Water Curupira’s Email Spam Campaigns

Water Curupira, one of the known operators behind Pikabot, have been instrumental in various campaigns. It primarily aims at deploying backdoors such as Cobalt Strike, that end up with Black Basta ransomware. Initially involved in DarkGate and IcedID spam campaigns, the group has since shifted its focus exclusively to Pikabot.

Pikabot’s Mechanism

Pikabot operates through two main components, a distinguishing feature that enhances its malicious capabilities. The loader and core module enable unauthorized remote access and execution of arbitrary commands through a connection with a command-and-control (C&C) server.

Pikabot’s primary method of system infiltration involves spam emails containing archives or PDF attachments. These emails are skillfully designed to imitate legitimate communication threads. They utilize thread-hijacking techniques to increase the likelihood of recipients interacting with malicious links or attachments. The attachments, designed either as password-protected archives with an IMG file or as PDFs, are crafted to deploy the Pikabot payload.

System Impact

Once inside the target system, Pikabot demonstrates a complex and multi-layered infection process. It employs obfuscated JavaScript and a series of conditional execution commands, coupled with repeated attempts to download the payload from external sources. The core module of Pikabot is tasked with collecting detailed information about the system, encrypting this data, and transmitting it to a C&C server for potential use in further malicious activities.

Another layer of Pikabot mischievous actions is the ability to serve as a loader/dropper. Malware uses several classic techniques, such as DLL hookup and shellcode injection. Also, it is capable of straightforward executable file launching, which is suitable for certain attack cases. Among other threats, Pikabot is particularly known for spreading Cobalt Strike backdoor.

Recommendations

To protect yourself against threats like Pikabot, which is spread by Water Curupira through email spam, here are some key recommendations:

• Always hover over links to see where they lead before clicking.
• Be cautious of unfamiliar email addresses, mismatches in email and sender names, and spoofed company emails.
• For emails claiming to be from legitimate companies, verify both the sender’s identity and the email content before interacting with any links or downloading attachments.
• Keep your operating system and all software updated with the latest security patches.
• Consistently backup important data to an external and secure location, ensuring that you can restore information in case of a cyber attack.
• Educate yourself and your company. Keep up to date with the latest cyber news to stay ahead of the curve.

The post Water Curupira Hackers Spread PikaBot in Email Spam appeared first on Gridinsoft Blog.

Integris Health Patient Data Extortion

By December 24, Integris Health patients reported receiving extortion emails. The attackers, claiming to have exfiltrated the personal data of over 2 million individuals, demanded payment to prevent the sale of this information. The extortion emails included links to a dark website where around 4,674,000 records were purportedly available.

The website provided choices to either delete or view the data upon payment. However, it is unclear whether there are duplicate records among all of them. The compromised data comprised Social Security Numbers, birthdates, addresses, insurance, and employment details. This fact was confirmed by patients who identified their personal information in those emails.

Incident Background

In November 2023, Integris Health detected unauthorized activities within its network. An investigation revealed that an unidentified party accessed confidential patient files on November 28. It is unknown at this time exactly what information was compromised.

Integris Health reports that the investigation is still ongoing. However, given the attack’s scale, cybercriminals likely gained access to a wide range of data, including names, addresses, insurance policy numbers, dates of birth, medical records, and other personal information.

Integris Responds to Ransom Emails

Integris Health has updated its security advisory, warning patients against interacting with the extortion emails. Nevertheless, this incident follows a similar pattern to that observed in the Fred Hutchinson Cancer Center attack. It suggests a potential link between the threat actors.

The dilemma faced by victims is whether to pay the ransom to protect their identity. However, legends say that paying the ransom does not assure data security or deletion. It also potentially marks the payer as a target for future extortion attempts.

Is It A New Cybercrime Meta?

The tactic of contacting users whose data was leaked directly is rather new, but looks organic in the modern threat landscape. While ransomware gangs like BlackCat practice forcing the companies to pay by reporting the hacks to SEC, the hackers who stand behind the Integris hack opted for this peculiar approach. But overall, such unusual steps appear to be if not a new extortion method, then at least a way to enforce paying off the ransom.

