The University of Sunderland in the UK has announced extensive operational issues that have taken most of its IT systems down, attributing the problem to a cyber-attack.
The first signs of disruption to the university’s IT systems appeared on Tuesday morning, and the problems remain widespread and unresolved.
The attack appears to have taken down all telephone lines, the official website, the main email servers, library WiFi, on-premises PC/laptop access, printing, and all online portals that students use to access eBooks, journals, and other services.
Unfortunately, there is no estimate on when the systems will be up and running again, as the attack appears to be still in the containment phase.
Impact on students
The University of Sunderland is a public research university with about 20,000 students, so the disruption from the cyber-attack affects a considerable number of people.
A spokesperson for the university has sent the following comment to BleepingComputer:
The University is now working with a number of agencies, including the police, to find out exactly what has happened and the extent of the problems.
We take the security of our systems extremely seriously and will work to resolve the situation as quickly as possible.
Likely a ransomware attack
A national survey conducted in 2020 revealed that roughly 25% of all universities in the United Kingdom have suffered a ransomware attack at least once since 2013.
If you spend most of your time online (who doesn’t, really?), you might have come across the term dark web before. The mystery surrounding it creates a lot of curiosity among people and the chances are that you’re one of them as well.
Mail2Tor makes a good alternative as it allows users to send/receive messages anonymously through webmail or an email client. What’s more, all mail is secured using encryption, and the provider doesn’t store your IP address either.
Facebook knows more about you than you can imagine, but it isn’t keen on sharing this data with others. The social media giant has also been the target of censorship by repressive governments time and time again. After all, it enables users from around the world to connect, communicate, and collaborate with each other freely.
So, it’s no surprise that Facebook has a .onion URL. It doesn’t do much in terms of maintaining an anonymous account, but lets you access the social media network from restricted countries.
An emerging threat actor likely supporting Iranian national interests has been behind a password spraying campaign targeting U.S., E.U., and Israeli defense technology companies, with additional activity observed against regional ports of entry in the Persian Gulf as well as maritime and cargo transportation companies focused in the Middle East.
Microsoft is tracking the hacking crew under the moniker DEV-0343.
The intrusions, first observed in late July 2021, are believed to have targeted more than 250 Office 365 tenants, fewer than 20 of which were successfully compromised following a password-spray attack, a type of brute-force attack in which the same password is tried against many different usernames to log into an application or a network, so that no single account accumulates enough failures to trigger a lockout.
Indications thus far allude to the possibility that the activity is part of an intellectual property theft campaign aimed at government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems with the likely goal of stealing commercial satellite images and proprietary information.
DEV-0343’s Iranian connection is based on evidence of “extensive crossover in geographic and sectoral targeting with Iranian actors, and alignment of techniques and targets with another actor originating in Iran,” researchers from Microsoft Threat Intelligence Center (MSTIC) and Digital Security Unit (DSU) said.
The password sprays emulate Firefox and Google Chrome browsers and rely on a series of unique Tor proxy IP addresses expressly used to obfuscate the operators’ infrastructure. Noting that the attacks peak between Sunday and Thursday from 7:30 AM to 8:30 PM Iran Time (4:00 AM to 5:00 PM UTC), Microsoft said dozens to hundreds of accounts within an entity are targeted depending on the size of the organization.
The Redmond-based tech giant also pointed out the password-spraying tool’s similarities to “o365spray,” an actively updated open-source utility aimed at Microsoft Office 365, and is now urging customers to enable multi-factor authentication to blunt the impact of compromised credentials and to block all incoming traffic from anonymizing services wherever applicable.
“Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program,” the researchers said. “Given Iran’s past cyber and military attacks against shipping and maritime targets, Microsoft believes this activity increases the risk to companies in these sectors.”
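As an added example (not code from the article or from Microsoft), the following Python script runs the kind of detection a defender would want over a handful of constructed sign-in records: a source that fails against many distinct accounts with only one or two attempts each is the spray signature the article describes, and the reported Sunday-to-Thursday, 04:00-17:00 UTC window is used as a secondary indicator. The log format, thresholds, IP addresses and account names are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sign-ins: "<UTC time> <source IP> <user> <FAIL|SUCCESS>".
# Addresses and accounts are documentation/test values, not real indicators.
SAMPLE_LOG = """\
2021-09-14T05:10:01Z 198.51.100.7 alice@example.test FAIL
2021-09-14T05:10:03Z 198.51.100.7 bob@example.test FAIL
2021-09-14T05:10:05Z 198.51.100.7 carol@example.test FAIL
2021-09-14T05:10:07Z 198.51.100.7 dave@example.test FAIL
2021-09-14T05:10:09Z 198.51.100.7 erin@example.test SUCCESS
2021-09-14T05:11:00Z 203.0.113.9 alice@example.test FAIL
2021-09-14T05:11:30Z 203.0.113.9 alice@example.test FAIL
2021-09-14T05:12:00Z 203.0.113.9 alice@example.test SUCCESS
"""

MIN_DISTINCT_USERS = 4  # assumed threshold: one source, many accounts
MAX_FAILS_PER_USER = 2  # a spray stays low per account to dodge lockouts

def parse_line(line):
    ts, ip, user, result = line.split()
    ts = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, ip, user, result

def in_reported_window(ts):
    """Sunday-Thursday, 04:00-17:00 UTC (07:30-20:30 Iran time), as reported."""
    minute_of_day = ts.hour * 60 + ts.minute
    return ts.weekday() not in (4, 5) and 240 <= minute_of_day <= 1020

def detect_spray(log_text):
    fails = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed count
    successes = defaultdict(set)                   # ip -> users signed in OK
    window_hits = defaultdict(int)                 # ip -> events in the window
    for line in log_text.strip().splitlines():
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            fails[ip][user] += 1
        else:
            successes[ip].add(user)
        if in_reported_window(ts):
            window_hits[ip] += 1
    findings = []
    for ip, per_user in fails.items():
        # Spray signature: many distinct accounts, each hit only a few times.
        if len(per_user) >= MIN_DISTINCT_USERS and max(per_user.values()) <= MAX_FAILS_PER_USER:
            findings.append({
                "source": ip,
                "accounts_targeted": len(per_user),
                "compromised": sorted(successes[ip]),  # successes from a spraying source
                "in_reported_window": window_hits[ip] > 0,
            })
    return findings

if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))
```

The second source in the sample (one user failing twice, then succeeding) is deliberately not flagged: that is a mistyped password, not a spray.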
Sophos revealed that a new ransomware variant written in Python was deployed ten minutes after attackers broke into a TeamViewer account of the targeted organization.
About Python-based ransomware
The ransomware includes different sets of encryption keys, email addresses, and options for customizing the suffix to append the encrypted files.
Once installed, the ransomware disables all VMs and begins encryption, making it difficult for victims to decrypt the files.
At last
The growing number of ransomware attacks leveraging virtual machines is a pressing issue that organizations must address. Hardening ESXi and other hypervisors with strong, complex passwords is one of the best practices for preventing such attacks. Wherever possible, enable MFA, and enforce it for accounts with privileged permissions such as domain administrators.
In her opening remarks at a Senate subcommittee hearing with a Facebook whistle-blower on Tuesday, Senator Marsha Blackburn from Tennessee made a stunning allegation.
“News broke yesterday that the private data of over 1.5 billion — that’s right, 1.5 billion — Facebook users is being sold on a hacking forum,” Ms. Blackburn, the subcommittee’s ranking Republican member, said. “That’s its biggest data breach to date.”
The problem is that the breach Ms. Blackburn referenced is largely unverified, and possibly fake. The claim comes from an anonymous account on a forum that, according to Vice, obtained access to the database from a supposed company called “X2Emails.” The anonymous post, from Sept. 22, promised “scraped” data on “more than 1.5b Database of Facebook” consisting of users’ email addresses, locations, phone numbers, and other identifying information.
Some news outlets reported on the breach as fact, but there is no proof yet of a hack. Aric Toler, a researcher with Bellingcat, an investigative journalism group, pointed out that someone claimed to have paid for the supposedly hacked information and found out that it was a scam.
“Maybe it’s real, but no reason to breathlessly report it like this,” he wrote.
Joe Osborne, a Facebook spokesman, said, “We’re investigating this claim and have sent a takedown request to the forum that’s advertising the alleged data.”
If you download pirated software, your secret photos, banking accounts and other details will get stolen by hackers through trojans, malware and ransomware.
Nothing comes free, not even pirated software. Pirated software is one of the biggest problems of the modern world. While it makes expensive software available virtually for free to those who cannot pay the full price of these products, it hurts software developers badly, as their work is stolen from them. However, even for those who download pirated software, there may be a big price to pay. The problem with a pirated software download is that it often comes bundled with malware – malicious software. That means people who download pirated software also download malware onto their computers, which allows hackers to steal their banking and other confidential information easily. In short, installing a ‘cracked’ version of software is dangerous and can cause a huge loss of money and more. Yes, nothing on Earth comes free – there is always a cost to pay.
So, before you install pirated software, here are 3 reasons why you should not do so:
It is illegal
Piracy is illegal in almost every country around the globe. Not only is distributing pirated software a punishable offense but also using it is equally problematic and is considered a violation of software copyright law. Penalty for violating the local copyright laws depends on the country in which the people concerned are being charged.
You won’t get updates
One of the biggest reasons not to download pirated software is the lack of updates. For legitimate software, developers roll out timely updates not only to add new features but also to fix existing issues and bugs in the code. This is not possible with pirated software. So, using pirated software not only deprives you of new features and functionality but also leaves you exposed to attackers through unpatched flaws in the existing code.
Proofpoint researchers note that TangleBot targets users by sending text messages to Android devices in the U.S. and Canada. The SMS messages are disguised as Covid-19 regulations and booster shots information, along with messaging related to potential power outages, encouraging victims to click a link to a site that shows an Adobe Flash update is required.
If the user accepts the dialog boxes, the malicious site installs the malware onto the smartphone. The attackers depend on users being unaware that Adobe ended support for Flash in December 2020 and that it has not been supported on mobile devices since 2012.
If successful in its deception, TangleBot can then completely infiltrate the entire phone. The malware can control audio and video from the microphone and camera, view websites visited, access the collection of typed passwords, extract data from SMS activity and any stored content on the device. TangleBot can also grant itself permission to modify device configuration settings and allow attackers to view GPS location data.
The functionality gained by the hackers essentially delivers total surveillance and data collection capabilities. TangleBot provides some key distinguishing features that make it especially threatening, including advanced behaviors, transmission abilities, and a string decryption routine for obfuscation.
In addition to its spyware and keylogging abilities, the malware can block and make calls, inevitably leading to the possibility of dialing premium services. Voice biometric identification capabilities, meanwhile, could be used to impersonate the victim.
The report noted that the level of complexity seen in TangleBot makes itself stand out among other forms of malware.
“Characteristics relating to keylogging functionality, overlay ability, and data exfiltration are routine behaviors in any malware arsenal. TangleBot, however, sets itself apart with advanced behaviors and transmission capabilities, while showcasing the latest evolutions in malware attempting to thwart biometric voice-authentication security systems. One final component of TangleBot not seen in the original Medusa is the advanced use of a string decryption routine helping to obfuscate and conceal the behavior of the malware.”
The cutting-edge technology used to hide the purpose and functionality of the trojan software under many obfuscation layers is what led to the name TangleBot. Those methods include hidden .dex files, modular and functional design characteristics, minified code, and large amounts of unused code.
Android malware and trojans are becoming increasingly common for Google’s operating system, and it’s not just through text messages where a smartphone can be exposed. The GriftHorse malware was successfully embedded into apps officially approved for Google Play and other third-party app stores, allowing it to infect more than 10 million devices and steal tens of millions of dollars.
It’s a worrying state of affairs for Android, echoed by the researchers’ closing statement in the report.
“If the Android ecosystem has shown us anything this summer, it is that the Android landscape is rife with clever social engineering, outright fraud, and malicious software all designed to deceive and steal mobile users’ money and other sensitive information,” said the team. “These schemes can appear quite convincing and may play on fears or emotions that cause users to let down their guard.”
Those remarks are clearly outlined by security firm Eset’s recent analysis showing how Android malware is growing across multiple threat areas.
Two Indiana hospitals say their IT systems are disabled as they recover from cyberattacks suffered last week.
Both hospitals in recent weeks have had to divert patients or postpone elective procedures as COVID-19 cases surged in the state, but so far neither has said whether patient care is being affected as they deal with the data security incidents.
The two hospitals – Johnson Memorial Health in Franklin and Schneck Medical Center, located about 40 miles away in Seymour – are also the latest healthcare providers in Indiana to be hit with cyberattacks suspected to involve ransomware.
Indianapolis, Indiana-based Eskenazi Health, which operates a public healthcare system, was hit in early August with a ransomware attack that also involved the exfiltration of patient and employee data, some of which was later posted by hackers on the dark web.
Eskenazi began notifying about 1,000 affected individuals last week.
Johnson Memorial Hospital Attack
Johnson hospital, a 125-bed facility, says in a statement posted on its website that it is working with the FBI and cybersecurity experts to investigate a cyberattack that occurred on Saturday.
As a result of this attack, the computer network at Johnson Memorial has been disabled, the statement says. “We are working as quickly as possible to restore normal computer operations,” the hospital says.
“However, these types of attacks take time to fully resolve and it may be several days before the JMH computer system is fully operational.”
A receptionist answering the phone at Johnson Memorial on Monday told Information Security Media Group that “all” the hospital’s IT systems were still down. But the organization did not immediately respond to ISMG’s request for more details about the incident and the entity’s recovery status.
Johnson Memorial’s last public statement over the weekend said that at the time, no appointments or surgeries had been canceled. “We ask all patients scheduled to receive services Monday to report to JMH as normal. We do recommend patients arrive a bit earlier than usual, as registration processes may be slower than on a typical day,” the weekend statement said.
In early September, however, Johnson Memorial Health had begun to periodically divert or postpone some patients’ care as the organization dealt with a surge in COVID-19 cases, according to the local news site the Daily Journal.
2018 hacktivist group attack on a hospital
A 2014 hacktivist DDoS attack directed at Boston Children’s Hospital’s computer network not only knocked the pediatric hospital off the internet for two weeks, but also caused internet disruptions at several other Boston hospitals for days, the U.S. Justice Department said in 2018.
LockBit 2.0 ransomware operators have hit the Israeli aerospace and defense firm E.M.I.T. Aviation Consulting Ltd. The threat actors claim to have stolen data from the company and are threatening to leak it on the group’s dark web leak site if the company does not pay the ransom.
E.M.I.T. Aviation Consulting Ltd was founded in 1986; the company designs and assembles complete aircraft, tactical and sub-tactical UAV systems, and mobile integrated reconnaissance systems.
At the time of this writing, the ransomware gang has yet to share any files as proof of the attack; the countdown will end on 07 October 2021.
It is not clear how the threat actors breached the company and when the security breach took place.
Like other ransomware operations, LockBit 2.0 implemented a ransomware-as-a-service model and maintains a network of affiliates.
The LockBit ransomware gang has been active since September 2019; in June the group announced LockBit 2.0.
After ransomware ads were banned on hacking forums, the LockBit operators set up their own leak site promoting the latest variant and advertising the LockBit 2.0 affiliate program.
The group is very active in this period, the list of recent victims includes Riviana, Wormington & Bollinger, Anasia Group, Vlastuin Group, SCIS Air Security, Peabody Properties, DATA SPEED SRL, Island independent buying group, Day Lewis, Buffington Law Firm and tens of other companies worldwide.
In August, the Australian Cyber Security Centre (ACSC) warned of escalating LockBit 2.0 ransomware attacks against Australian organizations starting in July 2021.
Hackers stole from the accounts of at least 6,000 customers of Coinbase Global Inc (COIN), according to a breach notification letter sent by the cryptocurrency exchange to affected customers.
The hack took place between March and May 20 of this year, according to a copy of the letter posted on the website of California’s Attorney General.
Unauthorized third parties exploited a flaw in the company’s SMS account recovery process to gain access to the accounts, and transfer funds to crypto wallets not associated with Coinbase, the company said.
“We immediately fixed the flaw and have worked with these customers to regain control of their accounts and reimburse them for the funds they lost,” a Coinbase spokesperson said on Friday.
To carry out the attacks, the hackers needed to know the email addresses, passwords and phone numbers linked to the affected Coinbase accounts, and to have access to the victims’ personal email accounts, the company said.
Coinbase said there was no evidence to suggest the information was obtained from the company.
News of the hack was earlier reported by technology news portal Bleeping Computer.