Important news from the world of hacking
21 July 2022
President Biden is preparing a comprehensive strategy to improve cybersecurity in the U.S., led by the Office of The National Cyber Director. The goal of these plans is to encourage key players to address cybersecurity.
According to reports, the President has assigned six different teams to work on this issue. Staff involved in the draft include Rob Knake, deputy national cyber director for strategy and budget; Harry Krejsa, deputy national cyber director for strategy and research; and Matthew Ferren, cyber policy advisor.
While the exact content of the strategy is not known, researchers have stated that the U.S. will focus more on strengthening defensive capabilities, as well as national cooperation between institutions and states.
Equally significant, given the talent gap, is improving the cybersecurity workforce.
President Biden has undertaken several cybersecurity initiatives that have resulted in policy actions. These include:
– An executive order directing companies to report their security breaches more quickly than before.
– An executive order that requires cybersecurity employees to work rotations so they can gain experience across multiple federal agencies.
The Mantis botnet was used to launch the largest HTTPS distributed denial-of-service attack to date. The cyberattack occurred in June 2022.
Thousands of Cloudflare customers were affected by cyberattacks, resulting in outages and service delays.
While it was known that DDoS attacks caused the outage, researchers have now revealed that a botnet known as Mantis was used by the threat actor to execute the DDoS.
The Mantis botnet is malware that uses virtual machines to carry out its attacks, which makes it difficult to defend against even though it consists of only 5,000 bots.
The Cloudflare attack lasted only 30 seconds but generated 26 million requests per second, totaling 212 million HTTPS requests. The attack affected websites in Indonesia, Brazil, Russia, the U.S. and India.
North Korean hackers use the H0ly Gh0st ransomware to infiltrate victims. The threat actors primarily target businesses and business owners, continuing the country’s strategy of remotely attacking companies and employers that can be hacked or defrauded and then exploited for profit.
The H0ly Gh0st ransomware is deployed by the hacking group of the same name. The threat actor follows a scheme that is fairly standard among ransomware operators: first, all the victim’s files are encrypted, then a sample is sent as proof that an intrusion has indeed taken place, and finally a ransom in Bitcoin is demanded.
The amount the group usually demands is believed to be between one and five BTC.
There is text on their website that claims the group’s goal is to close the gap between rich and poor.
Researchers have found that the group uses four different malware variants, three of which are written in Go and one in C++. The group is being tracked by Microsoft’s security research team.
North Korea has been linked to numerous hacking campaigns. A group known as Lazarus stole $600 million worth of cryptocurrencies from the Ronin Bridge used by Axie Infinity. Recently, the group also hacked the Horizon Bridge, stealing over $100 million.
The U.S. government recently warned healthcare organizations and private companies to be wary of North Korean-backed hackers targeting the United States.
Former CIA engineer Joshua Schulte was convicted of leaking classified documents that WikiLeaks later published. The documents are known as Vault 7.
The 33-year-old was indicted in 2017. Schulte was charged with theft and distribution of sensitive materials. The act has been called one of the most damaging releases in the country’s history by U.S. intelligence agencies, as it has endangered the lives of numerous security officials.
In the leaked documents, WikiLeaks claims to show how the CIA developed malware, viruses, Trojans and other attack tools that were able to penetrate smartphones, smart TVs, laptops, PCs, etc. The purpose of these hacking campaigns was to spy on their targets. Some of these tools were reportedly developed in cooperation with other intelligence agencies, including the British MI5.
The files also show that the U.S. consulate in Frankfurt am Main served as a covert hacking base. The CIA sent hackers to the consulate, from where they were able to move freely throughout Europe and carry out various attacks. One of these was a USB-based attack, in which information is stolen even from machines that are not connected to the Internet.
Schulte is not the only former CIA employee who leaked files to WikiLeaks. Edward Snowden, a former CIA employee, transferred thousands of files to the organization. This prompted the United States Department of Justice to charge him with theft of government property and violation of the Espionage Act of 1917. Snowden is currently in Russia and has yet to stand trial.
1.9 million health records in the U.S. were hacked. The hackers penetrated Professional Finance Company and 650 healthcare providers. The hackers managed to steal sensitive data such as full names, addresses, the amount owed to healthcare providers, payment information, etc.
The company claims it detected the attack on Feb. 26, 2022, was able to stop it, and then turned the case over to legal authorities. PFC has contacted all affected victims and set up a call center to serve as a counseling center for them. The exact number of victims has not been disclosed by PFC, but the Ministry of Health has released a list that includes more than 1.9 million people.
Cyberattacks on healthcare providers and hospitals have increased sharply in recent years. In 2011, there were 199 cases in which more than 500 records were hacked, while that number reached 714 last year.
A Hive ransomware attack in Costa Rica crippled the country’s healthcare system, taking its entire healthcare server infrastructure offline.
Pakistani hackers targeted Indian students with a phishing campaign. The threat actors are believed to be a hacking group called Transparent Tribe.
The group, also known as APT36, Operation C-Major, PROJECTM and Mythic Leopard, has typically attacked government entities. This phishing campaign would be the first time the threat actor has targeted educational institutions.
Transparent Tribe has been active since 2013 and has targeted government organizations in around 30 countries. They typically target their victims by creating fake domains that impersonate a government organization and then carrying out the intrusion. Transparent Tribe is known for using Crimson RAT, a Windows-based remote access trojan that gives the attacker unauthorized access to the victim’s device.
Crimson RAT lists the victim’s files and folders in a directory path specified by the C2 server, runs a keylogger on the endpoint, collects sensitive information, takes screenshots of the victim’s screen and sends them to C2. The keylogger logs and the rest of the collected information are then forwarded to C2 as well.
The ransomware can be deployed manually and can persist on a system for a long time to steal information. The attacks have been ongoing since December 2021, although it is not known whether schools have contacted the hackers or paid a ransom.
The number of ransomware hacks increased 21% in the second quarter compared to the first quarter of 2022. Researchers analyzed the groups’ data leak websites and found a jump in the number of victims.
Most of the hacks were carried out by the LockBit hacker group, which deployed an updated version of its ransomware. Of the 582 ransomware victims in Q2, LockBit was responsible for 230. This means the group has taken the place of the well-known Conti ransomware group, which was disbanded a few weeks ago.
The hackers targeted numerous industries. Industrial manufacturing topped the list at 18.4%, technology was second at 8.7%, construction at 7.9%, healthcare at 6.4%, and government at 5.5%.
LockBit ransomware first appeared in 2019 and was immediately noticed by the industry because it can spread automatically. This feature distinguishes it from similar ransomware that spreads manually and makes it much faster.
State-backed hackers have stepped up their attempts to hack journalists. U.S.-based journalists covering politics are most affected.
Threat actors steal journalists’ login credentials and use them to communicate with their targets.
While this tactic is used by numerous groups, researchers have singled out the Chinese group TA412, also known as Zirconium. This group targets U.S.-based journalists, and its main attack vector is web beacons.
A web beacon is essentially a piece of code embedded in a web page, app or email that tracks a visitor’s behavior. The beacon loads without the victim noticing, while the attacker collects data such as the IP address, time of visit, etc.
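As an added defensive illustration (not code from the original article), the following Python snippet scans an HTML email body for the hallmarks of a web beacon: a remotely loaded image that is one pixel in size or hidden by CSS, often carrying a per-recipient query string so the sender can tell opens apart. The sample email and its hostnames are constructed placeholders.

```python
# Flag likely web beacons (tracking pixels) in an HTML email body.
# Added example, not code from the original article; the sample email and
# its hostnames are constructed placeholders.
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL = """<html><body><p>Dear colleague, please see the story below.</p>
<img src="https://cdn.example-news.test/logo.png" width="200" height="60">
<img src="https://track.example-beacon.test/o.gif?id=7f3a9c" width="1" height="1" style="display: none">
<img src="cid:inline-image-1" width="1" height="1">
</body></html>"""


def _is_tiny(value):
    """True when a width/height attribute is 0 or 1 pixel (e.g. "1" or "1px")."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


class BeaconFinder(HTMLParser):
    """Collects (src, reasons) for every remote <img> that looks like a beacon."""
    def __init__(self):
        super().__init__()
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if urlparse(src).scheme not in ("http", "https"):
            return  # cid: and data: images fetch nothing from the network
        reasons = []
        if _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
            reasons.append("1x1 image")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if reasons and urlparse(src).query:
            reasons.append("per-recipient query string")  # lets the sender tell opens apart
        if reasons:
            self.beacons.append((src, reasons))


def find_beacons(html):
    """Return [(src, reasons), ...] for the suspected beacons in an HTML body."""
    parser = BeaconFinder()
    parser.feed(html)
    return parser.beacons
```

Mail clients that block remote image loading by default neutralize this class of beacon regardless of how it is disguised; the heuristic above is for triage of messages that have already been opened.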
Another China-backed group believed to be involved in these attacks is TA459, while outside of China, TA482 is also believed to be involved. TA456, an alleged Iran-backed threat actor, is believed to send out fake newsletters masquerading as official newsletters from media outlets such as Fox and The Guardian. Threat actors use these fake emails to try to reach key diplomatic personnel at U.S. embassies around the world.