The intimidation factor is what makes us blush most. When it comes to multi-billion dollar companies that are listed on stock exchanges – it is much more than just a feeling of embarrassment. It is unlikely for hackers to start texting all their victims, as such practice is simply counter-productive. With large companies, however, it is essential to expect and be ready for some unique new tricks hackers come up with.

The post Integris Health Hacked, Patients Receive Ransom Emails appeared first on Gridinsoft Blog.

KraftHeinz Hacked by Snatch Ransomware

On December 13th, the Snatch ransomware gang listed KraftHeinz on their Darknet site. Although the entry for KraftHeinz on the site dates back to August 16th, it was only updated on the announcement day. Notably, the entry lacked detailed information or file samples, typical for such breaches. However, the absence of data could imply that the attackers are waiting for negotiations or have other strategic reasons for withholding information.

But what info can be found in KraftHeinz network? The company barely had any business with retail customers, with all the deals going to wholesale chains. Nothing critical or sensitive about folks, sure, but enough important information about corporations.

What can be a better gift to a stock trader than a pack of info regarding the co’s financial results days before its earnings report? What can be more valuable for other hackers than an info about weak spots in a company’s security from someone who has already breached it earlier? Frauds will make their money, this way or another – that is for sure.

Food Industry Under Ransomware Attacks

This attack on KraftHeinz is not an isolated incident. In fact, it represents the second major attack on a food producer by Snatch in just two months. As for KraftHeinz scale, the company employs around 40,000 people in over 40 countries and reported net sales of $26 billion in 2022. As a result, the breach threatens corporate security. It poses a risk to a vast array of popular brands under the Kraft Heinz umbrella, including Oscar Meyer, Velveeta, and Jell-O, among others.

Before KraftHeinz, Tyson Foods, another giant in the food sector, fell victim to Snatch in November. The attack pattern mirrored that of KraftHeinz, with limited information disclosed by the ransom operators. Such attacks have something in common and underline a worrying trend in the food industry following previous high-profile cyber attacks on companies like JBS USA, New Cooperative Inc., and Dole Foods.

Who is Behind the Attack?

Seemingly, Snatch, a ransomware group active since 2018, might not be as well-known as other cybercriminal groups. Nonetheless, its impact is increasingly being felt. The US Cybersecurity and Infrastructure Security Agency has warned about Snatch’s tactics, which include exploiting Remote Desktop Protocol vulnerabilities and spending extended periods on a victim’s network before launching an attack.

Snatch utilizes a Ransomware-as-a-Service model and is known for its double extortion tactics. The group’s approach to ransomware attacks is meticulous, often involving prolonged observation of the victim’s network. Over the last year, at least 95 organizations have fallen prey to Snatch, per monitoring tool. The group’s position is noble, and their manifesto promises victim notification and prioritizes negotiations, pledging not to disclose the exploited vulnerabilities beyond the victim.

The post KraftHeinz Hacked by Snatch Ransomware Gang appeared first on Gridinsoft Blog.

Google Fixes CVE-2023-6345 0-day Vulnerability

Limited public information is available about CVE-2023-6345, but it is identified as an integer overflow issue affecting the Skia component within Chrome’s graphics engine. The National Vulnerability Database (NVD) describes it as a high-severity bug that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a malicious file.

Actually, soon after the official announcement of the vulnerability fix, the real-world exploit appeared. Due to this, Google has rated the CVE-2023-6345 fix as a high-priority update due. The company has refrained from disclosing technical details until the majority of users and vendors employing the Chromium browser engine implement the fixes.

Security analysts note that Google TAG researchers reported CVE-2023-6345, highlighting its connection to spyware and APT activity. Comparisons are drawn with a previous similar flaw (CVE-2023-2136), suggesting the latest patch aims to prevent attackers from bypassing the earlier update.

More Security Patches

Alongside the zero-day fix, Google has released a total of seven security updates addressing various vulnerabilities:

• CVE-2023-6348: Type Confusion in Spellcheck
• CVE-2023-6347: Use after free in Mojo
• CVE-2023-6346: Use after free in WebAudio
• CVE-2023-6350: Out of bounds memory access in libavif
• CVE-2023-6351: Use after free in libavif

This latest announcement marks the fourth zero-day vulnerability Google has disclosed and patched in its Chrome browser this year.

