A look at Darkside ransomware. Ransomware attacks on schools are up. REvil hits Acer. California state employee exposes COVID patient data. Bogus Clubhouse app.
At a glance.
- A look at the Darkside ransomware gang.
- FBI warns that ransomware attacks on schools are up.
- REvil ransomware hits Acer.
- California state employee exposes Atascadero State Hospital COVID-19 data.
- Trojan impersonates Clubhouse app.
Take a walk on the Darkside.
After examining several recent campaigns, researchers at Varonis offer an in-depth examination of the techniques of the ransomware group Darkside. Since first emerging as a ransomware-as-a-service (RaaS) operation in 2020, the group has made a name for itself with campaigns that display in-depth knowledge of their victims’ technological weaknesses. Reverse engineering shows that the group avoids attacking Russia-based institutions, and they’ve publicly stated that they steer clear of hospitals, schools, and governments, opting to focus on larger, more lucrative organizations. What makes their operation unique is their focus on stealth strategies, like establishing command and control routed through TOR, deleting log files, and using customized code and connection hosts for each target. Their methods demonstrate the need for organizations to protect themselves by using multi-factor authentication, diligently patching vulnerabilities, and limiting employee access to sensitive data.
FBI warning: school malware attacks on the rise.
The US Federal Bureau of Investigation (FBI) has released an advisory warning of a surge of PYSA (aka Mespinoza) ransomware operations targeting educational institutions in the US and United Kingdom. The FBI first encountered PYSA in October 2020 but has not yet identified the threat group deploying the malware. Using a double-extortion tactic, the cybercriminals are not only using stolen credentials to infiltrate and shut down networks, but also exfiltrating and threatening to publish sensitive information if the requested ransom is not paid, Inside Higher Ed explains. And as threat analyst Brett Callow of cybersecurity solutions company Emsisoft points out, PYSA is just one of several types of malware being deployed by various threat actors targeting schools. "The education sector has proved to be particularly profitable, so they will keep targeting them over and over again," he explains. Emsisoft found that there were at least twenty-six ransomware attacks against colleges and universities and fifty-eight attacks involving school districts last year, and according to cybersecurity company BlueVoyant, ransomware attacks on colleges doubled from 2019 to 2020. As LookingGlass CEO Gilman Louie points out, “They’re juicy targets because they have student data, they have research information and they have critical operations that need to operate on a very strict timeline.”
Indeed, recent incidents demonstrate the escalation of attacks. After a network outage last week, Maricopa Community Colleges in the US state of Arizona are investigating a possible malware attack, KNXV reports. Nunatsiaq News notes that the service provider for the information system storing records for schools in the Canadian territory of Nunavut experienced a ransomware attack. And across the pond in the UK, the IT systems of South Gloucestershire schools were also hit with ransomware, Gazette Series reports. While learning institutions like these need to implement tighter security protocols in order to protect themselves, Louie says they also need increased funding to support that implementation.
REvil hits Acer.
The REvil ransomware gang has hit Taiwanese device manufacturer Acer with a $50 million extortion demand, the Record by Recorded Future reports. The extortion includes the now routine threat to release stolen company documents. Acer told BleepingComputer that, to preserve the security of their continuing investigation, they’re unable to provide details on the incident.
James McQuiggan, security awareness advocate at KnowBe4, commented on the incident:
“It was only a matter of time before the recent Microsoft Exchange vulnerability exploited an organization, and in the current climate, it was swift. The WannaCry ransomware from 2017 utilized the EternalBlue exploit and took only a few months before a massive attack occurred. With this attack, it took just weeks. Organizations must maintain a multi-layer network infrastructure to reduce the risk of cybercriminals quickly accessing sensitive data and systems. Compounded with security awareness training, this will allow employees to understand and recognize the importance of protecting their organization's critical systems. Furthermore, having a Security Operations Center that constantly monitors endpoints and the network for data transfers to unusual destinations during off-hours can alert the security team to investigate a possible attack.”
