earlier this month to unlock the network . The state legislators ' offices continue to operate via a combination of cell phones and laptops , some personal and some provided by the caucus . In the last two weeks , email service was also restored . On Monday , Senate Minority Leader Jay Costa said Microsoft technicians would begin going around to strip down and rebuild every computer with the goal of having everything restored in the next several days . `` [ They are ] working to rebuild our network so we 're all operating off one system , '' the Allegheny County Democrat said . `` We 're rebooting that very soon . '' Costa said he can not comment on the ongoing investigation or the exact dollar amount demandedAttack.Ransomby the hackers . The caucus has not and will not pay the ransomAttack.Ransom, he said . `` For people who do pay the ransomAttack.Ransom, the likelihood they 'll get the codes they need to undo the encryption is much lower than people talk about , '' he said . `` And there are a number of times it 's happened you do n't hear about . '' Hackers who launch such attacks lock their targets out of their data in an effort to extract a ransomAttack.Ransomfor its return . The security firm SonicWall estimated 638 million ransomware attacksAttack.Ransomthat cost $ 209 million last year , more than 167 times the 3.8 million attacksAttack.Ransomrecorded in 2015 .
The Federal Bureau of Investigation has issued a warning to healthcare organizations using File Transfer Protocol ( FTP ) servers . Medical and dental organizations have been advised to ensure FTP servers are configured to require users to be properly authenticated before access to stored data can be gained . Many FTP servers are configured to allow anonymous access using a common username such as ‘ FTP ’ or ‘ anonymous ’ . In some cases , a generic password is required , although security researchers have discoveredVulnerability-related.DiscoverVulnerabilitythat in many cases , FTP servers can be accessed without a password . The FBI warningVulnerability-related.DiscoverVulnerabilitycites research conducted by the University of Michigan in 2015 that revealedVulnerability-related.DiscoverVulnerabilitymore than 1 million FTP servers allowed anonymous access to stored data The FBI warns that hackers are targeting these anonymous FTP servers to gain accessAttack.Databreachto the protected health information of patients . PHI carries a high value on the black market as it can be used for identity theft and fraud . Healthcare organizations could also be blackmailedAttack.Ransomif PHI is stolenAttack.Databreach. Last year , the hacker operating under the name TheDarkOverlord conducted a number of attacksAttack.Databreachon healthcare organizations . The protected health information of patients was stolenAttack.Databreachand organizations were threatened with the publication of data if a sizable ransom paymentAttack.Ransomwas not made . In some cases , patient data were published online when payment was not receivedAttack.Ransom. There are reasons why IT departments require FTP servers to accept anonymous requests ; however , if that is the case , those servers should not be used to store any protected health information of patients . If PHI must be stored on the servers , they can not be configured to run in anonymous mode . The FBI suggests all healthcare organizations should instruct their IT departments to check the configuration of their FTP servers to ensure they are not running in anonymous mode and to take immediate action to secure those servers and reduce risk if they are .
After the ransackingAttack.Databreachof MongoDB , ElasticSearch , Hadoop , CouchDB , and Cassandra servers , attackers are now hijacking hundreds of MySQL databases , deleting their content , and leaving a ransom note behind asking forAttack.Ransoma 0.2 Bitcoin ( $ 235 ) paymentAttack.Ransom. According to breach detection firm GuardiCore , the attacks are happening via brute-force attacks on Internet-exposed MySQL servers , and there 's plenty of those laying around since MySQL is one of today 's most popular database systems . All attacks came from a server in the Netherlands Based on currently available evidence , the attacks started on February 12 , and only lasted for 30 hours , during which time attackers attempted to brute-force their way into MySQL root accounts . Investigators said all attacks came from the same IP address from the Netherlands , 109.236.88.20 , belonging to a hosting company called WorldStream . During their ransackingAttack.Databreach, attackers did n't behave in a constant pattern , making it hard to attribute the hacks to one group , despite the usage of the same IP . For example , after gaining access to MySQL servers , attackers created a new database called PLEASE_READ and left a table inside it called WARNING that contained their ransom demandsAttack.Ransom. In some cases , attackers only created the WARNING table and left it inside an already existing database , without creating a new one . Investigators report that attackers would then dump the database 's content and delete it afterward , leaving only the one holding their ransomAttack.Ransom. In some cases , attackers deleted the databases without dumping any data . Attackers have their own website Two ransom notes have been found in the hundreds of confirmed attacksAttack.Ransom, one askingAttack.Ransomvictims to get in contact via email and confirm the payment , while the other used a completely different mode of operation , redirecting users to a Tor-hosted website . The two Bitcoin addresses listed in the ransom notes received four and six paymentsAttack.Ransom, respectively , albeit GuardiCore experts doubt that all are from victims . `` We can not tell whether it was the attackers who made the transactions to make their victims feel more confident about payingAttack.Ransom, '' they said . Be sure the attacker still has your data Just like in the case of the now infamous MongoDB attacksAttack.Ransomthat have hitAttack.Ransomover 41,000 servers , it 's recommended that victims check logs before deciding to payAttack.Ransomand see if the attackers actually took their data . If companies elect to pay the ransomAttack.Ransom, should always ask the attacker for proof they still have their data . None of this would be an issue if IT teams follow standard security practices that involve using an automated server backup system and deleting the MySQL root account or at least using a strong and hard-to-brute-force password . This is not the first time MySQL servers have been held for ransomAttack.Ransom. The same thing happened in 2015 , in a series of attacksAttack.Ransomcalled RansomWebAttack.Ransom, where attackers used unpatched phpBB forums to hijack databases and hold websites up for ransomAttack.Ransom.