Update Google Chrome

As we said earlier, patches and updates are the best way to fix vulnerabilities. So if you’re using Mac or Linux, the update will take your browser to version 119.0.6045.199, while Windows users will be upgraded to version 119.0.6045.199/.200. To check if the update is available, go to “Help” in your Google Chrome menu, and then click on “About”. If the update is ready, it will automatically start downloading.

It may take a few days for the update to be available to everyone. Once you have installed the update, make sure to restart your browser for the changes to take effect. Otherwise, your browser will remain vulnerable to attacks.

The post Google Addresses Zero-Day Vulnerability in Chrome appeared first on Gridinsoft Blog.

What is Sextortion?

The term “Sextortion” is rather self-explanatory, aside from the fact that this practice has been in use for a pretty long time. That is a type of email scams that aim at money extortion through the threats of publishing explicit visual content with the victim. To look more authoritative, the scammer may claim to have access to the target’s social media accounts.

Contrary to more classic email phishing scams, the attacker will never ask the victim about an action other than sending a sum of money. The reason for such a generous act is, as the villain assures, its possession over some compromising materials about you. Email text often discloses the way these photos and videos were obtained – from a webcam while you were browsing through adult sites, leaked from the hacked phone, or the like.

All this boils down to a simple demand: send the money or I will leak all these nude videos and pics to the public. Some definitely not exaggerating mates say they will post it from your profile, as they have access to it as well. Though ones who try to look more realistic simply promise to tag your entire friends list on a specific social media.

Are Sextortion Threats Real?

99.5% of the time, they are not. Even though some people can have someone’s nude photos on hand, the number of scam emails exceeds the number of these people by orders of magnitude. And since such graphic materials rarely end up in the hands of a stranger, it will be particularly easy to identify the extortionist. This adds up to the generic message text and absence of any proof – some definite signs of a scam. By the way, let’s have a more detailed look at them.

How to detect a Sextortion Scam Email?

Same as any email scam, sextortion bears on 3 psychological tricks: calling for a shock, forcing the feel of vulnerability and feeling of urgency. This leaves its footprint in the text, and eventually makes it somewhat templated in all the scam cases. Let’s review the most popular of them.

Typical Sextortion Email Patterns in Text

With time, there were dozens and hundreds of different text patterns for extortion emails. Most of them, however, are created with the intention of being suitable to any victim. It would be rather uncomfortable for a scammer to adjust the text whenever they target a new group of people. Thus, utterly generic and abstract text with absolutely no personalization is what you would expect from sextortion scams.

The sense of shock appears as the stranger says it has your nude photos. Moreover, this guy tries to pose as a “professional hacker”. They boasts of having access to all the browsing history, webcams, online wallets and the like. Why would they do nothing about this info – hijacking accounts, stealing all the money from online wallets? The question is rhetorical.

Urgency to the situation appears due to the “deadline” you should pay the ransom before. As the hacker says, any negotiations and stuff are not possible, and failing the payment date will end up with publishing all the materials. Some crooks also say things like “this is not my email so I will stop using it shortly after”. This creates even bigger concerns about the inability to avoid public shame.

Sure enough, the same methods may be used by someone whose threats are real. But they never follow the pattern, at least not that straightforward. This distinguishes a letter written by a real human from a tool of scammers, designed to fit any circumstances.

Check For A Re-Used Crypto Wallet

As sextortion scams are running in “waves”, you are most likely not the only person who got such an email. Frauds often stick to the exact same text, changing only the crypto wallet they ask to send the ransom to. A simple Google search of the wallet may reveal not just one, but several text patterns used in the same scam wave.

Two sextortion emails from 2019 and 2023 using the same text

Two sextortion emails from 2019 and 2023 using the same text

Obviously, when the con actor is real in its threats and is not running this as a business, it will never use someone else’s crypto wallet or the one used in a scam before. Even when a real hacker does something like this (such an occasion happens once in a while) it will never use the same wallet twice. Moreover, “real hackers” rarely opt for Bitcoin as a payment method, preferring cryptos like Monero or DarkCoin. The latter have the anonymizing infrastructure that is so heavily demanded when you are going outlaw.

AI-fueled Sextortion Scams Incoming

All in all, sextortion is a rather old scam that was not really effective over the last few years. People are aware about it, and there is almost no way this is real after all. This is true, but over the last few years, there is a huge risk of sextortion scams being resurfaced with a force yet unseen. Let me explain.

