- Brazilian Hospitals Infected with Ransomware After RDP Brute-Force Attacks. From Softpedia.
Members of TeamXRat, a hacking crew based in Brazil, have created their own ransomware variant that they spread to local companies and hospitals after taking control over their servers and networks via RDP (Remote Desktop Protocol) brute-force attacks.
The group, which has previously created and sold banking malware, is making its first attempt at ransomware; based on a Kaspersky Lab analysis, the new family appears to be derived from the Xorist ransomware, detected and decrypted back in March.
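The infection chain above starts with RDP password guessing, which leaves a clear trail in the Windows Security log: a burst of 4625 (failed logon) events with logon type 10 (RemoteInteractive) from one source address, followed by a 4624 (successful logon) from the same address once a password hits. The following detector is an added example, not code from the Softpedia article or from Kaspersky's analysis. It assumes the events have already been exported to dicts with the fields shown (for instance from Get-WinEvent or a SIEM); the sample events and the thresholds are constructed for illustration.

```python
"""Flag RDP brute-force bursts, and the successful logon that follows one,
from Windows Security event records.

Added example (not from the article). Assumes events are dicts with the
fields used below; sample data and thresholds are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625        # "An account failed to log on"
SUCCESSFUL_LOGON = 4624    # "An account was successfully logged on"
RDP_LOGON_TYPE = 10        # RemoteInteractive (Terminal Services / RDP)


def _ev(time, event_id, user, src):
    return {"time": time, "id": event_id, "logon_type": RDP_LOGON_TYPE,
            "user": user, "src": src}


# Constructed sample (UTC, ISO-8601): one guessing burst that succeeds, one
# slow guesser that never exceeds the window, and one legitimate user who
# mistypes a password twice.
SAMPLE_EVENTS = (
    [_ev(f"2016-09-01T01:{m:02d}:00", FAILED_LOGON, "admin", "203.0.113.9")
     for m in (0, 10, 20, 30, 40)]
    + [_ev(f"2016-09-01T02:0{s // 60}:{s % 60:02d}", FAILED_LOGON,
           "administrator", "203.0.113.7") for s in range(0, 180, 30)]
    + [_ev("2016-09-01T02:03:00", SUCCESSFUL_LOGON, "administrator", "203.0.113.7"),
       _ev("2016-09-01T02:05:00", FAILED_LOGON, "jsilva", "198.51.100.20"),
       _ev("2016-09-01T02:05:20", FAILED_LOGON, "jsilva", "198.51.100.20"),
       _ev("2016-09-01T02:05:40", SUCCESSFUL_LOGON, "jsilva", "198.51.100.20")]
)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (kind, src_ip, time, detail) tuples.

    kind is "bruteforce" the first time a source reaches `threshold` RDP
    logon failures inside `window`, and "bruteforce_success" when that
    source then logs on successfully while its recent failure count is
    still at or above the threshold, i.e. the guessing probably worked.
    """
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    flagged = set()                 # sources already reported as guessing
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        t = datetime.fromisoformat(ev["time"])
        src = ev["src"]
        recent = failures[src]
        while recent and t - recent[0] > window:   # expire old failures
            recent.popleft()
        if ev["id"] == FAILED_LOGON:
            recent.append(t)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, ev["time"],
                               f"{len(recent)} RDP logon failures within {window}"))
        elif ev["id"] == SUCCESSFUL_LOGON and len(recent) >= threshold:
            alerts.append(("bruteforce_success", src, ev["time"],
                           f"logon as {ev['user']} after {len(recent)} failures"))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The "bruteforce_success" alert is the one worth paging on: a noisy source that never logs on is a nuisance, while a success after a burst means the host, and probably the network behind it, is already in the attacker's hands and the ransomware stage is next. In production the same logic should key on the workstation name as well as the source address, since attackers routinely rotate through proxies.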
One Single Ransomware Gang Made over $121 Million. From Softpedia.
A group or individual running a ransomware distribution operation has earned 189,813 Bitcoin (over $121 million) from its activities, according to a quarterly report published this week by McAfee Labs.
Experts say that the operator's current Bitcoin wallet address still holds around $94 million, meaning roughly $27 million has already been spent, either on servers and other running costs or personally.
These kinds of profits are exactly what drive cyber-criminals to ransomware operations.
Ransomware incidents up 128% compared to last year: According to McAfee's telemetry data, the total number of ransomware infections has grown 128 percent year-over-year. Every quarter, the company's researchers find more new ransomware variants than in the quarter before.
- Threat Alert: Cerber Ransomware v3 Spotted in the Wild. From Softpedia. A new version of the Cerber ransomware was released last week; it is easy to identify by the .cerber3 extension it appends to every encrypted file.
The move comes after the crooks released versions 1.5 and 2 in quick succession at the start of August. Before releasing Cerber v2, they had distributed v1 for more than six months with only occasional minor updates.
The Cerber gang was forced to issue v2 in order to break a free decrypter provided by the infosec community that was hindering their profits by letting users recover files for free.
- Exposed: An inside look at the Magnitude Exploit Kit. From CSO Online. Researchers at Trustwave have provided CSO with an inside look at the Magnitude Exploit Kit's infrastructure. Linked to attacks against PHP.net and Yahoo, this kit has gone from obscurity to a certified threat in a short amount of time, while generating more than $60,000 USD per week in income.
Fantom Ransomware Mimics Windows Update Screen. From Softpedia.
Ransomware often tries to disguise its malicious behavior using various tricks. The latest method observed is that employed by a new variant called Fantom, which shows a fake Windows Update screen while, in reality, it’s encrypting the user’s files.
The ransomware, spotted for the first time only a few days ago by AVG security researcher Jakub Kroustek, is coded on top of EDA2, a ransomware building kit that was open-sourced last year but eventually taken down.
EDA2 contained flaws that allowed researchers to obtain the decryption keys from the ransomware’s C&C server. According to an analysis from Bleeping Computer, those flaws aren’t there anymore, meaning one of the Fantom coders must have found and fixed them.
Ransomware Attacks May Trigger Breach Notifications. From On The Wire. A powerful California congressman is pushing the federal government to treat ransomware attacks on medical facilities as data breaches and require notifications of patients. The pressure is coming from Rep. Ted Lieu (D-Calif.) and follows comments from officials at the Department of Health and Human Services about the department’s plan to issue guidance to health care organizations about ransomware attacks. The Office for Civil Rights section of HHS, which has responsibility for health information privacy, will provide guidance on how to handle ransomware attacks, and Lieu is eager to ensure that the guidance specifically addresses how ransomware attacks relate to data breach regulations.
He Was a Hacker for the NSA and He Was Willing to Talk. I Was Willing to Listen. From The Intercept. The sender was a hacker who had written a series of provocative memos at the National Security Agency. His secret memos had explained — with an earthy use of slang and emojis that was unusual for an operative of the largest eavesdropping organization in the world — how the NSA breaks into the digital accounts of people who manage computer networks, and how it tries to unmask people who use Tor to browse the web anonymously. Outlining some of the NSA’s most sensitive activities, the memos were leaked by Edward Snowden, and I had written about a few of them for The Intercept.
- A Massive Botnet of CCTV Cameras Involved in Ferocious DDoS Attacks. From Softpedia.
A botnet of over 25,000 bots lies at the heart of recent DDoS attacks that are ferociously targeting businesses around the world. More exactly, we're talking about massive Layer 7 DDoS attacks that overwhelm Web servers, exhaust their resources and eventually crash websites. US-based security vendor Sucuri discovered this botnet, very active in the last few weeks, and says it is mainly composed of compromised CCTV systems from around the world. Their first encounter with the botnet came when a jewelry shop facing a prolonged DDoS attack opted to move its website behind Sucuri's main product, its WAF (Web Application Firewall).
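What makes a Layer 7 flood from a botnet like this hard to see with a per-client rate limit is that each of the 25,000 cameras can stay below any sensible per-IP threshold while the aggregate still exhausts the server. The script below is an added example, not code from the Softpedia article or from Sucuri, and shows why you need both views over the access log: it buckets combined-format log lines into fixed time windows and reports a window when either one client exceeds a per-IP rate (classic single-source abuse) or the total request count exceeds an aggregate rate even though no single client is noisy (the distributed case). The log lines and thresholds are constructed for illustration.

```python
"""Bucket web-server access-log lines into time windows and flag Layer 7
flooding from either a single noisy client or many quiet ones.

Added example (not from the article or from Sucuri). Assumes lines are in
the common/combined log format; sample lines and thresholds are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_l7_flood(lines, bucket_seconds=10, per_ip_threshold=20,
                    aggregate_threshold=100):
    """Return one finding per time bucket that looks like a flood.

    A bucket is reported when any single client sends at least
    `per_ip_threshold` requests in it, or when the bucket total reaches
    `aggregate_threshold` regardless of how the requests are spread.
    """
    hits_by_ip = defaultdict(Counter)     # bucket start -> Counter(ip)
    hits_by_path = defaultdict(Counter)   # bucket start -> Counter(path)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip unparseable lines
        bucket = int(rec["time"].timestamp()) // bucket_seconds * bucket_seconds
        hits_by_ip[bucket][rec["ip"]] += 1
        hits_by_path[bucket][rec["path"]] += 1

    findings = []
    for bucket in sorted(hits_by_ip):
        ips = hits_by_ip[bucket]
        total = sum(ips.values())
        noisy = sorted(ip for ip, n in ips.items() if n >= per_ip_threshold)
        if total >= aggregate_threshold or noisy:
            top_path, top_hits = hits_by_path[bucket].most_common(1)[0]
            findings.append({
                "bucket": bucket, "total": total, "distinct_ips": len(ips),
                "noisy_ips": noisy, "top_path": top_path, "top_path_hits": top_hits,
            })
    return findings


def _log(ip, ts, path, status=200, size=512):
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" {status} {size}'


# Constructed sample: 30 bots with four hits each in one 10-second bucket
# (nobody over the per-IP limit, but 120 in aggregate), three ordinary
# requests in the next bucket, then one client hammering a search URL.
SAMPLE_LINES = (
    [_log(f"192.0.2.{i}", f"01/Jun/2016:10:00:0{i % 10}", "/")
     for i in range(1, 31) for _ in range(4)]
    + [_log("198.51.100.8", "01/Jun/2016:10:00:12", "/about.html"),
       _log("198.51.100.8", "01/Jun/2016:10:00:13", "/style.css"),
       _log("198.51.100.9", "01/Jun/2016:10:00:15", "/"),
       "this line is not an access-log record and must be skipped"]
    + [_log("203.0.113.50", f"01/Jun/2016:10:00:2{k % 10}", "/search?q=x")
       for k in range(25)]
)


if __name__ == "__main__":
    for f in detect_l7_flood(SAMPLE_LINES):
        print(f)
```

The first finding is the botnet pattern: 120 requests from 30 distinct addresses, none of them individually over the limit, so a plain per-IP rule such as a web server's connection limit would have let all of it through. The second is the single-source case that such a rule does catch. Counting distinct clients per window, and the hit count on the single most-requested path, is what lets a WAF operator tell the two apart and pick the right response (challenge or block a source versus rate-limit a URL).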
New and improved CryptXXX ransomware rakes in $45,000 in 3 weeks. From ArsTechnica. Whoever said crime doesn’t pay didn’t know about the booming ransomware market. A case in point, the latest version of the scourge known as CryptXXX, which raked in more than $45,000 (£34,344) in less than three weeks. Over the past few months, CryptXXX developers have gone back and forth with security researchers. The whitehats from Kaspersky Lab provided a free tool that allowed victims to decrypt their precious data without paying the ransom, which typically reaches $500 or more. Then, CryptXXX developers would tweak their code to defeat the get-out-of-jail decryptor. The researchers would regain the upper hand by exploiting another weakness and so on.
Adobe Flings Flash Fix for Fresh APT Target. From BankInfoSecurity. Security experts are once again warning enterprises to immediately update – or delete – all instances of the Adobe Flash Player they may have installed on any system in the wake of reports that a zero-day flaw in the web browser plug-in is being targeted by an advanced persistent threat group.
How to Run a Russian Hacking Ring. From The Atlantic. And for many of those cybercriminals, hacking is as unglamorous as any other business. That’s what a group of security researchers found when they infiltrated a ring of hackers based in Russia earlier this year, and monitored its dealings over the course of five months. The researchers were with Flashpoint, an American cybersecurity company that investigates threats on the dark and deep web. Their undercover operation began when they came across a post on a Russian hacker forum on the dark web—a part of the internet that’s inaccessible to regular browsers—that read very much like a get-rich-quick ad you might find on Facebook.
Twitter denies security breach after hacker tries to sell 32M compromised accounts. From Washington Times. Twitter on Thursday denied being the victim of a security breach amid reports that a hacker has put the log-in credentials for more than 32 million accounts up for sale on the dark web. LeakedSource, an online search engine for stolen data, said Wednesday that a pseudonymous hacker provided the website with a data set purportedly containing the usernames, passwords and other data pertaining to 32,888,300 Twitter accounts. Fifteen of the victims identified in the breach were contacted by LeakedSource, and each one verified the validity of the information supplied to the website.
- Companies Are Stockpiling Bitcoin in Case They Get Infected with Ransomware. From Softpedia. According to the numbers crunched by Citrix and Censuswide, who polled 250 UK IT and security managers, one in three UK businesses is now creating a backup account for holding cryptocurrency such as Bitcoin in the event of a cyber-attack. Companies are willing to pay as much as £50,000 ($72,700) to unlock their computers and retrieve their IP (intellectual property) in case ransomware somehow makes it into their network. The exact percentages are 36 percent of the companies with 250-500 employees, 57 percent of the businesses with 501-1,000 employees, and 18 percent of the firms with over 2,000 employees.
Enterprises Still Don’t Base Vuln Remediation On Risk. From Dark Reading. “Despite the growing number of breaches, the state of application security is not improving significantly,” says Asma Zubair, director of product management for WhiteHat. “Applications continue to remain vulnerable. About one-third of insurance applications, about 40 percent of banking and financial services applications, about half of healthcare and retail applications, and more than half of manufacturing, food and beverage, and IT applications are always vulnerable.”
Vulnerabilities in Facebook Chat and Messenger exploitable with basic HTML knowledge. From Help Net Security. Check Point’s security research team has discovered vulnerabilities in Facebook’s standard online Chat function, and its separately downloaded Messenger app. The vulnerabilities, if exploited, would allow anyone to essentially take control of any message sent by Chat or Messenger, modify its contents, distribute malware and even insert automation techniques to outsmart security defences.
‘Alarming’ rise in ransomware tracked. From BBC. There are now more than 120 separate families of ransomware, said experts studying the malicious software. Other researchers have seen a 3,500% increase in the criminal use of net infrastructure that helps run ransomware campaigns. The rise is driven by the money thieves make with ransomware and the increase in kits that help them snare victims.