After the ransackingAttack.Databreachof MongoDB , ElasticSearch , Hadoop , CouchDB , and Cassandra servers , attackers are now hijacking hundreds of MySQL databases , deleting their content , and leaving a ransom note behind asking forAttack.Ransoma 0.2 Bitcoin ( $ 235 ) paymentAttack.Ransom. According to breach detection firm GuardiCore , the attacks are happening via brute-force attacks on Internet-exposed MySQL servers , and there 's plenty of those laying around since MySQL is one of today 's most popular database systems . All attacks came from a server in the Netherlands Based on currently available evidence , the attacks started on February 12 , and only lasted for 30 hours , during which time attackers attempted to brute-force their way into MySQL root accounts . Investigators said all attacks came from the same IP address from the Netherlands , 109.236.88.20 , belonging to a hosting company called WorldStream . During their ransackingAttack.Databreach, attackers did n't behave in a constant pattern , making it hard to attribute the hacks to one group , despite the usage of the same IP . For example , after gaining access to MySQL servers , attackers created a new database called PLEASE_READ and left a table inside it called WARNING that contained their ransom demandsAttack.Ransom. In some cases , attackers only created the WARNING table and left it inside an already existing database , without creating a new one . Investigators report that attackers would then dump the database 's content and delete it afterward , leaving only the one holding their ransomAttack.Ransom. In some cases , attackers deleted the databases without dumping any data . Attackers have their own website Two ransom notes have been found in the hundreds of confirmed attacksAttack.Ransom, one askingAttack.Ransomvictims to get in contact via email and confirm the payment , while the other used a completely different mode of operation , redirecting users to a Tor-hosted website . The two Bitcoin addresses listed in the ransom notes received four and six paymentsAttack.Ransom, respectively , albeit GuardiCore experts doubt that all are from victims . `` We can not tell whether it was the attackers who made the transactions to make their victims feel more confident about payingAttack.Ransom, '' they said . Be sure the attacker still has your data Just like in the case of the now infamous MongoDB attacksAttack.Ransomthat have hitAttack.Ransomover 41,000 servers , it 's recommended that victims check logs before deciding to payAttack.Ransomand see if the attackers actually took their data . If companies elect to pay the ransomAttack.Ransom, should always ask the attacker for proof they still have their data . None of this would be an issue if IT teams follow standard security practices that involve using an automated server backup system and deleting the MySQL root account or at least using a strong and hard-to-brute-force password . This is not the first time MySQL servers have been held for ransomAttack.Ransom. The same thing happened in 2015 , in a series of attacksAttack.Ransomcalled RansomWebAttack.Ransom, where attackers used unpatched phpBB forums to hijack databases and hold websites up for ransomAttack.Ransom.
The average ransomware attackAttack.Ransomyielded $ 1,077 last year , new research shows , representing a 266 percent spike from a year earlier . The reason for the landmark year for hackers ? Many ransomware victims readily payAttack.Ransomthe price . The number of attacks , varieties of distinct malware and money lost ballooned as ransomware became one of the top tactics of attackers , according to new research from the security firm Symantec . Some of the most high-profile ransomware incidentsAttack.Ransomof the last year include San Francisco ’ s Muni getting hitAttack.Ransom, Washington D.C. ’ s police department being breachedAttack.Databreachjust before inauguration and a Los Angeles college payingAttack.Ransoma $ 28,000 ransomAttack.Ransom. Hoping to turn the tide against the billion-dollar ransomware industry , last year the FBI urged businesses to alert authorities and not pay upAttack.Ransom. Instead , most keep attacksAttack.Ransoma secret , paying offAttack.Ransomhackers 70 percent of the time . That behavior only increases the sweet spot for demandsAttack.Ransom, as criminals seek the highest possible ransomAttack.Ransomwhile trying to avoid the attention of law enforcement . Economists say hackers who apply more sophisticated pricing techniques “ could lead to dramatic increases in profits at relatively little costs . ” The highest demandAttack.Ransomseen in public during the last was $ 28,730 from MIRCOP ransomware . It ’ s not clear if anyone actually paid offAttack.Ransomthose specific hackers . In private , however , higher ransomsAttack.Ransomare finding success when hackers successfully target the right companies . An IBM Security study from December 2016 found that over half of the businesses they surveyed said they had already paidAttack.Ransomover $ 10,000 in ransomAttack.Ransomwhile 20 percent said they ’ d paidAttack.Ransomover $ 40,000 . Globally , 34 percent of victims end up paying ransomAttack.Ransom. American victims , however , pay at a rate of 64 percent , according to Norton . “ That ’ s a phenomenal number , ” Symantec ’ s Kevin Haley told CyberScoop . “ I always compare it to direct mail where if you get a 1 percent rate you ’ re doing really good . These guys get a 34 percent return rate . Extortion really paysAttack.Ransom. ” The twist of the knife comes when only 47 percent of victims who pay the ransomAttack.Ransomactually recover any files . “ If so many people are willing to pay the ransomAttack.Ransom, there ’ s no reason for the price to come down , ” Haley said . “ In fact , it ’ s only going to go up . We may see that average go even higher until that price ceiling is discovered when so many people aren ’ t willing to pay that much . But we haven ’ t hit it yet . ”
Saudi Arabian security officials said on Monday that the country had been targeted as part of a wide-ranging cyber espionage campaign observed since February against five Middle East nations as well as several countries outside the region . The Saudi government ’ s National Cyber Security Center ( NCSC ) said in a statement the kingdom had been hit by a hacking campaign bearing the technical hallmarks of an attack group dubbed “ MuddyWater ” by U.S. cyber firm Palo Alto Networks . Palo Alto ’ s Unit 42 threat research unit published a report last Friday showing how a string of connected attacksAttack.Phishingthis year used decoy documents with official-looking government logos to lureAttack.Phishingunsuspecting users from targeted organizations to download infected documents and compromise their computer networks . Documents pretending to beAttack.Phishingfrom the U.S.National Security Agency , Iraqi intelligence , Russian security firm Kaspersky and the Kurdistan regional government were among those used to trickAttack.Phishingvictims , Unit 42 said in a blog post ( goo.gl/SvwrXv ) . The Unit 42 researchers said the attacksAttack.Phishinghad targeted organizations in Saudi Arabia , Iraq , the United Arab Emirates , Turkey and Israel , as well as entities outside the Middle East in Georgia , India , Pakistan and the United States . The Saudi security agency said in its own statement that the attacksAttack.Databreachsought to stealAttack.Databreachdata from computers using email phishing techniques targeting the credentials of specific users . The NCSC said they also comprised so-called “ watering hole ” attacks , which seek to trickAttack.Phishingusers to click on infected web links to seize control of their machines . The technical indicators supplied by Unit 42 are the same as those described by the NCSC as being involved in attacks against Saudi Arabia . The NCSC said the attacks appeared to be by an “ advanced persistent threat ” ( APT ) group - cyber jargon typically used to describe state-backed espionage . Saudi Arabia has been the target of frequent cyber attacks , including the “ Shamoon ” virus , which cripples computers by wiping their disks and has hit both government ministries and petrochemical firms . Saudi Aramco , the world ’ s largest oil company , was hit by an early version of the “ Shamoon ” virus in 2012 , in the country ’ s worst cyber attack to date . The NCSC declined further comment on the source of the attack or on which organizations or agencies were targeted . Unit 42 said it was unable to identify the attack group or its aims and did not have enough data to conclude that the MuddyWater group was behind the Saudi attacks as outlined by NCSC . “ We can not confirm that the NCSC posting and our MuddyWater research are in fact related , ” Christopher Budd , a Unit 42 manager told Reuters . “ There ’ s just not enough information to make that connection with an appropriate level of certainty. ” Palo Alto Networks said the files it had uncovered were almost identical to information-stealing documents disguised asAttack.PhishingMicrosoft Word files and found to be targeting the Saudi government by security firm MalwareBytes in a September report .