The current AI development is exciting. But what is more mind-boggling is the number of malignant implementations for this potential. In particular, we are talking about their photo editing capabilities. There are quite a few AI services even these days that will edit the clothing out of the picture of a person you’ve uploaded. Combine this ability with sextortion scams and the fact that most people share their normal photos without any doubt – and you receive fuel for a new, unpredictably powerful scam wave.

Scammers who stand behind sextortion emails will finally stop extorting money for nothing. This time, they may get not only a manipulative text, but things to prove their claims with. And, if you ignore the demand, they will post them somewhere. There’s still no reason to believe in their tails about access to all your accounts, but dumping the photos while tagging all your friends list may still be effective.

Sure, it is rather easy to prove the AI origin of images and videos. But the very fact of these images’ existence may throw people into panic. This will eventually force them to pay the ransom – which still does not guarantee that the scammer will not publish these fake photos. And even when you remain calm and ignore all the threats, it may be bothersome to prove that these nude photos of yours are just a hallucination of a vicious neural network.

How to protect yourself from email scams?

Well, that is not an easy question to answer. As I’ve just explained, things are getting complicated, and there is no well-rounded advice for the most modern cases. However, I took my time to think through the possible mitigation options for the majority of situations.

Control sharing your personal email address. While benign services try to keep their customers’ info private, there are enough services that do not care. Some shady forums, torrent tracking sites, websites with cracked software – they will gladly sell databases of their users’ emails to someone. Then, these databases are used to spam people and spread scams, including sextortion. Avoid leaving any personal info in such places, or at least do not use your personal email for authorization purposes.

Keep your head cold. A thing all extortionists rely on is your panic actions upon realization that someone may publish inappropriate graphic content with you online. You, in turn, should not do any emotional acts – that will save you both money and gray hair.

Change all your passwords. This is mostly for good measure, as only a few cases out of thousands of sextortion scams could really boast having your passwords leaked. Though, the very habit of updating your login credentials is a great enhancement to your personal cybersecurity.

Warn your friends, colleagues and relatives about a fake video. By announcing preventively that a provocative video can appear, you minimize the initial shock it may create. After that, all the fake video will do is call friendly laughs, avoiding shame or arguments. Even if the scammer is kidding and there is no graphic material in its possession, even a fake one, this will uplift the awareness of such cases.

The post What is Sextortion? Explanation, Signs & Ways to Avoid appeared first on Gridinsoft Blog.

Welltok Data Leaked Because of MOVEit

Welltok specializes in online wellness programs, predictive analytics, and supporting healthcare needs for providers nationwide. The breach, resulting from a MOVEit software vulnerability exploited by the Cl0p ransomware gang, allowed unauthorized access to confidential patient data.

Sensitive patient information compromised during the breach includes a whole lot of information. Among them are full names, email addresses, physical addresses, telephone numbers, Social Security Numbers (SSNs), Medicare/Medicaid ID numbers, and certain health insurance information. The breach has affected healthcare institutions in multiple states, with notable providers such as:

• Blue Cross and Blue Shield
• Corewell Health
• Mass General Brigham Health Plan
• Corewell Health
• Faith Regional Health Services

Welltok’s initial estimates didn’t disclose the full scale of impacted individuals. However, recent reports confirm that 8,493,379 people have been affected, making it the second-largest MOVEit data breach after Maximus. The breach’s ripple effect extends to various healthcare plans, emphasizing the widespread consequences for patients and healthcare providers.

Implications of Welltok Data Breach

Welltok sent out data breach letters to those impacted by the data security incident on November 17, 2023. The letters contain a list of compromised information.

A review of the affected files revealed that they contained sensitive information about health plan members, including their names, dates of birth, addresses, and health records. In addition, some individuals’ Social Security numbers, Medicare/Medicaid IDs, and health insurance information were also stolen. A substitute breach notification was uploaded to the Welltok website in October. However, the page was set as no-index, meaning it wouldn’t be indexed by search engines and would only likely be found by individuals who visited the website.

How to prevent data breaches?

To prevent data breaches, organizations should prioritize a comprehensive cybersecurity strategy. Begin by conducting regular security audits and implementing strong access controls, ensuring employees have minimal access privileges. Encrypt sensitive data both in transit and at rest, utilizing robust encryption methods. Keep systems updated with the latest security patches and employ multi-factor authentication to enhance access security.

