US State Department announces $10 million bounty after Costa Rica ransomware attack

In the wake of a massive ransomware attack on the Costa Rican government in April, the US government issued a notice last week offering rewards worth millions of dollars for information on people involved with the Conti ransomware used in the hack. Rodrigo Chaves Robles, Costa Rica’s recently sworn-in president, declared a national emergency because of the attack, according to CyberScoop.

According to BleepingComputer, the ransomware attack affected Costa Rica’s Ministry of Finance and Ministry of Labor and Social Security, as well as the country’s Social Development and Family Allowances Fund, among other entities. The report also says that the attack affected some services from the country’s treasury starting on April 18th. The hackers not only took down some of the government’s systems, they are also leaking data: CyberScoop notes that almost 700GB of data has made its way onto Conti’s leak site.

State Department reward notice (Bureau of International Narcotics and Law Enforcement Affairs, INL): rewards of up to $10,000,000 for information leading to the identification or location of key leaders, and up to $5,000,000 for information leading to the arrest and/or conviction of the owners/operators/a... of the Conti ransomware-as-a-service group. Tips go to the FBI by phone or internet: +1-800-CALL-FBI (+1-800-225-5324).

The US State Department says the attack “severely impacted the country’s foreign trade by disrupting its customs and taxes platforms” and offers “up to $10 million for information leading to the identification and/or location” of the organizers behind Conti. The US government is also offering $5 million for information “leading to the arrest and/or conviction of any individual in any country conspiring to participate in or attempting to participate” in a Conti-based ransomware attack.

Last year, the US offered similar bounties on REvil and DarkSide (the group behind the Colonial Pipeline attack). REvil is largely thought to be defunct after the US reportedly hacked the group’s servers and the Russian government claimed to have arrested several members.

The Costa Rican government isn’t the only entity to fall victim to Conti’s ransomware. As Krebs On Security notes, the group is particularly infamous for targeting healthcare facilities such as hospitals and research centers.

The gang is also known for having its internal chat logs leaked after it declared full support for Russia’s government shortly after the invasion of Ukraine began. According to CNBC, those logs showed that the group behind the ransomware was having organizational problems: people weren’t getting paid, and members were being arrested. However, as with many ransomware operations, the software itself was also used by “affiliates,” other parties who licensed it to carry out their own attacks.

In Costa Rica’s case, the attacker claims to be one of these affiliates and says that they aren’t part of a larger team or government, according to a message posted by CyberScoop. They have, however, threatened to carry out “more serious” attacks, calling Costa Rica a “demo version.”

Repost: Original Source and Author Link


Phishing attack pop-up targets MetaMask users visiting popular crypto sites

As if this week weren’t bad enough for many cryptocurrency owners, with stablecoins crashing and Coinbase suffering an outage at a particularly bad time, now they’ve reportedly been targeted by a new phishing attack. As reported by CoinDesk and The Block Crypto, sites including Etherscan, CoinGecko, and DexTools all warned users that they were aware of suspicious popups appearing for visitors, and advised them not to confirm any transactions based on popups.

Like many recent phishing attacks, this one appeared to promise a link to the Bored Ape Yacht Club project, with an ape skull logo and a (now-disabled) domain. It prompted users to connect their MetaMask wallets (a software cryptocurrency wallet available as a mobile app and as a browser extension) to use the site. Because the popup appeared on domains that many people trust and use every day, users may have fallen for it and granted it access. An ad network’s code is loaded into the page by the site itself, so a trusted domain in the address bar is no guarantee that a prompt comes from that site.

Last November, the security company Check Point Research identified a phishing attack that used Google Ads that would either attempt to steal someone’s credentials or trick them into logging into the attacker’s wallet so that it would receive any transactions they attempted. In February, a phishing attack stole $1.7 million worth of NFTs from OpenSea users, while a more recent attempt via Discord only snagged $18,000 worth of tokens.

Etherscan said it has disabled third-party integrations for the time being. A tweet from CoinGecko identified the source of the malicious popup as Coinzilla, an industry advertising network that told customers it could deliver over 1 billion impressions per month across more than 600 reputable sites popular with crypto enthusiasts.



Ransomware attack on Planned Parenthood LA exposes info for 400,000 patients

Hackers were able to access files containing personal information for hundreds of thousands of Planned Parenthood Los Angeles patients with a ransomware attack that occurred in October, according to a report by The Washington Post. A letter sent to affected patients by Planned Parenthood explained that the files contained patients’ names and “one or more of the following: address, insurance information, date of birth, and clinical information, such as diagnosis, procedure, and/or prescription information.”

Planned Parenthood says the ransomware was installed on its network some time between October 9th and October 17th. On the 17th, the organization noticed the intrusion, took its systems offline, and contacted law enforcement and cybersecurity investigators. By early November, it had determined what the hackers had access to but is still in the dark about the attack’s perpetrator, according to CNN.

A spokesperson for Planned Parenthood LA told The Washington Post that it didn’t seem like the information had been “used for fraudulent purposes” and told CNN that it didn’t appear to be a targeted attack. But the data could be valuable if hackers choose to sell it, given its extremely sensitive nature — Planned Parenthood not only provides abortions but birth control, STD testing, and hormone therapy for trans patients, along with a host of other medical services. According to CNN, the data was limited to Planned Parenthood Los Angeles.

The cyberattack and data leak come at a time when abortion rights are especially fraught in the US. The Supreme Court is currently considering a case to determine the legality of a Mississippi law that bans abortions 15 weeks into pregnancy (as opposed to the 23 weeks set by Roe v. Wade), and earlier this year Texas made it illegal to get an abortion after just six weeks of pregnancy. Texas’ law means that abortions won’t be a legal option by the time most people find out they’re pregnant.

Ransomware attacks have also been a major issue this year, with the US Treasury reporting that payouts from the attacks could be on track to top a billion dollars for 2021 alone. CNN says a spokesperson for Planned Parenthood LA didn’t answer questions about whether there was a ransom demand made in this case.



Biden admin’s bug fix mandate aims to prevent the next major cybersecurity attack

The Biden administration is requiring civilian federal agencies to fix hundreds of known, actively exploited cybersecurity flaws, as reported earlier by The Wall Street Journal. As the WSJ states, the BOD 22-01 directive from the Cybersecurity and Infrastructure Security Agency (CISA) covers around 200 vulnerabilities discovered between 2017 and 2020, as well as 90 more found in 2021. Federal agencies have six months to patch the older vulnerabilities and just two weeks to fix the ones discovered within the past year.

The WSJ report points out that federal agencies are usually left to their own devices when it comes to security, which sometimes results in poor security management. The goal is to force federal agencies to fix every vulnerability on the list, regardless of its severity rating, and to establish a baseline list that other private and public organizations can follow. While zero-days (previously unknown vulnerabilities) get the major headlines, addressing “the subset of vulnerabilities that are causing harm now” can get ahead of many incidents.

Previously, a 2015 order gave federal agencies one month to fix vulnerabilities deemed “critical risk.” This was changed in 2019 to include vulnerabilities categorized as “high risk,” as pointed out by the WSJ. The new directive moves away from prioritizing by severity score and instead acknowledges that a low-rated hole can quickly cause larger problems once attackers are actively exploiting it.

“The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks,” says CISA director Jen Easterly. “While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”

CISA’s newly released list of known exploited vulnerabilities notably includes the Microsoft Exchange Server flaws. In March, emails from over 30,000 US governmental and commercial organizations were accessed by a Chinese group through four Exchange vulnerabilities for which Microsoft released out-of-band patches on March 2nd; organizations that did not apply them promptly stayed exposed to the wave of follow-on attacks. CISA’s list requires patching the “Microsoft Exchange Remote Code Execution Vulnerability” and also calls on federal agencies to install available SolarWinds patches by May 2022.

The SolarWinds Orion Platform is also on the list. Orion was the product trojanized in the major supply-chain hack disclosed in late 2020 that compromised US government agencies; the catalog entry concerns a separate flaw in the same product, which CISA describes as follows: the “SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands.”
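The directive’s two deadlines (six months for pre-2021 CVEs, two weeks for 2021 CVEs) and the two catalog entries just described can be turned into a simple overdue check. The following is an added example, not code from the article, from CISA or from the WSJ: it reads a catalog extract in the field layout of CISA’s public JSON feed (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate), matches it against a scanner’s findings, and reports which unpatched assets are past their BOD 22-01 deadline. The catalog rows and findings are constructed for the example; the CVE IDs for the Exchange and Orion flaws are real, but the other field values are illustrative and should not be taken as the live catalog’s contents. The code prefers the catalog’s own dueDate when present and falls back to the directive’s rule only when it is missing.

```python
"""Added example: check an asset inventory against a KEV-style catalog and
list missed BOD 22-01 deadlines.  Catalog rows and findings are constructed;
only the field names follow CISA's JSON feed."""
import calendar
import json
from datetime import date, timedelta

DIRECTIVE_ISSUED = date(2021, 11, 3)  # day BOD 22-01 was issued


def _as_date(value):
    """Accept a date or an ISO-8601 string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def bod_22_01_due_date(cve_id, date_added=DIRECTIVE_ISSUED):
    """Deadline per the directive's rule: two weeks for CVEs assigned in 2021
    or later, six months for CVEs assigned before 2021, both counted from the
    day the entry was added to the catalog."""
    date_added = _as_date(date_added)
    cve_year = int(cve_id.split("-")[1])
    if cve_year >= 2021:
        return date_added + timedelta(days=14)
    months = date_added.month + 6
    year = date_added.year + (months - 1) // 12
    month = (months - 1) % 12 + 1
    # clamp the day so 31 Aug + 6 months lands on the last day of February
    day = min(date_added.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


# Constructed catalog extract.  The Orion row carries an explicit dueDate, as
# live rows do; the Exchange row deliberately omits it to exercise the fallback.
SAMPLE_CATALOG = json.dumps({
    "title": "sample KEV extract (constructed for this example)",
    "vulnerabilities": [
        {
            "cveID": "CVE-2021-26855",
            "vendorProject": "Microsoft",
            "product": "Exchange Server",
            "vulnerabilityName": "Microsoft Exchange Remote Code Execution Vulnerability",
            "dateAdded": "2021-11-03",
        },
        {
            "cveID": "CVE-2020-10148",
            "vendorProject": "SolarWinds",
            "product": "Orion Platform",
            "vulnerabilityName": "SolarWinds Orion API Authentication Bypass Vulnerability",
            "shortDescription": "SolarWinds Orion API is vulnerable to an authentication "
                                "bypass that could allow a remote attacker to execute API commands.",
            "dateAdded": "2021-11-03",
            "dueDate": "2022-05-03",
        },
    ],
})

# Constructed scanner output: which asset still carries which CVE.
SAMPLE_FINDINGS = [
    {"asset": "exch-01", "cve": "CVE-2021-26855", "patched": False},
    {"asset": "exch-02", "cve": "CVE-2021-26855", "patched": True},
    {"asset": "orion-01", "cve": "CVE-2020-10148", "patched": False},
    # placeholder ID that is not in the catalog: out of the directive's scope
    {"asset": "web-03", "cve": "CVE-2019-99999", "patched": False},
]


def load_catalog(raw_json):
    """Index catalog rows by CVE ID."""
    return {row["cveID"]: row for row in json.loads(raw_json)["vulnerabilities"]}


def due_date_for(row):
    """Prefer the catalog's own dueDate; fall back to the directive's rule."""
    if row.get("dueDate"):
        return date.fromisoformat(row["dueDate"])
    return bod_22_01_due_date(row["cveID"], row["dateAdded"])


def overdue_findings(findings, catalog, today):
    """Return (asset, cveID, days_overdue) for every unpatched finding whose
    deadline has passed, most overdue first.  CVEs not in the catalog are
    skipped: the directive only covers listed vulnerabilities."""
    today = _as_date(today)
    overdue = []
    for finding in findings:
        row = catalog.get(finding["cve"])
        if row is None or finding["patched"]:
            continue
        due = due_date_for(row)
        if today > due:
            overdue.append((finding["asset"], finding["cve"], (today - due).days))
    return sorted(overdue, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    catalog = load_catalog(SAMPLE_CATALOG)
    for asset, cve, days in overdue_findings(SAMPLE_FINDINGS, catalog, "2022-06-01"):
        print(f"{asset}: {cve} is {days} days past its BOD 22-01 deadline")
```

Run against the real feed, the only change needed is to replace SAMPLE_CATALOG with the downloaded JSON; the fallback rule matters only for rows that lack a dueDate, which the live catalog should never have, but keeping it makes the check fail loudly rather than silently skip a row with a broken field.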

Cybersecurity has been a priority for President Biden since he entered office. In May, he signed an executive order intended to help prevent future cybersecurity disasters. The order mandates multifactor authentication and encryption across the federal government, establishes a protocol for responding to cyberattacks, and forms a Cyber Safety Review Board, among other measures.



Hacker claims responsibility for T-Mobile attack, bashes the carrier’s security

A person claiming to be behind the T-Mobile data breach that exposed almost 50 million people’s info has come forward to reveal his identity and to criticize T-Mobile’s security, according to a report by The Wall Street Journal. John Binns told the WSJ that he was behind the attack and provided evidence that he could access accounts associated with it, and he went into detail about how he was able to pull it off and why he did it.

According to Binns, he was able to get customer (and former customer) data from T-Mobile by scanning for unprotected routers. He found one, he told the Journal, which allowed him to access a Washington state data center that stored credentials for over 100 servers. He called the carrier’s security “awful” and said that realizing how much data he had access to made him panic. According to the WSJ, it’s unclear whether Binns was working alone, though he implied that he collaborated with others for at least part of the hack.

The information the hacker gained access to includes sensitive personal data, like names, birthdates, and Social Security numbers, as well as important cellular data like the identification numbers for cellphones and SIM cards (IMEI and IMSI numbers). T-Mobile has said in a statement that it’s “confident” that it’s “closed off the access and egress points the bad actor used in the attack.”

The WSJ’s report goes in depth into Binns’ history as a hacker. He claims that he got his start making cheats for popular video games and that he discovered the flaw that ended up being used in a botnet that attacked IoT devices (though he denies actually working on the code).

According to Binns, his relationship with US intelligence services is troubled, to say the least. A lawsuit that appears to have been filed by Binns in 2020 demands that the CIA, FBI, DOJ, and other agencies tell him what information they have on him. The lawsuit also accuses the government of, among other things, having an informant try to convince Binns to buy Stinger missiles on an FBI-owned website, attacking Binns with psychic and energy weapons, and even being involved in his alleged kidnapping and torture. In its response to the lawsuit, the FBI denied that it was investigating Binns over the botnet and denied holding any information related to the alleged surveillance, abduction, and torture.

Binns told the WSJ that one of his goals behind the attack was to “generate noise,” saying that he hopes someone in the FBI will leak information related to his alleged kidnapping. It’s not likely that Binns’ situation will be improved now that he’s shone a spotlight on himself as the person who hacked one of the US’s major carriers. However, if his reports about how he gained access to a vast trove of T-Mobile data are true, it paints a concerning picture of the carrier’s security practices.



Sinclair TV stations experienced a massive outage during ransomware attack

Sinclair, the broadcast group that runs some of the most popular local channels across the US, experienced a nationwide outage during a ransomware attack on October 16th (via The Record). Viewers initially were informed technical difficulties caused the disruption, but the US Securities and Exchange Commission published a filing from Sinclair two days later, identifying ransomware as the source of the outage.

“Certain servers and workstations in its environment were encrypted with ransomware, and that certain office and operational networks were disrupted,” the report reads. “Data also was taken from the Company’s network. The Company is working to determine what information the data contained and will take other actions as appropriate based on its review.”

A person close to the situation tells The Verge that as of yesterday, employees still had problems accessing email or signing into systems, but today, those things are restored.

Sinclair’s report also notes the company still isn’t up and running at 100 percent. While it’s trying to resolve the issue, there may still be “disruption to parts of the Company’s business, including certain aspects of its provision of local advertisements by its local broadcast stations on behalf of its customers.”

Sinclair operates a massive number of local TV stations, so the attack prevented the company from broadcasting local news shows, sports games, and other scheduled content. According to The Record, the attack could have been much worse: the attackers were unable to compromise something called the “master control.” Retaining control of that system let Sinclair replace some scheduled shows with a national feed, so not all of its channels went completely dark.

And as The Record notes, the ransomware attack was preceded by a company-wide password reset at Sinclair following the discovery of a “potentially serious network security issue.” It’s unclear whether that security issue has anything to do with the attack that just transpired. There still isn’t an official count of how many stations were shut down, nor is it known who exactly was responsible for the attack.

Ransomware attacks are becoming increasingly common; Colonial Pipeline, Gigabyte, and CNA Financial are just some of the high-profile companies targeted this year. According to a report by the US Treasury, ransomware payouts in 2021 are on track to beat the combined payouts from the entire past decade.



Hackers reportedly threaten to leak data from Gigabyte ransomware attack

Gigabyte has been the victim of a cyberattack, reportedly the work of a ransomware outfit called RansomEXX. According to The Record, the attack didn’t affect any of the company’s production systems, but it did affect some internal servers. Currently, some parts of Gigabyte’s website, including its support section, are down, leaving customers unable to reach warranty repair information and updates. The hackers who claim to have carried out the attack are reportedly threatening to release data from the company, including confidential documents from Intel, AMD, and American Megatrends.

Gigabyte is mainly known for its PC components such as motherboards and graphics cards, but it also has a line of laptops and peripherals like gaming monitors, which are often branded with the Aorus name.

According to a ransom note and dark web webpage, seen by Bleeping Computer and The Record, RansomEXX threatens to publish 112GB of data it got from Gigabyte and an American Megatrends Git repo. Bleeping Computer reports that the hackers also include screenshots of documents from Intel, AMD, and American Megatrends that are under an NDA. American Megatrends creates firmware for motherboard and computer manufacturers as well as for certain Chromebook manufacturers.

Various parts of Gigabyte’s website are nonfunctional.

PC manufacturers aren’t an uncommon target for hackers: earlier this year, Acer was reportedly hit with an attack by the REvil group, which would later go on to target one of Apple’s suppliers. In both cases, hackers threatened to release valuable data if the companies didn’t pay exorbitantly high ransoms of $50 million. The scourge of ransomware has also gone beyond traditional tech companies, affecting hospitals, fuel pipelines, insurance companies, and more.

In Gigabyte’s case, the sum that the hackers are seeking doesn’t yet appear to be public. Bleeping Computer reports, however, that RansomEXX’s ransom notes direct companies to contact an email address to start negotiations.

Gigabyte didn’t respond to a request for comment, but it told The Record that the company has isolated the affected servers, notified law enforcement, and is beginning an investigation. Gigabyte hasn’t publicly named RansomEXX as the responsible party.



Pokemon Unite Bug Accidentally Wrecks Gengar’s Best Attack

Arriving with Pokémon Unite‘s first major balance patch is a truly unfortunate Gengar bug. The bug prevents Gengar’s move Hex from dealing damage about half of the times it’s used, according to Dot Esports.

Hex still allows Gengar to teleport to its target, but upon arriving, it sometimes deals no damage. Hex also occasionally doesn’t receive its cooldown reduction from attacking a Pokémon with a status condition. The bug was confirmed by the official Pokémon Unite Twitter account, and an in-game message given to all users on login states that the development team is very sorry for the bug and that they’re working on a fix.

The following bugs have been confirmed in the current version of the game.

– Gengar: Hex

We deeply apologize for any inconvenience this may be causing and hope to have all issues fixed soon.

— Pokémon UNITE (@PokemonUnite) August 4, 2021

Gengar’s Sludge Bomb/Hex combo was one of the most powerful solo Pokémon combos at the game’s launch. Sludge Bomb gives the opposing Pokémon a status condition, while Hex chases a Pokémon and deals extra damage if the opposing Pokémon has a status condition. Used together, these two moves could weaken, chase, and defeat an opposing Pokémon in seconds.

Even without Sludge Bomb, Hex was so powerful at launch that the development team nerfed it in a patch, decreasing its damage and shortening its window of invulnerability. Unfortunately, the nerf also came with the unintended bug, making Gengar too unreliable for any sort of play, be it high-level competitive or regular random matches.

While players have determined what the bug is on their own, Nintendo and TiMi have not confirmed any information other than acknowledging that an issue with Gengar exists and that they “hope to have all issues fixed soon.”

Pokemon Unite is available now on Nintendo Switch and will release on mobile devices in September.



19 days after REvil’s ransomware attack on Kaseya VSA systems, there’s a fix

Just ahead of the July 4th holiday weekend, a ransomware attack targeted organizations using Kaseya VSA remote management software. The outfit behind the attack, REvil, initially requested a $70 million ransom and claimed to have locked down millions of devices. That was before REvil suddenly went offline on July 13th, disconnecting its servers, abandoning forums, and shutting down a page on the dark web used to communicate with victims.

Now, Kaseya says it has obtained a universal decryptor from a “third party” that can restore data encrypted during the attack. The company has not said how it came by this technology, telling Bleeping Computer that it could not confirm or deny any ransom payment had occurred.

On 7/21/2021, Kaseya obtained a decryptor for victims of the REvil ransomware attack, and we’re working to remediate customers impacted by the incident.

We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor. Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims.

NBC News reporter Kevin Collier first reported the decryption tool’s existence and speculates that one of three sources is likely behind the key: the US government, the Russian government, or a ransom payment to the attackers.

Kaseya says cybersecurity firm Emsisoft confirmed the restoration tool is “effective,” and now it’s working with victims of the attack to decrypt affected systems. It’s unknown how much help the tool will offer, coming several weeks after the attacks, but it’s better than nothing.



Microsoft attributes new SolarWinds attack to a Chinese hacker group

Microsoft’s Threat Intelligence Center (MSTIC) reported on Tuesday that SolarWinds software was attacked with a zero-day exploit by a group of hackers it calls “DEV-0322.” The hackers were focused on SolarWinds’ Serv-U FTP software, with the presumed goal of accessing the company’s clients in the US defense industry.

The zero-day attack was first spotted in a routine Microsoft 365 Defender scan. The software noticed an “anomalous malicious process” that Microsoft explains in more detail in its blog, but it seems the hackers were attempting to make themselves Serv-U administrators, among other suspicious activity.

SolarWinds reported the zero-day exploit on Friday, July 9th, explaining that every Serv-U release from May 5th and earlier contained the vulnerability (tracked as CVE-2021-35211). The company released a hotfix, Serv-U 15.2.3 HF2, to address the issue, but Microsoft writes that wherever Serv-U’s Secure Shell (SSH) service was exposed to the internet, the hackers could “remotely run arbitrary code with privileges, allowing them to perform actions like install and run malicious payloads, or view and change data.” Anyone running older Serv-U software is encouraged to update to the hotfixed version as soon as possible.

The first hack that shoved SolarWinds into the limelight in December 2020 exposed hundreds of government agencies and businesses. Unlike the previous hack, which is now widely connected to a Russian state-affiliated group of hackers called Cozy Bear, Microsoft says this zero-day attack originated in China. DEV-0322 has made a habit of attacking “entities in the US Defense Industrial Base Sector,” Microsoft writes, and is known for “using commercial VPN solutions and compromised consumer routers in their attacker infrastructure.”