Facebook users have noticed and reported a new scam making rounds on the popular network . [ 1 ] This time , it is the same old Facebook Messenger virus that compromises user accounts and acts on behalf of the victim to distribute the malicious link further . The scam uses a basic social engineering technique that luresAttack.Phishingthe potential target into clicking on the provided URL . In addition , the victim feels safe since the link comes fromAttack.Phishingone of his Facebook friends . The message usually includes a short line that looks similar to “ its you ? [ name ] : |. ” The emoji at the end of the message differs , and the provided link is shortened ; therefore the user can not figure out where it leads . However , the shortcut indicates that the link leads to a mysterious video and triggers victim ’ s curiosity to check it out . Typical strategy : Install something to watch the video Cybersecurity experts are already familiar with the technique used to trickAttack.Phishingquestioning users into installing the Facebook Message Video virus . As soon as the victim clicks the compromised link and enters the phishing website ( which apparently is designed to look likeAttack.PhishingYouTube or another popular video sharing platform ) , a misleading pop-up appearsAttack.Phishing, asking the victim to install an update or an application ( it could be a fake Adobe Flash Player or a plug-in ) . The file suggested to the user contains no software related to video streaming and simply carries the malicious payload that later compromisesAttack.Databreachvictim ’ s account and sends outAttack.Phishingthe deceptive messages to all victim ’ s contacts . Speaking of fake Adobe Flash Players , we want to inform you that these are one of the most dangerous threats to your security . One of the latest cyber attacksAttack.Phishingwas based on fake pop-ups appearing on compromised sites , urgingAttack.Phishingpeople to install an updated Flash Player . Unfortunately , launching the install_flash_player.exe file only infected the computer with Bad Rabbit ransomware .
As thousands of freshmen move into their dorms for the first time , there are plenty of thoughts rushing through their minds : their first time away from home , what cringey nickname they 're gon na try to make a thing , if there are any parties before orientation kicks off . One thing that probably is n't on their minds is whether they 're going to get hacked . But that 's all Carnegie Mellon University 's IT department thinks about . Back-to-school season means hordes of vulnerable computers arriving on campus . The beginning of the semester is the most vulnerable time for a campus network , and every year , with new students coming in , schools have to make sure everything runs smoothly . Carnegie Mellon 's network gets hit with 1,000 attacks a minute -- and that 's on a normal day . Cybersecurity is an increasingly important aspect of our everyday lives , with technology playing a massive role in nearly everything we do . Universities have been vulnerable to attacksAttack.Databreachin the past , with cybercriminals stealingAttack.Databreachstudent and faculty databases and hackers vandalizing university websites . Students are often targets for hackers , even before they 're officially enrolled . Considering how much money flows into a university from tuition costs , along with paying for room and board , criminals are looking to cash in on weak campus cybersecurity . A bonus for hackers : Admissions offices often hold data with private information like student Social Security numbers and addresses , as well as their families ' data from financial aid applications . PhishingAttack.Phishinghappens when hackers stealAttack.Databreachyour passwords by sendingAttack.Phishingyou links to fake websites that look likeAttack.Phishingthe real deal . It 's how Russians hacked the Democratic National Committee during the presidential election , and it 's a popular attack to use on universities as well . The latest warning , sent Monday , called out malware hidden in a document pretending to beAttack.Phishingfrom Syracuse University 's chancellor . Digging through my old emails , I found about 20 phishingAttack.Phishingwarnings that had gone out during the four years I 'd been there . Syracuse declined to comment on phishing attacksAttack.Phishingagainst the school , but in a 2016 blog post , it said the attacks were `` getting more frequent , cunning and malicious . '' The school is not alone . Duo Security , which protects more than 400 campuses , found that 70 percent of universities in the UK have fallen victim to phishing attacksAttack.Phishing. Syracuse , which uses Duo Security , fights phishing attacksAttack.Phishingwith two-factor authentication , which requires a second form of identity verification , like a code sent to your phone . But it just rolled out the feature last year . Kendra Cooley , a security analyst at Duo Security , pointed out that students are more likely to fall for phishing attacksAttack.Phishingbecause they have n't been exposed to them as frequently as working adults have . Also , cybercriminals know how to target young minds . `` You see a lot of click-bait phishing messages like celebrity gossip or free travel , '' Cooley said . All students at Carnegie Mellon are required to take a tech literacy course , in which cybersecurity is a focus , said Mary Ann Blair , the school 's chief information security officer . The school also runs monthly phishing campaignsAttack.Phishing: If a student or faculty member fallsAttack.Phishingfor the friendly trapAttack.Phishing, they 're redirected to a training opportunity . When your network is being hit with at least two phishing attemptsAttack.Phishinga day , Blair said , it 's a crucial precaution to keep students on guard . `` It 's just constantly jiggling the doorknobs to see if they 're unlocked , '' Blair said . `` A lot of it is automated attacks . '' It 's not just the thousands of new students that have university IT departments bracing for impact , it 's also their gadgets . `` All these kids are coming on campus , and you do n't know the security level of their devices , and you ca n't manage it , because it 's theirs , '' said Dennis Borin , a senior solutions architect at security company EfficientIP . A lot of university IT teams have their hands tied because they ca n't individually go to every student and scan all their computers . Borin 's company protects up to 75 campuses across the United States , and it 's always crunch time at the beginning of the semester . `` If I was on campus , I would n't let anybody touch my device , '' Borin said . `` So if somebody has malware on their device , how do you protect against an issue like that ? '' Instead of going through every single student , Borin said , his company just casts a wide net over the web traffic . If there 's any suspicious activity coming from a specific device , they 're able to send warnings to the student and kick him or her off the network when necessary . Keeping school networks safe is important for ensuring student life runs smoothly . A university that had only two people on its team reached out to EfficientIP after it suffered an attack . All of the school 's web services were down for an entire week while recovering from the attack , Borin said . Scam artists love to take advantage of timing , and the back-to-school season is a great opportunity for them . There was an influx of fake ransomware protection apps when WannaCry hitAttack.Ransom, as well as a spike in phony Pokemon Go apps stuffed with malware during the height of the game 's popularity . If there 's a massive event going on , you can bet people are flooding the market with phony apps to trickAttack.Phishingvictims into downloading viruses . A quick search for `` back to school apps '' in August found 1,182 apps that were blacklisted for containing malware or spyware , according to security firm RiskIQ . Researchers from the company scanned 120 mobile app stores , including the Google Play store , which had more than 300 blacklisted apps . They found apps for back-to-school tools ; themes and wallpapers for your device ; and some apps that promised to help you `` cheat on your exams . '' Though most of the blacklisted apps are poorly made games , others pretend to help you be a better student . Other warning signs to watch out for when it comes to sketchy apps are poorly written reviews and developers using public domain emails for contacts , Risk IQ said . For any educational apps , like Blackboard Learn , you should always check the sources and look for the official versions . New students coming to school have enough to worry about . Let 's hope a crash course in cybersecurity is enough to ensure they make it to graduation without getting hit by hacks .