Invest in employee training to raise awareness about cybersecurity risks, particularly phishing attacks. Secure network perimeters using firewalls and intrusion detection systems, monitoring user activities for any anomalies. Regularly back up critical data and establish a solid recovery plan to minimize downtime in case of a breach.

The post Welltok Data Breach Exposes More Than 8 million Patients appeared first on Gridinsoft Blog.

Who are Gamaredon?

Gamaredon’s unique profile goes beyond its commitment to espionage goals. The Security Service of Ukraine (SSU) has linked Gamaredon personnel to the Russian Federal Security Service (FSB), adding a geopolitical twist to the group’s activities. The FSB, responsible for counterintelligence, antiterrorism, and military surveillance, sheds light on the strategic and state-sponsored nature of Gamaredon’s operations. Despite the ever-changing landscape of its targets, Gamaredon’s infrastructure exhibits consistent patterns, emphasizing the need for careful scrutiny from cybersecurity experts.

What is LitterDrifter?

One of Gamaredon’s tools – the notorious USB-propagating worm, LitterDrifter. This VBS-written malware showcases Gamaredon’s adaptability and innovation. Despite the old name of malware type, it packs quite a lot of functions much needed in modern cyberattacks.

As a part of the APT’s infrastructure, LitterDrifter introduces a global element to Gamaredon’s operations. Beyond its intended targets in Ukraine, this worm has left potential infections in its wake in countries like the USA, Vietnam, Chile, Poland, Germany, and even Hong Kong. The global reach of LitterDrifter adds to the overall potential of the threat actor in globe-scale cyberattacks.

The key functionality of LitterDrifter worm circulates around being the remote access tool. In other words, it is a backdoor with worm-like self-spreading capabilities. It is a hidden unauthorized access point in a computer system, software, or network that allows accessing the target environment. In cyberattacks, backdoors mostly act as initial access and reconnaissance tools, which then “open the gates” for further malware injection.

LitterDrifter doesn’t just spread automatically over USB drives. It introduces a global element to Gamaredon’s operations. Beyond its intended targets in Ukraine, this worm has left potential infections in its wake in countries like the USA, Vietnam, Chile, Poland, Germany, and even Hong Kong. The global reach of LitterDrifter highlights the broader threat it poses to cybersecurity worldwide.

Gamaredon’s Campaign Against Ukraine

Gamaredon Group has exhibited a sustained and targeted cyber espionage campaign against Ukraine and its institutions. It includes military, non-governmental organizations (NGOs), judiciary, law enforcement, and nonprofit entities since at least 2013. The group, suspected to have ties to Russian cyber espionage efforts, has consistently focused on infiltrating Ukrainian entities. It is evident in its choice of Ukrainian language lures and primary targets within the region.

LitterDrifter emerges as yet another tool employed by the group in its multifaceted cyber operations. As revealed through ongoing monitoring and analysis researchers, Gamaredon has utilized LitterDrifter alongside various other techniques and malware to achieve its objectives. This has further strengthened the group’s status as a advanced persistent threat against Ukrainian and allied interests.

Protection against LitterDrifter

As LitterDrifter reveals its global impact, it prompts a call for a unified and fortified global cybersecurity defense. The worm’s ability to transcend borders underscores the importance of international collaboration in addressing and mitigating cyber threats.

Protecting from threats like LitterDrifter requires a combination of proactive cybersecurity practices and vigilance. Here are some recommendations to enhance your protection against such worms:

• Be cautious when inserting USB drives into your computer, especially if they are from unknown or untrusted sources. Consider using USB drives that have read-only switches to prevent unauthorized writing.
• Regularly back up your important data and store backups in a secure location. In the event of a ransomware attack, having recent backups can help you restore your system without paying the ransom.
• Follow security best practices such as using strong, unique passwords, enabling two-factor authentication, and limiting user privileges. These practices can add layers of protection against various cyber threats.
• Keep yourself informed about the latest cybersecurity threats and vulnerabilities. Being aware of the evolving threat landscape enables you to adapt your security measures accordingly.

The post LitterDrifter – Russia’s USB Worm Targeting Ukrainian Entities appeared first on Gridinsoft Blog.

