September 2023

Ransomware attacks down in August after record levels in July


August 2023 saw a drop in ransomware attacks, according to NCC Group’s August Threat Pulse, with 390 attacks representing a 22% drop from July. 

It comes after back-to-back record months in June and July, largely the result of Cl0p's MOVEit exploitation and the ongoing impact of that attack.

Lockbit 3.0 back in the top spot

Lockbit 3.0 returned to pole position in August, responsible for carrying out the largest volume of attacks at 125, 32% of total attacks in the month. It represents a 150% month-on-month increase on its July activity. BlackCat took the second spot with 41 attacks (11%), followed by 8Base with 32 (8%).

As expected, there was a steep fall in activity from Cl0p. The repercussions of its MOVEit exploitation seem to have largely subsided, with the group responsible for only 1% (3) of all attacks, a 98% decrease from June and July, when Cl0p launched 161 ransomware attacks.

Cl0p's slowdown in August is similar to the pattern witnessed in March earlier this year, when its mass exploitation of the GoAnywhere vulnerability was followed by a quiet period of attacks from the group.

Akira, a more recent ransomware player whose activity was first noted in April, has climbed to fourth place in August, after ranking in 8th place in July. The group focused 26% of its activity in the industrials sector and had a particular focus on the education sector. 

Industrials continues to be the most targeted sector

Industrials continues to be the most targeted sector representing 31% of all attacks in August. Threat actors continue to target the sector to exploit personally identifiable information (PII) and intellectual property (IP), with larger organisations remaining a specifically active target for threat actors looking to increase their revenue from ransomware attacks. 

The top three industries within the sector targeted in August were professional and commercial services followed by machinery, tools, heavy vehicles, trains and ships, with construction and engineering placing third. 

North America remains the most targeted region

The report found 47% of all ransomware attacks in July took place in North America, consistent with previous months. However, the region experienced a 7% relative drop in August, as compared to July where it held 54% of all victims. Europe remains in second place with 108 victims in August, representing 28% of total attacks. 

Interestingly, the volume of ransomware attacks experienced in Asia has climbed in comparison to recent months, accounting for 15% of the total – an amount not witnessed since February this year. 

Spotlight: Geopolitical influence on cyber crime 

The overall rise in attacks within Asia comes as we witness several geopolitically motivated ransomware campaigns by Chinese threat actor Flax Typhoon, overlapping with Ethereal Panda.  

The group’s targeting of Taiwanese organisations across different industries has highlighted how ongoing political tensions continue to have a significant impact on the global cybercrime landscape, posing particular risks to education, manufacturing and critical infrastructure.

The methods adopted by Flax Typhoon also risk being deployed in attacks beyond Taiwan, posing severe risks to wider international security. The group favours Living Off the Land (LOTL) techniques, a method that requires no file installs, code or scripts and that is becoming increasingly popular because it is difficult to detect.

“After two record months for ransomware attacks, the fall in attacks in August was to be expected,” says Matt Hull, Global Head of Threat Intelligence at NCC Group. 

“The number of victims in June and July was somewhat inflated by the huge success that Cl0p had exploiting the vulnerability in the MOVEit platform. This being said, the number of recorded victims in August was still significantly higher than this time last year,” he says.

“In our Threat Spotlight, we highlight the ever-persistent threat of cyber espionage by Nation State Groups and look specifically at the activities of China against Taiwan,” Hull says. 

“What we do know is that there is historical evidence that tactics, techniques and procedures are shared by multiple threat groups in China.

“As such, with any new campaign it is a necessary reminder to governments and businesses alike that we must remain alert to the activities of threat actors so that we can better prevent and protect against possible intrusion.”


OPSWAT-Sponsored SANS 2023 ICS/OT Cybersecurity Report Reveals Vital Priorities to Mitigate Ongoing Threats


Tampa, FL – September 21, 2023 — OPSWAT, a leader in critical infrastructure protection (CIP) cybersecurity solutions, sponsored the SANS 2023 ICS/OT Cybersecurity Survey, which unveils a distinct reality: despite notable improvements in defense strategies, including increased ICS cybersecurity awareness and enhanced incident response plans, survey respondents collectively consider current cybersecurity threats to ICS as severe/critical (25%) and high (44%). As a result, the top three items of utmost importance for ICS security programs in 2023 have been identified as network visibility, risk assessments, and transient device threat detection.

ICS/OT environments are becoming increasingly interconnected and complex, offering efficiency and innovation. However, this also exposes organizations to heightened vulnerabilities from relentless cyber threats. Dean Parsons, a SANS Certified Instructor, practitioner, and ICS/OT cybersecurity assessment expert, emphasizes, “This year’s survey reveals several notable changes compared to previous years. We see significant efforts in crucial areas and, regrettably, a lack of commitment in some equally important, evolving domains. However, there is a silver lining in the form of increased investments in asset inventorying, network-specific ICS/OT visibility and detection systems, and the development, training, and retention of staff with the required specific ICS security skillsets.”

Compromised IT Leads to Compromised OT

Respondents are predominantly concerned with and have experienced ICS incidents involving malware threats or attackers breaching the IT business network. These breaches often enable access and pivoting into the ICS/OT environment. Compromises in IT systems leading to threats entering OT/ICS networks ranked highest, followed by compromises of engineering workstations and external remote services.

To address these threats effectively, understanding the specific vectors within the top threat vector is essential. Questions arise about why IT compromises lead to ICS breaches, the enabling factors behind such breach points, the methods used to compromise engineering stations, and the ownership of these critical processes. Luckily, penetration testing is occurring at multiple levels, with a focus on Level 3, the DMZ, and Level 2, indicating proactive measures to assess and enhance ICS security.

IT and OT Collaboration and Training

The report highlights a significant trend towards IT/OT staff convergence, with 38% of all respondents now responsible for both ICS and IT security, indicating increased responsibilities in 2023 compared to the 20% reported in 2022.

Incident Response 

Cybersecurity solution providers are frequently consulted (43%) when signs of infection or infiltration emerge, emphasizing the need for specialized expertise in incident response. Additionally, a quarter of respondents were uncertain about having an exercised and documented plan for operating ICS engineering systems in reduced capacity, and only 56% currently possess a dedicated ICS/OT Incident Response Plan.

“Building resilient critical infrastructure requires a proactive approach to cybersecurity as noted with the SANS’ report findings,” said Yiyi Miao, OPSWAT’s Chief Product Officer. “At OPSWAT, we’re committed to empowering organizations to safeguard their vital systems through effective industry-leading solutions.”

Download the SANS ICS/OT Cybersecurity Survey: 2023’s Challenges and Tomorrow’s Defenses. 

About SANS 

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cybersecurity training and certification to professionals in government and commercial institutions worldwide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cybersecurity events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on technical certifications in cybersecurity. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master’s and bachelor’s degrees, graduate certificates, and an undergraduate certificate in cybersecurity. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to manage their “human” cybersecurity risk easily and effectively. SANS also delivers a wide variety of free resources to the InfoSec community, including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet’s early warning system — the Internet Storm Center. At the heart of SANS are the many security practitioners representing varied global organizations, from corporations to universities, working together to support and educate the global information security community. SANS.org 

About OPSWAT 

For the last 20 years OPSWAT, a global leader in IT, OT, and ICS critical infrastructure cybersecurity, has continuously evolved an end-to-end solutions platform that gives public and private sector organizations and enterprises the critical advantage needed to protect their complex networks and ensure compliance. Empowered by a “Trust no file. Trust no device.™” philosophy, OPSWAT solves customers’ challenges around the world with zero-trust solutions and patented technologies across every level of their infrastructure, securing their networks, data, and devices, and preventing known and unknown threats, zero-day attacks, and malware. Discover how OPSWAT protects the world’s critical infrastructure and helps secure our way of life; visit www.opswat.com


ClassLink Provides Cybersecurity Training Course to Help Schools Protect Public Directory Data


CLIFTON, N.J., Sept. 19, 2023 /PRNewswire/ — ClassLink, the leading provider of identity and access management (IAM) products for education, unveils Scope Your Google Directory, a timely ClassLink Academy course designed to protect schools from directory scraping.

In today’s digital age, schools’ increasing reliance on technology to streamline operations brings new challenges and threats, including directory scraping.

Directory scraping is the automated process of extracting information from online directories, often without the consent or knowledge of the organization that owns the directory. This information can include names, email addresses, phone numbers, and other personal data of students, faculty, and staff.

Directory scraping can have consequences for schools and lead to various issues, including data breaches, phishing attacks, identity theft, privacy violations, and potential misuse of sensitive information.

Schools should take proactive measures against directory scraping to protect their data and ensure data privacy. One effective strategy is directory scoping. Directory scoping involves controlling the visibility and accessibility of directory information to limit the exposure of sensitive data.

To assist schools in implementing effective directory scoping measures, ClassLink is pleased to offer the ‘Scope Your Google Directory’ course. This comprehensive course equips educational institutions with the knowledge and tools to secure their Google directory effectively. Admins can also learn how to mitigate scraping using ClassLink OneSync and other tools to safeguard sensitive data.

“The Scope Your Google Directory course is designed to keep school leaders up-to-date on best practices when it comes to protecting student, faculty, and staff data from bad actors. It empowers schools to take the necessary actions against data scraping to ensure that public directory data remains secure.” – Jeff Janover, VP of Security and Interoperability, ClassLink

This course, available to all ClassLink customers, can be accessed for free by logging in to ClassLink Academy and adding it to the course listings page from the course catalog.

About ClassLink

ClassLink is a global education provider of identity and analytics products that create more time for learning and help schools better understand digital engagement. As leading advocates for open data standards, we offer instant access to apps and files with single sign-on, streamline class rostering, automate account provisioning, and provide actionable analytics. ClassLink empowers 20 million students and staff in over 2,600 school systems. Visit classlink.com to learn more.

About ClassLink Academy

ClassLink Academy is a comprehensive online training platform designed to provide technical administrators, educational leaders, instructors, and students with top-notch resources. Its primary goal is to elevate user proficiency and comprehension in utilizing ClassLink’s suite of products. Visit classlink.com/academy to learn more.


Cisco acquires cybersecurity firm Splunk for jaw-dropping $28B | VentureBeat


Cisco today announced it is acquiring cybersecurity and observability leader Splunk in a cash deal worth $28 billion. 

The San Jose, California-based networking giant said the move will bring together both companies’ capabilities to drive the next generation of AI-enabled security and observability and make organizations of all sizes more secure and digitally resilient in today’s data-driven, hyperconnected world. 

“From threat detection and response to threat prediction and prevention, we will help make organizations of all sizes more secure and resilient,” Chuck Robbins, the chairman and CEO of Cisco, said in a statement.

The deal, which values each Splunk share at $157, is expected to close by the end of the third quarter of 2024. It is subject to regulatory approvals and other customary closing conditions. Upon close, Splunk’s president and CEO Gary Steele will join Cisco’s executive leadership team reporting to Robbins.


Strengthening cybersecurity and observability play

Cisco has already established a significant presence in cybersecurity.

The company offers a wide range of products and services to protect networks, data and applications from cyber threats, including firewalls, intrusion prevention systems (IPS), VPNs and endpoint security solutions.

Now, as the threat landscape continues to expand and the data ecosystem becomes more complex with the advent of generative AI and other evolving technologies, the company is teaming up with Splunk to bolster its cybersecurity play.

With this acquisition, Splunk’s security capabilities will complement Cisco’s existing portfolio of solutions, providing enterprises with strengthened security analytics and coverage from devices to applications to clouds.

Splunk was founded in 2003 by Erik Swan, Michael Baum and Rob Das with a mission to make big data searchable. Over the years, the platform evolved into a full-fledged tool for searching, monitoring, analyzing and visualizing machine-generated data in real time, covering data points from websites, applications, sensors, devices and everything else that makes up the IT infrastructure. This drove its adoption across multiple segments, including IT operations, business intelligence and cybersecurity (threat detection and management).

Cisco notes that the companies’ combined capabilities will also provide observability across hybrid and multi-cloud environments, enabling enterprises to deliver smooth application experiences that power their digital businesses. This will also help enterprises with their AI efforts and allow for greater investments in new solutions, the company added.

“Together, we will form a global security and observability leader that harnesses the power of data and AI to deliver excellent customer outcomes and transform the industry. We’re thrilled to join forces with a long-time and trusted partner that shares our passion for innovation and world-class customer experience, and we expect our community of Splunk employees will benefit from even greater opportunities as we bring together two respected and purpose-driven organizations,” Steele said in the same statement.

Not the only acquisition in cybersecurity

While the deal stands out due to its massive size, it comes as another notable move from Cisco in the security and observability space.

Earlier this year, the company also acquired cloud security software company Lightspin Technologies; Smartlook, a digital experience and analytics solution that monitors user engagement on websites and mobile applications in real-time; and Armorblox, a company focused on the use of large language models (LLMs) and natural language understanding in cybersecurity.

For fiscal year 2023, the company’s total revenue guidance stands at $57 billion with a year-over-year increase of 11%.


Understanding the Differences Between On-Premises and Cloud Cybersecurity


The difference between managing cybersecurity in on-premises and cloud environments is not unlike playing traditional versus three-dimensional chess. While the tactics are similar and goals are the same — reduce risk, protect confidential data, meet compliance requirements, and the like — the cloud adds complexity that completely changes the dynamic. The cloud’s architecture, lack of change controls, and subtle and not-so-subtle differences in various cloud platforms’ basic design and operations make cloud security more complex.

While migrating to infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), software-as-a-service (SaaS), and serverless computing is well established, some veteran technical and management staff who were trained in on-premises environments still bring that operational bias to managing clouds. However, the nature of cloud environments means security and technical teams need a different mindset to understand and manage their new attack surface.

Three Clouds, Three Environments

Organizations often use multiple vendors’ clouds, whether to meet specific operational needs, optimize price and performance, or access specialized capabilities. Most midsize to large organizations use two or more clouds (making them multicloud) in conjunction with on-premises servers and infrastructure (referred to as hybrid cloud).

Microsoft Azure is the popular choice if you’re running Windows for your in-house applications. There is a natural gravity to move to Azure once it no longer makes sense to deploy more racks in your data center. If you are deploying large-scale Web apps, the natural affinity is towards Amazon Web Services (AWS), although Google Cloud Platform (GCP) is also attractive for these use cases. GCP is also known for its analytics capabilities (BigQuery), so some organizations use it exclusively as a data lake with advanced analytics.

To effectively protect every cloud environment, cybersecurity teams must be security experts for each one. But there is a disconnect between how much additional work people think two or three clouds should entail and the work it actually entails, as each cloud’s attack surface is distinct. So, splitting your workloads across two clouds almost doubles the knowledge and work required compared to running all your workloads in a single cloud.

DMZ Differences

Another difference is that an on-premises data center has a well-defined demilitarized zone (DMZ) to protect external-facing services, while cloud environments mostly don’t.

A physical data center has a clear (often physical) DMZ where multiple security controls and monitoring are implemented. There are clear pathways into and out of a data center that an adversary’s command-and-control channel and exfiltration traffic would need to traverse.

In the cloud, the DMZ is more of a logical construct, and often the DMZ’s reality does not align with the organization’s mental model. It is not unusual for a scan to find unexpected holes exposing organizational data outside the environment. Chasing down and managing your DMZ requires specialized expertise that security architects who focus on on-premises networks may not have.

Leaky Cloud Services

Attackers can leverage many multitenant cloud services to communicate in and out of a cloud environment in a way that bypasses the tenant’s network. A classic example is when an attacker breaks into an AWS environment and expands access (from the Internet or another AWS tenant) to an S3 bucket. You can’t observe an attacker reading 10GB of content from the S3 bucket on the tenant’s network; because it occurs in the cloud service provider’s backplane, it is basically invisible to the tenant. If that same 10GB of content was exfiltrated from an on-premises network, it likely would be flagged and the security team notified.

If this were just about having the right controls for cloud storage services in place, it might seem like a manageable problem. But each service in the cloud has its own features and controls, and some may enable hidden external communication. Your cybersecurity team must be able to find all of them (not just the ones you intend to use) and have the necessary controls and monitoring in place.
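One way to recover the visibility the tenant network never had is to watch the provider's own records of the service. The following is an added example, not from the article: it tallies successful REST.GET.OBJECT bytes per requester and source IP from constructed S3 server access log lines (the bucket owner id, bucket name, IAM ARNs, IPs and sizes are placeholders) and flags anyone who has read more than a threshold, 10 GiB by default to mirror the article's 10GB scenario.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the article). Field order follows the S3
# server access log layout: owner, bucket, [time], remote IP, requester,
# request id, operation, key, "request-URI", status, error code, bytes sent,
# object size, total time, turnaround, "referer", "user-agent", version id.
# Trailing fields of the real format are omitted; the parser only needs the
# first thirteen.
SAMPLE_LOG = """\
OWNER-CANONICAL-ID finance-data [01/Aug/2023:10:00:01 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/etl-batch REQ0001 REST.GET.OBJECT reports/q2.parquet "GET /finance-data/reports/q2.parquet HTTP/1.1" 200 - 52428800 52428800 120 118 "-" "aws-sdk-python/1.26" -
OWNER-CANONICAL-ID finance-data [01/Aug/2023:10:02:44 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/etl-batch REQ0002 REST.GET.OBJECT reports/q3.parquet "GET /finance-data/reports/q3.parquet HTTP/1.1" 200 - 52428800 52428800 131 129 "-" "aws-sdk-python/1.26" -
OWNER-CANONICAL-ID finance-data [01/Aug/2023:10:05:10 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/etl-batch REQ0003 REST.PUT.OBJECT reports/q3.done "PUT /finance-data/reports/q3.done HTTP/1.1" 200 - - 12 15 14 "-" "aws-sdk-python/1.26" -
OWNER-CANONICAL-ID finance-data [01/Aug/2023:10:06:00 +0000] 203.0.113.55 - REQ0004 REST.GET.OBJECT customers/all.csv "GET /finance-data/customers/all.csv HTTP/1.1" 403 AccessDenied - - 8 - "-" "curl/8.1.2" -
OWNER-CANONICAL-ID finance-data [01/Aug/2023:10:07:12 +0000] 203.0.113.55 arn:aws:iam::999999999999:user/unknown-external REQ0005 REST.GET.OBJECT customers/part-00.csv "GET /finance-data/customers/part-00.csv HTTP/1.1" 200 - 3221225472 3221225472 90210 90188 "-" "curl/8.1.2" -
OWNER-CANONICAL-ID finance-data [01/Aug/2023:10:09:30 +0000] 203.0.113.55 arn:aws:iam::999999999999:user/unknown-external REQ0006 REST.GET.OBJECT customers/part-01.csv "GET /finance-data/customers/part-01.csv HTTP/1.1" 200 - 3221225472 3221225472 89870 89851 "-" "curl/8.1.2" -
OWNER-CANONICAL-ID finance-data [01/Aug/2023:10:11:48 +0000] 203.0.113.55 arn:aws:iam::999999999999:user/unknown-external REQ0007 REST.GET.OBJECT customers/part-02.csv "GET /finance-data/customers/part-02.csv HTTP/1.1" 200 - 3221225472 3221225472 90004 89990 "-" "curl/8.1.2" -
OWNER-CANONICAL-ID finance-data [01/Aug/2023:10:14:05 +0000] 203.0.113.55 arn:aws:iam::999999999999:user/unknown-external REQ0008 REST.GET.OBJECT customers/part-03.csv "GET /finance-data/customers/part-03.csv HTTP/1.1" 200 - 3221225472 3221225472 90120 90101 "-" "curl/8.1.2" -
"""

# One token per field: a [bracketed] timestamp, a "quoted" field, or a bare word.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def parse_line(line):
    """Split one access log line into the fields the detection needs, or None if malformed."""
    fields = TOKEN.findall(line)
    if len(fields) < 13:
        return None
    bytes_sent = fields[11]
    return {
        "bucket": fields[1],
        "time": fields[2].strip("[]"),
        "ip": fields[3],
        "requester": fields[4],
        "operation": fields[6],
        "key": fields[7],
        "status": fields[9],
        # "-" means no body was returned (denied requests, PUTs, HEADs).
        "bytes": 0 if bytes_sent == "-" else int(bytes_sent),
    }


def bytes_read_per_requester(log_text):
    """Sum bytes returned by successful object reads, keyed by (requester, source IP)."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Only completed object downloads move data out; denied or failed
        # requests and uploads are counted elsewhere, not here.
        if rec["operation"] == "REST.GET.OBJECT" and rec["status"] == "200":
            totals[(rec["requester"], rec["ip"])] += rec["bytes"]
    return dict(totals)


def flag_bulk_readers(log_text, threshold_bytes=10 * (1 << 30)):
    """Return (requester, ip) pairs whose successful reads reach the threshold, sorted."""
    totals = bytes_read_per_requester(log_text)
    return sorted(k for k, v in totals.items() if v >= threshold_bytes)


if __name__ == "__main__":
    for requester, ip in flag_bulk_readers(SAMPLE_LOG):
        print(f"bulk read: {requester} from {ip}")
```

The same aggregation applies to CloudTrail S3 data events; the point is that the evidence lives in the provider's logs, so those logs must be enabled and shipped somewhere the security team actually watches.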

Problems With Updates

Cloud providers make regular updates, such as adding new services, improving capabilities in existing ones, or changing a service’s default settings. Even services you don’t intend to use can expose you to risk, as attackers who have burrowed into your environment can leverage a leaky service to establish external communications. Or, the provider might change a service’s default configuration from restrictive to permissive policies, blindly exposing you to risk. These are not just theoretical scenarios — attackers are already leveraging these capabilities.

Compare this to an on-prem data center, where you are in control of software updates. You would not install software that you did not intend to use, as it would expose you to more risk and more work. On-prem data centers tend to have the opposite problem: known vulnerabilities are not patched quickly enough. You might spend a lot of time and money deciding which software patches are critical so that you can reduce your attack surface to the greatest possible extent with the minimum possible number of software updates.

Protecting Your Cloud

Understanding the structural and operational differences between on-premises and cloud operations is essential. To start, while it may seem business-friendly to allow each business unit to choose its preferred cloud platform, each new cloud comes with substantial additional work to secure it.

Ignoring the risks, including training and staffing priorities, will expose you to threats when many advanced attackers are focusing on your cloud footprint. Today’s innovative cloud attacks will be tomorrow’s run-of-the-mill breaches.


How to Get Your Board on Board With Cybersecurity


Nearly three-quarters (73%) of cybersecurity industry leaders have experienced burnout in the last 12 months — and who can blame them?

The shift to remote and hybrid work models has increased organizations’ reliance on cloud services, limiting security teams’ visibility into employee network and endpoint environments. But reduced visibility places company data at greater risk of cyber threats, and the subsequent surge in software supply chain attacks and ransomware incidents has cast a spotlight on the significance of cybersecurity. As a result, CISOs face more pressure than ever to maintain robust cyber defenses.

However, the role of the CISO has also evolved in other ways. With the frequency and severity of cyberattacks increasing, security has become a board-level issue given the potential reputational, financial, and operational damage associated with an attack. While it’s a positive development that more C-suite and board leaders are becoming active participants in cybersecurity conversations, it has also placed added pressure on CISOs, who must communicate advanced security protocols to a non-technical audience and justify their defense plans.

To champion cybersecurity initiatives while staying within budget constraints and aligning investments with overarching business goals, you need more than technical prowess. You must be able to effectively communicate and collaborate with your C-suite peers — and that’s sometimes not as easy as it sounds.

Four Ways CISOs Can Elevate Leadership Skills to Champion Cybersecurity

You know better than anyone that business success goes hand in hand with having proper cybersecurity processes and defenses in place. An effective cybersecurity strategy not only safeguards sensitive data but also yields significant cost savings and risk mitigation by preventing data exposure, curtailing downtime costs, and preserving the organization’s reputation.

As you embrace a more visible leadership role, alignment with your C-suite counterparts hinges on your ability to communicate, listen, and guide. Consider these tactics and strategies to hone your leadership skills so you can help your organization make more-informed cybersecurity decisions:

Ready to Lead Your Organization to a More Secure Future?

Your role as CISO is simultaneously growing in complexity and importance. In addition to remaining aware of emerging cyber threats and risk-mitigation strategies, you must also advocate for cybersecurity policies and investments that are in budget and align with the organization’s overarching business objectives.

In prioritizing your own professional development alongside companywide security initiatives, you can effectively defend your organization’s digital assets while fostering a culture of proactive defense.


‘Culturestreak’ Malware Lurks Inside GitLab Python Package


In what’s becoming an all-too-common occurrence in the current threat landscape, security researchers have found yet another malicious open source package, this time an active Python file on GitLab that hijacks system resources to mine cryptocurrency.

The package, called “culturestreak,” originates from an active repository on the GitLab developer site from a user named Aldri Terakhir, Checkmarx revealed in a blog post Sept. 19.

If downloaded and deployed, the package runs in an infinite loop that exploits system resources for unauthorized mining of Dero cryptocurrency as part of a larger cryptomining operation, according to Checkmarx.

“Unauthorized mining operations like the one executed by the ‘culturestreak’ package pose severe risks as they exploit your system’s resources, slow down your computer, and potentially expose you to further risks,” Checkmarx security researcher Yehuda Gelb wrote in the post.

Persistent Threat

The finding underscores the existing, persistent supply chain threat posed by opportunistic threat actors who poison open source packages that developers use to build software as a way to reach as many victims as possible with minimal effort.

Earlier this year, Checkmarx even launched a specific threat intelligence API to identify malicious packages before they reach the software supply chain as a method of defense against this tactic.

Python packages in particular have been a method of choice for hiding malicious payloads due to the popularity of the open source software platform for building software. Python developers often share code packages online via repositories like GitLab and GitHub, making it an easily accessible ecosystem for threat actors to exploit.

Threat actors have also targeted users of the Python Package Index (PyPI) in a malicious social engineering campaign that aimed to steal their credentials to load compromised packages to the repository itself.

Evasion and Deployment

Once deployed, culturestreak decodes several Base64-encoded strings in an obfuscation technique often used to hide sensitive information or to make it more difficult for someone to understand the code’s intent.

In its first act of deception, the package decodes variables such as HOST, CONFIG, and FILE, which are then used in the subsequent steps of the operation. Then the malicious package sets the FILE variable, which serves as the filename for the downloaded malicious binary, to a random integer ranging from 1 to 999999.

“A possible reason for this is to hamper the ability of antivirus or security software to detect malicious files based on fixed naming conventions,” Gelb wrote.

Next, culturestreak attempts to download a binary file called “bwt2,” which is saved to the /tmp/ directory, a common location for temporary files on Unix-like systems. Though the researchers couldn’t read the binary because of its obfuscation, they managed to reverse-engineer it and found it had been packed with the UPX executable packer, version 4.02.

Once unpacked, the researchers extracted a gcc binary file that turned out to be a known, optimized tool for mining Dero crypto on GitHub called “astrominer 1.9.2 R4.”
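The Base64 layer described above is cheap to peel off statically, which is how an analyst can triage a package before anything in it runs. The following is an added example, not Checkmarx's tooling or the culturestreak source: it walks a Python file's AST, decodes every string literal that is well-formed Base64 and yields printable text, tags decoded values that look like URLs or /tmp/ paths, and also notes random.randint calls, the pattern the article describes for the FILE name. The sample input is a constructed snippet in that shape, decoding only to reserved placeholder names.

```python
import ast
import base64
import binascii
import re

# Constructed sample (not the real package): mimics the article's description of
# Base64-decoded HOST and directory values plus a random integer used as the filename.
# "aHR0..." decodes to http://example.invalid/bwt2 and "L3RtcC8=" to /tmp/.
SAMPLE_SOURCE = '''
import base64, random
HOST = base64.b64decode("aHR0cDovL2V4YW1wbGUuaW52YWxpZC9id3Qy").decode()
DIR = base64.b64decode("L3RtcC8=").decode()
FILE = DIR + str(random.randint(1, 999999))
VERSION = "1.9.2"
'''

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Decoded values worth a second look; extend with whatever your environment cares about.
SUSPICIOUS = {
    "url": re.compile(r"^https?://"),
    "tmp_path": re.compile(r"^/tmp/"),
}


def try_decode_b64(text):
    """Return decoded text if `text` is well-formed Base64 that yields printable ASCII, else None.

    Short or non-printable results are dropped to keep ordinary words and hashes
    out of the findings; some false positives remain, which is fine for triage.
    """
    if len(text) < 8 or len(text) % 4 or not B64_RE.match(text):
        return None
    try:
        raw = base64.b64decode(text, validate=True)
        decoded = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None


def scan_source(source):
    """Return triage findings for one Python source file: decoded Base64 literals and randint calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            decoded = try_decode_b64(node.value)
            if decoded is not None:
                tags = [name for name, rx in SUSPICIOUS.items() if rx.search(decoded)]
                findings.append({"line": node.lineno, "kind": "base64",
                                 "decoded": decoded, "tags": tags})
        elif (isinstance(node, ast.Call)
              and isinstance(node.func, ast.Attribute)
              and node.func.attr == "randint"
              and isinstance(node.func.value, ast.Name)
              and node.func.value.id == "random"):
            # On its own this is benign; next to a decoded /tmp/ path it matches
            # the randomised-filename behaviour the article describes.
            findings.append({"line": node.lineno, "kind": "random_int",
                             "decoded": ast.unparse(node), "tags": []})
    return findings


def needs_review(source):
    """True when a decoded literal is tagged or a Base64 literal sits beside a randint call."""
    findings = scan_source(source)
    tagged = any(f["tags"] for f in findings)
    kinds = {f["kind"] for f in findings}
    return tagged or {"base64", "random_int"} <= kinds


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} {f['decoded']!r} {f['tags']}")
    print("needs review:", needs_review(SAMPLE_SOURCE))
```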

Cog in the Machine

As mentioned earlier, the binary is programmed to run in an infinite loop, using hardcoded pool URLs and wallet addresses, “indicating a calculated attempt to exploit the system resources for unauthorized mining of cryptocurrency [and] making it a relentless threat that continually exploits system resources,” Gelb wrote.

Pool URLs are servers in which multiple users combine their computing power to mine cryptocurrency more efficiently, he explained. “This means that the package is essentially turning your computer into a cog in a larger mining operation without your consent,” Gelb added.

The discovery of the culturestreak malicious code package serves as yet another reminder of how important it is for developers to “always vet code and packages from unverified or suspicious sources,” Gelb wrote. Developers also should follow threat-intelligence sources to stay informed of potential threats to their software development.

Checkmarx provided a list of indicators of compromise (IoCs) in Gelb’s post to help people identify if the malicious code package is running its cryptomining payload on their system.


International Criminal Court, which investigates war crimes, says it’s been hacked – ABC News


The International Criminal Court (ICC), which handles highly sensitive information about war crimes, says its computer system has been hacked. 


The ICC said it had detected unusual activity on its computer network at the end of last week, prompting a response that was ongoing. 

A spokesperson declined to comment on how serious the hack was, whether it has been fully resolved, or who might be behind it.

“Immediate measures were adopted to respond to this cybersecurity incident and to mitigate its impact,” the ICC said.

The ICC is the permanent war crimes tribunal in the Dutch city of The Hague, established in 2002 to try war crimes and crimes against humanity.

Prosecutors at the court are currently conducting 17 investigations into situations in Ukraine, Uganda, Venezuela, Afghanistan and the Philippines, among others.

In March, the court made headlines when it issued an arrest warrant for Russian President Vladimir Putin on suspicion of illegally deporting children from Ukraine.

The Kremlin rejects the accusations and the court’s jurisdiction.

Highly sensitive documents at the ICC could include anything from criminal evidence to names of protected witnesses, though the court did not disclose what part of its systems had been accessed.

The court said in its statement that it was continuing to “analyse and mitigate the impact of this incident” with the assistance of the Dutch government.

It said it was also taking steps to strengthen its cybersecurity.

A spokesperson for the Dutch Justice Ministry confirmed the country’s National Cyber Security Centre was supporting the investigation but declined further comment.

The president of the ICC’s bar association, Marie-Hélène Proulx, said lawyers for defendants and victims had been affected “in the same manner as the court’s staff” by unspecified security measures taken in response to the incident.

“We commend efforts … in securing the court’s information systems and hope that the situation will be resolved promptly,” she said.

The Dutch intelligence agency (AIVD) said in its 2022 annual report that the ICC was “of interest to Russia because it is investigating possible Russian war crimes in Georgia and Ukraine”.

In June 2022, the AIVD disclosed it had found a Russian military agent posing as a Brazilian in an attempt to infiltrate the court.

In August 2023, ICC prosecutor Karim Khan said cyber attacks could be part of future war crimes investigations.

He warned that the ICC itself could be vulnerable and should strengthen its defences.

“Disinformation, destruction, the alteration of data, and the leaking of confidential information may obstruct the administration of justice at the ICC and, as such, constitute crimes within the ICC’s jurisdiction that might be investigated or prosecuted,” he wrote in a Foreign Policy Analytics report funded by Microsoft.

“But prevention remains better than cure.”


Researchers Raise Red Flag on P2PInfect Malware with 600x Activity Surge


The peer-to-peer (P2P) worm known as P2PInfect has seen a surge in activity since late August 2023, including a 600x jump between September 12 and 19, 2023.

“This increase in P2PInfect traffic has coincided with a growing number of variants seen in the wild, suggesting that the malware’s developers are operating at an extremely high development cadence,” Cado Security researcher Matt Muir said in a report published Wednesday.

A majority of the compromises have been reported in China, the U.S., Germany, the U.K., Singapore, Hong Kong, and Japan.

P2PInfect first came to light in July 2023 for its ability to breach poorly secured Redis instances. The threat actors behind the campaign have since resorted to different approaches for initial access, including the abuse of the database’s replication feature to deliver the malware.

Cado Security said it has observed an increase in initial access events attributable to P2PInfect in which the Redis SLAVEOF command is issued by an actor-controlled node to a target to enable replication.

This is followed by delivering a malicious Redis module to the target, which, in turn, runs a command to retrieve and launch the main payload, after which another shell command is run to remove the Redis module from the disk as well as disable the replication.

One of the new features of the newer variants is the addition of a persistence mechanism that leverages a cron job to launch the malware every 30 minutes. Additionally, there now exists a secondary method that retrieves a copy of the malware binary from a peer and executes it should the binary be deleted or the main process be terminated.

P2PInfect further overwrites existing SSH authorized_keys files with an attacker-controlled SSH key, effectively preventing existing users from logging in over SSH.

“The main payload also iterates through all users on the system and attempts to change their user passwords to a string prefixed by Pa_ and followed by 7 alphanumeric characters (e.g. Pa_13HKlak),” Muir said. This step, however, requires that the malware has root access.
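As an added example, not from Cado Security’s report or from the Redis project, the following audit checks two constructed redis.conf fragments: an exposed, unauthenticated configuration of the kind the SLAVEOF-then-module-load sequence above relies on, and a hardened one. The directive names are real Redis directives; `enable-module-command` assumes Redis 7 or later, and the password value is a placeholder.

```python
# Constructed sample: an exposed, unauthenticated Redis of the kind described above
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
"""

# Constructed sample: the same service with the replication and module paths closed off
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass replace-with-a-long-random-secret
enable-module-command no
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
"""

def parse_conf(text: str) -> dict:
    """Map each directive (lower-cased) to the list of argument strings it appears with."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name.lower(), []).append(args.strip())
    return directives

def audit_redis_conf(text: str) -> list:
    """Return findings that leave the SLAVEOF-then-MODULE-LOAD path open (Redis 7 defaults assumed)."""
    d = parse_conf(text)
    findings = []
    addrs = [a for args in d.get("bind", []) for a in args.split()]
    if not addrs or any(a in ("0.0.0.0", "*", "::") for a in addrs):
        findings.append("bind: listening on all interfaces (or unset) exposes Redis to remote peers")
    if d.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode no: remote unauthenticated clients are accepted")
    if "requirepass" not in d:
        findings.append("requirepass unset: any client that can connect may issue SLAVEOF/REPLICAOF")
    if d.get("enable-module-command", ["no"])[0].lower() == "yes":
        findings.append("enable-module-command yes: MODULE LOAD is reachable by clients")
    disabled = {args.split()[0].upper() for args in d.get("rename-command", []) if args.endswith('""')}
    for cmd in ("SLAVEOF", "REPLICAOF", "MODULE"):
        if cmd not in disabled:
            findings.append(f"{cmd} not disabled via rename-command (or an equivalent ACL rule)")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or ["no findings"])
```

Disabling replication commands is only appropriate on a stand-alone instance; for a real replica set, restrict them with ACLs and network policy instead.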


Despite the growing sophistication of the malware, P2PInfect’s exact goals are unclear. Cado Security said it observed the malware attempting to fetch a crypto miner payload, but there is no evidence of cryptomining to date.

“It’s clear that P2PInfect’s developers are committed to maintaining and iterating on the functionality of their malicious payloads, while simultaneously scaling the botnet across continents and cloud providers at a rapid rate,” Muir said.

“It is expected that those behind the botnet are either waiting to implement additional functionality in the miner payload, or are intending to sell access to the botnet to other individuals or groups.”


Pareto Phone workers not told criminal checks among 320,000 files published in hack – ABC News


The ABC can reveal former staff of hacked tele-fundraiser Pareto Phone were not told for weeks that their highly sensitive employment information was published on the dark web.

More than 320,000 files stolen from Pareto servers by cybercriminals in April were made public on the dark web last month, including tens of thousands of charity donor details.

Highly sensitive documents like police checks, child support documents, pay negotiations, HR incidents, immigration sponsorship details, COVID vaccination credentials, tax file numbers, passports and licences were also swept up in the wide-reaching leak.

Some former staff who were named told the ABC they were not informed by the company, despite the information being stolen in April and published more than a fortnight ago.

Pareto Phone collects donations on behalf of well-known charities, with more than 70 believed to be involved.

Dozens of employees have been named in the data breach.

Some of the sensitive employee information was up to eight years old.

Outcomes of board meetings and Christmas party photo albums were also published.


Many employee records held by companies are not protected in the same way as customer data under the Privacy Act.

The Employment Records Exemption excludes documents pertaining to leave, taxation, banking, union, resignation information and even disciplinary action from standard privacy obligations.

But HopgoodGanim Employment lawyer Andrew Tobin said the scope of documents published in the Pareto Phone breach means the company might not be protected.

He said files including passport copies, child support details, individual pay information and tax file numbers might not be captured by the exemption – and could expose the company to litigation under other legislation.

“I genuinely don’t think that the exemption is all that clearly applicable to the scenario,” Mr Tobin said.

“Was the employer’s lack of attention to security matters and acts, for the purposes of the exemption, directly related to the employment relationship?

“You’d have to sort of think long and hard about that, because it probably wasn’t, it was a lack of diligence,” Mr Tobin said.

Numerous charities have accused Pareto Phone of breaching Australian Privacy Principles for retaining information up to 15 years old, beyond when the customer data was being used.

Last year a report by the Attorney General’s Department proposed to enhance privacy protections for private sector employees by amending or removing the employee records exemption.

“Submissions from employers and their representatives express a strong desire to retain the exemption or strengthen it. Submissions from employee representatives and other stakeholders consider that reform is needed,” the report said.

No action has been taken since.

Mr Tobin said if the exemption was removed, many private sector workplaces would fall short.

“I can point to a lot of employers, the vast, vast majority, who don’t actually have appropriate systems in place for the proper protection of that kind of information,” Mr Tobin said.

He said concerned employees could make their own complaints to the privacy watchdog.

Pareto Phone has not responded to the ABC’s requests for comment.

The list of charities involved has grown.

The telemarketer Pareto Phone was targeted by cyber criminals. (Pexels)

Tens of thousands of donors have had personal details such as date of birth and contact details published; some records also contained bank details, while other donors have been largely unaffected.

Those named in the breach now include Hello Sunday Morning, Great Barrier Reef Foundation, Guide Dogs Vic, Taronga Zoo, The Walter and Eliza Hall Institute, RSPCA Qld & NSW, World Vision, Vinnies Qld, ActionAid, UNHCR, Greenpeace, Peter MacCallum Cancer Centre, Catholic Mission, SEDA, Make-a-Wish, Cerebral Palsy Alliance, Mission Australia, Wilderness Society, Black Dog Institute, Water Aid, Leukaemia Foundation, Diabetes NSW, Garvan Research Foundation, Four Paws, Flinders Foundation, Oxfam Australia, Variety NSW, Cancer Council SA, Vic & Qld, Arthritis Qld, Barnardos Australia, Stroke Foundation, Caritas Australia, Starlight Foundation, Youngcare, CBM Australia, Baker Heart and Diabetes Institute, Berry Street, Anglican Overseas Aid, Red Cross, Alfred Foundation, WWF Australia, Australian Conservation Foundation, PLAN Australia, The Heart Foundation, Canteen Australia, Fred Hollows Foundation, Amnesty International Australia, The Children’s Cancer Institute, Médecins Sans Frontières, Save the Children, Bush Heritage Australia, Vision Australia.

Many, but not all, have had donor information stolen.

A number of charities in New Zealand were also involved including Childfund NZ, Canteen NZ, Amnesty NZ.