Cybercriminals are finding it more difficult to maintain the malicious URLs and deceptive domains used for phishing attacksAttack.Phishingfor more than a few hours because action is being taken to remove them from the internet much more quickly . That does n't mean that phishingAttack.Phishing-- one of the most common means of performing cyber-attacks -- is any less dangerous , but a faster approach to dealing with the issue is starting to hinder attacks . Deceptive domain names look likeAttack.Phishingthose of authentic services , so that somebody who clicks on a malicious link may not realise they are n't visiting the real website of the organisation being spoofedAttack.Phishing. One of the most common agencies to be imitatedAttack.Phishingby cyber-attackers around the world is that of government tax collectors . The idea behind such attacksAttack.Phishingis that people will be trickedAttack.Phishinginto believing they are owed money by emails claiming to beAttack.Phishingfrom the taxman . However , no payment ever comes , and if a victim falls for such an attack , they 're only going to lose money when their bank details are stolenAttack.Databreach, and they can even have their personal information compromisedAttack.Databreach. In order to combat phishingAttack.Phishingand other forms of cyber-attack , the UK 's National Cyber Crime Centre -- the internet security arm of GCHQ -- launched what it called the Active Cyber Defence programme a year ago . It appears to have some success in its first 12 months because , despite a rise in registered fraudulent domains , the lifespan of a phishing URL has been reduced and the number of global phishing attacksAttack.Phishingbeing carried out by UK-hosted sites has declined from five percent to three percent . The figures are laid out in a new NCSC report : Active Cyber Defence - One Year On . During that time , 121,479 phishing sites hosted in the UK , and 18,067 worldwide spoofingAttack.PhishingUK government , were taken down , with many of them purporting to beAttack.PhishingHMRC and linked to phishing emails in the form of tax refund scams . An active approach to dealing with phishing domains has also led to a reduction in the amount of time these sites are active , potentially limiting cybercriminal campaigns before they can gain any real traction . Prior to the launch of the program , the average time a phishing website spoofingAttack.Phishinga UK government website remained active was for 42 hours -- or almost two days . Now , with an approach designed around looking for domains and taking them down , that 's dropped to ten hours , leaving a much smaller window for attacks to be effective . However , while this does mean there 's less time for the attackers to stealAttack.Databreachinformation or finances , it does n't mean that they 're not successful in carrying out attacks . The increased number of registered domains for carrying out phishing attacksAttack.Phishingshows that crooks are happy to work a little bit harder in order to reap the rewards of campaigns -- and the NCSC is n't under any illusion that the job of protecting internet users is anywhere near complete . `` The ACD programme intends to increase our cyber adversaries ' risk and reduces their return on investment to protect the majority of people in the UK from cyber attacks , '' said Dr Ian Levy , technical director of the NCSC . `` The results we have published today are positive , but there is a lot more work to be done . The successes we have had in our first year will cause attackers to change their behaviour and we will need to adapt . '' A focus on taking down HMRC and other government-related domains has helped UK internet users , but cyber-attacks are n't limited by borders , with many malicious IPs hosted in practically every country used to carry out cyber-attacks around the world -- meaning every country should be playing a part . `` Obviously , phishingAttack.Phishingand web-inject attacks are not connected to the UK 's IP space and most campaigns of these types are hosted elsewhere . There needs to be concerted international effort to have a real effect on the security of users , '' says the report .
Ransomware has largely been an opportunistic , rather than a targeted , form of cybercrime with the goal of infecting as many users as possible . That model has worked so effectively that extortion is now ubiquitous when it comes to cybercrime — so much so that even fake attacks are proving to be successful . As I wrote earlier this month , the surge of extortion attacksAttack.Ransomimpacting organizations has led to a number of fake extortion threats , including empty ransomware demandsAttack.Ransomwhere actors contact organizations , lie about the organization ’ s data being encrypted , and ask for moneyAttack.Ransomto remove the non-existent threat . Cybercriminals like to follow the path of least resistance , and an attack doesn ’ t get much easier than simply pretending to have done something malicious . However , attacksAttack.Ransomover the past year have proven that infecting organizations with ransomware can result in much higher payoutsAttack.Ransom. The more disruptive the attack , the more money some organizations are willing to pay to make the problem go away . As a result , ransomware actors are shifting their targets towards more disruptive attacks , which we examine in our latest report , Ransomware Actors Shift Gears : New Wave of Ransomware AttacksAttack.RansomAims to Lock Business Services , Not Just Data . It was just 13 months ago that Hollywood Presbyterian Medical Center made national attention by payingAttack.Ransom$ 17,000 to decrypt its files after a ransomware attackAttack.Ransom. The incident was novel at the time , but those types of stories have since become commonplace . Organizations need to take action to protect themselves against ransomware actors that are trying to find more effective ways to disrupt business operations and demand even higher ransom payoutsAttack.Ransom.
A group calling itself XMR Squad has spent all last week launching DDoS attacks against German businesses and then contacting the same companies to inform them they had to payAttack.Ransom€250 ( $ 275 ) for `` testing their DDoS protection systems . '' German DDoS protection firm Link11 reported attacks against DHL , Hermes , AldiTalk , Freenet , Snipes.com , the State Bureau of Investigation Lower Saxony , and the website of the state of North Rhine-Westphalia . The attackAttack.Ransomagainst DHL Germany was particularly effective as it shut down the company 's business customer portal and all APIs , prompting eBay Germany to issue an alert regarding possible issues with packages sent via DHL . `` They seem to know what to hit , '' said Daniel Smith , security researcher for Radware , and one of the persons currently keeping tabs of the attacks . The group sent emails to all the companies it targeted . In the emails , they did n't ask for a ransomAttack.Ransomto stop the attacksAttack.Ransom, but a fee for having already carried out what they called a DDoS protection test . Usually , these types of groups launch DDoS attacks and then send emails to their victims requesting for paymentsAttack.Ransomto stop the attacksAttack.Ransom. XMR Squad 's emails looked like invoices for unrequested DDoS tests . Furthermore , the ransom note did n't include payment instructions , which is weird , to say the least . DDoS ransomsAttack.Ransomare usually handled in Bitcoin or another anonymous cryptocurrency . It was strange to see the group ask for paymentAttack.Ransomin Euros , as the group 's name included the term XMR , the shortname for Monero , an anonymous cryptocurrency . While the group advertised on Twitter that their location was in Russia , a German reporter who spoke with the group via telephone said `` the caller had a slight accent , but spoke perfect German . '' To the same reporter , the group also claimed they carried out the attacks only to get public attention . The attention they got was n't the one they expected , as their hosting provider took down their website , located at xmr-squad.biz . Germany , in particular , has been the target of several DDoS blackmailers in the past year . In January and February , a group calling itself Stealth Ravens launched DDoS-for-Bitcoin ransom attacksAttack.Ransom. Link11 , who tracked those attacksAttack.Ransom, claimed the group used a DDoS botnet built with the Mirai IoT malware and asked forAttack.Ransom5 Bitcoin ( $ 6,000 ) to stop attacksAttack.Ransom. Last year in June , another group named Kadyrovtsy also targeted German businesses , launching attacksAttack.Ransomof up to 50 Gbps . This group began DDoS ransom attacksAttack.Ransoma month earlier by first targeting Polish banks . All these groups are following the same modus operandi perfected by groups like DD4BC and Armada Collective . These two groups appeared in the summer and autumn of 2015 and targeted companies worldwide . In January 2016 , Europol arrested suspects believed to be DD4BC members in Bosnia and Herzegovina . Following the arrests , both groups became inactive . After the demise of these two main groups , there was a wave of copycats [ 1 , 2 , 3 , 4 , 5 ] that used their respective reputation to extort paymentsAttack.Ransomfrom companies , in many cases without even possessing any DDoS capabilities .
