Saudi Arabian security officials said on Monday that the country had been targeted as part of a wide-ranging cyber espionage campaign observed since February against five Middle East nations as well as several countries outside the region. The Saudi government's National Cyber Security Center (NCSC) said in a statement the kingdom had been hit by a hacking campaign bearing the technical hallmarks of an attack group dubbed "MuddyWater" by U.S. cyber firm Palo Alto Networks. Palo Alto's Unit 42 threat research unit published a report last Friday showing how a string of connected attacks this year used decoy documents with official-looking government logos to lure unsuspecting users from targeted organizations to download infected documents and compromise their computer networks. Documents pretending to be from the U.S. National Security Agency, Iraqi intelligence, Russian security firm Kaspersky and the Kurdistan regional government were among those used to trick victims, Unit 42 said in a blog post (goo.gl/SvwrXv). The Unit 42 researchers said the attacks had targeted organizations in Saudi Arabia, Iraq, the United Arab Emirates, Turkey and Israel, as well as entities outside the Middle East in Georgia, India, Pakistan and the United States. The Saudi security agency said in its own statement that the attacks sought to steal data from computers using email phishing techniques targeting the credentials of specific users. The NCSC said they also comprised so-called "watering hole" attacks, which seek to trick users into clicking on infected web links to seize control of their machines. The technical indicators supplied by Unit 42 are the same as those described by the NCSC as being involved in attacks against Saudi Arabia.
The NCSC said the attacks appeared to be by an "advanced persistent threat" (APT) group, cyber jargon typically used to describe state-backed espionage. Saudi Arabia has been the target of frequent cyber attacks, including the "Shamoon" virus, which cripples computers by wiping their disks and has hit both government ministries and petrochemical firms. Saudi Aramco, the world's largest oil company, was hit by an early version of the "Shamoon" virus in 2012, in the country's worst cyber attack to date. The NCSC declined further comment on the source of the attack or on which organizations or agencies were targeted. Unit 42 said it was unable to identify the attack group or its aims and did not have enough data to conclude that the MuddyWater group was behind the Saudi attacks as outlined by NCSC. "We cannot confirm that the NCSC posting and our MuddyWater research are in fact related," Christopher Budd, a Unit 42 manager, told Reuters. "There's just not enough information to make that connection with an appropriate level of certainty." Palo Alto Networks said the files it had uncovered were almost identical to information-stealing documents disguised as Microsoft Word files and found to be targeting the Saudi government by security firm MalwareBytes in a September report.
Employees of US NGOs Fight for the Future and Free Press were targeted with complex spear-phishing attempts between July 7 and August 8, the Electronic Frontier Foundation (EFF) reported today. Both organizations targeted in the attacks are currently fighting for Net Neutrality in the US. Based on currently available evidence, the attacks appear to have been orchestrated by the same attacker, located in a UTC+3 to UTC+5:30 timezone, said EFF Director of Cybersecurity Eva Galperin and EFF security researcher Cooper Quintin.

At least one victim fell for the attacks

"Although this phishing campaign does not appear to have been carried out by a nation-state actor and does not involve malware, it serves as an important reminder that civil society is under attack," said the two today. "It is important for all activists, including those working on digital civil liberties issues in the United States, to be aware that they may be targeted by persistent actors who are well-informed about their targets' personal and professional connections." At least one victim fell for the 70 fake emails sent during the phishing attempts. Attackers didn't deliver malware but lured victims away to a remote site designed to phish Google, Dropbox, and LinkedIn credentials. "The attackers were remarkably persistent, switching up their attacks after each failed attempt and becoming increasingly creative with their targeting over time," EFF said. The most creative of the spear-phishing emails was when victims received emails with the subject line "You have been successfully subscribed to Pornhub.com," or "You have been successfully subscribed to Redtube.com," two very popular adult video portals. Minutes later, victims received another email made to look like it was coming from the same two services. These second emails contained explicit subject lines. Because the spear-phishing emails were aimed at work addresses, most victims would have been inclined to unsubscribe from the incoming emails. This was the catch, as attackers doctored the unsubscribe link, leading victims to a fake Google login screen.

Attackers used different tactics as the campaign progressed

The PornHub and RedTube phishes were not the only ones. Attackers also used other tactics:
- Links to generic documents that asked users to enter credentials before viewing.
- LinkedIn message notifications that tried to trick users into giving away LinkedIn credentials.
- Emails disguised to look like they were coming from family members sharing photos, but which asked the victim to log in and give away credentials instead.
- Fake email notifications for hateful comments posted on the target's YouTube videos. When the victim followed the link included in the email, the target would have to enter Google credentials before performing the comment moderation actions.
- Emails that looked like a friend was sharing interesting news stories. Topics and subject lines used include:
  - Net Neutrality Activists 'Rickroll' FCC Chairman Ajit Pai
  - Porn star Jessica Drake claims Donald Trump offered her $10G, use of his private jet for sex
  - Reality show mom wants to hire a hooker for her autistic son

In one case, one of the targeted activists received a request from a user asking for a link to buy her music. When the target replied, the attacker answered back with a Gmail phishing link, claiming the buy link didn't work. EFF experts say that two-factor authentication, where victims had it turned on for their accounts, would have prevented attackers from logging into their profiles even if they had managed to obtain their password.
A group calling itself XMR Squad has spent all last week launching DDoS attacks against German businesses and then contacting the same companies to inform them they had to pay €250 ($275) for "testing their DDoS protection systems." German DDoS protection firm Link11 reported attacks against DHL, Hermes, AldiTalk, Freenet, Snipes.com, the State Bureau of Investigation Lower Saxony, and the website of the state of North Rhine-Westphalia. The attack against DHL Germany was particularly effective as it shut down the company's business customer portal and all APIs, prompting eBay Germany to issue an alert regarding possible issues with packages sent via DHL. "They seem to know what to hit," said Daniel Smith, security researcher for Radware, and one of the people currently keeping tabs on the attacks. The group sent emails to all the companies it targeted. In the emails, they didn't ask for a ransom to stop the attacks, but a fee for having already carried out what they called a DDoS protection test. Usually, these types of groups launch DDoS attacks and then send emails to their victims requesting payment to stop the attacks. XMR Squad's emails looked like invoices for unrequested DDoS tests. Furthermore, the ransom note didn't include payment instructions, which is weird, to say the least. DDoS ransoms are usually handled in Bitcoin or another anonymous cryptocurrency. It was strange to see the group ask for payment in Euros, as the group's name included the term XMR, the short name for Monero, an anonymous cryptocurrency. While the group advertised on Twitter that their location was in Russia, a German reporter who spoke with the group via telephone said "the caller had a slight accent, but spoke perfect German."
To the same reporter, the group also claimed they carried out the attacks only to get public attention. The attention they got wasn't the one they expected, as their hosting provider took down their website, located at xmr-squad.biz. Germany, in particular, has been the target of several DDoS blackmailers in the past year. In January and February, a group calling itself Stealth Ravens launched DDoS-for-Bitcoin ransom attacks. Link11, who tracked those attacks, claimed the group used a DDoS botnet built with the Mirai IoT malware and asked for 5 Bitcoin ($6,000) to stop attacks. Last year in June, another group named Kadyrovtsy also targeted German businesses, launching attacks of up to 50 Gbps. This group had begun DDoS ransom attacks a month earlier by first targeting Polish banks. All these groups are following the same modus operandi perfected by groups like DD4BC and Armada Collective. These two groups appeared in the summer and autumn of 2015 and targeted companies worldwide. In January 2016, Europol arrested suspects believed to be DD4BC members in Bosnia and Herzegovina. Following the arrests, both groups became inactive. After the demise of these two main groups, there was a wave of copycats [1, 2, 3, 4, 5] that used their respective reputations to extort payments from companies, in many cases without even possessing any DDoS capabilities.
A massive phishing campaign took place today, but Google's security staff was on hand and shut down the attacker's efforts within an hour after users first reported the problem on Reddit. According to multiple reports on Twitter, the attacks first hit journalists, businesses, and universities, but later spread to many other users as well. The attack itself was quite clever, if we can say so ourselves. Victims received a legitimate (non-spoofed) email from one of their friends that asked them to click on a button to receive access to a Google Docs document. If users clicked the button, they were redirected to the real Google account selection screen, where a fake app titled "Google Docs" (not the real one) asked the user's permission to authorize it to access the shared document. In reality, the app only wanted access to the user's Gmail inbox and contact list. After gaining access to these details, the fake app copied the user's contact list and sent a copy of itself to the new set of targets, spreading itself to more and more targets. The email was actually sent to "hhhhhhhhhhhhhhhh@mailinator.com," with the user's email address added as BCC. Following the incident, Mailinator intervened and blocked any new emails from arriving into that inbox. Because of this self-replicating feature, the phishing attack spread like wildfire in a few minutes, just like the old Samy worm that devastated MySpace over a decade ago. Fortunately, one Google staff member was visiting the /r/Google Reddit thread, and was able to spot a trending topic detailing the phishing campaign. The Google engineer forwarded the Reddit thread to the right person, and within an hour after users first complained about the issue, Google had already disabled the fake app's ability to access the Google OAuth screen.
Later on, as engineers had more time to investigate the issue, Google issued the following statement: "We have taken action to protect users against an email impersonating Google Docs & have disabled offending accounts. We've removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail." There are no reports that malware was deployed in the phishing attack. Cloudflare was also quick to take down all the domains associated with the phishing attack. Users that clicked on the button inside the phishing email can go to the https://myaccount.google.com/permissions page and see if they granted the app permission to access their account. The real Google Docs isn't listed in this section, as it does not need permissions, being an official Google property.
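An added example, not code from the article or from Google, showing how the two traits described above can be checked over constructed data: a third-party consent grant that carries a Google product name and holds mail and contacts scopes, and a lure whose To: is a disposable address while the real target sits in Bcc. The Grant fields, the publisher domain, the example scopes and the sample addresses are assumptions.

```python
"""Checks for the two traits of the fake "Google Docs" app described above:
how it shows up in a user's third-party permissions list, and the lure
email's delivery pattern (disposable To:, real target hidden in Bcc).
Sample data is constructed; Grant fields and scopes are assumptions."""
import re
from dataclasses import dataclass, field
from email import message_from_string

# Real Google OAuth scope URLs that grant reach over mail and contacts. The
# article only says the app wanted the inbox and contact list, so these are
# illustrative rather than the scopes the worm actually requested.
MAIL_AND_CONTACT_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/contacts.readonly",
}

# First-party Google products never appear as a third-party consent grant,
# so a non-Google grant carrying one of these names is a look-alike.
GOOGLE_PRODUCT_NAMES = {"google docs", "google drive", "google sheets", "gmail"}

# The lure's button led to Google's real OAuth consent screen; a genuine
# share notification links to the document itself on docs.google.com.
OAUTH_CONSENT = re.compile(r"https://accounts\.google\.com/o/oauth2/\S+")
DOCS_LINK = re.compile(r"https://docs\.google\.com/\S+")

@dataclass
class Grant:
    """One entry from the account permissions page (assumed shape)."""
    app_name: str
    publisher_domain: str        # domain the developer registered the app under
    scopes: set = field(default_factory=set)

def _is_google(domain):
    d = domain.lower()
    return d == "google.com" or d.endswith(".google.com")

def grant_findings(grant):
    """Return the reasons one grant resembles the fake "Google Docs" app."""
    findings = []
    name = grant.app_name.strip().lower()
    if name in GOOGLE_PRODUCT_NAMES and not _is_google(grant.publisher_domain):
        findings.append("third-party app named after a Google product")
    wanted = grant.scopes & MAIL_AND_CONTACT_SCOPES
    if wanted:
        findings.append("holds mail/contacts access: " + ", ".join(sorted(wanted)))
    return findings

def audit_grants(grants):
    """Map app name -> findings for every grant that has at least one."""
    return {g.app_name: f for g in grants if (f := grant_findings(g))}

def lure_indicators(raw_message, recipient):
    """Flag the lure's addressing and link pattern in one delivered message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() or ""
    visible = ((msg.get("To") or "") + " " + (msg.get("Cc") or "")).lower()
    hits = []
    if "mailinator.com" in visible:
        hits.append("To: is a disposable mailinator address")
    if recipient.lower() not in visible:
        hits.append("recipient absent from To/Cc (delivered via Bcc)")
    if OAUTH_CONSENT.search(body) and not DOCS_LINK.search(body):
        hits.append("share button leads to an OAuth consent screen, not a document")
    return hits

# Constructed lure mirroring the article; the client_id is a placeholder.
SAMPLE_LURE = """\
From: Alice Friend <alice@example.org>
To: hhhhhhhhhhhhhhhh@mailinator.com
Subject: Alice has shared a document on Google Docs with you

Open in Docs: https://accounts.google.com/o/oauth2/auth?client_id=PLACEHOLDER
"""

if __name__ == "__main__":
    grants = [Grant("Google Docs", "example-dev.invalid", {"https://mail.google.com/"}),
              Grant("Calendar Helper", "example-dev.invalid", set())]
    print(audit_grants(grants))
    print(lure_indicators(SAMPLE_LURE, "bob@example.org"))
```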
Mere days after thousands of MongoDB databases were hit by ransomware attacks, cybercriminals have set their sights on ElasticSearch servers, according to reports. Hackers have reportedly hijacked insecure servers exposed to the internet with weak and easy-to-guess passwords. ElasticSearch is a Java-based search engine, commonly used by enterprises for information cataloguing and data analysis. According to security researcher Niall Merrigan, who has been monitoring the attacks, the cybercriminals are currently closing in on around 3,000 ElasticSearch servers. Merrigan told IBTimes UK: "We found the first one on the 12th of Jan and then started tracking the different IOCs (Indicators Of Compromise). The first actor has levelled off and looks like it has stopped. However, a second and third actor have joined in and are continuing to compromise servers. Attackers are finding open servers where there is no authentication at all. This can be done via a number of services and tools. Unfortunately, system admins and developers have been leaving these unauthenticated systems online for a while and attackers are just picking off the low hanging fruit right now." The recent MongoDB attacks saw hackers demand ransom and erase data to ensure victims' compliance. In the ongoing ElasticSearch attacks, the cybercriminals demand a ransom of 0.2 Bitcoins, according to a report by BleepingComputer. However, according to Merrigan, $20,000 in Bitcoins have already been paid by victims of the MongoDB attack. Despite paying the ransom, the victims have not received their data back. "So in this case it is a scam," the researcher said.
A lot of things can go wrong on your holidays, like losing luggage or missing a flight, forgetting your travel documents or getting sick at the worst possible time. But have you ever been locked out of your hotel room because of a cyberattack? That's just what happened to guests at a luxury hotel in Austria when they were left stranded outside of their rooms after a ransomware attack that overrode electronic key systems. This concept, which can be summed up as "if you don't pay, your guests won't be able to get into their rooms", underscores a strategy shift in ransomware. Instead of attacking the hotel chain directly, cybercriminals are looking to increase profitability by compromising the well-being of paying customers. Infected computers and POS systems, credit card theft, access to confidential information… in the age of the Internet of Things and smart homes, these attacks are becoming commonplace or even antiquated. Clearly the attacks that this industry has been experiencing are not something casual or fleeting. Behind them lies a real economic interest and a preoccupation with stealthy operations. The hotel sector has become a major target for organized cybercriminals in possession of malware specifically designed to disrupt its smooth running, not only in payment systems, but also by sealing off access to your room, turning lights on and off, or locking your blinds. This is, undoubtedly, a worrisome situation that could cause significant harm not only on an economic level, but also on a PR level, sowing fear among clientele.
Last spring, hackers got into the system at the ministry, which was then headed by now-Prime Minister Paolo Gentiloni, and the attacks carried on for more than four months but did not gain access to classified information, the paper said. "The Italian government had already informed (the paper) of what it is reporting today," the source said in response to the article, noting that security had since been stepped up. "These were not attacks on the encrypted computer system which carries the most important and sensitive information, but the email system for staff at the foreign ministry and embassies," the source said. Gentiloni, who took over as premier in December, was not affected by the attack, the Guardian quoted a government official as saying. He avoided using email when he was serving as foreign minister, the paper said. According to the Guardian, two people with knowledge of the attack said the Russian state was believed to have been behind it. The source close to the ministry could not confirm this. Cyber crime has come into sharp focus since United States intelligence agencies accused Russia of interfering in last year's U.S. election. The Russian foreign ministry did not immediately respond to a request for comment on Friday's report. The Kremlin has described allegations of Russian interference in the U.S. election as "fabricated" and "a witch hunt". An Italian government source told Reuters this year that the foreign ministry had been hacked in the past and that Rome suspected the perpetrators were Russian, but that it is impossible to say with certainty where such attacks came from. Last month, an Italian brother and sister were arrested on suspicion of hacking into the emails of European Central Bank President Mario Draghi and thousands of others. The police chief who conducted the investigation said there was no evidence they had acted on behalf of foreign states.
Schools and colleges are being warned to be on the lookout for ransomware attacks, after a wave of incidents where fraudsters attempted to trick educational establishments into opening dangerous email attachments. What makes the attacks unusual, however, is just how the attackers tricked users into clicking on the malware-infected attachments. As Action Fraud warns, confidence tricksters are phoning up schools and colleges pretending to be from the "Department of Education". The fraudsters request the email or phone number of the institution's head teacher or financial administrator, claiming they need to send guidance forms to the individual directly, as they contain sensitive information. The emails, however, have a .ZIP file attached, which often contains a booby-trapped Word document or Excel spreadsheet which initiates the ransomware infection. According to reports, up to £8,000 can be demanded for the safe decryption of files on the victims' computers. That is, of course, money that few schools can afford to spend. Similar scams have posed as being from telecoms providers claiming to need to speak to the head teacher about "internet systems", or from the Department of Work and Pensions. In all cases the chances of the attack succeeding are increased by the fact that it is prefaced by a phone call. We're all very used to receiving suspicious emails in our inbox, but may be caught off guard if one is accompanied by an official-sounding phone call. Action Fraud's warning indicates that there are considerable amounts of money to be made by online criminals through ransomware attacks. If there weren't, they wouldn't be prepared to go to such extreme efforts (such as making bogus phone calls) to increase the likelihood that their poisoned email attachments will be opened.
More money can typically be extorted from an organisation than from an individual, with some corporations having paid out huge sums to blackmailers after having their data locked away through a ransomware attack.