Finally, all administrative accounts should have 2FA enabled in case their credentials are stolen.
Hacker arrested for cryptojacking 1 million virtual servers
Bill Toulas
- January 13, 2024
- 10:09 AM
- 0
As announced today by Europol, the suspect is believed to be the mastermind behind a large-scale cryptojacking scheme that involves hijacking cloud computing resources for crypto-mining.
- By using the computing resources of others' servers to mine cryptocurrency, the cybercriminals can profit at the expense of the compromised organizations, whose CPU and GPU performance is degraded by the mining.
- For on-premise compromises, the damage extends to having to pay for increased power usage, commonly generated by miners.
Europol, the Ukrainian police, and the cloud provider worked together to develop operation intelligence that could be used to track down and identify the hacker.
The police say they arrested the hacker on January 9th, when they seized computer equipment, bank and SIM cards, electronic media, and other evidence of illegal activity.
Source: cyberpolice.gov.ua
- Europol and Ukraine have not identified the e-commerce company or its subsidiary.
- The threat actor then used these accounts to gain access to administrative privileges, which were used to create more than one million virtual computers for use in the cryptomining scheme.
The Ukrainian authorities confirmed that the suspect was using TON cryptocurrency wallets to move the illegal proceeds, with transactions equal to roughly $2 million.
The arrested individual now faces criminal charges under Part 5 of Art. 361 (unauthorized interference in the work of information, electronic communication, electronic communication networks) of the Criminal Code of Ukraine.
Mitigating the risk
Methods to defend against cryptojacking attacks include
- monitoring for unusual activity like unexpected spikes in resource usage,
- implementing endpoint protection and intrusion detection systems, and
- limiting administrative privileges and access to critical resources only to those needing them.
Cryptojackers often exploit documented flaws in cloud platforms to achieve an initial compromise. So, regularly applying the available security updates on all software is crucial to protecting systems against external threats.
Finally, all administrative accounts should have 2FA enabled in case their credentials are stolen.
___________________________________________________________________________________
You may be interested or need-to-know:
Major T-Mobile outage takes down account access, mobile app
A major T-Mobile outage is preventing customers from logging into their accounts and using the company's mobile app.
- JANUARY 11, 2024
- 06:21 PM
1
CISA: Critical Microsoft SharePoint bug now actively exploited
CISA warns that attackers are now exploiting a critical Microsoft SharePoint privilege escalation vulnerability that can be chained with another critical bug for remote code execution.
- JANUARY 12, 2024
- 02:24 PM
- 0
GitLab warns of critical zero-click account hijacking vulnerability
GitLab has released security updates for both the Community and Enterprise Edition to address two critical vulnerabilities, one of them allowing account hijacking with no user interaction.
- JANUARY 12, 2024
- 12:54 PM
- 0
The Week in Ransomware - January 12th 2024 - Targeting homeowners' data
- January 12, 2024
- 05:06 PM
- 1
Mortgage lenders and related companies are becoming popular targets of ransomware gangs, with four companies in this sector recently attacked.
This week, we learned that mortgage lender loanDepot suffered a cyberattack, which the company later confirmed was ransomware.
This comes on the heels of similar attacks against Mortgage giant Mr. Cooper, which led to the exposure of data for 14 million people, and attacks on title insurance companies, including First American Financial and Fidelity National Financial.
As these companies obtain a large amount of sensitive information from their customers, they become attractive targets for ransomware gangs to conduct double-extortion attacks.
Other attacks we learned about this week include the Toronto Zoo, a Black Hunt ransomware attack on Tigo Business, and LockBit claiming to be behind the attack on the Capital Health hospital network.
Finland is also warning of Akira ransomware increasingly targeting companies in the country and wiping backups.
Cybersecurity researchers are back from the holidays, sharing new research on a BlackBasta affiliate's use of PikaBot, Microsoft SQL servers being targeted by the Mimic ransomware, and threat actors impersonating security researchers to offer victims a chance to hack back at ransomware gangs.
For some good news, a Dutch police operation with Cisco Talos led to the arrest of a ransomware operator and the retrieval of decryption keys. This key was added to Avast's decryptor, allowing victims of the Tortilla ransomware (based on Babuk) to recover their files for free.
Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @malwrhunterteam, @fwosar, @BleepinComputer, @serghei, @demonslay335, @Ionut_Ilascu, @Seifreed, @billtoulas, @AWNetworks, @Securonix, @TalosSecurity, @criptoboi, @pcrisk, @TrendMicro, and @Unit42_Intel.
