Business Software Solution Hit With BlackMatter Ransomware

BlackMatter Ransomware struck over the weekend, targeting business software solutions provider Marketron. Marketron is a growing business and has more than 6,000 customers in the media industry. It provides cloud-based revenue and traffic management tools for broadcast and media organizations. The company specializes in revenue management and audience engagement, handling advertising revenue of $5 billion every year.

Marketron customers were informed of the BlackMatter Ransomware attack in an email on Sunday night from the company CEO, Jim Howard, who said that “the Russian criminal organization BlackMatter” was responsible for the attack.

The BlackMatter Ransomware gang is seemingly ramping up operations. Last week SaferNet reported on a BlackMatter breach at the NEW Cooperative U.S. farmers organization, in which the gang demanded a $5.9 million ransom.

Howard is apologetic in the email to his customers, stating that they are unaware of how the BlackMatter Ransomware gang breached the network, given that Marketron has made significant investments recently in cybersecurity implementations designed to protect from intruders.

“This issue comes despite significant recent investments in separating backup and disaster recovery in different physical and network environments, instituting ‘zero trust’ access management policies, and new security detection and recovery tools”, Howard said in the email.

He went on to state that the company is in contact with both the BlackMatter Ransomware gang and the FBI, and that all efforts are being made to restore systems as soon as possible.

Marketron publicly announced the incident this morning, stating that it was dealing with a “cyber event” that disrupted some of its business operations and impacted all its customers.

“Currently, all Marketron services are offline,” the company announced, adding that the attack affected the Marketron Traffic, Visual Traffic Cloud, Exchange, and Advertiser Portal services.

The RadioTraffic and RepPak services were unaffected, but the company took them offline as a precaution. The only platforms that remained online were Pitch, Email Marketing, and Mobile Messaging.

Bo Bandy, VP of Marketing at Marketron, said in the disclosure that third-party forensic investigators were working “to understand the full nature and scope of the event, determine root cause, and to ensure the integrity, safety, and security of our systems and data.”

“We are unable to confirm the root cause of the event at this time and this investigation is very much on-going,” Bandy said.

BlackMatter Ransomware is believed to be a rebrand of Darkside Ransomware, which took Colonial Pipeline offline in May.

The gang has been extremely active this month alone, and its list of victims includes:

  • a wine and spirits company
  • an investment banking services provider in the U.S.
  • a vendor of citrus juicing equipment in Austria
  • a maker of drilling and foundation equipment in Italy
  • Japanese technology giant Olympus
  • a US-based construction company
  • a unified communications company in the UK

BlackMatter Ransomware Analysis

Note: This analysis was carried out by Sophos Labs

The Sophos research is based on a sample of the BlackMatter ransomware, with the SHA-256 hash: 22D7D67C3AF10B1A37F277EBABE2D1EB4FD25AFBD6437D4377400E148BCC08D6.

The operators behind the BlackMatter RaaS have established a presence on the dark web:

The list of sectors and entities this threat actor says it will not attack reflects the recent global incidents involving DarkSide (Colonial Pipeline) and REvil (Kaseya) ransomware, which drew widespread and probably unwelcome attention.

The operators behind BlackMatter claim that their ransomware incorporates the best features of DarkSide, REvil, and LockBit 2.0 ransomware. They also say that while they are closely acquainted with the Darkside operators, they are not the same people – this idea has been contested by researchers.

Below is a short comparison of some of the capabilities seen in the various groups:

When victims are hit with the BlackMatter ransomware and the files on their drives are encrypted, BlackMatter sets a wallpaper that is very similar to DarkSide’s. Also like DarkSide, it is stored in the same folder on disk (C:\ProgramData), with an identical file size (2,818,366 bytes), image format (.BMP) and image size (1706 x 826 pixels, 16-bit color depth).

Like DarkSide (and REvil), BlackMatter uses a run-time API that can hinder static analysis of the malware. And like the other two ransomware families, its strings are encrypted and only revealed at runtime. While both of these techniques are common across much recent malware, the way the runtime API resolution and string decryption work in BlackMatter is very similar to the functionality seen in DarkSide and REvil.

In another similarity with both REvil and DarkSide, BlackMatter ransomware stores configuration information in the binary in an encoded format. SophosLabs decoded this and found that BlackMatter ransomware has a similar structure and stores similar information in the configuration blob, such as lists of processes and services to kill, the ransom note, C2 details, and directories to avoid.

The ransomware can encrypt open (locked) documents. BlackMatter terminates several productivity-related processes before encryption begins:

  • ensvc
  • thebat
  • mydesktopqos
  • xfssvccon
  • firefox
  • infopath
  • winword
  • steam
  • synctime
  • notepad
  • ocomm
  • onenote
  • mspub
  • thunderbird
  • agensvc
  • sql
  • excel
  • powerpnt
  • outlook
  • wordpad
  • dbeng50
  • isqlplussvc
  • sqbcoreservice
  • oracle
  • ocautoupds
  • dbsnmp
  • msaccess
  • tbirdconfig
  • ocssd
  • mydesktopservice
  • visio
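
As an added example (the editor’s, not code from Sophos or SaferNet), the following Python flags a process that requests terminate access on several of the kill-list processes above within a short window, the burst a defender would look for just before encryption starts. It assumes telemetry carrying the fields of Sysmon Event ID 10 (ProcessAccess: UtcTime, SourceImage, TargetImage, GrantedAccess) and that Sysmon is configured to record ProcessAccess for these targets; the log lines, the invoice.exe path and the timestamps are constructed.

```python
"""Flag a process that requests PROCESS_TERMINATE on many BlackMatter kill-list
processes within a short window (editor's added example, not Sophos/SaferNet code).
Input mirrors Sysmon Event ID 10 (ProcessAccess) fields; the lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Process names from the BlackMatter kill list above (lower case, no .exe).
KILL_LIST = {
    "ensvc", "thebat", "mydesktopqos", "xfssvccon", "firefox", "infopath",
    "winword", "steam", "synctime", "notepad", "ocomm", "onenote", "mspub",
    "thunderbird", "agensvc", "sql", "excel", "powerpnt", "outlook", "wordpad",
    "dbeng50", "isqlplussvc", "sqbcoreservice", "oracle", "ocautoupds",
    "dbsnmp", "msaccess", "tbirdconfig", "ocssd", "mydesktopservice", "visio",
}
PROCESS_TERMINATE = 0x0001  # access-right bit needed to call TerminateProcess

# Constructed sample records in a flat key=value shape (real events are EVTX/XML).
# Assumption: Sysmon is configured to log ProcessAccess for these targets.
SAMPLE_LOG = r"""
UtcTime=2021-09-19 02:10:00.000 SourceImage=C:\Windows\System32\Taskmgr.exe TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1
UtcTime=2021-09-19 02:13:50.500 SourceImage=C:\Windows\explorer.exe TargetImage=C:\Program Files\Mozilla Firefox\firefox.exe GrantedAccess=0x1000
UtcTime=2021-09-19 02:14:03.101 SourceImage=C:\Users\Public\invoice.exe TargetImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE GrantedAccess=0x1
UtcTime=2021-09-19 02:14:03.120 SourceImage=C:\Users\Public\invoice.exe TargetImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE GrantedAccess=0x1
UtcTime=2021-09-19 02:14:03.133 SourceImage=C:\Users\Public\invoice.exe TargetImage=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE GrantedAccess=0x1
UtcTime=2021-09-19 02:14:03.140 SourceImage=C:\Users\Public\invoice.exe TargetImage=C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE GrantedAccess=0x1
UtcTime=2021-09-19 02:14:03.152 SourceImage=C:\Users\Public\invoice.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1
"""

LINE_RE = re.compile(
    r"UtcTime=(?P<time>\S+ \S+) SourceImage=(?P<src>.+?) "
    r"TargetImage=(?P<dst>.+?) GrantedAccess=(?P<acc>0x[0-9a-fA-F]+)$"
)


def image_name(path):
    """'C:\\...\\WINWORD.EXE' -> 'winword' so names compare with the kill list."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def parse_events(text):
    """Parse the key=value lines into (time, source, target, access-mask) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a ProcessAccess record; ignore
        events.append((
            datetime.strptime(m["time"], "%Y-%m-%d %H:%M:%S.%f"),
            m["src"], m["dst"], int(m["acc"], 16),
        ))
    return events


def kill_list_terminations(events, window=timedelta(seconds=10), threshold=4):
    """Alert on any source that asks for terminate access to at least `threshold`
    distinct kill-list processes inside one `window`; a user closing one app or a
    query-only access (no PROCESS_TERMINATE bit) never reaches the threshold."""
    by_source = defaultdict(list)
    for when, src, dst, access in events:
        name = image_name(dst)
        if access & PROCESS_TERMINATE and name in KILL_LIST:
            by_source[src].append((when, name))
    alerts = []
    for src, hits in by_source.items():
        hits.sort()
        best, start = set(), 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window start
                start += 1
            seen = {name for _, name in hits[start:end + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= threshold:
            alerts.append({"source": src, "count": len(best), "targets": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in kill_list_terminations(parse_events(SAMPLE_LOG)):
        print(f"{alert['source']} requested terminate on {alert['count']} "
              f"kill-list processes: {', '.join(alert['targets'])}")
```

Tune `window` and `threshold` to the host: a database server legitimately restarting its own services should not trip it, while the five Office and editor processes hit in 51 ms above do.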

The BlackMatter ransomware collects information from victim machines, such as the hostname, logged-in user, operating system, domain name, system type (architecture), language, and the size of the disk and its available free space.

The analyzed sample sends these details to a remote server hosted on paymenthacks.com. It uses a specific header to post the information.

The BlackMatter ransomware drops a ransom note in user-accessible folders on the disk.


Protection

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.

The Republican Governors Association Servers Hit In Data Breach

The Republican Governors Association (RGA) revealed that it was the victim of a data breach in notification letters sent last week to members. The data breach occurred during an extensive Microsoft Exchange hacking campaign that hit organizations worldwide this year, a campaign that used what are now known as the ProxyLogon exploits.

RGA is a US political organization that provides Republican candidates with the campaign resources needed to get elected as governors across the country.

Following an investigation into a possible data breach which began in March, “RGA determined that the threat actors accessed a small portion of RGA’s email environment between February 2021 and March 2021 and that personal information may have been accessible to the threat actor(s) as a result.”

Though the RGA initially stated it was not able to determine whether any personal information was taken in the data breach, a subsequent “thorough data mining effort to identify potentially impacted individuals” revealed that names, Social Security numbers, and payment card information were exposed in the attack.

RGA discovered on June 24 that individuals affected by this data breach had their personal information exposed, and completed its “data mining” efforts on September 1.

“Once potentially impacted individuals were identified, RGA worked to identify addresses and engage a vendor to provide call center, notification, and credit monitoring services,” RGA told impacted individuals in a data breach letter sent on September 15.

“RGA is also offering you two (2) years of complimentary credit monitoring and identity restoration services with Experian. RGA has also notified the Federal Bureau of Investigation, certain state regulators, and the consumer reporting agencies of this incident as required.”

ProxyLogon: Catalyst to the Data Breach

The hacking campaign RGA refers to in its data breach notification letter targeted more than a quarter of a million Microsoft Exchange servers, owned by tens of thousands of organizations around the world.

The attackers exploited four zero-days (collectively known as ProxyLogon) in indiscriminate attacks on on-premises Microsoft Exchange servers at organizations across multiple industry sectors worldwide, with the end goal of stealing sensitive information.

At the time of the attack, Microsoft stated that the Chinese state-sponsored hacking group known as Hafnium was behind some of these attacks.

ProxyLogon Attack Map. Source: WeLiveSecurity

“Historically, Hafnium primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs,” Microsoft said.

In July, the company’s attribution was confirmed when the US and allies, including the European Union, the United Kingdom, and NATO, officially blamed China for this widespread Exchange hacking campaign.

Attack History Of The Exploits And Threat Actors That Used Them

The Biden administration attributed “with a high degree of confidence that malicious cyber actors affiliated with PRC’s MSS conducted cyber-espionage operations utilizing the zero-day vulnerabilities in Microsoft Exchange Server disclosed in early March 2021.”

The four zero-days that make up ProxyLogon are as follows:

CVE-2021-26855: SERVER-SIDE REQUEST FORGERY
The Server-Side Request Forgery (SSRF) vulnerability provides a remote actor with admin access by sending a specially crafted web request to a vulnerable Exchange Server. The web request contains an XML SOAP payload directed at the Exchange Web Services (EWS) API endpoint. The SOAP request bypasses authentication using specially crafted cookies and allows an unauthenticated, remote actor to execute EWS requests encoded in the XML payload and ultimately perform operations on users’ mailboxes. This vulnerability, combined with the knowledge of a victim’s email address, means the remote actor can exfiltrate all emails from the victim’s Exchange mailbox.


CVE-2021-26857: REMOTE CODE EXECUTION VULNERABILITY
A post-authentication insecure deserialization vulnerability in the Unified Messaging service of a vulnerable Exchange Server allows commands to be run with SYSTEM account privileges. The SYSTEM account is used by the operating system and services that run under Windows. By default, the SYSTEM account is granted full control permissions to all files. A malicious actor can combine this vulnerability with stolen credentials or with the previously mentioned SSRF vulnerability to execute arbitrary commands on a vulnerable Exchange Server in the security context of SYSTEM.

CVE-2021-26858 AND CVE-2021-27065
Both of these post-authentication arbitrary file write vulnerabilities allow an authenticated user to write files to any path on a vulnerable Exchange Server. A malicious actor could leverage the previously mentioned SSRF vulnerability to achieve admin access and then exploit these vulnerabilities to write web shells to virtual directories (VDirs) published to the internet by the server’s Internet Information Server (IIS). IIS is Microsoft’s web server, a dependency that is installed with Exchange Server and provides services for Outlook on the web, previously known as Outlook Web Access (OWA), Outlook Anywhere, ActiveSync, Exchange Web Services, Exchange Control Panel (ECP), the Offline Address Book (OAB) and Autodiscover.


Global DDOS Attack Campaign Targets Several VOIP Providers

Bandwidth.com has become the latest victim in a global distributed denial-of-service (DDoS) attack campaign targeting VoIP providers this month. The campaign has led to nationwide outages this week. Bandwidth is a voice over Internet Protocol (VoIP) services company that provides voice telephony over the Internet to businesses and resellers.

On September 25th Bandwidth began reporting that they were experiencing unexpected failures with their voice and messaging services.

“Bandwidth is investigating an incident impacting Voice and Messaging Services. Calls and Messages may experience unexpected failures. All teams are actively engaged,” reported Bandwidth on their status page.

Since the DDOS attacks began, Bandwidth has been providing frequent status updates detailing outages affecting voice, Enhanced 911 (E911) services, messaging, and access to the portal.

Bandwidth is a leading telephony provider for US VoIP companies, and due to the DDOS attack, many other VoIP vendors reported outages over the past few days, including Twilio, Accent, DialPad, Phone.com, and RingCentral.

Though it is not confirmed whether all these outages are related to the DDoS attack, one outage report directly mentions Bandwidth while the others state that an upstream provider was involved.

“The upstream provider has indicated that service has returned to normal operation. We will continue to monitor this situation and report any new information as it becomes available. Customers should be prepared for potential impairments of inbound services within 12-16 hours as the potential exists for this DDoS attack to return. We will not close this issue until services have returned to the normal operation for a period of 72 hours.” said the report on Accent’s page.

Twilio initially told reporters at BleepingComputer they were not affected by the DDOS attack on Bandwidth, but their status page states that they had issues with Bandwidth on September 27th.

“Monitoring – We are observing recovery in Twilio Voice call quality and connection issues. Bandwidth is reporting the issue resolved as well. We will continue monitoring the service to ensure a full recovery. We will provide another update in 2 hours or as soon as more information becomes available.” said a representative on Twilio’s status page.

Initial DDOS Attacks

Early this month, VoIP provider VoIP.ms suffered a catastrophic week-long DDoS attack that took down almost all of their services and portals, leaving their customers without voice services.

The attack was accompanied by extortion: the attackers impersonated the notorious ransomware group REvil, initially demanding one bitcoin ($45,000) to halt the attacks and later raising the demand to 100 bitcoins ($4.5 million).

Due to that DDOS attack, Bandwidth customers immediately suspected that Bandwidth was also suffering from a similar DDoS attack.

Because VoIP services are routed over the internet and require endpoints to be publicly accessible, they are easy pickings for DDOS extortion attacks.

During these attacks, hackers will overwhelm servers, portals, and gateways by sending more requests than can be handled and thus making the targeted devices and servers inaccessible to anyone else.

Bandwidth did not initially make an official statement on the attack, but employees informed customers of the DDOS attacks.

One such customer shared a screenshot on Reddit of a customer support message allegedly from a Technical Assistance Center manager who states that a DDoS attack is responsible for the outages.

“Bandwidth continues to experience a DDoS attack which is intermittently impacting our services. Our network operations and engineering teams continue active mitigation efforts to protect our network,” reads the screenshot.

On Monday night, Bandwidth said that services had been restored; it was not clear at the time whether a ransom had been paid. The attack resumed on Tuesday morning. It is common for threat actors to briefly halt attacks while they push extortion attempts.

Following the restart of the attack, Bandwidth came clean about the nature of the outages, confirming that they were being hit by a DDOS attack. Bandwidth CEO, David Morken, had the following to say:

“Bandwidth and a number of critical communications service providers have been targeted by a rolling DDoS attack. While we have mitigated much intended harm, we know some of you have been significantly impacted by this event. For that I am truly sorry.

You trust us with your mission-critical communications. There is nothing this team takes more seriously. We are working around the clock to support your teams and minimize the impact of this attack. Our account managers and support teams have been actively reaching out to customers individually to address any issues. If you are experiencing problems and you haven’t heard from us yet, please let us know.

Real-time updates will continue to be posted at status.bandwidth.com. We will not rest until we end this incident, and will continue to do all we can to protect against future ones. Thank you for your patience.”


Data Breach Compromises 3.1M Neiman Marcus Customer Card Details

Dallas-based Neiman Marcus Group has been hit by a data breach dating back well over a year. The clothing company took 17 months to notice the breach, which affected 3.1M customers. This week, Neiman Marcus acknowledged the data breach, stating that the exposed data included personal customer information such as names, contact information, payment card information (without CVV codes), gift card numbers (without PINs), usernames, passwords, and even security questions associated with online Neiman Marcus accounts.

The group, which also controls the brands Bergdorf Goodman, Neiman Marcus Last Call, and Horchow, said 3.1 million cards were affected in total during the data breach.

“No active Neiman Marcus-branded credit cards were impacted,” the company’s statement said. “At this time, the Company has no evidence that Bergdorf Goodman or Horchow online customer accounts were affected.”

Neiman Marcus is working with law enforcement and cybersecurity company Mandiant to get more information about the retailer’s data breach, the company said.

“At Neiman Marcus Group, customers are our top priority,” Geoffroy van Raemdonck, the company’s CEO, said in the announcement of the data breach. “We are working hard to support our customers and answer questions about their online accounts. We will continue to take actions to enhance our system security and safeguard information.”

Given the time it took Neiman Marcus to disclose the data breach, many of the exposed cards are believed to have since expired.

While Neiman Marcus is seemingly playing down the data breach, Chris Clements, VP of solutions architecture at Cerberus Sentinel, was blunter.

“The lack of both prevention and detection capabilities at many organizations is simply staggering,” Clements said. “I try as much as possible to shy away from victim blaming, but in many circumstances, organizations have been grossly negligent in securing customer data.”

Clements added that in many breaches, it’s very easy for an attacker to get their hands on customer data.

“Despite the press releases that almost never fail to describe the attackers or attack methods as ‘highly sophisticated,’ the reality is that most breaches aren’t some ‘super cyber heist plot’ out of a bad movie, but rather akin to some guy walking in the front door and wheeling out a file cabinet and no one is around to notice.”

Justin Fier of Darktrace said that Neiman Marcus’s IT security team should take the position that the hackers involved have been lurking within its systems since May 2020, when the initial attack took place. He adds that it is Neiman Marcus’s responsibility to adopt a more modern security strategy.

“Today, the most cyber mature retailers are relying on artificial intelligence for everything from credit fraud to supply logistics and, of course, to continually monitor their risk across globally distributed networks and complex digital infrastructures.”

“As retailers like Neiman Marcus adapt to a more virtual world and embrace innovations to support remote shopping (like its recently announced virtual sneaker showroom) we should expect attacks on the industry to increase. These innovations open more avenues for attackers to poke to access the private data of consumers. Businesses have a responsibility to ensure their consumers’ personal data is protected with the best defensive technology available to them,” Fier continued.

At the moment, Neiman Marcus is asking customers to reset their passwords and has set up a call center for those concerned about their information being compromised during the data breach.

Nick Sanna, CEO of RiskLens, said retailers are under both ethical and regulatory obligations to protect customer data.

“They have an obligation to keep this sensitive customer data safe and out of the hands of the wrong people, obligations that are both ethical and regulatory in nature,” Sanna said. “The outcome of not doing this is exactly what Neiman Marcus Group is now facing.”


JVCKenwood Get Hit With $7 Million Conti Ransomware Attack

JVCKenwood has been infected in a Conti Ransomware attack where the hackers have stolen 1.7TB of data and are demanding a ransom fee of $7 Million.

JVCKenwood is a multinational electronics company based out of Japan that employs 16,956 people and has a 2021 revenue of $2.45 billion. The company is known for its brands JVC, Kenwood, and Victor, which manufacture car and home audio equipment, healthcare and radio equipment, professional and in-vehicle cameras, and portable power stations.

This week, the company disclosed that servers belonging to its sales division in Europe were hacked on September 22nd, and the Conti Ransomware gang accessed and stole data during the incident.

“JVCKENWOOD detected unauthorized access on September 22, 2021 to the servers operated by some of the JVCKENWOOD Group’s sales companies in Europe. It was found that there was a possibility of information leak by the third party who made the unauthorized access,” JVCKENWOOD announced in a press statement.

“Currently, a detailed investigation is being conducted by the specialized agency outside the company in collaboration with the relevant authorities. No customer data leak has been confirmed at this time. The details will be announced on the company website as soon as they become available.”

The ransom note left by Conti Ransomware has been shared by several media sources since.

In the negotiation chat, the Conti Ransomware gang claims to have stolen 1.5 TB of files and is demanding $7 million in exchange for not publishing the data and for providing a file decryptor.

In an attempt to bolster the credibility of the attack, the gang shared a PDF file that appears to be a scanned passport of a JVCKenwood employee.

There is believed to have been no further contact from the JVCKenwood representative, possibly indicating that the company will not pay the ransom.

Conti is a ransomware family believed to be operated by the TrickBot threat actor group and is commonly installed after networks are compromised by the TrickBot, BazarBackdoor, and Anchor trojans.

Conti Ransomware has been responsible for a range of attacks, especially in the last 12 months. These include high-profile attacks against the City of Tulsa, Ireland’s Health Service Executive (HSE), Advantech, and numerous health care organizations.

Last week, a joint report between the FBI, CISA, and NSA warned of escalating Conti ransomware attacks.

Conti Ransomware Analysis

Note: The Analysis of Conti Ransomware was carried out by researchers at Vipre Labs.

Conti ransomware encrypts its victims’ files and publishes stolen data on the gang’s website, similar to what other strains do. This extortion behavior is visible in the ransom note, which says “We’ve downloaded your data and are ready to publish it on our news website”.

When executed, it starts to encrypt files and changes the file extension of the encrypted files to .ODMUA. Like other ransomware, it leaves a ransom note with the filename “readme.txt”.

The Conti ransomware website has an instruction on how to upload the README.txt for the decryption and a contact button at the bottom left of the page. Once you click the contact button, a form will appear where you will provide your contact information and question as shown below.

Conti Ransomware Website

Conti ransomware performs a well-known malware technique called process hollowing: the malware creates a process in a suspended state, unmaps (removes) the PE image layout from that process’s address space using the ZwUnmapViewOfSection function, writes its malicious code into the process using WriteProcessMemory, sets a new entry point using SetThreadContext, and resumes execution of the suspended process using the ResumeThread function.

Upon research, we found that the -p argument encrypts a specific directory with a single thread and the -m argument encrypts files with multiple threads. This means Conti ransomware has multi-threading capability: the main ransomware process creates child threads to speed up encryption.

It uses the string “hsfjuukjzloqu28oajh727190”, decrypted with the string decryption routine mentioned above, to create a mutex with the CreateMutexA function, and then checks whether that mutex already exists. This technique is commonly used by ransomware to avoid infecting the system more than once.

The Mutex Object

It will also delete all the shadow volume copies on the infected system to ensure that the victims won’t be able to recover their encrypted files.

After deleting the shadow copies, Conti ransomware starts its file encryption by first creating the ransom note, which is initially dropped on the C drive using “CreateFileW”; the content of the ransom note is written using “WriteFile”.

As with other ransomware, it uses the functions “FindFirstFileW” and “FindNextFileW” to find the files it will encrypt. Conti ransomware has a list of files, file extensions, and directories that are excluded from infection.

When Conti finds a file to be encrypted, it generates the keys that will be used to encrypt it. It uses the handle returned by “CryptAcquireContext”, which requests a cryptographic context from the Microsoft Enhanced Cryptographic Provider, then the “CryptGenRandom” function to generate cryptographically random bytes, and the “CryptEncrypt” function. It leverages AES-256 encryption for the infection.

It then opens the target file using “CreateFile” and retrieves its size using “GetFileSize”. After this, the malware decrypts its list of file extensions and checks whether the extension of the targeted file is in that list.

Conti ransomware does not just encrypt the files of the infected machine; it also spreads to and infects other machines on the same network using the SMB protocol.
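The SMB spread described above has a network-level symptom that is easy to watch for: one host opening TCP/445 connections to many distinct peers in a short time. The script below is an added example (not from the page or from SaferNet) that applies a sliding-window distinct-destination count to flow records; the whitespace-separated flow layout, the window and threshold values, and the sample flows are all constructed for this example, and the records are assumed to arrive sorted by timestamp.

```python
"""Flag hosts fanning out over SMB (TCP/445) to many distinct peers in a short
window, the network-level symptom of the lateral spread described above.

Added example, not from the page or from SaferNet. Flow records are
constructed in a simple whitespace-separated layout:
    <ISO-8601 timestamp> <src_ip> <dst_ip> <dst_port> <protocol>
Records are assumed to be sorted by timestamp.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445


def parse_flow(line):
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto.lower()


def smb_fanout(lines, window=timedelta(minutes=5), threshold=10):
    """Return {src_ip: peak distinct SMB destinations} for every source whose
    distinct-destination count within any sliding window reached threshold."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, dst) inside the window
    peak = defaultdict(int)
    for line in lines:
        ts, src, dst, dport, proto = parse_flow(line)
        if proto != "tcp" or dport != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {src: n for src, n in peak.items() if n >= threshold}


def _flow(ts, src, dst, port=SMB_PORT, proto="tcp"):
    return f"{ts.isoformat()} {src} {dst} {port} {proto}"


_T0 = datetime(2021, 9, 20, 3, 0, 0)
SAMPLE_FLOWS = []
# Workstation talking to a single file server for half an hour: one peer, benign.
SAMPLE_FLOWS += [_flow(_T0 + timedelta(minutes=i), "10.0.0.7", "10.0.1.1") for i in range(30)]
# Admin host reaching four peers in four minutes: a small fan-out, below the default threshold.
SAMPLE_FLOWS += [_flow(_T0 + timedelta(minutes=i), "10.0.0.9", f"10.0.0.{20 + i}") for i in range(4)]
# Infected host sweeping 21 neighbours over SMB in under two minutes.
SAMPLE_FLOWS += [_flow(_T0 + timedelta(seconds=5 * i), "10.0.0.5", f"10.0.0.{100 + i}") for i in range(21)]
# Same host doing HTTPS as well; must be ignored by the SMB rule.
SAMPLE_FLOWS.append(_flow(_T0, "10.0.0.5", "203.0.113.10", port=443))
SAMPLE_FLOWS.sort()  # lines start with a fixed-width ISO timestamp, so string order is time order


if __name__ == "__main__":
    for src, n in sorted(smb_fanout(SAMPLE_FLOWS).items()):
        print(f"{src}: {n} distinct SMB peers within 5 minutes")
```

The threshold is the knob to tune per environment: helpdesk and vulnerability-scanning hosts legitimately fan out over SMB, so they belong on an allow-list rather than forcing the threshold so high that a worm-like sweep goes unnoticed.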

Protection

Attacks like the Conti ransomware campaign show that cyberattacks are increasing at an exponential rate, and that both government and business leaders are underprepared for the fallout of an attack. There are several tools internet users should use to increase their online protection. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.

Chinese VPNs Are Recording World Data On a Massive Scale

AN OVERVIEW OF THE GROWING THREAT

Approximately 20% of the world’s population is either directly or potentially set up for the Chinese government to collect all of their private emails, messenger conversations and personal records, as well as the psychological information that could be assessed from that data. The potential harvesting of this VPN data should concern us all.

“Everyone sees what you appear to be, and few experience what you really are.” ― Niccolò Machiavelli, The Prince

CHINA CAN ACCESS 20% OF THE WORLD’S PRIVATE DATA

There are 4.57 billion Internet users in the world.[i] 31% of those use a VPN.[ii] Upon reviewing a sample of 30 popular VPNs, we estimate that approximately 62% of those are secretly Chinese-owned VPNs, currently installed on 878,354,000 consumer devices.[iii] Thus, we can estimate with arithmetic the following:

(4,570,000,000 Internet users x 31% VPN users) x 62% Chinese-owned VPNs
= 878,354,000 Chinese-owned VPNs installed on user devices worldwide.

In 2020, 29% of Americans reported using a VPN for personal use (up from 11% in 2019). Of the 275 million Internet users in the US, this means that 39 million Americans may be sharing embarrassing, personal, or otherwise secret data with China. Earlier this year, a number of VPN company databases were breached and leaked; these VPNs claimed not to keep user logs, yet they did. UFO VPN, based out of Hong Kong, is among them. The total amount of log data leaked exceeds one terabyte. In other words, simply because a VPN claims not to keep logs does not mean it can be trusted at its word when the CCP is involved.[iv]

STATE ACTORS SNOOPING ON AMERICANS IN THE VPN SPACE?

The free world’s vulnerability to shady VPNs is evident in all levels of the industry, including top market share companies. It is very hard to raise capital to start a business. It is very hard to run a business once that capital has been raised. It is almost impossible to raise capital for a business with political goals that run counter to the profit motive. Ergo, when VPN businesses get political, we may consider that smoke indicates a fire, with fire being evidence that the business in question may be a state-supported surreptitious operation designed to collect mass population data. Let’s start with the most obvious facts. VPNs make money pursuing the following markets, with video streaming at the top.

If one were to start a VPN business, the foremost priority would be to maximize profit by focusing on the largest segment of users: video streaming by circumventing geo-blocking. If a VPN were to go against the grain and seek out more fickle, suspicious, and narrowly focused customers, one could argue this is not the best use of capital. When businesses start to move away from focusing on profit, they may raise red flags as supporting, or aligning with, state actor initiatives. Express VPN is one of those curious cases.

Express VPN is a Hong Kong company that is officially registered in the British Virgin Islands. Using the Internet Archive, we can see that they used to announce their place of business as Hong Kong.[v] For more than a decade they obscured their ties to Hong Kong, China, through an offshore shell company in the British Virgin Islands (i.e. a company that exists only on paper).

In terms of market share, Express VPN ranks in the top 5 in the United States and the world.[vi] Their daily user numbers come to between 5 and 15 million users per day.

The above suggests Express VPN earns between 50 million and 150 million dollars per month at an average subscription price of $10 per month. Despite this, their BVI company appears to report less than 0.1038 million in sales, while we can estimate real revenue reaching 600 million to 1.2 billion per year, just not recorded in the offshore BVI company that they swear is their headquarters. See “Express VPN Inconsistencies.”[vii] Let’s look at their recruiter, Nicholas Lui, an employee of Network Guard.

It would appear that he has recruited for both Network Guard and ExpressVPN. Additionally, both appear to share the same office, as evidenced in our write-up about Express VPN. This is where it gets more interesting: if we go to https://chengbao.com.hk/ it redirects us to https://networkguard.com/. (Chengbao is Mandarin for “fortress.”)

  • Employees of Chengbao and Express display the NG logo on their profiles; when we click on NG on either profile, both go to Network Guard. Network Guard has Express VPN employees all over its activities. They also share stock photos from the same office.
  • Chengbao Ltd may be the de facto operating company for Express VPN, and Express VPN a worthless British Virgin Islands shell company used to reduce their fair share of taxes, with earnings reporting that does not reflect the scale of a business making up a broad segment of the international VPN market.

Intuit Warns QuickBooks Customers Of Ongoing Phishing Campaign

Intuit is warning its QuickBooks users that they may be targeted by an ongoing phishing campaign that impersonates the company and tries to lure potential victims with fake renewal charges.

The company stated that it has been receiving reports from its users about an ongoing phishing campaign. “This email did not come from Intuit. The sender is not associated with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit’s brands authorized by Intuit,” Intuit explained.

The financial software firm advises all customers who received one of these phishing messages not to click any links embedded in the emails or open attachments.

Users who have already clicked through links in the phishing emails are advised to do the following:

  • Delete any downloaded files immediately.
  • Scan their systems using an up-to-date anti-malware solution.
  • Change their passwords.

Intuit also provides information on how customers can protect themselves from phishing attempts on its support website.

Intuit’s users are common targets for phishing attacks. In July, Intuit also alerted its customers to phishing emails asking them to call a phone number to upgrade to QuickBooks 2021 before the end of the month, in order to avoid having their databases corrupted or company backup files removed automatically.

Intuit is also being impersonated by other hackers in a fake copyright scam, according to SlickRockWeb CEO Eric Ellason.

Recipients targeted by these emails risk infecting themselves with the Hancitor (aka Chanitor) malware downloader or have Cobalt Strike beacons deployed on their systems.

The embedded links in this malspam send potential victims through advanced redirection chains that use various security evasion tactics and victim fingerprinting.

In June, Intuit also notified TurboTax customers that some of their personal and financial info was accessed by attackers following a series of account takeover attacks. The company also said that this was not a “systemic data breach of Intuit.”

The company’s investigation revealed that the attackers used credentials obtained from “a non-Intuit source” to access the customers’ accounts and their name, Social Security number, address(es), date of birth, driver’s license number, financial information, and more.

TurboTax customers were targeted in at least three other account takeover attack campaigns in 2014/2015 and 2019.


Ecuador’s Largest Bank Taken Offline By Cyberattack

Ecuador’s largest private bank, Banco Pichincha, has suffered a cyberattack that disrupted operations to the extent that ATMs and the online banking portal were taken out. The cyberattack occurred this weekend, causing Banco Pichincha to shut down parts of its network to halt the spread of the infection.

The shutdown of its systems due to the cyberattack led to widespread disruptions, with ATMs and the bank’s online service showing maintenance messages.

In an internal notification sent to the bank’s agencies, employees were notified that bank applications, email, digital channels, and self-service will not be operational due to a technology issue.

The document goes on to say that self-service customers should be directed to bank teller windows to be served during the outage.

After two days of silence regarding the outage, Banco Pichincha issued a statement Tuesday afternoon admitting that they suffered a cyberattack that led to the disruption of their systems.

The bank’s statement in English reads:

“In the last few hours, we have identified a cybersecurity incident in our computer systems that have partially disabled our services. We have taken immediate actions such as isolating the systems potentially affected from the rest of our network and have cybersecurity experts to assist in the investigation.

At the moment, our network of agencies, ATMs for cash withdrawals and payments with debit and credit cards are operational.

This technological incident did not affect the financial performance of the bank. We reiterate our commitment to safeguard the interests of our clients and restore normal care through our digital channels in the shortest possible time.

We call for calm to avoid generating congestion and to stay informed through the official channels of Banco Pichincha to avoid the spread of false rumors.”

Today, the online banking portal still shows a maintenance message, but customers are able to access their online accounts. The mobile application is still shut down following the cyberattack.

At this time, the bank has not disclosed the nature of the cyberattack. However, researchers at BleepingComputer believe that it is a ransomware attack with threat actors installing a Cobalt Strike beacon on the network.

Ransomware gangs and other threat actors commonly use Cobalt Strike to gain persistence and access to other systems on a network.

In February, Banco Pichincha suffered another cyberattack by cybercriminals known as ‘Hotarus Corp’ who claimed to have stolen files from the bank’s network.

Pichincha disputed the hackers’ claims and said that one of its providers was breached instead.

“We know that there was unauthorized access to the systems of a provider that provides marketing services for the Pichincha Miles program,” Banco Pichincha said at the time.

“In relation to this information leak, and based on an extensive investigation, we have found no evidence of damage or access to the Bank’s systems and, therefore, the security of our clients’ financial resources is not compromised.”


Identity Theft Alarms Sound as Data Breach Affects 1.6 Million Mercedes-Benz Customers

Identity theft may become a concern for Mercedes-Benz owners and even potential buyers, as the company recently disclosed a massive data breach. The automobile company assessed 1.6 million customer records, including customer names, addresses, emails, phone numbers, and some purchased-vehicle information, to determine the impact. It appears that much of the data exposed in the breach includes social security numbers, driver’s license numbers, and credit card information. Currently, it is not believed that all of the 1.6 million individuals affected have had their more sensitive information, such as SSNs, exposed.

On June 11th, a vendor for the German automotive brand informed the company that the personal information of a number of customers was exposed due to an insufficiently secured cloud storage instance.

According to Mercedes-Benz, the breach affects customers and potential buyers who entered sensitive information on dealer websites between 2014 and 2017. This also applies to the Mercedes-Benz website.

“It is our understanding the information was entered by customers and interested buyers on dealer and Mercedes-Benz websites between January 1, 2014 and June 19, 2017.”

“No Mercedes-Benz system was compromised as a result of this incident, and at this time, we have no evidence that any Mercedes-Benz files were maliciously misused.”

“Data security is a serious matter for MBUSA. Our vendor confirmed that the issue is corrected and that such an event cannot be replicated.”

“We will continue our investigation to ensure that this situation is properly addressed,” said Mercedes-Benz in a press release.

Given the lengthy time scale and the number of users affected, fears of identity theft have been sparked. Information such as social security numbers is the key to carrying out identity theft on unsuspecting victims.

The vendor who notified Mercedes-Benz of the data breach states that the exposed information included:

  • Self-reported customer credit scores
  • Driver license numbers
  • Social Security Numbers (SSNs)
  • Credit card numbers
  • Dates of Birth

The company also stated in their press release that the information would not have been searchable on or indexed by a typical search engine.

“To view the information, one would need knowledge of special software programs and tools – an Internet search would not return any information contained in these files,” says Mercedes-Benz.

The company is in the process of contacting affected individuals whose data was exposed in the breach.

“Any individual who had credit card information, a driver’s license number or a social security number included in the data will be offered complimentary 24-month subscription to a credit monitoring service. We will also notify the appropriate government agencies,” says the vehicle company.

The full number of users affected by the breach is not known. Cybersecurity researchers at BleepingComputer have reached out to the company for more details but have yet to get a response.

The Dangers of Identity Theft

Identity theft can be absolutely devastating for an individual. Usually, in the world of malware, we know what can be harmed. Our devices may need to be replaced, we may lose access to accounts for a few days or even forever, we may even need to pay a ransom for access to our data. The point is, with most types of malware, we can eventually rebuild, though it may take longer than we anticipate. The fallout from identity theft lasts much longer.

Once your stolen information is used, it can take anywhere from a few days to six months to resolve that one incident. But your information stays out there for a very, very long time. This means you could end up dealing with identity theft for many years, even decades.

Identity Theft has been around for a very long time and predates our modern technology by thousands of years. There have always been individuals that try to impersonate others for their own gain, financial or otherwise. However, the internet’s birth and wide adoption have led to new attack vectors, dwarfing any possible past attempts.

Now more than ever do we have data tied into our personal identity. Email addresses, banking numbers, phone numbers, social security numbers, home addresses – All of these and more form a picture of us as lines in a database.

And when this information falls into the wrong hands, it can do a lot of damage. Bank accounts can be drained, and your credit rating can get rattled; you can end up with medical bills or even a criminal record. The list of potential mishaps that can arise from identity theft is endless.

To hackers, identity theft represents a lucrative stream of income, and they can very easily cover their tracks. After they have seized personal information, they sell it on the dark web. This information can be sold repeatedly over time, meaning that even if you notice your identity has been stolen and used, it can be used again in several instances over a period of years.

There are some guidelines from the US government for discovering whether you are a victim of identity theft, if it is not immediately obvious:

  • You stop receiving your regular bills and credit card statements.
  • You receive statements for accounts you never opened.
  • Debt collectors start calling you day and night about debts you’ve never heard of.
  • The IRS alleges you failed to report income for a company you never worked for.
  • You see withdrawals/charges on your bank or credit card statement that you didn’t make.
  • You try to file your taxes only to discover that someone else beat you to it.
  • You try to file your taxes and find someone claimed your child as a dependent already.
  • Your credit report includes lines of credit you never opened.
  • Your credit score fluctuates wildly and for no apparent reason.
  • The most obvious sign—you receive a notification that you’ve been the victim of a data breach.

If you are unsure, it is always best to check with the authorities on the US government’s identity theft website.

Protection

In some cases, a victim cannot be faulted for identity theft. For example, those affected by the data breach in the story above handed their information over to companies in good faith. Unfortunately, these companies, or more specifically the vendor, failed to protect this information. Many other times, however, business owners and families are singled out and targeted in their offices and homes.

For times like these, it is critical that you have the right tools to protect yourself. One of these tools is SaferNet.


REvil Ransomware hits Fashion Company French Connection

REvil ransomware has hit the high street this week, as the fashion company French Connection has been infected with the notorious strain of ransomware. It is believed that REvil operators breached the company’s back end and stole private internal data. French Connection was established in 1972. Originally founded as a mid-market fashion brand, the company has since expanded to include men’s and women’s accessories.

While the exact attack vector has not yet been confirmed, cybersecurity researchers believe that the hackers exploited a security vulnerability on the back end to carry out the attack. It is likely that unpatched software or hardware led to the breach and the subsequent encryption.

The gang has been using scans belonging to several high-profile individuals, including the founder and chief executive Stephen Marks, chief financial officer Lee Williams, and chief operating officer Neil Williams, to prove that the breach took place.

French Connection has confirmed that it was the target of a cyber-attack that affected its back-end servers. The company noted that the front-end servers, those that process payments for French Connection’s online outlets, are believed not to have been affected by the attack.

Due to the breach, the company immediately suspended all affected systems and engaged third-party experts to help resolve the situation:

“As soon as it became aware of the breach, the company took immediate action, suspending all affected systems and engaging third-party experts to assist with resolving the situation,” French Connection’s statement continued. “The company is now actively working to restore its systems as quickly and safely as possible and where necessary is using manual overrides to ensure that the company can continue to operate.”

French Connection said it had no evidence that any data related to its customers was accessed during the breach, and the company is “continuing to operate largely as normal.”

The company has yet to disclose the amount demanded by the REvil ransomware operators.

REvil Ransomware Analysis

REvil ransomware is a Ransomware-as-a-Service (RaaS), meaning it is sold on a subscription basis and is usable by just about anybody. In 2020, it extorted large amounts of money from corporations and individuals. According to researchers, it is the most widespread ransomware strain. Groups using it have a knack for shaking down businesses that don’t meet their demands, often through threats or by leaking data.

REvil ransomware, also known as Sodinokibi, first appeared in April 2019 and rose to prominence after another RaaS gang called GandCrab shut down its service. REvil was first advertised on Russian-language cybercrime forums. The main actor associated with advertising and promoting REvil ransomware is called Unknown, aka UNKN. In the early days of REvil, researchers and security firms identified it as a strain of GandCrab, or at least established multiple links between the two. An alleged member of the group, using the handle Unknown, confirmed in an interview that the ransomware was not a new creation and that it was built on top of an older codebase that the group acquired.

The group behind REvil Ransomware and other groups selling RaaS often do so on a commission basis. Usually, this means a cut of between 20% and 30% of the money earned through infecting victims with ransomware.

In 2020, the IBM Security X-Force Incident Response reported that 1 in 3 Ransomware infections were caused by REvil Ransomware.

In February 2021, the REvil ransomware operation posted a job notice where they were looking to recruit people to perform DDoS attacks and use VOIP calls to contact victims and their partners.

In March, a security researcher known as 3xp0rt discovered that REvil has announced that they were introducing new tactics that affiliates can use to exert even more pressure on victims.

These new tactics include a free service where the threat actors, or affiliated partners, perform voice-scrambled VOIP calls to the media and to the victim’s business partners with information about the attack. The ransomware gang is likely assuming that warning businesses that their data may have been exposed in an attack on one of their partners will create further pressure on the victim to pay.

REvil Ransomware is also providing a paid service that allows affiliates to perform Layer 3 and Layer 7 DDoS attacks against a company for maximum pressure. A Layer 3 attack is commonly used to take down the company’s Internet connection. In contrast, threat actors would use a Layer 7 attack to take down a publicly accessible application, such as a web server.

It is highly configurable and can be customized to behave differently depending on the host, which makes it a highly attractive RaaS client. Some of its features include:

  • Exploits a kernel privilege escalation vulnerability (CVE-2018-8453) to gain SYSTEM privileges.
  • Whitelists files, folders and extensions from encryption.
  • Kills specific processes and services prior to encryption.
  • Encrypts files on local and network storage.
  • Customizes the name and body of the ransom note, and the contents of the background image.
  • Exfiltrates encrypted information on the infected host to remote controllers.
  • Uses Hypertext Transfer Protocol Secure (HTTPS) for communication with its controllers.

REvil ransomware exploits a kernel privilege escalation vulnerability in win32k.sys tracked as CVE-2018-8453 to gain SYSTEM privileges on the infected host. If the configuration instructs a sample to execute this exploit, it will allocate executable memory, decrypt the exploit code in the newly allocated region and invoke it.

Protection Against Ransomware

REvil ransomware and other ransomware strains are among the most common and damaging cybersecurity threats today. Families and businesses should be aware of these threats and equip the right tools to tackle them. One of these tools is SaferNet.
