Staff at Dublin Airport have been warned that their personal data has fallen into the hands of hackers, following a data breach at a third-party service provider.
Read more in my article on the Hot for Security blog. Read More
Graham Cluley
Ransomware group claims it’s “compromised all of Sony systems”
Newcomer ransomware group RansomedVC claims to have successfully compromised the computer systems of entertainment giant Sony. As ransomware gangs do, it made the announcement on its dark web website, where it sells data that it’s stolen from victims’ computer networks.
The announcement says Sony’s data is for sale:
Sony Group Corporation, formerly Tokyo Telecommunications Engineering Corporation, and Sony Corporation, is a Japanese multinational conglomerate corporation headquartered in Minato, Tokyo, Japan
We have successfully compromissed [sic] all of sony systems. We wont ransom them! we will sell the data. due to sony not wanting to pay. DATA IS FOR SALE
Sony has yet to comment on the matter, and it’s important to understand that we only have one side of the story—and the side we have comes from a group of criminals. The claims of Sony’s compromise may yet prove false or, perhaps more likely, exaggerated.
If RansomedVC is to be believed though, Sony has not caved into the group’s demands for a ransom, so good for Sony, bravo. Sometimes businesses feel they have to pay their extortionists, and we aren’t going to judge anyone for making that choice. However, we’re definitely happy to applaud loudly when they don’t pay.
If Sony has been breached then its customers will be understandably concerned to safeguard their data. With information so thin on the ground it’s too early to offer specific advice, but we suggest you read our guide to what you need to know if you’re involved in a data breach.
Should it confirm the breach, Sony will join a fairly lengthy list of games and entertainment companies that have had data stolen or ransomed. Games companies are prime targets for theft and extortion because of the high value and high profile of their intellectual property.
Notable victims have included Capcom and Ubisoft in 2020, and CD PROJEKT RED, makers of Cyberpunk 2077 and Witcher 3, in 2021, the same year that FIFA 21 source code was stolen from Electronic Arts. In 2022 Bandai Namco was attacked by ransomware, and Rockstar Games suffered a serious breach at the hands of the short-lived Lapsus$ gang.
RansomedVC is a new ransomware group, first tracked by Malwarebytes in August 2023 after it published the details of nine victims on its dark web site. The only departure it makes from the usual cut ‘n’ paste criminality of ransomware groups is that it threatens to report victims for General Data Protection Regulation (GDPR) violations. It describes itself as a “digital tax for peace”, but of course it isn’t. We’ve heard this a million times before, and it’s always just a cash grab.
Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
Malwarebytes Labs
Hackers Hijacking Antivirus Updates to Deliver GuptiMiner
A sophisticated malware campaign has been compromising the update mechanism of eScan antivirus software to distribute malicious backdoors and cryptocurrency mining software.
The campaign, dubbed GuptiMiner, has been linked to a threat actor with potential connections to the notorious Kimsuky group.
GuptiMiner leverages a man-in-the-middle attack to exploit vulnerabilities in the update process of the eScan antivirus, a product of an Indian cybersecurity firm.
By hijacking this process, the attackers have been able to distribute their malware to unsuspecting users stealthily.
Avast’s investigation led to the discovery of the issue, which was promptly reported to eScan and India’s Computer Emergency Response Team (CERT). On July 31, 2023, eScan confirmed that the vulnerability had been addressed and resolved.
The GuptiMiner campaign is not limited to a single type of malware but includes a variety of tools designed to breach large corporate networks.
Two distinct backdoors have been identified, each with the capability to provide attackers with remote access to infected systems.
Additionally, the campaign’s final payload involves deploying XMRig, a well-known cryptocurrency mining software, which harnesses the processing power of infected machines to mine Monero (XMR).
Since 2018, GuptiMiner has undergone significant evolution, with its developers continuously enhancing its capabilities. The malware exhibits a complex infection chain and employs advanced techniques such as:
DNS requests to attacker-controlled servers
Sideloading malicious payloads
Extracting executable code from seemingly benign images
Utilizing a custom trusted root anchor certification authority to sign payloads
Infection chain (Source: Avast)
These sophisticated methods not only demonstrate the attackers’ high level of expertise but also highlight the persistent threat posed by such malware campaigns.
The GuptiMiner campaign represents a severe security threat, particularly for large organizations that rely on antivirus solutions to protect their networks.
Hackers’ ability to use a trusted update process as a delivery mechanism for malware is a concerning development in the cybersecurity landscape.
In the GuptiMiner operation, the attackers used advanced techniques such as DNS requests to the attacker's DNS servers, sideloading, extracting payloads from images, and signing payloads with a custom trusted root anchor certification authority.
Avast immediately mitigated the threat upon discovery by disclosing the vulnerability to the affected parties.
The swift response from eScan and the subsequent resolution of the issue has prevented further exploitation of the vulnerability.
Users are advised to ensure their antivirus software is up to date and to remain cautious of any unusual system behavior that could indicate a compromise.
The post Hackers Hijacking Antivirus Updates to Deliver GuptiMiner appeared first on Cyber Security News.
Cyber Security News
New Warmcookie Windows backdoor pushed via fake job offers
A never-before-seen Windows malware named ‘Warmcookie’ is distributed through fake job offer phishing campaigns to breach corporate networks. […] Read More