January 7th 2024
Mortgage firm loanDepot cyberattack impacts IT systems, payment portal
U.S. mortgage lender loanDepot has suffered a cyberattack that caused the company to take IT systems offline, preventing online payments against loans.
January 8th 2024
Capital Health attack claimed by LockBit ransomware, risk of data leak
The LockBit ransomware operation has claimed responsibility for a November 2023 cyberattack on the Capital Health hospital network and threatens to leak stolen data and negotiation chats by tomorrow.
Toronto Zoo: Ransomware attack had no impact on animal wellbeing
Toronto Zoo, the largest zoo in Canada, says that a ransomware attack that hit its systems on early Friday had no impact on the animals, its website, or its day-to-day operations.
US mortgage lender loanDepot confirms ransomware attack
?Leading U.S. mortgage lender loanDepot confirmed today that a cyber incident disclosed over the weekend was a ransomware attack that led to data encryption.
New Phobos ransomware variant
PCrisk found a new Phobos variant that appends the .jopanaxye extension and drops ransom notes named info.txt and info.hta.
New STOP Ransomware variants
PCrisk found new STOP ransomware variants that append the .cdwe and .cdaz extensions.
New Makops variant
PCrisk found a new Makops variant that appends the .SOG extension and drops a ransom note named +README-WARNING+.txt.
New Abyss ransomware
PCrisk found a new ransomware that appends the .abyss extension and drops a ransom note named WhatHappened.txt.
January 9th 2024
Paraguay warns of Black Hunt ransomware attacks after Tigo Business breach
The Paraguay military is warning of Black Hunt ransomware attacks after Tigo Business suffered a cyberattack last week impacting cloud and hosting services in the company's business division.
Decryptor for Babuk ransomware variant released after hacker arrested
Researchers from Cisco Talos working with the Dutch police obtained a decryption tool for the Tortilla variant of Babuk ransomware and shared intelligence that led to the arrest of the ransomware's operator.
Hackers target Microsoft SQL servers in Mimic ransomware attacks
A group of financially motivated Turkish hackers targets Microsoft SQL (MSSQL) servers worldwide to encrypt the victims' files with Mimic (N3ww4v3) ransomware.
Ransomware victims targeted by fake hack-back offers
Some organizations victimized by the Royal and Akira ransomware gangs have been targeted by a threat actor posing as a security researcher who promised to hack back the original attacker and delete stolen victim data.
Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign
A threat actor we track under the Intrusion set Water Curupira (known to employ the Black Basta ransomware) has been actively using Pikabot. a loader malware with similarities to Qakbot, in spam campaigns throughout 2023.
New Phobos variant
PCrisk found a new Phobos variant that appends the .2700 extension and drops a ransom note named +README-WARNING+.txt.
New Abyss ransomware
PCrisk found a new ransomware that appends the .abyss extension and drops a ransom note named WhatHappened.txt.
January 10th 2024
Fidelity National Financial: Hackers stole data of 1.3 million people
Fidelity National Financial (FNF) has confirmed that a November cyberattack (claimed by the BlackCat ransomware gang) has exposed the data of 1.3 million customers.
January 11th 2024
Finland warns of Akira ransomware wiping NAS and tape backup devices
The Finish National Cybersecurity Center (NCSC-FI) is informing of increased Akira ransomware activity in December, targeting companies in the country and wiping backups.
Medusa Ransomware Turning Your Files into Stone
Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. Medusa threat actors use this site to disclose sensitive data from victims unwilling to comply with their ransom demands.
New Phobos variant
PCrisk found a new Phobos variant that appends the .mango extension and drops a ransom note named +README-WARNING+.txt.
New STOP Ransomware variants
PCrisk found new STOP ransomware variants that append the .cdtt and .cdpo extensions.
New Ping ransomware
PCrisk found a new ransomware that appends the .pings extension and drops a ransom note named FILE RECOVERY.txt.
January 12th 2024
New Dharma variant
PCrisk found a new Dharma ransomware variant that appends the .AeR extension and drops ransom notes named info.txt and info.hta.
New Xorist variant
PCrisk found a new Xorist variant that appends the .CoV extension and drops a ransom note named HOW TO DECRYPT FILES.txt.
That's it for this week! Hope everyone has a nice weekend!
.png)
No comments:
Post a Comment