A group calling itself XMR Squad has spent all last week launching DDoS attacks against German businesses and then contacting the same companies to inform them they had to payAttack.Ransom€250 ( $ 275 ) for `` testing their DDoS protection systems . '' German DDoS protection firm Link11 reported attacks against DHL , Hermes , AldiTalk , Freenet , Snipes.com , the State Bureau of Investigation Lower Saxony , and the website of the state of North Rhine-Westphalia . The attackAttack.Ransomagainst DHL Germany was particularly effective as it shut down the company 's business customer portal and all APIs , prompting eBay Germany to issue an alert regarding possible issues with packages sent via DHL . `` They seem to know what to hit , '' said Daniel Smith , security researcher for Radware , and one of the persons currently keeping tabs of the attacks . The group sent emails to all the companies it targeted . In the emails , they did n't ask for a ransomAttack.Ransomto stop the attacksAttack.Ransom, but a fee for having already carried out what they called a DDoS protection test . Usually , these types of groups launch DDoS attacks and then send emails to their victims requesting for paymentsAttack.Ransomto stop the attacksAttack.Ransom. XMR Squad 's emails looked like invoices for unrequested DDoS tests . Furthermore , the ransom note did n't include payment instructions , which is weird , to say the least . DDoS ransomsAttack.Ransomare usually handled in Bitcoin or another anonymous cryptocurrency . It was strange to see the group ask for paymentAttack.Ransomin Euros , as the group 's name included the term XMR , the shortname for Monero , an anonymous cryptocurrency . While the group advertised on Twitter that their location was in Russia , a German reporter who spoke with the group via telephone said `` the caller had a slight accent , but spoke perfect German . '' To the same reporter , the group also claimed they carried out the attacks only to get public attention . The attention they got was n't the one they expected , as their hosting provider took down their website , located at xmr-squad.biz . Germany , in particular , has been the target of several DDoS blackmailers in the past year . In January and February , a group calling itself Stealth Ravens launched DDoS-for-Bitcoin ransom attacksAttack.Ransom. Link11 , who tracked those attacksAttack.Ransom, claimed the group used a DDoS botnet built with the Mirai IoT malware and asked forAttack.Ransom5 Bitcoin ( $ 6,000 ) to stop attacksAttack.Ransom. Last year in June , another group named Kadyrovtsy also targeted German businesses , launching attacksAttack.Ransomof up to 50 Gbps . This group began DDoS ransom attacksAttack.Ransoma month earlier by first targeting Polish banks . All these groups are following the same modus operandi perfected by groups like DD4BC and Armada Collective . These two groups appeared in the summer and autumn of 2015 and targeted companies worldwide . In January 2016 , Europol arrested suspects believed to be DD4BC members in Bosnia and Herzegovina . Following the arrests , both groups became inactive . After the demise of these two main groups , there was a wave of copycats [ 1 , 2 , 3 , 4 , 5 ] that used their respective reputation to extort paymentsAttack.Ransomfrom companies , in many cases without even possessing any DDoS capabilities .
( Reuters ) - Sabre Corp said on Tuesday there had been a breach in its hospitality unit ’ s hotel reservation system and had hired FireEye Inc ’ s Mandiant forensics division to probe the incident . `` The unauthorized access has been shut off and there is no evidence of continued unauthorized activity , '' Sabre said in a statement . The company , which offers hotel and airline booking services , said it had informed law enforcement about the breach in its SynXis Central Reservations . Sabre does not believe any other system was affected . “ 32,000 properties use Sabre ’ s reservation system , so the attackers were able to penetrate a single system and potentially access 32,000 additional targets , ” said Jeff Hill , Director of Product Management , Prevalent , which manages third-party risk . Mandiant did not immediately respond to a request for comment . Hotel groups are increasingly coming under attacksAttack.Databreachfrom hackers , who seek to stealAttack.Databreachpayment card data . InterContinental Hotels Group Plc said last month 1,200 of its franchised hotels in the United States , including Holiday Inn and Crowne Plaza , were victims of a three-month cyber attack . Hyatt Hotels Corp , Hilton , and Starwood Hotels , now owned by Marriott International Inc had also been victims of hacking attacks .
A ransomware threat called SLocker , which accounted for one-fifth of Android malware attacks in 2015 , is back with avengeance , according to security firm Wandera . SLocker encrypts images , documents and videos on Android devices and demands a ransomAttack.Ransomto decrypt the files . Once the malware is executed , it runs in the background of a user 's device without their knowledge or consent . Once it has encrypted files on the phone , the malware hijacks the device , blocking the user 's access , and attempts to intimidate them into paying a ransomAttack.Ransomto unlock it . Last year , security company Bitdefender said that ransomware was the largest malware risk to Android users in the second half of 2015 - with SLocker accounting for 22 per cent of Android malware threats in the UK in that period . The malware also topped the ransomware charts in Germany and Australia , and Bitdefender claimed that 44 per cent of Android users it asked had already paid out a ransomAttack.Ransomin order to regain access to their devices . The malware continued to cause problems and , in mid-2016 , its attacksAttack.Ransomwere estimated to have resulted in tens of millions of dollars in ransoms paidAttack.Ransom. Weeks after the initial wave of attacks , security companies patchedVulnerability-related.PatchVulnerabilitythe issue for their enterprise customers , devices were updatedVulnerability-related.PatchVulnerabilityand the threat disappeared . That is until now . Mobile security firm Wandera said that its mobile intelligence engine MI : RIAM had detected more than 400 variants of the same malware . It said that these strains were targeting businesses ' mobile fleets through easily accessible third-party app stores and websites where security checks are not as rigorous as they ought to be . According to Wandera , the variants have been redesigned and repackaged to avoid all known detection techniques . `` They utilise a wide variety of disguises including altered icons , package names , resources and executable files in order to evade signature-based detection , '' the company said . Third-party app stores and unknown vendors should be avoided by Android users , while corporate administrators should be wary of SLocker returning and put in place security measures to monitor devices accordingly .
