Cyberattack Against UK Supercomputer ARCHER Forces Operators to Disable Access for Scientists

ARCHER, a UK world-class supercomputer, was hit by a cyberattack earlier this week. Providing invaluable resources for scientists studying global issues, the UK National Supercomputing service also serves a National Health Service (NHS) project working on developing a Coronavirus vaccine.

What happened? On May 11, attackers exploited ARCHER’s login nodes, forcing the EPCC Systems team to disable access to the system. Officials started investigating and informed the community that users would not be able “to log in or to submit new jobs.”

Yesterday, the admin posted updates on the website, stating that “we now believe this to be a major issue across the academic community as several computers have been compromised in the UK and elsewhere in Europe. We have been working with the National Cyber Security Centre (NCSC) and Cray/HPE in order to better understand the position and plan effective remedies.”

Additionally, “all of the existing ARCHER passwords and SSH keys will be rewritten and will no longer be valid on ARCHER. When the ARCHER Service is returned, there will be a requirement to connect to ARCHER using a SSH key and a password. It is imperative that you do not reuse an old password or SSH key.”

Operators also advise users to change passwords on any other systems that take the same credentials as ARCHER.

“University teams are currently working with specialists from our technology partners and the National Cyber Security Centre to agree the recovery path and determine when access can be safely reinstated,” said a university spokesman. “There is currently nothing to suggest that any research, client or personal data has been impacted by this issue and all relevant stakeholders are being updated.”

While there is no evidence of a well-targeted attack, a recent joint advisory from UK and US officials says that, “we are currently investigating a number of incidents in which other states are targeting pharmaceutical companies, medical-research organizations, and universities, looking for intelligence and sensitive data, including research on the virus.”

At the same time, security specialists cannot deny that the most recent attack seeks to further jeopardize and steal intellectual property related to Coronavirus treatments. Although extensive malicious activity has been observed, no data theft has been confirmed so far.

Fake COVID-19 Cryptocurrency Emerges Promising to Gain Value with Each Death

A new report reveals exponential growth in the number of phishing and website scams leveraging the COVID-19 pandemic, including websites peddling fake COVID-19 cryptocurrencies and crypto wallets that aim to siphon data for phishing. One site even claims the value of its crypto coin increases with each death from the virus.

The findings in Bolster’s Q1 2020 State of Phishing and Online Fraud Report are in line with many other industry reports analyzing hackers’ COVID-19 gold-rush in recent weeks, including Bitdefender’s own research on the subject.

For example, in Q1 2020 Bolster recorded exponential growth in phishing and website scams. Almost a third of all confirmed phishing and counterfeit pages were related to COVID-19.

In March, researchers found 102,676 websites related to medical scams, with 1,092 sites either offering Hydroxychloroquine or spreading misinformation about using it to cure COVID-19.

COVID medical scams not only play on a cure, as we’ve seen before, but also on stimulus checks and loans. Hackers are also heavily targeting remote workers and those quarantined. Remote workers are using communication and collaboration platforms more than ever, leading to a 50% increase in phishing sites preying on the practice, from January to March. Streaming phishing sites mushroomed even more in the same period – by 85%, Bolster researchers said.

But perhaps the most interesting finding in the report was this (emphasis ours):

“Bolster discovered multiple phishing websites peddling fake COVID-19 cryptocurrencies and crypto wallets that aim to siphon data for future phishing, targeted malware, or credential stealing. One COVID-19 cryptocurrency bills itself as ‘The World’s Fastest Spreading Crypto Currency’ and attempts to get visitors to download suspicious files off GitHub. Another site prompts visitors to register to find out more information about a COVID coin that ‘gains value as more people die and get infected.’”


Researchers Spot 24,000 Android Apps Leaking User Data

Comparitech researchers led by cybersecurity expert Bob Diachenko have revealed that 24,000 Android apps expose user information through misconfigurations on Google Firebase, a popular development platform used by roughly 30% of apps on the Google Play Store.

In their analysis, the team reviewed 515,735 Android apps (18% of all apps on Google Play), and found 155,066 using Google’s cloud-hosted Firebase databases. Among selected apps, 4,282 were leaking sensitive information such as:

• Email addresses of 7 million users
• Usernames of 4.4 million
• Passwords of 1 million
• Phone numbers of 5.3 million
• Full names of 18.3 million
• Chat messages of 6.8 million
• GPS data of 6.2 million
• IP addresses of 156,000 users
• Street addresses of 500,000
• Undisclosed number of credit card numbers and photos of government-issued identification

When it comes to vulnerable Firebase configurations and app category, Games ranked the highest with 24.71%, followed by Education with 14.72%, Entertainment with 6.02%, Business with 5.28%, and Travel and local with 4.31%.

The researchers also found that 9,014 apps “even included write permissions, which would allow an attacker to add, modify, or remove data on the server, in addition to viewing and downloading it.” Malicious actors who also have write access could inject fake data into an application, phish or scam users, and, ultimately, spread malware.

The risk of exposure for any Android user is quite high, considering that vulnerable apps have been installed more than 4 billion times.
“Given the average smartphone user has between 60 and 90 apps installed, the chances are high that an Android user’s privacy has been compromised by at least one app,” researchers said.

Researchers notified Google on April 22, and provided a full report of their findings. The tech company said it is reaching out to developers with recommendations for amending potential misconfigurations.
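The read and write exposure described above can be checked on the developer side before an app ships. The following is an added example, not code from Comparitech, Google or the original article: it assumes the Firebase Realtime Database rules JSON format, and the sample rules and the function name `audit_rules` are constructed for illustration.

```python
import json

# Constructed sample rules for illustration; not taken from any real app.
SAMPLE_RULES = json.loads("""
{
  "rules": {
    "chat": {
      ".read": true,
      ".write": "auth != null",
      "$room": { ".read": "auth != null" }
    },
    "scores": { ".read": "true", ".write": true },
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
  }
}
""")

OPS = (".read", ".write")


def is_public(expr):
    """A rule is public when it is the literal true, as a boolean or a string."""
    if isinstance(expr, bool):
        return expr
    return isinstance(expr, str) and expr.strip() == "true"


def audit_rules(doc):
    """Return sorted (path, operation, issue) findings for a rules document."""
    findings = []

    def walk(node, path, open_ops):
        now_open = set(open_ops)
        for op in OPS:
            if op not in node:
                continue
            name = op[1:]
            if op in open_ops:
                # Grants cascade downward, so a deeper rule cannot revoke them.
                if not is_public(node[op]):
                    findings.append((path, name, "ineffective"))
            elif is_public(node[op]):
                findings.append((path, name, "public"))
                now_open.add(op)
        for key, child in node.items():
            if isinstance(child, dict):
                walk(child, path.rstrip("/") + "/" + key, now_open)

    walk(doc.get("rules", {}), "/", set())
    return sorted(findings)


if __name__ == "__main__":
    for path, op, issue in audit_rules(SAMPLE_RULES):
        print(f"{issue:12} {op:6} {path}")
```

A "public" finding marks the shallowest path where unauthenticated access begins; an "ineffective" finding marks a stricter child rule that cannot take effect because a parent already grants access.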

What can an Android user do? Comparitech suggests following basic cyber hygiene rules:

• Stop recycling passwords across multiple accounts
• Only use trusted Google Play applications with good reviews and many downloads
• Read the Privacy Policy of the app to check what information you are sharing with the developer
• Don’t share sensitive information

U.S. Government Lists CVEs Most Exploited by Foreign Cyber Adversaries

A joint report from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the broader U.S. government offers information about the commonly known vulnerabilities exploited by sophisticated foreign cyber actors.

Outdated software and hardware remain one of the most significant security problems for companies and organizations, and they are a main route for attackers looking for a way in. Not surprisingly, bad actors usually look for vulnerabilities that were never patched, even though patches are usually available.

It’s true that attackers sometimes use zero-day vulnerabilities, flaws that are unknown and unpatched, but that’s the exception and not the rule.

“The public and private sectors could degrade some foreign cyber threats to U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date,” says the advisory.

“A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective. A concerted patching campaign would also bolster network security by focusing scarce defensive resources on the observed activities of foreign adversaries.”

The most exploited vulnerabilities between 2016 and 2019 are: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600.

According to cybersecurity specialists in the U.S. government, Microsoft’s Object Linking and Embedding (OLE) technology is often exploited, followed in second place by the widespread web framework Apache Struts.

Foreign actors from China, Iran, North Korea, and Russia are the most frequent users of these vulnerabilities, looking for companies and organizations that have yet to apply the patches for the vulnerabilities mentioned above.

Finally, the landscape in 2020 looks a little bit different, with bad actors exploiting unpatched VPN vulnerabilities in Citrix VPN or Pulse Secure VPN. Also, the surge of people working from home has led criminals to target organizations that hastily deployed Microsoft O365 without implementing the necessary security measures.

The advisory also lists the mitigations for the mentioned vulnerabilities, which most of the time amount to installing the latest updates.

Law Firm Used by Celebrities Affected by REvil Ransomware and Data Breach

Grubman Shire Meiselas & Sacks, a New York-based law firm used by numerous celebrities, was hit with REvil ransomware, and the attackers also stole vast amounts of data, including artists’ contracts.

Many ransomware attacks target specific industries and organization types, and law firms are not exempt. It turns out that they are actually a prime draw for attackers, as the latest incident shows.

Lots of well-known artists use the law firm’s services, including Madonna, Mary J. Blige, Mariah Carey, HBO’s “Last Week Tonight With John Oliver,” and others. According to a Variety report, even Facebook is among the affected companies.

A ransomware attack means systems belonging to the law firm were locked and the data encrypted. In this case, the ransomware is REvil, also known as Sodinokibi. And, while encryption is bad enough, it turns out that the attackers also stole 756GB of data.

Criminal ransomware groups have started to change tactics as many companies take more precautions, such as insurance and backup systems. After stealing data, the attackers threaten to release it publicly or sell it on the dark web. Either way, it’s used as more leverage against the victim because the backup might not be enough.

“We can confirm that we’ve been victimized by a cyberattack,” said the firm to Variety. “We have notified our clients and our staff. We have hired the world’s experts who specialize in this area, and we are working around the clock to address these matters.”

Law enforcement agencies and cybersecurity experts always advise against paying ransom, but it remains to be seen how this standoff will end.

One of the more high-profile attacks involving REvil took place on 31 December 2019 against Travelex, a foreign exchange firm. Reportedly, the company eventually paid $2.3 million to regain access to its systems.

Data Breach at U.S. Marshals Service Exposes Personal Data of 387,000 Prisoners

The U.S. Marshals Service (USMS) has started notifying 387,000 former and current inmates of a security breach that may have compromised their personally identifiable information.

According to USMS officials, the incident occurred in December 2019, when a bad actor infiltrated the DSNet system, a platform that aids “the movement and housing of USMS prisoners with the federal courts, Bureau of Prisons, and within the agency.”

The attacker exploited a vulnerability in the system to steal information on inmates, including names, dates of birth, social security numbers, and home addresses.

In a copy of the breach notification letter obtained by ZDNet, the Prisoner Operations Division of USMS provides additional information on the incident:

“On December 30, 2019, the United States Marshals Service (USMS) Information Technology Division (ITD) received notification from the Department of Justice, Security Operations Center (JSOC) of a security breach affecting a public-facing USMS server that houses information pertaining to current and former USMS prisoners,” the letter reads. “You have been identified as an individual whose personally identifiable information (PII) may have been compromised as a result of this breach.”

The notice also warns individuals about the risks of identity theft, and recommends they complete a Federal Trade Commission ID Theft Affidavit that will notify any existing creditors about the compromised data.

Additionally, inmates should consider signing up for a credit freeze or fraud alert with an existing credit-reporting agency that may assist with limiting future damages.

While the USMS and DOJ claim to have taken “numerous corrective actions to prevent future attacks, including comprehensive code review/correction and testing before returning DSNet to service,” the data breach could have serious implications. Many affected individuals are serving long prison sentences, and bad actors could easily profit off the stolen personal information.

Identity theft should not be taken lightly, as millions of U.S. citizens fall victim each year. A bad credit score or a loan taken out in your name is not the only drawback you can face. It can take years, and additional expense, for victims to restore their identity.

Australian Transport Company Hit with Nefilim Ransomware Months after a Mailto Ransomware Attack

Toll, a large Australian transportation company, was hit with a new ransomware attack, only three months after a previous incident. This time, the malware is named Nefilim, and attackers also stole data from the affected servers.

The first attack, which crippled the transportation company, took place on January 31. It took the firm months to fully recover from that event, and it now faces yet another ransomware attack, this time of a different nature.

While the first Mailto ransomware attack directly affected the company’s entire infrastructure, on a global level, the second attack was more insidious, likely because the company took better security measures.

Toll revealed that hackers gained access to one of its servers, stole some data, and deployed the Nefilim ransomware. The affected systems are slowly being brought back online.

“Our ongoing investigations have established that the attacker has accessed at least one specific corporate server,” said Toll in a communique. “This server contains information relating to some past and present Toll employees, and details of commercial agreements with some of our current and former enterprise customers. The server in question is not designed as a repository for customer operational data.”

The investigation revealed that the attacker downloaded some data from the server, but the company has yet to determine precisely what was stolen. The likely destination of the data is the “dark web” if it is ever put up for sale.

The company is already in the process of contacting the people and companies affected by the breach, and it has already announced that it has no intention of paying the ransom, which is in line with the standing recommendations in such situations. Toll also notified the Australian Cyber Security Centre (ACSC) and the Australian Federal Police (AFP) of the incident.

Thunderspy Attack Affects all Computers with Thunderbolt Released in the Past Decade

A slew of seven vulnerabilities identified in the Thunderbolt port allow an attacker with physical access to the device to bypass all security, no matter the platform. It affects all laptops and computers built since 2011.

The vulnerabilities, known collectively as Thunderspy, were identified by security researcher Björn Ruytenberg, an MSc student in Computer Science and Engineering.

These are not your average hardware vulnerabilities, as they require considerable knowledge and some additional hardware. But once an attacker has all the software and hardware tools, any computer that features the Thunderbolt port and was built in the past nine years can be compromised, even if it runs Windows, Linux, or macOS.

“Thunderspy is stealth, meaning that you cannot find any traces of the attack,” says the researcher. “It does not require your involvement, i.e., there is no phishing link or malicious piece of hardware that the attacker tricks you into using.”

“Thunderspy works even if you follow best security practices by locking or suspending your computer when leaving briefly, and if your system administrator has set up the device with Secure Boot, strong BIOS and operating system account passwords, and enabled full disk encryption. All the attacker needs is 5 minutes alone with the computer, a screwdriver, and some easily portable hardware.”

This attack is not only theoretically possible: Ruytenberg developed nine scenarios in which bad actors could exploit these vulnerabilities. There’s even a short video showing how the security of a Windows system is bypassed.

Both Intel and Apple (Thunderbolt developer) were informed of the vulnerabilities. Intel said it was already aware of some of them, and Apple chose to do nothing about it because macOS was only partially vulnerable.

Intel notified a number of affected partners, and Apple simply said: “Some of the hardware security features you outlined are only available when users run macOS. If users are concerned about any of the issues in your paper, we recommend that they use macOS.”

The researcher also released a tool that tells people if their hardware is affected by the vulnerability, and made it available on his website.

Personal Information of 3.6 Million MobiFriends Users Is Up for Grabs, Free Download Included

Following a data breach incident from January 2019, the personal information of more than 3.6 million MobiFriends users is now up for grabs on multiple online forums.

While the stolen data was initially posted for sale on a dark web forum by alleged bad actor ‘DonLuji’, the data dump has become fully accessible to anyone wishing to download its contents.

The leaked information from the Barcelona-based dating app contains personally identifiable information of 3,688,060 registered users, including MD5 hashed passwords, email addresses, mobile numbers, dates of birth, gender information, usernames, and app/website activity.

The researchers who discovered the compromised data sets also verified their validity, noting that, “the data leak contains professional email addresses related to well-known entities including American International Group (AIG), Experian, Walmart, Virgin Media, and a number of other F1000 companies.”

The consequences of the data leak are greatly amplified since seasoned hackers can easily crack the MD5 hashing algorithm used to protect the passwords. Apart from being exposed to account takeover, users are also vulnerable to spear-phishing and extortion attempts using the combination of professional email addresses and phone numbers.

Even if the data does not include private messages or images, the variety of leaked info is still enough for bad actors to deploy targeted phishing campaigns to gather additional information or financial details from victims.

The company failed to inform customers of the security incident, and no official statement has been released so far.

MobiFriends users should remain vigilant and watch their inboxes for unsolicited messages. As a precaution, they should immediately change the password for any online account that shares the same login credentials as MobiFriends, and enable two-factor authentication if possible.

European Cyber Units Dismantle InfinityBlack Hacking Group in Poland

InfinityBlack, a hacking group based in Poland and Switzerland, was taken down by Polish and Swiss law enforcement after the arrest of five alleged active members.

InfinityBlack has a very specific operating strategy, all based on stealing loyalty scheme login credentials, which in turn would be exchanged for various electronic devices. The hackers gained access to numerous Swiss customer accounts, but losses were calculated at only €50,000. Much of their “wealth” was still tied up in €610,000 worth of loyalty points that have yet to be siphoned off.

Polish National Police arrested five people on April 29 and confiscated electronic equipment, external hard drives and hardware cryptocurrency wallets, all worth around €100,000. Law enforcement officials also identified a couple of databases containing around 170 million entries.

“A number of investigation measures by specialists from the Cyber Investigation Division (DEC) of the Vaud Cantonal Police made it possible to dismantle the InfinityBlack hacker’s network set up to exploit this data to the detriment of businesses,” reads the official announcement.

“Between April 30 and May 2 2019, five arrests were made in the canton of Vaud, Switzerland. Once the criminal gang cashing out the loyalty points was identified in Switzerland, police exchanged criminal intelligence and uncovered links to members of the separate hacking group in Poland.”

The hackers had created an online platform to sell stolen credentials, also known as combos since they contain both the user name and password. Their goal was to sell this data to other criminal gangs who could use it, but who were a lot less sophisticated.

The arrests and the dismantling of the InfinityBlack group were possible because of cooperation between cyber units in Poland and Switzerland.