California COVID data exposed by state employee.
The COVID-19 test and tracking data of more than two thousand individuals were exposed by a California state employee, the Sacramento Bee reports. The Department of State Hospitals (DSH) staffer used their access to Atascadero State Hospital data servers to copy records containing patient and staff names, test results, and other health data for purposes unrelated to their job duties, though it’s unclear exactly what those purposes were. The DSH discovered the breach during a routine review of employee access. The employee has been put on administrative leave, impacted individuals are being notified, and an investigation is underway.
Caleb Barlow, CEO of CynergisTek, which specializes in healthcare cybersecurity, sent us these comments on the incident:
“This is not normal personal identifying information, like SSNs, contact info or even health conditions. This has deeply personal information, from who you may be dating, possible indiscretions that could be damaging and records of activities with possible unsavory individuals. This is a whole other dimension of data which we haven’t figured out what to do with. What happens when the pandemic is over? Will this information be neglected? There’s a major opportunity for abuse by threat actors that is really different from any other data set.”
Trojan malware impersonates Clubhouse app.
Cybercriminals are distributing an Android trojan by dressing it up as a new (currently non-existent) Android version of the popular invitation-only app Clubhouse, ESET Ireland explains. The fraudulent website expertly mimics a real Clubhouse site, but when the victim attempts to install the app, the site instead downloads a trojan called “Blackrock.” The malware uses an overlay attack to steal targets’ login credentials for over four hundred fifty financial apps, shopping sites, cryptocurrency exchanges, and social media and messaging platforms including Twitter, WhatsApp, and Amazon. Two-factor authentication will not prevent the Trojan from doing its dirty work, as the malware also intercepts text messages, so instead users must be vigilant about determining an app’s legitimacy before downloading.
We received some comments from industry experts. Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, wrote:
"Cybercriminals will exploit any opportunity to compromise their victims and the launch of a popular new app not yet available on a major platform like Android presents them with a major opportunity. The BlackRock trojan is one of the meaner pieces of mobile malware; it’s almost easier to list the accounts it doesn’t steal. Combined with having near complete control over the mobile device if granted Accessibility Service privileges, this can be devastating to victims whose phones are increasingly the central computing device in their life. To protect themselves, users should only install apps from trusted app stores and be very wary of giving apps permissions without understanding what the security implications may be."
Javvad Malik, Security Awareness Advocate at KnowBe4, commented:
"Social engineering is the most popular attack technique used by criminals. This attack is no different, preying on people's desire to gain access to the hottest new social media platform without owning an iPhone. It's therefore important that people always remain vigilant in where they download apps for their phone and stick to only approved app stores. Downloading unofficial apps, or jailbreaking their phones can result in criminals gaining full access to the device. Given how much sensitive information is held on mobile devices, as well as its growing use as a means of authentication, keeping it secure is of utmost importance."
Hacking group used 11 zero-days to attack Windows, iOS, Android users (BleepingComputer) Project Zero, Google's zero-day bug-hunting team, discovered a group of hackers that used 11 zero-days in attacks targeting Windows, iOS, and Android users within a single year.
“Expert” hackers used 11 0-days to infect Windows, iOS, and Android users (Ars Technica) The breadth and abundance of exploits for unknown vulnerabilities sets group apart.
SolarWinds-Linked Attackers Target Microsoft 365 Mailboxes (Dark Reading) Researchers observe attackers altering mailbox folders to assign read-only permissions to any authenticated user on a target machine.
SilverFish: Swiss researchers identify threat actor with links to SolarWinds hack (Computing) The researchers found a 'major overlap' between the hack group's victims and those targeted in the SolarWinds attacks
Swiss Firm Says It Has Accessed Servers of a SolarWinds Hacker (Bloomberg Law) A Swiss cybersecurity firm says it has accessed servers used by a hacking group tied to the SolarWinds breach, revealing details about who the attackers targeted and how they carried out their operation. The firm, PRODAFT, also said the hackers have continued with their campaign through this month.