Since last year ’ s revelation that attackers have compromised SWIFT software of Bangladesh ’ s central bank and usedAttack.Phishingit to perform fraudulent transfers worth tens of millions , news about similar attacks – both successful and not – have become a regular occurrence . Attackers usually use banks ’ compromised SWIFT system to sendAttack.Phishinginformation about fraudulent financial transactions , but in attacksAttack.Phishingaimed at three government-owned banks in India , they chose to create fake trade documents such as letters of credit and guarantees . A letter of credit allows the sellers to be sure that they will get paid once they prove that the sold goods have been provided , as the buyer ’ s bank – the institution that issued the letter of credit – is obliged to release the money , even if the buyer is unable to make payment . Bank guarantees are documents that guarantee that the bank will release an agreed-upon sum either to the seller or the buyer in case the other party ultimately can ’ t provide the goods or the cash . A source close to the investigation told Economic Times that there have been no monetary losses or ransom demands as of yet . He or she posits that the hackers were planningAttack.Phishingto use the forged documents to get cash from offshore banks or carry out trade of prohibited or illegal commodities . It ’ s still unknown how the compromises were effected , and it ’ s possible that other Indian banks have been hit as well . The Reserve Bank of India has been notified of the breaches , and it has directed several banks to check whether the trade documents they sent via SWIFT have a match in their core banking system
Are you such a video game fanatic that you simply can ’ t wait to get your paws on sneak previews of upcoming hit titles ? If so , your fervour may be fuelling the criminal activities of an unnamed group of who have targeted a developer of highly popular video games . Best known for developing The Witcher series of role-playing video games , CD Projekt Red took to Twitter to announce that it had been approached by extortionists who claimed to have stolenAttack.Databreachfiles from the company , including “ documents connected to early designs for the upcoming game , Cyberpunk 2077. ” CD Projekt Red says it will not pay the ransom being demandedAttack.Ransomby the thieves , who are threatening to release the stolen files to the general public : “ We will not be giving in to the demandsAttack.Ransomof the individual or individuals that have contacted us , which might eventually lead to the files being published online . The appropriate legal authorities will be informed about the situation. ” “ The documents are old and largely unrepresentative of the current vision for the game . Still , if you ’ re looking forward to playing Cyberpunk 2077 , it would be best for you to avoid any information not coming directly from CD PROJEKT RED. ” I applaud CD Projekt Red ’ s refusal to pay a ransomAttack.Ransom. PayingAttack.Ransomextortionists always runs the risk of encouraging blackmailers to strike again , putting not just your own company but others at further risk . No release date has yet been announced by the Polish game studio for Cyberpunk 2077 , which has been in development for years and is keenly anticipated by the game maker ’ s fans . For CD Projekt RED , the danger is not just whether assets belonging to the game leakingAttack.Databreachinto the public domain mess up its marketing strategy . There is also the risk that the gaming community will be unimpressed with any sneak previews of early versions of the game stolenAttack.Databreachby the hackers , and puncture the hype machine . Recent months have seen a rise in attacksAttack.Ransomwhere hackers have threatened to release a company ’ s intellectual property onto the net unless a ransom is paidAttack.Ransom. A month ago , for instance , The Dark Overlord hacking group attempted to blackmail moneyAttack.Ransomout of Netflix , before deciding to leak as-yet unaired episodes of hit TV show “ Orange is the New Black. ” The same hacking group has previously publishedAttack.Databreach180,000 medical records – including insurance and social security numbers , dates of birth , and payment information – after healthcare firms refused to give in to their demandsAttack.Ransom. Most recently , a chain of cosmetic surgeries in Lithuania warned that hackers were threatening to release the personal details of clients , including photographs . Readers with longer memories may recall that in September 2003 , a German hacker leakedAttack.Databreachthe source code of the game Half-Life 2 onto the internet , much to the delight of internet users who had become fed up with waiting for the long-awaited video game . It doesn ’ t matter that it ’ s not credit card data or passwords that are being stolenAttack.Databreach– theft is theftAttack.Databreach. Just because it ’ s a video game ’ s plans and designs that are being held for ransomAttack.Ransomby the hackers doesn ’ t make any difference . The threat is real – and could have a commercial impact on the game ’ s producer . CD Projekt Red should be applauded for being so transparent about what has happened , as it ’ s easy to imagine many firms would rather sweep bad news like this under the carpet . What we need now is for game fanatics to exercise some patience and self-control , and resist the urge to hunt out a game before the manufacturer is ready to release it officially themselves .
Researchers are now observing similar destructive attacks hitting openly accessible Hadoop and CouchDB deployments . Security researchers Victor Gevers and Niall Merrigan , who monitored the MongoDB and Elasticsearch attacks so far , have also started keeping track of the new Hadoop and CouchDB victims . The two have put together spreadsheets on Google Docs where they document the different attack signatures and messages left behind after data gets wiped from databases . In the case of Hadoop , a framework used for distributed storage and processing of large data sets , the attacks observed so far can be described as vandalism . That 's because the attackers do n't ask for paymentsAttack.Ransomto be made in exchange for returning the deleted data . Instead , their message instructs the Hadoop administrators to secure their deployments in the future . According to Merrigan 's latest count , 126 Hadoop instances have been wiped so far . The number of victims is likely to increase because there are thousands of Hadoop deployments accessible from the internet -- although it 's hard to say how many are vulnerable . The attacks against MongoDB and Elasticsearch followed a similar pattern . The number of MongoDB victims jumped from hundreds to thousands in a matter of hours and to tens of thousands within a week . The latest count puts the number of wiped MongoDB databases at more than 34,000 and that of deleted Elasticsearch clusters at more than 4,600 . A group called Kraken0 , responsible for most of the ransomware attacks against databases , is trying to sell its attack toolkit and a list of vulnerable MongoDB and Elasticsearch installations for the equivalent of US $ 500 in bitcoins . The number of wiped CouchDB databases is also growing rapidly , reaching more than 400 so far . CouchDB is a NoSQL-style database platform similar to MongoDB . Unlike the Hadoop vandalism , the CouchDB attacksAttack.Ransomare accompanied by ransom messages , with attackers asking forAttack.Ransom0.1 bitcoins ( around $ 100 ) to return the data . Victims are advised against payingAttack.Ransombecause , in many of the MongoDB attacksAttack.Ransom, there was no evidence that attackers had actually copiedAttack.Databreachthe data before deleting it . Researchers from Fidelis Cybersecurity have also observed the Hadoop attacks and have published a blog post with more details and recommendations on securing such deployments