What is Plume?

Plume Design, Inc. develops and sells smart home Wi-Fi mesh networking systems. Its flagship product, the Plume SuperPod, is a mesh Wi-Fi system that uses AI to optimize network performance. Plume also provides software features such as parental controls, network security, and motion sensing. ISPs, cable companies, and telecoms use the company’s technology.

It works as a Software-as-a-Service (SaaS) specializing in smart Wi-Fi solutions, cloud management, and AI-driven security services. Operating in over 45 countries, the company boasts a significant user base, claiming to serve more than 55 million homes and small businesses.

Plume Data Breach Details

Plume, a leading provider of smart WiFi services, finds itself at the center of a potential data breach. The attackers have purportedly posted gigabytes of user data on a prominent data leak forum. The breach, if confirmed, could impact millions of Plume’s customers and staff members. Attackers claim to have successfully infiltrated Plume’s systems, making off with a substantial 20GB of data from the company’s WiFi database. This trove of information reportedly encompasses more than 15 million lines, featuring diverse user profiles, including mobile app users, customers, and even Plume’s internal staff.

The attackers said the dataset encompasses sensitive information like email addresses, device details, carriers, first and last names, iOS and Android versions, and more. As for the company’s reaction, Plume’s response to the claims has been prompt, acknowledging the alleged breach and initiating an internal investigation. A representative from Plume stated, “We are aware of the claim, and our teams are actively investigating the situation.”

Data Sample Validation

The research team has delved into the data sample provided by the attackers, affirming that the sample aligns with the details outlined in the attackers’ statements. However, the lack of a complete data set from the attackers raises questions about the authenticity of the leaked information. Without a comprehensive dataset, whether the compromised data genuinely belongs to Plume or was sourced from an alternative origin remains uncertain.

Notably, the attackers have taken an unconventional approach by creating an X account and announcing the alleged breach on social media platforms. This departure from traditional covert channels raises some eyebrows within the cybersecurity community. In contrast, attackers typically opt for discreet methods when publicizing their exploits.

Potential Impacts

As Plume’s investigative teams delve deeper into the situation, users are advised to remain vigilant and consider implementing additional security measures. While the company is actively addressing the claims, the potential exposure of sensitive information necessitates a proactive approach from users to safeguard their data.

The post Plume Hacked, Data Leaked in the Darknet appeared first on Gridinsoft Blog.

The decision was made last week following negotiations in Washington between Anne Neuberger, U.S. deputy national security adviser for cyber and emerging technologies, and her South Korean and Japanese colleagues.

As part of the initiative, regular quarterly meetings will be held in a new format.

North Korean hackers are state sponsored

North Korea is often accused of cyberattacks aimed at financing its missile and nuclear programs. As noted in a recent UN report, in 2022, hackers working for the DPRK were particularly likely to attack foreign companies to steal cryptocurrency. Thanks to high-tech methods, record amounts were stolen compared to previous years.

The UN said most of the cyberattacks its researchers looked at were carried out by groups controlled by North Korea’s top spy agency. These groups include Kimsuky, Lazarus Group and Andariel, and are monitored by the cybersecurity industry in the US, Europe and Asia.

For example, the media reported that the FBI has officially linked the hack of the Harmony Horizon cross-chain bridge to the Lazarus group. The robbery, which took place at summer 2022, resulted in theft of $100 million worth of cryptocurrency assets.

North Korea’s activity in the cyber threats has been growing over recent years

Aside from country-specific cyberattacks, North Korean hackers also launch supply chain attacks. For example, in April we reported that a group linked to the Asian dictatorship authorities attacked the supply chain of the company 3CX, which caused a number of other attacks on supply chains.

According to experts, the UNC4736 hackers were associated with the financially motivated hacker group Lazarus from North Korea.

We also talked about the hunt of North Korean cybercriminals for IT specialists. Attackers have sought to infect researchers’ home systems and software with malware aiming to infiltrate the networks of companies for which their targets work.

Government groups for this spy company switched from phishing emails to using fake LinkedIn accounts allegedly belonging to HR. These accounts carefully imitate the identities of real people in order to deceive victims and increase the chances of an attack being successful.