Threat actors start attacking F5 devices using recent vulnerability (The Record by Recorded Future) Multiple hacking groups have started attacking F5 networking devices after the publication of proof-of-concept exploit code online for a recent critical vulnerability the vendor patched last week.
ESET Exposes Malware Disguised as Clubhouse App (Infosecurity Magazine) The malware can steal login information for 458 online services
Beware Android trojan posing as Clubhouse app (ESET Ireland) The malware can grab login credentials for more than 450 apps and bypass SMS-based two-factor authentication. Cybercriminals are attempting to take advantage of the popularity of Clubhouse to deliv…
Area 1 Stops New Microsoft Spoofing Campaign Targeting Financial Departments (Area 1 Security) A sophisticated Microsoft Office 365 credential harvesting campaign targets financial departments at companies across multiple industries, as well as newly-appointed CEOs and executive assistants.
New XcodeSpy malware targets iOS devs in supply-chain attack (BleepingComputer) A malicious Xcode project known as XcodeSpy is targeting iOS devs in a supply-chain attack to install a macOS backdoor on the developer's computer.
Why That Email About Your Apple ID Being Locked Is a Scam (MUO) Here are the most common signs that you're dealing with a phishing email that will steal your Apple ID and password.
Going Back to Work: New Opportunities for Phishers (INKY) As people begin to contemplate returning to work in a physical office, phishers are thinking about new ways to exploit, through phishing emails, workers’ desire for accurate information about COVID-19, vaccines, and related work policy changes.
Computer giant Acer hit by $50 million ransomware attack (BleepingComputer) Computer giant Acer has been hit by a REvil ransomware attack where the threat actors are demanding the largest known ransom to date, $50,000,000.
REvil Ransomware Targets Acer’s Microsoft Exchange Server: Source (CRN) The notorious REvil ransomware gang recently targeted a Microsoft Exchange server on Taiwanese PC giant Acer’s domain, according to Advanced Intelligence CEO Vitali Kremez.
Ransomware gang demands $50 million from computer maker Acer (The Record by Recorded Future) Taiwanese computer maker Acer has suffered a ransomware attack over the past weekend at the hands of the REvil ransomware gang, which is now demanding a whopping $50 million ransom payment to decrypt the company's computers and not leak its data on the dark web.
Hackers auction stolen CD Projekt data with ‘charity fundraiser’ (IT PRO) Hacker announcement discovered on a Tor site likely linked to 'HelloKitty' ransomware gang
Instagram, WhatsApp, and Facebook Messenger have recovered from a major outage (The Verge) More than 100,000 users reported Instagram issues.
Maricopa Community Colleges investigating possible cyber attack after network outage (KNXV) Maricopa Community Colleges said Friday they are investigating a possible cyber attack after a network outage that has been impacting students since earlier this week.
Nunavut schools' service provider suffers ransomware attack (Nunatsiaq News) Updated on Sunday, March 21, 2021 at 1 p.m. Nunavut’s Department of Education has confirmed a ransomware attack took place at the service provider for the
South Gloucestershire schools hit by ransomware attack (Gazette Series) A number of schools in South Gloucestershire have been left without access to their IT systems after being subjected to a targeted ransomware attack.
Algoma Power billing company falls victim to ransomware attack (SooToday.com) Company can confirm that no customer banking information was compromised as a result of the attack
Internet tip leads feds, SC police to arrest Lancaster County man for child porn (Herald) A Lancaster County man faces as much as 200 years in prison after he was charged for sharing child porn over the internet, officials said.
When in Doubt, Report Cybersecurity Events (JD Supra) The New York State Department of Financial Services (DFS) announced the $1.5 million settlement of its investigation of Residential Mortgage Services...
Time for Answers About Those Intelligence Reports DHS Filed About Me (Lawfare) I’m not seeking damages or a judgment that what the Department of Homeland Security did was illegal, but I do want to understand who else the department reported on based on First Amendment-protected activity.