortgage, now known as Mr. Cooper, are particularly vulnerable. The company has notified all affected individuals and advised them to take precautionary measures.

Cooper’s Response And Mitigation Efforts

In response to the breach, Mr. Cooper has taken several steps to mitigate the damage and prevent future incidents. These include enhancing its cybersecurity infrastructure and working closely with law enforcement and cybersecurity experts. Nonetheless, the company’s delayed response and initial miscommunication have been points of criticism. For a breach of such scale, this is simply inappropriate.

Moneris Hacked, Medusa Ransomware Claims
https://gridinsoft.com/blogs/moneris-hacked-medusa-ransomware/
Published: Wed, 15 Nov 2023 17:04:34 +0000

Canadian fintech giant Moneris is claimed to have been hacked by the notorious Medusa ransomware group, sending shockwaves through the country’s financial sector. The group is known for its aggressive tactics and audacious targets. They have demanded a ransom of $6 million in exchange for the stolen data and the prevention of further disruption.

Who are Moneris and Medusa?

Moneris, a joint venture between the Royal Bank of Canada and the Bank of Montreal, is Canada’s largest payment processor, handling over 3.5 billion credit and debit card transactions annually. The company serves as a critical intermediary for businesses of all sizes, making its compromise a significant threat to the country’s economic stability. Sure enough, any “cybersecurity incident”, as companies prefer to call ransomware attacks, will set the community abuzz.

The Medusa ransomware group is a relatively new cybercrime gang that has gained notoriety for its ruthless strategies. The gang operates under a ransomware-as-a-service (RaaS) model, providing its hacking tools and expertise to affiliates in exchange for a share of the ransom proceeds. This approach has enabled the group to expand its reach and inflict damage on a wide range of victims.

[Figure: One of the ransom notes of Medusa Ransomware]

Medusa ransomware’s attempt to compromise Moneris

Moneris has confirmed the attempted ransomware attack but has assured its customers that no critical data has been compromised. The company has also stated that it has implemented measures to restore its systems and continue operations.

“Following the attempt, our team did a full audit and analysis of the incident, reviewed all information, and concluded none of our Digital Loss Prevention policies were triggered.” – Moneris

In response to the Medusa ransomware attack, Moneris has taken steps to mitigate the damage and protect its customers. The company has engaged cybersecurity experts to investigate the incident. It also implemented additional security protocols and communicated regularly with its customers to keep them informed.

The fallout from this breach extends beyond Moneris itself. A disruption of Moneris services lasting 90 minutes in late September caused widespread issues across the country. The company’s extensive contracts with the US military raise additional concerns, considering the potential compromise of sensitive information related to military equipment and weapons.

Critical Financial Institutions Under Attack

The attack on Moneris seems to be one more element in a chain of attacks on critical financial infrastructure. Just a couple of days ago, another infamous ransomware group – LockBit – successfully hacked ICBC, the biggest commercial bank in the world. Such interest in financial companies is understandable, though the trend is no less concerning.

Huge money flows, the likelihood of handling sensitive information, and tremendous amounts of statistics are what attract hackers, and what make these two breaches so dangerous. Even though the attacks are most likely unrelated, crooks may start targeting such companies much more often. And while the Moneris hack is mostly about disruption of money transactions, hacks of institutional orgs like ICBC put the global financial system at risk.

How to Protect Against Ransomware?

The incident highlights the growing sophistication and severity of ransomware attacks, targeting not just individual users but also large, well-established corporations like Moneris. The financial and reputational implications of such attacks can be devastating, making it crucial for businesses to invest in robust cybersecurity measures and maintain vigilance against evolving cyber threats. Here are some tips on how to protect against ransomware:

  • Regularly backing up your data is crucial for its safety. Create an offline backup of your hard disk-stored files to protect your data. This is a copy of your data saved on a separate device not connected to your computer or network. If ransomware attacks your computer, the backup files will not be affected, and you can restore them without paying a ransom.
  • It is important to keep your software up to date as software updates include crucial security patches that protect against ransomware attacks. Most software programs offer the option for automatic updates which will ensure that your software is always updated with the latest security patches.
  • Train your employees. Conduct regular cybersecurity awareness training for employees to educate them about ransomware threats and safe online practices.
  • Use reliable software. Install reputable antivirus and anti-malware software on your devices. Consider using additional security tools that offer real-time protection against ransomware.
  • Be careful with user privileges. Follow the principle of least privilege (PoLP) to restrict user access to the minimum necessary for their roles.

What Is Identity Theft & How to Protect Against It
https://gridinsoft.com/blogs/identity-theft-how-to-protect/
Published: Fri, 15 Sep 2023 10:04:03 +0000

Identity theft is a significant issue affecting millions yearly, whether through stolen credit card information or fraudulent accounts. It’s a lucrative business for criminals, who can steal billions of dollars annually through these methods. Unfortunately, data breaches are a common occurrence, and they contribute to the problem. While it’s impossible to prevent data breaches, there are steps you may take to reduce the chances of fraud or identity theft and minimize the damage it can cause.

What’s identity theft?

Identity theft is the use of someone’s personal information for fraudulent purposes. This can include name, social security number (SSN), credit card information, or other sensitive data. It also includes unauthorized access to bank accounts, credit card fraud, creating fake identities, or taking out loans in the victim’s name. In addition to the primary financial damage, identity theft often causes severe emotional distress to victims. It also creates serious problems in recovering and returning stolen identities.

Before the advent of the Internet, criminals had to monitor a victim’s physical mailbox in search of valuable information. Another standard practice was to rummage through the victim’s stinky trash to get the information they needed for identity theft, for example those “you’re already approved,” pre-screened credit offers we all get in the mail. However, thanks to modern technology, today’s cybercriminals don’t need to go to such great lengths to invade someone’s privacy. Big businesses, and the large caches of data they hold on their networks, present a much more lucrative target than piecemeal attacks on individual consumers.

Types of identity theft

There are various types of identity theft, each with its own specific focus and methods. Below are the most common types according to available statistics.

Account takeover identity theft

Account takeover identity theft is a cybercrime where a fraudster gains unauthorized access to your existing accounts. Usually, such attacks aim at social media pages or bank accounts. The scammer can use this access to steal your money, take out loans or credit in your name, or deceive your friends, followers, or contacts with phishing attacks or other scams. As the “next tier” victims will see messages from a familiar person, the chances of a successful scam increase by orders of magnitude.

Credit identity theft

Credit identity theft is when a thief steals your credit card data and uses it for fraudulent purchases, or obtains credit cards or loans under your name. According to the Federal Trade Commission, this is the most common form of identity theft. The reason is obvious – in this attack, fraudsters can cash out much faster than in any other way.

Medical identity theft

Medical identity theft occurs when criminals use victims’ personal information to receive medical treatment, obtain prescription drugs, or see a doctor. In the past, medical identity theft could have impacted victims’ health coverage or led to higher medical costs. However, recent changes in the law have addressed these issues. Still, scammers can incur past-due medical debts in your name, which can appear on a victim’s credit report and negatively affect their credit score. Seniors who receive Medicare are particularly vulnerable to medical identity theft, as frequent medical visits usually may not raise suspicion.

[Figure: How medical identity theft works]

Medical identity theft is also dangerous due to the sensitivity of such information. If hackers manage to leak medical data of a person, they can further blackmail them in order to avoid disclosing their health condition. And when we are talking about celebrities, there are a lot of tabloids ready to spend a small fortune on information on such a topic.

Tax identity theft

Tax identity theft is when a scammer steals an individual’s SSN and uses it to receive a tax refund or secure a job. This commonly happens when victims’ SSNs are exposed online due to a data breach. Despite the lack of love received from taxpayers, the US Internal Revenue Service’s initiatives aimed at decreasing tax-related identity theft are effective.

Criminal identity theft

Criminal identity theft is a specific form of theft in which the perpetrator steals another person’s identity to commit a crime. Examples of crimes committed through criminal identity theft include driving under the influence, shoplifting, drug possession, trespassing, probation or parole violations, and failure to appear in court. The thief may use the stolen name, date of birth, SSN, or other identifying information to impersonate the victim. As a result, the victim may face criminal charges and end up with a criminal record. Criminal identity theft can have a devastating impact on the victim’s life.

[Figure: How criminal identity theft works]

Child identity theft

Child identity theft is fraudulently using a child’s personal information to obtain financial gain. The question arises: why would someone want to pretend to be a child? Well, there are many reasons for that. Scammers can use a child’s Social Security Number (SSN) to claim them as a dependent, obtain a tax refund, open a line of credit, get a job, or even obtain a government ID. Making someone’s child a tool in illegal credit obtaining or tax refunds is rather cynical, but fraudsters involved in such schemes never had strict moral rules.

Synthetic identity theft

Synthetic identity theft means criminals create a new identity amalgamating real and fake information. They commonly steal real information, such as a Social Security number (SSN), and make up phony information. The latter is most commonly the name, address, or date of birth. Crooks obviously do it to mask a real identity in illegal activities. The thief can then use this synthetic identity to open credit accounts, get loans, or rent an apartment. Because the identity is new, credit bureaus or lenders may not flag it as fraudulent. This makes it easier for the thief to commit fraud without being caught.

[Figure: Synthetic identity example]

How does it work?

The number of identity theft methods is limited only by the imagination of attackers. They can accomplish it either through physical contact with the victim or remotely. Sometimes the attackers don’t need to do anything – the victim reveals all the necessary information themselves. The following are the most common examples:

Social engineering

By far, the unprecedented winner in successful identity theft is social engineering and phishing. Phishing involves tricking people into sharing sensitive information like usernames and passwords. Attackers often use social engineering tricks to manipulate emotions – most often greed and fear. They may send spoofed emails or text messages that appear to come from trusted sources. These messages urge recipients to take urgent action to verify payments or purchases. Clicking on the provided link will redirect users to a malicious login page designed to steal their login credentials.

Social media oversharing

The next point is very similar to the previous one, but here the victim is the initiator. There’s nothing wrong with wanting to share information on social media. However, it is essential for users to understand and choose what information to share and what should stay private. Oversharing on social media raises the risk of identity theft in case of a data breach. Facebook and Instagram have had bugs allowing access to the personal information of millions of users. To limit your exposure, check out our guide.

[Figure: Facebook About page screenshot – pay attention to what information you share on social media.]

Malware and Exploits

Spyware and keyloggers steal personal information, such as usernames, passwords, and social security numbers. They can infect your computer through seemingly harmless software bundles or Trojans like Emotet, which can deliver spyware and other malware. Once infected, the spyware or keylogger sends your information to cybercriminals through C&C servers. Cybercriminals also exploit software vulnerabilities to gain unauthorized access to a system and steal data. Researchers aim to report and patch these vulnerabilities in a race against criminals. Commonly exploited software includes operating systems, browsers, and Adobe and Microsoft Office applications.

Misplaced phones and wallets

Identity theft can occur when people lose their wallets, purses, or cell phones, or when crooks steal them. Thieves can then access important identification documents and sensitive information. And since smartphones commonly contain huge amounts of personal information, it is obvious that.

Data breaches

Data breaches refer to unauthorized access to a company’s database by hackers who target sensitive customer information, including names, addresses, social security numbers, and financial details. They are often caused by SQL injection attacks or misconfigured access controls. SQL injection attacks exploit weaknesses in how websites interact with SQL databases, allowing hackers to access sensitive information. Misconfigured access controls, on the other hand, can accidentally make private information public.

Who is the primary target?

Identity theft can happen to anyone, but some groups are more vulnerable than others. For example, seniors are often targeted because they may be less familiar with technology and more trusting of unsolicited communications. People with good credit histories are also at risk since criminals can open new credit accounts in their name and make unauthorized purchases. Those with higher incomes may also be targeted as they have more financial resources to exploit. Children are also vulnerable targets as their personal information can be used for fraud over an extended period before being detected since they usually don’t have a financial history.

What can I do if I’m a victim of identity theft?

If you’re a victim, use this checklist to mitigate:

  • Start by cleaning your computer. The first thing we recommend performing is a full scan of your device. Scan your system for threats using a good cybersecurity program such as Gridinsoft Anti-Malware. This will provide clarity and insight into whether the threat came from the infected device.
  • Next, change your passwords. Whether or not you have malware on your device, intruders have already compromised your accounts. We recommend changing your passwords to prevent attackers from accessing your accounts. Avoid reusing passwords across sites. Consider using a password manager to generate unique alphanumeric passwords and to detect spoofed websites.
  • Enable MFA or 2FA. 2FA is an effective line of defense against unauthorized access. The attacker must enter a confirmation code if the account login and password are compromised. Since this code is usually sent to your other devices, it reduces the chance of an attacker gaining access to the account.
  • Report stolen or lost cards. We strongly recommend contacting your bank ASAP if you lose your plastic bank card. Bank employees will block the card, thus preventing intruders from using it. You can also request to have your card reissued on your bank’s mobile app. It will take a few minutes; you can link the new card to Apple Pay or Google Pay and continue using it.
  • File a report with the FTC. You’ll need it to obtain a seven-year fraud alert from the credit bureaus and remove fraudulent accounts from your credit file. You can file another report with your local law enforcement agency only if your creditors demand it or you know the identity thief personally. You can dispute wrong information on your credit report under the Fair Credit Reporting Act. If the reporting agency doesn’t fix it within 30 days, file a complaint with the Consumer Financial Protection Bureau.
  • Be careful of phishing emails. It is crucial to keep a close eye on your email inbox. Opportunistic cybercriminals know that many individuals whose accounts have been breached expect to receive some form of communication regarding the incident. These scammers will take advantage of the situation by sending out fake emails that trick you into providing your personal information. It is, therefore, essential to be vigilant and cautious when receiving such emails.

In addition to the above, we have an article dedicated to identity theft traits. In it, we describe how to protect against identity theft in more detail.

Hundreds of Military and Intelligence Agencies Uploaded Data to VirusTotal
https://gridinsoft.com/blogs/intelligence-data-on-virustotal/
Published: Thu, 20 Jul 2023 11:03:17 +0000

An employee of the Google-owned platform VirusTotal accidentally uploaded a file with the names, email addresses and other data of hundreds of people working in intelligence agencies and ministries of defense around the world. In particular, the list includes persons associated with the US Cyber Command, the NSA, the Pentagon, the FBI and a number of units of the US Army.

Interestingly, just the other day we wrote about a large leak of letters from the US military due to a typo, and we also wrote about a Western Digital data leak after a hack.

US Military Agencies Data on VirusTotal

Der Spiegel journalists were the first to report the leak of an important 313-kilobyte file containing information about 5600 VirusTotal clients. According to them, the list contains the names of organizations and the email addresses of employees who registered accounts.

The publication emphasizes that it has verified the authenticity of the list and made sure that many of the people listed are actually civil servants, and some of the victims can be easily found on LinkedIn. According to media reports, more than 20 entries on the list belong to members of the US Cyber Command, the US Department of Justice, the Pentagon, the federal police, the FBI, the NSA, and so on.

From the UK, the list included more than ten employees of the Ministry of Defence, as well as email addresses belonging to employees of CERT-UK, which is part of the country’s Government Communications Headquarters (GCHQ). According to the GCHQ email format, employee mailboxes contain only the initials of each user’s last name. However, full names are contained in email addresses belonging to specialists from the Ministry of Defence, the Cabinet of Ministers, the Office for the Decommissioning of Nuclear Power Plants and the UK Pension Fund.

In addition, employees of various ministries of Germany (including the Federal Police, the Federal Criminal Police Office and the Military Counterintelligence Service), Japan, the United Arab Emirates, Qatar, Lithuania, Israel, Turkey, France, Estonia, Poland, Saudi Arabia, Colombia, the Czech Republic, Egypt, Slovakia and Ukraine became victims of the leak. About 30 more email addresses belong to employees of Deutsche Bahn (Germany’s main railway operator), and the file also contains data about employees of the Bundesbank and such large companies as BMW, Mercedes-Benz and Deutsche Telekom.

Why is that so critical?

Although the leak only affects email addresses and names, even these can be valuable information for hackers. The fact is that the file sheds light on people who deal with cybersecurity and malware in many companies, departments and organizations. As a result, they can become targets for spear phishing attacks or social engineering. In addition, it can be understood from the list that, for example, some military personnel use personal mailboxes and personal Gmail, Hotmail and Yahoo accounts in their work.

Google representatives have already told the media that they are aware of the leak, and the company has already taken all necessary measures to eliminate it.

“We are aware that one of our employees inadvertently distributed a small segment of email addresses of customer group administrators and organization names on the VirusTotal platform. We removed the listing from the platform within an hour of posting it and are looking into our internal processes and technical controls to improve their performance in the future.” – Google statement on the situation


Clop Attacks on MOVEit Transfer Affected British Airways, BBC and More (https://gridinsoft.com/blogs/clop-moveit-transfer/, Mon, 12 Jun 2023)

The post Clop Attacks on MOVEit Transfer Affected British Airways, BBC and More appeared first on Gridinsoft Blog.

According to security researchers, the Clop ransomware group has been looking for a way to exploit a vulnerability in MOVEit Transfer since 2021. The hackers say hundreds of companies have been compromised in recent attacks, and Irish airline Aer Lingus, British Airways, the BBC and British pharmacy chain Boots have already confirmed the hack.

What is the MOVEit 0-day breach?

A 0-day vulnerability (CVE-2023-34362) in the MOVEit Transfer file transfer management solution became known in late May. All versions of MOVEit Transfer were affected by the problem, and it was reported that attacks on them began as early as May 27, 2023.

The bug itself was a SQL injection that leads to remote code execution: exploitation can result in privilege escalation and give third parties unauthorized access to the MOVEit Transfer environment. Attackers used the vulnerability to deploy custom web shells on affected servers, allowing them to list files stored on the server, download files, and steal Azure Blob Storage account credentials and secrets, including the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings.

The week before, Microsoft analysts linked these attacks to the Clop ransomware group (aka Lace Tempest, TA505, FIN11, or DEV-0950). Among other things, this group is known for leaking data stolen from two universities.

Old vulnerability

As experts from the information security company Kroll now report, the hackers appear to have been looking for ways to exploit this zero-day vulnerability long before the mass attacks began, specifically since 2021.

Kroll’s review of the Microsoft Internet Information Services (IIS) logs of affected clients found evidence of similar activity occurring in several client environments in the past year (April 2022), and in some cases as late as July 2021, the researchers wrote.

They also discovered that attackers were testing different ways to collect and steal sensitive data from compromised MOVEit Transfer servers back in April 2022.

Kroll observed activity related to the exploitation of a vulnerability in MOVEit Transfer that occurred on April 27, 2022, May 15-16, 2023, and May 22, 2023. This indicates that the attackers were checking access to organizations and extracting information from MOVEit Transfer, likely using automated tools, the report says.

Automated malicious activity increased markedly on May 15, 2023, right before the start of massive attacks on the 0-day vulnerability.

[Image: Clop and MOVEit Transfer, victim data collection]

Since similar activity was performed manually in 2021, experts believe that the attackers knew about the bug for a long time, but were preparing the necessary tools to automate mass attacks.

Victims of the attack

Hackers told reporters this past weekend that the vulnerability allowed them to break into MOVEit Transfer servers owned by “hundreds of companies.” Although the media then urged caution about taking the hackers at their word, some victims have unfortunately already confirmed the compromise.

Zellis, a UK-based payroll and HR solution provider whose customers include Sky, Harrods, Jaguar, Land Rover, Dyson and Credit Suisse, was one of the first to confirm the breach and leak of customer data.

Some major Zellis customers have already made official statements about the hack. Among them are government agencies in Nova Scotia (including the Health Authority, which uses MOVEit to exchange confidential and classified information), the University of Rochester, and British Airways and the BBC, both of which reported the theft of employees’ personal information. Other Zellis customers among the victims include the Irish airline Aer Lingus and the British pharmacy chain Boots.

Currently, Clop has not yet begun to publish information stolen from companies. On their dark web site, the attackers gave the victims until June 12, stating that if the companies do not contact them and start negotiations on the payment of a ransom by that time, data leaks will follow.

[Image: Clop and MOVEit Transfer]


Western Digital Admits that Users’ Personal Data Was Compromised in the Company’s Hack (https://gridinsoft.com/blogs/western-digital-acknowledged-attack/, Fri, 12 May 2023)

The post Western Digital Admits that Users’ Personal Data Was Compromised in the Company’s Hack appeared first on Gridinsoft Blog.


Western Digital, which was hit by a BlackCat hack in March 2023, has finally admitted that customers’ personal data was compromised during the incident.

Users of the company’s online store were affected: the leak contained their names, billing and shipping addresses, email addresses and phone numbers.

Western Digital was hacked at the end of March 2023. Then the attackers compromised the internal network and stole the company’s data. At the same time, ransomware was not deployed on the Western Digital network, and the files were not encrypted.

As a result of this attack, the company’s cloud services, including Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS 5, SanDisk ibi and SanDisk Ixpand Wireless Charger, as well as mobile, desktop and web applications related to them, did not work for almost two weeks.

Responsibility for this attack apparently lies with the BlackCat (aka ALPHV) extortion group.

Let me remind you that experts linked the BlackCat (ALPHV) ransomware to the BlackMatter and DarkSide groups.

Recently, hackers have begun leaking data stolen from Western Digital and are threatening to sell the company’s stolen intellectual property, including firmware, code-signing certificates and customer personal information, on the black market unless ransomed.

At the end of last week, Western Digital representatives began to notify users of a data breach related to this attack.

Recently, an investigation revealed that around March 26, 2023, an unauthorized third party received a copy of a Western Digital database that contained limited personal information about our online store customers. The data included customer names, billing and shipping addresses, email addresses, and phone numbers. As a security measure, the database stored hashed salted passwords in an encrypted format, as well as only partial credit card numbers. We will contact affected customers directly, the company says.

Western Digital has now taken its online store offline and an investigation into the incident is still ongoing. The company says it expects to reopen the store around May 15, 2023.

Let me remind you that the media wrote that Western Digital’s My Cloud OS fixed a critical vulnerability.


BlackCat Group Leaks Western Digital Data to the Network (https://gridinsoft.com/blogs/black-cat-and-western-digital/, Thu, 04 May 2023)

The post BlackCat Group Leaks Western Digital Data to the Network appeared first on Gridinsoft Blog.


The operators of the ransomware BlackCat (aka ALPHV) have published screenshots of Western Digital’s internal emails and video conferences. The hackers appear to have maintained access to the company’s systems even after Western Digital discovered and responded to the attack.

Let me also remind you that we wrote that BlackCat said it attacked Creos Luxembourg, a European gas pipeline operator, and also that experts linked the BlackCat (ALPHV) ransomware to the BlackMatter and DarkSide groups.

Western Digital was hacked at the end of March 2023. Then the attackers compromised the internal network and stole the company’s data. At the same time, ransomware was not deployed on the Western Digital network, and the files were not encrypted.

As a result of this attack, the company’s cloud services, including Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS 5, SanDisk ibi and SanDisk Ixpand Wireless Charger, as well as mobile, desktop and web applications related to them, did not work for almost two weeks.

Let me remind you that the media wrote that Western Digital’s My Cloud OS fixed a critical vulnerability.

The fact that the incident is most likely related to a ransomware attack was first reported by TechCrunch. According to journalists, the attackers managed to steal about 10 TB of data from the company. The hackers shared samples of stolen data with TechCrunch, including files signed with stolen Western Digital keys, company phone numbers not publicly available, and screenshots of other internal data.

[Image: BlackCat and Western Digital, the hackers’ first statement about the attack on WD]

Although the attackers then claimed that they were not associated with the ALPHV group, soon a message appeared on the hack group’s website that Western Digital’s data would be published in the public domain if the company did not pay the ransom.

As information security researcher Dominic Alvieri now reports, in an effort to put pressure on the affected company, the hackers released 29 screenshots containing emails, documents and video conferences related to Western Digital’s response to this attack. In this way, the attackers hinted that they retained access to some Western Digital systems even after the hack was discovered (probably until April 1, 2023).

One screenshot includes a “media holding statement”, and another is a letter about employees who “leak” information about the attack to journalists.

A new message from the attackers accompanies this leak, in which they claim to have personal information of the company’s customers and a full backup of SAP Backoffice.

[Image: BlackCat and Western Digital]

The hackers say that if Western Digital does not pay the ransom, they will release the stolen files every week. They also threaten to sell the company’s stolen intellectual property on the black market, including firmware, code-signing certificates, and customers’ personal information.


Medusa Groups Claims That It “Merged” the Source Code of Bing and Cortana into the Network (https://gridinsoft.com/blogs/medusa-bing-and-cortana/, Fri, 21 Apr 2023)

The post Medusa Groups Claims That It “Merged” the Source Code of Bing and Cortana into the Network appeared first on Gridinsoft Blog.


The Medusa extortion group claims to have published internal materials stolen from Microsoft, including the source code of Bing, Bing Maps and Cortana.

Microsoft representatives have not yet commented on the hackers’ statements, but IT specialists say that the leak contains digital signatures of the company’s products, many of which are still valid.

[Image: Brett Callow]

This leak represents more interest for programmers, as it contains source codes for Bing, Bing Maps and Cortana products. In the leak there are digital signatures of Microsoft products, many of which have not been revoked. Dare, and your software will have the same level of trust as original Microsoft products, writes Emsisoft analyst Brett Callow.

According to the researcher, the hackers published about 12 GB of data, and this leak is probably related to last year’s attacks by the Lapsus$ group, which stole and made publicly available 37 GB of documents and sources of Microsoft products.

Also, we wrote that T-Mobile admitted that the Lapsus$ hack group stole its source code. Later, the authorities of Britain and Brazil reported the arrest of some members of the group.

Then Microsoft confirmed that Lapsus$ had hacked its systems, but claimed that the leak affected “neither customer code nor any data”.

At the moment it is not clear whether these data are what they are claimed to be. It is also unclear whether there is any connection between Medusa and Lapsus$, but, looking back, it can be said that some aspects of their modus operandi really resemble Lapsus$, Callow told journalists of The Register.

That is, it cannot be ruled out that Medusa is distributing materials that were stolen and leaked online earlier.

Medusa (not to be confused with MedusaLocker) is a fairly “young” extortion group that announced itself at the beginning of this year by attacking state schools in Minneapolis. Then the criminals stole about 100 GB of data and demanded a ransom of 1 million US dollars from the school district, and instead of receiving the requested amount, they published confidential information online.

[Image: Medusa, Bing and Cortana]

And before that, the hackers published a video that clearly demonstrates how they get access to the files of employees and students.


Remote Access Trojan (RAT Malware) (https://gridinsoft.com/blogs/remote-access-trojan-meaning/, Thu, 29 Dec 2022)

The post Remote Access Trojan (RAT Malware) appeared first on Gridinsoft Blog.

A Remote Access Trojan is software that allows unauthorized access to a victim’s computer or covert surveillance. Remote Access Trojans are often disguised as legitimate programs and give the attacker unhindered access. Their capabilities include tracking user behavior, copying files, and using bandwidth for criminal activity.

What is a Remote Access Trojan (RAT)?

A Remote Access Trojan (RAT) is a malicious program that opens a backdoor, allowing an attacker to control the victim’s device completely. Users often download RATs bundled with a legitimate program, e.g., inside hacked games from torrents or within an email attachment. Once an attacker compromises the host system, they can use it to spread RATs to additional vulnerable computers, thus creating a botnet. A RAT can also be deployed as a payload by exploit kits. Once successfully deployed, the RAT connects directly to the command-and-control (C&C) server the attackers control, using a predefined open TCP port on the compromised device. Because the RAT provides administrator-level access, an attacker can do almost anything on a victim’s computer, such as:

  • Use spyware and keyloggers to track the victim’s behavior
  • Gain access to sensitive data, including social security numbers and credit card information
  • View and record video from a webcam and microphone
  • Take screenshots
  • Format disks
  • Download, change or delete files
  • Distribute malware and viruses

How does a Remote Access Trojan work?

Like any other type of malware, a RAT can be attached to an email or posted on a malicious website. Cybercriminals can also exploit a vulnerability in a system or program. A RAT is similar to Remote Desktop Protocol (RDP) or AnyDesk but differs in its stealth. The RAT establishes a command and control (C2) channel with the attacker’s server. This way, attackers can send commands to the RAT, and it can return the data. RATs also have a set of built-in controls and methods for hiding their C2 traffic from detection.

[Image: Remote access trojan mechanism]

RATs can be combined with additional modules, providing other capabilities. For example, suppose an attacker gains a foothold using a RAT. Then, after examining the infected system through the RAT, they decide they need to install a keylogger. Depending on their needs, the RAT may have a built-in keylogging feature or the ability to download and add a keylogger module. It can also load and run an independent keylogger.

Why Is a Remote Access Trojan Dangerous?

A 2015 incident in Ukraine illustrates the nefarious nature of RAT programs. At the time, attackers used remote-control malware to cut power to 80,000 people. To do so, they gained remote access to a computer authenticated to the SCADA (supervisory control and data acquisition) machines that controlled the country’s utility infrastructure. The Remote Access Trojan then allowed the attackers to reach sensitive resources by abusing the elevated privileges of the authenticated user on the network. Thus, an attack using RATs can take on a threatening scale, up to a threat to national security.

Unfortunately, cybersecurity teams often have difficulty detecting RATs. This is because malware typically carries many concealing features, allowing it to avoid any detection. In addition, RATs manage resource utilization levels so that there is no performance degradation, making it difficult to detect the threat.

Ways of using RATs

The following are ways in which a RAT attack can compromise individual users, organizations, or even entire populations:

  • Spying and blackmail: An attacker who has deployed a RAT on a user’s device gains access to the user’s cameras and microphones. Consequently, he can take pictures of the user and his surroundings and then use this to launch more sophisticated attacks or blackmail.
  • Launch Distributed Denial of Service (DDoS) Attacks: Attackers install RATs on many user devices, then use those devices to flood the target server with spoofed traffic. Even though the attack can cause network performance degradation, users are often unaware that hackers use their devices for DDoS attacks.
  • Cryptomining: In some cases, attackers can use RATs to mine cryptocurrency on the victim’s computer. By scaling this action to many devices, they can make huge profits.
  • Remote file storage: Sometimes attackers can use RATs to store illegal content on unsuspecting victims’ machines. That way, authorities can’t shut down the attacker’s account or storage server because he keeps information on devices belonging to legitimate users.
  • Industrial Systems Compromise: As described above, attackers can use RATs to gain control over large industrial systems. These could be utilities such as electricity and water supplies. As a result, an attacker can cause significant damage to the industrial equipment by sabotaging these systems and disrupting critical services in entire areas.

Remote Access Trojan Examples

Sakula

Sakula is seemingly harmless software with a legitimate digital signature. However, the malware first appeared in 2012 and is used against high-level targets. It allows attackers to take full advantage of remote administration on the device and uses simple unencrypted HTTP requests to communicate with the C&C server. Additionally, it uses the Mimikatz password stealer to authenticate via a pass-the-hash technique that reuses operating system authentication hashes to hijack existing sessions.

KjW0rm

KjW0rm is a worm written in VBS in 2014 that uses obfuscation, making it difficult to detect on Windows computers. It has many variations; the older parent version is called “Njw0rm”. The malware and all other variants belong to the same family, with many features and similarities in its workflow. It deploys stealthily and then opens a backdoor that allows attackers to gain complete control of the machine and send data back to the C&C server.

Havex

Havex is a Remote Access Trojan discovered in 2013 as part of a large-scale spying campaign targeting industrial control systems (ICS) used in many industries. Its author is a hacker group known as Dragonfly and Energetic Bear. It gives attackers complete control over industrial equipment. Havex uses several mutations to avoid detection and has a minimal footprint on the victim’s device. It communicates with the C&C server via HTTP and HTTPS protocols.

Agent.BTZ/ComRat

Agent.BTZ/ComRat (also called Uroburos) is a Remote Access Trojan that became infamous after hackers used it to break into the U.S. military in 2008. The first version of this malware was probably released in 2007 and had worm-like properties, spreading via removable media. From 2007 to 2012, its developers released two significant versions of the RAT. Most likely, this is a development of the Russian government. It can be deployed via phishing attacks and uses encryption, anti-analysis, and anti-forensic techniques to avoid detection. In addition, it provides complete administrative control over the infected machine and can transmit data back to its C&C server.

Dark Comet

Backdoor.DarkComet is a Remote Access Trojan application that runs in the background and stealthily collects information about the system, connected users, and network activity. This Remote Access Trojan was first identified in 2011 and is still actively used today. It provides complete administrative control over infected devices. For example, it can disable Task Manager, the firewall, or User Account Control (UAC) on Windows machines. In addition, DarkComet uses encryption, thereby avoiding detection by antivirus.

AlienSpy

AlienSpy is a RAT that supports multiple platforms, allowing payload creation for Windows, Linux, Mac OS X, and Android operating systems. It can collect information about the target system, activate the webcam, and securely connect to the C&C server, providing complete control over the device. In addition, AlienSpy uses anti-analysis techniques to detect the presence of virtual machines. According to the researcher who analyzed the threat, the operator of the service is a native Spanish speaker, probably Mexican.

Heseber BOT

The Heseber BOT is based on the traditional VNC remote access tool. It uses VNC to remotely control the target device and transfer data to the C&C server. However, it does not provide administrative access to the machine unless the user has such permissions. Since VNC is a legitimate tool, antivirus tools do not identify Heseber as a threat.

Sub7

Sub7 is a Remote Access Trojan that runs on a client-server model. The backdoor was first discovered in May 1999 and ran on Windows 9x and the Windows NT family of operating systems up to Windows 8.1. The server is a component deployed on the victim machine, and the client is the attacker’s GUI to control the remote system. The server tries to install itself into a Windows directory and, once deployed, provides webcam capture, port redirection, chat, and an easy-to-use registry editor.

Back Orifice

Back Orifice is a Remote Access Trojan for Windows introduced in 1998. It supports most versions beginning with Windows 95 and is deployed as a server on the target device. It takes up little space, has a GUI client, and allows an attacker to gain complete control over the system. RAT can also use image processing techniques to control multiple computers simultaneously. The server communicates with its client via TCP or UDP, usually using port 31337.

How To Protect Against a Remote Access Trojan?

As stated above, Remote Access Trojans rely on their stealthiness. Once it has appeared, you will likely struggle to detect it, even if the exact malware sample is not new. That’s why the best way to protect against Remote Access Trojan is to not even give it a chance to run. The following methods represent proactive actions that severely decrease the chance of malware introduction and the possibility of getting in trouble.

Security training

Unfortunately, the weakest link in any defense is the human element, which is the root cause of most security incidents, and RATs are no exception. Therefore, an organization’s strategy for defending against RATs depends on organization-wide security training. Victims usually launch this malware through infected attachments and links in phishing campaigns, so employees must be vigilant not to accidentally contaminate the company network and jeopardize the entire organization.

Using multi-factor authentication (MFA)

Since RATs typically try to steal passwords and usernames for online accounts, using MFA can minimize the consequences if a person’s credentials are compromised. The main advantage of MFA is that it provides additional layers of security and reduces the likelihood that a consumer’s identity will be compromised. For example, suppose one factor, such as the user’s password, is stolen or compromised. In that case, the other factors provide an additional layer of security.

Strict access control procedures

Attackers can use RATs to compromise administrator credentials and gain access to valuable data on the organization’s network. However, with strict access controls, you can limit the consequences of compromised credentials. More stringent rules include:

  • More strict firewall settings
  • Safelisting IP addresses for authorized users
  • Using more advanced antivirus solutions

Solutions for secure remote access

Every new endpoint connected to your network is a potential RAT compromise opportunity for attackers. Therefore, to minimize the attack surface, it’s important to only allow remote access through secure connections established through VPNs or security gateways. You can also use a clientless solution for remote access. It does not require additional plug-ins or software on end-user devices, as these devices are also targets for attackers.

Zero-trust security technologies

Recently, zero-trust security models have grown in popularity because they adhere to the “never trust, always verify” principle. Consequently, the zero-trust security approach offers precise control over lateral movements instead of full network access. It is critical to suppressing RAT attacks, as attackers use lateral moves to infect other systems and access sensitive data.

Focus on infection vectors

Like other malware, a Remote Access Trojan is a threat only if it is installed and run on the target computer. Using secure browsing, anti-phishing solutions, and constantly patching systems can minimize the likelihood of a RAT infection. Overall, these actions are good practice for improving security in any case, not only against Remote Access Trojans.

Pay attention to abnormal behavior

RATs are Trojans that may present themselves as legitimate applications but contain malicious features associated with the actual application. Tracking the application and system for abnormal behavior can help identify signs that might indicate a Remote Access Trojan.

Monitoring network traffic

An attacker uses RATs to remotely control an infected computer over the network. Consequently, a RAT deployed on a local device communicates with a remote C&C server. Therefore, you should pay attention to unusual network traffic associated with such messages. In addition, it would be best to use tools such as web application firewalls to monitor and block C&C messages.
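The “unusual network traffic” worth watching for is the RAT’s call-home rhythm: the C&C channel described above is typically polled at a fixed interval. The following is an added example, not Gridinsoft’s code, that parses constructed connection-log lines and flags flows whose inter-connection timing is metronomic, plus any connection to the historical Back Orifice port 31337 named earlier on the page; the log format, addresses and thresholds are assumptions for the demonstration.

```python
"""
Beacon detection over constructed connection logs (added example).

A RAT keeps its C&C channel alive by connecting home on a steady timer.
This script groups connection records by (src, dst, dport), measures the
gaps between connections, and flags flows whose gaps hardly vary.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one record per line: "timestamp src dst dport bytes_out".
# 10.0.0.5 -> 203.0.113.7 connects every 60 s with near-constant size (beacon-like);
# 10.0.0.5 -> 198.51.100.20 is irregular browsing; 10.0.0.9 hits port 31337 once.
SAMPLE_LOG = """\
2023-06-01T10:00:00 10.0.0.5 203.0.113.7 443 412
2023-06-01T10:00:03 10.0.0.5 198.51.100.20 443 8800
2023-06-01T10:01:00 10.0.0.5 203.0.113.7 443 410
2023-06-01T10:02:00 10.0.0.5 203.0.113.7 443 414
2023-06-01T10:02:41 10.0.0.9 198.51.100.44 31337 128
2023-06-01T10:03:00 10.0.0.5 203.0.113.7 443 409
2023-06-01T10:04:00 10.0.0.5 203.0.113.7 443 411
2023-06-01T10:05:00 10.0.0.5 203.0.113.7 443 413
2023-06-01T10:07:12 10.0.0.5 198.51.100.20 443 5210
2023-06-01T10:13:48 10.0.0.5 198.51.100.20 443 6100
2023-06-01T10:31:05 10.0.0.5 198.51.100.20 443 7300
2023-06-01T10:32:00 10.0.0.5 198.51.100.20 443 2048
"""

# Port the article names as a historical RAT default (Back Orifice).
KNOWN_RAT_PORTS = {31337}

MIN_CONNECTIONS = 5   # assumed: fewer records is too little to call a pattern
MAX_JITTER = 0.2      # assumed: pstdev/mean of gaps; near 0 means metronomic


def parse_log(text):
    """Parse the constructed log lines into (ts, src, dst, dport, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return records


def find_beacons(records, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER):
    """Return flows whose inter-connection gaps are suspiciously regular."""
    flows = defaultdict(list)
    for ts, src, dst, dport, _ in records:
        flows[(src, dst, dport)].append(ts)

    findings = []
    for key, stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg   # coefficient of variation of the gaps
        if jitter <= max_jitter:
            findings.append({"flow": key, "count": len(stamps),
                             "period_s": round(avg, 1), "jitter": round(jitter, 3)})
    return findings


def find_known_rat_ports(records):
    """Return distinct flows that touch a port on the known-RAT-port list."""
    return sorted({(src, dst, dport) for _, src, dst, dport, _ in records
                   if dport in KNOWN_RAT_PORTS})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in find_beacons(recs):
        print("beacon-like flow:", hit)
    for flow in find_known_rat_ports(recs):
        print("known RAT port:", flow)
```

On the constructed sample the 60-second flow to 203.0.113.7 is reported with zero jitter while the irregular browsing flow is not, and the single 31337 connection is listed separately; on real logs, tune the thresholds and add an allow-list for legitimate pollers such as update and monitoring agents.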

Implement least privilege

The concept of least privilege implies that applications, users, systems, etc., should be restricted to the permissions and access they need to do their jobs. Therefore, using the least privilege can help limit an attacker’s actions with RAT.

Are Remote Access Trojans illegal?

Well, yes, but actually, no. It all depends on how and what you use it for. It is not the program itself that makes such tasks illegal. It’s the implementation. You can test and execute if you’ve written a Remote Access Trojan and have a home lab. You can use it if you have written permission from the other party. However, if you use the RAT maliciously, you may face some legal problems. So, to distinguish, professionals use the term “remote access tools” for legitimate access and control and “remote access trojan” for illegitimate access and control.