Having contacted the victim and made her an “interesting offer” for a job, the attackers try to transfer the conversation to WhatsApp, and then use either the messenger itself or email to deliver a backdoor, which the researchers called Plankwalk, as well as other malware.

North Korea as part of a new axis of evil

The North Korean regime is dangerous not only because it sponsors cyber attacks on Western enterprises and companies, and not only because of repression against its citizens and the testing of new missiles that threaten the democratic countries of the Pacific region.

Recently, the Russian and North Korean dictatorships agreed to supply Korean weapons for use during the Russian invasion of Ukraine. CNN reported that more than a million artillery shells were transferred to Russia as part of this agreement.

Therefore, news about the consolidation of efforts in the fight against regimes that carry out certain actions that violate human rights can only be welcomed. Cyberspace has become a battlefield not only against crime – the confrontation in cyberspace is already taking place at the interstate level.

The post North Korean Hackers Force US, Japan & South Korea Consultations appeared first on Gridinsoft Blog.

Hackers typically does not like attacking critical infrastructure. Though, we have records on hackers attacking water treatment plant in Florida. This ledto a change in chemical composition of drinking water in a little town. There was also the case of hacking into the computer system of a water utility.

According to a press release issued by the US Department of Justice, Gallo deliberately removed the main operating and monitoring system for the refinery and then shut down the servers that ran those systems.

Gallo’s indictment charges include one charge of transmitting a program, information, code, and command to damage a protected computer, pursuant to 18 U.S.C. §§ 1030(a)(5)(A) and ©(4)(B)(i). Gallo faces up to 10 years in prison and a $250,000 fine, and the court can order additional supervised time, additional fines and damages if appropriate.

In March 2023, the Biden administration announced that it would make it mandatory for states to conduct cybersecurity audits of public water systems. Water systems are a critical infrastructure that is increasingly at risk of cyberattacks from both cybercriminal organizations and actor states, the US Environmental Protection Agency said.

In June 2021, a report published by NBC News reported that attackers attempted to compromise an unknown water treatment plant that serves the San Francisco Bay, the attack occurred on January 15th. The hackers gained access to systems at the station using a former employee’s TeamViewer account and attempted to manipulate the software used to purify drinking water. In February 2021, the Sheriff of Pinellas reported that attackers attempted to increase sodium hydroxide levels 100 times in Oldsmar’s water supply. The scenario described by Pinellas Sheriff Bob Gualtieri is alarming: An attacker tried to increase the level of sodium hydroxide, also known as lye, by 100 times in Oldsmar’s water supply.

In March 2021, the U.S. Department of Justice indicted Wyatt A. Travnicek, of Ellsworth County, Kansas, for accessing and tampering with the Ellsworth County rural water computer system. Travnicek accessed the computer system of the public water supply system on March 27, 2019 without permission. Travnicek worked for Ellsworth County on the rural water supply for about a year, remotely monitoring the plan by accessing Post Rock’s computer system. After gaining access to the public water supply, the man allegedly committed malicious acts that halted processes at the facility that affected cleaning and disinfection procedures.

In May 2021, WSSC Water suffered a ransomware attack targeting a portion of their network that runs non-essential business systems. In October 2021, a joint cybersecurity bulletin published by the FBI, NSA, CISA, and the Environmental Protection Agency revealed three more ransomware gang attacks on US wastewater treatment plants (WWS) this year.

The attacks became publicly known and took place in March, July and August 2021, respectively. The three sites affected by ransomware operators are located in Nevada, Maine and California. In all of the attacks, ransomware encrypted files on infected systems, and in one of the security incidents, attackers compromised a system used to control industrial SCADA equipment.

Three incidents, included in the bulletin:

1. August 2021. Attackers used Ghost ransomware against a WWS facility in California. The ransomware variant was on the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.
2. July 2021. Cybercriminals used remote access to inject ZuCaNo ransomware into a wastewater SCADA computer at a WWS Maine facility. The cleaning system operated manually until the SCADA computer was restored with local control and more frequent rounds of operators.
3. March 2021. Cybercriminals used an unknown variant of ransomware against a WWS facility in Nevada. The ransomware affected the victim’s SCADA system and backup systems. A SCADA system provides visibility and monitoring, but is not a complete Manufacturing Control System (ICS).

The post California Water Treatment Plant Is in the Hands of a Hacker appeared first on Gridinsoft Blog.