These are some of the results of the third phase of Operation Cronos, a long-running collective effort of law enforcement authorities from 12 countries, Europol and Eurojust, who joined forces to effectively disrupt at all levels the criminal operations of the LockBit ransomware group. These actions follow the massive disruption of LockBit infrastructure in February 2024, as well as the large series of sanctions and operational actions that took place against LockBit administrators in May and subsequent months.
Between 2021 and 2023, LockBit was the most widely employed ransomware variant globally with a notable number of victims claimed on its data leak site. Lockbit operated on the ransom as a service model. The core group sold access to affiliates and received portions of the collected ransom payments. Entities deploying LockBit ransomware attacks had targeted organisations of various sizes spanning critical infrastructure sectors such as financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing and transportation. Reflecting the considerable number of independent affiliates involved, LockBit ransomware attacks display significant variation in observed tactics, techniques and procedures.
#2024 #EN #Eurojust #LockBit #busted #disrupt #europol
Microsoft has observed the threat actor tracked as Storm-0501 launching a multi-staged attack where they compromised hybrid cloud environments and performed lateral movement from on-premises to cloud environment, leading to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. The said attack targeted multiple sectors in the United States, including government, manufacturing, transportation, and law enforcement. Storm-0501 is a financially motivated cybercriminal group that uses commodity and open-source tools to conduct ransomware operations.
in light of the escalating frequency and complexity of ransomware attacks, are security leaders confident in their organization’s defenses? According to Group-IB’s Hi-Tech Crime Trends 2023/2024 Report, ransomware will have an increasingly significant impact in 2024 and beyond. Key trends driving this include the expansion of the Ransomware-as-a-Service (RaaS) market, the proliferation of stolen data on Dedicated Leak Sites (DLS), and a rise in affiliate programs.
In November 2023, we identified a BlackCat ransomware intrusion started by Nitrogen malware hosted on a website impersonating Advanced IP Scanner.
Nitrogen was leveraged to deploy Sliver and Cobalt Strike beacons on the beachhead host and perform further malicious actions. The two post-exploitation frameworks were loaded in memory through Python scripts.
After obtaining initial access and establishing further command and control connections, the threat actor enumerated the compromised network with the use of PowerSploit, SharpHound, and native Windows utilities. Impacket was employed to move laterally, after harvesting domain credentials.
The threat actor deployed an opensource backup tool call Restic on a file server to exfiltrate share data to a remote server.
Eight days after initial access the threat actor modified a privileged user password and deployed BlackCat ransomware across the domain using PsExec to execute a batch script.
Six rules were added to our Private Ruleset related to this intrusion.
The United States today unveiled sanctions and indictments against the alleged proprietor of Joker's Stash, a now-defunct cybercrime store that peddled tens of millions of payment cards stolen in some of the largest data breaches of the past decade. The…
The Binarly REsearch team has consistently uncovered security vulnerabilities in the Baseboard Management Controller (BMC) firmware -- a critical component of modern data center infrastructure. These vulnerabilities can be exploited remotely by threat actors, posing significant risk to enterprises.
In a previous report, “Old But Gold: The Underestimated Potency of Decades-Old Attacks on BMC Security,” we documented the BMC architecture in detail and showed that it is still possible to find classes of vulnerabilities known from the early 2000s.
A notorious hacker has announced the theft of data from an improperly protected server allegedly belonging to Deloitte.
The hacker known as IntelBroker announced late last week on the BreachForums cybercrime forum the availability of “internal communications” obtained from Deloitte, specifically an internet-exposed Apache Solr server that was accessible with default credentials.
On June 11th, 2024, we discovered a set of vulnerabilities in Kia vehicles that allowed remote control over key functions using only a license plate. These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.
Additionally, an attacker could silently obtain personal information, including the victim's name, phone number, email address, and physical address. This would allow the attacker to add themselves as an invisible second user on the victim's vehicle without their knowledge.
A key member of the notorious hacker group SiegedSec was arrested today by federal authorities. The arrest came just hours after the hacker published a provocative manifesto titled “The Conscience of a Catgirl.” The document offers sharp criticisms of governments, corporations, and the state of modern surveillance, right before the hacker was taken into custody.
CrowdStrike says it has revamped several testing, validation, and update rollout processes to prevent a repeat of the embarrassing July outage that caused widespread disruption on Windows systems around the world.
A stack-based buffer overflow vulnerability exists in the OpenPLC Runtime EtherNet/IP parser functionality of OpenPLC _v3 b4702061dc14d1024856f71b4543298d77007b88. A specially crafted EtherNet/IP request can lead to remote code execution. An attacker can send a series of EtherNet/IP requests to trigger this vulnerability.
Tens of thousands of fuel storage tanks in critical infrastructure facilities remain vulnerable to zero-day attacks due to buggy Automatic Tank Gauge systems from multiple vendors, say infosec researchers.
Automatic Tank Gauges (ATGs) are used to monitor fuel levels in storage tanks and ensure that the tanks don't leak. The ten CVEs disclosed today were found in products from several different vendors: Dover Fueling Solutions (DFS), OPW Fuel Management Systems (owned by DFS), Franklin Fueling Systems, and OMNTEC.
The National Institute of Standards and Technology (NIST), the federal body that sets technology standards for governmental agencies, standards organizations, and private companies, has proposed barring some of the most vexing and nonsensical password requirements. Chief among them: mandatory resets, required or restricted use of certain characters, and the use of security questions.
China-linked threat actors compromised some U.S. internet service providers as part of a cyber espionage campaign code-named Salt Typhoon.
The state-sponsored hackers aimed at gathering intelligence from the targets or carrying out disruptive cyberattacks.
The Wall Street Journal reported that experts are investigating into the security breached to determine if the attackers gained access to Cisco Systems routers, which are core network components of the ISP infrastructures.