Tag: malware

  • Notorious Iranian Hackers Have Been Targeting the Space Industry With a New Backdoor


    The Iranian government-backed hacking group known as APT 33 has been active for more than 10 years, conducting aggressive espionage operations against a diverse array of public and private sector victims around the world, including critical infrastructure targets. And while the group is particularly known for strategic but technically simple attacks like “password spraying,” it has also dabbled in developing more sophisticated hacking tools, including potentially destructive malware tailored to disrupt industrial control systems. Now, findings from Microsoft released on Wednesday indicate that the group is continuing to evolve its techniques with a new multi-stage backdoor.

    Microsoft Threat Intelligence says that the group, which it calls Peach Sandstorm, has developed custom malware that attackers can use to establish remote access into victim networks. The backdoor, which Microsoft named “Tickler” for some reason, infects a target after the hacking group gains initial access via password spraying or social engineering. Beginning in April and as recently as July, the researchers observed Peach Sandstorm deploying the backdoor against victims in sectors including satellite, communications equipment, and oil and gas. Microsoft also says that the group has used the malware to target federal and state government entities in the United States and the United Arab Emirates.

    “We are sharing our research on Peach Sandstorm’s use of Tickler to raise awareness of this threat actor’s evolving tradecraft,” Microsoft Threat Intelligence said on Wednesday in its report. “This activity is consistent with the threat actor’s persistent intelligence gathering objectives and represents the latest evolution of their longstanding cyber operations.”

    The researchers observed Peach Sandstorm deploying Tickler and then manipulating victim Azure cloud infrastructure using the hackers’ Azure subscriptions to gain full control of target systems. Microsoft says that it has notified customers who were impacted by the targeting the researchers observed.

    The group has also continued its low-tech password spraying attacks, according to Microsoft, in which hackers try a small number of common or previously leaked passwords against many accounts, staying below lockout thresholds, until one of them works. Peach Sandstorm has been using this technique to gain access to target systems both to infect them with the Tickler backdoor and for other types of espionage operations. Since February 2023, the researchers say they have observed the hackers “carrying out password spray activity against thousands of organizations.” And in April and May 2024, Microsoft observed Peach Sandstorm using password spraying to target United States and Australian organizations in the space, defense, government, and education sectors.

    “Peach Sandstorm also continued conducting password spray attacks against the educational sector for infrastructure procurement and against the satellite, government, and defense sectors as primary targets for intelligence collection,” Microsoft wrote.
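    The spray pattern described above (one source, many accounts, few guesses per account) is what a detection rule should key on. The following is an added example, not code from Microsoft's report: it parses constructed authentication log lines in an assumed "timestamp source-IP account result" format and flags source IPs whose activity in a sliding window touches many distinct accounts with at most a couple of failures each, separating a spray from a single-account brute force and listing any account that succeeded inside the spray window. The thresholds are assumptions to tune per environment.

```python
"""Flag password spraying in authentication logs: one source trying many accounts
with only a few guesses each.

Added example, not from Microsoft's report. The log format (timestamp, source IP,
account, result) and the thresholds are assumptions; the lines are constructed.
"""
import json
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample: one spraying source, one brute-forcing source, one normal login.
SAMPLE_LOG = """\
2024-05-02T09:00:01Z 203.0.113.7 alice FAIL
2024-05-02T09:00:04Z 203.0.113.7 bob FAIL
2024-05-02T09:00:07Z 203.0.113.7 carol FAIL
2024-05-02T09:00:10Z 203.0.113.7 dave FAIL
2024-05-02T09:00:13Z 203.0.113.7 erin FAIL
2024-05-02T09:00:16Z 203.0.113.7 frank FAIL
2024-05-02T09:00:19Z 203.0.113.7 grace SUCCESS
2024-05-02T09:05:00Z 198.51.100.9 bob FAIL
2024-05-02T09:05:02Z 198.51.100.9 bob FAIL
2024-05-02T09:05:04Z 198.51.100.9 bob FAIL
2024-05-02T09:05:06Z 198.51.100.9 bob FAIL
2024-05-02T09:05:08Z 198.51.100.9 bob FAIL
2024-05-02T09:05:10Z 198.51.100.9 bob FAIL
2024-05-02T09:07:00Z 192.0.2.5 alice SUCCESS
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(SUCCESS|FAIL)$")


class AuthEvent(NamedTuple):
    ts: datetime
    src_ip: str
    user: str
    success: bool


def parse_auth_log(text: str):
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(AuthEvent(datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
                                    m.group(2), m.group(3), m.group(4) == "SUCCESS"))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_fail_per_user=2):
    """Per source IP, slide a window over its attempts. A spray is many distinct
    accounts with few failures each; a brute force (many failures, one account)
    deliberately does not match and needs its own rule."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            span = [e for e in evs[i:] if e.ts - start.ts <= window]
            users = {e.user for e in span}
            if len(users) < min_users:
                continue
            fails = Counter(e.user for e in span if not e.success)
            if fails and max(fails.values()) > max_fail_per_user:
                continue
            findings[ip] = {
                "window_start": start.ts.isoformat(),
                "distinct_users": len(users),
                "failures": sum(fails.values()),
                # accounts that authenticated inside the spray window: reset these first
                "compromised": sorted(e.user for e in span if e.success),
            }
            break  # first matching window per IP is enough for one alert
    return findings


if __name__ == "__main__":
    print(json.dumps(detect_spray(parse_auth_log(SAMPLE_LOG)), indent=2))
```

    Real sprays are throttled to stay under lockout (often one guess per account per hour) and are spread across proxy or residential IPs, so in production widen the window, key on the set of targeted accounts as well as the source, and feed the "compromised" list straight into a forced credential reset and MFA check.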

    The researchers say that in addition to this activity, the gang has also been continuing its social engineering operations on the Microsoft-owned professional social network LinkedIn, which they say date back to at least November 2021 and have continued into mid-2024. Microsoft observed the group setting up LinkedIn profiles that purport to be students, software developers, and talent acquisition managers who are supposedly based in the US and Western Europe.

    “Peach Sandstorm primarily used [these accounts] to conduct intelligence gathering and possible social engineering against the higher education, satellite sectors, and related industries,” Microsoft wrote. “The identified LinkedIn accounts were subsequently taken down.”

    Iranian hackers have been prolific and aggressive on the international stage for years and have shown no signs of slowing down. Earlier this month, reports surfaced that a different Iranian group has been targeting the 2024 US election cycle, including attacks against both the Trump and Harris campaigns.


  • Google Has Unleashed Its Legal Fury on Hackers and Scammers


    Following an ordeal over whether the defendants could obtain Russian passports, sit for depositions in Europe, and turn over work files, Google’s attorneys and Litvak traded accusations of lying. In 2022, US district judge Denise Cote sided with Google. She found in a 48-page ruling that the defendants “intentionally withheld information” and “misrepresented their willingness and ability” to disclose it to “avoid liability and further profit” from Glupteba. “The record here is sufficient to find a willful attempt to defraud the Court,” Cote wrote.

    Cote sanctioned Litvak, and he agreed to pay Google $250,000 in total through 2027 to settle. The jurist also ordered Starovikov and Filippov to pay nearly $526,000 combined to cover Google’s attorneys fees. Castañeda says Google has received payment from all three.

    Litvak tells WIRED that he still disagrees with the judge’s findings and that Russia’s strained relationship with the US may have weighed on whom the judge trusted. “It’s telling that after I filed a motion to reconsider, pointing out serious issues with the court’s decision, the court went back on its original decision and referred [the] case to mediation, which ended with … me not having to admit to doing anything wrong,” he says in an email.

    Google’s Castañeda says the case achieved the intended effect: The Russian hackers stopped misusing Google services and shut down their marketplace for stolen logins, while the number of Glupteba-infected computers fell 78 percent.

    Not every case delivers measurable results. Defendants in Google’s other three hacking cases haven’t responded to the accusations. That led to Google last year winning default judgment against three individuals in Pakistan accused of infecting more than 672,000 computers by masquerading malware as downloads of Google’s Chrome browser. Unopposed victories are also expected in the remaining cases, including one in which overseas app developers allegedly stole money through bogus investment apps and are being sued for violating YouTube Community Guidelines.

    Royal Hansen, Google’s vice president for privacy, safety, and security engineering, says lawsuits that don’t result in defendants paying up or agreeing to stop the alleged misuse still can make alleged perpetrators’ lives more difficult. Google uses the rulings as evidence to persuade businesses such as banks and cloud providers to cut off the defendants. Other hackers might not want to work with them knowing they have been outed. Defendants also could be more cautious about crossing international borders and becoming newly subject to scrutiny from local authorities. “That’s a win as well,” Hansen says.

    More to Come

    These days, Google’s small litigation advance team meets about twice a week with other units across the company to discuss potential lawsuits. They weigh whether a case could set a helpful precedent to give extra teeth to Google’s policies or draw awareness to an emerging threat.

    Team leader Day says that as Google has honed its process, filing cases has become more affordable. That should lead to more lawsuits each year, including some for the first time potentially filed outside the US or representing specific users who have been harmed, he says.

    The tech giants’ ever-sprawling empires leave no shortage of novel cases to pursue. Google’s sibling company Waymo recently adopted the affirmative litigation approach and sued two people who allegedly smashed and slashed its self-driving taxis. Microsoft, meanwhile, is weighing cases against people using generative AI technology for malicious or fraudulent purposes, says Steven Masada, assistant general counsel of the company’s Digital Crimes Unit.

    The questions remain whether the increasing cadence of litigation has left cybercriminals any bit deterred and whether a broader range of internet companies will go on the legal offense.

    Erin Bernstein, who runs the law firm Bradley Bernstein Sands, which helps governments pursue civil lawsuits, says she recently pitched a handful of companies across industries on doing their own affirmative litigation. Though none have accepted her offer, she’s optimistic. “It will be a growing area,” Bernstein says.

    But Google’s DeLaine Prado hopes affirmative litigation eventually slows. “In a perfect world, this work would disappear over time if it’s successful,” she says. “I actually want to make sure that our success kind of makes us almost obsolete, at least as it relates to this type of work.”


  • Computer Crash Reports Are an Untapped Hacker Gold Mine


    When a bad software update from the security firm CrowdStrike inadvertently caused digital chaos around the world last month, the first signs were Windows computers showing the Blue Screen of Death. As websites and services went down and people scrambled to understand what was happening, conflicting and inaccurate information was everywhere. Rushing to understand the crisis, longtime Mac security researcher Patrick Wardle knew that there was one place he could look to get the facts: crash reports from computers impacted by the bug.

    “Even though I am not a Windows researcher, I was intrigued by what was going on, and there was this dearth of information,” Wardle tells WIRED. “People were saying that it was a Microsoft problem, because Windows systems were blue-screening, and there were a lot of wild theories. But actually it had nothing to do with Microsoft. So I went to the crash reports, which to me hold the ultimate truth. And if you were looking there you were able to pinpoint the underlying cause long before CrowdStrike came out and said it.”

    At the Black Hat security conference in Las Vegas on Thursday, Wardle made the case that crash reports are an underutilized tool. Such system snapshots give software developers and maintainers insight into possible problems with their code. And Wardle emphasizes that they can particularly be a fount of information about potentially exploitable vulnerabilities in software—for both defenders and attackers.

    In his talk, Wardle presented multiple examples of vulnerabilities he has found in software when the app crashed and he combed through the report looking for the possible cause. Users can readily view their own crash reports on Windows, macOS, and Linux, and they’re also available on Android and iOS, though they can be more challenging to access on mobile operating systems. Wardle notes that gleaning insights from crash reports requires a basic reading knowledge of assembly language, since the faulting instruction and the register state are what the report records, but he emphasizes that the payoff is worth it.

    In his Black Hat talk, Wardle presented multiple vulnerabilities he discovered simply by examining crash reports on his own devices—including bugs in the analysis tool YARA and in the current version of Apple’s macOS operating system. In fact, when Wardle discovered in 2018 that an iOS bug caused apps to crash anytime they displayed the Taiwanese flag emoji, he got to the bottom of what was happening using, you guessed it, crash reports.

    “We revealed conclusively that Apple had acquiesced to demands from China to censor the Taiwanese flag, but their censorship code had a bug in it—ridiculous,” he says. “My friend who originally observed this was like, ‘My phone is being hacked by the Chinese. Whenever you text me it crashes. Or are you hacking me?’ And I said, ‘Rude, I wouldn’t hack you. And also, rude, if I did hack you, I wouldn’t crash your phone.’ So I pulled the crash reports to see what was going on.”

    Wardle emphasizes that if he can find so many vulnerabilities just by looking at crash reports from his own devices and those of his friends, software developers need to be looking there, too. Sophisticated criminal actors and well-funded state-backed hackers alike are probably already getting ideas from their own crash reports. Over the years, news reports have indicated that intelligence agencies like the US National Security Agency do mine crash logs. Wardle points out that crash reports are also a valuable source of information for detecting malware, since they can reveal anomalous and potentially suspicious activity. The notorious spyware broker NSO Group, for example, would often build mechanisms into their malware specifically to delete crash reports immediately upon infecting a device. And the fact that malware is often buggy makes crashes more likely and crash reports valuable to attackers as well for understanding what went wrong with their code.
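    What "reading" a crash report for exploitability looks like in practice is a short triage pass over the fields the report already contains: the exception type, the faulting address, the register state and the backtrace. The following is an added example, not Wardle's tooling or Apple's format: the two reports are constructed and only loosely follow the layout of a macOS crash log, and the scoring rules are this example's own heuristics. It separates a zero-page NULL dereference (a crash, usually nothing more) from a write fault through an attacker-patterned pointer with the link register overwritten by the same pattern, which is the kind of crash worth a second look from either side.

```python
"""Triage a crash report for signs of an exploitable memory-safety bug.

Added example. Both reports are constructed and loosely follow a macOS crash log;
the scoring heuristics are this example's own.
"""
import re
from collections import Counter

CRASH_REPORT = """\
Process:               example_app [4242]
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x4141414141414140

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   example_app                       0x0000000104a1d3f4 parse_record + 84
1   example_app                       0x0000000104a1c2a0 main + 160

Thread 0 crashed with ARM Thread State (64-bit):
    x0: 0x4141414141414140   x1: 0x0000000000000010   x2: 0x0000000000000000   x3: 0x0000000000000000
    fp: 0x000000016f3b2c40   lr: 0x4141414141414141
    sp: 0x000000016f3b2c10   pc: 0x0000000104a1d3f4 cpsr: 0x60001000
   far: 0x4141414141414140  esr: 0x92000044 (Data Abort) byte write Translation fault
"""

NULL_DEREF_REPORT = """\
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000008

Thread 0 Crashed::
0   example_app                       0x0000000104a1d3f4 lookup_entry + 20

Thread 0 crashed with ARM Thread State (64-bit):
    x0: 0x0000000000000000   pc: 0x0000000104a1d3f4   lr: 0x0000000104a1c2a0
   far: 0x0000000000000008  esr: 0x92000006 (Data Abort) byte read Translation fault
"""

EXC_RE = re.compile(r"^Exception Type:\s+(\S+)", re.M)
CODES_RE = re.compile(r"^Exception Codes:.*?at (0x[0-9a-fA-F]+)", re.M)
FRAME_RE = re.compile(r"^\d+\s+\S+\s+0x[0-9a-fA-F]+\s+(\S+)", re.M)
REG_RE = re.compile(r"\b(x\d+|fp|lr|sp|pc|far):\s*(0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"esr:.*?\b(read|write)\b")


def looks_controlled(value: int) -> bool:
    """True when a 64-bit value is dominated by one repeated non-zero byte, the
    signature of fuzzer or attacker data that has overwritten a pointer."""
    if value < 0x10000:  # NULL, small offsets and flags are not attacker data
        return False
    byte, count = Counter(value.to_bytes(8, "little")).most_common(1)[0]
    return byte != 0 and count >= 6


def triage(report: str) -> dict:
    """Parse the report and rate how interesting the crash is to an attacker."""
    exc = EXC_RE.search(report)
    codes = CODES_RE.search(report)
    access = ACCESS_RE.search(report)
    regs = {name: int(val, 16) for name, val in REG_RE.findall(report)}
    fault_addr = int(codes.group(1), 16) if codes else None
    result = {
        "exception": exc.group(1) if exc else None,
        "fault_addr": fault_addr,
        "access": access.group(1) if access else None,
        "frames": FRAME_RE.findall(report),
        "controlled_regs": sorted(n for n, v in regs.items() if looks_controlled(v)),
        "reasons": [],
    }
    score = 0
    if result["exception"] == "EXC_BAD_ACCESS":
        if fault_addr is not None and fault_addr < 0x1000:
            result["reasons"].append("fault in the zero page: NULL dereference, usually DoS only")
        elif fault_addr is not None and looks_controlled(fault_addr):
            score += 2
            result["reasons"].append("fault address is attacker-patterned data")
        if result["access"] == "write":
            score += 1
            result["reasons"].append("write fault: a corruption primitive, not just a bad read")
        if any(r in ("pc", "lr") for r in result["controlled_regs"]):
            score += 2
            result["reasons"].append("control-flow register (pc/lr) holds controlled data")
    if any(f.startswith("__stack_chk_fail") for f in result["frames"]):
        score += 2
        result["reasons"].append("stack canary tripped: stack buffer overflow")
    result["rating"] = "high" if score >= 3 else "medium" if score >= 1 else "low"
    return result


if __name__ == "__main__":
    for name, text in (("overflow", CRASH_REPORT), ("null deref", NULL_DEREF_REPORT)):
        r = triage(text)
        print(name, r["rating"], "-", "; ".join(r["reasons"]))
```

    The register-pattern check is the cheap, high-signal part: a link register or fault address full of one repeated byte means input reached a pointer or return address, which is the question an attacker triaging a fuzzer crash asks first. Everything else (which frame, which access type) only refines that answer.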

    “With crash reports, the truth is out there,” Wardle says. “Or, I guess, in there.”


  • A New Plan to Break the Cycle of Destructive Critical Infrastructure Hacks


    “It’s not just that the water goes out, it’s that when the sole wastewater facility in your community is down really bad things start to happen. For example, no water means no hospital,” he says. “I really encountered a lot of this during my leadership of the Covid Task Force. There is such interdependence across the basic functions of society.”

    UnDisruptable27 will focus on interacting with communities who aren’t reached by Washington DC-based policy discussions or Information Sharing and Analysis Centers (ISACs), which are meant to represent each infrastructure sector of the US. The project aims to communicate directly with people who actually work on the ground in US critical infrastructure, and grapple together with the reality that cybersecurity-related disasters could impact their daily work.

    “There’s a data breach, you get whatever services like identity protection for some period of time, and life carries on, and people think that there’s no long-term impact,” says Megan Stifel, IST’s chief strategy officer. “There’s this expectation that it’s fine, things will just continue. So we’re very interested in getting after this issue and thinking about how do we tackle critical infrastructure security with perhaps a new approach.”

    Corman notes that even though cybersecurity incidents have become a well-known fact of life, business owners and infrastructure operators are often shaken and caught off guard when a cybersecurity incident actually affects them. Meanwhile, when government entities try to impose cybersecurity standards or become a partner on defense initiatives, communities often balk at the intrusion and perceived overreach. Last year, for example, the US Environmental Protection Agency was forced to rescind new cybersecurity guidelines for water systems after water companies and Republicans in Congress filed a lawsuit over the initiative.

    “Time and time again, trade associations or lobbyists or owners and operators have an allergic reaction to oversight and say, ‘We prefer voluntary, we’re doing fine on our own,’ ” Corman says. “And they really are trying to do the right thing. But then also time and time again, people are just shocked that disruption could happen and feel very blindsided. So you can only conclude that the people who feel the pain of our failures are not included in the conversation. They deserve to understand the risks inherent in this level of connectivity. We’ve tried a lot of things, but we have not tried just leveling with people.”

    UnDisruptable27 is launching this week for visibility among attendees at BSides as well as the other conferences, Black Hat and Defcon, that will run through Sunday in Las Vegas. Corman says that the goal is to combine the hacker mentality and, essentially, a call for volunteers with plans to work with creative collaborators on producing engaging content to fuel discourse and understanding. Information campaigns using memes and social media posts or moonshots like narrative podcasts and even reality TV are all on the table.

    “We must prioritize the security, safety, and resilience of critical infrastructure — including water, health care facilities, and utilities,” Craig Newmark, the Craigslist founder whose philanthropy is funding UnDisruptable27, told WIRED. “The urgency of this issue requires affecting human behavior through storytelling.”


  • Red Tape Is Making Hospital Ransomware Attacks Worse


    “I can tell you with complete confidence that ransomware attacks harm patients,” says Hannah Neprash, an associate professor of health policy at the University of Minnesota, who has researched the impact of ransomware attacks on US hospitals and concluded they result in higher mortality rates. “If you are a patient who has the misfortune to be admitted to a hospital when that hospital goes through a ransomware attack, the likelihood that you’re going to walk out the doors goes down,” Neprash says. “The longer the disruption, the worse the health outcomes.”

    In the hours and days immediately after ransomware attacks, it’s common for companies who have software connected to the targeted organization to pull their services. This can include everything from disconnecting medical records to refusing to email a cyberattack victim. This is where so-called assurance letters come in.

    “We’ve really seen the demand for these letters increase over the past few years as breaches have become much more litigious—from class actions lawyers chasing settlements to lawsuits between businesses,” says Chris Cwalina, the global head of cybersecurity and privacy at law firm Norton Rose Fulbright.

    Cwalina says he is unsure where and when the practice of sending assurance letters started but says it is likely it began with lawyers or security professionals who misunderstood legal requirements or the risks they are trying to prevent. “There is no legal requirement to request or obtain an attestation before systems can be reconnected,” Cwalina says.

    These assurance and attestation letters are often compiled with the support of specialist cybersecurity companies that are employed to respond to incidents. What can be reconnected and when will vary depending on the specific details of each attack.

    But much of the decisionmaking comes down to risk—or at least perceived risk. Charles Carmakal, the chief technology officer of Google-owned cybersecurity firm Mandiant, says companies will be worried that cybercriminals could move “laterally” between the victim and their systems. Companies want to know a system is clean and the attackers have been removed from the systems, Carmakal says.

    “I understand the rationale behind the assurance process. What I would say is that people do need to really consider what is the risk associated with the level of connectivity between two parties, and sometimes people tend to default to the most restrictive path,” Carmakal says. For instance, it is rare that Mandiant sees wormable ransomware moving from one victim to another, he says.

    “Vendors were interested to know that independent, outside cybersecurity experts were engaged with Scripps technical teams and verification that malware was contained and remediated with reasonable best efforts,” Thielman, the CIO of Scripps Health, says. For Ascension, Fitzpatrick says, the company also held one-on-one calls with vendors and hosted eight webinars where it provided updates. It has also shared indicators of compromise—the traces left by attackers in its systems—with health organizations and the US Cybersecurity and Infrastructure Security Agency (CISA).

    Third-Party Doctrine

    Cybercriminals have become more brazen with attacks against hospitals and medical organizations in recent years; in one case, the Lockbit ransomware gang claimed it had rules against attacking hospitals but hit more than 100. Often these sort of attacks directly impact private sector companies that provide services to public infrastructure or medical organizations.

    “If you look plausibly at the threat picture in the years ahead, disruption to public services and public activity caused by [cybercrime] activity that affects the private sector is probably something that’s going to happen more and more,” says Ciaran Martin, a professor at the University of Oxford and the former head of the UK’s National Cyber Security Centre. In these instances, Martin suggests, there may be questions around whether governments have, or need, powers to direct private firms to respond in certain ways.


  • A Catastrophic Hospital Hack Ends in a Leak of 300M Patient Records


    The rolling series of breaches targeting customers of cloud platform Snowflake appears to be a supply chain attack wrapped in another supply chain attack. A hacker who claims to have been involved in the attacks tells WIRED that the hackers, known as ShinyHunter, stole victims’ Snowflake credentials by first breaching an employee of a third-party contractor. (The contractor, however, says it does not believe it was involved.)

    Ultimately, the breach of the Snowflake customer accounts, which include Ticketmaster, banking firm Santander, and potentially more than 160 other companies, was possible because their Snowflake accounts did not have multifactor authentication enabled.

    Antivirus giant Kaspersky’s worst nightmare has finally come true: The United States government announced on Thursday that it is banning the sale of its software to new customers in the US over alleged Russian national security threats. (Kaspersky has challenged the Biden administration’s claims.) Existing customers, meanwhile, will be banned from downloading Kaspersky software updates after September 29. What could go wrong?

    Perplexity AI, an artificial-intelligence-powered search startup, says it’s already valued at a billion dollars. But a WIRED investigation published this week found that its secret sauce has a pungent ingredient: bullshit.

    Beyond “hallucinating” details generated by its chatbot, WIRED found that the AI tool appears to be ignoring the Robots Exclusion Protocol—a standard web tool used to prevent scraping—on sites owned by WIRED’s parent company, Condé Nast, and other publications, seemingly allowing it to scrape articles despite the internet equivalent of a “Do Not Enter” sign hanging on WIRED and other Condé Nast sites. Perplexity’s chatbot later plagiarized that same article when prompted.

    People traveling through some of the largest train stations in the United Kingdom secretly had their faces scanned by Amazon’s face-recognition tools, according to documents obtained by WIRED. The technology, which was used as part of a trial run, predicted travelers’ various attributes, including gender, age, and likely emotions. The surveillance, which one privacy advocate called “concerning,” could potentially be used for serving advertisements.

    Finally, we detailed the rise of robot “dogs” used by militaries, explained what would happen if China invaded Taiwan, and got into the nitty-gritty of the boring-sounding but serious work of spotting the billion-dollar scam tactic known as business email compromise.

    That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

    For months, ransomware gangs have rampaged across the health care industry, with ruthless attacks targeting Change Healthcare’s national payment network for more than a thousand health care providers, Ascension Healthcare’s 140 hospitals, and dozens of other victims in the medical field. Now that hacking epidemic is crystallizing into yet another catastrophic hospital hack—one that has resulted in the data of 300 million UK patient records leaking online.

    Synnovis, a joint-venture medical testing company partially owned by the UK’s National Health Service, has for weeks been battling and negotiating with the Russia-linked ransomware group Qilin, which has deeply disrupted its services in an attempt to extort the company. The result has been well over a thousand postponed operations and thousands more postponed outpatient appointments across multiple UK hospitals. Ambulances have been diverted from the affected hospitals, potentially causing delays in lifesaving care. They’ve even had to ask for new urgent donations of O-type blood, as testing disruptions have prevented other types from being used in patients’ blood transfusions.


  • US Bans Kaspersky Software | WIRED


    The Russian cybersecurity software firm Kaspersky’s days of operating in the United States are now officially numbered.

    The Biden administration on Thursday said it’s banning the company from selling its products to new US-based customers starting on July 20, with the company only allowed to provide software updates to existing customers through September 29. The ban—the first such action under authorities given to the Commerce Department in 2019—follows years of warnings from the US intelligence community about Kaspersky being a national security threat because Moscow could allegedly commandeer its all-seeing antivirus software to spy on its customers.

    “When you think about national security, you may think about guns and tanks and missiles,” Commerce secretary Gina Raimondo told reporters during a briefing Thursday. “But the truth is, increasingly, it’s about technology, and it’s about dual-use technology, and it’s about data.”

    The US conducted an “extremely thorough” investigation of Kaspersky and explored “every option” to mitigate its risks, Raimondo said, but officials settled on a full ban “given the Russian government’s continued offensive cyber capabilities and capacity to influence Kaspersky’s operations.”

    The Kaspersky ban represents the latest rift in relations between the US and Russia as the latter country remains locked in a brutal war with Ukraine and takes other steps to threaten Western democracies, including testing a nuclear-powered anti-satellite weapon and forming a strategic alliance with North Korea. But the ban could also immediately complicate business operations for American companies using Kaspersky software, which will lose up-to-date antivirus definitions critical for blocking malware in only three months.

    The Biden administration knows roughly how many customers Kaspersky has in the US, but government lawyers have determined that this information is proprietary business data and cannot be published, according to a Commerce Department official, who briefed reporters on the condition of anonymity to discuss a sensitive matter. The official did say the “significant number” of US customers includes state and local governments and organizations that supply critical infrastructure such as telecommunications, power, and health care.

    Raimondo had a message for Kaspersky’s US customers on Thursday: “You have done nothing wrong, and you are not subject to any criminal or civil penalties. However, I would encourage you, in as strong as possible terms, to immediately stop using that software and switch to an alternative in order to protect yourself and your data and your family.”

    Commerce will work with the departments of Homeland Security and Justice to “get this message out” and “ensure a smooth transition,” including through a website explaining the ban, Raimondo said. “We certainly don’t want to disrupt the business or families of any Americans.”

    DHS’s Cybersecurity and Infrastructure Security Agency will contact critical infrastructure organizations that use Kaspersky to brief them on the alleged national security risks and “help them identify alternatives,” the Commerce Department official said.

    Kaspersky has consistently denied being a national security risk or an agent of the Kremlin. The company did not immediately respond to a request for comment about the new nationwide ban. But given Kaspersky’s past resort to litigation to defend itself, Thursday’s announcement could prompt another lawsuit that sets up a high-stakes legal test of Commerce’s national security powers.


  • Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake


    It’s possible the ShinyHunter hackers did not directly hack the EPAM worker, and simply gained access to the Snowflake accounts using usernames and passwords they obtained from old repositories of credentials stolen by info stealers. But, as Reddington points out, this means that anyone else can sift through those repositories for these and other credentials stolen from EPAM accounts. Reddington says they found data online that was used by nine different infostealers to harvest data from the machines of EPAM workers. This raises potential concerns about the security of data belonging to other EPAM customers.

    EPAM has customers across various critical industries, including banks and other financial services, health care, broadcast networks, pharmaceutical, energy and other utilities, insurance, and software and hi-tech—the latter customers include Microsoft, Google, Adobe, and Amazon Web Services. It’s not clear, however, if any of these companies have Snowflake accounts to which EPAM workers have access. WIRED also wasn’t able to confirm whether Ticketmaster, Santander, Lending Tree, or Advance AutoParts are EPAM customers.

    The Snowflake campaign also highlights the growing security risks from third-party companies in general and from infostealers. In its blog post this week, Mandiant suggested that multiple contractors were breached to gain access to Snowflake accounts, noting that contractors—often known as business process outsourcing (BPO) companies—are a potential gold mine for hackers, because compromising the machine of a contractor that has access to the accounts of multiple customers can give them direct access to many customer accounts.

    “Contractors that customers engage to assist with their use of Snowflake may utilize personal and/or non-monitored laptops that exacerbate this initial entry vector,” wrote Mandiant in its blog post. “These devices, often used to access the systems of multiple organizations, present a significant risk. If compromised by infostealer malware, a single contractor’s laptop can facilitate threat actor access across multiple organizations, often with IT and administrator-level privileges.”

    The company also highlighted the growing risk from infostealers, noting that the majority of the credentials the hackers used in the Snowflake campaign came from repositories of data previously stolen by various infostealer campaigns, some of which dated as far back as 2020. “Mandiant identified hundreds of customer Snowflake credentials exposed via infostealers since 2020,” the company noted.

    This, accompanied by the fact that the targeted Snowflake accounts didn’t use MFA to further protect them, made the breaches in this campaign possible, Mandiant notes.

    Snowflake’s CISO, Brad Jones, acknowledged last week that the lack of multifactor authentication enabled the breaches. In a phone call this week, Jones told WIRED that Snowflake is working on giving its customers the ability to mandate that users of their accounts employ multifactor authentication going forward, “and then we’ll be looking in the future to [make the] default MFA,” he says.
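    The two facts above (password-only accounts, and credentials harvested from shared contractor laptops) give a defender a concrete hunt: which accounts have authenticated with a password and no second factor, and which source IPs have used more than one such account. The following is an added example, not Snowflake or Mandiant code. The rows are constructed, and the column names follow the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view as one would export it to CSV, which is an assumption about how the data was pulled; the baseline cutoff date is likewise assumed.

```python
"""Hunt for password-only Snowflake logins and source IPs pivoting between accounts.

Added example, not Snowflake or Mandiant code. The rows are constructed; column names
follow SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY as exported to CSV (an assumption).
"""
import csv
import io
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple, Optional

SAMPLE_LOGIN_HISTORY = """\
EVENT_TIMESTAMP,USER_NAME,CLIENT_IP,REPORTED_CLIENT_TYPE,FIRST_AUTHENTICATION_FACTOR,SECOND_AUTHENTICATION_FACTOR,IS_SUCCESS
2024-04-01 08:02:11,SVC_ETL,192.0.2.10,JDBC_DRIVER,PASSWORD,,YES
2024-04-02 08:01:57,SVC_ETL,192.0.2.10,JDBC_DRIVER,PASSWORD,,YES
2024-04-03 09:15:40,ANALYST_A,198.51.100.4,SNOWFLAKE_UI,PASSWORD,DUO_PUSH,YES
2024-05-20 02:13:09,SVC_ETL,203.0.113.77,OTHER,PASSWORD,,YES
2024-05-20 02:15:44,SVC_ETL,203.0.113.77,OTHER,PASSWORD,,YES
2024-05-20 03:01:00,ANALYST_A,198.51.100.4,SNOWFLAKE_UI,PASSWORD,DUO_PUSH,YES
2024-05-21 11:00:00,ADMIN_B,203.0.113.77,OTHER,PASSWORD,,NO
2024-05-21 11:00:30,ADMIN_B,203.0.113.77,OTHER,PASSWORD,,YES
"""

# Successful logins before this point form each user's baseline (assumed cutoff).
BASELINE_END = datetime(2024, 5, 1)


class LoginEvent(NamedTuple):
    ts: datetime
    user: str
    ip: str
    client: str
    first_factor: str
    second_factor: Optional[str]
    success: bool


def parse_login_history(text: str):
    """Read the CSV export; an empty SECOND_AUTHENTICATION_FACTOR means no MFA."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append(LoginEvent(
            ts=datetime.strptime(r["EVENT_TIMESTAMP"], "%Y-%m-%d %H:%M:%S"),
            user=r["USER_NAME"], ip=r["CLIENT_IP"], client=r["REPORTED_CLIENT_TYPE"],
            first_factor=r["FIRST_AUTHENTICATION_FACTOR"],
            second_factor=r["SECOND_AUTHENTICATION_FACTOR"] or None,
            success=r["IS_SUCCESS"] == "YES",
        ))
    return rows


def is_password_only(e: LoginEvent) -> bool:
    return e.success and e.first_factor == "PASSWORD" and e.second_factor is None


def password_only_users(events):
    """Every account that has ever authenticated with a password and no second factor."""
    return sorted({e.user for e in events if is_password_only(e)})


def hunt_password_only(events, baseline_end=BASELINE_END):
    """Password-only logins after the cutoff, with source IPs the user never used before."""
    known_ips = defaultdict(set)
    for e in events:
        if e.success and e.ts < baseline_end:
            known_ips[e.user].add(e.ip)
    findings = {}
    for e in events:
        if e.ts < baseline_end or not is_password_only(e):
            continue
        f = findings.setdefault(e.user, {"password_only_logins": 0, "new_ips": set()})
        f["password_only_logins"] += 1
        if e.ip not in known_ips[e.user]:
            f["new_ips"].add(e.ip)
    return {u: {"password_only_logins": f["password_only_logins"],
                "new_ips": sorted(f["new_ips"])} for u, f in findings.items()}


def pivot_sources(events, baseline_end=BASELINE_END):
    """Source IPs that authenticated as more than one user after the cutoff: the
    footprint of one compromised laptop holding several customers' credentials."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e.success and e.ts >= baseline_end:
            users_by_ip[e.ip].add(e.user)
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    evs = parse_login_history(SAMPLE_LOGIN_HISTORY)
    print("password-only accounts:", password_only_users(evs))
    print("new sources:", hunt_password_only(evs))
    print("pivoting sources:", pivot_sources(evs))
```

    The service account SVC_ETL is the realistic case: it has always been password-only, so its MFA status alone raises no alarm, and only the new source IP and client type after the cutoff show the credential being replayed from elsewhere. The pivot check then ties that IP to a second account, which is the point at which a stolen-credential incident becomes a third-party compromise.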


  • Medical-Targeted Ransomware Is Breaking Records After Change Healthcare’s $22M Payout

    In fact, ransomware attacks on health care targets were on the rise even before the Change Healthcare attack, which crippled the United Healthcare subsidiary’s ability to process insurance payments on behalf of its health care provider clients starting in February of this year. Recorded Future’s Liska points out that every month of 2024 has seen more health care ransomware attacks than the same month in any previous year that he’s tracked. (While this May’s 32 health care attacks is lower than May 2023’s 33, Liska says he expects the more recent number to rise as other incidents continue to come to light.)

    Yet Liska still points to the April spike visible in Recorded Future’s data in particular as a likely follow-on effect of Change’s debacle—not only the outsize ransom that Change paid to AlphV, but also the highly visible disruption that the attack caused. “Because these attacks are so impactful, other ransomware groups see an opportunity,” Liska says. He also notes that health care ransomware attacks have continued to grow even compared to overall ransomware incidents, which stayed relatively flat or fell overall: April, for instance, saw 1,153 incidents compared to 1,179 in the same month of 2023.

    When WIRED reached out to United Healthcare for comment, a spokesperson for the company pointed to the overall rise in health care ransomware attacks beginning in 2022, suggesting that the overall trend predated Change’s incident. The spokesperson also quoted from testimony United Healthcare CEO Andrew Witty gave in a congressional hearing about the Change Healthcare ransomware attack last month. “As we have addressed the many challenges in responding to this attack, including dealing with the demand for ransom, I have been guided by the overriding priority to do everything possible to protect peoples’ personal health information,” Witty told the hearing. “As chief executive officer, the decision to pay a ransom was mine. This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone.”

    Change Healthcare’s deeply messy ransomware situation was complicated further—and made even more attention-grabbing for the ransomware hacker underworld—by the fact that AlphV appears to have taken Change’s $22 million extortion fee and jilted its hacker partners, disappearing without giving those affiliates their cut of the profits. That led to a highly unusual situation where the affiliates then offered the data to a different group, RansomHub, which demanded a second ransom from Change while threatening to leak the data on its dark web site.

    That second extortion threat later inexplicably disappeared from RansomHub’s site. United Healthcare has declined to answer WIRED’s questions about that second incident or to answer whether it paid a second ransom.

    Nonetheless, many ransomware hackers believe that Change Healthcare actually paid two ransoms, says Jon DiMaggio, a security researcher with cybersecurity firm Analyst1 who frequently talks to members of ransomware gangs to gather intelligence. “Everyone was talking about the double ransom,” DiMaggio says. “If the people I’m talking to are excited about this, it’s not a leap to think that other hackers are as well.”

    The noise that situation created, as well as the scale of disruption to health care providers from Change Healthcare’s downtime and its hefty ransom, served as the perfect advertisement for the lucrative potential of hacking fragile, high-stakes health care victims, DiMaggio says. “Health care has always had so much to lose, it’s just something the adversary has realized now because of Change,” he says. “They just had so much leverage.”

    As those attacks snowball—and some health care victims have likely forked over their own ransoms to control the damage to their life-saving systems—the attacks aren’t likely to stop. “It’s always looked like an easy target,” DiMaggio notes. “Now it looks like an easy target that’s willing to pay.”


  • Ransomware Is ‘More Brutal’ Than Ever in 2024

    Today, people around the world will head to school, doctor’s appointments, and pharmacies, only to be told, “Sorry, our computer systems are down.” The frequent culprit is a cybercrime gang operating on the other side of the world, demanding payment for system access or the safe return of stolen data.

    The ransomware epidemic shows no signs of slowing down in 2024—despite increasing police crackdowns—and experts worry that it could soon enter a more violent phase.

    “We’re definitely not winning the fight against ransomware right now,” Allan Liska, a threat intelligence analyst at Recorded Future, tells WIRED.

    Ransomware may be the defining cybercrime of the past decade, with criminals targeting a wide range of victims including hospitals, schools, and governments. The attackers encrypt critical data, bringing the victim’s operation to a grinding halt, and then extort them with the threat of releasing sensitive information. These attacks have had serious consequences. In 2021, the Colonial Pipeline Company was targeted by ransomware, forcing the company to pause fuel delivery and spurring US president Joe Biden to implement emergency measures to meet demand. But ransomware attacks are a daily event around the world—last week, ransomware hit hospitals in the UK—and many of them don’t make headlines.

    “There is a visibility problem into incidents; most organizations don’t disclose or report them,” says Brett Callow, a threat analyst at Emsisoft. He adds that this makes it “hard to ascertain which way they are trending” on a month-by-month basis.

    Researchers are forced to rely on information from public institutions that disclose attacks, or even criminals themselves. But “criminals are lying bastards,” says Liska.

    By all indications, the problem is not going away and may even be accelerating in 2024. According to a recent report by security firm Mandiant, a Google subsidiary, 2023 was a record-breaking year for ransomware. Reporting indicates that victims paid more than $1 billion to gangs—and those are just the payments that we know about.

    A major trend identified in the report was more frequent posts by gangs to so-called “shame sites,” where attackers leak data as part of an extortion attempt. There was a 75 percent jump in posts to data leak sites in 2023 compared to 2022, according to Mandiant. These sites employ flashy tactics like countdowns to when the sensitive data of victims will be made public if they don’t pay. This illustrates how ransomware gangs are ramping up the severity of their intimidation tactics, experts told WIRED.

    “Generally speaking, their tactics are becoming progressively more brutal,” Callow says.

    For example, hackers have also begun to directly threaten victims with intimidating phone calls or emails. In 2023, the Fred Hutchinson Cancer Center in Seattle was struck by a ransomware attack, and cancer patients were individually sent emails threatening to release their personal information if they did not pay.

    “My concern is that this will spill over into real-world violence very soon,” says Callow. “When there are millions to be had, they might do something bad to an executive of a company that was refusing to pay, or a member of their family.”