Researchers are now observing similar destructive attacks hitting openly accessible Hadoop and CouchDB deployments . Security researchers Victor Gevers and Niall Merrigan , who monitored the MongoDB and Elasticsearch attacks so far , have also started keeping track of the new Hadoop and CouchDB victims . The two have put together spreadsheets on Google Docs where they document the different attack signatures and messages left behind after data gets wiped from databases . In the case of Hadoop , a framework used for distributed storage and processing of large data sets , the attacks observed so far can be described as vandalism . That 's because the attackers do n't ask for paymentsAttack.Ransomto be made in exchange for returning the deleted data . Instead , their message instructs the Hadoop administrators to secure their deployments in the future . According to Merrigan 's latest count , 126 Hadoop instances have been wiped so far . The number of victims is likely to increase because there are thousands of Hadoop deployments accessible from the internet -- although it 's hard to say how many are vulnerable . The attacks against MongoDB and Elasticsearch followed a similar pattern . The number of MongoDB victims jumped from hundreds to thousands in a matter of hours and to tens of thousands within a week . The latest count puts the number of wiped MongoDB databases at more than 34,000 and that of deleted Elasticsearch clusters at more than 4,600 . A group called Kraken0 , responsible for most of the ransomware attacks against databases , is trying to sell its attack toolkit and a list of vulnerable MongoDB and Elasticsearch installations for the equivalent of US $ 500 in bitcoins . The number of wiped CouchDB databases is also growing rapidly , reaching more than 400 so far . CouchDB is a NoSQL-style database platform similar to MongoDB . Unlike the Hadoop vandalism , the CouchDB attacksAttack.Ransomare accompanied by ransom messages , with attackers asking forAttack.Ransom0.1 bitcoins ( around $ 100 ) to return the data . Victims are advised against payingAttack.Ransombecause , in many of the MongoDB attacksAttack.Ransom, there was no evidence that attackers had actually copiedAttack.Databreachthe data before deleting it . Researchers from Fidelis Cybersecurity have also observed the Hadoop attacks and have published a blog post with more details and recommendations on securing such deployments
For all the sophisticated tactics , techniques , and procedures employed by threat actors these days , phishingAttack.Phishingcontinued to be the top attack vector in 2016 , as it has been for some time . The big difference was that instead of targeting financial services companies , phishers increasingly targeted cloud storage service providers like Google and DropBox , security vendor PhishLabs said in a voluminous report on phishing trends released this week . Compared to 2013 , when barely 10 % of phishing attacksAttack.Phishingtargeted cloud storage services , about 22.5 % of phishing attacksAttack.Phishinglast year involved such companies . That was just barely below the 23 % of phishing scamsAttack.Phishinginvolving financial brands , the company noted . What that means is that users are likely going to get more phishing emails this year trying to get them to part with credentials to their cloud storage credentials . `` Over the last four years , the number of phishing attacksAttack.Phishingtargeting cloud storage services has skyrocketed , '' says Crane Hassold , senior security threat researcher at PhishLabs . `` Based on recent trends , it is likely that phishing attacksAttack.Phishingtargeting cloud storage services will overtake financial institutions as the top target for phishers in 2017 . '' So far at least , almost all phishing attacksAttack.Phishingimpacting this industry have involved only Google and DropBox . Many of the phishing campaignsAttack.Phishingtargeting cloud storage providers contain luresAttack.Phishingsaying that a document or picture has been shared with the victim and encourage them to sign in to their account in order to view it . A majority of the phishing pages involved in such campaignsAttack.Phishinghave really been poor duplicates of the pages used by Google , DropBox , and other legitimate sites . Even so , `` based on the growing popularity of these types of attacksAttack.Phishing, phishers must still be having success compromising victim even with this lack of authenticity , '' Hassold says . The PhishLabs report is based on an analysis of some one million confirmed phishing sites spread across more than 170,000 unique domains , and also from the company ’ s handling of more than 7,800 phishing attacksAttack.Phishingper month in 2016 . The analysis showed an alarming increase across the board in phishing-related activitiesAttack.Phishing. The number of phishing sites in 2016 , for instance , was 23 % higher than the year before , while the volume of phishing emails grew by an average of 33 % across financial services , cloud storage/file hosting , webmail/online , payment services , and ecommerce sites . PhishLabs identified a total of 976 brands belonging to 568 organizations that cybercriminal used in phishing campaignsAttack.Phishinglast year . The kind of data that phishers went after also broadened considerably last year . In addition to account credentials and personal data , phishers also used their phishing luresAttack.Phishingto try and snag financial , employment , and account security data like answers to challenge/response questions and mother ’ s maiden name . Ransomware 's Best Friend In 2016 , phishingAttack.Phishingalso continued to be by far the most prevalent method for delivering ransomware on everything from end user systems to systems belonging to businesses , government agencies , schools , and critical infrastructure targets . The use of email as an authentication measure made it easier for phishers to mass harvestAttack.Databreachcredentials for all email services on a single phishing site , instead of having to target email providers individually , Hassold says . `` Additionally , because a growing number of Web services are using email as a primary credential , phishers are able to multiply their profits by conducting password reuse attacks against these unsuspecting targets , '' he says . The easy availability of phish kits , or ready-to-use templates for creating working phishing sites , contributed to the problem . Many of these kits included sophisticated anti-detection mechanisms . Mechanisms included access control measures based on IP address , HTTP referrer , and hostname , whitelists , and blocklists . `` The big takeaway is that we ’ ve created ideal conditions for the mass harvestingAttack.Databreachof credentials via phishing attacksAttack.Phishing, '' Hassold notes . Unlike in the past where phishers were focused on immediate gains—by going after and selling access to financial accounts for instance—they are now trying to maximize the information they can compromise with the least effort .
Qatar is set to host the 2022 FIFA Soccer World Cup , and to do so , the country must build a number of stadiums . Additionally , Qatar 's economy is also in full bloom , and many companies taking advantage of local tax-free zones are also driving a real-estate boom , with tens of buildings being built every year . At the heart of Qatar 's roaring constructions sector are migrant workers , usually from East-Asian countries , such as India , Bangladesh , and most often Nepal . Loopholes in local legislation allow employers to withhold passports and force employees to work under appalling conditions , facing steep penalties , and even jail time if they try to leave the country before their contract expires . These conditions have attracted the attention of many activists , organizations , and journalists , that have published damning reports , even going as far as asking FIFA to revoke the rights to hold the 2022 World Cup until Qatar revises its labour laws . Claudio Guarnieri , a security researcher working for Amnesty International , has published a report today that reveals how an unknown person or group has createdAttack.Phishinga fake persona named Saleena Malik , which they used to get close to journalists and activists . The primary goal was to become friends with potential victims , and after months of having private conversations , lureAttack.Phishingthe target into accessing a phishing page disguised asAttack.Phishinga Google login , and collect their credentials . Malik 's phishing attacksAttack.Phishingdid n't happen right away , but always after the victim had time to get acquainted with her fake persona . In most cases , Malik posed asAttack.Phishinga person with similar interests in activism and Qatar 's migrant labor laws . After months of private conversations via email , LinkedIn and/or Facebook , Malik would eventually inviteAttack.Phishinga target to access a document or connect via Google Hangouts . In all cases , before accessing Malik 's documents or Google Hangouts , the victim would first be promptedAttack.Phishingby a fake login page that collected their credentials . Guarnieri , who was alerted to Malik 's actions by one of the targeted journalists , was able to identify where these phishing pages were hosted and where they sent data for storage . This is how the researcher tracked down at least 30 other victims of Malik 's expert phishing attacksAttack.Phishing. Additionally , with collaboration from victims , Guarneri was also able to discover that the people behind the Malik persona had also accessed some of the phished Gmail accounts . The intruder 's IP address belonged to a local Qatar Internet service provider . What the researchers was n't able to find was who was behind the attacks . His guesses include the government of Qatar , another government wanting to make Qatar look bad , or a contractor hired by one of the construction firms or a government agency . In a statement for Amnesty International , a spokesperson for the government of Qatar denied any involvement . These particular set of attacksAttack.Phishingshow a deep knowledge of social engineering , and especially phishing tactics . Whoever was behind this campaign had both the knowledge , skills and patience to wait for the seeds he planted to bear fruits many months later
Researchers identified over 70 organizations targeted in these attacks , with most located in Ukraine , and especially in the self-declared separatist states of Donetsk and Luhansk , near the Russian border . The target list includes editors of Ukrainian newspapers , a scientific research institute ; a company that designs remote monitoring systems for oil & gas pipeline infrastructures ; an international organization that monitors human rights , counter-terrorism and cyberattacks on critical infrastructure in Ukraine ; and an engineering company that designs electrical substations , gas distribution pipelines , and water supply plants ; among many others . According to CyberX security experts , attacksAttack.Phishingare mostly driven by spear-phishing emails that spread Word documents that contain malicious macros . AttacksAttack.PhishinglureAttack.Phishingvictims into allowing the macros in these documents to execute by telling them the document was created in a newer version of Word , and enabling macros allows them to view their content . Enabling macros downloads several malware families in multiple stages . The downloaded malware does n't include destructive features and uses several mechanisms to remain hidden , an important clue pointing to the fact its authors are using it for reconnaissance only . Using Dropbox instead of a custom web server for collecting dataAttack.Databreachis yet another sign that hackers are trying to stay hidden as long as possible . This is because it would be much easier to detect malicious traffic sent to a remote web server compared to Dropbox , an application whitelisted by firewalls and other security products . CyberX researchers named this particular campaign BugDrop because crooks used the PC 's microphone 's to bug victims , and Dropbox to exfiltrateAttack.Databreachdata . After they analyzed the malware deployed in this campaign , CyberX security experts claim the malware and techniques used in the BugDrop operation are similar to Groundbait , another cyber-espionage campaign discovered in May 2016 by ESET researchers .
In this campaignAttack.Phishing, hackers are distributing the malware through 2 files namely “ NDA-ranked-8th-toughest-College-in-the-world-to-get-into.xls ” and “ NIA-selection-order-.xls ” respectively . These files are being circulatedAttack.Phishingvia WhatsApp in the form of authentic word files obtainingAttack.Databreachsensitive information from users which include online banking credentials , PIN codes and similar details . According to IBTimes , Android users in India are the key targets of this new WhatsApp scamAttack.Phishing. However , there isn ’ t any particular operating system that is being cited as the most affected one . It is worth noting that these sorts of malware campaigns are usually designed to work on Google ’ s operating system instead of the iOS . The reason why Indian android OS users are frequently being targeted by hackers in such campaigns is that Indian market is very popular for low-cost , cheap Android smartphones that run on older versions of the android OS . Hackers are attackingAttack.Phishingtwo key organizations in India to compel users to click on the word documents attached in the malicious WhatsApp message . This message has names of two major organizations of India namely National Defense Academy/NDA and National Investigation Academy/NIA . These files are in Excel format mainly but versions of these files in Word and PDF formats have also been identified . Authorities in India have already issued security alerts to the concerned authorities since it is being speculated that this new campaignAttack.PhishingattacksAttack.Phishinglaw enforcement authorities and military personnel in the majority . “ It has been analyzed that the men and women in defense , paramilitary and police forces could be the target groups , ” believe security officials in India . Israeli Tech firm claims its new CatchApp can hack any WhatsApp account According to the Economic Times , the NIA and NDA are very popular organizations in India as well as abroad ; there is a high level of curiosity about the way these organizations function among masses , which is why people are so interested in opening the infected attachments on WhatsApp . At the moment it isn ’ t clear what else this malware performs when the files are opened and if WhatsApp has taken any action in this regard to prevent users from getting affected .
Last week we first tweeted that the GuardiCore Global Sensor Network ( GGSN ) has detected a wide ransomware attackAttack.Ransomtargeting MySQL databases . The attacksAttack.Ransomlook like an evolution of the MongoDB ransomware attacksAttack.Ransomfirst reported earlier this year by Victor Gevers . Similarly to the MongoDB attacksAttack.Ransom, owners are instructed to payAttack.Ransoma 0.2 Bitcoin ransomAttack.Ransom( approx. $ 200 ) to regain access to their content . We saw two very similar variations of the attackAttack.Ransomusing two bitcoin wallets . In this post we will describe in detail the attack flow and provide some recommendations on how to protect your databases from similar attacks along with attack IoCs . The attacks started at midnight at 00:15 on February 12 and lasted about 30 hours in which hundreds of attacks were reported by GGSN . We were able to trace all the attacks to 109.236.88.20 , an IP address hosted by worldstream.nl , a Netherlands-based web hosting company . The attacker is ( probably ) running from a compromised mail server which also serves as HTTP ( s ) and FTP server . Worldstream was notified a few days after we reported the attack . The attack starts with ‘ root ’ password brute-forcing . Once logged-in , it fetches a list of the existing MySQL databases and their tables and creates a new table called ‘ WARNING ’ that includes a contact email address , a bitcoin address and a payment demandAttack.Ransom. In one variant of the attack the table is added to an existing database ; in other cases the table is added to a newly created database called ‘ PLEASE_READ ’ . The attacker will then delete the databases stored on the server and disconnect , sometimes without even dumping them first . The attack as reported by GuardiCore Centra We logged two versions of the ransom message : INSERT INTO PLEASE_READ. ` WARNING ` ( id , warning , Bitcoin_Address , Email ) VALUES ( ‘ 1′ , ’ Send 0.2 BTC to this address and contact this email with your ip or db_name of your server to recover your database ! Your DB is Backed up to our servers ! ’ , ‘ 1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY ’ , ‘ backupservice @ mail2tor.com ’ ) INSERT INTO ` WARNING ` ( id , warning ) VALUES ( 1 , ‘ SEND 0.2 BTC TO THIS ADDRESS 1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9 AND GO TO THIS SITE http : //sognd75g4isasu2v.onion/ TO RECOVER YOUR DATABASE ! The second version offers the owner to visit the following darknet web site ‘ http : //sognd75g4isasu2v.onion/ ’ to recover the lost data . The darknet web site referenced in the ransom note . Each version uses a different bitcoin wallet , 1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9 vs 1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY and based on Blockchain public information people have been paying up .